diff --git a/Changelog b/Changelog
index 880d9ae..2cba6d7 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,9 @@
+- Merge shlib_t into lib_t.
+- Merge strict and targeted policies. The policy will now behave like the
+ strict policy if the unconfined module is not present. If it is, it will
+ behave like the targeted policy. Added an unconfined role to have a mix
+ of confined and unconfined users.
+
 * Fri Sep 28 2007 Chris PeBenito - 20070928
 - Add support for setting the unknown permissions handling.
 - Fix XML building for external reference builds and headers builds.
diff --git a/Makefile b/Makefile
index 2708a78..df6806e 100644
--- a/Makefile
+++ b/Makefile
@@ -158,18 +158,8 @@ modpkgdir = $(sharedir)/$(strip $(NAME))
 headerdir = $(modpkgdir)/include
 docsdir = $(prefix)/share/doc/$(PKGNAME)
 
-# compile strict policy if requested.
-ifneq ($(findstring strict,$(TYPE)),)
- M4PARAM += -D strict_policy
-endif
-
-# compile targeted policy if requested.
-ifneq ($(findstring targeted,$(TYPE)),)
- M4PARAM += -D targeted_policy
-endif
-
 # enable MLS if requested.
-ifneq ($(findstring -mls,$(TYPE)),)
+ifeq "$(TYPE)" "mls"
 M4PARAM += -D enable_mls
 CHECKPOLICY += -M
 CHECKMODULE += -M
@@ -177,7 +167,7 @@ ifneq ($(findstring -mls,$(TYPE)),)
 endif
 
 # enable MLS if MCS requested.
-ifneq ($(findstring -mcs,$(TYPE)),)
+ifeq "$(TYPE)" "mcs"
 M4PARAM += -D enable_mcs
 CHECKPOLICY += -M
 CHECKMODULE += -M
diff --git a/README b/README
index 6901c33..f4d8b21 100644
--- a/README
+++ b/README
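Review bot: The new `ifeq "$(TYPE)" "mls"` test silently accepts any unrecognised TYPE, so a build.conf carried over from an earlier release with `TYPE = strict-mls` or `TYPE = targeted-mcs` now builds a policy without `-D enable_mls`/`-D enable_mcs` and without `-M` on checkpolicy, where the removed `findstring -mls` test would still have matched; the same applies to the `ifeq "$(TYPE)" "mcs"` line in the second Makefile hunk. The exact string comparison is also sensitive to stray whitespace in the value, which `findstring` tolerated. I would validate the value once before these blocks, `ifeq ($(filter standard mls mcs,$(strip $(TYPE))),)` / `$(error Unknown TYPE "$(TYPE)": expected standard, mls or mcs)` / `endif`, and compare `$(strip $(TYPE))` in both ifeq lines so a mistyped TYPE fails the build instead of quietly producing a non-MLS/MCS policy. Both conditional blocks end outside their hunk (the mls block's `endif` is only visible as the first context line of the second hunk).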
@@ -83,13 +83,10 @@ restorelabels Relabel the filesystem and report each file that is 2) Reference Policy Build Options (build.conf) -TYPE String. Available options are strict, targeted, - strict-mls, targeted-mls, strict-mcs, and targeted-mcs. - This sets the policy type as strict or targeted, and - optionally enables multi-leve security (MLS) or +TYPE String. Available options are standard, mls, and mcs. + This optionally enables multi-level security (MLS) or multi-category security (MCS) features. This option - controls strict_policy, targeted_policy, enable_mls, - and enable_mcs policy blocks. + controls enable_mls, and enable_mcs policy blocks. NAME String (optional). Sets the name of the policy; the NAME is used when installing files to e.g., @@ -136,8 +133,7 @@ Rules.modular Makefile rules specific to building loadable module Rules.monolithic Makefile rules specific to building monolithic policies. build.conf Options which influence the building of the policy, - such as the policy type (strict, targeted, etc.) - and distribution. + such as the policy type and distribution. config/appconfig-* Application configuration files for all configurations of the Reference Policy (targeted/strict with or without diff --git a/build.conf b/build.conf index b824ee5..7ebbb8b 100644 --- a/build.conf +++ b/build.conf @@ -11,10 +11,8 @@ #OUTPUT_POLICY = 18 # Policy Type -# strict, targeted, -# strict-mls, targeted-mls, -# strict-mcs, targeted-mcs -TYPE = strict +# standard, mls, mcs +TYPE = standard # Policy Name # If set, this will be used as the policy diff --git a/config/appconfig-mcs/dbus_contexts b/config/appconfig-mcs/dbus_contexts new file mode 100644 index 0000000..116e684 --- /dev/null +++ b/config/appconfig-mcs/dbus_contexts @@ -0,0 +1,6 @@ + + + + + diff --git a/config/appconfig-mcs/default_contexts b/config/appconfig-mcs/default_contexts new file mode 100644 index 0000000..c2b7a80 --- /dev/null +++ b/config/appconfig-mcs/default_contexts 
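Review bot: The new comment `# standard, mls, mcs` above `TYPE = standard` in build.conf does not say what `standard` means or where the former strict/targeted choice went, which the Changelog hunk on this page explains is now decided by whether the unconfined module is present. Because the Makefile hunk drops the `findstring strict`/`findstring targeted` handling, a `TYPE = strict` value kept from an older build.conf no longer has any effect there, so this comment is the one place an upgrading user will look. I would expand it to `# standard (no MLS/MCS), mls, mcs` followed by `# strict vs. targeted behaviour is no longer selected here; it depends on whether the unconfined module is present.`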
@@ -0,0 +1,15 @@
+system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
+system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
+system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
+system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+
+staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+
+sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
+
+user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-mcs/default_type b/config/appconfig-mcs/default_type
new file mode 100644
index 0000000..a39710f
--- /dev/null
+++ b/config/appconfig-mcs/default_type
@@ -0,0 +1,4 @@
+sysadm_r:sysadm_t
+staff_r:staff_t
+unconfined_r:unconfined_t
+user_r:user_t
diff --git a/config/appconfig-mcs/failsafe_context b/config/appconfig-mcs/failsafe_context
new file mode 100644
index 0000000..999abd9
--- /dev/null
+++ b/config/appconfig-mcs/failsafe_context
@@ -0,0 +1 @@
+sysadm_r:sysadm_t:s0
diff --git a/config/appconfig-mcs/initrc_context b/config/appconfig-mcs/initrc_context
new file mode 100644
index 0000000..30ab971
--- /dev/null
+++ b/config/appconfig-mcs/initrc_context
@@ -0,0 +1 @@
+system_u:system_r:initrc_t:s0
diff --git a/config/appconfig-mcs/media b/config/appconfig-mcs/media
new file mode 100644
index 0000000..81f3463
--- /dev/null
+++ b/config/appconfig-mcs/media
@@ -0,0 +1,3 @@
+cdrom system_u:object_r:removable_device_t:s0
+floppy system_u:object_r:removable_device_t:s0
+disk system_u:object_r:fixed_disk_device_t:s0
diff --git a/config/appconfig-mcs/removable_context b/config/appconfig-mcs/removable_context
new file mode 100644
index 0000000..7fcc56e
--- /dev/null
+++ b/config/appconfig-mcs/removable_context
@@ -0,0 +1 @@
+system_u:object_r:removable_t:s0
diff --git a/config/appconfig-mcs/root_default_contexts b/config/appconfig-mcs/root_default_contexts
new file mode 100644
index 0000000..7f4a125
--- /dev/null
+++ b/config/appconfig-mcs/root_default_contexts
@@ -0,0 +1,11 @@
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
+system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+#
+# Uncomment if you want to automatically login as sysadm_r
+#
+#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
new file mode 100644
index 0000000..dc5f1e4
--- /dev/null
+++ b/config/appconfig-mcs/seusers
@@ -0,0 +1,3 @@
+system_u:system_u:s0-mcs_systemhigh
+root:root:s0-mcs_systemhigh
+__default__:user_u:s0
diff --git a/config/appconfig-mcs/userhelper_context b/config/appconfig-mcs/userhelper_context
new file mode 100644
index 0000000..dc37a69
--- /dev/null
+++ b/config/appconfig-mcs/userhelper_context
@@ -0,0 +1 @@
+system_u:sysadm_r:sysadm_t:s0
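Review bot: The comment `# Uncomment if you want to automatically login as sysadm_r` in the new appconfig-mcs/root_default_contexts no longer describes the line under it: the `#system_r:sshd_t:s0` entry now lists `unconfined_r:unconfined_t:s0` ahead of `sysadm_r:sysadm_t:s0`, and as far as I understand the default-context lookup the first entry the user is authorised for wins, so on a system where root is authorised for unconfined_r, uncommenting it would land root's ssh sessions in the unconfined domain rather than sysadm_r. The same stale comment and ordering appear in the appconfig-mls and appconfig-standard copies of root_default_contexts later on this page. Either reword it, e.g. `# Uncomment to let root ssh logins get a default context (unconfined_r if available, otherwise sysadm_r)`, or place `unconfined_r:unconfined_t:s0` after `sysadm_r:sysadm_t:s0` on that line if sysadm_r is the intended default. The unconfined-first ordering on the `local_login_t` and `crond_t` lines looks intentional given the Changelog's description, but it changes root's default domain whenever the unconfined module is present and deserves a short header comment saying so.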
diff --git a/config/appconfig-mls/dbus_contexts b/config/appconfig-mls/dbus_contexts new file mode 100644 index 0000000..116e684 --- /dev/null +++ b/config/appconfig-mls/dbus_contexts @@ -0,0 +1,6 @@ + + + + + diff --git a/config/appconfig-mls/default_contexts b/config/appconfig-mls/default_contexts new file mode 100644 index 0000000..c2b7a80 --- /dev/null +++ b/config/appconfig-mls/default_contexts @@ -0,0 +1,15 @@ +system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0 +system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 +system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0 +system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 +system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0 +system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 + +staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 +staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 + +sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 +sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 + +user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 +user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0 diff --git a/config/appconfig-mls/default_type b/config/appconfig-mls/default_type new file mode 100644 index 0000000..33528d6 --- /dev/null +++ b/config/appconfig-mls/default_type @@ -0,0 +1,6 @@ +auditadm_r:auditadm_t +secadm_r:secadm_t +sysadm_r:sysadm_t +staff_r:staff_t +unconfined_r:unconfined_t +user_r:user_t diff --git a/config/appconfig-mls/failsafe_context b/config/appconfig-mls/failsafe_context new file mode 100644 index 0000000..999abd9 --- /dev/null +++ b/config/appconfig-mls/failsafe_context 
@@ -0,0 +1 @@
+sysadm_r:sysadm_t:s0
diff --git a/config/appconfig-mls/initrc_context b/config/appconfig-mls/initrc_context
new file mode 100644
index 0000000..4598f92
--- /dev/null
+++ b/config/appconfig-mls/initrc_context
@@ -0,0 +1 @@
+system_u:system_r:initrc_t:s0-mls_systemhigh
diff --git a/config/appconfig-mls/media b/config/appconfig-mls/media
new file mode 100644
index 0000000..81f3463
--- /dev/null
+++ b/config/appconfig-mls/media
@@ -0,0 +1,3 @@
+cdrom system_u:object_r:removable_device_t:s0
+floppy system_u:object_r:removable_device_t:s0
+disk system_u:object_r:fixed_disk_device_t:s0
diff --git a/config/appconfig-mls/removable_context b/config/appconfig-mls/removable_context
new file mode 100644
index 0000000..7fcc56e
--- /dev/null
+++ b/config/appconfig-mls/removable_context
@@ -0,0 +1 @@
+system_u:object_r:removable_t:s0
diff --git a/config/appconfig-mls/root_default_contexts b/config/appconfig-mls/root_default_contexts
new file mode 100644
index 0000000..7f4a125
--- /dev/null
+++ b/config/appconfig-mls/root_default_contexts
@@ -0,0 +1,11 @@
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
+system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+#
+# Uncomment if you want to automatically login as sysadm_r
+#
+#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-mls/seusers b/config/appconfig-mls/seusers
new file mode 100644
index 0000000..dc156bf
--- /dev/null
+++ b/config/appconfig-mls/seusers
@@ -0,0 +1,3 @@ +system_u:system_u:s0-mls_systemhigh +root:root:s0-mls_systemhigh +__default__:user_u:s0 diff --git a/config/appconfig-mls/userhelper_context b/config/appconfig-mls/userhelper_context new file mode 100644 index 0000000..dc37a69 --- /dev/null +++ b/config/appconfig-mls/userhelper_context @@ -0,0 +1 @@ +system_u:sysadm_r:sysadm_t:s0 diff --git a/config/appconfig-standard/dbus_contexts b/config/appconfig-standard/dbus_contexts new file mode 100644 index 0000000..116e684 --- /dev/null +++ b/config/appconfig-standard/dbus_contexts @@ -0,0 +1,6 @@ + + + + + diff --git a/config/appconfig-standard/default_contexts b/config/appconfig-standard/default_contexts new file mode 100644 index 0000000..4bb784d --- /dev/null +++ b/config/appconfig-standard/default_contexts @@ -0,0 +1,15 @@ +system_r:crond_t user_r:user_crond_t staff_r:staff_crond_t sysadm_r:sysadm_crond_t system_r:system_crond_t unconfined_r:unconfined_crond_t +system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t +system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t +system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t +system_r:sulogin_t sysadm_r:sysadm_t +system_r:xdm_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t + +staff_r:staff_su_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t +staff_r:staff_sudo_t sysadm_r:sysadm_t staff_r:staff_t + +sysadm_r:sysadm_su_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t +sysadm_r:sysadm_sudo_t sysadm_r:sysadm_t + +user_r:user_su_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t +user_r:user_sudo_t sysadm_r:sysadm_t user_r:user_t diff --git a/config/appconfig-standard/default_type b/config/appconfig-standard/default_type new file mode 100644 index 0000000..a39710f --- /dev/null +++ b/config/appconfig-standard/default_type @@ -0,0 +1,4 @@ +sysadm_r:sysadm_t +staff_r:staff_t +unconfined_r:unconfined_t +user_r:user_t 
diff --git a/config/appconfig-standard/failsafe_context b/config/appconfig-standard/failsafe_context
new file mode 100644
index 0000000..2f96c9f
--- /dev/null
+++ b/config/appconfig-standard/failsafe_context
@@ -0,0 +1 @@
+sysadm_r:sysadm_t
diff --git a/config/appconfig-standard/initrc_context b/config/appconfig-standard/initrc_context
new file mode 100644
index 0000000..7fcf70b
--- /dev/null
+++ b/config/appconfig-standard/initrc_context
@@ -0,0 +1 @@
+system_u:system_r:initrc_t
diff --git a/config/appconfig-standard/media b/config/appconfig-standard/media
new file mode 100644
index 0000000..de2a652
--- /dev/null
+++ b/config/appconfig-standard/media
@@ -0,0 +1,3 @@
+cdrom system_u:object_r:removable_device_t
+floppy system_u:object_r:removable_device_t
+disk system_u:object_r:fixed_disk_device_t
diff --git a/config/appconfig-standard/removable_context b/config/appconfig-standard/removable_context
new file mode 100644
index 0000000..d4921f0
--- /dev/null
+++ b/config/appconfig-standard/removable_context
@@ -0,0 +1 @@
+system_u:object_r:removable_t
diff --git a/config/appconfig-standard/root_default_contexts b/config/appconfig-standard/root_default_contexts
new file mode 100644
index 0000000..3806d33
--- /dev/null
+++ b/config/appconfig-standard/root_default_contexts
@@ -0,0 +1,11 @@
+system_r:crond_t unconfined_r:unconfined_t sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t
+system_r:local_login_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+
+staff_r:staff_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+sysadm_r:sysadm_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+user_r:user_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+
+#
+# Uncomment if you want to automatically login as sysadm_r
+#
+#system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
diff --git a/config/appconfig-standard/seusers b/config/appconfig-standard/seusers new file mode 100644 index 0000000..36b193b --- /dev/null +++ b/config/appconfig-standard/seusers @@ -0,0 +1,3 @@ +system_u:system_u +root:root +__default__:user_u diff --git a/config/appconfig-standard/userhelper_context b/config/appconfig-standard/userhelper_context new file mode 100644 index 0000000..081e93b --- /dev/null +++ b/config/appconfig-standard/userhelper_context @@ -0,0 +1 @@ +system_u:sysadm_r:sysadm_t diff --git a/config/appconfig-strict-mcs/dbus_contexts b/config/appconfig-strict-mcs/dbus_contexts deleted file mode 100644 index 116e684..0000000 --- a/config/appconfig-strict-mcs/dbus_contexts +++ /dev/null @@ -1,6 +0,0 @@ - - - - - diff --git a/config/appconfig-strict-mcs/default_contexts b/config/appconfig-strict-mcs/default_contexts deleted file mode 100644 index 7bf43ff..0000000 --- a/config/appconfig-strict-mcs/default_contexts +++ /dev/null @@ -1,12 +0,0 @@ -system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0 -system_r:local_login_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 -system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 -system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 -system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 mailman_r:user_crond_t:s0 -system_r:xdm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 -staff_r:staff_su_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 -sysadm_r:sysadm_su_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 -user_r:user_su_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 -sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 -staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 -user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0 
diff --git a/config/appconfig-strict-mcs/default_type b/config/appconfig-strict-mcs/default_type deleted file mode 100644 index 5212ca4..0000000 --- a/config/appconfig-strict-mcs/default_type +++ /dev/null @@ -1,3 +0,0 @@ -sysadm_r:sysadm_t -staff_r:staff_t -user_r:user_t diff --git a/config/appconfig-strict-mcs/failsafe_context b/config/appconfig-strict-mcs/failsafe_context deleted file mode 100644 index 999abd9..0000000 --- a/config/appconfig-strict-mcs/failsafe_context +++ /dev/null @@ -1 +0,0 @@ -sysadm_r:sysadm_t:s0 diff --git a/config/appconfig-strict-mcs/initrc_context b/config/appconfig-strict-mcs/initrc_context deleted file mode 100644 index 30ab971..0000000 --- a/config/appconfig-strict-mcs/initrc_context +++ /dev/null @@ -1 +0,0 @@ -system_u:system_r:initrc_t:s0 diff --git a/config/appconfig-strict-mcs/media b/config/appconfig-strict-mcs/media deleted file mode 100644 index 81f3463..0000000 --- a/config/appconfig-strict-mcs/media +++ /dev/null @@ -1,3 +0,0 @@ -cdrom system_u:object_r:removable_device_t:s0 -floppy system_u:object_r:removable_device_t:s0 -disk system_u:object_r:fixed_disk_device_t:s0 diff --git a/config/appconfig-strict-mcs/removable_context b/config/appconfig-strict-mcs/removable_context deleted file mode 100644 index 7fcc56e..0000000 --- a/config/appconfig-strict-mcs/removable_context +++ /dev/null @@ -1 +0,0 @@ -system_u:object_r:removable_t:s0 diff --git a/config/appconfig-strict-mcs/root_default_contexts b/config/appconfig-strict-mcs/root_default_contexts deleted file mode 100644 index e9d95e8..0000000 --- a/config/appconfig-strict-mcs/root_default_contexts +++ /dev/null 
@@ -1,9 +0,0 @@ -system_r:local_login_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 -system_r:crond_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0 -staff_r:staff_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 -sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 -user_r:user_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 -# -# Uncomment if you want to automatically login as sysadm_r -# -#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 diff --git a/config/appconfig-strict-mcs/seusers b/config/appconfig-strict-mcs/seusers deleted file mode 100644 index dc5f1e4..0000000 --- a/config/appconfig-strict-mcs/seusers +++ /dev/null @@ -1,3 +0,0 @@ -system_u:system_u:s0-mcs_systemhigh -root:root:s0-mcs_systemhigh -__default__:user_u:s0 diff --git a/config/appconfig-strict-mcs/userhelper_context b/config/appconfig-strict-mcs/userhelper_context deleted file mode 100644 index dc37a69..0000000 --- a/config/appconfig-strict-mcs/userhelper_context +++ /dev/null @@ -1 +0,0 @@ -system_u:sysadm_r:sysadm_t:s0 diff --git a/config/appconfig-strict-mls/dbus_contexts b/config/appconfig-strict-mls/dbus_contexts deleted file mode 100644 index 116e684..0000000 --- a/config/appconfig-strict-mls/dbus_contexts +++ /dev/null @@ -1,6 +0,0 @@ - - - - - diff --git a/config/appconfig-strict-mls/default_contexts b/config/appconfig-strict-mls/default_contexts deleted file mode 100644 index 7bf43ff..0000000 --- a/config/appconfig-strict-mls/default_contexts +++ /dev/null 
@@ -1,12 +0,0 @@ -system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0 -system_r:local_login_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 -system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 -system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 -system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 mailman_r:user_crond_t:s0 -system_r:xdm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 -staff_r:staff_su_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 -sysadm_r:sysadm_su_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 -user_r:user_su_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 -sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 -staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 -user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0 diff --git a/config/appconfig-strict-mls/default_type b/config/appconfig-strict-mls/default_type deleted file mode 100644 index c3315fe..0000000 --- a/config/appconfig-strict-mls/default_type +++ /dev/null @@ -1,5 +0,0 @@ -sysadm_r:sysadm_t -secadm_r:secadm_t -staff_r:staff_t -user_r:user_t -auditadm_r:auditadm_t diff --git a/config/appconfig-strict-mls/failsafe_context b/config/appconfig-strict-mls/failsafe_context deleted file mode 100644 index 999abd9..0000000 --- a/config/appconfig-strict-mls/failsafe_context +++ /dev/null @@ -1 +0,0 @@ -sysadm_r:sysadm_t:s0 diff --git a/config/appconfig-strict-mls/initrc_context b/config/appconfig-strict-mls/initrc_context deleted file mode 100644 index 4598f92..0000000 --- a/config/appconfig-strict-mls/initrc_context +++ /dev/null @@ -1 +0,0 @@ -system_u:system_r:initrc_t:s0-mls_systemhigh diff --git a/config/appconfig-strict-mls/media b/config/appconfig-strict-mls/media deleted file mode 100644 index 81f3463..0000000 --- a/config/appconfig-strict-mls/media +++ /dev/null 
@@ -1,3 +0,0 @@ -cdrom system_u:object_r:removable_device_t:s0 -floppy system_u:object_r:removable_device_t:s0 -disk system_u:object_r:fixed_disk_device_t:s0 diff --git a/config/appconfig-strict-mls/removable_context b/config/appconfig-strict-mls/removable_context deleted file mode 100644 index 7fcc56e..0000000 --- a/config/appconfig-strict-mls/removable_context +++ /dev/null @@ -1 +0,0 @@ -system_u:object_r:removable_t:s0 diff --git a/config/appconfig-strict-mls/root_default_contexts b/config/appconfig-strict-mls/root_default_contexts deleted file mode 100644 index e9d95e8..0000000 --- a/config/appconfig-strict-mls/root_default_contexts +++ /dev/null @@ -1,9 +0,0 @@ -system_r:local_login_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 -system_r:crond_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0 -staff_r:staff_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 -sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 -user_r:user_su_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 -# -# Uncomment if you want to automatically login as sysadm_r -# -#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 diff --git a/config/appconfig-strict-mls/seusers b/config/appconfig-strict-mls/seusers deleted file mode 100644 index dc156bf..0000000 --- a/config/appconfig-strict-mls/seusers +++ /dev/null @@ -1,3 +0,0 @@ -system_u:system_u:s0-mls_systemhigh -root:root:s0-mls_systemhigh -__default__:user_u:s0 diff --git a/config/appconfig-strict-mls/userhelper_context b/config/appconfig-strict-mls/userhelper_context deleted file mode 100644 index dc37a69..0000000 --- a/config/appconfig-strict-mls/userhelper_context +++ /dev/null @@ -1 +0,0 @@ -system_u:sysadm_r:sysadm_t:s0 diff --git a/config/appconfig-strict/dbus_contexts b/config/appconfig-strict/dbus_contexts deleted file mode 100644 index 116e684..0000000 
--- a/config/appconfig-strict/dbus_contexts +++ /dev/null @@ -1,6 +0,0 @@ - - - - - diff --git a/config/appconfig-strict/default_contexts b/config/appconfig-strict/default_contexts deleted file mode 100644 index 3ea48aa..0000000 --- a/config/appconfig-strict/default_contexts +++ /dev/null @@ -1,12 +0,0 @@ -system_r:sulogin_t sysadm_r:sysadm_t -system_r:local_login_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t -system_r:remote_login_t user_r:user_t staff_r:staff_t -system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t -system_r:crond_t user_r:user_crond_t staff_r:staff_crond_t sysadm_r:sysadm_crond_t system_r:system_crond_t mailman_r:user_crond_t -system_r:xdm_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t -staff_r:staff_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t -sysadm_r:sysadm_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t -user_r:user_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t -sysadm_r:sysadm_sudo_t sysadm_r:sysadm_t -staff_r:staff_sudo_t sysadm_r:sysadm_t staff_r:staff_t -user_r:user_sudo_t sysadm_r:sysadm_t user_r:user_t diff --git a/config/appconfig-strict/default_type b/config/appconfig-strict/default_type deleted file mode 100644 index 5212ca4..0000000 --- a/config/appconfig-strict/default_type +++ /dev/null @@ -1,3 +0,0 @@ -sysadm_r:sysadm_t -staff_r:staff_t -user_r:user_t diff --git a/config/appconfig-strict/failsafe_context b/config/appconfig-strict/failsafe_context deleted file mode 100644 index 2f96c9f..0000000 --- a/config/appconfig-strict/failsafe_context +++ /dev/null @@ -1 +0,0 @@ -sysadm_r:sysadm_t diff --git a/config/appconfig-strict/initrc_context b/config/appconfig-strict/initrc_context deleted file mode 100644 index 7fcf70b..0000000 --- a/config/appconfig-strict/initrc_context +++ /dev/null @@ -1 +0,0 @@ -system_u:system_r:initrc_t diff --git a/config/appconfig-strict/media b/config/appconfig-strict/media deleted file mode 100644 index de2a652..0000000 
--- a/config/appconfig-strict/media +++ /dev/null @@ -1,3 +0,0 @@ -cdrom system_u:object_r:removable_device_t -floppy system_u:object_r:removable_device_t -disk system_u:object_r:fixed_disk_device_t diff --git a/config/appconfig-strict/removable_context b/config/appconfig-strict/removable_context deleted file mode 100644 index d4921f0..0000000 --- a/config/appconfig-strict/removable_context +++ /dev/null @@ -1 +0,0 @@ -system_u:object_r:removable_t diff --git a/config/appconfig-strict/root_default_contexts b/config/appconfig-strict/root_default_contexts deleted file mode 100644 index acdcc08..0000000 --- a/config/appconfig-strict/root_default_contexts +++ /dev/null @@ -1,9 +0,0 @@ -system_r:local_login_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t -system_r:crond_t sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t -staff_r:staff_su_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t -sysadm_r:sysadm_su_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t -user_r:user_su_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t -# -# Uncomment if you want to automatically login as sysadm_r -# -#system_r:sshd_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t diff --git a/config/appconfig-strict/seusers b/config/appconfig-strict/seusers deleted file mode 100644 index 36b193b..0000000 --- a/config/appconfig-strict/seusers +++ /dev/null @@ -1,3 +0,0 @@ -system_u:system_u -root:root -__default__:user_u diff --git a/config/appconfig-strict/userhelper_context b/config/appconfig-strict/userhelper_context deleted file mode 100644 index 081e93b..0000000 --- a/config/appconfig-strict/userhelper_context +++ /dev/null @@ -1 +0,0 @@ -system_u:sysadm_r:sysadm_t diff --git a/config/appconfig-targeted-mcs/dbus_contexts b/config/appconfig-targeted-mcs/dbus_contexts deleted file mode 100644 index 116e684..0000000 --- a/config/appconfig-targeted-mcs/dbus_contexts +++ /dev/null @@ -1,6 +0,0 @@ - - - - - 
diff --git a/config/appconfig-targeted-mcs/default_contexts b/config/appconfig-targeted-mcs/default_contexts deleted file mode 100644 index b3dddce..0000000 --- a/config/appconfig-targeted-mcs/default_contexts +++ /dev/null @@ -1,9 +0,0 @@ -system_r:crond_t:s0 system_r:unconfined_t:s0 -system_r:initrc_t:s0 system_r:unconfined_t:s0 -system_r:local_login_t:s0 system_r:unconfined_t:s0 -system_r:remote_login_t:s0 system_r:unconfined_t:s0 -system_r:rshd_t:s0 system_r:unconfined_t:s0 -system_r:sshd_t:s0 system_r:unconfined_t:s0 -system_r:sysadm_su_t:s0 system_r:unconfined_t:s0 -system_r:unconfined_t:s0 system_r:unconfined_t:s0 -system_r:xdm_t:s0 system_r:unconfined_t:s0 diff --git a/config/appconfig-targeted-mcs/default_type b/config/appconfig-targeted-mcs/default_type deleted file mode 100644 index 7ba74a9..0000000 --- a/config/appconfig-targeted-mcs/default_type +++ /dev/null @@ -1 +0,0 @@ -system_r:unconfined_t diff --git a/config/appconfig-targeted-mcs/failsafe_context b/config/appconfig-targeted-mcs/failsafe_context deleted file mode 100644 index 30fd6c0..0000000 --- a/config/appconfig-targeted-mcs/failsafe_context +++ /dev/null @@ -1 +0,0 @@ -system_r:unconfined_t:s0 diff --git a/config/appconfig-targeted-mcs/initrc_context b/config/appconfig-targeted-mcs/initrc_context deleted file mode 100644 index f185cd4..0000000 --- a/config/appconfig-targeted-mcs/initrc_context +++ /dev/null @@ -1 +0,0 @@ -user_u:system_r:initrc_t:s0 diff --git a/config/appconfig-targeted-mcs/media b/config/appconfig-targeted-mcs/media deleted file mode 100644 index 81f3463..0000000 --- a/config/appconfig-targeted-mcs/media +++ /dev/null @@ -1,3 +0,0 @@ -cdrom system_u:object_r:removable_device_t:s0 -floppy system_u:object_r:removable_device_t:s0 -disk system_u:object_r:fixed_disk_device_t:s0 diff --git a/config/appconfig-targeted-mcs/removable_context b/config/appconfig-targeted-mcs/removable_context deleted file mode 100644 index 7fcc56e..0000000 
--- a/config/appconfig-targeted-mcs/removable_context +++ /dev/null @@ -1 +0,0 @@ -system_u:object_r:removable_t:s0 diff --git a/config/appconfig-targeted-mcs/root_default_contexts b/config/appconfig-targeted-mcs/root_default_contexts deleted file mode 100644 index 7326fba..0000000 --- a/config/appconfig-targeted-mcs/root_default_contexts +++ /dev/null @@ -1,2 +0,0 @@ -system_r:unconfined_t:s0 system_r:unconfined_t:s0 -system_r:initrc_t:s0 system_r:unconfined_t:s0 diff --git a/config/appconfig-targeted-mcs/seusers b/config/appconfig-targeted-mcs/seusers deleted file mode 100644 index ce614b4..0000000 --- a/config/appconfig-targeted-mcs/seusers +++ /dev/null @@ -1,2 +0,0 @@ -root:root:s0-mcs_systemhigh -__default__:user_u:s0 diff --git a/config/appconfig-targeted-mcs/userhelper_context b/config/appconfig-targeted-mcs/userhelper_context deleted file mode 100644 index 01f02a3..0000000 --- a/config/appconfig-targeted-mcs/userhelper_context +++ /dev/null @@ -1 +0,0 @@ -system_u:system_r:unconfined_t:s0 diff --git a/config/appconfig-targeted-mls/dbus_contexts b/config/appconfig-targeted-mls/dbus_contexts deleted file mode 100644 index 116e684..0000000 --- a/config/appconfig-targeted-mls/dbus_contexts +++ /dev/null @@ -1,6 +0,0 @@ - - - - - diff --git a/config/appconfig-targeted-mls/default_contexts b/config/appconfig-targeted-mls/default_contexts deleted file mode 100644 index b3dddce..0000000 --- a/config/appconfig-targeted-mls/default_contexts +++ /dev/null @@ -1,9 +0,0 @@ -system_r:crond_t:s0 system_r:unconfined_t:s0 -system_r:initrc_t:s0 system_r:unconfined_t:s0 -system_r:local_login_t:s0 system_r:unconfined_t:s0 -system_r:remote_login_t:s0 system_r:unconfined_t:s0 -system_r:rshd_t:s0 system_r:unconfined_t:s0 -system_r:sshd_t:s0 system_r:unconfined_t:s0 -system_r:sysadm_su_t:s0 system_r:unconfined_t:s0 -system_r:unconfined_t:s0 system_r:unconfined_t:s0 -system_r:xdm_t:s0 system_r:unconfined_t:s0 
diff --git a/config/appconfig-targeted-mls/default_type b/config/appconfig-targeted-mls/default_type deleted file mode 100644 index 7ba74a9..0000000 --- a/config/appconfig-targeted-mls/default_type +++ /dev/null @@ -1 +0,0 @@ -system_r:unconfined_t diff --git a/config/appconfig-targeted-mls/failsafe_context b/config/appconfig-targeted-mls/failsafe_context deleted file mode 100644 index 30fd6c0..0000000 --- a/config/appconfig-targeted-mls/failsafe_context +++ /dev/null @@ -1 +0,0 @@ -system_r:unconfined_t:s0 diff --git a/config/appconfig-targeted-mls/initrc_context b/config/appconfig-targeted-mls/initrc_context deleted file mode 100644 index 13645ea..0000000 --- a/config/appconfig-targeted-mls/initrc_context +++ /dev/null @@ -1 +0,0 @@ -user_u:system_r:initrc_t:s0-mls_systemhigh diff --git a/config/appconfig-targeted-mls/media b/config/appconfig-targeted-mls/media deleted file mode 100644 index 81f3463..0000000 --- a/config/appconfig-targeted-mls/media +++ /dev/null @@ -1,3 +0,0 @@ -cdrom system_u:object_r:removable_device_t:s0 -floppy system_u:object_r:removable_device_t:s0 -disk system_u:object_r:fixed_disk_device_t:s0 diff --git a/config/appconfig-targeted-mls/removable_context b/config/appconfig-targeted-mls/removable_context deleted file mode 100644 index 7fcc56e..0000000 --- a/config/appconfig-targeted-mls/removable_context +++ /dev/null @@ -1 +0,0 @@ -system_u:object_r:removable_t:s0 diff --git a/config/appconfig-targeted-mls/root_default_contexts b/config/appconfig-targeted-mls/root_default_contexts deleted file mode 100644 index 7326fba..0000000 --- a/config/appconfig-targeted-mls/root_default_contexts +++ /dev/null @@ -1,2 +0,0 @@ -system_r:unconfined_t:s0 system_r:unconfined_t:s0 -system_r:initrc_t:s0 system_r:unconfined_t:s0 diff --git a/config/appconfig-targeted-mls/seusers b/config/appconfig-targeted-mls/seusers deleted file mode 100644 index 4e500b0..0000000 --- a/config/appconfig-targeted-mls/seusers +++ /dev/null 
@@ -1,2 +0,0 @@ -root:root:s0-mls_systemhigh -__default__:user_u:s0 diff --git a/config/appconfig-targeted-mls/userhelper_context b/config/appconfig-targeted-mls/userhelper_context deleted file mode 100644 index 01f02a3..0000000 --- a/config/appconfig-targeted-mls/userhelper_context +++ /dev/null @@ -1 +0,0 @@ -system_u:system_r:unconfined_t:s0 diff --git a/config/appconfig-targeted/dbus_contexts b/config/appconfig-targeted/dbus_contexts deleted file mode 100644 index 116e684..0000000 --- a/config/appconfig-targeted/dbus_contexts +++ /dev/null @@ -1,6 +0,0 @@ - - - - - diff --git a/config/appconfig-targeted/default_contexts b/config/appconfig-targeted/default_contexts deleted file mode 100644 index d91373a..0000000 --- a/config/appconfig-targeted/default_contexts +++ /dev/null @@ -1,9 +0,0 @@ -system_r:crond_t system_r:unconfined_t -system_r:initrc_t system_r:unconfined_t -system_r:local_login_t system_r:unconfined_t -system_r:remote_login_t system_r:unconfined_t -system_r:rshd_t system_r:unconfined_t -system_r:sshd_t system_r:unconfined_t -system_r:sysadm_su_t system_r:unconfined_t -system_r:unconfined_t system_r:unconfined_t -system_r:xdm_t system_r:unconfined_t diff --git a/config/appconfig-targeted/default_type b/config/appconfig-targeted/default_type deleted file mode 100644 index 7ba74a9..0000000 --- a/config/appconfig-targeted/default_type +++ /dev/null @@ -1 +0,0 @@ -system_r:unconfined_t diff --git a/config/appconfig-targeted/failsafe_context b/config/appconfig-targeted/failsafe_context deleted file mode 100644 index 7ba74a9..0000000 --- a/config/appconfig-targeted/failsafe_context +++ /dev/null @@ -1 +0,0 @@ -system_r:unconfined_t diff --git a/config/appconfig-targeted/initrc_context b/config/appconfig-targeted/initrc_context deleted file mode 100644 index 505f810..0000000 --- a/config/appconfig-targeted/initrc_context +++ /dev/null @@ -1 +0,0 @@ -user_u:system_r:initrc_t 
diff --git a/config/appconfig-targeted/media b/config/appconfig-targeted/media deleted file mode 100644 index de2a652..0000000 --- a/config/appconfig-targeted/media +++ /dev/null @@ -1,3 +0,0 @@ -cdrom system_u:object_r:removable_device_t -floppy system_u:object_r:removable_device_t -disk system_u:object_r:fixed_disk_device_t diff --git a/config/appconfig-targeted/removable_context b/config/appconfig-targeted/removable_context deleted file mode 100644 index d4921f0..0000000 --- a/config/appconfig-targeted/removable_context +++ /dev/null @@ -1 +0,0 @@ -system_u:object_r:removable_t diff --git a/config/appconfig-targeted/root_default_contexts b/config/appconfig-targeted/root_default_contexts deleted file mode 100644 index 5e3e986..0000000 --- a/config/appconfig-targeted/root_default_contexts +++ /dev/null @@ -1,2 +0,0 @@ -system_r:unconfined_t system_r:unconfined_t -system_r:initrc_t system_r:unconfined_t diff --git a/config/appconfig-targeted/seusers b/config/appconfig-targeted/seusers deleted file mode 100644 index f7c5bd2..0000000 --- a/config/appconfig-targeted/seusers +++ /dev/null @@ -1,2 +0,0 @@ -root:root -__default__:user_u diff --git a/config/appconfig-targeted/userhelper_context b/config/appconfig-targeted/userhelper_context deleted file mode 100644 index 4d47460..0000000 --- a/config/appconfig-targeted/userhelper_context +++ /dev/null @@ -1 +0,0 @@ -system_u:system_r:unconfined_t diff --git a/policy/constraints b/policy/constraints index c1cb375..2e58ead 100644 --- a/policy/constraints +++ b/policy/constraints 
@@ -28,57 +28,34 @@ # # SELinux process identity change constraint: # -ifdef(`strict_policy',` - constrain process transition - ( - u1 == u2 - - or ( t1 == can_change_process_identity and t2 == process_user_target ) - - or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) ) +constrain process transition +( + u1 == u2 - or ( t1 == can_system_change and u2 == system_u ) + or ( t1 == can_change_process_identity and t2 == process_user_target ) - or ( t1 == process_uncond_exempt ) - ); -') + or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) ) -ifdef(`targeted_policy',` - constrain process transition - ( - u1 == u2 + or ( t1 == can_system_change and u2 == system_u ) - or t1 == can_change_process_identity - ); -') + or ( t1 == process_uncond_exempt ) +); # # SELinux process role change constraint: # +constrain process transition +( + r1 == r2 -ifdef(`strict_policy',` - constrain process transition - ( - r1 == r2 - - or ( t1 == can_change_process_role and t2 == process_user_target ) - - or ( t1 == cron_source_domain and t2 == cron_job_domain ) - - or ( t1 == can_system_change and r2 == system_r ) + or ( t1 == can_change_process_role and t2 == process_user_target ) - or ( t1 == process_uncond_exempt ) - ); -') + or ( t1 == cron_source_domain and t2 == cron_job_domain ) -ifdef(`targeted_policy',` - constrain process transition - ( - r1 == r2 + or ( t1 == can_system_change and r2 == system_r ) - or t1 == can_change_process_role - ); -') + or ( t1 == process_uncond_exempt ) +); # # SELinux dynamic transition constraint: diff --git a/policy/global_booleans b/policy/global_booleans index 844fc78..111d004 100644 --- a/policy/global_booleans +++ b/policy/global_booleans @@ -4,7 +4,6 @@ # file should be used. # -ifdef(`strict_policy',` ## ##
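Review bot: Only the old strict form of the identity and role constraints survives, so a transition that changes the SELinux user or role is now permitted solely through `process_user_target`, the cron attributes, `can_system_change` or `process_uncond_exempt`; the targeted form, which accepted any `can_change_process_identity` / `can_change_process_role` source regardless of target, is dropped rather than folded in. The Changelog says the policy should behave like targeted when the unconfined module is loaded, which presumably means that module marks its domains `process_uncond_exempt` (or the login targets `process_user_target`) — worth confirming, since otherwise identity changes into unconfined that targeted used to allow will now fail this constraint. If that is the mechanism, a short comment above the first `constrain process transition` recording it would spare the next reader the search, e.g. `# the unconfined module exempts its domains via the attributes below; there is no separate targeted constraint`.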

## Enabling secure mode disallows programs, such as @@ -13,7 +12,6 @@ ifdef(`strict_policy',` ##

##
gen_bool(secure_mode,false) -') ## ##

diff --git a/policy/global_tunables b/policy/global_tunables index 9a44314..7a1d85d 100644 --- a/policy/global_tunables +++ b/policy/global_tunables @@ -4,11 +4,6 @@ # file should be used. # -######################################## -# -# Common tunables -# - ## ##

## Allow making the heap executable. @@ -69,6 +64,15 @@ gen_tunable(global_ssp,false) ## ##

+## Allow email client to various content. +## nfs, samba, removable devices, user temp +## and untrusted content files +##

+##
+gen_tunable(mail_read_content,false) + +## +##

## Allow nfs to be exported read/write. ##

##
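Review bot: The relocated description of `mail_read_content` still lacks its verb — `## Allow email client to various content.` followed by the list of content types reads as a fragment. Since the lines are rewritten on the new side anyway, `## Allow email clients to read various content:` would make the tunable's effect clear to anyone browsing the generated documentation; the other moved descriptions in this file read fine.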
@@ -90,41 +94,26 @@ gen_tunable(read_default_t,false) ## ##

-## Support NFS home directories -##

-##
-gen_tunable(use_nfs_home_dirs,false) - -## -##

-## Support SAMBA home directories +## Allow applications to read untrusted content +## If this is disallowed, Internet content has +## to be manually relabeled for read access to be granted ##

##
-gen_tunable(use_samba_home_dirs,false) - -######################################## -# -# Strict policy specific -# +gen_tunable(read_untrusted_content,false) -ifdef(`strict_policy',` ## ##

-## Allow email client to various content. -## nfs, samba, removable devices, user temp -## and untrusted content files +## Support NFS home directories ##

##
-gen_tunable(mail_read_content,false) +gen_tunable(use_nfs_home_dirs,false) ## ##

-## Allow applications to read untrusted content -## If this is disallowed, Internet content has -## to be manually relabeled for read access to be granted +## Support SAMBA home directories ##

##
-gen_tunable(read_untrusted_content,false) +gen_tunable(use_samba_home_dirs,false) ## ##

@@ -143,4 +132,3 @@ gen_tunable(user_tcp_server,false) ##

##
gen_tunable(write_untrusted_content,false) -') diff --git a/policy/modules/admin/acct.te b/policy/modules/admin/acct.te index 0529bb8..5e34a60 100644 --- a/policy/modules/admin/acct.te +++ b/policy/modules/admin/acct.te @@ -69,12 +69,6 @@ miscfiles_read_localization(acct_t) userdom_dontaudit_search_sysadm_home_dirs(acct_t) userdom_dontaudit_use_unpriv_user_fds(acct_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(acct_t) - term_dontaudit_use_generic_ptys(acct_t) - files_dontaudit_read_root_files(acct_t) -') - optional_policy(` optional_policy(` # for monthly cron job diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te index 15a6c98..5d21443 100644 --- a/policy/modules/admin/apt.te +++ b/policy/modules/admin/apt.te @@ -113,10 +113,6 @@ seutil_use_newrole_fds(apt_t) sysnet_read_config(apt_t) -ifdef(`targeted_policy',` - unconfined_domain(apt_t) -') - # with boolean, for cron-apt and such? #optional_policy(` # cron_system_entry(apt_t,apt_exec_t) @@ -137,3 +133,7 @@ optional_policy(` rpm_read_db(apt_t) rpm_domtrans(apt_t) ') + +optional_policy(` + unconfined_domain(apt_t) +') diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index 308dce2..c93344d 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -174,11 +174,6 @@ ifdef(`distro_redhat',` mount_domtrans(bootloader_t) ') -ifdef(`targeted_policy',` - term_use_unallocated_ttys(bootloader_t) - term_use_generic_ptys(bootloader_t) -') - optional_policy(` fstools_exec(bootloader_t) ') diff --git a/policy/modules/admin/brctl.te b/policy/modules/admin/brctl.te index 133cd2d..98c54b5 100644 --- a/policy/modules/admin/brctl.te +++ b/policy/modules/admin/brctl.te @@ -37,11 +37,6 @@ libs_use_shared_libs(brctl_t) miscfiles_read_localization(brctl_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(brctl_t) - term_dontaudit_use_generic_ptys(brctl_t) -') - optional_policy(` xen_append_log(brctl_t) ') 
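Review bot: `unconfined_domain(apt_t)` now lives in a bare `optional_policy` block, so apt_t is unconfined whenever the unconfined module happens to be loaded, not only in a targeted build; on a mostly confined system that loads the module just to offer the new unconfined role to a few users, the package manager (and everything it spawns) is unconfined as well. The same pattern is introduced in this commit for dpkg_t and dpkg_script_t (dpkg.te), firstboot_t (domtrans, firstboot.te), kudzu_t (kudzu.te), rpm_t and rpm_script_t (rpm.te), ada_t (ada.te) and the su template (su.if). If the coupling is intended, a one-line comment above each such block would save readers a trip to the Changelog, e.g. `# behaves like the old targeted policy whenever the unconfined module is present`. A finer switch — a tunable or an attribute the unconfined module sets — would let administrators keep system daemons confined while still providing an unconfined user role.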
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te index 299f21f..400100d 100644 --- a/policy/modules/admin/consoletype.te +++ b/policy/modules/admin/consoletype.te @@ -10,14 +10,9 @@ type consoletype_t; type consoletype_exec_t; application_executable_file(consoletype_exec_t) init_domain(consoletype_t,consoletype_exec_t) -mls_file_read_all_levels(consoletype_t) -mls_file_write_all_levels(consoletype_t) +init_system_domain(consoletype_t,consoletype_exec_t) role system_r types consoletype_t; -ifdef(`targeted_policy',`',` - init_system_domain(consoletype_t,consoletype_exec_t) -') - ######################################## # # Local declarations @@ -44,6 +39,9 @@ fs_getattr_all_fs(consoletype_t) fs_search_auto_mountpoints(consoletype_t) fs_write_nfs_files(consoletype_t) +mls_file_read_all_levels(consoletype_t) +mls_file_write_all_levels(consoletype_t) + term_use_console(consoletype_t) term_use_unallocated_ttys(consoletype_t) @@ -60,10 +58,6 @@ files_list_usr(consoletype_t) libs_use_ld_so(consoletype_t) libs_use_shared_libs(consoletype_t) -userdom_use_sysadm_terms(consoletype_t) -userdom_use_sysadm_fds(consoletype_t) -userdom_rw_sysadm_pipes(consoletype_t) - ifdef(`distro_redhat',` fs_rw_tmpfs_chr_files(consoletype_t) ') diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if index dc2a3b6..71081a8 100644 --- a/policy/modules/admin/dmesg.if +++ b/policy/modules/admin/dmesg.if 
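Review bot: The last hunk removes `userdom_use_sysadm_terms`, `userdom_use_sysadm_fds` and `userdom_rw_sysadm_pipes` for consoletype_t without an equivalent being added elsewhere in this file, so a confined build loses access that strict granted; if consoletype is still run from a sysadm shell (or from init scripts started there), expect new terminal and fd denials unless userdom now provides this through another interface, which is outside this chunk. The Changelog does not mention the removal, so a short justification in the commit message or a comment at the spot would help.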
@@ -11,26 +11,12 @@ ## # interface(`dmesg_domtrans',` - ifdef(`targeted_policy',` - gen_require(` - type dmesg_exec_t; - ') - - # $0(): disabled in targeted policy as there - # is no dmesg domain. - ',` - gen_require(` - type dmesg_t, dmesg_exec_t; - ') - - corecmd_search_bin($1) - domain_auto_trans($1,dmesg_exec_t,dmesg_t) - - allow $1 dmesg_t:fd use; - allow dmesg_t $1:fd use; - allow dmesg_t $1:fifo_file rw_file_perms; - allow dmesg_t $1:process sigchld; + gen_require(` + type dmesg_t, dmesg_exec_t; ') + + corecmd_search_bin($1) + domtrans_pattern($1, dmesg_exec_t, dmesg_t) ') ######################################## @@ -45,16 +31,10 @@ interface(`dmesg_domtrans',` ## # interface(`dmesg_exec',` - ifdef(`targeted_policy',` - # $0(): the dmesg program is an alias - # of generic bin programs. - corecmd_exec_bin($1) - ',` - gen_require(` - type dmesg_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1,dmesg_exec_t) + gen_require(` + type dmesg_exec_t; ') + + corecmd_search_bin($1) + can_exec($1,dmesg_exec_t) ') diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te index 150feec..7d31ea0 100644 --- a/policy/modules/admin/dmesg.te +++ b/policy/modules/admin/dmesg.te 
@@ -6,69 +6,57 @@ policy_module(dmesg,1.0.0) # Declarations # -ifdef(`strict_policy',` - type dmesg_t; - type dmesg_exec_t; - init_system_domain(dmesg_t,dmesg_exec_t) - role system_r types dmesg_t; -') - -ifdef(`targeted_policy',` - # dmesg domain is disabled in the - # targeted policy. for compatibility - # with strict: - corecmd_bin_alias(dmesg_exec_t) -') +type dmesg_t; +type dmesg_exec_t; +init_system_domain(dmesg_t,dmesg_exec_t) ######################################## # # Local policy # -ifdef(`strict_policy',` - allow dmesg_t self:capability sys_admin; - dontaudit dmesg_t self:capability sys_tty_config; +allow dmesg_t self:capability sys_admin; +dontaudit dmesg_t self:capability sys_tty_config; - allow dmesg_t self:process signal_perms; +allow dmesg_t self:process signal_perms; - kernel_read_kernel_sysctls(dmesg_t) - kernel_read_ring_buffer(dmesg_t) - kernel_clear_ring_buffer(dmesg_t) - kernel_change_ring_buffer_level(dmesg_t) - kernel_list_proc(dmesg_t) - kernel_read_proc_symlinks(dmesg_t) +kernel_read_kernel_sysctls(dmesg_t) +kernel_read_ring_buffer(dmesg_t) +kernel_clear_ring_buffer(dmesg_t) +kernel_change_ring_buffer_level(dmesg_t) +kernel_list_proc(dmesg_t) +kernel_read_proc_symlinks(dmesg_t) - dev_read_sysfs(dmesg_t) +dev_read_sysfs(dmesg_t) - fs_search_auto_mountpoints(dmesg_t) +fs_search_auto_mountpoints(dmesg_t) - term_dontaudit_use_console(dmesg_t) +term_dontaudit_use_console(dmesg_t) - domain_use_interactive_fds(dmesg_t) +domain_use_interactive_fds(dmesg_t) - files_list_etc(dmesg_t) - # for when /usr is not mounted: - files_dontaudit_search_isid_type_dirs(dmesg_t) +files_list_etc(dmesg_t) +# for when /usr is not mounted: +files_dontaudit_search_isid_type_dirs(dmesg_t) - init_use_fds(dmesg_t) - init_use_script_ptys(dmesg_t) +init_use_fds(dmesg_t) +init_use_script_ptys(dmesg_t) - libs_use_ld_so(dmesg_t) - libs_use_shared_libs(dmesg_t) +libs_use_ld_so(dmesg_t) +libs_use_shared_libs(dmesg_t) - logging_send_syslog_msg(dmesg_t) - 
logging_write_generic_logs(dmesg_t) +logging_send_syslog_msg(dmesg_t) +logging_write_generic_logs(dmesg_t) - miscfiles_read_localization(dmesg_t) +miscfiles_read_localization(dmesg_t) - userdom_use_sysadm_terms(dmesg_t) - userdom_dontaudit_use_unpriv_user_fds(dmesg_t) +userdom_use_sysadm_terms(dmesg_t) +userdom_dontaudit_use_unpriv_user_fds(dmesg_t) - optional_policy(` - seutil_sigchld_newrole(dmesg_t) - ') +optional_policy(` + seutil_sigchld_newrole(dmesg_t) +') - optional_policy(` - udev_read_db(dmesg_t) - ') +optional_policy(` + udev_read_db(dmesg_t) ') diff --git a/policy/modules/admin/dmidecode.te b/policy/modules/admin/dmidecode.te index e7f5a84..1e170fc 100644 --- a/policy/modules/admin/dmidecode.te +++ b/policy/modules/admin/dmidecode.te @@ -31,8 +31,3 @@ libs_use_ld_so(dmidecode_t) libs_use_shared_libs(dmidecode_t) locallogin_use_fds(dmidecode_t) - -ifdef(`targeted_policy',` - term_use_generic_ptys(dmidecode_t) - term_use_unallocated_ttys(dmidecode_t) -') diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te index 170bb4f..829e211 100644 --- a/policy/modules/admin/dpkg.te +++ b/policy/modules/admin/dpkg.te @@ -172,10 +172,6 @@ dpkg_domtrans_script(dpkg_t) # since the scripts aren't labeled correctly yet... allow dpkg_t dpkg_var_lib_t:file execute; -ifdef(`targeted_policy',` - unconfined_domain(dpkg_t) -') - # TODO: allow? #optional_policy(` # cron_system_entry(dpkg_t,dpkg_exec_t) @@ -185,6 +181,10 @@ optional_policy(` nis_use_ypbind(dpkg_t) ') +optional_policy(` + unconfined_domain(dpkg_t) +') + # TODO: the following was copied from dpkg_script_t, and could probably # be removed again when dpkg_script_t is actually used... domain_signal_all_domains(dpkg_t) 
@@ -309,23 +309,15 @@ seutil_domtrans_setfiles(dpkg_script_t) userdom_use_all_users_fds(dpkg_script_t) -ifdef(`distro_redhat',` - unconfined_domain(dpkg_script_t) -') - -ifdef(`targeted_policy',` - unconfined_domain(dpkg_script_t) -',` - optional_policy(` - bootloader_domtrans(dpkg_script_t) - ') -') - tunable_policy(`allow_execmem',` allow dpkg_script_t self:process execmem; ') optional_policy(` + bootloader_domtrans(dpkg_script_t) +') + +optional_policy(` mta_send_mail(dpkg_script_t) ') @@ -334,6 +326,10 @@ optional_policy(` ') optional_policy(` + unconfined_domain(dpkg_script_t) +') + +optional_policy(` usermanage_domtrans_groupadd(dpkg_script_t) usermanage_domtrans_useradd(dpkg_script_t) ') diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te index abde741..c61592b 100644 --- a/policy/modules/admin/firstboot.te +++ b/policy/modules/admin/firstboot.te @@ -96,10 +96,6 @@ userdom_manage_generic_user_home_content_sockets(firstboot_t) userdom_home_filetrans_generic_user_home_dir(firstboot_t) userdom_generic_user_home_dir_filetrans_generic_user_home_content(firstboot_t,{ dir file lnk_file fifo_file sock_file }) -ifdef(`targeted_policy',` - unconfined_domtrans(firstboot_t) -') - optional_policy(` hal_dbus_chat(firstboot_t) ') @@ -113,6 +109,10 @@ optional_policy(` ') optional_policy(` + unconfined_domtrans(firstboot_t) +') + +optional_policy(` usermanage_domtrans_chfn(firstboot_t) usermanage_domtrans_groupadd(firstboot_t) usermanage_domtrans_passwd(firstboot_t) diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te index fb51cb3..a996043 100644 --- a/policy/modules/admin/kudzu.te +++ b/policy/modules/admin/kudzu.te 
@@ -125,19 +125,6 @@ sysnet_read_config(kudzu_t) userdom_search_sysadm_home_dirs(kudzu_t) userdom_dontaudit_use_unpriv_user_fds(kudzu_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(kudzu_t) - term_dontaudit_use_generic_ptys(kudzu_t) - files_dontaudit_read_root_files(kudzu_t) - - # cjp: this was originally in the else block - # of ifdef userhelper.te, but it seems to - # make more sense here. also, require - # blocks curently do not work in the - # else block of optionals - unconfined_domain(kudzu_t) -') - optional_policy(` gpm_getattr_gpmctl(kudzu_t) ') @@ -154,6 +141,15 @@ optional_policy(` udev_read_db(kudzu_t) ') +optional_policy(` + # cjp: this was originally in the else block + # of ifdef userhelper.te, but it seems to + # make more sense here. also, require + # blocks curently do not work in the + # else block of optionals + unconfined_domain(kudzu_t) +') + ifdef(`TODO',` allow kudzu_t modules_conf_t:file unlink; optional_policy(` diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te index 4128ad5..b02a0d3 100644 --- a/policy/modules/admin/mrtg.te +++ b/policy/modules/admin/mrtg.te @@ -126,12 +126,6 @@ ifdef(`distro_redhat',` filetrans_pattern(mrtg_t,mrtg_etc_t,mrtg_lock_t,file) ') -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(mrtg_t) - term_dontaudit_use_generic_ptys(mrtg_t) - files_dontaudit_read_root_files(mrtg_t) -') - optional_policy(` apache_manage_sys_content(mrtg_t) ') diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index e8915d4..985d957 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -6,14 +6,12 @@ policy_module(netutils,1.5.0) # Declarations # -ifdef(`strict_policy',` ## ##
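Review bot: The comment moved into the new `optional_policy` block for kudzu_t still reads `# blocks curently do not work in the`; as the lines are rewritten on the new side, fixing it to `# blocks currently do not work in the` costs nothing. The comment also still explains a placement decision relative to the targeted `ifdef` that this commit removes, so a brief update saying why `unconfined_domain(kudzu_t)` now sits in its own optional block would keep it accurate.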

## Control users use of ping and traceroute ##

##
gen_tunable(user_ping,false) -') type netutils_t; type netutils_exec_t; @@ -91,11 +89,6 @@ sysnet_read_config(netutils_t) userdom_use_all_users_fds(netutils_t) -ifdef(`targeted_policy',` - term_use_generic_ptys(netutils_t) - term_use_unallocated_ttys(netutils_t) -') - optional_policy(` nis_use_ypbind(netutils_t) ') @@ -144,16 +137,9 @@ ifdef(`hide_broken_symptoms',` init_dontaudit_use_fds(ping_t) ') -ifdef(`targeted_policy',` - term_use_unallocated_ttys(ping_t) - term_use_generic_ptys(ping_t) +tunable_policy(`user_ping',` term_use_all_user_ttys(ping_t) term_use_all_user_ptys(ping_t) -',` - tunable_policy(`user_ping',` - term_use_all_user_ttys(ping_t) - term_use_all_user_ptys(ping_t) - ') ') optional_policy(` @@ -228,14 +214,9 @@ files_read_usr_files(traceroute_t) sysnet_read_config(traceroute_t) -ifdef(`targeted_policy',` - term_use_unallocated_ttys(traceroute_t) - term_use_generic_ptys(traceroute_t) -',` - tunable_policy(`user_ping',` - term_use_all_user_ttys(traceroute_t) - term_use_all_user_ptys(traceroute_t) - ') +tunable_policy(`user_ping',` + term_use_all_user_ttys(traceroute_t) + term_use_all_user_ptys(traceroute_t) ') optional_policy(` diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te index 30c9dd0..e99dc8c 100644 --- a/policy/modules/admin/portage.te +++ b/policy/modules/admin/portage.te @@ -104,7 +104,6 @@ libs_use_shared_libs(gcc_config_t) libs_read_lib_files(gcc_config_t) libs_domtrans_ldconfig(gcc_config_t) libs_manage_shared_libs(gcc_config_t) -lib_filetrans_shared_lib(gcc_config_t,file) # gcc-config creates a temp dir for the libs libs_manage_lib_dirs(gcc_config_t) diff --git a/policy/modules/admin/prelink.if b/policy/modules/admin/prelink.if index 78151ee..cd667b6 100644 --- a/policy/modules/admin/prelink.if +++ b/policy/modules/admin/prelink.if 
@@ -21,6 +21,37 @@ interface(`prelink_domtrans',` ######################################## ## +## Execute the prelink program in the prelink domain. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to allow the prelink domain. +## +## +## +## +## The type of the terminal allow the prelink domain to use. +## +## +## +# +interface(`prelink_run',` + gen_require(` + type prelink_t; + ') + + prelink_domtrans($1) + role $2 types prelink_t; + allow prelink_t $3:chr_file rw_term_perms; +') + +######################################## +## ## Make the specified file type prelinkable. ## ## diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te index 1a8d3f2..039d92f 100644 --- a/policy/modules/admin/prelink.te +++ b/policy/modules/admin/prelink.te @@ -77,23 +77,10 @@ libs_relabel_ld_so(prelink_t) libs_use_shared_libs(prelink_t) libs_manage_shared_libs(prelink_t) libs_relabel_shared_libs(prelink_t) -libs_use_lib_files(prelink_t) -libs_manage_lib_files(prelink_t) -libs_relabel_lib_files(prelink_t) libs_delete_lib_symlinks(prelink_t) miscfiles_read_localization(prelink_t) -ifdef(`targeted_policy',` - term_use_unallocated_ttys(prelink_t) - term_use_generic_ptys(prelink_t) - - # prelink executables in the user homedir - userdom_manage_generic_user_home_content_files(prelink_t) - userdom_mmap_generic_user_home_content_files(prelink_t) - userdom_dontaudit_relabel_generic_user_home_content_files(prelink_t) -') - optional_policy(` amanda_manage_lib(prelink_t) ') diff --git a/policy/modules/admin/quota.te b/policy/modules/admin/quota.te index c52b0d2..57b4f4c 100644 --- a/policy/modules/admin/quota.te +++ b/policy/modules/admin/quota.te 
@@ -77,12 +77,6 @@ logging_send_syslog_msg(quota_t) userdom_dontaudit_use_unpriv_user_fds(quota_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(quota_t) - term_dontaudit_use_generic_ptys(quota_t) - files_dontaudit_read_root_files(quota_t) -') - optional_policy(` seutil_sigchld_newrole(quota_t) ') diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te index beccc8a..db35cc4 100644 --- a/policy/modules/admin/readahead.te +++ b/policy/modules/admin/readahead.te @@ -81,12 +81,6 @@ miscfiles_read_localization(readahead_t) userdom_dontaudit_use_unpriv_user_fds(readahead_t) userdom_dontaudit_search_sysadm_home_dirs(readahead_t) -ifdef(`targeted_policy',` - files_dontaudit_read_root_files(readahead_t) - term_dontaudit_use_unallocated_ttys(readahead_t) - term_dontaudit_use_generic_ptys(readahead_t) -') - optional_policy(` cron_system_entry(readahead_t, readahead_exec_t) ') diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te index 762f519..56574ff 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te @@ -71,6 +71,9 @@ allow rpm_t self:msg { send receive }; allow rpm_t self:dir search; allow rpm_t self:file rw_file_perms;; +allow rpm_t rpm_log_t:file manage_file_perms; +logging_log_filetrans(rpm_t,rpm_log_t,file) + manage_dirs_pattern(rpm_t,rpm_tmp_t,rpm_tmp_t) manage_files_pattern(rpm_t,rpm_tmp_t,rpm_tmp_t) files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir }) 
@@ -172,22 +175,6 @@ sysnet_read_config(rpm_t) userdom_use_unpriv_users_fds(rpm_t) -ifdef(`distro_redhat',` - unconfined_domain(rpm_t) -') - -ifdef(`targeted_policy',` - unconfined_domain(rpm_t) - # yum-updatesd requires this - unconfined_dbus_chat(rpm_t) -',` - # cjp: these are here to stop type_transition - # conflicts since rpm_t is an alias of - # unconfined in the targeted policy - allow rpm_t rpm_log_t:file manage_file_perms; - logging_log_filetrans(rpm_t,rpm_log_t,file) -') - optional_policy(` cron_system_entry(rpm_t,rpm_exec_t) ') @@ -204,6 +191,12 @@ optional_policy(` prelink_domtrans(rpm_t) ') +optional_policy(` + unconfined_domain(rpm_t) + # yum-updatesd requires this + unconfined_dbus_chat(rpm_t) +') + ifdef(`TODO',` # read/write/create any files in the system dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr; @@ -332,26 +325,6 @@ seutil_domtrans_semanage(rpm_script_t) userdom_use_all_users_fds(rpm_script_t) ifdef(`distro_redhat',` - unconfined_domain(rpm_script_t) -') - -ifdef(`targeted_policy',` - unconfined_domain(rpm_script_t) - - optional_policy(` - java_domtrans(rpm_script_t) - ') - - optional_policy(` - mono_domtrans(rpm_script_t) - ') - - optional_policy(` - unconfined_domtrans(rpm_script_t) - ') -') - -ifdef(`distro_redhat',` optional_policy(` mta_send_mail(rpm_script_t) ') @@ -375,6 +348,19 @@ optional_policy(` ') optional_policy(` + unconfined_domain(rpm_script_t) + unconfined_domtrans(rpm_script_t) + + optional_policy(` + java_domtrans(rpm_script_t) + ') + + optional_policy(` + mono_domtrans(rpm_script_t) + ') +') + +optional_policy(` usermanage_domtrans_groupadd(rpm_script_t) usermanage_domtrans_useradd(rpm_script_t) ') diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if index 6c337fa..28c5785 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if 
@@ -254,35 +254,20 @@ template(`su_per_role_template',` seutil_read_config($1_su_t) seutil_read_default_contexts($1_su_t) - ifdef(`strict_policy',` - if(secure_mode) { - # Only allow transitions to unprivileged user domains. - userdom_spec_domtrans_unpriv_users($1_su_t) - } else { - # Allow transitions to all user domains - userdom_spec_domtrans_all_users($1_su_t) - } - ') - - ifdef(`targeted_policy',` + if(secure_mode) { + # Only allow transitions to unprivileged user domains. + userdom_spec_domtrans_unpriv_users($1_su_t) + } else { + # Allow transitions to all user domains + userdom_spec_domtrans_all_users($1_su_t) + } + + optional_policy(` unconfined_domtrans($1_su_t) unconfined_signal($1_su_t) ') ') - ifdef(`targeted_policy',` - # allow user to suspend terminal. - # does not work in strict since the - # parent may not be able to use - # the terminal if we newrole, - # which relabels the terminal. - allow $1_su_t self:process sigstop; - - corecmd_exec_bin($1_su_t) - userdom_manage_all_users_home_content_files($1_su_t) - userdom_manage_all_users_home_content_symlinks($1_su_t) - ') - tunable_policy(`allow_polyinstantiation',` fs_mount_xattr_fs($1_su_t) fs_unmount_xattr_fs($1_su_t) diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te index 165f240..2447b25 100644 --- a/policy/modules/admin/sxid.te +++ b/policy/modules/admin/sxid.te @@ -88,12 +88,6 @@ userdom_dontaudit_use_unpriv_user_fds(sxid_t) cron_system_entry(sxid_t,sxid_exec_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(sxid_t) - term_dontaudit_use_generic_ptys(sxid_t) - files_dontaudit_read_root_files(sxid_t) -') - optional_policy(` mta_send_mail(sxid_t) ') diff --git a/policy/modules/admin/tzdata.if b/policy/modules/admin/tzdata.if index af803bf..747bf4a 100644 --- a/policy/modules/admin/tzdata.if +++ b/policy/modules/admin/tzdata.if 
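Review bot: The new `optional_policy` block holding `unconfined_domtrans($1_su_t)` sits outside the `if(secure_mode)` conditional, so with the unconfined module loaded su can still transition to unconfined_t while secure_mode is on, even though the conditional's own comment says secure_mode should only allow transitions to unprivileged user domains. Either move the unconfined transition under the `else` branch, if a conditional domain transition is acceptable here, or document the gap, e.g. `# secure_mode does not restrict this path: unconfined is reachable whenever the module is loaded`. Separately, the targeted-only `sigstop`, `corecmd_exec_bin` and home-content rules are dropped entirely rather than moved under the unconfined block, so systems relying on targeted behaviour lose them; if that is intended, the Changelog entry should say so. `su_per_role_template` starts and ends outside the hunk.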
@@ -17,3 +17,34 @@ interface(`tzdata_domtrans',` domtrans_pattern($1,tzdata_exec_t,tzdata_t) ') + +######################################## +## +## Execute the tzdata program in the tzdata domain. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to allow the tzdata domain. +## +## +## +## +## The type of the terminal allow the tzdata domain to use. +## +## +## +# +interface(`tzdata_run',` + gen_require(` + type tzdata_t; + ') + + tzdata_domtrans($1) + role $2 types tzdata_t; + allow tzdata_t $3:chr_file rw_term_perms; +') diff --git a/policy/modules/admin/tzdata.te b/policy/modules/admin/tzdata.te index a1a0e24..7ea6af7 100644 --- a/policy/modules/admin/tzdata.te +++ b/policy/modules/admin/tzdata.te @@ -30,11 +30,6 @@ miscfiles_read_localization(tzdata_t) miscfiles_manage_localization(tzdata_t) miscfiles_etc_filetrans_localization(tzdata_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(tzdata_t) - term_dontaudit_use_generic_ptys(tzdata_t) -') - # tzdata looks for /var/spool/postfix/etc/localtime. optional_policy(` postfix_search_spool(tzdata_t) diff --git a/policy/modules/admin/updfstab.te b/policy/modules/admin/updfstab.te index df44c1f..2750893 100644 --- a/policy/modules/admin/updfstab.te +++ b/policy/modules/admin/updfstab.te @@ -79,16 +79,9 @@ seutil_read_config(updfstab_t) seutil_read_default_contexts(updfstab_t) seutil_read_file_contexts(updfstab_t) -userdom_use_sysadm_ttys(updfstab_t) userdom_dontaudit_search_all_users_home_content(updfstab_t) userdom_dontaudit_use_unpriv_user_fds(updfstab_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(updfstab_t) - term_dontaudit_use_generic_ptys(updfstab_t) - files_dontaudit_read_root_files(updfstab_t) -') - optional_policy(` auth_domtrans_pam_console(updfstab_t) ') diff --git a/policy/modules/apps/ada.fc b/policy/modules/apps/ada.fc index 01a8572..e802ed5 100644 --- a/policy/modules/apps/ada.fc +++ b/policy/modules/apps/ada.fc 
@@ -1,9 +1,7 @@ # # /usr # -ifdef(`targeted_policy',` /usr/bin/gnatbind -- gen_context(system_u:object_r:ada_exec_t,s0) /usr/bin/gnatls -- gen_context(system_u:object_r:ada_exec_t,s0) /usr/bin/gnatmake -- gen_context(system_u:object_r:ada_exec_t,s0) /usr/libexec/gcc(/.*)?/gnat1 -- gen_context(system_u:object_r:ada_exec_t,s0) -') diff --git a/policy/modules/apps/ada.if b/policy/modules/apps/ada.if index 2c1c44f..348c348 100644 --- a/policy/modules/apps/ada.if +++ b/policy/modules/apps/ada.if @@ -11,16 +11,12 @@ ## # interface(`ada_domtrans',` - ifdef(`targeted_policy',` - gen_require(` - type ada_t, ada_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ada_exec_t, ada_t) - ',` - refpolicywarn(`$0($1) has no effect in strict policy.') + gen_require(` + type ada_t, ada_exec_t; ') + + corecmd_search_bin($1) + domtrans_pattern($1, ada_exec_t, ada_t) ') ######################################## @@ -30,7 +26,7 @@ interface(`ada_domtrans',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -45,15 +41,11 @@ interface(`ada_domtrans',` ## # interface(`ada_run',` - ifdef(`targeted_policy',` - gen_require(` - type ada_t; - ') - - ada_domtrans($1) - role $2 types ada_t; - allow ada_t $3:chr_file rw_term_perms; - ',` - refpolicywarn(`$0($1) has no effect in strict policy.') + gen_require(` + type ada_t; ') + + ada_domtrans($1) + role $2 types ada_t; + allow ada_t $3:chr_file rw_term_perms; ') diff --git a/policy/modules/apps/ada.te b/policy/modules/apps/ada.te index 7628b8b..a629215 100644 --- a/policy/modules/apps/ada.te +++ b/policy/modules/apps/ada.te 
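Review bot: With the `ifdef(`targeted_policy'...)` guard gone, the gnat binaries are labeled `ada_exec_t` in every build, including confined ones where they were previously generic bin files. Confined user domains reach that type only through `ada_domtrans` / `ada_run` (ada.if, same commit), so unless the user role templates call one of them, `gnatmake` and friends stop being executable for confined users after a relabel — worth checking against the userdom templates, which are outside this chunk. ada.te in the same commit also grants `execstack execmem` to ada_t unconditionally rather than only alongside the unconfined module; a comment there stating why the Ada toolchain needs them in a confined build would justify the broader grant.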
@@ -9,14 +9,15 @@ policy_module(ada,1.1.0) type ada_t; type ada_exec_t; application_domain(ada_t,ada_exec_t) +role system_r types ada_t; ######################################## # # Local policy # -ifdef(`targeted_policy',` - allow ada_t self:process { execstack execmem }; +allow ada_t self:process { execstack execmem }; + +optional_policy(` unconfined_domain_noaudit(ada_t) - role system_r types ada_t; ') diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te index 90d9e84..0af2bf6 100644 --- a/policy/modules/apps/cdrecord.te +++ b/policy/modules/apps/cdrecord.te @@ -6,7 +6,6 @@ policy_module(cdrecord,1.3.0) # Declarations # -ifdef(`strict_policy',` ## ##
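Review bot: `allow ada_t self:process { execstack execmem };` is now granted in every build, whereas before it existed only in the targeted policy where ada_t was also unconfined. In a build without the unconfined module, the local policy visible in this hunk gives ada_t nothing beyond that rule and `application_domain`, so a caller using the now-unconditional `ada_domtrans` presumably lands in a domain with no library or file access and fails closed; if that is the intended outcome, a comment saying so would help. The same pattern appears in java.te and mono.te, which likewise make the execmem/execheap rules unconditional while only the `unconfined_*` calls move into `optional_policy`. If the memory-execution permissions are only useful together with the unconfined rules they belong inside that same `optional_policy` block; otherwise document why GNAT needs them, as java.te already does for execheap.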

## Allow cdrecord to read various content. @@ -15,7 +14,6 @@ ifdef(`strict_policy',` ##

##
gen_tunable(cdrecord_read_content,false) -') type cdrecord_exec_t; application_executable_file(cdrecord_exec_t) diff --git a/policy/modules/apps/ethereal.fc b/policy/modules/apps/ethereal.fc index 12ae276..7204fe2 100644 --- a/policy/modules/apps/ethereal.fc +++ b/policy/modules/apps/ethereal.fc @@ -1,7 +1,4 @@ +HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:ROLE_ethereal_home_t,s0) /usr/sbin/ethereal.* -- gen_context(system_u:object_r:ethereal_exec_t,s0) /usr/sbin/tethereal.* -- gen_context(system_u:object_r:tethereal_exec_t,s0) - -ifdef(`strict_policy',` -HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:ROLE_ethereal_home_t,s0) -') diff --git a/policy/modules/apps/evolution.fc b/policy/modules/apps/evolution.fc index 4399a1a..1b425f4 100644 --- a/policy/modules/apps/evolution.fc +++ b/policy/modules/apps/evolution.fc @@ -1,10 +1,14 @@ +# +# HOME_DIR/ +# + +HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:ROLE_evolution_home_t,s0) +HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:ROLE_evolution_home_t,s0) # # /tmp # -ifdef(`strict_policy',` /tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:ROLE_evolution_exchange_tmp_t,s0) -') # # /usr @@ -15,8 +19,3 @@ ifdef(`strict_policy',` /usr/libexec/evolution/.*evolution-exchange-storage.* -- gen_context(system_u:object_r:evolution_exchange_exec_t,s0) /usr/libexec/evolution-data-server.* -- gen_context(system_u:object_r:evolution_server_exec_t,s0) /usr/libexec/evolution-webcal.* -- gen_context(system_u:object_r:evolution_webcal_exec_t,s0) - -ifdef(`strict_policy',` -HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:ROLE_evolution_home_t,s0) -HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:ROLE_evolution_home_t,s0) -') diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te index 75d96a4..c8f7a05 100644 --- a/policy/modules/apps/games.te +++ b/policy/modules/apps/games.te 
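Review bot: `HOME_DIR/\.ethereal(/.*)? ... ROLE_ethereal_home_t` is now emitted unconditionally, but a `ROLE_*` entry is only valid for the roles whose per-role template instantiates that type. This commit also declares a new `unconfined_r` role in kernel.te, and as far as I can tell genhomedircon will expand `ROLE` for that role too, so unless an `unconfined_ethereal_home_t` exists the generated home-directory contexts will reference an undefined type. The same applies to the HOME_DIR lines made unconditional in evolution.fc, gift.fc, gnome.fc, gpg.fc, irc.fc, mozilla.fc, mplayer.fc, screen.fc, thunderbird.fc, uml.fc, vmware.fc and apache.fc. Please confirm how home-directory entries for the unconfined role are handled, or note it in the Changelog.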
@@ -60,12 +60,6 @@ miscfiles_read_localization(games_t) userdom_dontaudit_use_unpriv_user_fds(games_t) userdom_dontaudit_search_sysadm_home_dirs(games_t) -ifdef(`targeted_policy', ` - term_dontaudit_use_unallocated_ttys(games_t) - term_dontaudit_use_generic_ptys(games_t) - files_dontaudit_read_root_files(games_t) -') - optional_policy(` seutil_sigchld_newrole(games_t) ') diff --git a/policy/modules/apps/gift.fc b/policy/modules/apps/gift.fc index 09d6a60..2c2a01a 100644 --- a/policy/modules/apps/gift.fc +++ b/policy/modules/apps/gift.fc @@ -1,8 +1,6 @@ +HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:ROLE_gift_home_t,s0) + /usr/(local/)?bin/apollon -- gen_context(system_u:object_r:gift_exec_t,s0) /usr/(local/)?bin/giftd -- gen_context(system_u:object_r:giftd_exec_t,s0) /usr/(local/)?bin/giftui -- gen_context(system_u:object_r:gift_exec_t,s0) /usr/(local/)?bin/giFToxic -- gen_context(system_u:object_r:gift_exec_t,s0) - -ifdef(`strict_policy',` -HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:ROLE_gift_home_t,s0) -') diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc index c812095..e5f5f1c 100644 --- a/policy/modules/apps/gnome.fc +++ b/policy/modules/apps/gnome.fc @@ -1,11 +1,8 @@ HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:ROLE_gnome_home_t,s0) +HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:ROLE_gconf_home_t,s0) /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) -/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) - -ifdef(`strict_policy',` -HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:ROLE_gconf_home_t,s0) - /tmp/gconfd-USER/.* -- gen_context(system_u:object_r:ROLE_gconf_tmp_t,s0) -') + +/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) diff --git a/policy/modules/apps/gpg.fc b/policy/modules/apps/gpg.fc index 78f8a10..0c5dc94 100644 --- a/policy/modules/apps/gpg.fc +++ b/policy/modules/apps/gpg.fc 
@@ -1,3 +1,4 @@ +HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:ROLE_gpg_secret_t,s0) /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) @@ -6,7 +7,3 @@ /usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) - -ifdef(`targeted_policy',`',` -HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:ROLE_gpg_secret_t,s0) -') diff --git a/policy/modules/apps/irc.fc b/policy/modules/apps/irc.fc index 4a2c7c7..618588c 100644 --- a/policy/modules/apps/irc.fc +++ b/policy/modules/apps/irc.fc @@ -1,9 +1,7 @@ # # /home # -ifdef(`strict_policy',` HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:ROLE_irc_home_t,s0) -') # # /usr diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if index a2c4011..cb557b0 100644 --- a/policy/modules/apps/java.if +++ b/policy/modules/apps/java.if @@ -151,7 +151,6 @@ template(`java_per_role_template',` libs_legacy_use_shared_libs($1_javaplugin_t) libs_legacy_use_ld_so($1_javaplugin_t) - libs_use_lib_files($1_javaplugin_t) miscfiles_legacy_read_localization($1_javaplugin_t) ') @@ -213,14 +212,10 @@ template(`java_domtrans_user_javaplugin',` ## # interface(`java_domtrans',` - ifdef(`targeted_policy',` - gen_require(` - type java_t, java_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, java_exec_t, java_t) - ',` - refpolicywarn(`$0($1) has no effect in strict policy.') + gen_require(` + type java_t, java_exec_t; ') + + corecmd_search_bin($1) + domtrans_pattern($1, java_exec_t, java_t) ') diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te index a00de9b..921c45a 100644 --- a/policy/modules/apps/java.te +++ b/policy/modules/apps/java.te 
@@ -22,13 +22,12 @@ init_system_domain(java_t,java_exec_t) # Local policy # -ifdef(`targeted_policy',` - # execheap is needed for itanium/BEA jrocket - allow java_t self:process { execstack execmem execheap }; - role system_r types java_t; +# execheap is needed for itanium/BEA jrocket +allow java_t self:process { execstack execmem execheap }; - init_dbus_chat_script(java_t) +init_dbus_chat_script(java_t) +optional_policy(` unconfined_domain_noaudit(java_t) unconfined_dbus_chat(java_t) ') diff --git a/policy/modules/apps/loadkeys.if b/policy/modules/apps/loadkeys.if index 8515073..758d1c1 100644 --- a/policy/modules/apps/loadkeys.if +++ b/policy/modules/apps/loadkeys.if @@ -11,16 +11,12 @@ ## # interface(`loadkeys_domtrans',` - ifdef(`strict_policy',` - gen_require(` - type loadkeys_t, loadkeys_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, loadkeys_exec_t, loadkeys_t) - ',` - refpolicywarn(`$0($*) has no effect in targeted policy.') + gen_require(` + type loadkeys_t, loadkeys_exec_t; ') + + corecmd_search_bin($1) + domtrans_pattern($1, loadkeys_exec_t, loadkeys_t) ') ######################################## @@ -45,18 +41,13 @@ interface(`loadkeys_domtrans',` ## # interface(`loadkeys_run',` - ifdef(`targeted_policy',` - # $0(): disabled in targeted policy as there - # is no loadkeys domain. - ',` - gen_require(` - type loadkeys_t; - ') - - loadkeys_domtrans($1) - role $2 types loadkeys_t; - allow loadkeys_t $3:chr_file rw_term_perms; + gen_require(` + type loadkeys_t; ') + + loadkeys_domtrans($1) + role $2 types loadkeys_t; + allow loadkeys_t $3:chr_file rw_term_perms; ') ######################################## 
@@ -70,15 +61,9 @@ interface(`loadkeys_run',` ## # interface(`loadkeys_exec',` - ifdef(`targeted_policy',` - # $0(): the loadkeys program is an alias - # of generic bin programs. - corecmd_exec_bin($1) - ',` - gen_require(` - type loadkeys_exec_t; - ') - - can_exec($1,loadkeys_exec_t) + gen_require(` + type loadkeys_exec_t; ') + + can_exec($1,loadkeys_exec_t) ') diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te index 88eabb3..cf73ab1 100644 --- a/policy/modules/apps/loadkeys.te +++ b/policy/modules/apps/loadkeys.te 
@@ -6,51 +6,41 @@ policy_module(loadkeys,1.2.0) # Declarations # -ifdef(`targeted_policy',` - # for compatibility with strict: - corecmd_bin_alias(loadkeys_exec_t) -',` - # cjp: this should probably be rewritten - # per user domain, since it can rw - # all user domain ttys - - type loadkeys_t; - type loadkeys_exec_t; - init_system_domain(loadkeys_t,loadkeys_exec_t) -') +# cjp: this should probably be rewritten +# per user domain, since it can rw +# all user domain ttys +type loadkeys_t; +type loadkeys_exec_t; +init_system_domain(loadkeys_t,loadkeys_exec_t) ######################################## # # Local policy # -ifdef(`targeted_policy',` - # loadkeys domain disabled in targeted policy -',` - allow loadkeys_t self:capability { dac_override dac_read_search setuid sys_tty_config }; - allow loadkeys_t self:fifo_file rw_fifo_file_perms; +allow loadkeys_t self:capability { dac_override dac_read_search setuid sys_tty_config }; +allow loadkeys_t self:fifo_file rw_fifo_file_perms; - kernel_read_system_state(loadkeys_t) +kernel_read_system_state(loadkeys_t) - corecmd_exec_bin(loadkeys_t) - corecmd_exec_shell(loadkeys_t) +corecmd_exec_bin(loadkeys_t) +corecmd_exec_shell(loadkeys_t) - files_read_etc_files(loadkeys_t) - files_read_etc_runtime_files(loadkeys_t) +files_read_etc_files(loadkeys_t) +files_read_etc_runtime_files(loadkeys_t) - term_dontaudit_use_console(loadkeys_t) - term_use_unallocated_ttys(loadkeys_t) +term_dontaudit_use_console(loadkeys_t) +term_use_unallocated_ttys(loadkeys_t) - init_dontaudit_use_script_ptys(loadkeys_t) +init_dontaudit_use_script_ptys(loadkeys_t) - libs_use_ld_so(loadkeys_t) - libs_use_shared_libs(loadkeys_t) +libs_use_ld_so(loadkeys_t) +libs_use_shared_libs(loadkeys_t) - locallogin_use_fds(loadkeys_t) +locallogin_use_fds(loadkeys_t) - miscfiles_read_localization(loadkeys_t) +miscfiles_read_localization(loadkeys_t) - optional_policy(` - nscd_dontaudit_search_pid(loadkeys_t) - ') +optional_policy(` + nscd_dontaudit_search_pid(loadkeys_t) ') 
diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te index 9072bee..034dd6a 100644 --- a/policy/modules/apps/mono.te +++ b/policy/modules/apps/mono.te @@ -15,37 +15,34 @@ init_system_domain(mono_t,mono_exec_t) # Local policy # -ifdef(`targeted_policy',` - allow mono_t self:process { execheap execmem }; +allow mono_t self:process { execheap execmem }; - unconfined_domain_noaudit(mono_t) - unconfined_dbus_chat(mono_t) - - userdom_generic_user_home_dir_filetrans_generic_user_home_content(mono_t,{ dir file lnk_file fifo_file sock_file }) +userdom_generic_user_home_dir_filetrans_generic_user_home_content(mono_t,{ dir file lnk_file fifo_file sock_file }) - init_dbus_chat_script(mono_t) +init_dbus_chat_script(mono_t) - optional_policy(` - avahi_dbus_chat(mono_t) - ') +optional_policy(` + avahi_dbus_chat(mono_t) +') - optional_policy(` - cups_dbus_chat(mono_t) - ') +optional_policy(` + cups_dbus_chat(mono_t) +') - optional_policy(` - hal_dbus_chat(mono_t) - ') +optional_policy(` + hal_dbus_chat(mono_t) +') - optional_policy(` - networkmanager_dbus_chat(mono_t) - ') +optional_policy(` + networkmanager_dbus_chat(mono_t) +') - optional_policy(` - rpm_dbus_chat(mono_t) - ') +optional_policy(` + rpm_dbus_chat(mono_t) +') - optional_policy(` - unconfined_dbus_connect(mono_t) - ') +optional_policy(` + unconfined_domain_noaudit(mono_t) + unconfined_dbus_chat(mono_t) + unconfined_dbus_connect(mono_t) ') diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc index 7218f9f..99f54ca 100644 --- a/policy/modules/apps/mozilla.fc +++ b/policy/modules/apps/mozilla.fc 
@@ -1,3 +1,9 @@ +HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) +HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) +HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) +HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) +HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) + # # /bin # @@ -23,12 +29,3 @@ /usr/lib(64)?/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/lib(64)?/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) - -# netscape/mozilla -ifdef(`strict_policy',` -HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) -HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) -HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) -HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) -HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) -') diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if index 2450078..558208a 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -173,7 +173,6 @@ template(`mozilla_per_role_template',` term_dontaudit_getattr_pty_dirs($1_mozilla_t) libs_use_ld_so($1_mozilla_t) - libs_use_lib_files($1_mozilla_t) libs_use_shared_libs($1_mozilla_t) logging_send_syslog_msg($1_mozilla_t) diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te index 4d2b991..a3a29f6 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -6,14 +6,12 @@ policy_module(mozilla,1.4.0) # Declarations # -ifdef(`strict_policy',` ## ##

## Control mozilla content access ##

##
gen_tunable(mozilla_read_content,false) -') type mozilla_conf_t; files_config_file(mozilla_conf_t) diff --git a/policy/modules/apps/mplayer.fc b/policy/modules/apps/mplayer.fc index 4806b64..ffef8be 100644 --- a/policy/modules/apps/mplayer.fc +++ b/policy/modules/apps/mplayer.fc @@ -10,6 +10,4 @@ /usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0) /usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0) -ifdef(`strict_policy',` HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:ROLE_mplayer_home_t,s0) -') diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te index 7065984..9153029 100644 --- a/policy/modules/apps/mplayer.te +++ b/policy/modules/apps/mplayer.te @@ -6,27 +6,19 @@ policy_module(mplayer,1.3.0) # Declarations # -ifdef(`strict_policy',` ## ##

## Allow mplayer executable stack ##

##
gen_tunable(allow_mplayer_execstack,false) -') + +type mencoder_exec_t; +application_executable_file(mencoder_exec_t) type mplayer_etc_t; files_config_file(mplayer_etc_t) -ifdef(`strict_policy',` - type mencoder_exec_t; - application_executable_file(mencoder_exec_t) - - type mplayer_exec_t; - application_executable_file(mplayer_exec_t) -') - -ifdef(`targeted_policy',` - unconfined_execmem_alias_program(mencoder_exec_t) - unconfined_execmem_alias_program(mplayer_exec_t) -') +type mplayer_exec_t; +corecmd_executable_file(mplayer_exec_t) +application_executable_file(mplayer_exec_t) diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc index fa622bc..92211c9 100644 --- a/policy/modules/apps/screen.fc +++ b/policy/modules/apps/screen.fc @@ -1,9 +1,7 @@ # # /home # -ifdef(`strict_policy',` HOME_DIR/\.screenrc -- gen_context(system_u:object_r:ROLE_screen_ro_home_t,s0) -') # # /usr diff --git a/policy/modules/apps/thunderbird.fc b/policy/modules/apps/thunderbird.fc index cd80a95..2b6c006 100644 --- a/policy/modules/apps/thunderbird.fc +++ b/policy/modules/apps/thunderbird.fc @@ -3,6 +3,4 @@ # /usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0) -ifdef(`strict_policy',` HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:ROLE_thunderbird_home_t,s0) -') diff --git a/policy/modules/apps/uml.fc b/policy/modules/apps/uml.fc index 2a4afa0..ba0a764 100644 --- a/policy/modules/apps/uml.fc +++ b/policy/modules/apps/uml.fc @@ -1,4 +1,9 @@ # +# HOME_DIR/ +# +HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:ROLE_uml_rw_t,s0) + +# # /usr # /usr/bin/uml_switch -- gen_context(system_u:object_r:uml_switch_exec_t,s0) @@ -7,7 +12,3 @@ # /var # /var/run/uml-utilities(/.*)? gen_context(system_u:object_r:uml_switch_var_run_t,s0) - -ifdef(`strict_policy',` - HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:ROLE_uml_rw_t,s0) -') diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te index a399a25..389d1d7 100644 
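Review bot: `mplayer_exec_t` receives both `corecmd_executable_file(mplayer_exec_t)` and `application_executable_file(mplayer_exec_t)`, while `mencoder_exec_t` two declarations above gets only the latter. If `application_executable_file` already marks the type as a generic executable the first call is redundant; if it is deliberate — for instance as a stand-in for the removed `unconfined_execmem_alias_program(mplayer_exec_t)` — it needs a comment, and mencoder probably needs the same treatment. Note also that the targeted-only `unconfined_execmem_alias_program` calls are dropped without an `optional_policy` counterpart, unlike the unconfined rules elsewhere in this commit, so whatever execmem access those aliases provided in the targeted policy is now gone; if the `allow_mplayer_execstack` tunable is the intended replacement, say so next to the declarations.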
--- a/policy/modules/apps/uml.te +++ b/policy/modules/apps/uml.te @@ -59,13 +59,6 @@ miscfiles_read_localization(uml_switch_t) userdom_dontaudit_use_unpriv_user_fds(uml_switch_t) userdom_dontaudit_search_sysadm_home_dirs(uml_switch_t) -ifdef(`targeted_policy',` - files_dontaudit_read_root_files(uml_switch_t) - - term_dontaudit_use_unallocated_ttys(uml_switch_t) - term_dontaudit_use_generic_ptys(uml_switch_t) -') - optional_policy(` seutil_sigchld_newrole(uml_switch_t) ') diff --git a/policy/modules/apps/vmware.fc b/policy/modules/apps/vmware.fc index ea0b7ef..b10db09 100644 --- a/policy/modules/apps/vmware.fc +++ b/policy/modules/apps/vmware.fc @@ -1,11 +1,9 @@ # # HOME_DIR/ # -ifdef(`strict_policy',` HOME_DIR/\.vmware(/.*)? gen_context(system_u:object_r:ROLE_vmware_file_t,s0) -HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:ROLE_vmware_file_t,s0) HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:ROLE_vmware_conf_t,s0) -') +HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:ROLE_vmware_file_t,s0) # # /etc diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te index 5388212..9faf148 100644 --- a/policy/modules/apps/vmware.te +++ b/policy/modules/apps/vmware.te @@ -89,12 +89,6 @@ sysnet_dns_name_resolve(vmware_host_t) userdom_dontaudit_use_unpriv_user_fds(vmware_host_t) userdom_dontaudit_search_sysadm_home_dirs(vmware_host_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(vmware_host_t) - term_dontaudit_use_generic_ptys(vmware_host_t) - files_dontaudit_read_root_files(vmware_host_t) -') - optional_policy(` seutil_sigchld_newrole(vmware_host_t) diff --git a/policy/modules/apps/webalizer.te b/policy/modules/apps/webalizer.te index 7a3a15f..438d849 100644 --- a/policy/modules/apps/webalizer.te +++ b/policy/modules/apps/webalizer.te 
@@ -89,11 +89,6 @@ userdom_dontaudit_search_all_users_home_content(webalizer_t) apache_read_log(webalizer_t) apache_manage_sys_content(webalizer_t) -ifdef(`targeted_policy',` - term_use_generic_ptys(webalizer_t) - term_use_unallocated_ttys(webalizer_t) -') - optional_policy(` cron_system_entry(webalizer_t,webalizer_exec_t) ') diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te index 8a87106..c237c8b 100644 --- a/policy/modules/apps/wine.te +++ b/policy/modules/apps/wine.te @@ -15,7 +15,7 @@ application_domain(wine_t,wine_exec_t) # Local policy # -ifdef(`targeted_policy',` +optional_policy(` allow wine_t self:process { execstack execmem execheap }; unconfined_domain_noaudit(wine_t) files_execmod_all_files(wine_t) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index 4395563..7c202da 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -72,10 +72,6 @@ ifdef(`distro_debian',` /etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0) ') -ifdef(`targeted_policy',` -/etc/X11/prefdm -- gen_context(system_u:object_r:bin_t,s0) -') - # # /lib # diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if index 3de0969..881fc71 100644 --- a/policy/modules/kernel/corecommands.if +++ b/policy/modules/kernel/corecommands.if @@ -32,11 +32,11 @@ interface(`corecmd_executable_file',` ######################################## ## -## Create a aliased type to generic bin files. +## Create a aliased type to generic bin files. (Deprecated) ## ## ##

-## Create a aliased type to generic bin files. +## Create a aliased type to generic bin files. (Deprecated) ##

##

## This is added to support targeted policy. Its @@ -51,15 +51,7 @@ interface(`corecmd_executable_file',` ## # interface(`corecmd_bin_alias',` - ifdef(`targeted_policy',` - gen_require(` - type bin_t; - ') - - typealias bin_t alias $1; - ',` - refpolicywarn(`$0($*) has no effect in strict policy.') - ') + refpolicywarn(`$0($*) has been deprecated.') ') ######################################## diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if index a8a12f7..232b16d 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -45,11 +45,6 @@ interface(`domain_type',` # start with basic domain domain_base_type($1) - ifdef(`targeted_policy',` - unconfined_use_fds($1) - unconfined_sigchld($1) - ') - # send init a sigchld and signull optional_policy(` init_sigchld($1) @@ -1240,19 +1235,17 @@ interface(`domain_entry_file_spec_domtrans',` interface(`domain_unconfined',` gen_require(` attribute set_curr_context; - attribute can_change_process_identity; - attribute can_change_process_role; attribute can_change_object_identity; attribute unconfined_domain_type; + attribute process_uncond_exempt; ') typeattribute $1 unconfined_domain_type; # pass constraints - typeattribute $1 can_change_process_identity; - typeattribute $1 can_change_process_role; typeattribute $1 can_change_object_identity; typeattribute $1 set_curr_context; + typeattribute $1 process_uncond_exempt; ') ######################################## diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index 1f93814..d075c54 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te 
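Review bot: `domain_unconfined` now requires `attribute process_uncond_exempt;` and assigns it in place of `can_change_process_identity` and `can_change_process_role`, but no hunk in this part of the diff declares the attribute or updates the constraints that consume it; if the constraints files are changed elsewhere in the commit this is fine, otherwise the module will not link. The name suggests a blanket exemption from process constraints rather than the two specific relaxations it replaces, so a one-line comment at the `typeattribute $1 process_uncond_exempt;` line — e.g. `# replaces can_change_process_{identity,role}; see the constraints for what this exempts` — would keep the widening visible to reviewers. Separately, the `domain_type` hunk above drops `unconfined_use_fds($1)` and `unconfined_sigchld($1)` without an `optional_policy` replacement; presumably the unconfined module grants the equivalent from its side, but that is worth confirming.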
@@ -92,20 +92,6 @@ term_use_controlling_term(domain) # list the root directory files_list_root(domain) -ifdef(`targeted_policy',` - # RBAC is disabled in the targeted policy, - # as only one role is used, system_r. - role system_r types domain; - - # FIXME: - # workaround until role dominance is fixed in - # the module compiler - role secadm_r types domain; - role sysadm_r types domain; - role user_r types domain; - role staff_r types domain; -') - tunable_policy(`global_ssp',` # enable reading of urandom for all domains: # this should be enabled when all programs diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index cd51464..8c7600f 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -468,8 +468,7 @@ interface(`files_read_all_files',` ## Allow shared library text relocations in all files. ##

##

-## This is added to support WINE in the targeted -## policy. It has no effect on the strict policy. +## This is added to support WINE policy. ##

##
## @@ -479,15 +478,11 @@ interface(`files_read_all_files',` ## # interface(`files_execmod_all_files',` - ifdef(`targeted_policy',` - gen_require(` - attribute file_type; - ') - - allow $1 file_type:file execmod; - ',` - refpolicywarn(`$0($1) has no effect in strict policy.') + gen_require(` + attribute file_type; ') + + allow $1 file_type:file execmod; ') ######################################## diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index fa78e1f..350d024 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -187,10 +187,7 @@ allow file_type self:filesystem associate; fs_associate(file_type) fs_associate_noxattr(file_type) - -ifdef(`targeted_policy', ` - fs_associate_tmpfs(file_type) -') +fs_associate_tmpfs(file_type) ######################################## # @@ -220,8 +217,6 @@ allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_fil # Mount/unmount any filesystem with the context= option. allow files_unconfined_type file_type:filesystem *; -ifdef(`targeted_policy',` - tunable_policy(`allow_execmod',` - allow files_unconfined_type file_type:file execmod; - ') +tunable_policy(`allow_execmod',` + allow files_unconfined_type file_type:file execmod; ') diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 7d91bdf..d116c88 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -26,6 +26,9 @@ role sysadm_r; role staff_r; role user_r; +# here until order dependence is fixed: +role unconfined_r; + ifdef(`enable_mls',` role secadm_r; role auditadm_r; @@ -252,10 +255,6 @@ ifdef(`distro_redhat',` fs_rw_tmpfs_chr_files(kernel_t) ') -ifdef(`targeted_policy',` - unconfined_domain(kernel_t) -') - tunable_policy(`read_default_t',` files_list_default(kernel_t) files_read_default_files(kernel_t) 
@@ -336,15 +335,15 @@ optional_policy(` seutil_read_bin_policy(kernel_t) ') +optional_policy(` + unconfined_domain(kernel_t) +') + ######################################## # # Unlabeled process local policy # -ifdef(`targeted_policy',` - allow unlabeled_t self:filesystem associate; -') - optional_policy(` # If you load a new policy that removes active domains, processes can # get stuck if you do not allow unlabeled processes to signal init. diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te index 875b547..c8abb8e 100644 --- a/policy/modules/kernel/terminal.te +++ b/policy/modules/kernel/terminal.te @@ -31,11 +31,6 @@ fs_associate_tmpfs(devpts_t) fs_type(devpts_t) fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0); -ifdef(`targeted_policy',` - # cjp: the ttynode should probably be removed. - typeattribute devpts_t ttynode, ptynode; -') - # # devtty_t is the type of /dev/tty. # @@ -56,10 +51,6 @@ mls_trusted_object(ptmx_t) type tty_device_t, serial_device; dev_node(tty_device_t) -ifdef(`targeted_policy',` - typeattribute tty_device_t ttynode; -') - # # usbtty_device_t is the type of /dev/usr/tty* # diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te index 94f60a9..a2e3d68 100644 --- a/policy/modules/services/amavis.te +++ b/policy/modules/services/amavis.te @@ -150,11 +150,6 @@ cron_rw_pipes(amavis_t) mta_read_config(amavis_t) -ifdef(`targeted_policy',` - term_dontaudit_use_generic_ptys(amavis_t) - term_dontaudit_use_unallocated_ttys(amavis_t) -') - optional_policy(` clamav_stream_connect(amavis_t) clamav_domtrans_clamscan(amavis_t) diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc index 68b46dd..c30c0ea 100644 --- a/policy/modules/services/apache.fc +++ b/policy/modules/services/apache.fc 
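Review bot: `allow unlabeled_t self:filesystem associate;` is removed from the unlabeled-process section without being carried into the new `optional_policy(` unconfined_domain(kernel_t) ')` block or anywhere else in this chunk. Everything else that was targeted-only in kernel.te is either a dropped dontaudit or moved under `optional_policy`, so this unconditional drop stands out. If the associate rule is still needed in the unconfined configuration it should come back, probably unconditionally; if it was never needed, a Changelog line would make that explicit.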
@@ -1,9 +1,4 @@ -# temporary hack till genhomedircon is fixed -ifdef(`targeted_policy',` -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -',` HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0) -') /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index 548c8bc..eb026c1 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -182,14 +182,6 @@ files_tmp_file(httpd_tmp_t) type httpd_tmpfs_t; files_tmpfs_file(httpd_tmpfs_t) -# Unconfined domain for apache scripts. -# Only to be used as a last resort -type httpd_unconfined_script_t; -type httpd_unconfined_script_exec_t; # customizable -domain_type(httpd_unconfined_script_t) -domain_entry_file(httpd_unconfined_script_t,httpd_unconfined_script_exec_t) -role system_r types httpd_unconfined_script_t; - # for apache2 memory mapped files type httpd_var_lib_t; files_type(httpd_var_lib_t) @@ -201,11 +193,6 @@ files_pid_file(httpd_var_run_t) type squirrelmail_spool_t; files_tmp_file(squirrelmail_spool_t) -ifdef(`targeted_policy',` - typealias httpd_sys_content_t alias httpd_user_content_t; - typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t; -') - optional_policy(` prelink_object_file(httpd_modules_t) ') @@ -363,16 +350,6 @@ userdom_use_unpriv_users_fds(httpd_t) mta_send_mail(httpd_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(httpd_t) - term_dontaudit_use_generic_ptys(httpd_t) - files_dontaudit_read_root_files(httpd_t) - - tunable_policy(`httpd_enable_homedirs',` - userdom_search_generic_user_home_dirs(httpd_t) - ') -') - tunable_policy(`allow_httpd_anon_write',` miscfiles_manage_public_files(httpd_t) ') 
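Review bot: `httpd_unconfined_script_t` and `httpd_unconfined_script_exec_t` are removed outright here, together with their `httpd_enable_cgi` transitions later in apache.te. Dropping an unconfined CGI domain is a sound reduction in scope, but any script an administrator labeled `httpd_unconfined_script_exec_t` on an existing system now carries an invalid context. If the removal is intended it deserves a Changelog entry and, where upgrade compatibility matters, a temporary `typealias` onto an existing script type; if it is not, the declarations should move under `optional_policy` like the other unconfined rules in this commit. The enclosing declarations section continues beyond this hunk.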
@@ -410,13 +387,6 @@ tunable_policy(`httpd_can_network_relay',` corenet_sendrecv_http_cache_client_packets(httpd_t) ') -tunable_policy(`httpd_enable_cgi',` - domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) - - allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop }; - allow httpd_t httpd_unconfined_script_exec_t:dir list_dir_perms; -') - tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) @@ -464,6 +434,10 @@ optional_policy(` ') optional_policy(` + cron_system_entry(httpd_t, httpd_exec_t) +') + +optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -632,12 +606,6 @@ logging_send_syslog_msg(httpd_suexec_t) miscfiles_read_localization(httpd_suexec_t) -ifdef(`targeted_policy',` - tunable_policy(`httpd_enable_homedirs',` - userdom_search_generic_user_home_dirs(httpd_suexec_t) - ') -') - tunable_policy(`httpd_can_network_connect',` allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; allow httpd_suexec_t self:udp_socket create_socket_perms; @@ -656,10 +624,6 @@ tunable_policy(`httpd_can_network_connect',` sysnet_read_config(httpd_suexec_t) ') -tunable_policy(`httpd_enable_cgi',` - domtrans_pattern(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) -') - tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) ') @@ -726,12 +690,6 @@ ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file { getattr append }; ') -ifdef(`targeted_policy',` - tunable_policy(`httpd_enable_homedirs',` - userdom_search_generic_user_home_dirs(httpd_sys_script_t) - ') -') - tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_files(httpd_sys_script_t) fs_read_nfs_symlinks(httpd_sys_script_t) 
@@ -753,21 +711,6 @@ optional_policy(` ######################################## # -# Apache unconfined script local policy -# - -unconfined_domain(httpd_unconfined_script_t) - -optional_policy(` - cron_system_entry(httpd_t, httpd_exec_t) -') - -optional_policy(` - nscd_socket_use(httpd_unconfined_script_t) -') - -######################################## -# # httpd_rotatelogs local policy # @@ -785,8 +728,3 @@ libs_use_shared_libs(httpd_rotatelogs_t) logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) - -ifdef(`targeted_policy',` - term_dontaudit_use_generic_ptys(httpd_rotatelogs_t) - term_dontaudit_use_unallocated_ttys(httpd_rotatelogs_t) -') diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te index aef5c8a..59f4e59 100644 --- a/policy/modules/services/apcupsd.te +++ b/policy/modules/services/apcupsd.te @@ -86,10 +86,6 @@ logging_send_syslog_msg(apcupsd_t) miscfiles_read_localization(apcupsd_t) -ifdef(`targeted_policy',` - term_dontaudit_use_generic_ptys(apcupsd_t) -') - optional_policy(` hostname_exec(apcupsd_t) ') diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te index 2fad90f..4414826 100644 --- a/policy/modules/services/apm.te +++ b/policy/modules/services/apm.te @@ -172,13 +172,6 @@ ifdef(`distro_suse',` files_var_lib_filetrans(apmd_t,apmd_var_lib_t,file) ') -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(apmd_t) - term_dontaudit_use_generic_ptys(apmd_t) - files_dontaudit_read_root_files(apmd_t) - unconfined_domain(apmd_t) -') - optional_policy(` automount_domtrans(apmd_t) ') @@ -227,6 +220,10 @@ optional_policy(` udev_read_state(apmd_t) #necessary? ') +optional_policy(` + unconfined_domain(apmd_t) +') + # cjp: related to sleep/resume (?) optional_policy(` xserver_domtrans_xdm_xserver(apmd_t) diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te index d0abdb8..33cf2bb 100644 --- a/policy/modules/services/arpwatch.te 
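Review bot: In the apm.te hunk at -227,6 the `unconfined_domain(apmd_t)` grant is now gated only on the unconfined module being present, whereas the block removed at -172,13 applied it only to targeted builds. With the policy types merged, any build that loads the unconfined module, including one meant to run confined users alongside an unconfined role, makes apmd fully unconfined, and nothing in the hunk says why apmd needs that rather than the dontaudit rules that were dropped with it. A why-comment above the block, `# apmd is unconfined whenever the unconfined module is loaded; formerly targeted-only — TODO confirm still required`, or a tunable around it, would make the decision reviewable. cron.te in this same commit removes its targeted-only `unconfined_domain(crond_t)` without a comparable re-add, so the two modules now diverge in how former targeted-only unconfinement is handled.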
+++ b/policy/modules/services/arpwatch.te @@ -85,12 +85,6 @@ userdom_dontaudit_search_sysadm_home_dirs(arpwatch_t) mta_send_mail(arpwatch_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(arpwatch_t) - term_dontaudit_use_generic_ptys(arpwatch_t) - files_dontaudit_read_root_files(arpwatch_t) -') - optional_policy(` seutil_sigchld_newrole(arpwatch_t) ') diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te index f9d0256..8853d15 100644 --- a/policy/modules/services/asterisk.te +++ b/policy/modules/services/asterisk.te @@ -127,12 +127,6 @@ sysnet_read_config(asterisk_t) userdom_dontaudit_use_unpriv_user_fds(asterisk_t) userdom_dontaudit_search_sysadm_home_dirs(asterisk_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(asterisk_t) - term_dontaudit_use_generic_ptys(asterisk_t) - files_dontaudit_read_root_files(asterisk_t) -') - optional_policy(` nis_use_ypbind(asterisk_t) ') diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te index c9d7c19..9723ae5 100644 --- a/policy/modules/services/audioentropy.te +++ b/policy/modules/services/audioentropy.te @@ -51,13 +51,6 @@ miscfiles_read_localization(entropyd_t) userdom_dontaudit_use_unpriv_user_fds(entropyd_t) userdom_dontaudit_search_sysadm_home_dirs(entropyd_t) -ifdef(`targeted_policy', ` - files_dontaudit_read_root_files(entropyd_t) - - term_dontaudit_use_unallocated_ttys(entropyd_t) - term_dontaudit_use_generic_ptys(entropyd_t) -') - optional_policy(` seutil_sigchld_newrole(entropyd_t) ') diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te index c22a97a..7e84171 100644 --- a/policy/modules/services/automount.te +++ b/policy/modules/services/automount.te 
@@ -147,12 +147,6 @@ sysnet_read_config(automount_t) userdom_dontaudit_use_unpriv_user_fds(automount_t) userdom_dontaudit_search_sysadm_home_dirs(automount_t) -ifdef(`targeted_policy', ` - files_dontaudit_read_root_files(automount_t) - term_dontaudit_use_unallocated_ttys(automount_t) - term_dontaudit_use_generic_ptys(automount_t) -') - optional_policy(` bind_search_cache(automount_t) ') diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te index 16a2d07..159d655 100644 --- a/policy/modules/services/avahi.te +++ b/policy/modules/services/avahi.te @@ -80,12 +80,6 @@ miscfiles_read_localization(avahi_t) userdom_dontaudit_use_unpriv_user_fds(avahi_t) userdom_dontaudit_search_sysadm_home_dirs(avahi_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(avahi_t) - term_dontaudit_use_generic_ptys(avahi_t) - files_dontaudit_read_root_files(avahi_t) -') - optional_policy(` dbus_system_bus_client_template(avahi,avahi_t) dbus_connect_system_bus(avahi_t) diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te index 6e59307..94b45a6 100644 --- a/policy/modules/services/bind.te +++ b/policy/modules/services/bind.te @@ -148,12 +148,6 @@ sysnet_read_config(named_t) userdom_dontaudit_use_unpriv_user_fds(named_t) userdom_dontaudit_search_sysadm_home_dirs(named_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(named_t) - term_dontaudit_use_generic_ptys(named_t) - files_dontaudit_read_root_files(named_t) -') - tunable_policy(`named_write_master_zones',` manage_dirs_pattern(named_t,named_zone_t,named_zone_t) manage_files_pattern(named_t,named_zone_t,named_zone_t) @@ -265,13 +259,6 @@ ifdef(`distro_redhat',` allow ndc_t named_conf_t:dir search; ') -ifdef(`targeted_policy',` - kernel_dontaudit_read_unlabeled_files(ndc_t) - - term_use_unallocated_ttys(ndc_t) - term_use_generic_ptys(ndc_t) -') - optional_policy(` nis_use_ypbind(ndc_t) ') 
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if index e031f39..4f79278 100644 --- a/policy/modules/services/bluetooth.if +++ b/policy/modules/services/bluetooth.if @@ -1,5 +1,116 @@ ## Bluetooth tools and system services. +####################################### +## +## The per role template for the bluetooth module. +## +## +##

+## This template creates derived domains which are used +## for bluetooth. +##

+##

+## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The type of the user domain. +## +## +## +## +## The role associated with the user domain. +## +## +# +template(`bluetooth_per_role_template',` + gen_require(` + attribute bluetooth_helper_domain; + type bluetooth_helper_exec_t; + ') + + type $1_bluetooth_t, bluetooth_helper_domain; + application_domain($1_bluetooth_t, bluetooth_helper_exec_t) + role $3 types $1_bluetooth_t; + + type $1_bluetooth_tmp_t; + files_tmp_file($1_bluetooth_tmp_t) + + type $1_bluetooth_tmpfs_t; + files_tmpfs_file($1_bluetooth_tmpfs_t) + + allow $1_bluetooth_t self:capability sys_nice; + allow $1_bluetooth_t self:process getsched; + allow $1_bluetooth_t self:fifo_file rw_fifo_file_perms; + allow $1_bluetooth_t self:shm create_shm_perms; + allow $1_bluetooth_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow $1_bluetooth_t self:tcp_socket create_socket_perms; + allow $1_bluetooth_t self:netlink_route_socket r_netlink_socket_perms; + + allow $1_bluetooth_t bluetooth_t:socket { read write }; + + manage_dirs_pattern($1_bluetooth_t, $1_bluetooth_tmp_t, $1_bluetooth_tmp_t) + manage_files_pattern($1_bluetooth_t, $1_bluetooth_tmp_t, $1_bluetooth_tmp_t) + manage_sock_files_pattern($1_bluetooth_t, $1_bluetooth_tmp_t, $1_bluetooth_tmp_t) + files_tmp_filetrans($1_bluetooth_t, $1_bluetooth_tmp_t, { file dir sock_file }) + + manage_dirs_pattern($1_bluetooth_t, $1_bluetooth_tmpfs_t, $1_bluetooth_tmpfs_t) + manage_files_pattern($1_bluetooth_t, $1_bluetooth_tmpfs_t, $1_bluetooth_tmpfs_t) + fs_tmpfs_filetrans($1_bluetooth_t, $1_bluetooth_tmpfs_t, { dir file }) + + kernel_read_system_state($1_bluetooth_t) + kernel_read_kernel_sysctls($1_bluetooth_t) + + dev_read_urand($1_bluetooth_t) + + term_dontaudit_use_all_user_ttys($1_bluetooth_t) + + corecmd_exec_bin($1_bluetooth_t) + corecmd_exec_shell($1_bluetooth_t) + + domain_read_all_domains_state($1_bluetooth_t) + + 
files_read_etc_files($1_bluetooth_t) + files_read_etc_runtime_files($1_bluetooth_t) + files_read_usr_files($1_bluetooth_t) + files_dontaudit_list_default($1_bluetooth_t) + + libs_use_ld_so($1_bluetooth_t) + libs_use_shared_libs($1_bluetooth_t) + + locallogin_dontaudit_use_fds($1_bluetooth_t) + + logging_send_syslog_msg($1_bluetooth_t) + + miscfiles_read_localization($1_bluetooth_t) + + sysnet_read_config($1_bluetooth_t) + + optional_policy(` + bluetooth_dbus_chat($1_bluetooth_t) + dbus_system_bus_client_template($1_bluetooth, $1_bluetooth_t) + dbus_connect_system_bus($1_bluetooth_t) + dbus_send_system_bus($1_bluetooth_t) + ') + + optional_policy(` + nscd_socket_use($1_bluetooth_t) + ') + + optional_policy(` + xserver_user_client_template($1, $1_bluetooth_t, $1_bluetooth_tmpfs_t) + ') +') + ######################################## ## ## Execute bluetooth in the bluetooth domain. 
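Review bot: `bluetooth_per_role_template` documents a second parameter (the user domain type) but never references `$2`; only `$1` and `$3` appear in the body, so the template establishes no relationship between the user domain and `$1_bluetooth_t` (no transition, fd or signal rules). If the user-to-helper transition is meant to be set up by the caller, a comment such as `# $2 (user domain type) is unused here; the domtrans into $1_bluetooth_t is defined by the caller` would stop the next reader hunting for it. Compared with the `bluetooth_helper_t` rules removed from bluetooth.te in this commit, the template also drops `miscfiles_read_fonts` and `files_search_tmp`; if that omission is deliberate it should be stated, since the old rules suggest the helper reads fonts.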
@@ -38,47 +149,43 @@ interface(`bluetooth_read_config',` ######################################## ## -## Execute bluetooth_helper in the bluetooth_helper domain. +## Send and receive messages from +## bluetooth over dbus. ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # -interface(`bluetooth_domtrans_helper',` +interface(`bluetooth_dbus_chat',` gen_require(` - type bluetooth_helper_t, bluetooth_helper_exec_t; + type bluetooth_t; + class dbus send_msg; ') - domtrans_pattern($1,bluetooth_helper_exec_t,bluetooth_helper_t) + allow $1 bluetooth_t:dbus send_msg; + allow bluetooth_t $1:dbus send_msg; ') ######################################## ## -## Send and receive messages from -## bluetooth over dbus. +## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated) ## ## ## -## Domain allowed access. +## The type of the process performing this action. ## ## # -interface(`bluetooth_dbus_chat',` - gen_require(` - type bluetooth_t; - class dbus send_msg; - ') - - allow $1 bluetooth_t:dbus send_msg; - allow bluetooth_t $1:dbus send_msg; +interface(`bluetooth_domtrans_helper',` + refpolicywarn(`$0($*) has been deprecated.') ') ######################################## ## ## Execute bluetooth_helper in the bluetooth_helper domain, and -## allow the specified role the bluetooth_helper domain. +## allow the specified role the bluetooth_helper domain. (Deprecated) ## ## ## @@ -98,13 +205,7 @@ interface(`bluetooth_dbus_chat',` ## # interface(`bluetooth_run_helper',` - gen_require(` - type bluetooth_helper_t; - ') - - bluetooth_domtrans_helper($1) - role $2 types bluetooth_helper_t; - allow bluetooth_helper_t $3:chr_file rw_term_perms; + refpolicywarn(`$0($*) has been deprecated.') ') ######################################## 
@@ -119,9 +220,9 @@ interface(`bluetooth_run_helper',` # interface(`bluetooth_dontaudit_read_helper_files',` gen_require(` - type bluetooth_helper_t; + attribute bluetooth_helper_domain; ') - dontaudit $1 bluetooth_helper_t:dir search; - dontaudit $1 bluetooth_helper_t:file { read getattr }; + dontaudit $1 bluetooth_helper_domain:dir search; + dontaudit $1 bluetooth_helper_domain:file { read getattr }; ') diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te index ae6e6a7..7f1f285 100644 --- a/policy/modules/services/bluetooth.te +++ b/policy/modules/services/bluetooth.te @@ -15,14 +15,10 @@ files_type(bluetooth_conf_t) type bluetooth_conf_rw_t; files_type(bluetooth_conf_rw_t) -type bluetooth_helper_t; -type bluetooth_helper_exec_t; -domain_type(bluetooth_helper_t) -domain_entry_file(bluetooth_helper_t,bluetooth_helper_exec_t) -role system_r types bluetooth_helper_t; +attribute bluetooth_helper_domain; -type bluetooth_helper_tmp_t; -files_tmp_file(bluetooth_helper_tmp_t) +type bluetooth_helper_exec_t; +application_executable_file(bluetooth_helper_exec_t) type bluetooth_lock_t; files_lock_file(bluetooth_lock_t) @@ -61,7 +57,7 @@ manage_fifo_files_pattern(bluetooth_t,bluetooth_conf_t,bluetooth_conf_rw_t) manage_sock_files_pattern(bluetooth_t,bluetooth_conf_t,bluetooth_conf_rw_t) filetrans_pattern(bluetooth_t,bluetooth_conf_t,bluetooth_conf_rw_t,{ dir file lnk_file sock_file fifo_file }) -domtrans_pattern(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t) +can_exec(bluetooth_t, bluetooth_helper_exec_t) allow bluetooth_t bluetooth_lock_t:file manage_file_perms; files_lock_filetrans(bluetooth_t,bluetooth_lock_t,file) @@ -117,8 +113,6 @@ files_read_usr_files(bluetooth_t) libs_use_ld_so(bluetooth_t) libs_use_shared_libs(bluetooth_t) -locallogin_dontaudit_use_fds(bluetooth_helper_t) - logging_send_syslog_msg(bluetooth_t) miscfiles_read_localization(bluetooth_t) 
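Review bot: The bluetooth.te hunk at -61,7 replaces `domtrans_pattern(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)` with `can_exec(bluetooth_t, bluetooth_helper_exec_t)`, so helpers launched by the daemon now execute inside `bluetooth_t` itself rather than in a separate domain. That enlarges the code running with the daemon's permissions, and the hunk does not record why the transition was dropped now that helpers get per-role domains. A comment at the call site, `# helpers started by the daemon stay in bluetooth_t; per-user helpers use bluetooth_per_role_template`, would capture the intent; if daemon-spawned helpers are not expected at all, the `can_exec` could be omitted. With `role system_r types bluetooth_helper_t` gone in the -15,14 hunk, no system-role helper domain remains, which is presumably intended but worth confirming.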
@@ -130,12 +124,6 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) userdom_dontaudit_use_sysadm_ptys(bluetooth_t) userdom_dontaudit_search_sysadm_home_dirs(bluetooth_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(bluetooth_t) - term_dontaudit_use_generic_ptys(bluetooth_t) - files_dontaudit_read_root_files(bluetooth_t) -') - optional_policy(` dbus_system_bus_client_template(bluetooth,bluetooth_t) dbus_connect_system_bus(bluetooth_t) 
@@ -154,94 +142,6 @@ optional_policy(` udev_read_db(bluetooth_t) ') -######################################## -# -# Bluetooth helper local policy -# - -allow bluetooth_helper_t self:capability sys_nice; -allow bluetooth_helper_t self:process getsched; -allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms; -allow bluetooth_helper_t self:shm create_shm_perms; -allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow bluetooth_helper_t self:tcp_socket create_socket_perms; -allow bluetooth_helper_t self:netlink_route_socket r_netlink_socket_perms; - -allow bluetooth_helper_t bluetooth_t:socket { read write }; - -manage_dirs_pattern(bluetooth_helper_t,bluetooth_helper_tmp_t,bluetooth_helper_tmp_t) -manage_files_pattern(bluetooth_helper_t,bluetooth_helper_tmp_t,bluetooth_helper_tmp_t) -manage_sock_files_pattern(bluetooth_helper_t,bluetooth_helper_tmp_t,bluetooth_helper_tmp_t) -files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir sock_file }) - -kernel_read_system_state(bluetooth_helper_t) -kernel_read_kernel_sysctls(bluetooth_helper_t) - -dev_read_urand(bluetooth_helper_t) - -term_dontaudit_use_all_user_ttys(bluetooth_helper_t) - -corecmd_exec_bin(bluetooth_helper_t) -corecmd_exec_shell(bluetooth_helper_t) - -domain_read_all_domains_state(bluetooth_helper_t) - -files_read_etc_files(bluetooth_helper_t) -files_read_etc_runtime_files(bluetooth_helper_t) -files_read_usr_files(bluetooth_helper_t) -files_search_tmp(bluetooth_helper_t) -files_dontaudit_list_default(bluetooth_helper_t) - -libs_use_ld_so(bluetooth_helper_t) -libs_use_shared_libs(bluetooth_helper_t) - -logging_send_syslog_msg(bluetooth_helper_t) - -miscfiles_read_localization(bluetooth_helper_t) -miscfiles_read_fonts(bluetooth_helper_t) - -sysnet_read_config(bluetooth_helper_t) - -ifdef(`targeted_policy',` - files_rw_generic_tmp_sockets(bluetooth_helper_t) - files_manage_generic_tmp_files(bluetooth_helper_t) - - 
fs_rw_tmpfs_files(bluetooth_helper_t) - - term_dontaudit_use_generic_ptys(bluetooth_helper_t) - term_dontaudit_use_unallocated_ttys(bluetooth_helper_t) - - unconfined_stream_connect(bluetooth_helper_t) - - userdom_manage_generic_user_home_content_files(bluetooth_helper_t) - - optional_policy(` - corenet_tcp_connect_xserver_port(bluetooth_helper_t) - #Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=205956 - xserver_read_xdm_tmp_files(bluetooth_helper_t) - xserver_stream_connect_xdm(bluetooth_helper_t) - xserver_use_xdm_fds(bluetooth_helper_t) - xserver_rw_xdm_pipes(bluetooth_helper_t) - # when started via startx - xserver_stream_connect_xdm_xserver(bluetooth_helper_t) - ') -') - -optional_policy(` - bluetooth_dbus_chat(bluetooth_helper_t) - dbus_system_bus_client_template(bluetooth_helper,bluetooth_helper_t) - dbus_connect_system_bus(bluetooth_helper_t) - dbus_send_system_bus(bluetooth_helper_t) -') - -optional_policy(` - nscd_socket_use(bluetooth_helper_t) -') - optional_policy(` ppp_domtrans(bluetooth_t) ') - -optional_policy(` - xserver_stream_connect_xdm(bluetooth_helper_t) -') diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te index 51e7efa..5445a70 100644 --- a/policy/modules/services/canna.te +++ b/policy/modules/services/canna.te @@ -80,12 +80,6 @@ sysnet_read_config(canna_t) userdom_dontaudit_use_unpriv_user_fds(canna_t) userdom_dontaudit_search_sysadm_home_dirs(canna_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(canna_t) - term_dontaudit_use_generic_ptys(canna_t) - files_dontaudit_read_root_files(canna_t) -') - optional_policy(` nis_use_ypbind(canna_t) ') diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te index 26b1da9..fcecb1b 100644 --- a/policy/modules/services/ccs.te +++ b/policy/modules/services/ccs.te 
@@ -112,11 +112,6 @@ ifdef(`hide_broken_symptoms', ` files_manage_isid_type_files(ccs_t) ') -ifdef(`targeted_policy',` - term_dontaudit_use_generic_ptys(ccs_t) - term_dontaudit_use_unallocated_ttys(ccs_t) -') - optional_policy(` unconfined_use_fds(ccs_t) ') diff --git a/policy/modules/services/cipe.te b/policy/modules/services/cipe.te index b4f8ad4..323554b 100644 --- a/policy/modules/services/cipe.te +++ b/policy/modules/services/cipe.te @@ -63,12 +63,6 @@ sysnet_read_config(ciped_t) userdom_dontaudit_use_unpriv_user_fds(ciped_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(ciped_t) - term_dontaudit_use_generic_ptys(ciped_t) - files_dontaudit_read_root_files(ciped_t) -') - optional_policy(` nis_use_ypbind(ciped_t) ') diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te index 2a2dec7..6b7d0c5 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te @@ -120,11 +120,6 @@ cron_use_fds(clamd_t) cron_use_system_job_fds(clamd_t) cron_rw_pipes(clamd_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(clamd_t) - term_dontaudit_use_generic_ptys(clamd_t) -') - optional_policy(` amavis_read_lib_files(clamd_t) amavis_read_spool_files(clamd_t) diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if index ee4a98e..354edf6 100644 --- a/policy/modules/services/courier.if +++ b/policy/modules/services/courier.if @@ -77,12 +77,6 @@ template(`courier_domain_template',` userdom_dontaudit_use_unpriv_user_fds(courier_$1_t) - ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(courier_$1_t) - term_dontaudit_use_generic_ptys(courier_$1_t) - files_dontaudit_read_root_files(courier_$1_t) - ') - optional_policy(` seutil_sigchld_newrole(courier_$1_t) ') diff --git a/policy/modules/services/cpucontrol.te b/policy/modules/services/cpucontrol.te index 48d6e26..9145263 100644 --- a/policy/modules/services/cpucontrol.te +++ b/policy/modules/services/cpucontrol.te 
@@ -58,12 +58,6 @@ logging_send_syslog_msg(cpucontrol_t) userdom_dontaudit_use_unpriv_user_fds(cpucontrol_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(cpucontrol_t) - term_dontaudit_use_generic_ptys(cpucontrol_t) - files_dontaudit_read_root_files(cpucontrol_t) -') - optional_policy(` nscd_socket_use(cpucontrol_t) ') @@ -118,12 +112,6 @@ miscfiles_read_localization(cpuspeed_t) userdom_dontaudit_use_unpriv_user_fds(cpuspeed_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(cpuspeed_t) - term_dontaudit_use_generic_ptys(cpuspeed_t) - files_dontaudit_read_root_files(cpuspeed_t) -') - optional_policy(` nscd_socket_use(cpuspeed_t) ') diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if index 74c3142..b61103c 100644 --- a/policy/modules/services/cron.if +++ b/policy/modules/services/cron.if @@ -152,6 +152,17 @@ template(`cron_per_role_template',` allow crond_t $1_cron_spool_t:file manage_file_perms; ') + # need a per-role version of this: + #optional_policy(` + # mono_domtrans($1_crond_t) + #') + + optional_policy(` + dbus_stub($1_crond_t) + + allow $1_crond_t $2:dbus send_msg; + ') + optional_policy(` nis_use_ypbind($1_crond_t) ') diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te index 3e093b3..d95d755 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -60,11 +60,7 @@ application_executable_file(crontab_exec_t) type system_cron_spool_t, cron_spool_type; files_type(system_cron_spool_t) -ifdef(`targeted_policy',` - typealias crond_t alias system_crond_t; -',` - type system_crond_t; -') +type system_crond_t; init_daemon_domain(system_crond_t,anacron_exec_t) corecmd_shell_entry_type(system_crond_t) role system_r types system_crond_t; 
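Review bot: The cron.if hunk at -152,6 introduces a commented-out `optional_policy` block for `mono_domtrans($1_crond_t)`; commented-out policy is dead code that readers must re-check on every change, and the intent is already captured by the comment above it. Either keep only the comment, `# TODO: mono_domtrans needs a per-role variant before $1_crond_t can call it`, or open a tracking item and drop the block. The new `allow $1_crond_t $2:dbus send_msg` under `dbus_stub` appears to be the per-role replacement for the `crond_t` to `unconfined_t` dbus rule removed from cron.te; saying so in a one-line comment would help, since the two hunks are in different files.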
@@ -75,11 +71,6 @@ files_lock_file(system_crond_lock_t) type system_crond_tmp_t; files_tmp_file(system_crond_tmp_t) -ifdef(`targeted_policy',` - type sysadm_cron_spool_t; - files_type(sysadm_cron_spool_t) -') - ifdef(`enable_mcs',` init_ranged_daemon_domain(crond_t,crond_exec_t,s0 - mcs_systemhigh) ') @@ -111,6 +102,10 @@ files_pid_filetrans(crond_t,crond_var_run_t,file) allow crond_t cron_spool_t:dir rw_dir_perms; allow crond_t cron_spool_t:file read_file_perms; +manage_dirs_pattern(crond_t,crond_tmp_t,crond_tmp_t) +manage_files_pattern(crond_t,crond_tmp_t,crond_tmp_t) +files_tmp_filetrans(crond_t,crond_tmp_t,{ file dir }) + allow crond_t system_cron_spool_t:dir list_dir_perms; allow crond_t system_cron_spool_t:file read_file_perms; 
@@ -185,35 +180,6 @@ optional_policy(` locallogin_link_keys(crond_t) ') -ifdef(`targeted_policy',` - manage_dirs_pattern(crond_t,system_crond_tmp_t,system_crond_tmp_t) - manage_files_pattern(crond_t,system_crond_tmp_t,system_crond_tmp_t) - manage_lnk_files_pattern(crond_t,system_crond_tmp_t,system_crond_tmp_t) - manage_fifo_files_pattern(crond_t,system_crond_tmp_t,system_crond_tmp_t) - manage_sock_files_pattern(crond_t,system_crond_tmp_t,system_crond_tmp_t) - files_tmp_filetrans(crond_t,system_crond_tmp_t,{ dir file lnk_file sock_file fifo_file }) - - unconfined_domain(crond_t) - - userdom_manage_generic_user_home_content_dirs(crond_t) - userdom_manage_generic_user_home_content_files(crond_t) - userdom_manage_generic_user_home_content_symlinks(crond_t) - userdom_manage_generic_user_home_content_sockets(crond_t) - userdom_manage_generic_user_home_content_pipes(crond_t) - userdom_generic_user_home_dir_filetrans_generic_user_home_content(crond_t,{ dir file lnk_file fifo_file sock_file }) - - allow crond_t unconfined_t:dbus send_msg; - allow crond_t initrc_t:dbus send_msg; - - optional_policy(` - mono_domtrans(crond_t) - ') -',` - manage_dirs_pattern(crond_t,crond_tmp_t,crond_tmp_t) - manage_files_pattern(crond_t,crond_tmp_t,crond_tmp_t) - files_tmp_filetrans(crond_t, crond_tmp_t, { file dir }) -') - tunable_policy(`fcron_crond', ` allow crond_t system_cron_spool_t:file manage_file_perms; ') @@ -258,6 +224,11 @@ optional_policy(` # System cron process domain # +allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid }; +allow system_crond_t self:process { signal_perms setsched }; +allow system_crond_t self:fifo_file rw_fifo_file_perms; +allow system_crond_t self:passwd rootok; + # This is to handle creation of files in /var/log directory. # Used currently by rpm script log files allow system_crond_t cron_log_t:file manage_file_perms; 
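Review bot: The cron.te hunk at -185,35 removes the targeted-only `unconfined_domain(crond_t)`, the `userdom_manage_generic_user_home_content_*` rules and `allow crond_t initrc_t:dbus send_msg` with no module-conditional replacement, whereas apm.te in this same commit re-adds its unconfinement under `optional_policy`. If the intent is that crond_t is confined in every policy type, that is a deliberate tightening for former targeted deployments (jobs that relied on crond_t managing home-directory content would now have to run through the per-role `$1_crond_t` domains) and deserves a comment at the removal site, `# crond_t is confined in all policy types; per-user jobs run in $1_crond_t`. If it is not intentional, the initrc_t dbus rule in particular has no per-role counterpart in the cron.if hunk.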
@@ -268,220 +239,209 @@ logging_log_filetrans(system_crond_t,cron_log_t,file) allow system_crond_t cron_var_lib_t:file manage_file_perms; files_var_lib_filetrans(system_crond_t,cron_var_lib_t,file) -optional_policy(` - # cjp: why? - squid_domtrans(system_crond_t) -') +allow system_crond_t system_cron_spool_t:file read_file_perms; +# The entrypoint interface is not used as this is not +# a regular entrypoint. Since crontab files are +# not directly executed, crond must ensure that +# the crontab file has a type that is appropriate +# for the domain of the user cron job. It +# performs an entrypoint permission check +# for this purpose. +allow system_crond_t system_cron_spool_t:file entrypoint; + +# Permit a transition from the crond_t domain to this domain. +# The transition is requested explicitly by the modified crond +# via setexeccon. There is no way to set up an automatic +# transition, since crontabs are configuration files, not executables. +allow crond_t system_crond_t:process transition; +dontaudit crond_t system_crond_t:process { noatsecure siginh rlimitinh }; +allow crond_t system_crond_t:fd use; +allow system_crond_t crond_t:fd use; +allow system_crond_t crond_t:fifo_file rw_file_perms; +allow system_crond_t crond_t:process sigchld; + +# Write /var/lock/makewhatis.lock. 
+allow system_crond_t system_crond_lock_t:file manage_file_perms; +files_lock_filetrans(system_crond_t,system_crond_lock_t,file) + +# write temporary files +manage_files_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t) +manage_lnk_files_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t) +filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file }) +files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file) -ifdef(`targeted_policy',` - # cjp: FIXME - allow crond_t unconfined_t:process transition; -',` - allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid }; - allow system_crond_t self:process { signal_perms setsched }; - allow system_crond_t self:fifo_file rw_fifo_file_perms; - allow system_crond_t self:passwd rootok; - - # The entrypoint interface is not used as this is not - # a regular entrypoint. Since crontab files are - # not directly executed, crond must ensure that - # the crontab file has a type that is appropriate - # for the domain of the user cron job. It - # performs an entrypoint permission check - # for this purpose. - allow system_crond_t system_cron_spool_t:file entrypoint; - - allow system_crond_t system_cron_spool_t:file read_file_perms; - - # Permit a transition from the crond_t domain to this domain. - # The transition is requested explicitly by the modified crond - # via setexeccon. There is no way to set up an automatic - # transition, since crontabs are configuration files, not executables. - allow crond_t system_crond_t:process transition; - dontaudit crond_t system_crond_t:process { noatsecure siginh rlimitinh }; - allow crond_t system_crond_t:fd use; - allow system_crond_t crond_t:fd use; - allow system_crond_t crond_t:fifo_file rw_file_perms; - allow system_crond_t crond_t:process sigchld; - - # Write /var/lock/makewhatis.lock. 
- allow system_crond_t system_crond_lock_t:file manage_file_perms; - files_lock_filetrans(system_crond_t,system_crond_lock_t,file) - - # write temporary files - manage_files_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t) - manage_lnk_files_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t) - filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file }) - files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file) - - # Read from /var/spool/cron. - allow system_crond_t cron_spool_t:dir list_dir_perms; - allow system_crond_t cron_spool_t:file read_file_perms; - - kernel_read_kernel_sysctls(system_crond_t) - kernel_read_system_state(system_crond_t) - kernel_read_software_raid_state(system_crond_t) - - # ps does not need to access /boot when run from cron - files_dontaudit_search_boot(system_crond_t) - - corecmd_exec_all_executables(system_crond_t) - - corenet_all_recvfrom_unlabeled(system_crond_t) - corenet_all_recvfrom_netlabel(system_crond_t) - corenet_tcp_sendrecv_all_if(system_crond_t) - corenet_udp_sendrecv_all_if(system_crond_t) - corenet_tcp_sendrecv_all_nodes(system_crond_t) - corenet_udp_sendrecv_all_nodes(system_crond_t) - corenet_tcp_sendrecv_all_ports(system_crond_t) - corenet_udp_sendrecv_all_ports(system_crond_t) - - dev_getattr_all_blk_files(system_crond_t) - dev_getattr_all_chr_files(system_crond_t) - dev_read_urand(system_crond_t) - - fs_getattr_all_fs(system_crond_t) - fs_getattr_all_files(system_crond_t) - fs_getattr_all_symlinks(system_crond_t) - fs_getattr_all_pipes(system_crond_t) - fs_getattr_all_sockets(system_crond_t) - - # quiet other ps operations - domain_dontaudit_read_all_domains_state(system_crond_t) - - files_exec_etc_files(system_crond_t) - files_read_etc_files(system_crond_t) - files_read_etc_runtime_files(system_crond_t) - files_list_all(system_crond_t) - files_getattr_all_dirs(system_crond_t) - files_getattr_all_files(system_crond_t) - files_getattr_all_symlinks(system_crond_t) - 
files_getattr_all_pipes(system_crond_t) - files_getattr_all_sockets(system_crond_t) - files_read_usr_files(system_crond_t) - files_read_var_files(system_crond_t) - # for nscd: - files_dontaudit_search_pids(system_crond_t) - # Access other spool directories like - # /var/spool/anacron and /var/spool/slrnpull. - files_manage_generic_spool(system_crond_t) - - init_use_script_fds(system_crond_t) - init_read_utmp(system_crond_t) - init_dontaudit_rw_utmp(system_crond_t) - # prelink tells init to restart it self, we either need to allow or dontaudit - init_write_initctl(system_crond_t) - - libs_use_ld_so(system_crond_t) - libs_use_shared_libs(system_crond_t) - libs_exec_lib_files(system_crond_t) - libs_exec_ld_so(system_crond_t) - - logging_read_generic_logs(system_crond_t) - logging_send_syslog_msg(system_crond_t) - - miscfiles_read_localization(system_crond_t) - miscfiles_manage_man_pages(system_crond_t) - - seutil_read_config(system_crond_t) - - ifdef(`distro_redhat', ` - # Run the rpm program in the rpm_t domain. Allow creation of RPM log files - # via redirection of standard out. - optional_policy(` - rpm_manage_log(system_crond_t) - ') - ') - - tunable_policy(`cron_can_relabel',` - seutil_domtrans_setfiles(system_crond_t) - ',` - selinux_get_fs_mount(system_crond_t) - selinux_validate_context(system_crond_t) - selinux_compute_access_vector(system_crond_t) - selinux_compute_create_context(system_crond_t) - selinux_compute_relabel_context(system_crond_t) - selinux_compute_user_contexts(system_crond_t) - seutil_read_file_contexts(system_crond_t) - ') +# Read from /var/spool/cron. 
+allow system_crond_t cron_spool_t:dir list_dir_perms; +allow system_crond_t cron_spool_t:file read_file_perms; + +kernel_read_kernel_sysctls(system_crond_t) +kernel_read_system_state(system_crond_t) +kernel_read_software_raid_state(system_crond_t) + +# ps does not need to access /boot when run from cron +files_dontaudit_search_boot(system_crond_t) + +corecmd_exec_all_executables(system_crond_t) + +corenet_all_recvfrom_unlabeled(system_crond_t) +corenet_all_recvfrom_netlabel(system_crond_t) +corenet_tcp_sendrecv_all_if(system_crond_t) +corenet_udp_sendrecv_all_if(system_crond_t) +corenet_tcp_sendrecv_all_nodes(system_crond_t) +corenet_udp_sendrecv_all_nodes(system_crond_t) +corenet_tcp_sendrecv_all_ports(system_crond_t) +corenet_udp_sendrecv_all_ports(system_crond_t) + +dev_getattr_all_blk_files(system_crond_t) +dev_getattr_all_chr_files(system_crond_t) +dev_read_urand(system_crond_t) + +fs_getattr_all_fs(system_crond_t) +fs_getattr_all_files(system_crond_t) +fs_getattr_all_symlinks(system_crond_t) +fs_getattr_all_pipes(system_crond_t) +fs_getattr_all_sockets(system_crond_t) + +# quiet other ps operations +domain_dontaudit_read_all_domains_state(system_crond_t) + +files_exec_etc_files(system_crond_t) +files_read_etc_files(system_crond_t) +files_read_etc_runtime_files(system_crond_t) +files_list_all(system_crond_t) +files_getattr_all_dirs(system_crond_t) +files_getattr_all_files(system_crond_t) +files_getattr_all_symlinks(system_crond_t) +files_getattr_all_pipes(system_crond_t) +files_getattr_all_sockets(system_crond_t) +files_read_usr_files(system_crond_t) +files_read_var_files(system_crond_t) +# for nscd: +files_dontaudit_search_pids(system_crond_t) +# Access other spool directories like +# /var/spool/anacron and /var/spool/slrnpull. 
+files_manage_generic_spool(system_crond_t)
+
+init_use_script_fds(system_crond_t)
+init_read_utmp(system_crond_t)
+init_dontaudit_rw_utmp(system_crond_t)
+# prelink tells init to restart it self, we either need to allow or dontaudit
+init_write_initctl(system_crond_t)
+
+libs_use_ld_so(system_crond_t)
+libs_use_shared_libs(system_crond_t)
+libs_exec_lib_files(system_crond_t)
+libs_exec_ld_so(system_crond_t)
+
+logging_read_generic_logs(system_crond_t)
+logging_send_syslog_msg(system_crond_t)
+
+miscfiles_read_localization(system_crond_t)
+miscfiles_manage_man_pages(system_crond_t)
+
+seutil_read_config(system_crond_t)
+ifdef(`distro_redhat', `
+ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+ # via redirection of standard out.
 optional_policy(`
- # Needed for certwatch
- apache_exec_modules(system_crond_t)
- apache_read_config(system_crond_t)
- apache_read_log(system_crond_t)
- apache_read_sys_content(system_crond_t)
+ rpm_manage_log(system_crond_t)
 ')
+')
- optional_policy(`
- cyrus_manage_data(system_crond_t)
- ')
+tunable_policy(`cron_can_relabel',`
+ seutil_domtrans_setfiles(system_crond_t)
+',`
+ selinux_get_fs_mount(system_crond_t)
+ selinux_validate_context(system_crond_t)
+ selinux_compute_access_vector(system_crond_t)
+ selinux_compute_create_context(system_crond_t)
+ selinux_compute_relabel_context(system_crond_t)
+ selinux_compute_user_contexts(system_crond_t)
+ seutil_read_file_contexts(system_crond_t)
+')
- optional_policy(`
- ftp_read_log(system_crond_t)
- ')
+optional_policy(`
+ # Needed for certwatch
+ apache_exec_modules(system_crond_t)
+ apache_read_config(system_crond_t)
+ apache_read_log(system_crond_t)
+ apache_read_sys_content(system_crond_t)
+')
- optional_policy(`
- inn_manage_log(system_crond_t)
- inn_manage_pid(system_crond_t)
- inn_read_config(system_crond_t)
- ')
+optional_policy(`
+ cyrus_manage_data(system_crond_t)
+')
- optional_policy(`
- mrtg_append_create_logs(system_crond_t)
- ')
+optional_policy(`
+ 
ftp_read_log(system_crond_t)
+')
- optional_policy(`
- mta_send_mail(system_crond_t)
- ')
+optional_policy(`
+ inn_manage_log(system_crond_t)
+ inn_manage_pid(system_crond_t)
+ inn_read_config(system_crond_t)
+')
- optional_policy(`
- mysql_read_config(system_crond_t)
- ')
+optional_policy(`
+ mrtg_append_create_logs(system_crond_t)
+')
- optional_policy(`
- nis_use_ypbind(system_crond_t)
- ')
+optional_policy(`
+ mta_send_mail(system_crond_t)
+')
- optional_policy(`
- nscd_socket_use(system_crond_t)
- ')
+optional_policy(`
+ mysql_read_config(system_crond_t)
+')
- optional_policy(`
- postfix_read_config(system_crond_t)
- ')
+optional_policy(`
+ nis_use_ypbind(system_crond_t)
+')
- optional_policy(`
- prelink_read_cache(system_crond_t)
- prelink_manage_log(system_crond_t)
- prelink_delete_cache(system_crond_t)
- ')
+optional_policy(`
+ nscd_socket_use(system_crond_t)
+')
- optional_policy(`
- samba_read_config(system_crond_t)
- samba_read_log(system_crond_t)
- #samba_read_secrets(system_crond_t)
- ')
+optional_policy(`
+ postfix_read_config(system_crond_t)
+')
- optional_policy(`
- slocate_create_append_log(system_crond_t)
- ')
+optional_policy(`
+ prelink_read_cache(system_crond_t)
+ prelink_manage_log(system_crond_t)
+ prelink_delete_cache(system_crond_t)
+')
- optional_policy(`
- sysstat_manage_log(system_crond_t)
- ')
+optional_policy(`
+ samba_read_config(system_crond_t)
+ samba_read_log(system_crond_t)
+ #samba_read_secrets(system_crond_t)
+')
+
+optional_policy(`
+ slocate_create_append_log(system_crond_t)
+')
- ifdef(`TODO',`
- dontaudit userdomain system_crond_t:fd use;
+optional_policy(`
+ # cjp: why?
+ squid_domtrans(system_crond_t)
+')
- allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
+optional_policy(`
+ sysstat_manage_log(system_crond_t)
+')
- # for if /var/mail is a symlink
- allow system_crond_t mail_spool_t:lnk_file read;
+optional_policy(`
+ unconfined_domain(system_crond_t)
- ifdef(`mta.te', `
- allow mta_user_agent system_crond_t:fd use;
- r_dir_file(system_mail_t, crond_tmp_t)
- ')
- ') dnl end TODO
+ userdom_priveleged_home_dir_manager(system_crond_t)
+')
+
+ifdef(`TODO',`
+ifdef(`mta.te', `
+allow system_crond_t mail_spool_t:lnk_file read;
+allow mta_user_agent system_crond_t:fd use;
+r_dir_file(system_mail_t, crond_tmp_t)
 ')
+') dnl end TODO
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index 4ddf3da..fc06d64 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -231,25 +231,6 @@ ifdef(`enable_mls',`
 lpd_relabel_spool(cupsd_t)
 ')
-ifdef(`targeted_policy',`
- files_dontaudit_read_root_files(cupsd_t)
-
- term_dontaudit_use_unallocated_ttys(cupsd_t)
- term_dontaudit_use_generic_ptys(cupsd_t)
-
- init_stream_connect_script(cupsd_t)
-
- unconfined_rw_pipes(cupsd_t)
-
- optional_policy(`
- init_dbus_chat_script(cupsd_t)
-
- unconfined_dbus_send(cupsd_t)
-
- dbus_stub(cupsd_t)
- ')
-')
-
 optional_policy(`
 apm_domtrans_client(cupsd_t)
 ')
@@ -395,15 +376,6 @@ ifdef(`distro_redhat',`
 ')
 ')
-ifdef(`targeted_policy',`
- files_dontaudit_read_root_files(cupsd_config_t)
-
- term_dontaudit_use_unallocated_ttys(cupsd_config_t)
- term_use_generic_ptys(cupsd_config_t)
-
- unconfined_rw_pipes(cupsd_config_t)
-')
-
 optional_policy(`
 cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
 ')
@@ -617,12 +589,6 @@ userdom_dontaudit_search_all_users_home_content(hplip_t)
 lpd_read_config(cupsd_t)
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(hplip_t)
- term_dontaudit_use_generic_ptys(hplip_t)
- files_dontaudit_read_root_files(hplip_t)
-')
-
 optional_policy(`
 seutil_sigchld_newrole(hplip_t)
 ')
@@ -695,12 +661,6 @@ sysnet_read_config(ptal_t)
 userdom_dontaudit_use_unpriv_user_fds(ptal_t)
 userdom_dontaudit_search_all_users_home_content(ptal_t)
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(ptal_t)
- term_dontaudit_use_generic_ptys(ptal_t)
- files_dontaudit_read_root_files(ptal_t)
-')
-
 optional_policy(`
 seutil_sigchld_newrole(ptal_t)
 ')
diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
index 23ede85..8b6300a 100644
--- a/policy/modules/services/cyrus.te
+++ b/policy/modules/services/cyrus.te
@@ -109,17 +109,10 @@ sysnet_read_config(cyrus_t)
 userdom_dontaudit_use_unpriv_user_fds(cyrus_t)
 userdom_dontaudit_search_sysadm_home_dirs(cyrus_t)
 userdom_use_unpriv_users_fds(cyrus_t)
-userdom_use_sysadm_ptys(cyrus_t)
 mta_manage_spool(cyrus_t)
 mta_send_mail(cyrus_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(cyrus_t)
- term_dontaudit_use_generic_ptys(cyrus_t)
- files_dontaudit_read_root_files(cyrus_t)
-')
-
 optional_policy(`
 cron_system_entry(cyrus_t,cyrus_exec_t)
 ')
diff --git a/policy/modules/services/dante.te b/policy/modules/services/dante.te
index b421355..1bc9f64 100644
--- a/policy/modules/services/dante.te
+++ b/policy/modules/services/dante.te
@@ -74,12 +74,6 @@ sysnet_read_config(dante_t)
 userdom_dontaudit_use_unpriv_user_fds(dante_t)
 userdom_dontaudit_search_sysadm_home_dirs(dante_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(dante_t)
- term_dontaudit_use_generic_ptys(dante_t)
- files_dontaudit_read_root_files(dante_t)
-')
-
 optional_policy(`
 seutil_sigchld_newrole(dante_t)
 ')
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 5587696..9d0cfe3 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -13,6 +13,7 @@ interface(`dbus_stub',`
 gen_require(`
 type system_dbusd_t;
+ class dbus all_dbus_perms;
 ')
 ')
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index c2cb1c0..12f7737 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -2,7 +2,7 @@ policy_module(dbus,1.7.0)
 gen_require(`
- class dbus { send_msg acquire_svc };
+ class dbus all_dbus_perms;
 ')
 ##############################
@@ -108,12 +108,6 @@ seutil_sigchld_newrole(system_dbusd_t)
 userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
 userdom_dontaudit_search_sysadm_home_dirs(system_dbusd_t)
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(system_dbusd_t)
- term_dontaudit_use_generic_ptys(system_dbusd_t)
- files_dontaudit_read_root_files(system_dbusd_t)
-')
-
 tunable_policy(`read_default_t',`
 files_list_default(system_dbusd_t)
 files_read_default_files(system_dbusd_t)
diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te
index 450bb53..d966d13 100644
--- a/policy/modules/services/dcc.te
+++ b/policy/modules/services/dcc.te
@@ -275,12 +275,6 @@ sysnet_dns_name_resolve(dccd_t)
 userdom_dontaudit_use_unpriv_user_fds(dccd_t)
 userdom_dontaudit_search_sysadm_home_dirs(dccd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(dccd_t)
- term_dontaudit_use_generic_ptys(dccd_t)
- files_dontaudit_read_root_files(dccd_t)
-')
-
 optional_policy(`
 nscd_socket_use(dccd_t)
 ')
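Review bot: The added `class dbus all_dbus_perms;` inside `dbus_stub`'s gen_require relies on an `all_dbus_perms` permission-set macro that nothing in this diff defines; if it is not declared in the policy's global permission sets, m4 passes the name through literally and the policy compiler rejects the require block, so confirm the define lands in the same commit. A short comment above the line naming where `all_dbus_perms` is defined would make that dependency visible to readers of the stub. Since this interface body consists only of the gen_require, requiring every permission in the set also means the stub fails to link against any policy whose `dbus` class lacks one of them, whereas requiring just the permissions its callers send would be the narrower contract — hedged, as the callers are not in view.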
@@ -354,12 +348,6 @@ sysnet_dns_name_resolve(dccifd_t)
 userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
 userdom_dontaudit_search_sysadm_home_dirs(dccifd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(dccifd_t)
- term_dontaudit_use_generic_ptys(dccifd_t)
- files_dontaudit_read_root_files(dccifd_t)
-')
-
 optional_policy(`
 nscd_socket_use(dccifd_t)
 ')
@@ -432,12 +420,6 @@ sysnet_dns_name_resolve(dccm_t)
 userdom_dontaudit_use_unpriv_user_fds(dccm_t)
 userdom_dontaudit_search_sysadm_home_dirs(dccm_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(dccm_t)
- term_dontaudit_use_generic_ptys(dccm_t)
- files_dontaudit_read_root_files(dccm_t)
-')
-
 optional_policy(`
 nscd_socket_use(dccm_t)
 ')
diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te
index 4c0420b..89aa5ad 100644
--- a/policy/modules/services/ddclient.te
+++ b/policy/modules/services/ddclient.te
@@ -100,12 +100,6 @@ sysnet_read_config(ddclient_t)
 userdom_dontaudit_use_unpriv_user_fds(ddclient_t)
 userdom_dontaudit_search_sysadm_home_dirs(ddclient_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(ddclient_t)
- term_dontaudit_use_generic_ptys(ddclient_t)
- files_dontaudit_read_root_files(ddclient_t)
-')
-
 optional_policy(`
 seutil_sigchld_newrole(ddclient_t)
 ')
diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
index 257cda7..c4cd996 100644
--- a/policy/modules/services/dhcp.te
+++ b/policy/modules/services/dhcp.te
@@ -105,12 +105,6 @@ ifdef(`distro_gentoo',`
 allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
 ')
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(dhcpd_t)
- term_dontaudit_use_generic_ptys(dhcpd_t)
- files_dontaudit_read_root_files(dhcpd_t)
-')
-
 optional_policy(`
 # used for dynamic DNS
 bind_read_dnssec_keys(dhcpd_t)
diff --git a/policy/modules/services/dictd.te b/policy/modules/services/dictd.te
index f78306a..2bd1d91 100644
--- a/policy/modules/services/dictd.te
+++ b/policy/modules/services/dictd.te
@@ -76,12 +76,6 @@ sysnet_read_config(dictd_t)
 userdom_dontaudit_use_unpriv_user_fds(dictd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(dictd_t)
- term_dontaudit_use_generic_ptys(dictd_t)
- files_dontaudit_read_root_files(dictd_t)
-')
-
 optional_policy(`
 nis_use_ypbind(dictd_t)
 ')
diff --git a/policy/modules/services/distcc.te b/policy/modules/services/distcc.te
index 49b4b68..844c839 100644
--- a/policy/modules/services/distcc.te
+++ b/policy/modules/services/distcc.te
@@ -83,12 +83,6 @@ sysnet_read_config(distccd_t)
 userdom_dontaudit_use_unpriv_user_fds(distccd_t)
 userdom_dontaudit_search_sysadm_home_dirs(distccd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(distccd_t)
- term_dontaudit_use_generic_ptys(distccd_t)
- files_dontaudit_read_root_files(distccd_t)
-')
-
 optional_policy(`
 nis_use_ypbind(distccd_t)
 ')
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index e4a2c8b..42b6bf4 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -83,12 +83,6 @@ sysnet_read_config(dnsmasq_t)
 userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
 userdom_dontaudit_search_sysadm_home_dirs(dnsmasq_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(dnsmasq_t)
- term_dontaudit_use_generic_ptys(dnsmasq_t)
- files_dontaudit_read_root_files(dnsmasq_t)
-')
-
 optional_policy(`
 nis_use_ypbind(dnsmasq_t)
 ')
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index 81b3f6d..a0af2de 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -120,12 +120,6 @@ userdom_priveleged_home_dir_manager(dovecot_t)
 mta_manage_spool(dovecot_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(dovecot_t)
- term_dontaudit_use_generic_ptys(dovecot_t)
- files_dontaudit_read_root_files(dovecot_t)
-')
-
 optional_policy(`
 kerberos_use(dovecot_t)
 ')
diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
index 360a251..c0d48ce 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
@@ -55,11 +55,6 @@ logging_read_generic_logs(fail2ban_t)
 miscfiles_read_localization(fail2ban_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(fail2ban_t)
- term_dontaudit_use_generic_ptys(fail2ban_t)
-')
-
 optional_policy(`
 apache_read_log(fail2ban_t)
 ')
diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
index f1bbac5..23ab327 100644
--- a/policy/modules/services/fetchmail.te
+++ b/policy/modules/services/fetchmail.te
@@ -85,12 +85,6 @@ sysnet_read_config(fetchmail_t)
 userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
 userdom_dontaudit_search_sysadm_home_dirs(fetchmail_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(fetchmail_t)
- term_dontaudit_use_generic_ptys(fetchmail_t)
- files_dontaudit_read_root_files(fetchmail_t)
-')
-
 optional_policy(`
 seutil_sigchld_newrole(fetchmail_t)
 ')
diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te
index cb62ac1..c2b0997 100644
--- a/policy/modules/services/finger.te
+++ b/policy/modules/services/finger.te
@@ -98,12 +98,6 @@ userdom_dontaudit_search_sysadm_home_dirs(fingerd_t)
 # have to change this when we create a type for Maildir
 userdom_dontaudit_search_generic_user_home_dirs(fingerd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(fingerd_t)
- term_dontaudit_use_generic_ptys(fingerd_t)
- files_dontaudit_read_root_files(fingerd_t)
-')
-
 optional_policy(`
 cron_system_entry(fingerd_t, fingerd_exec_t)
 ')
diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
index e3bbfb5..f24bd26 100644
--- a/policy/modules/services/ftp.if
+++ b/policy/modules/services/ftp.if
@@ -124,3 +124,34 @@ interface(`ftp_domtrans_ftpdctl',`
 corecmd_search_bin($1)
 domtrans_pattern($1, ftpdctl_exec_t, ftpdctl_t)
 ')
+
+########################################
+##
+## Execute the ftpdctl program in the ftpdctl domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+## The role to allow the ftpdctl domain.
+##
+##
+##
+## The type of the terminal allow the ftpdctl domain to use.
+##
+##
+##
+#
+interface(`ftp_run_ftpdctl',`
+ gen_require(`
+ type ftpdctl_t;
+ ')
+
+ ftp_domtrans_ftpdctl($1)
+ role $2 types ftpdctl_t;
+ allow ftpdctl_t $3:chr_file rw_term_perms;
+')
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 450074a..ee383b3 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -181,13 +181,6 @@ sysnet_use_ldap(ftpd_t)
 userdom_dontaudit_search_sysadm_home_dirs(ftpd_t)
 userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
-ifdef(`targeted_policy',`
- files_dontaudit_read_root_files(ftpd_t)
-
- term_dontaudit_use_generic_ptys(ftpd_t)
- term_dontaudit_use_unallocated_ttys(ftpd_t)
-')
-
 tunable_policy(`allow_ftpd_anon_write',`
 miscfiles_manage_public_files(ftpd_t)
 ')
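Review bot: The `$3` parameter description in the new `ftp_run_ftpdctl` doc block reads `## The type of the terminal allow the ftpdctl domain to use.`; it should read `## The type of the terminal to allow the ftpdctl domain to use.`. As rendered here the block's XML tags are absent, leaving bare `##` lines where the `<summary>` and `<param name="...">` markup would sit — presumably stripped by this view rather than missing from the commit, but worth confirming since the refpolicy documentation build keys on those tags. The interface body itself follows the usual run-interface pattern (domain transition, `role $2 types ftpdctl_t;`, `rw_term_perms` on `$3`), so there is no functional objection.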
@@ -224,10 +217,6 @@ tunable_policy(`ftp_home_dir',`
 userdom_manage_all_users_home_content_dirs(ftpd_t)
 userdom_manage_all_users_home_content_files(ftpd_t)
 userdom_manage_all_users_home_content_symlinks(ftpd_t)
-
- ifdef(`targeted_policy',`
- userdom_generic_user_home_dir_filetrans_generic_user_home_content(ftpd_t,{ dir file lnk_file sock_file fifo_file })
- ')
 ')
 tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
@@ -300,7 +289,3 @@ files_read_etc_files(ftpdctl_t)
 libs_use_ld_so(ftpdctl_t)
 libs_use_shared_libs(ftpdctl_t)
-
-ifdef(`targeted_policy',`
- term_use_generic_ptys(ftpdctl_t)
-')
diff --git a/policy/modules/services/gatekeeper.te b/policy/modules/services/gatekeeper.te
index fdee3a1..0c12d3c 100644
--- a/policy/modules/services/gatekeeper.te
+++ b/policy/modules/services/gatekeeper.te
@@ -90,12 +90,6 @@ sysnet_read_config(gatekeeper_t)
 userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
 userdom_dontaudit_search_sysadm_home_dirs(gatekeeper_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(gatekeeper_t)
- term_dontaudit_use_generic_ptys(gatekeeper_t)
- files_dontaudit_read_root_files(gatekeeper_t)
-')
-
 optional_policy(`
 nis_use_ypbind(gatekeeper_t)
 ')
diff --git a/policy/modules/services/gpm.te b/policy/modules/services/gpm.te
index 977de38..3299d0d 100644
--- a/policy/modules/services/gpm.te
+++ b/policy/modules/services/gpm.te
@@ -71,12 +71,6 @@ miscfiles_read_localization(gpm_t)
 userdom_dontaudit_use_unpriv_user_fds(gpm_t)
 userdom_dontaudit_search_sysadm_home_dirs(gpm_t)
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_tt ys(gpm_t)
- term_dontaudit_use_generic_ptys(gpm_t)
- files_dontaudit_read_root_files(gpm_t)
-')
-
 optional_policy(`
 seutil_sigchld_newrole(gpm_t)
 ')
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
index f368e3b..e250c07 100644
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -195,11 +195,6 @@ sysnet_read_config(hald_t)
 userdom_dontaudit_use_unpriv_user_fds(hald_t)
 userdom_dontaudit_search_sysadm_home_dirs(hald_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_generic_ptys(hald_t)
- files_dontaudit_read_root_files(hald_t)
-')
-
 optional_policy(`
 alsa_domtrans(hald_t)
 alsa_read_rw_config(hald_t)
@@ -332,11 +327,6 @@ libs_use_shared_libs(hald_acl_t)
 miscfiles_read_localization(hald_acl_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_console(hald_acl_t)
- term_dontaudit_use_generic_ptys(hald_acl_t)
-')
-
 ########################################
 #
 # Local hald mac policy
@@ -359,11 +349,6 @@ libs_use_shared_libs(hald_mac_t)
 miscfiles_read_localization(hald_mac_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_console(hald_mac_t)
- term_dontaudit_use_generic_ptys(hald_mac_t)
-')
-
 ########################################
 #
 # Local hald sonypic policy
@@ -387,11 +372,6 @@ libs_use_shared_libs(hald_sonypic_t)
 miscfiles_read_localization(hald_sonypic_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_console(hald_sonypic_t)
- term_dontaudit_use_generic_ptys(hald_sonypic_t)
-')
-
 ########################################
 #
 # Hal keymap local policy
diff --git a/policy/modules/services/howl.te b/policy/modules/services/howl.te
index 7e2180b..801d07d 100644
--- a/policy/modules/services/howl.te
+++ b/policy/modules/services/howl.te
@@ -71,12 +71,6 @@ sysnet_read_config(howl_t)
 userdom_dontaudit_use_unpriv_user_fds(howl_t)
 userdom_dontaudit_search_sysadm_home_dirs(howl_t)
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(howl_t)
- term_dontaudit_use_generic_ptys(howl_t)
- files_dontaudit_read_root_files(howl_t)
-')
-
 optional_policy(`
 nis_use_ypbind(howl_t)
 ')
diff --git a/policy/modules/services/i18n_input.te b/policy/modules/services/i18n_input.te
index afa1441..480798f 100644
--- a/policy/modules/services/i18n_input.te
+++ b/policy/modules/services/i18n_input.te
@@ -80,12 +80,6 @@ userdom_dontaudit_use_unpriv_user_fds(i18n_input_t)
 userdom_dontaudit_search_sysadm_home_dirs(i18n_input_t)
 userdom_read_unpriv_users_home_content_files(i18n_input_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(i18n_input_t)
- term_dontaudit_use_generic_ptys(i18n_input_t)
- files_dontaudit_read_root_files(i18n_input_t)
-')
-
 tunable_policy(`use_nfs_home_dirs',`
 fs_read_nfs_files(i18n_input_t)
 fs_read_nfs_symlinks(i18n_input_t)
diff --git a/policy/modules/services/imaze.te b/policy/modules/services/imaze.te
index a998007..92200c7 100644
--- a/policy/modules/services/imaze.te
+++ b/policy/modules/services/imaze.te
@@ -90,12 +90,6 @@ sysnet_read_config(imazesrv_t)
 userdom_use_unpriv_users_fds(imazesrv_t)
 userdom_dontaudit_search_sysadm_home_dirs(imazesrv_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(imazesrv_t)
- term_dontaudit_use_generic_ptys(imazesrv_t)
- files_dontaudit_read_root_files(imazesrv_t)
-')
-
 optional_policy(`
 nis_use_ypbind(imazesrv_t)
 ')
diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
index 72ba249..f952d22 100644
--- a/policy/modules/services/inetd.te
+++ b/policy/modules/services/inetd.te
@@ -151,13 +151,6 @@ ifdef(`enable_mls',`
 corenet_tcp_recvfrom_netlabel(inetd_t)
 corenet_udp_recvfrom_netlabel(inetd_t)
 ')
-
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(inetd_t)
- term_dontaudit_use_generic_ptys(inetd_t)
- files_dontaudit_read_root_files(inetd_t)
-')
-
 optional_policy(`
 amanda_search_lib(inetd_t)
 ')
@@ -170,12 +163,8 @@ optional_policy(`
 udev_read_db(inetd_t)
 ')
-ifdef(`targeted_policy',`
- unconfined_domain(inetd_t)
-',`
- optional_policy(`
- unconfined_domtrans(inetd_t)
- ')
+optional_policy(`
+ unconfined_domtrans(inetd_t)
 ')
 ########################################
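Review bot: In the inetd.te hunk at `@@ -170,12 +163,8 @@`, folding the `ifdef(`targeted_policy'` branch away leaves inetd_t with only `unconfined_domtrans(inetd_t)` when the unconfined module is present, whereas the removed targeted branch made it `unconfined_domain(inetd_t)`; if the merged policy is meant to behave like targeted whenever unconfined is loaded, this is a behaviour change for targeted installs, and it is also asymmetric with the inetd_child_t hunk that follows, which keeps the child domain fully unconfined. If confining inetd_t itself is intended, record it with a comment above the new block, e.g. `# inetd_t stays confined even with the unconfined module loaded; only spawned services may become unconfined`, so the asymmetry reads as deliberate rather than as a merge slip. The enclosing optional_policy for udev_read_db starts before the hunk.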
@@ -230,11 +219,10 @@ miscfiles_read_localization(inetd_child_t)
 sysnet_read_config(inetd_child_t)
-ifdef(`targeted_policy',`
- unconfined_domain(inetd_child_t)
-')
-
 optional_policy(`
 kerberos_use(inetd_child_t)
 ')
+optional_policy(`
+ unconfined_domain(inetd_child_t)
+')
diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te
index 125b9cb..302cb65 100644
--- a/policy/modules/services/inn.te
+++ b/policy/modules/services/inn.te
@@ -109,12 +109,6 @@ userdom_dontaudit_search_sysadm_home_dirs(innd_t)
 mta_send_mail(innd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(innd_t)
- term_dontaudit_use_generic_ptys(innd_t)
- files_dontaudit_read_root_files(innd_t)
-')
-
 optional_policy(`
 cron_system_entry(innd_t, innd_exec_t)
 ')
diff --git a/policy/modules/services/ircd.te b/policy/modules/services/ircd.te
index 8551674..da7b457 100644
--- a/policy/modules/services/ircd.te
+++ b/policy/modules/services/ircd.te
@@ -84,12 +84,6 @@ sysnet_read_config(ircd_t)
 userdom_dontaudit_use_unpriv_user_fds(ircd_t)
 userdom_dontaudit_search_sysadm_home_dirs(ircd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(ircd_t)
- term_dontaudit_use_generic_ptys(ircd_t)
- files_dontaudit_read_root_files(ircd_t)
-')
-
 optional_policy(`
 nis_use_ypbind(ircd_t)
 ')
diff --git a/policy/modules/services/irqbalance.te b/policy/modules/services/irqbalance.te
index bfac2d5..5523142 100644
--- a/policy/modules/services/irqbalance.te
+++ b/policy/modules/services/irqbalance.te
@@ -52,12 +52,6 @@ miscfiles_read_localization(irqbalance_t)
 userdom_dontaudit_use_unpriv_user_fds(irqbalance_t)
 userdom_dontaudit_search_sysadm_home_dirs(irqbalance_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(irqbalance_t)
- term_dontaudit_use_generic_ptys(irqbalance_t)
- files_dontaudit_read_root_files(irqbalance_t)
-')
-
 optional_policy(`
 seutil_sigchld_newrole(irqbalance_t)
 ')
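Review bot: Moving `unconfined_domain(inetd_child_t)` into a plain `optional_policy(` makes inetd_child_t fully unconfined whenever the unconfined module is loaded, including on systems that otherwise run confined users and services, where the old `ifdef(`targeted_policy'` guard limited that to the targeted build. Since inetd_child_t is presumably the fallback domain for inetd-spawned services that have no policy of their own, this is a broad grant to network-facing code, so it deserves either a boolean or at least a comment above the block, e.g. `# inetd_child_t has no per-service policy; it is unconfined whenever the unconfined module is loaded`, so the choice is visible to anyone auditing a confined configuration.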
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
index 12ae945..8ac8c3c 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -82,12 +82,6 @@ sysnet_read_config(jabberd_t)
 userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
 userdom_dontaudit_search_sysadm_home_dirs(jabberd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(jabberd_t)
- term_dontaudit_use_generic_ptys(jabberd_t)
- files_dontaudit_read_root_files(jabberd_t)
-')
-
 optional_policy(`
 nis_use_ypbind(jabberd_t)
 ')
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index ae02e95..a67c302 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -131,12 +131,6 @@ sysnet_read_config(kadmind_t)
 userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
 userdom_dontaudit_search_sysadm_home_dirs(kadmind_t)
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(kadmind_t)
- term_dontaudit_use_generic_ptys(kadmind_t)
- files_dontaudit_read_root_files(kadmind_t)
-')
-
 optional_policy(`
 nis_use_ypbind(kadmind_t)
 ')
@@ -233,12 +227,6 @@ sysnet_read_config(krb5kdc_t)
 userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
 userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(krb5kdc_t)
- term_dontaudit_use_generic_ptys(krb5kdc_t)
- files_dontaudit_read_root_files(krb5kdc_t)
-')
-
 optional_policy(`
 nis_use_ypbind(krb5kdc_t)
 ')
diff --git a/policy/modules/services/ktalk.te b/policy/modules/services/ktalk.te
index 6785893..4384504 100644
--- a/policy/modules/services/ktalk.te
+++ b/policy/modules/services/ktalk.te
@@ -78,11 +78,6 @@ miscfiles_read_localization(ktalkd_t)
 sysnet_read_config(ktalkd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_generic_ptys(ktalkd_t)
- term_dontaudit_use_unallocated_ttys(ktalkd_t)
-')
-
 optional_policy(`
 nis_use_ypbind(ktalkd_t)
 ')
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
index 0b947fd..71d4a5c 100644
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@@ -117,21 +117,6 @@ sysnet_read_config(slapd_t)
 userdom_dontaudit_use_unpriv_user_fds(slapd_t)
 userdom_dontaudit_search_sysadm_home_dirs(slapd_t)
-ifdef(`targeted_policy',`
- #reh slapcat will want to talk to the terminal
- term_use_generic_ptys(slapd_t)
- term_use_unallocated_ttys(slapd_t)
-
- userdom_search_generic_user_home_dirs(slapd_t)
- #need to be able to read ldif files created by root
- # cjp: fix to not use templated interface:
- userdom_read_user_home_content_files(user,slapd_t)
-
- term_dontaudit_use_unallocated_ttys(slapd_t)
- term_dontaudit_use_generic_ptys(slapd_t)
- files_dontaudit_read_root_files(slapd_t)
-')
-
 optional_policy(`
 kerberos_use(slapd_t)
 ')
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index 52c628a..d69c48b 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -103,11 +103,6 @@ libs_use_shared_libs(checkpc_t)
 sysnet_read_config(checkpc_t)
-ifdef(`targeted_policy',`
- term_use_generic_ptys(checkpc_t)
- term_use_unallocated_ttys(checkpc_t)
-')
-
 optional_policy(`
 cron_system_entry(checkpc_t,checkpc_exec_t)
 ')
@@ -207,12 +202,6 @@ sysnet_read_config(lpd_t)
 userdom_dontaudit_use_unpriv_user_fds(lpd_t)
 userdom_dontaudit_search_sysadm_home_dirs(lpd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(lpd_t)
- term_dontaudit_use_generic_ptys(lpd_t)
- files_dontaudit_read_root_files(lpd_t)
-')
-
 optional_policy(`
 nis_use_ypbind(lpd_t)
 ')
diff --git a/policy/modules/services/monop.te b/policy/modules/services/monop.te
index a8b621c..1b321d0 100644
--- a/policy/modules/services/monop.te
+++ b/policy/modules/services/monop.te
@@ -76,12 +76,6 @@ sysnet_read_config(monopd_t)
 userdom_dontaudit_use_unpriv_user_fds(monopd_t)
 userdom_dontaudit_search_sysadm_home_dirs(monopd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(monopd_t)
- term_dontaudit_use_generic_ptys(monopd_t)
- files_dontaudit_read_root_files(monopd_t)
-')
-
 optional_policy(`
 nis_use_ypbind(monopd_t)
 ')
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 905dbbc..b701897 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -263,10 +263,8 @@ template(`mta_admin_template',`
 type $1_mail_t;
 ')
- ifdef(`strict_policy',`
- # allow the sysadmin to do "mail someone < /home/user/whatever"
- userdom_read_unpriv_users_home_content_files($1_mail_t)
- ')
+ # allow the sysadmin to do "mail someone < /home/user/whatever"
+ userdom_read_unpriv_users_home_content_files($1_mail_t)
 optional_policy(`
 gen_require(`
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index f4589fc..7d587f5 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -31,14 +31,6 @@ application_executable_file(sendmail_exec_t)
 mta_base_mail_template(system)
 role system_r types system_mail_t;
-# cjp: need to resolve this, but require{}
-# does not work in the else part of the optional
-#ifdef(`strict_policy',`
-# optional_policy(`',`
-# init_system_domain(system_mail_t,sendmail_exec_t)
-# ')
-#')
-
 ########################################
 #
 # System mail local policy
@@ -60,34 +52,6 @@ init_use_script_ptys(system_mail_t)
 userdom_use_sysadm_terms(system_mail_t)
 userdom_dontaudit_search_sysadm_home_dirs(system_mail_t)
-ifdef(`targeted_policy',`
- typealias system_mail_t alias sysadm_mail_t;
-
- manage_dirs_pattern(system_mail_t,mail_spool_t,mail_spool_t)
- manage_files_pattern(system_mail_t,mail_spool_t,mail_spool_t)
- manage_lnk_files_pattern(system_mail_t,mail_spool_t,mail_spool_t)
- manage_fifo_files_pattern(system_mail_t,mail_spool_t,mail_spool_t)
-
- # for reading .forward - maybe we need a new type for it?
- # also for delivering mail to maildir
- userdom_manage_generic_user_home_content_dirs(mailserver_delivery)
- userdom_manage_generic_user_home_content_files(mailserver_delivery)
- userdom_manage_generic_user_home_content_symlinks(mailserver_delivery)
- userdom_manage_generic_user_home_content_sockets(mailserver_delivery)
- userdom_manage_generic_user_home_content_pipes(mailserver_delivery)
- userdom_generic_user_home_dir_filetrans_generic_user_home_content(mailserver_delivery,{ dir file lnk_file sock_file fifo_file })
-
-# cjp: another require-in-else to resolve
-# optional_policy(`',`
- corecmd_exec_all_executables(system_mail_t)
-
- files_exec_etc_files(system_mail_t)
-
- libs_exec_ld_so(system_mail_t)
- libs_exec_lib_files(system_mail_t)
-# ')
-')
-
 optional_policy(`
 apache_read_squirrelmail_data(system_mail_t)
 apache_append_squirrelmail_data(system_mail_t)
@@ -181,9 +145,11 @@ optional_policy(`
 # why is mail delivered to a directory of type arpwatch_data_t?
 arpwatch_search_data(mailserver_delivery)
 arpwatch_manage_tmp_files(mta_user_agent)
+
 ifdef(`hide_broken_symptoms', `
 arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
 ')
+
 optional_policy(`
 cron_read_system_job_tmp_files(mta_user_agent)
 ')
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
index 19037dd..a9d33ca 100644
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
@@ -98,12 +98,6 @@ sysnet_read_config(munin_t)
 userdom_dontaudit_use_unpriv_user_fds(munin_t)
 userdom_dontaudit_search_sysadm_home_dirs(munin_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(munin_t)
- term_dontaudit_use_generic_ptys(munin_t)
- files_dontaudit_read_root_files(munin_t)
-')
-
 optional_policy(`
 # for accessing the output directory
 apache_search_sys_content(munin_t)
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index acb6bd4..fe73b60 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -108,12 +108,6 @@ ifdef(`distro_redhat',`
 type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t;
 ')
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(mysqld_t)
- term_dontaudit_use_generic_ptys(mysqld_t)
- files_dontaudit_read_root_files(mysqld_t)
-')
-
 optional_policy(`
 daemontools_service_domain(mysqld_t, mysqld_exec_t)
 ')
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
index 38ef62a..2b1fb2e 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -105,12 +105,6 @@ userdom_dontaudit_search_sysadm_home_dirs(nagios_t)
 mta_send_mail(nagios_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(nagios_t)
- term_dontaudit_use_generic_ptys(nagios_t)
- files_dontaudit_read_root_files(nagios_t)
-')
-
 optional_policy(`
 auth_use_nsswitch(nagios_t)
 ')
@@ -211,12 +205,6 @@ miscfiles_read_localization(nrpe_t)
 userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(nrpe_t)
- term_dontaudit_use_generic_ptys(nrpe_t)
- files_dontaudit_read_root_files(nrpe_t)
-')
-
 optional_policy(`
 inetd_tcp_service_domain(nrpe_t, nrpe_exec_t)
 ')
diff --git a/policy/modules/services/nessus.te b/policy/modules/services/nessus.te
index 7f96fef..027d713 100644
--- a/policy/modules/services/nessus.te
+++ b/policy/modules/services/nessus.te
@@ -96,12 +96,6 @@ sysnet_read_config(nessusd_t) userdom_dontaudit_use_unpriv_user_fds(nessusd_t) userdom_dontaudit_search_sysadm_home_dirs(nessusd_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(nessusd_t) - term_dontaudit_use_generic_ptys(nessusd_t) - files_dontaudit_read_root_files(nessusd_t) -') - optional_policy(` nis_use_ypbind(nessusd_t) ') diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te index b403519..03d6c32 100644 --- a/policy/modules/services/networkmanager.te +++ b/policy/modules/services/networkmanager.te @@ -111,18 +111,8 @@ sysnet_etc_filetrans_config(NetworkManager_t) userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) userdom_dontaudit_search_sysadm_home_dirs(NetworkManager_t) userdom_dontaudit_use_unpriv_users_ttys(NetworkManager_t) - -ifdef(`targeted_policy', ` - term_dontaudit_use_unallocated_ttys(NetworkManager_t) - term_dontaudit_use_generic_ptys(NetworkManager_t) - files_dontaudit_read_root_files(NetworkManager_t) - # Read gnome-keyring - userdom_read_generic_user_home_content_files(NetworkManager_t) - - optional_policy(` - unconfined_rw_pipes(NetworkManager_t) - ') -') +# Read gnome-keyring +userdom_read_unpriv_users_home_content_files(NetworkManager_t) optional_policy(` bind_domtrans(NetworkManager_t) @@ -183,6 +173,11 @@ optional_policy(` ') optional_policy(` + # Read gnome-keyring + unconfined_read_home_content_files(NetworkManager_t) +') + +optional_policy(` vpn_domtrans(NetworkManager_t) vpn_signal(NetworkManager_t) ') diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te index 4337d1a..9e545cc 100644 --- a/policy/modules/services/nis.te +++ b/policy/modules/services/nis.te 
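Review bot: `userdom_read_unpriv_users_home_content_files(NetworkManager_t)` is now unconditional, so every build, including the strict-like one, grants NetworkManager_t read access to all unprivileged users' home content, where the old rule applied only under targeted_policy and used the generic-content variant. The stated purpose is reading gnome-keyring, a far narrower set of files than an entire home directory. Gating the rule behind a boolean in the style of `tunable_policy(`openvpn_enable_homedirs',` … `)` used in openvpn.te, or giving the keyring files a dedicated type, would keep the strict profile from widening. The added optional_policy block for `unconfined_read_home_content_files` covers the unconfined-module case and looks fine.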
@@ -113,12 +113,6 @@ sysnet_read_config(ypbind_t) userdom_dontaudit_use_unpriv_user_fds(ypbind_t) userdom_dontaudit_search_sysadm_home_dirs(ypbind_t) -ifdef(`targeted_policy', ` - term_dontaudit_use_unallocated_ttys(ypbind_t) - term_dontaudit_use_generic_ptys(ypbind_t) - files_dontaudit_read_root_files(ypbind_t) -') - optional_policy(` seutil_sigchld_newrole(ypbind_t) ') @@ -200,12 +194,6 @@ sysnet_read_config(yppasswdd_t) userdom_dontaudit_use_unpriv_user_fds(yppasswdd_t) userdom_dontaudit_search_sysadm_home_dirs(yppasswdd_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(yppasswdd_t) - term_dontaudit_use_generic_ptys(yppasswdd_t) - files_dontaudit_read_root_files(yppasswdd_t) -') - optional_policy(` hostname_exec(yppasswdd_t) ') @@ -289,12 +277,6 @@ sysnet_read_config(ypserv_t) userdom_dontaudit_use_unpriv_user_fds(ypserv_t) userdom_dontaudit_search_sysadm_home_dirs(ypserv_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(ypserv_t) - term_dontaudit_use_generic_ptys(ypserv_t) - files_dontaudit_read_root_files(ypserv_t) -') - optional_policy(` seutil_sigchld_newrole(ypserv_t) ') @@ -350,8 +332,3 @@ logging_send_syslog_msg(ypxfr_t) miscfiles_read_localization(ypxfr_t) sysnet_read_config(ypxfr_t) - -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(ypxfr_t) - term_dontaudit_use_generic_ptys(ypxfr_t) -') diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te index b8f70d3..3cd96ed 100644 --- a/policy/modules/services/nscd.te +++ b/policy/modules/services/nscd.te @@ -106,12 +106,6 @@ sysnet_read_config(nscd_t) userdom_dontaudit_use_unpriv_user_fds(nscd_t) userdom_dontaudit_search_sysadm_home_dirs(nscd_t) -ifdef(`targeted_policy',` - term_use_unallocated_ttys(nscd_t) - term_use_generic_ptys(nscd_t) - files_dontaudit_read_root_files(nscd_t) -') - optional_policy(` udev_read_db(nscd_t) ') diff --git a/policy/modules/services/nsd.te b/policy/modules/services/nsd.te index 5debc19..17c540a 100644 
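Review bot: The nscd_t block being removed held allow rules (`term_use_unallocated_ttys(nscd_t)` and `term_use_generic_ptys(nscd_t)`), not dontaudit rules, so unlike most hunks in this commit nscd started from an admin terminal loses terminal access in the targeted-like configuration rather than merely becoming noisier. If that is intended the Changelog should say so; otherwise these two lines need an unconditional or tunable home. The same allow-rule removals occur for postfix_postdrop_t in postfix.te and for samba_net_t and winbind_helper_t in samba.te.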
--- a/policy/modules/services/nsd.te +++ b/policy/modules/services/nsd.te @@ -98,12 +98,6 @@ sysnet_read_config(nsd_t) userdom_dontaudit_use_unpriv_user_fds(nsd_t) userdom_dontaudit_search_sysadm_home_dirs(nsd_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(nsd_t) - term_dontaudit_use_generic_ptys(nsd_t) - files_dontaudit_read_root_files(nsd_t) -') - optional_policy(` nis_use_ypbind(nsd_t) ') diff --git a/policy/modules/services/ntop.te b/policy/modules/services/ntop.te index 9fe22ab..1d50ebf 100644 --- a/policy/modules/services/ntop.te +++ b/policy/modules/services/ntop.te @@ -94,12 +94,6 @@ sysnet_read_config(ntop_t) userdom_dontaudit_use_unpriv_user_fds(ntop_t) userdom_dontaudit_search_sysadm_home_dirs(ntop_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(ntop_t) - term_dontaudit_use_generic_ptys(ntop_t) - files_dontaudit_read_root_files(ntop_t) -') - optional_policy(` seutil_sigchld_newrole(ntop_t) ') diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te index 0847b2e..cb1690a 100644 --- a/policy/modules/services/ntp.te +++ b/policy/modules/services/ntp.te @@ -111,18 +111,6 @@ userdom_dontaudit_use_unpriv_user_fds(ntpd_t) userdom_list_sysadm_home_dirs(ntpd_t) userdom_dontaudit_list_sysadm_home_dirs(ntpd_t) -ifdef(`targeted_policy', ` - term_dontaudit_use_unallocated_ttys(ntpd_t) - term_dontaudit_use_generic_ptys(ntpd_t) - files_dontaudit_read_root_files(ntpd_t) - - optional_policy(` - # The Gnome date GUI code is requesting that - # the ntp code change the date of the machine. - unconfined_rw_pipes(ntpd_t) - ') -') - optional_policy(` # for cron jobs cron_system_entry(ntpd_t,ntpdate_exec_t) diff --git a/policy/modules/services/oav.te b/policy/modules/services/oav.te index 7a3c9f5..96bb8a9 100644 --- a/policy/modules/services/oav.te +++ b/policy/modules/services/oav.te 
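Review bot: The ntpd_t hunk drops the nested `optional_policy(` unconfined_rw_pipes(ntpd_t) ')` along with the dontaudit rules, whereas pegasus.te, remotelogin.te and rshd.te in this same commit re-hoist their unconfined_* calls into a top-level optional_policy block. The removed comment says the Gnome date GUI depends on this pipe access, so in the targeted-like configuration that use case now has no rule. If it is meant to survive, a top-level `optional_policy(` unconfined_rw_pipes(ntpd_t) ')` matches the treatment the other modules received.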
@@ -144,12 +144,6 @@ sysnet_read_config(scannerdaemon_t) userdom_dontaudit_use_unpriv_user_fds(scannerdaemon_t) userdom_dontaudit_search_sysadm_home_dirs(scannerdaemon_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(scannerdaemon_t) - term_dontaudit_use_generic_ptys(scannerdaemon_t) - files_dontaudit_read_root_files(scannerdaemon_t) -') - optional_policy(` seutil_sigchld_newrole(scannerdaemon_t) ') diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te index c2d7c5f..c4049a0 100644 --- a/policy/modules/services/oddjob.te +++ b/policy/modules/services/oddjob.te @@ -54,11 +54,6 @@ miscfiles_read_localization(oddjob_t) locallogin_dontaudit_use_fds(oddjob_t) -ifdef(`targeted_policy',` - term_dontaudit_use_generic_ptys(oddjob_t) - term_dontaudit_use_unallocated_ttys(oddjob_t) -') - optional_policy(` dbus_system_bus_client_template(oddjob,oddjob_t) dbus_send_system_bus(oddjob_t) diff --git a/policy/modules/services/openct.te b/policy/modules/services/openct.te index 2e3e602..687ab2c 100644 --- a/policy/modules/services/openct.te +++ b/policy/modules/services/openct.te @@ -54,12 +54,6 @@ userdom_dontaudit_search_sysadm_home_dirs(openct_t) openct_exec(openct_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(openct_t) - term_dontaudit_use_generic_ptys(openct_t) - files_dontaudit_read_root_files(openct_t) -') - optional_policy(` seutil_sigchld_newrole(openct_t) ') diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te index 55900a2..70092cb 100644 --- a/policy/modules/services/openvpn.te +++ b/policy/modules/services/openvpn.te 
@@ -96,11 +96,6 @@ miscfiles_read_certs(openvpn_t) sysnet_dns_name_resolve(openvpn_t) sysnet_exec_ifconfig(openvpn_t) -ifdef(`targeted_policy',` - # Need to interact with terminals if config option "auth-user-pass" is used - term_use_generic_ptys(openvpn_t) -') - tunable_policy(`openvpn_enable_homedirs',` userdom_read_unpriv_users_home_content_files(openvpn_t) ') diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te index ee1be00..7e08dde 100644 --- a/policy/modules/services/pcscd.te +++ b/policy/modules/services/pcscd.te @@ -58,11 +58,6 @@ miscfiles_read_localization(pcscd_t) sysnet_dns_name_resolve(pcscd_t) -ifdef(`targeted_policy',` - term_dontaudit_use_generic_ptys(pcscd_t) - term_dontaudit_use_unallocated_ttys(pcscd_t) -') - optional_policy(` openct_stream_connect(pcscd_t) openct_read_pid_files(pcscd_t) diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te index a0ae68d..ea9e256 100644 --- a/policy/modules/services/pegasus.te +++ b/policy/modules/services/pegasus.te @@ -121,13 +121,6 @@ sysnet_read_config(pegasus_t) userdom_dontaudit_use_unpriv_user_fds(pegasus_t) userdom_dontaudit_search_sysadm_home_dirs(pegasus_t) -ifdef(`targeted_policy', ` - term_dontaudit_use_unallocated_ttys(pegasus_t) - term_dontaudit_use_generic_ptys(pegasus_t) - files_dontaudit_read_root_files(pegasus_t) - unconfined_signull(pegasus_t) -') - optional_policy(` logging_send_syslog_msg(pegasus_t) ') @@ -144,3 +137,7 @@ optional_policy(` optional_policy(` udev_read_db(pegasus_t) ') + +optional_policy(` + unconfined_signull(pegasus_t) +') diff --git a/policy/modules/services/perdition.te b/policy/modules/services/perdition.te index 9634866..a817d46 100644 --- a/policy/modules/services/perdition.te +++ b/policy/modules/services/perdition.te 
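Review bot: The removed openvpn_t block carried a comment that `term_use_generic_ptys(openvpn_t)` is needed when the `auth-user-pass` option prompts on a terminal; with the ifdef gone there is no path to that permission in any configuration. Since the file already uses `tunable_policy(`openvpn_enable_homedirs',` … `)`, a similar boolean for interactive credential prompting would preserve the case while keeping pty access off for the daemon by default. The openvpn_t section continues outside the hunk.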
@@ -70,12 +70,6 @@ sysnet_read_config(perdition_t) userdom_dontaudit_use_unpriv_user_fds(perdition_t) userdom_dontaudit_search_sysadm_home_dirs(perdition_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(perdition_t) - term_dontaudit_use_generic_ptys(perdition_t) - files_dontaudit_read_root_files(perdition_t) -') - optional_policy(` seutil_sigchld_newrole(perdition_t) ') diff --git a/policy/modules/services/portmap.te b/policy/modules/services/portmap.te index 89033f2..27ef494 100644 --- a/policy/modules/services/portmap.te +++ b/policy/modules/services/portmap.te @@ -89,12 +89,6 @@ sysnet_read_config(portmap_t) userdom_dontaudit_use_unpriv_user_fds(portmap_t) userdom_dontaudit_search_sysadm_home_dirs(portmap_t) -ifdef(`targeted_policy', ` - term_dontaudit_use_unallocated_ttys(portmap_t) - term_dontaudit_use_generic_ptys(portmap_t) - files_dontaudit_read_root_files(portmap_t) -') - optional_policy(` nis_use_ypbind(portmap_t) ') @@ -158,11 +152,6 @@ sysnet_read_config(portmap_helper_t) userdom_dontaudit_use_all_users_fds(portmap_helper_t) -ifdef(`targeted_policy', ` - term_dontaudit_use_unallocated_ttys(portmap_helper_t) - term_dontaudit_use_generic_ptys(portmap_helper_t) -') - optional_policy(` nis_use_ypbind(portmap_helper_t) ') diff --git a/policy/modules/services/portslave.te b/policy/modules/services/portslave.te index 3cac76a..9ba5db8 100644 --- a/policy/modules/services/portslave.te +++ b/policy/modules/services/portslave.te @@ -112,12 +112,6 @@ ppp_pid_filetrans(portslave_t) ssh_exec(portslave_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(portslave_t) - term_dontaudit_use_generic_ptys(portslave_t) - files_dontaudit_read_root_files(portslave_t) -') - optional_policy(` inetd_tcp_service_domain(portslave_t,portslave_exec_t) ') diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if index bafbdf8..7e4e584 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if 
@@ -93,12 +93,6 @@ template(`postfix_domain_template',` userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t) - ifdef(`targeted_policy', ` - term_dontaudit_use_unallocated_ttys(postfix_$1_t) - term_dontaudit_use_generic_ptys(postfix_$1_t) - files_dontaudit_read_root_files(postfix_$1_t) - ') - optional_policy(` nscd_socket_use(postfix_$1_t) ') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index 6191453..108c89c 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -180,12 +180,6 @@ mta_read_sendmail_bin(postfix_master_t) optional_policy(` auth_use_nsswitch(postfix_master_t) ') - -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(postfix_master_t) - term_dontaudit_use_generic_ptys(postfix_master_t) -') - optional_policy(` cyrus_stream_connect(postfix_master_t) ') @@ -200,10 +194,6 @@ optional_policy(` ') optional_policy(` - nis_use_ypbind(postfix_master_t) -') - -optional_policy(` sendmail_signal(postfix_master_t) ') @@ -363,11 +353,6 @@ seutil_read_config(postfix_map_t) sysnet_read_config(postfix_map_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(postfix_map_t) - term_dontaudit_use_generic_ptys(postfix_map_t) -') - tunable_policy(`read_default_t',` files_list_default(postfix_map_t) files_read_default_files(postfix_map_t) @@ -452,11 +437,6 @@ sysnet_dns_name_resolve(postfix_postdrop_t) mta_rw_user_mail_stream_sockets(postfix_postdrop_t) -ifdef(`targeted_policy', ` - term_use_unallocated_ttys(postfix_postdrop_t) - term_use_generic_ptys(postfix_postdrop_t) -') - optional_policy(` cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) ') diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index f1d1623..7c384f1 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te 
@@ -136,12 +136,6 @@ userdom_dontaudit_use_unpriv_user_fds(postgresql_t) mta_getattr_spool(postgresql_t) -ifdef(`targeted_policy', ` - files_dontaudit_read_root_files(postgresql_t) - term_dontaudit_use_generic_ptys(postgresql_t) - term_dontaudit_use_unallocated_ttys(postgresql_t) -') - tunable_policy(`allow_execmem',` allow postgresql_t self:process execmem; ') @@ -174,19 +168,3 @@ optional_policy(` optional_policy(` udev_read_db(postgresql_t) ') - -ifdef(`TODO',` -ifdef(`distro_debian', ` - init_exec_script_files(postgresql_t) - # gross hack - postgresql_domtrans(dpkg_t) - can_exec(postgresql_t, dpkg_exec_t) -') - -ifdef(`distro_gentoo', ` - allow postgresql_t initrc_su_t:process { sigchld }; - # "su - postgres ..." is called from initrc_t - postgresql_search_db(initrc_su_t) - dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms; -') -') diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te index df44c63..5d29747 100644 --- a/policy/modules/services/postgrey.te +++ b/policy/modules/services/postgrey.te @@ -80,12 +80,6 @@ sysnet_read_config(postgrey_t) userdom_dontaudit_use_unpriv_user_fds(postgrey_t) userdom_dontaudit_search_sysadm_home_dirs(postgrey_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(postgrey_t) - term_dontaudit_use_generic_ptys(postgrey_t) - files_dontaudit_read_root_files(postgrey_t) -') - optional_policy(` nis_use_ypbind(postgrey_t) ') diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te index fdf23d6..4739329 100644 --- a/policy/modules/services/ppp.te +++ b/policy/modules/services/ppp.te @@ -13,14 +13,12 @@ policy_module(ppp,1.5.0) ## gen_tunable(pppd_can_insmod,false) -ifdef(`strict_policy',` ## ##

## Allow pppd to be run for a regular user ##

##
gen_tunable(pppd_for_user,false) -') # pppd_t is the domain for the pppd program. # pppd_exec_t is the type of the pppd executable. @@ -184,12 +182,6 @@ userdom_search_unpriv_users_home_dirs(pppd_t) ppp_exec(pppd_t) -ifdef(`targeted_policy', ` - term_dontaudit_use_unallocated_ttys(pppd_t) - term_dontaudit_use_generic_ptys(pppd_t) - files_dontaudit_read_root_files(pppd_t) -') - optional_policy(` ddclient_domtrans(pppd_t) ') @@ -295,12 +287,6 @@ sysnet_read_config(pptp_t) userdom_dontaudit_use_unpriv_user_fds(pptp_t) userdom_dontaudit_search_sysadm_home_dirs(pptp_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(pptp_t) - term_dontaudit_use_generic_ptys(pptp_t) - files_dontaudit_read_root_files(pptp_t) -') - optional_policy(` consoletype_exec(pppd_t) ') diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te index c8391e7..92e1525 100644 --- a/policy/modules/services/privoxy.te +++ b/policy/modules/services/privoxy.te @@ -80,12 +80,6 @@ userdom_dontaudit_search_sysadm_home_dirs(privoxy_t) # cjp: this should really not be needed userdom_use_sysadm_terms(privoxy_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(privoxy_t) - term_dontaudit_use_generic_ptys(privoxy_t) - files_dontaudit_read_root_files(privoxy_t) -') - optional_policy(` nis_use_ypbind(privoxy_t) ') diff --git a/policy/modules/services/pxe.te b/policy/modules/services/pxe.te index 2e16ef3..a0b7d91 100644 --- a/policy/modules/services/pxe.te +++ b/policy/modules/services/pxe.te @@ -58,12 +58,6 @@ miscfiles_read_localization(pxe_t) userdom_dontaudit_use_unpriv_user_fds(pxe_t) userdom_dontaudit_search_sysadm_home_dirs(pxe_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(pxe_t) - term_dontaudit_use_generic_ptys(pxe_t) - files_dontaudit_read_root_files(pxe_t) -') - optional_policy(` seutil_sigchld_newrole(pxe_t) ') diff --git a/policy/modules/services/pyzor.fc b/policy/modules/services/pyzor.fc index 0fbe17a..c512523 100644 
--- a/policy/modules/services/pyzor.fc +++ b/policy/modules/services/pyzor.fc @@ -1,11 +1,9 @@ /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) +HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:ROLE_pyzor_home_t,s0) + /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) /var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0) /var/log/pyzord\.log -- gen_context(system_u:object_r:pyzord_log_t,s0) - -ifdef(`strict_policy',` -HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:ROLE_pyzor_home_t,s0) -') diff --git a/policy/modules/services/pyzor.if b/policy/modules/services/pyzor.if index 63cd7ec..4589fd1 100644 --- a/policy/modules/services/pyzor.if +++ b/policy/modules/services/pyzor.if @@ -1,5 +1,42 @@ ## Pyzor is a distributed, collaborative spam detection and filtering network. +####################################### +## +## The per role template for the pyzor module. +## +## +##

+## This template allows pyzor to manage files in +## a user home directory, creating files with the +## correct type. +##

+##

+## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +# +template(`pyzor_per_role_template',` + gen_require(` + type pyzord_t; + ') + + type $1_pyzor_home_t; + userdom_user_home_content($1, $1_pyzor_home_t) + + manage_dirs_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t) + manage_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t) + manage_lnk_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t) + userdom_user_home_dir_filetrans($1, pyzord_t, $1_pyzor_home_t, { dir file lnk_file }) +') + ######################################## ## ## Send generic signals to pyzor @@ -57,41 +94,3 @@ interface(`pyzor_exec',` corecmd_search_bin($1) can_exec($1,pyzor_exec_t) ') - -####################################### -## -## The per role template for the pyzor module. -## -## -##

-## This template allows pyzor to manage files in -## a user home directory, creating files with the -## correct type. -##

-##

-## This template is invoked automatically for each user, and -## generally does not need to be invoked directly -## by policy writers. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -# -template(`pyzor_per_role_template',` - gen_require(` - type pyzord_t; - ') - - type $1_pyzor_home_t; - userdom_user_home_content($1,$1_pyzor_home_t) - - manage_dirs_pattern(pyzord_t,$1_pyzor_home_t,$1_pyzor_home_t) - manage_files_pattern(pyzord_t,$1_pyzor_home_t,$1_pyzor_home_t) - manage_lnk_files_pattern(pyzord_t,$1_pyzor_home_t,$1_pyzor_home_t) - userdom_search_user_home_dirs($1,pyzord_t) - userdom_user_home_dir_filetrans($1,pyzord_t,$1_pyzor_home_t,{ dir file lnk_file }) -') diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te index 4c8692b..c14302b 100644 --- a/policy/modules/services/pyzor.te +++ b/policy/modules/services/pyzor.te @@ -70,10 +70,6 @@ miscfiles_read_localization(pyzor_t) userdom_dontaudit_search_sysadm_home_dirs(pyzor_t) -ifdef(`targeted_policy',` - userdom_read_generic_user_home_content_files(pyzor_t) -') - optional_policy(` amavis_manage_lib_files(pyzor_t) amavis_manage_spool_files(pyzor_t) @@ -137,13 +133,6 @@ userdom_dontaudit_search_staff_home_dirs(pyzord_t) mta_manage_spool(pyzord_t) -ifdef(`targeted_policy',` - term_dontaudit_use_generic_ptys(pyzord_t) - term_dontaudit_use_unallocated_ttys(pyzord_t) - - userdom_read_generic_user_home_content_files(pyzord_t) -') - optional_policy(` logging_send_syslog_msg(pyzord_t) ') diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te index c95dccf..4563434 100644 --- a/policy/modules/services/radius.te +++ b/policy/modules/services/radius.te @@ -107,12 +107,6 @@ userdom_dontaudit_use_unpriv_user_fds(radiusd_t) userdom_dontaudit_search_sysadm_home_dirs(radiusd_t) userdom_dontaudit_getattr_sysadm_home_dirs(radiusd_t) -ifdef(`targeted_policy', ` - term_dontaudit_use_unallocated_ttys(radiusd_t) - term_dontaudit_use_generic_ptys(radiusd_t) - files_dontaudit_read_root_files(radiusd_t) -') - optional_policy(` cron_system_entry(radiusd_t,radiusd_exec_t) ') 
diff --git a/policy/modules/services/radvd.te b/policy/modules/services/radvd.te index 6aba1be..d56b426 100644 --- a/policy/modules/services/radvd.te +++ b/policy/modules/services/radvd.te @@ -71,12 +71,6 @@ sysnet_read_config(radvd_t) userdom_dontaudit_use_unpriv_user_fds(radvd_t) userdom_dontaudit_search_sysadm_home_dirs(radvd_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(radvd_t) - term_dontaudit_use_generic_ptys(radvd_t) - files_dontaudit_read_root_files(radvd_t) -') - optional_policy(` nis_use_ypbind(radvd_t) ') diff --git a/policy/modules/services/razor.fc b/policy/modules/services/razor.fc index ad74d5b..d50875b 100644 --- a/policy/modules/services/razor.fc +++ b/policy/modules/services/razor.fc @@ -1,6 +1,4 @@ -ifdef(`strict_policy',` HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:ROLE_razor_home_t,s0) -') /etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) diff --git a/policy/modules/services/rdisc.te b/policy/modules/services/rdisc.te index df9d7d0..d9af172 100644 --- a/policy/modules/services/rdisc.te +++ b/policy/modules/services/rdisc.te @@ -51,12 +51,6 @@ sysnet_read_config(rdisc_t) userdom_dontaudit_use_unpriv_user_fds(rdisc_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(rdisc_t) - term_dontaudit_use_generic_ptys(rdisc_t) - files_dontaudit_read_root_files(rdisc_t) -') - optional_policy(` seutil_sigchld_newrole(rdisc_t) ') diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te index bd2d695..c641ea5 100644 --- a/policy/modules/services/remotelogin.te +++ b/policy/modules/services/remotelogin.te @@ -95,11 +95,6 @@ userdom_spec_domtrans_unpriv_users(remote_login_t) # Search for mail spool file. mta_getattr_spool(remote_login_t) -ifdef(`targeted_policy',` - unconfined_domain(remote_login_t) - unconfined_shell_domtrans(remote_login_t) -') - tunable_policy(`read_default_t',` files_list_default(remote_login_t) files_read_default_files(remote_login_t) 
@@ -131,5 +126,10 @@ optional_policy(` ') optional_policy(` + unconfined_domain(remote_login_t) + unconfined_shell_domtrans(remote_login_t) +') + +optional_policy(` usermanage_read_crack_db(remote_login_t) ') diff --git a/policy/modules/services/resmgr.te b/policy/modules/services/resmgr.te index a593279..c4d31a3 100644 --- a/policy/modules/services/resmgr.te +++ b/policy/modules/services/resmgr.te @@ -61,12 +61,6 @@ miscfiles_read_localization(resmgrd_t) userdom_dontaudit_use_unpriv_user_fds(resmgrd_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(resmgrd_t) - term_dontaudit_use_generic_ptys(resmgrd_t) - files_dontaudit_read_root_files(resmgrd_t) -') - optional_policy(` seutil_sigchld_newrole(resmgrd_t) ') diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te index e6bddbb..773d785 100644 --- a/policy/modules/services/rhgb.te +++ b/policy/modules/services/rhgb.te @@ -31,6 +31,9 @@ allow rhgb_t self:tcp_socket create_socket_perms; allow rhgb_t self:udp_socket create_socket_perms; allow rhgb_t self:netlink_route_socket r_netlink_socket_perms; +allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr }; +term_create_pty(rhgb_t,rhgb_devpts_t) + manage_dirs_pattern(rhgb_t,rhgb_tmpfs_t,rhgb_tmpfs_t) manage_files_pattern(rhgb_t,rhgb_tmpfs_t,rhgb_tmpfs_t) manage_lnk_files_pattern(rhgb_t,rhgb_tmpfs_t,rhgb_tmpfs_t) @@ -114,20 +117,7 @@ xserver_kill_xdm_xserver(rhgb_t) xserver_read_xkb_libs(rhgb_t) xserver_domtrans_xdm_xserver(rhgb_t) xserver_signal_xdm_xserver(rhgb_t) - -ifdef(`strict_policy',` - allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr }; - term_create_pty(rhgb_t,rhgb_devpts_t) -', ` - files_dontaudit_read_root_files(rhgb_t) - - term_use_generic_ptys(rhgb_t) - term_setattr_generic_ptys(rhgb_t) - term_dontaudit_use_unallocated_ttys(rhgb_t) - - xserver_domtrans_xdm_xserver(rhgb_t) - xserver_read_xdm_tmp_files(rhgb_t) -') +xserver_read_xdm_tmp_files(rhgb_t) optional_policy(` consoletype_exec(rhgb_t) 
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te index f467c11..0c49eda 100644 --- a/policy/modules/services/ricci.te +++ b/policy/modules/services/ricci.te @@ -153,11 +153,6 @@ miscfiles_read_localization(ricci_t) sysnet_dns_name_resolve(ricci_t) -ifdef(`targeted_policy', ` - term_dontaudit_use_generic_ptys(ricci_t) - term_dontaudit_use_unallocated_ttys(ricci_t) -') - optional_policy(` ccs_read_config(ricci_t) ') @@ -255,8 +250,10 @@ optional_policy(` oddjob_system_entry(ricci_modcluster_t, ricci_modcluster_exec_t) ') -# XXX This has got to go. -unconfined_domain(ricci_modcluster_t) +optional_policy(` + # XXX This has got to go. + unconfined_domain(ricci_modcluster_t) +') ######################################## # @@ -317,11 +314,6 @@ miscfiles_read_localization(ricci_modclusterd_t) sysnet_domtrans_ifconfig(ricci_modclusterd_t) sysnet_dns_name_resolve(ricci_modclusterd_t) -ifdef(`targeted_policy', ` - term_dontaudit_use_generic_ptys(ricci_modclusterd_t) - term_dontaudit_use_unallocated_ttys(ricci_modclusterd_t) -') - optional_policy(` ccs_domtrans(ricci_modclusterd_t) ccs_stream_connect(ricci_modclusterd_t) diff --git a/policy/modules/services/roundup.te b/policy/modules/services/roundup.te index dfb7e36..c1f3a8e 100644 --- a/policy/modules/services/roundup.te +++ b/policy/modules/services/roundup.te @@ -83,12 +83,6 @@ sysnet_read_config(roundup_t) userdom_dontaudit_use_unpriv_user_fds(roundup_t) userdom_dontaudit_search_sysadm_home_dirs(roundup_t) -ifdef(`targeted_policy',` - files_dontaudit_read_root_files(roundup_t) - term_dontaudit_use_unallocated_ttys(roundup_t) - term_dontaudit_use_generic_ptys(roundup_t) -') - optional_policy(` mysql_stream_connect(roundup_t) mysql_search_db(roundup_t) diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if index bbf5f41..9046f67 100644 --- a/policy/modules/services/rpc.if +++ b/policy/modules/services/rpc.if 
@@ -112,12 +112,6 @@ template(`rpc_domain_template', ` userdom_dontaudit_use_unpriv_user_fds($1_t) - ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys($1_t) - term_dontaudit_use_generic_ptys($1_t) - files_dontaudit_read_root_files($1_t) - ') - optional_policy(` nis_use_ypbind($1_t) ') diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te index 8db6b2b..667b237 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -158,13 +158,6 @@ files_read_usr_symlinks(gssd_t) miscfiles_read_certs(gssd_t) -ifdef(`targeted_policy',` - files_read_generic_tmp_files(gssd_t) - files_read_generic_tmp_symlinks(gssd_t) - # Manage the users kerberos tgt file - files_manage_generic_tmp_files(gssd_t) -') - tunable_policy(`allow_gssd_read_tmp',` userdom_list_unpriv_users_tmp(gssd_t) userdom_read_unpriv_users_tmp_files(gssd_t) diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te index c5f3df4..94834ff 100644 --- a/policy/modules/services/rshd.te +++ b/policy/modules/services/rshd.te @@ -66,10 +66,6 @@ sysnet_read_config(rshd_t) userdom_search_all_users_home_content(rshd_t) -ifdef(`targeted_policy',` - unconfined_shell_domtrans(rshd_t) -') - tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(rshd_t) fs_read_nfs_symlinks(rshd_t) @@ -91,3 +87,7 @@ optional_policy(` optional_policy(` tcpd_wrapped_domain(rshd_t,rshd_exec_t) ') + +optional_policy(` + unconfined_shell_domtrans(rshd_t) +') diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te index fd90e48..1a7e8ff 100644 --- a/policy/modules/services/rwho.te +++ b/policy/modules/services/rwho.te @@ -59,8 +59,3 @@ libs_use_shared_libs(rwho_t) miscfiles_read_localization(rwho_t) sysnet_dns_name_resolve(rwho_t) - -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(rwho_t) - term_dontaudit_use_generic_ptys(rwho_t) -') 
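Review bot: The gssd_t hunk in rpc.te removes `files_manage_generic_tmp_files(gssd_t)`, commented as managing the user's kerberos ticket file, with no replacement; the surviving `allow_gssd_read_tmp` tunable only grants list and read of unprivileged users' tmp, so in the targeted-like configuration gssd can no longer write or refresh a ticket cache in /tmp. If that is deliberate it should be mentioned in the Changelog; if not, a tunable guarding the manage rule keeps write access off by default while preserving the use case. The gssd_t section continues outside the hunk.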
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if index ecda9ab..51543ca 100644 --- a/policy/modules/services/samba.if +++ b/policy/modules/services/samba.if @@ -114,6 +114,38 @@ interface(`samba_domtrans_smbmount',` ######################################## ## +## Execute smbmount interactively and do +## a domain transition to the smbmount domain. +## +## +## +## Domain allowed acces. +## +## +## +## +## The role to be allowed the smbmount domain. +## +## +## +## +## The type of the terminal allow the smbmount domain to use. +## +## +## +# +interface(`samba_run_smbmount',` + gen_require(` + type smbmount_t; + ') + + samba_domtrans_smbmount($1) + role $2 types smbmount_t; + allow smbmount_t $3:chr_file rw_term_perms; +') + +######################################## +## ## Allow the specified domain to read ## samba configuration files. ## diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te index be13a29..e3fe1e4 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -86,13 +86,6 @@ files_type(samba_secrets_t) type samba_share_t; # customizable files_type(samba_share_t) -type samba_unconfined_script_t; -type samba_unconfined_script_exec_t; -domain_type(samba_unconfined_script_t) -domain_entry_file(samba_unconfined_script_t,samba_unconfined_script_exec_t) -corecmd_shell_entry_type(samba_unconfined_script_t) -role system_r types samba_unconfined_script_t; - type samba_var_t; files_type(samba_var_t) @@ -202,11 +195,6 @@ sysnet_use_ldap(samba_net_t) userdom_dontaudit_search_sysadm_home_dirs(samba_net_t) -ifdef(`targeted_policy',` - term_use_generic_ptys(samba_net_t) - term_use_unallocated_ttys(samba_net_t) -') - optional_policy(` kerberos_use(samba_net_t) ') 
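Review bot: The new `samba_run_smbmount` interface's first parameter doc reads `Domain allowed acces.` and should be `Domain allowed access.`; the third parameter's `The type of the terminal allow the smbmount domain to use.` would read better as `The type of the terminal to allow the smbmount domain to use.`. Functionally the shape is the standard run interface: domtrans, a role statement, and `rw_term_perms` on the caller-supplied terminal type, which is what replaces the `term_use_controlling_term` and sysadm tty rules removed from samba.te later in this commit.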
@@ -345,12 +333,6 @@ ifdef(`hide_broken_symptoms', ` fs_dontaudit_getattr_tmpfs_dirs(smbd_t) ') -ifdef(`targeted_policy', ` - files_dontaudit_read_root_files(smbd_t) - term_dontaudit_use_generic_ptys(smbd_t) - term_dontaudit_use_unallocated_ttys(smbd_t) -') - tunable_policy(`allow_smbd_anon_write',` miscfiles_manage_public_files(smbd_t) ') @@ -486,12 +468,6 @@ userdom_dontaudit_search_sysadm_home_dirs(nmbd_t) userdom_dontaudit_use_unpriv_user_fds(nmbd_t) userdom_use_unpriv_users_fds(nmbd_t) -ifdef(`targeted_policy', ` - files_dontaudit_read_root_files(nmbd_t) - term_dontaudit_use_generic_ptys(nmbd_t) - term_dontaudit_use_unallocated_ttys(nmbd_t) -') - optional_policy(` nis_use_ypbind(nmbd_t) ') @@ -557,7 +533,6 @@ storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) term_list_ptys(smbmount_t) -term_use_controlling_term(smbmount_t) corecmd_list_bin(smbmount_t) @@ -581,11 +556,6 @@ logging_search_logs(smbmount_t) sysnet_read_config(smbmount_t) userdom_use_all_users_fds(smbmount_t) -userdom_use_sysadm_ttys(smbmount_t) - -optional_policy(` - cups_read_rw_config(smbd_t) -') optional_policy(` nis_use_ypbind(smbmount_t) @@ -783,12 +753,6 @@ userdom_dontaudit_use_unpriv_user_fds(winbind_t) userdom_dontaudit_search_sysadm_home_dirs(winbind_t) userdom_priveleged_home_dir_manager(winbind_t) -ifdef(`targeted_policy', ` - term_dontaudit_use_unallocated_ttys(winbind_t) - term_dontaudit_use_generic_ptys(winbind_t) - files_dontaudit_read_root_files(winbind_t) -') - optional_policy(` kerberos_use(winbind_t) ') @@ -833,11 +797,6 @@ logging_send_syslog_msg(winbind_helper_t) miscfiles_read_localization(winbind_helper_t) -ifdef(`targeted_policy',` - term_use_generic_ptys(winbind_helper_t) - term_use_unallocated_ttys(winbind_helper_t) -') - optional_policy(` nscd_socket_use(winbind_helper_t) ') 
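Review bot: The hunk at `@@ -581,11 +556,6 @@` removes `optional_policy(` cups_read_rw_config(smbd_t) ')` together with `userdom_use_sysadm_ttys(smbmount_t)`, but the cups rule concerns smbd_t, not smbmount_t, and has nothing to do with the strict/targeted merge; dropping it likely breaks smbd reading printer configuration when the cups module is present. If it was merely misplaced in the smbmount section, move it to the smbd_t block rather than deleting it. Replacing `term_use_controlling_term(smbmount_t)` and the sysadm tty rule with the new role-based `samba_run_smbmount` interface is consistent with the rest of the commit.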
@@ -852,11 +811,20 @@ optional_policy(` # samba_unconfined_script_t local policy # -allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; -allow smbd_t samba_unconfined_script_exec_t:file ioctl; +optional_policy(` + type samba_unconfined_script_t; + type samba_unconfined_script_exec_t; + domain_type(samba_unconfined_script_t) + domain_entry_file(samba_unconfined_script_t,samba_unconfined_script_exec_t) + corecmd_shell_entry_type(samba_unconfined_script_t) + role system_r types samba_unconfined_script_t; + + allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; + allow smbd_t samba_unconfined_script_exec_t:file ioctl; -unconfined_domain(samba_unconfined_script_t) + unconfined_domain(samba_unconfined_script_t) -tunable_policy(`samba_run_unconfined',` - domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) + tunable_policy(`samba_run_unconfined',` + domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) + ') ') diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te index 6b2b547..dd7b0bd 100644 --- a/policy/modules/services/sasl.te +++ b/policy/modules/services/sasl.te @@ -91,13 +91,7 @@ sysnet_read_config(saslauthd_t) userdom_dontaudit_use_unpriv_user_fds(saslauthd_t) userdom_dontaudit_search_sysadm_home_dirs(saslauthd_t) -ifdef(`targeted_policy', ` - term_dontaudit_use_unallocated_ttys(saslauthd_t) - term_dontaudit_use_generic_ptys(saslauthd_t) - files_dontaudit_read_root_files(saslauthd_t) -') - -# cjp: typeattribute dont work in conditionals yet +# cjp: typeattribute doesnt work in conditionals auth_can_read_shadow_passwords(saslauthd_t) tunable_policy(`allow_saslauthd_read_shadow',` auth_tunable_read_shadow(saslauthd_t) diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te index 076e7d5..4de2953 100644 --- a/policy/modules/services/sendmail.te +++ b/policy/modules/services/sendmail.te 
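Review bot: The `type samba_unconfined_script_t;` and `type samba_unconfined_script_exec_t;` declarations now sit inside the `optional_policy(` block, so both types exist only when the unconfined module is present. Any samba.fc entry or external interface that names samba_unconfined_script_exec_t will then reference an undeclared type when that module is absent; the .fc is not part of this diff, so that is worth checking before merge. A comment above the block such as `# unconfined samba scripts exist only when the unconfined module is loaded` would make the dependency explicit, and the retained header `# samba_unconfined_script_t local policy` should note that the policy below is conditional.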
@@ -108,12 +108,6 @@ mta_rw_aliases(sendmail_t) mta_manage_queue(sendmail_t) mta_manage_spool(sendmail_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(sendmail_t) - term_dontaudit_use_generic_ptys(sendmail_t) - files_dontaudit_read_root_files(sendmail_t) -') - optional_policy(` clamav_search_lib(sendmail_t) ') diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te index 4f8e9a2..bcb7129 100644 --- a/policy/modules/services/setroubleshoot.te +++ b/policy/modules/services/setroubleshoot.te @@ -106,11 +106,6 @@ sysnet_read_config(setroubleshootd_t) userdom_dontaudit_read_sysadm_home_content_files(setroubleshootd_t) -ifdef(`targeted_policy',` - term_dontaudit_use_generic_ptys(setroubleshootd_t) - term_dontaudit_use_unallocated_ttys(setroubleshootd_t) -') - optional_policy(` rpm_read_db(setroubleshootd_t) rpm_dontaudit_manage_db(setroubleshootd_t) diff --git a/policy/modules/services/slrnpull.te b/policy/modules/services/slrnpull.te index 642593f..e258c48 100644 --- a/policy/modules/services/slrnpull.te +++ b/policy/modules/services/slrnpull.te @@ -61,12 +61,6 @@ miscfiles_read_localization(slrnpull_t) userdom_dontaudit_use_unpriv_user_fds(slrnpull_t) userdom_dontaudit_search_sysadm_home_dirs(slrnpull_t) -ifdef(`targeted_policy',` - files_dontaudit_read_root_files(slrnpull_t) - term_dontaudit_use_unallocated_ttys(slrnpull_t) - term_dontaudit_use_generic_ptys(slrnpull_t) -') - optional_policy(` cron_system_entry(slrnpull_t,slrnpull_exec_t) ') diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te index c702de5..2a3d371 100644 --- a/policy/modules/services/smartmon.te +++ b/policy/modules/services/smartmon.te 
@@ -82,12 +82,6 @@ sysnet_read_config(fsdaemon_t) userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t) userdom_dontaudit_search_sysadm_home_dirs(fsdaemon_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(fsdaemon_t) - term_dontaudit_use_generic_ptys(fsdaemon_t) - files_dontaudit_read_root_files(fsdaemon_t) -') - optional_policy(` mta_send_mail(fsdaemon_t) ') diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te index e116f42..fa6be5e 100644 --- a/policy/modules/services/snmp.te +++ b/policy/modules/services/snmp.te @@ -115,12 +115,6 @@ ifdef(`distro_redhat', ` ') ') -ifdef(`targeted_policy', ` - term_dontaudit_use_unallocated_ttys(snmpd_t) - term_dontaudit_use_generic_ptys(snmpd_t) - files_dontaudit_read_root_files(snmpd_t) -') - optional_policy(` amanda_dontaudit_read_dumpdates(snmpd_t) ') diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te index 0b3e1b6..d37dd5b 100644 --- a/policy/modules/services/snort.te +++ b/policy/modules/services/snort.te @@ -88,12 +88,6 @@ sysnet_read_config(snort_t) userdom_dontaudit_use_unpriv_user_fds(snort_t) userdom_dontaudit_search_sysadm_home_dirs(snort_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(snort_t) - term_dontaudit_use_generic_ptys(snort_t) - files_dontaudit_read_root_files(snort_t) -') - optional_policy(` seutil_sigchld_newrole(snort_t) ') diff --git a/policy/modules/services/soundserver.te b/policy/modules/services/soundserver.te index e8728a9..ceedaca 100644 --- a/policy/modules/services/soundserver.te +++ b/policy/modules/services/soundserver.te @@ -98,12 +98,6 @@ sysnet_read_config(soundd_t) userdom_dontaudit_use_unpriv_user_fds(soundd_t) userdom_dontaudit_search_sysadm_home_dirs(soundd_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(soundd_t) - term_dontaudit_use_generic_ptys(soundd_t) - files_dontaudit_read_root_files(soundd_t) -') - optional_policy(` seutil_sigchld_newrole(soundd_t) ') 
diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc index 870dc7d..e4f676b 100644 --- a/policy/modules/services/spamassassin.fc +++ b/policy/modules/services/spamassassin.fc @@ -1,3 +1,4 @@ +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0) /usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0) /usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0) @@ -13,7 +14,3 @@ /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) - -ifdef(`strict_policy',` -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0) -') diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if index c2802e1..06b14d9 100644 --- a/policy/modules/services/spamassassin.if +++ b/policy/modules/services/spamassassin.if @@ -280,6 +280,12 @@ template(`spamassassin_per_role_template',` sysnet_read_config($1_spamassassin_t) ') + tunable_policy(`spamd_enable_home_dirs',` + userdom_manage_user_home_content_dirs($1,spamd_t) + userdom_manage_user_home_content_files($1,spamd_t) + userdom_manage_user_home_content_symlinks($1,spamd_t) + ') + tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs($1_spamassassin_t) fs_manage_nfs_files($1_spamassassin_t) diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te index 220162a..8e4a0a1 100644 --- a/policy/modules/services/spamassassin.te +++ b/policy/modules/services/spamassassin.te @@ -6,23 +6,19 @@ policy_module(spamassassin,1.8.0) # Declarations # -ifdef(`strict_policy',` ## ##
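Review bot: The new `tunable_policy(`spamd_enable_home_dirs',` block in `spamassassin_per_role_template` grants spamd_t manage rights on the role's home content but does not restore the file transition the old targeted block carried (`userdom_generic_user_home_dir_filetrans_generic_user_home_content(spamd_t,dir)`, deleted in the spamassassin.te hunk later in this diff). Without a transition, a `~/.spamassassin` directory that spamd creates inherits the home directory's type rather than the ROLE_spamassassin_home_t label that the now-unconditional spamassassin.fc entry expects, until the next relabel. Add a per-role home-directory filetrans into the role's spamassassin home type inside the same tunable block, or document in a comment that the directory is expected to be created by the user's own client rather than by spamd.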

## Allow user spamassassin clients to use the network. ##

##
gen_tunable(spamassassin_can_network,false) -') -ifdef(`targeted_policy',` ## ##

## Allow spamd to read/write user home directories. ##

##
gen_tunable(spamd_enable_home_dirs,true) -') # spamassassin client executable type spamc_exec_t; @@ -140,8 +136,6 @@ init_dontaudit_rw_utmp(spamd_t) libs_use_ld_so(spamd_t) libs_use_shared_libs(spamd_t) -# Various Perl bits -libs_use_lib_files(spamd_t) logging_send_syslog_msg(spamd_t) @@ -155,20 +149,6 @@ userdom_use_unpriv_users_fds(spamd_t) userdom_search_unpriv_users_home_dirs(spamd_t) userdom_dontaudit_search_sysadm_home_dirs(spamd_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(spamd_t) - term_dontaudit_use_generic_ptys(spamd_t) - - files_dontaudit_read_root_files(spamd_t) - - tunable_policy(`spamd_enable_home_dirs',` - userdom_manage_generic_user_home_content_dirs(spamd_t) - userdom_manage_generic_user_home_content_files(spamd_t) - userdom_manage_generic_user_home_content_symlinks(spamd_t) - userdom_generic_user_home_dir_filetrans_generic_user_home_content(spamd_t,dir) - ') -') - tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(spamd_t) ') diff --git a/policy/modules/services/speedtouch.te b/policy/modules/services/speedtouch.te index b91764d..2c918b6 100644 --- a/policy/modules/services/speedtouch.te +++ b/policy/modules/services/speedtouch.te @@ -56,12 +56,6 @@ miscfiles_read_localization(speedmgmt_t) userdom_dontaudit_use_unpriv_user_fds(speedmgmt_t) userdom_dontaudit_search_sysadm_home_dirs(speedmgmt_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(speedmgmt_t) - term_dontaudit_use_generic_ptys(speedmgmt_t) - files_dontaudit_read_root_files(speedmgmt_t) -') - optional_policy(` seutil_sigchld_newrole(speedmgmt_t) ') diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te index beaba00..9c30fe7 100644 --- a/policy/modules/services/squid.te +++ b/policy/modules/services/squid.te 
@@ -144,12 +144,6 @@ userdom_use_unpriv_users_fds(squid_t) userdom_dontaudit_use_unpriv_user_fds(squid_t) userdom_dontaudit_search_sysadm_home_dirs(squid_t) -ifdef(`targeted_policy', ` - term_dontaudit_use_unallocated_ttys(squid_t) - term_dontaudit_use_generic_ptys(squid_t) - files_dontaudit_read_root_files(squid_t) -') - tunable_policy(`squid_connect_any',` corenet_tcp_connect_all_ports(squid_t) ') diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc index e83a852..bf53f28 100644 --- a/policy/modules/services/ssh.fc +++ b/policy/modules/services/ssh.fc @@ -1,19 +1,16 @@ +HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ROLE_home_ssh_t,s0) + /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0) /etc/ssh/ssh_host_dsa_key -- gen_context(system_u:object_r:sshd_key_t,s0) /etc/ssh/ssh_host_rsa_key -- gen_context(system_u:object_r:sshd_key_t,s0) /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0) +/usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0) /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0) /usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) -/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) - -ifdef(`targeted_policy', `', ` -/usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0) - -HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ROLE_home_ssh_t,s0) -') +/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 129bf73..51e058c 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te 
@@ -80,11 +80,6 @@ kernel_link_key(sshd_t) corenet_tcp_bind_xserver_port(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t) -ifdef(`targeted_policy',` - unconfined_domain(sshd_t) - unconfined_shell_domtrans(sshd_t) -') - tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd # ioctl is necessary for logout() processing for utmp entry and for w to @@ -123,6 +118,11 @@ optional_policy(` rssh_read_all_users_ro_content(sshd_t) ') +optional_policy(` + unconfined_domain(sshd_t) + unconfined_shell_domtrans(sshd_t) +') + ifdef(`TODO',` tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd 
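Review bot: `unconfined_domain(sshd_t)` and `unconfined_shell_domtrans(sshd_t)` inside the new `optional_policy(` block make sshd unconfined on every system where the unconfined module is loaded, replacing what was a build-time decision under `ifdef(`targeted_policy'`. That appears to be the intent of the merge, but it is a large privilege grant driven solely by module presence, so the block deserves a comment, e.g. `# sshd runs unconfined whenever the unconfined module is loaded; remove that module to confine ssh logins.`. The same comment is warranted on the equivalent blocks for xdm_t and xdm_xserver_t in xserver.te and for init_t and initrc_t in init.te elsewhere in this diff.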
@@ -153,39 +153,37 @@ tunable_policy(`ssh_sysadm_login',` # sshd_extern_t is the domain for ssh from outside our network # -ifdef(`strict_policy',` - ifdef(`TODO',` - domain_trans(initrc_t, sshd_exec_t, sshd_extern_t) +ifdef(`TODO',` +domain_trans(initrc_t, sshd_exec_t, sshd_extern_t) - domain_trans(sshd_extern_t, shell_exec_t, user_mini_domain) - # Signal the user domains. - allow sshd_extern_t user_mini_domain:process signal; +domain_trans(sshd_extern_t, shell_exec_t, user_mini_domain) +# Signal the user domains. +allow sshd_extern_t user_mini_domain:process signal; - ifdef(`xauth.te', ` - domain_trans(sshd_extern_t, xauth_exec_t, user_mini_domain) - ') +ifdef(`xauth.te', ` +domain_trans(sshd_extern_t, xauth_exec_t, user_mini_domain) +') - # Relabel and access ptys created by sshd - # ioctl is necessary for logout() processing for utmp entry and for w to - # display the tty. - # some versions of sshd on the new SE Linux require setattr - allow sshd_extern_t user_mini_domain:chr_file { relabelto read write getattr ioctl setattr }; +# Relabel and access ptys created by sshd +# ioctl is necessary for logout() processing for utmp entry and for w to +# display the tty. +# some versions of sshd on the new SE Linux require setattr +allow sshd_extern_t user_mini_domain:chr_file { relabelto read write getattr ioctl setattr }; - # inheriting stream sockets is needed for "ssh host command" as no pty - # is allocated - allow user_mini_domain sshd_extern_t:unix_stream_socket rw_stream_socket_perms; +# inheriting stream sockets is needed for "ssh host command" as no pty +# is allocated +allow user_mini_domain sshd_extern_t:unix_stream_socket rw_stream_socket_perms; - optional_policy(` - domain_trans(inetd_t, sshd_exec_t, sshd_extern_t) - ') +optional_policy(` + domain_trans(inetd_t, sshd_exec_t, sshd_extern_t) +') - ifdef(`direct_sysadm_daemon', ` - # Direct execution by sysadm_r. 
- domain_auto_trans(sysadm_t, sshd_exec_t, sshd_t) - role_transition sysadm_r sshd_exec_t system_r; - ') - ') dnl endif TODO +ifdef(`direct_sysadm_daemon', ` +# Direct execution by sysadm_r. +domain_auto_trans(sysadm_t, sshd_exec_t, sshd_t) +role_transition sysadm_r sshd_exec_t system_r; ') +') dnl endif TODO ######################################## # @@ -227,21 +225,8 @@ logging_send_syslog_msg(ssh_keygen_t) allow ssh_keygen_t proc_t:dir r_dir_perms; allow ssh_keygen_t proc_t:lnk_file read; -userdom_use_sysadm_ttys(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) -# cjp: with the old daemon_(base_)domain being broken up into -# a daemon and system interface, this probably is not needed: -ifdef(`direct_sysadm_daemon',` - userdom_dontaudit_use_sysadm_terms(ssh_keygen_t) -') - -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(ssh_keygen_t) - term_dontaudit_use_generic_ptys(ssh_keygen_t) - files_dontaudit_read_root_files(ssh_keygen_t) -') - optional_policy(` nscd_socket_use(ssh_keygen_t) ') diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te index ff31d9b..b9a386b 100644 --- a/policy/modules/services/stunnel.te +++ b/policy/modules/services/stunnel.te @@ -90,12 +90,6 @@ ifdef(`distro_gentoo', ` userdom_dontaudit_use_unpriv_user_fds(stunnel_t) userdom_dontaudit_search_sysadm_home_dirs(stunnel_t) - ifdef(`targeted_policy', ` - term_dontaudit_use_unallocated_ttys(stunnel_t) - term_dontaudit_use_generic_ptys(stunnel_t) - files_dontaudit_read_root_files(stunnel_t) - ') - optional_policy(` daemontools_service_domain(stunnel_t, stunnel_exec_t) ') diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te index 00d1262..857ef97 100644 --- a/policy/modules/services/tftp.te +++ b/policy/modules/services/tftp.te 
@@ -79,12 +79,6 @@ userdom_dontaudit_use_unpriv_user_fds(tftpd_t) userdom_dontaudit_use_sysadm_ttys(tftpd_t) userdom_dontaudit_search_sysadm_home_dirs(tftpd_t) -ifdef(`targeted_policy', ` - term_dontaudit_use_unallocated_ttys(tftpd_t) - term_dontaudit_use_generic_ptys(tftpd_t) - files_dontaudit_read_root_files(tftpd_t) -') - optional_policy(` inetd_udp_service_domain(tftpd_t,tftpd_exec_t) ') diff --git a/policy/modules/services/timidity.te b/policy/modules/services/timidity.te index 96423fa..26c276b 100644 --- a/policy/modules/services/timidity.te +++ b/policy/modules/services/timidity.te @@ -78,12 +78,6 @@ userdom_dontaudit_use_unpriv_user_fds(timidity_t) # cjp: this should be fixed if possible so this rule can be removed. userdom_search_sysadm_home_dirs(timidity_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(timidity_t) - term_dontaudit_use_generic_ptys(timidity_t) - files_dontaudit_read_root_files(timidity_t) -') - optional_policy(` seutil_sigchld_newrole(timidity_t) ') diff --git a/policy/modules/services/transproxy.te b/policy/modules/services/transproxy.te index 7012e74..b06cb9d 100644 --- a/policy/modules/services/transproxy.te +++ b/policy/modules/services/transproxy.te @@ -60,12 +60,6 @@ sysnet_read_config(transproxy_t) userdom_dontaudit_use_unpriv_user_fds(transproxy_t) userdom_dontaudit_search_sysadm_home_dirs(transproxy_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(transproxy_t) - term_dontaudit_use_generic_ptys(transproxy_t) - files_dontaudit_read_root_files(transproxy_t) -') - optional_policy(` seutil_sigchld_newrole(transproxy_t) ') diff --git a/policy/modules/services/uptime.te b/policy/modules/services/uptime.te index 078adee..b4b9d7d 100644 --- a/policy/modules/services/uptime.te +++ b/policy/modules/services/uptime.te 
@@ -64,12 +64,6 @@ miscfiles_read_localization(uptimed_t) userdom_dontaudit_use_unpriv_user_fds(uptimed_t) userdom_dontaudit_search_sysadm_home_dirs(uptimed_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(uptimed_t) - term_dontaudit_use_generic_ptys(uptimed_t) - files_dontaudit_read_root_files(uptimed_t) -') - optional_policy(` mta_send_mail(uptimed_t) ') diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te index c555a84..ed1dbbe 100644 --- a/policy/modules/services/uucp.te +++ b/policy/modules/services/uucp.te @@ -131,11 +131,6 @@ logging_send_syslog_msg(uux_t) miscfiles_read_localization(uux_t) -ifdef(`targeted_policy',` - term_use_unallocated_ttys(uux_t) - term_use_generic_ptys(uux_t) -') - optional_policy(` mta_send_mail(uux_t) ') diff --git a/policy/modules/services/uwimap.te b/policy/modules/services/uwimap.te index e538d36..3d31305 100644 --- a/policy/modules/services/uwimap.te +++ b/policy/modules/services/uwimap.te @@ -82,12 +82,6 @@ userdom_priveleged_home_dir_manager(imapd_t) mta_rw_spool(imapd_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(imapd_t) - term_dontaudit_use_generic_ptys(imapd_t) - files_dontaudit_read_root_files(imapd_t) -') - optional_policy(` seutil_sigchld_newrole(imapd_t) ') diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te index 06d8800..50f2772 100644 --- a/policy/modules/services/watchdog.te +++ b/policy/modules/services/watchdog.te @@ -92,12 +92,6 @@ sysnet_read_config(watchdog_t) userdom_dontaudit_use_unpriv_user_fds(watchdog_t) userdom_dontaudit_search_sysadm_home_dirs(watchdog_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(watchdog_t) - term_dontaudit_use_generic_ptys(watchdog_t) - files_dontaudit_read_root_files(watchdog_t) -') - optional_policy(` mta_send_mail(watchdog_t) ') diff --git a/policy/modules/services/xfs.te b/policy/modules/services/xfs.te index 5302588..800c4d2 100644 
--- a/policy/modules/services/xfs.te +++ b/policy/modules/services/xfs.te @@ -72,12 +72,6 @@ ifdef(`distro_debian',` init_script_tmp_filetrans(xfs_t,xfs_tmp_t,sock_file) ') -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(xfs_t) - term_dontaudit_use_generic_ptys(xfs_t) - files_dontaudit_read_root_files(xfs_t) -') - optional_policy(` seutil_sigchld_newrole(xfs_t) ') diff --git a/policy/modules/services/xprint.te b/policy/modules/services/xprint.te index 8af8788..ce73458 100644 --- a/policy/modules/services/xprint.te +++ b/policy/modules/services/xprint.te @@ -69,12 +69,6 @@ sysnet_read_config(xprint_t) userdom_dontaudit_use_unpriv_user_fds(xprint_t) userdom_dontaudit_search_sysadm_home_dirs(xprint_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(xprint_t) - term_dontaudit_use_generic_ptys(xprint_t) - files_dontaudit_read_root_files(xprint_t) -') - optional_policy(` cups_read_config(xprint_t) ') diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc index 1e86113..c1c87ac 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -1,7 +1,6 @@ # # HOME_DIR # -ifdef(`strict_policy',` HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:ROLE_fonts_config_t,s0) HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:ROLE_fonts_t,s0) HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:ROLE_fonts_cache_t,s0) @@ -9,7 +8,6 @@ HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:ROLE_fonts_cache_t,s HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:ROLE_iceauth_home_t,s0) HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0) HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0) -') # # /dev 
@@ -51,13 +49,10 @@ ifdef(`distro_redhat',` /tmp/\.ICE-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) /tmp/\.ICE-unix/.* -s <> +/tmp/\.X0-lock -- gen_context(system_u:object_r:xdm_xserver_tmp_t,s0) /tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) /tmp/\.X11-unix/.* -s <> -ifdef(`strict_policy',` -/tmp/\.X0-lock -- gen_context(system_u:object_r:xdm_xserver_tmp_t,s0) -') - # # /usr # diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index 0a32465..c8b8375 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -736,12 +736,8 @@ interface(`xserver_read_all_users_xauth',` attribute xauth_home_type; ') - ifdef(`strict_policy',` - allow $1 xauth_home_type:file read_file_perms; - userdom_search_all_users_home_dirs($1) - ',` - userdom_read_generic_user_home_content_files($1) - ') + allow $1 xauth_home_type:file read_file_perms; + userdom_search_all_users_home_dirs($1) ') ######################################## diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 0bfbe14..ae61202 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -6,7 +6,6 @@ policy_module(xserver,1.6.0) # Declarations # -ifdef(`strict_policy',` ## ##

## Allows clients to write to the X server shared @@ -14,7 +13,6 @@ ifdef(`strict_policy',` ##

##
gen_tunable(allow_write_xshm,false) -') ## ##

@@ -276,20 +274,6 @@ userdom_signal_all_users(xdm_t) xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t) -ifdef(`targeted_policy',` - unconfined_domain(xdm_t) - unconfined_domtrans(xdm_t) - userdom_generic_user_home_dir_filetrans_generic_user_home_content(xdm_t, {file dir }) - - ifndef(`distro_redhat',` - allow xdm_t self:process { execheap execmem }; - ') - - ifdef(`distro_rhel4',` - allow xdm_t self:process { execheap execmem }; - ') -') - tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_t) fs_manage_nfs_files(xdm_t) @@ -364,6 +348,19 @@ optional_policy(` ') optional_policy(` + unconfined_domain(xdm_t) + unconfined_domtrans(xdm_t) + + ifndef(`distro_redhat',` + allow xdm_t self:process { execheap execmem }; + ') + + ifdef(`distro_rhel4',` + allow xdm_t self:process { execheap execmem }; + ') +') + +optional_policy(` userhelper_dontaudit_search_config(xdm_t) ') @@ -427,7 +424,16 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_symlinks(xdm_xserver_t) ') -ifdef(`targeted_policy',` +optional_policy(` + resmgr_stream_connect(xdm_t) +') + +optional_policy(` + rhgb_rw_shm(xdm_xserver_t) + rhgb_rw_tmpfs_files(xdm_xserver_t) +') + +optional_policy(` unconfined_domain_noaudit(xdm_xserver_t) unconfined_domtrans(xdm_xserver_t) @@ -440,15 +446,6 @@ ifdef(`targeted_policy',` ') ') -optional_policy(` - resmgr_stream_connect(xdm_t) -') - -optional_policy(` - rhgb_rw_shm(xdm_xserver_t) - rhgb_rw_tmpfs_files(xdm_xserver_t) -') - ifdef(`TODO',` # Need to further investigate these permissions and # perhaps define derived types. diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te index ca643b6..ab0b55a 100644 --- a/policy/modules/services/zabbix.te +++ b/policy/modules/services/zabbix.te 
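Review bot: The new `optional_policy(` block for xdm_t (hunk `@@ -364,6 +348,19`) re-adds `unconfined_domain`, `unconfined_domtrans` and the execheap/execmem rules from the removed targeted block, but not `userdom_generic_user_home_dir_filetrans_generic_user_home_content(xdm_t, {file dir })`. If that is deliberate because generic user home content goes away with the targeted policy, a one-line comment in the new block saying so would stop the next reader from treating it as a regression; otherwise files xdm creates in a user's home directory will take the home directory's type instead of the content type they had before.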
@@ -43,11 +43,6 @@ libs_use_shared_libs(zabbix_t) miscfiles_read_localization(zabbix_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(zabbix_t) - term_dontaudit_use_generic_ptys(zabbix_t) -') - optional_policy(` mysql_stream_connect(zabbix_t) ') diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te index 0c6112a..013631c 100644 --- a/policy/modules/services/zebra.te +++ b/policy/modules/services/zebra.te @@ -114,13 +114,6 @@ sysnet_read_config(zebra_t) userdom_dontaudit_use_unpriv_user_fds(zebra_t) userdom_dontaudit_search_sysadm_home_dirs(zebra_t) -ifdef(`targeted_policy', ` - term_dontaudit_use_unallocated_ttys(zebra_t) - term_dontaudit_use_generic_ptys(zebra_t) - files_dontaudit_read_root_files(zebra_t) - unconfined_sigchld(zebra_t) -') - tunable_policy(`allow_zebra_write_config',` allow zebra_t zebra_conf_t:dir write; allow zebra_t zebra_conf_t:file write; @@ -141,3 +134,7 @@ optional_policy(` optional_policy(` udev_read_db(zebra_t) ') + +optional_policy(` + unconfined_sigchld(zebra_t) +') diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index cc2c243..fc5889d 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -150,21 +150,12 @@ template(`authlogin_per_role_template',` ## # template(`auth_domtrans_user_chk_passwd',` - ifdef(`targeted_policy',` - gen_require(` - type system_chkpwd_t, chkpwd_exec_t; - ') - - corecmd_search_bin($2) - domtrans_pattern($2,chkpwd_exec_t,system_chkpwd_t) - ',` - gen_require(` - type $1_chkpwd_t, chkpwd_exec_t; - ') - - corecmd_search_bin($2) - domtrans_pattern($2,chkpwd_exec_t,$1_chkpwd_t) + gen_require(` + type $1_chkpwd_t, chkpwd_exec_t; ') + + corecmd_search_bin($2) + domtrans_pattern($2,chkpwd_exec_t,$1_chkpwd_t) ') ######################################## diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index 2b71f85..b52bff5 100644 --- a/policy/modules/system/authlogin.te 
+++ b/policy/modules/system/authlogin.te @@ -216,12 +216,6 @@ seutil_read_file_contexts(pam_console_t) userdom_dontaudit_use_unpriv_user_fds(pam_console_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(pam_console_t) - term_dontaudit_use_generic_ptys(pam_console_t) - files_dontaudit_read_root_files(pam_console_t) -') - optional_policy(` gpm_getattr_gpmctl(pam_console_t) gpm_setattr_gpmctl(pam_console_t) @@ -300,6 +294,11 @@ optional_policy(` ') optional_policy(` + # Allow utemper to write to /tmp/.xses-* + unconfined_write_tmp_files(utempter_t) +') + +optional_policy(` xserver_use_xdm_fds(utempter_t) xserver_rw_xdm_pipes(utempter_t) ') diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te index ba99ccf..a86bb02 100644 --- a/policy/modules/system/clock.te +++ b/policy/modules/system/clock.te @@ -63,12 +63,6 @@ logging_send_syslog_msg(hwclock_t) miscfiles_read_localization(hwclock_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(hwclock_t) - term_dontaudit_use_generic_ptys(hwclock_t) - files_dontaudit_read_root_files(hwclock_t) -') - optional_policy(` apm_append_log(hwclock_t) apm_rw_stream_sockets(hwclock_t) diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te index 1300638..6ff5748 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -154,11 +154,6 @@ seutil_read_config(fsadm_t) userdom_use_unpriv_users_fds(fsadm_t) -ifdef(`targeted_policy',` - term_use_unallocated_ttys(fsadm_t) - term_use_generic_ptys(fsadm_t) -') - tunable_policy(`read_default_t',` files_list_default(fsadm_t) files_read_default_files(fsadm_t) diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te index 31706fc..f8ba788 100644 --- a/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te 
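Review bot: The comment on the new optional block, `# Allow utemper to write to /tmp/.xses-*`, misspells the domain and should read `# Allow utempter to write to /tmp/.xses-*`. The rule itself is `unconfined_write_tmp_files(utempter_t)`, so the comment should also say why these temp files are unconfined-owned — presumably because the session that creates them runs unconfined, which is not obvious from the rule alone and is worth stating if so.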
@@ -114,11 +114,6 @@ ifdef(`distro_gentoo',` sysnet_dontaudit_read_config(getty_t) ') -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(getty_t) - term_dontaudit_use_generic_ptys(getty_t) -') - optional_policy(` mta_send_mail(getty_t) ') diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te index 68469f3..69cdcb2 100644 --- a/policy/modules/system/hotplug.te +++ b/policy/modules/system/hotplug.te @@ -125,11 +125,6 @@ ifdef(`distro_redhat', ` files_getattr_generic_locks(hotplug_t) ') -ifdef(`targeted_policy', ` - term_dontaudit_use_unallocated_ttys(hotplug_t) - term_dontaudit_use_generic_ptys(hotplug_t) -') - optional_policy(` consoletype_exec(hotplug_t) ') diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc index 2e31156..8ec8ef1 100644 --- a/policy/modules/system/init.fc +++ b/policy/modules/system/init.fc @@ -9,15 +9,13 @@ /etc/rc\.d/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) +/etc/X11/prefdm -- gen_context(system_u:object_r:initrc_exec_t,s0) + ifdef(`distro_gentoo',` /etc/vmware/init\.d/vmware -- gen_context(system_u:object_r:initrc_exec_t,s0) /etc/x11/startDM.sh -- gen_context(system_u:object_r:initrc_exec_t,s0) ') -ifdef(`strict_policy',` -/etc/X11/prefdm -- gen_context(system_u:object_r:initrc_exec_t,s0) -') - # # /dev # diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 0c3e3ad..597a5cb 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -931,6 +931,24 @@ interface(`init_dontaudit_stream_connect_script',` dontaudit $1 initrc_t:unix_stream_socket connectto; ') +######################################## +##

+## Send messages to init scripts over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_dbus_send_script',` + gen_require(` + type initrc_t; + class dbus send_msg; + ') + + allow $1 initrc_t:dbus send_msg; +') ######################################## ## diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 8f67002..07c1860 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -10,15 +10,6 @@ gen_require(` # Declarations # -ifdef(`targeted_policy',` -## -##

-## Allow all daemons the ability to use unallocated ttys -##

-##
-gen_tunable(allow_daemons_use_tty,false) -') - # used for direct running of init scripts # by admin domains attribute direct_run_init; @@ -172,10 +163,6 @@ ifdef(`distro_redhat',` fs_tmpfs_filetrans(init_t,initctl_t,fifo_file) ') -ifdef(`targeted_policy',` - unconfined_domain(init_t) -') - optional_policy(` auth_rw_login_records(init_t) ') @@ -184,6 +171,10 @@ optional_policy(` nscd_socket_use(init_t) ') +optional_policy(` + unconfined_domain(init_t) +') + # Run the shell in the sysadm_t domain for single-user mode. optional_policy(` userdom_shell_domtrans_sysadm(init_t) @@ -505,37 +496,6 @@ ifdef(`distro_suse',` ') ') -ifdef(`targeted_policy',` - domain_subj_id_change_exemption(initrc_t) - unconfined_domain(initrc_t) - - ifdef(`distro_redhat',` - # system-config-services causes avc messages that should be dontaudited - unconfined_dontaudit_rw_pipes(daemon) - ') - - tunable_policy(`allow_daemons_use_tty',` - term_use_unallocated_ttys(daemon) - term_use_generic_ptys(daemon) - ') - - optional_policy(` - mono_domtrans(initrc_t) - ') -',` - # cjp: require doesnt work in the else of optionals :\ - # this also would result in a type transition - # conflict if sendmail is enabled -# optional_policy(`',` -# mta_send_mail(initrc_t) -# ') - - # allow init scripts to su - optional_policy(` - su_restricted_domain_template(initrc,initrc_t,system_r) - ') -') - optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) @@ -672,6 +632,12 @@ optional_policy(` mta_read_config(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t) ') +# cjp: require doesnt work in the else of optionals :\ +# this also would result in a type transition +# conflict if sendmail is enabled +#optional_policy(`',` +# mta_send_mail(initrc_t) +#') optional_policy(` ifdef(`distro_redhat',` 
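Review bot: Removing `gen_tunable(allow_daemons_use_tty,false)` together with its only consumer (`tunable_policy(`allow_daemons_use_tty',` in hunk `@@ -505,37 +496,6` below) deletes a user-visible boolean, which is a behaviour change that should be called out in the Changelog. Deployments that persist the boolean (booleans.local, kickstart, or a `setsebool -P` in a provisioning script) may fail when the new policy is loaded or when the boolean is next set. The same `@@ -505` hunk also drops `domain_subj_id_change_exemption(initrc_t)`, which the replacement `optional_policy(` block in the `@@ -766,6 +737,19` hunk does not carry over; if `unconfined_domain(initrc_t)` does not already imply the exemption, initrc_t loses it silently, so either re-add it or note in a comment that it is covered.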
@@ -750,6 +716,11 @@ optional_policy(` ') optional_policy(` + # allow init scripts to su + su_restricted_domain_template(initrc,initrc_t,system_r) +') + +optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) ') @@ -766,6 +737,19 @@ optional_policy(` ') optional_policy(` + unconfined_domain(initrc_t) + + ifdef(`distro_redhat',` + # system-config-services causes avc messages that should be dontaudited + unconfined_dontaudit_rw_pipes(daemon) + ') + + optional_policy(` + mono_domtrans(initrc_t) + ') +') + +optional_policy(` vmware_read_system_config(initrc_t) vmware_append_system_config(initrc_t) ') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te index 5be38a2..ec5ea2b 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -139,12 +139,6 @@ sysnet_read_config(ipsec_t) userdom_dontaudit_use_unpriv_user_fds(ipsec_t) userdom_dontaudit_search_sysadm_home_dirs(ipsec_t) -ifdef(`targeted_policy', ` - term_dontaudit_use_unallocated_ttys(ipsec_t) - term_dontaudit_use_generic_ptys(ipsec_t) - files_dontaudit_read_root_files(ipsec_t) -') - optional_policy(` nis_use_ypbind(ipsec_t) ') diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te index 0bb1ac1..31048bf 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -79,13 +79,6 @@ sysnet_dns_name_resolve(iptables_t) userdom_use_all_users_fds(iptables_t) -ifdef(`targeted_policy', ` - term_use_unallocated_ttys(iptables_t) - term_use_generic_ptys(iptables_t) - files_dontaudit_read_root_files(iptables_t) - unconfined_rw_pipes(iptables_t) -') - optional_policy(` fail2ban_append_log(iptables_t) ') diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te index 19c19e1..961b0c3 100644 --- a/policy/modules/system/iscsi.te +++ b/policy/modules/system/iscsi.te 
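Review bot: The relocated optional block re-adds `unconfined_domain(initrc_t)`, the Red Hat dontaudit and the mono transition, but not the `domain_subj_id_change_exemption(initrc_t)` that the deleted targeted branch (hunk at -505) carried; unless unconfined_domain() already implies that exemption, which is not visible here, targeted-style builds lose it silently. The same deleted branch held the `allow_daemons_use_tty` tunable_policy, and neither it nor the tunable declaration removed at the top of this file is reinstated in any of these hunks, so an existing `allow_daemons_use_tty` boolean setting on an upgraded system would presumably no longer correspond to a declared boolean. If both removals are intended, a comment here should say so; otherwise add `domain_subj_id_change_exemption(initrc_t)` back inside this block. Either way the block needs a one-line header: `# unconfined module present: init scripts run unconfined (targeted behaviour)`.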
@@ -76,7 +76,3 @@ logging_send_syslog_msg(iscsid_t) miscfiles_read_localization(iscsid_t) sysnet_dns_name_resolve(iscsid_t) - -ifdef(`targeted_policy',` - term_use_generic_ptys(iscsid_t) -') diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc index dba235d..50019e6 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc 
@@ -3,30 +3,24 @@ # ifdef(`distro_debian',` /emul/ia32-linux/usr(/.*)?/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) -/emul/ia32-linux/usr(/.*)?/lib/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0) /emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0) /emul/ia32-linux/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) -/emul/ia32-linux/lib/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0) /emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) ') ifdef(`distro_gentoo',` /emul/linux/x86/usr(/.*)?/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) -/emul/linux/x86/usr(/.*)?/lib/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0) /emul/linux/x86/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) -/emul/linux/x86/lib/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0) /emul/linux/x86/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) ') ifdef(`distro_redhat',` /emul/ia32-linux/usr(/.*)?/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) -/emul/ia32-linux/usr(/.*)?/lib/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0) -/emul/ia32-linux/usr(/.*)?/java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0) -/emul/ia32-linux/usr(/.*)?/java/.*\.jar -- gen_context(system_u:object_r:shlib_t,s0) -/emul/ia32-linux/usr(/.*)?/java/.*\.jsa -- gen_context(system_u:object_r:shlib_t,s0) +/emul/ia32-linux/usr(/.*)?/java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) +/emul/ia32-linux/usr(/.*)?/java/.*\.jar -- gen_context(system_u:object_r:lib_t,s0) +/emul/ia32-linux/usr(/.*)?/java/.*\.jsa -- gen_context(system_u:object_r:lib_t,s0) /emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0) /emul/ia32-linux/lib(/.*)? 
gen_context(system_u:object_r:lib_t,s0) -/emul/ia32-linux/lib/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0) /emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) ') @@ -36,7 +30,7 @@ ifdef(`distro_redhat',` /etc/ld\.so\.cache -- gen_context(system_u:object_r:ld_so_cache_t,s0) /etc/ld\.so\.preload -- gen_context(system_u:object_r:ld_so_cache_t,s0) -/etc/ppp/plugins/rp-pppoe\.so -- gen_context(system_u:object_r:shlib_t,s0) +/etc/ppp/plugins/rp-pppoe\.so -- gen_context(system_u:object_r:lib_t,s0) # # /lib(64)? @@ -45,8 +39,6 @@ ifdef(`distro_redhat',` /lib/.* gen_context(system_u:object_r:lib_t,s0) /lib64 -d gen_context(system_u:object_r:lib_t,s0) /lib64/.* gen_context(system_u:object_r:lib_t,s0) -/lib/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0) -/lib64/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0) /lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) /lib64/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) @@ -62,7 +54,6 @@ ifdef(`distro_gentoo',` /lib -l gen_context(system_u:object_r:lib_t,s0) /lib32 -d gen_context(system_u:object_r:lib_t,s0) /lib32/.* gen_context(system_u:object_r:lib_t,s0) -/lib32/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0) /lib32/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) ') 
@@ -70,14 +61,10 @@ ifdef(`distro_gentoo',` # /opt # /opt/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) -/opt/(.*/)?lib/.+\.so -- gen_context(system_u:object_r:shlib_t,s0) -/opt/(.*/)?lib/.+\.so\.[^/]* -- gen_context(system_u:object_r:shlib_t,s0) /opt/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0) -/opt/(.*/)?lib64/.+\.so -- gen_context(system_u:object_r:shlib_t,s0) -/opt/(.*/)?lib64/.+\.so\.[^/]* -- gen_context(system_u:object_r:shlib_t,s0) -/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:shlib_t,s0) +/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:shlib_t,s0) +/opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) /opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/cxoffice/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -86,24 +73,18 @@ ifdef(`distro_gentoo',` ifdef(`distro_gentoo',` # despite the extensions, they are actually libs -/opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:shlib_t,s0) -/opt/Acrobat[5-9]/Reader/intellinux/plug_ins3d/.*\.x3d -- gen_context(system_u:object_r:shlib_t,s0) -/opt/Acrobat[5-9]/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:shlib_t,s0) +/opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0) +/opt/Acrobat[5-9]/Reader/intellinux/plug_ins3d/.*\.x3d -- gen_context(system_u:object_r:lib_t,s0) +/opt/Acrobat[5-9]/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0) /opt/netscape/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0) -/opt/netscape/plugins/.*\.so -- gen_context(system_u:object_r:shlib_t,s0) /opt/netscape/plugins/libflashplayer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/netscape/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/RealPlayer/codecs(/.*)? gen_context(system_u:object_r:lib_t,s0) -/opt/RealPlayer/codecs/.*\.so -- gen_context(system_u:object_r:shlib_t,s0) /opt/RealPlayer/common(/.*)? gen_context(system_u:object_r:lib_t,s0) -/opt/RealPlayer/common/.*\.so -- gen_context(system_u:object_r:shlib_t,s0) /opt/RealPlayer/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) -/opt/RealPlayer/lib/.*\.so -- gen_context(system_u:object_r:shlib_t,s0) /opt/RealPlayer/mozilla(/.*)? gen_context(system_u:object_r:lib_t,s0) -/opt/RealPlayer/mozilla/.*\.so -- gen_context(system_u:object_r:shlib_t,s0) /opt/RealPlayer/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0) -/opt/RealPlayer/plugins/.*\.so -- gen_context(system_u:object_r:shlib_t,s0) ') # 
@@ -118,24 +99,18 @@ ifdef(`distro_gentoo',` /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:shlib_t,s0) -/usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:shlib_t,s0) +/usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) +/usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0) /usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) -/usr/(.*/)?lib/.+\.so -- gen_context(system_u:object_r:shlib_t,s0) -/usr/(.*/)?lib/.+\.so\.[^/]* -- gen_context(system_u:object_r:shlib_t,s0) /usr/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0) -/usr/(.*/)?lib64/.+\.so -- gen_context(system_u:object_r:shlib_t,s0) -/usr/(.*/)?lib64/.+\.so\.[^/]* -- gen_context(system_u:object_r:shlib_t,s0) /usr/(.*/)?lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0) /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib/transgaming_cedega/gddb_parser.so -- gen_context(system_u:object_r:shlib_t,s0) /usr/lib/vlc/codec/libdmo_plugin.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/codec/librealaudio_plugin.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib/win32/.* -- gen_context(system_u:object_r:shlib_t,s0) /usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -155,7 +130,7 @@ ifdef(`distro_gentoo',` /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0) +/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) /usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -175,7 +150,7 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` -/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- gen_context(system_u:object_r:shlib_t,s0) +/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- gen_context(system_u:object_r:lib_t,s0) # The following are libraries with text relocations in need of execmod permissions # Some of them should be fixed and removed from this list @@ -299,9 +274,8 @@ HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_ # /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) -/var/ftp/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0) -/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:shlib_t,s0) +/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) ifdef(`distro_suse',` /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0) 
@@ -310,6 +284,3 @@ ifdef(`distro_suse',` /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) -/var/spool/postfix/lib(64)?/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0) -/var/spool/postfix/lib(64)?/[^/]*/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0) -/var/spool/postfix/lib(64)?/devfsd/.+\.so.* -- gen_context(system_u:object_r:shlib_t,s0) diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if index 2e71bea..db3945a 100644 --- a/policy/modules/system/libraries.if +++ b/policy/modules/system/libraries.if @@ -292,14 +292,8 @@ interface(`libs_exec_lib_files',` ## # interface(`libs_use_lib_files',` - gen_require(` - type lib_t; - ') - - files_list_usr($1) - allow $1 lib_t:dir list_dir_perms; - read_lnk_files_pattern($1,lib_t,lib_t) - mmap_files_pattern($1,lib_t,lib_t) + refpolicywarn(`$0($*) has been deprecated, use libs_use_shared_libs() instead.') + libs_use_shared_libs($1) ') ######################################## @@ -392,10 +386,10 @@ interface(`libs_delete_lib_symlinks',` # cjp: added for prelink interface(`libs_manage_shared_libs',` gen_require(` - type lib_t, shlib_t, textrel_shlib_t; + type lib_t, textrel_shlib_t; ') - manage_files_pattern($1,lib_t,{ shlib_t textrel_shlib_t }) + manage_files_pattern($1,lib_t,{ lib_t textrel_shlib_t }) ') ######################################## 
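Review bot: `libs_use_lib_files` now forwards to `libs_use_shared_libs`, which (per the -410 hunk below) also grants mmap of textrel_shlib_t files and `execmod` on them, so every existing caller of the deprecated interface silently gains text-relocation execution rights the old body never granted. The old body only listed lib_t directories and read/mmapped lib_t files, so this is a widening, not a pure rename. If that is intended the warning should spell it out, e.g. `refpolicywarn(`$0($*) has been deprecated, use libs_use_shared_libs() instead (note: it also grants execmod on textrel_shlib_t).')`; if not, keep the old rules beneath the warning instead of forwarding.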
@@ -410,13 +404,13 @@ interface(`libs_manage_shared_libs',` # interface(`libs_use_shared_libs',` gen_require(` - type lib_t, shlib_t, textrel_shlib_t; + type lib_t, textrel_shlib_t; ') files_list_usr($1) allow $1 lib_t:dir list_dir_perms; - read_lnk_files_pattern($1,lib_t,{ lib_t shlib_t textrel_shlib_t }) - mmap_files_pattern($1,lib_t,{ shlib_t textrel_shlib_t }) + read_lnk_files_pattern($1,lib_t,{ lib_t textrel_shlib_t }) + mmap_files_pattern($1,lib_t,{ lib_t textrel_shlib_t }) allow $1 textrel_shlib_t:file execmod; ') @@ -433,11 +427,11 @@ interface(`libs_use_shared_libs',` # interface(`libs_legacy_use_shared_libs',` gen_require(` - type shlib_t, textrel_shlib_t; + type lib_t; ') libs_use_shared_libs($1) - allow $1 { shlib_t textrel_shlib_t }:file execmod; + allow $1 lib_t:file execmod; ') ######################################## @@ -454,10 +448,10 @@ interface(`libs_legacy_use_shared_libs',` # cjp: added for prelink interface(`libs_relabel_shared_libs',` gen_require(` - type lib_t, shlib_t, textrel_shlib_t; + type lib_t, textrel_shlib_t; ') - relabel_files_pattern($1,lib_t,{ shlib_t textrel_shlib_t }) + relabel_files_pattern($1,lib_t,{ lib_t textrel_shlib_t }) ') ######################################## @@ -477,11 +471,7 @@ interface(`libs_relabel_shared_libs',` ## # interface(`lib_filetrans_shared_lib',` - gen_require(` - type lib_t, shlib_t; - ') - - filetrans_pattern($1,lib_t,shlib_t,$2) + refpolicywarn(`$0($*) has been deprecated.') ') ######################################## @@ -510,6 +500,5 @@ interface(`lib_filetrans_shared_lib',` ## # interface(`files_lib_filetrans_shared_lib',` - refpolicywarn(`$0($*) has been deprecated, use lib_filetrans_shared_lib() instead.') - lib_filetrans_shared_lib($1,$2) + refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te index abb3189..c312700 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te 
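Review bot: `mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })` now lets every domain that uses shared libraries map any lib_t file executable, where before execute mapping was limited to shlib_t and textrel_shlib_t and plain lib_t files were only reachable through the symlink-read pattern. Because lib_t is the catch-all for everything under the lib directories (see the libraries.fc hunks) and `libs_manage_shared_libs` in this file hands out write access to lib_t files, a writable non-library file in a lib directory is now also an executable mapping for nearly every domain. That is an accepted cost of the merge, but it belongs in the interface description, which lies above this hunk: `## Use shared libraries. Since shlib_t was merged into lib_t this grants execute mapping of every lib_t file, not only shared objects.`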
@@ -29,21 +29,10 @@ files_tmp_file(ldconfig_tmp_t) # # lib_t is the type of files in the system lib directories. # -type lib_t; +type lib_t alias shlib_t; files_type(lib_t) # -# shlib_t is the type of shared objects in the system lib -# directories. -# -ifdef(`targeted_policy',` - typealias lib_t alias shlib_t; -',` - type shlib_t; - files_type(shlib_t) -') - -# # textrel_shlib_t is the type of shared objects in the system lib # directories, which require text relocation. # @@ -97,13 +86,6 @@ ifdef(`hide_broken_symptoms',` ') ') -ifdef(`targeted_policy',` - allow ldconfig_t lib_t:file read_file_perms; - files_read_generic_tmp_symlinks(ldconfig_t) - term_dontaudit_use_generic_ptys(ldconfig_t) - term_dontaudit_use_unallocated_ttys(ldconfig_t) -') - optional_policy(` # dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway apache_dontaudit_search_modules(ldconfig_t) diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index f23717c..21b3356 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -138,10 +138,6 @@ userdom_use_unpriv_users_fds(local_login_t) userdom_sigchld_all_users(local_login_t) userdom_create_all_users_keys(local_login_t) -ifdef(`targeted_policy',` - unconfined_shell_domtrans(local_login_t) -') - tunable_policy(`read_default_t',` files_list_default(local_login_t) files_read_default_files(local_login_t) @@ -161,7 +157,11 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` - dbus_system_bus_client_template(local_login,local_login_t) + alsa_domtrans(local_login_t) +') + +optional_policy(` + dbus_system_bus_client_template(local_login, local_login_t) dbus_send_system_bus(local_login_t) consolekit_dbus_chat(local_login_t) 
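Review bot: The header comment above `type lib_t alias shlib_t;` still describes lib_t only as "the type of files in the system lib directories", while the deleted paragraph was the one place that explained shared objects and the shlib_t name; after this hunk a reader has no hint that shlib_t survives purely as a compatibility alias. Suggested replacement for the two comment lines: `# lib_t is the type of files in the system lib directories, including` / `# shared objects; shlib_t is kept only as an alias for compatibility.` The ldconfig rules dropped later in this file were targeted-only, so whether ldconfig_t still has read access to lib_t files without them is not visible here and is worth checking.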
@@ -186,11 +186,11 @@ optional_policy(` ') optional_policy(` - usermanage_read_crack_db(local_login_t) + unconfined_domain(local_login_t) ') optional_policy(` - alsa_domtrans(local_login_t) + usermanage_read_crack_db(local_login_t) ') optional_policy(` diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index d535027..4111465 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -94,11 +94,6 @@ locallogin_dontaudit_use_fds(auditctl_t) logging_send_syslog_msg(auditctl_t) -ifdef(`targeted_policy',` - term_use_generic_ptys(auditctl_t) - term_use_unallocated_ttys(auditctl_t) -') - ######################################## # # Auditd local policy @@ -161,14 +156,6 @@ seutil_dontaudit_read_config(auditd_t) userdom_dontaudit_use_unpriv_user_fds(auditd_t) userdom_dontaudit_search_sysadm_home_dirs(auditd_t) -# cjp: this is questionable -userdom_use_sysadm_ttys(auditd_t) - -ifdef(`targeted_policy',` - term_dontaudit_use_generic_ptys(auditd_t) - term_dontaudit_use_unallocated_ttys(auditd_t) - unconfined_dontaudit_read_pipes(auditd_t) -') optional_policy(` seutil_sigchld_newrole(auditd_t) @@ -230,11 +217,6 @@ optional_policy(` udev_read_db(klogd_t) ') -ifdef(`targeted_policy',` - term_dontaudit_use_generic_ptys(klogd_t) - term_dontaudit_use_unallocated_ttys(klogd_t) -') - optional_policy(` seutil_sigchld_newrole(klogd_t) ') @@ -363,13 +345,6 @@ ifdef(`distro_suse',` files_var_lib_filetrans(syslogd_t,devlog_t,sock_file) ') -ifdef(`targeted_policy',` - allow syslogd_t var_run_t:fifo_file { ioctl read write }; - term_dontaudit_use_unallocated_ttys(syslogd_t) - term_dontaudit_use_generic_ptys(syslogd_t) - files_dontaudit_read_root_files(syslogd_t) -') - optional_policy(` inn_manage_log(syslogd_t) ') diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te index dc23be3..a178d6a 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te 
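Review bot: `unconfined_domain(local_login_t)` is a far larger grant than the `unconfined_shell_domtrans(local_login_t)` the removed targeted branch (hunk at -138) gave: with the unconfined module present the login program itself, which handles authentication before any user shell exists, becomes unconfined instead of merely being allowed to transition users into unconfined_t. If the goal is only to let logins reach the unconfined shell, `unconfined_shell_domtrans(local_login_t)` inside this optional block is the narrower replacement, assuming unconfined_domain() is not needed for something else that is not visible here. If full unconfinement is intended, say why on the block: `# unconfined module present: local login runs unconfined (targeted behaviour)`.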
@@ -122,12 +122,6 @@ userdom_dontaudit_search_sysadm_home_dirs(clvmd_t) lvm_domtrans(clvmd_t) lvm_read_config(clvmd_t) -ifdef(`targeted_policy', ` - term_dontaudit_use_unallocated_ttys(clvmd_t) - term_dontaudit_use_generic_ptys(clvmd_t) - files_dontaudit_read_root_files(clvmd_t) -') - optional_policy(` ccs_stream_connect(clvmd_t) ') @@ -286,13 +280,6 @@ ifdef(`distro_redhat',` files_rw_isid_type_dirs(lvm_t) ') -ifdef(`targeted_policy', ` - term_use_unallocated_ttys(lvm_t) - term_use_generic_ptys(lvm_t) - - files_dontaudit_read_root_files(lvm_t) -') - optional_policy(` bootloader_rw_tmp_files(lvm_t) ') diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te index 527400f..8e8b003 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -116,11 +116,6 @@ if( ! secure_mode_insmod ) { kernel_domtrans_to(insmod_t,insmod_exec_t) } -ifdef(`targeted_policy',` - term_use_unallocated_ttys(insmod_t) - term_use_generic_ptys(insmod_t) -') - optional_policy(` hotplug_search_config(insmod_t) ') @@ -210,9 +205,9 @@ files_list_home(depmod_t) userdom_read_staff_home_content_files(depmod_t) userdom_read_sysadm_home_content_files(depmod_t) -ifdef(`targeted_policy', ` - term_use_unallocated_ttys(depmod_t) - term_use_generic_ptys(depmod_t) +optional_policy(` + # Read System.map from home directories. + unconfined_read_home_content_files(depmod_t) ') optional_policy(` @@ -287,8 +282,3 @@ ifdef(`distro_gentoo',` consoletype_exec(update_modules_t) ') ') - -ifdef(`targeted_policy',` - term_use_generic_ptys(update_modules_t) - term_use_unallocated_ttys(update_modules_t) -') diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if index e39a5e9..f9717ce 100644 --- a/policy/modules/system/mount.if +++ b/policy/modules/system/mount.if 
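Review bot: `unconfined_read_home_content_files(depmod_t)` grants read of every regular file and symlink under unconfined users' home directories (see the interface body in the unconfined.if hunks), not just System.map, which is broader than the comment suggests and sits alongside the existing staff and sysadm home-content reads just above the hunk. Keep the comment honest so nobody later assumes a narrower rule: `# Read System.map from home directories (this reads all unconfined home content).`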
@@ -49,6 +49,10 @@ interface(`mount_run',` mount_domtrans($1) role $2 types mount_t; allow mount_t $3:chr_file rw_file_perms; + + optional_policy(` + samba_run_smbmount($1, $2, $3) + ') ') ######################################## @@ -128,18 +132,42 @@ interface(`mount_send_nfs_client_request',` ## # interface(`mount_domtrans_unconfined',` - ifdef(`targeted_policy',` - gen_require(` - type unconfined_mount_t, mount_exec_t; - ') + gen_require(` + type unconfined_mount_t, mount_exec_t; + ') - domtrans_pattern($1,mount_exec_t,unconfined_mount_t) + domtrans_pattern($1, mount_exec_t, unconfined_mount_t) +') - allow $1 unconfined_mount_t:fd use; - allow unconfined_mount_t $1:fd use; - allow unconfined_mount_t $1:fifo_file rw_file_perms; - allow unconfined_mount_t $1:process sigchld; - ',` - mount_domtrans($1) +######################################## +## +## Execute mount in the unconfined mount domain, and +## allow the specified role the unconfined mount domain, +## and use the caller's terminal. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the unconfined mount domain. +## +## +## +## +## The type of the terminal allow the unconfined mount domain to use. +## +## +## +# +interface(`mount_run_unconfined',` + gen_require(` + type unconfined_mount_t; ') + + mount_domtrans_unconfined($1) + role $2 types unconfined_mount_t; + allow unconfined_mount_t $3:chr_file rw_file_perms; ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te index eb20fb7..2670a9f 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -6,14 +6,12 @@ policy_module(mount,1.8.0) # Declarations # -ifdef(`targeted_policy',` ## ##
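Review bot: Adding `samba_run_smbmount($1, $2, $3)` inside `mount_run` means every role given the mount domain is now also authorized for the smbmount domain whenever the samba module is present, with no way for a caller to opt out, and the interface description above this hunk does not mention it. A caller that wants plain mount but not smbmount can no longer express that through this interface. Either document the coupling (`## If the samba module is present, this also allows running smbmount in its domain.`) or expose the samba part as a separate interface that callers add explicitly.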
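Review bot: `mount_domtrans_unconfined` no longer falls back to `mount_domtrans($1)` when the unconfined module is absent; it always transitions into unconfined_mount_t, which the mount.te hunks below declare unconditionally but only give rules to inside an optional_policy on the unconfined module. In a build without that module a caller therefore lands in a domain with nothing beyond application_domain(), presumably unable to mount anything, where before it landed in mount_t. If every caller lives in the unconfined module itself this is harmless, but that is not visible here, so either keep the fallback or state the precondition in the description above this hunk: `## Requires the unconfined module; without it the resulting domain has no mount permissions.`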

## Allow mount to mount any file ##

##
gen_tunable(allow_mount_anyfile,false) -') type mount_t; type mount_exec_t; @@ -26,10 +24,11 @@ files_type(mount_loopback_t) type mount_tmp_t; files_tmp_file(mount_tmp_t) -ifdef(`targeted_policy',` - type unconfined_mount_t; - application_domain(unconfined_mount_t,mount_exec_t) -') +# causes problems with interfaces when +# this is optionally declared in monolithic +# policy--duplicate type declaration +type unconfined_mount_t; +application_domain(unconfined_mount_t,mount_exec_t) ######################################## # @@ -128,12 +127,10 @@ ifdef(`distro_redhat',` ') ') -ifdef(`targeted_policy',` - tunable_policy(`allow_mount_anyfile',` - auth_read_all_dirs_except_shadow(mount_t) - auth_read_all_files_except_shadow(mount_t) - files_mounton_non_security(mount_t) - ') +tunable_policy(`allow_mount_anyfile',` + auth_read_all_dirs_except_shadow(mount_t) + auth_read_all_files_except_shadow(mount_t) + files_mounton_non_security(mount_t) ') optional_policy(` @@ -201,7 +198,7 @@ optional_policy(` # Unconfined mount local policy # -ifdef(`targeted_policy',` +optional_policy(` files_etc_filetrans_etc_runtime(unconfined_mount_t,file) unconfined_domain(unconfined_mount_t) ') diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te index 7763585..6c658ee 100644 --- a/policy/modules/system/pcmcia.te +++ b/policy/modules/system/pcmcia.te @@ -112,14 +112,6 @@ sysnet_manage_config(cardmgr_t) userdom_dontaudit_use_unpriv_user_fds(cardmgr_t) userdom_dontaudit_search_sysadm_home_dirs(cardmgr_t) -ifdef(`targeted_policy',` - term_use_unallocated_ttys(cardmgr_t) - term_use_generic_ptys(cardmgr_t) - term_dontaudit_use_unallocated_ttys(cardmgr_t) - term_dontaudit_use_generic_ptys(cardmgr_t) - files_dontaudit_read_root_files(cardmgr_t) -') - optional_policy(` seutil_dontaudit_read_config(cardmgr_t) seutil_sigchld_newrole(cardmgr_t) diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te index d484e80..dde9994 100644 
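Review bot: The `tunable_policy(`allow_mount_anyfile',…)` block is now compiled into every build rather than only the targeted one, so a formerly strict configuration gains a boolean that, when enabled, lets mount_t read all non-shadow files and mount on any non-security type; it defaults to false, but nothing marks it as a newly universal knob. A comment above the block would make that explicit: `# allow_mount_anyfile was targeted-only; it now exists in every build and is off by default.`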
--- a/policy/modules/system/raid.te +++ b/policy/modules/system/raid.te @@ -74,12 +74,6 @@ userdom_dontaudit_search_all_users_home_content(mdadm_t) mta_send_mail(mdadm_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(mdadm_t) - term_dontaudit_use_generic_ptys(mdadm_t) - files_dontaudit_read_root_files(mdadm_t) -') - optional_policy(` gpm_dontaudit_getattr_gpmctl(mdadm_t) ') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index fe267d9..c707435 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -1,10 +1,8 @@ policy_module(selinuxutil,1.7.0) -ifdef(`strict_policy',` - gen_require(` - bool secure_mode; - ') +gen_require(` + bool secure_mode; ') ######################################## @@ -152,11 +150,6 @@ libs_use_shared_libs(checkpolicy_t) userdom_use_all_users_fds(checkpolicy_t) -ifdef(`targeted_policy',` - term_use_generic_ptys(checkpolicy_t) - term_use_unallocated_ttys(checkpolicy_t) -') - ######################################## # # Load_policy local policy @@ -205,11 +198,6 @@ ifdef(`hide_broken_symptoms',` ') ') -ifdef(`targeted_policy',` - term_use_unallocated_ttys(load_policy_t) - term_use_generic_ptys(load_policy_t) -') - ######################################## # # Newrole local policy 
@@ -294,15 +282,13 @@ userdom_use_unpriv_users_fds(newrole_t) userdom_dontaudit_search_all_users_home_content(newrole_t) userdom_search_all_users_home_dirs(newrole_t) -ifdef(`strict_policy',` - # if secure mode is enabled, then newrole - # can only transition to unprivileged users - if(secure_mode) { - userdom_spec_domtrans_unpriv_users(newrole_t) - } else { - userdom_spec_domtrans_all_users(newrole_t) - } -') +# if secure mode is enabled, then newrole +# can only transition to unprivileged users +if(secure_mode) { + userdom_spec_domtrans_unpriv_users(newrole_t) +} else { + userdom_spec_domtrans_all_users(newrole_t) +} tunable_policy(`allow_polyinstantiation',` files_polyinstantiate_all(newrole_t) @@ -357,11 +343,6 @@ logging_send_syslog_msg(restorecond_t) miscfiles_read_localization(restorecond_t) -ifdef(`targeted_policy',` - term_dontaudit_use_generic_ptys(restorecond_t) - term_dontaudit_use_unallocated_ttys(restorecond_t) -') - optional_policy(` rpm_use_script_fds(restorecond_t) ') @@ -488,7 +469,6 @@ auth_use_nsswitch(semanage_t) libs_use_ld_so(semanage_t) libs_use_shared_libs(semanage_t) -libs_use_lib_files(semanage_t) locallogin_use_fds(semanage_t) @@ -509,8 +489,6 @@ seutil_get_semanage_read_lock(semanage_t) # netfilter_contexts: seutil_manage_default_contexts(semanage_t) -userdom_search_sysadm_home_dirs(semanage_t) - ifdef(`distro_debian',` files_read_var_lib_files(semanage_t) files_read_var_lib_symlinks(semanage_t) @@ -523,6 +501,11 @@ ifdef(`enable_mls',` # Handle pp files created in homedir and /tmp userdom_read_sysadm_home_content_files(semanage_t) userdom_read_sysadm_tmp_files(semanage_t) + + optional_policy(` + unconfined_read_home_content_files(semanage_t) + unconfined_read_tmp_files(semanage_t) + ') ') ######################################## diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index f757419..d54810e 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te 
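Review bot: The new `unconfined_read_home_content_files(semanage_t)` / `unconfined_read_tmp_files(semanage_t)` block sits inside the enclosing `ifdef(`enable_mls',…)` opened above this hunk, so in the standard and MCS builds a confined semanage_t still cannot read a policy package lying in an unconfined user's home or /tmp. If semanage_t is only reached from a confined sysadm under MLS and is otherwise run unconfined, that is fine, but the relationship is not visible here; if semanage is meant to be confined in all builds, the optional block should move outside the ifdef. In either case the existing comment should say which users it covers, e.g. `# Handle pp files created in sysadm/unconfined homedirs and /tmp (MLS only).`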
@@ -142,12 +142,6 @@ ifdef(`distro_redhat', ` files_exec_etc_files(dhcpc_t) ') -ifdef(`targeted_policy', ` - term_dontaudit_use_unallocated_ttys(dhcpc_t) - term_dontaudit_use_generic_ptys(dhcpc_t) - files_dontaudit_read_root_files(dhcpc_t) -') - optional_policy(` consoletype_domtrans(dhcpc_t) ') @@ -320,15 +314,6 @@ ifdef(`hide_broken_symptoms',` ') ') -ifdef(`targeted_policy',` - term_use_generic_ptys(ifconfig_t) - term_use_unallocated_ttys(ifconfig_t) - - optional_policy(` - unconfined_dontaudit_read_pipes(ifconfig_t) - ') -') - optional_policy(` netutils_domtrans(dhcpc_t) ') diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 6bdbb4a..d63c9d4 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -159,7 +159,6 @@ sysnet_signal_dhcpc(udev_t) sysnet_manage_config(udev_t) sysnet_etc_filetrans_config(udev_t) -userdom_use_sysadm_ttys(udev_t) userdom_dontaudit_search_all_users_home_content(udev_t) ifdef(`distro_gentoo',` @@ -184,11 +183,6 @@ ifdef(`distro_redhat',` netutils_domtrans(udev_t) ') -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(udev_t) - term_dontaudit_use_generic_ptys(udev_t) -') - optional_policy(` brctl_domtrans(udev_t) ') diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc index 5d9bb3b..967c66c 100644 --- a/policy/modules/system/unconfined.fc +++ b/policy/modules/system/unconfined.fc 
@@ -2,12 +2,11 @@ # e.g.: # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t +/usr/bin/qemu.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) /usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) -ifdef(`targeted_policy',` +/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) /usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -/usr/bin/qemu.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) + /usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -') diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if index 816c263..a49911f 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if @@ -12,6 +12,7 @@ # interface(`unconfined_domain_noaudit',` gen_require(` + type unconfined_t; class dbus all_dbus_perms; class nscd all_nscd_perms; class passwd all_passwd_perms; @@ -118,6 +119,56 @@ interface(`unconfined_domain',` ######################################## ## +## Add an alias type to the unconfined domain. (Deprecated) +## +## +##

+## Add an alias type to the unconfined domain. (Deprecated) +##

+##

+## This is added to support targeted policy. Its +## use should be limited. It has no effect +## on the strict policy. +##

+##
+## +## +## New alias of the unconfined domain. +## +## +# +interface(`unconfined_alias_domain',` + refpolicywarn(`$0($1) has been deprecated.') +') + +######################################## +## +## Add an alias type to the unconfined execmem +## program file type. (Deprecated) +## +## +##

+## Add an alias type to the unconfined execmem +## program file type. (Deprecated) +##

+##

+## This is added to support targeted policy. Its +## use should be limited. It has no effect +## on the strict policy. +##

+##
+## +## +## New alias of the unconfined execmem program type. +## +## +# +interface(`unconfined_execmem_alias_program',` + refpolicywarn(`$0($1) has been deprecated.') +') + +######################################## +## ## Transition to the unconfined domain. ## ## @@ -473,74 +524,69 @@ interface(`unconfined_dbus_chat',` ######################################## ## -## Add an alias type to the unconfined domain. +## Connect to the the unconfined DBUS +## for service (acquire_svc). ## -## -##
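Review bot: Both deprecated stubs keep the paragraph "This is added to support targeted policy. Its use should be limited. It has no effect on the strict policy.", which is stale now that there is no separate strict build and the interfaces do nothing in any build; the text is misleading next to the `refpolicywarn` body two lines below it. Replace that paragraph in both `unconfined_alias_domain` and `unconfined_execmem_alias_program` with a single sentence such as `## This interface is deprecated and has no effect; callers should be removed.` so the generated documentation stops advertising a targeted-only behaviour that no longer exists.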

-## Add an alias type to the unconfined domain. -##

-##

-## This is added to support targeted policy. Its -## use should be limited. It has no effect -## on the strict policy. -##

-##
## ## -## New alias of the unconfined domain. +## Domain allowed access. ## ## # -interface(`unconfined_alias_domain',` - ifdef(`targeted_policy',` - gen_require(` - type unconfined_t; - ') - - typealias unconfined_t alias $1; - ',` - refpolicywarn(`$0($1) has no effect in strict policy.') +interface(`unconfined_dbus_connect',` + gen_require(` + type unconfined_t; + class dbus acquire_svc; ') + + allow $1 unconfined_t:dbus acquire_svc; ') ######################################## ## -## Add an alias type to the unconfined execmem -## program file type. +## Read files in unconfined users home directories. ## -## -##

-## Add an alias type to the unconfined execmem -## program file type. -##

-##

-## This is added to support targeted policy. Its -## use should be limited. It has no effect -## on the strict policy. -##

-##
## ## -## New alias of the unconfined execmem program type. +## Domain allowed access. ## ## # -interface(`unconfined_execmem_alias_program',` - ifdef(`targeted_policy',` - gen_require(` - type unconfined_execmem_exec_t; - ') +interface(`unconfined_read_home_content_files',` + gen_require(` + type unconfined_home_dir_t, unconfined_home_t; + ') - typealias unconfined_execmem_exec_t alias $1; - ',` - refpolicywarn(`$0($1) has no effect in strict policy.') + files_search_home($1) + allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms; + read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t) + read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t) +') + +######################################## +## +## Read unconfined users temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_read_tmp_files',` + gen_require(` + type unconfined_tmp_t; ') + + files_search_tmp($1) + allow $1 unconfined_tmp_t:dir list_dir_perms; + read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t) + read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t) ') ######################################## ## -## Connect to the the unconfined DBUS -## for service (acquire_svc). +## Write unconfined users temporary files. ## ## ## @@ -548,11 +594,10 @@ interface(`unconfined_execmem_alias_program',` ## ## # -interface(`unconfined_dbus_connect',` +interface(`unconfined_write_tmp_files',` gen_require(` - type unconfined_t; - class dbus acquire_svc; + type unconfined_tmp_t; ') - allow $1 unconfined_t:dbus acquire_svc; + allow $1 unconfined_tmp_t:file { getattr write append }; ') diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index 1bba626..3b147b0 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te 
@@ -6,192 +6,210 @@ policy_module(unconfined,1.7.0) # Declarations # -type unconfined_t; +# usage in this module of types created by these +# calls is not correct, however we dont currently +# have another method to add access to these types +userdom_base_user_template(unconfined) +userdom_manage_home_template(unconfined) +userdom_manage_tmp_template(unconfined) +userdom_manage_tmpfs_template(unconfined) + type unconfined_exec_t; -init_system_domain(unconfined_t,unconfined_exec_t) +init_system_domain(unconfined_t, unconfined_exec_t) -ifdef(`targeted_policy',` - type unconfined_execmem_t; - type unconfined_execmem_exec_t; - init_system_domain(unconfined_execmem_t,unconfined_execmem_exec_t) -') +type unconfined_execmem_t; +type unconfined_execmem_exec_t; +init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t) +role unconfined_r types unconfined_execmem_t; ######################################## # # Local policy # -unconfined_domain(unconfined_t) +domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t) + +files_create_boot_flag(unconfined_t) + +mcs_killall(unconfined_t) +mcs_ptrace_all(unconfined_t) + +init_run_daemon(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + +libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) logging_send_syslog_msg(unconfined_t) +logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -ifdef(`targeted_policy',` - allow unconfined_t self:system syslog_read; - dontaudit unconfined_t self:capability sys_module; +mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - domain_auto_trans(unconfined_t,unconfined_execmem_exec_t,unconfined_execmem_t) +seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - 
files_create_boot_flag(unconfined_t) +unconfined_domain(unconfined_t) - mcs_killall(unconfined_t) - mcs_ptrace_all(unconfined_t) +userdom_priveleged_home_dir_manager(unconfined_t) - init_domtrans_script(unconfined_t) +optional_policy(` + ada_domtrans(unconfined_t) +') - libs_domtrans_ldconfig(unconfined_t) +optional_policy(` + apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + apache_per_role_template(unconfined, unconfined_t, unconfined_r) + # this is disallowed usage: + unconfined_domain(httpd_unconfined_script_t) +') - logging_domtrans_auditctl(unconfined_t) +optional_policy(` + bind_run_ndc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +') - mount_domtrans_unconfined(unconfined_t) +optional_policy(` + bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +') - seutil_domtrans_setfiles(unconfined_t) - seutil_domtrans_semanage(unconfined_t) +optional_policy(` + cron_per_role_template(unconfined, unconfined_t, unconfined_r) + # this is disallowed usage: + unconfined_domain(unconfined_crond_t) +') - userdom_unconfined(unconfined_t) - userdom_priveleged_home_dir_manager(unconfined_t) +optional_policy(` + init_dbus_chat_script(unconfined_t) - optional_policy(` - ada_domtrans(unconfined_t) - ') + dbus_stub(unconfined_t) optional_policy(` - apache_domtrans_helper(unconfined_t) + avahi_dbus_chat(unconfined_t) ') optional_policy(` - bind_domtrans_ndc(unconfined_t) + bluetooth_dbus_chat(unconfined_t) ') optional_policy(` - bootloader_domtrans(unconfined_t) + consolekit_dbus_chat(unconfined_t) ') optional_policy(` - init_dbus_chat_script(unconfined_t) - - dbus_stub(unconfined_t) - - optional_policy(` - avahi_dbus_chat(unconfined_t) - ') - - optional_policy(` - bluetooth_dbus_chat(unconfined_t) - ') - - optional_policy(` - consolekit_dbus_chat(unconfined_t) - ') - - optional_policy(` - cups_dbus_chat_config(unconfined_t) - ') - - optional_policy(` - 
hal_dbus_chat(unconfined_t) - ') - - optional_policy(` - networkmanager_dbus_chat(unconfined_t) - ') - - optional_policy(` - oddjob_dbus_chat(unconfined_t) - ') + cups_dbus_chat_config(unconfined_t) ') optional_policy(` - firstboot_domtrans(unconfined_t) + hal_dbus_chat(unconfined_t) ') optional_policy(` - ftp_domtrans_ftpdctl(unconfined_t) + networkmanager_dbus_chat(unconfined_t) ') optional_policy(` - inn_domtrans(unconfined_t) + oddjob_dbus_chat(unconfined_t) ') +') - optional_policy(` - java_domtrans(unconfined_t) - ') +optional_policy(` + firstboot_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +') - optional_policy(` - lpd_domtrans_checkpc(unconfined_t) - ') +optional_policy(` + ftp_run_ftpdctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +') - optional_policy(` - modutils_domtrans_update_mods(unconfined_t) - ') +optional_policy(` + inn_domtrans(unconfined_t) +') - optional_policy(` - mono_domtrans(unconfined_t) - ') +optional_policy(` + java_domtrans(unconfined_t) +') - optional_policy(` - oddjob_domtrans_mkhomedir(unconfined_t) - ') +optional_policy(` + lpd_run_checkpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +') - optional_policy(` - prelink_domtrans(unconfined_t) - ') +optional_policy(` + modutils_run_update_mods(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +') - optional_policy(` - portmap_domtrans_helper(unconfined_t) - ') +optional_policy(` + mono_domtrans(unconfined_t) +') - optional_policy(` - postfix_domtrans_map(unconfined_t) - # cjp: this should probably be removed: - postfix_domtrans_master(unconfined_t) - ') +optional_policy(` + mta_per_role_template(unconfined, unconfined_t, unconfined_r) +') - optional_policy(` - # cjp: this should probably be removed: - rpc_domtrans_nfsd(unconfined_t) - ') +optional_policy(` + oddjob_domtrans_mkhomedir(unconfined_t) +') - optional_policy(` - rpm_domtrans(unconfined_t) - ') 
+optional_policy(` + prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +') - optional_policy(` - samba_domtrans_net(unconfined_t) - samba_domtrans_winbind_helper(unconfined_t) - ') +optional_policy(` + portmap_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +') - optional_policy(` - sendmail_domtrans(unconfined_t) - ') +optional_policy(` + postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + # cjp: this should probably be removed: + postfix_domtrans_master(unconfined_t) +') - optional_policy(` - sysnet_domtrans_dhcpc(unconfined_t) - sysnet_dbus_chat_dhcpc(unconfined_t) - ') - optional_policy(` - tzdata_domtrans(unconfined_t) - ') +optional_policy(` + pyzor_per_role_template(unconfined) +') - optional_policy(` - usermanage_domtrans_admin_passwd(unconfined_t) - ') +optional_policy(` + # cjp: this should probably be removed: + rpc_domtrans_nfsd(unconfined_t) +') - optional_policy(` - vpn_domtrans(unconfined_t) - ') +optional_policy(` + rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +') - optional_policy(` - webalizer_domtrans(unconfined_t) - ') +optional_policy(` + samba_per_role_template(unconfined) + samba_run_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +') - optional_policy(` - wine_domtrans(unconfined_t) - ') +optional_policy(` + spamassassin_per_role_template(unconfined, unconfined_t, unconfined_r) +') - optional_policy(` - xserver_domtrans_xdm_xserver(unconfined_t) - ') +optional_policy(` + sysnet_run_dhcpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + sysnet_dbus_chat_dhcpc(unconfined_t) +') + +optional_policy(` + tzdata_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +') + +optional_policy(` + 
usermanage_run_admin_passwd(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +') + +optional_policy(` + vpn_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +') + +optional_policy(` + webalizer_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +') + +optional_policy(` + wine_domtrans(unconfined_t) +') + +optional_policy(` + xserver_domtrans_xdm_xserver(unconfined_t) ') ######################################## @@ -199,18 +217,16 @@ ifdef(`targeted_policy',` # Unconfined Execmem Local policy # -ifdef(`targeted_policy',` - allow unconfined_execmem_t self:process { execstack execmem }; - unconfined_domain_noaudit(unconfined_execmem_t) +allow unconfined_execmem_t self:process { execstack execmem }; +unconfined_domain_noaudit(unconfined_execmem_t) - optional_policy(` - dbus_stub(unconfined_execmem_t) +optional_policy(` + dbus_stub(unconfined_execmem_t) - init_dbus_chat_script(unconfined_execmem_t) - unconfined_dbus_chat(unconfined_execmem_t) + init_dbus_chat_script(unconfined_execmem_t) + unconfined_dbus_chat(unconfined_execmem_t) - optional_policy(` - hal_dbus_chat(unconfined_execmem_t) - ') + optional_policy(` + hal_dbus_chat(unconfined_execmem_t) ') ') diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index f01c490..ab74d5a 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -1353,11 +1353,7 @@ template(`userdom_security_admin_template',` ## # template(`userdom_role_change_generic_user',` - ifdef(`strict_policy',` - userdom_role_change_template($1,user) - ',` - refpolicywarn(`$0($*) has no effect in targeted policy.') - ') + userdom_role_change_template($1, user) ') ######################################## 
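Review bot: `mcs_killall(unconfined_t)` and `mcs_ptrace_all(unconfined_t)` are now unconditional, so in an mcs build every user mapped to unconfined_r can signal and ptrace processes in any category, where previously this only applied under `targeted_policy`. Given the Changelog's goal of mixing confined and unconfined users in one policy, that deserves a comment next to these lines, e.g. `# unconfined_r users are not bounded by MCS separation for signals and ptrace`, and a check that it is what the mcs profile wants. The `allow unconfined_t self:system syslog_read;` and `dontaudit unconfined_t self:capability sys_module;` lines from the old targeted branch are dropped without a visible replacement; presumably `unconfined_domain(unconfined_t)` covers them, but its body is outside this diff, so confirm. The two `unconfined_domain()` calls on `httpd_unconfined_script_t` and `unconfined_crond_t` hand out full unconfined access to types owned by other modules; the "disallowed usage" comment already records the debt, so a follow-up item to replace them with proper interfaces would be appropriate.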
@@ -1384,11 +1380,7 @@ template(`userdom_role_change_generic_user',` ## # template(`userdom_role_change_from_generic_user',` - ifdef(`strict_policy',` - userdom_role_change_template(user,$1) - ',` - refpolicywarn(`$0($*) has no effect in targeted policy.') - ') + userdom_role_change_template(user, $1) ') ######################################## @@ -1414,11 +1406,7 @@ template(`userdom_role_change_from_generic_user',` ## # template(`userdom_role_change_staff',` - ifdef(`strict_policy',` - userdom_role_change_template($1,staff) - ',` - refpolicywarn(`$0($*) has no effect in targeted policy.') - ') + userdom_role_change_template($1, staff) ') ######################################## @@ -1445,11 +1433,7 @@ template(`userdom_role_change_staff',` ## # template(`userdom_role_change_from_staff',` - ifdef(`strict_policy',` - userdom_role_change_template(staff,$1) - ',` - refpolicywarn(`$0($*) has no effect in targeted policy.') - ') + userdom_role_change_template(staff, $1) ') ######################################## @@ -1475,11 +1459,7 @@ template(`userdom_role_change_from_staff',` ## # template(`userdom_role_change_sysadm',` - ifdef(`strict_policy',` - userdom_role_change_template($1,sysadm) - ',` - refpolicywarn(`$0($*) has no effect in targeted policy.') - ') + userdom_role_change_template($1, sysadm) ') ######################################## @@ -1506,11 +1486,7 @@ template(`userdom_role_change_sysadm',` ## # template(`userdom_role_change_from_sysadm',` - ifdef(`strict_policy',` - userdom_role_change_template(sysadm,$1) - ',` - refpolicywarn(`$0($*) has no effect in targeted policy.') - ') + userdom_role_change_template(sysadm, $1) ') ######################################## 
@@ -1698,13 +1674,11 @@ template(`userdom_user_home_content',` ## # template(`userdom_setattr_user_ptys',` - ifdef(`strict_policy',` - gen_require(` - type $1_devpts_t; - ') - - allow $2 $1_devpts_t:chr_file setattr; + gen_require(` + type $1_devpts_t; ') + + allow $2 $1_devpts_t:chr_file setattr; ') ######################################## @@ -1733,13 +1707,11 @@ template(`userdom_setattr_user_ptys',` ## # template(`userdom_create_user_pty',` - ifdef(`strict_policy',` - gen_require(` - type $1_devpts_t; - ') - - term_create_pty($2,$1_devpts_t) + gen_require(` + type $1_devpts_t; ') + + term_create_pty($2, $1_devpts_t) ') ######################################## @@ -3622,15 +3594,11 @@ interface(`userdom_read_all_tmp_untrusted_content',` ## # template(`userdom_setattr_user_ttys',` - ifdef(`targeted_policy',` - term_setattr_unallocated_ttys($2) - ',` - gen_require(` - type $1_tty_device_t; - ') - - allow $2 $1_tty_device_t:chr_file setattr; + gen_require(` + type $1_tty_device_t; ') + + allow $2 $1_tty_device_t:chr_file setattr; ') ######################################## @@ -3659,15 +3627,11 @@ template(`userdom_setattr_user_ttys',` ## # template(`userdom_use_user_ttys',` - ifdef(`targeted_policy',` - term_use_unallocated_ttys($2) - ',` - gen_require(` - type $1_tty_device_t; - ') - - allow $2 $1_tty_device_t:chr_file rw_term_perms; + gen_require(` + type $1_tty_device_t; ') + + allow $2 $1_tty_device_t:chr_file rw_term_perms; ') ######################################## 
@@ -3696,18 +3660,13 @@ template(`userdom_use_user_ttys',` ## # template(`userdom_use_user_terminals',` - ifdef(`targeted_policy',` - term_use_unallocated_ttys($2) - term_use_generic_ptys($2) - ',` - gen_require(` - type $1_tty_device_t, $1_devpts_t; - ') - - allow $2 $1_tty_device_t:chr_file rw_term_perms; - allow $2 $1_devpts_t:chr_file rw_term_perms; - term_list_ptys($2) + gen_require(` + type $1_tty_device_t, $1_devpts_t; ') + + allow $2 $1_tty_device_t:chr_file rw_term_perms; + allow $2 $1_devpts_t:chr_file rw_term_perms; + term_list_ptys($2) ') ######################################## @@ -3949,19 +3908,14 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` ## # interface(`userdom_shell_domtrans_sysadm',` - ifdef(`targeted_policy',` - #cjp: need to doublecheck this one - unconfined_shell_domtrans($1) - ',` - gen_require(` - type sysadm_t; - ') - - corecmd_shell_domtrans($1,sysadm_t) - allow sysadm_t $1:fd use; - allow sysadm_t $1:fifo_file rw_file_perms; - allow sysadm_t $1:process sigchld; + gen_require(` + type sysadm_t; ') + + corecmd_shell_domtrans($1, sysadm_t) + allow sysadm_t $1:fd use; + allow sysadm_t $1:fifo_file rw_file_perms; + allow sysadm_t $1:process sigchld; ') ######################################## @@ -4170,16 +4124,12 @@ interface(`userdom_dontaudit_search_staff_home_dirs',` ## # interface(`userdom_manage_staff_home_dirs',` - ifdef(`targeted_policy',` - userdom_manage_generic_user_home_dirs($1) - ',` - gen_require(` - type staff_home_dir_t; - ') - - files_search_home($1) - allow $1 staff_home_dir_t:dir manage_dir_perms; + gen_require(` + type staff_home_dir_t; ') + + files_search_home($1) + allow $1 staff_home_dir_t:dir manage_dir_perms; ') ######################################## 
@@ -4193,16 +4143,12 @@ interface(`userdom_manage_staff_home_dirs',` ## # interface(`userdom_relabelto_staff_home_dirs',` - ifdef(`targeted_policy',` - userdom_relabelto_generic_user_home_dirs($1) - ',` - gen_require(` - type staff_home_dir_t; - ') - - files_search_home($1) - allow $1 staff_home_dir_t:dir relabelto; + gen_require(` + type staff_home_dir_t; ') + + files_search_home($1) + allow $1 staff_home_dir_t:dir relabelto; ') ######################################## @@ -4256,15 +4202,11 @@ interface(`userdom_read_staff_home_content_files',` ## # interface(`userdom_sigchld_sysadm',` - ifdef(`targeted_policy',` - unconfined_sigchld($1) - ',` - gen_require(` - type sysadm_t; - ') - - allow $1 sysadm_t:process sigchld; + gen_require(` + type sysadm_t; ') + + allow $1 sysadm_t:process sigchld; ') ######################################## @@ -4279,15 +4221,11 @@ interface(`userdom_sigchld_sysadm',` ## # interface(`userdom_dontaudit_getattr_sysadm_ttys',` - ifdef(`targeted_policy',` - term_dontaudit_getattr_unallocated_ttys($1) - ',` - gen_require(` - type sysadm_tty_device_t; - ') - - dontaudit $1 sysadm_tty_device_t:chr_file getattr; + gen_require(` + type sysadm_tty_device_t; ') + + dontaudit $1 sysadm_tty_device_t:chr_file getattr; ') ######################################## @@ -4301,17 +4239,13 @@ interface(`userdom_dontaudit_getattr_sysadm_ttys',` ## # interface(`userdom_use_sysadm_ttys',` - ifdef(`targeted_policy',` - term_use_unallocated_ttys($1) - ',` - gen_require(` - type sysadm_tty_device_t; - ') - - dev_list_all_dev_nodes($1) - term_list_ptys($1) - allow $1 sysadm_tty_device_t:chr_file rw_term_perms; + gen_require(` + type sysadm_tty_device_t; ') + + dev_list_all_dev_nodes($1) + term_list_ptys($1) + allow $1 sysadm_tty_device_t:chr_file rw_term_perms; ') ######################################## 
@@ -4325,15 +4259,11 @@ interface(`userdom_use_sysadm_ttys',` ## # interface(`userdom_dontaudit_use_sysadm_ttys',` - ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys($1) - ',` - gen_require(` - type sysadm_tty_device_t; - ') - - dontaudit $1 sysadm_tty_device_t:chr_file { read write }; + gen_require(` + type sysadm_tty_device_t; ') + + dontaudit $1 sysadm_tty_device_t:chr_file { read write }; ') ######################################## @@ -4347,17 +4277,13 @@ interface(`userdom_dontaudit_use_sysadm_ttys',` ## # interface(`userdom_use_sysadm_ptys',` - ifdef(`targeted_policy',` - term_use_generic_ptys($1) - ',` - gen_require(` - type sysadm_devpts_t; - ') - - dev_list_all_dev_nodes($1) - term_list_ptys($1) - allow $1 sysadm_devpts_t:chr_file rw_term_perms; + gen_require(` + type sysadm_devpts_t; ') + + dev_list_all_dev_nodes($1) + term_list_ptys($1) + allow $1 sysadm_devpts_t:chr_file rw_term_perms; ') ######################################## @@ -4371,15 +4297,11 @@ interface(`userdom_use_sysadm_ptys',` ## # interface(`userdom_dontaudit_use_sysadm_ptys',` - ifdef(`targeted_policy',` - term_dontaudit_use_generic_ptys($1) - ',` - gen_require(` - type sysadm_devpts_t; - ') - - dontaudit $1 sysadm_devpts_t:chr_file { read write }; + gen_require(` + type sysadm_devpts_t; ') + + dontaudit $1 sysadm_devpts_t:chr_file { read write }; ') ######################################## @@ -4408,15 +4330,11 @@ interface(`userdom_use_sysadm_terms',` ## # interface(`userdom_dontaudit_use_sysadm_terms',` - ifdef(`targeted_policy',` - term_dontaudit_use_generic_ptys($1) - ',` - gen_require(` - attribute admin_terminal; - ') - - dontaudit $1 admin_terminal:chr_file { read write }; + gen_require(` + attribute admin_terminal; ') + + dontaudit $1 admin_terminal:chr_file { read write }; ') ######################################## 
@@ -4430,15 +4348,11 @@ interface(`userdom_dontaudit_use_sysadm_terms',` ## # interface(`userdom_use_sysadm_fds',` - ifdef(`targeted_policy',` - unconfined_use_fds($1) - ',` - gen_require(` - type sysadm_t; - ') - - allow $1 sysadm_t:fd use; + gen_require(` + type sysadm_t; ') + + allow $1 sysadm_t:fd use; ') ######################################## @@ -4452,16 +4366,11 @@ interface(`userdom_use_sysadm_fds',` ## # interface(`userdom_rw_sysadm_pipes',` - ifdef(`targeted_policy',` - #cjp: need to doublecheck this one - unconfined_rw_pipes($1) - ',` - gen_require(` - type sysadm_t; - ') - - allow $1 sysadm_t:fifo_file rw_fifo_file_perms; + gen_require(` + type sysadm_t; ') + + allow $1 sysadm_t:fifo_file rw_fifo_file_perms; ') ######################################## @@ -4496,19 +4405,11 @@ interface(`userdom_getattr_sysadm_home_dirs',` ## # interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` - ifdef(`targeted_policy',` - gen_require(` - type user_home_dir_t; - ') - - dontaudit $1 user_home_dir_t:dir getattr; - ', ` - gen_require(` - type sysadm_home_dir_t; - ') - - dontaudit $1 sysadm_home_dir_t:dir getattr; + gen_require(` + type sysadm_home_dir_t; ') + + dontaudit $1 sysadm_home_dir_t:dir getattr; ') ######################################## @@ -4541,19 +4442,11 @@ interface(`userdom_search_sysadm_home_dirs',` ## # interface(`userdom_dontaudit_search_sysadm_home_dirs',` - ifdef(`targeted_policy',` - gen_require(` - type user_home_dir_t; - ') - - dontaudit $1 user_home_dir_t:dir search_dir_perms; - ',` - gen_require(` - type sysadm_home_dir_t; - ') - - dontaudit $1 sysadm_home_dir_t:dir search_dir_perms; + gen_require(` + type sysadm_home_dir_t; ') + + dontaudit $1 sysadm_home_dir_t:dir search_dir_perms; ') ######################################## 
@@ -4605,23 +4498,13 @@ interface(`userdom_dontaudit_list_sysadm_home_dirs',` ## # interface(`userdom_dontaudit_read_sysadm_home_content_files',` - ifdef(`targeted_policy',` - gen_require(` - type user_home_dir_t, user_home_t; - ') - - dontaudit $1 user_home_dir_t:dir search_dir_perms; - dontaudit $1 user_home_t:dir search_dir_perms; - dontaudit $1 user_home_t:file r_file_perms; - ',` - gen_require(` - type sysadm_home_dir_t, sysadm_home_t; - ') - - dontaudit $1 sysadm_home_dir_t:dir search_dir_perms; - dontaudit $1 sysadm_home_t:dir search_dir_perms; - dontaudit $1 sysadm_home_t:file r_file_perms; + gen_require(` + type sysadm_home_dir_t, sysadm_home_t; ') + + dontaudit $1 sysadm_home_dir_t:dir search_dir_perms; + dontaudit $1 sysadm_home_t:dir search_dir_perms; + dontaudit $1 sysadm_home_t:file read_file_perms; ') ######################################## @@ -4683,23 +4566,19 @@ interface(`userdom_search_sysadm_home_content_dirs',` ## # interface(`userdom_read_sysadm_home_content_files',` - ifdef(`strict_policy',` - gen_require(` - type sysadm_home_dir_t, sysadm_home_t; - ') - - files_search_home($1) - allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms; - read_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t) - read_lnk_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t) - ',` - userdom_read_generic_user_home_content_files($1) + gen_require(` + type sysadm_home_dir_t, sysadm_home_t; ') + + files_search_home($1) + allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms; + read_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t) + read_lnk_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t) ') ######################################## ## -## Read files in the sysadm users home directory. +## Read sysadm temporary files. ## ## ## 
@@ -4708,18 +4587,14 @@ interface(`userdom_read_sysadm_home_content_files',` ## # interface(`userdom_read_sysadm_tmp_files',` - ifdef(`strict_policy',` - gen_require(` - type sysadm_tmp_t; - ') - - files_search_tmp($1) - allow $1 sysadm_tmp_t:dir list_dir_perms; - read_files_pattern($1,sysadm_tmp_t,sysadm_tmp_t) - read_lnk_files_pattern($1,sysadm_tmp_t,sysadm_tmp_t) - ',` - files_read_generic_tmp_files($1) + gen_require(` + type sysadm_tmp_t; ') + + files_search_tmp($1) + allow $1 sysadm_tmp_t:dir list_dir_perms; + read_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t) + read_lnk_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t) ') ######################################## @@ -5351,16 +5226,12 @@ interface(`userdom_setattr_unpriv_users_ptys',` ## # interface(`userdom_use_unpriv_users_ptys',` - ifdef(`targeted_policy',` - term_use_generic_ptys($1) - ',` - gen_require(` - attribute user_ptynode; - ') - - term_search_ptys($1) - allow $1 user_ptynode:chr_file rw_file_perms; + gen_require(` + attribute user_ptynode; ') + + term_search_ptys($1) + allow $1 user_ptynode:chr_file rw_file_perms; ') ######################################## @@ -5375,15 +5246,11 @@ interface(`userdom_use_unpriv_users_ptys',` ## # interface(`userdom_dontaudit_use_unpriv_users_ptys',` - ifdef(`targeted_policy',` - term_dontaudit_use_generic_ptys($1) - ',` - gen_require(` - attribute user_ptynode; - ') - - dontaudit $1 user_ptynode:chr_file rw_file_perms; + gen_require(` + attribute user_ptynode; ') + + dontaudit $1 user_ptynode:chr_file rw_file_perms; ') ######################################## @@ -5434,15 +5301,11 @@ interface(`userdom_dontaudit_relabelfrom_unpriv_users_ptys',` ## # interface(`userdom_list_unpriv_users_tmp',` - ifdef(`targeted_policy',` - files_list_tmp($1) - ',` - gen_require(` - attribute user_tmpfile; - ') - - allow $1 user_tmpfile:dir list_dir_perms; + gen_require(` + attribute user_tmpfile; ') + + allow $1 user_tmpfile:dir list_dir_perms; ') ######################################## 
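Review bot: `userdom_use_unpriv_users_ptys` now unconditionally grants `rw_file_perms` on user_ptynode chr_files, while its tty counterpart `userdom_use_unpriv_users_ttys` in the next hunk grants `rw_term_perms`; if those two macros differ in this tree the pty interface hands out more than the tty one for no stated reason. Unless the difference is deliberate, `allow $1 user_ptynode:chr_file rw_term_perms;` would make the pair consistent, with a comment if the extra permissions are actually needed. This is pre-existing, but the commit touches both bodies and is the natural place to align them.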
@@ -5456,15 +5319,11 @@ interface(`userdom_list_unpriv_users_tmp',` ## # interface(`userdom_read_unpriv_users_tmp_files',` - ifdef(`targeted_policy',` - files_read_generic_tmp_files($1) - ',` - gen_require(` - attribute user_tmpfile; - ') - - allow $1 user_tmpfile:file { read getattr }; + gen_require(` + attribute user_tmpfile; ') + + allow $1 user_tmpfile:file { read getattr }; ') ######################################## @@ -5478,15 +5337,11 @@ interface(`userdom_read_unpriv_users_tmp_files',` ## # interface(`userdom_read_unpriv_users_tmp_symlinks',` - ifdef(`targeted_policy',` - files_read_generic_tmp_symlinks($1) - ',` - gen_require(` - attribute user_tmpfile; - ') - - allow $1 user_tmpfile:lnk_file { getattr read }; + gen_require(` + attribute user_tmpfile; ') + + allow $1 user_tmpfile:lnk_file { getattr read }; ') ######################################## @@ -5518,15 +5373,11 @@ interface(`userdom_write_unpriv_users_tmp_files',` ## # interface(`userdom_use_unpriv_users_ttys',` - ifdef(`targeted_policy',` - term_use_unallocated_ttys($1) - ',` - gen_require(` - attribute user_ttynode; - ') - - allow $1 user_ttynode:chr_file rw_term_perms; + gen_require(` + attribute user_ttynode; ') + + allow $1 user_ttynode:chr_file rw_term_perms; ') ######################################## @@ -5541,15 +5392,11 @@ interface(`userdom_use_unpriv_users_ttys',` ## # interface(`userdom_dontaudit_use_unpriv_users_ttys',` - ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys($1) - ',` - gen_require(` - attribute user_ttynode; - ') - - dontaudit $1 user_ttynode:chr_file rw_file_perms; + gen_require(` + attribute user_ttynode; ') + + dontaudit $1 user_ttynode:chr_file rw_file_perms; ') ######################################## 
@@ -5673,15 +5520,11 @@ interface(`userdom_sigchld_all_users',` ## # interface(`userdom_create_all_users_keys',` - ifdef(`strict_policy',` - gen_require(` - attribute userdomain; - ') - - allow $1 userdomain:key create; - ',` - unconfined_create_keys($1) + gen_require(` + attribute userdomain; ') + + allow $1 userdomain:key create; ') ######################################## @@ -5705,7 +5548,7 @@ interface(`userdom_dbus_send_all_users',` ######################################## ## -## Unconfined access to user domains. +## Unconfined access to user domains. (Deprecated) ## ## ## @@ -5714,10 +5557,5 @@ interface(`userdom_dbus_send_all_users',` ## # interface(`userdom_unconfined',` - gen_require(` - type user_home_dir_t; - ') - - allow $1 user_home_dir_t:dir manage_dir_perms; - files_home_filetrans($1,user_home_dir_t,dir) + refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index eb915d1..80c2300 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -15,7 +15,6 @@ gen_require(` # Declarations # -ifdef(`strict_policy',` ## ##
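Review bot: `userdom_unconfined` is now a no-op that only emits a build-time warning, so any module still calling it silently loses `manage_dir_perms` on user_home_dir_t and the `files_home_filetrans` rule; that fails closed rather than open, but callers get no pointer to the replacement. The description now reads only `Unconfined access to user domains. (Deprecated)`; suggest `## Deprecated and no longer grants anything. Callers needing home directory management should use userdom_manage_generic_user_home_dirs() instead.` if that is the intended migration (that interface is referenced elsewhere in this commit but its body is not visible here).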

## Allow sysadm to ptrace all processes @@ -65,7 +64,6 @@ gen_tunable(user_rw_noexattrfile,false) ##

##
gen_tunable(user_ttyfile_stat,false) -') # admin users terminals (tty and pty) attribute admin_terminal; 
@@ -108,451 +106,391 @@ attribute untrusted_content_tmp_type; # Local policy # -ifdef(`strict_policy',` - userdom_admin_user_template(sysadm) - userdom_unpriv_user_template(staff) - userdom_unpriv_user_template(user) +userdom_admin_user_template(sysadm) +userdom_unpriv_user_template(staff) +userdom_unpriv_user_template(user) - # user role change rules: - # sysadm_r can change to user roles - userdom_role_change_template(sysadm, user) - userdom_role_change_template(sysadm, staff) +# user role change rules: +# sysadm_r can change to user roles +userdom_role_change_template(sysadm, user) +userdom_role_change_template(sysadm, staff) - # only staff_r can change to sysadm_r - userdom_role_change_template(staff, sysadm) - dontaudit staff_t admin_terminal:chr_file { read write }; +# only staff_r can change to sysadm_r +userdom_role_change_template(staff, sysadm) +dontaudit staff_t admin_terminal:chr_file { read write }; - ifdef(`enable_mls',` - userdom_unpriv_user_template(secadm) - userdom_unpriv_user_template(auditadm) +ifdef(`enable_mls',` + userdom_unpriv_user_template(secadm) + userdom_unpriv_user_template(auditadm) - userdom_role_change_template(staff,auditadm) - userdom_role_change_template(staff,secadm) + userdom_role_change_template(staff, auditadm) + userdom_role_change_template(staff, secadm) - userdom_role_change_template(sysadm,secadm) - userdom_role_change_template(sysadm,auditadm) + userdom_role_change_template(sysadm, secadm) + userdom_role_change_template(sysadm, auditadm) - userdom_role_change_template(auditadm,secadm) - userdom_role_change_template(auditadm,sysadm) + userdom_role_change_template(auditadm, secadm) + userdom_role_change_template(auditadm, sysadm) - userdom_role_change_template(secadm,auditadm) - userdom_role_change_template(secadm,sysadm) - ') + userdom_role_change_template(secadm, auditadm) + userdom_role_change_template(secadm, sysadm) +') - # this should be tunable_policy, but - # currently type_change and RBAC allow - # do not work in 
conditionals - ifdef(`user_canbe_sysadm',` - userdom_role_change_template(user,sysadm) - ') +# this should be tunable_policy, but +# currently type_change and RBAC allow +# do not work in conditionals +ifdef(`user_canbe_sysadm',` + userdom_role_change_template(user, sysadm) +') - ######################################## - # - # Sysadm local policy - # +######################################## +# +# Sysadm local policy +# - # for su - allow sysadm_t userdomain:fd use; +# for su +allow sysadm_t userdomain:fd use; - # Add/remove user home directories - allow sysadm_t user_home_dir_t:dir manage_dir_perms; - files_home_filetrans(sysadm_t,user_home_dir_t,dir) +# Add/remove user home directories +allow sysadm_t user_home_dir_t:dir manage_dir_perms; +files_home_filetrans(sysadm_t, user_home_dir_t, dir) - corecmd_exec_shell(sysadm_t) +corecmd_exec_shell(sysadm_t) - mls_process_read_up(sysadm_t) +mls_process_read_up(sysadm_t) - init_exec(sysadm_t) +init_exec(sysadm_t) - # Following for sending reboot and wall messages - userdom_use_unpriv_users_ptys(sysadm_t) - userdom_use_unpriv_users_ttys(sysadm_t) +# Following for sending reboot and wall messages +userdom_use_unpriv_users_ptys(sysadm_t) +userdom_use_unpriv_users_ttys(sysadm_t) - ifdef(`direct_sysadm_daemon',` - optional_policy(` - init_run_daemon(sysadm_t,sysadm_r,admin_terminal) - ') - ',` - ifdef(`distro_gentoo',` - optional_policy(` - seutil_init_script_run_runinit(sysadm_t,sysadm_r,admin_terminal) - ') - ') +ifdef(`direct_sysadm_daemon',` + optional_policy(` + init_run_daemon(sysadm_t, sysadm_r, admin_terminal) ') - - ifdef(`enable_mls',` - allow auditadm_t self:capability { dac_read_search dac_override }; - seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t }) - domain_kill_all_domains(auditadm_t) - seutil_read_bin_policy(auditadm_t) - corecmd_exec_shell(auditadm_t) - logging_send_syslog_msg(auditadm_t) - logging_read_generic_logs(auditadm_t) - logging_manage_audit_log(auditadm_t) - 
logging_manage_audit_config(auditadm_t) - logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t }) - logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t }) - userdom_dontaudit_read_sysadm_home_content_files(auditadm_t) - - allow secadm_t self:capability { dac_read_search dac_override }; - corecmd_exec_shell(secadm_t) - domain_obj_id_change_exemption(secadm_t) - mls_process_read_up(secadm_t) - mls_file_read_all_levels(secadm_t) - mls_file_write_all_levels(secadm_t) - mls_file_upgrade(secadm_t) - mls_file_downgrade(secadm_t) - auth_relabel_all_files_except_shadow(secadm_t) - dev_relabel_all_dev_nodes(secadm_t) - auth_relabel_shadow(secadm_t) - init_exec(secadm_t) - logging_read_audit_log(secadm_t) - logging_read_generic_logs(secadm_t) - logging_read_audit_config(secadm_t) - userdom_dontaudit_append_staff_home_content_files(secadm_t) - userdom_dontaudit_read_sysadm_home_content_files(secadm_t) - +',` + ifdef(`distro_gentoo',` optional_policy(` - aide_run(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t }) + seutil_init_script_run_runinit(sysadm_t, sysadm_r, admin_terminal) ') - - optional_policy(` - netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t }) - ') - ',` - logging_manage_audit_log(sysadm_t) - logging_manage_audit_config(sysadm_t) - logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal) - ') - - tunable_policy(`allow_ptrace',` - domain_ptrace_all_domains(sysadm_t) - ') - - optional_policy(` - amanda_run_recover(sysadm_t,sysadm_r,admin_terminal) - ') - - optional_policy(` - apache_run_helper(sysadm_t,sysadm_r,admin_terminal) - #apache_run_all_scripts(sysadm_t,sysadm_r) - #apache_domtrans_sys_script(sysadm_t) ') +') - optional_policy(` - tzdata_domtrans(sysadm_t) - ') +ifdef(`enable_mls',` + allow auditadm_t self:capability { dac_read_search dac_override }; + seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t }) + 
domain_kill_all_domains(auditadm_t) + seutil_read_bin_policy(auditadm_t) + corecmd_exec_shell(auditadm_t) + logging_send_syslog_msg(auditadm_t) + logging_read_generic_logs(auditadm_t) + logging_manage_audit_log(auditadm_t) + logging_manage_audit_config(auditadm_t) + logging_run_auditctl(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t }) + logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t }) + userdom_dontaudit_read_sysadm_home_content_files(auditadm_t) + + allow secadm_t self:capability { dac_read_search dac_override }; + corecmd_exec_shell(secadm_t) + domain_obj_id_change_exemption(secadm_t) + mls_process_read_up(secadm_t) + mls_file_read_all_levels(secadm_t) + mls_file_write_all_levels(secadm_t) + mls_file_upgrade(secadm_t) + mls_file_downgrade(secadm_t) + auth_relabel_all_files_except_shadow(secadm_t) + dev_relabel_all_dev_nodes(secadm_t) + auth_relabel_shadow(secadm_t) + init_exec(secadm_t) + logging_read_audit_log(secadm_t) + logging_read_generic_logs(secadm_t) + logging_read_audit_config(secadm_t) + userdom_dontaudit_append_staff_home_content_files(secadm_t) + userdom_dontaudit_read_sysadm_home_content_files(secadm_t) + + optional_policy(` + aide_run(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t }) + ') + + optional_policy(` + netlabel_run_mgmt(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t }) + ') +',` + logging_manage_audit_log(sysadm_t) + logging_manage_audit_config(sysadm_t) + logging_run_auditctl(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - raid_domtrans_mdadm(sysadm_t) - ') +tunable_policy(`allow_ptrace',` + domain_ptrace_all_domains(sysadm_t) +') - optional_policy(` - # cjp: why is this not apm_run_client - apm_domtrans_client(sysadm_t) - ') +optional_policy(` + amanda_run_recover(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - apt_run(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + apache_run_helper(sysadm_t, sysadm_r, admin_terminal) 
+ #apache_run_all_scripts(sysadm_t, sysadm_r) + #apache_domtrans_sys_script(sysadm_t) +') - optional_policy(` - backup_run(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + tzdata_domtrans(sysadm_t) +') - optional_policy(` - bootloader_run(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + raid_domtrans_mdadm(sysadm_t) +') - optional_policy(` - bind_run_ndc(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + # cjp: why is this not apm_run_client + apm_domtrans_client(sysadm_t) +') - optional_policy(` - bluetooth_run_helper(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + apt_run(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - consoletype_run(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + backup_run(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - clock_run(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + bootloader_run(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - clockspeed_run_cli(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + bind_run_ndc(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - certwatch_run(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + certwatch_run(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - cvs_exec(sysadm_t) - ') +optional_policy(` + consoletype_run(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - consoletype_exec(sysadm_t) +optional_policy(` + clock_run(sysadm_t, sysadm_r, admin_terminal) +') - ifdef(`enable_mls',` - consoletype_exec(auditadm_t) - ') - ') +optional_policy(` + clockspeed_run_cli(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - cron_admin_template(sysadm,sysadm_t,sysadm_r) - ') +optional_policy(` + cvs_exec(sysadm_t) +') - optional_policy(` - dcc_run_cdcc(sysadm_t,sysadm_r,admin_terminal) - dcc_run_client(sysadm_t,sysadm_r,admin_terminal) - dcc_run_dbclean(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + consoletype_exec(sysadm_t) - 
optional_policy(` - ddcprobe_run(sysadm_t,sysadm_r,admin_terminal) + ifdef(`enable_mls',` + consoletype_exec(auditadm_t) ') +') - optional_policy(` - dmesg_exec(sysadm_t) +optional_policy(` + cron_admin_template(sysadm, sysadm_t, sysadm_r) +') - ifdef(`enable_mls',` - dmesg_exec(auditadm_t) - ') - ') +optional_policy(` + dcc_run_cdcc(sysadm_t, sysadm_r, admin_terminal) + dcc_run_client(sysadm_t, sysadm_r, admin_terminal) + dcc_run_dbclean(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - dmidecode_run(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + ddcprobe_run(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - dpkg_run(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + dmesg_exec(sysadm_t) - optional_policy(` - ethereal_run_tethereal(sysadm_t,sysadm_r,admin_terminal) - ethereal_admin_template(sysadm,sysadm_t,sysadm_r) + ifdef(`enable_mls',` + dmesg_exec(auditadm_t) ') +') - optional_policy(` - firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t) - ') +optional_policy(` + dmidecode_run(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - fstools_run(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + dpkg_run(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - hostname_run(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + ethereal_run_tethereal(sysadm_t, sysadm_r, admin_terminal) + ethereal_admin_template(sysadm, sysadm_t, sysadm_r) +') - optional_policy(` - # allow system administrator to use the ipsec script to look - # at things (e.g., ipsec auto --status) - # probably should create an ipsec_admin role for this kind of thing - ipsec_exec_mgmt(sysadm_t) - ipsec_stream_connect(sysadm_t) - # for lsof - ipsec_getattr_key_sockets(sysadm_t) - ') +optional_policy(` + firstboot_run(sysadm_t, sysadm_r, sysadm_tty_device_t) +') - optional_policy(` - iptables_run(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + fstools_run(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` 
- libs_run_ldconfig(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + hostname_run(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - lvm_run(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + # allow system administrator to use the ipsec script to look + # at things (e.g., ipsec auto --status) + # probably should create an ipsec_admin role for this kind of thing + ipsec_exec_mgmt(sysadm_t) + ipsec_stream_connect(sysadm_t) + # for lsof + ipsec_getattr_key_sockets(sysadm_t) +') - optional_policy(` - logrotate_run(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + iptables_run(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - lpd_run_checkpc(sysadm_t,sysadm_r,admin_terminal) - lpr_admin_template(sysadm,sysadm_t,sysadm_r) - ') +optional_policy(` + libs_run_ldconfig(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - kudzu_run(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + lvm_run(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - modutils_run_depmod(sysadm_t,sysadm_r,admin_terminal) - modutils_run_insmod(sysadm_t,sysadm_r,admin_terminal) - modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + logrotate_run(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - mount_run(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + lpd_run_checkpc(sysadm_t, sysadm_r, admin_terminal) + lpr_admin_template(sysadm, sysadm_t, sysadm_r) +') - optional_policy(` - mta_admin_template(sysadm,sysadm_t,sysadm_r) - ') +optional_policy(` + kudzu_run(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - mysql_stream_connect(sysadm_t) - ') +optional_policy(` + modutils_run_depmod(sysadm_t, sysadm_r, admin_terminal) + modutils_run_insmod(sysadm_t, sysadm_r, admin_terminal) + modutils_run_update_mods(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - netutils_run(sysadm_t,sysadm_r,admin_terminal) - netutils_run_ping(sysadm_t,sysadm_r,admin_terminal) 
- netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + mount_run(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - rpc_domtrans_nfsd(sysadm_t) - ') +optional_policy(` + mta_admin_template(sysadm, sysadm_t, sysadm_r) +') - optional_policy(` - munin_stream_connect(sysadm_t) - ') +optional_policy(` + mysql_stream_connect(sysadm_t) +') - optional_policy(` - ntp_stub() - corenet_udp_bind_ntp_port(sysadm_t) - ') +optional_policy(` + netutils_run(sysadm_t, sysadm_r, admin_terminal) + netutils_run_ping(sysadm_t, sysadm_r, admin_terminal) + netutils_run_traceroute(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - oav_run_update(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + rpc_domtrans_nfsd(sysadm_t) +') - optional_policy(` - pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + munin_stream_connect(sysadm_t) +') - optional_policy(` - portage_run(sysadm_t,sysadm_r,admin_terminal) - portage_run_gcc_config(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + ntp_stub() + corenet_udp_bind_ntp_port(sysadm_t) +') - optional_policy(` - portmap_run_helper(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + oav_run_update(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - quota_run(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + pcmcia_run_cardctl(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - rpm_run(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + portage_run(sysadm_t, sysadm_r, admin_terminal) + portage_run_gcc_config(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - rsync_exec(sysadm_t) - ') +optional_policy(` + portmap_run_helper(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - samba_run_net(sysadm_t,sysadm_r,admin_terminal) - samba_run_winbind_helper(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + quota_run(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - 
seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal) - seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal) +optional_policy(` + rpm_run(sysadm_t, sysadm_r, admin_terminal) +') - ifdef(`enable_mls',` - userdom_security_admin_template(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t }) - ', ` - userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal) - ') - ') +optional_policy(` + rsync_exec(sysadm_t) +') - optional_policy(` - sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal) - sysnet_run_dhcpc(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + samba_run_net(sysadm_t, sysadm_r, admin_terminal) + samba_run_winbind_helper(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - tripwire_run_siggen(sysadm_t,sysadm_r,admin_terminal) - tripwire_run_tripwire(sysadm_t,sysadm_r,admin_terminal) - tripwire_run_twadmin(sysadm_t,sysadm_r,admin_terminal) - tripwire_run_twprint(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + seutil_run_setfiles(sysadm_t, sysadm_r, admin_terminal) + seutil_run_runinit(sysadm_t, sysadm_r, admin_terminal) - optional_policy(` - unconfined_domtrans(sysadm_t,sysadm_r,admin_terminal) + ifdef(`enable_mls',` + userdom_security_admin_template(secadm_t, secadm_r, { secadm_tty_device_t sysadm_devpts_t }) + ', ` + userdom_security_admin_template(sysadm_t, sysadm_r, admin_terminal) ') +') - optional_policy(` - usbmodules_run(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + sysnet_run_ifconfig(sysadm_t, sysadm_r, admin_terminal) + sysnet_run_dhcpc(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal) - usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal) - usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + tripwire_run_siggen(sysadm_t, sysadm_r, admin_terminal) + tripwire_run_tripwire(sysadm_t, sysadm_r, admin_terminal) + tripwire_run_twadmin(sysadm_t, sysadm_r, admin_terminal) + 
tripwire_run_twprint(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - vpn_run(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + unconfined_domtrans(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - webalizer_run(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + usbmodules_run(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - yam_run(sysadm_t,sysadm_r,admin_terminal) - ') +optional_policy(` + usermanage_run_admin_passwd(sysadm_t, sysadm_r, admin_terminal) + usermanage_run_groupadd(sysadm_t, sysadm_r, admin_terminal) + usermanage_run_useradd(sysadm_t, sysadm_r, admin_terminal) ') -ifdef(`targeted_policy',` - # Define some type aliases to help with compatibility with - # strict policy. - unconfined_alias_domain(secadm_t) - unconfined_alias_domain(auditadm_t) - unconfined_alias_domain(sysadm_t) - - # User home directory type. - type user_home_t alias { staff_home_t sysadm_home_t }, home_type, user_home_type; - files_type(user_home_t) - files_associate_tmp(user_home_t) - fs_associate_tmpfs(user_home_t) - - type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type, home_type, user_home_dir_type; - files_type(user_home_dir_t) - files_associate_tmp(user_home_dir_t) - fs_associate_tmpfs(user_home_dir_t) - - # compatibility for switching from strict -# dominance { role secadm_r { role system_r; }} -# dominance { role auditadm_r { role system_r; }} -# dominance { role sysadm_r { role system_r; }} -# dominance { role user_r { role system_r; }} -# dominance { role staff_r { role system_r; }} - - # dont need to use the full role_change() - allow sysadm_r system_r; - allow sysadm_r user_r; - allow user_r system_r; - allow user_r sysadm_r; - allow system_r sysadm_r; - allow system_r sysadm_r; - - manage_dirs_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) - manage_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) - manage_lnk_files_pattern(privhome,{ user_home_dir_t 
user_home_t },user_home_t) - manage_sock_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) - manage_fifo_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) - filetrans_pattern(privhome,user_home_dir_t,user_home_t,{ dir file lnk_file sock_file fifo_file }) - files_search_home(privhome) +optional_policy(` + vpn_run(sysadm_t, sysadm_r, admin_terminal) +') - ifdef(`enable_mls',` - allow secadm_r system_r; - allow auditadm_r system_r; - allow secadm_r user_r; - allow staff_r secadm_r; - allow staff_r auditadm_r; - ') +optional_policy(` + webalizer_run(sysadm_t, sysadm_r, admin_terminal) +') - optional_policy(` - samba_per_role_template(user) - ') +optional_policy(` + yam_run(sysadm_t, sysadm_r, admin_terminal) ') diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te index 031b7cf..cbe6502 100644 --- a/policy/modules/system/xen.te +++ b/policy/modules/system/xen.te @@ -217,15 +217,6 @@ optional_policy(` consoletype_exec(xend_t) ') -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(xend_t) - term_dontaudit_use_generic_ptys(xend_t) - - optional_policy(` - unconfined_rw_pipes(xend_t) - ') -') - ######################################## # # Xen console local policy diff --git a/policy/rolemap b/policy/rolemap index 3e8d368..729ed88 100644 --- a/policy/rolemap +++ b/policy/rolemap @@ -8,13 +8,11 @@ # syntax: role prefix user_domain # -ifdef(`strict_policy',` - user_r user user_t - staff_r staff staff_t - sysadm_r sysadm sysadm_t +user_r user user_t +staff_r staff staff_t +sysadm_r sysadm sysadm_t - ifdef(`enable_mls',` - secadm_r secadm secadm_t - auditadm_r auditadm auditadm_t - ') +ifdef(`enable_mls',` + secadm_r secadm secadm_t + auditadm_r auditadm auditadm_t ') diff --git a/policy/users b/policy/users index e2053ab..f82b604 100644 --- a/policy/users +++ b/policy/users 
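Review bot: In the userdomain.te hunk, inside the `seutil_run_setfiles` optional block, the `enable_mls` branch calls `userdom_security_admin_template(secadm_t, secadm_r, { secadm_tty_device_t sysadm_devpts_t })`, pairing secadm's tty type with sysadm's pty type, whereas the other secadm run templates in the same hunk (`aide_run`, `netlabel_run_mgmt`) use `{ secadm_tty_device_t secadm_devpts_t }`. This looks like a typo carried over from the old indented block; if secadm_t's ptys are labelled secadm_devpts_t, the security admin would be unable to run these tools from a pty. I would change the line to `userdom_security_admin_template(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })`. The rest of the hunk only dedents the former strict-only block and reformats argument spacing, so this is the one substantive line that deserves a second look.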
@@ -25,13 +25,12 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # SELinux user identity for a Linux user. If you do not want to
 # permit any access to such users, then remove this entry.
 #
-ifdef(`targeted_policy',`
-gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-',`
 gen_user(user_u, user, user_r, s0, s0)
 gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-')
+
+# Until order dependence is fixed for users:
+gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
 #
 # The following users correspond to Unix identities.
@@ -40,12 +39,8 @@ gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # role should use the staff_r role instead of the user_r role when
 # not in the sysadm_r.
 #
-ifdef(`targeted_policy',`
- gen_user(root, user, user_r sysadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ifdef(`direct_sysadm_daemon',`
+ gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 ',`
- ifdef(`direct_sysadm_daemon',`
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
- ',`
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
- ')
+ gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 ')
diff --git a/support/Makefile.devel b/support/Makefile.devel
index 34fd708..a944df0 100644
--- a/support/Makefile.devel
+++ b/support/Makefile.devel
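Review bot: The new `gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)` in the first users hunk is unconditional, but the comment above it, `# Until order dependence is fixed for users:`, does not say which ordering problem forces the declaration into base policy or where it is meant to live afterwards, so a reader cannot tell whether this user is expected on every build. I would expand it along the lines of `# unconfined_u has to be declared in base policy because of [ORDERING_CONSTRAINT]; move it to the unconfined module once that is fixed.`, with the actual constraint filled in. It is also worth confirming that `unconfined_r` is declared in base policy rather than only by the unconfined module, since otherwise a build without that module would fail on this line; I am inferring the role's origin from its name.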
@@ -24,7 +24,7 @@ SEMOD_PKG := $(BINDIR)/semodule_package
 XMLLINT := $(BINDIR)/xmllint
 
 # set default build options if missing
-TYPE ?= strict
+TYPE ?= standard
 DIRECT_INITRC ?= n
 POLY ?= n
 QUIET ?= y
@@ -39,25 +39,15 @@ metaxml := metadata.xml
 globaltun = $(HEADERDIR)/global_tunables.xml
 globalbool = $(HEADERDIR)/global_booleans.xml
 
-# compile strict policy if requested.
-ifneq ($(findstring strict,$(TYPE)),)
- M4PARAM += -D strict_policy
-endif
-
-# compile targeted policy if requested.
-ifneq ($(findstring targeted,$(TYPE)),)
- M4PARAM += -D targeted_policy
-endif
-
 # enable MLS if requested.
-ifneq ($(findstring -mls,$(TYPE)),)
+ifeq "$(TYPE)" "mls"
 M4PARAM += -D enable_mls
 CHECKPOLICY += -M
 CHECKMODULE += -M
 endif
 
 # enable MLS if MCS requested.
-ifneq ($(findstring -mcs,$(TYPE)),)
+ifeq "$(TYPE)" "mcs"
 M4PARAM += -D enable_mcs
 CHECKPOLICY += -M
 CHECKMODULE += -M
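Review bot: `ifeq "$(TYPE)" "mls"` and `ifeq "$(TYPE)" "mcs"` in the second Makefile.devel hunk accept any other value of TYPE silently, so a build.conf that still carries one of the old names (`strict-mls`, `targeted-mcs`) or a trailing space now produces a policy without MLS/MCS and without any diagnostic, a quiet downgrade of the security model the user asked for. Validate the variable once before the conditionals: `ifeq ($(filter standard mls mcs,$(strip $(TYPE))),)` / `$(error TYPE must be standard, mls or mcs, got "$(TYPE)")` / `endif`. The comment `# enable MLS if MCS requested.` above the mcs block reads like a copy-paste leftover and could become `# enable MCS if requested.`.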