diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if
index 53e1c60..06ae950 100644
--- a/policy/modules/admin/apt.if
+++ b/policy/modules/admin/apt.if
@@ -188,5 +188,5 @@ interface(`apt_dontaudit_manage_db',`
 dontaudit $1 apt_var_lib_t:dir rw_dir_perms;
 dontaudit $1 apt_var_lib_t:file manage_file_perms;
- dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_perms;
+ dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_file_perms;
 ')
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
index 4da4442..f3aebbc 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -34,7 +34,7 @@
 #
 template(`gnome_per_role_template',`
 gen_require(`
- type gconfd_exec_t;
+ type gconfd_exec_t, gconf_etc_t;
 attribute gnomedomain;
 ')
diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
index ff7c010..9390298 100644
--- a/policy/modules/apps/mplayer.if
+++ b/policy/modules/apps/mplayer.if
@@ -75,7 +75,7 @@ template(`mplayer_per_role_template',`
 domtrans_pattern($2, mencoder_exec_t, $1_mencoder_t)
 # Allow the user domain to signal/ps.
- ps_process_pattern($2,$1_mencoder_t,$1_mencoder_t)
+ ps_process_pattern($2,$1_mencoder_t)
 allow $2 $1_mencoder_t:process signal_perms;
 # Read /proc files and directories
@@ -235,9 +235,8 @@ template(`mplayer_per_role_template',`
 files_tmp_filetrans($1_mencoder_t,$1_untrusted_content_tmp_t,file)
 files_tmp_filetrans($1_mencoder_t,$1_untrusted_content_tmp_t,dir)
- userdom_manage_user_untrusted_content_files($1,$1_mencoder_t,file)
- userdom_manage_user_untrusted_content_files($1,$1_mencoder_t,dir)
-
+ userdom_manage_user_untrusted_content_dirs($1,$1_mencoder_t)
+ userdom_manage_user_untrusted_content_files($1,$1_mencoder_t)
 ',`
 files_dontaudit_list_home($1_mencoder_t)
 files_dontaudit_list_tmp($1_mencoder_t)
diff --git a/policy/modules/apps/rssh.if b/policy/modules/apps/rssh.if
index 32659b7..3f46fe8 100644
--- a/policy/modules/apps/rssh.if
+++ b/policy/modules/apps/rssh.if
@@ -24,6 +24,11 @@
 ##
 #
 template(`rssh_per_role_template',`
+ gen_require(`
+ type rssh_exec_t;
+ attribute rssh_domain_type;
+ attribute rssh_ro_content_type;
+ ')
 ##############################
 #
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index df40869..4895ac5 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -473,10 +473,10 @@ interface(`fs_manage_autofs_symlinks',`
 #
 interface(`fs_getattr_binfmt_misc_dirs',`
 gen_require(`
- type binfmt_misc_t;
+ type binfmt_misc_fs_t;
 ')
- allow $1 binfmt_misc_t:dir getattr;
+ allow $1 binfmt_misc_fs_tt:dir getattr;
 ')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 186b2a6..1823f4f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -110,7 +110,7 @@ optional_policy(`
 ')
 optional_policy(`
- cron_admin_template(sysadm, sysadm_t, sysadm_r)
+ cron_admin_template(sysadm)
 ')
 optional_policy(`
@@ -141,7 +141,7 @@ optional_policy(`
 optional_policy(`
 ethereal_run_tethereal(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
- ethereal_admin_template(sysadm, sysadm_t, sysadm_r)
+ ethereal_admin_template(sysadm)
 ')
 optional_policy(`
@@ -184,7 +184,7 @@ optional_policy(`
 optional_policy(`
 lpd_run_checkpc(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
- lpr_admin_template(sysadm, sysadm_t, sysadm_r)
+ lpr_admin_template(sysadm)
 ')
 optional_policy(`
@@ -202,7 +202,7 @@ optional_policy(`
 ')
 optional_policy(`
- mta_admin_template(sysadm, sysadm_t, sysadm_r)
+ mta_admin_template(sysadm, sysadm_t)
 ')
 optional_policy(`
@@ -296,7 +296,7 @@ optional_policy(`
 ')
 optional_policy(`
- unconfined_domtrans(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
+ unconfined_domtrans(sysadm_t)
 ')
 optional_policy(`
diff --git a/policy/modules/services/aide.if b/policy/modules/services/aide.if
index 9cf2c59..133ca19 100644
--- a/policy/modules/services/aide.if
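Review bot: In the filesystem.if hunk the added allow rule names `binfmt_misc_fs_tt` (doubled `t`), while the gen_require block two lines above it now declares `binfmt_misc_fs_t`. The rule therefore references a type the interface never requires; unless a type with that exact name exists elsewhere, fs_getattr_binfmt_misc_dirs will presumably fail to compile or be dropped where it is expanded instead of granting the documented getattr. The line should read `allow $1 binfmt_misc_fs_t:dir getattr;`.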
+++ b/policy/modules/services/aide.if
@@ -60,16 +60,6 @@ interface(`aide_run',`
 ## Domain allowed access.
 ##
 ##
-##
-##
-## The role to be allowed to manage the aide domain.
-##
-##
-##
-##
-## The type of the user terminal.
-##
-##
 ##
 #
 interface(`aide_admin',`
@@ -84,5 +74,5 @@ interface(`aide_admin',`
 manage_files_pattern($1, aide_db_t, aide_db_t)
 logging_list_logs($1)
- manage_all_pattern($1, aide_log_t, aide_log_t)
+ manage_files_pattern($1, aide_log_t, aide_log_t)
 ')
diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if
index 8366797..ec1a204 100644
--- a/policy/modules/services/amavis.if
+++ b/policy/modules/services/amavis.if
@@ -197,21 +197,11 @@ interface(`amavis_create_pid_files',`
 ## Domain allowed access.
 ##
 ##
-##
-##
-## The role to be allowed to manage the amavis domain.
-##
-##
-##
-##
-## The type of the user terminal.
-##
-##
 ##
 #
 interface(`amavis_admin',`
 gen_require(`
- type amavis_t, amavis_tmp_t, amavis_log_t;
+ type amavis_t, amavis_tmp_t, amavis_var_log_t;
 type amavis_spool_t, amavis_var_lib_t, amavis_var_run_t;
 type amavis_etc_t, amavis_quarantine_t;
 ')
@@ -228,7 +218,7 @@ interface(`amavis_admin',`
 manage_files_pattern($1, amavis_etc_t, amavis_etc_t)
 logging_list_logs($1)
- manage_files_pattern($1, amavis_log_t, amavis_log_t)
+ manage_files_pattern($1, amavis_var_log_t, amavis_var_log_t)
 files_list_spool($1)
 manage_files_pattern($1, amavis_spool_t, amavis_spool_t)
diff --git a/policy/modules/services/apcupsd.if b/policy/modules/services/apcupsd.if
index de8b91b..1a3789b 100644
--- a/policy/modules/services/apcupsd.if
+++ b/policy/modules/services/apcupsd.if
@@ -72,7 +72,7 @@ interface(`apcupsd_read_log',`
 #
 interface(`apcupsd_append_log',`
 gen_require(`
- type var_log_t, apcupsd_log_t;
+ type apcupsd_log_t;
 ')
 logging_search_logs($1)
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
index 6d971f0..9ce5b29 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -36,6 +36,7 @@ template(`bluetooth_per_role_template',`
 gen_require(`
 attribute bluetooth_helper_domain;
 type bluetooth_helper_exec_t;
+ type bluetooth_t;
 ')
 type $1_bluetooth_t, bluetooth_helper_domain;
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index 5a00230..c013fae 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -255,7 +255,7 @@ optional_policy(`
 ')
 optional_policy(`
- inetd_core_service_domain(cupsd_t,cupsd_exec_t,cupsd_t)
+ inetd_core_service_domain(cupsd_t, cupsd_exec_t)
 ')
 optional_policy(`
diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
index 6e3588c..2320feb 100644
--- a/policy/modules/services/cvs.te
+++ b/policy/modules/services/cvs.te
@@ -42,7 +42,7 @@ allow cvs_t self:capability { setuid setgid };
 manage_dirs_pattern(cvs_t,cvs_data_t,cvs_data_t)
 manage_files_pattern(cvs_t,cvs_data_t,cvs_data_t)
-manage_lnk_files_pattern(cvs_t,cvs_data_t,cvs_data_t,cvs_data_t)
+manage_lnk_files_pattern(cvs_t,cvs_data_t,cvs_data_t)
 manage_dirs_pattern(cvs_t,cvs_tmp_t,cvs_tmp_t)
 manage_files_pattern(cvs_t,cvs_tmp_t,cvs_tmp_t)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 1708315..9488fb0 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -172,6 +172,7 @@ template(`mta_per_role_template',`
 gen_require(`
 attribute mta_user_agent;
 attribute mailserver_delivery;
+ type sendmail_exec_t;
 ')
 ##############################
@@ -332,11 +333,7 @@ interface(`mta_mailserver',`
 ## The type to be used for the mail server.
 ##
 ##
-##
-##
-## The type to be used for the domain entry point program.
-##
-##
+#
 interface(`mta_sendmail_mailserver',`
 gen_require(`
 attribute mailserver_domain;
diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if
index 01ef9cc..b157ca5 100644
--- a/policy/modules/services/sasl.if
+++ b/policy/modules/services/sasl.if
@@ -33,17 +33,17 @@ interface(`sasl_connect',`
 #
 interface(`sasl_admin',`
 gen_require(`
- type sasl_t;
- type sasl_tmp_t;
- type sasl_var_run_t;
+ type saslauthd_t;
+ type saslauthd_tmp_t;
+ type saslauthd_var_run_t;
 ')
- allow $1 sasl_t:process { ptrace signal_perms getattr };
- ps_process_pattern($1, sasl_t)
+ allow $1 saslauthd_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, saslauthd_t)
 files_list_tmp($1)
- manage_files_pattern($1, sasl_tmp_t, sasl_tmp_t)
+ manage_files_pattern($1, saslauthd_tmp_t, saslauthd_tmp_t)
 files_list_pids($1)
- manage_files_pattern($1, sasl_var_run_t, sasl_var_run_t)
+ manage_files_pattern($1, saslauthd_var_run_t, saslauthd_var_run_t)
 ')
diff --git a/policy/modules/services/smartmon.if b/policy/modules/services/smartmon.if
index 56e1f72..b695c2e 100644
--- a/policy/modules/services/smartmon.if
+++ b/policy/modules/services/smartmon.if
@@ -32,15 +32,15 @@ interface(`smartmon_read_tmp_files',`
 #
 interface(`smartmon_admin',`
 gen_require(`
- type smartmon_t, smartmon_tmp_t, smartmon_var_run_t;
+ type fsdaemon_t, fsdaemon_tmp_t, fsdaemon_var_run_t;
 ')
- allow $1 smartmon_t:process { ptrace signal_perms getattr };
- ps_process_pattern($1, smartmon_t)
+ allow $1 fsdaemon_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, fsdaemon_t)
 files_list_tmp($1)
- manage_files_pattern($1, smartmon_tmp_t, smartmon_tmp_t)
+ manage_files_pattern($1, fsdaemon_tmp_t, fsdaemon_tmp_t)
 files_list_pids($1)
- manage_files_pattern($1, smartmon_var_run_t, smartmon_var_run_t)
+ manage_files_pattern($1, fsdaemon_var_run_t, fsdaemon_var_run_t)
 ')
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index f4eb2c8..9279c9f 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
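Review bot: sasl_admin still grants `ptrace` on the daemon domain in `allow $1 saslauthd_t:process { ptrace signal_perms getattr };`, and the smartmon_admin hunk has the same rule on fsdaemon_t. The commit only corrects the type names, but ptrace over an authentication daemon gives the admin domain access to that process's memory, which is far more than the signalling and process listing the rest of the interface needs. Consider reducing the rule to `allow $1 saslauthd_t:process { signal_perms getattr };` and granting ptrace separately where a caller actually needs it, or at least stating the ptrace grant in the interface's summary comment, which lies outside this hunk.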
@@ -202,7 +202,7 @@ template(`ssh_basic_client_template',`
 #
 template(`ssh_per_role_template',`
 gen_require(`
- type ssh_agent_exec_t, ssh_keysign_exec_t;
+ type ssh_agent_exec_t, ssh_keysign_exec_t, sshd_t, sshd_key_t;
 ')
 ##############################
diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if
index bdd8cbc..0f87847 100644
--- a/policy/modules/services/zabbix.if
+++ b/policy/modules/services/zabbix.if
@@ -51,7 +51,7 @@ interface(`zabbix_read_log',`
 #
 interface(`zabbix_append_log',`
 gen_require(`
- type var_log_t, zabbix_log_t;
+ type zabbix_log_t;
 ')
 logging_search_logs($1)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 824005d..dd2c793 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1402,11 +1402,6 @@ template(`userdom_admin_user_template',`
 ## The role of the object to create.
 ##
 ##
-##
-##
-## The terminal
-##
-##
 #
 template(`userdom_security_admin_template',`
 allow $1 self:capability { dac_read_search dac_override };
@@ -3276,6 +3271,39 @@ template(`userdom_dontaudit_list_user_untrusted_content',`
 ########################################
 ##
+## Create, read, write, and delete users untrusted directories.
+##
+##
+##

+## Create, read, write, and delete users untrusted directories.
+##

+##

+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+##

+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+template(`userdom_manage_user_untrusted_content_dirs',`
+ gen_require(`
+ type $1_untrusted_content_t;
+ ')
+
+ allow $2 $1_untrusted_content_t:dir manage_dir_perms;
+')
+
+########################################
+##
 ## Read user untrusted files.
 ##
 ##
diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if
index 4c9ea79..a2f67b2 100644
--- a/policy/modules/system/xen.if
+++ b/policy/modules/system/xen.if
@@ -87,7 +87,7 @@ interface(`xen_read_image_files',`
 #
 interface(`xen_append_log',`
 gen_require(`
- type var_log_t, xend_var_log_t;
+ type xend_var_log_t;
 ')
 logging_search_logs($1)
@@ -108,7 +108,7 @@ interface(`xen_append_log',`
 #
 interface(`xen_manage_log',`
 gen_require(`
- type var_log_t, xend_var_log_t;
+ type xend_var_log_t;
 ')
 logging_search_logs($1)
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 58ed41d..5b5e992 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -223,7 +223,8 @@ define(`relabel_file_perms',`{ getattr relabelfrom relabelto }')
 define(`getattr_lnk_file_perms',`{ getattr }')
 define(`setattr_lnk_file_perms',`{ setattr }')
 define(`read_lnk_file_perms',`{ getattr read }')
-define(`write_lnk_file_perms',`{ getattr write lock ioctl }')
+define(`append_lnk_file_perms',`{ getattr append lock ioctl }')
+define(`write_lnk_file_perms',`{ getattr append write lock ioctl }')
 define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
 define(`create_lnk_file_perms',`{ create getattr }')
 define(`rename_lnk_file_perms',`{ getattr rename }')
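Review bot: In obj_perm_sets.spt `write_lnk_file_perms` gains `append`, but the `rw_lnk_file_perms` definition on the next context line still expands to `{ getattr read write lock ioctl }`, so the read-write set is no longer a superset of the write set. Redefining an existing macro also silently adds append to every rule that already expands write_lnk_file_perms, which is a policy-wide widening the hunk does not comment on. If append is meant to be part of write access, add `append` to `rw_lnk_file_perms` as well and put a one-line comment above the lnk_file group saying that the write sets imply append; otherwise leave write_lnk_file_perms as it was and let callers opt in through the new append_lnk_file_perms.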