diff --git a/refpolicy/policy/modules/admin/amanda.te b/refpolicy/policy/modules/admin/amanda.te
index 39d9f79..cb0cb3b 100644
--- a/refpolicy/policy/modules/admin/amanda.te
+++ b/refpolicy/policy/modules/admin/amanda.te
@@ -201,7 +201,7 @@ allow amanda_recover_t amanda_recover_dir_t:file create_file_perms;
allow amanda_recover_t amanda_recover_dir_t:lnk_file create_lnk_perms;
allow amanda_recover_t amanda_recover_dir_t:sock_file create_file_perms;
allow amanda_recover_t amanda_recover_dir_t:fifo_file create_file_perms;
-userdom_create_sysadm_home(amanda_recover_t,amanda_recover_dir_t,{ file lnk_file sock_file fifo_file })
+userdom_create_sysadm_home(amanda_recover_t,amanda_recover_dir_t,{ dir file lnk_file sock_file fifo_file })
allow amanda_recover_t amanda_tmp_t:dir create_dir_perms;
allow amanda_recover_t amanda_tmp_t:file create_file_perms;
diff --git a/refpolicy/policy/modules/admin/anaconda.te b/refpolicy/policy/modules/admin/anaconda.te
index b988381..a07668f 100644
--- a/refpolicy/policy/modules/admin/anaconda.te
+++ b/refpolicy/policy/modules/admin/anaconda.te
@@ -35,6 +35,10 @@ optional_policy(`dmesg.te',`
dmesg_domtrans(anaconda_t)
')
+optional_policy(`kudzu.te',`
+ kudzu_domtrans(anaconda_t)
+')
+
optional_policy(`rpm.te',`
rpm_domtrans(anaconda_t)
')
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index 19295dd..b5ab0c6 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -41,6 +41,7 @@ kernel_dontaudit_read_system_state(consoletype_t)
fs_getattr_all_fs(consoletype_t)
fs_search_auto_mountpoints(consoletype_t)
+fs_write_nfs_files(consoletype_t)
term_use_console(consoletype_t)
term_use_unallocated_tty(consoletype_t)
@@ -48,6 +49,7 @@ term_use_unallocated_tty(consoletype_t)
init_use_fd(consoletype_t)
init_use_script_pty(consoletype_t)
init_use_script_fd(consoletype_t)
+init_write_script_pipe(consoletype_t)
domain_use_wide_inherit_fd(consoletype_t)
@@ -107,8 +109,6 @@ optional_policy(`userdomain.te',`
')
ifdef(`TODO',`
-allow consoletype_t nfs_t:file write;
-
optional_policy(`xdm.te', `
allow consoletype_t xdm_tmp_t:file rw_file_perms;
')
diff --git a/refpolicy/policy/modules/admin/kudzu.te b/refpolicy/policy/modules/admin/kudzu.te
index 31691cd..957965b 100644
--- a/refpolicy/policy/modules/admin/kudzu.te
+++ b/refpolicy/policy/modules/admin/kudzu.te
@@ -155,9 +155,6 @@ allow kudzu_t modules_conf_t:file unlink;
optional_policy(`rhgb.te',`
rhgb_domain(kudzu_t)
')
-optional_policy(`anaconda.te', `
- domain_auto_trans(anaconda_t, kudzu_exec_t, kudzu_t)
-')
optional_policy(`lpd.te',`
allow kudzu_t printconf_t:file { getattr read };
')
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index b7fd8de..cca5d2c 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -56,7 +56,10 @@ template(`su_restricted_domain_template', `
domain_use_wide_inherit_fd($1_su_t)
files_read_etc_files($1_su_t)
+ files_search_var_lib($1_su_t)
+ init_dontaudit_use_fd($1_su_t)
+ init_dontaudit_use_script_pty($1_su_t)
# Write to utmp.
init_rw_script_pid($1_su_t)
@@ -73,7 +76,7 @@ template(`su_restricted_domain_template', `
# Only allow transitions to unprivileged user domains.
userdom_spec_domtrans_unpriv_users($1_su_t)
- optional_policy(`crond.te',`
+ optional_policy(`cron.te',`
cron_read_pipe($1_su_t)
')
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index fb77e18..b12829c 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -68,6 +68,7 @@ allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit exe
allow chfn_t self:process { setrlimit setfscreate };
allow chfn_t self:fd use;
allow chfn_t self:fifo_file rw_file_perms;
+allow chfn_t self:sock_file r_file_perms;
allow chfn_t self:shm create_shm_perms;
allow chfn_t self:sem create_sem_perms;
allow chfn_t self:msgq create_msgq_perms;
@@ -102,6 +103,8 @@ auth_dontaudit_read_shadow(chfn_t)
# can exec /sbin/unix_chkpwd
corecmd_search_bin(chfn_t)
corecmd_search_sbin(chfn_t)
+# allow checking if a shell is executable
+corecmd_check_exec_shell(chfn_t)
domain_use_wide_inherit_fd(chfn_t)
@@ -134,9 +137,6 @@ optional_policy(`nis.te',`
ifdef(`TODO',`
ifdef(`gnome-pty-helper.te', `allow chfn_t gphdomain:fd use;')
-
-# allow checking if a shell is executable
-allow chfn_t shell_exec_t:file execute;
') dnl endif TODO
########################################
@@ -310,9 +310,8 @@ term_use_all_user_ptys(passwd_t)
auth_manage_shadow(passwd_t)
-# /usr/bin/passwd asks for w access to utmp, but it will operate
-# correctly without it. Do not audit write denials to utmp.
-init_dontaudit_rw_script_pid(passwd_t)
+# allow checking if a shell is executable
+corecmd_check_exec_shell(passwd_t)
domain_use_wide_inherit_fd(passwd_t)
@@ -321,6 +320,10 @@ files_manage_etc_files(passwd_t)
files_search_var(passwd_t)
files_dontaudit_search_pids(passwd_t)
+# /usr/bin/passwd asks for w access to utmp, but it will operate
+# correctly without it. Do not audit write denials to utmp.
+init_dontaudit_rw_script_pid(passwd_t)
+
libs_use_ld_so(passwd_t)
libs_use_shared_libs(passwd_t)
@@ -346,9 +349,6 @@ allow passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
# Inherit and use descriptors from login.
ifdef(`gnome-pty-helper.te', `allow passwd_t gphdomain:fd use;')
-# allow checking if a shell is executable
-allow passwd_t shell_exec_t:file execute;
-
# make sure that getcon succeeds
allow passwd_t userdomain:dir search;
allow passwd_t userdomain:file read;
@@ -365,6 +365,7 @@ allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setr
allow sysadm_passwd_t self:process { setrlimit setfscreate };
allow sysadm_passwd_t self:fd use;
allow sysadm_passwd_t self:fifo_file rw_file_perms;
+allow sysadm_passwd_t self:sock_file r_file_perms;
allow sysadm_passwd_t self:unix_dgram_socket create_socket_perms;
allow sysadm_passwd_t self:unix_stream_socket create_stream_socket_perms;
allow sysadm_passwd_t self:unix_dgram_socket sendto;
@@ -403,6 +404,7 @@ term_use_all_user_ptys(sysadm_passwd_t)
auth_manage_shadow(sysadm_passwd_t)
# allow vipw to exec the editor
+corecmd_search_sbin(sysadm_passwd_t)
corecmd_exec_bin(sysadm_passwd_t)
corecmd_exec_shell(sysadm_passwd_t)
files_read_usr_files(sysadm_passwd_t)
diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if
index 83e3fb6..e620283 100644
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ b/refpolicy/policy/modules/kernel/bootloader.if
@@ -164,6 +164,9 @@ interface(`bootloader_read_kernel_symbol_table',`
allow $1 boot_t:dir r_dir_perms;
allow $1 system_map_t:file r_file_perms;
+
+ # cjp: this should be dropped:
+ allow $1 boot_t:file { getattr read };
')
########################################
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index c1b5862..4a7ce1b 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -792,6 +792,23 @@ interface(`dev_rw_apm_bios',`
########################################
##
+## Read and write the PCMCIA card manager device.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_rw_cardmgr',`
+ gen_require(`
+ type cardmgr_dev_t;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 cardmgr_dev_t:chr_file { read write };
+')
+
+########################################
+##
## Do not audit attempts to read and
## write the PCMCIA card manager device.
##
@@ -1356,7 +1373,9 @@ interface(`dev_getattr_mtrr',`
')
allow $1 device_t:dir r_dir_perms;
- allow $1 mtrr_device_t:chr_file getattr;
+
+ # proc entry is a file. added for nmbd_t
+ allow $1 mtrr_device_t:{ file chr_file } getattr;
')
########################################
@@ -1967,6 +1986,23 @@ interface(`dev_getattr_usbfs_dir',`
########################################
##
+## Do not audit attempts to get the attributes
+## of a directory in the usb filesystem.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`dev_dontaudit_getattr_usbfs_dir',`
+ gen_require(`
+ type usbfs_t;
+ ')
+
+ dontaudit $1 usbfs_t:dir getattr;
+')
+
+########################################
+##
## Search the directory containing USB hardware information.
##
##
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 69a8354..f12e5d4 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -462,7 +462,7 @@ interface(`fs_getattr_cifs',`
## Search directories on a CIFS or SMB filesystem.
##
##
-## The type of the domain reading the files.
+## Domain allowed access.
##
#
interface(`fs_search_cifs',`
@@ -480,7 +480,7 @@ interface(`fs_search_cifs',`
## CIFS or SMB filesystem.
##
##
-## The type of the domain reading the files.
+## Domain allowed access.
##
#
interface(`fs_list_cifs',`
@@ -514,7 +514,7 @@ interface(`fs_dontaudit_list_cifs',`
## Read files on a CIFS or SMB filesystem.
##
##
-## The type of the domain reading the files.
+## Domain allowed access.
##
#
interface(`fs_read_cifs_files',`
@@ -1085,7 +1085,7 @@ interface(`fs_getattr_nfs',`
## Search directories on a NFS filesystem.
##
##
-## The type of the domain reading the files.
+## Domain allowed access.
##
#
interface(`fs_search_nfs',`
@@ -1119,7 +1119,7 @@ interface(`fs_dontaudit_list_nfs',`
## Read files on a NFS filesystem.
##
##
-## The type of the domain reading the files.
+## Domain allowed access.
##
#
interface(`fs_read_nfs_files',`
@@ -1152,6 +1152,23 @@ interface(`fs_dontaudit_read_nfs_files',`
########################################
##
+## Read files on a NFS filesystem.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`fs_write_nfs_files',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ allow $1 nfs_t:dir r_dir_perms;
+ allow $1 nfs_t:file write;
+')
+
+########################################
+##
## Execute files on a NFS filesystem.
##
##
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index bdd44b9..2b238ee 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -2,7 +2,7 @@
## Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
##
##
-## This policy has initial SIDs.
+## This module has initial SIDs.
##
########################################
@@ -27,9 +27,9 @@ interface(`kernel_userland_entry',`
domain_auto_trans(kernel_t, $2, $1)
- allow $1 kernel_t:fd use;
allow kernel_t $1:fd use;
- allow kernel_t $1:fifo_file rw_file_perms;
+ allow $1 kernel_t:fd use;
+ allow $1 kernel_t:fifo_file rw_file_perms;
allow $1 kernel_t:process sigchld;
')
@@ -494,6 +494,23 @@ interface(`kernel_list_proc',`
########################################
##
+## Do not audit attempts to list the
+## contents of directories in /proc.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`kernel_dontaudit_list_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ dontaudit $1 proc_t:dir list_dir_perms;
+')
+
+########################################
+##
## Read symbolic links in /proc.
##
##
@@ -1502,6 +1519,23 @@ interface(`kernel_dontaudit_getattr_unlabeled_file',`
########################################
##
+## Do not audit attempts by caller to
+## read an unlabeled file.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`kernel_dontaudit_read_unlabeled_file',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ dontaudit $1 unlabeled_t:file { getattr read };
+')
+
+########################################
+##
## Do not audit attempts by caller to get attributes for
## unlabeled block devices.
##
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index fd5eced..f4c7fc6 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -124,7 +124,7 @@ interface(`term_create_pty',`
## ttys and all ptys.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_use_all_terms',`
@@ -143,7 +143,7 @@ interface(`term_use_all_terms',`
## Write to the console.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_write_console',`
@@ -160,7 +160,7 @@ interface(`term_write_console',`
## Read from and write to the console.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_use_console',`
@@ -178,7 +178,7 @@ interface(`term_use_console',`
## or write to the console.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_dontaudit_use_console',`
@@ -195,7 +195,7 @@ interface(`term_dontaudit_use_console',`
## device node.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_setattr_console',`
@@ -230,7 +230,7 @@ interface(`term_dontaudit_getattr_pty_dir',`
## Search the contents of the /dev/pts directory.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_search_ptys',`
@@ -248,7 +248,7 @@ interface(`term_search_ptys',`
## list all ptys.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_list_ptys',`
@@ -302,7 +302,7 @@ interface(`term_dontaudit_manage_pty_dir',`
## ioctl of generic pty types.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
# cjp: added for ppp
@@ -323,7 +323,7 @@ interface(`term_ioctl_generic_pty',`
## the targeted policy.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_use_generic_pty',`
@@ -361,7 +361,7 @@ interface(`term_dontaudit_use_generic_pty',`
## terminal (/dev/tty).
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_use_controlling_term',`
@@ -413,7 +413,7 @@ interface(`term_dontaudit_use_ptmx',`
## pty device nodes.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_getattr_all_user_ptys',`
@@ -435,7 +435,7 @@ interface(`term_getattr_all_user_ptys',`
## device nodes.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_dontaudit_getattr_all_user_ptys',`
@@ -455,7 +455,7 @@ interface(`term_dontaudit_getattr_all_user_ptys',`
## pty device nodes.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_setattr_all_user_ptys',`
@@ -475,7 +475,7 @@ interface(`term_setattr_all_user_ptys',`
## Relabel to all user ptys.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_relabelto_all_user_ptys',`
@@ -492,7 +492,7 @@ interface(`term_relabelto_all_user_ptys',`
## Read and write all user ptys.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_use_all_user_ptys',`
@@ -529,7 +529,7 @@ interface(`term_dontaudit_use_all_user_ptys',`
## user pty device nodes.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_relabel_all_user_ptys',`
@@ -550,7 +550,7 @@ interface(`term_relabel_all_user_ptys',`
## tty device nodes.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_getattr_unallocated_ttys',`
@@ -569,7 +569,7 @@ interface(`term_getattr_unallocated_ttys',`
## of all unallocated tty device nodes.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_dontaudit_getattr_unallocated_ttys',`
@@ -587,7 +587,7 @@ interface(`term_dontaudit_getattr_unallocated_ttys',`
## tty device nodes.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_setattr_unallocated_ttys',`
@@ -606,7 +606,7 @@ interface(`term_setattr_unallocated_ttys',`
## tty type.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_relabel_unallocated_ttys',`
@@ -625,7 +625,7 @@ interface(`term_relabel_unallocated_ttys',`
## the unallocated tty type.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_reset_tty_labels',`
@@ -642,10 +642,27 @@ interface(`term_reset_tty_labels',`
########################################
##
+## Do not audit attempts to get the attributes
+## of unallocated ttys.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`term_dontaudit_getattr_unallocated_ttys',`
+ gen_require(`
+ type tty_device_t;
+ ')
+
+ dontaudit $1 tty_device_t:chr_file getattr;
+')
+
+########################################
+##
## Write to unallocated ttys.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_write_unallocated_ttys',`
@@ -663,7 +680,7 @@ interface(`term_write_unallocated_ttys',`
## Read and write unallocated ttys.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_use_unallocated_tty',`
@@ -699,7 +716,7 @@ interface(`term_dontaudit_use_unallocated_tty',`
## device nodes.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_getattr_all_user_ttys',`
@@ -719,7 +736,7 @@ interface(`term_getattr_all_user_ttys',`
## device nodes.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_dontaudit_getattr_all_user_ttys',`
@@ -738,7 +755,7 @@ interface(`term_dontaudit_getattr_all_user_ttys',`
## device nodes.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_setattr_all_user_ttys',`
@@ -757,7 +774,7 @@ interface(`term_setattr_all_user_ttys',`
## user tty device nodes.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_relabel_all_user_ttys',`
@@ -775,7 +792,7 @@ interface(`term_relabel_all_user_ttys',`
## Write to all user ttys.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_write_all_user_ttys',`
@@ -793,7 +810,7 @@ interface(`term_write_all_user_ttys',`
## Read and write all user to all user ttys.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_use_all_user_ttys',`
@@ -811,7 +828,7 @@ interface(`term_use_all_user_ttys',`
## any user ttys.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`term_dontaudit_use_all_user_ttys',`
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index 2a61cf3..9cc5489 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -179,6 +179,8 @@ allow httpd_t httpd_squirrelmail_t:dir create_dir_perms;
allow httpd_t httpd_squirrelmail_t:lnk_file create_lnk_perms;
allow httpd_t httpd_squirrelmail_t:file create_file_perms;
+allow httpd_t httpd_suexec_exec_t:file { getattr read };
+
allow httpd_t httpd_sys_content_t:dir r_dir_perms;
allow httpd_t httpd_sys_content_t:file r_file_perms;
@@ -393,13 +395,6 @@ optional_policy(`mailman.te',`
mailman_read_archive(httpd_t)
')
-optional_policy(`mta.te',`
- mta_stub()
-
- # apache should set close-on-exec
- dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
-')
-
optional_policy(`mysql.te',`
mysql_stream_connect(httpd_t)
mysql_rw_db_socket(httpd_t)
@@ -409,6 +404,11 @@ optional_policy(`nscd.te',`
nscd_use_socket(httpd_t)
')
+optional_policy(`postgresql.te',`
+ # Allow httpd to work with postgresql
+ postgresql_unix_connect(httpd_t)
+')
+
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(httpd_t)
')
@@ -544,6 +544,7 @@ corecmd_exec_shell(httpd_suexec_t)
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
files_dontaudit_search_pids(httpd_suexec_t)
+files_search_home(httpd_suexec_t)
libs_use_ld_so(httpd_suexec_t)
libs_use_shared_libs(httpd_suexec_t)
@@ -619,6 +620,13 @@ optional_policy(`mount.te',`
')
')
+optional_policy(`mta.te',`
+ mta_stub(httpd_suexec_t)
+
+ # apache should set close-on-exec
+ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
+')
+
optional_policy(`nis.te',`
nis_use_ypbind(httpd_suexec_t)
')
diff --git a/refpolicy/policy/modules/services/apm.if b/refpolicy/policy/modules/services/apm.if
index ed346a9..4cac734 100644
--- a/refpolicy/policy/modules/services/apm.if
+++ b/refpolicy/policy/modules/services/apm.if
@@ -86,3 +86,21 @@ interface(`apm_append_log',`
logging_search_logs($1)
allow $1 apmd_log_t:file append;
')
+
+########################################
+##
+## Connect to apmd over an unix stream socket.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`apm_stream_connect',`
+ gen_require(`
+ type apmd_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 apmd_var_run_t:sock_file write;
+ allow $1 apmd_t:unix_stream_socket connectto;
+')
diff --git a/refpolicy/policy/modules/services/arpwatch.if b/refpolicy/policy/modules/services/arpwatch.if
index dc5b070..2e0dedd 100644
--- a/refpolicy/policy/modules/services/arpwatch.if
+++ b/refpolicy/policy/modules/services/arpwatch.if
@@ -51,6 +51,22 @@ interface(`arpwatch_rw_tmp_files',`
########################################
##
+## Read and write arpwatch temporary files.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`arpwatch_manage_tmp_files',`
+ gen_require(`
+ type arpwatch_tmp_t;
+ ')
+
+ allow $1 arpwatch_tmp_t:file manage_file_perms;
+')
+
+########################################
+##
## Do not audit attempts to read and write
## arpwatch packet sockets.
##
diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te
index a4db2f7..7c31188 100644
--- a/refpolicy/policy/modules/services/bind.te
+++ b/refpolicy/policy/modules/services/bind.te
@@ -148,7 +148,6 @@ ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_tty(named_t)
term_dontaudit_use_generic_pty(named_t)
files_dontaudit_read_root_file(named_t)
- #dontaudit ndc_t unlabeled_t:file { getattr read };
')
optional_policy(`dbus.te',`
@@ -247,7 +246,9 @@ ifdef(`distro_redhat',`
allow ndc_t named_conf_t:dir search;
')
-ifdef(`targeted_policy', `
+ifdef(`targeted_policy',`
+ kernel_dontaudit_read_unlabeled_file(ndc_t)
+
term_use_unallocated_tty(ndc_t)
term_use_generic_pty(ndc_t)
')
@@ -270,6 +271,10 @@ optional_policy(`nscd.te',`
nscd_use_socket(ndc_t)
')
+optional_policy(`bind.te',`
+ ppp_dontaudit_use_fd(ndc_t)
+')
+
###########################################################
#
# Partially converted rules. THESE ARE ONLY TEMPORARY
diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te
index 1ab8ded..5d6e7bb 100644
--- a/refpolicy/policy/modules/services/bluetooth.te
+++ b/refpolicy/policy/modules/services/bluetooth.te
@@ -206,6 +206,8 @@ logging_send_syslog_msg(bluetooth_helper_t)
miscfiles_read_localization(bluetooth_helper_t)
miscfiles_read_fonts(bluetooth_helper_t)
+userdom_search_all_users_home(bluetooth_helper_t)
+
optional_policy(`nscd.te',`
nscd_use_socket(bluetooth_helper_t)
')
@@ -213,20 +215,12 @@ optional_policy(`nscd.te',`
ifdef(`TODO',`
allow bluetooth_helper_t tmp_t:dir search;
-allow bluetooth_helper_t home_dir_type:dir search;
-
ifdef(`xserver.te', `
allow bluetooth_helper_t xserver_log_t:dir search;
allow bluetooth_helper_t xserver_log_t:file { getattr read };
')
-ifdef(`targeted_policy', `
- allow bluetooth_helper_t tmp_t:sock_file { read write };
- allow bluetooth_helper_t tmpfs_t:file { read write };
- allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
- allow bluetooth_t unconfined_t:dbus send_msg;
- allow unconfined_t bluetooth_t:dbus send_msg;
-', `
+ifdef(`targeted_policy', `', `
ifdef(`xdm.te', `
allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write };
')
@@ -237,6 +231,11 @@ ifdef(`targeted_policy', `
') dnl end TODO
ifdef(`targeted_policy',`
+ allow bluetooth_helper_t tmp_t:sock_file { read write };
+ allow bluetooth_helper_t tmpfs_t:file { read write };
+ allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
+ allow bluetooth_t unconfined_t:dbus send_msg;
+ allow unconfined_t bluetooth_t:dbus send_msg;
allow bluetooth_t unconfined_t:dbus send_msg;
allow unconfined_t bluetooth_t:dbus send_msg;
')
diff --git a/refpolicy/policy/modules/services/comsat.te b/refpolicy/policy/modules/services/comsat.te
index 57eb700..3f13e1c 100644
--- a/refpolicy/policy/modules/services/comsat.te
+++ b/refpolicy/policy/modules/services/comsat.te
@@ -75,6 +75,8 @@ miscfiles_read_localization(comsat_t)
sysnet_read_config(comsat_t)
+userdom_dontaudit_getattr_sysadm_tty(comsat_t)
+
mta_getattr_spool(comsat_t)
optional_policy(`kerberos.te',`
@@ -89,6 +91,4 @@ optional_policy(`nscd.te',`
nscd_use_socket(comsat_t)
')
-ifdef(`TODO',`
-dontaudit comsat_t sysadm_tty_device_t:chr_file getattr;
-')
+
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index c20e965..3df2e37 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -375,10 +375,9 @@ interface(`cron_sigchld',`
interface(`cron_read_pipe',`
gen_require(`
type crond_t;
- class file r_file_perms;
')
- allow $1 crond_t:file r_file_perms;
+ allow $1 crond_t:fifo_file r_file_perms;
')
########################################
diff --git a/refpolicy/policy/modules/services/cups.if b/refpolicy/policy/modules/services/cups.if
index d1e86d0..5ef539b 100644
--- a/refpolicy/policy/modules/services/cups.if
+++ b/refpolicy/policy/modules/services/cups.if
@@ -2,6 +2,27 @@
########################################
##
+## Execute cups_config in the cups_config domain.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`cups_domtrans_config',`
+ gen_require(`
+ type cupsd_config_t, cupsd_config_exec_t;
+ ')
+
+ domain_auto_trans($1,cupsd_config_exec_t,cupsd_config_t)
+
+ allow $1 cupsd_config_t:fd use;
+ allow cupsd_config_t $1:fd use;
+ allow cupsd_config_t $1:fifo_file rw_file_perms;
+ allow cupsd_config_t $1:process sigchld;
+')
+
+########################################
+##
## Read cups-writable configuration files.
##
##
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index b3517f7..33ce8a0 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -661,7 +661,6 @@ optional_policy(`hal.te', `
')
allow hald_t cupsd_config_t:process signal;
- domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t)
')
# killall causes the following
diff --git a/refpolicy/policy/modules/services/finger.te b/refpolicy/policy/modules/services/finger.te
index ce2cfb9..f38f3bd 100644
--- a/refpolicy/policy/modules/services/finger.te
+++ b/refpolicy/policy/modules/services/finger.te
@@ -136,3 +136,7 @@ optional_policy(`rhgb.te',`
rhgb_domain(fingerd_t)
')
')
+
+# stop it accessing sub-directories, prevents checking a Maildir for new mail,
+# have to change this when we create a type for Maildir
+dontaudit fingerd_t user_home_t:dir search;
diff --git a/refpolicy/policy/modules/services/ftp.if b/refpolicy/policy/modules/services/ftp.if
index 71042be..bf1c3dd 100644
--- a/refpolicy/policy/modules/services/ftp.if
+++ b/refpolicy/policy/modules/services/ftp.if
@@ -1,5 +1,40 @@
## File transfer protocol service
+#######################################
+##
+## The per user domain template for the ftp module.
+##
+##
+##
+## This template allows ftpd to manage files in
+## a user home directory, creating files with the
+## correct type.
+##
+##
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+#
+template(`ftp_per_userdomain_template',`
+ gen_require(`
+ type ftpd_t;
+ ')
+
+ tunable_policy(`ftpd_is_daemon',`
+ userdom_manage_user_home_subdir_files($1,ftpd_t)
+ userdom_manage_user_home_subdir_symlinks($1,ftpd_t)
+ userdom_manage_user_home_subdir_sockets($1,ftpd_t)
+ userdom_manage_user_home_subdir_pipes($1,ftpd_t)
+ userdom_create_user_home($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
+ ')
+')
+
########################################
##
## Use ftp by connecting over TCP.
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index 9577069..d19d772 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -97,6 +97,7 @@ auth_append_login_records(ftpd_t)
auth_write_login_records(ftpd_t)
corecmd_exec_bin(ftpd_t)
+corecmd_exec_sbin(ftpd_t)
# Execute /bin/ls (can comment this out for proftpd)
# also may need rules to allow tar etc...
corecmd_exec_ls(ftpd_t)
@@ -130,6 +131,17 @@ ifdef(`targeted_policy',`
term_dontaudit_use_generic_pty(ftpd_t)
term_dontaudit_use_unallocated_tty(ftpd_t)
+
+ optional_policy(`ftp.te',`
+ tunable_policy(`ftpd_is_daemon',`
+ # cjp: fix this to use regular interfaces
+ userdom_manage_user_home_subdir_files(user,ftpd_t)
+ userdom_manage_user_home_subdir_symlinks(user,ftpd_t)
+ userdom_manage_user_home_subdir_sockets(user,ftpd_t)
+ userdom_manage_user_home_subdir_pipes(user,ftpd_t)
+ userdom_create_user_home(user,ftpd_t,{ dir file lnk_file sock_file fifo_file })
+ ')
+ ')
')
tunable_policy(`allow_ftpd_anon_write',`
@@ -213,13 +225,4 @@ ifdef(`TODO',`
optional_policy(`rhgb.te',`
rhgb_domain(ftpd_t)
')
-
-# cjp: this was in base user macro, but we cannot
-# use typeattribute ftpd_t privhome; interface
-# since typeattribute doesnt work in conditionals
-ifdef(`ftpd.te' , `
-if (ftpd_is_daemon) {
-file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
-}
-')
')
diff --git a/refpolicy/policy/modules/services/hal.if b/refpolicy/policy/modules/services/hal.if
index 68f262d..ca45cde 100644
--- a/refpolicy/policy/modules/services/hal.if
+++ b/refpolicy/policy/modules/services/hal.if
@@ -20,3 +20,20 @@ interface(`hal_domtrans',`
allow hald_t $1:fifo_file rw_file_perms;
allow hald_t $1:process sigchld;
')
+
+########################################
+##
+## Send to hal over a unix domain
+## datagram socket.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`hal_dgram_sendto',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ allow $1 hald_t:unix_dgram_socket sendto;
+')
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 6c80d20..725485c 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -125,6 +125,16 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_file(hald_t)
')
+optional_policy(`apm.te',`
+ # For /usr/libexec/hald-addon-acpi
+ # writes to /var/run/acpid.socket
+ apm_stream_connect(hald_t)
+')
+
+optional_policy(`cups.te',`
+ cups_domtrans_config(hald_t)
+')
+
optional_policy(`dbus.te',`
allow hald_t self:dbus send_msg;
dbus_system_bus_client_template(hald,hald_t)
@@ -181,12 +191,6 @@ allow hald_t device_t:dir create_dir_perms;
optional_policy(`hald.te',`
allow udev_t hald_t:unix_dgram_socket sendto;
')
-
-# For /usr/libexec/hald-addon-acpi - writes to /var/run/acpid.socket
-ifdef(`apmd.te', `
-allow hald_t apmd_var_run_t:sock_file write;
-allow hald_t apmd_t:unix_stream_socket connectto;
-')
') dnl end TODO
ifdef(`targeted_policy', `
diff --git a/refpolicy/policy/modules/services/inn.te b/refpolicy/policy/modules/services/inn.te
index 11b1b03..83655c1 100644
--- a/refpolicy/policy/modules/services/inn.te
+++ b/refpolicy/policy/modules/services/inn.te
@@ -86,6 +86,8 @@ term_dontaudit_use_console(innd_t)
corecmd_exec_bin(innd_t)
corecmd_exec_shell(innd_t)
+corecmd_search_sbin(innd_t)
+corecmd_read_sbin_symlink(innd_t)
domain_use_wide_inherit_fd(innd_t)
diff --git a/refpolicy/policy/modules/services/mailman.te b/refpolicy/policy/modules/services/mailman.te
index 3e3613b..8687b89 100644
--- a/refpolicy/policy/modules/services/mailman.te
+++ b/refpolicy/policy/modules/services/mailman.te
@@ -51,6 +51,9 @@ optional_policy(`apache.te',`
apache_sigchld(mailman_cgi_t)
apache_use_fd(mailman_cgi_t)
apache_dontaudit_append_log(mailman_cgi_t)
+
+ # FIXME:
+ allow mailman_cgi_t httpd_sys_script_t:dir search;
')
########################################
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 5334c09..d85e550 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -191,6 +191,9 @@ optional_policy(`postfix.te',`
optional_policy(`crond.te',`
cron_crw_tcp_socket(system_mail_t)
')
+
+ allow mta_user_agent sysadm_t:fifo_file { read write };
+ type_transition postfix_master_t postfix_etc_t:dir etc_aliases_t;
')
optional_policy(`sendmail.te',`
@@ -230,10 +233,13 @@ optional_policy(`qmail.te',`
allow system_mail_t qmail_etc_t:dir search;
allow system_mail_t qmail_etc_t:{ file lnk_file } read;
')
+') dnl end TODO
+
+allow mta_user_agent system_crond_tmp_t:file { read getattr };
optional_policy(`arpwatch.te',`
# why is mail delivered to a directory of type arpwatch_data_t?
- arpwatch_search_data_dir(mta_delivery_agent)
+ arpwatch_search_data(mailserver_delivery)
arpwatch_manage_tmp_files(system_mail_t)
arpwatch_manage_tmp_files(mta_user_agent)
ifdef(`hide_broken_symptoms', `
@@ -241,5 +247,3 @@ optional_policy(`arpwatch.te',`
arpwatch_dontaudit_rw_packet_socket(mta_user_agent)
')
')
-
-') dnl end TODO
diff --git a/refpolicy/policy/modules/services/nis.if b/refpolicy/policy/modules/services/nis.if
index 2451eb2..649d341 100644
--- a/refpolicy/policy/modules/services/nis.if
+++ b/refpolicy/policy/modules/services/nis.if
@@ -204,3 +204,54 @@ interface(`nis_tcp_connect_ypbind',`
allow ypbind_t $1:tcp_socket { acceptfrom recvfrom };
allow $1 kernel_t:tcp_socket recvfrom;
')
+
+########################################
+##
+## Read ypbind pid files.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`nis_read_ypbind_pid',`
+ gen_require(`
+ type ypbind_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 ypbind_t:file r_file_perms;
+')
+
+########################################
+##
+## Delete ypbind pid files.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`nis_delete_ypbind_pid',`
+ gen_require(`
+ type ypbind_t;
+ ')
+
+ # TODO: add delete pid from dir call to files
+ allow $1 ypbind_t:file unlink;
+')
+
+########################################
+##
+## Read ypserv configuration files.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`nis_read_ypserv_config',`
+ gen_require(`
+ type ypserv_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 ypserv_t:file { getattr read };
+')
diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te
index 559589e..afeff3e 100644
--- a/refpolicy/policy/modules/services/nscd.te
+++ b/refpolicy/policy/modules/services/nscd.te
@@ -90,6 +90,7 @@ selinux_compute_user_contexts(nscd_t)
domain_use_wide_inherit_fd(nscd_t)
files_read_etc_files(nscd_t)
+files_read_generic_tmp_symlinks(nscd_t)
init_use_fd(nscd_t)
init_use_script_pty(nscd_t)
@@ -126,6 +127,7 @@ optional_policy(`nis.te',`
optional_policy(`samba.te',`
samba_connect_winbind(nscd_t)
+ samba_search_var(nscd_t)
')
optional_policy(`udev.te', `
@@ -133,13 +135,7 @@ optional_policy(`udev.te', `
')
ifdef(`TODO',`
-optional_policy(`winbind.te', `
- allow nscd_t samba_var_t:dir search;
-')
optional_policy(`rhgb.te',`
rhgb_domain(nscd_t)
')
-
-allow nscd_t tmp_t:dir { search getattr };
-allow nscd_t tmp_t:lnk_file read;
') dnl end TODO
diff --git a/refpolicy/policy/modules/services/ntp.te b/refpolicy/policy/modules/services/ntp.te
index 524fcc3..748c48e 100644
--- a/refpolicy/policy/modules/services/ntp.te
+++ b/refpolicy/policy/modules/services/ntp.te
@@ -112,6 +112,7 @@ miscfiles_read_localization(ntpd_t)
sysnet_read_config(ntpd_t)
userdom_dontaudit_use_unpriv_user_fd(ntpd_t)
+userdom_list_sysadm_home_dir(ntpd_t)
userdom_dontaudit_list_sysadm_home_dir(ntpd_t)
ifdef(`targeted_policy', `
@@ -145,6 +146,12 @@ optional_policy(`nscd.te',`
nscd_use_socket(ntpd_t)
')
+optional_policy(`samba.te',`
+ # cjp: the connect was previously missing
+ # so it might be ok to drop this
+ samba_connect_winbind(ntpd_t)
+')
+
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(ntpd_t)
')
@@ -162,9 +169,4 @@ allow sysadm_t ntpd_t:udp_socket recvfrom;
allow sysadm_t ntpd_t:udp_socket sendto;
allow ntpd_t sysadm_t:udp_socket recvfrom;
-
-ifdef(`winbind.te', `
-allow ntpd_t winbind_var_run_t:dir r_dir_perms;
-allow ntpd_t winbind_var_run_t:sock_file rw_file_perms;
-')
') dnl end TODO
diff --git a/refpolicy/policy/modules/services/portmap.te b/refpolicy/policy/modules/services/portmap.te
index c9dcd28..1f4c4db 100644
--- a/refpolicy/policy/modules/services/portmap.te
+++ b/refpolicy/policy/modules/services/portmap.te
@@ -200,6 +200,11 @@ sysnet_read_config(portmap_helper_t)
userdom_dontaudit_use_all_user_fd(portmap_helper_t)
+ifdef(`targeted_policy', `
+ term_dontaudit_use_unallocated_tty(portmap_helper_t)
+ term_dontaudit_use_generic_pty(portmap_helper_t)
+')
+
optional_policy(`mount.te',`
mount_send_nfs_client_request(portmap_helper_t)
')
diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te
index e7ddccc..e589926 100644
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@@ -93,6 +93,8 @@ allow postfix_master_t self:fifo_file rw_file_perms;
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
allow postfix_master_t self:udp_socket create_socket_perms;
+allow postfix_master_t postfix_etc_t:file rw_file_perms;
+
can_exec(postfix_master_t,postfix_exec_t)
allow postfix_master_t postfix_map_exec_t:file rx_file_perms;
@@ -333,6 +335,7 @@ allow postfix_map_t postfix_map_tmp_t:file create_file_perms;
files_create_tmp_files(postfix_map_t, postfix_map_tmp_t, { file dir })
kernel_read_kernel_sysctl(postfix_map_t)
+kernel_dontaudit_list_proc(postfix_map_t)
corenet_tcp_sendrecv_all_if(postfix_map_t)
corenet_udp_sendrecv_all_if(postfix_map_t)
@@ -463,6 +466,11 @@ optional_policy(`crond.te',`
cron_rw_system_job_pipe(postfix_postdrop_t)
')
+optional_policy(`ppp.te',`
+ ppp_use_fd(postfix_postqueue_t)
+ ppp_sigchld(postfix_postqueue_t)
+')
+
#######################################
#
# Postfix postqueue local policy
diff --git a/refpolicy/policy/modules/services/postgresql.te b/refpolicy/policy/modules/services/postgresql.te
index 5c19d7f..fd1de40 100644
--- a/refpolicy/policy/modules/services/postgresql.te
+++ b/refpolicy/policy/modules/services/postgresql.te
@@ -212,12 +212,4 @@ ifdef(`distro_gentoo', `
postgresql_search_db_dir(initrc_su_t)
dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
')
-
-# Goes to apache.te:
-# Allow httpd to work with postgresql
-optional_policy(`postgresql.te', `
- # Original policy had apache connecting to postgresql_tmp_t:sock_file
- # instead of what is assumed to be correct: postgresql_var_run_t. -Don
- postgresql_unix_connect(httpd_t)
-')
')
diff --git a/refpolicy/policy/modules/services/ppp.if b/refpolicy/policy/modules/services/ppp.if
index 88c7fba..aa5e4d9 100644
--- a/refpolicy/policy/modules/services/ppp.if
+++ b/refpolicy/policy/modules/services/ppp.if
@@ -18,6 +18,23 @@ interface(`ppp_use_fd',`
########################################
##
+## Do not audit attempts to inherit
+## and use PPP file discriptors.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`ppp_dontaudit_use_fd',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ dontaudit $1 pppd_t:fd use;
+')
+
+########################################
+##
## Allow domain to send sigchld to parent of PPP domain type.
##
##
@@ -35,7 +52,7 @@ interface(`ppp_sigchld',`
########################################
##
-## Allow domain to send a signal to PPP domain type.
+## Send a generic signal to PPP.
##
##
## Domain allowed access.
@@ -51,6 +68,22 @@ interface(`ppp_signal',`
########################################
##
+## Send a SIGCHLD signal to PPP.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`ppp_sigchld',`
+ gen_require(`
+ type pppd_t;
+ ')
+
+ allow $1 pppd_t:process sigchld;
+')
+
+########################################
+##
## Execute domain in the ppp domain.
##
##
diff --git a/refpolicy/policy/modules/services/ppp.te b/refpolicy/policy/modules/services/ppp.te
index 8734731..cb55c54 100644
--- a/refpolicy/policy/modules/services/ppp.te
+++ b/refpolicy/policy/modules/services/ppp.te
@@ -107,9 +107,8 @@ allow pppd_t pppd_secret_t:file r_file_perms;
# Automatically label newly created files under /etc/ppp with this type
type_transition pppd_t pppd_etc_t:file pppd_etc_rw_t;
-kernel_list_proc(pppd_t)
kernel_read_kernel_sysctl(pppd_t)
-kernel_read_proc_symlinks(pppd_t)
+kernel_read_system_state(pppd_t)
kernel_read_net_sysctl(pppd_t)
kernel_read_network_state(pppd_t)
kernel_load_module(pppd_t)
@@ -318,23 +317,22 @@ optional_policy(`udev.te',`
')
ifdef(`TODO',`
-ifdef(`postfix.te', `
- allow pppd_t postfix_etc_t:dir search;
- allow pppd_t postfix_etc_t:file r_file_perms;
- allow pppd_t postfix_master_exec_t:file { getattr read };
-
- ppp_use_fd(postfix_postqueue_t)
- ppp_signal_daemon(postfix_postqueue_t)
-')
optional_policy(`rhgb.te',`
rhgb_domain(pppd_t)
')
optional_policy(`rhgb.te',`
rhgb_domain(pptp_t)
')
-ifdef(`named.te', `
- dontaudit ndc_t pppd_t:fd use;
')
-domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
+ifdef(`postfix.te', `
+ allow pppd_t postfix_etc_t:dir search;
+ allow pppd_t postfix_etc_t:file r_file_perms;
+ allow pppd_t postfix_master_exec_t:file { getattr read };
')
+
+domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
+allow pppd_t initrc_t:fd use;
+allow initrc_t pppd_t:fd use;
+allow initrc_t pppd_t:fifo_file rw_file_perms;
+allow initrc_t pppd_t:process sigchld;
diff --git a/refpolicy/policy/modules/services/radius.te b/refpolicy/policy/modules/services/radius.te
index b8ad337..c07e206 100644
--- a/refpolicy/policy/modules/services/radius.te
+++ b/refpolicy/policy/modules/services/radius.te
@@ -76,6 +76,7 @@ auth_read_shadow(radiusd_t)
corecmd_exec_bin(radiusd_t)
corecmd_exec_shell(radiusd_t)
+corecmd_search_sbin(radiusd_t)
domain_use_wide_inherit_fd(radiusd_t)
diff --git a/refpolicy/policy/modules/services/rlogin.te b/refpolicy/policy/modules/services/rlogin.te
index 17d8e1e..abc611e 100644
--- a/refpolicy/policy/modules/services/rlogin.te
+++ b/refpolicy/policy/modules/services/rlogin.te
@@ -87,6 +87,7 @@ seutil_dontaudit_search_config(rlogind_t)
sysnet_read_config(rlogind_t)
+userdom_setattr_unpriv_user_pty(rlogind_t)
# cjp: this is egregious
userdom_read_all_user_files(rlogind_t)
diff --git a/refpolicy/policy/modules/services/rpc.te b/refpolicy/policy/modules/services/rpc.te
index c67e85b..b8ade12 100644
--- a/refpolicy/policy/modules/services/rpc.te
+++ b/refpolicy/policy/modules/services/rpc.te
@@ -62,13 +62,17 @@ files_manage_mounttab(rpcd_t)
seutil_dontaudit_search_config(rpcd_t)
-# FIXME
-dontaudit userdomain exports_t:file getattr;
-
ifdef(`distro_redhat',`
allow rpcd_t self:capability { chown dac_override setgid setuid };
')
+optional_policy(`nis.te',`
+ nis_read_ypserv_config(rpcd_t)
+')
+
+# FIXME
+dontaudit userdomain exports_t:file getattr;
+
########################################
#
# NFSD local policy
@@ -132,9 +136,9 @@ fs_read_rpc_dirs(gssd_t)
fs_read_rpc_sockets(gssd_t)
fs_read_rpc_files(gssd_t)
-files_read_tmp(gssd_t)
-files_read_tmp_files(gssd_t)
-files_read_tmp_symlinks(gssd_t)
+files_list_tmp(gssd_t)
+files_read_generic_tmp_files(gssd_t)
+files_read_generic_tmp_symlinks(gssd_t)
tunable_policy(`allow_gssd_read_tmp',`
userdom_list_unpriv_user_tmp(gssd_t)
diff --git a/refpolicy/policy/modules/services/rshd.te b/refpolicy/policy/modules/services/rshd.te
index 5ab132e..d5c5711 100644
--- a/refpolicy/policy/modules/services/rshd.te
+++ b/refpolicy/policy/modules/services/rshd.te
@@ -74,8 +74,8 @@ tunable_policy(`use_nfs_home_dirs',`
')
tunable_policy(`use_samba_home_dirs',`
- fs_read_nfs_files(rshd_t)
- fs_read_nfs_symlinks(rshd_t)
+ fs_read_cifs_files(rshd_t)
+ fs_read_cifs_symlinks(rshd_t)
')
optional_policy(`kerberos.te',`
diff --git a/refpolicy/policy/modules/services/samba.if b/refpolicy/policy/modules/services/samba.if
index d28ba60..3e9a0a5 100644
--- a/refpolicy/policy/modules/services/samba.if
+++ b/refpolicy/policy/modules/services/samba.if
@@ -197,6 +197,24 @@ interface(`samba_read_secrets',`
########################################
##
+## Allow the specified domain to search
+## samba /var directories.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`samba_search_var',`
+ gen_require(`
+ type samba_var_t;
+ ')
+
+ files_search_var($1)
+ allow $1 samba_var_t:dir search_dir_perms;
+')
+
+########################################
+##
## Allow the specified domain to write to smbmount tcp sockets.
##
##
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index 7702c76..47e8ead 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -233,6 +233,7 @@ corenet_tcp_connect_smbd_port(smbd_t)
dev_read_sysfs(smbd_t)
dev_read_urand(smbd_t)
+dev_dontaudit_getattr_usbfs_dir(smbd_t)
fs_getattr_all_fs(smbd_t)
fs_get_xattr_fs_quotas(smbd_t)
diff --git a/refpolicy/policy/modules/services/snmp.te b/refpolicy/policy/modules/services/snmp.te
index 45b81a3..b5cfae2 100644
--- a/refpolicy/policy/modules/services/snmp.te
+++ b/refpolicy/policy/modules/services/snmp.te
@@ -146,6 +146,15 @@ ifdef(`TODO',`
can_udp_send(sysadm_t, snmpd_t)
can_udp_send(snmpd_t, sysadm_t)
+optional_policy(`cupsd.te', `
+ allow snmpd_t cupsd_rw_etc_t:file { getattr read };
+')
+
+optional_policy(`rhgb.te',`
+ rhgb_domain(snmpd_t)
+')
+') dnl end TODO
+
ifdef(`distro_redhat', `
optional_policy(`rpm.te', `
dontaudit snmpd_t rpm_var_lib_t:dir write;
@@ -153,20 +162,9 @@ ifdef(`distro_redhat', `
')
')
-dontaudit snmpd_t rpc_pipefs_t:dir getattr;
-allow snmpd_t rpc_pipefs_t:dir getattr;
-
optional_policy(`amanda.te', `
dontaudit snmpd_t amanda_dumpdates_t:file { getattr read };
')
-optional_policy(`cupsd.te', `
- allow snmpd_t cupsd_rw_etc_t:file { getattr read };
-')
-
+allow snmpd_t rpc_pipefs_t:dir getattr;
allow snmpd_t var_lib_nfs_t:dir search;
-
-optional_policy(`rhgb.te',`
- rhgb_domain(snmpd_t)
-')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te
index 1ec9f1a..f872211 100644
--- a/refpolicy/policy/modules/services/spamassassin.te
+++ b/refpolicy/policy/modules/services/spamassassin.te
@@ -37,6 +37,7 @@ dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
allow spamd_t self:fifo_file rw_file_perms;
+allow spamd_t self:sock_file r_file_perms;
allow spamd_t self:shm create_shm_perms;
allow spamd_t self:sem create_sem_perms;
allow spamd_t self:msgq create_msgq_perms;
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 6bc464a..ee6fd72 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -262,16 +262,22 @@ ifdef(`xdm.te', `
allow system_chkpwd_t self:capability setuid;
allow system_chkpwd_t self:process getattr;
+allow system_chkpwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow system_chkpwd_t shadow_t:file { getattr read };
# is_selinux_enabled
kernel_read_system_state(system_chkpwd_t)
+dev_read_rand(system_chkpwd_t)
+dev_read_urand(system_chkpwd_t)
+
fs_dontaudit_getattr_xattr_fs(system_chkpwd_t)
term_dontaudit_use_unallocated_tty(system_chkpwd_t)
+corecmd_search_sbin(system_chkpwd_t)
+
domain_dontaudit_use_wide_inherit_fd(system_chkpwd_t)
files_read_etc_files(system_chkpwd_t)
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index 2853222..ff622fa 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -61,7 +61,7 @@ logging_send_syslog_msg(hwclock_t)
miscfiles_read_localization(hwclock_t)
-ifdef(`targeted_policy', `
+ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_tty(hwclock_t)
term_dontaudit_use_generic_pty(hwclock_t)
files_dontaudit_read_root_file(hwclock_t)
diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if
index 821170f..a1b9b4e 100644
--- a/refpolicy/policy/modules/system/corecommands.if
+++ b/refpolicy/policy/modules/system/corecommands.if
@@ -54,7 +54,7 @@ interface(`corecmd_list_bin',`
## Get the attributes of files in bin directories.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`corecmd_getattr_bin_file',`
@@ -71,7 +71,7 @@ interface(`corecmd_getattr_bin_file',`
## Read files in bin directories.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`corecmd_read_bin_file',`
@@ -90,7 +90,7 @@ interface(`corecmd_read_bin_file',`
## Read symbolic links in bin directories.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`corecmd_read_bin_symlink',`
@@ -109,7 +109,7 @@ interface(`corecmd_read_bin_symlink',`
## Read pipes in bin directories.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`corecmd_read_bin_pipe',`
@@ -128,7 +128,7 @@ interface(`corecmd_read_bin_pipe',`
## Read named sockets in bin directories.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`corecmd_read_bin_socket',`
@@ -183,7 +183,7 @@ interface(`corecmd_exec_bin',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
## The type of the new process.
@@ -259,7 +259,7 @@ interface(`corecmd_dontaudit_getattr_sbin_file',`
## Read files in sbin directories.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`corecmd_read_sbin_file',`
@@ -278,7 +278,7 @@ interface(`corecmd_read_sbin_file',`
## Read symbolic links in sbin directories.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`corecmd_read_sbin_symlink',`
@@ -297,7 +297,7 @@ interface(`corecmd_read_sbin_symlink',`
## Read named pipes in sbin directories.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`corecmd_read_sbin_pipe',`
@@ -316,7 +316,7 @@ interface(`corecmd_read_sbin_pipe',`
## Read named sockets in sbin directories.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`corecmd_read_sbin_socket',`
@@ -371,7 +371,7 @@ interface(`corecmd_exec_sbin',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
## The type of the new process.
@@ -391,6 +391,24 @@ interface(`corecmd_sbin_domtrans',`
')
########################################
+##
+## Check if a shell is executable (DAC-wise).
+##
+##
+## Domain allowed access.
+##
+#
+interface(`corecmd_check_exec_shell',`
+ gen_require(`
+ type bin_t, shell_exec_t;
+ ')
+
+ allow $1 bin_t:dir r_dir_perms;
+ allow $1 bin_t:lnk_file r_file_perms;
+ allow $1 shell_exec_t:file execute;
+')
+
+########################################
#
# corecmd_exec_shell(domain)
#
@@ -441,7 +459,7 @@ interface(`corecmd_exec_ls',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
## The type of the shell process.
@@ -475,7 +493,7 @@ interface(`corecmd_shell_spec_domtrans',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
## The type of the shell process.
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 6bfabae..c7b547c 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -2067,13 +2067,12 @@ interface(`files_search_tmp',`
## The type of the process performing this action.
##
#
-interface(`files_read_tmp',`
+interface(`files_list_tmp',`
gen_require(`
type tmp_t;
- class dir r_dir_perms;
')
- allow $1 tmp_t:dir r_dir_perms;
+ allow $1 tmp_t:dir list_dir_perms;
')
########################################
@@ -2084,12 +2083,12 @@ interface(`files_read_tmp',`
## The type of the process performing this action.
##
#
-interface(`files_read_tmp_files',`
+interface(`files_read_generic_tmp_files',`
gen_require(`
type tmp_t;
- class file r_file_perms;
')
+ allow $1 tmp_t:dir search_dir_perms;
allow $1 tmp_t:file r_file_perms;
')
@@ -2101,12 +2100,12 @@ interface(`files_read_tmp_files',`
## The type of the process performing this action.
##
#
-interface(`files_read_tmp_symlinks',`
+interface(`files_read_generic_tmp_symlinks',`
gen_require(`
type tmp_t;
- class lnk_file r_file_perms;
')
+ allow $1 tmp_t:dir search_dir_perms;
allow $1 tmp_t:lnk_file r_file_perms;
')
@@ -2339,7 +2338,7 @@ interface(`files_dontaudit_search_src',`
type src_t;
')
- allow $1 src_t:dir search;
+ dontaudit $1 src_t:dir search;
')
########################################
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index 8efec44..7439c4d 100644
--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -28,6 +28,7 @@ allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_
allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };
allow fsadm_t self:fd use;
allow fsadm_t self:fifo_file rw_file_perms;
+allow fsadm_t self:sock_file r_file_perms;
allow fsadm_t self:unix_dgram_socket create_socket_perms;
allow fsadm_t self:unix_stream_socket create_stream_socket_perms;
allow fsadm_t self:unix_dgram_socket sendto;
@@ -133,6 +134,11 @@ seutil_read_config(fsadm_t)
userdom_use_unpriv_users_fd(fsadm_t)
+ifdef(`targeted_policy',`
+ term_use_unallocated_tty(fsadm_t)
+ term_use_generic_pty(fsadm_t)
+')
+
tunable_policy(`read_default_t',`
files_list_default(fsadm_t)
files_read_default_files(fsadm_t)
@@ -151,7 +157,8 @@ optional_policy(`nis.te',`
')
ifdef(`TODO',`
-allow fsadm_t tmpfs_t:file { read write };
-allow fsadm_t ramfs_t:fifo_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
') dnl end TODO
+
+allow fsadm_t tmpfs_t:file { read write };
+allow fsadm_t ramfs_t:fifo_file rw_file_perms;
diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te
index 7c2b7ea..5821b22 100644
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@@ -113,5 +113,5 @@ optional_policy(`ppp.te',`
')
optional_policy(`udev.te',`
- udev_read_db(system_dbusd_t)
+ udev_read_db(getty_t)
')
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 666ed22..c39d43a 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -14,7 +14,7 @@ init_daemon_domain(hotplug_t,hotplug_exec_t)
type hotplug_etc_t;
files_config_file(hotplug_etc_t)
kernel_search_from(hotplug_etc_t)
-domain_entry_file(hotplug_t,hotplug_etc_t)
+init_daemon_domain(hotplug_t,hotplug_etc_t)
type hotplug_var_run_t;
files_pid_file(hotplug_var_run_t)
@@ -150,6 +150,10 @@ optional_policy(`fstools.te',`
fstools_domtrans(hotplug_t)
')
+optional_policy(`hal.te',`
+ hal_dgram_sendto(hotplug_t)
+')
+
optional_policy(`hostname.te',`
hostname_exec(hotplug_t)
')
@@ -207,7 +211,4 @@ rhgb_domain(hotplug_t)
dontaudit hotplug_t { init_t kernel_t }:file read;
-optional_policy(`hald.te', `
- allow hotplug_t hald_t:unix_dgram_socket sendto;
-')
') dnl end TODO
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 4c92dfa..3a9e940 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -346,7 +346,7 @@ interface(`init_dontaudit_use_fd',`
## Send UDP network traffic to init.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`init_udp_sendto',`
@@ -392,7 +392,7 @@ interface(`init_domtrans_script',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
## The role to be performing this action.
@@ -415,6 +415,22 @@ interface(`init_run_daemon',`
########################################
##
+## Write an init script unnamed pipe.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`init_write_script_pipe',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:fifo_file write;
+')
+
+########################################
+##
## Allow the specified domain to connect to
## init scripts with a unix domain stream socket.
##
@@ -484,7 +500,7 @@ interface(`init_exec_script',`
## Read the process state (/proc/pid) of the init scripts.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`init_read_script_process_state',`
@@ -552,7 +568,7 @@ interface(`init_get_script_process_group',`
## Send SIGCHLD signals to init scripts.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`init_sigchld_script',`
@@ -568,7 +584,7 @@ interface(`init_sigchld_script',`
## Read and write init script unnamed pipes.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`init_rw_script_pipe',`
@@ -585,7 +601,7 @@ interface(`init_rw_script_pipe',`
## Send UDP network traffic to init scripts.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`init_udp_sendto_script',`
@@ -629,7 +645,7 @@ interface(`init_unix_connect_script',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`init_use_script_pty',`
@@ -663,7 +679,7 @@ interface(`init_dontaudit_use_script_pty',`
## Read init scripts.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`init_read_script_file',`
@@ -681,7 +697,7 @@ interface(`init_read_script_file',`
## Read and write init script temporary data.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`init_rw_script_tmp_files',`
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 23cd161..44d9301 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -366,6 +366,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
modutils_read_module_conf(initrc_t)
+modutils_domtrans_insmod(initrc_t)
seutil_read_config(initrc_t)
@@ -480,7 +481,6 @@ optional_policy(`bind.te',`
# Allow init script to cp localtime to named_conf_t
bind_write_config(initrc_t)
')
-
')
optional_policy(`bluetooth.te',`
@@ -488,7 +488,7 @@ optional_policy(`bluetooth.te',`
')
optional_policy(`cpucontrol.te',`
- cpucontrol_stub()
+ cpucontrol_stub(initrc_t)
dev_getattr_cpu(initrc_t)
')
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index f226777..3ff19d7 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -95,9 +95,7 @@ ifdef(`targeted_policy',`
unconfined_domain_template(ldconfig_t)
')
-ifdef(`TODO',`
optional_policy(`apache.te',`
# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
dontaudit ldconfig_t httpd_modules_t:dir search;
')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 750f9b5..075a824 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -41,6 +41,7 @@ allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrli
allow local_login_t self:process { setrlimit setexec };
allow local_login_t self:fd use;
allow local_login_t self:fifo_file rw_file_perms;
+allow local_login_t self:sock_file r_file_perms;
allow local_login_t self:unix_dgram_socket create_socket_perms;
allow local_login_t self:unix_stream_socket create_stream_socket_perms;
allow local_login_t self:unix_dgram_socket sendto;
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 77e6b6e..3d3f9bb 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -229,6 +229,8 @@ logging_send_syslog_msg(klogd_t)
miscfiles_read_localization(klogd_t)
+userdom_dontaudit_search_sysadm_home_dir(klogd_t)
+
optional_policy(`udev.te', `
udev_read_db(klogd_t)
')
@@ -238,6 +240,10 @@ ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_tty(klogd_t)
')
+optional_policy(`selinuxutil.te',`
+ seutil_sigchld_newrole(klogd_t)
+')
+
########################################
#
# syslogd local policy
diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if
index 29a53bc..11724cd 100644
--- a/refpolicy/policy/modules/system/modutils.if
+++ b/refpolicy/policy/modules/system/modutils.if
@@ -36,7 +36,7 @@ interface(`modutils_read_module_conf',`
files_search_etc($1)
bootloader_search_boot($1)
- allow $1 modules_conf_t:file r_file_perms;
+ allow $1 modules_conf_t:{ file lnk_file } r_file_perms;
')
########################################
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 5613a7a..e74fc19 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -16,7 +16,6 @@ files_type(modules_dep_t)
type insmod_t;
type insmod_exec_t;
-kernel_userland_entry(insmod_t,insmod_exec_t)
init_system_domain(insmod_t,insmod_exec_t)
mls_file_write_down(insmod_t)
role system_r types insmod_t;
@@ -110,6 +109,10 @@ logging_search_logs(insmod_t)
miscfiles_read_localization(insmod_t)
+if( ! secure_mode_insmod ) {
+ kernel_userland_entry(insmod_t,insmod_exec_t)
+}
+
ifdef(`hide_broken_symptoms',`
dev_dontaudit_rw_cardmgr(insmod_t)
')
diff --git a/refpolicy/policy/modules/system/pcmcia.if b/refpolicy/policy/modules/system/pcmcia.if
index c86414e..3f9ca2f 100644
--- a/refpolicy/policy/modules/system/pcmcia.if
+++ b/refpolicy/policy/modules/system/pcmcia.if
@@ -2,6 +2,20 @@
########################################
##
+## PCMCIA stub interface. No access allowed.
+##
+##
+## N/A
+##
+#
+interface(`pcmcia_stub',`
+ gen_require(`
+ type cardmgr_t;
+ ')
+')
+
+########################################
+##
## Execute cardmgr in the cardmgr domain.
##
##
@@ -99,6 +113,7 @@ interface(`pcmcia_read_pid',`
files_search_pids($1)
allow $1 cardmgr_var_run_t:dir r_dir_perms;
allow $1 cardmgr_var_run_t:file r_file_perms;
+ allow $1 cardmgr_var_run_t:lnk_file { getattr read };
')
########################################
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 982dded..0fd52e0 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -202,6 +202,7 @@ allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit
allow newrole_t self:process setexec;
allow newrole_t self:fd use;
allow newrole_t self:fifo_file rw_file_perms;
+allow newrole_t self:sock_file r_file_perms;
allow newrole_t self:shm create_shm_perms;
allow newrole_t self:sem create_sem_perms;
allow newrole_t self:msgq create_msgq_perms;
@@ -242,6 +243,9 @@ term_relabel_all_user_ptys(newrole_t)
auth_domtrans_chk_passwd(newrole_t)
+corecmd_list_bin(newrole_t)
+corecmd_read_bin_symlink(newrole_t)
+
domain_use_wide_inherit_fd(newrole_t)
# for when the user types "exec newrole" at the command line:
domain_sigchld_wide_inherit_fd(newrole_t)
@@ -251,6 +255,7 @@ init_rw_script_pid(newrole_t)
files_read_etc_files(newrole_t)
files_read_var_files(newrole_t)
+files_read_var_symlink(newrole_t)
libs_use_ld_so(newrole_t)
libs_use_shared_libs(newrole_t)
@@ -377,6 +382,8 @@ domain_auto_trans(dpkg_t, restorecon_exec_t, restorecon_t)
')
') dnl endif TODO
+allow restorecon_t kernel_t:unix_dgram_socket { read write };
+
#################################
#
# Run_init local policy
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 07b155f..507905c 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -206,6 +206,9 @@ optional_policy(`netutils.te',`
optional_policy(`nis.te',`
nis_use_ypbind(dhcpc_t)
nis_signal_ypbind(dhcpc_t)
+ nis_read_ypbind_pid(dhcpc_t)
+ nis_delete_ypbind_pid(dhcpc_t)
+
# dhclient sometimes starts ypbind
init_exec_script(dhcpc_t)
nis_domtrans_ypbind(dhcpc_t)
@@ -222,6 +225,11 @@ optional_policy(`ntp.te',`
ntp_domtrans(dhcpc_t)
')
+optional_policy(`pcmcia.te',`
+ pcmcia_stub(dhcpc_t)
+ dev_rw_cardmgr(dhcpc_t)
+')
+
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
@@ -236,27 +244,6 @@ optional_policy(`userdomain.te',`
')
ifdef(`TODO',`
-ifdef(`cardmgr.te',`
-allow dhcpc_t cardmgr_dev_t:chr_file { read write };
-')
-
-ifdef(`ypbind.te',`
-allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink };
-')
-
-ifdef(`dbusd.te', `
-dbusd_client(system, dhcpc)
-domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
-allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg };
-allow dhcpc_t self:dbus send_msg;
-allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
-allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg;
-ifdef(`unconfined.te', `
-allow unconfined_t dhcpc_t:dbus send_msg;
-allow dhcpc_t unconfined_t:dbus send_msg;
-')dnl end ifdef unconfined.te
-')
-
optional_policy(`rhgb.te',`
rhgb_domain(dhcpc_t)
')
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 953d2cf..615afb0 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -992,7 +992,7 @@ template(`admin_user_template',`
## is the prefix for user_t).
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
template(`userdom_search_user_home',`
@@ -1024,7 +1024,7 @@ template(`userdom_search_user_home',`
## is the prefix for user_t).
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
template(`userdom_manage_user_home_subdirs',`
@@ -1055,7 +1055,7 @@ template(`userdom_manage_user_home_subdirs',`
## is the prefix for user_t).
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
template(`userdom_read_user_home_files',`
@@ -1087,7 +1087,7 @@ template(`userdom_read_user_home_files',`
## is the prefix for user_t).
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
template(`userdom_exec_user_home_files',`
@@ -1121,7 +1121,7 @@ template(`userdom_exec_user_home_files',`
## is the prefix for user_t).
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
template(`userdom_manage_user_home_subdir_files',`
@@ -1155,7 +1155,7 @@ template(`userdom_manage_user_home_subdir_files',`
## is the prefix for user_t).
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
template(`userdom_manage_user_home_subdir_symlinks',`
@@ -1189,7 +1189,7 @@ template(`userdom_manage_user_home_subdir_symlinks',`
## is the prefix for user_t).
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
template(`userdom_manage_user_home_subdir_pipes',`
@@ -1223,7 +1223,7 @@ template(`userdom_manage_user_home_subdir_pipes',`
## is the prefix for user_t).
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
template(`userdom_manage_user_home_subdir_sockets',`
@@ -1256,7 +1256,7 @@ template(`userdom_manage_user_home_subdir_sockets',`
## is the prefix for user_t).
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
## The class of the object to be created. If not
@@ -1299,7 +1299,7 @@ template(`userdom_create_user_home',`
## is the prefix for user_t).
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
template(`userdom_manage_user_tmp_dirs',`
@@ -1331,7 +1331,7 @@ template(`userdom_manage_user_tmp_dirs',`
## is the prefix for user_t).
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
template(`userdom_manage_user_tmp_files',`
@@ -1364,7 +1364,7 @@ template(`userdom_manage_user_tmp_files',`
## is the prefix for user_t).
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
template(`userdom_manage_user_tmp_symlinks',`
@@ -1397,7 +1397,7 @@ template(`userdom_manage_user_tmp_symlinks',`
## is the prefix for user_t).
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
template(`userdom_manage_user_tmp_pipes',`
@@ -1430,7 +1430,7 @@ template(`userdom_manage_user_tmp_pipes',`
## is the prefix for user_t).
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
template(`userdom_manage_user_tmp_sockets',`
@@ -1461,7 +1461,7 @@ template(`userdom_manage_user_tmp_sockets',`
## is the prefix for user_t).
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
template(`userdom_use_user_terminals',`
@@ -1486,7 +1486,7 @@ template(`userdom_use_user_terminals',`
## caller to use setexeccon().
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_spec_domtrans_all_users',`
@@ -1504,7 +1504,7 @@ interface(`userdom_spec_domtrans_all_users',`
## caller to use setexeccon().
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_spec_domtrans_unpriv_users',`
@@ -1520,7 +1520,7 @@ interface(`userdom_spec_domtrans_unpriv_users',`
## Execute a shell in the sysadm domain.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_shell_domtrans_sysadm',`
@@ -1580,7 +1580,7 @@ interface(`userdom_dontaudit_search_staff_home_dir',`
## Read files in the staff users home directory.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_read_staff_home_files',`
@@ -1598,7 +1598,7 @@ interface(`userdom_read_staff_home_files',`
## Send a SIGCHLD signal to sysadm users.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_sigchld_sysadm',`
@@ -1615,10 +1615,31 @@ interface(`userdom_sigchld_sysadm',`
########################################
##
+## Do not audit attepts to get the attributes
+## of sysadm ttys.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`userdom_dontaudit_getattr_sysadm_tty',`
+ ifdef(`targeted_policy',`
+ term_dontaudit_getattr_unallocated_ttys($1)
+ ',`
+ gen_require(`
+ type sysadm_tty_device_t;
+ ')
+
+ dontaudit $1 sysadm_tty_device_t:chr_file getattr;
+ ')
+')
+
+########################################
+##
## Read and write sysadm ttys.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_use_sysadm_tty',`
@@ -1660,7 +1681,7 @@ interface(`userdom_dontaudit_use_sysadm_tty',`
## Read and write sysadm ptys.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_use_sysadm_pty',`
@@ -1702,7 +1723,7 @@ interface(`userdom_dontaudit_use_sysadm_pty',`
## Read and write sysadm ttys and ptys.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_use_sysadm_terms',`
@@ -1735,7 +1756,7 @@ interface(`userdom_dontaudit_use_sysadm_terms',`
## Inherit and use sysadm file descriptors
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_use_sysadm_fd',`
@@ -1756,7 +1777,7 @@ interface(`userdom_use_sysadm_fd',`
## Read and write sysadm user unnamed pipes.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_rw_sysadm_pipe',`
@@ -1842,6 +1863,22 @@ interface(`userdom_dontaudit_search_sysadm_home_dir',`
########################################
##
+## List the sysadm users home directory.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`userdom_list_sysadm_home_dir',`
+ gen_require(`
+ type sysadm_home_dir_t;
+ ')
+
+ allow $1 sysadm_home_dir_t:dir list_dir_perms;
+')
+
+########################################
+##
## Do not audit attempts to list the sysadm
## users home directory.
##
@@ -1854,7 +1891,7 @@ interface(`userdom_dontaudit_list_sysadm_home_dir',`
type sysadm_home_dir_t;
')
- dontaudit $1 sysadm_home_dir_t:dir r_dir_perms;
+ dontaudit $1 sysadm_home_dir_t:dir list_dir_perms;
')
########################################
@@ -1913,7 +1950,7 @@ interface(`userdom_search_sysadm_home_subdirs',`
## Read files in the sysadm users home directory.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_read_sysadm_home_files',`
@@ -1931,7 +1968,7 @@ interface(`userdom_read_sysadm_home_files',`
## Search all users home directories.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_search_all_users_home',`
@@ -1964,7 +2001,7 @@ interface(`userdom_dontaudit_search_all_users_home',`
## Read all files in all users home directories.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_read_all_user_files',`
@@ -1983,7 +2020,7 @@ interface(`userdom_read_all_user_files',`
## in all users home directories.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_manage_all_user_dirs',`
@@ -2001,7 +2038,7 @@ interface(`userdom_manage_all_user_dirs',`
## in all users home directories.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_manage_all_user_files',`
@@ -2020,7 +2057,7 @@ interface(`userdom_manage_all_user_files',`
## in all users home directories.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_manage_all_user_symlinks',`
@@ -2048,7 +2085,7 @@ interface(`userdom_manage_all_user_symlinks',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_priveleged_home_dir_manager',`
@@ -2065,7 +2102,7 @@ interface(`userdom_priveleged_home_dir_manager',`
## Send general signals to unprivileged user domains.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_signal_unpriv_users',`
@@ -2081,7 +2118,7 @@ interface(`userdom_signal_unpriv_users',`
## Inherit the file descriptors from unprivileged user domains.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_use_unpriv_users_fd',`
@@ -2098,7 +2135,7 @@ interface(`userdom_use_unpriv_users_fd',`
## file descriptors from all user domains.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_dontaudit_use_unpriv_user_fd',`
@@ -2328,18 +2365,38 @@ interface(`userdom_read_unpriv_user_home_files',`
########################################
##
-## Read all unprivileged users temporary directories.
+## Set the attributes of user ptys.
##
##
## Domain allowed access.
##
#
-interface(`userdom_list_unpriv_user_tmp',`
+interface(`userdom_setattr_unpriv_user_pty',`
gen_require(`
- attribute user_tmpfile;
+ attribute user_ptynode;
')
- allow $1 user_tmpfile:dir list_dir_perms;
+ allow $1 user_ptynode:chr_file setattr;
+')
+
+########################################
+##
+## Read all unprivileged users temporary directories.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`userdom_list_unpriv_user_tmp',`
+ ifdef(`targeted_policy',`
+ files_list_tmp($1)
+ ',`
+ gen_require(`
+ attribute user_tmpfile;
+ ')
+
+ allow $1 user_tmpfile:dir list_dir_perms;
+ ')
')
########################################
@@ -2351,11 +2408,15 @@ interface(`userdom_list_unpriv_user_tmp',`
##
#
interface(`userdom_read_unpriv_user_tmp_files',`
- gen_require(`
- attribute user_tmpfile;
- ')
+ ifdef(`targeted_policy',`
+ files_read_generic_tmp_files($1)
+ ',`
+ gen_require(`
+ attribute user_tmpfile;
+ ')
- allow $1 user_tmpfile:file { read getattr };
+ allow $1 user_tmpfile:file { read getattr };
+ ')
')
########################################
@@ -2367,11 +2428,15 @@ interface(`userdom_read_unpriv_user_tmp_files',`
##
#
interface(`userdom_read_unpriv_user_tmp_symlinks',`
- gen_require(`
- attribute user_tmpfile;
- ')
+ ifdef(`targeted_policy',`
+ files_read_generic_tmp_symlinks($1)
+ ',`
+ gen_require(`
+ attribute user_tmpfile;
+ ')
- allow $1 user_tmpfile:lnk_file { getattr read };
+ allow $1 user_tmpfile:lnk_file { getattr read };
+ ')
')
########################################
@@ -2379,7 +2444,7 @@ interface(`userdom_read_unpriv_user_tmp_symlinks',`
## Write all unprivileged users files in /tmp
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_write_unpriv_user_tmp',`
@@ -2396,7 +2461,7 @@ interface(`userdom_write_unpriv_user_tmp',`
## user ttys.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_dontaudit_use_unpriv_user_tty',`
@@ -2412,7 +2477,7 @@ interface(`userdom_dontaudit_use_unpriv_user_tty',`
## Inherit the file descriptors from all user domains
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_use_all_user_fd',`
@@ -2445,7 +2510,7 @@ interface(`userdom_dontaudit_use_all_user_fd',`
## Send general signals to all user domains.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
#
interface(`userdom_signal_all_users',`