diff --git a/modules-mls.conf b/modules-mls.conf index 9d5e452..7e5ccb2 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -1059,3 +1059,31 @@ tzdata = base # Abstract Machine Test Utility (AMTU) # amtu = module + +# Layer: users +# Module: staff +# +# Fully Privledged user. with su/sudo/newrole +# +staff = base + +# Layer: users +# Module: user +# +# Fully Privledged user. without su/sudo/newrole +# +user = base + +# Layer: users +# Module: secadm +# +# Root role used to manage selinux +# +secadm = module + +# Layer: users +# Module: auditadm +# +# Root role used to manage audit system +# +auditadm = module diff --git a/modules-targeted.conf b/modules-targeted.conf index fa8c19b..fa18b18 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -747,6 +747,12 @@ mount = base # mozilla = module +# Layer: apps +# Module: nsplugin +# +# Policy for nspluginwrapper +# +nsplugin = module # Layer: apps # Module: mplayer @@ -755,6 +761,13 @@ mozilla = module # mplayer = module +# Layer: apps +# Module: gpg +# +# Policy for Mozilla and related web browsers +# +gpg = module + # Layer: admin # Module: mrtg # @@ -1572,3 +1585,17 @@ bitlbee = module # soundserver = module +# Layer: users +# Module: staff +# +# Minimally privs guest account on tty logins +# +staff = base + +# Layer: users +# Module: user +# +# Minimally privs guest account on tty logins +# +user = base + diff --git a/policy-20071130.patch b/policy-20071130.patch index 3fc40d6..cee24d2 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch 
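Review bot: The description added for the `user` module in modules-mls.conf, `# Fully Privledged user. without su/sudo/newrole`, contradicts itself — a role that cannot su, sudo or newrole is not "fully privileged" — and will mislead anyone deciding which user modules to build into the MLS policy. Both new comments also misspell "Privileged". I would write `# Staff user role; may use su/sudo/newrole to reach administrative roles` for staff and `# Unprivileged user role; no su/sudo/newrole` for user.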
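Review bot: The comment on the new gpg entry in modules-targeted.conf, `# Policy for Mozilla and related web browsers`, is copied from the mozilla block and describes the wrong module. Replace it with `# Policy for GnuPG (gpg, gpg-agent, key-fetch helpers and pinentry)`, which is what the gpg.te added later in this same patch confines.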
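Review bot: The descriptions for the new staff and user entries at the end of modules-targeted.conf, `# Minimally privs guest account on tty logins`, are the guest module's text and do not describe either role; the same two modules are described as "Fully Privledged user" in modules-mls.conf in this commit, so the two files now disagree about what staff and user are. Use one accurate description in both files, e.g. `# Staff user role; may use su/sudo/newrole to reach administrative roles` and `# Unprivileged user role; no su/sudo/newrole`.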
@@ -12,6 +12,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u +system_r:remote_login_t:s0 guest_r:guest_t:s0 +system_r:sshd_t:s0 guest_r:guest_t:s0 +system_r:crond_t:s0 guest_r:guest_crond_t:s0 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.2.5/config/appconfig-mcs/root_default_contexts +--- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2007-10-12 08:56:09.000000000 -0400 ++++ serefpolicy-3.2.5/config/appconfig-mcs/root_default_contexts 2008-01-02 11:19:34.000000000 -0500 +@@ -1,11 +1,7 @@ + system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0 + system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 + +-staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +-sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +-user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +- + # + # Uncomment if you want to automatically login as sysadm_r + # +-#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 ++system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.2.5/config/appconfig-mcs/seusers --- nsaserefpolicy/config/appconfig-mcs/seusers 2007-10-12 08:56:09.000000000 -0400 +++ serefpolicy-3.2.5/config/appconfig-mcs/seusers 2007-12-19 05:38:08.000000000 -0500 
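Review bot: Uncommenting `system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 ...` in appconfig-mcs/root_default_contexts makes a root ssh login land directly in the first of those roles root is authorised for — unconfined_r, then sysadm_r — rather than requiring newrole after login, which is a deliberate loosening of the shipped default and should be called out in the package changelog. The context line kept directly above it, `# Uncomment if you want to automatically login as sysadm_r`, is now stale and says the opposite of what the file does. Replace that comment with `# root ssh logins default to unconfined_r/sysadm_r; comment this line out to require newrole after login`. The three removed `*_su_t` lines are not explained either; if `su` from staff_r to root is meant to keep working, as I read libselinux the entries must then come from the generic default_contexts — worth confirming before shipping.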
@@ -64,6 +80,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/gu +system_r:remote_login_t guest_r:guest_t +system_r:sshd_t guest_r:guest_t +system_r:crond_t guest_r:guest_crond_t +diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/root_default_contexts serefpolicy-3.2.5/config/appconfig-standard/root_default_contexts +--- nsaserefpolicy/config/appconfig-standard/root_default_contexts 2007-10-12 08:56:09.000000000 -0400 ++++ serefpolicy-3.2.5/config/appconfig-standard/root_default_contexts 2008-01-02 11:20:32.000000000 -0500 +@@ -1,11 +1,7 @@ + system_r:crond_t unconfined_r:unconfined_t sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t + system_r:local_login_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t + +-staff_r:staff_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t +-sysadm_r:sysadm_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t +-user_r:user_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t +- + # + # Uncomment if you want to automatically login as sysadm_r + # +-#system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t ++system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts serefpolicy-3.2.5/config/appconfig-standard/xguest_u_default_contexts --- nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.5/config/appconfig-standard/xguest_u_default_contexts 2007-12-19 05:38:08.000000000 -0500 
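Review bot: The `staff_r:staff_su_t`, `sysadm_r:sysadm_su_t` and `user_r:user_su_t` lines are deleted from appconfig-standard/root_default_contexts, yet the su.if hunks later in this same patch still derive `$1_su_t` domains (`allow $2 $1_su_t:process { getsched signal sigchld }`, `userdom_search_sysadm_home_dirs($1_su_t)`), so `su - root` from a staff_su_t or user_su_t source still happens and now has no root-specific entry here. As far as I can tell the lookup then falls back to the generic default_contexts, so which role root gets after su depends on what that file says for the `*_su_t` sources — please confirm it lists sysadm_r/unconfined_r, otherwise the deletion silently changes the post-su role. A one-line comment in the file, `# su to root: default contexts for *_su_t sources come from default_contexts`, would record the intent for the next reader.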
@@ -925,7 +957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.2.5/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2007-05-18 11:12:44.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/admin/rpm.if 2007-12-24 06:06:53.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/admin/rpm.if 2008-01-03 11:32:09.000000000 -0500 @@ -152,6 +152,24 @@ ######################################## @@ -976,11 +1008,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if ## Create, read, write, and delete RPM ## script temporary files. ## -@@ -224,8 +260,29 @@ - type rpm_script_tmp_t; +@@ -225,7 +261,29 @@ ') -- files_search_tmp($1) + files_search_tmp($1) + manage_dirs_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t) manage_files_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t) + manage_lnk_files_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t) @@ -1007,7 +1038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if ') ######################################## -@@ -289,3 +346,137 @@ +@@ -289,3 +347,137 @@ dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') @@ -1273,7 +1304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.2.5/policy/modules/admin/su.if --- nsaserefpolicy/policy/modules/admin/su.if 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/admin/su.if 2007-12-19 05:38:08.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/admin/su.if 2008-01-03 13:47:22.000000000 -0500 @@ -41,15 +41,13 @@ allow $2 $1_su_t:process signal; 
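Review bot: The rpm.if interface documented as `## Create, read, write, and delete RPM ## script temporary files.` now also grants `manage_dirs_pattern` and `manage_lnk_files_pattern` on rpm_script_tmp_t, but its doc header still says only "files"; update it to `## script temporary files, directories and symlinks.` so callers see what they are getting. Letting a caller create symlinks in the type that root-run rpm scriptlets use for temporary files is the classic symlink-following hazard, so the set of domains given this interface should stay small — the callers are not visible from this hunk. The enclosing interface starts and ends outside the hunk.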
@@ -1321,7 +1352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s allow $2 $1_su_t:fd use; allow $2 $1_su_t:fifo_file rw_file_perms; - allow $2 $1_su_t:process sigchld; -+ allow $2 $1_su_t:process { getsched signal }; ++ allow $2 $1_su_t:process { getsched signal sigchld }; kernel_read_system_state($1_su_t) kernel_read_kernel_sysctls($1_su_t) @@ -1344,7 +1375,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s files_read_etc_files($1_su_t) files_read_etc_runtime_files($1_su_t) files_search_var_lib($1_su_t) -@@ -226,6 +224,7 @@ +@@ -226,12 +224,14 @@ libs_use_ld_so($1_su_t) libs_use_shared_libs($1_su_t) @@ -1352,7 +1383,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s logging_send_syslog_msg($1_su_t) miscfiles_read_localization($1_su_t) -@@ -295,13 +294,7 @@ + +- userdom_use_user_terminals($1,$1_su_t) ++ userdom_search_sysadm_home_dirs($1_su_t) + userdom_search_user_home_dirs($1,$1_su_t) ++ userdom_use_user_terminals($1,$1_su_t) + + ifdef(`distro_rhel4',` + domain_role_change_exemption($1_su_t) +@@ -295,13 +295,7 @@ xserver_domtrans_user_xauth($1, $1_su_t) ') 
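Review bot: `userdom_search_sysadm_home_dirs($1_su_t)` is added to su.if without a comment, and because it sits in the per-role su template it applies to every derived su domain, user_su_t included. It is only directory search, so the exposure is small, but the reason is not obvious from the line; I would add `# presumably so su can reach /root when the target user is root -- confirm against the AVC that prompted this` above it. The enclosing template starts and ends outside this hunk.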
@@ -1959,13 +1998,564 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te +files_tmp_file(user_gconf_tmp_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.2.5/policy/modules/apps/gpg.fc --- nsaserefpolicy/policy/modules/apps/gpg.fc 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/apps/gpg.fc 2007-12-19 05:38:08.000000000 -0500 -@@ -1,4 +1,4 @@ ++++ serefpolicy-3.2.5/policy/modules/apps/gpg.fc 2008-01-03 16:26:50.000000000 -0500 +@@ -1,6 +1,6 @@ -HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:ROLE_gpg_secret_t,s0) +HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:user_gpg_secret_t,s0) - /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) +-/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) ++/usr/bin/gpg2? -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) + /usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0) + /usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.2.5/policy/modules/apps/gpg.if +--- nsaserefpolicy/policy/modules/apps/gpg.if 2007-07-23 10:20:12.000000000 -0400 ++++ serefpolicy-3.2.5/policy/modules/apps/gpg.if 2008-01-03 17:11:22.000000000 -0500 +@@ -38,6 +38,10 @@ + gen_require(` + type gpg_exec_t, gpg_helper_exec_t; + type gpg_agent_exec_t, pinentry_exec_t; ++ type gpg_t, gpg_helper_t; ++ type gpg_agent_t, gpg_pinentry_t; ++ type user_gpg_agent_tmp_t; ++ type user_gpg_secret_t; + ') + + ######################################## +@@ -45,275 +49,51 @@ + # Declarations + # + +- type $1_gpg_t; +- application_domain($1_gpg_t,gpg_exec_t) +- role $3 types $1_gpg_t; +- +- type $1_gpg_agent_t; +- application_domain($1_gpg_agent_t,gpg_agent_exec_t) +- role $3 types $1_gpg_agent_t; +- +- type $1_gpg_agent_tmp_t; +- 
files_tmp_file($1_gpg_agent_tmp_t) +- +- type $1_gpg_secret_t; +- userdom_user_home_content($1,$1_gpg_secret_t) +- +- type $1_gpg_helper_t; +- application_domain($1_gpg_helper_t,gpg_helper_exec_t) +- role $3 types $1_gpg_helper_t; +- +- type $1_gpg_pinentry_t; +- application_domain($1_gpg_pinentry_t,pinentry_exec_t) +- role $3 types $1_gpg_pinentry_t; ++ typealias gpg_t alias $1_gpg_t; ++ role $3 types gpg_t; + +- ######################################## +- # +- # GPG local policy +- # +- +- allow $1_gpg_t self:capability { ipc_lock setuid }; +- allow { $2 $1_gpg_t } $1_gpg_t:process signal; +- # setrlimit is for ulimit -c 0 +- allow $1_gpg_t self:process { setrlimit setcap setpgid }; +- +- allow $1_gpg_t self:fifo_file rw_fifo_file_perms; +- allow $1_gpg_t self:tcp_socket create_stream_socket_perms; +- +- # transition from the gpg domain to the helper domain +- domtrans_pattern($1_gpg_t,gpg_helper_exec_t,$1_gpg_helper_t) +- +- manage_files_pattern($1_gpg_t,$1_gpg_secret_t,$1_gpg_secret_t) +- manage_lnk_files_pattern($1_gpg_t,$1_gpg_secret_t,$1_gpg_secret_t) +- allow $1_gpg_t $1_gpg_secret_t:dir create_dir_perms; +- userdom_user_home_dir_filetrans($1, $1_gpg_t, $1_gpg_secret_t, dir) +- +- # transition from the userdomain to the derived domain +- domtrans_pattern($2,gpg_exec_t,$1_gpg_t) +- +- # allow ps to show gpg +- ps_process_pattern($2,$1_gpg_t) +- +- corenet_all_recvfrom_unlabeled($1_gpg_t) +- corenet_all_recvfrom_netlabel($1_gpg_t) +- corenet_tcp_sendrecv_all_if($1_gpg_t) +- corenet_udp_sendrecv_all_if($1_gpg_t) +- corenet_tcp_sendrecv_all_nodes($1_gpg_t) +- corenet_udp_sendrecv_all_nodes($1_gpg_t) +- corenet_tcp_sendrecv_all_ports($1_gpg_t) +- corenet_udp_sendrecv_all_ports($1_gpg_t) +- corenet_tcp_connect_all_ports($1_gpg_t) +- corenet_sendrecv_all_client_packets($1_gpg_t) +- +- dev_read_rand($1_gpg_t) +- dev_read_urand($1_gpg_t) ++ typealias gpg_agent_t alias $1_gpg_agent_t; ++ role $3 types gpg_agent_t; + +- fs_getattr_xattr_fs($1_gpg_t) ++ typealias 
gpg_helper_t alias $1_gpg_helper_t; ++ role $3 types gpg_helper_t; + +- domain_use_interactive_fds($1_gpg_t) ++ typealias gpg_pinentry_t alias $1_gpg_pinentry_t; ++ role $3 types gpg_pinentry_t; + +- files_read_etc_files($1_gpg_t) +- files_read_usr_files($1_gpg_t) +- files_dontaudit_search_var($1_gpg_t) +- +- libs_use_shared_libs($1_gpg_t) +- libs_use_ld_so($1_gpg_t) +- +- miscfiles_read_localization($1_gpg_t) +- +- logging_send_syslog_msg($1_gpg_t) +- +- sysnet_read_config($1_gpg_t) +- +- userdom_use_user_terminals($1,$1_gpg_t) +- +- optional_policy(` +- nis_use_ypbind($1_gpg_t) ++ ifelse(`$1',`user',`',` ++ typealias user_gpg_agent_tmp_t alias $1_gpg_agent_tmp_t; ++ typealias user_gpg_secret_t alias $1_gpg_secret_t; + ') + +- ifdef(`TODO',` +- # Read content to encrypt/decrypt/sign +- read_content($1_gpg_t, $1) +- +- # Write content to encrypt/decrypt/sign +- write_trusted($1_gpg_t, $1) +- ') dnl end TODO +- +- ######################################## +- # +- # GPG helper local policy +- # +- +- # for helper programs (which automatically fetch keys) +- # Note: this is only tested with the hkp interface. If you use eg the +- # mail interface you will likely need additional permissions. 
+- +- allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms; +- allow $1_gpg_helper_t self:tcp_socket { connect connected_socket_perms }; +- allow $1_gpg_helper_t self:udp_socket { connect connected_socket_perms }; +- +- # communicate with the user +- allow $1_gpg_helper_t $2:fd use; +- allow $1_gpg_helper_t $2:fifo_file write; +- +- dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read; +- +- corenet_all_recvfrom_unlabeled($1_gpg_helper_t) +- corenet_all_recvfrom_netlabel($1_gpg_helper_t) +- corenet_tcp_sendrecv_all_if($1_gpg_helper_t) +- corenet_raw_sendrecv_all_if($1_gpg_helper_t) +- corenet_udp_sendrecv_all_if($1_gpg_helper_t) +- corenet_tcp_sendrecv_all_nodes($1_gpg_helper_t) +- corenet_udp_sendrecv_all_nodes($1_gpg_helper_t) +- corenet_raw_sendrecv_all_nodes($1_gpg_helper_t) +- corenet_tcp_sendrecv_all_ports($1_gpg_helper_t) +- corenet_udp_sendrecv_all_ports($1_gpg_helper_t) +- corenet_tcp_bind_all_nodes($1_gpg_helper_t) +- corenet_udp_bind_all_nodes($1_gpg_helper_t) +- corenet_tcp_connect_all_ports($1_gpg_helper_t) +- +- dev_read_urand($1_gpg_helper_t) +- +- files_read_etc_files($1_gpg_helper_t) +- # for nscd +- files_dontaudit_search_var($1_gpg_helper_t) +- +- libs_use_ld_so($1_gpg_helper_t) +- libs_use_shared_libs($1_gpg_helper_t) +- +- sysnet_read_config($1_gpg_helper_t) +- +- tunable_policy(`use_nfs_home_dirs',` +- fs_dontaudit_rw_nfs_files($1_gpg_helper_t) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_dontaudit_rw_cifs_files($1_gpg_helper_t) +- ') +- +- optional_policy(` +- xserver_use_xdm_fds($1_gpg_t) +- xserver_rw_xdm_pipes($1_gpg_t) +- ') +- +- ######################################## +- # +- # GPG agent local policy +- # +- +- # rlimit: gpg-agent wants to prevent coredumps +- allow $1_gpg_agent_t self:process setrlimit; ++ # transition from the userdomain to the derived domain ++ domtrans_pattern($2,gpg_exec_t,gpg_t) + +- allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ; +- allow $1_gpg_agent_t 
self:fifo_file rw_fifo_file_perms; ++ # Transition from the user domain to the derived domain. ++ domtrans_pattern($2, gpg_agent_exec_t, $1_gpg_agent_t) + +- # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) +- manage_dirs_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t) +- manage_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t) +- manage_lnk_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t) ++ allow $2 gpg_t:process signal_perms; + +- # allow gpg to connect to the gpg agent +- stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t) ++ # allow ps to show gpg ++ ps_process_pattern($2,gpg_t) + + # allow ps to show gpg-agent + ps_process_pattern($2,$1_gpg_agent_t) + + # Allow the user shell to signal the gpg-agent program. +- allow $2 $1_gpg_agent_t:process { signal sigkill }; +- +- manage_dirs_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t) +- manage_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t) +- manage_sock_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t) +- files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir }) +- +- # Transition from the user domain to the derived domain. +- domtrans_pattern($2, gpg_agent_exec_t, $1_gpg_agent_t) +- +- corecmd_search_bin($1_gpg_agent_t) +- +- domain_use_interactive_fds($1_gpg_agent_t) +- +- libs_use_ld_so($1_gpg_agent_t) +- libs_use_shared_libs($1_gpg_agent_t) +- +- miscfiles_read_localization($1_gpg_agent_t) ++ allow $2 gpg_agent_t:process signal_perms; + ++ userdom_use_user_terminals($1,gpg_t) + # Write to the user domain tty. 
+- userdom_use_user_terminals($1,$1_gpg_agent_t) +- # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) +- userdom_search_user_home_dirs($1,$1_gpg_agent_t) +- +- tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs($1_gpg_agent_t) +- fs_manage_nfs_files($1_gpg_agent_t) +- fs_manage_nfs_symlinks($1_gpg_agent_t) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs($1_gpg_agent_t) +- fs_manage_cifs_files($1_gpg_agent_t) +- fs_manage_cifs_symlinks($1_gpg_agent_t) +- ') +- +- ############################## +- # +- # Pinentry local policy +- # ++ userdom_use_user_terminals($1,gpg_agent_t) + +- allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write }; +- allow $1_gpg_pinentry_t self:fifo_file rw_fifo_file_perms; +- +- # we need to allow gpg-agent to call pinentry so it can get the passphrase +- # from the user. +- domtrans_pattern($1_gpg_agent_t,pinentry_exec_t,$1_gpg_pinentry_t) +- +- # read /proc/meminfo +- kernel_read_system_state($1_gpg_pinentry_t) +- +- files_read_usr_files($1_gpg_pinentry_t) +- # read /etc/X11/qtrc +- files_read_etc_files($1_gpg_pinentry_t) +- +- libs_use_ld_so($1_gpg_pinentry_t) +- libs_use_shared_libs($1_gpg_pinentry_t) +- +- miscfiles_read_fonts($1_gpg_pinentry_t) +- miscfiles_read_localization($1_gpg_pinentry_t) +- +- # for .Xauthority +- userdom_read_user_home_content_files($1,$1_gpg_pinentry_t) +- +- tunable_policy(`use_nfs_home_dirs',` +- fs_read_nfs_files($1_gpg_pinentry_t) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_read_cifs_files($1_gpg_pinentry_t) +- ') +- +- optional_policy(` +- xserver_stream_connect_xdm_xserver($1_gpg_pinentry_t) +- ') +- +- ifdef(`TODO',` +- allow $1_gpg_pinentry_t tmp_t:dir { getattr search }; +- +- # wants to put some lock files into the user home dir, seems to work fine without +- dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write }; +- dontaudit $1_gpg_pinentry_t $1_home_t:file write; +- +- 
tunable_policy(`use_nfs_home_dirs',` +- dontaudit $1_gpg_pinentry_t nfs_t:dir write; +- dontaudit $1_gpg_pinentry_t nfs_t:file write; +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- dontaudit $1_gpg_pinentry_t cifs_t:dir write; +- dontaudit $1_gpg_pinentry_t cifs_t:file write; +- ') ++ # communicate with the user ++ allow gpg_helper_t $2:fd use; ++ allow gpg_helper_t $2:fifo_file write; + +- dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search }; +- ') dnl end TODO ++ manage_dirs_pattern($2,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t) ++ manage_files_pattern($2,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t) ++ manage_sock_files_pattern($2,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t) + ') + + ######################################## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.2.5/policy/modules/apps/gpg.te +--- nsaserefpolicy/policy/modules/apps/gpg.te 2007-12-19 05:32:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/apps/gpg.te 2008-01-03 17:11:59.000000000 -0500 +@@ -7,15 +7,223 @@ + # + + # Type for gpg or pgp executables. ++type gpg_t; + type gpg_exec_t; ++application_domain(gpg_t,gpg_exec_t) ++ ++type gpg_helper_t; + type gpg_helper_exec_t; +-application_executable_file(gpg_exec_t) +-application_executable_file(gpg_helper_exec_t) ++application_domain(gpg_helper_t,gpg_helper_exec_t) + + # Type for the gpg-agent executable. 
++type gpg_agent_t; + type gpg_agent_exec_t; +-application_executable_file(gpg_agent_exec_t) ++application_domain(gpg_agent_t,gpg_agent_exec_t) + + # type for the pinentry executable ++type gpg_pinentry_t; + type pinentry_exec_t; +-application_executable_file(pinentry_exec_t) ++application_domain(gpg_pinentry_t,pinentry_exec_t) ++ ++type user_gpg_agent_tmp_t; ++files_tmp_file(user_gpg_agent_tmp_t) ++ ++type user_gpg_secret_t; ++userdom_user_home_content(user,user_gpg_secret_t) ++ ++######################################## ++# ++# GPG local policy ++# ++ ++allow gpg_t self:capability { ipc_lock setuid }; ++allow gpg_t gpg_t:process signal; ++# setrlimit is for ulimit -c 0 ++allow gpg_t self:process { setrlimit setcap setpgid }; ++ ++allow gpg_t self:fifo_file rw_fifo_file_perms; ++allow gpg_t self:tcp_socket create_stream_socket_perms; ++ ++manage_files_pattern(gpg_t,user_gpg_secret_t,user_gpg_secret_t) ++manage_lnk_files_pattern(gpg_t,user_gpg_secret_t,user_gpg_secret_t) ++allow gpg_t user_gpg_secret_t:dir create_dir_perms; ++userdom_user_home_dir_filetrans(user, gpg_t, user_gpg_secret_t, dir) ++userdom_manage_user_home_content_files(user,gpg_t) ++ ++# transition from the gpg domain to the helper domain ++domtrans_pattern(gpg_t,gpg_helper_exec_t,gpg_helper_t) ++ ++corenet_all_recvfrom_unlabeled(gpg_t) ++corenet_all_recvfrom_netlabel(gpg_t) ++corenet_tcp_sendrecv_all_if(gpg_t) ++corenet_udp_sendrecv_all_if(gpg_t) ++corenet_tcp_sendrecv_all_nodes(gpg_t) ++corenet_udp_sendrecv_all_nodes(gpg_t) ++corenet_tcp_sendrecv_all_ports(gpg_t) ++corenet_udp_sendrecv_all_ports(gpg_t) ++corenet_tcp_connect_all_ports(gpg_t) ++corenet_sendrecv_all_client_packets(gpg_t) ++ ++dev_read_rand(gpg_t) ++dev_read_urand(gpg_t) ++ ++fs_getattr_xattr_fs(gpg_t) ++ ++domain_use_interactive_fds(gpg_t) ++ ++files_read_etc_files(gpg_t) ++files_read_usr_files(gpg_t) ++files_dontaudit_search_var(gpg_t) ++ ++libs_use_shared_libs(gpg_t) ++libs_use_ld_so(gpg_t) ++ ++miscfiles_read_localization(gpg_t) ++ 
++logging_send_syslog_msg(gpg_t) ++ ++sysnet_read_config(gpg_t) ++ ++optional_policy(` ++ nis_use_ypbind(gpg_t) ++') ++ ++######################################## ++# ++# GPG helper local policy ++# ++ ++# for helper programs (which automatically fetch keys) ++# Note: this is only tested with the hkp interface. If you use eg the ++# mail interface you will likely need additional permissions. ++ ++allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms; ++allow gpg_helper_t self:tcp_socket { connect connected_socket_perms }; ++allow gpg_helper_t self:udp_socket { connect connected_socket_perms }; ++ ++dontaudit gpg_helper_t user_gpg_secret_t:file read; ++ ++corenet_all_recvfrom_unlabeled(gpg_helper_t) ++corenet_all_recvfrom_netlabel(gpg_helper_t) ++corenet_tcp_sendrecv_all_if(gpg_helper_t) ++corenet_raw_sendrecv_all_if(gpg_helper_t) ++corenet_udp_sendrecv_all_if(gpg_helper_t) ++corenet_tcp_sendrecv_all_nodes(gpg_helper_t) ++corenet_udp_sendrecv_all_nodes(gpg_helper_t) ++corenet_raw_sendrecv_all_nodes(gpg_helper_t) ++corenet_tcp_sendrecv_all_ports(gpg_helper_t) ++corenet_udp_sendrecv_all_ports(gpg_helper_t) ++corenet_tcp_bind_all_nodes(gpg_helper_t) ++corenet_udp_bind_all_nodes(gpg_helper_t) ++corenet_tcp_connect_all_ports(gpg_helper_t) ++ ++dev_read_urand(gpg_helper_t) ++ ++files_read_etc_files(gpg_helper_t) ++# for nscd ++files_dontaudit_search_var(gpg_helper_t) ++ ++libs_use_ld_so(gpg_helper_t) ++libs_use_shared_libs(gpg_helper_t) ++ ++sysnet_read_config(gpg_helper_t) ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_dontaudit_rw_nfs_files(gpg_helper_t) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_dontaudit_rw_cifs_files(gpg_helper_t) ++') ++ ++optional_policy(` ++ xserver_use_xdm_fds(gpg_t) ++ xserver_rw_xdm_pipes(gpg_t) ++') ++ ++######################################## ++# ++# GPG agent local policy ++# ++ ++# rlimit: gpg-agent wants to prevent coredumps ++allow gpg_agent_t self:process setrlimit; ++ ++allow gpg_agent_t 
self:unix_stream_socket create_stream_socket_perms ; ++allow gpg_agent_t self:fifo_file rw_fifo_file_perms; ++ ++# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) ++manage_dirs_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t) ++manage_files_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t) ++manage_lnk_files_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t) ++ ++# allow gpg to connect to the gpg agent ++stream_connect_pattern(gpg_t,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t,gpg_agent_t) ++ ++files_tmp_filetrans(gpg_agent_t, user_gpg_agent_tmp_t, { file sock_file dir }) ++ ++corecmd_search_bin(gpg_agent_t) ++ ++domain_use_interactive_fds(gpg_agent_t) ++ ++libs_use_ld_so(gpg_agent_t) ++libs_use_shared_libs(gpg_agent_t) ++ ++miscfiles_read_localization(gpg_agent_t) ++ ++# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) ++userdom_search_user_home_dirs(user,gpg_agent_t) ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_manage_nfs_dirs(gpg_agent_t) ++ fs_manage_nfs_files(gpg_agent_t) ++ fs_manage_nfs_symlinks(gpg_agent_t) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_dirs(gpg_agent_t) ++ fs_manage_cifs_files(gpg_agent_t) ++ fs_manage_cifs_symlinks(gpg_agent_t) ++') ++ ++############################## ++# ++# Pinentry local policy ++# ++ ++allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write }; ++allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms; ++ ++# we need to allow gpg-agent to call pinentry so it can get the passphrase ++# from the user. 
++domtrans_pattern(gpg_agent_t,pinentry_exec_t,gpg_pinentry_t) ++ ++# read /proc/meminfo ++kernel_read_system_state(gpg_pinentry_t) ++ ++files_read_usr_files(gpg_pinentry_t) ++# read /etc/X11/qtrc ++files_read_etc_files(gpg_pinentry_t) ++ ++libs_use_ld_so(gpg_pinentry_t) ++libs_use_shared_libs(gpg_pinentry_t) ++ ++miscfiles_read_fonts(gpg_pinentry_t) ++miscfiles_read_localization(gpg_pinentry_t) ++ ++# for .Xauthority ++userdom_read_user_home_content_files(user,gpg_pinentry_t) ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_read_nfs_files(gpg_pinentry_t) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_read_cifs_files(gpg_pinentry_t) ++') ++ ++optional_policy(` ++ xserver_stream_connect_xdm_xserver(gpg_pinentry_t) ++') ++ ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.fc serefpolicy-3.2.5/policy/modules/apps/irc.fc --- nsaserefpolicy/policy/modules/apps/irc.fc 2007-10-12 08:56:02.000000000 -0400 +++ serefpolicy-3.2.5/policy/modules/apps/irc.fc 2007-12-19 05:38:08.000000000 -0500 @@ -2437,7 +3027,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. # /bin diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.2.5/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-29 07:52:48.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/apps/mozilla.if 2007-12-26 18:15:18.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/apps/mozilla.if 2008-01-03 17:10:37.000000000 -0500 @@ -35,7 +35,10 @@ template(`mozilla_per_role_template',` gen_require(` 
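Review bot: The rewrite labels every role's ~/.gnupg as the single type user_gpg_secret_t (gpg.fc) and lets the shared gpg_t and gpg_agent_t manage it (gpg.te), while gpg.if attaches gpg_t to every role that calls the template, so type enforcement no longer distinguishes one role's keyring from another's — that separation now rests on DAC alone. The trade-off may be intended, but it should be stated at the declaration, e.g. `# Single type for all roles' keyrings: cross-user isolation of ~/.gnupg now relies on DAC, not on this label.` The new `userdom_manage_user_home_content_files(user,gpg_t)` in gpg.te is also a broadening with no comment — the original template only carried a TODO for reading/writing user content — and deserves a line such as `# gpg reads plaintext and writes ciphertext anywhere in the user's home`. Finally, `allow gpg_t gpg_t:process signal;` should read `allow gpg_t self:process signal;` to match the surrounding self: rules.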
@@ -2763,14 +3353,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. - dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t) +# dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t) +# dbus_connectto_user_bus($1,$1_mozilla_t) - ') - - optional_policy(` -+ gnome_exec_gconf($1_mozilla_t) -+ gnome_manage_user_gnome_config($1,$1_mozilla_t) + ') + + optional_policy(` ++ gnome_exec_gconf($1_mozilla_t) ++ gnome_manage_user_gnome_config($1,$1_mozilla_t) + ') + + optional_policy(` + gnome_domtrans_user_gconf($1,$1_mozilla_t) gnome_stream_connect_gconf_template($1,$1_mozilla_t) ') @@ -2781,7 +3371,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') optional_policy(` -@@ -382,25 +318,6 @@ +@@ -370,6 +306,10 @@ + ') + + optional_policy(` ++ nsplugin_per_role_template($1, $1_mozilla_t, $1_r) ++ ') ++ ++ optional_policy(` + mplayer_domtrans_user_mplayer($1, $1_mozilla_t) + mplayer_read_user_home_files($1, $1_mozilla_t) + ') +@@ -382,25 +322,6 @@ thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t) ') @@ -2807,7 +3408,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') ######################################## -@@ -430,11 +347,11 @@ +@@ -430,11 +351,11 @@ # template(`mozilla_read_user_home_files',` gen_require(` @@ -2822,7 +3423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') ######################################## -@@ -464,11 +381,11 @@ +@@ -464,11 +385,11 @@ # template(`mozilla_write_user_home_files',` gen_require(` @@ -2837,7 +3438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') ######################################## -@@ -573,3 +490,27 @@ +@@ -573,3 +494,27 @@ allow $2 $1_mozilla_t:tcp_socket rw_socket_perms; ') 
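Review bot: `nsplugin_per_role_template($1, $1_mozilla_t, $1_r)` builds the role name from the prefix instead of passing the template's role argument, unlike the other per-role calls in this template; if mozilla_per_role_template's third parameter is the role, as elsewhere in refpolicy, this should be `nsplugin_per_role_template($1, $1_mozilla_t, $3)` so a caller whose prefix does not match its role name still works. I also do not see `nsplugin_per_role_template` among the nsplugin.if interfaces visible in this patch (nsplugin_domtrans, nsplugin_search_rw_dir, nsplugin_read_rw_files, nsplugin_manage_rw_files); that file is cut off here, so confirm it is defined, otherwise this optional_policy block will not build. The enclosing template starts and ends outside the hunk.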
@@ -2991,35 +3592,302 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer. +type user_mplayer_home_t alias user_mplayer_rw_t; +userdom_user_home_content(user,user_mplayer_home_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.2.5/policy/modules/apps/screen.fc ---- nsaserefpolicy/policy/modules/apps/screen.fc 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/apps/screen.fc 2007-12-19 05:38:08.000000000 -0500 -@@ -1,7 +1,7 @@ - # - # /home - # --HOME_DIR/\.screenrc -- gen_context(system_u:object_r:ROLE_screen_ro_home_t,s0) -+HOME_DIR/\.screenrc -- gen_context(system_u:object_r:user_screen_ro_home_t,s0) - - # - # /usr -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.2.5/policy/modules/apps/screen.if ---- nsaserefpolicy/policy/modules/apps/screen.if 2007-07-23 10:20:12.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/apps/screen.if 2007-12-19 05:38:08.000000000 -0500 -@@ -50,8 +50,9 @@ - type $1_screen_tmp_t; - files_tmp_file($1_screen_tmp_t) - -- type $1_screen_ro_home_t; -- files_type($1_screen_ro_home_t) -+ ifelse(`$1',`user',`',` -+ typealias user_screen_ro_home_t alias $1_screen_ro_home_t; -+ ') - - type $1_screen_var_run_t; - files_pid_file($1_screen_var_run_t) -@@ -81,9 +82,9 @@ - filetrans_pattern($1_screen_t,screen_dir_t,$1_screen_var_run_t,fifo_file) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.2.5/policy/modules/apps/nsplugin.fc +--- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.fc 2008-01-03 15:47:01.000000000 -0500 +@@ -0,0 +1,3 @@ ++ ++/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_exec_t,s0) ++/usr/lib/mozilla/plugins-wrapped(/.*)? 
gen_context(system_u:object_r:nsplugin_rw_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.2.5/policy/modules/apps/nsplugin.if +--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.if 2008-01-03 17:03:53.000000000 -0500 +@@ -0,0 +1,205 @@ ++ ++## policy for nsplugin ++ ++######################################## ++## ++## Execute a domain transition to run nsplugin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`nsplugin_domtrans',` ++ gen_require(` ++ type nsplugin_t; ++ type nsplugin_exec_t; ++ ') ++ ++ domtrans_pattern($1,nsplugin_exec_t,nsplugin_t) ++') ++ ++ ++######################################## ++## ++## Search nsplugin rw directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nsplugin_search_rw_dir',` ++ gen_require(` ++ type nsplugin_rw_t; ++ ') ++ ++ allow $1 nsplugin_rw_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## Read nsplugin rw files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nsplugin_read_rw_files',` ++ gen_require(` ++ type nsplugin_rw_t; ++ ') ++ ++ read_fils_pattern($1, nsplugin_rw_t, nsplugin_rw_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## nsplugin rw files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nsplugin_manage_rw_files',` ++ gen_require(` ++ type nsplugin_rw_t; ++ ') ++ ++ allow $1 nsplugin_rw_t:file manage_file_perms; ++ allow $1 nsplugin_rw_t:dir rw_dir_perms; ++') ++ ++######################################## ++## ++## Manage nsplugin rw files. ++## ++## ++## ++## Domain allowed access. 
++##
++##
++#
++interface(`nsplugin_manage_rw',`
++ gen_require(`
++ type nsplugin_rw_t;
++ ')
++
++ manage_dirs_pattern($1,nsplugin_rw_t,nsplugin_rw_t)
++ manage_files_pattern($1,nsplugin_rw_t,nsplugin_rw_t)
++ manage_lnk_files_pattern($1,nsplugin_rw_t,nsplugin_rw_t)
++')
++
++
++########################################
++##
++## Execute nsplugin in the nsplugin domain, and
++## allow the specified role the nsplugin domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++##
++## The role to be allowed the nsplugin domain.
++##
++##
++##
++##
++##
++## The type of the role's terminal.
++##
++##
++#
++interface(`nsplugin_run',`
++ gen_require(`
++ type nsplugin_t;
++ ')
++
++ nsplugin_domtrans($1)
++ role $2 types nsplugin_t;
++ dontaudit nsplugin_t $3:chr_file rw_term_perms;
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an nsplugin environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++##
++## The role to be allowed to manage the syslog domain.
++##
++##
++##
++##
++##
++## The type of the user terminal.
++##
++##
++##
++#
++interface(`nsplugin_admin',`
++ gen_require(`
++ type nsplugin_t;
++ ')
++
++ allow $1 nsplugin_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, nsplugin_t, nsplugin_t)
++ nsplugin_manage_rw($1)
++
++')
++
++#######################################
++##
++## The per role template for the nsplugin module.
++##
++##
++##

++## This template creates a derived domains which are used ++## for nsplugin web browser. ++##

++##

++## This template is invoked automatically for each user, and ++## generally does not need to be invoked directly ++## by policy writers. ++##

++##
++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## The type of the user domain. ++## ++## ++## ++## ++## The role associated with the user domain. ++## ++## ++# ++template(`nsplugin_per_role_template',` ++ gen_require(` ++ type nsplugin_t; ++ ') ++ nsplugin_domtrans($2) ++ role $3 types nsplugin_t; ++ nsplugin_read_rw_files($2) ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.2.5/policy/modules/apps/nsplugin.te +--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.te 2008-01-03 15:49:43.000000000 -0500 +@@ -0,0 +1,47 @@ ++policy_module(nsplugin,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type nsplugin_t; ++type nsplugin_exec_t; ++application_domain(nsplugin_t, nsplugin_exec_t) ++role system_r types nsplugin_t; ++ ++ ++type nsplugin_rw_t; ++files_type(nsplugin_rw_t) ++ ++######################################## ++# ++# nsplugin local policy ++# ++ ++## internal communication is often done using fifo and unix sockets. 
++allow nsplugin_t self:capability { setuid setgid }; ++allow nsplugin_t self:fifo_file rw_file_perms; ++allow nsplugin_t self:unix_stream_socket create_stream_socket_perms; ++ ++can_exec(nsplugin_t, nsplugin_rw_t) ++manage_dirs_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t) ++manage_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t) ++manage_lnk_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t) ++ ++corecmd_exec_bin(nsplugin_t) ++corecmd_exec_shell(nsplugin_t) ++ ++kernel_read_system_state(nsplugin_t) ++ ++files_read_etc_files(nsplugin_t) ++files_dontaudit_search_home(nsplugin_t) ++ ++libs_use_ld_so(nsplugin_t) ++libs_use_shared_libs(nsplugin_t) ++ ++miscfiles_read_localization(nsplugin_t) ++ ++userdom_dontaudit_search_all_users_home_content(nsplugin_t) ++ ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.2.5/policy/modules/apps/screen.fc +--- nsaserefpolicy/policy/modules/apps/screen.fc 2007-10-12 08:56:02.000000000 -0400 ++++ serefpolicy-3.2.5/policy/modules/apps/screen.fc 2007-12-19 05:38:08.000000000 -0500 +@@ -1,7 +1,7 @@ + # + # /home + # +-HOME_DIR/\.screenrc -- gen_context(system_u:object_r:ROLE_screen_ro_home_t,s0) ++HOME_DIR/\.screenrc -- gen_context(system_u:object_r:user_screen_ro_home_t,s0) + + # + # /usr +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.2.5/policy/modules/apps/screen.if +--- nsaserefpolicy/policy/modules/apps/screen.if 2007-07-23 10:20:12.000000000 -0400 ++++ serefpolicy-3.2.5/policy/modules/apps/screen.if 2007-12-19 05:38:08.000000000 -0500 +@@ -50,8 +50,9 @@ + type $1_screen_tmp_t; + files_tmp_file($1_screen_tmp_t) + +- type $1_screen_ro_home_t; +- files_type($1_screen_ro_home_t) ++ ifelse(`$1',`user',`',` ++ typealias user_screen_ro_home_t alias $1_screen_ro_home_t; ++ ') + + type $1_screen_var_run_t; + files_pid_file($1_screen_var_run_t) +@@ -81,9 +82,9 @@ + 
filetrans_pattern($1_screen_t,screen_dir_t,$1_screen_var_run_t,fifo_file) files_pid_filetrans($1_screen_t,screen_dir_t,dir) - allow $1_screen_t $1_screen_ro_home_t:dir list_dir_perms; @@ -3061,6 +3929,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.t +type user_screen_ro_home_t; +userdom_user_home_content(user,user_screen_ro_home_t) + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.2.5/policy/modules/apps/slocate.te +--- nsaserefpolicy/policy/modules/apps/slocate.te 2007-10-02 09:54:50.000000000 -0400 ++++ serefpolicy-3.2.5/policy/modules/apps/slocate.te 2008-01-03 10:04:21.000000000 -0500 +@@ -39,6 +39,7 @@ + + files_list_all(locate_t) + files_getattr_all_files(locate_t) ++files_getattr_all_pipes(locate_t) + files_getattr_all_sockets(locate_t) + files_read_etc_runtime_files(locate_t) + files_read_etc_files(locate_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.fc serefpolicy-3.2.5/policy/modules/apps/thunderbird.fc --- nsaserefpolicy/policy/modules/apps/thunderbird.fc 2007-10-12 08:56:02.000000000 -0400 +++ serefpolicy-3.2.5/policy/modules/apps/thunderbird.fc 2007-12-19 05:38:08.000000000 -0500 @@ -3463,7 +4342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.5/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-12-12 11:35:27.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/kernel/corecommands.fc 2007-12-31 11:50:26.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/kernel/corecommands.fc 2008-01-03 14:26:07.000000000 -0500 @@ -7,6 +7,7 @@ /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) 
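Review bot: `nsplugin_read_rw_files` in the new nsplugin.if calls `read_fils_pattern($1, nsplugin_rw_t, nsplugin_rw_t)`, which is not a refpolicy support macro; m4 will pass the text through unexpanded and the module will fail to compile, and because `nsplugin_per_role_template` invokes this interface the failure will surface in every mozilla per-role build. The line should read `read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)`. Separately, nsplugin.te grants `allow nsplugin_t self:capability { setuid setgid };` while also giving the same domain `manage_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)` and `can_exec(nsplugin_t, nsplugin_rw_t)` over `/usr/lib/mozilla/plugins-wrapped`, so a compromised browser plugin can write a file into that tree and execute it; the capability pair deserves a comment naming the nspluginwrapper operation that needs it, or should be dropped. `nsplugin_admin` also documents a role `$2` and terminal `$3` that its body never uses.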
@@ -3508,6 +4387,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) +@@ -284,3 +291,6 @@ + ifdef(`distro_suse',` + /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) + ') ++/usr/lib/nspluginwrapper/npconfig gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/nspluginwrapper/npviewer gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/nspluginwrapper/npviewer.bin gen_context(system_u:object_r:bin_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.2.5/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2007-11-14 08:17:58.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/kernel/corecommands.if 2007-12-19 05:38:08.000000000 -0500 @@ -3566,7 +4452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.2.5/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/kernel/devices.if 2007-12-19 05:38:08.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/kernel/devices.if 2008-01-02 13:28:34.000000000 -0500 @@ -65,7 +65,7 @@ relabelfrom_dirs_pattern($1,device_t,device_node) 
@@ -9169,20 +10055,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.2.5/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/procmail.te 2007-12-26 18:16:54.000000000 -0500 -@@ -129,7 +129,12 @@ ++++ serefpolicy-3.2.5/policy/modules/services/procmail.te 2008-01-03 10:56:43.000000000 -0500 +@@ -129,7 +129,9 @@ corenet_udp_bind_generic_port(procmail_t) corenet_dontaudit_udp_bind_all_ports(procmail_t) -+ spamassassin_read_user_home_files(procmail_t) - spamassassin_exec(procmail_t) - spamassassin_exec_client(procmail_t) - spamassassin_read_lib_files(procmail_t) - ') +- spamassassin_exec(procmail_t) +- spamassassin_exec_client(procmail_t) +- spamassassin_read_lib_files(procmail_t) ++ spamassassin_domtrans(procmail_t) ++') + +optional_policy(` + mailscanner_read_spool(procmail_t) -+') + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.2.5/policy/modules/services/pyzor.fc --- nsaserefpolicy/policy/modules/services/pyzor.fc 2007-10-12 08:56:07.000000000 -0400 +++ serefpolicy-3.2.5/policy/modules/services/pyzor.fc 2007-12-19 05:38:09.000000000 -0500 
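Review bot: Replacing `spamassassin_exec_client(procmail_t)` with only `spamassassin_domtrans(procmail_t)` leaves procmail without any rule for running spamc, which is the common `| spamc` recipe; since this same patch introduces `spamassassin_domtrans_spamc`, the block should also call `spamassassin_domtrans_spamc(procmail_t)`. A transition from `procmail_t`, which runs under system_r, into the new `spamassassin_t` additionally requires `role system_r types spamassassin_t;` (and likewise for `spamc_t`), and I do not see either statement in the visible spamassassin.te hunks — worth confirming before this lands. The `optional_policy(` line that opens this block lies before the hunk.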
@@ -10457,85 +11343,251 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam /usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.2.5/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.if 2007-12-30 10:11:43.000000000 -0500 -@@ -38,6 +38,8 @@ ++++ serefpolicy-3.2.5/policy/modules/services/spamassassin.if 2008-01-03 12:06:11.000000000 -0500 +@@ -37,7 +37,9 @@ + gen_require(` type spamc_exec_t, spamassassin_exec_t; - type spamd_t, spamd_tmp_t; +- type spamd_t, spamd_tmp_t; ++ type spamc_t, spamd_t, spamd_tmp_t; + type user_spamassissin_home_t, user_spamassissin_tmp_t; + type user_spamc_tmp_t; ') ############################## -@@ -49,19 +51,15 @@ - application_domain($1_spamc_t,spamc_exec_t) - role $3 types $1_spamc_t; +@@ -45,278 +47,28 @@ + # Declarations + # +- type $1_spamc_t; +- application_domain($1_spamc_t,spamc_exec_t) +- role $3 types $1_spamc_t; +- - type $1_spamc_tmp_t; - files_tmp_file($1_spamc_tmp_t) - - type $1_spamassassin_t; - application_domain($1_spamassassin_t,spamassassin_exec_t) - role $3 types $1_spamassassin_t; - +- type $1_spamassassin_t; +- application_domain($1_spamassassin_t,spamassassin_exec_t) +- role $3 types $1_spamassassin_t; +- - type $1_spamassassin_home_t alias $1_spamassassin_rw_t; - userdom_user_home_content($1,$1_spamassassin_home_t) - files_poly_member($1_spamassassin_home_t) -- ++ typealias spamc_t alias $1_spamc_t; ++ role $3 types spamc_t; + - type $1_spamassassin_tmp_t; - files_tmp_file($1_spamassassin_tmp_t) -+ ifelse(`$1',`user',`',` -+ typealias user_spamassassin_home_t alias $1_spamassassin_home_t; -+ typealias user_spamassassin_tmp_t alias $1_spamassassin_tmp_t; -+ typealias user_spamc_tmp_t alias $1_spamc_tmp_t; -+ ') 
- - ############################## - # -@@ -83,9 +81,9 @@ - allow $1_spamc_t self:tcp_socket create_stream_socket_perms; - allow $1_spamc_t self:udp_socket create_socket_perms; ++ typealias spamassassin_t alias $1_spamassassin_t; ++ role $3 types spamassassin_t; +- ############################## +- # +- # $1_spamc_t local policy +- # +- +- allow $1_spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +- allow $1_spamc_t self:fd use; +- allow $1_spamc_t self:fifo_file rw_fifo_file_perms; +- allow $1_spamc_t self:sock_file read_sock_file_perms; +- allow $1_spamc_t self:shm create_shm_perms; +- allow $1_spamc_t self:sem create_sem_perms; +- allow $1_spamc_t self:msgq create_msgq_perms; +- allow $1_spamc_t self:msg { send receive }; +- allow $1_spamc_t self:unix_dgram_socket create_socket_perms; +- allow $1_spamc_t self:unix_stream_socket create_stream_socket_perms; +- allow $1_spamc_t self:unix_dgram_socket sendto; +- allow $1_spamc_t self:unix_stream_socket connectto; +- allow $1_spamc_t self:tcp_socket create_stream_socket_perms; +- allow $1_spamc_t self:udp_socket create_socket_perms; +- - manage_dirs_pattern($1_spamc_t,$1_spamc_tmp_t,$1_spamc_tmp_t) - manage_files_pattern($1_spamc_t,$1_spamc_tmp_t,$1_spamc_tmp_t) - files_tmp_filetrans($1_spamc_t, $1_spamc_tmp_t, { file dir }) -+ manage_dirs_pattern($1_spamc_t,user_spamc_tmp_t,user_spamc_tmp_t) -+ manage_files_pattern($1_spamc_t,user_spamc_tmp_t,user_spamc_tmp_t) -+ files_tmp_filetrans($1_spamc_t, user_spamc_tmp_t, { file dir }) - - # Allow connecting to a local spamd - allow $1_spamc_t spamd_t:unix_stream_socket connectto; -@@ -186,32 +184,32 @@ - allow $1_spamassassin_t self:msgq create_msgq_perms; - allow $1_spamassassin_t self:msg { send receive }; - -- manage_dirs_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t) -- manage_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t) -- 
manage_lnk_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t) -- manage_fifo_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t) -- manage_sock_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t) -- userdom_user_home_dir_filetrans($1,$1_spamassassin_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file }) - -- manage_dirs_pattern($1_spamassassin_t, $1_spamassassin_tmp_t,$1_spamassassin_tmp_t) -- manage_files_pattern($1_spamassassin_t, $1_spamassassin_tmp_t,$1_spamassassin_tmp_t) -- files_tmp_filetrans($1_spamassassin_t, $1_spamassassin_tmp_t, { file dir }) +- # Allow connecting to a local spamd +- allow $1_spamc_t spamd_t:unix_stream_socket connectto; +- allow $1_spamc_t spamd_tmp_t:sock_file rw_file_perms; - -- manage_dirs_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t) -- manage_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t) -- manage_lnk_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t) -- relabel_dirs_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t) -- relabel_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t) -- relabel_lnk_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t) -+ manage_dirs_pattern($1_spamassassin_t, user_spamassassin_home_t,user_spamassassin_home_t) -+ manage_files_pattern($1_spamassassin_t, user_spamassassin_home_t,user_spamassassin_home_t) -+ manage_lnk_files_pattern($1_spamassassin_t, user_spamassassin_home_t,user_spamassassin_home_t) -+ manage_fifo_files_pattern($1_spamassassin_t, user_spamassassin_home_t,user_spamassassin_home_t) -+ manage_sock_files_pattern($1_spamassassin_t, user_spamassassin_home_t,user_spamassassin_home_t) -+ userdom_user_home_dir_filetrans($1,$1_spamassassin_t,user_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file }) -+ -+ manage_dirs_pattern($1_spamassassin_t, user_spamassassin_tmp_t,user_spamassassin_tmp_t) -+ 
manage_files_pattern($1_spamassassin_t, user_spamassassin_tmp_t,user_spamassassin_tmp_t) -+ files_tmp_filetrans($1_spamassassin_t, user_spamassassin_tmp_t, { file dir }) +- domtrans_pattern($2, spamc_exec_t, $1_spamc_t) +- +- kernel_read_kernel_sysctls($1_spamc_t) +- +- corenet_all_recvfrom_unlabeled($1_spamc_t) +- corenet_all_recvfrom_netlabel($1_spamc_t) +- corenet_tcp_sendrecv_generic_if($1_spamc_t) +- corenet_udp_sendrecv_generic_if($1_spamc_t) +- corenet_tcp_sendrecv_all_nodes($1_spamc_t) +- corenet_udp_sendrecv_all_nodes($1_spamc_t) +- corenet_tcp_sendrecv_all_ports($1_spamc_t) +- corenet_udp_sendrecv_all_ports($1_spamc_t) +- corenet_tcp_connect_all_ports($1_spamc_t) +- corenet_sendrecv_all_client_packets($1_spamc_t) +- +- fs_search_auto_mountpoints($1_spamc_t) +- +- # cjp: these should probably be removed: +- corecmd_list_bin($1_spamc_t) +- corecmd_read_bin_symlinks($1_spamc_t) +- corecmd_read_bin_files($1_spamc_t) +- corecmd_read_bin_pipes($1_spamc_t) +- corecmd_read_bin_sockets($1_spamc_t) +- +- domain_use_interactive_fds($1_spamc_t) +- +- files_read_etc_files($1_spamc_t) +- files_read_etc_runtime_files($1_spamc_t) +- files_read_usr_files($1_spamc_t) +- files_dontaudit_search_var($1_spamc_t) +- # cjp: this may be removable: +- files_list_home($1_spamc_t) +- +- libs_use_ld_so($1_spamc_t) +- libs_use_shared_libs($1_spamc_t) +- +- logging_send_syslog_msg($1_spamc_t) +- +- miscfiles_read_localization($1_spamc_t) +- +- # cjp: this should probably be removed: +- seutil_read_config($1_spamc_t) +- +- sysnet_read_config($1_spamc_t) +- +- userdom_use_unpriv_users_fds($1_spamc_t) +- # cjp: this really should just be the +- # terminal specific to the role +- userdom_use_unpriv_users_ptys($1_spamc_t) +- +- # cjp: this should probably be removed: +- tunable_policy(`read_default_t',` +- files_list_default($1_spamc_t) +- files_read_default_files($1_spamc_t) +- files_read_default_symlinks($1_spamc_t) +- files_read_default_sockets($1_spamc_t) +- 
files_read_default_pipes($1_spamc_t) +- ') +- +- optional_policy(` +- # Allow connection to spamd socket above +- evolution_stream_connect($1,$1_spamc_t) +- ') +- +- optional_policy(` +- nis_use_ypbind($1_spamc_t) +- ') +- +- optional_policy(` +- nscd_socket_use($1_spamc_t) +- ') +- +- optional_policy(` +- mta_read_config($1_spamc_t) +- sendmail_stub($1_spamc_t) +- ') +- +- ############################## +- # +- # $1_spamassassin_t local policy +- # +- +- allow $1_spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +- allow $1_spamassassin_t self:fd use; +- allow $1_spamassassin_t self:fifo_file rw_fifo_file_perms; +- allow $1_spamassassin_t self:sock_file read_sock_file_perms; +- allow $1_spamassassin_t self:unix_dgram_socket create_socket_perms; +- allow $1_spamassassin_t self:unix_stream_socket create_stream_socket_perms; +- allow $1_spamassassin_t self:unix_dgram_socket sendto; +- allow $1_spamassassin_t self:unix_stream_socket connectto; +- allow $1_spamassassin_t self:shm create_shm_perms; +- allow $1_spamassassin_t self:sem create_sem_perms; +- allow $1_spamassassin_t self:msgq create_msgq_perms; +- allow $1_spamassassin_t self:msg { send receive }; +- +- manage_dirs_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t) +- manage_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t) +- manage_lnk_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t) +- manage_fifo_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t) +- manage_sock_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t) +- userdom_user_home_dir_filetrans($1,$1_spamassassin_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file }) +- +- manage_dirs_pattern($1_spamassassin_t, $1_spamassassin_tmp_t,$1_spamassassin_tmp_t) +- manage_files_pattern($1_spamassassin_t, $1_spamassassin_tmp_t,$1_spamassassin_tmp_t) 
+- files_tmp_filetrans($1_spamassassin_t, $1_spamassassin_tmp_t, { file dir }) +- +- manage_dirs_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t) +- manage_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t) +- manage_lnk_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t) +- relabel_dirs_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t) +- relabel_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t) +- relabel_lnk_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t) +- +- domtrans_pattern($2, spamassassin_exec_t, $1_spamassassin_t) +- +- manage_dirs_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t) +- manage_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t) +- manage_lnk_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t) +- manage_fifo_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t) +- manage_sock_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t) +- userdom_user_home_dir_filetrans($1,spamd_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file }) +- +- kernel_read_kernel_sysctls($1_spamassassin_t) +- +- dev_read_urand($1_spamassassin_t) +- +- fs_search_auto_mountpoints($1_spamassassin_t) +- +- # this should probably be removed +- corecmd_list_bin($1_spamassassin_t) +- corecmd_read_bin_symlinks($1_spamassassin_t) +- corecmd_read_bin_files($1_spamassassin_t) +- corecmd_read_bin_pipes($1_spamassassin_t) +- corecmd_read_bin_sockets($1_spamassassin_t) +- +- domain_use_interactive_fds($1_spamassassin_t) +- +- files_read_etc_files($1_spamassassin_t) +- files_read_etc_runtime_files($1_spamassassin_t) +- files_list_home($1_spamassassin_t) +- files_read_usr_files($1_spamassassin_t) +- files_dontaudit_search_var($1_spamassassin_t) +- +- libs_use_ld_so($1_spamassassin_t) +- libs_use_shared_libs($1_spamassassin_t) +- +- logging_send_syslog_msg($1_spamassassin_t) +- +- 
miscfiles_read_localization($1_spamassassin_t) +- +- # cjp: this could probably be removed +- seutil_read_config($1_spamassassin_t) +- +- sysnet_dns_name_resolve($1_spamassassin_t) +- +- userdom_use_unpriv_users_fds($1_spamassassin_t) +- userdom_search_user_home_dirs($1,$1_spamassassin_t) +- # cjp: this really should just be the +- # terminal specific to the role +- userdom_use_unpriv_users_ptys($1_spamassassin_t) +- +- # this should probably be removed: +- tunable_policy(`read_default_t',` +- files_list_default($1_spamassassin_t) +- files_read_default_files($1_spamassassin_t) +- files_read_default_symlinks($1_spamassassin_t) +- files_read_default_sockets($1_spamassassin_t) +- files_read_default_pipes($1_spamassassin_t) +- ') +- +- # set tunable if you have spamassassin do DNS lookups +- tunable_policy(`spamassassin_can_network',` +- allow $1_spamassassin_t self:tcp_socket create_stream_socket_perms; +- allow $1_spamassassin_t self:udp_socket create_socket_perms; ++ ifelse(`$1',`user',`',` ++ typealias user_spamassassin_home_t alias $1_spamassassin_home_t; ++ typealias user_spamassassin_tmp_t alias $1_spamassassin_tmp_t; ++ typealias user_spamc_tmp_t alias $1_spamc_tmp_t; ++ ') + + manage_dirs_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t) + manage_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t) 
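Review bot: The rewritten `spamassassin_per_role_template` now emits `typealias spamassassin_t alias $1_spamassassin_t;` and `role $3 types spamassassin_t;`, but its `gen_require` was only widened to `type spamc_t, spamd_t, spamd_tmp_t;` — `spamassassin_t` is never required, so a modular build of whichever module invokes this template fails with the type out of scope. Change the line to `type spamc_t, spamassassin_t, spamd_t, spamd_tmp_t;`. The neighbouring context line `type user_spamassissin_home_t, user_spamassissin_tmp_t;` is pre-existing, but it spells the types differently from the `user_spamassassin_home_t` and `user_spamassassin_tmp_t` declared in spamassassin.te, so that require will also fail to resolve; fixing the spelling belongs in the same change. The template's closing `')` is in the following hunk.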
@@ -10544,27 +11596,97 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam + relabel_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t) + relabel_lnk_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t) - domtrans_pattern($2, spamassassin_exec_t, $1_spamassassin_t) - -- manage_dirs_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t) -- manage_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t) -- manage_lnk_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t) -- manage_fifo_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t) -- manage_sock_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t) -- userdom_user_home_dir_filetrans($1,spamd_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file }) -+ manage_dirs_pattern(spamd_t, user_spamassassin_home_t,user_spamassassin_home_t) -+ manage_files_pattern(spamd_t, user_spamassassin_home_t,user_spamassassin_home_t) -+ manage_lnk_files_pattern(spamd_t, user_spamassassin_home_t,user_spamassassin_home_t) -+ manage_fifo_files_pattern(spamd_t, user_spamassassin_home_t,user_spamassassin_home_t) -+ manage_sock_files_pattern(spamd_t, user_spamassassin_home_t,user_spamassassin_home_t) -+ userdom_user_home_dir_filetrans($1,spamd_t,user_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file }) - - kernel_read_kernel_sysctls($1_spamassassin_t) - -@@ -407,6 +405,40 @@ +- corenet_all_recvfrom_unlabeled($1_spamassassin_t) +- corenet_all_recvfrom_netlabel($1_spamassassin_t) +- corenet_tcp_sendrecv_generic_if($1_spamassassin_t) +- corenet_udp_sendrecv_generic_if($1_spamassassin_t) +- corenet_tcp_sendrecv_all_nodes($1_spamassassin_t) +- corenet_udp_sendrecv_all_nodes($1_spamassassin_t) +- corenet_tcp_sendrecv_all_ports($1_spamassassin_t) +- corenet_udp_sendrecv_all_ports($1_spamassassin_t) +- corenet_tcp_connect_all_ports($1_spamassassin_t) +- 
corenet_sendrecv_all_client_packets($1_spamassassin_t) ++ domtrans_pattern($2, spamassassin_exec_t, spamassassin_t) ++ domtrans_pattern($2, spamc_exec_t, spamc_t) + +- sysnet_read_config($1_spamassassin_t) +- ') +- +- tunable_policy(`spamd_enable_home_dirs',` +- userdom_manage_user_home_content_dirs($1,spamd_t) +- userdom_manage_user_home_content_files($1,spamd_t) +- userdom_manage_user_home_content_symlinks($1,spamd_t) +- ') +- +- tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs($1_spamassassin_t) +- fs_manage_nfs_files($1_spamassassin_t) +- fs_manage_nfs_symlinks($1_spamassassin_t) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs($1_spamassassin_t) +- fs_manage_cifs_files($1_spamassassin_t) +- fs_manage_cifs_symlinks($1_spamassassin_t) +- ') +- +- optional_policy(` +- # Write pid file and socket in ~/.evolution/cache/tmp +- evolution_home_filetrans($1,spamd_t,spamd_tmp_t,{ file sock_file }) +- ') +- +- optional_policy(` +- # cjp: clearly some redundancy here +- +- nis_use_ypbind($1_spamassassin_t) +- +- tunable_policy(`spamassassin_can_network && allow_ypbind',` +- nis_use_ypbind_uncond($1_spamassassin_t) +- ') +- ') +- +- optional_policy(` +- mta_read_config($1_spamassassin_t) +- sendmail_stub($1_spamassassin_t) +- ') + ') ######################################## - ## +@@ -398,11 +150,65 @@ + ## + # + template(`spamassassin_domtrans_user_client',` ++ spamassassin_domtrans_spamc($2) ++') ++ ++######################################## ++## ++## Execute spamassassin client in the spamassassin client domain. ++## ++## ++##

++## This is a template and should only be called ++## from per user domain tempaltes. ++##

++##
++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`spamassassin_domtrans_spamc',` + gen_require(` +- type $1_spamc_t, spamc_exec_t; ++ type spamc_t, spamc_exec_t; + ') + +- domtrans_pattern($2,spamc_exec_t,$1_spamc_t) ++ domtrans_pattern($1,spamc_exec_t,spamc_t) ++') ++ ++######################################## ++## +## Read spamassassin per user homedir +## +## @@ -10595,14 +11717,44 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam + + allow $1 user_spamassassin_home_t:dir list_dir_perms; + allow $1 user_spamassassin_home_t:file read_file_perms; + ') + + ######################################## +@@ -446,11 +252,31 @@ + ## + # + template(`spamassassin_domtrans_user_local_client',` ++ spamassassin_domtrans($2) +') + +######################################## +## - ## Execute the spamassassin client - ## program in the caller directory. - ## -@@ -469,6 +501,7 @@ ++## Execute spamassassin in the user spamassassin domain. ++##
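Review bot: The new `spamassassin_domtrans_spamc` is declared with `interface(` and takes one domain argument, yet its description says "This is a template and should only be called from per user domain tempaltes", which misspells "templates" and contradicts the declaration — it is an ordinary interface callable from any module (procmail.te in this same patch calls the sibling `spamassassin_domtrans` directly). Replace that paragraph with `Execute spamc in the spamc_t domain. This is a plain interface; callers that need a user role to reach spamc_t must add the role rule themselves.` The same stale wording is copied onto `spamassassin_domtrans` in the next hunk. The retained `template(`spamassassin_domtrans_user_client')` wrapper now ignores its `$1` prefix argument, which would also merit a one-line note so nobody "fixes" it later.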
++## ++##

++## This is a template and should only be called ++## from per user domain tempaltes. ++##

++##
++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`spamassassin_domtrans',` + gen_require(` +- type $1_spamassassin_t, spamassassin_exec_t; ++ type spamassassin_t, spamassassin_exec_t; + ') + +- domtrans_pattern($2,spamassassin_exec_t,$1_spamassassin_t) ++ domtrans_pattern($1,spamassassin_exec_t,spamassassin_t) + ') + + ######################################## +@@ -469,6 +295,7 @@ ') files_search_var_lib($1) @@ -10610,7 +11762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam read_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t) ') -@@ -528,3 +561,22 @@ +@@ -528,3 +355,22 @@ dontaudit $1 spamd_tmp_t:sock_file getattr; ') @@ -10635,11 +11787,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.2.5/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.te 2007-12-19 05:38:09.000000000 -0500 -@@ -44,6 +44,15 @@ - type spamassassin_exec_t; - application_executable_file(spamassassin_exec_t) ++++ serefpolicy-3.2.5/policy/modules/services/spamassassin.te 2008-01-03 12:54:53.000000000 -0500 +@@ -21,8 +21,9 @@ + gen_tunable(spamd_enable_home_dirs,true) + + # spamassassin client executable ++type spamc_t; + type spamc_exec_t; +-application_executable_file(spamc_exec_t) ++application_domain(spamc_t,spamc_exec_t) + + type spamd_t; + type spamd_exec_t; +@@ -42,7 +43,17 @@ + files_pid_file(spamd_var_run_t) + type spamassassin_exec_t; +-application_executable_file(spamassassin_exec_t) ++type spamassassin_t; ++application_domain(spamassassin_t,spamassassin_exec_t) ++ +type user_spamassassin_home_t; +userdom_user_home_content(user,user_spamassassin_home_t) + 
@@ -10648,11 +11815,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam + +type user_spamc_tmp_t; +files_tmp_file(user_spamc_tmp_t) -+ + ######################################## # - # Spamassassin daemon local policy -@@ -81,10 +90,11 @@ +@@ -81,10 +92,11 @@ # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; @@ -10665,9 +11831,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) kernel_read_all_sysctls(spamd_t) -@@ -150,10 +160,12 @@ +@@ -149,11 +161,31 @@ + userdom_search_unpriv_users_home_dirs(spamd_t) userdom_dontaudit_search_sysadm_home_dirs(spamd_t) ++manage_dirs_pattern(spamd_t, user_spamassassin_home_t,user_spamassassin_home_t) ++manage_files_pattern(spamd_t, user_spamassassin_home_t,user_spamassassin_home_t) ++manage_lnk_files_pattern(spamd_t, user_spamassassin_home_t,user_spamassassin_home_t) ++manage_fifo_files_pattern(spamd_t, user_spamassassin_home_t,user_spamassassin_home_t) ++manage_sock_files_pattern(spamd_t, user_spamassassin_home_t,user_spamassassin_home_t) ++userdom_user_home_dir_filetrans(user,spamd_t,user_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file }) ++ ++optional_policy(` ++ # Write pid file and socket in ~/.evolution/cache/tmp ++ evolution_home_filetrans(user,spamd_t,spamd_tmp_t,{ file sock_file }) ++') ++ ++tunable_policy(`spamd_enable_home_dirs',` ++ userdom_manage_user_home_content_dirs(user,spamd_t) ++ userdom_manage_user_home_content_files(user,spamd_t) ++ userdom_manage_user_home_content_symlinks(user,spamd_t) ++') ++ tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(spamd_t) fs_manage_nfs_files(spamd_t) @@ -10678,7 +11863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam fs_manage_cifs_files(spamd_t) ') -@@ -171,6 +183,7 @@ +@@ -171,6 +203,7 @@ optional_policy(` dcc_domtrans_client(spamd_t) 
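Review bot: The new `tunable_policy(`spamd_enable_home_dirs', …)` block hands spamd_t manage rights over all `user`-prefixed home content (dirs, files, symlinks), and the `gen_tunable(spamd_enable_home_dirs,true)` carried as context in the preceding hunk makes that the default, so a network-facing daemon gets write access to arbitrary user home files unless an admin turns the boolean off. The `user_spamassassin_home_t` rules added just above already cover spamd's own per-user state under the home directory, so I'd either default the tunable to false or put a comment on the block stating why the wider grant is needed: `# default-on: spamd rewrites user mail/config outside ~/.spamassassin; the user_spamassassin_home_t rules above are sufficient when this is disabled`. If upstream spamassassin.te already carries an equivalent spamd_enable_home_dirs block (not visible here), this duplicates it. Both the `userdom_user_home_dir_filetrans(user,spamd_t,…)` line and the tunable body hard-code the `user` prefix, so staff and sysadm home content is not covered; worth a comment if that is intended.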
@@ -10686,6 +11871,213 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam dcc_stream_connect_dccifd(spamd_t) ') +@@ -212,3 +245,206 @@ + optional_policy(` + udev_read_db(spamd_t) + ') ++ ++############################## ++# ++# spamassassin_t local policy ++# ++ ++allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; ++allow spamassassin_t self:fd use; ++allow spamassassin_t self:fifo_file rw_fifo_file_perms; ++allow spamassassin_t self:sock_file read_sock_file_perms; ++allow spamassassin_t self:unix_dgram_socket create_socket_perms; ++allow spamassassin_t self:unix_stream_socket create_stream_socket_perms; ++allow spamassassin_t self:unix_dgram_socket sendto; ++allow spamassassin_t self:unix_stream_socket connectto; ++allow spamassassin_t self:shm create_shm_perms; ++allow spamassassin_t self:sem create_sem_perms; ++allow spamassassin_t self:msgq create_msgq_perms; ++allow spamassassin_t self:msg { send receive }; ++ ++manage_dirs_pattern(spamassassin_t, user_spamassassin_home_t,user_spamassassin_home_t) ++manage_files_pattern(spamassassin_t, user_spamassassin_home_t,user_spamassassin_home_t) ++manage_lnk_files_pattern(spamassassin_t, user_spamassassin_home_t,user_spamassassin_home_t) ++manage_fifo_files_pattern(spamassassin_t, user_spamassassin_home_t,user_spamassassin_home_t) ++manage_sock_files_pattern(spamassassin_t, user_spamassassin_home_t,user_spamassassin_home_t) ++userdom_user_home_dir_filetrans($1,spamassassin_t,user_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file }) ++ ++manage_dirs_pattern(spamassassin_t, user_spamassassin_tmp_t,user_spamassassin_tmp_t) ++manage_files_pattern(spamassassin_t, user_spamassassin_tmp_t,user_spamassassin_tmp_t) ++files_tmp_filetrans(spamassassin_t, user_spamassassin_tmp_t, { file dir }) ++ ++kernel_read_kernel_sysctls(spamassassin_t) ++ ++dev_read_urand(spamassassin_t) ++ ++fs_search_auto_mountpoints(spamassassin_t) ++ 
++# this should probably be removed ++corecmd_list_bin(spamassassin_t) ++corecmd_read_bin_symlinks(spamassassin_t) ++corecmd_read_bin_files(spamassassin_t) ++corecmd_read_bin_pipes(spamassassin_t) ++corecmd_read_bin_sockets(spamassassin_t) ++ ++domain_use_interactive_fds(spamassassin_t) ++ ++files_read_etc_files(spamassassin_t) ++files_read_etc_runtime_files(spamassassin_t) ++files_list_home(spamassassin_t) ++files_read_usr_files(spamassassin_t) ++files_dontaudit_search_var(spamassassin_t) ++ ++libs_use_ld_so(spamassassin_t) ++libs_use_shared_libs(spamassassin_t) ++ ++logging_send_syslog_msg(spamassassin_t) ++ ++miscfiles_read_localization(spamassassin_t) ++ ++# cjp: this could probably be removed ++seutil_read_config(spamassassin_t) ++ ++sysnet_dns_name_resolve(spamassassin_t) ++ ++userdom_use_unpriv_users_fds(spamassassin_t) ++userdom_search_user_home_dirs(user,spamassassin_t) ++# cjp: this really should just be the ++# terminal specific to the role ++userdom_use_unpriv_users_ptys(spamassassin_t) ++ ++# set tunable if you have spamassassin do DNS lookups ++tunable_policy(`spamassassin_can_network',` ++ allow spamassassin_t self:tcp_socket create_stream_socket_perms; ++ allow spamassassin_t self:udp_socket create_socket_perms; ++ ++ corenet_all_recvfrom_unlabeled(spamassassin_t) ++ corenet_all_recvfrom_netlabel(spamassassin_t) ++ corenet_tcp_sendrecv_generic_if(spamassassin_t) ++ corenet_udp_sendrecv_generic_if(spamassassin_t) ++ corenet_tcp_sendrecv_all_nodes(spamassassin_t) ++ corenet_udp_sendrecv_all_nodes(spamassassin_t) ++ corenet_tcp_sendrecv_all_ports(spamassassin_t) ++ corenet_udp_sendrecv_all_ports(spamassassin_t) ++ corenet_tcp_connect_all_ports(spamassassin_t) ++ corenet_sendrecv_all_client_packets(spamassassin_t) ++ ++ sysnet_read_config(spamassassin_t) ++') ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_manage_nfs_dirs(spamassassin_t) ++ fs_manage_nfs_files(spamassassin_t) ++ fs_manage_nfs_symlinks(spamassassin_t) ++') ++ 
++tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_dirs(spamassassin_t) ++ fs_manage_cifs_files(spamassassin_t) ++ fs_manage_cifs_symlinks(spamassassin_t) ++') ++ ++optional_policy(` ++ # cjp: clearly some redundancy here ++ ++ nis_use_ypbind(spamassassin_t) ++ ++ tunable_policy(`spamassassin_can_network && allow_ypbind',` ++ nis_use_ypbind_uncond(spamassassin_t) ++ ') ++') ++ ++optional_policy(` ++ mta_read_config(spamassassin_t) ++ sendmail_stub(spamassassin_t) ++') ++ ++############################## ++# ++# spamc_t local policy ++# ++ ++allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; ++allow spamc_t self:fd use; ++allow spamc_t self:fifo_file rw_fifo_file_perms; ++allow spamc_t self:sock_file read_sock_file_perms; ++allow spamc_t self:shm create_shm_perms; ++allow spamc_t self:sem create_sem_perms; ++allow spamc_t self:msgq create_msgq_perms; ++allow spamc_t self:msg { send receive }; ++allow spamc_t self:unix_dgram_socket create_socket_perms; ++allow spamc_t self:unix_stream_socket create_stream_socket_perms; ++allow spamc_t self:unix_dgram_socket sendto; ++allow spamc_t self:unix_stream_socket connectto; ++allow spamc_t self:tcp_socket create_stream_socket_perms; ++allow spamc_t self:udp_socket create_socket_perms; ++ ++manage_dirs_pattern(spamc_t,user_spamc_tmp_t,user_spamc_tmp_t) ++manage_files_pattern(spamc_t,user_spamc_tmp_t,user_spamc_tmp_t) ++files_tmp_filetrans(spamc_t, user_spamc_tmp_t, { file dir }) ++ ++# Allow connecting to a local spamd ++allow spamc_t spamd_t:unix_stream_socket connectto; ++allow spamc_t spamd_tmp_t:sock_file rw_file_perms; ++ ++kernel_read_kernel_sysctls(spamc_t) ++ ++corenet_all_recvfrom_unlabeled(spamc_t) ++corenet_all_recvfrom_netlabel(spamc_t) ++corenet_tcp_sendrecv_generic_if(spamc_t) ++corenet_udp_sendrecv_generic_if(spamc_t) ++corenet_tcp_sendrecv_all_nodes(spamc_t) ++corenet_udp_sendrecv_all_nodes(spamc_t) ++corenet_tcp_sendrecv_all_ports(spamc_t) 
++corenet_udp_sendrecv_all_ports(spamc_t) ++corenet_tcp_connect_all_ports(spamc_t) ++corenet_sendrecv_all_client_packets(spamc_t) ++ ++fs_search_auto_mountpoints(spamc_t) ++ ++# cjp: these should probably be removed: ++corecmd_list_bin(spamc_t) ++corecmd_read_bin_symlinks(spamc_t) ++corecmd_read_bin_files(spamc_t) ++corecmd_read_bin_pipes(spamc_t) ++corecmd_read_bin_sockets(spamc_t) ++ ++domain_use_interactive_fds(spamc_t) ++ ++files_read_etc_files(spamc_t) ++files_read_etc_runtime_files(spamc_t) ++files_read_usr_files(spamc_t) ++files_dontaudit_search_var(spamc_t) ++# cjp: this may be removable: ++files_list_home(spamc_t) ++ ++auth_use_nsswitch(spamc_t) ++ ++libs_use_ld_so(spamc_t) ++libs_use_shared_libs(spamc_t) ++ ++logging_send_syslog_msg(spamc_t) ++ ++miscfiles_read_localization(spamc_t) ++ ++# cjp: this should probably be removed: ++seutil_read_config(spamc_t) ++ ++sysnet_read_config(spamc_t) ++ ++userdom_use_unpriv_users_fds(spamc_t) ++# cjp: this really should just be the ++# terminal specific to the role ++userdom_use_unpriv_users_ptys(spamc_t) ++ ++optional_policy(` ++ # Allow connection to spamd socket above ++ evolution_stream_connect(user,spamc_t) ++') ++ ++optional_policy(` ++ mta_read_config(spamc_t) ++ sendmail_stub(spamc_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.2.5/policy/modules/services/squid.fc --- nsaserefpolicy/policy/modules/services/squid.fc 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/squid.fc 2007-12-19 05:38:09.000000000 -0500 
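Review bot: `userdom_user_home_dir_filetrans($1,spamassassin_t,user_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })` sits in the spamassassin.te body, where `$1` is not a macro argument and is passed through literally as the user prefix, which the build will reject; the spamd_t counterpart in the previous hunk uses `user`, and this line should too: `userdom_user_home_dir_filetrans(user,spamassassin_t,user_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })`. The same slip recurs in the new iceauth_t block of the xserver.te hunk at the end of this page, `userdom_user_home_dir_filetrans($1,iceauth_t,user_iceauth_home_t,file)`. Separately, spamc_t receives `corenet_tcp_connect_all_ports(spamc_t)` unconditionally while spamassassin_t's network access is gated by `spamassassin_can_network`; spamc only needs to reach a spamd, so gating it the same way, or restricting it to the spamd port type if this corenetwork version defines one, would be tighter. Minor: `allow spamc_t spamd_tmp_t:sock_file rw_file_perms;` should use the socket-file set, `rw_sock_file_perms`.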
@@ -11170,8 +12562,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.5/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/xserver.if 2007-12-27 11:37:04.000000000 -0500 -@@ -45,7 +45,7 @@ ++++ serefpolicy-3.2.5/policy/modules/services/xserver.if 2008-01-03 16:24:11.000000000 -0500 +@@ -15,6 +15,7 @@ + template(`xserver_common_domain_template',` + gen_require(` + type xkb_var_lib_t, xserver_exec_t, xserver_log_t; ++ type xdm_xserver_tmp_t; + ') + + ############################## +@@ -45,7 +46,7 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -11180,7 +12580,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dontaudit $1_xserver_t self:capability chown; allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow $1_xserver_t self:memprotect mmap_zero; -@@ -115,18 +115,23 @@ +@@ -115,18 +116,23 @@ dev_rw_agp($1_xserver_t) dev_rw_framebuffer($1_xserver_t) dev_manage_dri_dev($1_xserver_t) @@ -11206,7 +12606,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files($1_xserver_t) files_read_etc_runtime_files($1_xserver_t) -@@ -140,12 +145,16 @@ +@@ -140,12 +146,16 @@ fs_getattr_xattr_fs($1_xserver_t) fs_search_nfs($1_xserver_t) fs_search_auto_mountpoints($1_xserver_t) 
@@ -11224,7 +12624,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser term_setattr_unallocated_ttys($1_xserver_t) term_use_unallocated_ttys($1_xserver_t) -@@ -232,39 +241,26 @@ +@@ -223,8 +233,10 @@ + template(`xserver_per_role_template',` + + gen_require(` +- type iceauth_exec_t, xauth_exec_t; +- attribute fonts_type, fonts_cache_type, fonts_config_type; ++ type iceauth_exec_t, iceauth_t, user_iceauth_home_t; ++ type xauth_t, xauth_exec_t, user_xauth_home_t; ++ type user_fonts_t, user_fonts_config_t, user_fonts_cache_t; ++ type xdm_xserver_tmp_t, xdm_xserver_t; + ') + + ############################## +@@ -232,66 +244,51 @@ # Declarations # 
@@ -11246,38 +12659,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser - - type $1_fonts_config_t, fonts_config_type; - userdom_user_home_content($1,$1_fonts_cache_t) -- - type $1_iceauth_t; - domain_type($1_iceauth_t) - domain_entry_file($1_iceauth_t,iceauth_exec_t) - role $3 types $1_iceauth_t; ++ typealias xauth_t alias $1_xauth_t; ++ role $3 types xauth_t; +- type $1_iceauth_t; +- domain_type($1_iceauth_t) +- domain_entry_file($1_iceauth_t,iceauth_exec_t) +- role $3 types $1_iceauth_t; +- - type $1_iceauth_home_t alias $1_iceauth_rw_t; - files_poly_member($1_iceauth_home_t) - userdom_user_home_content($1,$1_iceauth_home_t) - - type $1_xauth_t; - domain_type($1_xauth_t) - domain_entry_file($1_xauth_t,xauth_exec_t) - role $3 types $1_xauth_t; - +- type $1_xauth_t; +- domain_type($1_xauth_t) +- domain_entry_file($1_xauth_t,xauth_exec_t) +- role $3 types $1_xauth_t; +- - type $1_xauth_home_t alias $1_xauth_rw_t, xauth_home_type; - files_poly_member($1_xauth_home_t) - userdom_user_home_content($1,$1_xauth_home_t) - - type $1_xauth_tmp_t; - files_tmp_file($1_xauth_tmp_t) -- ++ typealias iceauth_t alias $1_iceauth_t; ++ role $3 types iceauth_t; + ############################## # # $1_xserver_t Local policy -@@ -272,12 +268,15 @@ - - domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t) + # ++ domtrans_pattern($1_xserver_t, xauth_exec_t, xauth_t) +- domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t) +- - allow $1_xserver_t $1_xauth_home_t:file { getattr read }; + allow $1_xserver_t user_xauth_home_t:file { getattr read }; -+ allow xdm_t user_xauth_home_t:file append_file_perms; domtrans_pattern($2, xserver_exec_t, $1_xserver_t) allow $1_xserver_t $2:process signal; 
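Review bot: The new `typealias xauth_t alias $1_xauth_t;` and `typealias iceauth_t alias $1_iceauth_t;` lines replace the per-role domains with one shared domain each, and the per-role home types are removed with them, so type enforcement no longer separates one role's .Xauthority/.ICEauthority from another's; isolation of those cookies now rests on DAC and MLS/MCS alone. That may be the intended design, but nothing in the template says so; I'd add above the typealias lines: `# xauth_t/iceauth_t and user_*auth_home_t are shared by every role that instantiates this template; per-user isolation of the X/ICE auth cookies relies on DAC and MLS/MCS, not on type enforcement`. Because the template runs once per role against the same domain, each `role $3 types xauth_t;` accumulates on xauth_t, which is what makes the aliasing work but also means xauth_t is reachable from every instantiated role at once. xserver_per_role_template starts in the previous hunk.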
@@ -11286,85 +12703,163 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow $1_xserver_t $2:shm rw_shm_perms; + allow $1_xserver_t $2:file read_file_perms; - manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t) - manage_files_pattern($2,$1_fonts_t,$1_fonts_t) -@@ -307,6 +306,7 @@ +- manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t) +- manage_files_pattern($2,$1_fonts_t,$1_fonts_t) +- relabel_dirs_pattern($2,$1_fonts_t,$1_fonts_t) +- relabel_files_pattern($2,$1_fonts_t,$1_fonts_t) +- +- manage_dirs_pattern($2,$1_fonts_config_t,$1_fonts_config_t) +- manage_files_pattern($2,$1_fonts_config_t,$1_fonts_config_t) +- relabel_files_pattern($2,$1_fonts_config_t,$1_fonts_config_t) ++ manage_dirs_pattern($2,user_fonts_t,user_fonts_t) ++ manage_files_pattern($2,user_fonts_t,user_fonts_t) ++ relabel_dirs_pattern($2,user_fonts_t,user_fonts_t) ++ relabel_files_pattern($2,user_fonts_t,user_fonts_t) ++ ++ manage_dirs_pattern($2,user_fonts_config_t,user_fonts_config_t) ++ manage_files_pattern($2,user_fonts_config_t,user_fonts_config_t) ++ relabel_files_pattern($2,user_fonts_config_t,user_fonts_config_t) + + # For startup relabel +- allow $2 $1_fonts_cache_t:{ dir file } { relabelto relabelfrom }; ++ allow $2 user_fonts_cache_t:{ dir file } { relabelto relabelfrom }; + + stream_connect_pattern($2,$1_xserver_tmp_t,$1_xserver_tmp_t,$1_xserver_t) ++ stream_connect_pattern($2,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) + + allow $2 $1_xserver_tmpfs_t:file rw_file_perms; + +@@ -307,113 +304,49 @@ userdom_use_user_ttys($1,$1_xserver_t) userdom_setattr_user_ttys($1,$1_xserver_t) userdom_rw_user_tmpfs_files($1,$1_xserver_t) + userdom_rw_user_tmp_files($1,$1_xserver_t) xserver_use_user_fonts($1,$1_xserver_t) - xserver_rw_xdm_tmp_files($1_xauth_t) -@@ -330,12 +330,12 @@ - allow $1_xauth_t self:process signal; - allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms; +- xserver_rw_xdm_tmp_files($1_xauth_t) + + optional_policy(` + 
userhelper_search_config($1_xserver_t) + ') +- ifdef(`TODO',` +- ifdef(`xdm.te', ` +- allow $1_t xdm_tmp_t:sock_file unlink; +- allow $1_xserver_t xdm_var_run_t:dir search; +- ') +- ') dnl end TODO +- + ############################## + # +- # $1_xauth_t Local policy ++ # xauth_t Local policy + # + +- allow $1_xauth_t self:process signal; +- allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms; +- - allow $1_xauth_t $1_xauth_home_t:file manage_file_perms; - userdom_user_home_dir_filetrans($1,$1_xauth_t,$1_xauth_home_t,file) -+ allow $1_xauth_t user_xauth_home_t:file manage_file_perms; -+ userdom_user_home_dir_filetrans($1,$1_xauth_t,user_xauth_home_t,file) - +- - manage_dirs_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t) - manage_files_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t) - files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir }) -+ manage_dirs_pattern($1_xauth_t,user_xauth_tmp_t,user_xauth_tmp_t) -+ manage_files_pattern($1_xauth_t,user_xauth_tmp_t,user_xauth_tmp_t) -+ files_tmp_filetrans($1_xauth_t, user_xauth_tmp_t, { file dir }) ++ domtrans_pattern($2, xauth_exec_t, xauth_t) - domtrans_pattern($2, xauth_exec_t, $1_xauth_t) +- domtrans_pattern($2, xauth_exec_t, $1_xauth_t) +- +- allow $2 $1_xauth_t:process signal; ++ allow $2 xauth_t:process signal; -@@ -344,12 +344,6 @@ # allow ps to show xauth - ps_process_pattern($2,$1_xauth_t) - +- ps_process_pattern($2,$1_xauth_t) +- - allow $2 $1_xauth_home_t:file manage_file_perms; - allow $2 $1_xauth_home_t:file { relabelfrom relabelto }; - - allow xdm_t $1_xauth_home_t:file manage_file_perms; - userdom_user_home_dir_filetrans($1,xdm_t,$1_xauth_home_t,file) - - domain_use_interactive_fds($1_xauth_t) +- domain_use_interactive_fds($1_xauth_t) +- +- files_read_etc_files($1_xauth_t) +- files_search_pids($1_xauth_t) +- +- fs_getattr_xattr_fs($1_xauth_t) +- fs_search_auto_mountpoints($1_xauth_t) ++ ps_process_pattern($2,xauth_t) - files_read_etc_files($1_xauth_t) -@@ -378,6 +372,14 @@ - ') +- 
# cjp: why? +- term_use_ptmx($1_xauth_t) +- +- auth_use_nsswitch($1_xauth_t) +- +- libs_use_ld_so($1_xauth_t) +- libs_use_shared_libs($1_xauth_t) +- +- userdom_use_user_terminals($1,$1_xauth_t) +- userdom_read_user_tmp_files($1,$1_xauth_t) +- +- tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_files($1_xauth_t) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_files($1_xauth_t) +- ') ++ userdom_use_user_terminals($1,xauth_t) ++ userdom_read_user_tmp_files($1,xauth_t) optional_policy(` +- ssh_sigchld($1_xauth_t) +- ssh_read_pipes($1_xauth_t) +- ssh_dontaudit_rw_tcp_sockets($1_xauth_t) + xserver_read_user_xauth($1, $2) -+ ') -+ -+ optional_policy(` -+ xserver_read_user_iceauth($1, $2) -+ ') -+ -+ optional_policy(` - ssh_sigchld($1_xauth_t) - ssh_read_pipes($1_xauth_t) - ssh_dontaudit_rw_tcp_sockets($1_xauth_t) -@@ -390,16 +392,16 @@ - - domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t) + ') + ############################## + # +- # $1_iceauth_t Local policy ++ # iceauth_t Local policy + # +- +- domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t) +- - allow $1_iceauth_t $1_iceauth_home_t:file manage_file_perms; - userdom_user_home_dir_filetrans($1,$1_iceauth_t,$1_iceauth_home_t,file) -+ allow $1_iceauth_t user_iceauth_home_t:file manage_file_perms; -+ userdom_user_home_dir_filetrans($1,$1_iceauth_t,user_iceauth_home_t,file) ++ domtrans_pattern($2, iceauth_exec_t, iceauth_t) # allow ps to show iceauth - ps_process_pattern($2,$1_iceauth_t) - +- ps_process_pattern($2,$1_iceauth_t) +- - allow $2 $1_iceauth_home_t:file manage_file_perms; - allow $2 $1_iceauth_home_t:file { relabelfrom relabelto }; +- +- allow xdm_t $1_iceauth_home_t:file read_file_perms; +- +- fs_search_auto_mountpoints($1_iceauth_t) ++ ps_process_pattern($2,iceauth_t) + +- libs_use_ld_so($1_iceauth_t) +- libs_use_shared_libs($1_iceauth_t) + allow $2 user_iceauth_home_t:file manage_file_perms; + allow $2 user_iceauth_home_t:file { relabelfrom relabelto }; -- allow xdm_t 
$1_iceauth_home_t:file read_file_perms; -+ allow xdm_t user_iceauth_home_t:file read_file_perms; +- userdom_use_user_terminals($1,$1_iceauth_t) ++ userdom_use_user_terminals($1,iceauth_t) - fs_search_auto_mountpoints($1_iceauth_t) +- tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_files($1_iceauth_t) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_files($1_iceauth_t) ++ optional_policy(` ++ xserver_read_user_iceauth($1, $2) + ') + ') -@@ -523,17 +525,16 @@ +@@ -523,17 +456,16 @@ template(`xserver_user_client_template',` gen_require(` @@ -11389,7 +12884,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -542,25 +543,55 @@ +@@ -542,25 +474,55 @@ allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; 
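Review bot: The renamed section headers `# xauth_t Local policy` and `# iceauth_t Local policy` no longer describe what is under them: the domains' own rules moved to xserver.te, and what remains in the template are the `$2`-side rules (`domtrans_pattern($2, xauth_exec_t, xauth_t)`, `allow $2 xauth_t:process signal;`, `ps_process_pattern($2,xauth_t)`, the userdom_use_user_terminals/userdom_read_user_tmp_files grants). Suggest `# $2 interaction with the shared xauth_t domain; xauth_t's own rules live in xserver.te`, and the same wording for iceauth_t. Note also that `userdom_use_user_terminals($1,xauth_t)` and `userdom_read_user_tmp_files($1,xauth_t)` are now evaluated once per role for a single domain, so xauth_t ends up with terminal and tmp access for all instantiated roles combined; a one-line comment there would stop a later reader from tightening one role and expecting per-role scope. xserver_per_role_template starts in an earlier hunk.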
@@ -11453,7 +12948,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ') -@@ -613,6 +644,24 @@ +@@ -593,26 +555,44 @@ + # + template(`xserver_use_user_fonts',` + gen_require(` +- type $1_fonts_t, $1_fonts_cache_t, $1_fonts_config_t; ++ type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; + ') + + # Read per user fonts +- allow $2 $1_fonts_t:dir list_dir_perms; +- allow $2 $1_fonts_t:file read_file_perms; ++ allow $2 user_fonts_t:dir list_dir_perms; ++ allow $2 user_fonts_t:file read_file_perms; + + # Manipulate the global font cache +- manage_dirs_pattern($2,$1_fonts_cache_t,$1_fonts_cache_t) +- manage_files_pattern($2,$1_fonts_cache_t,$1_fonts_cache_t) ++ manage_dirs_pattern($2,user_fonts_cache_t,user_fonts_cache_t) ++ manage_files_pattern($2,user_fonts_cache_t,user_fonts_cache_t) + + # Read per user font config +- allow $2 $1_fonts_config_t:dir list_dir_perms; +- allow $2 $1_fonts_config_t:file read_file_perms; ++ allow $2 user_fonts_config_t:dir list_dir_perms; ++ allow $2 user_fonts_config_t:file read_file_perms; + + userdom_search_user_home_dirs($1,$2) + ') ######################################## ## @@ -11475,13 +12997,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + +######################################## +## - ## Transition to a user Xauthority domain. - ## - ## -@@ -646,6 +695,73 @@ - - ######################################## - ## + ## Transition to a user Xauthority domain. + ## + ## +@@ -638,10 +618,77 @@ + # + template(`xserver_domtrans_user_xauth',` + gen_require(` +- type $1_xauth_t, xauth_exec_t; ++ type xauth_exec_t, xauth_t; ++ ') ++ ++ domtrans_pattern($2, xauth_exec_t, xauth_t) ++') ++ ++######################################## ++## +## Read a user Xauthority domain. +## +## 
@@ -11508,8 +13039,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +template(`xserver_read_user_xauth',` + gen_require(` + type user_xauth_home_t; -+ ') -+ + ') + +- domtrans_pattern($2, xauth_exec_t, $1_xauth_t) + allow $2 user_xauth_home_t:file { getattr read }; +') + @@ -11545,14 +13077,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + + # Read .Iceauthority file + allow $2 user_iceauth_home_t:file { getattr read }; -+') -+ -+######################################## -+## - ## Transition to a user Xauthority domain. - ## - ## -@@ -671,10 +787,10 @@ + ') + + ######################################## +@@ -671,10 +718,10 @@ # template(`xserver_user_home_dir_filetrans_user_xauth',` gen_require(` @@ -11565,7 +13093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -760,7 +876,7 @@ +@@ -760,7 +807,7 @@ type xconsole_device_t; ') @@ -11574,7 +13102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -860,6 +976,25 @@ +@@ -860,6 +907,25 @@ ######################################## ## @@ -11600,7 +13128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Read xdm-writable configuration files. ## ## -@@ -914,6 +1049,7 @@ +@@ -914,6 +980,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t) @@ -11608,7 +13136,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -974,6 +1110,37 @@ +@@ -974,6 +1041,37 @@ ######################################## ## 
@@ -11646,7 +13174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1123,7 +1290,7 @@ +@@ -1123,7 +1221,7 @@ type xdm_xserver_tmp_t; ') @@ -11655,7 +13183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1312,3 +1479,45 @@ +@@ -1312,3 +1410,45 @@ files_search_tmp($1) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) ') @@ -11703,7 +13231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.2.5/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/xserver.te 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/xserver.te 2008-01-03 09:15:47.000000000 -0500 @@ -16,6 +16,13 @@ ## @@ -11718,7 +13246,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Allow xdm logins as sysadm ##

##
-@@ -56,6 +63,12 @@ +@@ -26,11 +33,14 @@ + attribute fonts_config_type; + attribute xauth_home_type; + ++type iceauth_t; + type iceauth_exec_t; +-application_executable_file(iceauth_exec_t) ++application_domain(iceauth_t,iceauth_exec_t) + ++type xauth_t; + type xauth_exec_t; +-application_executable_file(xauth_exec_t) ++application_domain(xauth_t, xauth_exec_t) ++role system_r types xauth_t; + + # this is not actually a device, its a pipe + type xconsole_device_t; +@@ -56,6 +66,12 @@ type xdm_var_run_t; files_pid_file(xdm_var_run_t) @@ -11731,7 +13276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser type xdm_tmp_t; files_tmp_file(xdm_tmp_t) typealias xdm_tmp_t alias ice_tmp_t; -@@ -78,6 +91,26 @@ +@@ -78,6 +94,29 @@ type xserver_log_t; logging_log_file(xserver_log_t) @@ -11752,13 +13297,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +files_poly_member(user_xauth_home_t) +userdom_user_home_content(user,user_xauth_home_t) + ++type admin_xauth_home_t; ++files_type(user_xauth_home_t) ++ +type user_xauth_tmp_t; +files_tmp_file(user_xauth_tmp_t) + xserver_common_domain_template(xdm) init_system_domain(xdm_xserver_t,xserver_exec_t) -@@ -96,7 +129,7 @@ +@@ -96,7 +135,7 @@ # allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; @@ -11767,7 +13315,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t self:fifo_file rw_fifo_file_perms; allow xdm_t self:shm create_shm_perms; allow xdm_t self:sem create_sem_perms; -@@ -109,6 +142,8 @@ +@@ -109,6 +148,8 @@ allow xdm_t self:key { search link write }; allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; 
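Review bot: `files_type(user_xauth_home_t)` directly beneath the new `type admin_xauth_home_t;` looks like a copy-paste slip: the admin type ends up with no file attribute at all, while user_xauth_home_t is already covered by the `userdom_user_home_content(user,user_xauth_home_t)` context line just above. The later xserver.te hunk on this page adds `userdom_sysadm_home_dir_filetrans(xauth_t, admin_xauth_home_t, file)`, so files of an attribute-less type will be created in the admin home directory and the generic file-type interfaces (relabeling, admin domains) will not reach them. The line should read `files_type(admin_xauth_home_t)`, or, if this refpolicy version has a sysadm home-content interface analogous to userdom_user_home_content, that one so the type is also recognised as home content.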
@@ -11776,7 +13324,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -131,15 +166,22 @@ +@@ -131,15 +172,22 @@ manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) @@ -11800,7 +13348,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t xdm_xserver_t:process signal; allow xdm_t xdm_xserver_t:unix_stream_socket connectto; -@@ -153,6 +195,7 @@ +@@ -153,6 +201,7 @@ allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xdm_xserver_t:shm rw_shm_perms; @@ -11808,7 +13356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) -@@ -184,6 +227,7 @@ +@@ -184,6 +233,7 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_all_nodes(xdm_t) corenet_udp_bind_all_nodes(xdm_t) @@ -11816,7 +13364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser corenet_tcp_connect_all_ports(xdm_t) corenet_sendrecv_all_client_packets(xdm_t) # xdm tries to bind to biff_port_t -@@ -196,6 +240,7 @@ +@@ -196,6 +246,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -11824,7 +13372,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -208,8 +253,8 @@ +@@ -208,8 +259,8 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) 
@@ -11835,7 +13383,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_getattr_power_mgmt_dev(xdm_t) dev_setattr_power_mgmt_dev(xdm_t) -@@ -245,6 +290,7 @@ +@@ -245,6 +296,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -11843,7 +13391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -256,12 +302,11 @@ +@@ -256,12 +308,11 @@ libs_exec_lib_files(xdm_t) logging_read_generic_logs(xdm_t) @@ -11857,7 +13405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_dontaudit_search_sysadm_home_dirs(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -270,6 +315,10 @@ +@@ -270,6 +321,10 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -11868,7 +13416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t) -@@ -304,7 +353,16 @@ +@@ -304,7 +359,16 @@ ') optional_policy(` @@ -11885,7 +13433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -322,6 +380,10 @@ +@@ -322,6 +386,10 @@ ') optional_policy(` @@ -11896,7 +13444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser loadkeys_exec(xdm_t) ') -@@ -343,8 +405,8 @@ +@@ -343,8 +411,8 @@ ') optional_policy(` @@ -11906,7 +13454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -380,7 +442,7 @@ +@@ -380,7 +448,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; 
@@ -11915,7 +13463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t) -@@ -392,6 +454,15 @@ +@@ -392,6 +460,15 @@ can_exec(xdm_xserver_t, xkb_var_lib_t) files_search_var_lib(xdm_xserver_t) @@ -11931,7 +13479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t) -@@ -404,6 +475,7 @@ +@@ -404,6 +481,7 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_unpriv_users_home_content_files(xdm_xserver_t) @@ -11939,7 +13487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_use_all_users_fonts(xdm_xserver_t) -@@ -420,6 +492,14 @@ +@@ -420,6 +498,14 @@ ') optional_policy(` @@ -11954,7 +13502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser resmgr_stream_connect(xdm_t) ') -@@ -429,47 +509,30 @@ +@@ -429,47 +515,103 @@ ') optional_policy(` @@ -11978,6 +13526,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + # xserver signals unconfined user on startx + unconfined_signal(xdm_xserver_t) + unconfined_getpgid(xdm_xserver_t) ++') ++ ++ ++tunable_policy(`allow_xserver_execmem', ` ++ allow xdm_xserver_t self:process { execheap execmem execstack }; ++') ++ ++ifndef(`distro_redhat',` ++ allow xdm_xserver_t self:process { execheap execmem }; ') -ifdef(`TODO',` 
@@ -12001,28 +13558,88 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser -allow xdm_t polymember:lnk_file { create unlink }; -# xdm needs access for copying .Xauthority into new home -allow xdm_t polymember:file { create getattr write }; -+ -+tunable_policy(`allow_xserver_execmem', ` -+ allow xdm_xserver_t self:process { execheap execmem execstack }; -+') -+ -+ifndef(`distro_redhat',` -+ allow xdm_xserver_t self:process { execheap execmem }; -+') -+ +ifdef(`distro_rhel4',` + allow xdm_xserver_t self:process { execheap execmem }; ') --# ++############################## + # -# Wants to delete .xsession-errors file --# ++# xauth_t Local policy + # -allow xdm_t user_home_type:file unlink; --# ++domtrans_pattern(xdm_xserver_t, xauth_exec_t, xauth_t) ++ ++userdom_user_home_dir_filetrans(user,xauth_t,user_xauth_home_t,file) ++xserver_rw_xdm_tmp_files(xauth_t) ++allow xauth_t self:process signal; ++allow xauth_t self:unix_stream_socket create_stream_socket_perms; ++ ++allow xauth_t user_xauth_home_t:file manage_file_perms; ++allow xdm_t user_xauth_home_t:file append_file_perms; ++ ++manage_dirs_pattern(xauth_t,user_xauth_tmp_t,user_xauth_tmp_t) ++manage_files_pattern(xauth_t,user_xauth_tmp_t,user_xauth_tmp_t) ++files_tmp_filetrans(xauth_t, user_xauth_tmp_t, { file dir }) ++ ++domain_use_interactive_fds(xauth_t) ++ ++files_read_etc_files(xauth_t) ++files_search_pids(xauth_t) ++ ++fs_getattr_xattr_fs(xauth_t) ++fs_search_auto_mountpoints(xauth_t) ++ ++# cjp: why? 
++term_use_ptmx(xauth_t) ++ ++auth_use_nsswitch(xauth_t) ++ ++libs_use_ld_so(xauth_t) ++libs_use_shared_libs(xauth_t) ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_manage_nfs_files(xauth_t) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_files(xauth_t) ++') ++ ++optional_policy(` ++ ssh_sigchld(xauth_t) ++ ssh_read_pipes(xauth_t) ++ ssh_dontaudit_rw_tcp_sockets(xauth_t) ++') ++ ++############################## + # -# Should fix exec of pam_timestamp_check is not closing xdm file descriptor --# ++# iceauth_t Local policy + # -allow pam_t xdm_t:fifo_file { getattr ioctl write }; -') dnl end TODO ++ ++allow iceauth_t user_iceauth_home_t:file manage_file_perms; ++userdom_user_home_dir_filetrans($1,iceauth_t,user_iceauth_home_t,file) ++ ++allow xdm_t user_iceauth_home_t:file read_file_perms; ++ ++fs_search_auto_mountpoints(iceauth_t) ++ ++libs_use_ld_so(iceauth_t) ++libs_use_shared_libs(iceauth_t) ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_manage_nfs_files(iceauth_t) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_files(iceauth_t) ++') ++ ++allow xauth_t admin_xauth_home_t:file manage_file_perms; ++userdom_sysadm_home_dir_filetrans(xauth_t, admin_xauth_home_t, file) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.2.5/policy/modules/system/authlogin.fc --- nsaserefpolicy/policy/modules/system/authlogin.fc 2007-12-12 11:35:28.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/system/authlogin.fc 2007-12-19 05:38:09.000000000 -0500 
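Review bot: The iceauth_t home filetrans call passes a literal `$1` as the user prefix, `userdom_user_home_dir_filetrans($1,iceauth_t,user_iceauth_home_t,file)`, but this is the body of a .te file rather than a template, so m4 will not expand `$1` and the derived type reference will not resolve; the sibling xauth_t rule a few lines up passes `user`, which is presumably what was meant here too: `userdom_user_home_dir_filetrans(user,iceauth_t,user_iceauth_home_t,file)`. The two trailing xauth_t rules (`allow xauth_t admin_xauth_home_t:file manage_file_perms;` and the sysadm home filetrans) sit under the `iceauth_t Local policy` banner; moving them above it keeps the section headings truthful. Since xdm_t gets `append_file_perms` on `user_xauth_home_t` but only `read_file_perms` on `user_iceauth_home_t`, a one-line comment stating why the display manager appends to one and reads the other would help the next maintainer; the rest of xserver.te is outside this hunk.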
@@ -12043,7 +13660,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.2.5/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/authlogin.if 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/authlogin.if 2008-01-03 11:25:12.000000000 -0500 @@ -99,7 +99,7 @@ template(`authlogin_per_role_template',` @@ -12861,7 +14478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.2.5/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/libraries.te 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/libraries.te 2008-01-02 15:02:58.000000000 -0500 @@ -23,6 +23,9 @@ init_system_domain(ldconfig_t,ldconfig_exec_t) role system_r types ldconfig_t; @@ -12898,16 +14515,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar files_search_var_lib(ldconfig_t) files_read_etc_files(ldconfig_t) files_search_tmp(ldconfig_t) -@@ -79,6 +87,8 @@ +@@ -79,6 +87,9 @@ logging_send_syslog_msg(ldconfig_t) userdom_use_all_users_fds(ldconfig_t) +userdom_dontaudit_write_unpriv_user_home_content_files(ldconfig_t) +userdom_manage_unpriv_users_tmp_files(ldconfig_t) ++userdom_manage_unpriv_users_tmp_symlinks(ldconfig_t) ifdef(`hide_broken_symptoms',` optional_policy(` -@@ -96,4 +106,6 @@ +@@ -96,4 +107,6 @@ # and executes ldconfig on it. If you dont allow this kernel installs # blow up. rpm_manage_script_tmp_files(ldconfig_t) 
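Review bot: `userdom_manage_unpriv_users_tmp_symlinks(ldconfig_t)` gives a privileged system domain (ldconfig_t is declared via `init_system_domain` in the context above) create, unlink and rename rights over symlinks in `user_tmp_t`, a location unprivileged users control, which is the classic precondition for symlink-based tampering when a root process operates on paths under /tmp. If the motivation is the same rpm-driven kernel-install case as `rpm_manage_script_tmp_files(ldconfig_t)` below, consider placing the grant in that `optional_policy` block with a comment such as `# rpm scriptlets run ldconfig against per-user tmp content`, or using a dontaudit instead if the aim is only to silence denials. Note also that the interface this line calls, added to userdomain.if later in this patch, is summarised as "Write all unprivileged users lnk_files in /tmp" while it uses `manage_lnk_files_pattern`, so its description understates what it grants.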
@@ -13304,7 +14922,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.2.5/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/modutils.te 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/modutils.te 2008-01-03 10:41:38.000000000 -0500 @@ -42,7 +42,7 @@ # insmod local policy # @@ -13390,7 +15008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti fs_getattr_xattr_fs(depmod_t) -@@ -202,12 +221,14 @@ +@@ -202,16 +221,19 @@ # Read System.map from home directories. files_list_home(depmod_t) @@ -13407,6 +15025,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ') optional_policy(` + rpm_rw_pipes(depmod_t) ++ rpm_manage_script_tmp_files(depmod_t) + ') + + ################################# diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.2.5/policy/modules/system/mount.fc --- nsaserefpolicy/policy/modules/system/mount.fc 2006-11-16 17:15:24.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/system/mount.fc 2007-12-19 05:38:09.000000000 -0500 @@ -13418,7 +15041,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. +/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.2.5/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/mount.te 2007-12-21 02:36:38.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/mount.te 2008-01-02 13:29:31.000000000 -0500 @@ -8,7 +8,7 @@ ## 
@@ -13450,7 +15073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ######################################## # -@@ -36,20 +37,22 @@ +@@ -36,23 +37,26 @@ # # setuid/setgid needed to mount cifs @@ -13476,7 +15099,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. dev_getattr_all_blk_files(mount_t) dev_list_all_dev_nodes(mount_t) -@@ -62,6 +65,7 @@ ++dev_read_usbfs(mount_t) + dev_rw_lvm_control(mount_t) + dev_dontaudit_getattr_all_chr_files(mount_t) + dev_dontaudit_getattr_memory_dev(mount_t) +@@ -62,6 +66,7 @@ storage_raw_write_fixed_disk(mount_t) storage_raw_read_removable_device(mount_t) storage_raw_write_removable_device(mount_t) @@ -13484,7 +15111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. fs_getattr_xattr_fs(mount_t) fs_getattr_cifs(mount_t) -@@ -100,6 +104,8 @@ +@@ -100,6 +105,8 @@ init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) @@ -13493,7 +15120,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. auth_use_nsswitch(mount_t) -@@ -161,6 +167,8 @@ +@@ -161,6 +168,8 @@ fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -13502,7 +15129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -175,6 +183,11 @@ +@@ -175,6 +184,11 @@ ') ') @@ -13514,7 +15141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -192,4 +205,26 @@ +@@ -192,4 +206,26 @@ optional_policy(` files_etc_filetrans_etc_runtime(unconfined_mount_t,file) unconfined_domain(unconfined_mount_t) 
@@ -14903,7 +16530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2007-12-24 06:19:27.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-03 16:34:20.000000000 -0500 @@ -29,8 +29,9 @@ ') @@ -15147,7 +16774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # -@@ -262,43 +235,43 @@ +@@ -262,43 +235,44 @@ # # full control of the home directory 
@@ -15165,16 +16792,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - filetrans_pattern($1_t,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file }) - files_list_home($1_t) + allow $1_t user_home_t:file entrypoint; -+ manage_dirs_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_t) -+ manage_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_t) -+ manage_lnk_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_t) -+ manage_sock_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_t) -+ manage_fifo_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_t) -+ relabel_dirs_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_t) -+ relabel_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_t) -+ relabel_lnk_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_t) -+ relabel_sock_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_t) -+ relabel_fifo_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_t) ++ allow $1_usertype user_home_type:dir_file_class_set { relabelto relabelfrom }; ++ manage_dirs_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type) ++ manage_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type) ++ manage_lnk_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type) ++ manage_sock_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type) ++ manage_fifo_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type) ++ relabel_dirs_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type) ++ relabel_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type) ++ relabel_lnk_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type) ++ relabel_sock_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type) ++ 
relabel_fifo_files_pattern($1_usertype,{ user_home_dir_t user_home_t },user_home_type) + filetrans_pattern($1_usertype,user_home_dir_t,user_home_t,{ dir file lnk_file sock_file fifo_file }) + files_list_home($1_usertype) @@ -15219,7 +16847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -316,14 +289,20 @@ +@@ -316,14 +290,20 @@ ## # template(`userdom_exec_home_template',` @@ -15245,7 +16873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -341,11 +320,10 @@ +@@ -341,11 +321,10 @@ ## # template(`userdom_poly_home_template',` @@ -15261,7 +16889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -369,18 +347,18 @@ +@@ -369,18 +348,18 @@ # template(`userdom_manage_tmp_template',` gen_require(` @@ -15290,7 +16918,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -396,7 +374,13 @@ +@@ -396,7 +375,13 @@ ## # template(`userdom_exec_tmp_template',` @@ -15305,7 +16933,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -510,10 +494,6 @@ +@@ -510,10 +495,6 @@ ## # template(`userdom_exec_generic_pgms_template',` @@ -15316,7 +16944,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo corecmd_exec_bin($1_t) ') -@@ -531,9 +511,6 @@ +@@ -531,9 +512,6 @@ ## # template(`userdom_basic_networking_template',` @@ -15326,7 +16954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1_t self:tcp_socket create_stream_socket_perms; allow $1_t self:udp_socket create_socket_perms; -@@ -548,10 +525,6 @@ +@@ -548,10 +526,6 @@ corenet_udp_sendrecv_all_ports($1_t) corenet_tcp_connect_all_ports($1_t) corenet_sendrecv_all_client_packets($1_t) 
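Review bot: The new `allow $1_usertype user_home_type:dir_file_class_set { relabelto relabelfrom };` lets every domain in `$1_usertype` relabel home content between all types carrying the `user_home_type` attribute, and the manage and relabel patterns below now target that whole attribute instead of `user_home_t`. If the per-application home types introduced elsewhere in this patch (for example `user_xauth_home_t`, which xdm_t may append to) carry that attribute, a user's ordinary processes can move arbitrary files into and out of them, so the type distinction no longer constrains the user's own domains; this is presumably intended so restorecon/chcon work inside a home directory, but it is worth stating. A comment such as `# user domains may relabel freely among user_home_type; per-app home types guard against other domains, not the user's own` would record the trade-off; the enclosing template's header is outside this hunk.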
@@ -15337,7 +16965,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -568,30 +541,29 @@ +@@ -568,30 +542,29 @@ # template(`userdom_xwindows_client_template',` gen_require(` @@ -15384,7 +17012,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -728,7 +700,6 @@ +@@ -717,6 +690,12 @@ + # Stat lost+found. + files_getattr_lost_found_dirs($1_t) + ++ logging_send_syslog_msg($1_usertype) ++ logging_dontaudit_send_audit_msgs($1_t) ++ # Need to to this just so screensaver will work. Should be moved to screensaver domain ++ logging_send_audit_msgs($1_t) ++ selinux_get_enforce_mode($1_t) ++ + # cjp: some of this probably can be removed + selinux_get_fs_mount($1_t) + selinux_validate_context($1_t) +@@ -728,11 +707,11 @@ # for eject storage_getattr_fixed_disk_dev($1_t) @@ -15392,7 +17033,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo auth_read_login_records($1_t) auth_search_pam_console_data($1_t) auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) -@@ -758,10 +729,6 @@ + auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) ++ authlogin_per_role_template($1, $1_t, $1_r) + + init_read_utmp($1_t) + +@@ -758,10 +737,6 @@ dev_read_mouse($1_t) ') @@ -15403,7 +17049,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` alsa_read_rw_config($1_t) ') -@@ -783,20 +750,20 @@ +@@ -783,20 +758,20 @@ ') optional_policy(` @@ -15429,7 +17075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -824,11 +791,18 @@ +@@ -824,11 +799,18 @@ mta_rw_spool($1_t) ') @@ -15452,7 +17098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -@@ -842,13 +816,6 @@ +@@ -842,13 +824,6 @@ ') optional_policy(` 
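Review bot: `logging_dontaudit_send_audit_msgs($1_t)` is immediately followed by `logging_send_audit_msgs($1_t)` in the lines added to this template, so the dontaudit is dead as soon as the allow exists and one of the two should go. Granting audit-message sending to every user domain built by this template means any process running as such a user can write records into the audit trail, which weakens the log as evidence; the existing comment already says the grant belongs in a screensaver domain, so placing it in the screensaver `optional_policy`, or leaving it in the later, narrower template rather than the common one, would be the smaller grant. The same four lines also appear as unchanged context in the unprivileged-user template hunk further down, so after this move they may be applied twice; the enclosing template's header is outside this hunk.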
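Review bot: `authlogin_per_role_template($1, $1_t, $1_r)` is now called from this template, while the unchanged context of a later hunk in this patch still shows the same call in the template that invokes `userdom_restricted_user_template($1)`; if that template is layered on top of this one, as the refpolicy template chain suggests, the per-role template would run twice for the same prefix, which fails if it declares types or is otherwise non-idempotent. Either drop the later call in the same change or add a comment here explaining why both are needed; the enclosing template's header is outside this hunk.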
@@ -15466,7 +17112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo resmgr_stream_connect($1_t) ') -@@ -889,6 +856,8 @@ +@@ -889,6 +864,8 @@ ## # template(`userdom_login_user_template', ` @@ -15475,7 +17121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_base_user_template($1) userdom_manage_home_template($1) -@@ -917,26 +886,26 @@ +@@ -917,26 +894,26 @@ allow $1_t self:context contains; @@ -15516,7 +17162,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo auth_dontaudit_write_login_records($1_t) -@@ -944,43 +913,43 @@ +@@ -944,43 +921,43 @@ # The library functions always try to open read-write first, # then fall back to read-only if it fails. @@ -15578,7 +17224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1014,9 +983,6 @@ +@@ -1014,9 +991,6 @@ domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; @@ -15588,7 +17234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo typeattribute $1_tty_device_t user_ttynode; ############################## -@@ -1025,16 +991,29 @@ +@@ -1025,16 +999,32 @@ # # privileged home directory writers @@ -15621,10 +17267,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo loadkeys_run($1_t,$1_r,$1_tty_device_t) ') + ++ optional_policy(` ++ nsplugin_per_role_template($1, $1_usertype, $1_r) ++ ') ') ####################################### -@@ -1062,6 +1041,13 @@ +@@ -1062,6 +1052,13 @@ userdom_restricted_user_template($1) @@ -15638,7 +17287,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_xwindows_client_template($1) ############################## -@@ -1070,14 +1056,14 @@ +@@ -1070,14 +1067,14 @@ # authlogin_per_role_template($1, $1_t, $1_r) 
@@ -15658,7 +17307,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -1085,33 +1071,14 @@ +@@ -1085,33 +1082,14 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -15698,7 +17347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1121,10 +1088,10 @@ +@@ -1121,10 +1099,10 @@ ##
## ##

@@ -15713,7 +17362,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. -@@ -1187,12 +1154,11 @@ +@@ -1187,12 +1165,11 @@ # and may change other protocols tunable_policy(`user_tcp_server',` corenet_tcp_bind_all_nodes($1_t) @@ -15728,7 +17377,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') # Run pppd in pppd_t by default for user -@@ -1278,8 +1244,6 @@ +@@ -1278,8 +1255,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -15737,7 +17386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1416,6 +1380,7 @@ +@@ -1416,6 +1391,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -15745,7 +17394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1781,10 +1746,14 @@ +@@ -1781,10 +1757,14 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; @@ -15761,7 +17410,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1880,11 +1849,11 @@ +@@ -1880,11 +1860,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -15775,7 +17424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1914,11 +1883,11 @@ +@@ -1914,11 +1894,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` 
@@ -15789,7 +17438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1962,12 +1931,12 @@ +@@ -1962,12 +1942,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -15805,7 +17454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1997,10 +1966,10 @@ +@@ -1997,10 +1977,10 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -15818,7 +17467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2032,11 +2001,47 @@ +@@ -2032,11 +2012,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -15868,7 +17517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2068,10 +2073,10 @@ +@@ -2068,10 +2084,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -15881,7 +17530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2101,11 +2106,11 @@ +@@ -2101,11 +2117,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -15895,7 +17544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2135,11 +2140,11 @@ +@@ -2135,11 +2151,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -15910,7 +17559,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2169,10 +2174,10 @@ +@@ -2169,10 +2185,10 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` 
@@ -15923,7 +17572,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2202,11 +2207,11 @@ +@@ -2202,11 +2218,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -15937,7 +17586,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2236,11 +2241,11 @@ +@@ -2236,11 +2252,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -15951,7 +17600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2270,10 +2275,10 @@ +@@ -2270,10 +2286,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -15964,7 +17613,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2305,12 +2310,12 @@ +@@ -2305,12 +2321,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -15980,7 +17629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2342,10 +2347,10 @@ +@@ -2342,10 +2358,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -15993,7 +17642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2377,12 +2382,12 @@ +@@ -2377,12 +2393,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -16009,7 +17658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2414,12 +2419,12 @@ +@@ -2414,12 +2430,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` 
@@ -16025,7 +17674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2451,12 +2456,12 @@ +@@ -2451,12 +2467,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -16041,7 +17690,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2501,11 +2506,11 @@ +@@ -2501,11 +2517,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -16055,7 +17704,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2550,11 +2555,11 @@ +@@ -2550,11 +2566,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -16069,7 +17718,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2594,11 +2599,11 @@ +@@ -2594,11 +2610,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -16083,7 +17732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2628,11 +2633,11 @@ +@@ -2628,11 +2644,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -16097,7 +17746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2662,11 +2667,11 @@ +@@ -2662,11 +2678,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -16111,7 +17760,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2698,10 +2703,10 @@ +@@ -2698,10 +2714,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` 
@@ -16124,7 +17773,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2733,10 +2738,10 @@ +@@ -2733,10 +2749,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -16137,7 +17786,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2766,12 +2771,12 @@ +@@ -2766,12 +2782,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -16153,7 +17802,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2803,10 +2808,10 @@ +@@ -2803,10 +2819,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -16166,7 +17815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2838,10 +2843,48 @@ +@@ -2838,10 +2854,48 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -16217,7 +17866,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2871,12 +2914,12 @@ +@@ -2871,12 +2925,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -16233,7 +17882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2908,10 +2951,10 @@ +@@ -2908,10 +2962,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -16246,7 +17895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2943,12 +2986,12 @@ +@@ -2943,12 +2997,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` 
@@ -16262,7 +17911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2980,11 +3023,11 @@ +@@ -2980,11 +3034,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -16276,7 +17925,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3016,11 +3059,11 @@ +@@ -3016,11 +3070,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -16290,7 +17939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3052,11 +3095,11 @@ +@@ -3052,11 +3106,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -16304,7 +17953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3088,11 +3131,11 @@ +@@ -3088,11 +3142,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -16318,7 +17967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3124,11 +3167,11 @@ +@@ -3124,11 +3178,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -16332,7 +17981,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3173,10 +3216,10 @@ +@@ -3173,10 +3227,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -16345,7 +17994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) ') -@@ -3217,10 +3260,10 @@ +@@ -3217,10 +3271,10 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -16358,7 +18007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3248,6 +3291,42 @@ +@@ -3248,6 +3302,42 @@ ## ## # 
@@ -16401,7 +18050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo template(`userdom_rw_user_tmpfs_files',` gen_require(` type $1_tmpfs_t; -@@ -4225,11 +4304,11 @@ +@@ -4225,11 +4315,11 @@ # interface(`userdom_search_staff_home_dirs',` gen_require(` @@ -16415,7 +18064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4245,10 +4324,10 @@ +@@ -4245,10 +4335,10 @@ # interface(`userdom_dontaudit_search_staff_home_dirs',` gen_require(` @@ -16428,7 +18077,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4264,11 +4343,11 @@ +@@ -4264,11 +4354,11 @@ # interface(`userdom_manage_staff_home_dirs',` gen_require(` @@ -16442,7 +18091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4283,16 +4362,16 @@ +@@ -4283,16 +4373,16 @@ # interface(`userdom_relabelto_staff_home_dirs',` gen_require(` @@ -16462,7 +18111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## users home directory. ## ## -@@ -4301,33 +4380,48 @@ +@@ -4301,12 +4391,27 @@ ## ## # @@ -16475,40 +18124,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - dontaudit $1 staff_home_t:file append; + dontaudit $1 user_home_t:file append_file_perms; - ') - - ######################################## - ##

--## Read files in the staff users home directory. -+## Do not audit attempts to append to the staff -+## users home directory. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`userdom_read_staff_home_content_files',` -- gen_require(` -- type staff_home_dir_t, staff_home_t; -+interface(`userdom_dontaudit_append_staff_home_content_files',` -+ userdom_dontaudit_append_unpriv_home_content_files($1) +') + +######################################## +## -+## Read files in the staff users home directory. ++## Do not audit attempts to append to the staff ++## users home directory. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`userdom_read_staff_home_content_files',` -+ gen_require(` ++interface(`userdom_dontaudit_append_staff_home_content_files',` ++ userdom_dontaudit_append_unpriv_home_content_files($1) + ') + + ######################################## +@@ -4321,13 +4426,13 @@ + # + interface(`userdom_read_staff_home_content_files',` + gen_require(` +- type staff_home_dir_t, staff_home_t; + type user_home_dir_t, user_home_t; ') @@ -16522,7 +18160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4525,10 +4619,10 @@ +@@ -4525,10 +4630,10 @@ # interface(`userdom_getattr_sysadm_home_dirs',` gen_require(` @@ -16535,7 +18173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4545,10 +4639,10 @@ +@@ -4545,10 +4650,10 @@ # interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` gen_require(` @@ -16548,7 +18186,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4563,10 +4657,10 @@ +@@ -4563,10 +4668,10 @@ # interface(`userdom_search_sysadm_home_dirs',` gen_require(` 
@@ -16561,7 +18199,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4582,10 +4676,10 @@ +@@ -4582,10 +4687,10 @@ # interface(`userdom_dontaudit_search_sysadm_home_dirs',` gen_require(` @@ -16574,7 +18212,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4600,10 +4694,10 @@ +@@ -4600,10 +4705,10 @@ # interface(`userdom_list_sysadm_home_dirs',` gen_require(` @@ -16587,7 +18225,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4619,10 +4713,10 @@ +@@ -4619,10 +4724,10 @@ # interface(`userdom_dontaudit_list_sysadm_home_dirs',` gen_require(` @@ -16600,7 +18238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4638,12 +4732,11 @@ +@@ -4638,12 +4743,11 @@ # interface(`userdom_dontaudit_read_sysadm_home_content_files',` gen_require(` @@ -16616,7 +18254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4670,10 +4763,10 @@ +@@ -4670,10 +4774,10 @@ # interface(`userdom_sysadm_home_dir_filetrans',` gen_require(` @@ -16629,7 +18267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4688,10 +4781,10 @@ +@@ -4688,10 +4792,10 @@ # interface(`userdom_search_sysadm_home_content_dirs',` gen_require(` @@ -16642,7 +18280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4706,13 +4799,13 @@ +@@ -4706,13 +4810,13 @@ # interface(`userdom_read_sysadm_home_content_files',` gen_require(` 
@@ -16660,7 +18298,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4748,11 +4841,48 @@ +@@ -4748,11 +4852,48 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -16710,7 +18348,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4772,6 +4902,14 @@ +@@ -4772,6 +4913,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -16725,7 +18363,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5109,7 +5247,7 @@ +@@ -5109,7 +5258,7 @@ # interface(`userdom_relabelto_generic_user_home_dirs',` gen_require(` @@ -16734,7 +18372,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5298,6 +5436,49 @@ +@@ -5298,6 +5447,49 @@ ######################################## ## @@ -16784,7 +18422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete directories in ## unprivileged users home directories. ## -@@ -5503,6 +5684,24 @@ +@@ -5503,6 +5695,42 @@ ######################################## ## @@ -16806,10 +18444,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + +######################################## +## ++## Write all unprivileged users lnk_files in /tmp ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_manage_unpriv_users_tmp_symlinks',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) ++') ++ ++######################################## ++## ## Read and write unprivileged user ttys. ## ## -@@ -5668,6 +5867,42 @@ +@@ -5668,6 +5896,42 @@ ######################################## ## 
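Review bot: The summary on the new `userdom_manage_unpriv_users_tmp_symlinks` interface understates what it grants: `manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)` allows creating, renaming and unlinking symlinks as well as writing them, and it covers every object labeled user_tmp_t, not only /tmp. Since planting symlinks in another user's temporary area is a well-known symlink-race primitive, callers should see the full scope in the summary, e.g. `## Create, read, write, delete and rename symbolic links labeled user_tmp_t (unprivileged users' temporary files).`. The "Write ... lnk_files" wording should be dropped so the interface name and its description agree.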
@@ -16852,7 +18508,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5698,3 +5933,277 @@ +@@ -5698,3 +5962,277 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -17132,8 +18788,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.2.5/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/userdomain.te 2007-12-19 05:38:09.000000000 -0500 -@@ -17,20 +17,13 @@ ++++ serefpolicy-3.2.5/policy/modules/system/userdomain.te 2008-01-02 14:18:19.000000000 -0500 +@@ -2,12 +2,7 @@ + policy_module(userdomain,2.5.0) + + gen_require(` +- role sysadm_r, staff_r, user_r; +- +- ifdef(`enable_mls',` +- role secadm_r; +- role auditadm_r; +- ') ++ role sysadm_r; + ') + + ######################################## +@@ -17,20 +12,13 @@ ## ##

@@ -17155,7 +18825,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Allow users to connect to PostgreSQL ##

##
-@@ -74,6 +67,9 @@ +@@ -74,6 +62,9 @@ # users home directory contents attribute home_type; @@ -17165,10 +18835,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # The privhome attribute identifies every domain that can create files under # regular user home directories in the regular context (IE act on behalf of # a user in writing regular files) -@@ -101,6 +97,43 @@ +@@ -101,40 +92,49 @@ attribute untrusted_content_type; attribute untrusted_content_tmp_type; +-######################################## +-# +-# Local policy +-# +type admin_home_t, home_type; +files_type(admin_home_t) +files_associate_tmp(admin_home_t) 
@@ -17192,24 +18866,54 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +files_poly(user_home_dir_t) +files_poly_member(user_home_dir_t) +files_poly_parent(user_home_dir_t) -+ + +-userdom_admin_user_template(sysadm) +-userdom_unpriv_user_template(staff) +-userdom_unpriv_user_template(user) +type user_tmp_t, user_file_type, user_tmpfile; +files_tmp_file(user_tmp_t) -+ + +-# user role change rules: +-# sysadm_r can change to user roles +-userdom_role_change_template(sysadm, user) +-userdom_role_change_template(sysadm, staff) +- +-# only staff_r can change to sysadm_r +-userdom_role_change_template(staff, sysadm) +-dontaudit staff_t admin_terminal:chr_file { read write }; +- +-ifdef(`enable_mls',` +- userdom_unpriv_user_template(secadm) +- userdom_unpriv_user_template(auditadm) +############################## +# +# User home directory file rules +# -+ + +- userdom_role_change_template(staff, auditadm) +- userdom_role_change_template(staff, secadm) +allow user_file_type user_home_t:filesystem associate; -+ + +- userdom_role_change_template(sysadm, secadm) +- userdom_role_change_template(sysadm, auditadm) +# Rules used to associate a homedir as a mountpoint +allow user_home_t self:filesystem associate; -+ + +- userdom_role_change_template(auditadm, secadm) +- userdom_role_change_template(auditadm, sysadm) ++######################################## ++# ++# Local policy ++# + +- userdom_role_change_template(secadm, auditadm) +- userdom_role_change_template(secadm, sysadm) +-') ++userdom_admin_user_template(sysadm) + ######################################## # - # Local policy -@@ -154,6 +187,11 @@ +@@ -154,6 +154,11 @@ init_exec(sysadm_t) 
@@ -17221,7 +18925,55 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Following for sending reboot and wall messages userdom_use_unpriv_users_ptys(sysadm_t) userdom_use_unpriv_users_ttys(sysadm_t) -@@ -224,6 +262,10 @@ +@@ -170,46 +175,7 @@ + ') + ') + +-ifdef(`enable_mls',` +- allow auditadm_t self:capability { dac_read_search dac_override }; +- seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t }) +- domain_kill_all_domains(auditadm_t) +- seutil_read_bin_policy(auditadm_t) +- corecmd_exec_shell(auditadm_t) +- logging_send_syslog_msg(auditadm_t) +- logging_read_generic_logs(auditadm_t) +- logging_manage_audit_log(auditadm_t) +- logging_manage_audit_config(auditadm_t) +- logging_run_auditctl(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t }) +- logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t }) +- userdom_dontaudit_read_sysadm_home_content_files(auditadm_t) +- +- allow secadm_t self:capability { dac_read_search dac_override }; +- corecmd_exec_shell(secadm_t) +- domain_obj_id_change_exemption(secadm_t) +- mls_process_read_up(secadm_t) +- mls_file_read_all_levels(secadm_t) +- mls_file_write_all_levels(secadm_t) +- mls_file_upgrade(secadm_t) +- mls_file_downgrade(secadm_t) +- auth_relabel_all_files_except_shadow(secadm_t) +- dev_relabel_all_dev_nodes(secadm_t) +- auth_relabel_shadow(secadm_t) +- init_exec(secadm_t) +- logging_read_audit_log(secadm_t) +- logging_read_generic_logs(secadm_t) +- logging_read_audit_config(secadm_t) +- userdom_dontaudit_append_staff_home_content_files(secadm_t) +- userdom_dontaudit_read_sysadm_home_content_files(secadm_t) +- +- optional_policy(` +- aide_run(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t }) +- ') +- +- optional_policy(` +- netlabel_run_mgmt(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t }) +- ') +-',` ++ifdef(`enable_mls',`',` + logging_manage_audit_log(sysadm_t) + 
logging_manage_audit_config(sysadm_t) + logging_run_auditctl(sysadm_t, sysadm_r, admin_terminal) +@@ -224,6 +190,10 @@ ') optional_policy(` @@ -17232,7 +18984,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo apache_run_helper(sysadm_t, sysadm_r, admin_terminal) #apache_run_all_scripts(sysadm_t, sysadm_r) #apache_domtrans_sys_script(sysadm_t) -@@ -279,14 +321,6 @@ +@@ -279,14 +249,6 @@ ') optional_policy(` @@ -17247,7 +18999,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo cron_admin_template(sysadm, sysadm_t, sysadm_r) ') -@@ -352,6 +386,10 @@ +@@ -302,12 +264,9 @@ + + optional_policy(` + dmesg_exec(sysadm_t) +- +- ifdef(`enable_mls',` +- dmesg_exec(auditadm_t) +- ') + ') + ++ + optional_policy(` + dmidecode_run(sysadm_t, sysadm_r, admin_terminal) + ') +@@ -352,6 +311,10 @@ ') optional_policy(` @@ -17258,7 +19024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo lvm_run(sysadm_t, sysadm_r, admin_terminal) ') -@@ -387,6 +425,10 @@ +@@ -387,6 +350,10 @@ ') optional_policy(` @@ -17269,7 +19035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo netutils_run(sysadm_t, sysadm_r, admin_terminal) netutils_run_ping(sysadm_t, sysadm_r, admin_terminal) netutils_run_traceroute(sysadm_t, sysadm_r, admin_terminal) -@@ -436,15 +478,20 @@ +@@ -436,15 +403,19 @@ optional_policy(` samba_run_net(sysadm_t, sysadm_r, admin_terminal) 
@@ -17283,14 +19049,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo seutil_run_runinit(sysadm_t, sysadm_r, admin_terminal) ifdef(`enable_mls',` - userdom_security_admin_template(secadm_t, secadm_r, { secadm_tty_device_t sysadm_devpts_t }) +- userdom_security_admin_template(secadm_t, secadm_r, { secadm_tty_device_t sysadm_devpts_t }) +# tunable_policy(`allow_sysadm_manage_security',` + userdom_security_admin_template(sysadm_t, sysadm_r, admin_terminal) +# ') ', ` userdom_security_admin_template(sysadm_t, sysadm_r, admin_terminal) ') -@@ -487,3 +534,15 @@ +@@ -487,3 +458,8 @@ optional_policy(` yam_run(sysadm_t, sysadm_r, admin_terminal) ') @@ -17299,13 +19065,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + term_use_console(userdomain) +') + -+optional_policy(` -+ netutils_run_ping_cond(user_t,user_r,{ user_tty_device_t user_devpts_t }) -+ netutils_run_ping_cond(staff_t,staff_r,{ staff_tty_device_t staff_devpts_t }) -+ netutils_run_traceroute_cond(user_t,user_r,{ user_tty_device_t user_devpts_t }) -+ netutils_run_traceroute_cond(staff_t,staff_r,{ staff_tty_device_t staff_devpts_t }) -+') -+ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.fc serefpolicy-3.2.5/policy/modules/system/virt.fc --- nsaserefpolicy/policy/modules/system/virt.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/system/virt.fc 2007-12-19 05:38:09.000000000 -0500 
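Review bot: In the `ifdef(`enable_mls'` branch the `tunable_policy(`allow_sysadm_manage_security'` wrapper is commented out, so `userdom_security_admin_template(sysadm_t, sysadm_r, admin_terminal)` is now granted unconditionally under MLS and both branches of the ifdef are identical; that hands sysadm_t the same security-administration rights that the new users/secadm.te module in this patch exists to keep separate from it. If the template cannot sit inside a tunable because it carries role and domain transitions (worth confirming against userdomain.if), the dead commented-out lines should go and the decision made explicit: either keep the MLS branch empty with `# MLS: security administration is delegated to secadm_t (users/secadm.te)`, or collapse the ifdef to one unconditional call with a comment saying sysadm_t deliberately overlaps secadm_t under MLS. A commented-out tunable that is never declared with gen_tunable will mislead the next reader into thinking the separation is switchable.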
@@ -17615,6 +19374,45 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te + fs_read_nfs_symlinks(xend_t) + fstools_manage_nfs(xend_t) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/auditadm.fc serefpolicy-3.2.5/policy/modules/users/auditadm.fc +--- nsaserefpolicy/policy/modules/users/auditadm.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/users/auditadm.fc 2008-01-02 11:37:55.000000000 -0500 +@@ -0,0 +1 @@ ++# No auditadm file contexts. +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/auditadm.if serefpolicy-3.2.5/policy/modules/users/auditadm.if +--- nsaserefpolicy/policy/modules/users/auditadm.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/users/auditadm.if 2008-01-02 11:36:36.000000000 -0500 +@@ -0,0 +1 @@ ++## Policy for auditadm user +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/auditadm.te serefpolicy-3.2.5/policy/modules/users/auditadm.te +--- nsaserefpolicy/policy/modules/users/auditadm.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/users/auditadm.te 2008-01-02 11:38:04.000000000 -0500 +@@ -0,0 +1,25 @@ ++policy_module(auditadm,1.0.1) ++gen_require(` ++ role staff_r; ++') ++ ++userdom_unpriv_user_template(auditadm) ++ ++userdom_role_change_template(staff, auditadm) ++ ++allow auditadm_t self:capability { dac_read_search dac_override }; ++seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t }) ++domain_kill_all_domains(auditadm_t) ++seutil_read_bin_policy(auditadm_t) ++corecmd_exec_shell(auditadm_t) ++logging_send_syslog_msg(auditadm_t) ++logging_read_generic_logs(auditadm_t) ++logging_manage_audit_log(auditadm_t) ++logging_manage_audit_config(auditadm_t) ++logging_run_auditctl(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t }) ++logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t 
auditadm_devpts_t }) ++userdom_dontaudit_read_sysadm_home_content_files(auditadm_t) ++ ++optional_policy(` ++ dmesg_exec(auditadm_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.fc serefpolicy-3.2.5/policy/modules/users/guest.fc --- nsaserefpolicy/policy/modules/users/guest.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/users/guest.fc 2007-12-19 05:38:09.000000000 -0500 @@ -17680,6 +19478,143 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/metadat +++ serefpolicy-3.2.5/policy/modules/users/metadata.xml 2007-12-19 05:38:09.000000000 -0500 
@@ -0,0 +1 @@ +Policy modules for users +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/secadm.fc serefpolicy-3.2.5/policy/modules/users/secadm.fc +--- nsaserefpolicy/policy/modules/users/secadm.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/users/secadm.fc 2008-01-02 11:40:47.000000000 -0500 +@@ -0,0 +1 @@ ++# No secadm file contexts. +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/secadm.if serefpolicy-3.2.5/policy/modules/users/secadm.if +--- nsaserefpolicy/policy/modules/users/secadm.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/users/secadm.if 2008-01-02 11:40:35.000000000 -0500 +@@ -0,0 +1 @@ ++## Policy for secadm user +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/secadm.te serefpolicy-3.2.5/policy/modules/users/secadm.te +--- nsaserefpolicy/policy/modules/users/secadm.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/users/secadm.te 2008-01-02 14:52:04.000000000 -0500 +@@ -0,0 +1,39 @@ ++policy_module(secadm,1.0.1) ++gen_require(` ++ role staff_r; ++') ++ ++userdom_unpriv_user_template(secadm) ++userdom_role_change_template(staff, secadm) ++ ++allow secadm_t self:capability { dac_read_search dac_override }; ++corecmd_exec_shell(secadm_t) ++domain_obj_id_change_exemption(secadm_t) ++mls_process_read_up(secadm_t) ++mls_file_read_all_levels(secadm_t) ++mls_file_write_all_levels(secadm_t) ++mls_file_upgrade(secadm_t) ++mls_file_downgrade(secadm_t) ++auth_relabel_all_files_except_shadow(secadm_t) ++dev_relabel_all_dev_nodes(secadm_t) ++auth_relabel_shadow(secadm_t) ++init_exec(secadm_t) ++logging_read_audit_log(secadm_t) ++logging_read_generic_logs(secadm_t) ++logging_read_audit_config(secadm_t) ++userdom_dontaudit_append_staff_home_content_files(secadm_t) ++userdom_dontaudit_read_sysadm_home_content_files(secadm_t) ++ ++userdom_security_admin_template(secadm_t, secadm_r, { secadm_tty_device_t 
secadm_devpts_t }) ++ ++optional_policy(` ++ aide_run(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t }) ++') ++ ++optional_policy(` ++ netlabel_run_mgmt(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t }) ++') ++ ++optional_policy(` ++ dmesg_exec(secadm_t) ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.fc serefpolicy-3.2.5/policy/modules/users/staff.fc +--- nsaserefpolicy/policy/modules/users/staff.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/users/staff.fc 2008-01-02 11:12:56.000000000 -0500 +@@ -0,0 +1 @@ ++# No staff file contexts. +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.if serefpolicy-3.2.5/policy/modules/users/staff.if +--- nsaserefpolicy/policy/modules/users/staff.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/users/staff.if 2008-01-02 11:13:02.000000000 -0500 +@@ -0,0 +1 @@ ++## Policy for staff user +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.2.5/policy/modules/users/staff.te +--- nsaserefpolicy/policy/modules/users/staff.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/users/staff.te 2008-01-03 17:06:13.000000000 -0500 +@@ -0,0 +1,31 @@ ++policy_module(staff,1.0.1) ++userdom_unpriv_user_template(staff) ++ ++# only staff_r can change to sysadm_r ++userdom_role_change_template(staff, sysadm) ++userdom_dontaudit_use_sysadm_terms(staff_t) ++ ++optional_policy(` ++ xserver_per_role_template(staff, staff_t, staff_r) ++') ++ ++sudo_per_role_template(staff, staff_t, staff_r) ++seutil_run_newrole(staff_t, staff_r, { staff_tty_device_t staff_devpts_t }) ++ ++optional_policy(` ++ java_per_role_template(staff, staff_t, staff_r) ++') ++ ++optional_policy(` ++ mono_per_role_template(staff, staff_t, staff_r) ++') ++ ++optional_policy(` ++ gpg_per_role_template(staff, staff_usertype, staff_r) ++') ++ ++optional_policy(` ++ 
netutils_run_ping_cond(staff_t,staff_r,{ staff_tty_device_t staff_devpts_t }) ++ netutils_run_traceroute_cond(staff_t,staff_r,{ staff_tty_device_t staff_devpts_t }) ++') ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.fc serefpolicy-3.2.5/policy/modules/users/user.fc +--- nsaserefpolicy/policy/modules/users/user.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/users/user.fc 2008-01-02 11:13:33.000000000 -0500 +@@ -0,0 +1 @@ ++# No user file contexts. +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.if serefpolicy-3.2.5/policy/modules/users/user.if +--- nsaserefpolicy/policy/modules/users/user.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/users/user.if 2008-01-02 11:13:21.000000000 -0500 +@@ -0,0 +1 @@ ++## Policy for user user +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.te serefpolicy-3.2.5/policy/modules/users/user.te +--- nsaserefpolicy/policy/modules/users/user.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/users/user.te 2008-01-03 13:17:42.000000000 -0500 +@@ -0,0 +1,25 @@ ++policy_module(user,1.0.1) ++userdom_unpriv_user_template(user) ++ ++optional_policy(` ++ java_per_role_template(user, user_t, user_r) ++') ++ ++optional_policy(` ++ mono_per_role_template(user, user_t, user_r) ++') ++ ++optional_policy(` ++ xserver_per_role_template(user, user_t, user_r) ++') ++ ++optional_policy(` ++ gpg_per_role_template(user, user_usertype, user_r) ++') ++ ++optional_policy(` ++ netutils_run_ping_cond(user_t,user_r,{ user_tty_device_t user_devpts_t }) ++ netutils_run_traceroute_cond(user_t,user_r,{ user_tty_device_t user_devpts_t }) ++') ++ ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.fc serefpolicy-3.2.5/policy/modules/users/webadm.fc --- nsaserefpolicy/policy/modules/users/webadm.fc 1969-12-31 19:00:00.000000000 -0500 +++ 
serefpolicy-3.2.5/policy/modules/users/webadm.fc 2007-12-19 05:38:09.000000000 -0500 @@ -17692,7 +19627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm. +## Policy for webadm user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.2.5/policy/modules/users/webadm.te --- nsaserefpolicy/policy/modules/users/webadm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/users/webadm.te 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/users/webadm.te 2008-01-02 11:22:34.000000000 -0500 @@ -0,0 +1,42 @@ +policy_module(webadm,1.0.0) + @@ -17732,10 +19667,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm. +apache_admin(webadm_t, webadm_r, { webadm_devpts_t webadm_tty_device_t }) + +gen_require(` -+ type gadmin_t; ++ type staff_t; +') -+allow gadmin_t webadm_t:process transition; -+allow webadm_t gadmin_t:dir getattr; ++allow staff_t webadm_t:process transition; ++allow webadm_t staff_t:dir getattr; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.fc serefpolicy-3.2.5/policy/modules/users/xguest.fc --- nsaserefpolicy/policy/modules/users/xguest.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/users/xguest.fc 2007-12-19 05:38:09.000000000 -0500 diff --git a/selinux-policy.spec b/selinux-policy.spec index 44830cd..a870114 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.2.5 -Release: 7%{?dist} +Release: 8%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -386,6 +386,9 @@ exit 0 %endif %changelog +* Wed Jan 2 2008 Dan Walsh 3.2.5-8 +- Change user and staff roles to work correctly with varied perms + * Mon Dec 31 2007 Dan Walsh 3.2.5-7 - Fix munin log, - Eliminate duplicate mozilla file context
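Review bot: In the new users/staff.te, `sudo_per_role_template(staff, staff_t, staff_r)` is called outside `optional_policy(`...')`, unlike every other per-role template in that file and in the neighbouring user.te; if the sudo module is not loaded (nothing in this patch shows it as part of base), the staff module will fail to link on the undefined template. Wrap it as `optional_policy(` / `sudo_per_role_template(staff, staff_t, staff_r)` / `')`; `seutil_run_newrole` can stay unconditional since seutil is a system-layer base interface. Separately, the new users/secadm.te reaches full security-admin privilege (`mls_file_write_all_levels`, `auth_relabel_shadow`, `dev_relabel_all_dev_nodes`, `domain_obj_id_change_exemption`) from staff_r via `userdom_role_change_template(staff, secadm)`, while the sysadm_r<->secadm_r and auditadm_r<->secadm_r transitions that the removed userdomain.te code carried are gone — presumably intentional, but a header comment in secadm.te stating that staff_r is the only entry path into secadm_r would pin that down for reviewers.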
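Review bot: The raw `allow staff_t webadm_t:process transition;` with an inline `gen_require` in webadm.te bypasses the `userdom_role_change_template` interface that the sibling users/staff.te, secadm.te and auditadm.te modules in this same patch use, and by itself it does not add the `allow staff_r webadm_r` role allow that a newrole from staff_r needs, so the transition may still be refused unless that role allow exists somewhere outside this hunk. Assuming webadm_r/webadm_t were declared through the userdom templates higher in webadm.te (outside this hunk), replace the block with `userdom_role_change_template(staff, webadm)` and drop the `gen_require`; keep `allow webadm_t staff_t:dir getattr;` only if a concrete denial motivated it, with a comment naming it.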