diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index fad69bb..c1ff4e9 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -93,7 +93,7 @@ optional_policy(`xdm.te', `
allow consoletype_t xdm_tmp_t:file rw_file_perms;
')
-# is goes to xserver module
+# this goes to xdm module
optional_policy(`consoletype.te',`
consoletype_domtrans(xdm_t)
')
diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te
index b9b7da1..409a6c9 100644
--- a/refpolicy/policy/modules/admin/dmesg.te
+++ b/refpolicy/policy/modules/admin/dmesg.te
@@ -25,6 +25,8 @@ kernel_read_kernel_sysctl(dmesg_t)
kernel_read_ring_buffer(dmesg_t)
kernel_clear_ring_buffer(dmesg_t)
kernel_change_ring_buffer_level(dmesg_t)
+kernel_list_proc(dmesg_t)
+kernel_read_proc_symlinks(dmesg_t)
dev_read_sysfs(dmesg_t)
@@ -67,9 +69,6 @@ optional_policy(`udev.te', `
')
ifdef(`TODO',`
-allow dmesg_t proc_t:dir r_dir_perms;
-allow dmesg_t proc_t:lnk_file read;
-
optional_policy(`rhgb.te',`
rhgb_domain(dmesg_t)
')
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
index d2fbe05..fd6c32e 100644
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -140,11 +140,11 @@ allow logrotate_t domain:dir r_dir_perms;
allow logrotate_t exec_type:file getattr;
#this should go to squid:
-ifdef(`squid.te', `
-allow squid_t { system_crond_t crond_t }:fd use;
-allow squid_t crond_t:fifo_file { read write };
-allow squid_t system_crond_t:fifo_file write;
-allow squid_t self:capability kill;
+optional_policy(`logrotate.te', `
+ allow squid_t { system_crond_t crond_t }:fd use;
+ allow squid_t crond_t:fifo_file { read write };
+ allow squid_t system_crond_t:fifo_file write;
+ allow squid_t self:capability kill;
')
# for /var/lib/logrotate.status and /var/lib/logcheck
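Review bot: Switching the guard from squid.te to logrotate.te means the rules at L46–L49 are no longer conditional on the squid module being present, so squid_t is referenced whenever logrotate itself is built; if this block is not inside an ifdef TODO section, a build without squid fails on the undefined type. The comment above the block already says these rules belong in squid.te, and the new wrapper only makes sense there (squid.te guarding on logrotate.te), not in logrotate.te guarding on itself. Until the move happens, keep the condition on squid.te or leave the block in the TODO section, and note that `allow squid_t self:capability kill;` is a grant for another module's domain that this module does not own. The enclosing section starts before the hunk.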
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index a0d80e3..857ea94 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -41,6 +41,8 @@ allow netutils_t netutils_tmp_t:dir create_dir_perms;
allow netutils_t netutils_tmp_t:file create_file_perms;
files_create_tmp_files(netutils_t, netutils_tmp_t, { file dir })
+kernel_search_proc(netutils_t)
+
corenet_tcp_sendrecv_all_if(netutils_t)
corenet_raw_sendrecv_all_if(netutils_t)
corenet_udp_sendrecv_all_if(netutils_t)
@@ -77,10 +79,7 @@ optional_policy(`nis.te',`
')
ifdef(`TODO',`
-
ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;')
-allow netutils_t proc_t:dir search;
-
') dnl end TODO
########################################
diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if
index bbe16ed..e03b3b8 100644
--- a/refpolicy/policy/modules/admin/rpm.if
+++ b/refpolicy/policy/modules/admin/rpm.if
@@ -71,7 +71,7 @@ interface(`rpm_use_fd',`
########################################
##
-## Read from a RPM pipe.
+## Read from an unnamed RPM pipe.
##
##
## The type of the process performing this action.
@@ -88,6 +88,41 @@ interface(`rpm_read_pipe',`
########################################
##
+## Read and write an unnamed RPM pipe.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`rpm_rw_pipe',`
+ gen_require(`
+ type rpm_t;
+ class fifo_file rw_file_perms;
+ ')
+
+ allow $1 rpm_t:fifo_file rw_file_perms;
+')
+
+########################################
+##
+## Create, read, write, and delete the RPM log.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`rpm_manage_log',`
+ gen_require(`
+ type rpm_log_t;
+ class file create_file_perms;
+ ')
+
+ logging_rw_log_dir($1)
+ allow $1 rpm_log_t:file create_file_perms;
+')
+
+########################################
+##
## Read the RPM package database.
##
##
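Review bot: The summary of rpm_manage_log says it manages the RPM log, but the body also calls `logging_rw_log_dir($1)`, which gives the caller read/write on the generic log directory, not just on rpm_log_t files. Readers choosing between interfaces should see that wider grant in the description; add a line such as `## This also grants read and write access on the log directory so the log file can be created.` under the summary. rpm_rw_pipe's description matches its body.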
@@ -117,7 +152,7 @@ interface(`rpm_read_db',`
#
interface(`rpm_manage_db',`
gen_require(`
- type rpm_var_lib_t_t;
+ type rpm_var_lib_t;
class dir rw_dir_perms;
class lnk_file { getattr read write unlink };
class file { getattr create read write append unlink };
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index 4bfb49b..6aa503c 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -96,13 +96,6 @@ allow rpm_t rpm_var_lib_t:dir rw_dir_perms;
kernel_read_system_state(rpm_t)
kernel_read_kernel_sysctl(rpm_t)
-selinux_get_fs_mount(rpm_t)
-selinux_validate_context(rpm_t)
-selinux_compute_access_vector(rpm_t)
-selinux_compute_create_context(rpm_t)
-selinux_compute_relabel_context(rpm_t)
-selinux_compute_user_contexts(rpm_t)
-
corenet_tcp_sendrecv_all_if(rpm_t)
corenet_raw_sendrecv_all_if(rpm_t)
corenet_udp_sendrecv_all_if(rpm_t)
@@ -114,6 +107,8 @@ corenet_udp_sendrecv_all_ports(rpm_t)
corenet_tcp_bind_all_nodes(rpm_t)
corenet_udp_bind_all_nodes(rpm_t)
+dev_list_sysfs(rpm_t)
+dev_list_usbfs(rpm_t)
dev_read_urand(rpm_t)
#devices_manage_all_device_types(rpm_t)
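Review bot: `dev_list_usbfs(rpm_t)` is called here but only dev_list_sysfs is added to devices.if in this commit (hunk ending at L352 of this page); if dev_list_usbfs does not already exist there, m4 leaves the name unexpanded and the policy compile fails. Please confirm the interface is defined, or add it alongside dev_list_sysfs with the same shape so the replaced TODO rule `allow rpm_t usbdevfs_t:dir r_dir_perms;` keeps a home.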
@@ -123,6 +118,13 @@ fs_manage_nfs_symlinks(rpm_t)
fs_getattr_all_fs(rpm_t)
fs_search_auto_mountpoints(rpm_t)
+selinux_get_fs_mount(rpm_t)
+selinux_validate_context(rpm_t)
+selinux_compute_access_vector(rpm_t)
+selinux_compute_create_context(rpm_t)
+selinux_compute_relabel_context(rpm_t)
+selinux_compute_user_contexts(rpm_t)
+
storage_raw_write_fixed_disk(rpm_t)
# for installing kernel packages
storage_raw_read_fixed_disk(rpm_t)
@@ -189,19 +191,11 @@ allow rpm_t fs_type:dir { setattr rw_dir_perms };
allow rpm_t mount_t:tcp_socket write;
-allow rpm_t sysfs_t:dir r_dir_perms;
-allow rpm_t usbdevfs_t:dir r_dir_perms;
-
allow rpm_t rpc_pipefs_t:dir search;
optional_policy(`gnome-pty-helper.te', `
allow rpm_t sysadm_gph_t:fd use;
')
-
-# for kernel package installation
-optional_policy(`mount.te', `
-allow mount_t rpm_t:fifo_file rw_file_perms;
-')
') dnl endif TODO
########################################
@@ -237,14 +231,10 @@ allow rpm_script_t rpm_script_tmpfs_t:fifo_file create_file_perms;
fs_create_tmpfs_data(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
kernel_read_kernel_sysctl(rpm_script_t)
-selinux_get_fs_mount(rpm_script_t)
-selinux_validate_context(rpm_script_t)
-selinux_compute_access_vector(rpm_script_t)
-selinux_compute_create_context(rpm_script_t)
-selinux_compute_relabel_context(rpm_script_t)
-selinux_compute_user_contexts(rpm_script_t)
kernel_read_system_state(rpm_script_t)
+dev_list_sysfs(rpm_script_t)
+
# ideally we would not need this
dev_manage_generic_blk_file(rpm_script_t)
dev_manage_generic_chr_file(rpm_script_t)
@@ -259,6 +249,13 @@ fs_mount_xattr_fs(rpm_script_t)
fs_unmount_xattr_fs(rpm_script_t)
fs_search_auto_mountpoints(rpm_script_t)
+selinux_get_fs_mount(rpm_script_t)
+selinux_validate_context(rpm_script_t)
+selinux_compute_access_vector(rpm_script_t)
+selinux_compute_create_context(rpm_script_t)
+selinux_compute_relabel_context(rpm_script_t)
+selinux_compute_user_contexts(rpm_script_t)
+
storage_raw_read_fixed_disk(rpm_script_t)
storage_raw_write_fixed_disk(rpm_script_t)
@@ -302,7 +299,14 @@ seutil_domtrans_restorecon(rpm_script_t)
userdom_use_all_user_fd(rpm_script_t)
-optional_policy(`bootloader.te', `
+# this should be tunable_policy, but
+# typeattribute does not work in conditionals
+ifdef(`unlimitedRPM',`
+ unconfined_domain_template(rpm_t)
+ unconfined_domain_template(rpm_script_t)
+')
+
+optional_policy(`bootloader.te',`
bootloader_domtrans(rpm_script_t)
')
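Review bot: The unlimitedRPM comment explains the m4 mechanics but not the effect: with this define, rpm_t and rpm_script_t become unconfined domains, so every package scriptlet runs without SELinux constraints, which is the property a deployer needs to know before enabling it. Suggest extending the comment with `# WARNING: unlimitedRPM makes rpm_t and rpm_script_t unconfined; package scripts then bypass all type enforcement.` The block this replaces (removed at L280–L285 on this page) also set `typeattribute rpm_t auth_write;` and the same for rpm_script_t; there is no visible replacement, so confirm that unconfined_domain_template covers it or that dropping it is intended.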
@@ -310,14 +314,15 @@ optional_policy(`nis.te',`
nis_use_ypbind(rpm_script_t)
')
-ifdef(`TODO',`
-
-allow rpm_script_t sysfs_t:dir r_dir_perms;
+optional_policy(`usermanage.te',`
+ usermanage_domtrans_groupadd(rpm_script_t)
+ usermanage_domtrans_useradd(rpm_script_t)
+')
+ifdef(`TODO',`
optional_policy(`lpd.te', `
can_exec(rpm_script_t,printconf_t)
')
-
') dnl end TODO
########################################
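Review bot: The TODO block this replaces (removed at L257–L263 on this page) also carried `role system_r types { useradd_t groupadd_t };`; if usermanage_domtrans_useradd and usermanage_domtrans_groupadd do not include that role authorization, the transition from rpm_script_t running in system_r is denied by the role check. Please confirm the interfaces handle the role, or add the role statement here. Style: a blank line before the `ifdef(` at L238 would match the spacing used between the other blocks in this file.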
@@ -340,10 +345,6 @@ seutil_read_src_pol(rpmbuild_t)
ifdef(`TODO',`
-allow userdomain var_lib_t:dir { getattr search };
-
-allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
-
optional_policy(`cups.te', `
allow cupsd_t rpm_var_lib_t:dir r_dir_perms;
allow cupsd_t rpm_var_lib_t:file r_file_perms;
@@ -356,32 +357,14 @@ optional_policy(`ssh-agent.te', `
domain_auto_trans(rpm_script_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
')
-optional_policy(`useradd.te', `
-domain_auto_trans(rpm_script_t, useradd_exec_t, useradd_t)
-domain_auto_trans(rpm_script_t, groupadd_exec_t, groupadd_t)
-role system_r types { useradd_t groupadd_t };
-allow { useradd_t groupadd_t } rpm_t:fd use;
-allow { useradd_t groupadd_t } rpm_t:fifo_file { read write };
-')
-
-optional_policy(`bootloader.te',`
-allow bootloader_t rpm_t:fifo_file rw_file_perms;
-')
-
optional_policy(`prelink.te', `
domain_auto_trans(rpm_t, prelink_exec_t, prelink_t)
')
ifdef(`hide_broken_symptoms', `
-optional_policy(`pamconsole.te', `
-domain_trans(rpm_t, pam_console_exec_t, rpm_script_t)
-')
+ optional_policy(`pamconsole.te', `
+ domain_trans(rpm_t, pam_console_exec_t, rpm_script_t)
+ ')
')
-ifdef(`unlimitedRPM', `
-typeattribute rpm_t auth_write;
-unconfined_domain(rpm_t)
-typeattribute rpm_script_t auth_write;
-unconfined_domain(rpm_script_t)
-')
') dnl end TODO
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index b54f634..56fc933 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -252,6 +252,11 @@ optional_policy(`nis.te',`
nis_use_ypbind(groupadd_t)
')
+optional_policy(`rpm.te',`
+ rpm_use_fd(groupadd_t)
+ rpm_rw_pipe(groupadd_t)
+')
+
ifdef(`TODO',`
# Update /etc/shadow and /etc/passwd
@@ -518,6 +523,11 @@ optional_policy(`nis.te',`
nis_use_ypbind(useradd_t)
')
+optional_policy(`rpm.te',`
+ rpm_use_fd(useradd_t)
+ rpm_rw_pipe(useradd_t)
+')
+
ifdef(`TODO',`
# Update /etc/shadow and /etc/passwd
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index 84eefe8..1579c5f 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -193,6 +193,10 @@ optional_policy(`modutils.te',`
modutils_exec_update_mods(bootloader_t)
')
+optional_policy(`rpm.te',`
+ rpm_rw_pipe(bootloader_t)
+')
+
ifdef(`TODO',`
dontaudit bootloader_t selinux_config_t:dir search;
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 0f9f13a..44edee7 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -1872,7 +1872,7 @@ interface(`dev_getattr_sysfs_dir',`
########################################
##
-## Search sysfs.
+## Search the sysfs directories.
##
##
## The type of the process performing this action.
@@ -1906,6 +1906,23 @@ interface(`dev_dontaudit_search_sysfs',`
########################################
##
+## List the contents of the sysfs directories.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`dev_list_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ class dir r_dir_perms;
+ ')
+
+ allow $1 sysfs_t:dir r_dir_perms;
+')
+
+########################################
+##
## Allow caller to read hardware state information.
##
##
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index d128f10..b8351d4 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -118,8 +118,12 @@ miscfiles_read_localization(crond_t)
userdom_use_unpriv_users_fd(crond_t)
-tunable_policy(`fcron_crond', `
- allow crond_t system_cron_spool_t:file create_file_perms;
+ifdef(`distro_redhat', `
+ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+ # via redirection of standard out.
+ optional_policy(`rpm.te', `
+ rpm_manage_log(crond_t)
+ ')
')
ifdef(`targeted_policy', `
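Review bot: The comment says "Run the rpm program in the rpm_t domain", but the block only grants rpm_manage_log(crond_t); the removed TODO block (L410–L419 on this page) also had `system_crond_entry(rpm_exec_t, rpm_t)`, and no equivalent transition is re-added here or in the system_crond_t block (hunk ending at L434, same comment). Either restore the transition via the appropriate rpm interface, or reword both comments to what the code does, e.g. `# Allow creation of RPM log files via redirection of standard out.` Whether the transition is provided elsewhere (e.g. in rpm.te) is not visible from this diff.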
@@ -128,11 +132,15 @@ ifdef(`targeted_policy', `
files_dontaudit_read_root_file(crond_t)
')
+tunable_policy(`fcron_crond', `
+ allow crond_t system_cron_spool_t:file create_file_perms;
+')
+
optional_policy(`nis.te',`
nis_use_ypbind(crond_t)
')
-optional_policy(`crond.te',`
+optional_policy(`rpm.te',`
# Commonly used from postinst scripts
rpm_read_pipe(crond_t)
')
@@ -145,18 +153,12 @@ ifdef(`TODO',`
# NB The constraints file has some entries for crond_t, this makes it
# different from all other domains...
-dontaudit crond_t sysadm_home_dir_t:dir search;
-
optional_policy(`rhgb.te', `
rhgb_domain(crond_t)
')
# Read from /var/spool/cron.
allow crond_t var_lib_t:dir search;
-allow crond_t mail_spool_t:dir search;
-# for if /var/mail is a symlink
-allow crond_t mail_spool_t:lnk_file read;
-
allow crond_t default_t:dir search;
# crond tries to search /root. Not sure why.
@@ -164,17 +166,6 @@ allow crond_t sysadm_home_dir_t:dir r_dir_perms;
# to search /home
allow crond_t user_home_dir_type:dir r_dir_perms;
-
-ifdef(`distro_redhat', `
-# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
-# via redirection of standard out.
-ifdef(`rpm.te', `
-allow crond_t rpm_log_t: file create_file_perms;
-
-system_crond_entry(rpm_exec_t, rpm_t)
-allow system_crond_t rpm_log_t:file create_file_perms;
-')
-')
') dnl endif TODO
########################################
@@ -294,6 +285,14 @@ miscfiles_rw_man_cache(system_crond_t)
seutil_read_config(system_crond_t)
+ifdef(`distro_redhat', `
+ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+ # via redirection of standard out.
+ optional_policy(`rpm.te', `
+ rpm_manage_log(system_crond_t)
+ ')
+')
+
tunable_policy(`cron_can_relabel',`
seutil_domtrans_setfiles(system_crond_t)
',`
@@ -345,12 +344,6 @@ ifdef(`apache.te', `
allow system_crond_t httpd_log_t:file r_file_perms;
')
-ifdef(`distro_redhat', `
-optional_policy(`rpm.te', `
-allow system_crond_t rpm_log_t:file create_file_perms;
-')
-')
-
ifdef(`mta.te', `
mta_send_mail_transition(system_crond_t)
diff --git a/refpolicy/policy/modules/services/inetd.if b/refpolicy/policy/modules/services/inetd.if
index 18cfd35..732db79 100644
--- a/refpolicy/policy/modules/services/inetd.if
+++ b/refpolicy/policy/modules/services/inetd.if
@@ -1,5 +1,6 @@
## Internet services daemon.
+########################################
##
## Define the specified domain as a inetd service.
##
@@ -16,8 +17,8 @@
##
## The type associated with the process program.
##
+#
interface(`inetd_core_service_domain',`
-
gen_require(`
type inetd_t;
role system_r;
@@ -41,6 +42,7 @@ interface(`inetd_core_service_domain',`
allow inetd_t $1:process sigkill;
')
+########################################
##
## Define the specified domain as a TCP inetd service.
##
@@ -50,6 +52,7 @@ interface(`inetd_core_service_domain',`
##
## The type associated with the process program.
##
+#
interface(`inetd_tcp_service_domain',`
gen_require(`
@@ -62,6 +65,7 @@ interface(`inetd_tcp_service_domain',`
allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
')
+########################################
##
## Define the specified domain as a UDP inetd service.
##
@@ -71,8 +75,8 @@ interface(`inetd_tcp_service_domain',`
##
## The type associated with the process program.
##
+#
interface(`inetd_udp_service_domain',`
-
gen_require(`
type inetd_t;
class udp_socket rw_socket_perms;
@@ -83,6 +87,7 @@ interface(`inetd_udp_service_domain',`
allow $1 inetd_t:udp_socket rw_socket_perms;
')
+########################################
##
## Define the specified domain as a TCP and UDP inetd service.
##
@@ -92,6 +97,7 @@ interface(`inetd_udp_service_domain',`
##
## The type associated with the process program.
##
+#
interface(`inetd_service_domain',`
gen_require(`
type inetd_t;
@@ -104,3 +110,24 @@ interface(`inetd_service_domain',`
allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
allow $1 inetd_t:udp_socket rw_socket_perms;
')
+
+########################################
+##
+## Connect to the inetd service using a TCP connection.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`inetd_tcp_connectto',`
+ gen_require(`
+ type inetd_t;
+ class tcp_socket { connectto acceptfrom recvfrom };
+ ')
+
+ allow $1 inetd_t:tcp_socket { connectto recvfrom };
+ allow inetd_t $1:tcp_socket { acceptfrom recvfrom };
+
+ #allow inetd_t kernel_t:tcp_socket recvfrom;
+ #allow $1 kernel_t:tcp_socket recvfrom;
+')
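Review bot: The new inetd_tcp_connectto interface ends with two commented-out kernel_t rules (L534–L535); disabled rules inside an interface are dead code that every caller inherits as confusion, so either delete them or replace them with a one-line comment saying why kernel_t recvfrom was considered and not granted. No caller of inetd_tcp_connectto appears in this diff; it presumably replaces the `can_tcp_connect(userdomain, inetd_t)` removed from inetd.te (L575 on this page), which is worth stating in the interface description since it defines who is expected to connect.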
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index 791d7e3..28691d7 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -53,6 +53,8 @@ allow inetd_t inetd_var_run_t:file create_file_perms;
files_create_pid(inetd_t,inetd_var_run_t)
kernel_read_kernel_sysctl(inetd_t)
+kernel_list_proc(inetd_t)
+kernel_read_proc_symlinks(inetd_t)
# networking:
corenet_tcp_sendrecv_all_if(inetd_t)
@@ -109,6 +111,7 @@ miscfiles_read_localization(inetd_t)
sysnet_read_config(inetd_t)
userdom_dontaudit_use_unpriv_user_fd(inetd_t)
+userdom_dontaudit_search_sysadm_home_dir(inetd_t)
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(inetd_t)
@@ -128,19 +131,24 @@ optional_policy(`udev.te', `
udev_read_db(inetd_t)
')
+optional_policy(`unconfined.te', `
+ unconfined_domtrans(inetd_t)
+')
+
+# This should be tunable_policy, but leaving
+# ifdef until typeattribute works in conditionals
+ifdef(`unlimitedInetd', `
+ unconfined_domain_template(inetd_t)
+')
+
ifdef(`TODO',`
-allow inetd_t proc_t:dir r_dir_perms;
-allow inetd_t proc_t:lnk_file read;
-dontaudit inetd_t sysadm_home_dir_t:dir search;
optional_policy(`rhgb.te',`
rhgb_domain(inetd_t)
')
-# allow any domain to connect to inetd
-can_tcp_connect(userdomain, inetd_t)
-
# Bind to the telnet, ftp, rlogin and rsh ports.
+# cjp: these ports currently dont exist in the NSA example
ifdef(`talk.te', `
allow inetd_t talk_port_t:tcp_socket name_bind;
allow inetd_t ntalk_port_t:tcp_socket name_bind;
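Review bot: `unconfined_domtrans(inetd_t)` at L558 is now active whenever the unconfined module is built, and it has no comment: letting a network-facing daemon execute into unconfined_t is the largest trust-boundary decision in this file and should say which services require it, e.g. `# inetd launches some services unconfined; see <service list> — TODO confirm`. The unlimitedInetd block at L563–L565 has the same gap; its comment covers the m4 limitation but not that inetd itself becomes unconfined when the define is set. Both were previously inside the TODO section, so this is the first time they are live policy.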
@@ -148,15 +156,6 @@ allow inetd_t ntalk_port_t:tcp_socket name_bind;
# Communicate with the portmapper.
ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
-
-ifdef(`unconfined.te', `
-domain_auto_trans(inetd_t, unconfined_exec_t, unconfined_t)
-')
-
-ifdef(`unlimitedInetd', `
-unconfined_domain(inetd_t)
-')
-
') dnl TODO
########################################
@@ -173,7 +172,7 @@ allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow inetd_child_t self:capability { setuid setgid };
allow inetd_child_t self:dir search;
allow inetd_child_t self:{ lnk_file file } { getattr read };
-#allow inetd_child_t home_root_t:dir search;
+files_search_home(inetd_child_t)
allow inetd_child_t inetd_child_tmp_t:dir create_dir_perms;
allow inetd_child_t inetd_child_tmp_t:file create_file_perms;
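Review bot: `files_search_home(inetd_child_t)` at L601 enables a rule that was previously commented out rather than in the TODO section, so a deliberately disabled grant becomes live without any note. If the access is needed, a short why-comment on the line (which inetd children need to search the home root) would keep that intent visible; otherwise leave the line disabled.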
diff --git a/refpolicy/policy/modules/services/kerberos.te b/refpolicy/policy/modules/services/kerberos.te
index fcbb15b..da1ded3 100644
--- a/refpolicy/policy/modules/services/kerberos.te
+++ b/refpolicy/policy/modules/services/kerberos.te
@@ -81,6 +81,8 @@ allow kadmind_t kadmind_var_run_t:file { getattr create read write append setatt
files_create_pid(kadmind_t,kadmind_var_run_t)
kernel_read_kernel_sysctl(kadmind_t)
+kernel_list_proc(kadmind_t)
+kernel_read_proc_symlinks(kadmind_t)
corenet_tcp_sendrecv_all_if(kadmind_t)
corenet_raw_sendrecv_all_if(kadmind_t)
@@ -119,6 +121,7 @@ miscfiles_read_localization(kadmind_t)
sysnet_read_config(kadmind_t)
userdom_dontaudit_use_unpriv_user_fd(kadmind_t)
+userdom_dontaudit_search_sysadm_home_dir(kadmind_t)
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(kadmind_t)
@@ -142,9 +145,6 @@ ifdef(`TODO',`
optional_policy(`rhgb.te',`
rhgb_domain(kadmind_t)
')
-allow kadmind_t proc_t:dir r_dir_perms;
-allow kadmind_t proc_t:lnk_file read;
-dontaudit kadmind_t sysadm_home_dir_t:dir search;
# cjp: not sure, but I think this has no effect
can_tcp_connect(kerberos_admin_port_t, kadmind_t)
@@ -185,6 +185,8 @@ files_create_pid(krb5kdc_t,krb5kdc_var_run_t)
kernel_read_system_state(krb5kdc_t)
kernel_read_kernel_sysctl(krb5kdc_t)
+kernel_list_proc(krb5kdc_t)
+kernel_read_proc_symlinks(krb5kdc_t)
corenet_tcp_sendrecv_all_if(krb5kdc_t)
corenet_raw_sendrecv_all_if(krb5kdc_t)
@@ -220,6 +222,7 @@ miscfiles_read_localization(krb5kdc_t)
sysnet_read_config(krb5kdc_t)
userdom_dontaudit_use_unpriv_user_fd(krb5kdc_t)
+userdom_dontaudit_search_sysadm_home_dir(krb5kdc_t)
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(krb5kdc_t)
@@ -240,10 +243,6 @@ optional_policy(`udev.te', `
')
ifdef(`TODO',`
-allow krb5kdc_t proc_t:dir r_dir_perms;
-allow krb5kdc_t proc_t:lnk_file read;
-dontaudit krb5kdc_t sysadm_home_dir_t:dir search;
-
optional_policy(`rhgb.te',`
rhgb_domain(krb5kdc_t)
')
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 9a692dd..665b6b8 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -53,8 +53,10 @@ template(`mta_per_userdomain_template',`
libs_use_shared_libs($1_mail_t)
corecmd_exec_bin($1_mail_t)
+ corecmd_search_sbin($1_mail_t)
files_read_etc_files($1_mail_t)
+ files_search_spool($1_mail_t)
logging_send_syslog_msg($1_mail_t)
@@ -70,6 +72,11 @@ template(`mta_per_userdomain_template',`
corenet_udp_sendrecv_dns_port($1_mail_t)
')
+ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files($1_mail_t)
+ fs_manage_cifs_symlinks($1_mail_t)
+ ')
+
optional_policy(`nis.te',`
nis_use_ypbind($1_mail_t)
')
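Review bot: `fs_manage_cifs_files($1_mail_t)` and `fs_manage_cifs_symlinks($1_mail_t)` replace `rw_dir_create_file($1_mail_t, cifs_t)` (removed at L694–L696 on this page); "manage" interfaces are presumably broader than the old rule, adding symlink handling and likely delete/rename on CIFS-backed home content for every user's mail domain. Please confirm the widening is intended for writing dead.letter, or use the narrowest existing cifs interface that covers creating a file in the home directory. The template starts before this hunk.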
@@ -80,8 +87,6 @@ template(`mta_per_userdomain_template',`
ifdef(`TODO',`
allow $1_mail_t device_t:dir search;
- allow $1_mail_t { var_t var_spool_t }:dir search;
- allow $1_mail_t sbin_t:dir search;
# It wants to check for nscd
dontaudit $1_mail_t var_run_t:dir search;
@@ -92,7 +97,7 @@ template(`mta_per_userdomain_template',`
# Read user temporary files.
allow $1_mail_t $1_tmp_t:file r_file_perms;
dontaudit $1_mail_t $1_tmp_t:file append;
- ifdef(`postfix.te', `
+ ifdef(`postfix.te',`
# postfix seems to need write access if the file handle is opened read/write
allow $1_mail_t $1_tmp_t:file write;
')
@@ -114,10 +119,6 @@ template(`mta_per_userdomain_template',`
# Create dead.letter in user home directories.
file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
- tunable_policy(`use_samba_home_dirs',`
- rw_dir_create_file($1_mail_t, cifs_t)
- ')
-
# if you do not want to allow dead.letter then use the following instead
#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
#allow $1_mail_t $1_home_t:file r_file_perms;
@@ -292,11 +293,13 @@ interface(`mta_rw_spool',`
gen_require(`
type mail_spool_t;
class dir r_dir_perms;
+ class lnk_file { getattr read };
class file { rw_file_perms setattr };
')
files_search_spool($1)
allow $1 mail_spool_t:dir r_dir_perms;
+ allow $1 mail_spool_t:lnk_file { getattr read };
allow $1 mail_spool_t:file { rw_file_perms setattr };
')
@@ -308,11 +311,13 @@ interface(`mta_manage_spool',`
gen_require(`
type mail_spool_t;
class dir rw_dir_perms;
+ class lnk_file { getattr read };
class file create_file_perms;
')
files_search_spool($1)
allow $1 mail_spool_t:dir rw_dir_perms;
+ allow $1 mail_spool_t:lnk_file { getattr read };
allow $1 mail_spool_t:file create_file_perms;
')
@@ -327,7 +332,7 @@ interface(`mta_manage_queue',`
class file create_file_perms;
')
- # FIXME: search /var/spool dir
+ files_search_spool($1)
allow $1 mqueue_spool_t:dir rw_dir_perms;
allow $1 mqueue_spool_t:file create_file_perms;
')
diff --git a/refpolicy/policy/modules/services/nis.te b/refpolicy/policy/modules/services/nis.te
index c2cda1f..808e081 100644
--- a/refpolicy/policy/modules/services/nis.te
+++ b/refpolicy/policy/modules/services/nis.te
@@ -56,6 +56,8 @@ allow ypbind_t var_yp_t:dir rw_dir_perms;
allow ypbind_t var_yp_t:file create_file_perms;
kernel_read_kernel_sysctl(ypbind_t)
+kernel_list_proc(ypbind_t)
+kernel_read_proc_symlinks(ypbind_t)
corenet_tcp_sendrecv_all_if(ypbind_t)
corenet_udp_sendrecv_all_if(ypbind_t)
@@ -99,6 +101,7 @@ miscfiles_read_localization(ypbind_t)
sysnet_read_config(ypbind_t)
userdom_dontaudit_use_unpriv_user_fd(ypbind_t)
+userdom_dontaudit_search_sysadm_home_dir(ypbind_t)
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(ypbind_t)
@@ -119,17 +122,11 @@ optional_policy(`udev.te', `
')
ifdef(`TODO',`
-allow ypbind_t proc_t:dir r_dir_perms;
-allow ypbind_t proc_t:lnk_file read;
-
-dontaudit ypbind_t sysadm_home_dir_t:dir search;
-
can_udp_send(ypbind_t, portmap_t)
optional_policy(`rhgb.te', `
rhgb_domain(ypbind_t)
')
-
') dnl end TODO
########################################
@@ -157,6 +154,8 @@ allow ypserv_t ypserv_var_run_t:file { getattr create read write append setattr
files_create_pid(ypserv_t,ypserv_var_run_t)
kernel_read_kernel_sysctl(ypserv_t)
+kernel_list_proc(ypserv_t)
+kernel_read_proc_symlinks(ypserv_t)
corenet_tcp_sendrecv_all_if(ypserv_t)
corenet_raw_sendrecv_all_if(ypserv_t)
@@ -192,6 +191,7 @@ miscfiles_read_localization(ypserv_t)
sysnet_read_config(ypserv_t)
userdom_dontaudit_use_unpriv_user_fd(ypserv_t)
+userdom_dontaudit_search_sysadm_home_dir(ypserv_t)
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(ypserv_t)
@@ -212,11 +212,6 @@ optional_policy(`rhgb.te', `
rhgb_domain(ypserv_t)
')
-allow ypserv_t proc_t:dir r_dir_perms;
-allow ypserv_t proc_t:lnk_file read;
-
-dontaudit ypserv_t sysadm_home_dir_t:dir search;
-
# Send to portmap and initrc.
can_udp_send(ypserv_t, portmap_t)
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index d1c4d85..e1c65e1 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -50,6 +50,9 @@ selinux_compute_create_context(remote_login_t)
selinux_compute_relabel_context(remote_login_t)
selinux_compute_user_contexts(remote_login_t)
+dev_getattr_mouse(remote_login_t)
+dev_setattr_mouse(remote_login_t)
+dev_dontaudit_search_sysfs(remote_login_t)
# for SSP/ProPolice
dev_read_urand(remote_login_t)
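Review bot: `dev_setattr_mouse(remote_login_t)` carries over the TODO rule without explaining why a login program changes attributes on the mouse device; the original rule had no comment either. A one-line why-comment above L795 would help, or drop setattr if only getattr is actually observed.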
@@ -60,15 +63,36 @@ auth_domtrans_chk_passwd(remote_login_t)
auth_dontaudit_read_shadow(remote_login_t)
auth_rw_login_records(remote_login_t)
auth_rw_lastlog(remote_login_t)
+auth_rw_faillog(remote_login_t)
auth_exec_pam(remote_login_t)
auth_manage_pam_console_data(remote_login_t)
+corecmd_list_bin(remote_login_t)
+corecmd_list_sbin(remote_login_t)
+corecmd_read_bin_symlink(remote_login_t)
+corecmd_read_sbin_symlink(remote_login_t)
+# cjp: these are probably not needed:
+corecmd_read_bin_file(remote_login_t)
+corecmd_read_bin_pipe(remote_login_t)
+corecmd_read_bin_socket(remote_login_t)
+corecmd_read_sbin_file(remote_login_t)
+corecmd_read_sbin_pipe(remote_login_t)
+corecmd_read_sbin_socket(remote_login_t)
+
domain_read_all_entry_files(remote_login_t)
files_read_etc_files(remote_login_t)
files_read_etc_runtime_files(remote_login_t)
files_list_home(remote_login_t)
files_read_usr_files(remote_login_t)
+files_list_world_readable(remote_login_t)
+files_read_world_readable_files(remote_login_t)
+files_read_world_readable_symlinks(remote_login_t)
+files_read_world_readable_pipes(remote_login_t)
+files_read_world_readable_sockets(remote_login_t)
+files_list_mnt(remote_login_t)
+# for when /var/mail is a sym-link
+files_read_var_symlink(remote_login_t)
init_rw_script_pid(remote_login_t)
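Review bot: The six corecmd_read_{bin,sbin}_{file,pipe,socket} rules at L812–L817 are introduced under a comment saying they are probably not needed, yet they are granted anyway; that is the opposite of least privilege for a network login path. Prefer removing them and re-adding only what denials show, or replace the comment with what they were observed to be needed for. The rest of the hunk maps the old notdevfile_class_set rules onto interfaces consistently.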
@@ -83,6 +107,39 @@ seutil_read_default_contexts(remote_login_t)
miscfiles_read_localization(remote_login_t)
userdom_use_unpriv_users_fd(remote_login_t)
+userdom_search_all_users_home(remote_login_t)
+# Only permit unprivileged user domains to be entered via rlogin,
+# since very weak authentication is used.
+userdom_signal_unpriv_users(remote_login_t)
+userdom_spec_domtrans_unpriv_users(remote_login_t)
+
+# Search for mail spool file.
+mta_getattr_spool(remote_login_t)
+
+ifdef(`targeted_policy',`
+ unconfined_domain_template(remote_login_t)
+ unconfined_shell_domtrans(remote_login_t)
+')
+
+tunable_policy(`read_default_t',`
+ files_list_default(remote_login_t)
+ files_read_default_files(remote_login_t)
+ files_read_default_symlinks(remote_login_t)
+ files_read_default_sockets(remote_login_t)
+ files_read_default_pipes(remote_login_t)
+')
+
+# Allow remote login to resolve host names (passed in via the -h switch)
+tunable_policy(`use_dns',`
+ allow remote_login_t self:udp_socket create_socket_perms;
+ corenet_udp_sendrecv_all_if(remote_login_t)
+ corenet_raw_sendrecv_all_if(remote_login_t)
+ corenet_udp_sendrecv_all_nodes(remote_login_t)
+ corenet_raw_sendrecv_all_nodes(remote_login_t)
+ corenet_udp_sendrecv_dns_port(remote_login_t)
+ corenet_udp_bind_all_nodes(remote_login_t)
+ sysnet_read_config(remote_login_t)
+')
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(remote_login_t)
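Review bot: The comment at L837–L838 states that only unprivileged user domains may be entered via rlogin because authentication is weak, but the targeted_policy block immediately below (L845–L848) makes remote_login_t unconfined and transitions shells to unconfined, so the restriction does not hold in that configuration. Clarify the comment so the exception is visible, e.g. `# (the targeted policy below overrides this and spawns unconfined shells)`. The use_dns tunable at L859–L868 reads correctly as a replacement for the removed can_resolve.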
@@ -98,89 +155,28 @@ optional_policy(`nis.te',`
nis_use_ypbind(remote_login_t)
')
-ifdef(`TODO',`
-
-allow remote_login_t bin_t:dir r_dir_perms;
-allow remote_login_t bin_t:notdevfile_class_set r_file_perms;
-allow remote_login_t sbin_t:dir r_dir_perms;
-allow remote_login_t sbin_t:notdevfile_class_set r_file_perms;
-tunable_policy(`read_default_t',`
-allow remote_login_t default_t:dir r_dir_perms;
-allow remote_login_t default_t:notdevfile_class_set r_file_perms;
-')
-
-# Read directories and files with the readable_t type.
-# This type is a general type for "world"-readable files.
-allow remote_login_t readable_t:dir r_dir_perms;
-allow remote_login_t readable_t:notdevfile_class_set r_file_perms;
-
-# Read /var, /var/spool
-allow remote_login_t { var_t var_spool_t }:dir search;
-
-# for when /var/mail is a sym-link
-allow remote_login_t var_t:lnk_file read;
-
-# Read /dev directories and any symbolic links.
-allow remote_login_t device_t:lnk_file r_file_perms;
-
-dontaudit remote_login_t sysfs_t:dir search;
-
-allow remote_login_t mnt_t:dir r_dir_perms;
-
-# FIXME: what is this for?
-ifdef(`xdm.te', `
-allow xdm_t remote_login_t:process signull;
-')
-
-ifdef(`crack.te', `
-allow remote_login_t crack_db_t:file r_file_perms;
+optional_policy(`usermanage.te',`
+ usermanage_read_crack_db(remote_login_t)
')
-# Permit login to search the user home directories.
-allow remote_login_t home_dir_type:dir search;
-
-# Write to /var/log/btmp
-allow remote_login_t faillog_t:file { append read write };
-
-# Search for mail spool file.
-allow remote_login_t mail_spool_t:dir r_dir_perms;
-allow remote_login_t mail_spool_t:file getattr;
-allow remote_login_t mail_spool_t:lnk_file read;
-
-
-allow remote_login_t mouse_device_t:chr_file { getattr setattr };
-
-ifdef(`targeted_policy',`
-unconfined_domain(remote_login_t)
-domain_auto_trans(remote_login_t, shell_exec_t, unconfined_t)
+ifdef(`TODO',`
+# this goes to xdm:
+optional_policy(`remotelogin.te',`
+ # FIXME: what is this for?
+ remotelogin_signull(xdm_t)
')
-# Only permit unprivileged user domains to be entered via rlogin,
-# since very weak authentication is used.
-login_spawn_domain(remote_login, unpriv_userdomain)
-
allow remote_login_t devpts_t:dir search;
allow remote_login_t userpty_type:chr_file { setattr write };
+allow remote_login_t ptyfile:chr_file { getattr relabelfrom relabelto ioctl };
-# Use the pty created by rlogind.
-ifdef(`rlogind.te', `
-allow remote_login_t rlogind_devpts_t:chr_file { setattr rw_file_perms };
-
-# Relabel ptys created by rlogind.
-allow remote_login_t rlogind_devpts_t:chr_file { relabelfrom relabelto };
+optional_policy(`rlogind.te', `
+ allow remote_login_t rlogind_devpts_t:chr_file { setattr rw_file_perms };
+ allow remote_login_t rlogind_devpts_t:chr_file { relabelfrom relabelto };
')
-# Use the pty created by telnetd.
-ifdef(`telnetd.te', `
-allow remote_login_t telnetd_devpts_t:chr_file { setattr rw_file_perms };
-
-# Relabel ptys created by telnetd.
-allow remote_login_t telnetd_devpts_t:chr_file { relabelfrom relabelto };
+optional_policy(`telnetd.te', `
+ allow remote_login_t telnetd_devpts_t:chr_file { setattr rw_file_perms };
+ allow remote_login_t telnetd_devpts_t:chr_file { relabelfrom relabelto };
')
-
-allow remote_login_t ptyfile:chr_file { getattr relabelfrom relabelto ioctl };
-
-# Allow remote login to resolve host names (passed in via the -h switch)
-can_resolve(remote_login_t)
-
') dnl endif TODO
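Review bot: The rlogind and telnetd blocks keep their rules (L949–L952, L959–L962) but lose the why-comments that were on the removed lines ("Use the pty created by rlogind", "Relabel ptys created by rlogind", and the telnetd equivalents); please restore them as comments above the respective allow lines so the relabelfrom/relabelto grants stay explained. The new `remotelogin_signull(xdm_t)` at L934 references an interface that is not added anywhere in this diff; confirm it exists in remotelogin.if or the TODO block will not build when it is enabled. The "FIXME: what is this for?" is kept, which is fine, but the comment at L931 saying the block belongs in xdm would be clearer as a TODO with the target file named.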
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index 919a25c..5460dee 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -40,7 +40,8 @@ allow sendmail_t sendmail_var_run_t:file { getattr create read write append seta
files_create_pid(sendmail_t,sendmail_var_run_t)
kernel_read_kernel_sysctl(sendmail_t)
-dev_read_sysfs(sendmail_t)
+kernel_list_proc(sendmail_t)
+kernel_read_proc_symlinks(sendmail_t)
corenet_tcp_sendrecv_all_if(sendmail_t)
corenet_raw_sendrecv_all_if(sendmail_t)
@@ -55,6 +56,7 @@ corenet_udp_bind_all_nodes(sendmail_t)
corenet_tcp_bind_smtp_port(sendmail_t)
dev_read_urand(sendmail_t)
+dev_read_sysfs(sendmail_t)
fs_getattr_all_fs(sendmail_t)
fs_search_auto_mountpoints(sendmail_t)
@@ -83,6 +85,9 @@ miscfiles_read_localization(sendmail_t)
sysnet_read_config(sendmail_t)
+userdom_dontaudit_use_unpriv_user_fd(sendmail_t)
+userdom_dontaudit_search_sysadm_home_dir(sendmail_t)
+
# Write to /etc/aliases and /etc/mail.
mta_rw_aliases(sendmail_t)
# Write to /var/spool/mail and /var/spool/mqueue.
@@ -108,14 +113,9 @@ optional_policy(`udev.te', `
')
ifdef(`TODO',`
-
optional_policy(`rhgb.te', `
rhgb_domain(sendmail_t)
')
-allow sendmail_t proc_t:dir r_dir_perms;
-allow sendmail_t proc_t:lnk_file read;
-dontaudit sendmail_t unpriv_userdomain:fd use;
-dontaudit sendmail_t sysadm_home_dir_t:dir search;
#
# Need this transition to create /etc/aliases.db
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index a8f2cc8..5410362 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -1324,6 +1324,24 @@ interface(`files_read_var_symlink',`
########################################
##
+## Get the attributes of the /var/lib directory.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`files_getattr_var_lib_dir',`
+ gen_require(`
+ type var_t, var_lib_t;
+ class dir getattr;
+ ')
+
+ allow $1 var_t:dir search;
+ allow $1 var_lib_t:dir getattr;
+')
+
+########################################
+##
## Search the /var/lib directory.
##
##
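Review bot: The `gen_require` of the new `files_getattr_var_lib_dir` declares only `class dir getattr;`, yet the interface body also grants `allow $1 var_t:dir search;`, so the `search` permission is used without being required. Change the declaration to `class dir { search getattr };` so the requirement matches what the interface emits. The description block should also mention that search on the parent `var_t` directory is granted alongside getattr on `var_lib_t`, since a caller reading only the summary would not expect the extra permission.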
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index cddb631..88e9adc 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -107,6 +107,10 @@ optional_policy(`mount.te',`
mount_domtrans(insmod_t)
')
+optional_policy(`rpm.te',`
+ rpm_rw_pipe(insmod_t)
+')
+
optional_policy(`xserver.te',`
xserver_getattr_log(insmod_t)
')
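Review bot: The new `rpm_rw_pipe(insmod_t)` block here, and the matching `rpm_rw_pipe(depmod_t)` block in the second hunk of this file, carry no comment explaining why the kernel-module handling domains need read/write access to rpm's pipes, while the equivalent rule added to mount.te in this commit is annotated `# for kernel package installation`. Add the same one-line comment above both `optional_policy(`rpm.te',` blocks so the reason this cross-domain pipe access exists is recorded where the rule lives.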
@@ -154,6 +158,9 @@ files_list_home(depmod_t)
userdom_read_staff_home_files(depmod_t)
userdom_read_sysadm_home_files(depmod_t)
+optional_policy(`rpm.te',`
+ rpm_rw_pipe(depmod_t)
+')
ifdef(`TODO',`
ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 615c980..19ed6b1 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -115,6 +115,11 @@ optional_policy(`portmap.te', `
')
')
+# for kernel package installation
+optional_policy(`mount.te', `
+ rpm_rw_pipe(mount_t)
+')
+
ifdef(`TODO',`
# this goes to the nfs/rpc module
files_mountpoint(var_lib_nfs_t)
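Review bot: The new `rpm_rw_pipe(mount_t)` rule is guarded by `optional_policy(`mount.te', ...)`, i.e. the module's own name, whereas the same rule added to modutils.te in this commit is guarded by `optional_policy(`rpm.te', ...)`, which is the module that defines `rpm_rw_pipe`. Guarded this way the block is presumably always active when mount is built, and if the rpm module is not part of the build the `rpm_rw_pipe` interface it calls is undefined. Unless the self-guard is an intentional "this belongs in rpm.te" marker, change the guard to `optional_policy(`rpm.te', ` and, if it is such a marker, say so in the comment instead of the bare `# for kernel package installation`.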
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index 72daa8a..6b62a14 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -76,6 +76,30 @@ template(`unconfined_domain_template',`
########################################
##
+## Transition to the unconfined domain.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`unconfined_domtrans',`
+ gen_require(`
+ type unconfined_t, unconfined_exec_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
+
+ domain_auto_trans($1,unconfined_exec_t,unconfined_t)
+
+ allow $1 unconfined_t:fd use;
+ allow unconfined_t $1:fd use;
+ allow unconfined_t $1:fifo_file rw_file_perms;
+ allow unconfined_t $1:process sigchld;
+')
+
+########################################
+##
## Transition to the unconfined domain by executing a shell.
##
##
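Review bot: The description of the new `unconfined_domtrans` interface ("Transition to the unconfined domain." / "Domain allowed access.") does not say what the caller is signing up for: after the `domain_auto_trans($1,unconfined_exec_t,unconfined_t)` on the last lines of the block the process runs as `unconfined_t`, and the four `allow` rules let the two domains share fds, let `unconfined_t` use `$1`'s fifo files and let it deliver `sigchld` back to `$1`. Expand the parameter description to something like `## Domain allowed to transition; the resulting process runs unconfined, so only domains that must launch unrestricted programs should call this.` and note the fd/fifo/sigchld rules in the summary. Which permissions `domain_auto_trans` itself grants to `$1` on `unconfined_exec_t` is not visible in this hunk and should be confirmed before the doc claims it.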
@@ -83,9 +107,8 @@ template(`unconfined_domain_template',`
##
#
interface(`unconfined_shell_domtrans',`
-
gen_require(`
- unconfined_t;
+ type unconfined_t;
')
corecmd_domtrans_shell($1,unconfined_t)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 3919ce0..d6be17e 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -224,10 +224,19 @@ template(`base_user_template',`
term_getattr_all_user_ttys($1_t)
')
+ optional_policy(`inetd.te',`
+ inetd_tcp_connectto($1_t)
+ ')
+
optional_policy(`nis.te',`
nis_use_ypbind($1_t)
')
+ optional_policy(`rpm.te',`
+ files_getattr_var_lib_dir($1_t)
+ files_search_var_lib($1_t)
+ ')
+
optional_policy(`usermanage.te',`
usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
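Review bot: Neither new block in `base_user_template` records why every user domain produced by the template now gets `inetd_tcp_connectto($1_t)` or, under the `rpm.te` guard, search and getattr on `/var/lib`; these rules reach unprivileged user domains as well as the administrative ones, and nothing nearby explains them. Add a one-line comment above each block naming the user action it serves: for the rpm block, what under `/var/lib` is being reached, and for the inetd block, which inetd-served service the user domains connect to. The `rpm.te` guard also wraps two `files_*` interfaces that exist regardless of the rpm module, so if the access is only wanted when rpm is present, the comment should state that dependency explicitly.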