diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 0a6eece..dce01c9 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -130,54 +130,6 @@ class capability sys_module;
########################################
#
-# kernel_kill_unlabeled_process(domain)
-#
-define(`kernel_kill_unlabeled_process',`
-requires_block_template(`$0'_depend)
-allow $1 unlabeled_t:process sigkill;
-')
-
-define(`kernel_kill_unlabeled_process_depend',`
-type unlabeled_t;
-class process sigkill;
-')
-
-########################################
-#
-# kernel_ignore_get_unlabeled_block_device_attributes(domain)
-#
-define(`kernel_ignore_get_unlabeled_block_device_attributes',`
-requires_block_template(`$0'_depend)
-allow $1 unlabeled_t:blk_file getattr;
-')
-
-define(`kernel_ignore_get_unlabeled_block_device_attributes_depend',`
-type unlabeled_t;
-class process getattr;
-')
-
-########################################
-#
-# kernel_relabel_unlabeled_object(domain)
-#
-define(`kernel_relabel_unlabeled_object',`
-requires_block_template(`$0'_depend)
-allow $1 unlabeled_t:{ dir file lnk_file fifo_file sock_file chr_file blk_file } { getattr relabelfrom };
-')
-
-define(`kernel_relabel_unlabeled_object_depend',`
-type unlabeled_t;
-class dir { getattr relabelfrom };
-class file { getattr relabelfrom };
-class lnk_file { getattr relabelfrom };
-class fifo_file { getattr relabelfrom };
-class sock_file { getattr relabelfrom };
-class chr_file { getattr relabelfrom };
-class blk_file { getattr relabelfrom };
-')
-
-########################################
-#
# kernel_get_selinux_enforcement_mode(domain)
#
define(`kernel_get_selinux_enforcement_mode',`
@@ -1054,6 +1006,145 @@ class lnk_file { getattr read };
')
########################################
+##
+##
+## Send a kill signal to unlabeled processes.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`kernel_kill_unlabeled_process',`
+requires_block_template(`$0'_depend)
+allow $1 unlabeled_t:process sigkill;
+')
+
+define(`kernel_kill_unlabeled_process_depend',`
+type unlabeled_t;
+class process sigkill;
+')
+
+########################################
+##
+##
+## Send general signals to unlabeled processes.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`kernel_signal_unlabeled_process',`
+requires_block_template(`$0'_depend)
+allow $1 unlabeled_t:process signal;
+')
+
+define(`kernel_signal_unlabeled_process_depend',`
+type unlabeled_t;
+class process signal;
+')
+
+########################################
+##
+##
+## Send a null signal to unlabeled processes.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`kernel_signull_unlabeled_process',`
+requires_block_template(`$0'_depend)
+allow $1 unlabeled_t:process signull;
+')
+
+define(`kernel_signull_unlabeled_process_depend',`
+type unlabeled_t;
+class process signull;
+')
+
+########################################
+##
+##
+## Send a stop signal to unlabeled processes.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`kernel_sigstop_unlabeled_process',`
+requires_block_template(`$0'_depend)
+allow $1 unlabeled_t:process sigstop;
+')
+
+define(`kernel_sigstop_unlabeled_process_depend',`
+type unlabeled_t;
+class process sigstop;
+')
+
+########################################
+##
+##
+## Send a child terminated signal to unlabeled processes.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`kernel_sigchld_unlabeled_process',`
+requires_block_template(`$0'_depend)
+allow $1 unlabeled_t:process sigchld;
+')
+
+define(`kernel_sigchld_unlabeled_process_depend',`
+type unlabeled_t;
+class process sigchld;
+')
+
+########################################
+#
+# kernel_ignore_get_unlabeled_block_device_attributes(domain)
+#
+define(`kernel_ignore_get_unlabeled_block_device_attributes',`
+requires_block_template(`$0'_depend)
+allow $1 unlabeled_t:blk_file getattr;
+')
+
+define(`kernel_ignore_get_unlabeled_block_device_attributes_depend',`
+type unlabeled_t;
+class process getattr;
+')
+
+########################################
+#
+# kernel_relabel_unlabeled_object(domain)
+#
+define(`kernel_relabel_unlabeled_object',`
+requires_block_template(`$0'_depend)
+allow $1 unlabeled_t:{ dir file lnk_file fifo_file sock_file chr_file blk_file } { getattr relabelfrom };
+')
+
+define(`kernel_relabel_unlabeled_object_depend',`
+type unlabeled_t;
+class dir { getattr relabelfrom };
+class file { getattr relabelfrom };
+class lnk_file { getattr relabelfrom };
+class fifo_file { getattr relabelfrom };
+class sock_file { getattr relabelfrom };
+class chr_file { getattr relabelfrom };
+class blk_file { getattr relabelfrom };
+')
+
+########################################
#
# kernel_list_usb_hardware(domain)
#
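Review bot: The depend block for kernel_ignore_get_unlabeled_block_device_attributes declares `class process getattr;` while the interface body grants `unlabeled_t:blk_file getattr`, so the class the rule actually needs is never required; it should read `class blk_file getattr;`. The mismatch is carried over verbatim from the block removed earlier in this file, so it is not new, but the move is the moment to fix it. Separately, the `ignore_` prefix reads like a dontaudit interface while the body uses `allow`; if the intent is to silence denials rather than grant access, `dontaudit $1 unlabeled_t:blk_file getattr;` is the line to change, and either way the name and the rule should agree.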
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 63c73d7..d727d8f 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -126,8 +126,15 @@ class process setsched;
')
########################################
-#
-# domain_signal_all_domains(domain)
+##
+##
+## Send general signals to all domains.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`domain_signal_all_domains',`
requires_block_template(`$0'_depend)
@@ -161,8 +168,57 @@ class process signull;
')
########################################
+##
+##
+## Send a stop signal to all domains.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`domain_sigstop_all_domains',`
+requires_block_template(`$0'_depend)
+allow $1 domain:process sigstop;
+')
+
+define(`domain_sigstop_all_domains_depend',`
+attribute domain;
+class process sigstop;
+')
+
+########################################
+##
+##
+## Send a child terminated signal to all domains.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
-# domain_kill_all_domains(domain)
+define(`domain_sigchld_all_domains',`
+requires_block_template(`$0'_depend)
+allow $1 domain:process sigchld;
+')
+
+define(`domain_sigchld_all_domains_depend',`
+attribute domain;
+class process sigchld;
+')
+
+########################################
+##
+##
+## Send a kill signal to all domains.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
#
define(`domain_kill_all_domains',`
requires_block_template(`$0'_depend)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index f9c1fba..1e87cb8 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -100,8 +100,12 @@ corecommands_chroot(init_t)
corecommands_execute_general_programs(init_t)
corecommands_execute_system_programs(init_t)
-domain_signal_all_domains(init_t)
domain_kill_all_domains(init_t)
+domain_signal_all_domains(init_t)
+domain_signull_all_domains(init_t)
+domain_sigstop_all_domains(init_t)
+domain_sigstop_all_domains(init_t)
+domain_sigchld_all_domains(init_t)
files_modify_system_runtime_data(init_t)
# file descriptors inherited from the rootfs:
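Review bot: `domain_sigstop_all_domains(init_t)` is added twice (the fourth and fifth added lines); the duplicate is harmless to the compiled policy but looks like a copy-paste slip, possibly standing in for a different interface, and one of the two lines should go. The same doubled call appears in the sysadm template in userdomain.if (the hunk adding the `# signal all domains:` block), so both sites should be corrected together.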
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 7763d49..84c3f5a 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -13,10 +13,37 @@ define(`base_user_domain',`
attribute $1_file_type;
type $1_t, userdomain;
+domain_make_domain($1_t)
corecommands_make_shell_entrypoint($1_t)
role $1_r types $1_t;
allow system_r $1_r;
+# user pseudoterminal
+type $1_devpts_t;
+terminal_make_user_pseudoterminal($1_t,$1_devpts_t)
+
+# type for contents of home directory
+type $1_home_t, $1_file_type, home_type;
+files_make_file($1_home_t)
+
+# type of home directory
+type $1_home_dir_t, home_dir_type, home_type;
+files_make_file($1_home_t)
+
+type $1_tmp_t, $1_file_type;
+files_make_temporary_file($1_tmp_t)
+
+type $1_tmpfs_t;
+files_make_tmpfs_file($1_tmpfs_t)
+
+type $1_tty_device_t;
+terminal_make_physical_terminal($1_t,$1_tty_device_t)
+
+##############################
+#
+# Local policy
+#
+
allow $1_t self:capability { setgid chown fowner };
dontaudit $1_t self:capability { sys_nice fsetid };
allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
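Review bot: Under `# type of home directory`, `files_make_file($1_home_t)` is called a second time instead of `files_make_file($1_home_dir_t)`, so the new `$1_home_dir_t` type is declared but never registered as a file type; the line should be `files_make_file($1_home_dir_t)`. The unprivileged template that previously declared these types (the hunk later in this file removing `files_make_file($1_home_dir_t)`) had it right, so consolidating into base_user_domain regresses it, while the removed admin template carried the same slip. Since base_user_domain now builds the types for both user and admin domains, both inherit the gap.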
@@ -57,6 +84,13 @@ allow $1_t $1_tmp_t:file { getattr read execute execute_no_trans };
# cjp: this is combination is not checked and should be removed
allow $1_t $1_tmp_t:unix_stream_socket name_bind;
+allow $1_t $1_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
+allow $1_t $1_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow $1_t $1_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
+allow $1_t $1_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+allow $1_t $1_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+filesystem_create_private_tmpfs_data($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
allow $1_t $1_tty_device_t:chr_file { setattr getattr read write append ioctl lock };
allow $1_t unpriv_userdomain:fd use;
@@ -70,10 +104,12 @@ per_userdomain_templates($1)
kernel_read_kernel_sysctl($1_t)
kernel_get_selinuxfs_mount_point($1_t)
-# Very permissive allowing every domain to see every type.
+# Very permissive allowing every domain to see every type:
kernel_get_sysvipc_info($1_t)
-# Find CDROM devices
+# Find CDROM devices:
kernel_read_device_sysctl($1_t)
+# GNOME checks for usb and other devices:
+kernel_modify_usb_hardware_config_option($1_t)
corenetwork_network_tcp_on_all_interfaces($1_t)
corenetwork_network_raw_on_all_interfaces($1_t)
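Review bot: The replacement for the removed usbfs read/write rule is `kernel_modify_usb_hardware_config_option($1_t)`, while the comment kept above it only says GNOME checks for devices; if enumeration is all that is needed, the narrower `kernel_list_usb_hardware` interface (visible in the kernel.if context of this diff) would keep every user domain off the write path. Worth confirming which access GNOME actually requires before granting modify to all user domains, and recording the answer in the comment.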
@@ -247,19 +283,12 @@ allow $1_t removable_device_t:blk_file r_file_perms;
}
allow $1_t usbtty_device_t:chr_file read;
-# GNOME checks for usb and other devices
-rw_dir_file($1_t,usbfs_t)
-
can_exec($1_t, noexattrfile)
# for running TeX programs
r_dir_file($1_t, tetex_data_t)
can_exec($1_t, tetex_data_t)
-type $1_tmpfs_t, file_type, sysadmfile, tmpfsfile;
-file_type_auto_trans($1_t, tmpfs_t, $1_tmpfs_t)
-allow $1_tmpfs_t tmpfs_t:filesystem associate;
-
# Run programs developed by other users in the same domain.
can_resmgrd_connect($1_t)
@@ -378,25 +407,15 @@ define(`user_domain_template', `
base_user_domain($1)
typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain;
-domain_make_domain($1_t)
domain_make_file_descriptors_widely_inheritable($1_t)
-type $1_devpts_t; # userpty_type, user_tty_type;
-terminal_make_user_pseudoterminal($1_t,$1_devpts_t)
-
-# Type for home directory.
-type $1_home_dir_t, home_dir_type, home_type; #, user_home_dir_type;
-files_make_file($1_home_dir_t)
+#typeattribute $1_devpts_t userpty_type, user_tty_type;
+#typeattribute $1_home_dir_t user_home_dir_type;
+#typeattribute $1_home_t user_home_type;
-# Type for files and directories in the home directory
-type $1_home_t, $1_file_type, home_type; #, user_home_type;
-files_make_file($1_home_t)
-
-type $1_tmp_t, $1_file_type; #, user_tmpfile
-files_make_temporary_file($1_tmp_t)
+#typeattribute $1_tmp_t, user_tmpfile;
-type $1_tty_device_t; #, sysadmfile, ttyfile, user_tty_type, dev_fs;
-terminal_make_physical_terminal($1_t,$1_tty_device_t)
+#typeattribute $1_tty_device_t user_tty_type;
##############################
#
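Review bot: The commented-out `#typeattribute $1_tmp_t, user_tmpfile;` has a stray comma after the type name that the other four placeholder lines do not; if these are meant to be re-enabled later it should be `#typeattribute $1_tmp_t user_tmpfile;` so that uncommenting compiles. Five disabled statements with no explanation are also hard to maintain; a one-line comment above them recording why they are parked and what would allow re-enabling them would help the next reader.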
@@ -591,27 +610,14 @@ base_user_domain($1)
typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain;
kernel_make_object_identity_change_constraint_exception($1_t)
-domain_make_domain($1_t)
role system_r types $1_t;
#ifdef(`direct_sysadm_daemon', `, priv_system_role')
#; dnl end of sysadm_t type declaration
-# Type and access for pty devices.
-type $1_devpts_t, admin_terminal;
-terminal_make_pseudoterminal($1_devpts_t)
+typeattribute $1_devpts_t admin_terminal;
-type $1_home_t, $1_file_type; #, home_type;
-files_make_file($1_home_t)
-
-type $1_home_dir_t; #, home_dir_type, home_type;
-files_make_file($1_home_t)
-
-type $1_tmp_t, $1_file_type;
-files_make_temporary_file($1_tmp_t)
-
-type $1_tty_device_t, admin_terminal;
-terminal_make_physical_terminal($1_t,$1_tty_device_t)
+typeattribute $1_tty_device_t admin_terminal;
##############################
#
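Review bot: The admin pseudoterminal type is now created by base_user_domain through `terminal_make_user_pseudoterminal($1_t,$1_devpts_t)`, whereas the removed lines used `terminal_make_pseudoterminal($1_devpts_t)` with no owning domain; if those two interfaces grant different access, the admin domain's pty policy has silently changed and `typeattribute $1_devpts_t admin_terminal;` alone does not restore the old shape. Worth confirming against the terminal interfaces, or stating the intended change in the commit message.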
@@ -663,6 +669,12 @@ kernel_compute_selinux_access_vector($1_t)
kernel_compute_selinux_create_context($1_t)
kernel_compute_selinux_relabel_context($1_t)
kernel_compute_selinux_reachable_user_contexts($1_t)
+# signal unlabeled processes:
+kernel_kill_unlabeled_process($1_t)
+kernel_signal_unlabeled_process($1_t)
+kernel_sigstop_unlabeled_process($1_t)
+kernel_signull_unlabeled_process($1_t)
+kernel_sigchld_unlabeled_process($1_t)
corenetwork_bind_tcp_on_general_port($1_t)
@@ -689,6 +701,13 @@ authlogin_relabel_all_files_except_shadow($1_t)
domain_set_all_domains_priorities($1_t)
domain_read_all_domains_process_state($1_t)
+# signal all domains:
+domain_kill_all_domains($1_t)
+domain_signal_all_domains($1_t)
+domain_signull_all_domains($1_t)
+domain_sigstop_all_domains($1_t)
+domain_sigstop_all_domains($1_t)
+domain_sigchld_all_domains($1_t)
files_execute_system_source_code_scripts($1_t)
@@ -719,9 +738,6 @@ allow $1_t shadow_t:file getattr;
# for lsof
allow $1_t mtrr_device_t:file getattr;
-# Send signals to all processes.
-allow $1_t { domain unlabeled_t }:process signal_perms;
-
allow $1_t serial_device:chr_file setattr;
# allow setting up tunnels