diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 2c80653..fb54e81 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -5,9 +5,11 @@
 - Added policies:
 	ktalk
 	portmap
+	postgresql
 	samba
 	snmp
 	tftp
+	vpn
 	zebra
 
 * Wed Sep 07 2005 Chris PeBenito <selinux@tresys.com> - 20050907
diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index 1bed344..b8a1b9e 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -46,6 +46,11 @@ gen_tunable(named_write_master_zones,false)
 ## Allow reading of default_t files.
 gen_tunable(read_default_t,false)
 
+## Allow applications to read untrusted content
+## If this is disallowed, Internet content has
+## to be manually relabeled for read access to be granted
+gen_tunable(read_untrusted_content,false)
+
 ## Allow ssh to run from inetd instead of as a daemon.
 gen_tunable(run_ssh_inetd,false)
 
@@ -97,3 +102,8 @@ gen_tunable(user_tcp_server,false)
 
 ## Allow w to display everyone
 gen_tunable(user_ttyfile_stat,false)
+
+## Allow applications to write untrusted content
+## If this is disallowed, no Internet content
+## will be stored.
+gen_tunable(write_untrusted_content,false)
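Review bot: Neither `write_untrusted_content` nor `read_untrusted_content` (added in the previous hunk of this file) is consulted by any tunable_policy block elsewhere in this diff, so as far as the patch shows both tunables are declared without a consumer. If the policy that uses them lands separately, the commit description should say so; otherwise the declarations are dead. The descriptions could also state which label "untrusted content" refers to, so an administrator knows which files the toggles affect.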
diff --git a/refpolicy/policy/modules/admin/vpn.fc b/refpolicy/policy/modules/admin/vpn.fc
new file mode 100644
index 0000000..b529d6c
--- /dev/null
+++ b/refpolicy/policy/modules/admin/vpn.fc
@@ -0,0 +1,9 @@
+#
+# /usr
+#
+/usr/sbin/vpnc		--	context_template(system_u:object_r:vpnc_exec_t,s0)
+
+#
+# sbin
+#
+/sbin/vpnc		--	context_template(system_u:object_r:vpnc_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/vpn.if b/refpolicy/policy/modules/admin/vpn.if
new file mode 100644
index 0000000..6d6a3e3
--- /dev/null
+++ b/refpolicy/policy/modules/admin/vpn.if
@@ -0,0 +1,51 @@
+## <summary>Virtual Private Networking client</summary>
+
+########################################
+## <summary>
+##	Execute VPN clients in the vpnc domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`vpn_domtrans',`
+	gen_require(`
+		type vpnc_t, vpnc_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	domain_auto_trans($1,vpnc_exec_t,vpnc_t)
+
+	allow $1 vpnc_t:fd use;
+	allow vpnc_t $1:fd use;
+	allow vpnc_t $1:fifo_file rw_file_perms;
+	allow vpnc_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute VPN clients in the vpnc domain, and
+##	allow the specified role the vpnc domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the vpnc domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the vpnc domain to use.
+## </param>
+#
+interface(`vpn_run',`
+	gen_require(`
+		type vpnc_t;
+		class chr_file rw_term_perms;
+	')
+
+	vpn_domtrans($1)
+	role $2 types vpnc_t;
+	allow vpnc_t $3:chr_file rw_term_perms;
+')
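Review bot: vpn_domtrans and vpn_run still list object classes in gen_require (`class process sigchld;`, `class fd use;`, `class fifo_file rw_file_perms;`, `class chr_file rw_term_perms;`) while this same commit removes exactly that kind of line from fs_read_cifs_files, fs_dontaudit_rw_cifs_files, fs_manage_cifs_dirs and fs_dontaudit_rw_nfs_files; the new fs_search_all in filesystem.if carries a `class dir { getattr search };` require too. If class requires are being retired, the new interfaces should require only the types they reference. The `terminal` parameter text `The type of the terminal allow the vpnc domain to use.` reads awkwardly; `The type of the terminal the vpnc domain is allowed to use.` is clearer.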
diff --git a/refpolicy/policy/modules/admin/vpn.te b/refpolicy/policy/modules/admin/vpn.te
new file mode 100644
index 0000000..0eba8d1
--- /dev/null
+++ b/refpolicy/policy/modules/admin/vpn.te
@@ -0,0 +1,114 @@
+
+policy_module(vpnc,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type vpnc_t;
+domain_type(vpnc_t)
+
+type vpnc_exec_t;
+domain_entry_file(vpnc_t,vpnc_exec_t)
+
+type vpnc_tmp_t;
+files_tmp_file(vpnc_tmp_t)
+
+type vpnc_var_run_t;
+files_pid_file(vpnc_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow vpnc_t self:capability { net_admin ipc_lock net_raw };
+allow vpnc_t self:fifo_file { getattr ioctl read write };
+allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
+allow vpnc_t self:tcp_socket create_stream_socket_perms;
+allow vpnc_t self:udp_socket create_socket_perms;
+allow vpnc_t self:rawip_socket create_socket_perms;
+allow vpnc_t self:unix_dgram_socket create_socket_perms;
+allow vpnc_t self:unix_stream_socket create_socket_perms;
+# cjp: this needs to be fixed
+allow vpnc_t self:socket create_socket_perms;
+
+allow vpnc_t vpnc_tmp_t:dir create_dir_perms;
+allow vpnc_t vpnc_tmp_t:file create_file_perms;
+files_create_tmp_files(vpnc_t, vpnc_tmp_t, { file dir })
+
+allow vpnc_t vpnc_var_run_t:file create_file_perms;
+allow vpnc_t vpnc_var_run_t:dir rw_dir_perms;
+files_create_pid(vpnc_t,vpnc_var_run_t)
+
+kernel_read_system_state(vpnc_t)
+kernel_read_network_state(vpnc_t)
+kernel_read_kernel_sysctl(vpnc_t)
+kernel_rw_net_sysctl(vpnc_t)
+
+corenet_tcp_sendrecv_all_if(vpnc_t)
+corenet_udp_sendrecv_all_if(vpnc_t)
+corenet_raw_sendrecv_all_if(vpnc_t)
+corenet_tcp_sendrecv_all_nodes(vpnc_t)
+corenet_udp_sendrecv_all_nodes(vpnc_t)
+corenet_raw_sendrecv_all_nodes(vpnc_t)
+corenet_tcp_sendrecv_all_ports(vpnc_t)
+corenet_udp_sendrecv_all_ports(vpnc_t)
+corenet_tcp_bind_all_nodes(vpnc_t)
+corenet_udp_bind_all_nodes(vpnc_t)
+corenet_udp_bind_generic_port(vpnc_t)
+corenet_udp_bind_isakmp_port(vpnc_t)
+corenet_tcp_connect_all_ports(vpnc_t)
+corenet_use_tun_tap_device(vpnc_t)
+
+dev_read_rand(vpnc_t)
+dev_read_urand(vpnc_t)
+dev_read_sysfs(vpnc_t)
+
+fs_getattr_xattr_fs(vpnc_t)
+
+term_use_all_user_ptys(vpnc_t)
+term_use_all_user_ttys(vpnc_t)
+
+corecmd_exec_bin(vpnc_t)
+corecmd_exec_sbin(vpnc_t)
+corecmd_exec_shell(vpnc_t)
+
+domain_exec_all_entry_files(vpnc_t)
+
+files_exec_etc_files(vpnc_t)
+files_read_etc_runtime_files(vpnc_t)
+files_read_etc_files(vpnc_t)
+files_dontaudit_search_home(vpnc_t)
+
+libs_exec_ld_so(vpnc_t)
+libs_exec_lib_files(vpnc_t)
+libs_use_ld_so(vpnc_t)
+libs_use_shared_libs(vpnc_t)
+
+miscfiles_read_localization(vpnc_t)
+
+seutil_dontaudit_search_config(vpnc_t)
+
+sysnet_exec_ifconfig(vpnc_t)
+sysnet_create_config(vpnc_t)
+sysnet_manage_config(vpnc_t)
+
+userdom_use_all_user_fd(vpnc_t)
+
+optional_policy(`mount.te',`
+        mount_send_nfs_client_request(vpnc_t)
+')
+
+optional_policy(`nis.te',`
+        nis_use_ypbind(vpnc_t)
+')
+
+optional_policy(`nscd.te',`
+	nscd_use_socket(vpnc_t)
+')
+
+ifdef(`TODO',`
+dontaudit vpnc_t user_home_dir_type:dir search;
+')
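Review bot: `allow vpnc_t self:socket create_socket_perms;` grants the generic socket class, which stands in for any socket family without a class of its own, and the accompanying `# cjp: this needs to be fixed` does not record which family vpnc actually opens; noting the family seen in the denial would let the rule be narrowed to a specific class later. `domain_exec_all_entry_files(vpnc_t)` likewise lets the client execute every domain entry point without a transition and deserves a comment naming the program that needs it. The closing `ifdef(`TODO'` block's `dontaudit vpnc_t user_home_dir_type:dir search;` appears to overlap with the `files_dontaudit_search_home(vpnc_t)` call already present, so it can likely be dropped rather than carried forward. The mount.te and nis.te optional_policy bodies are indented with spaces whereas the nscd.te one uses a tab like the rest of the file.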
diff --git a/refpolicy/policy/modules/apps/gpg.te b/refpolicy/policy/modules/apps/gpg.te
index 1097ac2..c9bf387 100644
--- a/refpolicy/policy/modules/apps/gpg.te
+++ b/refpolicy/policy/modules/apps/gpg.te
@@ -20,5 +20,7 @@ files_type(gpg_agent_exec_t)
 type pinentry_exec_t;
 files_type(pinentry_exec_t)
 
-#allow sysadm_gpg_t { home_root_t user_home_dir_t }:dir search;
-#allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
+ifdef(`TODO',`
+allow sysadm_gpg_t { home_root_t user_home_dir_type }:dir search;
+allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
+')
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index e987e51..d174806 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -474,6 +474,23 @@ interface(`fs_list_cifs',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to list the contents
+##	of directories on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`fs_dontaudit_list_cifs',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	dontaudit $1 cifs_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Read files on a CIFS or SMB filesystem.
 ## </summary>
 ## <param name="domain">
@@ -483,8 +500,6 @@ interface(`fs_list_cifs',`
 interface(`fs_read_cifs_files',`
 	gen_require(`
 		type cifs_t;
-		class dir r_dir_perms;
-		class file r_file_perms;
 	')
 
 	allow $1 cifs_t:dir r_dir_perms;
@@ -493,6 +508,23 @@ interface(`fs_read_cifs_files',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to read
+##	files on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+##	The type of the domain to not audit.
+## </param>
+#
+interface(`fs_dontaudit_read_cifs_files',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	dontaudit $1 cifs_t:file r_file_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read or
 ##	write files on a CIFS or SMB filesystem.
 ## </summary>
@@ -503,7 +535,6 @@ interface(`fs_read_cifs_files',`
 interface(`fs_dontaudit_rw_cifs_files',`
 	gen_require(`
 		type cifs_t;
-		class file { read write };
 	')
 
 	dontaudit $1 cifs_t:file { read write };
@@ -578,10 +609,27 @@ interface(`fs_read_cifs_files',`
 interface(`fs_manage_cifs_dirs',`
 	gen_require(`
 		type cifs_t;
-		class dir create_dir_perms;
 	')
 
-	allow $1 cifs_t:dir create_file_perms;
+	allow $1 cifs_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to create, read,
+##	write, and delete directories
+##	on a CIFS or SMB network filesystem.
+## </summary>
+## <param name="domain">
+##	The type of the domain managing the directories.
+## </param>
+#
+interface(`fs_dontaudit_manage_cifs_dirs',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	dontaudit $1 cifs_t:dir create_dir_perms;
 ')
 
 ########################################
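Review bot: The new dontaudit interfaces describe their parameter three different ways: fs_dontaudit_manage_cifs_dirs says `The type of the domain managing the directories.` (wording that describes an allow, not a dontaudit), fs_dontaudit_read_cifs_files and fs_dontaudit_read_nfs_files say `The type of the domain to not audit.`, and the rest say `Domain to not audit.`. Suggest settling on `Domain to not audit.` for all of them. The `create_file_perms` to `create_dir_perms` correction in fs_manage_cifs_dirs changes what existing callers are granted and would be worth a line in the commit message.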
@@ -606,6 +654,24 @@ interface(`fs_manage_cifs_files',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to create, read,
+##	write, and delete files
+##	on a CIFS or SMB network filesystem.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`fs_dontaudit_manage_cifs_files',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	dontaudit $1 cifs_t:file create_file_perms;
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete symbolic links
 ##	on a CIFS or SMB network filesystem.
 ## </summary>
@@ -961,6 +1027,23 @@ interface(`fs_search_nfs',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to list the contents
+##	of directories on a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`fs_dontaudit_list_nfs',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	dontaudit $1 nfs_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Read files on a NFS filesystem.
 ## </summary>
 ## <param name="domain">
@@ -980,6 +1063,23 @@ interface(`fs_read_nfs_files',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to read
+##	files on a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	The type of the domain to not audit.
+## </param>
+#
+interface(`fs_dontaudit_read_nfs_files',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	dontaudit $1 nfs_t:file r_file_perms;
+')
+
+########################################
+## <summary>
 ##	Execute files on a NFS filesystem.
 ## </summary>
 ## <param name="domain">
@@ -1008,7 +1108,6 @@ interface(`fs_execute_nfs_files',`
 interface(`fs_dontaudit_rw_nfs_files',`
 	gen_require(`
 		type nfs_t;
-		class file { read write };
 	')
 
 	dontaudit $1 nfs_t:file { read write };
@@ -1053,6 +1152,24 @@ interface(`fs_manage_nfs_dirs',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to create, read,
+##	write, and delete directories
+##	on a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`fs_dontaudit_manage_nfs_dirs',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	dontaudit $1 nfs_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete files
 ##	on a NFS filesystem.
 ## </summary>
@@ -1071,6 +1188,24 @@ interface(`fs_manage_nfs_files',`
 	allow $1 nfs_t:file create_file_perms;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to create,
+##	read, write, and delete files
+##	on a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`fs_dontaudit_manage_nfs_files',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	dontaudit $1 nfs_t:file create_file_perms;
+')
+
 #########################################
 ## <summary>
 ##	Create, read, write, and delete symbolic links
@@ -1986,6 +2121,23 @@ interface(`fs_relabelfrom_all_fs',`
 
 ########################################
 ## <summary>
+##	Search all directories with a filesystem type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_search_all',`
+	gen_require(`
+		attribute filesystem_type;
+		class dir { getattr search };
+	')
+
+	allow $1 filesystem_type:dir { getattr search };
+')
+
+########################################
+## <summary>
 ##	List all directories with a filesystem type.
 ## </summary>
 ## <param name="domain">
@@ -2001,7 +2153,6 @@ interface(`fs_list_all',`
 	allow $1 filesystem_type:dir r_dir_perms;
 ')
 
-
 ########################################
 #
 # fs_getattr_all_files(type)
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
index e6e9584..15082ed 100644
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@@ -44,9 +44,6 @@ type binfmt_misc_fs_t, filesystem_type;
 files_mountpoint(binfmt_misc_fs_t)
 genfscon binfmt_misc / context_template(system_u:object_r:binfmt_misc_fs_t,s0)
 
-type debugfs_t, filesystem_type;
-allow debugfs_t self:filesystem associate;
-
 type eventpollfs_t, filesystem_type;
 genfscon eventpollfs / context_template(system_u:object_r:eventpollfs_t,s0)
 
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 89f26ff..39193e7 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -345,6 +345,86 @@ interface(`kernel_get_sysvipc_info',`
 
 ########################################
 ## <summary>
+##	Get the attributes of a kernel debugging filesystem.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`kernel_getattr_debugfs',`
+	gen_require(`
+		type debugfs_t;
+	')
+
+	allow $1 debugfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+##	Mount a kernel debugging filesystem.
+## </summary>
+## <param name="domain">
+##	The type of the domain mounting the filesystem.
+## </param>
+#
+interface(`kernel_mount_debugfs',`
+	gen_require(`
+		type debugfs_t;
+	')
+
+	allow $1 debugfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+##	Unmount a kernel debugging filesystem.
+## </summary>
+## <param name="domain">
+##	The type of the domain unmounting the filesystem.
+## </param>
+#
+interface(`kernel_unmount_debugfs',`
+	gen_require(`
+		type debugfs_t;
+	')
+
+	allow $1 debugfs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+##	Remount a kernel debugging filesystem.
+## </summary>
+## <param name="domain">
+##	The type of the domain remounting the filesystem.
+## </param>
+#
+interface(`kernel_remount_debugfs',`
+	gen_require(`
+		type debugfs_t;
+	')
+
+	allow $1 debugfs_t:filesystem remount;
+')
+
+########################################
+## <summary>
+##	Search the contents of a kernel debugging filesystem.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`kernel_search_debugfs',`
+	gen_require(`
+		type debugfs_t;
+	')
+
+	allow $1 debugfs_t:dir search;
+')
+
+########################################
+## <summary>
 ##	Get the attributes of the proc filesystem.
 ## </summary>
 ## <param name="domain">
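Review bot: kernel_search_debugfs grants `dir search` only, whereas fs_search_all added in filesystem.if by this commit grants `{ getattr search }` on directories; if the two are meant to be parallel, `allow $1 debugfs_t:dir { getattr search };` keeps them consistent. Related, in the kernel.te hunk below the relocated debugfs_t gains a `genfscon debugfs /` line that the removed filesystem.te declaration did not have, so the move is also a functional change worth mentioning in the description. Its `filesystem_type` membership now presumably comes from `fs_type(debugfs_t)` instead of the explicit attribute in the old declaration; confirm that interface attaches it, since fs_getattr_all_fs/fs_search_all callers depend on it.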
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 78e4cfe..987a40a 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -31,6 +31,15 @@ domain_base_type(kernel_t)
 sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127, c0.c127)
 
 #
+# DebugFS
+#
+
+type debugfs_t;
+fs_type(debugfs_t)
+allow debugfs_t self:filesystem associate;
+genfscon debugfs / context_template(system_u:object_r:debugfs_t,s0)
+
+#
 # Procfs types
 #
 
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index d33b92d..c8f3573 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -152,6 +152,11 @@ optional_policy(`rpm.te',`
 	rpm_read_pipe(crond_t)
 ')
 
+optional_policy(`postgresql.te', `
+	# allow crond to find /usr/lib/postgresql/bin/do.maintenance
+	postgresql_search_db_dir(crond_t)
+')
+
 optional_policy(`udev.te', `
 	udev_read_db(crond_t)
 ')
diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te
index 0ceff77..5524cc8 100644
--- a/refpolicy/policy/modules/services/dbus.te
+++ b/refpolicy/policy/modules/services/dbus.te
@@ -1,6 +1,10 @@
 
 policy_module(dbus,1.0)
 
+gen_require(`
+	class dbus { send_msg acquire_svc };
+')
+
 ##############################
 #
 # Delcarations
@@ -29,8 +33,9 @@ files_pid_file(system_dbusd_var_run_t)
 allow system_dbusd_t self:capability { dac_override setgid setuid };
 dontaudit system_dbusd_t self:capability sys_tty_config;
 allow system_dbusd_t self:process getattr;
+allow system_dbusd_t self:fifo_file { read write };
 allow system_dbusd_t self:dbus { send_msg acquire_svc };
-allow system_dbusd_t self:unix_stream_socket create_stream_socket_perms;
+allow system_dbusd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
 # Receive notifications of policy reloads and enforcing status changes.
 allow system_dbusd_t self:netlink_selinux_socket { create bind read };
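Review bot: `corecmd_exec_sbin(system_dbusd_t)` in the next hunk lets the bus daemon run any sbin_t binary in its own domain with no transition, and unlike the `netlink_selinux_socket` rule just above it carries no comment saying which helper requires it; a one-line why-comment naming the activated service or helper path would make the grant reviewable. The `connectto` added to `self:unix_stream_socket` here has the same gap.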
@@ -75,6 +80,7 @@ corecmd_read_sbin_symlink(system_dbusd_t)
 corecmd_read_sbin_file(system_dbusd_t)
 corecmd_read_sbin_pipe(system_dbusd_t)
 corecmd_read_sbin_socket(system_dbusd_t)
+corecmd_exec_sbin(system_dbusd_t)
 
 domain_use_wide_inherit_fd(system_dbusd_t)
 
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 8963214..8b9f2d9 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -16,6 +16,11 @@ files_tmp_file(hald_tmp_t)
 type hald_var_run_t;
 files_pid_file(hald_var_run_t)
 
+########################################
+#
+# Local policy
+#
+
 allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
 dontaudit hald_t self:capability sys_tty_config;
 allow hald_t self:fifo_file rw_file_perms;
@@ -46,15 +51,17 @@ corenet_tcp_sendrecv_all_ports(hald_t)
 corenet_tcp_bind_all_nodes(hald_t)
 
 dev_read_sysfs(hald_t)
-dev_read_usbfs(hald_t)
+dev_rw_usbfs(hald_t)
 dev_read_urand(hald_t)
 dev_read_input(hald_t)
 dev_read_mouse(hald_t)
 dev_rw_printer(hald_t)
+dev_read_lvm_control(hald_t)
 dev_getattr_all_chr_files(hald_t)
 dev_manage_generic_chr_file(hald_t)
 
 fs_getattr_all_fs(hald_t)
+fs_search_all(hald_t)
 fs_search_auto_mountpoints(hald_t)
 
 selinux_get_fs_mount(hald_t)
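Review bot: `fs_search_all(hald_t)` grants getattr and search on every directory of every `filesystem_type`, and `dev_read_usbfs` to `dev_rw_usbfs` widens usbfs from read to read/write; neither line says why. A short comment per rule naming the hald helper or device operation that needs it (the file already does this for the acpid socket in its last hunk) would let a later reader judge whether the broad grant is still needed.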
@@ -120,6 +127,10 @@ optional_policy(`hotplug.te',`
 	hotplug_read_config(hald_t)
 ')
 
+optional_policy(`mount.te',`
+	mount_domtrans(hald_t)
+')
+
 optional_policy(`nis.te',`
 	nis_use_ypbind(hald_t)
 ')
@@ -164,4 +175,18 @@ allow udev_t hald_t:unix_dgram_socket sendto;
 
 allow hald_t initrc_t:dbus send_msg;
 allow initrc_t hald_t:dbus send_msg;
+
+# For /usr/libexec/hald-addon-acpi - writes to /var/run/acpid.socket
+ifdef(`apmd.te', `
+allow hald_t apmd_var_run_t:sock_file write;
+allow hald_t apmd_t:unix_stream_socket connectto;
+')
+
+# For /usr/libexec/hald-probe-smbios
+domain_auto_trans(hald_t, dmidecode_exec_t, dmidecode_t)
+
+ifdef(`targeted_policy', `
+allow unconfined_t hald_t:dbus send_msg;
+allow hald_t unconfined_t:dbus send_msg;
+')
 ') dnl end TODO
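Review bot: `domain_auto_trans(hald_t, dmidecode_exec_t, dmidecode_t)` references another module's types directly rather than through an interface inside an `optional_policy` block, which is how the mount.te, nis.te and hotplug.te dependencies in this same file are expressed; likewise the apmd rules use `ifdef(`apmd.te'` instead of `optional_policy`. Since the hunk sits inside the block closed by `') dnl end TODO`, none of this is compiled yet, which is presumably why it is written in the old style, but it will need converting before the TODO guard is lifted.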
diff --git a/refpolicy/policy/modules/services/postgresql.fc b/refpolicy/policy/modules/services/postgresql.fc
new file mode 100644
index 0000000..d037cbb
--- /dev/null
+++ b/refpolicy/policy/modules/services/postgresql.fc
@@ -0,0 +1,36 @@
+#
+# /etc
+#
+/etc/postgresql(/.*)?			context_template(system_u:object_r:postgresql_etc_t,s0)
+
+#
+# /usr
+#
+/usr/bin/initdb			--	context_template(system_u:object_r:postgresql_exec_t,s0)
+/usr/bin/postgres		--	context_template(system_u:object_r:postgresql_exec_t,s0)
+
+/usr/lib/pgsql/test/regres(/.*)?	context_template(system_u:object_r:postgresql_db_t,s0)
+/usr/lib/pgsql/test/regress/pg_regress -- context_template(system_u:object_r:postgresql_exec_t,s0)
+
+/usr/lib(64)?/postgresql/bin/.* --	context_template(system_u:object_r:postgresql_exec_t,s0)
+
+ifdef(`distro_redhat', `
+/usr/share/jonas/pgsql(/.*)?		context_template(system_u:object_r:postgresql_db_t,s0)
+')
+
+#
+# /var
+#
+/var/lib/postgres(ql)?(/.*)? 		context_template(system_u:object_r:postgresql_db_t,s0)
+
+/var/lib/pgsql/data(/.*)?		context_template(system_u:object_r:postgresql_db_t,s0)
+/var/lib/pgsql/pgstartup.log		context_template(system_u:object_r:postgresql_log_t,s0)
+
+/var/log/postgres\.log.* 	--	context_template(system_u:object_r:postgresql_log_t,s0)
+/var/log/postgresql(/.*)?		context_template(system_u:object_r:postgresql_log_t,s0)
+
+ifdef(`distro_redhat', `
+/var/log/rhdb/rhdb(/.*)?		context_template(system_u:object_r:postgresql_log_t,s0)
+')
+
+/var/run/postgresql(/.*)?		context_template(system_u:object_r:postgresql_var_run_t,s0)
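Review bot: `/usr/lib/pgsql/test/regres(/.*)?` looks like a typo for `regress`: as written it matches only a path literally named `regres`, so the `/usr/lib/pgsql/test/regress` tree is not labelled postgresql_db_t, even though the very next line labels `.../regress/pg_regress`. Note that corecommands.fc in this commit labels `/usr/lib/pgsql/test/regress/.*\.sh` as bin_t, so once the regex is fixed the two rules overlap and the more specific one needs to be the intended winner. `/var/lib/postgres(ql)?(/.*)? ` also has a stray trailing space before its tab.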
diff --git a/refpolicy/policy/modules/services/postgresql.if b/refpolicy/policy/modules/services/postgresql.if
new file mode 100644
index 0000000..692d8b1
--- /dev/null
+++ b/refpolicy/policy/modules/services/postgresql.if
@@ -0,0 +1,110 @@
+## <summary>PostgreSQL relational database</summary>
+
+########################################
+## <summary>
+##	Allow the specified domain to search postgresql's database directory.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`postgresql_search_db_dir',`
+	gen_require(`
+		type postgresql_db_t;
+	')
+
+	allow $1 postgresql_db_t:dir search;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to manage postgresql's database.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+interface(`postgresql_manage_db',`
+	gen_require(`
+		type postgresql_db_t;
+	')
+
+	allow $1 postgresql_db_t:dir rw_dir_perms;
+	allow $1 postgresql_db_t:file rw_file_perms;
+	allow $1 postgresql_db_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Execute postgresql in the postgresql domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`postgresql_domtrans',`
+	gen_require(`
+		type postgresql_t, postgresql_exec_t;
+	')
+
+	domain_auto_trans($1,postgresql_exec_t,postgresql_t)
+
+	allow $1 postgresql_t:fd use;
+	allow postgresql_t $1:fd use;
+	allow postgresql_t $1:fifo_file rw_file_perms;
+	allow postgresql_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read postgresql's etc.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`postgresql_read_config',`
+	gen_require(`
+		type postgresql_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 postgresql_etc_t:dir { getattr read search };
+	allow $1 postgresql_etc_t:file { read getattr };
+	allow $1 postgresql_etc_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to connect to postgresql with a tcp socket.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`postgresql_tcp_connect',`
+	gen_require(`
+		type postgresql_t;
+	')
+
+	kernel_tcp_recvfrom($1)
+	allow $1 postgresql_t:tcp_socket { connectto recvfrom };
+	allow postgresql_t $1:tcp_socket { acceptfrom recvfrom };
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to connect to postgresql with a unix socket.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`postgresql_unix_connect',`
+	gen_require(`
+		type postgresql_t, postgresql_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 postgresql_t:unix_stream_socket connectto;
+	allow $1 postgresql_var_run_t:sock_file write;
+')
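Review bot: postgresql_manage_db grants only `rw_dir_perms`/`rw_file_perms` plus lnk_file `{ getattr read }`, so it cannot create or delete database files despite the "manage" name; either rename it (e.g. postgresql_rw_db) or grant `create_dir_perms`/`create_file_perms` to match the naming used by fs_manage_cifs_dirs and fs_manage_nfs_files in this commit. Its header is also missing the `#` line that closes the doc block after `</param>` in every other interface in the file.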
diff --git a/refpolicy/policy/modules/services/postgresql.te b/refpolicy/policy/modules/services/postgresql.te
new file mode 100644
index 0000000..40823d6
--- /dev/null
+++ b/refpolicy/policy/modules/services/postgresql.te
@@ -0,0 +1,223 @@
+
+policy_module(postgresql,1.0)
+
+#################################
+#
+# Declarations
+#
+type postgresql_t;
+type postgresql_exec_t;
+init_daemon_domain(postgresql_t,postgresql_exec_t)
+
+type postgresql_db_t;
+files_type(postgresql_db_t)
+
+type postgresql_etc_t; #, usercanread;
+files_type(postgresql_etc_t)
+
+type postgresql_lock_t;
+files_lock_file(postgresql_lock_t)
+
+type postgresql_log_t;
+logging_log_file(postgresql_log_t)
+
+type postgresql_tmp_t;
+files_tmp_file(postgresql_tmp_t)
+
+type postgresql_var_run_t;
+files_pid_file(postgresql_var_run_t)
+
+########################################
+#
+# postgresql Local policy
+#
+allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
+allow postgresql_t self:fifo_file { getattr read write ioctl };
+allow postgresql_t self:file { getattr read };
+allow postgresql_t self:sem create_sem_perms;
+allow postgresql_t self:shm create_shm_perms;
+allow postgresql_t self:tcp_socket create_stream_socket_perms;
+allow postgresql_t self:udp_socket create_stream_socket_perms;
+allow postgresql_t self:unix_dgram_socket create_socket_perms;
+allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
+dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
+
+allow postgresql_t postgresql_db_t:dir create_dir_perms;
+allow postgresql_t postgresql_db_t:fifo_file create_file_perms;
+allow postgresql_t postgresql_db_t:file create_file_perms;
+allow postgresql_t postgresql_db_t:lnk_file create_lnk_perms;
+allow postgresql_t postgresql_db_t:sock_file create_file_perms;
+files_create_var_lib(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })
+
+allow postgresql_t postgresql_etc_t:dir r_dir_perms;
+allow postgresql_t postgresql_etc_t:file r_file_perms;
+allow postgresql_t postgresql_etc_t:lnk_file { getattr read };
+
+allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
+can_exec(postgresql_t, postgresql_exec_t )
+
+allow postgresql_t postgresql_lock_t:file create_file_perms;
+files_create_lock(postgresql_t,postgresql_lock_t)
+
+allow postgresql_t postgresql_log_t:dir rw_dir_perms;
+allow postgresql_t postgresql_log_t:file create_file_perms;
+logging_create_log(postgresql_t,postgresql_log_t,{ file dir })
+
+allow postgresql_t postgresql_tmp_t:dir create_dir_perms;
+allow postgresql_t postgresql_tmp_t:fifo_file create_file_perms;
+allow postgresql_t postgresql_tmp_t:file create_file_perms;
+allow postgresql_t postgresql_tmp_t:lnk_file create_lnk_perms;
+allow postgresql_t postgresql_tmp_t:sock_file create_file_perms;
+files_create_tmp_files(postgresql_t, postgresql_tmp_t, { dir file sock_file })
+fs_create_tmpfs_data(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
+
+allow postgresql_t postgresql_var_run_t:dir rw_dir_perms;
+allow postgresql_t postgresql_var_run_t:file create_file_perms;
+allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
+files_create_pid(postgresql_t,postgresql_var_run_t)
+
+kernel_read_kernel_sysctl(postgresql_t)
+kernel_read_system_state(postgresql_t)
+kernel_list_proc(postgresql_t)
+kernel_read_all_sysctl(postgresql_t)
+kernel_read_proc_symlinks(postgresql_t)
+kernel_tcp_recvfrom(postgresql_t)
+
+corenet_tcp_sendrecv_all_if(postgresql_t)
+corenet_udp_sendrecv_all_if(postgresql_t)
+corenet_raw_sendrecv_all_if(postgresql_t)
+corenet_tcp_sendrecv_all_nodes(postgresql_t)
+corenet_udp_sendrecv_all_nodes(postgresql_t)
+corenet_raw_sendrecv_all_nodes(postgresql_t)
+corenet_tcp_sendrecv_all_ports(postgresql_t)
+corenet_udp_sendrecv_all_ports(postgresql_t)
+corenet_tcp_bind_all_nodes(postgresql_t)
+corenet_udp_bind_all_nodes(postgresql_t)
+corenet_tcp_bind_postgresql_port(postgresql_t)
+corenet_tcp_connect_auth_port(postgresql_t)
+
+dev_read_sysfs(postgresql_t)
+dev_read_urand(postgresql_t)
+
+fs_getattr_all_fs(postgresql_t)
+fs_search_auto_mountpoints(postgresql_t)
+
+term_use_controlling_term(postgresql_t)
+term_dontaudit_use_console(postgresql_t)
+
+corecmd_exec_bin(postgresql_t)
+corecmd_exec_ls(postgresql_t)
+corecmd_exec_sbin(postgresql_t)
+corecmd_exec_shell(postgresql_t)
+
+domain_dontaudit_list_all_domains_proc(postgresql_t)
+domain_use_wide_inherit_fd(postgresql_t)
+
+files_dontaudit_search_home(postgresql_t)
+files_manage_etc_files(postgresql_t)
+files_search_etc(postgresql_t)
+files_read_etc_runtime_files(postgresql_t)
+files_read_usr_files(postgresql_t)
+
+init_read_script_pid(postgresql_t)
+init_use_fd(postgresql_t)
+init_use_script_pty(postgresql_t)
+
+libs_use_ld_so(postgresql_t)
+libs_use_shared_libs(postgresql_t)
+
+logging_send_syslog_msg(postgresql_t)
+
+miscfiles_read_localization(postgresql_t)
+
+seutil_dontaudit_search_config(postgresql_t)
+
+sysnet_read_config(postgresql_t)
+
+userdom_dontaudit_search_sysadm_home_dir(postgresql_t)
+userdom_dontaudit_use_sysadm_tty(postgresql_t)
+userdom_dontaudit_use_unpriv_user_fd(postgresql_t)
+
+mta_getattr_spool(postgresql_t)
+
+ifdef(`targeted_policy', `
+	files_dontaudit_read_root_file(postgresql_t)
+	term_dontaudit_use_generic_pty(postgresql_t)
+	term_dontaudit_use_unallocated_tty(postgresql_t)
+')
+
+tunable_policy(`allow_execmem',`
+	allow postgresql_t self:process execmem;
+')
+
+optional_policy(`consoletype.te', `
+	consoletype_exec(postgresql_t)
+')
+
+optional_policy(`cron.te',`
+	cron_search_spool(postgresql_t)
+	cron_system_entry(postgresql_t,postgresql_exec_t)
+')
+
+optional_policy(`hostname.te', `
+	hostname_exec(postgresql_t)
+')
+
+optional_policy(`kerberos.te',`
+	kerberos_use(postgresql_t)
+')
+
+optional_policy(`mount.te',`
+	mount_send_nfs_client_request(postgresql_t)
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(postgresql_t)
+')
+
+optional_policy(`rhgb.te',`
+	rhgb_domain(postgresql_t)
+')
+
+optional_policy(`selinuxutil.te',`
+	seutil_sigchld_newrole(postgresql_t)
+')
+
+optional_policy(`udev.te', `
+	udev_read_db(postgresql_t)
+')
+
+ifdef(`TODO',`
+ifdef(`targeted_policy', `', `
+bool allow_user_postgresql_connect false;
+
+if (allow_user_postgresql_connect) {
+# allow any user domain to connect to the database server
+can_tcp_connect(userdomain, postgresql_t)
+allow userdomain postgresql_t:unix_stream_socket connectto;
+allow userdomain postgresql_var_run_t:sock_file write;
+allow userdomain postgresql_tmp_t:sock_file write;
+}
+')
+ifdef(`distro_debian', `
+	init_exec_script(postgresql_t)
+	# gross hack
+	postgresql_domtrans(dpkg_t)
+	can_exec(postgresql_t, dpkg_exec_t)
+')
+
+ifdef(`distro_gentoo', `
+	allow postgresql_t initrc_su_t:process { sigchld };
+	# "su - postgres ..." is called from initrc_t
+	postgresql_search_db_dir(initrc_su_t)
+	dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
+')
+
+# Goes to apache.te:
+# Allow httpd to work with postgresql
+optional_policy(`postgresql.te', ` 
+	# Original policy had apache connecting to postgresql_tmp_t:sock_file
+	# instead of what is assumed to be correct: postgresql_var_run_t. -Don
+	postgresql_unix_connect(httpd_t)
+')
+')
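Review bot: `sys_admin` and `sys_tty_config` appear both in the `allow postgresql_t self:capability { ... }` line and in the following `dontaudit postgresql_t self:capability { sys_tty_config sys_admin };`; an allow makes the dontaudit meaningless, and if the intent is to silence rather than grant, the two should be removed from the allow. `allow postgresql_t self:udp_socket create_stream_socket_perms;` applies the stream permission set to a datagram socket, where `create_socket_perms` is what the tcp/udp pairing in vpn.te in this same diff uses. `files_manage_etc_files(postgresql_t)` gives a database daemon write access to all of /etc and would benefit from a comment on what it rewrites. The `# Goes to apache.te:` block at the end wraps `postgresql_unix_connect(httpd_t)` in `optional_policy(`postgresql.te'` inside postgresql.te itself, which only makes sense once it is moved.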
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 20850a0..1e34ffc 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -600,6 +600,25 @@ interface(`auth_manage_pam_console_data',`
 	allow $1 pam_var_console_t:lnk_file create_lnk_perms;
 ')
 
+#######################################
+## <summary>
+##	Delete pam_console data.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`auth_delete_pam_console_data',`
+	gen_require(`
+		type pam_var_console_t;
+	')
+
+	files_search_var($1)
+	files_search_pids($1)
+	allow $1 pam_var_console_t:dir rw_dir_perms;
+	allow $1 pam_var_console_t:file unlink;
+')
+
 ########################################
 ## <summary>
 ##	Relabel all files on the filesystem, except
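Review bot: `auth_delete_pam_console_data` grants `rw_dir_perms` on `pam_var_console_t:dir`, which includes `add_name`, more than an interface named "delete" needs; unlinking requires only `write remove_name` on the directory (plus search). Since init.te in this commit swaps `auth_list_pam_console_data` for this interface, listing access still has to be kept, so `allow $1 pam_var_console_t:dir { r_dir_perms write remove_name };` keeps both the read side and the delete side without the ability to create new entries. A short note in the summary that the interface also lists the directory would make the combined grant explicit.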
diff --git a/refpolicy/policy/modules/system/corecommands.fc b/refpolicy/policy/modules/system/corecommands.fc
index 850b48d..e993eb9 100644
--- a/refpolicy/policy/modules/system/corecommands.fc
+++ b/refpolicy/policy/modules/system/corecommands.fc
@@ -69,6 +69,8 @@ ifdef(`distro_suse', `
 /usr/lib/cron/run-crons	--	context_template(system_u:object_r:bin_t,s0)
 ')
 
+/usr/lib/pgsql/test/regress/.*\.sh -- context_template(system_u:object_r:bin_t,s0)
+
 /usr/lib(64)?/sftp-server --	context_template(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/emacsen-common/.*	context_template(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/ipsec/.*	--	context_template(system_u:object_r:sbin_t,s0)
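Review bot: The new pgsql entry hard-codes `/usr/lib/pgsql/test/regress/.*\.sh` while the neighbouring entries use `/usr/lib(64)?`, so on a 64-bit layout where PostgreSQL lives under /usr/lib64 the regression scripts would keep the default label; `/usr/lib(64)?/pgsql/test/regress/.*\.sh` matches the file's convention, and the `.so` entry added to libraries.fc in this commit has the same omission. The field separator on this line is spaces, where the rest of the file uses tabs before `--`. Labeling a test harness as `bin_t` also makes it executable by every domain granted `corecmd_exec_bin`; if that is intended only for the postgresql domain's regression runs, a comment saying so would help the next reader decide whether the entry still belongs here.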
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index c22f519..6a8e214 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -74,6 +74,85 @@ interface(`files_pid_file',`
 
 ########################################
 ## <summary>
+##	Make the specified type a 
+##	polyinstantiated directory.
+## </summary>
+## <param name="file_type">
+##	Type of the file to be used as a
+##	polyinstantiated directory.
+## </param>
+#
+interface(`files_poly',`
+	gen_require(`
+		attribute polydir;
+	')
+
+	files_type($1)
+	typeattribute $1 polydir;
+')
+
+########################################
+## <summary>
+##	Make the specified type a parent
+##	of a polyinstantiated directory.
+## </summary>
+## <param name="file_type">
+##	Type of the file to be used as a
+##	parent directory.
+## </param>
+#
+interface(`files_poly_parent',`
+	gen_require(`
+		attribute polyparent;
+	')
+
+	files_type($1)
+	typeattribute $1 polyparent;
+')
+
+########################################
+## <summary>
+##	Make the specified type a
+##	polyinstantiation member directory.
+## </summary>
+## <param name="file_type">
+##	Type of the file to be used as a
+##	member directory.
+## </param>
+#
+interface(`files_poly_member',`
+	gen_require(`
+		attribute polymember;
+	')
+
+	files_type($1)
+	typeattribute $1 polymember;
+')
+
+########################################
+## <summary>
+##	Make the domain use the specified
+##	type of polyinstantiated directory.
+## </summary>
+## <param name="domain">
+##	Domain using the polyinstantiated
+##	directory.
+## </param>
+## <param name="file_type">
+##	Type of the file to be used as a
+##	member directory.
+## </param>
+#
+interface(`files_poly_member_tmp',`
+	gen_require(`
+		type tmp_t;
+	')
+
+	type_member $1 tmp_t:dir $2;
+')
+
+########################################
+## <summary>
 ##	Make the specified type a file
 ##	used for temporary files.
 ## </summary>
@@ -81,14 +160,18 @@ interface(`files_pid_file',`
 ##	Type of the file to be used as a
 ##	temporary file.
 ## </param>
+#
 interface(`files_tmp_file',`
 	gen_require(`
 		attribute tmpfile;
+		type tmp_t;
 	')
 
 	files_type($1)
+	files_poly_member($1)
 	fs_associate_tmpfs($1)
 	typeattribute $1 tmpfile;
+	allow $1 tmp_t:filesystem associate;
 ')
 
 ########################################
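Review bot: `files_tmp_file` now carries an inline `allow $1 tmp_t:filesystem associate;` together with a new `type tmp_t;` in its gen_require, while this same commit introduces `files_associate_tmp` for exactly that rule and calls it from `logging_log_file` and `base_user_template`; replacing the two lines with `files_associate_tmp($1)` keeps a single definition of the rule. The interface summary still describes only "a file used for temporary files", although the body now also makes the type a polyinstantiation member and associable to the tmp filesystem; the summary should mention both so callers know what they get.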
@@ -648,7 +731,6 @@ interface(`files_unmount_rootfs',`
 interface(`files_dontaudit_getattr_default_dir',`
 	gen_require(`
 		type default_t;
-		class dir getattr;
 	')
 
 	dontaudit $1 default_t:dir getattr;
@@ -665,7 +747,6 @@ interface(`files_dontaudit_getattr_default_dir',`
 interface(`files_list_default',`
 	gen_require(`
 		type default_t;
-		class dir r_dir_perms;
 	')
 
 	allow $1 default_t:dir r_dir_perms;
@@ -673,6 +754,23 @@ interface(`files_list_default',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to list contents of
+##	directories with the default file type.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_list_default',`
+	gen_require(`
+		type default_t;
+	')
+
+	dontaudit $1 default_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Mount a filesystem on a directory with the default file type.
 ## </summary>
 ## <param name="domain">
@@ -682,7 +780,6 @@ interface(`files_list_default',`
 interface(`files_mounton_default',`
 	gen_require(`
 		type default_t;
-		class dir { getattr search mounton };
 	')
 
 	allow $1 default_t:dir { getattr search mounton };
@@ -716,7 +813,6 @@ interface(`files_dontaudit_getattr_default_files',`
 interface(`files_read_default_files',`
 	gen_require(`
 		type default_t;
-		class file r_file_perms;
 	')
 
 	allow $1 default_t:file r_file_perms;
@@ -724,6 +820,23 @@ interface(`files_read_default_files',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to read files
+##	with the default file type.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_read_default_files',`
+	gen_require(`
+		type default_t;
+	')
+
+	dontaudit $1 default_t:file r_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read symbolic links with the default file type.
 ## </summary>
 ## <param name="domain">
@@ -1533,6 +1646,24 @@ interface(`files_read_world_readable_sockets',`
 
 ########################################
 ## <summary>
+##	Allow the specified type to associate
+##	to a filesystem with the type of the
+##	temporary directory (/tmp).
+## </summary>
+## <param name="file_type">
+##	Type of the file to associate.
+## </param>
+#
+interface(`files_associate_tmp',`
+	gen_require(`
+		type tmp_t;
+	')
+
+	allow $1 tmp_t:filesystem associate;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to get the
 ##	attributes of the tmp directory (/tmp).
 ## </summary>
@@ -2324,6 +2455,20 @@ interface(`files_delete_all_pids',`
 
 ########################################
 #
+# files_delete_all_pid_dirs(domain)
+#
+interface(`files_delete_all_pid_dirs',`
+	gen_require(`
+		attribute pidfile;
+		type var_t;
+	')
+
+	allow $1 var_t:dir search;
+	allow $1 pidfile:dir { rw_dir_perms rmdir };
+')
+
+########################################
+#
 # files_search_spool(domain)
 #
 interface(`files_search_spool',`
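Review bot: `files_delete_all_pid_dirs` is documented in the legacy `# files_delete_all_pid_dirs(domain)` header form, while every other interface added in this commit (`files_poly*`, `files_dontaudit_*`, `files_associate_tmp`) uses the `## <summary>`/`## <param>` form; it should get a summary such as "Delete all directories with the pid file attribute" and a `domain` parameter described as "Domain allowed access". The grant `{ rw_dir_perms rmdir }` on every `pidfile` directory also includes `add_name`, which a delete interface does not need; `{ r_dir_perms write remove_name rmdir }` matches the name more closely, assuming the sibling `files_delete_all_pids` above (outside the hunk) is not relied on for the wider set.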
diff --git a/refpolicy/policy/modules/system/files.te b/refpolicy/policy/modules/system/files.te
index 94c867c..281fac4 100644
--- a/refpolicy/policy/modules/system/files.te
+++ b/refpolicy/policy/modules/system/files.te
@@ -10,6 +10,18 @@ attribute file_type;
 attribute lockfile;
 attribute mountpoint;
 attribute pidfile;
+
+# For labeling types that are to be polyinstantiated
+attribute polydir;
+
+# And for labeling the parent directories of those polyinstantiated directories
+# This is necessary for remounting the original in the parent to give
+# security aware apps access
+attribute polyparent;
+
+# And labeling for the member directories
+attribute polymember;
+
 attribute tmpfile;
 attribute tmpfsfile;
 
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index 845b705..8dd1fe8 100644
--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -55,6 +55,7 @@ kernel_getattr_proc(fsadm_t)
 kernel_rw_unlabeled_dir(fsadm_t)
 kernel_use_unlabeled_blk_dev(fsadm_t)
 
+dev_getattr_all_chr_files(fsadm_t)
 # mkreiserfs and other programs need this for UUID
 dev_read_rand(fsadm_t)
 dev_read_urand(fsadm_t)
@@ -145,5 +146,7 @@ optional_policy(`nis.te',`
 ')
 
 ifdef(`TODO',`
+allow fsadm_t tmpfs_t:file { read write };
+allow fsadm_t ramfs_t:fifo_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
index 471b076..e298a69 100644
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@@ -21,7 +21,6 @@ allow hostname_t self:process { sigchld sigkill sigstop signull signal };
 allow hostname_t self:capability sys_admin;
 dontaudit hostname_t self:capability sys_tty_config;
 
-kernel_read_kernel_sysctl(hostname_t)
 kernel_dontaudit_use_fd(hostname_t)
 kernel_list_proc(hostname_t)
 kernel_read_proc_symlinks(hostname_t)
@@ -84,9 +83,3 @@ optional_policy(`udev.te',`
 	udev_dontaudit_use_fd(hostname_t)
 	udev_read_db(hostname_t)
 ')
-
-ifdef(`TODO',`
-optional_policy(`rhgb.te', `
-rhgb_domain(hostname_t)
-')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 5533bc8..edf52af 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -51,15 +51,15 @@ type initrc_devpts_t;
 term_pty(initrc_devpts_t)
 files_type(initrc_devpts_t)
 
-type initrc_var_run_t;
-files_pid_file(initrc_var_run_t)
-
 type initrc_state_t;
 files_type(initrc_state_t)
 
 type initrc_tmp_t;
 files_tmp_file(initrc_tmp_t)
 
+type initrc_var_run_t;
+files_pid_file(initrc_var_run_t)
+
 ########################################
 #
 # Init local policy
@@ -263,7 +263,7 @@ auth_rw_login_records(initrc_t)
 auth_rw_lastlog(initrc_t)
 auth_read_pam_pid(initrc_t)
 auth_delete_pam_pid(initrc_t)
-auth_list_pam_console_data(initrc_t)
+auth_delete_pam_console_data(initrc_t)
 
 corecmd_exec_bin(initrc_t)
 corecmd_exec_sbin(initrc_t)
@@ -297,6 +297,7 @@ files_purge_tmp(initrc_t)
 files_delete_all_locks(initrc_t)
 files_read_all_pids(initrc_t)
 files_delete_all_pids(initrc_t)
+files_delete_all_pid_dirs(initrc_t)
 files_read_etc_files(initrc_t)
 files_manage_etc_runtime_files(initrc_t)
 files_manage_generic_locks(initrc_t)
@@ -477,6 +478,11 @@ optional_policy(`raid.te',`
 	raid_manage_mdadm_pid(initrc_t)
 ')
 
+optional_policy(`postgresql.te',`
+	postgresql_manage_db(initrc_t)
+	postgresql_read_config(initrc_t)
+')
+
 optional_policy(`quota.te',`
 	quota_manage_flags(initrc_t)
 ')
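Review bot: The new `optional_policy(`postgresql.te',...)` block is inserted between `raid.te` and `quota.te`, breaking the alphabetical order the surrounding blocks follow; it belongs above the `quota.te` block. `postgresql_manage_db(initrc_t)` gives every init script full write access to the database files, which is broader than starting and stopping the service needs; if this is for an init script that runs initdb, a one-line comment such as `# for initdb run from the init script` would record why the wide grant is needed.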
@@ -535,6 +541,14 @@ ifdef(`TODO',`
 allow initrc_t xconsole_device_t:fifo_file setattr;
 
 allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };
+allow initrc_t system_dbusd_t:unix_stream_socket connectto;
+allow initrc_t system_dbusd_var_run_t:sock_file write;
+
+# rhgb-console writes to ramfs
+allow initrc_t ramfs_t:fifo_file write;
+
+# during boot up initrc needs to do the following
+allow initrc_t default_t:dir write;
 
 #
 #  These rules are here to allow init scripts to su
diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc
index 2730a5e..6629b1a 100644
--- a/refpolicy/policy/modules/system/libraries.fc
+++ b/refpolicy/policy/modules/system/libraries.fc
@@ -26,10 +26,6 @@
 #
 # /usr
 #
-/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* --	context_template(system_u:object_r:texrel_shlib_t,s0)
-
-/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
-
 /usr(/.*)?/HelixPlayer/.*\.so(\.[^/]*)*	--	context_template(system_u:object_r:texrel_shlib_t,s0)
 
 /usr(/.*)?/java/.*\.so(\.[^/]*)*	--	context_template(system_u:object_r:texrel_shlib_t,s0)
@@ -43,8 +39,14 @@
 
 /usr(/.*)?/nvidia/.*\.so(\..*)?		--	context_template(system_u:object_r:texrel_shlib_t,s0)
 
+/usr/lib/pgsql/test/regress/.*\.so 	--	context_template(system_u:object_r:shlib_t,s0)
+
 /usr/lib/win32/.*			--	context_template(system_u:object_r:shlib_t,s0)
 
+/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* --	context_template(system_u:object_r:texrel_shlib_t,s0)
+
+/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
+
 /usr/(local/)?lib/wine/.*\.so  		--	context_template(system_u:object_r:texrel_shlib_t,s0)
 /usr/(local/)?lib/libfame-.*\.so.*	--	context_template(system_u:object_r:texrel_shlib_t,s0)
 /usr/local/.*\.so(\.[^/]*)*		--	context_template(system_u:object_r:shlib_t,s0)
diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if
index e642dba..bcec6d9 100644
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@@ -15,6 +15,7 @@ interface(`logging_log_file',`
 	')
 
 	files_type($1)
+	files_associate_tmp($1)
 	fs_associate_tmpfs($1)
 	typeattribute $1 logfile;
 ')
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 1af5ed5..4302a1c 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -51,6 +51,7 @@ files_pid_file(syslogd_var_run_t)
 
 type var_log_t, logfile;
 files_type(var_log_t)
+files_associate_tmp(var_log_t)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index c6de011..2b34fa7 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -30,6 +30,9 @@ files_lock_file(lvm_lock_t)
 type lvm_metadata_t;
 files_type(lvm_metadata_t)
 
+type lvm_var_run_t;
+files_pid_file(lvm_var_run_t)
+
 type lvm_tmp_t;
 files_tmp_file(lvm_tmp_t)
 
@@ -148,6 +151,10 @@ allow lvm_t lvm_lock_t:dir rw_dir_perms;
 allow lvm_t lvm_lock_t:file create_file_perms;
 files_create_lock(lvm_t,lvm_lock_t)
 
+allow lvm_t lvm_var_run_t:file create_file_perms;
+allow lvm_t lvm_var_run_t:dir create_dir_perms;
+files_create_pid(lvm_t,lvm_var_run_t)
+
 allow lvm_t lvm_etc_t:file r_file_perms;
 allow lvm_t lvm_etc_t:lnk_file r_file_perms;
 # Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
@@ -213,7 +220,6 @@ domain_use_wide_inherit_fd(lvm_t)
 
 files_read_etc_files(lvm_t)
 files_read_etc_runtime_files(lvm_t)
-files_dontaudit_getattr_pid_dir(lvm_t)
 # for when /usr is not mounted:
 files_dontaudit_search_isid_type_dir(lvm_t)
 
@@ -258,6 +264,10 @@ optional_policy(`udev.te', `
 ')
 
 ifdef(`TODO',`
+# it has no reason to need this
+allow lvm_t var_t:dir { search getattr };
+allow lvm_t ramfs_t:filesystem unmount;
+
 optional_policy(`gnome-pty-helper.te', `
 	allow lvm_t sysadm_gph_t:fd use;
 ')
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index ad198c2..cdf9e8b 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -51,6 +51,8 @@ can_exec(insmod_t, insmod_exec_t)
 
 kernel_load_module(insmod_t)
 kernel_read_system_state(insmod_t)
+kernel_mount_debugfs(insmod_t)
+kernel_search_debugfs(insmod_t)
 # Rules for /proc/sys/kernel/tainted
 kernel_read_kernel_sysctl(insmod_t)
 kernel_rw_kernel_sysctl(insmod_t)
@@ -128,6 +130,7 @@ optional_policy(`rpm.te',`
 ')
 
 ifdef(`TODO',`
+allow insmod_t proc_t:file rw_file_perms;
 optional_policy(`xserver.te',`
 	xserver_getattr_log(insmod_t)
 	allow insmod_t xserver_misc_device_t:chr_file { read write };
@@ -182,6 +185,7 @@ optional_policy(`rpm.te',`
 ')
 
 ifdef(`TODO',`
+allow depmod_t modules_object_t:file unlink;
 ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
 ') dnl end ifdef TODO
 
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index 461415a..96f4d05 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -140,6 +140,10 @@ optional_policy(`udev.te', `
 ifdef(`TODO',`
 allow cardmgr_t modules_object_t:dir search;
 
+ifdef(`dhcpc.te',`
+allow cardmgr_t dhcpc_var_run_t:file unlink;
+')
+
 # Create device files in /tmp.
 # cjp: why is this created all over the place?
 file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index e4053ca..47293bb 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -27,6 +27,31 @@ interface(`sysnet_domtrans_dhcpc',`
 
 ########################################
 ## <summary>
+##	Execute DHCP clients in the dhcpc domain, and
+##	allow the specified role the dhcpc domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the clock domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the clock domain to use.
+## </param>
+#
+interface(`sysnet_run_dhcpc',`
+	gen_require(`
+		type dhcpc_t;
+	')
+
+	sysnet_domtrans_dhcpc($1)
+	role $2 types dhcpc_t;
+	allow dhcpc_t $3:chr_file { getattr read write ioctl };
+')
+
+########################################
+## <summary>
 ##	Send a SIGCHLD signal to the dhcp client.
 ## </summary>
 ## <param name="domain">
@@ -227,9 +252,6 @@ interface(`sysnet_read_dhcpc_pid',`
 interface(`sysnet_domtrans_ifconfig',`
 	gen_require(`
 		type ifconfig_t, ifconfig_exec_t;
-		class process sigchld;
-		class fd use;
-		class fifo_file rw_file_perms;
 	')
 
 	corecmd_search_sbin($1)
@@ -260,7 +282,6 @@ interface(`sysnet_domtrans_ifconfig',`
 interface(`sysnet_run_ifconfig',`
 	gen_require(`
 		type ifconfig_t;
-		class chr_file rw_term_perms;
 	')
 
 	corecmd_search_sbin($1)
@@ -269,6 +290,23 @@ interface(`sysnet_run_ifconfig',`
 	allow ifconfig_t $3:chr_file rw_term_perms;
 ')
 
+#######################################
+## <summary>
+##	Execute ifconfig in the caller domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`sysnet_exec_ifconfig',`
+	gen_require(`
+		type ifconfig_exec_t;
+	')
+
+	corecmd_search_sbin($1)
+	can_exec($1,ifconfig_exec_t)
+')
+
 ########################################
 ## <summary>
 ##	Read the DHCP configuration files.
@@ -280,8 +318,6 @@ interface(`sysnet_run_ifconfig',`
 interface(`sysnet_read_dhcp_config',`
 	gen_require(`
 		type dhcp_etc_t;
-		class dir search;
-		class file { getattr read };
 	')
 
 	files_search_etc($1)
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 7a0554f..9ea6f3f 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -112,6 +112,7 @@ term_dontaudit_use_console(dhcpc_t)
 term_dontaudit_use_all_user_ttys(dhcpc_t)
 term_dontaudit_use_all_user_ptys(dhcpc_t)
 term_dontaudit_use_unallocated_tty(dhcpc_t)
+term_dontaudit_use_generic_pty(dhcpc_t)
 
 corecmd_exec_bin(dhcpc_t)
 corecmd_exec_sbin(dhcpc_t)
@@ -209,6 +210,27 @@ optional_policy(`userdomain.te',`
 ')
 
 ifdef(`TODO',`
+ifdef(`cardmgr.te',`
+allow dhcpc_t cardmgr_dev_t:chr_file { read write };
+')
+
+ifdef(`ypbind.te',`
+allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink };
+')
+
+ifdef(`dbusd.te', `
+dbusd_client(system, dhcpc)
+domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
+allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg };
+allow dhcpc_t self:dbus send_msg;
+allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
+allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg;
+ifdef(`unconfined.te', `
+allow unconfined_t dhcpc_t:dbus send_msg;
+allow dhcpc_t unconfined_t:dbus send_msg;
+')dnl end ifdef unconfined.te
+')
+
 optional_policy(`rhgb.te',`
 rhgb_domain(dhcpc_t)
 ')
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 85a7b4d..721e51a 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -41,11 +41,13 @@ template(`base_user_template',`
 	# type for contents of home directory
 	type $1_home_t, $1_file_type, home_type;
 	files_type($1_home_t)
+	files_associate_tmp($1_home_t)
 	fs_associate_tmpfs($1_home_t)
 
 	# type of home directory
 	type $1_home_dir_t, home_dir_type, home_type;
 	files_type($1_home_dir_t)
+	files_associate_tmp($1_home_dir_t)
 	fs_associate_tmpfs($1_home_dir_t)
 
 	type $1_tmp_t, $1_file_type;
@@ -54,6 +56,14 @@ template(`base_user_template',`
 	type $1_tmpfs_t;
 	files_tmpfs_file($1_tmpfs_t)
 
+	# types for network-obtained content
+	type $1_untrusted_content_t, $1_file_type; #, customizable
+	files_type($1_untrusted_content_t)
+	files_poly_member($1_untrusted_content_t)
+
+	type $1_untrusted_content_tmp_t, $1_file_type; # customizable
+	files_tmp_file($1_untrusted_content_tmp_t)
+
 	type $1_tty_device_t; 
 	term_tty($1_t,$1_tty_device_t)
 
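Review bot: The two new type declarations carry different trailing comments, `#, customizable` on `$1_untrusted_content_t` and `# customizable` on `$1_untrusted_content_tmp_t`; the stray comma reads as a commented-out attribute rather than a note, so it is unclear whether `customizable` was meant to be part of the declaration. Either apply the attribute on both lines or write the note the same way on both, and say what it means for these types, e.g. `# customizable: labels set by hand (or by the downloading application) are meant to survive relabeling`, which is what the `read_untrusted_content` tunable below relies on.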
@@ -77,8 +87,7 @@ template(`base_user_template',`
 	allow $1_t self:msgq create_msgq_perms;
 	allow $1_t self:msg { send receive };
 	dontaudit $1_t self:socket create;
-	# Irrelevant until we have labeled networking.
-	#allow $1_t self:udp_socket { sendto recvfrom };
+	allow $1_t self:udp_socket { sendto recvfrom };
 
 	# evolution and gnome-session try to create a netlink socket
 	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
@@ -93,11 +102,19 @@ template(`base_user_template',`
 	allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
 	allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
 	allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
-	allow $1_t $1_home_dir_t:dir create_dir_perms;
+	allow $1_t $1_home_dir_t:dir { create_dir_perms relabelfrom relabelto };
 	type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
 
 	can_exec($1_t,$1_tmp_t)
 
+	# user temporary files
+	allow $1_t $1_tmp_t:file create_file_perms;
+	allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
+	allow $1_t $1_tmp_t:dir create_dir_perms;
+	allow $1_t $1_tmp_t:sock_file create_file_perms;
+	allow $1_t $1_tmp_t:fifo_file create_file_perms;
+	files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set })
+
 	# Bind to a Unix domain socket in /tmp.
 	# cjp: this is combination is not checked and should be removed
 	allow $1_t $1_tmp_t:unix_stream_socket name_bind;
@@ -111,6 +128,10 @@ template(`base_user_template',`
 
 	allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
 
+	# Allow user to relabel untrusted content
+	allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
+	allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
+
 	allow $1_t unpriv_userdomain:fd use;
 
 	# Instantiate derived domains for a number of programs.
@@ -160,7 +181,14 @@ template(`base_user_template',`
 	fs_get_all_fs_quotas($1_t)
 	fs_getattr_all_fs($1_t)
 	fs_search_auto_mountpoints($1_t)
-	fs_exec_noxattr($1_t)
+
+	# cjp: some of this probably can be removed
+	selinux_get_fs_mount($1_t)
+	selinux_validate_context($1_t)
+	selinux_compute_access_vector($1_t)
+	selinux_compute_create_context($1_t)
+	selinux_compute_relabel_context($1_t)
+	selinux_compute_user_contexts($1_t)
 
 	# for eject
 	storage_getattr_fixed_disk($1_t)
@@ -196,10 +224,13 @@ template(`base_user_template',`
 	logging_dontaudit_getattr_all_logs($1_t)
 
 	miscfiles_read_localization($1_t)
+	miscfiles_read_fonts($1_t)
 	# for running TeX programs
 	miscfiles_read_tetex_data($1_t)
 	miscfiles_exec_tetex_data($1_t)
 
+	seutil_read_file_contexts($1_t)
+	seutil_read_default_contexts($1_t)
 	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
 
 	mta_rw_spool($1_t)
@@ -209,12 +240,29 @@ template(`base_user_template',`
 		allow $1_t self:process execmem;
 	')
 
+	tunable_policy(`allow_execmem && allow_execstack',`
+		# Allow making the stack executable via mprotect.
+		allow $1_t self:process execstack;
+	')
+
 	tunable_policy(`read_default_t',`
 		files_list_default($1_t)
 		files_read_default_files($1_t)
 		files_read_default_symlinks($1_t)
 		files_read_default_sockets($1_t)
 		files_read_default_pipes($1_t)
+	',`
+		files_dontaudit_list_default($1_t)
+		files_dontaudit_read_default_files($1_t)
+	')
+
+	tunable_policy(`read_untrusted_content',`
+		allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir r_dir_perms;
+		allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file r_file_perms;
+		allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:lnk_file { getattr read };
+	',`
+		dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir r_dir_perms;
+		dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file r_file_perms;
 	')
 
 	tunable_policy(`use_nfs_home_dirs',`
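Review bot: The allow branch of `read_untrusted_content` grants `lnk_file { getattr read }` on the untrusted-content types, but the else branch dontaudits only `dir` and `file`, so with the tunable off, symlink reads will still be logged while the file and directory reads beside them are silenced. If parity is the goal, add `dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:lnk_file { getattr read };` to the else branch; if keeping those denials visible is intended, a comment saying so will stop the next reader from "fixing" it. The new else branch of `read_default_t` has the same shape: the allow side covers symlinks, sockets and pipes, the dontaudit side only directories and files.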
@@ -224,6 +272,9 @@ template(`base_user_template',`
 		fs_manage_nfs_named_sockets($1_t)
 		fs_manage_nfs_named_pipes($1_t)
 		fs_execute_nfs_files($1_t)
+	',`
+		fs_dontaudit_manage_nfs_dirs($1_t)
+		fs_dontaudit_manage_nfs_files($1_t)
 	')
 
 	tunable_policy(`use_samba_home_dirs',`
@@ -233,6 +284,9 @@ template(`base_user_template',`
 		fs_manage_cifs_named_sockets($1_t)
 		fs_manage_cifs_named_pipes($1_t)
 		fs_execute_cifs_files($1_t)
+	',`
+		fs_dontaudit_manage_cifs_dirs($1_t)
+		fs_dontaudit_manage_cifs_files($1_t)
 	')
 
 	tunable_policy(`user_direct_mouse',`
@@ -329,36 +383,17 @@ template(`base_user_template',`
 
 	r_dir_file($1_t, usercanread)
 
-	tunable_policy(`allow_execmod',`
-		# Allow text relocations on system shared libraries, e.g. libGL.
-		allow $1_t texrel_shlib_t:file execmod;
-	')
-
 	allow $1_t fs_type:dir getattr;
 
-	# old "file_browse_domain":
-	# Regular files/directories that are not security sensitive
-	dontaudit $1_t file_type - secure_file_type:dir_file_class_set getattr;
-	dontaudit $1_t file_type - secure_file_type:dir { read search };
-	# /dev
-	dontaudit $1_t dev_fs:dir_file_class_set getattr;
-	dontaudit $1_t dev_fs:dir { read search };
-	# /proc
-	dontaudit $1_t sysctl_t:dir_file_class_set getattr;
-	dontaudit $1_t proc_fs:dir { read search };
-
-	tunable_policy(`user_rw_noexattrfile',`
-		create_dir_file($1_t, noexattrfile)
-		# Write floppies 
-		storage_raw_read_removable_device($1_t)
-		storage_raw_write_removable_device($1_t)
-		# cjp: what does this have to do with removable devices?
-		allow $1_t usbtty_device_t:chr_file write;
-	',`
-		r_dir_file($1_t, noexattrfile)
-		r_dir_file($1_t, removable_t)
-		allow $1_t removable_device_t:blk_file r_file_perms;
-	')
+	dontaudit $1 file_type - secure_file_type:dir_file_class_set getattr; 
+	dontaudit $1 file_type - secure_file_type:dir search;
+	dontaudit $1 file_type - secure_file_type:dir read;
+	dontaudit $1 unlabeled_t:dir_file_class_set getattr;
+	dontaudit $1 unlabeled_t:dir search;
+	dontaudit $1 unlabeled_t:dir read;
+	dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir_file_class_set getattr;
+	dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir search;
+	dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir read;
 
 	allow $1_t usbtty_device_t:chr_file read;
 
@@ -390,21 +425,16 @@ template(`base_user_template',`
 	# Connect to portmap.
 	ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')
 
+	# Use X
+	x_client_domain($1, $1)
+
 	ifdef(`xserver.te', `
-		# for /tmp/.ICE-unix
-		file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
 		allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
 	')
 
 	ifdef(`xdm.te', `
 		# Connect to the X server run by the X Display Manager.
 		can_unix_connect($1_t, xdm_t)
-		allow $1_t xdm_tmp_t:sock_file rw_file_perms;
-		allow $1_t xdm_tmp_t:dir r_dir_perms;
-		allow $1_t xdm_tmp_t:file r_file_perms;
-		allow $1_t xdm_xserver_tmp_t:sock_file { read write };
-		allow $1_t xdm_xserver_tmp_t:dir search;
-		allow $1_t xdm_xserver_t:unix_stream_socket connectto;
 		# certain apps want to read xdm.pid file
 		r_dir_file($1_t, xdm_var_run_t)
 		allow $1_t xdm_var_lib_t:file r_file_perms;
@@ -412,11 +442,25 @@ template(`base_user_template',`
 		ifdef(`xauth.te', `
 			file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
 		')
+	')
+
+	# start read_fonts()
+
+	# cjp: this macro is unconditional, though
+	# its in a conditional file.
 
-		# for shared memory
-		allow xdm_xserver_t $1_tmpfs_t:file { read write };
+	# Manipulate the global font cache
+	create_dir_file($1, $1_fonts_cache_t)
 
+	# Read per user fonts and font config
+	r_dir_file($1, $1_fonts_t)
+	r_dir_file($1, $1_fonts_config_t)
+
+	# There are some fonts in .gnome2
+	ifdef(`gnome.te', `
+	allow $1 $2_gnome_settings_t:dir { getattr search };
 	')
+	# end read_fonts()
 
 	ifdef(`rpcd.te', `
 		create_dir_file($1_t, nfsd_rw_t)
@@ -467,8 +511,13 @@ template(`unpriv_user_template', `
 	domain_wide_inherit_fd($1_t)
 
 	typeattribute $1_devpts_t user_ptynode;
+
 	typeattribute $1_home_dir_t user_home_dir_type;
+	files_poly($1_home_dir_t)
+
 	typeattribute $1_home_t user_home_type;
+	files_poly_member($1_home_t)
+
 	typeattribute $1_tmp_t user_tmpfile;
 	typeattribute $1_tty_device_t user_ttynode;
  
@@ -484,14 +533,6 @@ template(`unpriv_user_template', `
 	allow $1_home_t self:filesystem associate;
 	allow $1_file_type $1_home_t:filesystem associate;
 
-	# user temporary files
-	allow $1_t $1_tmp_t:file create_file_perms;
-	allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
-	allow $1_t $1_tmp_t:dir create_dir_perms;
-	allow $1_t $1_tmp_t:sock_file create_file_perms;
-	allow $1_t $1_tmp_t:fifo_file create_file_perms;
-	files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set })
-
 	# privileged home directory writers
 	allow privhome $1_home_t:file create_file_perms;
 	allow privhome $1_home_t:lnk_file create_lnk_perms;
@@ -537,6 +578,11 @@ template(`unpriv_user_template', `
 	# so it can be used without privilege to write real binary policy file
 	seutil_exec_checkpol($1_t)
 
+	ifdef(`enable_polyinstantiation',`
+		type_member $1_t $1_home_dir_t:dir $1_home_t;
+		files_poly_member_tmp($1_t)
+	')
+
 	tunable_policy(`user_dmesg',`
 		kernel_read_ring_buffer($1_t)
 	',`
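Review bot: `files_poly_member_tmp($1_t)` passes one argument, but the interface added to files.if in this commit expands `type_member $1 tmp_t:dir $2;`, so `$2` is empty and the rule degenerates to `type_member staff_t tmp_t:dir ;`, a syntax error whenever `enable_polyinstantiation` is defined. The member type is presumably the user's tmp type, mirroring the `type_member $1_t $1_home_dir_t:dir $1_home_t;` line directly above: `files_poly_member_tmp($1_t, $1_tmp_t)`.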
@@ -575,6 +621,22 @@ template(`unpriv_user_template', `
 
 	ifdef(`TODO',`
 
+	ifdef(`enable_mls',`',`
+		fs_exec_noxattr($1_t)
+		tunable_policy(`user_rw_noexattrfile',`
+			create_dir_file($1_t, noexattrfile)
+			# Write floppies 
+			storage_raw_read_removable_device($1_t)
+			storage_raw_write_removable_device($1_t)
+			# cjp: what does this have to do with removable devices?
+			allow $1_t usbtty_device_t:chr_file write;
+		',`
+			r_dir_file($1_t, noexattrfile)
+			r_dir_file($1_t, removable_t)
+			allow $1_t removable_device_t:blk_file r_file_perms;
+		')
+	')
+
 	dontaudit $1_t boot_t:lnk_file read;
 	dontaudit $1_t boot_t:file read;
 
@@ -596,16 +658,20 @@ template(`unpriv_user_template', `
 		')
 	')
 
+	ifdef(`useradd.te', `
+	# Useradd relabels /etc/skel files so needs these privs 
+	allow useradd_t $1_file_type:dir create_dir_perms;
+	allow useradd_t $1_file_type:notdevfile_class_set create_file_perms;
+	')
+
 	# Stat lost+found.
 	allow $1_t lost_found_t:dir getattr;
 
 	# Read /var, /var/spool, /var/run.
-	allow $1_t var_t:dir r_dir_perms;
-	allow $1_t var_t:notdevfile_class_set r_file_perms;
-	allow $1_t var_spool_t:dir r_dir_perms;
-	allow $1_t var_spool_t:notdevfile_class_set r_file_perms;
-	allow $1_t var_run_t:dir r_dir_perms;
-	allow $1_t var_run_t:{ file lnk_file } r_file_perms;
+	r_dir_file($1_t, var_t)
+	# what about pipes and sockets under /var/spool?
+	r_dir_file($1_t, var_spool_t)
+	r_dir_file($1_t, var_run_t)
 	allow $1_t var_lib_t:dir r_dir_perms;
 	allow $1_t var_lib_t:file { getattr read };
 
@@ -631,23 +697,6 @@ template(`unpriv_user_template', `
 
 	allow $1_t initrc_t:fifo_file write;
 
-	ifdef(`user_can_mount', `
-		#
-		#  Allow users to mount file systems like floppies and cdrom
-		#
-		mount_domain($1, $1_mount, `, fs_domain')
-		r_dir_file($1_t, mnt_t)
-		allow $1_mount_t device_t:lnk_file read;
-		allow $1_mount_t removable_device_t:blk_file read;
-		allow $1_mount_t iso9660_t:filesystem relabelfrom;
-		allow $1_mount_t removable_t:filesystem { mount relabelto };
-		allow $1_mount_t removable_t:dir mounton;
-		ifdef(`xdm.te', `
-			allow $1_mount_t xdm_t:fd use;
-			allow $1_mount_t xdm_t:fifo_file { read write };
-		')
-	')
-
 	') dnl end TODO
 ')
 
@@ -721,16 +770,11 @@ template(`admin_user_template',`
 	# for the administrator to run TCP servers directly
 	allow $1_t self:tcp_socket { acceptfrom connectto recvfrom };
 
+	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
+
 	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
 	term_create_pty($1_t,$1_devpts_t)
 
-	allow $1_t $1_tmp_t:dir create_dir_perms;
-	allow $1_t $1_tmp_t:file create_file_perms;
-	allow $1_t $1_tmp_t:lnk_file create_file_perms;
-	allow $1_t $1_tmp_t:fifo_file create_file_perms;
-	allow $1_t $1_tmp_t:sock_file create_file_perms;
-	files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set })
-
 	kernel_read_system_state($1_t)
 	kernel_read_network_state($1_t)
 	kernel_read_software_raid_state($1_t)
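Review bot: `allow $1_t self:netlink_audit_socket nlmsg_readpriv;` at L2189 is a bare allow in the refpolicy userdomain template, while the strict tree grants the same permission through `security_manager_domain` (L2939) and keeps a commented-out copy in admin_macros.te (L2849); three copies will drift. A one-line comment naming the consumer, like the strict version's `# Allow autrace`, would at least record why admin users need privileged audit reads. The `$1_tmp_t` rules removed at L2194-L2199 are not visibly re-granted in this hunk; presumably they moved to the base template earlier in the file, but that part is outside this view.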
@@ -761,6 +805,7 @@ template(`admin_user_template',`
 
 	fs_getattr_all_fs($1_t)
 	fs_set_all_quotas($1_t)
+	fs_exec_noxattr($1_t)
 
 	selinux_set_enforce_mode($1_t)
 	selinux_set_boolean($1_t)
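Review bot: `fs_exec_noxattr($1_t)` at L2208 is granted to admin users unconditionally, whereas the same call for unprivileged users at L2116 is wrapped in `ifdef(`enable_mls',`',` so MLS builds do not get it. If the MLS exclusion is deliberate (files on filesystems without xattr support carry no label of their own), the admin template should carry the same guard, or a comment should say why admins are exempt.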
@@ -847,7 +892,7 @@ template(`admin_user_template',`
 			allow xdm_t $1_home_t:lnk_file read;
 			allow xdm_t $1_home_t:dir search;
 		')
-		allow $1_t xdm_t:fifo_file rw_file_perms;
+		can_pipe_xdm($1_t)
 	')
 
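Review bot: `can_pipe_xdm($1_t)` at L2217 uses the strict-policy macro name, which does not follow the refpolicy `module_verb_object` interface convention that the rest of this template uses (`term_create_pty`, `fs_exec_noxattr`), and no definition of it is visible on the refpolicy side. If it is meant to stay, it should be an interface exported by the xserver module, with a summary stating that it grants read/write on xdm_t fifo_files, which is what the replaced line did.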
 	# Connect data port to ftpd.
@@ -877,6 +922,21 @@ template(`admin_user_template',`
 	# Run programs from staff home directories.
 	# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
 	can_exec($1_t, staff_home_t)
+
+	tunable_policy(`user_rw_noexattrfile',`
+		create_dir_file($1_t, noexattrfile)
+		# Write floppies 
+		storage_raw_read_removable_device($1_t)
+		storage_raw_write_removable_device($1_t)
+		# cjp: what does this have to do with removable devices?
+		allow $1_t usbtty_device_t:chr_file write;
+	',`
+		r_dir_file($1_t, noexattrfile)
+		r_dir_file($1_t, removable_t)
+		allow $1_t removable_device_t:blk_file r_file_perms;
+	')
+	allow $1 removable_t:filesystem getattr;
+
 	') dnl endif TODO
 ')
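Review bot: `allow $1 removable_t:filesystem getattr;` at L2238 uses `$1` rather than `$1_t`; every other rule in admin_user_template takes `$1_t` as the subject, and `$1` alone expands to the prefix (e.g. sysadm), which is not a type. Change it to `allow $1_t removable_t:filesystem getattr;`. Because this is inside the `ifdef(`TODO'` block that closes at L2240, the policy compiler will not catch it until the guard is removed.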
 
@@ -2037,7 +2097,7 @@ interface(`userdom_sigcld_all_users',`
 		class process sigchld;
 	')
 
-	allow $1 userdomain:process sigghld;
+	allow $1 userdomain:process sigchld;
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 6f89062..be596dc 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -223,6 +223,7 @@ ifdef(`targeted_policy',`
 
 	optional_policy(`sysnetwork.te',`
 		sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal)
+		sysnet_run_dhcpc(sysadm_t,sysadm_r,admin_terminal)
 	')
 
 	optional_policy(`unconfined.te',`
@@ -233,4 +234,8 @@ ifdef(`targeted_policy',`
 		usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
 		usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
 	')
+
+	optional_policy(`vpn.te',`
+		vpn_run(sysadm_t,sysadm_r,admin_terminal)
+	')
 ')
diff --git a/strict/domains/admin.te b/strict/domains/admin.te
index b88654f..bc29a78 100644
--- a/strict/domains/admin.te
+++ b/strict/domains/admin.te
@@ -17,19 +17,27 @@ general_proc_read_access(sysadm_t)
 # sysadm_t is also granted permissions specific to administrator domains.
 admin_domain(sysadm)
 
-# Allow administrator domains to set the enforcing flag.
-can_setenforce(sysadm_t)
-
-# Allow administrator domains to set policy booleans.
-can_setbool(sysadm_t)
-
-# Allow administrator domains to set security parameters
-can_setsecparam(sysadm_t)
-
 # for su
 allow sysadm_t userdomain:fd use;
 
-define(`admin_tty_type', `{ sysadm_tty_device_t sysadm_devpts_t }')
+ifdef(`separate_secadm', `', `
+security_manager_domain(sysadm_t)
+')
 
 # Add/remove user home directories
 file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
+
+limited_user_role(secadm)
+typeattribute secadm_t admin;
+role secadm_r types secadm_t; 
+security_manager_domain(secadm_t)
+r_dir_file(secadm_t, { var_t var_log_t })
+
+typeattribute secadm_tty_device_t admin_tty_type;
+typeattribute secadm_devpts_t admin_tty_type;
+
+bool allow_ptrace false;
+
+if (allow_ptrace) {
+can_ptrace(sysadm_t, domain)
+}
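Review bot: `can_ptrace(sysadm_t, domain)` at L2313 lets sysadm_t attach to every domain, including the `secadm_t` introduced in the same hunk, so when `separate_secadm` is defined and `allow_ptrace` is on, the sysadm/secadm separation is undone by a single boolean. Consider excluding the security-manager domain, e.g. `can_ptrace(sysadm_t, { domain -secadm_t })`, and documenting the boolean with a comment such as `# Allow sysadm_t to ptrace all domains`. L2303 also carries trailing whitespace after the semicolon.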
diff --git a/strict/domains/misc/screensaver.te b/strict/domains/misc/screensaver.te
deleted file mode 100644
index d420266..0000000
--- a/strict/domains/misc/screensaver.te
+++ /dev/null
@@ -1,18 +0,0 @@
-#
-# Alias file to stop blow up during policy upgrade, since 
-# screensaver policy is being removed.
-#
-typealias bin_t alias screensaver_exec_t;
-typealias sysadm_home_t alias sysadm_screensaver_t;
-typealias sysadm_home_t alias sysadm_screensaver_rw_t;
-typealias sysadm_home_t alias sysadm_screensaver_ro_t;
-typealias sysadm_home_t alias sysadm_screensaver_tmpfs_t;
-typealias user_home_t alias user_screensaver_t;
-typealias user_home_t alias user_screensaver_rw_t;
-typealias user_home_t alias user_screensaver_ro_t;
-typealias user_home_t alias user_screensaver_tmpfs_t;
-typealias staff_home_t alias staff_screensaver_t;
-typealias staff_home_t alias staff_screensaver_rw_t;
-typealias staff_home_t alias staff_screensaver_ro_t;
-typealias staff_home_t alias staff_screensaver_tmpfs_t;
-
diff --git a/strict/domains/program/dbusd.te b/strict/domains/program/dbusd.te
index 8216b06..4c72b6b 100644
--- a/strict/domains/program/dbusd.te
+++ b/strict/domains/program/dbusd.te
@@ -17,4 +17,9 @@ can_ypbind(system_dbusd_t)
 # I expect we need more than this
 
 allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };
+allow initrc_t system_dbusd_t:unix_stream_socket connectto;
+allow initrc_t system_dbusd_var_run_t:sock_file write;
 
+can_exec(system_dbusd_t, sbin_t)
+allow system_dbusd_t self:fifo_file { read write };
+allow system_dbusd_t self:unix_stream_socket connectto;
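Review bot: `can_exec(system_dbusd_t, sbin_t)` at L2350 runs /sbin programs inside the system_dbusd_t domain itself, with no domain transition and no comment saying which helper needs it; the dhcpc hunk at L2388 adds a proper `domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)`, so this line looks like it should name its target or become a transition too. Add a comment such as `# <helper> is exec'd by dbus; prefer domain_auto_trans`. Also `allow initrc_t system_dbusd_var_run_t:sock_file write;` at L2348 duplicates the guarded rule added in initrc.te at L2522; keep only one copy.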
diff --git a/strict/domains/program/dhcpc.te b/strict/domains/program/dhcpc.te
index 442d46f..0308ed9 100644
--- a/strict/domains/program/dhcpc.te
+++ b/strict/domains/program/dhcpc.te
@@ -43,6 +43,8 @@ ifdef(`cardmgr.te', `
 domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
 allow cardmgr_t dhcpc_var_run_t:file { getattr read };
 allow cardmgr_t dhcpc_t:process signal_perms;
+allow cardmgr_t dhcpc_var_run_t:file unlink;
+allow dhcpc_t cardmgr_dev_t:chr_file { read write };
 ')
 ifdef(`hotplug.te', `
 domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t)
@@ -126,7 +128,7 @@ can_exec(dhcpc_t, { bin_t shell_exec_t })
 ifdef(`hostname.te', `
 domain_auto_trans(dhcpc_t, hostname_exec_t, hostname_t)
 ')
-dontaudit dhcpc_t { ttyfile ptyfile tty_device_t }:chr_file { read write };
+dontaudit dhcpc_t { devpts_t ttyfile ptyfile tty_device_t }:chr_file rw_file_perms;
 allow dhcpc_t { userdomain kernel_t }:fd use;
 
 allow dhcpc_t home_root_t:dir search;
@@ -142,7 +144,22 @@ allow dhcpc_t initrc_var_run_t:file rw_file_perms;
 can_exec(dhcpc_t, initrc_exec_t)
 ifdef(`ypbind.te', `
 domain_auto_trans(dhcpc_t, ypbind_exec_t, ypbind_t)
+allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink };
 ')
 ifdef(`ntpd.te', `
 domain_auto_trans(dhcpc_t, ntpd_exec_t, ntpd_t)
 ')
+role sysadm_r types dhcpc_t;
+domain_auto_trans(sysadm_t, dhcpc_exec_t, dhcpc_t)
+ifdef(`dbusd.te', `
+dbusd_client(system, dhcpc)
+domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
+allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg };
+allow dhcpc_t self:dbus send_msg;
+allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
+allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg;
+ifdef(`unconfined.te', `
+allow unconfined_t dhcpc_t:dbus send_msg;
+allow dhcpc_t unconfined_t:dbus send_msg;
+')dnl end ifdef unconfined.te
+')
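Review bot: `allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;` at L2391-L2392 references `NetworkManager_t` without an ifdef guard, while the `unconfined_t` rules right below are wrapped in `ifdef(`unconfined.te'`; a build without the NetworkManager policy will fail on the undefined type. Guard those two lines the same way, with an ifdef on the NetworkManager policy file, and keep `initrc_t` outside the guard since it is always defined.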
diff --git a/strict/domains/program/fsadm.te b/strict/domains/program/fsadm.te
index 56295e3..5611451 100644
--- a/strict/domains/program/fsadm.te
+++ b/strict/domains/program/fsadm.te
@@ -29,6 +29,7 @@ read_sysctl(fsadm_t)
 
 # for /dev/shm
 allow fsadm_t tmpfs_t:dir { getattr search };
+allow fsadm_t tmpfs_t:file { read write };
 
 base_file_read_access(fsadm_t)
 
@@ -115,3 +116,5 @@ system_crond_entry(fsadm_exec_t, fsadm_t)
 allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;
 allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
 allow fsadm_t usbfs_t:dir { getattr search };
+allow fsadm_t ramfs_t:fifo_file rw_file_perms;
+allow fsadm_t device_type:chr_file getattr;
diff --git a/strict/domains/program/gpg.te b/strict/domains/program/gpg.te
index 65e2ca5..b9cadb5 100644
--- a/strict/domains/program/gpg.te
+++ b/strict/domains/program/gpg.te
@@ -8,11 +8,8 @@
 type gpg_exec_t, file_type, sysadmfile, exec_type;
 type gpg_helper_exec_t, file_type, sysadmfile, exec_type;
 
-allow sysadm_gpg_t { home_root_t user_home_dir_t }:dir search;
+allow sysadm_gpg_t { home_root_t user_home_dir_type }:dir search;
 allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
 
-# Allow gpg exec stack
-bool allow_gpg_execstack false;
-
 # Everything else is in the gpg_domain macro in
 # macros/program/gpg_macros.te.
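Review bot: Removing `bool allow_gpg_execstack false;` at L2429 is only safe if nothing in `gpg_macros.te` (referenced at L2432) still tests the boolean; that file is not in this diff, so a leftover `if (allow_gpg_execstack)` would fail to compile. A grep for the boolean name before merging would settle it.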
diff --git a/strict/domains/program/hald.te b/strict/domains/program/hald.te
index 1d1ce66..5cd42b1 100644
--- a/strict/domains/program/hald.te
+++ b/strict/domains/program/hald.te
@@ -65,10 +65,9 @@ allow hald_t udev_tbl_t:file { getattr read };
 ifdef(`hotplug.te', `
 r_dir_file(hald_t, hotplug_etc_t)
 ')
-allow hald_t usbdevfs_t:dir search;
-allow hald_t usbdevfs_t:file { getattr read };
-allow hald_t usbfs_t:dir search;
-allow hald_t usbfs_t:file { getattr read };
+allow hald_t fs_type:dir { search getattr };
+allow hald_t usbfs_t:dir r_dir_perms;
+allow hald_t { usbdevfs_t usbfs_t }:file rw_file_perms;
 allow hald_t bin_t:lnk_file read;
 r_dir_file(hald_t, { selinux_config_t default_context_t } )
 allow hald_t initrc_t:dbus send_msg;
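Review bot: `allow hald_t { usbdevfs_t usbfs_t }:file rw_file_perms;` at L2447 widens hald's usbfs access from `{ getattr read }` to read/write, and `allow hald_t fs_type:dir { search getattr };` at L2445 grants directory search on every filesystem type; neither line says what operation needed the extra access. Writing usbfs device files is how userspace issues USB control requests, so a comment naming the probe or addon that needs write, e.g. `# <which helper> writes usbfs device nodes`, would let the next reviewer judge the grant.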
@@ -80,3 +79,25 @@ allow hald_t device_t:chr_file create_file_perms;
 tmp_domain(hald)
 allow hald_t mnt_t:dir search;
 r_dir_file(hald_t, proc_net_t)
+
+# For /usr/libexec/hald-addon-acpi - writes to /var/run/acpid.socket
+ifdef(`apmd.te', `
+allow hald_t apmd_var_run_t:sock_file write;
+allow hald_t apmd_t:unix_stream_socket connectto;
+')
+
+# For /usr/libexec/hald-probe-smbios
+domain_auto_trans(hald_t, dmidecode_exec_t, dmidecode_t)
+
+# ??
+ifdef(`lvm.te', `
+allow hald_t lvm_control_t:chr_file r_file_perms;
+')
+ifdef(`targeted_policy', `
+allow unconfined_t hald_t:dbus send_msg;
+allow hald_t unconfined_t:dbus send_msg;
+')
+ifdef(`mount.te', `
+domain_auto_trans(hald_t, mount_exec_t, mount_t)
+')
+
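Review bot: `domain_auto_trans(hald_t, dmidecode_exec_t, dmidecode_t)` at L2463 is not wrapped in an ifdef, unlike the neighbouring apmd, lvm and mount rules, so a build without the dmidecode policy will fail on undefined types; wrap it in `ifdef(`dmidecode.te', `...')`. The `# ??` comment at L2465 should say what lvm_control_t access hald needs or be dropped, and the trailing blank line at L2476 leaves a second empty line at end of file.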
diff --git a/strict/domains/program/hostname.te b/strict/domains/program/hostname.te
index 579cd97..07169c8 100644
--- a/strict/domains/program/hostname.te
+++ b/strict/domains/program/hostname.te
@@ -4,9 +4,7 @@
 # X-Debian-Packages: hostname
 
 # for setting the hostname
-daemon_base_domain(hostname, , nosysadm)
-role sysadm_r types hostname_t;
-
+daemon_core_rules(hostname, , nosysadm)
 allow hostname_t self:capability sys_admin;
 allow hostname_t etc_t:file { getattr read };
 
diff --git a/strict/domains/program/initrc.te b/strict/domains/program/initrc.te
index 8832423..2715d03 100644
--- a/strict/domains/program/initrc.te
+++ b/strict/domains/program/initrc.te
@@ -123,7 +123,10 @@ allow initrc_t fs_type:filesystem mount_fs_perms;
 allow initrc_t file_t:dir { read search getattr mounton };
 
 # during boot up initrc needs to do the following
-allow initrc_t default_t:dir { read search getattr mounton };
+allow initrc_t default_t:dir { write read search getattr mounton };
+
+# rhgb-console writes to ramfs
+allow initrc_t ramfs_t:fifo_file write;
 
 # Create runtime files in /etc, e.g. /etc/mtab, /etc/HOSTNAME.
 file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file)
@@ -233,7 +236,7 @@ allow initrc_t home_type:file r_file_perms;
 allow initrc_t pidfile:file { getattr read unlink };
 
 # for system start scripts
-allow initrc_t pidfile:dir rw_dir_perms;
+allow initrc_t pidfile:dir { rmdir rw_dir_perms };
 allow initrc_t pidfile:sock_file unlink;
 
 rw_dir_create_file(initrc_t, var_lib_t)
@@ -316,3 +319,6 @@ domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
 ')
 allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
 allow initrc_t device_t:lnk_file create_file_perms;
+ifdef(`dbusd.te', `
+allow initrc_t system_dbusd_var_run_t:sock_file write;
+')
diff --git a/strict/domains/program/lvm.te b/strict/domains/program/lvm.te
index c5ce785..b2e47eb 100644
--- a/strict/domains/program/lvm.te
+++ b/strict/domains/program/lvm.te
@@ -108,11 +108,11 @@ dontaudit lvm_t gpmctl_t:sock_file getattr;
 ')
 dontaudit lvm_t initctl_t:fifo_file getattr;
 allow lvm_t sbin_t:dir search;
-dontaudit lvm_t sbin_t:file getattr;
+dontaudit lvm_t sbin_t:file { getattr read };
 allow lvm_t lvm_control_t:chr_file rw_file_perms;
 allow initrc_t lvm_control_t:chr_file { getattr read unlink };
 allow initrc_t device_t:chr_file create;
-dontaudit lvm_t var_run_t:dir getattr;
+var_run_domain(lvm)
 
 # for when /usr is not mounted
 dontaudit lvm_t file_t:dir search;
@@ -122,6 +122,8 @@ r_dir_file(lvm_t, selinux_config_t)
 
 # it has no reason to need this
 dontaudit lvm_t proc_kcore_t:file getattr;
+allow lvm_t var_t:dir { search getattr };
+allow lvm_t ramfs_t:filesystem unmount;
 
 # cluster LVM daemon
 daemon_domain(clvmd)
diff --git a/strict/domains/program/modutil.te b/strict/domains/program/modutil.te
index dbdae1b..0af4cf5 100644
--- a/strict/domains/program/modutil.te
+++ b/strict/domains/program/modutil.te
@@ -56,6 +56,7 @@ file_type_auto_trans(depmod_t, modules_object_t, modules_dep_t, file)
 # Read module objects.
 allow depmod_t modules_object_t:dir r_dir_perms;
 allow depmod_t modules_object_t:{ file lnk_file } r_file_perms;
+allow depmod_t modules_object_t:file unlink;
 
 # Access terminals.
 allow depmod_t { console_device_t initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
@@ -137,15 +138,15 @@ allow insmod_t initrc_t:fifo_file { getattr read write };
 
 allow insmod_t fs_t:filesystem getattr;
 allow insmod_t sysfs_t:dir search;
-allow insmod_t { usbfs_t usbdevfs_t }:dir search;
-allow insmod_t { usbfs_t usbdevfs_t }:filesystem mount;
+allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:dir search;
+allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:filesystem mount;
 
 # Rules for /proc/sys/kernel/tainted
 read_sysctl(insmod_t)
 allow insmod_t proc_t:dir search;
 allow insmod_t sysctl_kernel_t:file { setattr rw_file_perms };
 
-allow insmod_t proc_t:file { getattr read };
+allow insmod_t proc_t:file rw_file_perms;
 allow insmod_t proc_t:lnk_file read;
 
 # Write to /proc/mtrr.
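Review bot: `allow insmod_t proc_t:file rw_file_perms;` at L2578 turns read-only access to all proc_t files into read/write, but the comment above only mentions /proc/sys/kernel/tainted, which is sysctl_kernel_t and already covered at L2575. Name the proc file insmod actually writes in a comment, and if it is a single file consider giving it its own type rather than opening all of proc_t.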
diff --git a/strict/domains/program/pamconsole.te b/strict/domains/program/pamconsole.te
index ed85882..488bed3 100644
--- a/strict/domains/program/pamconsole.te
+++ b/strict/domains/program/pamconsole.te
@@ -45,5 +45,6 @@ allow pam_console_t hotplug_t:fd use;
 ifdef(`xdm.te', `
 allow pam_console_t xdm_var_run_t:file { getattr read };
 ')
-allow initrc_t pam_var_console_t:dir r_dir_perms;
+allow initrc_t pam_var_console_t:dir rw_dir_perms;
+allow initrc_t pam_var_console_t:file unlink;
 allow pam_console_t file_context_t:file { getattr read };
diff --git a/strict/domains/program/postgresql.te b/strict/domains/program/postgresql.te
index f46ac65..a86d9d4 100644
--- a/strict/domains/program/postgresql.te
+++ b/strict/domains/program/postgresql.te
@@ -10,7 +10,6 @@
 #
 # postgresql_exec_t is the type of the postgresql executable.
 #
-type postgresql_port_t, port_type;
 daemon_domain(postgresql)
 allow initrc_t postgresql_exec_t:lnk_file read;
 allow postgresql_t usr_t:file { getattr read };
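Review bot: `type postgresql_port_t, port_type;` is removed at L2602, but `allow postgresql_t postgresql_port_t:tcp_socket name_bind;` at L2634 still uses the type, so it must now be declared elsewhere (presumably a central port declaration file not in this diff). A comment at the removal site pointing to the new declaration would save the next reader the search.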
@@ -37,7 +36,6 @@ allow postgresql_t self:capability { kill dac_override dac_read_search chown fow
 dontaudit postgresql_t self:capability sys_admin;
 
 etcdir_domain(postgresql)
-typealias postgresql_etc_t alias etc_postgresql_t;
 type postgresql_db_t, file_type, sysadmfile;
 
 logdir_domain(postgresql)
@@ -52,7 +50,7 @@ tmp_domain(postgresql, `', `{ dir file sock_file }')
 file_type_auto_trans(postgresql_t, tmpfs_t, postgresql_tmp_t)
 
 # Use the network.
-can_network_server(postgresql_t)
+can_network(postgresql_t)
 can_ypbind(postgresql_t)
 allow postgresql_t self:fifo_file { getattr read write ioctl };
 allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
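Review bot: Replacing `can_network_server(postgresql_t)` with `can_network(postgresql_t)` at L2619 gives the database server general outbound network access; the only new client use visible is the ident lookup via `allow postgresql_t auth_port_t:tcp_socket name_connect;` at L2635. If that is the reason, the narrower server macro plus the auth-port rule should suffice; if broader client access is needed, a comment should say what for.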
@@ -69,6 +67,7 @@ if (allow_user_postgresql_connect) {
 can_tcp_connect(userdomain, postgresql_t)
 allow userdomain postgresql_t:unix_stream_socket connectto;
 allow userdomain postgresql_var_run_t:sock_file write;
+allow userdomain postgresql_tmp_t:sock_file write;
 }
 ')
 ifdef(`consoletype.te', `
@@ -80,6 +79,7 @@ can_exec(postgresql_t, hostname_exec_t)
 ')
 
 allow postgresql_t postgresql_port_t:tcp_socket name_bind;
+allow postgresql_t auth_port_t:tcp_socket name_connect;
 
 allow postgresql_t { proc_t self }:file { getattr read };
 
@@ -110,9 +110,9 @@ allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
 allow postgresql_t self:sem create_sem_perms;
 
 allow postgresql_t initrc_var_run_t:file { getattr read lock };
-dontaudit postgresql_t selinux_config_t:dir { search };
-allow postgresql_t mail_spool_t:dir { search };
-rw_dir_create_file(postgresql_t, var_lock_t)
+dontaudit postgresql_t selinux_config_t:dir search;
+allow postgresql_t mail_spool_t:dir search;
+lock_domain(postgresql)
 can_exec(postgresql_t, { shell_exec_t bin_t postgresql_exec_t ls_exec_t } )
 ifdef(`apache.te', `
 # 
@@ -124,11 +124,15 @@ can_unix_connect(httpd_t, postgresql_t)
 
 ifdef(`distro_gentoo', `
 # "su - postgres ..." is called from initrc_t
-allow initrc_su_t postgresql_db_t:dir { search };
-allow postgresql_t initrc_su_t:process { sigchld };
+allow initrc_su_t postgresql_db_t:dir search;
+allow postgresql_t initrc_su_t:process sigchld;
 dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
 ')
 
 dontaudit postgresql_t home_root_t:dir search;
 can_kerberos(postgresql_t)
 allow postgresql_t urandom_device_t:chr_file { getattr read };
+
+if (allow_execmem) {
+allow postgresql_t self:process execmem;
+}
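Review bot: `if (allow_execmem) { allow postgresql_t self:process execmem; }` at L2667-L2669 ties a daemon to the user-domain boolean `allow_execmem` (used in base_user_macros.te at L2992), so toggling it for desktop users also changes the database server's memory protections. A dedicated boolean, or at least a comment explaining which postgresql component needs execmem, would make the coupling intentional rather than accidental.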
diff --git a/strict/domains/program/vpnc.te b/strict/domains/program/vpnc.te
index b2fff63..01ddac1 100644
--- a/strict/domains/program/vpnc.te
+++ b/strict/domains/program/vpnc.te
@@ -10,9 +10,9 @@
 # vpnc_t is the domain for the vpnc program.
 # vpnc_exec_t is the type of the vpnc executable.
 #
-daemon_domain(vpnc, `, sysctl_net_writer')
+application_domain(vpnc, `, sysctl_net_writer, nscd_client_domain')
 
-allow vpnc_t { random_device_t urandom_device_t }:chr_file read;
+allow vpnc_t { random_device_t urandom_device_t }:chr_file { getattr read };
 
 # Use the network.
 can_network(vpnc_t)
@@ -31,7 +31,7 @@ allow vpnc_t tun_tap_device_t:chr_file { ioctl read write };
 allow vpnc_t self:rawip_socket create_socket_perms;
 allow vpnc_t self:unix_dgram_socket create_socket_perms;
 allow vpnc_t self:unix_stream_socket create_socket_perms;
-allow vpnc_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
+allow vpnc_t { devtty_t user_tty_type admin_tty_type }:chr_file rw_file_perms;
 allow vpnc_t port_t:udp_socket name_bind;
 allow vpnc_t etc_runtime_t:file { getattr read };
 allow vpnc_t proc_t:file { getattr read };
@@ -42,6 +42,8 @@ allow vpnc_t sysctl_net_t:file write;
 allow vpnc_t sbin_t:dir search;
 allow vpnc_t bin_t:dir search;
 allow vpnc_t bin_t:lnk_file read;
+allow vpnc_t self:dir search;
+r_dir_file(vpnc_t, proc_t)
 r_dir_file(vpnc_t, proc_net_t)
 tmp_domain(vpnc)
 allow vpnc_t self:fifo_file { getattr ioctl read write };
@@ -49,3 +51,12 @@ allow vpnc_t self:file { getattr read };
 allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
 file_type_auto_trans(vpnc_t, etc_t, net_conf_t, file)
 allow vpnc_t etc_t:file { execute execute_no_trans ioctl };
+dontaudit vpnc_t home_root_t:dir search;
+dontaudit vpnc_t user_home_dir_type:dir search;
+var_run_domain(vpnc)
+allow vpnc_t userdomain:fd use;
+r_dir_file(vpnc_t, sysfs_t)
+allow vpnc_t self:process { fork sigchld };
+read_locale(vpnc_t)
+read_sysctl(vpnc_t)
+allow vpnc_t fs_t:filesystem getattr;
diff --git a/strict/domains/user.te b/strict/domains/user.te
index 39a76d6..d86e5d4 100644
--- a/strict/domains/user.te
+++ b/strict/domains/user.te
@@ -4,6 +4,16 @@
 
 # Booleans for user domains.
 
+# Allow applications to read untrusted content
+# If this is disallowed, Internet content has
+# to be manually relabeled for read access to be granted
+bool read_untrusted_content false;
+
+# Allow applications to write untrusted content
+# If this is disallowed, no Internet content
+# will be stored.
+bool write_untrusted_content false;
+
 # Allow users to read system messages.
 bool user_dmesg false;
 
@@ -54,54 +64,6 @@ bool read_default_t false;
 # files (such as ~/.bashrc)
 bool staff_read_sysadm_file false;
 
-# change from role $1_r to $2_r and relabel tty appropriately
-define(`role_tty_type_change', `
-allow $1_r $2_r;
-type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
-type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
-# avoid annoying messages on terminal hangup
-dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
-')
-
-# Reach sysadm_t via programs like userhelper/sudo/su
-undefine(`reach_sysadm')
-define(`reach_sysadm', `
-ifdef(`userhelper.te', `userhelper_domain($1)')
-ifdef(`sudo.te', `sudo_domain($1)')
-ifdef(`su.te', `
-su_domain($1)
-# When an ordinary user domain runs su, su may try to
-# update the /root/.Xauthority file, and the user shell may
-# try to update the shell history. This is not allowed, but 
-# we dont need to audit it.
-dontaudit $1_su_t { sysadm_home_dir_t staff_home_dir_t }:dir search;
-dontaudit $1_su_t { sysadm_home_t staff_home_t }:dir rw_dir_perms;
-dontaudit $1_su_t { sysadm_home_t staff_home_t }:file create_file_perms;
-') dnl ifdef su.te
-')
-
-# Privileged user domain
-undefine(`priv_user')
-define(`priv_user', `
-# Reach sysadm_t
-reach_sysadm($1)
-
-# Read file_contexts for rpm and get security decisions. 
-r_dir_file($1_t, file_context_t)
-can_getsecurity($1_t)
-
-# Signal and see information about unprivileged user domains.
-allow $1_t unpriv_userdomain:process signal_perms;
-can_ps($1_t, unpriv_userdomain)
-allow $1_t { ttyfile ptyfile tty_device_t }:chr_file getattr;
-
-# Read /root files if boolean is enabled.
-if (staff_read_sysadm_file) {
-allow $1_t sysadm_home_dir_t:dir { getattr search };
-allow $1_t sysadm_home_t:file { getattr read };
-}
-
-') dnl priv_user
 
 full_user_role(user)
 
diff --git a/strict/file_contexts/program/postgresql.fc b/strict/file_contexts/program/postgresql.fc
index 1feef35..b433c60 100644
--- a/strict/file_contexts/program/postgresql.fc
+++ b/strict/file_contexts/program/postgresql.fc
@@ -14,3 +14,7 @@
 /usr/lib/pgsql/test/regress/.*\.so	-- system_u:object_r:shlib_t
 /usr/lib/pgsql/test/regress/.*\.sh	-- system_u:object_r:bin_t
 /usr/lib/pgsql/test/regress/pg_regress	-- system_u:object_r:postgresql_exec_t
+ifdef(`distro_redhat', `
+/usr/share/jonas/pgsql(/.*)?       system_u:object_r:postgresql_db_t
+/var/log/rhdb/rhdb(/.*)?           system_u:object_r:postgresql_log_t 
+')
diff --git a/strict/macros/admin_macros.te b/strict/macros/admin_macros.te
index ebd92a9..aaa816e 100644
--- a/strict/macros/admin_macros.te
+++ b/strict/macros/admin_macros.te
@@ -20,15 +20,19 @@ type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type;
 type $1_home_t, file_type, sysadmfile, home_type, $1_file_type;
 
 # Type and access for pty devices.
-can_create_pty($1)
+can_create_pty($1, `, admin_tty_type')
 
-tmp_domain($1, `, $1_file_type', `{ file dir lnk_file sock_file fifo_file }')
+# Transition manually for { lnk sock fifo }. The rest is in content macros.
+tmp_domain_notrans($1, `, $1_file_type')
+file_type_auto_trans($1_t, tmp_t, $1_tmp_t, { lnk_file sock_file fifo_file })
+allow $1_t $1_tmp_t:{ dir file } { relabelto relabelfrom };
 
 # Type for tty devices.
-type $1_tty_device_t, sysadmfile, ttyfile, dev_fs;
+type $1_tty_device_t, sysadmfile, ttyfile, dev_fs, admin_tty_type;
 
 # Inherit rules for ordinary users.
 base_user_domain($1)
+access_removable_media($1_t)
 
 allow $1_t self:capability setuid;
 
@@ -36,11 +40,6 @@ ifdef(`su.te', `su_domain($1)')
 ifdef(`userhelper.te', `userhelper_domain($1)')
 ifdef(`sudo.te', `sudo_domain($1)')
 
-# Violates the goal of limiting write access to checkpolicy.
-# But presently necessary for installing the file_contexts file.
-create_dir_file($1_t, policy_config_t)
-r_dir_file($1_t, selinux_config_t)
-
 # Let admin stat the shadow file.
 allow $1_t shadow_t:file getattr;
 
@@ -51,12 +50,12 @@ allow $1_crond_t var_log_t:file r_file_perms;
 # Allow system log read
 allow $1_t kernel_t:system syslog_read;
 
+# Allow autrace
+# allow sysadm_t self:netlink_audit_socket nlmsg_readpriv;
+
 # Use capabilities other than sys_module.
 allow $1_t self:capability ~sys_module;
 
-# Get security policy decisions.
-can_getsecurity($1_t)
-
 # Use system operations.
 allow $1_t kernel_t:system *;
 
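Review bot: The commented-out rule `# allow sysadm_t self:netlink_audit_socket nlmsg_readpriv;` at L2849 is dead code; the permission is granted via `security_manager_domain` at L2939 and unconditionally in refpolicy at L2189. Either delete the two lines or replace them with a pointer such as `# nlmsg_readpriv (autrace) is granted by security_manager_domain`.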
@@ -82,12 +81,6 @@ allow $1_t sysadmfile:dir create_dir_perms;
 allow $1_t mtrr_device_t:file getattr;
 allow $1_t fs_type:dir getattr;
 
-# Set an exec context, e.g. for runcon.
-can_setexec($1_t)
-
-# Set a context other than the default one for newly created files.
-can_setfscreate($1_t)
-
 # Access removable devices.
 allow $1_t removable_device_t:devfile_class_set rw_file_perms;
 
@@ -124,18 +117,6 @@ can_exec($1_t, staff_home_t)
 # Run programs from /usr/src.
 can_exec($1_t, src_t)
 
-# Run admin programs that require different permissions in their own domain.
-# These rules were moved into the appropriate program domain file.
-
-# added by mayerf@tresys.com
-# The following rules are temporary until such time that a complete
-# policy management infrastructure is in place so that an administrator
-# cannot directly manipulate policy files with arbitrary programs.
-#
-allow $1_t policy_src_t:file create_file_perms;
-allow $1_t policy_src_t:lnk_file create_lnk_perms;
-allow $1_t policy_src_t:dir create_dir_perms;
-
 # Relabel all files.
 # Actually this will not allow relabeling ALL files unless you change
 # sysadmfile to file_type (and change the assertion in assert.te that
@@ -157,7 +138,7 @@ if (xdm_sysadm_login) {
 allow xdm_t $1_home_t:lnk_file read;
 allow xdm_t $1_home_t:dir search;
 }
-allow $1_t xdm_t:fifo_file rw_file_perms;
+can_pipe_xdm($1_t)
 ')dnl end ifdef xauth.te
 ')dnl end ifdef xdm.te
 
@@ -205,3 +186,42 @@ allow $1_t device_t:lnk_file { create read };
 allow $1_t domain:socket_class_set getattr;
 allow $1_t eventpollfs_t:file getattr;
 ')
+
+define(`security_manager_domain', `
+
+typeattribute $1 secadmin;
+# Allow administrator domains to set the enforcing flag.
+can_setenforce($1)
+
+# Allow administrator domains to set policy booleans.
+can_setbool($1)
+
+# Get security policy decisions.
+can_getsecurity($1)
+
+# Allow administrator domains to set security parameters
+can_setsecparam($1)
+
+# Run admin programs that require different permissions in their own domain.
+# These rules were moved into the appropriate program domain file.
+
+# added by mayerf@tresys.com
+# The following rules are temporary until such time that a complete
+# policy management infrastructure is in place so that an administrator
+# cannot directly manipulate policy files with arbitrary programs.
+#
+allow $1 secadmfile:file { relabelto relabelfrom create_file_perms };
+allow $1 secadmfile:lnk_file { relabelto relabelfrom create_lnk_perms };
+allow $1 secadmfile:dir { relabelto relabelfrom create_dir_perms };
+
+# Set an exec context, e.g. for runcon.
+can_setexec($1)
+
+# Set a context other than the default one for newly created files.
+can_setfscreate($1)
+
+allow $1 self:netlink_audit_socket nlmsg_readpriv;
+
+')
+
+
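Review bot: The comment block at L2921-L2928 is carried over verbatim from the rules removed at L2877-L2884 and no longer fits: "These rules were moved into the appropriate program domain file" describes nothing in this macro, and the "temporary until" text now sits above the `secadmfile` grant that is the core of the new security-manager role. Replace it with a comment stating what `secadmfile` covers and that relabelto/relabelfrom on it is intentional. The macro also depends on the `secadmin` and `secadmfile` attributes being declared elsewhere (not in this diff), lacks the `undefine` that neighbouring macros use before `define`, and the two trailing blank lines at L2942-L2943 can go.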
diff --git a/strict/macros/base_user_macros.te b/strict/macros/base_user_macros.te
index 6281fca..4db1e62 100644
--- a/strict/macros/base_user_macros.te
+++ b/strict/macros/base_user_macros.te
@@ -2,12 +2,6 @@
 # Macros for all user login domains.
 #
 
-define(`network_home_dir', `
-create_dir_file($1, $2)
-can_exec($1, $2)
-allow $1 $2:{ sock_file fifo_file } create_file_perms;
-')
-
 #
 # base_user_domain(domain_prefix)
 #
@@ -22,6 +16,30 @@ allow $1 $2:{ sock_file fifo_file } create_file_perms;
 undefine(`base_user_domain')
 define(`base_user_domain', `
 
+# Type for network-obtained content
+type $1_untrusted_content_t, file_type, $1_file_type, sysadmfile, customizable, polymember;
+type $1_untrusted_content_tmp_t, file_type, $1_file_type, sysadmfile, tmpfile, customizable, polymember;
+
+# Allow user to relabel untrusted content
+allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
+allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
+
+# Read content
+read_content($1_t, $1)
+
+# Write trusted content. This includes proper transition
+# for /home, and /tmp, so no other transition is necessary (or allowed)
+write_trusted($1_t, $1)
+
+# Maybe the home directory is networked
+network_home($1_t)
+
+# Transition for { lnk, fifo, sock }. The rest is covered by write_trusted.
+# Relabel files in the home directory 
+file_type_auto_trans($1_t, $1_home_dir_t, $1_home_t, { fifo_file sock_file lnk_file }); 
+allow $1_t $1_home_t:{ notdevfile_class_set dir } { relabelfrom relabelto };
+can_setfscreate($1_t)
+
 allow $1_t self:capability { setgid chown fowner };
 dontaudit $1_t self:capability { sys_nice fsetid };
 
@@ -40,10 +58,13 @@ if (allow_execmem) {
 allow $1_t self:process execmem;
 }
 
-if (allow_execmod) {
+if (allow_execmem && allow_execstack) {
+# Allow making the stack executable via mprotect.
+allow $1_t self:process execstack;
+}
+
 # Allow text relocations on system shared libraries, e.g. libGL.
 allow $1_t texrel_shlib_t:file execmod;
-}
 
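Review bot: Dropping the `if (allow_execmod)` guard at L2996/L3004 makes `allow $1_t texrel_shlib_t:file execmod;` unconditional for every user domain, so the `allow_execmod` boolean no longer controls text relocations here. If that is intended, the boolean's declaration should be removed or its description updated; if not, the guard should be restored around L3003. The new `allow_execmem && allow_execstack` condition at L2997 would benefit from a comment that execstack is only meaningful once execmem is granted.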
 #
 # kdeinit wants this access
@@ -63,38 +84,23 @@ allow $1_t event_device_t:chr_file { getattr read ioctl };
 allow $1_t dri_device_t:chr_file getattr;
 dontaudit $1_t dri_device_t:chr_file rw_file_perms;
 
-file_browse_domain($1_t)
+# Supress ls denials:
+# getattr() - ls -l
+# search_dir() - symlink path resolution
+# read_dir() - deep ls: ls parent/...
+
+dontaudit_getattr($1_t)
+dontaudit_search_dir($1_t)
+dontaudit_read_dir($1_t)
 
 # allow ptrace
 can_ptrace($1_t, $1_t)
 
-# Create, access, and remove files in home directory.
-file_type_auto_trans($1_t, $1_home_dir_t, $1_home_t)
-allow $1_t $1_home_t:notdevfile_class_set { relabelfrom relabelto };
-can_setfscreate($1_t)
-
-allow $1_t autofs_t:dir { search getattr };
-
-if (use_nfs_home_dirs) {
-network_home_dir($1_t, nfs_t)
-}
-
-if (use_samba_home_dirs) {
-network_home_dir($1_t, cifs_t)
-}
+# Allow user to run restorecon and relabel files
+can_getsecurity($1_t)
+r_dir_file($1_t, default_context_t)
+r_dir_file($1_t, file_context_t)
 
-can_exec($1_t, { removable_t noexattrfile } )
-if (user_rw_noexattrfile) {
-create_dir_file($1_t, noexattrfile)
-create_dir_file($1_t, removable_t)
-# Write floppies 
-allow $1_t removable_device_t:blk_file rw_file_perms;
-allow $1_t usbtty_device_t:chr_file write;
-} else {
-r_dir_file($1_t, noexattrfile)
-r_dir_file($1_t, removable_t)
-allow $1_t removable_device_t:blk_file r_file_perms;
-}
 allow $1_t usbtty_device_t:chr_file read;
 
 # GNOME checks for usb and other devices
@@ -104,16 +110,9 @@ can_exec($1_t, noexattrfile)
 # Bind to a Unix domain socket in /tmp.
 allow $1_t $1_tmp_t:unix_stream_socket name_bind;
 
-# Access ttys.
-allow $1_t privfd:fd use;
-allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
-
 # Use the type when relabeling terminal devices.
 type_change $1_t tty_device_t:chr_file $1_tty_device_t;
 
-# read localization information
-read_locale($1_t)
-
 # Debian login is from shadow utils and does not allow resetting the perms.
 # have to fix this!
 type_change $1_t ttyfile:chr_file $1_tty_device_t;
@@ -297,21 +296,16 @@ dontaudit $1_t domain:process { getattr getsession };
 #
 dontaudit $1_t usr_t:file setattr;
 
+# Use X
+x_client_domain($1, $1)
+
 ifdef(`xserver.te', `
-# for /tmp/.ICE-unix
-file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
 allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
 ')
 
 ifdef(`xdm.te', `
 # Connect to the X server run by the X Display Manager.
 can_unix_connect($1_t, xdm_t)
-allow $1_t xdm_tmp_t:sock_file rw_file_perms;
-allow $1_t xdm_tmp_t:dir r_dir_perms;
-allow $1_t xdm_tmp_t:file { getattr read };
-allow $1_t xdm_xserver_tmp_t:sock_file { read write };
-allow $1_t xdm_xserver_tmp_t:dir search;
-allow $1_t xdm_xserver_t:unix_stream_socket connectto;
 # certain apps want to read xdm.pid file
 r_dir_file($1_t, xdm_var_run_t)
 allow $1_t xdm_var_lib_t:file { getattr read };
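Review bot: `# Use X` above `x_client_domain($1, $1)` does not say which of the rules removed below it (the `/tmp/.ICE-unix` transition and the `xdm_tmp_t`/`xdm_xserver_tmp_t`/`xdm_xserver_t` allows) the call replaces, and the call is unconditional where the removed rules sat under `ifdef(`xdm.te'` and `ifdef(`xserver.te'`. Presumably x_client_domain (not on this page) carries its own ifdefs; the comment should state that so the next reader does not re-add the rules, e.g. `# Use X: x_client_domain supplies the xdm/xserver socket and tmp rules (conditionally on xdm.te/xserver.te)`. The enclosing macro starts and ends outside the hunk.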
@@ -320,9 +314,6 @@ ifdef(`xauth.te', `
 file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
 ')
 
-# for shared memory
-allow xdm_xserver_t $1_tmpfs_t:file { read write };
-
 ')dnl end ifdef xdm.te
 
 # Access the sound device.
@@ -375,6 +366,9 @@ allow $1_t default_t:dir r_dir_perms;
 allow $1_t default_t:notdevfile_class_set r_file_perms;
 }
 
+# Read fonts
+read_fonts($1_t, $1)
+
 read_sysctl($1_t);
 
 #
diff --git a/strict/macros/global_macros.te b/strict/macros/global_macros.te
index cdde6aa..8bd5d7b 100644
--- a/strict/macros/global_macros.te
+++ b/strict/macros/global_macros.te
@@ -437,7 +437,7 @@ allow $2_t device_t:dir getattr;
 # by default, only plain files and dirs may be stored there.
 # This can be overridden with a third parameter
 define(`tmp_domain', `
-type $1_tmp_t, file_type, sysadmfile, tmpfile $2;
+type $1_tmp_t, file_type, sysadmfile, polymember, tmpfile $2;
 ifelse($3, `',
 `file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `{ file dir }')',
 `file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `$3')')
diff --git a/strict/macros/user_macros.te b/strict/macros/user_macros.te
index d6f34f2..dfc6c17 100644
--- a/strict/macros/user_macros.te
+++ b/strict/macros/user_macros.te
@@ -2,6 +2,76 @@
 # Macros for all user login domains.
 #
 
+# role_tty_type_change(starting_role, ending_role)
+#
+# change from role $1_r to $2_r and relabel tty appropriately
+#
+
+undefine(`role_tty_type_change')
+define(`role_tty_type_change', `
+allow $1_r $2_r;
+type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
+type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
+# avoid annoying messages on terminal hangup
+dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
+')
+
+#
+# reach_sysadm(user)
+#
+# Reach sysadm_t via programs like userhelper/sudo/su
+#
+
+undefine(`reach_sysadm')
+define(`reach_sysadm', `
+ifdef(`userhelper.te', `userhelper_domain($1)')
+ifdef(`sudo.te', `sudo_domain($1)')
+ifdef(`su.te', `
+su_domain($1)
+# When an ordinary user domain runs su, su may try to
+# update the /root/.Xauthority file, and the user shell may
+# try to update the shell history. This is not allowed, but 
+# we dont need to audit it.
+dontaudit $1_su_t { sysadm_home_dir_t staff_home_dir_t }:dir search;
+dontaudit $1_su_t { sysadm_home_t staff_home_t }:dir rw_dir_perms;
+dontaudit $1_su_t { sysadm_home_t staff_home_t }:file create_file_perms;
+') dnl ifdef su.te
+ifdef(`xauth.te', `
+file_type_auto_trans($1_xauth_t, sysadm_home_dir_t, sysadm_xauth_home_t,file)
+ifdef(`userhelper.te', `
+file_type_auto_trans($1_userhelper_t, sysadm_home_dir_t, sysadm_xauth_home_t,file)
+') dnl userhelper.te 
+') dnl xauth.te 
+') dnl reach_sysadm
+
+#
+# priv_user(user)
+#
+# Privileged user domain
+#
+
+undefine(`priv_user')
+define(`priv_user', `
+# Reach sysadm_t
+reach_sysadm($1)
+
+# Read file_contexts for rpm and get security decisions. 
+r_dir_file($1_t, file_context_t)
+can_getsecurity($1_t)
+
+# Signal and see information about unprivileged user domains.
+allow $1_t unpriv_userdomain:process signal_perms;
+can_ps($1_t, unpriv_userdomain)
+allow $1_t { ttyfile ptyfile tty_device_t }:chr_file getattr;
+
+# Read /root files if boolean is enabled.
+if (staff_read_sysadm_file) {
+allow $1_t sysadm_home_dir_t:dir { getattr search };
+allow $1_t sysadm_home_t:file { getattr read };
+}
+
+') dnl priv_user
+
 #
 # user_domain(domain_prefix)
 #
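Review bot: The comment `# Signal and see information about unprivileged user domains.` in `priv_user` undersells `allow $1_t unpriv_userdomain:process signal_perms;`, which, if signal_perms is the usual broad set (its definition is not on this page), lets a privileged user domain send any signal, including termination, to every process of every unprivileged user; say so explicitly so the rule is neither narrowed nor widened by accident: `# Send any signal to, and read process info of, every unprivileged user domain.` In `reach_sysadm`, the `ifdef(`xauth.te'` block sits outside the `ifdef(`su.te'` block, so the `$1_xauth_t` transition into `sysadm_xauth_home_t` is emitted even when su.te is absent; if that is deliberate, the macro header should say so. The `# Privileged user domain` header on `priv_user` would also benefit from one line listing what it grants (sysadm reachability, file_contexts read, signalling of unprivileged domains, optional /root read).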
@@ -18,18 +88,23 @@ define(`user_domain', `
 # Use capabilities
 
 # Type for home directory.
-type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type;
-type $1_home_t, file_type, sysadmfile, home_type, user_home_type, $1_file_type;
+type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type, polydir;
+type $1_home_t, file_type, sysadmfile, home_type, user_home_type, $1_file_type, polymember;
 
-tmp_domain($1, `, user_tmpfile, $1_file_type', `{ file lnk_file dir sock_file fifo_file }')
+# Transition manually for { lnk sock fifo }. The rest is in content macros.
+tmp_domain_notrans($1, `, user_tmpfile, $1_file_type')
+file_type_auto_trans($1_t, tmp_t, $1_tmp_t, { lnk_file sock_file fifo_file })
+allow $1_t $1_tmp_t:{ dir file } { relabelto relabelfrom };
 
-# Type and access for pty devices.
-can_create_pty($1, `, userpty_type, user_tty_type')
+ifdef(`support_polyinstantiation', `
+type_member $1_t tmp_t:dir $1_tmp_t;
+type_member $1_t $1_home_dir_t:dir $1_home_t;
+')
 
-#Type for tty devices.
-type $1_tty_device_t, sysadmfile, ttyfile, user_tty_type, dev_fs;
- 
 base_user_domain($1)
+ifdef(`mls_policy', `', `
+access_removable_media($1_t)
+')
 
 # do not allow privhome access to sysadm_home_dir_t
 file_type_auto_trans(privhome, $1_home_dir_t, $1_home_t)
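Review bot: `ifdef(`mls_policy', `', `access_removable_media($1_t)')` in the middle of the hunk withholds removable-media access under MLS with no comment explaining why; add one above it stating the reason, e.g. `# MLS: ordinary user domains do not get removable media access here (REASON)`. The hunk also moves the `$1_tty_device_t` type and `can_create_pty` out of `user_domain`; on this page they reappear in `limited_user_role`, so any caller that invokes `user_domain` without going through `limited_user_role`/`full_user_role` would lose them — worth confirming against the other callers. The comment `# Transition manually for { lnk sock fifo }. The rest is in content macros.` should name the macro that now handles `{ file dir }`, since it is not on this page.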
@@ -44,7 +119,9 @@ allow $1_t system_map_t:file { getattr read };
 # user domain and the program, and allow us to maintain separation
 # between different instances of the program being run by different
 # user domains.
-ifdef(`apache.te', `apache_domain($1)')
+ifelse($1, sysadm, `',`
+ifdef(`apache.te', `apache_user_domain($1)')
+')
 ifdef(`slocate.te', `locate_domain($1)')
 ifdef(`lockdev.te', `lockdev_domain($1)')
 
@@ -110,19 +187,73 @@ file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
 #
 # Domains for ordinary users.
 #
-undefine(`full_user_role')
-define(`full_user_role', `
-
+undefine(`limited_user_role')
+define(`limited_user_role', `
 # user_t/$1_t is an unprivileged users domain.
-type $1_t, domain, userdomain, unpriv_userdomain, web_client_domain, nscd_client_domain, privfd;
+type $1_t, domain, userdomain, unpriv_userdomain, nscd_client_domain, privfd;
+
+#Type for tty devices.
+type $1_tty_device_t, sysadmfile, ttyfile, user_tty_type, dev_fs;
+# Type and access for pty devices.
+can_create_pty($1, `, userpty_type, user_tty_type')
+
+# Access ttys.
+allow $1_t privfd:fd use;
+allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
 
-attribute $1_file_type;
 # Grant read/search permissions to some of /proc.
 r_dir_file($1_t, proc_t)
 r_dir_file($1_t, proc_net_t)
 
 base_file_read_access($1_t)
 
+# Execute from the system shared libraries.
+uses_shlib($1_t)
+
+# Read /etc.
+r_dir_file($1_t, etc_t)
+allow $1_t etc_runtime_t:file r_file_perms;
+allow $1_t etc_runtime_t:lnk_file { getattr read };
+
+allow $1_t self:process { fork sigchld setpgid signal_perms };
+
+# read localization information
+read_locale($1_t)
+
+read_sysctl($1_t)
+can_exec($1_t, { bin_t sbin_t shell_exec_t ls_exec_t })
+
+allow $1_t self:dir search;
+allow $1_t self:file { getattr read };
+allow secadm_t self:fifo_file rw_file_perms;
+
+allow $1_t self:lnk_file read;
+allow $1_t self:unix_stream_socket create_socket_perms;
+allow $1_t urandom_device_t:chr_file { getattr read };
+dontaudit $1_t { var_spool_t var_log_t }:dir search;
+
+# Read /dev directories and any symbolic links.
+allow $1_t device_t:dir r_dir_perms;
+allow $1_t device_t:lnk_file { getattr read };
+allow $1_t devtty_t:chr_file { read write };
+
+')
+
+undefine(`full_user_role')
+define(`full_user_role', `
+
+limited_user_role($1)
+
+typeattribute  $1_t web_client_domain;
+
+attribute $1_file_type;
+
+ifdef(`useradd.te', `
+# Useradd relabels /etc/skel files so needs these privs 
+allow useradd_t $1_file_type:dir create_dir_perms;
+allow useradd_t $1_file_type:notdevfile_class_set create_file_perms;
+')
+
 can_exec($1_t, usr_t)
 
 # Read directories and files with the readable_t type.
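Review bot: `allow secadm_t self:fifo_file rw_file_perms;` inside `limited_user_role` hard-codes `secadm_t` where every neighbouring rule uses `$1_t`; as written the macro's own domain never gets fifo_file access on itself, and every expansion re-emits the same secadm_t rule (which would also fail to compile in a build where secadm_t is not declared). Likely intended: `allow $1_t self:fifo_file rw_file_perms;`. Separately, `typeattribute  $1_t web_client_domain;` has a doubled space.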
@@ -134,28 +265,18 @@ allow $1_t readable_t:notdevfile_class_set r_file_perms;
 allow $1_t lost_found_t:dir getattr;
 
 # Read /var, /var/spool, /var/run.
-allow $1_t var_t:dir r_dir_perms;
-allow $1_t var_t:notdevfile_class_set r_file_perms;
-allow $1_t var_spool_t:dir r_dir_perms;
-allow $1_t var_spool_t:notdevfile_class_set r_file_perms;
-allow $1_t var_run_t:dir r_dir_perms;
-allow $1_t var_run_t:{ file lnk_file } r_file_perms;
+r_dir_file($1_t, var_t)
+# what about pipes and sockets under /var/spool?
+r_dir_file($1_t, var_spool_t)
+r_dir_file($1_t, var_run_t)
 allow $1_t var_lib_t:dir r_dir_perms;
 allow $1_t var_lib_t:file { getattr read };
 
-read_sysctl($1_t)
-
-# Read /etc.
-allow $1_t etc_t:dir r_dir_perms;
-allow $1_t etc_t:notdevfile_class_set r_file_perms;
-allow $1_t etc_runtime_t:{ file lnk_file } r_file_perms;
-
 # for running depmod as part of the kernel packaging process
 allow $1_t modules_conf_t:file { getattr read };
 
 # Read man directories and files.
-allow $1_t man_t:dir r_dir_perms;
-allow $1_t man_t:notdevfile_class_set r_file_perms;
+r_dir_file($1_t, man_t)
 
 # Allow users to rw usb devices
 if (user_rw_usb) {
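Review bot: `# what about pipes and sockets under /var/spool?` is an open question left in the policy; either resolve it or mark it so it is found later: `# TODO: decide whether fifo_file/sock_file under /var/spool need r_file_perms`. Also `r_dir_file($1_t, var_run_t)` replaces an explicit `var_run_t:{ file lnk_file } r_file_perms` rule; whether r_dir_file (not on this page) covers lnk_file as the old rule did should be checked, otherwise symlinks under /var/run become unreadable for this domain. The `var_lib_t` rules just below are left as explicit allows, inconsistent with the r_dir_file form now used for var_t, var_spool_t, var_run_t and man_t.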
@@ -166,16 +287,9 @@ r_dir_file($1_t,usbdevfs_t)
 
 r_dir_file($1_t,sysfs_t)
 
-# Read /dev directories and any symbolic links.
-allow $1_t device_t:dir r_dir_perms;
-allow $1_t device_t:lnk_file r_file_perms;
-
 # Do not audit write denials to /etc/ld.so.cache.
 dontaudit $1_t ld_so_cache_t:file write;
 
-# Execute from the system shared libraries.
-uses_shlib($1_t);
-
 # $1_t is also granted permissions specific to user domains.
 user_domain($1)
 
@@ -193,22 +307,6 @@ dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
 dontaudit $1_t init_t:fd use;
 dontaudit $1_t initrc_t:fd use;
 allow $1_t initrc_t:fifo_file write;
-ifdef(`user_can_mount', `
-#
-#  Allow users to mount file systems like floppies and cdrom
-#
-mount_domain($1, $1_mount, `, fs_domain')
-r_dir_file($1_t, mnt_t)
-allow $1_mount_t device_t:lnk_file read;
-allow $1_mount_t removable_device_t:blk_file read;
-allow $1_mount_t iso9660_t:filesystem relabelfrom;
-allow $1_mount_t removable_t:filesystem { mount relabelto };
-allow $1_mount_t removable_t:dir mounton;
-ifdef(`xdm.te', `
-allow $1_mount_t xdm_t:fd use;
-allow $1_mount_t xdm_t:fifo_file { read write };
-')
-')
 
 #
 # Rules used to associate a homedir as a mountpoint
diff --git a/strict/types/file.te b/strict/types/file.te
index 5b319e5..24d0023 100644
--- a/strict/types/file.te
+++ b/strict/types/file.te
@@ -278,7 +278,7 @@ allow devpts_t self:filesystem associate;
 
 type tmpfs_t, file_type, mount_point, sysadmfile, fs_type;
 allow { logfile tmpfs_t tmpfile home_type } tmpfs_t:filesystem associate;
-allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate;
+allow { logfile tmpfile home_type } tmp_t:filesystem associate;
 ifdef(`distro_redhat', `
 allow { dev_fs ttyfile } { tmpfs_t tmp_t }:filesystem associate;
 ')
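Review bot: The removed `allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate;` was the only rule on the page letting `tmp_t` files associate with a `tmpfs_t` filesystem, and its replacement `allow { logfile tmpfile home_type } tmp_t:filesystem associate;` grants association with a `tmp_t` filesystem instead; the context line above covers tmpfs_t, logfile, tmpfile and home_type but not tmp_t. If /tmp is mounted as tmpfs, tmp_t-labelled files on it would now be denied association unless tmp_t carries `tmpfile`, which this page does not show. Using `tmp_t` as the filesystem target also requires it to be declared with `fs_type`; that declaration is not on this page, so it is worth confirming rather than assuming.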