##
-## Run gconfd in the role-specfic gconfd domain.
+## Run gconfd in the role-specific gconfd domain.
##
##
## This is a templated interface, and should only
@@ -170,6 +237,30 @@
########################################
##
+## read gnome homedir content (.config)
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+#
+template(`gnome_read_user_gnome_config',`
+ gen_require(`
+ type $1_gnome_home_t;
+ ')
+
+ read_files_pattern($2, $1_gnome_home_t, $1_gnome_home_t)
+')
+
+########################################
+##
## manage gnome homedir content (.config)
##
##
@@ -189,6 +280,26 @@
type $1_gnome_home_t;
')
- allow $2 $1_gnome_home_t:dir manage_dir_perms;
- allow $2 $1_gnome_home_t:file manage_file_perms;
+ manage_dirs_pattern($2, $1_gnome_home_t, $1_gnome_home_t)
+ manage_files_pattern($2, $1_gnome_home_t, $1_gnome_home_t)
')
+
+########################################
+##
+## Execute gconf programs in
+## in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_exec_gconf',`
+ gen_require(`
+ type gconfd_exec_t;
+ ')
+
+ can_exec($1, gconfd_exec_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.0.8/policy/modules/apps/gnome.te
--- nsaserefpolicy/policy/modules/apps/gnome.te 2007-07-25 10:37:37.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/gnome.te 2007-09-17 16:20:18.000000000 -0400
@@ -8,8 +8,5 @@
attribute gnomedomain;
-type gconf_etc_t;
-files_type(gconf_etc_t)
-
type gconfd_exec_t;
application_executable_file(gconfd_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.0.8/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2007-05-29 14:10:48.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/java.fc 2007-09-20 18:08:22.000000000 -0400
@@ -11,6 +11,7 @@
#
/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0)
@@ -20,5 +21,11 @@
/usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+
+/usr/lib(64)?/openoffice\.org/program/soffice\.bin -- gen_context(system_u:object_r:java_exec_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.8/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2007-08-02 08:17:26.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/java.if 2007-09-20 18:26:14.000000000 -0400
@@ -32,7 +32,7 @@
##
##
#
-template(`java_per_role_template',`
+template(`java_plugin_per_role_template',`
gen_require(`
type java_exec_t;
')
@@ -81,8 +81,7 @@
can_exec($1_javaplugin_t, java_exec_t)
- # The user role is authorized for this domain.
- domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t)
+ domain_auto_trans($2, java_exec_t, $1_javaplugin_t)
allow $1_javaplugin_t $2:fd use;
# Unrestricted inheritance from the caller.
allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh };
@@ -166,6 +165,62 @@
optional_policy(`
xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
')
+
+')
+
+#######################################
+##
+## The per role template for the java module.
+##
+##
+##
+## This template creates a derived domains which are used
+## for java applications.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+#
+template(`java_per_role_template',`
+ gen_require(`
+ type java_exec_t;
+ ')
+
+ type $1_java_t;
+ domain_type($1_java_t)
+ domain_entry_file($1_java_t,java_exec_t)
+ role $3 types $1_java_t;
+
+ domain_interactive_fd($1_java_t)
+
+ userdom_unpriv_usertype($1, $1_java_t)
+
+ allow $1_java_t self:process { getsched sigkill execheap execmem execstack };
+
+ domtrans_pattern($2, java_exec_t, $1_java_t)
+
+ dev_read_urand($1_java_t)
+ dev_read_rand($1_java_t)
+
+ fs_dontaudit_rw_tmpfs_files($1_java_t)
+
+ optional_policy(`
+ xserver_xdm_rw_shm($1_java_t)
+ ')
')
########################################
@@ -219,3 +274,66 @@
corecmd_search_bin($1)
domtrans_pattern($1, java_exec_t, java_t)
')
+
+########################################
+##
+## Execute a java in the specified domain
+##
+##
+##
+## Execute the java command in the specified domain. This allows
+## the specified domain to execute any file
+## on these filesystems in the specified
+## domain.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the new process.
+##
+##
+#
+interface(`java_spec_domtrans',`
+ gen_require(`
+ type java_exec_t;
+ ')
+
+ domain_trans($1,java_exec_t,$2)
+ type_transition $1 java_exec_t:process $2;
+')
+
+########################################
+##
+## Execute java in the java domain, and
+## allow the specified role the java domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+##
+## The role to be allowed the java domain.
+##
+##
+##
+##
+## The type of the terminal allow the java domain to use.
+##
+##
+#
+interface(`java_run',`
+ gen_require(`
+ type java_t;
+ ')
+
+ java_domtrans($1)
+ role $2 types java_t;
+ allow java_t $3:chr_file rw_term_perms;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.0.8/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te 2007-07-25 10:37:37.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/java.te 2007-09-20 18:14:17.000000000 -0400
@@ -23,7 +23,7 @@
#
# execheap is needed for itanium/BEA jrocket
-allow java_t self:process { execstack execmem execheap };
+allow java_t self:process { getsched sigkill execheap execmem execstack };
init_dbus_chat_script(java_t)
@@ -31,3 +31,7 @@
unconfined_domain_noaudit(java_t)
unconfined_dbus_chat(java_t)
')
+
+optional_policy(`
+ xserver_xdm_rw_shm(java_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.0.8/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2007-05-29 14:10:48.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/mono.if 2007-09-20 18:25:48.000000000 -0400
@@ -18,3 +18,103 @@
corecmd_search_bin($1)
domtrans_pattern($1, mono_exec_t, mono_t)
')
+
+########################################
+##
+## Read and write to mono shared memory.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`mono_rw_shm',`
+ gen_require(`
+ type mono_t;
+ ')
+
+ allow $1 mono_t:shm rw_shm_perms;
+')
+
+########################################
+##
+## Execute mono in the mono domain, and
+## allow the specified role the mono domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+##
+## The role to be allowed the mono domain.
+##
+##
+##
+##
+## The type of the terminal allow the mono domain to use.
+##
+##
+#
+interface(`mono_run',`
+ gen_require(`
+ type mono_t;
+ ')
+
+ mono_domtrans($1)
+ role $2 types mono_t;
+ allow mono_t $3:chr_file rw_term_perms;
+')
+
+#######################################
+##
+## The per role template for the mono module.
+##
+##
+##
+## This template creates a derived domains which are used
+## for mono applications.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+#
+template(`mono_per_role_template',`
+ gen_require(`
+ type mono_exec_t;
+ ')
+
+ type $1_mono_t;
+ domain_type($1_mono_t)
+ domain_entry_file($1_mono_t,mono_exec_t)
+ role $3 types $1_mono_t;
+
+ domain_interactive_fd($1_mono_t)
+
+ userdom_unpriv_usertype($1, $1_mono_t)
+
+ allow $1_mono_t self:process { signal getsched execheap execmem };
+ allow $2 $1_mono_t:process noatsecure;
+
+ domtrans_pattern($2, mono_exec_t, $1_mono_t)
+
+ optional_policy(`
+ xserver_xdm_rw_shm($1_mono_t)
+ ')
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.0.8/policy/modules/apps/mono.te
--- nsaserefpolicy/policy/modules/apps/mono.te 2007-05-29 14:10:48.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/mono.te 2007-09-20 11:41:50.000000000 -0400
@@ -15,7 +15,7 @@
# Local policy
#
-allow mono_t self:process { execheap execmem };
+allow mono_t self:process { signal getsched execheap execmem };
userdom_generic_user_home_dir_filetrans_generic_user_home_content(mono_t,{ dir file lnk_file fifo_file sock_file })
@@ -46,3 +46,7 @@
unconfined_dbus_chat(mono_t)
unconfined_dbus_connect(mono_t)
')
+
+optional_policy(`
+ xserver_xdm_rw_shm(mono_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.0.8/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-08-02 08:17:26.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/mozilla.if 2007-09-17 16:20:18.000000000 -0400
@@ -36,6 +36,8 @@
gen_require(`
type mozilla_conf_t, mozilla_exec_t;
')
+ gen_tunable(browser_confine_$1,false)
+ gen_tunable(browser_write_$1_data,false)
########################################
#
@@ -52,6 +54,14 @@
type $1_mozilla_tmpfs_t;
files_tmpfs_file($1_mozilla_tmpfs_t)
+ type $1_mozilla_tmp_t;
+ files_tmp_file($1_mozilla_tmp_t)
+
+ ########################################
+ #
+ # Local booleans
+ #
+
########################################
#
# Local policy
@@ -96,15 +106,37 @@
relabel_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
relabel_lnk_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
- manage_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t)
- manage_lnk_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t)
- manage_fifo_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t)
- manage_sock_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t)
- fs_tmpfs_filetrans($1_mozilla_t,$1_mozilla_tmpfs_t,{ file lnk_file sock_file fifo_file })
-
allow $1_mozilla_t $2:process signull;
- domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t)
+ tunable_policy(`browser_confine_$1',`
+ domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t)
+ ',`
+ can_exec($2, mozilla_exec_t)
+ ')
+
+ userdom_read_user_home_content_files($1,$1_mozilla_t)
+ userdom_read_user_home_content_symlinks($1,$1_mozilla_t)
+ userdom_read_user_tmp_files($1,$1_mozilla_t)
+ userdom_list_user_files($1,$1_mozilla_t)
+ userdom_manage_user_tmp_dirs($1,$1_mozilla_t)
+ userdom_manage_user_tmp_files($1,$1_mozilla_t)
+ userdom_manage_user_tmp_sockets($1,$1_mozilla_t)
+ userdom_tmp_filetrans_user_tmp($1,$1_mozilla_t, { file dir sock_file })
+
+ ifdef(`enable_mls',`',`
+ fs_search_removable($1_mozilla_t)
+ fs_read_removable_files($1_mozilla_t)
+ fs_read_removable_symlinks($1_mozilla_t)
+ ')
+
+ tunable_policy(`browser_write_$1_data',`
+ userdom_manage_user_home_content_dirs($1,$1_mozilla_t)
+ userdom_manage_user_home_content_files($1,$1_mozilla_t)
+ userdom_read_user_home_content_symlinks($1,$1_mozilla_t)
+ ', `
+ # helper apps will try to create .files
+ userdom_dontaudit_create_user_home_content_files($1,$1_mozilla_t)
+ ')
# Unrestricted inheritance from the caller.
allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
@@ -115,8 +147,9 @@
kernel_read_kernel_sysctls($1_mozilla_t)
kernel_read_network_state($1_mozilla_t)
# Access /proc, sysctl
- kernel_read_system_state($1_mozilla_t)
- kernel_read_net_sysctls($1_mozilla_t)
+ kernel_dontaudit_read_system_state($1_mozilla_t)
+# kernel_read_system_state($1_mozilla_t)
+# kernel_read_net_sysctls($1_mozilla_t)
# Look for plugins
corecmd_list_bin($1_mozilla_t)
@@ -165,11 +198,20 @@
files_read_var_files($1_mozilla_t)
files_read_var_symlinks($1_mozilla_t)
files_dontaudit_getattr_boot_dirs($1_mozilla_t)
+ files_dontaudit_list_non_security($1_mozilla_t)
+ files_dontaudit_getattr_non_security_files($1_mozilla_t)
+ files_dontaudit_getattr_non_security_symlinks($1_mozilla_t)
+ files_dontaudit_getattr_non_security_pipes($1_mozilla_t)
+ files_dontaudit_getattr_non_security_sockets($1_mozilla_t)
+ files_dontaudit_getattr_non_security_blk_files($1_mozilla_t)
+ files_dontaudit_getattr_non_security_chr_files($1_mozilla_t)
fs_search_auto_mountpoints($1_mozilla_t)
fs_list_inotifyfs($1_mozilla_t)
fs_rw_tmpfs_files($1_mozilla_t)
+ selinux_dontaudit_getattr_fs($1_mozilla_t)
+
term_dontaudit_getattr_pty_dirs($1_mozilla_t)
libs_use_ld_so($1_mozilla_t)
@@ -184,16 +226,14 @@
sysnet_dns_name_resolve($1_mozilla_t)
sysnet_read_config($1_mozilla_t)
- userdom_manage_user_home_content_dirs($1,$1_mozilla_t)
- userdom_manage_user_home_content_files($1,$1_mozilla_t)
- userdom_manage_user_home_content_symlinks($1,$1_mozilla_t)
- userdom_manage_user_tmp_dirs($1,$1_mozilla_t)
- userdom_manage_user_tmp_files($1,$1_mozilla_t)
- userdom_manage_user_tmp_sockets($1,$1_mozilla_t)
+ userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t)
+ userdom_dontaudit_use_user_terminals($1,$1_mozilla_t)
+ userdom_user_home_dir_filetrans($1,$1_mozilla_t, $1_mozilla_home_t,dir)
xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t)
xserver_dontaudit_getattr_xdm_tmp_sockets($1_mozilla_t)
+ xserver_xdm_sigchld($1_mozilla_t)
tunable_policy(`allow_execmem',`
allow $1_mozilla_t self:process { execmem execstack };
@@ -211,131 +251,8 @@
fs_manage_cifs_symlinks($1_mozilla_t)
')
- # Uploads, local html
- tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
- fs_list_auto_mountpoints($1_mozilla_t)
- files_list_home($1_mozilla_t)
- fs_read_nfs_files($1_mozilla_t)
- fs_read_nfs_symlinks($1_mozilla_t)
-
- ',`
- files_dontaudit_list_home($1_mozilla_t)
- fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
- fs_dontaudit_read_nfs_files($1_mozilla_t)
- fs_dontaudit_list_nfs($1_mozilla_t)
- ')
-
- tunable_policy(`mozilla_read_content && use_samba_home_dirs',`
- fs_list_auto_mountpoints($1_mozilla_t)
- files_list_home($1_mozilla_t)
- fs_read_cifs_files($1_mozilla_t)
- fs_read_cifs_symlinks($1_mozilla_t)
- ',`
- files_dontaudit_list_home($1_mozilla_t)
- fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
- fs_dontaudit_read_cifs_files($1_mozilla_t)
- fs_dontaudit_list_cifs($1_mozilla_t)
- ')
-
- tunable_policy(`mozilla_read_content',`
- userdom_list_user_tmp($1,$1_mozilla_t)
- userdom_read_user_tmp_files($1,$1_mozilla_t)
- userdom_read_user_tmp_symlinks($1,$1_mozilla_t)
- userdom_search_user_home_dirs($1,$1_mozilla_t)
- userdom_read_user_home_content_files($1,$1_mozilla_t)
- userdom_read_user_home_content_symlinks($1,$1_mozilla_t)
-
- ifdef(`enable_mls',`',`
- fs_search_removable($1_mozilla_t)
- fs_read_removable_files($1_mozilla_t)
- fs_read_removable_symlinks($1_mozilla_t)
- ')
- ',`
- files_dontaudit_list_tmp($1_mozilla_t)
- files_dontaudit_list_home($1_mozilla_t)
- fs_dontaudit_list_removable($1_mozilla_t)
- fs_dontaudit_read_removable_files($1_mozilla_t)
- userdom_dontaudit_list_user_tmp($1,$1_mozilla_t)
- userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t)
- userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t)
- userdom_dontaudit_read_user_home_content_files($1,$1_mozilla_t)
- ')
-
- tunable_policy(`mozilla_read_content && read_default_t',`
- files_list_default($1_mozilla_t)
- files_read_default_files($1_mozilla_t)
- files_read_default_symlinks($1_mozilla_t)
- ',`
- files_dontaudit_read_default_files($1_mozilla_t)
- files_dontaudit_list_default($1_mozilla_t)
- ')
-
- tunable_policy(`mozilla_read_content && read_untrusted_content',`
- files_list_tmp($1_mozilla_t)
- files_list_home($1_mozilla_t)
- userdom_search_user_home_dirs($1,$1_mozilla_t)
-
- userdom_list_user_untrusted_content($1,$1_mozilla_t)
- userdom_read_user_untrusted_content_files($1,$1_mozilla_t)
- userdom_read_user_untrusted_content_symlinks($1,$1_mozilla_t)
- userdom_list_user_tmp_untrusted_content($1,$1_mozilla_t)
- userdom_read_user_tmp_untrusted_content_files($1,$1_mozilla_t)
- userdom_read_user_tmp_untrusted_content_symlinks($1,$1_mozilla_t)
- ',`
- files_dontaudit_list_tmp($1_mozilla_t)
- files_dontaudit_list_home($1_mozilla_t)
- userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t)
- userdom_dontaudit_list_user_untrusted_content($1,$1_mozilla_t)
- userdom_dontaudit_read_user_untrusted_content_files($1,$1_mozilla_t)
- userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_mozilla_t)
- userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_mozilla_t)
- ')
-
- # Save web pages
- tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
- files_search_home($1_mozilla_t)
-
- fs_search_auto_mountpoints($1_mozilla_t)
- fs_manage_nfs_dirs($1_mozilla_t)
- fs_manage_nfs_files($1_mozilla_t)
- fs_manage_nfs_symlinks($1_mozilla_t)
- ',`
- fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
- fs_dontaudit_manage_nfs_dirs($1_mozilla_t)
- fs_dontaudit_manage_nfs_files($1_mozilla_t)
- ')
-
- tunable_policy(`write_untrusted_content && use_samba_home_dirs',`
- files_search_home($1_mozilla_t)
-
- fs_search_auto_mountpoints($1_mozilla_t)
- fs_manage_cifs_dirs($1_mozilla_t)
- fs_manage_cifs_files($1_mozilla_t)
- fs_manage_cifs_symlinks($1_mozilla_t)
- ',`
- fs_dontaudit_list_auto_mountpoints($1_mozilla_t)
- fs_dontaudit_manage_cifs_dirs($1_mozilla_t)
- fs_dontaudit_manage_cifs_files($1_mozilla_t)
- ')
-
- tunable_policy(`write_untrusted_content',`
- files_search_home($1_mozilla_t)
- userdom_manage_user_untrusted_content_tmp_files($1, $1_mozilla_t)
- files_tmp_filetrans($1_mozilla_t,$1_untrusted_content_tmp_t,file)
- files_tmp_filetrans($1_mozilla_t,$1_untrusted_content_tmp_t,dir)
-
- userdom_manage_user_untrusted_content_files($1,$1_mozilla_t)
- userdom_user_home_dir_filetrans($1,$1_mozilla_t,$1_untrusted_content_tmp_t, { file dir })
- userdom_user_home_content_filetrans($1,$1_mozilla_t,$1_untrusted_content_tmp_t, { file dir })
- ',`
- files_dontaudit_list_home($1_mozilla_t)
- files_dontaudit_list_tmp($1_mozilla_t)
-
- userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t)
- userdom_dontaudit_manage_user_tmp_dirs($1,$1_mozilla_t)
- userdom_dontaudit_manage_user_tmp_files($1,$1_mozilla_t)
- userdom_dontaudit_manage_user_home_content_dirs($1,$1_mozilla_t)
-
+ optional_policy(`
+ alsa_read_rw_config($1_mozilla_t)
')
optional_policy(`
@@ -350,21 +267,28 @@
optional_policy(`
cups_read_rw_config($1_mozilla_t)
cups_dbus_chat($1_mozilla_t)
+ cups_stream_connect($1_mozilla_t)
')
optional_policy(`
dbus_system_bus_client_template($1_mozilla,$1_mozilla_t)
dbus_send_system_bus($1_mozilla_t)
- dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t)
- dbus_send_user_bus($1,$1_mozilla_t)
+# dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t)
+# dbus_send_user_bus($1,$1_mozilla_t)
+ ')
+
+ optional_policy(`
+ gnome_exec_gconf($1_mozilla_t)
+ gnome_manage_user_gnome_config($1,$1_mozilla_t)
')
optional_policy(`
+ gnome_domtrans_user_gconf($1,$1_mozilla_t)
gnome_stream_connect_gconf_template($1,$1_mozilla_t)
')
optional_policy(`
- java_domtrans_user_javaplugin($1, $1_mozilla_t)
+ java_plugin_per_role_template($1, $1_mozilla_t, $1_r)
')
optional_policy(`
@@ -384,25 +308,6 @@
thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t)
')
- ifdef(`TODO',`
- #NOTE commented out in strict.
- ######### Launch email client, and make webcal links work
- #ifdef(`evolution.te', `
- #domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t)
- #domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
- #')
-
- # Macros for mozilla/mozilla (or other browser) domains.
- # FIXME: Rules were removed to centralize policy in a gnome_app macro
- # A similar thing might be necessary for mozilla compiled without GNOME
- # support (is this possible?).
-
- # GNOME integration
- optional_policy(`
- gnome_application($1_mozilla, $1)
- gnome_file_dialog($1_mozilla, $1)
- ')
- ')
')
########################################
@@ -575,3 +480,27 @@
allow $2 $1_mozilla_t:tcp_socket rw_socket_perms;
')
+
+########################################
+##
+## mozilla connection template.
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+#
+template(`mozilla_stream_connect_template',`
+ gen_require(`
+ type $1_mozilla_t;
+ ')
+
+ allow $2 $1_mozilla_t:unix_stream_socket connectto;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.0.8/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2007-07-25 10:37:37.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/mozilla.te 2007-09-17 16:20:18.000000000 -0400
@@ -6,13 +6,6 @@
# Declarations
#
-##
-##
-## Control mozilla content access
-##
-##
-gen_tunable(mozilla_read_content,false)
-
type mozilla_conf_t;
files_config_file(mozilla_conf_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-3.0.8/policy/modules/apps/userhelper.if
--- nsaserefpolicy/policy/modules/apps/userhelper.if 2007-07-25 10:37:37.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/userhelper.if 2007-09-17 16:20:18.000000000 -0400
@@ -130,6 +130,7 @@
term_use_all_user_ptys($1_userhelper_t)
auth_domtrans_chk_passwd($1_userhelper_t)
+ auth_domtrans_upd_passwd($1_userhelper_t)
auth_manage_pam_pid($1_userhelper_t)
auth_manage_var_auth($1_userhelper_t)
auth_search_pam_console_data($1_userhelper_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.0.8/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te 2007-09-12 10:34:49.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/vmware.te 2007-09-17 16:20:18.000000000 -0400
@@ -29,7 +29,7 @@
allow vmware_host_t self:capability { setuid net_raw };
dontaudit vmware_host_t self:capability sys_tty_config;
-allow vmware_host_t self:process signal_perms;
+allow vmware_host_t self:process { execstack execmem signal_perms };
allow vmware_host_t self:fifo_file rw_fifo_file_perms;
allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
allow vmware_host_t self:rawip_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.0.8/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if 2007-05-29 14:10:48.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/wine.if 2007-09-20 08:56:45.000000000 -0400
@@ -18,3 +18,84 @@
corecmd_search_bin($1)
domtrans_pattern($1, wine_exec_t, wine_t)
')
+
+########################################
+##
+## Execute wine in the wine domain, and
+## allow the specified role the wine domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+##
+## The role to be allowed the wine domain.
+##
+##
+##
+##
+## The type of the terminal allow the wine domain to use.
+##
+##
+#
+interface(`wine_run',`
+ gen_require(`
+ type wine_t;
+ ')
+
+ wine_domtrans($1)
+ role $2 types wine_t;
+ allow wine_t $3:chr_file rw_term_perms;
+')
+
+#######################################
+##
+## The per role template for the wine module.
+##
+##
+##
+## This template creates a derived domains which are used
+## for wine applications.
+##
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+#
+template(`wine_per_role_template',`
+ gen_require(`
+ type wine_exec_t;
+ ')
+
+ type $1_wine_t;
+ domain_type($1_wine_t)
+ domain_entry_file($1_wine_t,wine_exec_t)
+ role $3 types $1_wine_t;
+
+ domain_interactive_fd($1_wine_t)
+
+ userdom_unpriv_usertype($1, $1_wine_t)
+
+ allow $1_wine_t self:process { execheap execmem };
+
+ domtrans_pattern($2, wine_exec_t, $1_wine_t)
+
+ optional_policy(`
+ xserver_xdm_rw_shm($1_wine_t)
+ ')
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.0.8/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te 2007-07-25 10:37:37.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/wine.te 2007-09-20 09:45:04.000000000 -0400
@@ -9,6 +9,7 @@
type wine_t;
type wine_exec_t;
application_domain(wine_t,wine_exec_t)
+role system_r types wine_t;
########################################
#
@@ -20,7 +21,12 @@
unconfined_domain_noaudit(wine_t)
files_execmod_all_files(wine_t)
- optional_policy(`
- hal_dbus_chat(wine_t)
- ')
+')
+
+optional_policy(`
+ hal_dbus_chat(wine_t)
+')
+
+optional_policy(`
+ xserver_xdm_rw_shm(wine_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-08-22 07:14:06.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc 2007-09-24 09:59:57.000000000 -0400
@@ -36,6 +36,11 @@
/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/cron.daily/.* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/cron.hourly/.* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/cron.weekly/.* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/cron.monthly/.* -- gen_context(system_u:object_r:bin_t,s0)
+
/etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0)
/etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0)
/etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0)
@@ -126,10 +131,10 @@
/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/cups/backend(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/cups/cgi-bin/.* -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/cups/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/cups/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/cups/backend(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/cups/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
@@ -164,6 +169,7 @@
/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/local/Brother/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/local/Brother/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -259,3 +265,9 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
+
+/etc/gdm/XKeepsCrashing[^/]* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
+/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
+/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:bin_t,s0)
+/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2007-07-03 07:05:38.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in 2007-09-17 16:20:18.000000000 -0400
@@ -1449,6 +1449,43 @@
########################################
##
+## Connect TCP sockets to rpc ports.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`corenet_tcp_connect_all_rpc_ports',`
+ gen_require(`
+ attribute rpc_port_type;
+ ')
+
+ allow $1 rpc_port_type:tcp_socket name_connect;
+')
+
+########################################
+##
+## Do not audit attempts to connect TCP sockets
+## all rpc ports.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
+ gen_require(`
+ attribute rpc_port_type;
+ ')
+
+ dontaudit $1 rpc_port_type:tcp_socket name_connect;
+')
+
+########################################
+##
## Read and write the TUN/TAP virtual network device.
##
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-07-03 07:05:38.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in 2007-09-17 16:20:18.000000000 -0400
@@ -55,6 +55,11 @@
type reserved_port_t, port_type, reserved_port_type;
#
+# hi_reserved_port_t is the type of INET port numbers between 600-1023.
+#
+type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
+
+#
# server_packet_t is the default type of IPv4 and IPv6 server packets.
#
type server_packet_t, packet_type, server_packet_type;
@@ -93,10 +98,10 @@
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
network_port(howl, tcp,5335,s0, udp,5353,s0)
-network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
+network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
-network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
+network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
network_port(innd, tcp,119,s0)
network_port(ipp, tcp,631,s0, udp,631,s0)
network_port(ircd, tcp,6667,s0)
@@ -108,12 +113,13 @@
network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
network_port(ktalkd, udp,517,s0, udp,518,s0)
-network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
+network_port(ldap, tcp,3268,s0, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
network_port(lmtp, tcp,24,s0, udp,24,s0)
network_port(mail, tcp,2000,s0)
network_port(monopd, tcp,1234,s0)
-network_port(mysqld, tcp,3306,s0)
+network_port(mysqld, tcp,3306,s0, tcp,1186,s0)
+portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
network_port(nessus, tcp,1241,s0)
network_port(netsupport, tcp,5405,s0, udp,5405,s0)
network_port(nmbd, udp,137,s0, udp,138,s0)
@@ -146,7 +152,7 @@
network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
network_port(spamd, tcp,783,s0)
network_port(ssh, tcp,22,s0)
-network_port(soundd, tcp,8000,s0, tcp,9433,s0)
+network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
@@ -160,13 +166,19 @@
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
network_port(vnc, tcp,5900,s0)
+network_port(wccp, udp,2048,s0)
+network_port(xdmcp, udp,177,s0, tcp,177,s0)
network_port(xen, tcp,8002,s0)
-network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
+network_port(xfs, tcp,7100,s0)
+network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0, tcp,6020,s0)
network_port(zebra, tcp,2600,s0, tcp,2601,s0, tcp,2602,s0, tcp,2603,s0, tcp,2604,s0, tcp,2606,s0, udp,2600,s0, udp,2601,s0, udp,2602,s0, udp,2603,s0, udp,2604,s0, udp,2606,s0)
network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise declared.
+
+portcon tcp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+portcon udp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon tcp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
portcon udp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-09-12 10:34:49.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-09-22 08:10:42.000000000 -0400
@@ -20,6 +20,7 @@
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
/dev/full -c gen_context(system_u:object_r:null_device_t,s0)
+/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0)
@@ -98,6 +99,7 @@
/dev/input/event.* -c gen_context(system_u:object_r:event_device_t,s0)
/dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/input/uinput -c gen_context(system_u:object_r:event_device_t,s0)
/dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.0.8/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2007-06-15 14:54:30.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2007-09-22 08:11:28.000000000 -0400
@@ -1306,6 +1306,44 @@
########################################
##
+## Get the attributes of the event devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_getattr_event_dev',`
+ gen_require(`
+ type device_t, event_device_t;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 event_device_t:chr_file getattr;
+')
+
+########################################
+##
+## Set the attributes of the event devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_setattr_event_dev',`
+ gen_require(`
+ type device_t, event_device_t;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 event_device_t:chr_file setattr;
+')
+
+########################################
+##
## Read input event devices (/dev/input).
##
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.0.8/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2007-06-19 16:23:34.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/domain.if 2007-09-17 16:20:18.000000000 -0400
@@ -45,6 +45,11 @@
# start with basic domain
domain_base_type($1)
+ optional_policy(`
+ unconfined_use_fds($1)
+ unconfined_sigchld($1)
+ ')
+
# send init a sigchld and signull
optional_policy(`
init_sigchld($1)
@@ -59,6 +64,7 @@
')
optional_policy(`
+ selinux_dontaudit_getattr_fs($1)
selinux_dontaudit_read_fs($1)
')
@@ -1271,3 +1277,20 @@
typeattribute $1 mmap_low_domain_type;
')
+########################################
+##
+## Allow specified type to associate ipsec packets from any domain
+##
+##
+##
+## Type of subject to be allowed this.
+##
+##
+#
+interface(`domain_ipsec_labels',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow $1 domain:association { sendto recvfrom };
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.0.8/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2007-07-25 10:37:36.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2007-09-17 16:20:18.000000000 -0400
@@ -6,6 +6,22 @@
# Declarations
#
+ifdef(`enable_mls',`
+##
+##
+## Allow all domains to use netlabel labeled packets
+##
+##
+gen_tunable(allow_netlabel,true)
+')
+
+##
+##
+## Allow unlabeled packets to work on system
+##
+##
+gen_tunable(allow_unlabeled_packets,true)
+
# Mark process types as domains
attribute domain;
@@ -134,3 +150,22 @@
# act on all domains keys
allow unconfined_domain_type domain:key *;
+
+# xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains.
+optional_policy(`
+ xserver_dontaudit_use_xdm_fds(domain)
+ xserver_dontaudit_rw_xdm_pipes(domain)
+')
+
+tunable_policy(`allow_unlabeled_packets',`
+ kernel_sendrecv_unlabeled_association(domain)
+ corenet_sendrecv_unlabeled_packets(domain)
+')
+
+ifdef(`enable_mls',`
+ tunable_policy(`allow_netlabel',`
+ kernel_raw_recvfrom_unlabeled(domain)
+ kernel_tcp_recvfrom_unlabeled(domain)
+ kernel_udp_recvfrom_unlabeled(domain)
+ ')
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.0.8/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2007-09-12 10:34:49.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/files.fc 2007-09-18 20:56:27.000000000 -0400
@@ -210,6 +210,7 @@
/usr/lost\+found/.* <>
/usr/share(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:usr_t,s0)
+/usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0)
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.8/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-07-03 07:05:38.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/files.if 2007-09-17 16:20:18.000000000 -0400
@@ -343,8 +343,7 @@
########################################
##
-## Mount a filesystem on all non-security
-## directories and files.
+## Mount a filesystem on all non-security directories.
##
##
##
@@ -352,12 +351,29 @@
##
##
#
-interface(`files_mounton_non_security',`
+interface(`files_mounton_non_security_dir',`
gen_require(`
attribute file_type, security_file_type;
')
allow $1 { file_type -security_file_type }:dir mounton;
+')
+
+########################################
+##
+## Mount a filesystem on all non-security and files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_mounton_non_security_files',`
+ gen_require(`
+ attribute file_type, security_file_type;
+ ')
+
allow $1 { file_type -security_file_type }:file mounton;
')
@@ -376,7 +392,7 @@
attribute file_type, security_file_type;
')
- allow $1 { file_type -security_file_type }:dir write;
+ allow $1 { file_type -security_file_type }:dir rw_dir_perms;
')
########################################
@@ -885,6 +901,8 @@
attribute file_type;
')
+ # Have to be able to read badly labeled files like file_context and ld.so.cache
+ files_read_all_files($1)
allow $1 { file_type $2 }:dir list_dir_perms;
relabel_dirs_pattern($1,{ file_type $2 },{ file_type $2 })
relabel_files_pattern($1,{ file_type $2 },{ file_type $2 })
@@ -1106,6 +1124,24 @@
########################################
##
+## search all mount points.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_search_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ allow $1 mountpoint:dir search_dir_perms;
+')
+
+########################################
+##
## List the contents of the root directory.
##
##
@@ -3107,6 +3143,24 @@
########################################
##
+## Manage temporary directories in /tmp.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`files_manage_generic_tmp_dirs',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ manage_dirs_pattern($1,tmp_t,tmp_t)
+')
+
+########################################
+##
## Manage temporary files and directories in /tmp.
##
##
@@ -3323,6 +3377,42 @@
########################################
##
+## dontaudit Add and remove entries from /usr directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_dontaudit_rw_usr_dirs',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ dontaudit $1 usr_t:dir rw_dir_perms;
+')
+
+########################################
+##
+## Create, read, write, and delete files in the /usr directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_manage_usr_files',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ manage_files_pattern($1, usr_t, usr_t)
+')
+
+########################################
+##
## Get the attributes of files in /usr.
##
##
@@ -3381,7 +3471,7 @@
########################################
##
-## Create, read, write, and delete files in the /usr directory.
+## Relabel a file to the type used in /usr.
##
##
##
@@ -3389,17 +3479,17 @@
##
##
#
-interface(`files_manage_usr_files',`
+interface(`files_relabelto_usr_files',`
gen_require(`
type usr_t;
')
- manage_files_pattern($1, usr_t, usr_t)
+ relabelto_files_pattern($1,usr_t,usr_t)
')
########################################
##
-## Relabel a file to the type used in /usr.
+## Relabel a file from the type used in /usr.
##
##
##
@@ -3407,12 +3497,12 @@
##
##
#
-interface(`files_relabelto_usr_files',`
+interface(`files_relabelfrom_usr_files',`
gen_require(`
type usr_t;
')
- relabelto_files_pattern($1,usr_t,usr_t)
+ relabelfrom_files_pattern($1,usr_t,usr_t)
')
########################################
@@ -4043,7 +4133,7 @@
type var_t, var_lock_t;
')
- rw_dirs_pattern($1,var_t,var_lock_t)
+ rw_files_pattern($1,var_t,var_lock_t)
')
########################################
@@ -4560,6 +4650,8 @@
# Need to give access to /selinux/member
selinux_compute_member($1)
+ files_search_home($1)
+
# Need sys_admin capability for mounting
allow $1 self:capability { chown fsetid sys_admin };
@@ -4582,6 +4674,11 @@
# Default type for mountpoints
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
+ corecmd_exec_bin($1)
+ seutil_domtrans_setfiles($1)
+ fs_mount_tmpfs($1)
+ fs_unmount_tmpfs($1)
+
')
########################################
@@ -4619,3 +4716,28 @@
allow $1 { file_type -security_file_type }:dir manage_dir_perms;
')
+
+########################################
+##
+## Create a core files in /
+##
+##
+##
+## Create a core file in /,
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_dump_core',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:dir rw_dir_perms;
+ allow $1 root_t:file { create getattr write };
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.0.8/policy/modules/kernel/files.te
--- nsaserefpolicy/policy/modules/kernel/files.te 2007-09-12 10:34:49.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/files.te 2007-09-18 12:11:13.000000000 -0400
@@ -1,5 +1,5 @@
-policy_module(files,1.6.1)
+policy_module(files,1.6.0)
########################################
#
@@ -55,6 +55,9 @@
# compatibility aliases for removed types:
typealias etc_t alias automount_etc_t;
typealias etc_t alias snmpd_etc_t;
+typealias etc_t alias gconf_etc_t;
+typealias etc_t alias soundd_etc_t;
+typealias etc_t alias hplip_etc_t;
#
# etc_runtime_t is the type of various
@@ -188,6 +191,7 @@
fs_associate(file_type)
fs_associate_noxattr(file_type)
fs_associate_tmpfs(file_type)
+fs_associate_ramfs(file_type)
########################################
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-08-22 07:14:06.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2007-09-21 19:16:08.000000000 -0400
@@ -271,45 +271,6 @@
########################################
##
-## Read files on anon_inodefs file systems.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`fs_read_anon_inodefs_files',`
- gen_require(`
- type anon_inodefs_t;
-
- ')
-
- read_files_pattern($1,anon_inodefs_t,anon_inodefs_t)
-')
-
-########################################
-##
-## Read and write files on anon_inodefs
-## file systems.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`fs_rw_anon_inodefs_files',`
- gen_require(`
- type anon_inodefs_t;
-
- ')
-
- rw_files_pattern($1,anon_inodefs_t,anon_inodefs_t)
-')
-
-########################################
-##
## Mount an automount pseudo filesystem.
##
##
@@ -1231,7 +1192,7 @@
########################################
##
-## Unmount a FUSE filesystem.
+## unmount a FUSE filesystem.
##
##
##
@@ -2139,6 +2100,7 @@
rw_files_pattern($1,nfsd_fs_t,nfsd_fs_t)
')
+
########################################
##
## Mount a RAM filesystem.
@@ -2214,6 +2176,24 @@
########################################
##
+## Allow the type to associate to ramfs filesystems.
+##
+##
+##
+## The type of the object to be associated.
+##
+##
+#
+interface(`fs_associate_ramfs',`
+ gen_require(`
+ type ramfs_t;
+ ')
+
+ allow $1 ramfs_t:filesystem associate;
+')
+
+########################################
+##
## Search directories on a ramfs
##
##
@@ -2276,7 +2256,7 @@
## Domain allowed access.
##
##
-#
+
interface(`fs_dontaudit_read_ramfs_files',`
gen_require(`
type ramfs_t;
@@ -3533,3 +3513,42 @@
relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs)
relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs)
')
+
+########################################
+##
+## Read files of anon_inodefs file system files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_read_anon_inodefs_files',`
+ gen_require(`
+ type anon_inodefs_t;
+
+ ')
+
+ read_files_pattern($1,anon_inodefs_t,anon_inodefs_t)
+')
+
+########################################
+##
+## Read/wrie files of anon_inodefs file system files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_rw_anon_inodefs_files',`
+ gen_require(`
+ type anon_inodefs_t;
+
+ ')
+
+ rw_files_pattern($1,anon_inodefs_t,anon_inodefs_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.8/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-09-12 10:34:49.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.te 2007-09-17 16:20:18.000000000 -0400
@@ -80,6 +80,7 @@
type fusefs_t;
fs_noxattr_type(fusefs_t)
allow fusefs_t self:filesystem associate;
+allow fusefs_t fs_t:filesystem associate;
genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.8/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-08-22 07:14:06.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if 2007-09-17 16:20:18.000000000 -0400
@@ -1867,6 +1867,27 @@
########################################
##
+## Read the process state (/proc/pid) of all unlabeled_t.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_read_unlabeled_state',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:dir list_dir_perms;
+ read_files_pattern($1,unlabeled_t,unlabeled_t)
+ read_lnk_files_pattern($1,unlabeled_t,unlabeled_t)
+')
+
+
+########################################
+##
## Do not audit attempts to list unlabeled directories.
##
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.0.8/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2007-08-22 07:14:06.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/kernel.te 2007-09-17 16:20:18.000000000 -0400
@@ -278,6 +278,7 @@
optional_policy(`
logging_send_syslog_msg(kernel_t)
+ logging_unconfined(kernel_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.0.8/policy/modules/kernel/selinux.if
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2007-07-03 07:05:38.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/selinux.if 2007-09-17 16:20:18.000000000 -0400
@@ -138,6 +138,7 @@
type security_t;
')
+ selinux_dontaudit_getattr_fs($1)
dontaudit $1 security_t:dir search_dir_perms;
dontaudit $1 security_t:file { getattr read };
')
@@ -159,6 +160,7 @@
type security_t;
')
+ selinux_get_fs_mount($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file { getattr read };
')
@@ -239,6 +241,34 @@
########################################
##
+## Allow caller to read the state of Booleans
+##
+##
+##
+## Allow caller read the state of Booleans
+##
+##
+##
+##
+## The process type allowed to set the Boolean.
+##
+##
+##
+#
+interface(`selinux_get_boolean',`
+ gen_require(`
+ type security_t;
+ attribute booleans_type;
+ bool secure_mode_policyload;
+ ')
+
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 booleans_type:dir list_dir_perms;
+ allow $1 booleans_type:file read_file_perms;
+')
+
+########################################
+##
## Allow caller to set the state of Booleans to
## enable or disable conditional portions of the policy.
##
@@ -262,11 +292,13 @@
interface(`selinux_set_boolean',`
gen_require(`
type security_t;
+ attribute booleans_type;
bool secure_mode_policyload;
')
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file { getattr read write };
+ allow $1 booleans_type:dir list_dir_perms;
+ allow $1 booleans_type:file { getattr read write };
if(!secure_mode_policyload) {
allow $1 security_t:security setbool;
@@ -463,3 +495,42 @@
typeattribute $1 selinux_unconfined_type;
')
+
+########################################
+##
+## Generate a file context for a boolean type
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`selinux_genbool',`
+ gen_require(`
+ attribute booleans_type;
+ ')
+
+ type $1, booleans_type;
+ fs_type($1)
+ mls_trusted_object($1)
+')
+
+########################################
+##
+## Generate a file context for a boolean type
+##
+##
+##
+## Type of the boolean
+##
+##
+##
+##
+## name of the boolean
+##
+##
+#
+interface(`selinux_genbool_mapping',`
+ genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.te serefpolicy-3.0.8/policy/modules/kernel/selinux.te
--- nsaserefpolicy/policy/modules/kernel/selinux.te 2007-07-25 10:37:36.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/selinux.te 2007-09-17 16:20:18.000000000 -0400
@@ -10,6 +10,7 @@
attribute can_setenforce;
attribute can_setsecparam;
attribute selinux_unconfined_type;
+attribute booleans_type;
#
# security_t is the target type when checking
@@ -22,6 +23,11 @@
sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
+type boolean_t, booleans_type;
+fs_type(boolean_t)
+mls_trusted_object(boolean_t)
+#genfscon selinuxfs /booleans gen_context(system_u:object_r:boolean_t,s0)
+
neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.0.8/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2007-08-22 07:14:06.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/storage.fc 2007-09-17 16:20:18.000000000 -0400
@@ -52,7 +52,7 @@
/dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-/dev/fuse -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/fuse -c gen_context(system_u:object_r:fuse_device_t,mls_systemhigh)
/dev/floppy/[^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.0.8/policy/modules/kernel/storage.if
--- nsaserefpolicy/policy/modules/kernel/storage.if 2007-08-22 07:14:06.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/storage.if 2007-09-17 16:20:18.000000000 -0400
@@ -673,3 +673,61 @@
typeattribute $1 storage_unconfined_type;
')
+
+########################################
+##
+## Allow the caller to get the attributes
+## of device nodes of fuse devices.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`storage_getattr_fuse_dev',`
+ gen_require(`
+ type fuse_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 fuse_device_t:chr_file getattr;
+')
+
+########################################
+##
+## read or write fuse device interfaces.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`storage_rw_fuse',`
+ gen_require(`
+ type fuse_device_t;
+ ')
+
+ allow $1 fuse_device_t:chr_file rw_file_perms;
+')
+
+########################################
+##
+## Do not audit attempts to read or write
+## fuse device interfaces.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`storage_dontaudit_rw_fuse',`
+ gen_require(`
+ type fuse_device_t;
+ ')
+
+ dontaudit $1 fuse_device_t:chr_file rw_file_perms;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.te serefpolicy-3.0.8/policy/modules/kernel/storage.te
--- nsaserefpolicy/policy/modules/kernel/storage.te 2007-08-22 07:14:06.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/storage.te 2007-09-17 16:20:18.000000000 -0400
@@ -23,6 +23,12 @@
neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write };
#
+# fuse_device_t is the type of /dev/fuse
+#
+type fuse_device_t;
+dev_node(fuse_device_t)
+
+#
# scsi_generic_device_t is the type of /dev/sg*
# it gives access to ALL SCSI devices (both fixed and removable)
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.0.8/policy/modules/kernel/terminal.fc
--- nsaserefpolicy/policy/modules/kernel/terminal.fc 2007-05-29 14:10:48.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/terminal.fc 2007-09-17 16:20:18.000000000 -0400
@@ -8,6 +8,7 @@
/dev/dcbri[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/hvc.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/hvsi.* -c gen_context(system_u:object_r:tty_device_t,s0)
+/dev/i2c[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/ircomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-3.0.8/policy/modules/kernel/terminal.te
--- nsaserefpolicy/policy/modules/kernel/terminal.te 2007-09-12 10:34:49.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/terminal.te 2007-09-17 16:38:07.000000000 -0400
@@ -28,6 +28,7 @@
type devpts_t;
files_mountpoint(devpts_t)
fs_associate_tmpfs(devpts_t)
+files_associate_tmp(devpts_t)
fs_type(devpts_t)
fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.0.8/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2007-05-29 14:10:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/apache.fc 2007-09-17 16:20:18.000000000 -0400
@@ -16,7 +16,6 @@
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
@@ -71,5 +70,16 @@
/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+#Bugzilla file context
+/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
+/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
+/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_script_rw_t,s0)
+#viewvc file context
+/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t, s0)
+/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.0.8/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2007-08-22 07:14:07.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/apache.if 2007-09-17 16:20:18.000000000 -0400
@@ -18,10 +18,6 @@
attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
')
- # allow write access to public file transfer
- # services files.
- gen_tunable(allow_httpd_$1_script_anon_write,false)
-
#This type is for webpages
type httpd_$1_content_t, httpdcontent; # customizable
files_type(httpd_$1_content_t)
@@ -71,7 +67,7 @@
logging_search_logs(httpd_$1_script_t)
can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
- allow httpd_$1_script_t httpd_$1_script_exec_t:dir search_dir_perms;
+ allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
allow httpd_$1_script_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms };
read_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
@@ -87,7 +83,6 @@
manage_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
manage_fifo_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
manage_sock_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
- files_tmp_filetrans(httpd_$1_script_t,httpd_$1_script_rw_t,{ dir file lnk_file sock_file fifo_file })
kernel_dontaudit_search_sysctl(httpd_$1_script_t)
kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
@@ -120,10 +115,6 @@
can_exec(httpd_$1_script_t, httpdcontent)
')
- tunable_policy(`allow_httpd_$1_script_anon_write',`
- miscfiles_manage_public_files(httpd_$1_script_t)
- ')
-
# Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
manage_dirs_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
@@ -177,48 +168,6 @@
miscfiles_read_localization(httpd_$1_script_t)
')
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
- allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
- allow httpd_$1_script_t self:udp_socket create_socket_perms;
-
- corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
- corenet_all_recvfrom_netlabel(httpd_$1_script_t)
- corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
- corenet_udp_sendrecv_all_if(httpd_$1_script_t)
- corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
- corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
- corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
- corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
- corenet_tcp_connect_postgresql_port(httpd_$1_script_t)
- corenet_tcp_connect_mysqld_port(httpd_$1_script_t)
- corenet_sendrecv_postgresql_client_packets(httpd_$1_script_t)
- corenet_sendrecv_mysqld_client_packets(httpd_$1_script_t)
-
- sysnet_read_config(httpd_$1_script_t)
- ')
-
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
- allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
- allow httpd_$1_script_t self:udp_socket create_socket_perms;
-
- corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
- corenet_all_recvfrom_netlabel(httpd_$1_script_t)
- corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
- corenet_udp_sendrecv_all_if(httpd_$1_script_t)
- corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
- corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
- corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
- corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
- corenet_tcp_connect_all_ports(httpd_$1_script_t)
- corenet_sendrecv_all_client_packets(httpd_$1_script_t)
-
- sysnet_read_config(httpd_$1_script_t)
- ')
-
- optional_policy(`
- mta_send_mail(httpd_$1_script_t)
- ')
-
optional_policy(`
tunable_policy(`httpd_enable_cgi && allow_ypbind',`
nis_use_ypbind_uncond(httpd_$1_script_t)
@@ -270,8 +219,11 @@
')
apache_content_template($1)
+ manage_dirs_pattern($1_t,httpd_$1_content_t,httpd_$1_content_t)
+ manage_files_pattern($1_t,httpd_$1_content_t,httpd_$1_content_t)
+ manage_lnk_files_pattern($1_t,httpd_$1_content_t,httpd_$1_content_t)
- typeattribute httpd_$1_script_t httpd_script_domains;
+ typeattribute httpd_$1_content_t httpd_script_domains;
userdom_user_home_content($1,httpd_$1_content_t)
role $3 types httpd_$1_script_t;
@@ -436,6 +388,24 @@
########################################
##
+## getattr apache.process
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_getattr',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow $1 httpd_t:process getattr;
+')
+
+########################################
+##
## Inherit and use file descriptors from Apache.
##
##
@@ -754,6 +724,7 @@
')
allow $1 httpd_modules_t:dir list_dir_perms;
+ read_lnk_files_pattern($1,httpd_modules_t,httpd_modules_t)
')
########################################
@@ -838,6 +809,10 @@
type httpd_sys_script_t;
')
+ tunable_policy(`httpd_enable_cgi',`
+ domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)
+ ')
+
tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
')
@@ -925,7 +900,7 @@
type httpd_squirrelmail_t;
')
- allow $1 httpd_squirrelmail_t:file { getattr read };
+ read_files_pattern($1,httpd_squirrelmail_t,httpd_squirrelmail_t)
')
########################################
@@ -987,7 +962,26 @@
########################################
##
-## Search apache system CGI directories.
+## Search system script state directory.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`apache_search_sys_script_state',`
+ gen_require(`
+ type httpd_sys_script_t;
+ ')
+
+ allow $1 httpd_sys_script_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Allow the specified domain to manage
+## apache modules.
##
##
##
@@ -995,17 +989,57 @@
##
##
#
-interface(`apache_search_sys_scripts',`
+interface(`apache_manage_modules',`
gen_require(`
- type httpd_sys_content_t, httpd_sys_script_exec_t;
+ type httpd_modules_t;
')
- search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t)
+ manage_dirs_pattern($1,httpd_modules_t,httpd_modules_t)
+ manage_files_pattern($1,httpd_modules_t,httpd_modules_t)
+ manage_lnk_files_pattern($1,httpd_modules_t,httpd_modules_t)
')
########################################
##
-## Search system script state directory.
+## Allow the specified domain to create
+## apache lock file
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_manage_lock',`
+ gen_require(`
+ type httpd_lock_t;
+ ')
+ allow $1 httpd_lock_t:file manage_file_perms;
+ files_lock_filetrans($1, httpd_lock_t, file)
+')
+
+########################################
+##
+## Allow the specified domain to manage
+## apache pid file
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_manage_pid',`
+ gen_require(`
+ type httpd_var_run_t;
+ ')
+ manage_files_pattern($1,httpd_var_run_t,httpd_var_run_t)
+ files_pid_filetrans($1,httpd_var_run_t, file)
+')
+
+########################################
+##
+##f Read apache system state
##
##
##
@@ -1013,46 +1047,147 @@
##
##
#
-interface(`apache_search_sys_script_state',`
+interface(`apache_read_state',`
gen_require(`
- type httpd_sys_script_t;
+ type httpd_t;
')
+ kernel_search_proc($1)
+ allow $1 httpd_t:dir list_dir_perms;
+ read_files_pattern($1,httpd_t,httpd_t)
+ read_lnk_files_pattern($1,httpd_t,httpd_t)
+ dontaudit $1 httpd_t:process ptrace;
+')
- allow $1 httpd_sys_script_t:dir search_dir_perms;
+########################################
+##
+## allow domain to relabel apache content
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`apache_relabel',`
+ gen_require(`
+ attribute httpdcontent;
+ attribute httpd_script_exec_type;
+ ')
+
+ allow $1 { httpd_script_exec_type httpdcontent}:dir { relabelto relabelfrom };
+ allow $1 { httpd_script_exec_type httpdcontent}:file { relabelto relabelfrom };
')
########################################
##
-## Execute CGI in the specified domain.
+## Allow the specified domain to search
+## apache bugzilla directories.
##
-##
-##
-## Execute CGI in the specified domain.
-##
-##
-## This is an interface to support third party modules
-## and its use is not allowed in upstream reference
-## policy.
-##
-##
##
##
-## Domain run the cgi script in.
+## Domain allowed access.
+##
+##
+#
+interface(`apache_search_bugzilla_dirs',`
+ gen_require(`
+ type httpd_bugzilla_content_t;
+ ')
+
+ allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Do not audit attempts to read and write Apache
+## bugzill script unix domain stream sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_dontaudit_rw_bugzilla_script_stream_sockets',`
+ gen_require(`
+ type httpd_bugzilla_script_t;
+ ')
+
+ dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
+')
+
+########################################
+##
+## Execute apache server in the ntpd domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`apache_script_domtrans',`
+ gen_require(`
+ type httpd_script_exec_t;
+ ')
+
+ init_script_domtrans_spec($1,httpd_script_exec_t)
+')
+
+########################################
+##
+## All of the rules required to administrate an apache environment
+##
+##
+##
+## Prefix of the domain. Example, user would be
+## the prefix for the uder_t domain.
+##
+##
+##
+##
+## Domain allowed access.
##
##
-##
+##
##
-## Type of the executable to enter the cgi domain.
+## The role to be allowed to manage the apache domain.
##
##
+##
#
-interface(`apache_cgi_domain',`
+template(`apache_admin',`
+
gen_require(`
- type httpd_t, httpd_sys_script_exec_t;
+ type httpd_t;
+ type httpd_bool_t;
+ type httpd_script_exec_t;
')
- domtrans_pattern(httpd_t, $2, $1)
- apache_search_sys_scripts($1)
+ allow $2 httpd_t:process { ptrace signal_perms };
- allow httpd_t $1:process signal;
+ # Allow $2 to restart the apache service
+ apache_script_domtrans($2)
+ domain_system_change_exemption($2)
+ role_transition $3 httpd_script_exec_t system_r;
+ allow $3 system_r;
+
+ apache_manage_all_content($2)
+ apache_manage_config($2)
+ apache_manage_log($2)
+ apache_manage_modules($2)
+ apache_manage_lock($2)
+ apache_manage_pid($2)
+ apache_read_state($2)
+ apache_getattr($2)
+ apache_relabel($2)
+
+ seutil_domtrans_setfiles($2)
+
+ seutil_setsebool_per_role_template($1, $2, $3)
+ allow $1_setsebool_t httpd_bool_t:dir list_dir_perms;
+ allow $1_setsebool_t httpd_bool_t:file rw_file_perms;
')
+
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.8/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-08-22 07:14:07.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/apache.te 2007-09-22 07:26:32.000000000 -0400
@@ -20,6 +20,8 @@
# Declarations
#
+selinux_genbool(httpd_bool_t)
+
##
##
## Allow Apache to modify public files
@@ -30,6 +32,13 @@
##
##
+## Allow Apache to communicate with avahi via dbus
+##
+##
+gen_tunable(allow_httpd_dbus_avahi,false)
+
+##
+##
## Allow Apache to use mod_auth_pam
##
##
@@ -47,6 +56,13 @@
## Allow http daemon to tcp connect
##
##
+gen_tunable(httpd_can_sendmail,false)
+
+##
+##
+## Allow http daemon to tcp connect
+##
+##
gen_tunable(httpd_can_network_connect,false)
##
@@ -97,7 +113,7 @@
## Allow http daemon to communicate with the TTY
##
##
-gen_tunable(httpd_tty_comm,false)
+gen_tunable(httpd_tty_comm,true)
##