diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index c524171..698b763 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -161,6 +161,8 @@ storage_raw_read_removable_device(nfsd_t)
 # Read access to public_content_t and public_content_rw_t
 miscfiles_read_public_files(nfsd_t)
 
+userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
+
 # Write access to public_content_t and public_content_rw_t
 tunable_policy(`allow_nfsd_anon_write',`
 miscfiles_manage_public_files(nfsd_t)
@@ -173,7 +175,6 @@ tunable_policy(`nfs_export_all_rw',`
 fs_read_noxattr_fs_files(nfsd_t)
 auth_manage_all_files_except_shadow(nfsd_t)
 ')
-userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
 
 tunable_policy(`nfs_export_all_ro',`
 dev_getattr_all_blk_files(nfsd_t)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 135bb1b..f03a8ce 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -45,10 +45,6 @@ init_script_file(sshd_initrc_exec_t)
 type sshd_key_t;
 files_type(sshd_key_t)
 
-ifdef(`enable_mcs',`
- init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
-')
-
 type ssh_t;
 type ssh_exec_t;
 typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
@@ -83,6 +79,10 @@ typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_ho
 typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
 userdom_user_home_content(ssh_home_t)
 
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
+')
+
 ##############################
 #
 # SSH client local policy
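Review bot: The filetrans rule now placed after `miscfiles_read_public_files(nfsd_t)` is unconditional, while the only home-directory write access visible for nfsd_t in this diff is `auth_manage_all_files_except_shadow(nfsd_t)` inside the `nfs_export_all_rw` tunable in the next hunk, and it now sits under a comment that announces read access. A file transition only matters once nfsd is allowed to create in a user home directory, so if that is only ever true with the tunable on, the rule arguably belongs in that block; if it is meant to stay unconditional, say so where it now lives, e.g. `# Label anything nfsd creates in a user home dir as user home content, independent of nfs_export_all_rw`. Whether other rules outside this diff already grant nfsd_t home-directory writes cannot be seen here.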
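Review bot: The relocated `enable_mcs` block that ranges sshd_t now sits after `userdom_user_home_content(ssh_home_t)`, among the ssh client type declarations and directly before the "SSH client local policy" header, which is not where a reader looking for sshd_t's daemon setup will expect it. Keeping it next to the sshd_t declarations, or at least prefixing it with `# sshd runs as a ranged daemon domain when MCS is enabled`, would keep the server and client declarations distinguishable.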
@@ -296,15 +296,17 @@ term_use_ptmx(sshd_t)
 corenet_tcp_bind_xserver_port(sshd_t)
 corenet_sendrecv_xserver_server_packets(sshd_t)
 
-tunable_policy(`sshd_forward_ports',`
- corenet_tcp_bind_all_unreserved_ports(sshd_t)
- corenet_tcp_connect_all_ports(sshd_t)
-')
-
 userdom_read_user_home_content_files(sshd_t)
 userdom_read_user_home_content_symlinks(sshd_t)
 userdom_search_admin_dir(sshd_t)
 userdom_manage_tmp_role(system_r, sshd_t)
+userdom_spec_domtrans_unpriv_users(sshd_t)
+userdom_signal_unpriv_users(sshd_t)
+
+tunable_policy(`sshd_forward_ports',`
+ corenet_tcp_bind_all_unreserved_ports(sshd_t)
+ corenet_tcp_connect_all_ports(sshd_t)
+')
 
 tunable_policy(`ssh_sysadm_login',`
 # Relabel and access ptys created by sshd
@@ -314,9 +316,6 @@ tunable_policy(`ssh_sysadm_login',`
 userdom_signal_all_users(sshd_t)
 ')
 
-userdom_spec_domtrans_unpriv_users(sshd_t)
-userdom_signal_unpriv_users(sshd_t)
-
 optional_policy(`
 daemontools_service_domain(sshd_t, sshd_exec_t)
 ')
diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
index abd06df..9cc4d7d 100644
--- a/policy/modules/services/stunnel.te
+++ b/policy/modules/services/stunnel.te
@@ -8,12 +8,6 @@ policy_module(stunnel, 1.9.1)
 type stunnel_t;
 type stunnel_exec_t;
 
-ifdef(`distro_gentoo',`
- init_daemon_domain(stunnel_t, stunnel_exec_t)
-',`
- inetd_tcp_service_domain(stunnel_t, stunnel_exec_t)
-')
-
 type stunnel_etc_t;
 files_config_file(stunnel_etc_t)
 
@@ -23,6 +17,12 @@ files_tmp_file(stunnel_tmp_t)
 type stunnel_var_run_t;
 files_pid_file(stunnel_var_run_t)
 
+ifdef(`distro_gentoo',`
+ init_daemon_domain(stunnel_t, stunnel_exec_t)
+',`
+ inetd_tcp_service_domain(stunnel_t, stunnel_exec_t)
+')
+
 ########################################
 #
 # Local policy
diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te
index fcdde4c..d9d8e18 100644
--- a/policy/modules/services/telnet.te
+++ b/policy/modules/services/telnet.te
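Review bot: `userdom_spec_domtrans_unpriv_users(sshd_t)` and `userdom_signal_unpriv_users(sshd_t)` are now unconditional lines in the userdom group directly above the `sshd_forward_ports` block, while the corresponding admin-session rule `userdom_signal_all_users(sshd_t)` sits under `tunable_policy(`ssh_sysadm_login',`, and nothing records that asymmetry. A one-line comment above the pair, `# Sessions for unprivileged users are always permitted; sysadm sessions are gated by ssh_sysadm_login below`, would put the explanation where someone auditing sshd's domain transitions will look. The sshd_t policy block continues outside the hunk.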
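Review bot: The `distro_gentoo` ifdef moved in after `files_pid_file(stunnel_var_run_t)` selects between two different exposure models for stunnel_t, a standalone init daemon via `init_daemon_domain` on Gentoo versus an inetd-spawned service via `inetd_tcp_service_domain` everywhere else, and it arrives at its new location without a comment. Add `# Gentoo starts stunnel from init; other distros spawn it from inetd` above the block so the reason for the distro split is visible where the domain is defined.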
@@ -83,11 +83,6 @@ userdom_setattr_user_ptys(telnetd_t)
 userdom_manage_user_tmp_files(telnetd_t)
 userdom_tmp_filetrans_user_tmp(telnetd_t, file)
 
-optional_policy(`
- kerberos_keytab_template(telnetd, telnetd_t)
- kerberos_manage_host_rcache(telnetd_t)
-')
-
 tunable_policy(`use_nfs_home_dirs',`
 fs_search_nfs(telnetd_t)
 ')
@@ -95,3 +90,9 @@ tunable_policy(`use_nfs_home_dirs',`
 tunable_policy(`use_samba_home_dirs',`
 fs_search_cifs(telnetd_t)
 ')
+
+optional_policy(`
+ kerberos_keytab_template(telnetd, telnetd_t)
+ kerberos_manage_host_rcache(telnetd_t)
+')
+
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index b8d770d..3812d23 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -358,6 +358,8 @@ userdom_use_user_terminals(xauth_t)
 userdom_read_user_tmp_files(xauth_t)
 userdom_read_all_users_state(xauth_t)
 
+xserver_rw_xdm_tmp_files(xauth_t)
+
 ifdef(`hide_broken_symptoms',`
 fs_dontaudit_rw_anon_inodefs_files(xauth_t)
 fs_dontaudit_list_inotifyfs(xauth_t)
@@ -367,8 +369,6 @@ ifdef(`hide_broken_symptoms',`
 miscfiles_read_fonts(xauth_t)
 ')
 
-xserver_rw_xdm_tmp_files(xauth_t)
-
 tunable_policy(`use_nfs_home_dirs',`
 fs_manage_nfs_files(xauth_t)
 fs_read_nfs_symlinks(xauth_t)
@@ -651,6 +651,14 @@ application_signal(xdm_t)
 xserver_rw_session(xdm_t, xdm_tmpfs_t)
 xserver_unconfined(xdm_t)
 
+ifndef(`distro_redhat',`
+ allow xdm_t self:process { execheap execmem };
+')
+
+ifdef(`distro_rhel4',`
+ allow xdm_t self:process { execheap execmem };
+')
+
 tunable_policy(`use_nfs_home_dirs',`
 fs_manage_nfs_dirs(xdm_t)
 fs_manage_nfs_files(xdm_t)
@@ -815,14 +823,6 @@ optional_policy(`
 unconfined_signal(xdm_t)
 ')
 
-ifndef(`distro_redhat',`
- allow xdm_t self:process { execheap execmem };
-')
-
-ifdef(`distro_rhel4',`
- allow xdm_t self:process { execheap execmem };
-')
-
 optional_policy(`
 userhelper_dontaudit_search_config(xdm_t)
 ')
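Review bot: The kerberos `optional_policy` block moved to the end of telnet.te is followed by an added empty `+` line, leaving a trailing blank line at end of file; the other blocks in this hunk are separated by a single blank line and nothing follows the closing `')`, so the final `+` should be dropped. Since the block is being touched anyway, a comment above `optional_policy(\`` naming what the two kerberos macros grant telnetd_t (keytab access via `kerberos_keytab_template` and, presumably, the host replay cache via `kerberos_manage_host_rcache`) would make the dependency on kerberos self-explanatory.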
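Review bot: The two blocks placed after `xserver_unconfined(xdm_t)` grant xdm_t `execheap execmem` unconditionally on every non-Red Hat distro and on RHEL4, with no comment on why the display manager needs writable-and-executable memory, while the same relaxation for xserver_t later in this file is gated by the `allow_xserver_execmem` tunable (visible in the last hunk of xserver.te). That asymmetry is worth either explaining or removing, because it silently weakens the W^X posture of xdm_t on those builds. At minimum add, above the first `ifndef`, `# TODO(review): document which xdm build needs execheap/execmem here, and whether it should be gated like allow_xserver_execmem`.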
@@ -1142,10 +1142,6 @@ userdom_read_all_users_state(xserver_t)
 
 xserver_use_user_fonts(xserver_t)
 
-optional_policy(`
- userhelper_search_config(xserver_t)
-')
-
 tunable_policy(`use_nfs_home_dirs',`
 fs_manage_nfs_dirs(xserver_t)
 fs_manage_nfs_files(xserver_t)
@@ -1175,6 +1171,10 @@ optional_policy(`
 rhgb_rw_tmpfs_files(xserver_t)
 ')
 
+optional_policy(`
+ userhelper_search_config(xserver_t)
+')
+
 ########################################
 #
 # Rules common to all X window domains
@@ -1281,6 +1281,22 @@ allow x_domain xserver_t:x_screen getattr;
 # Rules for unconfined access to this module
 #
 
+allow xserver_unconfined_type xserver_t:x_server *;
+allow xserver_unconfined_type xdrawable_type:x_drawable *;
+allow xserver_unconfined_type xserver_t:x_screen *;
+allow xserver_unconfined_type x_domain:x_gc *;
+allow xserver_unconfined_type xcolormap_type:x_colormap *;
+allow xserver_unconfined_type xproperty_type:x_property *;
+allow xserver_unconfined_type xselection_type:x_selection *;
+allow xserver_unconfined_type x_domain:x_cursor *;
+allow xserver_unconfined_type x_domain:x_client *;
+allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
+allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
+allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
+allow xserver_unconfined_type xextension_type:x_extension *;
+allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
+allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
+
 tunable_policy(`! xserver_object_manager',`
 # should be xserver_unconfined(x_domain),
 # but typeattribute doesnt work in conditionals
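Review bot: The fifteen wildcard `allow xserver_unconfined_type …:… *;` rules now sit directly under the "Rules for unconfined access to this module" header and right above the `! xserver_object_manager` tunable, whose comment explains that x_domain gets a copy of these rules only because typeattribute cannot be used in a conditional; the unconditional group itself carries no comment, so a reader cannot tell at a glance that these grants apply regardless of the tunable. Add `# xserver_unconfined_type: every permission on every X object class, independent of xserver_object_manager` above the first `allow` so the two groups are distinguishable when auditing who can bypass the X object manager.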
@@ -1302,31 +1318,6 @@ tunable_policy(`! xserver_object_manager',`
 allow x_domain xevent_type:{ x_event x_synthetic_event } *;
 ')
 
-allow xserver_unconfined_type xserver_t:x_server *;
-allow xserver_unconfined_type xdrawable_type:x_drawable *;
-allow xserver_unconfined_type xserver_t:x_screen *;
-allow xserver_unconfined_type x_domain:x_gc *;
-allow xserver_unconfined_type xcolormap_type:x_colormap *;
-allow xserver_unconfined_type xproperty_type:x_property *;
-allow xserver_unconfined_type xselection_type:x_selection *;
-allow xserver_unconfined_type x_domain:x_cursor *;
-allow xserver_unconfined_type x_domain:x_client *;
-allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
-allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
-allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
-allow xserver_unconfined_type xextension_type:x_extension *;
-allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
-allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
-
-optional_policy(`
- unconfined_rw_shm(xserver_t)
- unconfined_execmem_rw_shm(xserver_t)
-
- # xserver signals unconfined user on startx
- unconfined_signal(xserver_t)
- unconfined_getpgid(xserver_t)
-')
-
 tunable_policy(`allow_xserver_execmem',`
 allow xserver_t self:process { execheap execmem execstack };
 ')
@@ -1347,3 +1338,12 @@ tunable_policy(`use_nfs_home_dirs',`
 tunable_policy(`use_samba_home_dirs',`
 fs_append_cifs_files(xdmhomewriter)
 ')
+
+optional_policy(`
+ unconfined_rw_shm(xserver_t)
+ unconfined_execmem_rw_shm(xserver_t)
+
+ # xserver signals unconfined user on startx
+ unconfined_signal(xserver_t)
+ unconfined_getpgid(xserver_t)
+')