diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index a49a055..66d899e 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -35,6 +35,7 @@ kernel_use_fd(consoletype_t)
kernel_dontaudit_read_system_state(consoletype_t)
fs_getattr_all_fs(consoletype_t)
+fs_search_auto_mountpoints(consoletype_t)
term_use_console(consoletype_t)
term_use_unallocated_tty(consoletype_t)
@@ -58,6 +59,10 @@ optional_policy(`authlogin.te', `
auth_read_pam_pid(consoletype_t)
')
+optional_policy(`nis.te',`
+ nis_use_ypbind(consoletype_t)
+')
+
optional_policy(`userdomain.te',`
userdom_use_unpriv_users_fd(consoletype_t)
')
@@ -73,12 +78,6 @@ allow consoletype_t nfs_t:file write;
allow consoletype_t crond_t:fifo_file r_file_perms;
allow consoletype_t system_crond_t:fd use;
-can_ypbind(consoletype_t)
-
-optional_policy(`automount.te', `
-allow consoletype_t autofs_t:dir { search getattr };
-')
-
optional_policy(`xdm.te', `
domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t)
allow consoletype_t xdm_tmp_t:file rw_file_perms;
diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te
index 110bd14..ead44ee 100644
--- a/refpolicy/policy/modules/admin/dmesg.te
+++ b/refpolicy/policy/modules/admin/dmesg.te
@@ -22,11 +22,14 @@ dontaudit dmesg_t self:capability sys_tty_config;
allow dmesg_t self:process signal_perms;
kernel_read_kernel_sysctl(dmesg_t)
-dev_read_sysfs(dmesg_t)
kernel_read_ring_buffer(dmesg_t)
kernel_clear_ring_buffer(dmesg_t)
kernel_change_ring_buffer_level(dmesg_t)
+dev_read_sysfs(dmesg_t)
+
+fs_search_auto_mountpoints(dmesg_t)
+
term_dontaudit_use_console(dmesg_t)
domain_use_wide_inherit_fd(dmesg_t)
@@ -67,11 +70,7 @@ ifdef(`TODO',`
allow dmesg_t proc_t:dir r_dir_perms;
allow dmesg_t proc_t:lnk_file read;
-optional_policy(`rhgb.te', `
-allow dmesg_t rhgb_t:process sigchld;
-allow dmesg_t rhgb_t:fd use;
-allow dmesg_t rhgb_t:fifo_file rw_file_perms;
+optional_policy(`rhgb.te',`
+rhgb_domain(dmesg_t)
')
-
-allow dmesg_t autofs_t:dir { search getattr };
') dnl endif TODO
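Review bot: `rhgb_domain(dmesg_t)` replaces three raw rules whose fifo_file permission here was `rw_file_perms`, but the same substitution in cron.te and sendmail.te replaces rules that granted only `{ read write }`, so one interface cannot match all three domains exactly. The body of rhgb_domain is not part of this diff, so which domains gain or lose fifo_file permissions cannot be told from here. The block is still inside the TODO ifdef, so nothing changes in the built policy yet. A comment above the call, such as `# rhgb_domain: fd use, sigchld and fifo_file access to rhgb_t; confirm the fifo_file set before enabling`, would keep the difference visible when the block is enabled.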
diff --git a/refpolicy/policy/modules/admin/netutils.if b/refpolicy/policy/modules/admin/netutils.if
index db3e743..f40ec6c 100644
--- a/refpolicy/policy/modules/admin/netutils.if
+++ b/refpolicy/policy/modules/admin/netutils.if
@@ -1,8 +1,12 @@
## Network analysis utilities
-#######################################
-#
-# netutils_domtrans(domain)
+########################################
+##
+## Execute network utilities in the netutils domain.
+##
+##
+## The type of the process performing this action.
+##
#
interface(`netutils_domtrans',`
gen_require(`
@@ -20,9 +24,39 @@ interface(`netutils_domtrans',`
allow netutils_t $1:process sigchld;
')
-#######################################
+########################################
+##
+## Execute network utilities in the netutils domain, and
+## allow the specified role the netutils domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the netutils domain.
+##
+##
+## The type of the terminal allow the netutils domain to use.
+##
#
-# netutils_exec(domain)
+interface(`netutils_run',`
+ gen_require(`
+ type netutils_t;
+ class chr_file rw_term_perms;
+ ')
+
+ netutils_domtrans($1)
+ role $2 types netutils_t;
+ allow netutils_t $3:chr_file rw_term_perms;
+')
+
+########################################
+##
+## Execute network utilities in the caller domain.
+##
+##
+## The type of the process performing this action.
+##
#
interface(`netutils_exec',`
gen_require(`
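Review bot: The third parameter description of netutils_run, `The type of the terminal allow the netutils domain to use.`, is missing a word and understates what the rule does. The interface grants netutils_t `rw_term_perms` on whatever type the caller passes as $3, so I would write `The type of the terminal to allow the netutils domain to read and write; pass only the caller's own terminal type.` The same sentence is repeated for netutils_run_ping and netutils_run_traceroute in the next hunk. The body of netutils_exec continues outside this hunk.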
@@ -31,3 +65,135 @@ interface(`netutils_exec',`
can_exec($1,netutils_exec_t)
')
+
+########################################
+##
+## Execute ping in the ping domain.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`netutils_domtrans_ping',`
+ gen_require(`
+ type ping_t, ping_exec_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
+
+ domain_auto_trans($1,ping_exec_t,ping_t)
+
+ allow $1 ping_t:fd use;
+ allow ping_t $1:fd use;
+ allow ping_t $1:fifo_file rw_file_perms;
+ allow ping_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute ping in the ping domain, and
+## allow the specified role the ping domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the ping domain.
+##
+##
+## The type of the terminal allow the ping domain to use.
+##
+#
+interface(`netutils_run_ping',`
+ gen_require(`
+ type ping_t;
+ class chr_file rw_term_perms;
+ ')
+
+ netutils_domtrans_ping($1)
+ role $2 types ping_t;
+ allow ping_t $3:chr_file rw_term_perms;
+')
+
+########################################
+##
+## Execute ping in the caller domain.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`netutils_exec_ping',`
+ gen_require(`
+ type ping_exec_t;
+ ')
+
+ can_exec($1,ping_exec_t)
+')
+
+########################################
+##
+## Execute traceroute in the traceroute domain.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`netutils_domtrans_traceroute',`
+ gen_require(`
+ type traceroute_t, traceroute_exec_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
+
+ domain_auto_trans($1,traceroute_exec_t,traceroute_t)
+
+ allow $1 traceroute_t:fd use;
+ allow traceroute_t $1:fd use;
+ allow traceroute_t $1:fifo_file rw_file_perms;
+ allow traceroute_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute traceroute in the traceroute domain, and
+## allow the specified role the traceroute domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the traceroute domain.
+##
+##
+## The type of the terminal allow the traceroute domain to use.
+##
+#
+interface(`netutils_run_traceroute',`
+ gen_require(`
+ type traceroute_t;
+ class chr_file rw_term_perms;
+ ')
+
+ netutils_domtrans_traceroute($1)
+ role $2 types traceroute_t;
+ allow traceroute_t $3:chr_file rw_term_perms;
+')
+
+########################################
+##
+## Execute traceroute in the caller domain.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`netutils_exec_traceroute',`
+ gen_require(`
+ type traceroute_exec_t;
+ ')
+
+ can_exec($1,traceroute_exec_t)
+')
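Review bot: `netutils_domtrans_ping`, `netutils_run_ping` and their traceroute counterparts give an unconditional transition into ping_t and traceroute_t, while netutils.te in this same commit keeps the transition for unprivileged user domains behind the user_ping tunable. Nothing in the interface descriptions tells a caller about that tunable, so a later call on behalf of an unprivileged role would bypass it. I would add a line to each description such as `## Callers acting for unprivileged user domains should make this call conditional on the user_ping tunable.` The four domtrans rules are also identical between the ping and traceroute interfaces apart from the type names, which is worth a short comment so they are kept in sync.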
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index ce6656f..a6b8fb2 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -54,15 +54,15 @@ corenet_udp_bind_all_nodes(netutils_t)
fs_getattr_xattr_fs(netutils_t)
-init_use_fd(netutils_t)
-init_use_script_pty(netutils_t)
-
domain_use_wide_inherit_fd(netutils_t)
files_read_generic_etc_files(netutils_t)
# for nscd
files_dontaudit_search_var(netutils_t)
+init_use_fd(netutils_t)
+init_use_script_pty(netutils_t)
+
libs_use_ld_so(netutils_t)
libs_use_shared_libs(netutils_t)
@@ -70,18 +70,14 @@ logging_send_syslog_msg(netutils_t)
miscfiles_read_localization(netutils_t)
-ifdef(`TODO',`
-role sysadm_r types netutils_t;
-
-can_ypbind(netutils_t)
+userdom_use_all_user_fd(netutils_t)
-domain_auto_trans(sysadm_t, netutils_exec_t, netutils_t)
+optional_policy(`nis.te',`
+ nis_use_ypbind(netutils_t)
+')
-# Inherit and use descriptors from init.
-allow netutils_t userdomain:fd use;
+ifdef(`TODO',`
-# Access terminals.
-allow netutils_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;')
allow netutils_t proc_t:dir search;
@@ -129,14 +125,11 @@ tunable_policy(`user_ping',`
term_use_all_user_ptys(ping_t)
')
-ifdef(`TODO',`
-can_ypbind(ping_t)
-
-domain_auto_trans(sysadm_t, ping_exec_t, ping_t)
-role sysadm_r types ping_t;
-allow ping_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;')
+optional_policy(`nis.te',`
+ nis_use_ypbind(ping_t)
+')
+ifdef(`TODO',`
in_user_role(ping_t)
tunable_policy(`user_ping',`
domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)
@@ -193,23 +186,16 @@ tunable_policy(`user_ping',`
term_use_all_user_ptys(traceroute_t)
')
-ifdef(`TODO',`
-role sysadm_r types traceroute_t;
-
-can_ypbind(traceroute_t)
-
-# Transition into this domain when you run this program.
-domain_auto_trans(sysadm_t, traceroute_exec_t, traceroute_t)
-
-# Access the terminal.
-allow traceroute_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;')
+optional_policy(`nis.te',`
+ nis_use_ypbind(traceroute_t)
+')
+ifdef(`TODO',`
in_user_role(traceroute_t)
tunable_policy(`user_ping',`
domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t)
')
-
+ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;')
#rules needed for nmap
dontaudit traceroute_t userdomain:dir search;
') dnl end TODO
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index 1da9add..c2a81ad 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -117,9 +117,10 @@ dev_read_urand(rpm_t)
#devices_manage_all_device_types(rpm_t)
#fs_manage_nfs_dir(rpm_t)
-#fs_manage_nfs_files(rpm_t)
+fs_manage_nfs_files(rpm_t)
fs_manage_nfs_symlinks(rpm_t)
fs_getattr_all_fs(rpm_t)
+fs_search_auto_mountpoints(rpm_t)
storage_raw_write_fixed_disk(rpm_t)
# for installing kernel packages
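Review bot: `fs_manage_nfs_files(rpm_t)` is switched on here with no comment and no condition, while `#fs_manage_nfs_dir(rpm_t)` directly above it stays commented out. rpm_t already has raw fixed-disk write access, and this adds create/write/delete on NFS-labelled files for the package manager domain, so the reason should be recorded next to the rule. Since the directory counterpart is still disabled, it is also unclear whether rpm_t can create files there at all (`fs_manage_nfs_symlinks` in the context line may or may not cover the directory access; its body is not shown). A comment in the form `# needed for <reason>; fs_manage_nfs_dir intentionally left off because <reason>` would settle both questions.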
@@ -159,6 +160,10 @@ userdom_use_unpriv_users_fd(rpm_t)
#cron_transition_from(rpm,rpm_exec_t)
+optional_policy(`nis.te',`
+ nis_use_ypbind(rpm_t)
+')
+
ifdef(`TODO',`
type_transition rpm_t tmpfs_t:{ dir file lnk_file sock_file fifo_file } rpm_tmpfs_t;
@@ -183,16 +188,10 @@ allow rpm_t usbdevfs_t:dir r_dir_perms;
allow rpm_t rpc_pipefs_t:dir search;
-can_ypbind(rpm_t)
-
optional_policy(`gnome-pty-helper.te', `
allow rpm_t sysadm_gph_t:fd use;
')
-optional_policy(`automount.te', `
-allow rpm_t autofs_t:dir { search getattr };
-')
-
optional_policy(`mount.te', `
allow rpm_t mount_t:udp_socket rw_socket_perms;
')
@@ -265,6 +264,7 @@ fs_getattr_nfs(rpm_script_t)
fs_getattr_xattr_fs(rpm_script_t)
fs_mount_xattr_fs(rpm_script_t)
fs_unmount_xattr_fs(rpm_script_t)
+fs_search_auto_mountpoints(rpm_script_t)
storage_raw_read_fixed_disk(rpm_script_t)
storage_raw_write_fixed_disk(rpm_script_t)
@@ -309,7 +309,11 @@ seutil_domtrans_restorecon(rpm_script_t)
userdom_use_all_user_fd(rpm_script_t)
optional_policy(`bootloader.te', `
-bootloader_domtrans(rpm_script_t)
+ bootloader_domtrans(rpm_script_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(rpm_script_t)
')
ifdef(`TODO',`
@@ -318,22 +322,8 @@ allow rpm_script_t sysfs_t:dir r_dir_perms;
can_exec(rpm_script_t,usr_t)
-
-allow rpm_script_t autofs_t:dir { search getattr };
-
-can_ypbind(rpm_script_t)
-
-optional_policy(`automount.te', `
-allow rpm_script_t autofs_t:dir { search getattr };
-')
-
optional_policy(`lpd.te', `
can_exec(rpm_script_t,printconf_t)
-
-')
-
-optional_policy(`ssh.te', `
-allow sshd_t rpm_script_t:fd use;
')
') dnl end TODO
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index cec2a48..9c01380 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -88,18 +88,20 @@ term_use_all_user_ttys(chfn_t)
term_use_all_user_ptys(chfn_t)
fs_getattr_xattr_fs(chfn_t)
+fs_search_auto_mountpoints(chfn_t)
# for SSP
dev_read_urand(chfn_t)
-# /usr/bin/passwd asks for w access to utmp, but it will operate
-# correctly without it. Do not audit write denials to utmp.
-init_dontaudit_rw_script_pid(chfn_t)
-
domain_use_wide_inherit_fd(chfn_t)
files_manage_generic_etc_files(chfn_t)
files_read_etc_runtime_files(chfn_t)
+files_dontaudit_search_var(chfn_t)
+
+# /usr/bin/passwd asks for w access to utmp, but it will operate
+# correctly without it. Do not audit write denials to utmp.
+init_dontaudit_rw_script_pid(chfn_t)
libs_use_ld_so(chfn_t)
libs_use_shared_libs(chfn_t)
@@ -111,20 +113,18 @@ logging_send_syslog_msg(chfn_t)
auth_domtrans_chk_passwd(chfn_t)
auth_dontaudit_read_shadow(chfn_t)
+userdom_use_unpriv_users_fd(chfn_t)
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(chfn_t)
+')
+
ifdef(`TODO',`
role sysadm_r types chfn_t;
in_user_role(chfn_t)
domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, chfn_exec_t, chfn_t)
-dontaudit chfn_t var_t:dir search;
-
-allow chfn_t unpriv_userdomain:fd use;
-can_ypbind(chfn_t)
-ifdef(`automount.te', `
-allow chfn_t autofs_t:dir { search getattr };
-')
-
ifdef(`gnome-pty-helper.te', `allow chfn_t gphdomain:fd use;')
# allow checking if a shell is executable
@@ -181,7 +181,6 @@ ifdef(`TODO',`
ifdef(`crond.te', `
domain_auto_trans(system_crond_t, crack_exec_t, crack_t)
allow crack_t crond_t:fifo_file rw_file_perms;
-# a rule for privfd may make this obsolete
allow crack_t crond_t:fd use;
allow crack_t crond_t:process sigchld;
')
@@ -209,6 +208,9 @@ allow groupadd_t self:sem create_sem_perms;
allow groupadd_t self:msgq create_msgq_perms;
allow groupadd_t self:msg { send receive };
+fs_getattr_xattr_fs(groupadd_t)
+fs_search_auto_mountpoints(groupadd_t)
+
# Allow access to context for shadow file
selinux_get_fs_mount(groupadd_t)
selinux_validate_context(groupadd_t)
@@ -217,13 +219,12 @@ selinux_compute_create_context(groupadd_t)
selinux_compute_relabel_context(groupadd_t)
selinux_compute_user_contexts(groupadd_t)
-fs_getattr_xattr_fs(groupadd_t)
-
term_use_all_user_ttys(groupadd_t)
term_use_all_user_ptys(groupadd_t)
init_use_fd(groupadd_t)
init_read_script_pid(groupadd_t)
+init_dontaudit_write_script_pid(groupadd_t)
domain_use_wide_inherit_fd(groupadd_t)
@@ -245,16 +246,14 @@ auth_rw_lastlog(groupadd_t)
seutil_read_config(groupadd_t)
-ifdef(`TODO',`
-role sysadm_r types groupadd_t;
-domain_auto_trans(sysadm_t, groupadd_exec_t, groupadd_t)
+userdom_use_unpriv_users_fd(groupadd_t)
-allow groupadd_t unpriv_userdomain:fd use;
-can_ypbind(groupadd_t)
-ifdef(`automount.te', `
-allow groupadd_t autofs_t:dir { search getattr };
+optional_policy(`nis.te',`
+ nis_use_ypbind(groupadd_t)
')
+ifdef(`TODO',`
+
# Update /etc/shadow and /etc/passwd
allow groupadd_t { etc_t shadow_t }:file { relabelfrom relabelto };
@@ -263,7 +262,6 @@ ifdef(`gnome-pty-helper.te', `allow groupadd_t gphdomain:fd use;')
# for when /root is the cwd
dontaudit groupadd_t sysadm_home_dir_t:dir search;
-dontaudit groupadd_t initrc_var_run_t:file write;
') dnl end TODO
########################################
@@ -285,6 +283,15 @@ allow passwd_t self:sem create_sem_perms;
allow passwd_t self:msgq create_msgq_perms;
allow passwd_t self:msg { send receive };
+allow passwd_t crack_db_t:dir r_dir_perms;
+allow passwd_t crack_db_t:file r_file_perms;
+
+# for SSP
+dev_read_urand(passwd_t)
+
+fs_getattr_xattr_fs(passwd_t)
+fs_search_auto_mountpoints(passwd_t)
+
selinux_get_fs_mount(passwd_t)
selinux_validate_context(passwd_t)
selinux_compute_access_vector(passwd_t)
@@ -292,11 +299,6 @@ selinux_compute_create_context(passwd_t)
selinux_compute_relabel_context(passwd_t)
selinux_compute_user_contexts(passwd_t)
-# for SSP
-dev_read_urand(passwd_t)
-
-fs_getattr_xattr_fs(passwd_t)
-
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_script_pid(passwd_t)
@@ -305,6 +307,7 @@ domain_use_wide_inherit_fd(passwd_t)
files_read_etc_runtime_files(passwd_t)
files_manage_generic_etc_files(passwd_t)
+files_search_var(passwd_t)
libs_use_ld_so(passwd_t)
libs_use_shared_libs(passwd_t)
@@ -315,6 +318,12 @@ miscfiles_read_localization(passwd_t)
auth_manage_shadow(passwd_t)
+userdom_use_unpriv_users_fd(passwd_t)
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(passwd_t)
+')
+
ifdef(`TODO',`
ifdef(`firstboot.te',`
@@ -324,12 +333,6 @@ domain_auto_trans(firstboot_t, passwd_exec_t, passwd_t)
# Update /etc/shadow and /etc/passwd
allow passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
-allow passwd_t unpriv_userdomain:fd use;
-can_ypbind(passwd_t)
-ifdef(`automount.te', `
-allow passwd_t autofs_t:dir { search getattr };
-')
-
# Inherit and use descriptors from login.
ifdef(`gnome-pty-helper.te', `allow passwd_t gphdomain:fd use;')
@@ -347,14 +350,7 @@ allow passwd_t userdomain:process getattr;
dontaudit passwd_t selinux_config_t:dir search;
-ifdef(`crack.te', `
-allow passwd_t var_t:dir search;
dontaudit passwd_t var_run_t:dir search;
-allow passwd_t crack_db_t:dir r_dir_perms;
-allow passwd_t crack_db_t:file r_file_perms;
-', `
-dontaudit passwd_t var_t:dir search;
-')
') dnl endif TODO
########################################
@@ -395,23 +391,26 @@ kernel_read_system_state(sysadm_passwd_t)
dev_read_urand(sysadm_passwd_t)
fs_getattr_xattr_fs(sysadm_passwd_t)
+fs_search_auto_mountpoints(sysadm_passwd_t)
term_use_all_user_ttys(sysadm_passwd_t)
term_use_all_user_ptys(sysadm_passwd_t)
-# /usr/bin/passwd asks for w access to utmp, but it will operate
-# correctly without it. Do not audit write denials to utmp.
-init_dontaudit_rw_script_pid(sysadm_passwd_t)
+auth_manage_shadow(sysadm_passwd_t)
+
+# allow vipw to exec the editor
+corecmd_exec_bin(sysadm_passwd_t)
+corecmd_exec_shell(sysadm_passwd_t)
+files_read_usr_files(sysadm_passwd_t)
domain_use_wide_inherit_fd(sysadm_passwd_t)
files_manage_generic_etc_files(sysadm_passwd_t)
files_read_etc_runtime_files(sysadm_passwd_t)
-# allow vipw to exec the editor
-corecmd_exec_bin(sysadm_passwd_t)
-corecmd_exec_shell(sysadm_passwd_t)
-files_read_usr_files(sysadm_passwd_t)
+# /usr/bin/passwd asks for w access to utmp, but it will operate
+# correctly without it. Do not audit write denials to utmp.
+init_dontaudit_rw_script_pid(sysadm_passwd_t)
libs_use_ld_so(sysadm_passwd_t)
libs_use_shared_libs(sysadm_passwd_t)
@@ -420,18 +419,16 @@ miscfiles_read_localization(sysadm_passwd_t)
logging_send_syslog_msg(sysadm_passwd_t)
-auth_manage_shadow(sysadm_passwd_t)
+userdom_use_unpriv_users_fd(sysadm_passwd_t)
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(sysadm_passwd_t)
+')
ifdef(`TODO',`
role sysadm_r types sysadm_passwd_t;
domain_auto_trans(sysadm_t, admin_passwd_exec_t, sysadm_passwd_t)
-allow sysadm_passwd_t unpriv_userdomain:fd use;
-can_ypbind(sysadm_passwd_t)
-ifdef(`automount.te', `
-allow sysadm_passwd_t autofs_t:dir { search getattr };
-')
-
# Inherit and use descriptors from login.
ifdef(`gnome-pty-helper.te', `allow sysadm_passwd_t gphdomain:fd use;')
@@ -483,46 +480,46 @@ selinux_compute_user_contexts(useradd_t)
# for getting the number of groups
kernel_read_kernel_sysctl(useradd_t)
+fs_search_auto_mountpoints(useradd_t)
fs_getattr_xattr_fs(useradd_t)
term_use_all_user_ttys(useradd_t)
term_use_all_user_ptys(useradd_t)
-init_use_fd(useradd_t)
-init_rw_script_pid(useradd_t)
+auth_manage_shadow(useradd_t)
+auth_rw_lastlog(useradd_t)
+
+corecmd_exec_shell(useradd_t)
+# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
+corecmd_exec_bin(useradd_t)
+corecmd_exec_sbin(useradd_t)
domain_use_wide_inherit_fd(useradd_t)
files_manage_generic_etc_files(useradd_t)
+init_use_fd(useradd_t)
+init_rw_script_pid(useradd_t)
+
libs_use_ld_so(useradd_t)
libs_use_shared_libs(useradd_t)
-corecmd_exec_shell(useradd_t)
-# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
-corecmd_exec_bin(useradd_t)
-corecmd_exec_sbin(useradd_t)
+logging_send_syslog_msg(useradd_t)
miscfiles_read_localization(useradd_t)
seutil_read_config(useradd_t)
-logging_send_syslog_msg(useradd_t)
+userdom_use_unpriv_users_fd(useradd_t)
-auth_manage_shadow(useradd_t)
-auth_rw_lastlog(useradd_t)
+mta_manage_spool(useradd_t)
-ifdef(`TODO',`
-
-role sysadm_r types useradd_t;
-domain_auto_trans(sysadm_t, useradd_exec_t, useradd_t)
-
-allow useradd_t unpriv_userdomain:fd use;
-can_ypbind(useradd_t)
-ifdef(`automount.te', `
-allow useradd_t autofs_t:dir { search getattr };
+optional_policy(`nis.te',`
+ nis_use_ypbind(useradd_t)
')
+ifdef(`TODO',`
+
# Update /etc/shadow and /etc/passwd
allow useradd_t { etc_t shadow_t }:file { relabelfrom relabelto };
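Review bot: `mta_manage_spool(useradd_t)` is called at top level, whereas the other cross-module call added in this hunk, `nis_use_ypbind(useradd_t)`, is wrapped in an optional_policy block. If mta is meant to be an optional services module, this call needs the same wrapping keyed on mta.te, otherwise usermanage cannot be built without it. The interface replaces three narrow rules that a later hunk removes from the TODO block (search on var_spool_t, add/remove names in mail_spool_t directories, create_file_perms on mail_spool_t files). Its body is not in this diff, so it is worth confirming it does not grant useradd_t more than those rules did. The removed comment `# create/delete mail spool file in /var/mail` should move up to sit above the new call.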
@@ -536,10 +533,7 @@ dontaudit useradd_t sysadm_home_dir_t:dir search;
file_type_auto_trans(useradd_t, home_root_t, user_home_dir_t, dir)
file_type_auto_trans(useradd_t, user_home_dir_t, user_home_t)
-# create/delete mail spool file in /var/mail
-allow useradd_t var_spool_t:dir search;
-allow useradd_t mail_spool_t:dir { search write add_name remove_name };
-allow useradd_t mail_spool_t:file create_file_perms;
# /var/mail is a link to /var/spool/mail
allow useradd_t mail_spool_t:lnk_file read;
+
') dnl end TODO
diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if
index 1a02004..fdd1690 100644
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@@ -129,9 +129,11 @@ template(`gpg_per_userdomain_template',`
fs_manage_cifs_symlinks($1_gpg_t)
')
- ifdef(`TODO',`
+ optional_policy(`nis.te',`
+ nis_use_ypbind($1_gpg_t)
+ ')
- can_ypbind($1_gpg_t)
+ ifdef(`TODO',`
allow $1_t $1_gpg_secret_t:file getattr;
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 8e1e7d3..e184f51 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -267,6 +267,24 @@ interface(`fs_getattr_autofs',`
')
########################################
+##
+## Search automount filesystem to use automatically
+## mounted filesystems.
+##
+##
+## The type of the domain performing this action.
+##
+#
+interface(`fs_search_auto_mountpoints',`
+ gen_require(`
+ type autofs_t;
+ class dir { getattr search };
+ ')
+
+ allow $1 autofs_t:dir { getattr search };
+')
+
+########################################
##
## Register an interpreter for new binary
## file types, using the kernel binfmt_misc
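Review bot: The summary of `fs_search_auto_mountpoints` says only "Search", but the rule grants `{ getattr search }` on autofs_t directories. I would word it as `## Get the attributes of and search automount directories, so the domain can traverse automatically mounted filesystems.` so that callers see the full grant. Several call sites in this commit previously had the raw rule inside an automount.te conditional and now get it unconditionally. That looks intentional given that autofs_t is required from this module, but a sentence in the description saying so would help.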
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index 81d9c97..d547c64 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -116,6 +116,10 @@ template(`cron_per_userdomain_template',`
allow crond_t $1_cron_spool_t:file create_file_perms;
')
+ optional_policy(`nis.te',`
+ nis_use_ypbind($1_crond_t)
+ ')
+
ifdef(`TODO',`
# Access user files and dirs.
allow $1_crond_t home_root_t:dir search;
@@ -135,8 +139,6 @@ template(`cron_per_userdomain_template',`
allow mta_user_agent $1_crond_t:fd use;
')
- # This domain is granted permissions common to most domains.
- can_ypbind($1_crond_t)
allow $1_crond_t var_spool_t:dir search;
allow $1_crond_t var_t:dir r_dir_perms;
allow $1_crond_t var_t:file r_file_perms;
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 6c5bd64..9f333e3 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -87,6 +87,7 @@ selinux_compute_user_contexts(crond_t)
dev_read_urand(crond_t)
fs_getattr_all_fs(crond_t)
+fs_search_auto_mountpoints(crond_t)
term_dontaudit_use_console(crond_t)
@@ -127,6 +128,10 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_file(crond_t)
')
+optional_policy(`nis.te',`
+ nis_use_ypbind(crond_t)
+')
+
optional_policy(`udev.te', `
udev_read_db(crond_t)
')
@@ -135,18 +140,10 @@ ifdef(`TODO',`
# NB The constraints file has some entries for crond_t, this makes it
# different from all other domains...
-allow crond_t autofs_t:dir { search getattr };
dontaudit crond_t sysadm_home_dir_t:dir search;
optional_policy(`rhgb.te', `
-allow crond_t rhgb_t:process sigchld;
-allow crond_t rhgb_t:fd use;
-allow crond_t rhgb_t:fifo_file { read write };
-')
-
-can_ypbind(crond_t)
-ifdef(`automount.te', `
-allow crond_t autofs_t:dir { search getattr };
+rhgb_domain(crond_t)
')
# Read from /var/spool/cron.
@@ -301,10 +298,11 @@ tunable_policy(`cron_can_relabel',`
seutil_read_file_contexts(system_crond_t)
')
-ifdef(`TODO',`
-
-can_ypbind(system_crond_t)
+optional_policy(`nis.te',`
+ nis_use_ypbind(system_crond_t)
+')
+ifdef(`TODO',`
dontaudit userdomain system_crond_t:fd use;
# quiet other ps operations
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 7dd5c68..f156541 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -70,14 +70,15 @@ template(`mta_per_userdomain_template',`
corenet_udp_sendrecv_dns_port($1_mail_t)
')
+ optional_policy(`nis.te',`
+ nis_use_ypbind($1_mail_t)
+ ')
+
optional_policy(`procmail.te',`
procmail_execute($1_mail_t)
')
ifdef(`TODO',`
-
- can_ypbind($1_mail_t)
-
allow $1_mail_t device_t:dir search;
allow $1_mail_t { var_t var_spool_t }:dir search;
allow $1_mail_t sbin_t:dir search;
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 29ca2ea..2a3e676 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -90,8 +90,12 @@ tunable_policy(`use_dns',`
corenet_udp_sendrecv_dns_port(system_mail_t)
')
+optional_policy(`nis.te',`
+ nis_use_ypbind(system_mail_t)
+')
+
optional_policy(`procmail.te',`
- procmail_execute(system_mail_t)
+ procmail_exec(system_mail_t)
')
ifdef(`TODO',`
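Review bot: This hunk changes the call to `procmail_exec(system_mail_t)`, but the mta.if hunk in the same commit leaves `procmail_execute($1_mail_t)` as an unchanged context line in mta_per_userdomain_template. If procmail's interface was renamed (procmail.if is not in this view, so that is inferred), the per-user template still references the old name and will either fail to expand or silently emit nothing, depending on how undefined interfaces are handled. The template line should become `procmail_exec($1_mail_t)` in the same commit. The sendmail.te rename of `procmail_transition` to `procmail_domtrans` suggests the rename is deliberate.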
@@ -117,9 +121,6 @@ dontaudit system_mail_t system_crond_tmp_t:file append;
')
') dnl end if sendmail
-
-can_ypbind(system_mail_t)
-
allow system_mail_t device_t:dir search;
allow system_mail_t { var_t var_spool_t }:dir search;
allow system_mail_t sbin_t:dir search;
diff --git a/refpolicy/policy/modules/services/nis.te b/refpolicy/policy/modules/services/nis.te
index 3f5d3fb..c5745ef 100644
--- a/refpolicy/policy/modules/services/nis.te
+++ b/refpolicy/policy/modules/services/nis.te
@@ -77,6 +77,7 @@ corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t)
dev_read_sysfs(ypbind_t)
fs_getattr_all_fs(ypbind_t)
+fs_search_auto_mountpoints(ypbind_t)
term_dontaudit_use_console(ypbind_t)
@@ -121,7 +122,6 @@ ifdef(`TODO',`
allow ypbind_t proc_t:dir r_dir_perms;
allow ypbind_t proc_t:lnk_file read;
-allow ypbind_t autofs_t:dir { search getattr };
dontaudit ypbind_t sysadm_home_dir_t:dir search;
can_udp_send(ypbind_t, portmap_t)
@@ -172,6 +172,7 @@ corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
dev_read_sysfs(ypserv_t)
fs_getattr_all_fs(ypserv_t)
+fs_search_auto_mountpoints(ypserv_t)
term_dontaudit_use_console(ypserv_t)
@@ -214,7 +215,6 @@ rhgb_domain(ypserv_t)
allow ypserv_t proc_t:dir r_dir_perms;
allow ypserv_t proc_t:lnk_file read;
-allow ypserv_t autofs_t:dir { search getattr };
dontaudit ypserv_t sysadm_home_dir_t:dir search;
# Send to portmap and initrc.
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index 0fd4a22..4c5a5b7 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -54,8 +54,14 @@ selinux_compute_user_contexts(remote_login_t)
dev_read_urand(remote_login_t)
fs_getattr_xattr_fs(remote_login_t)
+fs_search_auto_mountpoints(remote_login_t)
-init_rw_script_pid(remote_login_t)
+auth_domtrans_chk_passwd(remote_login_t)
+auth_dontaudit_read_shadow(remote_login_t)
+auth_rw_login_records(remote_login_t)
+auth_rw_lastlog(remote_login_t)
+auth_exec_pam(remote_login_t)
+auth_manage_pam_console_data(remote_login_t)
domain_read_all_entry_files(remote_login_t)
@@ -64,6 +70,8 @@ files_read_etc_runtime_files(remote_login_t)
files_list_home(remote_login_t)
files_read_usr_files(remote_login_t)
+init_rw_script_pid(remote_login_t)
+
libs_use_ld_so(remote_login_t)
libs_use_shared_libs(remote_login_t)
@@ -72,15 +80,10 @@ logging_send_syslog_msg(remote_login_t)
seutil_read_config(remote_login_t)
seutil_read_default_contexts(remote_login_t)
-auth_domtrans_chk_passwd(remote_login_t)
-auth_dontaudit_read_shadow(remote_login_t)
-auth_rw_login_records(remote_login_t)
-auth_rw_lastlog(remote_login_t)
-auth_exec_pam(remote_login_t)
-auth_manage_pam_console_data(remote_login_t)
-
miscfiles_read_localization(remote_login_t)
+userdom_use_unpriv_users_fd(remote_login_t)
+
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(remote_login_t)
fs_read_nfs_symlinks(remote_login_t)
@@ -91,13 +94,12 @@ tunable_policy(`use_samba_home_dirs',`
fs_read_cifs_symlinks(remote_login_t)
')
-ifdef(`TODO',`
-allow remote_login_t unpriv_userdomain:fd use;
-can_ypbind(remote_login_t)
-ifdef(`automount.te', `
-allow remote_login_t autofs_t:dir { search getattr };
+optional_policy(`nis.te',`
+ nis_use_ypbind(remote_login_t)
')
+ifdef(`TODO',`
+
allow remote_login_t bin_t:dir r_dir_perms;
allow remote_login_t bin_t:notdevfile_class_set r_file_perms;
allow remote_login_t sbin_t:dir r_dir_perms;
@@ -123,7 +125,6 @@ allow remote_login_t device_t:lnk_file r_file_perms;
dontaudit remote_login_t sysfs_t:dir search;
-allow remote_login_t autofs_t:dir r_dir_perms;
allow remote_login_t mnt_t:dir r_dir_perms;
# FIXME: what is this for?
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index 49850c8..359b5ae 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -57,43 +57,48 @@ corenet_tcp_bind_smtp_port(sendmail_t)
dev_read_urand(sendmail_t)
fs_getattr_all_fs(sendmail_t)
+fs_search_auto_mountpoints(sendmail_t)
term_dontaudit_use_console(sendmail_t)
-init_use_fd(sendmail_t)
-init_use_script_pty(sendmail_t)
-# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
-init_read_script_pid(sendmail_t)
-init_dontaudit_write_script_pid(sendmail_t)
-
domain_use_wide_inherit_fd(sendmail_t)
files_read_generic_etc_files(sendmail_t)
files_search_spool(sendmail_t)
-logging_send_syslog_msg(sendmail_t)
+init_use_fd(sendmail_t)
+init_use_script_pty(sendmail_t)
+# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
+init_read_script_pid(sendmail_t)
+init_dontaudit_write_script_pid(sendmail_t)
libs_use_ld_so(sendmail_t)
libs_use_shared_libs(sendmail_t)
# Read /usr/lib/sasl2/.*
libs_read_lib(sendmail_t)
+logging_send_syslog_msg(sendmail_t)
+
miscfiles_read_localization(sendmail_t)
+sysnet_read_config(sendmail_t)
+
# Write to /etc/aliases and /etc/mail.
mta_rw_aliases(sendmail_t)
# Write to /var/spool/mail and /var/spool/mqueue.
mta_manage_queue(sendmail_t)
mta_manage_spool(sendmail_t)
-sysnet_read_config(sendmail_t)
-
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(sendmail_t)
term_dontaudit_use_generic_pty(sendmail_t)
files_dontaudit_read_root_file(sendmail_t)
')
+optional_policy(`nis.te',`
+ nis_use_ypbind(sendmail_t)
+')
+
optional_policy(`selinux.te',`
seutil_newrole_sigchld(sendmail_t)
')
@@ -105,18 +110,13 @@ optional_policy(`udev.te', `
ifdef(`TODO',`
optional_policy(`rhgb.te', `
-allow sendmail_t rhgb_t:process sigchld;
-allow sendmail_t rhgb_t:fd use;
-allow sendmail_t rhgb_t:fifo_file { read write };
+rhgb_domain(sendmail_t)
')
allow sendmail_t proc_t:dir r_dir_perms;
allow sendmail_t proc_t:lnk_file read;
dontaudit sendmail_t unpriv_userdomain:fd use;
-allow sendmail_t autofs_t:dir { search getattr };
dontaudit sendmail_t sysadm_home_dir_t:dir search;
-can_ypbind(sendmail_t)
-
#
# Need this transition to create /etc/aliases.db
#
@@ -144,7 +144,7 @@ dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr sear
# Run procmail in its own domain, if defined.
ifdef(`procmail.te',`
corecmd_search_bin(sendmail_t)
-procmail_transition(sendmail_t)
+procmail_domtrans(sendmail_t)
domain_auto_trans(system_mail_t, procmail_exec_t, procmail_t)
')
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index c65d7f2..3a0a884 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -98,6 +98,7 @@ template(`ssh_per_userdomain_template',`
dev_read_urand($1_ssh_t)
fs_getattr_all_fs($1_ssh_t)
+ fs_search_auto_mountpoints($1_ssh_t)
# run helper programs - needed eg for x11-ssh-askpass
corecmd_exec_shell($1_ssh_t)
@@ -124,8 +125,6 @@ template(`ssh_per_userdomain_template',`
userdom_use_unpriv_users_fd($1_ssh_t)
- nis_use_ypbind($1_ssh_t)
-
tunable_policy(`use_dns',`
allow $1_ssh_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
corenet_udp_sendrecv_all_if($1_ssh_t)
@@ -149,10 +148,11 @@ template(`ssh_per_userdomain_template',`
corenet_tcp_bind_ssh_port($1_ssh_t)
')
- ifdef(`TODO',`
- can_ypbind($1_ssh_t)
+ optional_policy(`nis.te',`
+ nis_use_ypbind($1_ssh_t)
+ ')
- allow $1_ssh_t autofs_t:dir { search getattr };
+ ifdef(`TODO',`
allow $1 sbin_t:dir r_dir_perms;
allow $1 sbin_t:notdevfile_class_set r_file_perms;
@@ -244,6 +244,8 @@ template(`ssh_per_userdomain_template',`
dev_read_urand($1_ssh_agent_t)
dev_read_rand($1_ssh_agent_t)
+ fs_search_auto_mountpoints($1_ssh_agent_t)
+
domain_use_wide_inherit_fd($1_ssh_agent_t)
files_read_generic_etc_files($1_ssh_agent_t)
@@ -265,6 +267,10 @@ template(`ssh_per_userdomain_template',`
fs_manage_cifs_files($1_ssh_agent_t)
}
+ optional_policy(`nis.te',`
+ nis_use_ypbind($1_ssh_agent_t)
+ ')
+
ifdef(`TODO',`
# Write to the user domain tty.
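Review bot: The added `nis_use_ypbind($1_ssh_agent_t)` is not a plain move, because the next hunk removes `can_ypbind($1_ssh_agent_t)` from what appears to be the ifdef TODO block, so the permission becomes live for the agent domain whenever nis.te is built. The body of nis_use_ypbind is not visible in this diff; if it is not already conditional on a tunable, the per-user agent that holds private keys picks up the interface's network access unconditionally. The same activation out of a TODO block happens later in this commit for pam_t, system_chkpwd_t, newrole_t, sulogin_t, local_login_t and ifconfig_t. I would state the reason above the call, as the iptables hunk does with `# for iptables -L`, for example `# NIS lookups only; confirm the agent needs this`. The template continues outside the hunk.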
@@ -275,9 +281,6 @@ template(`ssh_per_userdomain_template',`
# allow ps to show ssh
can_ps($1_t, $1_ssh_agent_t)
- can_ypbind($1_ssh_agent_t)
- allow $1_ssh_agent_t autofs_t:dir { search getattr };
-
allow $1_ssh_agent_t proc_t:dir search;
dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
dontaudit $1_ssh_agent_t selinux_config_t:dir search;
@@ -449,7 +452,6 @@ template(`sshd_program_domain', `
allow $1_t var_t:dir getattr;
allow $1_t { home_root_t home_dir_type }:dir getattr;
- allow $1_t autofs_t:dir { search getattr };
dontaudit sshd_t userpty_type:chr_file relabelfrom;
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index 6ac8926..8e3a1e6 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -112,6 +112,9 @@ tunable_policy(`run_ssh_inetd',`
# for when the network connection breaks after running newrole -r sysadm_r
dontaudit sshd_t sysadm_devpts_t:chr_file setattr;
+optional_policy(`rpm.te',`
+allow sshd_t rpm_script_t:fd use;
+')
') dnl endif TODO
#################################
@@ -187,6 +190,8 @@ files_create_etc_config(ssh_keygen_t,sshd_key_t,file)
kernel_read_kernel_sysctl(ssh_keygen_t)
+fs_search_auto_mountpoints(ssh_keygen_t)
+
dev_read_sysfs(ssh_keygen_t)
dev_read_urand(ssh_keygen_t)
@@ -231,7 +236,3 @@ optional_policy(`selinux.te',`
optional_policy(`udev.te', `
udev_read_db(ssh_keygen_t)
')
-
-ifdef(`TODO',`
-allow ssh_keygen_t autofs_t:dir { search getattr };
-')
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index a004cfa..3df2761 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -67,7 +67,6 @@ template(`authlogin_per_userdomain_template',`
seutil_read_config($1_chkpwd_t)
- #can_ypbind($1_chkpwd_t)
#can_kerberos($1_chkpwd_t)
#can_ldap($1_chkpwd_t)
@@ -97,6 +96,10 @@ template(`authlogin_per_userdomain_template',`
sysnet_read_config($1_chkpwd_t)
')
+ optional_policy(`nis.te',`
+ nis_use_ypbind($1_chkpwd_t)
+ ')
+
optional_policy(`selinux.te',`
seutil_use_newrole_fd($1_chkpwd_t)
')
@@ -173,9 +176,6 @@ interface(`auth_domtrans_chk_passwd',`
allow system_chkpwd_t $1:process sigchld;
dontaudit $1 shadow_t:file { getattr read };
- #can_ypbind($1_t)
- #can_kerberos($1_t)
- #can_ldap($1_t)
tunable_policy(`use_dns',`
allow $1 self:udp_socket create_socket_perms;
@@ -187,6 +187,13 @@ interface(`auth_domtrans_chk_passwd',`
corenet_udp_sendrecv_dns_port($1)
sysnet_read_config($1)
')
+
+ #can_kerberos($1)
+ #can_ldap($1)
+
+ optional_policy(`nis.te',`
+ nis_use_ypbind($1)
+ ')
')
########################################
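Review bot: `nis_use_ypbind($1)` at the end of auth_domtrans_chk_passwd grants the ypbind permissions to the calling domain rather than to the password checker, so every domain that uses this interface to run chkpwd inherits them. The checker's own access is added separately in authlogin.te with `nis_use_ypbind(system_chkpwd_t)`, and the commented-out line this replaces named `$1_t`, not `$1`. If the caller really has to do the lookups itself, the block should say so, for example `# NIS access for the calling domain; confirm the caller needs it, not only chkpwd`; otherwise I would drop it from a transition interface. The interface starts outside the hunk.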
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 82d24c0..c33677c 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -93,6 +93,8 @@ files_create_tmp_files(pam_t, pam_tmp_t, { file dir })
kernel_read_system_state(pam_t)
+fs_search_auto_mountpoints(pam_t)
+
term_use_all_user_ttys(pam_t)
term_use_all_user_ptys(pam_t)
@@ -112,12 +114,11 @@ optional_policy(`locallogin.te',`
locallogin_use_fd(pam_t)
')
-ifdef(`TODO',`
-can_ypbind(pam_t)
-ifdef(`automount.te', `
- allow pam_t autofs_t:dir { search getattr };
+optional_policy(`nis.te',`
+ nis_use_ypbind(pam_t)
')
+ifdef(`TODO',`
ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
') dnl endif TODO
@@ -156,6 +157,8 @@ dev_setattr_snd_dev(pam_console_t)
dev_getattr_video_dev(pam_console_t)
dev_setattr_video_dev(pam_console_t)
+fs_search_auto_mountpoints(pam_console_t)
+
storage_getattr_fixed_disk(pam_console_t)
storage_setattr_fixed_disk(pam_console_t)
storage_getattr_removable_device(pam_console_t)
@@ -210,11 +213,8 @@ optional_policy(`udev.te', `
ifdef(`TODO',`
optional_policy(`rhgb.te', `
- allow pam_console_t rhgb_t:process sigchld;
- allow pam_console_t rhgb_t:fd use;
- allow pam_console_t rhgb_t:fifo_file { read write };
+ rhgb_domain(pam_console_t)
')
-allow pam_console_t autofs_t:dir { search getattr };
allow pam_console_t apm_bios_t:chr_file { getattr setattr };
@@ -268,8 +268,11 @@ tunable_policy(`use_dns',`
sysnet_read_config(system_chkpwd_t)
')
+optional_policy(`nis.te',`
+ nis_use_ypbind(system_chkpwd_t)
+')
+
ifdef(`TODO',`
-can_ypbind(system_chkpwd_t)
can_kerberos(system_chkpwd_t)
can_ldap(system_chkpwd_t)
@@ -303,10 +306,10 @@ libs_use_shared_libs(utempter_t)
logging_search_logs(utempter_t)
-ifdef(`TODO',`
# Allow utemper to write to /tmp/.xses-*
-allow utempter_t user_tmpfile:file { getattr write append };
+userdom_write_unpriv_user_tmp(utempter_t)
+ifdef(`TODO',`
ifdef(`xdm.te', `
allow utempter_t xdm_t:fd use;
allow utempter_t xdm_t:fifo_file { write getattr };
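Review bot: Moving this rule out of the ifdef TODO block makes it live, and `userdom_write_unpriv_user_tmp(utempter_t)` covers every file carrying the user_tmpfile attribute, while the comment above it names only /tmp/.xses-*. utempter_t can then write and append to any unprivileged user's temporary files, which is wider than the stated need. I would at least record that in the comment, for example `# Allow utempter to write to /tmp/.xses-* (grants write/append on all user_tmpfile files)`, and narrow the grant if the session files ever get their own type. The TODO block continues outside the hunk.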
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index 9f884b2..5833654 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -35,6 +35,7 @@ dev_read_sysfs(hwclock_t)
dev_rw_realtime_clock(hwclock_t)
fs_getattr_xattr_fs(hwclock_t)
+fs_search_auto_mountpoints(hwclock_t)
term_dontaudit_use_console(hwclock_t)
term_use_unallocated_tty(hwclock_t)
@@ -81,13 +82,9 @@ allow hwclock_t proc_t:dir r_dir_perms;
allow hwclock_t proc_t:lnk_file read;
optional_policy(`rhgb.te', `
-allow hwclock_t rhgb_t:process sigchld;
-allow hwclock_t rhgb_t:fd use;
-allow hwclock_t rhgb_t:fifo_file rw_file_perms;
+rhgb_domain(hwclock_t)
')
-allow hwclock_t autofs_t:dir { search getattr };
-
optional_policy(`gnome-pty-helper.te', `allow hwclock_t sysadm_gph_t:fd use;')
optional_policy(`apmd.te', `
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
index 8a0404d..0605871 100644
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@@ -11,7 +11,6 @@ type hostname_exec_t;
init_system_domain(hostname_t,hostname_exec_t)
role system_r types hostname_t;
-
########################################
#
# Local policy
@@ -31,6 +30,7 @@ kernel_dontaudit_use_fd(hostname_t)
dev_read_sysfs(hostname_t)
fs_getattr_xattr_fs(hostname_t)
+fs_search_auto_mountpoints(hostname_t)
term_dontaudit_use_console(hostname_t)
term_use_all_user_ttys(hostname_t)
@@ -96,11 +96,7 @@ allow hostname_t proc_t:dir { read getattr lock search ioctl };
allow hostname_t proc_t:lnk_file read;
optional_policy(`rhgb.te', `
-allow hostname_t rhgb_t:process sigchld;
-allow hostname_t rhgb_t:fd use;
-allow hostname_t rhgb_t:fifo_file { read write };
+rhgb_domain(hostname_t)
')
-
-allow hostname_t autofs_t:dir { search getattr };
##end daemon_base_domain
') dnl end TODO
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 288427c..04b5831 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -65,6 +65,7 @@ dev_setattr_snd_dev(hotplug_t)
dev_read_urand(hotplug_t)
fs_getattr_all_fs(hotplug_t)
+fs_search_auto_mountpoints(hotplug_t)
storage_setattr_fixed_disk(hotplug_t)
storage_setattr_removable_device(hotplug_t)
@@ -142,6 +143,10 @@ optional_policy(`mta.te', `
mta_send_mail(hotplug_t)
')
+optional_policy(`nis.te',`
+ nis_use_ypbind(hotplug_t)
+')
+
optional_policy(`selinux.te',`
seutil_newrole_sigchld(hotplug_t)
')
@@ -160,17 +165,13 @@ optional_policy(`updfstab.te', `
')
ifdef(`TODO',`
-allow hotplug_t autofs_t:dir { search getattr };
dontaudit hotplug_t sysadm_home_dir_t:dir search;
-optional_policy(`rhgb.te', `
- allow hotplug_t rhgb_t:process sigchld;
- allow hotplug_t rhgb_t:fd use;
- allow hotplug_t rhgb_t:fifo_file { read write };
+optional_policy(`rhgb.te',`
+rhgb_domain(hotplug_t)
')
allow kernel_t hotplug_etc_t:dir search;
-can_ypbind(hotplug_t)
dbusd_client(system, hotplug)
# for ps
@@ -181,7 +182,7 @@ optional_policy(`hald.te', `
allow hotplug_t hald_t:unix_dgram_socket sendto;
')
-# this goes to hald:
+# this block goes to hald:
optional_policy(`hotplug.te',`
allow hald_t hotplug_etc_t:dir search;
allow hald_t hotplug_etc_t:file { getattr read };
diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te
index 01f62e8..27e8af2 100644
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
@@ -46,6 +46,7 @@ kernel_use_fd(iptables_t)
dev_read_sysfs(iptables_t)
fs_getattr_xattr_fs(iptables_t)
+fs_search_auto_mountpoints(iptables_t)
term_dontaudit_use_console(iptables_t)
@@ -71,6 +72,13 @@ sysnet_domtrans_ifconfig(iptables_t)
userdom_use_all_user_fd(iptables_t)
+ifdef(`targeted_policy', `
+ term_dontaudit_use_unallocated_tty(iptables_t)
+ term_dontaudit_use_generic_pty(iptables_t)
+
+ files_dontaudit_read_root_file(iptables_t)
+')
+
tunable_policy(`use_dns',`
allow iptables_t self:udp_socket create_socket_perms;
@@ -89,6 +97,11 @@ optional_policy(`modutils.te', `
modutils_domtrans_insmod(iptables_t)
')
+optional_policy(`nis.te',`
+ # for iptables -L
+ nis_use_ypbind(iptables_t)
+')
+
optional_policy(`selinux.te',`
seutil_newrole_sigchld(iptables_t)
')
@@ -97,26 +110,11 @@ optional_policy(`udev.te', `
udev_read_db(iptables_t)
')
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_tty(iptables_t)
- term_dontaudit_use_generic_pty(iptables_t)
-
- files_dontaudit_read_root_file(iptables_t)
-')
-
ifdef(`TODO',`
-
-optional_policy(`rhgb.te', `
-allow iptables_t rhgb_t:process sigchld;
-allow iptables_t rhgb_t:fd use;
-allow iptables_t rhgb_t:fifo_file rw_file_perms;
+optional_policy(`rhgb.te',`
+rhgb_domain(iptables_t)
')
-allow iptables_t autofs_t:dir { search getattr };
-
-# for iptables -L
-can_ypbind(iptables_t)
-
optional_policy(`gnome-pty-helper.te',`
allow iptables_t sysadm_gph_t:fd use;
')
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index cc05181..433c4f7 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -71,6 +71,8 @@ dev_dontaudit_setattr_scanner(local_login_t)
# for SSP/ProPolice
dev_read_urand(local_login_t)
+fs_search_auto_mountpoints(local_login_t)
+
selinux_get_fs_mount(local_login_t)
selinux_validate_context(local_login_t)
selinux_compute_access_vector(local_login_t)
@@ -126,6 +128,13 @@ userdom_use_unpriv_users_fd(local_login_t)
# Search for mail spool file.
mta_getattr_spool(local_login_t)
+# Red Hat systems seem to have a stray
+# fd open from the initrd
+ifdef(`distro_redhat',`
+ kernel_dontaudit_use_fd(local_login_t)
+ files_dontaudit_read_root_file(local_login_t)
+')
+
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(local_login_t)
fs_read_nfs_symlinks(local_login_t)
@@ -136,20 +145,12 @@ tunable_policy(`use_samba_home_dirs',`
fs_read_cifs_symlinks(local_login_t)
')
-# Red Hat systems seem to have a stray
-# fd open from the initrd
-optional_policy(`distro_redhat',`
- kernel_dontaudit_use_fd(local_login_t)
- files_dontaudit_read_root_file(local_login_t)
+optional_policy(`nis.te',`
+ nis_use_ypbind(local_login_t)
')
ifdef(`TODO',`
-can_ypbind(local_login_t)
-ifdef(`automount.te', `
- allow local_login_t autofs_t:dir { search getattr };
-')
-
allow local_login_t bin_t:dir r_dir_perms;
allow local_login_t bin_t:notdevfile_class_set r_file_perms;
allow local_login_t sbin_t:dir r_dir_perms;
@@ -170,7 +171,6 @@ allow local_login_t var_t:lnk_file read;
dontaudit local_login_t sysfs_t:dir search;
-allow local_login_t autofs_t:dir r_dir_perms;
allow local_login_t mnt_t:dir r_dir_perms;
# FIXME: what is this for?
@@ -221,12 +221,14 @@ allow sulogin_t self:msg { send receive };
kernel_read_system_state(sulogin_t)
-init_get_script_process_group(sulogin_t)
+fs_search_auto_mountpoints(sulogin_t)
files_read_generic_etc_files(sulogin_t)
# because file systems are not mounted:
files_dontaudit_search_isid_type_dir(sulogin_t)
+init_get_script_process_group(sulogin_t)
+
libs_use_ld_so(sulogin_t)
libs_use_shared_libs(sulogin_t)
@@ -259,14 +261,11 @@ ifdef(`sulogin_no_pam', `
selinux_compute_user_contexts(sulogin_t)
')
-ifdef(`TODO',`
-
-allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
-
-can_ypbind(sulogin_t)
-ifdef(`automount.te', `
- allow sulogin_t autofs_t:dir { search getattr };
+optional_policy(`nis.te',`
+ nis_use_ypbind(sulogin_t)
')
+ifdef(`TODO',`
+allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
') dnl endif TODO
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 9dc0e2b..4838db1 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -63,6 +63,7 @@ kernel_read_kernel_sysctl(auditd_t)
dev_read_sysfs(auditd_t)
fs_getattr_all_fs(auditd_t)
+fs_search_auto_mountpoints(auditd_t)
term_dontaudit_use_console(auditd_t)
@@ -80,6 +81,8 @@ libs_use_shared_libs(auditd_t)
miscfiles_read_localization(auditd_t)
+userdom_dontaudit_use_unpriv_user_fd(auditd_t)
+
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(auditd_t)
term_dontaudit_use_generic_pty(auditd_t)
@@ -97,15 +100,13 @@ optional_policy(`udev.te', `
ifdef(`TODO',`
allow auditd_t proc_t:dir r_dir_perms;
allow auditd_t proc_t:lnk_file read;
-dontaudit auditd_t unpriv_userdomain:fd use;
-allow auditd_t autofs_t:dir { search getattr };
-dontaudit auditd_t sysadm_home_dir_t:dir search;
+
optional_policy(`rhgb.te', `
-allow auditd_t rhgb_t:process sigchld;
-allow auditd_t rhgb_t:fd use;
-allow auditd_t rhgb_t:fifo_file { read write };
+rhgb_domain(auditd_t)
')
+dontaudit auditd_t sysadm_home_dir_t:dir search;
+
# cjp: this is questionable:
allow auditd_t sysadm_tty_device_t:chr_file rw_file_perms;
') dnl endif TODO
@@ -192,6 +193,8 @@ kernel_read_kernel_sysctl(syslogd_t)
dev_create_dev_node(syslogd_t,devlog_t,sock_file)
dev_read_sysfs(syslogd_t)
+fs_search_auto_mountpoints(syslogd_t)
+
term_dontaudit_use_console(syslogd_t)
# Allow syslog to a terminal
term_write_unallocated_ttys(syslogd_t)
@@ -250,6 +253,14 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_file(syslogd_t)
')
+optional_policy(`cron.te',`
+ cron_rw_log(syslogd_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(syslogd_t)
+')
+
optional_policy(`selinux.te',`
seutil_newrole_sigchld(syslogd_t)
')
@@ -258,18 +269,11 @@ optional_policy(`udev.te', `
udev_read_db(syslogd_t)
')
-optional_policy(`cron.te',`
- cron_rw_log(syslogd_t)
-')
-
ifdef(`TODO',`
allow syslogd_t proc_t:lnk_file read;
-allow syslogd_t autofs_t:dir { search getattr };
dontaudit syslogd_t sysadm_home_dir_t:dir search;
optional_policy(`rhgb.te', `
- allow syslogd_t rhgb_t:process sigchld;
- allow syslogd_t rhgb_t:fd use;
- allow syslogd_t rhgb_t:fifo_file { read write };
+ rhgb_domain(syslogd_t)
')
tunable_policy(`direct_sysadm_daemon',`
dontaudit syslogd_t admin_tty_type:chr_file rw_file_perms;
@@ -280,9 +284,6 @@ ifdef(`distro_suse', `
file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
')
-# can_network is for the UDP socket
-can_ypbind(syslogd_t)
-
# log to the xconsole
allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index 8656956..0c9eeb9 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -101,6 +101,7 @@ dev_dontaudit_getattr_generic_pipe(lvm_t)
term_dontaudit_getattr_all_user_ttys(lvm_t)
fs_getattr_xattr_fs(lvm_t)
+fs_search_auto_mountpoints(lvm_t)
# LVM creates block devices in /dev/mapper or /dev/
# depending on its version
@@ -157,9 +158,6 @@ optional_policy(`udev.te', `
')
ifdef(`TODO',`
-
-allow lvm_t autofs_t:dir { search getattr };
-
allow lvm_t default_context_t:dir search;
allow lvm_t fixed_disk_device_t:blk_file { relabelfrom relabelto };
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index a7f4d16..acd8425 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -44,6 +44,7 @@ fs_mount_all_fs(mount_t)
fs_unmount_all_fs(mount_t)
fs_remount_all_fs(mount_t)
fs_relabelfrom_xattr_fs(mount_t)
+fs_search_auto_mountpoints(mount_t)
term_use_console(mount_t)
@@ -88,7 +89,6 @@ ifdef(`distro_redhat',`
optional_policy(`portmap.te', `
# for nfs
- #can_ypbind(mount_t)
#allow portmap_t mount_t:udp_socket { sendto recvfrom };
#allow mount_t portmap_t:udp_socket { sendto recvfrom };
#allow mount_t rpc_pipefs_t:dir search;
@@ -106,6 +106,10 @@ optional_policy(`portmap.te', `
corenet_udp_bind_generic_port(mount_t)
corenet_tcp_bind_reserved_port(mount_t)
corenet_udp_bind_reserved_port(mount_t)
+
+ optional_policy(`nis.te',`
+ nis_use_ypbind(mount_t)
+ ')
')
ifdef(`TODO',`
@@ -127,13 +131,7 @@ allow mount_t sysadm_gph_t:fd use;
')
optional_policy(`rhgb.te', `
-allow mount_t rhgb_t:process sigchld;
-allow mount_t rhgb_t:fd use;
-allow mount_t rhgb_t:fifo_file { read write };
-')
-
-optional_policy(`automount.te', `
-allow mount_t autofs_t:dir read;
+rhgb_domain(mount_t)
')
') dnl endif TODO
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 739518b..ff2423f 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -195,6 +195,7 @@ kernel_read_kernel_sysctl(newrole_t)
dev_read_urand(newrole_t)
fs_getattr_xattr_fs(newrole_t)
+fs_search_auto_mountpoints(newrole_t)
selinux_get_fs_mount(newrole_t)
selinux_validate_context(newrole_t)
@@ -234,13 +235,11 @@ if(secure_mode) {
userdom_spec_domtrans_all_users(newrole_t)
}
-ifdef(`TODO',`
-
-can_ypbind(newrole)
-ifdef(`automount.te', `
-allow newrole_t autofs_t:dir { search getattr };
+optional_policy(`nis.te',`
+ nis_use_ypbind(newrole_t)
')
+ifdef(`TODO',`
# for when the user types "exec newrole" at the command line
allow newrole_t privfd:process sigchld;
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index e4e1bd1..cbccdc3 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -105,6 +105,7 @@ dev_read_sysfs(dhcpc_t)
dev_read_urand(dhcpc_t)
fs_getattr_all_fs(dhcpc_t)
+fs_search_auto_mountpoints(dhcpc_t)
term_dontaudit_use_console(dhcpc_t)
term_dontaudit_use_all_user_ttys(dhcpc_t)
@@ -152,10 +153,23 @@ optional_policy(`hostname.te',`
hostname_domtrans(dhcpc_t)
')
+optional_policy(`nis.te',`
+ nis_use_ypbind(dhcpc_t)
+ # dhclient sometimes starts ypbind
+ init_exec_script(dhcpc_t)
+ #nis_domtrans_ypbind(dhcpc_t)
+')
+
optional_policy(`nscd.te',`
nscd_domtrans(dhcpc_t)
')
+optional_policy(`ntpd.te',`
+ # dhclient sometimes starts ntpd
+ init_exec_script(dhcpc_t)
+ ntpd_domtrans(dhcpc_t)
+')
+
optional_policy(`selinux.te',`
seutil_newrole_sigchld(dhcpc_t)
')
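Review bot: The nis.te block keeps `init_exec_script(dhcpc_t)` but leaves `#nis_domtrans_ypbind(dhcpc_t)` commented out, whereas the code removed in the next hunk had a live `ypbind_domtrans(dhcpc_t)`. As written, nothing in this hunk moves a ypbind started by dhclient into its own domain, so it would either be denied or keep running with dhcpc_t's permissions, depending on rules outside this diff. The ntpd.te block right below does keep `ntpd_domtrans(dhcpc_t)`, so the two cases are no longer parallel. I would mark the gap explicitly, for example `# TODO: enable once nis_domtrans_ypbind exists; ypbind started here gets no transition until then`.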
@@ -168,29 +182,13 @@ optional_policy(`userdomain.te',`
userdom_use_all_user_fd(dhcpc_t)
')
-#
-# dhclient sometimes starts ypbind and ntpd
-#
-init_exec_script(dhcpc_t)
-optional_policy(`ypbind.te',`
- ypbind_domtrans(dhcpc_t)
-')
-optional_policy(`ntpd.te',`
- ntpd_domtrans(dhcpc_t)
-')
-
ifdef(`TODO',`
-allow dhcpc_t autofs_t:dir { search getattr };
dontaudit dhcpc_t sysadm_home_dir_t:dir search;
-optional_policy(`rhgb.te', `
-allow dhcpc_t rhgb_t:process sigchld;
-allow dhcpc_t rhgb_t:fd use;
-allow dhcpc_t rhgb_t:fifo_file { read write };
+optional_policy(`rhgb.te',`
+rhgb_domain(dhcpc_t)
')
-can_ypbind(dhcpc_t)
-
ifdef(`cardmgr.te', `
domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
allow cardmgr_t dhcpc_var_run_t:file { getattr read };
@@ -208,15 +206,17 @@ logging_syslogd_transition(dhcpc_t)
')dnl end hotplug.te
# for the dhcp client to run ping to check IP addresses
-ifdef(`ping.te', `
-domain_auto_trans(dhcpc_t, ping_exec_t, ping_t)
-ifdef(`hotplug.te',`
-allow ping_t hotplug_t:fd use;
-') dnl end if hotplug
-ifdef(`cardmgr.te', `
-allow ping_t cardmgr_t:fd use;
-') dnl end if cardmgr
-') dnl end if ping
+optional_policy(`netutils.te',`
+ netutils_domtrans_ping(dhcpc_t)
+
+ optional_policy(`hotplug.te',`
+ allow ping_t hotplug_t:fd use;
+ ')
+
+ ifdef(`cardmgr.te',`
+ allow ping_t cardmgr_t:fd use;
+ ')
+')
ifdef(`distro_redhat', `
allow initrc_t dhcp_etc_t:file rw_file_perms;
@@ -266,6 +266,7 @@ kernel_dontaudit_search_sysctl_dir(ifconfig_t)
kernel_dontaudit_search_network_sysctl_dir(ifconfig_t)
fs_getattr_xattr_fs(ifconfig_t)
+fs_search_auto_mountpoints(ifconfig_t)
term_dontaudit_use_all_user_ttys(ifconfig_t)
term_dontaudit_use_all_user_ptys(ifconfig_t)
@@ -289,22 +290,18 @@ seutil_use_runinit_fd(ifconfig_t)
userdom_use_all_user_fd(ifconfig_t)
-ifdef(`TODO',`
-
-can_ypbind(ifconfig_t)
-ifdef(`automount.te', `
-allow ifconfig_t autofs_t:dir { search getattr };
+optional_policy(`nis.te',`
+ nis_use_ypbind(ifconfig_t)
')
-# Access terminals.
+ifdef(`TODO',`
+
ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
allow ifconfig_t tun_tap_device_t:chr_file { read write };
optional_policy(`rhgb.te', `
-allow ifconfig_t rhgb_t:process sigchld;
-allow ifconfig_t rhgb_t:fd use;
-allow ifconfig_t rhgb_t:fifo_file { read write };
+rhgb_domain(ifconfig_t)
')
') dnl endif TODO
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 86abffc..4a9c7d6 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -137,6 +137,7 @@ template(`base_user_domain',`
fs_get_all_fs_quotas($1_t)
fs_getattr_all_fs($1_t)
+ fs_search_auto_mountpoints($1_t)
# for eject
storage_getattr_fixed_disk($1_t)
@@ -204,6 +205,10 @@ template(`base_user_domain',`
term_getattr_all_user_ttys($1_t)
')
+ optional_policy(`nis.te',`
+ nis_use_ypbind($1_t)
+ ')
+
optional_policy(`usermanage.te',`
usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
@@ -251,8 +256,6 @@ template(`base_user_domain',`
r_dir_file($1_t, usercanread)
- can_ypbind($1_t)
-
tunable_policy(`allow_execmod',`
# Allow text relocations on system shared libraries, e.g. libGL.
allow $1_t texrel_shlib_t:file execmod;
@@ -271,8 +274,6 @@ template(`base_user_domain',`
dontaudit $1_t sysctl_t:dir_file_class_set getattr;
dontaudit $1_t proc_fs:dir { read search };
- allow $1_t autofs_t:dir { getattr search };
-
can_exec($1_t, { removable_t noexattrfile } )
tunable_policy(`user_rw_noexattrfile',`
@@ -299,8 +300,6 @@ template(`base_user_domain',`
can_resmgrd_connect($1_t)
- can_ypbind($1_t)
-
allow $1_t var_lock_t:dir search;
# Grant permissions to access the system DBus
@@ -385,10 +384,6 @@ template(`base_user_domain',`
allow $1_t apmd_var_run_t:sock_file write;
')
- ifdef(`automount.te', `
- allow $1_t autofs_t:dir { getattr search };
- ')
-
ifdef(`pamconsole.te', `
allow $1_t pam_var_console_t:dir search;
')
@@ -418,7 +413,7 @@ template(`user_domain_template', `
#typeattribute $1_home_dir_t user_home_dir_type;
#typeattribute $1_home_t user_home_type;
- #typeattribute $1_tmp_t, user_tmpfile;
+ typeattribute $1_tmp_t user_tmpfile;
#typeattribute $1_tty_device_t user_tty_type;
@@ -808,11 +803,11 @@ template(`admin_domain_template',`
')
########################################
-##
+##
## Execute a shell in all user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
-##
+##
##
## The type of the process performing this action.
##
@@ -826,11 +821,11 @@ interface(`userdom_spec_domtrans_all_users',`
')
########################################
-##
+##
## Execute a shell in all unprivileged user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
-##
+##
##
## The type of the process performing this action.
##
@@ -844,9 +839,9 @@ interface(`userdom_spec_domtrans_unpriv_users',`
')
########################################
-##
+##
## Execute a shell in the sysadm domain.
-##
+##
##
## The type of the process performing this action.
##
@@ -860,9 +855,9 @@ interface(`userdom_shell_domtrans_sysadm',`
')
########################################
-##
+##
## Read and write sysadm ttys.
-##
+##
##
## The type of the process performing this action.
##
@@ -879,9 +874,9 @@ interface(`userdom_use_sysadm_tty',`
')
########################################
-##
+##
## Read and write sysadm ttys and ptys.
-##
+##
##
## The type of the process performing this action.
##
@@ -898,9 +893,9 @@ interface(`userdom_use_sysadm_terms',`
')
########################################
-##
+##
## Do not audit attempts to use admin ttys and ptys.
-##
+##
##
## The type of the process performing this action.
##
@@ -915,9 +910,9 @@ interface(`userdom_dontaudit_use_sysadm_terms',`
')
########################################
-##
+##
## Search all users home directories.
-##
+##
##
## The type of the process performing this action.
##
@@ -933,9 +928,9 @@ interface(`userdom_search_all_users_home',`
')
########################################
-##
+##
## Read all files in all users home directories.
-##
+##
##
## The type of the process performing this action.
##
@@ -953,9 +948,26 @@ interface(`userdom_read_all_user_data',`
')
########################################
-##
+##
+## Write all unprivileged users files in /tmp
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`userdom_write_unpriv_user_tmp',`
+ gen_require(`
+ attribute user_tmpfile;
+ class file { getattr write append };
+ ')
+
+ allow $1 user_tmpfile:file { getattr write append };
+')
+
+########################################
+##
## Inherit the file descriptors from all user domains
-##
+##
##
## The type of the process performing this action.
##
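Review bot: The summary of the new userdom_write_unpriv_user_tmp says only "Write", but the rule `allow $1 user_tmpfile:file { getattr write append };` also grants getattr and append and grants nothing on directories, so a caller still needs search access to the tmp directory from elsewhere. The attribute it relies on is attached in user_domain_template by `typeattribute $1_tmp_t user_tmpfile;`, enabled earlier in this file; whether that template is also expanded for privileged roles is not visible here, and that decides whether "unprivileged" in the name holds. I would spell the scope out in the summary, for example `## Get attributes of, write and append to all unprivileged users files in /tmp (file permissions only, no directory search).`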
@@ -970,9 +982,9 @@ interface(`userdom_use_all_user_fd',`
')
########################################
-##
+##
## Send general signals to all user domains.
-##
+##
##
## The type of the process performing this action.
##
@@ -987,9 +999,9 @@ interface(`userdom_signal_all_users',`
')
########################################
-##
+##
## Send general signals to unprivileged user domains.
-##
+##
##
## The type of the process performing this action.
##
@@ -1004,9 +1016,9 @@ interface(`userdom_signal_unpriv_users',`
')
########################################
-##
-## Inherit the file descriptors from all user domains.
-##
+##
+## Inherit the file descriptors from unprivileged user domains.
+##
##
## The type of the process performing this action.
##
@@ -1021,10 +1033,10 @@ interface(`userdom_use_unpriv_users_fd',`
')
########################################
-##
+##
## Do not audit attempts to inherit the
## file descriptors from all user domains.
-##
+##
##
## The type of the process performing this action.
##
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 422261e..37e4b91 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -20,6 +20,9 @@ attribute home_type;
# a user in writing regular files)
attribute privhome;
+# all unprivileged users tmp files
+attribute user_tmpfile;
+
# all user domains
attribute userdomain;
@@ -107,6 +110,12 @@ optional_policy(`mount.te',`
mount_run(sysadm_t,sysadm_r,admin_terminal)
')
+optional_policy(`netutils.te',`
+ netutils_run(sysadm_t,sysadm_r,admin_terminal)
+ netutils_run_ping(sysadm_t,sysadm_r,admin_terminal)
+ netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
+')
+
optional_policy(`rpm.te',`
rpm_run(sysadm_t,sysadm_r,admin_terminal)
')