diff --git a/Changelog b/Changelog
index 67a18ef..dc1eebf 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,6 @@
+- Move booleans and tunables to modules when it is only used in a single
+  module.
+- Add support for tunables and booleans local to a module.
 - Merge sbin_t and ls_exec_t into bin_t.
 - Remove disable_trans booleans.
 - Output different header sets for kernel and userland from flask headers.
diff --git a/Makefile b/Makefile
index 640b7c4..fa67f45 100644
--- a/Makefile
+++ b/Makefile
@@ -108,7 +108,7 @@ genhomedircon := $(PYTHON) -E $(support)/genhomedircon
 # documentation paths
 docs := doc
 xmldtd = $(docs)/policy.dtd
-layerxml = metadata.xml
+metaxml = metadata.xml
 doctemplate = $(docs)/templates
 docfiles = $(docs)/Makefile.example $(addprefix $(docs)/,example.te example.if example.fc)
 
@@ -254,6 +254,10 @@ generated_fc := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.fc.in
 # when a generated file is already generated
 detected_mods := $(sort $(foreach dir,$(all_layers),$(wildcard $(dir)/*.te)) $(generated_te))
 
+modxml := $(detected_mods:.te=.xml)
+layerxml := $(addprefix $(tmpdir)/, $(notdir $(addsuffix .xml,$(all_layers))))
+all_metaxml := $(addsuffix /$(metaxml), $(all_layers))
+
 # modules.conf setting for base module
 configbase := base
 
@@ -408,23 +412,36 @@ $(fcsort) : $(support)/fc_sort.c
 # Documentation generation
 #
 
-# minimal dependencies here, because we don't want to rebuild 
-# this and its dependents every time the dependencies
-# change.  Also use all .if files here, rather then just the
-# enabled modules.
-xml: $(polxml)
-$(polxml): $(detected_mods:.te=.if) $(foreach dir,$(all_layers),$(dir)/$(layerxml))
+$(modxml): %.xml: %.if %.te
+	$(verbose) $(genxml) -w -m $* > $@
+
+$(layerxml): %.xml: $(modxml) $(all_metaxml)
+	@test -d $(tmpdir) || mkdir -p $(tmpdir)
+	$(verbose) echo '<layer name="$(*F)">' > $@
+	$(verbose) cat $(addprefix $(moddir)/, $(notdir $*))/$(metaxml) >> $@
+	$(verbose) cat $(filter-out $(addprefix $(moddir)/, $(notdir $*))/$(metaxml), $(filter $(addprefix $(moddir)/, $(notdir $*))/%, $(modxml))) >> $@
+	$(verbose) echo '</layer>' >> $@
+
+$(tunxml): $(globaltun)
+	$(verbose) $(genxml) -w -t $< > $@
+
+$(boolxml): $(globalbool)
+	$(verbose) $(genxml) -w -b $< > $@
+
+$(polxml): $(layerxml) $(tunxml) $(boolxml)
 	@echo "Creating $(@F)"
 	@test -d $(dir $(polxml)) || mkdir -p $(dir $(polxml))
 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
 	$(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
 	$(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(xmldtd))">' >> $@
-	$(verbose) $(genxml) -w -m $(layerxml) -t $(globaltun) -b $(globalbool) -o $(docs) $(all_layers) >> $@
+	$(verbose) echo '<policy>' >> $@
+	$(verbose) cat $(layerxml) $(tunxml) $(boolxml) >> $@
+	$(verbose) echo '</policy>' >> $@
 	$(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
 		$(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
 	fi
 
-$(tunxml) $(boolxml): $(polxml)
+xml: $(polxml)
 
 html $(tmpdir)/html: $(polxml)
 	@echo "Building html interface reference documentation in $(htmldir)"
@@ -517,7 +534,7 @@ $(contextpath)/users/%: $(appconf)/%_default_contexts
 #
 # Install policy headers
 #
-install-headers: $(tunxml) $(boolxml)
+install-headers: $(layerxml) $(tunxml) $(boolxml)
 	@mkdir -p $(headerdir)
 	@echo "Installing $(TYPE) policy headers."
 	$(verbose) $(INSTALL) -m 644 $(tunxml) $(boolxml) $(headerdir)
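Review bot: `$(layerxml)` is only a proxy prerequisite here: nothing in this recipe installs the layer files from `$(tmpdir)`, and what the install actually consumes is the per-module `.xml` that `$(layerxml)` happens to build first and that the `*.xml` glob in the next hunk picks up. Unless the lines between the two hunks install the layer xml, declare the real input so the dependency is visible: `install-headers: $(modxml) $(tunxml) $(boolxml)`.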
@@ -528,7 +545,7 @@ install-headers: $(tunxml) $(boolxml)
 	$(verbose) for i in $(notdir $(all_layers)); do \
 		mkdir -p $(headerdir)/$$i ;\
 		$(INSTALL) -m 644 $(moddir)/$$i/*.if \
-			$(moddir)/$$i/metadata.xml \
+			$(moddir)/$$i/*.xml \
 			$(headerdir)/$$i ;\
 	done
 	$(verbose) echo "TYPE ?= $(TYPE)" > $(headerdir)/build.conf
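Review bot: `$(moddir)/$$i/*.xml` installs whatever .xml files happen to sit in each layer directory, so a generated module .xml left behind by a module that is no longer in `detected_mods` (or any stray file) is installed into the headers as well. Since `$$i` is a shell variable the Make list cannot be filtered inside this loop; moving the iteration into `$(foreach layer,$(all_layers),…)` lets the recipe install exactly `$(filter $(layer)/%,$(modxml))` plus `$(metaxml)`, assuming the elements of `$(all_layers)` are the `$(moddir)/<name>` paths the rest of the file treats them as.
```make
	$(verbose) $(foreach layer,$(all_layers), \
		mkdir -p $(headerdir)/$(notdir $(layer)) && \
		$(INSTALL) -m 644 $(wildcard $(layer)/*.if) $(layer)/$(metaxml) \
			$(filter $(layer)/%,$(modxml)) $(headerdir)/$(notdir $(layer)) &&) true
	# … unchanged: build.conf generation …
```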
@@ -620,6 +637,8 @@ resetlabels:
 #
 bare: clean
 	rm -f $(polxml)
+	rm -f $(layerxml)
+	rm -f $(modxml)
 	rm -f $(tunxml)
 	rm -f $(boolxml)
 	rm -f $(mod_conf)
diff --git a/doc/policy.dtd b/doc/policy.dtd
index dddae6a..e6a4182 100644
--- a/doc/policy.dtd
+++ b/doc/policy.dtd
@@ -4,7 +4,7 @@
 <!ELEMENT layer (summary,module+)>
 <!ATTLIST layer
       name CDATA #REQUIRED>
-<!ELEMENT module (summary,desc?,required?,(interface|template)*)>
+<!ELEMENT module (summary,desc?,required?,(interface|template)*,(bool|tunable)*)>
 <!ATTLIST module 
       name CDATA #REQUIRED
       filename CDATA #REQUIRED>
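Review bot: The new content model references `bool` and `tunable`, but their `<!ELEMENT>` declarations are not in this hunk; if they are not declared further down in policy.dtd, the first generated policy.xml that contains a module boolean will fail the `$(XMLLINT) --dtdvalid` step in the Makefile with "No declaration for element". The placement of `(bool|tunable)*` after `(interface|template)*` also fixes the order genxml must emit them in, which deserves a note in the DTD such as `<!-- booleans and tunables must follow the interface/template list -->`.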
diff --git a/doc/templates/bool_list.html b/doc/templates/bool_list.html
new file mode 100644
index 0000000..2d852da
--- /dev/null
+++ b/doc/templates/bool_list.html
@@ -0,0 +1,23 @@
+<h3>Master boolean index:</h3>
+
+[[for bool in booleans]]
+<div id="interfacesmall">
+[[if bool.has_key('mod_layer')]]
+Module: <a href='[[bool['mod_layer']+ "_" + bool['mod_name'] + ".html#link_" + bool['bool_name']]]'>
+[[bool['mod_name']]]</a><p/>
+Layer: <a href='[[bool['mod_layer']]].html'>
+[[bool['mod_layer']]]</a><p/>
+[[else]]
+Global
+[[end]]
+<div id="codeblock">
+[[bool['bool_name']]]
+<small>(Default: [[bool['def_val']]])</small>
+</div>
+[[if bool['desc']]]
+<div id="description">
+[[bool['desc']]]
+</div>
+[[end]]
+</div>
+[[end]]
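Review bot: `[[for bool in booleans]]` uses `bool` as the loop variable, which shadows Python's builtin inside the generated template code if the engine compiles `[[…]]` to Python (the `has_key` call suggests it does); `[[for b in booleans]]` avoids the surprise. The file also tests `bool.has_key('mod_layer')` for one key but indexes `bool['desc']` directly for another, so a record without a `desc` key raises instead of rendering nothing — either the generator guarantees the key (then the `has_key` style is the odd one) or both should use the same guard. tun_list.html and tunable.html in this commit are line-for-line copies with only the key names changed; a single template taking the item key prefix would keep the two indexes from drifting apart.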
diff --git a/doc/templates/boolean.html b/doc/templates/boolean.html
new file mode 100644
index 0000000..ea5a260
--- /dev/null
+++ b/doc/templates/boolean.html
@@ -0,0 +1,13 @@
+[[for bool in booleans]]
+<a name="link_[[bool['bool_name']]]"></a>
+<div id="interface">
+<div id="codeblock">[[bool['bool_name']]]</div>
+<div id="description">
+<h5>Default value</h5>
+<p>[[bool['def_val']]]</p>
+[[if bool['desc']]]
+<h5>Description</h5>
+[[bool['desc']]]
+[[end]]
+</div></div>
+[[end]]
diff --git a/doc/templates/menu.html b/doc/templates/menu.html
index 6d2cce3..9472b2c 100644
--- a/doc/templates/menu.html
+++ b/doc/templates/menu.html
@@ -16,6 +16,10 @@
 	<p/><br/><p/>
 	<a href="index.html">*&nbsp;Layer Index</a>
 	<br/><p/>
+	<a href="booleans.html">*&nbsp;Boolean&nbsp;Index</a>
+	<br/><p/>
+	<a href="tunables.html">*&nbsp;Tunable&nbsp;Index</a>
+	<br/><p/>
 	<a href="interfaces.html">*&nbsp;Interface&nbsp;Index</a>
 	<br/><p/>
 	<a href="templates.html">*&nbsp;Template&nbsp;Index</a>
diff --git a/doc/templates/module.html b/doc/templates/module.html
index 71341fe..a8d008a 100644
--- a/doc/templates/module.html
+++ b/doc/templates/module.html
@@ -1,8 +1,16 @@
 <a name="top":></a>
 <h1>Layer: [[mod_layer]]</h1><p/>
 <h2>Module: [[mod_name]]</h2><p/>
-[[if interfaces and templates]]
+[[if booleans]]
+<a href=#booleans>Booleans</a>
+[[end]]
+[[if tunables]]
+<a href=#tunables>Tunables</a>
+[[end]]
+[[if interfaces]]
 <a href=#interfaces>Interfaces</a>
+[[end]]
+[[if templates]]
 <a href=#templates>Templates</a>
 [[end]]
 <h3>Description:</h3>
@@ -14,6 +22,19 @@
 [[if mod_req]]
 <p>This module is required to be included in all policies.</p>
 [[end]]
+<hr>
+[[if booleans]]
+<a name="booleans"></a>
+<h3>Booleans: </h3>
+[[booleans]]
+<a href=#top>Return</a>
+[[end]]
+[[if tunables]]
+<a name="tunables"></a>
+<h3>Tunables: </h3>
+[[tunables]]
+<a href=#top>Return</a>
+[[end]]
 [[if interfaces]]
 <a name="interfaces"></a>
 <h3>Interfaces: </h3>
@@ -26,6 +47,6 @@
 [[templates]]
 <a href=#top>Return</a>
 [[end]]
-[[if not templates and not interfaces]]
-<h3>No interfaces or templates.</h3>
+[[if not templates and not interfaces and not tunables]]
+<h3>No booleans, tunables, interfaces, or templates.</h3>
 [[end]]
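Review bot: The fallback condition on the first changed line omits `booleans` although the heading it guards now says "No booleans, tunables, interfaces, or templates", so a module that declares only booleans renders its Booleans section and then this heading as well. The test should be `[[if not templates and not interfaces and not tunables and not booleans]]`.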
diff --git a/doc/templates/tun_list.html b/doc/templates/tun_list.html
new file mode 100644
index 0000000..278f284
--- /dev/null
+++ b/doc/templates/tun_list.html
@@ -0,0 +1,23 @@
+<h3>Master tunable index:</h3>
+
+[[for tun in tunables]]
+<div id="interfacesmall">
+[[if tun.has_key('mod_layer')]]
+Module: <a href='[[tun['mod_layer']+ "_" + tun['mod_name'] + ".html#link_" + tun['tun_name']]]'>
+[[tun['mod_name']]]</a><p/>
+Layer: <a href='[[tun['mod_layer']]].html'>
+[[tun['mod_layer']]]</a><p/>
+[[else]]
+Global
+[[end]]
+<div id="codeblock">
+[[tun['tun_name']]]
+<small>(Default: [[tun['def_val']]])</small>
+</div>
+[[if tun['desc']]]
+<div id="description">
+[[tun['desc']]]
+</div>
+[[end]]
+</div>
+[[end]]
diff --git a/doc/templates/tunable.html b/doc/templates/tunable.html
new file mode 100644
index 0000000..9316779
--- /dev/null
+++ b/doc/templates/tunable.html
@@ -0,0 +1,13 @@
+[[for tun in tunables]]
+<a name="link_[[tun['tun_name']]]"></a>
+<div id="interface">
+<div id="codeblock">[[tun['tun_name']]]</div>
+<div id="description">
+<h5>Default value</h5>
+<p>[[tun['def_val']]]</p>
+[[if tun['desc']]]
+<h5>Description</h5>
+[[tun['desc']]]
+[[end]]
+</div></div>
+[[end]]
diff --git a/policy/global_tunables b/policy/global_tunables
index 05b19ff..9a44314 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -11,22 +11,6 @@
 
 ## <desc>
 ## <p>
-## Allow cvs daemon to read shadow
-## </p>
-## </desc>
-#
-gen_tunable(allow_cvs_read_shadow,false)
-
-## <desc>
-## <p>
-## Allow zebra daemon to write it configuration files
-## </p>
-## </desc>
-#
-gen_tunable(allow_zebra_write_config,false)
-
-## <desc>
-## <p>
 ## Allow making the heap executable.
 ## </p>
 ## </desc>
@@ -58,82 +42,6 @@ gen_tunable(allow_execstack,false)
 
 ## <desc>
 ## <p>
-## Allow ftp servers to modify public files
-## used for public file transfer services.
-## </p>
-## </desc>
-gen_tunable(allow_ftpd_anon_write,false)
-
-## <desc>
-## <p>
-## Allow ftp servers to login to local users and 
-## read/write all files on the system, governed by DAC.
-## </p>
-## </desc>
-gen_tunable(allow_ftpd_full_access,false)
-
-## <desc>
-## <p>
-## Allow ftp servers to use cifs
-## used for public file transfer services.
-## </p>
-## </desc>
-gen_tunable(allow_ftpd_use_cifs,false)
-
-## <desc>
-## <p>
-## Allow ftp servers to use nfs
-## used for public file transfer services.
-## </p>
-## </desc>
-gen_tunable(allow_ftpd_use_nfs,false)
-
-## <desc>
-## <p>
-## Allow gssd to read temp directory.
-## </p>
-## </desc>
-gen_tunable(allow_gssd_read_tmp,true)
-
-## <desc>
-## <p>
-## Allow Apache to modify public files
-## used for public file transfer services.
-## </p>
-## </desc>
-gen_tunable(allow_httpd_anon_write,false)
-
-## <desc>
-## <p>
-## Allow Apache to use mod_auth_pam
-## </p>
-## </desc>
-gen_tunable(allow_httpd_mod_auth_pam,false)
-
-## <desc>
-## <p>
-## Allow java executable stack
-## </p>
-## </desc>
-gen_tunable(allow_java_execstack,false)
-
-## <desc>
-## <p>
-## Allow system to run with kerberos
-## </p>
-## </desc>
-gen_tunable(allow_kerberos,false)
-
-## <desc>
-## <p>
-## Allow nfs servers to modify public files
-## used for public file transfer services.
-## </p>
-## </desc>
-gen_tunable(allow_nfsd_anon_write,false)
-
-## <desc>
-## <p>
 ## Enable polyinstantiated directory support.
 ## </p>
 ## </desc>
@@ -141,30 +49,6 @@ gen_tunable(allow_polyinstantiation,false)
 
 ## <desc>
 ## <p>
-## Allow rsync to modify public files
-## used for public file transfer services.
-## </p>
-## </desc>
-gen_tunable(allow_rsync_anon_write,false)
-
-## <desc>
-## <p>
-## Allow sasl to read shadow
-## </p>
-## </desc>
-gen_tunable(allow_saslauthd_read_shadow,false)
-
-## <desc>
-## <p>
-## Allow samba to modify public files
-## used for public file transfer services.
-## </p>
-## </desc>
-gen_tunable(allow_smbd_anon_write,false)
-
-
-## <desc>
-## <p>
 ## Allow system to run with NIS
 ## </p>
 ## </desc>
@@ -172,28 +56,6 @@ gen_tunable(allow_ypbind,false)
 
 ## <desc>
 ## <p>
-## Enable extra rules in the cron domain
-## to support fcron.
-## </p>
-## </desc>
-gen_tunable(fcron_crond,false)
-
-## <desc>
-## <p>
-## Allow ftp to read and write files in the user home directories
-## </p>
-## </desc>
-gen_tunable(ftp_home_dir,false)
-
-## <desc>
-## <p>
-## Allow ftpd to run directly without inetd
-## </p>
-## </desc>
-gen_tunable(ftpd_is_daemon,false)
-
-## <desc>
-## <p>
 ## Enable reading of urandom for all domains.
 ## </p>
 ## <p>
@@ -207,85 +69,6 @@ gen_tunable(global_ssp,false)
 
 ## <desc>
 ## <p>
-## Allow httpd to use built in scripting (usually php)
-## </p>
-## </desc>
-gen_tunable(httpd_builtin_scripting,false)
-
-## <desc>
-## <p>
-## Allow http daemon to tcp connect 
-## </p>
-## </desc>
-gen_tunable(httpd_can_network_connect,false)
-
-## <desc>
-## <p>
-## Allow httpd to connect to mysql/posgresql 
-## </p>
-## </desc>
-gen_tunable(httpd_can_network_connect_db, false)
-
-## <desc>
-## <p>
-## Allow httpd to act as a relay 
-## </p>
-## </desc>
-gen_tunable(httpd_can_network_relay, false)
-
-## <desc>
-## <p>
-## Allow httpd cgi support
-## </p>
-## </desc>
-gen_tunable(httpd_enable_cgi,false)
-
-## <desc>
-## <p>
-## Allow httpd to act as a FTP server by
-## listening on the ftp port.
-## </p>
-## </desc>
-gen_tunable(httpd_enable_ftp_server,false)
-
-## <desc>
-## <p>
-## Allow httpd to read home directories
-## </p>
-## </desc>
-gen_tunable(httpd_enable_homedirs,false)
-
-## <desc>
-## <p>
-## Run SSI execs in system CGI script domain.
-## </p>
-## </desc>
-gen_tunable(httpd_ssi_exec,false)
-
-## <desc>
-## <p>
-## Allow http daemon to communicate with the TTY
-## </p>
-## </desc>
-gen_tunable(httpd_tty_comm,false)
-
-## <desc>
-## <p>
-## Run CGI in the main httpd domain
-## </p>
-## </desc>
-gen_tunable(httpd_unified,false)
-
-## <desc>
-## <p>
-## Allow BIND to write the master zone files.
-## Generally this is used for dynamic DNS.
-## </p>
-## </desc>
-gen_tunable(named_write_master_zones,false)
-
-## <desc>
-## <p>
 ## Allow nfs to be exported read/write.
 ## </p>
 ## </desc>
@@ -300,13 +83,6 @@ gen_tunable(nfs_export_all_ro,false)
 
 ## <desc>
 ## <p>
-## Allow pppd to load kernel modules for certain modems
-## </p>
-## </desc>
-gen_tunable(pppd_can_insmod,false)
-
-## <desc>
-## <p>
 ## Allow reading of default_t files.
 ## </p>
 ## </desc>
@@ -314,43 +90,6 @@ gen_tunable(read_default_t,false)
 
 ## <desc>
 ## <p>
-## Allow samba to export user home directories.
-## </p>
-## </desc>
-gen_tunable(samba_enable_home_dirs,false)
-
-## <desc>
-## <p>
-## Allow samba to export NFS volumes.
-## </p>
-## </desc>
-gen_tunable(samba_share_nfs,false)
-
-## <desc>
-## <p>
-## Allow squid to connect to all ports, not just
-## HTTP, FTP, and Gopher ports.
-## </p>
-## </desc>
-gen_tunable(squid_connect_any,false)
-
-## <desc>
-## <p>
-## Allow ssh logins as sysadm_r:sysadm_t
-## </p>
-## </desc>
-gen_tunable(ssh_sysadm_login,false)
-
-## <desc>
-## <p>
-## Configure stunnel to be a standalone daemon or
-## inetd service.
-## </p>
-## </desc>
-gen_tunable(stunnel_is_daemon,false)
-
-## <desc>
-## <p>
 ## Support NFS home directories
 ## </p>
 ## </desc>
@@ -363,13 +102,6 @@ gen_tunable(use_nfs_home_dirs,false)
 ## </desc>
 gen_tunable(use_samba_home_dirs,false)
 
-## <desc>
-## <p>
-## Allow xdm logins as sysadm
-## </p>
-## </desc>
-gen_tunable(xdm_sysadm_login,false)
-
 ########################################
 #
 # Strict policy specific
@@ -378,102 +110,6 @@ gen_tunable(xdm_sysadm_login,false)
 ifdef(`strict_policy',`
 ## <desc>
 ## <p>
-## Control users use of ping and traceroute
-## </p>
-## </desc>
-gen_tunable(user_ping,false)
-
-## <desc>
-## <p>
-## Allow gpg executable stack
-## </p>
-## </desc>
-gen_tunable(allow_gpg_execstack,false)
-
-## <desc>
-## <p>
-## Allow mplayer executable stack
-## </p>
-## </desc>
-gen_tunable(allow_mplayer_execstack,false)
-
-## <desc>
-## <p>
-## Allow sysadm to ptrace all processes
-## </p>
-## </desc>
-gen_tunable(allow_ptrace,false)
-
-## <desc>
-## <p>
-## allow host key based authentication
-## </p>
-## </desc>
-gen_tunable(allow_ssh_keysign,false)
-
-## <desc>
-## <p>
-## Allow users to connect to mysql
-## </p>
-## </desc>
-gen_tunable(allow_user_mysql_connect,false)
-
-## <desc>
-## <p>
-## Allows clients to write to the X server shared
-## memory segments.
-## </p>
-## </desc>
-gen_tunable(allow_write_xshm,false)
-
-## <desc>
-## <p>
-## Allow cdrecord to read various content.
-## nfs, samba, removable devices, user temp
-## and untrusted content files
-## </p>
-## </desc>
-gen_tunable(cdrecord_read_content,false)
-
-## <desc>
-## <p>
-## Allow system cron jobs to relabel filesystem
-## for restoring file contexts.
-## </p>
-## </desc>
-gen_tunable(cron_can_relabel,false)
-
-## <desc>
-## <p>
-## force to games to run in user_t
-## mapping executable (text relocation).
-## </p>
-## </desc>
-gen_tunable(disable_games_trans,false)
-
-## <desc>
-## <p>
-## Disable transitions to evolution domains.
-## </p>
-## </desc>
-gen_tunable(disable_evolution_trans,false)
-
-## <desc>
-## <p>
-## Disable transitions to user mozilla domains
-## </p>
-## </desc>
-gen_tunable(disable_mozilla_trans,false)
-
-## <desc>
-## <p>
-## Disable transitions to user thunderbird domains
-## </p>
-## </desc>
-gen_tunable(disable_thunderbird_trans,false)
-
-## <desc>
-## <p>
 ## Allow email client to various content.
 ## nfs, samba, removable devices, user temp
 ## and untrusted content files
@@ -483,20 +119,6 @@ gen_tunable(mail_read_content,false)
 
 ## <desc>
 ## <p>
-## Control mozilla content access
-## </p>
-## </desc>
-gen_tunable(mozilla_read_content,false)
-
-## <desc>
-## <p>
-## Allow pppd to be run for a regular user
-## </p>
-## </desc>
-gen_tunable(pppd_for_user,false)
-
-## <desc>
-## <p>
 ## Allow applications to read untrusted content
 ## If this is disallowed, Internet content has
 ## to be manually relabeled for read access to be granted
@@ -506,65 +128,6 @@ gen_tunable(read_untrusted_content,false)
 
 ## <desc>
 ## <p>
-## Allow ssh to run from inetd instead of as a daemon.
-## </p>
-## </desc>
-gen_tunable(run_ssh_inetd,false)
-
-## <desc>
-## <p>
-## Allow user spamassassin clients to use the network.
-## </p>
-## </desc>
-gen_tunable(spamassassin_can_network,false)
-
-## <desc>
-## <p>
-## Allow staff_r users to search the sysadm home 
-## dir and read files (such as ~/.bashrc)
-## </p>
-## </desc>
-gen_tunable(staff_read_sysadm_file,false)
-
-## <desc>
-## <p>
-## Use lpd server instead of cups
-## </p>
-## </desc>
-gen_tunable(use_lpd_server,false)
-
-## <desc>
-## <p>
-## Allow regular users direct mouse access 
-## </p>
-## </desc>
-gen_tunable(user_direct_mouse,false)
-
-## <desc>
-## <p>
-## Allow users to read system messages.
-## </p>
-## </desc>
-gen_tunable(user_dmesg,false)
-
-## <desc>
-## <p>
-## Allow users to control network interfaces
-## (also needs USERCTL=true)
-## </p>
-## </desc>
-gen_tunable(user_net_control,false)
-
-## <desc>
-## <p>
-## Allow user to r/w files on filesystems
-## that do not have extended attributes (FAT, CDROM, FLOPPY)
-## </p>
-## </desc>
-gen_tunable(user_rw_noexattrfile,false)
-
-## <desc>
-## <p>
 ## Allow users to run TCP servers (bind to ports and accept connection from
 ## the same domain and outside users)  disabling this forces FTP passive mode
 ## and may change other protocols.
@@ -574,13 +137,6 @@ gen_tunable(user_tcp_server,false)
 
 ## <desc>
 ## <p>
-## Allow w to display everyone
-## </p>
-## </desc>
-gen_tunable(user_ttyfile_stat,false)
-
-## <desc>
-## <p>
 ## Allow applications to write untrusted content
 ## If this is disallowed, no Internet content
 ## will be stored.
@@ -588,31 +144,3 @@ gen_tunable(user_ttyfile_stat,false)
 ## </desc>
 gen_tunable(write_untrusted_content,false)
 ')
-
-########################################
-#
-# Targeted policy specific
-#
-
-ifdef(`targeted_policy',`
-## <desc>
-## <p>
-## Allow all daemons the ability to use unallocated ttys
-## </p>
-## </desc>
-gen_tunable(allow_daemons_use_tty,false)
-
-## <desc>
-## <p>
-## Allow mount to mount any file
-## </p>
-## </desc>
-gen_tunable(allow_mount_anyfile,false)
-
-## <desc>
-## <p>
-## Allow spamd to read/write user home directories.
-## </p>
-## </desc>
-gen_tunable(spamd_enable_home_dirs,true)
-')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index d27eaf6..b34146e 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,11 +1,20 @@
 
-policy_module(netutils,1.3.0)
+policy_module(netutils,1.3.1)
 
 ########################################
 #
 # Declarations
 #
 
+ifdef(`strict_policy',`
+## <desc>
+## <p>
+## Control users use of ping and traceroute
+## </p>
+## </desc>
+gen_tunable(user_ping,false)
+')
+
 type netutils_t;
 type netutils_exec_t;
 init_system_domain(netutils_t,netutils_exec_t)
diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te
index abdf579..760ce28 100644
--- a/policy/modules/apps/cdrecord.te
+++ b/policy/modules/apps/cdrecord.te
@@ -1,10 +1,21 @@
 
-policy_module(cdrecord,1.1.0)
+policy_module(cdrecord,1.1.1)
 
 ########################################
 #
 # Declarations
 #
 
+ifdef(`strict_policy',`
+## <desc>
+## <p>
+## Allow cdrecord to read various content.
+## nfs, samba, removable devices, user temp
+## and untrusted content files
+## </p>
+## </desc>
+gen_tunable(cdrecord_read_content,false)
+')
+
 type cdrecord_exec_t;
 corecmd_executable_file(cdrecord_exec_t)
diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if
index dee79e0..b167857 100644
--- a/policy/modules/apps/evolution.if
+++ b/policy/modules/apps/evolution.if
@@ -187,7 +187,6 @@ template(`evolution_per_role_template',`
 	corecmd_exec_shell($1_evolution_t)
 	# Run various programs
 	corecmd_exec_bin($1_evolution_t)
-	corecmd_exec_bin($1_evolution_t)
 
 	corenet_non_ipsec_sendrecv($1_evolution_t)
 	corenet_tcp_sendrecv_generic_if($1_evolution_t)
@@ -674,7 +673,8 @@ template(`evolution_per_role_template',`
 	allow $1_evolution_server_t $1_evolution_alarm_t:unix_stream_socket connectto;
 	allow $1_evolution_server_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
 
-	allow $1_evolution_server_t $2:fd use;
+	# Transition from user type
+	domain_auto_trans($2, evolution_server_exec_t, $1_evolution_server_t)
 
 	kernel_read_system_state($1_evolution_server_t)
 
@@ -718,11 +718,6 @@ template(`evolution_per_role_template',`
 	# until properly implemented
 	userdom_dontaudit_read_user_home_content_files($1,$1_evolution_server_t)
 
-	# Transition from user type
-	tunable_policy(`!disable_evolution_trans',`
-		domain_auto_trans($2, evolution_server_exec_t, $1_evolution_server_t)
-	')
-
 	# Access evolution home
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_manage_nfs_files($1_evolution_server_t)
diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
index e6d1b5c..b3a0856 100644
--- a/policy/modules/apps/evolution.te
+++ b/policy/modules/apps/evolution.te
@@ -1,5 +1,5 @@
 
-policy_module(evolution,1.1.1)
+policy_module(evolution,1.1.2)
 
 ########################################
 #
diff --git a/policy/modules/apps/games.if b/policy/modules/apps/games.if
index dedbd6d..7aa39b3 100644
--- a/policy/modules/apps/games.if
+++ b/policy/modules/apps/games.if
@@ -84,6 +84,7 @@ template(`games_per_role_template',`
 
 	can_exec($1_games_t, games_exec_t)
 
+	domain_auto_trans($2, games_exec_t, $1_games_t)
 	allow $2 $1_games_t:unix_stream_socket connectto;
 	allow $1_games_t $2:unix_stream_socket connectto;
 
@@ -136,11 +137,6 @@ template(`games_per_role_template',`
 	# Suppress .icons denial until properly implemented
 	userdom_dontaudit_read_user_home_content_files($1,$1_games_t)
 	
-	# Type transition
-	tunable_policy(`!disable_games_trans',`
-		domain_auto_trans($2, games_exec_t, $1_games_t)
-	')
-
 	tunable_policy(`allow_execmem',`
 		allow $1_games_t self:process execmem;
 	')
diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
index d3b63bc..4c462b8 100644
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@@ -1,5 +1,5 @@
 
-policy_module(games,1.1.2)
+policy_module(games,1.1.3)
 
 ########################################
 #
diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
index bb18d37..7c06120 100644
--- a/policy/modules/apps/java.te
+++ b/policy/modules/apps/java.te
@@ -1,11 +1,18 @@
 
-policy_module(java,1.3.3)
+policy_module(java,1.3.4)
 
 ########################################
 #
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow java executable stack
+## </p>
+## </desc>
+gen_tunable(allow_java_execstack,false)
+
 type java_t;
 type java_exec_t;
 init_system_domain(java_t,java_exec_t)
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
index 4261617..5056fb1 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -105,6 +105,10 @@ template(`mozilla_per_role_template',`
 
 	allow $1_mozilla_t $2:process signull;
 
+	domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t)
+	# Unrestricted inheritance from the caller.
+	allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
+
 	# Allow the user domain to signal/ps.
 	ps_process_pattern($2,$1_mozilla_t)
 	allow $2 $1_mozilla_t:process signal_perms;
@@ -207,13 +211,6 @@ template(`mozilla_per_role_template',`
 		fs_manage_cifs_symlinks($1_mozilla_t)
 	')
 
-	# Type transition
-	tunable_policy(`! disable_mozilla_trans',`
-		domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t)
-		# Unrestricted inheritance from the caller.
-		allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
-	')
-
 	# Uploads, local html
 	tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
 		fs_list_auto_mountpoints($1_mozilla_t)
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 7752e69..6832f0e 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -1,11 +1,20 @@
 
-policy_module(mozilla,1.1.1)
+policy_module(mozilla,1.1.2)
 
 ########################################
 #
 # Declarations
 #
 
+ifdef(`strict_policy',`
+## <desc>
+## <p>
+## Control mozilla content access
+## </p>
+## </desc>
+gen_tunable(mozilla_read_content,false)
+')
+
 type mozilla_conf_t;
 files_config_file(mozilla_conf_t)
 
diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
index dd9b1a4..1ee51bf 100644
--- a/policy/modules/apps/mplayer.te
+++ b/policy/modules/apps/mplayer.te
@@ -1,11 +1,20 @@
 
-policy_module(mplayer,1.1.1)
+policy_module(mplayer,1.1.2)
 
 ########################################
 #
 # Declarations
 #
 
+ifdef(`strict_policy',`
+## <desc>
+## <p>
+## Allow mplayer executable stack
+## </p>
+## </desc>
+gen_tunable(allow_mplayer_execstack,false)
+')
+
 type mplayer_etc_t;
 files_config_file(mplayer_etc_t)
 
diff --git a/policy/modules/apps/thunderbird.if b/policy/modules/apps/thunderbird.if
index 7edcec6..fe9dcc5 100644
--- a/policy/modules/apps/thunderbird.if
+++ b/policy/modules/apps/thunderbird.if
@@ -77,6 +77,7 @@ template(`thunderbird_per_role_template',`
 	manage_sock_files_pattern($1_thunderbird_t,$1_thunderbird_tmpfs_t,$1_thunderbird_tmpfs_t)
 	fs_tmpfs_filetrans($1_thunderbird_t,$1_thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 
+	domain_auto_trans($2, thunderbird_exec_t, $1_thunderbird_t)
 	allow $2 $1_thunderbird_t:fd use;
 	allow $2 $1_thunderbird_t:shm { associate getattr };
 	allow $2 $1_thunderbird_t:unix_stream_socket connectto;
@@ -166,11 +167,6 @@ template(`thunderbird_per_role_template',`
 	xserver_read_xdm_tmp_files($1_thunderbird_t)
 	xserver_dontaudit_getattr_xdm_tmp_sockets($1_thunderbird_t)
 
-	# Transition from user type
-	tunable_policy(`! disable_thunderbird_trans',`
-		domain_auto_trans($2, thunderbird_exec_t, $1_thunderbird_t)
-	')
-
 	# Access ~/.thunderbird
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_manage_nfs_dirs($1_thunderbird_t)
diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te
index 0d1c693..54e5575 100644
--- a/policy/modules/apps/thunderbird.te
+++ b/policy/modules/apps/thunderbird.te
@@ -1,5 +1,5 @@
 
-policy_module(thunderbird,1.1.1)
+policy_module(thunderbird,1.1.2)
 
 ########################################
 #
diff --git a/policy/modules/apps/usernetctl.te b/policy/modules/apps/usernetctl.te
index f2bcebf..bf1bee7 100644
--- a/policy/modules/apps/usernetctl.te
+++ b/policy/modules/apps/usernetctl.te
@@ -1,11 +1,21 @@
 
-policy_module(usernetctl,1.0.0)
+policy_module(usernetctl,1.0.1)
 
 ########################################
 #
 # Declarations
 #
 
+ifdef(`strict_policy',`
+## <desc>
+## <p>
+## Allow users to control network interfaces
+## (also needs USERCTL=true)
+## </p>
+## </desc>
+gen_tunable(user_net_control,false)
+')
+
 type usernetctl_t;
 type usernetctl_exec_t;
 domain_type(usernetctl_t)
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index c11832c..8c4c998 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
 
-policy_module(apache,1.5.4)
+policy_module(apache,1.5.5)
 
 #
 # NOTES: 
@@ -20,6 +20,92 @@ policy_module(apache,1.5.4)
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow Apache to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(allow_httpd_anon_write,false)
+
+## <desc>
+## <p>
+## Allow Apache to use mod_auth_pam
+## </p>
+## </desc>
+gen_tunable(allow_httpd_mod_auth_pam,false)
+
+## <desc>
+## <p>
+## Allow httpd to use built in scripting (usually php)
+## </p>
+## </desc>
+gen_tunable(httpd_builtin_scripting,false)
+
+## <desc>
+## <p>
+## Allow http daemon to tcp connect
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_connect,false)
+
+## <desc>
+## <p>
+## Allow httpd to connect to mysql/posgresql
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_connect_db, false)
+
+## <desc>
+## <p>
+## Allow httpd to act as a relay
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_relay, false)
+
+## <desc>
+## <p>
+## Allow httpd cgi support
+## </p>
+## </desc>
+gen_tunable(httpd_enable_cgi,false)
+
+## <desc>
+## <p>
+## Allow httpd to act as a FTP server by
+## listening on the ftp port.
+## </p>
+## </desc>
+gen_tunable(httpd_enable_ftp_server,false)
+
+## <desc>
+## <p>
+## Allow httpd to read home directories
+## </p>
+## </desc>
+gen_tunable(httpd_enable_homedirs,false)
+
+## <desc>
+## <p>
+## Run SSI execs in system CGI script domain.
+## </p>
+## </desc>
+gen_tunable(httpd_ssi_exec,false)
+
+## <desc>
+## <p>
+## Allow http daemon to communicate with the TTY
+## </p>
+## </desc>
+gen_tunable(httpd_tty_comm,false)
+
+## <desc>
+## <p>
+## Run CGI in the main httpd domain
+## </p>
+## </desc>
+gen_tunable(httpd_unified,false)
+
 attribute httpdcontent;
 
 # domains that can exec all users scripts
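Review bot: Two of the twelve moved declarations, `gen_tunable(httpd_can_network_connect_db, false)` and `gen_tunable(httpd_can_network_relay, false)`, carry a space after the comma that the other ten do not; m4 strips leading whitespace from macro arguments so the value is still `false`, but the move is the moment to normalise them to `gen_tunable(httpd_can_network_connect_db,false)` and `gen_tunable(httpd_can_network_relay,false)`. The description copied for the first of them still reads "mysql/posgresql"; "postgresql" is meant.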
@@ -507,13 +593,7 @@ allow httpd_suexec_t self:process signal_perms;
 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
 allow httpd_suexec_t self:netlink_route_socket r_netlink_socket_perms;
 
-ifdef(`targeted_policy',`
-	gen_tunable(httpd_suexec_disable_trans,false)
-
-	tunable_policy(`httpd_suexec_disable_trans',`',`
-		domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-	')
-')
+domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
 
 create_files_pattern(httpd_suexec_t,httpd_log_t,httpd_log_t)
 append_files_pattern(httpd_suexec_t,httpd_log_t,httpd_log_t)
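Review bot: Making `domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)` unconditional changes strict policy as well as targeted: before this hunk the transition was declared only inside `ifdef(`targeted_policy')`, so strict either lacked it or declares it elsewhere in apache.te, which is not visible here. If it is declared elsewhere, one of the two copies should go; if strict did not have it, the new transition into httpd_suexec_t is a behavioural change that the Changelog's "Remove disable_trans booleans" line does not describe.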
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index cec18b0..6bb3966 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -1,11 +1,19 @@
 
-policy_module(bind,1.3.1)
+policy_module(bind,1.3.2)
 
 ########################################
 #
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow BIND to write the master zone files.
+## Generally this is used for dynamic DNS.
+## </p>
+## </desc>
+gen_tunable(named_write_master_zones,false)
+
 # for DNSSEC key files
 type dnssec_t;
 files_security_file(dnssec_t)
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index bb08029..d9cb1bb 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -1,5 +1,5 @@
 
-policy_module(cron,1.5.1)
+policy_module(cron,1.5.2)
 
 gen_require(`
 	class passwd rootok;
@@ -9,6 +9,23 @@ gen_require(`
 #
 # Declarations
 #
+
+## <desc>
+## <p>
+## Allow system cron jobs to relabel filesystem
+## for restoring file contexts.
+## </p>
+## </desc>
+gen_tunable(cron_can_relabel,false)
+
+## <desc>
+## <p>
+## Enable extra rules in the cron domain
+## to support fcron.
+## </p>
+## </desc>
+gen_tunable(fcron_crond,false)
+
 attribute cron_spool_type;
 
 type anacron_exec_t;
diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
index 35ddd02..43721b5 100644
--- a/policy/modules/services/cvs.te
+++ b/policy/modules/services/cvs.te
@@ -1,11 +1,18 @@
 
-policy_module(cvs,1.3.0)
+policy_module(cvs,1.3.1)
 
 ########################################
 #
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow cvs daemon to read shadow
+## </p>
+## </desc>
+gen_tunable(allow_cvs_read_shadow,false)
+
 type cvs_t;
 type cvs_exec_t;
 inetd_tcp_service_domain(cvs_t,cvs_exec_t)
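Review bot: The description `## Allow cvs daemon to read shadow` does not say what is being exposed: cvs_t is an inetd TCP service domain (see the `inetd_tcp_service_domain(cvs_t,cvs_exec_t)` line below), so this tunable hands a network-facing service the system's password hashes. Suggested wording: `## Allow the cvs daemon to read /etc/shadow. This exposes the system's password hashes to a network-facing service; enable only if cvs must authenticate users against system accounts.` The `allow_saslauthd_read_shadow` tunable added later in this change has the same one-line description and would benefit from the same note.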
diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
index 31585d1..e3bbfb5 100644
--- a/policy/modules/services/ftp.if
+++ b/policy/modules/services/ftp.if
@@ -28,13 +28,11 @@ template(`ftp_per_role_template',`
 		type ftpd_t;
 	')
 
-	tunable_policy(`ftpd_is_daemon',`
-		userdom_manage_user_home_content_files($1,ftpd_t)
-		userdom_manage_user_home_content_symlinks($1,ftpd_t)
-		userdom_manage_user_home_content_sockets($1,ftpd_t)
-		userdom_manage_user_home_content_pipes($1,ftpd_t)
-		userdom_user_home_dir_filetrans_user_home_content($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
-	')
+	userdom_manage_user_home_content_files($1,ftpd_t)
+	userdom_manage_user_home_content_symlinks($1,ftpd_t)
+	userdom_manage_user_home_content_sockets($1,ftpd_t)
+	userdom_manage_user_home_content_pipes($1,ftpd_t)
+	userdom_user_home_dir_filetrans_user_home_content($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
 ')
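Review bot: With the `ftpd_is_daemon` gate gone, the five `userdom_manage_user_home_content_*` calls and the home-dir filetrans are granted to ftpd_t unconditionally for every role that instantiates this template, which bypasses the `ftp_home_dir` tunable that ftp.te declares in this same change for exactly this access ("Allow ftp to read and write files in the user home directories"). Unless the enclosing template, which starts before this hunk, already wraps them, these lines should sit inside a `tunable_policy` block conditioned on `ftp_home_dir` and closed with `')`, so that the default-off tunable actually keeps ftpd out of home directories. As written, a default policy build grants manage rights over user home content to the ftp daemon with no remaining switch.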
 
 ########################################
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 3138f0c..033d90a 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -1,11 +1,50 @@
 
-policy_module(ftp,1.4.3)
+policy_module(ftp,1.4.4)
 
 ########################################
 #
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow ftp servers to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(allow_ftpd_anon_write,false)
+
+## <desc>
+## <p>
+## Allow ftp servers to login to local users and 
+## read/write all files on the system, governed by DAC.
+## </p>
+## </desc>
+gen_tunable(allow_ftpd_full_access,false)
+
+## <desc>
+## <p>
+## Allow ftp servers to use cifs
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(allow_ftpd_use_cifs,false)
+
+## <desc>
+## <p>
+## Allow ftp servers to use nfs
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(allow_ftpd_use_nfs,false)
+
+## <desc>
+## <p>
+## Allow ftp to read and write files in the user home directories
+## </p>
+## </desc>
+gen_tunable(ftp_home_dir,false)
+
 type ftpd_t;
 type ftpd_exec_t;
 init_daemon_domain(ftpd_t,ftpd_exec_t)
@@ -13,7 +52,6 @@ init_daemon_domain(ftpd_t,ftpd_exec_t)
 type ftpd_etc_t;
 files_config_file(ftpd_etc_t)
 
-# ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally
 type ftpd_lock_t;
 files_lock_file(ftpd_lock_t)
 
@@ -53,6 +91,9 @@ allow ftpd_t self:udp_socket create_socket_perms;
 
 allow ftpd_t ftpd_etc_t:file read_file_perms;
 
+allow ftpd_t ftpd_lock_t:file manage_file_perms;
+files_lock_filetrans(ftpd_t,ftpd_lock_t,file)
+
 manage_dirs_pattern(ftpd_t,ftpd_tmp_t,ftpd_tmp_t)
 manage_files_pattern(ftpd_t,ftpd_tmp_t,ftpd_tmp_t)
 files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
@@ -198,13 +239,6 @@ tunable_policy(`ftp_home_dir && use_samba_home_dirs',`
 	fs_read_cifs_symlinks(ftpd_t)
 ')
 
-tunable_policy(`ftpd_is_daemon',`
-	allow ftpd_t ftpd_lock_t:file manage_file_perms;
-	files_lock_filetrans(ftpd_t,ftpd_lock_t,file)
-
-	corenet_tcp_bind_ftp_port(ftpd_t)
-')
-
 optional_policy(`
 	tunable_policy(`ftp_home_dir',`
 		apache_search_sys_content(ftpd_t)
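Review bot: `corenet_tcp_bind_ftp_port(ftpd_t)` is dropped here and, unlike the two lock-file rules from the same removed block (re-added unconditionally after `allow ftpd_t ftpd_etc_t:file read_file_perms;` earlier in this file), it is not re-added anywhere visible, so a standalone ftpd would be denied binding the ftp port now that `ftpd_is_daemon` no longer exists. Unless the bind is granted elsewhere outside this hunk, restore it unconditionally next to the lock rules: `corenet_tcp_bind_ftp_port(ftpd_t)`. The ssh change in this same commit keeps `corenet_tcp_bind_ssh_port` when it drops its daemon/inetd split, which is the pattern to follow.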
@@ -232,17 +266,10 @@ optional_policy(`
 ')
 
 optional_policy(`
-	#reh: typeattributes not allowed in conditionals yet.
-	#tunable_policy(`! ftpd_is_daemon',`
-	#	inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
-	#')
-
 	inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
 
 	optional_policy(`
-		tunable_policy(`! ftpd_is_daemon',`
-			tcpd_domtrans(tcpd_t)
-		')
+		tcpd_domtrans(tcpd_t)
 	')
 ')
 
diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
index c746cd4..344c57a 100644
--- a/policy/modules/services/inetd.te
+++ b/policy/modules/services/inetd.te
@@ -1,5 +1,5 @@
 
-policy_module(inetd,1.2.3)
+policy_module(inetd,1.2.4)
 
 ########################################
 #
@@ -228,13 +228,6 @@ ifdef(`targeted_policy',`
 ')
 
 optional_policy(`
-	tunable_policy(`ftpd_is_daemon',`
-		# Allows it to check exec privs on daemon
-		ftp_check_exec(inetd_t)
-	')
-')
-
-optional_policy(`
 	kerberos_use(inetd_child_t)
 ')
 
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index a384b13..142974b 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -1,11 +1,18 @@
 
-policy_module(kerberos,1.3.3)
+policy_module(kerberos,1.3.4)
 
 ########################################
 #
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow system to run with kerberos
+## </p>
+## </desc>
+gen_tunable(allow_kerberos,false)
+
 type kadmind_t;
 type kadmind_exec_t;
 init_daemon_domain(kadmind_t,kadmind_exec_t)
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index 5d74d24..ef0f8ed 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -1,11 +1,18 @@
 
-policy_module(lpd,1.4.2)
+policy_module(lpd,1.4.3)
 
 ########################################
 #
 # Declarations
 #
 
+## <desc>
+## <p>
+## Use lpd server instead of cups
+## </p>
+## </desc>
+gen_tunable(use_lpd_server,false)
+
 type checkpc_t;
 type checkpc_exec_t;
 init_system_domain(checkpc_t,checkpc_exec_t)
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
index 7b7d00a..f7c683e 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -1,11 +1,27 @@
 
-policy_module(ppp,1.3.1)
+policy_module(ppp,1.3.2)
 
 ########################################
 #
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow pppd to load kernel modules for certain modems
+## </p>
+## </desc>
+gen_tunable(pppd_can_insmod,false)
+
+ifdef(`strict_policy',`
+## <desc>
+## <p>
+## Allow pppd to be run for a regular user
+## </p>
+## </desc>
+gen_tunable(pppd_for_user,false)
+')
+
 # pppd_t is the domain for the pppd program.
 # pppd_exec_t is the type of the pppd executable.
 type pppd_t;
@@ -172,20 +188,6 @@ ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_ttys(pppd_t)
 	term_dontaudit_use_generic_ptys(pppd_t)
 	files_dontaudit_read_root_files(pppd_t)
-
-	optional_policy(`
-		gen_require(`
-			bool postfix_disable_trans;
-		')
-
-		if(!postfix_disable_trans) {
-			postfix_domtrans_master(pppd_t)
-		}
-	')
-',`
-	optional_policy(`
-		postfix_domtrans_master(pppd_t)
-	')
 ')
 
 optional_policy(`
@@ -211,6 +213,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	postfix_domtrans_master(pppd_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(pppd_t)
 ')
 
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index e21f3e7..697d780 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -1,11 +1,26 @@
 
-policy_module(rpc,1.4.3)
+policy_module(rpc,1.4.4)
 
 ########################################
 #
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow gssd to read temp directory.
+## </p>
+## </desc>
+gen_tunable(allow_gssd_read_tmp,true)
+
+## <desc>
+## <p>
+## Allow nfs servers to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(allow_nfsd_anon_write,false)
+
 type exports_t;
 files_type(exports_t)
 
diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
index 5e12b87..682d5f2 100644
--- a/policy/modules/services/rsync.te
+++ b/policy/modules/services/rsync.te
@@ -1,11 +1,19 @@
 
-policy_module(rsync,1.3.1)
+policy_module(rsync,1.3.2)
 
 ########################################
 #
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow rsync to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(allow_rsync_anon_write,false)
+
 type rsync_t;
 type rsync_exec_t;
 init_daemon_domain(rsync_t,rsync_exec_t)
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index b2a5004..a114c46 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -1,11 +1,33 @@
 
-policy_module(samba,1.4.2)
+policy_module(samba,1.4.3)
 
 #################################
 #
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow samba to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(allow_smbd_anon_write,false)
+
+## <desc>
+## <p>
+## Allow samba to export user home directories.
+## </p>
+## </desc>
+gen_tunable(samba_enable_home_dirs,false)
+
+## <desc>
+## <p>
+## Allow samba to export NFS volumes.
+## </p>
+## </desc>
+gen_tunable(samba_share_nfs,false)
+
 type nmbd_t;
 type nmbd_exec_t;
 init_daemon_domain(nmbd_t,nmbd_exec_t)
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
index a20ace8..6128b90 100644
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
@@ -1,11 +1,18 @@
 
-policy_module(sasl,1.4.1)
+policy_module(sasl,1.4.2)
 
 ########################################
 #
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow sasl to read shadow
+## </p>
+## </desc>
+gen_tunable(allow_saslauthd_read_shadow,false)
+
 type saslauthd_t;
 type saslauthd_exec_t;
 init_daemon_domain(saslauthd_t,saslauthd_exec_t)
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index 2a8e3a4..f5e023e 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -1,11 +1,29 @@
 
-policy_module(spamassassin,1.5.5)
+policy_module(spamassassin,1.5.6)
 
 ########################################
 #
 # Declarations
 #
 
+ifdef(`strict_policy',`
+## <desc>
+## <p>
+## Allow user spamassassin clients to use the network.
+## </p>
+## </desc>
+gen_tunable(spamassassin_can_network,false)
+')
+
+ifdef(`targeted_policy',`
+## <desc>
+## <p>
+## Allow spamd to read/write user home directories.
+## </p>
+## </desc>
+gen_tunable(spamd_enable_home_dirs,true)
+')
+
 # spamassassin client executable
 type spamc_exec_t;
 corecmd_executable_file(spamc_exec_t)
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index 18ebdd8..8fa700f 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -1,11 +1,19 @@
 
-policy_module(squid,1.2.1)
+policy_module(squid,1.2.2)
 
 ########################################
 #
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow squid to connect to all ports, not just
+## HTTP, FTP, and Gopher ports.
+## </p>
+## </desc>
+gen_tunable(squid_connect_any,false)
+
 type squid_t;
 type squid_exec_t;
 init_daemon_domain(squid_t,squid_exec_t)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index b22317c..4b05a15 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -476,6 +476,7 @@ template(`ssh_server_template', `
 	corenet_non_ipsec_sendrecv($1_t)
 	corenet_tcp_bind_all_nodes($1_t)
 	corenet_udp_bind_all_nodes($1_t)
+	corenet_tcp_bind_ssh_port($1_t)
 	corenet_tcp_connect_all_ports($1_t)
 	corenet_sendrecv_ssh_server_packets($1_t)
 
@@ -517,25 +518,6 @@ template(`ssh_server_template', `
 		fs_read_cifs_files($1_t)
 	')
 
-	# cjp: commenting out until typeattribute works in conditional
-	# and require block in optional else is resolved
-	#optional_policy(`
-	#	tunable_policy(`run_ssh_inetd',`
-	#		allow $1_t self:process signal;
-	#		files_list_pids($1_t)
-	#	',`
-	#		corenet_tcp_bind_ssh_port($1_t)
-	#		init_use_fds($1_t)
-	#		init_use_script_ptys($1_t)
-	#	')
-	#',`
-		# These rules should match the else block
-		# of the run_ssh_inetd tunable directly above
-		corenet_tcp_bind_ssh_port($1_t)
-		init_use_fds($1_t)
-		init_use_script_ptys($1_t)
-	#')
-
 	optional_policy(`
 		kerberos_use($1_t)
 	')
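Review bot: `init_use_fds($1_t)` and `init_use_script_ptys($1_t)` are removed along with the commented-out `run_ssh_inetd` block but, unlike `corenet_tcp_bind_ssh_port($1_t)` which the earlier hunk re-adds, they are not restored, so an sshd started from an init script may lose the ability to inherit init's descriptors and use the script pty. If another interface in `ssh_server_template` already grants these (the template starts before this hunk, so I cannot confirm from here), this is fine; otherwise put `init_use_fds($1_t)` and `init_use_script_ptys($1_t)` back next to the bind call. The old comment "These rules should match the else block" documented that all three lines were the non-inetd default, so dropping two of the three looks unintentional.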
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index cf9cceb..cbe8c0d 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,11 +1,25 @@
 
-policy_module(ssh,1.5.1)
+policy_module(ssh,1.5.2)
 
 ########################################
 #
 # Declarations
 #
 
+## <desc>
+## <p>
+## allow host key based authentication
+## </p>
+## </desc>
+gen_tunable(allow_ssh_keysign,false)
+
+## <desc>
+## <p>
+## Allow ssh logins as sysadm_r:sysadm_t
+## </p>
+## </desc>
+gen_tunable(ssh_sysadm_login,false)
+
 attribute ssh_server;
 
 # Type for the ssh-agent executable.
@@ -140,6 +154,8 @@ tunable_policy(`ssh_sysadm_login',`
 
 ifdef(`strict_policy',`
 	ifdef(`TODO',`
+	domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
+
 	domain_trans(sshd_extern_t, shell_exec_t, user_mini_domain)
 	# Signal the user domains.
 	allow sshd_extern_t user_mini_domain:process signal;
@@ -159,15 +175,7 @@ ifdef(`strict_policy',`
 	allow user_mini_domain sshd_extern_t:unix_stream_socket rw_stream_socket_perms;
 
 	optional_policy(`
-		tunable_policy(`run_ssh_inetd',`
-			domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
-		',`
-			domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
-		')
-	',`
-		# These rules should match the else block
-		# of the run_ssh_inetd tunable directly above
-		domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
+		domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
 	')
 
 	ifdef(`direct_sysadm_daemon', `
diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
index 73160ea..09443a4 100644
--- a/policy/modules/services/stunnel.te
+++ b/policy/modules/services/stunnel.te
@@ -1,5 +1,5 @@
 
-policy_module(stunnel,1.2.1)
+policy_module(stunnel,1.2.2)
 
 ########################################
 #
@@ -127,13 +127,9 @@ ifdef(`distro_gentoo', `
 	')
 ')
 
-tunable_policy(`stunnel_is_daemon',`
-	allow stunnel_t self:tcp_socket create_stream_socket_perms;
-
-	# hack since this port has no interfaces since it doesnt
-	# have net_contexts
-	gen_require(`
-		type stunnel_port_t;
-	')
-	allow stunnel_t stunnel_port_t:tcp_socket name_bind;
+# hack since this port has no interfaces since it doesnt
+# have net_contexts
+gen_require(`
+	type stunnel_port_t;
 ')
+allow stunnel_t stunnel_port_t:tcp_socket name_bind;
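Review bot: `allow stunnel_t self:tcp_socket create_stream_socket_perms;` is removed together with the `stunnel_is_daemon` block but not re-added, while the `name_bind` on stunnel_port_t is kept; name_bind alone is useless because stunnel_t can no longer create, bind or listen on a TCP socket of its own. Unless that self:tcp_socket rule already exists earlier in stunnel.te (outside this hunk), restore it above the gen_require: `allow stunnel_t self:tcp_socket create_stream_socket_perms;`. The existing comment explaining the `gen_require` of stunnel_port_t in a .te file should stay, since the hack is now unconditional and easier to trip over.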
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 4c299e2..c94dc60 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,11 +1,28 @@
 
-policy_module(xserver,1.3.3)
+policy_module(xserver,1.3.4)
 
 ########################################
 #
 # Declarations
 #
 
+ifdef(`strict_policy',`
+## <desc>
+## <p>
+## Allows clients to write to the X server shared
+## memory segments.
+## </p>
+## </desc>
+gen_tunable(allow_write_xshm,false)
+')
+
+## <desc>
+## <p>
+## Allow xdm logins as sysadm
+## </p>
+## </desc>
+gen_tunable(xdm_sysadm_login,false)
+
 attribute fonts_type;
 attribute fonts_cache_type;
 attribute fonts_config_type;
diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
index c32fe07..27cb571 100644
--- a/policy/modules/services/zebra.te
+++ b/policy/modules/services/zebra.te
@@ -1,11 +1,19 @@
 
-policy_module(zebra,1.3.1)
+policy_module(zebra,1.3.2)
 
 ########################################
 #
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow zebra daemon to write it configuration files
+## </p>
+## </desc>
+#
+gen_tunable(allow_zebra_write_config,false)
+
 type zebra_t;
 type zebra_exec_t;
 init_daemon_domain(zebra_t,zebra_exec_t)
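Review bot: The stray `#` line between `## </desc>` and `gen_tunable(allow_zebra_write_config,false)` is inconsistent with every other tunable declaration in this change and may detach the description from the tunable in the doc extractor, which keys `##` comment blocks to the declaration that follows; drop that line. The description also has a typo: `## Allow zebra daemon to write it configuration files` should read `## Allow the zebra daemon to write its configuration files`.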
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index d92065f..cf355f6 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,5 +1,5 @@
 
-policy_module(init,1.5.4)
+policy_module(init,1.5.5)
 
 gen_require(`
 	class passwd rootok;
@@ -10,6 +10,15 @@ gen_require(`
 # Declarations
 #
 
+ifdef(`targeted_policy',`
+## <desc>
+## <p>
+## Allow all daemons the ability to use unallocated ttys
+## </p>
+## </desc>
+gen_tunable(allow_daemons_use_tty,false)
+')
+
 # used for direct running of init scripts
 # by admin domains
 attribute direct_run_init;
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 1d09528..d7ae4b7 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -1,11 +1,20 @@
 
-policy_module(mount,1.5.0)
+policy_module(mount,1.5.1)
 
 ########################################
 #
 # Declarations
 #
 
+ifdef(`targeted_policy',`
+## <desc>
+## <p>
+## Allow mount to mount any file
+## </p>
+## </desc>
+gen_tunable(allow_mount_anyfile,false)
+')
+
 type mount_t;
 type mount_exec_t;
 init_system_domain(mount_t,mount_exec_t)
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index d3fa84e..ec35724 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
 
-policy_module(userdomain,2.1.2)
+policy_module(userdomain,2.1.3)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;
@@ -15,6 +15,51 @@ gen_require(`
 # Declarations
 #
 
+ifdef(`strict_policy',`
+## <desc>
+## <p>
+## Allow sysadm to ptrace all processes
+## </p>
+## </desc>
+gen_tunable(allow_ptrace,false)
+
+## <desc>
+## <p>
+## Allow users to connect to mysql
+## </p>
+## </desc>
+gen_tunable(allow_user_mysql_connect,false)
+
+## <desc>
+## <p>
+## Allow regular users direct mouse access
+## </p>
+## </desc>
+gen_tunable(user_direct_mouse,false)
+
+## <desc>
+## <p>
+## Allow users to read system messages.
+## </p>
+## </desc>
+gen_tunable(user_dmesg,false)
+
+## <desc>
+## <p>
+## Allow user to r/w files on filesystems
+## that do not have extended attributes (FAT, CDROM, FLOPPY)
+## </p>
+## </desc>
+gen_tunable(user_rw_noexattrfile,false)
+
+## <desc>
+## <p>
+## Allow w to display everyone
+## </p>
+## </desc>
+gen_tunable(user_ttyfile_stat,false)
+')
+
 # admin users terminals (tty and pty)
 attribute admin_terminal;
 
diff --git a/support/Makefile.devel b/support/Makefile.devel
index 595f778..ccbec6b 100644
--- a/support/Makefile.devel
+++ b/support/Makefile.devel
@@ -33,7 +33,7 @@ genxml := $(PYTHON) $(HEADERDIR)/support/segenxml.py
 docs = doc
 polxml = $(docs)/policy.xml
 xmldtd = $(HEADERDIR)/support/policy.dtd
-layerxml = metadata.xml
+metaxml = metadata.xml
 
 globaltun = $(HEADERDIR)/global_tunables.xml
 globalbool = $(HEADERDIR)/global_booleans.xml
@@ -84,26 +84,41 @@ M4PARAM += -D hide_broken_symptoms -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$
 
 # policy headers
 m4support = $(wildcard $(HEADERDIR)/support/*.spt)
+
 all_layers = $(filter-out $(HEADERDIR)/support,$(shell find $(wildcard $(HEADERDIR)/*) -maxdepth 0 -type d))
 all_interfaces = $(foreach layer,$(all_layers),$(wildcard $(layer)/*.if))
 rolemap = $(HEADERDIR)/rolemap
 
 detected_layers =  $(filter-out CVS tmp $(docs),$(shell find $(wildcard *) -maxdepth 0 -type d))
+
+clayers = $(addprefix $(CURDIR)/, $(filter $(notdir $(detected_layers)), $(notdir $(all_layers))))
+all_layers_subset = $(addprefix $(HEADERDIR)/, $(filter-out $(notdir $(detected_layers)), $(notdir $(all_layers))))
+detected_layers_subset = $(addprefix $(CURDIR)/, $(filter-out $(notdir $(clayers)), $(notdir $(detected_layers))))
+
 3rd_party_mods = $(wildcard *.te)
 detected_mods = $(3rd_party_mods) $(foreach layer,$(detected_layers),$(wildcard $(layer)/*.te))
+detected_mods_subset = $(3rd_party_mods) $(foreach layer,$(detected_layers_subset),$(wildcard $(layer)/*.te))
+
 detected_ifs = $(detected_mods:.te=.if)
 detected_fcs = $(detected_mods:.te=.fc)
 all_packages = $(notdir $(detected_mods:.te=.pp))
 
+modxml = $(addprefix $(CURDIR)/, $(detected_mods_subset:.te=.xml))
+layerxml = $(addprefix tmp/, $(notdir $(addsuffix .xml, $(detected_layers_subset) $(CURDIR))))
+
+hmodxml = $(all_interfaces:.if=.xml)
+hlayerxml = $(addsuffix .xml, $(addprefix tmp/, $(notdir $(all_layers_subset))))
+hmetaxml = $(foreach layer, $(all_layers_subset), $(layer)/$(metaxml))
+
+cmods = $(foreach layer, $(clayers), $(wildcard $(layer)/*.te))
+cmodxml = $(cmods:.te=.xml)
+clayerxml= $(addsuffix .xml, $(addprefix tmp/, $(notdir $(clayers))))
+cmetaxml = $(foreach layer, $(notdir $(clayers)), $(HEADERDIR)/$(layer)/$(metaxml))
+
 vpath %.te $(detected_layers)
 vpath %.if $(detected_layers)
 vpath %.fc $(detected_layers)
 
-# if there are modules in the current directory, add them into the third party layer
-ifneq "$(3rd_party_mods)" ""
-        genxml += -3 .
-endif
-
 ########################################
 #
 # Functions
@@ -197,18 +212,45 @@ $(detected_ifs) $(detected_fcs):
 # Documentation generation
 #
 
-# minimal dependencies here, because we don't want to rebuild
-# this and its dependents every time the dependencies
-# change.  Also use all .if files here, rather then just the
-# enabled modules.
-$(polxml): $(detected_ifs) $(foreach dir,$(all_layers),$(dir)/$(layerxml))
-	@echo "Creating $@"
-	@mkdir -p doc
+$(clayerxml): %.xml: $(cmodxml) $(hmodxml) $(cmetaxml)
+	@test -d tmp || mkdir -p tmp
+	$(verbose) echo '<layer name="$(*F)">' > $@
+	$(verbose) cat $(addprefix $(HEADERDIR)/, $(notdir $*)/$(metaxml)) >> $@;
+	$(verbose) cat $(filter $(addprefix $(CURDIR)/, $(notdir $*))/%, $(cmodxml)) >> $@
+	$(verbose) cat $(filter-out $(addprefix $(HEADERDIR)/, $(notdir $*))/$(metaxml), $(filter $(addprefix $(HEADERDIR)/, $(notdir $*))/%, $(hmodxml))) >> $@
+	$(verbose) echo '</layer>' >> $@
+
+$(hlayerxml): %.xml: $(hmodxml) $(hmetaxml)
+	@test -d tmp || mkdir -p tmp
+	$(verbose) echo '<layer name="$(*F)">' > $@
+	$(verbose) cat $(addprefix $(HEADERDIR)/, $(notdir $*)/$(metaxml)) >> $@;
+	$(verbose) cat $(filter-out $(addprefix $(HEADERDIR)/, $(notdir $*))/$(metaxml), $(filter $(addprefix $(HEADERDIR)/, $(notdir $*))/%, $(hmodxml))) >> $@
+	$(verbose) echo '</layer>' >> $@
+
+$(cmodxml) $(modxml): %.xml: %.if %.te
+	$(verbose) $(genxml) -w -m $* > $@
+
+$(layerxml): %.xml: $(modxml)
+	@test -d tmp || mkdir -p tmp
+	$(verbose) echo '<layer name="$(*F)">' > $@
+	$(verbose) if test -f '$(metaxml)'; then \
+		cat $(metaxml) >> $@; \
+	else \
+		echo '<summary>This is all third-party generated modules.</summary>' >> $@; \
+	fi
+	$(verbose) cat $(filter-out %/$(metaxml), $^) >> $@
+	$(verbose) echo '</layer>' >> $@
+
+$(polxml): $(clayerxml) $(hlayerxml) $(layerxml) $(globaltun) $(globalbool)
+	@echo "Creating $(@F)"
+	@test -d $(dir $(polxml)) || mkdir -p $(dir $(polxml))
 	$(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
-	$(verbose) echo '<!DOCTYPE policy SYSTEM "$(xmldtd)">' >> $@
-	$(verbose) $(genxml) -m $(layerxml) --tunables-xml $(globaltun) --booleans-xml $(globalbool) $(all_layers) $(detected_layers) >> $@
+	$(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(xmldtd))">' >> $@
+	$(verbose) echo '<policy>' >> $@
+	$(verbose) cat $(sort $(clayerxml) $(hlayerxml) $(layerxml)) $(globaltun) $(globalbool) >> $@
+	$(verbose) echo '</policy>' >> $@
 	$(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
-		$(XMLLINT) --noout --dtdvalid $(xmldtd) $@ ;\
+		$(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
 	fi
 
 ########################################
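Review bot: Every recipe here writes straight into `$@` with `>`/`>>`, so if `$(genxml)` fails, or a `cat` in the middle of one of the layer recipes fails, a truncated `.xml` is left behind that is newer than its prerequisites and will be treated as up to date on the next run and silently concatenated into policy.xml. Either write the module XML atomically, `$(verbose) $(genxml) -w -m $* > $@.tmp && mv -f $@.tmp $@`, or add `.DELETE_ON_ERROR:` once near the top of this file (outside this hunk), which also covers the multi-line layer recipes. The trailing `;` on the two `cat ... $(metaxml) >> $@;` lines is harmless but inconsistent with the other recipe lines.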
diff --git a/support/sedoctool.py b/support/sedoctool.py
index 55eee3b..f15a5b5 100644
--- a/support/sedoctool.py
+++ b/support/sedoctool.py
@@ -1,6 +1,7 @@
 #!/usr/bin/python
 
 #  Author: Joshua Brindle <jbrindle@tresys.com>
+#          Caleb Case <ccase@tresys.com>
 #
 # Copyright (C) 2005 - 2006 Tresys Technology, LLC
 #      This program is free software; you can redistribute it and/or modify
@@ -317,6 +318,12 @@ def gen_docs(doc, working_dir, templatedir):
 		templatefile = open(templatedir + "/template.html", "r")
 		templatedata = templatefile.read()
 		templatefile.close()
+		tunfile = open(templatedir + "/tunable.html", "r")
+		tundata = tunfile.read()
+		tunfile.close()
+		boolfile = open(templatedir + "/boolean.html", "r")
+		booldata = boolfile.read()
+		boolfile.close()
 		menufile = open(templatedir + "/menu.html", "r")
 		menudata = menufile.read()
 		menufile.close()
@@ -332,12 +339,18 @@ def gen_docs(doc, working_dir, templatedir):
 		templistfile = open(templatedir + "/temp_list.html", "r")
 		templistdata = templistfile.read()
 		templistfile.close()
-		boollistfile = open(templatedir + "/global_bool_list.html", "r")
-		boollistdata = boollistfile.read()
-		boollistfile.close()
-		tunlistfile = open(templatedir + "/global_tun_list.html", "r")
+		tunlistfile = open(templatedir + "/tun_list.html", "r")
 		tunlistdata = tunlistfile.read()
 		tunlistfile.close()
+		boollistfile = open(templatedir + "/bool_list.html", "r")
+		boollistdata = boollistfile.read()
+		boollistfile.close()
+		gboollistfile = open(templatedir + "/global_bool_list.html", "r")
+		gboollistdata = gboollistfile.read()
+		gboollistfile.close()
+		gtunlistfile = open(templatedir + "/global_tun_list.html", "r")
+		gtunlistdata = gtunlistfile.read()
+		gtunlistfile.close()
 	except:
 		error("Could not open templates")
 
@@ -412,6 +425,8 @@ def gen_docs(doc, working_dir, templatedir):
 
 	all_interfaces = []
 	all_templates = []
+	all_tunables = []
+	all_booleans = []
 	for node in doc.getElementsByTagName("module"):
                 mod_name = mod_layer = mod_desc = interface_buf = ''
 
@@ -511,6 +526,54 @@ def gen_docs(doc, working_dir, templatedir):
 		template_tpl = pyplate.Template(templatedata)
 		template_buf = template_tpl.execute_string({"templates" : templates})
 
+		#generate 'boolean' pages
+		booleans = []
+		for boolean in node.getElementsByTagName("bool"):
+			boolean_parameters = []
+			boolean_desc = None
+			boolean_name = boolean.getAttribute("name")
+			boolean_dftval = boolean.getAttribute("dftval")
+			for desc in boolean.childNodes:
+				if desc.nodeName == "desc":
+					boolean_desc = format_html_desc(desc)
+
+			booleans.append({ "bool_name" : boolean_name,
+					  "desc" : boolean_desc,
+					  "def_val" : boolean_dftval })
+			#all_booleans is for the main boolean index with all booleans
+			all_booleans.append({ "bool_name" : boolean_name,
+					   "desc" : boolean_desc,
+					   "def_val" : boolean_dftval,
+					   "mod_name": mod_name,
+					   "mod_layer" : mod_layer })
+		booleans.sort(bool_cmp)
+		boolean_tpl = pyplate.Template(booldata)
+		boolean_buf = boolean_tpl.execute_string({"booleans" : booleans})
+
+		#generate 'tunable' pages
+		tunables = []
+		for tunable in node.getElementsByTagName("tunable"):
+			tunable_parameters = []
+			tunable_desc = None
+			tunable_name = tunable.getAttribute("name")
+			tunable_dftval = tunable.getAttribute("dftval")
+			for desc in tunable.childNodes:
+				if desc.nodeName == "desc":
+					tunable_desc = format_html_desc(desc)
+
+			tunables.append({ "tun_name" : tunable_name,
+					  "desc" : tunable_desc,
+					  "def_val" : tunable_dftval })
+			#all_tunables is for the main tunable index with all tunables
+			all_tunables.append({ "tun_name" : tunable_name,
+					   "desc" : tunable_desc,
+					   "def_val" : tunable_dftval,
+					   "mod_name": mod_name,
+					   "mod_layer" : mod_layer })
+		tunables.sort(tun_cmp)
+		tunable_tpl = pyplate.Template(tundata)
+		tunable_buf = tunable_tpl.execute_string({"tunables" : tunables})
+	
 
 		menu = gen_doc_menu(mod_layer, module_list)
 
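Review bot: `boolean_parameters = []` and `tunable_parameters = []` are assigned and never used (copied from the interface loop above), and the two new loops are identical except for the element tag and the dict key, which invites the per-module and index entries to drift apart later. Consider one helper that collects both the per-module list and the index entries, called twice; the unused lists and the whitespace-only line after `tunable_buf` disappear with it. Sketch below: `format_html_desc`, `all_booleans` and `all_tunables` are the existing names from this function, and the helper would live at module level next to `gen_docs`.
```python
def _collect_switches(node, tag, name_key, mod_name, mod_layer):
	'''
	Return (local, indexed): one entry per <tag> child of node; the
	second list also carries the module name/layer for the global index.
	'''
	local = []
	indexed = []
	for elem in node.getElementsByTagName(tag):
		desc = None
		for child in elem.childNodes:
			if child.nodeName == "desc":
				desc = format_html_desc(child)
		entry = { name_key : elem.getAttribute("name"),
			  "desc" : desc,
			  "def_val" : elem.getAttribute("dftval") }
		local.append(entry)
		index_entry = entry.copy()
		index_entry["mod_name"] = mod_name
		index_entry["mod_layer"] = mod_layer
		indexed.append(index_entry)
	return local, indexed

# ... inside gen_docs, replacing the two loops ...
		booleans, indexed = _collect_switches(node, "bool", "bool_name", mod_name, mod_layer)
		all_booleans.extend(indexed)
		booleans.sort(bool_cmp)
		boolean_buf = pyplate.Template(booldata).execute_string({"booleans" : booleans})

		tunables, indexed = _collect_switches(node, "tunable", "tun_name", mod_name, mod_layer)
		all_tunables.extend(indexed)
		tunables.sort(tun_cmp)
		tunable_buf = pyplate.Template(tundata).execute_string({"tunables" : tunables})
```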
@@ -531,6 +594,10 @@ def gen_docs(doc, working_dir, templatedir):
 			interface_buf = None
 		if not template_buf.strip():
 			template_buf = None
+		if not tunable_buf.strip():
+			tunable_buf = None
+		if not boolean_buf.strip():
+			boolean_buf = None
 
 		module_args = { "mod_layer" : mod_layer,
 			      "mod_name" : mod_name,	
@@ -538,7 +605,9 @@ def gen_docs(doc, working_dir, templatedir):
 			      "mod_desc" : mod_desc,
 			      "mod_req" : mod_req,
 			      "interfaces" : interface_buf,
-			      "templates": template_buf }
+			      "templates" : template_buf,
+			      "tunables" : tunable_buf,
+			      "booleans" : boolean_buf }
 
 		module_tpl = pyplate.Template(moduledata)
 		module_buf = module_tpl.execute_string(module_args)
@@ -590,19 +659,19 @@ def gen_docs(doc, working_dir, templatedir):
 
 
 	#build the global tunable index
-	global_tun_buf = []
+	global_tun = []
 	for tunable in doc.getElementsByTagName("tunable"):
 		if tunable.parentNode.nodeName == "policy":
 			tunable_name = tunable.getAttribute("name")
 			default_value = tunable.getAttribute("dftval")
 			for desc in tunable.getElementsByTagName("desc"):
 				description = format_html_desc(desc)
-			global_tun_buf.append( { "tun_name" : tunable_name,
+			global_tun.append( { "tun_name" : tunable_name,
 						"def_val" : default_value,
 						"desc" : description } )
-	global_tun_buf.sort(tun_cmp)
-	global_tun_tpl = pyplate.Template(tunlistdata)
-	global_tun_buf = global_tun_tpl.execute_string({"tunables" : global_tun_buf})
+	global_tun.sort(tun_cmp)
+	global_tun_tpl = pyplate.Template(gtunlistdata)
+	global_tun_buf = global_tun_tpl.execute_string({"tunables" : global_tun})
 	global_tun_file = "global_tunables.html"
 	global_tun_fh = open(global_tun_file, "w")
 	body_tpl = pyplate.Template(bodydata)
@@ -613,21 +682,35 @@ def gen_docs(doc, working_dir, templatedir):
 	body_tpl.execute(global_tun_fh, body_args)
 	global_tun_fh.close()
 
+	#build the tunable index
+	all_tunables = all_tunables + global_tun
+	all_tunables.sort(tun_cmp)
+	tunable_tpl = pyplate.Template(tunlistdata)
+	tunable_buf = tunable_tpl.execute_string({"tunables" : all_tunables})
+	temp_file = "tunables.html"
+	temp_fh = open(temp_file, "w")
+	body_tpl = pyplate.Template(bodydata)
+
+	body_args = { "menu" : menu_buf, 
+		      "content" : tunable_buf }
+
+	body_tpl.execute(temp_fh, body_args)
+	temp_fh.close()
 
 	#build the global boolean index
-	global_bool_buf = []
+	global_bool = []
 	for boolean in doc.getElementsByTagName("bool"):
 		if boolean.parentNode.nodeName == "policy":
 			bool_name = boolean.getAttribute("name")
 			default_value = boolean.getAttribute("dftval")
 			for desc in boolean.getElementsByTagName("desc"):
 				description = format_html_desc(desc)
-			global_bool_buf.append( { "bool_name" : bool_name,
+			global_bool.append( { "bool_name" : bool_name,
 						"def_val" : default_value,
 						"desc" : description } )
-	global_bool_buf.sort(bool_cmp)
-	global_bool_tpl = pyplate.Template(boollistdata)
-	global_bool_buf = global_bool_tpl.execute_string({"booleans" : global_bool_buf})
+	global_bool.sort(bool_cmp)
+	global_bool_tpl = pyplate.Template(gboollistdata)
+	global_bool_buf = global_bool_tpl.execute_string({"booleans" : global_bool})
 	global_bool_file = "global_booleans.html"
 	global_bool_fh = open(global_bool_file, "w")
 	body_tpl = pyplate.Template(bodydata)
@@ -637,6 +720,21 @@ def gen_docs(doc, working_dir, templatedir):
 
 	body_tpl.execute(global_bool_fh, body_args)
 	global_bool_fh.close()
+	
+	#build the boolean index
+	all_booleans = all_booleans + global_bool
+	all_booleans.sort(bool_cmp)
+	boolean_tpl = pyplate.Template(boollistdata)
+	boolean_buf = boolean_tpl.execute_string({"booleans" : all_booleans})
+	temp_file = "booleans.html"
+	temp_fh = open(temp_file, "w")
+	body_tpl = pyplate.Template(bodydata)
+
+	body_args = { "menu" : menu_buf, 
+		      "content" : boolean_buf }
+
+	body_tpl.execute(temp_fh, body_args)
+	temp_fh.close()
 
 
 
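Review bot: `all_tunables = all_tunables + global_tun` merges the per-module entries, which carry `mod_name`/`mod_layer`, with the global entries, which do not; if tun_list.html uses those keys to link each tunable to its module page (I cannot see the template), every global tunable will hit a missing key or render an empty link. Give the global entries the same shape, e.g. add `"mod_name" : None, "mod_layer" : None` when building `global_tun`, or make the template test for the keys. The same applies to `all_booleans = all_booleans + global_bool` further down in this hunk, and the reused `temp_file`/`temp_fh` names would read better as `tun_index_fh`/`bool_index_fh` so the two index writers cannot be confused.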
diff --git a/support/segenxml.py b/support/segenxml.py
index 10cc8bd..d6c4fd5 100644
--- a/support/segenxml.py
+++ b/support/segenxml.py
@@ -3,6 +3,7 @@
 #  Author(s): Donald Miner <dminer@tresys.com>
 #             Dave Sugar <dsugar@tresys.com>
 #             Brian Williams <bwilliams@tresys.com>
+#             Caleb Case <ccase@tresys.com>
 #
 # Copyright (C) 2005 - 2006 Tresys Technology, LLC
 #      This program is free software; you can redistribute it and/or modify
@@ -18,6 +19,7 @@ import sys
 import os
 import glob
 import re
+import getopt
 
 # GLOBALS
 
@@ -70,9 +72,15 @@ def getModuleXML(file_name):
 	Returns the XML data for a module in a list, one line per list item.
 	'''
 
+	# Gather information.
+	module_dir = os.path.dirname(file_name)
+	module_name = os.path.basename(file_name)
+	module_te = "%s/%s.te" % (module_dir, module_name)
+	module_if = "%s/%s.if" % (module_dir, module_name)
+
 	# Try to open the file, if it cant, just ignore it.
 	try:
-		module_file = open(file_name, "r")
+		module_file = open(module_if, "r")
 		module_code = module_file.readlines()
 		module_file.close()
 	except:
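Review bot: The synthesized paths `"%s/%s.te" % (module_dir, module_name)` and its `.if` twin become absolute when file_name has no directory part, because os.path.dirname("apache") is "" and the format string then yields "/apache.te"; the bare `except:` on the following open then silently turns that into an empty module. Use `module_te = os.path.join(module_dir, module_name + ".te")` and `module_if = os.path.join(module_dir, module_name + ".if")` so a bare module name resolves relative to the current directory. Narrowing the except to IOError would also stop it from masking other failures, though that part is pre-existing. getModuleXML continues beyond this hunk.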
@@ -83,7 +91,7 @@ def getModuleXML(file_name):
 
 	# Infer the module name, which is the base of the file name.
 	module_buf.append("<module name=\"%s\" filename=\"%s\">\n" 
-		% (os.path.splitext(os.path.split(file_name)[-1])[0], file_name))
+		% (os.path.splitext(os.path.split(file_name)[-1])[0], module_if))
 
 	temp_buf = []
 	interface = None
@@ -175,54 +183,13 @@ def getModuleXML(file_name):
 	elif temp_buf:
 		warning("orphan XML comments at bottom of file %s" % file_name)
 
+	# Process the TE file if it exists.
+	module_buf = module_buf + getTunableXML(module_te, "both")
+
 	module_buf.append("</module>\n")
 
 	return module_buf
 
-def getLayerXML (layerName, directories):
-	'''
-	Returns the XML documentation for a layer.
-	'''
-
-	layer_buf = []
-
-	# Infer the layer name from the directory name.
-	layer_buf.append("<layer name=\"%s\">\n" % layerName)
-
-	# Try to file the metadata file for this layer and if it exists,
-	# append the contents to the buffer.
-	bFoundMeta = False
-	for directory in directories:
-		metafile = directory + "/" + meta
-
-		if not bFoundMeta and os.path.isfile (metafile):
-			layer_meta = open (metafile, "r")
-			layer_buf += layer_meta.readlines ()
-			layer_meta.close()
-			bFoundMeta = True
-
-	# force the metadata for the third party layer
-	if not bFoundMeta:
-		if layerName == third_party:
-			layer_buf.append ("<summary>This is all third-party generated modules.</summary>\n")
-			bFoundMeta = True
-
-	# didn't find meta data for this layer - oh well	
-	if not bFoundMeta:
-		layer_buf.append ("<summary>Summary is missing!.</summary>\n")
-		warning ("unable to find %s for layer %s" % (meta, layerName))	
-	
-	# For each module file in the layer, add its XML.
-	for directory in directories:
-		modules = glob.glob("%s/*.if" % directory)
-		modules.sort()
-		for module in modules:
-			layer_buf += getModuleXML(module)
-
-	layer_buf.append("</layer>\n")
-
-	return layer_buf
-
 def getTunableXML(file_name, kind):
 	'''
 	Return all the XML for the tunables/bools in the file specified.
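Review bot: The orphan-comment warning on the context line above still reports `file_name`, but the file actually read is now `module_if`, so the message names the extension-less module stem rather than the .if that contained the comments; change it to `warning("orphan XML comments at bottom of file %s" % module_if)`. The new comment says "Process the TE file if it exists", but the call `getTunableXML(module_te, "both")` is unconditional and whether getTunableXML tolerates a missing file is not visible in this hunk — either guard with `os.path.isfile(module_te)` or reword the comment to match the actual behaviour. getModuleXML starts before this hunk.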
@@ -257,8 +224,10 @@ def getTunableXML(file_name, kind):
 		if boolean:
 			# If there is a gen_bool in a tunable file or a
 			# gen_tunable in a boolean file, error and exit.
-			if boolean.group(1) != kind:
-				error("%s in a %s file." % (boolean.group(1), kind))
+			# Skip if both kinds are valid.
+			if kind != "both":
+				if boolean.group(1) != kind:
+					error("%s in a %s file." % (boolean.group(1), kind))
 
 			tunable_buf.append("<%s name=\"%s\" dftval=\"%s\">\n" % boolean.groups())
 			tunable_buf += temp_buf
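Review bot: The new nested `if kind != "both": if boolean.group(1) != kind:` reads as two checks where one condition is meant; collapsing it to `if kind != "both" and boolean.group(1) != kind:` followed by the existing `error(...)` call keeps the intent on a single line and matches the comment above it. The comment "Skip if both kinds are valid" could also say what "both" means for callers, e.g. `# kind == "both" is used for module .te files, which may declare either.` getTunableXML continues outside this hunk.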
@@ -341,39 +310,15 @@ def usage():
 	Displays a message describing the proper usage of this script.
 	"""
 
-	sys.stdout.write("usage: %s [-w] [-m file] "\
-		% sys.argv[0])
-
-	sys.stdout.write("layerdirectory [layerdirectory...]\n\n")
-
-	sys.stdout.write("Options:\n")
-
-	sys.stdout.write ("-h --help                      -- "+\
-				"show command line options\n")
-
-	sys.stdout.write("-w --warn                      -- "+\
-				"show warnings\n")
+	sys.stdout.write("usage: %s [-w] [-mtb] <file>\n\n" % sys.argv[0])
+	sys.stdout.write("-w --warn\t\t\tshow warnings\n"+\
+	"-m --module <file>\t\tname of module to process\n"+\
+	"-t --tunable <file>\t\tname of global tunable file to process\n"+\
+	"-b --boolean <file>\t\tname of global boolean file to process\n\n")
 
-	sys.stdout.write("-m --meta <file>               -- "+\
-				"the filename of the metadata in each layer\n")
-
-	sys.stdout.write("-t --tunable <file>            -- "+\
-				"A file containing tunable declarations\n")
-
-	sys.stdout.write("-b --bool <file>               -- "+\
-				"A file containing bool declarations\n")
-												   
-	sys.stdout.write("-o --output-dir <directory>    -- "+\
-				"A directory to output global_tunables.xml and global_booleans.xml\n")
-
-	sys.stdout.write("--tunables-xml <file>          -- "+\
-				"A file containing tunable declarations already in XML format\n")
-
-	sys.stdout.write("--booleans-xml <file>          -- "+\
-				"A file containing bool declarations already in XML format\n")
-				
-	sys.stdout.write ("-3 --third-party <directory>   -- "+\
-				"Look for 3rd Party modules in directory.\n")
+	sys.stdout.write("examples:\n")
+	sys.stdout.write("> %s -w -m policy/modules/apache\n" % sys.argv[0])
+	sys.stdout.write("> %s -t policy/global_tunables\n" % sys.argv[0])
 
 def warning(description):
 	'''
@@ -397,79 +342,50 @@ def error(description):
 
 
 # MAIN PROGRAM
+
+# Defaults
+warn = False
+module = False
+tunable = False
+boolean = False
+
 # Check that there are command line arguments.
 if len(sys.argv) <= 1:
 	usage()
 	sys.exit(1)
 
-
-# Parse the command line arguments
-for i in range(1, len(sys.argv)):
-	if sys.argv[i-1] in ("-m", "--meta",\
-					"-t", "--tunable", "-b", "--bool",\
-					"-o", "--output-dir", "-3", "--third-party", \
-					"--tunables-xml", "--booleans-xml"):
-		continue
-	elif sys.argv[i] in ("-w", "--warn"):
+# Parse command line args
+try:
+	opts, args = getopt.getopt(sys.argv[1:], 'whm:t:b:', ['warn', 'help', 'module=', 'tunable=', 'boolean='])
+except getopt.GetoptError:
+	usage()
+	sys.exit(2)
+for o, a in opts:
+	if o in ('-w', '--warn'):
 		warn = True
-	elif sys.argv[i] in ("-m", "--meta"):
-		if i < len(sys.argv)-1:
-			meta = sys.argv[i+1]
-		else:
-			usage()
-	elif sys.argv[i] in ("-t", "--tunable"):
-		if i < len(sys.argv)-1:
-			tunable_files.append(sys.argv[i+1])
-		else:
-			usage()
-	elif sys.argv[i] in ("-b", "--bool"):
-		if i < len(sys.argv)-1:
-			bool_files.append(sys.argv[i+1])
-		else:
-			usage()
-	
-	elif sys.argv[i] == "--tunables-xml":
-		if i < len(sys.argv)-1:
-			xml_bool_files.append (sys.argv[i+1])
-		else:
-			usage ()
-			
-	elif sys.argv[i] == "--booleans-xml":
-		if i < len(sys.argv)-1:
-			xml_tunable_files.append (sys.argv[i+1])
-		else:
-			usage ()
-			
-	elif sys.argv[i] in ("-o", "--output-dir"):
-		if i < len(sys.argv)-1:
-			output_dir = sys.argv[i+1]
-		else:
-			usage ()
-			
-	elif sys.argv[i] in ("-3", "--third-party"):
-		if i < len(sys.argv) -1:
-			if layers.has_key (third_party):
-				layers[third_party].append (sys.argv[i+1])
-			else:
-				layers[third_party] = [sys.argv[i+1]]
-		else:
-			usage ()
-
-	elif sys.argv[i] in ("-h", "--help"):
-		usage ()
-		sys.exit (1)
-
+	elif o in ('-h', '--help'):
+		usage()
+		sys.exit(0)
+	elif o in ('-m', '--module'):
+		module = a
+		break
+	elif o in ('-t', '--tunable'):
+		tunable = a
+		break
+	elif o in ('-b', '--boolean'):
+		boolean = a
+		break
 	else:
-		# store directories in hash stored by layer name
-		splitlayer = os.path.split(sys.argv[i])
-		if layers.has_key (splitlayer[1]):
-			layers[splitlayer[1]].append (sys.argv[i])
-		else:
-			layers[splitlayer[1]] = [sys.argv[i]]
-
-
-# Generate the XML and output it to a file
-lines = getPolicyXML()
-for s in lines:
-	sys.stdout.write(s)
+		usage()
+		sys.exit(2)
+
+if module:
+	sys.stdout.writelines(getModuleXML(module))
+elif tunable:
+	sys.stdout.writelines(getTunableXML(tunable, "tunable"))
+elif boolean:
+	sys.stdout.writelines(getTunableXML(boolean, "bool"))
+else:
+	usage()
+	sys.exit(2)