diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index 61f46ad..016682c 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -67,6 +67,7 @@ optional_policy(`authlogin.te', `
optional_policy(`cron.te',`
cron_read_pipe(consoletype_t)
+ cron_use_system_job_fd(consoletype_t)
')
optional_policy(`firstboot.te',`
@@ -95,8 +96,6 @@ optional_policy(`userdomain.te',`
ifdef(`TODO',`
allow consoletype_t nfs_t:file write;
-allow consoletype_t system_crond_t:fd use;
-
optional_policy(`xdm.te', `
allow consoletype_t xdm_tmp_t:file rw_file_perms;
')
diff --git a/refpolicy/policy/modules/admin/firstboot.te b/refpolicy/policy/modules/admin/firstboot.te
index f39a053..7ad75c4 100644
--- a/refpolicy/policy/modules/admin/firstboot.te
+++ b/refpolicy/policy/modules/admin/firstboot.te
@@ -120,8 +120,10 @@ optional_policy(`samba.te',`
')
optional_policy(`usermanage.te',`
- usermanage_domtrans_useradd(firstboot_t)
+ usermanage_domtrans_chfn(firstboot_t)
usermanage_domtrans_groupadd(firstboot_t)
+ usermanage_domtrans_passwd(firstboot_t)
+ usermanage_domtrans_useradd(firstboot_t)
')
ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
index 1a1e714..5ddfe4b 100644
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -85,6 +85,8 @@ corecmd_exec_ls(logrotate_t)
domain_signal_all_domains(logrotate_t)
domain_use_wide_inherit_fd(logrotate_t)
domain_getattr_all_entry_files(logrotate_t)
+# Read /proc/PID directories for all domains.
+domain_read_all_domains_state(logrotate_t)
files_read_usr_files(logrotate_t)
files_read_etc_files(logrotate_t)
@@ -163,21 +165,11 @@ optional_policy(`squid.te',`
')
ifdef(`TODO',`
-
-#from privmail this needs more work:
-allow mta_user_agent logrotate_t:fd use;
-allow mta_user_agent logrotate_t:process sigchld;
-allow mta_user_agent logrotate_t:fifo_file { read write };
-
ifdef(`gnome-pty-helper.te', `allow logrotate_t sysadm_gph_t:fd use;')
# it should not require this
allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { getattr read search };
-# Read /proc/PID directories for all domains.
-allow logrotate_t domain:notdevfile_class_set r_file_perms;
-allow logrotate_t domain:dir r_dir_perms;
-
# for /var/backups on Debian
ifdef(`backup.te', `
rw_dir_create_file(logrotate_t, backup_store_t)
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index 01b3216..b6ce0ea 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -1,5 +1,5 @@
-policy_module(devices,1.0)
+policy_module(netutils,1.0)
########################################
#
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index bb43066..1da113f 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -6,11 +6,12 @@ policy_module(rpm,1.0)
# Declarations
#
-type rpm_t; #, priv_system_role;
+type rpm_t;
type rpm_exec_t;
init_system_domain(rpm_t,rpm_exec_t)
domain_obj_id_change_exempt(rpm_t)
domain_role_change_exempt(rpm_t)
+domain_system_change_exempt(rpm_t)
domain_wide_inherit_fd(rpm_t)
role system_r types rpm_t;
@@ -30,9 +31,10 @@ type rpm_var_lib_t;
files_type(rpm_var_lib_t)
typealias rpm_var_lib_t alias var_lib_rpm_t;
-type rpm_script_t; #, admin, privmem, priv_system_role;
+type rpm_script_t;
type rpm_script_exec_t;
domain_obj_id_change_exempt(rpm_script_t)
+domain_system_change_exempt(rpm_script_t)
corecmd_shell_entry_type(rpm_script_t)
domain_type(rpm_script_t)
domain_entry_file(rpm_t,rpm_script_exec_t)
@@ -92,7 +94,7 @@ fs_create_tmpfs_data(rpm_t,rpm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }
# Access /var/lib/rpm files
allow rpm_t rpm_var_lib_t:file create_file_perms;
allow rpm_t rpm_var_lib_t:dir rw_dir_perms;
-#files_create_private_libraries(rpm_t,rpm_var_lib_t,dir)
+files_create_var_lib(rpm_t,rpm_var_lib_t,dir)
kernel_read_system_state(rpm_t)
kernel_read_kernel_sysctl(rpm_t)
@@ -114,7 +116,7 @@ dev_list_usbfs(rpm_t)
dev_read_urand(rpm_t)
#devices_manage_all_device_types(rpm_t)
-#fs_manage_nfs_dir(rpm_t)
+fs_manage_nfs_dirs(rpm_t)
fs_manage_nfs_files(rpm_t)
fs_manage_nfs_symlinks(rpm_t)
fs_getattr_all_fs(rpm_t)
@@ -183,10 +185,6 @@ ifdef(`TODO',`
# cjp: this seems way out of place
role sysadm_r types initrc_t;
-type_transition rpm_t tmpfs_t:{ dir file lnk_file sock_file fifo_file } rpm_tmpfs_t;
-
-dontaudit rpm_t domain:process ptrace;
-
# read/write/create any files in the system
dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
allow rpm_t ttyfile:chr_file unlink;
@@ -312,10 +310,6 @@ seutil_domtrans_restorecon(rpm_script_t)
userdom_use_all_user_fd(rpm_script_t)
-if (allow_execmem) {
- allow rpm_script_t self:process execmem;
-}
-
# this should be tunable_policy, but
# typeattribute does not work in conditionals
ifdef(`unlimitedRPM',`
@@ -323,6 +317,10 @@ ifdef(`unlimitedRPM',`
unconfined_domain_template(rpm_script_t)
')
+tunable_policy(`allow_execmem',`
+ allow rpm_script_t self:process execmem;
+')
+
optional_policy(`bootloader.te',`
bootloader_domtrans(rpm_script_t)
')
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 4452dee..b3ed57c 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -96,6 +96,9 @@ fs_search_auto_mountpoints(chfn_t)
# for SSP
dev_read_urand(chfn_t)
+auth_domtrans_chk_passwd(chfn_t)
+auth_dontaudit_read_shadow(chfn_t)
+
# can exec /sbin/unix_chkpwd
corecmd_search_bin(chfn_t)
corecmd_search_sbin(chfn_t)
@@ -117,31 +120,23 @@ miscfiles_read_localization(chfn_t)
logging_send_syslog_msg(chfn_t)
-auth_domtrans_chk_passwd(chfn_t)
-auth_dontaudit_read_shadow(chfn_t)
+# uses unix_chkpwd for checking passwords
+seutil_dontaudit_search_config(chfn_t)
userdom_use_unpriv_users_fd(chfn_t)
+# user generally runs this from their home directory, so do not audit a search
+# on user home dir
+userdom_dontaudit_search_all_users_home(chfn_t)
optional_policy(`nis.te',`
nis_use_ypbind(chfn_t)
')
ifdef(`TODO',`
-ifdef(`firstboot.te',`
-domain_auto_trans(firstboot_t, chfn_exec_t, chfn_t)
-')
-
ifdef(`gnome-pty-helper.te', `allow chfn_t gphdomain:fd use;')
# allow checking if a shell is executable
allow chfn_t shell_exec_t:file execute;
-
-# user generally runs this from their home directory, so do not audit a search
-# on user home dir
-dontaudit chfn_t { user_home_dir_type user_home_type }:dir search;
-
-# uses unix_chkpwd for checking passwords
-dontaudit chfn_t selinux_config_t:dir search;
') dnl endif TODO
########################################
@@ -180,16 +175,11 @@ libs_use_shared_libs(crack_t)
logging_send_syslog_msg(crack_t)
-ifdef(`TODO',`
-ifdef(`crond.te', `
-domain_auto_trans(system_crond_t, crack_exec_t, crack_t)
-allow crack_t crond_t:fifo_file rw_file_perms;
-allow crack_t crond_t:fd use;
-allow crack_t crond_t:process sigchld;
-')
+userdom_dontaudit_search_sysadm_home_dir(crack_t)
-dontaudit crack_t sysadm_home_dir_t:dir { getattr search };
-') dnl endif TODO
+optional_policy(`cron.te',`
+ cron_system_entry(crack_t,crack_exec_t)
+')
########################################
#
@@ -250,6 +240,8 @@ auth_rw_lastlog(groupadd_t)
seutil_read_config(groupadd_t)
userdom_use_unpriv_users_fd(groupadd_t)
+# for when /root is the cwd
+userdom_dontaudit_search_sysadm_home_dir(groupadd_t)
optional_policy(`nis.te',`
nis_use_ypbind(groupadd_t)
@@ -265,15 +257,11 @@ optional_policy(`rpm.te',`
')
ifdef(`TODO',`
-
# Update /etc/shadow and /etc/passwd
allow groupadd_t { etc_t shadow_t }:file { relabelfrom relabelto };
# Access terminals.
ifdef(`gnome-pty-helper.te', `allow groupadd_t gphdomain:fd use;')
-
-# for when /root is the cwd
-dontaudit groupadd_t sysadm_home_dir_t:dir search;
') dnl end TODO
########################################
@@ -314,6 +302,8 @@ selinux_compute_create_context(passwd_t)
selinux_compute_relabel_context(passwd_t)
selinux_compute_user_contexts(passwd_t)
+auth_manage_shadow(passwd_t)
+
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_script_pid(passwd_t)
@@ -323,6 +313,7 @@ domain_use_wide_inherit_fd(passwd_t)
files_read_etc_runtime_files(passwd_t)
files_manage_etc_files(passwd_t)
files_search_var(passwd_t)
+files_dontaudit_search_pids(passwd_t)
libs_use_ld_so(passwd_t)
libs_use_shared_libs(passwd_t)
@@ -331,20 +322,18 @@ logging_send_syslog_msg(passwd_t)
miscfiles_read_localization(passwd_t)
-auth_manage_shadow(passwd_t)
+seutil_dontaudit_search_config(passwd_t)
userdom_use_unpriv_users_fd(passwd_t)
+# user generally runs this from their home directory, so do not audit a search
+# on user home dir
+userdom_dontaudit_search_all_users_home(passwd_t)
optional_policy(`nis.te',`
nis_use_ypbind(passwd_t)
')
ifdef(`TODO',`
-
-ifdef(`firstboot.te',`
-domain_auto_trans(firstboot_t, passwd_exec_t, passwd_t)
-')
-
# Update /etc/shadow and /etc/passwd
allow passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
@@ -354,18 +343,10 @@ ifdef(`gnome-pty-helper.te', `allow passwd_t gphdomain:fd use;')
# allow checking if a shell is executable
allow passwd_t shell_exec_t:file execute;
-# user generally runs this from their home directory, so do not audit a search
-# on user home dir
-dontaudit passwd_t { user_home_dir_type user_home_type }:dir search;
-
# make sure that getcon succeeds
allow passwd_t userdomain:dir search;
allow passwd_t userdomain:file read;
allow passwd_t userdomain:process getattr;
-
-dontaudit passwd_t selinux_config_t:dir search;
-
-dontaudit passwd_t var_run_t:dir search;
') dnl endif TODO
########################################
@@ -424,6 +405,8 @@ domain_use_wide_inherit_fd(sysadm_passwd_t)
files_manage_etc_files(sysadm_passwd_t)
files_read_etc_runtime_files(sysadm_passwd_t)
+# for nscd lookups
+files_dontaudit_search_pids(sysadm_passwd_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
@@ -436,7 +419,12 @@ miscfiles_read_localization(sysadm_passwd_t)
logging_send_syslog_msg(sysadm_passwd_t)
+seutil_dontaudit_search_config(sysadm_passwd_t)
+
userdom_use_unpriv_users_fd(sysadm_passwd_t)
+# user generally runs this from their home directory, so do not audit a search
+# on user home dir
+userdom_dontaudit_search_all_users_home(sysadm_passwd_t)
optional_policy(`nis.te',`
nis_use_ypbind(sysadm_passwd_t)
@@ -452,20 +440,9 @@ ifdef(`gnome-pty-helper.te', `allow sysadm_passwd_t gphdomain:fd use;')
# allow checking if a shell is executable
allow sysadm_passwd_t shell_exec_t:file execute;
-# user generally runs this from their home directory, so do not audit a search
-# on user home dir
-dontaudit sysadm_passwd_t { user_home_dir_type user_home_type }:dir search;
-
# Update /etc/shadow and /etc/passwd
allow sysadm_passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
-# for vipw - vi looks in the root home directory for config
-dontaudit sysadm_passwd_t sysadm_home_dir_t:dir { getattr search };
-
-# for nscd lookups
-dontaudit sysadm_passwd_t var_run_t:dir search;
-
-dontaudit sysadm_passwd_t selinux_config_t:dir search;
ifdef(`targeted_policy', `
role system_r types sysadm_passwd_t;
allow sysadm_passwd_t devpts_t:chr_file rw_file_perms;
@@ -534,6 +511,12 @@ seutil_read_config(useradd_t)
seutil_read_file_contexts(useradd_t)
userdom_use_unpriv_users_fd(useradd_t)
+# for when /root is the cwd
+userdom_dontaudit_search_sysadm_home_dir(useradd_t)
+# Add/remove user home directories
+userdom_create_user_home_dir(useradd_t)
+userdom_manage_user_home_dir(useradd_t)
+userdom_create_user_home(useradd_t,notdevfile_class_set)
mta_manage_spool(useradd_t)
@@ -551,21 +534,12 @@ optional_policy(`rpm.te',`
')
ifdef(`TODO',`
-
# Update /etc/shadow and /etc/passwd
allow useradd_t { etc_t shadow_t }:file { relabelfrom relabelto };
# Access terminals.
ifdef(`gnome-pty-helper.te', `allow useradd_t gphdomain:fd use;')
-# for when /root is the cwd
-dontaudit useradd_t sysadm_home_dir_t:dir search;
-
-# Add/remove user home directories
-file_type_auto_trans(useradd_t, home_root_t, user_home_dir_t, dir)
-file_type_auto_trans(useradd_t, user_home_dir_t, user_home_t)
-
# /var/mail is a link to /var/spool/mail
allow useradd_t mail_spool_t:lnk_file read;
-
') dnl end TODO
diff --git a/refpolicy/policy/modules/admin/vpn.te b/refpolicy/policy/modules/admin/vpn.te
index 0eba8d1..b95df4e 100644
--- a/refpolicy/policy/modules/admin/vpn.te
+++ b/refpolicy/policy/modules/admin/vpn.te
@@ -96,6 +96,7 @@ sysnet_create_config(vpnc_t)
sysnet_manage_config(vpnc_t)
userdom_use_all_user_fd(vpnc_t)
+userdom_dontaudit_search_all_users_home(vpnc_t)
optional_policy(`mount.te',`
mount_send_nfs_client_request(vpnc_t)
@@ -108,7 +109,3 @@ optional_policy(`nis.te',`
optional_policy(`nscd.te',`
nscd_use_socket(vpnc_t)
')
-
-ifdef(`TODO',`
-dontaudit vpnc_t user_home_dir_type:dir search;
-')
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index e642b2a..6689e65 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -98,6 +98,8 @@ template(`cron_per_userdomain_template',`
fs_getattr_all_fs($1_crond_t)
domain_exec_all_entry_files($1_crond_t)
+ # quiet other ps operations
+ domain_dontaudit_read_all_domains_state($1_crond_t)
files_read_usr_files($1_crond_t)
files_exec_etc_files($1_crond_t)
@@ -113,6 +115,8 @@ template(`cron_per_userdomain_template',`
libs_exec_ld_so($1_crond_t)
files_read_etc_runtime_files($1_crond_t)
+ files_read_var_files($1_crond_t)
+ files_search_spool($1_crond_t)
logging_search_logs($1_crond_t)
@@ -126,6 +130,13 @@ template(`cron_per_userdomain_template',`
userdom_manage_user_tmp_sockets($1,$1_crond_t)
# Run scripts in user home directory and access shared libs.
userdom_exec_user_home_files($1,$1_crond_t)
+ # Access user files and dirs.
+# userdom_manage_user_home_subdir_dirs($1,$1_crond_t)
+ userdom_manage_user_home_subdir_files($1,$1_crond_t)
+ userdom_manage_user_home_subdir_symlinks($1,$1_crond_t)
+ userdom_manage_user_home_subdir_pipes($1,$1_crond_t)
+ userdom_manage_user_home_subdir_sockets($1,$1_crond_t)
+# userdom_create_user_home($1,$1_crond_t,notdevfile_class_set)
tunable_policy(`fcron_crond', `
allow crond_t $1_cron_spool_t:file create_file_perms;
@@ -136,9 +147,6 @@ template(`cron_per_userdomain_template',`
')
ifdef(`TODO',`
- # Access user files and dirs.
- file_type_auto_trans($1_crond_t, $1_home_dir_t, $1_home_t)
-
allow $1_crond_t tmp_t:dir rw_dir_perms;
type_transition $1_crond_t $1_tmp_t:{ file lnk_file sock_file fifo_file } $1_tmp_t;
@@ -150,13 +158,6 @@ template(`cron_per_userdomain_template',`
dontaudit $1_mail_t crond_t:fifo_file write;
allow mta_user_agent $1_crond_t:fd use;
')
-
- allow $1_crond_t var_spool_t:dir search;
- allow $1_crond_t var_t:dir r_dir_perms;
- allow $1_crond_t var_t:file r_file_perms;
-
- # quiet other ps operations
- dontaudit $1_crond_t domain:dir { getattr search };
') dnl endif TODO
##############################
@@ -171,6 +172,12 @@ template(`cron_per_userdomain_template',`
allow $1_crontab_t $2:fifo_file rw_file_perms;
allow $1_crontab_t $2:process sigchld;
+ # crontab shows up in user ps
+ allow $2 $1_crontab_t:dir { search getattr read };
+ allow $2 $1_crontab_t:{ file lnk_file } { read getattr };
+ allow $2 $1_crontab_t:process getattr;
+ dontaudit $2 $1_crontab_t:process ptrace;
+
# for ^Z
allow $2 $1_crontab_t:process signal;
@@ -229,15 +236,10 @@ template(`cron_per_userdomain_template',`
')
ifdef(`TODO',`
- can_ps($1_t, $1_crontab_t)
-
- dontaudit $1_crontab_t proc_t:dir search;
-
allow $1_crond_t tmp_t:dir rw_dir_perms;
type_transition $1_crond_t $1_tmp_t:{ file dir } $1_tmp_t;
# Read user crontabs
- allow $1_crontab_t { $1_home_t $1_home_dir_t }:dir r_dir_perms;
dontaudit $1_crontab_t $1_home_dir_t:dir write;
# Inherit and use descriptors from gnome-pty-helper.
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index c8f3573..214eb03 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -13,7 +13,7 @@ files_type(anacron_exec_t)
type cron_spool_t;
files_type(cron_spool_t)
-type crond_t; #, privmail
+type crond_t;
type crond_exec_t;
init_daemon_domain(crond_t,crond_exec_t)
domain_wide_inherit_fd(crond_t)
@@ -31,7 +31,7 @@ files_type(crontab_exec_t)
type system_cron_spool_t, cron_spool_type;
files_type(system_cron_spool_t)
-type system_crond_t; #, privmail
+type system_crond_t;
init_daemon_domain(system_crond_t,anacron_exec_t)
corecmd_shell_entry_type(system_crond_t)
role system_r types system_crond_t;
@@ -100,6 +100,9 @@ domain_use_wide_inherit_fd(crond_t)
files_read_etc_files(crond_t)
files_read_generic_spools(crond_t)
+# Read from /var/spool/cron.
+files_search_var_lib(crond_t)
+files_search_default(crond_t)
init_use_fd(crond_t)
init_use_script_pty(crond_t)
@@ -117,6 +120,8 @@ miscfiles_read_localization(crond_t)
userdom_use_unpriv_users_fd(crond_t)
+mta_send_mail(crond_t)
+
ifdef(`distro_redhat', `
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
@@ -169,10 +174,6 @@ optional_policy(`rhgb.te', `
rhgb_domain(crond_t)
')
-# Read from /var/spool/cron.
-allow crond_t var_lib_t:dir search;
-allow crond_t default_t:dir search;
-
# crond tries to search /root. Not sure why.
allow crond_t sysadm_home_dir_t:dir r_dir_perms;
@@ -257,6 +258,8 @@ corecmd_exec_bin(system_crond_t)
corecmd_exec_sbin(system_crond_t)
domain_exec_all_entry_files(system_crond_t)
+# quiet other ps operations
+domain_dontaudit_read_all_domains_state(system_crond_t)
files_exec_etc_files(system_crond_t)
files_read_etc_files(system_crond_t)
@@ -296,6 +299,8 @@ miscfiles_manage_man_pages(system_crond_t)
seutil_read_config(system_crond_t)
+mta_send_mail(system_crond_t)
+
ifdef(`distro_redhat', `
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
@@ -342,9 +347,6 @@ optional_policy(`squid.te',`
ifdef(`TODO',`
dontaudit userdomain system_crond_t:fd use;
-# quiet other ps operations
-dontaudit system_crond_t domain:dir { getattr search };
-
# Do not audit attempts to search unlabeled directories (e.g. slocate).
dontaudit system_crond_t unlabeled_t:dir r_dir_perms;
dontaudit system_crond_t unlabeled_t:file r_file_perms;
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index 12869b9..25db7d4 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -6,7 +6,7 @@ policy_module(inetd,1.0)
# Declarations
#
-type inetd_t; # ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')
+type inetd_t;
type inetd_exec_t;
init_daemon_domain(inetd_t,inetd_exec_t)
@@ -127,6 +127,11 @@ optional_policy(`mount.te',`
mount_send_nfs_client_request(inetd_t)
')
+# Communicate with the portmapper.
+optional_policy(`portmap.te',`
+ portmap_udp_sendto(inetd_t)
+')
+
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(inetd_t)
')
@@ -146,13 +151,9 @@ ifdef(`unlimitedInetd', `
')
ifdef(`TODO',`
-
optional_policy(`rhgb.te',`
rhgb_domain(inetd_t)
')
-
-# Communicate with the portmapper.
-ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
') dnl TODO
########################################
diff --git a/refpolicy/policy/modules/services/kerberos.te b/refpolicy/policy/modules/services/kerberos.te
index da1ded3..27fac58 100644
--- a/refpolicy/policy/modules/services/kerberos.te
+++ b/refpolicy/policy/modules/services/kerberos.te
@@ -145,9 +145,6 @@ ifdef(`TODO',`
optional_policy(`rhgb.te',`
rhgb_domain(kadmind_t)
')
-
-# cjp: not sure, but I think this has no effect
-can_tcp_connect(kerberos_admin_port_t, kadmind_t)
') dnl end TODO
########################################
@@ -250,9 +247,4 @@ optional_policy(`rhgb.te',`
# Allow user programs to talk to KDC
allow krb5kdc_t userdomain:udp_socket recvfrom;
allow userdomain krb5kdc_t:udp_socket recvfrom;
-
-# cjp: not sure, but I think these have no effect
-can_udp_send(kerberos_port_t, krb5kdc_t)
-can_udp_send(krb5kdc_t, kerberos_port_t)
-can_tcp_connect(kerberos_port_t, krb5kdc_t)
') dnl end TODO
diff --git a/refpolicy/policy/modules/services/ldap.if b/refpolicy/policy/modules/services/ldap.if
index 833e02c..2f3b0ea 100644
--- a/refpolicy/policy/modules/services/ldap.if
+++ b/refpolicy/policy/modules/services/ldap.if
@@ -35,3 +35,21 @@ interface(`ldap_read_config',`
files_search_etc($1)
allow $1 slapd_etc_t:file { getattr read };
')
+
+########################################
+##
+## Use LDAP over TCP connection.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`ldap_use',`
+ gen_require(`
+ type slapd_t;
+ ')
+
+ allow $1 slapd_t:tcp_socket { connectto recvfrom };
+ allow slapd_t $1:tcp_socket { acceptfrom recvfrom };
+ kernel_tcp_recvfrom($1)
+')
diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te
index e55e70d..18ec509 100644
--- a/refpolicy/policy/modules/services/ldap.te
+++ b/refpolicy/policy/modules/services/ldap.te
@@ -59,6 +59,7 @@ files_create_pid(slapd_t,slapd_var_run_t)
kernel_read_system_state(slapd_t)
kernel_read_kernel_sysctl(slapd_t)
+kernel_tcp_recvfrom(slapd_t)
corenet_tcp_sendrecv_all_if(slapd_t)
corenet_udp_sendrecv_all_if(slapd_t)
@@ -124,7 +125,4 @@ r_dir_file(slapd_t, cert_t)
optional_policy(`rhgb.te',`
rhgb_domain(slapd_t)
')
-# allow any domain to connect to the LDAP server
-# cjp: how does this relate to the old can_ldap() macro?
-can_tcp_connect(domain, slapd_t)
') dnl end TODO
diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te
index abb9b6e..0e5f6f7 100644
--- a/refpolicy/policy/modules/services/nscd.te
+++ b/refpolicy/policy/modules/services/nscd.te
@@ -2,7 +2,7 @@
policy_module(nscd,1.0)
gen_require(`
- class nscd { admin getstat };
+ class nscd all_nscd_perms;
')
########################################
diff --git a/refpolicy/policy/modules/services/rshd.te b/refpolicy/policy/modules/services/rshd.te
index 717ac4a..ba7c21b 100644
--- a/refpolicy/policy/modules/services/rshd.te
+++ b/refpolicy/policy/modules/services/rshd.te
@@ -86,7 +86,4 @@ ifdef(`TODO',`
optional_policy(`rlogind.te', `
allow rshd_t rlogind_tmp_t:file rw_file_perms;
')
-
-allow rshd_t selinux_config_t:lnk_file { getattr read };
-allow rshd_t default_context_t:lnk_file { getattr read };
')
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index 03bc86d..b73bd1d 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -21,6 +21,7 @@ files_type(samba_log_t)
type samba_net_t;
domain_type(samba_net_t)
+role system_r types samba_net_t;
type samba_net_exec_t;
domain_entry_file(samba_net_t,samba_net_exec_t)
@@ -126,7 +127,6 @@ optional_policy(`nscd.te',`
')
ifdef(`TODO',`
-role system_r types samba_net_t;
in_user_role(samba_net_t)
')
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 1e34ffc..5afaeea 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -32,13 +32,6 @@ template(`authlogin_per_userdomain_template',`
gen_require(`
attribute can_read_shadow_passwords;
type chkpwd_exec_t, system_chkpwd_t, shadow_t;
- class file rx_file_perms;
- class process { getattr transition sigchld };
- class capability setuid;
- class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
- class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
- class fd use;
- class fifo_file rw_file_perms;
')
type $1_chkpwd_t, can_read_shadow_passwords;
@@ -63,6 +56,8 @@ template(`authlogin_per_userdomain_template',`
allow $1_chkpwd_t $2:fifo_file rw_file_perms;
allow $1_chkpwd_t $2:process sigchld;
+ dontaudit $2 shadow_t:file { getattr read };
+
# is_selinux_enabled
kernel_read_system_state($1_chkpwd_t)
@@ -114,7 +109,6 @@ template(`authlogin_per_userdomain_template',`
ifdef(`TODO',`
can_winbind($1)
r_dir_file($1, cert_t)
- dontaudit $1 shadow_t:file { getattr read };
')
')
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 6e5af0f..5da415f 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -71,6 +71,11 @@ interface(`domain_type',`
unconfined_sigchld($1)
')
+ # allow any domain to connect to the LDAP server
+ optional_policy(`ldap.te',`
+ ldap_use($1)
+ ')
+
# this seems highly questionable:
optional_policy(`rpm.te',`
rpm_use_fd($1)
@@ -131,6 +136,24 @@ interface(`domain_dyntrans_type',`
########################################
##
+## Makes caller and execption to the constraint
+## preventing changing to the system user
+## identity and system role.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`domain_system_change_exempt',`
+ gen_require(`
+ attribute can_system_change;
+ ')
+
+ typeattribute $1 can_system_change;
+')
+
+########################################
+##
## Makes caller an exception to the constraint preventing
## changing of user identity.
##
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 514724b..10118fe 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -78,6 +78,8 @@ corecmd_exec_shell(hotplug_t)
corecmd_exec_sbin(hotplug_t)
domain_use_wide_inherit_fd(hotplug_t)
+# for ps
+domain_dontaudit_read_all_domains_state(hotplug_t)
files_read_etc_files(hotplug_t)
files_manage_etc_runtime_files(hotplug_t)
@@ -187,16 +189,9 @@ optional_policy(`rhgb.te',`
rhgb_domain(hotplug_t)
')
-# for ps
-dontaudit hotplug_t domain:dir { getattr search };
dontaudit hotplug_t { init_t kernel_t }:file read;
optional_policy(`hald.te', `
allow hotplug_t hald_t:unix_dgram_socket sendto;
')
-
-# this block goes to hald:
-optional_policy(`hotplug.te',`
- hotplug_read_config(hald_t)
-')
') dnl end TODO
diff --git a/refpolicy/policy/modules/system/raid.te b/refpolicy/policy/modules/system/raid.te
index 5a0665c..f65de87 100644
--- a/refpolicy/policy/modules/system/raid.te
+++ b/refpolicy/policy/modules/system/raid.te
@@ -6,7 +6,7 @@ policy_module(raid,1.0)
# Declarations
#
-type mdadm_t; # privmail
+type mdadm_t;
type mdadm_exec_t;
init_daemon_domain(mdadm_t,mdadm_exec_t)
role system_r types mdadm_t;
@@ -67,6 +67,8 @@ miscfiles_read_localization(mdadm_t)
userdom_dontaudit_use_unpriv_user_fd(mdadm_t)
userdom_dontaudit_use_sysadm_tty(mdadm_t)
+mta_send_mail(mdadm_t)
+
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_tty(mdadm_t)
term_dontaudit_use_generic_pty(mdadm_t)