diff --git a/docs/macro_conversion_guide b/docs/macro_conversion_guide
index f01429c..0d6aeb2 100644
--- a/docs/macro_conversion_guide
+++ b/docs/macro_conversion_guide
@@ -301,16 +301,7 @@ optional_policy(`kerberos.te',`
 #
 # can_ldap(): complete
 #
-optional_policy(`ldap.te',`
-	allow $1 self:tcp_socket create_socket_perms;
-	corenet_tcp_sendrecv_all_if($1)
-	corenet_raw_sendrecv_all_if($1)
-	corenet_tcp_sendrecv_all_nodes($1)
-	corenet_raw_sendrecv_all_nodes($1)
-	corenet_tcp_sendrecv_ldap_port($1)
-	corenet_tcp_bind_all_nodes($1)
-	sysnet_read_config($1)
-')
+sysnet_use_ldap($1)
 
 #
 # can_loadpol(): complete
@@ -421,18 +412,14 @@ allow $1 $2:process ptrace;
 allow $2 $1:process sigchld;
 
 #
+# can_portmap():
+#
+sysnet_use_portmap($1)
+
+#
 # can_resolve(): complete
 #
-tunable_policy(`use_dns',`
-	allow $1 self:udp_socket create_socket_perms;
-	corenet_udp_sendrecv_all_if($1)
-	corenet_raw_sendrecv_all_if($1)
-	corenet_udp_sendrecv_all_nodes($1)
-	corenet_raw_sendrecv_all_nodes($1)
-	corenet_udp_sendrecv_dns_port($1)
-	corenet_udp_bind_all_nodes($1)
-	sysnet_read_config($1)
-')
+sysnet_dns_name_resolve($1)
 
 #
 # can_setbool(): complete
@@ -790,7 +777,7 @@ optional_policy(`nscd.te',`
 #
 # legacy_domain(): complete
 #
-allow $1_t self:process execmem;
+allow $1_t self:process { execmem execstack };
 libs_legacy_use_shared_libs($1_t)
 libs_legacy_use_ld_so($1_t)
 
@@ -827,6 +814,30 @@ can_exec($1, $2)
 allow $1 $2:{ sock_file fifo_file } { create ioctl read getattr lock write setattr append link unlink rename };
 
 #
+# polyinstantiater():
+#
+ifdef(`support_polyinstantiation', `
+# Need to give access to /selinux/member
+selinux_compute_member($1)
+# Need sys_admin capability for mounting
+allow $1 self:capability sys_admin;
+# Need to give access to the directories to be polyinstantiated
+allow $1 polydir:dir { getattr mounton add_name create setattr write search };
+# Need to give access to the polyinstantiated subdirectories
+allow $1 polymember:dir {getattr search };
+# Need to give access to parent directories where original
+# is remounted for polyinstantiation aware programs (like gdm)
+allow $1 polyparent:dir { getattr mounton };
+# Need to give permission to create directories where applicable
+allow $1 polymember: dir { create setattr };
+allow $1 polydir: dir { write add_name };
+allow $1 self:process setfscreate;
+allow $1 polyparent:dir { write add_name };
+# Default type for mountpoints
+allow $1 poly_t:dir { create mounton };
+')
+
+#
 # pty_slave_label():
 #
 type $1_devpts_t, file_type, sysadmfile, ptyfile $2;
diff --git a/strict/ChangeLog b/strict/ChangeLog
index 0e38453..20fcfc3 100644
--- a/strict/ChangeLog
+++ b/strict/ChangeLog
@@ -1,3 +1,206 @@
+1.26 2005-09-06
+	* Updated version for release.
+
+1.25.4 2005-08-10
+	* Merged small patches from Russell Coker for the restorecon,
+	kudzu, lvm, radvd, and spamassasin policies.
+	* Added fs_use_trans rule for mqueue from Mark Gebhart to support
+	the work he has done on providing SELinux support for mqueue.
+	* Merged a patch from Dan Walsh. Removes the user_can_mount
+	tunable.  Adds disable_evolution_trans and disable_thunderbird_trans
+	booleans.  Adds the nscd_client_domain attribute to insmod_t.
+	Removes the user_ping boolean from targeted policy.  Adds
+	hugetlbfs, inotifyfs, and mqueue filesystems to genfs_contexts.
+	Adds the isakmp_port for vpnc.  Creates the pptp daemon domain.
+	Allows getty to run sbin_t for pppd.  Allows initrc to write to
+	default_t for booting.  Allows Hotplug_t sys_rawio for prism54
+	card at boot.  Other minor fixes.
+
+1.25.3 2005-07-18
+	* Merged patch from Dan Walsh.  Adds auth_bool attribute to allow
+	domains to have read access to shadow_t.  Creates pppd_can_insmod
+	boolean to control the loading of modem kernel modules.  Allows
+	nfs to export noexattrfile types.  Allows unix_chpwd to access
+	cert files and random devices for encryption purposes.  Other
+	minor cleanups and fixes.
+
+1.25.2 2005-07-11
+	* Merged patch from Dan Walsh.  Added allow_ptrace boolean to
+	allow sysadm_t to ptrace and debug apps.  Gives auth_chkpwd the
+	audit_control and audit_write capabilities.  Stops targeted policy
+	from transitioning from unconfined_t to netutils.  Allows cupsd to
+	audit messages.  Gives prelink the execheap, execmem, and execstack
+	permissions by default.  Adds can_winbind boolean and functions to
+	better handle samba and winbind communications.  Eliminates
+	allow_execmod checks around texrel_shlib_t libraries.  Other minor
+	cleanups and fixes.
+	
+1.25.1 2005-07-05
+	* Moved role_tty_type_change, reach_sysadm, and priv_user macros
+	from user.te to user_macros.te as suggested by Steve.
+	* Modified admin_domain macro so autrace would work and removed
+	privuser attribute for dhcpc as suggested by Russell Coker.
+	* Merged rather large patch from Dan Walsh.  Moves
+	targeted/strict/mls policies closer together.  Adds local.te for
+	users to customize.  Includes minor fixes to auditd, cups,
+	cyrus_imapd, dhcpc, and dovecot.  Includes Russell Coker's patch
+	that defines all ports in network.te.  Ports are always defined
+	now, no ifdefs are used in network.te.  Also includes Ivan
+	Gyurdiev's user home directory policy patches.  These patches add
+	alsa, bonobo, ethereal, evolution, gconf, gnome, gnome_vfs,
+	iceauth, orbit, and thunderbird policy.  They create read_content,
+	write_trusted, and write_untrusted macros in content.te.  They
+	create network_home, write_network_home, read_network_home,
+	base_domain_ro_access, home_domain_access, home_domain, and
+	home_domain_ro macros in home_macros.te.  They also create
+	$3_read_content, $3_write_content, and write_untrusted booleans.
+	
+1.24 2005-06-20
+	* Updated version for release.
+
+1.23.18 2005-05-31
+	* Merged minor fixes to pppd.fc and courier.te by Russell Coker.
+	* Removed devfsd policy as suggested by Russell Coker.
+	* Merged patch from Dan Walsh.  Includes beginnings of Ivan
+	Gyurdiev's Font Config policy.  Don't transition to fsadm_t from
+	unconfined_t (sysadm_t) in targeted policy.  Add support for
+	debugfs in modutil.  Allow automount to create and delete
+	directories in /root and /home dirs.  Move can_ypbind to
+	chkpwd_macro.te.  Allow useradd to create additional files and
+	types via the skell mechanism.  Other minor cleanups and fixes.
+
+1.23.17 2005-05-23
+	* Merged minor fixes by Petre Rodan to the daemontools, dante,
+	gpg, kerberos, and ucspi-tcp policies.
+	* Merged minor fixes by Russell Coker to the bluetooth, crond,
+	initrc, postfix, and udev  policies.  Modifies constraints so that
+	newaliases can be run.  Modifies types.fc so that objects in
+	lost+found directories will not be relabled.
+	* Modified fc rules for nvidia.
+	* Added Chad Sellers policy for polyinstantiation support, which
+	creates the polydir, polyparent, and polymember attributes.  Also
+	added the support_polyinstantiation tunable.
+	* Merged patch from Dan Walsh.  Includes mount_point attribute,
+	read_font macros and some other policy fixes from Ivan Gyurdiev.
+	Adds privkmsg and secadmfile attributes and ddcprobe policy.
+	Removes the use_syslogng boolean.  Many other minor fixes.
+
+1.23.16 2005-05-13
+	* Added rdisc policy from Russell Coker.
+	* Merged minor fix to named policy by Petre Rodan.
+	* Merged minor fixes to policy from Russell Coker for kudzu,
+	named, screen, setfiles, telnet, and xdm.
+	* Merged minor fix to Makefile from Russell Coker.
+
+1.23.15 2005-05-06
+	* Added tripwire and yam policy from David Hampton.
+	* Merged minor fixes to amavid and a clarification to the
+	httpdcontent attribute comments from David Hampton.
+	* Merged patch from Dan Walsh.  Includes fixes for restorecon,
+	games, and postfix from Russell Coker.  Adds support for debugfs.
+	Restores support for reiserfs.  Allows udev to work with tmpfs_t
+	before /dev is labled.  Removes transition from sysadm_t
+	(unconfined_t) to ifconfig_t for the targeted policy.  Other minor
+	cleanups and fixes.
+
+1.23.14 2005-04-29
+	* Added afs policy from Andrew Reisse.
+	* Merged patch from Lorenzo Hernández García-Hierro which defines
+	execstack and execheap permissions.  The patch excludes these
+	permissions from general_domain_access and updates the macros for
+	X, legacy binaries, users, and unconfined domains.
+	* Added nlmsg_relay permisison where netlink_audit_socket class is
+	used.  Added nlmsg_readpriv permission to auditd_t and auditctl_t.
+	* Merged some minor cleanups from Russell Coker and David Hampton.
+	* Merged patch from Dan Walsh.  Many changes made to allow
+	targeted policy to run closer to strict and now almost all of
+	non-userspace is protected via SELinux.  Kernel is now in
+	unconfined_domain for targeted and runs as root:system_r:kernel_t.
+	Added transitionbool to daemon_sub_domain, mainly to turn off
+	httpd_suexec transitioning.  Implemented web_client_domain
+	name_connect rules.  Added yp support for cups.  Now the real
+	hotplug, udev, initial_sid_contexts are used for the targeted
+	policy.  Other minor cleanups and fixes.  Auditd fixes by Paul
+	Moore.
+
+1.23.13 2005-04-22
+	* Merged more changes from Dan Walsh to initrc_t for removal of
+	unconfined_domain.
+	* Merged Dan Walsh's split of auditd policy into auditd_t for the
+	audit daemon and auditctl_t for the autoctl program.
+	* Added use of name_connect to uncond_can_ypbind macro by Dan
+	Walsh.
+	* Merged other cleanup and fixes by Dan Walsh.
+
+1.23.12 2005-04-20
+	* Merged Dan Walsh's Netlink changes to handle new auditing pam
+	modules.
+	* Merged Dan Walsh's patch removing the sysadmfile attribute from
+	policy files to separate sysadm_t from secadm_t.
+	* Added CVS and uucpd policy from Dan Walsh.
+	* Cleanup by Dan Walsh to handle turning off unlimitedRC.
+	* Merged Russell Coker's fixes to ntpd, postgrey, and named
+	policy.
+	* Cleanup of chkpwd_domain and added permissions to su_domain
+	macro due to pam changes to support audit.
+	* Added nlmsg_relay and nlmsg_readpriv permissions to the
+	netlink_audit_socket class.
+
+1.23.11 2005-04-14
+	* Merged Dan Walsh's separation of the security manager and system
+	administrator.
+	* Removed screensaver.te as suggested by Thomas Bleher
+	* Cleanup of typealiases that are no longer used by Thomas Bleher.
+	* Cleanup of fc files and additional rules for SuSE by Thomas
+	Bleher.
+	* Merged changes to auditd and named policy by Russell Coker.
+	* Merged MLS change from Darrel Goeddel to support the policy
+	hierarchy patch.
+
+1.23.10 2005-04-08
+	* Removed pump.te, pump.fc, and targeted/domains/program/modutil.te
+
+1.23.9 2005-04-07
+	* Merged diffs from Dan Walsh.  Includes Ivan Gyurdiev's cleanup
+	of x_client apps.
+	* Added dmidecode policy from Ivan Gyurdiev.
+
+1.23.8 2005-04-05
+	* Added netlink_kobject_uevent_socket class.
+	* Removed empty files pump.te and pump.fc.
+	* Added NetworkManager policy from Dan Walsh.
+	* Merged Dan Walsh's major restructuring of Apache's policy.
+
+1.23.7 2005-04-04
+	* Merged David Hampton's amavis and clamav cleanups.
+	* Added David Hampton's dcc, pyzor, and razor policy.
+	
+1.23.6 2005-04-01
+	* Merged cleanup of the Makefile and other stuff from Dan Walsh.
+	Dan's patch includes some desktop changes from Ivan Gyurdiev.
+	* Merged Thomas Bleher's patches which increase the usage of
+	lock_domain() and etc_domain(), changes var_lib_DOMAIN_t usage to
+	DOMAIN_var_lib_t, and removes use of notdevfile_class_set where
+	possible. 
+	* Merged Greg Norris's cleanup of fetchmail.
+	
+1.23.5 2005-03-23
+	* Added name_connect support from Dan Walsh.
+	* Added httpd_unconfined_t from Dan Walsh.
+	* Merged cleanup of assert.te to allow unresticted full access
+	from Dan Walsh.
+	
+1.23.4 2005-03-21
+	* Merged diffs from Dan Walsh:  
+	* Cleanup of x_client_macro, tvtime, mozilla, and mplayer by Ivan 
+	Gyurdiev.  
+	* Added syslogng support to syslog.te.
+	
+1.23.3 2005-03-15
+	* Added policy for nx_server from Thomas Bleher.
+	* Added policies for clockspeed, daemontools, djbdns, ucspi-tcp, and
+	publicfile from Petre Rodan.
+	
 1.23.2 2005-03-14
 	* Merged diffs from Dan Walsh.  Dan's patch includes Ivan Gyurdiev's 
 	gift policy.
diff --git a/strict/Makefile b/strict/Makefile
index 5a70bc7..fec8c3e 100644
--- a/strict/Makefile
+++ b/strict/Makefile
@@ -60,7 +60,7 @@ POLICYFILES += $(USER_FILES)
 POLICYFILES += constraints
 POLICYFILES += $(DEFCONTEXTFILES)
 CONTEXTFILES = $(DEFCONTEXTFILES)
-POLICY_DIRS = domains/program domains/misc
+POLICY_DIRS = domains domains/program domains/misc macros macros/program
 
 UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)
 
@@ -70,19 +70,19 @@ FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/pro
 CONTEXTFILES += $(FCFILES)
 
 APPDIR=$(CONTEXTPATH)
-APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
+APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types port_types) $(CONTEXTPATH)/files/media
 CONTEXTFILES += $(wildcard appconfig/*_context*) appconfig/media
 
 ROOTFILES = $(addprefix $(APPDIR)/users/,root)
 
 all:  policy
 
-tmp/valid_fc: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH) 
-	@echo "Validating file_contexts ..."	
-	$(SETFILES) -q -c $(LOADPATH) $(FCPATH)
+tmp/valid_fc: $(LOADPATH) $(FC) 
+	@echo "Validating file contexts files ..."	
+	$(SETFILES) -q -c $(LOADPATH) $(FC)
 	@touch tmp/valid_fc
 
-install: tmp/valid_fc $(USERPATH)/local.users
+install: $(FCPATH) $(APPFILES) $(ROOTFILES) $(USERPATH)/local.users
 
 $(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf
 	@mkdir -p $(USERPATH)
@@ -91,61 +91,64 @@ $(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf
 	@echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users
 	@echo "# Please edit local.users to make local changes." >> tmp/system.users
 	@echo "#" >> tmp/system.users
-	m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users
+	@m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users
 	install -m 644 tmp/system.users $@
 
 $(USERPATH)/local.users: local.users
 	@mkdir -p $(USERPATH)
-	install -C -b -m 644 $< $@
+	install -b -m 644 $< $@
 
 $(CONTEXTPATH)/files/media: appconfig/media
-	mkdir -p $(CONTEXTPATH)/files/
+	@mkdir -p $(CONTEXTPATH)/files/
 	install -m 644 $< $@
 
 $(APPDIR)/default_contexts: appconfig/default_contexts
-	mkdir -p $(APPDIR)
+	@mkdir -p $(APPDIR)
 	install -m 644 $< $@
 
 $(APPDIR)/removable_context: appconfig/removable_context
-	mkdir -p $(APPDIR)
+	@mkdir -p $(APPDIR)
 	install -m 644 $< $@
 
 $(APPDIR)/customizable_types: policy.conf
-	mkdir -p $(APPDIR)
+	@mkdir -p $(APPDIR)
 	@grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
 	install -m 644 tmp/customizable_types $@ 
 
+$(APPDIR)/port_types: policy.conf
+	@mkdir -p $(APPDIR)
+	@grep "^type .*port_type" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/port_types
+	install -m 644 tmp/port_types $@ 
+
 $(APPDIR)/default_type: appconfig/default_type
-	mkdir -p $(APPDIR)
+	@mkdir -p $(APPDIR)
 	install -m 644 $< $@
 
 $(APPDIR)/userhelper_context: appconfig/userhelper_context
-	mkdir -p $(APPDIR)
+	@mkdir -p $(APPDIR)
 	install -m 644 $< $@
 
 $(APPDIR)/initrc_context: appconfig/initrc_context
-	mkdir -p $(APPDIR)
+	@mkdir -p $(APPDIR)
 	install -m 644 $< $@
 
 $(APPDIR)/failsafe_context: appconfig/failsafe_context
-	mkdir -p $(APPDIR)
+	@mkdir -p $(APPDIR)
 	install -m 644 $< $@
 
 $(APPDIR)/dbus_contexts: appconfig/dbus_contexts
-	mkdir -p $(APPDIR)
+	@mkdir -p $(APPDIR)
 	install -m 644 $< $@
 
 $(APPDIR)/users/root: appconfig/root_default_contexts
-	mkdir -p $(APPDIR)/users
+	@mkdir -p $(APPDIR)/users
 	install -m 644 $< $@
 
-$(LOADPATH):  policy.conf $(CHECKPOLICY)
-	mkdir -p $(POLICYPATH)
+$(LOADPATH): policy.conf $(CHECKPOLICY) 
+	@echo "Compiling policy ..."
+	@mkdir -p $(POLICYPATH)
 	$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
 ifneq ($(MLS),y)
-ifneq ($(VERS),18)
-	$(CHECKPOLICY) -c 18 -o $(POLICYPATH)/policy.18 policy.conf
-endif
 endif
 # Note: Can't use install, so not sure how to deal with mode, user, and group
 #	other than by default.
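Review bot: Dropping the `policy.18` build leaves `ifneq ($(MLS),y)` / `endif` at the end of the `$(LOADPATH)` rule with an empty body, which is dead conditional text; the `$(POLICYVER)` hunk further down removes both lines, so this one should do the same for consistency. The rewritten rule line also ends in a trailing space after `$(CHECKPOLICY)`.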
@@ -154,46 +157,39 @@ policy: $(POLICYVER)
 
 $(POLICYVER):  policy.conf $(FC) $(CHECKPOLICY)
 	$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
-ifneq ($(MLS),y)
-ifneq ($(VERS),18)
-	$(CHECKPOLICY) -c 18 -o policy.18 policy.conf
-endif
-endif
-	@echo "Validating file_contexts ..."
+	@echo "Validating file contexts files ..."
 	$(SETFILES) -q -c $(POLICYVER) $(FC)
 
-reload tmp/load: $(FCPATH) $(LOADPATH)
-ifeq ($(VERS), $(KERNVERS))
+reload tmp/load: $(LOADPATH) 
+	@echo "Loading Policy ..."
 	$(LOADPOLICY) $(LOADPATH)
-else
-	$(LOADPOLICY) $(POLICYPATH)/policy.18
-endif
 	touch tmp/load
 
-load: tmp/load
+load: tmp/load $(FCPATH) 
 
 enableaudit: policy.conf 
 	grep -v dontaudit policy.conf > policy.audit
 	mv policy.audit policy.conf
 
 policy.conf: $(POLICYFILES) $(POLICY_DIRS)
-	mkdir -p tmp
+	@echo "Building policy.conf ..."
+	@mkdir -p tmp
 	m4 $(M4PARAM) -Imacros -s $(POLICYFILES) > $@.tmp
-	mv $@.tmp $@
+	@mv $@.tmp $@
 
 install-src: 
 	rm -rf $(SRCPATH)/policy.old
 	-mv $(SRCPATH)/policy $(SRCPATH)/policy.old
-	mkdir -p $(SRCPATH)/policy
+	@mkdir -p $(SRCPATH)/policy
 	cp -R . $(SRCPATH)/policy
 
 tmp/program_used_flags.te: $(wildcard domains/program/*.te) domains/program
-	mkdir -p tmp
+	@mkdir -p tmp
 	( cd domains/program/ ; for n in *.te ; do echo "define(\`$$n')"; done ) > $@.tmp
 	( cd domains/misc/ ; for n in *.te ; do echo "define(\`$$n')"; done ) >> $@.tmp
 	mv $@.tmp $@
 
-FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';`
+FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs | reiserfs ).*rw/{print $$3}';`
 
 checklabels: $(SETFILES)
 	$(SETFILES) -v -n $(FC) $(FILESYSTEMS)
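Review bot: The `FILESYSTEMS` awk pattern now spells its alternatives inconsistently: ` jfs ` and ` reiserfs ` are padded on both sides while ` xfs` and `ext[23]` are not, so it is unclear whether the intent is to match the whole fstype field. One consistent form such as `/ (ext[23]|xfs|jfs|reiserfs) .*rw/` would state that intent, assuming `mount` prints `type <fs> (opts)` as the existing regex presumably relies on. Separately, `reload` no longer checks `$(VERS)` against `$(KERNVERS)`, so a version mismatch now surfaces as an error from `$(LOADPOLICY)` rather than a fallback; a comment saying that is intended would help.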
@@ -205,20 +201,20 @@ relabel:  $(FC) $(SETFILES)
 	$(SETFILES) $(FC) $(FILESYSTEMS)
 
 file_contexts/misc:
-	mkdir -p file_contexts/misc
-
+	@mkdir -p file_contexts/misc
 
-$(FCPATH): $(FC) $(USERPATH)/system.users 
+$(FCPATH): tmp/valid_fc $(USERPATH)/system.users  $(APPDIR)/customizable_types $(APPDIR)/port_types
+	@echo "Installing file contexts files..."
 	@mkdir -p $(CONTEXTPATH)/files
-	install -m 644 $(FC) $(FCPATH)
 	install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
+	install -m 644 $(FC) $(FCPATH)
 	@$(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD)
 
 $(FC): $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users /etc/passwd
-	@echo "Building file_contexts ..."
+	@echo "Building file contexts files..."
 	@m4 $(M4PARAM) $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) > $@.tmp
-	@grep -v -e HOME -e ROLE $@.tmp > $@
-	@grep -e HOME -e ROLE $@.tmp  > $(HOMEDIR_TEMPLATE)
+	@grep -v -e HOME -e ROLE -e USER $@.tmp > $@
+	@grep -e HOME -e ROLE -e USER $@.tmp  > $(HOMEDIR_TEMPLATE)
 	@-rm $@.tmp
 
 # Create a tags-file for the policy:
@@ -239,7 +235,7 @@ tags: $(wildcard *.te types/*.te domains/*.te domains/misc/*.te domains/program/
 	  --regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' $^
  
 clean:
-	rm -f policy.conf $(POLICYVER) policy.18
+	rm -f policy.conf $(POLICYVER)
 	rm -f tags
 	rm -f tmp/*
 	rm -f $(FC)
@@ -324,8 +320,11 @@ mlsconvert:
 	done
 	@for file in $(USER_FILES); do \
 		echo "Converting $$file"; \
-		sed -e 's/;/ level s0 range s0 - s9 : c0 . c127;/' $$file > $$file.new && \
+		sed -e 's/;/ level s0 range s0 - s9:c0.c127;/' $$file > $$file.new && \
 		mv $$file.new $$file; \
 	done
-	@sed -e '/sid kernel/s/s0/s0 - s9 : c0 . c127/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts
+	@sed -e '/sid kernel/s/s0/s0 - s9:c0.c127/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts
+	@echo "Enabling MLS in the Makefile"
+	@sed "s/MLS=n/MLS=y/" Makefile > Makefile.new
+	@mv Makefile.new Makefile
 	@echo "Done"
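Review bot: The new `sed "s/MLS=n/MLS=y/" Makefile` substitution is unanchored, so it rewrites every occurrence of `MLS=n` in the Makefile, including the text of this recipe line itself and any comment mentioning it; if the variable is defined as `MLS=n` at the start of a line (not visible in this hunk), anchoring confines the edit to the assignment. The two new lines also omit the `&& mv` chaining used on the `initial_sid_contexts` line just above, so with `@` hiding the commands a failed `sed` leaves an empty `Makefile.new` that `mv` then installs over the Makefile. Proposed single line: `@sed "s/^MLS=n$$/MLS=y/" Makefile > Makefile.new && mv Makefile.new Makefile` (note the doubled `$$` so make does not expand it).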
diff --git a/strict/VERSION b/strict/VERSION
index aa3e574..24cffb8 100644
--- a/strict/VERSION
+++ b/strict/VERSION
@@ -1 +1 @@
-1.23.2-1
+1.26
diff --git a/strict/attrib.te b/strict/attrib.te
index cc79235..ca9d8e8 100644
--- a/strict/attrib.te
+++ b/strict/attrib.te
@@ -110,6 +110,10 @@ attribute privlog;
 # and an allow rule to permit it
 attribute privmodule;
 
+# The privsysmod attribute identifies every domain that can have the
+# sys_module capability
+attribute privsysmod;
+
 # The privmem attribute identifies every domain that can 
 # access kernel memory devices.
 # This attribute is used in the TE assertions to verify
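Review bot: The new `privsysmod` comment says which domains the attribute identifies but, unlike the neighbouring `privmodule`/`privmem`/`privkmsg` comments, says nothing about how it is enforced, so a reader cannot tell whether an assertion restricts `sys_module` to tagged domains or whether the attribute is informational. Suggest extending it with whichever is true, e.g. `# This attribute is used in the TE assertions to verify that the sys_module capability is limited to explicitly tagged domains`, if such an assertion exists; assert.te is not part of this diff.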
@@ -117,6 +121,13 @@ attribute privmodule;
 # tagged with this attribute.
 attribute privmem;
 
+# The privkmsg attribute identifies every domain that can 
+# read kernel messages (/proc/kmsg)
+# This attribute is used in the TE assertions to verify
+# that such access is limited to domains that are explicitly
+# tagged with this attribute.
+attribute privkmsg;
+
 # The privfd attribute identifies every domain that should have
 # file handles inherited widely (IE sshd_t and getty_t).
 attribute privfd;
@@ -251,6 +262,12 @@ attribute sysadmfile;
 # overall filesystem statistics.
 attribute fs_type;
 
+# The mount_point attribute identifies all types that can serve
+# as a mount point (for the mount binary). It is used in the mount 
+# policy to grant mounton permission, and in other domains to grant 
+# getattr permission over all the mount points.
+attribute mount_point;
+
 # The exec_type attribute identifies all types assigned
 # to entrypoint executables for domains.  This attribute is 
 # used in TE rules and assertions that should be applied to all 
@@ -413,7 +430,11 @@ attribute nscd_client_domain;
 # For clients of nscd that can use shmem interface.
 attribute nscd_shmem_domain;
 
-# For labeling of content for httpd
+# For labeling of content for httpd.  This attribute is only used by
+# the httpd_unified domain, which says treat all httpdcontent the
+# same.  If you want content to be served in a "non-unified" system
+# you must specifically add "r_dir_file(httpd_t, your_content_t)" to
+# your policy.
 attribute httpdcontent;
 
 # For labeling of domains whos transition can be disabled
diff --git a/strict/constraints b/strict/constraints
index 17fccc0..46a9875 100644
--- a/strict/constraints
+++ b/strict/constraints
@@ -61,6 +61,10 @@ ifdef(`crond.te', `
 ')
 ifdef(`userhelper.te', 
 	`or (t1 == userhelperdomain)')
+ifdef(`postfix.te', `
+ifdef(`direct_sysadm_daemon',
+	`or (t1 == sysadm_mail_t and t2 == system_mail_t and r2 == system_r )')
+')
 	 or (t1 == priv_system_role and r2 == system_r )
         );
 
diff --git a/strict/domains/program/crond.te b/strict/domains/program/crond.te
index d92a422..43d6bbe 100644
--- a/strict/domains/program/crond.te
+++ b/strict/domains/program/crond.te
@@ -86,6 +86,8 @@ allow crond_t rpm_log_t: file create_file_perms;
 
 system_crond_entry(rpm_exec_t, rpm_t)
 allow system_crond_t rpm_log_t:file create_file_perms;
+#read ahead wants to read this
+allow initrc_t system_cron_spool_t:file { getattr read };
 ')
 ')
 
diff --git a/strict/domains/program/dhcpc.te b/strict/domains/program/dhcpc.te
index 3703ce4..442d46f 100644
--- a/strict/domains/program/dhcpc.te
+++ b/strict/domains/program/dhcpc.te
@@ -64,6 +64,9 @@ allow ping_t hotplug_t:fd use;
 ifdef(`cardmgr.te', `
 allow ping_t cardmgr_t:fd use;
 ') dnl end if cardmgr
+', `
+allow dhcpc_t self:capability setuid;
+allow dhcpc_t self:rawip_socket create_socket_perms;
 ') dnl end if ping
 
 ifdef(`dhcpd.te', `', `
@@ -116,7 +119,7 @@ allow dhcpc_t self:packet_socket create_socket_perms;
 allow dhcpc_t var_lib_t:dir search;
 file_type_auto_trans(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
 
-allow dhcpc_t bin_t:dir search;
+allow dhcpc_t bin_t:dir { getattr search };
 allow dhcpc_t bin_t:lnk_file read;
 can_exec(dhcpc_t, { bin_t shell_exec_t })
 
diff --git a/strict/domains/program/hotplug.te b/strict/domains/program/hotplug.te
index 65f5396..38e1d52 100644
--- a/strict/domains/program/hotplug.te
+++ b/strict/domains/program/hotplug.te
@@ -65,7 +65,7 @@ allow hotplug_t usbfs_t:file { getattr read };
 allow hotplug_t etc_t:dir r_dir_perms;
 allow hotplug_t etc_t:{ file lnk_file } r_file_perms;
 
-allow hotplug_t kernel_t:process sigchld;
+allow hotplug_t kernel_t:process { sigchld setpgid };
 
 ifdef(`distro_redhat', `
 allow hotplug_t var_lock_t:dir search;
@@ -128,9 +128,9 @@ dontaudit hotplug_t initctl_t:fifo_file { read write };
 # Read /usr/lib/gconv/.*
 allow hotplug_t lib_t:file { getattr read };
 
-allow hotplug_t self:capability { net_admin sys_tty_config mknod };
-allow hotplug_t sysfs_t:dir { getattr read search };
-allow hotplug_t sysfs_t:file { getattr read };
+allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
+allow hotplug_t sysfs_t:dir { getattr read search write };
+allow hotplug_t sysfs_t:file rw_file_perms;
 allow hotplug_t sysfs_t:lnk_file { getattr read };
 allow hotplug_t udev_runtime_t:file rw_file_perms;
 ifdef(`lpd.te', `
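Review bot: This hunk widens `hotplug_t` in three ways at once, `sys_rawio`, `write` on `sysfs_t` directories and `rw_file_perms` on all `sysfs_t` files, with no comment; `sys_rawio` in particular is a broad capability, and the ChangeLog hunk in this same commit attributes it to a prism54 card at boot. Suggest recording that next to the rule, e.g. `# sys_rawio and sysfs write: needed by the prism54 card at boot (see ChangeLog 1.25.4)`, so a later reviewer can judge whether it can be narrowed. Whether the sysfs write rules serve the same device is inferred, not stated.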
@@ -156,10 +156,7 @@ ifdef(`mta.te', `
 domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t) 
 ')
 
-allow restorecon_t hotplug_t:fd use;
+allow { insmod_t kernel_t } hotplug_etc_t:dir { search getattr };
+allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
 
-ifdef(`unlimitedUtils', `
-unconfined_domain(hotplug_t) 
-')
-
-allow kernel_t hotplug_etc_t:dir search;
+dontaudit hotplug_t selinux_config_t:dir search;
diff --git a/strict/domains/program/ipsec.te b/strict/domains/program/ipsec.te
index dd32f69..3bb4bad 100644
--- a/strict/domains/program/ipsec.te
+++ b/strict/domains/program/ipsec.te
@@ -185,9 +185,8 @@ allow ipsec_t etc_t:file { read getattr };
 allow ipsec_mgmt_t null_device_t:chr_file rw_file_perms;
 allow ipsec_t null_device_t:chr_file rw_file_perms;
 
-# Allow scripts to use /var/locl/subsys/ipsec
-allow ipsec_mgmt_t var_lock_t:dir rw_dir_perms;
-allow ipsec_mgmt_t var_lock_t:file create_file_perms;
+# Allow scripts to use /var/lock/subsys/ipsec
+lock_domain(ipsec_mgmt)
 
 # allow tncfg to create sockets
 allow ipsec_mgmt_t self:udp_socket { create ioctl };
diff --git a/strict/domains/program/klogd.te b/strict/domains/program/klogd.te
index 42a136e..dd0b79c 100644
--- a/strict/domains/program/klogd.te
+++ b/strict/domains/program/klogd.te
@@ -43,3 +43,6 @@ allow klogd_t kernel_t:system { syslog_mod syslog_console };
 # Read /boot/System.map*
 allow klogd_t system_map_t:file r_file_perms;
 allow klogd_t boot_t:dir r_dir_perms;
+ifdef(`targeted_policy', `
+allow klogd_t unconfined_t:system syslog_mod;
+')
diff --git a/strict/domains/program/load_policy.te b/strict/domains/program/load_policy.te
index 8276f58..e10a6e2 100644
--- a/strict/domains/program/load_policy.te
+++ b/strict/domains/program/load_policy.te
@@ -11,6 +11,7 @@
 
 type load_policy_t, domain;
 role sysadm_r types load_policy_t;
+role secadm_r types load_policy_t;
 role system_r types load_policy_t;
 
 type load_policy_exec_t, file_type, exec_type, sysadmfile;
@@ -19,7 +20,7 @@ type load_policy_exec_t, file_type, exec_type, sysadmfile;
 # 
 # Rules
 
-domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
+domain_auto_trans(secadmin, load_policy_exec_t, load_policy_t)
 
 allow load_policy_t console_device_t:chr_file { read write };
 
diff --git a/strict/domains/program/login.te b/strict/domains/program/login.te
index 540b68f..887aa58 100644
--- a/strict/domains/program/login.te
+++ b/strict/domains/program/login.te
@@ -13,7 +13,7 @@
 
 # $1 is the name of the domain (local or remote)
 define(`login_domain', `
-type $1_login_t, domain, privuser, privrole, privlog, auth_chkpwd, privowner, privfd, nscd_client_domain;
+type $1_login_t, domain, privuser, privrole, privlog, auth_chkpwd, privowner, privfd, nscd_client_domain, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade;
 role system_r types $1_login_t;
 
 dontaudit $1_login_t shadow_t:file { getattr read };
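Review bot: `$1_login_t` gains four MLS attributes (`mlsfilewrite`, `mlsprocsetsl`, `mlsfileupgrade`, `mlsfiledowngrade`) on one line with no comment; judging by their names these exempt the login domain from MLS write and level-change constraints, which is a notable grant for a domain that processes untrusted credentials. Suggest a comment above the `type` line stating what they are for, e.g. `# MLS: login sets the session level and must write/relabel tty and session files at other levels`, adjusted to what the constraints actually require; the MLS constraints are not in this diff.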
@@ -83,6 +83,9 @@ if (use_samba_home_dirs) {
 r_dir_file($1_login_t, cifs_t)
 }
 
+# Login can polyinstantiate
+polyinstantiater($1_login_t)
+
 # FIXME: what is this for?
 ifdef(`xdm.te', `
 allow xdm_t $1_login_t:process signull;
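Review bot: `polyinstantiater($1_login_t)` is invoked unconditionally; per the macro body shown in the docs hunk of this same commit, its expansion is gated by `support_polyinstantiation` and grants `sys_admin` plus `setfscreate`, so the one-line comment undersells what the login domain receives. Suggest `# Login can polyinstantiate (grants sys_admin and setfscreate; expands only when support_polyinstantiation is set)`. The enclosing login_domain macro starts and ends outside this hunk.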
@@ -166,9 +169,7 @@ dontaudit local_login_t mnt_t:dir r_dir_perms;
 
 
 # Create lock file.
-allow local_login_t var_lock_t:dir rw_dir_perms;
-allow local_login_t var_lock_t:file create_file_perms;
-
+lock_domain(local_login)
 
 # Read and write ttys.
 allow local_login_t tty_device_t:chr_file { setattr rw_file_perms };
diff --git a/strict/domains/program/logrotate.te b/strict/domains/program/logrotate.te
index 9cdcf6f..33c1d51 100644
--- a/strict/domains/program/logrotate.te
+++ b/strict/domains/program/logrotate.te
@@ -46,7 +46,7 @@ allow logrotate_t etc_runtime_t:file r_file_perms;
 allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { getattr read search };
 
 # create lock files
-rw_dir_create_file(logrotate_t, var_lock_t)
+lock_domain(logrotate)
 
 # Create temporary files.
 tmp_domain(logrotate)
diff --git a/strict/domains/program/modutil.te b/strict/domains/program/modutil.te
index ca8d7c1..64028d6 100644
--- a/strict/domains/program/modutil.te
+++ b/strict/domains/program/modutil.te
@@ -71,7 +71,7 @@ r_dir_file(depmod_t, { staff_home_t sysadm_home_t })
 # Rules for the insmod_t domain.
 #
 
-type insmod_t, domain, privlog, sysctl_kernel_writer, privmem ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' )
+type insmod_t, domain, privlog, sysctl_kernel_writer, privmem, privsysmod ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' ), mlsfilewrite, nscd_client_domain
 ;
 role system_r types insmod_t;
 role sysadm_r types insmod_t;
diff --git a/strict/domains/program/mount.te b/strict/domains/program/mount.te
index 8f1b7c1..9efd6a4 100644
--- a/strict/domains/program/mount.te
+++ b/strict/domains/program/mount.te
@@ -11,7 +11,7 @@
 
 type mount_exec_t, file_type, sysadmfile, exec_type;
 
-mount_domain(sysadm, mount, `, fs_domain, nscd_client_domain')
+mount_domain(sysadm, mount, `, fs_domain, nscd_client_domain, mlsfileread, mlsfilewrite')
 mount_loopback_privs(sysadm, mount)
 role sysadm_r types mount_t;
 role system_r types mount_t;
@@ -39,20 +39,16 @@ allow mount_t file_t:file { getattr read unlink };
 allow mount_t fs_type:filesystem mount_fs_perms;
 allow mount_t mount_point:dir mounton;
 allow mount_t nfs_t:dir search;
-# nfsv4 has a filesystem to mount for its userspace daemons
-allow mount_t var_lib_nfs_t:dir mounton;
-
-# On some RedHat systems, /boot is a mount point
-allow mount_t boot_t:dir mounton;
-allow mount_t device_t:dir mounton;
-# mount binfmt_misc on /proc/sys/fs/binfmt_misc
-allow mount_t sysctl_t:dir { mounton search };
+allow mount_t sysctl_t:dir search;
 
 allow mount_t root_t:filesystem unmount;
 
+can_portmap(mount_t)
+
 ifdef(`portmap.te', `
 # for nfs
 can_network(mount_t)
+allow mount_t port_type:tcp_socket name_connect;
 can_ypbind(mount_t)
 allow mount_t port_t:{ tcp_socket udp_socket } name_bind;
 allow mount_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
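Review bot: The removed `mounton` rules for `var_lib_nfs_t`, `boot_t`, `device_t`, `sysctl_t` and (in the next hunk) `tmpfs_t` are presumably now covered by the generic `allow mount_t mount_point:dir mounton;` that remains at the top of this hunk, but that only holds if each of those types is tagged `mount_point` elsewhere, which is not visible here; a type that was missed silently loses its mount permission. The new `allow mount_t port_type:tcp_socket name_connect;` allows connections to every labelled port rather than the NFS/portmap ports this block is about, so if the reason is dynamic port assignment it deserves saying, e.g. `# NFS mounts connect to ports handed out by portmap, which may carry any port_type`.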
@@ -83,11 +79,7 @@ dontaudit mount_t kernel_t:fd use;
 allow mount_t userdomain:fd use;
 can_exec(mount_t, { sbin_t bin_t })
 allow mount_t device_t:dir r_dir_perms;
-ifdef(`distro_redhat', `
 allow mount_t tmpfs_t:chr_file { read write };
-allow mount_t tmpfs_t:dir mounton;
-')
-
 
 # tries to read /init
 dontaudit mount_t root_t:file { getattr read };
diff --git a/strict/domains/program/mta.te b/strict/domains/program/mta.te
index 096c734..6c141c4 100644
--- a/strict/domains/program/mta.te
+++ b/strict/domains/program/mta.te
@@ -13,8 +13,6 @@
 ifdef(`sendmail.te', `', `
 type sendmail_exec_t, file_type, exec_type, sysadmfile;
 ')
-type smtp_port_t, port_type, reserved_port_type;
-
 
 # create a system_mail_t domain for daemons, init scripts, etc when they run
 # "mail user@domain"
@@ -25,6 +23,7 @@ ifdef(`targeted_policy', `
 # targeted policy.  We could move these rules permanantly here.
 ifdef(`postfix.te', `', `can_exec_any(system_mail_t)')
 allow system_mail_t self:dir { search };
+allow system_mail_t self:lnk_file read;
 r_dir_file(system_mail_t, { proc_t proc_net_t })
 allow system_mail_t fs_t:filesystem getattr;
 allow system_mail_t { var_t var_spool_t }:dir getattr;
@@ -59,15 +58,6 @@ allow { system_mail_t mta_user_agent } privmail:process sigchld;
 allow { system_mail_t mta_user_agent } privmail:fifo_file { read write };
 allow { system_mail_t mta_user_agent } admin_tty_type:chr_file { read write };
 
-ifdef(`arpwatch.te', `
-# why is mail delivered to a directory of type arpwatch_data_t?
-allow mta_delivery_agent arpwatch_data_t:dir search;
-allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;
-ifdef(`hide_broken_symptoms', `
-dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write };
-')
-')dnl end if arpwatch.te
-
 allow mta_delivery_agent home_root_t:dir { getattr search };
 
 # for /var/spool/mail
@@ -81,4 +71,4 @@ allow mta_delivery_agent devtty_t:chr_file rw_file_perms;
 allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read };
 
 allow system_mail_t etc_runtime_t:file { getattr read };
-allow system_mail_t urandom_device_t:chr_file read;
+allow system_mail_t { random_device_t urandom_device_t }:chr_file { getattr read };
diff --git a/strict/domains/program/mysqld.te b/strict/domains/program/mysqld.te
index 84934de..1bd9073 100644
--- a/strict/domains/program/mysqld.te
+++ b/strict/domains/program/mysqld.te
@@ -10,15 +10,13 @@
 #
 # mysqld_exec_t is the type of the mysqld executable.
 #
-daemon_domain(mysqld)
+daemon_domain(mysqld, `, nscd_client_domain')
 
-type mysqld_port_t, port_type;
 allow mysqld_t mysqld_port_t:tcp_socket name_bind;
 
 allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
 
 etcdir_domain(mysqld)
-typealias mysqld_etc_t alias etc_mysqld_t;
 type mysqld_db_t, file_type, sysadmfile;
 
 log_domain(mysqld)
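Review bot: dropping `typealias mysqld_etc_t alias etc_mysqld_t;` (L898) removes a compatibility name, so any file_contexts entry or other policy still referring to `etc_mysqld_t` will fail at policy load; confirm those references were updated (the same commit also drops the `var_lib_$1_t` alias in global_macros.te). `type mysqld_port_t, port_type;` is removed on L892 while L893 still binds to it, so the type must now be declared centrally — presumably in a network types file not part of this diff.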
@@ -36,7 +34,7 @@ allow initrc_t mysqld_var_run_t:sock_file write;
 allow initrc_t mysqld_log_t:file { write append setattr ioctl };
 
 allow mysqld_t self:capability { dac_override setgid setuid net_bind_service };
-allow mysqld_t self:process getsched;
+allow mysqld_t self:process { setsched getsched };
 
 allow mysqld_t proc_t:file { getattr read };
 
@@ -90,3 +88,4 @@ allow userdomain mysqld_var_run_t:sock_file write;
 }
 ')
 
+allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
diff --git a/strict/domains/program/named.te b/strict/domains/program/named.te
index 028667e..39924d7 100644
--- a/strict/domains/program/named.te
+++ b/strict/domains/program/named.te
@@ -10,11 +10,13 @@
 #
 # Rules for the named_t domain.
 #
-type rndc_port_t, port_type, reserved_port_type;
 
 daemon_domain(named, `, nscd_client_domain')
 tmp_domain(named)
 
+type named_checkconf_exec_t, file_type, exec_type, sysadmfile;
+domain_auto_trans(initrc_t, named_checkconf_exec_t, named_t)
+
 # For /var/run/ndc used in BIND 8
 file_type_auto_trans(named_t, var_run_t, named_var_run_t, sock_file)
 
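Review bot: `domain_auto_trans(initrc_t, named_checkconf_exec_t, named_t)` on L930 runs the configuration checker in the full named_t domain, so a tool that only needs to read named_conf_t inherits the daemon's network bind and log privileges. A dedicated domain would be tighter; failing that, a comment on L929 such as `# named-checkconf runs in named_t to share its config access` would record the decision. The new exec type also needs a file_contexts entry, which is not visible in this diff.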
@@ -54,11 +56,13 @@ allow named_t etc_runtime_t:{ file lnk_file } { getattr read };
 
 #Named can use network
 can_network(named_t)
+allow named_t port_type:tcp_socket name_connect;
 can_ypbind(named_t)
 # allow UDP transfer to/from any program
 can_udp_send(domain, named_t)
 can_udp_send(named_t, domain)
 can_tcp_connect(domain, named_t)
+log_domain(named)
 
 # Bind to the named port.
 allow named_t dns_port_t:udp_socket name_bind;
@@ -103,6 +107,7 @@ type ndc_exec_t, file_type,sysadmfile, exec_type;
 domain_auto_trans({ sysadm_t initrc_t }, ndc_exec_t, ndc_t)
 uses_shlib(ndc_t)
 can_network_client_tcp(ndc_t)
+allow ndc_t rndc_port_t:tcp_socket name_connect;
 can_ypbind(ndc_t)
 can_resolve(ndc_t)
 read_locale(ndc_t)
@@ -113,6 +118,7 @@ ifdef(`distro_redhat', `
 allow { ndc_t initrc_t } named_conf_t:dir search;
 # Allow init script to cp localtime to named_conf_t
 allow initrc_t named_conf_t:file { setattr write };
+allow initrc_t named_conf_t:dir create_dir_perms;
 ')
 allow { ndc_t initrc_t } named_conf_t:file { getattr read };
 
diff --git a/strict/domains/program/newrole.te b/strict/domains/program/newrole.te
index 6f6489e..8d66e4b 100644
--- a/strict/domains/program/newrole.te
+++ b/strict/domains/program/newrole.te
@@ -17,3 +17,4 @@ newrole_domain(newrole)
 allow newrole_t var_run_t:dir r_dir_perms;
 allow newrole_t initrc_var_run_t:file rw_file_perms;
 
+role secadm_r types newrole_t;
diff --git a/strict/domains/program/nscd.te b/strict/domains/program/nscd.te
index 40ffbbc..77e2eb7 100644
--- a/strict/domains/program/nscd.te
+++ b/strict/domains/program/nscd.te
@@ -73,3 +73,6 @@ allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
 allow nscd_t tmp_t:dir { search getattr };
 allow nscd_t tmp_t:lnk_file read;
 allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
+log_domain(nscd)
+r_dir_file(nscd_t, cert_t)
+allow nscd_t tun_tap_device_t:chr_file { read write };
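Review bot: `allow nscd_t tun_tap_device_t:chr_file { read write };` on L984 gives the name-service cache read/write access to TUN/TAP devices, which is unusual for nscd and has no comment. If it stems from an AVC denial caused by a descriptor inherited from a VPN or container tool, `dontaudit nscd_t tun_tap_device_t:chr_file { read write };` is the safer response; otherwise the comment should name the nscd code path that opens the device. The `log_domain(nscd)` and `cert_t` additions are self-explanatory.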
diff --git a/strict/domains/program/ntpd.te b/strict/domains/program/ntpd.te
index 2b7480c..80ea965 100644
--- a/strict/domains/program/ntpd.te
+++ b/strict/domains/program/ntpd.te
@@ -43,6 +43,7 @@ can_network(ntpd_t)
 allow ntpd_t ntp_port_t:tcp_socket name_connect;
 can_ypbind(ntpd_t)
 allow ntpd_t ntp_port_t:udp_socket name_bind;
+allow sysadm_t ntp_port_t:udp_socket name_bind;
 allow ntpd_t self:unix_dgram_socket create_socket_perms;
 allow ntpd_t self:unix_stream_socket create_socket_perms;
 allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
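Review bot: `allow sysadm_t ntp_port_t:udp_socket name_bind;` on L993 is a sysadm_t rule placed among ntpd_t rules with no explanation, and it lets an interactive domain bind a reserved port. A comment such as `# allow the administrator to run ntpdate directly (TODO confirm)` would tell the next maintainer why the grant exists and which tool needs it.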
diff --git a/strict/domains/program/pam.te b/strict/domains/program/pam.te
index 7c5710f..2d71222 100644
--- a/strict/domains/program/pam.te
+++ b/strict/domains/program/pam.te
@@ -37,4 +37,9 @@ dontaudit pam_t self:capability sys_tty_config;
 
 allow initrc_t pam_var_run_t:dir rw_dir_perms;
 allow initrc_t pam_var_run_t:file { getattr read unlink };
-dontaudit pam_t initrc_var_run_t:file { read write };
+dontaudit pam_t initrc_var_run_t:file rw_file_perms;
+
+# Supress xdm denial
+ifdef(`xdm.te', `
+dontaudit pam_t xdm_t:fd use;
+') dnl ifdef
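Review bot: the new comment on L1008 has a typo (`# Supress xdm denial` → `# Suppress xdm denial`) and would be more useful if it said what is being hidden: `dontaudit pam_t xdm_t:fd use;` silences descriptor inheritance from xdm, which is harmless only if pam_t never actually needs those descriptors. Widening L1006 from `{ read write }` to `rw_file_perms` also suppresses ioctl/lock/append denials on initrc_var_run_t; that is fine if intentional, but dontaudit rules should stay as narrow as the observed noise so the audit log keeps its diagnostic value.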
diff --git a/strict/domains/program/ping.te b/strict/domains/program/ping.te
index c23d92b..cc1407e 100644
--- a/strict/domains/program/ping.te
+++ b/strict/domains/program/ping.te
@@ -17,6 +17,7 @@ role system_r types ping_t;
 in_user_role(ping_t)
 type ping_exec_t, file_type, sysadmfile, exec_type;
 
+ifdef(`targeted_policy', `', `
 bool user_ping false;
 
 if (user_ping) {
@@ -25,6 +26,7 @@ if (user_ping) {
 	allow ping_t { ttyfile ptyfile }:chr_file rw_file_perms;
 	ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
 }
+')
 
 # Transition into this domain when you run this program.
 domain_auto_trans(sysadm_t, ping_exec_t, ping_t)
@@ -32,6 +34,7 @@ domain_auto_trans(initrc_t, ping_exec_t, ping_t)
 
 uses_shlib(ping_t)
 can_network_client(ping_t)
+can_resolve(ping_t)
 can_ypbind(ping_t)
 allow ping_t etc_t:file { getattr read };
 allow ping_t self:unix_stream_socket create_socket_perms;
diff --git a/strict/domains/program/udev.te b/strict/domains/program/udev.te
index fb70a35..ae4760c 100644
--- a/strict/domains/program/udev.te
+++ b/strict/domains/program/udev.te
@@ -28,18 +28,19 @@ can_exec_any(udev_t)
 type udev_tdb_t, file_type, sysadmfile, dev_fs;
 typealias udev_tdb_t alias udev_tbl_t;
 file_type_auto_trans(udev_t, device_t, udev_tdb_t, file)
-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin };
+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_nice mknod net_raw net_admin sys_rawio };
 allow udev_t self:file { getattr read };
 allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
 allow udev_t self:unix_dgram_socket create_socket_perms;
 allow udev_t self:fifo_file rw_file_perms;
 allow udev_t self:netlink_kobject_uevent_socket { create bind read }; 
+allow udev_t device_t:file { unlink rw_file_perms };
 allow udev_t device_t:sock_file create_file_perms;
 allow udev_t device_t:lnk_file create_lnk_perms;
 allow udev_t { device_t device_type }:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
 ifdef(`distro_redhat', `
-allow udev_t tmpfs_t:dir rw_dir_perms;
-allow udev_t tmpfs_t:sock_file create_file_perms;
+allow udev_t tmpfs_t:dir create_dir_perms;
+allow udev_t tmpfs_t:{ sock_file file } create_file_perms;
 allow udev_t tmpfs_t:lnk_file create_lnk_perms;
 allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
 allow udev_t tmpfs_t:dir search;
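Review bot: `sys_rawio` is added to udev_t's capability set on L1049 without a comment; it permits raw I/O-port and raw block device access, a significant widening for a root daemon that acts on kernel hotplug events, and the hunk gives no hint which helper needs it. Add a justification such as `# sys_rawio: required by <HELPER_PLACEHOLDER> for <OPERATION_PLACEHOLDER>` (confirm the actual tool) or, if this came from a single noisy denial, prefer a `dontaudit`. The same applies, to a lesser degree, to `sys_nice` on the same line.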
@@ -53,7 +54,7 @@ allow udev_t { sbin_t bin_t }:lnk_file read;
 allow udev_t bin_t:lnk_file read;
 can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } )
 can_exec(udev_t, udev_exec_t)
-r_dir_file(udev_t, sysfs_t)
+rw_dir_file(udev_t, sysfs_t)
 allow udev_t sysadm_tty_device_t:chr_file { read write };
 
 # to read the file_contexts file
@@ -138,3 +139,8 @@ file_type_auto_trans(udev_t, etc_t, dhcp_etc_t, file)
 ')
 r_dir_file(udev_t, domain)
 allow udev_t modules_dep_t:file r_file_perms;
+
+ifdef(`unlimitedUtils', `
+unconfined_domain(udev_t) 
+')
+dontaudit hostname_t udev_t:fd use;
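Review bot: `unconfined_domain(udev_t)` under the `unlimitedUtils` ifdef (L1082) removes all confinement from a root daemon that consumes kernel-supplied uevents and can execute arbitrary binaries (`can_exec_any(udev_t)` in the context at L1044); because the switch is build-time, administrators get no runtime bool to disable it. Add a comment stating why the extensive rule set above is insufficient under unlimitedUtils, and trim the trailing whitespace on L1082. `dontaudit hostname_t udev_t:fd use;` on L1084 would also benefit from a one-line reason.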
diff --git a/strict/domains/user.te b/strict/domains/user.te
index 02f6be9..39a76d6 100644
--- a/strict/domains/user.te
+++ b/strict/domains/user.te
@@ -10,10 +10,15 @@ bool user_dmesg false;
 # Support NFS home directories
 bool use_nfs_home_dirs false;
 
-# Allow execution of anonymous mappings, e.g. executable stack.
+# Allow making anonymous memory executable, e.g. 
+# for runtime-code generation or executable stack.
 bool allow_execmem false;
 
-# Support Share libraries with Text Relocation
+# Allow making the stack executable via mprotect.
+# Also requires allow_execmem.
+bool allow_execstack false;
+
+# Allow making a modified private file mapping executable (text relocation).
 bool allow_execmod false;
 
 # Support SAMBA home directories
@@ -126,7 +131,16 @@ dontaudit unpriv_userdomain { sysadm_home_dir_t staff_home_dir_t }:dir { getattr
 role_tty_type_change(sysadm, user)
 role_tty_type_change(staff, sysadm)
 role_tty_type_change(sysadm, staff)
+role_tty_type_change(sysadm, secadm)
+role_tty_type_change(staff, secadm)
 
 # "ps aux" and "ls -l /dev/pts" make too much noise without this
 dontaudit unpriv_userdomain ptyfile:chr_file getattr;
 
+# to allow w to display everyone...
+bool user_ttyfile_stat false;
+
+if (user_ttyfile_stat) {
+allow userdomain ttyfile:chr_file getattr;
+}
+
diff --git a/strict/fs_use b/strict/fs_use
index 8f167a7..1dec535 100644
--- a/strict/fs_use
+++ b/strict/fs_use
@@ -8,6 +8,7 @@ fs_use_xattr ext2 system_u:object_r:fs_t;
 fs_use_xattr ext3 system_u:object_r:fs_t;
 fs_use_xattr xfs system_u:object_r:fs_t;
 fs_use_xattr jfs system_u:object_r:fs_t;
+fs_use_xattr reiserfs system_u:object_r:fs_t;
 
 # Use the allocating task SID to label inodes in the following filesystem
 # types, and label the filesystem itself with the specified context.
@@ -25,6 +26,7 @@ fs_use_task sockfs system_u:object_r:fs_t;
 fs_use_trans devpts system_u:object_r:devpts_t;
 fs_use_trans tmpfs system_u:object_r:tmpfs_t;
 fs_use_trans shm system_u:object_r:tmpfs_t;
+fs_use_trans mqueue system_u:object_r:tmpfs_t;
 
 # The separate genfs_contexts configuration can be used for filesystem 
 # types that cannot support persistent label mappings or use
diff --git a/strict/genfs_contexts b/strict/genfs_contexts
index 3c2438b..6686d2e 100644
--- a/strict/genfs_contexts
+++ b/strict/genfs_contexts
@@ -91,8 +91,10 @@ genfscon nfs /				system_u:object_r:nfs_t
 genfscon nfs4 /				system_u:object_r:nfs_t
 genfscon afs /				system_u:object_r:nfs_t
 
-# reiserfs - until xattr security support works properly
-genfscon reiserfs /			system_u:object_r:nfs_t
+genfscon debugfs /			system_u:object_r:debugfs_t
+genfscon inotifyfs /			system_u:object_r:inotifyfs_t
+genfscon hugetlbfs /			system_u:object_r:hugetlbfs_t
+genfscon mqueue /			system_u:object_r:mqueue_t
 
 # needs more work
 genfscon eventpollfs / system_u:object_r:eventpollfs_t
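Review bot: `genfscon mqueue /` on L1157 conflicts with `fs_use_trans mqueue system_u:object_r:tmpfs_t;` added to strict/fs_use in the same commit (L1140); a filesystem type gets a single labeling behaviour, and as far as I know the fs_use entry takes precedence, leaving the genfscon line and the `mqueue_t` type it names dead. Keep one: if message-queue objects should be tmpfs_t, drop L1157; if a distinct mqueue_t is wanted, drop L1140. The new debugfs_t, inotifyfs_t and hugetlbfs_t types must also be declared somewhere not shown in this diff.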
diff --git a/strict/macros/base_user_macros.te b/strict/macros/base_user_macros.te
index 06bd8b3..6281fca 100644
--- a/strict/macros/base_user_macros.te
+++ b/strict/macros/base_user_macros.te
@@ -35,7 +35,8 @@ r_dir_file($1_t, usercanread)
 general_domain_access($1_t)
 
 if (allow_execmem) {
-# Allow loading DSOs that require executable stack.
+# Allow making anonymous memory executable, e.g. 
+# for runtime-code generation or executable stack.
 allow $1_t self:process execmem;
 }
 
@@ -131,10 +132,6 @@ ifdef(`cardmgr.te', `
 allow $1_t cardmgr_var_run_t:file { getattr read };
 ')
 
-# Read and write /var/catman.
-allow $1_t catman_t:dir rw_dir_perms;
-allow $1_t catman_t:file create_file_perms;
-
 # Modify mail spool file.
 allow $1_t mail_spool_t:dir r_dir_perms;
 allow $1_t mail_spool_t:file rw_file_perms;
@@ -176,19 +173,38 @@ ifdef(`crontab.te', `crontab_domain($1)')
 ifdef(`screen.te', `screen_domain($1)')
 ifdef(`tvtime.te', `tvtime_domain($1)')
 ifdef(`mozilla.te', `mozilla_domain($1)')
+ifdef(`thunderbird.te', `thunderbird_domain($1)')
 ifdef(`samba.te', `samba_domain($1)')
-ifdef(`games.te', `games_domain($1)')
 ifdef(`gpg.te', `gpg_domain($1)')
 ifdef(`xauth.te', `xauth_domain($1)')
+ifdef(`iceauth.te', `iceauth_domain($1)')
 ifdef(`startx.te', `xserver_domain($1)')
 ifdef(`lpr.te', `lpr_domain($1)')
 ifdef(`ssh.te', `ssh_domain($1)')
 ifdef(`irc.te', `irc_domain($1)')
 ifdef(`using_spamassassin', `spamassassin_domain($1)')
+ifdef(`pyzor.te', `pyzor_domain($1)')
+ifdef(`razor.te', `razor_domain($1)')
 ifdef(`uml.te', `uml_domain($1)')
 ifdef(`cdrecord.te', `cdrecord_domain($1)')
 ifdef(`mplayer.te', `mplayer_domains($1)')
+
+fontconfig_domain($1)
+
+# GNOME
+ifdef(`gnome.te', `
+gnome_domain($1)
+ifdef(`games.te', `games_domain($1)')
 ifdef(`gift.te', `gift_domains($1)')
+ifdef(`evolution.te', `evolution_domains($1)')
+ifdef(`ethereal.te', `ethereal_domain($1)')
+')
+
+# ICE communication channel
+ice_domain($1, $1)
+
+# ORBit communication channel (independent of GNOME)
+orbit_domain($1, $1)
 
 # Instantiate a derived domain for user cron jobs.
 ifdef(`crond.te', `crond_domain($1)')
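Review bot: `fontconfig_domain($1)` (L1207), `ice_domain($1, $1)` (L1219) and `orbit_domain($1, $1)` (L1222) are invoked unconditionally, unlike every other per-application macro in this list, which is wrapped in an `ifdef` on its .te file; if those macro files are optional the policy build fails on an unexpanded macro name. Either guard them the same way, e.g. `ifdef(`fontconfig.te', `fontconfig_domain($1)')`, or add a comment stating that these macros are always defined (the L1221 comment hints at that for ORBit but not for the others).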
@@ -213,7 +229,9 @@ dontaudit $1_t self:netlink_route_socket create_netlink_socket_perms;
 
 # Use the network.
 can_network($1_t)
+allow $1_t port_type:tcp_socket name_connect;
 can_ypbind($1_t)
+can_winbind($1_t)
 
 ifdef(`pamconsole.te', `
 allow $1_t pam_var_console_t:dir search;
@@ -321,13 +339,12 @@ allow $1_t mnt_t:dir { getattr search };
 
 # Get attributes of file systems.
 allow $1_t fs_type:filesystem getattr;
-allow $1_t removable_t:filesystem getattr;
 
 # Read and write /dev/tty and /dev/null.
 allow $1_t devtty_t:chr_file rw_file_perms;
 allow $1_t null_device_t:chr_file rw_file_perms;
 allow $1_t zero_device_t:chr_file { rw_file_perms execute };
-allow $1_t { random_device_t urandom_device_t }:chr_file { getattr read ioctl };
+allow $1_t { random_device_t urandom_device_t }:chr_file ra_file_perms;
 #
 # Added to allow reading of cdrom
 #
@@ -347,8 +364,11 @@ dontaudit $1_t wtmp_t:file write;
 # Read the devpts root directory.
 allow $1_t devpts_t:dir r_dir_perms;
 
-allow $1_t src_t:dir r_dir_perms;
-allow $1_t src_t:notdevfile_class_set r_file_perms;
+r_dir_file($1_t, src_t)
+
+# Allow user to read default_t files
+# This is different from reading default_t content, 
+# because it also includes sockets, fifos, and links
 
 if (read_default_t) {
 allow $1_t default_t:dir r_dir_perms;
@@ -368,8 +388,6 @@ dontaudit $1_t initrc_devpts_t:chr_file { ioctl read write };
 dontaudit $1_t self:socket create;
 dontaudit $1_t sysctl_net_t:dir search;
 
-dontaudit $1_t default_context_t:dir search;
-
 ifdef(`rpcd.te', `
 create_dir_file($1_t, nfsd_rw_t)
 ')
diff --git a/strict/macros/core_macros.te b/strict/macros/core_macros.te
index 37f2975..b744fe5 100644
--- a/strict/macros/core_macros.te
+++ b/strict/macros/core_macros.te
@@ -662,9 +662,9 @@ allow $1_t $2_devpts_t:chr_file { setattr rw_file_perms };
 #
 define(`general_domain_access',`
 # Access other processes in the same domain.
-# Omits ptrace, setcurrent, setexec, setfscreate, setrlimit, and execmem.  
+# Omits ptrace, setcurrent, setexec, setfscreate, setrlimit, execmem, execstack and execheap.
 # These must be granted separately if desired.
-allow $1 self:process ~{ptrace setcurrent setexec setfscreate setrlimit execmem};
+allow $1 self:process ~{ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap};
 
 # Access /proc/PID files for processes in the same domain.
 allow $1 self:dir r_dir_perms;
diff --git a/strict/macros/global_macros.te b/strict/macros/global_macros.te
index cfb47cd..b4cccc4 100644
--- a/strict/macros/global_macros.te
+++ b/strict/macros/global_macros.te
@@ -60,7 +60,7 @@ allow $1 self:file { getattr read write };
 # read_sysctl(domain)
 #
 # Permissions for reading sysctl variables.
-# If the second parameter is 'full', allow
+# If the second parameter is full, allow
 # reading of any sysctl variables, else only
 # sysctl_kernel_t.
 #
@@ -106,6 +106,7 @@ allow $1 ld_so_t:file rx_file_perms;
 allow $1 ld_so_t:lnk_file r_file_perms;
 allow $1 { texrel_shlib_t shlib_t }:file rx_file_perms;
 allow $1 { texrel_shlib_t shlib_t }:lnk_file r_file_perms;
+allow $1 texrel_shlib_t:file execmod;
 allow $1 ld_so_cache_t:file r_file_perms;
 allow $1 device_t:dir search;
 allow $1 null_device_t:chr_file rw_file_perms;
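Review bot: `allow $1 texrel_shlib_t:file execmod;` on L1307 gives text-relocation execmod to every domain that calls uses_shlib, unconditionally, whereas the same permission is gated by `allow_execmod` in unconfined_domain (L1628-L1635) and granted explicitly by legacy_domain (L1563) elsewhere in this commit; with this line the bool no longer controls anything for texrel_shlib_t and those explicit grants become redundant. If the intent is that text-relocated libraries work for all domains, say so in a comment above L1307; otherwise gate it as `if (allow_execmod) { allow $1 texrel_shlib_t:file execmod; }`, provided uses_shlib is never expanded inside another conditional block.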
@@ -156,7 +157,6 @@ allow $1 lib_t:file r_file_perms;
 r_dir_file($1, locale_t)
 ')
 
-
 ###################################
 #
 # access_terminal(domain, typeprefix)
@@ -253,7 +253,7 @@ allow $1_t self:process { signal_perms fork };
 uses_shlib($1_t)
 
 allow $1_t { self proc_t }:dir r_dir_perms;
-allow $1_t { self proc_t }:lnk_file read;
+allow $1_t { self proc_t }:lnk_file { getattr read };
 
 allow $1_t device_t:dir r_dir_perms;
 ifdef(`udev.te', `
@@ -293,6 +293,8 @@ domain_auto_trans(init_t, $1_exec_t, $1_t)
 # Define a daemon domain with a base set of type declarations
 # and permissions that are common to most daemons.
 # attribs is the list of attributes which must start with "," if it is not empty
+# nosysadm may be given as an optional third parameter, to specify that the
+# sysadmin should not transition to the domain when directly calling the executable
 #
 # Author:  Russell Coker <russell@coker.com.au>
 #
@@ -353,6 +355,14 @@ file_type_auto_trans($1_t, var_run_t, $1_var_run_t, $2)
 allow $1_t var_t:dir search;
 allow $1_t $1_var_run_t:dir rw_dir_perms;
 ')
+
+#######################
+# daemon_domain(domain_prefix, attribs)
+#
+# see daemon_base_domain for calling details
+# daemon_domain defines some additional privileges needed by many domains,
+# like pid files and locale support
+
 define(`daemon_domain', `
 ifdef(`targeted_policy', `
 daemon_base_domain($1, `$2, transitionbool', $3)
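Review bot: the new header on L1343 documents `daemon_domain(domain_prefix, attribs)` but the body forwards a third argument (`$3` on L1351, the `nosysadm` flag described for daemon_base_domain above); write it as `# daemon_domain(domain_prefix, attribs, [nosysadm])` so the header matches the call signature. The other macro headers in this file close the comment block with a `#` line before `define`; L1348 leaves a bare blank line instead.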
@@ -396,8 +406,19 @@ type $2_exec_t, file_type, sysadmfile, exec_type;
 
 role system_r types $2_t;
 
+ifelse(index(`$3',`transitionbool'), -1, `
+
 domain_auto_trans($1, $2_exec_t, $2_t)
 
+', `
+
+bool $2_disable_trans false;
+
+if (! $2_disable_trans) {
+domain_auto_trans($1, $2_exec_t, $2_t)
+}
+
+');
 # Inherit and use descriptors from parent.
 allow $2_t $1:fd use;
 allow $2_t $1:process sigchld;
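Review bot: `');` on L1368 leaves a literal `;` in the expansion after the ifelse closes, which is not a policy statement on its own and will likely be rejected by checkpolicy unless it tolerates empty statements — replace it with `')`. The new `bool $2_disable_trans false;` on L1362 also lacks the descriptive comment other bools in this tree carry, e.g. `# set to true to stop automatic transition into $2_t`. The enclosing macro definition starts before this hunk.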
@@ -422,16 +443,23 @@ ifelse($3, `',
 `file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `$3')')
 ')
 
+# grant access to /tmp. Do not perform an automatic transition.
+define(`tmp_domain_notrans', `
+type $1_tmp_t, file_type, sysadmfile, polymember, tmpfile $2;
+')
+
 define(`tmpfs_domain', `
+ifdef(`$1_tmpfs_t_defined',`', `
+define(`$1_tmpfs_t_defined')
 type $1_tmpfs_t, file_type, sysadmfile, tmpfsfile;
 # Use this type when creating tmpfs/shm objects.
 file_type_auto_trans($1_t, tmpfs_t, $1_tmpfs_t)
 allow $1_tmpfs_t tmpfs_t:filesystem associate;
 ')
+')
 
 define(`var_lib_domain', `
 type $1_var_lib_t, file_type, sysadmfile;
-typealias $1_var_lib_t alias var_lib_$1_t;
 file_type_auto_trans($1_t, var_lib_t, $1_var_lib_t, file)
 allow $1_t $1_var_lib_t:dir rw_dir_perms;
 ')
@@ -474,105 +502,6 @@ type $1_lock_t, file_type, sysadmfile, lockfile;
 file_type_auto_trans($1_t, var_lock_t, $1_lock_t, file)
 ')
 
-####################################################################
-# home_domain_ro_access(source, user, app) 
-# 
-# Gives source access to the read-only home
-# domain of app for the given user type
-#
-
-define(`home_domain_ro_access', `
-
-allow $1 home_root_t:dir search;
-
-if (use_nfs_home_dirs) {
-r_dir_file($1, nfs_t)
-}
-if (use_samba_home_dirs) {
-r_dir_file($1, cifs_t)
-}
-allow $1 autofs_t:dir { search getattr };
-
-r_dir_file($1, $2_$3_ro_home_t)
-
-') dnl home_domain_ro_access
-
-####################################################################
-# home_domain_access(source, user, app)
-#
-# Gives source full access to the home
-# domain of app for the given user type
-#
-
-define(`home_domain_access', `
-
-allow $1 home_root_t:dir search;
-
-if (use_nfs_home_dirs) {
-create_dir_file($1, nfs_t)
-}
-if (use_samba_home_dirs) {
-create_dir_file($1, cifs_t)
-}
-allow $1 autofs_t:dir { search getattr };
-
-file_type_auto_trans($1, $2_home_dir_t, $2_$3_home_t)
-
-') dnl home_domain_access
-
-####################################################################
-# home_domain (prefix, app)
-#
-# Creates a domain in the prefix home where an application can
-# store its settings. It's accessible by the prefix domain.
-#
-
-define(`home_domain', `
-
-# Declare home domain
-# FIXME: the second alias is problematic because
-# home_domain and home_domain_ro cannot be used in parallel
-# Remove the second alias when compatibility is no longer an issue
-
-type $1_$2_home_t, file_type, $1_file_type, sysadmfile;
-typealias $1_$2_home_t alias $1_$2_rw_t;
-typealias $1_$2_home_t alias $1_home_$2_t;
-
-# User side access
-create_dir_file($1_t, $1_$2_home_t)
-allow $1_t $1_$2_home_t:{ dir file lnk_file } { relabelfrom relabelto };
-
-# App side access
-home_domain_access($1_$2_t, $1, $2)
-')
-
-####################################################################
-# home_domain_ro (user, app)
-#
-# Creates a read-only domain in the user home where an application can
-# store its settings. It's fully accessible by the user, but
-# it's read-only for the application.
-#
-
-define(`home_domain_ro', `
-
-# Declare home domain
-# FIXME: the second alias is problematic because
-# home_domain and home_domain_ro cannot be used in parallel
-# Remove the second alias when compatibility is no longer an issue
-
-type $1_$2_ro_home_t, file_type, $1_file_type, sysadmfile;
-typealias $1_$2_ro_home_t alias $1_$2_ro_t;
-typealias $1_$2_ro_home_t alias $1_home_$2_t;
-
-# User side access
-create_dir_file($1_t, $1_$2_ro_home_t)
-allow $1_t $1_$2_ro_home_t:{ dir file lnk_file } { relabelfrom relabelto };
-
-# App side access
-home_domain_ro_access($1_$2_t, $1, $2)
-')
-
 #######################
 # application_domain(domain_prefix)
 #
@@ -589,12 +518,6 @@ domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
 uses_shlib($1_t)
 ')
 
-define(`user_application_domain', `
-application_domain($1, `$2')
-in_user_role($1_t)
-domain_auto_trans(userdomain, $1_exec_t, $1_t)
-')
-
 define(`system_domain', `
 type $1_t, domain, privlog $2;
 type $1_exec_t, file_type, sysadmfile, exec_type;
@@ -603,23 +526,25 @@ uses_shlib($1_t)
 allow $1_t etc_t:dir r_dir_perms;
 ')
 
-# Do not flood message log, if the user does a browse
-define(`file_browse_domain', `
+# Dontaudit macros to prevent flooding the log
 
-# Regular files/directories that are not security sensitive
+define(`dontaudit_getattr', `
 dontaudit $1 file_type - secure_file_type:dir_file_class_set getattr; 
-dontaudit $1 file_type - secure_file_type:dir { read search };
-
-# /dev
-dontaudit $1 dev_fs:dir_file_class_set getattr;
-dontaudit $1 dev_fs:dir { read search };
-
-# /proc
-dontaudit $1 sysctl_t:dir_file_class_set getattr;
-dontaudit $1 proc_fs:dir { read search };
-
-')dnl end file_browse_domain
-
+dontaudit $1 unlabeled_t:dir_file_class_set getattr;
+dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir_file_class_set getattr;
+')dnl end dontaudit_getattr 
+
+define(`dontaudit_search_dir', `
+dontaudit $1 file_type - secure_file_type:dir search;
+dontaudit $1 unlabeled_t:dir search;
+dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir search;
+')dnl end dontaudit_search_dir
+
+define(`dontaudit_read_dir', `
+dontaudit $1 file_type - secure_file_type:dir read;
+dontaudit $1 unlabeled_t:dir read;
+dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir read;
+')dnl end dontaudit_read_dir
 
 # Define legacy_domain  for legacy binaries (java)
 # "legacy" binary == lacks PT_GNU_STACK header, i.e. built with an old
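Review bot: `dontaudit $1 unlabeled_t:dir_file_class_set getattr;` (L1539) and the matching search/read lines (L1545, L1551) silence denials on unlabeled_t, which are usually the first visible symptom of a mislabeled or newly mounted filesystem; suppressing them for every caller of these macros lowers the operational value of the audit log. Consider leaving unlabeled_t out of the three macros or documenting why the noise outweighs the signal. Replacing `file_browse_domain` with three new macros also breaks any caller still using the old name unless they were updated, and L1526 and L1541 carry trailing whitespace.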
@@ -629,12 +554,46 @@ dontaudit $1 proc_fs:dir { read search };
 # shlib_t and ld_so_t unlike non-legacy binaries.
 
 define(`legacy_domain', `
-allow $1_t self:process { execmem };
+allow $1_t self:process { execmem execstack };
 allow $1_t { texrel_shlib_t shlib_t }:file execmod;
 allow $1_t ld_so_t:file execmod;
 allow $1_t ld_so_cache_t:file execute;
 ')
 
+
+# Allow domain to perform polyinstantiation functions
+# polyinstantiater(domain)
+
+define(`polyinstantiater', `
+
+ifdef(`support_polyinstantiation', `
+# Need to give access to /selinux/member
+allow $1 security_t:security compute_member;
+
+# Need to give access to the directories to be polyinstantiated
+allow $1 polydir:dir { getattr mounton add_name create setattr write search };
+
+# Need to give access to the polyinstantiated subdirectories
+allow $1 polymember:dir {getattr search };
+
+# Need to give access to parent directories where original
+# is remounted for polyinstantiation aware programs (like gdm)
+allow $1 polyparent:dir { getattr mounton };
+
+# Need to give permission to create directories where applicable
+allow $1 polymember: dir { create setattr };
+allow $1 polydir: dir { write add_name };
+allow $1 self:process setfscreate;
+allow $1 polyparent:dir { write add_name };
+# Default type for mountpoints
+allow $1 poly_t:dir { create mounton };
+
+# Need sys_admin capability for mounting
+allow $1 self:capability sys_admin;
+')dnl end else support_polyinstantiation
+
+')dnl end polyinstantiater
+
 # 
 # Define a domain that can do anything, so that it is
 # effectively unconfined by the SELinux policy.  This
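Review bot: the polyinstantiater macro repeats permissions: `polydir:dir { write add_name }` on L1590 is already contained in the L1579 rule, and `polymember: dir { create setattr }` on L1589 could be merged into L1582; L1589 and L1590 also put a space after the colon, unlike every other rule in the file. The closing comment on L1598, `')dnl end else support_polyinstantiation`, is misleading because the ifdef has no else branch — `')dnl end support_polyinstantiation` would be accurate. `sys_admin` on L1597 is the most powerful grant here; the comment would be stronger if it named which polyinstantiation step performs the mount.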
@@ -679,6 +638,7 @@ can_sysctl($1)
 allow $1 node_type:node *;
 allow $1 netif_type:netif *;
 allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg };
+allow $1 port_type:tcp_socket name_connect;
 
 # Bind to any network address.
 allow $1 port_type:{ tcp_socket udp_socket } name_bind;
@@ -698,13 +658,24 @@ allow $1 domain:process ~{ transition dyntransition execmem };
 allow $1 self:process transition;
 
 if (allow_execmem) {
-# Allow loading DSOs that require executable stack.
+# Allow making anonymous memory executable, e.g. 
+# for runtime-code generation or executable stack.
 allow $1 self:process execmem;
 }
 
+if (allow_execmem && allow_execstack) {
+# Allow making the stack executable via mprotect.
+allow $1 self:process execstack;
+}
+
 if (allow_execmod) {
 # Allow text relocations on system shared libraries, e.g. libGL.
+ifdef(`targeted_policy', `
+allow $1 file_type:file execmod;
+', `
 allow $1 texrel_shlib_t:file execmod;
+allow $1 home_type:file execmod;
+')
 }
 
 # Create/access any System V IPC objects.
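Review bot: in the strict branch `allow $1 home_type:file execmod;` on L1634 extends allow_execmod from system text-relocated libraries to files the user can write, a different trust level than the comment on L1629 ("system shared libraries, e.g. libGL") describes. Add a comment on L1634 stating the use case, e.g. `# text relocations in user-installed libraries under home directories`, so the widening is deliberate and visible.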
@@ -737,3 +708,22 @@ allow $1 nscd_t:nscd *;
 ')
 
 ')dnl end unconfined_domain
+
+
+define(`access_removable_media', `
+
+can_exec($1, { removable_t noexattrfile } )
+if (user_rw_noexattrfile) {
+create_dir_file($1, noexattrfile)
+create_dir_file($1, removable_t)
+# Write floppies 
+allow $1 removable_device_t:blk_file rw_file_perms;
+allow $1 usbtty_device_t:chr_file write;
+} else {
+r_dir_file($1, noexattrfile)
+r_dir_file($1, removable_t)
+allow $1 removable_device_t:blk_file r_file_perms;
+}
+allow $1 removable_t:filesystem getattr;
+
+')
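Review bot: `access_removable_media` lacks the header block the other macros in this file carry (name, parameters, purpose), and `can_exec($1, { removable_t noexattrfile })` on L1647 is granted regardless of `user_rw_noexattrfile`, so executing binaries from removable or non-xattr media is always allowed to callers. If that is intended, a header such as `# access_removable_media(domain)` followed by a note that execute access is unconditional would make the trade-off explicit. The bool `user_rw_noexattrfile` is not declared in this hunk and must exist elsewhere.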
diff --git a/strict/macros/network_macros.te b/strict/macros/network_macros.te
index bf6761f..d5eaca1 100644
--- a/strict/macros/network_macros.te
+++ b/strict/macros/network_macros.te
@@ -155,14 +155,23 @@ allow $1 mount_t:udp_socket rw_socket_perms;
 ')dnl end can_network definition
 
 define(`can_resolve',`
-ifdef(`use_dns',`
 can_network_udp($1, `dns_port_t')
 ')
+
+define(`can_portmap',`
+can_network_client($1, `portmap_port_t')
+allow $1 portmap_port_t:tcp_socket name_connect;
 ')
 
 define(`can_ldap',`
-ifdef(`slapd.te',`
 can_network_client_tcp($1, `ldap_port_t')
-')
+allow $1 ldap_port_t:tcp_socket name_connect;
 ')
 
+define(`can_winbind',`
+ifdef(`winbind.te', `
+allow $1 winbind_var_run_t:dir { getattr search };
+allow $1 winbind_t:unix_stream_socket connectto;
+allow $1 winbind_var_run_t:sock_file { getattr read write };
+')
+')
diff --git a/strict/macros/program/games_domain.te b/strict/macros/program/games_domain.te
index 9816896..d4c1d05 100644
--- a/strict/macros/program/games_domain.te
+++ b/strict/macros/program/games_domain.te
@@ -10,49 +10,80 @@
 #
 #
 define(`games_domain', `
-x_client_domain($1, `games', `, transitionbool')
 
+type $1_games_t, domain, nscd_client_domain;
+
+# Type transition
+if (! disable_games_trans) {
+domain_auto_trans($1_t, games_exec_t, $1_games_t)
+}
+can_exec($1_games_t, games_exec_t)
+role $1_r types $1_games_t;
+
+can_create_pty($1_games)
+
+# X access, GNOME, /tmp files
+x_client_domain($1_games, $1)
+tmp_domain($1_games, `', { dir notdevfile_class_set })
+gnome_application($1_games, $1)
+gnome_file_dialog($1_games, $1)
+
+# Games seem to need this
+if (allow_execmem) {
+allow $1_games_t self:process execmem;
+}
+
+allow $1_games_t texrel_shlib_t:file execmod;
 allow $1_games_t var_t:dir { search getattr };
 rw_dir_create_file($1_games_t, games_data_t)
 allow $1_games_t sound_device_t:chr_file rw_file_perms;
-r_dir_file($1_games_t, usr_t)
 can_udp_send($1_games_t, $1_games_t)
 can_tcp_connect($1_games_t, $1_games_t)
 
 # Access /home/user/.gnome2
-create_dir_file($1_games_t, $1_home_t)
-allow $1_games_t $1_home_dir_t:dir search;
-allow $1_games_t $1_home_t:dir { read getattr };
+# FIXME: Change to use per app types
+create_dir_file($1_games_t, $1_gnome_settings_t)
 
+# FIXME: why is this necessary - ORBit?
+# ORBit works differently now
 create_dir_file($1_games_t, $1_tmp_t)
 allow $1_games_t $1_tmp_t:sock_file create_file_perms;
+can_unix_connect($1_t, $1_games_t)
+can_unix_connect($1_games_t, $1_t)
 
-dontaudit $1_games_t sysctl_t:dir search;
-
-tmp_domain($1_games)
-allow $1_games_t urandom_device_t:chr_file { getattr ioctl read };
 ifdef(`xdm.te', `
 allow $1_games_t xdm_tmp_t:dir rw_dir_perms;
 allow $1_games_t xdm_tmp_t:sock_file create_file_perms;
 allow $1_games_t xdm_var_lib_t:file { getattr read };
 ')dnl end if xdm.te
 
-can_unix_connect($1_t, $1_games_t)
-can_unix_connect($1_games_t, $1_t)
-
 allow $1_games_t var_lib_t:dir search;
 r_dir_file($1_games_t, man_t)
-allow $1_games_t proc_t:file { read getattr };
+allow $1_games_t { proc_t self }:dir search;
+allow $1_games_t { proc_t self }:{ file lnk_file } { read getattr };
 ifdef(`mozilla.te', ` 
 dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto;
 ')
 allow $1_games_t event_device_t:chr_file getattr;
 allow $1_games_t mouse_device_t:chr_file getattr;
+
 allow $1_games_t self:file { getattr read };
+allow $1_games_t self:sem create_sem_perms;
+
+allow $1_games_t { bin_t sbin_t }:dir { getattr search };
+can_exec($1_games_t, { shell_exec_t bin_t utempter_exec_t })
+allow $1_games_t bin_t:lnk_file read;
 
-# kpat spews errors
-dontaudit $1_games_t bin_t:dir getattr;
 dontaudit $1_games_t var_run_t:dir search;
+dontaudit $1_games_t initrc_var_run_t:file { read write };
+dontaudit $1_games_t var_log_t:dir search;
+
+can_network($1_games_t)
+allow $1_games_t port_t:tcp_socket name_bind;
+allow $1_games_t port_t:tcp_socket name_connect;
+
+# Suppress .icons denial until properly implemented
+dontaudit $1_games_t $1_home_t:dir read;
 
 ')dnl end macro definition
 
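Review bot: `if (! disable_games_trans)` on L1706 references a bool that is not declared in this macro and whose name differs from what the removed `transitionbool` argument would presumably have produced (`games_disable_trans`, if x_client_domain follows the `$2_disable_trans` pattern in global_macros.te); make sure it is declared exactly once in games.te or the expansion fails. `allow $1_games_t texrel_shlib_t:file execmod;` on L1725 is ungated by allow_execmod, unlike the gated execmem directly above it, and is redundant once uses_shlib grants it to every domain (global_macros.te, L1307). The macro's header lies before this hunk.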
diff --git a/strict/macros/program/gift_macros.te b/strict/macros/program/gift_macros.te
index 3589c05..c75a061 100644
--- a/strict/macros/program/gift_macros.te
+++ b/strict/macros/program/gift_macros.te
@@ -12,49 +12,34 @@
 
 define(`gift_domain', `
 
-# Connect to X
-x_client_domain($1, gift, `')	
-
-# Transition
+# Type transition
+type $1_gift_t, domain, nscd_client_domain;
 domain_auto_trans($1_t, gift_exec_t, $1_gift_t)
-can_exec($1_gift_t, gift_exec_t)
 role $1_r types $1_gift_t;
 
-# Self permissions
-allow $1_gift_t self:process getsched;
-
-# Home files
+# X access, Home files, GNOME, /tmp
+x_client_domain($1_gift, $1)
+gnome_application($1_gift, $1)
 home_domain($1, gift)
+file_type_auto_trans($1_gift_t, $1_home_dir_t, $1_gift_home_t, dir)
 
-# Fonts, icons
-r_dir_file($1_gift_t, usr_t)
-r_dir_file($1_gift_t, fonts_t)
+# Allow the user domain to signal/ps.
+can_ps($1_t, $1_gift_t)
+allow $1_t $1_gift_t:process signal_perms;
 
 # Launch gift daemon
-allow $1_gift_t self:process fork;
+allow $1_gift_t bin_t:dir search;
 domain_auto_trans($1_gift_t, giftd_exec_t, $1_giftd_t)
 
 # Connect to gift daemon
-can_network($1_gift_t)
+can_network_client_tcp($1_gift_t, giftd_port_t)
+allow $1_gift_t giftd_port_t:tcp_socket name_connect;
 
 # Read /proc/meminfo
 allow $1_gift_t proc_t:dir search;
 allow $1_gift_t proc_t:file { getattr read };
 
-# Tmp/ORBit
-tmp_domain($1_gift)
-file_type_auto_trans($1_gift_t, $1_tmp_t, $1_gift_tmp_t)
-can_unix_connect($1_t, $1_gift_t)
-can_unix_connect($1_gift_t, $1_t)
-allow $1_t $1_gift_tmp_t:sock_file write;
-allow $1_gift_t $1_tmp_t:file { getattr read write lock };
-allow $1_gift_t $1_tmp_t:sock_file { read write };
-dontaudit $1_gift_t $1_tmp_t:dir setattr;
-
-# Access random device
-allow $1_gift_t urandom_device_t:chr_file { read getattr ioctl };
-
-# giftui looks in .icons, .themes, .fonts-cache.
+# giftui looks in .icons, .themes.
 dontaudit $1_gift_t $1_home_t:dir { getattr read search };
 dontaudit $1_gift_t $1_home_t:file { getattr read };
 
@@ -79,26 +64,34 @@ allow $1_giftd_t self:unix_stream_socket create_socket_perms;
 read_sysctl($1_giftd_t)
 read_locale($1_giftd_t)
 uses_shlib($1_giftd_t)
+access_terminal($1_giftd_t, $1)
+
+# Read /proc/meminfo
+allow $1_giftd_t proc_t:dir search;
+allow $1_giftd_t proc_t:file { getattr read };
+
+# Read /etc/mtab
+allow $1_giftd_t etc_runtime_t:file { getattr read };
 
 # Access home domain
 home_domain_access($1_giftd_t, $1, gift)
-	
-# Allow networking
-allow $1_giftd_t port_t:tcp_socket name_bind;
-allow $1_giftd_t port_t:udp_socket name_bind;
+file_type_auto_trans($1_gift_t, $1_home_dir_t, $1_gift_home_t, dir)
+
+# Serve content on various p2p networks. Ports can be random.
 can_network_server($1_giftd_t)
-can_network_client($1_giftd_t)
+allow $1_giftd_t self:udp_socket listen;
+allow $1_giftd_t port_type:{ tcp_socket udp_socket } name_bind;
 
-# FIXME: ???
-dontaudit $1_giftd_t self:udp_socket listen;
+# Connect to various p2p networks. Ports can be random.
+can_network_client($1_giftd_t)
+allow $1_giftd_t port_type:tcp_socket name_connect;
 
 # Plugins
 r_dir_file($1_giftd_t, usr_t)
 
 # Connect to xdm
 ifdef(`xdm.te', `
-allow $1_giftd_t xdm_t:fd use;
-allow $1_giftd_t xdm_t:fifo_file write;
+can_pipe_xdm($1_giftd_t)
 ') 
 
 ') dnl giftd_domain
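Review bot: The `file_type_auto_trans($1_gift_t, $1_home_dir_t, $1_gift_home_t, dir)` added under "Access home domain" names `$1_gift_t` as the subject, yet this is the giftd_domain macro and the same rule already exists in gift_domain, so it looks like a copy-paste slip; if the daemon is meant to create its own home directory the line should read `file_type_auto_trans($1_giftd_t, $1_home_dir_t, $1_gift_home_t, dir)`, otherwise it can be dropped. Separately, `allow $1_giftd_t port_type:{ tcp_socket udp_socket } name_bind;` and `allow $1_giftd_t port_type:tcp_socket name_connect;` widen the daemon from `port_t` to every port type, including reserved and named ports belonging to other services, which the "ports can be random" comment does not require since random ports fall under `port_t`. The ypbind macro in this same patch shows the narrower pattern: allow `port_t` and `dontaudit reserved_port_type` for name_bind, and limit name_connect likewise. Also `allow $1_giftd_t self:udp_socket listen;` replaces a dontaudit that carried a FIXME; a comment stating why a UDP listen is actually needed would help the next reader.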
diff --git a/strict/macros/program/userhelper_macros.te b/strict/macros/program/userhelper_macros.te
index 109b973..2c715d3 100644
--- a/strict/macros/program/userhelper_macros.te
+++ b/strict/macros/program/userhelper_macros.te
@@ -76,8 +76,7 @@ allow $1_userhelper_t devpts_t:dir r_dir_perms;
 allow $1_userhelper_t etc_t:file r_file_perms;
 
 # Read /var.
-allow $1_userhelper_t var_t:dir r_dir_perms;
-allow $1_userhelper_t var_t:notdevfile_class_set r_file_perms;
+r_dir_file($1_userhelper_t, var_t)
 
 # Read /dev directories and any symbolic links.
 allow $1_userhelper_t device_t:dir r_dir_perms;
@@ -97,7 +96,7 @@ can_getsecurity($1_userhelper_t)
 allow $1_userhelper_t fs_t:filesystem getattr;
 
 # for some PAM modules and for cwd
-dontaudit $1_userhelper_t { home_root_t home_type }:dir search;
+allow $1_userhelper_t { home_root_t $1_home_dir_t }:dir search;
 
 allow $1_userhelper_t proc_t:dir search;
 allow $1_userhelper_t proc_t:file { getattr read };
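Review bot: Replacing `dontaudit $1_userhelper_t { home_root_t home_type }:dir search;` with an allow on `{ home_root_t $1_home_dir_t }` drops the silence for every other home type, so the "for cwd" case the comment describes will now log denials whenever the user's cwd is in a home directory not labelled `$1_home_dir_t`. If the tighter allow is intended, keep the noise down with `dontaudit $1_userhelper_t home_type:dir search;` alongside it, or update the comment to say only the user's own home is permitted.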
@@ -120,8 +119,7 @@ role system_r types $1_userhelper_t;
 r_dir_file($1_userhelper_t, nfs_t)
 
 ifdef(`xdm.te', `
-allow $1_userhelper_t xdm_t:fd use;
-allow $1_userhelper_t xdm_t:fifo_file rw_file_perms;
+can_pipe_xdm($1_userhelper_t)
 allow $1_userhelper_t xdm_var_run_t:dir search;
 ')
 
diff --git a/strict/macros/program/ypbind_macros.te b/strict/macros/program/ypbind_macros.te
index 2157995..61db7cc 100644
--- a/strict/macros/program/ypbind_macros.te
+++ b/strict/macros/program/ypbind_macros.te
@@ -1,10 +1,12 @@
 
 define(`uncond_can_ypbind', `
-dontaudit $1 reserved_port_type:{ tcp_socket udp_socket } name_bind;
 can_network($1)
 r_dir_file($1,var_yp_t)
 allow $1 { reserved_port_t port_t }:{ tcp_socket udp_socket } name_bind;
+allow $1 { portmap_port_t reserved_port_t port_t }:tcp_socket name_connect;
 dontaudit $1 self:capability net_bind_service;
+dontaudit $1 reserved_port_type:tcp_socket name_connect;
+dontaudit $1 reserved_port_type:{ tcp_socket udp_socket } name_bind;
 ')
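Review bot: The new `allow $1 { portmap_port_t reserved_port_t port_t }:tcp_socket name_connect;` grants outbound connects to essentially every port, with no comment explaining why, and the dontaudit on `reserved_port_type` name_connect that follows it only matters for the reserved port types not already allowed. A one-line why-comment would keep this from being tightened by the next reviewer: `# ypbind contacts portmap, then ypserv, which may listen on any reserved or unreserved port`. If ypserv is in practice only reachable on reserved ports, `port_t` could be dropped from the connect list.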
 
 define(`can_ypbind', `
diff --git a/strict/tunables/distro.tun b/strict/tunables/distro.tun
index 00b6eca..2d49189 100644
--- a/strict/tunables/distro.tun
+++ b/strict/tunables/distro.tun
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-define(`distro_redhat')
+dnl define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --git a/strict/tunables/tunable.tun b/strict/tunables/tunable.tun
index bd8b797..a6cc2f4 100644
--- a/strict/tunables/tunable.tun
+++ b/strict/tunables/tunable.tun
@@ -1,27 +1,27 @@
-# Allow users to execute the mount command
-define(`user_can_mount')
-
 # Allow rpm to run unconfined.
-#define(`unlimitedRPM')
+dnl define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-#define(`unlimitedUtils')
+dnl define(`unlimitedUtils')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-#define(`unlimitedRC')
+dnl define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
+# Do not allow sysadm_t to be in the security manager domain
+dnl define(`separate_secadm')
+
 # Do not audit things that we know to be broken but which
 # are not security risks
-define(`hide_broken_symptoms')
+dnl define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-define(`user_canbe_sysadm')
+dnl define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
@@ -29,3 +29,6 @@ dnl define(`unlimitedInetd')
 
 # for ndc_t to be used for restart shell scripts
 dnl define(`ndc_shell_script')
+
+# Enable Polyinstantiation support
+dnl define(`support_polyinstatiation')
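Review bot: The tunable name `support_polyinstatiation` is misspelled (the comment above it says "Polyinstantiation"), so an `ifdef` guard spelled correctly elsewhere in the policy will never see it when someone uncomments this line; it should read `dnl define(`support_polyinstantiation')`. Since m4 compares macro names byte-for-byte, the typo silently disables the feature rather than producing an error.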
diff --git a/strict/types/nfs.te b/strict/types/nfs.te
index 154a65b..9076bb8 100644
--- a/strict/types/nfs.te
+++ b/strict/types/nfs.te
@@ -13,7 +13,7 @@
 # The nfs_*_t types are used for specific NFS
 # servers in net_contexts or net_contexts.mls.
 #
-type nfs_t, fs_type;
+type nfs_t, mount_point, fs_type;
 
 #
 # Allow NFS files to be associated with an NFS file system.
diff --git a/strict/types/procfs.te b/strict/types/procfs.te
index 0cab0fa..20703ac 100644
--- a/strict/types/procfs.te
+++ b/strict/types/procfs.te
@@ -14,7 +14,7 @@
 # proc_mdstat_t is the type of /proc/mdstat.
 # proc_net_t is the type of /proc/net.
 #
-type proc_t, fs_type, proc_fs;
+type proc_t, fs_type, mount_point, proc_fs;
 type proc_kmsg_t, proc_fs;
 type proc_kcore_t, proc_fs;
 type proc_mdstat_t, proc_fs;
@@ -35,7 +35,7 @@ type proc_net_t, proc_fs;
 # These types are applied to both the entries in
 # /proc/sys and the corresponding sysctl parameters.
 #
-type sysctl_t, sysctl_type;
+type sysctl_t, mount_point, sysctl_type;
 type sysctl_fs_t, sysctl_type;
 type sysctl_kernel_t, sysctl_type;
 type sysctl_modprobe_t, sysctl_type;