diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 254ad48..825818c 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -82,6 +82,23 @@ interface(`fs_associate_noxattr',`
########################################
##
+## Execute files on a filesystem that does
+## not support extended attributes.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`fs_exec_noxattr',`
+ gen_require(`
+ attribute noxattrfs;
+ ')
+
+ can_exec($1,noxattrfs)
+')
+
+########################################
+##
## Mount a persistent filesystem which
## has extended attributes, such as
## ext3, JFS, or XFS.
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 4106bdd..13cafe0 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -303,9 +303,9 @@ interface(`domain_kill_all_domains',`
')
########################################
-##
+##
## Read the process state (/proc/pid) of all domains.
-##
+##
##
## The type of the process performing this action.
##
@@ -332,6 +332,36 @@ interface(`domain_read_all_domains_state',`
')
########################################
+##
+## Do not audit attempts to read the process
+## state (/proc/pid) of all domains.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`domain_dontaudit_read_all_domains_state',`
+ gen_require(`
+ attribute domain;
+ class dir r_dir_perms;
+ class lnk_file r_file_perms;
+ class file r_file_perms;
+ class process { getattr ptrace };
+ ')
+
+ dontaudit $1 domain:dir r_dir_perms;
+ dontaudit $1 domain:lnk_file r_file_perms;
+ dontaudit $1 domain:file r_file_perms;
+ dontaudit $1 domain:process getattr;
+
+ # We need to suppress this denial because procps tries to access
+ # /proc/pid/environ and this now triggers a ptrace check in recent kernels
+ # (2.4 and 2.6). Might want to change procps to not do this, or only if
+ # running in a privileged domain.
+ dontaudit $1 domain:process ptrace;
+')
+
+########################################
##
## Do not audit attempts to read the process state
## directories of all domains.
@@ -350,9 +380,9 @@ interface(`domain_dontaudit_list_all_domains_proc',`
')
########################################
-##
+##
## Get the session ID of all domains.
-##
+##
##
## The type of the process performing this action.
##
@@ -368,6 +398,51 @@ interface(`domain_getsession_all_domains',`
########################################
##
+## Do not audit attempts to get the
+## session ID of all domains.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`domain_dontaudit_getsession_all_domains',`
+ gen_require(`
+ attribute domain;
+ class process getsession;
+ ')
+
+ allow $1 domain:process getsession;
+')
+
+########################################
+##
+## Get the attributes of all domains
+## sockets, for all socket types.
+##
+##
+##
+## Get the attributes of all domains
+## sockets, for all socket types.
+##
+##
+## This is commonly used for domains
+## that can use lsof on all domains.
+##
+##
+##
+## Domain allowed access.
+##
+#
+interface(`domain_getattr_all_sockets',`
+ gen_require(`
+ gen_require_set(getattr,socket_class_set)
+ ')
+
+ allow $1 domain:socket_class_set getattr;
+')
+
+########################################
+##
## Do not audit attempts to get the attributes
## of all domains sockets, for all socket types.
##
diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if
index a439efd..399d502 100644
--- a/refpolicy/policy/modules/system/miscfiles.if
+++ b/refpolicy/policy/modules/system/miscfiles.if
@@ -1,13 +1,13 @@
## Miscelaneous files.
########################################
-##
-## Allow process to create files and dirs in /var/cache/man
-## and /var/catman/
-##
-##
-## Type type of the process performing this action.
-##
+##
+## Allow process to create files and dirs in /var/cache/man
+## and /var/catman/
+##
+##
+## Type type of the process performing this action.
+##
#
interface(`miscfiles_rw_man_cache',`
gen_require(`
@@ -22,12 +22,12 @@ interface(`miscfiles_rw_man_cache',`
')
########################################
-##
-## Allow process to read fonts files
-##
-##
-## Type type of the process performing this action.
-##
+##
+## Read fonts
+##
+##
+## Type type of the process performing this action.
+##
#
interface(`miscfiles_read_fonts',`
gen_require(`
@@ -45,12 +45,12 @@ interface(`miscfiles_read_fonts',`
')
########################################
-##
-## Allow process to read localization info
-##
-##
-## Type type of the process performing this action.
-##
+##
+## Allow process to read localization info
+##
+##
+## Type type of the process performing this action.
+##
#
interface(`miscfiles_read_localization',`
gen_require(`
@@ -72,12 +72,12 @@ interface(`miscfiles_read_localization',`
')
########################################
-##
-## Allow process to read legacy time localization info
-##
-##
-## Type type of the process performing this action.
-##
+##
+## Allow process to read legacy time localization info
+##
+##
+## Type type of the process performing this action.
+##
#
interface(`miscfiles_legacy_read_localization',`
gen_require(`
@@ -90,12 +90,12 @@ interface(`miscfiles_legacy_read_localization',`
')
########################################
-##
-## Allow process to read manpages
-##
-##
-## Type type of the process performing this action.
-##
+##
+## Allow process to read man pages
+##
+##
+## Type type of the process performing this action.
+##
#
interface(`miscfiles_read_man_pages',`
gen_require(`
@@ -111,3 +111,49 @@ interface(`miscfiles_read_man_pages',`
allow $1 man_t:lnk_file r_file_perms;
')
+########################################
+##
+## Read TeX data
+##
+##
+## Type type of the process performing this action.
+##
+#
+interface(`miscfiles_read_tetex_data',`
+ gen_require(`
+ type tetex_data_t;
+ class dir r_dir_perms;
+ class file r_file_perms;
+ class lnk_file r_file_perms;
+ ')
+
+ files_search_var($1)
+ files_search_var_lib($1)
+
+ # cjp: TeX data can be in either of the above dirs
+ allow $1 tetex_data_t:dir r_dir_perms;
+ allow $1 tetex_data_t:file r_file_perms;
+ allow $1 tetex_data_t:lnk_file r_file_perms;
+')
+
+########################################
+##
+## Execute TeX data programs in the caller domain.
+##
+##
+## Type type of the process performing this action.
+##
+#
+interface(`miscfiles_exec_tetex_data',`
+ gen_require(`
+ type fonts_t;
+ class dir r_dir_perms;
+ ')
+
+ files_search_var($1)
+ files_search_var_lib($1)
+
+ # cjp: TeX data can be in either of the above dirs
+ allow $1 tetex_data_t:dir r_dir_perms;
+ can_exec($1,tetex_data_t)
+')
diff --git a/refpolicy/policy/modules/system/pcmcia.if b/refpolicy/policy/modules/system/pcmcia.if
index 389ba9b..96cddbf 100644
--- a/refpolicy/policy/modules/system/pcmcia.if
+++ b/refpolicy/policy/modules/system/pcmcia.if
@@ -76,6 +76,26 @@ interface(`pcmcia_run_cardctl',`
########################################
##
+## Read cardmgr pid files.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`pcmcia_read_pid',`
+ gen_require(`
+ type cardmgr_var_run_t;
+ class dir r_dir_perms;
+ class file r_file_perms;
+ ')
+
+ files_search_pids($1)
+ allow $1 cardmgr_var_run_t:dir r_dir_perms;
+ allow $1 cardmgr_var_run_t:file r_file_perms;
+')
+
+########################################
+##
## Create, read, write, and delete
## cardmgr pid files.
##
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 5a25579..3e386ed 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -156,6 +156,7 @@ template(`base_user_template',`
fs_get_all_fs_quotas($1_t)
fs_getattr_all_fs($1_t)
fs_search_auto_mountpoints($1_t)
+ fs_exec_noxattr($1_t)
# for eject
storage_getattr_fixed_disk($1_t)
@@ -171,6 +172,10 @@ template(`base_user_template',`
domain_exec_all_entry_files($1_t)
domain_use_wide_inherit_fd($1_t)
+ # When the user domain runs ps, there will be a number of access
+ # denials when ps tries to search /proc. Do not audit these denials.
+ domain_dontaudit_read_all_domains_state($1_t)
+ domain_dontaudit_getsession_all_domains($1_t)
files_exec_etc_files($1_t)
files_read_usr_src_files($1_t)
@@ -188,6 +193,9 @@ template(`base_user_template',`
miscfiles_read_localization($1_t)
miscfiles_rw_man_cache($1_t)
+ # for running TeX programs
+ miscfiles_read_tetex_data($1_t)
+ miscfiles_exec_tetex_data($1_t)
seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
@@ -198,6 +206,14 @@ template(`base_user_template',`
allow $1_t self:process execmem;
')
+ tunable_policy(`read_default_t',`
+ files_list_default($1_t)
+ files_read_default_files($1_t)
+ files_read_default_symlinks($1_t)
+ files_read_default_sockets($1_t)
+ files_read_default_pipes($1_t)
+ ')
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_t)
fs_manage_nfs_files($1_t)
@@ -236,6 +252,11 @@ template(`base_user_template',`
nscd_use_socket($1_t)
')
+ optional_policy(`pcmcia.te',`
+ # to allow monitoring of pcmcia status
+ pcmcia_read_pid($1_t)
+ ')
+
optional_policy(`rpm.te',`
files_getattr_var_lib_dir($1_t)
files_search_var_lib($1_t)
@@ -248,11 +269,6 @@ template(`base_user_template',`
ifdef(`TODO',`
- # When the user domain runs ps, there will be a number of access
- # denials when ps tries to search /proc. Do not audit these denials.
- dontaudit $1_t domain:dir r_dir_perms;
- dontaudit $1_t domain:notdevfile_class_set r_file_perms;
- dontaudit $1_t domain:process { getattr getsession };
#
# Cups daemon running as user tries to write /etc/printcap
#
@@ -271,11 +287,6 @@ template(`base_user_template',`
# /initrd is left mounted, various programs try to look at it
dontaudit $1_t ramfs_t:dir getattr;
- tunable_policy(`read_default_t',`
- allow $1_t default_t:dir r_dir_perms;
- allow $1_t default_t:notdevfile_class_set r_file_perms;
- ')
-
#
# Running ifconfig as a user generates the following
#
@@ -303,11 +314,8 @@ template(`base_user_template',`
dontaudit $1_t sysctl_t:dir_file_class_set getattr;
dontaudit $1_t proc_fs:dir { read search };
- can_exec($1_t, { removable_t noexattrfile } )
-
tunable_policy(`user_rw_noexattrfile',`
create_dir_file($1_t, noexattrfile)
- create_dir_file($1_t, removable_t)
# Write floppies
storage_raw_read_removable_device($1_t)
storage_raw_write_removable_device($1_t)
@@ -321,12 +329,6 @@ template(`base_user_template',`
allow $1_t usbtty_device_t:chr_file read;
- can_exec($1_t, noexattrfile)
-
- # for running TeX programs
- r_dir_file($1_t, tetex_data_t)
- can_exec($1_t, tetex_data_t)
-
can_resmgrd_connect($1_t)
# Grant permissions to access the system DBus
@@ -350,22 +352,19 @@ template(`base_user_template',`
allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file r_file_perms;
')
- # Connect to inetd.
ifdef(`inetd.te', `
+ # Connect to inetd.
can_tcp_connect($1_t, inetd_t)
can_udp_send($1_t, inetd_t)
can_udp_send(inetd_t, $1_t)
+ # Inherit and use sockets from inetd
+ allow $1_t inetd_t:fd use;
+ allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
')
# Connect to portmap.
ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')
- # Inherit and use sockets from inetd
- ifdef(`inetd.te', `
- allow $1_t inetd_t:fd use;
- allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
- ')
-
ifdef(`xserver.te', `
# for /tmp/.ICE-unix
file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
@@ -398,11 +397,6 @@ template(`base_user_template',`
create_dir_file($1_t, nfsd_rw_t)
')
- ifdef(`cardmgr.te', `
- # to allow monitoring of pcmcia status
- allow $1_t cardmgr_var_run_t:file r_file_perms;
- ')
-
#
# Allow graphical boot to check battery lifespan
#
@@ -417,7 +411,7 @@ template(`base_user_template',`
') dnl endif TODO
-')dnl end base_user_domain macro
+')
#######################################
##
@@ -496,6 +490,14 @@ template(`unpriv_user_template', `
files_read_etc_files($1_t)
files_list_home($1_t)
files_read_usr_files($1_t)
+ files_exec_usr_files($1_t)
+ # Read directories and files with the readable_t type.
+ # This type is a general type for "world"-readable files.
+ files_list_world_readable($1_t)
+ files_read_world_readable_files($1_t)
+ files_read_world_readable_symlinks($1_t)
+ files_read_world_readable_pipes($1_t)
+ files_read_world_readable_sockets($1_t)
init_read_script_pid($1_t)
# The library functions always try to open read-write first,
@@ -567,18 +569,6 @@ template(`unpriv_user_template', `
')
')
- tunable_policy(`read_default_t',`
- allow $1 default_t:dir r_dir_perms;
- allow $1 default_t:notdevfile_class_set r_file_perms;
- ')
-
- can_exec($1_t, usr_t)
-
- # Read directories and files with the readable_t type.
- # This type is a general type for "world"-readable files.
- allow $1_t readable_t:dir r_dir_perms;
- allow $1_t readable_t:notdevfile_class_set r_file_perms;
-
# Stat lost+found.
allow $1_t lost_found_t:dir getattr;
@@ -644,8 +634,7 @@ template(`unpriv_user_template', `
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
##
-##
-##
+##
## The privileges given to administrative users are:
##
## - Raw disk access
@@ -658,7 +647,8 @@ template(`unpriv_user_template', `
## - Manage source and binary format SELinux policy
## - Run insmod
##
-##
+##
+##
##
## The prefix of the user domain (e.g., sysadm
## is the prefix for sysadm_t).
@@ -724,13 +714,26 @@ template(`admin_user_template',`
kernel_read_ring_buffer($1_t)
kernel_get_sysvipc_info($1_t)
kernel_rw_all_sysctl($1_t)
-
# signal unlabeled processes:
kernel_kill_unlabeled($1_t)
kernel_signal_unlabeled($1_t)
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
+ # for the administrator to run TCP servers directly
+ kernel_tcp_recvfrom($1_t)
+
+ corenet_tcp_bind_generic_port($1_t)
+ # allow setting up tunnels
+ corenet_use_tun_tap_device($1_t)
+
+ dev_getattr_generic_blk_file($1_t)
+ dev_getattr_generic_chr_file($1_t)
+ dev_getattr_all_blk_files($1_t)
+ dev_getattr_all_chr_files($1_t)
+
+ fs_getattr_all_fs($1_t)
+ fs_set_all_quotas($1_t)
selinux_set_enforce_mode($1_t)
selinux_set_boolean($1_t)
@@ -743,16 +746,6 @@ template(`admin_user_template',`
selinux_compute_relabel_context($1_t)
selinux_compute_user_contexts($1_t)
- corenet_tcp_bind_generic_port($1_t)
-
- dev_getattr_generic_blk_file($1_t)
- dev_getattr_generic_chr_file($1_t)
- dev_getattr_all_blk_files($1_t)
- dev_getattr_all_chr_files($1_t)
-
- fs_getattr_all_fs($1_t)
- fs_set_all_quotas($1_t)
-
storage_raw_read_removable_device($1_t)
storage_raw_write_removable_device($1_t)
@@ -761,6 +754,7 @@ template(`admin_user_template',`
term_use_all_user_ptys($1_t)
term_use_all_user_ttys($1_t)
+ auth_getattr_shadow($1_t)
# Manage almost all files
auth_manage_all_files_except_shadow($1_t)
# Relabel almost all files
@@ -775,6 +769,8 @@ template(`admin_user_template',`
domain_sigstop_all_domains($1_t)
domain_sigstop_all_domains($1_t)
domain_sigchld_all_domains($1_t)
+ # for lsof
+ domain_getattr_all_sockets($1_t)
files_exec_usr_files($1_t)
@@ -799,44 +795,45 @@ template(`admin_user_template',`
ifdef(`TODO',`
- # Let admin stat the shadow file.
- allow $1_t shadow_t:file getattr;
-
# for lsof
allow $1_t mtrr_device_t:file getattr;
- allow $1_t serial_device:chr_file setattr;
+ # for lsof
+ allow $1_t eventpollfs_t:file getattr;
- # allow setting up tunnels
- allow $1_t tun_tap_device_t:chr_file rw_file_perms;
+ allow $1_t serial_device:chr_file setattr;
allow $1_t ptyfile:chr_file getattr;
- # Run programs from staff home directories.
- # Not ideal, but typical if users want to login as both sysadm_t or staff_t.
- can_exec($1_t, staff_home_t)
-
# Run admin programs that require different permissions in their own domain.
# These rules were moved into the appropriate program domain file.
- ifdef(`startx.te', `
- ifdef(`xserver.te', `
- # Create files in /tmp/.X11-unix with our X servers derived
- # tmp type rather than user_xserver_tmp_t.
- file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
- ')
+ ifdef(`xserver.te', `
+ # Create files in /tmp/.X11-unix with our X servers derived
+ # tmp type rather than user_xserver_tmp_t.
+ file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
')
+
ifdef(`xdm.te', `
- ifdef(`xauth.te', `
- tunable_policy(`xdm_sysadm_login',`
- allow xdm_t $1_home_t:lnk_file read;
- allow xdm_t $1_home_t:dir search;
- ')
- allow $1_t xdm_t:fifo_file rw_file_perms;
+ tunable_policy(`xdm_sysadm_login',`
+ allow xdm_t $1_home_t:lnk_file read;
+ allow xdm_t $1_home_t:dir search;
')
+ allow $1_t xdm_t:fifo_file rw_file_perms;
')
+ # Connect data port to ftpd.
+ ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')
+
+ # Connect second port to rshd.
+ ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')
+
+ # Allow MAKEDEV to work
+ allow $1_t device_t:dir rw_dir_perms;
+ allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
+ allow $1_t device_t:lnk_file { create read };
+
#
# A user who is authorized for sysadm_t may nonetheless have
# a home directory labeled with user_home_t if the user is expected
@@ -850,23 +847,9 @@ template(`admin_user_template',`
allow $1_gph_t user_home_type:file create_file_perms;
')
- # for the administrator to run TCP servers directly
- allow $1_t kernel_t:tcp_socket recvfrom;
-
- # Connect data port to ftpd.
- ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')
-
- # Connect second port to rshd.
- ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')
-
- # Allow MAKEDEV to work
- allow $1_t device_t:dir rw_dir_perms;
- allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
- allow $1_t device_t:lnk_file { create read };
-
- # for lsof
- allow $1_t domain:socket_class_set getattr;
- allow $1_t eventpollfs_t:file getattr;
+ # Run programs from staff home directories.
+ # Not ideal, but typical if users want to login as both sysadm_t or staff_t.
+ can_exec($1_t, staff_home_t)
') dnl endif TODO
')