diff --git a/Changelog b/Changelog index a3e9f69..7b518cc 100644 --- a/Changelog +++ b/Changelog @@ -1,5 +1,7 @@ - Fix explicit use of httpd_t in openca_domtrans(). - Clean up file context regexes in apache and java, from Eamon Walsh. +- Patches from Dan Walsh: + Thu, 25 Jan 2007 * Tue Dec 12 2006 Chris PeBenito - 20061212 - Add policy patterns support macros. This changes the behavior of diff --git a/config/appconfig-strict-mcs/seusers b/config/appconfig-strict-mcs/seusers index ce614b4..dc5f1e4 100644 --- a/config/appconfig-strict-mcs/seusers +++ b/config/appconfig-strict-mcs/seusers @@ -1,2 +1,3 @@ +system_u:system_u:s0-mcs_systemhigh root:root:s0-mcs_systemhigh __default__:user_u:s0 diff --git a/config/appconfig-strict-mls/seusers b/config/appconfig-strict-mls/seusers index 4e500b0..dc156bf 100644 --- a/config/appconfig-strict-mls/seusers +++ b/config/appconfig-strict-mls/seusers @@ -1,2 +1,3 @@ +system_u:system_u:s0-mls_systemhigh root:root:s0-mls_systemhigh __default__:user_u:s0 diff --git a/config/appconfig-strict/seusers b/config/appconfig-strict/seusers index f7c5bd2..36b193b 100644 --- a/config/appconfig-strict/seusers +++ b/config/appconfig-strict/seusers @@ -1,2 +1,3 @@ +system_u:system_u root:root __default__:user_u diff --git a/man/man8/httpd_selinux.8 b/man/man8/httpd_selinux.8 index e9d4774..3330e00 100644 --- a/man/man8/httpd_selinux.8 +++ b/man/man8/httpd_selinux.8 @@ -1,4 +1,12 @@ .TH "httpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "httpd Selinux Policy documentation" +.de EX +.nf +.ft CW +.. +.de EE +.ft R +.fi +.. .SH "NAME" httpd_selinux \- Security Enhanced Linux Policy for the httpd daemon .SH "DESCRIPTION" 
@@ -9,38 +17,32 @@ control. SELinux requires files to have an extended attribute to define the file type. Policy governs the access daemons have to these files. SELinux httpd policy is very flexible allowing users to setup their web services in as secure a method as possible. -.TP +.PP The following file contexts types are defined for httpd: -.br - +.EX httpd_sys_content_t -.br +.EE - Set files with httpd_sys_content_t for content which is available from all httpd scripts and the daemon. -.br - +.EX httpd_sys_script_exec_t -.br +.EE - Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types. -.br - +.EX httpd_sys_script_ro_t -.br +.EE - Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t scripts to read the data, and disallow other sys scripts from access. -.br - +.EX httpd_sys_script_rw_t -.br +.EE - Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access. -.br - +.EX httpd_sys_script_ra_t -.br +.EE - Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access. - +.EX httpd_unconfined_script_exec_t -.br +.EE - Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options. It is better to use this script rather than turning off SELinux protection for httpd. -.br .SH NOTE With certain policies you can define addional file contexts based on roles like user or staff. httpd_user_script_exec_t can be defined where it would only have access to "user" contexts. 
@@ -48,71 +50,81 @@ With certain policies you can define addional file contexts based on roles like .SH SHARING FILES If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for httpd you would execute: +.EX setsebool -P allow_httpd_anon_write=1 +.EE or +.EX setsebool -P allow_httpd_sys_script_anon_write=1 +.EE .SH BOOLEANS SELinux policy is customizable based on least access required. So by default SElinux prevents certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible. -.TP +.PP httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this -.br +.EX setsebool -P httpd_enable_cgi 1 +.EE -.TP +.PP httpd by default is not allowed to access users home directories. If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir. -.br +.EX setsebool -P httpd_enable_homedirs 1 -.br chcon -R -t httpd_sys_content_t ~user/public_html +.EE -.TP +.PP httpd by default is not allowed access to the controling terminal. In most cases this is prefered, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access. -.br +.EX setsebool -P httpd_tty_comm 1 +.EE -.TP +.PP httpd can be configured to not differentiate file controls based on context, i.e. 
all files labeled as httpd context can be read/write/execute. Setting this boolean to false allows you to setup the security policy such that one httpd service can not interfere with another. -.br +.EX setsebool -P httpd_unified 0 +.EE -.TP +.PP httpd can be configured to turn off internal scripting (PHP). PHP and other loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts. -.br +.EX setsebool -P httpd_builtin_scripting 0 +.EE -.TP +.PP httpd scripts by default are not allowed to connect out to the network. This would prevent a hacker from breaking into you httpd server and attacking other machines. If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on. -.br +.EX setsebool -P httpd_can_network_connect 1 +.EE -.TP +.PP You can disable suexec transition, set httpd_suexec_disable_trans deny this -.br +.EX setsebool -P httpd_suexec_disable_trans 1 +.EE -.TP +.PP You can disable SELinux protection for the httpd daemon by executing: -.br +.EX setsebool -P httpd_disable_trans 1 -.br service httpd restart +.EE -.TP +.PP system-config-securitylevel is a GUI tool available to customize SELinux policy settings. .SH AUTHOR This manual page was written by Dan Walsh . diff --git a/man/man8/kerberos_selinux.8 b/man/man8/kerberos_selinux.8 index 94b3228..b614c40 100644 --- a/man/man8/kerberos_selinux.8 +++ b/man/man8/kerberos_selinux.8 @@ -1,4 +1,12 @@ .TH "kerberos_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "kerberos Selinux Policy documentation" +.de EX +.nf +.ft CW +.. +.de EE +.ft R +.fi +.. .SH "NAME" kerberos_selinux \- Security Enhanced Linux Policy for Kerberos. .SH "DESCRIPTION" 
@@ -6,23 +14,19 @@ kerberos_selinux \- Security Enhanced Linux Policy for Kerberos. Security-Enhanced Linux secures the system via flexible mandatory access control. By default Kerberos access is not allowed, since it requires daemons to be allowed greater access to certain secure files and addtional access to the network. .SH BOOLEANS -.TP +.PP You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment. -.TP +.EX setsebool -P allow_kerberos 1 -.TP +.EE If you are running Kerberos daemons kadmind or krb5kdc you can disable the SELinux protection on these daemons by setting the krb5kdc_disable_trans and kadmind_disable_trans booleans. -.br - +.EX setsebool -P krb5kdc_disable_trans 1 -.br service krb5kdc restart -.br setsebool -P kadmind_disable_trans booleans 1 -.br service kadmind restart - -.TP +.EE +.PP system-config-securitylevel is a GUI tool available to customize SELinux policy settings. .SH AUTHOR This manual page was written by Dan Walsh . diff --git a/man/man8/named_selinux.8 b/man/man8/named_selinux.8 index 2381614..d2f601b 100644 --- a/man/man8/named_selinux.8 +++ b/man/man8/named_selinux.8 @@ -1,4 +1,12 @@ .TH "named_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "named Selinux Policy documentation" +.de EX +.nf +.ft CW +.. +.de EE +.ft R +.fi +.. .SH "NAME" named_selinux \- Security Enhanced Linux Policy for the Internet Name server (named) daemon .SH "DESCRIPTION" 
@@ -8,17 +16,16 @@ control. .SH BOOLEANS SELinux policy is customizable based on least access required. So by default SElinux policy does not allow named to write master zone files. If you want to have named update the master zone files you need to set the named_write_master_zones boolean. -.TP -.br +.EX setsebool -P named_write_master_zones 1 - -.TP +.EE +.PP You can disable SELinux protection for the named daemon by executing: -.TP +.EX setsebool -P named_disable_trans 1 -.br service named restart -.TP +.EE +.PP system-config-securitylevel is a GUI tool available to customize SELinux policy settings. .SH AUTHOR This manual page was written by Dan Walsh . diff --git a/man/man8/rsync_selinux.8 b/man/man8/rsync_selinux.8 index 8ff4429..fece9c7 100644 --- a/man/man8/rsync_selinux.8 +++ b/man/man8/rsync_selinux.8 @@ -1,4 +1,12 @@ .TH "rsync_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "rsync Selinux Policy documentation" +.de EX +.nf +.ft CW +.. +.de EE +.ft R +.fi +.. .SH "NAME" rsync_selinux \- Security Enhanced Linux Policy for the rsync daemon .SH "DESCRIPTION" 
@@ -14,24 +22,25 @@ would need to label the directory with the chcon tool. chcon -t public_content_t /var/rsync .TP If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file. -.TP +.EX /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local -.br /var/rsync(/.*)? system_u:object_r:public_content_t +.EE .SH SHARING FILES If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for rsync you would execute: +.EX setsebool -P allow_rsync_anon_write=1 - +.EE .SH BOOLEANS .TP You can disable SELinux protection for the rsync daemon by executing: -.TP +.EX setsebool -P rsync_disable_trans 1 -.br service xinetd restart +.EE .TP system-config-securitylevel is a GUI tool available to customize SELinux policy settings. .SH AUTHOR diff --git a/policy/global_tunables b/policy/global_tunables index 1cdee7a..05b19ff 100644 --- a/policy/global_tunables +++ b/policy/global_tunables @@ -66,6 +66,14 @@ gen_tunable(allow_ftpd_anon_write,false) ## ##

+## Allow ftp servers to login to local users and +## read/write all files on the system, governed by DAC. +##

+##
+gen_tunable(allow_ftpd_full_access,false) + +## +##

## Allow ftp servers to use cifs ## used for public file transfer services. ##

@@ -328,6 +336,13 @@ gen_tunable(squid_connect_any,false) ## ##

+## Allow ssh logins as sysadm_r:sysadm_t +##

+##
+gen_tunable(ssh_sysadm_login,false) + +## +##

## Configure stunnel to be a standalone daemon or ## inetd service. ##

@@ -348,6 +363,13 @@ gen_tunable(use_nfs_home_dirs,false) ##
gen_tunable(use_samba_home_dirs,false) +## +##

+## Allow xdm logins as sysadm +##

+##
+gen_tunable(xdm_sysadm_login,false) + ######################################## # # Strict policy specific @@ -498,18 +520,18 @@ gen_tunable(spamassassin_can_network,false) ## ##

-## Allow ssh logins as sysadm_r:sysadm_t +## Allow staff_r users to search the sysadm home +## dir and read files (such as ~/.bashrc) ##

##
-gen_tunable(ssh_sysadm_login,false) +gen_tunable(staff_read_sysadm_file,false) ## ##

-## Allow staff_r users to search the sysadm home -## dir and read files (such as ~/.bashrc) +## Use lpd server instead of cups ##

##
-gen_tunable(staff_read_sysadm_file,false) +gen_tunable(use_lpd_server,false) ## ##

@@ -565,13 +587,6 @@ gen_tunable(user_ttyfile_stat,false) ##

##
gen_tunable(write_untrusted_content,false) - -## -##

-## Allow xdm logins as sysadm -##

-##
-gen_tunable(xdm_sysadm_login,false) ') ######################################## diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc index 107cc4a..b638362 100644 --- a/policy/modules/admin/bootloader.fc +++ b/policy/modules/admin/bootloader.fc @@ -2,11 +2,6 @@ /etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) /etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) -/etc/mkinitrd/scripts/.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) - -/usr/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0) - /sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) /sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) -/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0) /sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index f71b97f..44206fe 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -1,5 +1,5 @@ -policy_module(bootloader,1.4.0) +policy_module(bootloader,1.4.1) ######################################## # @@ -93,6 +93,8 @@ fs_read_tmpfs_symlinks(bootloader_t) fs_manage_dos_files(bootloader_t) mls_file_read_up(bootloader_t) +mls_file_write_down(bootloader_t) + term_getattr_all_user_ttys(bootloader_t) term_dontaudit_manage_pty_dirs(bootloader_t) @@ -163,9 +165,6 @@ ifdef(`distro_redhat',` # new file system defaults to file_t, granting file_t access is still bad. allow bootloader_t boot_runtime_t:file { read_file_perms unlink }; - # mkinitrd mount initrd on bootloader temp dir - files_mountpoint(bootloader_tmp_t) - # new file system defaults to file_t, granting file_t access is still bad. files_manage_isid_type_dirs(bootloader_t) files_manage_isid_type_files(bootloader_t) diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te index 831a863..a07ab94 100644 
--- a/policy/modules/admin/consoletype.te +++ b/policy/modules/admin/consoletype.te @@ -1,5 +1,5 @@ -policy_module(consoletype,1.2.0) +policy_module(consoletype,1.2.1) ######################################## # @@ -88,6 +88,11 @@ optional_policy(` ') optional_policy(` + hal_dontaudit_use_fds(consoletype_t) + hal_dontaudit_rw_pipes(consoletype_t) +') + +optional_policy(` logrotate_dontaudit_use_fds(consoletype_t) ') diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te index f54ad40..2ab7def 100644 --- a/policy/modules/admin/logwatch.te +++ b/policy/modules/admin/logwatch.te @@ -1,5 +1,5 @@ -policy_module(logwatch,1.3.0) +policy_module(logwatch,1.3.1) ################################# # @@ -58,6 +58,7 @@ dev_search_sysfs(logwatch_t) # Read /proc/PID directories for all domains. domain_read_all_domains_state(logwatch_t) +files_list_var(logwatch_t) files_read_etc_files(logwatch_t) files_read_etc_runtime_files(logwatch_t) files_read_usr_files(logwatch_t) @@ -113,6 +114,10 @@ optional_policy(` ') optional_policy(` + nis_use_ypbind(logwatch_t) +') + +optional_policy(` nscd_socket_use(logwatch_t) ') diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te index ab158e8..bba13dc 100644 --- a/policy/modules/admin/prelink.te +++ b/policy/modules/admin/prelink.te @@ -1,5 +1,5 @@ -policy_module(prelink,1.3.0) +policy_module(prelink,1.3.1) ######################################## # @@ -18,6 +18,9 @@ files_type(prelink_cache_t) type prelink_log_t; logging_log_file(prelink_log_t) +type prelink_tmp_t; +files_tmp_file(prelink_tmp_t) + ######################################## # # Local policy 
@@ -37,6 +40,10 @@ append_files_pattern(prelink_t,prelink_log_t,prelink_log_t) read_lnk_files_pattern(prelink_t,prelink_log_t,prelink_log_t) logging_log_filetrans(prelink_t, prelink_log_t, file) +allow prelink_t prelink_tmp_t:file { manage_file_perms execute }; +files_tmp_filetrans(prelink_t, prelink_tmp_t, file) +fs_tmpfs_filetrans(prelink_t, prelink_tmp_t, file) + # prelink misc objects that are not system # libraries or entrypoints allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom }; diff --git a/policy/modules/admin/quota.fc b/policy/modules/admin/quota.fc index b760aa3..f387230 100644 --- a/policy/modules/admin/quota.fc +++ b/policy/modules/admin/quota.fc @@ -1,14 +1,19 @@ +HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) + +/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) + +/boot/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) + +/etc/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) /sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0) +/var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) +/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0) +/var/spool/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) + ifdef(`distro_redhat',` /usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0) ',` /sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0) ') - -HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) - -/var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) - -/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0) diff --git a/policy/modules/admin/quota.te b/policy/modules/admin/quota.te index 8171764..276c5b1 100644 --- a/policy/modules/admin/quota.te +++ b/policy/modules/admin/quota.te 
@@ -1,5 +1,5 @@ -policy_module(quota,1.1.0) +policy_module(quota,1.1.1) ######################################## # @@ -26,7 +26,15 @@ dontaudit quota_t self:capability sys_tty_config; allow quota_t self:process signal_perms; # for /quota.* -allow quota_t quota_db_t:file { read write quotaon }; +allow quota_t quota_db_t:file { manage_file_perms quotaon }; +files_root_filetrans(quota_t, quota_db_t, file) +files_boot_filetrans(quota_t, quota_db_t, file) +files_etc_filetrans(quota_t, quota_db_t, file) +files_tmp_filetrans(quota_t, quota_db_t, file) +files_home_filetrans(quota_t, quota_db_t, file) +files_usr_filetrans(quota_t, quota_db_t, file) +files_var_filetrans(quota_t, quota_db_t, file) +files_spool_filetrans(quota_t, quota_db_t, file) kernel_list_proc(quota_t) kernel_read_proc_symlinks(quota_t) @@ -55,6 +63,7 @@ files_read_all_files(quota_t) files_read_all_symlinks(quota_t) files_getattr_all_pipes(quota_t) files_getattr_all_sockets(quota_t) +files_getattr_all_file_type_fs(quota_t) # Read /etc/mtab. files_read_etc_runtime_files(quota_t) @@ -81,12 +90,3 @@ optional_policy(` optional_policy(` udev_read_db(quota_t) ') - -ifdef(`TODO',` -# quotacheck creates new quota_db_t files -file_type_auto_trans(quota_t, { root_t home_root_t var_t usr_t src_t var_spool_t }, quota_db_t, file) - -allow quota_t file_t:file quotaon; - -allow quota_t proc_t:file getattr; -') dnl end TODO diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te index ecf5af3..3bff0b6 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te @@ -1,5 +1,5 @@ -policy_module(rpm,1.5.0) +policy_module(rpm,1.5.1) ######################################## # @@ -188,11 +188,11 @@ ifdef(`targeted_policy',` ') optional_policy(` - hal_dbus_chat(rpm_t) + cron_system_entry(rpm_t,rpm_exec_t) ') optional_policy(` - cron_system_entry(rpm_t,rpm_exec_t) + hal_dbus_chat(rpm_t) ') optional_policy(` 
@@ -369,6 +369,11 @@ optional_policy(` ') optional_policy(` + tzdata_domtrans(rpm_t) + tzdata_domtrans(rpm_script_t) +') + +optional_policy(` usermanage_domtrans_groupadd(rpm_script_t) usermanage_domtrans_useradd(rpm_script_t) ') diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if index dee1ca1..b6f6a84 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if @@ -61,6 +61,7 @@ template(`su_restricted_domain_template', ` kernel_read_system_state($1_su_t) kernel_read_kernel_sysctls($1_su_t) kernel_search_key($1_su_t) + kernel_link_key($1_su_t) # for SSP dev_read_urand($1_su_t) @@ -160,11 +161,12 @@ template(`su_restricted_domain_template', ` # template(`su_per_role_template',` gen_require(` + attribute su_domain_type; type su_exec_t; bool secure_mode; ') - type $1_su_t; + type $1_su_t, su_domain_type; domain_entry_file($1_su_t,su_exec_t) domain_type($1_su_t) domain_interactive_fd($1_su_t) @@ -177,6 +179,7 @@ template(`su_per_role_template',` allow $1_su_t self:process { setexec setsched setrlimit }; allow $1_su_t self:fifo_file rw_fifo_file_perms; allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; + allow $1_su_t self:key { search write }; # Transition from the user domain to this domain. domtrans_pattern($2, su_exec_t, $1_su_t) @@ -189,12 +192,17 @@ template(`su_per_role_template',` kernel_read_system_state($1_su_t) kernel_read_kernel_sysctls($1_su_t) + kernel_search_key($1_su_t) + kernel_link_key($1_su_t) # for SSP dev_read_urand($1_su_t) fs_search_auto_mountpoints($1_su_t) + # needed for pam_rootok + selinux_compute_access_vector($1_su_t) + auth_domtrans_user_chk_passwd($1,$1_su_t) auth_dontaudit_read_shadow($1_su_t) auth_use_nsswitch($1_su_t) @@ -213,6 +221,8 @@ template(`su_per_role_template',` # Write to utmp. init_rw_utmp($1_su_t) + mls_file_write_down($1_su_t) + libs_use_ld_so($1_su_t) libs_use_shared_libs($1_su_t) 
@@ -230,7 +240,6 @@ template(`su_per_role_template',` selinux_get_fs_mount($1_su_t) selinux_validate_context($1_su_t) - selinux_compute_access_vector($1_su_t) selinux_compute_create_context($1_su_t) selinux_compute_relabel_context($1_su_t) selinux_compute_user_contexts($1_su_t) @@ -297,9 +306,7 @@ template(`su_per_role_template',` # Modify .Xauthority file (via xauth program). optional_policy(` -# file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file) -# file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file) -# file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file) + xserver_user_home_dir_filetrans_user_xauth($1, su_domain_type) xserver_domtrans_user_xauth($1, $1_su_t) ') diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te index 00999ce..886edbd 100644 --- a/policy/modules/admin/su.te +++ b/policy/modules/admin/su.te @@ -1,10 +1,12 @@ -policy_module(su,1.5.0) +policy_module(su,1.5.1) ######################################## # # Declarations # +attribute su_domain_type; + type su_exec_t; corecmd_executable_file(su_exec_t) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if index e0ae7c0..da47fa9 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -71,6 +71,7 @@ template(`sudo_per_role_template',` allow $1_sudo_t self:unix_dgram_socket sendto; allow $1_sudo_t self:unix_stream_socket connectto; allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read }; + allow $1_sudo_t self:netlink_route_socket r_netlink_socket_perms; # Enter this derived domain from the user domain domtrans_pattern($2, sudo_exec_t, $1_sudo_t) @@ -83,6 +84,7 @@ template(`sudo_per_role_template',` kernel_read_kernel_sysctls($1_sudo_t) kernel_read_system_state($1_sudo_t) + kernel_search_key($1_sudo_t) dev_read_urand($1_sudo_t) 
@@ -90,6 +92,8 @@ template(`sudo_per_role_template',` fs_getattr_xattr_fs($1_sudo_t) auth_domtrans_chk_passwd($1_sudo_t) + # sudo stores a token in the pam_pid directory + auth_manage_pam_pid($1_sudo_t) corecmd_getattr_bin_files($1_sudo_t) corecmd_read_sbin_symlinks($1_sudo_t) @@ -140,9 +144,5 @@ template(`sudo_per_role_template',` domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t) ') - ifdef(`pam.te', ` - allow $1_sudo_t pam_var_run_t:dir manage_dir_perms; - allow $1_sudo_t pam_var_run_t:file manage_file_perms; - ') ') dnl end TODO ') diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te index 54c1f3c..bf3ea5f 100644 --- a/policy/modules/admin/sudo.te +++ b/policy/modules/admin/sudo.te @@ -1,5 +1,5 @@ -policy_module(sudo,1.0.0) +policy_module(sudo,1.0.1) ######################################## # diff --git a/policy/modules/admin/tzdata.fc b/policy/modules/admin/tzdata.fc new file mode 100644 index 0000000..04b8548 --- /dev/null +++ b/policy/modules/admin/tzdata.fc @@ -0,0 +1 @@ +/usr/sbin/tzdata-update -- gen_context(system_u:object_r:tzdata_exec_t,s0) diff --git a/policy/modules/admin/tzdata.if b/policy/modules/admin/tzdata.if new file mode 100644 index 0000000..af803bf --- /dev/null +++ b/policy/modules/admin/tzdata.if @@ -0,0 +1,19 @@ +## Time zone updater + +######################################## +## +## Execute a domain transition to run tzdata. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`tzdata_domtrans',` + gen_require(` + type tzdata_t, tzdata_exec_t; + ') + + domtrans_pattern($1,tzdata_exec_t,tzdata_t) +') diff --git a/policy/modules/admin/tzdata.te b/policy/modules/admin/tzdata.te new file mode 100644 index 0000000..b4c48f6 --- /dev/null +++ b/policy/modules/admin/tzdata.te 
@@ -0,0 +1,40 @@ + +policy_module(tzdata,1.0.0) + +######################################## +# +# Declarations +# + +type tzdata_t; +type tzdata_exec_t; +init_daemon_domain(tzdata_t, tzdata_exec_t) + +######################################## +# +# tzdata local policy +# + +files_read_etc_files(tzdata_t) +files_search_spool(tzdata_t) + +term_dontaudit_list_ptys(tzdata_t) + +libs_use_ld_so(tzdata_t) +libs_use_shared_libs(tzdata_t) + +locallogin_dontaudit_use_fds(tzdata_t) + +miscfiles_read_localization(tzdata_t) +miscfiles_manage_localization(tzdata_t) +miscfiles_etc_filetrans_localization(tzdata_t) + +ifdef(`targeted_policy',` + term_dontaudit_use_unallocated_ttys(tzdata_t) + term_dontaudit_use_generic_ptys(tzdata_t) +') + +# tzdata looks for /var/spool/postfix/etc/localtime. +optional_policy(` + postfix_search_spool(tzdata_t) +') diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index 6af8f3f..56705bc 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -1,5 +1,5 @@ -policy_module(usermanage,1.5.0) +policy_module(usermanage,1.5.1) ######################################## # @@ -112,6 +112,7 @@ domain_use_interactive_fds(chfn_t) files_manage_etc_files(chfn_t) files_read_etc_runtime_files(chfn_t) files_dontaudit_search_var(chfn_t) +files_dontaudit_search_home(chfn_t) # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. @@ -486,6 +487,8 @@ files_read_etc_runtime_files(useradd_t) fs_search_auto_mountpoints(useradd_t) fs_getattr_xattr_fs(useradd_t) +mls_file_upgrade(useradd_t) + # Allow access to context for shadow file selinux_get_fs_mount(useradd_t) selinux_validate_context(useradd_t) 
@@ -517,16 +520,16 @@ miscfiles_read_localization(useradd_t) seutil_read_config(useradd_t) seutil_read_file_contexts(useradd_t) seutil_read_default_contexts(useradd_t) +seutil_domtrans_semanage(useradd_t) +seutil_domtrans_restorecon(useradd_t) userdom_use_unpriv_users_fds(useradd_t) # for when /root is the cwd userdom_dontaudit_search_sysadm_home_dirs(useradd_t) # Add/remove user home directories userdom_home_filetrans_generic_user_home_dir(useradd_t) -userdom_manage_generic_user_home_content_dirs(useradd_t) -userdom_manage_generic_user_home_content_files(useradd_t) -userdom_manage_generic_user_home_dirs(useradd_t) -userdom_manage_staff_home_dirs(useradd_t) +userdom_manage_all_users_home_content_dirs(useradd_t) +userdom_manage_all_users_home_content_files(useradd_t) userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notdevfile_class_set) mta_manage_spool(useradd_t) diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te index f6af2c3..f6acf4b 100644 --- a/policy/modules/admin/vpn.te +++ b/policy/modules/admin/vpn.te @@ -1,5 +1,5 @@ -policy_module(vpn,1.3.0) +policy_module(vpn,1.3.1) ######################################## # @@ -95,6 +95,7 @@ logging_send_syslog_msg(vpnc_t) miscfiles_read_localization(vpnc_t) seutil_dontaudit_search_config(vpnc_t) +seutil_use_newrole_fds(vpnc_t) sysnet_exec_ifconfig(vpnc_t) sysnet_etc_filetrans_config(vpnc_t) diff --git a/policy/modules/apps/ethereal.if b/policy/modules/apps/ethereal.if index 91789da..2a2e86d 100644 --- a/policy/modules/apps/ethereal.if +++ b/policy/modules/apps/ethereal.if @@ -34,6 +34,10 @@ # template(`ethereal_per_role_template',` + gen_require(` + type ethereal_exec_t; + ') + ############################## # # Declarations diff --git a/policy/modules/apps/ethereal.te b/policy/modules/apps/ethereal.te index 433765a..c3449c0 100644 --- a/policy/modules/apps/ethereal.te +++ b/policy/modules/apps/ethereal.te 
@@ -1,5 +1,5 @@ -policy_module(ethereal,1.1.0) +policy_module(ethereal,1.1.1) ######################################## # diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if index 02ccdba..17c8b79 100644 --- a/policy/modules/apps/evolution.if +++ b/policy/modules/apps/evolution.if @@ -53,7 +53,7 @@ template(`evolution_per_role_template',` userdom_user_home_content($1,$1_evolution_home_t) type $1_evolution_orbit_tmp_t; - files_type($1_evolution_orbit_tmp_t) + files_tmp_file($1_evolution_orbit_tmp_t) type $1_evolution_alarm_t; domain_type($1_evolution_alarm_t) @@ -64,7 +64,7 @@ template(`evolution_per_role_template',` files_tmpfs_file($1_evolution_alarm_tmpfs_t) type $1_evolution_alarm_orbit_tmp_t; - files_type($1_evolution_alarm_orbit_tmp_t) + files_tmp_file($1_evolution_alarm_orbit_tmp_t) type $1_evolution_exchange_t; domain_type($1_evolution_exchange_t) @@ -78,7 +78,7 @@ template(`evolution_per_role_template',` files_tmp_file($1_evolution_exchange_tmp_t) type $1_evolution_exchange_orbit_tmp_t; - files_type($1_evolution_exchange_orbit_tmp_t) + files_tmp_file($1_evolution_exchange_orbit_tmp_t) type $1_evolution_server_t; domain_type($1_evolution_server_t) @@ -86,7 +86,7 @@ template(`evolution_per_role_template',` role $3 types $1_evolution_server_t; type $1_evolution_server_orbit_tmp_t; - files_type($1_evolution_server_orbit_tmp_t) + files_tmp_file($1_evolution_server_orbit_tmp_t) type $1_evolution_webcal_t; domain_type($1_evolution_webcal_t) @@ -97,7 +97,7 @@ template(`evolution_per_role_template',` files_tmpfs_file($1_evolution_webcal_tmpfs_t) type $1_orbit_tmp_t; - files_type($1_orbit_tmp_t) + files_tmp_file($1_orbit_tmp_t) ######################################## # 
@@ -129,6 +129,10 @@ template(`evolution_per_role_template',` allow $1_evolution_t $1_evolution_orbit_tmp_t:file manage_file_perms; files_tmp_filetrans($1_evolution_t,$1_evolution_orbit_tmp_t,{ dir file }) + allow $1_evolution_server_t $1_evolution_orbit_tmp_t:dir manage_dir_perms; + allow $1_evolution_server_t $1_evolution_orbit_tmp_t:file manage_file_perms; + files_tmp_filetrans($1_evolution_server_t,$1_evolution_orbit_tmp_t,{ dir file }) + allow $1_evolution_t $1_evolution_server_t:dir search_dir_perms; allow $1_evolution_t $1_evolution_server_t:file read; @@ -171,6 +175,8 @@ template(`evolution_per_role_template',` allow $2 $1_evolution_t:{ file lnk_file } { read getattr }; allow $2 $1_evolution_t:process getattr; + domain_dontaudit_read_all_domains_state($1_evolution_t) + #FIXME check to see if really needed kernel_read_kernel_sysctls($1_evolution_t) kernel_read_system_state($1_evolution_t) @@ -238,6 +244,7 @@ template(`evolution_per_role_template',` userdom_manage_user_tmp_dirs($1,$1_evolution_t) userdom_manage_user_tmp_sockets($1,$1_evolution_t) userdom_manage_user_tmp_files($1,$1_evolution_t) + userdom_use_user_terminals($1, $1_evolution_t) # FIXME: suppress access to .local/.icons/.themes until properly implemented # FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) # until properly implemented @@ -246,6 +253,7 @@ template(`evolution_per_role_template',` mta_read_config($1_evolution_t) xserver_user_client_template($1,$1_evolution_t,$1_evolution_tmpfs_t) + xserver_read_xdm_tmp_files($1_evolution_t) tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs($1_evolution_t) 
@@ -367,7 +375,10 @@ template(`evolution_per_role_template',` tunable_policy(`write_untrusted_content',` files_search_home($1_evolution_t) - userdom_manage_user_untrusted_content_files($1,$1_evolution_t,{ dir file }) + userdom_manage_user_untrusted_content_files($1,$1_evolution_t) + userdom_user_home_dir_filetrans($1,$1_evolution_t,$1_untrusted_content_tmp_t, { file dir }) + userdom_user_home_content_filetrans($1,$1_evolution_t,$1_untrusted_content_tmp_t, { file dir }) + ',` files_dontaudit_list_home($1_evolution_t) files_dontaudit_list_tmp($1_evolution_t) @@ -394,6 +405,10 @@ template(`evolution_per_role_template',` dbus_send_user_bus($1,$1_evolution_t) ') + optional_policy(` + gnome_stream_connect_gconf_template($1, $1_evolution_t) + ') + # Encrypt mail optional_policy(` gpg_domtrans_user_gpg($1,$1_evolution_t) @@ -404,13 +419,18 @@ template(`evolution_per_role_template',` lpd_domtrans_user_lpr($1,$1_evolution_t) ') + optional_policy(` + mozilla_read_user_home_files($1, $1_evolution_t) + mozilla_domtrans_user_mozilla($1, $1_evolution_t) + ') + # Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing) optional_policy(` nis_use_ypbind($1_evolution_t) ') optional_policy(` - nscd_socket_use($1_evolution_exchange_t) + nscd_socket_use($1_evolution_t) ') ### Junk mail filtering (start spamd) @@ -427,9 +447,6 @@ template(`evolution_per_role_template',` ifdef(`TODO',` - #dbus connect to - allow $1_evolution_t $1_dbusd_t:unix_stream_socket connectto; - # Gnome common stuff gnome_application($1_evolution, $1) @@ -450,12 +467,6 @@ template(`evolution_per_role_template',` ifdef(`TODO',` gnome_file_dialog($1_evolution, $1) ') - # Start links in web browser - ifdef(`mozilla', ` - corecmd_exec_shell($1_evolution_t) - domain_auto_trans($1_evolution_t, mozilla_exec_t, $1_mozilla_t) - ') - ') ######################################## 
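Review bot: the hunk at @@ -367,7 +375,10 drops the third (object class) argument from `userdom_manage_user_untrusted_content_files($1,$1_evolution_t)` and replaces it with explicit `userdom_user_home_dir_filetrans` / `userdom_user_home_content_filetrans` calls; the mozilla and thunderbird hunks do the same. That only builds if the `userdom_manage_user_untrusted_content_files` signature in userdom.if is changed in the same series, which is not part of this patch. Either include the userdom.if change here or state the dependency in the commit message so the two do not get applied separately.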
@@ -463,7 +474,8 @@ template(`evolution_per_role_template',` # Evolution alarm local policy # - allow $1_evolution_alarm_t self:fifo_file { read write }; + allow $1_evolution_alarm_t self:process { signal getsched }; + allow $1_evolution_alarm_t self:fifo_file rw_fifo_file_perms; allow $1_evolution_alarm_t $1_evolution_t:unix_stream_socket connectto; allow $1_evolution_alarm_t $1_evolution_orbit_tmp_t:sock_file write; @@ -489,7 +501,15 @@ template(`evolution_per_role_template',` domain_auto_trans($2, evolution_alarm_exec_t, $1_evolution_alarm_t) allow $1_evolution_alarm_t $2:fd use; + dev_read_urand($1_evolution_alarm_t) + + files_read_etc_files($1_evolution_alarm_t) + files_read_usr_files($1_evolution_alarm_t) + fs_search_auto_mountpoints($1_evolution_alarm_t) + + libs_use_ld_so($1_evolution_alarm_t) + libs_use_shared_libs($1_evolution_alarm_t) miscfiles_read_localization($1_evolution_alarm_t) @@ -512,6 +532,15 @@ template(`evolution_per_role_template',` ') optional_policy(` + dbus_user_bus_client_template($1,$1_evolution_alarm,$1_evolution_alarm_t) + dbus_send_user_bus($1,$1_evolution_alarm_t) + ') + + optional_policy(` + gnome_stream_connect_gconf_template($1, $1_evolution_alarm_t) + ') + + optional_policy(` nscd_socket_use($1_evolution_alarm_t) ') @@ -525,6 +554,9 @@ template(`evolution_per_role_template',` # Evolution exchange connector local policy # + allow $1_evolution_exchange_t self:process getsched; + allow $1_evolution_exchange_t self:fifo_file rw_fifo_file_perms; + allow $1_evolution_exchange_t self:tcp_socket create_socket_perms; allow $1_evolution_exchange_t self:udp_socket create_socket_perms; 
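Review bot: the alarm hunk at @@ -489,7 +501,15 adds `libs_use_ld_so`, `libs_use_shared_libs` and `files_read_etc_files`, which are the baseline rules any dynamically linked program needs, so the domain cannot have been exercised before; the commit carries no denial or feature reference for any of the additions. Please note in the message what drove them, and add a comment next to `dev_read_urand($1_evolution_alarm_t)` saying what consumes random bytes, since that is the one rule here that is not obviously baseline.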
@@ -571,8 +603,18 @@ template(`evolution_per_role_template',` # Allow netstat corecmd_exec_bin($1_evolution_exchange_t) + dev_read_urand($1_evolution_exchange_t) + + files_read_etc_files($1_evolution_exchange_t) + files_read_usr_files($1_evolution_exchange_t) + # Access evolution home fs_search_auto_mountpoints($1_evolution_exchange_t) + + libs_use_ld_so($1_evolution_exchange_t) + libs_use_shared_libs($1_evolution_exchange_t) + + miscfiles_read_localization($1_evolution_exchange_t) # Access evolution home userdom_search_user_home_dirs($1,$1_evolution_exchange_t) @@ -591,6 +633,10 @@ template(`evolution_per_role_template',` tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files($1_evolution_exchange_t) ') + + optional_policy(` + gnome_stream_connect_gconf_template($1, $1_evolution_exchange_t) + ') optional_policy(` nscd_socket_use($1_evolution_exchange_t) @@ -606,6 +652,8 @@ template(`evolution_per_role_template',` # Evolution data server local policy # + allow $1_evolution_server_t self:process { getsched signal }; + allow $1_evolution_server_t self:fifo_file { read write }; allow $1_evolution_server_t self:unix_stream_socket { accept connectto }; # Talk to ldap (address book), @@ -643,6 +691,8 @@ template(`evolution_per_role_template',` corenet_sendrecv_http_client_packets($1_evolution_server_t) corenet_sendrecv_http_cache_client_packets($1_evolution_server_t) + dev_read_urand($1_evolution_server_t) + files_read_etc_files($1_evolution_server_t) # Obtain weather data via http (read server name from xml file in /usr) files_read_usr_files($1_evolution_server_t) @@ -652,6 +702,7 @@ template(`evolution_per_role_template',` libs_use_ld_so($1_evolution_server_t) libs_use_shared_libs($1_evolution_server_t) + miscfiles_read_localization($1_evolution_server_t) # Look in /etc/pki miscfiles_read_certs($1_evolution_server_t) 
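Review bot: the server hunk at @@ -606,6 +652,8 adds `allow $1_evolution_server_t self:fifo_file { read write };`, while the alarm hunk at @@ -463 and the exchange hunk at @@ -525 in this same patch use `rw_fifo_file_perms` (and the alarm hunk explicitly converts the old `{ read write }` form). Use `rw_fifo_file_perms` here too for consistency, so all three domains get the same fifo permission set.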
@@ -682,6 +733,10 @@ template(`evolution_per_role_template',` ') optional_policy(` + gnome_stream_connect_gconf_template($1, $1_evolution_server_t) + ') + + optional_policy(` nscd_socket_use($1_evolution_server_t) ') @@ -813,3 +868,45 @@ template(`evolution_stream_connect',` allow $2 $1_evolution_t:unix_stream_socket connectto; allow $2 $1_evolution_home_t:dir search; ') + +######################################## +## +## Send and receive messages from +## evolution over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`evolution_dbus_chat',` + gen_require(` + type $1_evolution_t; + class dbus send_msg; + ') + + allow $2 $1_evolution_t:dbus send_msg; + allow $1_evolution_t $2:dbus send_msg; +') + +######################################## +## +## Send and receive messages from +## evolution_alarm over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`evolution_alarm_dbus_chat',` + gen_require(` + type $1_evolution_alarm_t; + class dbus send_msg; + ') + + allow $2 $1_evolution_alarm_t:dbus send_msg; + allow $1_evolution_alarm_t $2:dbus send_msg; +') diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te index 1848879..e6d1b5c 100644 --- a/policy/modules/apps/evolution.te +++ b/policy/modules/apps/evolution.te @@ -1,5 +1,5 @@ -policy_module(evolution,1.1.0) +policy_module(evolution,1.1.1) ######################################## # diff --git a/policy/modules/apps/games.if b/policy/modules/apps/games.if index 91fe9e7..3337616 100644 --- a/policy/modules/apps/games.if +++ b/policy/modules/apps/games.if @@ -34,6 +34,10 @@ # template(`games_per_role_template',` + gen_require(` + type games_exec_t, games_data_t; + ') + ######################################## # # Declarations diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te index cf2d88e..a090d13 100644 --- a/policy/modules/apps/games.te +++ b/policy/modules/apps/games.te 
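Review bot: in the hunk at @@ -813,3 +868,45 the new `evolution_dbus_chat` and `evolution_alarm_dbus_chat` are declared with `interface(` but reference `$1_evolution_t` and `$2`, i.e. they take a user prefix plus a domain, so they are per-userdomain templates and should be declared with `template(` (as `mozilla_dbus_chat` in this same patch is). The XML documentation also lists only one parameter ("Domain allowed access"); add the `userdomain_prefix` parameter block so the generated docs match the two-argument call.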
@@ -1,5 +1,5 @@ -policy_module(games,1.1.0) +policy_module(games,1.1.1) ######################################## # diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc index 0146bd4..c812095 100644 --- a/policy/modules/apps/gnome.fc +++ b/policy/modules/apps/gnome.fc @@ -1,3 +1,5 @@ +HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:ROLE_gnome_home_t,s0) + /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) /usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if index d9b5fc9..a0e35fc 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if @@ -35,19 +35,24 @@ template(`gnome_per_role_template',` gen_require(` type gconfd_exec_t; + attribute gnomedomain; ') ############################## # # Declarations # - type $1_gconfd_t; + type $1_gconfd_t, gnomedomain; + domain_type($1_gconfd_t) domain_entry_file($1_gconfd_t, gconfd_exec_t) role $3 types $1_gconfd_t; type $1_gconf_home_t; - files_type($1_gconf_home_t) + userdom_user_home_content($1, $1_gconf_home_t) + + type $1_gnome_home_t; + userdom_user_home_content($1, $1_gnome_home_t) type $1_gconf_tmp_t; files_tmp_file($1_gconf_tmp_t) @@ -58,6 +63,7 @@ template(`gnome_per_role_template',` # allow $1_gconfd_t self:process getsched; + allow $1_gconfd_t self:fifo_file rw_fifo_file_perms; manage_dirs_pattern($1_gconfd_t,$1_gconf_home_t,$1_gconf_home_t) manage_files_pattern($1_gconfd_t,$1_gconf_home_t,$1_gconf_home_t) @@ -75,6 +81,8 @@ template(`gnome_per_role_template',` allow $1_gconfd_t gconf_etc_t:dir list_dir_perms; read_files_pattern($1_gconfd_t,gconf_etc_t,gconf_etc_t) + ps_process_pattern($2,$1_gconfd_t) + dev_read_urand($1_gconfd_t) files_read_etc_files($1_gconfd_t) 
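Review bot: the gnome.if hunk at @@ -35,19 +35,24 attaches the new `gnomedomain` attribute to `$1_gconfd_t`, but nothing in the patch writes a rule against `gnomedomain`, so it is a dead declaration until some later change uses it; either add the rule it was introduced for or a comment saying what it is reserved for. The same hunk declares `$1_gnome_home_t` (labelled by the new `HOME_DIR/\.config/gtk-.*` context) and only the new `gnome_manage_user_gnome_config` template grants access to it; please confirm that `userdom_user_home_content($1, $1_gnome_home_t)` alone is enough for the user domain `$2` to manage its own ~/.config/gtk-* files, otherwise add an explicit rule for `$2` here.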
@@ -124,6 +132,64 @@ template(`gnome_stream_connect_gconf_template',` type $1_gconf_tmp_t; ') + read_files_pattern($2,$1_gconf_tmp_t,$1_gconf_tmp_t) allow $2 $1_gconfd_t:unix_stream_socket connectto; - allow $2 $1_gconf_tmp_t:file read_file_perms; +') + +######################################## +## +## Run gconfd in the role-specific gconfd domain. +## +## +##

+## Run gconfd in the role-specfic gconfd domain. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +template(`gnome_domtrans_user_gconf',` + gen_require(` + type $1_gconfd_t, gconfd_exec_t; + ') + + domtrans_pattern($2,gconfd_exec_t,$1_gconfd_t) +') + +######################################## +## +## manage gnome homedir content (.config) +## +## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The type of the user domain. +## +## +# +template(`gnome_manage_user_gnome_config',` + gen_require(` + type $1_gnome_home_t; + ') + + allow $2 $1_gnome_home_t:dir manage_dir_perms; + allow $2 $1_gnome_home_t:file manage_file_perms; ') diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te index 996809a..7fede6f 100644 --- a/policy/modules/apps/gnome.te +++ b/policy/modules/apps/gnome.te @@ -1,11 +1,13 @@ -policy_module(gnome,1.0.0) +policy_module(gnome,1.0.1) ############################## # # Declarations # +attribute gnomedomain; + type gconf_etc_t; files_type(gconf_etc_t) diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if index 00e7744..52426e3 100644 --- a/policy/modules/apps/java.if +++ b/policy/modules/apps/java.if @@ -171,6 +171,39 @@ template(`java_per_role_template',` ######################################## ## +## Run java in javaplugin domain. +## +## +##

+## Run java in javaplugin domain. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +template(`java_domtrans_user_javaplugin',` + gen_require(` + type $1_javaplugin_t, java_exec_t; + ') + + domtrans_pattern($2,java_exec_t,$1_javaplugin_t) +') + +######################################## +## ## Execute the java program in the java domain. ## ## diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te index 0e776e1..51eb769 100644 --- a/policy/modules/apps/java.te +++ b/policy/modules/apps/java.te @@ -1,5 +1,5 @@ -policy_module(java,1.3.1) +policy_module(java,1.3.2) ######################################## # @@ -18,6 +18,10 @@ init_system_domain(java_t,java_exec_t) ifdef(`targeted_policy',` # execheap is needed for itanium/BEA jrocket allow java_t self:process { execstack execmem execheap }; - unconfined_domain_noaudit(java_t) role system_r types java_t; + + init_dbus_chat_script(java_t) + + unconfined_domain_noaudit(java_t) + unconfined_dbus_chat(java_t) ') diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te index a8e2e11..6cc288b 100644 --- a/policy/modules/apps/loadkeys.te +++ b/policy/modules/apps/loadkeys.te @@ -1,5 +1,5 @@ -policy_module(loadkeys,1.0.0) +policy_module(loadkeys,1.0.1) ######################################## # @@ -15,10 +15,8 @@ ifdef(`targeted_policy',` # all user domain ttys type loadkeys_t; - domain_type(loadkeys_t) - type loadkeys_exec_t; - domain_entry_file(loadkeys_t,loadkeys_exec_t) + init_system_domain(loadkeys_t,loadkeys_exec_t) ') ######################################## 
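Review bot: the java.if hunk at @@ -171,6 +171,39 adds `java_domtrans_user_javaplugin`, which transitions on `java_exec_t` into `$1_javaplugin_t`, while the existing interface that follows it ("Execute the java program in the java domain") also keys on the java entrypoint. A caller that invokes both for the same source domain gets two `type_transition` rules with the same source, target and class and the build fails. Please document in the summary that the two are mutually exclusive for a given caller, or verify that mozilla (which calls the new template at @@ -340) does not also use the java domtrans.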
@@ -29,15 +27,22 @@ ifdef(`targeted_policy',` ifdef(`targeted_policy',` # loadkeys domain disabled in targeted policy ',` - allow loadkeys_t self:capability { setuid sys_tty_config }; + allow loadkeys_t self:capability { dac_override dac_read_search setuid sys_tty_config }; allow loadkeys_t self:fifo_file rw_fifo_file_perms; kernel_read_system_state(loadkeys_t) corecmd_exec_bin(loadkeys_t) corecmd_exec_shell(loadkeys_t) + corecmd_search_sbin(loadkeys_t) + + files_read_etc_files(loadkeys_t) + files_read_etc_runtime_files(loadkeys_t) + + term_dontaudit_use_console(loadkeys_t) + term_dontaudit_use_unallocated_ttys(loadkeys_t) - files_dontaudit_read_etc_runtime_files(loadkeys_t) + init_dontaudit_use_script_ptys(loadkeys_t) libs_use_ld_so(loadkeys_t) libs_use_shared_libs(loadkeys_t) diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if index 2e443c1..2d2990d 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -60,7 +60,7 @@ template(`mozilla_per_role_template',` allow $1_mozilla_t self:capability { sys_nice setgid setuid }; allow $1_mozilla_t self:process { sigkill signal setsched getsched setrlimit }; - allow $1_mozilla_t self:fifo_file { getattr read write }; + allow $1_mozilla_t self:fifo_file rw_fifo_file_perms; allow $1_mozilla_t self:shm { unix_read unix_write read write destroy create }; allow $1_mozilla_t self:sem create_sem_perms; allow $1_mozilla_t self:socket create_socket_perms; @@ -150,6 +150,7 @@ template(`mozilla_per_role_template',` dev_write_sound($1_mozilla_t) dev_read_sound($1_mozilla_t) dev_dontaudit_rw_dri($1_mozilla_t) + dev_getattr_sysfs_dirs($1_mozilla_t) files_read_etc_runtime_files($1_mozilla_t) files_read_usr_files($1_mozilla_t) 
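Review bot: the loadkeys.te hunk at @@ -29,15 +27,22 widens `self:capability` from `{ setuid sys_tty_config }` to `{ dac_override dac_read_search setuid sys_tty_config }`. `dac_override` permits bypassing DAC for writes as well as reads; if loadkeys only needs to read a keymap owned by another user (the usual case), `dac_read_search` alone is sufficient and `dac_override` should be left out. Please state which file access forced the capability, and drop `dac_override` unless a write actually needs it.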
@@ -159,10 +160,13 @@ template(`mozilla_per_role_template',` # interacting with gstreamer files_read_var_files($1_mozilla_t) files_read_var_symlinks($1_mozilla_t) + files_dontaudit_getattr_boot_dirs($1_mozilla_t) fs_search_auto_mountpoints($1_mozilla_t) - fs_search_inotifyfs($1_mozilla_t) + fs_list_inotifyfs($1_mozilla_t) fs_rw_tmpfs_files($1_mozilla_t) + + term_dontaudit_getattr_pty_dirs($1_mozilla_t) libs_use_ld_so($1_mozilla_t) libs_use_lib_files($1_mozilla_t) @@ -185,7 +189,9 @@ template(`mozilla_per_role_template',` userdom_manage_user_tmp_sockets($1,$1_mozilla_t) xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t) - + xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t) + xserver_dontaudit_getattr_xdm_tmp_sockets($1_mozilla_t) + tunable_policy(`allow_execmem',` allow $1_mozilla_t self:process { execmem execstack }; ') @@ -318,12 +324,14 @@ template(`mozilla_per_role_template',` tunable_policy(`write_untrusted_content',` files_search_home($1_mozilla_t) + userdom_manage_user_untrusted_content_tmp_files($1, $1_mozilla_t) files_tmp_filetrans($1_mozilla_t,$1_untrusted_content_tmp_t,file) files_tmp_filetrans($1_mozilla_t,$1_untrusted_content_tmp_t,dir) - userdom_manage_user_untrusted_content_files($1,$1_mozilla_t,file) - userdom_manage_user_untrusted_content_files($1,$1_mozilla_t,dir) - ',` + userdom_manage_user_untrusted_content_files($1,$1_mozilla_t) + userdom_user_home_dir_filetrans($1,$1_mozilla_t,$1_untrusted_content_tmp_t, { file dir }) + userdom_user_home_content_filetrans($1,$1_mozilla_t,$1_untrusted_content_tmp_t, { file dir }) + ',` files_dontaudit_list_home($1_mozilla_t) files_dontaudit_list_tmp($1_mozilla_t) 
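Review bot: the mozilla hunk at @@ -185,7 +189,9 adds `xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t)`, whereas the evolution hunk at @@ -246 and the thunderbird hunk at @@ -147 grant the read with `xserver_read_xdm_tmp_files`. Three X clients in the same patch reacting to the same access in two different ways is hard to justify; either the xdm tmp files contain something these clients legitimately need (then allow it everywhere) or they do not (then dontaudit everywhere). A one-line comment stating what is in those files would settle it.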
@@ -340,62 +348,53 @@ template(`mozilla_per_role_template',` ') optional_policy(` + automount_dontaudit_getattr_tmp_dirs($1_mozilla_t) + ') + + optional_policy(` cups_read_rw_config($1_mozilla_t) + cups_dbus_chat($1_mozilla_t) ') optional_policy(` dbus_system_bus_client_template($1_mozilla,$1_mozilla_t) dbus_send_system_bus($1_mozilla_t) - ifdef(`TODO',` - optional_policy(` - allow cupsd_t $1_mozilla_t:dbus send_msg; - ') - ') + dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t) + dbus_send_user_bus($1,$1_mozilla_t) ') optional_policy(` - nscd_socket_use($1_mozilla_t) + gnome_stream_connect_gconf_template($1,$1_mozilla_t) + ') + + optional_policy(` + java_domtrans_user_javaplugin($1, $1_mozilla_t) ') optional_policy(` lpd_domtrans_user_lpr($1,$1_mozilla_t) ') - ifdef(`TODO',` - # Java plugin - optional_policy(` - #reh, these are hacked in types due to the use of the java_per_role_template - type $1_mozilla_tmp_t; - files_tmp_file($1_mozilla_tmp_t) - - #this looks even more ugly. - type $1_mozilla_tty_device_t; - term_tty($1_mozilla_t,$1_mozilla_tty_device_t) - type $1_mozilla_devpts_t; - term_pty($1_mozilla_devpts_t) - type $1_mozilla_home_dir_t; - userdom_user_home_content($1,$1_mozilla_home_dir_t) - - java_per_role_template($1_mozilla,$2,$3) - ') + optional_policy(` + mplayer_domtrans_user_mplayer($1, $1_mozilla_t) + mplayer_read_user_home_files($1, $1_mozilla_t) + ') - ######### Launch mplayer - optional_policy(` - domain_auto_trans($1_mozilla_t, mplayer_exec_t, $1_mplayer_t) - dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write }; - dontaudit $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write }; - dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write }; - ') + optional_policy(` + nscd_socket_use($1_mozilla_t) + ') + + optional_policy(` + thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t) + ') + + ifdef(`TODO',` #NOTE commented out in strict. 
######### Launch email client, and make webcal links work #ifdef(`evolution.te', ` #domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t) #domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t) #') - #NOTE commented out in strict - #ifdef(`thunderbird.te', ` - #domain_auto_trans($1_mozilla_t, thunderbird_exec_t, $1_thunderbird_t) - #') # Macros for mozilla/mozilla (or other browser) domains. # FIXME: Rules were removed to centralize policy in a gnome_app macro @@ -409,3 +408,174 @@ template(`mozilla_per_role_template',` ') ') ') + +######################################## +## +## Read mozilla per user homedir +## +## +##

+## Read mozilla per user homedir +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +template(`mozilla_read_user_home_files',` + gen_require(` + type $1_mozilla_home_t; + ') + + allow $2 $1_mozilla_home_t:dir list_dir_perms; + allow $2 $1_mozilla_home_t:file read_file_perms; +') + +######################################## +## +## write mozilla per user homedir +## +## +##

+## Read mozilla per user homedir +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +template(`mozilla_write_user_home_files',` + gen_require(` + type $1_mozilla_home_t; + ') + + allow $2 $1_mozilla_home_t:dir list_dir_perms; + allow $2 $1_mozilla_home_t:file write; +') + +######################################## +## +## Run mozilla in user mozilla domain. +## +## +##

+## Run mozilla in mozilla domain. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +template(`mozilla_domtrans_user_mozilla',` + gen_require(` + type $1_mozilla_t, mozilla_exec_t; + ') + + domtrans_pattern($2, mozilla_exec_t,$1_mozilla_t) +') + +######################################## +## +## Send and receive messages from +## mozilla over dbus. +## +## +##

+## Send and receive messages from +## mozilla over dbus. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +template(`mozilla_dbus_chat',` + gen_require(` + type $1_mozilla_t; + class dbus send_msg; + ') + + allow $2 $1_mozilla_t:dbus send_msg; + allow $1_mozilla_t $2:dbus send_msg; +') + +######################################## +## +## read/write mozilla per user tcp_socket +## +## +##

+## read/write mozilla per user tcp_socket +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +template(`mozilla_rw_user_tcp_sockets',` + gen_require(` + type $1_mozilla_t; + ') + + allow $2 $1_mozilla_t:tcp_socket rw_socket_perms; +') diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te index 846e70a..7752e69 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -1,5 +1,5 @@ -policy_module(mozilla,1.1.0) +policy_module(mozilla,1.1.1) ######################################## # diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if index 47ee8ec..99bc933 100644 --- a/policy/modules/apps/mplayer.if +++ b/policy/modules/apps/mplayer.if @@ -33,6 +33,9 @@ ## # template(`mplayer_per_role_template',` + gen_require(` + type mencoder_exec_t, mplayer_exec_t; + ') ######################################## # @@ -198,6 +201,10 @@ template(`mplayer_per_role_template',` userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_mencoder_t) ') + tunable_policy(`write_untrusted_content',` + userdom_manage_user_untrusted_content_files($1, $1_mplayer_t) + ') + # Save encoded files tunable_policy(`write_untrusted_content && use_nfs_home_dirs',` files_search_home($1_mencoder_t) @@ -249,6 +256,7 @@ template(`mplayer_per_role_template',` allow $1_mplayer_t self:process { signal_perms getsched }; allow $1_mplayer_t self:fifo_file rw_fifo_file_perms; + allow $1_mplayer_t self:sem create_sem_perms; manage_dirs_pattern($1_mplayer_t,$1_mplayer_home_t,$1_mplayer_home_t) manage_files_pattern($1_mplayer_t,$1_mplayer_home_t,$1_mplayer_home_t) @@ -320,6 +328,7 @@ template(`mplayer_per_role_template',` fs_dontaudit_getattr_all_fs($1_mplayer_t) fs_search_auto_mountpoints($1_mplayer_t) + fs_list_inotifyfs($1_mplayer_t) libs_use_ld_so($1_mplayer_t) libs_use_shared_libs($1_mplayer_t) 
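Review bot: in the mozilla.if hunk at @@ -409,3 +408,174 the description of `mozilla_write_user_home_files` still reads "Read mozilla per user homedir" (copied from the read template), and its body grants a bare `allow $2 $1_mozilla_home_t:file write;` without `getattr`/`open`, which is not enough to actually write a file; use `write_files_pattern` or `rw_files_pattern` and fix the description. The same hunk also ships `mozilla_write_user_home_files` and `mozilla_rw_user_tcp_sockets` without any caller in this patch, and the latter hands another domain read/write access to the browser's TCP sockets; please say what needs that, or leave both out until a consumer exists.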
@@ -435,3 +444,69 @@ template(`mplayer_per_role_template',` nscd_socket_use($1_mplayer_t) ') ') + +######################################## +## +## Run mplayer in mplayer domain. +## +## +##

+## Run mplayer in mplayer domain. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +template(`mplayer_domtrans_user_mplayer',` + gen_require(` + type $1_mplayer_t, mplayer_exec_t; + ') + + domtrans_pattern($2, mplayer_exec_t,$1_mplayer_t) +') + +######################################## +## +## Read mplayer per user homedir +## +## +##

+## Read mplayer per user homedir +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +template(`mplayer_read_user_home_files',` + gen_require(` + type $1_mplayer_home_t; + ') + + read_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t) +') diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te index 337d3a9..dd9b1a4 100644 --- a/policy/modules/apps/mplayer.te +++ b/policy/modules/apps/mplayer.te @@ -1,5 +1,5 @@ -policy_module(mplayer,1.1.0) +policy_module(mplayer,1.1.1) ######################################## # diff --git a/policy/modules/apps/slocate.if b/policy/modules/apps/slocate.if index 1d3e061..0346700 100644 --- a/policy/modules/apps/slocate.if +++ b/policy/modules/apps/slocate.if @@ -19,3 +19,23 @@ interface(`slocate_create_append_log',` create_files_pattern($1,locate_log_t,locate_log_t) append_files_pattern($1,locate_log_t,locate_log_t) ') + +######################################## +## +## Read locate lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`locate_read_lib_files',` + gen_require(` + type locate_var_lib_t; + ') + + read_files_pattern($1,locate_var_lib_t,locate_var_lib_t) + allow $1 locate_var_lib_t:dir list_dir_perms; + files_search_var_lib($1) +') diff --git a/policy/modules/apps/slocate.te b/policy/modules/apps/slocate.te index b8bad11..7371469 100644 --- a/policy/modules/apps/slocate.te +++ b/policy/modules/apps/slocate.te @@ -1,5 +1,5 @@ -policy_module(slocate,1.3.0) +policy_module(slocate,1.3.1) ################################# # @@ -44,6 +44,7 @@ files_read_etc_files(locate_t) fs_getattr_xattr_fs(locate_t) fs_getattr_rpc_pipefs(locate_t) +fs_getattr_rpc_dirs(locate_t) libs_use_shared_libs(locate_t) libs_use_ld_so(locate_t) diff --git a/policy/modules/apps/thunderbird.if b/policy/modules/apps/thunderbird.if index 9a77b22..38bde70 100644 --- a/policy/modules/apps/thunderbird.if +++ b/policy/modules/apps/thunderbird.if 
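Review bot: the slocate.if hunk at @@ -19,3 +19,23 names the new interface `locate_read_lib_files`, but the module is `slocate` and its existing interface uses that prefix (`slocate_create_append_log`); refpolicy interface names are prefixed with the module name so that callers can be resolved to a module. Rename it `slocate_read_lib_files` before anything starts calling it.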
@@ -46,6 +46,7 @@ template(`thunderbird_per_role_template',` type $1_thunderbird_home_t alias $1_thunderbird_rw_t; files_poly_member($1_thunderbird_home_t) + userdom_user_home_content($1, $1_thunderbird_home_t) type $1_thunderbird_tmpfs_t; files_tmpfs_file($1_thunderbird_tmpfs_t) @@ -62,6 +63,7 @@ template(`thunderbird_per_role_template',` allow $1_thunderbird_t self:unix_stream_socket { create accept connect write getattr read listen bind }; allow $1_thunderbird_t self:tcp_socket create_socket_perms; allow $1_thunderbird_t self:shm { read write create destroy unix_read unix_write }; + allow $1_thunderbird_t self:netlink_route_socket r_netlink_socket_perms; # Access ~/.thunderbird manage_dirs_pattern($1_thunderbird_t,$1_thunderbird_home_t,$1_thunderbird_home_t) @@ -89,16 +91,19 @@ template(`thunderbird_per_role_template',` manage_dirs_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t) manage_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t) manage_lnk_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t) + relabel_dirs_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t) relabel_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t) relabel_lnk_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t) # Allow netstat kernel_read_network_state($1_thunderbird_t) + kernel_read_net_sysctls($1_thunderbird_t) + kernel_read_system_state($1_thunderbird_t) corecmd_exec_shell($1_thunderbird_t) # Startup shellscript - corecmd_exec_bin($1_thunderbird_t) + corecmd_search_sbin($1_thunderbird_t) corenet_non_ipsec_sendrecv($1_thunderbird_t) corenet_tcp_sendrecv_generic_if($1_thunderbird_t) 
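Review bot: the thunderbird hunk at @@ -89,16 +91,19 replaces `corecmd_exec_bin($1_thunderbird_t)` with `corecmd_search_sbin($1_thunderbird_t)` directly under the "# Startup shellscript" comment, while keeping `corecmd_exec_shell`. If the thunderbird wrapper script invokes anything labelled `bin_t` (basename, sed, uname are typical), startup will now be denied. Please confirm the wrapper was checked, and either keep `corecmd_exec_bin` or update the comment to explain why shell alone suffices.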
@@ -122,11 +127,22 @@ template(`thunderbird_per_role_template',` corenet_sendrecv_pop_client_packets($1_thunderbird_t) corenet_sendrecv_http_client_packets($1_thunderbird_t) + dev_read_urand($1_thunderbird_t) + dev_dontaudit_search_sysfs($1_thunderbird_t) + files_list_tmp($1_thunderbird_t) files_read_usr_files($1_thunderbird_t) files_read_etc_files($1_thunderbird_t) + files_read_etc_runtime_files($1_thunderbird_t) + files_read_var_files($1_thunderbird_t) + files_read_var_symlinks($1_thunderbird_t) + files_dontaudit_getattr_all_tmp_files($1_thunderbird_t) + files_dontaudit_getattr_boot_dirs($1_thunderbird_t) + files_dontaudit_getattr_lost_found_dirs($1_thunderbird_t) + files_dontaudit_search_mnt($1_thunderbird_t) fs_getattr_xattr_fs($1_thunderbird_t) + fs_list_inotifyfs($1_thunderbird_t) # Access ~/.thunderbird fs_search_auto_mountpoints($1_thunderbird_t) @@ -134,6 +150,7 @@ template(`thunderbird_per_role_template',` libs_use_ld_so($1_thunderbird_t) miscfiles_read_fonts($1_thunderbird_t) + miscfiles_read_localization($1_thunderbird_t) sysnet_read_config($1_thunderbird_t) # Allow DNS @@ -147,7 +164,9 @@ template(`thunderbird_per_role_template',` userdom_read_user_home_content_files($1,$1_thunderbird_t) xserver_user_client_template($1,$1_thunderbird_t,$1_thunderbird_tmpfs_t) - + xserver_read_xdm_tmp_files($1_thunderbird_t) + xserver_dontaudit_getattr_xdm_tmp_sockets($1_thunderbird_t) + # Transition from user type tunable_policy(`! disable_thunderbird_trans',` domain_auto_trans($2, thunderbird_exec_t, $1_thunderbird_t) @@ -200,7 +219,6 @@ template(`thunderbird_per_role_template',` userdom_read_user_tmp_symlinks($1,$1_thunderbird_t) userdom_search_user_home_dirs($1,$1_thunderbird_t) userdom_read_user_home_content_files($1,$1_thunderbird_t) - userdom_read_user_home_content_symlinks($1,$1_thunderbird_t) ifndef(`enable_mls',` fs_search_removable($1_thunderbird_t) 
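Review bot: the hunk at @@ -200,7 +219,6 removes `userdom_read_user_home_content_symlinks($1,$1_thunderbird_t)` while the surrounding `userdom_read_user_home_content_files` and `userdom_search_user_home_dirs` calls stay. Users who symlink ~/.thunderbird or their mail store elsewhere in the home directory will lose access once symlink reads are gone, and nothing in the hunk explains the removal. If it is redundant because another added rule already covers home content symlinks, say so; otherwise it should stay.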
@@ -284,9 +302,10 @@ template(`thunderbird_per_role_template',` files_search_home($1_thunderbird_t) files_tmp_filetrans($1_thunderbird_t,$1_untrusted_content_tmp_t,file) files_tmp_filetrans($1_thunderbird_t,$1_untrusted_content_tmp_t,dir) - - userdom_manage_user_untrusted_content_files($1,$1_thunderbird_t,file) - userdom_manage_user_untrusted_content_files($1,$1_thunderbird_t,dir) + userdom_manage_user_untrusted_content_files($1,$1_thunderbird_t) + userdom_manage_user_untrusted_content_tmp_files($1, $1_thunderbird_t) + userdom_user_home_dir_filetrans($1,$1_thunderbird_t,$1_untrusted_content_tmp_t, { file dir }) + userdom_user_home_content_filetrans($1,$1_thunderbird_t,$1_untrusted_content_tmp_t, { file dir }) ',` files_dontaudit_list_home($1_thunderbird_t) files_dontaudit_list_tmp($1_thunderbird_t) @@ -305,11 +324,14 @@ template(`thunderbird_per_role_template',` ') optional_policy(` - lpd_domtrans_user_lpr($1,$1_thunderbird_t) + cups_read_rw_config($1_thunderbird_t) + cups_dbus_chat($1_thunderbird_t) ') optional_policy(` - cups_read_rw_config($1_thunderbird_t) + gnome_stream_connect_gconf_template($1,$1_thunderbird_t) + gnome_domtrans_user_gconf($1, $1_thunderbird_t) + gnome_manage_user_gnome_config($1, $1_thunderbird_t) ') optional_policy(` 
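Review bot: the hunk at @@ -305,11 +324,14 mixes argument styles on adjacent lines, `gnome_stream_connect_gconf_template($1,$1_thunderbird_t)` next to `gnome_domtrans_user_gconf($1, $1_thunderbird_t)`; the existing code in these templates uses no space after the comma, and the same mix recurs throughout the mozilla and evolution hunks. Pick the existing form for the new lines so later diffs do not carry whitespace-only churn.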
@@ -317,32 +339,66 @@ template(`thunderbird_per_role_template',` ') optional_policy(` + lpd_domtrans_user_lpr($1,$1_thunderbird_t) + ') + + optional_policy(` + mozilla_read_user_home_files($1, $1_thunderbird_t) + mozilla_domtrans_user_mozilla($1, $1_thunderbird_t) + mozilla_dbus_chat($1, $1_thunderbird_t) + ') + + optional_policy(` nis_use_ypbind($1_thunderbird_t) ') + optional_policy(` + nscd_socket_use($1_thunderbird_t) + ') + ifdef(`TODO',` # FIXME: Rules were removed to centralize policy in a gnome_app macro # A similar thing might be necessary for mozilla compiled without GNOME # support (is this possible?). - # Start links in web browser - ifdef(`mozilla.te', ` - can_exec($1_thunderbird_t, shell_exec_t) - domain_auto_trans($1_thunderbird_t, mozilla_exec_t, $1_mozilla_t) - ') - # GNOME support optional_policy(` gnome_application($1_thunderbird, $1) gnome_file_dialog($1_thunderbird, $1) allow $1_thunderbird_t $1_gnome_settings_t:file { read write }; ') - optinal_policy(` - allow $1_t $2_dbusd_t:dbus send_msg; - ifdef(`cups.te', ` - allow cupsd_t $1_t:dbus send_msg; - ') - ') + ') +') +######################################## +## +## Run thunderbird in the user thunderbird domain. +## +## +##
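Review bot: the thunderbird hunk at @@ -317,32 +339,66 adds `mozilla_dbus_chat($1, $1_thunderbird_t)` and the hunk before it adds `cups_dbus_chat`, but unlike mozilla (@@ -340, `dbus_user_bus_client_template` plus `dbus_send_user_bus`) and evolution_alarm (@@ -512) thunderbird is not given session-bus client access anywhere in this patch. Without the ability to connect to the user's bus, the `dbus send_msg` rules are unreachable. Please verify thunderbird already has `dbus_user_bus_client_template` elsewhere in its template, or add it in the same optional_policy block.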

+## Run thunderbird in the user thunderbird domain. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +template(`thunderbird_domtrans_user_thunderbird',` + gen_require(` + type $1_thunderbird_t, thunderbird_exec_t; ') + + domtrans_pattern($2, thunderbird_exec_t,$1_thunderbird_t) ') diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te index ff5d477..0d1c693 100644 --- a/policy/modules/apps/thunderbird.te +++ b/policy/modules/apps/thunderbird.te @@ -1,5 +1,5 @@ -policy_module(thunderbird,1.1.0) +policy_module(thunderbird,1.1.1) ######################################## # diff --git a/policy/modules/apps/tvtime.if b/policy/modules/apps/tvtime.if index 679e1b9..ef67d5e 100644 --- a/policy/modules/apps/tvtime.if +++ b/policy/modules/apps/tvtime.if @@ -33,6 +33,9 @@ ## # template(`tvtime_per_role_template',` + gen_require(` + type tvtime_exec_t; + ') ######################################## # diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te index 8a74bd9..158534e 100644 --- a/policy/modules/apps/tvtime.te +++ b/policy/modules/apps/tvtime.te @@ -1,5 +1,5 @@ -policy_module(tvtime,1.1.0) +policy_module(tvtime,1.1.1) ######################################## # diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if index 37c5c7e..efa6b07 100644 --- a/policy/modules/apps/uml.if +++ b/policy/modules/apps/uml.if @@ -34,6 +34,10 @@ # template(`uml_per_role_template',` + gen_require(` + type uml_ro_t, uml_exec_t; + ') + ######################################## # # Declarations diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te index 4791630..7e4dcf1 100644 --- a/policy/modules/apps/uml.te +++ b/policy/modules/apps/uml.te @@ -1,5 +1,5 @@ -policy_module(uml,1.1.0) +policy_module(uml,1.1.1) ######################################## # diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if index 4cd3e01..100f140 100644 
--- a/policy/modules/apps/userhelper.if +++ b/policy/modules/apps/userhelper.if @@ -49,7 +49,7 @@ template(`userhelper_per_role_template',` domain_obj_id_change_exemption($1_userhelper_t) domain_interactive_fd($1_userhelper_t) domain_subj_id_change_exemption($1_userhelper_t) - role system_r types $1_userhelper_t; + role $3 types $1_userhelper_t; ######################################## # @@ -287,3 +287,21 @@ template(`userhelper_sigchld_user',` allow $2 $1_userhelper_t:process sigchld; ') + +######################################## +## +## Execute the userhelper program in the caller domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`userhelper_exec',` + gen_require(` + type userhelper_exec_t; + ') + + can_exec($1,userhelper_exec_t) +') diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te index 5cd61eb..1914e6c 100644 --- a/policy/modules/apps/userhelper.te +++ b/policy/modules/apps/userhelper.te @@ -1,5 +1,5 @@ -policy_module(userhelper,1.1.0) +policy_module(userhelper,1.1.1) ######################################## # diff --git a/policy/modules/apps/vmware.if b/policy/modules/apps/vmware.if index 2033523..6bb0915 100644 --- a/policy/modules/apps/vmware.if +++ b/policy/modules/apps/vmware.if @@ -33,6 +33,9 @@ ## # template(`vmware_per_role_template',` + gen_require(` + type vmware_exec_t, vmware_sys_conf_t; + ') ############################## # diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te index 2fd5956..e189c79 100644 --- a/policy/modules/apps/vmware.te +++ b/policy/modules/apps/vmware.te @@ -1,5 +1,5 @@ -policy_module(vmware,1.0.0) +policy_module(vmware,1.0.1) ######################################## # diff --git a/policy/modules/apps/webalizer.te b/policy/modules/apps/webalizer.te index ace13c2..4f7ef2a 100644 --- a/policy/modules/apps/webalizer.te +++ b/policy/modules/apps/webalizer.te 
@@ -1,5 +1,5 @@ -policy_module(webalizer,1.3.0) +policy_module(webalizer,1.3.1) ######################################## # @@ -67,6 +67,7 @@ corenet_tcp_sendrecv_all_nodes(webalizer_t) corenet_tcp_sendrecv_all_ports(webalizer_t) fs_search_auto_mountpoints(webalizer_t) +fs_getattr_xattr_fs(webalizer_t) files_read_etc_files(webalizer_t) files_read_etc_runtime_files(webalizer_t) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index ecf1bec..74234f1 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -73,6 +73,7 @@ ifdef(`distro_debian',` ifdef(`targeted_policy',` /etc/X11/prefdm -- gen_context(system_u:object_r:bin_t,s0) +/usr/games/nethack-3.4.3/nethack -- gen_context(system_u:object_r:bin_t,s0) ') # @@ -189,7 +190,12 @@ ifdef(`distro_redhat', ` /usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/authconfig/authconfig.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cvs/contrib/rcs2log -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if index 6531489..cc7c620 100644 --- a/policy/modules/kernel/corecommands.if +++ b/policy/modules/kernel/corecommands.if 
@@ -465,6 +465,25 @@ interface(`corecmd_list_sbin',` ######################################## ## +## Do not audit attempts to write +## sbin directories. +## +## +## +## Domain to not audit. +## +## +# +interface(`corecmd_dontaudit_write_sbin_dirs',` + gen_require(` + type sbin_t; + ') + + dontaudit $1 sbin_t:dir write; +') + +######################################## +## ## Get the attributes of sbin files. ## ## diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te index 7b2d1e0..007d955 100644 --- a/policy/modules/kernel/corecommands.te +++ b/policy/modules/kernel/corecommands.te @@ -1,5 +1,5 @@ -policy_module(corecommands,1.5.0) +policy_module(corecommands,1.5.1) ######################################## # diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in index 0af6336..864395b 100644 --- a/policy/modules/kernel/corenetwork.if.in +++ b/policy/modules/kernel/corenetwork.if.in @@ -1005,6 +1005,25 @@ interface(`corenet_tcp_connect_all_ports',` ######################################## ## +## Do not audit attempts to connect TCP sockets +## to all ports. +## +## +## +## Domain to not audit. +## +## +# +interface(`corenet_dontaudit_tcp_connect_all_ports',` + gen_require(` + attribute port_type; + ') + + dontaudit $1 port_type:tcp_socket name_connect; +') + +######################################## +## ## Send and receive TCP network traffic on generic reserved ports. ## ## 
@@ -1273,6 +1292,42 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` ######################################## ## +## Bind TCP sockets to all ports > 1024. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`corenet_tcp_bind_all_unreserved_ports',` + gen_require(` + attribute port_type, reserved_port_type; + ') + + allow $1 { port_type -reserved_port_type }:tcp_socket name_bind; +') + +######################################## +## +## Bind UDP sockets to all ports > 1024. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`corenet_udp_bind_all_unreserved_ports',` + gen_require(` + attribute port_type, reserved_port_type; + ') + + allow $1 { port_type -reserved_port_type }:udp_socket name_bind; +') + +######################################## +## ## Connect TCP sockets to reserved ports. ## ## @@ -1512,6 +1567,35 @@ interface(`corenet_dontaudit_udp_recv_netlabel',` ######################################## ## +## Receive Raw IP packets from a NetLabel connection. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_raw_recv_netlabel',` + kernel_raw_recvfrom_unlabeled($1) +') + +######################################## +## +## Do not audit attempts to receive Raw IP packets from a NetLabel +## connection. +## +## +## +## Domain to not audit. +## +## +# +interface(`corenet_dontaudit_raw_recv_netlabel',` + kernel_dontaudit_raw_recvfrom_unlabeled($1) +') + +######################################## +## ## Send generic client packets. ## ## diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index b3f13bc..140e4ae 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -1,5 +1,5 @@ -policy_module(corenetwork,1.2.3) +policy_module(corenetwork,1.2.4) ######################################## # 
@@ -111,7 +111,7 @@ network_port(netsupport, tcp,5405,s0, udp,5405,s0) network_port(nmbd, udp,137,s0, udp,138,s0, udp,139,s0) network_port(ntp, udp,123,s0) network_port(ocsp, tcp,9080,s0) -network_port(openvpn, udp,1194,s0) +network_port(openvpn, tcp,1194,s0, udp,1194,s0) network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) @@ -196,6 +196,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo,s0 - mls_systemhigh) +',` +typealias netif_t alias netif_lo_t; ') ######################################## diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if index b2557fd..4228a0e 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -1055,6 +1055,25 @@ interface(`domain_dontaudit_getattr_all_pipes',` ######################################## ## +## Allow specified type to set context of all +## domains IPSEC associations. +## +## +## +## Type of subject to be allowed this. +## +## +# +interface(`domain_ipsec_setcontext_all_domains',` + gen_require(` + attribute domain; + ') + + allow $1 domain:association setcontext; +') + +######################################## +## ## Get the attributes of entry point ## files for all domains. ## @@ -1114,6 +1133,24 @@ interface(`domain_exec_all_entry_files',` ######################################## ## +## dontaudit checking for execute on all entry point files +## +## +## +## Domain to not audit. +## +## +# +interface(`domain_dontaudit_exec_all_entry_files',` + gen_require(` + attribute entry_type; + ') + + dontaudit $1 entry_type:file exec_file_perms; +') + +######################################## +## ## Create, read, write, and delete all ## entrypoint files. ## 
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index ea99772..dc73444 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -1,5 +1,5 @@ -policy_module(domain,1.2.0) +policy_module(domain,1.2.1) ######################################## # diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 5e78a96..38a25c9 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1004,6 +1004,29 @@ interface(`files_dontaudit_search_all_dirs',` ######################################## ## +## Get the attributes of all filesystems +## with the type of a file. +## +## +## +## Domain allowed access. +## +## +# +# dwalsh: This interface is to allow quotacheck to work on a +# a filesystem mounted with the --context switch +# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212957 +# +interface(`files_getattr_all_file_type_fs',` + gen_require(` + attribute file_type; + ') + + allow $1 file_type:filesystem getattr; +') + +######################################## +## ## Relabel a filesystem to the type of a file. ## ## @@ -1939,6 +1962,24 @@ interface(`files_read_etc_symlinks',` ######################################## ## +## Create, read, write, and delete symbolic links in /etc. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_etc_symlinks',` + gen_require(` + type etc_t; + ') + + manage_lnk_files_pattern($1,etc_t,etc_t) +') + +######################################## +## ## Create objects in /etc with a private ## type using a type_transition. ## 
@@ -2489,6 +2530,25 @@ interface(`files_getattr_lost_found_dirs',` ######################################## ## +## Do not audit attempts to get the attributes of +## lost+found directories. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_getattr_lost_found_dirs',` + gen_require(` + type lost_found_t; + ') + + dontaudit $1 lost_found_t:dir getattr; +') + +######################################## +## ## Create, read, write, and delete objects in ## lost+found directories. ## @@ -3131,6 +3191,43 @@ interface(`files_setattr_all_tmp_dirs',` ######################################## ## +## Do not audit attempts to get the attributes +## of all tmp files. +## +## +## +## Domain not to audit. +## +## +# +interface(`files_dontaudit_getattr_all_tmp_files',` + gen_require(` + attribute tmpfile; + ') + + dontaudit $1 tmpfile:file getattr; +') + +######################################## +## +## Read all tmp files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_read_all_tmp_files',` + gen_require(` + attribute tmpfile; + ') + + read_files_pattern($1,tmpfile,tmpfile) +') + +######################################## +## ## Create an object in the tmp directories, with a private ## type using a type transition. ## @@ -3515,6 +3612,24 @@ interface(`files_dontaudit_write_var_dirs',` ######################################## ## +## Allow attempts to write to /var.dirs +## +## +## +## Domain to not audit. +## +## +# +interface(`files_write_var_dirs',` + gen_require(` + type var_t; + ') + + allow $1 var_t:dir write; +') + +######################################## +## ## Do not audit attempts to search ## the contents of /var. ## @@ -3786,6 +3901,7 @@ interface(`files_read_var_lib_files',` type var_t, var_lib_t; ') + allow $1 var_lib_t:dir list_dir_perms; read_files_pattern($1,{ var_t var_lib_t },var_lib_t) ') 
@@ -4421,7 +4537,7 @@ interface(`files_polyinstantiate_all',` selinux_compute_member($1) # Need sys_admin capability for mounting - allow $1 self:capability sys_admin; + allow $1 self:capability { chown fsetid sys_admin }; # Need to give access to the directories to be polyinstantiated allow $1 polydir:dir { create getattr search write add_name setattr mounton rmdir }; @@ -4437,7 +4553,7 @@ interface(`files_polyinstantiate_all',` allow $1 self:process setfscreate; allow $1 polymember: dir { create setattr relabelto }; allow $1 polydir: dir { write add_name }; - allow $1 polyparent:dir { write add_name relabelfrom relabelto }; + allow $1 polyparent:dir { read write remove_name add_name relabelfrom relabelto }; # Default type for mountpoints allow $1 poly_t:dir { create mounton }; diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index d6ff141..f6d234a 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -1,5 +1,5 @@ -policy_module(files,1.4.0) +policy_module(files,1.4.1) ######################################## # @@ -50,6 +50,8 @@ files_mountpoint(default_t) # type etc_t; files_type(etc_t) +# compatibility aliases for removed types: +typealias etc_t alias automount_etc_t; # # etc_runtime_t is the type of various diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 3effc68..2857769 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -2721,6 +2721,25 @@ interface(`fs_tmpfs_filetrans',` ######################################## ## +## Do not audit attempts to getattr +## generic tmpfs files. +## +## +## +## Domain to not audit. +## +## +# +interface(`fs_dontaudit_getattr_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + + dontaudit $1 tmpfs_t:file getattr; +') + +######################################## +## ## Do not audit attempts to read or write ## generic tmpfs files. ## 
@@ -2735,7 +2754,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` type tmpfs_t; ') - dontaudit $1 tmpfs_t:file { read write }; + dontaudit $1 tmpfs_t:file rw_file_perms; ') ######################################## diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index e57cf37..33f3447 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -1,5 +1,5 @@ -policy_module(filesystem,1.5.0) +policy_module(filesystem,1.5.1) ######################################## # @@ -103,6 +103,7 @@ genfscon cramfs / gen_context(system_u:object_r:romfs_t,s0) type rpc_pipefs_t; fs_type(rpc_pipefs_t) genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0) +files_mountpoint(rpc_pipefs_t) # # tmpfs_t is the type for tmpfs filesystems @@ -139,6 +140,7 @@ genfscon automount / gen_context(system_u:object_r:autofs_t,s0) # type cifs_t alias sambafs_t; fs_noxattr_type(cifs_t) +files_mountpoint(cifs_t) genfscon cifs / gen_context(system_u:object_r:cifs_t,s0) genfscon smbfs / gen_context(system_u:object_r:cifs_t,s0) @@ -151,6 +153,7 @@ fs_noxattr_type(dosfs_t) allow dosfs_t fs_t:filesystem associate; genfscon fat / gen_context(system_u:object_r:dosfs_t,s0) genfscon msdos / gen_context(system_u:object_r:dosfs_t,s0) +genfscon ntfs-3g / gen_context(system_u:object_r:dosfs_t,s0) genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0) genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index 1b65900..39fd13f 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -2302,6 +2302,67 @@ interface(`kernel_dontaudit_udp_recvfrom_unlabeled',` ######################################## ## +## Receive Raw IP packets from a NetLabel connection. +## +## +##

+## Receive Raw IP packets from a NetLabel connection, NetLabel is an +## explicit packet labeling framework which implements CIPSO and +## similar protocols. +##

+##

+## The corenetwork interface +## corenet_raw_recv_netlabel() should +## be used instead of this one. +##

+##
+## +## +## Domain allowed access. +## +## +# +interface(`kernel_raw_recvfrom_unlabeled',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:rawip_socket recvfrom; +') + +######################################## +## +## Do not audit attempts to receive Raw IP packets from a NetLabel +## connection. +## +## +##

+## Do not audit attempts to receive Raw IP packets from a NetLabel +## connection. NetLabel is an explicit packet labeling framework +## which implements CIPSO and similar protocols. +##

+##

+## The corenetwork interface +## corenet_dontaudit_raw_recv_netlabel() should +## be used instead of this one. +##

+##
+## +## +## Domain to not audit. +## +## +# +interface(`kernel_dontaudit_raw_recvfrom_unlabeled',` + gen_require(` + type unlabeled_t; + ') + + dontaudit $1 unlabeled_t:rawip_socket recvfrom; +') + +######################################## +## ## Send and receive unlabeled packets. ## ## diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 5a3e4b1..82df349 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -1,5 +1,5 @@ -policy_module(kernel,1.5.0) +policy_module(kernel,1.5.1) ######################################## # @@ -239,6 +239,11 @@ mcs_process_set_categories(kernel_t) mls_process_read_up(kernel_t) mls_process_write_down(kernel_t) +ifdef(`distro_redhat',` + # Bugzilla 222337 + fs_rw_tmpfs_chr_files(kernel_t) +') + ifdef(`targeted_policy',` unconfined_domain(kernel_t) ') @@ -345,7 +350,7 @@ optional_policy(` # Rules for unconfined acccess to this module # -allow kern_unconfined proc_type:{ dir file } *; +allow kern_unconfined proc_type:{ dir file lnk_file } *; allow kern_unconfined sysctl_t:{ dir file } *; diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index e0d1aeb..2921718 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -1,5 +1,5 @@ -policy_module(apache,1.5.1) +policy_module(apache,1.5.2) # # NOTES: @@ -425,6 +425,11 @@ optional_policy(` ') optional_policy(` + snmp_dontaudit_read_snmp_var_lib_files(httpd_t) + snmp_dontaudit_write_snmp_var_lib_files(httpd_t) +') + +optional_policy(` udev_read_db(httpd_t) ') @@ -684,10 +689,6 @@ optional_policy(` nscd_socket_use(httpd_unconfined_script_t) ') -optional_policy(` - snmp_dontaudit_read_snmp_var_lib_files(httpd_t) -') - ######################################## # # httpd_rotatelogs local policy diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te index f4875ea..fa62ace 100644 --- a/policy/modules/services/apm.te +++ b/policy/modules/services/apm.te 
@@ -1,5 +1,5 @@ -policy_module(apm,1.3.0) +policy_module(apm,1.3.1) ######################################## # @@ -109,6 +109,7 @@ term_dontaudit_use_console(apmd_t) corecmd_exec_all_executables(apmd_t) domain_read_all_domains_state(apmd_t) +domain_dontaudit_ptrace_all_domains(apmd_t) domain_use_interactive_fds(apmd_t) domain_dontaudit_getattr_all_sockets(apmd_t) domain_dontaudit_getattr_all_key_sockets(apmd_t) # Excessive? diff --git a/policy/modules/services/automount.fc b/policy/modules/services/automount.fc index 746c120..4a150eb 100644 --- a/policy/modules/services/automount.fc +++ b/policy/modules/services/automount.fc @@ -2,7 +2,6 @@ # /etc # /etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0) -/etc/auto\..+ -- gen_context(system_u:object_r:automount_etc_t,s0) # # /usr diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te index 0e7ba1b..ec2f092 100644 --- a/policy/modules/services/automount.te +++ b/policy/modules/services/automount.te @@ -1,5 +1,5 @@ -policy_module(automount,1.4.0) +policy_module(automount,1.4.1) ######################################## # @@ -13,9 +13,6 @@ init_daemon_domain(automount_t,automount_exec_t) type automount_var_run_t; files_pid_file(automount_var_run_t) -type automount_etc_t; -files_config_file(automount_etc_t) - type automount_lock_t; files_lock_file(automount_lock_t) @@ -28,7 +25,7 @@ files_mountpoint(automount_tmp_t) # Local policy # -allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override sys_admin }; +allow automount_t self:capability { net_bind_service setgid setuid sys_nice sys_resource dac_override sys_admin }; dontaudit automount_t self:capability sys_tty_config; allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit }; allow automount_t self:fifo_file rw_fifo_file_perms; 
@@ -40,9 +37,6 @@ allow automount_t self:rawip_socket create_socket_perms; allow automount_t self:netlink_route_socket r_netlink_socket_perms; -allow automount_t automount_etc_t:file { getattr read }; -# because config files can be shell scripts -can_exec(automount_t, automount_etc_t) can_exec(automount_t, automount_exec_t) allow automount_t automount_lock_t:file manage_file_perms; diff --git a/policy/modules/services/ccs.fc b/policy/modules/services/ccs.fc index 12ac6d7..0ec5ba1 100644 --- a/policy/modules/services/ccs.fc +++ b/policy/modules/services/ccs.fc @@ -4,5 +4,7 @@ /usr/sbin/aisexec -- gen_context(system_u:object_r:ccs_exec_t,s0) +/var/lib/openais(/.*)? gen_context(system_u:object_r:ccs_var_lib_t,s0) + /var/run/cluster(/.*)? gen_context(system_u:object_r:ccs_var_run_t,s0) /var/run/cman_.* -s gen_context(system_u:object_r:ccs_var_run_t,s0) diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te index ce2c80f..e18344b 100644 --- a/policy/modules/services/ccs.te +++ b/policy/modules/services/ccs.te @@ -1,5 +1,5 @@ -policy_module(ccs,1.0.0) +policy_module(ccs,1.0.1) ######################################## # @@ -18,6 +18,10 @@ files_type(cluster_conf_t) type ccs_var_log_t; logging_log_file(ccs_var_log_t) +# var lib files +type ccs_var_lib_t; +logging_log_file(ccs_var_lib_t) + # pid files type ccs_var_run_t; files_pid_file(ccs_var_run_t) @@ -27,7 +31,7 @@ files_pid_file(ccs_var_run_t) # ccs local policy # -allow ccs_t self:capability { ipc_lock sys_nice sys_resource }; +allow ccs_t self:capability { ipc_lock sys_nice sys_resource sys_admin }; allow ccs_t self:process { signal setrlimit setsched }; allow ccs_t self:fifo_file { read write }; allow ccs_t self:unix_stream_socket { connectto create_stream_socket_perms }; 
@@ -46,6 +50,11 @@ manage_sock_files_pattern(ccs_t,ccs_var_log_t,ccs_var_log_t) allow ccs_t ccs_var_log_t:dir setattr; logging_log_filetrans(ccs_t,ccs_var_log_t,{ sock_file file dir }) +# var lib files +manage_dirs_pattern(ccs_t,ccs_var_lib_t,ccs_var_lib_t) +manage_files_pattern(ccs_t,ccs_var_lib_t,ccs_var_lib_t) +files_var_lib_filetrans(ccs_t,ccs_var_lib_t,{ file dir }) + # pid file manage_dirs_pattern(ccs_t,ccs_var_run_t,ccs_var_run_t) manage_files_pattern(ccs_t,ccs_var_run_t,ccs_var_run_t) @@ -87,6 +96,11 @@ miscfiles_read_localization(ccs_t) sysnet_dns_name_resolve(ccs_t) +ifdef(`hide_broken_symptoms', ` + corecmd_dontaudit_write_sbin_dirs(ccs_t) + files_manage_isid_type_files(ccs_t) +') + ifdef(`targeted_policy',` term_dontaudit_use_generic_ptys(ccs_t) term_dontaudit_use_unallocated_ttys(ccs_t) diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te index 8aaab57..85d6770 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -1,5 +1,5 @@ -policy_module(cups,1.5.0) +policy_module(cups,1.5.1) ######################################## # @@ -203,6 +203,10 @@ files_read_var_files(cupsd_t) files_read_var_symlinks(cupsd_t) # for /etc/printcap files_dontaudit_write_etc_files(cupsd_t) +# smbspool seems to be iterating through all existing tmp files. +# redhat bug #214953 +# cjp: this might be a broken behavior +files_dontaudit_getattr_all_tmp_files(cupsd_t) selinux_compute_access_vector(cupsd_t) diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if index 4dca3f6..02a89a7 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if 
@@ -71,6 +71,7 @@ template(`dbus_per_role_template',` allow $1_dbusd_t self:process { getattr sigkill signal }; allow $1_dbusd_t self:file { getattr read write }; + allow $1_dbusd_t self:fifo_file rw_fifo_file_perms; allow $1_dbusd_t self:dbus { send_msg acquire_svc }; allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms; allow $1_dbusd_t self:unix_dgram_socket create_socket_perms; @@ -102,22 +103,6 @@ template(`dbus_per_role_template',` kernel_read_system_state($1_dbusd_t) kernel_read_kernel_sysctls($1_dbusd_t) - corenet_non_ipsec_sendrecv($1_dbusd_t) - corenet_tcp_sendrecv_all_if($1_dbusd_t) - corenet_tcp_sendrecv_all_nodes($1_dbusd_t) - corenet_tcp_sendrecv_all_ports($1_dbusd_t) - corenet_tcp_bind_all_nodes($1_dbusd_t) - corenet_tcp_bind_reserved_port($1_dbusd_t) - - dev_read_urand($1_dbusd_t) - - selinux_get_fs_mount($1_dbusd_t) - selinux_validate_context($1_dbusd_t) - selinux_compute_access_vector($1_dbusd_t) - selinux_compute_create_context($1_dbusd_t) - selinux_compute_relabel_context($1_dbusd_t) - selinux_compute_user_contexts($1_dbusd_t) - corecmd_list_bin($1_dbusd_t) corecmd_read_bin_symlinks($1_dbusd_t) corecmd_read_bin_files($1_dbusd_t) 
@@ -129,11 +114,32 @@ template(`dbus_per_role_template',` corecmd_read_sbin_pipes($1_dbusd_t) corecmd_read_sbin_sockets($1_dbusd_t) + corenet_non_ipsec_sendrecv($1_dbusd_t) + corenet_tcp_sendrecv_all_if($1_dbusd_t) + corenet_tcp_sendrecv_all_nodes($1_dbusd_t) + corenet_tcp_sendrecv_all_ports($1_dbusd_t) + corenet_tcp_bind_all_nodes($1_dbusd_t) + corenet_tcp_bind_reserved_port($1_dbusd_t) + + dev_read_urand($1_dbusd_t) + + domain_use_interactive_fds($1_dbusd_t) + files_read_etc_files($1_dbusd_t) files_list_home($1_dbusd_t) files_read_usr_files($1_dbusd_t) files_dontaudit_search_var($1_dbusd_t) + fs_getattr_romfs($1_dbusd_t) + fs_getattr_xattr_fs($1_dbusd_t) + + selinux_get_fs_mount($1_dbusd_t) + selinux_validate_context($1_dbusd_t) + selinux_compute_access_vector($1_dbusd_t) + selinux_compute_create_context($1_dbusd_t) + selinux_compute_relabel_context($1_dbusd_t) + selinux_compute_user_contexts($1_dbusd_t) + auth_read_pam_console_data($1_dbusd_t) libs_use_ld_so($1_dbusd_t) diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index 51f6d4f..27d83f1 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -1,5 +1,5 @@ -policy_module(dbus,1.4.0) +policy_module(dbus,1.4.1) gen_require(` class dbus { send_msg acquire_svc }; diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if index 86c18ec..954a746 100644 --- a/policy/modules/services/ftp.if +++ b/policy/modules/services/ftp.if @@ -24,6 +24,10 @@ ## # template(`ftp_per_role_template',` + gen_require(` + type ftpd_t; + ') + tunable_policy(`ftpd_is_daemon',` userdom_manage_user_home_content_files($1,ftpd_t) userdom_manage_user_home_content_symlinks($1,ftpd_t) diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te index 4d45942..c4a5d18 100644 --- a/policy/modules/services/ftp.te +++ b/policy/modules/services/ftp.te 
@@ -1,5 +1,5 @@ -policy_module(ftp,1.4.0) +policy_module(ftp,1.4.1) ######################################## # @@ -102,6 +102,8 @@ corenet_tcp_bind_all_nodes(ftpd_t) corenet_tcp_bind_ftp_port(ftpd_t) corenet_tcp_bind_ftp_data_port(ftpd_t) corenet_tcp_bind_generic_port(ftpd_t) +corenet_tcp_bind_all_unreserved_ports(ftpd_t) +corenet_dontaudit_tcp_bind_all_ports(ftpd_t) corenet_tcp_connect_all_ports(ftpd_t) corenet_sendrecv_ftp_server_packets(ftpd_t) @@ -123,6 +125,7 @@ auth_domtrans_chk_passwd(ftpd_t) auth_append_login_records(ftpd_t) #kerberized ftp requires the following auth_write_login_records(ftpd_t) +auth_append_faillog(ftpd_t) init_use_fds(ftpd_t) init_use_script_ptys(ftpd_t) @@ -173,6 +176,11 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',` fs_manage_nfs_files(ftpd_t) ') +tunable_policy(`allow_ftpd_full_access',` + allow ftpd_t self:capability { dac_override dac_read_search }; + auth_manage_all_files_except_shadow(ftpd_t) +') + tunable_policy(`ftp_home_dir',` allow ftpd_t self:capability { dac_override dac_read_search }; diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if index 6a37e69..d220329 100644 --- a/policy/modules/services/hal.if +++ b/policy/modules/services/hal.if @@ -20,6 +20,43 @@ interface(`hal_domtrans',` ######################################## ## +## Do not audit attempts to use file descriptors from hal. +## +## +## +## Domain to not audit. +## +## +# +interface(`hal_dontaudit_use_fds',` + gen_require(` + type hald_t; + ') + + dontaudit $1 hald_t:fd use; +') + +######################################## +## +## Do not audit attempts to read and write to +## hald unnamed pipes. +## +## +## +## Domain to not audit. +## +## +# +interface(`hal_dontaudit_rw_pipes',` + gen_require(` + type hald_t; + ') + + dontaudit $1 hald_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## ## Send to hal over a unix domain ## datagram socket. ## 
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te index 7d7caab..955e4ff 100644 --- a/policy/modules/services/hal.te +++ b/policy/modules/services/hal.te @@ -1,5 +1,5 @@ -policy_module(hal,1.5.0) +policy_module(hal,1.5.1) ######################################## # diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te index f1431a2..f5f590b 100644 --- a/policy/modules/services/inetd.te +++ b/policy/modules/services/inetd.te @@ -1,5 +1,5 @@ -policy_module(inetd,1.2.0) +policy_module(inetd,1.2.1) ######################################## # @@ -37,10 +37,11 @@ files_pid_file(inetd_child_var_run_t) allow inetd_t self:capability { setuid setgid }; dontaudit inetd_t self:capability sys_tty_config; -allow inetd_t self:process setsched; +allow inetd_t self:process { setsched setexec }; allow inetd_t self:fifo_file rw_fifo_file_perms; allow inetd_t self:tcp_socket create_stream_socket_perms; allow inetd_t self:udp_socket create_socket_perms; +allow inetd_t self:fd use; allow inetd_t inetd_log_t:file manage_file_perms; logging_log_filetrans(inetd_t,inetd_log_t,file) @@ -55,6 +56,8 @@ files_pid_filetrans(inetd_t,inetd_var_run_t,file) kernel_read_kernel_sysctls(inetd_t) kernel_list_proc(inetd_t) kernel_read_proc_symlinks(inetd_t) +kernel_read_system_state(inetd_t) +kernel_tcp_recvfrom_unlabeled(inetd_t) # base networking: corenet_non_ipsec_sendrecv(inetd_t) @@ -88,6 +91,7 @@ corenet_udp_bind_rsync_port(inetd_t) corenet_tcp_bind_swat_port(inetd_t) corenet_udp_bind_swat_port(inetd_t) corenet_udp_bind_tftp_port(inetd_t) +corenet_tcp_bind_ssh_port(inetd_t) # service port packets: corenet_sendrecv_amanda_server_packets(inetd_t) @@ -109,6 +113,9 @@ dev_read_sysfs(inetd_t) fs_getattr_all_fs(inetd_t) fs_search_auto_mountpoints(inetd_t) +selinux_validate_context(inetd_t) +selinux_compute_create_context(inetd_t) + term_dontaudit_use_console(inetd_t) # Run other daemons in the inetd_child_t domain. 
@@ -129,11 +136,23 @@ logging_send_syslog_msg(inetd_t) miscfiles_read_localization(inetd_t) +# xinetd needs MLS override privileges to work +mls_fd_use_all_levels(inetd_t) +mls_fd_share_all_levels(inetd_t) +mls_socket_read_to_clearance(inetd_t) +mls_process_set_level(inetd_t) +mls_socket_read_to_clearance(inetd_t) + sysnet_read_config(inetd_t) userdom_dontaudit_use_unpriv_user_fds(inetd_t) userdom_dontaudit_search_sysadm_home_dirs(inetd_t) +ifdef(`enable_mls',` + corenet_tcp_recv_netlabel(inetd_t) + corenet_udp_recv_netlabel(inetd_t) +') + ifdef(`targeted_policy',` term_dontaudit_use_unallocated_ttys(inetd_t) term_dontaudit_use_generic_ptys(inetd_t) @@ -209,10 +228,8 @@ miscfiles_read_localization(inetd_child_t) sysnet_read_config(inetd_child_t) -ifdef(`strict_policy',` - tunable_policy(`run_ssh_inetd',` - corenet_tcp_bind_ssh_port(inetd_t) - ') +ifdef(`targeted_policy',` + unconfined_domain(inetd_child_t) ') optional_policy(` diff --git a/policy/modules/services/irqbalance.te b/policy/modules/services/irqbalance.te index 5c73ace..9dee225 100644 --- a/policy/modules/services/irqbalance.te +++ b/policy/modules/services/irqbalance.te @@ -1,5 +1,5 @@ -policy_module(irqbalance,1.0.0) +policy_module(irqbalance,1.0.1) ######################################## # @@ -18,12 +18,16 @@ files_pid_file(irqbalance_var_run_t) # Local policy # +allow irqbalance_t self:capability net_admin; +allow irqbalance_t self:udp_socket create_socket_perms; + dontaudit irqbalance_t self:capability sys_tty_config; allow irqbalance_t self:process signal_perms; manage_files_pattern(irqbalance_t,irqbalance_var_run_t,irqbalance_var_run_t) files_pid_filetrans(irqbalance_t,irqbalance_var_run_t,file) +kernel_read_network_state(irqbalance_t) kernel_read_system_state(irqbalance_t) kernel_read_kernel_sysctls(irqbalance_t) kernel_rw_irq_sysctls(irqbalance_t) diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if index 99a57b8..14d3719 100644 
--- a/policy/modules/services/kerberos.if +++ b/policy/modules/services/kerberos.if @@ -40,7 +40,8 @@ interface(`kerberos_use',` files_search_etc($1) allow $1 krb5_conf_t:file { getattr read }; dontaudit $1 krb5_conf_t:file write; - dontaudit $1 krb5kdc_conf_t:dir r_dir_perms; + dontaudit $1 krb5kdc_conf_t:dir list_dir_perms; + dontaudit $1 krb5kdc_conf_t:file read_file_perms; tunable_policy(`allow_kerberos',` allow $1 self:tcp_socket create_socket_perms; @@ -63,6 +64,12 @@ interface(`kerberos_use',` sysnet_read_config($1) sysnet_dns_name_resolve($1) ') + + optional_policy(` + tunable_policy(`allow_kerberos',` + pcscd_stream_connect($1) + ') + ') ') ######################################## diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te index 60b2d44..e5d8f46 100644 --- a/policy/modules/services/kerberos.te +++ b/policy/modules/services/kerberos.te @@ -1,5 +1,5 @@ -policy_module(kerberos,1.3.0) +policy_module(kerberos,1.3.1) ######################################## # diff --git a/policy/modules/services/ktalk.fc b/policy/modules/services/ktalk.fc index 379e4e8..47d0bf3 100644 --- a/policy/modules/services/ktalk.fc +++ b/policy/modules/services/ktalk.fc @@ -1,4 +1,7 @@ -/usr/bin/in\.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0) /usr/bin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0) + +/usr/sbin/in\.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0) +/usr/sbin/in\.ntalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0) + /var/log/talkd.* -- gen_context(system_u:object_r:ktalkd_log_t,s0) diff --git a/policy/modules/services/ktalk.te b/policy/modules/services/ktalk.te index bef8d80..4b6cdd0 100644 --- a/policy/modules/services/ktalk.te +++ b/policy/modules/services/ktalk.te @@ -1,5 +1,5 @@ -policy_module(ktalk,1.3.0) +policy_module(ktalk,1.3.1) ######################################## # 
@@ -77,6 +77,11 @@ miscfiles_read_localization(ktalkd_t) sysnet_read_config(ktalkd_t) +ifdef(`targeted_policy',` + term_dontaudit_use_generic_ptys(ktalkd_t) + term_dontaudit_use_unallocated_ttys(ktalkd_t) +') + optional_policy(` nis_use_ypbind(ktalkd_t) ') diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if index 84ec5d2..ce2b1f6 100644 --- a/policy/modules/services/lpd.if +++ b/policy/modules/services/lpd.if 
@@ -64,31 +64,33 @@ template(`lpd_per_role_template',` allow $1_lpr_t self:udp_socket create_socket_perms; allow $1_lpr_t self:netlink_route_socket r_netlink_socket_perms; - # lpr can run in lightweight mode, without a local print spooler. - allow $1_lpr_t lpd_var_run_t:dir search; - allow $1_lpr_t lpd_var_run_t:sock_file write; - files_read_var_files($1_lpr_t) - - # Connect to lpd via a Unix domain socket. - allow $1_lpr_t printer_t:sock_file rw_file_perms; - allow $1_lpr_t lpd_t:unix_stream_socket connectto; - # Send SIGHUP to lpd. - allow $1_lpr_t lpd_t:process signal; - can_exec($1_lpr_t,lpr_exec_t) - manage_dirs_pattern($1_lpr_t,$1_lpr_tmp_t,$1_lpr_tmp_t) - manage_files_pattern($1_lpr_t,$1_lpr_tmp_t,$1_lpr_tmp_t) - files_tmp_filetrans($1_lpr_t, $1_lpr_tmp_t, { file dir }) - - manage_files_pattern($1_lpr_t,print_spool_t,$1_print_spool_t) - filetrans_pattern($1_lpr_t,print_spool_t,$1_print_spool_t,file) - # Read and write shared files in the spool directory. - allow $1_lpr_t print_spool_t:file rw_file_perms; - - allow $1_lpr_t printconf_t:dir list_dir_perms; - read_files_pattern($1_lpr_t,printconf_t,printconf_t) - read_lnk_files_pattern($1_lpr_t,printconf_t,printconf_t) + tunable_policy(`use_lpd_server',` + # lpr can run in lightweight mode, without a local print spooler. + allow $1_lpr_t lpd_var_run_t:dir search; + allow $1_lpr_t lpd_var_run_t:sock_file write; + files_read_var_files($1_lpr_t) + + # Connect to lpd via a Unix domain socket. + allow $1_lpr_t printer_t:sock_file rw_sock_file_perms; + allow $1_lpr_t lpd_t:unix_stream_socket connectto; + # Send SIGHUP to lpd. 
+ allow $1_lpr_t lpd_t:process signal; + + manage_dirs_pattern($1_lpr_t,$1_lpr_tmp_t,$1_lpr_tmp_t) + manage_files_pattern($1_lpr_t,$1_lpr_tmp_t,$1_lpr_tmp_t) + files_tmp_filetrans($1_lpr_t, $1_lpr_tmp_t, { file dir }) + + manage_files_pattern($1_lpr_t,print_spool_t,$1_print_spool_t) + filetrans_pattern($1_lpr_t,print_spool_t,$1_print_spool_t,file) + # Read and write shared files in the spool directory. + allow $1_lpr_t print_spool_t:file rw_file_perms; + + allow $1_lpr_t printconf_t:dir list_dir_perms; + read_files_pattern($1_lpr_t,printconf_t,printconf_t) + read_lnk_files_pattern($1_lpr_t,printconf_t,printconf_t) + ') dontaudit $1_lpr_t $2:unix_stream_socket { read write }; @@ -215,10 +217,14 @@ template(`lpd_per_role_template',` template(`lpr_admin_template',` gen_require(` type $1_lpr_t; + type print_spool_t; ') userdom_read_all_users_home_content_files($1_lpr_t) + # Read and write shared files in the spool directory. + allow $1_lpr_t print_spool_t:file rw_file_perms; + # Allow per user lpr domain read acces for specific user. tunable_policy(`read_untrusted_content',` userdom_read_all_untrusted_content($1_lpr_t) diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te index 9ccebb5..26c1f0b 100644 --- a/policy/modules/services/lpd.te +++ b/policy/modules/services/lpd.te @@ -1,5 +1,5 @@ -policy_module(lpd,1.4.0) +policy_module(lpd,1.4.1) ######################################## # diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if index 1a03d84..768578b 100644 --- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if @@ -40,6 +40,11 @@ interface(`mta_stub',` # template(`mta_base_mail_template',` + gen_require(` + attribute user_mail_domain; + type sendmail_exec_t; + ') + ############################## # # $1_mail_t declarations 
@@ -174,6 +179,10 @@ template(`mta_base_mail_template',` ## # template(`mta_per_role_template',` + gen_require(` + attribute mta_user_agent; + attribute mailserver_delivery; + ') ############################## # diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te index 41762f2..0f081b4 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -1,5 +1,5 @@ -policy_module(mta,1.5.0) +policy_module(mta,1.5.1) ######################################## # @@ -58,6 +58,7 @@ dev_read_urand(system_mail_t) init_use_script_ptys(system_mail_t) userdom_use_sysadm_terms(system_mail_t) +userdom_dontaudit_search_sysadm_home_dirs(system_mail_t) ifdef(`targeted_policy',` typealias system_mail_t alias sysadm_mail_t; diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te index 5651f8b..7722bc2 100644 --- a/policy/modules/services/networkmanager.te +++ b/policy/modules/services/networkmanager.te @@ -1,5 +1,5 @@ -policy_module(networkmanager,1.5.0) +policy_module(networkmanager,1.5.1) ######################################## # @@ -119,6 +119,8 @@ ifdef(`targeted_policy', ` term_dontaudit_use_unallocated_ttys(NetworkManager_t) term_dontaudit_use_generic_ptys(NetworkManager_t) files_dontaudit_read_root_files(NetworkManager_t) + # Read gnome-keyring + userdom_read_generic_user_home_content_files(NetworkManager_t) optional_policy(` unconfined_rw_pipes(NetworkManager_t) diff --git a/policy/modules/services/nis.fc b/policy/modules/services/nis.fc index ff9ec1e..cc23fb5 100644 --- a/policy/modules/services/nis.fc +++ b/policy/modules/services/nis.fc 
@@ -6,7 +6,7 @@ /usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) /usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) -/usr/sbin/rpc\.ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) +/usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) /usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0) /var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0) diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if index df40154..1634307 100644 --- a/policy/modules/services/nis.if +++ b/policy/modules/services/nis.if @@ -50,12 +50,12 @@ interface(`nis_use_ypbind_uncond',` corenet_udp_bind_generic_port($1) corenet_tcp_bind_reserved_port($1) corenet_udp_bind_reserved_port($1) - corenet_dontaudit_tcp_bind_all_reserved_ports($1) - corenet_dontaudit_udp_bind_all_reserved_ports($1) + corenet_dontaudit_tcp_bind_all_ports($1) + corenet_dontaudit_udp_bind_all_ports($1) corenet_tcp_connect_portmap_port($1) corenet_tcp_connect_reserved_port($1) corenet_tcp_connect_generic_port($1) - corenet_dontaudit_tcp_connect_all_reserved_ports($1) + corenet_dontaudit_tcp_connect_all_ports($1) corenet_sendrecv_portmap_client_packets($1) corenet_sendrecv_generic_client_packets($1) corenet_sendrecv_generic_server_packets($1) @@ -81,8 +81,6 @@ interface(`nis_use_ypbind',` tunable_policy(`allow_ypbind',` nis_use_ypbind_uncond($1) - ',` - dontaudit $1 var_yp_t:dir search; ') ') diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te index b4b8f56..f8cbabd 100644 --- a/policy/modules/services/nis.te +++ b/policy/modules/services/nis.te @@ -1,5 +1,5 @@ -policy_module(nis,1.3.0) +policy_module(nis,1.3.1) ######################################## # @@ -285,6 +285,7 @@ corecmd_exec_bin(ypserv_t) domain_use_interactive_fds(ypserv_t) files_read_var_files(ypserv_t) +files_read_etc_files(ypserv_t) init_use_fds(ypserv_t) init_use_script_ptys(ypserv_t) 
@@ -324,6 +325,10 @@ optional_policy(` # allow ypxfr_t self:unix_stream_socket create_stream_socket_perms; +allow ypxfr_t self:tcp_socket connected_socket_perms; +allow ypxfr_t self:udp_socket create_socket_perms; + +manage_files_pattern(ypxfr_t, var_yp_t, var_yp_t) allow ypxfr_t ypserv_t:tcp_socket { read write }; allow ypxfr_t ypserv_t:udp_socket { read write }; @@ -352,3 +357,5 @@ files_search_usr(ypxfr_t) libs_use_shared_libs(ypxfr_t) libs_use_ld_so(ypxfr_t) + +sysnet_read_config(ypxfr_t) diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te index 3a4925b..fe31de3 100644 --- a/policy/modules/services/nscd.te +++ b/policy/modules/services/nscd.te @@ -1,5 +1,5 @@ -policy_module(nscd,1.3.0) +policy_module(nscd,1.3.1) gen_require(` class nscd all_nscd_perms; @@ -35,7 +35,6 @@ allow nscd_t self:fifo_file { read write }; allow nscd_t self:unix_stream_socket create_stream_socket_perms; allow nscd_t self:unix_dgram_socket create_socket_perms; allow nscd_t self:netlink_selinux_socket create_socket_perms; -allow nscd_t self:netlink_route_socket r_netlink_socket_perms; allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; allow nscd_t self:tcp_socket create_socket_perms; allow nscd_t self:udp_socket create_socket_perms; @@ -66,6 +65,7 @@ term_dontaudit_use_console(nscd_t) # for when /etc/passwd has just been updated and has the wrong type auth_getattr_shadow(nscd_t) +auth_use_nsswitch(nscd_t) corenet_non_ipsec_sendrecv(nscd_t) corenet_tcp_sendrecv_all_if(nscd_t) @@ -99,14 +99,12 @@ libs_use_shared_libs(nscd_t) logging_send_syslog_msg(nscd_t) -miscfiles_read_certs(nscd_t) miscfiles_read_localization(nscd_t) seutil_read_config(nscd_t) seutil_read_default_contexts(nscd_t) seutil_sigchld_newrole(nscd_t) -sysnet_dns_name_resolve(nscd_t) sysnet_read_config(nscd_t) userdom_dontaudit_use_unpriv_user_fds(nscd_t) 
@@ -122,14 +120,6 @@ ifdef(`targeted_policy',` ') optional_policy(` - nis_use_ypbind(nscd_t) -') - -optional_policy(` - samba_stream_connect_winbind(nscd_t) -') - -optional_policy(` udev_read_db(nscd_t) ') diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te index 5f0e997..9419a6d 100644 --- a/policy/modules/services/openvpn.te +++ b/policy/modules/services/openvpn.te @@ -1,5 +1,5 @@ -policy_module(openvpn,1.1.0) +policy_module(openvpn,1.1.1) ######################################## # @@ -28,11 +28,11 @@ files_pid_file(openvpn_var_run_t) # openvpn local policy # -allow openvpn_t self:capability { net_admin setgid setuid sys_tty_config }; +allow openvpn_t self:capability { net_bind_service net_admin setgid setuid sys_tty_config }; allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto }; allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow openvpn_t self:udp_socket create_socket_perms; -allow openvpn_t self:tcp_socket create_socket_perms; +allow openvpn_t self:tcp_socket server_stream_socket_perms; allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms; allow openvpn_t openvpn_etc_t:dir list_dir_perms; diff --git a/policy/modules/services/pcscd.fc b/policy/modules/services/pcscd.fc new file mode 100644 index 0000000..f2df0fc --- /dev/null +++ b/policy/modules/services/pcscd.fc @@ -0,0 +1,5 @@ +/var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0) +/var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0) +/var/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0) + +/usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0) diff --git a/policy/modules/services/pcscd.if b/policy/modules/services/pcscd.if new file mode 100644 index 0000000..5c77c32 --- /dev/null +++ b/policy/modules/services/pcscd.if 
@@ -0,0 +1,58 @@ +## PCSC smart card service + +######################################## +## +## Execute a domain transition to run pcscd. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`pcscd_domtrans',` + gen_require(` + type pcscd_t, pcscd_exec_t; + ') + + domtrans_pattern($1,pcscd_exec_t,pcscd_t) +') + +######################################## +## +## Read pcscd pub files. +## +## +## +## Domain allowed access. +## +## +# +interface(`pcscd_read_pub_files',` + gen_require(` + type pcscd_var_run_t; + ') + + files_search_pids($1) + allow $1 pcscd_var_run_t:file read_file_perms; +') + +######################################## +## +## Connect to pcscd over an unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`pcscd_stream_connect',` + gen_require(` + type pcscd_t, pcscd_var_run_t; + ') + + files_search_pids($1) + allow $1 pcscd_var_run_t:sock_file write; + allow $1 pcscd_t:unix_stream_socket connectto; +') diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te new file mode 100644 index 0000000..f065d8a --- /dev/null +++ b/policy/modules/services/pcscd.te 
@@ -0,0 +1,69 @@ + +policy_module(pcscd,1.0.0) + +######################################## +# +# Declarations +# + +type pcscd_t; +type pcscd_exec_t; +domain_type(pcscd_t) +init_daemon_domain(pcscd_t, pcscd_exec_t) + +# pid files +type pcscd_var_run_t; +files_pid_file(pcscd_var_run_t) + +######################################## +# +# pcscd local policy +# + +allow pcscd_t self:capability { dac_override dac_read_search }; +allow pcscd_t self:fifo_file { read write }; +allow pcscd_t self:unix_stream_socket create_stream_socket_perms; +allow pcscd_t self:unix_dgram_socket create_socket_perms; +allow pcscd_t self:tcp_socket create_stream_socket_perms; + +manage_files_pattern(pcscd_t,pcscd_var_run_t,pcscd_var_run_t) +manage_sock_files_pattern(pcscd_t,pcscd_var_run_t,pcscd_var_run_t) +files_pid_filetrans(pcscd_t,pcscd_var_run_t, { file sock_file }) + +corenet_tcp_sendrecv_all_if(pcscd_t) +corenet_tcp_sendrecv_all_nodes(pcscd_t) +corenet_tcp_sendrecv_all_ports(pcscd_t) +corenet_non_ipsec_sendrecv(pcscd_t) +corenet_tcp_connect_http_port(pcscd_t) + +dev_rw_generic_usb_dev(pcscd_t) +dev_rw_usbfs(pcscd_t) +dev_search_sysfs(pcscd_t) + +files_read_etc_files(pcscd_t) +files_read_etc_runtime_files(pcscd_t) + +term_dontaudit_getattr_pty_dirs(pcscd_t) + +init_dontaudit_use_fds(pcscd_t) + +libs_use_ld_so(pcscd_t) +libs_use_shared_libs(pcscd_t) + +locallogin_use_fds(pcscd_t) + +logging_send_syslog_msg(pcscd_t) + +miscfiles_read_localization(pcscd_t) + +sysnet_dns_name_resolve(pcscd_t) + +ifdef(`targeted_policy',` + term_dontaudit_use_generic_ptys(pcscd_t) + term_dontaudit_use_unallocated_ttys(pcscd_t) + term_dontaudit_use_console(pcscd_t) +') + +optional_policy(` + rpm_use_script_fds(pcscd_t) +') diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te index f430d8f..f89dd6f 100644 --- a/policy/modules/services/pyzor.te +++ b/policy/modules/services/pyzor.te 
@@ -1,5 +1,5 @@ -policy_module(pyzor,1.1.0) +policy_module(pyzor,1.1.1) ######################################## # @@ -60,6 +60,10 @@ miscfiles_read_localization(pyzor_t) userdom_dontaudit_search_sysadm_home_dirs(pyzor_t) +ifdef(`targeted_policy',` + userdom_read_generic_user_home_content_files(pyzor_t) +') + optional_policy(` amavis_manage_lib_files(pyzor_t) amavis_manage_spool_files(pyzor_t) diff --git a/policy/modules/services/radvd.te b/policy/modules/services/radvd.te index 970a713..2be5e67 100644 --- a/policy/modules/services/radvd.te +++ b/policy/modules/services/radvd.te @@ -1,5 +1,5 @@ -policy_module(radvd,1.2.0) +policy_module(radvd,1.2.1) ######################################## # @@ -28,7 +28,7 @@ allow radvd_t self:rawip_socket create_socket_perms; allow radvd_t self:tcp_socket create_stream_socket_perms; allow radvd_t self:udp_socket create_socket_perms; -allow radvd_t radvd_etc_t:file { getattr read }; +allow radvd_t radvd_etc_t:file read_file_perms; manage_files_pattern(radvd_t,radvd_var_run_t,radvd_var_run_t) files_pid_filetrans(radvd_t,radvd_var_run_t,file) diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if index c58bfdf..5c5b99d 100644 --- a/policy/modules/services/razor.if +++ b/policy/modules/services/razor.if @@ -23,6 +23,9 @@ ## # template(`razor_common_domain_template',` + gen_require(` + type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t; + ') allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow $1_t self:fd use; @@ -131,6 +134,9 @@ template(`razor_common_domain_template',` ## # template(`razor_per_role_template',` + gen_require(` + type razor_exec_t; + ') type $1_razor_t; domain_type($1_razor_t) diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te index 29916f8..3a613b3 100644 --- a/policy/modules/services/razor.te +++ b/policy/modules/services/razor.te 
@@ -1,5 +1,5 @@ -policy_module(razor,1.1.0) +policy_module(razor,1.1.1) ######################################## # @@ -10,7 +10,6 @@ type razor_t; type razor_exec_t; domain_type(razor_t) domain_entry_file(razor_t,razor_exec_t) -razor_common_domain_template(razor) role system_r types razor_t; type razor_etc_t; @@ -22,6 +21,8 @@ logging_log_file(razor_log_t) type razor_var_lib_t; files_type(razor_var_lib_t) +razor_common_domain_template(razor) + ######################################## # # Local policy diff --git a/policy/modules/services/rhgb.if b/policy/modules/services/rhgb.if index 639ece6..c859f23 100644 --- a/policy/modules/services/rhgb.if +++ b/policy/modules/services/rhgb.if @@ -36,6 +36,42 @@ interface(`rhgb_use_fds',` ######################################## ## +## Get the process group of rhgb. +## +## +## +## Domain allowed access. +## +## +# +interface(`rhgb_getpgid',` + gen_require(` + type rhgb_t; + ') + + allow $1 rhgb_t:process getpgid; +') + +######################################## +## +## Send a signal to rhgb. +## +## +## +## Domain allowed access. +## +## +# +interface(`rhgb_signal',` + gen_require(` + type rhgb_t; + ') + + allow $1 rhgb_t:process signal; +') + +######################################## +## ## Read and write to unix stream sockets. ## ## 
@@ -109,6 +145,42 @@ interface(`rhgb_rw_shm',` ######################################## ## +## Read from and write to the rhgb devpts. +## +## +## +## Domain allowed access. +## +## +# +interface(`rhgb_use_ptys',` + gen_require(` + type rhgb_devpts_t; + ') + + allow $1 rhgb_devpts_t:chr_file rw_term_perms; +') + +######################################## +## +## dontaudit Read from and write to the rhgb devpts. +## +## +## +## Domain allowed access. +## +## +# +interface(`rhgb_dontaudit_use_ptys',` + gen_require(` + type rhgb_devpts_t; + ') + + dontaudit $1 rhgb_devpts_t:chr_file rw_term_perms; +') + +######################################## +## ## Read and write to rhgb temporary file system. ## ## diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te index 0c73211..cdf3651 100644 --- a/policy/modules/services/rhgb.te +++ b/policy/modules/services/rhgb.te @@ -1,5 +1,5 @@ -policy_module(rhgb,1.2.0) +policy_module(rhgb,1.2.1) ######################################## # @@ -114,6 +114,8 @@ xserver_read_xdm_xserver_tmp_files(rhgb_t) xserver_kill_xdm_xserver(rhgb_t) # for running setxkbmap xserver_read_xkb_libs(rhgb_t) +xserver_domtrans_xdm_xserver(rhgb_t) +xserver_signal_xdm_xserver(rhgb_t) ifdef(`strict_policy',` allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr }; @@ -126,7 +128,6 @@ ifdef(`strict_policy',` term_dontaudit_use_unallocated_ttys(rhgb_t) xserver_domtrans_xdm_xserver(rhgb_t) - xserver_signal_xdm_xserver(rhgb_t) xserver_read_xdm_tmp_files(rhgb_t) ') diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te index a72c725..9ff934b 100644 --- a/policy/modules/services/ricci.te +++ b/policy/modules/services/ricci.te @@ -1,5 +1,5 @@ -policy_module(ricci,1.0.0) +policy_module(ricci,1.0.1) ######################################## # 
@@ -74,6 +74,9 @@ domain_type(ricci_modstorage_t) domain_entry_file(ricci_modstorage_t, ricci_modstorage_exec_t) role system_r types ricci_modstorage_t; +type ricci_modstorage_lock_t; +files_lock_file(ricci_modstorage_lock_t) + ######################################## # # ricci local policy @@ -377,6 +380,8 @@ optional_policy(` allow ricci_modrpm_t self:fifo_file { getattr read }; +kernel_read_kernel_sysctls(ricci_modrpm_t) + corecmd_exec_bin(ricci_modrpm_t) libs_use_ld_so(ricci_modrpm_t) @@ -414,6 +419,8 @@ corecmd_exec_shell(ricci_modservice_t) files_read_etc_files(ricci_modservice_t) files_read_etc_runtime_files(ricci_modservice_t) files_search_usr(ricci_modservice_t) +# Needed for running chkconfig +files_manage_etc_symlinks(ricci_modservice_t) consoletype_exec(ricci_modservice_t) @@ -449,6 +456,9 @@ allow ricci_modstorage_t self:unix_dgram_socket create_socket_perms; kernel_read_kernel_sysctls(ricci_modstorage_t) kernel_read_system_state(ricci_modstorage_t) +create_files_pattern(ricci_modstorage_t,ricci_modstorage_lock_t,ricci_modstorage_lock_t) +files_lock_filetrans(ricci_modstorage_t,ricci_modstorage_lock_t,file) + corecmd_exec_bin(ricci_modstorage_t) corecmd_exec_sbin(ricci_modstorage_t) @@ -456,10 +466,13 @@ dev_read_sysfs(ricci_modstorage_t) dev_read_urand(ricci_modstorage_t) dev_manage_generic_blk_files(ricci_modstorage_t) +domain_dontaudit_read_all_domains_state(ricci_modstorage_t) + #Needed for editing /etc/fstab files_manage_etc_files(ricci_modstorage_t) files_read_etc_runtime_files(ricci_modstorage_t) files_read_usr_files(ricci_modstorage_t) +files_read_kernel_modules(ricci_modstorage_t) storage_raw_read_fixed_disk(ricci_modstorage_t) diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te index 9fa8c6f..2b917ff 100644 --- a/policy/modules/services/rlogin.te +++ b/policy/modules/services/rlogin.te @@ -1,5 +1,5 @@ -policy_module(rlogin,1.2.0) +policy_module(rlogin,1.2.1) ######################################## # 
@@ -61,9 +61,11 @@ corenet_udp_sendrecv_all_ports(rlogind_t) dev_read_urand(rlogind_t) fs_getattr_xattr_fs(rlogind_t) +fs_search_auto_mountpoints(rlogind_t) auth_domtrans_chk_passwd(rlogind_t) auth_rw_login_records(rlogind_t) +auth_use_nsswitch(rlogind_t) files_read_etc_files(rlogind_t) files_read_etc_runtime_files(rlogind_t) @@ -91,17 +93,6 @@ remotelogin_domtrans(rlogind_t) optional_policy(` kerberos_read_keytab(rlogind_t) - - # for identd; cjp: this should probably only be inetd_child rules? - kerberos_use(rlogind_t) -') - -optional_policy(` - nis_use_ypbind(rlogind_t) -') - -optional_policy(` - nscd_socket_use(rlogind_t) ') ifdef(`TODO',` diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc index 4e6471d..9dc1709 100644 --- a/policy/modules/services/rpc.fc +++ b/policy/modules/services/rpc.fc @@ -11,7 +11,6 @@ # # /usr # -/usr/sbin/exportfs -- gen_context(system_u:object_r:nfsd_exec_t,s0) /usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0) /usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0) /usr/sbin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0) diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te index 4077615..b487385 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -1,5 +1,5 @@ -policy_module(rpc,1.4.0) +policy_module(rpc,1.4.1) ######################################## # diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te index e0d10d5..308423f 100644 --- a/policy/modules/services/sendmail.te +++ b/policy/modules/services/sendmail.te @@ -1,5 +1,5 @@ -policy_module(sendmail,1.3.0) +policy_module(sendmail,1.3.1) ######################################## # @@ -115,6 +115,10 @@ ifdef(`targeted_policy',` ') optional_policy(` + clamav_search_lib(sendmail_t) +') + +optional_policy(` nis_use_ypbind(sendmail_t) ') 
diff --git a/policy/modules/services/setroubleshoot.if b/policy/modules/services/setroubleshoot.if index 1627cae..50c7135 100644 --- a/policy/modules/services/setroubleshoot.if +++ b/policy/modules/services/setroubleshoot.if @@ -1 +1,21 @@ ## SELinux troubleshooting service + +######################################## +## +## Connect to setroubleshootd over an unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`setroubleshoot_stream_connect',` + gen_require(` + type setroubleshootd_t, setroubleshoot_var_run_t; + ') + + files_search_pids($1) + allow $1 setroubleshoot_var_run_t:sock_file write; + allow $1 setroubleshootd_t:unix_stream_socket connectto; +') diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te index 9a11afd..2dee8bd 100644 --- a/policy/modules/services/setroubleshoot.te +++ b/policy/modules/services/setroubleshoot.te @@ -1,5 +1,5 @@ -policy_module(setroubleshoot,1.2.0) +policy_module(setroubleshoot,1.2.1) ######################################## # @@ -53,6 +53,7 @@ files_pid_filetrans(setroubleshootd_t,setroubleshoot_var_run_t, { file sock_file kernel_read_kernel_sysctls(setroubleshootd_t) kernel_read_system_state(setroubleshootd_t) +kernel_read_network_state(setroubleshootd_t) corecmd_exec_sbin(setroubleshootd_t) corecmd_exec_bin(setroubleshootd_t) diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if index a21eb21..e311ba2 100644 --- a/policy/modules/services/snmp.if +++ b/policy/modules/services/snmp.if @@ -54,7 +54,7 @@ interface(`snmp_read_snmp_var_lib_files',` ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # 
@@ -66,3 +66,21 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',` dontaudit $1 snmpd_var_lib_t:file read_file_perms; dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read }; ') + +######################################## +## +## dontaudit write snmpd libraries files. +## +## +## +## Domain to not audit. +## +## +# +interface(`snmp_dontaudit_write_snmp_var_lib_files',` + gen_require(` + type snmpd_var_lib_t; + ') + + dontaudit $1 snmpd_var_lib_t:file write; +') diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te index be5f9c0..22617e9 100644 --- a/policy/modules/services/snmp.te +++ b/policy/modules/services/snmp.te @@ -1,5 +1,5 @@ -policy_module(snmp,1.3.0) +policy_module(snmp,1.3.1) ######################################## # diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if index 46273d2..6723760 100644 --- a/policy/modules/services/spamassassin.if +++ b/policy/modules/services/spamassassin.if @@ -35,6 +35,11 @@ # toggled on activation of spamc, and similarly for spamd. template(`spamassassin_per_role_template',` + gen_require(` + type spamc_exec_t, spamassassin_exec_t; + type spamd_t, spamd_tmp_t; + ') + ############################## # # Declarations diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te index e381241..b1643ce 100644 --- a/policy/modules/services/spamassassin.te +++ b/policy/modules/services/spamassassin.te @@ -1,5 +1,5 @@ -policy_module(spamassassin,1.5.0) +policy_module(spamassassin,1.5.1) ######################################## # @@ -107,7 +107,8 @@ domain_use_interactive_fds(spamd_t) files_read_usr_files(spamd_t) files_read_etc_files(spamd_t) files_read_etc_runtime_files(spamd_t) -files_search_var_lib(spamd_t) +# /var/lib/spamassin +files_read_var_lib_files(spamd_t) init_use_fds(spamd_t) init_use_script_ptys(spamd_t) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index ffc7eb8..2299734 100644 
--- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -35,11 +35,7 @@ template(`ssh_basic_client_template',` gen_require(` attribute ssh_server; - type ssh_exec_t, sshd_key_t; - - ifdef(`strict_policy',` - type sshd_tmp_t; - ') + type ssh_exec_t, sshd_key_t, sshd_tmp_t; ') ############################## @@ -80,6 +76,11 @@ template(`ssh_basic_client_template',` # Read the ssh key file. allow $1_ssh_t sshd_key_t:file read_file_perms; + # Access the ssh temporary files. + allow $1_ssh_t sshd_tmp_t:dir manage_dir_perms; + allow $1_ssh_t sshd_tmp_t:file manage_file_perms; + files_tmp_filetrans($1_ssh_t, sshd_tmp_t, { file dir }) + # Transition from the domain to the derived domain. domtrans_pattern($2, ssh_exec_t, $1_ssh_t) @@ -147,13 +148,6 @@ template(`ssh_basic_client_template',` sysnet_read_config($1_ssh_t) sysnet_dns_name_resolve($1_ssh_t) - ifdef(`strict_policy',` - # Access the ssh temporary files. - allow $1_ssh_t sshd_tmp_t:dir manage_dir_perms; - allow $1_ssh_t sshd_tmp_t:file manage_file_perms; - files_tmp_filetrans($1_ssh_t, sshd_tmp_t, { file dir }) - ') - tunable_policy(`read_default_t',` files_list_default($1_ssh_t) files_read_default_files($1_ssh_t) @@ -225,6 +219,7 @@ template(`ssh_per_role_template',` type $1_ssh_agent_t; domain_type($1_ssh_agent_t) domain_entry_file($1_ssh_agent_t,ssh_agent_exec_t) + domain_interactive_fd($1_ssh_agent_t) role $3 types $1_ssh_agent_t; type $1_ssh_agent_tmp_t; @@ -258,11 +253,15 @@ template(`ssh_per_role_template',` allow $1_ssh_t sshd_t:unix_stream_socket connectto; + allow $2 $1_ssh_t:process signal; + userdom_use_unpriv_users_fds($1_ssh_t) userdom_dontaudit_list_user_home_dirs($1,$1_ssh_t) userdom_search_user_home_dirs($1,$1_ssh_t) # Write to the user domain tty. userdom_use_user_terminals($1,$1_ssh_t) + # needs to read krb tgt + userdom_read_user_tmp_files($1, $1_ssh_t) tunable_policy(`allow_ssh_keysign',` domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t) 
@@ -292,8 +291,6 @@ template(`ssh_per_role_template',` ') ifdef(`TODO',` - allow $1_ssh_t $1_tmp_t:dir r_dir_perms; - # for /bin/sh used to execute xauth dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read }; @@ -661,6 +658,24 @@ interface(`ssh_tcp_connect',` ######################################## ## +## Execute the ssh daemon sshd domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`ssh_domtrans',` + gen_require(` + type sshd_t, sshd_exec_t; + ') + + domtrans_pattern($1,sshd_exec_t,sshd_t) +') + +######################################## +## ## Execute the ssh client in the caller domain. ## ## diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index abd1e0d..cf9cceb 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -1,5 +1,5 @@ -policy_module(ssh,1.5.0) +policy_module(ssh,1.5.1) ######################################## # @@ -8,6 +8,10 @@ policy_module(ssh,1.5.0) attribute ssh_server; +# Type for the ssh-agent executable. +type ssh_agent_exec_t; +files_type(ssh_agent_exec_t) + # ssh client executable. type ssh_exec_t; corecmd_executable_file(ssh_exec_t) 
@@ -23,46 +27,20 @@ corecmd_executable_file(ssh_keysign_exec_t) type sshd_exec_t; corecmd_executable_file(sshd_exec_t) -type sshd_key_t; -files_type(sshd_key_t) - -ifdef(`targeted_policy',` - unconfined_alias_domain(sshd_t) - init_system_domain(sshd_t,sshd_exec_t) +ssh_server_template(sshd) +init_daemon_domain(sshd_t,sshd_exec_t) - type sshd_var_run_t; - files_type(sshd_var_run_t) +ssh_server_template(sshd_extern) - ifdef(`enable_mcs',` - init_ranged_system_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh) - ') -',` - # Type for the ssh-agent executable. - type ssh_agent_exec_t; - files_type(ssh_agent_exec_t) - - ssh_server_template(sshd) - ssh_server_template(sshd_extern) - - # cjp: commenting this out until typeattribute works in a conditional -# optional_policy(` -# tunable_policy(`run_ssh_inetd',` -# inetd_tcp_service_domain(sshd_t,sshd_exec_t) -# ',` -# init_daemon_domain(sshd_t,sshd_exec_t) -# ') -# ',` - # These rules should match the else block - # of the run_ssh_inetd tunable directly above - init_daemon_domain(sshd_t,sshd_exec_t) +type sshd_key_t; +files_type(sshd_key_t) - ifdef(`enable_mcs',` - init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh) - ') -# ') +type sshd_tmp_t; +files_tmp_file(sshd_tmp_t) +files_poly_parent(sshd_tmp_t) - type sshd_tmp_t; - files_tmp_file(sshd_tmp_t) +ifdef(`enable_mcs',` + init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh) ') ################################# 
@@ -72,79 +50,86 @@ ifdef(`targeted_policy',` # sshd_t is the domain for the sshd program. # -ifdef(`strict_policy',` - # so a tunnel can point to another ssh tunnel - allow sshd_t self:netlink_route_socket r_netlink_socket_perms; - allow sshd_t self:key { search link write }; - - manage_dirs_pattern(sshd_t,sshd_tmp_t,sshd_tmp_t) - manage_files_pattern(sshd_t,sshd_tmp_t,sshd_tmp_t) - manage_sock_files_pattern(sshd_t,sshd_tmp_t,sshd_tmp_t) - files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file }) - - kernel_link_key(sshd_t) - - # for X forwarding - corenet_tcp_bind_xserver_port(sshd_t) - corenet_sendrecv_xserver_server_packets(sshd_t) - - tunable_policy(`ssh_sysadm_login',` - # Relabel and access ptys created by sshd - # ioctl is necessary for logout() processing for utmp entry and for w to - # display the tty. - # some versions of sshd on the new SE Linux require setattr - term_use_all_user_ptys(sshd_t) - term_setattr_all_user_ptys(sshd_t) - term_relabelto_all_user_ptys(sshd_t) - - userdom_spec_domtrans_all_users(sshd_t) - userdom_signal_all_users(sshd_t) - ',` - userdom_spec_domtrans_unpriv_users(sshd_t) - userdom_signal_unpriv_users(sshd_t) +# so a tunnel can point to another ssh tunnel +allow sshd_t self:netlink_route_socket r_netlink_socket_perms; +allow sshd_t self:key { search link write }; - userdom_setattr_unpriv_users_ptys(sshd_t) - userdom_relabelto_unpriv_users_ptys(sshd_t) - userdom_use_unpriv_users_ptys(sshd_t) - ') +manage_dirs_pattern(sshd_t,sshd_tmp_t,sshd_tmp_t) +manage_files_pattern(sshd_t,sshd_tmp_t,sshd_tmp_t) +manage_sock_files_pattern(sshd_t,sshd_tmp_t,sshd_tmp_t) +files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file }) - optional_policy(` - daemontools_service_domain(sshd_t, sshd_exec_t) - ') +kernel_search_key(sshd_t) +kernel_link_key(sshd_t) - optional_policy(` - rpm_use_script_fds(sshd_t) - ') +# for X forwarding +corenet_tcp_bind_xserver_port(sshd_t) +corenet_sendrecv_xserver_server_packets(sshd_t) + 
+ifdef(`targeted_policy',` + unconfined_domain(sshd_t) +') + +tunable_policy(`ssh_sysadm_login',` + # Relabel and access ptys created by sshd + # ioctl is necessary for logout() processing for utmp entry and for w to + # display the tty. + # some versions of sshd on the new SE Linux require setattr + term_use_all_user_ptys(sshd_t) + term_setattr_all_user_ptys(sshd_t) + term_relabelto_all_user_ptys(sshd_t) + + userdom_spec_domtrans_all_users(sshd_t) + userdom_signal_all_users(sshd_t) +',` + userdom_spec_domtrans_unpriv_users(sshd_t) + userdom_signal_unpriv_users(sshd_t) + + userdom_setattr_unpriv_users_ptys(sshd_t) + userdom_relabelto_unpriv_users_ptys(sshd_t) + userdom_use_unpriv_users_ptys(sshd_t) +') + +optional_policy(` + daemontools_service_domain(sshd_t, sshd_exec_t) +') + +optional_policy(` + inetd_tcp_service_domain(sshd_t, sshd_exec_t) +') + +optional_policy(` + rpm_use_script_fds(sshd_t) +') + +optional_policy(` + rssh_spec_domtrans_all_users(sshd_t) + # For reading /home/user/.ssh + rssh_read_all_users_ro_content(sshd_t) +') + +ifdef(`TODO',` +tunable_policy(`ssh_sysadm_login',` + # Relabel and access ptys created by sshd + # ioctl is necessary for logout() processing for utmp entry and for w to + # display the tty. + # some versions of sshd on the new SE Linux require setattr + allow sshd_t ptyfile:chr_file relabelto; optional_policy(` - rssh_spec_domtrans_all_users(sshd_t) - # For reading /home/user/.ssh - rssh_read_all_users_ro_content(sshd_t) + domain_trans(sshd_t, xauth_exec_t, userdomain) ') - - ifdef(`TODO',` - tunable_policy(`ssh_sysadm_login',` - # Relabel and access ptys created by sshd - # ioctl is necessary for logout() processing for utmp entry and for w to - # display the tty. 
- # some versions of sshd on the new SE Linux require setattr - allow sshd_t ptyfile:chr_file relabelto; - - optional_policy(` - domain_trans(sshd_t, xauth_exec_t, userdomain) - ') - ',` - optional_policy(` - domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain) - ') - # Relabel and access ptys created by sshd - # ioctl is necessary for logout() processing for utmp entry and for w to - # display the tty. - # some versions of sshd on the new SE Linux require setattr - allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr }; +',` + optional_policy(` + domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain) ') - ') dnl endif TODO + # Relabel and access ptys created by sshd + # ioctl is necessary for logout() processing for utmp entry and for w to + # display the tty. + # some versions of sshd on the new SE Linux require setattr + allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr }; ') +') dnl endif TODO ################################# # diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc index 32fb0f2..084c18d 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -44,7 +44,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0) # /tmp # -/tmp/\.ICE-unix -d gen_context(system_u:object_r:ice_tmp_t,s0) +/tmp/\.ICE-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) /tmp/\.ICE-unix/.* -s <> /tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) /tmp/\.X11-unix/.* -s <> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index 46bbc13..bec19bc 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if 
@@ -45,7 +45,7 @@ template(`xserver_common_domain_template',` # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack - allow $1_xserver_t self:capability { dac_override fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; + allow $1_xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; dontaudit $1_xserver_t self:capability chown; allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow $1_xserver_t self:fd use; @@ -138,6 +138,7 @@ template(`xserver_common_domain_template',` fs_getattr_xattr_fs($1_xserver_t) fs_search_nfs($1_xserver_t) fs_search_auto_mountpoints($1_xserver_t) + fs_search_ramfs($1_xserver_t) init_getpgid($1_xserver_t) @@ -183,6 +184,11 @@ template(`xserver_common_domain_template',` ') optional_policy(` + rhgb_getpgid($1_xserver_t) + rhgb_signal($1_xserver_t) + ') + + optional_policy(` xfs_stream_connect($1_xserver_t) ') ') @@ -309,6 +315,7 @@ template(`xserver_per_role_template',` userdom_rw_user_tmpfs_files($1,$1_xserver_t) xserver_use_user_fonts($1,$1_xserver_t) + xserver_rw_xdm_tmp_files($1_xauth_t) optional_policy(` userhelper_search_config($1_xserver_t) @@ -402,6 +409,8 @@ template(`xserver_per_role_template',` allow $2 $1_iceauth_home_t:file manage_file_perms; allow $2 $1_iceauth_home_t:file { relabelfrom relabelto }; + allow xdm_t $1_iceauth_home_t:file r_file_perms; + fs_search_auto_mountpoints($1_iceauth_t) libs_use_ld_so($1_iceauth_t) @@ -525,7 +534,7 @@ template(`xserver_user_client_template',` gen_require(` type xdm_t, xdm_tmp_t; - type $1_xauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t; + type $1_xauth_home_t, $1_iceauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t; ') allow $2 self:shm create_shm_perms; 
@@ -534,6 +543,7 @@ template(`xserver_user_client_template',` # Read .Xauthority file allow $2 $1_xauth_home_t:file { getattr read }; + allow $2 $1_iceauth_home_t:file { getattr read }; # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; @@ -555,6 +565,8 @@ template(`xserver_user_client_template',` xserver_rw_session_template($1,$2,$3) xserver_use_user_fonts($1,$2) + xserver_read_xdm_tmp_files($2) + # Client write xserver shm tunable_policy(`allow_write_xshm',` allow $2 $1_xserver_t:shm rw_shm_perms; @@ -644,6 +656,39 @@ template(`xserver_domtrans_user_xauth',` ######################################## ## +## Transition to a user Xauthority domain. +## +## +##

+## Transition to a user Xauthority domain. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +template(`xserver_user_home_dir_filetrans_user_xauth',` + gen_require(` + type $1_xauth_home_t; + ') + + userdom_user_home_dir_filetrans($1, $2, $1_xauth_home_t, file) +') + +######################################## +## ## Read all users fonts, user font configurations, ## and manage all users font caches. ## @@ -914,6 +959,7 @@ interface(`xserver_domtrans_xdm_xserver',` type xdm_xserver_t, xserver_exec_t; ') + allow $1 xdm_xserver_t:process siginh; domtrans_pattern($1,xserver_exec_t,xdm_xserver_t) ') @@ -1029,6 +1075,7 @@ interface(`xserver_delete_log',` logging_search_logs($1) allow $1 xserver_log_t:dir list_dir_perms; delete_files_pattern($1,xserver_log_t,xserver_log_t) + delete_fifo_files_pattern($1,xserver_log_t,xserver_log_t) ') ######################################## 
@@ -1085,11 +1132,86 @@ interface(`xserver_read_xdm_tmp_files',` type xdm_tmp_t; ') + files_search_tmp($1) read_files_pattern($1,xdm_tmp_t,xdm_tmp_t) ') ######################################## ## +## Do not audit attempts to read xdm temporary files. +## +## +## +## Domain to not audit +## +## +# +interface(`xserver_dontaudit_read_xdm_tmp_files',` + gen_require(` + type xdm_tmp_t; + ') + + dontaudit $1 xdm_tmp_t:dir search_dir_perms; + dontaudit $1 xdm_tmp_t:file r_file_perms; +') + +######################################## +## +## Read write xdm temporary files. +## +## +## +## Domain to not audit +## +## +# +interface(`xserver_rw_xdm_tmp_files',` + gen_require(` + type xdm_tmp_t; + ') + + allow $1 xdm_tmp_t:dir search_dir_perms; + allow $1 xdm_tmp_t:file rw_file_perms; +') + +######################################## +## +## Create, read, write, and delete xdm temporary files. +## +## +## +## Domain to not audit +## +## +# +interface(`xserver_manage_xdm_tmp_files',` + gen_require(` + type xdm_tmp_t; + ') + + manage_files_pattern($1,xdm_tmp_t,xdm_tmp_t) +') + +######################################## +## +## dontaudit getattr xdm temporary named sockets. +## +## +## +## Domain to not audit +## +## +# +interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` + gen_require(` + type xdm_tmp_t; + ') + + dontaudit $1 xdm_tmp_t:sock_file getattr; +') + +######################################## +## ## Signal XDM X servers ## ## @@ -1145,6 +1267,25 @@ interface(`xserver_dontaudit_rw_xdm_xserver_tcp_sockets',` ######################################## ## +## Do not audit attempts to read and write xdm_xserver +## unix domain stream sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_dontaudit_rw_xdm_stream_sockets',` + gen_require(` + type xdm_xserver_t; + ') + + dontaudit $1 xdm_xserver_t:unix_stream_socket { read write }; +') + +######################################## +## ## Connect to xdm_xserver over a unix domain ## stream socket. ## 
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 4d584bb..25d82d4 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -1,5 +1,5 @@ -policy_module(xserver,1.3.0) +policy_module(xserver,1.3.1) ######################################## # @@ -10,9 +10,6 @@ attribute fonts_type; attribute fonts_cache_type; attribute fonts_config_type; -type ice_tmp_t; -files_tmp_file(ice_tmp_t) - type iceauth_exec_t; corecmd_executable_file(iceauth_exec_t) @@ -45,6 +42,7 @@ files_pid_file(xdm_var_run_t) type xdm_tmp_t; files_tmp_file(xdm_tmp_t) +typealias xdm_tmp_t alias ice_tmp_t; type xdm_tmpfs_t; files_tmpfs_file(xdm_tmpfs_t) 
@@ -95,23 +93,64 @@ allow xdm_t self:socket create_socket_perms; allow xdm_t self:appletalk_socket create_socket_perms; allow xdm_t self:key { search link write }; -# Supress permission check on .ICE-unix -dontaudit xdm_t ice_tmp_t:dir { getattr setattr }; - allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; -manage_dirs_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t) -manage_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t) -manage_sock_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t) -files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) - # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) +allow xdm_t xdm_lock_t:file manage_file_perms; +files_lock_filetrans(xdm_t,xdm_lock_t,file) + # wdm has its own config dir /etc/X11/wdm # this is ugly, daemons should not create files under /etc! manage_files_pattern(xdm_t,xdm_rw_etc_t,xdm_rw_etc_t) +manage_dirs_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t) +manage_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t) +manage_sock_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t) +files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) + +manage_dirs_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) +manage_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) +manage_lnk_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) +manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) +manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) +fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) + +manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t) +manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t) +files_var_lib_filetrans(xdm_t,xdm_var_lib_t,file) + +manage_dirs_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t) +manage_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t) +manage_fifo_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t) +files_pid_filetrans(xdm_t,xdm_var_run_t,{ dir file fifo_file }) + +allow xdm_t xdm_xserver_t:process signal; +allow xdm_t xdm_xserver_t:unix_stream_socket connectto; + +allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms; +allow 
xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms }; + +# transition to the xdm xserver +domtrans_pattern(xdm_t, xserver_exec_t, xdm_xserver_t) +allow xdm_xserver_t xdm_t:process signal; +allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; + +allow xdm_t xdm_xserver_t:shm rw_shm_perms; + +# connect to xdm xserver over stream socket +stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) + +# Remove /tmp/.X11-unix/X0. +delete_files_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t) +delete_sock_files_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t) + +manage_dirs_pattern(xdm_t,xserver_log_t,xserver_log_t) +manage_files_pattern(xdm_t,xserver_log_t,xserver_log_t) +manage_fifo_files_pattern(xdm_t,xserver_log_t,xserver_log_t) +logging_log_filetrans(xdm_t,xserver_log_t,file) + kernel_read_system_state(xdm_t) kernel_read_kernel_sysctls(xdm_t) kernel_read_net_sysctls(xdm_t) @@ -189,6 +228,7 @@ term_dontaudit_use_console(xdm_t) term_use_unallocated_ttys(xdm_t) term_setattr_unallocated_ttys(xdm_t) +auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) auth_rw_faillog(xdm_t) 
@@ -219,71 +259,7 @@ userdom_read_unpriv_users_home_content_files(xdm_t) userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) -ifdef(`strict_policy',` - allow xdm_t xdm_lock_t:file manage_file_perms; - files_lock_filetrans(xdm_t,xdm_lock_t,file) - - manage_dirs_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) - manage_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) - manage_lnk_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) - manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) - manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) - fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) - - manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t) - manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t) - files_var_lib_filetrans(xdm_t,xdm_var_lib_t,file) - - manage_dirs_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t) - manage_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t) - manage_fifo_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t) - files_pid_filetrans(xdm_t,xdm_var_run_t,{ dir file fifo_file }) - - allow xdm_t xdm_xserver_t:process signal; - allow xdm_t xdm_xserver_t:unix_stream_socket connectto; - - allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms; - allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms }; - - # transition to the xdm xserver - domtrans_pattern(xdm_t, xserver_exec_t, xdm_xserver_t) - allow xdm_xserver_t xdm_t:process signal; - allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; - - allow xdm_t xdm_xserver_t:shm rw_shm_perms; - - # connect to xdm xserver over stream socket - stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) - - # Remove /tmp/.X11-unix/X0. 
- delete_files_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t) - delete_sock_files_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t) - - manage_dirs_pattern(xdm_t,xserver_log_t,xserver_log_t) - manage_files_pattern(xdm_t,xserver_log_t,xserver_log_t) - manage_fifo_files_pattern(xdm_t,xserver_log_t,xserver_log_t) - logging_log_filetrans(xdm_t,xserver_log_t,file) - - auth_domtrans_pam_console(xdm_t) - - xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t) - - tunable_policy(`xdm_sysadm_login',` - userdom_xsession_spec_domtrans_all_users(xdm_t) - # FIXME: -# xserver_rw_session_template(xdm,userdomain) - ',` - userdom_xsession_spec_domtrans_unpriv_users(xdm_t) - # FIXME: -# xserver_rw_session_template(xdm,unpriv_userdomain) -# dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write }; -# allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms; - ') - - optional_policy(` - alsa_domtrans(xdm_t) - ') -') +xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t) ifdef(`targeted_policy',` unconfined_domain(xdm_t) @@ -313,6 +289,22 @@ tunable_policy(`use_samba_home_dirs',` fs_exec_cifs_files(xdm_t) ') +tunable_policy(`xdm_sysadm_login',` + userdom_xsession_spec_domtrans_all_users(xdm_t) + # FIXME: +# xserver_rw_session_template(xdm,userdomain) +',` + userdom_xsession_spec_domtrans_unpriv_users(xdm_t) + # FIXME: +# xserver_rw_session_template(xdm,unpriv_userdomain) +# dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write }; +# allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms; +') + +optional_policy(` + alsa_domtrans(xdm_t) +') + optional_policy(` consoletype_exec(xdm_t) ') 
@@ -396,6 +388,14 @@ fs_search_auto_mountpoints(xdm_xserver_t) init_use_fds(xdm_xserver_t) +# FIXME: After per user fonts are properly working +# xdm_xserver_t may no longer have any reason +# to read ROLE_home_t - examine this in more detail +# (xauth?) +userdom_read_unpriv_users_home_content_files(xdm_xserver_t) + +xserver_use_all_users_fonts(xdm_xserver_t) + tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_xserver_t) fs_manage_nfs_files(xdm_xserver_t) @@ -408,16 +408,6 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_symlinks(xdm_xserver_t) ') -ifdef(`strict_policy',` - # FIXME: After per user fonts are properly working - # xdm_xserver_t may no longer have any reason - # to read ROLE_home_t - examine this in more detail - # (xauth?) - userdom_read_unpriv_users_home_content_files(xdm_xserver_t) - - xserver_use_all_users_fonts(xdm_xserver_t) -') - ifdef(`targeted_policy',` unconfined_domain_noaudit(xdm_xserver_t) unconfined_domtrans(xdm_xserver_t) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index d39159e..46a75e9 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -204,6 +204,7 @@ interface(`auth_login_pgm_domain',` mls_file_upgrade($1) mls_file_downgrade($1) mls_process_set_level($1) + mls_fd_share_all_levels($1) auth_domtrans_chk_passwd($1) auth_dontaudit_read_shadow($1) @@ -345,6 +346,11 @@ interface(`auth_domtrans_chk_passwd',` ') optional_policy(` + pcscd_read_pub_files($1) + pcscd_stream_connect($1) + ') + + optional_policy(` samba_stream_connect_winbind($1) ') ') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index f0fa13a..a9c8840 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -1,5 +1,5 @@ -policy_module(authlogin,1.5.0) +policy_module(authlogin,1.5.1) ######################################## # 
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te index 1b4909f..5a75b5b 100644 --- a/policy/modules/system/clock.te +++ b/policy/modules/system/clock.te @@ -1,5 +1,5 @@ -policy_module(clock,1.2.0) +policy_module(clock,1.2.1) ######################################## # @@ -32,8 +32,7 @@ send_audit_msgs_pattern(hwclock_t) allow hwclock_t adjtime_t:file { rw_file_perms setattr }; kernel_read_kernel_sysctls(hwclock_t) -kernel_list_proc(hwclock_t) -kernel_read_proc_symlinks(hwclock_t) +kernel_read_system_state(hwclock_t) corecmd_exec_bin(hwclock_t) corecmd_exec_shell(hwclock_t) diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te index dc0ca89..4f91934 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -1,5 +1,5 @@ -policy_module(fstools,1.5.0) +policy_module(fstools,1.5.1) ######################################## # @@ -9,7 +9,6 @@ policy_module(fstools,1.5.0) type fsadm_t; type fsadm_exec_t; init_system_domain(fsadm_t,fsadm_exec_t) -mls_file_read_up(fsadm_t) role system_r types fsadm_t; type fsadm_log_t; @@ -27,7 +26,7 @@ files_type(swapfile_t) # # ipc_lock is for losetup -allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search }; +allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search }; allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap }; allow fsadm_t self:fd use; allow fsadm_t self:fifo_file rw_file_perms; @@ -53,7 +52,7 @@ manage_files_pattern(fsadm_t,fsadm_log_t,fsadm_log_t) logging_log_filetrans(fsadm_t,fsadm_log_t,file) # Enable swapping to files -allow fsadm_t swapfile_t:file { read write getattr swapon }; +allow fsadm_t swapfile_t:file { rw_file_perms swapon }; kernel_read_system_state(fsadm_t) kernel_read_kernel_sysctls(fsadm_t) 
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te index 96f011a..e59d0d8 100644 --- a/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te @@ -1,5 +1,5 @@ -policy_module(getty,1.2.0) +policy_module(getty,1.2.1) ######################################## # @@ -35,7 +35,8 @@ files_pid_file(getty_var_run_t) # Use capabilities. allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid }; dontaudit getty_t self:capability sys_tty_config; -allow getty_t self:process { getpgid getsession signal_perms }; +allow getty_t self:process { getpgid setpgid getsession signal_perms }; +allow getty_t self:fifo_file rw_fifo_file_perms; read_files_pattern(getty_t,getty_etc_t,getty_etc_t) read_lnk_files_pattern(getty_t,getty_etc_t,getty_etc_t) @@ -80,6 +81,7 @@ auth_rw_login_records(getty_t) corecmd_search_bin(getty_t) corecmd_search_sbin(getty_t) +corecmd_read_bin_symlinks(getty_t) files_rw_generic_pids(getty_t) files_read_etc_runtime_files(getty_t) @@ -131,5 +133,9 @@ optional_policy(` ') optional_policy(` + rhgb_dontaudit_use_ptys(getty_t) +') + +optional_policy(` udev_read_db(getty_t) ') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index a9593c9..32745e7 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,5 +1,5 @@ -policy_module(init,1.5.0) +policy_module(init,1.5.1) gen_require(` class passwd rootok; @@ -431,6 +431,8 @@ ifdef(`distro_redhat',` # this is from kmodule, which should get its own policy: allow initrc_t self:capability sys_admin; + allow initrc_t self:process setfscreate; + # Red Hat systems seem to have a stray # fd open from the initrd kernel_dontaudit_use_fds(initrc_t) @@ -452,6 +454,8 @@ ifdef(`distro_redhat',` # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) + # Needs to cp localtime to /var dirs + files_write_var_dirs(initrc_t) fs_rw_tmpfs_chr_files(initrc_t) 
@@ -462,6 +466,11 @@ ifdef(`distro_redhat',` # readahead asks for these auth_dontaudit_read_shadow(initrc_t) + # init scripts cp /etc/localtime over other directories localtime + miscfiles_rw_localization(initrc_t) + miscfiles_setattr_localization(initrc_t) + miscfiles_relabel_localization(initrc_t) + miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc index f0aa1f1..a850b14 100644 --- a/policy/modules/system/ipsec.fc +++ b/policy/modules/system/ipsec.fc @@ -7,7 +7,7 @@ /etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) -/sbin/setkey -- gen_context(system_u:object_r:ipsec_exec_t,s0) +/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) /usr/lib(64)?/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) /usr/lib(64)?/ipsec/_plutorun -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) @@ -26,8 +26,8 @@ /usr/local/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/local/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) -/usr/sbin/racoon -- gen_context(system_u:object_r:ipsec_exec_t,s0) -/usr/sbin/setkey -- gen_context(system_u:object_r:ipsec_exec_t,s0) +/usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0) +/usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te index eef0989..d796b43 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -1,5 +1,5 @@ -policy_module(ipsec,1.2.0) +policy_module(ipsec,1.2.1) ######################################## # 
@@ -19,6 +19,9 @@ files_type(ipsec_conf_file_t) type ipsec_key_file_t; files_type(ipsec_key_file_t) +# Default type for IPSEC SPD entries +type ipsec_spd_t; + # type for runtime files, including pluto.ctl type ipsec_var_run_t; files_pid_file(ipsec_var_run_t) @@ -35,6 +38,16 @@ files_lock_file(ipsec_mgmt_lock_t) type ipsec_mgmt_var_run_t; files_pid_file(ipsec_mgmt_var_run_t) +type racoon_t; +type racoon_exec_t; +init_daemon_domain(racoon_t,racoon_exec_t) +role system_r types racoon_t; + +type setkey_t; +type setkey_exec_t; +init_system_domain(setkey_t,setkey_exec_t) +role system_r types setkey_t; + ######################################## # # ipsec Local policy 
@@ -265,3 +278,83 @@ file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file) allow ipsec_mgmt_t dev_fs:file_class_set getattr; ') dnl end TODO + +######################################## +# +# Racoon local policy +# + +allow racoon_t self:capability { net_admin net_bind_service }; +allow racoon_t self:netlink_route_socket create_netlink_socket_perms; +allow racoon_t self:unix_dgram_socket { connect create ioctl write }; +allow racoon_t self:netlink_selinux_socket { bind create read }; +allow racoon_t self:udp_socket create_socket_perms; +allow racoon_t self:key_socket { create read setopt write }; + +# manage pid file +manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t) +manage_sock_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t) +files_pid_filetrans(racoon_t,ipsec_var_run_t,file) + +allow racoon_t ipsec_conf_file_t:dir list_dir_perms; +read_files_pattern(racoon_t,ipsec_conf_file_t,ipsec_conf_file_t) +read_lnk_files_pattern(racoon_t,ipsec_conf_file_t,ipsec_conf_file_t) + +allow racoon_t ipsec_key_file_t:dir list_dir_perms; +read_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t) +read_lnk_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t) + +allow racoon_t ipsec_spd_t:association setcontext; + +kernel_read_network_state(racoon_t) + +corenet_non_ipsec_sendrecv(racoon_t) +corenet_tcp_bind_all_nodes(racoon_t) +corenet_udp_bind_isakmp_port(racoon_t) + +dev_read_urand(racoon_t) + +# allow racoon to set contexts on ipsec policy and SAs +domain_ipsec_setcontext_all_domains(racoon_t) + +files_read_etc_files(racoon_t) + +# allow racoon to use avc_has_perm to check context on proposed SA +selinux_compute_access_vector(racoon_t) + +libs_use_ld_so(racoon_t) +libs_use_shared_libs(racoon_t) + +locallogin_use_fds(racoon_t) + +logging_send_syslog_msg(racoon_t) + +miscfiles_read_localization(racoon_t) + +seutil_read_config(setkey_t) + +######################################## +# +# Setkey local policy +# + +allow setkey_t 
self:capability net_admin; +allow setkey_t self:key_socket { create read setopt write }; +allow setkey_t self:netlink_route_socket create_netlink_socket_perms; + +# allow setkey to set the context for ipsec SAs and policy. +allow setkey_t ipsec_spd_t:association setcontext; + +# allow setkey utility to set contexts on SA's and policy +domain_ipsec_setcontext_all_domains(setkey_t) + +files_read_etc_files(setkey_t) + +locallogin_use_fds(setkey_t) + +libs_use_ld_so(setkey_t) +libs_use_shared_libs(setkey_t) + +miscfiles_read_localization(setkey_t) + +seutil_read_config(setkey_t) diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te index bd5d181..cc40dcb 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -1,5 +1,5 @@ -policy_module(iptables,1.2.0) +policy_module(iptables,1.2.1) ######################################## # @@ -97,6 +97,10 @@ optional_policy(` ') optional_policy(` + nscd_socket_use(iptables_t) +') + +optional_policy(` ppp_dontaudit_use_fds(iptables_t) ') diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc index 4a4b470..f7e2c00 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -79,6 +79,7 @@ ifdef(`distro_gentoo',` /opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:shlib_t,s0) /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:shlib_t,s0) +/opt/ibm/java2-ppc64-50/jre/bin/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ifdef(`distro_gentoo',` # despite the extensions, they are actually libs 
@@ -242,6 +243,7 @@ ifdef(`distro_redhat',` /usr/lib(64)?/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) # Flash plugin, Macromedia +HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -254,6 +256,8 @@ HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_ /usr/lib(64)?/libdivxdecore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libdivxencore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + # vmware /usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te index 1c1d33f..3d763c7 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -1,5 +1,5 @@ -policy_module(libraries,1.5.0) +policy_module(libraries,1.5.1) ######################################## # diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 34f5789..74aeece 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -1,5 +1,5 @@ -policy_module(logging,1.5.0) +policy_module(logging,1.5.1) ######################################## # 
@@ -320,6 +320,13 @@ corenet_udp_sendrecv_all_nodes(syslogd_t) corenet_udp_sendrecv_all_ports(syslogd_t) corenet_udp_bind_all_nodes(syslogd_t) corenet_udp_bind_syslogd_port(syslogd_t) +# syslog-ng can listen and connect on tcp port 514 (rsh) +corenet_tcp_sendrecv_all_if(syslogd_t) +corenet_tcp_sendrecv_all_nodes(syslogd_t) +corenet_tcp_sendrecv_all_ports(syslogd_t) +corenet_tcp_bind_rsh_port(syslogd_t) +corenet_tcp_connect_rsh_port(syslogd_t) + # syslog-ng can send or receive logs corenet_sendrecv_syslogd_client_packets(syslogd_t) corenet_sendrecv_syslogd_server_packets(syslogd_t) diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te index ea2ed51..360df31 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -1,5 +1,5 @@ -policy_module(lvm,1.5.0) +policy_module(lvm,1.5.1) ######################################## # @@ -44,6 +44,7 @@ files_tmp_file(lvm_tmp_t) # Cluster LVM daemon local policy # +allow clvmd_t self:capability { sys_admin mknod }; dontaudit clvmd_t self:capability sys_tty_config; allow clvmd_t self:process signal_perms; allow clvmd_t self:socket create_socket_perms; @@ -62,9 +63,11 @@ kernel_read_system_state(clvmd_t) kernel_list_proc(clvmd_t) kernel_read_proc_symlinks(clvmd_t) kernel_search_debugfs(clvmd_t) +kernel_dontaudit_getattr_core_if(clvmd_t) corecmd_exec_shell(clvmd_t) corecmd_read_bin_symlinks(clvmd_t) +corecmd_getattr_sbin_files(clvmd_t) corecmd_read_sbin_symlinks(clvmd_t) corenet_non_ipsec_sendrecv(clvmd_t) @@ -83,12 +86,18 @@ corenet_sendrecv_generic_server_packets(clvmd_t) dev_read_sysfs(clvmd_t) dev_manage_generic_chr_files(clvmd_t) +dev_rw_lvm_control(clvmd_t) +dev_dontaudit_getattr_all_blk_files(clvmd_t) +dev_dontaudit_getattr_all_chr_files(clvmd_t) files_read_etc_files(clvmd_t) files_list_usr(clvmd_t) fs_getattr_all_fs(clvmd_t) fs_search_auto_mountpoints(clvmd_t) +fs_dontaudit_list_tmpfs(clvmd_t) + +storage_dontaudit_getattr_removable_dev(clvmd_t) term_dontaudit_use_console(clvmd_t) 
@@ -128,6 +137,10 @@ optional_policy(` ') optional_policy(` + gpm_dontaudit_getattr_gpmctl(clvmd_t) +') + +optional_policy(` nis_use_ypbind(clvmd_t) ') @@ -157,6 +170,8 @@ allow lvm_t self:fifo_file rw_file_perms; allow lvm_t self:unix_dgram_socket create_socket_perms; allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms; +allow lvm_t clvmd_t:unix_stream_socket connectto; + manage_dirs_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t) manage_files_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t) files_tmp_filetrans(lvm_t, lvm_tmp_t, { file dir }) @@ -228,6 +243,7 @@ fs_search_auto_mountpoints(lvm_t) fs_list_tmpfs(lvm_t) fs_read_tmpfs_symlinks(lvm_t) fs_dontaudit_read_removable_files(lvm_t) +fs_dontaudit_getattr_tmpfs_files(lvm_t) storage_relabel_fixed_disk(lvm_t) storage_dontaudit_read_removable_device(lvm_t) @@ -240,8 +256,8 @@ storage_dev_filetrans_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? storage_manage_fixed_disk(lvm_t) -term_dontaudit_getattr_all_user_ttys(lvm_t) -term_dontaudit_getattr_pty_dirs(lvm_t) +term_getattr_all_user_ttys(lvm_t) +term_list_ptys(lvm_t) corecmd_exec_sbin(lvm_t) @@ -274,8 +290,8 @@ ifdef(`distro_redhat',` ') ifdef(`targeted_policy', ` - term_dontaudit_use_unallocated_ttys(lvm_t) - term_dontaudit_use_generic_ptys(lvm_t) + term_use_unallocated_ttys(lvm_t) + term_use_generic_ptys(lvm_t) files_dontaudit_read_root_files(lvm_t) ') diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if index 276ad3c..cf640b6 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if 
@@ -93,6 +93,26 @@ interface(`miscfiles_read_hwdata',` ######################################## ## +## Allow process to setattr localization info +## +## +## +## Domain allowed access. +## +## +# +interface(`miscfiles_setattr_localization',` + gen_require(` + type locale_t; + ') + + files_search_usr($1) + allow $1 locale_t:dir list_dir_perms; + allow $1 locale_t:file setattr; +') + +######################################## +## ## Allow process to read localization info ## ## @@ -138,6 +158,25 @@ interface(`miscfiles_rw_localization',` ######################################## ## +## Allow process to relabel localization info +## +## +## +## Domain allowed access. +## +## +# +interface(`miscfiles_relabel_localization',` + gen_require(` + type locale_t; + ') + + files_search_usr($1) + relabel_files_pattern($1,locale_t,locale_t) +') + +######################################## +## ## Allow process to read legacy time localization info ## ## @@ -387,3 +426,44 @@ interface(`miscfiles_exec_test_files',` exec_files_pattern($1,test_file_t,test_file_t) read_lnk_files_pattern($1,test_file_t,test_file_t) ') + +######################################## +## +## Execute test files. +## +## +## +## Domain allowed access. +## +## +# +interface(`miscfiles_etc_filetrans_localization',` + gen_require(` + type locale_t; + ') + + files_etc_filetrans($1, locale_t, file) + +') + +######################################## +## +## Create, read, write, and delete localization +## +## +## +## Domain allowed access. +## +## +## +# +interface(`miscfiles_manage_localization',` + gen_require(` + type locale_t; + ') + + manage_dirs_pattern($1,locale_t,locale_t) + manage_files_pattern($1,locale_t,locale_t) + manage_lnk_files_pattern($1,locale_t,locale_t) +') + diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te index 38f9861..afd7d9a 100644 --- a/policy/modules/system/miscfiles.te +++ b/policy/modules/system/miscfiles.te 
@@ -1,5 +1,5 @@ -policy_module(miscfiles,1.2.0) +policy_module(miscfiles,1.2.1) ######################################## # diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te index 81e2f20..3236e4f 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -1,5 +1,5 @@ -policy_module(modutils,1.2.0) +policy_module(modutils,1.2.1) gen_require(` bool secure_mode_insmod; @@ -117,10 +117,6 @@ if( ! secure_mode_insmod ) { kernel_domtrans_to(insmod_t,insmod_exec_t) } -ifdef(`hide_broken_symptoms',` - dev_dontaudit_rw_cardmgr(insmod_t) -') - ifdef(`targeted_policy',` unconfined_domain(insmod_t) ') @@ -145,6 +141,11 @@ optional_policy(` fs_manage_ramfs_files(insmod_t) rhgb_use_fds(insmod_t) + rhgb_dontaudit_use_ptys(insmod_t) + + xserver_dontaudit_write_log(insmod_t) + xserver_stream_connect_xdm_xserver(insmod_t) + xserver_dontaudit_rw_xdm_stream_sockets(insmod_t) ifdef(`hide_broken_symptoms',` xserver_dontaudit_rw_xdm_xserver_tcp_sockets(insmod_t) diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 639a6f6..7f859e9 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -1,5 +1,5 @@ -policy_module(selinuxutil,1.4.0) +policy_module(selinuxutil,1.4.1) ifdef(`strict_policy',` gen_require(` @@ -292,6 +292,7 @@ domain_sigchld_interactive_fds(newrole_t) # Write to utmp. init_rw_utmp(newrole_t) +init_use_fds(newrole_t) files_read_etc_files(newrole_t) files_read_var_files(newrole_t) @@ -307,6 +308,7 @@ miscfiles_read_localization(newrole_t) userdom_use_unpriv_users_fds(newrole_t) # for some PAM modules and for cwd userdom_dontaudit_search_all_users_home_content(newrole_t) +userdom_search_all_users_home_dirs(newrole_t) ifdef(`strict_policy',` # if secure mode is enabled, then newrole 
@@ -318,6 +320,10 @@ ifdef(`strict_policy',` } ') +tunable_policy(`allow_polyinstantiation',` + files_polyinstantiate_all(newrole_t) +') + optional_policy(` nis_use_ypbind(newrole_t) ') @@ -409,6 +415,11 @@ ifdef(`hide_broken_symptoms',` optional_policy(` udev_dontaudit_rw_dgram_sockets(restorecon_t) ') + + optional_policy(` + unconfined_dontaudit_rw_pipes(restorecon_t) + unconfined_dontaudit_rw_tcp_sockets(restorecon_t) + ') ') optional_policy(` @@ -669,6 +680,7 @@ auth_relabelto_shadow(setfiles_t) init_use_fds(setfiles_t) init_use_script_fds(setfiles_t) init_use_script_ptys(setfiles_t) +init_exec_script_files(setfiles_t) domain_use_interactive_fds(setfiles_t) @@ -688,3 +700,10 @@ miscfiles_read_localization(setfiles_t) userdom_use_all_users_fds(setfiles_t) # for config files in a home directory userdom_read_all_users_home_content_files(setfiles_t) + +ifdef(`hide_broken_symptoms',` + # cjp: cover up stray file descriptors. + optional_policy(` + unconfined_dontaudit_read_pipes(setfiles_t) + ') +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index 8161430..26cca2b 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -1,5 +1,5 @@ -policy_module(sysnetwork,1.2.0) +policy_module(sysnetwork,1.2.1) ######################################## # @@ -326,6 +326,10 @@ ifdef(`hide_broken_symptoms',` ifdef(`targeted_policy',` term_use_generic_ptys(ifconfig_t) term_use_unallocated_ttys(ifconfig_t) + + optional_policy(` + unconfined_dontaudit_read_pipes(ifconfig_t) + ') ') optional_policy(` diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc index b772df3..5d9bb3b 100644 --- a/policy/modules/system/unconfined.fc +++ b/policy/modules/system/unconfined.fc 
@@ -6,6 +6,7 @@ ifdef(`targeted_policy',` /usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/bin/qemu.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) /usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) /usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) /usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if index 2c7c721..816c263 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if @@ -31,6 +31,7 @@ interface(`unconfined_domain_noaudit',` allow $1 self:nscd *; allow $1 self:dbus *; allow $1 self:passwd *; + allow $1 self:association *; kernel_unconfined($1) corenet_unconfined($1) diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index c18d90e..19df0fb 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -1,5 +1,5 @@ -policy_module(unconfined,1.5.0) +policy_module(unconfined,1.5.1) ######################################## # @@ -63,6 +63,10 @@ ifdef(`targeted_policy',` ') optional_policy(` + bootloader_domtrans(unconfined_t) + ') + + optional_policy(` init_dbus_chat_script(unconfined_t) dbus_stub(unconfined_t) @@ -162,6 +166,10 @@ ifdef(`targeted_policy',` ') optional_policy(` + tzdata_domtrans(unconfined_t) + ') + + optional_policy(` usermanage_domtrans_admin_passwd(unconfined_t) ') diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc index a7146d8..ebb37c5 100644 --- a/policy/modules/system/userdomain.fc +++ b/policy/modules/system/userdomain.fc 
@@ -1,11 +1,4 @@ -ifdef(`strict_policy',` HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0) /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) -') - -ifdef(`targeted_policy',` -HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0) -HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) -') diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 0f1edf6..2361425 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -102,6 +102,9 @@ template(`userdom_base_user_template',` libs_exec_ld_so($1_t) miscfiles_read_localization($1_t) + miscfiles_read_certs($1_t) + + sysnet_read_config($1_t) tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. @@ -154,6 +157,7 @@ template(`userdom_ro_home_template',` files_mountpoint($1_home_dir_t) files_associate_tmp($1_home_dir_t) fs_associate_tmpfs($1_home_dir_t) + files_poly_member($1_home_dir_t) ############################## # @@ -337,12 +341,11 @@ template(`userdom_exec_home_template',` ## # template(`userdom_poly_home_template',` - ifdef(`enable_polyinstantiation',` - type_member $1_t $1_home_dir_t:dir $1_home_t; - - files_poly($1_home_dir_t) - files_poly_member($1_home_t) - ') + type_member $1_t $1_home_dir_t:dir $1_home_dir_t; + files_poly($1_home_dir_t) + files_poly_parent($1_home_dir_t) + files_poly_parent($1_home_t) + files_poly_member($1_home_t) ') ####################################### @@ -409,9 +412,7 @@ template(`userdom_exec_tmp_template',` ## # template(`userdom_poly_tmp_template',` - ifdef(`enable_polyinstantiation',` - files_poly_member_tmp($1_t,$1_tmp_t) - ') + files_poly_member_tmp($1_t,tmp_t) ') ####################################### 
@@ -593,6 +594,8 @@ template(`userdom_xwindows_client_template',` xserver_read_xdm_pid($1_t) # gnome-session creates socket under /tmp/.ICE-unix/ xserver_create_xdm_tmp_sockets($1_t) + # Needed for escd, remove if we get escd policy + xserver_manage_xdm_tmp_files($1_t) ') ') @@ -727,6 +730,8 @@ template(`userdom_common_user_template',` dev_write_sound_mixer($1_t) domain_use_interactive_fds($1_t) + # Command completion can fire hundreds of denials + domain_dontaudit_exec_all_entry_files($1_t) files_exec_etc_files($1_t) files_search_locks($1_t) @@ -784,6 +789,8 @@ template(`userdom_common_user_template',` seutil_read_default_contexts($1_t) seutil_read_config($1_t) seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) + seutil_exec_checkpolicy($1_t) + seutil_exec_setfiles($1_t) # for when the network connection is killed # this is needed when a login role can change # to this one. @@ -809,6 +816,10 @@ template(`userdom_common_user_template',` ') optional_policy(` + alsa_read_rw_config($1_t) + ') + + optional_policy(` # Allow graphical boot to check battery lifespan apm_stream_connect($1_t) ') @@ -818,10 +829,12 @@ template(`userdom_common_user_template',` ') optional_policy(` + cups_stream_connect($1_t) cups_stream_connect_ptal($1_t) ') optional_policy(` + allow $1_t self:dbus send_msg; dbus_system_bus_client_template($1,$1_t) optional_policy(` @@ -829,6 +842,11 @@ template(`userdom_common_user_template',` ') optional_policy(` + evolution_dbus_chat($1,$1_t) + evolution_alarm_dbus_chat($1,$1_t) + ') + + optional_policy(` cups_dbus_chat_config($1_t) ') @@ -852,6 +870,10 @@ template(`userdom_common_user_template',` inn_read_news_spool($1_t) ') + optional_policy(` + locate_read_lib_files($1_t) + ') + # for running depmod as part of the kernel packaging process optional_policy(` modutils_read_module_config($1_t) 
@@ -881,6 +903,11 @@ template(`userdom_common_user_template',` ') optional_policy(` + pcscd_read_pub_files($1_t) + pcscd_stream_connect($1_t) + ') + + optional_policy(` quota_dontaudit_getattr_db($1_t) ') @@ -1025,6 +1052,10 @@ template(`userdom_unpriv_user_template', ` ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) ') + optional_policy(` + setroubleshoot_stream_connect($1_t) + ') + ifdef(`TODO',` ifdef(`xdm.te', ` # this should cause the .xsession-errors file to be written to /tmp @@ -1212,14 +1243,106 @@ template(`userdom_admin_user_template',` mta_admin_template($1,$1_t,$1_r) ') - ifdef(`TODO',` - ifdef(`xserver.te', ` - tunable_policy(`xdm_sysadm_login',` - allow xdm_t $1_home_t:lnk_file read; - allow xdm_t $1_home_t:dir search; - ') + optional_policy(` + userhelper_exec($1_t) + ') +') + +######################################## +## +## Allow user to run as a secadm +## +## +##

+## Create objects in a user home directory +## with an automatic type transition to +## a specified private type. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +## +## +## The role of the object to create. +## +## +## +## +## The terminal +## +## +# +template(`userdom_security_admin_template',` + allow $1 self:capability { dac_read_search dac_override }; + + corecmd_exec_shell($1) + + domain_obj_id_change_exemption($1) + + dev_relabel_all_dev_nodes($1) + + files_create_boot_flag($1) + + # Necessary for managing /boot/efi + fs_manage_dos_files($1) + + mls_process_read_up($1) + mls_file_read_up($1) + mls_file_upgrade($1) + mls_file_downgrade($1) + + selinux_set_enforce_mode($1) + selinux_set_boolean($1) + selinux_set_parameters($1) + + auth_relabel_all_files_except_shadow($1) + auth_relabel_shadow($1) + + init_exec($1) + + logging_send_syslog_msg($1) + logging_read_audit_log($1) + logging_read_generic_logs($1) + logging_read_audit_config($1) + + seutil_manage_bin_policy($1) + seutil_run_checkpolicy($1,$2,$3) + seutil_run_loadpolicy($1,$2,$3) + seutil_run_semanage($1,$2,$3) + seutil_run_setfiles($1, $2, $3) + seutil_run_restorecon($1,$2,$3) + + userdom_dontaudit_append_staff_home_content_files($1) + userdom_dontaudit_read_sysadm_home_content_files($1) + + optional_policy(` + aide_run($1,$2, $3) + ') + + optional_policy(` + consoletype_exec($1) + ') + + optional_policy(` + dmesg_exec($1) + ') + + optional_policy(` + netlabel_run_mgmt($1,$2, $3) ') - ') dnl endif TODO ') ######################################## @@ -2293,6 +2416,55 @@ template(`userdom_user_home_dir_filetrans',` ## ## Create objects in a user home directory ## with an automatic type transition to +## a specified private type. +## +## +##

+## Create objects in a user home directory +## with an automatic type transition to +## a specified private type. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to create. +## +## +## +## +## The class of the object to be created. If not +## specified, file is used. +## +## +# +template(`userdom_user_home_content_filetrans',` + gen_require(` + type $1_home_t; + ') + + files_search_home($2) + filetrans_pattern($2,$1_home_t,$3,$4) +') + +######################################## +## +## Create objects in a user home directory +## with an automatic type transition to ## the user home file type. ## ## @@ -3128,6 +3300,39 @@ template(`userdom_manage_user_untrusted_content_files',` ######################################## ## +## Manage user untrusted tmp files. +## +## +##

+## Create, read, write, and delete untrusted tmp files. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## Domain allowed access. +## +## +# +template(`userdom_manage_user_untrusted_content_tmp_files',` + gen_require(` + type $1_untrusted_content_tmp_t; + ') + + manage_files_pattern($2,$1_untrusted_content_tmp_t,$1_untrusted_content_tmp_t) +') + +######################################## +## ## Do not audit attempts to read users ## untrusted files. ## diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index f2af46e..1e5a0b4 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -1,5 +1,5 @@ -policy_module(userdomain,2.1.0) +policy_module(userdomain,2.1.1) gen_require(` role sysadm_r, staff_r, user_r; @@ -68,6 +68,7 @@ ifdef(`strict_policy',` # only staff_r can change to sysadm_r userdom_role_change_template(staff, sysadm) + dontaudit staff_t admin_terminal:chr_file { read write }; ifdef(`enable_mls',` userdom_unpriv_user_template(secadm) @@ -187,6 +188,14 @@ ifdef(`strict_policy',` ') optional_policy(` + tzdata_domtrans(sysadm_t) + ') + + optional_policy(` + raid_domtrans_mdadm(sysadm_t) + ') + + optional_policy(` # cjp: why is this not apm_run_client apm_domtrans_client(sysadm_t) ') @@ -235,7 +244,6 @@ ifdef(`strict_policy',` consoletype_exec(sysadm_t) ifdef(`enable_mls',` - consoletype_exec(secadm_t) consoletype_exec(auditadm_t) ') ') @@ -254,7 +262,6 @@ ifdef(`strict_policy',` dmesg_exec(sysadm_t) ifdef(`enable_mls',` - dmesg_exec(secadm_t) dmesg_exec(auditadm_t) ') ') 
@@ -389,27 +396,9 @@ ifdef(`strict_policy',` seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal) ifdef(`enable_mls',` - selinux_set_enforce_mode(secadm_t) - selinux_set_boolean(secadm_t) - selinux_set_parameters(secadm_t) - - seutil_manage_bin_policy(secadm_t) - seutil_run_checkpolicy(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t }) - seutil_run_loadpolicy(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t }) - seutil_run_semanage(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t }) - seutil_run_setfiles(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t }) - seutil_run_restorecon(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t }) - logging_send_syslog_msg(secadm_t) + userdom_security_admin_template(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t }) ', ` - selinux_set_enforce_mode(sysadm_t) - selinux_set_boolean(sysadm_t) - selinux_set_parameters(sysadm_t) - - seutil_manage_bin_policy(sysadm_t) - seutil_run_checkpolicy(sysadm_t,sysadm_r,admin_terminal) - seutil_run_loadpolicy(sysadm_t,sysadm_r,admin_terminal) - seutil_run_semanage(sysadm_t,sysadm_r,admin_terminal) - seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal) + userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal) ') ')
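Review bot: In the Racoon local policy block of ipsec.te, `seutil_read_config(setkey_t)` names the wrong domain: every other line in that block is for racoon_t, and the identical call already appears in the Setkey block below, so this should read `seutil_read_config(racoon_t)`. In the same block, `corenet_tcp_bind_all_nodes(racoon_t)` sits next to `corenet_udp_bind_isakmp_port(racoon_t)` while only `self:udp_socket` is granted; racoon binds ISAKMP over UDP, so the node binding should be the udp variant (or both, with a comment explaining the TCP use).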
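Review bot: In the logging.te hunk, `corenet_tcp_sendrecv_all_ports(syslogd_t)` is broader than its own comment justifies: the comment says syslog-ng uses tcp port 514, and the bind and connect calls are already port-specific (`corenet_tcp_bind_rsh_port(syslogd_t)`, `corenet_tcp_connect_rsh_port(syslogd_t)`). Narrow the sendrecv to that port as well, and since these five lines open a network log listener plus an outbound connection for every syslogd_t installation, consider gating them behind a tunable instead of granting them unconditionally.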
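Review bot: The lvm.te hunk turns several dontaudit rules into allows (`term_getattr_all_user_ttys(lvm_t)`, `term_list_ptys(lvm_t)`, and under targeted_policy `term_use_unallocated_ttys(lvm_t)` / `term_use_generic_ptys(lvm_t)`) and adds `allow clvmd_t self:capability { sys_admin mknod };` without a comment. Silencing a denial and granting the access are different decisions; say which lvm operation actually needs tty and pty access and what clvmd does with sys_admin, or keep these as dontaudit.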
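Review bot: In the libraries.fc hunk the new M2Crypto entry leaves its dots unescaped: `/usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto.so`. The neighbouring entries write `\.so`, and an unescaped `.` matches any character, so this should be `python2\.4` and `__m2crypto\.so` so the regex matches only the intended file.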
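Review bot: The summary on `miscfiles_etc_filetrans_localization` reads "Execute test files.", copied from the preceding `miscfiles_exec_test_files` block; it should describe the real effect, a type transition to locale_t for files created in /etc. Drop the stray blank line before that interface's closing `')` as well, and since `miscfiles_relabel_localization` only uses `relabel_files_pattern` while `miscfiles_manage_localization` covers dirs, files and links, say whether relabeling directories under locale_t is intentionally excluded.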
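Review bot: `/usr/bin/qemu.*` in the unconfined.fc hunk labels every binary whose name starts with qemu as unconfined_execmem_exec_t, including helper tools that do not need executable memory. Because this label exempts a program from the execmem restriction, prefer an explicit list of the emulator binaries or a tighter pattern than `.*`.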
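Review bot: In the modutils.te hunk, `xserver_stream_connect_xdm_xserver(insmod_t)` grants the module loader a real connection to the X server socket while the surrounding additions (`rhgb_dontaudit_use_ptys`, `xserver_dontaudit_write_log`, `xserver_dontaudit_rw_xdm_stream_sockets`) only silence noise. If this is about descriptors inherited from rhgb it belongs with the existing `hide_broken_symptoms` block; otherwise add a comment explaining why insmod needs to connect to the X server.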
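Review bot: The userdomain.fc hunk drops the `targeted_policy` branch, so targeted builds now get the `ROLE_home_dir_t` / `ROLE_home_t` entries with the `s0-mls_systemhigh` range instead of `user_home_dir_t` / `user_home_t`. Confirm that the targeted build substitutes ROLE in file contexts (otherwise home directories end up without a usable label) and call out this labeling change explicitly rather than folding it into a batch of unrelated fixes.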
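Review bot: `userdom_poly_home_template` and `userdom_poly_tmp_template` lose their `enable_polyinstantiation` guard, so the type_member and files_poly* rules are now built into every user domain unconditionally; at the same time the home member type changes from $1_home_t to $1_home_dir_t (`type_member $1_t $1_home_dir_t:dir $1_home_dir_t;`) and the tmp template passes the global `tmp_t` instead of `$1_tmp_t`. These are behaviour changes, not cleanups: state the intended label of polyinstantiated home and tmp members, and keep the build-time guard unless its removal is deliberate (the runtime `allow_polyinstantiation` tunable added for newrole_t in selinuxutil.te does not cover these rules).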
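Review bot: The doc block for `userdom_security_admin_template` is copied from a home-directory filetrans interface ("Create objects in a user home directory ...", parameters described as a domain prefix, "The role of the object to create" and "The terminal"), but the template is invoked as `userdom_security_admin_template(secadm_t,secadm_r,admin_terminal)`, i.e. domain, role, terminal type. Rewrite the summary and parameter descriptions to match what is passed, and fix the inconsistent argument spacing (`aide_run($1,$2, $3)`, `seutil_run_setfiles($1, $2, $3)`, `netlabel_run_mgmt($1,$2, $3)`).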
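Review bot: The userdomain.te hunk reads as a pure refactor, but the template it substitutes grants far more than the lines it removes. In the non-MLS branch sysadm_t previously had the `selinux_set_*` and `seutil_run_*` calls; `userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal)` additionally gives it `auth_relabel_shadow`, `dev_relabel_all_dev_nodes`, `mls_file_upgrade` / `mls_file_downgrade`, `init_exec`, `files_create_boot_flag`, `fs_manage_dos_files`, `logging_read_audit_log` and the dac_override / dac_read_search capabilities, and the secadm_t branch gains the same set. Each of these is a privilege change for an administrative role and should be listed and justified individually, and the hard-coded `userdom_dontaudit_append_staff_home_content_files` / `userdom_dontaudit_read_sysadm_home_content_files` calls tie the template to those two domains, which a generic template should not do.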
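Review bot: `userdom_user_home_content_filetrans` documents its fourth parameter as optional ("If not specified, file is used") but passes `$4` straight through in `filetrans_pattern($2,$1_home_t,$3,$4)`. Check that filetrans_pattern actually supplies that default; if it does not, an omitted class yields a malformed type_transition and the doc should state that the class is required.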