
SELinux Mailing List

Re: Patches without the can_network patch.

From: James Carter <jwcart2_at_epoch.ncsc.mil>
Date: Fri, 19 Nov 2004 17:05:54 -0500


Merged.

On Thu, 2004-11-18 at 09:32, Daniel J Walsh wrote:
> Latest policy-small patch. Many changes to make targeted policy work
> better.
>
> Lots of changes to apache policy.
>
> Check out the changes to core_macros for create/rw socket_perms. Maybe
> more acceptable. :^)
>
> Many other minor changes.
>
>
>
> ______________________________________________________________________
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.19.2/domains/program/ldconfig.te
> --- nsapolicy/domains/program/ldconfig.te 2004-11-09 13:35:12.000000000 -0500
> +++ policy-1.19.2/domains/program/ldconfig.te 2004-11-18 08:48:23.918139878 -0500
> @@ -8,7 +8,7 @@
> #
> # Rules for the ldconfig_t domain.
> #
> -type ldconfig_t, domain, privlog;
> +type ldconfig_t, domain, privlog, etc_writer;
> type ldconfig_exec_t, file_type, sysadmfile, exec_type;
>
> role sysadm_r types ldconfig_t;
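Review bot: The `etc_writer` attribute added on the `type ldconfig_t` line, together with the `unlink` permission on `etc_t:file` in the next hunk, lets ldconfig_t remove any file labelled etc_t, not only the cache it presumably rewrites. If the need is to replace one file under /etc, a dedicated type for that file would keep the grant narrow; failing that, a comment should record the reason, e.g. `# ldconfig replaces its cache under /etc by unlink+create; no narrower type exists yet — confirm`. Neither hunk currently says why the unlink is required.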
> @@ -26,7 +26,7 @@
> allow ldconfig_t lib_t:lnk_file create_lnk_perms;
>
> allow ldconfig_t userdomain:fd use;
> -allow ldconfig_t etc_t:file { getattr read };
> +allow ldconfig_t etc_t:file { getattr read unlink };
> allow ldconfig_t etc_t:lnk_file read;
>
> allow ldconfig_t fs_t:filesystem getattr;
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.19.2/domains/program/login.te
> --- nsapolicy/domains/program/login.te 2004-11-18 08:13:57.000000000 -0500
> +++ policy-1.19.2/domains/program/login.te 2004-11-18 08:48:23.919139766 -0500
> @@ -182,6 +182,9 @@
> # Allow setting of attributes on sound devices.
> allow local_login_t sound_device_t:chr_file { getattr setattr };
>
> +# Allow setting of attributes on power management devices.
> +allow local_login_t power_device_t:chr_file { getattr setattr };
> +
> #################################
> #
> # Rules for the remote_login_t domain.
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/acct.te policy-1.19.2/domains/program/unused/acct.te
> --- nsapolicy/domains/program/unused/acct.te 2004-11-09 13:35:12.000000000 -0500
> +++ policy-1.19.2/domains/program/unused/acct.te 2004-11-18 08:48:23.919139766 -0500
> @@ -63,8 +63,7 @@
>
> ifdef(`logrotate.te', `
> domain_auto_trans(logrotate_t, acct_exec_t, acct_t)
> -allow logrotate_t acct_data_t:dir search;
> -allow logrotate_t acct_data_t:file { create_file_perms };
> +rw_dir_create_file(logrotate_t, acct_data_t)
> can_exec(logrotate_t, acct_data_t)
> ')
>
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.19.2/domains/program/unused/apache.te
> --- nsapolicy/domains/program/unused/apache.te 2004-11-18 08:13:57.000000000 -0500
> +++ policy-1.19.2/domains/program/unused/apache.te 2004-11-18 08:50:10.113157831 -0500
> @@ -32,6 +32,9 @@
> # Run SSI execs in system CGI script domain.
> bool httpd_ssi_exec false;
>
> +# Allow http daemon to communicate with the TTY
> +bool httpd_tty_comm false;
> +
> #########################################################
> # Apache types
> #########################################################
> @@ -239,10 +242,12 @@
> # connect to mysql
> ifdef(`mysqld.te', `
> can_unix_connect(httpd_php_t, mysqld_t)
> +can_unix_connect(httpd_t, mysqld_t)
> allow httpd_php_t mysqld_var_run_t:dir search;
> allow httpd_php_t mysqld_var_run_t:sock_file write;
> allow httpd_t mysqld_db_t:dir search;
> allow httpd_t mysqld_db_t:sock_file rw_file_perms;
> +allow httpd_t mysqld_var_run_t:sock_file rw_file_perms;
> ')
> allow httpd_t bin_t:dir search;
> allow httpd_t sbin_t:dir search;
> @@ -297,6 +302,7 @@
> #
> type httpd_runtime_t, file_type, sysadmfile;
> file_type_auto_trans(httpd_t, httpd_log_t, httpd_runtime_t, file)
> +allow httpd_sys_script_t httpd_runtime_t:file { getattr append };
> ') dnl distro_redhat
> #
> # Customer reported the following
> @@ -306,9 +312,28 @@
> dontaudit httpd_t snmpd_var_lib_t:file { getattr write read };
> ')
>
> -# Running squirrelmail requires this permissions
> +#
> +# The following is needed to make squirrelmail work
> +type httpd_squirrelmail_t, file_type, sysadmfile;
> +create_dir_file(httpd_t, httpd_squirrelmail_t)
> +allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
> ifdef(`mta.te', `
> -allow system_mail_t httpd_log_t:file { append getattr };
> -allow system_mail_t httpd_sys_script_rw_t:file { append read };
> -allow system_mail_t httpd_t:tcp_socket { read write };
> +dontaudit system_mail_t httpd_log_t:file { append getattr };
> +allow system_mail_t httpd_squirrelmail_t:file { append read };
> +dontaudit system_mail_t httpd_t:tcp_socket { read write };
> +')
> +
> +application_domain(httpd_helper)
> +role system_r types httpd_helper_t;
> +domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t)
> +
> +allow httpd_helper_t devpts_t:dir { search };
> +allow httpd_helper_t devtty_t:chr_file rw_file_perms;
> +allow httpd_helper_t httpd_config_t:file { getattr read };
> +allow httpd_helper_t httpd_log_t:file { append };
> +if (httpd_tty_comm) {
> +ifdef(`targeted_policy', `
> +allow { httpd_helper_t httpd_t } devpts_t:chr_file { read write };
> ')
> +allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write };
> +}
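Review bot: The line `allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write };` gives the web server domain itself, not just the new helper, read/write on administrator terminals whenever `httpd_tty_comm` is enabled, and the devpts grant two lines above under `targeted_policy` does the same. If only the helper (apache.fc in this patch maps /usr/bin/htsslpass to httpd_helper_exec_t) has to talk to a TTY, restricting both lines to `httpd_helper_t` keeps httpd_t away from admin TTYs even with the bool on. The `application_domain(httpd_helper)` block also carries no comment explaining the domain; something like `# httpd_helper_t: domain for htsslpass, which presumably prompts on the admin TTY; TTY access is gated by httpd_tty_comm` would help. The default of `false` for the bool in the earlier hunk is the right choice.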
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.19.2/domains/program/unused/apmd.te
> --- nsapolicy/domains/program/unused/apmd.te 2004-11-09 13:35:12.000000000 -0500
> +++ policy-1.19.2/domains/program/unused/apmd.te 2004-11-18 08:48:23.920139653 -0500
> @@ -114,7 +114,10 @@
> allow consoletype_t apmd_t:fifo_file write;
> ')
> ifdef(`mount.te', `allow mount_t apmd_t:fd use;')
> -ifdef(`crond.te', `domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t)')
> +ifdef(`crond.te', `
> +domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t)
> +allow apmd_t crond_t:fifo_file { getattr read write ioctl };
> +')
>
> ifdef(`mta.te', `
> domain_auto_trans(apmd_t, sendmail_exec_t, system_mail_t)
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/consoletype.te policy-1.19.2/domains/program/unused/consoletype.te
> --- nsapolicy/domains/program/unused/consoletype.te 2004-11-09 13:35:12.000000000 -0500
> +++ policy-1.19.2/domains/program/unused/consoletype.te 2004-11-18 08:48:23.921139540 -0500
> @@ -59,5 +59,6 @@
> ')
> dontaudit consoletype_t proc_t:file read;
> dontaudit consoletype_t root_t:file read;
> -allow consoletype_t crond_t:fifo_file read;
> +allow consoletype_t crond_t:fifo_file { read getattr ioctl };
> +allow consoletype_t system_crond_t:fd use;
> allow consoletype_t fs_t:filesystem getattr;
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.19.2/domains/program/unused/cups.te
> --- nsapolicy/domains/program/unused/cups.te 2004-11-18 08:13:57.000000000 -0500
> +++ policy-1.19.2/domains/program/unused/cups.te 2004-11-18 08:51:22.563983161 -0500
> @@ -59,7 +60,6 @@
>
> allow cupsd_t { etc_t etc_runtime_t }:file { getattr read ioctl };
> can_exec(cupsd_t, initrc_exec_t)
> -can_exec(cupsd_t, hostname_exec_t)
> allow cupsd_t proc_t:file r_file_perms;
> allow cupsd_t proc_t:dir r_dir_perms;
> allow cupsd_t self:file { getattr read };
> @@ -185,7 +185,7 @@
> allow cupsd_config_t cupsd_var_run_t:file { getattr read };
> allow cupsd_config_t cupsd_t:process { signal };
> allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
> -allow cupsd_config_t cupsd_t:dir search;
> +r_dir_file(cupsd_config_t, cupsd_t)
>
> allow cupsd_config_t self:capability chown;
>
> @@ -212,8 +212,17 @@
> ')
>
> can_exec(cupsd_config_t, { bin_t sbin_t shell_exec_t })
> +ifdef(`hostname.te', `
> +can_exec(cupsd_t, hostname_exec_t)
> +can_exec(cupsd_config_t, hostname_exec_t)
> +')
> allow cupsd_config_t { bin_t sbin_t }:dir { search getattr };
> allow cupsd_config_t { bin_t sbin_t }:lnk_file read;
> +# killall causes the following
> +dontaudit cupsd_config_t domain:dir { getattr search };
> +dontaudit cupsd_config_t selinux_config_t:dir search;
> +
> +can_exec(cupsd_config_t, cupsd_config_exec_t)
>
> allow cupsd_config_t usr_t:file { getattr read };
> allow cupsd_config_t var_lib_t:dir { getattr search };
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cyrus.te policy-1.19.2/domains/program/unused/cyrus.te
> --- nsapolicy/domains/program/unused/cyrus.te 2004-11-09 13:35:12.000000000 -0500
> +++ policy-1.19.2/domains/program/unused/cyrus.te 2004-11-18 08:51:47.260196672 -0500
> @@ -45,3 +45,4 @@
> allow system_crond_t cyrus_var_lib_t:file create_file_perms;
> allow system_crond_su_t cyrus_var_lib_t:dir search;
> ')
> +allow cyrus_t mail_port_t:tcp_socket name_bind;
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpd.te policy-1.19.2/domains/program/unused/dhcpd.te
> --- nsapolicy/domains/program/unused/dhcpd.te 2004-10-14 23:25:18.000000000 -0400
> +++ policy-1.19.2/domains/program/unused/dhcpd.te 2004-11-18 08:53:24.057275000 -0500
> @@ -33,6 +33,7 @@
> can_ypbind(dhcpd_t)
> allow dhcpd_t self:unix_dgram_socket create_socket_perms;
> allow dhcpd_t self:unix_stream_socket create_socket_perms;
> +allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
>
> allow dhcpd_t var_lib_t:dir search;
>
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.19.2/domains/program/unused/ftpd.te
> --- nsapolicy/domains/program/unused/ftpd.te 2004-11-18 08:13:58.000000000 -0500
> +++ policy-1.19.2/domains/program/unused/ftpd.te 2004-11-18 08:54:09.695125653 -0500
> @@ -31,11 +31,13 @@
>
> ifdef(`crond.te', `
> system_crond_entry(ftpd_exec_t, ftpd_t)
> +allow system_crond_t xferlog_t:file r_file_perms;
> can_exec(ftpd_t, { sbin_t shell_exec_t })
> allow ftpd_t usr_t:file { getattr read };
> ')
>
> allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
> +allow ftpd_t port_t:tcp_socket name_bind;
>
> # Allow ftpd to run directly without inetd.
> bool ftpd_is_daemon false;
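Review bot: `allow ftpd_t port_t:tcp_socket name_bind;` lets ftpd bind every port that has no dedicated port type, far wider than the `ftp_data_port_t` bind on the line above, and the hunk gives no reason. Presumably this is for passive-mode data connections on ephemeral ports; a comment such as `# passive-mode data connections bind an unreserved port — confirm` would record that. Note the rule is unconditional and sits outside the `ftpd_is_daemon` bool that follows.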
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/innd.te policy-1.19.2/domains/program/unused/innd.te
> --- nsapolicy/domains/program/unused/innd.te 2004-10-19 16:03:06.000000000 -0400
> +++ policy-1.19.2/domains/program/unused/innd.te 2004-11-18 08:54:50.625507454 -0500
> @@ -64,6 +64,9 @@
>
> ifdef(`crond.te', `
> system_crond_entry(innd_exec_t, innd_t)
> +allow system_crond_t innd_etc_t:file { getattr read };
> +rw_dir_create_file(system_crond_t, innd_log_t)
> +rw_dir_create_file(system_crond_t, innd_var_run_t)
> ')
> ifdef(`syslogd.te', `
> allow syslogd_t innd_log_t:dir search;
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.19.2/domains/program/unused/kudzu.te
> --- nsapolicy/domains/program/unused/kudzu.te 2004-11-09 13:35:12.000000000 -0500
> +++ policy-1.19.2/domains/program/unused/kudzu.te 2004-11-18 08:48:23.921139540 -0500
> @@ -21,7 +21,7 @@
> allow kudzu_t proc_t:file { getattr read };
> allow kudzu_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
> allow kudzu_t scsi_generic_device_t:chr_file r_file_perms;
> -allow kudzu_t { bin_t sbin_t }:dir search;
> +allow kudzu_t { bin_t sbin_t }:dir { getattr search };
> allow kudzu_t { bin_t sbin_t }:lnk_file read;
> allow kudzu_t { sysctl_t sysctl_kernel_t }:dir search;
> allow kudzu_t sysctl_dev_t:dir { getattr search read };
> @@ -85,3 +85,7 @@
>
> # for file systems that are not yet mounted
> dontaudit kudzu_t file_t:dir search;
> +ifdef(`lpd.te', `
> +allow kudzu_t printconf_t:file { getattr read };
> +')
> +allow kudzu_t zero_device_t:chr_file r_file_perms;
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.19.2/domains/program/unused/mta.te
> --- nsapolicy/domains/program/unused/mta.te 2004-10-09 21:06:14.000000000 -0400
> +++ policy-1.19.2/domains/program/unused/mta.te 2004-11-18 08:48:23.922139427 -0500
> @@ -20,6 +20,7 @@
> # "mail user@domain"
> mail_domain(system)
>
> +ifelse(`targeted-policy', `', `
> ifdef(`sendmail.te', `
> # sendmail has an ugly design, the one process parses input from the user and
> # then does system things with it.
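Review bot: `ifelse(`targeted-policy', `', `` compares the quoted literal string `targeted-policy` with the empty string, so as written the block it opens is always included and the conditional has no effect; every other targeted-policy test in this patch uses `ifdef(`targeted_policy', ...)` with an underscore. The matching `+')` that closes this block is in the next hunk. If the intent is to omit the sendmail rules under targeted policy, the else-branch form `ifdef(`targeted_policy', `', `` does that and stays consistent with the rest of the tree.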
> @@ -32,11 +33,13 @@
> # allow the sysadmin to do "mail someone < /home/user/whatever"
> allow sysadm_mail_t user_home_dir_type:dir search;
> r_dir_file(sysadm_mail_t, user_home_type)
> -
> +')
> # for a mail server process that does things in response to a user command
> allow mta_user_agent userdomain:process sigchld;
> allow mta_user_agent { userdomain privfd }:fd use;
> +ifdef(`crond.te', `
> allow mta_user_agent crond_t:process sigchld;
> +')
> allow mta_user_agent sysadm_t:fifo_file { read write };
>
> allow { system_mail_t mta_user_agent } privmail:fd use;
> @@ -57,3 +60,13 @@
> allow mta_delivery_agent devtty_t:chr_file rw_file_perms;
> allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read };
>
> +# rules are currently defined in sendmail.te, but it is not included in
> +# targeted policy. We could move these rules permanantly here.
> +ifdef(`targeted_policy', `
> +allow system_mail_t self:dir { search };
> +allow system_mail_t proc_t:dir search;
> +allow system_mail_t proc_t:{ file lnk_file } { getattr read };
> +allow system_mail_t fs_t:filesystem getattr;
> +allow system_mail_t { var_t var_spool_t }:dir getattr;
> +create_dir_file( system_mail_t, mqueue_spool_t)
> +')
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.19.2/domains/program/unused/named.te
> --- nsapolicy/domains/program/unused/named.te 2004-11-05 23:24:16.000000000 -0500
> +++ policy-1.19.2/domains/program/unused/named.te 2004-11-18 08:55:41.707743815 -0500
> @@ -77,6 +77,7 @@
>
> allow named_t self:unix_stream_socket create_stream_socket_perms;
> allow named_t self:unix_dgram_socket create_socket_perms;
> +allow named_t self:netlink_route_socket r_netlink_socket_perms;
>
> # Read sysctl kernel variables.
> allow named_t sysctl_t:dir r_dir_perms;
> @@ -149,7 +150,7 @@
> allow ndc_t named_zone_t:file getattr;
> dontaudit ndc_t sysadm_home_t:dir { getattr search read };
> ')
> -allow ndc_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
> +allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
> dontaudit ndc_t sysadm_tty_device_t:chr_file { ioctl };
> # Allow init script to cp localtime to named_conf_t
> allow initrc_t named_conf_t:file { write };
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.19.2/domains/program/unused/ntpd.te
> --- nsapolicy/domains/program/unused/ntpd.te 2004-11-18 08:13:58.000000000 -0500
> +++ policy-1.19.2/domains/program/unused/ntpd.te 2004-11-18 09:16:48.946760475 -0500
> @@ -42,18 +42,18 @@
> allow ntpd_t ntp_port_t:udp_socket name_bind;
> allow ntpd_t self:unix_dgram_socket create_socket_perms;
> allow ntpd_t self:unix_stream_socket create_socket_perms;
> +allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
>
> # so the start script can change firewall entries
> allow initrc_t net_conf_t:file { getattr read ioctl };
>
> # for cron jobs
> # system_crond_t is not right, cron is not doing what it should
> -ifdef(`crond.te', `
> -system_crond_entry(ntpd_exec_t, ntpd_t)
> +ifdef(`crond.te', `system_crond_entry(ntpd_exec_t, ntpd_t)')
> can_exec(ntpd_t, initrc_exec_t)
> allow ntpd_t self:fifo_file { read write getattr };
> allow ntpd_t etc_runtime_t:file r_file_perms;
> -can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t logrotate_exec_t ntpd_exec_t })
> +can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t ntpd_exec_t })
> allow ntpd_t { sbin_t bin_t }:dir search;
> allow ntpd_t bin_t:lnk_file read;
> allow ntpd_t sysctl_kernel_t:dir search;
> @@ -63,7 +63,6 @@
> allow ntpd_t self:file { getattr read };
> dontaudit ntpd_t domain:dir search;
> ifdef(`logrotate.te', `can_exec(ntpd_t, logrotate_exec_t)')
> -')
>
> allow ntpd_t devtty_t:chr_file rw_file_perms;
>
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.19.2/domains/program/unused/postgresql.te
> --- nsapolicy/domains/program/unused/postgresql.te 2004-11-18 08:13:58.000000000 -0500
> +++ policy-1.19.2/domains/program/unused/postgresql.te 2004-11-18 08:57:40.718315780 -0500
> @@ -42,10 +42,11 @@
>
> logdir_domain(postgresql)
>
> +ifdef(`crond.te', `
> # allow crond to find /usr/lib/postgresql/bin/do.maintenance
> allow crond_t postgresql_db_t:dir search;
> -
> system_crond_entry(postgresql_exec_t, postgresql_t)
> +')
>
> tmp_domain(postgresql);
> file_type_auto_trans(postgresql_t, tmpfs_t, postgresql_tmp_t)
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.19.2/domains/program/unused/rpcd.te
> --- nsapolicy/domains/program/unused/rpcd.te 2004-11-09 13:35:12.000000000 -0500
> +++ policy-1.19.2/domains/program/unused/rpcd.te 2004-11-18 08:58:17.120208533 -0500
> @@ -24,6 +24,7 @@
> allow $1_t var_lib_nfs_t:file create_file_perms;
> # do not log when it tries to bind to a port belonging to another domain
> dontaudit $1_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
> +allow $1_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
> allow $1_t self:netlink_route_socket r_netlink_socket_perms;
> allow $1_t self:unix_dgram_socket create_socket_perms;
> allow $1_t self:unix_stream_socket create_stream_socket_perms;
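Review bot: `allow $1_t reserved_port_t:{ udp_socket tcp_socket } name_bind;` lets every domain built from this macro bind any privileged port that has no more specific port type, and it sits directly under a comment that describes only the dontaudit above it, so a reader will take that comment as its justification. A separate line such as `# RPC services choose their listening port at run time, so no specific port type can be assigned — confirm` would keep the two apart. Because the `reserved_port_type` dontaudit remains, attempts to bind ports that belong to other services will still not appear in the audit log. The enclosing macro definition starts and ends outside this hunk.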
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.19.2/domains/program/unused/snmpd.te
> --- nsapolicy/domains/program/unused/snmpd.te 2004-11-09 13:35:13.000000000 -0500
> +++ policy-1.19.2/domains/program/unused/snmpd.te 2004-11-18 08:58:52.256244113 -0500
> @@ -38,7 +38,7 @@
> allow snmpd_t self:unix_dgram_socket create_socket_perms;
> allow snmpd_t self:unix_stream_socket create_socket_perms;
> allow snmpd_t etc_t:lnk_file read;
> -allow snmpd_t { etc_t etc_runtime_t }:file { getattr read };
> +allow snmpd_t { etc_t etc_runtime_t }:file r_file_perms;
> allow snmpd_t urandom_device_t:chr_file read;
> allow snmpd_t self:capability { dac_override kill net_bind_service net_admin sys_nice sys_tty_config };
>
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.19.2/domains/program/unused/squid.te
> --- nsapolicy/domains/program/unused/squid.te 2004-11-09 13:35:13.000000000 -0500
> +++ policy-1.19.2/domains/program/unused/squid.te 2004-11-18 08:59:29.988986705 -0500
> @@ -62,10 +62,12 @@
>
> # to allow running programs from /usr/lib/squid (IE unlinkd)
> # also allow exec()ing itself
> -can_exec(squid_t, { lib_t squid_exec_t } )
> +can_exec(squid_t, { lib_t squid_exec_t bin_t sbin_t } )
> allow squid_t { bin_t sbin_t }:dir search;
> +allow squid_t { bin_t sbin_t }:lnk_file read;
>
> dontaudit squid_t { home_root_t security_t devpts_t }:dir getattr;
> ifdef(`targeted_policy', `
> dontaudit squid_t tty_device_t:chr_file { read write };
> ')
> +allow squid_t urandom_device_t:chr_file { getattr read };
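Review bot: The comment `# to allow running programs from /usr/lib/squid (IE unlinkd)` above the changed `can_exec` line no longer describes the grant, which now also covers everything labelled bin_t and sbin_t. Either narrow the rule to the helper types squid actually needs or extend the comment, e.g. `# also allows helpers installed under bin/sbin (presumably external auth/ACL helpers)`, so the widening is recorded. The urandom read added at the end of the hunk is unconditional and unrelated to the `targeted_policy` block it follows; a blank line or comment would make that visible.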
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/vpnc.te policy-1.19.2/domains/program/unused/vpnc.te
> --- nsapolicy/domains/program/unused/vpnc.te 2004-10-14 23:25:18.000000000 -0400
> +++ policy-1.19.2/domains/program/unused/vpnc.te 2004-11-18 09:17:37.765252256 -0500
> @@ -17,6 +17,7 @@
> # Use the network.
> can_network(vpnc_t)
> can_ypbind(vpnc_t)
> +allow vpnc_t self:socket create_socket_perms;
>
> # Use capabilities.
> allow vpnc_t self:capability { net_admin ipc_lock net_bind_service net_raw };
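Review bot: `allow vpnc_t self:socket create_socket_perms;` adds the generic socket class to a domain that already holds `net_admin` and `net_raw`, with no comment on what socket family needs it, and the next hunk's `can_exec(vpnc_t, {bin_t sbin_t ifconfig_exec_t shell_exec_t })` lets the same domain run any binary under bin/sbin plus a shell, also uncommented. Presumably the exec grant is for the script vpnc runs to configure interfaces and routes; `# vpnc runs a helper shell script to set up routes/interfaces — confirm and narrow if possible` above it would record that, and the `self:socket` line deserves a similar one-liner naming the family.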
> @@ -28,3 +29,12 @@
> allow vpnc_t self:unix_dgram_socket create_socket_perms;
> allow vpnc_t self:unix_stream_socket create_socket_perms;
> allow vpnc_t admin_tty_type:chr_file rw_file_perms;
> +allow vpnc_t port_t:udp_socket name_bind;
> +allow vpnc_t etc_runtime_t:file { getattr read };
> +allow vpnc_t proc_t:file { getattr read };
> +dontaudit vpnc_t selinux_config_t:dir search;
> +can_exec(vpnc_t, {bin_t sbin_t ifconfig_exec_t shell_exec_t })
> +allow vpnc_t sysctl_net_t:dir search;
> +allow vpnc_t sbin_t:dir search;
> +allow vpnc_t bin_t:dir search;
> +allow vpnc_t bin_t:lnk_file read;
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.19.2/domains/program/unused/xdm.te
> --- nsapolicy/domains/program/unused/xdm.te 2004-11-18 08:13:58.000000000 -0500
> +++ policy-1.19.2/domains/program/unused/xdm.te 2004-11-18 09:01:02.054598887 -0500
> @@ -241,6 +241,9 @@
> # Access sound device.
> allow xdm_t sound_device_t:chr_file { setattr getattr };
>
> +# Allow setting of attributes on power management devices.
> +allow xdm_t power_device_t:chr_file { getattr setattr };
> +
> # Run the X server in a derived domain.
> xserver_domain(xdm)
>
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.19.2/domains/user.te
> --- nsapolicy/domains/user.te 2004-11-18 08:13:57.000000000 -0500
> +++ policy-1.19.2/domains/user.te 2004-11-18 08:48:23.922139427 -0500
> @@ -18,6 +18,9 @@
> # Allow system to run with NIS
> bool allow_ypbind false;
>
> +# Allow system to run with kerberos
> +bool allow_kerberos false;
> +
> # Allow users to rw usb devices
> bool user_rw_usb false;
>
> diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.19.2/file_contexts/distros.fc
> --- nsapolicy/file_contexts/distros.fc 2004-10-06 16:21:13.000000000 -0400
> +++ policy-1.19.2/file_contexts/distros.fc 2004-11-18 08:48:23.923139314 -0500
> @@ -30,5 +30,6 @@
> /usr/share/system-config-nfs/nfs-export.py -- system_u:object_r:bin_t
> /usr/share/pydict/pydict.py -- system_u:object_r:bin_t
> /usr/share/cvs/contrib/rcs2log -- system_u:object_r:bin_t
> +/usr/share/pwlib/make/ptlib-config -- system_u:object_r:bin_t
> ')
>
> diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.19.2/file_contexts/program/apache.fc
> --- nsapolicy/file_contexts/program/apache.fc 2004-11-18 08:13:58.000000000 -0500
> +++ policy-1.19.2/file_contexts/program/apache.fc 2004-11-18 08:48:23.924139201 -0500
> @@ -27,6 +27,7 @@
> /var/cache/mod_ssl(/.*)? system_u:object_r:httpd_cache_t
> /var/run/apache(2)?.pid.* -- system_u:object_r:httpd_var_run_t
> /var/lib/httpd(/.*)? system_u:object_r:httpd_var_lib_t
> +/var/lib/php/session(/.*)? system_u:object_r:httpd_var_run_t
> /etc/apache-ssl(2)?(/.*)? system_u:object_r:httpd_config_t
> /usr/lib/apache-ssl(/.*)? -- system_u:object_r:httpd_exec_t
> /usr/sbin/apache-ssl(2)? -- system_u:object_r:httpd_exec_t
> @@ -37,4 +38,5 @@
> # suse puts shell scripts there :-(
> /usr/share/apache2/.* -- system_u:object_r:bin_t
> ')
> -/var/lib/squirrelmail/prefs(/.*)? system_u:object_r:httpd_sys_script_rw_t
> +/var/lib/squirrelmail/prefs(/.*)? system_u:object_r:httpd_squirrelmail_t
> +/usr/bin/htsslpass -- system_u:object_r:httpd_helper_exec_t
> diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cups.fc policy-1.19.2/file_contexts/program/cups.fc
> --- nsapolicy/file_contexts/program/cups.fc 2004-10-14 23:25:19.000000000 -0400
> +++ policy-1.19.2/file_contexts/program/cups.fc 2004-11-18 08:48:23.924139201 -0500
> @@ -1,7 +1,7 @@
> # cups printing
> /etc/cups(/.*)? system_u:object_r:cupsd_etc_t
> /usr/share/cups(/.*)? system_u:object_r:cupsd_etc_t
> -/etc/alchemist/namespace/printconf/local.adl system_u:object_r:cupsd_rw_etc_t
> +/etc/alchemist/namespace/printconf(/.*)? system_u:object_r:cupsd_rw_etc_t
> /var/cache/alchemist/printconf.* system_u:object_r:cupsd_rw_etc_t
> /etc/cups/client\.conf -- system_u:object_r:etc_t
> /etc/cups/cupsd.conf.* -- system_u:object_r:cupsd_rw_etc_t
> @@ -33,3 +33,4 @@
> /usr/sbin/ptal-mlcd -- system_u:object_r:ptal_exec_t
> /var/run/ptal-printd(/.*)? system_u:object_r:ptal_var_run_t
> /var/run/ptal-mlcd(/.*)? system_u:object_r:ptal_var_run_t
> +/usr/share/foomatic/db/oldprinterids -- system_u:object_r:cupsd_rw_etc_t
> diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/hald.fc policy-1.19.2/file_contexts/program/hald.fc
> --- nsapolicy/file_contexts/program/hald.fc 2004-09-22 16:19:13.000000000 -0400
> +++ policy-1.19.2/file_contexts/program/hald.fc 2004-11-18 08:48:23.925139089 -0500
> @@ -3,3 +3,4 @@
> /usr/libexec/hal-hotplug-map -- system_u:object_r:hald_exec_t
> /etc/hal/device.d/printer_remove.hal -- system_u:object_r:hald_exec_t
> /etc/hal/capability.d/printer_update.hal -- system_u:object_r:hald_exec_t
> +/usr/share/hal/device-manager/hal-device-manager -- system_u:object_r:bin_t
> diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/sendmail.fc policy-1.19.2/file_contexts/program/sendmail.fc
> --- nsapolicy/file_contexts/program/sendmail.fc 2004-10-07 08:02:02.000000000 -0400
> +++ policy-1.19.2/file_contexts/program/sendmail.fc 2004-11-18 08:48:23.925139089 -0500
> @@ -1,6 +1,5 @@
> # sendmail
> /etc/mail(/.*)? system_u:object_r:etc_mail_t
> -/var/spool/(client)?mqueue(/.*)? system_u:object_r:mqueue_spool_t
> /var/log/sendmail\.st -- system_u:object_r:sendmail_log_t
> /var/log/mail(/.*)? system_u:object_r:sendmail_log_t
> /var/run/sendmail.pid -- system_u:object_r:sendmail_var_run_t
> diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.19.2/file_contexts/types.fc
> --- nsapolicy/file_contexts/types.fc 2004-11-18 08:13:58.000000000 -0500
> +++ policy-1.19.2/file_contexts/types.fc 2004-11-18 08:48:23.927138863 -0500
> @@ -334,6 +334,7 @@
> /usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
> /usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
> /usr(/.*)?/bin(/.*)? system_u:object_r:bin_t
> +/usr(/.*)?/Bin(/.*)? system_u:object_r:bin_t
> /usr(/.*)?/sbin(/.*)? system_u:object_r:sbin_t
> /usr/etc(/.*)? system_u:object_r:etc_t
> /usr/inclu.e(/.*)? system_u:object_r:usr_t
> @@ -392,6 +393,7 @@
> #
> /var/spool(/.*)? system_u:object_r:var_spool_t
> /var/spool/texmf(/.*)? system_u:object_r:tetex_data_t
> +/var/spool/(client)?mqueue(/.*)? system_u:object_r:mqueue_spool_t
>
> #
> # /var/log
> diff --exclude-from=exclude -N -u -r nsapolicy/macros/admin_macros.te policy-1.19.2/macros/admin_macros.te
> --- nsapolicy/macros/admin_macros.te 2004-11-18 08:13:58.000000000 -0500
> +++ policy-1.19.2/macros/admin_macros.te 2004-11-18 08:48:23.927138863 -0500
> @@ -196,6 +196,11 @@
> # Grant read and write access to /dev/console.
> allow $1_t console_device_t:chr_file rw_file_perms;
>
> +# Allow MAKEDEV to work
> +allow $1_t device_t:dir rw_dir_perms;
> +allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
> +allow $1_t device_t:lnk_file { create read };
> +
> # for lsof
> allow $1_t domain:socket_class_set getattr;
> allow $1_t eventpollfs_t:file getattr;
> diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.19.2/macros/base_user_macros.te
> --- nsapolicy/macros/base_user_macros.te 2004-11-18 08:13:58.000000000 -0500
> +++ policy-1.19.2/macros/base_user_macros.te 2004-11-18 09:01:27.432735456 -0500
> @@ -291,6 +291,9 @@
> # Access the sound device.
> allow $1_t sound_device_t:chr_file { getattr read write ioctl };
>
> +# Access the power device.
> +allow $1_t power_device_t:chr_file { getattr read write ioctl };
> +
> allow $1_t var_log_t:dir { getattr search };
> dontaudit $1_t logfile:file getattr;
>
> diff --exclude-from=exclude -N -u -r nsapolicy/macros/core_macros.te policy-1.19.2/macros/core_macros.te
> --- nsapolicy/macros/core_macros.te 2004-11-09 13:35:13.000000000 -0500
> +++ policy-1.19.2/macros/core_macros.te 2004-11-18 09:05:47.706368626 -0500
> @@ -137,17 +137,27 @@
> #
> # Permissions for creating and using sockets.
> #
> -define(`create_socket_perms', `{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
> +define(`create_socket_perms', `{ create rw_socket_perms }')
>
> #
> # Permissions for using stream sockets.
> #
> -define(`rw_stream_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }')
> +define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
>
> #
> # Permissions for creating and using stream sockets.
> #
> -define(`create_stream_socket_perms', `{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }')
> +define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
> +
> +#
> +# Permissions for creating and using sockets.
> +#
> +define(`connected_socket_perms', `{ create_socket_perms -connect }')
> +
> +#
> +# Permissions for creating and using sockets.
> +#
> +define(`connected_stream_socket_perms', `{ create_stream_socket_perms -connect }')
>
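Review bot: The header comments above the new `connected_socket_perms` and `connected_stream_socket_perms` macros both repeat `# Permissions for creating and using sockets.`, the text of the `create_socket_perms` header, and say nothing about the one thing these macros exist for, the exclusion of `connect`; suggest `# Permissions for creating and using sockets without initiating outbound connections (create_socket_perms minus connect).` and the stream counterpart. The `-connect` form relies on subtraction inside a permission set; checkpolicy accepts `-` in type sets, and whether it does so for permissions should be confirmed with a build before this lands. Nothing in this patch uses either macro yet.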
>
> #
> @@ -158,12 +168,12 @@
> #
> # Permissions for using netlink sockets for operations that modify state.
> #
> -define(`rw_netlink_socket_perms', `{ create rw_socket_perms nlmsg_read nlmsg_write }')
> +define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
>
> #
> # Permissions for using netlink sockets for operations that observe state.
> #
> -define(`r_netlink_socket_perms', `{ create rw_socket_perms nlmsg_read }')
> +define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
>
> #
> # Permissions for sending all signals.
> diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.19.2/macros/program/apache_macros.te
> --- nsapolicy/macros/program/apache_macros.te 2004-11-18 08:13:58.000000000 -0500
> +++ policy-1.19.2/macros/program/apache_macros.te 2004-11-18 09:06:46.828697818 -0500
> @@ -110,11 +110,12 @@
> create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t)
> ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
>
> -if (httpd_enable_cgi) && (httpd_unified) {
> +if (httpd_enable_cgi) && (httpd_unified) ifdef(`targeted_policy', ` && ! (httpd_disable_trans)') {
> ifelse($1, sys, `
> domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
> domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
> domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
> +create_dir_file(httpd_t, httpdcontent)
> ', `
> create_dir_file(httpd_$1_script_t, httpdcontent)
> can_exec(httpd_$1_script_t, httpdcontent )
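Review bot: `create_dir_file(httpd_t, httpdcontent)` is added to the same `ifelse($1, sys, ...)` branch that already holds `domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)`, so with `httpd_enable_cgi` and `httpd_unified` both on, httpd_t can write a file under any httpdcontent type and then have it run in httpd_sys_script_t. That is presumably what the unified bool is meant to permit, but it deserves a comment making the trade-off explicit: `# unified mode: httpd_t may create/modify content that it can also run as a sys script`. The `ifdef(`targeted_policy', ` && ! (httpd_disable_trans)')` spliced into the `if` condition also depends on an `httpd_disable_trans` bool being declared in targeted policy, and that declaration is not in this patch. The macro this hunk belongs to starts and ends outside it.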
> diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/inetd_macros.te policy-1.19.2/macros/program/inetd_macros.te
> --- nsapolicy/macros/program/inetd_macros.te 2004-11-18 08:13:59.000000000 -0500
> +++ policy-1.19.2/macros/program/inetd_macros.te 2004-11-18 09:07:36.065142440 -0500
> @@ -44,7 +44,7 @@
> allow $1_t self:dir search;
> allow $1_t self:file { getattr read };
> can_kerberos($1_t)
> -allow $1_t urandom_device_t:chr_file { getattr read };
> +allow $1_t urandom_device_t:chr_file r_file_perms;
> type $1_port_t, port_type, reserved_port_type;
> # Use sockets inherited from inetd.
> ifelse($2, `', `
> diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/kerberos_macros.te policy-1.19.2/macros/program/kerberos_macros.te
> --- nsapolicy/macros/program/kerberos_macros.te 2004-11-17 14:51:55.000000000 -0500
> +++ policy-1.19.2/macros/program/kerberos_macros.te 2004-11-18 09:08:04.893889675 -0500
> @@ -1,7 +1,9 @@
> define(`can_kerberos',`
> ifdef(`kerberos.te',`
> +if (allow_kerberos) {
> can_network($1)
> dontaudit $1 krb5_conf_t:file write;
> allow $1 krb5_conf_t:file { getattr read };
> +}
> ') dnl kerberos.te
> ')
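Review bot: Wrapping `can_network($1)` in `if (allow_kerberos)` changes what `can_kerberos` hands out: with the bool at its default of `false` (user.te in this patch), any domain whose only network grant came through `can_kerberos` — inetd_macros.te in this patch calls it for the inetd child domains — loses the network access it had before. If that is intended, say so in the macro, e.g. `# with allow_kerberos off nothing is granted here; callers that need the network must call can_network themselves`; otherwise keep `can_network($1)` outside the conditional and gate only the krb5_conf_t rules.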
> diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/lpr_macros.te policy-1.19.2/macros/program/lpr_macros.te
> --- nsapolicy/macros/program/lpr_macros.te 2004-11-09 13:35:13.000000000 -0500
> +++ policy-1.19.2/macros/program/lpr_macros.te 2004-11-18 09:09:14.527032926 -0500
> @@ -18,7 +18,7 @@
> undefine(`lpr_domain')
> define(`lpr_domain',`
> # Derived domain based on the calling user domain and the program
> -type $1_lpr_t, domain, privlog;
> +type $1_lpr_t, domain, privlog, nscd_client_domain;
>
> # Transition from the user domain to the derived domain.
> domain_auto_trans($1_t, lpr_exec_t, $1_lpr_t)
> @@ -104,6 +104,7 @@
> # Connect to lpd via a TCP socket.
> can_tcp_connect($1_lpr_t, lpd_t)
>
> +allow $1_lpr_t fs_t:filesystem getattr;
> # Send SIGHUP to lpd.
> allow $1_lpr_t lpd_t:process signal;
>
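Review bot: The new `allow $1_lpr_t fs_t:filesystem getattr;` has no comment and is placed directly above the `# Send SIGHUP to lpd.` comment, so it reads as an uncommented rule in the middle of another rule's documentation. Move it below the blank line and give it its own why-comment, e.g. `# Presumably statfs() on the filesystem; confirm against the denial that prompted this` (I cannot tell from the hunk which call needs it).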
> @@ -120,5 +121,11 @@
> can_tcp_connect({ $1_lpr_t $1_t }, cupsd_t)
> ')dnl end ifdef cups.te
>
> +ifdef(`hide_broken_symptoms', `
> +# thunderbird causes these
> +dontaudit $1_lpr_t $1_t:tcp_socket { read write };
> +dontaudit $1_lpr_t { $1_home_t $1_tmp_t }:file write;
> +')
> +
> ')dnl end macro definition
>
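Review bot: `# thunderbird causes these` does not say what is being suppressed or why it is safe, which matters for dontaudit rules because they hide evidence rather than grant access. A comment along the lines of `# Descriptors leaked into $1_lpr_t from the calling user domain (seen with thunderbird); the access stays denied, only the audit noise is suppressed` would record the reasoning. Note that this block only takes effect when `hide_broken_symptoms` is defined, and the tunable.tun hunk in this same patch flips that on by default, so these denials will become invisible in the default build.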
> diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.19.2/macros/program/mozilla_macros.te
> --- nsapolicy/macros/program/mozilla_macros.te 2004-11-18 08:13:59.000000000 -0500
> +++ policy-1.19.2/macros/program/mozilla_macros.te 2004-11-18 09:10:42.462111158 -0500
> @@ -105,6 +105,8 @@
> dontaudit $1_mozilla_t bin_t:dir getattr;
> dontaudit $1_mozilla_t port_type:tcp_socket name_bind;
> dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms;
> +# running mplayer within firefox asks for this
> +allow $1_mozilla_t clock_device_t:chr_file r_file_perms;
> # Mozilla tries to delete .fonts.cache-1
> dontaudit $1_mozilla_t $1_home_t:file unlink;
> dontaudit $1_mozilla_t tmpfile:file getattr;
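Review bot: `r_file_perms` on `clock_device_t:chr_file` grants `ioctl` (and `lock`) in addition to `getattr read`; if clock_device_t labels /dev/rtc, ioctl is the path that configures the clock device rather than merely reading it, so this is wider than the comment suggests. Unless the denial that prompted the rule actually included ioctl, `allow $1_mozilla_t clock_device_t:chr_file { getattr read };` is the tighter fix, and the comment would be clearer as `# mplayer plugin helper launched from the browser reads the clock device`.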
> diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mta_macros.te policy-1.19.2/macros/program/mta_macros.te
> --- nsapolicy/macros/program/mta_macros.te 2004-11-18 08:13:59.000000000 -0500
> +++ policy-1.19.2/macros/program/mta_macros.te 2004-11-18 09:11:15.394395389 -0500
> @@ -61,9 +61,11 @@
> domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
> allow privmail sendmail_exec_t:lnk_file { getattr read };
>
> +ifdef(`crond.te', `
> # Read cron temporary files.
> allow system_mail_t system_crond_tmp_t:file { read getattr ioctl };
> allow mta_user_agent system_crond_tmp_t:file { read getattr };
> +')
> allow system_mail_t initrc_devpts_t:chr_file { read write getattr };
>
> ', `
> diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xserver_macros.te policy-1.19.2/macros/program/xserver_macros.te
> --- nsapolicy/macros/program/xserver_macros.te 2004-11-09 13:35:13.000000000 -0500
> +++ policy-1.19.2/macros/program/xserver_macros.te 2004-11-18 09:12:18.809240254 -0500
> @@ -27,9 +27,11 @@
> ifdef(`distro_redhat', `
> type $1_xserver_t, domain, privlog, privmem, privmodule, nscd_client_domain;
> allow $1_xserver_t sysctl_modprobe_t:file { getattr read };
> +ifdef(`rpm.te', `
> allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr };
> allow $1_xserver_t rpm_tmpfs_t:file { read write };
> allow $1_xserver_t rpm_t:fd use;
> +')
>
> ', `
> type $1_xserver_t, domain, privlog, privmem, nscd_client_domain;
> @@ -148,6 +150,7 @@
> allow xdm_xserver_t xdm_t:process signal;
> allow xdm_xserver_t xdm_t:shm rw_shm_perms;
> allow xdm_t xdm_xserver_t:shm rw_shm_perms;
> +dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
> ')
> ', `
> allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
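Review bot: The added `dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };` carries no comment explaining which denial it silences, and unlike the comparable noise-suppression added to lpr_macros.te in this patch it is not gated under `ifdef(`hide_broken_symptoms', ...)`. For consistency, wrap it in that ifdef and add a one-line why-comment, e.g. `# X clients run from sysadm_t share SysV shm segments the server probes; denial is expected and harmless`, hedged to whatever the actual observed denial was.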
> diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.19.2/targeted/domains/unconfined.te
> --- nsapolicy/targeted/domains/unconfined.te 2004-11-18 08:14:00.000000000 -0500
> +++ policy-1.19.2/targeted/domains/unconfined.te 2004-11-18 08:48:23.928138750 -0500
> @@ -45,4 +45,7 @@
> # Allow system to run with NIS
> bool allow_ypbind false;
>
> +# Allow system to run with Kerberos
> +bool allow_kerberos false;
> +
>
> diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.19.2/tunables/distro.tun
> --- nsapolicy/tunables/distro.tun 2004-08-20 13:57:29.000000000 -0400
> +++ policy-1.19.2/tunables/distro.tun 2004-11-18 08:48:23.929138637 -0500
> @@ -5,7 +5,7 @@
> # appropriate ifdefs.
>
>
> -dnl define(`distro_redhat')
> +define(`distro_redhat')
>
> dnl define(`distro_suse')
>
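Review bot: Uncommenting `define(`distro_redhat')` in tunables/distro.tun changes the upstream default for every consumer of this policy tree, not just the Red Hat build, and the file's own comment describes these as per-distribution ifdef selectors. If this is a local build setting that leaked into the patch it should be dropped; if it is intended, the comment above should say that the upstream default is now Red Hat and that other distributions must re-comment it.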
> diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.19.2/tunables/tunable.tun
> --- nsapolicy/tunables/tunable.tun 2004-11-09 13:35:13.000000000 -0500
> +++ policy-1.19.2/tunables/tunable.tun 2004-11-18 08:48:23.929138637 -0500
> @@ -1,27 +1,27 @@
> # Allow users to execute the mount command
> -dnl define(`user_can_mount')
> +define(`user_can_mount')
>
> # Allow rpm to run unconfined.
> -dnl define(`unlimitedRPM')
> +define(`unlimitedRPM')
>
> # Allow privileged utilities like hotplug and insmod to run unconfined.
> -dnl define(`unlimitedUtils')
> +define(`unlimitedUtils')
>
> # Allow rc scripts to run unconfined, including any daemon
> # started by an rc script that does not have a domain transition
> # explicitly defined.
> -dnl define(`unlimitedRC')
> +define(`unlimitedRC')
>
> # Allow sysadm_t to directly start daemons
> define(`direct_sysadm_daemon')
>
> # Do not audit things that we know to be broken but which
> # are not security risks
> -dnl define(`hide_broken_symptoms')
> +define(`hide_broken_symptoms')
>
> # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
> # Otherwise, only staff_r can do so.
> -dnl define(`user_canbe_sysadm')
> +define(`user_canbe_sysadm')
>
> # Allow xinetd to run unconfined, including any services it starts
> # that do not have a domain transition explicitly defined.
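Review bot: This hunk enables `unlimitedRPM`, `unlimitedUtils` and `unlimitedRC` in the upstream tunables, which by the file's own comments let rpm, hotplug/insmod, rc scripts and every daemon they start run unconfined, alongside `user_can_mount`, `user_canbe_sysadm` and `hide_broken_symptoms`. Together these are the relaxed defaults of a targeted build, and shipping them as the tree-wide defaults silently weakens the strict policy for anyone building from upstream. Consider keeping these lines `dnl`-commented here and enabling them in the targeted build's tunables, or at minimum add a comment stating that the defaults were changed deliberately and what threat model they assume. Enabling `hide_broken_symptoms` by default also activates the new dontaudit rules added in lpr_macros.te in this same patch.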

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Fri 19 Nov 2004 - 17:03:54 EST
 
