diff --git a/Changelog b/Changelog
index bb2e41c..e324451 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,5 @@
+- Deprecate per-role templates and rolemap support.
+- Implement user-based access control for use as role separations.
- Move shared library calls from individual modules to the domain module.
- Enable open permission checks policy capability.
- Remove hierarchy from portage module as it is not a good example of
diff --git a/Makefile b/Makefile
index ec7c7d5..12c9128 100644
--- a/Makefile
+++ b/Makefile
@@ -204,6 +204,10 @@ ifeq ($(DIRECT_INITRC),y)
M4PARAM += -D direct_sysadm_daemon
endif
+ifeq "$(UBAC)" "y"
+ M4PARAM += -D enable_ubac
+endif
+
# default MLS/MCS sensitivity and category settings.
MLS_SENS ?= 16
MLS_CATS ?= 256
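Review bot: The new test `ifeq "$(UBAC)" "y"` is written in a different form from the `ifeq ($(DIRECT_INITRC),y)` test that opens this hunk, and it matches only the exact string `y`, so an unset UBAC, a `Y`, or trailing whitespace picked up from a hand-edited build.conf silently produces a policy without any of the UBAC constraints and without a warning. Since this flag decides whether a whole class of constraints exists in the compiled policy, I would make it tolerant and explicit: `ifeq ($(strip $(UBAC)),y)`, plus a default next to the other knobs (the `DIRECT_INITRC ?=` default presumably lives outside this hunk, so I am inferring where it belongs). A `$(error UBAC must be y or n)` branch for any other value would be stricter still, which the other boolean knobs in this file do not do today.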
@@ -550,6 +554,7 @@ ifneq "$(DISTRO)" ""
endif
$(verbose) echo "MONOLITHIC ?= n" >> $(headerdir)/build.conf
$(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(headerdir)/build.conf
+ $(verbose) echo "override UBAC := $(UBAC)" >> $(headerdir)/build.conf
$(verbose) echo "override MLS_SENS := $(MLS_SENS)" >> $(headerdir)/build.conf
$(verbose) echo "override MLS_CATS := $(MLS_CATS)" >> $(headerdir)/build.conf
$(verbose) echo "override MCS_CATS := $(MCS_CATS)" >> $(headerdir)/build.conf
diff --git a/README b/README
index 37d5ce3..184c6ef 100644
--- a/README
+++ b/README
@@ -119,6 +119,9 @@ UNK_PERMS String. Set the kernel behavior for handling of
policy. The permissions can either be allowed, denied,
or the policy loading can be rejected.
+UBAC Boolean. If set, the SELinux user will be used
+ additionally for approximate role separation.
+
MLS_SENS Integer. Set the number of sensitivities in the MLS
policy. Ignored on standard and MCS policies.
diff --git a/Rules.modular b/Rules.modular
index 6c5f58e..168a14f 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -157,7 +157,7 @@ endif
$(verbose) $(M4) $(M4PARAM) -s $^ > $@
$(tmpdir)/post_te_files.conf: M4PARAM += -D self_contained_policy
-$(tmpdir)/post_te_files.conf: $(m4support) $(base_post_te_files)
+$(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(base_post_te_files)
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) $(M4) $(M4PARAM) $^ > $@
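Review bot: The recipe feeds `$^` to m4 in prerequisite order, so this change only works because `$(tmpdir)/generated_definitions.conf` is placed between `$(m4support)` and the post_te files, which is presumably where the `all_<class>_perms` macros expanded by the new constraints in policy/constraints come from. Nothing in the rule records that ordering requirement, and a later reorder of the prerequisite list would break the build in a non-obvious way. A comment above the rule such as `# generated_definitions.conf must precede the post_te files: policy/constraints expands all_*_perms` would protect it; the twin rule in Rules.monolithic needs the same note.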
diff --git a/Rules.monolithic b/Rules.monolithic
index 4b6acbc..1dde01a 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -142,7 +142,7 @@ endif
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) $(M4) $(M4PARAM) -s $^ > $@
-$(tmpdir)/post_te_files.conf: $(m4support) $(post_te_files)
+$(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(post_te_files)
@test -d $(tmpdir) || mkdir -p $(tmpdir)
$(verbose) $(M4) $(M4PARAM) $^ > $@
diff --git a/build.conf b/build.conf
index 1cd0d66..58fd51d 100644
--- a/build.conf
+++ b/build.conf
@@ -48,6 +48,10 @@ DIRECT_INITRC = n
# will build a loadable module policy.
MONOLITHIC = y
+# User-based access control (UBAC)
+# Enable UBAC for role separations.
+UBAC = y
+
# Number of MLS Sensitivities
# The sensitivities will be s0 to s(MLS_SENS-1).
# Dominance will be in increasing numerical order
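Review bot: The comment for the new knob ("Enable UBAC for role separations") does not tell an administrator what they are turning on or off, which matters because the switch is build-time and because this same commit changes what the shipped default_contexts mean. From policy/constraints in this commit, UBAC adds constraints so a subject may only act on files, sockets, IPC, X, key and database objects that share its SELinux user, with `system_u` on either side and types outside `ubac_constrained_type` exempt. It is also worth stating that with `UBAC = n` the user_r, staff_r and sysadm_r cron jobs, which the new default_contexts all map to the single `cronjob_t` type, are no longer separated by type at all. A comment such as `# UBAC constrains access between subjects and objects of different SELinux users (system_u exempt); it is now what separates user/staff/sysadm cron jobs, so disable only if that loss is acceptable.` would capture both points.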
diff --git a/config/appconfig-mcs/default_contexts b/config/appconfig-mcs/default_contexts
index c2b7a80..22aeb67 100644
--- a/config/appconfig-mcs/default_contexts
+++ b/config/appconfig-mcs/default_contexts
@@ -1,4 +1,4 @@
-system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
+system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
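Review bot: The system_r candidate for crond_t on the first line becomes `system_r:cronjob_t:s0` here (and identically in appconfig-mls/default_contexts), but the appconfig-standard/default_contexts file in this same commit keeps `system_r:system_crond_t`; the three variants are otherwise kept in lockstep, so one of the two is presumably a mistake. If `cronjob_t` is the intended domain for system_r cron jobs the standard file should be changed to match; if system cron jobs keep their own domain this line should remain `system_r:system_crond_t:s0`. Note also that user_r, staff_r and sysadm_r now all resolve to the one `cronjob_t` type, so separation between those roles' cron jobs rests on the role and on the UBAC user constraint rather than on distinct types.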
diff --git a/config/appconfig-mcs/root_default_contexts b/config/appconfig-mcs/root_default_contexts
index 7f4a125..7805778 100644
--- a/config/appconfig-mcs/root_default_contexts
+++ b/config/appconfig-mcs/root_default_contexts
@@ -1,4 +1,4 @@
-system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts
index 679a5dd..881a292 100644
--- a/config/appconfig-mcs/staff_u_default_contexts
+++ b/config/appconfig-mcs/staff_u_default_contexts
@@ -1,7 +1,7 @@
system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:remote_login_t:s0 staff_r:staff_t:s0
system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-system_r:crond_t:s0 staff_r:staff_crond_t:s0
+system_r:crond_t:s0 staff_r:cronjob_t:s0
system_r:xdm_t:s0 staff_r:staff_t:s0
staff_r:staff_su_t:s0 staff_r:staff_t:s0
staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
diff --git a/config/appconfig-mcs/unconfined_u_default_contexts b/config/appconfig-mcs/unconfined_u_default_contexts
index 53b04ec..106e093 100644
--- a/config/appconfig-mcs/unconfined_u_default_contexts
+++ b/config/appconfig-mcs/unconfined_u_default_contexts
@@ -1,4 +1,4 @@
-system_r:crond_t:s0 unconfined_r:unconfined_t:s0
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
system_r:initrc_t:s0 unconfined_r:unconfined_t:s0
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0
system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0
diff --git a/config/appconfig-mcs/user_u_default_contexts b/config/appconfig-mcs/user_u_default_contexts
index 38656b1..cacbc93 100644
--- a/config/appconfig-mcs/user_u_default_contexts
+++ b/config/appconfig-mcs/user_u_default_contexts
@@ -1,7 +1,7 @@
system_r:local_login_t:s0 user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0 user_r:user_t:s0
-system_r:crond_t:s0 user_r:user_crond_t:s0
+system_r:crond_t:s0 user_r:cronjob_t:s0
system_r:xdm_t:s0 user_r:user_t:s0
user_r:user_su_t:s0 user_r:user_t:s0
user_r:user_sudo_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-mls/default_contexts b/config/appconfig-mls/default_contexts
index c2b7a80..22aeb67 100644
--- a/config/appconfig-mls/default_contexts
+++ b/config/appconfig-mls/default_contexts
@@ -1,4 +1,4 @@
-system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
+system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
diff --git a/config/appconfig-mls/root_default_contexts b/config/appconfig-mls/root_default_contexts
index 7f4a125..7805778 100644
--- a/config/appconfig-mls/root_default_contexts
+++ b/config/appconfig-mls/root_default_contexts
@@ -1,4 +1,4 @@
-system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-mls/staff_u_default_contexts b/config/appconfig-mls/staff_u_default_contexts
index 679a5dd..881a292 100644
--- a/config/appconfig-mls/staff_u_default_contexts
+++ b/config/appconfig-mls/staff_u_default_contexts
@@ -1,7 +1,7 @@
system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:remote_login_t:s0 staff_r:staff_t:s0
system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-system_r:crond_t:s0 staff_r:staff_crond_t:s0
+system_r:crond_t:s0 staff_r:cronjob_t:s0
system_r:xdm_t:s0 staff_r:staff_t:s0
staff_r:staff_su_t:s0 staff_r:staff_t:s0
staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
diff --git a/config/appconfig-mls/unconfined_u_default_contexts b/config/appconfig-mls/unconfined_u_default_contexts
index 53b04ec..106e093 100644
--- a/config/appconfig-mls/unconfined_u_default_contexts
+++ b/config/appconfig-mls/unconfined_u_default_contexts
@@ -1,4 +1,4 @@
-system_r:crond_t:s0 unconfined_r:unconfined_t:s0
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
system_r:initrc_t:s0 unconfined_r:unconfined_t:s0
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0
system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0
diff --git a/config/appconfig-mls/user_u_default_contexts b/config/appconfig-mls/user_u_default_contexts
index 38656b1..cacbc93 100644
--- a/config/appconfig-mls/user_u_default_contexts
+++ b/config/appconfig-mls/user_u_default_contexts
@@ -1,7 +1,7 @@
system_r:local_login_t:s0 user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0 user_r:user_t:s0
-system_r:crond_t:s0 user_r:user_crond_t:s0
+system_r:crond_t:s0 user_r:cronjob_t:s0
system_r:xdm_t:s0 user_r:user_t:s0
user_r:user_su_t:s0 user_r:user_t:s0
user_r:user_sudo_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-standard/default_contexts b/config/appconfig-standard/default_contexts
index 4bb784d..6141347 100644
--- a/config/appconfig-standard/default_contexts
+++ b/config/appconfig-standard/default_contexts
@@ -1,4 +1,4 @@
-system_r:crond_t user_r:user_crond_t staff_r:staff_crond_t sysadm_r:sysadm_crond_t system_r:system_crond_t unconfined_r:unconfined_crond_t
+system_r:crond_t user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_crond_t unconfined_r:unconfined_cronjob_t
system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t
system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
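Review bot: This file keeps `system_r:system_crond_t` on the first line while the MCS and MLS default_contexts in the same commit change the system_r candidate to `system_r:cronjob_t:s0`; the three appconfig variants are otherwise identical line for line, so the divergence looks unintentional. Either this line should read `system_r:cronjob_t` or the MCS/MLS files should retain `system_crond_t`, depending on whether the system cron job domain survives the consolidation, which the diff does not show.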
diff --git a/config/appconfig-standard/root_default_contexts b/config/appconfig-standard/root_default_contexts
index 3806d33..f522568 100644
--- a/config/appconfig-standard/root_default_contexts
+++ b/config/appconfig-standard/root_default_contexts
@@ -1,4 +1,4 @@
-system_r:crond_t unconfined_r:unconfined_t sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t
+system_r:crond_t unconfined_r:unconfined_t sysadm_r:cronjob_t staff_r:cronjob_t user_r:cronjob_t
system_r:local_login_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
staff_r:staff_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
diff --git a/config/appconfig-standard/staff_u_default_contexts b/config/appconfig-standard/staff_u_default_contexts
index 456bbf9..c2a5ea8 100644
--- a/config/appconfig-standard/staff_u_default_contexts
+++ b/config/appconfig-standard/staff_u_default_contexts
@@ -1,7 +1,7 @@
system_r:local_login_t staff_r:staff_t sysadm_r:sysadm_t
system_r:remote_login_t staff_r:staff_t
system_r:sshd_t staff_r:staff_t sysadm_r:sysadm_t
-system_r:crond_t staff_r:staff_crond_t
+system_r:crond_t staff_r:cronjob_t
system_r:xdm_t staff_r:staff_t
staff_r:staff_su_t staff_r:staff_t
staff_r:staff_sudo_t staff_r:staff_t
diff --git a/config/appconfig-standard/unconfined_u_default_contexts b/config/appconfig-standard/unconfined_u_default_contexts
index 1b26b60..e340b21 100644
--- a/config/appconfig-standard/unconfined_u_default_contexts
+++ b/config/appconfig-standard/unconfined_u_default_contexts
@@ -1,4 +1,4 @@
-system_r:crond_t unconfined_r:unconfined_t
+system_r:crond_t unconfined_r:unconfined_t unconfined_r:unconfined_cronjob_t
system_r:initrc_t unconfined_r:unconfined_t
system_r:local_login_t unconfined_r:unconfined_t
system_r:remote_login_t unconfined_r:unconfined_t
diff --git a/config/appconfig-standard/user_u_default_contexts b/config/appconfig-standard/user_u_default_contexts
index 26835d8..f5bfac3 100644
--- a/config/appconfig-standard/user_u_default_contexts
+++ b/config/appconfig-standard/user_u_default_contexts
@@ -1,7 +1,7 @@
system_r:local_login_t user_r:user_t
system_r:remote_login_t user_r:user_t
system_r:sshd_t user_r:user_t
-system_r:crond_t user_r:user_crond_t
+system_r:crond_t user_r:cronjob_t
system_r:xdm_t user_r:user_t
user_r:user_su_t user_r:user_t
user_r:user_sudo_t user_r:user_t
diff --git a/policy/constraints b/policy/constraints
index 2e58ead..bf4a736 100644
--- a/policy/constraints
+++ b/policy/constraints
@@ -25,59 +25,219 @@
# name_list : name | name_list name
#
+define(`basic_ubac_conditions',`
+ ifdef(`enable_ubac',`
+ u1 == u2
+ or u1 == system_u
+ or u2 == system_u
+ or t1 != ubac_constrained_type
+ or t2 != ubac_constrained_type
+ ')
+')
+
+define(`basic_ubac_constraint',`
+ ifdef(`enable_ubac',`
+ constrain $1 all_$1_perms
+ (
+ basic_ubac_conditions
+ );
+ ')
+')
+
+define(`exempted_ubac_constraint',`
+ ifdef(`enable_ubac',`
+ constrain $1 all_$1_perms
+ (
+ basic_ubac_conditions
+ or t1 == $2
+ );
+ ')
+')
+
+########################################
#
-# SELinux process identity change constraint:
+# File rules
#
-constrain process transition
+
+exempted_ubac_constraint(dir, ubacfile)
+exempted_ubac_constraint(file, ubacfile)
+exempted_ubac_constraint(lnk_file, ubacfile)
+exempted_ubac_constraint(fifo_file, ubacfile)
+exempted_ubac_constraint(sock_file, ubacfile)
+exempted_ubac_constraint(chr_file, ubacfile)
+exempted_ubac_constraint(blk_file, ubacfile)
+
+# SElinux object identity change constraint:
+constrain dir_file_class_set { create relabelto relabelfrom }
(
u1 == u2
+ or t1 == can_change_object_identity
+);
- or ( t1 == can_change_process_identity and t2 == process_user_target )
+########################################
+#
+# Process rules
+#
- or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
+constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit }
+(
+ basic_ubac_conditions
+ or t1 == ubacproc
+);
+constrain process { transition noatsecure siginh rlimitinh }
+(
+ u1 == u2
+ or ( t1 == can_change_process_identity and t2 == process_user_target )
+ or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
or ( t1 == can_system_change and u2 == system_u )
-
or ( t1 == process_uncond_exempt )
);
-#
-# SELinux process role change constraint:
-#
-constrain process transition
+constrain process { transition noatsecure siginh rlimitinh }
(
- r1 == r2
-
- or ( t1 == can_change_process_role and t2 == process_user_target )
-
- or ( t1 == cron_source_domain and t2 == cron_job_domain )
-
- or ( t1 == can_system_change and r2 == system_r )
-
+ r1 == r2
+ or ( t1 == can_change_process_identity and t2 == process_user_target )
+ or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
+ or ( t1 == can_system_change and u2 == system_u )
or ( t1 == process_uncond_exempt )
);
-#
-# SELinux dynamic transition constraint:
-#
constrain process dyntransition
(
u1 == u2 and r1 == r2
);
+# These permissions do not have ubac constraints:
+# fork
+# setexec
+# setfscreate
+# setcurrent
+# execmem
+# execstack
+# execheap
+# setkeycreate
+# setsockcreate
+
+########################################
#
-# SElinux object identity change constraint:
+# File descriptor rules
#
-constrain dir_file_class_set { create relabelto relabelfrom }
-(
- u1 == u2
- or t1 == can_change_object_identity
-);
+exempted_ubac_constraint(fd, ubacfd)
+
+########################################
+#
+# Socket rules
+#
+
+exempted_ubac_constraint(socket, ubacsock)
+exempted_ubac_constraint(tcp_socket, ubacsock)
+exempted_ubac_constraint(udp_socket, ubacsock)
+exempted_ubac_constraint(rawip_socket, ubacsock)
+exempted_ubac_constraint(netlink_socket, ubacsock)
+exempted_ubac_constraint(packet_socket, ubacsock)
+exempted_ubac_constraint(key_socket, ubacsock)
+exempted_ubac_constraint(unix_stream_socket, ubacsock)
+exempted_ubac_constraint(unix_dgram_socket, ubacsock)
+exempted_ubac_constraint(netlink_route_socket, ubacsock)
+exempted_ubac_constraint(netlink_firewall_socket, ubacsock)
+exempted_ubac_constraint(netlink_tcpdiag_socket, ubacsock)
+exempted_ubac_constraint(netlink_nflog_socket, ubacsock)
+exempted_ubac_constraint(netlink_xfrm_socket, ubacsock)
+exempted_ubac_constraint(netlink_selinux_socket, ubacsock)
+exempted_ubac_constraint(netlink_audit_socket, ubacsock)
+exempted_ubac_constraint(netlink_ip6fw_socket, ubacsock)
+exempted_ubac_constraint(netlink_dnrt_socket, ubacsock)
+exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock)
+exempted_ubac_constraint(appletalk_socket, ubacsock)
+exempted_ubac_constraint(dccp_socket, ubacsock)
constrain socket_class_set { create relabelto relabelfrom }
(
u1 == u2
-
or t1 == can_change_object_identity
);
+
+########################################
+#
+# SysV IPC rules
+
+exempted_ubac_constraint(sem, ubacipc)
+exempted_ubac_constraint(msg, ubacipc)
+exempted_ubac_constraint(msgq, ubacipc)
+exempted_ubac_constraint(shm, ubacipc)
+exempted_ubac_constraint(ipc, ubacipc)
+
+########################################
+#
+# SE-X Windows rules
+#
+
+exempted_ubac_constraint(x_drawable, ubacxwin)
+exempted_ubac_constraint(x_screen, ubacxwin)
+exempted_ubac_constraint(x_gc, ubacxwin)
+exempted_ubac_constraint(x_font, ubacxwin)
+exempted_ubac_constraint(x_colormap, ubacxwin)
+exempted_ubac_constraint(x_property, ubacxwin)
+exempted_ubac_constraint(x_selection, ubacxwin)
+exempted_ubac_constraint(x_cursor, ubacxwin)
+exempted_ubac_constraint(x_client, ubacxwin)
+exempted_ubac_constraint(x_device, ubacxwin)
+exempted_ubac_constraint(x_server, ubacxwin)
+exempted_ubac_constraint(x_extension, ubacxwin)
+exempted_ubac_constraint(x_resource, ubacxwin)
+exempted_ubac_constraint(x_event, ubacxwin)
+exempted_ubac_constraint(x_synthetic_event, ubacxwin)
+exempted_ubac_constraint(x_application_data, ubacxwin)
+
+########################################
+#
+# D-BUS rules
+#
+
+exempted_ubac_constraint(dbus, ubacdbus)
+
+########################################
+#
+# Key rules
+#
+
+exempted_ubac_constraint(key, ubackey)
+
+########################################
+#
+# Database rules
+#
+
+exempted_ubac_constraint(db_database, ubacdb)
+exempted_ubac_constraint(db_table, ubacdb)
+exempted_ubac_constraint(db_procedure, ubacdb)
+exempted_ubac_constraint(db_column, ubacdb)
+exempted_ubac_constraint(db_tuple, ubacdb)
+exempted_ubac_constraint(db_blob, ubacdb)
+
+
+
+basic_ubac_constraint(association)
+basic_ubac_constraint(peer)
+
+
+# these classes have no UBAC restrictions
+#class security
+#class system
+#class capability
+#class memprotect
+#class passwd # userspace
+#class node
+#class netif
+#class packet
+#class capability2
+#class nscd # userspace
+#class context # userspace
+
+
+
+undefine(`basic_ubac_constraint')
+undefine(`basic_ubac_conditions')
+undefine(`exempted_ubac_constraint')
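Review bot: The first constraint under "Process rules" — `constrain process { sigchld sigkill ... setrlimit } ( basic_ubac_conditions or t1 == ubacproc );` — is not guarded by enable_ubac, yet `basic_ubac_conditions` is defined to expand to nothing when `enable_ubac` is undefined, which leaves `( or t1 == ubacproc );` in the generated policy and should fail to parse on a UBAC=n build. Every other use of the conditions goes through `basic_ubac_constraint` or `exempted_ubac_constraint`, both of which carry the ifdef(`enable_ubac', ... ') wrapper; this constraint needs the same wrapper around the whole `constrain ... ;` statement. Separately, the rewritten role constraint now tests `u2 == system_u` for `can_system_change` where the removed text tested `r2 == system_r`, and it uses `can_change_process_identity` in place of `can_change_process_role`; if mirroring the user constraint is deliberate, a one-line comment above it saying so would spare the next reader the line-by-line comparison. The "SysV IPC rules" header is also missing the closing `#` line that every other section header here has.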
diff --git a/policy/global_tunables b/policy/global_tunables
index ee3e484..c08ca6f 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -62,8 +62,8 @@ gen_tunable(global_ssp,false)
##
##
## Allow email client to various content.
-## nfs, samba, removable devices, user temp
-## and untrusted content files
+## nfs, samba, removable devices, and user temp
+## files
##
##
gen_tunable(mail_read_content,false)
@@ -91,15 +91,6 @@ gen_tunable(read_default_t,false)
##
##
-## Allow applications to read untrusted content
-## If this is disallowed, Internet content has
-## to be manually relabeled for read access to be granted
-##
-##
-gen_tunable(read_untrusted_content,false)
-
-##
-##
## Support NFS home directories
##
##
@@ -120,12 +111,3 @@ gen_tunable(use_samba_home_dirs,false)
##
##
gen_tunable(user_tcp_server,false)
-
-##
-##
-## Allow applications to write untrusted content
-## If this is disallowed, no Internet content
-## will be stored.
-##
-##
-gen_tunable(write_untrusted_content,false)
diff --git a/policy/modules/admin/acct.te b/policy/modules/admin/acct.te
index 8a7c421..e51ae66 100644
--- a/policy/modules/admin/acct.te
+++ b/policy/modules/admin/acct.te
@@ -1,5 +1,5 @@
-policy_module(acct, 1.2.0)
+policy_module(acct, 1.2.1)
########################################
#
@@ -64,8 +64,7 @@ logging_send_syslog_msg(acct_t)
miscfiles_read_localization(acct_t)
userdom_dontaudit_use_unpriv_user_fds(acct_t)
-
-sysadm_dontaudit_search_home_dirs(acct_t)
+userdom_dontaudit_search_user_home_dirs(acct_t)
optional_policy(`
optional_policy(`
diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
index b7cb5df..fd3abca 100644
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@@ -1,5 +1,5 @@
-policy_module(alsa, 1.6.0)
+policy_module(alsa, 1.6.1)
########################################
#
@@ -60,10 +60,7 @@ miscfiles_read_localization(alsa_t)
userdom_manage_unpriv_user_semaphores(alsa_t)
userdom_manage_unpriv_user_shared_mem(alsa_t)
-
-sysadm_dontaudit_search_home_dirs(alsa_t)
-
-unprivuser_search_home_dirs(alsa_t)
+userdom_search_user_home_dirs(alsa_t)
optional_policy(`
hal_use_fds(alsa_t)
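Review bot: Replacing `sysadm_dontaudit_search_home_dirs` plus `unprivuser_search_home_dirs` with the single `userdom_search_user_home_dirs(alsa_t)` changes the grant rather than just its spelling: alsa_t previously could search unprivileged users' home directories while searching sysadm's was only silenced, and now, if the userdom interface covers every user home directory type as its name suggests, searching sysadm's home is allowed as well. That is a small widening in line with the commit's goal of dropping per-role interfaces, but it should be recorded; `# search on all user home dirs (was: unpriv users only, sysadm dontaudit)` on the new line would do. Several other admin modules in this commit make the same substitution.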
diff --git a/policy/modules/admin/amanda.if b/policy/modules/admin/amanda.if
index e877b02..dab38fb 100644
--- a/policy/modules/admin/amanda.if
+++ b/policy/modules/admin/amanda.if
@@ -33,11 +33,6 @@ interface(`amanda_domtrans_recover',`
## The role to be allowed the amanda_recover domain.
##
##
-##
-##
-## The type of the terminal allow the amanda_recover domain to use.
-##
-##
##
#
interface(`amanda_run_recover',`
@@ -47,7 +42,6 @@ interface(`amanda_run_recover',`
amanda_domtrans_recover($1)
role $2 types amanda_recover_t;
- allow amanda_recover_t $3:chr_file rw_term_perms;
')
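Review bot: Dropping the third parameter from amanda_run_recover changes its documented arity, but m4 silently ignores surplus arguments, so a caller still written as `amanda_run_recover(foo_t, foo_r, foo_tty_t)` keeps building with the terminal argument quietly discarded while the terminal access it expected now comes from a broader grant in amanda.te. A deprecation remark in the interface summary, for example "The terminal parameter has been removed; terminal access is now granted in amanda.te via userdom_use_user_terminals", would help downstream policy authors notice the change, and the same applies to every *_run interface trimmed in this commit. The gen_require block at the start of the interface lies outside the hunk.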
########################################
diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te
index dd39ca4..4b32928 100644
--- a/policy/modules/admin/amanda.te
+++ b/policy/modules/admin/amanda.te
@@ -1,5 +1,5 @@
-policy_module(amanda, 1.10.0)
+policy_module(amanda, 1.10.1)
#######################################
#
@@ -182,7 +182,7 @@ manage_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_
manage_lnk_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
manage_fifo_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
manage_sock_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
-sysadm_home_dir_filetrans(amanda_recover_t, amanda_recover_dir_t, { dir file lnk_file sock_file fifo_file })
+userdom_user_home_dir_filetrans(amanda_recover_t, amanda_recover_dir_t, { dir file lnk_file sock_file fifo_file })
manage_dirs_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
manage_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
@@ -227,4 +227,5 @@ logging_search_logs(amanda_recover_t)
miscfiles_read_localization(amanda_recover_t)
-sysadm_search_home_content_dirs(amanda_recover_t)
+userdom_use_user_terminals(amanda_recover_t)
+userdom_search_user_home_content(amanda_recover_t)
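Review bot: `userdom_use_user_terminals(amanda_recover_t)` takes the place of the per-call `allow amanda_recover_t $3:chr_file rw_term_perms` that amanda_run_recover used to emit for the invoking role's terminal type, so the recover domain now appears to get rw on every user terminal type unconditionally rather than on the one the caller passed. With UBAC enabled this is presumably tempered by the chr_file user constraint if the terminal types carry `ubac_constrained_type`, but with UBAC=n it is a genuine widening across roles. A comment on the new line — `# rw on all user ttys/ptys (was per-role via $3); relies on UBAC for cross-user separation` — would make the trade-off explicit. The same substitution is made in amtu, apt, backup, bootloader, certwatch, consoletype, ddcprobe, dmesg and dmidecode in this commit and the note applies equally there.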
diff --git a/policy/modules/admin/amtu.if b/policy/modules/admin/amtu.if
index 01432cc..18e3bc6 100644
--- a/policy/modules/admin/amtu.if
+++ b/policy/modules/admin/amtu.if
@@ -34,11 +34,6 @@ interface(`amtu_domtrans',`
## The role to be allowed the amtu domain.
##
##
-##
-##
-## The type of the terminal allow the amtu domain to use.
-##
-##
#
interface(`amtu_run',`
gen_require(`
@@ -47,5 +42,4 @@ interface(`amtu_run',`
amtu_domtrans($1)
role $2 types amtu_t;
- allow amtu_t $3:chr_file rw_term_perms;
')
diff --git a/policy/modules/admin/amtu.te b/policy/modules/admin/amtu.te
index fd34746..ec4c097 100644
--- a/policy/modules/admin/amtu.te
+++ b/policy/modules/admin/amtu.te
@@ -1,4 +1,4 @@
-policy_module(amtu,1.1.0)
+policy_module(amtu, 1.1.1)
########################################
#
@@ -23,6 +23,8 @@ files_read_etc_files(amtu_t)
logging_send_audit_msgs(amtu_t)
+userdom_use_user_terminals(amtu_t)
+
optional_policy(`
nscd_dontaudit_search_pid(amtu_t)
')
diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te
index 35d22c5..9e11224 100644
--- a/policy/modules/admin/anaconda.te
+++ b/policy/modules/admin/anaconda.te
@@ -1,5 +1,5 @@
-policy_module(anaconda, 1.4.0)
+policy_module(anaconda, 1.4.1)
########################################
#
@@ -32,7 +32,7 @@ modutils_domtrans_insmod(anaconda_t)
seutil_domtrans_semanage(anaconda_t)
-unprivuser_home_dir_filetrans_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
+userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
optional_policy(`
kudzu_domtrans(anaconda_t)
diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if
index 99004b5..68ecf71 100644
--- a/policy/modules/admin/apt.if
+++ b/policy/modules/admin/apt.if
@@ -34,11 +34,6 @@ interface(`apt_domtrans',`
## The role to allow the apt domain.
##
##
-##
-##
-## The type of the terminal allow the apt domain to use.
-##
-##
##
#
interface(`apt_run',`
@@ -48,7 +43,6 @@ interface(`apt_run',`
apt_domtrans($1)
role $2 types apt_t;
- allow apt_t $3:chr_file rw_term_perms;
# TODO: likely have to add dpkg_run here.
')
diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
index d59fc5c..37226e1 100644
--- a/policy/modules/admin/apt.te
+++ b/policy/modules/admin/apt.te
@@ -1,5 +1,5 @@
-policy_module(apt, 1.4.0)
+policy_module(apt, 1.4.1)
########################################
#
@@ -119,6 +119,8 @@ seutil_use_newrole_fds(apt_t)
sysnet_read_config(apt_t)
+userdom_use_user_terminals(apt_t)
+
# with boolean, for cron-apt and such?
#optional_policy(`
# cron_system_entry(apt_t,apt_exec_t)
diff --git a/policy/modules/admin/backup.if b/policy/modules/admin/backup.if
index 8720ae7..29ed36e 100644
--- a/policy/modules/admin/backup.if
+++ b/policy/modules/admin/backup.if
@@ -33,11 +33,6 @@ interface(`backup_domtrans',`
## The role to be allowed the backup domain.
##
##
-##
-##
-## Domain allowed access.
-##
-##
##
#
interface(`backup_run',`
@@ -47,5 +42,4 @@ interface(`backup_run',`
backup_domtrans($1)
role $2 types backup_t;
- allow backup_t $3:chr_file rw_term_perms;
')
diff --git a/policy/modules/admin/backup.te b/policy/modules/admin/backup.te
index bfe5fab..eea9a80 100644
--- a/policy/modules/admin/backup.te
+++ b/policy/modules/admin/backup.te
@@ -1,5 +1,5 @@
-policy_module(backup, 1.3.0)
+policy_module(backup, 1.3.1)
########################################
#
@@ -71,6 +71,8 @@ logging_send_syslog_msg(backup_t)
sysnet_read_config(backup_t)
+userdom_use_user_terminals(backup_t)
+
optional_policy(`
cron_system_entry(backup_t, backup_exec_t)
')
diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
index e083200..0106920 100644
--- a/policy/modules/admin/bootloader.if
+++ b/policy/modules/admin/bootloader.if
@@ -33,11 +33,6 @@ interface(`bootloader_domtrans',`
## The role to be allowed the bootloader domain.
##
##
-##
-##
-## The type of the terminal allow the bootloader domain to use.
-##
-##
##
#
interface(`bootloader_run',`
@@ -48,11 +43,10 @@ interface(`bootloader_run',`
bootloader_domtrans($1)
role $2 types bootloader_t;
- allow bootloader_t $3:chr_file rw_term_perms;
ifdef(`distro_redhat',`
# for mke2fs
- mount_run(bootloader_t, $2, $3)
+ mount_run(bootloader_t, $2)
')
')
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 292be8b..b11c06b 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -1,5 +1,5 @@
-policy_module(bootloader, 1.9.0)
+policy_module(bootloader, 1.9.1)
########################################
#
@@ -135,6 +135,9 @@ seutil_read_bin_policy(bootloader_t)
seutil_read_loadpolicy(bootloader_t)
seutil_dontaudit_search_config(bootloader_t)
+userdom_use_user_terminals(bootloader_t)
+userdom_dontaudit_search_user_home_dirs(bootloader_t)
+
ifdef(`distro_debian',`
allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
fs_list_tmpfs(bootloader_t)
@@ -211,11 +214,3 @@ optional_policy(`
optional_policy(`
rpm_rw_pipes(bootloader_t)
')
-
-optional_policy(`
- staff_dontaudit_search_home_dirs(bootloader_t)
-')
-
-optional_policy(`
- sysadm_dontaudit_search_home_dirs(bootloader_t)
-')
diff --git a/policy/modules/admin/certwatch.if b/policy/modules/admin/certwatch.if
index 6dc459a..1cbd014 100644
--- a/policy/modules/admin/certwatch.if
+++ b/policy/modules/admin/certwatch.if
@@ -37,11 +37,6 @@ interface(`certwatch_domtrans',`
## The role to be allowed the certwatch domain.
##
##
-##
-##
-## The type of the terminal allow the certwatch domain to use.
-##
-##
##
#
interface(`certwatch_run',`
@@ -51,7 +46,6 @@ interface(`certwatch_run',`
certwatch_domtrans($1)
role $2 types certwatch_t;
- allow certwatch_t $3:chr_file rw_term_perms;
')
########################################
diff --git a/policy/modules/admin/certwatch.te b/policy/modules/admin/certwatch.te
index 46913fd..15be490 100644
--- a/policy/modules/admin/certwatch.te
+++ b/policy/modules/admin/certwatch.te
@@ -32,6 +32,8 @@ logging_send_syslog_msg(certwatch_t)
miscfiles_read_certs(certwatch_t)
miscfiles_read_localization(certwatch_t)
+userdom_use_user_terminals(certwatch_t)
+
optional_policy(`
apache_exec_modules(certwatch_t)
')
diff --git a/policy/modules/admin/consoletype.if b/policy/modules/admin/consoletype.if
index bb06d8c..bd8c9c9 100644
--- a/policy/modules/admin/consoletype.if
+++ b/policy/modules/admin/consoletype.if
@@ -36,11 +36,6 @@ interface(`consoletype_domtrans',`
## The role to be allowed the consoletype domain.
##
##
-##
-##
-## The type of the terminal allow the consoletype domain to use.
-##
-##
#
interface(`consoletype_run',`
gen_require(`
@@ -49,7 +44,6 @@ interface(`consoletype_run',`
consoletype_domtrans($1)
role $2 types consoletype_t;
- allow consoletype_t $3:chr_file rw_term_perms;
')
########################################
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
index 2672c68..d3700dd 100644
--- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te
@@ -1,5 +1,5 @@
-policy_module(consoletype, 1.6.0)
+policy_module(consoletype, 1.6.1)
########################################
#
@@ -54,6 +54,8 @@ domain_use_interactive_fds(consoletype_t)
files_dontaudit_read_root_files(consoletype_t)
files_list_usr(consoletype_t)
+userdom_use_user_terminals(consoletype_t)
+
ifdef(`distro_redhat',`
fs_rw_tmpfs_chr_files(consoletype_t)
')
diff --git a/policy/modules/admin/ddcprobe.if b/policy/modules/admin/ddcprobe.if
index e334a51..898f54e 100644
--- a/policy/modules/admin/ddcprobe.if
+++ b/policy/modules/admin/ddcprobe.if
@@ -33,11 +33,6 @@ interface(`ddcprobe_domtrans',`
## Role to be authenticated for ddcprobe domain.
##
##
-##
-##
-## The type of the terminal allow the clock domain to use.
-##
-##
##
#
interface(`ddcprobe_run',`
@@ -47,5 +42,4 @@ interface(`ddcprobe_run',`
ddcprobe_domtrans($1)
role $2 types ddcprobe_t;
- allow ddcprobe_t $3:chr_file rw_term_perms;
')
diff --git a/policy/modules/admin/ddcprobe.te b/policy/modules/admin/ddcprobe.te
index 07f9f03..be46d42 100644
--- a/policy/modules/admin/ddcprobe.te
+++ b/policy/modules/admin/ddcprobe.te
@@ -1,5 +1,5 @@
-policy_module(ddcprobe, 1.1.0)
+policy_module(ddcprobe, 1.1.1)
########################################
#
@@ -45,6 +45,7 @@ miscfiles_read_localization(ddcprobe_t)
modutils_read_module_deps(ddcprobe_t)
+userdom_use_user_terminals(ddcprobe_t)
userdom_use_all_users_fds(ddcprobe_t)
#reh why? this does not seem even necessary to function properly
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
index 02bd258..69ca5b5 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
@@ -1,5 +1,5 @@
-policy_module(dmesg, 1.2.0)
+policy_module(dmesg, 1.2.1)
########################################
#
@@ -48,8 +48,7 @@ logging_write_generic_logs(dmesg_t)
miscfiles_read_localization(dmesg_t)
userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
-
-sysadm_use_terms(dmesg_t)
+userdom_use_user_terminals(dmesg_t)
optional_policy(`
seutil_sigchld_newrole(dmesg_t)
diff --git a/policy/modules/admin/dmidecode.if b/policy/modules/admin/dmidecode.if
index 5a7774a..233e6d4 100644
--- a/policy/modules/admin/dmidecode.if
+++ b/policy/modules/admin/dmidecode.if
@@ -38,11 +38,6 @@ interface(`dmidecode_domtrans',`
## The role to be allowed the dmidecode domain.
##
##
-##
-##
-## The type of the terminal allow the dmidecode domain to use.
-##
-##
##
#
interface(`dmidecode_run',`
@@ -52,5 +47,4 @@ interface(`dmidecode_run',`
dmidecode_domtrans($1)
role $2 types dmidecode_t;
- allow dmidecode_t $3:chr_file rw_term_perms;
')
diff --git a/policy/modules/admin/dmidecode.te b/policy/modules/admin/dmidecode.te
index 8fb4783..d032a09 100644
--- a/policy/modules/admin/dmidecode.te
+++ b/policy/modules/admin/dmidecode.te
@@ -1,5 +1,5 @@
-policy_module(dmidecode, 1.3.0)
+policy_module(dmidecode, 1.3.1)
########################################
#
@@ -24,8 +24,8 @@ dev_read_raw_memory(dmidecode_t)
mls_file_read_all_levels(dmidecode_t)
-term_list_ptys(dmidecode_t)
-
files_list_usr(dmidecode_t)
locallogin_use_fds(dmidecode_t)
+
+userdom_use_user_terminals(dmidecode_t)
diff --git a/policy/modules/admin/dpkg.if b/policy/modules/admin/dpkg.if
index 1822169..560d021 100644
--- a/policy/modules/admin/dpkg.if
+++ b/policy/modules/admin/dpkg.if
@@ -58,11 +58,6 @@ interface(`dpkg_domtrans_script',`
## The role to allow the dpkg domain.
##
##
-##
-##
-## The type of the terminal allow the dpkg domain to use.
-##
-##
##
#
interface(`dpkg_run',`
@@ -73,8 +68,7 @@ interface(`dpkg_run',`
dpkg_domtrans($1)
role $2 types dpkg_t;
role $2 types dpkg_script_t;
- seutil_run_loadpolicy(dpkg_script_t, $2, $3)
- allow dpkg_t $3:chr_file rw_term_perms;
+ seutil_run_loadpolicy(dpkg_script_t, $2)
')
########################################
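Review bot: `seutil_run_loadpolicy(dpkg_script_t, $2)` drops the terminal argument, which is only correct if `seutil_run_loadpolicy` in seutil.if loses its third parameter in the same commit; that change is not in this chunk, so please confirm it, and likewise for the `seutil_run_semanage` and `seutil_run_setfiles` calls changed in rpm.if. If the callee still expands `$3`, the empty argument presumably yields a malformed `allow` that fails at policy compile rather than silently granting nothing, so a mismatch would at least be loud. `dpkg_run` begins above this hunk.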
diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
index f57eab0..2e03742 100644
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@@ -1,5 +1,5 @@
-policy_module(dpkg, 1.5.0)
+policy_module(dpkg, 1.5.1)
########################################
#
@@ -141,8 +141,6 @@ storage_raw_write_fixed_disk(dpkg_t)
# for installing kernel packages
storage_raw_read_fixed_disk(dpkg_t)
-term_list_ptys(dpkg_t)
-
auth_relabel_all_files_except_shadow(dpkg_t)
auth_manage_all_files_except_shadow(dpkg_t)
auth_dontaudit_read_shadow(dpkg_t)
@@ -164,6 +162,7 @@ seutil_manage_bin_policy(dpkg_t)
sysnet_read_config(dpkg_t)
+userdom_use_user_terminals(dpkg_t)
userdom_use_unpriv_users_fds(dpkg_t)
# transition to dpkg script:
@@ -284,8 +283,6 @@ selinux_compute_user_contexts(dpkg_script_t)
storage_raw_read_fixed_disk(dpkg_script_t)
storage_raw_write_fixed_disk(dpkg_script_t)
-term_getattr_unallocated_ttys(dpkg_script_t)
-term_list_ptys(dpkg_script_t)
term_use_all_terms(dpkg_script_t)
auth_dontaudit_getattr_shadow(dpkg_script_t)
diff --git a/policy/modules/admin/firstboot.if b/policy/modules/admin/firstboot.if
index 402cc7a..00415af 100644
--- a/policy/modules/admin/firstboot.if
+++ b/policy/modules/admin/firstboot.if
@@ -36,11 +36,6 @@ interface(`firstboot_domtrans',`
## The role to be allowed the firstboot domain.
##
##
-##
-##
-## The type of the terminal allow the firstboot domain to use.
-##
-##
#
interface(`firstboot_run',`
gen_require(`
@@ -49,7 +44,6 @@ interface(`firstboot_run',`
firstboot_domtrans($1)
role $2 types firstboot_t;
- allow firstboot_t $3:chr_file rw_term_perms;
')
########################################
diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
index ea98cfd..374ffd4 100644
--- a/policy/modules/admin/firstboot.te
+++ b/policy/modules/admin/firstboot.te
@@ -1,5 +1,5 @@
-policy_module(firstboot, 1.8.0)
+policy_module(firstboot, 1.8.1)
gen_require(`
class passwd rootok;
@@ -80,14 +80,15 @@ modutils_domtrans_insmod(firstboot_t)
modutils_read_module_config(firstboot_t)
modutils_read_module_deps(firstboot_t)
+userdom_use_user_terminals(firstboot_t)
# Add/remove user home directories
-unprivuser_manage_home_content_dirs(firstboot_t)
-unprivuser_manage_home_content_files(firstboot_t)
-unprivuser_manage_home_content_symlinks(firstboot_t)
-unprivuser_manage_home_content_pipes(firstboot_t)
-unprivuser_manage_home_content_sockets(firstboot_t)
-unprivuser_home_filetrans_home_dir(firstboot_t)
-unprivuser_home_dir_filetrans_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
+userdom_manage_user_home_content_dirs(firstboot_t)
+userdom_manage_user_home_content_files(firstboot_t)
+userdom_manage_user_home_content_symlinks(firstboot_t)
+userdom_manage_user_home_content_pipes(firstboot_t)
+userdom_manage_user_home_content_sockets(firstboot_t)
+userdom_home_filetrans_user_home_dir(firstboot_t)
+userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
optional_policy(`
hal_dbus_chat(firstboot_t)
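Review bot: The switch from `unprivuser_manage_home_content_*` to `userdom_manage_user_home_content_*` is a scope change, not only a rename: judging by the names, the old interfaces targeted the unprivileged-user prefix while the new ones cover the generic user home content types, so firstboot_t's management rights over home directories may widen. That fits the move away from per-role templates, but it is worth stating in the comment above the block, e.g. `# Add/remove user home directories (generic user home content types; separation relies on UBAC)`. If the userdom interfaces are limited to the same types as before, the comment can say that instead.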
@@ -116,6 +117,6 @@ optional_policy(`
')
optional_policy(`
- xserver_rw_xdm_xserver_shm(firstboot_t)
+ xserver_rw_shm(firstboot_t)
xserver_unconfined(firstboot_t)
')
diff --git a/policy/modules/admin/kismet.if b/policy/modules/admin/kismet.if
index 149ced6..b4cf132 100644
--- a/policy/modules/admin/kismet.if
+++ b/policy/modules/admin/kismet.if
@@ -33,11 +33,6 @@ interface(`kismet_domtrans',`
## The role to be allowed the kismet domain.
##
##
-##
-##
-## The type of the role's terminal.
-##
-##
#
interface(`kismet_run',`
gen_require(`
@@ -46,7 +41,6 @@ interface(`kismet_run',`
kismet_domtrans($1)
role $2 types kismet_t;
- allow kismet_t $3:chr_file rw_term_perms;
')
########################################
diff --git a/policy/modules/admin/kismet.te b/policy/modules/admin/kismet.te
index c6aaa1d..9a243c0 100644
--- a/policy/modules/admin/kismet.te
+++ b/policy/modules/admin/kismet.te
@@ -1,5 +1,5 @@
-policy_module(kismet, 1.1.0)
+policy_module(kismet, 1.1.1)
########################################
#
@@ -52,3 +52,5 @@ auth_use_nsswitch(kismet_t)
files_read_etc_files(kismet_t)
miscfiles_read_localization(kismet_t)
+
+userdom_use_user_terminals(kismet_t)
diff --git a/policy/modules/admin/kudzu.if b/policy/modules/admin/kudzu.if
index 6fb17f7..11c6f9e 100644
--- a/policy/modules/admin/kudzu.if
+++ b/policy/modules/admin/kudzu.if
@@ -33,11 +33,6 @@ interface(`kudzu_domtrans',`
## The role to be allowed the kudzu domain.
##
##
-##
-##
-## The type of the terminal allow the kudzu domain to use.
-##
-##
##
#
interface(`kudzu_run',`
@@ -47,7 +42,6 @@ interface(`kudzu_run',`
kudzu_domtrans($1)
role $2 types kudzu_t;
- allow kudzu_t $3:chr_file rw_term_perms;
')
########################################
diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te
index fe122aa..eef8ee3 100644
--- a/policy/modules/admin/kudzu.te
+++ b/policy/modules/admin/kudzu.te
@@ -1,5 +1,5 @@
-policy_module(kudzu, 1.7.0)
+policy_module(kudzu, 1.7.1)
########################################
#
@@ -77,7 +77,6 @@ storage_raw_write_removable_device(kudzu_t)
storage_raw_read_fixed_disk(kudzu_t)
storage_raw_read_removable_device(kudzu_t)
-term_search_ptys(kudzu_t)
term_dontaudit_use_console(kudzu_t)
# so it can write messages to the console
term_use_unallocated_ttys(kudzu_t)
@@ -123,9 +122,9 @@ modutils_domtrans_insmod(kudzu_t)
sysnet_read_config(kudzu_t)
+userdom_use_user_terminals(kudzu_t)
userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
-
-sysadm_search_home_dirs(kudzu_t)
+userdom_search_user_home_dirs(kudzu_t)
optional_policy(`
gpm_getattr_gpmctl(kudzu_t)
diff --git a/policy/modules/admin/logrotate.if b/policy/modules/admin/logrotate.if
index 3485d9f..f9af0e1 100644
--- a/policy/modules/admin/logrotate.if
+++ b/policy/modules/admin/logrotate.if
@@ -33,11 +33,6 @@ interface(`logrotate_domtrans',`
## The role to be allowed the logrotate domain.
##
##
-##
-##
-## The type of the terminal allow the logrotate domain to use.
-##
-##
##
#
interface(`logrotate_run',`
@@ -47,7 +42,6 @@ interface(`logrotate_run',`
logrotate_domtrans($1)
role $2 types logrotate_t;
- allow logrotate_t $3:chr_file rw_term_perms;
')
########################################
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index 0743fca..982fb75 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -1,5 +1,5 @@
-policy_module(logrotate, 1.10.0)
+policy_module(logrotate, 1.10.1)
########################################
#
@@ -115,6 +115,8 @@ miscfiles_read_localization(logrotate_t)
seutil_dontaudit_read_config(logrotate_t)
+userdom_use_user_terminals(logrotate_t)
+userdom_dontaudit_search_user_home_dirs(logrotate_t)
userdom_use_unpriv_users_fds(logrotate_t)
cron_system_entry(logrotate_t, logrotate_exec_t)
@@ -122,8 +124,6 @@ cron_search_spool(logrotate_t)
mta_send_mail(logrotate_t)
-sysadm_dontaudit_search_home_dirs(logrotate_t)
-
ifdef(`distro_debian', `
allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
# for savelog
diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te
index 80fd11b..d67089e 100644
--- a/policy/modules/admin/logwatch.te
+++ b/policy/modules/admin/logwatch.te
@@ -1,5 +1,5 @@
-policy_module(logwatch, 1.8.0)
+policy_module(logwatch, 1.8.1)
#################################
#
@@ -86,9 +86,9 @@ selinux_dontaudit_getattr_dir(logwatch_t)
sysnet_dns_name_resolve(logwatch_t)
-mta_send_mail(logwatch_t)
+userdom_dontaudit_search_user_home_dirs(logwatch_t)
-sysadm_dontaudit_search_home_dirs(logwatch_t)
+mta_send_mail(logwatch_t)
optional_policy(`
apache_read_log(logwatch_t)
diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te
index 2e013ac..5acd1fd 100644
--- a/policy/modules/admin/mrtg.te
+++ b/policy/modules/admin/mrtg.te
@@ -1,5 +1,5 @@
-policy_module(mrtg, 1.5.0)
+policy_module(mrtg, 1.5.1)
########################################
#
@@ -113,11 +113,10 @@ miscfiles_read_localization(mrtg_t)
selinux_dontaudit_getattr_dir(mrtg_t)
+userdom_use_user_terminals(mrtg_t)
+userdom_dontaudit_read_user_home_content_files(mrtg_t)
userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
-sysadm_use_terms(mrtg_t)
-sysadm_dontaudit_read_home_content_files(mrtg_t)
-
ifdef(`enable_mls',`
corenet_udp_sendrecv_lo_if(mrtg_t)
')
diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if
index 0e3fd06..0ab5f13 100644
--- a/policy/modules/admin/netutils.if
+++ b/policy/modules/admin/netutils.if
@@ -33,11 +33,6 @@ interface(`netutils_domtrans',`
## The role to be allowed the netutils domain.
##
##
-##
-##
-## The type of the terminal allow the netutils domain to use.
-##
-##
##
#
interface(`netutils_run',`
@@ -47,7 +42,6 @@ interface(`netutils_run',`
netutils_domtrans($1)
role $2 types netutils_t;
- allow netutils_t $3:chr_file rw_term_perms;
')
########################################
@@ -155,11 +149,6 @@ interface(`netutils_signal_ping',`
## The role to be allowed the ping domain.
##
##
-##
-##
-## The type of the terminal allow the ping domain to use.
-##
-##
##
#
interface(`netutils_run_ping',`
@@ -169,7 +158,6 @@ interface(`netutils_run_ping',`
netutils_domtrans_ping($1)
role $2 types ping_t;
- allow ping_t $3:chr_file rw_term_perms;
')
########################################
@@ -187,11 +175,6 @@ interface(`netutils_run_ping',`
## The role to be allowed the ping domain.
##
##
-##
-##
-## The type of the terminal allow the ping domain to use.
-##
-##
##
#
interface(`netutils_run_ping_cond',`
@@ -204,7 +187,6 @@ interface(`netutils_run_ping_cond',`
if ( user_ping ) {
netutils_domtrans_ping($1)
- allow ping_t $3:chr_file rw_term_perms;
}
')
@@ -259,11 +241,6 @@ interface(`netutils_domtrans_traceroute',`
## The role to be allowed the traceroute domain.
##
##
-##
-##
-## The type of the terminal allow the traceroute domain to use.
-##
-##
##
#
interface(`netutils_run_traceroute',`
@@ -273,7 +250,6 @@ interface(`netutils_run_traceroute',`
netutils_domtrans_traceroute($1)
role $2 types traceroute_t;
- allow traceroute_t $3:chr_file rw_term_perms;
')
########################################
@@ -291,11 +267,6 @@ interface(`netutils_run_traceroute',`
## The role to be allowed the traceroute domain.
##
##
-##
-##
-## The type of the terminal allow the traceroute domain to use.
-##
-##
##
#
interface(`netutils_run_traceroute_cond',`
@@ -308,7 +279,6 @@ interface(`netutils_run_traceroute_cond',`
if( user_ping ) {
netutils_domtrans_traceroute($1)
- allow traceroute_t $3:chr_file rw_term_perms;
}
')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index ca45fce..9414ac3 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,5 +1,5 @@
-policy_module(netutils, 1.7.0)
+policy_module(netutils, 1.7.1)
########################################
#
@@ -85,6 +85,7 @@ logging_send_syslog_msg(netutils_t)
miscfiles_read_localization(netutils_t)
+userdom_use_user_terminals(netutils_t)
userdom_use_all_users_fds(netutils_t)
optional_policy(`
@@ -133,6 +134,8 @@ logging_send_syslog_msg(ping_t)
miscfiles_read_localization(ping_t)
+userdom_use_user_terminals(ping_t)
+
ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t)
')
@@ -197,6 +200,8 @@ logging_send_syslog_msg(traceroute_t)
miscfiles_read_localization(traceroute_t)
+userdom_use_user_terminals(traceroute_t)
+
#rules needed for nmap
dev_read_rand(traceroute_t)
dev_read_urand(traceroute_t)
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index da338ab..f4043c3 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -40,11 +40,6 @@ interface(`portage_domtrans',`
## The role to allow the portage domain.
##
##
-##
-##
-## The type of the terminal allow for portage to use.
-##
-##
##
#
interface(`portage_run',`
@@ -54,9 +49,6 @@ interface(`portage_run',`
portage_domtrans($1)
role $2 types { portage_t portage_fetch_t portage_sandbox_t };
- allow portage_t $3:chr_file rw_term_perms;
- allow portage_fetch_t $3:chr_file rw_term_perms;
- allow portage_sandbox_t $3:chr_file rw_term_perms;
')
########################################
@@ -186,6 +178,8 @@ interface(`portage_compile_domain',`
logging_send_syslog_msg($1)
+ userdom_use_user_terminals($1)
+
ifdef(`TODO',`
# some gui ebuilds want to interact with X server, like xawtv
optional_policy(`
@@ -231,11 +225,6 @@ interface(`portage_domtrans_gcc_config',`
## The role to allow the gcc_config domain.
##
##
-##
-##
-## The type of the terminal allow for gcc_config to use.
-##
-##
##
#
interface(`portage_run_gcc_config',`
@@ -245,5 +234,4 @@ interface(`portage_run_gcc_config',`
portage_domtrans_gcc_config($1)
role $2 types gcc_config_t;
- allow gcc_config_t $3:chr_file rw_term_perms;
')
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index af61ccf..20ac2f1 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -1,5 +1,5 @@
-policy_module(portage, 1.6.1)
+policy_module(portage, 1.6.2)
########################################
#
@@ -90,8 +90,6 @@ files_search_pids(gcc_config_t)
# the directory it is being run from
files_list_all(gcc_config_t)
-term_search_ptys(gcc_config_t)
-
# seems to be ok without this
init_dontaudit_read_script_status_files(gcc_config_t)
@@ -105,6 +103,8 @@ logging_send_syslog_msg(gcc_config_t)
miscfiles_read_localization(gcc_config_t)
+userdom_use_user_terminals(gcc_config_t)
+
consoletype_exec(gcc_config_t)
optional_policy(`
@@ -245,7 +245,8 @@ miscfiles_read_localization(portage_fetch_t)
sysnet_read_config(portage_fetch_t)
sysnet_dns_name_resolve(portage_fetch_t)
-sysadm_dontaudit_read_home_content_files(portage_fetch_t)
+userdom_use_user_terminals(portage_fetch_t)
+userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
ifdef(`hide_broken_symptoms',`
dontaudit portage_fetch_t portage_cache_t:file read;
diff --git a/policy/modules/admin/prelink.if b/policy/modules/admin/prelink.if
index 9e09e88..38d22ad 100644
--- a/policy/modules/admin/prelink.if
+++ b/policy/modules/admin/prelink.if
@@ -33,11 +33,6 @@ interface(`prelink_domtrans',`
## The role to allow the prelink domain.
##
##
-##
-##
-## The type of the terminal allow the prelink domain to use.
-##
-##
##
#
interface(`prelink_run',`
@@ -47,7 +42,6 @@ interface(`prelink_run',`
prelink_domtrans($1)
role $2 types prelink_t;
- allow prelink_t $3:chr_file rw_term_perms;
')
########################################
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
index 6fe27d0..be3a1ee 100644
--- a/policy/modules/admin/prelink.te
+++ b/policy/modules/admin/prelink.te
@@ -1,5 +1,5 @@
-policy_module(prelink, 1.5.0)
+policy_module(prelink, 1.5.1)
########################################
#
@@ -79,6 +79,8 @@ libs_delete_lib_symlinks(prelink_t)
miscfiles_read_localization(prelink_t)
+userdom_use_user_terminals(prelink_t)
+
optional_policy(`
amanda_manage_lib(prelink_t)
')
diff --git a/policy/modules/admin/quota.if b/policy/modules/admin/quota.if
index 8eae304..50ff52e 100644
--- a/policy/modules/admin/quota.if
+++ b/policy/modules/admin/quota.if
@@ -33,11 +33,6 @@ interface(`quota_domtrans',`
## The role to be allowed the quota domain.
##
##
-##
-##
-## The type of the terminal allow the quota domain to use.
-##
-##
##
#
interface(`quota_run',`
@@ -47,7 +42,6 @@ interface(`quota_run',`
quota_domtrans($1)
role $2 types quota_t;
- allow quota_t $3:chr_file rw_term_perms;
')
########################################
diff --git a/policy/modules/admin/quota.te b/policy/modules/admin/quota.te
index 098d817..d796579 100644
--- a/policy/modules/admin/quota.te
+++ b/policy/modules/admin/quota.te
@@ -1,5 +1,5 @@
-policy_module(quota, 1.3.0)
+policy_module(quota, 1.3.1)
########################################
#
@@ -72,6 +72,7 @@ init_use_script_ptys(quota_t)
logging_send_syslog_msg(quota_t)
+userdom_use_user_terminals(quota_t)
userdom_dontaudit_use_unpriv_user_fds(quota_t)
optional_policy(`
diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
index cbf5853..8645082 100644
--- a/policy/modules/admin/readahead.te
+++ b/policy/modules/admin/readahead.te
@@ -1,5 +1,5 @@
-policy_module(readahead, 1.7.0)
+policy_module(readahead, 1.7.1)
########################################
#
@@ -77,8 +77,7 @@ logging_dontaudit_search_audit_config(readahead_t)
miscfiles_read_localization(readahead_t)
userdom_dontaudit_use_unpriv_user_fds(readahead_t)
-
-sysadm_dontaudit_search_home_dirs(readahead_t)
+userdom_dontaudit_search_user_home_dirs(readahead_t)
optional_policy(`
cron_system_entry(readahead_t, readahead_exec_t)
diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if
index e115154..36f9fa8 100644
--- a/policy/modules/admin/rpm.if
+++ b/policy/modules/admin/rpm.if
@@ -56,11 +56,6 @@ interface(`rpm_domtrans_script',`
## The role to allow the RPM domain.
##
##
-##
-##
-## The type of the terminal allow the RPM domain to use.
-##
-##
##
#
interface(`rpm_run',`
@@ -71,10 +66,9 @@ interface(`rpm_run',`
rpm_domtrans($1)
role $2 types rpm_t;
role $2 types rpm_script_t;
- seutil_run_loadpolicy(rpm_script_t, $2, $3)
- seutil_run_semanage(rpm_script_t, $2, $3)
- seutil_run_setfiles(rpm_script_t, $2, $3)
- allow rpm_t $3:chr_file rw_term_perms;
+ seutil_run_loadpolicy(rpm_script_t, $2)
+ seutil_run_semanage(rpm_script_t, $2)
+ seutil_run_setfiles(rpm_script_t, $2)
')
########################################
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index aa77c0f..5d8a46c 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -1,5 +1,5 @@
-policy_module(rpm, 1.8.0)
+policy_module(rpm, 1.8.1)
########################################
#
@@ -132,8 +132,6 @@ storage_raw_write_fixed_disk(rpm_t)
# for installing kernel packages
storage_raw_read_fixed_disk(rpm_t)
-term_list_ptys(rpm_t)
-
auth_relabel_all_files_except_shadow(rpm_t)
auth_manage_all_files_except_shadow(rpm_t)
auth_dontaudit_read_shadow(rpm_t)
@@ -168,6 +166,7 @@ logging_send_syslog_msg(rpm_t)
seutil_manage_src_policy(rpm_t)
seutil_manage_bin_policy(rpm_t)
+userdom_use_user_terminals(rpm_t)
userdom_use_unpriv_users_fds(rpm_t)
optional_policy(`
@@ -273,8 +272,6 @@ selinux_compute_user_contexts(rpm_script_t)
storage_raw_read_fixed_disk(rpm_script_t)
storage_raw_write_fixed_disk(rpm_script_t)
-term_getattr_unallocated_ttys(rpm_script_t)
-term_list_ptys(rpm_script_t)
term_use_all_terms(rpm_script_t)
auth_dontaudit_getattr_shadow(rpm_script_t)
@@ -338,7 +335,7 @@ optional_policy(`
unconfined_domtrans(rpm_script_t)
optional_policy(`
- java_domtrans(rpm_script_t)
+ java_domtrans_unconfined(rpm_script_t)
')
optional_policy(`
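Review bot: `java_domtrans_unconfined(rpm_script_t)` changes which java domain rpm scripts enter, and judging by the name the new target is the unconfined java domain; that is a privilege change unrelated to the terminal and home-directory cleanup elsewhere in this commit and is not called out anywhere. Given the `unconfined_domtrans(rpm_script_t)` just above, the transition is probably meant to match it, but a comment such as `# rpm scripts already run unconfined here, so enter the unconfined java domain too` would record that reasoning. The enclosing optional_policy block starts before this hunk.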
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 801577e..36f2316 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -125,38 +125,26 @@ template(`su_restricted_domain_template', `
#######################################
##
-## The per role template for the su module.
+## The role template for the su module.
##
-##
-##
-## This template creates a derived domain which is allowed
-## to change the linux user id, to run shells as a different
-## user.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
+##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
##
##
-##
+##
##
-## The type of the user domain.
+## The role associated with the user domain.
##
##
-##
+##
##
-## The role associated with the user domain.
+## The type of the user domain.
##
##
#
-template(`su_per_role_template',`
+template(`su_role_template',`
gen_require(`
attribute su_domain_type;
type su_exec_t;
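Review bot: The rewritten header keeps only `## The role template for the su module.` and drops the paragraph explaining that the template creates a derived domain allowed to change the linux user id to run shells as another user, while the sudo.if header in this same commit keeps its equivalent description. Keeping one sentence of it under the summary, e.g. `## Creates the $1_su_t derived domain, which may change the linux user id to run shells as a different user.`, would restore parity; only the note about automatic per-user invocation is actually obsolete. The renamed template's body continues below this hunk.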
@@ -167,9 +155,10 @@ template(`su_per_role_template',`
domain_entry_file($1_su_t,su_exec_t)
domain_type($1_su_t)
domain_interactive_fd($1_su_t)
- role $3 types $1_su_t;
+ ubac_constrained($1_su_t)
+ role $2 types $1_su_t;
- allow $2 $1_su_t:process signal;
+ allow $3 $1_su_t:process signal;
allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
dontaudit $1_su_t self:capability sys_tty_config;
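Review bot: `ubac_constrained($1_su_t)` only has effect in a build with UBAC enabled, so the separation this commit relies on is conditional on that build option; a comment such as `# subject to UBAC constraints only when the policy is built with UBAC enabled` would stop readers from assuming the constraint is always active. The swap of `$2` and `$3` (role now `$2`, calling domain now `$3`) is a silent interface change for any caller still passing the old order; m4 will not warn, though `role $2 types $1_su_t;` with a type name in `$2` should presumably fail at policy compile. The template body continues on both sides of this hunk.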
@@ -179,13 +168,15 @@ template(`su_per_role_template',`
allow $1_su_t self:key { search write };
# Transition from the user domain to this domain.
- domtrans_pattern($2, su_exec_t, $1_su_t)
+ domtrans_pattern($3, su_exec_t, $1_su_t)
+
+ ps_process_pattern($3, $1_su_t)
# By default, revert to the calling domain when a shell is executed.
- corecmd_shell_domtrans($1_su_t, $2)
- allow $2 $1_su_t:fd use;
- allow $2 $1_su_t:fifo_file rw_file_perms;
- allow $2 $1_su_t:process sigchld;
+ corecmd_shell_domtrans($1_su_t, $3)
+ allow $3 $1_su_t:fd use;
+ allow $3 $1_su_t:fifo_file rw_file_perms;
+ allow $3 $1_su_t:process sigchld;
kernel_read_system_state($1_su_t)
kernel_read_kernel_sysctls($1_su_t)
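Review bot: `ps_process_pattern($3, $1_su_t)` is a new grant, judging by its name letting the calling domain read the su domain's process state, introduced in the middle of a parameter renumbering where it is easy to miss; it is not a renamed or moved line. A one-line comment stating why it is needed, e.g. `# let the calling domain inspect its su child (e.g. ps)`, would keep it from looking accidental. The template body continues outside this hunk.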
@@ -200,7 +191,7 @@ template(`su_per_role_template',`
# needed for pam_rootok
selinux_compute_access_vector($1_su_t)
- auth_domtrans_user_chk_passwd($1, $1_su_t)
+ auth_domtrans_chk_passwd($1_su_t)
auth_dontaudit_read_shadow($1_su_t)
auth_use_nsswitch($1_su_t)
auth_rw_faillog($1_su_t)
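Review bot: Replacing `auth_domtrans_user_chk_passwd($1, $1_su_t)` with `auth_domtrans_chk_passwd($1_su_t)` moves password checking from a per-prefix helper domain to, judging by the name, a single shared chkpwd domain, so every user's su now enters the same domain for credential verification and the remaining separation is whatever UBAC provides. That is in line with the commit's direction, but it is the one place in this template where derived-domain isolation was protecting a credential path, so it deserves a comment rather than a bare rename, e.g. `# shared chkpwd domain; per-user separation now relies on UBAC`. The template body continues outside this hunk.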
@@ -224,8 +215,8 @@ template(`su_per_role_template',`
miscfiles_read_localization($1_su_t)
- userdom_use_user_terminals($1, $1_su_t)
- userdom_search_user_home_dirs($1, $1_su_t)
+ userdom_use_user_terminals($1_su_t)
+ userdom_search_user_home_dirs($1_su_t)
ifdef(`distro_rhel4',`
domain_role_change_exemption($1_su_t)
@@ -285,17 +276,9 @@ template(`su_per_role_template',`
# Modify .Xauthority file (via xauth program).
optional_policy(`
- xserver_user_home_dir_filetrans_user_xauth($1, su_domain_type)
- xserver_domtrans_user_xauth($1, $1_su_t)
+ xserver_user_home_dir_filetrans_user_xauth($1_su_t)
+ xserver_domtrans_xauth($1_su_t)
')
-
- ifdef(`TODO',`
- allow $1_su_t $1_home_t:file manage_file_perms;
-
- # Access sshd cookie files.
- allow $1_su_t sshd_tmp_t:file rw_file_perms;
- file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t)
- ') dnl end TODO
')
#######################################
diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
index 696a768..68c20e2 100644
--- a/policy/modules/admin/su.te
+++ b/policy/modules/admin/su.te
@@ -1,5 +1,5 @@
-policy_module(su, 1.8.0)
+policy_module(su, 1.8.1)
########################################
#
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index a068802..a9468b9 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -2,7 +2,7 @@
#######################################
##
-## The per role template for the sudo module.
+## The role template for the sudo module.
##
##
##
@@ -10,30 +10,25 @@
## to change the linux user id, to run commands as a different
## user.
##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
##
-##
+##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
##
##
-##
+##
##
-## The type of the user domain.
+## The user role.
##
##
-##
+##
##
-## The role associated with the user domain.
+## The user domain associated with the role.
##
##
#
-template(`sudo_per_role_template',`
+template(`sudo_role_template',`
gen_require(`
type sudo_exec_t;
@@ -47,7 +42,8 @@ template(`sudo_per_role_template',`
type $1_sudo_t;
application_domain($1_sudo_t, sudo_exec_t)
domain_interactive_fd($1_sudo_t)
- role $3 types $1_sudo_t;
+ ubac_constrained($1_sudo_t)
+ role $2 types $1_sudo_t;
##############################
#
@@ -71,13 +67,13 @@ template(`sudo_per_role_template',`
allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
# Enter this derived domain from the user domain
- domtrans_pattern($2, sudo_exec_t, $1_sudo_t)
+ domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
# By default, revert to the calling domain when a shell is executed.
- corecmd_shell_domtrans($1_sudo_t, $2)
- allow $2 $1_sudo_t:fd use;
- allow $2 $1_sudo_t:fifo_file rw_file_perms;
- allow $2 $1_sudo_t:process sigchld;
+ corecmd_shell_domtrans($1_sudo_t, $3)
+ allow $3 $1_sudo_t:fd use;
+ allow $3 $1_sudo_t:fifo_file rw_file_perms;
+ allow $3 $1_sudo_t:process sigchld;
kernel_read_kernel_sysctls($1_sudo_t)
kernel_read_system_state($1_sudo_t)
@@ -113,22 +109,11 @@ template(`sudo_per_role_template',`
miscfiles_read_localization($1_sudo_t)
- userdom_manage_user_home_content_files($1, $1_sudo_t)
- userdom_manage_user_home_content_symlinks($1, $1_sudo_t)
- userdom_manage_user_tmp_files($1, $1_sudo_t)
- userdom_manage_user_tmp_symlinks($1, $1_sudo_t)
- userdom_use_user_terminals($1, $1_sudo_t)
- userdom_use_unpriv_users_fds($1_sudo_t)
+ userdom_manage_user_home_content_files($1_sudo_t)
+ userdom_manage_user_home_content_symlinks($1_sudo_t)
+ userdom_manage_user_tmp_files($1_sudo_t)
+ userdom_manage_user_tmp_symlinks($1_sudo_t)
+ userdom_use_user_terminals($1_sudo_t)
# for some PAM modules and for cwd
- userdom_dontaudit_search_all_users_home_content($1_sudo_t)
-
- ifdef(`TODO',`
- # for when the network connection is killed
- dontaudit unpriv_userdomain $1_sudo_t:process signal;
-
- ifdef(`mta.te', `
- domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
- ')
-
- ') dnl end TODO
+ userdom_dontaudit_search_user_home_content($1_sudo_t)
')
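Review bot: `userdom_use_unpriv_users_fds($1_sudo_t)` is removed with no replacement in this hunk, which is a behavioural tightening hidden among renames; if fd use from the calling domain is already provided by `domtrans_pattern($3, sudo_exec_t, $1_sudo_t)` in the previous hunk the change makes sense, but it should be recorded, e.g. `# fd use is limited to the calling domain via domtrans_pattern`. The `# for some PAM modules and for cwd` comment now describes `userdom_dontaudit_search_user_home_content`, which still fits. The template body begins above this hunk.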
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
index 6af4f6d..c890938 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
@@ -1,5 +1,5 @@
-policy_module(sudo, 1.3.0)
+policy_module(sudo, 1.3.1)
########################################
#
@@ -7,5 +7,3 @@ policy_module(sudo, 1.3.0)
type sudo_exec_t;
application_executable_file(sudo_exec_t)
-
-# Remaining policy in per user domain template.
diff --git a/policy/modules/admin/tripwire.if b/policy/modules/admin/tripwire.if
index 2bbae12..d23d02a 100644
--- a/policy/modules/admin/tripwire.if
+++ b/policy/modules/admin/tripwire.if
@@ -46,11 +46,6 @@ interface(`tripwire_domtrans_tripwire',`
## The role to be allowed the tripwire domain.
##
##
-##
-##
-## The type of the terminal allow the tripwire domain to use.
-##
-##
##
#
interface(`tripwire_run_tripwire',`
@@ -60,7 +55,6 @@ interface(`tripwire_run_tripwire',`
tripwire_domtrans_tripwire($1)
role $2 types tripwire_t;
- allow tripwire_t $3:chr_file rw_term_perms;
')
########################################
@@ -96,11 +90,6 @@ interface(`tripwire_domtrans_twadmin',`
## The role to be allowed the twadmin domain.
##
##
-##
-##
-## The type of the terminal allow the twadmin domain to use.
-##
-##
##
#
interface(`tripwire_run_twadmin',`
@@ -110,7 +99,6 @@ interface(`tripwire_run_twadmin',`
tripwire_domtrans_twadmin($1)
role $2 types twadmin_t;
- allow twadmin_t $3:chr_file rw_term_perms;
')
########################################
@@ -146,11 +134,6 @@ interface(`tripwire_domtrans_twprint',`
## The role to be allowed the twprint domain.
##
##
-##
-##
-## The type of the terminal allow the twprint domain to use.
-##
-##
##
#
interface(`tripwire_run_twprint',`
@@ -160,7 +143,6 @@ interface(`tripwire_run_twprint',`
tripwire_domtrans_twprint($1)
role $2 types twprint_t;
- allow twprint_t $3:chr_file rw_term_perms;
')
########################################
@@ -196,11 +178,6 @@ interface(`tripwire_domtrans_siggen',`
## The role to be allowed the siggen domain.
##
##
-##
-##
-## The type of the terminal allow the siggen domain to use.
-##
-##
##
#
interface(`tripwire_run_siggen',`
@@ -210,5 +187,4 @@ interface(`tripwire_run_siggen',`
tripwire_domtrans_siggen($1)
role $2 types siggen_t;
- allow siggen_t $3:chr_file rw_term_perms;
')
diff --git a/policy/modules/admin/tripwire.te b/policy/modules/admin/tripwire.te
index 151a18c..e57a2d1 100644
--- a/policy/modules/admin/tripwire.te
+++ b/policy/modules/admin/tripwire.te
@@ -1,5 +1,5 @@
-policy_module(tripwire, 1.1.0)
+policy_module(tripwire, 1.1.1)
########################################
#
@@ -81,6 +81,8 @@ files_getattr_all_sockets(tripwire_t)
logging_send_syslog_msg(tripwire_t)
+userdom_use_user_terminals(tripwire_t)
+
optional_policy(`
cron_system_entry(tripwire_t, tripwire_exec_t)
')
@@ -100,6 +102,8 @@ logging_send_syslog_msg(twadmin_t)
miscfiles_read_localization(twadmin_t)
+userdom_use_user_terminals(twadmin_t)
+
########################################
#
# Twprint local policy
@@ -124,6 +128,8 @@ logging_send_syslog_msg(twprint_t)
miscfiles_read_localization(twprint_t)
+userdom_use_user_terminals(twprint_t)
+
########################################
#
# Siggen local policy
@@ -137,3 +143,5 @@ files_read_all_files(siggen_t)
logging_send_syslog_msg(siggen_t)
miscfiles_read_localization(siggen_t)
+
+userdom_use_user_terminals(siggen_t)
diff --git a/policy/modules/admin/tzdata.if b/policy/modules/admin/tzdata.if
index f6e3b89..b873388 100644
--- a/policy/modules/admin/tzdata.if
+++ b/policy/modules/admin/tzdata.if
@@ -32,11 +32,6 @@ interface(`tzdata_domtrans',`
## The role to allow the tzdata domain.
##
##
-##
-##
-## The type of the terminal allow the tzdata domain to use.
-##
-##
##
#
interface(`tzdata_run',`
@@ -46,5 +41,4 @@ interface(`tzdata_run',`
tzdata_domtrans($1)
role $2 types tzdata_t;
- allow tzdata_t $3:chr_file rw_term_perms;
')
diff --git a/policy/modules/admin/tzdata.te b/policy/modules/admin/tzdata.te
index ad5d172..c21be19 100644
--- a/policy/modules/admin/tzdata.te
+++ b/policy/modules/admin/tzdata.te
@@ -1,5 +1,5 @@
-policy_module(tzdata, 1.2.0)
+policy_module(tzdata, 1.2.1)
########################################
#
@@ -27,6 +27,8 @@ miscfiles_read_localization(tzdata_t)
miscfiles_manage_localization(tzdata_t)
miscfiles_etc_filetrans_localization(tzdata_t)
+userdom_use_user_terminals(tzdata_t)
+
# tzdata looks for /var/spool/postfix/etc/localtime.
optional_policy(`
postfix_search_spool(tzdata_t)
diff --git a/policy/modules/admin/updfstab.te b/policy/modules/admin/updfstab.te
index 976ee15..e492606 100644
--- a/policy/modules/admin/updfstab.te
+++ b/policy/modules/admin/updfstab.te
@@ -1,5 +1,5 @@
-policy_module(updfstab, 1.4.0)
+policy_module(updfstab, 1.4.1)
########################################
#
@@ -76,7 +76,7 @@ seutil_read_config(updfstab_t)
seutil_read_default_contexts(updfstab_t)
seutil_read_file_contexts(updfstab_t)
-userdom_dontaudit_search_all_users_home_content(updfstab_t)
+userdom_dontaudit_search_user_home_content(updfstab_t)
userdom_dontaudit_use_unpriv_user_fds(updfstab_t)
optional_policy(`
@@ -86,7 +86,7 @@ optional_policy(`
optional_policy(`
init_dbus_chat_script(updfstab_t)
- dbus_system_bus_client_template(updfstab, updfstab_t)
+ dbus_system_bus_client(updfstab_t)
')
optional_policy(`
diff --git a/policy/modules/admin/usbmodules.if b/policy/modules/admin/usbmodules.if
index 50c1dc3..9ac17f5 100644
--- a/policy/modules/admin/usbmodules.if
+++ b/policy/modules/admin/usbmodules.if
@@ -34,11 +34,6 @@ interface(`usbmodules_domtrans',`
## The role to be allowed the usbmodules domain.
##
##
-##
-##
-## The type of the terminal allow the usbmodules domain to use.
-##
-##
##
#
interface(`usbmodules_run',`
@@ -48,5 +43,4 @@ interface(`usbmodules_run',`
usbmodules_domtrans($1)
role $2 types usbmodules_t;
- allow usbmodules_t $3:chr_file rw_term_perms;
')
diff --git a/policy/modules/admin/usbmodules.te b/policy/modules/admin/usbmodules.te
index 9932456..3a16d1e 100644
--- a/policy/modules/admin/usbmodules.te
+++ b/policy/modules/admin/usbmodules.te
@@ -1,5 +1,5 @@
-policy_module(usbmodules, 1.1.0)
+policy_module(usbmodules, 1.1.1)
########################################
#
@@ -37,6 +37,8 @@ miscfiles_read_hwdata(usbmodules_t)
modutils_read_module_deps(usbmodules_t)
+userdom_use_user_terminals(usbmodules_t)
+
optional_policy(`
hotplug_read_config(usbmodules_t)
')
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
index 900d377..ac74240 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@@ -35,11 +35,6 @@ interface(`usermanage_domtrans_chfn',`
## The role to be allowed the chfn domain.
##
##
-##
-##
-## The type of the terminal allow the chfn domain to use.
-##
-##
#
interface(`usermanage_run_chfn',`
gen_require(`
@@ -48,7 +43,6 @@ interface(`usermanage_run_chfn',`
usermanage_domtrans_chfn($1)
role $2 types chfn_t;
- allow chfn_t $3:chr_file rw_term_perms;
')
########################################
@@ -86,11 +80,6 @@ interface(`usermanage_domtrans_groupadd',`
## The role to be allowed the groupadd domain.
##
##
-##
-##
-## The type of the terminal allow the groupadd domain to use.
-##
-##
##
#
interface(`usermanage_run_groupadd',`
@@ -100,10 +89,9 @@ interface(`usermanage_run_groupadd',`
usermanage_domtrans_groupadd($1)
role $2 types groupadd_t;
- allow groupadd_t $3:chr_file rw_term_perms;
optional_policy(`
- nscd_run(groupadd_t, $2, $3)
+ nscd_run(groupadd_t, $2)
')
')
@@ -142,11 +130,6 @@ interface(`usermanage_domtrans_passwd',`
## The role to be allowed the passwd domain.
##
##
-##
-##
-## The type of the terminal allow the passwd domain to use.
-##
-##
#
interface(`usermanage_run_passwd',`
gen_require(`
@@ -155,7 +138,6 @@ interface(`usermanage_run_passwd',`
usermanage_domtrans_passwd($1)
role $2 types passwd_t;
- allow passwd_t $3:chr_file rw_term_perms;
')
########################################
@@ -195,11 +177,6 @@ interface(`usermanage_domtrans_admin_passwd',`
## The role to be allowed the admin passwd domain.
##
##
-##
-##
-## The type of the terminal allow the admin passwd domain to use.
-##
-##
##
#
interface(`usermanage_run_admin_passwd',`
@@ -209,10 +186,9 @@ interface(`usermanage_run_admin_passwd',`
usermanage_domtrans_admin_passwd($1)
role $2 types sysadm_passwd_t;
- allow sysadm_passwd_t $3:chr_file rw_term_perms;
optional_policy(`
- nscd_run(sysadm_passwd_t, $2, $3)
+ nscd_run(sysadm_passwd_t, $2)
')
')
@@ -269,11 +245,6 @@ interface(`usermanage_domtrans_useradd',`
## The role to be allowed the useradd domain.
##
##
-##
-##
-## The type of the terminal allow the useradd domain to use.
-##
-##
##
#
interface(`usermanage_run_useradd',`
@@ -283,10 +254,9 @@ interface(`usermanage_run_useradd',`
usermanage_domtrans_useradd($1)
role $2 types useradd_t;
- allow useradd_t $3:chr_file rw_term_perms;
optional_policy(`
- nscd_run(useradd_t, $2, $3)
+ nscd_run(useradd_t, $2)
')
')
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 384df0d..8f28ae0 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -1,5 +1,5 @@
-policy_module(usermanage, 1.11.0)
+policy_module(usermanage, 1.11.1)
########################################
#
@@ -119,7 +119,7 @@ seutil_dontaudit_search_config(chfn_t)
userdom_use_unpriv_users_fds(chfn_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
-userdom_dontaudit_search_all_users_home_content(chfn_t)
+userdom_dontaudit_search_user_home_content(chfn_t)
########################################
#
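Review bot: chfn_t no longer receives any terminal access in the hunks visible here: usermanage.if drops `allow chfn_t $3:chr_file rw_term_perms` from usermanage_run_chfn, but unlike passwd_t (which gains `userdom_use_user_terminals(passwd_t)` in a later hunk of this file) this hunk adds no replacement for chfn_t. The same gap applies to groupadd_t, sysadm_passwd_t and useradd_t, whose run interfaces also lost the terminal rule in usermanage.if. Unless these domains are already granted terminal access elsewhere in usermanage.te outside these hunks, chfn and the group/user management tools will be unable to prompt on the user's tty after this change; adding `userdom_use_user_terminals(chfn_t)` here, and the equivalent line for the other three domains, would keep parity with passwd_t.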
@@ -153,7 +153,7 @@ corecmd_exec_bin(crack_t)
logging_send_syslog_msg(crack_t)
-sysadm_dontaudit_search_home_dirs(crack_t)
+userdom_dontaudit_search_user_home_dirs(crack_t)
ifdef(`distro_debian',`
# the package cracklib-runtime on Debian contains a daily maintenance
@@ -227,9 +227,8 @@ auth_use_nsswitch(groupadd_t)
seutil_read_config(groupadd_t)
userdom_use_unpriv_users_fds(groupadd_t)
-
# for when /root is the cwd
-sysadm_dontaudit_search_home_dirs(groupadd_t)
+userdom_dontaudit_search_user_home_dirs(groupadd_t)
optional_policy(`
dpkg_use_fds(groupadd_t)
@@ -316,13 +315,14 @@ miscfiles_read_localization(passwd_t)
seutil_dontaudit_search_config(passwd_t)
+userdom_use_user_terminals(passwd_t)
userdom_use_unpriv_users_fds(passwd_t)
# make sure that getcon succeeds
userdom_getattr_all_users(passwd_t)
userdom_read_all_users_state(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
-userdom_dontaudit_search_all_users_home_content(passwd_t)
+userdom_dontaudit_search_user_home_content(passwd_t)
optional_policy(`
nscd_domtrans(passwd_t)
@@ -406,7 +406,7 @@ seutil_dontaudit_search_config(sysadm_passwd_t)
userdom_use_unpriv_users_fds(sysadm_passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
-userdom_dontaudit_search_all_users_home_content(sysadm_passwd_t)
+userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
optional_policy(`
nscd_domtrans(sysadm_passwd_t)
@@ -485,10 +485,10 @@ seutil_domtrans_setfiles(useradd_t)
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
-userdom_manage_all_users_home_content_dirs(useradd_t)
-userdom_manage_all_users_home_content_files(useradd_t)
-unprivuser_home_filetrans_home_dir(useradd_t)
-unprivuser_home_dir_filetrans_home_content(useradd_t, notdevfile_class_set)
+userdom_manage_user_home_content_dirs(useradd_t)
+userdom_manage_user_home_content_files(useradd_t)
+userdom_home_filetrans_user_home_dir(useradd_t)
+userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
mta_manage_spool(useradd_t)
diff --git a/policy/modules/admin/vpn.if b/policy/modules/admin/vpn.if
index 05cfd4e..8779a18 100644
--- a/policy/modules/admin/vpn.if
+++ b/policy/modules/admin/vpn.if
@@ -33,11 +33,6 @@ interface(`vpn_domtrans',`
## The role to be allowed the vpnc domain.
##
##
-##
-##
-## The type of the terminal allow the vpnc domain to use.
-##
-##
##
#
interface(`vpn_run',`
@@ -47,8 +42,7 @@ interface(`vpn_run',`
vpn_domtrans($1)
role $2 types vpnc_t;
- allow vpnc_t $3:chr_file rw_term_perms;
- sysnet_run_ifconfig(vpnc_t, $2, $3)
+ sysnet_run_ifconfig(vpnc_t, $2)
')
########################################
diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
index c7db478..42d5238 100644
--- a/policy/modules/admin/vpn.te
+++ b/policy/modules/admin/vpn.te
@@ -1,5 +1,5 @@
-policy_module(vpn, 1.9.0)
+policy_module(vpn, 1.9.1)
########################################
#
@@ -105,10 +105,10 @@ sysnet_etc_filetrans_config(vpnc_t)
sysnet_manage_config(vpnc_t)
userdom_use_all_users_fds(vpnc_t)
-userdom_dontaudit_search_all_users_home_content(vpnc_t)
+userdom_dontaudit_search_user_home_content(vpnc_t)
optional_policy(`
- dbus_system_bus_client_template(vpnc, vpnc_t)
+ dbus_system_bus_client(vpnc_t)
optional_policy(`
networkmanager_dbus_chat(vpnc_t)
diff --git a/policy/modules/apps/ada.if b/policy/modules/apps/ada.if
index 348c348..3f3bbe0 100644
--- a/policy/modules/apps/ada.if
+++ b/policy/modules/apps/ada.if
@@ -34,11 +34,6 @@ interface(`ada_domtrans',`
## The role to be allowed the ada domain.
##
##
-##
-##
-## The type of the terminal allow the ada domain to use.
-##
-##
#
interface(`ada_run',`
gen_require(`
@@ -47,5 +42,4 @@ interface(`ada_run',`
ada_domtrans($1)
role $2 types ada_t;
- allow ada_t $3:chr_file rw_term_perms;
')
diff --git a/policy/modules/apps/ada.te b/policy/modules/apps/ada.te
index 048d953..4ae3777 100644
--- a/policy/modules/apps/ada.te
+++ b/policy/modules/apps/ada.te
@@ -1,5 +1,5 @@
-policy_module(ada, 1.2.0)
+policy_module(ada, 1.2.1)
########################################
#
@@ -18,6 +18,8 @@ role system_r types ada_t;
allow ada_t self:process { execstack execmem };
+userdom_use_user_terminals(ada_t)
+
optional_policy(`
unconfined_domain_noaudit(ada_t)
')
diff --git a/policy/modules/apps/calamaris.te b/policy/modules/apps/calamaris.te
index 39213d5..9811f98 100644
--- a/policy/modules/apps/calamaris.te
+++ b/policy/modules/apps/calamaris.te
@@ -1,5 +1,5 @@
-policy_module(calamaris, 1.3.0)
+policy_module(calamaris, 1.3.1)
########################################
#
@@ -65,7 +65,7 @@ miscfiles_read_localization(calamaris_t)
sysnet_read_config(calamaris_t)
-sysadm_dontaudit_list_home_dirs(calamaris_t)
+userdom_dontaudit_list_user_home_dirs(calamaris_t)
squid_read_log(calamaris_t)
diff --git a/policy/modules/apps/cdrecord.if b/policy/modules/apps/cdrecord.if
index 1319eaf..1582faf 100644
--- a/policy/modules/apps/cdrecord.if
+++ b/policy/modules/apps/cdrecord.if
@@ -1,187 +1,33 @@
## Policy for cdrecord
-#######################################
+########################################
##
-## The per role template for the cdrecord module.
+## Role access for cdrecord
##
-##
-##
-## This template creates derived domains which are used
-## for cdrecord.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
+##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## Role allowed access
##
##
-##
+##
##
-## The type of the user domain.
-##
-##
-##
-##
-## The role associated with the user domain.
+## User domain for the role
##
##
#
-template(`cdrecord_per_role_template', `
-
+interface(`cdrecord_role',`
gen_require(`
- type cdrecord_exec_t;
+ type cdrecord_t, cdrecord_exec_t;
')
- ########################################
- #
- # Declarations
- #
-
- type $1_cdrecord_t;
- application_domain($1_cdrecord_t, cdrecord_exec_t)
- role $3 types $1_cdrecord_t;
-
- ########################################
- #
- # Local policy
- #
-
- allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
- allow $1_cdrecord_t self:process { getsched setsched sigkill };
- allow $1_cdrecord_t self:unix_dgram_socket create_socket_perms;
- allow $1_cdrecord_t self:unix_stream_socket create_stream_socket_perms;
-
- allow $1_cdrecord_t $2:unix_stream_socket { getattr read write ioctl };
-
- # allow ps to show cdrecord and allow the user to kill it
- ps_process_pattern($2,$1_cdrecord_t)
- allow $2 $1_cdrecord_t:process signal;
+ role $1 types cdrecord_t;
# Transition from the user domain to the derived domain.
- domtrans_pattern($2, cdrecord_exec_t, $1_cdrecord_t)
-
- # allow searching for cdrom-drive
- dev_list_all_dev_nodes($1_cdrecord_t)
-
- domain_interactive_fd($1_cdrecord_t)
- domain_use_interactive_fds($1_cdrecord_t)
-
- files_read_etc_files($1_cdrecord_t)
-
- term_use_controlling_term($1_cdrecord_t)
- term_list_ptys($1_cdrecord_t)
-
- # allow cdrecord to write the CD
- storage_raw_write_removable_device($1_cdrecord_t)
- storage_write_scsi_generic($1_cdrecord_t)
-
- logging_send_syslog_msg($1_cdrecord_t)
-
- miscfiles_read_localization($1_cdrecord_t)
+ domtrans_pattern($2, cdrecord_exec_t, cdrecord_t)
- # write to the user domain tty.
- userdom_use_user_terminals($1, $1_cdrecord_t)
- userdom_use_user_terminals($1, $2)
+ allow cdrecord_t $2:unix_stream_socket { getattr read write ioctl };
- userdom_read_user_home_content_files($1, $1_cdrecord_t)
-
- # Handle nfs home dirs
- tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
- fs_list_auto_mountpoints($1_cdrecord_t)
- files_list_home($1_cdrecord_t)
- fs_read_nfs_files($1_cdrecord_t)
- fs_read_nfs_symlinks($1_cdrecord_t)
-
- ',`
- files_dontaudit_list_home($1_cdrecord_t)
- fs_dontaudit_list_auto_mountpoints($1_cdrecord_t)
- fs_dontaudit_read_nfs_files($1_cdrecord_t)
- fs_dontaudit_list_nfs($1_cdrecord_t)
- ')
- # Handle samba home dirs
- tunable_policy(`cdrecord_read_content && use_samba_home_dirs',`
- fs_list_auto_mountpoints($1_cdrecord_t)
- files_list_home($1_cdrecord_t)
- fs_read_cifs_files($1_cdrecord_t)
- fs_read_cifs_symlinks($1_cdrecord_t)
- ',`
- files_dontaudit_list_home($1_cdrecord_t)
- fs_dontaudit_list_auto_mountpoints($1_cdrecord_t)
- fs_dontaudit_read_cifs_files($1_cdrecord_t)
- fs_dontaudit_list_cifs($1_cdrecord_t)
- ')
-
- # Handle removable media, /tmp, and /home
- tunable_policy(`cdrecord_read_content',`
- userdom_list_user_tmp($1, $1_cdrecord_t)
- userdom_read_user_tmp_files($1, $1_cdrecord_t)
- userdom_read_user_tmp_symlinks($1, $1_cdrecord_t)
- userdom_search_user_home_dirs($1, $1_cdrecord_t)
- userdom_read_user_home_content_files($1, $1_cdrecord_t)
- userdom_read_user_home_content_symlinks($1, $1_cdrecord_t)
-
- ifdef(`enable_mls',`
- ',`
- fs_search_removable($1_cdrecord_t)
- fs_read_removable_files($1_cdrecord_t)
- fs_read_removable_symlinks($1_cdrecord_t)
- ')
- ',`
- files_dontaudit_list_tmp($1_cdrecord_t)
- files_dontaudit_list_home($1_cdrecord_t)
- fs_dontaudit_list_removable($1_cdrecord_t)
- fs_dontaudit_read_removable_files($1_cdrecord_t)
- userdom_dontaudit_list_user_tmp($1, $1_cdrecord_t)
- userdom_dontaudit_read_user_tmp_files($1, $1_cdrecord_t)
- userdom_dontaudit_list_user_home_dirs($1, $1_cdrecord_t)
- userdom_dontaudit_read_user_home_content_files($1, $1_cdrecord_t)
- ')
-
- # Handle default_t content
- tunable_policy(`cdrecord_read_content && read_default_t',`
- files_list_default($1_cdrecord_t)
- files_read_default_files($1_cdrecord_t)
- files_read_default_symlinks($1_cdrecord_t)
- ',`
- files_dontaudit_read_default_files($1_cdrecord_t)
- files_dontaudit_list_default($1_cdrecord_t)
- ')
-
- # Handle untrusted content
- tunable_policy(`cdrecord_read_content && read_untrusted_content',`
- files_list_tmp($1_cdrecord_t)
- files_list_home($1_cdrecord_t)
- userdom_search_user_home_dirs($1, $1_cdrecord_t)
-
- userdom_list_user_untrusted_content($1, $1_cdrecord_t)
- userdom_read_user_untrusted_content_files($1, $1_cdrecord_t)
- userdom_read_user_untrusted_content_symlinks($1, $1_cdrecord_t)
- userdom_list_user_tmp_untrusted_content($1, $1_cdrecord_t)
- userdom_read_user_tmp_untrusted_content_files($1, $1_cdrecord_t)
- userdom_read_user_tmp_untrusted_content_symlinks($1, $1_cdrecord_t)
- ',`
- files_dontaudit_list_tmp($1_cdrecord_t)
- files_dontaudit_list_home($1_cdrecord_t)
- userdom_dontaudit_list_user_home_dirs($1, $1_cdrecord_t)
- userdom_dontaudit_list_user_untrusted_content($1, $1_cdrecord_t)
- userdom_dontaudit_read_user_untrusted_content_files($1, $1_cdrecord_t)
- userdom_dontaudit_list_user_tmp_untrusted_content($1, $1_cdrecord_t)
- userdom_dontaudit_read_user_tmp_untrusted_content_files($1, $1_cdrecord_t)
- ')
-
- tunable_policy(`use_nfs_home_dirs',`
- files_search_mnt($1_cdrecord_t)
- fs_read_nfs_files($1_cdrecord_t)
- fs_read_nfs_symlinks($1_cdrecord_t)
- ')
-
- optional_policy(`
- resmgr_stream_connect($1_cdrecord_t)
- ')
+ # allow ps to show cdrecord and allow the user to kill it
+ ps_process_pattern($2, cdrecord_t)
+ allow $2 cdrecord_t:process signal;
')
diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te
index 26139e6..a3148c7 100644
--- a/policy/modules/apps/cdrecord.te
+++ b/policy/modules/apps/cdrecord.te
@@ -1,5 +1,5 @@
-policy_module(cdrecord, 1.4.0)
+policy_module(cdrecord, 2.0.0)
########################################
#
@@ -15,5 +15,112 @@ policy_module(cdrecord, 1.4.0)
##
gen_tunable(cdrecord_read_content, false)
+type cdrecord_t;
type cdrecord_exec_t;
-application_executable_file(cdrecord_exec_t)
+typealias cdrecord_t alias { user_cdrecord_t staff_cdrecord_t sysadm_cdrecord_t };
+typealias cdrecord_t alias { auditadm_cdrecord_t secadm_cdrecord_t };
+application_domain(cdrecord_t, cdrecord_exec_t)
+ubac_constrained(cdrecord_t)
+
+########################################
+#
+# Local policy
+#
+
+allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
+allow cdrecord_t self:process { getsched setsched sigkill };
+allow cdrecord_t self:unix_dgram_socket create_socket_perms;
+allow cdrecord_t self:unix_stream_socket create_stream_socket_perms;
+
+# allow searching for cdrom-drive
+dev_list_all_dev_nodes(cdrecord_t)
+
+domain_interactive_fd(cdrecord_t)
+domain_use_interactive_fds(cdrecord_t)
+
+files_read_etc_files(cdrecord_t)
+
+term_use_controlling_term(cdrecord_t)
+term_list_ptys(cdrecord_t)
+
+# allow cdrecord to write the CD
+storage_raw_write_removable_device(cdrecord_t)
+storage_write_scsi_generic(cdrecord_t)
+
+logging_send_syslog_msg(cdrecord_t)
+
+miscfiles_read_localization(cdrecord_t)
+
+# write to the user domain tty.
+userdom_use_user_terminals(cdrecord_t)
+userdom_read_user_home_content_files(cdrecord_t)
+
+# Handle nfs home dirs
+tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(cdrecord_t)
+ files_list_home(cdrecord_t)
+ fs_read_nfs_files(cdrecord_t)
+ fs_read_nfs_symlinks(cdrecord_t)
+
+',`
+ files_dontaudit_list_home(cdrecord_t)
+ fs_dontaudit_list_auto_mountpoints(cdrecord_t)
+ fs_dontaudit_read_nfs_files(cdrecord_t)
+ fs_dontaudit_list_nfs(cdrecord_t)
+')
+# Handle samba home dirs
+tunable_policy(`cdrecord_read_content && use_samba_home_dirs',`
+ fs_list_auto_mountpoints(cdrecord_t)
+ files_list_home(cdrecord_t)
+ fs_read_cifs_files(cdrecord_t)
+ fs_read_cifs_symlinks(cdrecord_t)
+',`
+ files_dontaudit_list_home(cdrecord_t)
+ fs_dontaudit_list_auto_mountpoints(cdrecord_t)
+ fs_dontaudit_read_cifs_files(cdrecord_t)
+ fs_dontaudit_list_cifs(cdrecord_t)
+')
+
+# Handle removable media, /tmp, and /home
+tunable_policy(`cdrecord_read_content',`
+ userdom_list_user_tmp(cdrecord_t)
+ userdom_read_user_tmp_files(cdrecord_t)
+ userdom_read_user_tmp_symlinks(cdrecord_t)
+ userdom_read_user_home_content_files(cdrecord_t)
+ userdom_read_user_home_content_symlinks(cdrecord_t)
+
+ ifndef(`enable_mls',`
+ fs_search_removable(cdrecord_t)
+ fs_read_removable_files(cdrecord_t)
+ fs_read_removable_symlinks(cdrecord_t)
+ ')
+',`
+ files_dontaudit_list_tmp(cdrecord_t)
+ files_dontaudit_list_home(cdrecord_t)
+ fs_dontaudit_list_removable(cdrecord_t)
+ fs_dontaudit_read_removable_files(cdrecord_t)
+ userdom_dontaudit_list_user_tmp(cdrecord_t)
+ userdom_dontaudit_read_user_tmp_files(cdrecord_t)
+ userdom_dontaudit_list_user_home_dirs(cdrecord_t)
+ userdom_dontaudit_read_user_home_content_files(cdrecord_t)
+')
+
+# Handle default_t content
+tunable_policy(`cdrecord_read_content && read_default_t',`
+ files_list_default(cdrecord_t)
+ files_read_default_files(cdrecord_t)
+ files_read_default_symlinks(cdrecord_t)
+',`
+ files_dontaudit_read_default_files(cdrecord_t)
+ files_dontaudit_list_default(cdrecord_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ files_search_mnt(cdrecord_t)
+ fs_read_nfs_files(cdrecord_t)
+ fs_read_nfs_symlinks(cdrecord_t)
+')
+
+optional_policy(`
+ resmgr_stream_connect(cdrecord_t)
+')
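Review bot: Cross-user isolation for cdrecord_t now rests entirely on `ubac_constrained(cdrecord_t)` and on UBAC being enabled at build time, and nothing in the file says so. The per-role template scoped `userdom_read_user_home_content_files` and the `cdrecord_read_content` block to the invoking user's own derived types, whereas the collapsed `cdrecord_t` is granted those rules against the shared user home and tmp types, so with UBAC off one user's cdrecord process can read every user's home content (DAC and MCS aside). A comment above the `ubac_constrained` call, e.g. `# single domain shared by all roles; per-user separation depends on UBAC being enabled`, would make the trade-off visible to anyone building with UBAC disabled.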
diff --git a/policy/modules/apps/ethereal.fc b/policy/modules/apps/ethereal.fc
index 7204fe2..b489cae 100644
--- a/policy/modules/apps/ethereal.fc
+++ b/policy/modules/apps/ethereal.fc
@@ -1,4 +1,4 @@
-HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:ROLE_ethereal_home_t,s0)
+HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:ethereal_home_t,s0)
/usr/sbin/ethereal.* -- gen_context(system_u:object_r:ethereal_exec_t,s0)
/usr/sbin/tethereal.* -- gen_context(system_u:object_r:tethereal_exec_t,s0)
diff --git a/policy/modules/apps/ethereal.if b/policy/modules/apps/ethereal.if
index 20eee67..23d5b85 100644
--- a/policy/modules/apps/ethereal.if
+++ b/policy/modules/apps/ethereal.if
@@ -1,244 +1,55 @@
## Ethereal packet capture tool.
-#######################################
+########################################
##
-## The per role template for the ethereal module.
+## Role access for ethereal
##
-##
-##
-## This template creates a derived domains which are used
-## for ethereal packet capture tool.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
+##
##
-## The type of the user domain.
+## Role allowed access
##
##
-##
+##
##
-## The role associated with the user domain.
+## User domain for the role
##
##
#
-template(`ethereal_per_role_template',`
-
+interface(`ethereal_role',`
gen_require(`
- type ethereal_exec_t;
- ')
-
- ##############################
- #
- # Declarations
- #
-
- # Type for program
- type $1_ethereal_t;
- application_domain($1_ethereal_t, ethereal_exec_t)
- role $3 types $1_ethereal_t;
-
- type $1_ethereal_home_t alias $1_ethereal_rw_t;
- files_poly_member($1_ethereal_home_t)
- userdom_user_home_content($1, $1_ethereal_home_t)
-
- type $1_ethereal_tmp_t;
- files_tmp_file($1_ethereal_tmp_t)
-
- type $1_ethereal_tmpfs_t;
- files_tmpfs_file($1_ethereal_tmpfs_t)
-
- ##############################
- #
- # Local Policy
- #
-
- allow $1_ethereal_t self:capability { net_admin net_raw setgid };
- allow $1_ethereal_t self:process { signal getsched };
- allow $1_ethereal_t self:fifo_file { getattr read write };
- allow $1_ethereal_t self:shm destroy;
- allow $1_ethereal_t self:shm create_shm_perms;
- allow $1_ethereal_t self:netlink_route_socket { nlmsg_read create_socket_perms };
- allow $1_ethereal_t self:packet_socket { setopt bind ioctl getopt create read };
- allow $1_ethereal_t self:tcp_socket create_socket_perms;
- allow $1_ethereal_t self:udp_socket create_socket_perms;
-
- # Re-execute itself (why?)
- can_exec($1_ethereal_t, ethereal_exec_t)
- corecmd_search_bin($1_ethereal_t)
-
- # /home/.ethereal
- manage_dirs_pattern($1_ethereal_t, $1_ethereal_home_t, $1_ethereal_home_t)
- manage_files_pattern($1_ethereal_t, $1_ethereal_home_t, $1_ethereal_home_t)
- manage_lnk_files_pattern($1_ethereal_t, $1_ethereal_home_t, $1_ethereal_home_t)
- userdom_user_home_dir_filetrans($1, $1_ethereal_t, $1_ethereal_home_t, dir)
-
- # Store temporary files
- manage_dirs_pattern($1_ethereal_t, $1_ethereal_tmp_t, $1_ethereal_tmp_t)
- manage_files_pattern($1_ethereal_t, $1_ethereal_tmp_t, $1_ethereal_tmp_t)
- files_tmp_filetrans($1_ethereal_t, $1_ethereal_tmp_t, { dir file })
-
- manage_dirs_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t)
- manage_files_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t)
- manage_lnk_files_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t)
- manage_sock_files_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t)
- manage_fifo_files_pattern($1_ethereal_t, $1_ethereal_tmpfs_t, $1_ethereal_tmpfs_t)
- fs_tmpfs_filetrans($1_ethereal_t, $1_ethereal_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-
- domain_auto_trans($2, ethereal_exec_t, $1_ethereal_t)
- allow $1_ethereal_t $2:fd use;
- allow $1_ethereal_t $2:process sigchld;
-
- manage_dirs_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
- manage_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
- manage_lnk_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
- relabel_dirs_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
- relabel_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
- relabel_lnk_files_pattern($2, $1_ethereal_home_t, $1_ethereal_home_t)
-
- kernel_read_kernel_sysctls($1_ethereal_t)
- kernel_read_system_state($1_ethereal_t)
- kernel_read_sysctl($1_ethereal_t)
-
- corecmd_search_bin($1_ethereal_t)
-
- corenet_tcp_connect_generic_port($1_ethereal_t)
- corenet_tcp_sendrecv_generic_if($1_ethereal_t)
-
- dev_read_urand($1_ethereal_t)
-
- files_read_etc_files($1_ethereal_t)
- files_read_usr_files($1_ethereal_t)
-
- fs_list_inotifyfs($1_ethereal_t)
- fs_search_auto_mountpoints($1_ethereal_t)
-
- libs_read_lib_files($1_ethereal_t)
-
- miscfiles_read_fonts($1_ethereal_t)
- miscfiles_read_localization($1_ethereal_t)
-
- seutil_use_newrole_fds($1_ethereal_t)
-
- sysnet_read_config($1_ethereal_t)
-
- userdom_manage_user_home_content_files($1, $1_ethereal_t)
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs($1_ethereal_t)
- fs_manage_nfs_files($1_ethereal_t)
- fs_manage_nfs_symlinks($1_ethereal_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs($1_ethereal_t)
- fs_manage_cifs_files($1_ethereal_t)
- fs_manage_cifs_symlinks($1_ethereal_t)
- ')
-
- optional_policy(`
- nscd_socket_use($1_ethereal_t)
+ type ethereal_t, ethereal_exec_t, ethereal_home_t;
')
- # Manual transition from userhelper
- optional_policy(`
- userhelper_use_user_fd($1, $1_ethereal_t)
- userhelper_sigchld_user($1, $1_ethereal_t)
- ')
-
- optional_policy(`
- xserver_user_x_domain_template($1, $1_ethereal, $1_ethereal_t, $1_ethereal_tmpfs_t)
- xserver_create_xdm_tmp_sockets($1_ethereal_t)
- ')
-
- ifdef(`TODO',`
- # Why does it write this?
- optional_policy(`
- dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write;
- ')
- #TODO
- gnome_application($1_ethereal, $1)
- gnome_file_dialog($1_ethereal, $1)
- # FIXME: policy is incomplete
- ')
-
-')
-
-#######################################
-##
-## The administrative functions template for the ethereal module.
-##
-##
-##
-## This template creates rules for administrating ethereal,
-## allowing the specified user to manage ethereal files.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-#
-template(`ethereal_admin_template',`
- gen_require(`
- type $1_ethereal_t;
- ')
+ role $1 types ethereal_t;
- # Create various types of sockets
- allow $1_ethereal_t self:netlink_route_socket create_netlink_socket_perms;
- allow $1_ethereal_t self:udp_socket create_socket_perms;
- allow $1_ethereal_t self:packet_socket create_socket_perms;
- allow $1_ethereal_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_ethereal_t self:tcp_socket create_socket_perms;
+ domain_auto_trans($2, ethereal_exec_t, ethereal_t)
+ allow ethereal_t $2:fd use;
+ allow ethereal_t $2:process sigchld;
- userdom_use_user_terminals($1, $1_ethereal_t)
- # Ethereal tries to write to user terminal
- userdom_dontaudit_use_user_terminals($1, $1_ethereal_t)
+ manage_dirs_pattern($2, ethereal_home_t, ethereal_home_t)
+ manage_files_pattern($2, ethereal_home_t, ethereal_home_t)
+ manage_lnk_files_pattern($2, ethereal_home_t, ethereal_home_t)
+ relabel_dirs_pattern($2, ethereal_home_t, ethereal_home_t)
+ relabel_files_pattern($2, ethereal_home_t, ethereal_home_t)
+ relabel_lnk_files_pattern($2, ethereal_home_t, ethereal_home_t)
')
########################################
##
## Run ethereal in ethereal domain.
##
-##
-##
-## Run ethereal in ethereal domain.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## Domain allowed access.
##
##
#
-template(`ethereal_domtrans_user_ethereal',`
+interface(`ethereal_domtrans',`
gen_require(`
- type $1_ethereal_t, ethereal_exec_t;
+ type ethereal_t, ethereal_exec_t;
')
- domtrans_pattern($2, ethereal_exec_t, $1_ethereal_t)
+ domtrans_pattern($1, ethereal_exec_t, ethereal_t)
')
########################################
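Review bot: `ethereal_role` hand-rolls the transition as `domain_auto_trans($2, ethereal_exec_t, ethereal_t)` plus the `fd use` and `process sigchld` rules, while the `ethereal_domtrans` interface introduced in the same hunk (and `cdrecord_role` in this commit) express the same thing with `domtrans_pattern`. Replacing those three lines with `ethereal_domtrans($2)` keeps the two interfaces from drifting apart. Note that domtrans_pattern also grants the caller's fifo_file read/write that the hand-written lines omit, so confirm that small widening is acceptable before folding.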
@@ -251,7 +62,7 @@ template(`ethereal_domtrans_user_ethereal',`
##
##
#
-template(`ethereal_domtrans_tethereal',`
+interface(`ethereal_domtrans_tethereal',`
gen_require(`
type tethereal_t, tethereal_exec_t;
')
@@ -274,11 +85,6 @@ template(`ethereal_domtrans_tethereal',`
## The role to be allowed the tethereal domain.
##
##
-##
-##
-## The type of the terminal allow the tethereal domain to use.
-##
-##
#
interface(`ethereal_run_tethereal',`
gen_require(`
@@ -287,5 +93,4 @@ interface(`ethereal_run_tethereal',`
ethereal_domtrans_tethereal($1)
role $2 types tethereal_t;
- allow tethereal_t $3:chr_file rw_term_perms;
')
diff --git a/policy/modules/apps/ethereal.te b/policy/modules/apps/ethereal.te
index e4d312d..30c850f 100644
--- a/policy/modules/apps/ethereal.te
+++ b/policy/modules/apps/ethereal.te
@@ -1,13 +1,35 @@
-policy_module(ethereal, 1.5.0)
+policy_module(ethereal, 2.0.0)
########################################
#
# Declarations
#
+type ethereal_t;
type ethereal_exec_t;
-application_executable_file(ethereal_exec_t)
+typealias ethereal_t alias { user_ethereal_t staff_ethereal_t sysadm_ethereal_t };
+typealias ethereal_t alias { auditadm_ethereal_t secadm_ethereal_t };
+application_domain(ethereal_t, ethereal_exec_t)
+ubac_constrained(ethereal_t)
+
+type ethereal_home_t;
+typealias ethereal_home_t alias { user_ethereal_home_t staff_ethereal_home_t sysadm_ethereal_home_t };
+typealias ethereal_home_t alias { auditadm_ethereal_home_t secadm_ethereal_home_t };
+files_poly_member(ethereal_home_t)
+userdom_user_home_content(ethereal_home_t)
+
+type ethereal_tmp_t;
+typealias ethereal_tmp_t alias { user_ethereal_tmp_t staff_ethereal_tmp_t sysadm_ethereal_tmp_t };
+typealias ethereal_tmp_t alias { auditadm_ethereal_tmp_t secadm_ethereal_tmp_t };
+files_tmp_file(ethereal_tmp_t)
+ubac_constrained(ethereal_tmp_t)
+
+type ethereal_tmpfs_t;
+typealias ethereal_tmpfs_t alias { user_ethereal_tmpfs_t staff_ethereal_tmpfs_t sysadm_ethereal_tmpfs_t };
+typealias ethereal_tmpfs_t alias { auditadm_ethereal_tmpfs_t secadm_ethereal_tmpfs_t };
+files_tmpfs_file(ethereal_tmpfs_t)
+ubac_constrained(ethereal_tmpfs_t)
type tethereal_t;
type tethereal_exec_t;
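Review bot: `ethereal_home_t` is the only new type in this hunk not passed to `ubac_constrained`: ethereal_t, ethereal_tmp_t and ethereal_tmpfs_t all get it, but the home type is only given `files_poly_member` and `userdom_user_home_content`. If `userdom_user_home_content()` does not apply the UBAC constraint itself, one user's ethereal_t could read another user's ~/.ethereal capture files even with UBAC enabled, since the per-user `$1_ethereal_home_t` types that used to separate them collapse into a single type here. Either add `ubac_constrained(ethereal_home_t)` alongside the other declarations, or note in a comment that the userdom interface already covers it.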
@@ -16,6 +38,99 @@ application_domain(tethereal_t, tethereal_exec_t)
type tethereal_tmp_t;
files_tmp_file(tethereal_tmp_t)
+##############################
+#
+# Local Policy
+#
+
+allow ethereal_t self:capability { net_admin net_raw setgid };
+allow ethereal_t self:process { signal getsched };
+allow ethereal_t self:fifo_file { getattr read write };
+allow ethereal_t self:shm destroy;
+allow ethereal_t self:shm create_shm_perms;
+allow ethereal_t self:netlink_route_socket { nlmsg_read create_socket_perms };
+allow ethereal_t self:packet_socket { setopt bind ioctl getopt create read };
+allow ethereal_t self:tcp_socket create_socket_perms;
+allow ethereal_t self:udp_socket create_socket_perms;
+
+# Re-execute itself (why?)
+can_exec(ethereal_t, ethereal_exec_t)
+corecmd_search_bin(ethereal_t)
+
+# /home/.ethereal
+manage_dirs_pattern(ethereal_t, ethereal_home_t, ethereal_home_t)
+manage_files_pattern(ethereal_t, ethereal_home_t, ethereal_home_t)
+manage_lnk_files_pattern(ethereal_t, ethereal_home_t, ethereal_home_t)
+userdom_user_home_dir_filetrans(ethereal_t, ethereal_home_t, dir)
+
+# Store temporary files
+manage_dirs_pattern(ethereal_t, ethereal_tmp_t, ethereal_tmp_t)
+manage_files_pattern(ethereal_t, ethereal_tmp_t, ethereal_tmp_t)
+files_tmp_filetrans(ethereal_t, ethereal_tmp_t, { dir file })
+
+manage_dirs_pattern(ethereal_t, ethereal_tmpfs_t, ethereal_tmpfs_t)
+manage_files_pattern(ethereal_t, ethereal_tmpfs_t, ethereal_tmpfs_t)
+manage_lnk_files_pattern(ethereal_t, ethereal_tmpfs_t, ethereal_tmpfs_t)
+manage_sock_files_pattern(ethereal_t, ethereal_tmpfs_t, ethereal_tmpfs_t)
+manage_fifo_files_pattern(ethereal_t, ethereal_tmpfs_t, ethereal_tmpfs_t)
+fs_tmpfs_filetrans(ethereal_t, ethereal_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(ethereal_t)
+kernel_read_system_state(ethereal_t)
+kernel_read_sysctl(ethereal_t)
+
+corecmd_search_bin(ethereal_t)
+
+corenet_tcp_connect_generic_port(ethereal_t)
+corenet_tcp_sendrecv_generic_if(ethereal_t)
+
+dev_read_urand(ethereal_t)
+
+files_read_etc_files(ethereal_t)
+files_read_usr_files(ethereal_t)
+
+fs_list_inotifyfs(ethereal_t)
+fs_search_auto_mountpoints(ethereal_t)
+
+libs_read_lib_files(ethereal_t)
+
+miscfiles_read_fonts(ethereal_t)
+miscfiles_read_localization(ethereal_t)
+
+seutil_use_newrole_fds(ethereal_t)
+
+sysnet_read_config(ethereal_t)
+
+userdom_manage_user_home_content_files(ethereal_t)
+userdom_use_user_terminals(ethereal_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(ethereal_t)
+ fs_manage_nfs_files(ethereal_t)
+ fs_manage_nfs_symlinks(ethereal_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(ethereal_t)
+ fs_manage_cifs_files(ethereal_t)
+ fs_manage_cifs_symlinks(ethereal_t)
+')
+
+optional_policy(`
+ nscd_socket_use(ethereal_t)
+')
+
+# Manual transition from userhelper
+optional_policy(`
+ userhelper_use_fd(ethereal_t)
+ userhelper_sigchld(ethereal_t)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(ethereal, ethereal_t, ethereal_tmpfs_t)
+ xserver_create_xdm_tmp_sockets(ethereal_t)
+')
+
########################################
#
# Tethereal policy
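Review bot: `corecmd_search_bin(ethereal_t)` appears twice in the new local policy, once under `# Re-execute itself (why?)` and again after the kernel_ calls; drop the first so the second stays in the module's usual interface ordering. The comment `# /home/.ethereal` above the home-content rules is misleading, since `userdom_user_home_dir_filetrans` is relative to the user's home directory; `# HOME_DIR/.ethereal` matches the .fc convention. The two `self:shm` rules can presumably be folded into the single `allow ethereal_t self:shm create_shm_perms;` if that permission set already includes destroy, and the `(why?)` in the re-exec comment should be answered or turned into a FIXME so the open question is not lost in committed policy. Note also that `userdom_manage_user_home_content_files(ethereal_t)` gives a packet-capture GUI write access to all of a user's home content, which is wider than the dedicated ethereal_home_t type suggests and warrants a comment stating it is for saving captures anywhere in the home tree.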
@@ -48,6 +163,8 @@ seutil_use_newrole_fds(tethereal_t)
sysnet_dns_name_resolve(tethereal_t)
+userdom_use_user_terminals(tethereal_t)
+
optional_policy(`
nscd_socket_use(tethereal_t)
')
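Review bot: `userdom_use_user_terminals(tethereal_t)` grants tethereal_t read/write on every user terminal type, and the visible declaration of tethereal_t in the surrounding context shows no `ubac_constrained()` (unlike ethereal_t), so with UBAC enabled this grant would not be narrowed to the invoking user's own terminals. If per-user separation is intended for the capture tool, `ubac_constrained(tethereal_t)` belongs beside `application_domain(tethereal_t, tethereal_exec_t)`; if not, a comment such as `# tethereal_t is deliberately not ubac_constrained` would record the decision. The rest of the tethereal local policy lies outside this hunk, so this is inferred from the visible lines only.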
diff --git a/policy/modules/apps/evolution.fc b/policy/modules/apps/evolution.fc
index 1b425f4..c011277 100644
--- a/policy/modules/apps/evolution.fc
+++ b/policy/modules/apps/evolution.fc
@@ -2,13 +2,13 @@
# HOME_DIR/
#
-HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:ROLE_evolution_home_t,s0)
-HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:ROLE_evolution_home_t,s0)
+HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
+HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
#
# /tmp
#
-/tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:ROLE_evolution_exchange_tmp_t,s0)
+/tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0)
#
# /usr
diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if
index d50b4b7..1cb204c 100644
--- a/policy/modules/apps/evolution.if
+++ b/policy/modules/apps/evolution.if
@@ -1,795 +1,71 @@
## Evolution email client
-#######################################
+########################################
##
-## The per role template for the evolution module.
+## Role access for evolution
##
-##
-##
-## This template creates a derived domains which are used
-## for evolution email client and other related evolution applications such as webcal and alarm
-## type is also created to protect the user evolution keys.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
+##
##
-## The type of the user domain.
+## Role allowed access
##
##
-##
+##
##
-## The role associated with the user domain.
+## User domain for the role
##
##
#
-template(`evolution_per_role_template',`
-
- ########################################
- #
- # Declarations
- #
-
- type $1_evolution_t;
- application_domain($1_evolution_t, evolution_exec_t)
- role $3 types $1_evolution_t;
-
- type $1_evolution_tmpfs_t;
- files_tmpfs_file($1_evolution_tmpfs_t)
-
- type $1_evolution_home_t alias $1_evolution_rw_t;
- files_poly_member($1_evolution_home_t)
- userdom_user_home_content($1, $1_evolution_home_t)
-
- type $1_evolution_orbit_tmp_t;
- files_tmp_file($1_evolution_orbit_tmp_t)
-
- type $1_evolution_alarm_t;
- application_domain($1_evolution_alarm_t, evolution_alarm_exec_t)
- role $3 types $1_evolution_alarm_t;
-
- type $1_evolution_alarm_tmpfs_t;
- files_tmpfs_file($1_evolution_alarm_tmpfs_t)
-
- type $1_evolution_alarm_orbit_tmp_t;
- files_tmp_file($1_evolution_alarm_orbit_tmp_t)
-
- type $1_evolution_exchange_t;
- application_domain($1_evolution_exchange_t, evolution_exchange_exec_t)
- role $3 types $1_evolution_exchange_t;
-
- type $1_evolution_exchange_tmpfs_t;
- files_tmpfs_file($1_evolution_exchange_tmpfs_t)
-
- type $1_evolution_exchange_tmp_t;
- files_tmp_file($1_evolution_exchange_tmp_t)
-
- type $1_evolution_exchange_orbit_tmp_t;
- files_tmp_file($1_evolution_exchange_orbit_tmp_t)
-
- type $1_evolution_server_t;
- application_domain($1_evolution_server_t, evolution_server_exec_t)
- role $3 types $1_evolution_server_t;
-
- type $1_evolution_server_orbit_tmp_t;
- files_tmp_file($1_evolution_server_orbit_tmp_t)
-
- type $1_evolution_webcal_t;
- application_domain($1_evolution_webcal_t, evolution_webcal_exec_t)
- role $3 types $1_evolution_webcal_t;
-
- type $1_evolution_webcal_tmpfs_t;
- files_tmpfs_file($1_evolution_webcal_tmpfs_t)
-
- type $1_orbit_tmp_t;
- files_tmp_file($1_orbit_tmp_t)
-
- ########################################
- #
- # Evolution local policy
- #
-
- allow $1_evolution_t self:capability { setuid setgid sys_nice };
- allow $1_evolution_t self:process { signal getsched setsched };
- allow $1_evolution_t self:fifo_file rw_file_perms;
- allow $1_evolution_t self:tcp_socket create_socket_perms;
- allow $1_evolution_t self:udp_socket create_socket_perms;
-
- allow $1_evolution_t $1_evolution_alarm_t:dir search_dir_perms;
- allow $1_evolution_t $1_evolution_alarm_t:file read;
-
- allow $1_evolution_t $1_evolution_alarm_t:unix_stream_socket connectto;
- allow $1_evolution_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
-
- can_exec($1_evolution_t, evolution_alarm_exec_t)
-
- allow $1_evolution_t $1_evolution_exchange_t:unix_stream_socket connectto;
- allow $1_evolution_t $1_evolution_exchange_orbit_tmp_t:sock_file write;
-
- allow $1_evolution_t $1_evolution_home_t:dir manage_dir_perms;
- allow $1_evolution_t $1_evolution_home_t:file manage_file_perms;
- allow $1_evolution_t $1_evolution_home_t:lnk_file manage_lnk_file_perms;
-
- allow $1_evolution_t $1_evolution_orbit_tmp_t:dir manage_dir_perms;
- allow $1_evolution_t $1_evolution_orbit_tmp_t:file manage_file_perms;
- files_tmp_filetrans($1_evolution_t, $1_evolution_orbit_tmp_t, { dir file })
-
- allow $1_evolution_server_t $1_evolution_orbit_tmp_t:dir manage_dir_perms;
- allow $1_evolution_server_t $1_evolution_orbit_tmp_t:file manage_file_perms;
- files_tmp_filetrans($1_evolution_server_t, $1_evolution_orbit_tmp_t, { dir file })
-
- allow $1_evolution_t $1_evolution_server_t:dir search_dir_perms;
- allow $1_evolution_t $1_evolution_server_t:file read;
-
- allow $1_evolution_t $1_evolution_server_t:unix_stream_socket connectto;
- allow $1_evolution_t $1_evolution_server_orbit_tmp_t:sock_file write;
-
- can_exec($1_evolution_t, evolution_server_exec_t)
-
- allow $1_evolution_t $1_evolution_tmpfs_t:dir rw_dir_perms;
- allow $1_evolution_t $1_evolution_tmpfs_t:file manage_file_perms;
- allow $1_evolution_t $1_evolution_tmpfs_t:lnk_file manage_lnk_file_perms;
- allow $1_evolution_t $1_evolution_tmpfs_t:sock_file manage_sock_file_perms;
- allow $1_evolution_t $1_evolution_tmpfs_t:fifo_file manage_fifo_file_perms;
- fs_tmpfs_filetrans($1_evolution_t, $1_evolution_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-
- allow $1_evolution_t $2:dir search;
- allow $1_evolution_t $2:fd use;
- allow $1_evolution_t $2:file read;
- allow $1_evolution_t $2:lnk_file read;
- allow $1_evolution_t $2:process sigchld;
- allow $1_evolution_t $2:unix_stream_socket connectto;
- allow $1_evolution_t $2:dir search;
- allow $1_evolution_t $2:file read;
-
- domain_auto_trans($2, evolution_exec_t, $1_evolution_t)
-
- allow $2 $1_evolution_t:unix_stream_socket connectto;
- allow $2 $1_evolution_t:process noatsecure;
- allow $2 $1_evolution_t:process signal_perms;
+interface(`evolution_role',`
+ gen_require(`
+ type evolution_t, evolution_exec_t, evolution_home_t;
+ type evolution_alarm_t, evolution_alarm_exec_t;
+ type evolution_exchange_t, evolution_exchange_exec_t;
+ type evolution_exchange_orbit_tmp_t;
+ type evolution_server_t, evolution_server_exec_t;
+ type evolution_webcal_t, evolution_webcal_exec_t;
+ ')
+
+ role $1 types { evolution_t evolution_alarm_t evolution_exchange_t };
+ role $1 types { evolution_server_t evolution_webcal_t };
+
+ domtrans_pattern($2, evolution_exec_t, evolution_t)
+ domtrans_pattern($2, evolution_alarm_exec_t, evolution_alarm_t)
+ domtrans_pattern($2, evolution_exchange_exec_t, evolution_exchange_t)
+ domtrans_pattern($2, evolution_server_exec_t, evolution_server_t)
+ domtrans_pattern($2, evolution_webcal_exec_t, evolution_webcal_t)
+
+ ps_process_pattern($2, evolution_t)
+ ps_process_pattern($2, evolution_alarm_t)
+ ps_process_pattern($2, evolution_exchange_t)
+ ps_process_pattern($2, evolution_server_t)
+ ps_process_pattern($2, evolution_webcal_t)
+
+ allow evolution_t $2:dir search;
+ allow evolution_t $2:file read;
+ allow evolution_t $2:lnk_file read;
+ allow evolution_t $2:unix_stream_socket connectto;
+
+ allow $2 evolution_t:unix_stream_socket connectto;
+ allow $2 evolution_t:process noatsecure;
+ allow $2 evolution_t:process signal_perms;
# Access .evolution
- allow $2 $1_evolution_home_t:dir manage_dir_perms;
- allow $2 $1_evolution_home_t:file manage_file_perms;
- allow $2 $1_evolution_home_t:lnk_file manage_lnk_file_perms;
- allow $2 $1_evolution_home_t:{ dir file lnk_file } { relabelfrom relabelto };
- userdom_search_user_home_dirs($1, $1_evolution_t)
-
- # Allow the user domain to signal/ps.
- ps_process_pattern($2, $1_evolution_t)
-
- domain_dontaudit_read_all_domains_state($1_evolution_t)
-
- #FIXME check to see if really needed
- kernel_read_kernel_sysctls($1_evolution_t)
- kernel_read_system_state($1_evolution_t)
- # Allow netstat
- kernel_read_network_state($1_evolution_t)
- kernel_read_net_sysctls($1_evolution_t)
-
- corecmd_exec_shell($1_evolution_t)
- # Run various programs
- corecmd_exec_bin($1_evolution_t)
-
- corenet_all_recvfrom_unlabeled($1_evolution_t)
- corenet_all_recvfrom_netlabel($1_evolution_t)
- corenet_tcp_sendrecv_generic_if($1_evolution_t)
- corenet_udp_sendrecv_generic_if($1_evolution_t)
- corenet_raw_sendrecv_generic_if($1_evolution_t)
- corenet_tcp_sendrecv_all_nodes($1_evolution_t)
- corenet_udp_sendrecv_all_nodes($1_evolution_t)
- corenet_tcp_sendrecv_pop_port($1_evolution_t)
- corenet_udp_sendrecv_pop_port($1_evolution_t)
- corenet_tcp_sendrecv_smtp_port($1_evolution_t)
- corenet_udp_sendrecv_smtp_port($1_evolution_t)
- corenet_tcp_sendrecv_innd_port($1_evolution_t)
- corenet_udp_sendrecv_innd_port($1_evolution_t)
- corenet_tcp_sendrecv_ldap_port($1_evolution_t)
- corenet_udp_sendrecv_ldap_port($1_evolution_t)
- corenet_tcp_sendrecv_ipp_port($1_evolution_t)
- corenet_udp_sendrecv_ipp_port($1_evolution_t)
- corenet_tcp_connect_pop_port($1_evolution_t)
- corenet_tcp_connect_smtp_port($1_evolution_t)
- corenet_tcp_connect_innd_port($1_evolution_t)
- corenet_tcp_connect_ldap_port($1_evolution_t)
- corenet_tcp_connect_ipp_port($1_evolution_t)
- corenet_sendrecv_pop_client_packets($1_evolution_t)
- corenet_sendrecv_smtp_client_packets($1_evolution_t)
- corenet_sendrecv_innd_client_packets($1_evolution_t)
- corenet_sendrecv_ldap_client_packets($1_evolution_t)
- corenet_sendrecv_ipp_client_packets($1_evolution_t)
- # not sure about this bind
- corenet_udp_bind_all_nodes($1_evolution_t)
- corenet_udp_bind_generic_port($1_evolution_t)
-
- dev_read_urand($1_evolution_t)
-
- files_read_etc_files($1_evolution_t)
- files_read_usr_files($1_evolution_t)
- files_read_usr_symlinks($1_evolution_t)
- files_read_var_files($1_evolution_t)
-
- fs_search_auto_mountpoints($1_evolution_t)
-
- logging_send_syslog_msg($1_evolution_t)
-
- miscfiles_read_localization($1_evolution_t)
-
- sysnet_read_config($1_evolution_t)
- sysnet_dns_name_resolve($1_evolution_t)
-
- udev_read_state($1_evolution_t)
-
- userdom_rw_user_tmp_files($1, $1_evolution_t)
- userdom_manage_user_tmp_dirs($1, $1_evolution_t)
- userdom_manage_user_tmp_sockets($1, $1_evolution_t)
- userdom_manage_user_tmp_files($1, $1_evolution_t)
- userdom_use_user_terminals($1, $1_evolution_t)
- # FIXME: suppress access to .local/.icons/.themes until properly implemented
- # FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
- # until properly implemented
- userdom_dontaudit_read_user_home_content_files($1, $1_evolution_t)
-
- mta_read_config($1_evolution_t)
-
- xserver_user_x_domain_template($1, $1_evolution, $1_evolution_t, $1_evolution_tmpfs_t)
- xserver_read_xdm_tmp_files($1_evolution_t)
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs($1_evolution_t)
- fs_manage_nfs_files($1_evolution_t)
- fs_manage_nfs_symlinks($1_evolution_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs($1_evolution_t)
- fs_manage_cifs_files($1_evolution_t)
- fs_manage_cifs_symlinks($1_evolution_t)
- ')
-
- tunable_policy(`mail_read_content && use_nfs_home_dirs',`
- fs_list_auto_mountpoints($1_evolution_t)
- files_list_home($1_evolution_t)
- fs_read_nfs_files($1_evolution_t)
- fs_read_nfs_symlinks($1_evolution_t)
-
- ',`
- files_dontaudit_list_home($1_evolution_t)
- fs_dontaudit_list_auto_mountpoints($1_evolution_t)
- fs_dontaudit_read_nfs_files($1_evolution_t)
- fs_dontaudit_list_nfs($1_evolution_t)
- ')
-
- tunable_policy(`mail_read_content && use_samba_home_dirs',`
- fs_list_auto_mountpoints($1_evolution_t)
- files_list_home($1_evolution_t)
- fs_read_cifs_files($1_evolution_t)
- fs_read_cifs_symlinks($1_evolution_t)
- ',`
- files_dontaudit_list_home($1_evolution_t)
- fs_dontaudit_list_auto_mountpoints($1_evolution_t)
- fs_dontaudit_read_cifs_files($1_evolution_t)
- fs_dontaudit_list_cifs($1_evolution_t)
- ')
-
- tunable_policy(`mail_read_content',`
- userdom_list_user_tmp($1, $1_evolution_t)
- userdom_read_user_tmp_files($1, $1_evolution_t)
- userdom_read_user_tmp_symlinks($1, $1_evolution_t)
- userdom_search_user_home_dirs($1, $1_evolution_t)
- userdom_read_user_home_content_files($1, $1_evolution_t)
- userdom_read_user_home_content_symlinks($1, $1_evolution_t)
-
- ifndef(`enable_mls',`
- fs_search_removable($1_evolution_t)
- fs_read_removable_files($1_evolution_t)
- fs_read_removable_symlinks($1_evolution_t)
- ')
- ',`
- files_dontaudit_list_tmp($1_evolution_t)
- files_dontaudit_list_home($1_evolution_t)
- fs_dontaudit_list_removable($1_evolution_t)
- fs_dontaudit_read_removable_files($1_evolution_t)
- userdom_dontaudit_list_user_tmp($1,$1_evolution_t)
- userdom_dontaudit_read_user_tmp_files($1,$1_evolution_t)
- userdom_dontaudit_list_user_home_dirs($1,$1_evolution_t)
- userdom_dontaudit_read_user_home_content_files($1,$1_evolution_t)
- ')
-
- tunable_policy(`mail_read_content && read_default_t',`
- files_list_default($1_evolution_t)
- files_read_default_files($1_evolution_t)
- files_read_default_symlinks($1_evolution_t)
- ',`
- files_dontaudit_read_default_files($1_evolution_t)
- files_dontaudit_list_default($1_evolution_t)
- ')
-
- tunable_policy(`mail_read_content && read_untrusted_content',`
- files_list_tmp($1_evolution_t)
- files_list_home($1_evolution_t)
- userdom_search_user_home_dirs($1,$1_evolution_t)
-
- userdom_list_user_untrusted_content($1, $1_evolution_t)
- userdom_read_user_untrusted_content_files($1, $1_evolution_t)
- userdom_read_user_untrusted_content_symlinks($1, $1_evolution_t)
- userdom_list_user_tmp_untrusted_content($1, $1_evolution_t)
- userdom_read_user_tmp_untrusted_content_files($1, $1_evolution_t)
- userdom_read_user_tmp_untrusted_content_symlinks($1, $1_evolution_t)
- ',`
- files_dontaudit_list_tmp($1_evolution_t)
- files_dontaudit_list_home($1_evolution_t)
- userdom_dontaudit_list_user_home_dirs($1, $1_evolution_t)
- userdom_dontaudit_list_user_untrusted_content($1, $1_evolution_t)
- userdom_dontaudit_read_user_untrusted_content_files($1, $1_evolution_t)
- userdom_dontaudit_list_user_tmp_untrusted_content($1, $1_evolution_t)
- userdom_dontaudit_read_user_tmp_untrusted_content_files($1, $1_evolution_t)
- ')
-
- tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
- files_search_home($1_evolution_t)
-
- fs_search_auto_mountpoints($1_evolution_t)
- fs_manage_nfs_dirs($1_evolution_t)
- fs_manage_nfs_files($1_evolution_t)
- fs_manage_nfs_symlinks($1_evolution_t)
- ',`
- fs_dontaudit_list_auto_mountpoints($1_evolution_t)
- fs_dontaudit_manage_nfs_dirs($1_evolution_t)
- fs_dontaudit_manage_nfs_files($1_evolution_t)
- ')
-
- tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
- files_search_home($1_evolution_t)
-
- fs_search_auto_mountpoints($1_evolution_t)
- fs_manage_cifs_dirs($1_evolution_t)
- fs_manage_cifs_files($1_evolution_t)
- fs_manage_cifs_symlinks($1_evolution_t)
- ',`
- fs_dontaudit_list_auto_mountpoints($1_evolution_t)
- fs_dontaudit_manage_cifs_dirs($1_evolution_t)
- fs_dontaudit_manage_cifs_files($1_evolution_t)
- ')
-
- tunable_policy(`write_untrusted_content',`
- files_search_home($1_evolution_t)
-
- userdom_manage_user_untrusted_content_files($1, $1_evolution_t)
- userdom_user_home_dir_filetrans($1, $1_evolution_t, $1_untrusted_content_tmp_t, { file dir })
- userdom_user_home_content_filetrans($1, $1_evolution_t, $1_untrusted_content_tmp_t, { file dir })
-
- ',`
- files_dontaudit_list_home($1_evolution_t)
- files_dontaudit_list_tmp($1_evolution_t)
-
- userdom_dontaudit_list_user_home_dirs($1, $1_evolution_t)
- #userdom_dontaudit_manage_user_tmp($1,$1_evolution_t)
- #userdom_dontaudit_manage_user_tmp_files($1,$1_evolution_t)
- #userdom_dontaudit_manage_user_home_subdirs($1,$1_evolution_t)
- ')
-
- optional_policy(`
- automount_read_state($1_evolution_t)
- ')
-
- # Allow printing the mail
- optional_policy(`
- cups_read_rw_config($1_evolution_t)
- ')
-
- optional_policy(`
- dbus_system_bus_client_template($1_evolution, $1_evolution_t)
- dbus_user_bus_client_template($1, $1_evolution, $1_evolution_t)
- ')
-
- optional_policy(`
- gnome_stream_connect_gconf_template($1, $1_evolution_t)
- ')
-
- # Encrypt mail
- optional_policy(`
- gpg_domtrans_user_gpg($1, $1_evolution_t)
- gpg_signal_user_gpg($1, $1_evolution_t)
- ')
-
- optional_policy(`
- lpd_domtrans_user_lpr($1, $1_evolution_t)
- ')
-
- optional_policy(`
- mozilla_read_user_home_files($1, $1_evolution_t)
- mozilla_domtrans_user_mozilla($1, $1_evolution_t)
- ')
-
- # Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
- optional_policy(`
- nis_use_ypbind($1_evolution_t)
- ')
-
- optional_policy(`
- nscd_socket_use($1_evolution_t)
- ')
-
- ### Junk mail filtering (start spamd)
- optional_policy(`
- spamassassin_exec_spamd($1_evolution_t)
- spamassassin_domtrans_user_client($1, $1_evolution_t)
- spamassassin_domtrans_user_local_client($1, $1_evolution_t)
- # Allow evolution to signal the daemon
- # FIXME: Now evolution can read spamd temp files
- spamassassin_read_spamd_tmp_files($1_evolution_t)
- spamassassin_signal_spamd($1_evolution_t)
- spamassassin_dontaudit_getattr_spamd_tmp_sockets($1_evolution_t)
- ')
-
- ifdef(`TODO',`
-
- # Gnome common stuff
- gnome_application($1_evolution, $1)
-
- #TODO gnome stuff
- # Store passwords in .gnome2_private
- # Type for storing secret data
- # (different from home, not directly accessible from ROLE_t)
- type $1_evolutioin_secret_t;
- userdom_user_home_content($1,$1_evolutioin_secret_t)
-
- # Put secret files in .gnome2_private
- allow $1_evolution_t $1_gnome_secret_t:dir rw_dir_perms;
- allow $1_evolution_t $1_evolutioin_secret_t:file manage_file_perms;
- type_transition $1_evolution_t $1_gnome_secret_t:file $1_evolutioin_secret_t;
-
- allow $2 $1_evolution_secret_t:file unlink;
+ allow $2 evolution_home_t:dir manage_dir_perms;
+ allow $2 evolution_home_t:file manage_file_perms;
+ allow $2 evolution_home_t:lnk_file manage_lnk_file_perms;
+ allow $2 evolution_home_t:{ dir file lnk_file } { relabelfrom relabelto };
- ifdef(`TODO',`
- gnome_file_dialog($1_evolution, $1)
- ')
- ')
-
- ########################################
- #
- # Evolution alarm local policy
- #
-
- allow $1_evolution_alarm_t self:process { signal getsched };
- allow $1_evolution_alarm_t self:fifo_file rw_fifo_file_perms;
-
- allow $1_evolution_alarm_t $1_evolution_t:unix_stream_socket connectto;
- allow $1_evolution_alarm_t $1_evolution_orbit_tmp_t:sock_file write;
-
- allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:dir rw_dir_perms;
- allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:file manage_file_perms;
- allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:lnk_file manage_lnk_file_perms;
- allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:sock_file manage_sock_file_perms;
- allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:fifo_file manage_fifo_file_perms;
- fs_tmpfs_filetrans($1_evolution_alarm_t,$1_evolution_alarm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
- allow $1_evolution_alarm_t $1_evolution_exchange_t:unix_stream_socket connectto;
- allow $1_evolution_alarm_t $1_evolution_exchange_orbit_tmp_t:sock_file write;
-
- # Access evolution home
- allow $1_evolution_alarm_t $1_evolution_home_t:dir manage_dir_perms;
- allow $1_evolution_alarm_t $1_evolution_home_t:file manage_file_perms;
- allow $1_evolution_alarm_t $1_evolution_home_t:lnk_file manage_lnk_file_perms;
-
- allow $1_evolution_alarm_t $1_evolution_server_t:unix_stream_socket connectto;
- allow $1_evolution_alarm_t $1_evolution_server_orbit_tmp_t:sock_file write;
-
- domain_auto_trans($2, evolution_alarm_exec_t, $1_evolution_alarm_t)
- allow $1_evolution_alarm_t $2:fd use;
-
- dev_read_urand($1_evolution_alarm_t)
-
- files_read_etc_files($1_evolution_alarm_t)
- files_read_usr_files($1_evolution_alarm_t)
-
- fs_search_auto_mountpoints($1_evolution_alarm_t)
-
- miscfiles_read_localization($1_evolution_alarm_t)
-
- # Access evolution home
- userdom_search_user_home_dirs($1,$1_evolution_alarm_t)
- # FIXME: suppress access to .local/.icons/.themes until properly implemented
- # FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
- # until properly implemented
- userdom_dontaudit_read_user_home_content_files($1, $1_evolution_alarm_t)
-
- xserver_user_x_domain_template($1, $1_evolution_alarm, $1_evolution_alarm_t, $1_evolution_alarm_tmpfs_t)
-
- # Access evolution home
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_files($1_evolution_alarm_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_files($1_evolution_alarm_t)
- ')
-
- optional_policy(`
- dbus_user_bus_client_template($1, $1_evolution_alarm, $1_evolution_alarm_t)
- ')
-
- optional_policy(`
- gnome_stream_connect_gconf_template($1, $1_evolution_alarm_t)
- ')
-
- optional_policy(`
- nscd_socket_use($1_evolution_alarm_t)
- ')
-
- ifdef(`TODO',`
- # Gnome common stuff
- gnome_application($1_evolution_alarm,$1)
- ')
-
- ########################################
- #
- # Evolution exchange connector local policy
- #
-
- allow $1_evolution_exchange_t self:process getsched;
- allow $1_evolution_exchange_t self:fifo_file rw_fifo_file_perms;
-
- allow $1_evolution_exchange_t self:tcp_socket create_socket_perms;
- allow $1_evolution_exchange_t self:udp_socket create_socket_perms;
-
- allow $1_evolution_exchange_t $1_evolution_t:unix_stream_socket connectto;
- allow $1_evolution_exchange_t $1_evolution_orbit_tmp_t:sock_file write;
-
- allow $1_evolution_exchange_t $1_evolution_alarm_t:unix_stream_socket connectto;
- allow $1_evolution_exchange_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
-
- # Access evolution home
- allow $1_evolution_exchange_t $1_evolution_home_t:dir manage_dir_perms;
- allow $1_evolution_exchange_t $1_evolution_home_t:file manage_file_perms;
- allow $1_evolution_exchange_t $1_evolution_home_t:lnk_file manage_lnk_file_perms;
-
- allow $1_evolution_exchange_t $1_evolution_server_t:unix_stream_socket connectto;
- allow $1_evolution_exchange_t $1_evolution_server_orbit_tmp_t:sock_file write;
-
- # /tmp/.exchange-$USER
- allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:dir manage_dir_perms;
- allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:file manage_file_perms;
- files_tmp_filetrans($1_evolution_exchange_t, $1_evolution_exchange_tmp_t, { file dir })
-
- allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:dir rw_dir_perms;
- allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:file manage_file_perms;
- allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:lnk_file manage_lnk_file_perms;
- allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:sock_file manage_sock_file_perms;
- allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:fifo_file manage_fifo_file_perms;
- fs_tmpfs_filetrans($1_evolution_exchange_t, $1_evolution_exchange_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-
- allow $1_evolution_exchange_t $2:unix_stream_socket connectto;
- #FIXME, who should own this. I dont think this module should
- allow $1_evolution_exchange_t $1_orbit_tmp_t:sock_file write;
+ allow evolution_exchange_t $2:unix_stream_socket connectto;
# Clock applet talks to exchange (FIXME: Needs policy)
- allow $2 $1_evolution_exchange_t:unix_stream_socket connectto;
- allow $2 $1_evolution_exchange_orbit_tmp_t:sock_file write;
-
- # Transition from user domain
- domain_auto_trans($2, evolution_exchange_exec_t, $1_evolution_exchange_t)
-
- kernel_read_network_state($1_evolution_exchange_t)
- kernel_read_net_sysctls($1_evolution_exchange_t)
-
- # Allow netstat
- corecmd_exec_bin($1_evolution_exchange_t)
-
- dev_read_urand($1_evolution_exchange_t)
-
- files_read_etc_files($1_evolution_exchange_t)
- files_read_usr_files($1_evolution_exchange_t)
-
- # Access evolution home
- fs_search_auto_mountpoints($1_evolution_exchange_t)
-
- miscfiles_read_localization($1_evolution_exchange_t)
-
- # Access evolution home
- userdom_search_user_home_dirs($1, $1_evolution_exchange_t)
- # FIXME: suppress access to .local/.icons/.themes until properly implemented
- # FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
- # until properly implemented
- userdom_dontaudit_read_user_home_content_files($1, $1_evolution_exchange_t)
-
- xserver_user_x_domain_template($1, $1_evolution_exchange, $1_evolution_exchange_t, $1_evolution_exchange_tmpfs_t)
-
- # Access evolution home
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_files($1_evolution_exchange_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_files($1_evolution_exchange_t)
- ')
-
- optional_policy(`
- gnome_stream_connect_gconf_template($1, $1_evolution_exchange_t)
- ')
-
- optional_policy(`
- nscd_socket_use($1_evolution_exchange_t)
- ')
-
- ifdef(`TODO',`
- # Gnome common stuff
- gnome_application($1_evolution_exchange, $1)
- ')
-
- ########################################
- #
- # Evolution data server local policy
- #
-
- allow $1_evolution_server_t self:process { getsched signal };
-
- allow $1_evolution_server_t self:fifo_file { read write };
- allow $1_evolution_server_t self:unix_stream_socket { accept connectto };
- # Talk to ldap (address book),
- # Obtain weather data via http (read server name from xml file in /usr)
- allow $1_evolution_server_t self:tcp_socket create_socket_perms;
-
- allow $1_evolution_server_t $1_evolution_t:unix_stream_socket connectto;
- allow $1_evolution_server_t $1_evolution_orbit_tmp_t:sock_file write;
-
- allow $1_evolution_server_t $1_evolution_exchange_t:unix_stream_socket connectto;
- allow $1_evolution_server_t $1_evolution_exchange_orbit_tmp_t:sock_file write;
-
- # Access evolution home
- allow $1_evolution_server_t $1_evolution_home_t:dir manage_dir_perms;
- allow $1_evolution_server_t $1_evolution_home_t:file manage_file_perms;
- allow $1_evolution_server_t $1_evolution_home_t:lnk_file manage_lnk_file_perms;
-
- allow $1_evolution_server_t $1_evolution_alarm_t:unix_stream_socket connectto;
- allow $1_evolution_server_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
-
- # Transition from user type
- domain_auto_trans($2, evolution_server_exec_t, $1_evolution_server_t)
-
- kernel_read_system_state($1_evolution_server_t)
-
- corecmd_exec_shell($1_evolution_server_t)
-
- # Obtain weather data via http (read server name from xml file in /usr)
- corenet_all_recvfrom_unlabeled($1_evolution_server_t)
- corenet_all_recvfrom_netlabel($1_evolution_server_t)
- corenet_tcp_sendrecv_generic_if($1_evolution_server_t)
- corenet_tcp_sendrecv_all_nodes($1_evolution_server_t)
- corenet_tcp_sendrecv_http_port($1_evolution_server_t)
- corenet_tcp_sendrecv_http_cache_port($1_evolution_server_t)
- corenet_tcp_connect_http_cache_port($1_evolution_server_t)
- corenet_tcp_connect_http_port($1_evolution_server_t)
- corenet_sendrecv_http_client_packets($1_evolution_server_t)
- corenet_sendrecv_http_cache_client_packets($1_evolution_server_t)
-
- dev_read_urand($1_evolution_server_t)
-
- files_read_etc_files($1_evolution_server_t)
- # Obtain weather data via http (read server name from xml file in /usr)
- files_read_usr_files($1_evolution_server_t)
-
- fs_search_auto_mountpoints($1_evolution_server_t)
-
- miscfiles_read_localization($1_evolution_server_t)
- # Look in /etc/pki
- miscfiles_read_certs($1_evolution_server_t)
-
- # Talk to ldap (address book)
- sysnet_read_config($1_evolution_server_t)
- sysnet_dns_name_resolve($1_evolution_server_t)
- sysnet_use_ldap($1_evolution_server_t)
-
- # Access evolution home
- userdom_search_user_home_dirs($1, $1_evolution_server_t)
- # FIXME: suppress access to .local/.icons/.themes until properly implemented
- # FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
- # until properly implemented
- userdom_dontaudit_read_user_home_content_files($1, $1_evolution_server_t)
-
- # Access evolution home
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_files($1_evolution_server_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_files($1_evolution_server_t)
- ')
-
- optional_policy(`
- gnome_stream_connect_gconf_template($1, $1_evolution_server_t)
- ')
-
- optional_policy(`
- nscd_socket_use($1_evolution_server_t)
- ')
-
- ifdef(`TODO',`
- # Gnome common stuff
- gnome_application($1_evolution_server, $1)
- ')
-
- ########################################
- #
- # Evolution webcal local policy
- #
-
- allow $1_evolution_webcal_t self:tcp_socket create_socket_perms;
-
- # X/evolution common stuff
- allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:dir rw_dir_perms;
- allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:file manage_file_perms;
- allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:lnk_file manage_lnk_file_perms;
- allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:sock_file manage_sock_file_perms;
- allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:fifo_file manage_fifo_file_perms;
- fs_tmpfs_filetrans($1_evolution_webcal_t, $1_evolution_webcal_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-
- # Transition from user type
- domain_auto_trans($2, evolution_webcal_exec_t, $1_evolution_webcal_t)
-
- corenet_all_recvfrom_unlabeled($1_evolution_webcal_t)
- corenet_all_recvfrom_netlabel($1_evolution_webcal_t)
- corenet_tcp_sendrecv_generic_if($1_evolution_webcal_t)
- corenet_raw_sendrecv_generic_if($1_evolution_webcal_t)
- corenet_tcp_sendrecv_all_nodes($1_evolution_webcal_t)
- corenet_raw_sendrecv_all_nodes($1_evolution_webcal_t)
- corenet_tcp_sendrecv_http_port($1_evolution_webcal_t)
- corenet_tcp_sendrecv_http_cache_port($1_evolution_webcal_t)
- corenet_tcp_connect_http_cache_port($1_evolution_webcal_t)
- corenet_tcp_connect_http_port($1_evolution_webcal_t)
- corenet_sendrecv_http_client_packets($1_evolution_webcal_t)
- corenet_sendrecv_http_cache_client_packets($1_evolution_webcal_t)
-
- # Networking capability - connect to website and handle ics link
- sysnet_read_config($1_evolution_webcal_t)
- sysnet_dns_name_resolve($1_evolution_webcal_t)
-
- # Search home directory (?)
- userdom_search_user_home_dirs($1, $1_evolution_webcal_t)
- # FIXME: suppress access to .local/.icons/.themes until properly implemented
- # FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
- # until properly implemented
- userdom_dontaudit_read_user_home_content_files($1, $1_evolution_webcal_t)
-
- xserver_user_x_domain_template($1, $1_evolution_webcal, $1_evolution_webcal_t, $1_evolution_webcal_tmpfs_t)
-
- optional_policy(`
- nscd_socket_use($1_evolution_webcal_t)
- ')
-
- ifdef(`TODO',`
- # Gnome common stuff
- gnome_application($1_evolution_webcal, $1)
- ')
+ allow $2 evolution_exchange_t:unix_stream_socket connectto;
+ allow $2 evolution_exchange_orbit_tmp_t:sock_file write;
')
########################################
##
## Create objects in users evolution home folders.
##
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## Domain allowed access.
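Review bot: `allow $2 evolution_t:process noatsecure;` is carried into the new `evolution_role` interface without a comment; it suppresses AT_SECURE on the transition into evolution_t, so the loader honours the invoking user's environment (LD_PRELOAD, library search paths and the like) in the new domain, and the domain transition offers no protection against a user-controlled environment. That is presumably intended because $2 is the same user's own domain, but it deserves a why-comment, e.g. `# noatsecure: keep the user's environment across the transition; evolution_t is not a privilege boundary`. The `connectto` grants between $2 and evolution_t/evolution_exchange_t would likewise benefit from a comment naming the socket involved, in place of the `FIXME` left on the clock-applet rule.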
@@ -802,52 +78,36 @@ template(`evolution_per_role_template',`
##
##
##
-## The object class of the object being created. If
-## no class is specified, dir will be used.
+## The object class of the object being created.
##
##
#
-template(`evolution_home_filetrans',`
+interface(`evolution_home_filetrans',`
gen_require(`
- type $1_evolution_home_t;
+ type evolution_home_t;
')
- allow $2 $1_evolution_home_t:dir rw_dir_perms;
- type_transition $2 $1_evolution_home_t:$4 $3;
+ allow $1 evolution_home_t:dir rw_dir_perms;
+ type_transition $1 evolution_home_t:$3 $2;
')
########################################
##
-## Connect to user evolution unix stream socket.
+## Connect to evolution unix stream socket.
##
-##
-##
-## Connect to user evolution unix stream socket.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## Domain allowed access.
##
##
#
-template(`evolution_stream_connect',`
+interface(`evolution_stream_connect',`
gen_require(`
- type $1_evolution_t, $1_evolution_home_t;
+ type evolution_t, evolution_home_t;
')
- allow $2 $1_evolution_t:unix_stream_socket connectto;
- allow $2 $1_evolution_home_t:dir search;
+ allow $1 evolution_t:unix_stream_socket connectto;
+ allow $1 evolution_home_t:dir search;
')
########################################
@@ -855,12 +115,6 @@ template(`evolution_stream_connect',`
## Send and receive messages from
## evolution over dbus.
##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## Domain allowed access.
@@ -869,12 +123,12 @@ template(`evolution_stream_connect',`
#
interface(`evolution_dbus_chat',`
gen_require(`
- type $1_evolution_t;
+ type evolution_t;
class dbus send_msg;
')
- allow $2 $1_evolution_t:dbus send_msg;
- allow $1_evolution_t $2:dbus send_msg;
+ allow $1 evolution_t:dbus send_msg;
+ allow evolution_t $1:dbus send_msg;
')
########################################
@@ -882,12 +136,6 @@ interface(`evolution_dbus_chat',`
## Send and receive messages from
## evolution_alarm over dbus.
##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## Domain allowed access.
@@ -896,10 +144,10 @@ interface(`evolution_dbus_chat',`
#
interface(`evolution_alarm_dbus_chat',`
gen_require(`
- type $1_evolution_alarm_t;
+ type evolution_alarm_t;
class dbus send_msg;
')
- allow $2 $1_evolution_alarm_t:dbus send_msg;
- allow $1_evolution_alarm_t $2:dbus send_msg;
+ allow $1 evolution_alarm_t:dbus send_msg;
+ allow evolution_alarm_t $1:dbus send_msg;
')
diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
index c08a51b..c126b9a 100644
--- a/policy/modules/apps/evolution.te
+++ b/policy/modules/apps/evolution.te
@@ -1,22 +1,629 @@
-policy_module(evolution, 1.6.0)
+policy_module(evolution, 2.0.0)
########################################
#
# Declarations
#
+type evolution_t;
type evolution_exec_t;
-application_executable_file(evolution_exec_t)
+typealias evolution_t alias { user_evolution_t staff_evolution_t sysadm_evolution_t };
+typealias evolution_t alias { auditadm_evolution_t secadm_evolution_t };
+application_domain(evolution_t, evolution_exec_t)
+ubac_constrained(evolution_t)
+type evolution_alarm_t;
type evolution_alarm_exec_t;
-application_executable_file(evolution_alarm_exec_t)
+typealias evolution_alarm_t alias { user_evolution_alarm_t staff_evolution_alarm_t sysadm_evolution_alarm_t };
+typealias evolution_alarm_t alias { auditadm_evolution_alarm_t secadm_evolution_alarm_t };
+application_domain(evolution_alarm_t, evolution_alarm_exec_t)
+ubac_constrained(evolution_alarm_t)
+type evolution_alarm_tmpfs_t;
+typealias evolution_alarm_tmpfs_t alias { user_evolution_alarm_tmpfs_t staff_evolution_alarm_tmpfs_t sysadm_evolution_alarm_tmpfs_t };
+typealias evolution_alarm_tmpfs_t alias { auditadm_evolution_alarm_tmpfs_t secadm_evolution_alarm_tmpfs_t };
+files_tmpfs_file(evolution_alarm_tmpfs_t)
+ubac_constrained(evolution_alarm_tmpfs_t)
+
+type evolution_alarm_orbit_tmp_t;
+typealias evolution_alarm_orbit_tmp_t alias { user_evolution_alarm_orbit_tmp_t staff_evolution_alarm_orbit_tmp_t sysadm_evolution_alarm_orbit_tmp_t };
+typealias evolution_alarm_orbit_tmp_t alias { auditadm_evolution_alarm_orbit_tmp_t secadm_evolution_alarm_orbit_tmp_t };
+files_tmp_file(evolution_alarm_orbit_tmp_t)
+ubac_constrained(evolution_alarm_orbit_tmp_t)
+
+type evolution_exchange_t;
type evolution_exchange_exec_t;
-application_executable_file(evolution_exchange_exec_t)
+typealias evolution_exchange_t alias { user_evolution_exchange_t staff_evolution_exchange_t sysadm_evolution_exchange_t };
+typealias evolution_exchange_t alias { auditadm_evolution_exchange_t secadm_evolution_exchange_t };
+application_domain(evolution_exchange_t, evolution_exchange_exec_t)
+ubac_constrained(evolution_exchange_t)
+
+type evolution_exchange_tmpfs_t;
+typealias evolution_exchange_tmpfs_t alias { user_evolution_exchange_tmpfs_t staff_evolution_exchange_tmpfs_t sysadm_evolution_exchange_tmpfs_t };
+typealias evolution_exchange_tmpfs_t alias { auditadm_evolution_exchange_tmpfs_t secadm_evolution_exchange_tmpfs_t };
+files_tmpfs_file(evolution_exchange_tmpfs_t)
+ubac_constrained(evolution_exchange_tmpfs_t)
+
+type evolution_exchange_tmp_t;
+typealias evolution_exchange_tmp_t alias { user_evolution_exchange_tmp_t staff_evolution_exchange_tmp_t sysadm_evolution_exchange_tmp_t };
+typealias evolution_exchange_tmp_t alias { auditadm_evolution_exchange_tmp_t secadm_evolution_exchange_tmp_t };
+files_tmp_file(evolution_exchange_tmp_t)
+ubac_constrained(evolution_exchange_tmp_t)
+
+type evolution_exchange_orbit_tmp_t;
+typealias evolution_exchange_orbit_tmp_t alias { user_evolution_exchange_orbit_tmp_t staff_evolution_exchange_orbit_tmp_t sysadm_evolution_exchange_orbit_tmp_t };
+typealias evolution_exchange_orbit_tmp_t alias { auditadm_evolution_exchange_orbit_tmp_t secadm_evolution_exchange_orbit_tmp_t };
+files_tmp_file(evolution_exchange_orbit_tmp_t)
+ubac_constrained(evolution_exchange_orbit_tmp_t)
+type evolution_home_t;
+typealias evolution_home_t alias { user_evolution_home_t staff_evolution_home_t sysadm_evolution_home_t };
+typealias evolution_home_t alias { auditadm_evolution_home_t secadm_evolution_home_t };
+files_poly_member(evolution_home_t)
+userdom_user_home_content(evolution_home_t)
+
+type evolution_orbit_tmp_t;
+typealias evolution_home_t alias { user_evolution_orbit_tmp_t staff_evolution_orbit_tmp_t sysadm_evolution_orbit_tmp_t };
+typealias evolution_home_t alias { auditadm_evolution_orbit_tmp_t secadm_evolution_orbit_tmp_t };
+files_tmp_file(evolution_orbit_tmp_t)
+ubac_constrained(evolution_orbit_tmp_t)
+
+type evolution_server_t;
type evolution_server_exec_t;
-application_executable_file(evolution_server_exec_t)
+typealias evolution_server_t alias { user_evolution_server_t staff_evolution_server_t sysadm_evolution_server_t };
+typealias evolution_server_t alias { auditadm_evolution_server_t secadm_evolution_server_t };
+application_domain(evolution_server_t, evolution_server_exec_t)
+ubac_constrained(evolution_server_t)
+
+type evolution_server_orbit_tmp_t;
+typealias evolution_server_orbit_tmp_t alias { user_evolution_server_orbit_tmp_t staff_evolution_server_orbit_tmp_t sysadm_evolution_server_orbit_tmp_t };
+typealias evolution_server_orbit_tmp_t alias { auditadm_evolution_server_orbit_tmp_t secadm_evolution_server_orbit_tmp_t };
+files_tmp_file(evolution_server_orbit_tmp_t)
+ubac_constrained(evolution_server_orbit_tmp_t)
+
+type evolution_tmpfs_t;
+typealias evolution_tmpfs_t alias { user_evolution_tmpfs_t staff_evolution_tmpfs_t sysadm_evolution_tmpfs_t };
+typealias evolution_tmpfs_t alias { auditadm_evolution_tmpfs_t secadm_evolution_tmpfs_t };
+files_tmpfs_file(evolution_tmpfs_t)
+ubac_constrained(evolution_tmpfs_t)
+type evolution_webcal_t;
type evolution_webcal_exec_t;
-application_executable_file(evolution_webcal_exec_t)
+typealias evolution_webcal_t alias { user_evolution_webcal_t staff_evolution_webcal_t sysadm_evolution_webcal_t };
+typealias evolution_webcal_t alias { auditadm_evolution_webcal_t secadm_evolution_webcal_t };
+application_domain(evolution_webcal_t, evolution_webcal_exec_t)
+ubac_constrained(evolution_webcal_t)
+
+type evolution_webcal_tmpfs_t;
+typealias evolution_webcal_tmpfs_t alias { user_evolution_webcal_tmpfs_t staff_evolution_webcal_tmpfs_t sysadm_evolution_webcal_tmpfs_t };
+typealias evolution_webcal_tmpfs_t alias { auditadm_evolution_webcal_tmpfs_t secadm_evolution_webcal_tmpfs_t };
+files_tmpfs_file(evolution_webcal_tmpfs_t)
+ubac_constrained(evolution_webcal_tmpfs_t)
+
+########################################
+#
+# Evolution local policy
+#
+
+allow evolution_t self:capability { setuid setgid sys_nice };
+allow evolution_t self:process { signal getsched setsched };
+allow evolution_t self:fifo_file rw_file_perms;
+allow evolution_t self:tcp_socket create_socket_perms;
+allow evolution_t self:udp_socket create_socket_perms;
+
+allow evolution_t evolution_alarm_t:dir search_dir_perms;
+allow evolution_t evolution_alarm_t:file read;
+
+allow evolution_t evolution_alarm_t:unix_stream_socket connectto;
+allow evolution_t evolution_alarm_orbit_tmp_t:sock_file write;
+
+can_exec(evolution_t, evolution_alarm_exec_t)
+
+allow evolution_t evolution_exchange_t:unix_stream_socket connectto;
+allow evolution_t evolution_exchange_orbit_tmp_t:sock_file write;
+
+allow evolution_t evolution_home_t:dir manage_dir_perms;
+allow evolution_t evolution_home_t:file manage_file_perms;
+allow evolution_t evolution_home_t:lnk_file manage_lnk_file_perms;
+userdom_search_user_home_dirs(evolution_t)
+
+allow evolution_t evolution_orbit_tmp_t:dir manage_dir_perms;
+allow evolution_t evolution_orbit_tmp_t:file manage_file_perms;
+files_tmp_filetrans(evolution_t, evolution_orbit_tmp_t, { dir file })
+
+allow evolution_server_t evolution_orbit_tmp_t:dir manage_dir_perms;
+allow evolution_server_t evolution_orbit_tmp_t:file manage_file_perms;
+files_tmp_filetrans(evolution_server_t, evolution_orbit_tmp_t, { dir file })
+
+allow evolution_t evolution_server_t:dir search_dir_perms;
+allow evolution_t evolution_server_t:file read;
+
+allow evolution_t evolution_server_t:unix_stream_socket connectto;
+allow evolution_t evolution_server_orbit_tmp_t:sock_file write;
+
+can_exec(evolution_t, evolution_server_exec_t)
+
+allow evolution_t evolution_tmpfs_t:dir rw_dir_perms;
+allow evolution_t evolution_tmpfs_t:file manage_file_perms;
+allow evolution_t evolution_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow evolution_t evolution_tmpfs_t:sock_file manage_sock_file_perms;
+allow evolution_t evolution_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(evolution_t, evolution_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+#FIXME check to see if really needed
+kernel_read_kernel_sysctls(evolution_t)
+kernel_read_system_state(evolution_t)
+# Allow netstat
+kernel_read_network_state(evolution_t)
+kernel_read_net_sysctls(evolution_t)
+
+corecmd_exec_shell(evolution_t)
+# Run various programs
+corecmd_exec_bin(evolution_t)
+
+corenet_all_recvfrom_unlabeled(evolution_t)
+corenet_all_recvfrom_netlabel(evolution_t)
+corenet_tcp_sendrecv_generic_if(evolution_t)
+corenet_udp_sendrecv_generic_if(evolution_t)
+corenet_raw_sendrecv_generic_if(evolution_t)
+corenet_tcp_sendrecv_all_nodes(evolution_t)
+corenet_udp_sendrecv_all_nodes(evolution_t)
+corenet_tcp_sendrecv_pop_port(evolution_t)
+corenet_udp_sendrecv_pop_port(evolution_t)
+corenet_tcp_sendrecv_smtp_port(evolution_t)
+corenet_udp_sendrecv_smtp_port(evolution_t)
+corenet_tcp_sendrecv_innd_port(evolution_t)
+corenet_udp_sendrecv_innd_port(evolution_t)
+corenet_tcp_sendrecv_ldap_port(evolution_t)
+corenet_udp_sendrecv_ldap_port(evolution_t)
+corenet_tcp_sendrecv_ipp_port(evolution_t)
+corenet_udp_sendrecv_ipp_port(evolution_t)
+corenet_tcp_connect_pop_port(evolution_t)
+corenet_tcp_connect_smtp_port(evolution_t)
+corenet_tcp_connect_innd_port(evolution_t)
+corenet_tcp_connect_ldap_port(evolution_t)
+corenet_tcp_connect_ipp_port(evolution_t)
+corenet_sendrecv_pop_client_packets(evolution_t)
+corenet_sendrecv_smtp_client_packets(evolution_t)
+corenet_sendrecv_innd_client_packets(evolution_t)
+corenet_sendrecv_ldap_client_packets(evolution_t)
+corenet_sendrecv_ipp_client_packets(evolution_t)
+# not sure about this bind
+corenet_udp_bind_all_nodes(evolution_t)
+corenet_udp_bind_generic_port(evolution_t)
+
+dev_read_urand(evolution_t)
+
+domain_dontaudit_read_all_domains_state(evolution_t)
+
+files_read_etc_files(evolution_t)
+files_read_usr_files(evolution_t)
+files_read_usr_symlinks(evolution_t)
+files_read_var_files(evolution_t)
+
+fs_search_auto_mountpoints(evolution_t)
+
+logging_send_syslog_msg(evolution_t)
+
+miscfiles_read_localization(evolution_t)
+
+sysnet_read_config(evolution_t)
+sysnet_dns_name_resolve(evolution_t)
+
+udev_read_state(evolution_t)
+
+userdom_rw_user_tmp_files(evolution_t)
+userdom_manage_user_tmp_dirs(evolution_t)
+userdom_manage_user_tmp_sockets(evolution_t)
+userdom_manage_user_tmp_files(evolution_t)
+userdom_use_user_terminals(evolution_t)
+# FIXME: suppress access to .local/.icons/.themes until properly implemented
+# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+# until properly implemented
+userdom_dontaudit_read_user_home_content_files(evolution_t)
+
+mta_read_config(evolution_t)
+
+xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t)
+xserver_read_xdm_tmp_files(evolution_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(evolution_t)
+ fs_manage_nfs_files(evolution_t)
+ fs_manage_nfs_symlinks(evolution_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(evolution_t)
+ fs_manage_cifs_files(evolution_t)
+ fs_manage_cifs_symlinks(evolution_t)
+')
+
+tunable_policy(`mail_read_content && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(evolution_t)
+ files_list_home(evolution_t)
+ fs_read_nfs_files(evolution_t)
+ fs_read_nfs_symlinks(evolution_t)
+
+',`
+ files_dontaudit_list_home(evolution_t)
+ fs_dontaudit_list_auto_mountpoints(evolution_t)
+ fs_dontaudit_read_nfs_files(evolution_t)
+ fs_dontaudit_list_nfs(evolution_t)
+')
+
+tunable_policy(`mail_read_content && use_samba_home_dirs',`
+ fs_list_auto_mountpoints(evolution_t)
+ files_list_home(evolution_t)
+ fs_read_cifs_files(evolution_t)
+ fs_read_cifs_symlinks(evolution_t)
+',`
+ files_dontaudit_list_home(evolution_t)
+ fs_dontaudit_list_auto_mountpoints(evolution_t)
+ fs_dontaudit_read_cifs_files(evolution_t)
+ fs_dontaudit_list_cifs(evolution_t)
+')
+
+tunable_policy(`mail_read_content',`
+ userdom_list_user_tmp(evolution_t)
+ userdom_read_user_tmp_files(evolution_t)
+ userdom_read_user_tmp_symlinks(evolution_t)
+ userdom_read_user_home_content_files(evolution_t)
+ userdom_read_user_home_content_symlinks(evolution_t)
+
+ ifndef(`enable_mls',`
+ fs_search_removable(evolution_t)
+ fs_read_removable_files(evolution_t)
+ fs_read_removable_symlinks(evolution_t)
+ ')
+',`
+ files_dontaudit_list_tmp(evolution_t)
+ files_dontaudit_list_home(evolution_t)
+ fs_dontaudit_list_removable(evolution_t)
+ fs_dontaudit_read_removable_files(evolution_t)
+ userdom_dontaudit_list_user_tmp(evolution_t)
+ userdom_dontaudit_read_user_tmp_files(evolution_t)
+ userdom_dontaudit_list_user_home_dirs(evolution_t)
+ userdom_dontaudit_read_user_home_content_files(evolution_t)
+')
+
+tunable_policy(`mail_read_content && read_default_t',`
+ files_list_default(evolution_t)
+ files_read_default_files(evolution_t)
+ files_read_default_symlinks(evolution_t)
+',`
+ files_dontaudit_read_default_files(evolution_t)
+ files_dontaudit_list_default(evolution_t)
+')
+
+optional_policy(`
+ automount_read_state(evolution_t)
+')
+
+# Allow printing the mail
+optional_policy(`
+ cups_read_rw_config(evolution_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(evolution_t)
+ dbus_session_bus_client(evolution_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(evolution_t)
+')
+
+# Encrypt mail
+optional_policy(`
+ gpg_domtrans(evolution_t)
+ gpg_signal(evolution_t)
+')
+
+optional_policy(`
+ lpd_domtrans_lpr(evolution_t)
+')
+
+optional_policy(`
+ mozilla_read_user_home_files(evolution_t)
+ mozilla_domtrans(evolution_t)
+')
+
+# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
+optional_policy(`
+ nis_use_ypbind(evolution_t)
+')
+
+optional_policy(`
+ nscd_socket_use(evolution_t)
+')
+
+### Junk mail filtering (start spamd)
+optional_policy(`
+ spamassassin_exec_spamd(evolution_t)
+ spamassassin_domtrans_client(evolution_t)
+ spamassassin_domtrans_local_client(evolution_t)
+ # Allow evolution to signal the daemon
+ # FIXME: Now evolution can read spamd temp files
+ spamassassin_read_spamd_tmp_files(evolution_t)
+ spamassassin_signal_spamd(evolution_t)
+ spamassassin_dontaudit_getattr_spamd_tmp_sockets(evolution_t)
+')
+
+########################################
+#
+# Evolution alarm local policy
+#
+
+allow evolution_alarm_t self:process { signal getsched };
+allow evolution_alarm_t self:fifo_file rw_fifo_file_perms;
+
+allow evolution_alarm_t evolution_t:unix_stream_socket connectto;
+allow evolution_alarm_t evolution_orbit_tmp_t:sock_file write;
+
+allow evolution_alarm_t evolution_alarm_tmpfs_t:dir rw_dir_perms;
+allow evolution_alarm_t evolution_alarm_tmpfs_t:file manage_file_perms;
+allow evolution_alarm_t evolution_alarm_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow evolution_alarm_t evolution_alarm_tmpfs_t:sock_file manage_sock_file_perms;
+allow evolution_alarm_t evolution_alarm_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(evolution_alarm_t, evolution_alarm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+allow evolution_alarm_t evolution_exchange_t:unix_stream_socket connectto;
+allow evolution_alarm_t evolution_exchange_orbit_tmp_t:sock_file write;
+
+# Access evolution home
+allow evolution_alarm_t evolution_home_t:dir manage_dir_perms;
+allow evolution_alarm_t evolution_home_t:file manage_file_perms;
+allow evolution_alarm_t evolution_home_t:lnk_file manage_lnk_file_perms;
+
+allow evolution_alarm_t evolution_server_t:unix_stream_socket connectto;
+allow evolution_alarm_t evolution_server_orbit_tmp_t:sock_file write;
+
+dev_read_urand(evolution_alarm_t)
+
+files_read_etc_files(evolution_alarm_t)
+files_read_usr_files(evolution_alarm_t)
+
+fs_search_auto_mountpoints(evolution_alarm_t)
+
+miscfiles_read_localization(evolution_alarm_t)
+
+# Access evolution home
+userdom_search_user_home_dirs(evolution_alarm_t)
+# FIXME: suppress access to .local/.icons/.themes until properly implemented
+# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+# until properly implemented
+userdom_dontaudit_read_user_home_content_files(evolution_alarm_t)
+
+xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t)
+
+# Access evolution home
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files(evolution_alarm_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(evolution_alarm_t)
+')
+
+optional_policy(`
+ dbus_session_bus_client(evolution_alarm_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(evolution_alarm_t)
+')
+
+optional_policy(`
+ nscd_socket_use(evolution_alarm_t)
+')
+
+########################################
+#
+# Evolution exchange connector local policy
+#
+
+allow evolution_exchange_t self:process getsched;
+allow evolution_exchange_t self:fifo_file rw_fifo_file_perms;
+
+allow evolution_exchange_t self:tcp_socket create_socket_perms;
+allow evolution_exchange_t self:udp_socket create_socket_perms;
+
+allow evolution_exchange_t evolution_t:unix_stream_socket connectto;
+allow evolution_exchange_t evolution_orbit_tmp_t:sock_file write;
+
+allow evolution_exchange_t evolution_alarm_t:unix_stream_socket connectto;
+allow evolution_exchange_t evolution_alarm_orbit_tmp_t:sock_file write;
+
+# Access evolution home
+allow evolution_exchange_t evolution_home_t:dir manage_dir_perms;
+allow evolution_exchange_t evolution_home_t:file manage_file_perms;
+allow evolution_exchange_t evolution_home_t:lnk_file manage_lnk_file_perms;
+
+allow evolution_exchange_t evolution_server_t:unix_stream_socket connectto;
+allow evolution_exchange_t evolution_server_orbit_tmp_t:sock_file write;
+
+# /tmp/.exchange-$USER
+allow evolution_exchange_t evolution_exchange_tmp_t:dir manage_dir_perms;
+allow evolution_exchange_t evolution_exchange_tmp_t:file manage_file_perms;
+files_tmp_filetrans(evolution_exchange_t, evolution_exchange_tmp_t, { file dir })
+
+allow evolution_exchange_t evolution_exchange_tmpfs_t:dir rw_dir_perms;
+allow evolution_exchange_t evolution_exchange_tmpfs_t:file manage_file_perms;
+allow evolution_exchange_t evolution_exchange_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow evolution_exchange_t evolution_exchange_tmpfs_t:sock_file manage_sock_file_perms;
+allow evolution_exchange_t evolution_exchange_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(evolution_exchange_t, evolution_exchange_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_network_state(evolution_exchange_t)
+kernel_read_net_sysctls(evolution_exchange_t)
+
+# Allow netstat
+corecmd_exec_bin(evolution_exchange_t)
+
+dev_read_urand(evolution_exchange_t)
+
+files_read_etc_files(evolution_exchange_t)
+files_read_usr_files(evolution_exchange_t)
+
+# Access evolution home
+fs_search_auto_mountpoints(evolution_exchange_t)
+
+miscfiles_read_localization(evolution_exchange_t)
+
+userdom_write_user_tmp_sockets(evolution_exchange_t)
+# Access evolution home
+userdom_search_user_home_dirs(evolution_exchange_t)
+# FIXME: suppress access to .local/.icons/.themes until properly implemented
+# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+# until properly implemented
+userdom_dontaudit_read_user_home_content_files(evolution_exchange_t)
+
+xserver_user_x_domain_template(evolution_exchange,evolution_exchange_t, evolution_exchange_tmpfs_t)
+
+# Access evolution home
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files(evolution_exchange_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(evolution_exchange_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(evolution_exchange_t)
+')
+
+optional_policy(`
+ nscd_socket_use(evolution_exchange_t)
+')
+
+########################################
+#
+# Evolution data server local policy
+#
+
+allow evolution_server_t self:process { getsched signal };
+
+allow evolution_server_t self:fifo_file { read write };
+allow evolution_server_t self:unix_stream_socket { accept connectto };
+# Talk to ldap (address book),
+# Obtain weather data via http (read server name from xml file in /usr)
+allow evolution_server_t self:tcp_socket create_socket_perms;
+
+allow evolution_server_t evolution_t:unix_stream_socket connectto;
+allow evolution_server_t evolution_orbit_tmp_t:sock_file write;
+
+allow evolution_server_t evolution_exchange_t:unix_stream_socket connectto;
+allow evolution_server_t evolution_exchange_orbit_tmp_t:sock_file write;
+
+# Access evolution home
+allow evolution_server_t evolution_home_t:dir manage_dir_perms;
+allow evolution_server_t evolution_home_t:file manage_file_perms;
+allow evolution_server_t evolution_home_t:lnk_file manage_lnk_file_perms;
+
+allow evolution_server_t evolution_alarm_t:unix_stream_socket connectto;
+allow evolution_server_t evolution_alarm_orbit_tmp_t:sock_file write;
+
+kernel_read_system_state(evolution_server_t)
+
+corecmd_exec_shell(evolution_server_t)
+
+# Obtain weather data via http (read server name from xml file in /usr)
+corenet_all_recvfrom_unlabeled(evolution_server_t)
+corenet_all_recvfrom_netlabel(evolution_server_t)
+corenet_tcp_sendrecv_generic_if(evolution_server_t)
+corenet_tcp_sendrecv_all_nodes(evolution_server_t)
+corenet_tcp_sendrecv_http_port(evolution_server_t)
+corenet_tcp_sendrecv_http_cache_port(evolution_server_t)
+corenet_tcp_connect_http_cache_port(evolution_server_t)
+corenet_tcp_connect_http_port(evolution_server_t)
+corenet_sendrecv_http_client_packets(evolution_server_t)
+corenet_sendrecv_http_cache_client_packets(evolution_server_t)
+
+dev_read_urand(evolution_server_t)
+
+files_read_etc_files(evolution_server_t)
+# Obtain weather data via http (read server name from xml file in /usr)
+files_read_usr_files(evolution_server_t)
+
+fs_search_auto_mountpoints(evolution_server_t)
+
+miscfiles_read_localization(evolution_server_t)
+# Look in /etc/pki
+miscfiles_read_certs(evolution_server_t)
+
+# Talk to ldap (address book)
+sysnet_read_config(evolution_server_t)
+sysnet_dns_name_resolve(evolution_server_t)
+sysnet_use_ldap(evolution_server_t)
+
+# Access evolution home
+userdom_search_user_home_dirs(evolution_server_t)
+# FIXME: suppress access to .local/.icons/.themes until properly implemented
+# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+# until properly implemented
+userdom_dontaudit_read_user_home_content_files(evolution_server_t)
+
+# Access evolution home
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files(evolution_server_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(evolution_server_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(evolution_server_t)
+')
+
+optional_policy(`
+ nscd_socket_use(evolution_server_t)
+')
+
+########################################
+#
+# Evolution webcal local policy
+#
+
+allow evolution_webcal_t self:tcp_socket create_socket_perms;
+
+# X/evolution common stuff
+allow evolution_webcal_t evolution_webcal_tmpfs_t:dir rw_dir_perms;
+allow evolution_webcal_t evolution_webcal_tmpfs_t:file manage_file_perms;
+allow evolution_webcal_t evolution_webcal_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow evolution_webcal_t evolution_webcal_tmpfs_t:sock_file manage_sock_file_perms;
+allow evolution_webcal_t evolution_webcal_tmpfs_t:fifo_file manage_fifo_file_perms;
+fs_tmpfs_filetrans(evolution_webcal_t, evolution_webcal_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+corenet_all_recvfrom_unlabeled(evolution_webcal_t)
+corenet_all_recvfrom_netlabel(evolution_webcal_t)
+corenet_tcp_sendrecv_generic_if(evolution_webcal_t)
+corenet_raw_sendrecv_generic_if(evolution_webcal_t)
+corenet_tcp_sendrecv_all_nodes(evolution_webcal_t)
+corenet_raw_sendrecv_all_nodes(evolution_webcal_t)
+corenet_tcp_sendrecv_http_port(evolution_webcal_t)
+corenet_tcp_sendrecv_http_cache_port(evolution_webcal_t)
+corenet_tcp_connect_http_cache_port(evolution_webcal_t)
+corenet_tcp_connect_http_port(evolution_webcal_t)
+corenet_sendrecv_http_client_packets(evolution_webcal_t)
+corenet_sendrecv_http_cache_client_packets(evolution_webcal_t)
+
+# Networking capability - connect to website and handle ics link
+sysnet_read_config(evolution_webcal_t)
+sysnet_dns_name_resolve(evolution_webcal_t)
+
+# Search home directory (?)
+userdom_search_user_home_dirs(evolution_webcal_t)
+# FIXME: suppress access to .local/.icons/.themes until properly implemented
+# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
+# until properly implemented
+userdom_dontaudit_read_user_home_content_files(evolution_webcal_t)
+
+xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t)
+
+optional_policy(`
+ nscd_socket_use(evolution_webcal_t)
+')
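Review bot: The two typealias declarations following `type evolution_orbit_tmp_t;` name the wrong base type — they attach user_evolution_orbit_tmp_t, staff_evolution_orbit_tmp_t, sysadm_evolution_orbit_tmp_t, auditadm_evolution_orbit_tmp_t and secadm_evolution_orbit_tmp_t to `evolution_home_t` instead of `evolution_orbit_tmp_t`, unlike every other alias block in this hunk. Any policy or file context that still uses the old per-role orbit tmp names would then resolve to the home-directory type, so ORBit objects under /tmp could presumably be labeled evolution_home_t and fall under the broader manage rules granted on that type, while evolution_orbit_tmp_t itself is left without the aliases the other types get. The lines should read `typealias evolution_orbit_tmp_t alias { user_evolution_orbit_tmp_t staff_evolution_orbit_tmp_t sysadm_evolution_orbit_tmp_t };` and `typealias evolution_orbit_tmp_t alias { auditadm_evolution_orbit_tmp_t secadm_evolution_orbit_tmp_t };`. As a minor style point, `xserver_user_x_domain_template(evolution_exchange,evolution_exchange_t, evolution_exchange_tmpfs_t)` lacks the space after the first comma that the other three xserver_user_x_domain_template calls in the hunk have.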
diff --git a/policy/modules/apps/games.if b/policy/modules/apps/games.if
index 86b8ff7..c136e1f 100644
--- a/policy/modules/apps/games.if
+++ b/policy/modules/apps/games.if
@@ -1,164 +1,32 @@
## Games
-#######################################
+############################################################
##
-## The per role template for the games module.
+## Role access for games
##
-##
-##
-## This template creates a derived domains which are used
-## for games.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
+##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## Role allowed access
##
##
-##
+##
##
-## The type of the user domain.
-##
-##
-##
-##
-## The role associated with the user domain.
+## User domain for the role
##
##
#
-template(`games_per_role_template',`
-
+interface(`games_role',`
gen_require(`
- type games_exec_t, games_data_t;
- ')
-
- ########################################
- #
- # Declarations
- #
-
- type $1_games_t;
- application_domain($1_games_t, games_exec_t)
- role $3 types $1_games_t;
-
- type $1_games_devpts_t;
- term_pty($1_games_devpts_t)
-
- type $1_games_tmpfs_t;
- files_tmpfs_file($1_games_tmpfs_t)
-
- type $1_games_tmp_t;
- files_tmp_file($1_games_tmp_t)
-
- ########################################
- #
- # Local policy
- #
-
- allow $1_games_t self:sem create_sem_perms;
- allow $1_games_t self:tcp_socket create_stream_socket_perms;
- allow $1_games_t self:udp_socket create_socket_perms;
-
- manage_files_pattern($1_games_t, games_data_t, games_data_t)
- manage_lnk_files_pattern($1_games_t, games_data_t, games_data_t)
-
- allow $1_games_t $1_games_devpts_t:chr_file { rw_chr_file_perms setattr };
- term_create_pty($1_games_t,$1_games_devpts_t)
-
- manage_dirs_pattern($1_games_t, $1_games_tmp_t, $1_games_tmp_t)
- manage_files_pattern($1_games_t, $1_games_tmp_t, $1_games_tmp_t)
- files_tmp_filetrans($1_games_t, $1_games_tmp_t, { file dir })
-
- manage_files_pattern($1_games_t, $1_games_tmpfs_t, $1_games_tmpfs_t)
- manage_lnk_files_pattern($1_games_t, $1_games_tmpfs_t, $1_games_tmpfs_t)
- manage_fifo_files_pattern($1_games_t, $1_games_tmpfs_t, $1_games_tmpfs_t)
- manage_sock_files_pattern($1_games_t, $1_games_tmpfs_t, $1_games_tmpfs_t)
- fs_tmpfs_filetrans($1_games_t, $1_games_tmpfs_t, { file lnk_file sock_file fifo_file })
-
- can_exec($1_games_t, games_exec_t)
-
- domain_auto_trans($2, games_exec_t, $1_games_t)
- allow $2 $1_games_t:unix_stream_socket connectto;
- allow $1_games_t $2:unix_stream_socket connectto;
-
- kernel_read_system_state($1_games_t)
-
- corecmd_exec_bin($1_games_t)
-
- corenet_all_recvfrom_unlabeled($1_games_t)
- corenet_all_recvfrom_netlabel($1_games_t)
- corenet_tcp_sendrecv_generic_if($1_games_t)
- corenet_udp_sendrecv_generic_if($1_games_t)
- corenet_tcp_sendrecv_all_nodes($1_games_t)
- corenet_udp_sendrecv_all_nodes($1_games_t)
- corenet_tcp_sendrecv_all_ports($1_games_t)
- corenet_udp_sendrecv_all_ports($1_games_t)
- corenet_tcp_bind_all_nodes($1_games_t)
- corenet_tcp_bind_generic_port($1_games_t)
- corenet_tcp_connect_generic_port($1_games_t)
- corenet_sendrecv_generic_client_packets($1_games_t)
- corenet_sendrecv_generic_server_packets($1_games_t)
-
- dev_read_sound($1_games_t)
- dev_write_sound($1_games_t)
- dev_read_input($1_games_t)
- dev_read_mouse($1_games_t)
- dev_read_urand($1_games_t)
-
- files_list_var($1_games_t)
- files_search_var_lib($1_games_t)
- files_dontaudit_search_var($1_games_t)
- files_read_etc_files($1_games_t)
- files_read_usr_files($1_games_t)
- files_read_var_files($1_games_t)
-
- init_dontaudit_rw_utmp($1_games_t)
-
- logging_dontaudit_search_logs($1_games_t)
-
- miscfiles_read_man_pages($1_games_t)
- miscfiles_read_localization($1_games_t)
-
- sysnet_read_config($1_games_t)
-
- userdom_manage_user_tmp_dirs($1,$1_games_t)
- userdom_manage_user_tmp_files($1,$1_games_t)
- userdom_manage_user_tmp_symlinks($1,$1_games_t)
- userdom_manage_user_tmp_sockets($1,$1_games_t)
- # Suppress .icons denial until properly implemented
- userdom_dontaudit_read_user_home_content_files($1,$1_games_t)
-
- tunable_policy(`allow_execmem',`
- allow $1_games_t self:process execmem;
+ type games_t, games_exec_t;
')
- optional_policy(`
- nscd_socket_use($1_games_t)
- ')
+ role $1 types games_t;
- optional_policy(`
- xserver_user_x_domain_template($1, $1_games, $1_games_t, $1_games_tmpfs_t)
- xserver_create_xdm_tmp_sockets($1_games_t)
- xserver_read_xdm_lib_files($1_games_t)
- ')
+ domtrans_pattern($2, games_exec_t, games_t)
+ allow $2 games_t:unix_stream_socket connectto;
+ allow games_t $2:unix_stream_socket connectto;
- ifdef(`TODO',`
- gnome_application($1_games, $1)
- gnome_file_dialog($1_games, $1)
- # Access /home/user/.gnome2
- # FIXME: Change to use per app types
- allow $1_games_t $1_gnome_settings_t:dir manage_dir_perms;
- allow $1_games_t $1_gnome_settings_t:file manage_file_perms;
- allow $1_games_t $1_gnome_settings_t:lnk_file manage_lnk_file_perms;
- #missing policy
- optional_policy(`
- dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto;
- ')
- ')
+ # Allow the user domain to signal/ps.
+ ps_process_pattern($2, games_t)
+ allow $2 games_t:process signal_perms;
')
diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
index 92b1513..eedbc4b 100644
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@@ -1,67 +1,182 @@
-policy_module(games, 1.7.0)
+policy_module(games, 2.0.0)
########################################
#
# Declarations
#
+type games_t;
+type games_exec_t;
+typealias games_t alias { user_games_t staff_games_t sysadm_games_t };
+typealias games_t alias { auditadm_games_t secadm_games_t };
+application_domain(games_t, games_exec_t)
+ubac_constrained(games_t)
+
type games_data_t;
+typealias games_data_t alias { user_games_data_t staff_games_data_t sysadm_games_data_t };
+typealias games_data_t alias { auditadm_games_data_t secadm_games_data_t };
files_type(games_data_t)
+ubac_constrained(games_data_t)
+
+type games_devpts_t;
+typealias games_devpts_t alias { user_games_devpts_t staff_games_devpts_t sysadm_games_devpts_t };
+typealias games_devpts_t alias { auditadm_games_devpts_t secadm_games_devpts_t };
+term_pty(games_devpts_t)
+ubac_constrained(games_devpts_t)
-# games_t is for system operation of games, generic games daemons and
+# games_srv_t is for system operation of games, generic games daemons and
# games recovery scripts
-type games_t;
-type games_exec_t;
-init_system_domain(games_t, games_exec_t)
+type games_srv_t;
+init_system_domain(games_srv_t, games_exec_t)
+
+type games_srv_var_run_t;
+files_pid_file(games_srv_var_run_t)
+
+type games_tmp_t;
+typealias games_tmp_t alias { user_games_tmp_t staff_games_tmp_t sysadm_games_tmp_t };
+typealias games_tmp_t alias { auditadm_games_tmp_t secadm_games_tmp_t };
+files_tmp_file(games_tmp_t)
+ubac_constrained(games_tmp_t)
-type games_var_run_t;
-files_pid_file(games_var_run_t)
+type games_tmpfs_t;
+typealias games_tmpfs_t alias { user_games_tmpfs_t staff_games_tmpfs_t sysadm_games_tmpfs_t };
+typealias games_tmpfs_t alias { auditadm_games_tmpfs_t secadm_games_tmpfs_t };
+files_tmpfs_file(games_tmpfs_t)
+ubac_constrained(games_tmpfs_t)
########################################
#
-# Local policy
+# Server local policy
#
-dontaudit games_t self:capability sys_tty_config;
-allow games_t self:process signal_perms;
+dontaudit games_srv_t self:capability sys_tty_config;
+allow games_srv_t self:process signal_perms;
-manage_files_pattern(games_t, games_data_t, games_data_t)
-manage_lnk_files_pattern(games_t, games_data_t, games_data_t)
+manage_files_pattern(games_srv_t, games_data_t, games_data_t)
+manage_lnk_files_pattern(games_srv_t, games_data_t, games_data_t)
+
+manage_files_pattern(games_srv_t, games_srv_var_run_t, games_srv_var_run_t)
+files_pid_filetrans(games_srv_t, games_srv_var_run_t, file)
-manage_files_pattern(games_t, games_var_run_t, games_var_run_t)
-files_pid_filetrans(games_t, games_var_run_t, file)
+can_exec(games_srv_t, games_exec_t)
-can_exec(games_t,games_exec_t)
+kernel_read_kernel_sysctls(games_srv_t)
+kernel_list_proc(games_srv_t)
+kernel_read_proc_symlinks(games_srv_t)
-kernel_read_kernel_sysctls(games_t)
-kernel_list_proc(games_t)
-kernel_read_proc_symlinks(games_t)
+dev_read_sysfs(games_srv_t)
-dev_read_sysfs(games_t)
+fs_getattr_all_fs(games_srv_t)
+fs_search_auto_mountpoints(games_srv_t)
-fs_getattr_all_fs(games_t)
-fs_search_auto_mountpoints(games_t)
+term_dontaudit_use_console(games_srv_t)
-term_dontaudit_use_console(games_t)
+domain_use_interactive_fds(games_srv_t)
-domain_use_interactive_fds(games_t)
+init_use_fds(games_srv_t)
+init_use_script_ptys(games_srv_t)
-init_use_fds(games_t)
-init_use_script_ptys(games_t)
+logging_send_syslog_msg(games_srv_t)
-logging_send_syslog_msg(games_t)
+miscfiles_read_localization(games_srv_t)
+userdom_dontaudit_use_unpriv_user_fds(games_srv_t)
+
+userdom_dontaudit_search_user_home_dirs(games_srv_t)
+
+optional_policy(`
+ seutil_sigchld_newrole(games_srv_t)
+')
+
+optional_policy(`
+ udev_read_db(games_srv_t)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow games_t self:sem create_sem_perms;
+allow games_t self:tcp_socket create_stream_socket_perms;
+allow games_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(games_t, games_data_t, games_data_t)
+manage_lnk_files_pattern(games_t, games_data_t, games_data_t)
+
+allow games_t games_devpts_t:chr_file { rw_chr_file_perms setattr };
+term_create_pty(games_t, games_devpts_t)
+
+manage_dirs_pattern(games_t, games_tmp_t, games_tmp_t)
+manage_files_pattern(games_t, games_tmp_t, games_tmp_t)
+files_tmp_filetrans(games_t, games_tmp_t, { file dir })
+
+manage_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
+manage_lnk_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
+manage_fifo_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
+manage_sock_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
+fs_tmpfs_filetrans(games_t, games_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+can_exec(games_t, games_exec_t)
+
+kernel_read_system_state(games_t)
+
+corecmd_exec_bin(games_t)
+
+corenet_all_recvfrom_unlabeled(games_t)
+corenet_all_recvfrom_netlabel(games_t)
+corenet_tcp_sendrecv_generic_if(games_t)
+corenet_udp_sendrecv_generic_if(games_t)
+corenet_tcp_sendrecv_all_nodes(games_t)
+corenet_udp_sendrecv_all_nodes(games_t)
+corenet_tcp_sendrecv_all_ports(games_t)
+corenet_udp_sendrecv_all_ports(games_t)
+corenet_tcp_bind_all_nodes(games_t)
+corenet_tcp_bind_generic_port(games_t)
+corenet_tcp_connect_generic_port(games_t)
+corenet_sendrecv_generic_client_packets(games_t)
+corenet_sendrecv_generic_server_packets(games_t)
+
+dev_read_sound(games_t)
+dev_write_sound(games_t)
+dev_read_input(games_t)
+dev_read_mouse(games_t)
+dev_read_urand(games_t)
+
+files_list_var(games_t)
+files_search_var_lib(games_t)
+files_dontaudit_search_var(games_t)
+files_read_etc_files(games_t)
+files_read_usr_files(games_t)
+files_read_var_files(games_t)
+
+init_dontaudit_rw_utmp(games_t)
+
+logging_dontaudit_search_logs(games_t)
+
+miscfiles_read_man_pages(games_t)
miscfiles_read_localization(games_t)
-userdom_dontaudit_use_unpriv_user_fds(games_t)
+sysnet_read_config(games_t)
+
+userdom_manage_user_tmp_dirs(games_t)
+userdom_manage_user_tmp_files(games_t)
+userdom_manage_user_tmp_symlinks(games_t)
+userdom_manage_user_tmp_sockets(games_t)
+# Suppress .icons denial until properly implemented
+userdom_dontaudit_read_user_home_content_files(games_t)
-sysadm_dontaudit_search_home_dirs(games_t)
+tunable_policy(`allow_execmem',`
+ allow games_t self:process execmem;
+')
optional_policy(`
- seutil_sigchld_newrole(games_t)
+ nscd_socket_use(games_t)
')
optional_policy(`
- udev_read_db(games_t)
+ xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
+ xserver_create_xdm_tmp_sockets(games_t)
+ xserver_read_xdm_lib_files(games_t)
')
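Review bot: The typealias lines after `type games_t;` make the former per-role names (user_games_t, staff_games_t, sysadm_games_t, ...) synonyms for a single type, so any rule or constraint that relied on those being distinct types now treats them as identical, and nothing in the file says that the remaining per-user separation for games_t, games_data_t, games_devpts_t, games_tmp_t and games_tmpfs_t rests on `ubac_constrained()` rather than on type distinctions. Suggest a comment above the first typealias, e.g. `# Compatibility aliases for the removed per-role derived types; separation between users of this domain now comes from UBAC constraints (when enabled), not from distinct types.` — the alias blocks in gift.te and gnome.te would benefit from the same note. Separately, `xserver_user_x_domain_template(games, games_t, games_tmpfs_t)` now passes three arguments where the removed template passed four, which needs to match the xserver module's updated template signature in this commit (not visible here); gift.te makes the same three-argument call.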
diff --git a/policy/modules/apps/gift.fc b/policy/modules/apps/gift.fc
index 2c2a01a..df7ced4 100644
--- a/policy/modules/apps/gift.fc
+++ b/policy/modules/apps/gift.fc
@@ -1,4 +1,4 @@
-HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:ROLE_gift_home_t,s0)
+HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:gift_home_t,s0)
/usr/(local/)?bin/apollon -- gen_context(system_u:object_r:gift_exec_t,s0)
/usr/(local/)?bin/giftd -- gen_context(system_u:object_r:giftd_exec_t,s0)
diff --git a/policy/modules/apps/gift.if b/policy/modules/apps/gift.if
index 7ab618e..c9b90d3 100644
--- a/policy/modules/apps/gift.if
+++ b/policy/modules/apps/gift.if
@@ -1,193 +1,42 @@
## giFT peer to peer file sharing tool
-#######################################
+############################################################
##
-## The per role template for the gift module.
+## Role access for gift
##
-##
-##
-## This template creates a derived domains which are used
-## for gift client sessions and gift daemons.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
+##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## Role allowed access
##
##
-##
+##
##
-## The type of the user domain.
-##
-##
-##
-##
-## The role associated with the user domain.
+## User domain for the role
##
##
#
-template(`gift_per_role_template',`
-
- ##############################
- #
- # Declarations
- #
-
- type $1_gift_t;
- application_domain($1_gift_t, gift_exec_t)
- role $3 types $1_gift_t;
-
- type $1_gift_home_t alias $1_gift_rw_t;
- files_poly_member($1_gift_home_t)
- userdom_user_home_content($1, $1_gift_home_t)
-
- type $1_gift_tmpfs_t;
- files_tmpfs_file($1_gift_tmpfs_t)
-
- type $1_giftd_t;
- application_domain($1_giftd_t, giftd_exec_t)
- role $3 types $1_giftd_t;
-
- ##############################
- #
- # giFT user interface local policy
- #
-
- allow $1_gift_t self:tcp_socket create_socket_perms;
-
- manage_files_pattern($1_gift_t, $1_gift_tmpfs_t, $1_gift_tmpfs_t)
- manage_lnk_files_pattern($1_gift_t, $1_gift_tmpfs_t, $1_gift_tmpfs_t)
- manage_fifo_files_pattern($1_gift_t, $1_gift_tmpfs_t, $1_gift_tmpfs_t)
- manage_sock_files_pattern($1_gift_t, $1_gift_tmpfs_t, $1_gift_tmpfs_t)
- fs_tmpfs_filetrans($1_gift_t, $1_gift_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
- manage_dirs_pattern($1_gift_t, $1_gift_home_t, $1_gift_home_t)
- manage_files_pattern($1_gift_t, $1_gift_home_t, $1_gift_home_t)
- manage_lnk_files_pattern($1_gift_t, $1_gift_home_t, $1_gift_home_t)
- userdom_user_home_dir_filetrans($1, $1_gift_t, $1_gift_home_t,dir)
+interface(`gift_role',`
+ gen_require(`
+ type gift_t, gift_exec_t;
+ type giftd_t, giftd_exec_t;
+ type gift_home_t;
+ ')
- # Launch gift daemon
- domtrans_pattern($1_gift_t, giftd_exec_t, $1_giftd_t)
+ role $1 types { gift_t giftd_t };
# transition from user domain
- domtrans_pattern($2, gift_exec_t, $1_gift_t)
+ domtrans_pattern($2, gift_exec_t, gift_t)
+ domtrans_pattern($2, giftd_exec_t, giftd_t)
# user managed content
- manage_dirs_pattern($2, $1_gift_home_t, $1_gift_home_t)
- manage_files_pattern($2, $1_gift_home_t, $1_gift_home_t)
- manage_lnk_files_pattern($2, $1_gift_home_t, $1_gift_home_t)
- relabel_dirs_pattern($2, $1_gift_home_t, $1_gift_home_t)
- relabel_files_pattern($2, $1_gift_home_t, $1_gift_home_t)
- relabel_lnk_files_pattern($2, $1_gift_home_t, $1_gift_home_t)
+ manage_dirs_pattern($2, gift_home_t, gift_home_t)
+ manage_files_pattern($2, gift_home_t, gift_home_t)
+ manage_lnk_files_pattern($2, gift_home_t, gift_home_t)
+ relabel_dirs_pattern($2, gift_home_t, gift_home_t)
+ relabel_files_pattern($2, gift_home_t, gift_home_t)
+ relabel_lnk_files_pattern($2, gift_home_t, gift_home_t)
# Allow the user domain to signal/ps.
- ps_process_pattern($2, $1_gift_t)
- allow $2 $1_gift_t:process signal_perms;
-
- # Read /proc/meminfo
- kernel_read_system_state($1_giftd_t)
-
- # Connect to gift daemon
- corenet_all_recvfrom_unlabeled($1_gift_t)
- corenet_all_recvfrom_netlabel($1_gift_t)
- corenet_tcp_sendrecv_generic_if($1_gift_t)
- corenet_tcp_sendrecv_all_nodes($1_gift_t)
- corenet_tcp_sendrecv_giftd_port($1_gift_t)
- corenet_tcp_connect_giftd_port($1_gift_t)
- corenet_sendrecv_giftd_client_packets($1_gift_t)
-
- fs_search_auto_mountpoints($1_gift_t)
-
- sysnet_read_config($1_gift_t)
-
- # giftui looks in .icons, .themes.
- userdom_dontaudit_read_user_home_content_files($1, $1_gift_t)
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs($1_gift_t)
- fs_manage_nfs_files($1_gift_t)
- fs_manage_nfs_symlinks($1_gift_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs($1_gift_t)
- fs_manage_cifs_files($1_gift_t)
- fs_manage_cifs_symlinks($1_gift_t)
- ')
-
-# optional_policy(`
-# gnome_user_application($1,$1_gift,$1_gift_t)
-# ')
-
- optional_policy(`
- nscd_socket_use($1_gift_t)
- ')
-
- optional_policy(`
- xserver_user_x_domain_template($1, $1_gift, $1_gift_t, $1_gift_tmpfs_t)
- ')
-
- ##############################
- #
- # giFT server local policy
- #
-
- allow $1_giftd_t self:process { signal setsched };
- allow $1_giftd_t self:unix_stream_socket create_socket_perms;
- allow $1_giftd_t self:tcp_socket create_stream_socket_perms;
- allow $1_giftd_t self:udp_socket create_socket_perms;
-
- manage_dirs_pattern($1_giftd_t, $1_gift_home_t, $1_gift_home_t)
- manage_files_pattern($1_giftd_t, $1_gift_home_t, $1_gift_home_t)
- manage_lnk_files_pattern($1_giftd_t, $1_gift_home_t, $1_gift_home_t)
- userdom_user_home_dir_filetrans($1, $1_giftd_t, $1_gift_home_t, dir)
-
- domtrans_pattern($2, giftd_exec_t, $1_giftd_t)
-
- kernel_read_system_state($1_giftd_t)
- kernel_read_kernel_sysctls($1_giftd_t)
-
- # Serve content on various p2p networks. Ports can be random.
- corenet_all_recvfrom_unlabeled($1_giftd_t)
- corenet_all_recvfrom_netlabel($1_giftd_t)
- corenet_tcp_sendrecv_generic_if($1_giftd_t)
- corenet_udp_sendrecv_generic_if($1_giftd_t)
- corenet_tcp_sendrecv_all_nodes($1_giftd_t)
- corenet_udp_sendrecv_all_nodes($1_giftd_t)
- corenet_tcp_sendrecv_all_ports($1_giftd_t)
- corenet_udp_sendrecv_all_ports($1_giftd_t)
- corenet_tcp_bind_all_nodes($1_giftd_t)
- corenet_udp_bind_all_nodes($1_giftd_t)
- corenet_tcp_bind_all_ports($1_giftd_t)
- corenet_udp_bind_all_ports($1_giftd_t)
- corenet_tcp_connect_all_ports($1_giftd_t)
- corenet_sendrecv_all_client_packets($1_giftd_t)
-
- files_read_usr_files($1_giftd_t)
- # Read /etc/mtab
- files_read_etc_runtime_files($1_giftd_t)
-
- miscfiles_read_localization($1_giftd_t)
-
- sysnet_read_config($1_giftd_t)
-
- userdom_use_user_terminals($1,$1_giftd_t)
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs($1_giftd_t)
- fs_manage_nfs_files($1_giftd_t)
- fs_manage_nfs_symlinks($1_giftd_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs($1_giftd_t)
- fs_manage_cifs_files($1_giftd_t)
- fs_manage_cifs_symlinks($1_giftd_t)
- ')
+ ps_process_pattern($2, { gift_t giftd_t })
+ allow $2 { gift_t giftd_t }:process signal_perms;
')
diff --git a/policy/modules/apps/gift.te b/policy/modules/apps/gift.te
index c0aec31..b7c1e18 100644
--- a/policy/modules/apps/gift.te
+++ b/policy/modules/apps/gift.te
@@ -1,13 +1,149 @@
-policy_module(gift, 1.4.0)
+policy_module(gift, 2.0.0)
########################################
#
# Declarations
#
+type gift_t;
type gift_exec_t;
-application_executable_file(gift_exec_t)
+typealias gift_t alias { user_gift_t staff_gift_t sysadm_gift_t };
+typealias gift_t alias { auditadm_gift_t secadm_gift_t };
+application_domain(gift_t, gift_exec_t)
+ubac_constrained(gift_t)
+type gift_home_t;
+typealias gift_home_t alias { user_gift_home_t staff_gift_home_t sysadm_gift_home_t };
+typealias gift_home_t alias { auditadm_gift_home_t secadm_gift_home_t };
+files_poly_member(gift_home_t)
+userdom_user_home_content(gift_home_t)
+
+type gift_tmpfs_t;
+typealias gift_tmpfs_t alias { user_gift_tmpfs_t staff_gift_tmpfs_t sysadm_gift_tmpfs_t };
+typealias gift_tmpfs_t alias { auditadm_gift_tmpfs_t secadm_gift_tmpfs_t };
+files_tmpfs_file(gift_tmpfs_t)
+ubac_constrained(gift_tmpfs_t)
+
+type giftd_t;
type giftd_exec_t;
-application_executable_file(giftd_exec_t)
+typealias giftd_t alias { user_giftd_t staff_giftd_t sysadm_giftd_t };
+typealias giftd_t alias { auditadm_giftd_t secadm_giftd_t };
+application_domain(giftd_t, giftd_exec_t)
+ubac_constrained(giftd_t)
+
+##############################
+#
+# giFT user interface local policy
+#
+
+allow gift_t self:tcp_socket create_socket_perms;
+
+manage_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
+manage_lnk_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
+manage_fifo_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
+manage_sock_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
+fs_tmpfs_filetrans(gift_t, gift_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_dirs_pattern(gift_t, gift_home_t, gift_home_t)
+manage_files_pattern(gift_t, gift_home_t, gift_home_t)
+manage_lnk_files_pattern(gift_t, gift_home_t, gift_home_t)
+userdom_user_home_dir_filetrans(gift_t, gift_home_t, dir)
+
+# Launch gift daemon
+domtrans_pattern(gift_t, giftd_exec_t, giftd_t)
+
+# Read /proc/meminfo
+kernel_read_system_state(giftd_t)
+
+# Connect to gift daemon
+corenet_all_recvfrom_unlabeled(gift_t)
+corenet_all_recvfrom_netlabel(gift_t)
+corenet_tcp_sendrecv_generic_if(gift_t)
+corenet_tcp_sendrecv_all_nodes(gift_t)
+corenet_tcp_sendrecv_giftd_port(gift_t)
+corenet_tcp_connect_giftd_port(gift_t)
+corenet_sendrecv_giftd_client_packets(gift_t)
+
+fs_search_auto_mountpoints(gift_t)
+
+sysnet_read_config(gift_t)
+
+# giftui looks in .icons, .themes.
+userdom_dontaudit_read_user_home_content_files(gift_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(gift_t)
+ fs_manage_nfs_files(gift_t)
+ fs_manage_nfs_symlinks(gift_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(gift_t)
+ fs_manage_cifs_files(gift_t)
+ fs_manage_cifs_symlinks(gift_t)
+')
+
+optional_policy(`
+ nscd_socket_use(gift_t)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(gift, gift_t, gift_tmpfs_t)
+')
+
+##############################
+#
+# giFT server local policy
+#
+
+allow giftd_t self:process { signal setsched };
+allow giftd_t self:unix_stream_socket create_socket_perms;
+allow giftd_t self:tcp_socket create_stream_socket_perms;
+allow giftd_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(giftd_t, gift_home_t, gift_home_t)
+manage_files_pattern(giftd_t, gift_home_t, gift_home_t)
+manage_lnk_files_pattern(giftd_t, gift_home_t, gift_home_t)
+userdom_user_home_dir_filetrans(giftd_t, gift_home_t, dir)
+
+kernel_read_system_state(giftd_t)
+kernel_read_kernel_sysctls(giftd_t)
+
+# Serve content on various p2p networks. Ports can be random.
+corenet_all_recvfrom_unlabeled(giftd_t)
+corenet_all_recvfrom_netlabel(giftd_t)
+corenet_tcp_sendrecv_generic_if(giftd_t)
+corenet_udp_sendrecv_generic_if(giftd_t)
+corenet_tcp_sendrecv_all_nodes(giftd_t)
+corenet_udp_sendrecv_all_nodes(giftd_t)
+corenet_tcp_sendrecv_all_ports(giftd_t)
+corenet_udp_sendrecv_all_ports(giftd_t)
+corenet_tcp_bind_all_nodes(giftd_t)
+corenet_udp_bind_all_nodes(giftd_t)
+corenet_tcp_bind_all_ports(giftd_t)
+corenet_udp_bind_all_ports(giftd_t)
+corenet_tcp_connect_all_ports(giftd_t)
+corenet_sendrecv_all_client_packets(giftd_t)
+
+files_read_usr_files(giftd_t)
+# Read /etc/mtab
+files_read_etc_runtime_files(giftd_t)
+
+miscfiles_read_localization(giftd_t)
+
+sysnet_read_config(giftd_t)
+
+userdom_use_user_terminals(giftd_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(giftd_t)
+ fs_manage_nfs_files(giftd_t)
+ fs_manage_nfs_symlinks(giftd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(giftd_t)
+ fs_manage_cifs_files(giftd_t)
+ fs_manage_cifs_symlinks(giftd_t)
+')
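Review bot: The gift_home_t declaration drops the `*_gift_rw_t` compatibility alias that the removed template carried (`type $1_gift_home_t alias $1_gift_rw_t;`), while every other per-role name is preserved through typealias; if any installed filesystem still carries labels using the rw_t names, those contexts become invalid once this policy loads. If the drop is intentional, a one-line comment saying so would help; otherwise add `typealias gift_home_t alias { user_gift_rw_t staff_gift_rw_t sysadm_gift_rw_t auditadm_gift_rw_t secadm_gift_rw_t };` next to the existing aliases. Note also that gift_home_t, unlike gift_tmpfs_t, gets no explicit `ubac_constrained()`; presumably userdom_user_home_content() supplies it, which is worth confirming since the home content is what holds per-user data.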
diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc
index e5f5f1c..223a9d1 100644
--- a/policy/modules/apps/gnome.fc
+++ b/policy/modules/apps/gnome.fc
@@ -1,8 +1,8 @@
-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:ROLE_gnome_home_t,s0)
-HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:ROLE_gconf_home_t,s0)
+HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
-/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:ROLE_gconf_tmp_t,s0)
+/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
index 8da9f61..9601de0 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -1,190 +1,93 @@
## GNU network object model environment (GNOME)
-########################################
+############################################################
##
-## The per role template for the gnome module.
+## Role access for gnome
##
-##
-##
-## This template creates a derived domain which is used
-## for gconf sessions.
-##
-##
-## This template is invoked automatically for each role, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
+##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## Role allowed access
##
##
-##
-##
-## The type of the user domain.
-##
-##
-##
+##
##
-## The role associated with the user domain.
+## User domain for the role
##
##
#
-template(`gnome_per_role_template',`
+interface(`gnome_role',`
gen_require(`
- type gconfd_exec_t, gconf_etc_t;
- attribute gnomedomain;
+ type gconfd_t, gconfd_exec_t;
+ type gconf_tmp_t;
')
- ##############################
- #
- # Declarations
- #
- type $1_gconfd_t, gnomedomain;
-
- application_domain($1_gconfd_t, gconfd_exec_t)
- role $3 types $1_gconfd_t;
-
- type $1_gconf_home_t;
- userdom_user_home_content($1, $1_gconf_home_t)
-
- type $1_gnome_home_t;
- userdom_user_home_content($1, $1_gnome_home_t)
-
- type $1_gconf_tmp_t;
- files_tmp_file($1_gconf_tmp_t)
-
- ##############################
- #
- # Local Policy
- #
-
- allow $1_gconfd_t self:process getsched;
- allow $1_gconfd_t self:fifo_file rw_fifo_file_perms;
-
- manage_dirs_pattern($1_gconfd_t, $1_gconf_home_t, $1_gconf_home_t)
- manage_files_pattern($1_gconfd_t, $1_gconf_home_t, $1_gconf_home_t)
- userdom_user_home_dir_filetrans($1, $1_gconfd_t, $1_gconf_home_t, dir)
-
- manage_dirs_pattern($1_gconfd_t, $1_gconf_tmp_t, $1_gconf_tmp_t)
- manage_files_pattern($1_gconfd_t, $1_gconf_tmp_t, $1_gconf_tmp_t)
- userdom_user_tmp_filetrans($1, $1_gconfd_t, $1_gconf_tmp_t, { dir file })
-
- domain_auto_trans($2, gconfd_exec_t, $1_gconfd_t)
- allow $1_gconfd_t $2:fd use;
- allow $1_gconfd_t $2:fifo_file write;
- allow $1_gconfd_t $2:unix_stream_socket connectto;
-
- allow $1_gconfd_t gconf_etc_t:dir list_dir_perms;
- read_files_pattern($1_gconfd_t, gconf_etc_t, gconf_etc_t)
+ role $1 types gconfd_t;
- ps_process_pattern($2, $1_gconfd_t)
+ domain_auto_trans($2, gconfd_exec_t, gconfd_t)
+ allow gconfd_t $2:fd use;
+ allow gconfd_t $2:fifo_file write;
+ allow gconfd_t $2:unix_stream_socket connectto;
- dev_read_urand($1_gconfd_t)
+ ps_process_pattern($2, gconfd_t)
- files_read_etc_files($1_gconfd_t)
-
- miscfiles_read_localization($1_gconfd_t)
-
- logging_send_syslog_msg($1_gconfd_t)
-
- userdom_manage_user_tmp_sockets($1, $1_gconfd_t)
- userdom_manage_user_tmp_dirs($1, $1_gconfd_t)
- userdom_tmp_filetrans_user_tmp($1, $1_gconfd_t,dir)
-
- gnome_stream_connect_gconf_template($1, $2)
-
- optional_policy(`
- nscd_dontaudit_search_pid($1_gconfd_t)
- ')
-
- optional_policy(`
- xserver_use_xdm_fds($1_gconfd_t)
- xserver_rw_xdm_pipes($1_gconfd_t)
- ')
+ #gnome_stream_connect_gconf_template($1, $2)
+ read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
+ allow $2 gconfd_t:unix_stream_socket connectto;
')
########################################
##
## gconf connection template.
##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## The type of the user domain.
##
##
#
-template(`gnome_stream_connect_gconf_template',`
+interface(`gnome_stream_connect_gconf',`
gen_require(`
- type $1_gconfd_t, $1_gconf_tmp_t;
+ type gconfd_t, gconf_tmp_t;
')
- read_files_pattern($2, $1_gconf_tmp_t, $1_gconf_tmp_t)
- allow $2 $1_gconfd_t:unix_stream_socket connectto;
+ read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
+ allow $1 gconfd_t:unix_stream_socket connectto;
')
########################################
##
-## Run gconfd in the role-specific gconfd domain.
+## Run gconfd in gconfd domain.
##
-##
-##
-## Run gconfd in the role-specfic gconfd domain.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## Domain allowed access.
##
##
#
-template(`gnome_domtrans_user_gconf',`
+interface(`gnome_domtrans_gconfd',`
gen_require(`
- type $1_gconfd_t, gconfd_exec_t;
+ type gconfd_t, gconfd_exec_t;
')
- domtrans_pattern($2, gconfd_exec_t, $1_gconfd_t)
+ domtrans_pattern($1, gconfd_exec_t, gconfd_t)
')
########################################
##
## manage gnome homedir content (.config)
##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## The type of the user domain.
##
##
#
-template(`gnome_manage_user_gnome_config',`
+interface(`gnome_manage_config',`
gen_require(`
- type $1_gnome_home_t;
+ type gnome_home_t;
')
- allow $2 $1_gnome_home_t:dir manage_dir_perms;
- allow $2 $1_gnome_home_t:file manage_file_perms;
+ allow $1 gnome_home_t:dir manage_dir_perms;
+ allow $1 gnome_home_t:file manage_file_perms;
+ userdom_search_user_home_dirs($1)
')
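Review bot: gnome_role keeps a commented-out call `#gnome_stream_connect_gconf_template($1, $2)` followed by two rules that are exactly the body of the new gnome_stream_connect_gconf() interface defined just below it; dead commented code plus an inlined copy of an interface body will drift over time. Replace those three lines with `gnome_stream_connect_gconf($2)` and let the interface own the gconf_tmp_t read and the connectto rule (the `type gconf_tmp_t;` line in the role interface's gen_require can then go as well). As a point of consistency, gnome_role uses `domain_auto_trans($2, gconfd_exec_t, gconfd_t)` while gnome_domtrans_gconfd() below uses `domtrans_pattern($1, gconfd_exec_t, gconfd_t)` for the same transition; having the role interface call gnome_domtrans_gconfd($2) would leave one place to maintain it.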
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
index 1bfe4dd..984009e 100644
--- a/policy/modules/apps/gnome.te
+++ b/policy/modules/apps/gnome.te
@@ -1,5 +1,5 @@
-policy_module(gnome, 1.3.0)
+policy_module(gnome, 2.0.0)
##############################
#
@@ -11,5 +11,65 @@ attribute gnomedomain;
type gconf_etc_t;
files_type(gconf_etc_t)
+type gconf_home_t;
+typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
+typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
+userdom_user_home_content(gconf_home_t)
+
+type gconf_tmp_t;
+typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t };
+typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t };
+files_tmp_file(gconf_tmp_t)
+ubac_constrained(gconf_tmp_t)
+
+type gconfd_t, gnomedomain;
type gconfd_exec_t;
-application_executable_file(gconfd_exec_t)
+typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
+typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
+application_domain(gconfd_t, gconfd_exec_t)
+ubac_constrained(gconfd_t)
+
+type gnome_home_t;
+typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
+typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
+userdom_user_home_content(gnome_home_t)
+
+##############################
+#
+# Local Policy
+#
+
+allow gconfd_t self:process getsched;
+allow gconfd_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t)
+manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t)
+userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir)
+
+manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
+manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
+userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
+
+allow gconfd_t gconf_etc_t:dir list_dir_perms;
+read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
+
+dev_read_urand(gconfd_t)
+
+files_read_etc_files(gconfd_t)
+
+miscfiles_read_localization(gconfd_t)
+
+logging_send_syslog_msg(gconfd_t)
+
+userdom_manage_user_tmp_sockets(gconfd_t)
+userdom_manage_user_tmp_dirs(gconfd_t)
+userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
+
+optional_policy(`
+ nscd_dontaudit_search_pid(gconfd_t)
+')
+
+optional_policy(`
+ xserver_use_xdm_fds(gconfd_t)
+ xserver_rw_xdm_pipes(gconfd_t)
+')
diff --git a/policy/modules/apps/gpg.fc b/policy/modules/apps/gpg.fc
index 0c5dc94..3a42f2a 100644
--- a/policy/modules/apps/gpg.fc
+++ b/policy/modules/apps/gpg.fc
@@ -1,4 +1,4 @@
-HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:ROLE_gpg_secret_t,s0)
+HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if
index 9b03de2..176e01d 100644
--- a/policy/modules/apps/gpg.if
+++ b/policy/modules/apps/gpg.if
@@ -1,382 +1,88 @@
## Policy for GNU Privacy Guard and related programs.
-#######################################
+############################################################
##
-## The per role template for the gpg module.
+## Role access for gpg
##
-##
-##
-## This template creates the types and rules for GPG,
-## GPG-agent, and GPG helper programs. This protects
-## the user keys and secrets, and runs the programs
-## in domains specific to the user type.
-##
-##
-## This is invoked automatically for each user and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
+##
##
-## The user domain.
+## Role allowed access
##
##
-##
+##
##
-## The role associated with the user.
+## User domain for the role
##
##
#
-template(`gpg_per_role_template',`
+interface(`gpg_role',`
gen_require(`
- type gpg_exec_t, gpg_helper_exec_t, gpg_agent_exec_t, pinentry_exec_t;
+ type gpg_t, gpg_exec_t;
+ type gpg_agent_t, gpg_agent_exec_t;
+ type gpg_agent_tmp_t;
+ type gpg_helper_t, gpg_pinentry_t;
')
- ########################################
- #
- # Declarations
- #
-
- type $1_gpg_t;
- application_domain($1_gpg_t, gpg_exec_t)
- role $3 types $1_gpg_t;
-
- type $1_gpg_agent_t;
- application_domain($1_gpg_agent_t, gpg_agent_exec_t)
- role $3 types $1_gpg_agent_t;
-
- type $1_gpg_agent_tmp_t;
- files_tmp_file($1_gpg_agent_tmp_t)
-
- type $1_gpg_secret_t;
- userdom_user_home_content($1, $1_gpg_secret_t)
-
- type $1_gpg_helper_t;
- application_domain($1_gpg_helper_t, gpg_helper_exec_t)
- role $3 types $1_gpg_helper_t;
-
- type $1_gpg_pinentry_t;
- application_domain($1_gpg_pinentry_t, pinentry_exec_t)
- role $3 types $1_gpg_pinentry_t;
-
- ########################################
- #
- # GPG local policy
- #
-
- allow $1_gpg_t self:capability { ipc_lock setuid };
- allow { $2 $1_gpg_t } $1_gpg_t:process signal;
- # setrlimit is for ulimit -c 0
- allow $1_gpg_t self:process { setrlimit setcap setpgid };
-
- allow $1_gpg_t self:fifo_file rw_fifo_file_perms;
- allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
-
- # transition from the gpg domain to the helper domain
- domtrans_pattern($1_gpg_t, gpg_helper_exec_t, $1_gpg_helper_t)
-
- manage_files_pattern($1_gpg_t, $1_gpg_secret_t, $1_gpg_secret_t)
- manage_lnk_files_pattern($1_gpg_t, $1_gpg_secret_t, $1_gpg_secret_t)
- allow $1_gpg_t $1_gpg_secret_t:dir create_dir_perms;
- userdom_user_home_dir_filetrans($1, $1_gpg_t, $1_gpg_secret_t, dir)
+ role $1 types { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t };
# transition from the userdomain to the derived domain
- domtrans_pattern($2, gpg_exec_t, $1_gpg_t)
+ domtrans_pattern($2, gpg_exec_t, gpg_t)
# allow ps to show gpg
- ps_process_pattern($2, $1_gpg_t)
-
- corenet_all_recvfrom_unlabeled($1_gpg_t)
- corenet_all_recvfrom_netlabel($1_gpg_t)
- corenet_tcp_sendrecv_all_if($1_gpg_t)
- corenet_udp_sendrecv_all_if($1_gpg_t)
- corenet_tcp_sendrecv_all_nodes($1_gpg_t)
- corenet_udp_sendrecv_all_nodes($1_gpg_t)
- corenet_tcp_sendrecv_all_ports($1_gpg_t)
- corenet_udp_sendrecv_all_ports($1_gpg_t)
- corenet_tcp_connect_all_ports($1_gpg_t)
- corenet_sendrecv_all_client_packets($1_gpg_t)
-
- dev_read_rand($1_gpg_t)
- dev_read_urand($1_gpg_t)
-
- fs_getattr_xattr_fs($1_gpg_t)
-
- domain_use_interactive_fds($1_gpg_t)
-
- files_read_etc_files($1_gpg_t)
- files_read_usr_files($1_gpg_t)
- files_dontaudit_search_var($1_gpg_t)
-
- miscfiles_read_localization($1_gpg_t)
-
- logging_send_syslog_msg($1_gpg_t)
-
- sysnet_read_config($1_gpg_t)
-
- userdom_use_user_terminals($1, $1_gpg_t)
-
- optional_policy(`
- nis_use_ypbind($1_gpg_t)
- ')
-
- ifdef(`TODO',`
- # Read content to encrypt/decrypt/sign
- read_content($1_gpg_t, $1)
-
- # Write content to encrypt/decrypt/sign
- write_trusted($1_gpg_t, $1)
- ') dnl end TODO
-
- ########################################
- #
- # GPG helper local policy
- #
-
- # for helper programs (which automatically fetch keys)
- # Note: this is only tested with the hkp interface. If you use eg the
- # mail interface you will likely need additional permissions.
-
- allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_gpg_helper_t self:tcp_socket { connect connected_socket_perms };
- allow $1_gpg_helper_t self:udp_socket { connect connected_socket_perms };
+ ps_process_pattern($2, gpg_t)
+ allow $2 gpg_t:process signal;
# communicate with the user
- allow $1_gpg_helper_t $2:fd use;
- allow $1_gpg_helper_t $2:fifo_file write;
-
- dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
-
- corenet_all_recvfrom_unlabeled($1_gpg_helper_t)
- corenet_all_recvfrom_netlabel($1_gpg_helper_t)
- corenet_tcp_sendrecv_all_if($1_gpg_helper_t)
- corenet_raw_sendrecv_all_if($1_gpg_helper_t)
- corenet_udp_sendrecv_all_if($1_gpg_helper_t)
- corenet_tcp_sendrecv_all_nodes($1_gpg_helper_t)
- corenet_udp_sendrecv_all_nodes($1_gpg_helper_t)
- corenet_raw_sendrecv_all_nodes($1_gpg_helper_t)
- corenet_tcp_sendrecv_all_ports($1_gpg_helper_t)
- corenet_udp_sendrecv_all_ports($1_gpg_helper_t)
- corenet_tcp_bind_all_nodes($1_gpg_helper_t)
- corenet_udp_bind_all_nodes($1_gpg_helper_t)
- corenet_tcp_connect_all_ports($1_gpg_helper_t)
-
- dev_read_urand($1_gpg_helper_t)
-
- files_read_etc_files($1_gpg_helper_t)
- # for nscd
- files_dontaudit_search_var($1_gpg_helper_t)
-
- sysnet_read_config($1_gpg_helper_t)
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_dontaudit_rw_nfs_files($1_gpg_helper_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_dontaudit_rw_cifs_files($1_gpg_helper_t)
- ')
-
- optional_policy(`
- xserver_use_xdm_fds($1_gpg_t)
- xserver_rw_xdm_pipes($1_gpg_t)
- ')
-
- ########################################
- #
- # GPG agent local policy
- #
-
- # rlimit: gpg-agent wants to prevent coredumps
- allow $1_gpg_agent_t self:process setrlimit;
-
- allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
- allow $1_gpg_agent_t self:fifo_file rw_fifo_file_perms;
-
- # Allow the gpg-agent to manage its tmp files (socket)
- manage_dirs_pattern($1_gpg_agent_t, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t)
- manage_files_pattern($1_gpg_agent_t, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t)
- manage_sock_files_pattern($1_gpg_agent_t, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t)
- files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
-
- # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
- manage_dirs_pattern($1_gpg_agent_t, $1_gpg_secret_t, $1_gpg_secret_t)
- manage_files_pattern($1_gpg_agent_t, $1_gpg_secret_t, $1_gpg_secret_t)
- manage_lnk_files_pattern($1_gpg_agent_t, $1_gpg_secret_t, $1_gpg_secret_t)
-
- # allow gpg to connect to the gpg agent
- stream_connect_pattern($1_gpg_t, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t, $1_gpg_agent_t)
+ allow gpg_helper_t $2:fd use;
+ allow gpg_helper_t $2:fifo_file write;
# allow ps to show gpg-agent
- ps_process_pattern($2, $1_gpg_agent_t)
+ ps_process_pattern($2, gpg_agent_t)
# Allow the user shell to signal the gpg-agent program.
- allow $2 $1_gpg_agent_t:process { signal sigkill signull };
-
- # Allow the user to manage gpg-agent tmp files (socket)
- manage_dirs_pattern($2, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t)
- manage_files_pattern($2, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t)
- manage_sock_files_pattern($2, $1_gpg_agent_tmp_t, $1_gpg_agent_tmp_t)
-
- # Transition from the user domain to the derived domain.
- domtrans_pattern($2, gpg_agent_exec_t, $1_gpg_agent_t)
-
- corecmd_search_bin($1_gpg_agent_t)
-
- domain_use_interactive_fds($1_gpg_agent_t)
-
- miscfiles_read_localization($1_gpg_agent_t)
-
- # Write to the user domain tty.
- userdom_use_user_terminals($1, $1_gpg_agent_t)
- # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
- userdom_search_user_home_dirs($1, $1_gpg_agent_t)
-
- tunable_policy(`gpg_agent_env_file',`
- # write ~/.gpg-agent-info or a similar to the users home dir
- # or subdir (gpg-agent --write-env-file option)
- #
- userdom_user_home_dir_filetrans_user_home_content($1, $1_gpg_agent_t, file)
- userdom_manage_user_home_content_dirs($1, $1_gpg_agent_t)
- userdom_manage_user_home_content_files($1, $1_gpg_agent_t)
- ')
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs($1_gpg_agent_t)
- fs_manage_nfs_files($1_gpg_agent_t)
- fs_manage_nfs_symlinks($1_gpg_agent_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs($1_gpg_agent_t)
- fs_manage_cifs_files($1_gpg_agent_t)
- fs_manage_cifs_symlinks($1_gpg_agent_t)
- ')
-
- ##############################
- #
- # Pinentry local policy
- #
-
- allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
- allow $1_gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
-
- # we need to allow gpg-agent to call pinentry so it can get the passphrase
- # from the user.
- domtrans_pattern($1_gpg_agent_t, pinentry_exec_t, $1_gpg_pinentry_t)
-
- # read /proc/meminfo
- kernel_read_system_state($1_gpg_pinentry_t)
+ allow $2 gpg_agent_t:process { signal sigkill };
- files_read_usr_files($1_gpg_pinentry_t)
- # read /etc/X11/qtrc
- files_read_etc_files($1_gpg_pinentry_t)
+ manage_dirs_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
- miscfiles_read_fonts($1_gpg_pinentry_t)
- miscfiles_read_localization($1_gpg_pinentry_t)
-
- # for .Xauthority
- userdom_read_user_home_content_files($1, $1_gpg_pinentry_t)
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files($1_gpg_pinentry_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files($1_gpg_pinentry_t)
- ')
-
- optional_policy(`
- xserver_stream_connect_xdm_xserver($1_gpg_pinentry_t)
- ')
-
- ifdef(`TODO',`
- allow $1_gpg_pinentry_t tmp_t:dir { getattr search };
-
- # wants to put some lock files into the user home dir, seems to work fine without
- dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
- dontaudit $1_gpg_pinentry_t $1_home_t:file write;
-
- tunable_policy(`use_nfs_home_dirs',`
- dontaudit $1_gpg_pinentry_t nfs_t:dir write;
- dontaudit $1_gpg_pinentry_t nfs_t:file write;
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- dontaudit $1_gpg_pinentry_t cifs_t:dir write;
- dontaudit $1_gpg_pinentry_t cifs_t:file write;
- ')
-
- dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search };
- ') dnl end TODO
+ # Transition from the user domain to the agent domain.
+ domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
')
########################################
##
## Transition to a user gpg domain.
##
-##
-##
-## Transition to a user gpg domain.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## Domain allowed access.
##
##
#
-template(`gpg_domtrans_user_gpg',`
+interface(`gpg_domtrans',`
gen_require(`
- type $1_gpg_t, gpg_exec_t;
+ type gpg_t, gpg_exec_t;
')
- domtrans_pattern($2, gpg_exec_t, $1_gpg_t)
+ domtrans_pattern($1, gpg_exec_t, gpg_t)
')
########################################
##
## Send generic signals to user gpg processes.
##
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## Domain allowed access.
##
##
#
-template(`gpg_signal_user_gpg',`
+interface(`gpg_signal',`
gen_require(`
- type $1_gpg_t;
+ type gpg_t;
')
- allow $2 $1_gpg_t:process signal;
+ allow $1 gpg_t:process signal;
')
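Review bot: The user-domain→agent signal rule in `gpg_role` silently narrows what the replaced template granted: the new `allow $2 gpg_agent_t:process { signal sigkill };` drops `signull`, which the old `{ signal sigkill signull }` line had, so a user shell checking whether its gpg-agent is still alive with a null signal will now be denied. Unless the narrowing is intended, restore it as `allow $2 gpg_agent_t:process { signal sigkill signull };`. Separately, `files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })` references neither `$1` nor `$2` and is already present in the agent local policy of gpg.te, so it is a domain-local rule duplicated into a role interface and should be dropped from `gpg_role`. A short comment above `role $1 types { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t };` noting that helper and pinentry are listed so all four domains are reachable from the role would also help readers.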
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index 6754d6d..061b94c 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -1,5 +1,5 @@
-policy_module(gpg, 1.6.0)
+policy_module(gpg, 2.0.0)
########################################
#
@@ -14,16 +14,239 @@ policy_module(gpg, 1.6.0)
##
gen_tunable(gpg_agent_env_file, false)
-# Type for gpg or pgp executables.
+type gpg_t;
type gpg_exec_t;
-type gpg_helper_exec_t;
-application_executable_file(gpg_exec_t)
-application_executable_file(gpg_helper_exec_t)
+typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
+typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
+application_domain(gpg_t, gpg_exec_t)
+ubac_constrained(gpg_t)
-# Type for the gpg-agent executable.
+type gpg_agent_t;
type gpg_agent_exec_t;
-application_executable_file(gpg_agent_exec_t)
+typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t };
+typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t };
+application_domain(gpg_agent_t, gpg_agent_exec_t)
+ubac_constrained(gpg_agent_t)
+
+type gpg_agent_tmp_t;
+typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t };
+typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t };
+files_tmp_file(gpg_agent_tmp_t)
+ubac_constrained(gpg_agent_tmp_t)
+
+type gpg_secret_t;
+typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
+typealias gpg_secret_t alias { auditadm_gpg_secret_t secadm_gpg_secret_t };
+userdom_user_home_content(gpg_secret_t)
+
+type gpg_helper_t;
+type gpg_helper_exec_t;
+typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t };
+typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
+application_domain(gpg_helper_t, gpg_helper_exec_t)
+ubac_constrained(gpg_helper_t)
-# type for the pinentry executable
+type gpg_pinentry_t;
type pinentry_exec_t;
-application_executable_file(pinentry_exec_t)
+typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t };
+typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t };
+application_domain(gpg_pinentry_t, pinentry_exec_t)
+ubac_constrained(gpg_pinentry_t)
+
+########################################
+#
+# GPG local policy
+#
+
+allow gpg_t self:capability { ipc_lock setuid };
+# setrlimit is for ulimit -c 0
+allow gpg_t self:process { signal setrlimit setcap setpgid };
+
+allow gpg_t self:fifo_file rw_fifo_file_perms;
+allow gpg_t self:tcp_socket create_stream_socket_perms;
+
+# transition from the gpg domain to the helper domain
+domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
+
+allow gpg_t gpg_secret_t:dir create_dir_perms;
+manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
+manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
+userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
+
+corenet_all_recvfrom_unlabeled(gpg_t)
+corenet_all_recvfrom_netlabel(gpg_t)
+corenet_tcp_sendrecv_all_if(gpg_t)
+corenet_udp_sendrecv_all_if(gpg_t)
+corenet_tcp_sendrecv_all_nodes(gpg_t)
+corenet_udp_sendrecv_all_nodes(gpg_t)
+corenet_tcp_sendrecv_all_ports(gpg_t)
+corenet_udp_sendrecv_all_ports(gpg_t)
+corenet_tcp_connect_all_ports(gpg_t)
+corenet_sendrecv_all_client_packets(gpg_t)
+
+dev_read_rand(gpg_t)
+dev_read_urand(gpg_t)
+
+fs_getattr_xattr_fs(gpg_t)
+
+domain_use_interactive_fds(gpg_t)
+
+files_read_etc_files(gpg_t)
+files_read_usr_files(gpg_t)
+files_dontaudit_search_var(gpg_t)
+
+miscfiles_read_localization(gpg_t)
+
+logging_send_syslog_msg(gpg_t)
+
+sysnet_read_config(gpg_t)
+
+userdom_use_user_terminals(gpg_t)
+
+optional_policy(`
+ nis_use_ypbind(gpg_t)
+')
+
+########################################
+#
+# GPG helper local policy
+#
+
+# for helper programs (which automatically fetch keys)
+# Note: this is only tested with the hkp interface. If you use eg the
+# mail interface you will likely need additional permissions.
+
+allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
+allow gpg_helper_t self:tcp_socket { connect connected_socket_perms };
+allow gpg_helper_t self:udp_socket { connect connected_socket_perms };
+
+dontaudit gpg_helper_t gpg_secret_t:file read;
+
+corenet_all_recvfrom_unlabeled(gpg_helper_t)
+corenet_all_recvfrom_netlabel(gpg_helper_t)
+corenet_tcp_sendrecv_all_if(gpg_helper_t)
+corenet_raw_sendrecv_all_if(gpg_helper_t)
+corenet_udp_sendrecv_all_if(gpg_helper_t)
+corenet_tcp_sendrecv_all_nodes(gpg_helper_t)
+corenet_udp_sendrecv_all_nodes(gpg_helper_t)
+corenet_raw_sendrecv_all_nodes(gpg_helper_t)
+corenet_tcp_sendrecv_all_ports(gpg_helper_t)
+corenet_udp_sendrecv_all_ports(gpg_helper_t)
+corenet_tcp_bind_all_nodes(gpg_helper_t)
+corenet_udp_bind_all_nodes(gpg_helper_t)
+corenet_tcp_connect_all_ports(gpg_helper_t)
+
+dev_read_urand(gpg_helper_t)
+
+files_read_etc_files(gpg_helper_t)
+# for nscd
+files_dontaudit_search_var(gpg_helper_t)
+
+sysnet_read_config(gpg_helper_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_dontaudit_rw_nfs_files(gpg_helper_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_dontaudit_rw_cifs_files(gpg_helper_t)
+')
+
+optional_policy(`
+ xserver_use_xdm_fds(gpg_t)
+ xserver_rw_xdm_pipes(gpg_t)
+')
+
+########################################
+#
+# GPG agent local policy
+#
+
+# rlimit: gpg-agent wants to prevent coredumps
+allow gpg_agent_t self:process setrlimit;
+
+allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
+allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
+
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
+
+# Allow the gpg-agent to manage its tmp files (socket)
+manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
+files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
+
+# allow gpg to connect to the gpg agent
+stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
+
+corecmd_search_bin(gpg_agent_t)
+
+domain_use_interactive_fds(gpg_agent_t)
+
+miscfiles_read_localization(gpg_agent_t)
+
+# Write to the user domain tty.
+userdom_use_user_terminals(gpg_agent_t)
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+userdom_search_user_home_dirs(gpg_agent_t)
+
+tunable_policy(`gpg_agent_env_file',`
+ # write ~/.gpg-agent-info or a similar to the users home dir
+ # or subdir (gpg-agent --write-env-file option)
+ #
+ userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
+ userdom_manage_user_home_content_dirs(gpg_agent_t)
+ userdom_manage_user_home_content_files(gpg_agent_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(gpg_agent_t)
+ fs_manage_nfs_files(gpg_agent_t)
+ fs_manage_nfs_symlinks(gpg_agent_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(gpg_agent_t)
+ fs_manage_cifs_files(gpg_agent_t)
+ fs_manage_cifs_symlinks(gpg_agent_t)
+')
+
+##############################
+#
+# Pinentry local policy
+#
+
+allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
+allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
+
+# we need to allow gpg-agent to call pinentry so it can get the passphrase
+# from the user.
+domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
+
+# read /proc/meminfo
+kernel_read_system_state(gpg_pinentry_t)
+
+files_read_usr_files(gpg_pinentry_t)
+# read /etc/X11/qtrc
+files_read_etc_files(gpg_pinentry_t)
+
+miscfiles_read_fonts(gpg_pinentry_t)
+miscfiles_read_localization(gpg_pinentry_t)
+
+# for .Xauthority
+userdom_read_user_home_content_files(gpg_pinentry_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(gpg_pinentry_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(gpg_pinentry_t)
+')
+
+optional_policy(`
+ xserver_stream_connect(gpg_pinentry_t)
+')
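Review bot: `gpg_secret_t` is the only type declared in this module without `ubac_constrained()` — `gpg_agent_tmp_t` gets it immediately after `files_tmp_file`, but `gpg_secret_t` only gets `userdom_user_home_content(gpg_secret_t)`. If that interface does not itself apply the UBAC constraint (not visible here), then the one type holding private keys is the one that escapes the user-based separation this commit introduces, which inverts the protection. Either add `ubac_constrained(gpg_secret_t)` after the declaration, or, if the interface does apply it, say so in a comment (`# userdom_user_home_content() already applies ubac_constrained`) so the asymmetry with `gpg_agent_tmp_t` is not read as an omission. Also, the `optional_policy` block granting `xserver_use_xdm_fds(gpg_t)` / `xserver_rw_xdm_pipes(gpg_t)` sits under the "GPG helper local policy" heading although it applies to `gpg_t`; move it up into the GPG local policy section.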
diff --git a/policy/modules/apps/irc.fc b/policy/modules/apps/irc.fc
index 618588c..65ece18 100644
--- a/policy/modules/apps/irc.fc
+++ b/policy/modules/apps/irc.fc
@@ -1,11 +1,11 @@
#
# /home
#
-HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:ROLE_irc_home_t,s0)
+HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
#
# /usr
#
-/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0)
/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0)
-/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0)
diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if
index 42d49ac..4f9dc90 100644
--- a/policy/modules/apps/irc.if
+++ b/policy/modules/apps/irc.if
@@ -1,147 +1,31 @@
## IRC client policy
-#######################################
+########################################
##
-## The per role template for the irc module.
+## Role access for IRC
##
-##
-##
-## This template creates a derived domains which are used
-## for an irc client sessions.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
+##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## Role allowed access
##
##
-##
+##
##
-## The type of the user domain.
-##
-##
-##
-##
-## The role associated with the user domain.
+## User domain for the role
##
##
#
-template(`irc_per_role_template',`
+interface(`irc_role',`
gen_require(`
- type irc_exec_t;
+ type irc_t, irc_exec_t;
')
- ########################################
- #
- # Declarations
- #
-
- type $1_irc_t;
- application_domain($1_irc_t, irc_exec_t)
- role $3 types $1_irc_t;
-
- type $1_irc_exec_t;
- userdom_user_home_content($1, $1_irc_exec_t)
- application_domain($1_irc_t, $1_irc_exec_t)
-
- type $1_irc_home_t;
- userdom_user_home_content($1, $1_irc_home_t)
-
- type $1_irc_tmp_t;
- userdom_user_home_content($1, $1_irc_tmp_t)
-
- ########################################
- #
- # Local policy
- #
-
- allow $1_irc_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_irc_t self:tcp_socket create_socket_perms;
- allow $1_irc_t self:udp_socket create_socket_perms;
-
- manage_dirs_pattern($1_irc_t, $1_irc_home_t, $1_irc_home_t)
- manage_files_pattern($1_irc_t, $1_irc_home_t, $1_irc_home_t)
- manage_lnk_files_pattern($1_irc_t, $1_irc_home_t, $1_irc_home_t)
- userdom_user_home_dir_filetrans($1, $1_irc_t, $1_irc_home_t,{ dir file lnk_file })
-
- # access files under /tmp
- manage_dirs_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t)
- manage_files_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t)
- manage_lnk_files_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t)
- manage_fifo_files_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t)
- manage_sock_files_pattern($1_irc_t, $1_irc_tmp_t, $1_irc_tmp_t)
- files_tmp_filetrans($1_irc_t, $1_irc_tmp_t, { file dir lnk_file sock_file fifo_file })
+ role $1 types irc_t;
# Transition from the user domain to the derived domain.
- domtrans_pattern($2, irc_exec_t, $1_irc_t)
-
- allow $2 $1_irc_exec_t:file { relabelfrom relabelto manage_file_perms };
+ domtrans_pattern($2, irc_exec_t, irc_t)
# allow ps to show irc
- ps_process_pattern($2, $1_irc_t)
- allow $2 $1_irc_t:process signal;
-
- kernel_read_proc_symlinks($1_irc_t)
-
- corenet_all_recvfrom_unlabeled($1_irc_t)
- corenet_all_recvfrom_netlabel($1_irc_t)
- corenet_tcp_sendrecv_generic_if($1_irc_t)
- corenet_udp_sendrecv_generic_if($1_irc_t)
- corenet_tcp_sendrecv_all_nodes($1_irc_t)
- corenet_udp_sendrecv_all_nodes($1_irc_t)
- corenet_tcp_sendrecv_all_ports($1_irc_t)
- corenet_udp_sendrecv_all_ports($1_irc_t)
- corenet_sendrecv_ircd_client_packets($1_irc_t)
- # cjp: this seems excessive:
- corenet_tcp_connect_all_ports($1_irc_t)
- corenet_sendrecv_all_client_packets($1_irc_t)
-
- domain_use_interactive_fds($1_irc_t)
-
- files_dontaudit_search_pids($1_irc_t)
- files_search_var($1_irc_t)
- files_read_etc_files($1_irc_t)
- files_read_usr_files($1_irc_t)
-
- fs_getattr_xattr_fs($1_irc_t)
- fs_search_auto_mountpoints($1_irc_t)
-
- term_use_controlling_term($1_irc_t)
- term_list_ptys($1_irc_t)
-
- # allow utmp access
- init_read_utmp($1_irc_t)
- init_dontaudit_lock_utmp($1_irc_t)
-
- miscfiles_read_localization($1_irc_t)
-
- # Inherit and use descriptors from newrole.
- seutil_use_newrole_fds($1_irc_t)
-
- sysnet_read_config($1_irc_t)
-
- # Write to the user domain tty.
- userdom_use_user_terminals($1, $1_irc_t)
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs($1_irc_t)
- fs_manage_nfs_files($1_irc_t)
- fs_manage_nfs_symlinks($1_irc_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs($1_irc_t)
- fs_manage_cifs_files($1_irc_t)
- fs_manage_cifs_symlinks($1_irc_t)
- ')
-
- optional_policy(`
- nis_use_ypbind($1_irc_t)
- ')
+ ps_process_pattern($2, irc_t)
+ allow $2 irc_t:process signal;
')
diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te
index 31208b6..c8b6405 100644
--- a/policy/modules/apps/irc.te
+++ b/policy/modules/apps/irc.te
@@ -1,10 +1,104 @@
-policy_module(irc, 1.4.0)
+policy_module(irc, 2.0.0)
########################################
#
# Declarations
#
+type irc_t;
type irc_exec_t;
-application_executable_file(irc_exec_t)
+typealias irc_t alias { user_irc_t staff_irc_t sysadm_irc_t };
+typealias irc_t alias { auditadm_irc_t secadm_irc_t };
+application_domain(irc_t, irc_exec_t)
+ubac_constrained(irc_t)
+
+type irc_home_t;
+typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t };
+typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t };
+userdom_user_home_content(irc_home_t)
+
+type irc_tmp_t;
+typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
+typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
+userdom_user_home_content(irc_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow irc_t self:unix_stream_socket create_stream_socket_perms;
+allow irc_t self:tcp_socket create_socket_perms;
+allow irc_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(irc_t, irc_home_t, irc_home_t)
+manage_files_pattern(irc_t, irc_home_t, irc_home_t)
+manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t)
+userdom_user_home_dir_filetrans(irc_t, irc_home_t, { dir file lnk_file })
+
+# access files under /tmp
+manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
+manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
+manage_lnk_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
+manage_fifo_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
+manage_sock_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
+files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
+
+kernel_read_proc_symlinks(irc_t)
+
+corenet_all_recvfrom_unlabeled(irc_t)
+corenet_all_recvfrom_netlabel(irc_t)
+corenet_tcp_sendrecv_generic_if(irc_t)
+corenet_udp_sendrecv_generic_if(irc_t)
+corenet_tcp_sendrecv_all_nodes(irc_t)
+corenet_udp_sendrecv_all_nodes(irc_t)
+corenet_tcp_sendrecv_all_ports(irc_t)
+corenet_udp_sendrecv_all_ports(irc_t)
+corenet_sendrecv_ircd_client_packets(irc_t)
+# cjp: this seems excessive:
+corenet_tcp_connect_all_ports(irc_t)
+corenet_sendrecv_all_client_packets(irc_t)
+
+domain_use_interactive_fds(irc_t)
+
+files_dontaudit_search_pids(irc_t)
+files_search_var(irc_t)
+files_read_etc_files(irc_t)
+files_read_usr_files(irc_t)
+
+fs_getattr_xattr_fs(irc_t)
+fs_search_auto_mountpoints(irc_t)
+
+term_use_controlling_term(irc_t)
+term_list_ptys(irc_t)
+
+# allow utmp access
+init_read_utmp(irc_t)
+init_dontaudit_lock_utmp(irc_t)
+
+miscfiles_read_localization(irc_t)
+
+# Inherit and use descriptors from newrole.
+seutil_use_newrole_fds(irc_t)
+
+sysnet_read_config(irc_t)
+
+# Write to the user domain tty.
+userdom_use_user_terminals(irc_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(irc_t)
+ fs_manage_nfs_files(irc_t)
+ fs_manage_nfs_symlinks(irc_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(irc_t)
+ fs_manage_cifs_files(irc_t)
+ fs_manage_cifs_symlinks(irc_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(irc_t)
+')
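Review bot: `irc_tmp_t` is declared with `userdom_user_home_content(irc_tmp_t)` but is only ever created under /tmp via `files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })`, so the declaration does not match the use; the parallel `gpg_agent_tmp_t` in this same commit uses `files_tmp_file()` followed by `ubac_constrained()`. Declare it the same way — `files_tmp_file(irc_tmp_t)` and `ubac_constrained(irc_tmp_t)` in place of the home-content call — otherwise the type is presumably missed by the tmp-wide file interfaces and, if `userdom_user_home_content` does not apply the UBAC constraint itself, by the user-based separation as well. This was carried over from the old template rather than introduced here, but the rewrite is the natural place to fix it. `irc_home_t` likewise relies on `userdom_user_home_content` alone for its UBAC constraint; worth confirming that interface applies it.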
diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if
index 11f192c..a620f39 100644
--- a/policy/modules/apps/java.if
+++ b/policy/modules/apps/java.if
@@ -1,206 +1,58 @@
## Java virtual machine
-#######################################
+########################################
##
-## The per role template for the java module.
+## Role access for java
##
-##
-##
-## This template creates a derived domains which are used
-## for java plugins that are executed by a browser.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
+##
##
-## The type of the user domain.
+## Role allowed access
##
##
-##
+##
##
-## The role associated with the user domain.
+## User domain for the role
##
##
#
-template(`java_per_role_template',`
+interface(`java_role',`
gen_require(`
- type java_exec_t;
+ type java_t, java_exec_t;
')
- ########################################
- #
- # Declarations
- #
-
- type $1_javaplugin_t;
- application_domain($1_javaplugin_t, java_exec_t)
- role $3 types $1_javaplugin_t;
-
- type $1_javaplugin_tmp_t;
- files_tmp_file($1_javaplugin_tmp_t)
-
- type $1_javaplugin_tmpfs_t;
- files_tmpfs_file($1_javaplugin_tmpfs_t)
-
- ########################################
- #
- # Local policy
- #
-
- allow $1_javaplugin_t self:process { signal_perms getsched setsched execmem };
- allow $1_javaplugin_t self:fifo_file rw_fifo_file_perms;
- allow $1_javaplugin_t self:tcp_socket create_socket_perms;
- allow $1_javaplugin_t self:udp_socket create_socket_perms;
-
- allow $1_javaplugin_t $2:unix_stream_socket connectto;
- allow $1_javaplugin_t $2:unix_stream_socket { read write };
- userdom_write_user_tmp_sockets($1, $1_javaplugin_t)
-
- manage_dirs_pattern($1_javaplugin_t, $1_javaplugin_tmp_t, $1_javaplugin_tmp_t)
- manage_files_pattern($1_javaplugin_t, $1_javaplugin_tmp_t, $1_javaplugin_tmp_t)
- files_tmp_filetrans($1_javaplugin_t, $1_javaplugin_tmp_t, { file dir })
-
- manage_files_pattern($1_javaplugin_t, $1_javaplugin_tmpfs_t, $1_javaplugin_tmpfs_t)
- manage_lnk_files_pattern($1_javaplugin_t, $1_javaplugin_tmpfs_t, $1_javaplugin_tmpfs_t)
- manage_fifo_files_pattern($1_javaplugin_t, $1_javaplugin_tmpfs_t, $1_javaplugin_tmpfs_t)
- manage_sock_files_pattern($1_javaplugin_t, $1_javaplugin_tmpfs_t, $1_javaplugin_tmpfs_t)
- fs_tmpfs_filetrans($1_javaplugin_t, $1_javaplugin_tmpfs_t, { file lnk_file sock_file fifo_file })
-
- rw_files_pattern($1_javaplugin_t, $1_home_t, $1_home_t)
- read_files_pattern($1_javaplugin_t, $1_home_t, $1_home_t)
-
- can_exec($1_javaplugin_t, java_exec_t)
+ role $1 types java_t;
# The user role is authorized for this domain.
- domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t)
- allow $1_javaplugin_t $2:fd use;
+ domtrans_pattern($2, java_exec_t, java_t)
+ allow java_t $2:process signull;
# Unrestricted inheritance from the caller.
- allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh };
- allow $1_javaplugin_t $2:process signull;
-
- kernel_read_all_sysctls($1_javaplugin_t)
- kernel_search_vm_sysctl($1_javaplugin_t)
- kernel_read_network_state($1_javaplugin_t)
- kernel_read_system_state($1_javaplugin_t)
-
- # Search bin directory under javaplugin for javaplugin executable
- corecmd_search_bin($1_javaplugin_t)
-
- corenet_all_recvfrom_unlabeled($1_javaplugin_t)
- corenet_all_recvfrom_netlabel($1_javaplugin_t)
- corenet_tcp_sendrecv_generic_if($1_javaplugin_t)
- corenet_udp_sendrecv_generic_if($1_javaplugin_t)
- corenet_tcp_sendrecv_all_nodes($1_javaplugin_t)
- corenet_udp_sendrecv_all_nodes($1_javaplugin_t)
- corenet_tcp_sendrecv_all_ports($1_javaplugin_t)
- corenet_udp_sendrecv_all_ports($1_javaplugin_t)
- corenet_tcp_connect_all_ports($1_javaplugin_t)
- corenet_sendrecv_all_client_packets($1_javaplugin_t)
-
- dev_read_sound($1_javaplugin_t)
- dev_write_sound($1_javaplugin_t)
- dev_read_urand($1_javaplugin_t)
- dev_read_rand($1_javaplugin_t)
-
- files_read_etc_files($1_javaplugin_t)
- files_read_usr_files($1_javaplugin_t)
- files_search_home($1_javaplugin_t)
- files_search_var_lib($1_javaplugin_t)
- files_read_etc_runtime_files($1_javaplugin_t)
- # Read global fonts and font config
- files_read_etc_files($1_javaplugin_t)
-
- fs_getattr_xattr_fs($1_javaplugin_t)
- fs_dontaudit_rw_tmpfs_files($1_javaplugin_t)
+ allow $2 java_t:process { noatsecure siginh rlimitinh };
- logging_send_syslog_msg($1_javaplugin_t)
-
- miscfiles_read_localization($1_javaplugin_t)
- # Read global fonts and font config
- miscfiles_read_fonts($1_javaplugin_t)
-
- sysnet_read_config($1_javaplugin_t)
-
- userdom_dontaudit_use_user_terminals($1, $1_javaplugin_t)
- userdom_dontaudit_setattr_user_home_content_files($1, $1_javaplugin_t)
- userdom_dontaudit_exec_user_home_content_files($1, $1_javaplugin_t)
- userdom_manage_user_home_content_dirs($1, $1_javaplugin_t)
- userdom_manage_user_home_content_files($1, $1_javaplugin_t)
- userdom_manage_user_home_content_symlinks($1, $1_javaplugin_t)
- userdom_manage_user_home_content_pipes($1, $1_javaplugin_t)
- userdom_manage_user_home_content_sockets($1, $1_javaplugin_t)
- userdom_user_home_dir_filetrans_user_home_content($1, $1_javaplugin_t, { file lnk_file sock_file fifo_file })
-
- tunable_policy(`allow_java_execstack',`
- allow $1_javaplugin_t self:process execstack;
-
- allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
-
- libs_legacy_use_shared_libs($1_javaplugin_t)
- libs_legacy_use_ld_so($1_javaplugin_t)
-
- miscfiles_legacy_read_localization($1_javaplugin_t)
- ')
-
- optional_policy(`
- nis_use_ypbind($1_javaplugin_t)
- ')
-
- optional_policy(`
- nscd_socket_use($1_javaplugin_t)
- ')
-
- optional_policy(`
- xserver_user_x_domain_template($1, $1_javaplugin, $1_javaplugin_t, $1_javaplugin_tmpfs_t)
- ')
+ allow java_t $2:unix_stream_socket connectto;
+ allow java_t $2:unix_stream_socket { read write };
')
########################################
##
## Run java in javaplugin domain.
##
-##
-##
-## Run java in javaplugin domain.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## Domain allowed access.
##
##
#
-template(`java_domtrans_user_javaplugin',`
+template(`java_domtrans',`
gen_require(`
- type $1_javaplugin_t, java_exec_t;
+ type java_t, java_exec_t;
')
- domtrans_pattern($2, java_exec_t, $1_javaplugin_t)
+ domtrans_pattern($1, java_exec_t, java_t)
')
########################################
##
-## Execute the java program in the java domain.
+## Execute the java program in the unconfined java domain.
##
##
##
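Review bot: `java_domtrans` is still declared with `template(` even though, after this change, it takes a single domain argument and requires only the fixed types `java_t` and `java_exec_t` — the same refactor turned `gpg_domtrans` and `gpg_signal` into `interface(`. Change the header to `interface(`java_domtrans',` for consistency with the rest of the commit. Its summary `## Run java in javaplugin domain.` should also name `java_t` as the target, since the `*_javaplugin_t` names now survive only as aliases. Separately, `allow $2 java_t:process { noatsecure siginh rlimitinh };` carries the old unrestricted-inheritance rule into the now UBAC-constrained plugin domain; a comment explaining why a browser plugin must keep the caller's signal state and rlimits (or dropping the rule) would be a worthwhile follow-up.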
@@ -208,11 +60,11 @@ template(`java_domtrans_user_javaplugin',`
##
##
#
-interface(`java_domtrans',`
+interface(`java_domtrans_unconfined',`
gen_require(`
- type java_t, java_exec_t;
+ type unconfined_java_t, java_exec_t;
')
+ domtrans_pattern($1, java_exec_t, unconfined_java_t)
corecmd_search_bin($1)
- domtrans_pattern($1, java_exec_t, java_t)
')
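Review bot: The summary for java_domtrans_unconfined does not say that the caller ends up in an unconfined domain, and that is the only thing a policy author needs to know before using it; the interface on L6911 transitions $1 into unconfined_java_t, and since both java_t and unconfined_java_t are entered through the same java_exec_t (see the declarations in java.te), which domain a caller lands in depends solely on which of the two interfaces it was granted. I would extend the header to `## Execute the java program in the unconfined java domain. Any domain given this interface gains an unconfined execution path via java_exec_t; confined callers should use java_domtrans instead.` The ordering swap of corecmd_search_bin and domtrans_pattern has no effect and needs no comment.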
diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
index 16d43eb..1f866e7 100644
--- a/policy/modules/apps/java.te
+++ b/policy/modules/apps/java.te
@@ -1,5 +1,5 @@
-policy_module(java, 1.8.0)
+policy_module(java, 2.0.0)
########################################
#
@@ -15,19 +15,136 @@ gen_tunable(allow_java_execstack, false)
type java_t;
type java_exec_t;
-init_system_domain(java_t, java_exec_t)
+application_domain(java_t, java_exec_t)
+ubac_constrained(java_t)
+typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
+typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
+
+type java_tmp_t;
+files_tmp_file(java_tmp_t)
+ubac_constrained(java_tmp_t)
+typealias java_tmp_t alias { staff_javaplugin_tmp_t user_javaplugin_tmp_t sysadm_javaplugin_tmp_t };
+typealias java_tmp_t alias { auditadm_tmp_javaplugin_t secadm_javaplugin_tmp_t };
+
+type java_tmpfs_t;
+ubac_constrained(java_tmpfs_t)
+files_tmpfs_file(java_tmpfs_t)
+typealias java_tmpfs_t alias { staff_javaplugin_tmpfs_t user_javaplugin_tmpfs_t sysadm_javaplugin_tmpfs_t };
+typealias java_tmpfs_t alias { auditadm_tmpfs_javaplugin_t secadm_tmpfs_javaplugin_t };
+
+type unconfined_java_t;
+init_system_domain(unconfined_java_t, java_exec_t)
########################################
#
# Local policy
#
-# execheap is needed for itanium/BEA jrocket
-allow java_t self:process { execstack execmem execheap };
+allow java_t self:process { signal_perms getsched setsched execmem };
+allow java_t self:fifo_file rw_fifo_file_perms;
+allow java_t self:tcp_socket create_socket_perms;
+allow java_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(java_t, java_tmp_t, java_tmp_t)
+manage_files_pattern(java_t, java_tmp_t, java_tmp_t)
+files_tmp_filetrans(java_t, java_tmp_t,{ file dir })
+
+manage_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
+manage_lnk_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
+manage_fifo_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
+manage_sock_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t)
+fs_tmpfs_filetrans(java_t, java_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+can_exec(java_t, java_exec_t)
+
+kernel_read_all_sysctls(java_t)
+kernel_search_vm_sysctl(java_t)
+kernel_read_network_state(java_t)
+kernel_read_system_state(java_t)
+
+# Search bin directory under java for java executable
+corecmd_search_bin(java_t)
+
+corenet_all_recvfrom_unlabeled(java_t)
+corenet_all_recvfrom_netlabel(java_t)
+corenet_tcp_sendrecv_generic_if(java_t)
+corenet_udp_sendrecv_generic_if(java_t)
+corenet_tcp_sendrecv_all_nodes(java_t)
+corenet_udp_sendrecv_all_nodes(java_t)
+corenet_tcp_sendrecv_all_ports(java_t)
+corenet_udp_sendrecv_all_ports(java_t)
+corenet_tcp_connect_all_ports(java_t)
+corenet_sendrecv_all_client_packets(java_t)
+
+dev_read_sound(java_t)
+dev_write_sound(java_t)
+dev_read_urand(java_t)
+dev_read_rand(java_t)
+
+files_read_etc_files(java_t)
+files_read_usr_files(java_t)
+files_search_home(java_t)
+files_search_var_lib(java_t)
+files_read_etc_runtime_files(java_t)
+# Read global fonts and font config
+files_read_etc_files(java_t)
+
+fs_getattr_xattr_fs(java_t)
+fs_dontaudit_rw_tmpfs_files(java_t)
+
+logging_send_syslog_msg(java_t)
+
+miscfiles_read_localization(java_t)
+# Read global fonts and font config
+miscfiles_read_fonts(java_t)
+
+sysnet_read_config(java_t)
+
+userdom_dontaudit_use_user_terminals(java_t)
+userdom_dontaudit_setattr_user_home_content_files(java_t)
+userdom_dontaudit_exec_user_home_content_files(java_t)
+userdom_manage_user_home_content_dirs(java_t)
+userdom_manage_user_home_content_files(java_t)
+userdom_manage_user_home_content_symlinks(java_t)
+userdom_manage_user_home_content_pipes(java_t)
+userdom_manage_user_home_content_sockets(java_t)
+userdom_user_home_dir_filetrans_user_home_content(java_t, { file lnk_file sock_file fifo_file })
+userdom_write_user_tmp_sockets(java_t)
+
+tunable_policy(`allow_java_execstack',`
+ allow java_t self:process execstack;
+
+ allow java_t java_tmp_t:file execute;
-init_dbus_chat_script(java_t)
+ libs_legacy_use_shared_libs(java_t)
+ libs_legacy_use_ld_so(java_t)
+
+ miscfiles_legacy_read_localization(java_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(java_t)
+')
optional_policy(`
- unconfined_domain_noaudit(java_t)
- unconfined_dbus_chat(java_t)
+ nscd_socket_use(java_t)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
+')
+
+########################################
+#
+# Unconfined java local policy
+#
+
+optional_policy(`
+ # execheap is needed for itanium/BEA jrocket
+ allow unconfined_java_t self:process { execstack execmem execheap };
+
+ init_dbus_chat_script(unconfined_java_t)
+
+ unconfined_domain_noaudit(unconfined_java_t)
+ unconfined_dbus_chat(unconfined_java_t)
')
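Review bot: The compatibility aliases on L6937 and L6943 do not match the names the old per-role template produced, so they alias nothing useful: the template used `$1_javaplugin_tmp_t` (see the removed L6838) and `$1_javaplugin_tmpfs_t` (removed L6855), but the new lines declare `auditadm_tmp_javaplugin_t`, `auditadm_tmpfs_javaplugin_t` and `secadm_tmpfs_javaplugin_t`. Any on-disk object or external policy still referring to the real old names for those roles would presumably fail to resolve after this policy loads. The lines should read `typealias java_tmp_t alias { auditadm_javaplugin_tmp_t secadm_javaplugin_tmp_t };` and `typealias java_tmpfs_t alias { auditadm_javaplugin_tmpfs_t secadm_javaplugin_tmpfs_t };`. Separately, `files_read_etc_files(java_t)` is listed twice (L6994 and L7000), and the "Read global fonts and font config" comment above the second copy belongs to the miscfiles_read_fonts call on L7009, so the duplicate at L7000 and its comment can be dropped.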
diff --git a/policy/modules/apps/loadkeys.if b/policy/modules/apps/loadkeys.if
index 1c5f09b..c56cfa4 100644
--- a/policy/modules/apps/loadkeys.if
+++ b/policy/modules/apps/loadkeys.if
@@ -33,11 +33,6 @@ interface(`loadkeys_domtrans',`
## The role to allow the loadkeys domain.
##
##
-##
-##
-## The type of the terminal allow the loadkeys domain to use.
-##
-##
##
#
interface(`loadkeys_run',`
@@ -47,7 +42,6 @@ interface(`loadkeys_run',`
loadkeys_domtrans($1)
role $2 types loadkeys_t;
- allow loadkeys_t $3:chr_file rw_term_perms;
')
########################################
diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
index bcb6676..670ef29 100644
--- a/policy/modules/apps/loadkeys.te
+++ b/policy/modules/apps/loadkeys.te
@@ -1,5 +1,5 @@
-policy_module(loadkeys, 1.4.0)
+policy_module(loadkeys, 1.4.1)
########################################
#
@@ -39,6 +39,8 @@ locallogin_use_fds(loadkeys_t)
miscfiles_read_localization(loadkeys_t)
+userdom_use_user_ttys(loadkeys_t)
+
optional_policy(`
nscd_dontaudit_search_pid(loadkeys_t)
')
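Review bot: `userdom_use_user_ttys(loadkeys_t)` on L7095 is narrower in one way and broader in another than the `allow loadkeys_t $3:chr_file rw_term_perms;` it replaces, and neither difference is documented. It is broader because loadkeys_t now gets every user's tty types rather than the single terminal type the caller passed, with only UBAC (when enabled) approximating the old per-role separation; it may be narrower because, if any caller passed a pty type as $3, running loadkeys from a pseudo-terminal would now be denied. The parallel change in lockdev.te uses `userdom_use_user_terminals(lockdev_t)` (L7237), so unless ttys-only is deliberate I would use `userdom_use_user_terminals(loadkeys_t)` here for parity, and add a one-line comment such as `# terminal access is no longer scoped to the calling role; UBAC constrains it when enabled`.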
diff --git a/policy/modules/apps/lockdev.if b/policy/modules/apps/lockdev.if
index c818c1e..8e7d279 100644
--- a/policy/modules/apps/lockdev.if
+++ b/policy/modules/apps/lockdev.if
@@ -1,79 +1,33 @@
## device locking policy for lockdev
-#######################################
+########################################
##
-## The per role template for the lockdev module.
+## Role access for lockdev
##
-##
-##
-## This template creates derived domains which are used
-## for lockdev. A derived type is also created to protect
-## the user's device locks.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
+##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## Role allowed access
##
##
-##
+##
##
-## The type of the user domain.
-##
-##
-##
-##
-## The role associated with the user domain.
+## User domain for the role
##
##
#
-template(`lockdev_per_role_template',`
+interface(`lockdev_role',`
gen_require(`
- type lockdev_exec_t;
+ type lockdev_t, lockdev_exec_t;
+ type lockdev_lock_t;
')
- ########################################
- #
- # Declarations
- #
-
- type $1_lockdev_t;
- application_domain($1_lockdev_t, lockdev_exec_t)
- role $3 types $1_lockdev_t;
-
- type $1_lockdev_lock_t;
- files_lock_file($1_lockdev_lock_t)
-
- ########################################
- #
- # Local policy
- #
-
- # Use capabilities.
- allow $1_lockdev_t self:capability setgid;
- allow $1_lockdev_t $2:process signull;
+ role $1 types lockdev_t;
# Transition from the user domain to the derived domain.
- domtrans_pattern($2, lockdev_exec_t, $1_lockdev_t)
+ domtrans_pattern($2, lockdev_exec_t, lockdev_t)
+ allow lockdev_t $2:process signull;
- allow $1_lockdev_t $1_lockdev_lock_t:file manage_file_perms;
- files_lock_filetrans($1_lockdev_t, $1_lockdev_lock_t, file)
-
- files_read_all_locks($1_lockdev_t)
-
- fs_getattr_xattr_fs($1_lockdev_t)
-
- logging_send_syslog_msg($1_lockdev_t)
-
- userdom_use_user_terminals($1, $1_lockdev_t)
-
- optional_policy(`
- logging_send_syslog_msg($1_t)
- ')
+ # allow ps to show lockdev
+ ps_process_pattern($2, lockdev_t)
+ allow $2 lockdev_t:process signal;
')
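Review bot: The gen_require block of lockdev_role pulls in `type lockdev_lock_t;` on L7150 but the interface body never references it, so the require is dead and should be removed (or, if the intent was to let the user domain manage its lock files, the corresponding allow rule is missing). The retained comment on L7173, "Transition from the user domain to the derived domain", is now stale because lockdev_t is a single shared domain; I would change it to `# Transition from the user domain to the lockdev domain.` Note also that `allow $2 lockdev_t:process signal;` on L7193 is new relative to the removed template, which only granted signull in the other direction; that looks intentional for the ps/kill use case but deserves a word in the commit message.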
diff --git a/policy/modules/apps/lockdev.te b/policy/modules/apps/lockdev.te
index bb96b0c..34467b6 100644
--- a/policy/modules/apps/lockdev.te
+++ b/policy/modules/apps/lockdev.te
@@ -1,10 +1,40 @@
-policy_module(lockdev, 1.2.0)
+policy_module(lockdev, 1.2.1)
########################################
#
# Declarations
#
+type lockdev_t;
type lockdev_exec_t;
-application_executable_file(lockdev_exec_t)
+typealias lockdev_t alias { user_lockdev_t staff_lockdev_t sysadm_lockdev_t };
+typealias lockdev_t alias { auditadm_lockdev_t secadm_lockdev_t };
+application_domain(lockdev_t, lockdev_exec_t)
+ubac_constrained(lockdev_t)
+
+type lockdev_lock_t;
+typealias lockdev_lock_t alias { user_lockdev_lock_t staff_lockdev_lock_t sysadm_lockdev_lock_t };
+typealias lockdev_lock_t alias { auditadm_lockdev_lock_t secadm_lockdev_lock_t };
+files_lock_file(lockdev_lock_t)
+ubac_constrained(lockdev_lock_t)
+
+########################################
+#
+# Local policy
+#
+
+# Use capabilities.
+allow lockdev_t self:capability setgid;
+
+allow lockdev_t lockdev_lock_t:file manage_file_perms;
+files_lock_filetrans(lockdev_t, lockdev_lock_t, file)
+
+files_read_all_locks(lockdev_t)
+
+fs_getattr_xattr_fs(lockdev_t)
+
+logging_send_syslog_msg(lockdev_t)
+
+userdom_use_user_terminals(lockdev_t)
+
diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te
index 831090a..5c79af6 100644
--- a/policy/modules/apps/mono.te
+++ b/policy/modules/apps/mono.te
@@ -1,5 +1,5 @@
-policy_module(mono, 1.5.0)
+policy_module(mono, 1.5.1)
########################################
#
@@ -17,10 +17,10 @@ init_system_domain(mono_t, mono_exec_t)
allow mono_t self:process { execheap execmem };
-unprivuser_home_dir_filetrans_home_content(mono_t,{ dir file lnk_file fifo_file sock_file })
-
init_dbus_chat_script(mono_t)
+userdom_user_home_dir_filetrans_user_home_content(mono_t,{ dir file lnk_file fifo_file sock_file })
+
optional_policy(`
avahi_dbus_chat(mono_t)
')
diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
index 99f54ca..b6f0924 100644
--- a/policy/modules/apps/mozilla.fc
+++ b/policy/modules/apps/mozilla.fc
@@ -1,8 +1,8 @@
-HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
+HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
#
# /bin
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
index abbb2bb..3811a40 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -1,504 +1,108 @@
## Policy for Mozilla and related web browsers
-#######################################
+########################################
##
-## The per role template for the mozilla module.
+## Role access for mozilla
##
-##
-##
-## This template creates a derived domains which are used
-## for mozilla web browser.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
+##
##
-## The type of the user domain.
+## Role allowed access
##
##
-##
+##
##
-## The role associated with the user domain.
+## User domain for the role
##
##
#
-template(`mozilla_per_role_template',`
+interface(`mozilla_role',`
gen_require(`
- type mozilla_conf_t, mozilla_exec_t;
+ type mozilla_t, mozilla_exec_t, mozilla_home_t;
')
- ########################################
- #
- # Declarations
- #
- type $1_mozilla_t;
- application_domain($1_mozilla_t, mozilla_exec_t)
- role $3 types $1_mozilla_t;
-
- type $1_mozilla_home_t alias $1_mozilla_rw_t;
- files_poly_member($1_mozilla_home_t)
- userdom_user_home_content($1, $1_mozilla_home_t)
-
- type $1_mozilla_tmpfs_t;
- files_tmpfs_file($1_mozilla_tmpfs_t)
-
- ########################################
- #
- # Local policy
- #
-
- allow $1_mozilla_t self:capability { sys_nice setgid setuid };
- allow $1_mozilla_t self:process { sigkill signal setsched getsched setrlimit };
- allow $1_mozilla_t self:fifo_file rw_fifo_file_perms;
- allow $1_mozilla_t self:shm { unix_read unix_write read write destroy create };
- allow $1_mozilla_t self:sem create_sem_perms;
- allow $1_mozilla_t self:socket create_socket_perms;
- allow $1_mozilla_t self:unix_stream_socket { listen accept };
- # Browse the web, connect to printer
- allow $1_mozilla_t self:tcp_socket create_socket_perms;
- allow $1_mozilla_t self:netlink_route_socket r_netlink_socket_perms;
-
- # for bash - old mozilla binary
- can_exec($1_mozilla_t, mozilla_exec_t)
-
- # X access, Home files
- manage_dirs_pattern($1_mozilla_t, $1_mozilla_home_t, $1_mozilla_home_t)
- manage_files_pattern($1_mozilla_t, $1_mozilla_home_t, $1_mozilla_home_t)
- manage_lnk_files_pattern($1_mozilla_t, $1_mozilla_home_t, $1_mozilla_home_t)
- userdom_search_user_home_dirs($1, $1_mozilla_t)
-
- # Mozpluggerrc
- allow $1_mozilla_t mozilla_conf_t:file read_file_perms;
+ role $1 types mozilla_t;
- allow $1_mozilla_t $2:fd use;
- allow $1_mozilla_t $2:process sigchld;
- allow $1_mozilla_t $2:unix_stream_socket connectto;
- allow $2 $1_mozilla_t:fd use;
- allow $2 $1_mozilla_t:shm { associate getattr };
- allow $2 $1_mozilla_t:shm { unix_read unix_write };
- allow $2 $1_mozilla_t:unix_stream_socket connectto;
-
- # X access, Home files
- manage_dirs_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t)
- manage_files_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t)
- manage_lnk_files_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t)
- relabel_dirs_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t)
- relabel_files_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t)
- relabel_lnk_files_pattern($2, $1_mozilla_home_t, $1_mozilla_home_t)
-
- manage_files_pattern($1_mozilla_t, $1_mozilla_tmpfs_t, $1_mozilla_tmpfs_t)
- manage_lnk_files_pattern($1_mozilla_t, $1_mozilla_tmpfs_t, $1_mozilla_tmpfs_t)
- manage_fifo_files_pattern($1_mozilla_t, $1_mozilla_tmpfs_t, $1_mozilla_tmpfs_t)
- manage_sock_files_pattern($1_mozilla_t, $1_mozilla_tmpfs_t, $1_mozilla_tmpfs_t)
- fs_tmpfs_filetrans($1_mozilla_t, $1_mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
-
- allow $1_mozilla_t $2:process signull;
-
- domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t)
+ domain_auto_trans($2, mozilla_exec_t, mozilla_t)
# Unrestricted inheritance from the caller.
- allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
+ allow $2 mozilla_t:process { noatsecure siginh rlimitinh };
+ allow mozilla_t $2:fd use;
+ allow mozilla_t $2:process { sigchld signull };
+ allow mozilla_t $2:unix_stream_socket connectto;
# Allow the user domain to signal/ps.
- ps_process_pattern($2, $1_mozilla_t)
- allow $2 $1_mozilla_t:process signal_perms;
-
- kernel_read_kernel_sysctls($1_mozilla_t)
- kernel_read_network_state($1_mozilla_t)
- # Access /proc, sysctl
- kernel_read_system_state($1_mozilla_t)
- kernel_read_net_sysctls($1_mozilla_t)
-
- # Look for plugins
- corecmd_list_bin($1_mozilla_t)
- # for bash - old mozilla binary
- corecmd_exec_shell($1_mozilla_t)
- corecmd_exec_bin($1_mozilla_t)
-
- # Browse the web, connect to printer
- corenet_all_recvfrom_unlabeled($1_mozilla_t)
- corenet_all_recvfrom_netlabel($1_mozilla_t)
- corenet_tcp_sendrecv_generic_if($1_mozilla_t)
- corenet_raw_sendrecv_generic_if($1_mozilla_t)
- corenet_tcp_sendrecv_all_nodes($1_mozilla_t)
- corenet_raw_sendrecv_all_nodes($1_mozilla_t)
- corenet_tcp_sendrecv_http_port($1_mozilla_t)
- corenet_tcp_sendrecv_http_cache_port($1_mozilla_t)
- corenet_tcp_sendrecv_ftp_port($1_mozilla_t)
- corenet_tcp_sendrecv_ipp_port($1_mozilla_t)
- corenet_tcp_connect_http_port($1_mozilla_t)
- corenet_tcp_connect_http_cache_port($1_mozilla_t)
- corenet_tcp_connect_ftp_port($1_mozilla_t)
- corenet_tcp_connect_ipp_port($1_mozilla_t)
- corenet_tcp_connect_generic_port($1_mozilla_t)
- corenet_sendrecv_http_client_packets($1_mozilla_t)
- corenet_sendrecv_http_cache_client_packets($1_mozilla_t)
- corenet_sendrecv_ftp_client_packets($1_mozilla_t)
- corenet_sendrecv_ipp_client_packets($1_mozilla_t)
- corenet_sendrecv_generic_client_packets($1_mozilla_t)
- # Should not need other ports
- corenet_dontaudit_tcp_sendrecv_generic_port($1_mozilla_t)
- corenet_dontaudit_tcp_bind_generic_port($1_mozilla_t)
-
- dev_read_urand($1_mozilla_t)
- dev_read_rand($1_mozilla_t)
- dev_write_sound($1_mozilla_t)
- dev_read_sound($1_mozilla_t)
- dev_dontaudit_rw_dri($1_mozilla_t)
- dev_getattr_sysfs_dirs($1_mozilla_t)
-
- files_read_etc_runtime_files($1_mozilla_t)
- files_read_usr_files($1_mozilla_t)
- files_read_etc_files($1_mozilla_t)
- # /var/lib
- files_read_var_lib_files($1_mozilla_t)
- # interacting with gstreamer
- files_read_var_files($1_mozilla_t)
- files_read_var_symlinks($1_mozilla_t)
- files_dontaudit_getattr_boot_dirs($1_mozilla_t)
-
- fs_search_auto_mountpoints($1_mozilla_t)
- fs_list_inotifyfs($1_mozilla_t)
- fs_rw_tmpfs_files($1_mozilla_t)
-
- term_dontaudit_getattr_pty_dirs($1_mozilla_t)
-
- logging_send_syslog_msg($1_mozilla_t)
+ ps_process_pattern($2, mozilla_t)
+ allow $2 mozilla_t:process signal_perms;
- miscfiles_read_fonts($1_mozilla_t)
- miscfiles_read_localization($1_mozilla_t)
-
- # Browse the web, connect to printer
- sysnet_dns_name_resolve($1_mozilla_t)
- sysnet_read_config($1_mozilla_t)
-
- userdom_manage_user_home_content_dirs($1, $1_mozilla_t)
- userdom_manage_user_home_content_files($1, $1_mozilla_t)
- userdom_manage_user_home_content_symlinks($1, $1_mozilla_t)
- userdom_manage_user_tmp_dirs($1, $1_mozilla_t)
- userdom_manage_user_tmp_files($1, $1_mozilla_t)
- userdom_manage_user_tmp_sockets($1, $1_mozilla_t)
-
- xserver_user_x_domain_template($1, $1_mozilla, $1_mozilla_t, $1_mozilla_tmpfs_t)
- xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t)
- xserver_dontaudit_getattr_xdm_tmp_sockets($1_mozilla_t)
-
- tunable_policy(`allow_execmem',`
- allow $1_mozilla_t self:process { execmem execstack };
- ')
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs($1_mozilla_t)
- fs_manage_nfs_files($1_mozilla_t)
- fs_manage_nfs_symlinks($1_mozilla_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs($1_mozilla_t)
- fs_manage_cifs_files($1_mozilla_t)
- fs_manage_cifs_symlinks($1_mozilla_t)
- ')
-
- # Uploads, local html
- tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
- fs_list_auto_mountpoints($1_mozilla_t)
- files_list_home($1_mozilla_t)
- fs_read_nfs_files($1_mozilla_t)
- fs_read_nfs_symlinks($1_mozilla_t)
-
- ',`
- files_dontaudit_list_home($1_mozilla_t)
- fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
- fs_dontaudit_read_nfs_files($1_mozilla_t)
- fs_dontaudit_list_nfs($1_mozilla_t)
- ')
-
- tunable_policy(`mozilla_read_content && use_samba_home_dirs',`
- fs_list_auto_mountpoints($1_mozilla_t)
- files_list_home($1_mozilla_t)
- fs_read_cifs_files($1_mozilla_t)
- fs_read_cifs_symlinks($1_mozilla_t)
- ',`
- files_dontaudit_list_home($1_mozilla_t)
- fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
- fs_dontaudit_read_cifs_files($1_mozilla_t)
- fs_dontaudit_list_cifs($1_mozilla_t)
- ')
-
- tunable_policy(`mozilla_read_content',`
- userdom_list_user_tmp($1, $1_mozilla_t)
- userdom_read_user_tmp_files($1, $1_mozilla_t)
- userdom_read_user_tmp_symlinks($1, $1_mozilla_t)
- userdom_search_user_home_dirs($1, $1_mozilla_t)
- userdom_read_user_home_content_files($1, $1_mozilla_t)
- userdom_read_user_home_content_symlinks($1, $1_mozilla_t)
-
- ifdef(`enable_mls',`',`
- fs_search_removable($1_mozilla_t)
- fs_read_removable_files($1_mozilla_t)
- fs_read_removable_symlinks($1_mozilla_t)
- ')
- ',`
- files_dontaudit_list_tmp($1_mozilla_t)
- files_dontaudit_list_home($1_mozilla_t)
- fs_dontaudit_list_removable($1_mozilla_t)
- fs_dontaudit_read_removable_files($1_mozilla_t)
- userdom_dontaudit_list_user_tmp($1, $1_mozilla_t)
- userdom_dontaudit_read_user_tmp_files($1, $1_mozilla_t)
- userdom_dontaudit_list_user_home_dirs($1, $1_mozilla_t)
- userdom_dontaudit_read_user_home_content_files($1, $1_mozilla_t)
- ')
-
- tunable_policy(`mozilla_read_content && read_default_t',`
- files_list_default($1_mozilla_t)
- files_read_default_files($1_mozilla_t)
- files_read_default_symlinks($1_mozilla_t)
- ',`
- files_dontaudit_read_default_files($1_mozilla_t)
- files_dontaudit_list_default($1_mozilla_t)
- ')
-
- tunable_policy(`mozilla_read_content && read_untrusted_content',`
- files_list_tmp($1_mozilla_t)
- files_list_home($1_mozilla_t)
- userdom_search_user_home_dirs($1, $1_mozilla_t)
-
- userdom_list_user_untrusted_content($1, $1_mozilla_t)
- userdom_read_user_untrusted_content_files($1, $1_mozilla_t)
- userdom_read_user_untrusted_content_symlinks($1, $1_mozilla_t)
- userdom_list_user_tmp_untrusted_content($1, $1_mozilla_t)
- userdom_read_user_tmp_untrusted_content_files($1, $1_mozilla_t)
- userdom_read_user_tmp_untrusted_content_symlinks($1, $1_mozilla_t)
- ',`
- files_dontaudit_list_tmp($1_mozilla_t)
- files_dontaudit_list_home($1_mozilla_t)
- userdom_dontaudit_list_user_home_dirs($1, $1_mozilla_t)
- userdom_dontaudit_list_user_untrusted_content($1, $1_mozilla_t)
- userdom_dontaudit_read_user_untrusted_content_files($1, $1_mozilla_t)
- userdom_dontaudit_list_user_tmp_untrusted_content($1, $1_mozilla_t)
- userdom_dontaudit_read_user_tmp_untrusted_content_files($1, $1_mozilla_t)
- ')
-
- # Save web pages
- tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
- files_search_home($1_mozilla_t)
-
- fs_search_auto_mountpoints($1_mozilla_t)
- fs_manage_nfs_dirs($1_mozilla_t)
- fs_manage_nfs_files($1_mozilla_t)
- fs_manage_nfs_symlinks($1_mozilla_t)
- ',`
- fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
- fs_dontaudit_manage_nfs_dirs($1_mozilla_t)
- fs_dontaudit_manage_nfs_files($1_mozilla_t)
- ')
+ allow $2 mozilla_t:fd use;
+ allow $2 mozilla_t:shm { associate getattr };
+ allow $2 mozilla_t:shm { unix_read unix_write };
+ allow $2 mozilla_t:unix_stream_socket connectto;
- tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
- files_search_home($1_mozilla_t)
-
- fs_search_auto_mountpoints($1_mozilla_t)
- fs_manage_cifs_dirs($1_mozilla_t)
- fs_manage_cifs_files($1_mozilla_t)
- fs_manage_cifs_symlinks($1_mozilla_t)
- ',`
- fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
- fs_dontaudit_manage_cifs_dirs($1_mozilla_t)
- fs_dontaudit_manage_cifs_files($1_mozilla_t)
- ')
-
- tunable_policy(`write_untrusted_content',`
- files_search_home($1_mozilla_t)
- userdom_manage_user_untrusted_content_tmp_files($1, $1_mozilla_t)
- files_tmp_filetrans($1_mozilla_t, $1_untrusted_content_tmp_t, file)
- files_tmp_filetrans($1_mozilla_t, $1_untrusted_content_tmp_t, dir)
-
- userdom_manage_user_untrusted_content_files($1, $1_mozilla_t)
- userdom_user_home_dir_filetrans($1, $1_mozilla_t, $1_untrusted_content_tmp_t, { file dir })
- userdom_user_home_content_filetrans($1, $1_mozilla_t, $1_untrusted_content_tmp_t, { file dir })
- ',`
- files_dontaudit_list_home($1_mozilla_t)
- files_dontaudit_list_tmp($1_mozilla_t)
-
- userdom_dontaudit_list_user_home_dirs($1, $1_mozilla_t)
- userdom_dontaudit_manage_user_tmp_dirs($1, $1_mozilla_t)
- userdom_dontaudit_manage_user_tmp_files($1, $1_mozilla_t)
- userdom_dontaudit_manage_user_home_content_dirs($1, $1_mozilla_t)
-
- ')
-
- optional_policy(`
- apache_read_user_scripts($1, $1_mozilla_t)
- apache_read_user_content($1, $1_mozilla_t)
- ')
-
- optional_policy(`
- automount_dontaudit_getattr_tmp_dirs($1_mozilla_t)
- ')
-
- optional_policy(`
- cups_read_rw_config($1_mozilla_t)
- cups_dbus_chat($1_mozilla_t)
- ')
-
- optional_policy(`
- dbus_system_bus_client_template($1_mozilla, $1_mozilla_t)
- dbus_user_bus_client_template($1, $1_mozilla, $1_mozilla_t)
- ')
-
- optional_policy(`
- gnome_stream_connect_gconf_template($1, $1_mozilla_t)
- ')
-
- optional_policy(`
- java_domtrans_user_javaplugin($1, $1_mozilla_t)
- ')
-
- optional_policy(`
- lpd_domtrans_user_lpr($1, $1_mozilla_t)
- ')
-
- optional_policy(`
- mplayer_domtrans_user_mplayer($1, $1_mozilla_t)
- mplayer_read_user_home_files($1, $1_mozilla_t)
- ')
-
- optional_policy(`
- nscd_socket_use($1_mozilla_t)
- ')
-
- optional_policy(`
- thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t)
- ')
-
- ifdef(`TODO',`
- #NOTE commented out in strict.
- ######### Launch email client, and make webcal links work
- #ifdef(`evolution.te', `
- #domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t)
- #domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
- #')
-
- # Macros for mozilla/mozilla (or other browser) domains.
- # FIXME: Rules were removed to centralize policy in a gnome_app macro
- # A similar thing might be necessary for mozilla compiled without GNOME
- # support (is this possible?).
-
- # GNOME integration
- optional_policy(`
- gnome_application($1_mozilla, $1)
- gnome_file_dialog($1_mozilla, $1)
- ')
- ')
+ # X access, Home files
+ manage_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
+ manage_files_pattern($2, mozilla_home_t, mozilla_home_t)
+ manage_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
+ relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
+ relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
+ relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
')
########################################
##
-## Read mozilla per user homedir
+## Read mozilla home directory content
##
-##
-##
-## Read mozilla per user homedir
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## Domain allowed access.
##
##
#
-template(`mozilla_read_user_home_files',`
+interface(`mozilla_read_user_home_files',`
gen_require(`
- type $1_mozilla_home_t;
+ type mozilla_home_t;
')
- allow $2 $1_mozilla_home_t:dir list_dir_perms;
- allow $2 $1_mozilla_home_t:file read_file_perms;
+ allow $1 mozilla_home_t:dir list_dir_perms;
+ allow $1 mozilla_home_t:file read_file_perms;
+ userdom_search_user_home_dirs($1)
')
########################################
##
-## write mozilla per user homedir
+## Write mozilla home directory content
##
-##
-##
-## Read mozilla per user homedir
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## Domain allowed access.
##
##
#
-template(`mozilla_write_user_home_files',`
+interface(`mozilla_write_user_home_files',`
gen_require(`
- type $1_mozilla_home_t;
+ type mozilla_home_t;
')
- allow $2 $1_mozilla_home_t:dir list_dir_perms;
- allow $2 $1_mozilla_home_t:file write;
+ allow $1 mozilla_home_t:dir list_dir_perms;
+ allow $1 mozilla_home_t:file write;
+ userdom_search_user_home_dirs($1)
')
########################################
##
-## Run mozilla in user mozilla domain.
+## Run mozilla in the mozilla domain.
##
-##
-##
-## Run mozilla in mozilla domain.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## Domain allowed access.
##
##
#
-template(`mozilla_domtrans_user_mozilla',`
+interface(`mozilla_domtrans',`
gen_require(`
- type $1_mozilla_t, mozilla_exec_t;
+ type mozilla_t, mozilla_exec_t;
')
- domtrans_pattern($2, mozilla_exec_t, $1_mozilla_t)
+ domtrans_pattern($1, mozilla_exec_t, mozilla_t)
')
########################################
@@ -506,67 +110,36 @@ template(`mozilla_domtrans_user_mozilla',`
## Send and receive messages from
## mozilla over dbus.
##
-##
-##
-## Send and receive messages from
-## mozilla over dbus.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## Domain allowed access.
##
##
#
-template(`mozilla_dbus_chat',`
+interface(`mozilla_dbus_chat',`
gen_require(`
- type $1_mozilla_t;
+ type mozilla_t;
class dbus send_msg;
')
- allow $2 $1_mozilla_t:dbus send_msg;
- allow $1_mozilla_t $2:dbus send_msg;
+ allow $1 mozilla_t:dbus send_msg;
+ allow mozilla_t $1:dbus send_msg;
')
########################################
##
## read/write mozilla per user tcp_socket
##
-##
-##
-## read/write mozilla per user tcp_socket
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## Domain allowed access.
##
##
#
-template(`mozilla_rw_user_tcp_sockets',`
+interface(`mozilla_rw_tcp_sockets',`
gen_require(`
- type $1_mozilla_t;
+ type mozilla_t;
')
- allow $2 $1_mozilla_t:tcp_socket rw_socket_perms;
+ allow $1 mozilla_t:tcp_socket rw_socket_perms;
')
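Review bot: The summary line retained at L7854, "read/write mozilla per user tcp_socket", is now misleading because mozilla_rw_tcp_sockets operates on the single shared mozilla_t (L7881) rather than a per-user derived domain; it should read `## Read and write mozilla tcp sockets.` The rename from mozilla_rw_user_tcp_sockets also changes the interface name and arity, so any caller outside this diff that still uses the old two-argument form would presumably fail to build; worth confirming the callers were updated in the same commit.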
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 5d653b8..55576bc 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -1,5 +1,5 @@
-policy_module(mozilla, 1.6.0)
+policy_module(mozilla, 2.0.0)
########################################
#
@@ -13,8 +13,255 @@ policy_module(mozilla, 1.6.0)
##
gen_tunable(mozilla_read_content, false)
+type mozilla_t;
+type mozilla_exec_t;
+typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
+typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
+application_domain(mozilla_t, mozilla_exec_t)
+ubac_constrained(mozilla_t)
+
type mozilla_conf_t;
files_config_file(mozilla_conf_t)
-type mozilla_exec_t;
-application_executable_file(mozilla_exec_t)
+type mozilla_home_t;
+typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
+typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
+files_poly_member(mozilla_home_t)
+userdom_user_home_content(mozilla_home_t)
+
+type mozilla_tmpfs_t;
+typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sysadm_mozilla_tmpfs_t };
+typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
+files_tmpfs_file(mozilla_tmpfs_t)
+ubac_constrained(mozilla_tmpfs_t)
+
+########################################
+#
+# Local policy
+#
+
+allow mozilla_t self:capability { sys_nice setgid setuid };
+allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
+allow mozilla_t self:fifo_file rw_fifo_file_perms;
+allow mozilla_t self:shm { unix_read unix_write read write destroy create };
+allow mozilla_t self:sem create_sem_perms;
+allow mozilla_t self:socket create_socket_perms;
+allow mozilla_t self:unix_stream_socket { listen accept };
+# Browse the web, connect to printer
+allow mozilla_t self:tcp_socket create_socket_perms;
+allow mozilla_t self:netlink_route_socket r_netlink_socket_perms;
+
+# for bash - old mozilla binary
+can_exec(mozilla_t, mozilla_exec_t)
+
+# X access, Home files
+manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
+manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
+manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
+userdom_search_user_home_dirs(mozilla_t)
+
+# Mozpluggerrc
+allow mozilla_t mozilla_conf_t:file read_file_perms;
+
+manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(mozilla_t)
+kernel_read_network_state(mozilla_t)
+# Access /proc, sysctl
+kernel_read_system_state(mozilla_t)
+kernel_read_net_sysctls(mozilla_t)
+
+# Look for plugins
+corecmd_list_bin(mozilla_t)
+# for bash - old mozilla binary
+corecmd_exec_shell(mozilla_t)
+corecmd_exec_bin(mozilla_t)
+
+# Browse the web, connect to printer
+corenet_all_recvfrom_unlabeled(mozilla_t)
+corenet_all_recvfrom_netlabel(mozilla_t)
+corenet_tcp_sendrecv_generic_if(mozilla_t)
+corenet_raw_sendrecv_generic_if(mozilla_t)
+corenet_tcp_sendrecv_all_nodes(mozilla_t)
+corenet_raw_sendrecv_all_nodes(mozilla_t)
+corenet_tcp_sendrecv_http_port(mozilla_t)
+corenet_tcp_sendrecv_http_cache_port(mozilla_t)
+corenet_tcp_sendrecv_ftp_port(mozilla_t)
+corenet_tcp_sendrecv_ipp_port(mozilla_t)
+corenet_tcp_connect_http_port(mozilla_t)
+corenet_tcp_connect_http_cache_port(mozilla_t)
+corenet_tcp_connect_ftp_port(mozilla_t)
+corenet_tcp_connect_ipp_port(mozilla_t)
+corenet_tcp_connect_generic_port(mozilla_t)
+corenet_sendrecv_http_client_packets(mozilla_t)
+corenet_sendrecv_http_cache_client_packets(mozilla_t)
+corenet_sendrecv_ftp_client_packets(mozilla_t)
+corenet_sendrecv_ipp_client_packets(mozilla_t)
+corenet_sendrecv_generic_client_packets(mozilla_t)
+# Should not need other ports
+corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
+corenet_dontaudit_tcp_bind_generic_port(mozilla_t)
+
+dev_read_urand(mozilla_t)
+dev_read_rand(mozilla_t)
+dev_write_sound(mozilla_t)
+dev_read_sound(mozilla_t)
+dev_dontaudit_rw_dri(mozilla_t)
+dev_getattr_sysfs_dirs(mozilla_t)
+
+files_read_etc_runtime_files(mozilla_t)
+files_read_usr_files(mozilla_t)
+files_read_etc_files(mozilla_t)
+# /var/lib
+files_read_var_lib_files(mozilla_t)
+# interacting with gstreamer
+files_read_var_files(mozilla_t)
+files_read_var_symlinks(mozilla_t)
+files_dontaudit_getattr_boot_dirs(mozilla_t)
+
+fs_search_auto_mountpoints(mozilla_t)
+fs_list_inotifyfs(mozilla_t)
+fs_rw_tmpfs_files(mozilla_t)
+
+term_dontaudit_getattr_pty_dirs(mozilla_t)
+
+logging_send_syslog_msg(mozilla_t)
+
+miscfiles_read_fonts(mozilla_t)
+miscfiles_read_localization(mozilla_t)
+
+# Browse the web, connect to printer
+sysnet_dns_name_resolve(mozilla_t)
+
+userdom_manage_user_home_content_dirs(mozilla_t)
+userdom_manage_user_home_content_files(mozilla_t)
+userdom_manage_user_home_content_symlinks(mozilla_t)
+userdom_manage_user_tmp_dirs(mozilla_t)
+userdom_manage_user_tmp_files(mozilla_t)
+userdom_manage_user_tmp_sockets(mozilla_t)
+
+xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
+xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
+xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
+
+tunable_policy(`allow_execmem',`
+ allow mozilla_t self:process { execmem execstack };
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mozilla_t)
+ fs_manage_nfs_files(mozilla_t)
+ fs_manage_nfs_symlinks(mozilla_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mozilla_t)
+ fs_manage_cifs_files(mozilla_t)
+ fs_manage_cifs_symlinks(mozilla_t)
+')
+
+# Uploads, local html
+tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(mozilla_t)
+ files_list_home(mozilla_t)
+ fs_read_nfs_files(mozilla_t)
+ fs_read_nfs_symlinks(mozilla_t)
+
+',`
+ files_dontaudit_list_home(mozilla_t)
+ fs_dontaudit_list_auto_mountpoints(mozilla_t)
+ fs_dontaudit_read_nfs_files(mozilla_t)
+ fs_dontaudit_list_nfs(mozilla_t)
+')
+
+tunable_policy(`mozilla_read_content && use_samba_home_dirs',`
+ fs_list_auto_mountpoints(mozilla_t)
+ files_list_home(mozilla_t)
+ fs_read_cifs_files(mozilla_t)
+ fs_read_cifs_symlinks(mozilla_t)
+',`
+ files_dontaudit_list_home(mozilla_t)
+ fs_dontaudit_list_auto_mountpoints(mozilla_t)
+ fs_dontaudit_read_cifs_files(mozilla_t)
+ fs_dontaudit_list_cifs(mozilla_t)
+')
+
+tunable_policy(`mozilla_read_content',`
+ userdom_list_user_tmp(mozilla_t)
+ userdom_read_user_tmp_files(mozilla_t)
+ userdom_read_user_tmp_symlinks(mozilla_t)
+ userdom_read_user_home_content_files(mozilla_t)
+ userdom_read_user_home_content_symlinks(mozilla_t)
+
+ ifdef(`enable_mls',`',`
+ fs_search_removable(mozilla_t)
+ fs_read_removable_files(mozilla_t)
+ fs_read_removable_symlinks(mozilla_t)
+ ')
+',`
+ files_dontaudit_list_tmp(mozilla_t)
+ files_dontaudit_list_home(mozilla_t)
+ fs_dontaudit_list_removable(mozilla_t)
+ fs_dontaudit_read_removable_files(mozilla_t)
+ userdom_dontaudit_list_user_tmp(mozilla_t)
+ userdom_dontaudit_read_user_tmp_files(mozilla_t)
+ userdom_dontaudit_list_user_home_dirs(mozilla_t)
+ userdom_dontaudit_read_user_home_content_files(mozilla_t)
+')
+
+tunable_policy(`mozilla_read_content && read_default_t',`
+ files_list_default(mozilla_t)
+ files_read_default_files(mozilla_t)
+ files_read_default_symlinks(mozilla_t)
+',`
+ files_dontaudit_read_default_files(mozilla_t)
+ files_dontaudit_list_default(mozilla_t)
+')
+
+optional_policy(`
+ apache_read_user_scripts(mozilla_t)
+ apache_read_user_content(mozilla_t)
+')
+
+optional_policy(`
+ automount_dontaudit_getattr_tmp_dirs(mozilla_t)
+')
+
+optional_policy(`
+ cups_read_rw_config(mozilla_t)
+ cups_dbus_chat(mozilla_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(mozilla_t)
+ dbus_session_bus_client(mozilla_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(mozilla_t)
+')
+
+optional_policy(`
+ java_domtrans(mozilla_t)
+')
+
+optional_policy(`
+ lpd_domtrans_lpr(mozilla_t)
+')
+
+optional_policy(`
+ mplayer_domtrans(mozilla_t)
+ mplayer_read_user_home_files(mozilla_t)
+')
+
+optional_policy(`
+ nscd_socket_use(mozilla_t)
+')
+
+optional_policy(`
+ thunderbird_domtrans(mozilla_t)
+')
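Review bot: The `typealias` lines at the top of the hunk fold `user_mozilla_t`, `staff_mozilla_t`, `sysadm_mozilla_t`, `auditadm_mozilla_t` and `secadm_mozilla_t` into one `mozilla_t`, so the type-level separation the per-role template gave between, say, a sysadm's and an unprivileged user's browser now rests entirely on `ubac_constrained(mozilla_t)`, and the README hunk says that constraint is only built in when `UBAC=y`. Any existing rule that granted something specifically to `sysadm_mozilla_t` now grants it to every user's browser on a non-UBAC build; that deserves a comment next to the aliases, e.g. `# Compatibility aliases: the former per-role domains are now one type; per-user separation relies on UBAC (build.conf UBAC=y).` Note also that `mozilla_home_t` is not marked `ubac_constrained()` here while `mozilla_t` and `mozilla_tmpfs_t` are; that is fine if `userdom_user_home_content()` adds the attribute itself, which I cannot see from this diff, but otherwise `~/.mozilla` profile data would not be user-separated. The remaining allow rules appear to be moved from the old template rather than newly added, so I have not re-reviewed individual grants such as `self:capability { setuid setgid }`.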
diff --git a/policy/modules/apps/mplayer.fc b/policy/modules/apps/mplayer.fc
index ffef8be..ab54284 100644
--- a/policy/modules/apps/mplayer.fc
+++ b/policy/modules/apps/mplayer.fc
@@ -10,4 +10,4 @@
/usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0)
/usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0)
-HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:ROLE_mplayer_home_t,s0)
+HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:mplayer_home_t,s0)
diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
index 664a3e9..8944655 100644
--- a/policy/modules/apps/mplayer.if
+++ b/policy/modules/apps/mplayer.if
@@ -1,503 +1,85 @@
## Mplayer media player and encoder
-#######################################
+########################################
##
-## The per role template for the mplayer module.
+## Role access for mplayer
##
-##
-##
-## This template creates a derived domains which are used
-## for mplayer media player.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
+##
##
-## The type of the user domain.
+## Role allowed access
##
##
-##
+##
##
-## The role associated with the user domain.
+## User domain for the role
##
##
#
-template(`mplayer_per_role_template',`
+interface(`mplayer_role',`
gen_require(`
- type mencoder_exec_t, mplayer_exec_t, mplayer_etc_t;
+ type mencoder_t, mencoder_exec_t;
+ type mplayer_t, mplayer_exec_t;
+ type mplayer_home_t;
')
- ########################################
- #
- # Declarations
- #
-
- type $1_mencoder_t;
- application_domain($1_mencoder_t, mencoder_exec_t)
- role $3 types $1_mencoder_t;
-
- type $1_mplayer_t;
- application_domain($1_mplayer_t, mplayer_exec_t)
- role $3 types $1_mplayer_t;
-
- type $1_mplayer_home_t alias $1_mplayer_rw_t;
- files_poly_member($1_mplayer_home_t)
- userdom_user_home_content($1,$1_mplayer_home_t)
-
- type $1_mplayer_tmpfs_t;
- files_tmpfs_file($1_mplayer_tmpfs_t)
-
- ########################################
- #
- # mencoder local policy
- #
-
- manage_dirs_pattern($1_mencoder_t, $1_mplayer_home_t, $1_mplayer_home_t)
- manage_files_pattern($1_mencoder_t, $1_mplayer_home_t, $1_mplayer_home_t)
- manage_lnk_files_pattern($1_mencoder_t, $1_mplayer_home_t, $1_mplayer_home_t)
-
- # Read global config
- allow $1_mencoder_t mplayer_etc_t:dir list_dir_perms;
- read_files_pattern($1_mencoder_t, mplayer_etc_t, mplayer_etc_t)
- read_lnk_files_pattern($1_mencoder_t, mplayer_etc_t, mplayer_etc_t)
+ role $1 types { mencoder_t mplayer_t };
# domain transition
- domtrans_pattern($2, mencoder_exec_t, $1_mencoder_t)
+ domtrans_pattern($2, mencoder_exec_t, mencoder_t)
# Allow the user domain to signal/ps.
- ps_process_pattern($2,$1_mencoder_t)
- allow $2 $1_mencoder_t:process signal_perms;
-
- # Read /proc files and directories
- # Necessary for /proc/meminfo, /proc/cpuinfo, etc..
- kernel_read_system_state($1_mencoder_t)
- # Sysctl on kernel version
- kernel_read_kernel_sysctls($1_mencoder_t)
-
- # Required for win32 binary loader
- dev_rwx_zero($1_mencoder_t)
- # Access to DVD/CD/V4L
- dev_read_video_dev($1_mencoder_t)
-
- # Read data in /usr/share (fonts, icons..)
- files_read_usr_files($1_mencoder_t)
- files_read_usr_symlinks($1_mencoder_t)
-
- fs_search_auto_mountpoints($1_mencoder_t)
-
- # Access to DVD/CD/V4L
- storage_raw_read_removable_device($1_mencoder_t)
-
- miscfiles_read_localization($1_mencoder_t)
-
- userdom_use_user_terminals($1,$1_mencoder_t)
- # Handle removable media, /tmp, and /home
- userdom_list_user_tmp($1,$1_mencoder_t)
- userdom_read_user_tmp_files($1,$1_mencoder_t)
- userdom_read_user_tmp_symlinks($1,$1_mencoder_t)
- userdom_read_user_home_content_files($1,$1_mencoder_t)
- userdom_read_user_home_content_symlinks($1,$1_mencoder_t)
-
- # Read content to encode
- ifdef(`enable_mls',`',`
- fs_search_removable($1_mencoder_t)
- fs_read_removable_files($1_mencoder_t)
- fs_read_removable_symlinks($1_mencoder_t)
- ')
-
- tunable_policy(`allow_execmem',`
- allow $1_mencoder_t self:process execmem;
- ')
-
- tunable_policy(`allow_execmod',`
- dev_execmod_zero($1_mencoder_t)
- ')
-
- tunable_policy(`allow_mplayer_execstack',`
- allow $1_mencoder_t self:process { execmem execstack };
- ')
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs($1_mencoder_t)
- fs_manage_nfs_files($1_mencoder_t)
- fs_manage_nfs_symlinks($1_mencoder_t)
-
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs($1_mencoder_t)
- fs_manage_cifs_files($1_mencoder_t)
- fs_manage_cifs_symlinks($1_mencoder_t)
-
- ')
-
- # Read content to encode
- tunable_policy(`use_nfs_home_dirs',`
- fs_list_auto_mountpoints($1_mencoder_t)
- files_list_home($1_mencoder_t)
- fs_read_nfs_files($1_mencoder_t)
- fs_read_nfs_symlinks($1_mencoder_t)
-
- ',`
- files_dontaudit_list_home($1_mencoder_t)
- fs_dontaudit_list_auto_mountpoints($1_mencoder_t)
- fs_dontaudit_read_nfs_files($1_mencoder_t)
- fs_dontaudit_list_nfs($1_mencoder_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_list_auto_mountpoints($1_mencoder_t)
- files_list_home($1_mencoder_t)
- fs_read_cifs_files($1_mencoder_t)
- fs_read_cifs_symlinks($1_mencoder_t)
- ',`
- files_dontaudit_list_home($1_mencoder_t)
- fs_dontaudit_list_auto_mountpoints($1_mencoder_t)
- fs_dontaudit_read_cifs_files($1_mencoder_t)
- fs_dontaudit_list_cifs($1_mencoder_t)
- ')
-
- tunable_policy(`read_default_t',`
- files_list_default($1_mencoder_t)
- files_read_default_files($1_mencoder_t)
- files_read_default_symlinks($1_mencoder_t)
- ',`
- files_dontaudit_read_default_files($1_mencoder_t)
- files_dontaudit_list_default($1_mencoder_t)
- ')
-
- tunable_policy(`read_untrusted_content',`
- files_list_tmp($1_mencoder_t)
- files_list_home($1_mencoder_t)
-
- userdom_list_user_untrusted_content($1, $1_mencoder_t)
- userdom_read_user_untrusted_content_files($1, $1_mencoder_t)
- userdom_read_user_untrusted_content_symlinks($1, $1_mencoder_t)
- userdom_list_user_tmp_untrusted_content($1, $1_mencoder_t)
- userdom_read_user_tmp_untrusted_content_files($1, $1_mencoder_t)
- userdom_read_user_tmp_untrusted_content_symlinks($1, $1_mencoder_t)
- ',`
- files_dontaudit_list_tmp($1_mencoder_t)
- files_dontaudit_list_home($1_mencoder_t)
- userdom_dontaudit_list_user_home_dirs($1, $1_mencoder_t)
- userdom_dontaudit_list_user_untrusted_content($1, $1_mencoder_t)
- userdom_dontaudit_read_user_untrusted_content_files($1, $1_mencoder_t)
- userdom_dontaudit_list_user_tmp_untrusted_content($1, $1_mencoder_t)
- userdom_dontaudit_read_user_tmp_untrusted_content_files($1, $1_mencoder_t)
- ')
-
- tunable_policy(`write_untrusted_content',`
- userdom_manage_user_untrusted_content_files($1, $1_mplayer_t)
- ')
-
- # Save encoded files
- tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
- files_search_home($1_mencoder_t)
-
- fs_search_auto_mountpoints($1_mencoder_t)
- fs_manage_nfs_dirs($1_mencoder_t)
- fs_manage_nfs_files($1_mencoder_t)
- fs_manage_nfs_symlinks($1_mencoder_t)
- ',`
- fs_dontaudit_list_auto_mountpoints($1_mencoder_t)
- fs_dontaudit_manage_nfs_dirs($1_mencoder_t)
- fs_dontaudit_manage_nfs_files($1_mencoder_t)
- ')
-
- tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
- files_search_home($1_mencoder_t)
-
- fs_search_auto_mountpoints($1_mencoder_t)
- fs_manage_cifs_dirs($1_mencoder_t)
- fs_manage_cifs_files($1_mencoder_t)
- fs_manage_cifs_symlinks($1_mencoder_t)
- ',`
- fs_dontaudit_list_auto_mountpoints($1_mencoder_t)
- fs_dontaudit_manage_cifs_dirs($1_mencoder_t)
- fs_dontaudit_manage_cifs_files($1_mencoder_t)
- ')
-
- tunable_policy(`write_untrusted_content',`
- files_search_home($1_mencoder_t)
- files_tmp_filetrans($1_mencoder_t, $1_untrusted_content_tmp_t, file)
- files_tmp_filetrans($1_mencoder_t, $1_untrusted_content_tmp_t ,dir)
-
- userdom_manage_user_untrusted_content_dirs($1, $1_mencoder_t)
- userdom_manage_user_untrusted_content_files($1, $1_mencoder_t)
- ',`
- files_dontaudit_list_home($1_mencoder_t)
- files_dontaudit_list_tmp($1_mencoder_t)
-
- userdom_dontaudit_list_user_home_dirs($1, $1_mencoder_t)
- userdom_dontaudit_manage_user_tmp_files($1, $1_mencoder_t)
- userdom_dontaudit_manage_user_home_content_dirs($1, $1_mencoder_t)
- ')
-
- ########################################
- #
- # mplayer local policy
- #
-
- allow $1_mplayer_t self:process { signal_perms getsched };
- allow $1_mplayer_t self:fifo_file rw_fifo_file_perms;
- allow $1_mplayer_t self:sem create_sem_perms;
-
- manage_dirs_pattern($1_mplayer_t, $1_mplayer_home_t, $1_mplayer_home_t)
- manage_files_pattern($1_mplayer_t, $1_mplayer_home_t, $1_mplayer_home_t)
- manage_lnk_files_pattern($1_mplayer_t, $1_mplayer_home_t, $1_mplayer_home_t)
- userdom_search_user_home_dirs($1, $1_mplayer_t)
-
- manage_files_pattern($1_mplayer_t, $1_mplayer_tmpfs_t, $1_mplayer_tmpfs_t)
- manage_lnk_files_pattern($1_mplayer_t, $1_mplayer_tmpfs_t, $1_mplayer_tmpfs_t)
- manage_fifo_files_pattern($1_mplayer_t, $1_mplayer_tmpfs_t, $1_mplayer_tmpfs_t)
- manage_sock_files_pattern($1_mplayer_t, $1_mplayer_tmpfs_t, $1_mplayer_tmpfs_t)
- fs_tmpfs_filetrans($1_mplayer_t, $1_mplayer_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-
- # Read global config
- allow $1_mplayer_t mplayer_etc_t:dir list_dir_perms;
- read_files_pattern($1_mplayer_t, mplayer_etc_t, mplayer_etc_t)
- read_lnk_files_pattern($1_mplayer_t, mplayer_etc_t, mplayer_etc_t)
+ ps_process_pattern($2, mencoder_t)
+ allow $2 mencoder_t:process signal_perms;
# Home access
- manage_dirs_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
- manage_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
- manage_lnk_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
- relabel_dirs_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
- relabel_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
- relabel_lnk_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
+ manage_dirs_pattern($2, mplayer_home_t, mplayer_home_t)
+ manage_files_pattern($2, mplayer_home_t, mplayer_home_t)
+ manage_lnk_files_pattern($2, mplayer_home_t, mplayer_home_t)
+ relabel_dirs_pattern($2, mplayer_home_t, mplayer_home_t)
+ relabel_files_pattern($2, mplayer_home_t, mplayer_home_t)
+ relabel_lnk_files_pattern($2, mplayer_home_t, mplayer_home_t)
# domain transition
- domtrans_pattern($2, mplayer_exec_t, $1_mplayer_t)
+ domtrans_pattern($2, mplayer_exec_t, mplayer_t)
# Allow the user domain to signal/ps.
- ps_process_pattern($2,$1_mplayer_t)
- allow $2 $1_mplayer_t:process signal_perms;
-
- kernel_dontaudit_list_unlabeled($1_mplayer_t)
- kernel_dontaudit_getattr_unlabeled_files($1_mplayer_t)
- kernel_dontaudit_read_unlabeled_files($1_mplayer_t)
- # Necessary for /proc/meminfo, /proc/cpuinfo, etc..
- kernel_read_system_state($1_mplayer_t)
- # Sysctl on kernel version
- kernel_read_kernel_sysctls($1_mplayer_t)
-
- # Run bash/sed (??)
- corecmd_exec_bin($1_mplayer_t)
- corecmd_exec_shell($1_mplayer_t)
-
- # Required for win32 binary loader
- dev_rwx_zero($1_mplayer_t)
- # Access to DVD/CD/V4L
- dev_read_video_dev($1_mplayer_t)
- # Audio, alsa.conf
- dev_read_sound_mixer($1_mplayer_t)
- dev_write_sound_mixer($1_mplayer_t)
- # RTC clock
- dev_read_realtime_clock($1_mplayer_t)
-
- # Access to DVD/CD/V4L
- storage_raw_read_removable_device($1_mplayer_t)
-
- files_read_etc_files($1_mplayer_t)
- files_dontaudit_list_non_security($1_mplayer_t)
- files_dontaudit_getattr_non_security_files($1_mplayer_t)
- files_read_non_security_files($1_mplayer_t)
- # Unfortunately the ancient file dialog starts in /
- files_list_home($1_mplayer_t)
- # Read /etc/mtab
- files_read_etc_runtime_files($1_mplayer_t)
- # Read data in /usr/share (fonts, icons..)
- files_read_usr_files($1_mplayer_t)
- files_read_usr_symlinks($1_mplayer_t)
-
- fs_dontaudit_getattr_all_fs($1_mplayer_t)
- fs_search_auto_mountpoints($1_mplayer_t)
- fs_list_inotifyfs($1_mplayer_t)
-
- miscfiles_read_localization($1_mplayer_t)
- miscfiles_read_fonts($1_mplayer_t)
-
- userdom_use_user_terminals($1, $1_mplayer_t)
- # Read media files
- userdom_list_user_tmp($1, $1_mplayer_t)
- userdom_read_user_tmp_files($1, $1_mplayer_t)
- userdom_read_user_tmp_symlinks($1, $1_mplayer_t)
- userdom_read_user_home_content_files($1, $1_mplayer_t)
- userdom_read_user_home_content_symlinks($1, $1_mplayer_t)
-
- xserver_user_x_domain_template($1, $1_mplayer, $1_mplayer_t, $1_mplayer_tmpfs_t)
-
- # Read songs
- ifdef(`enable_mls',`',`
- fs_search_removable($1_mplayer_t)
- fs_read_removable_files($1_mplayer_t)
- fs_read_removable_symlinks($1_mplayer_t)
- ')
-
- tunable_policy(`allow_execmem',`
- allow $1_mplayer_t self:process execmem;
- ')
-
- tunable_policy(`allow_execmod',`
- dev_execmod_zero($1_mplayer_t)
- ')
-
- tunable_policy(`allow_mplayer_execstack',`
- allow $1_mplayer_t self:process { execmem execstack };
- ')
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs($1_mplayer_t)
- fs_manage_nfs_files($1_mplayer_t)
- fs_manage_nfs_symlinks($1_mplayer_t)
- ')
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs($1_mplayer_t)
- fs_manage_cifs_files($1_mplayer_t)
- fs_manage_cifs_symlinks($1_mplayer_t)
- ')
-
- # Legacy domain issues
- tunable_policy(`allow_mplayer_execstack',`
- allow $1_mplayer_t $1_mplayer_tmpfs_t:file execute;
- ')
-
- # Read songs
- tunable_policy(`use_nfs_home_dirs',`
- fs_list_auto_mountpoints($1_mplayer_t)
- files_list_home($1_mplayer_t)
- fs_read_nfs_files($1_mplayer_t)
- fs_read_nfs_symlinks($1_mplayer_t)
-
- ',`
- files_dontaudit_list_home($1_mplayer_t)
- fs_dontaudit_list_auto_mountpoints($1_mplayer_t)
- fs_dontaudit_read_nfs_files($1_mplayer_t)
- fs_dontaudit_list_nfs($1_mplayer_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_list_auto_mountpoints($1_mplayer_t)
- files_list_home($1_mplayer_t)
- fs_read_cifs_files($1_mplayer_t)
- fs_read_cifs_symlinks($1_mplayer_t)
- ',`
- files_dontaudit_list_home($1_mplayer_t)
- fs_dontaudit_list_auto_mountpoints($1_mplayer_t)
- fs_dontaudit_read_cifs_files($1_mplayer_t)
- fs_dontaudit_list_cifs($1_mplayer_t)
- ')
-
- tunable_policy(`read_default_t',`
- files_list_default($1_mplayer_t)
- files_read_default_files($1_mplayer_t)
- files_read_default_symlinks($1_mplayer_t)
- ',`
- files_dontaudit_read_default_files($1_mplayer_t)
- files_dontaudit_list_default($1_mplayer_t)
- ')
-
- tunable_policy(`read_untrusted_content',`
- files_list_tmp($1_mplayer_t)
- files_list_home($1_mplayer_t)
-
- userdom_list_user_untrusted_content($1, $1_mplayer_t)
- userdom_read_user_untrusted_content_files($1, $1_mplayer_t)
- userdom_read_user_untrusted_content_symlinks($1, $1_mplayer_t)
- userdom_list_user_tmp_untrusted_content($1, $1_mplayer_t)
- userdom_read_user_tmp_untrusted_content_files($1, $1_mplayer_t)
- userdom_read_user_tmp_untrusted_content_symlinks($1, $1_mplayer_t)
- ',`
- files_dontaudit_list_tmp($1_mplayer_t)
- files_dontaudit_list_home($1_mplayer_t)
- userdom_dontaudit_list_user_home_dirs($1, $1_mplayer_t)
- userdom_dontaudit_list_user_untrusted_content($1, $1_mplayer_t)
- userdom_dontaudit_read_user_untrusted_content_files($1, $1_mplayer_t)
- userdom_dontaudit_list_user_tmp_untrusted_content($1, $1_mplayer_t)
- userdom_dontaudit_read_user_tmp_untrusted_content_files($1, $1_mplayer_t)
- ')
-
- optional_policy(`
- alsa_read_rw_config($1_mplayer_t)
- ')
-
- optional_policy(`
- nscd_socket_use($1_mplayer_t)
- ')
+ ps_process_pattern($2, mplayer_t)
+ allow $2 mplayer_t:process signal_perms;
')
########################################
##
## Run mplayer in mplayer domain.
##
-##
-##
-## Run mplayer in mplayer domain.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## Domain allowed access.
##
##
#
-template(`mplayer_domtrans_user_mplayer',`
+interface(`mplayer_domtrans',`
gen_require(`
- type $1_mplayer_t, mplayer_exec_t;
+ type mplayer_t, mplayer_exec_t;
')
- domtrans_pattern($2, mplayer_exec_t, $1_mplayer_t)
+ domtrans_pattern($1, mplayer_exec_t, mplayer_t)
')
########################################
##
## Read mplayer per user homedir
##
-##
-##
-## Read mplayer per user homedir
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## Domain allowed access.
##
##
#
-template(`mplayer_read_user_home_files',`
+interface(`mplayer_read_user_home_files',`
gen_require(`
- type $1_mplayer_home_t;
+ type mplayer_home_t;
')
- read_files_pattern($2, $1_mplayer_home_t, $1_mplayer_home_t)
+ read_files_pattern($1, mplayer_home_t, mplayer_home_t)
+ userdom_search_user_home_dirs($1)
')
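Review bot: The removed template carried `read_untrusted_content` and `write_untrusted_content` tunable blocks for both `mencoder_t` and `mplayer_t` (the deleted `userdom_*_untrusted_content_*` calls and their `dontaudit` counterparts), and the new mplayer.te in this same diff does not carry them over, so mplayer and mencoder silently lose access to untrusted-content locations along with the matching audit suppression. If the `userdom_*_untrusted_content_*` interfaces were dropped elsewhere in this series that is acceptable, but it should be stated in the commit message; otherwise the blocks belong in mplayer.te with the prefix argument removed. Separately, `mplayer_read_user_home_files` now also grants `userdom_search_user_home_dirs($1)`, a small widening for existing callers such as `mozilla_t`, which the interface description should mention: `## Also grants search on user home directories so the path to ~/.mplayer can be traversed.`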
diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
index 94fa547..83c177c 100644
--- a/policy/modules/apps/mplayer.te
+++ b/policy/modules/apps/mplayer.te
@@ -1,5 +1,5 @@
-policy_module(mplayer, 1.5.0)
+policy_module(mplayer, 2.0.0)
########################################
#
@@ -13,12 +13,300 @@ policy_module(mplayer, 1.5.0)
##
gen_tunable(allow_mplayer_execstack, false)
+type mencoder_t;
type mencoder_exec_t;
-application_executable_file(mencoder_exec_t)
+typealias mencoder_t alias { user_mencoder_t staff_mencoder_t sysadm_mencoder_t };
+typealias mencoder_t alias { auditadm_mencoder_t secadm_mencoder_t };
+application_domain(mencoder_t, mencoder_exec_t)
+ubac_constrained(mencoder_t)
+
+type mplayer_t;
+type mplayer_exec_t;
+typealias mplayer_t alias { user_mplayer_t staff_mplayer_t sysadm_mplayer_t };
+typealias mplayer_t alias { auditadm_mplayer_t secadm_mplayer_t };
+application_domain(mplayer_t, mplayer_exec_t)
+ubac_constrained(mplayer_t)
type mplayer_etc_t;
files_config_file(mplayer_etc_t)
-type mplayer_exec_t;
-corecmd_executable_file(mplayer_exec_t)
-application_executable_file(mplayer_exec_t)
+type mplayer_home_t;
+typealias mplayer_home_t alias { user_mplayer_home_t staff_mplayer_home_t sysadm_mplayer_home_t };
+typealias mplayer_home_t alias { auditadm_mplayer_home_t secadm_mplayer_home_t };
+files_poly_member(mplayer_home_t)
+userdom_user_home_content(mplayer_home_t)
+
+type mplayer_tmpfs_t;
+typealias mplayer_tmpfs_t alias { user_mplayer_tmpfs_t staff_mplayer_tmpfs_t sysadm_mplayer_tmpfs_t };
+typealias mplayer_tmpfs_t alias { auditadm_mplayer_tmpfs_t secadm_mplayer_tmpfs_t };
+files_tmpfs_file(mplayer_tmpfs_t)
+ubac_constrained(mplayer_tmpfs_t)
+
+########################################
+#
+# mencoder local policy
+#
+
+manage_dirs_pattern(mencoder_t, mplayer_home_t, mplayer_home_t)
+manage_files_pattern(mencoder_t, mplayer_home_t, mplayer_home_t)
+manage_lnk_files_pattern(mencoder_t, mplayer_home_t, mplayer_home_t)
+
+# Read global config
+allow mencoder_t mplayer_etc_t:dir list_dir_perms;
+read_files_pattern(mencoder_t, mplayer_etc_t, mplayer_etc_t)
+read_lnk_files_pattern(mencoder_t, mplayer_etc_t, mplayer_etc_t)
+
+# Read /proc files and directories
+# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
+kernel_read_system_state(mencoder_t)
+# Sysctl on kernel version
+kernel_read_kernel_sysctls(mencoder_t)
+
+# Required for win32 binary loader
+dev_rwx_zero(mencoder_t)
+# Access to DVD/CD/V4L
+dev_read_video_dev(mencoder_t)
+
+# Read data in /usr/share (fonts, icons..)
+files_read_usr_files(mencoder_t)
+files_read_usr_symlinks(mencoder_t)
+
+fs_search_auto_mountpoints(mencoder_t)
+
+# Access to DVD/CD/V4L
+storage_raw_read_removable_device(mencoder_t)
+
+miscfiles_read_localization(mencoder_t)
+
+userdom_use_user_terminals(mencoder_t)
+# Handle removable media, /tmp, and /home
+userdom_list_user_tmp(mencoder_t)
+userdom_read_user_tmp_files(mencoder_t)
+userdom_read_user_tmp_symlinks(mencoder_t)
+userdom_read_user_home_content_files(mencoder_t)
+userdom_read_user_home_content_symlinks(mencoder_t)
+
+# Read content to encode
+ifndef(`enable_mls',`
+ fs_search_removable(mencoder_t)
+ fs_read_removable_files(mencoder_t)
+ fs_read_removable_symlinks(mencoder_t)
+')
+
+tunable_policy(`allow_execmem',`
+ allow mencoder_t self:process execmem;
+')
+
+tunable_policy(`allow_execmod',`
+ dev_execmod_zero(mencoder_t)
+')
+
+tunable_policy(`allow_mplayer_execstack',`
+ allow mencoder_t self:process { execmem execstack };
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mencoder_t)
+ fs_manage_nfs_files(mencoder_t)
+ fs_manage_nfs_symlinks(mencoder_t)
+
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mencoder_t)
+ fs_manage_cifs_files(mencoder_t)
+ fs_manage_cifs_symlinks(mencoder_t)
+
+')
+
+# Read content to encode
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(mencoder_t)
+ files_list_home(mencoder_t)
+ fs_read_nfs_files(mencoder_t)
+ fs_read_nfs_symlinks(mencoder_t)
+
+',`
+ files_dontaudit_list_home(mencoder_t)
+ fs_dontaudit_list_auto_mountpoints(mencoder_t)
+ fs_dontaudit_read_nfs_files(mencoder_t)
+ fs_dontaudit_list_nfs(mencoder_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_auto_mountpoints(mencoder_t)
+ files_list_home(mencoder_t)
+ fs_read_cifs_files(mencoder_t)
+ fs_read_cifs_symlinks(mencoder_t)
+',`
+ files_dontaudit_list_home(mencoder_t)
+ fs_dontaudit_list_auto_mountpoints(mencoder_t)
+ fs_dontaudit_read_cifs_files(mencoder_t)
+ fs_dontaudit_list_cifs(mencoder_t)
+')
+
+tunable_policy(`read_default_t',`
+ files_list_default(mencoder_t)
+ files_read_default_files(mencoder_t)
+ files_read_default_symlinks(mencoder_t)
+',`
+ files_dontaudit_read_default_files(mencoder_t)
+ files_dontaudit_list_default(mencoder_t)
+')
+
+########################################
+#
+# mplayer local policy
+#
+
+allow mplayer_t self:process { signal_perms getsched };
+allow mplayer_t self:fifo_file rw_fifo_file_perms;
+allow mplayer_t self:sem create_sem_perms;
+
+manage_dirs_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
+manage_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
+manage_lnk_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
+userdom_search_user_home_dirs(mplayer_t)
+
+manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
+manage_lnk_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
+manage_fifo_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
+manage_sock_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
+fs_tmpfs_filetrans(mplayer_t, mplayer_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+# Read global config
+allow mplayer_t mplayer_etc_t:dir list_dir_perms;
+read_files_pattern(mplayer_t, mplayer_etc_t, mplayer_etc_t)
+read_lnk_files_pattern(mplayer_t, mplayer_etc_t, mplayer_etc_t)
+
+kernel_dontaudit_list_unlabeled(mplayer_t)
+kernel_dontaudit_getattr_unlabeled_files(mplayer_t)
+kernel_dontaudit_read_unlabeled_files(mplayer_t)
+# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
+kernel_read_system_state(mplayer_t)
+# Sysctl on kernel version
+kernel_read_kernel_sysctls(mplayer_t)
+
+# Run bash/sed (??)
+corecmd_exec_bin(mplayer_t)
+corecmd_exec_shell(mplayer_t)
+
+# Required for win32 binary loader
+dev_rwx_zero(mplayer_t)
+# Access to DVD/CD/V4L
+dev_read_video_dev(mplayer_t)
+# Audio, alsa.conf
+dev_read_sound_mixer(mplayer_t)
+dev_write_sound_mixer(mplayer_t)
+# RTC clock
+dev_read_realtime_clock(mplayer_t)
+
+# Access to DVD/CD/V4L
+storage_raw_read_removable_device(mplayer_t)
+
+files_read_etc_files(mplayer_t)
+files_dontaudit_list_non_security(mplayer_t)
+files_dontaudit_getattr_non_security_files(mplayer_t)
+files_read_non_security_files(mplayer_t)
+# Unfortunately the ancient file dialog starts in /
+files_list_home(mplayer_t)
+# Read /etc/mtab
+files_read_etc_runtime_files(mplayer_t)
+# Read data in /usr/share (fonts, icons..)
+files_read_usr_files(mplayer_t)
+files_read_usr_symlinks(mplayer_t)
+
+fs_dontaudit_getattr_all_fs(mplayer_t)
+fs_search_auto_mountpoints(mplayer_t)
+fs_list_inotifyfs(mplayer_t)
+
+miscfiles_read_localization(mplayer_t)
+miscfiles_read_fonts(mplayer_t)
+
+userdom_use_user_terminals(mplayer_t)
+# Read media files
+userdom_list_user_tmp(mplayer_t)
+userdom_read_user_tmp_files(mplayer_t)
+userdom_read_user_tmp_symlinks(mplayer_t)
+userdom_read_user_home_content_files(mplayer_t)
+userdom_read_user_home_content_symlinks(mplayer_t)
+
+xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
+
+# Read songs
+ifdef(`enable_mls',`',`
+ fs_search_removable(mplayer_t)
+ fs_read_removable_files(mplayer_t)
+ fs_read_removable_symlinks(mplayer_t)
+')
+
+tunable_policy(`allow_execmem',`
+ allow mplayer_t self:process execmem;
+')
+
+tunable_policy(`allow_execmod',`
+ dev_execmod_zero(mplayer_t)
+')
+
+tunable_policy(`allow_mplayer_execstack',`
+ allow mplayer_t self:process { execmem execstack };
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mplayer_t)
+ fs_manage_nfs_files(mplayer_t)
+ fs_manage_nfs_symlinks(mplayer_t)
+')
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mplayer_t)
+ fs_manage_cifs_files(mplayer_t)
+ fs_manage_cifs_symlinks(mplayer_t)
+')
+
+# Legacy domain issues
+tunable_policy(`allow_mplayer_execstack',`
+ allow mplayer_t mplayer_tmpfs_t:file execute;
+')
+
+# Read songs
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(mplayer_t)
+ files_list_home(mplayer_t)
+ fs_read_nfs_files(mplayer_t)
+ fs_read_nfs_symlinks(mplayer_t)
+
+',`
+ files_dontaudit_list_home(mplayer_t)
+ fs_dontaudit_list_auto_mountpoints(mplayer_t)
+ fs_dontaudit_read_nfs_files(mplayer_t)
+ fs_dontaudit_list_nfs(mplayer_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_auto_mountpoints(mplayer_t)
+ files_list_home(mplayer_t)
+ fs_read_cifs_files(mplayer_t)
+ fs_read_cifs_symlinks(mplayer_t)
+',`
+ files_dontaudit_list_home(mplayer_t)
+ fs_dontaudit_list_auto_mountpoints(mplayer_t)
+ fs_dontaudit_read_cifs_files(mplayer_t)
+ fs_dontaudit_list_cifs(mplayer_t)
+')
+
+tunable_policy(`read_default_t',`
+ files_list_default(mplayer_t)
+ files_read_default_files(mplayer_t)
+ files_read_default_symlinks(mplayer_t)
+',`
+ files_dontaudit_read_default_files(mplayer_t)
+ files_dontaudit_list_default(mplayer_t)
+')
+
+optional_policy(`
+ alsa_read_rw_config(mplayer_t)
+')
+
+optional_policy(`
+ nscd_socket_use(mplayer_t)
+')
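Review bot: `mplayer_home_t` is declared without `ubac_constrained()` while `mencoder_t`, `mplayer_t` and `mplayer_tmpfs_t` all receive it; unless `userdom_user_home_content()` adds the attribute on its own (not visible here), files under `~/.mplayer` would sit outside the user-based constraint this module now depends on for separation, so either add `ubac_constrained(mplayer_home_t)` beside the other declarations or comment why it is implied. The two removable-media blocks are also written two ways, `ifndef(`enable_mls',` for mencoder and `ifdef(`enable_mls',`',`` for mplayer; pick one form for the module. Finally, `fs_tmpfs_filetrans(mplayer_t, mplayer_tmpfs_t,{ dir file ... })` lists `dir` but there is no `manage_dirs_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)`, so if `manage_files_pattern` grants only `rw_dir_perms` on the directory, as is usual, the directory transition cannot actually be exercised; this was already the case in the old template, but the move is a good moment to fix or drop it.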
diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te
index 08b504b..802461d 100644
--- a/policy/modules/apps/podsleuth.te
+++ b/policy/modules/apps/podsleuth.te
@@ -1,5 +1,5 @@
-policy_module(podsleuth, 1.0.0)
+policy_module(podsleuth, 1.0.1)
########################################
#
@@ -28,7 +28,7 @@ files_read_etc_files(podsleuth_t)
miscfiles_read_localization(podsleuth_t)
-dbus_system_bus_client_template(podsleuth, podsleuth_t)
+dbus_system_bus_client(podsleuth_t)
mono_exec(podsleuth_t)
diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if
index aff0165..c010a01 100644
--- a/policy/modules/apps/qemu.if
+++ b/policy/modules/apps/qemu.if
@@ -32,11 +32,6 @@ interface(`qemu_domtrans',`
## The role to allow the qemu domain.
##
##
-##
-##
-## The type of the terminal allow the qemu domain to use.
-##
-##
#
interface(`qemu_run',`
gen_require(`
@@ -45,7 +40,6 @@ interface(`qemu_run',`
qemu_domtrans($1)
role $2 types qemu_t;
- allow qemu_t $3:chr_file rw_file_perms;
')
########################################
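Review bot: qemu_run loses its third parameter (the terminal type consumed by the removed `allow qemu_t $3:chr_file rw_file_perms;` at L9031), which is an incompatible interface change, yet the qemu.te bump at L9055 is only 1.0.0 to 1.0.1 while rssh, screen and thunderbird in this same commit go to 2.0.0 for the same kind of signature change. Because m4 silently ignores surplus arguments, an out-of-tree caller still passing a terminal type will build cleanly but no longer receive the chr_file access it expects, which a major version bump would at least signal. The interface's parameter documentation (L9017-L9019) lies partly outside this hunk, so I cannot confirm it now lists only the two remaining parameters.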
@@ -195,6 +189,8 @@ template(`qemu_domain_template',`
sysnet_read_config($1_t)
+ userdom_use_user_terminals($1_t)
+
# optional_policy(`
# samba_domtrans_smb($1_t)
# ')
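Review bot: `userdom_use_user_terminals($1_t)` at L9036 grants every domain created by qemu_domain_template access to all user terminal types, whereas the rule it replaces (`allow qemu_t $3:chr_file rw_file_perms;` at L9031) covered only the single terminal type a qemu_run caller named. That is a widening of what each qemu domain can read and write and is presumably intended now that per-role templates are being dropped, but it should be stated next to the call, e.g. `# terminal access is granted for all user ttys/ptys, not per caller as qemu_run once did`, so a later reader does not take it for an oversight. The template body continues outside the hunk.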
@@ -206,7 +202,7 @@ template(`qemu_domain_template',`
')
optional_policy(`
- xserver_stream_connect_xdm_xserver($1_t)
+ xserver_stream_connect($1_t)
xserver_read_xdm_tmp_files($1_t)
xserver_read_xdm_pid($1_t)
# xserver_xdm_rw_shm($1_t)
diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te
index d341aab..fa023cd 100644
--- a/policy/modules/apps/qemu.te
+++ b/policy/modules/apps/qemu.te
@@ -1,5 +1,5 @@
-policy_module(qemu, 1.0.0)
+policy_module(qemu, 1.0.1)
########################################
#
diff --git a/policy/modules/apps/rssh.if b/policy/modules/apps/rssh.if
index d0129a8..3870eda 100644
--- a/policy/modules/apps/rssh.if
+++ b/policy/modules/apps/rssh.if
@@ -1,104 +1,30 @@
## Restricted (scp/sftp) only shell
-#######################################
+########################################
##
-## The per role template for the rssh module.
+## Role access for rssh
##
-##
-##
-## This template creates a derived domains which are used
-## for rssh client sessions. Derived types are also created
-## for read-only and read-write file access.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
+##
+##
+## Role allowed access
+##
+##
+##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## User domain for the role
##
##
#
-template(`rssh_per_role_template',`
+interface(`rssh_role',`
gen_require(`
- type rssh_exec_t;
- attribute rssh_domain_type;
- attribute rssh_ro_content_type;
+ type rssh_t;
')
- ##############################
- #
- # Declarations
- #
-
- type $1_rssh_t alias rssh_$1_t, rssh_domain_type;
- application_domain($1_rssh_t, rssh_exec_t)
- domain_user_exemption_target($1_t)
- domain_interactive_fd($1_rssh_t)
- role system_r types $1_rssh_t;
-
- type $1_rssh_devpts_t alias rssh_$1_devpts_t;
- term_user_pty($1_rssh_t,$1_rssh_devpts_t)
-
- type $1_rssh_ro_t alias rssh_$1_ro_t, rssh_ro_content_type;
- userdom_user_home_content($1,$1_rssh_ro_t)
-
- type $1_rssh_rw_t alias rssh_$1_rw_t;
- userdom_user_home_content($1, $1_rssh_rw_t)
-
- ##############################
- #
- # Local policy
- #
-
- allow $1_rssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow $1_rssh_t self:fd use;
- allow $1_rssh_t self:fifo_file rw_fifo_file_perms;
- allow $1_rssh_t self:unix_dgram_socket create_socket_perms;
- allow $1_rssh_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_rssh_t self:unix_dgram_socket sendto;
- allow $1_rssh_t self:unix_stream_socket connectto;
- allow $1_rssh_t self:shm create_shm_perms;
- allow $1_rssh_t self:sem create_sem_perms;
- allow $1_rssh_t self:msgq create_msgq_perms;
- allow $1_rssh_t self:msg { send receive };
+ role $1 types rssh_t;
- allow $1_rssh_t $1_rssh_devpts_t:chr_file { rw_file_perms setattr };
- term_create_pty($1_rssh_t, $1_rssh_devpts_t)
-
- allow $1_rssh_t $1_rssh_ro_t:dir list_dir_perms;
- read_files_pattern($1_rssh_t, $1_rssh_ro_t, $1_rssh_ro_t)
-
- manage_dirs_pattern($1_rssh_t, $1_rssh_rw_t, $1_rssh_rw_t)
- manage_files_pattern($1_rssh_t, $1_rssh_rw_t, $1_rssh_rw_t)
-
- kernel_read_system_state($1_rssh_t)
- kernel_read_kernel_sysctls($1_rssh_t)
-
- files_read_etc_files($1_rssh_t)
- files_read_etc_runtime_files($1_rssh_t)
- files_list_home($1_rssh_t)
- files_read_usr_files($1_rssh_t)
- files_list_var($1_rssh_t)
-
- fs_search_auto_mountpoints($1_rssh_t)
-
- logging_send_syslog_msg($1_rssh_t)
-
- miscfiles_read_localization($1_rssh_t)
-
- userdom_use_unpriv_users_fds($1_rssh_t)
-
- ssh_rw_tcp_sockets($1_rssh_t)
- ssh_rw_stream_sockets($1_rssh_t)
-
- optional_policy(`
- nis_use_ypbind($1_rssh_t)
- ')
+ # allow ps to show irc
+ ps_process_pattern($2, rssh_t)
+ allow $2 rssh_t:process signal;
')
########################################
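Review bot: The comment at L9173, `# allow ps to show irc`, is a copy-paste leftover in the new rssh_role interface and should read `# allow ps to show rssh`, since the rules below it concern rssh_t. The interface otherwise only requires `type rssh_t;` (L9102) and uses nothing else, which is consistent; note that rssh_role grants `allow $2 rssh_t:process signal;` without the matching domtrans because rssh sessions are entered via rssh_spec_domtrans (L9183-L9191), and a one-line comment saying so would save the next reader the lookup.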
@@ -111,13 +37,12 @@ template(`rssh_per_role_template',`
##
##
#
-interface(`rssh_spec_domtrans_all_users',`
+interface(`rssh_spec_domtrans',`
gen_require(`
- attribute rssh_domain_type;
- type rssh_exec_t;
+ type rssh_t, rssh_exec_t;
')
- spec_domtrans_pattern($1, rssh_exec_t, rssh_domain_type)
+ spec_domtrans_pattern($1, rssh_exec_t, rssh_t)
')
########################################
@@ -130,12 +55,12 @@ interface(`rssh_spec_domtrans_all_users',`
##
##
#
-interface(`rssh_read_all_users_ro_content',`
+interface(`rssh_read_ro_content',`
gen_require(`
- attribute rssh_ro_content_type;
+ type rssh_ro_t;
')
- allow $1 rssh_ro_content_type:dir list_dir_perms;
- read_files_pattern($1, rssh_ro_content_type, rssh_ro_content_type)
- read_lnk_files_pattern($1, rssh_ro_content_type, rssh_ro_content_type)
+ allow $1 rssh_ro_t:dir list_dir_perms;
+ read_files_pattern($1, rssh_ro_t, rssh_ro_t)
+ read_lnk_files_pattern($1, rssh_ro_t, rssh_ro_t)
')
diff --git a/policy/modules/apps/rssh.te b/policy/modules/apps/rssh.te
index 92ba29f..7f357d2 100644
--- a/policy/modules/apps/rssh.te
+++ b/policy/modules/apps/rssh.te
@@ -1,13 +1,81 @@
-policy_module(rssh, 1.1.0)
+policy_module(rssh, 2.0.0)
########################################
#
# Declarations
#
-attribute rssh_domain_type;
-attribute rssh_ro_content_type;
-
+type rssh_t;
type rssh_exec_t;
-application_executable_file(rssh_exec_t)
+typealias rssh_t alias { user_rssh_t staff_rssh_t sysadm_rssh_t };
+typealias rssh_t alias { auditadm_rssh_t secadm_rssh_t };
+application_domain(rssh_t, rssh_exec_t)
+domain_user_exemption_target(rssh_t)
+domain_interactive_fd(rssh_t)
+ubac_constrained(rssh_t)
+role system_r types rssh_t;
+
+type rssh_devpts_t;
+typealias rssh_devpts_t alias { user_rssh_devpts_t staff_rssh_devpts_t sysadm_rssh_devpts_t };
+typealias rssh_devpts_t alias { auditadm_rssh_devpts_t secadm_rssh_devpts_t };
+term_user_pty(rssh_t, rssh_devpts_t)
+ubac_constrained(rssh_devpts_t)
+
+type rssh_ro_t;
+typealias rssh_ro_t alias { user_rssh_ro_t staff_rssh_ro_t sysadm_rssh_ro_t };
+typealias rssh_ro_t alias { auditadm_rssh_ro_t secadm_rssh_ro_t };
+userdom_user_home_content(rssh_ro_t)
+
+type rssh_rw_t;
+typealias rssh_rw_t alias { user_rssh_rw_t staff_rssh_rw_t sysadm_rssh_rw_t };
+typealias rssh_rw_t alias { auditadm_rssh_rw_t secadm_rssh_rw_t };
+userdom_user_home_content(rssh_rw_t)
+
+##############################
+#
+# Local policy
+#
+
+allow rssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow rssh_t self:fd use;
+allow rssh_t self:fifo_file rw_fifo_file_perms;
+allow rssh_t self:unix_dgram_socket create_socket_perms;
+allow rssh_t self:unix_stream_socket create_stream_socket_perms;
+allow rssh_t self:unix_dgram_socket sendto;
+allow rssh_t self:unix_stream_socket connectto;
+allow rssh_t self:shm create_shm_perms;
+allow rssh_t self:sem create_sem_perms;
+allow rssh_t self:msgq create_msgq_perms;
+allow rssh_t self:msg { send receive };
+
+allow rssh_t rssh_devpts_t:chr_file { rw_file_perms setattr };
+term_create_pty(rssh_t, rssh_devpts_t)
+
+allow rssh_t rssh_ro_t:dir list_dir_perms;
+read_files_pattern(rssh_t, rssh_ro_t, rssh_ro_t)
+
+manage_dirs_pattern(rssh_t, rssh_rw_t, rssh_rw_t)
+manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t)
+
+kernel_read_system_state(rssh_t)
+kernel_read_kernel_sysctls(rssh_t)
+
+files_read_etc_files(rssh_t)
+files_read_etc_runtime_files(rssh_t)
+files_list_home(rssh_t)
+files_read_usr_files(rssh_t)
+files_list_var(rssh_t)
+
+fs_search_auto_mountpoints(rssh_t)
+
+logging_send_syslog_msg(rssh_t)
+
+miscfiles_read_localization(rssh_t)
+
+ssh_rw_tcp_sockets(rssh_t)
+ssh_rw_stream_sockets(rssh_t)
+
+optional_policy(`
+ nis_use_ypbind(rssh_t)
+')
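Review bot: The new rssh_t local policy (L9256-L9297) reproduces the old template rule for rule except `userdom_use_unpriv_users_fds($1_rssh_t)` (L9165), which has no counterpart here and is not mentioned as an intentional removal; if rssh still inherits descriptors from the user's session, that access now ends up in the audit log instead of being allowed. The subject of domain_user_exemption_target also changes from the user domain `$1_t` (L9111) to `rssh_t` (L9230); if that is a deliberate fix of the old template it is worth one line in the Changelog, since it alters what the user domain itself is exempted from. Both changes are behavioural, which is unexpected in a commit otherwise described as a template-to-interface conversion.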
diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc
index 92211c9..b020416 100644
--- a/policy/modules/apps/screen.fc
+++ b/policy/modules/apps/screen.fc
@@ -1,7 +1,7 @@
#
# /home
#
-HOME_DIR/\.screenrc -- gen_context(system_u:object_r:ROLE_screen_ro_home_t,s0)
+HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
#
# /usr
diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
index 2c949a3..2e1ab41 100644
--- a/policy/modules/apps/screen.if
+++ b/policy/modules/apps/screen.if
@@ -2,39 +2,29 @@
#######################################
##
-## The per role template for the screen module.
+## The role template for the screen module.
##
-##
-##
-## This template creates a derived domains which are used
-## for screen sessions.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
+##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
##
##
-##
+##
##
-## The type of the user domain.
+## The role associated with the user domain.
##
##
-##
+##
##
-## The role associated with the user domain.
+## The type of the user domain.
##
##
#
-template(`screen_per_role_template',`
+template(`screen_role_template',`
gen_require(`
- type screen_dir_t, screen_exec_t;
+ type screen_dir_t, screen_exec_t, screen_tmp_t;
+ type screen_home_t, screen_var_run_t;
')
########################################
@@ -45,16 +35,8 @@ template(`screen_per_role_template',`
type $1_screen_t;
application_domain($1_screen_t, screen_exec_t)
domain_interactive_fd($1_screen_t)
- role $3 types $1_screen_t;
-
- type $1_screen_tmp_t;
- files_tmp_file($1_screen_tmp_t)
-
- type $1_screen_ro_home_t;
- files_type($1_screen_ro_home_t)
-
- type $1_screen_var_run_t;
- files_pid_file($1_screen_var_run_t)
+ ubac_constrained($1_screen_t)
+ role $2 types $1_screen_t;
########################################
#
@@ -70,33 +52,33 @@ template(`screen_per_role_template',`
allow $1_screen_t self:unix_stream_socket create_socket_perms;
allow $1_screen_t self:unix_dgram_socket create_socket_perms;
- manage_dirs_pattern($1_screen_t, $1_screen_tmp_t, $1_screen_tmp_t)
- manage_files_pattern($1_screen_t, $1_screen_tmp_t, $1_screen_tmp_t)
- manage_fifo_files_pattern($1_screen_t, $1_screen_tmp_t, $1_screen_tmp_t)
- files_tmp_filetrans($1_screen_t, $1_screen_tmp_t, { file dir })
+ manage_dirs_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
+ manage_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
+ manage_fifo_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
+ files_tmp_filetrans($1_screen_t, screen_tmp_t, { file dir })
# Create fifo
- manage_fifo_files_pattern($1_screen_t, screen_dir_t, $1_screen_var_run_t)
+ manage_fifo_files_pattern($1_screen_t, screen_dir_t, screen_var_run_t)
manage_dirs_pattern($1_screen_t, screen_dir_t, screen_dir_t)
- filetrans_pattern($1_screen_t, screen_dir_t, $1_screen_var_run_t, fifo_file)
+ filetrans_pattern($1_screen_t, screen_dir_t, screen_var_run_t, fifo_file)
files_pid_filetrans($1_screen_t, screen_dir_t, dir)
- allow $1_screen_t $1_screen_ro_home_t:dir list_dir_perms;
- read_files_pattern($1_screen_t, $1_screen_ro_home_t, $1_screen_ro_home_t)
- read_lnk_files_pattern($1_screen_t, $1_screen_ro_home_t, $1_screen_ro_home_t)
+ allow $1_screen_t screen_home_t:dir list_dir_perms;
+ read_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+ read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t)
- allow $1_screen_t $2:process signal;
+ allow $1_screen_t $3:process signal;
- domtrans_pattern($2, screen_exec_t, $1_screen_t)
- allow $2 $1_screen_t:process signal;
- allow $1_screen_t $2:process signal;
+ domtrans_pattern($3, screen_exec_t, $1_screen_t)
+ allow $3 $1_screen_t:process signal;
+ allow $1_screen_t $3:process signal;
- manage_dirs_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
- manage_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
- manage_lnk_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
- relabel_dirs_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
- relabel_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
- relabel_lnk_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t)
+ manage_dirs_pattern($3, screen_home_t, screen_home_t)
+ manage_files_pattern($3, screen_home_t, screen_home_t)
+ manage_lnk_files_pattern($3, screen_home_t, screen_home_t)
+ relabel_dirs_pattern($3, screen_home_t, screen_home_t)
+ relabel_files_pattern($3, screen_home_t, screen_home_t)
+ relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
kernel_read_system_state($1_screen_t)
kernel_read_kernel_sysctls($1_screen_t)
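Review bot: `allow $1_screen_t $3:process signal;` appears twice in the rewritten block, at L9406 and again at L9412 three lines later; the commit already rewrites both lines for the parameter renumbering, so this is the moment to drop the first occurrence and keep the one grouped with the other `$3` rules. The duplicate is harmless to the compiled policy but makes the parameter swap harder to audit, since a reader comparing old and new must account for two identical rules on each side.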
@@ -107,8 +89,8 @@ template(`screen_per_role_template',`
corecmd_read_bin_pipes($1_screen_t)
corecmd_read_bin_sockets($1_screen_t)
# Revert to the user domain when a shell is executed.
- corecmd_shell_domtrans($1_screen_t,$2)
- corecmd_bin_domtrans($1_screen_t,$2)
+ corecmd_shell_domtrans($1_screen_t, $3)
+ corecmd_bin_domtrans($1_screen_t, $3)
corenet_all_recvfrom_unlabeled($1_screen_t)
corenet_all_recvfrom_netlabel($1_screen_t)
@@ -150,10 +132,10 @@ template(`screen_per_role_template',`
sysnet_read_config($1_screen_t)
- userdom_use_user_terminals($1, $1_screen_t)
- userdom_create_user_pty($1, $1_screen_t)
- userdom_user_home_domtrans($1, $1_screen_t, $2)
- userdom_setattr_user_ptys($1, $1_screen_t)
+ userdom_use_user_terminals($1_screen_t)
+ userdom_create_user_pty($1_screen_t)
+ userdom_user_home_domtrans($1_screen_t, $3)
+ userdom_setattr_user_ptys($1_screen_t)
tunable_policy(`read_default_t',`
files_list_default($1_screen_t)
@@ -164,13 +146,13 @@ template(`screen_per_role_template',`
')
tunable_policy(`use_samba_home_dirs',`
- fs_cifs_domtrans($1_screen_t, $2)
+ fs_cifs_domtrans($1_screen_t, $3)
fs_read_cifs_symlinks($1_screen_t)
fs_list_cifs($1_screen_t)
')
tunable_policy(`use_nfs_home_dirs',`
- fs_nfs_domtrans($1_screen_t, $2)
+ fs_nfs_domtrans($1_screen_t, $3)
fs_list_nfs($1_screen_t)
fs_read_nfs_symlinks($1_screen_t)
')
diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te
index 5ad00a1..554eebe 100644
--- a/policy/modules/apps/screen.te
+++ b/policy/modules/apps/screen.te
@@ -1,5 +1,5 @@
-policy_module(screen, 1.4.0)
+policy_module(screen, 2.0.0)
########################################
#
@@ -11,3 +11,20 @@ files_pid_file(screen_dir_t)
type screen_exec_t;
application_executable_file(screen_exec_t)
+
+type screen_home_t;
+typealias screen_home_t alias { user_screen_home_t staff_screen_home_t sysadm_screen_home_t };
+typealias screen_home_t alias { auditadm_screen_home_t secadm_screen_home_t };
+userdom_user_home_content(screen_home_t)
+
+type screen_tmp_t;
+typealias screen_tmp_t alias { user_screen_tmp_t staff_screen_tmp_t sysadm_screen_tmp_t };
+typealias screen_tmp_t alias { auditadm_screen_tmp_t secadm_screen_tmp_t };
+files_tmp_file(screen_tmp_t)
+ubac_constrained(screen_tmp_t)
+
+type screen_var_run_t;
+typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t };
+typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t };
+files_pid_file(screen_var_run_t)
+ubac_constrained(screen_var_run_t)
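Review bot: screen_home_t (L9476-L9479) is the only one of the three new shared types not explicitly marked `ubac_constrained`, while screen_tmp_t (L9485) and screen_var_run_t (L9491) are; the same pattern recurs for rssh_ro_t and rssh_rw_t (L9244, L9249) and thunderbird_home_t (L9936). If userdom_user_home_content applies ubac_constrained internally this is fine, but that is not visible here, and if it does not, a single type now labels every user's ~/.screenrc with no user-based separation between roles. A short comment such as `# ubac constraint applied by userdom_user_home_content` next to L9479 would settle it for future readers either way.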
diff --git a/policy/modules/apps/thunderbird.fc b/policy/modules/apps/thunderbird.fc
index 2b6c006..fb43a7b 100644
--- a/policy/modules/apps/thunderbird.fc
+++ b/policy/modules/apps/thunderbird.fc
@@ -3,4 +3,4 @@
#
/usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
-HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:ROLE_thunderbird_home_t,s0)
+HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:thunderbird_home_t,s0)
diff --git a/policy/modules/apps/thunderbird.if b/policy/modules/apps/thunderbird.if
index d9d5af8..c2cc18d 100644
--- a/policy/modules/apps/thunderbird.if
+++ b/policy/modules/apps/thunderbird.if
@@ -1,383 +1,63 @@
## Thunderbird email client
-#######################################
+########################################
##
-## The per role template for the thunderbird module.
+## Role access for thunderbird
##
-##
-##
-## This template creates a derived domain which is used
-## for the thunderbird email client.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
+##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## Role allowed access
##
##
-##
-##
-## The type of the user domain.
-##
-##
-##
+##
##
-## The role associated with the user domain.
+## User domain for the role
##
##
#
-template(`thunderbird_per_role_template',`
-
- ########################################
- #
- # Declarations
- #
-
- type $1_thunderbird_t;
- application_domain($1_thunderbird_t, thunderbird_exec_t)
- role $3 types $1_thunderbird_t;
-
- type $1_thunderbird_home_t alias $1_thunderbird_rw_t;
- files_poly_member($1_thunderbird_home_t)
- userdom_user_home_content($1, $1_thunderbird_home_t)
-
- type $1_thunderbird_tmpfs_t;
- files_tmpfs_file($1_thunderbird_tmpfs_t)
-
- ########################################
- #
- # Local policy
- #
-
- allow $1_thunderbird_t self:capability sys_nice;
- allow $1_thunderbird_t self:process { signal_perms setsched getsched execheap execmem execstack };
- allow $1_thunderbird_t self:fifo_file { ioctl read write getattr };
- allow $1_thunderbird_t self:unix_dgram_socket { create connect };
- allow $1_thunderbird_t self:unix_stream_socket { create accept connect write getattr read listen bind };
- allow $1_thunderbird_t self:tcp_socket create_socket_perms;
- allow $1_thunderbird_t self:shm { read write create destroy unix_read unix_write };
-
- # Access ~/.thunderbird
- manage_dirs_pattern($1_thunderbird_t, $1_thunderbird_home_t, $1_thunderbird_home_t)
- manage_files_pattern($1_thunderbird_t, $1_thunderbird_home_t, $1_thunderbird_home_t)
- manage_lnk_files_pattern($1_thunderbird_t, $1_thunderbird_home_t, $1_thunderbird_home_t)
- userdom_search_user_home_dirs($1, $1_thunderbird_t)
-
- manage_files_pattern($1_thunderbird_t, $1_thunderbird_tmpfs_t, $1_thunderbird_tmpfs_t)
- manage_lnk_files_pattern($1_thunderbird_t, $1_thunderbird_tmpfs_t, $1_thunderbird_tmpfs_t)
- manage_fifo_files_pattern($1_thunderbird_t, $1_thunderbird_tmpfs_t, $1_thunderbird_tmpfs_t)
- manage_sock_files_pattern($1_thunderbird_t, $1_thunderbird_tmpfs_t, $1_thunderbird_tmpfs_t)
- fs_tmpfs_filetrans($1_thunderbird_t, $1_thunderbird_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-
- domain_auto_trans($2, thunderbird_exec_t, $1_thunderbird_t)
- allow $2 $1_thunderbird_t:fd use;
- allow $2 $1_thunderbird_t:shm { associate getattr };
- allow $2 $1_thunderbird_t:unix_stream_socket connectto;
- allow $1_thunderbird_t $2:fd use;
- allow $1_thunderbird_t $2:process sigchld;
- allow $1_thunderbird_t $2:unix_stream_socket connectto;
-
- # Allow the user domain to signal/ps.
- ps_process_pattern($2,$1_thunderbird_t)
-
- # Access ~/.thunderbird
- manage_dirs_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
- manage_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
- manage_lnk_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
-
- relabel_dirs_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
- relabel_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
- relabel_lnk_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t)
-
- # Allow netstat
- kernel_read_network_state($1_thunderbird_t)
- kernel_read_net_sysctls($1_thunderbird_t)
- kernel_read_system_state($1_thunderbird_t)
-
- # Startup shellscript
- corecmd_exec_shell($1_thunderbird_t)
-
- corenet_all_recvfrom_unlabeled($1_thunderbird_t)
- corenet_all_recvfrom_netlabel($1_thunderbird_t)
- corenet_tcp_sendrecv_generic_if($1_thunderbird_t)
- corenet_tcp_sendrecv_all_nodes($1_thunderbird_t)
- corenet_tcp_sendrecv_ipp_port($1_thunderbird_t)
- corenet_tcp_sendrecv_ldap_port($1_thunderbird_t)
- corenet_tcp_sendrecv_innd_port($1_thunderbird_t)
- corenet_tcp_sendrecv_smtp_port($1_thunderbird_t)
- corenet_tcp_sendrecv_pop_port($1_thunderbird_t)
- corenet_tcp_sendrecv_http_port($1_thunderbird_t)
- corenet_tcp_connect_ipp_port($1_thunderbird_t)
- corenet_tcp_connect_ldap_port($1_thunderbird_t)
- corenet_tcp_connect_innd_port($1_thunderbird_t)
- corenet_tcp_connect_smtp_port($1_thunderbird_t)
- corenet_tcp_connect_pop_port($1_thunderbird_t)
- corenet_tcp_connect_http_port($1_thunderbird_t)
- corenet_sendrecv_ipp_client_packets($1_thunderbird_t)
- corenet_sendrecv_ldap_client_packets($1_thunderbird_t)
- corenet_sendrecv_innd_client_packets($1_thunderbird_t)
- corenet_sendrecv_smtp_client_packets($1_thunderbird_t)
- corenet_sendrecv_pop_client_packets($1_thunderbird_t)
- corenet_sendrecv_http_client_packets($1_thunderbird_t)
-
- dev_read_urand($1_thunderbird_t)
- dev_dontaudit_search_sysfs($1_thunderbird_t)
-
- files_list_tmp($1_thunderbird_t)
- files_read_usr_files($1_thunderbird_t)
- files_read_etc_files($1_thunderbird_t)
- files_read_etc_runtime_files($1_thunderbird_t)
- files_read_var_files($1_thunderbird_t)
- files_read_var_symlinks($1_thunderbird_t)
- files_dontaudit_getattr_all_tmp_files($1_thunderbird_t)
- files_dontaudit_getattr_boot_dirs($1_thunderbird_t)
- files_dontaudit_getattr_lost_found_dirs($1_thunderbird_t)
- files_dontaudit_search_mnt($1_thunderbird_t)
-
- fs_getattr_xattr_fs($1_thunderbird_t)
- fs_list_inotifyfs($1_thunderbird_t)
- # Access ~/.thunderbird
- fs_search_auto_mountpoints($1_thunderbird_t)
-
- auth_use_nsswitch($1_thunderbird_t)
-
- miscfiles_read_fonts($1_thunderbird_t)
- miscfiles_read_localization($1_thunderbird_t)
-
- userdom_manage_user_tmp_dirs($1, $1_thunderbird_t)
- userdom_read_user_tmp_files($1, $1_thunderbird_t)
- userdom_write_user_tmp_sockets($1, $1_thunderbird_t)
- userdom_manage_user_tmp_sockets($1, $1_thunderbird_t)
- # .kde/....gtkrc
- userdom_read_user_home_content_files($1, $1_thunderbird_t)
-
- xserver_user_x_domain_template($1, $1_thunderbird, $1_thunderbird_t, $1_thunderbird_tmpfs_t)
- xserver_read_xdm_tmp_files($1_thunderbird_t)
- xserver_dontaudit_getattr_xdm_tmp_sockets($1_thunderbird_t)
-
- # Access ~/.thunderbird
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs($1_thunderbird_t)
- fs_manage_nfs_files($1_thunderbird_t)
- fs_manage_nfs_symlinks($1_thunderbird_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs($1_thunderbird_t)
- fs_manage_cifs_files($1_thunderbird_t)
- fs_manage_cifs_symlinks($1_thunderbird_t)
- ')
-
- tunable_policy(`mail_read_content && use_nfs_home_dirs',`
- files_list_home($1_thunderbird_t)
-
- fs_list_auto_mountpoints($1_thunderbird_t)
- fs_read_nfs_files($1_thunderbird_t)
- fs_read_nfs_symlinks($1_thunderbird_t)
- ',`
- files_dontaudit_list_home($1_thunderbird_t)
-
- fs_dontaudit_list_auto_mountpoints($1_thunderbird_t)
- fs_dontaudit_list_nfs($1_thunderbird_t)
- fs_dontaudit_read_nfs_files($1_thunderbird_t)
- ')
-
- tunable_policy(`mail_read_content && use_samba_home_dirs',`
- files_list_home($1_thunderbird_t)
-
- fs_list_auto_mountpoints($1_thunderbird_t)
- fs_read_cifs_files($1_thunderbird_t)
- fs_read_cifs_symlinks($1_thunderbird_t)
- ',`
- files_dontaudit_list_home($1_thunderbird_t)
-
- fs_dontaudit_list_auto_mountpoints($1_thunderbird_t)
- fs_dontaudit_read_cifs_files($1_thunderbird_t)
- fs_dontaudit_list_cifs($1_thunderbird_t)
- ')
-
- tunable_policy(`mail_read_content',`
- userdom_list_user_tmp($1, $1_thunderbird_t)
- userdom_read_user_tmp_files($1, $1_thunderbird_t)
- userdom_read_user_tmp_symlinks($1, $1_thunderbird_t)
- userdom_search_user_home_dirs($1, $1_thunderbird_t)
- userdom_read_user_home_content_files($1, $1_thunderbird_t)
-
- ifndef(`enable_mls',`
- fs_search_removable($1_thunderbird_t)
- fs_read_removable_files($1_thunderbird_t)
- fs_read_removable_symlinks($1_thunderbird_t)
- ')
- ',`
- files_dontaudit_list_tmp($1_thunderbird_t)
- files_dontaudit_list_home($1_thunderbird_t)
-
- fs_dontaudit_list_removable($1_thunderbird_t)
- fs_dontaudit_read_removable_files($1_thunderbird_t)
-
- userdom_dontaudit_list_user_tmp($1, $1_thunderbird_t)
- userdom_dontaudit_read_user_tmp_files($1, $1_thunderbird_t)
- userdom_dontaudit_list_user_home_dirs($1, $1_thunderbird_t)
- userdom_dontaudit_read_user_home_content_files($1, $1_thunderbird_t)
- ')
-
- tunable_policy(`mail_read_content && read_default_t',`
- files_list_default($1_thunderbird_t)
- files_read_default_files($1_thunderbird_t)
- files_read_default_symlinks($1_thunderbird_t)
- ',`
- files_dontaudit_read_default_files($1_thunderbird_t)
- files_dontaudit_list_default($1_thunderbird_t)
- ')
-
- tunable_policy(`mail_read_content && read_untrusted_content',`
- files_list_tmp($1_thunderbird_t)
- files_list_home($1_thunderbird_t)
-
- userdom_search_user_home_dirs($1, $1_thunderbird_t)
- userdom_list_user_untrusted_content($1, $1_thunderbird_t)
- userdom_read_user_untrusted_content_files($1, $1_thunderbird_t)
- userdom_read_user_untrusted_content_symlinks($1, $1_thunderbird_t)
- userdom_list_user_tmp_untrusted_content($1, $1_thunderbird_t)
- userdom_read_user_tmp_untrusted_content_files($1, $1_thunderbird_t)
- userdom_read_user_tmp_untrusted_content_symlinks($1, $1_thunderbird_t)
- ',`
- files_dontaudit_list_tmp($1_thunderbird_t)
- files_dontaudit_list_home($1_thunderbird_t)
-
- userdom_dontaudit_list_user_home_dirs($1, $1_thunderbird_t)
- userdom_dontaudit_list_user_untrusted_content($1, $1_thunderbird_t)
- userdom_dontaudit_read_user_untrusted_content_files($1, $1_thunderbird_t)
- userdom_dontaudit_list_user_tmp_untrusted_content($1, $1_thunderbird_t)
- userdom_dontaudit_read_user_tmp_untrusted_content_files($1, $1_thunderbird_t)
- ')
-
- # Manage nfs homedirs
- tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
- files_search_home($1_thunderbird_t)
-
- fs_search_auto_mountpoints($1_thunderbird_t)
- fs_manage_nfs_dirs($1_thunderbird_t)
- fs_manage_nfs_files($1_thunderbird_t)
- fs_manage_nfs_symlinks($1_thunderbird_t)
- ',`
- fs_dontaudit_list_auto_mountpoints($1_thunderbird_t)
- fs_dontaudit_manage_nfs_dirs($1_thunderbird_t)
- fs_dontaudit_manage_nfs_files($1_thunderbird_t)
- ')
-
- # Manage samba homedirs
- tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
- files_search_home($1_thunderbird_t)
-
- fs_search_auto_mountpoints($1_thunderbird_t)
- fs_manage_cifs_dirs($1_thunderbird_t)
- fs_manage_cifs_files($1_thunderbird_t)
- fs_manage_cifs_symlinks($1_thunderbird_t)
- ',`
- fs_dontaudit_list_auto_mountpoints($1_thunderbird_t)
- fs_dontaudit_manage_cifs_dirs($1_thunderbird_t)
- fs_dontaudit_manage_cifs_files($1_thunderbird_t)
- ')
-
- # Manage /tmp and /home
- tunable_policy(`write_untrusted_content',`
- files_search_home($1_thunderbird_t)
- files_tmp_filetrans($1_thunderbird_t, $1_untrusted_content_tmp_t,file)
- files_tmp_filetrans($1_thunderbird_t, $1_untrusted_content_tmp_t,dir)
- userdom_manage_user_untrusted_content_files($1, $1_thunderbird_t)
- userdom_manage_user_untrusted_content_tmp_files($1, $1_thunderbird_t)
- userdom_user_home_dir_filetrans($1, $1_thunderbird_t, $1_untrusted_content_tmp_t, { file dir })
- userdom_user_home_content_filetrans($1, $1_thunderbird_t, $1_untrusted_content_tmp_t, { file dir })
- ',`
- files_dontaudit_list_home($1_thunderbird_t)
- files_dontaudit_list_tmp($1_thunderbird_t)
-
- userdom_dontaudit_list_user_home_dirs($1, $1_thunderbird_t)
- userdom_dontaudit_manage_user_tmp_dirs($1, $1_thunderbird_t)
- userdom_dontaudit_manage_user_tmp_files($1, $1_thunderbird_t)
- userdom_dontaudit_manage_user_home_content_dirs($1, $1_thunderbird_t)
- ')
-
- optional_policy(`
- dbus_system_bus_client_template($1_thunderbird, $1_thunderbird_t)
- dbus_user_bus_client_template($1, $1_thunderbird, $1_thunderbird_t)
- ')
-
- optional_policy(`
- cups_read_rw_config($1_thunderbird_t)
- cups_dbus_chat($1_thunderbird_t)
- ')
-
- optional_policy(`
- gnome_stream_connect_gconf_template($1, $1_thunderbird_t)
- gnome_domtrans_user_gconf($1, $1_thunderbird_t)
- gnome_manage_user_gnome_config($1, $1_thunderbird_t)
- ')
-
- optional_policy(`
- gpg_domtrans_user_gpg($1, $1_thunderbird_t)
+interface(`thunderbird_role',`
+ gen_require(`
+ type thunderbird_t, thunderbird_exec_t;
+ type thunderbird_home_t, thunderbird_tmpfs_t;
')
- optional_policy(`
- lpd_domtrans_user_lpr($1, $1_thunderbird_t)
- ')
+ role $1 types thunderbird_t;
- optional_policy(`
- mozilla_read_user_home_files($1, $1_thunderbird_t)
- mozilla_domtrans_user_mozilla($1, $1_thunderbird_t)
- mozilla_dbus_chat($1, $1_thunderbird_t)
- ')
+ domain_auto_trans($2, thunderbird_exec_t, thunderbird_t)
+ allow $2 thunderbird_t:fd use;
+ allow $2 thunderbird_t:shm { associate getattr };
+ allow $2 thunderbird_t:unix_stream_socket connectto;
+ allow thunderbird_t $2:fd use;
+ allow thunderbird_t $2:process sigchld;
+ allow thunderbird_t $2:unix_stream_socket connectto;
- ifdef(`TODO',`
- # FIXME: Rules were removed to centralize policy in a gnome_app macro
- # A similar thing might be necessary for mozilla compiled without GNOME
- # support (is this possible?).
+ # allow ps to show thunderbird and allow the user to kill it
+ ps_process_pattern($2, thunderbird_t)
+ allow $2 thunderbird_t:process signal;
- # GNOME support
- optional_policy(`
- gnome_application($1_thunderbird, $1)
- gnome_file_dialog($1_thunderbird, $1)
- allow $1_thunderbird_t $1_gnome_settings_t:file { read write };
- ')
- ')
+ # Access ~/.thunderbird
+ manage_dirs_pattern($2, thunderbird_home_t, thunderbird_home_t)
+ manage_files_pattern($2, thunderbird_home_t, thunderbird_home_t)
+ manage_lnk_files_pattern($2, thunderbird_home_t, thunderbird_home_t)
+ relabel_dirs_pattern($2, thunderbird_home_t, thunderbird_home_t)
+ relabel_files_pattern($2, thunderbird_home_t, thunderbird_home_t)
+ relabel_lnk_files_pattern($2, thunderbird_home_t, thunderbird_home_t)
')
########################################
##
## Run thunderbird in the user thunderbird domain.
##
-##
-##
-## Run thunderbird in the user thunderbird domain.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## Domain allowed access.
##
##
#
-template(`thunderbird_domtrans_user_thunderbird',`
+interface(`thunderbird_domtrans',`
gen_require(`
- type $1_thunderbird_t, thunderbird_exec_t;
+ type thunderbird_t, thunderbird_exec_t;
')
- domtrans_pattern($2, thunderbird_exec_t, $1_thunderbird_t)
+ domtrans_pattern($1, thunderbird_exec_t, thunderbird_t)
')
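Review bot: The gen_require block of the new thunderbird_role interface lists `type thunderbird_home_t, thunderbird_tmpfs_t;` (L9839), but no rule in the interface body (L9844-L9877) references thunderbird_tmpfs_t, so the require should be trimmed to `type thunderbird_home_t;`. Separately, thunderbird_role enters the domain with `domain_auto_trans($2, thunderbird_exec_t, thunderbird_t)` (L9850) while thunderbird_domtrans in the same file uses `domtrans_pattern($1, thunderbird_exec_t, thunderbird_t)` (L9911); since the commit rewrites both, using domtrans_pattern in both places would keep the transition rules consistent and make thunderbird_role's fd/sigchld/stream-socket rules (L9851-L9856) easier to compare against what the pattern already grants.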
diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te
index 15169bc..8c0faea 100644
--- a/policy/modules/apps/thunderbird.te
+++ b/policy/modules/apps/thunderbird.te
@@ -1,10 +1,221 @@
-policy_module(thunderbird, 1.6.0)
+policy_module(thunderbird, 2.0.0)
########################################
#
# Declarations
#
+type thunderbird_t;
type thunderbird_exec_t;
-application_executable_file(thunderbird_exec_t)
+typealias thunderbird_t alias { user_thunderbird_t staff_thunderbird_t sysadm_thunderbird_t };
+typealias thunderbird_t alias { auditadm_thunderbird_t secadm_thunderbird_t };
+application_domain(thunderbird_t, thunderbird_exec_t)
+ubac_constrained(thunderbird_t)
+
+type thunderbird_home_t;
+typealias thunderbird_home_t alias { user_thunderbird_home_t staff_thunderbird_home_t sysadm_thunderbird_home_t };
+typealias thunderbird_home_t alias { auditadm_thunderbird_home_t secadm_thunderbird_home_t };
+files_poly_member(thunderbird_home_t)
+userdom_user_home_content(thunderbird_home_t)
+
+type thunderbird_tmpfs_t;
+typealias thunderbird_tmpfs_t alias { user_thunderbird_tmpfs_t staff_thunderbird_tmpfs_t sysadm_thunderbird_tmpfs_t };
+typealias thunderbird_tmpfs_t alias { auditadm_thunderbird_tmpfs_t secadm_thunderbird_tmpfs_t };
+files_tmpfs_file(thunderbird_tmpfs_t)
+ubac_constrained(thunderbird_tmpfs_t)
+
+########################################
+#
+# Local policy
+#
+
+allow thunderbird_t self:capability sys_nice;
+allow thunderbird_t self:process { signal_perms setsched getsched execheap execmem execstack };
+allow thunderbird_t self:fifo_file { ioctl read write getattr };
+allow thunderbird_t self:unix_dgram_socket { create connect };
+allow thunderbird_t self:unix_stream_socket { create accept connect write getattr read listen bind };
+allow thunderbird_t self:tcp_socket create_socket_perms;
+allow thunderbird_t self:shm { read write create destroy unix_read unix_write };
+
+# Access ~/.thunderbird
+manage_dirs_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t)
+manage_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t)
+manage_lnk_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t)
+userdom_search_user_home_dirs(thunderbird_t)
+
+manage_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
+manage_lnk_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
+manage_fifo_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
+manage_sock_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)
+fs_tmpfs_filetrans(thunderbird_t, thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+# Allow netstat
+kernel_read_network_state(thunderbird_t)
+kernel_read_net_sysctls(thunderbird_t)
+kernel_read_system_state(thunderbird_t)
+
+# Startup shellscript
+corecmd_exec_shell(thunderbird_t)
+
+corenet_all_recvfrom_unlabeled(thunderbird_t)
+corenet_all_recvfrom_netlabel(thunderbird_t)
+corenet_tcp_sendrecv_generic_if(thunderbird_t)
+corenet_tcp_sendrecv_all_nodes(thunderbird_t)
+corenet_tcp_sendrecv_ipp_port(thunderbird_t)
+corenet_tcp_sendrecv_ldap_port(thunderbird_t)
+corenet_tcp_sendrecv_innd_port(thunderbird_t)
+corenet_tcp_sendrecv_smtp_port(thunderbird_t)
+corenet_tcp_sendrecv_pop_port(thunderbird_t)
+corenet_tcp_sendrecv_http_port(thunderbird_t)
+corenet_tcp_connect_ipp_port(thunderbird_t)
+corenet_tcp_connect_ldap_port(thunderbird_t)
+corenet_tcp_connect_innd_port(thunderbird_t)
+corenet_tcp_connect_smtp_port(thunderbird_t)
+corenet_tcp_connect_pop_port(thunderbird_t)
+corenet_tcp_connect_http_port(thunderbird_t)
+corenet_sendrecv_ipp_client_packets(thunderbird_t)
+corenet_sendrecv_ldap_client_packets(thunderbird_t)
+corenet_sendrecv_innd_client_packets(thunderbird_t)
+corenet_sendrecv_smtp_client_packets(thunderbird_t)
+corenet_sendrecv_pop_client_packets(thunderbird_t)
+corenet_sendrecv_http_client_packets(thunderbird_t)
+
+dev_read_urand(thunderbird_t)
+dev_dontaudit_search_sysfs(thunderbird_t)
+
+files_list_tmp(thunderbird_t)
+files_read_usr_files(thunderbird_t)
+files_read_etc_files(thunderbird_t)
+files_read_etc_runtime_files(thunderbird_t)
+files_read_var_files(thunderbird_t)
+files_read_var_symlinks(thunderbird_t)
+files_dontaudit_getattr_all_tmp_files(thunderbird_t)
+files_dontaudit_getattr_boot_dirs(thunderbird_t)
+files_dontaudit_getattr_lost_found_dirs(thunderbird_t)
+files_dontaudit_search_mnt(thunderbird_t)
+
+fs_getattr_xattr_fs(thunderbird_t)
+fs_list_inotifyfs(thunderbird_t)
+# Access ~/.thunderbird
+fs_search_auto_mountpoints(thunderbird_t)
+
+auth_use_nsswitch(thunderbird_t)
+
+miscfiles_read_fonts(thunderbird_t)
+miscfiles_read_localization(thunderbird_t)
+
+userdom_manage_user_tmp_dirs(thunderbird_t)
+userdom_read_user_tmp_files(thunderbird_t)
+userdom_manage_user_tmp_sockets(thunderbird_t)
+# .kde/....gtkrc
+userdom_read_user_home_content_files(thunderbird_t)
+
+xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
+xserver_read_xdm_tmp_files(thunderbird_t)
+xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
+
+# Access ~/.thunderbird
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(thunderbird_t)
+ fs_manage_nfs_files(thunderbird_t)
+ fs_manage_nfs_symlinks(thunderbird_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(thunderbird_t)
+ fs_manage_cifs_files(thunderbird_t)
+ fs_manage_cifs_symlinks(thunderbird_t)
+')
+
+tunable_policy(`mail_read_content && use_nfs_home_dirs',`
+ files_list_home(thunderbird_t)
+
+ fs_list_auto_mountpoints(thunderbird_t)
+ fs_read_nfs_files(thunderbird_t)
+ fs_read_nfs_symlinks(thunderbird_t)
+',`
+ files_dontaudit_list_home(thunderbird_t)
+
+ fs_dontaudit_list_auto_mountpoints(thunderbird_t)
+ fs_dontaudit_list_nfs(thunderbird_t)
+ fs_dontaudit_read_nfs_files(thunderbird_t)
+')
+
+tunable_policy(`mail_read_content && use_samba_home_dirs',`
+ files_list_home(thunderbird_t)
+
+ fs_list_auto_mountpoints(thunderbird_t)
+ fs_read_cifs_files(thunderbird_t)
+ fs_read_cifs_symlinks(thunderbird_t)
+',`
+ files_dontaudit_list_home(thunderbird_t)
+
+ fs_dontaudit_list_auto_mountpoints(thunderbird_t)
+ fs_dontaudit_read_cifs_files(thunderbird_t)
+ fs_dontaudit_list_cifs(thunderbird_t)
+')
+
+tunable_policy(`mail_read_content',`
+ userdom_list_user_tmp(thunderbird_t)
+ userdom_read_user_tmp_files(thunderbird_t)
+ userdom_read_user_tmp_symlinks(thunderbird_t)
+ userdom_search_user_home_dirs(thunderbird_t)
+ userdom_read_user_home_content_files(thunderbird_t)
+
+ ifndef(`enable_mls',`
+ fs_search_removable(thunderbird_t)
+ fs_read_removable_files(thunderbird_t)
+ fs_read_removable_symlinks(thunderbird_t)
+ ')
+',`
+ files_dontaudit_list_tmp(thunderbird_t)
+ files_dontaudit_list_home(thunderbird_t)
+
+ fs_dontaudit_list_removable(thunderbird_t)
+ fs_dontaudit_read_removable_files(thunderbird_t)
+
+ userdom_dontaudit_list_user_tmp(thunderbird_t)
+ userdom_dontaudit_read_user_tmp_files(thunderbird_t)
+ userdom_dontaudit_list_user_home_dirs(thunderbird_t)
+ userdom_dontaudit_read_user_home_content_files(thunderbird_t)
+')
+
+tunable_policy(`mail_read_content && read_default_t',`
+ files_list_default(thunderbird_t)
+ files_read_default_files(thunderbird_t)
+ files_read_default_symlinks(thunderbird_t)
+',`
+ files_dontaudit_read_default_files(thunderbird_t)
+ files_dontaudit_list_default(thunderbird_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(thunderbird_t)
+ dbus_session_bus_client(thunderbird_t)
+')
+
+optional_policy(`
+ cups_read_rw_config(thunderbird_t)
+ cups_dbus_chat(thunderbird_t)
+')
+
+optional_policy(`
+ gnome_stream_connect_gconf(thunderbird_t)
+ gnome_domtrans_gconfd(thunderbird_t)
+ gnome_manage_config(thunderbird_t)
+')
+
+optional_policy(`
+ gpg_domtrans(thunderbird_t)
+')
+
+optional_policy(`
+ lpd_domtrans_lpr(thunderbird_t)
+')
+
+optional_policy(`
+ mozilla_read_user_home_files(thunderbird_t)
+ mozilla_domtrans(thunderbird_t)
+ mozilla_dbus_chat(thunderbird_t)
+')
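Review bot: `fs_tmpfs_filetrans(thunderbird_t, thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file })` lists `dir` among the transitioned classes, but the tmpfs rules above it only grant file, lnk_file, fifo_file and sock_file management, so a directory created on tmpfs would receive the label without thunderbird_t being allowed to manage it; either add `manage_dirs_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t)` or drop `dir` from the class list, as tvtime.te and uml.te in this diff do. The `execheap execmem execstack` permissions in the first self:process rule are memory-protection exemptions granted unconditionally; a one-line comment stating why thunderbird needs them (presumably plugins or a JIT, to be confirmed) would let a maintainer judge whether a tunable is warranted. The comment `# Access ~/.thunderbird` appears three times, and above `fs_search_auto_mountpoints` and the NFS tunable it would read better as `# ~/.thunderbird may live on an automounted or remote home`. `xserver_user_x_domain_template` is called unconditionally here but inside `optional_policy` in tvtime.te; one of the two is probably meant to match the other.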
diff --git a/policy/modules/apps/tvtime.if b/policy/modules/apps/tvtime.if
index 2cfec68..8d89f21 100644
--- a/policy/modules/apps/tvtime.if
+++ b/policy/modules/apps/tvtime.if
@@ -1,136 +1,40 @@
## tvtime - a high quality television application
-#######################################
+########################################
##
-## The per role template for the tvtime module.
+## Role access for tvtime
##
-##
-##
-## This template creates a derived domains which are used
-## for tvtime.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
+##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## Role allowed access
##
##
-##
+##
##
-## The type of the user domain.
-##
-##
-##
-##
-## The role associated with the user domain.
+## User domain for the role
##
##
#
-template(`tvtime_per_role_template',`
+interface(`tvtime_role',`
gen_require(`
- type tvtime_exec_t;
+ type tvtime_t, tvtime_exec_t;
+ type tvtime_home_t, tvtime_tmpfs_t;
')
- ########################################
- #
- # Declarations
- #
-
- type $1_tvtime_t;
- application_domain($1_tvtime_t, tvtime_exec_t)
- role $3 types $1_tvtime_t;
-
- type $1_tvtime_home_t alias $1_tvtime_rw_t;
- userdom_user_home_content($1, $1_tvtime_home_t)
- files_poly_member($1_tvtime_home_t)
-
- type $1_tvtime_tmp_t;
- files_tmp_file($1_tvtime_tmp_t)
-
- type $1_tvtime_tmpfs_t;
- files_tmpfs_file($1_tvtime_tmpfs_t)
-
- ########################################
- #
- # Local policy
- #
-
- allow $1_tvtime_t self:capability { setuid sys_nice sys_resource };
- allow $1_tvtime_t self:process setsched;
- allow $1_tvtime_t self:unix_dgram_socket rw_socket_perms;
- allow $1_tvtime_t self:unix_stream_socket rw_stream_socket_perms;
-
- # X access, Home files
- manage_dirs_pattern($1_tvtime_t, $1_tvtime_home_t, $1_tvtime_home_t)
- manage_files_pattern($1_tvtime_t, $1_tvtime_home_t, $1_tvtime_home_t)
- manage_lnk_files_pattern($1_tvtime_t, $1_tvtime_home_t, $1_tvtime_home_t)
- userdom_user_home_dir_filetrans($1, $1_tvtime_t, $1_tvtime_home_t, dir)
-
- manage_dirs_pattern($1_tvtime_t, $1_tvtime_tmp_t, $1_tvtime_tmp_t)
- manage_files_pattern($1_tvtime_t, $1_tvtime_tmp_t, $1_tvtime_tmp_t)
- files_tmp_filetrans($1_tvtime_t, $1_tvtime_tmp_t, { file dir })
-
- manage_files_pattern($1_tvtime_t, $1_tvtime_tmpfs_t, $1_tvtime_tmpfs_t)
- manage_lnk_files_pattern($1_tvtime_t, $1_tvtime_tmpfs_t, $1_tvtime_tmpfs_t)
- manage_fifo_files_pattern($1_tvtime_t, $1_tvtime_tmpfs_t, $1_tvtime_tmpfs_t)
- manage_sock_files_pattern($1_tvtime_t, $1_tvtime_tmpfs_t, $1_tvtime_tmpfs_t)
- fs_tmpfs_filetrans($1_tvtime_t, $1_tvtime_tmpfs_t, { file lnk_file sock_file fifo_file })
+ role $1 types tvtime_t;
# Type transition
- domtrans_pattern($2, tvtime_exec_t, $1_tvtime_t)
+ domtrans_pattern($2, tvtime_exec_t, tvtime_t)
# X access, Home files
- manage_dirs_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t)
- manage_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t)
- manage_lnk_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t)
- relabel_dirs_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t)
- relabel_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t)
- relabel_lnk_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t)
+ manage_dirs_pattern($2, tvtime_home_t, tvtime_home_t)
+ manage_files_pattern($2, tvtime_home_t, tvtime_home_t)
+ manage_lnk_files_pattern($2, tvtime_home_t, tvtime_home_t)
+ relabel_dirs_pattern($2, tvtime_home_t, tvtime_home_t)
+ relabel_files_pattern($2, tvtime_home_t, tvtime_home_t)
+ relabel_lnk_files_pattern($2, tvtime_home_t, tvtime_home_t)
# Allow the user domain to signal/ps.
- ps_process_pattern($2,$1_tvtime_t)
- allow $2 $1_tvtime_t:process signal_perms;
-
- kernel_read_all_sysctls($1_tvtime_t)
- kernel_get_sysvipc_info($1_tvtime_t)
-
- dev_read_urand($1_tvtime_t)
- dev_read_realtime_clock($1_tvtime_t)
- dev_read_sound($1_tvtime_t)
-
- files_read_usr_files($1_tvtime_t)
- files_search_pids($1_tvtime_t)
- # Read /etc/tvtime
- files_read_etc_files($1_tvtime_t)
-
- # X access, Home files
- fs_search_auto_mountpoints($1_tvtime_t)
-
- miscfiles_read_localization($1_tvtime_t)
- miscfiles_read_fonts($1_tvtime_t)
-
- userdom_use_user_terminals($1, $1_tvtime_t)
- userdom_read_user_home_content_files($1, $1_tvtime_t)
-
- # X access, Home files
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs($1_tvtime_t)
- fs_manage_nfs_files($1_tvtime_t)
- fs_manage_nfs_symlinks($1_tvtime_t)
- ')
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs($1_tvtime_t)
- fs_manage_cifs_files($1_tvtime_t)
- fs_manage_cifs_symlinks($1_tvtime_t)
- ')
-
- optional_policy(`
- xserver_user_x_domain_template($1, $1_tvtime, $1_tvtime_t, $1_tvtime_tmpfs_t)
- ')
+ ps_process_pattern($2, tvtime_t)
+ allow $2 tvtime_t:process signal_perms;
')
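Review bot: `type tvtime_home_t, tvtime_tmpfs_t;` in the gen_require declares tvtime_tmpfs_t, but the body of tvtime_role never references it, so the line can be reduced to `type tvtime_home_t;`; uml_role in uml.if has the same issue with `uml_devpts_t` and `uml_tmpfs_t` in its gen_require. Unused requires compile, but they make the interface look like it touches types it does not, and they are the first thing to break if those types are later renamed. The parameter docs `Role allowed access` and `User domain for the role` could say which one is the subject of the transition, e.g. `## The user domain that is allowed to transition to tvtime_t.`.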
diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te
index 8c64f2d..033b123 100644
--- a/policy/modules/apps/tvtime.te
+++ b/policy/modules/apps/tvtime.te
@@ -1,13 +1,95 @@
-policy_module(tvtime, 1.4.0)
+policy_module(tvtime, 2.0.0)
########################################
#
# Declarations
#
+type tvtime_t;
type tvtime_exec_t;
-application_executable_file(tvtime_exec_t)
+typealias tvtime_t alias { user_tvtime_t staff_tvtime_t sysadm_tvtime_t };
+typealias tvtime_t alias { auditadm_tvtime_t secadm_tvtime_t };
+application_domain(tvtime_t, tvtime_exec_t)
+ubac_constrained(tvtime_t)
-type tvtime_dir_t;
-files_pid_file(tvtime_dir_t)
+type tvtime_home_t alias tvtime_rw_t;
+typealias tvtime_home_t alias { user_tvtime_home_t staff_tvtime_home_t sysadm_tvtime_home_t };
+typealias tvtime_home_t alias { auditadm_tvtime_home_t secadm_tvtime_home_t };
+userdom_user_home_content(tvtime_home_t)
+files_poly_member(tvtime_home_t)
+
+type tvtime_tmp_t;
+typealias tvtime_tmp_t alias { user_tvtime_tmp_t staff_tvtime_tmp_t sysadm_tvtime_tmp_t };
+typealias tvtime_tmp_t alias { auditadm_tvtime_tmp_t secadm_tvtime_tmp_t };
+files_tmp_file(tvtime_tmp_t)
+ubac_constrained(tvtime_tmp_t)
+
+type tvtime_tmpfs_t;
+typealias tvtime_tmpfs_t alias { user_tvtime_tmpfs_t staff_tvtime_tmpfs_t sysadm_tvtime_tmpfs_t };
+typealias tvtime_tmpfs_t alias { auditadm_tvtime_tmpfs_t secadm_tvtime_tmpfs_t };
+files_tmpfs_file(tvtime_tmpfs_t)
+ubac_constrained(tvtime_tmpfs_t)
+
+########################################
+#
+# Local policy
+#
+
+allow tvtime_t self:capability { setuid sys_nice sys_resource };
+allow tvtime_t self:process setsched;
+allow tvtime_t self:unix_dgram_socket rw_socket_perms;
+allow tvtime_t self:unix_stream_socket rw_stream_socket_perms;
+
+# X access, Home files
+manage_dirs_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
+manage_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
+manage_lnk_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
+userdom_user_home_dir_filetrans(tvtime_t, tvtime_home_t, dir)
+
+manage_dirs_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t)
+manage_files_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t)
+files_tmp_filetrans(tvtime_t, tvtime_tmp_t,{ file dir })
+
+manage_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t)
+manage_lnk_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t)
+manage_fifo_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t)
+manage_sock_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t)
+fs_tmpfs_filetrans(tvtime_t, tvtime_tmpfs_t,{ file lnk_file sock_file fifo_file })
+
+kernel_read_all_sysctls(tvtime_t)
+kernel_get_sysvipc_info(tvtime_t)
+
+dev_read_urand(tvtime_t)
+dev_read_realtime_clock(tvtime_t)
+dev_read_sound(tvtime_t)
+
+files_read_usr_files(tvtime_t)
+files_search_pids(tvtime_t)
+# Read /etc/tvtime
+files_read_etc_files(tvtime_t)
+
+# X access, Home files
+fs_search_auto_mountpoints(tvtime_t)
+
+miscfiles_read_localization(tvtime_t)
+miscfiles_read_fonts(tvtime_t)
+
+userdom_use_user_terminals(tvtime_t)
+userdom_read_user_home_content_files(tvtime_t)
+
+# X access, Home files
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(tvtime_t)
+ fs_manage_nfs_files(tvtime_t)
+ fs_manage_nfs_symlinks(tvtime_t)
+')
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(tvtime_t)
+ fs_manage_cifs_files(tvtime_t)
+ fs_manage_cifs_symlinks(tvtime_t)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t)
+')
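Review bot: `type tvtime_home_t alias tvtime_rw_t;` keeps the old rw name only for the new shared type; the per-role `typealias` lines that follow cover `*_tvtime_home_t` but not `*_tvtime_rw_t`, although the removed template declared `$1_tvtime_home_t alias $1_tvtime_rw_t`, so any file context or module still naming `user_tvtime_rw_t` and friends (the tvtime .fc is not in this diff, so this is unconfirmed) would no longer resolve. If the old derived rw names are meant to stay valid, add `typealias tvtime_home_t alias { user_tvtime_rw_t staff_tvtime_rw_t sysadm_tvtime_rw_t };` and the auditadm/secadm counterpart. Minor: `files_tmp_filetrans(tvtime_t, tvtime_tmp_t,{ file dir })` and the `fs_tmpfs_filetrans` call drop the space after the comma that the rest of the file uses.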
diff --git a/policy/modules/apps/uml.fc b/policy/modules/apps/uml.fc
index ba0a764..b8b9520 100644
--- a/policy/modules/apps/uml.fc
+++ b/policy/modules/apps/uml.fc
@@ -1,7 +1,7 @@
#
# HOME_DIR/
#
-HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:ROLE_uml_rw_t,s0)
+HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:uml_rw_t,s0)
#
# /usr
diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if
index a833644..d2ab7cb 100644
--- a/policy/modules/apps/uml.if
+++ b/policy/modules/apps/uml.if
@@ -1,194 +1,64 @@
## Policy for UML
-#######################################
+########################################
##
-## The per role template for the uml module.
+## Role access for uml
##
-##
-##
-## This template creates a derived domains which are used
-## for uml program.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
+##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## Role allowed access
##
##
-##
-##
-## The type of the user domain.
-##
-##
-##
+##
##
-## The role associated with the user domain.
+## User domain for the role
##
##
#
-template(`uml_per_role_template',`
+interface(`uml_role',`
gen_require(`
- type uml_ro_t, uml_exec_t;
+ type uml_t, uml_exec_t;
+ type uml_ro_t, uml_rw_t, uml_tmp_t;
+ type uml_devpts_t, uml_tmpfs_t;
')
- ########################################
- #
- # Declarations
- #
-
- type $1_uml_t;
- type $1_uml_exec_t;
- application_domain($1_uml_t, $1_uml_exec_t)
- role $3 types $1_uml_t;
-
- type $1_uml_ro_t;
- files_type($1_uml_ro_t)
-
- type $1_uml_rw_t;
- files_type($1_uml_rw_t)
-
- type $1_uml_tmp_t;
- files_tmp_file($1_uml_tmp_t)
-
- type $1_uml_tmpfs_t;
- files_tmpfs_file($1_uml_tmpfs_t)
-
- type $1_uml_devpts_t;
- term_pty($1_uml_devpts_t)
-
- ########################################
- #
- # Local policy
- #
-
- allow $1_uml_t self:fifo_file rw_fifo_file_perms;
- allow $1_uml_t self:process { signal_perms ptrace };
- allow $1_uml_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_uml_t self:unix_dgram_socket create_socket_perms;
- # Use the network.
- allow $1_uml_t self:tcp_socket create_stream_socket_perms;
- allow $1_uml_t self:udp_socket create_socket_perms;
-
- allow $1_uml_t $2:process sigchld;
- allow $1_uml_t $2:fifo_file { ioctl read write getattr lock append };
-
- # allow the UML thing to happen
- allow $1_uml_t $1_uml_devpts_t:chr_file { rw_chr_file_perms setattr };
- term_create_pty($1_uml_t,$1_uml_devpts_t)
-
- manage_dirs_pattern($1_uml_t, $1_uml_tmp_t, $1_uml_tmp_t)
- manage_files_pattern($1_uml_t, $1_uml_tmp_t, $1_uml_tmp_t)
- files_tmp_filetrans($1_uml_t, $1_uml_tmp_t, { file dir })
- can_exec($1_uml_t, $1_uml_tmp_t)
-
- manage_files_pattern($1_uml_t, $1_uml_tmpfs_t, $1_uml_tmpfs_t)
- manage_lnk_files_pattern($1_uml_t, $1_uml_tmpfs_t, $1_uml_tmpfs_t)
- manage_fifo_files_pattern($1_uml_t, $1_uml_tmpfs_t, $1_uml_tmpfs_t)
- manage_sock_files_pattern($1_uml_t, $1_uml_tmpfs_t, $1_uml_tmpfs_t)
- fs_tmpfs_filetrans($1_uml_t, $1_uml_tmpfs_t, { file lnk_file sock_file fifo_file })
- can_exec($1_uml_t, $1_uml_tmpfs_t)
-
- # access config files
- allow $1_uml_t { $1_uml_ro_t uml_ro_t }:dir list_dir_perms;
- read_files_pattern($1_uml_t, { $1_uml_ro_t uml_ro_t }, { $1_uml_ro_t uml_ro_t })
- read_lnk_files_pattern($1_uml_t, { $1_uml_ro_t uml_ro_t }, { $1_uml_ro_t uml_ro_t })
-
- manage_dirs_pattern($1_uml_t, $1_uml_rw_t, $1_uml_rw_t)
- manage_files_pattern($1_uml_t, $1_uml_rw_t, $1_uml_rw_t)
- manage_lnk_files_pattern($1_uml_t, $1_uml_rw_t, $1_uml_rw_t)
- manage_fifo_files_pattern($1_uml_t, $1_uml_rw_t, $1_uml_rw_t)
- manage_sock_files_pattern($1_uml_t, $1_uml_rw_t, $1_uml_rw_t)
- userdom_user_home_dir_filetrans($1, $1_uml_t, $1_uml_rw_t, { file lnk_file sock_file fifo_file })
-
- allow $2 uml_ro_t:dir list_dir_perms;
- read_files_pattern($2,uml_ro_t, uml_ro_t)
- read_lnk_files_pattern($2,uml_ro_t, uml_ro_t)
-
- manage_dirs_pattern($2, { $1_uml_ro_t $1_uml_rw_t }, { $1_uml_ro_t $1_uml_rw_t })
- manage_files_pattern($2, { $1_uml_ro_t $1_uml_rw_t }, { $1_uml_ro_t $1_uml_rw_t })
- manage_lnk_files_pattern($2, { $1_uml_ro_t $1_uml_rw_t }, { $1_uml_ro_t $1_uml_rw_t })
- manage_fifo_files_pattern($2, { $1_uml_ro_t $1_uml_rw_t }, { $1_uml_ro_t $1_uml_rw_t })
- manage_sock_files_pattern($2, { $1_uml_ro_t $1_uml_rw_t }, { $1_uml_ro_t $1_uml_rw_t })
- relabel_dirs_pattern($2, { $1_uml_ro_t $1_uml_rw_t }, { $1_uml_ro_t $1_uml_rw_t })
- relabel_files_pattern($2, { $1_uml_ro_t $1_uml_rw_t }, { $1_uml_ro_t $1_uml_rw_t })
- relabel_lnk_files_pattern($2, { $1_uml_ro_t $1_uml_rw_t }, { $1_uml_ro_t $1_uml_rw_t })
- relabel_fifo_files_pattern($2, { $1_uml_ro_t $1_uml_rw_t }, { $1_uml_ro_t $1_uml_rw_t })
- relabel_sock_files_pattern($2, { $1_uml_ro_t $1_uml_rw_t }, { $1_uml_ro_t $1_uml_rw_t })
-
- manage_dirs_pattern($2, { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }, { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t })
- manage_files_pattern($2, { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }, { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t })
- relabel_dirs_pattern($2, { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }, { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t })
- relabel_files_pattern($2, { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }, { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t })
-
- # allow ps, ptrace, signal
- ps_process_pattern($2,$1_uml_t)
- allow $2 $1_uml_t:process { ptrace signal_perms };
-
- manage_dirs_pattern($2, $1_uml_tmp_t, $1_uml_tmp_t)
- manage_files_pattern($2, $1_uml_tmp_t, $1_uml_tmp_t)
- manage_lnk_files_pattern($2, $1_uml_tmp_t, $1_uml_tmp_t)
- manage_sock_files_pattern($2, $1_uml_tmp_t, $1_uml_tmp_t)
+ role $1 types uml_t;
# Transition from the user domain to this domain.
- domain_auto_trans($2, { uml_exec_t $1_uml_exec_t }, $1_uml_t)
- can_exec($1_uml_t, { uml_exec_t $1_uml_exec_t })
+ domtrans_pattern($2, uml_exec_t, uml_t)
# for mconsole
- allow { $2 $1_uml_t } $1_uml_t:unix_dgram_socket sendto;
- allow $1_uml_t $2:unix_dgram_socket sendto;
-
- kernel_read_system_state($1_uml_t)
- # for SKAS - need something better
- kernel_write_proc_files($1_uml_t)
-
- # for xterm
- corecmd_exec_bin($1_uml_t)
-
- corenet_all_recvfrom_unlabeled($1_uml_t)
- corenet_all_recvfrom_netlabel($1_uml_t)
- corenet_tcp_sendrecv_generic_if($1_uml_t)
- corenet_udp_sendrecv_generic_if($1_uml_t)
- corenet_tcp_sendrecv_all_nodes($1_uml_t)
- corenet_udp_sendrecv_all_nodes($1_uml_t)
- corenet_tcp_sendrecv_all_ports($1_uml_t)
- corenet_udp_sendrecv_all_ports($1_uml_t)
- corenet_tcp_connect_all_ports($1_uml_t)
- corenet_sendrecv_all_client_packets($1_uml_t)
- corenet_rw_tun_tap_dev($1_uml_t)
-
- domain_use_interactive_fds($1_uml_t)
+ allow $2 uml_t:unix_dgram_socket sendto;
+ allow uml_t $2:unix_dgram_socket sendto;
- # for xterm
- files_read_etc_files($1_uml_t)
- files_dontaudit_read_etc_runtime_files($1_uml_t)
- # putting uml data under /var is usual...
- files_search_var($1_uml_t)
-
- fs_getattr_xattr_fs($1_uml_t)
-
- init_read_utmp($1_uml_t)
- init_dontaudit_write_utmp($1_uml_t)
-
- # for xterm
- libs_exec_lib_files($1_uml_t)
-
- # Inherit and use descriptors from newrole.
- seutil_use_newrole_fds($1_uml_t)
-
- # Use the network.
- sysnet_read_config($1_uml_t)
-
- userdom_use_user_terminals($1, $1_uml_t)
+ # allow ps, ptrace, signal
+ ps_process_pattern($2, uml_t)
+ allow $2 uml_t:process { ptrace signal_perms };
- optional_policy(`
- nis_use_ypbind($1_uml_t)
- ')
+ allow $2 uml_ro_t:dir list_dir_perms;
+ read_files_pattern($2, uml_ro_t, uml_ro_t)
+ read_lnk_files_pattern($2, uml_ro_t, uml_ro_t)
+
+ manage_dirs_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+ manage_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+ manage_lnk_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+ manage_fifo_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+ manage_sock_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+ relabel_dirs_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+ relabel_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+ relabel_lnk_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+ relabel_fifo_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+ relabel_sock_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
+
+ manage_dirs_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t })
+ manage_files_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t })
+ relabel_dirs_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t })
+ relabel_files_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t })
+
+ manage_dirs_pattern($2, uml_tmp_t, uml_tmp_t)
+ manage_files_pattern($2, uml_tmp_t, uml_tmp_t)
+ manage_lnk_files_pattern($2, uml_tmp_t, uml_tmp_t)
+ manage_sock_files_pattern($2, uml_tmp_t, uml_tmp_t)
')
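Review bot: `manage_dirs_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, ...)` and the three rules after it now let the user domain create, write and relabel files of the shared `uml_exec_t` type; the removed template granted that only on the per-user `$1_uml_exec_t`, while the system-wide `uml_exec_t` was exec-only for `$2`, so this widens what a user may do to the entry point of uml_t, which after this commit is the same domain for every role. If the intent is only to let users keep their own kernels under their home directory, a separate user-writable executable type would preserve the old separation. Independently, the `uml_ro_t uml_rw_t` members of those four rules are already fully covered by the manage/relabel rules immediately above them, so at minimum they can be reduced to `uml_exec_t` alone.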
########################################
diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te
index b9f8783..84b8efd 100644
--- a/policy/modules/apps/uml.te
+++ b/policy/modules/apps/uml.te
@@ -1,16 +1,47 @@
-policy_module(uml, 1.6.0)
+policy_module(uml, 2.0.0)
########################################
#
# Declarations
#
+type uml_t;
type uml_exec_t;
-application_executable_file(uml_exec_t)
+typealias uml_t alias { user_uml_t staff_uml_t sysadm_uml_t };
+typealias uml_t alias { auditadm_uml_t secadm_uml_t };
+application_domain(uml_t, uml_exec_t)
+ubac_constrained(uml_t)
type uml_ro_t;
+typealias uml_ro_t alias { user_uml_ro_t staff_uml_ro_t sysadm_uml_ro_t };
+typealias uml_ro_t alias { auditadm_uml_ro_t secadm_uml_ro_t };
files_type(uml_ro_t)
+ubac_constrained(uml_ro_t)
+
+type uml_rw_t;
+typealias uml_rw_t alias { user_uml_rw_t staff_uml_rw_t sysadm_uml_rw_t };
+typealias uml_rw_t alias { auditadm_uml_rw_t secadm_uml_rw_t };
+files_type(uml_rw_t)
+ubac_constrained(uml_rw_t)
+
+type uml_tmp_t;
+typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t };
+typealias uml_tmp_t alias { auditadm_uml_tmp_t secadm_uml_tmp_t };
+files_tmp_file(uml_tmp_t)
+ubac_constrained(uml_tmp_t)
+
+type uml_tmpfs_t;
+typealias uml_tmpfs_t alias { user_uml_tmpfs_t staff_uml_tmpfs_t sysadm_uml_tmpfs_t };
+typealias uml_tmpfs_t alias { auditadm_uml_tmpfs_t secadm_uml_tmpfs_t };
+files_tmpfs_file(uml_tmpfs_t)
+ubac_constrained(uml_tmpfs_t)
+
+type uml_devpts_t;
+typealias uml_devpts_t alias { user_uml_devpts_t staff_uml_devpts_t sysadm_uml_devpts_t };
+typealias uml_devpts_t alias { auditadm_uml_devpts_t secadm_uml_devpts_t };
+term_pty(uml_devpts_t)
+ubac_constrained(uml_devpts_t)
type uml_switch_t;
type uml_switch_exec_t;
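Review bot: `type uml_exec_t;` is the only type in this declarations block that receives no per-role `typealias`, even though the removed template declared a derived `$1_uml_exec_t` for every prefix; uml_t, uml_ro_t, uml_rw_t, uml_tmp_t, uml_tmpfs_t and uml_devpts_t all get `user_`/`staff_`/`sysadm_`/`auditadm_`/`secadm_` aliases. If any file context or other module still references a `ROLE_uml_exec_t` name (not visible in this diff), it will fail to resolve; either add `typealias uml_exec_t alias { user_uml_exec_t staff_uml_exec_t sysadm_uml_exec_t };` plus the auditadm/secadm line, or state in a comment that the per-user exec type was deliberately dropped.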
@@ -24,6 +55,98 @@ files_pid_file(uml_switch_var_run_t)
# Local policy
#
+allow uml_t self:fifo_file rw_fifo_file_perms;
+allow uml_t self:process { signal_perms ptrace };
+allow uml_t self:unix_stream_socket create_stream_socket_perms;
+allow uml_t self:unix_dgram_socket create_socket_perms;
+# Use the network.
+allow uml_t self:tcp_socket create_stream_socket_perms;
+allow uml_t self:udp_socket create_socket_perms;
+# for mconsole
+allow uml_t self:unix_dgram_socket sendto;
+
+# allow the UML thing to happen
+allow uml_t uml_devpts_t:chr_file { rw_file_perms setattr };
+term_create_pty(uml_t, uml_devpts_t)
+
+manage_dirs_pattern(uml_t, uml_tmp_t, uml_tmp_t)
+manage_files_pattern(uml_t, uml_tmp_t, uml_tmp_t)
+files_tmp_filetrans(uml_t, uml_tmp_t, { file dir })
+can_exec(uml_t, uml_tmp_t)
+
+manage_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t)
+manage_lnk_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t)
+manage_fifo_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t)
+manage_sock_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t)
+fs_tmpfs_filetrans(uml_t, uml_tmpfs_t, { file lnk_file sock_file fifo_file })
+can_exec(uml_t, uml_tmpfs_t)
+
+# access config files
+allow uml_t { uml_ro_t uml_ro_t }:dir list_dir_perms;
+read_files_pattern(uml_t, { uml_ro_t uml_ro_t }, { uml_ro_t uml_ro_t })
+read_lnk_files_pattern(uml_t, { uml_ro_t uml_ro_t }, { uml_ro_t uml_ro_t })
+
+manage_dirs_pattern(uml_t, uml_rw_t, uml_rw_t)
+manage_files_pattern(uml_t, uml_rw_t, uml_rw_t)
+manage_lnk_files_pattern(uml_t, uml_rw_t, uml_rw_t)
+manage_fifo_files_pattern(uml_t, uml_rw_t, uml_rw_t)
+manage_sock_files_pattern(uml_t, uml_rw_t, uml_rw_t)
+userdom_user_home_dir_filetrans(uml_t, uml_rw_t, { file lnk_file sock_file fifo_file })
+
+can_exec(uml_t, { uml_exec_t uml_exec_t })
+
+kernel_read_system_state(uml_t)
+# for SKAS - need something better
+kernel_write_proc_files(uml_t)
+
+# for xterm
+corecmd_exec_bin(uml_t)
+
+corenet_all_recvfrom_unlabeled(uml_t)
+corenet_all_recvfrom_netlabel(uml_t)
+corenet_tcp_sendrecv_generic_if(uml_t)
+corenet_udp_sendrecv_generic_if(uml_t)
+corenet_tcp_sendrecv_all_nodes(uml_t)
+corenet_udp_sendrecv_all_nodes(uml_t)
+corenet_tcp_sendrecv_all_ports(uml_t)
+corenet_udp_sendrecv_all_ports(uml_t)
+corenet_tcp_connect_all_ports(uml_t)
+corenet_sendrecv_all_client_packets(uml_t)
+corenet_rw_tun_tap_dev(uml_t)
+
+domain_use_interactive_fds(uml_t)
+
+# for xterm
+files_read_etc_files(uml_t)
+files_dontaudit_read_etc_runtime_files(uml_t)
+# putting uml data under /var is usual...
+files_search_var(uml_t)
+
+fs_getattr_xattr_fs(uml_t)
+
+init_read_utmp(uml_t)
+init_dontaudit_write_utmp(uml_t)
+
+# for xterm
+libs_exec_lib_files(uml_t)
+
+# Inherit and use descriptors from newrole.
+seutil_use_newrole_fds(uml_t)
+
+# Use the network.
+sysnet_read_config(uml_t)
+
+userdom_use_user_terminals(uml_t)
+
+optional_policy(`
+ nis_use_ypbind(uml_t)
+')
+
+########################################
+#
+# Local policy
+#
+
dontaudit uml_switch_t self:capability sys_tty_config;
allow uml_switch_t self:process signal_perms;
allow uml_switch_t self:unix_dgram_socket create_socket_perms;
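Review bot: `allow uml_t { uml_ro_t uml_ro_t }:dir list_dir_perms;`, the two `read_*_pattern` rules under it and `can_exec(uml_t, { uml_exec_t uml_exec_t })` carry the same type twice inside a set, a leftover of replacing `$1_uml_ro_t`/`$1_uml_exec_t` with the shared name; they compile, but should read `allow uml_t uml_ro_t:dir list_dir_perms;`, `read_files_pattern(uml_t, uml_ro_t, uml_ro_t)` and `can_exec(uml_t, uml_exec_t)`. The second `# Local policy` banner just above `dontaudit uml_switch_t self:capability sys_tty_config;` duplicates the one at the top of the hunk; `# uml_switch local policy` would tell the two sections apart. The devpts rule also changed from the removed template's `rw_chr_file_perms` to `rw_file_perms`; if that was not intended, keep `{ rw_chr_file_perms setattr }`.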
@@ -54,8 +177,7 @@ logging_send_syslog_msg(uml_switch_t)
miscfiles_read_localization(uml_switch_t)
userdom_dontaudit_use_unpriv_user_fds(uml_switch_t)
-
-sysadm_dontaudit_search_home_dirs(uml_switch_t)
+userdom_dontaudit_search_user_home_dirs(uml_switch_t)
optional_policy(`
seutil_sigchld_newrole(uml_switch_t)
diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if
index b144715..c25e403 100644
--- a/policy/modules/apps/userhelper.if
+++ b/policy/modules/apps/userhelper.if
@@ -2,38 +2,28 @@
#######################################
##
-## The per role template for the userhelper module.
+## The role template for the userhelper module.
##
-##
-##
-## This template creates a derived domains which are used
-## for userhelper.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
+##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
##
##
-##
+##
##
-## The type of the user domain.
+## The user role.
##
##
-##
+##
##
-## The role associated with the user domain.
+## The user domain associated with the role.
##
##
#
-template(`userhelper_per_role_template',`
+template(`userhelper_role_template',`
gen_require(`
+ attribute userhelper_type;
type userhelper_exec_t, userhelper_conf_t;
')
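Review bot: the parameter order of `userhelper_role_template` is (prefix, role, domain), whereas the removed `userhelper_per_role_template` took (prefix, domain, role), and the doc block does not mention that the order changed; a short note in the description, e.g. `## Parameters are (prefix, role, user domain); role and domain swapped places relative to the old per-role template.`, would spare callers a confusing compile failure. The banner above the doc block is one `#` shorter than the `########################################` used by the other .if files in this diff.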
@@ -42,13 +32,14 @@ template(`userhelper_per_role_template',`
# Declarations
#
- type $1_userhelper_t;
+ type $1_userhelper_t, userhelper_type;
application_domain($1_userhelper_t, userhelper_exec_t)
domain_role_change_exemption($1_userhelper_t)
domain_obj_id_change_exemption($1_userhelper_t)
domain_interactive_fd($1_userhelper_t)
domain_subj_id_change_exemption($1_userhelper_t)
- role $3 types $1_userhelper_t;
+ ubac_constrained($1_userhelper_t)
+ role $2 types $1_userhelper_t;
########################################
#
@@ -70,14 +61,14 @@ template(`userhelper_per_role_template',`
allow $1_userhelper_t self:sock_file read_sock_file_perms;
#Transition to the derived domain.
- domtrans_pattern($2, userhelper_exec_t, $1_userhelper_t)
+ domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)
allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;
rw_files_pattern($1_userhelper_t, userhelper_conf_t, userhelper_conf_t)
can_exec($1_userhelper_t, userhelper_exec_t)
- dontaudit $2 $1_userhelper_t:process signal;
+ dontaudit $3 $1_userhelper_t:process signal;
kernel_read_all_sysctls($1_userhelper_t)
kernel_getattr_debugfs($1_userhelper_t)
@@ -86,7 +77,7 @@ template(`userhelper_per_role_template',`
# Execute shells
corecmd_exec_shell($1_userhelper_t)
# By default, revert to the calling domain when a program is executed
- corecmd_bin_domtrans($1_userhelper_t,$2)
+ corecmd_bin_domtrans($1_userhelper_t, $3)
# Inherit descriptors from the current session.
domain_use_interactive_fds($1_userhelper_t)
@@ -98,8 +89,6 @@ template(`userhelper_per_role_template',`
dev_list_all_dev_nodes($1_userhelper_t)
files_list_var_lib($1_userhelper_t)
- # Write to utmp.
- files_pid_filetrans($1_userhelper_t,initrc_var_run_t,file)
# Read the /etc/security/default_type file
files_read_etc_files($1_userhelper_t)
# Read /var.
@@ -138,13 +127,13 @@ template(`userhelper_per_role_template',`
init_use_fds($1_userhelper_t)
# Write to utmp.
init_manage_utmp($1_userhelper_t)
+ init_pid_filetrans_utmp($1_userhelper_t)
miscfiles_read_localization($1_userhelper_t)
seutil_read_config($1_userhelper_t)
seutil_read_default_contexts($1_userhelper_t)
- userdom_use_unpriv_users_fds($1_userhelper_t)
# Allow $1_userhelper_t to transition to user domains.
userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t)
userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)
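Review bot: `userdom_use_unpriv_users_fds($1_userhelper_t)` is removed without a replacement and without a comment, so the reason is not recoverable from the hunk. The `domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)` elsewhere in the template lets the helper use the fds of the calling domain `$3` only, so any other domain that ends up executing `userhelper_exec_t` into this type (unclear from here whether such paths exist) loses inherited stdin/stdout. If the intent is that only the role's own user domain launches the helper, record it where the line was removed: `# fds are inherited only from the launching user domain; see domtrans_pattern above`. The template body continues outside this hunk.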
@@ -156,14 +145,8 @@ template(`userhelper_per_role_template',`
')
')
- tunable_policy(`! secure_mode',`
- #if we are not in secure mode then we can transition to sysadm_t
- sysadm_bin_spec_domtrans($1_userhelper_t)
- sysadm_entry_spec_domtrans($1_userhelper_t)
- ')
-
optional_policy(`
- ethereal_domtrans_user_ethereal($1, $1_userhelper_t)
+ ethereal_domtrans($1_userhelper_t)
')
optional_policy(`
@@ -177,6 +160,14 @@ template(`userhelper_per_role_template',`
optional_policy(`
nscd_socket_use($1_userhelper_t)
')
+
+ optional_policy(`
+ tunable_policy(`! secure_mode',`
+ #if we are not in secure mode then we can transition to sysadm_t
+ sysadm_bin_spec_domtrans($1_userhelper_t)
+ sysadm_entry_spec_domtrans($1_userhelper_t)
+ ')
+ ')
')
########################################
@@ -220,46 +211,36 @@ interface(`userhelper_dontaudit_search_config',`
##
## Allow domain to use userhelper file descriptor.
##
-##
-##
-## The prefix of the domain, example user is the prefix of user_t.
-##
-##
##
##
## Domain allowed access.
##
##
#
-template(`userhelper_use_user_fd',`
+interface(`userhelper_use_fd',`
gen_require(`
- type $1_userhelper_t;
+ attribute userhelper_type;
')
- allow $2 $1_userhelper_t:fd use;
+ allow $1 userhelper_type:fd use;
')
########################################
##
## Allow domain to send sigchld to userhelper.
##
-##
-##
-## The prefix of the domain, example user is the prefix of user_t.
-##
-##
##
##
## Domain allowed access.
##
##
#
-template(`userhelper_sigchld_user',`
+interface(`userhelper_sigchld',`
gen_require(`
- type $1_userhelper_t;
+ attribute userhelper_type;
')
- allow $2 $1_userhelper_t:process sigchld;
+ allow $1 userhelper_type:process sigchld;
')
########################################
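Review bot: `userhelper_use_fd` and `userhelper_sigchld` now grant against the `userhelper_type` attribute, so a caller gets fd use on, and may send sigchld to, every role's `$1_userhelper_t` rather than only the one derived for its own role as the removed `$1`-prefixed templates did. The separation that used to be encoded in the type name now rests entirely on the UBAC constraint applied by `ubac_constrained()` in the template; if UBAC is a build-time option, the separation disappears when it is off. That should be visible to users of these interfaces, e.g. in each description: `## Access is granted to every userhelper domain regardless of role; role separation relies on UBAC.`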
diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te
index b93fc24..eac2ff4 100644
--- a/policy/modules/apps/userhelper.te
+++ b/policy/modules/apps/userhelper.te
@@ -1,11 +1,13 @@
-policy_module(userhelper, 1.4.0)
+policy_module(userhelper, 1.4.1)
########################################
#
# Declarations
#
+attribute userhelper_type;
+
type userhelper_conf_t;
files_type(userhelper_conf_t)
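Review bot: The new `attribute userhelper_type;` has no comment saying what carries it, and the declaration is where a reader will look first. Suggest `# Attribute of every per-role userhelper domain derived by userhelper_role_template()` above the line. Since the interfaces that grant against this attribute reach all such domains at once, the comment is also the natural place to say so.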
diff --git a/policy/modules/apps/usernetctl.if b/policy/modules/apps/usernetctl.if
index f846690..cc4609c 100644
--- a/policy/modules/apps/usernetctl.if
+++ b/policy/modules/apps/usernetctl.if
@@ -33,11 +33,6 @@ interface(`usernetctl_domtrans',`
## The role to be allowed the usernetctl domain.
##
##
-##
-##
-## The type of the terminal allow the usernetctl domain to use.
-##
-##
##
#
interface(`usernetctl_run',`
@@ -47,24 +42,23 @@ interface(`usernetctl_run',`
usernetctl_domtrans($1)
role $2 types usernetctl_t;
- allow usernetctl_t $3:chr_file rw_term_perms;
- sysnet_run_ifconfig(usernetctl_t, $2, $3)
- sysnet_run_dhcpc(usernetctl_t, $2, $3)
+ sysnet_run_ifconfig(usernetctl_t, $2)
+ sysnet_run_dhcpc(usernetctl_t, $2)
optional_policy(`
- consoletype_run(usernetctl_t, $2, $3)
+ consoletype_run(usernetctl_t, $2)
')
optional_policy(`
- iptables_run(usernetctl_t, $2, $3)
+ iptables_run(usernetctl_t, $2)
')
optional_policy(`
- modutils_run_insmod(usernetctl_t, $2, $3)
+ modutils_run_insmod(usernetctl_t, $2)
')
optional_policy(`
- ppp_run(usernetctl_t, $2, $3)
+ ppp_run(usernetctl_t, $2)
')
')
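Review bot: `usernetctl_run` silently loses its third parameter; because these interfaces are m4 macros, a caller that still passes a terminal type gets no error, the argument is simply ignored, and the per-terminal `rw_term_perms` grant that caller expected is no longer made here. A sentence in the interface description noting that the terminal parameter was removed and that terminal access now comes from the usernetctl type-enforcement policy would help callers migrating. If the project has a deprecation-warning macro for interfaces, emitting it when `$3` is non-empty would catch stale callers at build time.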
diff --git a/policy/modules/apps/usernetctl.te b/policy/modules/apps/usernetctl.te
index aa63889..ef81e79 100644
--- a/policy/modules/apps/usernetctl.te
+++ b/policy/modules/apps/usernetctl.te
@@ -1,5 +1,5 @@
-policy_module(usernetctl, 1.4.0)
+policy_module(usernetctl, 1.4.1)
########################################
#
@@ -59,7 +59,7 @@ seutil_read_config(usernetctl_t)
sysnet_read_config(usernetctl_t)
-term_search_ptys(usernetctl_t)
+userdom_use_user_terminals(usernetctl_t)
optional_policy(`
hostname_exec(usernetctl_t)
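Review bot: Replacing `term_search_ptys(usernetctl_t)` with `userdom_use_user_terminals(usernetctl_t)` widens terminal access from searching the pty directory to read/write on all user terminal types, unconditionally, whereas before the rw grant was made by `usernetctl_run` only for the terminal type the calling role passed in. usernetctl_t is a single domain shared by every role that is given it, so a usernetctl process started from one role can now write to another role's tty unless UBAC separates them. A comment on the new line should record that reliance, e.g. `# all user terminal types; per-role separation relies on UBAC`. Also confirm that `userdom_use_user_terminals` still provides the pty directory search the removed line gave — its body is not visible here.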
diff --git a/policy/modules/apps/vmware.fc b/policy/modules/apps/vmware.fc
index cf2097d..85b26a5 100644
--- a/policy/modules/apps/vmware.fc
+++ b/policy/modules/apps/vmware.fc
@@ -1,9 +1,9 @@
#
# HOME_DIR/
#
-HOME_DIR/\.vmware(/.*)? gen_context(system_u:object_r:ROLE_vmware_file_t,s0)
-HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:ROLE_vmware_conf_t,s0)
-HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:ROLE_vmware_file_t,s0)
+HOME_DIR/\.vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0)
+HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:vmware_conf_t,s0)
+HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0)
#
# /etc
diff --git a/policy/modules/apps/vmware.if b/policy/modules/apps/vmware.if
index d4d83f6..80afe1f 100644
--- a/policy/modules/apps/vmware.if
+++ b/policy/modules/apps/vmware.if
@@ -1,168 +1,33 @@
## VMWare Workstation virtual machines
-#######################################
+########################################
##
-## The per role template for the vmware module.
+## Role access for vmware
##
-##
-##
-## This template creates a derived domain which is used
-## for vmware sessions.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
+##
##
-## The type of the user domain.
+## Role allowed access
##
##
-##
+##
##
-## The role associated with the user domain.
+## User domain for the role
##
##
#
-template(`vmware_per_role_template',`
+interface(`vmware_role',`
gen_require(`
- type vmware_exec_t, vmware_sys_conf_t;
+ type vmware_t, vmware_exec_t;
')
- ##############################
- #
- # Declarations
- #
-
- type $1_vmware_t;
- domain_type($1_vmware_t)
- domain_entry_file($1_vmware_t, vmware_exec_t)
- role $3 types $1_vmware_t;
-
- type $1_vmware_conf_t;
- userdom_user_home_content($1, $1_vmware_conf_t)
-
- type $1_vmware_file_t;
- userdom_user_home_content($1, $1_vmware_file_t)
-
- type $1_vmware_tmp_t;
- files_tmp_file($1_vmware_tmp_t)
-
- type $1_vmware_tmpfs_t;
- files_tmpfs_file($1_vmware_tmpfs_t)
-
- type $1_vmware_var_run_t;
- files_pid_file($1_vmware_var_run_t)
-
- ##############################
- #
- # Local policy
- #
-
- allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown };
- dontaudit $1_vmware_t self:capability sys_tty_config;
- allow $1_vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow $1_vmware_t self:process { execmem execstack };
- allow $1_vmware_t self:fd use;
- allow $1_vmware_t self:fifo_file rw_fifo_file_perms;
- allow $1_vmware_t self:unix_dgram_socket create_socket_perms;
- allow $1_vmware_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_vmware_t self:unix_dgram_socket sendto;
- allow $1_vmware_t self:unix_stream_socket connectto;
- allow $1_vmware_t self:shm create_shm_perms;
- allow $1_vmware_t self:sem create_sem_perms;
- allow $1_vmware_t self:msgq create_msgq_perms;
- allow $1_vmware_t self:msg { send receive };
-
- can_exec($1_vmware_t, vmware_exec_t)
-
- # User configuration files
- allow $1_vmware_t $1_vmware_conf_t:file manage_file_perms;
-
- # VMWare disks
- manage_files_pattern($1_vmware_t, $1_vmware_file_t, $1_vmware_file_t)
- manage_lnk_files_pattern($1_vmware_t, $1_vmware_file_t, $1_vmware_file_t)
-
- allow $1_vmware_t $1_vmware_tmp_t:file execute;
- manage_dirs_pattern($1_vmware_t, $1_vmware_tmp_t, $1_vmware_tmp_t)
- manage_files_pattern($1_vmware_t, $1_vmware_tmp_t, $1_vmware_tmp_t)
- manage_sock_files_pattern($1_vmware_t, $1_vmware_tmp_t, $1_vmware_tmp_t)
- files_tmp_filetrans($1_vmware_t, $1_vmware_tmp_t, { file dir })
-
- manage_files_pattern($1_vmware_t, $1_vmware_tmpfs_t, $1_vmware_tmpfs_t)
- manage_lnk_files_pattern($1_vmware_t, $1_vmware_tmpfs_t, $1_vmware_tmpfs_t)
- manage_fifo_files_pattern($1_vmware_t, $1_vmware_tmpfs_t, $1_vmware_tmpfs_t)
- manage_sock_files_pattern($1_vmware_t, $1_vmware_tmpfs_t, $1_vmware_tmpfs_t)
- fs_tmpfs_filetrans($1_vmware_t, $1_vmware_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-
- # Read clobal configuration files
- allow $1_vmware_t vmware_sys_conf_t:dir list_dir_perms;
- read_files_pattern($1_vmware_t, vmware_sys_conf_t, vmware_sys_conf_t)
- read_lnk_files_pattern($1_vmware_t, vmware_sys_conf_t, vmware_sys_conf_t)
-
- manage_dirs_pattern($1_vmware_t, $1_vmware_var_run_t, $1_vmware_var_run_t)
- manage_files_pattern($1_vmware_t, $1_vmware_var_run_t, $1_vmware_var_run_t)
- manage_lnk_files_pattern($1_vmware_t, $1_vmware_var_run_t, $1_vmware_var_run_t)
- manage_sock_files_pattern($1_vmware_t, $1_vmware_var_run_t, $1_vmware_var_run_t)
- files_pid_filetrans($1_vmware_t, $1_vmware_var_run_t, { dir file lnk_file })
-
- domtrans_pattern($2, vmware_exec_t, $1_vmware_t)
-
- kernel_read_system_state($1_vmware_t)
- kernel_read_network_state($1_vmware_t)
- kernel_read_kernel_sysctls($1_vmware_t)
-
- # startup scripts
- corecmd_exec_bin($1_vmware_t)
- corecmd_exec_shell($1_vmware_t)
-
- dev_read_raw_memory($1_vmware_t)
- dev_write_raw_memory($1_vmware_t)
- dev_read_mouse($1_vmware_t)
- dev_write_sound($1_vmware_t)
- dev_read_realtime_clock($1_vmware_t)
- dev_rwx_vmware($1_vmware_t)
- dev_rw_usbfs($1_vmware_t)
- dev_search_sysfs($1_vmware_t)
-
- domain_use_interactive_fds($1_vmware_t)
-
- files_read_etc_files($1_vmware_t)
- files_read_etc_runtime_files($1_vmware_t)
- files_read_usr_files($1_vmware_t)
- files_list_home($1_vmware_t)
-
- fs_getattr_xattr_fs($1_vmware_t)
- fs_search_auto_mountpoints($1_vmware_t)
-
- storage_raw_read_removable_device($1_vmware_t)
- storage_raw_write_removable_device($1_vmware_t)
-
- # startup scripts run ldd
- libs_exec_ld_so($1_vmware_t)
- # Access X11 config files
- libs_read_lib_files($1_vmware_t)
-
- miscfiles_read_localization($1_vmware_t)
-
- userdom_use_user_terminals($1, $1_vmware_t)
- userdom_use_unpriv_users_fds($1_vmware_t)
- userdom_list_user_home_dirs($1, $1_vmware_t)
- # cjp: why?
- userdom_read_user_home_content_files($1, $1_vmware_t)
+ role $1 types vmware_t;
- sysnet_dns_name_resolve($1_vmware_t)
- sysnet_read_config($1_vmware_t)
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, vmware_exec_t, vmware_t)
- xserver_user_x_domain_template($1, $1_vmware, $1_vmware_t, $1_vmware_tmpfs_t)
+ # allow ps to show vmware and allow the user to kill it
+ ps_process_pattern($2, vmware_t)
+ allow $2 vmware_t:process signal;
')
########################################
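Review bot: `vmware_role` grants the user domain `ps_process_pattern($2, vmware_t)` and `allow $2 vmware_t:process signal;`, which the removed template never did, and puts `role $1 types vmware_t` on one shared type, yet the description says only "Role access for vmware". A reader cannot tell from the interface that the vmware processes of every role now share a single domain and that keeping them apart is left to the `ubac_constrained(vmware_t)` applied in vmware.te. Suggest expanding the description: `## Grants the role the shared vmware_t domain, a transition into it from the role's user domain, and the ability to list and signal its vmware processes. Separation between roles relies on UBAC.`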
@@ -180,7 +45,7 @@ interface(`vmware_read_system_config',`
type vmware_sys_conf_t;
')
- allow $1 vmware_sys_conf_t:file read_file_perms;
+ allow $1 vmware_sys_conf_t:file { getattr read };
')
########################################
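Review bot: Narrowing `read_file_perms` to `{ getattr read }` in `vmware_read_system_config` drops `open` (as well as `ioctl` and `lock`), so with the open permission check enabled a caller can read an inherited descriptor but cannot open a config file itself. If a deliberately narrow grant is wanted, `{ getattr open read }` is the minimum that lets the caller actually read the file; otherwise keep `read_file_perms`. The type-enforcement side uses `read_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t)` for its own access, so the two are inconsistent as written.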
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
index bf61196..8cc3a31 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@@ -1,5 +1,5 @@
-policy_module(vmware, 1.6.0)
+policy_module(vmware, 2.0.0)
########################################
#
@@ -7,23 +7,58 @@ policy_module(vmware, 1.6.0)
#
# VMWare user program
+type vmware_t;
type vmware_exec_t;
-corecmd_executable_file(vmware_exec_t)
+typealias vmware_t alias { user_vmware_t staff_vmware_t sysadm_vmware_t };
+typealias vmware_t alias { auditadm_vmware_t secadm_vmware_t };
+application_domain(vmware_t, vmware_exec_t)
+ubac_constrained(vmware_t)
+
+type vmware_conf_t;
+typealias vmware_conf_t alias { user_vmware_conf_t staff_vmware_conf_t sysadm_vmware_conf_t };
+typealias vmware_conf_t alias { auditadm_vmware_conf_t secadm_vmware_conf_t };
+userdom_user_home_content(vmware_conf_t)
+
+type vmware_file_t;
+typealias vmware_file_t alias { user_vmware_file_t staff_vmware_file_t sysadm_vmware_file_t };
+typealias vmware_file_t alias { auditadm_vmware_file_t secadm_vmware_file_t };
+userdom_user_home_content(vmware_file_t)
# VMWare host programs
type vmware_host_t;
type vmware_host_exec_t;
init_daemon_domain(vmware_host_t, vmware_host_exec_t)
+type vmware_host_pid_t alias vmware_var_run_t;
+files_pid_file(vmware_host_pid_t)
+
type vmware_log_t;
+typealias vmware_log_t alias { user_vmware_log_t staff_vmware_log_t sysadm_vmware_log_t };
+typealias vmware_log_t alias { auditadm_vmware_log_t secadm_vmware_log_t };
logging_log_file(vmware_log_t)
+ubac_constrained(vmware_log_t)
+
+type vmware_pid_t;
+typealias vmware_pid_t alias { user_vmware_pid_t staff_vmware_pid_t sysadm_vmware_pid_t };
+typealias vmware_pid_t alias { auditadm_vmware_pid_t secadm_vmware_pid_t };
+files_pid_file(vmware_pid_t)
+ubac_constrained(vmware_pid_t)
# Systemwide configuration files
type vmware_sys_conf_t;
files_type(vmware_sys_conf_t)
-type vmware_var_run_t;
-files_pid_file(vmware_var_run_t)
+type vmware_tmp_t;
+typealias vmware_tmp_t alias { user_vmware_tmp_t staff_vmware_tmp_t sysadm_vmware_tmp_t };
+typealias vmware_tmp_t alias { auditadm_vmware_tmp_t secadm_vmware_tmp_t };
+files_tmp_file(vmware_tmp_t)
+ubac_constrained(vmware_tmp_t)
+
+type vmware_tmpfs_t;
+typealias vmware_tmpfs_t alias { user_vmware_tmpfs_t staff_vmware_tmpfs_t sysadm_vmware_tmpfs_t };
+typealias vmware_tmpfs_t alias { auditadm_vmware_tmpfs_t secadm_vmware_tmpfs_t };
+files_tmpfs_file(vmware_tmpfs_t)
+ubac_constrained(vmware_tmpfs_t)
########################################
#
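Review bot: The compatibility aliases for `vmware_pid_t` (`user_vmware_pid_t`, `staff_vmware_pid_t`, ...) do not match the names the old template declared: vmware.if removes `type $1_vmware_var_run_t`, so the labels already on disk are `user_vmware_var_run_t` and friends, and those names are left undefined. Files under the pid directory carrying the old type would become invalid labels after the policy update until a relabel. Suggest `typealias vmware_pid_t alias { user_vmware_var_run_t staff_vmware_var_run_t sysadm_vmware_var_run_t };` and the same for the auditadm/secadm pair. The `*_vmware_log_t` aliases likewise have no removed per-role type in this diff; if they only existed in an older release that is fine, otherwise they can go.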
@@ -92,8 +127,7 @@ miscfiles_read_localization(vmware_host_t)
sysnet_dns_name_resolve(vmware_host_t)
userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
-
-sysadm_dontaudit_search_home_dirs(vmware_host_t)
+userdom_dontaudit_search_user_home_dirs(vmware_host_t)
netutils_domtrans_ping(vmware_host_t)
@@ -105,3 +139,112 @@ optional_policy(`
optional_policy(`
udev_read_db(vmware_host_t)
')
+
+ifdef(`TODO',`
+# VMWare need access to pcmcia devices for network
+optional_policy(`
+allow kernel_t cardmgr_var_lib_t:dir { getattr search };
+allow kernel_t cardmgr_var_lib_t:file { getattr ioctl read };
+')
+# Vmware create network devices
+allow kernel_t self:capability net_admin;
+allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
+allow kernel_t self:socket create;
+')
+
+##############################
+#
+# VMWare guest local policy
+#
+
+allow vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown };
+dontaudit vmware_t self:capability sys_tty_config;
+allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow vmware_t self:process { execmem execstack };
+allow vmware_t self:fd use;
+allow vmware_t self:fifo_file rw_fifo_file_perms;
+allow vmware_t self:unix_dgram_socket { create_socket_perms sendto };
+allow vmware_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow vmware_t self:shm create_shm_perms;
+allow vmware_t self:sem create_sem_perms;
+allow vmware_t self:msgq create_msgq_perms;
+allow vmware_t self:msg { send receive };
+
+can_exec(vmware_t, vmware_exec_t)
+
+# User configuration files
+allow vmware_t vmware_conf_t:file manage_file_perms;
+
+# VMWare disks
+manage_files_pattern(vmware_t, vmware_file_t, vmware_file_t)
+manage_lnk_files_pattern(vmware_t, vmware_file_t, vmware_file_t)
+
+allow vmware_t vmware_tmp_t:file execute;
+manage_dirs_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t)
+manage_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t)
+manage_sock_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t)
+files_tmp_filetrans(vmware_t, vmware_tmp_t, { file dir })
+
+manage_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
+manage_lnk_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
+manage_fifo_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
+manage_sock_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t)
+fs_tmpfs_filetrans(vmware_t, vmware_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+# Read clobal configuration files
+allow vmware_t vmware_sys_conf_t:dir list_dir_perms;
+read_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t)
+read_lnk_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t)
+
+manage_dirs_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
+manage_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
+manage_lnk_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
+manage_sock_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t)
+files_pid_filetrans(vmware_t, vmware_pid_t, { dir file lnk_file })
+
+kernel_read_system_state(vmware_t)
+kernel_read_network_state(vmware_t)
+kernel_read_kernel_sysctls(vmware_t)
+
+# startup scripts
+corecmd_exec_bin(vmware_t)
+corecmd_exec_shell(vmware_t)
+
+dev_read_raw_memory(vmware_t)
+dev_write_raw_memory(vmware_t)
+dev_read_mouse(vmware_t)
+dev_write_sound(vmware_t)
+dev_read_realtime_clock(vmware_t)
+dev_rwx_vmware(vmware_t)
+dev_rw_usbfs(vmware_t)
+dev_search_sysfs(vmware_t)
+
+domain_use_interactive_fds(vmware_t)
+
+files_read_etc_files(vmware_t)
+files_read_etc_runtime_files(vmware_t)
+files_read_usr_files(vmware_t)
+files_list_home(vmware_t)
+
+fs_getattr_xattr_fs(vmware_t)
+fs_search_auto_mountpoints(vmware_t)
+
+storage_raw_read_removable_device(vmware_t)
+storage_raw_write_removable_device(vmware_t)
+
+# startup scripts run ldd
+libs_exec_ld_so(vmware_t)
+# Access X11 config files
+libs_read_lib_files(vmware_t)
+
+miscfiles_read_localization(vmware_t)
+
+userdom_use_user_terminals(vmware_t)
+userdom_list_user_home_dirs(vmware_t)
+# cjp: why?
+userdom_read_user_home_content_files(vmware_t)
+
+sysnet_dns_name_resolve(vmware_t)
+sysnet_read_config(vmware_t)
+
+xserver_user_x_domain_template(vmware, vmware_t, vmware_tmpfs_t)
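Review bot: The new `ifdef(`TODO',...)` block carries `allow kernel_t self:capability net_admin;` and netlink/socket rules for `kernel_t` inside the vmware module; it is dead under a never-defined macro, but it is a standing invitation to enable a capability grant on the kernel domain from an application module. Either drop it or reduce it to a plain comment describing the pcmcia/network-device need. Separately, `allow vmware_t self:process ~{ ... execmem execstack execheap };` followed by `allow vmware_t self:process { execmem execstack };` is redundant: the pair collapses to `allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };`, which makes the effective grant obvious. Both patterns are carried over from the removed template, so the redundancy predates this commit.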
diff --git a/policy/modules/apps/webalizer.if b/policy/modules/apps/webalizer.if
index 7b0bc5c..1d25688 100644
--- a/policy/modules/apps/webalizer.if
+++ b/policy/modules/apps/webalizer.if
@@ -33,11 +33,6 @@ interface(`webalizer_domtrans',`
## The role to be allowed the webalizer domain.
##
##
-##
-##
-## The type of the terminal allow the webalizer domain to use.
-##
-##
##
#
interface(`webalizer_run',`
@@ -47,5 +42,4 @@ interface(`webalizer_run',`
webalizer_domtrans($1)
role $2 types webalizer_t;
- allow webalizer_t $3:chr_file rw_term_perms;
')
diff --git a/policy/modules/apps/webalizer.te b/policy/modules/apps/webalizer.te
index 3553ffc..e268644 100644
--- a/policy/modules/apps/webalizer.te
+++ b/policy/modules/apps/webalizer.te
@@ -1,5 +1,5 @@
-policy_module(webalizer, 1.7.0)
+policy_module(webalizer, 1.7.1)
########################################
#
@@ -80,8 +80,9 @@ miscfiles_read_localization(webalizer_t)
sysnet_dns_name_resolve(webalizer_t)
sysnet_read_config(webalizer_t)
+userdom_use_user_terminals(webalizer_t)
userdom_use_unpriv_users_fds(webalizer_t)
-userdom_dontaudit_search_all_users_home_content(webalizer_t)
+userdom_dontaudit_search_user_home_content(webalizer_t)
apache_read_log(webalizer_t)
apache_manage_sys_content(webalizer_t)
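Review bot: `userdom_use_user_terminals(webalizer_t)` makes terminal read/write unconditional in the type-enforcement file, whereas the removed `allow webalizer_t $3:chr_file rw_term_perms;` in `webalizer_run` applied only when a role actually invoked the run interface and only to that role's terminal type. The domain appears to be a non-interactive log processor much of the time (it reads apache logs per the surrounding `apache_read_log` rule), so the grant now also covers runs nothing interactive launched. If that is acceptable, a comment such as `# interactive runs use the invoking user's terminal; role separation relies on UBAC` would make it intentional; otherwise the grant belongs back in `webalizer_run`.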
diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
index 48ba074..7a99209 100644
--- a/policy/modules/apps/wine.if
+++ b/policy/modules/apps/wine.if
@@ -34,11 +34,6 @@ interface(`wine_domtrans',`
## The role to be allowed the wine domain.
##
##
-##
-##
-## The type of the terminal allow the wine domain to use.
-##
-##
#
interface(`wine_run',`
gen_require(`
@@ -47,5 +42,4 @@ interface(`wine_run',`
wine_domtrans($1)
role $2 types wine_t;
- allow wine_t $3:chr_file rw_term_perms;
')
diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
index 6789cdc..6dd261c 100644
--- a/policy/modules/apps/wine.te
+++ b/policy/modules/apps/wine.te
@@ -1,5 +1,5 @@
-policy_module(wine, 1.5.0)
+policy_module(wine, 1.5.1)
########################################
#
@@ -15,6 +15,8 @@ application_domain(wine_t, wine_exec_t)
# Local policy
#
+userdom_use_user_terminals(wine_t)
+
optional_policy(`
allow wine_t self:process { execstack execmem execheap };
unconfined_domain_noaudit(wine_t)
diff --git a/policy/modules/apps/wireshark.fc b/policy/modules/apps/wireshark.fc
index dac9c99..96844ae 100644
--- a/policy/modules/apps/wireshark.fc
+++ b/policy/modules/apps/wireshark.fc
@@ -1,3 +1,3 @@
-HOME_DIR/\.wireshark(/.*)? gen_context(system_u:object_r:ROLE_wireshark_home_t,s0)
+HOME_DIR/\.wireshark(/.*)? gen_context(system_u:object_r:wireshark_home_t,s0)
/usr/bin/wireshark -- gen_context(system_u:object_r:wireshark_exec_t,s0)
diff --git a/policy/modules/apps/wireshark.if b/policy/modules/apps/wireshark.if
index 8a0af00..a7c27a5 100644
--- a/policy/modules/apps/wireshark.if
+++ b/policy/modules/apps/wireshark.if
@@ -1,242 +1,55 @@
## Wireshark packet capture tool.
-#######################################
+############################################################
##
-## The per role template for the wireshark module.
+## Role access for wireshark
##
-##
-##
-## This template creates a derived domains which are used
-## for wireshark packet capture tool.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
+##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## Role allowed access
##
##
-##
-##
-## The type of the user domain.
-##
-##
-##
+##
##
-## The role associated with the user domain.
+## User domain for the role
##
##
#
-template(`wireshark_per_role_template',`
-
+interface(`wireshark_role',`
gen_require(`
- type wireshark_exec_t;
+ type wireshark_t, wireshark_exec_t;
+ type wireshark_home_t, wireshark_tmp_t;
+ type wireshark_tmpfs_t;
')
- ##############################
- #
- # Declarations
- #
-
- # Type for program
- type $1_wireshark_t;
- application_domain($1_wireshark_t, wireshark_exec_t)
- role $3 types $1_wireshark_t;
-
- type $1_wireshark_home_t;
- files_poly_member($1_wireshark_home_t)
- userdom_user_home_content($1, $1_wireshark_home_t)
-
- type $1_wireshark_tmp_t;
- files_tmp_file($1_wireshark_tmp_t)
-
- type $1_wireshark_tmpfs_t;
- files_tmpfs_file($1_wireshark_tmpfs_t)
-
- ##############################
- #
- # Local Policy
- #
-
- allow $1_wireshark_t self:capability { net_admin net_raw setgid };
- allow $1_wireshark_t self:process { signal getsched };
- allow $1_wireshark_t self:fifo_file { getattr read write };
- allow $1_wireshark_t self:shm destroy;
- allow $1_wireshark_t self:shm create_shm_perms;
- allow $1_wireshark_t self:netlink_route_socket { nlmsg_read create_socket_perms };
- allow $1_wireshark_t self:packet_socket { setopt bind ioctl getopt create read };
- allow $1_wireshark_t self:tcp_socket create_socket_perms;
- allow $1_wireshark_t self:udp_socket create_socket_perms;
-
- # Re-execute itself (why?)
- can_exec($1_wireshark_t, wireshark_exec_t)
- corecmd_search_bin($1_wireshark_t)
-
- # /home/.wireshark
- manage_dirs_pattern($1_wireshark_t, $1_wireshark_home_t, $1_wireshark_home_t)
- manage_files_pattern($1_wireshark_t, $1_wireshark_home_t, $1_wireshark_home_t)
- manage_lnk_files_pattern($1_wireshark_t, $1_wireshark_home_t, $1_wireshark_home_t)
- userdom_user_home_dir_filetrans($1, $1_wireshark_t, $1_wireshark_home_t, dir)
-
- # Store temporary files
- manage_dirs_pattern($1_wireshark_t, $1_wireshark_tmp_t, $1_wireshark_tmp_t)
- manage_files_pattern($1_wireshark_t, $1_wireshark_tmp_t, $1_wireshark_tmp_t)
- files_tmp_filetrans($1_wireshark_t, $1_wireshark_tmp_t, { dir file })
+ role $1 types wireshark_t;
- manage_dirs_pattern($1_wireshark_t, $1_wireshark_tmpfs_t, $1_wireshark_tmpfs_t)
- manage_files_pattern($1_wireshark_t, $1_wireshark_tmpfs_t, $1_wireshark_tmpfs_t)
- manage_lnk_files_pattern($1_wireshark_t, $1_wireshark_tmpfs_t, $1_wireshark_tmpfs_t)
- manage_sock_files_pattern($1_wireshark_t, $1_wireshark_tmpfs_t, $1_wireshark_tmpfs_t)
- manage_fifo_files_pattern($1_wireshark_t, $1_wireshark_tmpfs_t, $1_wireshark_tmpfs_t)
- fs_tmpfs_filetrans($1_wireshark_t, $1_wireshark_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-
- domain_auto_trans($2, wireshark_exec_t, $1_wireshark_t)
- allow $1_wireshark_t $2:fd use;
- allow $1_wireshark_t $2:process sigchld;
-
- manage_dirs_pattern($2, $1_wireshark_home_t, $1_wireshark_home_t)
- manage_files_pattern($2, $1_wireshark_home_t, $1_wireshark_home_t)
- manage_lnk_files_pattern($2, $1_wireshark_home_t, $1_wireshark_home_t)
- relabel_dirs_pattern($2, $1_wireshark_home_t, $1_wireshark_home_t)
- relabel_files_pattern($2, $1_wireshark_home_t, $1_wireshark_home_t)
- relabel_lnk_files_pattern($2, $1_wireshark_home_t, $1_wireshark_home_t)
-
- kernel_read_kernel_sysctls($1_wireshark_t)
- kernel_read_system_state($1_wireshark_t)
- kernel_read_sysctl($1_wireshark_t)
-
- corecmd_search_bin($1_wireshark_t)
-
- corenet_tcp_connect_generic_port($1_wireshark_t)
- corenet_tcp_sendrecv_generic_if($1_wireshark_t)
-
- dev_read_urand($1_wireshark_t)
-
- files_read_etc_files($1_wireshark_t)
- files_read_usr_files($1_wireshark_t)
-
- fs_list_inotifyfs($1_wireshark_t)
- fs_search_auto_mountpoints($1_wireshark_t)
-
- libs_read_lib_files($1_wireshark_t)
-
- miscfiles_read_fonts($1_wireshark_t)
- miscfiles_read_localization($1_wireshark_t)
-
- seutil_use_newrole_fds($1_wireshark_t)
-
- sysnet_read_config($1_wireshark_t)
-
- userdom_manage_user_home_content_files($1, $1_wireshark_t)
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs($1_wireshark_t)
- fs_manage_nfs_files($1_wireshark_t)
- fs_manage_nfs_symlinks($1_wireshark_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs($1_wireshark_t)
- fs_manage_cifs_files($1_wireshark_t)
- fs_manage_cifs_symlinks($1_wireshark_t)
- ')
-
- optional_policy(`
- nscd_socket_use($1_wireshark_t)
- ')
-
- # Manual transition from userhelper
- optional_policy(`
- userhelper_use_user_fd($1, $1_wireshark_t)
- userhelper_sigchld_user($1, $1_wireshark_t)
- ')
-
- optional_policy(`
- xserver_user_client_template($1, $1_wireshark_t, $1_wireshark_tmpfs_t)
- xserver_create_xdm_tmp_sockets($1_wireshark_t)
- ')
-
- ifdef(`TODO',`
- # Why does it write this?
- optional_policy(`
- dontaudit sysadm_wireshark_t snmpd_var_lib_t:file write;
- ')
- #TODO
- gnome_application($1_wireshark, $1)
- gnome_file_dialog($1_wireshark, $1)
- # FIXME: policy is incomplete
- ')
+ domain_auto_trans($2, wireshark_exec_t, wireshark_t)
+ allow wireshark_t $2:fd use;
+ allow wireshark_t $2:process sigchld;
-')
-
-#######################################
-##
-## The administrative functions template for the wireshark module.
-##
-##
-##
-## This template creates rules for administrating wireshark,
-## allowing the specified user to manage wireshark files.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-#
-template(`wireshark_admin_template',`
- gen_require(`
- type $1_wireshark_t;
- ')
-
- # Create various types of sockets
- allow $1_wireshark_t self:netlink_route_socket create_netlink_socket_perms;
- allow $1_wireshark_t self:udp_socket create_socket_perms;
- allow $1_wireshark_t self:packet_socket create_socket_perms;
- allow $1_wireshark_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_wireshark_t self:tcp_socket create_socket_perms;
-
- userdom_use_user_terminals($1, $1_wireshark_t)
- # wireshark tries to write to user terminal
- userdom_dontaudit_use_user_terminals($1, $1_wireshark_t)
+ manage_dirs_pattern($2, wireshark_home_t, wireshark_home_t)
+ manage_files_pattern($2, wireshark_home_t, wireshark_home_t)
+ manage_lnk_files_pattern($2, wireshark_home_t, wireshark_home_t)
+ relabel_dirs_pattern($2, wireshark_home_t, wireshark_home_t)
+ relabel_files_pattern($2, wireshark_home_t, wireshark_home_t)
+ relabel_lnk_files_pattern($2, wireshark_home_t, wireshark_home_t)
')
########################################
##
## Run wireshark in wireshark domain.
##
-##
-##
-## Run wireshark in wireshark domain.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## Domain allowed access.
##
##
#
-template(`wireshark_domtrans_user_wireshark',`
+interface(`wireshark_domtrans',`
gen_require(`
- type $1_wireshark_t, wireshark_exec_t;
+ type wireshark_t, wireshark_exec_t;
')
- domtrans_pattern($2, wireshark_exec_t, $1_wireshark_t)
+ domtrans_pattern($1, wireshark_exec_t, wireshark_t)
')
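Review bot: `wireshark_role` transitions with `domain_auto_trans($2, wireshark_exec_t, wireshark_t)` plus hand-written `fd use` and `sigchld` rules, while `wireshark_domtrans` in the same file uses `domtrans_pattern`; the two should agree, and `domtrans_pattern($2, wireshark_exec_t, wireshark_t)` already supplies the fd, fifo and sigchld rules, so the three lines collapse to one. The `gen_require` block also lists `wireshark_tmp_t` and `wireshark_tmpfs_t`, which the interface body never references. Finally, `wireshark_admin_template` is deleted with no successor, so the broader socket permissions it granted (`create_netlink_socket_perms` on the route socket, full `packet_socket create_socket_perms`) and its terminal access are simply gone for the sysadm role; if that is intended as least privilege it deserves a changelog line, otherwise those rules belong in wireshark.te or a new admin interface.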
diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
index a0f1de0..9a03cb6 100644
--- a/policy/modules/apps/wireshark.te
+++ b/policy/modules/apps/wireshark.te
@@ -1,10 +1,124 @@
-policy_module(wireshark, 1.0.0)
+policy_module(wireshark, 2.0.0)
########################################
#
# Declarations
#
+type wireshark_t;
type wireshark_exec_t;
-application_executable_file(wireshark_exec_t)
+typealias wireshark_t alias { user_wireshark_t staff_wireshark_t sysadm_wireshark_t };
+typealias wireshark_t alias { auditadm_wireshark_t secadm_wireshark_t };
+application_domain(wireshark_t, wireshark_exec_t)
+ubac_constrained(wireshark_t)
+
+type wireshark_home_t;
+typealias wireshark_home_t alias { user_wireshark_home_t staff_wireshark_home_t sysadm_wireshark_home_t };
+typealias wireshark_home_t alias { auditadm_wireshark_home_t secadm_wireshark_home_t };
+files_poly_member(wireshark_home_t)
+userdom_user_home_content(wireshark_home_t)
+
+type wireshark_tmp_t;
+typealias wireshark_tmp_t alias { user_wireshark_tmp_t staff_wireshark_tmp_t sysadm_wireshark_tmp_t };
+typealias wireshark_tmp_t alias { auditadm_wireshark_tmp_t secadm_wireshark_tmp_t };
+files_tmp_file(wireshark_tmp_t)
+ubac_constrained(wireshark_tmp_t)
+
+type wireshark_tmpfs_t;
+typealias wireshark_tmpfs_t alias { user_wireshark_tmpfs_t staff_wireshark_tmpfs_t sysadm_wireshark_tmpfs_t };
+typealias wireshark_tmpfs_t alias { auditadm_wireshark_tmpfs_t secadm_wireshark_tmpfs_t };
+files_tmpfs_file(wireshark_tmpfs_t)
+ubac_constrained(wireshark_tmpfs_t)
+
+##############################
+#
+# Local Policy
+#
+
+allow wireshark_t self:capability { net_admin net_raw setgid };
+allow wireshark_t self:process { signal getsched };
+allow wireshark_t self:fifo_file { getattr read write };
+allow wireshark_t self:shm destroy;
+allow wireshark_t self:shm create_shm_perms;
+allow wireshark_t self:netlink_route_socket { nlmsg_read create_socket_perms };
+allow wireshark_t self:packet_socket { setopt bind ioctl getopt create read };
+allow wireshark_t self:tcp_socket create_socket_perms;
+allow wireshark_t self:udp_socket create_socket_perms;
+
+# Re-execute itself (why?)
+can_exec(wireshark_t, wireshark_exec_t)
+corecmd_search_bin(wireshark_t)
+
+# /home/.wireshark
+manage_dirs_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
+manage_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
+manage_lnk_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
+userdom_user_home_dir_filetrans(wireshark_t, wireshark_home_t,dir)
+
+# Store temporary files
+manage_dirs_pattern(wireshark_t, wireshark_tmp_t, wireshark_tmp_t)
+manage_files_pattern(wireshark_t, wireshark_tmp_t, wireshark_tmp_t)
+files_tmp_filetrans(wireshark_t, wireshark_tmp_t, { dir file })
+
+manage_dirs_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+manage_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+manage_lnk_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+manage_sock_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+manage_fifo_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t)
+fs_tmpfs_filetrans(wireshark_t, wireshark_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(wireshark_t)
+kernel_read_system_state(wireshark_t)
+kernel_read_sysctl(wireshark_t)
+
+corecmd_search_bin(wireshark_t)
+
+corenet_tcp_connect_generic_port(wireshark_t)
+corenet_tcp_sendrecv_generic_if(wireshark_t)
+
+dev_read_urand(wireshark_t)
+
+files_read_etc_files(wireshark_t)
+files_read_usr_files(wireshark_t)
+
+fs_list_inotifyfs(wireshark_t)
+fs_search_auto_mountpoints(wireshark_t)
+
+libs_read_lib_files(wireshark_t)
+
+miscfiles_read_fonts(wireshark_t)
+miscfiles_read_localization(wireshark_t)
+
+seutil_use_newrole_fds(wireshark_t)
+
+sysnet_read_config(wireshark_t)
+
+userdom_manage_user_home_content_files(wireshark_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(wireshark_t)
+ fs_manage_nfs_files(wireshark_t)
+ fs_manage_nfs_symlinks(wireshark_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(wireshark_t)
+ fs_manage_cifs_files(wireshark_t)
+ fs_manage_cifs_symlinks(wireshark_t)
+')
+
+optional_policy(`
+ nscd_socket_use(wireshark_t)
+')
+
+# Manual transition from userhelper
+optional_policy(`
+ userhelper_use_fd(wireshark_t)
+ userhelper_sigchld(wireshark_t)
+')
+
+optional_policy(`
+ xserver_user_client(wireshark_t, wireshark_tmpfs_t)
+ xserver_create_xdm_tmp_sockets(wireshark_t)
+')
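Review bot: `userdom_manage_user_home_content_files(wireshark_t)` near the end of the local policy gives the capture domain create, write and delete access to every user's home content, which is broad for a domain whose purpose is to confine a parser of untrusted network input that also holds `net_raw` and `net_admin`; the dedicated `wireshark_home_t` type declared above already covers the application's own dotfiles, so a read-only variant such as `userdom_read_user_home_content_files`, if available in this tree, or a comment justifying full manage access would be preferable. `corecmd_search_bin(wireshark_t)` is declared twice, once under the re-exec comment and again after the `kernel_*` calls, and the duplicate should be dropped. The `# Re-execute itself (why?)` comment carries an open question into the new file; either answer it or mark it as a TODO so the `can_exec` line is not silently accepted as intended. `setgid` in the `self:capability` set is likewise unexplained and would benefit from a one-line why-comment.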
diff --git a/policy/modules/apps/yam.if b/policy/modules/apps/yam.if
index b530e78..5fb7790 100644
--- a/policy/modules/apps/yam.if
+++ b/policy/modules/apps/yam.if
@@ -34,11 +34,6 @@ interface(`yam_domtrans',`
## The role to be allowed the yam domain.
##
##
-##
-##
-## The type of the terminal allow the yam domain to use.
-##
-##
##
#
interface(`yam_run',`
@@ -48,7 +43,6 @@ interface(`yam_run',`
yam_domtrans($1)
role $2 types yam_t;
- allow yam_t $3:chr_file rw_term_perms;
')
########################################
diff --git a/policy/modules/apps/yam.te b/policy/modules/apps/yam.te
index 5c5b8a3..5971c2f 100644
--- a/policy/modules/apps/yam.te
+++ b/policy/modules/apps/yam.te
@@ -1,5 +1,5 @@
-policy_module(yam, 1.2.0)
+policy_module(yam, 1.2.1)
########################################
#
@@ -84,8 +84,6 @@ fs_search_auto_mountpoints(yam_t)
# Content can also be on ISO image files.
fs_read_iso9660_files(yam_t)
-term_search_ptys(yam_t)
-
logging_send_syslog_msg(yam_t)
miscfiles_read_localization(yam_t)
@@ -95,10 +93,11 @@ seutil_read_config(yam_t)
sysnet_dns_name_resolve(yam_t)
sysnet_read_config(yam_t)
+userdom_use_user_terminals(yam_t)
userdom_use_unpriv_users_fds(yam_t)
# Reading dotfiles...
# cjp: ?
-userdom_search_all_users_home_dirs(yam_t)
+userdom_search_user_home_dirs(yam_t)
# The whole point of this program is to make updates available on a
# local web server. Need to go through /var to get to /var/yam
diff --git a/policy/modules/roles/auditadm.if b/policy/modules/roles/auditadm.if
index 532cb5a..d320022 100644
--- a/policy/modules/roles/auditadm.if
+++ b/policy/modules/roles/auditadm.if
@@ -2,44 +2,49 @@
########################################
##
-## Change to the generic user role.
+## Change to the audit administrator role.
##
-##
+##
##
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
+## Role allowed access.
##
##
##
#
-template(`auditadm_role_change_template',`
- userdom_role_change_template($1, auditadm)
+interface(`auditadm_role_change',`
+ gen_require(`
+ role auditadm_r;
+ ')
+
+ allow $1 auditadm_r;
')
########################################
##
-## Change from the generic user role.
+## Change from the audit administrator role.
##
##
##
-## Change from the generic user role to
+## Change from the audit administrator role to
## the specified role.
##
##
-## This is a template to support third party modules
+## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
-##
+##
##
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
+## Role allowed access.
##
##
##
#
-template(`auditadm_role_change_to_template',`
- userdom_role_change_template(auditadm, $1)
-')
+interface(`auditadm_role_change_to',`
+ gen_require(`
+ role auditadm_r;
+ ')
+ allow auditadm_r $1;
+')
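Review bot: `auditadm_role_change_to` omits the blank line between the `gen_require` block and the `allow auditadm_r $1;` statement that `auditadm_role_change` above, `secadm_role_change_to_template` and `sysadm_role_change_to` all include; the same omission appears in `staff_role_change_to` in staff.if. A blank line after `')` of `gen_require` would keep the four role modules formatted alike.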
diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
index 29d389a..046de2a 100644
--- a/policy/modules/roles/auditadm.te
+++ b/policy/modules/roles/auditadm.te
@@ -1,5 +1,5 @@
-policy_module(auditadm, 1.0.0)
+policy_module(auditadm, 2.0.0)
########################################
#
@@ -25,26 +25,165 @@ logging_send_syslog_msg(auditadm_t)
logging_read_generic_logs(auditadm_t)
logging_manage_audit_log(auditadm_t)
logging_manage_audit_config(auditadm_t)
-logging_run_auditctl(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
-logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+logging_run_auditctl(auditadm_t, auditadm_r)
+logging_run_auditd(auditadm_t, auditadm_r)
-seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+seutil_run_runinit(auditadm_t, auditadm_r)
seutil_read_bin_policy(auditadm_t)
optional_policy(`
+ apache_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ auth_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ bluetooth_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ cdrecord_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
consoletype_exec(auditadm_t)
')
optional_policy(`
+ cron_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ dbus_role_template(auditadm, auditadm_r, auditadm_t)
+')
+
+optional_policy(`
dmesg_exec(auditadm_t)
')
optional_policy(`
- secadm_role_change_template(auditadm)
+ ethereal_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ evolution_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ games_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ gift_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ gpg_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ gnome_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ irc_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ java_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ lockdev_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ lpd_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ mozilla_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ mplayer_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ mta_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ oident_manage_user_content(auditadm_t)
+ oident_relabel_user_content(auditadm_t)
+')
+
+optional_policy(`
+ pyzor_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ razor_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ rssh_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ screen_role_template(auditadm, auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ spamassassin_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ ssh_role_template(auditadm, auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ secadm_role_change(auditadm_r)
')
optional_policy(`
- sysadm_role_change_template(auditadm)
- sysadm_dontaudit_read_home_content_files(auditadm_t)
+ su_role_template(auditadm, auditadm_r, auditadm_t)
')
+optional_policy(`
+ sudo_role_template(auditadm, auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ sysadm_role_change(auditadm_r)
+')
+
+optional_policy(`
+ thunderbird_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ tvtime_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ userhelper_role_template(auditadm, auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ vmware_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ wireshark_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ uml_role(auditadm_r, auditadm_t)
+')
+
+optional_policy(`
+ xserver_role(auditadm_r, auditadm_t)
+')
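Review bot: The audit administrator role is given the full set of end-user application roles (apache, bluetooth, games, gift, irc, java, mozilla, mplayer, tvtime, uml, vmware, wireshark, xserver, …) that this commit also grants to staff_r and secadm_r, so a role whose remit is audit log and audit configuration management can now reach the same interactive application domains as an unprivileged staff user. If that widening is intended, a short comment at the top of the list saying so would help; otherwise the list for auditadm_r (and secadm_r in secadm.te) should be trimmed to what those administrative roles need. Separately, both `ethereal_role` and `wireshark_role` are listed here and in secadm.te and staff.te; if the ethereal module is the predecessor of the wireshark module in this tree, one of the two entries is presumably redundant.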
diff --git a/policy/modules/roles/secadm.if b/policy/modules/roles/secadm.if
index a5148b0..bb6a5fe 100644
--- a/policy/modules/roles/secadm.if
+++ b/policy/modules/roles/secadm.if
@@ -2,44 +2,50 @@
########################################
##
-## Change to the generic user role.
+## Change to the security administrator role.
##
-##
+##
##
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
+## Role allowed access.
##
##
##
#
-template(`secadm_role_change_template',`
- userdom_role_change_template($1, secadm)
+interface(`secadm_role_change',`
+ gen_require(`
+ role secadm_r;
+ ')
+
+ allow $1 secadm_r;
')
########################################
##
-## Change from the generic user role.
+## Change from the security administrator role.
##
##
##
-## Change from the generic user role to
+## Change from the security administrator role to
## the specified role.
##
##
-## This is a template to support third party modules
+## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
-##
+##
##
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
+## Role allowed access.
##
##
##
#
-template(`secadm_role_change_to_template',`
- userdom_role_change_template(secadm, $1)
+interface(`secadm_role_change_to_template',`
+ gen_require(`
+ role secadm_r;
+ ')
+
+ allow secadm_r $1;
')
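Review bot: The rewritten macro keeps the name `secadm_role_change_to_template` even though it is now declared with `interface(` and no longer takes a prefix, while the parallel rewrites in auditadm.if, staff.if and sysadm.if are named `auditadm_role_change_to`, `staff_role_change_to` and `sysadm_role_change_to`; the `_template` suffix is misleading for an interface and breaks the naming pattern used by its siblings. Renaming it to `interface(\`secadm_role_change_to',\`` (and updating any caller) would make the set consistent; the companion `secadm_role_change` in the same hunk already follows the new convention.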
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
index 5b62c8f..018f64d 100644
--- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te
@@ -1,5 +1,5 @@
-policy_module(secadm, 1.1.0)
+policy_module(secadm, 2.0.0)
########################################
#
@@ -9,7 +9,7 @@ policy_module(secadm, 1.1.0)
role secadm_r;
userdom_unpriv_user_template(secadm)
-userdom_security_admin_template(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
+userdom_security_admin_template(secadm_t, secadm_r)
########################################
#
@@ -30,6 +30,7 @@ mls_file_write_all_levels(secadm_t)
mls_file_upgrade(secadm_t)
mls_file_downgrade(secadm_t)
+auth_role(secadm_r, secadm_t)
auth_relabel_all_files_except_shadow(secadm_t)
auth_relabel_shadow(secadm_t)
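Review bot: `auth_role(secadm_r, secadm_t)` is added here as an unconditional statement, whereas the same call is wrapped in `optional_policy(\`…')` in auditadm.te, staff.te and sysadm.te within this commit. Either form may be acceptable if the auth module is always present, but the four role modules should use one convention so readers do not infer a deliberate difference between secadm and the others.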
@@ -40,11 +41,31 @@ logging_read_generic_logs(secadm_t)
logging_read_audit_config(secadm_t)
optional_policy(`
- aide_run(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
+ aide_run(secadm_t, secadm_r)
')
optional_policy(`
- auditadm_role_change_template(secadm)
+ apache_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+ auditadm_role_change(secadm_r)
+')
+
+optional_policy(`
+ bluetooth_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+ cdrecord_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+ cron_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+ dbus_role_template(secadm, secadm_r, secadm_t)
')
optional_policy(`
@@ -52,15 +73,126 @@ optional_policy(`
')
optional_policy(`
- netlabel_run_mgmt(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
+ ethereal_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+ evolution_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+ games_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+ gift_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+ gnome_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+ gpg_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+ irc_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+ java_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+ lockdev_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+ lpd_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+ mozilla_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+ mplayer_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+ mta_role(secadm_r, secadm_t)
')
optional_policy(`
- staff_dontaudit_append_home_content_files(secadm_t)
+ netlabel_run_mgmt(secadm_t, secadm_r)
')
optional_policy(`
- sysadm_role_change_template(secadm)
- sysadm_dontaudit_read_home_content_files(secadm_t)
+ oident_manage_user_content(secadm_t)
+ oident_relabel_user_content(secadm_t)
')
+optional_policy(`
+ pyzor_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+ razor_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+ rssh_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+ screen_role_template(secadm, secadm_r, secadm_t)
+')
+
+optional_policy(`
+ spamassassin_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+ ssh_role_template(secadm, secadm_r, secadm_t)
+')
+
+optional_policy(`
+ su_role_template(secadm, secadm_r, secadm_t)
+')
+
+optional_policy(`
+ sudo_role_template(secadm, secadm_r, secadm_t)
+')
+
+optional_policy(`
+ sysadm_role_change(secadm_r)
+')
+
+optional_policy(`
+ thunderbird_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+ tvtime_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+ uml_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+ userhelper_role_template(secadm, secadm_r, secadm_t)
+')
+
+optional_policy(`
+ vmware_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+ wireshark_role(secadm_r, secadm_t)
+')
+
+optional_policy(`
+ xserver_role(secadm_r, secadm_t)
+')
diff --git a/policy/modules/roles/staff.if b/policy/modules/roles/staff.if
index 6e0bc69..234a940 100644
--- a/policy/modules/roles/staff.if
+++ b/policy/modules/roles/staff.if
@@ -4,16 +4,19 @@
##
## Change to the staff role.
##
-##
+##
##
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
+## Role allowed access.
##
##
##
#
-template(`staff_role_change_template',`
- userdom_role_change_template($1, staff)
+interface(`staff_role_change',`
+ gen_require(`
+ role staff_r;
+ ')
+
+ allow $1 staff_r;
')
########################################
@@ -26,137 +29,22 @@ template(`staff_role_change_template',`
## the specified role.
##
##
-## This is a template to support third party modules
+## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
-##
+##
##
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
+## Role allowed access.
##
##
##
#
-template(`staff_role_change_to_template',`
- userdom_role_change_template(staff, $1)
-')
-
-########################################
-##
-## Search the staff users home directory.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`staff_search_home_dirs',`
+interface(`staff_role_change_to',`
gen_require(`
- type staff_home_dir_t;
+ role staff_r;
')
- files_search_home($1)
- allow $1 staff_home_dir_t:dir search_dir_perms;
+ allow staff_r $1;
')
-
-########################################
-##
-## Do not audit attempts to search the staff
-## users home directory.
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-interface(`staff_dontaudit_search_home_dirs',`
- gen_require(`
- type staff_home_dir_t;
- ')
-
- dontaudit $1 staff_home_dir_t:dir search_dir_perms;
-')
-
-########################################
-##
-## Create, read, write, and delete staff
-## home directories.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`staff_manage_home_dirs',`
- gen_require(`
- type staff_home_dir_t;
- ')
-
- files_search_home($1)
- allow $1 staff_home_dir_t:dir manage_dir_perms;
-')
-
-########################################
-##
-## Relabel to staff home directories.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`staff_relabelto_home_dirs',`
- gen_require(`
- type staff_home_dir_t;
- ')
-
- files_search_home($1)
- allow $1 staff_home_dir_t:dir relabelto;
-')
-
-########################################
-##
-## Do not audit attempts to append to the staff
-## users home directory.
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-interface(`staff_dontaudit_append_home_content_files',`
- gen_require(`
- type staff_home_t;
- ')
-
- dontaudit $1 staff_home_t:file append;
-')
-
-########################################
-##
-## Read files in the staff users home directory.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`staff_read_home_content_files',`
- gen_require(`
- type staff_home_dir_t, staff_home_t;
- ')
-
- files_search_home($1)
- allow $1 { staff_home_dir_t staff_home_t }:dir list_dir_perms;
- read_files_pattern($1, { staff_home_dir_t staff_home_t }, staff_home_t)
- read_lnk_files_pattern($1, { staff_home_dir_t staff_home_t }, staff_home_t)
-')
-
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 9d68d0b..7433ca0 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -1,5 +1,5 @@
-policy_module(staff, 1.0.0)
+policy_module(staff, 2.0.0)
########################################
#
@@ -16,15 +16,155 @@ userdom_unpriv_user_template(staff)
#
optional_policy(`
- auditadm_role_change_template(staff)
+ apache_role(staff_r, staff_t)
')
optional_policy(`
- secadm_role_change_template(staff)
+ auth_role(staff_r, staff_t)
')
optional_policy(`
- sysadm_role_change_template(staff)
- sysadm_dontaudit_use_terms(staff_t)
+ auditadm_role_change(staff_r)
')
+optional_policy(`
+ bluetooth_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ cdrecord_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ cron_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ dbus_role_template(staff, staff_r, staff_t)
+')
+
+optional_policy(`
+ ethereal_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ evolution_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ games_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ gift_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ gnome_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ gpg_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ irc_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ java_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ lockdev_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ lpd_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ mozilla_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ mplayer_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ mta_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ oident_manage_user_content(staff_t)
+ oident_relabel_user_content(staff_t)
+')
+
+optional_policy(`
+ pyzor_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ razor_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ rssh_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ screen_role_template(staff, staff_r, staff_t)
+')
+
+optional_policy(`
+ secadm_role_change(staff_r)
+')
+
+optional_policy(`
+ spamassassin_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ ssh_role_template(staff, staff_r, staff_t)
+')
+
+optional_policy(`
+ su_role_template(staff, staff_r, staff_t)
+')
+
+optional_policy(`
+ sudo_role_template(staff, staff_r, staff_t)
+')
+
+optional_policy(`
+ sysadm_role_change(staff_r)
+ userdom_dontaudit_use_user_terminals(staff_t)
+')
+
+optional_policy(`
+ thunderbird_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ tvtime_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ uml_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ userhelper_role_template(staff, staff_r, staff_t)
+')
+
+optional_policy(`
+ vmware_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ wireshark_role(staff_r, staff_t)
+')
+
+optional_policy(`
+ xserver_role(staff_r, staff_t)
+')
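Review bot: `userdom_dontaudit_use_user_terminals(staff_t)` is placed inside the `optional_policy` block that otherwise only contains `sysadm_role_change(staff_r)`, so a userdom dontaudit rule is now conditional on the sysadm module being present, which it does not depend on. Since it replaces the former `sysadm_dontaudit_use_terms(staff_t)` and no longer references sysadm types, moving it outside the optional block alongside the other unconditional staff_t rules would reflect the actual dependency.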
diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if
index 8c4ad00..42be030 100644
--- a/policy/modules/roles/sysadm.if
+++ b/policy/modules/roles/sysadm.if
@@ -2,45 +2,51 @@
########################################
##
-## Change to the generic user role.
+## Change to the system administrator role.
##
-##
+##
##
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
+## Role allowed access.
##
##
##
#
-template(`sysadm_role_change_template',`
- userdom_role_change_template($1, sysadm)
+interface(`sysadm_role_change',`
+ gen_require(`
+ role sysadm_r;
+ ')
+
+ allow $1 sysadm_r;
')
########################################
##
-## Change from the generic user role.
+## Change from the system administrator role.
##
##
##
-## Change from the generic user role to
+## Change from the system administrator role to
## the specified role.
##
##
-## This is a template to support third party modules
+## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
-##
+##
##
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
+## Role allowed access.
##
##
##
#
-template(`sysadm_role_change_to_template',`
- userdom_role_change_template(sysadm, $1)
+interface(`sysadm_role_change_to',`
+ gen_require(`
+ role sysadm_r;
+ ')
+
+ allow sysadm_r $1;
')
########################################
@@ -195,353 +201,3 @@ interface(`sysadm_rw_pipes',`
allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
')
-
-########################################
-##
-## Do not audit attepts to get the attributes
-## of sysadm ttys.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`sysadm_dontaudit_getattr_ttys',`
- gen_require(`
- type sysadm_tty_device_t;
- ')
-
- dontaudit $1 sysadm_tty_device_t:chr_file getattr;
-')
-
-########################################
-##
-## Read and write sysadm ttys.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`sysadm_use_ttys',`
- gen_require(`
- type sysadm_tty_device_t;
- ')
-
- dev_list_all_dev_nodes($1)
- term_list_ptys($1)
- allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
-')
-
-########################################
-##
-## Do not audit attempts to use sysadm ttys.
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-interface(`sysadm_dontaudit_use_ttys',`
- gen_require(`
- type sysadm_tty_device_t;
- ')
-
- dontaudit $1 sysadm_tty_device_t:chr_file { read write };
-')
-
-########################################
-##
-## Read and write sysadm ptys.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`sysadm_use_ptys',`
- gen_require(`
- type sysadm_devpts_t;
- ')
-
- dev_list_all_dev_nodes($1)
- term_list_ptys($1)
- allow $1 sysadm_devpts_t:chr_file rw_term_perms;
-')
-
-########################################
-##
-## Dont audit attempts to read and write sysadm ptys.
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-interface(`sysadm_dontaudit_use_ptys',`
- gen_require(`
- type sysadm_devpts_t;
- ')
-
- dontaudit $1 sysadm_devpts_t:chr_file { read write };
-')
-
-########################################
-##
-## Read and write sysadm ttys and ptys.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`sysadm_use_terms',`
- sysadm_use_ttys($1)
- sysadm_use_ptys($1)
-')
-
-########################################
-##
-## Do not audit attempts to use sysadm ttys and ptys.
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-interface(`sysadm_dontaudit_use_terms',`
- sysadm_dontaudit_use_ttys($1)
- sysadm_dontaudit_use_ptys($1)
-')
-
-########################################
-##
-## Get the attributes of the sysadm users
-## home directory.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`sysadm_getattr_home_dirs',`
- gen_require(`
- type sysadm_home_dir_t;
- ')
-
- allow $1 sysadm_home_dir_t:dir getattr;
-')
-
-########################################
-##
-## Do not audit attempts to get the
-## attributes of the sysadm users
-## home directory.
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-interface(`sysadm_dontaudit_getattr_home_dirs',`
- gen_require(`
- type sysadm_home_dir_t;
- ')
-
- dontaudit $1 sysadm_home_dir_t:dir getattr;
-')
-
-########################################
-##
-## Search the sysadm users home directory.
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-interface(`sysadm_search_home_dirs',`
- gen_require(`
- type sysadm_home_dir_t;
- ')
-
- allow $1 sysadm_home_dir_t:dir search_dir_perms;
-')
-
-########################################
-##
-## Do not audit attempts to search the sysadm
-## users home directory.
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-interface(`sysadm_dontaudit_search_home_dirs',`
- gen_require(`
- type sysadm_home_dir_t;
- ')
-
- dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
-')
-
-########################################
-##
-## List the sysadm users home directory.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`sysadm_list_home_dirs',`
- gen_require(`
- type sysadm_home_dir_t;
- ')
-
- allow $1 sysadm_home_dir_t:dir list_dir_perms;
-')
-
-########################################
-##
-## Do not audit attempts to list the sysadm
-## users home directory.
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-interface(`sysadm_dontaudit_list_home_dirs',`
- gen_require(`
- type sysadm_home_dir_t;
- ')
-
- dontaudit $1 sysadm_home_dir_t:dir list_dir_perms;
-')
-
-########################################
-##
-## Create objects in sysadm home directories
-## with automatic file type transition.
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## The type of the object to be created.
-##
-##
-##
-##
-## The class of the object to be created.
-## If not specified, file is used.
-##
-##
-#
-interface(`sysadm_home_dir_filetrans',`
- gen_require(`
- type sysadm_home_dir_t;
- ')
-
- filetrans_pattern($1, sysadm_home_dir_t, $2, $3)
-')
-
-########################################
-##
-## Search the sysadm users home sub directories.
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-interface(`sysadm_search_home_content_dirs',`
- gen_require(`
- type sysadm_home_dir_t, sysadm_home_t;
- ')
-
- allow $1 { sysadm_home_dir_t sysadm_home_t }:dir search_dir_perms;
-')
-
-########################################
-##
-## Read files in the sysadm home directory.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`sysadm_read_home_content_files',`
- gen_require(`
- type sysadm_home_dir_t, sysadm_home_t;
- ')
-
- files_search_home($1)
- allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
- read_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)
- read_lnk_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)
-')
-
-########################################
-##
-## Do not audit attempts to read files in the sysadm
-## home directory.
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-interface(`sysadm_dontaudit_read_home_content_files',`
- gen_require(`
- type sysadm_home_dir_t, sysadm_home_t;
- ')
-
- dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
- dontaudit $1 sysadm_home_t:dir search_dir_perms;
- dontaudit $1 sysadm_home_t:file read_file_perms;
-')
-
-########################################
-##
-## Read sysadm temporary files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`sysadm_read_tmp_files',`
- gen_require(`
- type sysadm_tmp_t;
- ')
-
- files_search_tmp($1)
- allow $1 sysadm_tmp_t:dir list_dir_perms;
- read_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t)
- read_lnk_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t)
-')
-
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index f1628d2..e69ab7c 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,5 +1,5 @@
-policy_module(sysadm, 1.0.0)
+policy_module(sysadm, 2.0.0)
########################################
#
@@ -18,7 +18,7 @@ role sysadm_r;
userdom_admin_user_template(sysadm)
ifndef(`enable_mls',`
- userdom_security_admin_template(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ userdom_security_admin_template(sysadm_t, sysadm_r)
')
########################################
@@ -30,20 +30,24 @@ corecmd_exec_shell(sysadm_t)
mls_process_read_up(sysadm_t)
+ubac_process_exempt(sysadm_t)
+ubac_file_exempt(sysadm_t)
+ubac_fd_exempt(sysadm_t)
+
init_exec(sysadm_t)
-# For sending reboot and wall messages
-userdom_use_unpriv_users_ptys(sysadm_t)
-userdom_use_unpriv_users_ttys(sysadm_t)
+# Add/remove user home directories
+userdom_manage_user_home_dirs(sysadm_t)
+userdom_home_filetrans_user_home_dir(sysadm_t)
ifdef(`direct_sysadm_daemon',`
optional_policy(`
- init_run_daemon(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ init_run_daemon(sysadm_t, sysadm_r)
')
',`
ifdef(`distro_gentoo',`
optional_policy(`
- seutil_init_script_run_runinit(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ seutil_init_script_run_runinit(sysadm_t, sysadm_r)
')
')
')
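Review bot: The three new `ubac_*_exempt(sysadm_t)` lines carry no comment explaining why the system administrator domain is exempted from the user-based access control introduced by this commit; a line such as `# sysadm administers objects owned by all SELinux users, so it is exempt from UBAC` would record the intent for the next reader. The removed comment `# For sending reboot and wall messages` and its two `userdom_use_unpriv_users_*` calls have no visible replacement in this hunk, so it is unclear whether that capability was deliberately dropped or is now provided elsewhere; the commit description or a comment here should say which.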
@@ -51,7 +55,7 @@ ifdef(`direct_sysadm_daemon',`
ifndef(`enable_mls',`
logging_manage_audit_log(sysadm_t)
logging_manage_audit_config(sysadm_t)
- logging_run_auditctl(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ logging_run_auditctl(sysadm_t, sysadm_r)
')
tunable_policy(`allow_ptrace',`
@@ -59,13 +63,14 @@ tunable_policy(`allow_ptrace',`
')
optional_policy(`
- amanda_run_recover(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ amanda_run_recover(sysadm_t, sysadm_r)
')
optional_policy(`
- apache_run_helper(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ apache_run_helper(sysadm_t, sysadm_r)
#apache_run_all_scripts(sysadm_t, sysadm_r)
#apache_domtrans_sys_script(sysadm_t)
+ apache_role(sysadm_r, sysadm_t)
')
optional_policy(`
@@ -74,43 +79,55 @@ optional_policy(`
')
optional_policy(`
- apt_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ apt_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ auditadm_role_change(sysadm_r)
+')
+
+optional_policy(`
+ auth_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ backup_run(sysadm_t, sysadm_r)
')
optional_policy(`
- auditadm_role_change_template(sysadm)
+ bind_run_ndc(sysadm_t, sysadm_r)
')
optional_policy(`
- backup_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ bluetooth_role(sysadm_r, sysadm_t)
')
optional_policy(`
- bind_run_ndc(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ bootloader_run(sysadm_t, sysadm_r)
')
optional_policy(`
- bootloader_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ cdrecord_role(sysadm_r, sysadm_t)
')
optional_policy(`
- certwatch_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ certwatch_run(sysadm_t, sysadm_r)
')
optional_policy(`
- clock_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ clock_run(sysadm_t, sysadm_r)
')
optional_policy(`
- clockspeed_run_cli(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ clockspeed_run_cli(sysadm_t, sysadm_r)
')
optional_policy(`
- consoletype_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ consoletype_run(sysadm_t, sysadm_r)
')
optional_policy(`
- cron_admin_template(sysadm)
+ cron_admin_role(sysadm_r, sysadm_t)
')
optional_policy(`
@@ -118,13 +135,17 @@ optional_policy(`
')
optional_policy(`
- dcc_run_cdcc(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
- dcc_run_client(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
- dcc_run_dbclean(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ dbus_role_template(sysadm, sysadm_r, sysadm_t)
')
optional_policy(`
- ddcprobe_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ dcc_run_cdcc(sysadm_t, sysadm_r)
+ dcc_run_client(sysadm_t, sysadm_r)
+ dcc_run_dbclean(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ddcprobe_run(sysadm_t, sysadm_r)
')
optional_policy(`
@@ -132,28 +153,48 @@ optional_policy(`
')
optional_policy(`
- dmidecode_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ dmidecode_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dpkg_run(sysadm_t, sysadm_r)
')
optional_policy(`
- dpkg_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ ethereal_role(sysadm_r, sysadm_t)
+ ethereal_run_tethereal(sysadm_t, sysadm_r)
')
optional_policy(`
- ethereal_run_tethereal(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
- ethereal_admin_template(sysadm)
+ evolution_role(sysadm_r, sysadm_t)
')
optional_policy(`
- firstboot_run(sysadm_t, sysadm_r, sysadm_tty_device_t)
+ firstboot_run(sysadm_t, sysadm_r)
')
optional_policy(`
- fstools_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ fstools_run(sysadm_t, sysadm_r)
')
optional_policy(`
- hostname_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ games_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ gift_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ gnome_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ gpg_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ hostname_run(sysadm_t, sysadm_r)
')
optional_policy(`
@@ -167,42 +208,62 @@ optional_policy(`
')
optional_policy(`
- iptables_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ iptables_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ irc_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ java_role(sysadm_r, sysadm_t)
')
optional_policy(`
- kudzu_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ kudzu_run(sysadm_t, sysadm_r)
')
optional_policy(`
- libs_run_ldconfig(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ libs_run_ldconfig(sysadm_t, sysadm_r)
')
optional_policy(`
- logrotate_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ lockdev_role(sysadm_r, sysadm_t)
')
optional_policy(`
- lpd_run_checkpc(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
- lpr_admin_template(sysadm)
+ logrotate_run(sysadm_t, sysadm_r)
')
optional_policy(`
- lvm_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ lpd_run_checkpc(sysadm_t, sysadm_r)
+ lpd_role(sysadm_r, sysadm_t)
')
optional_policy(`
- modutils_run_depmod(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
- modutils_run_insmod(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
- modutils_run_update_mods(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ lvm_run(sysadm_t, sysadm_r)
')
optional_policy(`
- mount_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ modutils_run_depmod(sysadm_t, sysadm_r)
+ modutils_run_insmod(sysadm_t, sysadm_r)
+ modutils_run_update_mods(sysadm_t, sysadm_r)
')
optional_policy(`
- mta_admin_template(sysadm, sysadm_t)
+ mount_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ mozilla_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ mplayer_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ mta_role(sysadm_r, sysadm_t)
')
optional_policy(`
@@ -214,9 +275,9 @@ optional_policy(`
')
optional_policy(`
- netutils_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
- netutils_run_ping(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
- netutils_run_traceroute(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ netutils_run(sysadm_t, sysadm_r)
+ netutils_run_ping(sysadm_t, sysadm_r)
+ netutils_run_traceroute(sysadm_t, sysadm_r)
')
optional_policy(`
@@ -225,24 +286,33 @@ optional_policy(`
')
optional_policy(`
- oav_run_update(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ oav_run_update(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ oident_manage_user_content(sysadm_t)
+ oident_relabel_user_content(sysadm_t)
+')
+
+optional_policy(`
+ pcmcia_run_cardctl(sysadm_t, sysadm_r)
')
optional_policy(`
- pcmcia_run_cardctl(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ portage_run(sysadm_t, sysadm_r)
+ portage_run_gcc_config(sysadm_t, sysadm_r)
')
optional_policy(`
- portage_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
- portage_run_gcc_config(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ portmap_run_helper(sysadm_t, sysadm_r)
')
optional_policy(`
- portmap_run_helper(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ pyzor_role(sysadm_r, sysadm_t)
')
optional_policy(`
- quota_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ quota_run(sysadm_t, sysadm_r)
')
optional_policy(`
@@ -250,11 +320,19 @@ optional_policy(`
')
optional_policy(`
+ razor_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
rpc_domtrans_nfsd(sysadm_t)
')
optional_policy(`
- rpm_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ rpm_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ rssh_role(sysadm_r, sysadm_t)
')
optional_policy(`
@@ -262,33 +340,61 @@ optional_policy(`
')
optional_policy(`
- samba_run_net(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
- samba_run_winbind_helper(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ samba_run_net(sysadm_t, sysadm_r)
+ samba_run_winbind_helper(sysadm_t, sysadm_r)
')
optional_policy(`
- secadm_role_change_template(sysadm)
+ screen_role_template(sysadm, sysadm_r, sysadm_t)
')
optional_policy(`
- seutil_run_setfiles(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
- seutil_run_runinit(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ secadm_role_change(sysadm_r)
')
optional_policy(`
- staff_role_change_template(sysadm)
+ seutil_run_setfiles(sysadm_t, sysadm_r)
+ seutil_run_runinit(sysadm_t, sysadm_r)
')
optional_policy(`
- sysnet_run_ifconfig(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
- sysnet_run_dhcpc(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ spamassassin_role(sysadm_r, sysadm_t)
')
optional_policy(`
- tripwire_run_siggen(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
- tripwire_run_tripwire(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
- tripwire_run_twadmin(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
- tripwire_run_twprint(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ ssh_role_template(sysadm, sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ staff_role_change(sysadm_r)
+')
+
+optional_policy(`
+ su_role_template(sysadm, sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ sudo_role_template(sysadm, sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ sysnet_run_ifconfig(sysadm_t, sysadm_r)
+ sysnet_run_dhcpc(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ thunderbird_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ tripwire_run_siggen(sysadm_t, sysadm_r)
+ tripwire_run_tripwire(sysadm_t, sysadm_r)
+ tripwire_run_twadmin(sysadm_t, sysadm_r)
+ tripwire_run_twprint(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ tvtime_role(sysadm_r, sysadm_t)
')
optional_policy(`
@@ -296,35 +402,51 @@ optional_policy(`
')
optional_policy(`
+ uml_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
unconfined_domtrans(sysadm_t)
')
optional_policy(`
- # Add/remove user home directories
- unprivuser_manage_home_dirs(sysadm_t)
- unprivuser_home_filetrans_home_dir(sysadm_t)
+ unprivuser_role_change(sysadm_r)
+')
+
+optional_policy(`
+ usbmodules_run(sysadm_t, sysadm_r)
+')
- unprivuser_role_change_template(sysadm)
+optional_policy(`
+ userhelper_role_template(sysadm, sysadm_r, sysadm_t)
+')
+
+optional_policy(`
+ usermanage_run_admin_passwd(sysadm_t, sysadm_r)
+ usermanage_run_groupadd(sysadm_t, sysadm_r)
+ usermanage_run_useradd(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ vmware_role(sysadm_r, sysadm_t)
')
optional_policy(`
- usbmodules_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ vpn_run(sysadm_t, sysadm_r)
')
optional_policy(`
- usermanage_run_admin_passwd(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
- usermanage_run_groupadd(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
- usermanage_run_useradd(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ webalizer_run(sysadm_t, sysadm_r)
')
optional_policy(`
- vpn_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ wireshark_role(sysadm_r, sysadm_t)
')
optional_policy(`
- webalizer_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ xserver_role(sysadm_r, sysadm_t)
')
optional_policy(`
- yam_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ yam_run(sysadm_t, sysadm_r)
')
diff --git a/policy/modules/roles/unprivuser.if b/policy/modules/roles/unprivuser.if
index 8ac6b36..3835596 100644
--- a/policy/modules/roles/unprivuser.if
+++ b/policy/modules/roles/unprivuser.if
@@ -4,16 +4,19 @@
##
## Change to the generic user role.
##
-##
+##
##
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
+## Role allowed access.
##
##
##
#
-template(`unprivuser_role_change_template',`
- userdom_role_change_template($1, user)
+interface(`unprivuser_role_change',`
+ gen_require(`
+ role user_r;
+ ')
+
+ allow $1 user_r;
')
########################################
@@ -26,319 +29,22 @@ template(`unprivuser_role_change_template',`
## the specified role.
##
##
-## This is a template to support third party modules
+## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
##
-##
+##
##
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
+## Role allowed access.
##
##
##
#
-template(`unprivuser_role_change_to_template',`
- userdom_role_change_template(user, $1)
-')
-
-########################################
-##
-## Create generic user home directories
-## with automatic file type transition.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`unprivuser_home_filetrans_home_dir',`
- gen_require(`
- type user_home_dir_t;
- ')
-
- files_home_filetrans($1, user_home_dir_t, dir)
-')
-
-########################################
-##
-## Search generic user home directories.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`unprivuser_search_home_dirs',`
- gen_require(`
- type user_home_dir_t;
- ')
-
- allow $1 user_home_dir_t:dir search_dir_perms;
-')
-
-########################################
-##
-## Create objects in generic user home directories
-## with automatic file type transition.
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## The class of the object to be created.
-## If not specified, file is used.
-##
-##
-#
-interface(`unprivuser_home_dir_filetrans_home_content',`
- gen_require(`
- type user_home_dir_t, user_home_t;
- ')
-
- files_search_home($1)
- filetrans_pattern($1, user_home_dir_t, user_home_t, $2)
-')
-
-########################################
-##
-## Don't audit search on the user home subdirectory.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`unprivuser_dontaudit_search_home_dirs',`
- gen_require(`
- type user_home_t;
- ')
-
- dontaudit $1 user_home_t:dir search_dir_perms;
-')
-
-########################################
-##
-## Create generic user home directories
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`unprivuser_create_home_dir',`
- gen_require(`
- type user_home_dir_t;
- ')
-
- files_search_home($1)
- allow $1 user_home_dir_t:dir create_dir_perms;
-')
-
-########################################
-##
-## Create, read, write, and delete generic user
-## home directories.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`unprivuser_manage_home_dirs',`
- gen_require(`
- type user_home_dir_t;
- ')
-
- files_search_home($1)
- allow $1 user_home_dir_t:dir manage_dir_perms;
-')
-
-########################################
-##
-## Create, read, write, and delete
-## subdirectories of generic user
-## home directories.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`unprivuser_manage_home_content_dirs',`
- gen_require(`
- type user_home_dir_t, user_home_t;
- ')
-
- files_search_home($1)
- manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-')
-
-########################################
-##
-## Relabel to generic user home directories.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`unprivuser_relabelto_home_dirs',`
- gen_require(`
- type user_home_dir_t;
- ')
-
- files_search_home($1)
- allow $1 user_home_dir_t:dir relabelto;
-')
-
-########################################
-##
-## Read files in generic user home directories.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`unprivuser_read_home_content_files',`
- gen_require(`
- type user_home_t, user_home_dir_t;
- ')
-
- files_search_home($1)
- allow $1 user_home_t:dir list_dir_perms;
- read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-')
-
-########################################
-##
-## Mmap of generic user
-## home files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`unprivuser_mmap_home_content_files',`
- gen_require(`
- type user_home_t;
- ')
-
- files_search_home($1)
- allow $1 user_home_t:file execute;
-')
-
-########################################
-##
-## Create, read, write, and delete files
-## in generic user home directories.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`unprivuser_manage_home_content_files',`
- gen_require(`
- type user_home_dir_t, user_home_t;
- ')
-
- files_search_home($1)
- manage_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-')
-
-########################################
-##
-## Do not audit attempts to relabel generic user
-## home files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`unprivuser_dontaudit_relabel_home_content_files',`
- gen_require(`
- type user_home_t;
- ')
-
- dontaudit $1 user_home_t:file { relabelto relabelfrom };
-')
-
-########################################
-##
-## Create, read, write, and delete symbolic
-## links in generic user home directories.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`unprivuser_manage_home_content_symlinks',`
- gen_require(`
- type user_home_dir_t, user_home_t;
- ')
-
- files_search_home($1)
- manage_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-')
-
-########################################
-##
-## Create, read, write, and delete named
-## pipes in generic user home directories.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`unprivuser_manage_home_content_pipes',`
+interface(`unprivuser_role_change_to',`
gen_require(`
- type user_home_dir_t, user_home_t;
+ role user_r;
')
- files_search_home($1)
- manage_fifo_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+ allow user_r $1;
')
-
-########################################
-##
-## Create, read, write, and delete named
-## sockets in generic user home directories.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`unprivuser_manage_home_content_sockets',`
- gen_require(`
- type user_home_dir_t, user_home_t;
- ')
-
- files_search_home($1)
- manage_sock_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-')
-
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 63f50c2..2183644 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -1,5 +1,5 @@
-policy_module(unprivuser, 1.1.0)
+policy_module(unprivuser, 2.0.0)
# this module should be named user, but that is
# a compile error since user is a keyword.
@@ -13,3 +13,143 @@ role user_r;
userdom_unpriv_user_template(user)
+optional_policy(`
+ apache_role(user_r, user_t)
+')
+
+optional_policy(`
+ auth_role(user_r, user_t)
+')
+
+optional_policy(`
+ bluetooth_role(user_r, user_t)
+')
+
+optional_policy(`
+ cdrecord_role(user_r, user_t)
+')
+
+optional_policy(`
+ cron_role(user_r, user_t)
+')
+
+optional_policy(`
+ dbus_role_template(user, user_r, user_t)
+')
+
+optional_policy(`
+ ethereal_role(user_r, user_t)
+')
+
+optional_policy(`
+ evolution_role(user_r, user_t)
+')
+
+optional_policy(`
+ games_role(user_r, user_t)
+')
+
+optional_policy(`
+ gift_role(user_r, user_t)
+')
+
+optional_policy(`
+ gnome_role(user_r, user_t)
+')
+
+optional_policy(`
+ gpg_role(user_r, user_t)
+')
+
+optional_policy(`
+ irc_role(user_r, user_t)
+')
+
+optional_policy(`
+ java_role(user_r, user_t)
+')
+
+optional_policy(`
+ lockdev_role(user_r, user_t)
+')
+
+optional_policy(`
+ lpd_role(user_r, user_t)
+')
+
+optional_policy(`
+ mozilla_role(user_r, user_t)
+')
+
+optional_policy(`
+ mplayer_role(user_r, user_t)
+')
+
+optional_policy(`
+ mta_role(user_r, user_t)
+')
+
+optional_policy(`
+ oident_manage_user_content(user_t)
+ oident_relabel_user_content(user_t)
+')
+
+optional_policy(`
+ pyzor_role(user_r, user_t)
+')
+
+optional_policy(`
+ razor_role(user_r, user_t)
+')
+
+optional_policy(`
+ rssh_role(user_r, user_t)
+')
+
+optional_policy(`
+ screen_role_template(user, user_r, user_t)
+')
+
+optional_policy(`
+ spamassassin_role(user_r, user_t)
+')
+
+optional_policy(`
+ ssh_role_template(user, user_r, user_t)
+')
+
+optional_policy(`
+ su_role_template(user, user_r, user_t)
+')
+
+optional_policy(`
+ sudo_role_template(user, user_r, user_t)
+')
+
+optional_policy(`
+ thunderbird_role(user_r, user_t)
+')
+
+optional_policy(`
+ tvtime_role(user_r, user_t)
+')
+
+optional_policy(`
+ uml_role(user_r, user_t)
+')
+
+optional_policy(`
+ userhelper_role_template(user, user_r, user_t)
+')
+
+optional_policy(`
+ vmware_role(user_r, user_t)
+')
+
+optional_policy(`
+ wireshark_role(user_r, user_t)
+')
+
+optional_policy(`
+ xserver_role(user_r, user_t)
+')
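Review bot: The block grants the generic unprivileged role `su_role_template`, `sudo_role_template` and `userhelper_role_template` in the same undifferentiated list as the application roles, so the privilege-elevation paths of user_r are not visible at a glance; a short comment above those three entries, e.g. `# privilege elevation paths available to user_r`, would make that surface easy to audit. Presumably these were reached before through the per-role templates this commit deprecates, but that is not visible here, so confirm the set is intentional. sysadm.te receives an almost identical list in the same commit; a comment stating that the two lists are meant to stay in step would help future maintainers.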
diff --git a/policy/modules/services/afs.te b/policy/modules/services/afs.te
index 7f193c4..b571424 100644
--- a/policy/modules/services/afs.te
+++ b/policy/modules/services/afs.te
@@ -1,5 +1,5 @@
-policy_module(afs, 1.3.0)
+policy_module(afs, 1.3.1)
########################################
#
@@ -180,7 +180,7 @@ seutil_read_config(afs_fsserver_t)
sysnet_read_config(afs_fsserver_t)
-sysadm_dontaudit_use_terms(afs_fsserver_t)
+userdom_dontaudit_use_user_terminals(afs_fsserver_t)
########################################
#
@@ -225,7 +225,7 @@ seutil_read_config(afs_kaserver_t)
sysnet_read_config(afs_kaserver_t)
-sysadm_dontaudit_use_terms(afs_kaserver_t)
+userdom_dontaudit_use_user_terminals(afs_kaserver_t)
########################################
#
@@ -263,7 +263,7 @@ miscfiles_read_localization(afs_ptserver_t)
sysnet_read_config(afs_ptserver_t)
-sysadm_dontaudit_use_terms(afs_ptserver_t)
+userdom_dontaudit_use_user_terminals(afs_ptserver_t)
########################################
#
@@ -301,4 +301,4 @@ miscfiles_read_localization(afs_vlserver_t)
sysnet_read_config(afs_vlserver_t)
-sysadm_dontaudit_use_terms(afs_vlserver_t)
+userdom_dontaudit_use_user_terminals(afs_vlserver_t)
diff --git a/policy/modules/services/aide.if b/policy/modules/services/aide.if
index c656fa9..5b8def1 100644
--- a/policy/modules/services/aide.if
+++ b/policy/modules/services/aide.if
@@ -33,11 +33,6 @@ interface(`aide_domtrans',`
## The role to allow the AIDE domain.
##
##
-##
-##
-## The type of the terminal allow the AIDE domain to use.
-##
-##
#
interface(`aide_run',`
gen_require(`
@@ -46,7 +41,6 @@ interface(`aide_run',`
aide_domtrans($1)
role $2 types aide_t;
- allow aide_t $3:chr_file rw_chr_file_perms;
')
########################################
diff --git a/policy/modules/services/aide.te b/policy/modules/services/aide.te
index af51f7f..aa3692c 100644
--- a/policy/modules/services/aide.te
+++ b/policy/modules/services/aide.te
@@ -1,5 +1,5 @@
-policy_module(aide, 1.4.0)
+policy_module(aide, 1.4.1)
########################################
#
@@ -37,3 +37,5 @@ files_read_all_files(aide_t)
logging_send_audit_msgs(aide_t)
seutil_use_newrole_fds(aide_t)
+
+userdom_use_user_terminals(aide_t)
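Review bot: `userdom_use_user_terminals(aide_t)` replaces the caller-chosen terminal type that `aide_run` used to grant (`allow aide_t $3:chr_file rw_chr_file_perms;`, removed in the aide.if hunk above), so aide_t now gets read/write access to every user terminal type rather than only the invoking role's; whether UBAC constraints narrow this back to the invoking user's terminals depends on `ubac_constrained` marking that is not visible here. That widening deserves a comment at this line, e.g. `# terminal access is no longer passed in by aide_run; all user terminals are allowed here`. Because m4 silently ignores surplus arguments, stale three-argument callers of `aide_run` will still build, so the dropped parameter is not flagged at compile time. The same substitution appears in apache.if for `apache_run_helper`, where the matching userdom call for httpd_helper_t lies outside the visible hunks.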
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
index 42ffed8..6a9b4f7 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -1,5 +1,5 @@
-policy_module(amavis, 1.8.0)
+policy_module(amavis, 1.8.1)
########################################
#
@@ -145,6 +145,8 @@ miscfiles_read_localization(amavis_t)
sysnet_dns_name_resolve(amavis_t)
sysnet_use_ldap(amavis_t)
+userdom_dontaudit_search_user_home_dirs(amavis_t)
+
# Cron handling
cron_use_fds(amavis_t)
cron_use_system_job_fds(amavis_t)
@@ -152,8 +154,6 @@ cron_rw_pipes(amavis_t)
mta_read_config(amavis_t)
-sysadm_dontaudit_search_home_dirs(amavis_t)
-
optional_policy(`
clamav_stream_connect(amavis_t)
clamav_domtrans_clamscan(amavis_t)
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
index 7bb7be7..afcb9bd 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -1,4 +1,4 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 7946f40..bae17ed 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -238,107 +238,71 @@ template(`apache_content_template',`
')
')
-#######################################
+########################################
##
-## The per role template for the apache module.
+## Role access for apache
##
-##
-##
-## This template creates types used for web pages
-## and web cgi to be used from the user home directory.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
+##
##
-## The type of the user domain.
+## Role allowed access
##
##
-##
+##
##
-## The role associated with the user domain.
+## User domain for the role
##
##
#
-template(`apache_per_role_template', `
+interface(`apache_role',`
gen_require(`
- attribute httpdcontent, httpd_script_domains;
- attribute httpd_exec_scripts, httpd_user_content_type;
- attribute httpd_user_script_exec_type;
- type httpd_t, httpd_suexec_t, httpd_log_t;
+ attribute httpdcontent;
+ type httpd_user_content_t, httpd_user_htaccess_t;
+ type httpd_user_script_t, httpd_user_script_exec_t;
+ type httpd_user_script_ra_t, httpd_user_script_ro_t;
+ type httpd_user_script_rw_t;
')
- apache_content_template($1)
-
- typeattribute httpd_$1_content_t httpd_user_content_type;
- typeattribute httpd_$1_script_ra_t httpd_user_content_type;
- typeattribute httpd_$1_script_rw_t httpd_user_content_type;
- typeattribute httpd_$1_script_ro_t httpd_user_content_type;
- typeattribute httpd_$1_script_exec_t httpd_user_script_exec_type;
-
- typeattribute httpd_$1_script_t httpd_script_domains;
- userdom_user_home_content($1,httpd_$1_content_t)
+ role $1 types httpd_user_script_t;
- role $3 types httpd_$1_script_t;
+ allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom };
- allow $2 httpd_$1_content_t:{ dir file lnk_file } { relabelto relabelfrom };
+ allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
- allow $2 httpd_$1_htaccess_t:file { manage_file_perms relabelto relabelfrom };
+ manage_dirs_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
+ manage_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
+ manage_lnk_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
+ relabel_dirs_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
+ relabel_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
+ relabel_lnk_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
- manage_dirs_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
- manage_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
- manage_lnk_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
- relabel_dirs_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
- relabel_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
- relabel_lnk_files_pattern($2, httpd_$1_script_ra_t, httpd_$1_script_ra_t)
+ manage_dirs_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
+ manage_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
+ manage_lnk_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
+ relabel_dirs_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
+ relabel_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
+ relabel_lnk_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
- manage_dirs_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
- manage_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
- manage_lnk_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
- relabel_dirs_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
- relabel_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
- relabel_lnk_files_pattern($2, httpd_$1_script_ro_t, httpd_$1_script_ro_t)
+ manage_dirs_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
+ manage_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
+ manage_lnk_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
+ relabel_dirs_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
+ relabel_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
+ relabel_lnk_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
- manage_dirs_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
- manage_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
- manage_lnk_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
- relabel_dirs_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
- relabel_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
- relabel_lnk_files_pattern($2, httpd_$1_script_rw_t, httpd_$1_script_rw_t)
-
- manage_dirs_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)
- manage_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)
- manage_lnk_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)
- relabel_dirs_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)
- relabel_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)
- relabel_lnk_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)
+ manage_dirs_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
+ manage_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
+ manage_lnk_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
+ relabel_dirs_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
+ relabel_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
+ relabel_lnk_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
tunable_policy(`httpd_enable_cgi',`
# If a user starts a script by hand it gets the proper context
- domtrans_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_t)
+ domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
- allow httpd_$1_script_t httpdcontent:file entrypoint;
-
- domtrans_pattern($2, httpdcontent, httpd_$1_script_t)
- ')
-
- # allow accessing files/dirs below the users home dir
- tunable_policy(`httpd_enable_homedirs',`
- userdom_search_user_home_dirs($1,httpd_t)
- userdom_search_user_home_dirs($1,httpd_suexec_t)
- userdom_search_user_home_dirs($1,httpd_$1_script_t)
+ domtrans_pattern($2, httpdcontent, httpd_user_script_t)
')
')
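Review bot: The `tunable_policy('httpd_enable_homedirs', ...)` block that let httpd_t, httpd_suexec_t and the user script domain search user home directories is dropped from the new `apache_role` with no replacement inside the interface; unless it was moved to apache.te (the apache.te hunks in view are cut before that point), enabling `httpd_enable_homedirs` would no longer give httpd_t a path into home directories, so confirm where that rule now lives. In the `httpd_enable_cgi && httpd_unified` block the explicit `allow ... httpdcontent:file entrypoint;` is gone and only `domtrans_pattern($2, httpdcontent, httpd_user_script_t)` remains, which is fine only if domtrans_pattern already emits the entrypoint rule — worth confirming against the pattern definition. Style: the rewritten `*_pattern($2,httpd_user_script_ra_t,...)` calls drop the space after commas that the replaced lines and the rest of the file use; `manage_dirs_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)` keeps the file consistent.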
@@ -346,52 +310,40 @@ template(`apache_per_role_template', `
##
## Read httpd user scripts executables.
##
-##
-##
-## Prefix of the domain. Example, user would be
-## the prefix for the uder_t domain.
-##
-##
##
##
## Domain allowed access.
##
##
#
-template(`apache_read_user_scripts',`
+interface(`apache_read_user_scripts',`
gen_require(`
- type httpd_$1_script_exec_t;
+ type httpd_user_script_exec_t;
')
- allow $2 httpd_$1_script_exec_t:dir list_dir_perms;
- read_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)
- read_lnk_files_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_exec_t)
+ allow $1 httpd_user_script_exec_t:dir list_dir_perms;
+ read_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ read_lnk_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
')
########################################
##
## Read user web content.
##
-##
-##
-## Prefix of the domain. Example, user would be
-## the prefix for the uder_t domain.
-##
-##
##
##
## Domain allowed access.
##
##
#
-template(`apache_read_user_content',`
+interface(`apache_read_user_content',`
gen_require(`
- type httpd_$1_content_t;
+ type httpd_user_content_t;
')
- allow $2 httpd_$1_content_t:dir list_dir_perms;
- read_files_pattern($2, httpd_$1_content_t, httpd_$1_content_t)
- read_lnk_files_pattern($2, httpd_$1_content_t, httpd_$1_content_t)
+ allow $1 httpd_user_content_t:dir list_dir_perms;
+ read_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
+ read_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
')
########################################
@@ -630,11 +582,6 @@ interface(`apache_domtrans_helper',`
## The role to be allowed the dmidecode domain.
##
##
-##
-##
-## The type of the terminal allow the dmidecode domain to use.
-##
-##
##
#
interface(`apache_run_helper',`
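Review bot: The surviving parameter description for `$2` still reads "The role to be allowed the dmidecode domain", a copy-paste leftover that this hunk leaves in place while removing the terminal parameter beneath it; since the doc block is being edited anyway it should say `## The role to be allowed the httpd helper domain.`. The interface body continues in the next hunk.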
@@ -644,7 +591,6 @@ interface(`apache_run_helper',`
apache_domtrans_helper($1)
role $2 types httpd_helper_t;
- allow httpd_helper_t $3:chr_file rw_term_perms;
')
########################################
@@ -913,8 +859,6 @@ interface(`apache_domtrans_all_scripts',`
##
##
#
-# cjp: this is missing the terminal since scripts
-# do not output to the terminal
interface(`apache_run_all_scripts',`
gen_require(`
attribute httpd_exec_scripts, httpd_script_domains;
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index ab19229..2afa17f 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1,18 +1,17 @@
-policy_module(apache, 1.11.0)
+policy_module(apache, 2.0.0)
#
# NOTES:
# This policy will work with SUEXEC enabled as part of the Apache
# configuration. However, the user CGI scripts will run under the
-# system_u:system_r:httpd_$1_script_t domain where $1 is the domain of the
-# of the creating user.
+# system_u:system_r:httpd_user_script_t.
#
-# The user CGI scripts must be labeled with the httpd_$1_script_exec_t
+# The user CGI scripts must be labeled with the httpd_user_script_exec_t
# type, and the directory containing the scripts should also be labeled
-# with these types. This policy allows user_r role to perform that
-# relabeling. If it is desired that only sysadm_r should be able to relabel
-# the user CGI scripts, then relabel rule for user_r should be removed.
+# with these types. This policy allows the user role to perform that
+# relabeling. If it is desired that only admin role should be able to relabel
+# the user CGI scripts, then relabel rule for user roles should be removed.
#
########################################
@@ -187,6 +186,30 @@ files_tmp_file(httpd_tmp_t)
type httpd_tmpfs_t;
files_tmpfs_file(httpd_tmpfs_t)
+apache_content_template(user)
+ubac_constrained(httpd_user_script_t)
+userdom_user_home_content(httpd_user_content_t)
+userdom_user_home_content(httpd_user_htaccess_t)
+userdom_user_home_content(httpd_user_script_exec_t)
+userdom_user_home_content(httpd_user_script_ra_t)
+userdom_user_home_content(httpd_user_script_ro_t)
+userdom_user_home_content(httpd_user_script_rw_t)
+typeattribute httpd_user_script_t httpd_script_domains;
+typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
+typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
+typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
+typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
+typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t };
+typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t };
+typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t };
+typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
+typealias httpd_user_script_ro_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
+typealias httpd_user_script_ro_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
+typealias httpd_user_script_rw_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
+typealias httpd_user_script_rw_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
+typealias httpd_user_script_ra_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
+typealias httpd_user_script_ra_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
+
# for apache2 memory mapped files
type httpd_var_lib_t;
files_type(httpd_var_lib_t)
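Review bot: Only the script domain httpd_user_script_t is marked `ubac_constrained` here, while the user content, htaccess, script_exec and script_ro/rw/ra types that the old per-role templates kept separate per user are not, whereas bluetooth.te in this same commit marks its helper tmp and tmpfs types as well. If userdom_user_home_content() applies the constraint itself that is fine, but it is not visible from the hunk; otherwise those types lose the per-user separation the aliases collapse. Either add `ubac_constrained(...)` for those types or leave a comment above the typealias block explaining why the script domain alone is constrained, e.g. `# user separation for the content types comes from userdom_user_home_content (UBAC); only the script domain needs explicit marking`.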
@@ -393,7 +416,7 @@ tunable_policy(`httpd_enable_ftp_server',`
')
tunable_policy(`httpd_enable_homedirs',`
- userdom_read_unpriv_users_home_content_files(httpd_t)
+ userdom_read_user_home_content_files(httpd_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -418,12 +441,9 @@ tunable_policy(`httpd_ssi_exec',`
# to run correctly without this permission, so the permission
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
- # cjp: this is redundant:
- term_use_controlling_term(httpd_t)
-
- sysadm_use_terms(httpd_t)
+ userdom_use_user_terminals(httpd_t)
',`
- sysadm_dontaudit_use_terms(httpd_t)
+ userdom_dontaudit_use_user_terminals(httpd_t)
')
optional_policy(`
@@ -513,9 +533,7 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
-tunable_policy(`httpd_tty_comm',`
- sysadm_use_terms(httpd_helper_t)
-')
+userdom_use_user_terminals(httpd_helper_t)
########################################
#
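Review bot: `userdom_use_user_terminals(httpd_helper_t)` is now unconditional, whereas the removed lines had it gated by the `httpd_tty_comm` tunable, and the equivalent httpd_t access in the hunk above (L14541-L14550) is still gated by that tunable. That quietly widens the default policy: helper processes can now use user terminals even when the administrator has left httpd_tty_comm off. If the loosening is intended, a comment above the line should say so; otherwise keep it inside `tunable_policy(`httpd_tty_comm',` ... `')` as before, matching httpd_t.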
@@ -628,7 +646,7 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',`
')
tunable_policy(`httpd_enable_homedirs',`
- userdom_read_unpriv_users_home_content_files(httpd_suexec_t)
+ userdom_read_user_home_content_files(httpd_suexec_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -686,7 +704,7 @@ ifdef(`distro_redhat',`
')
tunable_policy(`httpd_enable_homedirs',`
- userdom_read_unpriv_users_home_content_files(httpd_sys_script_t)
+ userdom_read_user_home_content_files(httpd_sys_script_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -728,3 +746,19 @@ files_read_etc_files(httpd_rotatelogs_t)
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
+
+########################################
+#
+# User content local policy
+#
+
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ allow httpd_user_script_t httpdcontent:file entrypoint;
+')
+
+# allow accessing files/dirs below the users home dir
+tunable_policy(`httpd_enable_homedirs',`
+ userdom_search_user_home_dirs(httpd_t)
+ userdom_search_user_home_dirs(httpd_suexec_t)
+ userdom_search_user_home_dirs(httpd_user_script_t)
+')
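Review bot: The new `tunable_policy(`httpd_enable_homedirs',` block at the end of the file repeats a tunable that already has per-domain blocks for httpd_t, httpd_suexec_t and httpd_sys_script_t earlier in this same file (hunks at L14531, L14560 and L14567), so the home-directory rules for one domain are now split across two places. The `userdom_search_user_home_dirs(httpd_t)` and `userdom_search_user_home_dirs(httpd_suexec_t)` lines would be easier to audit inside those existing blocks, leaving only the httpd_user_script_t rules in this new section. The `entrypoint` rule also deserves a why-comment, e.g. `# with httpd_unified, any httpdcontent file may serve as the entrypoint for user scripts`, since it is the one rule in this section that widens what can start the user script domain.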
diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te
index 2a96926..e565c32 100644
--- a/policy/modules/services/apcupsd.te
+++ b/policy/modules/services/apcupsd.te
@@ -1,5 +1,5 @@
-policy_module(apcupsd, 1.4.0)
+policy_module(apcupsd, 1.4.1)
########################################
#
@@ -88,8 +88,7 @@ miscfiles_read_localization(apcupsd_t)
sysnet_dns_name_resolve(apcupsd_t)
-userdom_use_unpriv_users_ttys(apcupsd_t)
-userdom_use_unpriv_users_ptys(apcupsd_t)
+userdom_use_user_ttys(apcupsd_t)
optional_policy(`
hostname_exec(apcupsd_t)
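Review bot: The two removed lines granted apcupsd_t both tty and pty access, but the single replacement `userdom_use_user_ttys(apcupsd_t)` names only ttys, so pty access appears to be dropped unless that interface also covers ptys, which is not visible here. If the pty grant is still needed (for example for notifications written to logged-in users' terminals), the pty counterpart interface from userdomain should be added alongside; if it was intentionally removed, a comment such as `# pty access dropped; only real ttys are notified` would record that.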
diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
index 80c7780..2490ed7 100644
--- a/policy/modules/services/apm.te
+++ b/policy/modules/services/apm.te
@@ -1,5 +1,5 @@
-policy_module(apm, 1.8.0)
+policy_module(apm, 1.8.1)
########################################
#
@@ -133,9 +133,8 @@ modutils_read_module_config(apmd_t)
seutil_dontaudit_read_config(apmd_t)
userdom_dontaudit_use_unpriv_user_fds(apmd_t)
-userdom_dontaudit_search_all_users_home_content(apmd_t) # Excessive?
-
-sysadm_dontaudit_search_home_dirs(apmd_t)
+userdom_dontaudit_search_user_home_dirs(apmd_t)
+userdom_dontaudit_search_user_home_content(apmd_t) # Excessive?
ifdef(`distro_redhat',`
allow apmd_t apmd_lock_t:file manage_file_perms;
@@ -225,5 +224,5 @@ optional_policy(`
# cjp: related to sleep/resume (?)
optional_policy(`
- xserver_domtrans_xdm_xserver(apmd_t)
+ xserver_domtrans(apmd_t)
')
diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te
index efff63c..27bf9ad 100644
--- a/policy/modules/services/arpwatch.te
+++ b/policy/modules/services/arpwatch.te
@@ -1,5 +1,5 @@
-policy_module(arpwatch, 1.6.0)
+policy_module(arpwatch, 1.6.1)
########################################
#
@@ -77,12 +77,11 @@ logging_send_syslog_msg(arpwatch_t)
miscfiles_read_localization(arpwatch_t)
+userdom_dontaudit_search_user_home_dirs(arpwatch_t)
userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
mta_send_mail(arpwatch_t)
-sysadm_dontaudit_search_home_dirs(arpwatch_t)
-
optional_policy(`
seutil_sigchld_newrole(arpwatch_t)
')
diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
index 5aaa127..6f1f982 100644
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
@@ -1,5 +1,5 @@
-policy_module(asterisk, 1.5.0)
+policy_module(asterisk, 1.5.1)
########################################
#
@@ -123,8 +123,7 @@ miscfiles_read_localization(asterisk_t)
sysnet_read_config(asterisk_t)
userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
-
-sysadm_dontaudit_search_home_dirs(asterisk_t)
+userdom_dontaudit_search_user_home_dirs(asterisk_t)
optional_policy(`
nis_use_ypbind(asterisk_t)
diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te
index 66672f4..64a716a 100644
--- a/policy/modules/services/audioentropy.te
+++ b/policy/modules/services/audioentropy.te
@@ -1,5 +1,5 @@
-policy_module(audio_entropy, 1.4.0)
+policy_module(audio_entropy, 1.4.1)
########################################
#
@@ -46,8 +46,7 @@ logging_send_syslog_msg(entropyd_t)
miscfiles_read_localization(entropyd_t)
userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
-
-sysadm_dontaudit_search_home_dirs(entropyd_t)
+userdom_dontaudit_search_user_home_dirs(entropyd_t)
optional_policy(`
seutil_sigchld_newrole(entropyd_t)
diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
index 61b06c6..43192df 100644
--- a/policy/modules/services/automount.te
+++ b/policy/modules/services/automount.te
@@ -1,5 +1,5 @@
-policy_module(automount, 1.10.0)
+policy_module(automount, 1.10.1)
########################################
#
@@ -144,8 +144,7 @@ miscfiles_read_certs(automount_t)
mount_domtrans(automount_t)
userdom_dontaudit_use_unpriv_user_fds(automount_t)
-
-sysadm_dontaudit_search_home_dirs(automount_t)
+userdom_dontaudit_search_user_home_dirs(automount_t)
optional_policy(`
bind_search_cache(automount_t)
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index dddae90..8120ad5 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -1,5 +1,5 @@
-policy_module(avahi, 1.9.0)
+policy_module(avahi, 1.9.1)
########################################
#
@@ -75,11 +75,10 @@ logging_send_syslog_msg(avahi_t)
miscfiles_read_localization(avahi_t)
userdom_dontaudit_use_unpriv_user_fds(avahi_t)
-
-sysadm_dontaudit_search_home_dirs(avahi_t)
+userdom_dontaudit_search_user_home_dirs(avahi_t)
optional_policy(`
- dbus_system_bus_client_template(avahi,avahi_t)
+ dbus_system_bus_client(avahi_t)
dbus_connect_system_bus(avahi_t)
init_dbus_chat_script(avahi_t)
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
index d089eff..c28e4d9 100644
--- a/policy/modules/services/bind.if
+++ b/policy/modules/services/bind.if
@@ -51,11 +51,6 @@ interface(`bind_signal',`
## The role to be allowed the bind domain.
##
##
-##
-##
-## The type of the terminal allow the bind domain to use.
-##
-##
##
#
interface(`bind_run_ndc',`
@@ -65,7 +60,6 @@ interface(`bind_run_ndc',`
bind_domtrans_ndc($1)
role $2 types ndc_t;
- allow ndc_t $3:chr_file rw_term_perms;
')
########################################
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 4ceaab3..77dfd18 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -1,5 +1,5 @@
-policy_module(bind, 1.8.0)
+policy_module(bind, 1.8.1)
########################################
#
@@ -147,8 +147,7 @@ miscfiles_read_certs(named_t)
sysnet_read_config(named_t)
userdom_dontaudit_use_unpriv_user_fds(named_t)
-
-sysadm_dontaudit_search_home_dirs(named_t)
+userdom_dontaudit_search_user_home_dirs(named_t)
tunable_policy(`named_write_master_zones',`
manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
@@ -161,7 +160,7 @@ optional_policy(`
sysnet_dbus_chat_dhcpc(named_t)
- dbus_system_bus_client_template(named, named_t)
+ dbus_system_bus_client(named_t)
dbus_connect_system_bus(named_t)
optional_policy(`
@@ -241,6 +240,8 @@ miscfiles_read_localization(ndc_t)
sysnet_read_config(ndc_t)
sysnet_dns_name_resolve(ndc_t)
+userdom_use_user_terminals(ndc_t)
+
# for /etc/rndc.key
ifdef(`distro_redhat',`
allow ndc_t named_conf_t:dir search;
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
index deb7d45..edf2769 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -1,111 +1,40 @@
## Bluetooth tools and system services.
-#######################################
+########################################
##
-## The per role template for the bluetooth module.
+## Role access for bluetooth
##
-##
-##
-## This template creates derived domains which are used
-## for bluetooth.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
+##
##
-## The type of the user domain.
+## Role allowed access
##
##
-##
+##
##
-## The role associated with the user domain.
+## User domain for the role
##
##
#
-template(`bluetooth_per_role_template',`
+interface(`bluetooth_role',`
gen_require(`
- attribute bluetooth_helper_domain;
- type bluetooth_helper_exec_t, bluetooth_t;
+ type bluetooth_helper_t, bluetooth_helper_exec_t;
+ type bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t;
')
- type $1_bluetooth_t, bluetooth_helper_domain;
- application_domain($1_bluetooth_t, bluetooth_helper_exec_t)
- role $3 types $1_bluetooth_t;
-
- type $1_bluetooth_tmp_t;
- files_tmp_file($1_bluetooth_tmp_t)
-
- type $1_bluetooth_tmpfs_t;
- files_tmpfs_file($1_bluetooth_tmpfs_t)
-
- allow $1_bluetooth_t self:capability sys_nice;
- allow $1_bluetooth_t self:process getsched;
- allow $1_bluetooth_t self:fifo_file rw_fifo_file_perms;
- allow $1_bluetooth_t self:shm create_shm_perms;
- allow $1_bluetooth_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow $1_bluetooth_t self:tcp_socket create_socket_perms;
- allow $1_bluetooth_t self:netlink_route_socket r_netlink_socket_perms;
-
- allow $1_bluetooth_t bluetooth_t:socket { read write };
-
- manage_dirs_pattern($1_bluetooth_t, $1_bluetooth_tmp_t, $1_bluetooth_tmp_t)
- manage_files_pattern($1_bluetooth_t, $1_bluetooth_tmp_t, $1_bluetooth_tmp_t)
- manage_sock_files_pattern($1_bluetooth_t, $1_bluetooth_tmp_t, $1_bluetooth_tmp_t)
- files_tmp_filetrans($1_bluetooth_t, $1_bluetooth_tmp_t, { file dir sock_file })
-
- manage_dirs_pattern($1_bluetooth_t, $1_bluetooth_tmpfs_t, $1_bluetooth_tmpfs_t)
- manage_files_pattern($1_bluetooth_t, $1_bluetooth_tmpfs_t, $1_bluetooth_tmpfs_t)
- fs_tmpfs_filetrans($1_bluetooth_t, $1_bluetooth_tmpfs_t, { dir file })
-
- kernel_read_system_state($1_bluetooth_t)
- kernel_read_kernel_sysctls($1_bluetooth_t)
+ role $1 types bluetooth_helper_t;
- dev_read_urand($1_bluetooth_t)
+ domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t)
- term_dontaudit_use_all_user_ttys($1_bluetooth_t)
+ # allow ps to show cdrecord and allow the user to kill it
+ ps_process_pattern($2, bluetooth_helper_t)
+ allow $2 bluetooth_helper_t:process signal;
- corecmd_exec_bin($1_bluetooth_t)
- corecmd_exec_shell($1_bluetooth_t)
+ manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+ manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+ manage_sock_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
- domain_read_all_domains_state($1_bluetooth_t)
-
- files_read_etc_files($1_bluetooth_t)
- files_read_etc_runtime_files($1_bluetooth_t)
- files_read_usr_files($1_bluetooth_t)
- files_dontaudit_list_default($1_bluetooth_t)
-
- locallogin_dontaudit_use_fds($1_bluetooth_t)
-
- logging_send_syslog_msg($1_bluetooth_t)
-
- miscfiles_read_localization($1_bluetooth_t)
-
- sysnet_read_config($1_bluetooth_t)
-
- optional_policy(`
- bluetooth_dbus_chat($1_bluetooth_t)
-
- dbus_system_bus_client_template($1_bluetooth, $1_bluetooth_t)
- dbus_connect_system_bus($1_bluetooth_t)
- ')
-
- optional_policy(`
- nscd_socket_use($1_bluetooth_t)
- ')
-
- optional_policy(`
- xserver_user_x_domain_template($1, $1_bluetooth, $1_bluetooth_t, $1_bluetooth_tmpfs_t)
- ')
+ manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+ manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
')
########################################
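Review bot: The comment `# allow ps to show cdrecord and allow the user to kill it` in bluetooth_role is a copy-paste leftover from another module and mislabels what the two rules below it grant; it should read `# allow ps to show the bluetooth helper and allow the user to signal it`. It is also worth noting in the interface header that, unlike the removed per-role template, this interface grants `$2` full manage access to bluetooth_helper_tmp_t and bluetooth_helper_tmpfs_t, which are now shared across every role that calls it rather than being per-user types.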
@@ -207,7 +136,7 @@ interface(`bluetooth_run_helper',`
########################################
##
-## Read bluetooth helper files.
+## Read bluetooth helper state files.
##
##
##
@@ -215,11 +144,11 @@ interface(`bluetooth_run_helper',`
##
##
#
-interface(`bluetooth_dontaudit_read_helper_files',`
+interface(`bluetooth_dontaudit_read_helper_state',`
gen_require(`
- attribute bluetooth_helper_domain;
+ type bluetooth_helper_t;
')
- dontaudit $1 bluetooth_helper_domain:dir search;
- dontaudit $1 bluetooth_helper_domain:file { read getattr };
+ dontaudit $1 bluetooth_helper_t:dir search;
+ dontaudit $1 bluetooth_helper_t:file { read getattr };
')
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
index 0da2c88..302dd11 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -1,5 +1,5 @@
-policy_module(bluetooth, 2.2.0)
+policy_module(bluetooth, 3.0.0)
########################################
#
@@ -15,10 +15,24 @@ files_type(bluetooth_conf_t)
type bluetooth_conf_rw_t;
files_type(bluetooth_conf_rw_t)
-attribute bluetooth_helper_domain;
-
+type bluetooth_helper_t;
type bluetooth_helper_exec_t;
-application_executable_file(bluetooth_helper_exec_t)
+typealias bluetooth_helper_t alias { user_bluetooth_helper_t staff_bluetooth_helper_t sysadm_bluetooth_helper_t };
+typealias bluetooth_helper_t alias { auditadm_bluetooth_helper_t secadm_bluetooth_helper_t };
+application_domain(bluetooth_helper_t, bluetooth_helper_exec_t)
+ubac_constrained(bluetooth_helper_t)
+
+type bluetooth_helper_tmp_t;
+typealias bluetooth_helper_tmp_t alias { user_bluetooth_helper_tmp_t staff_bluetooth_helper_tmp_t sysadm_bluetooth_helper_tmp_t };
+typealias bluetooth_helper_tmp_t alias { auditadm_bluetooth_helper_tmp_t secadm_bluetooth_helper_tmp_t };
+files_tmp_file(bluetooth_helper_tmp_t)
+ubac_constrained(bluetooth_helper_tmp_t)
+
+type bluetooth_helper_tmpfs_t;
+typealias bluetooth_helper_tmpfs_t alias { user_bluetooth_helper_tmpfs_t staff_bluetooth_helper_tmpfs_t sysadm_bluetooth_helper_tmpfs_t };
+typealias bluetooth_helper_tmpfs_t alias { auditadm_bluetooth_helper_tmpfs_t secadm_bluetooth_helper_tmpfs_t };
+files_tmpfs_file(bluetooth_helper_tmpfs_t)
+ubac_constrained(bluetooth_helper_tmpfs_t)
type bluetooth_lock_t;
files_lock_file(bluetooth_lock_t)
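Review bot: The per-role helper domains and their tmp/tmpfs types are collapsed into single types here, so the only thing still separating one user's helper processes and scratch files from another's is the `ubac_constrained` marking on the three types. That marking only takes effect when the policy is built with the UBAC option enabled; on a build without it the aliases make every role share these types outright, which is a wider sharing than the old per-role types allowed. A comment above the declarations would make the dependency explicit, e.g. `# separation between users' helper processes and tmp files relies on UBAC; without it these types are shared by all roles`.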
@@ -118,12 +132,11 @@ miscfiles_read_fonts(bluetooth_t)
sysnet_read_config(bluetooth_t)
userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
-
-sysadm_dontaudit_use_ptys(bluetooth_t)
-sysadm_dontaudit_search_home_dirs(bluetooth_t)
+userdom_dontaudit_use_user_terminals(bluetooth_t)
+userdom_dontaudit_search_user_home_dirs(bluetooth_t)
optional_policy(`
- dbus_system_bus_client_template(bluetooth, bluetooth_t)
+ dbus_system_bus_client(bluetooth_t)
dbus_connect_system_bus(bluetooth_t)
')
@@ -142,3 +155,67 @@ optional_policy(`
optional_policy(`
ppp_domtrans(bluetooth_t)
')
+
+########################################
+#
+# Bluetooth helper programs local policy
+#
+
+allow bluetooth_helper_t self:capability sys_nice;
+allow bluetooth_helper_t self:process getsched;
+allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms;
+allow bluetooth_helper_t self:shm create_shm_perms;
+allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow bluetooth_helper_t self:tcp_socket create_socket_perms;
+allow bluetooth_helper_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow bluetooth_helper_t bluetooth_t:socket { read write };
+
+manage_dirs_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+manage_files_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+manage_sock_files_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir sock_file })
+
+manage_dirs_pattern(bluetooth_helper_t, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+manage_files_pattern(bluetooth_helper_t, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+fs_tmpfs_filetrans(bluetooth_helper_t, bluetooth_helper_tmpfs_t, { dir file })
+
+kernel_read_system_state(bluetooth_helper_t)
+kernel_read_kernel_sysctls(bluetooth_helper_t)
+
+dev_read_urand(bluetooth_helper_t)
+
+term_dontaudit_use_all_user_ttys(bluetooth_helper_t)
+
+corecmd_exec_bin(bluetooth_helper_t)
+corecmd_exec_shell(bluetooth_helper_t)
+
+domain_read_all_domains_state(bluetooth_helper_t)
+
+files_read_etc_files(bluetooth_helper_t)
+files_read_etc_runtime_files(bluetooth_helper_t)
+files_read_usr_files(bluetooth_helper_t)
+files_dontaudit_list_default(bluetooth_helper_t)
+
+locallogin_dontaudit_use_fds(bluetooth_helper_t)
+
+logging_send_syslog_msg(bluetooth_helper_t)
+
+miscfiles_read_localization(bluetooth_helper_t)
+
+sysnet_read_config(bluetooth_helper_t)
+
+optional_policy(`
+ bluetooth_dbus_chat(bluetooth_helper_t)
+
+ dbus_system_bus_client(bluetooth_helper_t)
+ dbus_connect_system_bus(bluetooth_helper_t)
+')
+
+optional_policy(`
+ nscd_socket_use(bluetooth_helper_t)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(bluetooth_helper, bluetooth_helper_t, bluetooth_helper_tmpfs_t)
+')
diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te
index 5f14678..110f2fa 100644
--- a/policy/modules/services/canna.te
+++ b/policy/modules/services/canna.te
@@ -1,5 +1,5 @@
-policy_module(canna, 1.8.0)
+policy_module(canna, 1.8.1)
########################################
#
@@ -78,8 +78,7 @@ miscfiles_read_localization(canna_t)
sysnet_read_config(canna_t)
userdom_dontaudit_use_unpriv_user_fds(canna_t)
-
-sysadm_dontaudit_search_home_dirs(canna_t)
+userdom_dontaudit_search_user_home_dirs(canna_t)
optional_policy(`
nis_use_ypbind(canna_t)
diff --git a/policy/modules/services/clockspeed.if b/policy/modules/services/clockspeed.if
index 5dc0c2d..50aba89 100644
--- a/policy/modules/services/clockspeed.if
+++ b/policy/modules/services/clockspeed.if
@@ -32,11 +32,6 @@ interface(`clockspeed_domtrans_cli',`
## The role to be allowed the clockspeed_cli domain.
##
##
-##
-##
-## The type of the terminal allow the clockspeed_cli domain to use.
-##
-##
##
#
interface(`clockspeed_run_cli',`
@@ -46,6 +41,4 @@ interface(`clockspeed_run_cli',`
role $2 types clockspeed_cli_t;
clockspeed_domtrans_cli($1)
- allow clockspeed_cli_t $3:chr_file { getattr read write ioctl };
-
')
diff --git a/policy/modules/services/clockspeed.te b/policy/modules/services/clockspeed.te
index f1699bc..075a7ea 100644
--- a/policy/modules/services/clockspeed.te
+++ b/policy/modules/services/clockspeed.te
@@ -1,5 +1,5 @@
-policy_module(clockspeed, 1.3.0)
+policy_module(clockspeed, 1.3.1)
########################################
#
@@ -39,6 +39,8 @@ files_read_etc_files(clockspeed_cli_t)
miscfiles_read_localization(clockspeed_cli_t)
+userdom_use_user_terminals(clockspeed_cli_t)
+
########################################
#
# Server local policy
diff --git a/policy/modules/services/comsat.te b/policy/modules/services/comsat.te
index 4881daf..5e1df3a 100644
--- a/policy/modules/services/comsat.te
+++ b/policy/modules/services/comsat.te
@@ -1,5 +1,5 @@
-policy_module(comsat, 1.5.0)
+policy_module(comsat, 1.5.1)
########################################
#
@@ -66,9 +66,9 @@ logging_send_syslog_msg(comsat_t)
miscfiles_read_localization(comsat_t)
-mta_getattr_spool(comsat_t)
+userdom_dontaudit_getattr_user_ttys(comsat_t)
-sysadm_dontaudit_getattr_ttys(comsat_t)
+mta_getattr_spool(comsat_t)
optional_policy(`
kerberos_use(comsat_t)
diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
index 33deb95..f483a16 100644
--- a/policy/modules/services/consolekit.te
+++ b/policy/modules/services/consolekit.te
@@ -1,5 +1,5 @@
-policy_module(consolekit, 1.3.0)
+policy_module(consolekit, 1.3.1)
########################################
#
@@ -50,7 +50,7 @@ auth_use_nsswitch(consolekit_t)
miscfiles_read_localization(consolekit_t)
optional_policy(`
- dbus_system_bus_client_template(consolekit, consolekit_t)
+ dbus_system_bus_client(consolekit_t)
dbus_connect_system_bus(consolekit_t)
hal_dbus_chat(consolekit_t)
@@ -61,6 +61,6 @@ optional_policy(`
')
optional_policy(`
- xserver_read_all_users_xauth(consolekit_t)
- xserver_stream_connect_xdm_xserver(consolekit_t)
+ xserver_read_user_xauth(consolekit_t)
+ xserver_stream_connect(consolekit_t)
')
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
index 768c1da..475e509 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -1,5 +1,5 @@
-policy_module(courier, 1.6.0)
+policy_module(courier, 1.6.1)
########################################
#
@@ -67,12 +67,10 @@ libs_read_lib_files(courier_authdaemon_t)
miscfiles_read_localization(courier_authdaemon_t)
# should not be needed!
-userdom_search_unpriv_users_home_dirs(courier_authdaemon_t)
+userdom_search_user_home_dirs(courier_authdaemon_t)
courier_domtrans_pop(courier_authdaemon_t)
-sysadm_dontaudit_search_home_dirs(courier_authdaemon_t)
-
########################################
#
# Calendar (PCP) local policy
@@ -100,12 +98,12 @@ miscfiles_read_localization(courier_pop_t)
courier_domtrans_authdaemon(courier_pop_t)
# do the actual work (read the Maildir)
-userdom_manage_unpriv_users_home_content_files(courier_pop_t)
+userdom_manage_user_home_content_files(courier_pop_t)
# cjp: the fact that this is different for pop vs imap means that
# there should probably be a courier_pop_t and courier_imap_t
# this should also probably be a separate type too instead of
# the regular home dir
-userdom_manage_unpriv_users_home_content_dirs(courier_pop_t)
+userdom_manage_user_home_content_dirs(courier_pop_t)
########################################
#
diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
index fb0d378..969629e 100644
--- a/policy/modules/services/cron.fc
+++ b/policy/modules/services/cron.fc
@@ -41,7 +41,7 @@ ifdef(`distro_suse', `
#/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/fcron/.* <>
+/var/spool/fcron/[^/]* <>
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index 0822ff9..e75526a 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -2,307 +2,234 @@
#######################################
##
-## The per role template for the cron module.
+## The common rules for a crontab domain.
##
-##
-##
-## This template creates a derived domains which are used
-## for running programs on behalf of the user, from cron.
-## A type for the user crontab is also created.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
##
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
##
##
-##
-##
-## The type of the user domain.
-##
-##
-##
-##
-## The role associated with the user domain.
-##
-##
#
-template(`cron_per_role_template',`
- gen_require(`
- attribute cron_spool_type;
- type crond_t, cron_spool_t, crontab_exec_t;
- class dbus send_msg;
- ')
-
- # Type of user crontabs once moved to cron spool.
- type $1_cron_spool_t, cron_spool_type;
- files_type($1_cron_spool_t)
-
- type $1_crond_t;
- domain_type($1_crond_t)
- domain_cron_exemption_target($1_crond_t)
- corecmd_shell_entry_type($1_crond_t)
- role $3 types $1_crond_t;
+template(`cron_common_crontab_template',`
+ ##############################
+ #
+ # Declarations
+ #
- type $1_crontab_t;
- application_domain($1_crontab_t, crontab_exec_t)
- role $3 types $1_crontab_t;
+ type $1_t;
+ application_domain($1_t, crontab_exec_t)
+ ubac_constrained($1_t)
- type $1_crontab_tmp_t;
- files_tmp_file($1_crontab_tmp_t)
+ type $1_tmp_t;
+ files_tmp_file($1_tmp_t)
##############################
#
- # $1_crond_t local policy
+ # Local policy
#
- allow $1_crond_t self:capability dac_override;
- allow $1_crond_t self:process { signal_perms setsched };
- allow $1_crond_t self:fifo_file rw_fifo_file_perms;
- allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_crond_t self:unix_dgram_socket create_socket_perms;
-
- # The entrypoint interface is not used as this is not
- # a regular entrypoint. Since crontab files are
- # not directly executed, crond must ensure that
- # the crontab file has a type that is appropriate
- # for the domain of the user cron job. It
- # performs an entrypoint permission check
- # for this purpose.
- allow $1_crond_t $1_cron_spool_t:file entrypoint;
-
- # Permit a transition from the crond_t domain to this domain.
- # The transition is requested explicitly by the modified crond
- # via setexeccon. There is no way to set up an automatic
- # transition, since crontabs are configuration files, not executables.
- allow crond_t $1_crond_t:process transition;
- dontaudit crond_t $1_crond_t:process { noatsecure siginh rlimitinh };
- allow crond_t $1_crond_t:fd use;
- allow $1_crond_t crond_t:fd use;
- allow $1_crond_t crond_t:fifo_file rw_file_perms;
- allow $1_crond_t crond_t:process sigchld;
-
- kernel_read_system_state($1_crond_t)
- kernel_read_kernel_sysctls($1_crond_t)
-
- # ps does not need to access /boot when run from cron
- files_dontaudit_search_boot($1_crond_t)
-
- corenet_all_recvfrom_unlabeled($1_crond_t)
- corenet_all_recvfrom_netlabel($1_crond_t)
- corenet_tcp_sendrecv_all_if($1_crond_t)
- corenet_udp_sendrecv_all_if($1_crond_t)
- corenet_tcp_sendrecv_all_nodes($1_crond_t)
- corenet_udp_sendrecv_all_nodes($1_crond_t)
- corenet_tcp_sendrecv_all_ports($1_crond_t)
- corenet_udp_sendrecv_all_ports($1_crond_t)
- corenet_tcp_connect_all_ports($1_crond_t)
- corenet_sendrecv_all_client_packets($1_crond_t)
-
- dev_read_urand($1_crond_t)
-
- fs_getattr_all_fs($1_crond_t)
-
- corecmd_exec_all_executables($1_crond_t)
-
- # quiet other ps operations
- domain_dontaudit_read_all_domains_state($1_crond_t)
- domain_dontaudit_getattr_all_domains($1_crond_t)
-
- files_read_usr_files($1_crond_t)
- files_exec_etc_files($1_crond_t)
- # for nscd:
- files_dontaudit_search_pids($1_crond_t)
-
- libs_exec_lib_files($1_crond_t)
- libs_exec_ld_so($1_crond_t)
-
- files_read_etc_runtime_files($1_crond_t)
- files_read_var_files($1_crond_t)
- files_search_spool($1_crond_t)
-
- logging_search_logs($1_crond_t)
-
- seutil_read_config($1_crond_t)
-
- miscfiles_read_localization($1_crond_t)
-
- userdom_manage_user_tmp_files($1, $1_crond_t)
- userdom_manage_user_tmp_symlinks($1, $1_crond_t)
- userdom_manage_user_tmp_pipes($1, $1_crond_t)
- userdom_manage_user_tmp_sockets($1, $1_crond_t)
- # Run scripts in user home directory and access shared libs.
- userdom_exec_user_home_content_files($1, $1_crond_t)
- # Access user files and dirs.
-# userdom_manage_user_home_subdir_dirs($1,$1_crond_t)
- userdom_manage_user_home_content_files($1, $1_crond_t)
- userdom_manage_user_home_content_symlinks($1, $1_crond_t)
- userdom_manage_user_home_content_pipes($1, $1_crond_t)
- userdom_manage_user_home_content_sockets($1, $1_crond_t)
-# userdom_user_home_dir_filetrans_user_home_content($1,$1_crond_t,notdevfile_class_set)
-
- tunable_policy(`fcron_crond', `
- allow crond_t $1_cron_spool_t:file manage_file_perms;
- ')
+ # dac_override is to create the file in the directory under /tmp
+ allow $1_t self:capability { fowner setuid setgid chown dac_override };
+ allow $1_t self:process signal_perms;
- # need a per-role version of this:
- #optional_policy(`
- # mono_domtrans($1_crond_t)
- #')
+ allow $1_t $1_tmp_t:file manage_file_perms;
+ files_tmp_filetrans($1_t,$1_tmp_t,file)
- optional_policy(`
- dbus_stub($1_crond_t)
+ # create files in /var/spool/cron
+ # cjp: change this to a role transition
+ manage_files_pattern($1_t, cron_spool_t, user_cron_spool_t)
+ filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file)
+ files_search_spool($1_t)
- allow $1_crond_t $2:dbus send_msg;
- ')
+ # crontab signals crond by updating the mtime on the spooldir
+ allow $1_t cron_spool_t:dir setattr;
- optional_policy(`
- nis_use_ypbind($1_crond_t)
- ')
+ kernel_read_system_state($1_t)
- ifdef(`TODO',`
- optional_policy(`
- create_dir_file($1_crond_t, httpd_$1_content_t)
- ')
- allow $1_crond_t tmp_t:dir rw_dir_perms;
- type_transition $1_crond_t $1_tmp_t:{ file lnk_file sock_file fifo_file } $1_tmp_t;
+ # for the checks used by crontab -u
+ selinux_dontaudit_search_fs($1_t)
- ifdef(`mta.te', `
- domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
- allow $1_crond_t sendmail_exec_t:lnk_file read_lnk_file_perms;
+ fs_getattr_xattr_fs($1_t)
- # $1_mail_t should only be reading from the cron fifo not needing to write
- dontaudit $1_mail_t crond_t:fifo_file write;
- allow mta_user_agent $1_crond_t:fd use;
- ')
- ') dnl endif TODO
+ domain_use_interactive_fds($1_t)
- ##############################
- #
- # $1_crontab_t local policy
- #
+ files_read_etc_files($1_t)
+ files_dontaudit_search_pids($1_t)
- # dac_override is to create the file in the directory under /tmp
- allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
- allow $1_crontab_t self:process signal_perms;
+ logging_send_syslog_msg($1_t)
- # Transition from the user domain to the derived domain.
- domtrans_pattern($2, crontab_exec_t, $1_crontab_t)
+ miscfiles_read_localization($1_t)
- # crontab shows up in user ps
- ps_process_pattern($2, $1_crontab_t)
+ seutil_read_config($1_t)
- # for ^Z
- allow $2 $1_crontab_t:process signal;
+ userdom_manage_user_tmp_dirs($1_t)
+ userdom_manage_user_tmp_files($1_t)
+ # Access terminals.
+ userdom_use_user_terminals($1_t)
+ # Read user crontabs
+ userdom_read_user_home_content_files($1_t)
- # Allow crond to read those crontabs in cron spool.
- allow crond_t $1_cron_spool_t:file manage_file_perms;
+ tunable_policy(`fcron_crond',`
+ # fcron wants an instant update of a crontab change for the administrator
+ # also crontab does a security check for crontab -u
+ dontaudit $1_t crond_t:process signal;
+ ')
- allow $1_crontab_t $1_crontab_tmp_t:file manage_file_perms;
- files_tmp_filetrans($1_crontab_t, $1_crontab_tmp_t, file)
+ optional_policy(`
+ nscd_socket_use($1_t)
+ ')
+')
- # create files in /var/spool/cron
- manage_files_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t)
- filetrans_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t,file)
- files_search_spool($1_crontab_t)
+########################################
+##
+## Role access for cron
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`cron_role',`
+ gen_require(`
+ type cronjob_t, crontab_t, crontab_exec_t;
+ ')
- # crontab signals crond by updating the mtime on the spooldir
- allow $1_crontab_t cron_spool_t:dir setattr;
+ role $1 types { cronjob_t crontab_t };
- kernel_read_system_state($1_crontab_t)
+ # cronjob shows up in user ps
+ ps_process_pattern($2, cronjob_t)
- # for the checks used by crontab -u
- selinux_dontaudit_search_fs($1_crontab_t)
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, crontab_exec_t, crontab_t)
- fs_getattr_xattr_fs($1_crontab_t)
+ # crontab shows up in user ps
+ ps_process_pattern($2, crontab_t)
+ allow $2 crontab_t:process signal;
# Run helper programs as the user domain
- corecmd_bin_domtrans($1_crontab_t, $2)
- corecmd_shell_domtrans($1_crontab_t, $2)
+ #corecmd_bin_domtrans(crontab_t, $2)
+ #corecmd_shell_domtrans(crontab_t, $2)
+ corecmd_exec_bin(crontab_t)
+ corecmd_exec_shell(crontab_t)
+
+ optional_policy(`
+ gen_require(`
+ class dbus send_msg;
+ ')
- domain_use_interactive_fds($1_crontab_t)
+ dbus_stub(cronjob_t)
+
+ allow cronjob_t $2:dbus send_msg;
+ ')
+')
- files_read_etc_files($1_crontab_t)
- files_dontaudit_search_pids($1_crontab_t)
+########################################
+##
+## Role access for unconfined cronjobs
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`cron_unconfined_role',`
+ gen_require(`
+ type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t;
+ ')
- logging_send_syslog_msg($1_crontab_t)
+ role $1 types { unconfined_cronjob_t crontab_t };
- miscfiles_read_localization($1_crontab_t)
+ # cronjob shows up in user ps
+ ps_process_pattern($2, unconfined_cronjob_t)
- seutil_read_config($1_crontab_t)
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, crontab_exec_t, crontab_t)
- userdom_manage_user_tmp_dirs($1, $1_crontab_t)
- userdom_manage_user_tmp_files($1, $1_crontab_t)
- # Access terminals.
- userdom_use_user_terminals($1, $1_crontab_t)
- # Read user crontabs
- userdom_read_user_home_content_files($1, $1_crontab_t)
+ # crontab shows up in user ps
+ ps_process_pattern($2, crontab_t)
+ allow $2 crontab_t:process signal;
- tunable_policy(`fcron_crond',`
- # fcron wants an instant update of a crontab change for the administrator
- # also crontab does a security check for crontab -u
- dontaudit $1_crontab_t crond_t:process signal;
- ')
+ # Run helper programs as the user domain
+ #corecmd_bin_domtrans(crontab_t, $2)
+ #corecmd_shell_domtrans(crontab_t, $2)
+ corecmd_exec_bin(crontab_t)
+ corecmd_exec_shell(crontab_t)
optional_policy(`
- nscd_socket_use($1_crontab_t)
- ')
+ gen_require(`
+ class dbus send_msg;
+ ')
- ifdef(`TODO',`
- # Read user crontabs
- dontaudit $1_crontab_t $1_home_dir_t:dir write;
- ') dnl endif TODO
+ dbus_stub(unconfined_cronjob_t)
+
+ allow unconfined_cronjob_t $2:dbus send_msg;
+ ')
')
-#######################################
+########################################
##
-## The administrative functions template for the cron module.
+## Role access for cron
##
-##
-##
-## This template creates rules for administrating the cron service,
-## allowing the specified user to manage other user crontabs.
-##
-##
-##
+##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
##
##
-##
#
-template(`cron_admin_template',`
+interface(`cron_admin_role',`
gen_require(`
- attribute cron_spool_type;
- type $1_crontab_t, $1_crond_t;
+ type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t;
+ class passwd crontab;
')
- # Allow our crontab domain to unlink a user cron spool file.
- allow $1_crontab_t cron_spool_type:file { read_file_perms delete_file_perms };
+ role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t };
- logging_read_generic_logs($1_crond_t)
+ # cronjob shows up in user ps
+ ps_process_pattern($2, cronjob_t)
# Manipulate other users crontab.
- selinux_get_fs_mount($1_crontab_t)
- selinux_validate_context($1_crontab_t)
- selinux_compute_access_vector($1_crontab_t)
- selinux_compute_create_context($1_crontab_t)
- selinux_compute_relabel_context($1_crontab_t)
- selinux_compute_user_contexts($1_crontab_t)
-
- tunable_policy(`fcron_crond', `
- # fcron wants an instant update of a crontab change for the administrator
- # also crontab does a security check for crontab -u
- allow $1_crontab_t self:process setfscreate;
- selinux_get_fs_mount($1_crontab_t)
- ')
+ allow $2 self:passwd crontab;
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
+
+ # crontab shows up in user ps
+ ps_process_pattern($2, admin_crontab_t)
+ allow $2 admin_crontab_t:process signal;
+
+ # Run helper programs as the user domain
+ #corecmd_bin_domtrans(admin_crontab_t, $2)
+ #corecmd_shell_domtrans(admin_crontab_t, $2)
+ corecmd_exec_bin(admin_crontab_t)
+ corecmd_exec_shell(admin_crontab_t)
+
+ optional_policy(`
+ gen_require(`
+ class dbus send_msg;
+ ')
+
+ dbus_stub(admin_cronjob_t)
+
+ allow cronjob_t $2:dbus send_msg;
+ ')
')
########################################
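Review bot: `dbus_stub(admin_cronjob_t)` in `cron_admin_role` names a type that is neither in the interface's `gen_require` (`cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t`) nor declared anywhere in cron.te in this patch; the following `allow cronjob_t $2:dbus send_msg;` suggests it should be `dbus_stub(cronjob_t)`. In the same interface `role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t };` lists `admin_crontab_tmp_t`, a tmp file type, where only domains belong. The comment `# Run helper programs as the user domain` is kept in all three role interfaces although the `corecmd_*_domtrans` calls below it are commented out and replaced by `corecmd_exec_bin`/`corecmd_exec_shell`, so helpers (the editor) now run inside the crontab domain with its `setuid setgid chown dac_override` capabilities; either drop the dead lines and reword the comment (e.g. `# Run helper programs (editor) inside the crontab domain`) or restore the transition. `cron_unconfined_role` also requires `crontab_tmp_t` without using it.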
@@ -323,16 +250,16 @@ template(`cron_admin_template',`
#
interface(`cron_system_entry',`
gen_require(`
- type crond_t, system_crond_t;
+ type crond_t, system_cronjob_t;
')
- domain_auto_trans(system_crond_t, $2, $1)
+ domain_auto_trans(system_cronjob_t, $2, $1)
# cjp: perhaps these four rules from the old
# domain_auto_trans are not needed?
- allow $1 system_crond_t:fd use;
- allow $1 system_crond_t:fifo_file rw_file_perms;
- allow $1 system_crond_t:process sigchld;
+ allow $1 system_cronjob_t:fd use;
+ allow $1 system_cronjob_t:fifo_file rw_file_perms;
+ allow $1 system_cronjob_t:process sigchld;
allow $1 crond_t:fifo_file rw_file_perms;
allow $1 crond_t:fd use;
@@ -481,10 +408,10 @@ interface(`cron_search_spool',`
#
interface(`cron_anacron_domtrans_system_job',`
gen_require(`
- type system_crond_t, anacron_exec_t;
+ type system_cronjob_t, anacron_exec_t;
')
- domtrans_pattern($1, anacron_exec_t, system_crond_t)
+ domtrans_pattern($1,anacron_exec_t,system_cronjob_t)
')
########################################
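Review bot: `domtrans_pattern($1,anacron_exec_t,system_cronjob_t)` drops the spaces after the commas that the removed line and the rest of cron.if use; since this hunk is only a rename, keep `domtrans_pattern($1, anacron_exec_t, system_cronjob_t)` so the style stays uniform.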
@@ -500,10 +427,10 @@ interface(`cron_anacron_domtrans_system_job',`
#
interface(`cron_use_system_job_fds',`
gen_require(`
- type system_crond_t;
+ type system_cronjob_t;
')
- allow $1 system_crond_t:fd use;
+ allow $1 system_cronjob_t:fd use;
')
########################################
@@ -518,10 +445,10 @@ interface(`cron_use_system_job_fds',`
#
interface(`cron_write_system_job_pipes',`
gen_require(`
- type system_crond_t;
+ type system_cronjob_t;
')
- allow $1 system_crond_t:file write;
+ allow $1 system_cronjob_t:file write;
')
########################################
@@ -536,10 +463,10 @@ interface(`cron_write_system_job_pipes',`
#
interface(`cron_rw_system_job_pipes',`
gen_require(`
- type system_crond_t;
+ type system_cronjob_t;
')
- allow $1 system_crond_t:fifo_file rw_fifo_file_perms;
+ allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
')
########################################
@@ -554,11 +481,11 @@ interface(`cron_rw_system_job_pipes',`
#
interface(`cron_read_system_job_tmp_files',`
gen_require(`
- type system_crond_tmp_t;
+ type system_cronjob_tmp_t;
')
files_search_tmp($1)
- allow $1 system_crond_tmp_t:file read_file_perms;
+ allow $1 system_cronjob_tmp_t:file read_file_perms;
')
########################################
@@ -574,8 +501,8 @@ interface(`cron_read_system_job_tmp_files',`
#
interface(`cron_dontaudit_append_system_job_tmp_files',`
gen_require(`
- type system_crond_tmp_t;
+ type system_cronjob_tmp_t;
')
- dontaudit $1 system_crond_tmp_t:file append;
+ dontaudit $1 system_cronjob_tmp_t:file append;
')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index d8ffcc3..a63ee63 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -1,5 +1,5 @@
-policy_module(cron, 1.9.0)
+policy_module(cron, 2.0.0)
gen_require(`
class passwd rootok;
@@ -42,6 +42,14 @@ files_type(cron_var_lib_t)
type cron_log_t;
logging_log_file(cron_log_t)
+type cronjob_t;
+typealias cronjob_t alias { user_crond_t staff_crond_t sysadm_crond_t };
+typealias cronjob_t alias { auditadm_crond_t secadm_crond_t };
+domain_type(cronjob_t)
+domain_cron_exemption_target(cronjob_t)
+corecmd_shell_entry_type(cronjob_t)
+ubac_constrained(cronjob_t)
+
type crond_t;
type crond_exec_t;
init_daemon_domain(crond_t, crond_exec_t)
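Review bot: The new `cronjob_t` declaration replaces the per-role `$1_crond_t` domains and the `typealias` lines keep the old `user_crond_t`/`staff_crond_t`/`sysadm_crond_t` names, but nothing states that these aliases are compatibility shims for the deprecated per-role template or that `ubac_constrained(cronjob_t)` is now what keeps one role's cron jobs apart from another's. A comment above `type cronjob_t;` such as `# Single domain for all user cron jobs; the aliases preserve the deprecated per-role names, separation is provided by UBAC` would document the design change. Whether `ubac_constrained` has any effect when the UBAC build option is off is not visible here, so the wording should be checked against the ubac definition.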
@@ -57,27 +65,69 @@ files_pid_file(crond_var_run_t)
type crontab_exec_t;
application_executable_file(crontab_exec_t)
+cron_common_crontab_template(admin_crontab)
+typealias admin_crontab_t alias sysadm_crontab_t;
+typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t;
+
+cron_common_crontab_template(crontab)
+typealias crontab_t alias { user_crontab_t staff_crontab_t };
+typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
+typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
+typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
+
type system_cron_spool_t, cron_spool_type;
files_type(system_cron_spool_t)
-type system_crond_t;
-init_daemon_domain(system_crond_t, anacron_exec_t)
-corecmd_shell_entry_type(system_crond_t)
-role system_r types system_crond_t;
+type system_cronjob_t alias system_crond_t;
+init_daemon_domain(system_cronjob_t, anacron_exec_t)
+corecmd_shell_entry_type(system_cronjob_t)
+role system_r types system_cronjob_t;
-type system_crond_lock_t;
-files_lock_file(system_crond_lock_t)
+type system_cronjob_lock_t alias system_crond_lock_t;
+files_lock_file(system_cronjob_lock_t)
-type system_crond_tmp_t;
-files_tmp_file(system_crond_tmp_t)
+type system_cronjob_tmp_t alias system_crond_tmp_t;
+files_tmp_file(system_cronjob_tmp_t)
ifdef(`enable_mcs',`
init_ranged_daemon_domain(crond_t,crond_exec_t,s0 - mcs_systemhigh)
')
+type unconfined_cronjob_t;
+domain_type(unconfined_cronjob_t)
+
+# Type of user crontabs once moved to cron spool.
+type user_cron_spool_t, cron_spool_type;
+typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t };
+typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
+files_type(user_cron_spool_t)
+ubac_constrained(user_cron_spool_t)
+
+########################################
+#
+# Admin crontab local policy
+#
+
+# Allow our crontab domain to unlink a user cron spool file.
+allow admin_crontab_t user_cron_spool_t:file { getattr read unlink };
+
+# Manipulate other users crontab.
+selinux_get_fs_mount(admin_crontab_t)
+selinux_validate_context(admin_crontab_t)
+selinux_compute_access_vector(admin_crontab_t)
+selinux_compute_create_context(admin_crontab_t)
+selinux_compute_relabel_context(admin_crontab_t)
+selinux_compute_user_contexts(admin_crontab_t)
+
+tunable_policy(`fcron_crond', `
+ # fcron wants an instant update of a crontab change for the administrator
+ # also crontab does a security check for crontab -u
+ allow admin_crontab_t self:process setfscreate;
+')
+
########################################
#
-# Cron Local policy
+# Cron daemon local policy
#
allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control };
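Review bot: `allow admin_crontab_t user_cron_spool_t:file { getattr read unlink };` replaces the template's `{ read_file_perms delete_file_perms }` with a hand-written set that lacks `open` (and `ioctl`/`lock`); on a policy and kernel that enforce the file `open` permission the admin crontab can no longer open the spool file it reads, so `allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms };` is the safer form. The target also narrows from the `cron_spool_type` attribute to `user_cron_spool_t`, which, if intended, removes the admin's ability to delete `system_cron_spool_t` entries and deserves a comment saying so. `cron_common_crontab_template(admin_crontab)` is expanded before `user_cron_spool_t` is declared at the bottom of this hunk; that should be accepted by checkpolicy's two-pass parse, but a reader following the file top-down will look for the type in vain, so moving the declaration up next to the other spool types would help.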
@@ -155,7 +205,7 @@ miscfiles_read_localization(crond_t)
userdom_use_unpriv_users_fds(crond_t)
# Not sure why this is needed
-userdom_list_all_users_home_dirs(crond_t)
+userdom_list_user_home_dirs(crond_t)
mta_send_mail(crond_t)
@@ -218,22 +268,22 @@ optional_policy(`
# System cron process domain
#
-allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
-allow system_crond_t self:process { signal_perms setsched };
-allow system_crond_t self:fifo_file rw_fifo_file_perms;
-allow system_crond_t self:passwd rootok;
+allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
+allow system_cronjob_t self:process { signal_perms setsched };
+allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
+allow system_cronjob_t self:passwd rootok;
# This is to handle creation of files in /var/log directory.
# Used currently by rpm script log files
-allow system_crond_t cron_log_t:file manage_file_perms;
-logging_log_filetrans(system_crond_t, cron_log_t, file)
+allow system_cronjob_t cron_log_t:file manage_file_perms;
+logging_log_filetrans(system_cronjob_t, cron_log_t, file)
# This is to handle /var/lib/misc directory. Used currently
# by prelink var/lib files for cron
-allow system_crond_t cron_var_lib_t:file manage_file_perms;
-files_var_lib_filetrans(system_crond_t, cron_var_lib_t, file)
+allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
+files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
-allow system_crond_t system_cron_spool_t:file read_file_perms;
+allow system_cronjob_t system_cron_spool_t:file read_file_perms;
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
@@ -241,193 +291,303 @@ allow system_crond_t system_cron_spool_t:file read_file_perms;
# for the domain of the user cron job. It
# performs an entrypoint permission check
# for this purpose.
-allow system_crond_t system_cron_spool_t:file entrypoint;
+allow system_cronjob_t system_cron_spool_t:file entrypoint;
# Permit a transition from the crond_t domain to this domain.
# The transition is requested explicitly by the modified crond
# via setexeccon. There is no way to set up an automatic
# transition, since crontabs are configuration files, not executables.
-allow crond_t system_crond_t:process transition;
-dontaudit crond_t system_crond_t:process { noatsecure siginh rlimitinh };
-allow crond_t system_crond_t:fd use;
-allow system_crond_t crond_t:fd use;
-allow system_crond_t crond_t:fifo_file rw_file_perms;
-allow system_crond_t crond_t:process sigchld;
+allow crond_t system_cronjob_t:process transition;
+dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh };
+allow crond_t system_cronjob_t:fd use;
+allow system_cronjob_t crond_t:fd use;
+allow system_cronjob_t crond_t:fifo_file rw_file_perms;
+allow system_cronjob_t crond_t:process sigchld;
# Write /var/lock/makewhatis.lock.
-allow system_crond_t system_crond_lock_t:file manage_file_perms;
-files_lock_filetrans(system_crond_t,system_crond_lock_t,file)
+allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
+files_lock_filetrans(system_cronjob_t,system_cronjob_lock_t,file)
# write temporary files
-manage_files_pattern(system_crond_t, crond_tmp_t, system_crond_tmp_t)
-manage_lnk_files_pattern(system_crond_t,crond_tmp_t, system_crond_tmp_t)
-filetrans_pattern(system_crond_t, crond_tmp_t, system_crond_tmp_t, { file lnk_file })
-files_tmp_filetrans(system_crond_t, system_crond_tmp_t, file)
+manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
+files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
# Read from /var/spool/cron.
-allow system_crond_t cron_spool_t:dir list_dir_perms;
-allow system_crond_t cron_spool_t:file read_file_perms;
+allow system_cronjob_t cron_spool_t:dir list_dir_perms;
+allow system_cronjob_t cron_spool_t:file read_file_perms;
-kernel_read_kernel_sysctls(system_crond_t)
-kernel_read_system_state(system_crond_t)
-kernel_read_software_raid_state(system_crond_t)
+kernel_read_kernel_sysctls(system_cronjob_t)
+kernel_read_system_state(system_cronjob_t)
+kernel_read_software_raid_state(system_cronjob_t)
# ps does not need to access /boot when run from cron
-files_dontaudit_search_boot(system_crond_t)
+files_dontaudit_search_boot(system_cronjob_t)
-corecmd_exec_all_executables(system_crond_t)
+corecmd_exec_all_executables(system_cronjob_t)
-corenet_all_recvfrom_unlabeled(system_crond_t)
-corenet_all_recvfrom_netlabel(system_crond_t)
-corenet_tcp_sendrecv_all_if(system_crond_t)
-corenet_udp_sendrecv_all_if(system_crond_t)
-corenet_tcp_sendrecv_all_nodes(system_crond_t)
-corenet_udp_sendrecv_all_nodes(system_crond_t)
-corenet_tcp_sendrecv_all_ports(system_crond_t)
-corenet_udp_sendrecv_all_ports(system_crond_t)
+corenet_all_recvfrom_unlabeled(system_cronjob_t)
+corenet_all_recvfrom_netlabel(system_cronjob_t)
+corenet_tcp_sendrecv_all_if(system_cronjob_t)
+corenet_udp_sendrecv_all_if(system_cronjob_t)
+corenet_tcp_sendrecv_all_nodes(system_cronjob_t)
+corenet_udp_sendrecv_all_nodes(system_cronjob_t)
+corenet_tcp_sendrecv_all_ports(system_cronjob_t)
+corenet_udp_sendrecv_all_ports(system_cronjob_t)
-dev_getattr_all_blk_files(system_crond_t)
-dev_getattr_all_chr_files(system_crond_t)
-dev_read_urand(system_crond_t)
+dev_getattr_all_blk_files(system_cronjob_t)
+dev_getattr_all_chr_files(system_cronjob_t)
+dev_read_urand(system_cronjob_t)
-fs_getattr_all_fs(system_crond_t)
-fs_getattr_all_files(system_crond_t)
-fs_getattr_all_symlinks(system_crond_t)
-fs_getattr_all_pipes(system_crond_t)
-fs_getattr_all_sockets(system_crond_t)
+fs_getattr_all_fs(system_cronjob_t)
+fs_getattr_all_files(system_cronjob_t)
+fs_getattr_all_symlinks(system_cronjob_t)
+fs_getattr_all_pipes(system_cronjob_t)
+fs_getattr_all_sockets(system_cronjob_t)
# quiet other ps operations
-domain_dontaudit_read_all_domains_state(system_crond_t)
-
-files_exec_etc_files(system_crond_t)
-files_read_etc_files(system_crond_t)
-files_read_etc_runtime_files(system_crond_t)
-files_list_all(system_crond_t)
-files_getattr_all_dirs(system_crond_t)
-files_getattr_all_files(system_crond_t)
-files_getattr_all_symlinks(system_crond_t)
-files_getattr_all_pipes(system_crond_t)
-files_getattr_all_sockets(system_crond_t)
-files_read_usr_files(system_crond_t)
-files_read_var_files(system_crond_t)
+domain_dontaudit_read_all_domains_state(system_cronjob_t)
+
+files_exec_etc_files(system_cronjob_t)
+files_read_etc_files(system_cronjob_t)
+files_read_etc_runtime_files(system_cronjob_t)
+files_list_all(system_cronjob_t)
+files_getattr_all_dirs(system_cronjob_t)
+files_getattr_all_files(system_cronjob_t)
+files_getattr_all_symlinks(system_cronjob_t)
+files_getattr_all_pipes(system_cronjob_t)
+files_getattr_all_sockets(system_cronjob_t)
+files_read_usr_files(system_cronjob_t)
+files_read_var_files(system_cronjob_t)
# for nscd:
-files_dontaudit_search_pids(system_crond_t)
+files_dontaudit_search_pids(system_cronjob_t)
# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
-files_manage_generic_spool(system_crond_t)
+files_manage_generic_spool(system_cronjob_t)
-init_use_script_fds(system_crond_t)
-init_read_utmp(system_crond_t)
-init_dontaudit_rw_utmp(system_crond_t)
+init_use_script_fds(system_cronjob_t)
+init_read_utmp(system_cronjob_t)
+init_dontaudit_rw_utmp(system_cronjob_t)
# prelink tells init to restart it self, we either need to allow or dontaudit
-init_write_initctl(system_crond_t)
+init_write_initctl(system_cronjob_t)
-auth_use_nsswitch(system_crond_t)
+auth_use_nsswitch(system_cronjob_t)
-libs_exec_lib_files(system_crond_t)
-libs_exec_ld_so(system_crond_t)
+libs_exec_lib_files(system_cronjob_t)
+libs_exec_ld_so(system_cronjob_t)
-logging_read_generic_logs(system_crond_t)
-logging_send_syslog_msg(system_crond_t)
+logging_read_generic_logs(system_cronjob_t)
+logging_send_syslog_msg(system_cronjob_t)
-miscfiles_read_localization(system_crond_t)
-miscfiles_manage_man_pages(system_crond_t)
+miscfiles_read_localization(system_cronjob_t)
+miscfiles_manage_man_pages(system_cronjob_t)
-seutil_read_config(system_crond_t)
+seutil_read_config(system_cronjob_t)
ifdef(`distro_redhat', `
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
optional_policy(`
- rpm_manage_log(system_crond_t)
+ rpm_manage_log(system_cronjob_t)
')
')
tunable_policy(`cron_can_relabel',`
- seutil_domtrans_setfiles(system_crond_t)
+ seutil_domtrans_setfiles(system_cronjob_t)
',`
- selinux_get_fs_mount(system_crond_t)
- selinux_validate_context(system_crond_t)
- selinux_compute_access_vector(system_crond_t)
- selinux_compute_create_context(system_crond_t)
- selinux_compute_relabel_context(system_crond_t)
- selinux_compute_user_contexts(system_crond_t)
- seutil_read_file_contexts(system_crond_t)
+ selinux_get_fs_mount(system_cronjob_t)
+ selinux_validate_context(system_cronjob_t)
+ selinux_compute_access_vector(system_cronjob_t)
+ selinux_compute_create_context(system_cronjob_t)
+ selinux_compute_relabel_context(system_cronjob_t)
+ selinux_compute_user_contexts(system_cronjob_t)
+ seutil_read_file_contexts(system_cronjob_t)
')
optional_policy(`
# Needed for certwatch
- apache_exec_modules(system_crond_t)
- apache_read_config(system_crond_t)
- apache_read_log(system_crond_t)
- apache_read_sys_content(system_crond_t)
+ apache_exec_modules(system_cronjob_t)
+ apache_read_config(system_cronjob_t)
+ apache_read_log(system_cronjob_t)
+ apache_read_sys_content(system_cronjob_t)
')
optional_policy(`
- cyrus_manage_data(system_crond_t)
+ cyrus_manage_data(system_cronjob_t)
')
optional_policy(`
- ftp_read_log(system_crond_t)
+ ftp_read_log(system_cronjob_t)
')
optional_policy(`
- inn_manage_log(system_crond_t)
- inn_manage_pid(system_crond_t)
- inn_read_config(system_crond_t)
+ inn_manage_log(system_cronjob_t)
+ inn_manage_pid(system_cronjob_t)
+ inn_read_config(system_cronjob_t)
')
optional_policy(`
- mrtg_append_create_logs(system_crond_t)
+ mrtg_append_create_logs(system_cronjob_t)
')
optional_policy(`
- mta_send_mail(system_crond_t)
+ mta_send_mail(system_cronjob_t)
')
optional_policy(`
- mysql_read_config(system_crond_t)
+ mysql_read_config(system_cronjob_t)
')
optional_policy(`
- postfix_read_config(system_crond_t)
+ postfix_read_config(system_cronjob_t)
')
optional_policy(`
- prelink_read_cache(system_crond_t)
- prelink_manage_log(system_crond_t)
- prelink_delete_cache(system_crond_t)
+ prelink_read_cache(system_cronjob_t)
+ prelink_manage_log(system_cronjob_t)
+ prelink_delete_cache(system_cronjob_t)
')
optional_policy(`
- samba_read_config(system_crond_t)
- samba_read_log(system_crond_t)
- #samba_read_secrets(system_crond_t)
+ samba_read_config(system_cronjob_t)
+ samba_read_log(system_cronjob_t)
+ #samba_read_secrets(system_cronjob_t)
')
optional_policy(`
- slocate_create_append_log(system_crond_t)
+ slocate_create_append_log(system_cronjob_t)
')
optional_policy(`
# cjp: why?
- squid_domtrans(system_crond_t)
+ squid_domtrans(system_cronjob_t)
')
optional_policy(`
- sysstat_manage_log(system_crond_t)
+ sysstat_manage_log(system_cronjob_t)
')
optional_policy(`
- unconfined_domain(system_crond_t)
-
- userdom_priveleged_home_dir_manager(system_crond_t)
+ unconfined_domain(system_cronjob_t)
+ userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
ifdef(`TODO',`
ifdef(`mta.te', `
-allow system_crond_t mail_spool_t:lnk_file read;
-allow mta_user_agent system_crond_t:fd use;
+allow system_cronjob_t mail_spool_t:lnk_file read;
+allow mta_user_agent system_cronjob_t:fd use;
r_dir_file(system_mail_t, crond_tmp_t)
')
') dnl end TODO
+
+########################################
+#
+# User cronjobs local policy
+#
+
+allow cronjob_t self:capability dac_override;
+allow cronjob_t self:process { signal_perms setsched };
+allow cronjob_t self:fifo_file rw_fifo_file_perms;
+allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
+allow cronjob_t self:unix_dgram_socket create_socket_perms;
+
+# The entrypoint interface is not used as this is not
+# a regular entrypoint. Since crontab files are
+# not directly executed, crond must ensure that
+# the crontab file has a type that is appropriate
+# for the domain of the user cron job. It
+# performs an entrypoint permission check
+# for this purpose.
+allow cronjob_t user_cron_spool_t:file entrypoint;
+
+# Permit a transition from the crond_t domain to this domain.
+# The transition is requested explicitly by the modified crond
+# via setexeccon. There is no way to set up an automatic
+# transition, since crontabs are configuration files, not executables.
+allow crond_t cronjob_t:process transition;
+dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh };
+allow crond_t cronjob_t:fd use;
+allow cronjob_t crond_t:fd use;
+allow cronjob_t crond_t:fifo_file rw_file_perms;
+allow cronjob_t crond_t:process sigchld;
+
+kernel_read_system_state(cronjob_t)
+kernel_read_kernel_sysctls(cronjob_t)
+
+# ps does not need to access /boot when run from cron
+files_dontaudit_search_boot(cronjob_t)
+
+corenet_all_recvfrom_unlabeled(cronjob_t)
+corenet_all_recvfrom_netlabel(cronjob_t)
+corenet_tcp_sendrecv_all_if(cronjob_t)
+corenet_udp_sendrecv_all_if(cronjob_t)
+corenet_tcp_sendrecv_all_nodes(cronjob_t)
+corenet_udp_sendrecv_all_nodes(cronjob_t)
+corenet_tcp_sendrecv_all_ports(cronjob_t)
+corenet_udp_sendrecv_all_ports(cronjob_t)
+corenet_tcp_connect_all_ports(cronjob_t)
+corenet_sendrecv_all_client_packets(cronjob_t)
+
+dev_read_urand(cronjob_t)
+
+fs_getattr_all_fs(cronjob_t)
+
+corecmd_exec_all_executables(cronjob_t)
+
+# quiet other ps operations
+domain_dontaudit_read_all_domains_state(cronjob_t)
+domain_dontaudit_getattr_all_domains(cronjob_t)
+
+files_read_usr_files(cronjob_t)
+files_exec_etc_files(cronjob_t)
+# for nscd:
+files_dontaudit_search_pids(cronjob_t)
+
+libs_exec_lib_files(cronjob_t)
+libs_exec_ld_so(cronjob_t)
+
+files_read_etc_runtime_files(cronjob_t)
+files_read_var_files(cronjob_t)
+files_search_spool(cronjob_t)
+
+logging_search_logs(cronjob_t)
+
+seutil_read_config(cronjob_t)
+
+miscfiles_read_localization(cronjob_t)
+
+userdom_manage_user_tmp_files(cronjob_t)
+userdom_manage_user_tmp_symlinks(cronjob_t)
+userdom_manage_user_tmp_pipes(cronjob_t)
+userdom_manage_user_tmp_sockets(cronjob_t)
+# Run scripts in user home directory and access shared libs.
+userdom_exec_user_home_content_files(cronjob_t)
+# Access user files and dirs.
+userdom_manage_user_home_content_files(cronjob_t)
+userdom_manage_user_home_content_symlinks(cronjob_t)
+userdom_manage_user_home_content_pipes(cronjob_t)
+userdom_manage_user_home_content_sockets(cronjob_t)
+#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
+
+tunable_policy(`fcron_crond', `
+ allow crond_t user_cron_spool_t:file manage_file_perms;
+')
+
+# need a per-role version of this:
+#optional_policy(`
+# mono_domtrans(cronjob_t)
+#')
+
+optional_policy(`
+ nis_use_ypbind(cronjob_t)
+')
+
+########################################
+#
+# Unconfined cronjobs local policy
+#
+
+optional_policy(`
+ unconfined_domain(unconfined_cronjob_t)
+')
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index 43bcd15..3b9dd1a 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -1,5 +1,5 @@
-policy_module(cups, 1.11.0)
+policy_module(cups, 1.11.1)
########################################
#
@@ -221,7 +221,7 @@ seutil_read_config(cupsd_t)
sysnet_read_config(cupsd_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
-userdom_dontaudit_search_all_users_home_content(cupsd_t)
+userdom_dontaudit_search_user_home_content(cupsd_t)
# Write to /var/spool/cups.
lpd_manage_spool(cupsd_t)
@@ -239,7 +239,7 @@ optional_policy(`
')
optional_policy(`
- dbus_system_bus_client_template(cupsd, cupsd_t)
+ dbus_system_bus_client(cupsd_t)
userdom_dbus_send_all_users(cupsd_t)
@@ -352,13 +352,12 @@ miscfiles_read_localization(cupsd_config_t)
seutil_dontaudit_search_config(cupsd_config_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
+userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
cups_stream_connect(cupsd_config_t)
lpd_read_config(cupsd_config_t)
-sysadm_dontaudit_search_home_dirs(cupsd_config_t)
-
ifdef(`distro_redhat',`
init_getattr_script_files(cupsd_config_t)
@@ -372,7 +371,7 @@ optional_policy(`
')
optional_policy(`
- dbus_system_bus_client_template(cupsd_config, cupsd_config_t)
+ dbus_system_bus_client(cupsd_config_t)
dbus_connect_system_bus(cupsd_config_t)
optional_policy(`
@@ -551,14 +550,13 @@ miscfiles_read_localization(hplip_t)
sysnet_read_config(hplip_t)
userdom_dontaudit_use_unpriv_user_fds(hplip_t)
-userdom_dontaudit_search_all_users_home_content(hplip_t)
+userdom_dontaudit_search_user_home_dirs(hplip_t)
+userdom_dontaudit_search_user_home_content(hplip_t)
lpd_read_config(cupsd_t)
-sysadm_dontaudit_search_home_dirs(hplip_t)
-
optional_policy(`
- dbus_system_bus_client_template(hplip, hplip_t)
+ dbus_system_bus_client(hplip_t)
')
optional_policy(`
@@ -628,7 +626,7 @@ miscfiles_read_localization(ptal_t)
sysnet_read_config(ptal_t)
userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-userdom_dontaudit_search_all_users_home_content(ptal_t)
+userdom_dontaudit_search_user_home_content(ptal_t)
optional_policy(`
seutil_sigchld_newrole(ptal_t)
diff --git a/policy/modules/services/cyphesis.te b/policy/modules/services/cyphesis.te
index 6e1c9fd..4bc1990 100644
--- a/policy/modules/services/cyphesis.te
+++ b/policy/modules/services/cyphesis.te
@@ -1,5 +1,5 @@
-policy_module(cyphesis, 1.0.0)
+policy_module(cyphesis, 1.0.1)
########################################
#
@@ -73,7 +73,7 @@ sysnet_dns_name_resolve(cyphesis_t)
# cyphesis wants to talk to avahi via dbus
optional_policy(`
avahi_dbus_chat(cyphesis_t)
- dbus_system_bus_client_template(cyphesis, cyphesis_t)
+ dbus_system_bus_client(cyphesis_t)
')
optional_policy(`
diff --git a/policy/modules/services/cyrus.if b/policy/modules/services/cyrus.if
index b4e232d..ff8f24d 100644
--- a/policy/modules/services/cyrus.if
+++ b/policy/modules/services/cyrus.if
@@ -79,4 +79,3 @@ interface(`cyrus_admin',`
files_list_pids($1)
admin_pattern($1, cyrus_var_run_t)
')
-
diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
index b8fe817..39b8b04 100644
--- a/policy/modules/services/cyrus.te
+++ b/policy/modules/services/cyrus.te
@@ -1,5 +1,5 @@
-policy_module(cyrus, 1.7.0)
+policy_module(cyrus, 1.7.1)
########################################
#
@@ -108,14 +108,12 @@ miscfiles_read_certs(cyrus_t)
sysnet_read_config(cyrus_t)
-userdom_dontaudit_use_unpriv_user_fds(cyrus_t)
userdom_use_unpriv_users_fds(cyrus_t)
+userdom_dontaudit_search_user_home_dirs(cyrus_t)
mta_manage_spool(cyrus_t)
mta_send_mail(cyrus_t)
-sysadm_dontaudit_search_home_dirs(cyrus_t)
-
optional_policy(`
cron_system_entry(cyrus_t, cyrus_exec_t)
')
diff --git a/policy/modules/services/dante.te b/policy/modules/services/dante.te
index fd80978..9231cd4 100644
--- a/policy/modules/services/dante.te
+++ b/policy/modules/services/dante.te
@@ -1,5 +1,5 @@
-policy_module(dante, 1.5.0)
+policy_module(dante, 1.5.1)
########################################
#
@@ -69,8 +69,7 @@ miscfiles_read_localization(dante_t)
sysnet_read_config(dante_t)
userdom_dontaudit_use_unpriv_user_fds(dante_t)
-
-sysadm_dontaudit_search_home_dirs(dante_t)
+userdom_dontaudit_search_user_home_dirs(dante_t)
optional_policy(`
seutil_sigchld_newrole(dante_t)
diff --git a/policy/modules/services/dbus.fc b/policy/modules/services/dbus.fc
index 1f30fc4..e67e4e6 100644
--- a/policy/modules/services/dbus.fc
+++ b/policy/modules/services/dbus.fc
@@ -1,8 +1,8 @@
/etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
# Sorting does not work correctly if I combine these next two roles
-/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:system_dbusd_exec_t,s0)
-/bin/dbus-daemon -- gen_context(system_u:object_r:system_dbusd_exec_t,s0)
+/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0)
/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index f63337c..b117926 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -17,57 +17,45 @@ interface(`dbus_stub',`
')
')
-#######################################
+########################################
##
-## The per role template for the dbus module.
+## Role access for dbus
##
-##
-##
-## This template creates a derived domain which is
-## used for the user dbus.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
+##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
##
##
-##
+##
##
-## The type of the user domain.
+## Role allowed access
##
##
-##
+##
##
-## The role associated with the user domain.
+## User domain for the role
##
##
#
-template(`dbus_per_role_template',`
+template(`dbus_role_template',`
gen_require(`
- type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
class dbus { send_msg acquire_svc };
+
+ attribute session_bus_type;
+ type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
')
##############################
#
# Delcarations
#
- type $1_dbusd_t;
- domain_type($1_dbusd_t)
- domain_entry_file($1_dbusd_t, system_dbusd_exec_t)
- role $3 types $1_dbusd_t;
-
- type $1_dbusd_$1_t;
- type $1_dbusd_tmp_t;
- files_tmp_file($1_dbusd_tmp_t)
+ type $1_dbusd_t, session_bus_type;
+ domain_type($1_dbusd_t)
+ domain_entry_file($1_dbusd_t, dbusd_exec_t)
+ ubac_constrained($1_dbusd_t)
+ role $2 types $1_dbusd_t;
##############################
#
@@ -85,31 +73,29 @@ template(`dbus_per_role_template',`
allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
# For connecting to the bus
- allow $2 $1_dbusd_t:unix_stream_socket connectto;
- type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t;
+ allow $3 $1_dbusd_t:unix_stream_socket connectto;
# SE-DBus specific permissions
- allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
- allow $2 $1_dbusd_t:dbus { send_msg acquire_svc };
- allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
+ allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
+ allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
read_lnk_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
- manage_dirs_pattern($1_dbusd_t, $1_dbusd_tmp_t, $1_dbusd_tmp_t)
- manage_files_pattern($1_dbusd_t, $1_dbusd_tmp_t, $1_dbusd_tmp_t)
- files_tmp_filetrans($1_dbusd_t, $1_dbusd_tmp_t, { file dir })
+ manage_dirs_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
+ manage_files_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
+ files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
- domtrans_pattern($2, system_dbusd_exec_t, $1_dbusd_t)
- allow $2 $1_dbusd_t:process { sigkill signal };
+ domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
+ allow $3 $1_dbusd_t:process { sigkill signal };
# cjp: this seems very broken
- corecmd_bin_domtrans($1_dbusd_t, $2)
- allow $1_dbusd_t $2:process sigkill;
- allow $2 $1_dbusd_t:fd use;
- allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms;
- allow $2 $1_dbusd_t:process sigchld;
+ corecmd_bin_domtrans($1_dbusd_t, $3)
+ allow $1_dbusd_t $3:process sigkill;
+ allow $3 $1_dbusd_t:fd use;
+ allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
+ allow $3 $1_dbusd_t:process sigchld;
kernel_read_system_state($1_dbusd_t)
kernel_read_kernel_sysctls($1_dbusd_t)
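Review bot: The `manage_dirs_pattern`/`manage_files_pattern`/`files_tmp_filetrans` lines now put every role's `$1_dbusd_t` on the single `session_dbusd_tmp_t`, so a session bus daemon of one role can manage tmp content created by another role's daemon; the per-role `$1_dbusd_tmp_t` that kept them apart is removed in this hunk. Separation presumably falls back on `ubac_constrained(session_dbusd_tmp_t)` in the dbus.te declarations hunk, which as far as I can tell only has effect in a UBAC-enabled build, so that dependency deserves a comment at the declaration, e.g. `# shared by all session buses; role separation of tmp content relies on UBAC`. The template body continues outside this hunk.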
@@ -158,10 +144,10 @@ template(`dbus_per_role_template',`
seutil_read_config($1_dbusd_t)
seutil_read_default_contexts($1_dbusd_t)
- userdom_read_user_home_content_files($1, $1_dbusd_t)
+ userdom_read_user_home_content_files($1_dbusd_t)
ifdef(`hide_broken_symptoms', `
- dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write };
+ dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
')
tunable_policy(`read_default_t',`
@@ -187,39 +173,29 @@ template(`dbus_per_role_template',`
## Template for creating connections to
## the system DBUS.
##
-##
-##
-## The prefix of the domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## The type of the domain.
##
##
#
-template(`dbus_system_bus_client_template',`
+interface(`dbus_system_bus_client',`
gen_require(`
type system_dbusd_t, system_dbusd_t;
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg;
')
-# type $1_dbusd_system_t;
-# type_change $2 system_dbusd_t:dbus $1_dbusd_system_t;
-
# SE-DBus specific permissions
-# allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
- allow $2 { system_dbusd_t self }:dbus send_msg;
+ allow $1 { system_dbusd_t self }:dbus send_msg;
- read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
- files_search_var_lib($2)
+ read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+ files_search_var_lib($1)
# For connecting to the bus
- files_search_pids($2)
- stream_connect_pattern($2, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
- dbus_read_config($2)
+ files_search_pids($1)
+ stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
+ dbus_read_config($1)
')
#######################################
@@ -227,64 +203,42 @@ template(`dbus_system_bus_client_template',`
## Template for creating connections to
## a user DBUS.
##
-##
-##
-## The prefix of the domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## The prefix of the domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## The type of the domain.
##
##
#
-template(`dbus_user_bus_client_template',`
+interface(`dbus_session_bus_client',`
gen_require(`
- type $1_dbusd_t;
+ attribute session_bus_type;
class dbus send_msg;
')
-# type $2_dbusd_$1_t;
-# type_change $3 $1_dbusd_t:dbus $2_dbusd_$1_t;
-
# SE-DBus specific permissions
-# allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
- allow $3 { $1_dbusd_t self }:dbus send_msg;
+ allow $1 { session_bus_type self }:dbus send_msg;
# For connecting to the bus
- allow $3 $1_dbusd_t:unix_stream_socket connectto;
+ allow $1 session_bus_type:unix_stream_socket connectto;
')
########################################
##
-## Send a message on user/application specific DBUS.
+## Send a message the session DBUS.
##
-##
-##
-## The prefix of the domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## Domain allowed access.
##
##
#
-template(`dbus_send_user_bus',`
+interface(`dbus_send_session_bus',`
gen_require(`
- type $1_dbusd_t;
+ attribute session_bus_type;
class dbus send_msg;
')
- allow $2 $1_dbusd_t:dbus send_msg;
+ allow $1 session_bus_type:dbus send_msg;
')
########################################
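Review bot: `dbus_session_bus_client` allows `connectto` and `send_msg` to the whole `session_bus_type` attribute, i.e. to every role's session bus, whereas the template it replaces was scoped to the one `$1_dbusd_t` named by the caller; if that widening is intended under UBAC it should be stated in the interface summary. The new summary line `## Send a message the session DBUS.` for `dbus_send_session_bus` is missing a word: `## Send a message on the session DBUS.`. The unchanged headers still read "Template for creating connections to a user DBUS." here and "Template for creating connections to the system DBUS." in the `dbus_system_bus_client` hunk above, although both are now interfaces; `## Connect to the session DBUS.` and `## Connect to the system DBUS.` would match the rename.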
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 0e5c879..0ea943b 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -1,5 +1,5 @@
-policy_module(dbus, 1.9.0)
+policy_module(dbus, 1.9.1)
gen_require(`
class dbus all_dbus_perms;
@@ -10,12 +10,22 @@ gen_require(`
# Delcarations
#
-type dbusd_etc_t alias etc_dbusd_t;
+attribute session_bus_type;
+
+type dbusd_etc_t;
files_type(dbusd_etc_t)
-type system_dbusd_t alias dbusd_t;
-type system_dbusd_exec_t;
-init_system_domain(system_dbusd_t, system_dbusd_exec_t)
+type dbusd_exec_t;
+corecmd_executable_file(dbusd_exec_t)
+
+type session_dbusd_tmp_t;
+typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
+typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };
+files_tmp_file(session_dbusd_tmp_t)
+ubac_constrained(session_dbusd_tmp_t)
+
+type system_dbusd_t;
+init_system_domain(system_dbusd_t, dbusd_exec_t)
type system_dbusd_tmp_t;
files_tmp_file(system_dbusd_tmp_t)
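Review bot: The re-declared types drop three names that other policy may still reference: `system_dbusd_exec_t` becomes `dbusd_exec_t` with no alias, and the `etc_dbusd_t` and `dbusd_t` aliases are removed, while the tmp types in the same hunk are given `typealias` compatibility names. Any out-of-tree module or file context that still names the old types would presumably fail to link against this policy; `type dbusd_exec_t alias system_dbusd_exec_t;` (and keeping the two removed aliases) would preserve compatibility until the rename is announced. A Changelog line seems warranted either way, since `dbusd_exec_t` is now the shared entry point for `system_dbusd_t` and every session bus domain.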
@@ -28,7 +38,7 @@ files_pid_file(system_dbusd_var_run_t)
##############################
#
-# Local policy
+# System bus local policy
#
# dac_override: /var/run/dbus is owned by messagebus on Debian
@@ -103,8 +113,7 @@ seutil_read_default_contexts(system_dbusd_t)
seutil_sigchld_newrole(system_dbusd_t)
userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
-
-sysadm_dontaudit_search_home_dirs(system_dbusd_t)
+userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
tunable_policy(`read_default_t',`
files_list_default(system_dbusd_t)
diff --git a/policy/modules/services/dcc.if b/policy/modules/services/dcc.if
index 320c670..80102a7 100644
--- a/policy/modules/services/dcc.if
+++ b/policy/modules/services/dcc.if
@@ -34,11 +34,6 @@ interface(`dcc_domtrans_cdcc',`
## The role to be allowed the cdcc domain.
##
##
-##
-##
-## The type of the terminal allow the cdcc domain to use.
-##
-##
##
#
interface(`dcc_run_cdcc',`
@@ -48,7 +43,6 @@ interface(`dcc_run_cdcc',`
dcc_domtrans_cdcc($1)
role $2 types cdcc_t;
- allow cdcc_t $3:chr_file rw_term_perms;
')
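Review bot: `dcc_run_cdcc` loses its `$3` terminal parameter, but m4 ignores surplus arguments to a user-defined macro, so an existing caller that still passes a terminal type compiles unchanged and silently no longer gets the removed `allow cdcc_t $3:chr_file rw_term_perms`; the replacement `userdom_use_user_terminals(cdcc_t)` in dcc.te is also a fixed grant on all user terminals rather than the caller-chosen one. The same applies to `dcc_run_client` and `dcc_run_dbclean` below and to `ftp_run_ftpdctl` in ftp.if. A line in each interface summary, e.g. `## Terminal access is granted unconditionally via userdom_use_user_terminals.`, would tell callers the third argument is now ignored.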
########################################
@@ -85,11 +79,6 @@ interface(`dcc_domtrans_client',`
## The role to be allowed the dcc_client domain.
##
##
-##
-##
-## The type of the terminal allow the dcc_client domain to use.
-##
-##
##
#
interface(`dcc_run_client',`
@@ -99,7 +88,6 @@ interface(`dcc_run_client',`
dcc_domtrans_client($1)
role $2 types dcc_client_t;
- allow dcc_client_t $3:chr_file rw_term_perms;
')
########################################
@@ -136,11 +124,6 @@ interface(`dcc_domtrans_dbclean',`
## The role to be allowed the dcc_dbclean domain.
##
##
-##
-##
-## The type of the terminal allow the dcc_dbclean domain to use.
-##
-##
##
#
interface(`dcc_run_dbclean',`
@@ -150,7 +133,6 @@ interface(`dcc_run_dbclean',`
dcc_domtrans_dbclean($1)
role $2 types dcc_dbclean_t;
- allow dcc_dbclean_t $3:chr_file rw_term_perms;
')
########################################
diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te
index b3c90f3..baddef3 100644
--- a/policy/modules/services/dcc.te
+++ b/policy/modules/services/dcc.te
@@ -1,5 +1,5 @@
-policy_module(dcc, 1.6.0)
+policy_module(dcc, 1.6.1)
########################################
#
@@ -112,6 +112,8 @@ miscfiles_read_localization(cdcc_t)
sysnet_read_config(cdcc_t)
sysnet_dns_name_resolve(cdcc_t)
+userdom_use_user_terminals(cdcc_t)
+
optional_policy(`
nscd_socket_use(cdcc_t)
')
@@ -152,6 +154,8 @@ miscfiles_read_localization(dcc_client_t)
sysnet_read_config(dcc_client_t)
sysnet_dns_name_resolve(dcc_client_t)
+userdom_use_user_terminals(dcc_client_t)
+
optional_policy(`
nscd_socket_use(dcc_client_t)
')
@@ -192,6 +196,8 @@ miscfiles_read_localization(dcc_dbclean_t)
sysnet_read_config(dcc_dbclean_t)
sysnet_dns_name_resolve(dcc_dbclean_t)
+userdom_use_user_terminals(dcc_dbclean_t)
+
optional_policy(`
nscd_socket_use(dcc_dbclean_t)
')
@@ -261,8 +267,7 @@ sysnet_read_config(dccd_t)
sysnet_dns_name_resolve(dccd_t)
userdom_dontaudit_use_unpriv_user_fds(dccd_t)
-
-sysadm_dontaudit_search_home_dirs(dccd_t)
+userdom_dontaudit_search_user_home_dirs(dccd_t)
optional_policy(`
nscd_socket_use(dccd_t)
@@ -332,8 +337,7 @@ sysnet_read_config(dccifd_t)
sysnet_dns_name_resolve(dccifd_t)
userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
-
-sysadm_dontaudit_search_home_dirs(dccifd_t)
+userdom_dontaudit_search_user_home_dirs(dccifd_t)
optional_policy(`
nscd_socket_use(dccifd_t)
@@ -402,8 +406,7 @@ sysnet_read_config(dccm_t)
sysnet_dns_name_resolve(dccm_t)
userdom_dontaudit_use_unpriv_user_fds(dccm_t)
-
-sysadm_dontaudit_search_home_dirs(dccm_t)
+userdom_dontaudit_search_user_home_dirs(dccm_t)
optional_policy(`
nscd_socket_use(dccm_t)
diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te
index dccbbe2..4b42128 100644
--- a/policy/modules/services/ddclient.te
+++ b/policy/modules/services/ddclient.te
@@ -1,5 +1,5 @@
-policy_module(ddclient, 1.6.0)
+policy_module(ddclient, 1.6.1)
########################################
#
@@ -98,8 +98,7 @@ sysnet_exec_ifconfig(ddclient_t)
sysnet_read_config(ddclient_t)
userdom_dontaudit_use_unpriv_user_fds(ddclient_t)
-
-sysadm_dontaudit_search_home_dirs(ddclient_t)
+userdom_dontaudit_search_user_home_dirs(ddclient_t)
optional_policy(`
seutil_sigchld_newrole(ddclient_t)
diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
index 9e125b7..a81476a 100644
--- a/policy/modules/services/dhcp.te
+++ b/policy/modules/services/dhcp.te
@@ -1,5 +1,5 @@
-policy_module(dhcp, 1.6.0)
+policy_module(dhcp, 1.6.1)
########################################
#
@@ -96,8 +96,7 @@ sysnet_read_config(dhcpd_t)
sysnet_read_dhcp_config(dhcpd_t)
userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
-
-sysadm_dontaudit_search_home_dirs(dhcpd_t)
+userdom_dontaudit_search_user_home_dirs(dhcpd_t)
ifdef(`distro_gentoo',`
allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
@@ -109,7 +108,7 @@ optional_policy(`
')
optional_policy(`
- dbus_system_bus_client_template(dhcpd, dhcpd_t)
+ dbus_system_bus_client(dhcpd_t)
dbus_connect_system_bus(dhcpd_t)
')
diff --git a/policy/modules/services/distcc.te b/policy/modules/services/distcc.te
index eb74f4e..4d0c431 100644
--- a/policy/modules/services/distcc.te
+++ b/policy/modules/services/distcc.te
@@ -1,5 +1,5 @@
-policy_module(distcc, 1.6.0)
+policy_module(distcc, 1.6.1)
########################################
#
@@ -79,8 +79,7 @@ miscfiles_read_localization(distccd_t)
sysnet_read_config(distccd_t)
userdom_dontaudit_use_unpriv_user_fds(distccd_t)
-
-sysadm_dontaudit_search_home_dirs(distccd_t)
+userdom_dontaudit_search_user_home_dirs(distccd_t)
optional_policy(`
nis_use_ypbind(distccd_t)
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index 9dbbc52..c2002a0 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -1,5 +1,5 @@
-policy_module(dnsmasq, 1.6.0)
+policy_module(dnsmasq, 1.6.1)
########################################
#
@@ -78,8 +78,7 @@ miscfiles_read_localization(dnsmasq_t)
sysnet_read_config(dnsmasq_t)
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
-
-sysadm_dontaudit_search_home_dirs(dnsmasq_t)
+userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
optional_policy(`
nis_use_ypbind(dnsmasq_t)
diff --git a/policy/modules/services/dovecot.fc b/policy/modules/services/dovecot.fc
index a738f3e..7018910 100644
--- a/policy/modules/services/dovecot.fc
+++ b/policy/modules/services/dovecot.fc
@@ -33,4 +33,3 @@ ifdef(`distro_redhat', `
/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
-
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index 0148550..7f49af3 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -1,5 +1,5 @@
-policy_module(dovecot, 1.9.0)
+policy_module(dovecot, 1.9.1)
########################################
#
@@ -110,12 +110,15 @@ miscfiles_read_certs(dovecot_t)
miscfiles_read_localization(dovecot_t)
userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
-userdom_priveleged_home_dir_manager(dovecot_t)
+userdom_manage_user_home_content_dirs(dovecot_t)
+userdom_manage_user_home_content_files(dovecot_t)
+userdom_manage_user_home_content_symlinks(dovecot_t)
+userdom_manage_user_home_content_pipes(dovecot_t)
+userdom_manage_user_home_content_sockets(dovecot_t)
+userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })
mta_manage_spool(dovecot_t)
-sysadm_dontaudit_search_home_dirs(dovecot_t)
-
optional_policy(`
kerberos_use(dovecot_t)
')
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
index eb01ac7..0cbf37b 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -1,5 +1,5 @@
-policy_module(exim, 1.2.0)
+policy_module(exim, 1.2.1)
########################################
#
@@ -99,20 +99,18 @@ miscfiles_read_localization(exim_t)
sysnet_dns_name_resolve(exim_t)
-unprivuser_dontaudit_search_home_dirs(exim_t)
+userdom_dontaudit_search_user_home_dirs(exim_t)
mta_read_aliases(exim_t)
mta_rw_spool(exim_t)
-sysadm_dontaudit_search_home_dirs(exim_t)
-
tunable_policy(`exim_read_user_files',`
- userdom_read_unpriv_users_home_content_files(exim_t)
- userdom_read_unpriv_users_tmp_files(exim_t)
+ userdom_read_user_home_content_files(exim_t)
+ userdom_read_user_tmp_files(exim_t)
')
tunable_policy(`exim_manage_user_files',`
- userdom_manage_unpriv_users_home_content_dirs(exim_t)
- userdom_read_unpriv_users_tmp_files(exim_t)
- userdom_write_unpriv_users_tmp_files(exim_t)
+ userdom_manage_user_home_content_dirs(exim_t)
+ userdom_read_user_tmp_files(exim_t)
+ userdom_write_user_tmp_files(exim_t)
')
diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
index b9720c1..3ee6d4b 100644
--- a/policy/modules/services/fetchmail.te
+++ b/policy/modules/services/fetchmail.te
@@ -1,5 +1,5 @@
-policy_module(fetchmail, 1.7.0)
+policy_module(fetchmail, 1.7.1)
########################################
#
@@ -80,8 +80,7 @@ miscfiles_read_certs(fetchmail_t)
sysnet_read_config(fetchmail_t)
userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
-
-sysadm_dontaudit_search_home_dirs(fetchmail_t)
+userdom_dontaudit_search_user_home_dirs(fetchmail_t)
optional_policy(`
procmail_domtrans(fetchmail_t)
diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te
index 0c8a0b8..ba4cb01 100644
--- a/policy/modules/services/finger.te
+++ b/policy/modules/services/finger.te
@@ -1,5 +1,5 @@
-policy_module(finger, 1.7.0)
+policy_module(finger, 1.7.1)
########################################
#
@@ -90,11 +90,9 @@ miscfiles_read_localization(fingerd_t)
# stop it accessing sub-directories, prevents checking a Maildir for new mail,
# have to change this when we create a type for Maildir
-userdom_read_unpriv_users_home_content_files(fingerd_t)
+userdom_read_user_home_content_files(fingerd_t)
userdom_dontaudit_use_unpriv_user_fds(fingerd_t)
-sysadm_dontaudit_search_home_dirs(fingerd_t)
-
optional_policy(`
cron_system_entry(fingerd_t, fingerd_exec_t)
')
diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
index f07f6d4..b593224 100644
--- a/policy/modules/services/ftp.if
+++ b/policy/modules/services/ftp.if
@@ -1,42 +1,5 @@
## File transfer protocol service
-#######################################
-##
-## The per role template for the ftp module.
-##
-##
-##
-## This template allows ftpd to manage files in
-## a user home directory, creating files with the
-## correct type.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-#
-template(`ftp_per_role_template',`
- gen_require(`
- type ftpd_t;
- ')
-
- tunable_policy(`ftp_home_dir',`
- userdom_manage_user_home_content_files($1, ftpd_t)
- userdom_manage_user_home_content_symlinks($1, ftpd_t)
- userdom_manage_user_home_content_sockets($1, ftpd_t)
- userdom_manage_user_home_content_pipes($1, ftpd_t)
- userdom_user_home_dir_filetrans_user_home_content($1, ftpd_t, { dir file lnk_file sock_file fifo_file })
- ')
-')
-
########################################
##
## Use ftp by connecting over TCP. (Deprecated)
@@ -141,11 +104,6 @@ interface(`ftp_domtrans_ftpdctl',`
## The role to allow the ftpdctl domain.
##
##
-##
-##
-## The type of the terminal allow the ftpdctl domain to use.
-##
-##
##
#
interface(`ftp_run_ftpdctl',`
@@ -155,7 +113,6 @@ interface(`ftp_run_ftpdctl',`
ftp_domtrans_ftpdctl($1)
role $2 types ftpdctl_t;
- allow ftpdctl_t $3:chr_file rw_term_perms;
')
########################################
@@ -173,11 +130,6 @@ interface(`ftp_run_ftpdctl',`
## The role to be allowed to manage the ftp domain.
##
##
-##
-##
-## The type of the terminal allow the ftpdctl domain to use.
-##
-##
##
#
interface(`ftp_admin',`
@@ -197,7 +149,7 @@ interface(`ftp_admin',`
allow $2 system_r;
ps_process_pattern($1, ftpdctl_t)
- ftp_run_ftpdctl($1, $2, $3)
+ ftp_run_ftpdctl($1, $2)
miscfiles_manage_public_files($1)
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 6c0dcf0..597a734 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -1,5 +1,5 @@
-policy_module(ftp, 1.9.0)
+policy_module(ftp, 1.9.1)
########################################
#
@@ -184,8 +184,7 @@ sysnet_read_config(ftpd_t)
sysnet_use_ldap(ftpd_t)
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
-
-sysadm_dontaudit_search_home_dirs(ftpd_t)
+userdom_dontaudit_search_user_home_dirs(ftpd_t)
tunable_policy(`allow_ftpd_anon_write',`
miscfiles_manage_public_files(ftpd_t)
@@ -219,10 +218,11 @@ tunable_policy(`ftp_home_dir',`
# allow access to /home
files_list_home(ftpd_t)
- userdom_read_all_users_home_content_files(ftpd_t)
- userdom_manage_all_users_home_content_dirs(ftpd_t)
- userdom_manage_all_users_home_content_files(ftpd_t)
- userdom_manage_all_users_home_content_symlinks(ftpd_t)
+ userdom_read_user_home_content_files(ftpd_t)
+ userdom_manage_user_home_content_dirs(ftpd_t)
+ userdom_manage_user_home_content_files(ftpd_t)
+ userdom_manage_user_home_content_symlinks(ftpd_t)
+ userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file })
')
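Review bot: The home-directory access moved here from the deleted `ftp_per_role_template` no longer covers sockets and pipes: the template managed user home content sockets and pipes and its filetrans class set included `sock_file fifo_file`, while this hunk stops at dirs, files, symlinks and `{ dir file lnk_file }`. dovecot.te in the same commit keeps the full set, so if the narrowing is unintended add `userdom_manage_user_home_content_sockets(ftpd_t)` and `userdom_manage_user_home_content_pipes(ftpd_t)` and widen the filetrans to `{ dir file lnk_file sock_file fifo_file }`; if it is intended, a short comment would spare the next reader the comparison. The `ftp_home_dir` tunable block begins above the hunk.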
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
@@ -292,3 +292,5 @@ files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
# Allow ftpdctl to read config files
files_read_etc_files(ftpdctl_t)
+
+userdom_use_user_terminals(ftpdctl_t)
diff --git a/policy/modules/services/gatekeeper.te b/policy/modules/services/gatekeeper.te
index c8b8742..0baa897 100644
--- a/policy/modules/services/gatekeeper.te
+++ b/policy/modules/services/gatekeeper.te
@@ -1,5 +1,5 @@
-policy_module(gatekeeper, 1.5.0)
+policy_module(gatekeeper, 1.5.1)
########################################
#
@@ -85,8 +85,7 @@ miscfiles_read_localization(gatekeeper_t)
sysnet_read_config(gatekeeper_t)
userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
-
-sysadm_dontaudit_search_home_dirs(gatekeeper_t)
+userdom_dontaudit_search_user_home_dirs(gatekeeper_t)
optional_policy(`
nis_use_ypbind(gatekeeper_t)
diff --git a/policy/modules/services/gpm.te b/policy/modules/services/gpm.te
index 9ad5472..e991ef5 100644
--- a/policy/modules/services/gpm.te
+++ b/policy/modules/services/gpm.te
@@ -1,5 +1,5 @@
-policy_module(gpm, 1.5.0)
+policy_module(gpm, 1.5.1)
########################################
#
@@ -66,8 +66,7 @@ logging_send_syslog_msg(gpm_t)
miscfiles_read_localization(gpm_t)
userdom_dontaudit_use_unpriv_user_fds(gpm_t)
-
-sysadm_dontaudit_search_home_dirs(gpm_t)
+userdom_dontaudit_search_user_home_dirs(gpm_t)
optional_policy(`
seutil_sigchld_newrole(gpm_t)
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
index 260c08d..3e49a36 100644
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
-policy_module(hal, 1.10.0)
+policy_module(hal, 1.10.1)
########################################
#
@@ -197,8 +197,7 @@ seutil_read_file_contexts(hald_t)
sysnet_read_config(hald_t)
userdom_dontaudit_use_unpriv_user_fds(hald_t)
-
-sysadm_dontaudit_search_home_dirs(hald_t)
+userdom_dontaudit_search_user_home_dirs(hald_t)
optional_policy(`
alsa_domtrans(hald_t)
@@ -233,7 +232,7 @@ optional_policy(`
')
optional_policy(`
- dbus_system_bus_client_template(hald, hald_t)
+ dbus_system_bus_client(hald_t)
dbus_connect_system_bus(hald_t)
init_dbus_chat_script(hald_t)
diff --git a/policy/modules/services/howl.te b/policy/modules/services/howl.te
index e135a7e..1560d23 100644
--- a/policy/modules/services/howl.te
+++ b/policy/modules/services/howl.te
@@ -1,5 +1,5 @@
-policy_module(howl, 1.6.0)
+policy_module(howl, 1.6.1)
########################################
#
@@ -66,8 +66,7 @@ miscfiles_read_localization(howl_t)
sysnet_read_config(howl_t)
userdom_dontaudit_use_unpriv_user_fds(howl_t)
-
-sysadm_dontaudit_search_home_dirs(howl_t)
+userdom_dontaudit_search_user_home_dirs(howl_t)
optional_policy(`
nis_use_ypbind(howl_t)
diff --git a/policy/modules/services/i18n_input.te b/policy/modules/services/i18n_input.te
index f3db142..bcb0113 100644
--- a/policy/modules/services/i18n_input.te
+++ b/policy/modules/services/i18n_input.te
@@ -1,5 +1,5 @@
-policy_module(i18n_input, 1.6.0)
+policy_module(i18n_input, 1.6.1)
########################################
#
@@ -74,9 +74,7 @@ miscfiles_read_localization(i18n_input_t)
sysnet_read_config(i18n_input_t)
userdom_dontaudit_use_unpriv_user_fds(i18n_input_t)
-userdom_read_unpriv_users_home_content_files(i18n_input_t)
-
-sysadm_dontaudit_search_home_dirs(i18n_input_t)
+userdom_read_user_home_content_files(i18n_input_t)
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(i18n_input_t)
diff --git a/policy/modules/services/imaze.te b/policy/modules/services/imaze.te
index d8c62bf..6b53adf 100644
--- a/policy/modules/services/imaze.te
+++ b/policy/modules/services/imaze.te
@@ -1,5 +1,5 @@
-policy_module(imaze, 1.5.0)
+policy_module(imaze, 1.5.1)
########################################
#
@@ -85,8 +85,7 @@ miscfiles_read_localization(imazesrv_t)
sysnet_read_config(imazesrv_t)
userdom_use_unpriv_users_fds(imazesrv_t)
-
-sysadm_dontaudit_search_home_dirs(imazesrv_t)
+userdom_dontaudit_search_user_home_dirs(imazesrv_t)
optional_policy(`
nis_use_ypbind(imazesrv_t)
diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
index d788754..faeadf0 100644
--- a/policy/modules/services/inetd.te
+++ b/policy/modules/services/inetd.te
@@ -1,5 +1,5 @@
-policy_module(inetd, 1.8.0)
+policy_module(inetd, 1.8.1)
########################################
#
@@ -150,8 +150,7 @@ mls_process_set_level(inetd_t)
sysnet_read_config(inetd_t)
userdom_dontaudit_use_unpriv_user_fds(inetd_t)
-
-sysadm_dontaudit_search_home_dirs(inetd_t)
+userdom_dontaudit_search_user_home_dirs(inetd_t)
ifdef(`distro_redhat',`
optional_policy(`
diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te
index e0d02e0..cc5dabe 100644
--- a/policy/modules/services/inn.te
+++ b/policy/modules/services/inn.te
@@ -1,5 +1,5 @@
-policy_module(inn, 1.7.0)
+policy_module(inn, 1.7.1)
########################################
#
@@ -105,8 +105,7 @@ seutil_dontaudit_search_config(innd_t)
sysnet_read_config(innd_t)
userdom_dontaudit_use_unpriv_user_fds(innd_t)
-
-sysadm_dontaudit_search_home_dirs(innd_t)
+userdom_dontaudit_search_user_home_dirs(innd_t)
mta_send_mail(innd_t)
diff --git a/policy/modules/services/ircd.te b/policy/modules/services/ircd.te
index fafbdd5..0015e70 100644
--- a/policy/modules/services/ircd.te
+++ b/policy/modules/services/ircd.te
@@ -1,5 +1,5 @@
-policy_module(ircd, 1.5.0)
+policy_module(ircd, 1.5.1)
########################################
#
@@ -79,8 +79,7 @@ miscfiles_read_localization(ircd_t)
sysnet_read_config(ircd_t)
userdom_dontaudit_use_unpriv_user_fds(ircd_t)
-
-sysadm_dontaudit_search_home_dirs(ircd_t)
+userdom_dontaudit_search_user_home_dirs(ircd_t)
optional_policy(`
nis_use_ypbind(ircd_t)
diff --git a/policy/modules/services/irqbalance.te b/policy/modules/services/irqbalance.te
index a7e1ad4..30f26e8 100644
--- a/policy/modules/services/irqbalance.te
+++ b/policy/modules/services/irqbalance.te
@@ -1,5 +1,5 @@
-policy_module(irqbalance, 1.3.0)
+policy_module(irqbalance, 1.3.1)
########################################
#
@@ -47,8 +47,7 @@ logging_send_syslog_msg(irqbalance_t)
miscfiles_read_localization(irqbalance_t)
userdom_dontaudit_use_unpriv_user_fds(irqbalance_t)
-
-sysadm_dontaudit_search_home_dirs(irqbalance_t)
+userdom_dontaudit_search_user_home_dirs(irqbalance_t)
optional_policy(`
seutil_sigchld_newrole(irqbalance_t)
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
index 6a123ff..c0d8cee 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -1,5 +1,5 @@
-policy_module(jabber, 1.6.0)
+policy_module(jabber, 1.6.1)
########################################
#
@@ -80,8 +80,7 @@ miscfiles_read_localization(jabberd_t)
sysnet_read_config(jabberd_t)
userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
-
-sysadm_dontaudit_search_home_dirs(jabberd_t)
+userdom_dontaudit_search_user_home_dirs(jabberd_t)
optional_policy(`
nis_use_ypbind(jabberd_t)
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index 8ab5c86..00ff5fa 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -1,5 +1,5 @@
-policy_module(kerberos, 1.8.0)
+policy_module(kerberos, 1.8.1)
########################################
#
@@ -153,8 +153,7 @@ sysnet_read_config(kadmind_t)
sysnet_use_ldap(kadmind_t)
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
-
-sysadm_dontaudit_search_home_dirs(kadmind_t)
+userdom_dontaudit_search_user_home_dirs(kadmind_t)
optional_policy(`
nis_use_ypbind(kadmind_t)
@@ -254,8 +253,7 @@ sysnet_read_config(krb5kdc_t)
sysnet_use_ldap(krb5kdc_t)
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
-
-sysadm_dontaudit_search_home_dirs(krb5kdc_t)
+userdom_dontaudit_search_user_home_dirs(krb5kdc_t)
optional_policy(`
nis_use_ypbind(krb5kdc_t)
diff --git a/policy/modules/services/kerneloops.te b/policy/modules/services/kerneloops.te
index f9bb268..e27a1ec 100644
--- a/policy/modules/services/kerneloops.te
+++ b/policy/modules/services/kerneloops.te
@@ -1,5 +1,5 @@
-policy_module(kerneloops, 1.1.0)
+policy_module(kerneloops, 1.1.1)
########################################
#
@@ -46,6 +46,6 @@ miscfiles_read_localization(kerneloops_t)
sysnet_dns_name_resolve(kerneloops_t)
optional_policy(`
- dbus_system_bus_client_template(kerneloops, kerneloops_t)
+ dbus_system_bus_client(kerneloops_t)
dbus_connect_system_bus(kerneloops_t)
')
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
index 07d2572..f228aae 100644
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@@ -1,5 +1,5 @@
-policy_module(ldap, 1.8.0)
+policy_module(ldap, 1.8.1)
########################################
#
@@ -114,8 +114,7 @@ miscfiles_read_certs(slapd_t)
miscfiles_read_localization(slapd_t)
userdom_dontaudit_use_unpriv_user_fds(slapd_t)
-
-sysadm_dontaudit_search_home_dirs(slapd_t)
+userdom_dontaudit_search_user_home_dirs(slapd_t)
optional_policy(`
kerberos_use(slapd_t)
diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if
index ae4ac06..5a7046d 100644
--- a/policy/modules/services/lpd.if
+++ b/policy/modules/services/lpd.if
@@ -1,230 +1,36 @@
## Line printer daemon
-#######################################
+########################################
##
-## The per role template for the lpd module.
+## Role access for lpd
##
-##
-##
-## This template creates a derived domains which are used
-## for lpr printing client.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
+##
##
-## The type of the user domain.
+## Role allowed access
##
##
-##
+##
##
-## The role associated with the user domain.
+## User domain for the role
##
##
#
-template(`lpd_per_role_template',`
+interface(`lpd_role',`
gen_require(`
- type lpr_exec_t, lpd_t, print_spool_t, printconf_t, lpd_var_run_t, printer_t;
- ')
-
- ##############################
- #
- # Declarations
- #
- # Derived domain based on the calling user domain and the program
- type $1_lpr_t;
- application_domain($1_lpr_t, lpr_exec_t)
- role $3 types $1_lpr_t;
-
- type $1_lpr_tmp_t;
- files_tmp_file($1_lpr_tmp_t)
-
- # Type for spool files.
- type $1_print_spool_t;
- files_type($1_print_spool_t)
-
- ##############################
- #
- # Local policy
- #
- allow $1_lpr_t self:capability { setuid dac_override net_bind_service chown };
- allow $1_lpr_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_lpr_t self:tcp_socket create_socket_perms;
- allow $1_lpr_t self:udp_socket create_socket_perms;
- allow $1_lpr_t self:netlink_route_socket r_netlink_socket_perms;
-
- can_exec($1_lpr_t,lpr_exec_t)
-
- tunable_policy(`use_lpd_server',`
- # lpr can run in lightweight mode, without a local print spooler.
- allow $1_lpr_t lpd_var_run_t:dir search;
- allow $1_lpr_t lpd_var_run_t:sock_file write;
- files_read_var_files($1_lpr_t)
-
- # Connect to lpd via a Unix domain socket.
- allow $1_lpr_t printer_t:sock_file rw_sock_file_perms;
- allow $1_lpr_t lpd_t:unix_stream_socket connectto;
- # Send SIGHUP to lpd.
- allow $1_lpr_t lpd_t:process signal;
-
- manage_dirs_pattern($1_lpr_t, $1_lpr_tmp_t, $1_lpr_tmp_t)
- manage_files_pattern($1_lpr_t, $1_lpr_tmp_t, $1_lpr_tmp_t)
- files_tmp_filetrans($1_lpr_t, $1_lpr_tmp_t, { file dir })
-
- manage_files_pattern($1_lpr_t, print_spool_t, $1_print_spool_t)
- filetrans_pattern($1_lpr_t, print_spool_t, $1_print_spool_t, file)
- # Read and write shared files in the spool directory.
- allow $1_lpr_t print_spool_t:file rw_file_perms;
-
- allow $1_lpr_t printconf_t:dir list_dir_perms;
- read_files_pattern($1_lpr_t, printconf_t, printconf_t)
- read_lnk_files_pattern($1_lpr_t, printconf_t, printconf_t)
+ type lpr_t, lpr_exec_t, print_spool_t;
')
- dontaudit $1_lpr_t $2:unix_stream_socket { read write };
+ role $1 types lpr_t;
# Transition from the user domain to the derived domain.
- domtrans_pattern($2, lpr_exec_t, $1_lpr_t)
-
- allow $2 $1_lpr_t:process signull;
-
- # Allow lpd to read, rename, and unlink spool files.
- allow lpd_t $1_print_spool_t:file { read_file_perms rename_file_perms delete_file_perms };
-
- kernel_read_kernel_sysctls($1_lpr_t)
-
- corenet_all_recvfrom_unlabeled($1_lpr_t)
- corenet_all_recvfrom_netlabel($1_lpr_t)
- corenet_tcp_sendrecv_generic_if($1_lpr_t)
- corenet_udp_sendrecv_generic_if($1_lpr_t)
- corenet_tcp_sendrecv_all_nodes($1_lpr_t)
- corenet_udp_sendrecv_all_nodes($1_lpr_t)
- corenet_tcp_sendrecv_all_ports($1_lpr_t)
- corenet_udp_sendrecv_all_ports($1_lpr_t)
- corenet_tcp_connect_all_ports($1_lpr_t)
- corenet_sendrecv_all_client_packets($1_lpr_t)
-
- dev_read_rand($1_lpr_t)
- dev_read_urand($1_lpr_t)
-
- domain_use_interactive_fds($1_lpr_t)
-
- files_search_spool($1_lpr_t)
- # for lpd config files (should have a new type)
- files_read_etc_files($1_lpr_t)
- # for test print
- files_read_usr_files($1_lpr_t)
- #Added to cover read_content macro
- files_list_home($1_lpr_t)
- files_read_generic_tmp_files($1_lpr_t)
-
- fs_getattr_xattr_fs($1_lpr_t)
-
- # Access the terminal.
- term_use_controlling_term($1_lpr_t)
- term_use_generic_ptys($1_lpr_t)
-
- miscfiles_read_localization($1_lpr_t)
-
- sysnet_read_config($1_lpr_t)
-
- userdom_read_user_tmp_symlinks($1,$1_lpr_t)
- # Write to the user domain tty.
- userdom_use_user_terminals($1,$1_lpr_t)
- userdom_read_user_home_content_files($1,$1_lpr_t)
- userdom_read_user_tmp_files($1,$1_lpr_t)
-
- tunable_policy(`read_default_t',`
- files_list_default($1_lpr_t)
- files_read_default_symlinks($1_lpr_t)
- files_read_default_files($1_lpr_t)
- ')
-
- tunable_policy(`read_untrusted_content',`
- #list and read user specific untrusted content
- userdom_read_user_untrusted_content_files($1, $1_lpr_t)
-
- #list and read user specific temporary untrusted content
- files_list_tmp($1_lpr_t)
- userdom_read_user_tmp_untrusted_content_files($1, $1_lpr_t)
- ')
+ domtrans_pattern($2, lpr_exec_t, lpr_t)
+ dontaudit lpr_t $2:unix_stream_socket { read write };
- tunable_policy(`use_nfs_home_dirs',`
- files_list_home($1_lpr_t)
- fs_list_auto_mountpoints($1_lpr_t)
- fs_read_nfs_files($1_lpr_t)
- fs_read_nfs_symlinks($1_lpr_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- files_list_home($1_lpr_t)
- fs_list_auto_mountpoints($1_lpr_t)
- fs_read_cifs_files($1_lpr_t)
- fs_read_cifs_symlinks($1_lpr_t)
- ')
+ ps_process_pattern($2, lpr_t)
+ allow $2 lpr_t:process signull;
optional_policy(`
- cups_read_config($1_lpr_t)
cups_read_config($2)
- cups_stream_connect($1_lpr_t)
- cups_read_pid_files($1_lpr_t)
- ')
-
- optional_policy(`
- logging_send_syslog_msg($1_lpr_t)
- ')
-
- optional_policy(`
- nscd_socket_use($1_lpr_t)
- ')
-
- optional_policy(`
- nis_use_ypbind($1_lpr_t)
- ')
-')
-
-#######################################
-##
-## The administrative functions template for the lpd module.
-##
-##
-##
-## This template creates rules for administrating the ldp service,
-## allowing the specified user to manage lpr files.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-#
-template(`lpr_admin_template',`
- gen_require(`
- type $1_lpr_t, print_spool_t;
- ')
-
- userdom_read_all_users_home_content_files($1_lpr_t)
-
- # Read and write shared files in the spool directory.
- allow $1_lpr_t print_spool_t:file rw_file_perms;
-
- # Allow per user lpr domain read acces for specific user.
- tunable_policy(`read_untrusted_content',`
- userdom_read_all_untrusted_content($1_lpr_t)
- userdom_read_all_tmp_untrusted_content($1_lpr_t)
')
')
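Review bot: `lpd_role`'s `gen_require` (the `type lpr_t, lpr_exec_t, print_spool_t;` line) still declares `print_spool_t`, but nothing in the rewritten body references it, so the require should shrink to `type lpr_t, lpr_exec_t;`. The retained comment `# Transition from the user domain to the derived domain.` is now misleading, since `lpr_t` is a single shared type rather than a per-user derived domain; `# Transition from the user domain to the shared lpr domain.` would match the code. Because every role now maps onto the same `lpr_t`, keeping one caller's print jobs apart from another's presumably rests on the `ubac_constrained` marking in lpd.te being effective in the build, which the interface summary should say so policy writers do not assume the old per-role isolation still exists.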
@@ -261,11 +67,6 @@ interface(`lpd_domtrans_checkpc',`
## The role to be allowed the lpd domain.
##
##
-##
-##
-## The type of the terminal allow the lpd domain to use.
-##
-##
##
#
interface(`lpd_run_checkpc',`
@@ -275,7 +76,6 @@ interface(`lpd_run_checkpc',`
lpd_domtrans_checkpc($1)
role $2 types checkpc_t;
- allow checkpc_t $3:chr_file rw_term_perms;
')
########################################
@@ -379,33 +179,18 @@ interface(`lpd_read_config',`
##
## Transition to a user lpr domain.
##
-##
-##
-## Transition to a user lpr domain.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## Domain allowed access.
##
##
#
-template(`lpd_domtrans_user_lpr',`
+template(`lpd_domtrans_lpr',`
gen_require(`
- type $1_lpr_t, lpr_exec_t;
+ type lpr_t, lpr_exec_t;
')
- domtrans_pattern($2, lpr_exec_t, $1_lpr_t)
+ domtrans_pattern($1, lpr_exec_t, lpr_t)
')
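Review bot: `lpd_domtrans_lpr` is still declared with `template(` even though the per-user prefix parameter is gone and the body takes a plain domain, so it should become `interface(`lpd_domtrans_lpr',` like the other interfaces in this file. The summary `## Transition to a user lpr domain.` is likewise stale now that the target is the shared `lpr_t`; `## Transition to the lpr domain.` would be accurate.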
########################################
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index 6093e9b..0dd55e8 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -1,5 +1,5 @@
-policy_module(lpd, 1.10.0)
+policy_module(lpd, 1.10.1)
########################################
#
@@ -31,11 +31,25 @@ files_tmp_file(lpd_tmp_t)
type lpd_var_run_t;
files_pid_file(lpd_var_run_t)
+type lpr_t;
type lpr_exec_t;
-application_executable_file(lpr_exec_t)
-
+typealias lpr_t alias { user_lpr_t staff_lpr_t sysadm_lpr_t };
+typealias lpr_t alias { auditadm_lpr_t secadm_lpr_t };
+application_domain(lpr_t, lpr_exec_t)
+ubac_constrained(lpr_t)
+
+type lpr_tmp_t;
+typealias lpr_tmp_t alias { user_lpr_tmp_t staff_lpr_tmp_t sysadm_lpr_tmp_t };
+typealias lpr_tmp_t alias { auditadm_lpr_tmp_t secadm_lpr_tmp_t };
+files_tmp_file(lpr_tmp_t)
+ubac_constrained(lpr_tmp_t)
+
+# Type for spool files.
type print_spool_t;
-files_tmp_file(print_spool_t)
+typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t };
+typealias print_spool_t alias { auditadm_print_spool_t secadm_print_spool_t };
+files_type(print_spool_t)
+ubac_constrained(print_spool_t)
type printer_t;
files_type(printer_t)
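Review bot: `print_spool_t` switches from `files_tmp_file` to `files_type`, which silently drops the tmp-file attribute the type carried before, so any domain that reached spool files only through generic tmp-file access loses that access; if this is intended, say so in a comment above `files_type(print_spool_t)`, otherwise keep `files_tmp_file`. The typealias lines fold the former user/staff/sysadm/auditadm/secadm lpr, tmp and spool types into single types, so the only thing separating one user's print spool from another's is `ubac_constrained`, which is presumably effective only when the policy is built with UBAC enabled. A short comment on the first `typealias` line, e.g. `# Per-role lpr types are merged; separation between roles relies on UBAC being enabled.`, would record that trade-off where the next reader will look.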
@@ -100,6 +114,8 @@ init_use_fds(checkpc_t)
sysnet_read_config(checkpc_t)
+userdom_use_user_terminals(checkpc_t)
+
optional_policy(`
cron_system_entry(checkpc_t, checkpc_exec_t)
')
@@ -132,7 +148,7 @@ files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir })
manage_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
manage_sock_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
-files_pid_filetrans(lpd_t, lpd_var_run_t, file)
+files_pid_filetrans(lpd_t, lpd_var_run_t,file)
# Write to /var/spool/lpd.
manage_files_pattern(lpd_t, print_spool_t, print_spool_t)
@@ -194,8 +210,7 @@ miscfiles_read_localization(lpd_t)
sysnet_read_config(lpd_t)
userdom_dontaudit_use_unpriv_user_fds(lpd_t)
-
-sysadm_dontaudit_search_home_dirs(lpd_t)
+userdom_dontaudit_search_user_home_dirs(lpd_t)
optional_policy(`
nis_use_ypbind(lpd_t)
@@ -208,3 +223,126 @@ optional_policy(`
optional_policy(`
udev_read_db(lpd_t)
')
+
+##############################
+#
+# Local policy
+#
+
+allow lpr_t self:capability { setuid dac_override net_bind_service chown };
+allow lpr_t self:unix_stream_socket create_stream_socket_perms;
+allow lpr_t self:tcp_socket create_socket_perms;
+allow lpr_t self:udp_socket create_socket_perms;
+allow lpr_t self:netlink_route_socket r_netlink_socket_perms;
+
+can_exec(lpr_t, lpr_exec_t)
+
+# Allow lpd to read, rename, and unlink spool files.
+allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms };
+
+kernel_read_kernel_sysctls(lpr_t)
+
+corenet_all_recvfrom_unlabeled(lpr_t)
+corenet_all_recvfrom_netlabel(lpr_t)
+corenet_tcp_sendrecv_generic_if(lpr_t)
+corenet_udp_sendrecv_generic_if(lpr_t)
+corenet_tcp_sendrecv_all_nodes(lpr_t)
+corenet_udp_sendrecv_all_nodes(lpr_t)
+corenet_tcp_sendrecv_all_ports(lpr_t)
+corenet_udp_sendrecv_all_ports(lpr_t)
+corenet_tcp_connect_all_ports(lpr_t)
+corenet_sendrecv_all_client_packets(lpr_t)
+
+dev_read_rand(lpr_t)
+dev_read_urand(lpr_t)
+
+domain_use_interactive_fds(lpr_t)
+
+files_search_spool(lpr_t)
+# for lpd config files (should have a new type)
+files_read_etc_files(lpr_t)
+# for test print
+files_read_usr_files(lpr_t)
+#Added to cover read_content macro
+files_list_home(lpr_t)
+files_read_generic_tmp_files(lpr_t)
+
+fs_getattr_xattr_fs(lpr_t)
+
+# Access the terminal.
+term_use_controlling_term(lpr_t)
+term_use_generic_ptys(lpr_t)
+
+miscfiles_read_localization(lpr_t)
+
+sysnet_read_config(lpr_t)
+
+userdom_read_user_tmp_symlinks(lpr_t)
+# Write to the user domain tty.
+userdom_use_user_terminals(lpr_t)
+userdom_read_user_home_content_files(lpr_t)
+userdom_read_user_tmp_files(lpr_t)
+
+tunable_policy(`read_default_t',`
+ files_list_default(lpr_t)
+ files_read_default_symlinks(lpr_t)
+ files_read_default_files(lpr_t)
+')
+
+tunable_policy(`use_lpd_server',`
+ # lpr can run in lightweight mode, without a local print spooler.
+ allow lpr_t lpd_var_run_t:dir search;
+ allow lpr_t lpd_var_run_t:sock_file write;
+ files_read_var_files(lpr_t)
+
+ # Connect to lpd via a Unix domain socket.
+ allow lpr_t printer_t:sock_file rw_sock_file_perms;
+ allow lpr_t lpd_t:unix_stream_socket connectto;
+ # Send SIGHUP to lpd.
+ allow lpr_t lpd_t:process signal;
+
+ manage_dirs_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
+ manage_files_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
+ files_tmp_filetrans(lpr_t, lpr_tmp_t, { file dir })
+
+ manage_files_pattern(lpr_t,print_spool_t,print_spool_t)
+ filetrans_pattern(lpr_t,print_spool_t,print_spool_t,file)
+ # Read and write shared files in the spool directory.
+ allow lpr_t print_spool_t:file rw_file_perms;
+
+ allow lpr_t printconf_t:dir list_dir_perms;
+ read_files_pattern(lpr_t,printconf_t,printconf_t)
+ read_lnk_files_pattern(lpr_t,printconf_t,printconf_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ files_list_home(lpr_t)
+ fs_list_auto_mountpoints(lpr_t)
+ fs_read_nfs_files(lpr_t)
+ fs_read_nfs_symlinks(lpr_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ files_list_home(lpr_t)
+ fs_list_auto_mountpoints(lpr_t)
+ fs_read_cifs_files(lpr_t)
+ fs_read_cifs_symlinks(lpr_t)
+')
+
+optional_policy(`
+ cups_read_config(lpr_t)
+ cups_stream_connect(lpr_t)
+ cups_read_pid_files(lpr_t)
+')
+
+optional_policy(`
+ logging_send_syslog_msg(lpr_t)
+')
+
+optional_policy(`
+ nscd_socket_use(lpr_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(lpr_t)
+')
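Review bot: `allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms };` is an lpd_t rule placed inside the new lpr local-policy block and is already subsumed by `manage_files_pattern(lpd_t, print_spool_t, print_spool_t)` in the lpd section, so it can be dropped or moved next to that rule. The `# Local policy` header should name the domain, as `# Lpr local policy`, to match the per-domain section headers elsewhere in this file. `manage_files_pattern(lpr_t,print_spool_t,print_spool_t)` and the three calls following it omit the space after each comma that `manage_dirs_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)` just above uses; keep one style. The `read_untrusted_content` tunable block and the `lpr_admin_template` rules (`userdom_read_all_users_home_content_files` and friends) from the removed template have no counterpart here, so unless they are provided elsewhere in the commit the admin-side behaviour changes silently and deserves a changelog line.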
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
index ea67c12..d6c5212 100644
--- a/policy/modules/services/mailman.te
+++ b/policy/modules/services/mailman.te
@@ -1,5 +1,5 @@
-policy_module(mailman, 1.5.0)
+policy_module(mailman, 1.5.1)
########################################
#
@@ -99,11 +99,11 @@ files_dontaudit_search_pids(mailman_queue_t)
# for su
seutil_dontaudit_search_config(mailman_queue_t)
-su_exec(mailman_queue_t)
-
# some of the following could probably be changed to dontaudit, someone who
# knows mailman well should test this out and send the changes
-sysadm_search_home_dirs(mailman_queue_t)
+userdom_search_user_home_dirs(mailman_queue_t)
+
+su_exec(mailman_queue_t)
optional_policy(`
cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
diff --git a/policy/modules/services/monop.te b/policy/modules/services/monop.te
index df46abf..23842b3 100644
--- a/policy/modules/services/monop.te
+++ b/policy/modules/services/monop.te
@@ -1,5 +1,5 @@
-policy_module(monop, 1.5.0)
+policy_module(monop, 1.5.1)
########################################
#
@@ -71,8 +71,7 @@ miscfiles_read_localization(monopd_t)
sysnet_read_config(monopd_t)
userdom_dontaudit_use_unpriv_user_fds(monopd_t)
-
-sysadm_dontaudit_search_home_dirs(monopd_t)
+userdom_dontaudit_search_user_home_dirs(monopd_t)
optional_policy(`
nis_use_ypbind(monopd_t)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 5bfa326..1709743 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -132,154 +132,36 @@ template(`mta_base_mail_template',`
')
-#######################################
+########################################
##
-## The per role template for the mta module.
+## Role access for mta
##
-##
-##
-## This template creates a derived domain which is
-## a email transfer agent, which sends mail on
-## behalf of the user.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
+##
##
-## The type of the user domain.
+## Role allowed access
##
##
-##
+##
##
-## The role associated with the user domain.
+## User domain for the role
##
##
#
-template(`mta_per_role_template',`
+interface(`mta_role',`
gen_require(`
attribute mta_user_agent;
- attribute mailserver_delivery;
- type sendmail_exec_t;
+ type user_mail_t, sendmail_exec_t;
')
- ##############################
- #
- # Declarations
- #
-
- mta_base_mail_template($1)
- role $3 types $1_mail_t;
-
- ##############################
- #
- # $1_mail_t local policy
- #
+ role $1 types { user_mail_t mta_user_agent };
# Transition from the user domain to the derived domain.
- domtrans_pattern($2, sendmail_exec_t, $1_mail_t)
+ domtrans_pattern($2, sendmail_exec_t, user_mail_t)
allow $2 sendmail_exec_t:lnk_file { getattr read };
- domain_use_interactive_fds($1_mail_t)
-
- userdom_use_user_terminals($1, $1_mail_t)
- # Write to the user domain tty. cjp: why?
- userdom_use_user_terminals($1, mta_user_agent)
- # Create dead.letter in user home directories.
- userdom_manage_user_home_content_files($1, $1_mail_t)
- userdom_user_home_dir_filetrans_user_home_content($1, $1_mail_t, file)
- # for reading .forward - maybe we need a new type for it?
- # also for delivering mail to maildir
- userdom_manage_user_home_content_dirs($1, mailserver_delivery)
- userdom_manage_user_home_content_files($1, mailserver_delivery)
- userdom_manage_user_home_content_symlinks($1, mailserver_delivery)
- userdom_manage_user_home_content_pipes($1, mailserver_delivery)
- userdom_manage_user_home_content_sockets($1, mailserver_delivery)
- userdom_user_home_dir_filetrans_user_home_content($1, mailserver_delivery, { dir file lnk_file fifo_file sock_file })
- # Read user temporary files.
- userdom_read_user_tmp_files($1, $1_mail_t)
- userdom_dontaudit_append_user_tmp_files($1, $1_mail_t)
- # cjp: this should probably be read all user tmp
- # files in an appropriate place for mta_user_agent
- userdom_read_user_tmp_files($1, mta_user_agent)
-
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_files($1_mail_t)
- fs_manage_cifs_symlinks($1_mail_t)
- ')
-
- optional_policy(`
- allow $1_mail_t self:capability dac_override;
-
- # Read user temporary files.
- # postfix seems to need write access if the file handle is opened read/write
- userdom_rw_user_tmp_files($1, $1_mail_t)
-
- postfix_read_config($1_mail_t)
- postfix_list_spool($1_mail_t)
- ')
-')
-
-########################################
-##
-## Provide extra permissions for admin users
-## mail domain.
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## The type of the user domain.
-##
-##
-##
-#
-template(`mta_admin_template',`
- gen_require(`
- type $1_mail_t;
- ')
-
- # allow the sysadmin to do "mail someone < /home/user/whatever"
- userdom_read_unpriv_users_home_content_files($1_mail_t)
-
- optional_policy(`
- gen_require(`
- attribute mta_user_agent;
- type etc_aliases_t;
- ')
-
- allow mta_user_agent $2:fifo_file { read write };
-
- manage_dirs_pattern($1_mail_t, etc_aliases_t, etc_aliases_t)
- manage_files_pattern($1_mail_t, etc_aliases_t, etc_aliases_t)
- manage_lnk_files_pattern($1_mail_t, etc_aliases_t, etc_aliases_t)
- manage_fifo_files_pattern($1_mail_t, etc_aliases_t, etc_aliases_t)
- manage_sock_files_pattern($1_mail_t, etc_aliases_t, etc_aliases_t)
- files_etc_filetrans($1_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
-
- # postfix needs this for newaliases
- files_getattr_tmp_dirs($1_mail_t)
-
- postfix_exec_master($1_mail_t)
-
- ifdef(`distro_redhat',`
- # compatability for old default main.cf
- postfix_config_filetrans($1_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
- ')
- ')
+ allow mta_user_agent $2:fd use;
+ allow mta_user_agent $2:process sigchld;
+ allow mta_user_agent $2:fifo_file { read write };
')
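Review bot: the permissions that `mta_admin_template` used to grant (`userdom_read_unpriv_users_home_content_files`, managing `etc_aliases_t` with `files_etc_filetrans`, `postfix_exec_master`) have no replacement in this hunk, so unless they are re-added elsewhere in the commit an administrator's `newaliases` and mail-from-another-user's-home use cases stop working. `role $1 types { user_mail_t mta_user_agent };` also associates the role with every type carrying the `mta_user_agent` attribute, where the old template associated only `$1_mail_t`; if that widening is deliberate a comment should say why. The retained comment `# Transition from the user domain to the derived domain.` no longer describes `user_mail_t`, which is now one shared type; `# Transition from the user domain to the shared user mail domain.` fits the code.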
########################################
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index d796fa4..27b9099 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -1,5 +1,5 @@
-policy_module(mta, 1.11.0)
+policy_module(mta, 2.0.0)
########################################
#
@@ -33,6 +33,14 @@ mta_agent_executable(sendmail_exec_t)
mta_base_mail_template(system)
role system_r types system_mail_t;
+mta_base_mail_template(user)
+typealias user_mail_t alias { staff_mail_t sysadm_mail_t };
+typealias user_mail_t alias { auditadm_mail_t secadm_mail_t };
+typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t };
+typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t };
+ubac_constrained(user_mail_t)
+ubac_constrained(user_mail_tmp_t)
+
########################################
#
# System mail local policy
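Review bot: the `typealias` lines fold the staff, sysadm, auditadm and secadm mail domains into `user_mail_t`, so the user-mail rules added at the end of the file (`userdom_manage_user_home_content_files(user_mail_t)` and the other home-content rules in the later hunk) apply identically to an unprivileged user's sendmail and to the administrator's. Keeping those instances apart now depends on `ubac_constrained(user_mail_t)` being effective, which presumably requires the policy to be built with UBAC enabled; a comment before the first `typealias`, e.g. `# Per-role mail domains are merged; separation between roles relies on UBAC.`, would make that explicit. The same applies to the merged `user_mail_tmp_t`.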
@@ -55,8 +63,8 @@ dev_read_urand(system_mail_t)
init_use_script_ptys(system_mail_t)
-sysadm_use_terms(system_mail_t)
-sysadm_dontaudit_search_home_dirs(system_mail_t)
+userdom_use_user_terminals(system_mail_t)
+userdom_dontaudit_search_user_home_dirs(system_mail_t)
optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
@@ -134,7 +142,7 @@ optional_policy(`
')
optional_policy(`
- userdom_dontaudit_use_unpriv_users_ptys(system_mail_t)
+ userdom_dontaudit_use_user_ptys(system_mail_t)
optional_policy(`
cron_dontaudit_append_system_job_tmp_files(system_mail_t)
@@ -160,3 +168,47 @@ optional_policy(`
cron_read_system_job_tmp_files(mta_user_agent)
')
')
+
+########################################
+#
+# User send mail local policy
+#
+
+domain_use_interactive_fds(user_mail_t)
+
+userdom_use_user_terminals(user_mail_t)
+# Write to the user domain tty. cjp: why?
+userdom_use_user_terminals(mta_user_agent)
+# Create dead.letter in user home directories.
+userdom_manage_user_home_content_files(user_mail_t)
+userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
+# for reading .forward - maybe we need a new type for it?
+# also for delivering mail to maildir
+userdom_manage_user_home_content_dirs(mailserver_delivery)
+userdom_manage_user_home_content_files(mailserver_delivery)
+userdom_manage_user_home_content_symlinks(mailserver_delivery)
+userdom_manage_user_home_content_pipes(mailserver_delivery)
+userdom_manage_user_home_content_sockets(mailserver_delivery)
+userdom_user_home_dir_filetrans_user_home_content(mailserver_delivery, { dir file lnk_file fifo_file sock_file })
+# Read user temporary files.
+userdom_read_user_tmp_files(user_mail_t)
+userdom_dontaudit_append_user_tmp_files(user_mail_t)
+# cjp: this should probably be read all user tmp
+# files in an appropriate place for mta_user_agent
+userdom_read_user_tmp_files(mta_user_agent)
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(user_mail_t)
+ fs_manage_cifs_symlinks(user_mail_t)
+')
+
+optional_policy(`
+ allow user_mail_t self:capability dac_override;
+
+ # Read user temporary files.
+ # postfix seems to need write access if the file handle is opened read/write
+ userdom_rw_user_tmp_files(user_mail_t)
+
+ postfix_read_config(user_mail_t)
+ postfix_list_spool(user_mail_t)
+')
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
index e5f05ae..174b17d 100644
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
@@ -1,5 +1,5 @@
-policy_module(munin, 1.5.0)
+policy_module(munin, 1.5.1)
########################################
#
@@ -93,8 +93,7 @@ miscfiles_read_localization(munin_t)
sysnet_read_config(munin_t)
userdom_dontaudit_use_unpriv_user_fds(munin_t)
-
-sysadm_dontaudit_search_home_dirs(munin_t)
+userdom_dontaudit_search_user_home_dirs(munin_t)
optional_policy(`
# for accessing the output directory
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index c093fc4..8f5706a 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -1,5 +1,5 @@
-policy_module(mysql, 1.9.0)
+policy_module(mysql, 1.9.1)
########################################
#
@@ -97,9 +97,8 @@ miscfiles_read_localization(mysqld_t)
sysnet_read_config(mysqld_t)
userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
-
# for /root/.my.cnf - should not be needed:
-sysadm_read_home_content_files(mysqld_t)
+userdom_read_user_home_content_files(mysqld_t)
ifdef(`distro_redhat',`
# because Fedora has the sock_file in the database directory
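Review bot: the comment `# for /root/.my.cnf - should not be needed:` now sits above `userdom_read_user_home_content_files(mysqld_t)`, which, if the userdom interface is as broad as its name suggests, reads home content of all users rather than only the sysadm home that the replaced `sysadm_read_home_content_files` covered. An access the comment itself calls unnecessary should not grow with this rename; a dontaudit variant, or at least updating the comment to state that the daemon now reads every user's home content, would be preferable.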
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
index 3d6b783..5fc26e7 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -1,5 +1,5 @@
-policy_module(nagios, 1.6.0)
+policy_module(nagios, 1.6.1)
########################################
#
@@ -100,11 +100,10 @@ logging_send_syslog_msg(nagios_t)
miscfiles_read_localization(nagios_t)
userdom_dontaudit_use_unpriv_user_fds(nagios_t)
+userdom_dontaudit_search_user_home_dirs(nagios_t)
mta_send_mail(nagios_t)
-sysadm_dontaudit_search_home_dirs(nagios_t)
-
optional_policy(`
netutils_domtrans_ping(nagios_t)
netutils_signal_ping(nagios_t)
diff --git a/policy/modules/services/nessus.te b/policy/modules/services/nessus.te
index 1d265b0..0977507 100644
--- a/policy/modules/services/nessus.te
+++ b/policy/modules/services/nessus.te
@@ -1,5 +1,5 @@
-policy_module(nessus, 1.5.0)
+policy_module(nessus, 1.5.1)
########################################
#
@@ -91,8 +91,7 @@ miscfiles_read_localization(nessusd_t)
sysnet_read_config(nessusd_t)
userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
-
-sysadm_dontaudit_search_home_dirs(nessusd_t)
+userdom_dontaudit_search_user_home_dirs(nessusd_t)
optional_policy(`
nis_use_ypbind(nessusd_t)
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index f978889..b36d63f 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -1,5 +1,5 @@
-policy_module(networkmanager, 1.11.0)
+policy_module(networkmanager, 1.11.1)
########################################
#
@@ -127,11 +127,9 @@ sysnet_manage_config(NetworkManager_t)
sysnet_etc_filetrans_config(NetworkManager_t)
userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
-userdom_dontaudit_use_unpriv_users_ttys(NetworkManager_t)
+userdom_dontaudit_use_user_ttys(NetworkManager_t)
# Read gnome-keyring
-userdom_read_unpriv_users_home_content_files(NetworkManager_t)
-
-sysadm_dontaudit_search_home_dirs(NetworkManager_t)
+userdom_read_user_home_content_files(NetworkManager_t)
optional_policy(`
bind_domtrans(NetworkManager_t)
@@ -140,7 +138,7 @@ optional_policy(`
')
optional_policy(`
- bluetooth_dontaudit_read_helper_files(NetworkManager_t)
+ bluetooth_dontaudit_read_helper_state(NetworkManager_t)
')
optional_policy(`
@@ -148,7 +146,7 @@ optional_policy(`
')
optional_policy(`
- dbus_system_bus_client_template(NetworkManager, NetworkManager_t)
+ dbus_system_bus_client(NetworkManager_t)
dbus_connect_system_bus(NetworkManager_t)
')
@@ -185,11 +183,6 @@ optional_policy(`
')
optional_policy(`
- # Read gnome-keyring
- unconfined_read_home_content_files(NetworkManager_t)
-')
-
-optional_policy(`
vpn_domtrans(NetworkManager_t)
vpn_signal(NetworkManager_t)
')
@@ -198,6 +191,7 @@ optional_policy(`
#
# wpa_cli local policy
#
+
allow wpa_cli_t self:capability dac_override;
allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
index bfcdfcb..d0572ac 100644
--- a/policy/modules/services/nis.te
+++ b/policy/modules/services/nis.te
@@ -1,5 +1,5 @@
-policy_module(nis, 1.7.0)
+policy_module(nis, 1.7.1)
########################################
#
@@ -108,8 +108,7 @@ miscfiles_read_localization(ypbind_t)
sysnet_read_config(ypbind_t)
userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
-
-sysadm_dontaudit_search_home_dirs(ypbind_t)
+userdom_dontaudit_search_user_home_dirs(ypbind_t)
optional_policy(`
seutil_sigchld_newrole(ypbind_t)
@@ -187,8 +186,7 @@ miscfiles_read_localization(yppasswdd_t)
sysnet_read_config(yppasswdd_t)
userdom_dontaudit_use_unpriv_user_fds(yppasswdd_t)
-
-sysadm_dontaudit_search_home_dirs(yppasswdd_t)
+userdom_dontaudit_search_user_home_dirs(yppasswdd_t)
optional_policy(`
hostname_exec(yppasswdd_t)
@@ -268,8 +266,7 @@ nis_domtrans_ypxfr(ypserv_t)
sysnet_read_config(ypserv_t)
userdom_dontaudit_use_unpriv_user_fds(ypserv_t)
-
-sysadm_dontaudit_search_home_dirs(ypserv_t)
+userdom_dontaudit_search_user_home_dirs(ypserv_t)
optional_policy(`
seutil_sigchld_newrole(ypserv_t)
diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
index 732e5e8..33ce3da 100644
--- a/policy/modules/services/nscd.if
+++ b/policy/modules/services/nscd.if
@@ -189,11 +189,6 @@ interface(`nscd_unconfined',`
## The role to be allowed the nscd domain.
##
##
-##
-##
-## The type of the role's terminal.
-##
-##
#
interface(`nscd_run',`
gen_require(`
@@ -202,5 +197,4 @@ interface(`nscd_run',`
nscd_domtrans($1)
role $2 types nscd_t;
- dontaudit nscd_t $3:chr_file rw_term_perms;
')
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
index f99aa8a..d84d0ac 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -1,5 +1,5 @@
-policy_module(nscd, 1.7.0)
+policy_module(nscd, 1.7.1)
gen_require(`
class nscd all_nscd_perms;
@@ -100,9 +100,9 @@ seutil_sigchld_newrole(nscd_t)
sysnet_read_config(nscd_t)
+userdom_dontaudit_use_user_terminals(nscd_t)
userdom_dontaudit_use_unpriv_user_fds(nscd_t)
-
-sysadm_dontaudit_search_home_dirs(nscd_t)
+userdom_dontaudit_search_user_home_dirs(nscd_t)
optional_policy(`
udev_read_db(nscd_t)
diff --git a/policy/modules/services/nsd.te b/policy/modules/services/nsd.te
index f50ef97..d9b34e0 100644
--- a/policy/modules/services/nsd.te
+++ b/policy/modules/services/nsd.te
@@ -1,5 +1,5 @@
-policy_module(nsd, 1.5.0)
+policy_module(nsd, 1.5.1)
########################################
#
@@ -93,8 +93,7 @@ miscfiles_read_localization(nsd_t)
sysnet_read_config(nsd_t)
userdom_dontaudit_use_unpriv_user_fds(nsd_t)
-
-sysadm_dontaudit_search_home_dirs(nsd_t)
+userdom_dontaudit_search_user_home_dirs(nsd_t)
optional_policy(`
nis_use_ypbind(nsd_t)
@@ -167,7 +166,7 @@ miscfiles_read_localization(nsd_crond_t)
sysnet_read_config(nsd_crond_t)
-sysadm_dontaudit_search_home_dirs(nsd_crond_t)
+userdom_dontaudit_search_user_home_dirs(nsd_crond_t)
optional_policy(`
cron_system_entry(nsd_crond_t, nsd_exec_t)
diff --git a/policy/modules/services/ntop.te b/policy/modules/services/ntop.te
index dce93e7..000815f 100644
--- a/policy/modules/services/ntop.te
+++ b/policy/modules/services/ntop.te
@@ -1,5 +1,5 @@
-policy_module(ntop, 1.6.0)
+policy_module(ntop, 1.6.1)
########################################
#
@@ -89,8 +89,7 @@ miscfiles_read_localization(ntop_t)
sysnet_read_config(ntop_t)
userdom_dontaudit_use_unpriv_user_fds(ntop_t)
-
-sysadm_dontaudit_search_home_dirs(ntop_t)
+userdom_dontaudit_search_user_home_dirs(ntop_t)
optional_policy(`
seutil_sigchld_newrole(ntop_t)
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index b5b2701..546c28e 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -1,5 +1,5 @@
-policy_module(ntp, 1.7.0)
+policy_module(ntp, 1.7.1)
########################################
#
@@ -113,9 +113,7 @@ logging_send_syslog_msg(ntpd_t)
miscfiles_read_localization(ntpd_t)
userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
-
-sysadm_list_home_dirs(ntpd_t)
-sysadm_dontaudit_list_home_dirs(ntpd_t)
+userdom_list_user_home_dirs(ntpd_t)
optional_policy(`
# for cron jobs
diff --git a/policy/modules/services/oav.if b/policy/modules/services/oav.if
index 0d6b501..2102b0b 100644
--- a/policy/modules/services/oav.if
+++ b/policy/modules/services/oav.if
@@ -34,11 +34,6 @@ interface(`oav_domtrans_update',`
## The role to be allowed the oav_update domain.
##
##
-##
-##
-## The type of the terminal allow the oav_update domain to use.
-##
-##
##
#
interface(`oav_run_update',`
@@ -48,5 +43,4 @@ interface(`oav_run_update',`
oav_domtrans_update($1)
role $2 types oav_update_t;
- allow oav_update_t $3:chr_file rw_term_perms;
')
diff --git a/policy/modules/services/oav.te b/policy/modules/services/oav.te
index d865e02..80a8ec9 100644
--- a/policy/modules/services/oav.te
+++ b/policy/modules/services/oav.te
@@ -1,5 +1,5 @@
-policy_module(oav, 1.7.0)
+policy_module(oav, 1.7.1)
########################################
#
@@ -67,6 +67,8 @@ logging_send_syslog_msg(oav_update_t)
sysnet_read_config(oav_update_t)
+userdom_use_user_terminals(oav_update_t)
+
optional_policy(`
cron_system_entry(oav_update_t, oav_update_exec_t)
')
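Review bot: `userdom_use_user_terminals(oav_update_t)` at the top of this hunk grants oav_update_t read/write on every user terminal type unconditionally, whereas the rule it replaces (`allow oav_update_t $3:chr_file rw_term_perms` in `oav_run_update`, removed in the oav.if hunk above) was granted only for the terminal type of a role that explicitly invoked the run interface. The same widening appears in openvpn.te, portmap.te (`portmap_helper_t`), postfix.te (`postfix_map_t`) and ppp.te (`pppd_t`) in this commit. If the grant is meant to stay coupled to role authorization, moving the call into the respective `*_run` interface keeps that property; otherwise a short comment above the line, e.g. `# terminal access is no longer role-scoped; rely on UBAC for user separation`, would record the intent for the next reviewer.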
@@ -134,8 +136,7 @@ miscfiles_read_localization(scannerdaemon_t)
sysnet_read_config(scannerdaemon_t)
userdom_dontaudit_use_unpriv_user_fds(scannerdaemon_t)
-
-sysadm_dontaudit_search_home_dirs(scannerdaemon_t)
+userdom_dontaudit_search_user_home_dirs(scannerdaemon_t)
optional_policy(`
seutil_sigchld_newrole(scannerdaemon_t)
diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te
index c48e0f2..daba3ef 100644
--- a/policy/modules/services/oddjob.te
+++ b/policy/modules/services/oddjob.te
@@ -1,5 +1,5 @@
-policy_module(oddjob, 1.5.0)
+policy_module(oddjob, 1.5.1)
########################################
#
@@ -52,7 +52,7 @@ miscfiles_read_localization(oddjob_t)
locallogin_dontaudit_use_fds(oddjob_t)
optional_policy(`
- dbus_system_bus_client_template(oddjob, oddjob_t)
+ dbus_system_bus_client(oddjob_t)
dbus_connect_system_bus(oddjob_t)
')
@@ -72,12 +72,10 @@ files_read_etc_files(oddjob_mkhomedir_t)
miscfiles_read_localization(oddjob_mkhomedir_t)
-staff_manage_home_dirs(oddjob_mkhomedir_t)
-
# Add/remove user home directories
-unprivuser_home_filetrans_home_dir(oddjob_mkhomedir_t)
-unprivuser_manage_home_content_dirs(oddjob_mkhomedir_t)
-unprivuser_manage_home_content_files(oddjob_mkhomedir_t)
-unprivuser_manage_home_dirs(oddjob_mkhomedir_t)
-unprivuser_home_dir_filetrans_home_content(oddjob_mkhomedir_t, notdevfile_class_set)
+userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
+userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
+userdom_manage_user_home_content_files(oddjob_mkhomedir_t)
+userdom_manage_user_home_dirs(oddjob_mkhomedir_t)
+userdom_user_home_dir_filetrans_user_home_content(oddjob_mkhomedir_t, notdevfile_class_set)
diff --git a/policy/modules/services/oident.fc b/policy/modules/services/oident.fc
index 9879ead..5840ea8 100644
--- a/policy/modules/services/oident.fc
+++ b/policy/modules/services/oident.fc
@@ -1,4 +1,4 @@
-HOME_DIR/\.oidentd.conf gen_context(system_u:object_r:ROLE_oidentd_home_t, s0)
+HOME_DIR/\.oidentd.conf gen_context(system_u:object_r:oidentd_home_t, s0)
/etc/oidentd\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
/etc/oidentd_masq\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
@@ -6,4 +6,3 @@ HOME_DIR/\.oidentd.conf gen_context(system_u:object_r:ROLE_oidentd_home_t, s0)
/etc/rc\.d/init\.d/oidentd -- gen_context(system_u:object_r:oidentd_initrc_exec_t, s0)
/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t, s0)
-
diff --git a/policy/modules/services/oident.if b/policy/modules/services/oident.if
index c9beafe..bb4fae5 100644
--- a/policy/modules/services/oident.if
+++ b/policy/modules/services/oident.if
@@ -7,66 +7,49 @@
##
##
-#######################################
+########################################
##
-## The per role template for the Oidentd module.
+## Allow the specified domain to read
+## Oidentd personal configuration files.
##
-##
-##
-## This template creates derived domains which are used
-## for Oident daemon.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## The type of the user domain.
-##
-##
-##
-##
-## The role associated with the user domain.
-##
+##
+##
+## Domain allowed access.
+##
##
#
-template(`oident_per_role_template', `
-
- ########################################
- #
- # Oident daemon shared declarations
- #
-
+interface(`oident_read_user_content', `
gen_require(`
- attribute oidentd_user_content_type;
+ type oidentd_home_t;
')
- type $1_oidentd_home_t, oidentd_user_content_type;
- userdom_user_home_content($1, $1_oidentd_home_t)
-
- typeattribute $1_oidentd_home_t oidentd_user_content_type;
+ allow $1 oidentd_home_t:file read_file_perms;
+ userdom_search_user_home_dirs($1)
+')
- ########################################
- #
- # Oident daemon shared policy
- #
+########################################
+##
+## Allow the specified domain to create, read, write, and delete
+## Oidentd personal configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`oident_manage_user_content', `
+ gen_require(`
+ type oidentd_home_t;
+ ')
- allow $2 $1_oidentd_home_t:file manage_file_perms;
- allow $2 $1_oidentd_home_t:file relabel_file_perms;
+ allow $1 oidentd_home_t:file manage_file_perms;
+ userdom_search_user_home_dirs($1)
')
########################################
##
-## Allow the specified domain to read
+## Allow the specified domain to relabel
## Oidentd personal configuration files.
##
##
@@ -75,11 +58,11 @@ template(`oident_per_role_template', `
##
##
#
-interface(`oident_read_all_user_content', `
+interface(`oident_relabel_user_content', `
gen_require(`
- attribute oidentd_user_content_type;
+ type oidentd_home_t;
')
- allow $1 oidentd_user_content_type:file read_file_perms;
- userdom_search_all_users_home_dirs($1)
+ allow $1 oidentd_home_t:file relabel_file_perms;
+ userdom_search_user_home_dirs($1)
')
diff --git a/policy/modules/services/oident.te b/policy/modules/services/oident.te
index 0a7195c..bb56f9e 100644
--- a/policy/modules/services/oident.te
+++ b/policy/modules/services/oident.te
@@ -1,17 +1,20 @@
-policy_module(oident, 1.0.0)
+policy_module(oident, 2.0.0)
########################################
#
# Oident daemon private declarations
#
-attribute oidentd_user_content_type;
-
type oidentd_t;
type oidentd_exec_t;
init_daemon_domain(oidentd_t, oidentd_exec_t)
+type oidentd_home_t;
+typealias oidentd_home_t alias { oidentd_user_content_t oidentd_staff_content_t oidentd_sysadm_content_t };
+typealias oidentd_home_t alias { oidentd_secadm_content_t oidentd_auditadm_content_t };
+userdom_user_home_content(oidentd_home_t)
+
type oidentd_initrc_exec_t;
init_script_file(oidentd_initrc_exec_t)
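Review bot: The alias names on the two `typealias oidentd_home_t alias { ... }` lines do not match the type this module used to derive per role: the removed `oident_per_role_template` declared `$1_oidentd_home_t` (so `user_oidentd_home_t`, `staff_oidentd_home_t`, `sysadm_oidentd_home_t`, ...), not `oidentd_user_content_t`. As written, a policy or on-disk label that still names `user_oidentd_home_t` will fail to resolve, and existing `~/.oidentd.conf` files keep their old context until relabeled, since the oident.fc hunk now assigns `oidentd_home_t`. Unless the full module declared the old type under a different name than the template shows, the aliases should read `typealias oidentd_home_t alias { user_oidentd_home_t staff_oidentd_home_t sysadm_oidentd_home_t };` and `typealias oidentd_home_t alias { secadm_oidentd_home_t auditadm_oidentd_home_t };`, matching the pattern pyzor.te uses for `pyzor_home_t` in this same commit.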
@@ -53,7 +56,7 @@ miscfiles_read_localization(oidentd_t)
sysnet_read_config(oidentd_t)
-oident_read_all_user_content(oidentd_t)
+oident_read_user_content(oidentd_t)
optional_policy(`
nis_use_ypbind(oidentd_t)
diff --git a/policy/modules/services/openct.te b/policy/modules/services/openct.te
index cb046d9..638508a 100644
--- a/policy/modules/services/openct.te
+++ b/policy/modules/services/openct.te
@@ -1,5 +1,5 @@
-policy_module(openct, 1.3.0)
+policy_module(openct, 1.3.1)
########################################
#
@@ -48,8 +48,7 @@ logging_send_syslog_msg(openct_t)
miscfiles_read_localization(openct_t)
userdom_dontaudit_use_unpriv_user_fds(openct_t)
-
-sysadm_dontaudit_search_home_dirs(openct_t)
+userdom_dontaudit_search_user_home_dirs(openct_t)
openct_exec(openct_t)
diff --git a/policy/modules/services/openvpn.if b/policy/modules/services/openvpn.if
index f448846..18d95e6 100644
--- a/policy/modules/services/openvpn.if
+++ b/policy/modules/services/openvpn.if
@@ -33,11 +33,6 @@ interface(`openvpn_domtrans',`
## The role to be allowed the openvpn domain.
##
##
-##
-##
-## The type of the terminal allow the openvpn domain to use.
-##
-##
##
#
interface(`openvpn_run',`
@@ -47,7 +42,6 @@ interface(`openvpn_run',`
openvpn_domtrans($1)
role $2 types openvpn_t;
- allow openvpn_t $3:chr_file rw_term_perms;
')
########################################
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index ed97458..6e16c60 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -1,5 +1,5 @@
-policy_module(openvpn, 1.6.0)
+policy_module(openvpn, 1.6.1)
########################################
#
@@ -100,8 +100,10 @@ miscfiles_read_certs(openvpn_t)
sysnet_dns_name_resolve(openvpn_t)
sysnet_exec_ifconfig(openvpn_t)
+userdom_use_user_terminals(openvpn_t)
+
tunable_policy(`openvpn_enable_homedirs',`
- userdom_read_unpriv_users_home_content_files(openvpn_t)
+ userdom_read_user_home_content_files(openvpn_t)
')
optional_policy(`
@@ -109,7 +111,7 @@ optional_policy(`
')
optional_policy(`
- dbus_system_bus_client_template(openvpn, openvpn_t)
+ dbus_system_bus_client(openvpn_t)
dbus_connect_system_bus(openvpn_t)
networkmanager_dbus_chat(openvpn_t)
diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te
index 8f206d5..57cb94d 100644
--- a/policy/modules/services/pegasus.te
+++ b/policy/modules/services/pegasus.te
@@ -1,5 +1,5 @@
-policy_module(pegasus, 1.6.0)
+policy_module(pegasus, 1.6.1)
########################################
#
@@ -119,8 +119,7 @@ sysnet_read_config(pegasus_t)
sysnet_domtrans_ifconfig(pegasus_t)
userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
-
-sysadm_dontaudit_search_home_dirs(pegasus_t)
+userdom_dontaudit_search_user_home_dirs(pegasus_t)
optional_policy(`
rpm_exec(pegasus_t)
diff --git a/policy/modules/services/perdition.te b/policy/modules/services/perdition.te
index e54e60d..a8372cd 100644
--- a/policy/modules/services/perdition.te
+++ b/policy/modules/services/perdition.te
@@ -1,5 +1,5 @@
-policy_module(perdition, 1.5.0)
+policy_module(perdition, 1.5.1)
########################################
#
@@ -65,8 +65,7 @@ miscfiles_read_localization(perdition_t)
sysnet_read_config(perdition_t)
userdom_dontaudit_use_unpriv_user_fds(perdition_t)
-
-sysadm_dontaudit_search_home_dirs(perdition_t)
+userdom_dontaudit_search_user_home_dirs(perdition_t)
optional_policy(`
seutil_sigchld_newrole(perdition_t)
diff --git a/policy/modules/services/portmap.if b/policy/modules/services/portmap.if
index 039c6de..19d9f8a 100644
--- a/policy/modules/services/portmap.if
+++ b/policy/modules/services/portmap.if
@@ -35,11 +35,6 @@ interface(`portmap_domtrans_helper',`
## The role to be allowed the portmap domain.
##
##
-##
-##
-## The type of the terminal allow the portmap domain to use.
-##
-##
##
#
interface(`portmap_run_helper',`
@@ -49,7 +44,6 @@ interface(`portmap_run_helper',`
portmap_domtrans_helper($1)
role $2 types portmap_helper_t;
- allow portmap_helper_t $3:chr_file rw_term_perms;
')
########################################
diff --git a/policy/modules/services/portmap.te b/policy/modules/services/portmap.te
index b766249..e9af057 100644
--- a/policy/modules/services/portmap.te
+++ b/policy/modules/services/portmap.te
@@ -1,5 +1,5 @@
-policy_module(portmap, 1.7.0)
+policy_module(portmap, 1.7.1)
########################################
#
@@ -84,8 +84,7 @@ miscfiles_read_localization(portmap_t)
sysnet_read_config(portmap_t)
userdom_dontaudit_use_unpriv_user_fds(portmap_t)
-
-sysadm_dontaudit_search_home_dirs(portmap_t)
+userdom_dontaudit_search_user_home_dirs(portmap_t)
optional_policy(`
nis_use_ypbind(portmap_t)
@@ -145,6 +144,7 @@ logging_send_syslog_msg(portmap_helper_t)
sysnet_read_config(portmap_helper_t)
+userdom_use_user_terminals(portmap_helper_t)
userdom_dontaudit_use_all_users_fds(portmap_helper_t)
optional_policy(`
diff --git a/policy/modules/services/portslave.te b/policy/modules/services/portslave.te
index 617ebe0..c52a3e2 100644
--- a/policy/modules/services/portslave.te
+++ b/policy/modules/services/portslave.te
@@ -1,5 +1,5 @@
-policy_module(portslave, 1.5.0)
+policy_module(portslave, 1.5.1)
########################################
#
@@ -95,7 +95,7 @@ sysnet_read_config(portslave_t)
userdom_use_unpriv_users_fds(portslave_t)
# for ~/.ppprc - if it actually exists then you need some policy to read it
-userdom_search_all_users_home_dirs(portslave_t)
+userdom_search_user_home_dirs(portslave_t)
mta_send_mail(portslave_t)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
index 0eeb4e7..88b923c 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -160,40 +160,6 @@ template(`postfix_user_domain_template',`
########################################
##
-## The per role template for the postfix module.
-##
-##
-##
-## The prefix of the user domain.
-## (e.g., user is the prefix of user_t)
-##
-##
-##
-##
-## User domain type.
-##
-##
-##
-##
-## User role
-##
-##
-#
-template(`postfix_per_role_template',`
- gen_require(`
- attribute postfix_user_domains;
- type postfix_postdrop_t;
- ')
-
- role $3 types postfix_postdrop_t;
-
- allow postfix_user_domains $2:process sigchld;
- allow postfix_user_domains $2:fifo_file { write getattr };
- allow postfix_user_domains $2:fd use;
-')
-
-########################################
-##
## Read postfix configuration files.
##
##
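Review bot: Removing `postfix_per_role_template` drops `role $3 types postfix_postdrop_t;` and the `postfix_user_domains -> $2` sigchld/fifo/fd rules, but nothing visible in this commit re-establishes them: the postfix.te hunks only bump the version and add a terminal rule for `postfix_map_t`. If a replacement `postfix_role` interface is added in a part of postfix.if outside this chunk, fine; otherwise user roles lose the authorization to enter `postfix_postdrop_t` (i.e. to run postdrop), and the back-channel to the caller's fds will be denied. The qmail.if hunk below has the same gap: `qmail_per_role_template` (which carried `role $3 types qmail_user_domains;` and `qmail_domtrans_inject($2)`) is deleted and qmail.te only changes its version.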
@@ -353,11 +319,6 @@ interface(`postfix_domtrans_map',`
## The role to be allowed the postfix_map domain.
##
##
-##
-##
-## The type of the terminal allow the postfix_map domain to use.
-##
-##
##
#
interface(`postfix_run_map',`
@@ -367,7 +328,6 @@ interface(`postfix_run_map',`
postfix_domtrans_map($1)
role $2 types postfix_map_t;
- allow postfix_map_t $3:chr_file rw_term_perms;
')
########################################
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index d83b1b6..89d0abe 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -1,5 +1,5 @@
-policy_module(postfix, 1.9.0)
+policy_module(postfix, 1.9.1)
########################################
#
@@ -342,6 +342,8 @@ miscfiles_read_localization(postfix_map_t)
seutil_read_config(postfix_map_t)
+userdom_use_user_terminals(postfix_map_t)
+
tunable_policy(`read_default_t',`
files_list_default(postfix_map_t)
files_read_default_files(postfix_map_t)
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index 4351a8c..7c84488 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -2,16 +2,11 @@
#######################################
##
-## The userdomain template for the SE-PostgreSQL.
+## Role access for SE-PostgreSQL.
##
-##
-## This template creates a delivered types which are used
-## for given userdomains.
-##
-##
+##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## The role associated with the user domain.
##
##
##
@@ -19,13 +14,8 @@
## The type of the user domain.
##
##
-##
-##
-## The role associated with the user domain.
-##
-##
#
-template(`postgresql_userdom_template',`
+interface(`postgresql_role',`
gen_require(`
class db_database all_db_database_perms;
class db_table all_db_table_perms;
@@ -38,6 +28,8 @@ template(`postgresql_userdom_template',`
attribute sepgsql_sysobj_table_type;
type sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t;
+ type user_sepgsql_blob_t, user_sepgsql_proc_exec_t;
+ type user_sepgsql_sysobj_t, user_sepgsql_table_t;
')
########################################
@@ -46,20 +38,7 @@ template(`postgresql_userdom_template',`
#
typeattribute $2 sepgsql_client_type;
-
- type $1_sepgsql_blob_t;
- postgresql_blob_object($1_sepgsql_blob_t)
-
- type $1_sepgsql_proc_exec_t;
- postgresql_procedure_object($1_sepgsql_proc_exec_t)
-
- type $1_sepgsql_sysobj_t;
- postgresql_system_table_object($1_sepgsql_sysobj_t)
-
- type $1_sepgsql_table_t;
- postgresql_table_object($1_sepgsql_table_t)
-
- role $3 types sepgsql_trusted_proc_t;
+ role $1 types sepgsql_trusted_proc_t;
##############################
#
@@ -67,25 +46,25 @@ template(`postgresql_userdom_template',`
#
tunable_policy(`sepgsql_enable_users_ddl',`
- allow $2 $1_sepgsql_table_t:db_table { create drop };
- type_transition $2 sepgsql_database_type:db_table $1_sepgsql_table_t;
+ allow $2 user_sepgsql_table_t:db_table { create drop };
+ type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t;
- allow $2 $1_sepgsql_table_t:db_column { create drop };
+ allow $2 user_sepgsql_table_t:db_column { create drop };
- allow $2 $1_sepgsql_sysobj_t:db_tuple { update insert delete };
- type_transition $2 sepgsql_sysobj_table_type:db_tuple $1_sepgsql_sysobj_t;
+ allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
+ type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
')
- allow $2 $1_sepgsql_table_t:db_table { getattr setattr use select update insert delete };
- allow $2 $1_sepgsql_table_t:db_column { getattr setattr use select update insert };
- allow $2 $1_sepgsql_table_t:db_tuple { use select update insert delete };
- allow $2 $1_sepgsql_sysobj_t:db_tuple { use select };
+ allow $2 user_sepgsql_table_t:db_table { getattr setattr use select update insert delete };
+ allow $2 user_sepgsql_table_t:db_column { getattr setattr use select update insert };
+ allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete };
+ allow $2 user_sepgsql_sysobj_t:db_tuple { use select };
- allow $2 $1_sepgsql_proc_exec_t:db_procedure { create drop getattr setattr execute };
- type_transition $2 sepgsql_database_type:db_procedure $1_sepgsql_proc_exec_t;
+ allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop getattr setattr execute };
+ type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t;
- allow $2 $1_sepgsql_blob_t:db_blob { create drop getattr setattr read write };
- type_transition $2 sepgsql_database_type:db_blob $1_sepgsql_blob_t;
+ allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write };
+ type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t;
allow $2 sepgsql_trusted_proc_t:process transition;
type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 0dc0afb..3ba8a4c 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,5 +1,5 @@
-policy_module(postgresql, 1.7.0)
+policy_module(postgresql, 1.7.1)
gen_require(`
class db_database all_db_database_perms;
@@ -96,6 +96,26 @@ domain_type(sepgsql_trusted_proc_t)
postgresql_unconfined(sepgsql_trusted_proc_t)
role system_r types sepgsql_trusted_proc_t;
+type user_sepgsql_blob_t;
+typealias user_sepgsql_blob_t alias { staff_sepgsql_blob_t sysadm_sepgsql_blob_t };
+typealias user_sepgsql_blob_t alias { auditadm_sepgsql_blob_t secadm_sepgsql_blob_t };
+postgresql_blob_object(user_sepgsql_blob_t)
+
+type user_sepgsql_proc_exec_t;
+typealias user_sepgsql_proc_exec_t alias { staff_sepgsql_proc_exec_t sysadm_sepgsql_proc_exec_t };
+typealias user_sepgsql_proc_exec_t alias { auditadm_sepgsql_proc_exec_t secadm_sepgsql_proc_exec_t };
+postgresql_procedure_object(user_sepgsql_proc_exec_t)
+
+type user_sepgsql_sysobj_t;
+typealias user_sepgsql_sysobj_t alias { staff_sepgsql_sysobj_t sysadm_sepgsql_sysobj_t };
+typealias user_sepgsql_sysobj_t alias { auditadm_sepgsql_sysobj_t secadm_sepgsql_sysobj_t };
+postgresql_system_table_object(user_sepgsql_sysobj_t)
+
+type user_sepgsql_table_t;
+typealias user_sepgsql_table_t alias { staff_sepgsql_table_t sysadm_sepgsql_table_t };
+typealias user_sepgsql_table_t alias { auditadm_sepgsql_table_t secadm_sepgsql_table_t };
+postgresql_table_object(user_sepgsql_table_t)
+
########################################
#
# postgresql Local policy
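Review bot: The four `typealias user_sepgsql_*_t alias { staff_... sysadm_... auditadm_... secadm_... }` groups make every former per-role database object type the same type, so the separation between, say, staff and sysadm tables that the old `$1_sepgsql_*` types provided no longer exists at the type level; a comment above `type user_sepgsql_blob_t;` should say so, e.g. `# Per-role sepgsql object types are collapsed into one; separation now relies on UBAC`. If UBAC is expected to supply that separation, note that none of these object types gets a `ubac_constrained()` call here, unlike `pyzor_tmp_t` and `pyzor_var_lib_t` in pyzor.te in this commit. Whether the db_* object classes are covered by the UBAC constraints is not visible on this page, so either add `ubac_constrained(user_sepgsql_table_t)` (and the other three) once confirmed, or state in the comment that db objects are outside UBAC scope.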
@@ -218,12 +238,11 @@ miscfiles_read_localization(postgresql_t)
seutil_libselinux_linked(postgresql_t)
userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
+userdom_dontaudit_search_user_home_dirs(postgresql_t)
+userdom_dontaudit_use_user_terminals(postgresql_t)
mta_getattr_spool(postgresql_t)
-sysadm_dontaudit_search_home_dirs(postgresql_t)
-sysadm_dontaudit_use_ttys(postgresql_t)
-
tunable_policy(`allow_execmem',`
allow postgresql_t self:process execmem;
')
diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te
index 68be03d..7c40fed 100644
--- a/policy/modules/services/postgrey.te
+++ b/policy/modules/services/postgrey.te
@@ -1,5 +1,5 @@
-policy_module(postgrey, 1.5.0)
+policy_module(postgrey, 1.5.1)
########################################
#
@@ -75,8 +75,7 @@ miscfiles_read_localization(postgrey_t)
sysnet_read_config(postgrey_t)
userdom_dontaudit_use_unpriv_user_fds(postgrey_t)
-
-sysadm_dontaudit_search_home_dirs(postgrey_t)
+userdom_dontaudit_search_user_home_dirs(postgrey_t)
optional_policy(`
nis_use_ypbind(postgrey_t)
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
index e100e9a..5786afa 100644
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
@@ -125,11 +125,6 @@ interface(`ppp_domtrans',`
## The role to allow the ppp domain.
##
##
-##
-##
-## The type of the terminal allow the ppp domain to use.
-##
-##
##
#
interface(`ppp_run_cond',`
@@ -141,7 +136,6 @@ interface(`ppp_run_cond',`
tunable_policy(`pppd_for_user',`
ppp_domtrans($1)
- allow pppd_t $3:chr_file rw_term_perms;
')
')
@@ -159,11 +153,6 @@ interface(`ppp_run_cond',`
## The role to allow the ppp domain.
##
##
-##
-##
-## The type of the terminal allow the ppp domain to use.
-##
-##
##
#
interface(`ppp_run',`
@@ -173,7 +162,6 @@ interface(`ppp_run',`
ppp_domtrans($1)
role $2 types pppd_t;
- allow pppd_t $3:chr_file rw_term_perms;
')
########################################
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
index 6f8636a..02f556e 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -1,5 +1,5 @@
-policy_module(ppp, 1.9.0)
+policy_module(ppp, 1.9.1)
########################################
#
@@ -172,16 +172,13 @@ sysnet_exec_ifconfig(pppd_t)
sysnet_manage_config(pppd_t)
sysnet_etc_filetrans_config(pppd_t)
+userdom_use_user_terminals(pppd_t)
userdom_dontaudit_use_unpriv_user_fds(pppd_t)
# for ~/.ppprc - if it actually exists then you need some policy to read it
-#allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
-userdom_search_unpriv_users_home_dirs(pppd_t)
+userdom_search_user_home_dirs(pppd_t)
ppp_exec(pppd_t)
-sysadm_dontaudit_search_home_dirs(pppd_t)
-sysadm_search_home_dirs(pppd_t)
-
optional_policy(`
ddclient_domtrans(pppd_t)
')
@@ -279,8 +276,7 @@ miscfiles_read_localization(pptp_t)
sysnet_read_config(pptp_t)
userdom_dontaudit_use_unpriv_user_fds(pptp_t)
-
-sysadm_dontaudit_search_home_dirs(pptp_t)
+userdom_dontaudit_search_user_home_dirs(pptp_t)
optional_policy(`
consoletype_exec(pppd_t)
diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te
index cf1e5a8..5c6323b 100644
--- a/policy/modules/services/privoxy.te
+++ b/policy/modules/services/privoxy.te
@@ -1,5 +1,5 @@
-policy_module(privoxy, 1.7.0)
+policy_module(privoxy, 1.7.1)
########################################
#
@@ -73,10 +73,9 @@ miscfiles_read_localization(privoxy_t)
sysnet_dns_name_resolve(privoxy_t)
userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
-
-sysadm_dontaudit_search_home_dirs(privoxy_t)
+userdom_dontaudit_search_user_home_dirs(privoxy_t)
# cjp: this should really not be needed
-sysadm_use_terms(privoxy_t)
+userdom_use_user_terminals(privoxy_t)
optional_policy(`
nis_use_ypbind(privoxy_t)
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
index f75453b..c9d52f4 100644
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@@ -1,5 +1,5 @@
-policy_module(procmail, 1.9.0)
+policy_module(procmail, 1.9.1)
########################################
#
@@ -70,11 +70,15 @@ logging_send_syslog_msg(procmail_t)
miscfiles_read_localization(procmail_t)
# only works until we define a different type for maildir
-userdom_priveleged_home_dir_manager(procmail_t)
+userdom_manage_user_home_content_dirs(procmail_t)
+userdom_manage_user_home_content_files(procmail_t)
+userdom_manage_user_home_content_symlinks(procmail_t)
+userdom_manage_user_home_content_pipes(procmail_t)
+userdom_manage_user_home_content_sockets(procmail_t)
+userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
# Do not audit attempts to access /root.
-staff_dontaudit_search_home_dirs(procmail_t)
-sysadm_dontaudit_search_home_dirs(procmail_t)
+userdom_dontaudit_search_user_home_dirs(procmail_t)
mta_manage_spool(procmail_t)
diff --git a/policy/modules/services/pxe.te b/policy/modules/services/pxe.te
index 558a691..17e7c49 100644
--- a/policy/modules/services/pxe.te
+++ b/policy/modules/services/pxe.te
@@ -1,5 +1,5 @@
-policy_module(pxe, 1.3.0)
+policy_module(pxe, 1.3.1)
# cjp: policy seems incomplete
@@ -53,8 +53,7 @@ logging_send_syslog_msg(pxe_t)
miscfiles_read_localization(pxe_t)
userdom_dontaudit_use_unpriv_user_fds(pxe_t)
-
-sysadm_dontaudit_search_home_dirs(pxe_t)
+userdom_dontaudit_search_user_home_dirs(pxe_t)
optional_policy(`
seutil_sigchld_newrole(pxe_t)
diff --git a/policy/modules/services/pyzor.fc b/policy/modules/services/pyzor.fc
index c512523..d4a7750 100644
--- a/policy/modules/services/pyzor.fc
+++ b/policy/modules/services/pyzor.fc
@@ -1,6 +1,6 @@
/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
-HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:ROLE_pyzor_home_t,s0)
+HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
diff --git a/policy/modules/services/pyzor.if b/policy/modules/services/pyzor.if
index 8ab808b..3745b62 100644
--- a/policy/modules/services/pyzor.if
+++ b/policy/modules/services/pyzor.if
@@ -1,40 +1,34 @@
## Pyzor is a distributed, collaborative spam detection and filtering network.
-#######################################
+########################################
##
-## The per role template for the pyzor module.
+## Role access for pyzor
##
-##
-##
-## This template allows pyzor to manage files in
-## a user home directory, creating files with the
-## correct type.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
+##
+##
+## Role allowed access
+##
+##
+##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## User domain for the role
##
##
#
-template(`pyzor_per_role_template',`
+interface(`pyzor_role',`
gen_require(`
- type pyzord_t;
+ type pyzor_t, pyzor_exec_t;
+ type pyzor_home_t, pyzor_var_lib_t, pyzor_tmp_t;
')
- type $1_pyzor_home_t;
- userdom_user_home_content($1, $1_pyzor_home_t)
+ role $1 types pyzor_t;
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, pyzor_exec_t, pyzor_t)
- manage_dirs_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t)
- manage_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t)
- manage_lnk_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t)
- userdom_user_home_dir_filetrans($1, pyzord_t, $1_pyzor_home_t, { dir file lnk_file })
+ # allow ps to show pyzor and allow the user to kill it
+ ps_process_pattern($2, pyzor_t)
+ allow $2 pyzor_t:process signal;
')
########################################
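Review bot: The `gen_require` of `pyzor_role` lists `type pyzor_home_t, pyzor_var_lib_t, pyzor_tmp_t;` but the interface body references none of them — only `pyzor_t` and `pyzor_exec_t` are used by the `role`, `domtrans_pattern`, `ps_process_pattern` and `allow` lines. Either the line should be dropped, or, if the intent was the usual role-interface pattern of giving `$2` access to the user's pyzor home content (the removed template granted that to `pyzord_t`), the rules that would use those types are missing. The home-content rules that did move to pyzor.te in this commit are attached to `pyzor_t`, so the user domain itself currently gets no access to `pyzor_home_t` from this interface.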
diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te
index 6a4ba88..002132a 100644
--- a/policy/modules/services/pyzor.te
+++ b/policy/modules/services/pyzor.te
@@ -1,5 +1,5 @@
-policy_module(pyzor, 1.6.0)
+policy_module(pyzor, 2.0.0)
########################################
#
@@ -8,33 +8,51 @@ policy_module(pyzor, 1.6.0)
type pyzor_t;
type pyzor_exec_t;
+typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
+typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t };
application_domain(pyzor_t, pyzor_exec_t)
+ubac_constrained(pyzor_t)
role system_r types pyzor_t;
-type pyzord_t;
-type pyzord_exec_t;
-domain_type(pyzord_t)
-init_daemon_domain(pyzord_t, pyzord_exec_t)
-
type pyzor_etc_t;
files_type(pyzor_etc_t)
-type pyzord_log_t;
-logging_log_file(pyzord_log_t)
+type pyzor_home_t;
+typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t };
+typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t };
+userdom_user_home_content(pyzor_home_t)
type pyzor_tmp_t;
+typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
+typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
files_tmp_file(pyzor_tmp_t)
+ubac_constrained(pyzor_tmp_t)
type pyzor_var_lib_t;
+typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
+typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t };
files_type(pyzor_var_lib_t)
+ubac_constrained(pyzor_var_lib_t)
+
+type pyzord_t;
+type pyzord_exec_t;
+init_daemon_domain(pyzord_t,pyzord_exec_t)
+
+type pyzord_log_t;
+logging_log_file(pyzord_log_t)
########################################
#
-# Pyzor local policy
+# Pyzor client local policy
#
allow pyzor_t self:udp_socket create_socket_perms;
+manage_dirs_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
+manage_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
+manage_lnk_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
+userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, { dir file lnk_file })
+
allow pyzor_t pyzor_var_lib_t:dir list_dir_perms;
read_files_pattern(pyzor_t,pyzor_var_lib_t,pyzor_var_lib_t)
files_search_var_lib(pyzor_t)
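Review bot: `init_daemon_domain(pyzord_t,pyzord_exec_t)` omits the space after the comma that every other call introduced in this hunk uses (`application_domain(pyzor_t, pyzor_exec_t)`, `userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, { dir file lnk_file })`), so it should read `init_daemon_domain(pyzord_t, pyzord_exec_t)`. The context line `read_files_pattern(pyzor_t,pyzor_var_lib_t,pyzor_var_lib_t)` has the same form but predates this change. The new "Pyzor client local policy" section would also benefit from a one-line comment above `manage_dirs_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)` noting that these rules replace the per-role `$1_pyzor_home_t` management formerly granted to `pyzord_t`, since the grantee changed from the daemon to the client domain.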
@@ -65,7 +83,7 @@ auth_use_nsswitch(pyzor_t)
miscfiles_read_localization(pyzor_t)
-sysadm_dontaudit_search_home_dirs(pyzor_t)
+userdom_dontaudit_search_user_home_dirs(pyzor_t)
optional_policy(`
amavis_manage_lib_files(pyzor_t)
@@ -79,7 +97,7 @@ optional_policy(`
########################################
#
-# Pyzord local policy
+# Pyzor server local policy
#
allow pyzord_t self:udp_socket create_socket_perms;
@@ -121,11 +139,10 @@ locallogin_dontaudit_use_fds(pyzord_t)
miscfiles_read_localization(pyzord_t)
-mta_manage_spool(pyzord_t)
-
# Do not audit attempts to access /root.
-staff_dontaudit_search_home_dirs(pyzord_t)
-sysadm_dontaudit_search_home_dirs(pyzord_t)
+userdom_dontaudit_search_user_home_dirs(pyzord_t)
+
+mta_manage_spool(pyzord_t)
optional_policy(`
logging_send_syslog_msg(pyzord_t)
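Review bot: The comment `# Do not audit attempts to access /root.` now sits directly above `userdom_dontaudit_search_user_home_dirs(pyzord_t)`, which by its name covers user home directories in general rather than /root specifically, so the comment no longer describes the rule beneath it. The two sysadm/staff lines it originally explained are removed in this hunk. Suggest `# Do not audit attempts to search user home directories.` so the comment matches the replacement interface.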
diff --git a/policy/modules/services/qmail.if b/policy/modules/services/qmail.if
index a40b0a2..5112322 100644
--- a/policy/modules/services/qmail.if
+++ b/policy/modules/services/qmail.if
@@ -1,48 +1,5 @@
## Qmail Mail Server
-#######################################
-##
-## The per role template for qmail
-##
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## The type of the user domain.
-##
-##
-##
-##
-## The role associated with the user domain.
-##
-##
-#
-template(`qmail_per_role_template',`
- gen_require(`
- attribute qmail_user_domains;
- ')
-
- role $3 types qmail_user_domains;
-
- qmail_domtrans_inject($2)
-
- allow qmail_user_domains $2:process sigchld;
- allow qmail_user_domains $2:fifo_file { write getattr };
- allow qmail_user_domains $2:fd use;
-
-')
-
########################################
##
## Template for qmail parent/sub-domain pairs
diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te
index ca0bf07..1da1661 100644
--- a/policy/modules/services/qmail.te
+++ b/policy/modules/services/qmail.te
@@ -1,5 +1,5 @@
-policy_module(qmail, 1.4.0)
+policy_module(qmail, 1.4.1)
########################################
#
diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
index d803d38..c247f4f 100644
--- a/policy/modules/services/radius.te
+++ b/policy/modules/services/radius.te
@@ -1,5 +1,5 @@
-policy_module(radius, 1.9.0)
+policy_module(radius, 1.9.1)
########################################
#
@@ -113,9 +113,7 @@ miscfiles_read_localization(radiusd_t)
miscfiles_read_certs(radiusd_t)
userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
-
-sysadm_dontaudit_search_home_dirs(radiusd_t)
-sysadm_dontaudit_getattr_home_dirs(radiusd_t)
+userdom_dontaudit_search_user_home_dirs(radiusd_t)
optional_policy(`
cron_system_entry(radiusd_t, radiusd_exec_t)
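Review bot: `sysadm_dontaudit_getattr_home_dirs(radiusd_t)` is removed without a userdom counterpart, while only the search leg is carried over as `userdom_dontaudit_search_user_home_dirs(radiusd_t)`. Unless that interface also covers getattr (not visible here), a radiusd getattr on a home directory will now produce an AVC denial in the audit log where it was previously silenced. If dropping the getattr dontaudit is intentional, a short comment saying so would save the next reader a search; otherwise the corresponding userdom getattr dontaudit should be restored alongside it.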
diff --git a/policy/modules/services/radvd.te b/policy/modules/services/radvd.te
index 1397e40..dc5cc13 100644
--- a/policy/modules/services/radvd.te
+++ b/policy/modules/services/radvd.te
@@ -1,5 +1,5 @@
-policy_module(radvd, 1.9.0)
+policy_module(radvd, 1.9.1)
########################################
#
@@ -70,8 +70,7 @@ miscfiles_read_localization(radvd_t)
sysnet_read_config(radvd_t)
userdom_dontaudit_use_unpriv_user_fds(radvd_t)
-
-sysadm_dontaudit_search_home_dirs(radvd_t)
+userdom_dontaudit_search_user_home_dirs(radvd_t)
optional_policy(`
nis_use_ypbind(radvd_t)
diff --git a/policy/modules/services/razor.fc b/policy/modules/services/razor.fc
index d50875b..1efba0c 100644
--- a/policy/modules/services/razor.fc
+++ b/policy/modules/services/razor.fc
@@ -1,4 +1,4 @@
-HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:ROLE_razor_home_t,s0)
+HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if
index 37fc170..b564199 100644
--- a/policy/modules/services/razor.if
+++ b/policy/modules/services/razor.if
@@ -26,6 +26,9 @@ template(`razor_common_domain_template',`
gen_require(`
type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t;
')
+ type $1_t;
+ domain_type($1_t)
+ domain_entry_file($1_t, razor_exec_t)
allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_t self:fd use;
@@ -95,109 +98,46 @@ template(`razor_common_domain_template',`
sysnet_read_config($1_t)
sysnet_dns_name_resolve($1_t)
- userdom_use_unpriv_users_fds($1_t)
-
optional_policy(`
nis_use_ypbind($1_t)
')
')
-#######################################
+########################################
##
-## The per role template for the razor module.
+## Role access for razor
##
-##
-##
-## The per role template for the razor module.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
+##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## Role allowed access
##
##
-##
-##
-## The type of the user domain.
-##
-##
-##
+##
##
-## The role associated with the user domain.
+## User domain for the role
##
##
#
-template(`razor_per_role_template',`
+interface(`razor_role',`
gen_require(`
- type razor_exec_t;
+ type razor_t, razor_exec_t, razor_home_t;
')
- type $1_razor_t;
- domain_type($1_razor_t)
- domain_entry_file($1_razor_t, razor_exec_t)
- razor_common_domain_template($1_razor)
- role $3 types $1_razor_t;
+ role $1 types razor_t;
- type $1_razor_home_t alias $1_razor_rw_t;
- files_poly_member($1_razor_home_t)
- userdom_user_home_content($1, $1_razor_home_t)
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, razor_exec_t, razor_t)
- type $1_razor_tmp_t;
- files_tmp_file($1_razor_tmp_t)
+ # allow ps to show razor and allow the user to kill it
+ ps_process_pattern($2, razor_t)
+ allow $2 razor_t:process signal;
- ##############################
- #
- # Local policy
- #
-
- allow $1_razor_t self:unix_stream_socket create_stream_socket_perms;
-
- manage_dirs_pattern($1_razor_t, $1_razor_home_t, $1_razor_home_t)
- manage_files_pattern($1_razor_t, $1_razor_home_t, $1_razor_home_t)
- manage_lnk_files_pattern($1_razor_t, $1_razor_home_t, $1_razor_home_t)
- userdom_user_home_dir_filetrans($1, $1_razor_t, $1_razor_home_t, dir)
-
- manage_dirs_pattern($1_razor_t, $1_razor_tmp_t, $1_razor_tmp_t)
- manage_files_pattern($1_razor_t, $1_razor_tmp_t, $1_razor_tmp_t)
- files_tmp_filetrans($1_razor_t, $1_razor_tmp_t, { file dir })
-
- domtrans_pattern($2, razor_exec_t, $1_razor_t)
-
- manage_dirs_pattern($2, $1_razor_home_t, $1_razor_home_t)
- manage_files_pattern($2, $1_razor_home_t, $1_razor_home_t)
- manage_lnk_files_pattern($2, $1_razor_home_t, $1_razor_home_t)
- relabel_dirs_pattern($2, $1_razor_home_t, $1_razor_home_t)
- relabel_files_pattern($2, $1_razor_home_t, $1_razor_home_t)
- relabel_lnk_files_pattern($2, $1_razor_home_t, $1_razor_home_t)
-
- logging_send_syslog_msg($1_razor_t)
-
- userdom_search_user_home_dirs($1, $1_razor_t)
- # Allow razor to be run by hand. Needed by any action other than
- # invocation from a spam filter.
- userdom_use_user_terminals($1, $1_razor_t)
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs($1_razor_t)
- fs_manage_nfs_files($1_razor_t)
- fs_manage_nfs_symlinks($1_razor_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs($1_razor_t)
- fs_manage_cifs_files($1_razor_t)
- fs_manage_cifs_symlinks($1_razor_t)
- ')
-
- optional_policy(`
- nscd_socket_use($1_razor_t)
- ')
+ manage_dirs_pattern($2, razor_home_t, razor_home_t)
+ manage_files_pattern($2, razor_home_t, razor_home_t)
+ manage_lnk_files_pattern($2, razor_home_t, razor_home_t)
+ relabel_dirs_pattern($2, razor_home_t, razor_home_t)
+ relabel_files_pattern($2, razor_home_t, razor_home_t)
+ relabel_lnk_files_pattern($2, razor_home_t, razor_home_t)
')
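Review bot: The `razor_role` summary `## Role access for razor` understates what the interface grants: besides the `role $1 types razor_t` declaration and the domain transition, the user domain `$2` receives signal on razor_t plus full manage and relabel on `razor_home_t`, and because razor_home_t is now a single type shared by all roles (the per-role `$1_razor_home_t` is deleted in this hunk) that access is no longer partitioned by role at the type level. Per the Changelog, role separation for such shared types is meant to come from UBAC, so that expectation belongs in the documentation. Suggest extending the summary to `## Role access for razor: transition to razor_t, signal it, and manage/relabel razor_home_t content (per-role separation relies on UBAC).`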
########################################
diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te
index 156d1a6..f856ccf 100644
--- a/policy/modules/services/razor.te
+++ b/policy/modules/services/razor.te
@@ -1,60 +1,122 @@
-policy_module(razor, 1.4.0)
+policy_module(razor, 2.0.0)
########################################
#
# Declarations
#
-type razor_t;
type razor_exec_t;
-domain_type(razor_t)
-domain_entry_file(razor_t, razor_exec_t)
-role system_r types razor_t;
+corecmd_executable_file(razor_exec_t)
type razor_etc_t;
files_config_file(razor_etc_t)
+type razor_home_t;
+typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
+typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
+files_poly_member(razor_home_t)
+userdom_user_home_content(razor_home_t)
+
type razor_log_t;
logging_log_file(razor_log_t)
+type razor_tmp_t;
+typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
+typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
+files_tmp_file(razor_tmp_t)
+ubac_constrained(razor_tmp_t)
+
type razor_var_lib_t;
files_type(razor_var_lib_t)
+# these are here due to ordering issues:
razor_common_domain_template(razor)
+typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
+typealias razor_t alias { auditadm_razor_t secadm_razor_t };
+ubac_constrained(razor_t)
+
+razor_common_domain_template(system_razor)
+role system_r types system_razor_t;
########################################
#
-# Local policy
+# System razor local policy
#
-allow razor_t self:tcp_socket create_socket_perms;
+# this version of razor is invoked typically
+# via the system spam filter
-manage_dirs_pattern(razor_t, razor_etc_t, razor_etc_t)
-manage_files_pattern(razor_t, razor_etc_t, razor_etc_t)
-manage_lnk_files_pattern(razor_t, razor_etc_t, razor_etc_t)
-files_search_etc(razor_t)
+allow system_razor_t self:tcp_socket create_socket_perms;
-allow razor_t razor_log_t:file manage_file_perms;
-logging_log_filetrans(razor_t, razor_log_t, file)
+manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
+files_search_etc(system_razor_t)
-manage_files_pattern(razor_t, razor_var_lib_t, razor_var_lib_t)
-files_var_lib_filetrans(razor_t, razor_var_lib_t, file)
+allow system_razor_t razor_log_t:file manage_file_perms;
+logging_log_filetrans(system_razor_t, razor_log_t, file)
-corenet_all_recvfrom_unlabeled(razor_t)
-corenet_all_recvfrom_netlabel(razor_t)
-corenet_tcp_sendrecv_generic_if(razor_t)
-corenet_raw_sendrecv_generic_if(razor_t)
-corenet_tcp_sendrecv_all_nodes(razor_t)
-corenet_raw_sendrecv_all_nodes(razor_t)
-corenet_tcp_sendrecv_razor_port(razor_t)
-corenet_tcp_connect_razor_port(razor_t)
-corenet_sendrecv_razor_client_packets(razor_t)
+manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
+files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
-sysnet_read_config(razor_t)
+corenet_all_recvfrom_unlabeled(system_razor_t)
+corenet_all_recvfrom_netlabel(system_razor_t)
+corenet_tcp_sendrecv_generic_if(system_razor_t)
+corenet_raw_sendrecv_generic_if(system_razor_t)
+corenet_tcp_sendrecv_all_nodes(system_razor_t)
+corenet_raw_sendrecv_all_nodes(system_razor_t)
+corenet_tcp_sendrecv_razor_port(system_razor_t)
+corenet_tcp_connect_razor_port(system_razor_t)
+corenet_sendrecv_razor_client_packets(system_razor_t)
+
+sysnet_read_config(system_razor_t)
+
+# cjp: this shouldn't be needed
+userdom_use_unpriv_users_fds(system_razor_t)
optional_policy(`
- logging_send_syslog_msg(razor_t)
+ logging_send_syslog_msg(system_razor_t)
+')
+
+optional_policy(`
+ nscd_socket_use(system_razor_t)
+')
+
+########################################
+#
+# User razor local policy
+#
+
+# Allow razor to be run by hand. Needed by any action other than
+# invocation from a spam filter.
+
+allow razor_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
+manage_files_pattern(razor_t, razor_home_t, razor_home_t)
+manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
+userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir)
+
+manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
+manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
+files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
+
+logging_send_syslog_msg(razor_t)
+
+userdom_search_user_home_dirs(razor_t)
+userdom_use_user_terminals(razor_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(razor_t)
+ fs_manage_nfs_files(razor_t)
+ fs_manage_nfs_symlinks(razor_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(razor_t)
+ fs_manage_cifs_files(razor_t)
+ fs_manage_cifs_symlinks(razor_t)
')
optional_policy(`
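Review bot: `razor_home_t` is declared without `ubac_constrained(razor_home_t)`, whereas `razor_tmp_t` and `razor_t` both get it in this hunk; unless `userdom_user_home_content()` applies the UBAC constraint itself (not visible here), home content is the one razor type left unconstrained now that every role's user domain can manage and relabel it through `razor_role`, and the same pattern appears for pyzor_home_t in the pyzor.te hunk earlier in this diff. Separately, the comment `# Allow razor to be run by hand. Needed by any action other than invocation from a spam filter.` used to sit directly above the terminal rule but now heads the whole user section, a dozen lines away from `userdom_use_user_terminals(razor_t)`; moving it back above that line keeps it tied to the rule it explains. The `# cjp: this shouldn't be needed` above `userdom_use_unpriv_users_fds(system_razor_t)` would also be more useful if it named the symptom the rule works around.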
diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te
index 7a77cc0..5810a43 100644
--- a/policy/modules/services/remotelogin.te
+++ b/policy/modules/services/remotelogin.te
@@ -1,5 +1,5 @@
-policy_module(remotelogin, 1.5.0)
+policy_module(remotelogin, 1.5.1)
########################################
#
@@ -83,7 +83,7 @@ sysnet_dns_name_resolve(remote_login_t)
miscfiles_read_localization(remote_login_t)
userdom_use_unpriv_users_fds(remote_login_t)
-userdom_search_all_users_home_content(remote_login_t)
+userdom_search_user_home_content(remote_login_t)
# Only permit unprivileged user domains to be entered via rlogin,
# since very weak authentication is used.
userdom_signal_unpriv_users(remote_login_t)
diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te
index 8b118e0..59f6291 100644
--- a/policy/modules/services/rhgb.te
+++ b/policy/modules/services/rhgb.te
@@ -1,5 +1,5 @@
-policy_module(rhgb, 1.7.0)
+policy_module(rhgb, 1.7.1)
########################################
#
@@ -109,18 +109,16 @@ sysnet_read_config(rhgb_t)
sysnet_domtrans_ifconfig(rhgb_t)
userdom_dontaudit_use_unpriv_user_fds(rhgb_t)
-userdom_dontaudit_search_all_users_home_content(rhgb_t)
+userdom_dontaudit_search_user_home_content(rhgb_t)
-sysadm_dontaudit_search_home_dirs(rhgb_t)
-
-xserver_read_xdm_xserver_tmp_files(rhgb_t)
-xserver_kill_xdm_xserver(rhgb_t)
+xserver_read_tmp_files(rhgb_t)
+xserver_kill(rhgb_t)
# for running setxkbmap
xserver_read_xkb_libs(rhgb_t)
-xserver_domtrans_xdm_xserver(rhgb_t)
-xserver_signal_xdm_xserver(rhgb_t)
+xserver_domtrans(rhgb_t)
+xserver_signal(rhgb_t)
xserver_read_xdm_tmp_files(rhgb_t)
-xserver_stream_connect_xdm_xserver(rhgb_t)
+xserver_stream_connect(rhgb_t)
optional_policy(`
consoletype_exec(rhgb_t)
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
index 4cb3917..38e99a4 100644
--- a/policy/modules/services/ricci.te
+++ b/policy/modules/services/ricci.te
@@ -1,5 +1,5 @@
-policy_module(ricci, 1.4.0)
+policy_module(ricci, 1.4.1)
########################################
#
@@ -155,7 +155,7 @@ optional_policy(`
')
optional_policy(`
- dbus_system_bus_client_template(ricci, ricci_t)
+ dbus_system_bus_client(ricci_t)
oddjob_dbus_chat(ricci_t)
')
diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
index 3286a3c..f1c0407 100644
--- a/policy/modules/services/rlogin.te
+++ b/policy/modules/services/rlogin.te
@@ -1,5 +1,5 @@
-policy_module(rlogin, 1.7.0)
+policy_module(rlogin, 1.7.1)
########################################
#
@@ -83,9 +83,9 @@ miscfiles_read_localization(rlogind_t)
seutil_read_config(rlogind_t)
-userdom_setattr_unpriv_users_ptys(rlogind_t)
+userdom_setattr_user_ptys(rlogind_t)
# cjp: this is egregious
-userdom_read_all_users_home_content_files(rlogind_t)
+userdom_read_user_home_content_files(rlogind_t)
remotelogin_domtrans(rlogind_t)
remotelogin_signal(rlogind_t)
diff --git a/policy/modules/services/roundup.te b/policy/modules/services/roundup.te
index 395044f..1325aa7 100644
--- a/policy/modules/services/roundup.te
+++ b/policy/modules/services/roundup.te
@@ -1,5 +1,5 @@
-policy_module(roundup, 1.5.0)
+policy_module(roundup, 1.5.1)
########################################
#
@@ -78,8 +78,7 @@ miscfiles_read_localization(roundup_t)
sysnet_read_config(roundup_t)
userdom_dontaudit_use_unpriv_user_fds(roundup_t)
-
-sysadm_dontaudit_search_home_dirs(roundup_t)
+userdom_dontaudit_search_user_home_dirs(roundup_t)
optional_policy(`
mysql_stream_connect(roundup_t)
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 55995a5..7c6d443 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -1,5 +1,5 @@
-policy_module(rpc, 1.9.0)
+policy_module(rpc, 1.9.1)
########################################
#
@@ -174,9 +174,9 @@ auth_use_nsswitch(gssd_t)
miscfiles_read_certs(gssd_t)
tunable_policy(`allow_gssd_read_tmp',`
- userdom_list_unpriv_users_tmp(gssd_t)
- userdom_read_unpriv_users_tmp_files(gssd_t)
- userdom_read_unpriv_users_tmp_symlinks(gssd_t)
+ userdom_list_user_tmp(gssd_t)
+ userdom_read_user_tmp_files(gssd_t)
+ userdom_read_user_tmp_symlinks(gssd_t)
')
optional_policy(`
diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te
index ea4a7c5..00887fb 100644
--- a/policy/modules/services/rshd.te
+++ b/policy/modules/services/rshd.te
@@ -1,5 +1,5 @@
-policy_module(rshd, 1.5.0)
+policy_module(rshd, 1.5.1)
########################################
#
@@ -61,7 +61,7 @@ miscfiles_read_localization(rshd_t)
seutil_read_config(rshd_t)
seutil_read_default_contexts(rshd_t)
-userdom_search_all_users_home_content(rshd_t)
+userdom_search_user_home_content(rshd_t)
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(rshd_t)
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
index 23da552..a0eaff1 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
@@ -4,44 +4,6 @@
## from Windows NT servers.
##
-#######################################
-##
-## The per role template for the samba module.
-##
-##
-##
-## This template allows smbd to manage files in
-## a user home directory, creating files with the
-## correct type.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-#
-template(`samba_per_role_template',`
- gen_require(`
- type smbd_t;
- ')
-
- tunable_policy(`samba_enable_home_dirs',`
- userdom_manage_user_home_content_dirs($1, smbd_t)
- userdom_manage_user_home_content_files($1, smbd_t)
- userdom_manage_user_home_content_symlinks($1, smbd_t)
- userdom_manage_user_home_content_sockets($1, smbd_t)
- userdom_manage_user_home_content_pipes($1, smbd_t)
- userdom_user_home_dir_filetrans_user_home_content($1, smbd_t, { dir file lnk_file sock_file fifo_file })
- ')
-')
-
########################################
##
## Execute samba net in the samba_net domain.
@@ -76,11 +38,6 @@ interface(`samba_domtrans_net',`
## The role to be allowed the samba_net domain.
##
##
-##
-##
-## The type of the terminal allow the samba_net domain to use.
-##
-##
##
#
interface(`samba_run_net',`
@@ -90,7 +47,6 @@ interface(`samba_run_net',`
samba_domtrans_net($1)
role $2 types samba_net_t;
- allow samba_net_t $3:chr_file rw_term_perms;
')
########################################
@@ -127,11 +83,6 @@ interface(`samba_domtrans_smbmount',`
## The role to be allowed the smbmount domain.
##
##
-##
-##
-## The type of the terminal allow the smbmount domain to use.
-##
-##
##
#
interface(`samba_run_smbmount',`
@@ -141,7 +92,6 @@ interface(`samba_run_smbmount',`
samba_domtrans_smbmount($1)
role $2 types smbmount_t;
- allow smbmount_t $3:chr_file rw_term_perms;
')
########################################
@@ -437,11 +387,6 @@ interface(`samba_domtrans_winbind_helper',`
## The role to be allowed the winbind_helper domain.
##
##
-##
-##
-## The type of the terminal allow the winbind_helper domain to use.
-##
-##
##
#
interface(`samba_run_winbind_helper',`
@@ -451,7 +396,6 @@ interface(`samba_run_winbind_helper',`
samba_domtrans_winbind_helper($1)
role $2 types winbind_helper_t;
- allow winbind_helper_t $3:chr_file rw_term_perms;
')
########################################
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 2b52ef9..b1eda58 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -1,5 +1,5 @@
-policy_module(samba, 1.10.0)
+policy_module(samba, 1.10.1)
#################################
#
@@ -197,7 +197,8 @@ logging_send_syslog_msg(samba_net_t)
miscfiles_read_localization(samba_net_t)
-sysadm_dontaudit_search_home_dirs(samba_net_t)
+userdom_use_user_terminals(samba_net_t)
+userdom_dontaudit_search_user_home_dirs(samba_net_t)
optional_policy(`
kerberos_use(samba_net_t)
@@ -317,10 +318,8 @@ logging_send_syslog_msg(smbd_t)
miscfiles_read_localization(smbd_t)
miscfiles_read_public_files(smbd_t)
-userdom_dontaudit_use_unpriv_user_fds(smbd_t)
userdom_use_unpriv_users_fds(smbd_t)
-
-sysadm_dontaudit_search_home_dirs(smbd_t)
+userdom_dontaudit_search_user_home_dirs(smbd_t)
ifdef(`hide_broken_symptoms', `
files_dontaudit_getattr_default_dirs(smbd_t)
@@ -338,6 +337,15 @@ tunable_policy(`samba_domain_controller',`
usermanage_domtrans_groupadd(smbd_t)
')
+tunable_policy(`samba_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(smbd_t)
+ userdom_manage_user_home_content_files(smbd_t)
+ userdom_manage_user_home_content_symlinks(smbd_t)
+ userdom_manage_user_home_content_sockets(smbd_t)
+ userdom_manage_user_home_content_pipes(smbd_t)
+ userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file })
+')
+
# Support Samba sharing of NFS mount points
tunable_policy(`samba_share_nfs',`
fs_manage_nfs_dirs(smbd_t)
@@ -367,8 +375,8 @@ optional_policy(`
tunable_policy(`samba_create_home_dirs',`
allow smbd_t self:capability chown;
- unprivuser_create_home_dir(smbd_t)
- unprivuser_home_filetrans_home_dir(smbd_t)
+ userdom_create_user_home_dirs(smbd_t)
+ userdom_home_filetrans_user_home_dir(smbd_t)
')
tunable_policy(`samba_export_all_ro',`
@@ -383,7 +391,7 @@ tunable_policy(`samba_export_all_rw',`
auth_manage_all_files_except_shadow(smbd_t)
fs_read_noxattr_fs_files(nmbd_t)
auth_manage_all_files_except_shadow(nmbd_t)
- unprivuser_home_dir_filetrans_home_content(nmbd_t, { file dir })
+ userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
')
########################################
@@ -461,10 +469,8 @@ logging_send_syslog_msg(nmbd_t)
miscfiles_read_localization(nmbd_t)
-userdom_dontaudit_use_unpriv_user_fds(nmbd_t)
userdom_use_unpriv_users_fds(nmbd_t)
-
-sysadm_dontaudit_search_home_dirs(nmbd_t)
+userdom_dontaudit_search_user_home_dirs(nmbd_t)
optional_policy(`
seutil_sigchld_newrole(nmbd_t)
@@ -526,8 +532,6 @@ fs_read_cifs_files(smbmount_t)
storage_raw_read_fixed_disk(smbmount_t)
storage_raw_write_fixed_disk(smbmount_t)
-term_list_ptys(smbmount_t)
-
corecmd_list_bin(smbmount_t)
files_list_mnt(smbmount_t)
@@ -546,6 +550,7 @@ locallogin_use_fds(smbmount_t)
logging_search_logs(smbmount_t)
+userdom_use_user_terminals(smbmount_t)
userdom_use_all_users_fds(smbmount_t)
########################################
@@ -714,9 +719,12 @@ logging_send_syslog_msg(winbind_t)
miscfiles_read_localization(winbind_t)
userdom_dontaudit_use_unpriv_user_fds(winbind_t)
-userdom_priveleged_home_dir_manager(winbind_t)
-
-sysadm_dontaudit_search_home_dirs(winbind_t)
+userdom_manage_user_home_content_dirs(winbind_t)
+userdom_manage_user_home_content_files(winbind_t)
+userdom_manage_user_home_content_symlinks(winbind_t)
+userdom_manage_user_home_content_pipes(winbind_t)
+userdom_manage_user_home_content_sockets(winbind_t)
+userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
optional_policy(`
kerberos_use(winbind_t)
@@ -757,6 +765,8 @@ logging_send_syslog_msg(winbind_helper_t)
miscfiles_read_localization(winbind_helper_t)
+userdom_use_user_terminals(winbind_helper_t)
+
optional_policy(`
squid_read_log(winbind_helper_t)
squid_append_log(winbind_helper_t)
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
index cad7efb..c7d0716 100644
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
@@ -1,5 +1,5 @@
-policy_module(sasl, 1.10.0)
+policy_module(sasl, 1.10.1)
########################################
#
@@ -89,8 +89,7 @@ seutil_dontaudit_read_config(saslauthd_t)
sysnet_read_config(saslauthd_t)
userdom_dontaudit_use_unpriv_user_fds(saslauthd_t)
-
-sysadm_dontaudit_search_home_dirs(saslauthd_t)
+userdom_dontaudit_search_user_home_dirs(saslauthd_t)
# cjp: typeattribute doesnt work in conditionals
auth_can_read_shadow_passwords(saslauthd_t)
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
index 1e63079..9c63d2d 100644
--- a/policy/modules/services/sendmail.te
+++ b/policy/modules/services/sendmail.te
@@ -1,5 +1,5 @@
-policy_module(sendmail, 1.8.0)
+policy_module(sendmail, 1.8.1)
########################################
#
@@ -94,6 +94,7 @@ miscfiles_read_certs(sendmail_t)
miscfiles_read_localization(sendmail_t)
userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
+userdom_dontaudit_search_user_home_dirs(sendmail_t)
mta_read_config(sendmail_t)
mta_etc_filetrans_aliases(sendmail_t)
@@ -103,8 +104,6 @@ mta_rw_aliases(sendmail_t)
mta_manage_queue(sendmail_t)
mta_manage_spool(sendmail_t)
-sysadm_dontaudit_search_home_dirs(sendmail_t)
-
optional_policy(`
clamav_search_lib(sendmail_t)
')
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
index 709b7a6..74f4499 100644
--- a/policy/modules/services/setroubleshoot.te
+++ b/policy/modules/services/setroubleshoot.te
@@ -1,5 +1,5 @@
-policy_module(setroubleshoot, 1.8.0)
+policy_module(setroubleshoot, 1.8.1)
########################################
#
@@ -102,10 +102,10 @@ seutil_read_file_contexts(setroubleshootd_t)
sysnet_read_config(setroubleshootd_t)
-sysadm_dontaudit_read_home_content_files(setroubleshootd_t)
+userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
optional_policy(`
- dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t)
+ dbus_system_bus_client(setroubleshootd_t)
dbus_connect_system_bus(setroubleshootd_t)
')
diff --git a/policy/modules/services/slrnpull.te b/policy/modules/services/slrnpull.te
index dd722d6..9bc9e4c 100644
--- a/policy/modules/services/slrnpull.te
+++ b/policy/modules/services/slrnpull.te
@@ -1,5 +1,5 @@
-policy_module(slrnpull, 1.3.0)
+policy_module(slrnpull, 1.3.1)
########################################
#
@@ -56,8 +56,7 @@ logging_send_syslog_msg(slrnpull_t)
miscfiles_read_localization(slrnpull_t)
userdom_dontaudit_use_unpriv_user_fds(slrnpull_t)
-
-sysadm_dontaudit_search_home_dirs(slrnpull_t)
+userdom_dontaudit_search_user_home_dirs(slrnpull_t)
optional_policy(`
cron_system_entry(slrnpull_t, slrnpull_exec_t)
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
index 5e015ea..6dfe92a 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
@@ -1,5 +1,5 @@
-policy_module(smartmon, 1.7.0)
+policy_module(smartmon, 1.7.1)
########################################
#
@@ -83,8 +83,7 @@ miscfiles_read_localization(fsdaemon_t)
sysnet_dns_name_resolve(fsdaemon_t)
userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)
-
-sysadm_dontaudit_search_home_dirs(fsdaemon_t)
+userdom_dontaudit_search_user_home_dirs(fsdaemon_t)
optional_policy(`
mta_send_mail(fsdaemon_t)
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
index afefddc..242e92f 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -1,5 +1,5 @@
-policy_module(snmp, 1.8.0)
+policy_module(snmp, 1.8.1)
########################################
#
@@ -103,8 +103,7 @@ seutil_dontaudit_search_config(snmpd_t)
sysnet_read_config(snmpd_t)
userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
-
-sysadm_dontaudit_search_home_dirs(snmpd_t)
+userdom_dontaudit_search_user_home_dirs(snmpd_t)
ifdef(`distro_redhat', `
optional_policy(`
diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te
index 64f2f5e..9206d22 100644
--- a/policy/modules/services/snort.te
+++ b/policy/modules/services/snort.te
@@ -1,5 +1,5 @@
-policy_module(snort, 1.6.0)
+policy_module(snort, 1.6.1)
########################################
#
@@ -92,8 +92,7 @@ miscfiles_read_localization(snort_t)
sysnet_read_config(snort_t)
userdom_dontaudit_use_unpriv_user_fds(snort_t)
-
-sysadm_dontaudit_search_home_dirs(snort_t)
+userdom_dontaudit_search_user_home_dirs(snort_t)
optional_policy(`
seutil_sigchld_newrole(snort_t)
diff --git a/policy/modules/services/soundserver.te b/policy/modules/services/soundserver.te
index 3536fd3..8a7ac69 100644
--- a/policy/modules/services/soundserver.te
+++ b/policy/modules/services/soundserver.te
@@ -1,5 +1,5 @@
-policy_module(soundserver, 1.6.0)
+policy_module(soundserver, 1.6.1)
########################################
#
@@ -100,8 +100,7 @@ miscfiles_read_localization(soundd_t)
sysnet_read_config(soundd_t)
userdom_dontaudit_use_unpriv_user_fds(soundd_t)
-
-sysadm_dontaudit_search_home_dirs(soundd_t)
+userdom_dontaudit_search_user_home_dirs(soundd_t)
optional_policy(`
alsa_domtrans(soundd_t)
diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc
index e4f676b..80cab98 100644
--- a/policy/modules/services/spamassassin.fc
+++ b/policy/modules/services/spamassassin.fc
@@ -1,4 +1,4 @@
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0)
/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0)
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
index 6881e57..4140164 100644
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@@ -1,315 +1,41 @@
## Filter used for removing unsolicited email.
-#######################################
+########################################
##
-## The per role template for the spamassassin module.
+## Role access for spamassassin
##
-##
-##
-## The per role template for the spamassassin module.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
+##
##
-## The type of the user domain.
+## Role allowed access
##
##
-##
+##
##
-## The role associated with the user domain.
+## User domain for the role
##
##
#
-# cjp: when tunables are available, spamc stuff should be
-# toggled on activation of spamc, and similarly for spamd.
-template(`spamassassin_per_role_template',`
-
+interface(`spamassassin_role',`
gen_require(`
- type spamc_exec_t, spamassassin_exec_t;
- type spamd_t, spamd_tmp_t;
- ')
-
- ##############################
- #
- # Declarations
- #
-
- type $1_spamc_t;
- application_domain($1_spamc_t, spamc_exec_t)
- role $3 types $1_spamc_t;
-
- type $1_spamc_tmp_t;
- files_tmp_file($1_spamc_tmp_t)
-
- type $1_spamassassin_t;
- application_domain($1_spamassassin_t, spamassassin_exec_t)
- role $3 types $1_spamassassin_t;
-
- type $1_spamassassin_home_t alias $1_spamassassin_rw_t;
- userdom_user_home_content($1, $1_spamassassin_home_t)
- files_poly_member($1_spamassassin_home_t)
-
- type $1_spamassassin_tmp_t;
- files_tmp_file($1_spamassassin_tmp_t)
-
- ##############################
- #
- # $1_spamc_t local policy
- #
-
- allow $1_spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow $1_spamc_t self:fd use;
- allow $1_spamc_t self:fifo_file rw_fifo_file_perms;
- allow $1_spamc_t self:sock_file read_sock_file_perms;
- allow $1_spamc_t self:shm create_shm_perms;
- allow $1_spamc_t self:sem create_sem_perms;
- allow $1_spamc_t self:msgq create_msgq_perms;
- allow $1_spamc_t self:msg { send receive };
- allow $1_spamc_t self:unix_dgram_socket create_socket_perms;
- allow $1_spamc_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_spamc_t self:unix_dgram_socket sendto;
- allow $1_spamc_t self:unix_stream_socket connectto;
- allow $1_spamc_t self:tcp_socket create_stream_socket_perms;
- allow $1_spamc_t self:udp_socket create_socket_perms;
-
- manage_dirs_pattern($1_spamc_t, $1_spamc_tmp_t, $1_spamc_tmp_t)
- manage_files_pattern($1_spamc_t, $1_spamc_tmp_t, $1_spamc_tmp_t)
- files_tmp_filetrans($1_spamc_t, $1_spamc_tmp_t, { file dir })
-
- # Allow connecting to a local spamd
- stream_connect_pattern($1_spamc_t, spamd_tmp_t, spamd_tmp_t, spamd_t)
-
- domtrans_pattern($2, spamc_exec_t, $1_spamc_t)
-
- kernel_read_kernel_sysctls($1_spamc_t)
-
- corenet_all_recvfrom_unlabeled($1_spamc_t)
- corenet_all_recvfrom_netlabel($1_spamc_t)
- corenet_tcp_sendrecv_generic_if($1_spamc_t)
- corenet_udp_sendrecv_generic_if($1_spamc_t)
- corenet_tcp_sendrecv_all_nodes($1_spamc_t)
- corenet_udp_sendrecv_all_nodes($1_spamc_t)
- corenet_tcp_sendrecv_all_ports($1_spamc_t)
- corenet_udp_sendrecv_all_ports($1_spamc_t)
- corenet_tcp_connect_all_ports($1_spamc_t)
- corenet_sendrecv_all_client_packets($1_spamc_t)
-
- fs_search_auto_mountpoints($1_spamc_t)
-
- # cjp: these should probably be removed:
- corecmd_list_bin($1_spamc_t)
- corecmd_read_bin_symlinks($1_spamc_t)
- corecmd_read_bin_files($1_spamc_t)
- corecmd_read_bin_pipes($1_spamc_t)
- corecmd_read_bin_sockets($1_spamc_t)
-
- domain_use_interactive_fds($1_spamc_t)
-
- files_read_etc_files($1_spamc_t)
- files_read_etc_runtime_files($1_spamc_t)
- files_read_usr_files($1_spamc_t)
- files_dontaudit_search_var($1_spamc_t)
- # cjp: this may be removable:
- files_list_home($1_spamc_t)
-
- logging_send_syslog_msg($1_spamc_t)
-
- miscfiles_read_localization($1_spamc_t)
-
- # cjp: this should probably be removed:
- seutil_read_config($1_spamc_t)
-
- sysnet_read_config($1_spamc_t)
-
- userdom_use_unpriv_users_fds($1_spamc_t)
- # cjp: this really should just be the
- # terminal specific to the role
- userdom_use_unpriv_users_ptys($1_spamc_t)
-
- # cjp: this should probably be removed:
- tunable_policy(`read_default_t',`
- files_list_default($1_spamc_t)
- files_read_default_files($1_spamc_t)
- files_read_default_symlinks($1_spamc_t)
- files_read_default_sockets($1_spamc_t)
- files_read_default_pipes($1_spamc_t)
- ')
-
- optional_policy(`
- # Allow connection to spamd socket above
- evolution_stream_connect($1, $1_spamc_t)
- ')
-
- optional_policy(`
- nis_use_ypbind($1_spamc_t)
- ')
-
- optional_policy(`
- nscd_socket_use($1_spamc_t)
- ')
-
- optional_policy(`
- mta_read_config($1_spamc_t)
- sendmail_stub($1_spamc_t)
- ')
-
- ##############################
- #
- # $1_spamassassin_t local policy
- #
-
- allow $1_spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow $1_spamassassin_t self:fd use;
- allow $1_spamassassin_t self:fifo_file rw_fifo_file_perms;
- allow $1_spamassassin_t self:sock_file read_sock_file_perms;
- allow $1_spamassassin_t self:unix_dgram_socket create_socket_perms;
- allow $1_spamassassin_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_spamassassin_t self:unix_dgram_socket sendto;
- allow $1_spamassassin_t self:unix_stream_socket connectto;
- allow $1_spamassassin_t self:shm create_shm_perms;
- allow $1_spamassassin_t self:sem create_sem_perms;
- allow $1_spamassassin_t self:msgq create_msgq_perms;
- allow $1_spamassassin_t self:msg { send receive };
-
- manage_dirs_pattern($1_spamassassin_t, $1_spamassassin_home_t, $1_spamassassin_home_t)
- manage_files_pattern($1_spamassassin_t, $1_spamassassin_home_t, $1_spamassassin_home_t)
- manage_lnk_files_pattern($1_spamassassin_t, $1_spamassassin_home_t, $1_spamassassin_home_t)
- manage_fifo_files_pattern($1_spamassassin_t, $1_spamassassin_home_t, $1_spamassassin_home_t)
- manage_sock_files_pattern($1_spamassassin_t, $1_spamassassin_home_t, $1_spamassassin_home_t)
- userdom_user_home_dir_filetrans($1,$1_spamassassin_t,$1_spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
-
- manage_dirs_pattern($1_spamassassin_t, $1_spamassassin_tmp_t, $1_spamassassin_tmp_t)
- manage_files_pattern($1_spamassassin_t, $1_spamassassin_tmp_t, $1_spamassassin_tmp_t)
- files_tmp_filetrans($1_spamassassin_t, $1_spamassassin_tmp_t, { file dir })
-
- manage_dirs_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t)
- manage_files_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t)
- manage_lnk_files_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t)
- relabel_dirs_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t)
- relabel_files_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t)
- relabel_lnk_files_pattern($2, $1_spamassassin_home_t, $1_spamassassin_home_t)
-
- domtrans_pattern($2, spamassassin_exec_t, $1_spamassassin_t)
-
- manage_dirs_pattern(spamd_t, $1_spamassassin_home_t, $1_spamassassin_home_t)
- manage_files_pattern(spamd_t, $1_spamassassin_home_t, $1_spamassassin_home_t)
- manage_lnk_files_pattern(spamd_t, $1_spamassassin_home_t, $1_spamassassin_home_t)
- manage_fifo_files_pattern(spamd_t, $1_spamassassin_home_t, $1_spamassassin_home_t)
- manage_sock_files_pattern(spamd_t, $1_spamassassin_home_t, $1_spamassassin_home_t)
- userdom_user_home_dir_filetrans($1, spamd_t, $1_spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
-
- kernel_read_kernel_sysctls($1_spamassassin_t)
-
- dev_read_urand($1_spamassassin_t)
-
- fs_search_auto_mountpoints($1_spamassassin_t)
-
- # this should probably be removed
- corecmd_list_bin($1_spamassassin_t)
- corecmd_read_bin_symlinks($1_spamassassin_t)
- corecmd_read_bin_files($1_spamassassin_t)
- corecmd_read_bin_pipes($1_spamassassin_t)
- corecmd_read_bin_sockets($1_spamassassin_t)
-
- domain_use_interactive_fds($1_spamassassin_t)
-
- files_read_etc_files($1_spamassassin_t)
- files_read_etc_runtime_files($1_spamassassin_t)
- files_list_home($1_spamassassin_t)
- files_read_usr_files($1_spamassassin_t)
- files_dontaudit_search_var($1_spamassassin_t)
-
- logging_send_syslog_msg($1_spamassassin_t)
-
- miscfiles_read_localization($1_spamassassin_t)
-
- # cjp: this could probably be removed
- seutil_read_config($1_spamassassin_t)
-
- sysnet_dns_name_resolve($1_spamassassin_t)
-
- userdom_use_unpriv_users_fds($1_spamassassin_t)
- userdom_search_user_home_dirs($1,$1_spamassassin_t)
- # cjp: this really should just be the
- # terminal specific to the role
- userdom_use_unpriv_users_ptys($1_spamassassin_t)
-
- # this should probably be removed:
- tunable_policy(`read_default_t',`
- files_list_default($1_spamassassin_t)
- files_read_default_files($1_spamassassin_t)
- files_read_default_symlinks($1_spamassassin_t)
- files_read_default_sockets($1_spamassassin_t)
- files_read_default_pipes($1_spamassassin_t)
- ')
-
- # set tunable if you have spamassassin do DNS lookups
- tunable_policy(`spamassassin_can_network',`
- allow $1_spamassassin_t self:tcp_socket create_stream_socket_perms;
- allow $1_spamassassin_t self:udp_socket create_socket_perms;
-
- corenet_all_recvfrom_unlabeled($1_spamassassin_t)
- corenet_all_recvfrom_netlabel($1_spamassassin_t)
- corenet_tcp_sendrecv_generic_if($1_spamassassin_t)
- corenet_udp_sendrecv_generic_if($1_spamassassin_t)
- corenet_tcp_sendrecv_all_nodes($1_spamassassin_t)
- corenet_udp_sendrecv_all_nodes($1_spamassassin_t)
- corenet_tcp_sendrecv_all_ports($1_spamassassin_t)
- corenet_udp_sendrecv_all_ports($1_spamassassin_t)
- corenet_tcp_connect_all_ports($1_spamassassin_t)
- corenet_sendrecv_all_client_packets($1_spamassassin_t)
-
- sysnet_read_config($1_spamassassin_t)
+ type spamc_t, spamc_exec_t, spamc_tmp_t;
+ type spamassassin_t, spamassassin_exec_t;
+ type spamassassin_home_t, spamassassin_tmp_t;
')
- tunable_policy(`spamd_enable_home_dirs',`
- userdom_manage_user_home_content_dirs($1,spamd_t)
- userdom_manage_user_home_content_files($1,spamd_t)
- userdom_manage_user_home_content_symlinks($1,spamd_t)
- ')
+ role $1 types { spamc_t spamassassin_t };
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs($1_spamassassin_t)
- fs_manage_nfs_files($1_spamassassin_t)
- fs_manage_nfs_symlinks($1_spamassassin_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs($1_spamassassin_t)
- fs_manage_cifs_files($1_spamassassin_t)
- fs_manage_cifs_symlinks($1_spamassassin_t)
- ')
-
- optional_policy(`
- # Write pid file and socket in ~/.evolution/cache/tmp
- evolution_home_filetrans($1, spamd_t, spamd_tmp_t, { file sock_file })
- ')
+ domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
+ ps_process_pattern($2, spamassassin_t)
- optional_policy(`
- # cjp: clearly some redundancy here
+ domtrans_pattern($2, spamc_exec_t, spamc_t)
+ ps_process_pattern($2, spamc_t)
- nis_use_ypbind($1_spamassassin_t)
-
- tunable_policy(`spamassassin_can_network && allow_ypbind',`
- nis_use_ypbind_uncond($1_spamassassin_t)
- ')
- ')
-
- optional_policy(`
- mta_read_config($1_spamassassin_t)
- sendmail_stub($1_spamassassin_t)
- ')
+ manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
+ manage_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
+ manage_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
+ relabel_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
+ relabel_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
+ relabel_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
')
########################################
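Review bot: The gen_require block of the new spamassassin_role interface declares spamc_tmp_t and spamassassin_tmp_t, but the interface body never references either; it only uses spamc_t, spamassassin_t, their exec types and spamassassin_home_t. Unused requires tie the interface to more of the module than it needs, so trimming them to `type spamc_t, spamc_exec_t;` and `type spamassassin_t, spamassassin_exec_t, spamassassin_home_t;` keeps the declared contract honest. Separately, the two ps_process_pattern calls grant the user domain read access to the process state of both domains, which the removed template did not; a one-line comment such as `# allow ps to show spamc/spamassassin` (as the ssh role template does) would make that intent explicit.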
@@ -371,31 +97,20 @@ interface(`spamassassin_exec_spamd',`
########################################
##
-## Execute spamassassin client in the user spamassassin client domain.
+## Execute spamassassin client in the spamassassin client domain.
##
-##
-##
-## This is a template and should only be called
-## from per user domain tempaltes.
-##
-##
-##
-##
-## The prefix of the user domain. eg user would be the prefix of user_t.
-##
-##
##
-##
-## The type of the process performing this action.
-##
+##
+## Domain allowed access.
+##
##
#
-template(`spamassassin_domtrans_user_client',`
+interface(`spamassassin_domtrans_client',`
gen_require(`
- type $1_spamc_t, spamc_exec_t;
+ type spamc_t, spamc_exec_t;
')
- domtrans_pattern($2, spamc_exec_t, $1_spamc_t)
+ domtrans_pattern($1, spamc_exec_t, spamc_t)
')
########################################
@@ -419,31 +134,20 @@ interface(`spamassassin_exec_client',`
########################################
##
-## Execute spamassassin in the user spamassassin domain.
+## Execute spamassassin standalone client in the user spamassassin domain.
##
-##
-##
-## This is a template and should only be called
-## from per user domain tempaltes.
-##
-##
-##
-##
-## The prefix of the user domain. eg user would be the prefix of user_t.
-##
-##
##
-##
-## The type of the process performing this action.
-##
+##
+## Domain allowed access.
+##
##
#
-template(`spamassassin_domtrans_user_local_client',`
+interface(`spamassassin_domtrans_local_client',`
gen_require(`
- type $1_spamassassin_t, spamassassin_exec_t;
+ type spamassassin_t, spamassassin_exec_t;
')
- domtrans_pattern($2, spamassassin_exec_t, $1_spamassassin_t)
+ domtrans_pattern($1, spamassassin_exec_t, spamassassin_t)
')
########################################
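Review bot: The summary on the new spamassassin_domtrans_local_client interface still reads "in the user spamassassin domain", but the target is now the shared spamassassin_t rather than a per-user derived type, and the sibling interface above already says "in the spamassassin client domain". Suggest `## Execute spamassassin standalone client in the spamassassin domain.` so the wording matches the removal of the per-role template.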
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index 98c7009..343136a 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -1,5 +1,5 @@
-policy_module(spamassassin, 1.10.0)
+policy_module(spamassassin, 2.0.0)
########################################
#
@@ -20,13 +20,41 @@ gen_tunable(spamassassin_can_network, false)
##
gen_tunable(spamd_enable_home_dirs, true)
-# spamassassin client executable
+type spamassassin_t;
+type spamassassin_exec_t;
+typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
+typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
+application_domain(spamassassin_t, spamassassin_exec_t)
+ubac_constrained(spamassassin_t)
+
+type spamassassin_home_t;
+typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
+typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
+userdom_user_home_content(spamassassin_home_t)
+files_poly_member(spamassassin_home_t)
+
+type spamassassin_tmp_t;
+typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
+typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
+files_tmp_file(spamassassin_tmp_t)
+ubac_constrained(spamassassin_tmp_t)
+
+type spamc_t;
type spamc_exec_t;
-application_executable_file(spamc_exec_t)
+typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
+typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
+application_domain(spamc_t, spamc_exec_t)
+ubac_constrained(spamc_t)
+
+type spamc_tmp_t;
+typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
+typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
+files_tmp_file(spamc_tmp_t)
+ubac_constrained(spamc_tmp_t)
type spamd_t;
type spamd_exec_t;
-init_daemon_domain(spamd_t,spamd_exec_t)
+init_daemon_domain(spamd_t, spamd_exec_t)
type spamd_spool_t;
files_type(spamd_spool_t)
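Review bot: spamassassin_home_t is the only new type in this block that is not passed to ubac_constrained(); spamassassin_t, spamassassin_tmp_t, spamc_t and spamc_tmp_t all get it. Because the typealias lines collapse the former per-role *_spamassassin_home_t types into a single type, separating one user's ~/.spamassassin content from another's now depends on the user-based constraint applying to that type as well. If userdom_user_home_content() does not already apply ubac_constrained() itself (not visible in this diff), add `ubac_constrained(spamassassin_home_t)` after the files_poly_member line; if it does, a short comment saying so would save the next reader the same question.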
@@ -41,12 +69,232 @@ files_type(spamd_var_lib_t)
type spamd_var_run_t;
files_pid_file(spamd_var_run_t)
-type spamassassin_exec_t;
-application_executable_file(spamassassin_exec_t)
+##############################
+#
+# Standalone program local policy
+#
+
+allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow spamassassin_t self:fd use;
+allow spamassassin_t self:fifo_file rw_fifo_file_perms;
+allow spamassassin_t self:sock_file read_sock_file_perms;
+allow spamassassin_t self:unix_dgram_socket create_socket_perms;
+allow spamassassin_t self:unix_stream_socket create_stream_socket_perms;
+allow spamassassin_t self:unix_dgram_socket sendto;
+allow spamassassin_t self:unix_stream_socket connectto;
+allow spamassassin_t self:shm create_shm_perms;
+allow spamassassin_t self:sem create_sem_perms;
+allow spamassassin_t self:msgq create_msgq_perms;
+allow spamassassin_t self:msg { send receive };
+
+manage_dirs_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
+manage_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
+manage_lnk_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
+manage_fifo_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
+manage_sock_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
+userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
+
+manage_dirs_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t)
+manage_files_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t)
+files_tmp_filetrans(spamassassin_t, spamassassin_tmp_t, { file dir })
+
+manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(spamassassin_t)
+
+dev_read_urand(spamassassin_t)
+
+fs_search_auto_mountpoints(spamassassin_t)
+
+# this should probably be removed
+corecmd_list_bin(spamassassin_t)
+corecmd_read_bin_symlinks(spamassassin_t)
+corecmd_read_bin_files(spamassassin_t)
+corecmd_read_bin_pipes(spamassassin_t)
+corecmd_read_bin_sockets(spamassassin_t)
+
+domain_use_interactive_fds(spamassassin_t)
+
+files_read_etc_files(spamassassin_t)
+files_read_etc_runtime_files(spamassassin_t)
+files_list_home(spamassassin_t)
+files_read_usr_files(spamassassin_t)
+files_dontaudit_search_var(spamassassin_t)
+
+logging_send_syslog_msg(spamassassin_t)
+
+miscfiles_read_localization(spamassassin_t)
+
+# cjp: this could probably be removed
+seutil_read_config(spamassassin_t)
+
+sysnet_dns_name_resolve(spamassassin_t)
+
+# this should probably be removed:
+tunable_policy(`read_default_t',`
+ files_list_default(spamassassin_t)
+ files_read_default_files(spamassassin_t)
+ files_read_default_symlinks(spamassassin_t)
+ files_read_default_sockets(spamassassin_t)
+ files_read_default_pipes(spamassassin_t)
+')
+
+# set tunable if you have spamassassin do DNS lookups
+tunable_policy(`spamassassin_can_network',`
+ allow spamassassin_t self:tcp_socket create_stream_socket_perms;
+ allow spamassassin_t self:udp_socket create_socket_perms;
+
+ corenet_all_recvfrom_unlabeled(spamassassin_t)
+ corenet_all_recvfrom_netlabel(spamassassin_t)
+ corenet_tcp_sendrecv_generic_if(spamassassin_t)
+ corenet_udp_sendrecv_generic_if(spamassassin_t)
+ corenet_tcp_sendrecv_all_nodes(spamassassin_t)
+ corenet_udp_sendrecv_all_nodes(spamassassin_t)
+ corenet_tcp_sendrecv_all_ports(spamassassin_t)
+ corenet_udp_sendrecv_all_ports(spamassassin_t)
+ corenet_tcp_connect_all_ports(spamassassin_t)
+ corenet_sendrecv_all_client_packets(spamassassin_t)
+
+ sysnet_read_config(spamassassin_t)
+')
+
+tunable_policy(`spamd_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(spamd_t)
+ userdom_manage_user_home_content_files(spamd_t)
+ userdom_manage_user_home_content_symlinks(spamd_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(spamassassin_t)
+ fs_manage_nfs_files(spamassassin_t)
+ fs_manage_nfs_symlinks(spamassassin_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(spamassassin_t)
+ fs_manage_cifs_files(spamassassin_t)
+ fs_manage_cifs_symlinks(spamassassin_t)
+')
+
+optional_policy(`
+ # Write pid file and socket in ~/.evolution/cache/tmp
+ evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file })
+')
+
+optional_policy(`
+ tunable_policy(`spamassassin_can_network && allow_ypbind',`
+ nis_use_ypbind_uncond(spamassassin_t)
+ ')
+')
+
+optional_policy(`
+ mta_read_config(spamassassin_t)
+ sendmail_stub(spamassassin_t)
+')
+
+########################################
+#
+# Client local policy
+#
+
+allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow spamc_t self:fd use;
+allow spamc_t self:fifo_file rw_fifo_file_perms;
+allow spamc_t self:sock_file read_sock_file_perms;
+allow spamc_t self:shm create_shm_perms;
+allow spamc_t self:sem create_sem_perms;
+allow spamc_t self:msgq create_msgq_perms;
+allow spamc_t self:msg { send receive };
+allow spamc_t self:unix_dgram_socket create_socket_perms;
+allow spamc_t self:unix_stream_socket create_stream_socket_perms;
+allow spamc_t self:unix_dgram_socket sendto;
+allow spamc_t self:unix_stream_socket connectto;
+allow spamc_t self:tcp_socket create_stream_socket_perms;
+allow spamc_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
+manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
+files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir })
+
+# Allow connecting to a local spamd
+allow spamc_t spamd_t:unix_stream_socket connectto;
+allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
+
+kernel_read_kernel_sysctls(spamc_t)
+
+corenet_all_recvfrom_unlabeled(spamc_t)
+corenet_all_recvfrom_netlabel(spamc_t)
+corenet_tcp_sendrecv_generic_if(spamc_t)
+corenet_udp_sendrecv_generic_if(spamc_t)
+corenet_tcp_sendrecv_all_nodes(spamc_t)
+corenet_udp_sendrecv_all_nodes(spamc_t)
+corenet_tcp_sendrecv_all_ports(spamc_t)
+corenet_udp_sendrecv_all_ports(spamc_t)
+corenet_tcp_connect_all_ports(spamc_t)
+corenet_sendrecv_all_client_packets(spamc_t)
+
+fs_search_auto_mountpoints(spamc_t)
+
+# cjp: these should probably be removed:
+corecmd_list_bin(spamc_t)
+corecmd_read_bin_symlinks(spamc_t)
+corecmd_read_bin_files(spamc_t)
+corecmd_read_bin_pipes(spamc_t)
+corecmd_read_bin_sockets(spamc_t)
+
+domain_use_interactive_fds(spamc_t)
+
+files_read_etc_files(spamc_t)
+files_read_etc_runtime_files(spamc_t)
+files_read_usr_files(spamc_t)
+files_dontaudit_search_var(spamc_t)
+# cjp: this may be removable:
+files_list_home(spamc_t)
+
+logging_send_syslog_msg(spamc_t)
+
+miscfiles_read_localization(spamc_t)
+
+# cjp: this should probably be removed:
+seutil_read_config(spamc_t)
+
+sysnet_read_config(spamc_t)
+
+# cjp: this should probably be removed:
+tunable_policy(`read_default_t',`
+ files_list_default(spamc_t)
+ files_read_default_files(spamc_t)
+ files_read_default_symlinks(spamc_t)
+ files_read_default_sockets(spamc_t)
+ files_read_default_pipes(spamc_t)
+')
+
+optional_policy(`
+ # Allow connection to spamd socket above
+ evolution_stream_connect(spamc_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(spamc_t)
+')
+
+optional_policy(`
+ nscd_socket_use(spamc_t)
+')
+
+optional_policy(`
+ mta_read_config(spamc_t)
+ sendmail_stub(spamc_t)
+')
########################################
#
-# Spamassassin daemon local policy
+# Server local policy
#
# Spamassassin, when run as root and using per-user config files,
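Review bot: The two open-coded rules for reaching spamd (`allow spamc_t spamd_t:unix_stream_socket connectto;` and `allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;`) replace the removed `stream_connect_pattern($1_spamc_t, spamd_tmp_t, spamd_tmp_t, spamd_t)`, and they are not equivalent: the support macro also grants search on the spamd_tmp_t directory and only write permissions on the socket file, whereas the new lines grant read/write and no directory search. Unless the widening is intended, `stream_connect_pattern(spamc_t, spamd_tmp_t, spamd_tmp_t, spamd_t)` preserves the original access and matches the *_pattern style used throughout the rest of this hunk. The removed template also gave both domains userdom_use_unpriv_users_fds and userdom_use_unpriv_users_ptys, which have no counterpart in the new local policy or in spamassassin_role; if terminal and fd inheritance is now expected to come from elsewhere, a comment noting where would help.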
@@ -143,9 +391,7 @@ sysnet_use_ldap(spamd_t)
sysnet_dns_name_resolve(spamd_t)
userdom_use_unpriv_users_fds(spamd_t)
-userdom_search_unpriv_users_home_dirs(spamd_t)
-
-sysadm_dontaudit_search_home_dirs(spamd_t)
+userdom_search_user_home_dirs(spamd_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(spamd_t)
diff --git a/policy/modules/services/speedtouch.te b/policy/modules/services/speedtouch.te
index 45f3070..dc0423f 100644
--- a/policy/modules/services/speedtouch.te
+++ b/policy/modules/services/speedtouch.te
@@ -1,5 +1,5 @@
-policy_module(speedtouch, 1.3.0)
+policy_module(speedtouch, 1.3.1)
#######################################
#
@@ -51,8 +51,7 @@ logging_send_syslog_msg(speedmgmt_t)
miscfiles_read_localization(speedmgmt_t)
userdom_dontaudit_use_unpriv_user_fds(speedmgmt_t)
-
-sysadm_dontaudit_search_home_dirs(speedmgmt_t)
+userdom_dontaudit_search_user_home_dirs(speedmgmt_t)
optional_policy(`
seutil_sigchld_newrole(speedmgmt_t)
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index 9b7187a..fcde140 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -1,5 +1,5 @@
-policy_module(squid, 1.7.0)
+policy_module(squid, 1.7.1)
########################################
#
@@ -148,9 +148,7 @@ miscfiles_read_certs(squid_t)
miscfiles_read_localization(squid_t)
userdom_use_unpriv_users_fds(squid_t)
-userdom_dontaudit_use_unpriv_user_fds(squid_t)
-
-sysadm_dontaudit_search_home_dirs(squid_t)
+userdom_dontaudit_search_user_home_dirs(squid_t)
tunable_policy(`squid_connect_any',`
corenet_tcp_connect_all_ports(squid_t)
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index bf53f28..6262c7b 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -1,4 +1,4 @@
-HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ROLE_home_ssh_t,s0)
+HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0)
/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
/etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 58b25e6..545f5b0 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -166,247 +166,6 @@ template(`ssh_basic_client_template',`
#######################################
##
-## The per role template for the ssh module.
-##
-##
-##
-## This template creates a derived domains which are used
-## for ssh client sessions and user ssh agents. A derived
-## type is also created to protect the user ssh keys.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## The type of the user domain.
-##
-##
-##
-##
-## The role associated with the user domain.
-##
-##
-#
-template(`ssh_per_role_template',`
- gen_require(`
- type ssh_agent_exec_t, ssh_keysign_exec_t, sshd_t, sshd_key_t;
- ')
-
- ##############################
- #
- # Declarations
- #
-
- ssh_basic_client_template($1, $2, $3)
-
- userdom_user_home_content($1, $1_home_ssh_t)
-
- type $1_ssh_agent_t;
- application_domain($1_ssh_agent_t, ssh_agent_exec_t)
- domain_interactive_fd($1_ssh_agent_t)
- role $3 types $1_ssh_agent_t;
-
- type $1_ssh_agent_tmp_t;
- files_tmp_file($1_ssh_agent_tmp_t)
-
- type $1_ssh_keysign_t;
- application_domain($1_ssh_keysign_t, ssh_keysign_exec_t)
- role $3 types $1_ssh_keysign_t;
-
- type $1_ssh_tmpfs_t;
- files_tmpfs_file($1_ssh_tmpfs_t)
-
- ##############################
- #
- # Client local policy
- #
-
- manage_files_pattern($1_ssh_t, $1_ssh_tmpfs_t, $1_ssh_tmpfs_t)
- manage_lnk_files_pattern($1_ssh_t, $1_ssh_tmpfs_t, $1_ssh_tmpfs_t)
- manage_fifo_files_pattern($1_ssh_t, $1_ssh_tmpfs_t, $1_ssh_tmpfs_t)
- manage_sock_files_pattern($1_ssh_t, $1_ssh_tmpfs_t, $1_ssh_tmpfs_t)
- fs_tmpfs_filetrans($1_ssh_t, $1_ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-
- manage_dirs_pattern($1_ssh_t, $1_home_ssh_t, $1_home_ssh_t)
- manage_sock_files_pattern($1_ssh_t, $1_home_ssh_t, $1_home_ssh_t)
- userdom_user_home_dir_filetrans($1, $1_ssh_t, $1_home_ssh_t, { dir sock_file })
-
- # Allow the ssh program to communicate with ssh-agent.
- stream_connect_pattern($1_ssh_t, $1_ssh_agent_tmp_t, $1_ssh_agent_tmp_t, $1_ssh_agent_t)
-
- allow $1_ssh_t sshd_t:unix_stream_socket connectto;
-
- allow $2 $1_ssh_t:process signal;
-
- userdom_use_unpriv_users_fds($1_ssh_t)
- userdom_dontaudit_list_user_home_dirs($1,$1_ssh_t)
- userdom_search_user_home_dirs($1,$1_ssh_t)
- # Write to the user domain tty.
- userdom_use_user_terminals($1,$1_ssh_t)
- # needs to read krb tgt
- userdom_read_user_tmp_files($1, $1_ssh_t)
-
- tunable_policy(`allow_ssh_keysign',`
- domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t)
- allow $1_ssh_keysign_t $1_ssh_t:fd use;
- allow $1_ssh_keysign_t $1_ssh_t:process sigchld;
- allow $1_ssh_keysign_t $1_ssh_t:fifo_file rw_file_perms;
- ')
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs($1_ssh_t)
- fs_manage_nfs_files($1_ssh_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs($1_ssh_t)
- fs_manage_cifs_files($1_ssh_t)
- ')
-
- # for port forwarding
- tunable_policy(`user_tcp_server',`
- corenet_tcp_bind_ssh_port($1_ssh_t)
- ')
-
- optional_policy(`
- xserver_user_x_domain_template($1, $1_ssh, $1_ssh_t, $1_ssh_tmpfs_t)
- xserver_domtrans_user_xauth($1, $1_ssh_t)
- ')
-
- ifdef(`TODO',`
- # for /bin/sh used to execute xauth
- dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read };
-
- #allow ssh to access keys stored on removable media
- # Should we have a boolean around this?
- files_search_mnt($1_ssh_t)
- r_dir_file($1_ssh_t, removable_t)
-
- ') dnl endif TODO
-
- ##############################
- #
- # $1_ssh_agent_t local policy
- #
-
- allow $1_ssh_agent_t self:process setrlimit;
- allow $1_ssh_agent_t self:capability setgid;
-
- allow $1_ssh_agent_t { $1_ssh_agent_t $2 }:process signull;
-
- allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
-
- manage_dirs_pattern($1_ssh_agent_t, $1_ssh_agent_tmp_t, $1_ssh_agent_tmp_t)
- manage_sock_files_pattern($1_ssh_agent_t, $1_ssh_agent_tmp_t, $1_ssh_agent_tmp_t)
- files_tmp_filetrans($1_ssh_agent_t, $1_ssh_agent_tmp_t, { dir sock_file })
-
- # for ssh-add
- stream_connect_pattern($2, $1_ssh_agent_tmp_t, $1_ssh_agent_tmp_t, $1_ssh_agent_t)
-
- # Allow the user shell to signal the ssh program.
- allow $2 $1_ssh_agent_t:process signal;
-
- # allow ps to show ssh
- ps_process_pattern($2, $1_ssh_agent_t)
-
- domtrans_pattern($2, ssh_agent_exec_t, $1_ssh_agent_t)
-
- kernel_read_kernel_sysctls($1_ssh_agent_t)
-
- dev_read_urand($1_ssh_agent_t)
- dev_read_rand($1_ssh_agent_t)
-
- fs_search_auto_mountpoints($1_ssh_agent_t)
-
- # transition back to normal privs upon exec
- corecmd_shell_domtrans($1_ssh_agent_t, $1_t)
- corecmd_bin_domtrans($1_ssh_agent_t, $1_t)
-
- domain_use_interactive_fds($1_ssh_agent_t)
-
- files_read_etc_files($1_ssh_agent_t)
- files_read_etc_runtime_files($1_ssh_agent_t)
- files_search_home($1_ssh_agent_t)
-
- libs_read_lib_files($1_ssh_agent_t)
-
- logging_send_syslog_msg($1_ssh_agent_t)
-
- miscfiles_read_localization($1_ssh_agent_t)
-
- seutil_dontaudit_read_config($1_ssh_agent_t)
-
- # Write to the user domain tty.
- userdom_use_user_terminals($1,$1_ssh_agent_t)
-
- # for the transition back to normal privs upon exec
- userdom_user_home_domtrans($1, $1_ssh_agent_t, $2)
- allow $2 $1_ssh_agent_t:fd use;
- allow $2 $1_ssh_agent_t:fifo_file rw_file_perms;
- allow $2 $1_ssh_agent_t:process sigchld;
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_files($1_ssh_agent_t)
-
- # transition back to normal privs upon exec
- fs_nfs_domtrans($1_ssh_agent_t, $1_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_files($1_ssh_agent_t)
-
- # transition back to normal privs upon exec
- fs_cifs_domtrans($1_ssh_agent_t, $1_t)
- ')
-
- optional_policy(`
- nis_use_ypbind($1_ssh_agent_t)
- ')
-
- optional_policy(`
- xserver_use_xdm_fds($1_ssh_agent_t)
- xserver_rw_xdm_pipes($1_ssh_agent_t)
- ')
-
- ifdef(`TODO',`
- dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
- ') dnl endif TODO
-
- ##############################
- #
- # $1_ssh_keysign_t local policy
- #
-
- tunable_policy(`allow_ssh_keysign',`
- allow $1_ssh_keysign_t self:capability { setgid setuid };
- allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
-
- allow $1_ssh_keysign_t sshd_key_t:file read_file_perms;
-
- dev_read_urand($1_ssh_keysign_t)
-
- files_read_etc_files($1_ssh_keysign_t)
- ')
-
- optional_policy(`
- tunable_policy(`allow_ssh_keysign',`
- nscd_socket_use($1_ssh_keysign_t)
- ')
- ')
-')
-
-#######################################
-##
## The template to define a ssh server.
##
##
@@ -493,8 +252,8 @@ template(`ssh_server_template', `
sysnet_read_config($1_t)
- userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t)
- userdom_search_all_users_home_dirs($1_t)
+ userdom_dontaudit_relabelfrom_user_ptys($1_t)
+ userdom_search_user_home_dirs($1_t)
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files($1_t)
@@ -524,6 +283,159 @@ template(`ssh_server_template', `
########################################
##
+## Role access for ssh
+##
+##
+##
+## The prefix of the role (e.g., user
+## is the prefix for user_r).
+##
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+template(`ssh_role_template',`
+ gen_require(`
+ attribute ssh_server, ssh_agent_type;
+
+ type ssh_t, ssh_exec_t, ssh_tmpfs_t, home_ssh_t;
+ type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
+ type ssh_agent_tmp_t;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ role $2 types ssh_t;
+
+ type $1_ssh_agent_t, ssh_agent_type;
+ application_domain($1_ssh_agent_t, ssh_agent_exec_t)
+ domain_interactive_fd($1_ssh_agent_t)
+ ubac_constrained($1_ssh_agent_t)
+ role $2 types $1_ssh_agent_t;
+
+ ##############################
+ #
+ # Local policy
+ #
+
+ # Transition from the domain to the derived domain.
+ domtrans_pattern($3, ssh_exec_t, ssh_t)
+
+ # inheriting stream sockets is needed for "ssh host command" as no pty
+ # is allocated
+ allow $3 ssh_server:unix_stream_socket rw_stream_socket_perms;
+
+ # allow ps to show ssh
+ ps_process_pattern($3, ssh_t)
+ allow $3 ssh_t:process signal;
+
+ # for rsync
+ allow ssh_t $3:unix_stream_socket rw_socket_perms;
+ allow ssh_t $3:unix_stream_socket connectto;
+
+ # user can manage the keys and config
+ manage_files_pattern($3, home_ssh_t, home_ssh_t)
+ manage_lnk_files_pattern($3, home_ssh_t, home_ssh_t)
+ manage_sock_files_pattern($3, home_ssh_t, home_ssh_t)
+
+ ##############################
+ #
+ # SSH agent local policy
+ #
+
+ allow $1_ssh_agent_t self:process setrlimit;
+ allow $1_ssh_agent_t self:capability setgid;
+
+ allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull;
+
+ allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+ manage_dirs_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t)
+ manage_sock_files_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t)
+ files_tmp_filetrans($1_ssh_agent_t, ssh_agent_tmp_t, { dir sock_file })
+
+ # for ssh-add
+ stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
+
+ # Allow the user shell to signal the ssh program.
+ allow $3 $1_ssh_agent_t:process signal;
+
+ # allow ps to show ssh
+ ps_process_pattern($3, $1_ssh_agent_t)
+
+ domtrans_pattern($3, ssh_agent_exec_t, $1_ssh_agent_t)
+
+ kernel_read_kernel_sysctls($1_ssh_agent_t)
+
+ dev_read_urand($1_ssh_agent_t)
+ dev_read_rand($1_ssh_agent_t)
+
+ fs_search_auto_mountpoints($1_ssh_agent_t)
+
+ # transition back to normal privs upon exec
+ corecmd_shell_domtrans($1_ssh_agent_t, $3)
+ corecmd_bin_domtrans($1_ssh_agent_t, $3)
+
+ domain_use_interactive_fds($1_ssh_agent_t)
+
+ files_read_etc_files($1_ssh_agent_t)
+ files_read_etc_runtime_files($1_ssh_agent_t)
+ files_search_home($1_ssh_agent_t)
+
+ libs_read_lib_files($1_ssh_agent_t)
+
+ logging_send_syslog_msg($1_ssh_agent_t)
+
+ miscfiles_read_localization($1_ssh_agent_t)
+
+ seutil_dontaudit_read_config($1_ssh_agent_t)
+
+ # Write to the user domain tty.
+ userdom_use_user_terminals($1_ssh_agent_t)
+
+ # for the transition back to normal privs upon exec
+ userdom_user_home_domtrans($1_ssh_agent_t, $3)
+ allow $3 $1_ssh_agent_t:fd use;
+ allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
+ allow $3 $1_ssh_agent_t:process sigchld;
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files($1_ssh_agent_t)
+
+ # transition back to normal privs upon exec
+ fs_nfs_domtrans($1_ssh_agent_t, $3)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files($1_ssh_agent_t)
+
+ # transition back to normal privs upon exec
+ fs_cifs_domtrans($1_ssh_agent_t, $3)
+ ')
+
+ optional_policy(`
+ nis_use_ypbind($1_ssh_agent_t)
+ ')
+
+ optional_policy(`
+ xserver_use_xdm_fds($1_ssh_agent_t)
+ xserver_rw_xdm_pipes($1_ssh_agent_t)
+ ')
+')
+
+########################################
+##
## Send a SIGCHLD signal to the ssh server.
##
##
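Review bot: The `gen_require` block of `ssh_role_template` (L21120–L21126) lists `ssh_tmpfs_t` twice and also requires `ssh_keysign_t`, and neither `ssh_tmpfs_t` nor `ssh_keysign_t` is referenced anywhere in the template body, so the require needlessly widens the template's declared dependencies. Collapsing the three `type` lines to `type ssh_t, ssh_exec_t, home_ssh_t;` and `type ssh_agent_exec_t, ssh_agent_tmp_t;` keeps exactly what the body uses. The comment at L21185, `# Allow the user shell to signal the ssh program.`, sits above a rule on `$1_ssh_agent_t` and should read `# Allow the user domain to signal ssh-agent.`.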
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index fcc0a95..f192d2c 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,5 +1,5 @@
-policy_module(ssh, 1.11.0)
+policy_module(ssh, 2.0.0)
########################################
#
@@ -21,23 +21,13 @@ gen_tunable(allow_ssh_keysign, false)
gen_tunable(ssh_sysadm_login, false)
attribute ssh_server;
-
-# Type for the ssh-agent executable.
-type ssh_agent_exec_t;
-files_type(ssh_agent_exec_t)
-
-# ssh client executable.
-type ssh_exec_t;
-application_executable_file(ssh_exec_t)
+attribute ssh_agent_type;
type ssh_keygen_t;
type ssh_keygen_exec_t;
init_system_domain(ssh_keygen_t, ssh_keygen_exec_t)
role system_r types ssh_keygen_t;
-type ssh_keysign_exec_t;
-application_executable_file(ssh_keysign_exec_t)
-
type sshd_exec_t;
corecmd_executable_file(sshd_exec_t)
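Review bot: The new `attribute ssh_agent_type;` at L21276 replaces type declarations that each carried a purpose comment, but the attribute itself is undocumented. Suggest `# Attribute shared by the per-role ssh-agent domains ($1_ssh_agent_t).` above it, since `ssh_role_template` assigns `$1_ssh_agent_t` to this attribute and the client policy uses it as the peer domain in `stream_connect_pattern`.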
@@ -55,6 +45,252 @@ ifdef(`enable_mcs',`
init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh)
')
+type ssh_t;
+type ssh_exec_t;
+typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
+typealias ssh_t alias { auditadm_ssh_t secadm_ssh_t };
+application_domain(ssh_t, ssh_exec_t)
+ubac_constrained(ssh_t)
+
+type ssh_agent_exec_t;
+corecmd_executable_file(ssh_agent_exec_t)
+
+type ssh_agent_tmp_t;
+typealias ssh_agent_tmp_t alias { user_ssh_agent_tmp_t staff_ssh_agent_tmp_t sysadm_ssh_agent_tmp_t };
+typealias ssh_agent_tmp_t alias { auditadm_ssh_agent_tmp_t secadm_ssh_agent_tmp_t };
+files_tmp_file(ssh_agent_tmp_t)
+ubac_constrained(ssh_agent_tmp_t)
+
+type ssh_keysign_t;
+type ssh_keysign_exec_t;
+typealias ssh_keysign_t alias { user_ssh_keysign_t staff_ssh_keysign_t sysadm_ssh_keysign_t };
+typealias ssh_keysign_t alias { auditadm_ssh_keysign_t secadm_ssh_keysign_t };
+application_domain(ssh_keysign_t, ssh_keysign_exec_t)
+ubac_constrained(ssh_keysign_t)
+
+type ssh_tmpfs_t;
+typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t };
+typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t };
+files_tmpfs_file(ssh_tmpfs_t)
+ubac_constrained(ssh_tmpfs_t)
+
+type home_ssh_t;
+typealias home_ssh_t alias { user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
+typealias home_ssh_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
+files_type(home_ssh_t)
+userdom_user_home_content(home_ssh_t)
+
+##############################
+#
+# SSH client local policy
+#
+
+allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
+allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow ssh_t self:fd use;
+allow ssh_t self:fifo_file rw_fifo_file_perms;
+allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
+allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow ssh_t self:shm create_shm_perms;
+allow ssh_t self:sem create_sem_perms;
+allow ssh_t self:msgq create_msgq_perms;
+allow ssh_t self:msg { send receive };
+allow ssh_t self:tcp_socket create_socket_perms;
+allow ssh_t self:netlink_route_socket r_netlink_socket_perms;
+
+# Read the ssh key file.
+allow ssh_t sshd_key_t:file read_file_perms;
+
+# Access the ssh temporary files.
+allow ssh_t sshd_tmp_t:dir manage_dir_perms;
+allow ssh_t sshd_tmp_t:file manage_file_perms;
+files_tmp_filetrans(ssh_t, sshd_tmp_t, { file dir })
+
+manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+manage_dirs_pattern(ssh_t,home_ssh_t,home_ssh_t)
+manage_sock_files_pattern(ssh_t,home_ssh_t,home_ssh_t)
+userdom_user_home_dir_filetrans(ssh_t, home_ssh_t, { dir sock_file })
+
+# Allow the ssh program to communicate with ssh-agent.
+stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
+
+allow ssh_t sshd_t:unix_stream_socket connectto;
+
+# ssh client can manage the keys and config
+manage_files_pattern(ssh_t,home_ssh_t,home_ssh_t)
+read_lnk_files_pattern(ssh_t,home_ssh_t,home_ssh_t)
+
+# ssh servers can read the user keys and config
+allow ssh_server home_ssh_t:dir list_dir_perms;
+read_files_pattern(ssh_server,home_ssh_t,home_ssh_t)
+read_lnk_files_pattern(ssh_server,home_ssh_t,home_ssh_t)
+
+kernel_read_kernel_sysctls(ssh_t)
+
+corenet_all_recvfrom_unlabeled(ssh_t)
+corenet_all_recvfrom_netlabel(ssh_t)
+corenet_tcp_sendrecv_all_if(ssh_t)
+corenet_tcp_sendrecv_all_nodes(ssh_t)
+corenet_tcp_sendrecv_all_ports(ssh_t)
+corenet_tcp_connect_ssh_port(ssh_t)
+corenet_sendrecv_ssh_client_packets(ssh_t)
+
+dev_read_urand(ssh_t)
+
+fs_getattr_all_fs(ssh_t)
+fs_search_auto_mountpoints(ssh_t)
+
+# run helper programs - needed eg for x11-ssh-askpass
+corecmd_exec_shell(ssh_t)
+corecmd_exec_bin(ssh_t)
+
+domain_use_interactive_fds(ssh_t)
+
+files_list_home(ssh_t)
+files_read_usr_files(ssh_t)
+files_read_etc_runtime_files(ssh_t)
+files_read_etc_files(ssh_t)
+files_read_var_files(ssh_t)
+
+logging_send_syslog_msg(ssh_t)
+logging_read_generic_logs(ssh_t)
+
+miscfiles_read_localization(ssh_t)
+
+seutil_read_config(ssh_t)
+
+sysnet_read_config(ssh_t)
+sysnet_dns_name_resolve(ssh_t)
+
+userdom_dontaudit_list_user_home_dirs(ssh_t)
+userdom_search_user_home_dirs(ssh_t)
+# Write to the user domain tty.
+userdom_use_user_terminals(ssh_t)
+# needs to read krb tgt
+userdom_read_user_tmp_files(ssh_t)
+
+tunable_policy(`allow_ssh_keysign',`
+ domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
+ allow ssh_keysign_t ssh_t:fd use;
+ allow ssh_keysign_t ssh_t:process sigchld;
+ allow ssh_keysign_t ssh_t:fifo_file rw_file_perms;
+')
+
+tunable_policy(`read_default_t',`
+ files_list_default(ssh_t)
+ files_read_default_files(ssh_t)
+ files_read_default_symlinks(ssh_t)
+ files_read_default_sockets(ssh_t)
+ files_read_default_pipes(ssh_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(ssh_t)
+ fs_manage_nfs_files(ssh_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(ssh_t)
+ fs_manage_cifs_files(ssh_t)
+')
+
+# for port forwarding
+tunable_policy(`user_tcp_server',`
+ corenet_tcp_bind_ssh_port(ssh_t)
+')
+
+optional_policy(`
+ kerberos_use(ssh_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(ssh_t)
+')
+
+optional_policy(`
+ nscd_socket_use(ssh_t)
+')
+
+optional_policy(`
+ xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t)
+ xserver_domtrans_xauth(ssh_t)
+')
+
+########################################
+#
+# ssh_keygen local policy
+#
+
+# ssh_keygen_t is the type of the ssh-keygen program when run at install time
+# and by sysadm_t
+
+dontaudit ssh_keygen_t self:capability sys_tty_config;
+allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
+
+allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
+
+allow ssh_keygen_t sshd_key_t:file manage_file_perms;
+files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
+
+kernel_read_kernel_sysctls(ssh_keygen_t)
+
+fs_search_auto_mountpoints(ssh_keygen_t)
+
+dev_read_sysfs(ssh_keygen_t)
+dev_read_urand(ssh_keygen_t)
+
+term_dontaudit_use_console(ssh_keygen_t)
+
+domain_use_interactive_fds(ssh_keygen_t)
+
+files_read_etc_files(ssh_keygen_t)
+
+init_use_fds(ssh_keygen_t)
+init_use_script_ptys(ssh_keygen_t)
+
+logging_send_syslog_msg(ssh_keygen_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
+
+optional_policy(`
+ nscd_socket_use(ssh_keygen_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(ssh_keygen_t)
+')
+
+optional_policy(`
+ udev_read_db(ssh_keygen_t)
+')
+
+##############################
+#
+# ssh_keysign_t local policy
+#
+
+tunable_policy(`allow_ssh_keysign',`
+ allow ssh_keysign_t self:capability { setgid setuid };
+ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
+
+ allow ssh_keysign_t sshd_key_t:file { getattr read };
+
+ dev_read_urand(ssh_keysign_t)
+
+ files_read_etc_files(ssh_keysign_t)
+')
+
+optional_policy(`
+ tunable_policy(`allow_ssh_keysign',`
+ nscd_socket_use(ssh_keysign_t)
+ ')
+')
+
#################################
#
# sshd local policy
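Review bot: `ssh_agent_exec_t` is redeclared at L21296–L21297 with `corecmd_executable_file` where the removed declaration used `files_type`; if that interface places the type on the generic executable attribute, any domain that can execute bin files may now run ssh-agent in its own domain, and the reason for the wider labeling is not documented. A comment such as `# ssh-agent executable; ssh_role_template sets up the transition to $1_ssh_agent_t` above L21296 would record the intent. The keysign rule at L21522 spells out `{ getattr read }` while the ssh_t rule on the same type at L21343 (and the removed template line) used `read_file_perms`; `allow ssh_keysign_t sshd_key_t:file read_file_perms;` keeps the two consistent. Likewise L21419 uses `domain_auto_trans` while the rest of this commit uses `domtrans_pattern` (L21147, L21191); if `domtrans_pattern` already supplies the fd/fifo/sigchld back-rules, L21420–L21422 become redundant with `domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)`.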
@@ -74,6 +310,10 @@ files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
kernel_search_key(sshd_t)
kernel_link_key(sshd_t)
+term_use_all_user_ptys(sshd_t)
+term_setattr_all_user_ptys(sshd_t)
+term_relabelto_all_user_ptys(sshd_t)
+
# for X forwarding
corenet_tcp_bind_xserver_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t)
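Review bot: The three `term_*_all_user_ptys(sshd_t)` calls moved to L21541–L21543 leave behind the comment that explains them (`# ioctl is necessary for logout() processing ...`, `# some versions of sshd on the new SE Linux require setattr`), which now sits at L21549–L21551 above the unrelated `userdom_spec_domtrans_all_users` call inside the `ssh_sysadm_login` branch. Move those comment lines directly above L21541 so the reason for `setattr`/`relabelto` on every user pty stays with the rules; the same applies to the second hunk (L21548–L21566), where the comment is the only remnant of the removed block. Since pty access is now granted regardless of `ssh_sysadm_login`, a short note such as `# pty access for all user roles; role separation is left to UBAC` would also help, if that is indeed the intent.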
@@ -83,19 +323,11 @@ tunable_policy(`ssh_sysadm_login',`
# ioctl is necessary for logout() processing for utmp entry and for w to
# display the tty.
# some versions of sshd on the new SE Linux require setattr
- term_use_all_user_ptys(sshd_t)
- term_setattr_all_user_ptys(sshd_t)
- term_relabelto_all_user_ptys(sshd_t)
-
userdom_spec_domtrans_all_users(sshd_t)
userdom_signal_all_users(sshd_t)
',`
userdom_spec_domtrans_unpriv_users(sshd_t)
userdom_signal_unpriv_users(sshd_t)
-
- userdom_setattr_unpriv_users_ptys(sshd_t)
- userdom_relabelto_unpriv_users_ptys(sshd_t)
- userdom_use_unpriv_users_ptys(sshd_t)
')
optional_policy(`
@@ -111,9 +343,9 @@ optional_policy(`
')
optional_policy(`
- rssh_spec_domtrans_all_users(sshd_t)
+ rssh_spec_domtrans(sshd_t)
# For reading /home/user/.ssh
- rssh_read_all_users_ro_content(sshd_t)
+ rssh_read_ro_content(sshd_t)
')
optional_policy(`
diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
index 4d32293..3a4e7b8 100644
--- a/policy/modules/services/stunnel.te
+++ b/policy/modules/services/stunnel.te
@@ -1,5 +1,5 @@
-policy_module(stunnel, 1.7.0)
+policy_module(stunnel, 1.7.1)
########################################
#
@@ -86,8 +86,7 @@ ifdef(`distro_gentoo', `
domain_use_interactive_fds(stunnel_t)
userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
-
- sysadm_dontaudit_search_home_dirs(stunnel_t)
+ userdom_dontaudit_search_user_home_dirs(stunnel_t)
optional_policy(`
daemontools_service_domain(stunnel_t, stunnel_exec_t)
diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te
index 6cc56c8..dbdd85a 100644
--- a/policy/modules/services/sysstat.te
+++ b/policy/modules/services/sysstat.te
@@ -1,5 +1,5 @@
-policy_module(sysstat, 1.3.0)
+policy_module(sysstat, 1.3.1)
########################################
#
@@ -57,7 +57,7 @@ locallogin_use_fds(sysstat_t)
miscfiles_read_localization(sysstat_t)
-sysadm_dontaudit_list_home_dirs(sysstat_t)
+userdom_dontaudit_list_user_home_dirs(sysstat_t)
optional_policy(`
cron_system_entry(sysstat_t, sysstat_exec_t)
diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te
index 12c6a7b..cda45ef 100644
--- a/policy/modules/services/telnet.te
+++ b/policy/modules/services/telnet.te
@@ -1,5 +1,5 @@
-policy_module(telnet, 1.7.0)
+policy_module(telnet, 1.7.1)
########################################
#
@@ -84,7 +84,7 @@ seutil_read_config(telnetd_t)
remotelogin_domtrans(telnetd_t)
-userdom_search_unpriv_users_home_dirs(telnetd_t)
+userdom_search_user_home_dirs(telnetd_t)
optional_policy(`
kerberos_use(telnetd_t)
diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
index 154671d..67b736a 100644
--- a/policy/modules/services/tftp.te
+++ b/policy/modules/services/tftp.te
@@ -1,5 +1,5 @@
-policy_module(tftp, 1.9.0)
+policy_module(tftp, 1.9.1)
########################################
#
@@ -87,8 +87,8 @@ miscfiles_read_localization(tftpd_t)
miscfiles_read_public_files(tftpd_t)
userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
-sysadm_dontaudit_use_ttys(tftpd_t)
-sysadm_dontaudit_search_home_dirs(tftpd_t)
+userdom_dontaudit_use_user_terminals(tftpd_t)
+userdom_dontaudit_search_user_home_dirs(tftpd_t)
tunable_policy(`tftp_anon_write',`
miscfiles_manage_public_files(tftpd_t)
diff --git a/policy/modules/services/timidity.te b/policy/modules/services/timidity.te
index 344422a..8147f5a 100644
--- a/policy/modules/services/timidity.te
+++ b/policy/modules/services/timidity.te
@@ -1,5 +1,5 @@
-policy_module(timidity, 1.7.0)
+policy_module(timidity, 1.7.1)
# Note: You only need this policy if you want to run timidity as a server
@@ -75,7 +75,7 @@ userdom_dontaudit_use_unpriv_user_fds(timidity_t)
# stupid timidity won't start if it can't search its current directory.
# allow this so /etc/init.d/alsasound start works from /root
# cjp: this should be fixed if possible so this rule can be removed.
-sysadm_search_home_dirs(timidity_t)
+userdom_search_user_home_dirs(timidity_t)
optional_policy(`
seutil_sigchld_newrole(timidity_t)
diff --git a/policy/modules/services/transproxy.te b/policy/modules/services/transproxy.te
index fa408a9..0599626 100644
--- a/policy/modules/services/transproxy.te
+++ b/policy/modules/services/transproxy.te
@@ -1,5 +1,5 @@
-policy_module(transproxy, 1.5.0)
+policy_module(transproxy, 1.5.1)
########################################
#
@@ -55,8 +55,7 @@ miscfiles_read_localization(transproxy_t)
sysnet_read_config(transproxy_t)
userdom_dontaudit_use_unpriv_user_fds(transproxy_t)
-
-sysadm_dontaudit_search_home_dirs(transproxy_t)
+userdom_dontaudit_search_user_home_dirs(transproxy_t)
optional_policy(`
seutil_sigchld_newrole(transproxy_t)
diff --git a/policy/modules/services/uptime.te b/policy/modules/services/uptime.te
index 97a478c..86bdd42 100644
--- a/policy/modules/services/uptime.te
+++ b/policy/modules/services/uptime.te
@@ -1,5 +1,5 @@
-policy_module(uptime, 1.3.0)
+policy_module(uptime, 1.3.1)
########################################
#
@@ -59,8 +59,7 @@ logging_send_syslog_msg(uptimed_t)
miscfiles_read_localization(uptimed_t)
userdom_dontaudit_use_unpriv_user_fds(uptimed_t)
-
-sysadm_dontaudit_search_home_dirs(uptimed_t)
+userdom_dontaudit_search_user_home_dirs(uptimed_t)
optional_policy(`
mta_send_mail(uptimed_t)
diff --git a/policy/modules/services/uwimap.te b/policy/modules/services/uwimap.te
index 234cf68..34ffa8b 100644
--- a/policy/modules/services/uwimap.te
+++ b/policy/modules/services/uwimap.te
@@ -1,5 +1,5 @@
-policy_module(uwimap, 1.6.0)
+policy_module(uwimap, 1.6.1)
########################################
#
@@ -74,9 +74,12 @@ sysnet_read_config(imapd_t)
userdom_dontaudit_use_unpriv_user_fds(imapd_t)
# cjp: this is excessive, should be limited to the
# mail directories
-userdom_priveleged_home_dir_manager(imapd_t)
-
-sysadm_dontaudit_search_home_dirs(imapd_t)
+userdom_manage_user_home_content_dirs(imapd_t)
+userdom_manage_user_home_content_files(imapd_t)
+userdom_manage_user_home_content_symlinks(imapd_t)
+userdom_manage_user_home_content_pipes(imapd_t)
+userdom_manage_user_home_content_sockets(imapd_t)
+userdom_user_home_dir_filetrans_user_home_content(imapd_t, { dir file lnk_file fifo_file sock_file })
mta_rw_spool(imapd_t)
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 7c1c1b8..6aff9bd 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -1,5 +1,5 @@
-policy_module(virt, 1.0.0)
+policy_module(virt, 1.0.1)
########################################
#
@@ -144,7 +144,7 @@ optional_policy(`
')
optional_policy(`
- dbus_system_bus_client_template(virtd, virtd_t)
+ dbus_system_bus_client(virtd_t)
optional_policy(`
avahi_dbus_chat(virtd_t)
diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te
index 11c4d04..0ac9daa 100644
--- a/policy/modules/services/watchdog.te
+++ b/policy/modules/services/watchdog.te
@@ -1,5 +1,5 @@
-policy_module(watchdog, 1.5.0)
+policy_module(watchdog, 1.5.1)
#################################
#
@@ -87,8 +87,7 @@ miscfiles_read_localization(watchdog_t)
sysnet_read_config(watchdog_t)
userdom_dontaudit_use_unpriv_user_fds(watchdog_t)
-
-sysadm_dontaudit_search_home_dirs(watchdog_t)
+userdom_dontaudit_search_user_home_dirs(watchdog_t)
optional_policy(`
mta_send_mail(watchdog_t)
diff --git a/policy/modules/services/xfs.te b/policy/modules/services/xfs.te
index 0b49a20..025f9fa 100644
--- a/policy/modules/services/xfs.te
+++ b/policy/modules/services/xfs.te
@@ -1,5 +1,5 @@
-policy_module(xfs, 1.4.0)
+policy_module(xfs, 1.4.1)
########################################
#
@@ -70,8 +70,7 @@ miscfiles_read_localization(xfs_t)
miscfiles_read_fonts(xfs_t)
userdom_dontaudit_use_unpriv_user_fds(xfs_t)
-
-sysadm_dontaudit_search_home_dirs(xfs_t)
+userdom_dontaudit_search_user_home_dirs(xfs_t)
xfs_exec(xfs_t)
diff --git a/policy/modules/services/xprint.te b/policy/modules/services/xprint.te
index 7e39ac9..0a09bb0 100644
--- a/policy/modules/services/xprint.te
+++ b/policy/modules/services/xprint.te
@@ -1,5 +1,5 @@
-policy_module(xprint, 1.5.0)
+policy_module(xprint, 1.5.1)
########################################
#
@@ -64,8 +64,7 @@ miscfiles_read_localization(xprint_t)
sysnet_read_config(xprint_t)
userdom_dontaudit_use_unpriv_user_fds(xprint_t)
-
-sysadm_dontaudit_search_home_dirs(xprint_t)
+userdom_dontaudit_search_user_home_dirs(xprint_t)
optional_policy(`
cups_read_config(xprint_t)
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 1c4a31d..df70a29 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -1,13 +1,13 @@
#
# HOME_DIR
#
-HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:ROLE_fonts_config_t,s0)
-HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:ROLE_fonts_t,s0)
-HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:ROLE_fonts_cache_t,s0)
-HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:ROLE_fonts_cache_t,s0)
-HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:ROLE_iceauth_home_t,s0)
-HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
-HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
+HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
+HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
+HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0)
+HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0)
+HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
+HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
#
# /dev
@@ -49,7 +49,7 @@ ifdef(`distro_redhat',`
/tmp/\.ICE-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
/tmp/\.ICE-unix/.* -s <>
-/tmp/\.X0-lock -- gen_context(system_u:object_r:xdm_xserver_tmp_t,s0)
+/tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0)
/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
/tmp/\.X11-unix/.* -s <>
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index ffa2bd7..43f64fc 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -1,518 +1,135 @@
## X Windows Server
-#######################################
-##
-## Template to create types and rules common to
-## all X server domains.
-##
-##
-##
-## The prefix of the domain (e.g., user
-## is the prefix for user_t).
-##
-##
-#
-template(`xserver_common_domain_template',`
- gen_require(`
- type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
-
- attribute x_server_domain;
- class x_drawable all_x_drawable_perms;
- class x_colormap all_x_colormap_perms;
- class x_screen all_x_screen_perms;
- ')
-
- ##############################
- #
- # Declarations
- #
-
- attribute $1_x_domain;
- attribute $1_input_xevent_type;
-
- type $1_rootwindow_t, rootwindow_type;
-
- type $1_xserver_t, x_server_domain;
- domain_type($1_xserver_t)
- domain_entry_file($1_xserver_t, xserver_exec_t)
-
- type $1_xserver_tmp_t;
- files_tmp_file($1_xserver_tmp_t)
-
- type $1_xserver_tmpfs_t;
- files_tmpfs_file($1_xserver_tmpfs_t)
-
- ##############################
- #
- # $1_xserver_t local policy
- #
-
- # setuid/setgid for the wrapper program to change UID
- # sys_rawio is for iopl access - should not be needed for frame-buffer
- # sys_admin, locking shared mem? chowning IPC message queues or semaphores?
- # admin of APM bios?
- # sys_nice is so that the X server can set a negative nice value
- # execheap needed until the X module loader is fixed.
- # NVIDIA Needs execstack
-
- allow $1_xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
- dontaudit $1_xserver_t self:capability chown;
- allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow $1_xserver_t self:memprotect mmap_zero;
- allow $1_xserver_t self:fd use;
- allow $1_xserver_t self:fifo_file rw_fifo_file_perms;
- allow $1_xserver_t self:sock_file read_sock_file_perms;
- allow $1_xserver_t self:shm create_shm_perms;
- allow $1_xserver_t self:sem create_sem_perms;
- allow $1_xserver_t self:msgq create_msgq_perms;
- allow $1_xserver_t self:msg { send receive };
- allow $1_xserver_t self:unix_dgram_socket { create_socket_perms sendto };
- allow $1_xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow $1_xserver_t self:tcp_socket create_stream_socket_perms;
- allow $1_xserver_t self:udp_socket create_socket_perms;
-
- manage_dirs_pattern($1_xserver_t, $1_xserver_tmp_t, $1_xserver_tmp_t)
- manage_files_pattern($1_xserver_t, $1_xserver_tmp_t, $1_xserver_tmp_t)
- manage_sock_files_pattern($1_xserver_t, $1_xserver_tmp_t, $1_xserver_tmp_t)
- files_tmp_filetrans($1_xserver_t, $1_xserver_tmp_t, { file dir sock_file })
-
- filetrans_pattern($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file)
- ifdef(`enable_mls',`
- range_transition $1_xserver_t $1_xserver_tmp_t:sock_file s0 - mls_systemhigh;
- ')
-
- manage_dirs_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t)
- manage_files_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t)
- manage_lnk_files_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t)
- manage_fifo_files_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t)
- manage_sock_files_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t)
- fs_tmpfs_filetrans($1_xserver_t, $1_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-
- manage_files_pattern($1_xserver_t, xkb_var_lib_t, xkb_var_lib_t)
- manage_lnk_files_pattern($1_xserver_t, xkb_var_lib_t, xkb_var_lib_t)
- files_search_var_lib($1_xserver_t)
-
- # Create files in /var/log with the xserver_log_t type.
- manage_files_pattern($1_xserver_t, xserver_log_t, xserver_log_t)
- logging_log_filetrans($1_xserver_t, xserver_log_t, file)
-
- # Labeling rules for default windows and colormaps
- type_transition $1_xserver_t $1_xserver_t:{ x_drawable x_colormap } $1_rootwindow_t;
- ifdef(`enable_mls',`
- range_transition $1_xserver_t $1_rootwindow_t:x_drawable s0 - mls_systemhigh;
- ')
-
- kernel_read_system_state($1_xserver_t)
- kernel_read_device_sysctls($1_xserver_t)
- kernel_read_modprobe_sysctls($1_xserver_t)
- # Xorg wants to check if kernel is tainted
- kernel_read_kernel_sysctls($1_xserver_t)
- kernel_write_proc_files($1_xserver_t)
-
- # Run helper programs in $1_xserver_t.
- corecmd_exec_bin($1_xserver_t)
- corecmd_exec_shell($1_xserver_t)
-
- corenet_all_recvfrom_unlabeled($1_xserver_t)
- corenet_all_recvfrom_netlabel($1_xserver_t)
- corenet_tcp_sendrecv_generic_if($1_xserver_t)
- corenet_udp_sendrecv_generic_if($1_xserver_t)
- corenet_tcp_sendrecv_all_nodes($1_xserver_t)
- corenet_udp_sendrecv_all_nodes($1_xserver_t)
- corenet_tcp_sendrecv_all_ports($1_xserver_t)
- corenet_udp_sendrecv_all_ports($1_xserver_t)
- corenet_tcp_bind_all_nodes($1_xserver_t)
- corenet_tcp_bind_xserver_port($1_xserver_t)
- corenet_tcp_connect_all_ports($1_xserver_t)
- corenet_sendrecv_xserver_server_packets($1_xserver_t)
- corenet_sendrecv_all_client_packets($1_xserver_t)
-
- dev_rw_sysfs($1_xserver_t)
- dev_rw_mouse($1_xserver_t)
- dev_rw_mtrr($1_xserver_t)
- dev_rw_apm_bios($1_xserver_t)
- dev_rw_agp($1_xserver_t)
- dev_rw_framebuffer($1_xserver_t)
- dev_manage_dri_dev($1_xserver_t)
- dev_create_generic_dirs($1_xserver_t)
- dev_setattr_generic_dirs($1_xserver_t)
- # raw memory access is needed if not using the frame buffer
- dev_read_raw_memory($1_xserver_t)
- dev_wx_raw_memory($1_xserver_t)
- # for other device nodes such as the NVidia binary-only driver
- dev_rw_xserver_misc($1_xserver_t)
- # read events - the synaptics touchpad driver reads raw events
- dev_rw_input_dev($1_xserver_t)
- dev_rwx_zero($1_xserver_t)
-
- domain_mmap_low($1_xserver_t)
-
- files_read_etc_files($1_xserver_t)
- files_read_etc_runtime_files($1_xserver_t)
- files_read_usr_files($1_xserver_t)
-
- # brought on by rhgb
- files_search_mnt($1_xserver_t)
- # for nscd
- files_dontaudit_search_pids($1_xserver_t)
-
- fs_getattr_xattr_fs($1_xserver_t)
- fs_search_nfs($1_xserver_t)
- fs_search_auto_mountpoints($1_xserver_t)
- fs_search_ramfs($1_xserver_t)
-
- selinux_validate_context($1_xserver_t)
- selinux_compute_access_vector($1_xserver_t)
- selinux_compute_create_context($1_xserver_t)
-
- auth_use_nsswitch($1_xserver_t)
-
- init_getpgid($1_xserver_t)
-
- term_setattr_unallocated_ttys($1_xserver_t)
- term_use_unallocated_ttys($1_xserver_t)
-
- logging_send_syslog_msg($1_xserver_t)
- logging_send_audit_msgs($1_xserver_t)
-
- miscfiles_read_localization($1_xserver_t)
- miscfiles_read_fonts($1_xserver_t)
-
- modutils_domtrans_insmod($1_xserver_t)
-
- # read x_contexts
- seutil_read_default_contexts($1_xserver_t)
-
- ifndef(`distro_redhat',`
- allow $1_xserver_t self:process { execmem execheap execstack };
- ')
-
- ifdef(`distro_rhel4',`
- allow $1_xserver_t self:process { execmem execheap execstack };
- ')
-
- tunable_policy(`!xserver_object_manager',`
- # should be xserver_unconfined($1_xserver_t),
- # but typeattribute doesnt work in conditionals
- gen_require(`
- attribute x_server_domain, x_domain;
- attribute xproperty_type, xselection_type;
- attribute xextension_type, xevent_type;
- attribute rootwindow_type;
-
- type remote_xclient_t;
- ')
- allow $1_xserver_t x_server_domain:x_server *;
- allow $1_xserver_t { x_domain rootwindow_type }:x_drawable *;
- allow $1_xserver_t x_server_domain:x_screen *;
- allow $1_xserver_t x_domain:x_gc *;
- allow $1_xserver_t { x_domain rootwindow_type }:x_colormap *;
- allow $1_xserver_t xproperty_type:x_property *;
- allow $1_xserver_t xselection_type:x_selection *;
- allow $1_xserver_t x_domain:x_cursor *;
- allow $1_xserver_t { x_domain remote_xclient_t }:x_client *;
- allow $1_xserver_t { x_domain x_server_domain }:x_device *;
- allow $1_xserver_t xextension_type:x_extension *;
- allow $1_xserver_t { x_domain x_server_domain }:x_resource *;
- allow $1_xserver_t xevent_type:{ x_event x_synthetic_event } *;
- ')
-
- optional_policy(`
- apm_stream_connect($1_xserver_t)
- ')
-
- optional_policy(`
- auth_search_pam_console_data($1_xserver_t)
- ')
-
- optional_policy(`
- rhgb_getpgid($1_xserver_t)
- rhgb_signal($1_xserver_t)
- ')
-
- optional_policy(`
- xfs_stream_connect($1_xserver_t)
- ')
-')
-
-#######################################
+########################################
##
-## The per role template for the xserver module.
+## Rules required for using the X Windows server
+## and environment.
##
-##
-##
-## Define a derived domain for the X server when executed
-## by a user domain (e.g. via startx). See the xdm module
-## if using an X Display Manager.
-##
-##
-## This is invoked automatically for each user and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
+##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## Role allowed access.
##
##
-##
-##
-## The type of the user domain.
-##
-##
-##
+##
##
-## The role associated with the user domain.
+## Domain allowed access.
##
##
#
-template(`xserver_per_role_template',`
-
+interface(`xserver_role',`
gen_require(`
- type iceauth_exec_t, xauth_exec_t;
- attribute fonts_type, fonts_cache_type, fonts_config_type;
- ')
-
- ##############################
- #
- # Declarations
- #
-
- xserver_common_domain_template($1)
- role $3 types $1_xserver_t;
-
- type $1_fonts_t, fonts_type;
- userdom_user_home_content($1, $1_fonts_t)
-
- type $1_fonts_cache_t, fonts_cache_type;
- userdom_user_home_content($1, $1_fonts_cache_t)
+ type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t;
+ type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
+ type iceauth_t, iceauth_exec_t, iceauth_home_t;
+ type xauth_t, xauth_exec_t, xauth_home_t;
- type $1_fonts_config_t, fonts_config_type;
- userdom_user_home_content($1, $1_fonts_cache_t)
+ type info_xproperty_t, rootwindow_t;
- type $1_iceauth_t;
- domain_type($1_iceauth_t)
- domain_entry_file($1_iceauth_t, iceauth_exec_t)
- role $3 types $1_iceauth_t;
-
- type $1_iceauth_home_t alias $1_iceauth_rw_t;
- files_poly_member($1_iceauth_home_t)
- userdom_user_home_content($1, $1_iceauth_home_t)
-
- type $1_xauth_t;
- domain_type($1_xauth_t)
- domain_entry_file($1_xauth_t, xauth_exec_t)
- role $3 types $1_xauth_t;
-
- type $1_xauth_home_t alias $1_xauth_rw_t, xauth_home_type;
- files_poly_member($1_xauth_home_t)
- userdom_user_home_content($1, $1_xauth_home_t)
-
- type $1_xauth_tmp_t;
- files_tmp_file($1_xauth_tmp_t)
-
- ##############################
- #
- # $1_xserver_t Local policy
- #
-
- domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
+ class x_drawable all_x_drawable_perms;
+ class x_screen all_x_screen_perms;
+ class x_gc all_x_gc_perms;
+ class x_font all_x_font_perms;
+ class x_colormap all_x_colormap_perms;
+ class x_property all_x_property_perms;
+ class x_selection all_x_selection_perms;
+ class x_cursor all_x_cursor_perms;
+ class x_client all_x_client_perms;
+ class x_device all_x_device_perms;
+ class x_server all_x_server_perms;
+ class x_extension all_x_extension_perms;
+ class x_resource all_x_resource_perms;
+ class x_event all_x_event_perms;
+ class x_synthetic_event all_x_synthetic_event_perms;
+ ')
- allow $1_xserver_t $1_xauth_home_t:file read_file_perms;
+ role $1 types { xserver_t xauth_t iceauth_t };
- domtrans_pattern($2, xserver_exec_t, $1_xserver_t)
- allow $1_xserver_t $2:process signal;
+ domtrans_pattern($2, xserver_exec_t, xserver_t)
+ allow xserver_t $2:process signal;
- allow $1_xserver_t $2:shm rw_shm_perms;
+ allow xserver_t $2:shm rw_shm_perms;
- manage_dirs_pattern($2, $1_fonts_t, $1_fonts_t)
- manage_files_pattern($2, $1_fonts_t, $1_fonts_t)
- relabel_dirs_pattern($2, $1_fonts_t, $1_fonts_t)
- relabel_files_pattern($2, $1_fonts_t, $1_fonts_t)
+ manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
+ manage_files_pattern($2, user_fonts_t, user_fonts_t)
+ relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
+ relabel_files_pattern($2, user_fonts_t, user_fonts_t)
- manage_dirs_pattern($2, $1_fonts_config_t, $1_fonts_config_t)
- manage_files_pattern($2, $1_fonts_config_t, $1_fonts_config_t)
- relabel_files_pattern($2, $1_fonts_config_t, $1_fonts_config_t)
+ manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+ manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+ relabel_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
+ relabel_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
- # For startup relabel
- allow $2 $1_fonts_cache_t:{ dir file } { relabelto relabelfrom };
+ manage_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
+ manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
+ relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
+ relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
- stream_connect_pattern($2, $1_xserver_tmp_t, $1_xserver_tmp_t, $1_xserver_t)
+ stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
- allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
+ allow $2 xserver_tmpfs_t:file rw_file_perms;
# Communicate via System V shared memory.
- allow $1_xserver_t $2:shm rw_shm_perms;
- allow $2 $1_xserver_t:shm rw_shm_perms;
-
- getty_use_fds($1_xserver_t)
-
- locallogin_use_fds($1_xserver_t)
-
- userdom_search_user_home_dirs($1, $1_xserver_t)
- userdom_use_user_ttys($1, $1_xserver_t)
- userdom_setattr_user_ttys($1, $1_xserver_t)
- userdom_rw_user_tmpfs_files($1, $1_xserver_t)
-
- xserver_use_user_fonts($1, $1_xserver_t)
- xserver_rw_xdm_tmp_files($1_xauth_t)
-
- optional_policy(`
- userhelper_search_config($1_xserver_t)
- ')
-
- ifdef(`TODO',`
- ifdef(`xdm.te', `
- allow $1_t xdm_tmp_t:sock_file unlink;
- allow $1_xserver_t xdm_var_run_t:dir search;
- ')
- ') dnl end TODO
-
- ##############################
- #
- # $1_xauth_t Local policy
- #
+ allow xserver_t $2:shm rw_shm_perms;
+ allow $2 xserver_t:shm rw_shm_perms;
- allow $1_xauth_t self:process signal;
- allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
+ # allow ps to show iceauth
+ ps_process_pattern($2, iceauth_t)
- allow $1_xauth_t $1_xauth_home_t:file manage_file_perms;
- userdom_user_home_dir_filetrans($1, $1_xauth_t, $1_xauth_home_t,file)
+ domtrans_pattern($2, iceauth_exec_t, iceauth_t)
- manage_dirs_pattern($1_xauth_t, $1_xauth_tmp_t, $1_xauth_tmp_t)
- manage_files_pattern($1_xauth_t, $1_xauth_tmp_t, $1_xauth_tmp_t)
- files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir })
+ allow $2 iceauth_home_t:file manage_file_perms;
+ allow $2 iceauth_home_t:file { relabelfrom relabelto };
- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
+ domtrans_pattern($2, xauth_exec_t, xauth_t)
- allow $2 $1_xauth_t:process signal;
+ allow $2 xauth_t:process signal;
# allow ps to show xauth
- ps_process_pattern($2,$1_xauth_t)
-
- allow $2 $1_xauth_home_t:file manage_file_perms;
- allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
-
- allow xdm_t $1_xauth_home_t:file manage_file_perms;
- userdom_user_home_dir_filetrans($1, xdm_t, $1_xauth_home_t, file)
-
- domain_use_interactive_fds($1_xauth_t)
-
- files_read_etc_files($1_xauth_t)
- files_search_pids($1_xauth_t)
-
- fs_getattr_xattr_fs($1_xauth_t)
- fs_search_auto_mountpoints($1_xauth_t)
+ ps_process_pattern($2,xauth_t)
- # cjp: why?
- term_use_ptmx($1_xauth_t)
+ allow $2 xauth_home_t:file manage_file_perms;
+ allow $2 xauth_home_t:file { relabelfrom relabelto };
- auth_use_nsswitch($1_xauth_t)
-
- userdom_use_user_terminals($1, $1_xauth_t)
- userdom_read_user_tmp_files($1, $1_xauth_t)
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_files($1_xauth_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_files($1_xauth_t)
- ')
-
- optional_policy(`
- ssh_sigchld($1_xauth_t)
- ssh_read_pipes($1_xauth_t)
- ssh_dontaudit_rw_tcp_sockets($1_xauth_t)
- ')
-
- ##############################
- #
- # $1_iceauth_t Local policy
- #
-
- domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t)
-
- allow $1_iceauth_t $1_iceauth_home_t:file manage_file_perms;
- userdom_user_home_dir_filetrans($1, $1_iceauth_t, $1_iceauth_home_t, file)
-
- # allow ps to show iceauth
- ps_process_pattern($2, $1_iceauth_t)
-
- allow $2 $1_iceauth_home_t:file manage_file_perms;
- allow $2 $1_iceauth_home_t:file { relabelfrom relabelto };
-
- allow xdm_t $1_iceauth_home_t:file read_file_perms;
-
- fs_search_auto_mountpoints($1_iceauth_t)
-
- userdom_use_user_terminals($1, $1_iceauth_t)
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_files($1_iceauth_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_files($1_iceauth_t)
- ')
+ xserver_common_x_domain_template(user, $2)
##############################
#
# User X object manager local policy
#
- # Device rules
- allow $1_x_domain $1_xserver_t:x_device { read getattr use setattr setfocus grab bell };
-
- allow $1_xserver_t { input_xevent_t $1_input_xevent_type }:x_event send;
- allow $1_xserver_t { $1_rootwindow_t $1_x_domain }:x_drawable send;
-
# manage: xhost X11:ChangeHosts
# freeze: metacity X11:GrabKey
# force_cursor: metacity X11:GrabPointer
- allow $2 $1_xserver_t:x_device { manage freeze force_cursor };
+ allow $2 xserver_t:x_device { manage freeze force_cursor };
# gnome-settings-daemon XKEYBOARD:SetControls
- allow $2 $1_xserver_t:x_server manage;
+ allow $2 xserver_t:x_server manage;
# gnome-settings-daemon RANDR:SelectInput
- allow $2 $1_xserver_t:x_resource write;
+ allow $2 xserver_t:x_resource write;
# metacity X11:InstallColormap X11:UninstallColormap
- allow $2 $1_rootwindow_t:x_colormap { install uninstall };
+ allow $2 rootwindow_t:x_colormap { install uninstall };
# read: gnome-settings-daemon RANDR:GetScreenSizeRange
# write: gnome-settings-daemon RANDR:SelectInput
# setattr: gnome-settings-daemon X11:GrabKey
# manage: metacity X11:ChangeWindowAttributes
- allow $2 $1_rootwindow_t:x_drawable { read write manage setattr };
+ allow $2 rootwindow_t:x_drawable { read write manage setattr };
# setattr: metacity X11:InstallColormap
- allow $2 $1_xserver_t:x_screen { saver_setattr saver_getattr setattr };
+ allow $2 xserver_t:x_screen { saver_getattr saver_setattr setattr };
# xrdb X11:ChangeProperty prop=RESOURCE_MANAGER
- allow $2 info_xproperty_t:x_property { create write append };
-
- mls_xwin_read_to_clearance($1_xserver_t)
-
- xserver_common_x_domain_template($1, $1, $2)
+ allow $2 info_xproperty_t:x_property { create append write };
')
#######################################
##
-## Template for creating sessions on a
-## prefix X server, with read-only
+## Create sessions on the X server, with read-only
## access to the X server shared
## memory segments.
##
-##
-##
-## The prefix of the domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## Domain allowed access.
@@ -524,42 +141,35 @@ template(`xserver_per_role_template',`
##
##
#
-template(`xserver_ro_session_template',`
+interface(`xserver_ro_session',`
gen_require(`
- type $1_xserver_t, $1_xserver_tmp_t, $1_xserver_tmpfs_t;
+ type xserver_t, xserver_tmp_t, xserver_tmpfs_t;
')
# Xserver read/write client shm
- allow $1_xserver_t $2:fd use;
- allow $1_xserver_t $2:shm rw_shm_perms;
- allow $1_xserver_t $3:file rw_file_perms;
+ allow xserver_t $1:fd use;
+ allow xserver_t $1:shm rw_shm_perms;
+ allow xserver_t $2:file rw_file_perms;
# Connect to xserver
- allow $2 $1_xserver_t:unix_stream_socket connectto;
- allow $2 $1_xserver_t:process signal;
+ allow $1 xserver_t:unix_stream_socket connectto;
+ allow $1 xserver_t:process signal;
# Read /tmp/.X0-lock
- allow $2 $1_xserver_tmp_t:file read_file_perms;
+ allow $1 xserver_tmp_t:file { getattr read };
# Client read xserver shm
- allow $2 $1_xserver_t:fd use;
- allow $2 $1_xserver_t:shm r_shm_perms;
- allow $2 $1_xserver_tmpfs_t:file read_file_perms;
+ allow $1 xserver_t:fd use;
+ allow $1 xserver_t:shm r_shm_perms;
+ allow $1 xserver_tmpfs_t:file read_file_perms;
')
#######################################
##
-## Template for creating sessions on a
-## prefix X server, with read and write
+## Create sessions on the X server, with read and write
## access to the X server shared
## memory segments.
##
-##
-##
-## The prefix of the domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## Domain allowed access.
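Review bot: `allow $1 xserver_tmp_t:file { getattr read };` under `# Read /tmp/.X0-lock` replaces `read_file_perms`, which in refpolicy's permission sets also carries open, lock and ioctl, so a client that actually opens the lock file is denied `open` once open permission checks are in effect. The same narrowing is applied to xauth_home_t and iceauth_home_t in the xserver_user_client hunk, while the xserver_user_x_domain_template hunk keeps `read_file_perms` for those very types, so the two client interfaces now disagree on what "read .Xauthority" means. Unless blocking open() is the intent, restore `allow $1 xserver_tmp_t:file read_file_perms;` here and the two home-file lines in xserver_user_client likewise.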
@@ -571,27 +181,21 @@ template(`xserver_ro_session_template',`
##
##
#
-template(`xserver_rw_session_template',`
+interface(`xserver_rw_session',`
gen_require(`
- type $1_xserver_t, $1_xserver_tmpfs_t;
+ type xserver_t, xserver_tmpfs_t;
')
- xserver_ro_session_template($1, $2, $3)
- allow $2 $1_xserver_t:shm rw_shm_perms;
- allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
+ xserver_ro_session($1,$2)
+ allow $1 xserver_t:shm rw_shm_perms;
+ allow $1 xserver_tmpfs_t:file rw_file_perms;
')
#######################################
##
-## Template for creating full client sessions
+## Create full client sessions
## on a user X server.
##
-##
-##
-## The prefix of the domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## Domain allowed access.
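Review bot: `xserver_ro_session($1,$2)` omits the space after the comma that every other call in this file uses (`domtrans_pattern($2, xserver_exec_t, xserver_t)`, `manage_dirs_pattern($2, user_fonts_t, user_fonts_t)`); write `xserver_ro_session($1, $2)`. The same spacing slips into the xserver_user_client hunk (`xserver_ro_session($1,$2)`), the xserver_user_x_domain_template hunk (`xserver_ro_session($2,$3)`, `xserver_common_x_domain_template($1,$2)`) and `ps_process_pattern($2,xauth_t)` in the xserver_role hunk above.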
@@ -603,47 +207,46 @@ template(`xserver_rw_session_template',`
##
##
#
-template(`xserver_user_client_template',`
+interface(`xserver_user_client',`
# refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
gen_require(`
type xdm_t, xdm_tmp_t;
- type $1_xauth_home_t, $1_iceauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t;
+ type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
')
- allow $2 self:shm create_shm_perms;
- allow $2 self:unix_dgram_socket create_socket_perms;
- allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow $1 self:shm create_shm_perms;
+ allow $1 self:unix_dgram_socket create_socket_perms;
+ allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
- allow $2 $1_xauth_home_t:file read_file_perms;
- allow $2 $1_iceauth_home_t:file read_file_perms;
+ allow $1 xauth_home_t:file { getattr read };
+ allow $1 iceauth_home_t:file { getattr read };
# for when /tmp/.X11-unix is created by the system
- allow $2 xdm_t:fd use;
- allow $2 xdm_t:fifo_file { getattr read write ioctl };
- allow $2 xdm_tmp_t:dir search;
- allow $2 xdm_tmp_t:sock_file { read write };
- dontaudit $2 xdm_t:tcp_socket { read write };
+ allow $1 xdm_t:fd use;
+ allow $1 xdm_t:fifo_file { getattr read write ioctl };
+ allow $1 xdm_tmp_t:dir search;
+ allow $1 xdm_tmp_t:sock_file { read write };
+ dontaudit $1 xdm_t:tcp_socket { read write };
# Allow connections to X server.
- files_search_tmp($2)
+ files_search_tmp($1)
- miscfiles_read_fonts($2)
+ miscfiles_read_fonts($1)
- userdom_search_user_home_dirs($1, $2)
+ userdom_search_user_home_dirs($1)
# for .xsession-errors
- userdom_dontaudit_write_user_home_content_files($1, $2)
+ userdom_dontaudit_write_user_home_content_files($1)
- xserver_ro_session_template(xdm, $2, $3)
- xserver_rw_session_template($1, $2, $3)
- xserver_use_user_fonts($1, $2)
+ xserver_ro_session($1,$2)
+ xserver_use_user_fonts($1)
- xserver_read_xdm_tmp_files($2)
+ xserver_read_xdm_tmp_files($1)
# Client write xserver shm
tunable_policy(`allow_write_xshm',`
- allow $2 $1_xserver_t:shm rw_shm_perms;
- allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
+ allow $1 xserver_t:shm rw_shm_perms;
+ allow $1 xserver_tmpfs_t:file rw_file_perms;
')
')
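Review bot: Dropping `xserver_rw_session_template($1, $2, $3)` while keeping only `xserver_ro_session($1,$2)` changes read/write access to xserver_t shm and xserver_tmpfs_t files from unconditional to gated on `allow_write_xshm`, because the removed rw call granted exactly the rules the tunable block below grants. That is a tightening for every caller of this interface and the commit does not mention it; if it is intended, the interface's doc block (outside the hunk) should state that write access to X shared memory depends on allow_write_xshm. The `# refpolicywarn(...)` line above the gen_require is still commented out, so the deprecation it announces is never reported; either activate it or remove the comment now that the template has been reworked into an interface.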
@@ -653,12 +256,6 @@ template(`xserver_user_client_template',`
## an X client domain. Provides the minimal set required by a basic
## X client application.
##
-##
-##
-## The prefix of the X server domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## The prefix of the X client domain (e.g., user
@@ -673,176 +270,104 @@ template(`xserver_user_client_template',`
#
template(`xserver_common_x_domain_template',`
gen_require(`
- type $1_rootwindow_t, std_xext_t, shmem_xext_t;
- type xproperty_t, info_xproperty_t, clipboard_xproperty_t;
+ type $1_xproperty_t, $1_input_xevent_t, $1_property_xevent_t;
+ type $1_focus_xevent_t, $1_manage_xevent_t, $1_default_xevent_t;
+ type $1_client_xevent_t;
+
+ type rootwindow_t, xproperty_t;
type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t;
type xevent_t, client_xevent_t;
- type clipboard_xselection_t, xselection_t;
- attribute x_server_domain, x_domain;
+ attribute x_domain;
attribute xproperty_type;
- attribute xevent_type, xextension_type;
- attribute $1_x_domain, $1_input_xevent_type;
+ attribute xevent_type;
+ attribute input_xevent_type;
class x_drawable all_x_drawable_perms;
- class x_screen all_x_screen_perms;
- class x_gc all_x_gc_perms;
- class x_font all_x_font_perms;
- class x_colormap all_x_colormap_perms;
class x_property all_x_property_perms;
- class x_selection all_x_selection_perms;
- class x_cursor all_x_cursor_perms;
- class x_client all_x_client_perms;
- class x_device all_x_device_perms;
- class x_server all_x_server_perms;
- class x_extension all_x_extension_perms;
- class x_resource all_x_resource_perms;
class x_event all_x_event_perms;
class x_synthetic_event all_x_synthetic_event_perms;
')
##############################
#
- # Declarations
+ # Local Policy
#
# Type attributes
- typeattribute $3 $1_x_domain, x_domain;
+ typeattribute $2 x_domain;
- # Types for properties
- type $2_xproperty_t alias $2_default_xproperty_t, xproperty_type;
+ # X Properties
+ # can read and write client properties
+ allow $2 $1_xproperty_t:x_property { create destroy read write append };
+ type_transition $2 xproperty_t:x_property $1_xproperty_t;
- # Types for events
- type $2_input_xevent_t, $1_input_xevent_type, xevent_type;
- type $2_property_xevent_t, xevent_type;
- type $2_focus_xevent_t, xevent_type;
- type $2_manage_xevent_t, xevent_type;
- type $2_default_xevent_t, xevent_type;
- type $2_client_xevent_t, xevent_type;
+ # X Windows
+ # new windows have the domain type
+ type_transition $2 rootwindow_t:x_drawable $2;
+
+ # X Input
+ # can receive own events
+ allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive;
+ allow $2 $1_property_xevent_t:{ x_event x_synthetic_event } receive;
+ allow $2 $1_focus_xevent_t:{ x_event x_synthetic_event } receive;
+ allow $2 $1_manage_xevent_t:{ x_event x_synthetic_event } receive;
+ allow $2 $1_default_xevent_t:{ x_event x_synthetic_event } receive;
+ allow $2 $1_client_xevent_t:{ x_event x_synthetic_event } receive;
+ type_transition $2 input_xevent_t:x_event $1_input_xevent_t;
+ type_transition $2 property_xevent_t:x_event $1_property_xevent_t;
+ type_transition $2 focus_xevent_t:x_event $1_focus_xevent_t;
+ type_transition $2 manage_xevent_t:x_event $1_manage_xevent_t;
+ type_transition $2 client_xevent_t:x_event $1_client_xevent_t;
+ type_transition $2 xevent_t:x_event $1_default_xevent_t;
+ # can send ICCCM events to myself
+ allow $2 $1_manage_xevent_t:x_synthetic_event send;
+')
+
+#######################################
+##
+## Template for creating the set of types used
+## in an X windows domain.
+##
+##
+##
+## The prefix of the X client domain (e.g., user
+## is the prefix for user_t).
+##
+##
+#
+template(`xserver_object_types_template',`
+ gen_require(`
+ attribute xproperty_type, input_xevent_type, xevent_type;
+ ')
##############################
#
- # Local Policy
+ # Declarations
#
- # Hacks
- # everyone can get the input focus of everyone else
- # this is a fundamental brokenness in the X protocol
- allow $3 { x_domain x_server_domain }:x_device getfocus;
- # everyone can grab the server
- # everyone does it, it is basically a free DOS attack
- allow $3 x_server_domain:x_server grab;
- # everyone can get the font path, etc.
- # this could leak out sensitive information
- allow $3 x_server_domain:x_server getattr;
- # everyone can do override-redirect windows.
- # this could be used to spoof labels
- allow $3 self:x_drawable override;
- # everyone can receive management events on the root window
- # allows to know when new windows appear, among other things
- allow $3 manage_xevent_t:x_event receive;
-
- # X Server
- # can read server-owned resources
- allow $3 x_server_domain:x_resource read;
- # can mess with own clients
- allow $3 self:x_client { manage destroy };
-
- # X Protocol Extensions
- allow $3 std_xext_t:x_extension { query use };
- allow $3 shmem_xext_t:x_extension { query use };
- dontaudit $3 xextension_type:x_extension { query use };
+ # Types for properties
+ type $1_xproperty_t alias $1_default_xproperty_t, xproperty_type;
+ ubac_constrained($1_xproperty_t)
- # X Properties
- # can read and write client properties
- allow $3 $2_xproperty_t:x_property { create destroy read write append };
- type_transition $3 xproperty_t:x_property $2_xproperty_t;
- # can read and write cut buffers
- allow $3 clipboard_xproperty_t:x_property { create read write append };
- # can read info properties
- allow $3 info_xproperty_t:x_property read;
- # can change properties of root window
- allow $3 $1_rootwindow_t:x_drawable { list_property get_property set_property };
- # can change properties of own windows
- allow $3 self:x_drawable { list_property get_property set_property };
+ # Types for events
+ type $1_input_xevent_t, input_xevent_type, xevent_type;
+ ubac_constrained($1_input_xevent_t)
- # X Windows
- # operations allowed on root windows
- allow $3 $1_rootwindow_t:x_drawable { getattr list_child add_child remove_child send receive };
- # operations allowed on my windows
- allow $3 self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
- type_transition $3 $1_rootwindow_t:x_drawable $3;
+ type $1_property_xevent_t, xevent_type;
+ ubac_constrained($1_property_xevent_t)
- # X Colormaps
- # can use the default colormap
- allow $3 $1_rootwindow_t:x_colormap { read use add_color };
+ type $1_focus_xevent_t, xevent_type;
+ ubac_constrained($1_focus_xevent_t)
- # X Input
- # can receive own events
- allow $3 $2_input_xevent_t:{ x_event x_synthetic_event } receive;
- allow $3 $2_property_xevent_t:{ x_event x_synthetic_event } receive;
- allow $3 $2_focus_xevent_t:{ x_event x_synthetic_event } receive;
- allow $3 $2_manage_xevent_t:{ x_event x_synthetic_event } receive;
- allow $3 $2_default_xevent_t:{ x_event x_synthetic_event } receive;
- allow $3 $2_client_xevent_t:{ x_event x_synthetic_event } receive;
- type_transition $3 input_xevent_t:x_event $2_input_xevent_t;
- type_transition $3 property_xevent_t:x_event $2_property_xevent_t;
- type_transition $3 focus_xevent_t:x_event $2_focus_xevent_t;
- type_transition $3 manage_xevent_t:x_event $2_manage_xevent_t;
- type_transition $3 client_xevent_t:x_event $2_client_xevent_t;
- type_transition $3 xevent_t:x_event $2_default_xevent_t;
- # can receive certain root window events
- allow $3 focus_xevent_t:x_event receive;
- allow $3 property_xevent_t:x_event receive;
- allow $3 client_xevent_t:x_synthetic_event receive;
- allow $3 manage_xevent_t:x_synthetic_event receive;
- # can send ICCCM events to myself
- allow $3 $2_manage_xevent_t:x_synthetic_event send;
- # can send ICCCM events to the root window
- allow $3 manage_xevent_t:x_synthetic_event send;
- allow $3 client_xevent_t:x_synthetic_event send;
-
- # X Selections
- # can use the clipboard
- allow $3 clipboard_xselection_t:x_selection { getattr setattr read };
- # can query all other selections
- allow $3 xselection_t:x_selection { getattr read };
-
- # Other X Objects
- # can create and use cursors
- allow $3 self:x_cursor *;
- # can create and use graphics contexts
- allow $3 self:x_gc *;
- # can create and use colormaps
- allow $3 self:x_colormap *;
- # can read and write own objects
- allow $3 self:x_resource { read write };
-
- tunable_policy(`! xserver_object_manager',`
- # should be xserver_unconfined($3),
- # but typeattribute doesnt work in conditionals
- gen_require(`
- attribute x_server_domain, x_domain;
- attribute xproperty_type, xselection_type;
- attribute xextension_type, xevent_type;
- attribute rootwindow_type;
-
- type remote_xclient_t;
- ')
- allow $3 x_server_domain:x_server *;
- allow $3 { x_domain rootwindow_type }:x_drawable *;
- allow $3 x_server_domain:x_screen *;
- allow $3 x_domain:x_gc *;
- allow $3 { x_domain rootwindow_type }:x_colormap *;
- allow $3 xproperty_type:x_property *;
- allow $3 xselection_type:x_selection *;
- allow $3 x_domain:x_cursor *;
- allow $3 { x_domain remote_xclient_t }:x_client *;
- allow $3 { x_domain x_server_domain }:x_device *;
- allow $3 xextension_type:x_extension *;
- allow $3 { x_domain x_server_domain }:x_resource *;
- allow $3 xevent_type:{ x_event x_synthetic_event } *;
- ')
+ type $1_manage_xevent_t, xevent_type;
+ ubac_constrained($1_manage_xevent_t)
+
+ type $1_default_xevent_t, xevent_type;
+ ubac_constrained($1_default_xevent_t)
+
+ type $1_client_xevent_t, xevent_type;
+ ubac_constrained($1_client_xevent_t)
')
#######################################
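Review bot: In the new gen_require of xserver_common_x_domain_template, `attribute xproperty_type;`, `attribute xevent_type;` and `attribute input_xevent_type;` are no longer referenced in the body — the remaining rules use only the `$1_*` types, `rootwindow_t`, `xproperty_t` and the base event types — so those three lines should be removed (the type declarations that needed them now live in xserver_object_types_template, whose own gen_require lists the attributes). Every type declared in xserver_object_types_template is wrapped in `ubac_constrained()` without explanation; a one-line comment above the first call, e.g. `# X property and event types follow the creating user for UBAC separation`, would tell a reader why these objects are user-constrained, hedged to whatever the ubac module actually enforces.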
@@ -851,12 +376,6 @@ template(`xserver_common_x_domain_template',`
## an X client domain. Provides the minimal set required by a basic
## X client application.
##
-##
-##
-## The prefix of the X server domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## The prefix of the X client domain (e.g., user
@@ -877,46 +396,46 @@ template(`xserver_common_x_domain_template',`
template(`xserver_user_x_domain_template',`
gen_require(`
type xdm_t, xdm_tmp_t;
- type $1_xauth_home_t, $1_iceauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t;
+ type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
')
- allow $3 self:shm create_shm_perms;
- allow $3 self:unix_dgram_socket create_socket_perms;
- allow $3 self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow $2 self:shm create_shm_perms;
+ allow $2 self:unix_dgram_socket create_socket_perms;
+ allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
- allow $3 $1_xauth_home_t:file read_file_perms;
- allow $3 $1_iceauth_home_t:file read_file_perms;
+ allow $2 xauth_home_t:file read_file_perms;
+ allow $2 iceauth_home_t:file read_file_perms;
# for when /tmp/.X11-unix is created by the system
- allow $3 xdm_t:fd use;
- allow $3 xdm_t:fifo_file { getattr read write ioctl };
- allow $3 xdm_tmp_t:dir search_dir_perms;
- allow $3 xdm_tmp_t:sock_file { read write };
- dontaudit $3 xdm_t:tcp_socket { read write };
+ allow $2 xdm_t:fd use;
+ allow $2 xdm_t:fifo_file { getattr read write ioctl };
+ allow $2 xdm_tmp_t:dir search_dir_perms;
+ allow $2 xdm_tmp_t:sock_file { read write };
+ dontaudit $2 xdm_t:tcp_socket { read write };
# Allow connections to X server.
- files_search_tmp($3)
+ files_search_tmp($2)
- miscfiles_read_fonts($3)
+ miscfiles_read_fonts($2)
- userdom_search_user_home_dirs($1, $3)
+ userdom_search_user_home_dirs($2)
# for .xsession-errors
- userdom_dontaudit_write_user_home_content_files($1, $3)
+ userdom_dontaudit_write_user_home_content_files($2)
- xserver_ro_session_template(xdm, $3, $4)
- xserver_rw_session_template($1, $3, $4)
- xserver_use_user_fonts($1, $3)
+ xserver_ro_session($2,$3)
+ xserver_use_user_fonts($2)
- xserver_read_xdm_tmp_files($3)
+ xserver_read_xdm_tmp_files($2)
# X object manager
- xserver_common_x_domain_template($1, $2, $3)
+ xserver_object_types_template($1)
+ xserver_common_x_domain_template($1,$2)
# Client write xserver shm
tunable_policy(`allow_write_xshm',`
- allow $3 $1_xserver_t:shm rw_shm_perms;
- allow $3 $1_xserver_tmpfs_t:file rw_file_perms;
+ allow $2 xserver_t:shm rw_shm_perms;
+ allow $2 xserver_tmpfs_t:file rw_file_perms;
')
')
@@ -935,102 +454,66 @@ template(`xserver_user_x_domain_template',`
## be called from a per-userdomain template.
##
##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## Domain allowed access.
##
##
#
-template(`xserver_use_user_fonts',`
+interface(`xserver_use_user_fonts',`
gen_require(`
- type $1_fonts_t, $1_fonts_cache_t, $1_fonts_config_t;
+ type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
')
# Read per user fonts
- allow $2 $1_fonts_t:dir list_dir_perms;
- allow $2 $1_fonts_t:file read_file_perms;
+ allow $1 user_fonts_t:dir list_dir_perms;
+ allow $1 user_fonts_t:file read_file_perms;
# Manipulate the global font cache
- manage_dirs_pattern($2, $1_fonts_cache_t, $1_fonts_cache_t)
- manage_files_pattern($2, $1_fonts_cache_t, $1_fonts_cache_t)
+ manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
+ manage_files_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
# Read per user font config
- allow $2 $1_fonts_config_t:dir list_dir_perms;
- allow $2 $1_fonts_config_t:file read_file_perms;
+ allow $1 user_fonts_config_t:dir list_dir_perms;
+ allow $1 user_fonts_config_t:file read_file_perms;
- userdom_search_user_home_dirs($1, $2)
+ userdom_search_user_home_dirs($1)
')
########################################
##
-## Transition to a user Xauthority domain.
+## Transition to the Xauthority domain.
##
-##
-##
-## Transition to a user Xauthority domain.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## Domain allowed access.
##
##
#
-template(`xserver_domtrans_user_xauth',`
+interface(`xserver_domtrans_xauth',`
gen_require(`
- type $1_xauth_t, xauth_exec_t;
+ type xauth_t, xauth_exec_t;
')
- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
+ domtrans_pattern($1, xauth_exec_t, xauth_t)
')
########################################
##
-## Transition to a user Xauthority domain.
+## Create a Xauthority file in the user home directory.
##
-##
-##
-## Transition to a user Xauthority domain.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## Domain allowed access.
##
##
#
-template(`xserver_user_home_dir_filetrans_user_xauth',`
+interface(`xserver_user_home_dir_filetrans_user_xauth',`
gen_require(`
- type $1_xauth_home_t;
+ type xauth_home_t;
')
- userdom_user_home_dir_filetrans($1, $2, $1_xauth_home_t, file)
+ userdom_user_home_dir_filetrans($1, xauth_home_t, file)
')
########################################
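Review bot: The paragraph `## This is a templated interface, and should only be called from a per-userdomain template.` kept above `interface(`xserver_use_user_fonts',` is now wrong — the block is an ordinary interface with a single domain parameter — and should be deleted. Naming in this hunk is inconsistent: `xserver_domtrans_user_xauth` becomes `xserver_domtrans_xauth`, but `xserver_user_home_dir_filetrans_user_xauth` keeps both `user` infixes even though its body no longer takes a prefix; `xserver_user_home_dir_filetrans_xauth` would match the new convention. Also `## Create a Xauthority file` should read `## Create an Xauthority file`.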
@@ -1045,23 +528,8 @@ template(`xserver_user_home_dir_filetrans_user_xauth',`
##
#
interface(`xserver_use_all_users_fonts',`
- gen_require(`
- attribute fonts_type, fonts_cache_type, fonts_config_type;
- ')
-
- # Read per user fonts
- allow $1 fonts_type:dir list_dir_perms;
- allow $1 fonts_type:file read_file_perms;
-
- # Manipulate the global font cache
- manage_dirs_pattern($1, fonts_cache_type, fonts_cache_type)
- manage_files_pattern($1, fonts_cache_type, fonts_cache_type)
-
- # Read per user font config
- allow $1 fonts_config_type:dir list_dir_perms;
- allow $1 fonts_config_type:file read_file_perms;
-
- userdom_search_all_users_home_dirs($1)
+ refpolicywarn(`$0() has been deprecated, please use xserver_use_user_fonts.')
+ xserver_use_user_fonts($1)
')
########################################
@@ -1074,13 +542,13 @@ interface(`xserver_use_all_users_fonts',`
##
##
#
-interface(`xserver_read_all_users_xauth',`
+interface(`xserver_read_user_xauth',`
gen_require(`
- attribute xauth_home_type;
+ type xauth_home_t;
')
- allow $1 xauth_home_type:file read_file_perms;
- userdom_search_all_users_home_dirs($1)
+ allow $1 xauth_home_t:file read_file_perms;
+ userdom_search_user_home_dirs($1)
')
########################################
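Review bot: `xserver_read_all_users_xauth` is renamed to `xserver_read_user_xauth` with no deprecated wrapper, whereas the xserver_use_all_users_fonts hunk keeps the old name and emits `refpolicywarn`, so any module still calling the old name fails at build time instead of warning. The same applies to the xdm_xserver interfaces renamed later in this file (xserver_signal, xserver_kill, xserver_dontaudit_rw_tcp_sockets, xserver_dontaudit_rw_stream_sockets) and to the deleted xserver_domtrans_xdm_xserver and xserver_read_xdm_xserver_tmp_files. For consistency keep `interface(`xserver_read_all_users_xauth',` as a shim whose body is `refpolicywarn(`$0() has been deprecated, please use xserver_read_user_xauth.')` followed by `xserver_read_user_xauth($1)`.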
@@ -1311,25 +779,6 @@ interface(`xserver_read_xdm_lib_files',`
########################################
##
-## Execute the X server in the XDM X server domain.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`xserver_domtrans_xdm_xserver',`
- gen_require(`
- type xdm_xserver_t, xserver_exec_t;
- ')
-
- allow $1 xdm_xserver_t:process siginh;
- domtrans_pattern($1, xserver_exec_t, xdm_xserver_t)
-')
-
-########################################
-##
## Make an X session script an entrypoint for the specified domain.
##
##
@@ -1474,24 +923,6 @@ interface(`xserver_read_xkb_libs',`
##
##
#
-interface(`xserver_read_xdm_xserver_tmp_files',`
- gen_require(`
- type xdm_xserver_tmp_t;
- ')
-
- allow $1 xdm_xserver_tmp_t:file read_file_perms;
-')
-
-########################################
-##
-## Read xdm temporary files.
-##
-##
-##
-## Domain to not audit
-##
-##
-#
interface(`xserver_read_xdm_tmp_files',`
gen_require(`
type xdm_tmp_t;
@@ -1577,7 +1008,26 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
########################################
##
-## Signal XDM X servers
+## Execute the X server in the X server domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xserver_domtrans',`
+ gen_require(`
+ type xserver_t, xserver_exec_t;
+ ')
+
+ allow $1 xserver_t:process siginh;
+ domtrans_pattern($1, xserver_exec_t, xserver_t)
+')
+
+########################################
+##
+## Signal X servers
##
##
##
@@ -1585,17 +1035,17 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
##
##
#
-interface(`xserver_signal_xdm_xserver',`
+interface(`xserver_signal',`
gen_require(`
- type xdm_xserver_t;
+ type xserver_t;
')
- allow $1 xdm_xserver_t:process signal;
+ allow $1 xserver_t:process signal;
')
########################################
##
-## Kill XDM X servers
+## Kill X servers
##
##
##
@@ -1603,18 +1053,37 @@ interface(`xserver_signal_xdm_xserver',`
##
##
#
-interface(`xserver_kill_xdm_xserver',`
+interface(`xserver_kill',`
+ gen_require(`
+ type xserver_t;
+ ')
+
+ allow $1 xserver_t:process sigkill;
+')
+
+########################################
+##
+## Read and write X server Sys V Shared
+## memory segments.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xserver_rw_shm',`
gen_require(`
- type xdm_xserver_t;
+ type xserver_t;
')
- allow $1 xdm_xserver_t:process sigkill;
+ allow $1 xserver_t:shm rw_shm_perms;
')
########################################
##
## Do not audit attempts to read and write to
-## a XDM X server socket.
+## X server sockets.
##
##
##
@@ -1622,17 +1091,17 @@ interface(`xserver_kill_xdm_xserver',`
##
##
#
-interface(`xserver_dontaudit_rw_xdm_xserver_tcp_sockets',`
+interface(`xserver_dontaudit_rw_tcp_sockets',`
gen_require(`
- type xdm_xserver_t;
+ type xserver_t;
')
- dontaudit $1 xdm_xserver_t:tcp_socket { read write };
+ dontaudit $1 xserver_t:tcp_socket { read write };
')
########################################
##
-## Do not audit attempts to read and write xdm_xserver
+## Do not audit attempts to read and write X server
## unix domain stream sockets.
##
##
@@ -1641,17 +1110,17 @@ interface(`xserver_dontaudit_rw_xdm_xserver_tcp_sockets',`
##
##
#
-interface(`xserver_dontaudit_rw_xdm_stream_sockets',`
+interface(`xserver_dontaudit_rw_stream_sockets',`
gen_require(`
- type xdm_xserver_t;
+ type xserver_t;
')
- dontaudit $1 xdm_xserver_t:unix_stream_socket { read write };
+ dontaudit $1 xserver_t:unix_stream_socket { read write };
')
########################################
##
-## Connect to xdm_xserver over a unix domain
+## Connect to the X server over a unix domain
## stream socket.
##
##
@@ -1660,31 +1129,32 @@ interface(`xserver_dontaudit_rw_xdm_stream_sockets',`
##
##
#
-interface(`xserver_stream_connect_xdm_xserver',`
+interface(`xserver_stream_connect',`
gen_require(`
- type xdm_xserver_t, xdm_xserver_tmp_t;
+ type xserver_t, xserver_tmp_t;
')
files_search_tmp($1)
- stream_connect_pattern($1, xdm_xserver_tmp_t, xdm_xserver_tmp_t, xdm_xserver_t)
+ stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
')
########################################
##
-## xdm xserver RW shared memory socket.
+## Read X server temporary files.
##
##
##
-## Domain allowed access.
+## Domain to not audit
##
##
#
-interface(`xserver_rw_xdm_xserver_shm',`
+interface(`xserver_read_tmp_files',`
gen_require(`
- type xdm_xserver_t;
+ type xserver_tmp_t;
')
- allow $1 xdm_xserver_t:shm rw_shm_perms;
+ allow $1 xserver_tmp_t:file read_file_perms;
+ files_search_tmp($1)
')
########################################
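Review bot: The parameter description for the new `xserver_read_tmp_files` says `Domain to not audit`, but the interface body emits an `allow` rule, so the text should be `Domain allowed access.` as the neighbouring interfaces use; it looks carried over from a dontaudit-style header. In the same interface `files_search_tmp($1)` follows the access rule, whereas `xserver_stream_connect` just above calls `files_search_tmp($1)` before its rule; placing the search call first keeps the two consistent.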
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 5fae59a..d507654 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,5 +1,23 @@
-policy_module(xserver, 2.2.0)
+policy_module(xserver, 3.0.0)
+
+gen_require(`
+ class x_drawable all_x_drawable_perms;
+ class x_screen all_x_screen_perms;
+ class x_gc all_x_gc_perms;
+ class x_font all_x_font_perms;
+ class x_colormap all_x_colormap_perms;
+ class x_property all_x_property_perms;
+ class x_selection all_x_selection_perms;
+ class x_cursor all_x_cursor_perms;
+ class x_client all_x_client_perms;
+ class x_device all_x_device_perms;
+ class x_server all_x_server_perms;
+ class x_extension all_x_extension_perms;
+ class x_resource all_x_resource_perms;
+ class x_event all_x_event_perms;
+ class x_synthetic_event all_x_synthetic_event_perms;
+')
########################################
#
@@ -28,18 +46,10 @@ gen_tunable(xdm_sysadm_login, false)
##
gen_tunable(xserver_object_manager, false)
-attribute fonts_type;
-attribute fonts_cache_type;
-attribute fonts_config_type;
-attribute xauth_home_type;
-
-# Domains
+attribute input_xevent_type;
attribute xserver_unconfined_type;
-attribute x_server_domain;
-
-# Per-object attributes
-attribute rootwindow_type;
attribute x_domain;
+attribute x_userdomain;
attribute xproperty_type;
attribute xselection_type;
attribute xextension_type;
@@ -53,8 +63,18 @@ type debug_xext_t, xextension_type;
type directhw_xext_t alias disallowed_xext_t, xextension_type;
type focus_xevent_t, xevent_type;
+type iceauth_t;
type iceauth_exec_t;
-application_executable_file(iceauth_exec_t)
+typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t };
+typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t };
+application_domain(iceauth_t, iceauth_exec_t)
+ubac_constrained(iceauth_t)
+
+type iceauth_home_t;
+typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t };
+typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t };
+files_poly_member(iceauth_home_t)
+userdom_user_home_content(iceauth_home_t)
type info_xproperty_t, xproperty_type;
type input_xevent_t, xevent_type;
@@ -62,19 +82,73 @@ type manage_xevent_t, xevent_type;
type output_xext_t, xextension_type;
type property_xevent_t, xevent_type;
type remote_xclient_t;
+
+type rootwindow_t;
+typealias rootwindow_t alias { user_rootwindow_t staff_rootwindow_t sysadm_rootwindow_t };
+typealias rootwindow_t alias { auditadm_rootwindow_t secadm_rootwindow_t };
+ubac_constrained(rootwindow_t)
+
type screensaver_xext_t, xextension_type;
type security_xext_t, xextension_type;
type shmem_xext_t, xextension_type;
type std_xext_t, xextension_type;
type video_xext_t, xextension_type;
type unknown_xevent_t, xevent_type;
+
+xserver_object_types_template(user)
+typealias user_xproperty_t alias { staff_xproperty_t sysadm_xproperty_t };
+typealias user_xproperty_t alias { auditadm_xproperty_t secadm_xproperty_t };
+typealias user_input_xevent_t alias { staff_input_xevent_t sysadm_input_xevent_t };
+typealias user_input_xevent_t alias { auditadm_input_xevent_t secadm_input_xevent_t };
+typealias user_property_xevent_t alias { staff_property_xevent_t sysadm_property_xevent_t };
+typealias user_property_xevent_t alias { auditadm_property_xevent_t secadm_property_xevent_t };
+typealias user_focus_xevent_t alias { staff_focus_xevent_t sysadm_focus_xevent_t };
+typealias user_focus_xevent_t alias { auditadm_focus_xevent_t secadm_focus_xevent_t };
+typealias user_manage_xevent_t alias { staff_manage_xevent_t sysadm_manage_xevent_t };
+typealias user_manage_xevent_t alias { auditadm_manage_xevent_t secadm_manage_xevent_t };
+typealias user_default_xevent_t alias { staff_default_xevent_t sysadm_default_xevent_t };
+typealias user_default_xevent_t alias { auditadm_default_xevent_t secadm_default_xevent_t };
+typealias user_client_xevent_t alias { staff_client_xevent_t sysadm_client_xevent_t };
+typealias user_client_xevent_t alias { auditadm_client_xevent_t secadm_client_xevent_t };
+
+type user_fonts_t;
+typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t };
+typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t };
+userdom_user_home_content(user_fonts_t)
+
+type user_fonts_cache_t;
+typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t };
+typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t };
+userdom_user_home_content(user_fonts_cache_t)
+
+type user_fonts_config_t;
+typealias user_fonts_config_t alias { staff_fonts_config_t sysadm_fonts_config_t };
+typealias user_fonts_config_t alias { auditadm_fonts_config_t secadm_fonts_config_t };
+userdom_user_home_content(user_fonts_cache_t)
+
type xevent_t alias default_xevent_t, xevent_type;
type xext_t alias unknown_xext_t, xextension_type;
type xproperty_t alias default_xproperty_t, xproperty_type;
type xselection_t alias default_xselection_t, xselection_type;
+type xauth_t;
type xauth_exec_t;
-application_executable_file(xauth_exec_t)
+typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t };
+typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t };
+application_domain(xauth_t, xauth_exec_t)
+ubac_constrained(xauth_t)
+
+type xauth_home_t;
+typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t };
+typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t };
+files_poly_member(xauth_home_t)
+userdom_user_home_content(xauth_home_t)
+
+type xauth_tmp_t;
+typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t };
+typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
+files_tmp_file(xauth_tmp_t)
+ubac_constrained(xauth_tmp_t)
# this is not actually a device, its a pipe
type xconsole_device_t;
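Review bot: `userdom_user_home_content(user_fonts_cache_t)` directly under `type user_fonts_config_t;` repeats the call already made for the cache type, so `user_fonts_config_t` is never passed to that interface while `user_fonts_t` and `user_fonts_cache_t` are; this reads as a copy-paste slip and should be `userdom_user_home_content(user_fonts_config_t)`. Whatever attributes that interface attaches to its sibling types are presumably missing from the config type, which would affect any home-directory rules keyed on them.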
@@ -112,8 +186,26 @@ type xkb_var_lib_t;
files_type(xkb_var_lib_t)
# Type for the executable used to start the X server, e.g. Xwrapper.
+type xserver_t;
type xserver_exec_t;
-corecmd_executable_file(xserver_exec_t)
+typealias xserver_t alias { user_xserver_t staff_xserver_t sysadm_xserver_t };
+typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t };
+xserver_object_types_template(xdm)
+xserver_common_x_domain_template(xdm,xdm_t)
+init_system_domain(xserver_t, xserver_exec_t)
+ubac_constrained(xserver_t)
+
+type xserver_tmp_t;
+typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t };
+typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t };
+files_tmp_file(xserver_tmp_t)
+ubac_constrained(xserver_tmp_t)
+
+type xserver_tmpfs_t;
+typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t };
+typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t };
+files_tmpfs_file(xserver_tmpfs_t)
+ubac_constrained(xserver_tmpfs_t)
type xsession_exec_t;
corecmd_executable_file(xsession_exec_t)
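Review bot: `xserver_object_types_template(xdm)` and `xserver_common_x_domain_template(xdm,xdm_t)` are placed between the `xserver_t` typealias lines and `init_system_domain(xserver_t, xserver_exec_t)`, although they instantiate xdm's X objects rather than anything about xserver_t, which breaks the xserver_t declaration into two halves; moving them next to the xdm_t declarations (or after the xserver_t block) keeps each domain's declarations together. The second call also drops the space after the comma, unlike the surrounding calls; the same spacing appears in `stream_connect_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t,xserver_t)` and the two `delete_*_pattern` lines in the xdm hunk, in `xserver_rw_session(xdm_t,xdm_tmpfs_t)`, and in `filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t,sock_file)` and `logging_log_filetrans(xserver_t, xserver_log_t,file)` in the X server hunk.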
@@ -122,10 +214,6 @@ corecmd_executable_file(xsession_exec_t)
type xserver_log_t;
logging_log_file(xserver_log_t)
-xserver_common_domain_template(xdm)
-xserver_common_x_domain_template(xdm, xdm, xdm_t)
-init_system_domain(xdm_xserver_t, xserver_exec_t)
-
ifdef(`enable_mcs',`
init_ranged_domain(xdm_t,xdm_exec_t,s0 - mcs_systemhigh)
init_ranged_daemon_domain(xdm_t,xdm_exec_t,s0 - mcs_systemhigh)
@@ -137,6 +225,78 @@ optional_policy(`
########################################
#
+# Iceauth local policy
+#
+
+allow iceauth_t iceauth_home_t:file manage_file_perms;
+userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
+
+allow xdm_t iceauth_home_t:file read_file_perms;
+
+fs_search_auto_mountpoints(iceauth_t)
+
+userdom_use_user_terminals(iceauth_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files(iceauth_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(iceauth_t)
+')
+
+########################################
+#
+# Xauth local policy
+#
+
+allow xauth_t self:process signal;
+allow xauth_t self:unix_stream_socket create_stream_socket_perms;
+
+allow xauth_t xauth_home_t:file manage_file_perms;
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
+
+manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
+manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
+files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
+
+allow xdm_t xauth_home_t:file manage_file_perms;
+userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
+
+domain_use_interactive_fds(xauth_t)
+
+files_read_etc_files(xauth_t)
+files_search_pids(xauth_t)
+
+fs_getattr_xattr_fs(xauth_t)
+fs_search_auto_mountpoints(xauth_t)
+
+# cjp: why?
+term_use_ptmx(xauth_t)
+
+auth_use_nsswitch(xauth_t)
+
+userdom_use_user_terminals(xauth_t)
+userdom_read_user_tmp_files(xauth_t)
+
+xserver_rw_xdm_tmp_files(xauth_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files(xauth_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(xauth_t)
+')
+
+optional_policy(`
+ ssh_sigchld(xauth_t)
+ ssh_read_pipes(xauth_t)
+ ssh_dontaudit_rw_tcp_sockets(xauth_t)
+')
+
+########################################
+#
# XDM Local policy
#
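Review bot: `term_use_ptmx(xauth_t)` is added with only `# cjp: why?` above it, so the rule ships with an unexplained grant of pty-master access to the xauth domain. An open question is not a rationale: either leave the line out until a denial shows it is needed, or replace the comment with the observed trigger, e.g. `# needed for <observed use case / denial> — see <reference>` with the placeholders filled in from the actual report. The `cjp:` placeholder comment in the XDM Xserver section further down deserves the same treatment.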
@@ -186,25 +346,25 @@ manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
manage_fifo_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file })
-allow xdm_t xdm_xserver_t:process signal;
-allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
+allow xdm_t xserver_t:process signal;
+allow xdm_t xserver_t:unix_stream_socket connectto;
-allow xdm_t xdm_xserver_tmp_t:sock_file rw_sock_file_perms;
-allow xdm_t xdm_xserver_tmp_t:dir { setattr list_dir_perms };
+allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
+allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms };
# transition to the xdm xserver
-domtrans_pattern(xdm_t, xserver_exec_t, xdm_xserver_t)
-allow xdm_xserver_t xdm_t:process signal;
-allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
+domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
+allow xserver_t xdm_t:process signal;
+allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
-allow xdm_t xdm_xserver_t:shm rw_shm_perms;
+allow xdm_t xserver_t:shm rw_shm_perms;
# connect to xdm xserver over stream socket
-stream_connect_pattern(xdm_t, xdm_xserver_tmp_t, xdm_xserver_tmp_t, xdm_xserver_t)
+stream_connect_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t,xserver_t)
# Remove /tmp/.X11-unix/X0.
-delete_files_pattern(xdm_t, xdm_xserver_tmp_t, xdm_xserver_tmp_t)
-delete_sock_files_pattern(xdm_t, xdm_xserver_tmp_t, xdm_xserver_tmp_t)
+delete_files_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t)
+delete_sock_files_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t)
manage_dirs_pattern(xdm_t, xserver_log_t, xserver_log_t)
manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
@@ -308,14 +468,12 @@ sysnet_read_config(xdm_t)
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
# for .dmrc
-userdom_read_unpriv_users_home_content_files(xdm_t)
+userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
-sysadm_dontaudit_search_home_dirs(xdm_t)
-
-xserver_rw_session_template(xdm, xdm_t, xdm_tmpfs_t)
+xserver_rw_session(xdm_t,xdm_tmpfs_t)
xserver_unconfined(xdm_t)
tunable_policy(`use_nfs_home_dirs',`
@@ -340,8 +498,8 @@ tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_unpriv_users(xdm_t)
# FIXME:
# xserver_rw_session_template(xdm,unpriv_userdomain)
-# dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
-# allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms;
+# dontaudit xserver_t sysadm_t:shm { unix_read unix_write };
+# allow xserver_t xdm_tmpfs_t:file rw_file_perms;
')
optional_policy(`
@@ -380,6 +538,10 @@ optional_policy(`
')
optional_policy(`
+ resmgr_stream_connect(xdm_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(xdm_t)
')
@@ -414,59 +576,275 @@ optional_policy(`
########################################
#
+# X server local policy
+#
+
+# setuid/setgid for the wrapper program to change UID
+# sys_rawio is for iopl access - should not be needed for frame-buffer
+# sys_admin, locking shared mem? chowning IPC message queues or semaphores?
+# admin of APM bios?
+# sys_nice is so that the X server can set a negative nice value
+# execheap needed until the X module loader is fixed.
+# NVIDIA Needs execstack
+
+allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
+dontaudit xserver_t self:capability chown;
+allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow xserver_t self:memprotect mmap_zero;
+allow xserver_t self:fd use;
+allow xserver_t self:fifo_file rw_fifo_file_perms;
+allow xserver_t self:sock_file read_sock_file_perms;
+allow xserver_t self:shm create_shm_perms;
+allow xserver_t self:sem create_sem_perms;
+allow xserver_t self:msgq create_msgq_perms;
+allow xserver_t self:msg { send receive };
+allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow xserver_t self:tcp_socket create_stream_socket_perms;
+allow xserver_t self:udp_socket create_socket_perms;
+
+# Device rules
+allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell };
+
+allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
+
+domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
+
+allow xserver_t xauth_home_t:file read_file_perms;
+
+# Labeling rules for root windows and colormaps
+type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
+
+allow xserver_t { rootwindow_t x_domain }:x_drawable send;
+
+manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
+manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
+manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
+files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+
+filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t,sock_file)
+
+manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+manage_fifo_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
+fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+files_search_var_lib(xserver_t)
+
+# Create files in /var/log with the xserver_log_t type.
+manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
+logging_log_filetrans(xserver_t, xserver_log_t,file)
+
+kernel_read_system_state(xserver_t)
+kernel_read_device_sysctls(xserver_t)
+kernel_read_modprobe_sysctls(xserver_t)
+# Xorg wants to check if kernel is tainted
+kernel_read_kernel_sysctls(xserver_t)
+kernel_write_proc_files(xserver_t)
+
+# Run helper programs in xserver_t.
+corecmd_exec_bin(xserver_t)
+corecmd_exec_shell(xserver_t)
+
+corenet_all_recvfrom_unlabeled(xserver_t)
+corenet_all_recvfrom_netlabel(xserver_t)
+corenet_tcp_sendrecv_generic_if(xserver_t)
+corenet_udp_sendrecv_generic_if(xserver_t)
+corenet_tcp_sendrecv_all_nodes(xserver_t)
+corenet_udp_sendrecv_all_nodes(xserver_t)
+corenet_tcp_sendrecv_all_ports(xserver_t)
+corenet_udp_sendrecv_all_ports(xserver_t)
+corenet_tcp_bind_all_nodes(xserver_t)
+corenet_tcp_bind_xserver_port(xserver_t)
+corenet_tcp_connect_all_ports(xserver_t)
+corenet_sendrecv_xserver_server_packets(xserver_t)
+corenet_sendrecv_all_client_packets(xserver_t)
+
+dev_rw_sysfs(xserver_t)
+dev_rw_mouse(xserver_t)
+dev_rw_mtrr(xserver_t)
+dev_rw_apm_bios(xserver_t)
+dev_rw_agp(xserver_t)
+dev_rw_framebuffer(xserver_t)
+dev_manage_dri_dev(xserver_t)
+dev_create_generic_dirs(xserver_t)
+dev_setattr_generic_dirs(xserver_t)
+# raw memory access is needed if not using the frame buffer
+dev_read_raw_memory(xserver_t)
+dev_wx_raw_memory(xserver_t)
+# for other device nodes such as the NVidia binary-only driver
+dev_rw_xserver_misc(xserver_t)
+# read events - the synaptics touchpad driver reads raw events
+dev_rw_input_dev(xserver_t)
+dev_rwx_zero(xserver_t)
+
+domain_mmap_low(xserver_t)
+
+files_read_etc_files(xserver_t)
+files_read_etc_runtime_files(xserver_t)
+files_read_usr_files(xserver_t)
+
+# brought on by rhgb
+files_search_mnt(xserver_t)
+# for nscd
+files_dontaudit_search_pids(xserver_t)
+
+fs_getattr_xattr_fs(xserver_t)
+fs_search_nfs(xserver_t)
+fs_search_auto_mountpoints(xserver_t)
+fs_search_ramfs(xserver_t)
+
+mls_xwin_read_to_clearance(xserver_t)
+
+selinux_validate_context(xserver_t)
+selinux_compute_access_vector(xserver_t)
+selinux_compute_create_context(xserver_t)
+
+auth_use_nsswitch(xserver_t)
+
+init_getpgid(xserver_t)
+
+term_setattr_unallocated_ttys(xserver_t)
+term_use_unallocated_ttys(xserver_t)
+
+getty_use_fds(xserver_t)
+
+locallogin_use_fds(xserver_t)
+
+logging_send_syslog_msg(xserver_t)
+logging_send_audit_msgs(xserver_t)
+
+miscfiles_read_localization(xserver_t)
+miscfiles_read_fonts(xserver_t)
+
+modutils_domtrans_insmod(xserver_t)
+
+# read x_contexts
+seutil_read_default_contexts(xserver_t)
+
+userdom_search_user_home_dirs(xserver_t)
+userdom_use_user_ttys(xserver_t)
+userdom_setattr_user_ttys(xserver_t)
+userdom_rw_user_tmpfs_files(xserver_t)
+
+xserver_use_user_fonts(xserver_t)
+
+ifndef(`distro_redhat',`
+ allow xserver_t self:process { execmem execheap execstack };
+')
+
+ifdef(`distro_rhel4',`
+ allow xserver_t self:process { execmem execheap execstack };
+')
+
+ifdef(`enable_mls',`
+ range_transition xserver_t xserver_tmp_t:sock_file s0 - mls_systemhigh;
+ range_transition xserver_t rootwindow_t:x_drawable s0 - mls_systemhigh;
+')
+
+tunable_policy(`!xserver_object_manager',`
+ # should be xserver_unconfined(xserver_t),
+ # but typeattribute doesnt work in conditionals
+
+ allow xserver_t xserver_t:x_server *;
+ allow xserver_t { x_domain rootwindow_t }:x_drawable *;
+ allow xserver_t xserver_t:x_screen *;
+ allow xserver_t x_domain:x_gc *;
+ allow xserver_t { x_domain rootwindow_t }:x_colormap *;
+ allow xserver_t xproperty_type:x_property *;
+ allow xserver_t xselection_type:x_selection *;
+ allow xserver_t x_domain:x_cursor *;
+ allow xserver_t { x_domain remote_xclient_t }:x_client *;
+ allow xserver_t { x_domain xserver_t }:x_device *;
+ allow xserver_t xextension_type:x_extension *;
+ allow xserver_t { x_domain xserver_t }:x_resource *;
+ allow xserver_t xevent_type:{ x_event x_synthetic_event } *;
+')
+
+optional_policy(`
+ apm_stream_connect(xserver_t)
+')
+
+optional_policy(`
+ auth_search_pam_console_data(xserver_t)
+')
+
+optional_policy(`
+ rhgb_getpgid(xserver_t)
+ rhgb_signal(xserver_t)
+')
+
+optional_policy(`
+ unconfined_domain_noaudit(xserver_t)
+ unconfined_domtrans(xserver_t)
+')
+
+optional_policy(`
+ userhelper_search_config(xserver_t)
+')
+
+optional_policy(`
+ xfs_stream_connect(xserver_t)
+')
+
+########################################
+#
# XDM Xserver local policy
#
+# cjp: when xdm is configurable via tunable these
+# rules will be enabled only when xdm is enabled
-allow xdm_xserver_t xdm_t:process { signal getpgid };
-allow xdm_xserver_t xdm_t:shm rw_shm_perms;
+allow xserver_t xdm_t:process { signal getpgid };
+allow xserver_t xdm_t:shm rw_shm_perms;
-# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
+# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
-allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
-dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
+allow xserver_t xdm_var_lib_t:file { getattr read };
+dontaudit xserver_t xdm_var_lib_t:dir search;
-allow xdm_xserver_t xdm_var_run_t:file read_file_perms;
+allow xserver_t xdm_var_run_t:file read_file_perms;
# Label pid and temporary files with derived types.
-manage_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t)
-manage_lnk_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t)
-manage_sock_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t)
+manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
-allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
-can_exec(xdm_xserver_t, xkb_var_lib_t)
-files_search_var_lib(xdm_xserver_t)
+allow xserver_t xkb_var_lib_t:lnk_file read;
+can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-corenet_tcp_bind_vnc_port(xdm_xserver_t)
-
-fs_search_auto_mountpoints(xdm_xserver_t)
+corenet_tcp_bind_vnc_port(xserver_t)
-init_use_fds(xdm_xserver_t)
+init_use_fds(xserver_t)
# FIXME: After per user fonts are properly working
-# xdm_xserver_t may no longer have any reason
+# xserver_t may no longer have any reason
# to read ROLE_home_t - examine this in more detail
# (xauth?)
-userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
+userdom_read_user_home_content_files(xserver_t)
-xserver_use_all_users_fonts(xdm_xserver_t)
+xserver_use_user_fonts(xserver_t)
tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(xdm_xserver_t)
- fs_manage_nfs_files(xdm_xserver_t)
- fs_manage_nfs_symlinks(xdm_xserver_t)
+ fs_manage_nfs_dirs(xserver_t)
+ fs_manage_nfs_files(xserver_t)
+ fs_manage_nfs_symlinks(xserver_t)
')
tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(xdm_xserver_t)
- fs_manage_cifs_files(xdm_xserver_t)
- fs_manage_cifs_symlinks(xdm_xserver_t)
+ fs_manage_cifs_dirs(xserver_t)
+ fs_manage_cifs_files(xserver_t)
+ fs_manage_cifs_symlinks(xserver_t)
')
optional_policy(`
- dbus_system_bus_client_template(xdm_xserver, xdm_xserver_t)
- hal_dbus_chat(xdm_xserver_t)
+ dbus_system_bus_client(xserver_t)
+ hal_dbus_chat(xserver_t)
')
optional_policy(`
@@ -474,21 +852,105 @@ optional_policy(`
')
optional_policy(`
- rhgb_rw_shm(xdm_xserver_t)
- rhgb_rw_tmpfs_files(xdm_xserver_t)
+ rhgb_rw_shm(xserver_t)
+ rhgb_rw_tmpfs_files(xserver_t)
')
-optional_policy(`
- unconfined_domain_noaudit(xdm_xserver_t)
- unconfined_domtrans(xdm_xserver_t)
-
- ifndef(`distro_redhat',`
- allow xdm_xserver_t self:process { execheap execmem };
- ')
+########################################
+#
+# Rules common to all X window domains
+#
- ifdef(`distro_rhel4',`
- allow xdm_xserver_t self:process { execheap execmem };
- ')
+# Hacks
+# everyone can get the input focus of everyone else
+# this is a fundamental brokenness in the X protocol
+allow x_domain { x_domain xserver_t }:x_device getfocus;
+# everyone can grab the server
+# everyone does it, it is basically a free DOS attack
+allow x_domain xserver_t:x_server grab;
+# everyone can get the font path, etc.
+# this could leak out sensitive information
+allow x_domain xserver_t:x_server getattr;
+# everyone can do override-redirect windows.
+# this could be used to spoof labels
+allow x_domain self:x_drawable override;
+# everyone can receive management events on the root window
+# allows to know when new windows appear, among other things
+allow x_domain manage_xevent_t:x_event receive;
+
+# X Server
+# can read server-owned resources
+allow x_domain xserver_t:x_resource read;
+# can mess with own clients
+allow x_domain self:x_client { manage destroy };
+
+# X Protocol Extensions
+allow x_domain std_xext_t:x_extension { query use };
+allow x_domain shmem_xext_t:x_extension { query use };
+dontaudit x_domain xextension_type:x_extension { query use };
+
+# X Properties
+# can read and write cut buffers
+allow x_domain clipboard_xproperty_t:x_property { create read write append };
+# can read info properties
+allow x_domain info_xproperty_t:x_property read;
+# can change properties of root window
+allow x_domain rootwindow_t:x_drawable { list_property get_property set_property };
+# can change properties of own windows
+allow x_domain self:x_drawable { list_property get_property set_property };
+
+# X Windows
+# operations allowed on root windows
+allow x_domain rootwindow_t:x_drawable { getattr list_child add_child remove_child send receive };
+# operations allowed on my windows
+allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
+
+# X Colormaps
+# can use the default colormap
+allow x_domain rootwindow_t:x_colormap { read use add_color };
+
+# X Input
+# can receive certain root window events
+allow x_domain focus_xevent_t:x_event receive;
+allow x_domain property_xevent_t:x_event receive;
+allow x_domain client_xevent_t:x_synthetic_event receive;
+allow x_domain manage_xevent_t:x_synthetic_event receive;
+# can send ICCCM events to the root window
+allow x_domain manage_xevent_t:x_synthetic_event send;
+allow x_domain client_xevent_t:x_synthetic_event send;
+# X Selections
+# can use the clipboard
+allow x_domain clipboard_xselection_t:x_selection { getattr setattr read };
+# can query all other selections
+allow x_domain xselection_t:x_selection { getattr read };
+
+# Other X Objects
+# can create and use cursors
+allow x_domain self:x_cursor *;
+# can create and use graphics contexts
+allow x_domain self:x_gc *;
+# can create and use colormaps
+allow x_domain self:x_colormap *;
+# can read and write own objects
+allow x_domain self:x_resource { read write };
+
+tunable_policy(`! xserver_object_manager',`
+ # should be xserver_unconfined(x_domain),
+ # but typeattribute doesnt work in conditionals
+
+ allow x_domain xserver_t:x_server *;
+ allow x_domain { x_domain rootwindow_t }:x_drawable *;
+ allow x_domain xserver_t:x_screen *;
+ allow x_domain x_domain:x_gc *;
+ allow x_domain { x_domain rootwindow_t }:x_colormap *;
+ allow x_domain xproperty_type:x_property *;
+ allow x_domain xselection_type:x_selection *;
+ allow x_domain x_domain:x_cursor *;
+ allow x_domain { x_domain remote_xclient_t }:x_client *;
+ allow x_domain { x_domain xserver_t }:x_device *;
+ allow x_domain xextension_type:x_extension *;
+ allow x_domain { x_domain xserver_t }:x_resource *;
+ allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
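Review bot: The condition is spelled `tunable_policy(`! xserver_object_manager',` here but `tunable_policy(`!xserver_object_manager',` in the X server section above, and the two blocks contain the same thirteen wildcard `allow` rules differing only in the subject. Normalising the spelling to `!xserver_object_manager` avoids a reader wondering whether two different booleans are involved. Since the comment already explains that `xserver_unconfined()` cannot be used inside a conditional, the duplicated body could be expressed once as an m4 `define` taking the subject as its argument and expanded in both places.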
########################################
@@ -496,35 +958,21 @@ optional_policy(`
# Rules for unconfined access to this module
#
-allow xserver_unconfined_type x_server_domain:x_server *;
-allow xserver_unconfined_type { x_domain rootwindow_type }:x_drawable *;
-allow xserver_unconfined_type x_server_domain:x_screen *;
+allow xserver_unconfined_type xserver_t:x_server *;
+allow xserver_unconfined_type { x_domain rootwindow_t }:x_drawable *;
+allow xserver_unconfined_type xserver_t:x_screen *;
allow xserver_unconfined_type x_domain:x_gc *;
-allow xserver_unconfined_type { x_domain rootwindow_type }:x_colormap *;
+allow xserver_unconfined_type { x_domain rootwindow_t }:x_colormap *;
allow xserver_unconfined_type xproperty_type:x_property *;
allow xserver_unconfined_type xselection_type:x_selection *;
allow xserver_unconfined_type x_domain:x_cursor *;
allow xserver_unconfined_type { x_domain remote_xclient_t }:x_client *;
-allow xserver_unconfined_type { x_domain x_server_domain }:x_device *;
+allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
allow xserver_unconfined_type xextension_type:x_extension *;
-allow xserver_unconfined_type { x_domain x_server_domain }:x_resource *;
+allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
ifdef(`TODO',`
-# Need to further investigate these permissions and
-# perhaps define derived types.
-allow xdm_t var_lib_t:dir { write search add_name remove_name create unlink };
-allow xdm_t var_lib_t:file { create write unlink };
-
-# Do not audit attempts to write to index files under /usr
-dontaudit xdm_t usr_t:file write;
-
-ifdef(`rhgb.te', `
-allow xdm_xserver_t ramfs_t:dir rw_dir_perms;
-allow xdm_xserver_t ramfs_t:file manage_file_perms;
-allow rhgb_t xdm_xserver_t:process signal;
-')
-
tunable_policy(`allow_polyinstantiation',`
# xdm needs access for linking .X11-unix to poly /tmp
allow xdm_t polymember:dir { add_name remove_name write };
@@ -537,8 +985,4 @@ allow xdm_t polymember:file { create getattr write };
# Wants to delete .xsession-errors file
#
allow xdm_t user_home_type:file unlink;
-#
-# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
-#
-allow pam_t xdm_t:fifo_file { getattr ioctl write };
') dnl end TODO
diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
index 15458df..a663133 100644
--- a/policy/modules/services/zebra.te
+++ b/policy/modules/services/zebra.te
@@ -1,5 +1,5 @@
-policy_module(zebra, 1.8.0)
+policy_module(zebra, 1.8.1)
########################################
#
@@ -113,8 +113,7 @@ miscfiles_read_localization(zebra_t)
sysnet_read_config(zebra_t)
userdom_dontaudit_use_unpriv_user_fds(zebra_t)
-
-sysadm_dontaudit_search_home_dirs(zebra_t)
+userdom_dontaudit_search_user_home_dirs(zebra_t)
tunable_policy(`allow_zebra_write_config',`
manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index cdda011..7fb4cfe 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1,156 +1,33 @@
## Common policy for authentication and user login.
-#######################################
-##
-## Common template to create a domain for authentication.
-##
-##
-##
-## This template creates a derived domain which is allowed
-## to authenticate users by using PAM unix_chkpwd support.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-#
-template(`authlogin_common_auth_domain_template',`
- gen_require(`
- attribute can_read_shadow_passwords;
- type chkpwd_exec_t, shadow_t;
- ')
-
- type $1_chkpwd_t, can_read_shadow_passwords;
- application_domain($1_chkpwd_t,chkpwd_exec_t)
-
- allow $1_chkpwd_t self:capability { dac_override setuid };
- dontaudit $1_chkpwd_t self:capability sys_tty_config;
- allow $1_chkpwd_t self:process getattr;
-
- files_list_etc($1_chkpwd_t)
- allow $1_chkpwd_t shadow_t:file read_file_perms;
-
- # is_selinux_enabled
- kernel_read_system_state($1_chkpwd_t)
-
- dev_read_rand($1_chkpwd_t)
- dev_read_urand($1_chkpwd_t)
-
- files_read_etc_files($1_chkpwd_t)
- # for nscd
- files_dontaudit_search_var($1_chkpwd_t)
-
- fs_dontaudit_getattr_xattr_fs($1_chkpwd_t)
-
- auth_use_nsswitch($1_chkpwd_t)
-
- logging_send_audit_msgs($1_chkpwd_t)
- logging_send_syslog_msg($1_chkpwd_t)
-
- miscfiles_read_localization($1_chkpwd_t)
-
- seutil_read_config($1_chkpwd_t)
-
- optional_policy(`
- kerberos_use($1_chkpwd_t)
- ')
-')
-
-#######################################
+########################################
##
-## The per role template for the authlogin module.
+## Role access for password authentication.
##
-##
-##
-## This template creates a derived domain which is allowed
-## to authenticate users by using PAM unix_chkpwd support.
-## This domain will be used by any programs running in the
-## user domain which use PAM to authenticate.
-##
-##
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
+##
##
-## The type of the user domain.
+## Role allowed access.
##
##
-##
+##
##
-## The role associated with the user domain.
+## Domain allowed access.
##
##
#
-template(`authlogin_per_role_template',`
-
+interface(`auth_role',`
gen_require(`
- type system_chkpwd_t, shadow_t;
+ type chkpwd_t, chkpwd_exec_t, shadow_t;
')
- authlogin_common_auth_domain_template($1)
-
- role $3 types $1_chkpwd_t;
- role $3 types system_chkpwd_t;
-
- dontaudit $2 shadow_t:file read_file_perms;
+ role $1 types chkpwd_t;
# Transition from the user domain to this domain.
- domtrans_pattern($2,chkpwd_exec_t,$1_chkpwd_t)
-
- domain_use_interactive_fds($1_chkpwd_t)
+ domtrans_pattern($2, chkpwd_exec_t, chkpwd_t)
- seutil_use_newrole_fds($1_chkpwd_t)
-
- # Write to the user domain tty.
- userdom_use_user_terminals($1,$1_chkpwd_t)
-')
-
-########################################
-##
-## Run unix_chkpwd to check a password
-## for a user domain.
-##
-##
-##
-## Run unix_chkpwd to check a password
-## for a user domain.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`auth_domtrans_user_chk_passwd',`
- gen_require(`
- type $1_chkpwd_t, chkpwd_exec_t;
- ')
+ ps_process_pattern($2, chkpwd_t)
- corecmd_search_bin($2)
- domtrans_pattern($2,chkpwd_exec_t,$1_chkpwd_t)
+ dontaudit $2 shadow_t:file read_file_perms;
')
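Review bot: `auth_role` drops the `corecmd_search_bin($2)` call that the removed `auth_domtrans_user_chk_passwd` made before its `domtrans_pattern`, while the sibling `auth_domtrans_chk_passwd` below still calls `corecmd_search_bin($1)`; a caller whose domain does not already search bin directories would then fail the transition on path lookup, so add `corecmd_search_bin($2)` immediately before the `domtrans_pattern($2, chkpwd_exec_t, chkpwd_t)` line for consistency. Separately, `ps_process_pattern($2, chkpwd_t)` now targets one chkpwd_t shared by every role, whereas the old template gave each role its own `$1_chkpwd_t`, so cross-role visibility of a helper that reads shadow_t is no longer separated by TE and presumably rests on UBAC/MLS constraints. The interface header should state that, e.g. `## Separation of chkpwd_t processes between users relies on UBAC, not on type enforcement.`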
########################################
@@ -319,11 +196,11 @@ interface(`auth_ranged_domtrans_login_program',`
#
interface(`auth_domtrans_chk_passwd',`
gen_require(`
- type system_chkpwd_t, chkpwd_exec_t, shadow_t;
+ type chkpwd_t, chkpwd_exec_t, shadow_t;
')
corecmd_search_bin($1)
- domtrans_pattern($1, chkpwd_exec_t, system_chkpwd_t)
+ domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
dontaudit $1 shadow_t:file { getattr read };
@@ -369,20 +246,14 @@ interface(`auth_domtrans_chk_passwd',`
## The role to allow the chkpwd domain.
##
##
-##
-##
-## The type of the terminal allow the chkpwd domain to use.
-##
-##
#
interface(`auth_run_chk_passwd',`
gen_require(`
- type system_chkpwd_t;
+ type chkpwd_t;
')
auth_domtrans_chk_passwd($1)
- role $2 types system_chkpwd_t;
- allow system_chkpwd_t $3:chr_file rw_file_perms;
+ role $2 types chkpwd_t;
')
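Review bot: Removing the third (terminal) parameter from `auth_run_chk_passwd` changes the interface's arity, and m4 does not diagnose surplus arguments to a user-defined macro, so any call site outside this commit that still passes a terminal type will build silently with the extra argument discarded — stale callers cannot be caught at build time. The same removal is made in auth_run_upd_passwd, auth_run_pam, auth_run_utempter, clock_run, fstools_run, hostname_run, init_run_daemon, ipsec_run_setkey, iptables_run, libs_run_ldconfig, logging_run_auditctl, logging_run_auditd, lvm_run, modutils_run_insmod, modutils_run_depmod, modutils_run_update_mods, mount_run, mount_run_unconfined, netlabel_run_mgmt, pcmcia_run_cardctl and seutil_run_checkpolicy. The updated three-argument calls inside iptables_run, mount_run and modutils_run_update_mods show such callers exist, so a tree-wide search for remaining three-argument invocations of these `*_run_*` interfaces would confirm none were missed. The description of each should also note that terminal access is now granted to the target domain unconditionally in its .te file (here `userdom_use_user_terminals(chkpwd_t)` in authlogin.te) rather than per caller.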
########################################
@@ -419,11 +290,6 @@ interface(`auth_domtrans_upd_passwd',`
## The role to allow the updpwd domain.
##
##
-##
-##
-## The type of the terminal allow the updpwd domain to use.
-##
-##
#
interface(`auth_run_upd_passwd',`
gen_require(`
@@ -432,7 +298,6 @@ interface(`auth_run_upd_passwd',`
auth_domtrans_upd_passwd($1)
role $2 types updpwd_t;
- allow updpwd_t $3:chr_file rw_file_perms;
')
########################################
@@ -815,11 +680,6 @@ interface(`auth_signal_pam',`
## The role to allow the PAM domain.
##
##
-##
-##
-## The type of the terminal allow the PAM domain to use.
-##
-##
#
interface(`auth_run_pam',`
gen_require(`
@@ -828,7 +688,6 @@ interface(`auth_run_pam',`
auth_domtrans_pam($1)
role $2 types pam_t;
- allow pam_t $3:chr_file rw_file_perms;
')
########################################
@@ -1228,11 +1087,6 @@ interface(`auth_domtrans_utempter',`
## The role to allow the utempter domain.
##
##
-##
-##
-## The type of the terminal allow the utempter domain to use.
-##
-##
#
interface(`auth_run_utempter',`
gen_require(`
@@ -1241,7 +1095,6 @@ interface(`auth_run_utempter',`
auth_domtrans_utempter($1)
role $2 types utempter_t;
- allow utempter_t $3:chr_file rw_file_perms;
')
#######################################
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index b4c998f..0f02b4f 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,5 +1,5 @@
-policy_module(authlogin, 1.11.1)
+policy_module(authlogin, 2.0.0)
########################################
#
@@ -10,8 +10,12 @@ attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
attribute can_relabelto_shadow_passwords;
+type chkpwd_t, can_read_shadow_passwords;
type chkpwd_exec_t;
-application_executable_file(chkpwd_exec_t)
+typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t };
+typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t };
+application_domain(chkpwd_t, chkpwd_exec_t)
+role system_r types chkpwd_t;
type faillog_t;
logging_log_file(faillog_t)
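Review bot: The `typealias` lines keep `user_chkpwd_t`, `staff_chkpwd_t`, `sysadm_chkpwd_t`, `auditadm_chkpwd_t` and `secadm_chkpwd_t` resolvable, but `system_chkpwd_t` — whose declaration and visible references in authlogin.if/.te this commit also removes — gets no alias, so any out-of-tree module that `gen_require`s `system_chkpwd_t` will fail to link after this change. Unless that break is intended with the 2.0.0 bump, add `typealias chkpwd_t alias system_chkpwd_t;` beside the other aliases. A one-line comment such as `# compatibility aliases for the removed per-role and system chkpwd domains` would also explain to readers why aliases exist for types that no longer appear anywhere in the tree.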
@@ -69,9 +73,56 @@ files_type(var_auth_t)
type wtmp_t;
logging_log_file(wtmp_t)
-# reorder to work around require-then-decare bug
-authlogin_common_auth_domain_template(system)
-role system_r types system_chkpwd_t;
+########################################
+#
+# Check password local policy
+#
+
+allow chkpwd_t self:capability { dac_override setuid };
+dontaudit chkpwd_t self:capability sys_tty_config;
+allow chkpwd_t self:process getattr;
+
+allow chkpwd_t shadow_t:file read_file_perms;
+files_list_etc(chkpwd_t)
+
+# is_selinux_enabled
+kernel_read_system_state(chkpwd_t)
+
+domain_dontaudit_use_interactive_fds(chkpwd_t)
+
+dev_read_rand(chkpwd_t)
+dev_read_urand(chkpwd_t)
+
+files_read_etc_files(chkpwd_t)
+# for nscd
+files_dontaudit_search_var(chkpwd_t)
+
+fs_dontaudit_getattr_xattr_fs(chkpwd_t)
+
+term_dontaudit_use_unallocated_ttys(chkpwd_t)
+term_dontaudit_use_generic_ptys(chkpwd_t)
+
+auth_use_nsswitch(chkpwd_t)
+
+logging_send_audit_msgs(chkpwd_t)
+logging_send_syslog_msg(chkpwd_t)
+
+miscfiles_read_localization(chkpwd_t)
+
+seutil_read_config(chkpwd_t)
+seutil_dontaudit_use_newrole_fds(chkpwd_t)
+
+userdom_use_user_terminals(chkpwd_t)
+
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(chkpwd_t)
+ ')
+')
+
+optional_policy(`
+ kerberos_use(chkpwd_t)
+')
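Review bot: `userdom_use_user_terminals(chkpwd_t)` lets the single merged chkpwd_t use the terminals of every user role, where the removed per-role template granted `userdom_use_user_terminals($1, $1_chkpwd_t)` only for the invoking role and the deleted system_chkpwd_t block had nothing but dontaudit rules for user ttys/ptys; for a domain that carries `can_read_shadow_passwords` and `allow chkpwd_t shadow_t:file read_file_perms`, that widening deserves a comment on the line, e.g. `# one shared domain for all roles; per-user terminal separation is left to UBAC`, so it is not read later as an oversight. Also, `corecmd_search_bin(system_chkpwd_t)` from the deleted block is not carried over to chkpwd_t; if the helper needed it, the merged domain will now see search denials on bin directories, so either add `corecmd_search_bin(chkpwd_t)` here or note why it is no longer required.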
########################################
#
@@ -117,8 +168,6 @@ files_read_etc_files(pam_t)
logging_send_syslog_msg(pam_t)
-userdom_use_unpriv_users_fds(pam_t)
-
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(pam_t)
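Review bot: `userdom_use_unpriv_users_fds(pam_t)` is removed with no replacement in this hunk, yet pam_t stays reachable from user roles through `auth_run_pam`, which the commit keeps. If pam_t programs inherit descriptors from an unprivileged session, this will surface as fd `use` denials; if fd inheritance is now covered by another rule added to pam_t outside the shown hunks, a one-line comment here naming it would make the removal clearly deliberate.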
@@ -254,31 +303,6 @@ optional_policy(`
########################################
#
-# System check password local policy
-#
-
-allow system_chkpwd_t shadow_t:file read_file_perms;
-
-corecmd_search_bin(system_chkpwd_t)
-
-domain_dontaudit_use_interactive_fds(system_chkpwd_t)
-
-term_dontaudit_use_unallocated_ttys(system_chkpwd_t)
-term_dontaudit_use_generic_ptys(system_chkpwd_t)
-
-userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
-userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t)
-
-sysadm_dontaudit_use_terms(system_chkpwd_t)
-
-ifdef(`distro_ubuntu',`
- optional_policy(`
- unconfined_domain(system_chkpwd_t)
- ')
-')
-
-########################################
-#
# updpwd local policy
#
@@ -292,7 +316,6 @@ kernel_read_system_state(updpwd_t)
files_manage_etc_files(updpwd_t)
term_dontaudit_use_console(updpwd_t)
-term_dontaudit_use_console(updpwd_t)
term_dontaudit_use_unallocated_ttys(updpwd_t)
auth_manage_shadow(updpwd_t)
@@ -302,6 +325,8 @@ logging_send_syslog_msg(updpwd_t)
miscfiles_read_localization(updpwd_t)
+userdom_use_user_terminals(updpwd_t)
+
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(updpwd_t)
@@ -334,8 +359,9 @@ domain_use_interactive_fds(utempter_t)
logging_search_logs(utempter_t)
+userdom_use_user_terminals(utempter_t)
# Allow utemper to write to /tmp/.xses-*
-userdom_write_unpriv_users_tmp_files(utempter_t)
+userdom_write_user_tmp_files(utempter_t)
ifdef(`distro_ubuntu',`
optional_policy(`
@@ -348,11 +374,6 @@ optional_policy(`
')
optional_policy(`
- # Allow utemper to write to /tmp/.xses-*
- unconfined_write_tmp_files(utempter_t)
-')
-
-optional_policy(`
xserver_use_xdm_fds(utempter_t)
xserver_rw_xdm_pipes(utempter_t)
')
diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if
index 29397af..f76522e 100644
--- a/policy/modules/system/clock.if
+++ b/policy/modules/system/clock.if
@@ -33,11 +33,6 @@ interface(`clock_domtrans',`
## The role to be allowed the clock domain.
##
##
-##
-##
-## The type of the terminal allow the clock domain to use.
-##
-##
##
#
interface(`clock_run',`
@@ -47,7 +42,6 @@ interface(`clock_run',`
clock_domtrans($1)
role $2 types hwclock_t;
- allow hwclock_t $3:chr_file rw_term_perms;
')
########################################
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
index 6f74901..4a97136 100644
--- a/policy/modules/system/clock.te
+++ b/policy/modules/system/clock.te
@@ -1,5 +1,5 @@
-policy_module(clock,1.5.0)
+policy_module(clock, 1.5.1)
########################################
#
diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
index e529bd6..732b54a 100644
--- a/policy/modules/system/fstools.if
+++ b/policy/modules/system/fstools.if
@@ -34,11 +34,6 @@ interface(`fstools_domtrans',`
## The role to be allowed the fs tools domain.
##
##
-##
-##
-## The type of the terminal allow the fs tools domain to use.
-##
-##
##
#
interface(`fstools_run',`
@@ -48,7 +43,6 @@ interface(`fstools_run',`
fstools_domtrans($1)
role $2 types fsadm_t;
- allow fsadm_t $3:chr_file rw_term_perms;
')
########################################
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 2f58907..14282bb 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,5 +1,5 @@
-policy_module(fstools, 1.11.0)
+policy_module(fstools, 1.11.1)
########################################
#
@@ -150,6 +150,7 @@ modutils_read_module_config(fsadm_t)
seutil_read_config(fsadm_t)
+userdom_use_user_terminals(fsadm_t)
userdom_use_unpriv_users_fds(fsadm_t)
tunable_policy(`read_default_t',`
diff --git a/policy/modules/system/hostname.if b/policy/modules/system/hostname.if
index 7910037..1ce151a 100644
--- a/policy/modules/system/hostname.if
+++ b/policy/modules/system/hostname.if
@@ -34,11 +34,6 @@ interface(`hostname_domtrans',`
## The role to be allowed the hostname domain.
##
##
-##
-##
-## The type of the terminal allow the hostname domain to use.
-##
-##
#
interface(`hostname_run',`
gen_require(`
@@ -47,7 +42,6 @@ interface(`hostname_run',`
hostname_domtrans($1)
role $2 types hostname_t;
- allow hostname_t $3:chr_file rw_term_perms;
')
########################################
diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
index d043c9b..c5dca1c 100644
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
@@ -1,5 +1,5 @@
-policy_module(hostname,1.5.0)
+policy_module(hostname, 1.5.1)
########################################
#
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
index a1511c4..f7c2d4c 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
@@ -1,5 +1,5 @@
-policy_module(hotplug, 1.10.0)
+policy_module(hotplug, 1.10.1)
########################################
#
@@ -112,8 +112,7 @@ seutil_dontaudit_search_config(hotplug_t)
sysnet_read_config(hotplug_t)
userdom_dontaudit_use_unpriv_user_fds(hotplug_t)
-
-sysadm_dontaudit_search_home_dirs(hotplug_t)
+userdom_dontaudit_search_user_home_dirs(hotplug_t)
ifdef(`distro_redhat', `
optional_policy(`
@@ -130,7 +129,7 @@ optional_policy(`
')
optional_policy(`
- dbus_system_bus_client_template(hotplug,hotplug_t)
+ dbus_system_bus_client(hotplug_t)
')
optional_policy(`
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index d6f0c52..150a28e 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -190,6 +190,8 @@ interface(`init_daemon_domain',`
typeattribute $1 direct_init;
typeattribute $2 direct_init_entry;
+
+ userdom_dontaudit_use_user_terminals($1)
')
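Review bot: The new `userdom_dontaudit_use_user_terminals($1)` is placed inside a block that opens before this hunk and closes at the `')` directly below it, so it applies only under whatever condition that block expresses (the neighbouring `typeattribute … direct_init` lines suggest a direct-init-specific branch), not to every domain created by `init_daemon_domain`. If the intent is to silence terminal denials for all daemon domains, move the call after that closing `')` at the interface's top level; if the narrower scope is intended, record it with a comment such as `# directly started daemons inherit the admin terminal; do not audit its use`.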
ifdef(`hide_broken_symptoms',`
@@ -739,11 +741,6 @@ interface(`init_labeled_script_domtrans',`
## The role to be performing this action.
##
##
-##
-##
-## The type of the terminal of the user.
-##
-##
#
interface(`init_run_daemon',`
gen_require(`
@@ -753,7 +750,6 @@ interface(`init_run_daemon',`
typeattribute $1 direct_run_init;
role_transition $2 direct_init_entry system_r;
- dontaudit direct_init $3:chr_file rw_file_perms;
')
########################################
@@ -1474,6 +1470,25 @@ interface(`init_manage_utmp',`
########################################
##
+## Create files in /var/run with the
+## utmp file type.
+##
+##
+##
+## Domain access allowed.
+##
+##
+#
+interface(`init_pid_filetrans_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ files_pid_filetrans($1, initrc_var_run_t, file)
+')
+
+########################################
+##
## Allow the specified domain to connect to daemon with a tcp socket
##
##
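Review bot: The summary of `init_pid_filetrans_utmp` says files are created "with the utmp file type", but the body transitions to `initrc_var_run_t` and no utmp-specific type appears in the interface. If /var/run/utmp is in fact labeled initrc_var_run_t, say so explicitly, e.g. `## Create files in /var/run labeled initrc_var_run_t (the type used for utmp).`; otherwise the type passed to `files_pid_filetrans` is wrong and the interface name is misleading. As written, a caller reading only the doc comment would expect a dedicated utmp type.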
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index f0035b7..d3788e1 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,5 +1,5 @@
-policy_module(init, 1.12.0)
+policy_module(init, 1.12.1)
gen_require(`
class passwd rootok;
@@ -382,12 +382,11 @@ modutils_domtrans_insmod(initrc_t)
seutil_read_config(initrc_t)
-userdom_read_all_users_home_content_files(initrc_t)
-
+userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
# started from init should be placed in their own domain.
-sysadm_use_terms(initrc_t)
+userdom_use_user_terminals(initrc_t)
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
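Review bot: The comment above the changed rule still reads "Allow access to the sysadm TTYs" while the rule is now `userdom_use_user_terminals(initrc_t)`, which, judging by its replacing `sysadm_use_terms`, covers the terminals of all user roles rather than sysadm alone; the stale wording hides that widening. Change the first comment line to `# Allow access to user TTYs (all user roles, not only sysadm). Note that this will give access to the` and keep the rest of the note about daemons needing their own domain. The same sysadm-to-all-users widening is made without comment for ipsec_mgmt_t in ipsec.te and, via `userdom_use_user_ptys`, for sulogin_t in locallogin.te in this commit.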
@@ -567,7 +566,7 @@ optional_policy(`
optional_policy(`
dbus_connect_system_bus(initrc_t)
- dbus_system_bus_client_template(initrc,initrc_t)
+ dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
optional_policy(`
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index e082a55..27cacf5 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@@ -219,11 +219,6 @@ interface(`ipsec_domtrans_setkey',`
## The role to be allowed the racoon and setkey domains.
##
##
-##
-##
-## The type of the terminal allow the racoon and setkey domains to use.
-##
-##
##
#
interface(`ipsec_run_setkey',`
@@ -233,5 +228,4 @@ interface(`ipsec_run_setkey',`
ipsec_domtrans_setkey($1)
role $2 types setkey_t;
- allow setkey_t $3:chr_file rw_term_perms;
')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index b7a6b0e..8ccedbe 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -1,5 +1,5 @@
-policy_module(ipsec, 1.8.0)
+policy_module(ipsec, 1.8.1)
########################################
#
@@ -134,8 +134,7 @@ miscfiles_read_localization(ipsec_t)
sysnet_read_config(ipsec_t)
userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
-
-sysadm_dontaudit_search_home_dirs(ipsec_t)
+userdom_dontaudit_search_user_home_dirs(ipsec_t)
optional_policy(`
nis_use_ypbind(ipsec_t)
@@ -250,7 +249,7 @@ seutil_dontaudit_search_config(ipsec_mgmt_t)
sysnet_domtrans_ifconfig(ipsec_mgmt_t)
-sysadm_use_terms(ipsec_mgmt_t)
+userdom_use_user_terminals(ipsec_mgmt_t)
optional_policy(`
consoletype_exec(ipsec_mgmt_t)
@@ -348,3 +347,5 @@ locallogin_use_fds(setkey_t)
miscfiles_read_localization(setkey_t)
seutil_read_config(setkey_t)
+
+userdom_use_user_terminals(setkey_t)
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index f05ae34..bab19d2 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -34,11 +34,6 @@ interface(`iptables_domtrans',`
## The role to be allowed the iptables domain.
##
##
-##
-##
-## The type of the terminal allow the iptables domain to use.
-##
-##
##
#
interface(`iptables_run',`
@@ -48,12 +43,11 @@ interface(`iptables_run',`
iptables_domtrans($1)
role $2 types iptables_t;
- allow iptables_t $3:chr_file rw_term_perms;
- sysnet_run_ifconfig(iptables_t, $2, $3)
+ sysnet_run_ifconfig(iptables_t, $2)
optional_policy(`
- modutils_run_insmod(iptables_t, $2, $3)
+ modutils_run_insmod(iptables_t, $2)
')
')
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 937f2db..be4ce0f 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -1,5 +1,5 @@
-policy_module(iptables, 1.7.0)
+policy_module(iptables, 1.7.1)
########################################
#
@@ -74,6 +74,7 @@ miscfiles_read_localization(iptables_t)
sysnet_domtrans_ifconfig(iptables_t)
sysnet_dns_name_resolve(iptables_t)
+userdom_use_user_terminals(iptables_t)
userdom_use_all_users_fds(iptables_t)
optional_policy(`
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
index db3945a..7c9b27b 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -33,11 +33,6 @@ interface(`libs_domtrans_ldconfig',`
## The role to allow the ldconfig domain.
##
##
-##
-##
-## The type of the terminal allow the ldconfig domain to use.
-##
-##
##
#
interface(`libs_run_ldconfig',`
@@ -47,7 +42,6 @@ interface(`libs_run_ldconfig',`
libs_domtrans_ldconfig($1)
role $2 types ldconfig_t;
- allow ldconfig_t $3:chr_file rw_term_perms;
')
########################################
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 0e47455..794a424 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -1,5 +1,5 @@
-policy_module(libraries, 2.3.0)
+policy_module(libraries, 2.3.1)
########################################
#
@@ -85,6 +85,7 @@ miscfiles_read_localization(ldconfig_t)
logging_send_syslog_msg(ldconfig_t)
+userdom_use_user_terminals(ldconfig_t)
userdom_use_all_users_fds(ldconfig_t)
ifdef(`distro_ubuntu',`
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 1e31efb..7a00ae1 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -1,5 +1,5 @@
-policy_module(locallogin, 1.8.0)
+policy_module(locallogin, 1.8.1)
########################################
#
@@ -131,7 +131,7 @@ miscfiles_read_localization(local_login_t)
userdom_spec_domtrans_all_users(local_login_t)
userdom_signal_all_users(local_login_t)
-userdom_search_all_users_home_content(local_login_t)
+userdom_search_user_home_content(local_login_t)
userdom_use_unpriv_users_fds(local_login_t)
userdom_sigchld_all_users(local_login_t)
userdom_create_all_users_keys(local_login_t)
@@ -165,7 +165,7 @@ optional_policy(`
')
optional_policy(`
- dbus_system_bus_client_template(local_login, local_login_t)
+ dbus_system_bus_client(local_login_t)
consolekit_dbus_chat(local_login_t)
')
@@ -238,11 +238,10 @@ auth_read_shadow(sulogin_t)
userdom_use_unpriv_users_fds(sulogin_t)
-staff_search_home_dirs(sulogin_t)
+userdom_search_user_home_dirs(sulogin_t)
+userdom_use_user_ptys(sulogin_t)
sysadm_shell_domtrans(sulogin_t)
-sysadm_use_ptys(sulogin_t)
-sysadm_search_home_dirs(sulogin_t)
# suse and debian do not use pam with sulogin...
ifdef(`distro_suse', `define(`sulogin_no_pam')')
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 4855a56..65004be 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -136,11 +136,6 @@ interface(`logging_domtrans_auditctl',`
## The role to be allowed the auditctl domain.
##
##
-##
-##
-## The type of the terminal allow the auditctl domain to use.
-##
-##
##
#
interface(`logging_run_auditctl',`
@@ -150,7 +145,6 @@ interface(`logging_run_auditctl',`
logging_domtrans_auditctl($1)
role $2 types auditctl_t;
- allow auditctl_t $3:chr_file rw_term_perms;
')
########################################
@@ -186,11 +180,6 @@ interface(`logging_domtrans_auditd',`
## The role to be allowed the auditd domain.
##
##
-##
-##
-## The type of the terminal allow the auditd domain to use.
-##
-##
#
interface(`logging_run_auditd',`
gen_require(`
@@ -199,7 +188,6 @@ interface(`logging_run_auditd',`
logging_domtrans_auditd($1)
role $2 types auditd_t;
- allow auditd_t $3:chr_file rw_term_perms;
')
########################################
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 6ec8c70..eddb18e 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
-policy_module(logging, 1.12.0)
+policy_module(logging, 1.12.1)
########################################
#
@@ -188,9 +188,9 @@ seutil_dontaudit_read_config(auditd_t)
sysnet_dns_name_resolve(auditd_t)
+userdom_use_user_terminals(auditd_t)
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
-
-sysadm_dontaudit_search_home_dirs(auditd_t)
+userdom_dontaudit_search_user_home_dirs(auditd_t)
ifdef(`distro_ubuntu',`
optional_policy(`
@@ -305,7 +305,7 @@ miscfiles_read_localization(klogd_t)
mls_file_read_all_levels(klogd_t)
-sysadm_dontaudit_search_home_dirs(klogd_t)
+userdom_dontaudit_search_user_home_dirs(klogd_t)
ifdef(`distro_ubuntu',`
optional_policy(`
@@ -440,8 +440,7 @@ logging_send_syslog_msg(syslogd_t)
miscfiles_read_localization(syslogd_t)
userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
-
-sysadm_dontaudit_search_home_dirs(syslogd_t)
+userdom_dontaudit_search_user_home_dirs(syslogd_t)
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index adfa5ae..170f742 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -33,11 +33,6 @@ interface(`lvm_domtrans',`
## The role to allow the LVM domain.
##
##
-##
-##
-## The type of the terminal allow the LVM domain to use.
-##
-##
##
#
interface(`lvm_run',`
@@ -47,7 +42,6 @@ interface(`lvm_run',`
lvm_domtrans($1)
role $2 types lvm_t;
- allow lvm_t $3:chr_file rw_term_perms;
')
########################################
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 29b0d9d..358a447 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,5 +1,5 @@
-policy_module(lvm, 1.9.0)
+policy_module(lvm, 1.9.1)
########################################
#
@@ -114,8 +114,7 @@ seutil_dontaudit_search_config(clvmd_t)
seutil_sigchld_newrole(clvmd_t)
userdom_dontaudit_use_unpriv_user_fds(clvmd_t)
-
-sysadm_dontaudit_search_home_dirs(clvmd_t)
+userdom_dontaudit_search_user_home_dirs(clvmd_t)
lvm_domtrans(clvmd_t)
lvm_read_config(clvmd_t)
@@ -241,9 +240,6 @@ storage_dev_filetrans_fixed_disk(lvm_t)
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
storage_manage_fixed_disk(lvm_t)
-term_getattr_all_user_ttys(lvm_t)
-term_list_ptys(lvm_t)
-
corecmd_exec_bin(lvm_t)
corecmd_exec_shell(lvm_t)
@@ -267,6 +263,8 @@ seutil_read_file_contexts(lvm_t)
seutil_search_default_contexts(lvm_t)
seutil_sigchld_newrole(lvm_t)
+userdom_use_user_terminals(lvm_t)
+
ifdef(`distro_redhat',`
# this is from the initrd:
files_rw_isid_type_dirs(lvm_t)
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 73b4e08..ce4ac17 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -141,11 +141,6 @@ interface(`modutils_domtrans_insmod',`
## The role to be allowed the insmod domain.
##
##
-##
-##
-## The type of the terminal allow the insmod domain to use.
-##
-##
##
#
interface(`modutils_run_insmod',`
@@ -155,7 +150,6 @@ interface(`modutils_run_insmod',`
modutils_domtrans_insmod($1)
role $2 types insmod_t;
- allow insmod_t $3:chr_file rw_term_perms;
')
########################################
@@ -210,11 +204,6 @@ interface(`modutils_domtrans_depmod',`
## The role to be allowed the depmod domain.
##
##
-##
-##
-## The type of the terminal allow the depmod domain to use.
-##
-##
##
#
interface(`modutils_run_depmod',`
@@ -224,7 +213,6 @@ interface(`modutils_run_depmod',`
modutils_domtrans_depmod($1)
role $2 types depmod_t;
- allow insmod_t $3:chr_file rw_term_perms;
')
########################################
@@ -279,11 +267,6 @@ interface(`modutils_domtrans_update_mods',`
## The role to be allowed the update_modules domain.
##
##
-##
-##
-## The type of the terminal allow the update_modules domain to use.
-##
-##
##
#
interface(`modutils_run_update_mods',`
@@ -293,9 +276,8 @@ interface(`modutils_run_update_mods',`
modutils_domtrans_update_mods($1)
role $2 types update_modules_t;
- allow update_modules_t $3:chr_file rw_term_perms;
- modutils_run_insmod(update_modules_t, $2, $3)
+ modutils_run_insmod(update_modules_t, $2)
')
########################################
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 53ff21b..1883186 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,5 +1,5 @@
-policy_module(modutils, 1.8.0)
+policy_module(modutils, 1.8.1)
gen_require(`
bool secure_mode_insmod;
@@ -109,6 +109,8 @@ miscfiles_read_localization(insmod_t)
seutil_read_file_contexts(insmod_t)
+userdom_use_user_terminals(insmod_t)
+
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(insmod_t)
@@ -142,11 +144,11 @@ optional_policy(`
rhgb_dontaudit_use_ptys(insmod_t)
xserver_dontaudit_write_log(insmod_t)
- xserver_stream_connect_xdm_xserver(insmod_t)
- xserver_dontaudit_rw_xdm_stream_sockets(insmod_t)
+ xserver_stream_connect(insmod_t)
+ xserver_dontaudit_rw_stream_sockets(insmod_t)
ifdef(`hide_broken_symptoms',`
- xserver_dontaudit_rw_xdm_xserver_tcp_sockets(insmod_t)
+ xserver_dontaudit_rw_tcp_sockets(insmod_t)
')
')
@@ -200,10 +202,10 @@ files_read_etc_files(depmod_t)
files_read_usr_src_files(depmod_t)
files_list_usr(depmod_t)
+userdom_use_user_terminals(depmod_t)
# Read System.map from home directories.
files_list_home(depmod_t)
-staff_read_home_content_files(depmod_t)
-sysadm_read_home_content_files(depmod_t)
+userdom_read_user_home_content_files(depmod_t)
ifdef(`distro_ubuntu',`
optional_policy(`
@@ -212,11 +214,6 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
- # Read System.map from home directories.
- unconfined_read_home_content_files(depmod_t)
-')
-
-optional_policy(`
rpm_rw_pipes(depmod_t)
')
@@ -274,7 +271,8 @@ logging_send_syslog_msg(update_modules_t)
miscfiles_read_localization(update_modules_t)
-sysadm_dontaudit_search_home_dirs(update_modules_t)
+userdom_use_user_terminals(update_modules_t)
+userdom_dontaudit_search_user_home_dirs(update_modules_t)
ifdef(`distro_gentoo',`
files_search_pids(update_modules_t)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index f9717ce..805bef0 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -34,11 +34,6 @@ interface(`mount_domtrans',`
## The role to be allowed the mount domain.
##
##
-##
-##
-## The type of the terminal allow the mount domain to use.
-##
-##
##
#
interface(`mount_run',`
@@ -48,10 +43,9 @@ interface(`mount_run',`
mount_domtrans($1)
role $2 types mount_t;
- allow mount_t $3:chr_file rw_file_perms;
optional_policy(`
- samba_run_smbmount($1, $2, $3)
+ samba_run_smbmount($1, $2)
')
')
@@ -155,11 +149,6 @@ interface(`mount_domtrans_unconfined',`
## The role to be allowed the unconfined mount domain.
##
##
-##
-##
-## The type of the terminal allow the unconfined mount domain to use.
-##
-##
##
#
interface(`mount_run_unconfined',`
@@ -169,5 +158,4 @@ interface(`mount_run_unconfined',`
mount_domtrans_unconfined($1)
role $2 types unconfined_mount_t;
- allow unconfined_mount_t $3:chr_file rw_file_perms;
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 0089812..04a2293 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -1,5 +1,5 @@
-policy_module(mount,1.9.0)
+policy_module(mount, 1.9.1)
########################################
#
diff --git a/policy/modules/system/netlabel.if b/policy/modules/system/netlabel.if
index 7c48ce5..1c9b8f5 100644
--- a/policy/modules/system/netlabel.if
+++ b/policy/modules/system/netlabel.if
@@ -34,11 +34,6 @@ interface(`netlabel_domtrans_mgmt',`
## The role to be allowed the netlabel_mgmt domain.
##
##
-##
-##
-## The type of the terminal allow the netlabel_mgmt domain to use.
-##
-##
##
#
interface(`netlabel_run_mgmt',`
@@ -48,5 +43,4 @@ interface(`netlabel_run_mgmt',`
netlabel_domtrans_mgmt($1)
role $2 types netlabel_mgmt_t;
- allow netlabel_mgmt_t $3:chr_file rw_term_perms;
')
diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te
index 59562b0..86d7eaa 100644
--- a/policy/modules/system/netlabel.te
+++ b/policy/modules/system/netlabel.te
@@ -1,5 +1,5 @@
-policy_module(netlabel, 1.2.0)
+policy_module(netlabel, 1.2.1)
########################################
#
@@ -25,3 +25,5 @@ kernel_read_network_state(netlabel_mgmt_t)
files_read_etc_files(netlabel_mgmt_t)
seutil_use_newrole_fds(netlabel_mgmt_t)
+
+userdom_use_user_terminals(netlabel_mgmt_t)
diff --git a/policy/modules/system/pcmcia.if b/policy/modules/system/pcmcia.if
index 5724365..5f63c3a 100644
--- a/policy/modules/system/pcmcia.if
+++ b/policy/modules/system/pcmcia.if
@@ -85,11 +85,6 @@ interface(`pcmcia_domtrans_cardctl',`
## The role to be allowed the cardmgr domain.
##
##
-##
-##
-## The type of the terminal allow the cardmgr domain to use.
-##
-##
##
#
interface(`pcmcia_run_cardctl',`
@@ -99,7 +94,6 @@ interface(`pcmcia_run_cardctl',`
pcmcia_domtrans_cardctl($1)
role $2 types cardmgr_t;
- allow cardmgr_t $3:chr_file rw_term_perms;
')
########################################
diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te
index 77da11e..aaf441e 100644
--- a/policy/modules/system/pcmcia.te
+++ b/policy/modules/system/pcmcia.te
@@ -1,5 +1,5 @@
-policy_module(pcmcia, 1.5.0)
+policy_module(pcmcia, 1.5.1)
########################################
#
@@ -107,9 +107,9 @@ sysnet_domtrans_ifconfig(cardmgr_t)
sysnet_etc_filetrans_config(cardmgr_t)
sysnet_manage_config(cardmgr_t)
+userdom_use_user_terminals(cardmgr_t)
userdom_dontaudit_use_unpriv_user_fds(cardmgr_t)
-
-sysadm_dontaudit_search_home_dirs(cardmgr_t)
+userdom_dontaudit_search_user_home_dirs(cardmgr_t)
optional_policy(`
seutil_dontaudit_read_config(cardmgr_t)
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index 7556f02..a6a6531 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -1,5 +1,5 @@
-policy_module(raid, 1.7.0)
+policy_module(raid, 1.7.1)
########################################
#
@@ -66,12 +66,11 @@ logging_send_syslog_msg(mdadm_t)
miscfiles_read_localization(mdadm_t)
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
-userdom_dontaudit_search_all_users_home_content(mdadm_t)
+userdom_dontaudit_search_user_home_content(mdadm_t)
+userdom_dontaudit_use_user_terminals(mdadm_t)
mta_send_mail(mdadm_t)
-sysadm_dontaudit_use_ttys(mdadm_t)
-
optional_policy(`
gpm_dontaudit_getattr_gpmctl(mdadm_t)
')
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 7364a6e..a8edd1f 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -36,11 +36,6 @@ interface(`seutil_domtrans_checkpolicy',`
## The role to be allowed the checkpolicy domain.
##
##
-##
-##
-## The type of the terminal allow the checkpolicy domain to use.
-##
-##
##
#
interface(`seutil_run_checkpolicy',`
@@ -50,7 +45,6 @@ interface(`seutil_run_checkpolicy',`
seutil_domtrans_checkpolicy($1)
role $2 types checkpolicy_t;
- allow checkpolicy_t $3:chr_file rw_term_perms;
')
########################################
@@ -109,11 +103,6 @@ interface(`seutil_domtrans_loadpolicy',`
## The role to be allowed the load_policy domain.
##
##
-##
-##
-## The type of the terminal allow the load_policy domain to use.
-##
-##
##
#
interface(`seutil_run_loadpolicy',`
@@ -123,7 +112,6 @@ interface(`seutil_run_loadpolicy',`
seutil_domtrans_loadpolicy($1)
role $2 types load_policy_t;
- allow load_policy_t $3:chr_file rw_term_perms;
')
########################################
@@ -166,7 +154,7 @@ interface(`seutil_read_loadpolicy',`
#######################################
##
-## Execute newrole in the load_policy domain.
+## Execute newrole in the newole domain.
##
##
##
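Review bot: The rewritten summary line `## Execute newrole in the newole domain.` contains a typo, "newole" for "newrole"; it should read `## Execute newrole in the newrole domain.`. The interface this comment block describes (seutil_domtrans_newrole) starts outside the hunk.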
@@ -200,11 +188,6 @@ interface(`seutil_domtrans_newrole',`
## The role to be allowed the newrole domain.
##
##
-##
-##
-## The type of the terminal allow the newrole domain to use.
-##
-##
##
#
interface(`seutil_run_newrole',`
@@ -214,9 +197,8 @@ interface(`seutil_run_newrole',`
seutil_domtrans_newrole($1)
role $2 types newrole_t;
- allow newrole_t $3:chr_file rw_term_perms;
- auth_run_upd_passwd(newrole_t, $2, $3)
+ auth_run_upd_passwd(newrole_t, $2)
')
########################################
@@ -294,6 +276,25 @@ interface(`seutil_use_newrole_fds',`
allow $1 newrole_t:fd use;
')
+########################################
+##
+## Do not audit attempts to inherit and use
+## newrole file descriptors.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`seutil_dontaudit_use_newrole_fds',`
+ gen_require(`
+ type newrole_t;
+ ')
+
+ dontaudit $1 newrole_t:fd use;
+')
+
#######################################
##
## Execute restorecon in the restorecon domain. (Deprecated)
@@ -325,16 +326,11 @@ interface(`seutil_domtrans_restorecon',`
## The role to be allowed the restorecon domain.
##
##
-##
-##
-## The type of the terminal allow the restorecon domain to use.
-##
-##
##
#
interface(`seutil_run_restorecon',`
refpolicywarn(`$0($*) has been deprecated, please use seutil_run_setfiles() instead.')
- seutil_run_setfiles($1,$2,$3)
+ seutil_run_setfiles($1,$2)
')
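Review bot: seutil_run_restorecon is kept as a deprecated wrapper with a refpolicywarn, but the three interfaces deleted outright from unconfined.if in this same commit (unconfined_read_home_content_files, unconfined_read_tmp_files, unconfined_write_tmp_files) get no equivalent shim, so an out-of-tree module calling them fails to build instead of warning. Keeping them as one-line wrappers around the userdom_ replacements this commit already uses in selinuxutil.te (userdom_read_user_home_content_files, userdom_read_user_tmp_files), with the same refpolicywarn, would follow the convention shown here. Where no userdom_ equivalent exists, the wrapper can carry only the warning.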
########################################
@@ -417,11 +413,6 @@ interface(`seutil_init_script_domtrans_runinit',`
## The role to be allowed the run_init domain.
##
##
-##
-##
-## The type of the terminal allow the run_init domain to use.
-##
-##
##
#
interface(`seutil_run_runinit',`
@@ -430,10 +421,10 @@ interface(`seutil_run_runinit',`
role system_r;
')
- auth_run_chk_passwd(run_init_t, $2, $3)
+ auth_run_chk_passwd(run_init_t, $2)
seutil_domtrans_runinit($1)
role $2 types run_init_t;
- allow run_init_t $3:chr_file rw_term_perms;
+
allow $2 system_r;
')
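Review bot: The `+` line that replaces `allow run_init_t $3:chr_file rw_term_perms;` is an empty line, so a blank now follows `role $2 types run_init_t;` directly; if the original already had a blank line before `allow $2 system_r;` (the collapsed context does not show it), the result is two consecutive blank lines. Simply removing the allow without adding an empty line is cleaner. The same replacement appears in seutil_init_script_run_runinit.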
@@ -463,11 +454,6 @@ interface(`seutil_run_runinit',`
## The role to be allowed the run_init domain.
##
##
-##
-##
-## The type of the terminal allow the run_init domain to use.
-##
-##
#
interface(`seutil_init_script_run_runinit',`
gen_require(`
@@ -475,10 +461,10 @@ interface(`seutil_init_script_run_runinit',`
role system_r;
')
- auth_run_chk_passwd(run_init_t, $2, $3)
+ auth_run_chk_passwd(run_init_t, $2)
seutil_init_script_domtrans_runinit($1)
role $2 types run_init_t;
- allow run_init_t $3:chr_file rw_term_perms;
+
allow $2 system_r;
')
@@ -536,11 +522,6 @@ interface(`seutil_domtrans_setfiles',`
## The role to be allowed the setfiles domain.
##
##
-##
-##
-## The type of the terminal allow the setfiles domain to use.
-##
-##
##
#
interface(`seutil_run_setfiles',`
@@ -550,7 +531,6 @@ interface(`seutil_run_setfiles',`
seutil_domtrans_setfiles($1)
role $2 types setfiles_t;
- allow setfiles_t $3:chr_file rw_term_perms;
')
########################################
@@ -1033,11 +1013,6 @@ interface(`seutil_domtrans_semanage',`
## The role to be allowed the checkpolicy domain.
##
##
-##
-##
-## The type of the terminal allow the semanage domain to use.
-##
-##
##
#
interface(`seutil_run_semanage',`
@@ -1046,10 +1021,9 @@ interface(`seutil_run_semanage',`
')
seutil_domtrans_semanage($1)
- seutil_run_setfiles(semanage_t, $2, $3)
- seutil_run_loadpolicy(semanage_t, $2, $3)
+ seutil_run_setfiles(semanage_t, $2)
+ seutil_run_loadpolicy(semanage_t, $2)
role $2 types semanage_t;
- allow semanage_t $3:chr_file rw_term_perms;
')
########################################
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index dbbfadd..49e789f 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
-policy_module(selinuxutil, 1.11.1)
+policy_module(selinuxutil, 1.11.2)
gen_require(`
bool secure_mode;
@@ -140,6 +140,7 @@ term_use_console(checkpolicy_t)
init_use_fds(checkpolicy_t)
init_use_script_ptys(checkpolicy_t)
+userdom_use_user_terminals(checkpolicy_t)
userdom_use_all_users_fds(checkpolicy_t)
ifdef(`distro_ubuntu',`
@@ -181,6 +182,7 @@ miscfiles_read_localization(load_policy_t)
seutil_libselinux_linked(load_policy_t)
+userdom_use_user_terminals(load_policy_t)
userdom_use_all_users_fds(load_policy_t)
ifdef(`distro_ubuntu',`
@@ -274,10 +276,9 @@ miscfiles_read_localization(newrole_t)
seutil_libselinux_linked(newrole_t)
-userdom_use_unpriv_users_fds(newrole_t)
# for some PAM modules and for cwd
-userdom_dontaudit_search_all_users_home_content(newrole_t)
-userdom_search_all_users_home_dirs(newrole_t)
+userdom_dontaudit_search_user_home_content(newrole_t)
+userdom_search_user_home_dirs(newrole_t)
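Review bot: `userdom_use_unpriv_users_fds(newrole_t)` is removed without a replacement in this hunk, while the other domains touched in this file (checkpolicy_t, load_policy_t, run_init_t) each gain `userdom_use_user_terminals(...)`. If inheriting the invoking user's descriptors is still required, newrole_t presumably needs the corresponding user-based interface added here; if the drop is deliberate, a short comment stating why would help, since newrole runs with the caller's open fds. The newrole_t section continues outside the hunk.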
ifdef(`distro_ubuntu',`
optional_policy(`
@@ -380,8 +381,6 @@ selinux_compute_create_context(run_init_t)
selinux_compute_relabel_context(run_init_t)
selinux_compute_user_contexts(run_init_t)
-term_dontaudit_list_ptys(run_init_t)
-
auth_use_nsswitch(run_init_t)
auth_domtrans_chk_passwd(run_init_t)
auth_domtrans_upd_passwd(run_init_t)
@@ -398,6 +397,8 @@ miscfiles_read_localization(run_init_t)
seutil_libselinux_linked(run_init_t)
seutil_read_default_contexts(run_init_t)
+userdom_use_user_terminals(run_init_t)
+
ifndef(`direct_sysadm_daemon',`
ifdef(`distro_gentoo',`
# Gentoo integrated run_init:
@@ -494,13 +495,8 @@ ifdef(`enable_mls',`
# read secadm tmp files
',`
# Handle pp files created in homedir and /tmp
- sysadm_read_home_content_files(semanage_t)
- sysadm_read_tmp_files(semanage_t)
-
- optional_policy(`
- unconfined_read_home_content_files(semanage_t)
- unconfined_read_tmp_files(semanage_t)
- ')
+ userdom_read_user_home_content_files(semanage_t)
+ userdom_read_user_tmp_files(semanage_t)
')
########################################
@@ -574,7 +570,7 @@ seutil_libselinux_linked(setfiles_t)
userdom_use_all_users_fds(setfiles_t)
# for config files in a home directory
-userdom_read_all_users_home_content_files(setfiles_t)
+userdom_read_user_home_content_files(setfiles_t)
ifdef(`distro_debian',`
# udev tmpfs is populated with static device nodes
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 57a33a7..21864b9 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -34,11 +34,6 @@ interface(`sysnet_domtrans_dhcpc',`
## The role to be allowed the clock domain.
##
##
-##
-##
-## The type of the terminal allow the clock domain to use.
-##
-##
##
#
interface(`sysnet_run_dhcpc',`
@@ -48,7 +43,6 @@ interface(`sysnet_run_dhcpc',`
sysnet_domtrans_dhcpc($1)
role $2 types dhcpc_t;
- allow dhcpc_t $3:chr_file rw_term_perms;
')
########################################
@@ -404,11 +398,6 @@ interface(`sysnet_domtrans_ifconfig',`
## The role to be allowed the ifconfig domain.
##
##
-##
-##
-## The type of the terminal allow the ifconfig domain to use.
-##
-##
##
#
interface(`sysnet_run_ifconfig',`
@@ -419,7 +408,6 @@ interface(`sysnet_run_ifconfig',`
corecmd_search_bin($1)
sysnet_domtrans_ifconfig($1)
role $2 types ifconfig_t;
- allow ifconfig_t $3:chr_file rw_term_perms;
')
#######################################
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 06ef1ab..db38b3c 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,5 +1,5 @@
-policy_module(sysnetwork, 1.8.0)
+policy_module(sysnetwork, 1.8.1)
########################################
#
@@ -132,7 +132,8 @@ miscfiles_read_localization(dhcpc_t)
modutils_domtrans_insmod(dhcpc_t)
-staff_dontaudit_search_home_dirs(dhcpc_t)
+userdom_use_user_terminals(dhcpc_t)
+userdom_dontaudit_search_user_home_dirs(dhcpc_t)
ifdef(`distro_redhat', `
files_exec_etc_files(dhcpc_t)
@@ -151,7 +152,7 @@ optional_policy(`
optional_policy(`
init_dbus_chat_script(dhcpc_t)
- dbus_system_bus_client_template(dhcpc,dhcpc_t)
+ dbus_system_bus_client(dhcpc_t)
dbus_connect_system_bus(dhcpc_t)
optional_policy(`
@@ -295,6 +296,7 @@ modutils_domtrans_insmod(ifconfig_t)
seutil_use_runinit_fds(ifconfig_t)
+userdom_use_user_terminals(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)
ifdef(`distro_ubuntu',`
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index b6506e6..9bd5d7f 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,5 +1,5 @@
-policy_module(udev,1.9.0)
+policy_module(udev, 1.9.1)
########################################
#
@@ -160,7 +160,7 @@ sysnet_signal_dhcpc(udev_t)
sysnet_manage_config(udev_t)
sysnet_etc_filetrans_config(udev_t)
-userdom_dontaudit_search_all_users_home_content(udev_t)
+userdom_dontaudit_search_user_home_content(udev_t)
ifdef(`distro_gentoo',`
# during boot, init scripts use /dev/.rcsysinit
@@ -198,7 +198,7 @@ optional_policy(`
')
optional_policy(`
- dbus_system_bus_client_template(udev,udev_t)
+ dbus_system_bus_client(udev_t)
')
optional_policy(`
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index cb43eb1..2d4c440 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -205,11 +205,6 @@ interface(`unconfined_domtrans',`
## The role to allow the unconfined domain.
##
##
-##
-##
-## The type of the terminal allow the unconfined domain to use.
-##
-##
#
interface(`unconfined_run',`
gen_require(`
@@ -218,7 +213,6 @@ interface(`unconfined_run',`
unconfined_domtrans($1)
role $2 types unconfined_t;
- allow unconfined_t $3:chr_file rw_term_perms;
')
########################################
@@ -308,13 +302,13 @@ interface(`unconfined_domtrans_to',`
#
interface(`unconfined_run_to',`
gen_require(`
- type unconfined_t, unconfined_devpts_t, unconfined_tty_device_t;
+ type unconfined_t;
role unconfined_r;
')
domtrans_pattern(unconfined_t,$2,$1)
role unconfined_r types $1;
- allow $1 { unconfined_devpts_t unconfined_tty_device_t }:chr_file rw_term_perms;
+ userdom_use_user_terminals($1)
')
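Review bot: `userdom_use_user_terminals($1)` grants $1 access to the now-shared user_devpts_t/user_tty_device_t types, which is broader than the removed rule covering only unconfined's two terminal types; with per-role terminal types gone this is the available replacement, but the interface description (outside the hunk) should say the grant covers every user role's terminals. A comment on the new line, e.g. `# user terminal types are shared across roles; separation now relies on the user-based constraint applied in userdom_base_user_template`, would record the intent.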
########################################
@@ -587,63 +581,3 @@ interface(`unconfined_dbus_connect',`
allow $1 unconfined_t:dbus acquire_svc;
')
-
-########################################
-##
-## Read files in unconfined users home directories.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`unconfined_read_home_content_files',`
- gen_require(`
- type unconfined_home_dir_t, unconfined_home_t;
- ')
-
- files_search_home($1)
- allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms;
- read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
- read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
-')
-
-########################################
-##
-## Read unconfined users temporary files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`unconfined_read_tmp_files',`
- gen_require(`
- type unconfined_tmp_t;
- ')
-
- files_search_tmp($1)
- allow $1 unconfined_tmp_t:dir list_dir_perms;
- read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
- read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
-')
-
-########################################
-##
-## Write unconfined users temporary files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`unconfined_write_tmp_files',`
- gen_require(`
- type unconfined_tmp_t;
- ')
-
- allow $1 unconfined_tmp_t:file write_file_perms;
-')
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 1c98875..0f2cfb6 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
-policy_module(unconfined, 2.4.0)
+policy_module(unconfined, 3.0.0)
########################################
#
@@ -10,9 +10,9 @@ policy_module(unconfined, 2.4.0)
# calls is not correct, however we dont currently
# have another method to add access to these types
userdom_base_user_template(unconfined)
-userdom_manage_home_template(unconfined)
-userdom_manage_tmp_template(unconfined)
-userdom_manage_tmpfs_template(unconfined)
+userdom_manage_home_role(unconfined_r, unconfined_t)
+userdom_manage_tmp_role(unconfined_r, unconfined_t)
+userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
type unconfined_exec_t;
init_system_domain(unconfined_t, unconfined_exec_t)
@@ -34,25 +34,25 @@ files_create_boot_flag(unconfined_t)
mcs_killall(unconfined_t)
mcs_ptrace_all(unconfined_t)
-init_run_daemon(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+init_run_daemon(unconfined_t, unconfined_r)
-libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+libs_run_ldconfig(unconfined_t, unconfined_r)
logging_send_syslog_msg(unconfined_t)
-logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+logging_run_auditctl(unconfined_t, unconfined_r)
-mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+mount_run_unconfined(unconfined_t, unconfined_r)
-seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+seutil_run_setfiles(unconfined_t, unconfined_r)
+seutil_run_semanage(unconfined_t, unconfined_r)
unconfined_domain(unconfined_t)
-userdom_priveleged_home_dir_manager(unconfined_t)
+userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
ifdef(`distro_gentoo',`
- seutil_run_runinit(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
- seutil_init_script_run_runinit(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
+ seutil_run_runinit(unconfined_t, unconfined_r)
+ seutil_init_script_run_runinit(unconfined_t, unconfined_r)
')
optional_policy(`
@@ -60,24 +60,20 @@ optional_policy(`
')
optional_policy(`
- apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
- apache_per_role_template(unconfined, unconfined_t, unconfined_r)
- # this is disallowed usage:
- unconfined_domain(httpd_unconfined_script_t)
+ apache_run_helper(unconfined_t, unconfined_r)
+ apache_role(unconfined_r, unconfined_t)
')
optional_policy(`
- bind_run_ndc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ bind_run_ndc(unconfined_t, unconfined_r)
')
optional_policy(`
- bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ bootloader_run(unconfined_t, unconfined_r)
')
optional_policy(`
- cron_per_role_template(unconfined, unconfined_t, unconfined_r)
- # this is disallowed usage:
- unconfined_domain(unconfined_crond_t)
+ cron_unconfined_role(unconfined_r, unconfined_t)
')
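Review bot: The two `unconfined_domain(...)` calls marked "this is disallowed usage" for httpd_unconfined_script_t and unconfined_crond_t are dropped together with the per-role templates. Unless apache_role and cron_unconfined_role (outside this view) apply unconfined_domain to those types themselves, both domains silently stop being unconfined, which changes enforcement for scripts and cron jobs launched from unconfined_r. Worth confirming against those interfaces, and a brief comment here saying where the unconfined_domain call now lives.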
optional_policy(`
@@ -115,11 +111,11 @@ optional_policy(`
')
optional_policy(`
- firstboot_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ firstboot_run(unconfined_t, unconfined_r)
')
optional_policy(`
- ftp_run_ftpdctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ ftp_run_ftpdctl(unconfined_t, unconfined_r)
')
optional_policy(`
@@ -127,15 +123,15 @@ optional_policy(`
')
optional_policy(`
- java_domtrans(unconfined_t)
+ java_domtrans_unconfined(unconfined_t)
')
optional_policy(`
- lpd_run_checkpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ lpd_run_checkpc(unconfined_t, unconfined_r)
')
optional_policy(`
- modutils_run_update_mods(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ modutils_run_update_mods(unconfined_t, unconfined_r)
')
optional_policy(`
@@ -143,7 +139,7 @@ optional_policy(`
')
optional_policy(`
- mta_per_role_template(unconfined, unconfined_t, unconfined_r)
+ mta_role(unconfined_r, unconfined_t)
')
optional_policy(`
@@ -151,26 +147,21 @@ optional_policy(`
')
optional_policy(`
- prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ prelink_run(unconfined_t, unconfined_r)
')
optional_policy(`
- portmap_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ portmap_run_helper(unconfined_t, unconfined_r)
')
optional_policy(`
- postfix_per_role_template(unconfined, unconfined_t, unconfined_r)
- postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ postfix_run_map(unconfined_t, unconfined_r)
# cjp: this should probably be removed:
postfix_domtrans_master(unconfined_t)
')
optional_policy(`
- pyzor_per_role_template(unconfined)
-')
-
-optional_policy(`
- qmail_per_role_template(unconfined, unconfined_t, unconfined_r)
+ pyzor_role(unconfined_r, unconfined_t)
')
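Review bot: `qmail_per_role_template(unconfined, unconfined_t, unconfined_r)` is removed with no qmail_role counterpart, whereas the other per-role templates in this file are each replaced by a *_role interface (pyzor_role here; apache_role, cron_unconfined_role, mta_role, spamassassin_role elsewhere in the file). The same happens to `samba_per_role_template(unconfined)` in the following hunk. If qmail.if and samba.if gained role interfaces in this commit, unconfined_r should call them here; otherwise the unconfined role loses those domains silently and the omission deserves a comment.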
optional_policy(`
@@ -179,38 +170,37 @@ optional_policy(`
')
optional_policy(`
- rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ rpm_run(unconfined_t, unconfined_r)
')
optional_policy(`
- samba_per_role_template(unconfined)
- samba_run_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
- samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ samba_run_net(unconfined_t, unconfined_r)
+ samba_run_winbind_helper(unconfined_t, unconfined_r)
')
optional_policy(`
- spamassassin_per_role_template(unconfined, unconfined_t, unconfined_r)
+ spamassassin_role(unconfined_r, unconfined_t)
')
optional_policy(`
- sysnet_run_dhcpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ sysnet_run_dhcpc(unconfined_t, unconfined_r)
sysnet_dbus_chat_dhcpc(unconfined_t)
')
optional_policy(`
- tzdata_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ tzdata_run(unconfined_t, unconfined_r)
')
optional_policy(`
- usermanage_run_admin_passwd(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ usermanage_run_admin_passwd(unconfined_t, unconfined_r)
')
optional_policy(`
- vpn_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ vpn_run(unconfined_t, unconfined_r)
')
optional_policy(`
- webalizer_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ webalizer_run(unconfined_t, unconfined_r)
')
optional_policy(`
@@ -218,7 +208,7 @@ optional_policy(`
')
optional_policy(`
- xserver_domtrans_xdm_xserver(unconfined_t)
+ xserver_domtrans(unconfined_t)
')
########################################
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index ebb37c5..db75976 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -1,4 +1,4 @@
-HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh)
-HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0)
+HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
-/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
+/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index d546c89..4cb0867 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -25,6 +25,7 @@ template(`userdom_base_user_template',`
gen_require(`
attribute userdomain;
+ type user_devpts_t, user_tty_device_t;
class context contains;
')
@@ -35,15 +36,13 @@ template(`userdom_base_user_template',`
corecmd_shell_entry_type($1_t)
corecmd_bin_entry_type($1_t)
domain_user_exemption_target($1_t)
+ ubac_constrained($1_t)
role $1_r types $1_t;
allow system_r $1_r;
- type $1_devpts_t;
- term_user_pty($1_t,$1_devpts_t)
- files_type($1_devpts_t)
+ term_user_pty($1_t, user_devpts_t)
- type $1_tty_device_t;
- term_user_tty($1_t,$1_tty_device_t)
+ term_user_tty($1_t, user_tty_device_t)
allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
allow $1_t self:fd use;
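Review bot: Replacing the per-prefix `$1_devpts_t`/`$1_tty_device_t` with the single `user_devpts_t`/`user_tty_device_t` means type enforcement no longer distinguishes one user role's terminals from another's; the `ubac_constrained($1_t)` added just above is what presumably stands in for that separation, and it only has effect where the user-based constraints are actually built into the policy. That trade-off should be stated in the template, e.g. `# all user roles share one pty/tty type; cross-user terminal separation now comes from UBAC, not TE` above the term_user_pty line. userdom_base_user_template starts outside the hunk.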
@@ -57,10 +56,13 @@ template(`userdom_base_user_template',`
allow $1_t self:context contains;
dontaudit $1_t self:socket create;
- allow $1_t $1_devpts_t:chr_file { setattr rw_chr_file_perms };
- term_create_pty($1_t,$1_devpts_t)
+ allow $1_t user_devpts_t:chr_file { setattr rw_chr_file_perms };
+ # avoid annoying messages on terminal hangup on role change
+ dontaudit $1_t user_devpts_t:chr_file ioctl;
- allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
+ allow $1_t user_tty_device_t:chr_file { setattr rw_chr_file_perms };
+ # avoid annoying messages on terminal hangup on role change
+ dontaudit $1_t user_tty_device_t:chr_file ioctl;
kernel_read_kernel_sysctls($1_t)
kernel_dontaudit_list_unlabeled($1_t)
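Review bot: `term_create_pty($1_t,$1_devpts_t)` is removed without a replacement in this hunk while the allow on user_devpts_t is kept; if no other template now calls term_create_pty($1_t, user_devpts_t), user domains keep read/write on existing ptys but presumably lose the ability to allocate new ones. Either add `term_create_pty($1_t, user_devpts_t)` beside the allow or note where pty creation moved. The two added dontaudit ioctl lines sit next to allows on the same type; if rw_chr_file_perms already includes ioctl, the dontaudit only matters for denials coming from constraints rather than TE, which the "terminal hangup on role change" comment could say explicitly.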
@@ -117,402 +119,250 @@ template(`userdom_base_user_template',`
#######################################
##
-## The template for creating a home directory
-## that the user has read-only access.
+## Allow a home directory for which the
+## role has read-only access.
##
##
##
-## The template for creating a home directory
-## that the user has read-only access.
+## Allow a home directory for which the
+## role has read-only access.
##
##
## This does not allow execute access.
##
##
-##
+##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## The user role
+##
+##
+##
+##
+## The user domain
##
##
##
#
-template(`userdom_ro_home_template',`
+interface(`userdom_ro_home_role',`
gen_require(`
- attribute home_type, home_dir_type, $1_file_type;
+ type user_home_t, user_home_dir_t;
')
- # type for contents of home directory
- type $1_home_t, $1_file_type, home_type;
- files_type($1_home_t)
- files_associate_tmp($1_home_t)
- fs_associate_tmpfs($1_home_t)
- files_mountpoint($1_home_t)
-
- # type of home directory
- type $1_home_dir_t, home_dir_type, home_type;
- files_type($1_home_dir_t)
- files_mountpoint($1_home_dir_t)
- files_associate_tmp($1_home_dir_t)
- fs_associate_tmpfs($1_home_dir_t)
- files_poly_member($1_home_dir_t)
-
- ##############################
- #
- # User home directory file rules
- #
-
- allow $1_file_type $1_home_t:filesystem associate;
-
- # Rules used to associate a homedir as a mountpoint
- allow $1_home_t self:filesystem associate;
+ role $1 types { user_home_t user_home_dir_t };
##############################
#
# Domain access to home dir
#
+ type_member $2 user_home_dir_t:dir user_home_dir_t;
+
# read-only home directory
- allow $1_t $1_home_dir_t:dir list_dir_perms;
- allow $1_t $1_home_t:dir list_dir_perms;
- allow $1_t $1_home_t:file entrypoint;
- read_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t)
- read_lnk_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t)
- read_fifo_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t)
- read_sock_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t)
- files_list_home($1_t)
+ allow $2 user_home_dir_t:dir list_dir_perms;
+ allow $2 user_home_t:dir list_dir_perms;
+ allow $2 user_home_t:file entrypoint;
+ read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
+ read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
+ read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
+ read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
+ files_list_home($2)
tunable_policy(`use_nfs_home_dirs',`
- fs_list_nfs($1_t)
- fs_read_nfs_files($1_t)
- fs_read_nfs_symlinks($1_t)
- fs_read_nfs_named_sockets($1_t)
- fs_read_nfs_named_pipes($1_t)
+ fs_list_nfs($2)
+ fs_read_nfs_files($2)
+ fs_read_nfs_symlinks($2)
+ fs_read_nfs_named_sockets($2)
+ fs_read_nfs_named_pipes($2)
',`
- fs_dontaudit_list_nfs($1_t)
- fs_dontaudit_read_nfs_files($1_t)
+ fs_dontaudit_list_nfs($2)
+ fs_dontaudit_read_nfs_files($2)
')
tunable_policy(`use_samba_home_dirs',`
- fs_list_cifs($1_t)
- fs_read_cifs_files($1_t)
- fs_read_cifs_symlinks($1_t)
- fs_read_cifs_named_sockets($1_t)
- fs_read_cifs_named_pipes($1_t)
+ fs_list_cifs($2)
+ fs_read_cifs_files($2)
+ fs_read_cifs_symlinks($2)
+ fs_read_cifs_named_sockets($2)
+ fs_read_cifs_named_pipes($2)
',`
- fs_dontaudit_list_cifs($1_t)
- fs_dontaudit_read_cifs_files($1_t)
+ fs_dontaudit_list_cifs($2)
+ fs_dontaudit_read_cifs_files($2)
')
')
#######################################
##
-## The template for creating a home directory
-## that the user has full access.
+## Allow a home directory for which the
+## role has full access.
##
##
##
-## The template for creating a home directory
-## that the user has full access.
+## Allow a home directory for which the
+## role has full access.
##
##
## This does not allow execute access.
##
##
-##
+##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## The user role
+##
+##
+##
+##
+## The user domain
##
##
##
#
-template(`userdom_manage_home_template',`
+interface(`userdom_manage_home_role',`
gen_require(`
- attribute home_type, home_dir_type, $1_file_type;
+ type user_home_t, user_home_dir_t;
')
- # type for contents of home directory
- type $1_home_t, $1_file_type, home_type;
- files_type($1_home_t)
- files_associate_tmp($1_home_t)
- fs_associate_tmpfs($1_home_t)
-
- # type of home directory
- type $1_home_dir_t, home_dir_type, home_type;
- files_type($1_home_dir_t)
- files_associate_tmp($1_home_dir_t)
- fs_associate_tmpfs($1_home_dir_t)
-
- ##############################
- #
- # User home directory file rules
- #
-
- allow $1_file_type $1_home_t:filesystem associate;
-
- # Rules used to associate a homedir as a mountpoint
- allow $1_home_t self:filesystem associate;
+ role $1 types { user_home_t user_home_dir_t };
##############################
#
# Domain access to home dir
#
+ type_member $2 user_home_dir_t:dir user_home_dir_t;
+
# full control of the home directory
- allow $1_t $1_home_t:file entrypoint;
- manage_dirs_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_lnk_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_sock_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_fifo_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
- relabel_dirs_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
- relabel_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
- relabel_lnk_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
- relabel_sock_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
- relabel_fifo_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
- filetrans_pattern($1_t,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
- files_list_home($1_t)
+ allow $2 user_home_t:file entrypoint;
+ manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+ manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+ manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+ manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+ manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+ relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+ relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+ relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+ relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+ relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+ filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
+ files_list_home($2)
# cjp: this should probably be removed:
- allow $1_t $1_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs($1_t)
- fs_manage_nfs_files($1_t)
- fs_manage_nfs_symlinks($1_t)
- fs_manage_nfs_named_sockets($1_t)
- fs_manage_nfs_named_pipes($1_t)
+ fs_manage_nfs_dirs($2)
+ fs_manage_nfs_files($2)
+ fs_manage_nfs_symlinks($2)
+ fs_manage_nfs_named_sockets($2)
+ fs_manage_nfs_named_pipes($2)
',`
- fs_dontaudit_manage_nfs_dirs($1_t)
- fs_dontaudit_manage_nfs_files($1_t)
+ fs_dontaudit_manage_nfs_dirs($2)
+ fs_dontaudit_manage_nfs_files($2)
')
tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs($1_t)
- fs_manage_cifs_files($1_t)
- fs_manage_cifs_symlinks($1_t)
- fs_manage_cifs_named_sockets($1_t)
- fs_manage_cifs_named_pipes($1_t)
+ fs_manage_cifs_dirs($2)
+ fs_manage_cifs_files($2)
+ fs_manage_cifs_symlinks($2)
+ fs_manage_cifs_named_sockets($2)
+ fs_manage_cifs_named_pipes($2)
',`
- fs_dontaudit_manage_cifs_dirs($1_t)
- fs_dontaudit_manage_cifs_files($1_t)
+ fs_dontaudit_manage_cifs_dirs($2)
+ fs_dontaudit_manage_cifs_files($2)
')
')
#######################################
##
-## The template for allowing the user
-## to execute files in their home directory.
+## Manage user temporary files
##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-#
-template(`userdom_exec_home_template',`
- can_exec($1_t,$1_home_t)
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_exec_cifs_files($1_t)
- ')
-')
-
-#######################################
-##
-## The template for polyinstantiating
-## a user home directory.
-##
-##
+##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## Role allowed access.
##
##
-##
-#
-template(`userdom_poly_home_template',`
- type_member $1_t $1_home_dir_t:dir $1_home_dir_t;
- files_poly($1_home_dir_t)
- files_poly_parent($1_home_dir_t)
- files_poly_parent($1_home_t)
- files_poly_member($1_home_t)
-')
-
-#######################################
-##
-## The template for full access to the temporary directories.
-##
-##
-##
-## The template for full access to the temporary directories.
-## This creates a derived type for the user
-## temporary type. Execute access is not given.
-##
-##
-##
+##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## Domain allowed access.
##
##
##
#
-template(`userdom_manage_tmp_template',`
+interface(`userdom_manage_tmp_role',`
gen_require(`
- attribute $1_file_type;
+ type user_tmp_t;
')
- type $1_tmp_t, $1_file_type;
- files_tmp_file($1_tmp_t)
+ role $1 types user_tmp_t;
- manage_dirs_pattern($1_t,$1_tmp_t,$1_tmp_t)
- manage_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
- manage_lnk_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
- manage_sock_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
- manage_fifo_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
- files_tmp_filetrans($1_t, $1_tmp_t, { dir file lnk_file sock_file fifo_file })
-')
+ files_poly_member_tmp($2, user_tmp_t)
-#######################################
-##
-## The template for execute access to the user temporary files.
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-#
-template(`userdom_exec_tmp_template',`
- exec_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
+ manage_dirs_pattern($2, user_tmp_t, user_tmp_t)
+ manage_files_pattern($2, user_tmp_t, user_tmp_t)
+ manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t)
+ manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
+ manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
+ files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
')
#######################################
##
-## The template for a polyinstantiated temporary directory.
+## The execute access user temporary files.
##
-##
+##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## Domain allowed access.
##
##
##
#
-template(`userdom_poly_tmp_template',`
- files_poly_member_tmp($1_t,tmp_t)
+interface(`userdom_exec_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ exec_files_pattern($1, user_tmp_t, user_tmp_t)
+ files_search_tmp($1)
')
#######################################
##
-## The template for creating a tmpfs type
+## Role access for the user tmpfs type
## that the user has full access.
##
##
##
-## The template for creating a tmpfs type
+## Role access for the user tmpfs type
## that the user has full access.
##
##
## This does not allow execute access.
##
##
-##
+##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## Role allowed access.
##
##
-##
-#
-template(`userdom_manage_tmpfs_template',`
- gen_require(`
- attribute $1_file_type;
- ')
-
- type $1_tmpfs_t, $1_file_type;
- files_tmpfs_file($1_tmpfs_t)
-
- manage_dirs_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
- manage_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
- manage_lnk_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
- manage_sock_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
- manage_fifo_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
- fs_tmpfs_filetrans($1_t,$1_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-')
-
-#######################################
-##
-## The template for creating a set of types
-## for untrusted content.
-##
-##
+##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## Domain allowed access.
##
##
-##
+##
#
-template(`userdom_untrusted_content_template',`
+interface(`userdom_manage_tmpfs_role',`
gen_require(`
- attribute $1_file_type;
- attribute untrusted_content_type, untrusted_content_tmp_type;
- type $1_t;
- ')
-
- # types for network-obtained content
- type $1_untrusted_content_t, $1_file_type, untrusted_content_type; #, customizable
- files_type($1_untrusted_content_t)
- files_poly_member($1_untrusted_content_t)
-
- type $1_untrusted_content_tmp_t, $1_file_type, untrusted_content_tmp_type; # customizable
- files_tmp_file($1_untrusted_content_tmp_t)
-
- # Allow user to relabel untrusted content
- allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabel_file_perms rename };
-
- tunable_policy(`read_untrusted_content',`
- allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir list_dir_perms;
- read_files_pattern($1_t,{ $1_untrusted_content_t $1_untrusted_content_tmp_t },{ $1_untrusted_content_t $1_untrusted_content_tmp_t })
- read_lnk_files_pattern($1_t,{ $1_untrusted_content_t $1_untrusted_content_tmp_t },{ $1_untrusted_content_t $1_untrusted_content_tmp_t })
- ',`
- dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir list_dir_perms;
- dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file read_file_perms;
+ type user_tmpfs_t;
')
-')
-#######################################
-##
-## The template allowing the user to execute
-## generic programs, such as those found in /bin,
-## /sbin, /usr/bin, and /usr/sbin.
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-#
-template(`userdom_exec_generic_pgms_template',`
- gen_require(`
- type $1_t;
- ')
+ role $1 types user_tmpfs_t;
- corecmd_exec_bin($1_t)
+ manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t)
+ manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
+ manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
+ manage_sock_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
+ manage_fifo_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
+ fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
')
#######################################
@@ -573,7 +423,7 @@ template(`userdom_basic_networking_template',`
#
template(`userdom_xwindows_client_template',`
gen_require(`
- type $1_t, $1_tmpfs_t;
+ type $1_t, user_tmpfs_t;
')
dev_rw_xserver_misc($1_t)
@@ -587,7 +437,7 @@ template(`userdom_xwindows_client_template',`
# GNOME checks for usb and other devices:
dev_rw_usbfs($1_t)
- xserver_user_client_template($1,$1_t,$1_tmpfs_t)
+ xserver_user_client($1_t, user_tmpfs_t)
xserver_xsession_entry_type($1_t)
xserver_dontaudit_write_log($1_t)
xserver_stream_connect_xdm($1_t)
@@ -613,46 +463,14 @@ template(`userdom_xwindows_client_template',`
#
template(`userdom_change_password_template',`
gen_require(`
- type $1_t, $1_devpts_t, $1_tty_device_t;
+ type $1_t;
role $1_r;
')
optional_policy(`
- usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
- usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
- ')
-')
-
-#######################################
-##
-## The template for allowing the user to change roles.
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-#
-template(`userdom_role_change_template',`
- gen_require(`
- role $1_r, $2_r;
- type $1_t, $2_t;
- type $1_devpts_t, $2_devpts_t;
- type $1_tty_device_t, $2_tty_device_t;
+ usermanage_run_chfn($1_t,$1_r)
+ usermanage_run_passwd($1_t,$1_r)
')
-
- allow $1_r $2_r;
- type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
- type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
- # avoid annoying messages on terminal hangup
- dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
')
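Review bot: `userdom_role_change_template` is removed outright here, together with its `allow $1_r $2_r` and `type_change` rules for the pty/tty types, whereas the retired role-change templates further down in this diff had been kept as `refpolicywarn` stubs that forward to a replacement; a third-party module still calling this one would now fail at build time with an undefined macro rather than get a deprecation warning. If the role-change rules are now expected to come from the per-module `*_role_change_template` interfaces, a stub in that form, or at least a sentence in the commit saying so, would keep the migration path consistent with the rest of the change. `userdom_change_password_template` ends inside the hunk, but the following removed template's doc block is only partly visible.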
#######################################
@@ -678,12 +496,8 @@ template(`userdom_common_user_template',`
attribute unpriv_userdomain;
')
- userdom_untrusted_content_template($1)
-
userdom_basic_networking_template($1)
- userdom_exec_generic_pgms_template($1)
-
optional_policy(`
userdom_xwindows_client_template($1)
')
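Review bot: Dropping `userdom_untrusted_content_template($1)` from `userdom_common_user_template` removes the per-user `$1_untrusted_content_t`/`$1_untrusted_content_tmp_t` types and the `read_untrusted_content` tunable gating that the template body (removed earlier in this diff) provided, and nothing visible here adds a shared equivalent. That is a functional change to what user domains may read, not merely a template-to-interface conversion, so it deserves a sentence in the commit description stating whether these types are gone for good or replaced elsewhere. Any module that labels files with those types or references the tunable would need updating; I cannot check that from this file. `userdom_common_user_template` starts and ends outside this hunk.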
@@ -707,6 +521,8 @@ template(`userdom_common_user_template',`
# Find CDROM devices:
kernel_read_device_sysctls($1_t)
+ corecmd_exec_bin($1_t)
+
corenet_udp_bind_all_nodes($1_t)
corenet_udp_bind_generic_port($1_t)
@@ -742,14 +558,14 @@ template(`userdom_common_user_template',`
auth_use_nsswitch($1_t)
auth_read_login_records($1_t)
auth_search_pam_console_data($1_t)
- auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
- auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+ auth_run_pam($1_t,$1_r)
+ auth_run_utempter($1_t,$1_r)
init_read_utmp($1_t)
seutil_read_file_contexts($1_t)
seutil_read_default_contexts($1_t)
- seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
+ seutil_run_newrole($1_t,$1_r)
seutil_exec_checkpolicy($1_t)
seutil_exec_setfiles($1_t)
# for when the network connection is killed
@@ -787,15 +603,15 @@ template(`userdom_common_user_template',`
')
optional_policy(`
- dbus_system_bus_client_template($1,$1_t)
+ dbus_system_bus_client($1_t)
optional_policy(`
bluetooth_dbus_chat($1_t)
')
optional_policy(`
- evolution_dbus_chat($1,$1_t)
- evolution_alarm_dbus_chat($1,$1_t)
+ evolution_dbus_chat($1_t)
+ evolution_alarm_dbus_chat($1_t)
')
optional_policy(`
@@ -876,7 +692,7 @@ template(`userdom_common_user_template',`
')
optional_policy(`
- usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
+ usernetctl_run($1_t,$1_r)
')
')
@@ -905,15 +721,13 @@ template(`userdom_login_user_template', `
userdom_base_user_template($1)
- userdom_manage_home_template($1)
- userdom_poly_home_template($1)
- userdom_poly_tmp_template($1)
+ userdom_manage_home_role($1_r, $1_t)
- userdom_manage_tmp_template($1)
- userdom_manage_tmpfs_template($1)
+ userdom_manage_tmp_role($1_r, $1_t)
+ userdom_manage_tmpfs_role($1_r, $1_t)
- userdom_exec_tmp_template($1)
- userdom_exec_home_template($1)
+ userdom_exec_user_tmp_files($1_t)
+ userdom_exec_user_home_content_files($1_t)
userdom_change_password_template($1)
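Review bot: `userdom_poly_home_template($1)` is dropped but its `type_member` and `files_poly*` rules on the home types have no visible replacement among the new calls; `userdom_manage_tmp_role` does carry `files_poly_member_tmp`, but `userdom_manage_home_role` begins before this chunk, so I cannot confirm it carries the home-directory polyinstantiation rules. If it does not, per-user home polyinstantiation silently stops working for login users. `userdom_exec_user_home_content_files` is now called with one argument while the two-argument templated version is removed later in this diff; the new definition is presumably further down in the long final hunk, which I cannot see in full. `userdom_login_user_template` starts and ends outside this hunk.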
@@ -1019,7 +833,6 @@ template(`userdom_login_user_template', `
template(`userdom_restricted_user_template',`
gen_require(`
attribute unpriv_userdomain;
- attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode;
')
userdom_login_user_template($1)
@@ -1027,27 +840,13 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
- typeattribute $1_devpts_t user_ptynode;
- typeattribute $1_home_dir_t user_home_dir_type;
- typeattribute $1_home_t user_home_type;
- typeattribute $1_tmp_t user_tmpfile;
- typeattribute $1_tty_device_t user_ttynode;
-
##############################
#
# Local policy
#
- # privileged home directory writers
- manage_dirs_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_lnk_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_sock_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
-
optional_policy(`
- loadkeys_run($1_t,$1_r,$1_tty_device_t)
+ loadkeys_run($1_t,$1_r)
')
')
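Review bot: The `privhome` manage and filetrans rules on `$1_home_dir_t`/`$1_home_t` are removed here, and `typeattribute $1_t privhome` goes with them at -1263; the admin template regains direct `userdom_manage_user_home_content_*` calls at -1371, but any other domain that was granted home access through the `privhome` attribute (outside this file) would lose it unless it is given the new interfaces, which I cannot verify from here. A one-line comment above the new calls at -1371, e.g. `# direct user home content access replaces the former privhome attribute`, would make the substitution visible to later readers. `userdom_restricted_user_template` starts outside this hunk.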
@@ -1083,7 +882,7 @@ template(`userdom_restricted_xwindows_user_template',`
# Local policy
#
- authlogin_per_role_template($1, $1_t, $1_r)
+ auth_role($1_r, $1_t)
auth_search_pam_console_data($1_t)
dev_read_sound($1_t)
@@ -1103,8 +902,8 @@ template(`userdom_restricted_xwindows_user_template',`
')
optional_policy(`
- dbus_per_role_template($1, $1_t, $1_r)
- dbus_system_bus_client_template($1, $1_t)
+ dbus_role_template($1, $1_r, $1_t)
+ dbus_system_bus_client($1_t)
optional_policy(`
consolekit_dbus_chat($1_t)
@@ -1116,7 +915,7 @@ template(`userdom_restricted_xwindows_user_template',`
')
optional_policy(`
- java_per_role_template($1, $1_t, $1_r)
+ java_role($1_r, $1_t)
')
optional_policy(`
@@ -1201,17 +1000,17 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
- netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
- netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+ netutils_run_ping_cond($1_t,$1_r)
+ netutils_run_traceroute_cond($1_t,$1_r)
')
optional_policy(`
- postgresql_userdom_template($1,$1_t,$1_r)
+ postgresql_role($1_r,$1_t)
')
# Run pppd in pppd_t by default for user
optional_policy(`
- ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+ ppp_run_cond($1_t,$1_r)
')
optional_policy(`
@@ -1250,8 +1049,7 @@ template(`userdom_unpriv_user_template', `
#
template(`userdom_admin_user_template',`
gen_require(`
- attribute admin_terminal, privhome;
- class passwd { passwd chfn chsh rootok crontab };
+ class passwd { passwd chfn chsh rootok };
')
##############################
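Review bot: Dropping `crontab` from the required `passwd` class permissions here, together with removing `allow $1_t self:passwd crontab;` at -1289, takes away the admin domain's ability to manipulate other users' crontabs, which is a capability change rather than part of the template-to-interface conversion. If this is intentional because another module now grants that permission, the commit should say so; if not, both lines should be kept. `userdom_admin_user_template` continues outside the hunk.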
@@ -1263,7 +1061,6 @@ template(`userdom_admin_user_template',`
userdom_login_user_template($1)
userdom_common_user_template($1)
- typeattribute $1_t privhome;
domain_obj_id_change_exemption($1_t)
role system_r types $1_t;
@@ -1271,10 +1068,6 @@ template(`userdom_admin_user_template',`
domain_system_change_exemption($1_t)
')
- typeattribute $1_devpts_t admin_terminal;
-
- typeattribute $1_tty_device_t admin_terminal;
-
##############################
#
# $1_t local policy
@@ -1289,9 +1082,6 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
- # Manipulate other users crontab.
- allow $1_t self:passwd crontab;
-
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
kernel_read_software_raid_state($1_t)
@@ -1371,6 +1161,13 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
+ userdom_manage_user_home_content_dirs($1_t)
+ userdom_manage_user_home_content_files($1_t)
+ userdom_manage_user_home_content_symlinks($1_t)
+ userdom_manage_user_home_content_pipes($1_t)
+ userdom_manage_user_home_content_sockets($1_t)
+ userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
+
tunable_policy(`user_rw_noexattrfile',`
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
@@ -1402,12 +1199,6 @@ template(`userdom_admin_user_template',`
## be called from a per-userdomain template.
##
##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
##
##
## Domain allowed access.
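Review bot: The surrounding description still says the interface "should only be called from a per-userdomain template", but this hunk removes the prefix parameter and the remaining parameters are a domain and a role, so that sentence is now stale. Replace it with wording such as `## Grant a domain and its role the security administrator permissions.` or drop the templated-interface sentence altogether. The doc block belongs to `userdom_security_admin_template`, whose body starts outside this hunk.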
@@ -1453,17 +1244,13 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
- seutil_run_checkpolicy($1,$2,$3)
- seutil_run_loadpolicy($1,$2,$3)
- seutil_run_semanage($1,$2,$3)
- seutil_run_setfiles($1, $2, $3)
-
- staff_dontaudit_append_home_content_files($1)
-
- sysadm_dontaudit_read_home_content_files($1)
+ seutil_run_checkpolicy($1,$2)
+ seutil_run_loadpolicy($1,$2)
+ seutil_run_semanage($1,$2)
+ seutil_run_setfiles($1, $2)
optional_policy(`
- aide_run($1,$2, $3)
+ aide_run($1,$2)
')
optional_policy(`
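Review bot: `staff_dontaudit_append_home_content_files($1)` and `sysadm_dontaudit_read_home_content_files($1)` are removed without an equivalent dontaudit on the shared user home content type, so security admin domains will start producing AVC denials for the accesses those rules silenced. If the intent is that the shared `user_home_t` type now covers both cases, a dontaudit on that type should take their place; otherwise the removal should be noted in the commit as a deliberate audit-policy change. `userdom_security_admin_template` starts outside the hunk.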
@@ -1475,2523 +1262,186 @@ template(`userdom_security_admin_template',`
')
optional_policy(`
- ipsec_run_setkey($1,$2,$3)
+ ipsec_run_setkey($1,$2)
')
optional_policy(`
- netlabel_run_mgmt($1,$2, $3)
+ netlabel_run_mgmt($1,$2)
')
')
########################################
##
-## Change to the generic user role.
+## Make the specified type usable in a
+## user home directory.
##
-##
+##
##
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
+## Type to be used as a file in the
+## user home directory.
##
##
-##
#
-template(`userdom_role_change_generic_user',`
- refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_role_change_template() instead.')
- unprivuser_role_change_template($1)
+interface(`userdom_user_home_content',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ allow $1 user_home_t:filesystem associate;
+ files_type($1)
+ ubac_constrained($1)
')
########################################
##
-## Change from the generic user role.
+## Set the attributes of a user pty.
##
-##
-##
-## Change from the generic user role to
-## the specified role.
-##
-##
-## This is a template to support third party modules
-## and its use is not allowed in upstream reference
-## policy.
-##
-##
-##
+##
##
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
+## Domain allowed access.
##
##
-##
#
-template(`userdom_role_change_from_generic_user',`
- refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_role_change_to_template() instead.')
- unprivuser_role_change_to_template($1)
+interface(`userdom_setattr_user_ptys',`
+ gen_require(`
+ type user_devpts_t;
+ ')
+
+ allow $1 user_devpts_t:chr_file setattr;
')
########################################
##
-## Change to the staff user role.
+## Create a user pty.
##
-##
+##
##
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
+## Domain allowed access.
##
##
-##
#
-template(`userdom_role_change_staff',`
- refpolicywarn(`$0($*) has been deprecated. Please use staff_role_change_template() instead.')
- staff_role_change_template($1)
+interface(`userdom_create_user_pty',`
+ gen_require(`
+ type user_devpts_t;
+ ')
+
+ term_create_pty($1, user_devpts_t)
')
########################################
##
-## Change from the staff user role.
+## Get the attributes of user home directories.
##
-##
-##
-## Change from the staff user role to
-## the specified role.
-##
-##
-## This is a template to support third party modules
-## and its use is not allowed in upstream reference
-## policy.
-##
-##
-##
+##
##
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
+## Domain allowed access.
##
##
-##
#
-template(`userdom_role_change_from_staff',`
- refpolicywarn(`$0($*) has been deprecated. Please use staff_role_change_to_template() instead.')
- staff_role_change_to_template($1)
+interface(`userdom_getattr_user_home_dirs',`
+ gen_require(`
+ type user_home_dir_t;
+ ')
+
+ allow $1 user_home_dir_t:dir getattr_dir_perms;
+ files_search_home($1)
')
########################################
##
-## Change to the sysadm user role.
+## Do not audit attempts to get the attributes of user home directories.
##
-##
+##
##
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
+## Domain allowed access.
##
##
-##
#
-template(`userdom_role_change_sysadm',`
- refpolicywarn(`$0($*) has been deprecated. Please use sysadm_role_change_template() instead.')
- sysadm_role_change_template($1)
+interface(`userdom_dontaudit_getattr_user_home_dirs',`
+ gen_require(`
+ type user_home_dir_t;
+ ')
+
+ dontaudit $1 user_home_dir_t:dir getattr_dir_perms;
')
########################################
##
-## Change from the sysadm user role.
+## Search user home directories.
##
-##
-##
-## Change from the sysadm user role to
-## the specified role.
-##
-##
-## This is a template to support third party modules
-## and its use is not allowed in upstream reference
-## policy.
-##
-##
-##
+##
##
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
+## Domain allowed access.
##
##
-##
#
-template(`userdom_role_change_from_sysadm',`
- refpolicywarn(`$0($*) has been deprecated. Please use sysadm_role_change_to_template() instead.')
- sysadm_role_change_to_template($1)
+interface(`userdom_search_user_home_dirs',`
+ gen_require(`
+ type user_home_dir_t;
+ ')
+
+ allow $1 user_home_dir_t:dir search_dir_perms;
+ files_search_home($1)
')
########################################
##
-## Change to the secadm user role.
+## Search user home directories.
##
-##
+##
##
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
+## Domain allowed access.
##
##
-##
#
-template(`userdom_role_change_secadm',`
- refpolicywarn(`$0($*) has been deprecated. Please use secadm_role_change_template() instead.')
- secadm_role_change_template($1)
+interface(`userdom_dontaudit_search_user_home_dirs',`
+ gen_require(`
+ type user_home_dir_t;
+ ')
+
+ dontaudit $1 user_home_dir_t:dir search_dir_perms;
')
########################################
##
-## Change from the secadm user role.
+## List user home directories.
##
-##
-##
-## Change from the secadm user role to
-## the specified role.
-##
-##
-## This is a template to support third party modules
-## and its use is not allowed in upstream reference
-## policy.
-##
-##
-##
+##
##
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
+## Domain allowed access.
##
##
-##
#
-template(`userdom_role_change_from_secadm',`
- refpolicywarn(`$0($*) has been deprecated. Please use secadm_role_change_to_template() instead.')
- secadm_role_change_to_template($1)
-')
+interface(`userdom_list_user_home_dirs',`
+ gen_require(`
+ type user_home_dir_t;
+ ')
-########################################
-##
-## Change to the auditadm user role.
-##
-##
-##
-## The prefix of the auditadm role (e.g., user
-## is the prefix for user_r).
-##
-##
-##
-#
-template(`userdom_role_change_auditadm',`
- refpolicywarn(`$0($*) has been deprecated. Please use auditadm_role_change_template() instead.')
- auditadm_role_change_template($1)
-')
-
-########################################
-##
-## Change from the auditadm user role.
-##
-##
-##
-## Change from the auditadm user role to
-## the specified role.
-##
-##
-## This is a template to support third party modules
-## and its use is not allowed in upstream reference
-## policy.
-##
-##
-##
-##
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
-##
-##
-##
-#
-template(`userdom_role_change_from_auditadm',`
- refpolicywarn(`$0($*) has been deprecated. Please use auditadm_role_change_to_template() instead.')
- auditadm_role_change_to_template($1)
-')
-
-########################################
-##
-## Make the specified type usable in a
-## user home directory.
-##
-##
-##
-## Make the specified type usable in a
-## user home directory.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Type to be used as a file in the
-## user home directory.
-##
-##
-#
-template(`userdom_user_home_content',`
- gen_require(`
- attribute $1_file_type;
- ')
-
- typeattribute $2 $1_file_type;
- files_type($2)
-')
-
-########################################
-##
-## Set the attributes of a user pty.
-##
-##
-##
-## Set the attributes of a user pty.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_setattr_user_ptys',`
- gen_require(`
- type $1_devpts_t;
- ')
-
- allow $2 $1_devpts_t:chr_file setattr;
-')
-
-########################################
-##
-## Create a user pty.
-##
-##
-##
-## Create a user pty.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_create_user_pty',`
- gen_require(`
- type $1_devpts_t;
- ')
-
- term_create_pty($2, $1_devpts_t)
-')
-
-########################################
-##
-## Search user home directories.
-##
-##
-##
-## Search user home directories.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_search_user_home_dirs',`
- gen_require(`
- type $1_home_dir_t;
- ')
-
- files_search_home($2)
- allow $2 $1_home_dir_t:dir search_dir_perms;
-')
-
-########################################
-##
-## List user home directories.
-##
-##
-##
-## List user home directories.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_list_user_home_dirs',`
- gen_require(`
- type $1_home_dir_t;
- ')
-
- files_search_home($2)
- allow $2 $1_home_dir_t:dir list_dir_perms;
-')
-
-########################################
-##
-## Do a domain transition to the specified
-## domain when executing a program in the
-## user home directory.
-##
-##
-##
-## Do a domain transition to the specified
-## domain when executing a program in the
-## user home directory.
-##
-##
-## No interprocess communication (signals, pipes,
-## etc.) is provided by this interface since
-## the domains are not owned by this module.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## Domain to transition to.
-##
-##
-#
-template(`userdom_user_home_domtrans',`
- gen_require(`
- type $1_home_dir_t, $1_home_t;
- ')
-
- files_search_home($2)
- allow $2 $1_home_dir_t:dir search_dir_perms;
- domain_auto_trans($2,$1_home_t,$3)
-')
-
-########################################
-##
-## Do not audit attempts to list user home subdirectories.
-##
-##
-##
-## Do not audit attempts to list user home subdirectories.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain to not audit
-##
-##
-#
-template(`userdom_dontaudit_list_user_home_dirs',`
- gen_require(`
- type $1_home_dir_t;
- ')
-
- dontaudit $2 $1_home_dir_t:dir list_dir_perms;
-')
-
-########################################
-##
-## Create, read, write, and delete directories
-## in a user home subdirectory.
-##
-##
-##
-## Create, read, write, and delete directories
-## in a user home subdirectory.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_manage_user_home_content_dirs',`
- gen_require(`
- type $1_home_dir_t, $1_home_t;
- ')
-
- files_search_home($2)
- manage_dirs_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
-')
-
-########################################
-##
-## Do not audit attempts to set the
-## attributes of user home files.
-##
-##
-##
-## Do not audit attempts to set the
-## attributes of user home files.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_dontaudit_setattr_user_home_content_files',`
- gen_require(`
- type $1_home_dir_t, $1_home_t;
- ')
-
- dontaudit $2 $1_home_t:file setattr;
-')
-
-########################################
-##
-## Read user home files.
-##
-##
-##
-## Read user home files.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_read_user_home_content_files',`
- gen_require(`
- type $1_home_dir_t, $1_home_t;
- ')
-
- files_search_home($2)
- read_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
-')
-
-########################################
-##
-## Do not audit attempts to read user home files.
-##
-##
-##
-## Do not audit attempts to read user home files.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-template(`userdom_dontaudit_read_user_home_content_files',`
- gen_require(`
- type $1_home_t;
- ')
-
- dontaudit $2 $1_home_t:dir list_dir_perms;
- dontaudit $2 $1_home_t:file read_file_perms;
-')
-
-########################################
-##
-## Do not audit attempts to write user home files.
-##
-##
-##
-## Do not audit attempts to write user home files.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-template(`userdom_dontaudit_write_user_home_content_files',`
- gen_require(`
- type $1_home_t;
- ')
-
- dontaudit $2 $1_home_t:file write;
-')
-
-########################################
-##
-## Read user home subdirectory symbolic links.
-##
-##
-##
-## Read user home subdirectory symbolic links.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_read_user_home_content_symlinks',`
- gen_require(`
- type $1_home_dir_t, $1_home_t;
- ')
-
- files_search_home($2)
- read_lnk_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
-')
-
-########################################
-##
-## Execute user home files.
-##
-##
-##
-## Execute user home files.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_exec_user_home_content_files',`
- gen_require(`
- type $1_home_dir_t, $1_home_t;
- ')
-
- files_search_home($2)
- exec_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
-')
-
-########################################
-##
-## Do not audit attempts to execute user home files.
-##
-##
-##
-## Do not audit attempts to execute user home files.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_dontaudit_exec_user_home_content_files',`
- gen_require(`
- type $1_home_t;
- ')
-
- dontaudit $2 $1_home_t:file execute;
-')
-
-########################################
-##
-## Create, read, write, and delete files
-## in a user home subdirectory.
-##
-##
-##
-## Create, read, write, and delete files
-## in a user home subdirectory.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_manage_user_home_content_files',`
- gen_require(`
- type $1_home_dir_t, $1_home_t;
- ')
-
- files_search_home($2)
- allow $2 $1_home_dir_t:dir search_dir_perms;
- manage_files_pattern($2,$1_home_t,$1_home_t)
-')
-
-########################################
-##
-## Do not audit attempts to create, read, write, and delete directories
-## in a user home subdirectory.
-##
-##
-##
-## Do not audit attempts to create, read, write, and delete directories
-## in a user home subdirectory.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_dontaudit_manage_user_home_content_dirs',`
- gen_require(`
- type $1_home_dir_t, $1_home_t;
- ')
-
- dontaudit $2 $1_home_t:dir manage_dir_perms;
-')
-
-########################################
-##
-## Create, read, write, and delete symbolic links
-## in a user home subdirectory.
-##
-##
-##
-## Create, read, write, and delete symbolic links
-## in a user home subdirectory.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_manage_user_home_content_symlinks',`
- gen_require(`
- type $1_home_dir_t, $1_home_t;
- ')
-
- files_search_home($2)
- allow $2 $1_home_dir_t:dir search_dir_perms;
- manage_lnk_files_pattern($2,$1_home_t,$1_home_t)
-')
-
-########################################
-##
-## Create, read, write, and delete named pipes
-## in a user home subdirectory.
-##
-##
-##
-## Create, read, write, and delete named pipes
-## in a user home subdirectory.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_manage_user_home_content_pipes',`
- gen_require(`
- type $1_home_dir_t, $1_home_t;
- ')
-
- files_search_home($2)
- allow $2 $1_home_dir_t:dir search_dir_perms;
- manage_fifo_files_pattern($2,$1_home_t,$1_home_t)
-')
-
-########################################
-##
-## Create, read, write, and delete named sockets
-## in a user home subdirectory.
-##
-##
-##
-## Create, read, write, and delete named sockets
-## in a user home subdirectory.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_manage_user_home_content_sockets',`
- gen_require(`
- type $1_home_dir_t, $1_home_t;
- ')
-
- files_search_home($2)
- allow $2 $1_home_dir_t:dir search_dir_perms;
- manage_sock_files_pattern($2,$1_home_t,$1_home_t)
-')
-
-########################################
-##
-## Create objects in a user home directory
-## with an automatic type transition to
-## a specified private type.
-##
-##
-##
-## Create objects in a user home directory
-## with an automatic type transition to
-## a specified private type.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## The type of the object to create.
-##
-##
-##
-##
-## The class of the object to be created. If not
-## specified, file is used.
-##
-##
-#
-template(`userdom_user_home_dir_filetrans',`
- gen_require(`
- type $1_home_dir_t;
- ')
-
- files_search_home($2)
- filetrans_pattern($2,$1_home_dir_t,$3,$4)
-')
-
-########################################
-##
-## Create objects in a user home directory
-## with an automatic type transition to
-## a specified private type.
-##
-##
-##
-## Create objects in a user home directory
-## with an automatic type transition to
-## a specified private type.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## The type of the object to create.
-##
-##
-##
-##
-## The class of the object to be created. If not
-## specified, file is used.
-##
-##
-#
-template(`userdom_user_home_content_filetrans',`
- gen_require(`
- type $1_home_t;
- ')
-
- files_search_home($2)
- filetrans_pattern($2,$1_home_t,$3,$4)
-')
-
-########################################
-##
-## Create objects in a user home directory
-## with an automatic type transition to
-## the user home file type.
-##
-##
-##
-## Create objects in a user home directory
-## with an automatic type transition to
-## the user home file type.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## The class of the object to be created. If not
-## specified, file is used.
-##
-##
-#
-template(`userdom_user_home_dir_filetrans_user_home_content',`
- gen_require(`
- type $1_home_dir_t, $1_home_t;
- ')
-
- files_search_home($2)
- filetrans_pattern($2,$1_home_dir_t,$1_home_t,$3)
-')
-
-########################################
-##
-## Write to user temporary named sockets.
-##
-##
-##
-## Write to user temporary named sockets.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_write_user_tmp_sockets',`
- gen_require(`
- type $1_tmp_t;
- ')
-
- files_search_tmp($2)
- allow $2 $1_tmp_t:sock_file write;
-')
-
-########################################
-##
-## List user temporary directories.
-##
-##
-##
-## List user temporary directories.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_list_user_tmp',`
- gen_require(`
- type $1_tmp_t;
- ')
-
- files_search_tmp($2)
- allow $2 $1_tmp_t:dir list_dir_perms;
-')
-
-########################################
-##
-## Do not audit attempts to list user
-## temporary directories.
-##
-##
-##
-## Do not audit attempts to list user
-## temporary directories.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-template(`userdom_dontaudit_list_user_tmp',`
- gen_require(`
- type $1_tmp_t;
- ')
-
- dontaudit $2 $1_tmp_t:dir list_dir_perms;
-')
-
-########################################
-##
-## Do not audit attempts to manage users
-## temporary directories.
-##
-##
-##
-## Do not audit attempts to manage users
-## temporary directories.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-template(`userdom_dontaudit_manage_user_tmp_dirs',`
- gen_require(`
- type $1_tmp_t;
- ')
-
- dontaudit $2 $1_tmp_t:dir manage_dir_perms;
-')
-
-########################################
-##
-## Read user temporary files.
-##
-##
-##
-## Read user temporary files.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_read_user_tmp_files',`
- gen_require(`
- type $1_tmp_t;
- ')
-
- files_search_tmp($2)
- allow $2 $1_tmp_t:dir list_dir_perms;
- read_files_pattern($2,$1_tmp_t,$1_tmp_t)
-')
-
-########################################
-##
-## Do not audit attempts to read users
-## temporary files.
-##
-##
-##
-## Do not audit attempts to read users
-## temporary files.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-template(`userdom_dontaudit_read_user_tmp_files',`
- gen_require(`
- type $1_tmp_t;
- ')
-
- dontaudit $2 $1_tmp_t:file read_file_perms;
-')
-
-########################################
-##
-## Do not audit attempts to append users
-## temporary files.
-##
-##
-##
-## Do not audit attempts to append users
-## temporary files.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-template(`userdom_dontaudit_append_user_tmp_files',`
- gen_require(`
- type $1_tmp_t;
- ')
-
- dontaudit $2 $1_tmp_t:file append;
-')
-
-########################################
-##
-## Read and write user temporary files.
-##
-##
-##
-## Read and write user temporary files.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_rw_user_tmp_files',`
- gen_require(`
- type $1_tmp_t;
- ')
-
- files_search_tmp($2)
- allow $2 $1_tmp_t:dir list_dir_perms;
- rw_files_pattern($2,$1_tmp_t,$1_tmp_t)
-')
-
-########################################
-##
-## Do not audit attempts to manage users
-## temporary files.
-##
-##
-##
-## Do not audit attempts to manage users
-## temporary files.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-template(`userdom_dontaudit_manage_user_tmp_files',`
- gen_require(`
- type $1_tmp_t;
- ')
-
- dontaudit $2 $1_tmp_t:file manage_file_perms;
-')
-
-########################################
-##
-## Read user
-## temporary symbolic links.
-##
-##
-##
-## Read user
-## temporary symbolic links.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_read_user_tmp_symlinks',`
- gen_require(`
- type $1_tmp_t;
- ')
-
- files_search_tmp($2)
- allow $2 $1_tmp_t:dir list_dir_perms;
- read_lnk_files_pattern($2,$1_tmp_t,$1_tmp_t)
-')
-
-########################################
-##
-## Create, read, write, and delete user
-## temporary directories.
-##
-##
-##
-## Create, read, write, and delete user
-## temporary directories.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_manage_user_tmp_dirs',`
- gen_require(`
- type $1_tmp_t;
- ')
-
- files_search_tmp($2)
- manage_dirs_pattern($2,$1_tmp_t,$1_tmp_t)
-')
-
-########################################
-##
-## Create, read, write, and delete user
-## temporary files.
-##
-##
-##
-## Create, read, write, and delete user
-## temporary files.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_manage_user_tmp_files',`
- gen_require(`
- type $1_tmp_t;
- ')
-
- files_search_tmp($2)
- manage_files_pattern($2,$1_tmp_t,$1_tmp_t)
-')
-
-########################################
-##
-## Create, read, write, and delete user
-## temporary symbolic links.
-##
-##
-##
-## Create, read, write, and delete user
-## temporary symbolic links.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_manage_user_tmp_symlinks',`
- gen_require(`
- type $1_tmp_t;
- ')
-
- files_search_tmp($2)
- manage_lnk_files_pattern($2,$1_tmp_t,$1_tmp_t)
-')
-
-########################################
-##
-## Create, read, write, and delete user
-## temporary named pipes.
-##
-##
-##
-## Create, read, write, and delete user
-## temporary named pipes.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_manage_user_tmp_pipes',`
- gen_require(`
- type $1_tmp_t;
- ')
-
- files_search_tmp($2)
- manage_fifo_files_pattern($2,$1_tmp_t,$1_tmp_t)
-')
-
-########################################
-##
-## Create, read, write, and delete user
-## temporary named sockets.
-##
-##
-##
-## Create, read, write, and delete user
-## temporary named sockets.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_manage_user_tmp_sockets',`
- gen_require(`
- type $1_tmp_t;
- ')
-
- files_search_tmp($2)
- manage_sock_files_pattern($2,$1_tmp_t,$1_tmp_t)
-')
-
-########################################
-##
-## Create objects in a user temporary directory
-## with an automatic type transition to
-## a specified private type.
-##
-##
-##
-## Create objects in a user temporary directory
-## with an automatic type transition to
-## a specified private type.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## The type of the object to create.
-##
-##
-##
-##
-## The class of the object to be created. If not
-## specified, file is used.
-##
-##
-#
-template(`userdom_user_tmp_filetrans',`
- gen_require(`
- type $1_tmp_t;
- ')
-
- filetrans_pattern($2,$1_tmp_t,$3,$4)
- files_search_tmp($2)
-')
-
-########################################
-##
-## Create objects in the temporary directory
-## with an automatic type transition to
-## the user temporary type.
-##
-##
-##
-## Create objects in the temporary directory
-## with an automatic type transition to
-## the user temporary type.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## The class of the object to be created. If not
-## specified, file is used.
-##
-##
-#
-template(`userdom_tmp_filetrans_user_tmp',`
- gen_require(`
- type $1_tmp_t;
- ')
-
- files_tmp_filetrans($2,$1_tmp_t,$3)
-')
-
-########################################
-##
-## Read user tmpfs files.
-##
-##
-##
-## Read user tmpfs files.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_rw_user_tmpfs_files',`
- gen_require(`
- type $1_tmpfs_t;
- ')
-
- fs_search_tmpfs($2)
- allow $2 $1_tmpfs_t:dir list_dir_perms;
- rw_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
- read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
-')
-
-########################################
-##
-## List users untrusted directories.
-##
-##
-##
-## List users untrusted directories.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_list_user_untrusted_content',`
- gen_require(`
- type $1_untrusted_content_t;
- ')
-
- allow $2 $1_untrusted_content_t:dir list_dir_perms;
-')
-
-########################################
-##
-## Do not audit attempts to list user
-## untrusted directories.
-##
-##
-##
-## Do not audit attempts to read user
-## untrusted directories.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-template(`userdom_dontaudit_list_user_untrusted_content',`
- gen_require(`
- type $1_untrusted_content_t;
- ')
-
- dontaudit $2 $1_untrusted_content_t:dir list_dir_perms;
-')
-
-########################################
-##
-## Create, read, write, and delete users untrusted directories.
-##
-##
-##
-## Create, read, write, and delete users untrusted directories.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_manage_user_untrusted_content_dirs',`
- gen_require(`
- type $1_untrusted_content_t;
- ')
-
- allow $2 $1_untrusted_content_t:dir manage_dir_perms;
-')
-
-########################################
-##
-## Read user untrusted files.
-##
-##
-##
-## Read user untrusted files.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_read_user_untrusted_content_files',`
- gen_require(`
- type $1_untrusted_content_t;
- ')
-
- allow $2 $1_untrusted_content_t:dir list_dir_perms;
- read_files_pattern($2,$1_untrusted_content_t,$1_untrusted_content_t)
-')
-
-########################################
-##
-## Manage user untrusted files.
-##
-##
-##
-## Create, read, write, and delete untrusted files.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_manage_user_untrusted_content_files',`
- gen_require(`
- type $1_untrusted_content_t;
- ')
-
- manage_files_pattern($2,$1_untrusted_content_t,$1_untrusted_content_t)
-')
-
-########################################
-##
-## Manage user untrusted tmp files.
-##
-##
-##
-## Create, read, write, and delete untrusted tmp files.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_manage_user_untrusted_content_tmp_files',`
- gen_require(`
- type $1_untrusted_content_tmp_t;
- ')
-
- manage_files_pattern($2,$1_untrusted_content_tmp_t,$1_untrusted_content_tmp_t)
-')
-
-########################################
-##
-## Do not audit attempts to read users
-## untrusted files.
-##
-##
-##
-## Do not audit attempts to read users
-## untrusted files.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-template(`userdom_dontaudit_read_user_untrusted_content_files',`
- gen_require(`
- type $1_untrusted_content_t;
- ')
-
- dontaudit $2 $1_untrusted_content_t:file read_file_perms;
-')
-
-########################################
-##
-## Read user untrusted symbolic links.
-##
-##
-##
-## Read user untrusted symbolic links.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_read_user_untrusted_content_symlinks',`
- gen_require(`
- type $1_untrusted_content_t;
- ')
-
- allow $2 $1_untrusted_content_t:dir list_dir_perms;
- read_lnk_files_pattern($2,$1_untrusted_content_t,$1_untrusted_content_t)
-')
-
-########################################
-##
-## List users temporary untrusted directories.
-##
-##
-##
-## List users temporary untrusted directories.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_list_user_tmp_untrusted_content',`
- gen_require(`
- type $1_untrusted_content_tmp_t;
- ')
-
- allow $2 $1_untrusted_content_tmp_t:dir list_dir_perms;
-')
-
-########################################
-##
-## Do not audit attempts to list user
-## temporary untrusted directories.
-##
-##
-##
-## Do not audit attempts to list user
-## temporary directories.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-template(`userdom_dontaudit_list_user_tmp_untrusted_content',`
- gen_require(`
- type $1_untrusted_content_tmp_t;
- ')
-
- dontaudit $2 $1_untrusted_content_tmp_t:dir list_dir_perms;
-')
-
-########################################
-##
-## Read user temporary untrusted files.
-##
-##
-##
-## Read user temporary untrusted files.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_read_user_tmp_untrusted_content_files',`
- gen_require(`
- type $1_untrusted_content_tmp_t;
- ')
-
- allow $2 $1_untrusted_content_tmp_t:dir list_dir_perms;
- read_files_pattern($2,$1_untrusted_content_tmp_t,$1_untrusted_content_tmp_t)
-')
-
-########################################
-##
-## Do not audit attempts to read users
-## temporary untrusted files.
-##
-##
-##
-## Do not audit attempts to read users
-## temporary untrusted files.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-template(`userdom_dontaudit_read_user_tmp_untrusted_content_files',`
- gen_require(`
- type $1_untrusted_content_tmp_t;
- ')
-
- dontaudit $2 $1_untrusted_content_tmp_t:file read_file_perms;
-')
-
-########################################
-##
-## Read user temporary untrusted symbolic links.
-##
-##
-##
-## Read user temporary untrusted symbolic links.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_read_user_tmp_untrusted_content_symlinks',`
- gen_require(`
- type $1_untrusted_content_tmp_t;
- ')
-
- allow $2 $1_untrusted_content_tmp_t:dir list_dir_perms;
- read_lnk_files_pattern($2,$1_untrusted_content_tmp_t,$1_untrusted_content_tmp_t)
-')
-
-########################################
-##
-## Read all user untrusted content files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`userdom_read_all_untrusted_content',`
- gen_require(`
- attribute untrusted_content_type;
- ')
-
- allow $1 untrusted_content_type:dir list_dir_perms;
- read_files_pattern($1,untrusted_content_type,untrusted_content_type)
- read_lnk_files_pattern($1,untrusted_content_type,untrusted_content_type)
-')
-
-########################################
-##
-## Read all user temporary untrusted content files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`userdom_read_all_tmp_untrusted_content',`
- gen_require(`
- attribute untrusted_content_tmp_type;
- ')
-
- allow $1 untrusted_content_tmp_type:dir list_dir_perms;
- read_files_pattern($1,untrusted_content_tmp_type,untrusted_content_tmp_type)
- read_lnk_files_pattern($1,untrusted_content_tmp_type,untrusted_content_tmp_type)
-')
-
-########################################
-##
-## Set the attributes of a user domain tty.
-##
-##
-##
-## Set the attributes of a user domain tty.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_setattr_user_ttys',`
- gen_require(`
- type $1_tty_device_t;
- ')
-
- allow $2 $1_tty_device_t:chr_file setattr;
-')
-
-########################################
-##
-## Read and write a user domain tty.
-##
-##
-##
-## Read and write a user domain tty.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_use_user_ttys',`
- gen_require(`
- type $1_tty_device_t;
- ')
-
- allow $2 $1_tty_device_t:chr_file rw_term_perms;
-')
-
-########################################
-##
-## Read and write a user domain tty and pty.
-##
-##
-##
-## Read and write a user domain tty and pty.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_use_user_terminals',`
- gen_require(`
- type $1_tty_device_t, $1_devpts_t;
- ')
-
- allow $2 $1_tty_device_t:chr_file rw_term_perms;
- allow $2 $1_devpts_t:chr_file rw_term_perms;
- term_list_ptys($2)
-')
-
-########################################
-##
-## Do not audit attempts to read and write
-## a user domain tty and pty.
-##
-##
-##
-## Do not audit attempts to read and write
-## a user domain tty and pty.
-##
-##
-## This is a templated interface, and should only
-## be called from a per-userdomain template.
-##
-##
-##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-template(`userdom_dontaudit_use_user_terminals',`
- gen_require(`
- type $1_tty_device_t, $1_devpts_t;
- ')
-
- dontaudit $2 $1_tty_device_t:chr_file rw_term_perms;
- dontaudit $2 $1_devpts_t:chr_file rw_term_perms;
-')
-
-########################################
-##
-## Execute a shell in all user domains. This
-## is an explicit transition, requiring the
-## caller to use setexeccon().
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`userdom_spec_domtrans_all_users',`
- gen_require(`
- attribute userdomain;
- ')
-
- corecmd_shell_spec_domtrans($1,userdomain)
- allow userdomain $1:fd use;
- allow userdomain $1:fifo_file rw_file_perms;
- allow userdomain $1:process sigchld;
-')
-
-########################################
-##
-## Execute an Xserver session in all unprivileged user domains. This
-## is an explicit transition, requiring the
-## caller to use setexeccon().
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`userdom_xsession_spec_domtrans_all_users',`
- gen_require(`
- attribute userdomain;
- ')
-
- xserver_xsession_spec_domtrans($1,userdomain)
- allow userdomain $1:fd use;
- allow userdomain $1:fifo_file rw_file_perms;
- allow userdomain $1:process sigchld;
-')
-
-########################################
-##
-## Execute a shell in all unprivileged user domains. This
-## is an explicit transition, requiring the
-## caller to use setexeccon().
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`userdom_spec_domtrans_unpriv_users',`
- gen_require(`
- attribute unpriv_userdomain;
- ')
-
- corecmd_shell_spec_domtrans($1,unpriv_userdomain)
- allow unpriv_userdomain $1:fd use;
- allow unpriv_userdomain $1:fifo_file rw_file_perms;
- allow unpriv_userdomain $1:process sigchld;
-')
-
-########################################
-##
-## Execute an Xserver session in all unprivileged user domains. This
-## is an explicit transition, requiring the
-## caller to use setexeccon().
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`userdom_xsession_spec_domtrans_unpriv_users',`
- gen_require(`
- attribute unpriv_userdomain;
- ')
-
- xserver_xsession_spec_domtrans($1,unpriv_userdomain)
- allow unpriv_userdomain $1:fd use;
- allow unpriv_userdomain $1:fifo_file rw_file_perms;
- allow unpriv_userdomain $1:process sigchld;
-')
-
-########################################
-##
-## Manage unpriviledged user SysV sempaphores.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`userdom_manage_unpriv_user_semaphores',`
- gen_require(`
- attribute unpriv_userdomain;
- ')
-
- allow $1 unpriv_userdomain:sem create_sem_perms;
-')
-
-########################################
-##
-## Manage unpriviledged user SysV shared
-## memory segments.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`userdom_manage_unpriv_user_shared_mem',`
- gen_require(`
- attribute unpriv_userdomain;
- ')
-
- allow $1 unpriv_userdomain:shm create_shm_perms;
+ allow $1 user_home_dir_t:dir list_dir_perms;
+ files_search_home($1)
')
########################################
##
-## Execute bin_t in the unprivileged user domains. This
-## is an explicit transition, requiring the
-## caller to use setexeccon().
+## Do not audit attempts to list user home subdirectories.
##
##
##
-## Domain allowed access.
+## Domain to not audit
##
##
#
-interface(`userdom_bin_spec_domtrans_unpriv_users',`
+interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
- attribute unpriv_userdomain;
+ type user_home_dir_t;
')
- corecmd_bin_spec_domtrans($1,unpriv_userdomain)
- allow unpriv_userdomain $1:fd use;
- allow unpriv_userdomain $1:fifo_file rw_file_perms;
- allow unpriv_userdomain $1:process sigchld;
+ dontaudit $1 user_home_dir_t:dir list_dir_perms;
')
########################################
##
-## Execute generic sbin programs in all unprivileged user
-## domains. This is an explicit transition, requiring the
-## caller to use setexeccon().
+## Create user home directories.
##
##
##
@@ -3999,16 +1449,17 @@ interface(`userdom_bin_spec_domtrans_unpriv_users',`
##
##
#
-interface(`userdom_sbin_spec_domtrans_unpriv_users',`
- userdom_bin_spec_domtrans_unpriv_users($1)
- refpolicywarn(`$0() has been deprecated, please use userdom_bin_spec_domtrans_unpriv_users() instead.')
+interface(`userdom_create_user_home_dirs',`
+ gen_require(`
+ type user_home_dir_t;
+ ')
+
+ allow $1 user_home_dir_t:dir create_dir_perms;
')
########################################
##
-## Execute all entrypoint files in unprivileged user
-## domains. This is an explicit transition, requiring the
-## caller to use setexeccon().
+## Create user home directories.
##
##
##
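Review bot: The summary line `+## Create user home directories.` added at the end of this hunk heads the doc block of the interface that the following hunk defines as `userdom_manage_user_home_dirs`, which grants `manage_dir_perms`, so two interfaces now carry the identical "Create user home directories." summary and the manage one under-describes what it allows. Change that line to `## Create, read, write, and delete user home directories.` so the generated interface documentation matches the permission set and follows the "Create, read, write, and delete ..." wording used by the removed templates. The new `userdom_create_user_home_dirs` body grants only `create_dir_perms` on `user_home_dir_t:dir` and no search on the home root; that is presumably intended (callers pair it with files_search_home() or the filetrans interface), but the description should say so. The doc block that closes this hunk belongs to an interface defined outside it.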
@@ -4016,20 +1467,17 @@ interface(`userdom_sbin_spec_domtrans_unpriv_users',`
##
##
#
-interface(`userdom_entry_spec_domtrans_unpriv_users',`
+interface(`userdom_manage_user_home_dirs',`
gen_require(`
- attribute unpriv_userdomain;
+ type user_home_dir_t;
')
- domain_entry_file_spec_domtrans($1,unpriv_userdomain)
- allow unpriv_userdomain $1:fd use;
- allow unpriv_userdomain $1:fifo_file rw_file_perms;
- allow unpriv_userdomain $1:process sigchld;
+ allow $1 user_home_dir_t:dir manage_dir_perms;
')
########################################
##
-## Execute a shell in the sysadm domain.
+## Relabel to user home directories.
##
##
##
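Review bot: `userdom_manage_user_home_dirs` grants `manage_dir_perms` on the single `user_home_dir_t` type, and since this commit removes the per-prefix `$1_home_dir_t` templates, a caller now gets create, rename and rmdir on the home directory root of every user rather than of one user, with any separation between users presumably left to the UBAC constraints this series introduces rather than to type enforcement. A module author reading "Create user home directories." will not expect it to also cover deleting and renaming other users' home directories, so I would add `## This covers the home directories of all users; separation between users, if any, comes from UBAC constraints rather than from the type.` to the doc block. The removal of `userdom_entry_spec_domtrans_unpriv_users` here leaves no `refpolicywarn` wrapper, unlike the deprecated interfaces in the neighbouring hunks, so third-party modules still calling it will fail at build time rather than warn; consider keeping a wrapper for one release if that is the project's deprecation practice. The doc block for this interface starts in the previous hunk.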
@@ -4037,29 +1485,18 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
##
##
#
-interface(`userdom_shell_domtrans_sysadm',`
- refpolicywarn(`$0($*) has been deprecated. Please use sysadm_shell_domtrans() instead.')
- sysadm_shell_domtrans($1)
-')
+interface(`userdom_relabelto_user_home_dirs',`
+ gen_require(`
+ type user_home_dir_t;
+ ')
-########################################
-##
-## Execute a generic bin program in the sysadm domain.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`userdom_bin_spec_domtrans_sysadm',`
- refpolicywarn(`$0($*) has been deprecated. Please use sysadm_bin_spec_domtrans() instead.')
- sysadm_bin_spec_domtrans($1)
+ allow $1 user_home_dir_t:dir relabelto;
')
########################################
##
-## Execute a generic sbin program in the sysadm domain. (Deprecated)
+## Create directories in the home dir root with
+## the user home directory type.
##
##
##
@@ -4067,148 +1504,75 @@ interface(`userdom_bin_spec_domtrans_sysadm',`
##
##
#
-interface(`userdom_sbin_spec_domtrans_sysadm',`
- refpolicywarn(`$0() has been deprecated, please use sysadm_bin_spec_domtrans() instead.')
- sysadm_bin_spec_domtrans($1)
-')
+interface(`userdom_home_filetrans_user_home_dir',`
+ gen_require(`
+ type user_home_dir_t;
+ ')
-########################################
-##
-## Execute all entrypoint files in the sysadm domain. This
-## is an explicit transition, requiring the
-## caller to use setexeccon().
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`userdom_entry_spec_domtrans_sysadm',`
- refpolicywarn(`$0($*) has been deprecated. Please use sysadm_entry_spec_domtrans() instead.')
- sysadm_entry_spec_domtrans($1)
+ files_home_filetrans($1, user_home_dir_t, dir)
')
########################################
##
-## Allow sysadm to execute a generic bin program in
-## a specified domain. This is an explicit transition,
-## requiring the caller to use setexeccon(). (Deprecated)
+## Do a domain transition to the specified
+## domain when executing a program in the
+## user home directory.
##
##
##
-## Allow sysadm to execute a generic bin program in
-## a specified domain. (Deprecated)
+## Do a domain transition to the specified
+## domain when executing a program in the
+## user home directory.
##
##
-## This is a interface to support third party modules
-## and its use is not allowed in upstream reference
-## policy.
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
##
##
-##
+##
##
-## Domain to execute in.
+## Domain allowed access.
##
##
-#
-interface(`userdom_sysadm_bin_spec_domtrans_to',`
- refpolicywarn(`$0($*) has been deprecated. Please use sysadm_bin_spec_domtrans_to() instead.')
- sysadm_bin_spec_domtrans_to($1)
-')
-
-########################################
-##
-## Allow sysadm to execute a generic sbin program in
-## a specified domain. This is an explicit transition,
-## requiring the caller to use setexeccon(). (Deprecated)
-##
-##
-##
-## Allow sysadm to execute a generic sbin program in
-## a specified domain. (Deprecated)
-##
-##
-## This is a interface to support third party modules
-## and its use is not allowed in upstream reference
-## policy.
-##
-##
-##
+##
##
-## Domain to execute in.
+## Domain to transition to.
##
##
#
-interface(`userdom_sysadm_sbin_spec_domtrans_to',`
- refpolicywarn(`$0() has been deprecated, please use sysadm_bin_spec_domtrans_to() instead.')
- sysadm_bin_spec_domtrans_to($1)
-')
+interface(`userdom_user_home_domtrans',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
-########################################
-##
-## Allow sysadm to execute all entrypoint files
-## in the specified domain. This is an explicit
-## transition, requiring the caller to use setexeccon().
-##
-##
-##
-## Allow sysadm to execute all entrypoint files
-## in the specified domain. This is an explicit
-## transition, requiring the caller to use setexeccon().
-##
-##
-## This is a interface to support third party modules
-## and its use is not allowed in upstream reference
-## policy.
-##
-##
-##
-##
-## Domain to execute in.
-##
-##
-#
-interface(`userdom_sysadm_entry_spec_domtrans_to',`
- refpolicywarn(`$0($*) has been deprecated. Please use sysadm_entry_spec_domtrans() instead.')
- sysadm_entry_spec_domtrans($1)
+ domain_auto_trans($1, user_home_t, $2)
+ allow $1 user_home_dir_t:dir search_dir_perms;
+ files_search_home($1)
')
########################################
##
-## Search the staff users home directory.
+## Do not audit attempts to search user home content directories.
##
##
##
-## Domain allowed access.
+## Domain to not audit
##
##
#
-interface(`userdom_search_staff_home_dirs',`
- refpolicywarn(`$0($*) has been deprecated. Please use staff_search_home_dirs() instead.')
- staff_search_home_dirs($1)
-')
+interface(`userdom_dontaudit_search_user_home_content',`
+ gen_require(`
+ type user_home_t;
+ ')
-########################################
-##
-## Do not audit attempts to search the staff
-## users home directory.
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-interface(`userdom_dontaudit_search_staff_home_dirs',`
- refpolicywarn(`$0($*) has been deprecated. Please use staff_dontaudit_search_home_dirs() instead.')
- staff_dontaudit_search_home_dirs($1)
+ dontaudit $1 user_home_t:dir search_dir_perms;
')
########################################
##
-## Create, read, write, and delete staff
-## home directories.
+## Create, read, write, and delete directories
+## in a user home subdirectory.
##
##
##
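Review bot: `userdom_user_home_domtrans` passes `user_home_t` as the entrypoint argument of `domain_auto_trans`, and `user_home_t` is the type that the interfaces later in this commit let user domains create and write, so, assuming `domain_auto_trans` carries its usual entrypoint semantics, `$2` is entered through files the user can author. The description mentions the lack of IPC rules but not this property, which is the main thing a caller needs to decide whether a transition is appropriate. Suggest adding to the description: `## The entrypoint is user-writable home content, so the target domain should not be trusted more than the user domain that invokes it.`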
@@ -4216,14 +1580,19 @@ interface(`userdom_dontaudit_search_staff_home_dirs',`
##
##
#
-interface(`userdom_manage_staff_home_dirs',`
- refpolicywarn(`$0($*) has been deprecated. Please use staff_manage_home_dirs() instead.')
- staff_manage_home_dirs($1)
+interface(`userdom_manage_user_home_content_dirs',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+ files_search_home($1)
')
########################################
##
-## Relabel to staff home directories.
+## Do not audit attempts to set the
+## attributes of user home files.
##
##
##
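Review bot: The summary of `userdom_manage_user_home_content_dirs` says "directories in a user home subdirectory", but the `manage_dirs_pattern` call uses `{ user_home_dir_t user_home_t }` as the directory set, so it also permits creating and deleting directories directly in the home directory root; the sibling `userdom_manage_user_home_content_files` later in this commit restricts its pattern to `user_home_t` and adds only `search_dir_perms` on `user_home_dir_t`. If the broader set is intended (users creating top-level subdirectories), the summary should say so, e.g. `## Create, read, write, and delete directories in a user home directory and its subdirectories.`; otherwise narrow the pattern to match the files variant.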
@@ -4231,30 +1600,17 @@ interface(`userdom_manage_staff_home_dirs',`
##
##
#
-interface(`userdom_relabelto_staff_home_dirs',`
- refpolicywarn(`$0($*) has been deprecated. Please use staff_relabelto_home_dirs() instead.')
- staff_relabelto_home_dirs($1)
-')
+interface(`userdom_dontaudit_setattr_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
-########################################
-##
-## Do not audit attempts to append to the staff
-## users home directory.
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-interface(`userdom_dontaudit_append_staff_home_content_files',`
- refpolicywarn(`$0($*) has been deprecated. Please use staff_dontaudit_append_home_content_files() instead.')
- staff_dontaudit_append_home_content_files($1)
+ dontaudit $1 user_home_t:file setattr;
')
########################################
##
-## Read files in the staff users home directory.
+## Mmap user home files.
##
##
##
@@ -4262,30 +1618,18 @@ interface(`userdom_dontaudit_append_staff_home_content_files',`
##
##
#
-interface(`userdom_read_staff_home_content_files',`
- refpolicywarn(`$0($*) has been deprecated. Please use staff_read_home_content_files() instead.')
- staff_read_home_content_files($1)
-')
+interface(`userdom_mmap_user_home_content_files',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
-########################################
-##
-## Send a SIGCHLD signal to sysadm users.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`userdom_sigchld_sysadm',`
- refpolicywarn(`$0($*) has been deprecated. Please use sysadm_sigchld() instead.')
- sysadm_sigchld($1)
+ mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+ files_search_home($1)
')
########################################
##
-## Do not audit attepts to get the attributes
-## of sysadm ttys.
+## Read user home files.
##
##
##
@@ -4293,29 +1637,37 @@ interface(`userdom_sigchld_sysadm',`
##
##
#
-interface(`userdom_dontaudit_getattr_sysadm_ttys',`
- refpolicywarn(`$0($*) has been deprecated. Please use sysadm_dontaudit_getattr_ttys() instead.')
- sysadm_dontaudit_getattr_ttys($1)
+interface(`userdom_read_user_home_content_files',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+ files_search_home($1)
')
########################################
##
-## Read and write sysadm ttys.
+## Do not audit attempts to read user home files.
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`userdom_use_sysadm_ttys',`
- refpolicywarn(`$0($*) has been deprecated. Please use sysadm_use_ttys() instead.')
- sysadm_use_ttys($1)
+interface(`userdom_dontaudit_read_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ dontaudit $1 user_home_t:dir list_dir_perms;
+ dontaudit $1 user_home_t:file read_file_perms;
')
########################################
##
-## Do not audit attempts to use sysadm ttys.
+## Do not audit attempts to append user home files.
##
##
##
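Review bot: `userdom_dontaudit_read_user_home_content_files` also suppresses `user_home_t:dir list_dir_perms` on its second `dontaudit` line, while the interface name and the summary `## Do not audit attempts to read user home files.` mention only files. Callers looking for a files-only dontaudit will not expect directory listing denials to disappear too; either document it, `## Do not audit attempts to read user home files or list user home content directories.`, or move the dir rule into a separate interface.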
@@ -4323,29 +1675,35 @@ interface(`userdom_use_sysadm_ttys',`
##
##
#
-interface(`userdom_dontaudit_use_sysadm_ttys',`
- refpolicywarn(`$0($*) has been deprecated. Please use sysadm_dontaudit_use_ttys() instead.')
- sysadm_dontaudit_use_ttys($1)
+interface(`userdom_dontaudit_append_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ dontaudit $1 user_home_t:file append;
')
########################################
##
-## Read and write sysadm ptys.
+## Do not audit attempts to write user home files.
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`userdom_use_sysadm_ptys',`
- refpolicywarn(`$0($*) has been deprecated. Please use sysadm_use_ptys() instead.')
- sysadm_use_ptys($1)
+interface(`userdom_dontaudit_write_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ dontaudit $1 user_home_t:file write;
')
########################################
##
-## Dont audit attempts to read and write sysadm ptys.
+## Do not audit attempts to write user home files.
##
##
##
@@ -4353,14 +1711,17 @@ interface(`userdom_use_sysadm_ptys',`
##
##
#
-interface(`userdom_dontaudit_use_sysadm_ptys',`
- refpolicywarn(`$0($*) has been deprecated. Please use sysadm_dontaudit_use_ptys() instead.')
- sysadm_dontaudit_use_ptys($1)
+interface(`userdom_dontaudit_relabel_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ dontaudit $1 user_home_t:file relabel_file_perms;
')
########################################
##
-## Read and write sysadm ttys and ptys.
+## Read user home subdirectory symbolic links.
##
##
##
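Review bot: The summary for `userdom_dontaudit_relabel_user_home_content_files` (the `## Do not audit attempts to write user home files.` line at the end of the preceding hunk) duplicates the summary of the write variant above it, while the body suppresses `relabel_file_perms`. Suggest `## Do not audit attempts to relabel user home files.`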
@@ -4368,29 +1729,46 @@ interface(`userdom_dontaudit_use_sysadm_ptys',`
##
##
#
-interface(`userdom_use_sysadm_terms',`
- refpolicywarn(`$0($*) has been deprecated. Please use sysadm_use_terms() instead.')
- sysadm_use_terms($1)
+interface(`userdom_read_user_home_content_symlinks',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+ files_search_home($1)
')
########################################
##
-## Do not audit attempts to use sysadm ttys and ptys.
+## Execute user home files.
##
##
##
-## Domain to not audit.
+## Domain allowed access.
##
##
+##
#
-interface(`userdom_dontaudit_use_sysadm_terms',`
- refpolicywarn(`$0($*) has been deprecated. Please use sysadm_dontaudit_use_terms() instead.')
- sysadm_dontaudit_use_terms($1)
+interface(`userdom_exec_user_home_content_files',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ files_search_home($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_exec_nfs_files($1)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_exec_cifs_files($1)
+ ')
')
########################################
##
-## Inherit and use sysadm file descriptors
+## Do not audit attempts to execute user home files.
##
##
##
@@ -4398,14 +1776,18 @@ interface(`userdom_dontaudit_use_sysadm_terms',`
##
##
#
-interface(`userdom_use_sysadm_fds',`
- refpolicywarn(`$0($*) has been deprecated. Please use sysadm_use_fds() instead.')
- sysadm_use_fds($1)
+interface(`userdom_dontaudit_exec_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ dontaudit $1 user_home_t:file execute;
')
########################################
##
-## Read and write sysadm user unnamed pipes.
+## Create, read, write, and delete files
+## in a user home subdirectory.
##
##
##
@@ -4413,15 +1795,20 @@ interface(`userdom_use_sysadm_fds',`
##
##
#
-interface(`userdom_rw_sysadm_pipes',`
- refpolicywarn(`$0($*) has been deprecated. Please use sysadm_rw_pipes() instead.')
- sysadm_rw_pipes($1)
+interface(`userdom_manage_user_home_content_files',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ manage_files_pattern($1, user_home_t, user_home_t)
+ allow $1 user_home_dir_t:dir search_dir_perms;
+ files_search_home($1)
')
########################################
##
-## Get the attributes of the sysadm users
-## home directory.
+## Do not audit attempts to create, read, write, and delete directories
+## in a user home subdirectory.
##
##
##
@@ -4429,166 +1816,188 @@ interface(`userdom_rw_sysadm_pipes',`
##
##
#
-interface(`userdom_getattr_sysadm_home_dirs',`
- refpolicywarn(`$0($*) has been deprecated. Please use sysadm_getattr_home_dirs() instead.')
- sysadm_getattr_home_dirs($1)
+interface(`userdom_dontaudit_manage_user_home_content_dirs',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ dontaudit $1 user_home_t:dir manage_dir_perms;
')
########################################
##
-## Do not audit attempts to get the
-## attributes of the sysadm users
-## home directory.
+## Create, read, write, and delete symbolic links
+## in a user home subdirectory.
##
##
##
-## Domain to not audit.
+## Domain allowed access.
##
##
#
-interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
- refpolicywarn(`$0($*) has been deprecated. Please use sysadm_dontaudit_getattr_home_dirs() instead.')
- sysadm_dontaudit_getattr_home_dirs($1)
+interface(`userdom_manage_user_home_content_symlinks',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ manage_lnk_files_pattern($1, user_home_t, user_home_t)
+ allow $1 user_home_dir_t:dir search_dir_perms;
+ files_search_home($1)
')
########################################
##
-## Search the sysadm users home directory.
+## Create, read, write, and delete named pipes
+## in a user home subdirectory.
##
##
##
-## Domain to not audit.
+## Domain allowed access.
##
##
#
-interface(`userdom_search_sysadm_home_dirs',`
- refpolicywarn(`$0($*) has been deprecated. Please use sysadm_search_home_dirs() instead.')
- sysadm_search_home_dirs($1)
+interface(`userdom_manage_user_home_content_pipes',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ manage_fifo_files_pattern($1, user_home_t, user_home_t)
+ allow $1 user_home_dir_t:dir search_dir_perms;
+ files_search_home($1)
')
########################################
##
-## Do not audit attempts to search the sysadm
-## users home directory.
+## Create, read, write, and delete named sockets
+## in a user home subdirectory.
##
##
##
-## Domain to not audit.
+## Domain allowed access.
##
##
#
-interface(`userdom_dontaudit_search_sysadm_home_dirs',`
- refpolicywarn(`$0($*) has been deprecated. Please use sysadm_dontaudit_search_home_dirs() instead.')
- sysadm_dontaudit_search_home_dirs($1)
+interface(`userdom_manage_user_home_content_sockets',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ allow $1 user_home_dir_t:dir search_dir_perms;
+ manage_sock_files_pattern($1, user_home_t, user_home_t)
+ files_search_home($1)
')
########################################
##
-## List the sysadm users home directory.
+## Create objects in a user home directory
+## with an automatic type transition to
+## a specified private type.
##
##
##
## Domain allowed access.
##
##
-#
-interface(`userdom_list_sysadm_home_dirs',`
- refpolicywarn(`$0($*) has been deprecated. Please use sysadm_list_home_dirs() instead.')
- sysadm_list_home_dirs($1)
-')
-
-########################################
-##
-## Do not audit attempts to list the sysadm
-## users home directory.
-##
-##
+##
##
-## Domain to not audit.
+## The type of the object to create.
##
##
-#
-interface(`userdom_dontaudit_list_sysadm_home_dirs',`
- refpolicywarn(`$0($*) has been deprecated. Please use sysadm_dontaudit_list_home_dirs() instead.')
- sysadm_dontaudit_list_home_dirs($1)
-')
-
-########################################
-##
-## Do not audit attempts to search the sysadm
-## users home directory.
-##
-##
+##
##
-## Domain to not audit.
+## The class of the object to be created.
##
##
#
-interface(`userdom_dontaudit_read_sysadm_home_content_files',`
- refpolicywarn(`$0($*) has been deprecated. Please use sysadm_dontaudit_read_home_content_files() instead.')
- sysadm_dontaudit_read_home_content_files($1)
+interface(`userdom_user_home_dir_filetrans',`
+ gen_require(`
+ type user_home_dir_t;
+ ')
+
+ filetrans_pattern($1, user_home_dir_t, $2, $3)
+ files_search_home($1)
')
########################################
##
-## Create objects in sysadm home directories
-## with automatic file type transition.
+## Create objects in a user home directory
+## with an automatic type transition to
+## a specified private type.
##
##
##
## Domain allowed access.
##
##
-##
+##
##
-## The type of the object to be created.
+## The type of the object to create.
##
##
##
##
## The class of the object to be created.
-## If not specified, file is used.
##
##
#
-interface(`userdom_sysadm_home_dir_filetrans',`
- refpolicywarn(`$0($*) has been deprecated. Please use sysadm_home_dir_filetrans() instead.')
- sysadm_home_dir_filetrans($1,$2,$3)
+interface(`userdom_user_home_content_filetrans',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ filetrans_pattern($1, user_home_t, $2, $3)
+ allow $1 user_home_dir_t:dir search_dir_perms;
+ files_search_home($1)
')
########################################
##
-## Search the sysadm users home sub directories.
+## Create objects in a user home directory
+## with an automatic type transition to
+## the user home file type.
##
##
##
-## Domain to not audit.
+## Domain allowed access.
+##
+##
+##
+##
+## The class of the object to be created.
##
##
#
-interface(`userdom_search_sysadm_home_content_dirs',`
- refpolicywarn(`$0($*) has been deprecated. Please use sysadm_search_home_content_dirs() instead.')
- sysadm_search_home_content_dirs($1)
+interface(`userdom_user_home_dir_filetrans_user_home_content',`
+ gen_require(`
+ type user_home_dir_t, user_home_t;
+ ')
+
+ filetrans_pattern($1, user_home_dir_t, user_home_t, $2)
+ files_search_home($1)
')
########################################
##
-## Read files in the sysadm users home directory.
+## Write to user temporary named sockets.
##
##
##
-## Domain allowed access.
+## Domain allowed access.
##
##
#
-interface(`userdom_read_sysadm_home_content_files',`
- refpolicywarn(`$0($*) has been deprecated. Please use sysadm_read_home_content_files() instead.')
- sysadm_read_home_content_files($1)
+interface(`userdom_write_user_tmp_sockets',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ allow $1 user_tmp_t:sock_file write;
+ files_search_tmp($1)
')
########################################
##
-## Read sysadm temporary files.
+## List user temporary directories.
##
##
##
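Review bot: `userdom_dontaudit_manage_user_home_content_dirs` requires `type user_home_dir_t, user_home_t;` but its only rule references `user_home_t`, so the `user_home_dir_t` requirement is dead; suggest `type user_home_t;` as the sibling dontaudit interfaces in this commit do. In the same hunk the summary of `userdom_user_home_content_filetrans` is identical to that of `userdom_user_home_dir_filetrans`, although its `filetrans_pattern` source is `user_home_t` rather than `user_home_dir_t`; `## Create objects in a user home subdirectory` would distinguish the two. `userdom_manage_user_home_content_sockets` also places its `allow ... search_dir_perms` line before the pattern call, unlike the symlink and pipe variants beside it.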
@@ -4596,52 +2005,56 @@ interface(`userdom_read_sysadm_home_content_files',`
##
##
#
-interface(`userdom_read_sysadm_tmp_files',`
- refpolicywarn(`$0($*) has been deprecated. Please use sysadm_read_tmp_files() instead.')
- sysadm_read_tmp_files($1)
+interface(`userdom_list_user_tmp',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ allow $1 user_tmp_t:dir list_dir_perms;
+ files_search_tmp($1)
')
########################################
##
-## Search all users home directories.
+## Do not audit attempts to list user
+## temporary directories.
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`userdom_search_all_users_home_dirs',`
+interface(`userdom_dontaudit_list_user_tmp',`
gen_require(`
- attribute home_dir_type;
+ type user_tmp_t;
')
- files_list_home($1)
- allow $1 home_dir_type:dir search_dir_perms;
+ dontaudit $1 user_tmp_t:dir list_dir_perms;
')
########################################
##
-## List all users home directories.
+## Do not audit attempts to manage users
+## temporary directories.
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`userdom_list_all_users_home_dirs',`
+interface(`userdom_dontaudit_manage_user_tmp_dirs',`
gen_require(`
- attribute home_dir_type;
+ type user_tmp_t;
')
- files_list_home($1)
- allow $1 home_dir_type:dir list_dir_perms;
+ dontaudit $1 user_tmp_t:dir manage_dir_perms;
')
########################################
##
-## Search all users home directories.
+## Read user temporary files.
##
##
##
@@ -4649,18 +2062,20 @@ interface(`userdom_list_all_users_home_dirs',`
##
##
#
-interface(`userdom_search_all_users_home_content',`
+interface(`userdom_read_user_tmp_files',`
gen_require(`
- attribute home_dir_type, home_type;
+ type user_tmp_t;
')
- files_list_home($1)
- allow $1 { home_dir_type home_type }:dir search_dir_perms;
+ read_files_pattern($1, user_tmp_t, user_tmp_t)
+ allow $1 user_tmp_t:dir list_dir_perms;
+ files_search_tmp($1)
')
########################################
##
-## Do not audit attempts to search all users home directories.
+## Do not audit attempts to read users
+## temporary files.
##
##
##
@@ -4668,38 +2083,36 @@ interface(`userdom_search_all_users_home_content',`
##
##
#
-interface(`userdom_dontaudit_search_all_users_home_content',`
+interface(`userdom_dontaudit_read_user_tmp_files',`
gen_require(`
- attribute home_dir_type, home_type;
+ type user_tmp_t;
')
- dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
+ dontaudit $1 user_tmp_t:file read_file_perms;
')
########################################
##
-## Read all files in all users home directories.
+## Do not audit attempts to append users
+## temporary files.
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`userdom_read_all_users_home_content_files',`
+interface(`userdom_dontaudit_append_user_tmp_files',`
gen_require(`
- attribute home_type;
+ type user_tmp_t;
')
- files_list_home($1)
- allow $1 home_type:dir list_dir_perms;
- read_files_pattern($1,home_type,home_type)
+ dontaudit $1 user_tmp_t:file append;
')
########################################
##
-## Create, read, write, and delete all directories
-## in all users home directories.
+## Read and write user temporary files.
##
##
##
@@ -4707,39 +2120,38 @@ interface(`userdom_read_all_users_home_content_files',`
##
##
#
-interface(`userdom_manage_all_users_home_content_dirs',`
+interface(`userdom_rw_user_tmp_files',`
gen_require(`
- attribute home_type;
+ type user_tmp_t;
')
- files_list_home($1)
- allow $1 home_type:dir manage_dir_perms;
+ allow $1 user_tmp_t:dir list_dir_perms;
+ rw_files_pattern($1, user_tmp_t, user_tmp_t)
+ files_search_tmp($1)
')
########################################
##
-## Create, read, write, and delete all files
-## in all users home directories.
+## Do not audit attempts to manage users
+## temporary files.
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`userdom_manage_all_users_home_content_files',`
+interface(`userdom_dontaudit_manage_user_tmp_files',`
gen_require(`
- attribute home_type;
+ type user_tmp_t;
')
- files_list_home($1)
- manage_files_pattern($1,home_type,home_type)
+ dontaudit $1 user_tmp_t:file manage_file_perms;
')
########################################
##
-## Create, read, write, and delete all symlinks
-## in all users home directories.
+## Read user temporary symbolic links.
##
##
##
@@ -4747,47 +2159,40 @@ interface(`userdom_manage_all_users_home_content_files',`
##
##
#
-interface(`userdom_manage_all_users_home_content_symlinks',`
+interface(`userdom_read_user_tmp_symlinks',`
gen_require(`
- attribute home_type;
+ type user_tmp_t;
')
- files_list_home($1)
- manage_lnk_files_pattern($1,home_type,home_type)
+ read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
+ allow $1 user_tmp_t:dir list_dir_perms;
+ files_search_tmp($1)
')
########################################
##
-## Make the specified domain a privileged
-## home directory manager.
+## Create, read, write, and delete user
+## temporary directories.
##
-##
-##
-## Make the specified domain a privileged
-## home directory manager. This domain will be
-## able to manage the contents of all users
-## general home directory content, and create
-## files with the correct context.
-##
-##
##
##
## Domain allowed access.
##
##
#
-interface(`userdom_priveleged_home_dir_manager',`
+interface(`userdom_manage_user_tmp_dirs',`
gen_require(`
- attribute privhome;
+ type user_tmp_t;
')
- files_list_home($1)
- typeattribute $1 privhome;
+ manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
+ files_search_tmp($1)
')
########################################
##
-## Send general signals to unprivileged user domains.
+## Create, read, write, and delete user
+## temporary files.
##
##
##
@@ -4795,17 +2200,19 @@ interface(`userdom_priveleged_home_dir_manager',`
##
##
#
-interface(`userdom_signal_unpriv_users',`
+interface(`userdom_manage_user_tmp_files',`
gen_require(`
- attribute unpriv_userdomain;
+ type user_tmp_t;
')
- allow $1 unpriv_userdomain:process signal;
+ manage_files_pattern($1, user_tmp_t, user_tmp_t)
+ files_search_tmp($1)
')
########################################
##
-## Inherit the file descriptors from unprivileged user domains.
+## Create, read, write, and delete user
+## temporary symbolic links.
##
##
##
@@ -4813,18 +2220,19 @@ interface(`userdom_signal_unpriv_users',`
##
##
#
-interface(`userdom_use_unpriv_users_fds',`
+interface(`userdom_manage_user_tmp_symlinks',`
gen_require(`
- attribute unpriv_userdomain;
+ type user_tmp_t;
')
- allow $1 unpriv_userdomain:fd use;
+ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
+ files_search_tmp($1)
')
########################################
##
-## Do not audit attempts to inherit the
-## file descriptors from all user domains.
+## Create, read, write, and delete user
+## temporary named pipes.
##
##
##
@@ -4832,18 +2240,19 @@ interface(`userdom_use_unpriv_users_fds',`
##
##
#
-interface(`userdom_dontaudit_use_unpriv_user_fds',`
+interface(`userdom_manage_user_tmp_pipes',`
gen_require(`
- attribute unpriv_userdomain;
+ type user_tmp_t;
')
- dontaudit $1 unpriv_userdomain:fd use;
+ manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
+ files_search_tmp($1)
')
########################################
##
-## Create generic user home directories
-## with automatic file type transition.
+## Create, read, write, and delete user
+## temporary named sockets.
##
##
##
@@ -4851,30 +2260,51 @@ interface(`userdom_dontaudit_use_unpriv_user_fds',`
##
##
#
-interface(`userdom_home_filetrans_generic_user_home_dir',`
- refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_home_filetrans_home_dir() instead.')
- unprivuser_home_filetrans_home_dir($1)
+interface(`userdom_manage_user_tmp_sockets',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
+ files_search_tmp($1)
')
########################################
##
-## Search generic user home directories.
+## Create objects in a user temporary directory
+## with an automatic type transition to
+## a specified private type.
##
##
##
## Domain allowed access.
##
##
+##
+##
+## The type of the object to create.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
#
-interface(`userdom_search_generic_user_home_dirs',`
- refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_search_home_dirs() instead.')
- unprivuser_search_home_dirs($1)
+interface(`userdom_user_tmp_filetrans',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ filetrans_pattern($1, user_tmp_t, $2, $3)
+ files_search_tmp($1)
')
########################################
##
-## Create objects in generic user home directories
-## with automatic file type transition.
+## Create objects in the temporary directory
+## with an automatic type transition to
+## the user temporary type.
##
##
##
@@ -4884,18 +2314,20 @@ interface(`userdom_search_generic_user_home_dirs',`
##
##
## The class of the object to be created.
-## If not specified, file is used.
##
##
#
-interface(`userdom_generic_user_home_dir_filetrans_generic_user_home_content',`
- refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_home_dir_filetrans_home_content() instead.')
- unprivuser_home_dir_filetrans_home_content($1, $2)
+interface(`userdom_tmp_filetrans_user_tmp',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ files_tmp_filetrans($1, user_tmp_t, $2)
')
########################################
##
-## Don't audit search on the user home subdirectory.
+## Read user tmpfs files.
##
##
##
@@ -4903,15 +2335,20 @@ interface(`userdom_generic_user_home_dir_filetrans_generic_user_home_content',`
##
##
#
-interface(`userdom_dontaudit_search_generic_user_home_dirs',`
- refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_dontaudit_search_home_dirs() instead.')
- unprivuser_dontaudit_search_home_dirs($1)
+interface(`userdom_rw_user_tmpfs_files',`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+
+ rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+ allow $1 user_tmpfs_t:dir list_dir_perms;
+ fs_search_tmpfs($1)
')
########################################
##
-## Create, read, write, and delete generic user
-## home directories.
+## Get the attributes of a user domain tty.
##
##
##
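Review bot: The summary of `userdom_rw_user_tmpfs_files` (the `## Read user tmpfs files.` line at the end of the preceding hunk) understates the grant: the body uses `rw_files_pattern`, so write access is included, and it also grants `list_dir_perms` on `user_tmpfs_t` directories. Suggest `## Read and write user tmpfs files.` to match the interface name.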
@@ -4919,16 +2356,17 @@ interface(`userdom_dontaudit_search_generic_user_home_dirs',`
##
##
#
-interface(`userdom_manage_generic_user_home_dirs',`
- refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_manage_home_dirs() instead.')
- unprivuser_manage_home_dirs($1)
+interface(`userdom_getattr_user_ttys',`
+ gen_require(`
+ type user_tty_device_t;
+ ')
+
+ allow $1 user_tty_device_t:chr_file getattr;
')
########################################
##
-## Create, read, write, and delete
-## subdirectories of generic user
-## home directories.
+## Do not audit attempts to get the attributes of a user domain tty.
##
##
##
@@ -4936,14 +2374,17 @@ interface(`userdom_manage_generic_user_home_dirs',`
##
##
#
-interface(`userdom_manage_generic_user_home_content_dirs',`
- refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_manage_home_content_dirs() instead.')
- unprivuser_manage_home_content_dirs($1)
+interface(`userdom_dontaudit_getattr_user_ttys',`
+ gen_require(`
+ type user_tty_device_t;
+ ')
+
+ dontaudit $1 user_tty_device_t:chr_file getattr;
')
########################################
##
-## Relabel to generic user home directories.
+## Set the attributes of a user domain tty.
##
##
##
@@ -4951,14 +2392,17 @@ interface(`userdom_manage_generic_user_home_content_dirs',`
##
##
#
-interface(`userdom_relabelto_generic_user_home_dirs',`
- refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_relabelto_home_dirs() instead.')
- unprivuser_relabelto_home_dirs($1)
+interface(`userdom_setattr_user_ttys',`
+ gen_require(`
+ type user_tty_device_t;
+ ')
+
+ allow $1 user_tty_device_t:chr_file setattr;
')
########################################
##
-## Read files in generic user home directories.
+## Do not audit attempts to set the attributes of a user domain tty.
##
##
##
@@ -4966,15 +2410,17 @@ interface(`userdom_relabelto_generic_user_home_dirs',`
##
##
#
-interface(`userdom_read_generic_user_home_content_files',`
- refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_read_home_content_files() instead.')
- unprivuser_read_home_content_files($1)
+interface(`userdom_dontaudit_setattr_user_ttys',`
+ gen_require(`
+ type user_tty_device_t;
+ ')
+
+ dontaudit $1 user_tty_device_t:chr_file setattr;
')
########################################
##
-## Mmap of generic user
-## home files.
+## Read and write a user domain tty.
##
##
##
@@ -4982,15 +2428,17 @@ interface(`userdom_read_generic_user_home_content_files',`
##
##
#
-interface(`userdom_mmap_generic_user_home_content_files',`
- refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_mmap_home_content_files() instead.')
- unprivuser_mmap_home_content_files($1)
+interface(`userdom_use_user_ttys',`
+ gen_require(`
+ type user_tty_device_t;
+ ')
+
+ allow $1 user_tty_device_t:chr_file rw_term_perms;
')
########################################
##
-## Create, read, write, and delete files
-## in generic user home directories.
+## Read and write a user domain pty.
##
##
##
@@ -4998,15 +2446,17 @@ interface(`userdom_mmap_generic_user_home_content_files',`
##
##
#
-interface(`userdom_manage_generic_user_home_content_files',`
- refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_manage_home_content_files() instead.')
- unprivuser_manage_home_content_files($1)
+interface(`userdom_use_user_ptys',`
+ gen_require(`
+ type user_devpts_t;
+ ')
+
+ allow $1 user_devpts_t:chr_file rw_term_perms;
')
########################################
##
-## Do not audit attempts to relabel generic user
-## home files.
+## Read and write a user domain tty and pty.
##
##
##
@@ -5014,15 +2464,20 @@ interface(`userdom_manage_generic_user_home_content_files',`
##
##
#
-interface(`userdom_dontaudit_relabel_generic_user_home_content_files',`
- refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_dontaudit_relabel_home_content_files() instead.')
- unprivuser_dontaudit_relabel_home_content_files($1)
+interface(`userdom_use_user_terminals',`
+ gen_require(`
+ type user_tty_device_t, user_devpts_t;
+ ')
+
+ allow $1 user_tty_device_t:chr_file rw_term_perms;
+ allow $1 user_devpts_t:chr_file rw_term_perms;
+ term_list_ptys($1)
')
########################################
##
-## Create, read, write, and delete symbolic
-## links in generic user home directories.
+## Do not audit attempts to read and write
+## a user domain tty and pty.
##
##
##
@@ -5030,15 +2485,20 @@ interface(`userdom_dontaudit_relabel_generic_user_home_content_files',`
##
##
#
-interface(`userdom_manage_generic_user_home_content_symlinks',`
- refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_manage_home_content_symlinks() instead.')
- unprivuser_manage_home_content_symlinks($1)
+interface(`userdom_dontaudit_use_user_terminals',`
+ gen_require(`
+ type user_tty_device_t, user_devpts_t;
+ ')
+
+ dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
+ dontaudit $1 user_devpts_t:chr_file rw_term_perms;
')
########################################
##
-## Create, read, write, and delete named
-## pipes in generic user home directories.
+## Execute a shell in all user domains. This
+## is an explicit transition, requiring the
+## caller to use setexeccon().
##
##
##
@@ -5046,15 +2506,22 @@ interface(`userdom_manage_generic_user_home_content_symlinks',`
##
##
#
-interface(`userdom_manage_generic_user_home_content_pipes',`
- refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_manage_home_content_pipes() instead.')
- unprivuser_manage_home_content_pipes($1)
+interface(`userdom_spec_domtrans_all_users',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ corecmd_shell_spec_domtrans($1,userdomain)
+ allow userdomain $1:fd use;
+ allow userdomain $1:fifo_file rw_file_perms;
+ allow userdomain $1:process sigchld;
')
########################################
##
-## Create, read, write, and delete named
-## sockets in generic user home directories.
+## Execute an Xserver session in all unprivileged user domains. This
+## is an explicit transition, requiring the
+## caller to use setexeccon().
##
##
##
@@ -5062,14 +2529,22 @@ interface(`userdom_manage_generic_user_home_content_pipes',`
##
##
#
-interface(`userdom_manage_generic_user_home_content_sockets',`
- refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_manage_home_content_sockets() instead.')
- unprivuser_manage_home_content_sockets($1)
+interface(`userdom_xsession_spec_domtrans_all_users',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ xserver_xsession_spec_domtrans($1,userdomain)
+ allow userdomain $1:fd use;
+ allow userdomain $1:fifo_file rw_file_perms;
+ allow userdomain $1:process sigchld;
')
########################################
##
-## Search all unprivileged users home directories.
+## Execute a shell in all unprivileged user domains. This
+## is an explicit transition, requiring the
+## caller to use setexeccon().
##
##
##
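Review bot: The summary on the new `userdom_xsession_spec_domtrans_all_users` says "in all unprivileged user domains", but the interface requires `attribute userdomain` and calls `xserver_xsession_spec_domtrans($1,userdomain)`, so the caller can land an X session in every user domain, the privileged ones included. The sibling `userdom_spec_domtrans_all_users` just above is described correctly as "all user domains". Suggested first header line: `## Execute an Xserver session in all user domains. This`, with the following two lines unchanged. Since this interface is exactly the kind of thing a reviewer of a login manager's policy checks, the summary should not understate its reach.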
@@ -5077,19 +2552,22 @@ interface(`userdom_manage_generic_user_home_content_sockets',`
##
##
#
-interface(`userdom_search_unpriv_users_home_dirs',`
+interface(`userdom_spec_domtrans_unpriv_users',`
gen_require(`
- attribute user_home_dir_type;
+ attribute unpriv_userdomain;
')
- files_search_home($1)
- allow $1 user_home_dir_type:dir search_dir_perms;
+ corecmd_shell_spec_domtrans($1,unpriv_userdomain)
+ allow unpriv_userdomain $1:fd use;
+ allow unpriv_userdomain $1:fifo_file rw_file_perms;
+ allow unpriv_userdomain $1:process sigchld;
')
########################################
##
-## Read all unprivileged users home directory
-## files.
+## Execute an Xserver session in all unprivileged user domains. This
+## is an explicit transition, requiring the
+## caller to use setexeccon().
##
##
##
@@ -5097,21 +2575,20 @@ interface(`userdom_search_unpriv_users_home_dirs',`
##
##
#
-interface(`userdom_read_unpriv_users_home_content_files',`
+interface(`userdom_xsession_spec_domtrans_unpriv_users',`
gen_require(`
- attribute user_home_dir_type, user_home_type;
+ attribute unpriv_userdomain;
')
- files_search_home($1)
- allow $1 user_home_type:dir list_dir_perms;
- read_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
- read_lnk_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
+ xserver_xsession_spec_domtrans($1,unpriv_userdomain)
+ allow unpriv_userdomain $1:fd use;
+ allow unpriv_userdomain $1:fifo_file rw_file_perms;
+ allow unpriv_userdomain $1:process sigchld;
')
########################################
##
-## Create, read, write, and delete directories in
-## unprivileged users home directories.
+## Manage unpriviledged user SysV sempaphores.
##
##
##
@@ -5119,19 +2596,18 @@ interface(`userdom_read_unpriv_users_home_content_files',`
##
##
#
-interface(`userdom_manage_unpriv_users_home_content_dirs',`
+interface(`userdom_manage_unpriv_user_semaphores',`
gen_require(`
- attribute user_home_dir_type, user_home_type;
+ attribute unpriv_userdomain;
')
- files_search_home($1)
- manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
+ allow $1 unpriv_userdomain:sem create_sem_perms;
')
########################################
##
-## Create, read, write, and delete files in
-## unprivileged users home directories.
+## Manage unpriviledged user SysV shared
+## memory segments.
##
##
##
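Review bot: The summary of `userdom_manage_unpriv_user_semaphores` has two misspellings: `## Manage unpriviledged user SysV sempaphores.` should read `## Manage unprivileged user SysV semaphores.`. The same `unpriviledged` spelling recurs in the header of the next interface (`userdom_manage_unpriv_user_shared_mem`) and is best fixed in the same pass, since these headers are what the generated interface documentation shows.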
@@ -5139,18 +2615,19 @@ interface(`userdom_manage_unpriv_users_home_content_dirs',`
##
##
#
-interface(`userdom_manage_unpriv_users_home_content_files',`
+interface(`userdom_manage_unpriv_user_shared_mem',`
gen_require(`
- attribute user_home_dir_type, user_home_type;
+ attribute unpriv_userdomain;
')
- files_search_home($1)
- manage_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
+ allow $1 unpriv_userdomain:shm create_shm_perms;
')
########################################
##
-## Set the attributes of user ptys.
+## Execute bin_t in the unprivileged user domains. This
+## is an explicit transition, requiring the
+## caller to use setexeccon().
##
##
##
@@ -5158,17 +2635,22 @@ interface(`userdom_manage_unpriv_users_home_content_files',`
##
##
#
-interface(`userdom_setattr_unpriv_users_ptys',`
+interface(`userdom_bin_spec_domtrans_unpriv_users',`
gen_require(`
- attribute user_ptynode;
+ attribute unpriv_userdomain;
')
- allow $1 user_ptynode:chr_file setattr;
+ corecmd_bin_spec_domtrans($1,unpriv_userdomain)
+ allow unpriv_userdomain $1:fd use;
+ allow unpriv_userdomain $1:fifo_file rw_file_perms;
+ allow unpriv_userdomain $1:process sigchld;
')
########################################
##
-## Read and write unprivileged user ptys.
+## Execute all entrypoint files in unprivileged user
+## domains. This is an explicit transition, requiring the
+## caller to use setexeccon().
##
##
##
@@ -5176,37 +2658,39 @@ interface(`userdom_setattr_unpriv_users_ptys',`
##
##
#
-interface(`userdom_use_unpriv_users_ptys',`
+interface(`userdom_entry_spec_domtrans_unpriv_users',`
gen_require(`
- attribute user_ptynode;
+ attribute unpriv_userdomain;
')
- term_search_ptys($1)
- allow $1 user_ptynode:chr_file rw_file_perms;
+ domain_entry_file_spec_domtrans($1,unpriv_userdomain)
+ allow unpriv_userdomain $1:fd use;
+ allow unpriv_userdomain $1:fifo_file rw_file_perms;
+ allow unpriv_userdomain $1:process sigchld;
')
########################################
##
-## Do not audit attempts to use unprivileged
-## user ptys.
+## Search users home directories.
##
##
##
-## Domain to not audit.
+## Domain allowed access.
##
##
#
-interface(`userdom_dontaudit_use_unpriv_users_ptys',`
+interface(`userdom_search_user_home_content',`
gen_require(`
- attribute user_ptynode;
+ type user_home_dir_t, user_home_t;
')
- dontaudit $1 user_ptynode:chr_file rw_file_perms;
+ files_list_home($1)
+ allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
')
########################################
##
-## Relabel files to unprivileged user pty types.
+## Send general signals to unprivileged user domains.
##
##
##
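Review bot: `userdom_search_user_home_content` grants more than its name and summary promise: `files_list_home($1)` lets the caller read the directory listing of /home (every account name), whereas the `userdom_search_unpriv_users_home_dirs` it replaces used `files_search_home($1)`, which only permits path traversal. If listing is not intended, `files_search_home($1)` is the least-privilege choice; if it is intended, say so in the header, e.g. `## List /home and search users home directories and their contents.`. Note also that `user_home_dir_t` is made an alias of the sysadm, secadm and auditadm home directory types by this same commit (userdomain.te), so this search now reaches administrator home directories too, with only UBAC, when enabled, separating them.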
@@ -5214,18 +2698,17 @@ interface(`userdom_dontaudit_use_unpriv_users_ptys',`
##
##
#
-interface(`userdom_relabelto_unpriv_users_ptys',`
+interface(`userdom_signal_unpriv_users',`
gen_require(`
- attribute user_ptynode;
+ attribute unpriv_userdomain;
')
- allow $1 user_ptynode:chr_file relabelto;
+ allow $1 unpriv_userdomain:process signal;
')
########################################
##
-## Do not audit attempts to relabel files from
-## unprivileged user pty types.
+## Inherit the file descriptors from unprivileged user domains.
##
##
##
@@ -5233,17 +2716,18 @@ interface(`userdom_relabelto_unpriv_users_ptys',`
##
##
#
-interface(`userdom_dontaudit_relabelfrom_unpriv_users_ptys',`
+interface(`userdom_use_unpriv_users_fds',`
gen_require(`
- attribute user_ptynode;
+ attribute unpriv_userdomain;
')
- dontaudit $1 user_ptynode:chr_file relabelfrom;
+ allow $1 unpriv_userdomain:fd use;
')
########################################
##
-## Read all unprivileged users temporary directories.
+## Do not audit attempts to inherit the
+## file descriptors from all user domains.
##
##
##
@@ -5251,35 +2735,35 @@ interface(`userdom_dontaudit_relabelfrom_unpriv_users_ptys',`
##
##
#
-interface(`userdom_list_unpriv_users_tmp',`
+interface(`userdom_dontaudit_use_unpriv_user_fds',`
gen_require(`
- attribute user_tmpfile;
+ attribute unpriv_userdomain;
')
- allow $1 user_tmpfile:dir list_dir_perms;
+ dontaudit $1 unpriv_userdomain:fd use;
')
########################################
##
-## Read all unprivileged users temporary files.
+## Do not audit attempts to use user ptys.
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`userdom_read_unpriv_users_tmp_files',`
+interface(`userdom_dontaudit_use_user_ptys',`
gen_require(`
- attribute user_tmpfile;
+ type user_devpts_t;
')
- allow $1 user_tmpfile:file read_file_perms;
+ dontaudit $1 user_devpts_t:chr_file rw_file_perms;
')
########################################
##
-## Read all unprivileged users temporary symbolic links.
+## Relabel files to unprivileged user pty types.
##
##
##
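Review bot: `userdom_dontaudit_use_user_ptys` silences `rw_file_perms` on `user_devpts_t`, while the matching allow in `userdom_use_user_ptys` grants `rw_term_perms`; unless I misread refpolicy's permission sets, `rw_file_perms` is the wider set (it includes `lock`), so the dontaudit also hides denials of permissions the allow interface never grants, which can mask a misbehaving caller. Using the same set on both sides, `dontaudit $1 user_devpts_t:chr_file rw_term_perms;`, keeps the audit trail aligned with what is actually permitted, as `userdom_dontaudit_use_user_terminals` earlier in this file already does.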
@@ -5287,17 +2771,18 @@ interface(`userdom_read_unpriv_users_tmp_files',`
##
##
#
-interface(`userdom_read_unpriv_users_tmp_symlinks',`
+interface(`userdom_relabelto_user_ptys',`
gen_require(`
- attribute user_tmpfile;
+ type user_devpts_t;
')
- allow $1 user_tmpfile:lnk_file { getattr read };
+ allow $1 user_devpts_t:chr_file relabelto;
')
########################################
##
-## Write all unprivileged users files in /tmp
+## Do not audit attempts to relabel files from
+## user pty types.
##
##
##
@@ -5305,17 +2790,17 @@ interface(`userdom_read_unpriv_users_tmp_symlinks',`
##
##
#
-interface(`userdom_write_unpriv_users_tmp_files',`
+interface(`userdom_dontaudit_relabelfrom_user_ptys',`
gen_require(`
- attribute user_tmpfile;
+ type user_devpts_t;
')
- allow $1 user_tmpfile:file write_file_perms;
+ dontaudit $1 user_devpts_t:chr_file relabelfrom;
')
########################################
##
-## Read and write unprivileged user ttys.
+## Write all users files in /tmp
##
##
##
@@ -5323,18 +2808,17 @@ interface(`userdom_write_unpriv_users_tmp_files',`
##
##
#
-interface(`userdom_use_unpriv_users_ttys',`
+interface(`userdom_write_user_tmp_files',`
gen_require(`
- attribute user_ttynode;
+ type user_tmp_t;
')
- allow $1 user_ttynode:chr_file rw_term_perms;
+ allow $1 user_tmp_t:file write_file_perms;
')
########################################
##
-## Do not audit attempts to use unprivileged
-## user ttys.
+## Do not audit attempts to use user ttys.
##
##
##
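Review bot: `userdom_write_user_tmp_files` hands out write access to `user_tmp_t`, which this same commit makes an alias of `sysadm_tmp_t`, `secadm_tmp_t` and `auditadm_tmp_t` (userdomain.te), so every caller of the unprivileged-only interface it replaces now also writes administrator temporary files; the type system no longer separates them, and only UBAC, when built with `UBAC=y`, approximates the old boundary. That widening deserves a sentence in the summary so it is granted knowingly, e.g. `## Write all users files in /tmp, including those of` / `## administrative users; separation relies on UBAC when enabled.`. Whether each existing caller still needs this interface after the change is a question for the callers, not this hunk.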
@@ -5342,12 +2826,12 @@ interface(`userdom_use_unpriv_users_ttys',`
##
##
#
-interface(`userdom_dontaudit_use_unpriv_users_ttys',`
+interface(`userdom_dontaudit_use_user_ttys',`
gen_require(`
- attribute user_ttynode;
+ type user_tty_device_t;
')
- dontaudit $1 user_ttynode:chr_file rw_file_perms;
+ dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
')
########################################
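Review bot: `userdom_dontaudit_use_user_ttys` silences `rw_file_perms` on `user_tty_device_t`, but the corresponding allow in `userdom_use_user_ttys` grants only `rw_term_perms`, so denials of permissions that are never granted (such as `lock`, if I read the permission sets correctly) are hidden as well. Matching the allow side, `dontaudit $1 user_tty_device_t:chr_file rw_term_perms;`, keeps dontaudit rules from masking anything the policy would not permit anyway.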
@@ -5496,17 +2980,3 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
-
-########################################
-##
-## Unconfined access to user domains. (Deprecated)
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`userdom_unconfined',`
- refpolicywarn(`$0($*) has been deprecated.')
-')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index f53a5de..201c359 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain, 3.2.0)
+policy_module(userdomain, 4.0.0)
########################################
#
@@ -49,33 +49,6 @@ gen_tunable(user_rw_noexattrfile,false)
##
gen_tunable(user_ttyfile_stat,false)
-# admin users terminals (tty and pty)
-attribute admin_terminal;
-
-# users home directory
-attribute home_dir_type;
-
-# users home directory contents
-attribute home_type;
-
-# The privhome attribute identifies every domain that can create files under
-# regular user home directories in the regular context (IE act on behalf of
-# a user in writing regular files)
-attribute privhome;
-
-# all unprivileged users home directories
-attribute user_home_dir_type;
-attribute user_home_type;
-
-# all unprivileged users ptys
-attribute user_ptynode;
-
-# all unprivileged users tmp files
-attribute user_tmpfile;
-
-# all unprivileged users ttys
-attribute user_ttynode;
-
# all user domains
attribute userdomain;
@@ -84,3 +57,41 @@ attribute unpriv_userdomain;
attribute untrusted_content_type;
attribute untrusted_content_tmp_type;
+
+type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
+fs_associate_tmpfs(user_home_dir_t)
+files_type(user_home_dir_t)
+files_mountpoint(user_home_dir_t)
+files_associate_tmp(user_home_dir_t)
+files_poly(user_home_dir_t)
+files_poly_member(user_home_dir_t)
+files_poly_parent(user_home_dir_t)
+ubac_constrained(user_home_dir_t)
+
+type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
+typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
+userdom_user_home_content(user_home_t)
+fs_associate_tmpfs(user_home_t)
+files_associate_tmp(user_home_t)
+files_poly_member(user_home_t)
+files_poly_parent(user_home_t)
+files_mountpoint(user_home_t)
+ubac_constrained(user_home_t)
+
+type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
+dev_node(user_devpts_t)
+files_type(user_devpts_t)
+ubac_constrained(user_devpts_t)
+
+type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
+typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
+files_tmp_file(user_tmp_t)
+userdom_user_home_content(user_tmp_t)
+
+type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
+files_tmpfs_file(user_tmpfs_t)
+userdom_user_home_content(user_tmpfs_t)
+
+type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
+dev_node(user_tty_device_t)
+ubac_constrained(user_tty_device_t)
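Review bot: `user_tmp_t` and `user_tmpfs_t` are the only two of the seven new types not marked `ubac_constrained()` directly, while the other five get it explicitly even though `user_home_t` also goes through `userdom_user_home_content()`. If `userdom_user_home_content()` applies the UBAC constraint itself (not visible in this diff), the explicit call on `user_home_t` is redundant; if it does not, users' /tmp and tmpfs files sit outside the user-based separation this commit introduces, which would be a real gap since /tmp is the classic cross-user sharing point. Adding `ubac_constrained(user_tmp_t)` and `ubac_constrained(user_tmpfs_t)` here, or a comment stating where the constraint comes from, would settle it. A one-line comment above the alias lists, e.g. `# per-role home, tmp and terminal types are collapsed into one; role separation now relies on UBAC`, would also help readers of the long `alias { ... }` lines.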
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index 9e95995..80caa8b 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -1,5 +1,5 @@
-policy_module(xen, 1.7.0)
+policy_module(xen, 1.7.1)
########################################
#
@@ -201,12 +201,12 @@ sysnet_delete_dhcpc_pid(xend_t)
sysnet_read_dhcpc_pid(xend_t)
sysnet_rw_dhcp_config(xend_t)
+userdom_dontaudit_search_user_home_dirs(xend_t)
+
xen_stream_connect_xenstore(xend_t)
netutils_domtrans(xend_t)
-sysadm_dontaudit_search_home_dirs(xend_t)
-
optional_policy(`
consoletype_exec(xend_t)
')
diff --git a/policy/rolemap b/policy/rolemap
index 729ed88..c1de37e 100644
--- a/policy/rolemap
+++ b/policy/rolemap
@@ -1,6 +1,6 @@
#
# This file contains the mappings
-# used for per-userdomain template
+# used for per-role template
# infrastructure. Each line describes
# the prefix and user domain type
# corresponding to each role.
@@ -8,11 +8,6 @@
# syntax: role prefix user_domain
#
-user_r user user_t
-staff_r staff staff_t
-sysadm_r sysadm sysadm_t
-
-ifdef(`enable_mls',`
- secadm_r secadm secadm_t
- auditadm_r auditadm auditadm_t
-')
+# This support has been deprecated and
+# will be removed in the future. Note: No
+# per-role templates exist in refpolicy.
diff --git a/support/Makefile.devel b/support/Makefile.devel
index a944df0..87be614 100644
--- a/support/Makefile.devel
+++ b/support/Makefile.devel
@@ -62,6 +62,10 @@ ifeq ($(DIRECT_INITRC),y)
M4PARAM += -D direct_sysadm_daemon
endif
+ifeq "$(UBAC)" "y"
+ M4PARAM += -D enable_ubac
+endif
+
# default MLS/MCS sensitivity and category settings.
MLS_SENS ?= 16
MLS_CATS ?= 256
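Review bot: The new `ifeq "$(UBAC)" "y"` test silently leaves UBAC off when the variable is unset or spelled differently (`Y`, `yes`), and this fragment gives it no default, unlike `MLS_SENS ?= 16` two lines below; because UBAC is the separation that stands in for the per-role types this commit removes, a module built against headers whose build.conf predates the `UBAC` line would get no separation and no warning. Assuming build.conf is included earlier in Makefile.devel (outside this hunk), a `UBAC ?= n` default alongside the other defaults, written in the same `ifeq ($(UBAC),y)` form as the `DIRECT_INITRC` check just above for consistency, makes the choice explicit and the omission visible.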