diff --git a/strict/domains/program/bluetooth.te b/strict/domains/program/bluetooth.te
index fc09db6..c25544d 100644
--- a/strict/domains/program/bluetooth.te
+++ b/strict/domains/program/bluetooth.te
@@ -11,16 +11,23 @@ daemon_domain(bluetooth)
 file_type_auto_trans(bluetooth_t, var_run_t, bluetooth_var_run_t, sock_file)
+file_type_auto_trans(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
 tmp_domain(bluetooth)
+var_lib_domain(bluetooth)
 # Use capabilities.
+allow bluetooth_t self:file read;
 allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
+allow bluetooth_t self:process getsched;
+allow bluetooth_t proc_t:file { getattr read };
+
+allow bluetooth_t self:shm create_shm_perms;
 lock_domain(bluetooth)
 # Use the network.
-can_network_server(bluetooth_t)
+can_network(bluetooth_t)
 can_ypbind(bluetooth_t)
 ifdef(`dbusd.te', `
 dbusd_client(system, bluetooth)
@@ -35,6 +42,7 @@ dontaudit bluetooth_t sysadm_devpts_t:chr_file { read write };
 # bluetooth_conf_t is the type of the /etc/bluetooth dir.
 type bluetooth_conf_t, file_type, sysadmfile;
+type bluetooth_conf_rw_t, file_type, sysadmfile;
 # Read /etc/bluetooth
 allow bluetooth_t bluetooth_conf_t:dir search;
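Review bot: `-can_network_server(bluetooth_t)` / `+can_network(bluetooth_t)` widens the daemon from accepting connections to also initiating them on any port, and nothing in the hunk says which outbound traffic hcid or sdpd needs; the same widening is made to mysqld_t in the mysqld.te hunk. If the client side is only needed for one service, keep `can_network_server` and add that specific rule; otherwise record the reason, e.g. `# can_network: <outbound use — TODO confirm>`. The new `allow bluetooth_t self:shm create_shm_perms;` and `allow bluetooth_t self:file read;` lines likewise arrive without the why-comment this file otherwise gives its rule groups (`# Use capabilities.`, `# Use the network.`).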
@@ -44,5 +52,56 @@ allow initrc_t usbfs_t:file { getattr read };
 allow bluetooth_t usbfs_t:dir r_dir_perms;
 allow bluetooth_t usbfs_t:file rw_file_perms;
 allow bluetooth_t bin_t:dir search;
-can_exec(bluetooth_t, bin_t)
+can_exec(bluetooth_t, { bin_t shell_exec_t })
+allow bluetooth_t bin_t:lnk_file read;
+
+#Handle bluetooth serial devices
+allow bluetooth_t tty_device_t:chr_file rw_file_perms;
+allow bluetooth_t self:fifo_file rw_file_perms;
+allow bluetooth_t { etc_t etc_runtime_t }:file { getattr read };
+r_dir_file(bluetooth_t, fonts_t)
+allow bluetooth_t urandom_device_t:chr_file r_file_perms;
+allow bluetooth_t usr_t:file { getattr read };
+
+application_domain(bluetooth_helper, `, nscd_client_domain')
+domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
+role system_r types bluetooth_helper_t;
+read_locale(bluetooth_helper_t)
+typeattribute bluetooth_helper_t unrestricted;
+r_dir_file(bluetooth_helper_t, domain)
+allow bluetooth_helper_t bin_t:dir { getattr search };
+can_exec(bluetooth_helper_t, { bin_t shell_exec_t })
+allow bluetooth_helper_t bin_t:lnk_file read;
+allow bluetooth_helper_t self:capability sys_nice;
+allow bluetooth_helper_t self:fifo_file rw_file_perms;
+allow bluetooth_helper_t self:process fork;
+allow bluetooth_helper_t self:shm create_shm_perms;
+allow bluetooth_helper_t self:unix_stream_socket create_stream_socket_perms;
+allow bluetooth_helper_t { etc_t etc_runtime_t }:file { getattr read };
+r_dir_file(bluetooth_helper_t, fonts_t)
+r_dir_file(bluetooth_helper_t, proc_t)
+read_sysctl(bluetooth_helper_t)
+allow bluetooth_helper_t tmp_t:dir search;
+allow bluetooth_helper_t usr_t:file { getattr read };
+allow bluetooth_helper_t home_dir_type:dir search;
+ifdef(`xserver.te', `
+allow bluetooth_helper_t xserver_log_t:dir search;
+allow bluetooth_helper_t xserver_log_t:file { getattr read };
+')
+ifdef(`targeted_policy', `
+allow bluetooth_helper_t tmp_t:sock_file { read write };
+allow bluetooth_helper_t tmpfs_t:file { read write };
+allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
+allow bluetooth_t unconfined_t:dbus send_msg;
+allow unconfined_t bluetooth_t:dbus send_msg;
+', `
+ifdef(`xdm.te', `
+allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write };
+')
+allow bluetooth_t unpriv_userdomain:dbus send_msg;
+allow unpriv_userdomain bluetooth_t:dbus send_msg;
+')
+allow bluetooth_helper_t bluetooth_t:socket { read write };
+dontaudit bluetooth_helper_t default_t:dir { read search };
+dontaudit bluetooth_helper_t { devtty_t ttyfile }:chr_file { read write };
diff --git a/strict/domains/program/crond.te b/strict/domains/program/crond.te
index ceb0a45..4649348 100644
--- a/strict/domains/program/crond.te
+++ b/strict/domains/program/crond.te
@@ -44,7 +44,7 @@ allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
 read_locale(crond_t)
 # Use capabilities.
-allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice };
+allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice audit_control };
 dontaudit crond_t self:capability sys_resource;
 # Get security policy decisions.
@@ -208,4 +208,7 @@ dontaudit system_crond_t removable_t:filesystem getattr;
 dontaudit crond_t self:capability sys_tty_config;
 ifdef(`apache.te', `
 allow system_crond_t { httpd_log_t httpd_config_t }:file { getattr read };
+allow system_crond_t httpd_modules_t:lnk_file read;
+# Needed for certwatch
+can_exec(system_crond_t, httpd_modules_t)
 ')
diff --git a/strict/domains/program/dhcpc.te b/strict/domains/program/dhcpc.te
index c12bc42..2fff8f5 100644
--- a/strict/domains/program/dhcpc.te
+++ b/strict/domains/program/dhcpc.te
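Review bot: `typeattribute bluetooth_helper_t unrestricted;` takes the PIN helper out of confinement, and this is the process hcid spawns during pairing, so its input ultimately originates from the remote device; together with `can_exec(bluetooth_helper_t, { bin_t shell_exec_t })` and `r_dir_file(bluetooth_helper_t, domain)` the new domain is close to unconfined. The explicit rules below the typeattribute (X socket, xserver_log_t, dbus) suggest the real need is reaching the user's display, which they already cover; drop `unrestricted`, or keep it with a comment stating what still fails without it, e.g. `# TODO: unrestricted is a stopgap for <missing rule — confirm>`. Separately, `can_exec(bluetooth_t, { bin_t shell_exec_t })` now lets the daemon itself run a shell and deserves a comment naming the script it invokes.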
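Review bot: `audit_control` is added to crond_t's capability set in the crond.te hunk with no comment; CAP_AUDIT_CONTROL permits changing audit rules and the audit enabled/disabled state, which is a larger grant than cron's own needs suggest. If this is for pam_loginuid stamping the login uid on jobs, say so next to the rule, e.g. `# audit_control: pam_loginuid sets loginuid on cron jobs -- TODO confirm`, so a later reader does not assume crond is meant to manage auditing.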
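Review bot: `can_exec(system_crond_t, httpd_modules_t)` in the second crond.te hunk lets system cron jobs execute every file labelled httpd_modules_t, not just whatever certwatch runs; the comment `# Needed for certwatch` names the consumer but not the file. If it is a single helper under the modules directory, a dedicated exec type labelled in apache.fc would keep the grant narrow; otherwise widen the comment to record the file, e.g. `# certwatch cron job executes <file -- TODO confirm> from the httpd modules dir`.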
@@ -135,7 +135,6 @@ allow dhcpc_t { userdomain kernel_t }:fd use;
 allow dhcpc_t home_root_t:dir search;
 allow initrc_t dhcpc_state_t:file { getattr read };
 dontaudit dhcpc_t var_lock_t:dir search;
-dontaudit dhcpc_t selinux_config_t:dir search;
 allow dhcpc_t self:netlink_route_socket r_netlink_socket_perms;
 dontaudit dhcpc_t domain:dir getattr;
 allow dhcpc_t initrc_var_run_t:file rw_file_perms;
@@ -146,6 +145,7 @@ can_exec(dhcpc_t, initrc_exec_t)
 ifdef(`ypbind.te', `
 domain_auto_trans(dhcpc_t, ypbind_exec_t, ypbind_t)
 allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink };
+allow dhcpc_t ypbind_t:process signal;
 ')
 ifdef(`ntpd.te', `
 domain_auto_trans(dhcpc_t, ntpd_exec_t, ntpd_t)
diff --git a/strict/domains/program/fsadm.te b/strict/domains/program/fsadm.te
index d5a6220..1d01c3d 100644
--- a/strict/domains/program/fsadm.te
+++ b/strict/domains/program/fsadm.te
@@ -118,3 +118,6 @@ allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
 allow fsadm_t usbfs_t:dir { getattr search };
 allow fsadm_t ramfs_t:fifo_file rw_file_perms;
 allow fsadm_t device_type:chr_file getattr;
+
+# for tune2fs
+allow fsadm_t file_type:dir { getattr search };
diff --git a/strict/domains/program/ftpd.te b/strict/domains/program/ftpd.te
index ab5101e..b20252b 100644
--- a/strict/domains/program/ftpd.te
+++ b/strict/domains/program/ftpd.te
@@ -99,9 +99,11 @@ bool ftp_home_dir false;
 if (ftp_home_dir) {
 # allow access to /home
-allow ftpd_t home_root_t:dir { getattr search };
-allow ftpd_t home_dir_type:dir r_dir_perms;
+allow ftpd_t home_root_t:dir r_dir_perms;
 create_dir_file(ftpd_t, home_type)
+ifdef(`targeted_policy', `
+file_type_auto_trans(ftpd_t, user_home_dir_t, user_home_t)
+')
 }
 if (use_nfs_home_dirs && ftp_home_dir) {
 r_dir_file(ftpd_t, nfs_t)
diff --git a/strict/domains/program/hald.te b/strict/domains/program/hald.te
index 9792bee..a51709a 100644
--- a/strict/domains/program/hald.te
+++ b/strict/domains/program/hald.te
@@ -24,7 +24,8 @@ dbusd_client(system, hald)
 allow hald_t self:dbus send_msg;
 ')
-allow hald_t { self proc_t }:file { getattr read };
+allow hald_t self:file { getattr read };
+allow hald_t proc_t:file rw_file_perms;
 allow hald_t { bin_t sbin_t }:dir search;
 allow hald_t self:fifo_file rw_file_perms;
diff --git a/strict/domains/program/login.te b/strict/domains/program/login.te
index f0fb1cb..289879b 100644
--- a/strict/domains/program/login.te
+++ b/strict/domains/program/login.te
@@ -62,6 +62,11 @@ can_exec($1_login_t, pam_exec_t)
 ifdef(`pamconsole.te', `
 rw_dir_create_file($1_login_t, pam_var_console_t)
+domain_auto_trans($1_login_t, pam_console_exec_t, pam_console_t)
+')
+
+ifdef(`alsa.te', `
+domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
 ')
 # Use capabilities
diff --git a/strict/domains/program/modutil.te b/strict/domains/program/modutil.te
index 27d960a..f69f2bb 100644
--- a/strict/domains/program/modutil.te
+++ b/strict/domains/program/modutil.te
@@ -140,8 +140,9 @@ allow insmod_t initrc_t:fifo_file { getattr read write };
 allow insmod_t fs_t:filesystem getattr;
 allow insmod_t sysfs_t:dir search;
-allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:dir search;
+allow insmod_t { usbfs_t usbdevfs_t }:dir search;
 allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:filesystem mount;
+r_dir_file(insmod_t, debugfs_t)
 # Rules for /proc/sys/kernel/tainted
 read_sysctl(insmod_t)
diff --git a/strict/domains/program/mysqld.te b/strict/domains/program/mysqld.te
index 8a96d2a..2047b44 100644
--- a/strict/domains/program/mysqld.te
+++ b/strict/domains/program/mysqld.te
@@ -42,7 +42,7 @@ allow mysqld_t proc_t:file { getattr read };
 create_dir_file(mysqld_t, mysqld_db_t)
 allow mysqld_t var_lib_t:dir { getattr search };
-can_network_server(mysqld_t)
+can_network(mysqld_t)
 can_ypbind(mysqld_t)
 # read config files
diff --git a/strict/domains/program/named.te b/strict/domains/program/named.te
index 04c0712..08d6718 100644
--- a/strict/domains/program/named.te
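Review bot: `+allow hald_t proc_t:file rw_file_perms;` turns what was `{ getattr read }` on proc_t into write access to every proc_t-labelled file, and the hunk gives no hint which /proc entry hald needs to write. Name it in a comment so the breadth is deliberate, e.g. `# hald writes <proc file -- TODO confirm>`, and check whether that path already has (or should get) a narrower type than the generic proc_t; the split into two rules is otherwise fine.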
+++ b/strict/domains/program/named.te
@@ -36,7 +36,7 @@ allow named_t sbin_t:dir search;
 allow named_t self:process { setsched setcap setrlimit };
 # A type for configuration files of named.
-type named_conf_t, file_type, sysadmfile;
+type named_conf_t, file_type, sysadmfile, mount_point;
 # for primary zone files
 type named_zone_t, file_type, sysadmfile;
@@ -101,6 +101,13 @@ allow named_t random_device_t:chr_file r_file_perms;
 # Use a pipe created by self.
 allow named_t self:fifo_file rw_file_perms;
+# Enable named dbus support:
+ifdef(`dbusd.te', `
+dbusd_client(system, named)
+allow named_t system_dbusd_t:dbus { acquire_svc send_msg };
+allow named_t self:dbus send_msg;
+')
+
 # Set own capabilities.
 #A type for /usr/sbin/ndc
 type ndc_exec_t, file_type,sysadmfile, exec_type;
diff --git a/strict/domains/program/restorecon.te b/strict/domains/program/restorecon.te
index dc58221..52fff2f 100644
--- a/strict/domains/program/restorecon.te
+++ b/strict/domains/program/restorecon.te
@@ -63,3 +63,4 @@ allow restorecon_t kernel_t:fd use;
 allow restorecon_t kernel_t:fifo_file { read write };
 allow restorecon_t kernel_t:unix_dgram_socket { read write };
 r_dir_file(restorecon_t, { selinux_config_t file_context_t default_context_t } )
+allow restorecon_t autofs_t:dir search;
diff --git a/strict/file_contexts/distros.fc b/strict/file_contexts/distros.fc
index 33c7f5e..6024f6a 100644
--- a/strict/file_contexts/distros.fc
+++ b/strict/file_contexts/distros.fc
@@ -1,67 +1,67 @@
 ifdef(`distro_redhat', `
-/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- system_u:object_r:bin_t:s0
-/etc/sysconfig/networking/profiles/.*/resolv\.conf -- system_u:object_r:net_conf_t:s0
-/etc/sysconfig/network-scripts/.*resolv\.conf -- system_u:object_r:net_conf_t:s0
-/usr/share/rhn/rhn_applet/applet\.py -- system_u:object_r:bin_t:s0
-/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- system_u:object_r:shlib_t:s0
-/usr/share/rhn/rhn_applet/needed-packages\.py -- system_u:object_r:bin_t:s0
-/usr/share/authconfig/authconfig-gtk\.py -- system_u:object_r:bin_t:s0
-/usr/share/hwbrowser/hwbrowser -- system_u:object_r:bin_t:s0
-/usr/share/system-config-httpd/system-config-httpd -- system_u:object_r:bin_t:s0
-/usr/share/system-config-services/system-config-services -- system_u:object_r:bin_t:s0
-/usr/share/system-logviewer/system-logviewer\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-lvm/system-config-lvm.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-date/system-config-date\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-display/system-config-display -- system_u:object_r:bin_t:s0
-/usr/share/system-config-keyboard/system-config-keyboard -- system_u:object_r:bin_t:s0
-/usr/share/system-config-language/system-config-language -- system_u:object_r:bin_t:s0
-/usr/share/system-config-mouse/system-config-mouse -- system_u:object_r:bin_t:s0
-/usr/share/system-config-netboot/system-config-netboot\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-netboot/pxeos\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-netboot/pxeboot\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-nfs/system-config-nfs\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-rootpassword/system-config-rootpassword -- system_u:object_r:bin_t:s0
-/usr/share/system-config-samba/system-config-samba\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-services/serviceconf\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-soundcard/system-config-soundcard -- system_u:object_r:bin_t:s0
-/usr/share/system-config-users/system-config-users -- system_u:object_r:bin_t:s0
-/usr/share/switchdesk/switchdesk-gui\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-network/neat-control\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-nfs/nfs-export\.py -- system_u:object_r:bin_t:s0
-/usr/share/pydict/pydict\.py -- system_u:object_r:bin_t:s0
-/usr/share/cvs/contrib/rcs2log -- system_u:object_r:bin_t:s0
-/usr/share/pwlib/make/ptlib-config -- system_u:object_r:bin_t:s0
-/usr/share/texmf/web2c/mktexdir -- system_u:object_r:bin_t:s0
-/usr/share/texmf/web2c/mktexnam -- system_u:object_r:bin_t:s0
-/usr/share/texmf/web2c/mktexupd -- system_u:object_r:bin_t:s0
-/etc/rhgb(/.*)? -d system_u:object_r:mnt_t:s0
-/usr/share/ssl/misc(/.*)? system_u:object_r:bin_t:s0
+/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- system_u:object_r:bin_t
+/etc/sysconfig/networking/profiles/.*/resolv\.conf -- system_u:object_r:net_conf_t
+/etc/sysconfig/network-scripts/.*resolv\.conf -- system_u:object_r:net_conf_t
+/usr/share/rhn/rhn_applet/applet\.py -- system_u:object_r:bin_t
+/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- system_u:object_r:shlib_t
+/usr/share/rhn/rhn_applet/needed-packages\.py -- system_u:object_r:bin_t
+/usr/share/authconfig/authconfig-gtk\.py -- system_u:object_r:bin_t
+/usr/share/hwbrowser/hwbrowser -- system_u:object_r:bin_t
+/usr/share/system-config-httpd/system-config-httpd -- system_u:object_r:bin_t
+/usr/share/system-config-services/system-config-services -- system_u:object_r:bin_t
+/usr/share/system-logviewer/system-logviewer\.py -- system_u:object_r:bin_t
+/usr/share/system-config-lvm/system-config-lvm.py -- system_u:object_r:bin_t
+/usr/share/system-config-date/system-config-date\.py -- system_u:object_r:bin_t
+/usr/share/system-config-display/system-config-display -- system_u:object_r:bin_t
+/usr/share/system-config-keyboard/system-config-keyboard -- system_u:object_r:bin_t
+/usr/share/system-config-language/system-config-language -- system_u:object_r:bin_t
+/usr/share/system-config-mouse/system-config-mouse -- system_u:object_r:bin_t
+/usr/share/system-config-netboot/system-config-netboot\.py -- system_u:object_r:bin_t
+/usr/share/system-config-netboot/pxeos\.py -- system_u:object_r:bin_t
+/usr/share/system-config-netboot/pxeboot\.py -- system_u:object_r:bin_t
+/usr/share/system-config-nfs/system-config-nfs\.py -- system_u:object_r:bin_t
+/usr/share/system-config-rootpassword/system-config-rootpassword -- system_u:object_r:bin_t
+/usr/share/system-config-samba/system-config-samba\.py -- system_u:object_r:bin_t
+/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- system_u:object_r:bin_t
+/usr/share/system-config-services/serviceconf\.py -- system_u:object_r:bin_t
+/usr/share/system-config-soundcard/system-config-soundcard -- system_u:object_r:bin_t
+/usr/share/system-config-users/system-config-users -- system_u:object_r:bin_t
+/usr/share/switchdesk/switchdesk-gui\.py -- system_u:object_r:bin_t
+/usr/share/system-config-network/neat-control\.py -- system_u:object_r:bin_t
+/usr/share/system-config-nfs/nfs-export\.py -- system_u:object_r:bin_t
+/usr/share/pydict/pydict\.py -- system_u:object_r:bin_t
+/usr/share/cvs/contrib/rcs2log -- system_u:object_r:bin_t
+/usr/share/pwlib/make/ptlib-config -- system_u:object_r:bin_t
+/usr/share/texmf/web2c/mktexdir -- system_u:object_r:bin_t
+/usr/share/texmf/web2c/mktexnam -- system_u:object_r:bin_t
+/usr/share/texmf/web2c/mktexupd -- system_u:object_r:bin_t
+/etc/rhgb(/.*)? -d system_u:object_r:mnt_t
+/usr/share/ssl/misc(/.*)? system_u:object_r:bin_t
 #
 # /emul/ia32-linux/usr
 #
-/emul(/.*)? system_u:object_r:usr_t:s0
-/emul/ia32-linux/usr(/.*)?/lib(/.*)? system_u:object_r:lib_t:s0
-/emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
-/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
-/emul/ia32-linux/usr(/.*)?/java/.*\.jar -- system_u:object_r:shlib_t:s0
-/emul/ia32-linux/usr(/.*)?/java/.*\.jsa -- system_u:object_r:shlib_t:s0
-/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t:s0
-/emul/ia32-linux/usr(/.*)?/bin(/.*)? system_u:object_r:bin_t:s0
-/emul/ia32-linux/usr(/.*)?/Bin(/.*)? system_u:object_r:bin_t:s0
-/emul/ia32-linux/usr(/.*)?/sbin(/.*)? system_u:object_r:sbin_t:s0
-/emul/ia32-linux/usr/libexec(/.*)? system_u:object_r:bin_t:s0
+/emul(/.*)? system_u:object_r:usr_t
+/emul/ia32-linux/usr(/.*)?/lib(/.*)? system_u:object_r:lib_t
+/emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+/emul/ia32-linux/usr(/.*)?/java/.*\.jar -- system_u:object_r:shlib_t
+/emul/ia32-linux/usr(/.*)?/java/.*\.jsa -- system_u:object_r:shlib_t
+/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
+/emul/ia32-linux/usr(/.*)?/bin(/.*)? system_u:object_r:bin_t
+/emul/ia32-linux/usr(/.*)?/Bin(/.*)? system_u:object_r:bin_t
+/emul/ia32-linux/usr(/.*)?/sbin(/.*)? system_u:object_r:sbin_t
+/emul/ia32-linux/usr/libexec(/.*)? system_u:object_r:bin_t
 # /emul/ia32-linux/lib
-/emul/ia32-linux/lib(/.*)? system_u:object_r:lib_t:s0
-/emul/ia32-linux/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
-/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t:s0
+/emul/ia32-linux/lib(/.*)? system_u:object_r:lib_t
+/emul/ia32-linux/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t
 # /emul/ia32-linux/bin
-/emul/ia32-linux/bin(/.*)? system_u:object_r:bin_t:s0
+/emul/ia32-linux/bin(/.*)? system_u:object_r:bin_t
 # /emul/ia32-linux/sbin
-/emul/ia32-linux/sbin(/.*)? system_u:object_r:sbin_t:s0
+/emul/ia32-linux/sbin(/.*)? system_u:object_r:sbin_t
 ifdef(`dbusd.te', `', `
-/var/run/dbus(/.*)? system_u:object_r:system_dbusd_var_run_t:s0
+/var/run/dbus(/.*)? system_u:object_r:system_dbusd_var_run_t
 ')
 # The following are libraries with text relocations in need of execmod permissions
@@ -69,96 +69,96 @@ ifdef(`dbusd.te', `', `
 # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
 # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
-/usr/lib/gstreamer-.*/libgstffmpeg\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/gstreamer-.*/libgstmms\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libstdc\+\+\.so\.2\.7\.2\.8 -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libg\+\+\.so\.2\.7\.2\.8 -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libglide3\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libdv\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/plugins/oggfformat\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/plugins/theorarend\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/plugins/vorbisrend\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/codecs/colorcvt\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/codecs/cvt1\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libSDL-.*\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/X11R6/lib/modules/dri/.*\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/X11R6/lib/libOSMesa\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/X11R6/lib/libfglrx_gamma\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libHermes\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/valgrind/hp2ps -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/valgrind/stage2 -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/valgrind/vg.*\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/libxpcom_core.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program(/.*)? system_u:object_r:bin_t:s0
-/usr/lib/.*/program/.*\.so.* system_u:object_r:shlib_t:s0
-/usr/lib/.*/program/libicudata\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program/libsts645li\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program/libvclplug_gen645li\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program/libwrp645li\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program/libswd680li\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?/.*/program/librecentfile\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?/.*/program/libsvx680li\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?/.*/program/libsoffice\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/gstreamer-.*/libgstffmpeg\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/gstreamer-.*/libgstmms\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/libstdc\+\+\.so\.2\.7\.2\.8 -- system_u:object_r:texrel_shlib_t
+/usr/lib/libg\+\+\.so\.2\.7\.2\.8 -- system_u:object_r:texrel_shlib_t
+/usr/lib/libglide3\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/lib/libdv\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/lib/helix/plugins/oggfformat\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/helix/plugins/theorarend\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/helix/plugins/vorbisrend\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/helix/codecs/colorcvt\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/helix/codecs/cvt1\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/libSDL-.*\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/X11R6/lib/modules/dri/.*\.so -- system_u:object_r:texrel_shlib_t
+/usr/X11R6/lib/libOSMesa\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/X11R6/lib/libfglrx_gamma\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/lib/libHermes\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/hp2ps -- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/stage2 -- system_u:object_r:texrel_shlib_t
+/usr/lib/valgrind/vg.*\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/libxpcom_core.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program(/.*)? system_u:object_r:bin_t
+/usr/lib/.*/program/.*\.so.* system_u:object_r:shlib_t
+/usr/lib/.*/program/libicudata\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program/libsts645li\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program/libvclplug_gen645li\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program/libwrp645li\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/program/libswd680li\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib(64)?/.*/program/librecentfile\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib(64)?/.*/program/libsvx680li\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib(64)?/.*/program/libsoffice\.so -- system_u:object_r:texrel_shlib_t
 # Fedora Extras packages: ladspa, imlib2, ocaml
-/usr/lib/ladspa/analogue_osc_1416\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/bandpass_a_iir_1893\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/bandpass_iir_1892\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/butterworth_1902\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/fm_osc_1415\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/gsm_1215\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/gverb_1216\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/hermes_filter_1200\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/highpass_iir_1890\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/lowpass_iir_1891\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/notch_iir_1894\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/pitch_scale_1193\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/pitch_scale_1194\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/sc1_1425\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/sc2_1426\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/sc3_1427\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/sc4_1882\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/se4_1883\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libImlib2\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ocaml/stublibs/dllnums\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/httpd/modules/libphp5\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/php/modules/.*\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/analogue_osc_1416\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/bandpass_a_iir_1893\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/bandpass_iir_1892\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/butterworth_1902\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/fm_osc_1415\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/gsm_1215\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/gverb_1216\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/hermes_filter_1200\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/highpass_iir_1890\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/lowpass_iir_1891\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/notch_iir_1894\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/pitch_scale_1193\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/pitch_scale_1194\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/sc1_1425\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/sc2_1426\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/sc3_1427\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/sc4_1882\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/se4_1883\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/libImlib2\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/lib/ocaml/stublibs/dllnums\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/httpd/modules/libphp5\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/php/modules/.*\.so -- system_u:object_r:texrel_shlib_t
 # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
-/usr/lib/xmms/Input/libmpg123\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libpostproc\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libavformat-.*\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libavcodec-.*\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libxvidcore\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/xine/plugins/.*\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libgsm\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libmp3lame\.so.* -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/xmms/Input/libmpg123\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/libpostproc\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/lib/libavformat-.*\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/libavcodec-.*\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/libxvidcore\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/lib/xine/plugins/.*\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/libgsm\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/lib/libmp3lame\.so.* -- system_u:object_r:texrel_shlib_t
 # Flash plugin, Macromedia
-HOME_DIR/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t:s0
+HOME_DIR/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/lib/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t
 # Jai, Sun Microsystems (Jpackage SPRM)
-/usr/lib/libmlib_jai\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libdivxdecore.so.0 -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libdivxencore.so.0 -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libmlib_jai\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/libdivxdecore.so.0 -- system_u:object_r:texrel_shlib_t
+/usr/lib/libdivxencore.so.0 -- system_u:object_r:texrel_shlib_t
 # Java, Sun Microsystems (JPackage SRPM)
-/usr/.*/jre/lib/i386/libdeploy.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/.*/jre/lib/i386/libdeploy.so -- system_u:object_r:texrel_shlib_t
-/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- system_u:object_r:shlib_t:s0
-/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- system_u:object_r:texrel_shlib_t:s0
-/usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api -- system_u:object_r:texrel_shlib_t:s0
-/usr(/.*)?/Reader/intellinux/SPPlugins/ADMPlugin\.apl -- system_u:object_r:texrel_shlib_t:s0
+/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- system_u:object_r:shlib_t
+/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- system_u:object_r:texrel_shlib_t
+/usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api -- system_u:object_r:texrel_shlib_t
+/usr(/.*)?/Reader/intellinux/SPPlugins/ADMPlugin\.apl -- system_u:object_r:texrel_shlib_t
 ')
 ifdef(`distro_suse', `
-/var/lib/samba/bin/.+ system_u:object_r:bin_t:s0
-/var/lib/samba/bin/.*\.so(\.[^/]*)* -l system_u:object_r:lib_t:s0
-/usr/lib/samba/classic/.* -- system_u:object_r:bin_t:s0
-/usr/lib/samba/classic/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
-/success -- system_u:object_r:etc_runtime_t:s0
-/etc/defkeymap\.map -- system_u:object_r:etc_runtime_t:s0
+/var/lib/samba/bin/.+ system_u:object_r:bin_t
+/var/lib/samba/bin/.*\.so(\.[^/]*)* -l system_u:object_r:lib_t
+/usr/lib/samba/classic/.* -- system_u:object_r:bin_t
+/usr/lib/samba/classic/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+/success -- system_u:object_r:etc_runtime_t
+/etc/defkeymap\.map -- system_u:object_r:etc_runtime_t
 ')
diff --git a/strict/file_contexts/program/bluetooth.fc b/strict/file_contexts/program/bluetooth.fc
index 69fecd7..da6b056 100644
--- a/strict/file_contexts/program/bluetooth.fc
+++ b/strict/file_contexts/program/bluetooth.fc
@@ -1,8 +1,11 @@
 # bluetooth
 /etc/bluetooth(/.*)? system_u:object_r:bluetooth_conf_t
+/etc/bluetooth/link_key system_u:object_r:bluetooth_conf_rw_t
 /usr/bin/rfcomm -- system_u:object_r:bluetooth_exec_t
 /usr/sbin/hcid -- system_u:object_r:bluetooth_exec_t
 /usr/sbin/sdpd -- system_u:object_r:bluetooth_exec_t
 /usr/sbin/hciattach -- system_u:object_r:bluetooth_exec_t
 /var/run/sdp -s system_u:object_r:bluetooth_var_run_t
 /usr/sbin/hid2hci -- system_u:object_r:bluetooth_exec_t
+/usr/bin/blue.*pin -- system_u:object_r:bluetooth_helper_exec_t
+/var/lib/bluetooth(/.*)? system_u:object_r:bluetooth_var_lib_t
diff --git a/strict/file_contexts/program/dhcpc.fc b/strict/file_contexts/program/dhcpc.fc
index 1390839..a035faa 100644
--- a/strict/file_contexts/program/dhcpc.fc
+++ b/strict/file_contexts/program/dhcpc.fc
@@ -4,9 +4,11 @@
 /etc/dhclient.*conf -- system_u:object_r:dhcp_etc_t
 /etc/dhclient-script -- system_u:object_r:dhcp_etc_t
 /sbin/dhcpcd -- system_u:object_r:dhcpc_exec_t
+/sbin/dhcdbd -- system_u:object_r:dhcpc_exec_t
 /sbin/dhclient.* -- system_u:object_r:dhcpc_exec_t
 /var/lib/dhcp(3)?/dhclient.* system_u:object_r:dhcpc_state_t
 /var/lib/dhcpcd(/.*)? system_u:object_r:dhcpc_state_t
+/var/lib/dhclient(/.*)? system_u:object_r:dhcpc_state_t
 /var/run/dhclient.*\.pid -- system_u:object_r:dhcpc_var_run_t
 /var/run/dhclient.*\.leases -- system_u:object_r:dhcpc_var_run_t
 # pump
diff --git a/strict/file_contexts/program/dhcpd.fc b/strict/file_contexts/program/dhcpd.fc
index 3e010c3..d26d56d 100644
--- a/strict/file_contexts/program/dhcpd.fc
+++ b/strict/file_contexts/program/dhcpd.fc
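Review bot: `+/usr/bin/blue.*pin -- system_u:object_r:bluetooth_helper_exec_t` is a wildcard, so any /usr/bin file whose name starts with `blue` and ends with `pin` becomes an entry point into bluetooth_helper_t, which the bluetooth.te hunk in this commit marks `unrestricted`; list the actual helpers instead of `.*` (`/usr/bin/bluepin` and `/usr/bin/bluez-pin`, if those are the ones intended). Splitting `/etc/bluetooth/link_key` out as bluetooth_conf_rw_t is welcome since that file holds the pairing keys; for consistency with the single-file entries around it, give it the `--` flag so the rule cannot match a directory of that name.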
@@ -13,6 +13,7 @@ ifdef(`distro_gentoo', `
 /etc/dhcp -d system_u:object_r:dhcp_etc_t
 /etc/dhcp(/.*)? -- system_u:object_r:dhcp_etc_t
 /var/lib/dhcp -d system_u:object_r:dhcp_state_t
+/var/lib/dhcpd(/.*)? system_u:object_r:dhcpd_state_t
 /var/lib/dhcp/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t
 /var/run/dhcp/dhcpd\.pid -- system_u:object_r:dhcpd_var_run_t
diff --git a/strict/file_contexts/program/ftpd.fc b/strict/file_contexts/program/ftpd.fc
index 6865fc5..c75f7f1 100644
--- a/strict/file_contexts/program/ftpd.fc
+++ b/strict/file_contexts/program/ftpd.fc
@@ -10,7 +10,8 @@
 /var/run/proftpd/proftpd\.scoreboard -- system_u:object_r:ftpd_var_run_t
 /var/log/muddleftpd\.log.* -- system_u:object_r:xferlog_t
 /var/log/xferlog.* -- system_u:object_r:xferlog_t
+/var/log/vsftpd.* -- system_u:object_r:xferlog_t
 /var/log/xferreport.* -- system_u:object_r:xferlog_t
 /etc/cron\.monthly/proftpd -- system_u:object_r:ftpd_exec_t
-/var/ftp(/.*)? system_u:object_r:ftpd_anon_t
-/srv/([^/]*/)?ftp(/.*)? system_u:object_r:ftpd_anon_t
+/var/ftp(/.*)? system_u:object_r:public_content_t
+/srv/([^/]*/)?ftp(/.*)? system_u:object_r:public_content_t
diff --git a/strict/file_contexts/program/ipsec.fc b/strict/file_contexts/program/ipsec.fc
index 7df06bb..e915b75 100644
--- a/strict/file_contexts/program/ipsec.fc
+++ b/strict/file_contexts/program/ipsec.fc
@@ -21,6 +21,7 @@
 /usr/lib(64)?/ipsec/spi -- system_u:object_r:ipsec_exec_t
 /usr/local/lib(64)?/ipsec/spi -- system_u:object_r:ipsec_exec_t
 /var/run/pluto(/.*)? system_u:object_r:ipsec_var_run_t
+/var/racoon(/.*)? system_u:object_r:ipsec_var_run_t
 # Kame
 /usr/sbin/racoon -- system_u:object_r:ipsec_exec_t
diff --git a/strict/file_contexts/program/mdadm.fc b/strict/file_contexts/program/mdadm.fc
index 7ca9f0d..6f295ca 100644
--- a/strict/file_contexts/program/mdadm.fc
+++ b/strict/file_contexts/program/mdadm.fc
@@ -1,4 +1,4 @@
 # mdadm - manage MD devices aka Linux Software Raid.
 /sbin/mdmpd -- system_u:object_r:mdadm_exec_t
 /sbin/mdadm -- system_u:object_r:mdadm_exec_t
-/var/run/mdadm(/.*)? system_u:object_r:mdadm_var_run_t
+/var/run/mdadm(/.*)? system_u:object_r:mdadm_var_run_t
diff --git a/strict/file_contexts/program/postgresql.fc b/strict/file_contexts/program/postgresql.fc
index b433c60..dc644c1 100644
--- a/strict/file_contexts/program/postgresql.fc
+++ b/strict/file_contexts/program/postgresql.fc
@@ -16,5 +16,5 @@
 /usr/lib/pgsql/test/regress/pg_regress -- system_u:object_r:postgresql_exec_t
 ifdef(`distro_redhat', `
 /usr/share/jonas/pgsql(/.*)? system_u:object_r:postgresql_db_t
-/var/log/rhdb/rhdb(/.*)? system_u:object_r:postgresql_log_t
+/var/log/rhdb/rhdb(/.*)? system_u:object_r:postgresql_log_t
 ')
diff --git a/strict/file_contexts/program/rpm.fc b/strict/file_contexts/program/rpm.fc
index 7d60837..c659e65 100644
--- a/strict/file_contexts/program/rpm.fc
+++ b/strict/file_contexts/program/rpm.fc
@@ -5,7 +5,7 @@
 /usr/bin/yum -- system_u:object_r:rpm_exec_t
 /usr/bin/apt-get -- system_u:object_r:rpm_exec_t
 /usr/bin/apt-shell -- system_u:object_r:rpm_exec_t
-/usr/bin/synaptic -- system_u:object_r:rpm_exec_t
+/usr/bin/synaptic -- system_u:object_r:rpm_exec_t
 /usr/lib(64)?/rpm/rpmd -- system_u:object_r:bin_t
 /usr/lib(64)?/rpm/rpmq -- system_u:object_r:bin_t
 /usr/lib(64)?/rpm/rpmk -- system_u:object_r:bin_t
@@ -23,3 +23,7 @@ ifdef(`distro_suse', `
 /var/lib/YaST2(/.*)? system_u:object_r:rpm_var_lib_t
 /var/log/YaST2(/.*)? system_u:object_r:rpm_log_t
 ')
+
+ifdef(`mls_policy', `
+/sbin/cpio -- system_u:object_r:rpm_exec_t
+')
diff --git a/strict/file_contexts/program/rsync.fc b/strict/file_contexts/program/rsync.fc
index a146940..9bce3d5 100644
--- a/strict/file_contexts/program/rsync.fc
+++ b/strict/file_contexts/program/rsync.fc
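Review bot: Labeling the system-wide `/sbin/cpio` as rpm_exec_t under mls_policy means every domain that has a domain transition on rpm_exec_t will enter the rpm domain whenever it runs cpio, not only when rpm itself unpacks a package; rpm's domain is presumably one of the most privileged on the system, so this widens the set of entry paths into it for every cpio caller (initrd builds, backups, interactive use). If the goal is only to let rpm's domain unpack archives, a rule on the .te side allowing it to execute cpio without a transition is the narrower fix. If the relabel must stay, give it a why-comment so nobody later copies it outside the MLS block, e.g. `# mls_policy: cpio is run from rpm's domain during package extraction -- confirm no other caller depends on /sbin/cpio`.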
@@ -1,3 +1,3 @@
 # rsync program
 /usr/bin/rsync -- system_u:object_r:rsync_exec_t
-/srv/([^/]*/)?rsync(/.*)? system_u:object_r:ftpd_anon_t
+/srv/([^/]*/)?rsync(/.*)? system_u:object_r:public_content_t
diff --git a/strict/file_contexts/program/xdm.fc b/strict/file_contexts/program/xdm.fc
index 6ee91a1..16c2d7d 100644
--- a/strict/file_contexts/program/xdm.fc
+++ b/strict/file_contexts/program/xdm.fc
@@ -3,7 +3,7 @@
 /usr/X11R6/bin/[xgkw]dm -- system_u:object_r:xdm_exec_t
 /opt/kde3/bin/kdm -- system_u:object_r:xdm_exec_t
 /usr/bin/gpe-dm -- system_u:object_r:xdm_exec_t
-/usr/bin/gdm-binary -- system_u:object_r:xdm_exec_t
+/usr/(s)?bin/gdm-binary -- system_u:object_r:xdm_exec_t
 /var/[xgk]dm(/.*)? system_u:object_r:xserver_log_t
 /usr/var/[xgkw]dm(/.*)? system_u:object_r:xserver_log_t
 /var/log/[kw]dm\.log -- system_u:object_r:xserver_log_t
diff --git a/strict/file_contexts/program/ypserv.fc b/strict/file_contexts/program/ypserv.fc
index 5622afb..519a5a4 100644
--- a/strict/file_contexts/program/ypserv.fc
+++ b/strict/file_contexts/program/ypserv.fc
@@ -1,3 +1,4 @@
 # ypserv
 /usr/sbin/ypserv -- system_u:object_r:ypserv_exec_t
+/usr/lib/yp/.+ -- system_u:object_r:bin_t
 /etc/ypserv\.conf -- system_u:object_r:ypserv_conf_t
diff --git a/strict/file_contexts/types.fc b/strict/file_contexts/types.fc
index b712037..d8fe1b6 100644
--- a/strict/file_contexts/types.fc
+++ b/strict/file_contexts/types.fc
@@ -133,6 +133,7 @@ HOME_DIR/.+ system_u:object_r:ROLE_home_t
 /dev/dcbri[0-9]+ -c system_u:object_r:tty_device_t
 /dev/irlpt[0-9]+ -c system_u:object_r:printer_device_t
 /dev/ircomm[0-9]+ -c system_u:object_r:tty_device_t
+/dev/rfcomm[0-9]+ -c system_u:object_r:tty_device_t
 /dev/isdn.* -c system_u:object_r:tty_device_t
 /dev/.*tty[^/]* -c system_u:object_r:tty_device_t
 /dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f] -c system_u:object_r:bsdpty_device_t
@@ -485,6 +486,7 @@ HOME_ROOT/lost\+found/.* <>
 # Turboprint
 #
 /usr/share/turboprint/lib(/.*)? -- system_u:object_r:bin_t
+/usr/share/hwdata(/.*)? system_u:object_r:hwdata_t
 #
 # initrd mount point, only used during boot
diff --git a/strict/macros/base_user_macros.te b/strict/macros/base_user_macros.te
index 4db1e62..4c5b36a 100644
--- a/strict/macros/base_user_macros.te
+++ b/strict/macros/base_user_macros.te
@@ -40,6 +40,12 @@ file_type_auto_trans($1_t, $1_home_dir_t, $1_home_t, { fifo_file sock_file lnk_f
 allow $1_t $1_home_t:{ notdevfile_class_set dir } { relabelfrom relabelto };
 can_setfscreate($1_t)
+ifdef(`ftpd.te' , `
+if (ftpd_is_daemon) {
+file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
+}
+')
+
 allow $1_t self:capability { setgid chown fowner };
 dontaudit $1_t self:capability { sys_nice fsetid };
diff --git a/strict/macros/program/apache_macros.te b/strict/macros/program/apache_macros.te
index b19d3f7..ea98391 100644
--- a/strict/macros/program/apache_macros.te
+++ b/strict/macros/program/apache_macros.te
@@ -84,6 +84,7 @@ allow httpd_$1_script_t { urandom_device_t random_device_t }:chr_file r_file_per
 # the perl executable will be able to run a perl script
 #########################################################################
 can_exec_any(httpd_$1_script_t)
+
 allow httpd_$1_script_t etc_t:file { getattr read };
 dontaudit httpd_$1_script_t selinux_config_t:dir search;
diff --git a/strict/macros/program/cdrecord_macros.te b/strict/macros/program/cdrecord_macros.te
index 8b94a00..fc1fc95 100644
--- a/strict/macros/program/cdrecord_macros.te
+++ b/strict/macros/program/cdrecord_macros.te
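Review bot: The new `file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)` block is expanded once for every user type this macro is instantiated for, and in this policy file_type_auto_trans is the macro that carries the create/write rules that make the transition usable, so a compromised FTP daemon gains write access to every user's home directory whenever `ftpd_is_daemon` is on. `ftpd_is_daemon` only says how ftpd is started; it is not a statement that FTP logins may write to home directories, and there is no second boolean to turn this off without disabling daemon mode. Gate the block on a dedicated tunable as well (an ftp_home_dir-style boolean in ftpd.te, if one exists there), i.e. `if (ftpd_is_daemon && ftp_home_dir) {`, and put a comment above the ifdef stating what it enables, e.g. `# let the FTP daemon create files with the user's home label (home-directory FTP logins)`. The enclosing per-user macro starts and ends outside this hunk.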
@@ -41,7 +41,7 @@ allow $1_cdrecord_t scsi_generic_device_t:chr_file { getattr read write ioctl };
 allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
 allow $1_cdrecord_t self:process { getsched setsched fork sigchld sigkill };
-allow $1_cdrecord_t $1_devpts_t:chr_file rw_file_perms;
+can_access_pty($1_cdrecord_t, $1)
 allow $1_cdrecord_t $1_home_t:dir search;
 allow $1_cdrecord_t $1_home_dir_t:dir r_dir_perms;
 allow $1_cdrecord_t $1_home_t:file r_file_perms;
diff --git a/strict/macros/program/mta_macros.te b/strict/macros/program/mta_macros.te
index cc73d63..930d1a2 100644
--- a/strict/macros/program/mta_macros.te
+++ b/strict/macros/program/mta_macros.te
@@ -68,7 +68,7 @@ ifdef(`crond.te', `
 allow system_mail_t system_crond_tmp_t:file { read getattr ioctl };
 allow mta_user_agent system_crond_tmp_t:file { read getattr };
 ')
-allow system_mail_t initrc_devpts_t:chr_file { read write getattr };
+can_access_pty(system_mail_t, initrc)
 ', `
 # For when the user wants to send mail via port 25 localhost
diff --git a/strict/macros/program/newrole_macros.te b/strict/macros/program/newrole_macros.te
index c7a143e..0d52282 100644
--- a/strict/macros/program/newrole_macros.te
+++ b/strict/macros/program/newrole_macros.te
@@ -20,6 +20,8 @@ uses_shlib($1_t)
 read_locale($1_t)
 read_sysctl($1_t)
+allow $1_t self:netlink_audit_socket { create bind write nlmsg_read read };
+
 # for when the user types "exec newrole" at the command line
 allow $1_t privfd:process sigchld;
diff --git a/strict/macros/program/su_macros.te b/strict/macros/program/su_macros.te
index ca2f2be..206f58e 100644
--- a/strict/macros/program/su_macros.te
+++ b/strict/macros/program/su_macros.te
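Review bot: The new `netlink_audit_socket` rule in newrole_macros.te includes `nlmsg_read`, which permits audit status and listing requests to the kernel, beyond what is needed to emit the user-message records for a role change; if newrole only sends those records and reads the kernel's acknowledgement, `{ create bind write read }` is the minimal set and nlmsg_read should be dropped, or kept together with a comment naming the libaudit call that issues the status query. Either way the line needs a why-comment, e.g. `# newrole reports role/level changes to the audit subsystem`, because an unexplained netlink_audit rule is the kind that gets widened later without review. The macro this rule lives in starts and ends outside the hunk.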
@@ -54,7 +54,7 @@ allow $1_su_t proc_t:file read;
 allow $1_su_t self:process { setsched setrlimit };
 allow $1_su_t device_t:dir search;
 allow $1_su_t self:process { fork sigchld };
-can_ypbind($1_su_t)
+nsswitch_domain($1_su_t)
 r_dir_file($1_su_t, selinux_config_t)
 dontaudit $1_su_t shadow_t:file { getattr read };