SELinux Mailing List: Today's Diffs.
From: Daniel J Walsh <dwalsh_at_redhat.com>
Date: Wed, 06 Oct 2004 13:54:39 -0400
Added reiserfs changes. Added getty access to initrc_devpts_t. Some fixes for i18n. Minor fixes for inetd_child stuff. Fixes for rpm_script.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.17.28/domains/program/crond.te
--- nsapolicy/domains/program/crond.te 2004-09-29 07:36:46.000000000 -0400
@@ -46,7 +46,7 @@
 log_domain(crond)
# Use capabilities.
# Get security policy decisions.
# for if /var/mail is a symlink
ifdef(`mta.te', `
--- nsapolicy/domains/program/getty.te 2004-08-20 13:57:27.000000000 -0400
@@ -58,3 +58,4 @@
rw_dir_create_file(getty_t, var_lock_t)
r_dir_file(getty_t, sysfs_t)
--- nsapolicy/domains/program/syslogd.te 2004-10-01 15:05:30.000000000 -0400
@@ -94,5 +94,5 @@
 # /initrd is not umounted before minilog starts # dontaudit syslogd_t file_t:dir search;
-allow syslogd_t devpts_t:dir { search };
+allow syslogd_t { tmpfs_t devpts_t }:dir { search };
 dontaudit syslogd_t unlabeled_t:file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.17.28/domains/program/unused/amanda.te
--- nsapolicy/domains/program/unused/amanda.te 2004-10-06 09:18:32.000000000 -0400
@@ -302,5 +302,5 @@
 # Rules to allow amanda to be run as a service in xinetd # type amanda_port_t, port_type;
-allow inetd_t amanda_port_t:udp_socket { name_bind };
+allow inetd_t amanda_port_t:{ tcp_socket udp_socket } { name_bind };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/comsat.te policy-1.17.28/domains/program/unused/comsat.te
--- nsapolicy/domains/program/unused/comsat.te 2004-10-06 09:18:32.000000000 -0400
@@ -11,7 +11,7 @@
 # comsat_exec_t is the type of the comsat executable. #
-inetd_child_domain(comsat, udp)
allow comsat_t initrc_var_run_t:file r_file_perms;
 dontaudit comsat_t initrc_var_run_t:file write;
 allow comsat_t mail_spool_t:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.17.28/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te 2004-10-06 09:18:32.000000000 -0400
@@ -31,7 +31,7 @@
 allow hald_t bin_t:file { getattr };
 allow hald_t self:netlink_route_socket r_netlink_socket_perms;
-allow hald_t self:capability { net_admin sys_admin };
+allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search };
 can_network(hald_t) can_ypbind(hald_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/i18n_input.te policy-1.17.28/domains/program/unused/i18n_input.te
--- nsapolicy/domains/program/unused/i18n_input.te 2004-08-27 09:30:29.000000000 -0400
@@ -25,7 +25,10 @@
 allow i18n_input_t i18n_input_port_t:tcp_socket name_bind;
 allow i18n_input_t self:capability { kill setgid setuid };
-allow i18n_input_t self:process setsched;
+allow i18n_input_t self:process { setsched setpgid };
 allow i18n_input_t { bin_t sbin_t }:dir search;
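Review bot: Adding `dac_override dac_read_search` to `allow hald_t self:capability` lets hald ignore file mode and ownership checks on everything the MAC policy already lets it reach, a far broader grant than the netlink and network access in the surrounding rules, and the hunk records no file or directory that needs it. If a specific path triggered the denial, an `allow hald_t <that_type>:...` rule, or a `dontaudit` where the access is merely attempted and not required, keeps hald's privilege bounded. Failing that, a comment above the line such as `# dac_override/dac_read_search: needed to read <path> — TODO cite the AVC` would let later maintainers re-check whether it is still required.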
+allow i18n_input_t etc_t:file r_file_perms;
--- nsapolicy/domains/program/unused/jabberd.te 2004-08-27 09:30:29.000000000 -0400
@@ -4,7 +4,7 @@
 # X-Debian-Packages: jabber
daemon_domain(jabberd)
type jabber_client_port_t, port_type;
--- nsapolicy/domains/program/unused/ktalkd.te 2004-10-06 09:18:32.000000000 -0400
@@ -10,4 +10,4 @@
 # ktalkd_exec_t is the type of the ktalkd executable. #
-inetd_child_domain(ktalkd, udp)
--- nsapolicy/domains/program/unused/rpm.te 2004-10-06 09:18:32.000000000 -0400
@@ -152,7 +152,7 @@
 can_exec_any(rpm_script_t)
# Capabilties needed by rpm scripts utils
-allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod };
# ideally we would not need this
allow rpm_t mount_t:tcp_socket { write };
create_dir_file(rpm_t, nfs_t)
allow rpm_script_t userdomain:fd use;
@@ -248,6 +248,8 @@
+allow rpm_script_t userdomain:process { signal };
--- nsapolicy/domains/program/unused/sendmail.te 2004-09-10 11:01:02.000000000 -0400
@@ -65,11 +65,6 @@
 # Read /usr/lib/sasl2/.* allow sendmail_t lib_t:file { getattr read };
-# /usr/sbin/sendmail asks for w access to utmp, but it will operate
-# correctly without it. Do not audit write and lock denials to utmp.
-allow sendmail_t initrc_var_run_t:file { getattr read };
-dontaudit sendmail_t initrc_var_run_t:file { lock write };
-
 # When sendmail runs as user_mail_domain, it needs some extra permissions # to update /etc/mail/statistics.
 allow user_mail_domain etc_mail_t:file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.17.28/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc 1969-12-31 19:00:00.000000000 -0500
@@ -0,0 +1,34 @@
+ifdef(`distro_redhat', `
+/usr/share/system-config-network(/netconfig)?/[^/]+.py -- system_u:object_r:bin_t
+/etc/sysconfig/networking/profiles/.*/resolv.conf -- system_u:object_r:net_conf_t
+/etc/sysconfig/network-scripts/.*resolv.conf -- system_u:object_r:net_conf_t
+/usr/share/rhn/rhn_applet/applet.py -- system_u:object_r:bin_t
+/usr/share/rhn/rhn_applet/eggtrayiconmodule.so -- system_u:object_r:shlib_t
+/usr/share/rhn/rhn_applet/needed-packages.py -- system_u:object_r:bin_t
+/usr/share/authconfig/authconfig-gtk.py -- system_u:object_r:bin_t
+/usr/share/hwbrowser/hwbrowser -- system_u:object_r:bin_t
+/usr/share/system-config-httpd/system-config-httpd -- system_u:object_r:bin_t
+/usr/share/system-config-services/system-config-services -- system_u:object_r:bin_t
+/usr/share/system-logviewer/system-logviewer.py -- system_u:object_r:bin_t
+/usr/share/system-config-date/system-config-date.py -- system_u:object_r:bin_t
+/usr/share/system-config-display/system-config-display -- system_u:object_r:bin_t
+/usr/share/system-config-keyboard/system-config-keyboard -- system_u:object_r:bin_t
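Review bot: `allow rpm_script_t userdomain:process { signal };` lets package scriptlets signal every process in every user domain, with nothing in the hunk saying which scriptlet needs it, and the hunk header announces two added lines of which the page shows only this one. If the motivating case was a scriptlet telling a running user program to reload, a comment like `# scriptlets signal running user programs (e.g. to reload) — TODO cite the AVC` records the intent, and naming the specific user domain involved instead of the whole `userdomain` attribute would keep the grant narrower. `signal` here does not cover `sigkill`, `sigstop` or `sigchld`, which are separate permissions, so the change concerns the remaining signals only.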
+/usr/share/system-config-language/system-config-language -- system_u:object_r:bin_t
+/usr/share/system-config-mouse/system-config-mouse -- system_u:object_r:bin_t
+/usr/share/system-config-netboot/system-config-netboot.py -- system_u:object_r:bin_t
+/usr/share/system-config-netboot/pxeos.py -- system_u:object_r:bin_t
+/usr/share/system-config-netboot/pxeboot.py -- system_u:object_r:bin_t
+/usr/share/system-config-nfs/system-config-nfs.py -- system_u:object_r:bin_t
+/usr/share/system-config-rootpassword/system-config-rootpassword -- system_u:object_r:bin_t
+/usr/share/system-config-samba/system-config-samba.py -- system_u:object_r:bin_t
+/usr/share/system-config-securitylevel/system-config-securitylevel.py -- system_u:object_r:bin_t
+/usr/share/system-config-services/serviceconf.py -- system_u:object_r:bin_t
+/usr/share/system-config-soundcard/system-config-soundcard -- system_u:object_r:bin_t
+/usr/share/system-config-users/system-config-users -- system_u:object_r:bin_t
+/usr/share/switchdesk/switchdesk-gui.py -- system_u:object_r:bin_t
+/usr/share/system-config-network/neat-control.py -- system_u:object_r:bin_t
+/usr/share/system-config-nfs/nfs-export.py -- system_u:object_r:bin_t
+/usr/share/pydict/pydict.py -- system_u:object_r:bin_t
+/usr/share/cvs/contrib/rcs2log -- system_u:object_r:bin_t
+')
+
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/i18n_input.fc policy-1.17.28/file_contexts/program/i18n_input.fc
--- nsapolicy/file_contexts/program/i18n_input.fc 2004-06-22 15:14:34.000000000 -0400
ifdef(`distro_redhat', `
-/usr/share/system-config-network(/netconfig)?/[^/]+.py -- system_u:object_r:bin_t
-/etc/sysconfig/networking/profiles/.*/resolv.conf -- system_u:object_r:net_conf_t
-/etc/sysconfig/network-scripts/.*resolv.conf -- system_u:object_r:net_conf_t
-/usr/share/rhn/rhn_applet/applet.py -- system_u:object_r:bin_t
-/usr/share/rhn/rhn_applet/eggtrayiconmodule.so -- system_u:object_r:shlib_t
-/usr/share/rhn/rhn_applet/needed-packages.py
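Review bot: In the first entry of the new distros.fc, `/usr/share/system-config-network(/netconfig)?/[^/]+.py -- system_u:object_r:bin_t`, the `.` before `py` is an unescaped regex metacharacter, so the pattern matches any file in that directory whose name ends in `py`, not only `.py` scripts; file_contexts paths are regular expressions. `/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- system_u:object_r:bin_t` is the intended pattern. The `.` in the fixed-name entries (`applet.py`, `resolv.conf`, …) has the same looseness but can only widen the match by one character, so it matters less; the content is moved from elsewhere, but since this file is new it is the natural place to tidy it.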
-- system_u:object_r:bin_t
-/usr/share/authconfig/authconfig-gtk.py -- system_u:object_r:bin_t
-/usr/share/hwbrowser/hwbrowser -- system_u:object_r:bin_t
-/usr/share/system-config-httpd/system-config-httpd -- system_u:object_r:bin_t
-/usr/share/system-config-services/system-config-services -- system_u:object_r:bin_t
-/usr/share/system-logviewer/system-logviewer.py -- system_u:object_r:bin_t
-/usr/share/system-config-date/system-config-date.py -- system_u:object_r:bin_t
-/usr/share/system-config-display/system-config-display -- system_u:object_r:bin_t
-/usr/share/system-config-keyboard/system-config-keyboard -- system_u:object_r:bin_t
-/usr/share/system-config-language/system-config-language -- system_u:object_r:bin_t
-/usr/share/system-config-mouse/system-config-mouse -- system_u:object_r:bin_t
-/usr/share/system-config-netboot/system-config-netboot.py -- system_u:object_r:bin_t
-/usr/share/system-config-netboot/pxeos.py -- system_u:object_r:bin_t
-/usr/share/system-config-netboot/pxeboot.py -- system_u:object_r:bin_t
-/usr/share/system-config-nfs/system-config-nfs.py -- system_u:object_r:bin_t
-/usr/share/system-config-rootpassword/system-config-rootpassword -- system_u:object_r:bin_t
-/usr/share/system-config-samba/system-config-samba.py -- system_u:object_r:bin_t
-/usr/share/system-config-securitylevel/system-config-securitylevel.py -- system_u:object_r:bin_t
-/usr/share/system-config-services/serviceconf.py -- system_u:object_r:bin_t
-/usr/share/system-config-soundcard/system-config-soundcard -- system_u:object_r:bin_t
-/usr/share/system-config-users/system-config-users -- system_u:object_r:bin_t
-/usr/share/switchdesk/switchdesk-gui.py -- system_u:object_r:bin_t
-/usr/share/system-config-network/neat-control.py -- system_u:object_r:bin_t
-/usr/share/system-config-nfs/nfs-export.py -- system_u:object_r:bin_t
-/usr/share/pydict/pydict.py -- system_u:object_r:bin_t
-/usr/share/cvs/contrib/rcs2log -- system_u:object_r:bin_t') # SuSE ifdef(`distro_suse', `
diff
--exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/sendmail.fc policy-1.17.28/file_contexts/program/sendmail.fc
--- nsapolicy/file_contexts/program/sendmail.fc 2004-02-05 15:17:07.000000000 -0500
@@ -401,7 +401,7 @@
 # /usr/local/bin # /usr/local/bin(/.*)? system_u:object_r:bin_t
-
+/usr/local/Acrobat.*/bin/ system_u:object_r:bin_t
 # # /usr/local/lib(64)? #
@@ -517,10 +517,10 @@
 # # The Sun Java development kit, RPM install #
-/usr/java/j2.*/bin(/.*)? system_u:object_r:bin_t
-/usr/java/j2.*/jre/lib(64)?/i386(/.*)? system_u:object_r:lib_t
-/usr/java/j2.*/jre/lib(64)?/i386(/.*)?[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
-/usr/java/j2.*/plugin/i386(/.*)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
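Review bot: The added `/usr/local/Acrobat.*/bin/ system_u:object_r:bin_t` looks unable to match anything: file_contexts regexes are anchored at both ends and the relabelling tools present paths without a trailing slash, so a pattern ending in `/bin/` matches neither the `bin` directory nor the programs inside it. The neighbouring `/usr/local/bin(/.*)?` shows the intended shape; `/usr/local/Acrobat.*/bin(/.*)? system_u:object_r:bin_t` would label the directory and its contents. Also, `Acrobat.*` can cross `/`, so `Acrobat[^/]*` is tighter if only the versioned top-level directory is meant.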
#
--- nsapolicy/fs_use 2004-06-17 09:39:42.000000000 -0400
@@ -7,7 +7,6 @@
 fs_use_xattr ext2 system_u:object_r:fs_t;
 fs_use_xattr ext3 system_u:object_r:fs_t;
 fs_use_xattr xfs system_u:object_r:fs_t;
-fs_use_xattr reiserfs system_u:object_r:fs_t;
 # Use the allocating task SID to label inodes in the following filesystem # types, and label the filesystem itself with the specified context.
diff --exclude-from=exclude -N -u -r nsapolicy/genfs_contexts policy-1.17.28/genfs_contexts
--- nsapolicy/genfs_contexts 2004-09-10 10:45:46.000000000 -0400
@@ -88,6 +88,8 @@
 # nfs genfscon nfs / system_u:object_r:nfs_t
+# reiserfs - until xattr security support works properly
# needs more work
--- nsapolicy/macros/program/dbusd_macros.te 2004-09-13 15:58:20.000000000 -0400
@@ -23,6 +23,7 @@
 role $1_r types $1_dbusd_t;
 domain_auto_trans($1_t, dbusd_exec_t, $1_dbusd_t) read_locale($1_dbusd_t)
+allow $1_t $1_dbusd_t:process { sigkill signal };
 dontaudit $1_dbusd_t var_t:dir { getattr search };
 ')dnl end ifdef single_userdomain ')dnl end ifelse system
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.17.28/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te 2004-10-06 09:18:33.000000000 -0400
@@ -73,6 +73,8 @@
 dontaudit $1_lpr_t $1_mozilla_t:unix_stream_socket { read write };
 ')
+dontaudit $1_mozilla_t tmp_t:lnk_file read;
 # # This is another place where I sould like to allow system customization. # We need to allow the admin to select whether then want to allow mozilla
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_agent_macros.te policy-1.17.28/macros/program/ssh_agent_macros.te
--- nsapolicy/macros/program/ssh_agent_macros.te 2004-10-01 15:05:32.000000000 -0400
@@ -104,6 +104,9 @@
 allow $1_ssh_agent_t etc_t:file { getattr read };
 allow $1_ssh_agent_t lib_t:file { getattr read };
+allow $1_ssh_agent_t self:dir { search };
--- nsapolicy/Makefile 2004-10-06 09:18:31.000000000 -0400
@@ -49,7 +49,7 @@
 UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)
FC = file_contexts/file_contexts
APPDIR=$(CONTEXTPATH)
--- nsapolicy/targeted/domains/program/rpm.te 1969-12-31 19:00:00.000000000 -0500
@@ -0,0 +1,15 @@
+#DESC rpm - Linux configurable dynamic device naming support
+#
+# Authors: Daniel Walsh <dwalsh@redhat.com>
+#
+
+#################################
+#
+# Rules for the rpm domain.
+#
+# rpm_exec_t is the type of the /bin/rpm and other programs.
+# This domain is defined just for targeted policy to labeld /var/lib/rpm
+#
+type rpm_exec_t, file_type, sysadmfile, exec_type;
+type rpm_var_lib_t, file_type, sysadmfile;
+typealias var_log_t alias rpm_log_t;
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.17.28/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te 2004-09-30 20:48:49.000000000 -0400
@@ -14,7 +14,6 @@
 # macros and domains from the "strict" policy.
 typealias bin_t alias su_exec_t;
 typealias unconfined_t alias { kernel_t init_t initrc_t sysadm_t rpm_t rpm_script_t logrotate_t };
-typealias var_lib_t alias { rpm_var_lib_t };
 type mount_t, domain;
 type initrc_devpts_t, ptyfile;
 define(`admin_tty_type', `{ tty_device_t devpts_t }')
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.17.28/tunables/distro.tun
--- nsapolicy/tunables/distro.tun 2004-08-20 13:57:29.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
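Review bot: The new file's header `#DESC rpm - Linux configurable dynamic device naming support` describes a device-naming service rather than the package manager, so it reads as copied from another domain's file; `#DESC rpm - RPM package manager (targeted policy type declarations)` matches what the file contains. In the same block `to labeld /var/lib/rpm` should be `to label /var/lib/rpm`. The comment `rpm_exec_t is the type of the /bin/rpm and other programs` is accurate, but since this file only declares types and `rpm_t` is aliased to `unconfined_t` in targeted/domains/unconfined.te (visible further down in this diff), saying so here would stop readers from expecting a domain transition on `rpm_exec_t`.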
-dnl define(`distro_redhat')
dnl define(`distro_suse')
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.28/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun 2004-09-27 20:48:36.000000000 -0400
@@ -1,42 +1,42 @@
 # Allow all domains to connect to nscd
-dnl define(`nscd_all_connect')
+define(`nscd_all_connect')
 # Allow users to control network interfaces (also needs USERCTL=true) dnl define(`user_net_control')
# Allow users to execute the mount command
-dnl define(`user_can_mount')
# Allow rpm to run unconfined.
# Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
# Support NFS home directories
# Allow users to run games
# Allow ypbind to run with NIS
# Allow rc scripts to run unconfined, including any daemon # started by an rc script that does not have a domain transition # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 # Allow sysadm_t to directly start daemons define(`direct_sysadm_daemon')
# Do not audit things that we know to be broken but which
# are not security risks
# Allow user_r to reach sysadm_r via su, sudo, or userhelper.
# Otherwise, only staff_r can do so.
# Allow xinetd to run unconfined, including any services it starts # that do not have a domain transition explicitly defined. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.Received on Wed 6 Oct 2004 - 13:54:47 EDT |
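Review bot: `+define(`nscd_all_connect')` and `+define(`unlimitedRC')` switch two policy-widening tunables on by default, and `unlimitedRC` in particular means any daemon started from an rc script without its own domain transition runs unconfined, as the comment above it says; the commit description does not mention either change. `-dnl define(`user_can_mount')` and `-dnl define(`unlimitedUtils')` earlier in the hunk have no visible replacement on this page, so whether those were also enabled cannot be checked here. A one-line comment on each enabled define, e.g. `# enabled by default because <reason> — TODO fill in`, would let downstream builders see what they are accepting. The hunk header covers 42 lines and the page appears to have dropped some of them, so the hunk may continue beyond what is shown.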