diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te index a49a055..66d899e 100644 --- a/refpolicy/policy/modules/admin/consoletype.te +++ b/refpolicy/policy/modules/admin/consoletype.te @@ -35,6 +35,7 @@ kernel_use_fd(consoletype_t) kernel_dontaudit_read_system_state(consoletype_t) fs_getattr_all_fs(consoletype_t) +fs_search_auto_mountpoints(consoletype_t) term_use_console(consoletype_t) term_use_unallocated_tty(consoletype_t) @@ -58,6 +59,10 @@ optional_policy(`authlogin.te', ` auth_read_pam_pid(consoletype_t) ') +optional_policy(`nis.te',` + nis_use_ypbind(consoletype_t) +') + optional_policy(`userdomain.te',` userdom_use_unpriv_users_fd(consoletype_t) ') @@ -73,12 +78,6 @@ allow consoletype_t nfs_t:file write; allow consoletype_t crond_t:fifo_file r_file_perms; allow consoletype_t system_crond_t:fd use; -can_ypbind(consoletype_t) - -optional_policy(`automount.te', ` -allow consoletype_t autofs_t:dir { search getattr }; -') - optional_policy(`xdm.te', ` domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t) allow consoletype_t xdm_tmp_t:file rw_file_perms; diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te index 110bd14..ead44ee 100644 --- a/refpolicy/policy/modules/admin/dmesg.te +++ b/refpolicy/policy/modules/admin/dmesg.te @@ -22,11 +22,14 @@ dontaudit dmesg_t self:capability sys_tty_config; allow dmesg_t self:process signal_perms; kernel_read_kernel_sysctl(dmesg_t) -dev_read_sysfs(dmesg_t) kernel_read_ring_buffer(dmesg_t) kernel_clear_ring_buffer(dmesg_t) kernel_change_ring_buffer_level(dmesg_t) +dev_read_sysfs(dmesg_t) + +fs_search_auto_mountpoints(dmesg_t) + term_dontaudit_use_console(dmesg_t) domain_use_wide_inherit_fd(dmesg_t) 
@@ -67,11 +70,7 @@ ifdef(`TODO',` allow dmesg_t proc_t:dir r_dir_perms; allow dmesg_t proc_t:lnk_file read; -optional_policy(`rhgb.te', ` -allow dmesg_t rhgb_t:process sigchld; -allow dmesg_t rhgb_t:fd use; -allow dmesg_t rhgb_t:fifo_file rw_file_perms; +optional_policy(`rhgb.te',` +rhgb_domain(dmesg_t) ') - -allow dmesg_t autofs_t:dir { search getattr }; ') dnl endif TODO diff --git a/refpolicy/policy/modules/admin/netutils.if b/refpolicy/policy/modules/admin/netutils.if index db3e743..f40ec6c 100644 --- a/refpolicy/policy/modules/admin/netutils.if +++ b/refpolicy/policy/modules/admin/netutils.if @@ -1,8 +1,12 @@ ## Network analysis utilities -####################################### -# -# netutils_domtrans(domain) +######################################## +## +## Execute network utilities in the netutils domain. +## +## +## The type of the process performing this action. +## # interface(`netutils_domtrans',` gen_require(` @@ -20,9 +24,39 @@ interface(`netutils_domtrans',` allow netutils_t $1:process sigchld; ') -####################################### +######################################## +## +## Execute network utilities in the netutils domain, and +## allow the specified role the netutils domain. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the netutils domain. +## +## +## The type of the terminal allow the netutils domain to use. +## # -# netutils_exec(domain) +interface(`netutils_run',` + gen_require(` + type netutils_t; + class chr_file rw_term_perms; + ') + + netutils_domtrans($1) + role $2 types netutils_t; + allow netutils_t $3:chr_file rw_term_perms; +') + +######################################## +## +## Execute network utilities in the caller domain. +## +## +## The type of the process performing this action. +## # interface(`netutils_exec',` gen_require(` 
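Review bot: The third parameter description of the new `netutils_run` interface in netutils.if reads "The type of the terminal allow the netutils domain to use", which is missing a word; the same sentence is repeated for `netutils_run_ping` and `netutils_run_traceroute` in the next hunk. Suggested wording: `The type of the terminal the netutils domain is allowed to use.` The interface grants `rw_term_perms` on `$3:chr_file`, so this description is the only place a caller learns that whatever type or attribute is passed becomes readable and writable by the domain, and it should be precise.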
@@ -31,3 +65,135 @@ interface(`netutils_exec',` can_exec($1,netutils_exec_t) ') + +######################################## +## +## Execute ping in the ping domain. +## +## +## The type of the process performing this action. +## +# +interface(`netutils_domtrans_ping',` + gen_require(` + type ping_t, ping_exec_t; + class process sigchld; + class fd use; + class fifo_file rw_file_perms; + ') + + domain_auto_trans($1,ping_exec_t,ping_t) + + allow $1 ping_t:fd use; + allow ping_t $1:fd use; + allow ping_t $1:fifo_file rw_file_perms; + allow ping_t $1:process sigchld; +') + +######################################## +## +## Execute ping in the ping domain, and +## allow the specified role the ping domain. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the ping domain. +## +## +## The type of the terminal allow the ping domain to use. +## +# +interface(`netutils_run_ping',` + gen_require(` + type ping_t; + class chr_file rw_term_perms; + ') + + netutils_domtrans_ping($1) + role $2 types ping_t; + allow ping_t $3:chr_file rw_term_perms; +') + +######################################## +## +## Execute ping in the caller domain. +## +## +## The type of the process performing this action. +## +# +interface(`netutils_exec_ping',` + gen_require(` + type ping_exec_t; + ') + + can_exec($1,ping_exec_t) +') + +######################################## +## +## Execute traceroute in the traceroute domain. +## +## +## The type of the process performing this action. 
+## +# +interface(`netutils_domtrans_traceroute',` + gen_require(` + type traceroute_t, traceroute_exec_t; + class process sigchld; + class fd use; + class fifo_file rw_file_perms; + ') + + domain_auto_trans($1,traceroute_exec_t,traceroute_t) + + allow $1 traceroute_t:fd use; + allow traceroute_t $1:fd use; + allow traceroute_t $1:fifo_file rw_file_perms; + allow traceroute_t $1:process sigchld; +') + +######################################## +## +## Execute traceroute in the traceroute domain, and +## allow the specified role the traceroute domain. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the traceroute domain. +## +## +## The type of the terminal allow the traceroute domain to use. +## +# +interface(`netutils_run_traceroute',` + gen_require(` + type traceroute_t; + class chr_file rw_term_perms; + ') + + netutils_domtrans_traceroute($1) + role $2 types traceroute_t; + allow traceroute_t $3:chr_file rw_term_perms; +') + +######################################## +## +## Execute traceroute in the caller domain. +## +## +## The type of the process performing this action. +## +# +interface(`netutils_exec_traceroute',` + gen_require(` + type traceroute_exec_t; + ') + + can_exec($1,traceroute_exec_t) +') diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te index ce6656f..a6b8fb2 100644 --- a/refpolicy/policy/modules/admin/netutils.te +++ b/refpolicy/policy/modules/admin/netutils.te @@ -54,15 +54,15 @@ corenet_udp_bind_all_nodes(netutils_t) fs_getattr_xattr_fs(netutils_t) -init_use_fd(netutils_t) -init_use_script_pty(netutils_t) - domain_use_wide_inherit_fd(netutils_t) files_read_generic_etc_files(netutils_t) # for nscd files_dontaudit_search_var(netutils_t) +init_use_fd(netutils_t) +init_use_script_pty(netutils_t) + libs_use_ld_so(netutils_t) libs_use_shared_libs(netutils_t) 
@@ -70,18 +70,14 @@ logging_send_syslog_msg(netutils_t) miscfiles_read_localization(netutils_t) -ifdef(`TODO',` -role sysadm_r types netutils_t; - -can_ypbind(netutils_t) +userdom_use_all_user_fd(netutils_t) -domain_auto_trans(sysadm_t, netutils_exec_t, netutils_t) +optional_policy(`nis.te',` + nis_use_ypbind(netutils_t) +') -# Inherit and use descriptors from init. -allow netutils_t userdomain:fd use; +ifdef(`TODO',` -# Access terminals. -allow netutils_t admin_tty_type:chr_file rw_file_perms; ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;') allow netutils_t proc_t:dir search; @@ -129,14 +125,11 @@ tunable_policy(`user_ping',` term_use_all_user_ptys(ping_t) ') -ifdef(`TODO',` -can_ypbind(ping_t) - -domain_auto_trans(sysadm_t, ping_exec_t, ping_t) -role sysadm_r types ping_t; -allow ping_t admin_tty_type:chr_file rw_file_perms; -ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;') +optional_policy(`nis.te',` + nis_use_ypbind(ping_t) +') +ifdef(`TODO',` in_user_role(ping_t) tunable_policy(`user_ping',` domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t) @@ -193,23 +186,16 @@ tunable_policy(`user_ping',` term_use_all_user_ptys(traceroute_t) ') -ifdef(`TODO',` -role sysadm_r types traceroute_t; - -can_ypbind(traceroute_t) - -# Transition into this domain when you run this program. -domain_auto_trans(sysadm_t, traceroute_exec_t, traceroute_t) - -# Access the terminal. -allow traceroute_t admin_tty_type:chr_file rw_file_perms; -ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;') +optional_policy(`nis.te',` + nis_use_ypbind(traceroute_t) +') +ifdef(`TODO',` in_user_role(traceroute_t) tunable_policy(`user_ping',` domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t) ') - +ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;') #rules needed for nmap dontaudit traceroute_t userdomain:dir search; ') dnl end TODO 
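Review bot: The deleted TODO lines `role sysadm_r types netutils_t;`, `domain_auto_trans(sysadm_t, netutils_exec_t, netutils_t)` and the `admin_tty_type` terminal rule have no visible replacement in this netutils.te hunk, and the same lines are dropped for `ping_t` and `traceroute_t` in the two hunks that follow. The intended replacement is presumably a call to the new `netutils_run`, `netutils_run_ping` and `netutils_run_traceroute` interfaces from the sysadm domain, but no such call appears in this part of the diff. If it is not added elsewhere in the commit, the record of which role and domain may enter these domains is lost, so either add the calls or keep a one-line marker such as `# TODO: netutils_run(sysadm_t, sysadm_r, <admin terminal type>)`. Note also that the new interfaces grant `rw_term_perms` on the terminal where the old rule granted `rw_file_perms`.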
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te index 1da9add..c2a81ad 100644 --- a/refpolicy/policy/modules/admin/rpm.te +++ b/refpolicy/policy/modules/admin/rpm.te @@ -117,9 +117,10 @@ dev_read_urand(rpm_t) #devices_manage_all_device_types(rpm_t) #fs_manage_nfs_dir(rpm_t) -#fs_manage_nfs_files(rpm_t) +fs_manage_nfs_files(rpm_t) fs_manage_nfs_symlinks(rpm_t) fs_getattr_all_fs(rpm_t) +fs_search_auto_mountpoints(rpm_t) storage_raw_write_fixed_disk(rpm_t) # for installing kernel packages @@ -159,6 +160,10 @@ userdom_use_unpriv_users_fd(rpm_t) #cron_transition_from(rpm,rpm_exec_t) +optional_policy(`nis.te',` + nis_use_ypbind(rpm_t) +') + ifdef(`TODO',` type_transition rpm_t tmpfs_t:{ dir file lnk_file sock_file fifo_file } rpm_tmpfs_t; @@ -183,16 +188,10 @@ allow rpm_t usbdevfs_t:dir r_dir_perms; allow rpm_t rpc_pipefs_t:dir search; -can_ypbind(rpm_t) - optional_policy(`gnome-pty-helper.te', ` allow rpm_t sysadm_gph_t:fd use; ') -optional_policy(`automount.te', ` -allow rpm_t autofs_t:dir { search getattr }; -') - optional_policy(`mount.te', ` allow rpm_t mount_t:udp_socket rw_socket_perms; ') @@ -265,6 +264,7 @@ fs_getattr_nfs(rpm_script_t) fs_getattr_xattr_fs(rpm_script_t) fs_mount_xattr_fs(rpm_script_t) fs_unmount_xattr_fs(rpm_script_t) +fs_search_auto_mountpoints(rpm_script_t) storage_raw_read_fixed_disk(rpm_script_t) storage_raw_write_fixed_disk(rpm_script_t) @@ -309,7 +309,11 @@ seutil_domtrans_restorecon(rpm_script_t) userdom_use_all_user_fd(rpm_script_t) optional_policy(`bootloader.te', ` -bootloader_domtrans(rpm_script_t) + bootloader_domtrans(rpm_script_t) +') + +optional_policy(`nis.te',` + nis_use_ypbind(rpm_script_t) ') ifdef(`TODO',` 
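Review bot: In the first rpm.te hunk `fs_manage_nfs_files(rpm_t)` is now active while `#fs_manage_nfs_dir(rpm_t)` directly above it stays commented out, so as far as this hunk shows rpm_t may manage files and symlinks on NFS but not the directories that hold them. If the asymmetry is deliberate it deserves a comment; if not, the two lines should be enabled together. The grant is also unconditional, so it would help to record the use case next to it (for example `# for installing packages onto NFS mounts`, if that is the reason) so the scope of this write access can be reviewed later.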
@@ -318,22 +322,8 @@ allow rpm_script_t sysfs_t:dir r_dir_perms; can_exec(rpm_script_t,usr_t) - -allow rpm_script_t autofs_t:dir { search getattr }; - -can_ypbind(rpm_script_t) - -optional_policy(`automount.te', ` -allow rpm_script_t autofs_t:dir { search getattr }; -') - optional_policy(`lpd.te', ` can_exec(rpm_script_t,printconf_t) - -') - -optional_policy(`ssh.te', ` -allow sshd_t rpm_script_t:fd use; ') ') dnl end TODO diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te index cec2a48..9c01380 100644 --- a/refpolicy/policy/modules/admin/usermanage.te +++ b/refpolicy/policy/modules/admin/usermanage.te @@ -88,18 +88,20 @@ term_use_all_user_ttys(chfn_t) term_use_all_user_ptys(chfn_t) fs_getattr_xattr_fs(chfn_t) +fs_search_auto_mountpoints(chfn_t) # for SSP dev_read_urand(chfn_t) -# /usr/bin/passwd asks for w access to utmp, but it will operate -# correctly without it. Do not audit write denials to utmp. -init_dontaudit_rw_script_pid(chfn_t) - domain_use_wide_inherit_fd(chfn_t) files_manage_generic_etc_files(chfn_t) files_read_etc_runtime_files(chfn_t) +files_dontaudit_search_var(chfn_t) + +# /usr/bin/passwd asks for w access to utmp, but it will operate +# correctly without it. Do not audit write denials to utmp. +init_dontaudit_rw_script_pid(chfn_t) libs_use_ld_so(chfn_t) libs_use_shared_libs(chfn_t) 
@@ -111,20 +113,18 @@ logging_send_syslog_msg(chfn_t) auth_domtrans_chk_passwd(chfn_t) auth_dontaudit_read_shadow(chfn_t) +userdom_use_unpriv_users_fd(chfn_t) + +optional_policy(`nis.te',` + nis_use_ypbind(chfn_t) +') + ifdef(`TODO',` role sysadm_r types chfn_t; in_user_role(chfn_t) domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, chfn_exec_t, chfn_t) -dontaudit chfn_t var_t:dir search; - -allow chfn_t unpriv_userdomain:fd use; -can_ypbind(chfn_t) -ifdef(`automount.te', ` -allow chfn_t autofs_t:dir { search getattr }; -') - ifdef(`gnome-pty-helper.te', `allow chfn_t gphdomain:fd use;') # allow checking if a shell is executable @@ -181,7 +181,6 @@ ifdef(`TODO',` ifdef(`crond.te', ` domain_auto_trans(system_crond_t, crack_exec_t, crack_t) allow crack_t crond_t:fifo_file rw_file_perms; -# a rule for privfd may make this obsolete allow crack_t crond_t:fd use; allow crack_t crond_t:process sigchld; ') @@ -209,6 +208,9 @@ allow groupadd_t self:sem create_sem_perms; allow groupadd_t self:msgq create_msgq_perms; allow groupadd_t self:msg { send receive }; +fs_getattr_xattr_fs(groupadd_t) +fs_search_auto_mountpoints(groupadd_t) + # Allow access to context for shadow file selinux_get_fs_mount(groupadd_t) selinux_validate_context(groupadd_t) @@ -217,13 +219,12 @@ selinux_compute_create_context(groupadd_t) selinux_compute_relabel_context(groupadd_t) selinux_compute_user_contexts(groupadd_t) -fs_getattr_xattr_fs(groupadd_t) - term_use_all_user_ttys(groupadd_t) term_use_all_user_ptys(groupadd_t) init_use_fd(groupadd_t) init_read_script_pid(groupadd_t) +init_dontaudit_write_script_pid(groupadd_t) domain_use_wide_inherit_fd(groupadd_t) 
@@ -245,16 +246,14 @@ auth_rw_lastlog(groupadd_t) seutil_read_config(groupadd_t) -ifdef(`TODO',` -role sysadm_r types groupadd_t; -domain_auto_trans(sysadm_t, groupadd_exec_t, groupadd_t) +userdom_use_unpriv_users_fd(groupadd_t) -allow groupadd_t unpriv_userdomain:fd use; -can_ypbind(groupadd_t) -ifdef(`automount.te', ` -allow groupadd_t autofs_t:dir { search getattr }; +optional_policy(`nis.te',` + nis_use_ypbind(groupadd_t) ') +ifdef(`TODO',` + # Update /etc/shadow and /etc/passwd allow groupadd_t { etc_t shadow_t }:file { relabelfrom relabelto }; @@ -263,7 +262,6 @@ ifdef(`gnome-pty-helper.te', `allow groupadd_t gphdomain:fd use;') # for when /root is the cwd dontaudit groupadd_t sysadm_home_dir_t:dir search; -dontaudit groupadd_t initrc_var_run_t:file write; ') dnl end TODO ######################################## @@ -285,6 +283,15 @@ allow passwd_t self:sem create_sem_perms; allow passwd_t self:msgq create_msgq_perms; allow passwd_t self:msg { send receive }; +allow passwd_t crack_db_t:dir r_dir_perms; +allow passwd_t crack_db_t:file r_file_perms; + +# for SSP +dev_read_urand(passwd_t) + +fs_getattr_xattr_fs(passwd_t) +fs_search_auto_mountpoints(passwd_t) + selinux_get_fs_mount(passwd_t) selinux_validate_context(passwd_t) selinux_compute_access_vector(passwd_t) @@ -292,11 +299,6 @@ selinux_compute_create_context(passwd_t) selinux_compute_relabel_context(passwd_t) selinux_compute_user_contexts(passwd_t) -# for SSP -dev_read_urand(passwd_t) - -fs_getattr_xattr_fs(passwd_t) - # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_script_pid(passwd_t) @@ -305,6 +307,7 @@ domain_use_wide_inherit_fd(passwd_t) files_read_etc_runtime_files(passwd_t) files_manage_generic_etc_files(passwd_t) +files_search_var(passwd_t) libs_use_ld_so(passwd_t) libs_use_shared_libs(passwd_t) 
@@ -315,6 +318,12 @@ miscfiles_read_localization(passwd_t) auth_manage_shadow(passwd_t) +userdom_use_unpriv_users_fd(passwd_t) + +optional_policy(`nis.te',` + nis_use_ypbind(passwd_t) +') + ifdef(`TODO',` ifdef(`firstboot.te',` @@ -324,12 +333,6 @@ domain_auto_trans(firstboot_t, passwd_exec_t, passwd_t) # Update /etc/shadow and /etc/passwd allow passwd_t { etc_t shadow_t }:file { relabelfrom relabelto }; -allow passwd_t unpriv_userdomain:fd use; -can_ypbind(passwd_t) -ifdef(`automount.te', ` -allow passwd_t autofs_t:dir { search getattr }; -') - # Inherit and use descriptors from login. ifdef(`gnome-pty-helper.te', `allow passwd_t gphdomain:fd use;') @@ -347,14 +350,7 @@ allow passwd_t userdomain:process getattr; dontaudit passwd_t selinux_config_t:dir search; -ifdef(`crack.te', ` -allow passwd_t var_t:dir search; dontaudit passwd_t var_run_t:dir search; -allow passwd_t crack_db_t:dir r_dir_perms; -allow passwd_t crack_db_t:file r_file_perms; -', ` -dontaudit passwd_t var_t:dir search; -') ') dnl endif TODO ######################################## 
@@ -395,23 +391,26 @@ kernel_read_system_state(sysadm_passwd_t) dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) +fs_search_auto_mountpoints(sysadm_passwd_t) term_use_all_user_ttys(sysadm_passwd_t) term_use_all_user_ptys(sysadm_passwd_t) -# /usr/bin/passwd asks for w access to utmp, but it will operate -# correctly without it. Do not audit write denials to utmp. -init_dontaudit_rw_script_pid(sysadm_passwd_t) +auth_manage_shadow(sysadm_passwd_t) + +# allow vipw to exec the editor +corecmd_exec_bin(sysadm_passwd_t) +corecmd_exec_shell(sysadm_passwd_t) +files_read_usr_files(sysadm_passwd_t) domain_use_wide_inherit_fd(sysadm_passwd_t) files_manage_generic_etc_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t) -# allow vipw to exec the editor -corecmd_exec_bin(sysadm_passwd_t) -corecmd_exec_shell(sysadm_passwd_t) -files_read_usr_files(sysadm_passwd_t) +# /usr/bin/passwd asks for w access to utmp, but it will operate +# correctly without it. Do not audit write denials to utmp. +init_dontaudit_rw_script_pid(sysadm_passwd_t) libs_use_ld_so(sysadm_passwd_t) libs_use_shared_libs(sysadm_passwd_t) @@ -420,18 +419,16 @@ miscfiles_read_localization(sysadm_passwd_t) logging_send_syslog_msg(sysadm_passwd_t) -auth_manage_shadow(sysadm_passwd_t) +userdom_use_unpriv_users_fd(sysadm_passwd_t) + +optional_policy(`nis.te',` + nis_use_ypbind(sysadm_passwd_t) +') ifdef(`TODO',` role sysadm_r types sysadm_passwd_t; domain_auto_trans(sysadm_t, admin_passwd_exec_t, sysadm_passwd_t) -allow sysadm_passwd_t unpriv_userdomain:fd use; -can_ypbind(sysadm_passwd_t) -ifdef(`automount.te', ` -allow sysadm_passwd_t autofs_t:dir { search getattr }; -') - # Inherit and use descriptors from login. ifdef(`gnome-pty-helper.te', `allow sysadm_passwd_t gphdomain:fd use;') 
@@ -483,46 +480,46 @@ selinux_compute_user_contexts(useradd_t) # for getting the number of groups kernel_read_kernel_sysctl(useradd_t) +fs_search_auto_mountpoints(useradd_t) fs_getattr_xattr_fs(useradd_t) term_use_all_user_ttys(useradd_t) term_use_all_user_ptys(useradd_t) -init_use_fd(useradd_t) -init_rw_script_pid(useradd_t) +auth_manage_shadow(useradd_t) +auth_rw_lastlog(useradd_t) + +corecmd_exec_shell(useradd_t) +# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. +corecmd_exec_bin(useradd_t) +corecmd_exec_sbin(useradd_t) domain_use_wide_inherit_fd(useradd_t) files_manage_generic_etc_files(useradd_t) +init_use_fd(useradd_t) +init_rw_script_pid(useradd_t) + libs_use_ld_so(useradd_t) libs_use_shared_libs(useradd_t) -corecmd_exec_shell(useradd_t) -# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. -corecmd_exec_bin(useradd_t) -corecmd_exec_sbin(useradd_t) +logging_send_syslog_msg(useradd_t) miscfiles_read_localization(useradd_t) seutil_read_config(useradd_t) -logging_send_syslog_msg(useradd_t) +userdom_use_unpriv_users_fd(useradd_t) -auth_manage_shadow(useradd_t) -auth_rw_lastlog(useradd_t) +mta_manage_spool(useradd_t) -ifdef(`TODO',` - -role sysadm_r types useradd_t; -domain_auto_trans(sysadm_t, useradd_exec_t, useradd_t) - -allow useradd_t unpriv_userdomain:fd use; -can_ypbind(useradd_t) -ifdef(`automount.te', ` -allow useradd_t autofs_t:dir { search getattr }; +optional_policy(`nis.te',` + nis_use_ypbind(useradd_t) ') +ifdef(`TODO',` + # Update /etc/shadow and /etc/passwd allow useradd_t { etc_t shadow_t }:file { relabelfrom relabelto }; 
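Review bot: `mta_manage_spool(useradd_t)` is called unconditionally, whereas every `nis_use_ypbind` call in this commit is wrapped in `optional_policy`; unless mta is guaranteed to be built alongside usermanage, this should be ``optional_policy(`mta.te',` mta_manage_spool(useradd_t) ')``. The TODO rules it replaces (removed in the following hunk) were limited to searching `var_spool_t`, `{ search write add_name remove_name }` on `mail_spool_t` directories and `create_file_perms` on the files; the body of `mta_manage_spool` is not visible here, so it is worth confirming that it does not give useradd_t more than that. The comment `# create/delete mail spool file in /var/mail` is deleted with the old rules and should move above the new call.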
@@ -536,10 +533,7 @@ dontaudit useradd_t sysadm_home_dir_t:dir search; file_type_auto_trans(useradd_t, home_root_t, user_home_dir_t, dir) file_type_auto_trans(useradd_t, user_home_dir_t, user_home_t) -# create/delete mail spool file in /var/mail -allow useradd_t var_spool_t:dir search; -allow useradd_t mail_spool_t:dir { search write add_name remove_name }; -allow useradd_t mail_spool_t:file create_file_perms; # /var/mail is a link to /var/spool/mail allow useradd_t mail_spool_t:lnk_file read; + ') dnl end TODO diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if index 1a02004..fdd1690 100644 --- a/refpolicy/policy/modules/apps/gpg.if +++ b/refpolicy/policy/modules/apps/gpg.if @@ -129,9 +129,11 @@ template(`gpg_per_userdomain_template',` fs_manage_cifs_symlinks($1_gpg_t) ') - ifdef(`TODO',` + optional_policy(`nis.te',` + nis_use_ypbind($1_gpg_t) + ') - can_ypbind($1_gpg_t) + ifdef(`TODO',` allow $1_t $1_gpg_secret_t:file getattr; diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index 8e1e7d3..e184f51 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -267,6 +267,24 @@ interface(`fs_getattr_autofs',` ') ######################################## +## +## Search automount filesystem to use automatically +## mounted filesystems. +## +## +## The type of the domain performing this action. +## +# +interface(`fs_search_auto_mountpoints',` + gen_require(` + type autofs_t; + class dir { getattr search }; + ') + + allow $1 autofs_t:dir { getattr search }; +') + +######################################## ## ## Register an interpreter for new binary ## file types, using the kernel binfmt_misc diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if index 81d9c97..d547c64 100644 --- a/refpolicy/policy/modules/services/cron.if +++ b/refpolicy/policy/modules/services/cron.if 
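Review bot: The new `fs_search_auto_mountpoints` interface in filesystem.if grants `getattr` as well as `search` on `autofs_t` directories, but its name and summary mention only searching. Because this commit applies it to a large number of domains, the summary should state both permissions, e.g. `Search and get attributes of automount directories in order to reach automatically mounted filesystems.` The parameter text also says "type of the domain" where the netutils.if interfaces added in this commit say "type of the process"; picking one wording would keep the generated documentation consistent.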
@@ -116,6 +116,10 @@ template(`cron_per_userdomain_template',` allow crond_t $1_cron_spool_t:file create_file_perms; ') + optional_policy(`nis.te',` + nis_use_ypbind($1_crond_t) + ') + ifdef(`TODO',` # Access user files and dirs. allow $1_crond_t home_root_t:dir search; @@ -135,8 +139,6 @@ template(`cron_per_userdomain_template',` allow mta_user_agent $1_crond_t:fd use; ') - # This domain is granted permissions common to most domains. - can_ypbind($1_crond_t) allow $1_crond_t var_spool_t:dir search; allow $1_crond_t var_t:dir r_dir_perms; allow $1_crond_t var_t:file r_file_perms; diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index 6c5bd64..9f333e3 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -87,6 +87,7 @@ selinux_compute_user_contexts(crond_t) dev_read_urand(crond_t) fs_getattr_all_fs(crond_t) +fs_search_auto_mountpoints(crond_t) term_dontaudit_use_console(crond_t) @@ -127,6 +128,10 @@ ifdef(`targeted_policy', ` files_dontaudit_read_root_file(crond_t) ') +optional_policy(`nis.te',` + nis_use_ypbind(crond_t) +') + optional_policy(`udev.te', ` udev_read_db(crond_t) ') @@ -135,18 +140,10 @@ ifdef(`TODO',` # NB The constraints file has some entries for crond_t, this makes it # different from all other domains... -allow crond_t autofs_t:dir { search getattr }; dontaudit crond_t sysadm_home_dir_t:dir search; optional_policy(`rhgb.te', ` -allow crond_t rhgb_t:process sigchld; -allow crond_t rhgb_t:fd use; -allow crond_t rhgb_t:fifo_file { read write }; -') - -can_ypbind(crond_t) -ifdef(`automount.te', ` -allow crond_t autofs_t:dir { search getattr }; +rhgb_domain(crond_t) ') # Read from /var/spool/cron. 
@@ -301,10 +298,11 @@ tunable_policy(`cron_can_relabel',` seutil_read_file_contexts(system_crond_t) ') -ifdef(`TODO',` - -can_ypbind(system_crond_t) +optional_policy(`nis.te',` + nis_use_ypbind(system_crond_t) +') +ifdef(`TODO',` dontaudit userdomain system_crond_t:fd use; # quiet other ps operations diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index 7dd5c68..f156541 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -70,14 +70,15 @@ template(`mta_per_userdomain_template',` corenet_udp_sendrecv_dns_port($1_mail_t) ') + optional_policy(`nis.te',` + nis_use_ypbind($1_mail_t) + ') + optional_policy(`procmail.te',` procmail_execute($1_mail_t) ') ifdef(`TODO',` - - can_ypbind($1_mail_t) - allow $1_mail_t device_t:dir search; allow $1_mail_t { var_t var_spool_t }:dir search; allow $1_mail_t sbin_t:dir search; diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te index 29ca2ea..2a3e676 100644 --- a/refpolicy/policy/modules/services/mta.te +++ b/refpolicy/policy/modules/services/mta.te @@ -90,8 +90,12 @@ tunable_policy(`use_dns',` corenet_udp_sendrecv_dns_port(system_mail_t) ') +optional_policy(`nis.te',` + nis_use_ypbind(system_mail_t) +') + optional_policy(`procmail.te',` - procmail_execute(system_mail_t) + procmail_exec(system_mail_t) ') ifdef(`TODO',` @@ -117,9 +121,6 @@ dontaudit system_mail_t system_crond_tmp_t:file append; ') ') dnl end if sendmail - -can_ypbind(system_mail_t) - allow system_mail_t device_t:dir search; allow system_mail_t { var_t var_spool_t }:dir search; allow system_mail_t sbin_t:dir search; diff --git a/refpolicy/policy/modules/services/nis.te b/refpolicy/policy/modules/services/nis.te index 3f5d3fb..c5745ef 100644 --- a/refpolicy/policy/modules/services/nis.te +++ b/refpolicy/policy/modules/services/nis.te 
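Review bot: The mta.te hunk renames the call to `procmail_exec(system_mail_t)`, but the mta.if hunk just above it still shows `procmail_execute($1_mail_t)` as unchanged context inside `mta_per_userdomain_template`. If `procmail_execute` no longer exists after the rename, the template is left calling a stale name, and because the call sits inside `optional_policy` the problem may only surface once procmail is enabled; it should become `procmail_exec($1_mail_t)` in the same commit. The sendmail.te change from `procmail_transition` to `procmail_domtrans` later in this diff suggests the whole procmail interface set was renamed, so a search for remaining old names would be prudent.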
@@ -77,6 +77,7 @@ corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t) dev_read_sysfs(ypbind_t) fs_getattr_all_fs(ypbind_t) +fs_search_auto_mountpoints(ypbind_t) term_dontaudit_use_console(ypbind_t) @@ -121,7 +122,6 @@ ifdef(`TODO',` allow ypbind_t proc_t:dir r_dir_perms; allow ypbind_t proc_t:lnk_file read; -allow ypbind_t autofs_t:dir { search getattr }; dontaudit ypbind_t sysadm_home_dir_t:dir search; can_udp_send(ypbind_t, portmap_t) @@ -172,6 +172,7 @@ corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t) dev_read_sysfs(ypserv_t) fs_getattr_all_fs(ypserv_t) +fs_search_auto_mountpoints(ypserv_t) term_dontaudit_use_console(ypserv_t) @@ -214,7 +215,6 @@ rhgb_domain(ypserv_t) allow ypserv_t proc_t:dir r_dir_perms; allow ypserv_t proc_t:lnk_file read; -allow ypserv_t autofs_t:dir { search getattr }; dontaudit ypserv_t sysadm_home_dir_t:dir search; # Send to portmap and initrc. diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te index 0fd4a22..4c5a5b7 100644 --- a/refpolicy/policy/modules/services/remotelogin.te +++ b/refpolicy/policy/modules/services/remotelogin.te @@ -54,8 +54,14 @@ selinux_compute_user_contexts(remote_login_t) dev_read_urand(remote_login_t) fs_getattr_xattr_fs(remote_login_t) +fs_search_auto_mountpoints(remote_login_t) -init_rw_script_pid(remote_login_t) +auth_domtrans_chk_passwd(remote_login_t) +auth_dontaudit_read_shadow(remote_login_t) +auth_rw_login_records(remote_login_t) +auth_rw_lastlog(remote_login_t) +auth_exec_pam(remote_login_t) +auth_manage_pam_console_data(remote_login_t) domain_read_all_entry_files(remote_login_t) @@ -64,6 +70,8 @@ files_read_etc_runtime_files(remote_login_t) files_list_home(remote_login_t) files_read_usr_files(remote_login_t) +init_rw_script_pid(remote_login_t) + libs_use_ld_so(remote_login_t) libs_use_shared_libs(remote_login_t) 
@@ -72,15 +80,10 @@ logging_send_syslog_msg(remote_login_t) seutil_read_config(remote_login_t) seutil_read_default_contexts(remote_login_t) -auth_domtrans_chk_passwd(remote_login_t) -auth_dontaudit_read_shadow(remote_login_t) -auth_rw_login_records(remote_login_t) -auth_rw_lastlog(remote_login_t) -auth_exec_pam(remote_login_t) -auth_manage_pam_console_data(remote_login_t) - miscfiles_read_localization(remote_login_t) +userdom_use_unpriv_users_fd(remote_login_t) + tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(remote_login_t) fs_read_nfs_symlinks(remote_login_t) @@ -91,13 +94,12 @@ tunable_policy(`use_samba_home_dirs',` fs_read_cifs_symlinks(remote_login_t) ') -ifdef(`TODO',` -allow remote_login_t unpriv_userdomain:fd use; -can_ypbind(remote_login_t) -ifdef(`automount.te', ` -allow remote_login_t autofs_t:dir { search getattr }; +optional_policy(`nis.te',` + nis_use_ypbind(remote_login_t) ') +ifdef(`TODO',` + allow remote_login_t bin_t:dir r_dir_perms; allow remote_login_t bin_t:notdevfile_class_set r_file_perms; allow remote_login_t sbin_t:dir r_dir_perms; @@ -123,7 +125,6 @@ allow remote_login_t device_t:lnk_file r_file_perms; dontaudit remote_login_t sysfs_t:dir search; -allow remote_login_t autofs_t:dir r_dir_perms; allow remote_login_t mnt_t:dir r_dir_perms; # FIXME: what is this for? diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te index 49850c8..359b5ae 100644 --- a/refpolicy/policy/modules/services/sendmail.te +++ b/refpolicy/policy/modules/services/sendmail.te 
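Review bot: In the last remotelogin.te hunk the removed TODO rule `allow remote_login_t autofs_t:dir r_dir_perms;` is broader than its replacement: `fs_search_auto_mountpoints(remote_login_t)`, added in the first hunk, grants only `{ getattr search }` according to filesystem.if. Narrowing the access is reasonable from a least-privilege standpoint, but the commit silently drops the only record that remote_login_t was once expected to read autofs directories. If that was an over-grant, nothing more is needed; otherwise leave a marker such as `# TODO: old policy allowed r_dir_perms on autofs_t; watch for read denials` so that a later AVC denial is not answered by re-adding the broad rule blindly.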
@@ -57,43 +57,48 @@ corenet_tcp_bind_smtp_port(sendmail_t) dev_read_urand(sendmail_t) fs_getattr_all_fs(sendmail_t) +fs_search_auto_mountpoints(sendmail_t) term_dontaudit_use_console(sendmail_t) -init_use_fd(sendmail_t) -init_use_script_pty(sendmail_t) -# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console -init_read_script_pid(sendmail_t) -init_dontaudit_write_script_pid(sendmail_t) - domain_use_wide_inherit_fd(sendmail_t) files_read_generic_etc_files(sendmail_t) files_search_spool(sendmail_t) -logging_send_syslog_msg(sendmail_t) +init_use_fd(sendmail_t) +init_use_script_pty(sendmail_t) +# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console +init_read_script_pid(sendmail_t) +init_dontaudit_write_script_pid(sendmail_t) libs_use_ld_so(sendmail_t) libs_use_shared_libs(sendmail_t) # Read /usr/lib/sasl2/.* libs_read_lib(sendmail_t) +logging_send_syslog_msg(sendmail_t) + miscfiles_read_localization(sendmail_t) +sysnet_read_config(sendmail_t) + # Write to /etc/aliases and /etc/mail. mta_rw_aliases(sendmail_t) # Write to /var/spool/mail and /var/spool/mqueue. mta_manage_queue(sendmail_t) mta_manage_spool(sendmail_t) -sysnet_read_config(sendmail_t) - ifdef(`targeted_policy', ` term_dontaudit_use_unallocated_tty(sendmail_t) term_dontaudit_use_generic_pty(sendmail_t) files_dontaudit_read_root_file(sendmail_t) ') +optional_policy(`nis.te',` + nis_use_ypbind(sendmail_t) +') + optional_policy(`selinux.te',` seutil_newrole_sigchld(sendmail_t) ') 
@@ -105,18 +110,13 @@ optional_policy(`udev.te', ` ifdef(`TODO',` optional_policy(`rhgb.te', ` -allow sendmail_t rhgb_t:process sigchld; -allow sendmail_t rhgb_t:fd use; -allow sendmail_t rhgb_t:fifo_file { read write }; +rhgb_domain(sendmail_t) ') allow sendmail_t proc_t:dir r_dir_perms; allow sendmail_t proc_t:lnk_file read; dontaudit sendmail_t unpriv_userdomain:fd use; -allow sendmail_t autofs_t:dir { search getattr }; dontaudit sendmail_t sysadm_home_dir_t:dir search; -can_ypbind(sendmail_t) - # # Need this transition to create /etc/aliases.db # @@ -144,7 +144,7 @@ dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr sear # Run procmail in its own domain, if defined. ifdef(`procmail.te',` corecmd_search_bin(sendmail_t) -procmail_transition(sendmail_t) +procmail_domtrans(sendmail_t) domain_auto_trans(system_mail_t, procmail_exec_t, procmail_t) ') diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if index c65d7f2..3a0a884 100644 --- a/refpolicy/policy/modules/services/ssh.if +++ b/refpolicy/policy/modules/services/ssh.if @@ -98,6 +98,7 @@ template(`ssh_per_userdomain_template',` dev_read_urand($1_ssh_t) fs_getattr_all_fs($1_ssh_t) + fs_search_auto_mountpoints($1_ssh_t) # run helper programs - needed eg for x11-ssh-askpass corecmd_exec_shell($1_ssh_t) @@ -124,8 +125,6 @@ template(`ssh_per_userdomain_template',` userdom_use_unpriv_users_fd($1_ssh_t) - nis_use_ypbind($1_ssh_t) - tunable_policy(`use_dns',` allow $1_ssh_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect }; corenet_udp_sendrecv_all_if($1_ssh_t) 
@@ -149,10 +148,11 @@ template(`ssh_per_userdomain_template',` corenet_tcp_bind_ssh_port($1_ssh_t) ') - ifdef(`TODO',` - can_ypbind($1_ssh_t) + optional_policy(`nis.te',` + nis_use_ypbind($1_ssh_t) + ') - allow $1_ssh_t autofs_t:dir { search getattr }; + ifdef(`TODO',` allow $1 sbin_t:dir r_dir_perms; allow $1 sbin_t:notdevfile_class_set r_file_perms; @@ -244,6 +244,8 @@ template(`ssh_per_userdomain_template',` dev_read_urand($1_ssh_agent_t) dev_read_rand($1_ssh_agent_t) + fs_search_auto_mountpoints($1_ssh_agent_t) + domain_use_wide_inherit_fd($1_ssh_agent_t) files_read_generic_etc_files($1_ssh_agent_t) @@ -265,6 +267,10 @@ template(`ssh_per_userdomain_template',` fs_manage_cifs_files($1_ssh_agent_t) } + optional_policy(`nis.te',` + nis_use_ypbind($1_ssh_agent_t) + ') + ifdef(`TODO',` # Write to the user domain tty. @@ -275,9 +281,6 @@ template(`ssh_per_userdomain_template',` # allow ps to show ssh can_ps($1_t, $1_ssh_agent_t) - can_ypbind($1_ssh_agent_t) - allow $1_ssh_agent_t autofs_t:dir { search getattr }; - allow $1_ssh_agent_t proc_t:dir search; dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read }; dontaudit $1_ssh_agent_t selinux_config_t:dir search; @@ -449,7 +452,6 @@ template(`sshd_program_domain', ` allow $1_t var_t:dir getattr; allow $1_t { home_root_t home_dir_type }:dir getattr; - allow $1_t autofs_t:dir { search getattr }; dontaudit sshd_t userpty_type:chr_file relabelfrom; diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te index 6ac8926..8e3a1e6 100644 --- a/refpolicy/policy/modules/services/ssh.te +++ b/refpolicy/policy/modules/services/ssh.te @@ -112,6 +112,9 @@ tunable_policy(`run_ssh_inetd',` # for when the network connection breaks after running newrole -r sysadm_r dontaudit sshd_t sysadm_devpts_t:chr_file setattr; +optional_policy(`rpm.te',` +allow sshd_t rpm_script_t:fd use; +') ') dnl endif TODO ################################# 
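Review bot: In the ssh.te hunk at -112,6 the added `allow sshd_t rpm_script_t:fd use;` names a type owned by the rpm module directly instead of going through an rpm interface. The other optional_policy blocks in this commit do use interfaces (`nis_use_ypbind`, `rhgb_domain`). The rule sits inside the TODO ifdef, so it is not compiled in yet, but it will need an interface or a gen_require when that block is enabled. A comment saying why sshd inherits descriptors from rpm scriptlets would also help, for example `# sshd (re)started from a package scriptlet inherits its fds`, if that is the reason.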
@@ -187,6 +190,8 @@ files_create_etc_config(ssh_keygen_t,sshd_key_t,file) kernel_read_kernel_sysctl(ssh_keygen_t) +fs_search_auto_mountpoints(ssh_keygen_t) + dev_read_sysfs(ssh_keygen_t) dev_read_urand(ssh_keygen_t) @@ -231,7 +236,3 @@ optional_policy(`selinux.te',` optional_policy(`udev.te', ` udev_read_db(ssh_keygen_t) ') - -ifdef(`TODO',` -allow ssh_keygen_t autofs_t:dir { search getattr }; -') diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index a004cfa..3df2761 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -67,7 +67,6 @@ template(`authlogin_per_userdomain_template',` seutil_read_config($1_chkpwd_t) - #can_ypbind($1_chkpwd_t) #can_kerberos($1_chkpwd_t) #can_ldap($1_chkpwd_t) @@ -97,6 +96,10 @@ template(`authlogin_per_userdomain_template',` sysnet_read_config($1_chkpwd_t) ') + optional_policy(`nis.te',` + nis_use_ypbind($1_chkpwd_t) + ') + optional_policy(`selinux.te',` seutil_use_newrole_fd($1_chkpwd_t) ') @@ -173,9 +176,6 @@ interface(`auth_domtrans_chk_passwd',` allow system_chkpwd_t $1:process sigchld; dontaudit $1 shadow_t:file { getattr read }; - #can_ypbind($1_t) - #can_kerberos($1_t) - #can_ldap($1_t) tunable_policy(`use_dns',` allow $1 self:udp_socket create_socket_perms; @@ -187,6 +187,13 @@ interface(`auth_domtrans_chk_passwd',` corenet_udp_sendrecv_dns_port($1) sysnet_read_config($1) ') + + #can_kerberos($1) + #can_ldap($1) + + optional_policy(`nis.te',` + nis_use_ypbind($1) + ') ') ######################################## diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index 82d24c0..c33677c 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te 
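Review bot: The last authlogin.if hunk (-187,6) makes auth_domtrans_chk_passwd grant `nis_use_ypbind($1)` to the calling domain rather than to the chkpwd helper, and the hunk does not update the interface's `##` description to say so. The previous hunk shows the old `#can_ypbind($1_t)` line was commented out, so every caller of this interface picks up a new grant whenever the nis module is present. system_chkpwd_t gets its own nis_use_ypbind call in authlogin.te, so it is worth checking whether the caller needs it at all. If it does, document it, e.g. `## Also allows the caller to use ypbind when the nis module is present.` The interface body starts outside this hunk.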
@@ -93,6 +93,8 @@ files_create_tmp_files(pam_t, pam_tmp_t, { file dir }) kernel_read_system_state(pam_t) +fs_search_auto_mountpoints(pam_t) + term_use_all_user_ttys(pam_t) term_use_all_user_ptys(pam_t) @@ -112,12 +114,11 @@ optional_policy(`locallogin.te',` locallogin_use_fd(pam_t) ') -ifdef(`TODO',` -can_ypbind(pam_t) -ifdef(`automount.te', ` - allow pam_t autofs_t:dir { search getattr }; +optional_policy(`nis.te',` + nis_use_ypbind(pam_t) ') +ifdef(`TODO',` ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;') ') dnl endif TODO @@ -156,6 +157,8 @@ dev_setattr_snd_dev(pam_console_t) dev_getattr_video_dev(pam_console_t) dev_setattr_video_dev(pam_console_t) +fs_search_auto_mountpoints(pam_console_t) + storage_getattr_fixed_disk(pam_console_t) storage_setattr_fixed_disk(pam_console_t) storage_getattr_removable_device(pam_console_t) @@ -210,11 +213,8 @@ optional_policy(`udev.te', ` ifdef(`TODO',` optional_policy(`rhgb.te', ` - allow pam_console_t rhgb_t:process sigchld; - allow pam_console_t rhgb_t:fd use; - allow pam_console_t rhgb_t:fifo_file { read write }; + rhgb_domain(pam_console_t) ') -allow pam_console_t autofs_t:dir { search getattr }; allow pam_console_t apm_bios_t:chr_file { getattr setattr }; @@ -268,8 +268,11 @@ tunable_policy(`use_dns',` sysnet_read_config(system_chkpwd_t) ') +optional_policy(`nis.te',` + nis_use_ypbind(system_chkpwd_t) +') + ifdef(`TODO',` -can_ypbind(system_chkpwd_t) can_kerberos(system_chkpwd_t) can_ldap(system_chkpwd_t) @@ -303,10 +306,10 @@ libs_use_shared_libs(utempter_t) logging_search_logs(utempter_t) -ifdef(`TODO',` # Allow utemper to write to /tmp/.xses-* -allow utempter_t user_tmpfile:file { getattr write append }; +userdom_write_unpriv_user_tmp(utempter_t) +ifdef(`TODO',` ifdef(`xdm.te', ` allow utempter_t xdm_t:fd use; allow utempter_t xdm_t:fifo_file { write getattr }; diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te index 9f884b2..5833654 100644 
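Review bot: In the utempter hunk (-303,10), `userdom_write_unpriv_user_tmp(utempter_t)` moves out of the TODO ifdef into live policy and is wider than the comment above it says. Per the interface added in userdomain.if, it allows getattr, write and append on every file carrying the user_tmpfile attribute, not only /tmp/.xses-*. The comment should state the real scope, e.g. `# Allow utempter to write to /tmp/.xses-* (currently covers all user_tmpfile files)`. A dedicated type for the session-error file would let the grant be narrowed later. The existing comment also misspells the domain as "utemper".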
--- a/refpolicy/policy/modules/system/clock.te +++ b/refpolicy/policy/modules/system/clock.te @@ -35,6 +35,7 @@ dev_read_sysfs(hwclock_t) dev_rw_realtime_clock(hwclock_t) fs_getattr_xattr_fs(hwclock_t) +fs_search_auto_mountpoints(hwclock_t) term_dontaudit_use_console(hwclock_t) term_use_unallocated_tty(hwclock_t) @@ -81,13 +82,9 @@ allow hwclock_t proc_t:dir r_dir_perms; allow hwclock_t proc_t:lnk_file read; optional_policy(`rhgb.te', ` -allow hwclock_t rhgb_t:process sigchld; -allow hwclock_t rhgb_t:fd use; -allow hwclock_t rhgb_t:fifo_file rw_file_perms; +rhgb_domain(hwclock_t) ') -allow hwclock_t autofs_t:dir { search getattr }; - optional_policy(`gnome-pty-helper.te', `allow hwclock_t sysadm_gph_t:fd use;') optional_policy(`apmd.te', ` diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te index 8a0404d..0605871 100644 --- a/refpolicy/policy/modules/system/hostname.te +++ b/refpolicy/policy/modules/system/hostname.te @@ -11,7 +11,6 @@ type hostname_exec_t; init_system_domain(hostname_t,hostname_exec_t) role system_r types hostname_t; - ######################################## # # Local policy @@ -31,6 +30,7 @@ kernel_dontaudit_use_fd(hostname_t) dev_read_sysfs(hostname_t) fs_getattr_xattr_fs(hostname_t) +fs_search_auto_mountpoints(hostname_t) term_dontaudit_use_console(hostname_t) term_use_all_user_ttys(hostname_t) @@ -96,11 +96,7 @@ allow hostname_t proc_t:dir { read getattr lock search ioctl }; allow hostname_t proc_t:lnk_file read; optional_policy(`rhgb.te', ` -allow hostname_t rhgb_t:process sigchld; -allow hostname_t rhgb_t:fd use; -allow hostname_t rhgb_t:fifo_file { read write }; +rhgb_domain(hostname_t) ') - -allow hostname_t autofs_t:dir { search getattr }; ##end daemon_base_domain ') dnl end TODO diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te index 288427c..04b5831 100644 --- a/refpolicy/policy/modules/system/hotplug.te 
+++ b/refpolicy/policy/modules/system/hotplug.te @@ -65,6 +65,7 @@ dev_setattr_snd_dev(hotplug_t) dev_read_urand(hotplug_t) fs_getattr_all_fs(hotplug_t) +fs_search_auto_mountpoints(hotplug_t) storage_setattr_fixed_disk(hotplug_t) storage_setattr_removable_device(hotplug_t) @@ -142,6 +143,10 @@ optional_policy(`mta.te', ` mta_send_mail(hotplug_t) ') +optional_policy(`nis.te',` + nis_use_ypbind(hotplug_t) +') + optional_policy(`selinux.te',` seutil_newrole_sigchld(hotplug_t) ') @@ -160,17 +165,13 @@ optional_policy(`updfstab.te', ` ') ifdef(`TODO',` -allow hotplug_t autofs_t:dir { search getattr }; dontaudit hotplug_t sysadm_home_dir_t:dir search; -optional_policy(`rhgb.te', ` - allow hotplug_t rhgb_t:process sigchld; - allow hotplug_t rhgb_t:fd use; - allow hotplug_t rhgb_t:fifo_file { read write }; +optional_policy(`rhgb.te',` +rhgb_domain(hotplug_t) ') allow kernel_t hotplug_etc_t:dir search; -can_ypbind(hotplug_t) dbusd_client(system, hotplug) # for ps @@ -181,7 +182,7 @@ optional_policy(`hald.te', ` allow hotplug_t hald_t:unix_dgram_socket sendto; ') -# this goes to hald: +# this block goes to hald: optional_policy(`hotplug.te',` allow hald_t hotplug_etc_t:dir search; allow hald_t hotplug_etc_t:file { getattr read }; diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te index 01f62e8..27e8af2 100644 --- a/refpolicy/policy/modules/system/iptables.te +++ b/refpolicy/policy/modules/system/iptables.te @@ -46,6 +46,7 @@ kernel_use_fd(iptables_t) dev_read_sysfs(iptables_t) fs_getattr_xattr_fs(iptables_t) +fs_search_auto_mountpoints(iptables_t) term_dontaudit_use_console(iptables_t) 
@@ -71,6 +72,13 @@ sysnet_domtrans_ifconfig(iptables_t) userdom_use_all_user_fd(iptables_t) +ifdef(`targeted_policy', ` + term_dontaudit_use_unallocated_tty(iptables_t) + term_dontaudit_use_generic_pty(iptables_t) + + files_dontaudit_read_root_file(iptables_t) +') + tunable_policy(`use_dns',` allow iptables_t self:udp_socket create_socket_perms; @@ -89,6 +97,11 @@ optional_policy(`modutils.te', ` modutils_domtrans_insmod(iptables_t) ') +optional_policy(`nis.te',` + # for iptables -L + nis_use_ypbind(iptables_t) +') + optional_policy(`selinux.te',` seutil_newrole_sigchld(iptables_t) ') @@ -97,26 +110,11 @@ optional_policy(`udev.te', ` udev_read_db(iptables_t) ') -ifdef(`targeted_policy', ` - term_dontaudit_use_unallocated_tty(iptables_t) - term_dontaudit_use_generic_pty(iptables_t) - - files_dontaudit_read_root_file(iptables_t) -') - ifdef(`TODO',` - -optional_policy(`rhgb.te', ` -allow iptables_t rhgb_t:process sigchld; -allow iptables_t rhgb_t:fd use; -allow iptables_t rhgb_t:fifo_file rw_file_perms; +optional_policy(`rhgb.te',` +rhgb_domain(iptables_t) ') -allow iptables_t autofs_t:dir { search getattr }; - -# for iptables -L -can_ypbind(iptables_t) - optional_policy(`gnome-pty-helper.te',` allow iptables_t sysadm_gph_t:fd use; ') diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te index cc05181..433c4f7 100644 --- a/refpolicy/policy/modules/system/locallogin.te +++ b/refpolicy/policy/modules/system/locallogin.te @@ -71,6 +71,8 @@ dev_dontaudit_setattr_scanner(local_login_t) # for SSP/ProPolice dev_read_urand(local_login_t) +fs_search_auto_mountpoints(local_login_t) + selinux_get_fs_mount(local_login_t) selinux_validate_context(local_login_t) selinux_compute_access_vector(local_login_t) 
@@ -126,6 +128,13 @@ userdom_use_unpriv_users_fd(local_login_t) # Search for mail spool file. mta_getattr_spool(local_login_t) +# Red Hat systems seem to have a stray +# fd open from the initrd +ifdef(`distro_redhat',` + kernel_dontaudit_use_fd(local_login_t) + files_dontaudit_read_root_file(local_login_t) +') + tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(local_login_t) fs_read_nfs_symlinks(local_login_t) @@ -136,20 +145,12 @@ tunable_policy(`use_samba_home_dirs',` fs_read_cifs_symlinks(local_login_t) ') -# Red Hat systems seem to have a stray -# fd open from the initrd -optional_policy(`distro_redhat',` - kernel_dontaudit_use_fd(local_login_t) - files_dontaudit_read_root_file(local_login_t) +optional_policy(`nis.te',` + nis_use_ypbind(local_login_t) ') ifdef(`TODO',` -can_ypbind(local_login_t) -ifdef(`automount.te', ` - allow local_login_t autofs_t:dir { search getattr }; -') - allow local_login_t bin_t:dir r_dir_perms; allow local_login_t bin_t:notdevfile_class_set r_file_perms; allow local_login_t sbin_t:dir r_dir_perms; @@ -170,7 +171,6 @@ allow local_login_t var_t:lnk_file read; dontaudit local_login_t sysfs_t:dir search; -allow local_login_t autofs_t:dir r_dir_perms; allow local_login_t mnt_t:dir r_dir_perms; # FIXME: what is this for? @@ -221,12 +221,14 @@ allow sulogin_t self:msg { send receive }; kernel_read_system_state(sulogin_t) -init_get_script_process_group(sulogin_t) +fs_search_auto_mountpoints(sulogin_t) files_read_generic_etc_files(sulogin_t) # because file systems are not mounted: files_dontaudit_search_isid_type_dir(sulogin_t) +init_get_script_process_group(sulogin_t) + libs_use_ld_so(sulogin_t) libs_use_shared_libs(sulogin_t) 
@@ -259,14 +261,11 @@ ifdef(`sulogin_no_pam', ` selinux_compute_user_contexts(sulogin_t) ') -ifdef(`TODO',` - -allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write }; - -can_ypbind(sulogin_t) -ifdef(`automount.te', ` - allow sulogin_t autofs_t:dir { search getattr }; +optional_policy(`nis.te',` + nis_use_ypbind(sulogin_t) ') +ifdef(`TODO',` +allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write }; allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search; ') dnl endif TODO diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index 9dc0e2b..4838db1 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te @@ -63,6 +63,7 @@ kernel_read_kernel_sysctl(auditd_t) dev_read_sysfs(auditd_t) fs_getattr_all_fs(auditd_t) +fs_search_auto_mountpoints(auditd_t) term_dontaudit_use_console(auditd_t) @@ -80,6 +81,8 @@ libs_use_shared_libs(auditd_t) miscfiles_read_localization(auditd_t) +userdom_dontaudit_use_unpriv_user_fd(auditd_t) + ifdef(`targeted_policy', ` term_dontaudit_use_unallocated_tty(auditd_t) term_dontaudit_use_generic_pty(auditd_t) @@ -97,15 +100,13 @@ optional_policy(`udev.te', ` ifdef(`TODO',` allow auditd_t proc_t:dir r_dir_perms; allow auditd_t proc_t:lnk_file read; -dontaudit auditd_t unpriv_userdomain:fd use; -allow auditd_t autofs_t:dir { search getattr }; -dontaudit auditd_t sysadm_home_dir_t:dir search; + optional_policy(`rhgb.te', ` -allow auditd_t rhgb_t:process sigchld; -allow auditd_t rhgb_t:fd use; -allow auditd_t rhgb_t:fifo_file { read write }; +rhgb_domain(auditd_t) ') +dontaudit auditd_t sysadm_home_dir_t:dir search; + # cjp: this is questionable: allow auditd_t sysadm_tty_device_t:chr_file rw_file_perms; ') dnl endif TODO 
@@ -192,6 +193,8 @@ kernel_read_kernel_sysctl(syslogd_t) dev_create_dev_node(syslogd_t,devlog_t,sock_file) dev_read_sysfs(syslogd_t) +fs_search_auto_mountpoints(syslogd_t) + term_dontaudit_use_console(syslogd_t) # Allow syslog to a terminal term_write_unallocated_ttys(syslogd_t) @@ -250,6 +253,14 @@ ifdef(`targeted_policy', ` files_dontaudit_read_root_file(syslogd_t) ') +optional_policy(`cron.te',` + cron_rw_log(syslogd_t) +') + +optional_policy(`nis.te',` + nis_use_ypbind(syslogd_t) +') + optional_policy(`selinux.te',` seutil_newrole_sigchld(syslogd_t) ') @@ -258,18 +269,11 @@ optional_policy(`udev.te', ` udev_read_db(syslogd_t) ') -optional_policy(`cron.te',` - cron_rw_log(syslogd_t) -') - ifdef(`TODO',` allow syslogd_t proc_t:lnk_file read; -allow syslogd_t autofs_t:dir { search getattr }; dontaudit syslogd_t sysadm_home_dir_t:dir search; optional_policy(`rhgb.te', ` - allow syslogd_t rhgb_t:process sigchld; - allow syslogd_t rhgb_t:fd use; - allow syslogd_t rhgb_t:fifo_file { read write }; + rhgb_domain(syslogd_t) ') tunable_policy(`direct_sysadm_daemon',` dontaudit syslogd_t admin_tty_type:chr_file rw_file_perms; @@ -280,9 +284,6 @@ ifdef(`distro_suse', ` file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file) ') -# can_network is for the UDP socket -can_ypbind(syslogd_t) - # log to the xconsole allow syslogd_t xconsole_device_t:fifo_file { ioctl read write }; diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te index 8656956..0c9eeb9 100644 --- a/refpolicy/policy/modules/system/lvm.te +++ b/refpolicy/policy/modules/system/lvm.te @@ -101,6 +101,7 @@ dev_dontaudit_getattr_generic_pipe(lvm_t) term_dontaudit_getattr_all_user_ttys(lvm_t) fs_getattr_xattr_fs(lvm_t) +fs_search_auto_mountpoints(lvm_t) # LVM creates block devices in /dev/mapper or /dev/ # depending on its version 
@@ -157,9 +158,6 @@ optional_policy(`udev.te', ` ') ifdef(`TODO',` - -allow lvm_t autofs_t:dir { search getattr }; - allow lvm_t default_context_t:dir search; allow lvm_t fixed_disk_device_t:blk_file { relabelfrom relabelto }; diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te index a7f4d16..acd8425 100644 --- a/refpolicy/policy/modules/system/mount.te +++ b/refpolicy/policy/modules/system/mount.te @@ -44,6 +44,7 @@ fs_mount_all_fs(mount_t) fs_unmount_all_fs(mount_t) fs_remount_all_fs(mount_t) fs_relabelfrom_xattr_fs(mount_t) +fs_search_auto_mountpoints(mount_t) term_use_console(mount_t) @@ -88,7 +89,6 @@ ifdef(`distro_redhat',` optional_policy(`portmap.te', ` # for nfs - #can_ypbind(mount_t) #allow portmap_t mount_t:udp_socket { sendto recvfrom }; #allow mount_t portmap_t:udp_socket { sendto recvfrom }; #allow mount_t rpc_pipefs_t:dir search; @@ -106,6 +106,10 @@ optional_policy(`portmap.te', ` corenet_udp_bind_generic_port(mount_t) corenet_tcp_bind_reserved_port(mount_t) corenet_udp_bind_reserved_port(mount_t) + + optional_policy(`nis.te',` + nis_use_ypbind(mount_t) + ') ') ifdef(`TODO',` @@ -127,13 +131,7 @@ allow mount_t sysadm_gph_t:fd use; ') optional_policy(`rhgb.te', ` -allow mount_t rhgb_t:process sigchld; -allow mount_t rhgb_t:fd use; -allow mount_t rhgb_t:fifo_file { read write }; -') - -optional_policy(`automount.te', ` -allow mount_t autofs_t:dir read; +rhgb_domain(mount_t) ') ') dnl endif TODO diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index 739518b..ff2423f 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -195,6 +195,7 @@ kernel_read_kernel_sysctl(newrole_t) dev_read_urand(newrole_t) fs_getattr_xattr_fs(newrole_t) +fs_search_auto_mountpoints(newrole_t) selinux_get_fs_mount(newrole_t) selinux_validate_context(newrole_t) 
@@ -234,13 +235,11 @@ if(secure_mode) { userdom_spec_domtrans_all_users(newrole_t) } -ifdef(`TODO',` - -can_ypbind(newrole) -ifdef(`automount.te', ` -allow newrole_t autofs_t:dir { search getattr }; +optional_policy(`nis.te',` + nis_use_ypbind(newrole_t) ') +ifdef(`TODO',` # for when the user types "exec newrole" at the command line allow newrole_t privfd:process sigchld; diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te index e4e1bd1..cbccdc3 100644 --- a/refpolicy/policy/modules/system/sysnetwork.te +++ b/refpolicy/policy/modules/system/sysnetwork.te @@ -105,6 +105,7 @@ dev_read_sysfs(dhcpc_t) dev_read_urand(dhcpc_t) fs_getattr_all_fs(dhcpc_t) +fs_search_auto_mountpoints(dhcpc_t) term_dontaudit_use_console(dhcpc_t) term_dontaudit_use_all_user_ttys(dhcpc_t) @@ -152,10 +153,23 @@ optional_policy(`hostname.te',` hostname_domtrans(dhcpc_t) ') +optional_policy(`nis.te',` + nis_use_ypbind(dhcpc_t) + # dhclient sometimes starts ypbind + init_exec_script(dhcpc_t) + #nis_domtrans_ypbind(dhcpc_t) +') + optional_policy(`nscd.te',` nscd_domtrans(dhcpc_t) ') +optional_policy(`ntpd.te',` + # dhclient sometimes starts ntpd + init_exec_script(dhcpc_t) + ntpd_domtrans(dhcpc_t) +') + optional_policy(`selinux.te',` seutil_newrole_sigchld(dhcpc_t) ') 
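Review bot: In the sysnetwork.te hunk at -152,10 the new nis.te block leaves `#nis_domtrans_ypbind(dhcpc_t)` commented out, while the following hunk deletes the live `ypbind_domtrans(dhcpc_t)`. After this commit nothing visible in the diff moves a ypbind started by dhclient out of dhcpc_t, so it would presumably keep running with the DHCP client's permissions. If the nis interface does not exist yet, mark the line so the transition is not forgotten, e.g. `# TODO: nis_domtrans_ypbind(dhcpc_t) once nis.if provides it`. Note also that `init_exec_script(dhcpc_t)` was unconditional before and is now granted only when nis.te or ntpd.te is present; confirm dhclient has no other reason to run init scripts.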
@@ -168,29 +182,13 @@ optional_policy(`userdomain.te',` userdom_use_all_user_fd(dhcpc_t) ') -# -# dhclient sometimes starts ypbind and ntpd -# -init_exec_script(dhcpc_t) -optional_policy(`ypbind.te',` - ypbind_domtrans(dhcpc_t) -') -optional_policy(`ntpd.te',` - ntpd_domtrans(dhcpc_t) -') - ifdef(`TODO',` -allow dhcpc_t autofs_t:dir { search getattr }; dontaudit dhcpc_t sysadm_home_dir_t:dir search; -optional_policy(`rhgb.te', ` -allow dhcpc_t rhgb_t:process sigchld; -allow dhcpc_t rhgb_t:fd use; -allow dhcpc_t rhgb_t:fifo_file { read write }; +optional_policy(`rhgb.te',` +rhgb_domain(dhcpc_t) ') -can_ypbind(dhcpc_t) - ifdef(`cardmgr.te', ` domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t) allow cardmgr_t dhcpc_var_run_t:file { getattr read }; @@ -208,15 +206,17 @@ logging_syslogd_transition(dhcpc_t) ')dnl end hotplug.te # for the dhcp client to run ping to check IP addresses -ifdef(`ping.te', ` -domain_auto_trans(dhcpc_t, ping_exec_t, ping_t) -ifdef(`hotplug.te',` -allow ping_t hotplug_t:fd use; -') dnl end if hotplug -ifdef(`cardmgr.te', ` -allow ping_t cardmgr_t:fd use; -') dnl end if cardmgr -') dnl end if ping +optional_policy(`netutils.te',` + netutils_domtrans_ping(dhcpc_t) + + optional_policy(`hotplug.te',` + allow ping_t hotplug_t:fd use; + ') + + ifdef(`cardmgr.te',` + allow ping_t cardmgr_t:fd use; + ') +') ifdef(`distro_redhat', ` allow initrc_t dhcp_etc_t:file rw_file_perms; @@ -266,6 +266,7 @@ kernel_dontaudit_search_sysctl_dir(ifconfig_t) kernel_dontaudit_search_network_sysctl_dir(ifconfig_t) fs_getattr_xattr_fs(ifconfig_t) +fs_search_auto_mountpoints(ifconfig_t) term_dontaudit_use_all_user_ttys(ifconfig_t) term_dontaudit_use_all_user_ptys(ifconfig_t) 
@@ -289,22 +290,18 @@ seutil_use_runinit_fd(ifconfig_t) userdom_use_all_user_fd(ifconfig_t) -ifdef(`TODO',` - -can_ypbind(ifconfig_t) -ifdef(`automount.te', ` -allow ifconfig_t autofs_t:dir { search getattr }; +optional_policy(`nis.te',` + nis_use_ypbind(ifconfig_t) ') -# Access terminals. +ifdef(`TODO',` + ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;') allow ifconfig_t tun_tap_device_t:chr_file { read write }; optional_policy(`rhgb.te', ` -allow ifconfig_t rhgb_t:process sigchld; -allow ifconfig_t rhgb_t:fd use; -allow ifconfig_t rhgb_t:fifo_file { read write }; +rhgb_domain(ifconfig_t) ') ') dnl endif TODO diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 86abffc..4a9c7d6 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -137,6 +137,7 @@ template(`base_user_domain',` fs_get_all_fs_quotas($1_t) fs_getattr_all_fs($1_t) + fs_search_auto_mountpoints($1_t) # for eject storage_getattr_fixed_disk($1_t) @@ -204,6 +205,10 @@ template(`base_user_domain',` term_getattr_all_user_ttys($1_t) ') + optional_policy(`nis.te',` + nis_use_ypbind($1_t) + ') + optional_policy(`usermanage.te',` usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) @@ -251,8 +256,6 @@ template(`base_user_domain',` r_dir_file($1_t, usercanread) - can_ypbind($1_t) - tunable_policy(`allow_execmod',` # Allow text relocations on system shared libraries, e.g. libGL. allow $1_t texrel_shlib_t:file execmod; @@ -271,8 +274,6 @@ template(`base_user_domain',` dontaudit $1_t sysctl_t:dir_file_class_set getattr; dontaudit $1_t proc_fs:dir { read search }; - allow $1_t autofs_t:dir { getattr search }; - can_exec($1_t, { removable_t noexattrfile } ) tunable_policy(`user_rw_noexattrfile',` 
@@ -299,8 +300,6 @@ template(`base_user_domain',` can_resmgrd_connect($1_t) - can_ypbind($1_t) - allow $1_t var_lock_t:dir search; # Grant permissions to access the system DBus @@ -385,10 +384,6 @@ template(`base_user_domain',` allow $1_t apmd_var_run_t:sock_file write; ') - ifdef(`automount.te', ` - allow $1_t autofs_t:dir { getattr search }; - ') - ifdef(`pamconsole.te', ` allow $1_t pam_var_console_t:dir search; ') @@ -418,7 +413,7 @@ template(`user_domain_template', ` #typeattribute $1_home_dir_t user_home_dir_type; #typeattribute $1_home_t user_home_type; - #typeattribute $1_tmp_t, user_tmpfile; + typeattribute $1_tmp_t user_tmpfile; #typeattribute $1_tty_device_t user_tty_type; @@ -808,11 +803,11 @@ template(`admin_domain_template',` ') ######################################## -## +## ## Execute a shell in all user domains. This ## is an explicit transition, requiring the ## caller to use setexeccon(). -## +## ## ## The type of the process performing this action. ## @@ -826,11 +821,11 @@ interface(`userdom_spec_domtrans_all_users',` ') ######################################## -## +## ## Execute a shell in all unprivileged user domains. This ## is an explicit transition, requiring the ## caller to use setexeccon(). -## +## ## ## The type of the process performing this action. ## @@ -844,9 +839,9 @@ interface(`userdom_spec_domtrans_unpriv_users',` ') ######################################## -## +## ## Execute a shell in the sysadm domain. -## +## ## ## The type of the process performing this action. ## @@ -860,9 +855,9 @@ interface(`userdom_shell_domtrans_sysadm',` ') ######################################## -## +## ## Read and write sysadm ttys. -## +## ## ## The type of the process performing this action. ## @@ -879,9 +874,9 @@ interface(`userdom_use_sysadm_tty',` ') ######################################## -## +## ## Read and write sysadm ttys and ptys. -## +## ## ## The type of the process performing this action. ## 
@@ -898,9 +893,9 @@ interface(`userdom_use_sysadm_terms',` ') ######################################## -## +## ## Do not audit attempts to use admin ttys and ptys. -## +## ## ## The type of the process performing this action. ## @@ -915,9 +910,9 @@ interface(`userdom_dontaudit_use_sysadm_terms',` ') ######################################## -## +## ## Search all users home directories. -## +## ## ## The type of the process performing this action. ## @@ -933,9 +928,9 @@ interface(`userdom_search_all_users_home',` ') ######################################## -## +## ## Read all files in all users home directories. -## +## ## ## The type of the process performing this action. ## @@ -953,9 +948,26 @@ interface(`userdom_read_all_user_data',` ') ######################################## -## +## +## Write all unprivileged users files in /tmp +## +## +## The type of the process performing this action. +## +# +interface(`userdom_write_unpriv_user_tmp',` + gen_require(` + attribute user_tmpfile; + class file { getattr write append }; + ') + + allow $1 user_tmpfile:file { getattr write append }; +') + +######################################## +## ## Inherit the file descriptors from all user domains -## +## ## ## The type of the process performing this action. ## @@ -970,9 +982,9 @@ interface(`userdom_use_all_user_fd',` ') ######################################## -## +## ## Send general signals to all user domains. -## +## ## ## The type of the process performing this action. ## @@ -987,9 +999,9 @@ interface(`userdom_signal_all_users',` ') ######################################## -## +## ## Send general signals to unprivileged user domains. -## +## ## ## The type of the process performing this action. ## 
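Review bot: The `##` summary added for userdom_write_unpriv_user_tmp in the -953,9 hunk says only "Write all unprivileged users files in /tmp", which does not match what the body grants. The body allows `getattr write append` on files with the user_tmpfile attribute and gives no directory search. Put that in the description so callers know they still need search access to the tmp directory or an inherited descriptor, e.g. `## Get attributes of, write and append to unprivileged users' temporary files; does not grant directory search.`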
@@ -1004,9 +1016,9 @@ interface(`userdom_signal_unpriv_users',` ') ######################################## -## -## Inherit the file descriptors from all user domains. -## +## +## Inherit the file descriptors from unprivileged user domains. +## ## ## The type of the process performing this action. ## @@ -1021,10 +1033,10 @@ interface(`userdom_use_unpriv_users_fd',` ') ######################################## -## +## ## Do not audit attempts to inherit the ## file descriptors from all user domains. -## +## ## ## The type of the process performing this action. ## diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index 422261e..37e4b91 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -20,6 +20,9 @@ attribute home_type; # a user in writing regular files) attribute privhome; +# all unprivileged users tmp files +attribute user_tmpfile; + # all user domains attribute userdomain; @@ -107,6 +110,12 @@ optional_policy(`mount.te',` mount_run(sysadm_t,sysadm_r,admin_terminal) ') +optional_policy(`netutils.te',` + netutils_run(sysadm_t,sysadm_r,admin_terminal) + netutils_run_ping(sysadm_t,sysadm_r,admin_terminal) + netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal) +') + optional_policy(`rpm.te',` rpm_run(sysadm_t,sysadm_r,admin_terminal) ')