diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index 3579887..01b3216 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -121,9 +121,18 @@ sysnet_dns_name_resolve(ping_t)
logging_send_syslog_msg(ping_t)
-tunable_policy(`user_ping',`
+ifdef(`hide_broken_symptoms',`
+ init_dontaudit_use_fd(ping_t)
+')
+
+ifdef(`targeted_policy',`
term_use_all_user_ttys(ping_t)
term_use_all_user_ptys(ping_t)
+',`
+ tunable_policy(`user_ping',`
+ term_use_all_user_ttys(ping_t)
+ term_use_all_user_ptys(ping_t)
+ ')
')
optional_policy(`nis.te',`
@@ -134,6 +143,10 @@ optional_policy(`nscd.te',`
nscd_use_socket(ping_t)
')
+optional_policy(`pcmcia.te',`
+ pcmcia_use_cardmgr_fd(ping_t)
+')
+
optional_policy(`sysnetwork.te',`
optional_policy(`hotplug.te',`
hotplug_use_fd(ping_t)
@@ -146,9 +159,6 @@ tunable_policy(`user_ping',`
domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)
ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
')
-ifdef(`cardmgr.te',`
- allow ping_t cardmgr_t:fd use;
-')
') dnl end TODO
########################################
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index 13cad13..bb43066 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -6,10 +6,11 @@ policy_module(rpm,1.0)
# Declarations
#
-type rpm_t; #, admin, privmem, priv_system_role;
+type rpm_t; #, priv_system_role;
type rpm_exec_t;
init_system_domain(rpm_t,rpm_exec_t)
domain_obj_id_change_exempt(rpm_t)
+domain_role_change_exempt(rpm_t)
domain_wide_inherit_fd(rpm_t)
role system_r types rpm_t;
@@ -179,6 +180,8 @@ optional_policy(`nis.te',`
')
ifdef(`TODO',`
+# cjp: this seems way out of place
+role sysadm_r types initrc_t;
type_transition rpm_t tmpfs_t:{ dir file lnk_file sock_file fifo_file } rpm_tmpfs_t;
diff --git a/refpolicy/policy/modules/admin/tmpreaper.te b/refpolicy/policy/modules/admin/tmpreaper.te
index a2afcf3..c236076 100644
--- a/refpolicy/policy/modules/admin/tmpreaper.te
+++ b/refpolicy/policy/modules/admin/tmpreaper.te
@@ -37,6 +37,7 @@ libs_use_shared_libs(tmpreaper_t)
logging_send_syslog_msg(tmpreaper_t)
miscfiles_read_localization(tmpreaper_t)
+miscfiles_delete_man_pages(tmpreaper_t)
cron_system_entry(tmpreaper_t,tmpreaper_exec_t)
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 978c2b0..4953fae 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -675,6 +675,38 @@ interface(`dev_setattr_all_chr_files',`
########################################
##
+## Dontaudit read on all block file device nodes.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`dev_dontaudit_read_all_blk_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ dontaudit $1 device_node:blk_file { getattr read };
+')
+
+########################################
+##
+## Dontaudit read on all character file device nodes.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`dev_dontaudit_read_all_chr_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ dontaudit $1 device_node:chr_file { getattr read };
+')
+
+########################################
+##
## Read, write, create, and delete all block device files.
##
##
@@ -2171,6 +2203,44 @@ interface(`dev_dontaudit_setattr_video_dev',`
########################################
##
+## Get the attributes of X server miscellaneous devices.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_getattr_xserver_misc_dev',`
+ gen_require(`
+ type device_t, xserver_misc_device_t;
+ class dir r_dir_perms;
+ class chr_file getattr;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 xserver_misc_device_t:chr_file getattr;
+')
+
+########################################
+##
+## Set the attributes of X server miscellaneous devices.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_setattr_xserver_misc_dev',`
+ gen_require(`
+ type device_t, xserver_misc_device_t;
+ class dir r_dir_perms;
+ class chr_file setattr;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 xserver_misc_device_t:chr_file setattr;
+')
+
+########################################
+##
## Read and write to the zero device (/dev/zero).
##
##
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index a3c784f..e987e51 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -1969,6 +1969,23 @@ interface(`fs_set_all_quotas',`
########################################
##
+## Relabelfrom all filesystems.
+##
+##
+## The type of the domain doing the
+## getattr on the filesystem.
+##
+#
+interface(`fs_relabelfrom_all_fs',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ allow $1 filesystem_type:filesystem relabelfrom;
+')
+
+########################################
+##
## List all directories with a filesystem type.
##
##
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index d4d9bf7..78e4cfe 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -203,6 +203,16 @@ files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
+ifdef(`TODO',`
+ifdef(`targeted_policy', `
+unconfined_domain(kernel_t)
+')
+ifdef(`mls_policy', `
+# run init with maximum MLS range
+range_transition kernel_t init_exec_t s0 - s9:c0.c127;
+')
+') dnl end TODO
+
########################################
#
# Unlabeled process local policy
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index f8dd882..d33b92d 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -287,7 +287,7 @@ logging_read_generic_logs(system_crond_t)
logging_send_syslog_msg(system_crond_t)
miscfiles_read_localization(system_crond_t)
-miscfiles_read_man_pages(system_crond_t)
+miscfiles_manage_man_pages(system_crond_t)
seutil_read_config(system_crond_t)
@@ -311,6 +311,10 @@ tunable_policy(`cron_can_relabel',`
seutil_read_file_contexts(system_crond_t)
')
+optional_policy(`mysql.te',`
+ mysql_read_config(system_crond_t)
+')
+
optional_policy(`nis.te',`
nis_use_ypbind(system_crond_t)
')
diff --git a/refpolicy/policy/modules/services/rsync.te b/refpolicy/policy/modules/services/rsync.te
index 10fc119..1ad01fb 100644
--- a/refpolicy/policy/modules/services/rsync.te
+++ b/refpolicy/policy/modules/services/rsync.te
@@ -88,5 +88,5 @@ optional_policy(`nscd.te',`
')
ifdef(`TODO',`
-r_dir_file(rsync_t, ftpd_anon_t)
+anonymous_domain(rsync)
') dnl end TODO
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index daf9875..03bc86d 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -279,6 +279,7 @@ ifdef(`TODO',`
optional_policy(`rhgb.te',`
rhgb_domain(smbd_t)
')
+anonymous_domain(smbd)
can_winbind(smbd_t)
')
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index 6fab73a..ca7b37e 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -438,8 +438,10 @@ template(`ssh_server_template', `
auth_domtrans_chk_passwd($1_t)
auth_rw_login_records($1_t)
auth_rw_lastlog($1_t)
+ auth_append_faillog($1_t)
corecmd_read_bin_symlink($1_t)
+ corecmd_getattr_bin_file($1_t)
# for sshd subsystems, such as sftp-server.
corecmd_getattr_bin_file($1_t)
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 3bfa449..20850a0 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -381,6 +381,24 @@ interface(`auth_relabelto_shadow',`
')
#######################################
+##
+## Append to the login failure log.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`auth_append_faillog',`
+ gen_require(`
+ type faillog_t;
+ class file { getattr append };
+ ')
+
+ logging_search_logs($1)
+ allow $1 faillog_t:file { getattr append };
+')
+
+#######################################
#
# auth_rw_faillog(domain)
#
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 0769638..e1fb21d 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -167,6 +167,8 @@ dev_getattr_snd_dev(pam_console_t)
dev_setattr_snd_dev(pam_console_t)
dev_getattr_video_dev(pam_console_t)
dev_setattr_video_dev(pam_console_t)
+dev_getattr_xserver_misc_dev(pam_console_t)
+dev_setattr_xserver_misc_dev(pam_console_t)
fs_search_auto_mountpoints(pam_console_t)
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index f16a8bf..c6de011 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -186,8 +186,8 @@ dev_read_sysfs(sysfs_t)
# perhaps this should be blk_files?
dev_relabel_generic_symlinks(lvm_t)
# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
-dev_dontaudit_getattr_all_chr_files(lvm_t)
-dev_dontaudit_getattr_all_blk_files(lvm_t)
+dev_dontaudit_read_all_chr_files(lvm_t)
+dev_dontaudit_read_all_blk_files(lvm_t)
dev_dontaudit_getattr_generic_chr_file(lvm_t)
dev_dontaudit_getattr_generic_blk_file(lvm_t)
dev_dontaudit_getattr_generic_pipe(lvm_t)
@@ -264,4 +264,5 @@ optional_policy(`gnome-pty-helper.te', `
optional_policy(`rhgb.te',`
rhgb_domain(lvm_t)
')
+dontaudit lvm_t xconsole_device_t:fifo_file getattr;
') dnl end TODO
diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if
index b86b245..7a553a1 100644
--- a/refpolicy/policy/modules/system/miscfiles.if
+++ b/refpolicy/policy/modules/system/miscfiles.if
@@ -70,10 +70,10 @@ interface(`miscfiles_legacy_read_localization',`
########################################
##
-## Allow process to read man pages
+## Read man pages
##
##
-## Type type of the process performing this action.
+## Domain allowed access.
##
#
interface(`miscfiles_read_man_pages',`
@@ -92,6 +92,51 @@ interface(`miscfiles_read_man_pages',`
########################################
##
+## Delete man pages
+##
+##
+## Domain allowed access.
+##
+# cjp: added for tmpreaper
+#
+interface(`miscfiles_delete_man_pages',`
+ gen_require(`
+ type man_t;
+ class dir { setattr rw_dir_perms rmdir };
+ class file { getattr unlink };
+ class lnk_file { getattr unlink };
+ ')
+
+ files_search_usr($1)
+ allow $1 man_t:dir { setattr rw_dir_perms rmdir };
+ allow $1 man_t:file { getattr unlink };
+ allow $1 man_t:lnk_file { getattr unlink };
+')
+
+########################################
+##
+## Create, read, write, and delete man pages
+##
+##
+## Domain allowed access.
+##
+#
+interface(`miscfiles_manage_man_pages',`
+ gen_require(`
+ type man_t;
+ class dir create_dir_perms;
+ class file create_file_perms;
+ class lnk_file r_file_perms;
+ ')
+
+ files_search_usr($1)
+ allow $1 man_t:dir create_dir_perms;
+ allow $1 man_t:file create_file_perms;
+ allow $1 man_t:lnk_file r_file_perms;
+')
+
+########################################
+##
## Read TeX data
##
##
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index ae357bf..ad198c2 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -127,9 +127,12 @@ optional_policy(`rpm.te',`
rpm_rw_pipe(insmod_t)
')
-#optional_policy(`xserver.te',`
-# xserver_getattr_log(insmod_t)
-#')
+ifdef(`TODO',`
+optional_policy(`xserver.te',`
+ xserver_getattr_log(insmod_t)
+ allow insmod_t xserver_misc_device_t:chr_file { read write };
+')
+')
########################################
#
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 4e5d709..09570be 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -43,7 +43,7 @@ fs_getattr_xattr_fs(mount_t)
fs_mount_all_fs(mount_t)
fs_unmount_all_fs(mount_t)
fs_remount_all_fs(mount_t)
-fs_relabelfrom_xattr_fs(mount_t)
+fs_relabelfrom_all_fs(mount_t)
fs_search_auto_mountpoints(mount_t)
fs_use_tmpfs_chr_dev(mount_t)
diff --git a/refpolicy/policy/modules/system/pcmcia.if b/refpolicy/policy/modules/system/pcmcia.if
index 96cddbf..c86414e 100644
--- a/refpolicy/policy/modules/system/pcmcia.if
+++ b/refpolicy/policy/modules/system/pcmcia.if
@@ -11,9 +11,6 @@
interface(`pcmcia_domtrans_cardmgr',`
gen_require(`
type cardmgr_t, cardmgr_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
')
domain_auto_trans($1,cardmgr_exec_t,cardmgr_t)
@@ -26,6 +23,22 @@ interface(`pcmcia_domtrans_cardmgr',`
########################################
##
+## Inherit and use file descriptors from cardmgr.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`pcmcia_use_cardmgr_fd',`
+ gen_require(`
+ type cardmgr_t;
+ ')
+
+ allow $1 cardmgr_t:fd use;
+')
+
+########################################
+##
## Execute cardctl in the cardmgr domain.
##
##
@@ -35,9 +48,6 @@ interface(`pcmcia_domtrans_cardmgr',`
interface(`pcmcia_domtrans_cardctl',`
gen_require(`
type cardmgr_t, cardctl_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
')
domain_auto_trans($1,cardctl_exec_t,cardmgr_t)
@@ -66,7 +76,6 @@ interface(`pcmcia_domtrans_cardctl',`
interface(`pcmcia_run_cardctl',`
gen_require(`
type cardmgr_t;
- class chr_file rw_term_perms;
')
pcmcia_domtrans_cardctl($1)
@@ -85,8 +94,6 @@ interface(`pcmcia_run_cardctl',`
interface(`pcmcia_read_pid',`
gen_require(`
type cardmgr_var_run_t;
- class dir r_dir_perms;
- class file r_file_perms;
')
files_search_pids($1)
@@ -106,8 +113,6 @@ interface(`pcmcia_read_pid',`
interface(`pcmcia_manage_pid',`
gen_require(`
type cardmgr_var_run_t;
- class dir rw_dir_perms;
- class file create_file_perms;
')
files_search_pids($1)
@@ -127,8 +132,6 @@ interface(`pcmcia_manage_pid',`
interface(`pcmcia_manage_runtime_chr',`
gen_require(`
type cardmgr_var_run_t;
- class dir rw_dir_perms;
- class chr_file create_file_perms;
')
files_search_pids($1)
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index cc19cb5..ea798ea 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -288,6 +288,8 @@ selinux_compute_relabel_context(restorecon_t)
selinux_compute_user_contexts(restorecon_t)
term_use_unallocated_tty(restorecon_t)
+term_use_all_user_ttys(restorecon_t)
+term_use_all_user_ptys(restorecon_t)
init_use_fd(restorecon_t)
init_use_script_pty(restorecon_t)
@@ -332,6 +334,9 @@ ifdef(`TODO',`
# for upgrading glibc and other shared objects - without this the upgrade
# scripts will put things in a state such that restorecon can not be run!
allow restorecon_t lib_t:file { read execute };
+ifdef(`dpkg.te', `
+domain_auto_trans(dpkg_t, restorecon_exec_t, restorecon_t)
+')
') dnl endif TODO
#################################
diff --git a/strict/domains/misc/kernel.te b/strict/domains/misc/kernel.te
index 3901bc4..640309a 100644
--- a/strict/domains/misc/kernel.te
+++ b/strict/domains/misc/kernel.te
@@ -28,6 +28,11 @@ allow kernel_t { usbfs_t usbdevfs_t }:dir search;
# Run init in the init_t domain.
domain_auto_trans(kernel_t, init_exec_t, init_t)
+ifdef(`mls_policy', `
+# run init with maximum MLS range
+range_transition kernel_t init_exec_t s0 - s9:c0.c127;
+')
+
# Share state with the init process.
allow kernel_t init_t:process share;
@@ -65,4 +70,6 @@ can_loadpol(kernel_t)
# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
can_exec(kernel_t, bin_t)
-
+ifdef(`targeted_policy', `
+unconfined_domain(kernel_t)
+')
diff --git a/strict/domains/program/crond.te b/strict/domains/program/crond.te
index 43d6bbe..536824f 100644
--- a/strict/domains/program/crond.te
+++ b/strict/domains/program/crond.te
@@ -128,9 +128,8 @@ allow system_crond_t var_lib_t:dir rw_dir_perms;
allow system_crond_t var_lib_t:file create_file_perms;
# Update whatis files.
-allow system_crond_t catman_t:dir create_dir_perms;
-allow system_crond_t catman_t:file create_file_perms;
-allow system_crond_t man_t:file r_file_perms;
+allow system_crond_t man_t:dir create_dir_perms;
+allow system_crond_t man_t:file create_file_perms;
allow system_crond_t man_t:lnk_file read;
# Write /var/lock/makewhatis.lock.
diff --git a/strict/domains/program/lvm.te b/strict/domains/program/lvm.te
index b3df265..c5ce785 100644
--- a/strict/domains/program/lvm.te
+++ b/strict/domains/program/lvm.te
@@ -97,10 +97,11 @@ allow lvm_t devpts_t:dir { search getattr read };
read_locale(lvm_t)
# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
-dontaudit lvm_t device_type:{ chr_file blk_file } getattr;
+dontaudit lvm_t device_type:{ chr_file blk_file } { getattr read };
dontaudit lvm_t ttyfile:chr_file getattr;
dontaudit lvm_t device_t:{ fifo_file dir chr_file blk_file } getattr;
dontaudit lvm_t devpts_t:dir { getattr read };
+dontaudit lvm_t xconsole_device_t:fifo_file getattr;
ifdef(`gpm.te', `
dontaudit lvm_t gpmctl_t:sock_file getattr;
diff --git a/strict/domains/program/modutil.te b/strict/domains/program/modutil.te
index 64028d6..dbdae1b 100644
--- a/strict/domains/program/modutil.te
+++ b/strict/domains/program/modutil.te
@@ -116,6 +116,7 @@ allow insmod_t modules_object_t:file write;
allow insmod_t { var_t var_log_t }:dir search;
ifdef(`xserver.te', `
allow insmod_t xserver_log_t:file getattr;
+allow insmod_t xserver_misc_device_t:chr_file { read write };
')
rw_dir_create_file(insmod_t, var_log_ksyms_t)
allow insmod_t { etc_t etc_runtime_t }:file { getattr read };
diff --git a/strict/domains/program/mount.te b/strict/domains/program/mount.te
index 9efd6a4..ab6c359 100644
--- a/strict/domains/program/mount.te
+++ b/strict/domains/program/mount.te
@@ -68,7 +68,7 @@ rhgb_domain(mount_t)
# for localization
allow mount_t lib_t:file { getattr read };
allow mount_t autofs_t:dir read;
-allow mount_t fs_t:filesystem relabelfrom;
+allow mount_t fs_type:filesystem relabelfrom;
#
# This rule needs to be generalized. Only admin, initrc should have it.
#
diff --git a/strict/domains/program/mysqld.te b/strict/domains/program/mysqld.te
index 1bd9073..ea0315b 100644
--- a/strict/domains/program/mysqld.te
+++ b/strict/domains/program/mysqld.te
@@ -88,4 +88,7 @@ allow userdomain mysqld_var_run_t:sock_file write;
}
')
+ifdef(`crond.te', `
+allow system_crond_t mysqld_etc_t:file { getattr read };
+')
allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
diff --git a/strict/domains/program/pamconsole.te b/strict/domains/program/pamconsole.te
index cbb84af..ed85882 100644
--- a/strict/domains/program/pamconsole.te
+++ b/strict/domains/program/pamconsole.te
@@ -30,7 +30,7 @@ r_dir_file(pam_console_t, pam_var_console_t)
allow pam_console_t device_t:dir { getattr read };
allow pam_console_t device_t:lnk_file { getattr read };
# mouse_device_t is for joy sticks
-allow pam_console_t { framebuf_device_t v4l_device_t apm_bios_t sound_device_t misc_device_t tty_device_t scanner_device_t mouse_device_t power_device_t removable_device_t scsi_generic_device_t }:chr_file { getattr setattr };
+allow pam_console_t { xserver_misc_device_t framebuf_device_t v4l_device_t apm_bios_t sound_device_t misc_device_t tty_device_t scanner_device_t mouse_device_t power_device_t removable_device_t scsi_generic_device_t }:chr_file { getattr setattr };
allow pam_console_t { removable_device_t fixed_disk_device_t }:blk_file { getattr setattr };
allow pam_console_t mnt_t:dir r_dir_perms;
diff --git a/strict/domains/program/ping.te b/strict/domains/program/ping.te
index 3a54e81..c0c664f 100644
--- a/strict/domains/program/ping.te
+++ b/strict/domains/program/ping.te
@@ -17,7 +17,9 @@ role system_r types ping_t;
in_user_role(ping_t)
type ping_exec_t, file_type, sysadmfile, exec_type;
-ifdef(`targeted_policy', `', `
+ifdef(`targeted_policy', `
+ allow ping_t { devpts_t ttyfile ptyfile }:chr_file rw_file_perms;
+', `
bool user_ping false;
if (user_ping) {
@@ -55,4 +57,7 @@ dontaudit ping_t fs_t:filesystem getattr;
dontaudit ping_t var_t:dir search;
dontaudit ping_t devtty_t:chr_file { read write };
dontaudit ping_t self:capability sys_tty_config;
+ifdef(`hide_broken_symptoms', `
+allow ping_t init_t:fd use;
+')
diff --git a/strict/domains/program/portmap.te b/strict/domains/program/portmap.te
index adc364d..54cad6f 100644
--- a/strict/domains/program/portmap.te
+++ b/strict/domains/program/portmap.te
@@ -58,7 +58,7 @@ role system_r types portmap_helper_t;
domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t)
dontaudit portmap_helper_t self:capability { net_admin };
allow portmap_helper_t self:capability { net_bind_service };
-allow portmap_helper_t { var_run_t initrc_var_run_t } :file rw_file_perms;
+allow portmap_helper_t initrc_var_run_t:file rw_file_perms;
file_type_auto_trans(portmap_helper_t, var_run_t, portmap_var_run_t, file)
allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
can_network(portmap_helper_t)
diff --git a/strict/domains/program/restorecon.te b/strict/domains/program/restorecon.te
index 058dcd1..0e3a278 100644
--- a/strict/domains/program/restorecon.te
+++ b/strict/domains/program/restorecon.te
@@ -17,11 +17,12 @@ type restorecon_exec_t, file_type, sysadmfile, exec_type;
role system_r types restorecon_t;
role sysadm_r types restorecon_t;
+role secadm_r types restorecon_t;
allow restorecon_t initrc_devpts_t:chr_file { read write ioctl };
-allow restorecon_t { tty_device_t admin_tty_type }:chr_file { read write ioctl };
+allow restorecon_t { tty_device_t admin_tty_type user_tty_type devtty_t }:chr_file { read write ioctl };
-domain_auto_trans({ initrc_t sysadm_t }, restorecon_exec_t, restorecon_t)
+domain_auto_trans({ initrc_t sysadm_t secadm_t }, restorecon_exec_t, restorecon_t)
allow restorecon_t { userdomain init_t privfd }:fd use;
uses_shlib(restorecon_t)
@@ -44,6 +45,9 @@ allow restorecon_t { device_t device_type }:{ chr_file blk_file } { getattr rela
ifdef(`distro_redhat', `
allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto };
')
+ifdef(`dpkg.te', `
+domain_auto_trans(dpkg_t, restorecon_exec_t, restorecon_t)
+')
allow restorecon_t ptyfile:chr_file getattr;
diff --git a/strict/domains/program/rpm.te b/strict/domains/program/rpm.te
index e245f57..8405e84 100644
--- a/strict/domains/program/rpm.te
+++ b/strict/domains/program/rpm.te
@@ -114,7 +114,7 @@ allow rpm_script_t {devpts_t devtty_t}:chr_file rw_file_perms;
allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
-type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, priv_system_role;
+type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, privrole, priv_system_role;
# policy for rpm scriptlet
role system_r types rpm_script_t;
uses_shlib(rpm_script_t)
@@ -194,6 +194,7 @@ domain_auto_trans(rpm_script_t, restorecon_exec_t, restorecon_t)
domain_auto_trans(rpm_script_t, ldconfig_exec_t, ldconfig_t)
domain_auto_trans(rpm_script_t, depmod_exec_t, depmod_t)
+role sysadm_r types initrc_t;
domain_auto_trans(rpm_script_t, initrc_exec_t, initrc_t)
ifdef(`bootloader.te', `
domain_auto_trans(rpm_script_t, bootloader_exec_t, bootloader_t)
diff --git a/strict/domains/program/rsync.te b/strict/domains/program/rsync.te
index c7d5378..8786fb8 100644
--- a/strict/domains/program/rsync.te
+++ b/strict/domains/program/rsync.te
@@ -14,6 +14,6 @@
inetd_child_domain(rsync)
type rsync_data_t, file_type, sysadmfile;
r_dir_file(rsync_t, rsync_data_t)
-r_dir_file(rsync_t, ftpd_anon_t)
+anonymous_domain(rsync)
diff --git a/strict/domains/program/samba.te b/strict/domains/program/samba.te
index a1570b6..1ce50e5 100644
--- a/strict/domains/program/samba.te
+++ b/strict/domains/program/samba.te
@@ -79,6 +79,7 @@ allow smbd_t usr_t:file { getattr read };
# Access Samba shares.
create_dir_file(smbd_t, samba_share_t)
+anonymous_domain(smbd)
ifdef(`logrotate.te', `
# the application should be changed
diff --git a/strict/domains/program/ssh.te b/strict/domains/program/ssh.te
index 221ec7a..28c9bea 100644
--- a/strict/domains/program/ssh.te
+++ b/strict/domains/program/ssh.te
@@ -115,6 +115,9 @@ can_create_pty($1, `, server_pty')
allow $1_t $1_devpts_t:chr_file { setattr getattr relabelfrom };
dontaudit sshd_t userpty_type:chr_file relabelfrom;
+allow $1_t faillog_t:file { append getattr };
+allow $1_t sbin_t:file getattr;
+
# Allow checking users mail at login
allow $1_t { var_spool_t mail_spool_t }:dir search;
allow $1_t mail_spool_t:lnk_file read;
diff --git a/strict/domains/program/tmpreaper.te b/strict/domains/program/tmpreaper.te
index 8b2111b..2373a50 100644
--- a/strict/domains/program/tmpreaper.te
+++ b/strict/domains/program/tmpreaper.te
@@ -16,8 +16,8 @@ role system_r types tmpreaper_t;
system_crond_entry(tmpreaper_exec_t, tmpreaper_t)
uses_shlib(tmpreaper_t)
# why does it need setattr?
-allow tmpreaper_t tmpfile:dir { setattr rw_dir_perms rmdir };
-allow tmpreaper_t tmpfile:notdevfile_class_set { getattr unlink };
+allow tmpreaper_t { man_t tmpfile }:dir { setattr rw_dir_perms rmdir };
+allow tmpreaper_t { man_t tmpfile }:notdevfile_class_set { getattr unlink };
allow tmpreaper_t { home_type file_t }:notdevfile_class_set { getattr unlink };
allow tmpreaper_t self:process { fork sigchld };
allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
diff --git a/strict/macros/core_macros.te b/strict/macros/core_macros.te
index b744fe5..4ff37c7 100644
--- a/strict/macros/core_macros.te
+++ b/strict/macros/core_macros.te
@@ -361,6 +361,7 @@ define(`can_loadpol',`
# Get the selinuxfs mount point via /proc/self/mounts.
allow $1 proc_t:dir search;
allow $1 proc_t:lnk_file read;
+allow $1 proc_t:file { getattr read };
allow $1 self:dir search;
allow $1 self:file { getattr read };
# Access selinuxfs.
diff --git a/strict/macros/global_macros.te b/strict/macros/global_macros.te
index b4cccc4..cdde6aa 100644
--- a/strict/macros/global_macros.te
+++ b/strict/macros/global_macros.te
@@ -595,6 +595,18 @@ allow $1 self:capability sys_admin;
')dnl end polyinstantiater
#
+# Domain that is allow to read anonymous data off the network
+# without providing authentication.
+# Also define boolean to allow anonymous writing
+#
+define(`anonymous_domain', `
+r_dir_file($1_t, ftpd_anon_t)
+bool allow_$1_anon_write false;
+if (allow_$1_anon_write) {
+create_dir_file($1_t,ftpd_anon_rw_t)
+}
+')
+#
# Define a domain that can do anything, so that it is
# effectively unconfined by the SELinux policy. This
# means that it is only restricted by the normal Linux
@@ -727,3 +739,15 @@ allow $1 removable_device_t:blk_file r_file_perms;
allow $1 removable_t:filesystem getattr;
')
+
+define(`authentication_domain', `
+can_ypbind($1)
+can_kerberos($1)
+can_ldap($1)
+can_resolve($1)
+can_winbind($1)
+r_dir_file($1, cert_t)
+allow $1 { random_device_t urandom_device_t }:chr_file { getattr read };
+allow $1 self:capability { audit_write audit_control };
+dontaudit $1 shadow_t:file { getattr read };
+')
diff --git a/strict/macros/network_macros.te b/strict/macros/network_macros.te
index d5eaca1..0c8817a 100644
--- a/strict/macros/network_macros.te
+++ b/strict/macros/network_macros.te
@@ -16,9 +16,7 @@ allow $1 self:$2_socket connected_socket_perms;
# Allow the domain to send or receive using any network interface.
# netif_type is a type attribute for all network interface types.
#
-allow $1 netif_type:netif { $2_send rawip_send };
-allow $1 netif_type:netif { $2_recv rawip_recv };
-
+allow $1 netif_t:netif { $2_recv $2_send rawip_send rawip_recv };
#
# Allow the domain to send to or receive from any node.
# node_type is a type attribute for all node types.