diff --git a/refpolicy/policy/modules/admin/amanda.te b/refpolicy/policy/modules/admin/amanda.te
index 4a25d6c..6f801ac 100644
--- a/refpolicy/policy/modules/admin/amanda.te
+++ b/refpolicy/policy/modules/admin/amanda.te
@@ -37,10 +37,16 @@ files_type(amanda_gnutarlists_t) type amanda_user_exec_t; files_type(amanda_user_exec_t) +# temp: +typeattribute amanda_user_exec_t entry_type; + # type for same awk and other scripts type amanda_script_exec_t; files_type(amanda_script_exec_t) +# temp: +typeattribute amanda_user_exec_t entry_type; + # type for the shell configuration files type amanda_shellconfig_t; files_type(amanda_shellconfig_t)
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index a089a1d..88921ad 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -73,8 +73,15 @@ logging_send_syslog_msg(netutils_t) miscfiles_read_localization(netutils_t) +sysnet_read_config(netutils_t) + userdom_use_all_user_fd(netutils_t) +ifdef(`targeted_policy',` + term_use_generic_pty(netutils_t) + term_use_unallocated_tty(netutils_t) +') + optional_policy(`nis.te',` nis_use_ypbind(netutils_t) ')
diff --git a/refpolicy/policy/modules/services/kerberos.te b/refpolicy/policy/modules/services/kerberos.te
index b8d10eb..fccdc21 100644
--- a/refpolicy/policy/modules/services/kerberos.te
+++ b/refpolicy/policy/modules/services/kerberos.te
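Review bot: In amanda.te the second `# temp:` block, the one placed after `amanda_script_exec_t`, repeats `typeattribute amanda_user_exec_t entry_type;`, so the script type never receives the attribute and the user type is tagged twice. If the script type was intended, the line should read `typeattribute amanda_script_exec_t entry_type;`; otherwise the duplicate should go. The same temporary tagging is added in postfix.te, xdm.te and corecommands.te, and without any comment in spamassassin.te, and none of them says what it is waiting on. Any rule written against the `entry_type` attribute now also covers these files, so a comment of the form `# temp: remove once <condition - placeholder>` on each would let a later audit find and retire them.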
@@ -55,9 +55,10 @@ files_pid_file(krb5kdc_var_run_t) # Use capabilities. Surplus capabilities may be allowed. allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice }; dontaudit kadmind_t self:capability sys_tty_config; -allow kadmind_t self:tcp_socket connected_stream_socket_perms; allow kadmind_t self:netlink_route_socket r_netlink_socket_perms; allow kadmind_t self:unix_dgram_socket { connect create write }; +allow kadmind_t self:tcp_socket connected_stream_socket_perms; +allow kadmind_t self:udp_socket create_socket_perms; allow kadmind_t kadmind_log_t:file create_file_perms; logging_create_log(kadmind_t,kadmind_log_t)
@@ -77,7 +78,8 @@ allow kadmind_t kadmind_tmp_t:dir create_dir_perms; allow kadmind_t kadmind_tmp_t:file create_file_perms; files_create_tmp_files(kadmind_t, kadmind_tmp_t, { file dir }) -allow kadmind_t kadmind_var_run_t:file { getattr create read write append setattr unlink }; +allow kadmind_t kadmind_var_run_t:file create_file_perms; +allow kadmind_t kadmind_var_run_t:dir rw_dir_perms; files_create_pid(kadmind_t,kadmind_var_run_t) kernel_read_kernel_sysctl(kadmind_t)
diff --git a/refpolicy/policy/modules/services/ktalk.te b/refpolicy/policy/modules/services/ktalk.te
index baeff9f..81a80e3 100644
--- a/refpolicy/policy/modules/services/ktalk.te
+++ b/refpolicy/policy/modules/services/ktalk.te
@@ -43,6 +43,7 @@ allow ktalkd_t ktalkd_tmp_t:file create_file_perms; files_create_tmp_files(ktalkd_t, ktalkd_tmp_t, { file dir }) allow ktalkd_t ktalkd_var_run_t:file create_file_perms; +allow ktalkd_t ktalkd_var_run_t:dir rw_dir_perms; files_create_pid(ktalkd_t,ktalkd_var_run_t) kernel_read_kernel_sysctl(ktalkd_t)
diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te
index 796cf67..aa20055 100644
--- a/refpolicy/policy/modules/services/ldap.te
+++ b/refpolicy/policy/modules/services/ldap.te
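Review bot: The second kerberos.te hunk widens kadmind's access to its pid file by swapping an explicit seven-permission list for `create_file_perms`, which in refpolicy's permission sets also carries `ioctl`, `lock`, `link` and `rename`. If the swap is only for uniformity with the other daemons, a short comment should say so; if kadmind does not need the extra permissions, the explicit list was the tighter rule and should stay. The new `kadmind_var_run_t:dir rw_dir_perms` line is repeated for ktalkd_t, nscd_t, ntpd_t and squid_t elsewhere in this commit, and none of them records which directory carries that type. `files_create_pid(kadmind_t,kadmind_var_run_t)` is called here without a class list, so nothing visible in the hunk creates such a directory. A one-line comment naming the directory on each of these rules would let a reader confirm that the write access is needed.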
@@ -37,6 +37,7 @@ dontaudit slapd_t self:capability sys_tty_config; allow slapd_t self:process setsched; allow slapd_t self:fifo_file { read write }; allow slapd_t self:netlink_route_socket r_netlink_socket_perms; +allow slapd_t self:udp_socket create_socket_perms; # Allow access to the slapd databases allow slapd_t slapd_db_t:dir create_dir_perms;
@@ -97,8 +98,11 @@ libs_use_shared_libs(slapd_t) logging_send_syslog_msg(slapd_t) +miscfiles_read_certs(slapd_t) miscfiles_read_localization(slapd_t) +sysnet_read_config(slapd_t) + userdom_dontaudit_use_unpriv_user_fd(slapd_t) userdom_dontaudit_search_sysadm_home_dir(slapd_t)
@@ -121,7 +125,6 @@ optional_policy(`udev.te', ` ') ifdef(`TODO',` -r_dir_file(slapd_t, cert_t) optional_policy(`rhgb.te',` rhgb_domain(slapd_t) ')
diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te
index e0dadf0..db088a1 100644
--- a/refpolicy/policy/modules/services/mysql.te
+++ b/refpolicy/policy/modules/services/mysql.te
@@ -42,8 +42,11 @@ allow mysqld_t self:udp_socket create_socket_perms; allow mysqld_t mysqld_db_t:dir create_dir_perms; allow mysqld_t mysqld_db_t:file create_file_perms; allow mysqld_t mysqld_db_t:lnk_file create_lnk_perms; +files_create_var_lib(mysqld_t,mysqld_db_t,{ dir file })
 allow mysqld_t mysqld_etc_t:file { getattr read }; +allow mysqld_t mysqld_etc_t:lnk_file { getattr read }; +allow mysqld_t mysqld_etc_t:dir list_dir_perms; allow mysqld_t mysqld_log_t:file create_file_perms; logging_create_log(mysqld_t,mysqld_log_t)
diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te
index 5f902d2..768ee73 100644
--- a/refpolicy/policy/modules/services/nscd.te
+++ b/refpolicy/policy/modules/services/nscd.te
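Review bot: In mysql.te the added `files_create_var_lib(mysqld_t,mysqld_db_t,{ dir file })` lists only `dir` and `file`, while the rule directly above it lets mysqld_t create `lnk_file` objects of type mysqld_db_t. A symlink created at the top of the var lib directory would therefore not pick up the database type. If mysqld only creates symlinks inside directories that are already labelled mysqld_db_t, the omission is deliberate and deserves a comment such as `# symlinks are only created below mysqld_db_t directories`; otherwise the class list should include `lnk_file`.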
@@ -49,6 +49,7 @@ logging_create_log(nscd_t,nscd_log_t) allow nscd_t nscd_var_run_t:file create_file_perms; allow nscd_t nscd_var_run_t:sock_file create_file_perms; +allow nscd_t nscd_var_run_t:dir rw_dir_perms; files_create_pid(nscd_t,nscd_var_run_t,{ file sock_file }) kernel_read_kernel_sysctl(nscd_t)
@@ -110,7 +111,10 @@ sysnet_read_config(nscd_t) userdom_dontaudit_use_unpriv_user_fd(nscd_t) userdom_dontaudit_search_sysadm_home_dir(nscd_t) -ifdef(`targeted_policy', ` +ifdef(`targeted_policy',` + term_use_unallocated_tty(nscd_t) + term_use_generic_pty(nscd_t) + term_dontaudit_use_unallocated_tty(nscd_t) term_dontaudit_use_generic_pty(nscd_t) files_dontaudit_read_root_file(nscd_t)
@@ -120,23 +124,22 @@ optional_policy(`nis.te',` nis_use_ypbind(nscd_t) ') +optional_policy(`samba.te',` + samba_connect_winbind(nscd_t) +') + optional_policy(`udev.te', ` udev_read_db(nscd_t) ') ifdef(`TODO',` optional_policy(`winbind.te', ` - # Handle winbind for samba, Might only be needed for targeted policy - - allow nscd_t winbind_var_run_t:sock_file { read write getattr }; - can_unix_connect(nscd_t, winbind_t) allow nscd_t samba_var_t:dir search; - allow nscd_t winbind_var_run_t:dir { getattr search }; ') optional_policy(`rhgb.te',` rhgb_domain(nscd_t) ') -r_dir_file(nscd_t, cert_t) + allow nscd_t tmp_t:dir { search getattr }; allow nscd_t tmp_t:lnk_file read; ') dnl end TODO
diff --git a/refpolicy/policy/modules/services/ntp.te b/refpolicy/policy/modules/services/ntp.te
index e768390..524fcc3 100644
--- a/refpolicy/policy/modules/services/ntp.te
+++ b/refpolicy/policy/modules/services/ntp.te
@@ -57,6 +57,7 @@ allow ntpd_t ntpd_tmp_t:file create_file_perms; files_create_tmp_files(ntpd_t, ntpd_tmp_t, { file dir }) allow ntpd_t ntpd_var_run_t:file create_file_perms; +allow ntpd_t ntpd_var_run_t:dir rw_dir_perms; files_create_pid(ntpd_t,ntpd_var_run_t) kernel_read_kernel_sysctl(ntpd_t)
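Review bot: The targeted_policy block in the second nscd.te hunk now grants `term_use_unallocated_tty(nscd_t)` and `term_use_generic_pty(nscd_t)` while keeping the two `term_dontaudit_use_*` calls for the same terminals just below them. Once the access is allowed the dontaudit lines hide nothing, and the block states two opposite intentions. Keep one pair: delete the dontaudit calls if nscd really needs the terminal, or drop the added use calls and stay with dontaudit, as this commit does for klogd_t in logging.te. The ifdef block closes outside the hunk.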
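Review bot: The third nscd.te hunk deletes `r_dir_file(nscd_t, cert_t)` from the TODO block without adding a converted equivalent, whereas the same deletion in ldap.te is paired with `miscfiles_read_certs(slapd_t)`. If nscd still has to read certificates, add `miscfiles_read_certs(nscd_t)` next to the other miscfiles calls; if the access was judged unnecessary, the commit message should say so, so that the dropped TODO is not read as an oversight. A call elsewhere in the file may already cover it, which this hunk does not show. The leftover `allow nscd_t samba_var_t:dir search;` inside the winbind TODO block also needs a decision now that `samba_connect_winbind(nscd_t)` is in place.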
diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te
index 8a2b38b..0888803 100644
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@@ -19,6 +19,9 @@ files_type(postfix_etc_t) type postfix_exec_t; files_type(postfix_exec_t) +# temp: +typeattribute postfix_exec_t entry_type; + postfix_server_domain_template(local) mta_mailserver_delivery(postfix_local_t)
diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te
index a1d107b..a39737c 100644
--- a/refpolicy/policy/modules/services/privoxy.te
+++ b/refpolicy/policy/modules/services/privoxy.te
@@ -27,7 +27,7 @@ allow privoxy_t self:tcp_socket create_stream_socket_perms; allow privoxy_t privoxy_log_t:file create_file_perms; allow privoxy_t privoxy_log_t:dir rw_dir_perms; -logging_search_logs(privoxy_t,privoxy_log_t,{ file dir }) +logging_create_log(privoxy_t,privoxy_log_t) allow privoxy_t privoxy_var_run_t:file create_file_perms; files_create_pid(privoxy_t,privoxy_var_run_t)
diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te
index a97532e..1ec9f1a 100644
--- a/refpolicy/policy/modules/services/spamassassin.te
+++ b/refpolicy/policy/modules/services/spamassassin.te
@@ -157,3 +157,5 @@ allow spamd_t amavisd_lib_t:file create_file_perms; allow spamd_t amavisd_lib_t:lnk_file create_lnk_perms; ') ') dnl end TODO + +typeattribute spamc_exec_t entry_type;
diff --git a/refpolicy/policy/modules/services/squid.te b/refpolicy/policy/modules/services/squid.te
index 45b79d6..81f45b2 100644
--- a/refpolicy/policy/modules/services/squid.te
+++ b/refpolicy/policy/modules/services/squid.te
@@ -31,16 +31,19 @@ files_pid_file(squid_var_run_t) allow squid_t self:capability { setgid setuid dac_override }; dontaudit squid_t self:capability sys_tty_config; allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow squid_t self:unix_stream_socket create_stream_socket_perms; -allow squid_t self:unix_dgram_socket create_socket_perms; -allow squid_t self:unix_dgram_socket sendto; -allow squid_t self:unix_stream_socket connectto; allow squid_t self:fifo_file rw_file_perms; +allow squid_t self:sock_file r_file_perms; allow squid_t self:fd use; allow squid_t self:shm create_shm_perms; allow squid_t self:sem create_sem_perms; allow squid_t self:msgq create_msgq_perms; allow squid_t self:msg { send receive }; +allow squid_t self:unix_stream_socket create_stream_socket_perms; +allow squid_t self:unix_dgram_socket create_socket_perms; +allow squid_t self:unix_dgram_socket sendto; +allow squid_t self:unix_stream_socket connectto; +allow squid_t self:tcp_socket create_stream_socket_perms; +allow squid_t self:udp_socket create_socket_perms; # Grant permissions to create, access, and delete cache files. allow squid_t squid_cache_t:dir create_dir_perms;
@@ -58,6 +61,7 @@ allow squid_t squid_log_t:dir rw_dir_perms; logging_create_log(squid_t,squid_log_t,{ file dir }) allow squid_t squid_var_run_t:file create_file_perms; +allow squid_t squid_var_run_t:dir rw_dir_perms; files_create_pid(squid_t,squid_var_run_t)
 kernel_read_kernel_sysctl(squid_t)
@@ -124,6 +128,8 @@ logging_send_syslog_msg(squid_t) miscfiles_read_certs(squid_t) miscfiles_read_localization(squid_t) +sysnet_read_config(squid_t) + userdom_use_unpriv_users_fd(squid_t) userdom_dontaudit_use_unpriv_user_fd(squid_t) userdom_dontaudit_search_sysadm_home_dir(squid_t)
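Review bot: The added `allow squid_t self:sock_file r_file_perms;` in the first squid.te hunk names the domain type itself as the object, so it only matches a socket file whose label is squid_t. Socket files that squid creates on disk would normally carry a file type such as squid_var_run_t, which this rule does not cover; that reading is inferred from the other rules in the hunk. If the line was carried over from an older macro, a comment such as `# kept from the old daemon macro; no squid_t-labelled sock_file is expected` makes that clear. If it was meant to give access to squid's own sockets on disk, it should name the file type instead. The surrounding self rules begin before the hunk.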
@@ -158,6 +164,10 @@ optional_policy(`nscd.te',` nscd_use_socket(squid_t) ') +optional_policy(`samba.te',` + samba_domtrans_winbind_helper(squid_t) +') + optional_policy(`selinuxutil.te',` seutil_sigchld_newrole(squid_t) ')
diff --git a/refpolicy/policy/modules/services/xdm.te b/refpolicy/policy/modules/services/xdm.te
index 5e9ad2e..63615df 100644
--- a/refpolicy/policy/modules/services/xdm.te
+++ b/refpolicy/policy/modules/services/xdm.te
@@ -24,6 +24,9 @@ init_daemon_domain(xdm_t,xdm_exec_t) type xsession_exec_t; files_type(xsession_exec_t) +# temp: +typeattribute xsession_exec_t entry_type; + type xserver_log_t; files_type(xserver_log_t)
diff --git a/refpolicy/policy/modules/system/corecommands.te b/refpolicy/policy/modules/system/corecommands.te
index 7ee474b..801da90 100644
--- a/refpolicy/policy/modules/system/corecommands.te
+++ b/refpolicy/policy/modules/system/corecommands.te
@@ -24,6 +24,9 @@ files_type(sbin_t) type ls_exec_t; files_type(ls_exec_t) +#cjp: temp +typeattribute ls_exec_t entry_type; + # # shell_exec_t is the type of user shells such as /bin/bash. #
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 495874c..a7e665b 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -359,10 +359,9 @@ interface(`domain_dontaudit_use_wide_inherit_fd',` interface(`domain_sigchld_wide_inherit_fd',` gen_require(` attribute privfd; - class process signal; ') - dontaudit $1 privfd:fd use; + allow $1 privfd:process sigchld; ') ########################################
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index cfa6a2f..a9516ea 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
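Review bot: The new samba block in squid.te calls `samba_domtrans_winbind_helper(squid_t)`, which lets the proxy start a program that runs in a different domain, and the hunk gives no reason for it. A domain transition changes what a compromised squid process can reach, so the block should carry a comment stating which squid feature needs the helper, for example `# squid runs the winbind helper for proxy authentication` if that is the case (inferred from the interface name). The helper domain's own rules should be reviewed together with this change.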
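Review bot: In domain.if the corrected rule `allow $1 privfd:process sigchld;` uses class `process` with permission `sigchld`, but the commit deletes the `class process signal;` line from `gen_require` instead of correcting it. That leaves the interface with no requirement for the class and permission it now depends on. The line should be replaced rather than removed: `class process sigchld;`. Whether the current build tolerates the missing requirement depends on how the policy is compiled, which the diff does not show, but declaring it keeps the interface self-contained.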
@@ -196,6 +196,7 @@ dontaudit klogd_t self:capability sys_resource; kernel_read_system_state(klogd_t) kernel_read_messages(klogd_t) +kernel_read_kernel_sysctl(klogd_t) # Control syslog and console logging kernel_clear_ring_buffer(klogd_t) kernel_change_ring_buffer_level(klogd_t)
@@ -203,8 +204,10 @@ kernel_change_ring_buffer_level(klogd_t) bootloader_read_kernel_symbol_table(klogd_t) dev_read_raw_memory(klogd_t) +dev_read_sysfs(klogd_t) fs_getattr_all_fs(klogd_t) +fs_search_auto_mountpoints(klogd_t) domain_use_wide_inherit_fd(klogd_t)
@@ -214,6 +217,7 @@ files_read_etc_runtime_files(klogd_t) files_read_etc_files(klogd_t) init_use_fd(klogd_t) +init_use_script_pty(klogd_t) libs_use_ld_so(klogd_t) libs_use_shared_libs(klogd_t)
@@ -222,10 +226,13 @@ logging_send_syslog_msg(klogd_t) miscfiles_read_localization(klogd_t) -ifdef(`TODO',` -ifdef(`targeted_policy', ` -allow klogd_t unconfined_t:system syslog_mod; +optional_policy(`udev.te', ` + udev_read_db(klogd_t) ') + +ifdef(`targeted_policy',` + term_dontaudit_use_generic_pty(klogd_t) + term_dontaudit_use_unallocated_tty(klogd_t) ') ########################################
@@ -261,7 +268,8 @@ allow syslogd_t var_log_t:dir { create setattr }; # manage temporary files allow syslogd_t syslogd_tmp_t:file create_file_perms; -files_create_tmp_files(syslogd_t,syslogd_tmp_t) +allow syslogd_t syslogd_tmp_t:dir create_dir_perms; +files_create_tmp_files(syslogd_t,syslogd_tmp_t,{ dir file }) allow syslogd_t syslogd_var_run_t:file create_file_perms; files_create_pid(syslogd_t,syslogd_var_run_t,file)