diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index b04973a..c2b4898 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -8,6 +8,7 @@
* Added policies:
acct
mysql
+ su
tmpreaper
updfstab
diff --git a/refpolicy/policy/modules.conf.targeted_example b/refpolicy/policy/modules.conf.targeted_example
index 488d6f8..c0fbd0a 100644
--- a/refpolicy/policy/modules.conf.targeted_example
+++ b/refpolicy/policy/modules.conf.targeted_example
@@ -60,6 +60,34 @@ files = base
domain = base
# Layer: admin
+# Module: usermanage
+#
+# Policy for managing user accounts.
+#
+usermanage = base
+
+# Layer: admin
+# Module: rpm
+#
+# Policy for the RPM package manager.
+#
+rpm = off
+
+# Layer: admin
+# Module: dmesg
+#
+# Policy for dmesg.
+#
+dmesg = base
+
+# Layer: admin
+# Module: logrotate
+#
+# Rotate and archive system logs
+#
+logrotate = off
+
+# Layer: admin
# Module: consoletype
#
# Determine of the console connected to the controlling terminal.
@@ -74,32 +102,32 @@ consoletype = base
netutils = base
# Layer: admin
-# Module: usermanage
+# Module: acct
#
-# Policy for managing user accounts.
+# Berkeley process accounting
#
-usermanage = base
+acct = base
# Layer: admin
-# Module: rpm
+# Module: tmpreaper
#
-# Policy for the RPM package manager.
+# Manage temporary directory sizes and file ages
#
-rpm = off
+tmpreaper = base
# Layer: admin
-# Module: dmesg
+# Module: updfstab
#
-# Policy for dmesg.
+# Red Hat utility to change /etc/fstab.
#
-dmesg = base
+updfstab = base
# Layer: admin
-# Module: logrotate
+# Module: su
#
-# Rotate and archive system logs
+# Run shells with substitute user and group
#
-logrotate = off
+su = off
# Layer: apps
# Module: gpg
@@ -137,25 +165,25 @@ storage = base
terminal = base
# Layer: services
-# Module: cron
+# Module: remotelogin
#
-# Periodic execution of scheduled commands.
+# Policy for rshd, rlogind, and telnetd.
#
-cron = base
+remotelogin = base
# Layer: services
-# Module: ssh
+# Module: nscd
#
-# Secure shell client and server policy.
+# Name service cache daemon
#
-ssh = off
+nscd = base
# Layer: services
-# Module: remotelogin
+# Module: nis
#
-# Policy for rshd, rlogind, and telnetd.
+# Policy for NIS (YP) servers and clients
#
-remotelogin = base
+nis = base
# Layer: services
# Module: sendmail
@@ -165,18 +193,18 @@ remotelogin = base
sendmail = off
# Layer: services
-# Module: mta
+# Module: ssh
#
-# Policy common to all email tranfer agents.
+# Secure shell client and server policy.
#
-mta = base
+ssh = off
# Layer: services
-# Module: nis
+# Module: cron
#
-# Policy for NIS (YP) servers and clients
+# Periodic execution of scheduled commands.
#
-nis = base
+cron = base
# Layer: services
# Module: inetd
@@ -193,11 +221,32 @@ inetd = base
kerberos = base
# Layer: services
-# Module: nscd
+# Module: mta
#
-# Name service cache daemon
+# Policy common to all email tranfer agents.
#
-nscd = base
+mta = base
+
+# Layer: services
+# Module: mysql
+#
+# Policy for MySQL
+#
+mysql = base
+
+# Layer: system
+# Module: unconfined
+#
+# The unconfined domain.
+#
+unconfined = base
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+#
+authlogin = base
# Layer: system
# Module: selinuxutil
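Review bot: The relocated description line `# Policy common to all email tranfer agents.` keeps the old misspelling; since the line is being rewritten in this hunk anyway, make it `# Policy common to all email transfer agents.`. Nothing else in this hunk changes a module's on/off value, so there is no other point to raise here.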
@@ -221,11 +270,11 @@ getty = base
mount = base
# Layer: system
-# Module: logging
+# Module: ipsec
#
-# Policy for the kernel message logger and system logging daemon.
+# TCP/IP encryption
#
-logging = base
+ipsec = base
# Layer: system
# Module: locallogin
@@ -235,6 +284,13 @@ logging = base
locallogin = base
# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+#
+logging = base
+
+# Layer: system
# Module: sysnetwork
#
# Policy for network configuration: ifconfig and dhcp client.
@@ -242,6 +298,20 @@ locallogin = base
sysnetwork = base
# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+#
+fstools = base
+
+# Layer: system
+# Module: pcmcia
+#
+# PCMCIA card management services
+#
+pcmcia = base
+
+# Layer: system
# Module: iptables
#
# Policy for iptables.
@@ -256,13 +326,6 @@ iptables = base
userdomain = base
# Layer: system
-# Module: clock
-#
-# Policy for reading and setting the hardware clock.
-#
-clock = base
-
-# Layer: system
# Module: corecommands
#
# Core policy for shells, and generic programs
@@ -279,6 +342,13 @@ corecommands = base
hotplug = base
# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+#
+clock = base
+
+# Layer: system
# Module: lvm
#
# Policy for logical volume management programs.
@@ -293,18 +363,18 @@ lvm = base
modutils = base
# Layer: system
-# Module: udev
+# Module: init
#
-# Policy for udev.
+# System initialization programs (init and init scripts).
#
-udev = base
+init = base
# Layer: system
-# Module: init
+# Module: udev
#
-# System initialization programs (init and init scripts).
+# Policy for udev.
#
-init = base
+udev = base
# Layer: system
# Module: hostname
@@ -314,11 +384,11 @@ init = base
hostname = base
# Layer: system
-# Module: authlogin
+# Module: raid
#
-# Common policy for authentication and user login.
+# RAID array management tools
#
-authlogin = base
+raid = base
# Layer: system
# Module: libraries
@@ -328,44 +398,9 @@ authlogin = base
libraries = base
# Layer: system
-# Module: ipsec
-#
-# TCP/IP encryption
-#
-ipsec = base
-
-# Layer: system
-# Module: unconfined
-#
-# The unconfined domain.
-#
-unconfined = base
-
-# Layer: system
# Module: miscfiles
#
# Miscelaneous files.
#
miscfiles = base
-# Layer: system
-# Module: fstools
-#
-# Tools for filesystem management, such as mkfs and fsck.
-#
-fstools = base
-
-# Layer: system
-# Module: pcmcia
-#
-# PCMCIA card management services
-#
-pcmcia = base
-
-# Layer: system
-# Module: raid
-#
-# RAID array management tools
-#
-raid = base
-
diff --git a/refpolicy/policy/modules/admin/su.fc b/refpolicy/policy/modules/admin/su.fc
new file mode 100644
index 0000000..ed98aba
--- /dev/null
+++ b/refpolicy/policy/modules/admin/su.fc
@@ -0,0 +1,2 @@
+
+/bin/su -- context_template(system_u:object_r:su_exec_t,s0)
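Review bot: The new file context file opens with an empty line before its only entry `/bin/su -- context_template(system_u:object_r:su_exec_t,s0)`; drop the leading blank so the file begins with the spec, and the same stray blank is at the top of su.te. A one-line comment noting that only `/bin/su` is labelled `su_exec_t` would also help, since a su binary installed under any other path keeps its default label and would never enter the `$1_su_t` domain defined in su.if — where su is installed on the target distributions is not visible here, so worth confirming.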
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
new file mode 100644
index 0000000..6dc5216
--- /dev/null
+++ b/refpolicy/policy/modules/admin/su.if
@@ -0,0 +1,149 @@
+## Run shells with substitute user and group
+
+template(`su_per_userdomain_template',`
+
+ type $1_su_t;
+ domain_entry_file($1_su_t,su_exec_t)
+ domain_type($1_su_t)
+ domain_role_change_exempt($1_su_t)
+ domain_subj_id_change_exempt($1_su_t)
+ domain_obj_id_change_exempt($1_su_t)
+ domain_wide_inherit_fd($1_su_t)
+ role $1_r types $1_su_t;
+
+ allow $1_t $1_su_t:process signal;
+
+ allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+ dontaudit $1_su_t self:capability sys_tty_config;
+ allow $1_su_t self:process { setexec setsched setrlimit };
+ allow $1_su_t self:fifo_file rw_file_perms;
+
+ # Transition from the user domain to this domain.
+ domain_auto_trans($1_t, su_exec_t, $1_su_t)
+ allow $1_t $1_su_t:fd use;
+ allow $1_su_t $1_t:fd use;
+ allow $1_su_t $1_t:fifo_file rw_file_perms;
+ allow $1_su_t $1_t:process sigchld;
+
+ # By default, revert to the calling domain when a shell is executed.
+ corecmd_shell_domtrans($1_su_t,$1_t)
+ allow $1_t $1_su_t:fd use;
+ allow $1_su_t $1_t:fd use;
+ allow $1_su_t $1_t:fifo_file rw_file_perms;
+ allow $1_su_t $1_t:process sigchld;
+
+ kernel_read_system_state($1_su_t)
+ kernel_read_kernel_sysctl($1_su_t)
+
+ # for SSP
+ dev_read_urand($1_su_t)
+
+ fs_search_auto_mountpoints($1_su_t)
+
+ selinux_get_fs_mount($1_su_t)
+ selinux_validate_context($1_su_t)
+ selinux_compute_access_vector($1_su_t)
+ selinux_compute_create_context($1_su_t)
+ selinux_compute_relabel_context($1_su_t)
+ selinux_compute_user_contexts($1_su_t)
+
+ # Relabel ttys and ptys.
+ term_relabel_all_user_ttys($1_su_t)
+ term_relabel_all_user_ptys($1_su_t)
+ # Close and re-open ttys and ptys to get the fd into the correct domain.
+ term_use_all_user_ttys($1_su_t)
+ term_use_all_user_ptys($1_su_t)
+
+ auth_dontaudit_read_shadow($1_su_t)
+
+ domain_wide_inherit_fd($1_su_t)
+
+ files_read_etc_files($1_su_t)
+ files_search_var_lib($1_su_t)
+
+ init_dontaudit_use_fd($1_su_t)
+ # Write to utmp.
+ init_rw_script_pid($1_su_t)
+
+ libs_use_ld_so($1_su_t)
+ libs_use_shared_libs($1_su_t)
+
+ logging_send_syslog_msg($1_su_t)
+
+ miscfiles_read_localization($1_su_t)
+
+ seutil_read_config($1_su_t)
+ seutil_read_default_contexts($1_su_t)
+
+ if(secure_mode)
+ {
+ # Only allow transitions to unprivileged user domains.
+ userdom_spec_domtrans_unpriv_users($1_su_t)
+ } else {
+ # Allow transitions to all user domains
+ userdom_spec_domtrans_all_users($1_su_t)
+ }
+
+ if (use_nfs_home_dirs) {
+ fs_search_nfs($1_su_t)
+ }
+
+ if (use_samba_home_dirs) {
+ fs_search_cifs($1_su_t)
+ }
+
+ optional_policy(`crond.te',`
+ cron_read_pipe($1_su_t)
+ ')
+
+ optional_policy(`kerberos.te',`
+ kerberos_use($1_su_t)
+ ')
+
+ optional_policy(`nis.te',`
+ nis_use_ypbind($1_su_t)
+ ')
+
+ optional_policy(`nscd.te',`
+ nscd_use_socket($1_su_t)
+ ')
+
+ ifdef(`TODO',`
+ domain_auto_trans($1_su_t, chkpwd_exec_t, $1_chkpwd_t)
+
+ # Caused by su - init scripts
+ dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
+
+ # Inherit and use descriptors from gnome-pty-helper.
+ ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;')
+
+ # Write to the user domain tty.
+ access_terminal($1_su_t, $1)
+
+ allow $1_su_t { home_root_t $1_home_dir_t }:dir search;
+ allow $1_su_t $1_home_t:file create_file_perms;
+
+ ifdef(`user_canbe_sysadm', `
+ allow $1_su_t home_dir_type:dir { search write };
+ ', `
+ dontaudit $1_su_t home_dir_type:dir { search write };
+ ')
+
+ # Modify .Xauthority file (via xauth program).
+ ifdef(`xauth.te', `
+ file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
+ file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
+ file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
+ domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t)
+ ')
+
+ ifdef(`cyrus.te', `
+ allow $1_su_t cyrus_var_lib_t:dir search;
+ ')
+ ifdef(`ssh.te', `
+ # Access sshd cookie files.
+ allow $1_su_t sshd_tmp_t:file rw_file_perms;
+ file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t)
+ ')
+ ') dnl end TODO
+')
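Review bot: The four rules under the `corecmd_shell_domtrans($1_su_t,$1_t)` block, `allow $1_t $1_su_t:fd use;` through `allow $1_su_t $1_t:process sigchld;`, repeat the four rules already granted just above under `domain_auto_trans($1_t, su_exec_t, $1_su_t)`, and `domain_wide_inherit_fd($1_su_t)` is invoked both near the top of the template and again after `auth_dontaudit_read_shadow($1_su_t)`; the second copies should be deleted so the grant reads as the minimal set it is. The template carries no `##` documentation header of the kind the filesystem.if interfaces in this same commit have; add a header summarising the template and naming `$1` as the user domain prefix that `$1_t`, `$1_r` and `$1_su_t` are derived from. The capability set `{ setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }` is broad for su, and a why-comment naming which of these su actually needs (or dropping the ones it does not) would keep the domain closer to least privilege — I cannot tell from here which are required. The `optional_policy(`crond.te',` guard names a file while the modules.conf hunk in this commit lists the module as `cron`; if the module file is cron.te that block never applies, so the name is worth confirming. The `if(secure_mode)` block also puts its brace on the next line unlike `if (use_nfs_home_dirs) {` below it; match the latter form.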
diff --git a/refpolicy/policy/modules/admin/su.te b/refpolicy/policy/modules/admin/su.te
new file mode 100644
index 0000000..e01bee1
--- /dev/null
+++ b/refpolicy/policy/modules/admin/su.te
@@ -0,0 +1,12 @@
+
+policy_module(su,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type su_exec_t;
+files_type(su_exec_t)
+
+# Remaining policy in the per-user domain template
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 825818c..09e1c6b 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -403,6 +403,23 @@ interface(`fs_getattr_cifs',`
########################################
##
+## Search directories on a CIFS or SMB filesystem.
+##
+##
+## The type of the domain reading the files.
+##
+#
+interface(`fs_search_cifs',`
+ gen_require(`
+ type cifs_t;
+ class dir search;
+ ')
+
+ allow $1 cifs_t:dir search;
+')
+
+########################################
+##
## Read files on a CIFS or SMB filesystem.
##
##
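Review bot: The parameter description `## The type of the domain reading the files.` was carried over from the read interfaces, but `fs_search_cifs` grants only `dir search` on `cifs_t`; change it to `## The type of the domain searching the directories.` so the documented privilege matches what is allowed. The same copied line appears in the `fs_search_nfs` hunk below and should get the same fix.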
@@ -873,6 +890,23 @@ interface(`fs_getattr_nfs',`
########################################
##
+## Search directories on a NFS filesystem.
+##
+##
+## The type of the domain reading the files.
+##
+#
+interface(`fs_search_nfs',`
+ gen_require(`
+ type nfs_t;
+ class dir search;
+ ')
+
+ allow $1 nfs_t:dir search;
+')
+
+########################################
+##
## Read files on a NFS filesystem.
##
##