diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/x_contexts serefpolicy-3.6.32/config/appconfig-mcs/x_contexts --- nsaserefpolicy/config/appconfig-mcs/x_contexts 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/config/appconfig-mcs/x_contexts 2010-03-03 10:39:47.565861817 +0100 @@ -13,7 +13,7 @@ # The default client rule defines a context to be used for all clients # connecting to the server from a remote host. # -client * system_u:object_r:remote_xclient_t:s0 +client * system_u:object_r:remote_t:s0 # 
@@ -27,25 +27,10 @@ # rule indicated by an asterisk should follow all other property rules. # # Properties that normal clients may only read -property XFree86_VT system_u:object_r:info_xproperty_t:s0 -property XFree86_DDC_EDID1_RAWDATA system_u:object_r:info_xproperty_t:s0 -property RESOURCE_MANAGER system_u:object_r:info_xproperty_t:s0 -property SCREEN_RESOURCES system_u:object_r:info_xproperty_t:s0 -property _MIT_PRIORITY_COLORS system_u:object_r:info_xproperty_t:s0 -property AT_SPI_IOR system_u:object_r:info_xproperty_t:s0 -property _SELINUX_CLIENT_CONTEXT system_u:object_r:info_xproperty_t:s0 -property _NET_WORKAREA system_u:object_r:info_xproperty_t:s0 -property _XKB_RULES_NAMES system_u:object_r:info_xproperty_t:s0 +property _SELINUX_* system_u:object_r:seclabel_xproperty_t:s0 # Clipboard and selection properties -property CUT_BUFFER0 system_u:object_r:clipboard_xproperty_t:s0 -property CUT_BUFFER1 system_u:object_r:clipboard_xproperty_t:s0 -property CUT_BUFFER2 system_u:object_r:clipboard_xproperty_t:s0 -property CUT_BUFFER3 system_u:object_r:clipboard_xproperty_t:s0 -property CUT_BUFFER4 system_u:object_r:clipboard_xproperty_t:s0 -property CUT_BUFFER5 system_u:object_r:clipboard_xproperty_t:s0 -property CUT_BUFFER6 system_u:object_r:clipboard_xproperty_t:s0 -property CUT_BUFFER7 system_u:object_r:clipboard_xproperty_t:s0 +property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t:s0 # Default fallback type property * system_u:object_r:xproperty_t:s0 
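Review bot: The header `# Properties that normal clients may only read` now sits above a single rule, `property _SELINUX_* system_u:object_r:seclabel_xproperty_t:s0`, while the eight properties it used to describe (XFree86_VT, RESOURCE_MANAGER, SCREEN_RESOURCES, _XKB_RULES_NAMES, ...) fall through to the `property *` default type at the end of the hunk. If losing the read-only class of properties is intended, the comment should say so, e.g. `# Security-label properties; all other non-clipboard properties take the default type below`; if not, the `info_xproperty_t` rules need to come back. The same hunk is repeated in config/appconfig-mls/x_contexts and config/appconfig-standard/x_contexts.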
@@ -61,57 +46,11 @@ # Extension rules map an extension name to a context. A default extension # rule indicated by an asterisk should follow all other extension rules. # -# Standard extensions -extension BIG-REQUESTS system_u:object_r:std_xext_t:s0 -extension SHAPE system_u:object_r:std_xext_t:s0 -extension SYNC system_u:object_r:std_xext_t:s0 -extension XC-MISC system_u:object_r:std_xext_t:s0 -extension XFIXES system_u:object_r:std_xext_t:s0 -extension XInputExtension system_u:object_r:std_xext_t:s0 -extension XKEYBOARD system_u:object_r:std_xext_t:s0 -extension DAMAGE system_u:object_r:std_xext_t:s0 -extension RENDER system_u:object_r:std_xext_t:s0 -extension XINERAMA system_u:object_r:std_xext_t:s0 - -# Direct hardware access extensions -extension XFree86-DGA system_u:object_r:directhw_xext_t:s0 -extension XFree86-VidModeExtension system_u:object_r:directhw_xext_t:s0 - -# Screen management and multihead extensions -extension RANDR system_u:object_r:output_xext_t:s0 -extension Composite system_u:object_r:output_xext_t:s0 - -# Screensaver, power management extensions -extension DPMS system_u:object_r:screensaver_xext_t:s0 -extension MIT-SCREEN-SAVER system_u:object_r:screensaver_xext_t:s0 - -# Shared memory extensions -extension MIT-SHM system_u:object_r:shmem_xext_t:s0 -extension XFree86-Bigfont system_u:object_r:shmem_xext_t:s0 - -# Accelerated graphics, OpenGL, direct rendering extensions -extension GLX system_u:object_r:accelgraphics_xext_t:s0 -extension NV-CONTROL system_u:object_r:accelgraphics_xext_t:s0 -extension NV-GLX system_u:object_r:accelgraphics_xext_t:s0 -extension NVIDIA-GLX system_u:object_r:accelgraphics_xext_t:s0 - -# Debugging, testing, and recording extensions -extension RECORD system_u:object_r:debug_xext_t:s0 -extension X-Resource system_u:object_r:debug_xext_t:s0 -extension XTEST system_u:object_r:debug_xext_t:s0 - -# Security-related extensions -extension SECURITY system_u:object_r:security_xext_t:s0 -extension SELinux 
system_u:object_r:security_xext_t:s0 -extension XAccessControlExtension system_u:object_r:security_xext_t:s0 -extension XC-APPGROUP system_u:object_r:security_xext_t:s0 - -# Video extensions -extension XVideo system_u:object_r:video_xext_t:s0 -extension XVideo-MotionCompensation system_u:object_r:video_xext_t:s0 +# Restricted extensions +extension SELinux system_u:object_r:security_xextension_t:s0 -# Default fallback type -extension * system_u:object_r:xext_t:s0 +# Standard extensions +extension * system_u:object_r:xextension_t:s0 # @@ -124,8 +63,6 @@ # rule indicated by an asterisk should follow all other selection rules. # # Standard selections -selection XA_PRIMARY system_u:object_r:clipboard_xselection_t:s0 -selection XA_SECONDARY system_u:object_r:clipboard_xselection_t:s0 selection PRIMARY system_u:object_r:clipboard_xselection_t:s0 selection CLIPBOARD system_u:object_r:clipboard_xselection_t:s0 @@ -149,7 +86,6 @@ event X11:ButtonPress system_u:object_r:input_xevent_t:s0 event X11:ButtonRelease system_u:object_r:input_xevent_t:s0 event X11:MotionNotify system_u:object_r:input_xevent_t:s0 -event X11:SelectionNotify system_u:object_r:input_xevent_t:s0 event XInputExtension:DeviceKeyPress system_u:object_r:input_xevent_t:s0 event XInputExtension:DeviceKeyRelease system_u:object_r:input_xevent_t:s0 event XInputExtension:DeviceButtonPress system_u:object_r:input_xevent_t:s0 
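Review bot: The rewritten extension table maps everything except `SELinux` to `xextension_t`, so extensions the old table kept apart — `XTEST` and `RECORD` (debug_xext_t), `XFree86-DGA` (directhw_xext_t), `MIT-SHM` (shmem_xext_t) — now share a type with `BIG-REQUESTS` or `SHAPE`, and policy can no longer grant the standard extensions while withholding the input-synthesis, recording or direct-hardware ones. If the coarser model is deliberate, the `# Standard extensions` comment should record that, e.g. `# All extensions other than SELinux share one type; the per-extension types were retired`. This hunk and the first hunk of the file also rename the fallback types (`xext_t` -> `xextension_t`, `security_xext_t` -> `security_xextension_t`, `remote_xclient_t` -> `remote_t`); the xserver module that declares those types is not in this chunk, so it presumably needs matching declarations or the X server will fail to look the contexts up. The same hunks appear in config/appconfig-mls/x_contexts and config/appconfig-standard/x_contexts.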
@@ -159,36 +95,11 @@ event XInputExtension:ProximityIn system_u:object_r:input_xevent_t:s0 event XInputExtension:ProximityOut system_u:object_r:input_xevent_t:s0 -# Focus events -event X11:FocusIn system_u:object_r:focus_xevent_t:s0 -event X11:FocusOut system_u:object_r:focus_xevent_t:s0 -event X11:EnterNotify system_u:object_r:focus_xevent_t:s0 -event X11:LeaveNotify system_u:object_r:focus_xevent_t:s0 - -# Property events -event X11:PropertyNotify system_u:object_r:property_xevent_t:s0 - # Client message events event X11:ClientMessage system_u:object_r:client_xevent_t:s0 - -# Manager events -event X11:ConfigureRequest system_u:object_r:manage_xevent_t:s0 -event X11:ResizeRequest system_u:object_r:manage_xevent_t:s0 -event X11:MapRequest system_u:object_r:manage_xevent_t:s0 -event X11:CirculateRequest system_u:object_r:manage_xevent_t:s0 -event X11:CreateNotify system_u:object_r:manage_xevent_t:s0 -event X11:DestroyNotify system_u:object_r:manage_xevent_t:s0 -event X11:MapNotify system_u:object_r:manage_xevent_t:s0 -event X11:UnmapNotify system_u:object_r:manage_xevent_t:s0 -event X11:ReparentNotify system_u:object_r:manage_xevent_t:s0 -event X11:ConfigureNotify system_u:object_r:manage_xevent_t:s0 -event X11:GravityNotify system_u:object_r:manage_xevent_t:s0 -event X11:CirculateNotify system_u:object_r:manage_xevent_t:s0 -event X11:Expose system_u:object_r:manage_xevent_t:s0 -event X11:VisibilityNotify system_u:object_r:manage_xevent_t:s0 - -# Unknown events (that are not registered in the X server's name database) -event system_u:object_r:unknown_xevent_t:s0 +event X11:SelectionNotify system_u:object_r:client_xevent_t:s0 +event X11:UnmapNotify system_u:object_r:client_xevent_t:s0 +event X11:ConfigureNotify system_u:object_r:client_xevent_t:s0 # Default fallback type event * system_u:object_r:xevent_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/x_contexts serefpolicy-3.6.32/config/appconfig-mls/x_contexts 
--- nsaserefpolicy/config/appconfig-mls/x_contexts 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/config/appconfig-mls/x_contexts 2010-03-03 10:39:47.576877249 +0100 @@ -13,7 +13,7 @@ # The default client rule defines a context to be used for all clients # connecting to the server from a remote host. # -client * system_u:object_r:remote_xclient_t:s0 +client * system_u:object_r:remote_t:s0 # @@ -27,25 +27,10 @@ # rule indicated by an asterisk should follow all other property rules. # # Properties that normal clients may only read -property XFree86_VT system_u:object_r:info_xproperty_t:s0 -property XFree86_DDC_EDID1_RAWDATA system_u:object_r:info_xproperty_t:s0 -property RESOURCE_MANAGER system_u:object_r:info_xproperty_t:s0 -property SCREEN_RESOURCES system_u:object_r:info_xproperty_t:s0 -property _MIT_PRIORITY_COLORS system_u:object_r:info_xproperty_t:s0 -property AT_SPI_IOR system_u:object_r:info_xproperty_t:s0 -property _SELINUX_CLIENT_CONTEXT system_u:object_r:info_xproperty_t:s0 -property _NET_WORKAREA system_u:object_r:info_xproperty_t:s0 -property _XKB_RULES_NAMES system_u:object_r:info_xproperty_t:s0 +property _SELINUX_* system_u:object_r:seclabel_xproperty_t:s0 # Clipboard and selection properties -property CUT_BUFFER0 system_u:object_r:clipboard_xproperty_t:s0 -property CUT_BUFFER1 system_u:object_r:clipboard_xproperty_t:s0 -property CUT_BUFFER2 system_u:object_r:clipboard_xproperty_t:s0 -property CUT_BUFFER3 system_u:object_r:clipboard_xproperty_t:s0 -property CUT_BUFFER4 system_u:object_r:clipboard_xproperty_t:s0 -property CUT_BUFFER5 system_u:object_r:clipboard_xproperty_t:s0 -property CUT_BUFFER6 system_u:object_r:clipboard_xproperty_t:s0 -property CUT_BUFFER7 system_u:object_r:clipboard_xproperty_t:s0 +property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t:s0 # Default fallback type property * system_u:object_r:xproperty_t:s0 
@@ -61,57 +46,11 @@ # Extension rules map an extension name to a context. A default extension # rule indicated by an asterisk should follow all other extension rules. # -# Standard extensions -extension BIG-REQUESTS system_u:object_r:std_xext_t:s0 -extension SHAPE system_u:object_r:std_xext_t:s0 -extension SYNC system_u:object_r:std_xext_t:s0 -extension XC-MISC system_u:object_r:std_xext_t:s0 -extension XFIXES system_u:object_r:std_xext_t:s0 -extension XInputExtension system_u:object_r:std_xext_t:s0 -extension XKEYBOARD system_u:object_r:std_xext_t:s0 -extension DAMAGE system_u:object_r:std_xext_t:s0 -extension RENDER system_u:object_r:std_xext_t:s0 -extension XINERAMA system_u:object_r:std_xext_t:s0 - -# Direct hardware access extensions -extension XFree86-DGA system_u:object_r:directhw_xext_t:s0 -extension XFree86-VidModeExtension system_u:object_r:directhw_xext_t:s0 - -# Screen management and multihead extensions -extension RANDR system_u:object_r:output_xext_t:s0 -extension Composite system_u:object_r:output_xext_t:s0 - -# Screensaver, power management extensions -extension DPMS system_u:object_r:screensaver_xext_t:s0 -extension MIT-SCREEN-SAVER system_u:object_r:screensaver_xext_t:s0 - -# Shared memory extensions -extension MIT-SHM system_u:object_r:shmem_xext_t:s0 -extension XFree86-Bigfont system_u:object_r:shmem_xext_t:s0 - -# Accelerated graphics, OpenGL, direct rendering extensions -extension GLX system_u:object_r:accelgraphics_xext_t:s0 -extension NV-CONTROL system_u:object_r:accelgraphics_xext_t:s0 -extension NV-GLX system_u:object_r:accelgraphics_xext_t:s0 -extension NVIDIA-GLX system_u:object_r:accelgraphics_xext_t:s0 - -# Debugging, testing, and recording extensions -extension RECORD system_u:object_r:debug_xext_t:s0 -extension X-Resource system_u:object_r:debug_xext_t:s0 -extension XTEST system_u:object_r:debug_xext_t:s0 - -# Security-related extensions -extension SECURITY system_u:object_r:security_xext_t:s0 -extension SELinux 
system_u:object_r:security_xext_t:s0 -extension XAccessControlExtension system_u:object_r:security_xext_t:s0 -extension XC-APPGROUP system_u:object_r:security_xext_t:s0 - -# Video extensions -extension XVideo system_u:object_r:video_xext_t:s0 -extension XVideo-MotionCompensation system_u:object_r:video_xext_t:s0 +# Restricted extensions +extension SELinux system_u:object_r:security_xextension_t:s0 -# Default fallback type -extension * system_u:object_r:xext_t:s0 +# Standard extensions +extension * system_u:object_r:xextension_t:s0 # @@ -124,8 +63,6 @@ # rule indicated by an asterisk should follow all other selection rules. # # Standard selections -selection XA_PRIMARY system_u:object_r:clipboard_xselection_t:s0 -selection XA_SECONDARY system_u:object_r:clipboard_xselection_t:s0 selection PRIMARY system_u:object_r:clipboard_xselection_t:s0 selection CLIPBOARD system_u:object_r:clipboard_xselection_t:s0 @@ -149,7 +86,6 @@ event X11:ButtonPress system_u:object_r:input_xevent_t:s0 event X11:ButtonRelease system_u:object_r:input_xevent_t:s0 event X11:MotionNotify system_u:object_r:input_xevent_t:s0 -event X11:SelectionNotify system_u:object_r:input_xevent_t:s0 event XInputExtension:DeviceKeyPress system_u:object_r:input_xevent_t:s0 event XInputExtension:DeviceKeyRelease system_u:object_r:input_xevent_t:s0 event XInputExtension:DeviceButtonPress system_u:object_r:input_xevent_t:s0 
@@ -159,36 +95,11 @@ event XInputExtension:ProximityIn system_u:object_r:input_xevent_t:s0 event XInputExtension:ProximityOut system_u:object_r:input_xevent_t:s0 -# Focus events -event X11:FocusIn system_u:object_r:focus_xevent_t:s0 -event X11:FocusOut system_u:object_r:focus_xevent_t:s0 -event X11:EnterNotify system_u:object_r:focus_xevent_t:s0 -event X11:LeaveNotify system_u:object_r:focus_xevent_t:s0 - -# Property events -event X11:PropertyNotify system_u:object_r:property_xevent_t:s0 - # Client message events event X11:ClientMessage system_u:object_r:client_xevent_t:s0 - -# Manager events -event X11:ConfigureRequest system_u:object_r:manage_xevent_t:s0 -event X11:ResizeRequest system_u:object_r:manage_xevent_t:s0 -event X11:MapRequest system_u:object_r:manage_xevent_t:s0 -event X11:CirculateRequest system_u:object_r:manage_xevent_t:s0 -event X11:CreateNotify system_u:object_r:manage_xevent_t:s0 -event X11:DestroyNotify system_u:object_r:manage_xevent_t:s0 -event X11:MapNotify system_u:object_r:manage_xevent_t:s0 -event X11:UnmapNotify system_u:object_r:manage_xevent_t:s0 -event X11:ReparentNotify system_u:object_r:manage_xevent_t:s0 -event X11:ConfigureNotify system_u:object_r:manage_xevent_t:s0 -event X11:GravityNotify system_u:object_r:manage_xevent_t:s0 -event X11:CirculateNotify system_u:object_r:manage_xevent_t:s0 -event X11:Expose system_u:object_r:manage_xevent_t:s0 -event X11:VisibilityNotify system_u:object_r:manage_xevent_t:s0 - -# Unknown events (that are not registered in the X server's name database) -event system_u:object_r:unknown_xevent_t:s0 +event X11:SelectionNotify system_u:object_r:client_xevent_t:s0 +event X11:UnmapNotify system_u:object_r:client_xevent_t:s0 +event X11:ConfigureNotify system_u:object_r:client_xevent_t:s0 # Default fallback type event * system_u:object_r:xevent_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/x_contexts 
serefpolicy-3.6.32/config/appconfig-standard/x_contexts --- nsaserefpolicy/config/appconfig-standard/x_contexts 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/config/appconfig-standard/x_contexts 2010-03-03 10:39:47.579611725 +0100 @@ -13,7 +13,7 @@ # The default client rule defines a context to be used for all clients # connecting to the server from a remote host. # -client * system_u:object_r:remote_xclient_t +client * system_u:object_r:remote_t # @@ -27,25 +27,10 @@ # rule indicated by an asterisk should follow all other property rules. # # Properties that normal clients may only read -property XFree86_VT system_u:object_r:info_xproperty_t -property XFree86_DDC_EDID1_RAWDATA system_u:object_r:info_xproperty_t -property RESOURCE_MANAGER system_u:object_r:info_xproperty_t -property SCREEN_RESOURCES system_u:object_r:info_xproperty_t -property _MIT_PRIORITY_COLORS system_u:object_r:info_xproperty_t -property AT_SPI_IOR system_u:object_r:info_xproperty_t -property _SELINUX_CLIENT_CONTEXT system_u:object_r:info_xproperty_t -property _NET_WORKAREA system_u:object_r:info_xproperty_t -property _XKB_RULES_NAMES system_u:object_r:info_xproperty_t +property _SELINUX_* system_u:object_r:seclabel_xproperty_t # Clipboard and selection properties -property CUT_BUFFER0 system_u:object_r:clipboard_xproperty_t -property CUT_BUFFER1 system_u:object_r:clipboard_xproperty_t -property CUT_BUFFER2 system_u:object_r:clipboard_xproperty_t -property CUT_BUFFER3 system_u:object_r:clipboard_xproperty_t -property CUT_BUFFER4 system_u:object_r:clipboard_xproperty_t -property CUT_BUFFER5 system_u:object_r:clipboard_xproperty_t -property CUT_BUFFER6 system_u:object_r:clipboard_xproperty_t -property CUT_BUFFER7 system_u:object_r:clipboard_xproperty_t +property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t # Default fallback type property * system_u:object_r:xproperty_t 
@@ -61,57 +46,11 @@ # Extension rules map an extension name to a context. A default extension # rule indicated by an asterisk should follow all other extension rules. # -# Standard extensions -extension BIG-REQUESTS system_u:object_r:std_xext_t -extension SHAPE system_u:object_r:std_xext_t -extension SYNC system_u:object_r:std_xext_t -extension XC-MISC system_u:object_r:std_xext_t -extension XFIXES system_u:object_r:std_xext_t -extension XInputExtension system_u:object_r:std_xext_t -extension XKEYBOARD system_u:object_r:std_xext_t -extension DAMAGE system_u:object_r:std_xext_t -extension RENDER system_u:object_r:std_xext_t -extension XINERAMA system_u:object_r:std_xext_t - -# Direct hardware access extensions -extension XFree86-DGA system_u:object_r:directhw_xext_t -extension XFree86-VidModeExtension system_u:object_r:directhw_xext_t - -# Screen management and multihead extensions -extension RANDR system_u:object_r:output_xext_t -extension Composite system_u:object_r:output_xext_t - -# Screensaver, power management extensions -extension DPMS system_u:object_r:screensaver_xext_t -extension MIT-SCREEN-SAVER system_u:object_r:screensaver_xext_t - -# Shared memory extensions -extension MIT-SHM system_u:object_r:shmem_xext_t -extension XFree86-Bigfont system_u:object_r:shmem_xext_t - -# Accelerated graphics, OpenGL, direct rendering extensions -extension GLX system_u:object_r:accelgraphics_xext_t -extension NV-CONTROL system_u:object_r:accelgraphics_xext_t -extension NV-GLX system_u:object_r:accelgraphics_xext_t -extension NVIDIA-GLX system_u:object_r:accelgraphics_xext_t - -# Debugging, testing, and recording extensions -extension RECORD system_u:object_r:debug_xext_t -extension X-Resource system_u:object_r:debug_xext_t -extension XTEST system_u:object_r:debug_xext_t - -# Security-related extensions -extension SECURITY system_u:object_r:security_xext_t -extension SELinux system_u:object_r:security_xext_t -extension XAccessControlExtension 
system_u:object_r:security_xext_t -extension XC-APPGROUP system_u:object_r:security_xext_t - -# Video extensions -extension XVideo system_u:object_r:video_xext_t -extension XVideo-MotionCompensation system_u:object_r:video_xext_t +# Restricted extensions +extension SELinux system_u:object_r:security_xextension_t -# Default fallback type -extension * system_u:object_r:xext_t +# Standard extensions +extension * system_u:object_r:xextension_t # @@ -124,8 +63,6 @@ # rule indicated by an asterisk should follow all other selection rules. # # Standard selections -selection XA_PRIMARY system_u:object_r:clipboard_xselection_t -selection XA_SECONDARY system_u:object_r:clipboard_xselection_t selection PRIMARY system_u:object_r:clipboard_xselection_t selection CLIPBOARD system_u:object_r:clipboard_xselection_t @@ -149,7 +86,6 @@ event X11:ButtonPress system_u:object_r:input_xevent_t event X11:ButtonRelease system_u:object_r:input_xevent_t event X11:MotionNotify system_u:object_r:input_xevent_t -event X11:SelectionNotify system_u:object_r:input_xevent_t event XInputExtension:DeviceKeyPress system_u:object_r:input_xevent_t event XInputExtension:DeviceKeyRelease system_u:object_r:input_xevent_t event XInputExtension:DeviceButtonPress system_u:object_r:input_xevent_t 
@@ -159,36 +95,11 @@ event XInputExtension:ProximityIn system_u:object_r:input_xevent_t event XInputExtension:ProximityOut system_u:object_r:input_xevent_t -# Focus events -event X11:FocusIn system_u:object_r:focus_xevent_t -event X11:FocusOut system_u:object_r:focus_xevent_t -event X11:EnterNotify system_u:object_r:focus_xevent_t -event X11:LeaveNotify system_u:object_r:focus_xevent_t - -# Property events -event X11:PropertyNotify system_u:object_r:property_xevent_t - # Client message events event X11:ClientMessage system_u:object_r:client_xevent_t - -# Manager events -event X11:ConfigureRequest system_u:object_r:manage_xevent_t -event X11:ResizeRequest system_u:object_r:manage_xevent_t -event X11:MapRequest system_u:object_r:manage_xevent_t -event X11:CirculateRequest system_u:object_r:manage_xevent_t -event X11:CreateNotify system_u:object_r:manage_xevent_t -event X11:DestroyNotify system_u:object_r:manage_xevent_t -event X11:MapNotify system_u:object_r:manage_xevent_t -event X11:UnmapNotify system_u:object_r:manage_xevent_t -event X11:ReparentNotify system_u:object_r:manage_xevent_t -event X11:ConfigureNotify system_u:object_r:manage_xevent_t -event X11:GravityNotify system_u:object_r:manage_xevent_t -event X11:CirculateNotify system_u:object_r:manage_xevent_t -event X11:Expose system_u:object_r:manage_xevent_t -event X11:VisibilityNotify system_u:object_r:manage_xevent_t - -# Unknown events (that are not registered in the X server's name database) -event system_u:object_r:unknown_xevent_t +event X11:SelectionNotify system_u:object_r:client_xevent_t +event X11:UnmapNotify system_u:object_r:client_xevent_t +event X11:ConfigureNotify system_u:object_r:client_xevent_t # Default fallback type event * system_u:object_r:xevent_t diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.6.32/policy/flask/access_vectors --- nsaserefpolicy/policy/flask/access_vectors 2010-01-18 18:24:22.532789358 +0100 +++ 
serefpolicy-3.6.32/policy/flask/access_vectors 2010-03-03 10:39:47.581611826 +0100 @@ -94,6 +94,33 @@ } # +# Define a common prefix for pointer and keyboard access vectors. +# + +common x_device +{ + getattr + setattr + use + read + write + getfocus + setfocus + bell + force_cursor + freeze + grab + manage + list_property + get_property + set_property + add + remove + create + destroy +} + +# # Define the access vectors. # # class class_name [ inherits common_name ] { permission_name ... } @@ -526,27 +553,7 @@ } class x_device -{ - getattr - setattr - use - read - write - getfocus - setfocus - bell - force_cursor - freeze - grab - manage - list_property - get_property - set_property - add - remove - create - destroy -} +inherits x_device class x_server { @@ -803,3 +810,9 @@ class tun_socket inherits socket + +class x_pointer +inherits x_device + +class x_keyboard +inherits x_device diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/security_classes serefpolicy-3.6.32/policy/flask/security_classes --- nsaserefpolicy/policy/flask/security_classes 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/flask/security_classes 2010-03-03 10:39:47.582624099 +0100 @@ -121,4 +121,8 @@ class tun_socket +# Still More SE-X Windows stuff +class x_pointer # userspace +class x_keyboard # userspace + # FLASK diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.if serefpolicy-3.6.32/policy/modules/admin/consoletype.if --- nsaserefpolicy/policy/modules/admin/consoletype.if 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/admin/consoletype.if 2010-02-21 19:47:22.082308968 +0100 
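Review bot: The new comment `# Define a common prefix for pointer and keyboard access vectors.` calls the `common x_device` block a prefix, but in this file a `common` is a shared permission set that classes pull in with `inherits` (as `class tun_socket inherits socket` does further down); suggest `# Common permissions shared by the x_device, x_pointer and x_keyboard classes.`. The later hunks make `class x_device`, `class x_pointer` and `class x_keyboard` inherit it, which leaves x_device's permission list unchanged. Whether the X server object manager and the xserver policy module actually reference x_pointer/x_keyboard is not visible in this chunk; until rules name them, the two classes (marked `# userspace` in security_classes) have no effect.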
@@ -19,6 +19,10 @@ corecmd_search_bin($1) domtrans_pattern($1, consoletype_exec_t, consoletype_t) + + ifdef(`hide_broken_symptoms', ` + dontaudit consoletype_t $1:socket_class_set { read write }; + ') ') ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.6.32/policy/modules/admin/dmesg.fc --- nsaserefpolicy/policy/modules/admin/dmesg.fc 2010-01-18 18:24:22.545542516 +0100 +++ serefpolicy-3.6.32/policy/modules/admin/dmesg.fc 2010-02-03 20:56:22.897834567 +0100 @@ -1,4 +1,3 @@ /bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) -/usr/sbin/mcelog -- gen_context(system_u:object_r:dmesg_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.32/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2010-01-18 18:24:22.549542536 +0100 +++ serefpolicy-3.6.32/policy/modules/admin/logrotate.te 2010-02-23 10:29:44.779867996 +0100 @@ -215,5 +215,9 @@ ') optional_policy(` + su_exec(logrotate_t) +') + +optional_policy(` varnishd_manage_log(logrotate_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.32/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2010-01-18 18:24:22.550542523 +0100 +++ serefpolicy-3.6.32/policy/modules/admin/logwatch.te 2010-02-17 16:16:54.606863741 +0100 
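Review bot: The new `dontaudit consoletype_t $1:socket_class_set { read write };` silences read/write denials on every socket class between consoletype and the calling domain without saying which symptom it hides, whereas the logwatch hunk later in this patch tags its `hide_broken_symptoms` rule with `#Bugzilla 554754`. Suppressed denials never reach the audit log, so a blanket rule like this should carry its reason and a tracker reference, e.g. `# hides denials on sockets the caller passes to consoletype; tracker: <BUG-ID>` with the real id filled in. The enclosing interface starts outside the hunk.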
@@ -103,6 +103,11 @@ mta_send_mail(logwatch_t) +ifdef(`hide_broken_symptoms',` + #Bugzilla 554754 + files_dontaudit_write_etc_dirs(logwatch_t) +') + ifdef(`distro_redhat',` files_search_all(logwatch_t) files_getattr_all_file_type_fs(logwatch_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.fc serefpolicy-3.6.32/policy/modules/admin/mcelog.fc --- nsaserefpolicy/policy/modules/admin/mcelog.fc 1970-01-01 01:00:00.000000000 +0100 +++ serefpolicy-3.6.32/policy/modules/admin/mcelog.fc 2010-02-03 17:54:52.841394806 +0100 @@ -0,0 +1,2 @@ + +/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.if serefpolicy-3.6.32/policy/modules/admin/mcelog.if --- nsaserefpolicy/policy/modules/admin/mcelog.if 1970-01-01 01:00:00.000000000 +0100 +++ serefpolicy-3.6.32/policy/modules/admin/mcelog.if 2010-02-03 17:55:31.442144688 +0100 @@ -0,0 +1,20 @@ + +## policy for mcelog + +######################################## +## +## Execute a domain transition to run mcelog. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`mcelog_domtrans',` + gen_require(` + type mcelog_t, mcelog_exec_t; + ') + + domtrans_pattern($1, mcelog_exec_t, mcelog_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.6.32/policy/modules/admin/mcelog.te --- nsaserefpolicy/policy/modules/admin/mcelog.te 1970-01-01 01:00:00.000000000 +0100 +++ serefpolicy-3.6.32/policy/modules/admin/mcelog.te 2010-02-09 09:59:05.624865373 +0100 
@@ -0,0 +1,31 @@ + +policy_module(mcelog,1.0.0) + +######################################## +# +# Declarations +# + +type mcelog_t; +type mcelog_exec_t; +application_domain(mcelog_t, mcelog_exec_t) +cron_system_entry(mcelog_t, mcelog_exec_t) + +permissive mcelog_t; + +######################################## +# +# mcelog local policy +# +allow mcelog_t self:capability sys_admin; + +kernel_read_system_state(mcelog_t) + +dev_read_raw_memory(mcelog_t) +dev_read_kmsg(mcelog_t) + +files_read_etc_files(mcelog_t) + +miscfiles_read_localization(mcelog_t) + +logging_send_syslog_msg(mcelog_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.fc serefpolicy-3.6.32/policy/modules/admin/netutils.fc --- nsaserefpolicy/policy/modules/admin/netutils.fc 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/admin/netutils.fc 2010-02-21 19:56:24.909309647 +0100 @@ -10,5 +11,6 @@ /usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) +/usr/sbin/fping -- gen_context(system_u:object_r:ping_exec_t,s0) /usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0) /usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.6.32/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2010-01-18 18:24:22.552539984 +0100 +++ serefpolicy-3.6.32/policy/modules/admin/netutils.te 2010-03-01 13:34:16.025492348 +0100 @@ -132,6 +132,8 @@ kernel_read_system_state(ping_t) +term_use_all_terms(ping_t) + auth_use_nsswitch(ping_t) logging_send_syslog_msg(ping_t) 
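Review bot: `permissive mcelog_t;` ships the new domain without enforcement, so the rule set below it — including the broad `allow mcelog_t self:capability sys_admin;` and `dev_read_raw_memory(mcelog_t)` — is not yet what constrains mcelog; denials are only logged. That is a normal bring-up state, but it should be marked as temporary and tied to a tracker, e.g. `# TODO: drop permissive once denials have been collected (tracker: <BUG-ID>)`, and the sys_admin and raw-memory grants deserve a one-line why-comment since they are the ones a reviewer will question when the domain goes enforcing. Minor: `policy_module(mcelog,1.0.0)` drops the space after the comma that the rest of the patch uses (`policy_module(rpm, 1.10.0)`).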
@@ -158,6 +160,10 @@ ') optional_policy(` + nagios_rw_inerited_tmp_files(ping_t) +') + +optional_policy(` pcmcia_use_cardmgr_fds(ping_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.32/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2010-01-18 18:24:22.564530406 +0100 +++ serefpolicy-3.6.32/policy/modules/admin/prelink.te 2010-02-01 20:30:49.318160848 +0100 @@ -108,6 +108,7 @@ miscfiles_read_localization(prelink_t) userdom_use_user_terminals(prelink_t) +userdom_execmod_user_home_files(prelink_t) userdom_manage_user_home_content(prelink_t) optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.te serefpolicy-3.6.32/policy/modules/admin/quota.te --- nsaserefpolicy/policy/modules/admin/quota.te 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/admin/quota.te 2010-02-11 17:52:39.497458571 +0100 @@ -39,6 +39,7 @@ kernel_list_proc(quota_t) kernel_read_proc_symlinks(quota_t) kernel_read_kernel_sysctls(quota_t) +kernel_setsched(quota_t) dev_read_sysfs(quota_t) dev_getattr_all_blk_files(quota_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.32/policy/modules/admin/readahead.te --- nsaserefpolicy/policy/modules/admin/readahead.te 2010-01-18 18:24:22.565530533 +0100 +++ serefpolicy-3.6.32/policy/modules/admin/readahead.te 2010-02-09 10:21:28.868615982 +0100 
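Review bot: The call `nagios_rw_inerited_tmp_files(ping_t)` spells the interface name with `inerited`. nagios.if is not in this chunk; if the interface is defined there as `nagios_rw_inherited_tmp_files` this call will not expand and the build fails, and if it is defined with the typo the misspelling is being propagated into a second module. Worth confirming the spelling against the definition before merging.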
@@ -62,6 +62,8 @@ fs_search_auto_mountpoints(readahead_t) fs_getattr_all_pipes(readahead_t) fs_getattr_all_files(readahead_t) +fs_read_cgroup_files(readahead_t) +fs_read_tmpfs_files(readahead_t) fs_read_tmpfs_symlinks(readahead_t) fs_list_inotifyfs(readahead_t) fs_dontaudit_search_ramfs(readahead_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.32/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2010-01-18 18:24:22.567540216 +0100 +++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2010-02-26 16:58:42.643856793 +0100 
@@ -189,22 +189,23 @@ type rpm_tmpfs_t, rpm_script_tmp_t, rpm_var_lib_t; ') - dontaudit $1 rpm_t:fifo_file rw_fifo_file_perms; - dontaudit $1 rpm_t:tcp_socket rw_socket_perms; - dontaudit $1 rpm_t:unix_dgram_socket rw_socket_perms; + dontaudit $1 rpm_t:fifo_file rw_inherited_fifo_file_perms; + dontaudit $1 rpm_t:tcp_socket { read write }; + dontaudit $1 rpm_t:unix_dgram_socket { read write }; dontaudit $1 rpm_t:shm rw_shm_perms; dontaudit $1 rpm_script_t:fd use; - dontaudit $1 rpm_script_t:fifo_file rw_fifo_file_perms; + dontaudit $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms; - dontaudit $1 rpm_var_run_t:file write_file_perms; + dontaudit $1 rpm_var_run_t:file write; - dontaudit $1 rpm_tmp_t:file rw_file_perms; + dontaudit $1 rpm_tmp_t:file rw_inherited_file_perms; dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms; - dontaudit $1 rpm_tmpfs_t:file write_file_perms; - dontaudit $1 rpm_script_tmp_t:file write_file_perms; - dontaudit $1 rpm_var_lib_t:file { read write }; - dontaudit $1 rpm_var_cache_t:file { read write }; + dontaudit $1 rpm_tmpfs_t:file rw_inherited_file_perms; + dontaudit $1 rpm_script_tmp_t:file rw_inherited_file_perms; + dontaudit $1 rpm_var_lib_t:file rw_inherited_file_perms; + dontaudit $1 rpm_var_cache_t:file rw_inherited_file_perms; + dontaudit $1 rpm_var_run_t:file rw_inherited_file_perms; ') ######################################## @@ -273,6 +274,26 @@ ##################################### ## ## Allow the specified domain to append +## to rpm tmp files. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_append_tmp',` + gen_require(` + type rpm_tmp_t; + ') + + files_search_tmp($1) + append_files_pattern($1, rpm_tmp_t, rpm_tmp_t) +') + +##################################### +## +## Allow the specified domain to append ## to rpm log files. ## ## 
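Review bot: After this hunk the interface carries both `dontaudit $1 rpm_var_run_t:file write;` and the newly added `dontaudit $1 rpm_var_run_t:file rw_inherited_file_perms;` on the same type; the second presumably subsumes the first (its name suggests it includes write), so the `write` line can be dropped to avoid two rules for one object. The interface's name and header are outside the hunk.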
@@ -599,8 +620,10 @@ interface(`rpm_transition_script',` gen_require(` type rpm_script_t; + attribute rpm_transition_domain; ') + typeattribute $1 rpm_transition_domain; allow $1 rpm_script_t:process transition; allow $1 rpm_script_t:fd use; @@ -627,3 +650,20 @@ allow $1 rpm_t:process signull; ') +######################################## +## +## Send a null signal to rpm. +## +## +## +## Domain allowed access. +## +## +# +interface(`rpm_inherited_fifo',` + gen_require(` + attribute rpm_transition_domain; + ') + + allow $1 rpm_transition_domain:fifo_file rw_inherited_fifo_file_perms; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.32/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2010-01-18 18:24:22.568530565 +0100 +++ serefpolicy-3.6.32/policy/modules/admin/rpm.te 2010-02-26 16:50:05.472606689 +0100 @@ -1,6 +1,8 @@ policy_module(rpm, 1.10.0) +attribute rpm_transition_domain; + ######################################## # # Declarations diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.6.32/policy/modules/admin/smoltclient.te --- nsaserefpolicy/policy/modules/admin/smoltclient.te 2010-01-18 18:24:22.573543214 +0100 +++ serefpolicy-3.6.32/policy/modules/admin/smoltclient.te 2010-01-25 11:03:49.548441857 +0100 @@ -48,6 +48,8 @@ files_read_etc_files(smoltclient_t) files_read_usr_files(smoltclient_t) +logging_send_syslog_msg(smoltclient_t) + miscfiles_read_localization(smoltclient_t) optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.32/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2010-01-18 18:24:22.584530156 +0100 +++ serefpolicy-3.6.32/policy/modules/admin/usermanage.te 2010-02-08 14:09:13.659608943 +0100 
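Review bot: The summary on the new rpm_inherited_fifo interface reads `## Send a null signal to rpm.`, which is copied from the signull interface above it and does not describe the rule it contains (`allow $1 rpm_transition_domain:fifo_file rw_inherited_fifo_file_perms;`); change it to `## Read and write inherited fifo files of domains that transition to rpm scripts.`. Naming it with the usual verb form (for example an `rpm_rw_inherited_fifo_files`-style name) would also match the rest of the file, though renaming a public interface is a larger change. In rpm.te the new `attribute rpm_transition_domain;` sits above the `# Declarations` banner; moving it below keeps the file's layout.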
@@ -122,6 +122,10 @@ # on user home dir userdom_dontaudit_search_user_home_content(chfn_t) +optional_policy(` + nx_exec_server(chfn_t) +') + ######################################## # # Crack local policy @@ -252,7 +256,7 @@ # Passwd local policy # -allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource }; +allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource }; allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow passwd_t self:process { setrlimit setfscreate }; allow passwd_t self:fd use; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.6.32/policy/modules/admin/vbetool.te --- nsaserefpolicy/policy/modules/admin/vbetool.te 2010-01-18 18:24:22.585539991 +0100 +++ serefpolicy-3.6.32/policy/modules/admin/vbetool.te 2010-02-25 10:44:22.592616500 +0100 @@ -6,6 +6,15 @@ # Declarations # +## +##
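Review bot: The second hunk adds `sys_nice` to the passwd_t self:capability set without saying what passwd does that needs it, and a capability added to a setuid helper's allow set is exactly the kind of line that gets cargo-culted later. A trailing comment on the changed line naming the triggering operation (for example `# passwd raises its own scheduling priority -- confirm`) would let a later reviewer decide whether it should stay or become a dontaudit. The nx_exec_server block for chfn_t in the first hunk is correctly wrapped in optional_policy.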

+## Ignore vbetool mmap_zero errors +##

+##
+# +gen_tunable(vbetool_mmap_zero_ignore, false) + + type vbetool_t; type vbetool_exec_t; init_system_domain(vbetool_t, vbetool_exec_t) @@ -34,6 +43,10 @@ miscfiles_read_localization(vbetool_t) +tunable_policy(`vbetool_mmap_zero_ignore',` + dontaudit vbetool_t self:memprotect mmap_zero; +') + optional_policy(` hal_rw_pid_files(vbetool_t) hal_write_log(vbetool_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.te serefpolicy-3.6.32/policy/modules/apps/cdrecord.te --- nsaserefpolicy/policy/modules/apps/cdrecord.te 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/apps/cdrecord.te 2010-02-09 09:59:13.342615577 +0100 @@ -32,6 +32,8 @@ allow cdrecord_t self:unix_dgram_socket create_socket_perms; allow cdrecord_t self:unix_stream_socket create_stream_socket_perms; +corecmd_exec_bin(cdrecord_t) + # allow searching for cdrom-drive dev_list_all_dev_nodes(cdrecord_t) dev_read_sysfs(cdrecord_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.6.32/policy/modules/apps/chrome.te --- nsaserefpolicy/policy/modules/apps/chrome.te 2010-01-18 18:24:22.588542189 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/chrome.te 2010-03-03 10:39:47.584615400 +0100 @@ -23,8 +23,7 @@ # # chrome_sandbox local policy # -allow chrome_sandbox_t self:capability { setuid sys_admin dac_override sys_chroot chown fsetid setgid }; -dontaudit chrome_sandbox_t self:capability { sys_ptrace }; +allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace }; allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack }; allow chrome_sandbox_t self:fifo_file manage_file_perms; allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms; 
@@ -59,15 +58,17 @@ miscfiles_read_fonts(chrome_sandbox_t) optional_policy(` - gnome_write_inherited_config(chrome_sandbox_t) + execmem_exec(chrome_sandbox_t) ') optional_policy(` - execmem_exec(chrome_sandbox_t) + gnome_rw_inherited_config(chrome_sandbox_t) + gnome_list_home_config(chrome_sandbox_t) ') optional_policy(` - xserver_read_home_fonts(chrome_sandbox_t) + xserver_use_user_fonts(chrome_sandbox_t) + xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t) ') tunable_policy(`use_nfs_home_dirs',` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.6.32/policy/modules/apps/execmem.if --- nsaserefpolicy/policy/modules/apps/execmem.if 2010-01-18 18:24:22.590539929 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/execmem.if 2010-03-03 10:39:47.586612078 +0100 @@ -74,7 +74,11 @@ ') optional_policy(` - xserver_common_app($1_execmem_t) + nsplugin_rw_shm($1_execmem_t) + nsplugin_rw_semaphores($1_execmem_t) + ') + + optional_policy(` xserver_role($2, $1_execmem_t) ') ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.6.32/policy/modules/apps/firewallgui.te --- nsaserefpolicy/policy/modules/apps/firewallgui.te 2010-01-18 18:24:22.593530742 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/firewallgui.te 2010-02-21 23:44:58.357559518 +0100 
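Review bot: The chrome.te hunk calls `xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t)`, and the third argument is a type that is not declared anywhere in the visible hunks; if chrome_sandbox_tmpfs_t does not already exist elsewhere in chrome.te the module will fail to build, so please confirm the declaration is present. In execmem.if, splitting the nsplugin and xserver calls into separate optional_policy blocks is correct since either module may be absent.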
@@ -53,12 +53,18 @@ nscd_dontaudit_search_pid(firewallgui_t) nscd_socket_use(firewallgui_t) +logging_send_syslog_msg(firewallgui_t) + miscfiles_read_localization(firewallgui_t) iptables_domtrans(firewallgui_t) iptables_initrc_domtrans(firewallgui_t) optional_policy(` + gnome_read_gconf_home_files(firewallgui_t) +') + +optional_policy(` policykit_dbus_chat(firewallgui_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.32/policy/modules/apps/gnome.fc --- nsaserefpolicy/policy/modules/apps/gnome.fc 2010-01-18 18:24:22.594539949 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/gnome.fc 2010-02-03 10:39:06.085145272 +0100 @@ -3,6 +3,15 @@ HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) + +/root/\.config(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +/root/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) +/root/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +/root/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) +/root/\.pulse(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +/root/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) +/root/\.Xdefaults -- gen_context(system_u:object_r:gnome_home_t,s0) /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.32/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2010-01-18 18:24:22.595534558 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/gnome.if 2010-02-03 22:59:15.907072357 +0100 
@@ -72,6 +72,24 @@ domtrans_pattern($1, gconfd_exec_t, gconfd_t) ') +####################################### +## +## Dontaudit search gnome homedir content +## +## +## +## The type of the user domain. +## +## +# +interface(`gnome_dontaudit_search_config',` + gen_require(` + attribute gnome_home_type; + ') + + dontaudit $1 gnome_home_type:dir search_dir_perms; +') + ######################################## ## ## manage gnome homedir content (.config) @@ -84,12 +102,12 @@ # interface(`gnome_manage_config',` gen_require(` - type gnome_home_t; + attribute gnome_home_type; ') - allow $1 gnome_home_t:dir manage_dir_perms; - allow $1 gnome_home_t:file manage_file_perms; - allow $1 gnome_home_t:lnk_file manage_lnk_file_perms; + allow $1 gnome_home_type:dir manage_dir_perms; + allow $1 gnome_home_type:file manage_file_perms; + allow $1 gnome_home_type:lnk_file manage_lnk_file_perms; userdom_search_user_home_dirs($1) ') @@ -129,17 +147,17 @@ # template(`gnome_read_config',` gen_require(` - type gnome_home_t; + attribute gnome_home_type; ') - list_dirs_pattern($1, gnome_home_t, gnome_home_t) - read_files_pattern($1, gnome_home_t, gnome_home_t) - read_lnk_files_pattern($1, gnome_home_t, gnome_home_t) + list_dirs_pattern($1, gnome_home_type, gnome_home_type) + read_files_pattern($1, gnome_home_type, gnome_home_type) + read_lnk_files_pattern($1, gnome_home_type, gnome_home_type) ') ######################################## ## -## read gconf config files +## Read gconf config files ## ## ## @@ -238,6 +256,24 @@ manage_files_pattern($1, gconf_home_t, gconf_home_t) ') +####################################### +## +## Read gnome homedir content +## +## +## +## The type of the user domain. +## +## +# +template(`gnome_list_home_config',` + gen_require(` + type gnome_home_t; + ') + + allow $1 gnome_home_t:dir list_dir_perms; +') + ######################################## ## ## Connect to gnome over an unix stream socket. 
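Review bot: Switching gnome_manage_config and gnome_read_config from `type gnome_home_t` to `attribute gnome_home_type` silently widens what every existing caller can do, since the attribute now also covers gconf_home_t and the new gstreamer_home_t; that is probably intended but should be stated in each interface's summary, e.g. `## Manage all gnome home content types (gnome_home_type).`. The new gnome_list_home_config is declared with `template(` although it only emits rules for $1 and should be `interface(` like its neighbours, and its summary `## Read gnome homedir content` overstates the single `list_dir_perms` rule it contains; `## List gnome homedir content directories` matches the rule.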
@@ -255,11 +291,29 @@ # interface(`gnome_stream_connect',` gen_require(` - type gnome_home_t; + attribute gnome_home_type; ') # Connect to pulseaudit server - stream_connect_pattern($1, gnome_home_t, gnome_home_t, $2) + stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2) +') + +####################################### +## +## Read/Write all inherited gnome home config +## +## +## +## Domain allowed access. +## +## +# +interface(`gnome_rw_inherited_config',` + gen_require(` + attribute gnome_home_type; + ') + + allow $1 gnome_home_type:file rw_inherited_file_perms; ') ######################################## @@ -274,8 +328,9 @@ # interface(`gnome_write_inherited_config',` gen_require(` - type gnome_home_t; + attribute gnome_home_type; ') - allow $1 gnome_home_t:file rw_inherited_file_perms; + allow $1 gnome_home_type:file rw_inherited_file_perms; ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.32/policy/modules/apps/gnome.te --- nsaserefpolicy/policy/modules/apps/gnome.te 2010-01-18 18:24:22.596529936 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/gnome.te 2010-02-03 22:11:10.235822052 +0100 @@ -7,11 +7,12 @@ # attribute gnomedomain; +attribute gnome_home_type; type gconf_etc_t; files_config_file(gconf_etc_t) -type gconf_home_t; +type gconf_home_t, gnome_home_type; typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; typealias gconf_home_t alias unconfined_gconf_home_t; 
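Review bot: The new gnome_rw_inherited_config interface is rule-for-rule identical to gnome_write_inherited_config as modified in the second hunk (both grant `rw_inherited_file_perms` on gnome_home_type files), so the file now has two public names for one permission set. Either have gnome_write_inherited_config call `gnome_rw_inherited_config($1)` and mark it deprecated in its summary, or drop the new one and keep the existing name. The hunk also appends an empty `+` line at end of file, which will trip whitespace checks.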
@@ -31,12 +32,15 @@ application_domain(gconfd_t, gconfd_exec_t) ubac_constrained(gconfd_t) -type gnome_home_t; +type gnome_home_t, gnome_home_type; typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t }; typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t }; typealias gnome_home_t alias unconfined_gnome_home_t; userdom_user_home_content(gnome_home_t) +type gstreamer_home_t, gnome_home_type; +userdom_user_home_content(gstreamer_home_t) + type gconfdefaultsm_t; type gconfdefaultsm_exec_t; dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.6.32/policy/modules/apps/gpg.fc --- nsaserefpolicy/policy/modules/apps/gpg.fc 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/apps/gpg.fc 2010-01-19 12:03:52.541857693 +0100 @@ -1,5 +1,7 @@ HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) +/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) + /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) /usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.32/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2010-01-18 18:24:22.605530382 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/gpg.te 2010-03-03 10:39:47.587612339 +0100 @@ -112,11 +112,6 @@ userdom_use_user_terminals(gpg_t) -optional_policy(` - cron_system_entry(gpg_t, gpg_exec_t) - cron_read_system_job_tmp_files(gpg_t) -') - ######################################## # # GPG helper local policy 
@@ -271,6 +266,6 @@
 ')
 optional_policy(`
- xserver_common_app(gpg_pinentry_t)
+ xserver_stream_connect(gpg_pinentry_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.32/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2010-01-18 18:24:22.607530707 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/java.if 2010-03-03 10:39:47.588611900 +0100
@@ -196,7 +196,6 @@
 files_execmod_all_files($1_java_t)
 optional_policy(`
- xserver_common_app($1_java_t)
 xserver_role($1_r, $1_java_t)
 ')
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.32/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te 2010-01-18 18:24:22.608531393 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/java.te 2010-03-03 10:39:47.589622916 +0100
@@ -131,7 +131,6 @@
 ')
 optional_policy(`
- xserver_common_app(java_t)
 xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.6.32/policy/modules/apps/kdumpgui.te
--- nsaserefpolicy/policy/modules/apps/kdumpgui.te 2010-01-18 18:24:22.610530600 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/kdumpgui.te 2010-02-08 11:58:12.837586833 +0100
@@ -56,6 +56,10 @@
 userdom_dontaudit_search_admin_dir(kdumpgui_t)
 optional_policy(`
+ gnome_dontaudit_search_config(kdumpgui_t)
+')
+
+optional_policy(`
 dev_rw_lvm_control(kdumpgui_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.32/policy/modules/apps/mozilla.fc
--- nsaserefpolicy/policy/modules/apps/mozilla.fc 2010-01-18 18:24:22.616539953 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/mozilla.fc 2010-01-18 18:27:02.741544960 +0100
@@ -11,6 +11,7 @@ /usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.32/policy/modules/apps/nsplugin.fc --- nsaserefpolicy/policy/modules/apps/nsplugin.fc 2010-01-18 18:24:22.626536127 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.fc 2010-01-21 18:31:18.271612626 +0100 @@ -1,6 +1,5 @@ HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) -HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:nsplugin_home_t,s0) HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.32/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 2010-01-18 18:24:22.627530248 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.if 2010-03-03 10:39:47.590622757 +0100 @@ -130,8 +130,6 @@ optional_policy(` pulseaudio_role($1, nsplugin_t) ') - - xserver_communicate(nsplugin_t, $2) ') ####################################### 
@@ -321,3 +319,39 @@ allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms; ') + +######################################## +## +## Read and write to nsplugin shared memory. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`nsplugin_rw_shm',` + gen_require(` + type nsplugin_t; + ') + + allow $1 nsplugin_t:shm rw_shm_perms; +') + +##################################### +## +## Allow read and write access to nsplugin semaphores. +## +## +## +## Domain allowed access. +## +## +# +interface(`nsplugin_rw_semaphores',` + gen_require(` + type nsplugin_t; + ') + + allow $1 nsplugin_t:sem rw_sem_perms; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.32/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 2010-01-18 18:24:22.628540083 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.te 2010-03-03 10:39:47.592612032 +0100 @@ -190,13 +190,13 @@ type user_tmpfs_t; ') xserver_user_x_domain_template(nsplugin, nsplugin_t, user_tmpfs_t) - xserver_common_app(nsplugin_t) xserver_rw_shm(nsplugin_t) + xserver_read_xdm_pid(nsplugin_t) xserver_read_xdm_tmp_files(nsplugin_t) xserver_read_user_xauth(nsplugin_t) xserver_read_user_iceauth(nsplugin_t) xserver_use_user_fonts(nsplugin_t) - xserver_manage_home_fonts(nsplugin_t) + xserver_rw_inherited_user_fonts(nsplugin_t) ') ######################################## 
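Review bot: The two new nsplugin.if interfaces document their parameter differently: nsplugin_rw_shm says `## The type of the process performing this action.` while nsplugin_rw_semaphores says `## Domain allowed access.`; the file's convention is the latter, so align the first. The banner above nsplugin_rw_semaphores is also one `#` shorter than the one above nsplugin_rw_shm. In the nsplugin.te hunk the replacement of xserver_manage_home_fonts with xserver_rw_inherited_user_fonts narrows the grant, which is good, and xserver_read_xdm_pid is added without a comment on why the plugin needs the xdm pid file.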
@@ -273,7 +273,7 @@ domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t) optional_policy(` - xserver_read_home_fonts(nsplugin_config_t) + xserver_use_user_fonts(nsplugin_config_t) ') optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.6.32/policy/modules/apps/openoffice.if --- nsaserefpolicy/policy/modules/apps/openoffice.if 2010-01-18 18:24:22.629540210 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/openoffice.if 2010-03-03 10:39:47.593622978 +0100 @@ -87,7 +87,6 @@ allow $3 $1_openoffice_t:process { signal sigkill }; allow $1_openoffice_t $3:unix_stream_socket connectto; optional_policy(` - xserver_common_app($1_openoffice_t) xserver_common_x_domain_template($1, $1_openoffice_t) ') ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.32/policy/modules/apps/podsleuth.te --- nsaserefpolicy/policy/modules/apps/podsleuth.te 2010-01-18 18:24:22.631540185 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/podsleuth.te 2010-01-19 11:53:14.080857057 +0100 @@ -73,6 +73,7 @@ sysnet_dns_name_resolve(podsleuth_t) +userdom_read_user_tmpfs_files(podsleuth_t) userdom_signal_unpriv_users(podsleuth_t) optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.6.32/policy/modules/apps/pulseaudio.fc --- nsaserefpolicy/policy/modules/apps/pulseaudio.fc 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.fc 2010-02-01 17:25:46.487082096 +0100 
@@ -1 +1,3 @@
+/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
+
 /usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if
--- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2010-01-18 18:24:22.632542198 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if 2010-02-11 17:58:33.409458697 +0100
@@ -29,7 +29,7 @@
 ps_process_pattern($2, pulseaudio_t)
 allow pulseaudio_t $2:process { signal signull };
- allow $2 pulseaudio_t:process { signal signull };
+ allow $2 pulseaudio_t:process { signal signull sigkill };
 ps_process_pattern(pulseaudio_t, $2)
 allow pulseaudio_t $2:unix_stream_socket connectto;
@@ -137,10 +137,10 @@
 #
 interface(`pulseaudio_stream_connect',`
 gen_require(`
- type pulseaudio_t;
+ type pulseaudio_t, pulseaudio_var_run_t;
 ')
 allow $1 pulseaudio_t:process signull;
 allow pulseaudio_t $1:process signull;
- allow $1 pulseaudio_t:unix_stream_socket connectto;
+ stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te
--- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-02-21 20:47:43.404568303 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te 2010-03-03 10:39:47.595611765 +0100
@@ -8,14 +8,22 @@ type pulseaudio_t; type pulseaudio_exec_t; +init_daemon_domain(pulseaudio_t, pulseaudio_exec_t) application_domain(pulseaudio_t, pulseaudio_exec_t) role system_r types pulseaudio_t; +type pulseaudio_var_run_t; +files_pid_file(pulseaudio_var_run_t) + +type pulseaudio_tmpfs_t; +files_tmpfs_file(pulseaudio_tmpfs_t) + ######################################## # # pulseaudio local policy # +allow pulseaudio_t self:capability { setuid sys_nice setgid }; allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull }; allow pulseaudio_t self:fifo_file rw_file_perms; allow pulseaudio_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -24,6 +32,11 @@ allow pulseaudio_t self:udp_socket create_socket_perms; allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; +manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) +manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) +manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) +files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file }) + can_exec(pulseaudio_t, pulseaudio_exec_t) kernel_getattr_proc(pulseaudio_t) @@ -72,6 +85,8 @@ ') optional_policy(` + dbus_system_domain(pulseaudio_t, pulseaudio_exec_t) + dbus_system_bus_client(pulseaudio_t) dbus_session_bus_client(pulseaudio_t) dbus_connect_session_bus(pulseaudio_t) 
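Review bot: In the first hunk `role system_r types pulseaudio_t;` is kept directly after the new `init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)`, which already associates the domain with system_r, so the explicit role line is now redundant; applying both init_daemon_domain and application_domain to one type is also unusual and deserves a comment saying pulseaudio runs both as a system daemon and as a user application. The new `allow pulseaudio_t self:capability { setuid sys_nice setgid };` gives a network-facing daemon the ability to change uid/gid with no note on why; a trailing comment such as `# system mode: drop to the pulse user after startup -- confirm` would document the intent. In the third hunk, if dbus_system_domain already pulls in the system bus client rules (as it does in refpolicy), the following `dbus_system_bus_client(pulseaudio_t)` line is redundant too.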
@@ -110,5 +125,5 @@
 optional_policy(`
 xserver_manage_xdm_tmp_files(pulseaudio_t)
 xserver_read_xdm_lib_files(pulseaudio_t)
- xserver_common_app(pulseaudio_t)
+ xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.32/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te 2010-01-18 18:24:22.644530315 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/qemu.te 2010-02-26 17:10:10.725606301 +0100
@@ -116,6 +116,7 @@
 domain_type(qemu_unconfined_t)
 unconfined_domain_noaudit(qemu_unconfined_t)
 userdom_manage_tmpfs_role(unconfined_r, qemu_unconfined_t)
+ userdom_unpriv_usertype(unconfined,qemu_unconfined_t)
 application_type(qemu_unconfined_t)
 role unconfined_r types qemu_unconfined_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.32/policy/modules/apps/sambagui.te
--- nsaserefpolicy/policy/modules/apps/sambagui.te 2010-01-18 18:24:22.646540277 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/sambagui.te 2010-02-08 10:39:43.173336716 +0100
@@ -52,6 +52,10 @@
 userdom_dontaudit_search_admin_dir(sambagui_t)
 optional_policy(`
+ gnome_dontaudit_search_config(sambagui_t)
+')
+
+optional_policy(`
 consoletype_exec(sambagui_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.32/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 2010-01-18 18:24:22.648539903 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2010-02-11 17:41:13.265459296 +0100
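Review bot: The qemu.te line `userdom_unpriv_usertype(unconfined,qemu_unconfined_t)` is missing the space after the comma that every other call in these files uses; write it as `userdom_unpriv_usertype(unconfined, qemu_unconfined_t)`. Marking an already unconfined type as an unprivileged user type also broadens what user-domain interfaces match it, so a one-line comment on why qemu_unconfined_t needs that attribute would help the next reader.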
@@ -29,7 +29,7 @@ dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh }; role $2 types sandbox_domain; allow sandbox_domain $1:process sigchld; - allow sandbox_domain $1:fifo_file rw_fifo_file_perms; + allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms; allow $1 sandbox_x_domain:process { signal_perms transition }; dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh }; @@ -37,7 +37,7 @@ role $2 types sandbox_x_domain; role $2 types sandbox_xserver_t; allow $1 sandbox_xserver_t:process signal_perms; - dontaudit sandbox_xserver_t $1:fifo_file rw_fifo_file_perms; + dontaudit sandbox_xserver_t $1:fifo_file rw_inherited_fifo_file_perms; dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms; dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms; allow sandbox_xserver_t $1:unix_stream_socket { read write }; @@ -45,9 +45,10 @@ allow sandbox_x_domain $1:process { sigchld signal }; allow sandbox_x_domain sandbox_x_domain:process signal; # Dontaudit leaked file descriptors - dontaudit sandbox_x_domain $1:fifo_file rw_fifo_file_perms; + dontaudit sandbox_x_domain $1:fifo_file { read write }; dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms; dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms; + dontaudit sandbox_x_domain $1:unix_stream_socket { read write }; manage_files_pattern($1, sandbox_file_type, sandbox_file_type); manage_dirs_pattern($1, sandbox_file_type, sandbox_file_type); @@ -103,9 +104,10 @@ # template(`sandbox_x_domain_template',` gen_require(` - type xserver_exec_t; + type xserver_exec_t, sandbox_devpts_t; type sandbox_xserver_t; attribute sandbox_domain, sandbox_x_domain; + attribute sandbox_file_type; ') type $1_t, sandbox_x_domain; @@ -122,7 +124,7 @@ manage_sock_files_pattern($1_t, $1_file_t, $1_file_t) # window manager - miscfiles_setattr_fonts_dirs($1_t) + miscfiles_setattr_fonts_cache_dirs($1_t) allow $1_t self:capability setuid; type $1_client_t, sandbox_x_domain; 
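Review bot: The third hunk changes `dontaudit sandbox_x_domain $1:fifo_file rw_fifo_file_perms;` to `{ read write }` while the first two hunks change the equivalent rules to `rw_inherited_fifo_file_perms`; the three should use the same set, and since the comment above that line says these are leaked descriptors, `rw_inherited_fifo_file_perms` is the consistent choice. In the fourth hunk `sandbox_devpts_t` is added to the gen_require block but no rule in the visible hunks uses it; if the rest of the template (outside this hunk) does not reference it either, the require should be dropped.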
@@ -156,6 +158,8 @@ ps_process_pattern(sandbox_xserver_t, $1_t) allow sandbox_xserver_t $1_client_t:shm rw_shm_perms; allow sandbox_xserver_t $1_t:shm rw_shm_perms; + allow $1_client_t $1_t:unix_stream_socket connectto; + allow $1_t $1_client_t:unix_stream_socket connectto; can_exec($1_client_t, $1_file_t) manage_dirs_pattern($1_client_t, $1_file_t, $1_file_t) @@ -163,10 +167,6 @@ manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t) manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t) manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t) - - optional_policy(` - xserver_common_app($1_t) - ') ') ######################################## @@ -187,3 +187,39 @@ allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms; ') + +######################################## +## +## allow domain to delete sandbox files +## +## +## +## Domain to not audit. +## +## +# +interface(`sandbox_delete_files',` + gen_require(` + attribute sandbox_file_type; + ') + + delete_files_pattern($1, sandbox_file_type, sandbox_file_type) +') + +######################################## +## +## allow domain to delete sandbox files +## +## +## +## Domain to not audit. +## +## +# +interface(`sandbox_delete_dirs',` + gen_require(` + attribute sandbox_file_type; + ') + + delete_dirs_pattern($1, sandbox_file_type, sandbox_file_type) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.32/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 2010-01-18 18:24:22.649539960 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2010-02-11 17:45:05.778708766 +0100 
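Review bot: The last hunk's sandbox_delete_dirs carries the summary `## allow domain to delete sandbox files`, copied from sandbox_delete_files, although it grants delete_dirs_pattern; change it to `## Allow domain to delete sandbox directories`. Both new interfaces also describe their parameter as `## Domain to not audit.`, which is the wording for dontaudit interfaces; these are allow rules, so `## Domain allowed access.` is correct. The first hunk adds connectto in both directions between $1_t and $1_client_t; a short comment on which of the two actually listens would document why both are needed.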
@@ -10,14 +10,15 @@ # sandbox_domain_template(sandbox) +sandbox_x_domain_template(sandbox_min) sandbox_x_domain_template(sandbox_x) sandbox_x_domain_template(sandbox_web) sandbox_x_domain_template(sandbox_net) type sandbox_xserver_t; domain_type(sandbox_xserver_t) -xserver_common_app(sandbox_xserver_t) permissive sandbox_xserver_t; +xserver_user_x_domain_template(sandbox_xserver, sandbox_xserver_t, sandbox_xserver_tmpfs_t) type sandbox_xserver_tmpfs_t; files_tmpfs_file(sandbox_xserver_tmpfs_t) @@ -92,10 +93,6 @@ ') ') -optional_policy(` - xserver_common_app(sandbox_xserver_t) -') - ######################################## # # sandbox local policy @@ -104,7 +101,7 @@ ## internal communication is often done using fifo and unix sockets. allow sandbox_domain self:fifo_file manage_file_perms; allow sandbox_domain self:unix_stream_socket create_stream_socket_perms; -allow sandbox_domain self:unix_dgram_socket create_socket_perms; +allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms }; gen_require(` type usr_t, lib_t, locale_t; @@ -132,7 +129,7 @@ allow sandbox_x_domain self:process { signal_perms getsched setpgid execstack execmem }; allow sandbox_x_domain self:shm create_shm_perms; allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms }; -allow sandbox_x_domain self:unix_dgram_socket create_socket_perms; +allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms }; allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto; dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; 
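Review bot: The first hunk calls `xserver_user_x_domain_template(sandbox_xserver, sandbox_xserver_t, sandbox_xserver_tmpfs_t)` two lines before `type sandbox_xserver_tmpfs_t;` is declared; checkpolicy's two-pass parse tolerates this, but the file's own order is declare-then-use, so move the template call below `files_tmpfs_file(sandbox_xserver_tmpfs_t)`. The `permissive sandbox_xserver_t;` line is left in place immediately next to the new rules, which means none of the sandbox X server rules in this module are enforced; if that is still intentional for this release a comment saying so would stop it being read as an oversight.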
@@ -161,14 +158,14 @@ auth_dontaudit_read_login_records(sandbox_x_domain) auth_dontaudit_write_login_records(sandbox_x_domain) -#auth_use_nsswitch(sandbox_x_domain) +auth_use_nsswitch(sandbox_x_domain) auth_search_pam_console_data(sandbox_x_domain) init_read_utmp(sandbox_x_domain) init_dontaudit_write_utmp(sandbox_x_domain) miscfiles_read_localization(sandbox_x_domain) -miscfiles_dontaudit_setattr_fonts_dirs(sandbox_x_domain) +miscfiles_dontaudit_setattr_fonts_cache_dirs(sandbox_x_domain) term_getattr_pty_fs(sandbox_x_domain) term_use_ptmx(sandbox_x_domain) @@ -179,12 +176,24 @@ miscfiles_read_fonts(sandbox_x_domain) optional_policy(` + cups_stream_connect(sandbox_x_domain) + cups_read_rw_config(sandbox_x_domain) +') + +optional_policy(` + dbus_system_bus_client(sandbox_x_domain) +') + +optional_policy(` gnome_read_gconf_config(sandbox_x_domain) ') optional_policy(` - cups_stream_connect(sandbox_x_domain) - cups_read_rw_config(sandbox_x_domain) + nscd_dontaudit_search_pid(sandbox_x_domain) +') + +optional_policy(` + sssd_dontaudit_search_lib(sandbox_x_domain) ') userdom_dontaudit_use_user_terminals(sandbox_x_domain) @@ -207,10 +216,8 @@ corenet_tcp_connect_ipp_port(sandbox_x_client_t) -#auth_use_nsswitch(sandbox_x_client_t) +auth_use_nsswitch(sandbox_x_client_t) -dbus_system_bus_client(sandbox_x_client_t) -dbus_read_config(sandbox_x_client_t) selinux_get_fs_mount(sandbox_x_client_t) selinux_validate_context(sandbox_x_client_t) selinux_compute_access_vector(sandbox_x_client_t) @@ -239,6 +246,8 @@ kernel_dontaudit_search_kernel_sysctl(sandbox_web_client_t) dev_read_rand(sandbox_web_client_t) +dev_write_sound(sandbox_web_client_t) +dev_read_sound(sandbox_web_client_t) # Browse the web, connect to printer corenet_all_recvfrom_unlabeled(sandbox_web_client_t) 
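Review bot: Uncommenting `auth_use_nsswitch(sandbox_x_domain)` (and `auth_use_nsswitch(sandbox_x_client_t)` in the fourth hunk) does more than allow passwd lookups: in refpolicy that interface pulls in DNS name resolution and LDAP client access, so sandbox_x_t, which is meant to be the no-network sandbox, can now reach name servers. If only local nss files and the nscd/sssd sockets are wanted, the individual `nscd_socket_use`/`sssd_stream_connect` calls already added as optional_policy here are the narrower alternative. Either way the line deserves a comment recording that the network reach is accepted.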
@@ -249,14 +258,19 @@ corenet_raw_sendrecv_all_nodes(sandbox_web_client_t) corenet_tcp_sendrecv_http_port(sandbox_web_client_t) corenet_tcp_sendrecv_http_cache_port(sandbox_web_client_t) +corenet_tcp_connect_flash_port(sandbox_web_client_t) corenet_tcp_sendrecv_ftp_port(sandbox_web_client_t) corenet_tcp_sendrecv_ipp_port(sandbox_web_client_t) +corenet_tcp_connect_streaming_port(sandbox_web_client_t) +corenet_tcp_connect_pulseaudio_port(sandbox_web_client_t) +corenet_tcp_connect_speech_port(sandbox_web_client_t) corenet_tcp_connect_http_port(sandbox_web_client_t) corenet_tcp_connect_http_cache_port(sandbox_web_client_t) corenet_tcp_connect_ftp_port(sandbox_web_client_t) corenet_tcp_connect_ipp_port(sandbox_web_client_t) corenet_tcp_connect_generic_port(sandbox_web_client_t) corenet_tcp_connect_soundd_port(sandbox_web_client_t) +corenet_tcp_connect_speech_port(sandbox_web_client_t) corenet_sendrecv_http_client_packets(sandbox_web_client_t) corenet_sendrecv_http_cache_client_packets(sandbox_web_client_t) corenet_sendrecv_ftp_client_packets(sandbox_web_client_t) @@ -265,9 +279,8 @@ # Should not need other ports corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_client_t) corenet_dontaudit_tcp_bind_generic_port(sandbox_web_client_t) -corenet_tcp_connect_speech_port(sandbox_web_client_t) -#auth_use_nsswitch(sandbox_web_client_t) +auth_use_nsswitch(sandbox_web_client_t) dbus_system_bus_client(sandbox_web_client_t) dbus_read_config(sandbox_web_client_t) @@ -279,6 +292,8 @@ selinux_compute_user_contexts(sandbox_web_client_t) seutil_read_default_contexts(sandbox_web_client_t) +userdom_rw_user_tmpfs_files(sandbox_web_client_t) + optional_policy(` nsplugin_read_rw_files(sandbox_web_client_t) nsplugin_rw_exec(sandbox_web_client_t) 
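Review bot: `corenet_tcp_connect_speech_port(sandbox_web_client_t)` is added twice in this hunk, once after `corenet_tcp_connect_pulseaudio_port` and again after `corenet_tcp_connect_soundd_port`, while the following hunk removes the pre-existing copy; the compiler merges duplicate allow rules so nothing breaks, but the repeated line reads as a merge leftover. Keep a single call and, since the new `flash`, `streaming` and `pulseaudio` grants widen where the web sandbox may connect, group the audio/streaming ports under one comment such as `# Flash, streaming media and local audio daemons` so the reason survives the next rebase.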
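Review bot: `userdom_rw_user_tmpfs_files(sandbox_web_client_t)` lets the web sandbox read and write the tmpfs files of the user's other, unsandboxed processes (their shared-memory backing), so a compromised browser could read or tamper with data belonging to processes outside the sandbox, which is exactly the boundary the sandbox domain exists to draw. If this serves one consumer (the `nsplugin_*` rules right below suggest plugin or pulseaudio shared memory), a read-only interface or a dedicated tmpfs type for the sandbox with a file transition would bound it; at minimum the grant needs a why-comment, e.g. `# plugin/pulseaudio shm segments live in user tmpfs`. The actual purpose is not visible in this hunk, so please confirm before narrowing.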
@@ -310,7 +325,7 @@ corenet_tcp_connect_all_ports(sandbox_net_client_t) corenet_sendrecv_all_client_packets(sandbox_net_client_t) -#auth_use_nsswitch(sandbox_net_client_t) +auth_use_nsswitch(sandbox_net_client_t) dbus_system_bus_client(sandbox_net_client_t) dbus_read_config(sandbox_net_client_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.6.32/policy/modules/apps/slocate.te --- nsaserefpolicy/policy/modules/apps/slocate.te 2010-01-18 18:24:22.654539968 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/slocate.te 2010-02-15 15:04:15.236661606 +0100 @@ -31,6 +31,7 @@ kernel_read_system_state(locate_t) kernel_dontaudit_search_sysctl(locate_t) +kernel_dontaudit_search_network_state(locate_t) corecmd_exec_bin(locate_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.6.32/policy/modules/apps/vmware.if --- nsaserefpolicy/policy/modules/apps/vmware.if 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/apps/vmware.if 2010-01-25 17:40:10.448685801 +0100 @@ -30,6 +30,24 @@ allow $2 vmware_t:process signal; ') +####################################### +## +## Execute vmware host executables +## +## +## +## Domain allowed access. +## +## +# +interface(`vmware_exec_host',` + gen_require(` + type vmware_host_exec_t; + ') + + can_exec($1, vmware_host_exec_t) +') + ######################################## ## ## Read VMWare system configuration files. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.32/policy/modules/apps/vmware.te --- nsaserefpolicy/policy/modules/apps/vmware.te 2010-01-18 18:24:22.655542539 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/vmware.te 2010-03-03 10:39:47.596621872 +0100 
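Review bot: The summary of the new `vmware_exec_host` interface, `Execute vmware host executables`, does not say that `can_exec($1, vmware_host_exec_t)` runs the binary in the caller's own domain with no transition to `vmware_host_t`, which is the detail a policy author choosing between this and a domtrans interface needs. Suggest `## Execute vmware host executables in the caller domain (no domain transition).` and `## Domain allowed to execute vmware_host_exec_t in place.` for the parameter.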
@@ -32,6 +32,10 @@ type vmware_host_pid_t alias vmware_var_run_t; files_pid_file(vmware_host_pid_t) +type vmware_host_tmp_t; +files_tmp_file(vmware_host_tmp_t) +ubac_constrained(vmware_host_tmp_t) + type vmware_log_t; typealias vmware_log_t alias { user_vmware_log_t staff_vmware_log_t sysadm_vmware_log_t }; typealias vmware_log_t alias { auditadm_vmware_log_t secadm_vmware_log_t }; @@ -87,6 +91,11 @@ manage_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t) logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir }) +manage_dirs_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t) +manage_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t) +manage_sock_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t) +files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir }) + kernel_read_kernel_sysctls(vmware_host_t) kernel_read_system_state(vmware_host_t) @@ -157,7 +166,6 @@ optional_policy(` xserver_read_tmp_files(vmware_host_t) xserver_read_xdm_pid(vmware_host_t) - xserver_common_app(vmware_host_t) ') ifdef(`TODO',` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.32/policy/modules/apps/wine.if --- nsaserefpolicy/policy/modules/apps/wine.if 2010-01-18 18:24:22.657540000 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/wine.if 2010-03-03 10:39:47.597611866 +0100 @@ -143,6 +143,10 @@ userdom_unpriv_usertype($1, $1_wine_t) userdom_manage_tmpfs_role($2, $1_wine_t) + tunable_policy(`wine_mmap_zero_ignore',` + dontaudit $1_wine_t self:memprotect mmap_zero; + ') + domain_mmap_low_type($1_wine_t) tunable_policy(`mmap_low_allowed',` domain_mmap_low($1_wine_t) 
@@ -154,7 +158,6 @@ corecmd_bin_domtrans($1_wine_t, $1_t) optional_policy(` - xserver_common_app($1_wine_t) xserver_role($1_r, $1_wine_t) ') ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.32/policy/modules/apps/wine.te --- nsaserefpolicy/policy/modules/apps/wine.te 2010-01-18 18:24:22.664530344 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/wine.te 2010-03-03 12:25:02.223612892 +0100 @@ -6,6 +6,15 @@ # Declarations # +## +##

+## Ignore wine mmap_zero errors +##

+##
+# +gen_tunable(wine_mmap_zero_ignore, false) + + type wine_t; type wine_exec_t; application_domain(wine_t, wine_exec_t) @@ -29,6 +38,11 @@ manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t) files_tmp_filetrans(wine_t, wine_tmp_t,{ file dir }) +tunable_policy(`wine_mmap_zero_ignore',` + dontaudit wine_t self:memprotect mmap_zero; +') + + domain_mmap_low_type(wine_t) tunable_policy(`mmap_low_allowed',` domain_mmap_low(wine_t) @@ -44,11 +58,10 @@ optional_policy(` unconfined_domain(wine_t) + unconfined_domain_noaudit(wine_t) ') optional_policy(` - xserver_common_app(wine_t) xserver_read_xdm_pid(wine_t) - xserver_common_app(wine_t) xserver_rw_shm(wine_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-01-18 18:24:22.665531100 +0100 +++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2010-03-01 09:10:51.189491683 +0100 @@ -166,6 +166,7 @@ /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) 
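Review bot: The new tunable's description `Ignore wine mmap_zero errors` reads as if enabling `wine_mmap_zero_ignore` makes the mapping work, but the rule it controls in the next hunk is `dontaudit wine_t self:memprotect mmap_zero;`, which only suppresses the audit record; the low-memory mapping stays denied unless `mmap_low_allowed` is also set via the existing `domain_mmap_low(wine_t)` block. Since `mmap_zero` is the policy's guard against mapping the NULL page, an administrator flipping this boolean should be told they are hiding, not permitting, that denial: suggest `## Do not audit attempts by wine to map the zero page (mmap_zero). This only silences the denial; use mmap_low_allowed to permit it.`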
@@ -218,8 +219,9 @@ /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) -/usr/share/cluster/ocf-shellfunc -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/SAPInstance -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/SAPDatabase -- gen_context(system_u:object_r:bin_t,s0) @@ -237,6 +239,7 @@ /usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.if.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.if.in 2010-02-02 15:20:43.717067439 +0100 
@@ -1703,6 +1703,24 @@ allow $1 tun_tap_device_t:chr_file rw_chr_file_perms; ') +####################################### +## +## dontaudit Read and write the TUN/TAP virtual network device. +## +## +## +## The domain allowed access. +## +## +# +interface(`corenet_dontaudit_rw_tun_tap_dev',` + gen_require(` + type tun_tap_device_t; + ') + + dontaudit $1 tun_tap_device_t:chr_file { read write }; +') + ######################################## ## ## Getattr the point-to-point device. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-01-18 18:24:22.668540002 +0100 +++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2010-03-01 09:53:43.085750129 +0100 @@ -85,6 +85,7 @@ network_port(clamd, tcp,3310,s0) network_port(clockspeed, udp,4041,s0) network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0) +network_port(cobbler, tcp,25151,s0) network_port(comsat, udp,512,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0) 
@@ -92,11 +93,12 @@ network_port(dbskkd, tcp,1178,s0) network_port(dcc, udp,6276,s0, udp,6277,s0) network_port(dccm, tcp,5679,s0, udp,5679,s0) -network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,547,s0, tcp, 547,s0) -network_port(dhcpd, udp,67,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) +network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0) +network_port(dhcpd, udp,67,s0, udp,547,s0, tcp,547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) network_port(dns, udp,53,s0, tcp,53,s0) +network_port(epmap, udp,135,s0, tcp,135,s0) network_port(festival, tcp,1314,s0) network_port(fingerd, tcp,79,s0) network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.32/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-01-18 18:24:22.670530409 +0100 +++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2010-02-26 09:33:34.628548195 +0100 @@ -64,6 +64,7 @@ /dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0) /dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/misc/dlm.* -c gen_context(system_u:object_r:dlm_control_device_t,s0) /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/modem -c gen_context(system_u:object_r:modem_device_t,s0) 
@@ -83,6 +84,7 @@ /dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0) /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) /dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) +/dev/pps.* -c gen_context(system_u:object_r:clock_device_t,s0) /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0) @@ -104,6 +106,7 @@ /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) /dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0) /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) +/dev/usbmon.+ -c gen_context(system_u:object_r:usbmon_device_t,s0) /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) @@ -145,6 +148,7 @@ /dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/input/uinput -c gen_context(system_u:object_r:event_device_t,s0) +/dev/uinput -c gen_context(system_u:object_r:event_device_t,s0) /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0) @@ -162,6 +166,8 @@ /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0) +/dev/uio[0-9]+ -c gen_context(system_u:object_r:userio_device_t,s0) + /dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0) /dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2010-01-18 18:24:22.673530022 +0100 +++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2010-02-26 09:33:41.069548571 +0100 
@@ -147,6 +147,24 @@ ######################################## ## +## Add entries to directories in /dev. +## +## +## +## Domain allowed to add entries. +## +## +# +interface(`dev_remove_entry_generic_dirs',` + gen_require(` + type device_t; + ') + + allow $1 device_t:dir del_entry_dir_perms; +') + +######################################## +## ## Create a directory in the device directory. ## ## @@ -418,6 +436,24 @@ ######################################## ## +## Dontaudit getattr for generic character device files. +## +## +## +## Domain to dontaudit access. +## +## +# +interface(`dev_rw_generic_chr_files',` + gen_require(` + type device_t; + ') + + allow $1 device_t:chr_file rw_chr_file_perms; +') + +######################################## +## ## Dontaudit setattr for generic character device files. ## ## @@ -873,6 +909,42 @@ ######################################## ## +## rw all inherited character device files. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_all_inherited_chr_files',` + gen_require(` + attribute device_node; + ') + + allow $1 device_node:chr_file rw_inherited_chr_file_perms; +') + +######################################## +## +## rw all inherited blk device files. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_all_inherited_blk_files',` + gen_require(` + attribute device_node; + ') + + allow $1 device_node:blk_file rw_inherited_blk_file_perms; +') + +######################################## +## ## Delete all block device files. ## ## 
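Review bot: `dev_remove_entry_generic_dirs` is documented as `Add entries to directories in /dev.` but grants `del_entry_dir_perms`, the opposite operation; a caller reading the summary would pick it to create a node and end up with unlink rights instead. Change the summary to `## Remove entries from directories in /dev.` and the parameter text to `## Domain allowed to remove entries.`.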
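Review bot: `dev_rw_generic_chr_files` is documented as `Dontaudit getattr for generic character device files.` (the summary of the neighbouring dontaudit interface was copied), yet it allows `rw_chr_file_perms` on every `device_t` character node, i.e. read and write of any device that has no specific label. That is a broad grant, so the summary must say what it does: `## Read and write generic character device files (device nodes with no specific type).` with the parameter text `## Domain allowed access.`; otherwise callers will reach for it believing it is audit-only.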
@@ -1398,6 +1470,42 @@ rw_chr_files_pattern($1, device_t, crypt_device_t) ') +####################################### +## +## Set the attributes of the dlm control devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_setattr_dlm_control',` + gen_require(` + type device_t, kvm_device_t; + ') + + setattr_chr_files_pattern($1, device_t, dlm_control_device_t) +') + +####################################### +## +## Read and write the the dlm control device +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_dlm_control',` + gen_require(` + type device_t, dlm_control_device_t; + ') + + rw_chr_files_pattern($1, device_t, dlm_control_device_t) +') + ######################################## ## ## getattr the dri devices. @@ -1728,6 +1836,24 @@ ######################################## ## +## Write to the kernel messages device +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_write_kmsg',` + gen_require(` + type device_t, kmsg_device_t; + ') + + write_chr_files_pattern($1, device_t, kmsg_device_t) +') + +######################################## +## ## Get the attributes of the ksm devices. ## ## @@ -1963,7 +2089,7 @@ ######################################## ## -## Delete the lvm control device. +## Do not audit attempts to read and write lvm control device. ## ## ## @@ -1971,17 +2097,17 @@ ## ## # -interface(`dev_delete_lvm_control_dev',` +interface(`dev_dontaudit_rw_lvm_control',` gen_require(` - type device_t, lvm_control_t; + type lvm_control_t; ') - delete_chr_files_pattern($1, device_t, lvm_control_t) + dontaudit $1 lvm_control_t:chr_file rw_file_perms; ') ######################################## ## -## Do not audit attempts to read and write lvm control device. +## Delete the lvm control device. ## ## ## 
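Review bot: `dev_setattr_dlm_control` requires `type device_t, kvm_device_t;` but then uses `dlm_control_device_t` in `setattr_chr_files_pattern`, so the type it actually needs is never declared in the require block and `kvm_device_t` is an unrelated leftover; a module outside devices that calls this interface will fail to build on the undeclared type. The sibling `dev_rw_dlm_control` directly below has the correct block; change the require line to `type device_t, dlm_control_device_t;`.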
@@ -1989,15 +2115,14 @@ ## ## # -interface(`dev_dontaudit_rw_lvm_control',` +interface(`dev_delete_lvm_control_dev',` gen_require(` - type lvm_control_t; + type device_t, lvm_control_t; ') - dontaudit $1 lvm_control_t:chr_file rw_file_perms; + delete_chr_files_pattern($1, device_t, lvm_control_t) ') - ######################################## ## ## dontaudit getattr raw memory devices (e.g. /dev/mem). @@ -2487,6 +2612,24 @@ ######################################## ## +## Dontaudit write the memory type range registers (MTRR). +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_dontaudit_write_mtrr',` + gen_require(` + type mtrr_device_t; + ') + + dontaudit $1 mtrr_device_t:chr_file write; +') + +######################################## +## ## Get the attributes of the network control device ## ## @@ -2590,8 +2733,7 @@ type device_t, null_device_t; ') - allow $1 device_t:dir del_entry_dir_perms; - allow $1 null_device_t:chr_file unlink; + delete_chr_files_pattern($1, device_t, null_device_t) ') ######################################## @@ -3553,6 +3695,24 @@ ######################################## ## +## Read USB monitor devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_usbmon_dev',` + gen_require(` + type device_t, usbmon_device_t; + ') + + read_chr_files_pattern($1, device_t, usbmon_device_t) +') + +######################################## +## ## Mount a usbfs filesystem. ## ## 
@@ -3741,6 +3901,24 @@ getattr_chr_files_pattern($1, device_t, v4l_device_t) ') +###################################### +## +## Read or write userio device. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_userio_dev',` + gen_require(` + type device_t, userio_device_t; + ') + + rw_chr_files_pattern($1, device_t, userio_device_t) +') + ######################################## ## ## Do not audit attempts to get the attributes diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.32/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2010-01-18 18:24:22.675530137 +0100 +++ serefpolicy-3.6.32/policy/modules/kernel/devices.te 2010-03-01 13:31:38.484740499 +0100 @@ -1,5 +1,5 @@ -policy_module(devices, 1.8.2) +policy_module(devices, 1.9.2) ######################################## # @@ -59,6 +59,12 @@ type crypt_device_t; dev_node(crypt_device_t) +# +# dlm_misc_device_t is the type of /dev/misc/dlm.* +# +type dlm_control_device_t; +dev_node(dlm_control_device_t) + type dri_device_t; dev_node(dri_device_t) @@ -84,8 +90,7 @@ dev_node(kmsg_device_t) # -# ksm_device_t is the type of -# /dev/ksm +# ksm_device_t is the type of /dev/ksm # type ksm_device_t; dev_node(ksm_device_t) @@ -233,6 +238,18 @@ type usb_device_t; dev_node(usb_device_t) +# +# usb_device_t is the type for /dev/usbmon +# +type usbmon_device_t; +dev_node(usbmon_device_t) + +# +# userio_device_t is the type for /dev/uio[0-9]+ +# +type userio_device_t; +dev_node(userio_device_t) + type v4l_device_t; dev_node(v4l_device_t) 
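Review bot: The comment above the new type says `dlm_misc_device_t is the type of /dev/misc/dlm.*`, but the type declared is `dlm_control_device_t`, which is also what devices.fc in this patch assigns to `/dev/misc/dlm.*`. Fix it to `# dlm_control_device_t is the type of /dev/misc/dlm.*` so a grep on the type name finds its description.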
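Review bot: The comment introducing `usbmon_device_t` reads `usb_device_t is the type for /dev/usbmon`, naming the wrong type; `usb_device_t` is the generic USB type declared just above, whereas usbmon nodes (`/dev/usbmon.+` in devices.fc) expose raw USB bus traffic, which is presumably why they were given a separate type. Change it to `# usbmon_device_t is the type for /dev/usbmon* (USB bus monitor)`.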
@@ -278,5 +295,5 @@ # allow devices_unconfined_type self:capability sys_rawio; -allow devices_unconfined_type device_node:{ blk_file chr_file } *; +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; allow devices_unconfined_type mtrr_device_t:file *; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.32/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2010-01-18 18:24:22.683530317 +0100 +++ serefpolicy-3.6.32/policy/modules/kernel/domain.if 2010-02-26 09:33:54.830549053 +0100 @@ -718,10 +718,6 @@ dontaudit $1 domain:dir list_dir_perms; dontaudit $1 domain:lnk_file read_lnk_file_perms; dontaudit $1 domain:file read_file_perms; - - # cjp: these should be removed: - dontaudit $1 domain:sock_file read_sock_file_perms; - dontaudit $1 domain:fifo_file read_fifo_file_perms; ') ######################################## @@ -763,6 +759,24 @@ ######################################## ## +## Get the process group ID of all domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`domain_getpgid_all_domains',` + gen_require(` + attribute domain; + ') + + allow $1 domain:process getpgid; +') + +######################################## +## ## Get the scheduler information of all domains. ## ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.32/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2010-01-18 18:24:22.685530781 +0100 +++ serefpolicy-3.6.32/policy/modules/kernel/domain.te 2010-03-02 17:30:45.367615524 +0100 
@@ -105,8 +105,10 @@ kernel_dontaudit_search_key(domain) kernel_dontaudit_link_key(domain) +kernel_dontaudit_search_debugfs(domain) + # create child processes in the domain -allow domain self:process { fork sigchld }; +allow domain self:process { fork getsched sigchld }; # Use trusted objects in /dev dev_rw_null(domain) @@ -216,8 +218,10 @@ optional_policy(` rpm_use_fds(domain) rpm_read_pipes(domain) + rpm_append_tmp(domain) rpm_dontaudit_leaks(domain) rpm_read_script_tmp_files(domain) + rpm_inherited_fifo(domain) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.32/policy/modules/kernel/files.fc --- nsaserefpolicy/policy/modules/kernel/files.fc 2010-02-21 20:44:28.920309784 +0100 +++ serefpolicy-3.6.32/policy/modules/kernel/files.fc 2010-02-21 20:53:20.192309481 +0100 @@ -100,7 +100,7 @@ # HOME_ROOT # expanded by genhomedircon # -HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh) +HOME_ROOT gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh) HOME_ROOT/\.journal <> HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) HOME_ROOT/lost\+found/.* <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2010-02-21 20:44:28.921325502 +0100 +++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2010-02-21 20:53:36.436310090 +0100 
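Review bot: `rpm_append_tmp(domain)` and `rpm_inherited_fifo(domain)` are granted to the `domain` attribute, i.e. to every process type in the policy, inside the rpm `optional_policy` block. If `rpm_append_tmp` includes `open` (its definition is not visible here), any domain can open and append to rpm's temporary files by name rather than only on a descriptor leaked from a scriptlet; if leaked-fd handling is the intent, the interface should grant `append` without `open`, or this should be a dontaudit like the adjacent `rpm_dontaudit_leaks(domain)`. The `getsched` added to `allow domain self:process { fork getsched sigchld };` also deserves a one-line why-comment, e.g. `# self getsched is needed by common runtime code`, so the attribute-wide grant is not re-questioned on the next review.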
@@ -1152,6 +1152,102 @@ allow $1 file_type:filesystem unmount; ') +############################################# +## +## Manage all configuration directories on filesystem +## +## +## +## The type of domain performing this action +## +## +## +# +interface(`files_manage_config_dirs',` + gen_require(` + attribute configfile; + ') + + manage_dirs_pattern($1, configfile, configfile) +') + +######################################### +## +## Relabel configuration directories +## +## +## +## Type of domain performing this action +## +## +## +# +interface(`files_relabel_config_dirs',` + gen_require(` + attribute configfile; + ') + + relabel_dirs_pattern($1, configfile, configfile) +') + +######################################## +## +## Read config files in /etc. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_read_config_files',` + gen_require(` + attribute configfile; + ') + + allow $1 configfile:dir list_dir_perms; + read_files_pattern($1, configfile, configfile) + read_lnk_files_pattern($1, configfile, configfile) +') + +########################################### +## +## Manage all configuration files on filesystem +## +## +## +## The type of domain performing this action +## +## +## +# +interface(`files_manage_config_files',` + gen_require(` + attribute configfile; + ') + + manage_files_pattern($1, configfile, configfile) +') + +####################################### +## +## Relabel configuration files +## +## +## +## Type of domain performing this action +## +## +## +# +interface(`files_relabel_config_files',` + gen_require(` + attribute configfile; + ') + + relabel_files_pattern($1, configfile, configfile) +') + ######################################## ## ## Mount a filesystem on all mount points. 
@@ -1478,6 +1574,24 @@ ######################################## ## +## List the /boot directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_list_boot',` + gen_require(` + type boot_t; + ') + + allow $1 boot_t:dir list_dir_perms; +') + +######################################## +## ## Create directories in /boot ## ## @@ -1772,7 +1886,8 @@ ######################################## ## -## Manage a filesystem on a directory with the default file type. +## Create, read, write, and delete directories with +## the default file type. ## ## ## @@ -1780,13 +1895,12 @@ ## ## # -interface(`files_manage_default',` +interface(`files_manage_default_dirs',` gen_require(` type default_t; ') manage_dirs_pattern($1, default_t, default_t) - manage_files_pattern($1, default_t, default_t) ') ######################################## @@ -1865,6 +1979,25 @@ ######################################## ## +## Create, read, write, and delete files with +## the default file type. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_default_files',` + gen_require(` + type default_t; + ') + + manage_files_pattern($1, default_t, default_t) +') + +######################################## +## ## Read symbolic links with the default file type. ## ## @@ -1991,7 +2124,7 @@ ######################################## ## -## Read generic files in /etc. +## Do not audit attempts to write to /etc dirs. ## ## ## 
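Review bot: `files_manage_default` is removed and replaced by `files_manage_default_dirs`, which keeps only the `manage_dirs_pattern` call, with the file rules split into the new `files_manage_default_files`; any module still calling `files_manage_default` (none is visible in this chunk) will fail to build, and a caller migrated only to `_dirs` silently loses its file rights. Unless every caller is updated in the same patch, keep a deprecated `files_manage_default` that calls `files_manage_default_dirs($1)` and `files_manage_default_files($1)` with the usual `refpolicywarn` deprecation notice.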
@@ -1999,21 +2132,36 @@ ## ## # -interface(`files_read_etc_files',` +interface(`files_dontaudit_write_etc_dirs',` gen_require(` type etc_t; ') - allow $1 etc_t:dir list_dir_perms; - read_files_pattern($1, etc_t, etc_t) - read_lnk_files_pattern($1, etc_t, etc_t) - files_read_etc_runtime_files($1) - files_read_config_files($1) + dontaudit $1 etc_t:dir write; +') + +########################################## +## +## Manage generic directories in /etc +## +## +## +## Domain allowed access +## +## +## +# +interface(`files_manage_etc_dirs',` + gen_require(` + type etc_t; + ') + + manage_dirs_pattern($1, etc_t, etc_t) ') ######################################## ## -## Read config files in /etc. +## Read generic files in /etc. ## ## ## @@ -2021,14 +2169,16 @@ ## ## # -interface(`files_read_config_files',` +interface(`files_read_etc_files',` gen_require(` - attribute configfile; + type etc_t; ') - allow $1 configfile:dir list_dir_perms; - read_files_pattern($1, configfile, configfile) - read_lnk_files_pattern($1, configfile, configfile) + allow $1 etc_t:dir list_dir_perms; + read_files_pattern($1, etc_t, etc_t) + read_lnk_files_pattern($1, etc_t, etc_t) + files_read_etc_runtime_files($1) + files_read_config_files($1) ') ######################################## @@ -2276,8 +2426,8 @@ ') allow $1 etc_t:dir list_dir_perms; - read_files_pattern($1, etc_runtime_t, etc_runtime_t) - read_lnk_files_pattern($1, etc_runtime_t, etc_runtime_t) + read_files_pattern($1, etc_t, etc_runtime_t) + read_lnk_files_pattern($1, etc_t, etc_runtime_t) ') ######################################## @@ -2654,6 +2804,7 @@ ') allow $1 home_root_t:dir getattr; + allow $1 home_root_t:lnk_file getattr; ') ######################################## @@ -2674,6 +2825,7 @@ ') dontaudit $1 home_root_t:dir getattr; + dontaudit $1 home_root_t:lnk_file getattr; ') ######################################## 
@@ -2692,6 +2844,7 @@ ') allow $1 home_root_t:dir search_dir_perms; + allow $1 home_root_t:lnk_file read_lnk_file_perms; ') ######################################## @@ -2711,6 +2864,7 @@ ') dontaudit $1 home_root_t:dir search_dir_perms; + dontaudit $1 home_root_t:lnk_file read_lnk_file_perms; ') ######################################## @@ -2730,6 +2884,7 @@ ') dontaudit $1 home_root_t:dir list_dir_perms; + dontaudit $1 home_root_t:lnk_file read_lnk_file_perms; ') ######################################## @@ -2748,6 +2903,7 @@ ') allow $1 home_root_t:dir list_dir_perms; + allow $1 home_root_t:lnk_file read_lnk_file_perms; ') ######################################## @@ -3598,26 +3754,25 @@ ######################################## ## -## Do not audit attempts to get the attributes -## of all tmp files. +## List all tmp directories. ## ## ## -## Domain not to audit. +## Domain allowed access. ## ## # -interface(`files_dontaudit_getattr_all_tmp_files',` +interface(`files_list_all_tmp',` gen_require(` attribute tmpfile; ') - dontaudit $1 tmpfile:file getattr; + allow $1 tmpfile:dir list_dir_perms; ') ######################################## ## -## Allow attempts to get the attributes +## Do not audit attempts to get the attributes ## of all tmp files. ## ## @@ -3626,18 +3781,18 @@ ## ## # -interface(`files_getattr_all_tmp_files',` +interface(`files_dontaudit_getattr_all_tmp_files',` gen_require(` attribute tmpfile; ') - allow $1 tmpfile:file getattr; + dontaudit $1 tmpfile:file getattr; ') ######################################## ## -## Do not audit attempts to get the attributes -## of all tmp sock_file. +## Allow attempts to get the attributes +## of all tmp files. ## ## ## 
@@ -3645,30 +3800,31 @@ ## ## # -interface(`files_dontaudit_getattr_all_tmp_sockets',` +interface(`files_getattr_all_tmp_files',` gen_require(` attribute tmpfile; ') - dontaudit $1 tmpfile:sock_file getattr; + allow $1 tmpfile:file getattr; ') ######################################## ## -## List all tmp directories. +## Do not audit attempts to get the attributes +## of all tmp sock_file. ## ## ## -## Domain allowed access. +## Domain not to audit. ## ## # -interface(`files_list_all_tmp',` +interface(`files_dontaudit_getattr_all_tmp_sockets',` gen_require(` attribute tmpfile; ') - allow $1 tmppfile:dir list_dir_perms; + dontaudit $1 tmpfile:sock_file getattr; ') ######################################## @@ -4438,7 +4594,7 @@ ######################################## ## -## Set the attributes of the /var/run directory. +## Search the /var/lib directory. ## ## ## @@ -4446,17 +4602,17 @@ ## ## # -interface(`files_setattr_pid_dirs',` +interface(`files_search_var_lib',` gen_require(` - type var_run_t; + type var_t, var_lib_t; ') - allow $1 var_run_t:dir setattr; + search_dirs_pattern($1, var_t, var_lib_t) ') ######################################## ## -## Search the /var/lib directory. +## List the contents of the /var/lib directory. ## ## ## @@ -4464,17 +4620,17 @@ ## ## # -interface(`files_search_var_lib',` +interface(`files_list_var_lib',` gen_require(` type var_t, var_lib_t; ') - search_dirs_pattern($1, var_t, var_lib_t) + list_dirs_pattern($1, var_t, var_lib_t) ') -######################################## +########################################### ## -## List the contents of the /var/lib directory. +## Read-write /var/lib directories ## ## ## @@ -4482,12 +4638,12 @@ ## ## # -interface(`files_list_var_lib',` +interface(`files_rw_var_lib_dirs',` gen_require(` - type var_t, var_lib_t; + type var_lib_t; ') - list_dirs_pattern($1, var_t, var_lib_t) + rw_dirs_pattern($1, var_lib_t, var_lib_t) ') ######################################## 
@@ -4846,6 +5002,25 @@ search_dirs_pattern($1, var_t, var_run_t) ') +####################################### +## +## Create generic pid directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_create_var_run_dirs',` + gen_require(` + type var_t, var_run_t; + ') + + allow $1 var_t:dir search_dir_perms; + allow $1 var_run_t:dir create_dir_perms; +') + ######################################## ## ## Do not audit attempts to search @@ -4970,9 +5145,9 @@ rw_files_pattern($1, var_run_t, var_run_t) ') -####################################### +######################################## ## -## Create generic pid directory. +## Do not audit attempts to getattr daemon runtime data files. ## ## ## @@ -4980,13 +5155,12 @@ ## ## # -interface(`files_create_var_run_dirs',` +interface(`files_dontaudit_getattr_all_pids',` gen_require(` - type var_t, var_run_t; + attribute pidfile; ') - allow $1 var_t:dir search_dir_perms; - allow $1 var_run_t:dir create_dir_perms; + dontaudit $1 pidfile:file getattr; ') ######################################## @@ -5009,24 +5183,6 @@ ######################################## ## -## Do not audit attempts to getattr daemon runtime data files. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_dontaudit_getattr_all_pids',` - gen_require(` - attribute pidfile; - ') - - dontaudit $1 pidfile:file getattr; -') - -######################################## -## ## Do not audit attempts to ioctl daemon runtime data files. ## ## @@ -5131,6 +5287,24 @@ ######################################## ## +## Set the attributes of the /var/run directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_setattr_pid_dirs',` + gen_require(` + type var_run_t; + ') + + allow $1 var_run_t:dir setattr; +') + +######################################## +## ## Search the contents of generic spool ## directories (/var/spool). ## 
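Review bot: `files_dontaudit_getattr_all_pids` documents its parameter as `Domain allowed access.` although the body only emits `dontaudit $1 pidfile:file getattr;`; the convention for dontaudit interfaces, followed by `term_dontaudit_use_all_ptys` in the terminal.if hunk of this same patch, is `## Domain to not audit.`. The same wording appears on `files_dontaudit_leaks` (@@ -5537, next line), `fs_dontaudit_list_inotifyfs` and `fs_dontaudit_leaks` (filesystem.if), `kernel_dontaudit_search_debugfs` (kernel.if), and `term_dontaudit_read_console`, `term_dontaudit_getattr_all_ptys` and `term_dontaudit_use_all_ttys` (terminal.if). For `fs_dontaudit_list_inotifyfs` the summary `Dontaudit List inotifyfs filesystem.` should also follow the `Do not audit attempts to ...` phrasing used by its neighbours.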
@@ -5537,3 +5711,23 @@ dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms; ') + +######################################## +## +## Do not audit attempts to read or write +## all leaked files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_dontaudit_leaks',` + gen_require(` + attribute file_type; + ') + + dontaudit $1 file_type:file rw_inherited_file_perms; + dontaudit $1 file_type:lnk_file { read }; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.32/policy/modules/kernel/files.te --- nsaserefpolicy/policy/modules/kernel/files.te 2010-02-21 20:44:28.935574123 +0100 +++ serefpolicy-3.6.32/policy/modules/kernel/files.te 2010-02-21 20:53:45.874571808 +0100 @@ -1,5 +1,5 @@ -policy_module(files, 1.12.0) +policy_module(files, 1.12.2) ######################################## # @@ -11,6 +11,7 @@ attribute lockfile; attribute mountpoint; attribute pidfile; +attribute configfile; # For labeling types that are to be polyinstantiated attribute polydir; @@ -53,9 +54,6 @@ # # etc_t is the type of the system etc directories. # -attribute etcfile; -attribute configfile; - type etc_t, configfile; files_type(etc_t) # compatibility aliases for removed types: diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.32/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-01-18 18:24:22.697530142 +0100 +++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2010-02-22 12:09:52.108626415 +0100 
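Review bot: `files_dontaudit_leaks` silences read/write denials on inherited descriptors for every `file_type`, which, judging by the `non_security_file_type` attribute used in the context line directly above it (`dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;`), also covers the security file types. A descriptor leaked into a security-sensitive file is exactly the event an auditor wants to keep seeing, so either require `attribute non_security_file_type;` and use it in both dontaudit lines, or add a comment above the interface explaining why the wider attribute is intended. The companion `fs_dontaudit_leaks` in filesystem.if is fine in that respect, as no narrower filesystem attribute is available there.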
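Review bot: `attribute etcfile;` is dropped from files.te (@@ -53) with no replacement, while `attribute configfile;` is merely moved up into the attribute block at @@ -11. If any module still carries `attribute etcfile;` in a gen_require it will fail to link against this version, and the removal is not recorded in the `# compatibility aliases for removed types:` section that follows. Either confirm nothing references `etcfile` any more and say so in the commit description, or keep the declaration next to the compatibility aliases.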
@@ -988,6 +988,25 @@ exec_files_pattern($1, cifs_t, cifs_t) ') +###################################### +## +## Make general progams in cifs an entrypoint for +## the specified domain. +## +## +## +## The domain for which cifs_t is an entrypoint. +## +## +# +interface(`fs_cifs_entry_type',` + gen_require(` + type cifs_t; + ') + + allow $1 cifs_t:file entrypoint; +') + ######################################## ## ## Create, read, write, and delete directories @@ -1632,6 +1651,36 @@ ######################################## ## +## Create an object in a hugetlbfs filesystem, with a private +## type using a type transition. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created. +## +## +## +## +## The object class of the object being created. +## +## +# +interface(`fs_hugetlbfs_filetrans',` + gen_require(` + type hugetlbfs_t; + ') + + allow $2 hugetlbfs_t:filesystem associate; + filetrans_pattern($1, hugetlbfs_t, $2, $3) +') + +######################################## +## ## Search inotifyfs filesystem. ## ## @@ -1668,6 +1717,24 @@ ######################################## ## +## Dontaudit List inotifyfs filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_dontaudit_list_inotifyfs',` + gen_require(` + type inotifyfs_t; + ') + + dontaudit $1 inotifyfs_t:dir list_dir_perms; +') + +######################################## +## ## Mount an iso9660 filesystem, which ## is usually used on CDs. ## @@ -2010,6 +2077,25 @@ exec_files_pattern($1, nfs_t, nfs_t) ') +###################################### +## +## Make general progams in nfs an entrypoint for +## the specified domain. +## +## +## +## The domain for which nfs_t is an entrypoint. +## +## +# +interface(`fs_nfs_entry_type',` + gen_require(` + type nfs_t; + ') + + allow $1 nfs_t:file entrypoint; +') + ######################################## ## ## Append files 
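Review bot: `fs_cifs_entry_type` and `fs_nfs_entry_type` both misspell `progams` in their summary, and neither summary conveys what `allow $1 cifs_t:file entrypoint;` / `allow $1 nfs_t:file entrypoint;` grants: these types are assigned by genfscon to whole filesystems (see the genfscon lines in the filesystem.te hunks below), so every executable on such a share becomes a valid entrypoint for the domain. Suggested summary for the cifs one: `## Make general programs in cifs an entrypoint for the specified domain. cifs_t labels every file on the share, so any executable there can enter the domain.`, and the same for nfs. The `fs_hugetlbfs_filetrans` hunk on this line follows the usual filetrans pattern and needs no change.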
@@ -3496,6 +3582,24 @@ ######################################## ## +## Read generic tmpfs files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_read_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + + read_files_pattern($1, tmpfs_t, tmpfs_t) +') + +######################################## +## ## Read and write generic tmpfs files. ## ## @@ -3722,7 +3826,7 @@ ######################################## ## -## Mount a XENFS filesystem. +## Search the XENFS filesystem. ## ## ## @@ -3730,17 +3834,17 @@ ## ## # -interface(`fs_mount_xenfs',` +interface(`fs_search_xenfs',` gen_require(` type xenfs_t; ') - allow $1 xenfs_t:filesystem mount; + allow $1 xenfs_t:dir search_dir_perms; ') ######################################## ## -## Search the XENFS filesystem. +## Mount a XENFS filesystem. ## ## ## @@ -3748,12 +3852,12 @@ ## ## # -interface(`fs_search_xenfs',` +interface(`fs_mount_xenfs',` gen_require(` type xenfs_t; ') - allow $1 xenfs_t:dir search_dir_perms; + allow $1 xenfs_t:filesystem mount; ') ######################################## @@ -4297,6 +4401,26 @@ ######################################## ## +## Read files on cgroup +## file systems. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_read_cgroup_files',` + gen_require(` + type cgroup_t; + + ') + + read_files_pattern($1, cgroup_t, cgroup_t) +') + +######################################## +## ## Read and write files on cgroup ## file systems. ## 
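Review bot: `fs_read_cgroup_files` has a stray blank line inside its gen_require block (`type cgroup_t;` followed by an empty line before `')`), which no other interface in this file does; drop it. The xenfs hunks on this line only swap the order of `fs_search_xenfs` and `fs_mount_xenfs`, and `fs_read_tmpfs_files` mirrors the following `Read and write generic tmpfs files.` interface, so nothing else to raise here.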
@@ -4409,3 +4533,23 @@ write_files_pattern($1, cgroup_t, cgroup_t) ') + +######################################## +## +## Do not audit attempts to read or write +## all leaked filesystems files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_dontaudit_leaks',` + gen_require(` + attribute filesystem_type; + ') + + dontaudit $1 filesystem_type:file rw_inherited_file_perms; + dontaudit $1 filesystem_type:lnk_file { read }; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.6.32/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2010-01-18 18:24:22.705531020 +0100 +++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.te 2010-02-11 20:29:53.802696084 +0100 @@ -1,5 +1,5 @@ -policy_module(filesystem, 1.12.0) +policy_module(filesystem, 1.12.1) ######################################## # @@ -178,6 +178,11 @@ allow tmpfs_t noxattrfs:filesystem associate; +type xenfs_t; +fs_noxattr_type(xenfs_t) +files_mountpoint(xenfs_t) +genfscon xenfs / gen_context(system_u:object_r:xenfs_t,s0) + ############################## # # Filesystems without extended attribute support @@ -260,11 +265,6 @@ genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) -type xenfs_t; -fs_noxattr_type(xenfs_t) -files_mountpoint(xenfs_t) -genfscon xenfs / gen_context(system_u:object_r:xenfs_t,s0) - ######################################## # # Rules for all filesystem types diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.32/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2010-01-18 18:24:22.708530703 +0100 +++ serefpolicy-3.6.32/policy/modules/kernel/kernel.if 2010-03-03 10:57:00.705612069 +0100 
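Review bot: `type xenfs_t;` together with `fs_noxattr_type(xenfs_t)`, `files_mountpoint(xenfs_t)` and its genfscon line is moved above the `Filesystems without extended attribute support` section header in filesystem.te, even though the declaration still uses `fs_noxattr_type`, so it now sits apart from the other noxattr filesystems it belongs with. If the early declaration is required for build ordering (I cannot tell from the hunk), a one-line comment such as `# xenfs_t is declared before the noxattr section because <reason>` would stop the next maintainer from moving it back. Without the comment the move looks accidental.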
@@ -610,6 +610,24 @@ search_dirs_pattern($1, debugfs_t, debugfs_t) ') +####################################### +## +## dontaudit search the contents of a kernel debugging filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_dontaudit_search_debugfs',` + gen_require(` + type debugfs_t; + ') + + dontaudit $1 debugfs_t:dir search_dir_perms; +') + ######################################## ## ## Read information from the debugging filesystem. @@ -2732,3 +2750,21 @@ allow $1 kernel_t:unix_stream_socket connectto; ') + +####################################### +## +## Send a kill signal to kernel processes. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_sigkill',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:process sigkill; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.32/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-01-18 18:24:22.716539752 +0100 +++ serefpolicy-3.6.32/policy/modules/kernel/terminal.if 2010-02-26 09:33:59.084547345 +0100 @@ -241,6 +241,25 @@ ######################################## ## +## Do not audit attempts to read from the console. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`term_dontaudit_read_console',` + gen_require(` + type console_device_t; + ') + + dontaudit $1 console_device_t:chr_file read_chr_file_perms; +') + +######################################## +## ## Read from and write to the console. ## ## @@ -273,11 +292,11 @@ interface(`term_dontaudit_use_console',` gen_require(` type console_device_t; - type tty_device_t; ') + dontaudit $1 console_device_t:chr_file rw_inherited_chr_file_perms; + term_dontaudit_use_unallocated_ttys($1) + term_dontaudit_use_generic_ptys($1) - dontaudit $1 console_device_t:chr_file rw_chr_file_perms; - dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; ') ######################################## 
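Review bot: `term_dontaudit_use_console` now also calls `term_dontaudit_use_unallocated_ttys($1)` and `term_dontaudit_use_generic_ptys($1)`, and narrows the console rule to `rw_inherited_chr_file_perms`, but the interface's summary lies above the @@ -273 hunk and there is no sign it was updated to say that unallocated ttys and generic ptys are now covered too. Callers reading only the documentation will not expect the broader dontaudit. A summary along the lines of `Do not audit attempts to use the console (inherited descriptors), unallocated ttys, or generic ptys.` would match the new body; the enclosing interface starts outside the hunk.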
@@ -654,6 +673,126 @@ ######################################## ## +## Relabel to all ptys. +## +## +## +## Domain allowed access. +## +## +# +interface(`term_relabelto_all_ptys',` + gen_require(` + attribute ptynode; + ') + + allow $1 ptynode:chr_file relabelto; +') + +######################################## +## +## Write to all ptys. +## +## +## +## Domain allowed access. +## +## +# +interface(`term_write_all_ptys',` + gen_require(` + attribute ptynode; + ') + + dev_list_all_dev_nodes($1) + allow $1 ptynode:chr_file write_chr_file_perms; +') + +######################################## +## +## Read and write all ptys. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`term_use_all_ptys',` + gen_require(` + attribute ptynode; + type devpts_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 devpts_t:dir list_dir_perms; + allow $1 ptynode:chr_file { rw_term_perms lock append }; +') + +######################################## +## +## Do not audit attempts to read or write any ptys. +## +## +## +## Domain to not audit. +## +## +# +interface(`term_dontaudit_use_all_ptys',` + gen_require(` + attribute ptynode; + ') + + dontaudit $1 ptynode:chr_file { rw_term_perms lock append }; +') + +######################################## +## +## Relabel from and to all pty device nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`term_relabel_all_ptys',` + gen_require(` + attribute ptynode; + type devpts_t; + ') + + dev_list_all_dev_nodes($1) + relabel_chr_files_pattern($1, devpts_t, ptynode) +') + +######################################## +## +## Get the attributes of all user +## pty device nodes. +## +## +## +## Domain allowed access. 
+## +## +## +# +interface(`term_getattr_all_user_ptys',` + gen_require(` + attribute ptynode; + type devpts_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 devpts_t:dir list_dir_perms; + allow $1 ptynode:chr_file getattr; +') + +######################################## +## ## Do not audit attempts to read and ## write the pty multiplexor (/dev/ptmx). ## @@ -673,7 +812,7 @@ ######################################## ## -## Get the attributes of all user +## Get the attributes of all ## pty device nodes. ## ## @@ -683,7 +822,7 @@ ## ## # -interface(`term_getattr_all_user_ptys',` +interface(`term_getattr_all_ptys',` gen_require(` attribute ptynode; type devpts_t; @@ -697,6 +836,26 @@ ######################################## ## ## Do not audit attempts to get the +## attributes of any pty +## device nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`term_dontaudit_getattr_all_ptys',` + gen_require(` + attribute ptynode; + ') + + dontaudit $1 ptynode:chr_file getattr; +') + +######################################## +## +## Do not audit attempts to get the ## attributes of any user pty ## device nodes. ## @@ -1098,6 +1257,25 @@ allow $1 ttynode:chr_file getattr; ') +####################################### +## +## Relabel from and to all tty device nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`term_relabel_all_ttys',` + gen_require(` + attribute ttynode; + ') + + dev_list_all_dev_nodes($1) + allow $1 ttynode:chr_file { relabelfrom relabelto }; +') + ######################################## ## ## Do not audit attempts to get the 
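Review bot: After this patch terminal.if carries both a re-added `term_getattr_all_user_ptys` (in the @@ -654 hunk that begins on the previous line) and the renamed `term_getattr_all_ptys` (@@ -683); the new copy's body is `dev_list_all_dev_nodes($1)`, `allow $1 devpts_t:dir list_dir_perms;` and `allow $1 ptynode:chr_file getattr;`, and the renamed interface requires the same `ptynode` and `devpts_t` symbols, so the two appear identical apart from the name (the renamed body itself is outside the hunk). If the user variant is meant to be narrower it should not use the all-ptys `ptynode` attribute; if it is kept only for compatibility, make its body `term_getattr_all_ptys($1)` with a comment marking it as an alias rather than a second full copy.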
@@ -1142,6 +1320,26 @@ ######################################## ## +## Set the attributes of all tty device nodes. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`term_setattr_all_ttys',` + gen_require(` + attribute ttynode; + ') + + dev_list_all_dev_nodes($1) + allow $1 ttynode:chr_file setattr; +') + +######################################## +## ## Relabel from and to all user ## user tty device nodes. ## @@ -1201,6 +1399,45 @@ ######################################## ## +## Read and write all ttys. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`term_use_all_ttys',` + gen_require(` + attribute ttynode; + ') + + dev_list_all_dev_nodes($1) + allow $1 ttynode:chr_file rw_chr_file_perms; +') + +######################################## +## +## Do not audit attempts to read or write +## any ttys. +## +## +## +## Domain allowed access. +## +## +# +interface(`term_dontaudit_use_all_ttys',` + gen_require(` + attribute ttynode; + ') + + dontaudit $1 ttynode:chr_file rw_chr_file_perms; +') + +######################################## +## ## Do not audit attempts to read or write ## any user ttys. ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.6.32/policy/modules/roles/auditadm.te --- nsaserefpolicy/policy/modules/roles/auditadm.te 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/roles/auditadm.te 2010-02-26 17:30:38.456615603 +0100 
@@ -33,6 +33,8 @@ seutil_run_runinit(auditadm_t, auditadm_r) seutil_read_bin_policy(auditadm_t) +userdom_dontaudit_search_admin_dir(auditadm_t) + optional_policy(` consoletype_exec(auditadm_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm.te serefpolicy-3.6.32/policy/modules/roles/secadm.te --- nsaserefpolicy/policy/modules/roles/secadm.te 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/roles/secadm.te 2010-02-26 17:31:00.881606103 +0100 @@ -40,6 +40,8 @@ logging_read_generic_logs(secadm_t) logging_read_audit_config(secadm_t) +userdom_dontaudit_search_admin_dir(secadm_t) + optional_policy(` aide_run(secadm_t, secadm_r) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.32/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2010-01-18 18:24:22.718544267 +0100 +++ serefpolicy-3.6.32/policy/modules/roles/staff.te 2010-03-01 16:05:50.238492151 +0100 @@ -26,6 +26,8 @@ auth_domtrans_pam_console(staff_t) seutil_run_newrole(staff_t, staff_r) +seutil_read_module_store(staff_t) + netutils_run_ping(staff_t, staff_r) optional_policy(` 
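Review bot: `seutil_read_module_store(staff_t)` in staff.te gives the staff login shell read access to what its name indicates is the SELinux policy module store, with no comment on why an ordinary staff session needs to inspect installed policy modules. The neighbouring `auth_domtrans_pam_console` and `seutil_run_newrole` rules are self-explanatory; this one would benefit from a `# staff reads the module store for <reason>` line so the grant is not widened or copied blindly later. The auditadm/secadm `userdom_dontaudit_search_admin_dir` hunks on this line need no change.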
@@ -76,20 +78,20 @@ webadm_role_change(staff_r) ') -domain_read_all_domains_state(staff_t) -domain_getattr_all_domains(staff_t) +domain_read_all_domains_state(staff_usertype) +domain_getattr_all_domains(staff_usertype) domain_obj_id_change_exemption(staff_t) -files_read_kernel_modules(staff_t) +files_read_kernel_modules(staff_usertype) -kernel_read_fs_sysctls(staff_t) +kernel_read_fs_sysctls(staff_usertype) -modutils_read_module_config(staff_t) -modutils_read_module_deps(staff_t) +modutils_read_module_config(staff_usertype) +modutils_read_module_deps(staff_usertype) -miscfiles_read_hwdata(staff_t) +miscfiles_read_hwdata(staff_usertype) -term_use_unallocated_ttys(staff_t) +term_use_unallocated_ttys(staff_usertype) optional_policy(` gnomeclock_dbus_chat(staff_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.32/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-01-18 18:24:22.719529727 +0100 +++ serefpolicy-3.6.32/policy/modules/roles/sysadm.te 2010-02-26 16:50:28.348855779 +0100 @@ -29,6 +29,7 @@ corecmd_exec_shell(sysadm_t) mls_process_read_up(sysadm_t) +mls_file_read_to_clearance(sysadm_t) ubac_process_exempt(sysadm_t) ubac_file_exempt(sysadm_t) @@ -129,6 +130,10 @@ ') optional_policy(` + daemonstools_run_start(sysadm_t, sysadm_r) +') + +optional_policy(` dcc_run_cdcc(sysadm_t, sysadm_r) dcc_run_client(sysadm_t, sysadm_r) dcc_run_dbclean(sysadm_t, sysadm_r) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc --- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 2010-01-18 18:24:22.720530134 +0100 +++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc 2010-02-02 10:47:12.668175161 +0100 
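Review bot: Eight rules in staff.te move from `staff_t` to `staff_usertype` (`domain_read_all_domains_state`, `domain_getattr_all_domains`, `files_read_kernel_modules`, `kernel_read_fs_sysctls`, both `modutils_read_*`, `miscfiles_read_hwdata`, `term_use_unallocated_ttys`), which presumably extends them from the login shell to every domain carrying the `staff_usertype` attribute, while `domain_obj_id_change_exemption(staff_t)` deliberately stays on the shell. Letting every staff-derived application domain read all domains' process state is a noticeable widening, and nothing in the hunk records which application needed it. A comment above the block naming the motivating case, or keeping the two `domain_*` rules on `staff_t` if only the remaining read rules are needed by the derived domains, would make the intent reviewable.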
@@ -2,7 +2,10 @@ # e.g.: # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t -/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) +/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) +/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0) +/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) + /usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) /usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 2010-01-18 18:24:22.722530039 +0100 +++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2010-03-03 10:39:47.599611967 +0100 @@ -39,6 +39,8 @@ type unconfined_exec_t; init_system_domain(unconfined_t, unconfined_exec_t) role unconfined_r types unconfined_t; +role_transition system_r unconfined_exec_t unconfined_r; +allow system_r unconfined_r; domain_user_exemption_target(unconfined_t) allow system_r unconfined_r; @@ -171,7 +173,7 @@ optional_policy(` xserver_rw_shm(unconfined_usertype) xserver_run_xauth(unconfined_usertype, unconfined_r) - xserver_xdm_dbus_chat(unconfined_usertype) + xserver_dbus_chat_xdm(unconfined_usertype) ') ') 
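Review bot: `/usr/sbin/xrdp` and `/usr/sbin/xrdp-sesman` are added as `unconfined_exec_t`, so init will start a network-facing remote desktop service in `unconfined_t`, yet the only explanation is the pre-existing `# For the time being until someone writes a sane policy` comment written for vncserver. Since that comment now covers three binaries, extend it, e.g. `# vncserver, xrdp and xrdp-sesman run unconfined until a confined policy exists`, so the temporary nature is recorded against each entry. Changing vncserver from `unconfined_notrans_exec_t` to `unconfined_exec_t` also changes whether initrc transitions for it, which is worth a sentence in the commit description.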
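Review bot: The added `allow system_r unconfined_r;` at @@ -39 in unconfineduser.te duplicates the identical `allow system_r unconfined_r;` still present two lines below as context, right after `domain_user_exemption_target(unconfined_t)`. The new `role_transition system_r unconfined_exec_t unconfined_r;` is the line that carries the change; drop the duplicate role allow so it is not declared twice in the same block.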
@@ -344,7 +346,7 @@ ') optional_policy(` - tzdata_run(unconfined_t, unconfined_r) + tzdata_run(unconfined_usertype, unconfined_r) ') optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.32/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 2010-01-18 18:24:22.724546986 +0100 +++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2010-02-16 17:36:22.545598200 +0100 @@ -15,7 +15,7 @@ ## ##

-## Allow xguest to configure Network Manager +## Allow xguest to configure Network Manager and connect to apache ports ##

##
gen_tunable(xguest_connect_network, true) @@ -55,6 +55,10 @@ allow xguest_t self:process execmem; +tunable_policy(`allow_execstack',` + allow xguest_t self:process execstack; +') + # Allow mounting of file systems optional_policy(` tunable_policy(`xguest_mount_media',` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.6.32/policy/modules/services/abrt.if --- nsaserefpolicy/policy/modules/services/abrt.if 2010-01-18 18:24:22.726539977 +0100 +++ serefpolicy-3.6.32/policy/modules/services/abrt.if 2010-02-01 21:01:00.945160840 +0100 @@ -35,6 +35,11 @@ ') domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t) + + ifdef(`hide_broken_symptoms', ` + dontaudit abrt_helper_t $1:socket_class_set { read write }; + fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) + ') ') ###################################### diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2010-01-18 18:24:22.727540243 +0100 +++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-03-02 17:01:58.927615554 +0100 @@ -96,6 +96,7 @@ corenet_tcp_connect_ftp_port(abrt_t) corenet_tcp_connect_all_ports(abrt_t) +dev_getattr_all_chr_files(abrt_t) dev_read_urand(abrt_t) dev_rw_sysfs(abrt_t) dev_dontaudit_read_memory_dev(abrt_t) @@ -106,6 +107,7 @@ files_getattr_all_files(abrt_t) files_read_etc_files(abrt_t) files_read_var_lib_files(abrt_t) +files_read_var_symlinks(abrt_t) files_read_usr_files(abrt_t) files_read_generic_tmp_files(abrt_t) files_read_kernel_modules(abrt_t) @@ -176,6 +178,16 @@ sssd_stream_connect(abrt_t) ') +ifdef(`hide_broken_symptoms', ` + gen_require(` + attribute domain; + ') + + allow abrt_t self:capability sys_resource; + allow abrt_t domain:file write; + allow abrt_t domain:process setrlimit; +') + permissive abrt_t; ######################################## 
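Review bot: Inside the new hide_broken_symptoms block in abrt.te (@@ -176), `allow abrt_t domain:file write;` and `allow abrt_t domain:process setrlimit;` are real grants, not dontaudits: with `attribute domain;` required, they let abrt write to files labelled with any domain type (typically the /proc entries of every process) and adjust every process's resource limits. The same macro in the abrt.if hunk on this line wraps only dontaudit rules, so an allow here contradicts what the name promises and widens abrt beyond what `permissive abrt_t;` already tolerates. If the writes are genuinely needed, scope them to the specific target type and add a comment naming the file abrt writes; otherwise make the two rules `dontaudit`.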
@@ -200,10 +212,16 @@ files_read_etc_files(abrt_helper_t) files_dontaudit_all_non_security_leaks(abrt_helper_t) +fs_getattr_all_fs(abrt_helper_t) fs_list_inotifyfs(abrt_helper_t) +term_dontaudit_use_all_ttys(abrt_helper_t) +term_dontaudit_use_all_ptys(abrt_helper_t) + auth_use_nsswitch(abrt_helper_t) +logging_send_syslog_msg(abrt_helper_t) + miscfiles_read_localization(abrt_helper_t) userdom_dontaudit_use_user_terminals(abrt_helper_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.6.32/policy/modules/services/afs.te --- nsaserefpolicy/policy/modules/services/afs.te 2010-01-18 18:24:22.729540009 +0100 +++ serefpolicy-3.6.32/policy/modules/services/afs.te 2010-01-20 13:19:16.795611181 +0100 @@ -1,5 +1,5 @@ -policy_module(afs, 1.5.0) +policy_module(afs, 1.5.1) ######################################## # @@ -72,7 +72,7 @@ # allow afs_t self:capability { sys_admin sys_nice sys_tty_config }; -allow afs_t self:process setsched; +allow afs_t self:process { fork setsched signal }; allow afs_t self:udp_socket create_socket_perms; allow afs_t self:fifo_file rw_file_perms; allow afs_t self:unix_stream_socket create_stream_socket_perms; @@ -105,6 +105,8 @@ miscfiles_read_localization(afs_t) +sysnet_dns_name_resolve(afs_t) + ######################################## # # AFS bossserver local policy diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.6.32/policy/modules/services/aisexec.fc --- nsaserefpolicy/policy/modules/services/aisexec.fc 2010-01-18 18:24:22.729540009 +0100 +++ serefpolicy-3.6.32/policy/modules/services/aisexec.fc 2010-02-17 15:26:59.638613137 +0100 
@@ -8,5 +8,3 @@ /var/log/cluster/aisexec\.log -- gen_context(system_u:object_r:aisexec_var_log_t,s0) /var/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0) - -/var/run/cman_.* -s gen_context(system_u:object_r:aisexec_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.6.32/policy/modules/services/aisexec.te --- nsaserefpolicy/policy/modules/services/aisexec.te 2010-01-18 18:24:22.731542358 +0100 +++ serefpolicy-3.6.32/policy/modules/services/aisexec.te 2010-02-17 12:12:36.836863654 +0100 @@ -75,8 +75,6 @@ corenet_tcp_bind_reserved_port(aisexec_t) corenet_udp_bind_cluster_port(aisexec_t) -ccs_stream_connect(aisexec_t) - corecmd_exec_bin(aisexec_t) kernel_read_system_state(aisexec_t) @@ -95,6 +93,11 @@ logging_send_syslog_msg(aisexec_t) +optional_policy(` + ccs_stream_connect(aisexec_t) +') + +optional_policy(` # to communication with RHCS dlm_controld_manage_tmpfs_files(aisexec_t) dlm_controld_rw_semaphores(aisexec_t) @@ -109,4 +112,5 @@ groupd_manage_tmpfs_files(aisexec_t) groupd_rw_semaphores(aisexec_t) groupd_rw_shm(aisexec_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.6.32/policy/modules/services/amavis.te --- nsaserefpolicy/policy/modules/services/amavis.te 2010-01-18 18:24:22.732530124 +0100 +++ serefpolicy-3.6.32/policy/modules/services/amavis.te 2010-02-01 21:16:32.215094407 +0100 
@@ -138,6 +138,7 @@ auth_dontaudit_read_shadow(amavis_t) +init_read_utmp(amavis_t) init_stream_connect_script(amavis_t) logging_send_syslog_msg(amavis_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.32/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2010-01-18 18:24:22.733530530 +0100 +++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2010-03-01 16:56:36.009747781 +0100 @@ -8,10 +8,12 @@ /etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0) /etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0) /etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0) +/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) /etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) /etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) +/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) /srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -47,6 +49,7 @@ /usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/share/smokeping/cgi(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) 
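Review bot: `/etc/mock/koji(/.*)?` is inserted between `/etc/httpd/modules` and `/etc/lighttpd`, and `/usr/share/smokeping/cgi(/.*)?` between `/usr/share/openca/htdocs` and `/usr/share/selinux-policy`, breaking the alphabetical order the rest of apache.fc keeps; move them after the lighttpd and selinux-policy entries respectively. Separately, `/etc/mock/koji` and `/etc/zabbix/web` are labelled `httpd_sys_content_rw_t`, which from the type name makes configuration under /etc writable by the web server's content scripts; a trailing comment such as `# <why the web server needs write access here>` on each would record that a writable label under /etc is intended.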
@@ -66,11 +69,14 @@ /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) +#/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) + +/var/lib/koji(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) + /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0) @@ -108,6 +114,7 @@ /usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0) /usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0) /var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_content_rw_t,s0) +/var/lib/smokeping(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2010-01-18 18:24:22.736530563 +0100 +++ serefpolicy-3.6.32/policy/modules/services/apache.if 2010-03-01 15:49:14.043490674 +0100 
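Review bot: The cobbler entry is commented out (`#/var/lib/cobbler/webui_sessions(/.*)? ...`) rather than removed, and nothing says where that labelling went. Commented-out fc lines accumulate and confuse later labelling audits; either delete it or replace it with `# webui_sessions is now labelled in <module>.fc` naming the module that took it over. The koji and smokeping additions on this line are fine.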
@@ -16,6 +16,7 @@ attribute httpd_exec_scripts; attribute httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; + type httpd_sys_content_t; ') #This type is for webpages type httpd_$1_content_t; @@ -55,6 +56,7 @@ allow httpd_t { httpd_$1_content_t httpd_$1_content_rw_t httpd_$1_script_exec_t }:dir search_dir_perms; allow httpd_$1_script_t self:fifo_file rw_file_perms; + allow httpd_$1_script_t self:unix_dgram_socket create_socket_perms; allow httpd_$1_script_t self:unix_stream_socket connectto; allow httpd_$1_script_t httpd_t:fifo_file write; @@ -123,6 +125,8 @@ allow httpd_t httpd_$1_content_t:dir list_dir_perms; read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) + + allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms; ') tunable_policy(`httpd_enable_cgi',` @@ -833,6 +837,27 @@ domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) ') +####################################### +## +## Allow the specified domain to list +## apache system content files. +## +## +## +## Domain allowed access. +## +## +# +interface(`apache_list_sys_content',` + gen_require(` + type httpd_sys_content_t; + ') + + list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) + read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) + files_search_var($1) +') + ######################################## ## ## Allow the specified domain to manage 
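Review bot: `allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;` is added inside the content template (its name is above the hunk), so every per-content script domain generated from it, not only the sys one, gains search on system content directories, and `type httpd_sys_content_t;` had to be pulled into the template's gen_require for it. If only `httpd_sys_script_t` needs this, the rule belongs in apache.te beside the other sys-script rules; if all content domains need it, a comment in the template should say why they must traverse `httpd_sys_content_t`. The enclosing block of that line begins above the hunk, so I cannot tell whether it already sits under a tunable.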
@@ -1167,6 +1192,29 @@ allow $1 httpd_bugzilla_content_t:dir search_dir_perms; ') +####################################### +## +## dontaudit read and write an leaked file descriptors +## +## +## +## The type of the process performing this action. +## +## +# +interface(`apache_dontaudit_leaks',` + gen_require(` + type httpd_t; + ') + + dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms; + dontaudit $1 httpd_t:tcp_socket { read write }; + dontaudit $1 httpd_t:unix_dgram_socket { read write }; + dontaudit $1 httpd_t:unix_stream_socket { read write }; +') + + + ######################################## ## ## Do not audit attempts to read and write Apache diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2010-01-18 18:24:22.739530246 +0100 +++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-03-01 09:52:48.889491880 +0100 @@ -67,6 +67,13 @@ ## ##
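Review bot: apache_dontaudit_leaks silences read and write on httpd_t tcp_socket objects as well as on fifos and unix sockets. A leaked Apache TCP socket in another domain is precisely the case an administrator wants to see in the audit log, because a child that inherited the listening or an accepted client socket can read or answer HTTP traffic; keep the fifo and unix_stream/dgram rules, but leave `tcp_socket` out or document which caller leaks it and why that is acceptable. The summary also reads "an leaked file descriptors"; `## dontaudit read and write of a leaked file descriptor` is the intended wording.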

+## Allow HTTPD scripts and modules to connect to cobbler over the network. +##

+##
+gen_tunable(httpd_can_network_connect_cobbler, false) + +## +##

## Allow HTTPD scripts and modules to connect to databases over the network. ##

##
@@ -309,7 +316,7 @@ manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) -files_var_filetrans(httpd_t, httpd_cache_t, dir) +files_var_filetrans(httpd_t, httpd_cache_t, { file dir }) # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; @@ -363,10 +370,10 @@ manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file) -setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) +manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file }) +files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir }) manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -400,6 +407,7 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) +fs_list_inotifyfs(httpd_t) fs_search_auto_mountpoints(httpd_t) fs_read_iso9660_files(httpd_t) @@ -483,8 +491,14 @@ corenet_tcp_connect_pop_port(httpd_t) corenet_sendrecv_pop_client_packets(httpd_t) mta_send_mail(httpd_t) - mta_send_mail(httpd_sys_script_t) mta_signal(httpd_t) + + corenet_tcp_connect_smtp_port(httpd_sys_script_t) + corenet_sendrecv_smtp_client_packets(httpd_sys_script_t) + corenet_tcp_connect_pop_port(httpd_sys_script_t) + corenet_sendrecv_pop_client_packets(httpd_sys_script_t) + mta_send_mail(httpd_sys_script_t) + mta_signal(httpd_sys_script_t) ') tunable_policy(`httpd_can_network_relay',` @@ -588,6 +602,9 @@ optional_policy(` cobbler_search_lib(httpd_t) + tunable_policy(`httpd_can_network_connect_cobbler',` + corenet_tcp_connect_cobbler_port(httpd_t) + ') ') optional_policy(` 
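Review bot: The hunk that replaces `mta_send_mail(httpd_sys_script_t)` adds direct SMTP and POP port connects plus mta_signal for httpd_sys_script_t; the enclosing tunable_policy block starts outside the hunk, but its existing contents (mta_send_mail, mta_signal on httpd_t) suggest it is the send-mail boolean. An administrator who enables that boolean so CGI can hand mail to the local MTA now also lets every system CGI script open arbitrary remote SMTP and POP connections, which is a different threat model; if that is intended the boolean's description should say so. `mta_signal(httpd_sys_script_t)` also looks copied from the httpd_t line rather than something a script needs, so either justify it in a comment or drop it.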
@@ -612,6 +629,11 @@ avahi_dbus_chat(httpd_t) ') ') + +optional_policy(` + gitosis_read_var_lib(httpd_t) +') + optional_policy(` kerberos_keytab_template(httpd, httpd_t) ') @@ -895,6 +917,9 @@ sysnet_read_config(httpd_sys_script_t) +logging_inherit_append_all_logs(httpd_sys_script_t) +logging_send_syslog_msg(httpd_sys_script_t) + ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') @@ -906,6 +931,7 @@ fs_manage_nfs_files(httpd_sys_script_t) fs_manage_nfs_symlinks(httpd_sys_script_t) fs_exec_nfs_files(httpd_sys_script_t) + fs_nfs_entry_type(httpd_sys_script_t) fs_manage_nfs_dirs(httpd_suexec_t) fs_manage_nfs_files(httpd_suexec_t) @@ -945,6 +970,7 @@ fs_manage_cifs_files(httpd_suexec_t) fs_manage_cifs_symlinks(httpd_suexec_t) fs_exec_cifs_files(httpd_suexec_t) + fs_cifs_entry_type(httpd_sys_script_t) ') tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.6.32/policy/modules/services/apcupsd.te --- nsaserefpolicy/policy/modules/services/apcupsd.te 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/apcupsd.te 2010-01-18 18:27:02.757542944 +0100 @@ -31,7 +31,7 @@ # allow apcupsd_t self:capability { dac_override setgid sys_tty_config }; -allow apcupsd_t self:process signal; +allow apcupsd_t self:process { signal signull }; allow apcupsd_t self:fifo_file rw_file_perms; allow apcupsd_t self:unix_stream_socket create_stream_socket_perms; allow apcupsd_t self:tcp_socket create_stream_socket_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.6.32/policy/modules/services/arpwatch.te --- nsaserefpolicy/policy/modules/services/arpwatch.te 2010-01-18 18:24:22.741530430 +0100 +++ serefpolicy-3.6.32/policy/modules/services/arpwatch.te 2010-02-11 20:25:58.833441037 +0100 
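Review bot: `fs_nfs_entry_type(httpd_sys_script_t)` and `fs_cifs_entry_type(httpd_sys_script_t)` are added inside the NFS and CIFS tunable blocks, both of which open outside their hunks. If those interfaces do what their names suggest and make nfs_t/cifs_t files a domain entrypoint, then any file on a network mount becomes a valid entrypoint into httpd_sys_script_t, which is the boundary that separates installed CGI scripts from arbitrary executables; `fs_exec_nfs_files` on the lines above already covers running them, so the entrypoint is only needed if httpd_t must domain-transition into scripts stored on the mount. A comment next to the two lines stating that, and that the mounts are treated as trusted, would keep the grant from being silently widened later. The unconditional `logging_inherit_append_all_logs(httpd_sys_script_t)` in the earlier hunk likewise deserves a one-line reason, since it lets a CGI script append to every log type via an inherited descriptor.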
@@ -64,6 +64,8 @@ corenet_udp_sendrecv_all_ports(arpwatch_t) dev_read_sysfs(arpwatch_t) +dev_read_usbmon_dev(arpwatch_t) +dev_rw_generic_usb_dev(arpwatch_t) fs_getattr_all_fs(arpwatch_t) fs_search_auto_mountpoints(arpwatch_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.6.32/policy/modules/services/asterisk.te --- nsaserefpolicy/policy/modules/services/asterisk.te 2010-01-18 18:24:22.742540405 +0100 +++ serefpolicy-3.6.32/policy/modules/services/asterisk.te 2010-03-01 16:56:10.526493733 +0100 @@ -128,6 +128,7 @@ files_read_usr_files(asterisk_t) fs_getattr_all_fs(asterisk_t) +fs_list_inotifyfs(asterisk_t) fs_search_auto_mountpoints(asterisk_t) auth_use_nsswitch(asterisk_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.6.32/policy/modules/services/avahi.fc --- nsaserefpolicy/policy/modules/services/avahi.fc 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/avahi.fc 2010-01-19 21:19:40.967763409 +0100 @@ -6,4 +6,4 @@ /var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0) -/usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0) +/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.32/policy/modules/services/bind.if --- nsaserefpolicy/policy/modules/services/bind.if 2010-01-18 18:24:22.745530450 +0100 +++ serefpolicy-3.6.32/policy/modules/services/bind.if 2010-03-01 15:52:05.256741085 +0100 
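Review bot: `dev_rw_generic_usb_dev(arpwatch_t)` gives a passive sniffer write access to every generic USB device node. If this was added for libpcap enumerating usbmon capture devices, as the neighbouring `dev_read_usbmon_dev` line suggests (to confirm), read and getattr are all it should need; use a read-only variant if the tree provides one, or put a comment on the line naming the operation that actually requires write.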
@@ -290,6 +290,25 @@ read_files_pattern($1, named_zone_t, named_zone_t) ') +####################################### +## +## Manage BIND zone files. +## +## +## +## Domain allowed access. +## +## +# +interface(`bind_manage_zone',` + gen_require(` + type named_zone_t; + ') + + files_search_var($1) + manage_files_pattern($1, named_zone_t, named_zone_t) +') + ######################################## ## ## Send and receive datagrams to and from named. (Deprecated) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.6.32/policy/modules/services/cachefilesd.fc --- nsaserefpolicy/policy/modules/services/cachefilesd.fc 1970-01-01 01:00:00.000000000 +0100 +++ serefpolicy-3.6.32/policy/modules/services/cachefilesd.fc 2010-03-01 09:30:08.471741607 +0100 
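Review bot: bind_manage_zone grants the full manage set — create, unlink, rename, setattr — on named_zone_t files and rw_dir_perms on their directories via manage_files_pattern, and its only caller in this patch is cobblerd_t. If cobbler only rewrites zone files that already exist, `rw_files_pattern($1, named_zone_t, named_zone_t)` is the narrower interface; if it creates them, note in the summary that new files only receive named_zone_t when created inside an already-labelled directory, because no filetrans is set here.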
@@ -0,0 +1,28 @@
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+# Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# Define the contexts to be assigned to various files and directories of
+# importance to the CacheFiles kernel module and userspace management daemon.
+#
+
+# cachefilesd executable will have:
+# label: system_u:object_r:cachefilesd_exec_t
+# MLS sensitivity: s0
+# MCS categories:
+
+/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
+/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0)
+/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
+
+/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.if serefpolicy-3.6.32/policy/modules/services/cachefilesd.if
--- nsaserefpolicy/policy/modules/services/cachefilesd.if 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/cachefilesd.if 2010-03-01 09:30:08.471741607 +0100
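Review bot: The pid file on the last line of the hunk is labelled cachefiles_var_t, the type of the on-disk cache contents, whereas cachefilesd.te in this same patch declares a dedicated cachefilesd_var_run_t with files_pid_file and files_pid_filetrans for exactly this file. After a restorecon the pid file would carry the cache type, on which cachefilesd_t only has `{ getattr rename unlink }`, so the daemon could no longer rewrite it, and a cache-content type would sit under /var/run. Change the entry to `/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0)`.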
@@ -0,0 +1,41 @@
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+# Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# Define the policy interface for the CacheFiles userspace management daemon.
+#
+
+## policy for cachefilesd
+
+########################################
+##
+## Execute a domain transition to run cachefilesd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`cachefilesd_domtrans',`
+ gen_require(`
+ type cachefilesd_t, cachefilesd_exec_t;
+ ')
+
+ domain_auto_trans($1,cachefilesd_exec_t,cachefilesd_t)
+
+ allow $1 cachefilesd_t:fd use;
+ allow cachefilesd_t $1:fd use;
+ allow cachefilesd_t $1:fifo_file rw_file_perms;
+ allow cachefilesd_t $1:process sigchld;
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.te serefpolicy-3.6.32/policy/modules/services/cachefilesd.te
--- nsaserefpolicy/policy/modules/services/cachefilesd.te 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/cachefilesd.te 2010-03-01 09:30:08.471741607 +0100
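Review bot: cachefilesd_domtrans hand-writes the transition with domain_auto_trans plus four fd/fifo/sigchld allow rules, while the rest of this patch (cobblerd_domtrans in cobbler.if) uses domtrans_pattern, which already carries those rules. The fifo rule also applies the file permission set rw_file_perms to the fifo_file class; the matching set is rw_fifo_file_perms. Replace the body with `domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)` and drop the four allow lines.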
@@ -0,0 +1,146 @@ +############################################################################### +# +# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved. +# Written by David Howells (dhowells@redhat.com) +# Karl MacMillan (kmacmill@redhat.com) +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version +# 2 of the License, or (at your option) any later version. +# +############################################################################### + +# +# This security policy governs access by the CacheFiles kernel module and +# userspace management daemon to the files and directories in the on-disk +# cache, on behalf of the processes accessing the cache through a network +# filesystem such as NFS +# +policy_module(cachefilesd,1.0.17) + +############################################################################### +# +# Declarations +# +require { type kernel_t; } + +# +# Files in the cache are created by the cachefiles module with security ID +# cachefiles_var_t +# +type cachefiles_var_t; +files_type(cachefiles_var_t) + +# +# The /dev/cachefiles character device has security ID cachefiles_dev_t +# +type cachefiles_dev_t; +dev_node(cachefiles_dev_t) + +# +# The cachefilesd daemon normally runs with security ID cachefilesd_t +# +type cachefilesd_t; +type cachefilesd_exec_t; +domain_type(cachefilesd_t) +init_daemon_domain(cachefilesd_t, cachefilesd_exec_t) + +# +# The cachefilesd daemon pid file context +# +type cachefilesd_var_run_t; +files_pid_file(cachefilesd_var_run_t) + +# +# The CacheFiles kernel module causes processes accessing the cache files to do +# so acting as security ID cachefiles_kernel_t +# +type cachefiles_kernel_t; +domain_type(cachefiles_kernel_t) +domain_obj_id_change_exemption(cachefiles_kernel_t) +role system_r types cachefiles_kernel_t; + 
+############################################################################### +# +# Permit RPM to deal with files in the cache +# +rpm_use_script_fds(cachefilesd_t) + +############################################################################### +# +# cachefilesd local policy +# +# These define what cachefilesd is permitted to do. This doesn't include very +# much: startup stuff, logging, pid file, scanning the cache superstructure and +# deleting files from the cache. It is not permitted to read/write files in +# the cache. +# +# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow +# rules. +# +allow cachefilesd_t self : capability { setuid setgid sys_admin dac_override }; + +# Basic access +files_read_etc_files(cachefilesd_t) +libs_use_ld_so(cachefilesd_t) +libs_use_shared_libs(cachefilesd_t) +miscfiles_read_localization(cachefilesd_t) +logging_send_syslog_msg(cachefilesd_t) +init_dontaudit_use_script_ptys(cachefilesd_t) +term_dontaudit_use_generic_ptys(cachefilesd_t) +term_dontaudit_getattr_unallocated_ttys(cachefilesd_t) + +# Allow manipulation of pid file +allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms; +manage_files_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t) +manage_dirs_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t) +files_pid_file(cachefilesd_var_run_t) +files_pid_filetrans(cachefilesd_t,cachefilesd_var_run_t,file) + +# Allow access to cachefiles device file +allow cachefilesd_t cachefiles_dev_t : chr_file rw_file_perms; + +# Allow access to cache superstructure +allow cachefilesd_t cachefiles_var_t : dir rw_dir_perms; +allow cachefilesd_t cachefiles_var_t : file { getattr rename unlink }; + +# Permit statfs on the backing filesystem +fs_getattr_xattr_fs(cachefilesd_t) + +############################################################################### +# +# When cachefilesd invokes the kernel module to begin caching, it has to tell +# the kernel module the security 
context in which it should act, and this +# policy has to approve that. +# +# There are two parts to this: +# +# (1) the security context used by the module to access files in the cache, +# as set by the 'secctx' command in /etc/cachefilesd.conf, and +# +allow cachefilesd_t cachefiles_kernel_t : kernel_service { use_as_override }; + +# +# (2) the label that will be assigned to new files and directories created in +# the cache by the module, which will be the same as the label on the +# directory pointed to by the 'dir' command. +# +allow cachefilesd_t cachefiles_var_t : kernel_service { create_files_as }; + +############################################################################### +# +# cachefiles kernel module local policy +# +# This governs what the kernel module is allowed to do the contents of the +# cache. +# +allow cachefiles_kernel_t self:capability { dac_override dac_read_search }; +allow cachefiles_kernel_t initrc_t:process sigchld; + +manage_dirs_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t) +manage_files_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t) + +fs_getattr_xattr_fs(cachefiles_kernel_t) + +dev_search_sysfs(cachefiles_kernel_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.6.32/policy/modules/services/ccs.te --- nsaserefpolicy/policy/modules/services/ccs.te 2010-01-18 18:24:22.749530749 +0100 +++ serefpolicy-3.6.32/policy/modules/services/ccs.te 2010-02-17 15:18:32.630863465 +0100 @@ -74,8 +74,6 @@ manage_sock_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t) files_pid_filetrans(ccs_t, ccs_var_run_t, { dir file sock_file }) -aisexec_stream_connect(ccs_t) - kernel_read_kernel_sysctls(ccs_t) corecmd_list_bin(ccs_t) 
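Review bot: `allow cachefiles_kernel_t initrc_t:process sigchld;` references initrc_t directly, but the module's require block only names kernel_t, which is not otherwise used; use `init_sigchld_script(cachefiles_kernel_t)` if this tree provides that interface, and drop the unused kernel_t require. `rpm_use_script_fds(cachefilesd_t)` is unconditional while the same patch wraps rpm_exec in optional_policy in cobbler.te; wrap it the same way so the module builds without rpm. The self capability set includes sys_admin, which is broad for a cache daemon, so a one-line comment naming the operation that needs it (presumably the /dev/cachefiles control interface — to confirm) would stop it being carried forward unquestioned. `files_pid_file(cachefilesd_var_run_t)` is also called twice, once at the declaration and again in the pid-file block.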
@@ -117,5 +115,9 @@ ') optional_policy(` + aisexec_stream_connect(ccs_t) + corosync_stream_connect(ccs_t) +') +optional_policy(` unconfined_use_fds(ccs_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.6.32/policy/modules/services/chronyd.fc --- nsaserefpolicy/policy/modules/services/chronyd.fc 2010-01-18 18:24:22.753540198 +0100 +++ serefpolicy-3.6.32/policy/modules/services/chronyd.fc 2010-02-02 18:56:12.191317011 +0100 @@ -1,4 +1,6 @@ +/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0) + /etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0) /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.6.32/policy/modules/services/chronyd.te --- nsaserefpolicy/policy/modules/services/chronyd.te 2010-01-18 18:24:22.755539963 +0100 +++ serefpolicy-3.6.32/policy/modules/services/chronyd.te 2010-02-02 18:55:49.615067744 +0100 @@ -12,6 +12,9 @@ type chronyd_initrc_exec_t; init_script_file(chronyd_initrc_exec_t) +type chronyd_keys_t; +files_type(chronyd_keys_t) + # var/lib files type chronyd_var_lib_t; files_type(chronyd_var_lib_t) @@ -30,11 +33,14 @@ # chronyd local policy # -allow chronyd_t self:capability { setuid setgid sys_time }; -allow chronyd_t self:process { getcap setcap }; +allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time }; +allow chronyd_t self:process { getcap setcap setrlimit }; allow chronyd_t self:udp_socket create_socket_perms; allow chronyd_t self:unix_dgram_socket create_socket_perms; +allow chronyd_t self:shm create_shm_perms; + +allow chronyd_t chronyd_keys_t:file read_file_perms; # chronyd var/lib files manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) 
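Review bot: dac_override is added to chronyd_t's capability set in the same hunk that introduces chronyd_keys_t for /etc/chrony.keys. If it was added because chronyd, after dropping privileges, failed to open a root-owned keys file (not visible here — to confirm), the tighter fix is ownership and mode on that file: dac_override lets chronyd_t bypass DAC on every file type it is granted, not just the keys. If it is genuinely required, a comment naming the trigger on the allow line keeps it from being inherited by later versions without thought. Declaring the keys with files_type rather than files_config_file is a good separation, since generic /etc readers do not receive the NTP symmetric keys.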
@@ -64,4 +70,7 @@ miscfiles_read_localization(chronyd_t) -permissive chronyd_t; +optional_policy(` + gpsd_rw_shm(chronyd_t) +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.6.32/policy/modules/services/clogd.if --- nsaserefpolicy/policy/modules/services/clogd.if 2010-01-18 18:24:22.757540078 +0100 +++ serefpolicy-3.6.32/policy/modules/services/clogd.if 2010-02-17 11:59:55.124863336 +0100 @@ -42,26 +42,6 @@ ##################################### ## -## Manage clogd tmpfs files. -## -## -## -## The type of the process performing this action. -## -## -# -interface(`clogd_manage_tmpfs_files',` - gen_require(` - type clogd_tmpfs_t; - ') - - fs_search_tmpfs($1) - manage_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t) - manage_lnk_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t) -') - -##################################### -## ## Allow read and write access to clogd semaphores. ## ## @@ -94,5 +74,9 @@ ') allow $1 clogd_t:shm { rw_shm_perms destroy }; + allow $1 clogd_tmpfs_t:dir list_dir_perms; + rw_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t) + read_lnk_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t) + fs_search_tmpfs($1) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.6.32/policy/modules/services/clogd.te --- nsaserefpolicy/policy/modules/services/clogd.te 2010-01-18 18:24:22.758539996 +0100 +++ serefpolicy-3.6.32/policy/modules/services/clogd.te 2010-02-17 15:17:36.815613535 +0100 @@ -41,8 +41,6 @@ manage_sock_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t) files_pid_filetrans(clogd_t,clogd_var_run_t, { file }) -aisexec_stream_connect(clogd_t) - dev_manage_generic_blk_files(clogd_t) storage_raw_read_fixed_disk(clogd_t) 
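Review bot: The first clogd.if hunk deletes the public interface clogd_manage_tmpfs_files outright, so any module outside this patch that calls it fails to build. The convention visible elsewhere in this patch (the "(Deprecated)" marker in a bind.if summary) is to keep the old interface for a release, either as a wrapper around the replacement or with a deprecation note. The rules added in the later hunk (rw on clogd_tmpfs_t files) are also narrower than manage, so a caller that created tmpfs files would lose that silently; the name of that enclosing interface is outside the hunk.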
@@ -56,6 +54,11 @@ miscfiles_read_localization(clogd_t) optional_policy(` + aisexec_stream_connect(clogd_t) + corosync_stream_connect(clogd_t) +') + +optional_policy(` dev_read_lvm_control(clogd_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.fc serefpolicy-3.6.32/policy/modules/services/cobbler.fc --- nsaserefpolicy/policy/modules/services/cobbler.fc 2010-01-18 18:24:22.758539996 +0100 +++ serefpolicy-3.6.32/policy/modules/services/cobbler.fc 2010-03-01 09:49:55.450759811 +0100 @@ -1,2 +1,7 @@ +/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0) +/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0) + +/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0) /var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) +/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.6.32/policy/modules/services/cobbler.if --- nsaserefpolicy/policy/modules/services/cobbler.if 2010-01-18 18:24:22.759530345 +0100 +++ serefpolicy-3.6.32/policy/modules/services/cobbler.if 2010-03-01 09:49:55.450759811 +0100 @@ -1,10 +1,111 @@ +## Cobbler installation server. +## +##
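Review bot: Three of the new cobbler.fc entries write `gen_context(system_u:object_r:cobbler_etc_t, s0)` with a space before s0, while the existing /var/lib/cobbler line and every other .fc in this patch use `type,s0`; m4 tolerates the space but the file is now inconsistent. Drop the space on the /etc/cobbler, cobblerd init script and /var/log/cobbler lines.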

+## Cobbler is a Linux installation server that allows for +## rapid setup of network installation environments. It +## glues together and automates many associated Linux +## tasks so you do not have to hop between lots of various +## commands and applications when rolling out new systems, +## and, in some cases, changing existing ones. +##

+##
+ +######################################## +## +## Execute a domain transition to run cobblerd. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`cobblerd_domtrans',` + gen_require(` + type cobblerd_t, cobblerd_exec_t; + ') + + domtrans_pattern($1, cobblerd_exec_t, cobblerd_t) +') + +######################################## +## +## Execute cobblerd server in the cobblerd domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`cobblerd_initrc_domtrans',` + gen_require(` + type cobblerd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, cobblerd_initrc_exec_t) +') + +######################################## +## +## Read Cobbler content in /etc +## +## +## +## Domain allowed access. +## +## +# +interface(`cobbler_read_config',` + gen_require(` + type cobbler_etc_t; + ') + + read_files_pattern($1, cobbler_etc_t, cobbler_etc_t); + files_search_etc($1) +') + +######################################## +## +## Do not audit attempts to read and write +## Cobbler log files (leaked fd). +## +## +## +## Domain allowed access. +## +## +# +interface(`cobbler_dontaudit_rw_log',` + gen_require(` + type cobbler_var_log_t; + ') + + dontaudit $1 cobbler_var_log_t:file rw_file_perms; +') + +######################################## ## -## Cobbler var_lib_t +## Search cobbler dirs in /var/lib ## +## +## +## Domain allowed access. +## +## +# +interface(`cobbler_search_lib',` + gen_require(` + type cobbler_var_lib_t; + ') + + search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) + files_search_var_lib($1) +') ######################################## ## -## Read cobbler lib files. +## Read cobbler files in /var/lib ## ## ## @@ -18,7 +119,6 @@ ') read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) - allow $1 cobbler_var_lib_t:dir list_dir_perms; files_search_var_lib($1) ') 
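Review bot: cobbler_dontaudit_rw_log describes itself as a leaked-fd dontaudit but uses rw_file_perms, which also covers open, whereas apache_dontaudit_leaks in this same patch uses the rw_inherited_* set for that purpose. Use `dontaudit $1 cobbler_var_log_t:file rw_inherited_file_perms;` so a genuine attempt to open the log is still audited. cobbler_read_config also ends its read_files_pattern line with a stray `;`, which no other interface in the file does.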
@@ -22,10 +122,9 @@ files_search_var_lib($1) ') - ######################################## ## -## Read cobbler lib files. +## Manage cobbler files in /var/lib ## ## ## @@ -33,12 +132,55 @@ ## ## # -interface(`cobbler_search_lib',` +interface(`cobbler_manage_lib_files',` gen_require(` type cobbler_var_lib_t; ') - allow $1 cobbler_var_lib_t:dir search_dir_perms; + manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) files_search_var_lib($1) ') +######################################## +## +## All of the rules required to administrate +## an cobblerd environment +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`cobblerd_admin',` + gen_require(` + type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t; + type cobbler_etc_t; + type httpd_cobbler_content_rw_t; + ') + + allow $1 cobblerd_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, cobblerd_t, cobblerd_t) + + files_search_etc($1) + admin_pattern($1, cobbler_etc_t) + + files_list_var_lib($1) + admin_pattern($1, cobbler_var_lib_t) + + files_search_var_log($1) + admin_pattern($1, cobbler_var_log_t) + + admin_pattern($1, httpd_cobbler_content_rw_t) + + cobblerd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 cobblerd_initrc_exec_t system_r; + allow $2 system_r; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.6.32/policy/modules/services/cobbler.te --- nsaserefpolicy/policy/modules/services/cobbler.te 2010-01-18 18:24:22.760530473 +0100 +++ serefpolicy-3.6.32/policy/modules/services/cobbler.te 2010-03-01 15:49:21.826741385 +0100 @@ -1,5 +1,135 @@ -policy_module(cobbler, 1.10.0) +policy_module(cobbler, 1.0.0) + +######################################## +# +# Cobbler personal declarations. +# + +## +##
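Review bot: cobblerd_admin reads the daemon's /proc entries with `read_files_pattern($1, cobblerd_t, cobblerd_t)`; the ps_process_pattern helper used in dbus.if in this same patch is the idiom for that and also covers the dir and symlink perms. The gen_require omits cobblerd_initrc_exec_t even though `role_transition $2 cobblerd_initrc_exec_t system_r;` names it directly — it presumably only resolves because the nested cobblerd_initrc_domtrans call expands its own require inline — so list it explicitly. ptrace is also granted on cobblerd_t; if process inspection is all the admin role needs, getattr plus signal_perms suffice.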

+## Allow Cobbler to modify public files +## used for public file transfer services. +##

+##
+gen_tunable(cobbler_anon_write, false) + +type cobblerd_t; +type cobblerd_exec_t; +init_daemon_domain(cobblerd_t, cobblerd_exec_t) + +permissive cobblerd_t; + +type cobblerd_initrc_exec_t; +init_script_file(cobblerd_initrc_exec_t) + +type cobbler_etc_t; +files_config_file(cobbler_etc_t) + +type cobbler_var_log_t; +logging_log_file(cobbler_var_log_t) type cobbler_var_lib_t; files_type(cobbler_var_lib_t) + +######################################## +# +# Cobbler personal policy. +# + +allow cobblerd_t self:capability { chown dac_override fowner sys_nice }; +allow cobblerd_t self:process { getsched setsched signal }; +allow cobblerd_t self:fifo_file rw_fifo_file_perms; +allow cobblerd_t self:tcp_socket create_stream_socket_perms; + +list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t) +read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t) + +manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) +manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) +files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file }) + +append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) +create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) +read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) +setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) +logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file) + +kernel_read_system_state(cobblerd_t) + +corecmd_exec_bin(cobblerd_t) +corecmd_exec_shell(cobblerd_t) + +corenet_all_recvfrom_netlabel(cobblerd_t) +corenet_all_recvfrom_unlabeled(cobblerd_t) +corenet_sendrecv_cobbler_server_packets(cobblerd_t) +corenet_tcp_bind_cobbler_port(cobblerd_t) +corenet_tcp_bind_generic_node(cobblerd_t) +corenet_tcp_sendrecv_generic_if(cobblerd_t) +corenet_tcp_sendrecv_generic_node(cobblerd_t) +corenet_tcp_sendrecv_generic_port(cobblerd_t) + +dev_read_urand(cobblerd_t) + +# read /etc/nsswitch.conf +files_read_etc_files(cobblerd_t) 
+files_read_usr_files(cobblerd_t) +files_list_boot(cobblerd_t) +files_list_tmp(cobblerd_t) + +miscfiles_read_localization(cobblerd_t) +miscfiles_read_public_files(cobblerd_t) + +sysnet_read_config(cobblerd_t) +sysnet_rw_dhcp_config(cobblerd_t) +sysnet_write_config(cobblerd_t) + +tunable_policy(`cobbler_anon_write',` + miscfiles_manage_public_files(cobblerd_t) +') + +optional_policy(` + apache_list_sys_content(cobblerd_t) +') + +optional_policy(` + bind_read_config(cobblerd_t) + bind_write_config(cobblerd_t) + bind_domtrans_ndc(cobblerd_t) + bind_domtrans(cobblerd_t) + bind_initrc_domtrans(cobblerd_t) + bind_manage_zone(cobblerd_t) +') + +optional_policy(` + dhcpd_domtrans(cobblerd_t) + dhcpd_initrc_domtrans(cobblerd_t) +') + +optional_policy(` + dnsmasq_domtrans(cobblerd_t) + dnsmasq_initrc_domtrans(cobblerd_t) + dnsmasq_write_config(cobblerd_t) +') + +optional_policy(` + rpm_exec(cobblerd_t) +') + +optional_policy(` + rsync_read_config(cobblerd_t) + rsync_write_config(cobblerd_t) +') + +optional_policy(` + tftp_manage_rw_content(cobblerd_t) +') + +######################################## +# +# Cobbler web local policy. +# + +apache_content_template(cobbler) +manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) +manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.32/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2010-02-21 20:46:52.740325173 +0100 +++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2010-03-03 10:48:14.219612204 +0100 @@ -16,6 +16,9 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) +type consolekit_tmpfs_t; +files_tmpfs_file(consolekit_tmpfs_t) + ######################################## # # consolekit local policy 
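Review bot: cobblerd_t is declared permissive, yet the same hunk gives it a network listener (corenet_tcp_bind_cobbler_port, corenet_all_recvfrom_unlabeled), a shell, rpm, write access to resolver, DHCP, BIND and rsync configuration, zone files and TFTP content, and transitions into bind, dhcpd and dnsmasq; while permissive none of that is a boundary, so a compromise of the daemon is effectively unconfined. If permissive is a bring-up step, add a comment with the tracking reference next to `permissive cobblerd_t;` so it does not ship that way. Separately, `policy_module(cobbler, 1.10.0)` becomes `1.0.0`, a version decrease that the module upgrade path may refuse as older than what is installed; bump above 1.10.0 instead.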
@@ -80,13 +83,11 @@ hal_ptrace(consolekit_t) tunable_policy(`use_nfs_home_dirs',` - fs_dontaudit_list_nfs(consolekit_t) - fs_dontaudit_rw_nfs_files(consolekit_t) + fs_read_nfs_files(consolekit_t) ') tunable_policy(`use_samba_home_dirs',` - fs_dontaudit_list_cifs(consolekit_t) - fs_dontaudit_rw_cifs_files(consolekit_t) + fs_read_cifs_files(consolekit_t) ') optional_policy(` @@ -118,10 +119,10 @@ optional_policy(` xserver_read_xdm_pid(consolekit_t) xserver_read_user_xauth(consolekit_t) - xserver_common_app(consolekit_t) - xserver_ptrace_xdm(consolekit_t) - xserver_common_app(consolekit_t) + xserver_non_drawing_client(consolekit_t) corenet_tcp_connect_xserver_port(consolekit_t) + xserver_stream_connect(consolekit_t) + xserver_user_x_domain_template(consolekit, consolekit_t, consolekit_tmpfs_t) ') optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.6.32/policy/modules/services/corosync.fc --- nsaserefpolicy/policy/modules/services/corosync.fc 2010-01-18 18:24:22.762530308 +0100 +++ serefpolicy-3.6.32/policy/modules/services/corosync.fc 2010-02-17 15:36:57.020864395 +0100 @@ -9,5 +9,5 @@ /var/log/cluster/corosync\.log -- gen_context(system_u:object_r:corosync_var_log_t,s0) +/var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0) /var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0) - diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.6.32/policy/modules/services/corosync.te --- nsaserefpolicy/policy/modules/services/corosync.te 2010-01-18 18:24:22.764539991 +0100 +++ serefpolicy-3.6.32/policy/modules/services/corosync.te 2010-02-21 19:02:15.511309414 +0100 
@@ -72,6 +72,9 @@ files_pid_filetrans(corosync_t,corosync_var_run_t, { file sock_file }) kernel_read_system_state(corosync_t) +kernel_read_network_state(corosync_t) + +domain_read_all_domains_state(corosync_t) corenet_udp_bind_netsupport_port(corosync_t) @@ -92,6 +95,7 @@ userdom_rw_user_tmpfs_files(corosync_t) +optional_policy(` # to communication with RHCS dlm_controld_manage_tmpfs_files(corosync_t) dlm_controld_rw_semaphores(corosync_t) @@ -101,6 +105,11 @@ gfs_controld_manage_tmpfs_files(corosync_t) gfs_controld_rw_semaphores(corosync_t) +') + +optional_policy(` + rgmanager_manage_tmpfs_files(corosync_t) +') optional_policy(` ccs_read_config(corosync_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.32/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2010-01-18 18:24:22.769530360 +0100 +++ serefpolicy-3.6.32/policy/modules/services/cron.te 2010-02-11 12:37:32.141868288 +0100 @@ -268,6 +268,11 @@ ') optional_policy(` + djbdns_search_key_tinydns(crond_t) + djbdns_link_key_tinydns(crond_t) +') + +optional_policy(` locallogin_search_keys(crond_t) locallogin_link_keys(crond_t) ') @@ -323,6 +328,10 @@ udev_read_db(crond_t) ') +optional_policy(` + mta_system_content(crond_var_run_t) +') + ######################################## # # System cron process domain diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2010-01-18 18:24:22.771540183 +0100 +++ serefpolicy-3.6.32/policy/modules/services/cups.te 2010-02-17 16:19:02.686863774 +0100 @@ -265,6 +265,7 @@ # invoking ghostscript needs to read fonts miscfiles_read_fonts(cupsd_t) miscfiles_setattr_fonts_dirs(cupsd_t) +miscfiles_setattr_fonts_cache_dirs(cupsd_t) seutil_read_config(cupsd_t) sysnet_exec_ifconfig(cupsd_t) 
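Review bot: The optional_policy opened in the second corosync.te hunk encloses both the dlm_controld_* and gfs_controld_* calls in a single block. optional_policy drops the whole block when any type it requires is missing, so if those interfaces come from different modules (not visible here — to confirm) the absence of one silently removes the rules for the other; split them into one optional_policy per module, as the rgmanager block added just below already does. `domain_read_all_domains_state(corosync_t)` in the first hunk also lets corosync read the /proc state of every domain; if it only needs to check that peer processes exist, domain_getattr_all_domains plus signull is the narrower grant.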
@@ -430,10 +431,12 @@ userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) +userdom_read_all_users_state(cupsd_config_t) userdom_rw_user_tmp_files(cupsd_config_t) cups_stream_connect(cupsd_config_t) +gnome_dontaudit_search_config(cupsd_config_t) lpd_read_config(cupsd_config_t) ifdef(`distro_redhat',` @@ -555,6 +558,7 @@ logging_send_syslog_msg(cupsd_lpd_t) miscfiles_read_localization(cupsd_lpd_t) +miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t) cups_stream_connect(cupsd_lpd_t) @@ -567,7 +571,7 @@ # cups_pdf local policy # -allow cups_pdf_t self:capability { chown fsetid setuid setgid dac_override }; +allow cups_pdf_t self:capability { chown fsetid fowner setuid setgid dac_override }; allow cups_pdf_t self:fifo_file rw_file_perms; allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; @@ -689,6 +693,7 @@ domain_use_interactive_fds(hplip_t) +files_dontaudit_write_usr_dirs(hplip_t) files_read_etc_files(hplip_t) files_read_etc_runtime_files(hplip_t) files_read_usr_files(hplip_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.32/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2010-01-18 18:24:22.774530577 +0100 +++ serefpolicy-3.6.32/policy/modules/services/dbus.if 2010-03-03 10:39:47.602620848 +0100 @@ -165,10 +165,6 @@ optional_policy(` hal_dbus_chat($1_dbusd_t) ') - - optional_policy(` - xserver_use_xdm($1_dbusd_t) - ') ') ####################################### 
@@ -375,6 +371,9 @@ dbus_system_bus_client($1) dbus_connect_system_bus($1) + ps_process_pattern(system_dbusd_t, $1) + + userdom_read_all_users_state($1) userdom_dontaudit_search_admin_dir($1) optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.32/policy/modules/services/dcc.te --- nsaserefpolicy/policy/modules/services/dcc.te 2010-01-18 18:24:22.776530971 +0100 +++ serefpolicy-3.6.32/policy/modules/services/dcc.te 2010-02-23 16:38:38.729526813 +0100 @@ -81,7 +81,7 @@ # dcc daemon controller local policy # -allow cdcc_t self:capability setuid; +allow cdcc_t self:capability { setgid setuid }; allow cdcc_t self:unix_dgram_socket create_socket_perms; allow cdcc_t self:udp_socket create_socket_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.32/policy/modules/services/devicekit.fc --- nsaserefpolicy/policy/modules/services/devicekit.fc 2010-01-18 18:24:22.778530038 +0100 +++ serefpolicy-3.6.32/policy/modules/services/devicekit.fc 2010-02-26 09:34:03.326558032 +0100 
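Review bot: `userdom_read_all_users_state($1)` is added inside a shared dbus interface whose header is outside this hunk, so every domain that calls it (presumably all system-bus client daemons) silently gains read access to every user's process state; that is a wide, hard-to-audit grant for what looks like a single caller's need. Either move it into the specific domain that hit the denial or justify it here, e.g. `# bus clients stat /proc/<pid> of the peer to resolve caller identity -- confirm`. `ps_process_pattern(system_dbusd_t, $1)` goes the other way (the bus reads the client) and is reasonable.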
@@ -1,8 +1,12 @@ /usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0) /usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) /usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) +/usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) +/usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) /var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0) +/var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) /var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) /var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.32/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 2010-01-18 18:24:22.780530921 +0100 +++ serefpolicy-3.6.32/policy/modules/services/devicekit.te 2010-03-02 17:01:05.295607149 +0100 @@ -62,8 +62,8 @@ # DeviceKit disk local policy # -allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_nice sys_ptrace sys_rawio }; -allow devicekit_disk_t self:process signal_perms; +allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio }; +allow devicekit_disk_t self:process { getsched signal_perms }; allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; 
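Review bot: `sys_admin` is added to devicekit_disk_t's capability set without a comment; it is the broadest capability (mount, quotactl, block-device ioctls and much more) and the hunk gives no indication which udisks operation triggered it. Record the reason next to the rule, e.g. `# sys_admin: mount(2)/umount(2) of removable media -- confirm against the AVC`, so a later audit can tell whether a narrower capability would do. The new udisks/upowerd file contexts and the `getsched` addition look fine.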
@@ -82,6 +82,7 @@ kernel_getattr_message_if(devicekit_disk_t) kernel_read_fs_sysctls(devicekit_disk_t) +kernel_read_network_state(devicekit_disk_t) kernel_read_software_raid_state(devicekit_disk_t) kernel_read_system_state(devicekit_disk_t) kernel_request_load_module(devicekit_disk_t) @@ -96,12 +97,14 @@ dev_getattr_usbfs_dirs(devicekit_disk_t) dev_manage_generic_files(devicekit_disk_t) dev_getattr_all_chr_files(devicekit_disk_t) +dev_getattr_mtrr_dev(devicekit_disk_t) domain_getattr_all_pipes(devicekit_disk_t) domain_getattr_all_sockets(devicekit_disk_t) domain_getattr_all_stream_sockets(devicekit_disk_t) domain_read_all_domains_state(devicekit_disk_t) +files_dontaudit_read_all_symlinks(devicekit_disk_t) files_getattr_all_sockets(devicekit_disk_t) files_getattr_all_mountpoints(devicekit_disk_t) files_getattr_all_files(devicekit_disk_t) @@ -122,6 +125,9 @@ storage_raw_read_removable_device(devicekit_disk_t) storage_raw_write_removable_device(devicekit_disk_t) +mls_file_read_all_levels(devicekit_disk_t) +mls_file_write_to_clearance(devicekit_disk_t) + term_use_all_terms(devicekit_disk_t) auth_use_nsswitch(devicekit_disk_t) @@ -182,6 +188,7 @@ # allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace }; +allow devicekit_power_t self:process getsched; allow devicekit_power_t self:fifo_file rw_fifo_file_perms; allow devicekit_power_t self:unix_dgram_socket create_socket_perms; allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -205,6 +212,7 @@ dev_read_input(devicekit_power_t) dev_rw_generic_usb_dev(devicekit_power_t) +dev_rw_generic_chr_files(devicekit_power_t) dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) 
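Review bot: `mls_file_read_all_levels(devicekit_disk_t)` and `mls_file_write_to_clearance(devicekit_disk_t)` make the disk daemon an MLS-trusted subject that may read files at every sensitivity level and write up to its clearance, a significant exception to the MLS constraints that is added with no comment. State the reason in the policy, presumably mounting and relabeling filesystems whose contents sit at other levels, e.g. `# MLS override: udisks mounts/relabels filesystems at arbitrary levels -- confirm`, and check that the daemon is actually started ranged so the write-to-clearance bound means something. `files_dontaudit_read_all_symlinks(devicekit_disk_t)` a few lines earlier hides symlink reads system-wide and would also benefit from a short note.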
@@ -220,6 +228,8 @@ miscfiles_read_localization(devicekit_power_t) +sysnet_domtrans_ifconfig(devicekit_power_t) + sysnet_read_config(devicekit_power_t) sysnet_read_dhcp_config(devicekit_power_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.6.32/policy/modules/services/dhcp.if --- nsaserefpolicy/policy/modules/services/dhcp.if 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/dhcp.if 2010-03-01 15:53:56.974502467 +0100 @@ -2,6 +2,25 @@ ######################################## ## +## Transition to dhcpd. +## +## +## +## Domain allowed access. +## +## +# +interface(`dhcpd_domtrans',` + gen_require(` + type dhcpd_t, dhcpd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, dhcpd_exec_t, dhcpd_t) +') + +######################################## +## ## Set the attributes of the DCHP ## server state files. ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.6.32/policy/modules/services/dhcp.te --- nsaserefpolicy/policy/modules/services/dhcp.te 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/dhcp.te 2010-03-01 09:56:40.715740296 +0100 @@ -112,6 +112,10 @@ ') optional_policy(` + cobbler_dontaudit_rw_log(dhcpd_t) +') + +optional_policy(` dbus_system_bus_client(dhcpd_t) dbus_connect_system_bus(dhcpd_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.6.32/policy/modules/services/djbdns.if --- nsaserefpolicy/policy/modules/services/djbdns.if 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/djbdns.if 2010-02-11 12:35:57.243619172 +0100 
@@ -26,6 +26,8 @@ daemontools_read_svc(djbdns_$1_t) allow djbdns_$1_t self:capability { net_bind_service setgid setuid sys_chroot }; + allow djbdns_$1_t self:process signal; + allow djbdns_$1_t self:fifo_file rw_fifo_file_perms; allow djbdns_$1_t self:tcp_socket create_stream_socket_perms; allow djbdns_$1_t self:udp_socket create_socket_perms; @@ -50,3 +52,39 @@ files_search_var(djbdns_$1_t) ') + +###################################### +## +## Allow search the djbdns-tinydns key ring. +## +## +## +## Domain allowed access. +## +## +# +interface(`djbdns_search_key_tinydns',` + gen_require(` + type djbdns_tinydns_t; + ') + + allow $1 djbdns_tinydns_t:key search; +') + +###################################### +## +## Allow link to the djbdns-tinydns key ring. +## +## +## +## Domain allowed access. +## +## +# +interface(`djbdns_link_key_tinydns',` + gen_require(` + type djbdns_tinydn_t; + ') + + allow $1 djbdns_tinydn_t:key link; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-3.6.32/policy/modules/services/djbdns.te --- nsaserefpolicy/policy/modules/services/djbdns.te 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/djbdns.te 2010-02-11 14:26:09.789868676 +0100 @@ -42,3 +42,11 @@ files_search_var(djbdns_axfrdns_t) ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t) + +##################################### +# +# Local policy for djbdns_tinydns_t +# + +init_dontaudit_use_script_fds(djbdns_tinydns_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.6.32/policy/modules/services/dnsmasq.fc --- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/dnsmasq.fc 2010-02-12 17:25:06.991714829 +0100 
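Review bot: `djbdns_link_key_tinydns` requires and uses `djbdns_tinydn_t`, which is a typo for `djbdns_tinydns_t` (the type used by the sibling `djbdns_search_key_tinydns` and by the djbdns.te hunk below); the `gen_require` will fail on the undeclared type, and cron.te in this same patch calls the interface. Change the two lines to `type djbdns_tinydns_t;` and `allow $1 djbdns_tinydns_t:key link;`. The summary `Allow search the djbdns-tinydns key ring.` also reads better as `Allow searching the djbdns-tinydns key ring.`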
@@ -5,5 +5,7 @@ /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0) /var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0) +/var/log/dnsmasq\.log -- gen_context(system_u:object_r:dnsmasq_var_log_t,s0) + /var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.6.32/policy/modules/services/dnsmasq.if --- nsaserefpolicy/policy/modules/services/dnsmasq.if 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/dnsmasq.if 2010-03-01 15:57:23.556490055 +0100 @@ -96,6 +96,44 @@ allow $1 dnsmasq_t:process sigkill; ') +####################################### +## +## Read dnsmasq config files. +## +## +## +## Domain allowed. +## +## +# +interface(`dnsmasq_read_config',` + gen_require(` + type dnsmasq_etc_t; + ') + + read_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t) + files_search_etc($1) +') + +####################################### +## +## Write to dnsmasq config files. +## +## +## +## Domain allowed. +## +## +# +interface(`dnsmasq_write_config',` + gen_require(` + type dnsmasq_etc_t; + ') + + write_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t) + files_search_etc($1) +') + ######################################## ## ## Delete dnsmasq pid files diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.32/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2010-01-18 18:24:22.780530921 +0100 +++ serefpolicy-3.6.32/policy/modules/services/dnsmasq.te 2010-02-12 17:24:31.727729095 +0100 
@@ -16,6 +16,9 @@ type dnsmasq_lease_t; files_type(dnsmasq_lease_t) +type dnsmasq_var_log_t; +logging_log_file(dnsmasq_var_log_t) + type dnsmasq_var_run_t; files_pid_file(dnsmasq_var_run_t) @@ -24,7 +27,7 @@ # Local policy # -allow dnsmasq_t self:capability { net_admin setgid setuid net_bind_service net_raw }; +allow dnsmasq_t self:capability { dac_override chown net_admin setgid setuid net_bind_service net_raw }; dontaudit dnsmasq_t self:capability sys_tty_config; allow dnsmasq_t self:process { getcap setcap signal_perms }; allow dnsmasq_t self:fifo_file rw_fifo_file_perms; @@ -38,6 +41,9 @@ manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t) files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file) +manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t) +logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file) + manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t) files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2010-01-18 18:24:22.782530547 +0100 +++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2010-02-08 11:55:25.971336166 +0100 @@ -82,6 +82,7 @@ manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) +manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) files_pid_filetrans(dovecot_t, dovecot_var_run_t, file) 
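Review bot: The capability line now grants dnsmasq_t `dac_override` and `chown` with no comment, and `dac_override` lets the daemon bypass DAC on every file its SELinux permissions already reach. If these come from dnsmasq chowning its newly typed `dnsmasq_var_log_t` log or its lease file before dropping to its configured user, say so, e.g. `# chown/dac_override: dnsmasq chowns its log and lease files before dropping privileges -- confirm`, and check whether `chown` alone satisfies the AVC so `dac_override` can be left out.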
@@ -94,6 +95,7 @@ corenet_tcp_sendrecv_generic_node(dovecot_t) corenet_tcp_sendrecv_all_ports(dovecot_t) corenet_tcp_bind_generic_node(dovecot_t) +corenet_tcp_bind_mail_port(dovecot_t) corenet_tcp_bind_pop_port(dovecot_t) corenet_tcp_connect_all_ports(dovecot_t) corenet_tcp_connect_postgresql_port(dovecot_t) @@ -277,6 +279,8 @@ ') tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(dovecot_deliver_t) + fs_manage_nfs_dirs(dovecot_t) fs_manage_nfs_files(dovecot_deliver_t) fs_manage_nfs_symlinks(dovecot_deliver_t) fs_manage_nfs_files(dovecot_t) @@ -284,6 +288,8 @@ ') tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(dovecot_deliver_t) + fs_manage_cifs_dirs(dovecot_t) fs_manage_cifs_files(dovecot_deliver_t) fs_manage_cifs_symlinks(dovecot_deliver_t) fs_manage_cifs_files(dovecot_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.6.32/policy/modules/services/exim.if --- nsaserefpolicy/policy/modules/services/exim.if 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/exim.if 2010-02-15 12:36:35.630568574 +0100 @@ -18,6 +18,24 @@ domtrans_pattern($1, exim_exec_t, exim_t) ') +################################### +## +## Execute the exim in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`exim_exec',` + gen_require(` + type exim_exec_t; + ') + + can_exec($1, exim_exec_t) +') + ######################################## ## ## Do not audit attempts to read, diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.6.32/policy/modules/services/fail2ban.if --- nsaserefpolicy/policy/modules/services/fail2ban.if 2010-01-18 18:24:22.784531151 +0100 +++ serefpolicy-3.6.32/policy/modules/services/fail2ban.if 2010-01-18 18:27:02.761531161 +0100 
@@ -138,6 +138,24 @@ dontaudit $1 fail2ban_t:unix_stream_socket { read write }; ') +####################################### +## +## Read and write to an fail2ban unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`fail2ban_rw_stream_sockets',` + gen_require(` + type fail2ban_t; + ') + + allow $1 fail2ban_t:unix_stream_socket { getattr read write ioctl }; +') + ######################################## ## ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.6.32/policy/modules/services/ftp.fc --- nsaserefpolicy/policy/modules/services/ftp.fc 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/ftp.fc 2010-02-16 17:34:27.415598063 +0100 @@ -22,7 +22,7 @@ # # /var # -/var/run/proftpd(/.*)? gen_context(system_u:object_r:ftpd_var_run_t,s0) +/var/run/proftpd.* gen_context(system_u:object_r:ftpd_var_run_t,s0) /var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.6.32/policy/modules/services/ftp.if --- nsaserefpolicy/policy/modules/services/ftp.if 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/ftp.if 2010-02-08 00:21:16.418154590 +0100 
@@ -115,6 +115,43 @@ role $2 types ftpdctl_t; ') +###################################### +## +## Allow domain dyntransition to sftpd-anon domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`ftp_dyntransition_sftpd_anon',` + gen_require(` + type sftpd_anon_t; + ') + + allow $1 sftpd_anon_t:process dyntransition; +') + +###################################### +## +## Allow domain dyntransition to sftpd domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`ftp_dyntransition_sftpd',` + gen_require(` + type sftpd_t; + ') + + allow $1 sftpd_t:process dyntransition; + allow sftpd_t $1:process sigchld; +') + ######################################## ## ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.32/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2010-01-18 18:24:22.787539983 +0100 +++ serefpolicy-3.6.32/policy/modules/services/ftp.te 2010-02-16 17:41:51.446598108 +0100 @@ -53,6 +53,39 @@ ## gen_tunable(ftp_home_dir, false) +## +##
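Review bot: `ftp_dyntransition_sftpd` grants `allow sftpd_t $1:process sigchld;` so the new domain can report exit to its parent, but `ftp_dyntransition_sftpd_anon` omits the matching `allow sftpd_anon_t $1:process sigchld;`, so the anonymous variant will hit a denial the moment the child exits; add that line for symmetry. Both interfaces hand out `dyntransition` (setcon without exec), which keeps the caller's open descriptors and memory in the new domain, so the descriptions should name the intended caller (presumably the sshd internal-sftp subsystem) instead of only `Allow domain dyntransition to sftpd domain.`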

+## Allow anon internal-sftp to upload files, used for +## public file transfer services. Directories must be labeled +## public_content_rw_t. +##

+##
+gen_tunable(sftpd_anon_write, false) + +## +##

+## Allow sftp-internal to login to local users and +## read/write all files on the system, governed by DAC. +##

+##
+gen_tunable(sftpd_full_access, false) + +## +##

+## Allow interlnal-sftp to read and write files +## in the user ssh home directories. +##

+##
+gen_tunable(sftpd_write_ssh_home, false) + +## +##

+## Allow sftp-internal to read and write files +## in the user home directories +##

+##
+gen_tunable(sftp_enable_homedirs, false) + type ftpd_t; type ftpd_exec_t; init_daemon_domain(ftpd_t, ftpd_exec_t) @@ -93,6 +126,14 @@ init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh) ') +type sftpd_t; +domain_type(sftpd_t) +role system_r types sftpd_t; + +type sftpd_anon_t; +domain_type(sftpd_anon_t) +role system_r types sftpd_anon_t; + ######################################## # # ftpd local policy @@ -101,7 +142,7 @@ allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_admin sys_nice sys_resource }; dontaudit ftpd_t self:capability sys_tty_config; allow ftpd_t self:process signal_perms; -allow ftpd_t self:process { getcap setcap setsched setrlimit }; +allow ftpd_t self:process { getpgid getcap setcap setsched setrlimit }; allow ftpd_t self:fifo_file rw_fifo_file_perms; allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms }; allow ftpd_t self:unix_stream_socket create_stream_socket_perms; 
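Review bot: The boolean descriptions in this hunk have a typo and loose wording that will surface in `semanage boolean -l` output: `Allow interlnal-sftp to read and write files` should be `Allow internal-sftp to read and write files`, and `Allow sftp-internal to login to local users and read/write all files on the system, governed by DAC.` reads better as `Allow internal-sftp sessions of local users to read and write all files on the system, subject only to DAC.` The names are also inconsistent (`sftpd_anon_write`, `sftpd_full_access`, `sftpd_write_ssh_home` versus `sftp_enable_homedirs`); renaming the last to `sftpd_enable_homedirs` before this ships avoids a compatibility rename later. `sftpd_full_access` is a near-root grant, so its text should say it is intended for administrators only.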
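Review bot: `sftpd_t` and `sftpd_anon_t` are declared with `domain_type` only and no executable entry type, so the only way into them is the `dyntransition` permission granted by the new `ftp_dyntransition_sftpd*` interfaces in ftp.if; a comment on the declarations should say so, e.g. `# entered only via setcon() from the sshd internal-sftp subsystem (ftp_dyntransition_sftpd*); no exec entry point`. Without it a reader will look for a missing domtrans, and the `role system_r types` lines give no hint of the intended caller.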
@@ -342,3 +383,76 @@ files_read_etc_files(ftpdctl_t) userdom_use_user_terminals(ftpdctl_t) + +####################################### +# +# sftpd-anon local policy +# + +files_read_etc_files(sftpd_anon_t) + +miscfiles_read_public_files(sftpd_anon_t) + +tunable_policy(`sftpd_anon_write',` + miscfiles_manage_public_files(sftpd_anon_t) +') + +####################################### +# +# sftpd local policy +# + +files_read_etc_files(sftpd_t) + +# allow read access to /home by default +userdom_read_user_home_content_files(sftpd_t) +userdom_read_user_home_content_symlinks(sftpd_t) +userdom_dontaudit_list_admin_dir(sftpd_t) + +tunable_policy(`sftpd_full_access',` + allow sftpd_t self:capability { dac_override dac_read_search }; + fs_read_noxattr_fs_files(sftpd_t) + auth_manage_all_files_except_shadow(sftpd_t) +') + +tunable_policy(`sftpd_write_ssh_home',` + ssh_manage_user_home_files(sftpd_t) +') + +tunable_policy(`sftp_enable_homedirs',` + allow sftpd_t self:capability { dac_override dac_read_search }; + + # allow access to /home + files_list_home(sftpd_t) + userdom_read_user_home_content_files(sftpd_t) + userdom_manage_user_home_content(sftpd_t) + + auth_read_all_dirs_except_shadow(sftpd_t) + auth_read_all_files_except_shadow(sftpd_t) + auth_read_all_symlinks_except_shadow(sftpd_t) +', ` + # Needed for permissive mode, to make sure everything gets labeled correctly + userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file }) +') + +tunable_policy(`sftp_enable_homedirs && use_nfs_home_dirs',` + fs_manage_nfs_dirs(sftpd_t) + fs_manage_nfs_files(sftpd_t) + fs_manage_nfs_symlinks(sftpd_t) +') + +tunable_policy(`sftp_enable_homedirs && use_samba_home_dirs',` + fs_manage_cifs_dirs(sftpd_t) + fs_manage_cifs_files(sftpd_t) + fs_manage_cifs_symlinks(sftpd_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_read_cifs_files(sftpd_t) + fs_read_cifs_symlinks(sftpd_t) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_read_nfs_files(sftpd_t) + 
fs_read_nfs_symlinks(ftpd_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.6.32/policy/modules/services/git.fc --- nsaserefpolicy/policy/modules/services/git.fc 2010-01-18 18:24:22.788540040 +0100 +++ serefpolicy-3.6.32/policy/modules/services/git.fc 2010-02-09 12:46:59.674881314 +0100 @@ -1,9 +1,16 @@ -/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0) -/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) +HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t, s0) +HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t, s0) -/srv/git(/.*)? gen_context(system_u:object_r:git_data_t, s0) +/srv/git(/.*)? gen_context(system_u:object_r:git_system_content_t, s0) /usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t, s0) -# Conflict with Fedora cgit fc spec. -/var/lib/git(/.*)? gen_context(system_u:object_r:git_data_t, s0) +/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_content_rw_t,s0) +/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) + +/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) + +/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0) + +/var/lib/git(/.*)? gen_context(system_u:object_r:git_system_content_t, s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.6.32/policy/modules/services/git.if --- nsaserefpolicy/policy/modules/services/git.if 2010-01-18 18:24:22.789540167 +0100 +++ serefpolicy-3.6.32/policy/modules/services/git.if 2010-02-09 12:46:59.675881993 +0100 @@ -1,4 +1,4 @@ -## Git daemon is a really simple server for Git repositories. +## Git - Fast Version Control System. ## ##
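Review bot: The last `use_nfs_home_dirs` block of the sftpd section grants `fs_read_nfs_symlinks(ftpd_t)` but is meant for the new domain, so sftp users with NFS homes will be denied following symlinks while ftpd_t gets a stray, probably redundant, rule; change it to `fs_read_nfs_symlinks(sftpd_t)`. Separately, `sftp_enable_homedirs` does far more than its description says: besides home content it grants `auth_read_all_dirs_except_shadow`/`auth_read_all_files_except_shadow`/`auth_read_all_symlinks_except_shadow` plus `dac_override dac_read_search`, i.e. read of every non-shadow file on the system; either drop those or document the boolean as system-wide read access. The else branch's `# Needed for permissive mode` comment also deserves a sentence on why a filetrans is installed while the boolean is off.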

## A really simple TCP git daemon that normally listens on @@ -6,27 +6,6 @@ ## connection asking for a service, and will serve that ## service if it is enabled. ##

-##

-## It verifies that the directory has the magic file -## git-daemon-export-ok, and it will refuse to export any -## git directory that has not explicitly been marked for -## export this way (unless the --export-all parameter is -## specified). If you pass some directory paths as -## git-daemon arguments, you can further restrict the -## offers to a whitelist comprising of those. -##

-##

-## By default, only upload-pack service is enabled, which -## serves git-fetch-pack and git-ls-remote clients, which -## are invoked from git-fetch, git-pull, and git-clone. -##

-##

-## This is ideally suited for read-only updates, i.e., -## pulling from git repositories. -##

-##

-## An upload-archive also exists to serve git-archive. -##

##
####################################### @@ -46,50 +25,172 @@ # interface(`git_session_role', ` gen_require(` - type gitd_session_t, gitd_exec_t, git_home_t; + type git_session_t, gitd_exec_t; ') ######################################## # - # Git daemon session data declarations. + # Git daemon session shared declarations. # - ## - ##

- ## Allow transitions to the Git daemon - ## session domain. - ##

- ##
- gen_tunable(gitd_session_transition, false) + role $1 types git_session_t; + + ######################################## + # + # Git daemon session shared policy. + # + + domtrans_pattern($2, gitd_exec_t, git_session_t) + + allow $2 git_session_t:process { ptrace signal_perms }; + ps_process_pattern($2, git_session_t) +') + +######################################## +## +## Create a set of derived types for Git +## daemon shared repository content. +## +## +## +## The prefix to be used for deriving type names. +## +## +# +template(`git_content_template',` - role $1 types gitd_session_t; + gen_require(` + attribute git_system_content; + attribute git_content; + ') ######################################## # - # Git daemon session data policy. + # Git daemon content shared declarations. + # + + type git_$1_content_t, git_system_content, git_content; + files_type(git_$1_content_t) +') + +######################################## +## +## Create a set of derived types for Git +## daemon shared repository roles. +## +## +## +## The prefix to be used for deriving type names. +## +## # +template(`git_role_template',` - tunable_policy(`gitd_session_transition', ` - domtrans_pattern($2, gitd_exec_t, gitd_session_t) - ', ` - can_exec($2, gitd_exec_t) + gen_require(` + class context contains; + role system_r; ') - allow $2 gitd_session_t:process { ptrace signal_perms }; - ps_process_pattern($2, gitd_session_t) + ######################################## + # + # Git daemon role shared declarations. + # + + attribute $1_usertype; - exec_files_pattern($2, git_home_t, git_home_t) - manage_dirs_pattern($2, git_home_t, git_home_t) - manage_files_pattern($2, git_home_t, git_home_t) + type $1_t; + userdom_unpriv_usertype($1, $1_t) + domain_type($1_t) - relabel_dirs_pattern($2, git_home_t, git_home_t) - relabel_files_pattern($2, git_home_t, git_home_t) + role $1_r types $1_t; + allow system_r $1_r; + + ######################################## + # + # Git daemon role shared policy. 
+ # + + allow $1_t self:context contains; + allow $1_t self:fifo_file rw_fifo_file_perms; + + corecmd_exec_bin($1_t) + corecmd_bin_entry_type($1_t) + corecmd_shell_entry_type($1_t) + + domain_interactive_fd($1_t) + domain_user_exemption_target($1_t) + + kernel_read_system_state($1_t) + + files_read_etc_files($1_t) + files_dontaudit_search_home($1_t) + + miscfiles_read_localization($1_t) + + git_rwx_generic_system_content($1_t) + + ssh_rw_stream_sockets($1_t) + + tunable_policy(`git_system_use_cifs',` + fs_exec_cifs_files($1_t) + fs_manage_cifs_dirs($1_t) + fs_manage_cifs_files($1_t) + ') + + tunable_policy(`git_system_use_nfs',` + fs_exec_nfs_files($1_t) + fs_manage_nfs_dirs($1_t) + fs_manage_nfs_files($1_t) + ') + + optional_policy(` + nscd_read_pid($1_t) + ') +') + +####################################### +## +## Allow specified domain access to the +## specified Git daemon content. +## +## +## +## Domain allowed access. +## +## +## +## +## Type of the object that access is allowed to. +## +## +# +interface(`git_content_delegation',` + gen_require(` + type $1, $2; + ') + + exec_files_pattern($1, $2, $2) + manage_dirs_pattern($1, $2, $2) + manage_files_pattern($1, $2, $2) + files_search_var($1) + + tunable_policy(`git_system_use_cifs',` + fs_exec_cifs_files($1) + fs_manage_cifs_dirs($1) + fs_manage_cifs_files($1) + ') + + tunable_policy(`git_system_use_nfs',` + fs_exec_nfs_files($1) + fs_manage_nfs_dirs($1) + fs_manage_nfs_files($1) + ') ') ######################################## ## -## Allow the specified domain to execute -## Git daemon data files. +## Allow the specified domain to manage +## and execute all Git daemon content. ## ## ## 
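Review bot: `git_role_template` builds a full login-style user domain (`userdom_unpriv_usertype`, shell and bin entry types, `corecmd_exec_bin`, `ssh_rw_stream_sockets`) whose only content grant is git_system_content_t, yet its doc block says only that it creates `derived types for Git daemon shared repository roles`; a reader cannot tell that `$1_t` is a domain users land in at login. Expand the description to say that, e.g. `Create a restricted login role whose users may execute binaries and manage generic system git content; intended for ssh accounts limited to git access` (if that is the intent). The template also uses `git_system_use_cifs` and `git_system_use_nfs`, whose `gen_tunable` declarations are not in this hunk (presumably git.te), and the rewritten `git_session_role` drops the admin-visible `gitd_session_transition` boolean and always transitions, which the interface description should mention.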
@@ -98,19 +199,46 @@ ## ## # -interface(`git_execute_data_files', ` +interface(`git_rwx_all_content',` gen_require(` - type git_data_t; + attribute git_content; ') - exec_files_pattern($1, git_data_t, git_data_t) + exec_files_pattern($1, git_content, git_content) + manage_dirs_pattern($1, git_content, git_content) + manage_files_pattern($1, git_content, git_content) + userdom_search_user_home_dirs($1) files_search_var($1) + + tunable_policy(`use_nfs_home_dirs',` + fs_exec_nfs_files($1) + fs_manage_nfs_dirs($1) + fs_manage_nfs_files($1) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_exec_cifs_files($1) + fs_manage_cifs_dirs($1) + fs_manage_cifs_files($1) + ') + + tunable_policy(`git_system_use_cifs',` + fs_exec_cifs_files($1) + fs_manage_cifs_dirs($1) + fs_manage_cifs_files($1) + ') + + tunable_policy(`git_system_use_nfs',` + fs_exec_nfs_files($1) + fs_manage_nfs_dirs($1) + fs_manage_nfs_files($1) + ') ') ######################################## ## ## Allow the specified domain to manage -## Git daemon data content. +## and execute all Git daemon system content. ## ## ## 
@@ -119,20 +247,33 @@ ## ## # -interface(`git_manage_data_content', ` +interface(`git_rwx_all_system_content',` gen_require(` - type git_data_t; + attribute git_system_content; ') - manage_dirs_pattern($1, git_data_t, git_data_t) - manage_files_pattern($1, git_data_t, git_data_t) + exec_files_pattern($1, git_system_content, git_system_content) + manage_dirs_pattern($1, git_system_content, git_system_content) + manage_files_pattern($1, git_system_content, git_system_content) files_search_var($1) + + tunable_policy(`git_system_use_cifs',` + fs_exec_cifs_files($1) + fs_manage_cifs_dirs($1) + fs_manage_cifs_files($1) + ') + + tunable_policy(`git_system_use_nfs',` + fs_exec_nfs_files($1) + fs_manage_nfs_dirs($1) + fs_manage_nfs_files($1) + ') ') ######################################## ## ## Allow the specified domain to manage -## Git daemon home content. +## and execute Git daemon generic system content. ## ## ## @@ -141,20 +282,33 @@ ## ## # -interface(`git_manage_home_content', ` +interface(`git_rwx_generic_system_content',` gen_require(` - type git_home_t; + type git_system_content_t; + ') + + exec_files_pattern($1, git_system_content_t, git_system_content_t) + manage_dirs_pattern($1, git_system_content_t, git_system_content_t) + manage_files_pattern($1, git_system_content_t, git_system_content_t) + files_search_var($1) + + tunable_policy(`git_system_use_cifs',` + fs_exec_cifs_files($1) + fs_manage_cifs_dirs($1) + fs_manage_cifs_files($1) ') - manage_dirs_pattern($1, git_home_t, git_home_t) - manage_files_pattern($1, git_home_t, git_home_t) - files_search_home($1) + tunable_policy(`git_system_use_nfs',` + fs_exec_nfs_files($1) + fs_manage_nfs_dirs($1) + fs_manage_nfs_files($1) + ') ') ######################################## ## ## Allow the specified domain to read -## Git daemon home content. +## all Git daemon content files. ## ## ## 
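Review bot: `git_rwx_all_system_content` and `git_rwx_generic_system_content` repeat byte-for-byte the same pair of `git_system_use_cifs`/`git_system_use_nfs` tunable blocks that also appear in `git_content_delegation` and `git_rwx_all_content` earlier in the file; when one of these later needs a fix (say, adding `fs_manage_nfs_symlinks`) the copies will drift. Factor the two blocks into one helper such as `git_rwx_remote_system_content($1)` and call it from each interface.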
@@ -163,20 +317,41 @@ ## ## # -interface(`git_read_home_content', ` +interface(`git_read_all_content_files',` gen_require(` - type git_home_t; + attribute git_content; + ') + + list_dirs_pattern($1, git_content, git_content) + read_files_pattern($1, git_content, git_content) + userdom_search_user_home_dirs($1) + files_search_var_lib($1) + + tunable_policy(`use_nfs_home_dirs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_list_cifs($1) + fs_read_cifs_files($1) + ') + + tunable_policy(`git_system_use_cifs',` + fs_list_cifs($1) + fs_read_cifs_files($1) ') - list_dirs_pattern($1, git_home_t, git_home_t) - read_files_pattern($1, git_home_t, git_home_t) - files_search_home($1) + tunable_policy(`git_system_use_nfs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + ') ') ######################################## ## ## Allow the specified domain to read -## Git daemon data content. +## Git daemon session content files. ## ## ## @@ -185,20 +360,30 @@ ## ## # -interface(`git_read_data_content', ` +interface(`git_read_session_content_files',` gen_require(` - type git_data_t; + type git_session_content_t; ') - list_dirs_pattern($1, git_data_t, git_data_t) - read_files_pattern($1, git_data_t, git_data_t) - files_search_var($1) + list_dirs_pattern($1, git_session_content_t, git_session_content_t) + read_files_pattern($1, git_session_content_t, git_session_content_t) + userdom_search_user_home_dirs($1) + + tunable_policy(`use_nfs_home_dirs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_list_cifs($1) + fs_read_cifs_files($1) + ') ') ######################################## ## -## Allow the specified domain to relabel -## Git daemon data content. +## Allow the specified domain to read +## all Git daemon system content files. ## ## ## 
@@ -207,20 +392,30 @@ ## ## # -interface(`git_relabel_data_content', ` +interface(`git_read_all_system_content_files',` gen_require(` - type git_data_t; + attribute git_system_content; ') - relabel_dirs_pattern($1, git_data_t, git_data_t) - relabel_files_pattern($1, git_data_t, git_data_t) - files_search_var($1) + list_dirs_pattern($1, git_system_content, git_system_content) + read_files_pattern($1, git_system_content, git_system_content) + files_search_var_lib($1) + + tunable_policy(`git_system_use_cifs',` + fs_list_cifs($1) + fs_read_cifs_files($1) + ') + + tunable_policy(`git_system_use_nfs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + ') ') ######################################## ## -## Allow the specified domain to relabel -## Git daemon home content. +## Allow the specified domain to read +## Git daemon generic system content files. ## ## ## 
@@ -229,57 +424,112 @@ ## ## # -interface(`git_relabel_home_content', ` +interface(`git_read_generic_system_content_files',` gen_require(` - type git_home_t; + type git_system_content_t; ') - relabel_dirs_pattern($1, git_home_t, git_home_t) - relabel_files_pattern($1, git_home_t, git_home_t) - files_search_home($1) + list_dirs_pattern($1, git_system_content_t, git_system_content_t) + read_files_pattern($1, git_system_content_t, git_system_content_t) + files_search_var_lib($1) + + tunable_policy(`git_system_use_cifs',` + fs_list_cifs($1) + fs_read_cifs_files($1) + ') + + tunable_policy(`git_system_use_nfs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + ') ') ######################################## ## -## All of the rules required to administrate an -## Git daemon system environment +## Allow the specified domain to relabel +## all Git daemon content. ## -## +## ## -## Prefix of the domain. Example, user would be -## the prefix for the user_t domain. +## Domain allowed access. ## ## +## +# +interface(`git_relabel_all_content',` + gen_require(` + attribute git_content; + ') + + relabel_dirs_pattern($1, git_content, git_content) + relabel_files_pattern($1, git_content, git_content) + userdom_search_user_home_dirs($1) + files_search_var_lib($1) +') + +######################################## +## +## Allow the specified domain to relabel +## all Git daemon system content. +## ## ## ## Domain allowed access. ## ## -## +## +# +interface(`git_relabel_all_system_content',` + gen_require(` + attribute git_system_content; + ') + + relabel_dirs_pattern($1, git_system_content, git_system_content) + relabel_files_pattern($1, git_system_content, git_system_content) + files_search_var_lib($1) +') + +######################################## ## -## The role to be allowed to manage the Git daemon domain. +## Allow the specified domain to relabel +## Git daemon generic system content. +## +## +## +## Domain allowed access. 
## ## ## # -interface(`git_system_admin', ` +interface(`git_relabel_generic_system_content',` gen_require(` - type gitd_t, gitd_exec_t; + type git_system_content_t; ') - allow $1 gitd_t:process { getattr ptrace signal_perms }; - ps_process_pattern($1, gitd_t) - - kernel_search_proc($1) - - manage_files_pattern($1, gitd_exec_t, gitd_exec_t) - - # This will not work since git-shell needs to execute gitd content thus public content files. - # There is currently no clean way to execute public content files. - # miscfiles_manage_public_files($1) + relabel_dirs_pattern($1, git_system_content_t, git_system_content_t) + relabel_files_pattern($1, git_system_content_t, git_system_content_t) + files_search_var_lib($1) +') - git_manage_data_content($1) - git_relabel_data_content($1) +######################################## +## +## Allow the specified domain to relabel +## Git daemon session content. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`git_relabel_session_content',` + gen_require(` + type git_session_content_t; + ') - seutil_domtrans_setfiles($1) + relabel_dirs_pattern($1, git_session_content_t, git_session_content_t) + relabel_files_pattern($1, git_session_content_t, git_session_content_t) + userdom_search_user_home_dirs($1) ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.6.32/policy/modules/services/git.te --- nsaserefpolicy/policy/modules/services/git.te 2010-01-18 18:24:22.790540016 +0100 +++ serefpolicy-3.6.32/policy/modules/services/git.te 2010-02-09 12:46:59.675881993 +0100 @@ -1,13 +1,5 @@ -policy_module(git, 1.0) - -attribute gitd_type; -attribute git_content_type; - -######################################## -# -# Git daemon system private declarations. -# +policy_module(git, 1.0.3) ## ##
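Review bot: `git_system_admin` is deleted from git.if with no replacement and no deprecated shim, so any role or admin module that called it (none is in view, so this is inferred) stops building, and the process-side rules it carried for the daemon (`getattr ptrace signal_perms`, ps_process_pattern) have no new home among the relabel interfaces that replace it. Keeping an interface of the same name, built on the new attributes and the interfaces this patch introduces, keeps callers working; a minimal version is sketched below.
```selinux
interface(`git_system_admin',`
	gen_require(`
		attribute git_domains;
	')

	allow $1 git_domains:process { getattr ptrace signal_perms };
	ps_process_pattern($1, git_domains)

	git_rwx_all_system_content($1)
	git_relabel_all_content($1)
')
```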

@@ -34,20 +26,29 @@ # # Git daemon global private declarations. # + +attribute git_domains; +attribute git_system_content; +attribute git_content; + type gitd_exec_t; -type gitd_t, gitd_type; -inetd_service_domain(gitd_t, gitd_exec_t) -role system_r types gitd_t; +######################################## +# +# Git daemon system private declarations. +# -type git_data_t, git_content_type; -files_type(git_data_t) +type git_system_t, git_domains; +inetd_service_domain(git_system_t, gitd_exec_t) +role system_r types git_system_t; -permissive gitd_t; +type git_system_content_t, git_system_content, git_content; +files_type(git_system_content_t) +typealias git_system_content_t alias git_data_t; ######################################## # -# Git daemon session session private declarations. +# Git daemon session private declarations. # ## 
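Review bot: `typealias git_system_content_t alias git_data_t;` preserves the old file label, but the domain rename a few lines above (`type git_system_t, git_domains;` replacing gitd_t) has no counterpart, so anything outside this module that names gitd_t — a local policy module or a semanage customization — fails to load after the upgrade; whether such references exist is not visible here. Adding `typealias git_system_t alias gitd_t;` next to the content alias keeps both names valid at no cost.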
@@ -58,85 +59,82 @@ ## gen_tunable(git_session_bind_all_unreserved_ports, false) -type gitd_session_t, gitd_type; -application_domain(gitd_session_t, gitd_exec_t) -ubac_constrained(gitd_session_t) - -type git_home_t, git_content_type; -userdom_user_home_content(git_home_t) +type git_session_t, git_domains; +application_domain(git_session_t, gitd_exec_t) +ubac_constrained(git_session_t) -permissive gitd_session_t; +type git_session_content_t, git_content; +userdom_user_home_content(git_session_content_t) ######################################## # # Git daemon global private policy. # -allow gitd_type self:fifo_file rw_fifo_file_perms; -allow gitd_type self:tcp_socket create_socket_perms; -allow gitd_type self:udp_socket create_socket_perms; -allow gitd_type self:unix_dgram_socket create_socket_perms; +allow git_domains self:fifo_file rw_fifo_file_perms; +allow git_domains self:netlink_route_socket create_netlink_socket_perms; +allow git_domains self:tcp_socket { create_socket_perms listen }; +allow git_domains self:udp_socket create_socket_perms; +allow git_domains self:unix_dgram_socket create_socket_perms; -corenet_all_recvfrom_netlabel(gitd_type) -corenet_all_recvfrom_unlabeled(gitd_type) +corenet_all_recvfrom_netlabel(git_domains) +corenet_all_recvfrom_unlabeled(git_domains) -corenet_tcp_sendrecv_all_if(gitd_type) -corenet_tcp_sendrecv_all_nodes(gitd_type) -corenet_tcp_sendrecv_all_ports(gitd_type) +corenet_tcp_bind_generic_node(git_domains) -corenet_tcp_bind_all_nodes(gitd_type) -corenet_tcp_bind_git_port(gitd_type) +corenet_tcp_sendrecv_generic_if(git_domains) +corenet_tcp_sendrecv_generic_node(git_domains) +corenet_tcp_sendrecv_generic_port(git_domains) -corecmd_exec_bin(gitd_type) +corenet_tcp_bind_git_port(git_domains) +corenet_sendrecv_git_server_packets(git_domains) -files_read_etc_files(gitd_type) -files_read_usr_files(gitd_type) +corecmd_exec_bin(git_domains) -fs_search_auto_mountpoints(gitd_type) +files_read_etc_files(git_domains) 
+files_read_usr_files(git_domains) -kernel_read_system_state(gitd_type) +fs_search_auto_mountpoints(git_domains) -logging_send_syslog_msg(gitd_type) +kernel_read_system_state(git_domains) -auth_use_nsswitch(gitd_type) +auth_use_nsswitch(git_domains) -miscfiles_read_localization(gitd_type) +logging_send_syslog_msg(git_domains) + +miscfiles_read_localization(git_domains) ######################################## # # Git daemon system repository private policy. # -list_dirs_pattern(gitd_t, git_content_type, git_content_type) -read_files_pattern(gitd_t, git_content_type, git_content_type) -files_search_var(gitd_t) - -# This will not work since git-shell needs to execute gitd content thus public content files. -# There is currently no clean way to execute public content files. -# miscfiles_read_public_files(gitd_t) +list_dirs_pattern(git_system_t, git_content, git_content) +read_files_pattern(git_system_t, git_content, git_content) +files_search_var(git_system_t) tunable_policy(`git_system_enable_homedirs', ` - userdom_search_user_home_dirs(gitd_t) + userdom_search_user_home_dirs(git_system_t) ') tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', ` - fs_list_nfs(gitd_t) - fs_read_nfs_files(gitd_t) + fs_list_nfs(git_system_t) + fs_read_nfs_files(git_system_t) ') tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', ` - fs_list_cifs(gitd_t) - fs_read_cifs_files(gitd_t) + fs_list_cifs(git_system_t) + fs_read_cifs_files(git_system_t) ') tunable_policy(`git_system_use_cifs', ` - fs_list_cifs(gitd_t) - fs_read_cifs_files(gitd_t) + fs_list_cifs(git_system_t) + fs_read_cifs_files(git_system_t) ') tunable_policy(`git_system_use_nfs', ` - fs_list_nfs(gitd_t) - fs_read_nfs_files(gitd_t) + fs_list_nfs(git_system_t) + fs_read_nfs_files(git_system_t) ') ######################################## 
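Review bot: `type git_session_content_t, git_content;` replaces git_home_t without a typealias, unlike git_data_t in the system section of this file; files already labeled git_home_t inside user home directories keep that label across a policy upgrade, and once the type no longer exists they become invalid and git_session_t loses its read access to them. Suggest `typealias git_session_content_t alias git_home_t;` right after the `userdom_user_home_content(git_session_content_t)` call. Whether any deployed system carries git_home_t labels is not visible here, so this is precautionary; the rest of the hunk (dropping the permissive lines and narrowing the network rules to generic interfaces, nodes and ports) is a welcome tightening.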
@@ -144,24 +142,24 @@ # Git daemon session repository private policy. # -list_dirs_pattern(gitd_session_t, git_home_t, git_home_t) -read_files_pattern(gitd_session_t, git_home_t, git_home_t) -userdom_search_user_home_dirs(gitd_session_t) +list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t) +read_files_pattern(git_session_t, git_session_content_t, git_session_content_t) +userdom_search_user_home_dirs(git_session_t) -userdom_use_user_terminals(gitd_session_t) +userdom_use_user_terminals(git_session_t) tunable_policy(`git_session_bind_all_unreserved_ports', ` - corenet_tcp_bind_all_unreserved_ports(gitd_session_t) + corenet_tcp_bind_all_unreserved_ports(git_session_t) ') tunable_policy(`use_nfs_home_dirs', ` - fs_list_nfs(gitd_session_t) - fs_read_nfs_files(gitd_session_t) + fs_list_nfs(git_session_t) + fs_read_nfs_files(git_session_t) ') tunable_policy(`use_samba_home_dirs', ` - fs_list_cifs(gitd_session_t) - fs_read_cifs_files(gitd_session_t) + fs_list_cifs(git_session_t) + fs_read_cifs_files(git_session_t) ') ######################################## @@ -169,5 +167,16 @@ # cgi git Declarations # +optional_policy(` apache_content_template(git) -git_read_data_content(httpd_git_script_t) + git_read_session_content_files(httpd_git_script_t) + files_dontaudit_getattr_tmp_dirs(httpd_git_script_t) +') + +######################################## +# +# Git-shell private policy. +# + +#git_role_template(git_shell) +#gen_user(git_shell_u, user, git_shell_r, s0, s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.fc serefpolicy-3.6.32/policy/modules/services/gpm.fc --- nsaserefpolicy/policy/modules/services/gpm.fc 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/gpm.fc 2010-02-16 22:45:57.818609498 +0100 
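Review bot: `git_read_session_content_files(httpd_git_script_t)` narrows the web CGI to repositories in user home directories, whereas the line it replaces, git_read_data_content, gave it the system repositories (git_data_t, now git_system_content_t); if the CGI is meant to serve the system repositories as before, this silently breaks it in enforcing mode. Use `git_read_all_content_files(httpd_git_script_t)` to cover both, or `git_read_all_system_content_files(httpd_git_script_t)` to keep the old scope. The two commented-out git_role_template/gen_user lines at the end are dead code and should either be dropped or carry a `# TODO:` stating what blocks them.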
@@ -5,3 +5,5 @@ /etc/gpm(/.*)? gen_context(system_u:object_r:gpm_conf_t,s0) /usr/sbin/gpm -- gen_context(system_u:object_r:gpm_exec_t,s0) + +/var/run/gpm\.pid -- gen_context(system_u:object_r:gpm_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.32/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2010-01-18 18:24:22.795530524 +0100 +++ serefpolicy-3.6.32/policy/modules/services/hal.te 2010-03-01 15:09:45.271494370 +0100 @@ -121,6 +121,7 @@ corenet_udp_sendrecv_all_ports(hald_t) dev_rw_usbfs(hald_t) +dev_read_rand(hald_t) dev_read_urand(hald_t) dev_read_input(hald_t) dev_read_mouse(hald_t) @@ -272,6 +273,10 @@ ') optional_policy(` + gnome_read_config(hald_t) +') + +optional_policy(` gpm_dontaudit_getattr_gpmctl(hald_t) ') @@ -331,6 +336,10 @@ ') optional_policy(` + usbmuxd_stream_connect(hald_t) +') + +optional_policy(` vbetool_domtrans(hald_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.6.32/policy/modules/services/inn.te --- nsaserefpolicy/policy/modules/services/inn.te 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/inn.te 2010-03-01 15:13:35.203742322 +0100 @@ -104,6 +104,7 @@ sysnet_read_config(innd_t) +userdom_stream_connect(innd_t) userdom_dontaudit_use_unpriv_user_fds(innd_t) userdom_dontaudit_search_user_home_dirs(innd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.6.32/policy/modules/services/kerberos.if --- nsaserefpolicy/policy/modules/services/kerberos.if 2010-01-18 18:24:22.799531033 +0100 +++ serefpolicy-3.6.32/policy/modules/services/kerberos.if 2010-01-22 17:08:10.300604739 +0100 
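Review bot: `gnome_read_config(hald_t)` hands a system hardware daemon read access to per-user GNOME configuration content, which is user data rather than hardware state; if the underlying denial came from a leaked descriptor or a path probe during device setup, a dontaudit is the safer fix, and if the read is genuine it deserves a comment naming the code path that needs it. The exact type gnome_read_config targets in this tree is not in view, so the breadth is inferred from the interface name. Suggested comment above the call: `# hald reads user GNOME settings for <reason>; switch to dontaudit if this is only a probe`.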
@@ -85,7 +85,7 @@ seutil_dontaudit_read_file_contexts($1) optional_policy(` - sssd_read_config_files($1) + sssd_read_public_files($1) ') tunable_policy(`allow_kerberos',` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.6.32/policy/modules/services/ldap.fc --- nsaserefpolicy/policy/modules/services/ldap.fc 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/ldap.fc 2010-02-23 14:49:51.037529698 +0100 @@ -1,5 +1,7 @@ /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) +/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) + /etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) /usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) @@ -15,3 +17,4 @@ /var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) +#/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.6.32/policy/modules/services/ldap.te --- nsaserefpolicy/policy/modules/services/ldap.te 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/ldap.te 2010-01-29 10:41:13.184864510 +0100 @@ -28,6 +28,9 @@ type slapd_replog_t; files_type(slapd_replog_t) +type slapd_log_t; +logging_log_file(slapd_log_t) + type slapd_tmp_t; files_tmp_file(slapd_tmp_t) 
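Review bot: `/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)` labels on-disk configuration with the database type, which slapd_t manages read-write elsewhere in this module, so the daemon can now rewrite its own configuration under /etc; that is how OpenLDAP's cn=config backend operates, but it is a deliberate departure from the read-only slapd_etc_t on the neighbouring slapd.conf entry and should say so. Suggest a comment above the entry: `# slapd.d is the cn=config backend and is written by slapd itself, hence slapd_db_t rather than slapd_etc_t`.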
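Review bot: The appended `#/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)` is a commented-out file context with no explanation, and ldap.fc already covers /var/run/openldap, slapd.args and slapd.pid on the lines above it. Either enable it with the socket class intended (`-s`) and a short reason, or drop it rather than leaving dead entries in the fc file.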
@@ -68,6 +71,10 @@ manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) +manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t) +manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t) +logging_log_filetrans(slapd_t, slapd_log_t, { file dir }) + manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir }) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.32/policy/modules/services/lircd.te --- nsaserefpolicy/policy/modules/services/lircd.te 2010-01-18 18:24:22.806540025 +0100 +++ serefpolicy-3.6.32/policy/modules/services/lircd.te 2010-02-01 20:50:49.950161278 +0100 @@ -1,5 +1,5 @@ -policy_module(lircd, 1.0.0) +policy_module(lircd, 1.0.1) ######################################## # @@ -24,9 +24,10 @@ # lircd local policy # -allow lircd_t self:process signal; +allow lircd_t self:capability { chown kill sys_admin }; +allow lircd_t self:process { fork signal }; allow lircd_t self:unix_dgram_socket create_socket_perms; -allow lircd_t self:fifo_file rw_file_perms; +allow lircd_t self:fifo_file rw_fifo_file_perms; allow lircd_t self:tcp_socket create_stream_socket_perms; # etc file diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.32/policy/modules/services/mailman.te --- nsaserefpolicy/policy/modules/services/mailman.te 2010-01-18 18:24:22.808530642 +0100 +++ serefpolicy-3.6.32/policy/modules/services/mailman.te 2010-01-22 17:16:41.576604913 +0100 
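Review bot: `allow lircd_t self:capability { chown kill sys_admin };` grants sys_admin, which unlocks a wide set of privileged operations (mounts, many driver ioctls, namespace changes), without saying which one lircd needs; chown and kill are plausible for a daemon that owns its socket and signals helpers, but sys_admin should be justified or denied quietly. If it stems from a probe lircd tolerates, replace it with `dontaudit lircd_t self:capability sys_admin;`; otherwise add `# sys_admin: required for <operation>` above the rule.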
@@ -55,6 +55,7 @@ apache_search_sys_script_state(mailman_cgi_t) apache_read_config(mailman_cgi_t) apache_dontaudit_rw_stream_sockets(mailman_cgi_t) + apache_dontaudit_leaks(mailman_cgi_t) ') ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.6.32/policy/modules/services/memcached.te --- nsaserefpolicy/policy/modules/services/memcached.te 2010-01-18 18:24:22.809536705 +0100 +++ serefpolicy-3.6.32/policy/modules/services/memcached.te 2010-01-19 11:45:44.999857263 +0100 @@ -1,5 +1,5 @@ -policy_module(memcached, 1.1.0) +policy_module(memcached, 1.1.1) ######################################## # @@ -22,9 +22,12 @@ # allow memcached_t self:capability { setuid setgid }; +dontaudit memcached_t self:capability sys_tty_config; +allow memcached_t self:process { fork setrlimit signal_perms }; allow memcached_t self:tcp_socket create_stream_socket_perms; allow memcached_t self:udp_socket { create_socket_perms listen }; allow memcached_t self:fifo_file rw_fifo_file_perms; +allow memcached_t self:unix_stream_socket create_stream_socket_perms; corenet_all_recvfrom_unlabeled(memcached_t) corenet_udp_sendrecv_generic_if(memcached_t) 
@@ -42,12 +45,15 @@ manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir }) -files_read_etc_files(memcached_t) - +kernel_read_kernel_sysctls(memcached_t) kernel_read_system_state(memcached_t) +files_read_etc_files(memcached_t) + auth_use_nsswitch(memcached_t) miscfiles_read_localization(memcached_t) -sysnet_dns_name_resolve(memcached_t) +term_dontaudit_use_all_user_ptys(memcached_t) +term_dontaudit_use_all_user_ttys(memcached_t) +term_dontaudit_use_console(memcached_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.6.32/policy/modules/services/modemmanager.te --- nsaserefpolicy/policy/modules/services/modemmanager.te 2010-01-18 18:24:22.810530337 +0100 +++ serefpolicy-3.6.32/policy/modules/services/modemmanager.te 2010-02-16 17:07:08.660598103 +0100 @@ -16,7 +16,7 @@ # # ModemManager local policy # -allow modemmanager_t self:capability { sys_admin sys_tty_config }; +allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config }; allow modemmanager_t self:process signal; allow modemmanager_t self:fifo_file rw_file_perms; allow modemmanager_t self:unix_stream_socket create_stream_socket_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.32/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2010-01-18 18:24:22.812540439 +0100 +++ serefpolicy-3.6.32/policy/modules/services/mta.if 2010-02-21 18:58:04.580309576 +0100 @@ -786,6 +786,25 @@ allow $1 mqueue_spool_t:dir search_dir_perms; ') +##################################### +##

+## List the mail queue. +## +## +## +## Domain allowed access. +## +## +# +interface(`mta_list_queue',` + gen_require(` + type mqueue_spool_t; + ') + + allow $1 mqueue_spool_t:dir list_dir_perms; + files_search_spool($1) +') + ####################################### ## ## Read the mail queue. @@ -902,3 +921,22 @@ allow $1 system_mail_t:process signal; ') + +####################################### +## +## Dontaudit read and write an leaked file descriptors +## +## +## +## The type of the process performing this action. +## +## +# +interface(`mta_dontaudit_leaks_system_mail',` + gen_require(` + type system_mail_t; + ') + + dontaudit $1 system_mail_t:fifo_file write; + dontaudit $1 system_mail_t:tcp_socket { read write }; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.32/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2010-01-18 18:24:22.813543710 +0100 +++ serefpolicy-3.6.32/policy/modules/services/mta.te 2010-02-02 10:43:31.244162625 +0100 @@ -132,6 +132,7 @@ optional_policy(` fail2ban_append_log(system_mail_t) + fail2ban_dontaudit_leaks(system_mail_t) ') optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.32/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2010-01-18 18:24:22.815530066 +0100 +++ serefpolicy-3.6.32/policy/modules/services/munin.te 2010-02-09 12:34:15.400865901 +0100 
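Review bot: The summary of mta_dontaudit_leaks_system_mail reads `Dontaudit read and write an leaked file descriptors`, which is ungrammatical and does not say whose descriptors are meant, and its parameter text `The type of the process performing this action.` differs from the `Domain allowed access.` wording used by mta_list_queue in the same patch. Suggest `Do not audit attempts to read and write leaked system_mail_t file descriptors (pipes and TCP sockets).` for the summary and `Domain to not audit.` for the parameter, matching the other dontaudit interfaces in refpolicy.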
@@ -134,6 +134,7 @@ optional_policy(` mta_read_config(munin_t) mta_send_mail(munin_t) + mta_list_queue(munin_t) mta_read_queue(munin_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.32/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2010-01-18 18:24:22.819530575 +0100 +++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2010-02-17 16:21:10.049863655 +0100 @@ -44,7 +44,7 @@ # Local policy # -allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service }; +allow mysqld_t self:capability { dac_override setgid setuid sys_resource ipc_lock net_bind_service }; dontaudit mysqld_t self:capability sys_tty_config; allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh }; allow mysqld_t self:fifo_file rw_fifo_file_perms; @@ -147,6 +147,8 @@ dontaudit mysqld_safe_t self:capability sys_ptrace; allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; +allow mysqld_safe_t mysqld_t:process signal_perms; + domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) @@ -156,6 +158,7 @@ domain_read_all_domains_state(mysqld_safe_t) +files_dontaudit_getattr_all_dirs(mysqld_safe_t) files_dontaudit_search_all_mountpoints(mysqld_safe_t) logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.32/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2010-01-18 18:24:22.821530899 +0100 +++ serefpolicy-3.6.32/policy/modules/services/nagios.fc 2010-02-15 12:58:59.258318229 +0100 
@@ -23,30 +23,68 @@ /usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) /usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) - +# admin plugins +/usr/lib(64)?/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0) # check disk plugins /usr/lib(64)?/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) + +# mail plugins +/usr/lib(64)?/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0) # system plugins -/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_mrtg -- 
gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) # services plugins /usr/lib(64)?/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_icmp -- 
gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib(64)?/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_smtp -- 
gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) + +# unconfined plugins +/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.32/policy/modules/services/nagios.if --- nsaserefpolicy/policy/modules/services/nagios.if 2010-01-18 18:24:22.821530899 +0100 +++ serefpolicy-3.6.32/policy/modules/services/nagios.if 2010-03-01 16:06:40.837490351 +0100 @@ -119,6 +119,26 @@ read_files_pattern($1, nagios_log_t, nagios_log_t) ') +####################################### +## +## Allow the specified domain to read +## nagios temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`nagios_rw_inerited_tmp_files',` + gen_require(` + type nagios_tmp_t; + ') + + allow $1 nagios_tmp_t:file rw_inherited_file_perms; + files_search_tmp($1) +') + ######################################## ## ## Create a set of derived types for various @@ -134,6 +154,7 @@ gen_require(` type nagios_t, nrpe_t; + type nagios_log_t, nagios_tmp_t; ') type nagios_$1_plugin_t; 
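Review bot: `check_by_ssh` is labeled nagios_unconfined_plugin_exec_t, so a check command taken from nagios' configuration now runs in an unconfined domain; check_by_ssh invokes ssh with an arbitrary remote command line from that configuration, which turns the nagios config into an unconfined code path. Unless the remaining denials are known to be unfixable, labeling it nagios_services_plugin_exec_t and transitioning to a confined ssh client domain via the ssh module would keep it inside policy. Separately, check_breeze and check_dummy sit under the `# system plugins` heading but carry nagios_services_plugin_exec_t, so either the heading or the label is wrong.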
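Review bot: The new interface is spelled `nagios_rw_inerited_tmp_files` — the h in inherited is missing — and interface names become API once shipped, so rename it to `nagios_rw_inherited_tmp_files` before any caller depends on it. Its summary also says `Allow the specified domain to read nagios temporary files` while the body grants rw_inherited_file_perms; suggest `Read and write inherited nagios temporary files.`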
@@ -150,8 +171,15 @@ # needed by command.cfg domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) + allow nagios_t nagios_$1_plugin_t:process signal_perms; + + allow nagios_$1_plugin_t nagios_tmp_t:file rw_inherited_file_perms; + # cjp: leaked file descriptor dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write }; + dontaudit nagios_$1_plugin_t nagios_log_t:file { read write }; + + files_search_tmp(nagios_$1_plugin_t) miscfiles_read_localization(nagios_$1_plugin_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2010-01-18 18:24:22.823530245 +0100 +++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2010-03-01 13:28:37.750491019 +0100 @@ -45,10 +45,18 @@ type nrpe_var_run_t; files_pid_file(nrpe_var_run_t) +# creates nagios_admin_plugin_exec_t for executable +# and nagios_admin_plugin_t for domain +nagios_plugin_template(admin) + # creates nagios_checkdisk_plugin_exec_t for executable # and nagios_checkdisk_plugin_t for domain nagios_plugin_template(checkdisk) +# creates nagios_mail_plugin_exec_t for executable +# and nagios_mail_plugin_t for domain +nagios_plugin_template(mail) + # creates nagios_services_plugin_exec_t for executable # and nagios_services_plugin_t for domain nagios_plugin_template(services) @@ -66,7 +74,9 @@ unconfined_domain(nagios_unconfined_plugin_t) ') +permissive nagios_admin_plugin_t; permissive nagios_checkdisk_plugin_t; +permissive nagios_mail_plugin_t; permissive nagios_services_plugin_t; permissive nagios_system_plugin_t; 
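Review bot: The template now inlines `allow nagios_$1_plugin_t nagios_tmp_t:file rw_inherited_file_perms;` plus `files_search_tmp(nagios_$1_plugin_t)`, which is exactly the body of the inherited-tmp interface this patch adds earlier in nagios.if; calling that interface from the template keeps a single definition of the rule. The new `dontaudit nagios_$1_plugin_t nagios_log_t:file { read write };` sits below the `# cjp: leaked file descriptor` rule but is not obviously covered by that comment; if the log file is another inherited descriptor, move it under the comment, otherwise give it its own reason. The template definition starts before this hunk.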
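Review bot: `permissive nagios_admin_plugin_t;` and `permissive nagios_mail_plugin_t;` ship the two new plugin domains with enforcement switched off, alongside the three existing permissive plugin domains; while permissive, the broad rules later given to nagios_admin_plugin_t (getattr on all files, devices and sockets) are never tested against real denials, so field reports won't tighten them. That is a normal bring-up step, but each permissive line should carry a tracking comment such as `# TODO: drop permissive once check_file_age/check_mailq denials are collected` so the domains do not ship unenforced indefinitely.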
@@ -82,9 +92,6 @@ allow nagios_t self:tcp_socket create_stream_socket_perms; allow nagios_t self:udp_socket create_socket_perms; -# needed by command.cfg -can_exec(nagios_t, nagios_checkdisk_plugin_exec_t) - read_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t) read_lnk_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t) allow nagios_t nagios_etc_t:dir list_dir_perms; @@ -118,6 +125,9 @@ corenet_udp_sendrecv_all_ports(nagios_t) corenet_tcp_connect_all_ports(nagios_t) +corenet_dontaudit_tcp_bind_all_reserved_ports(nagios_t) +corenet_dontaudit_udp_bind_all_reserved_ports(nagios_t) + dev_read_sysfs(nagios_t) dev_read_urand(nagios_t) @@ -253,6 +263,11 @@ ') optional_policy(` + mta_dontaudit_leaks_system_mail(nrpe_t) + mta_send_mail(nrpe_t) +') + +optional_policy(` seutil_sigchld_newrole(nrpe_t) ') 
@@ -264,6 +279,66 @@ udev_read_db(nrpe_t) ') +##################################### +# +# local policy for admin check plugins +# + +corecmd_read_bin_files(nagios_admin_plugin_t) +corecmd_read_bin_symlinks(nagios_admin_plugin_t) + +dev_read_urand(nagios_admin_plugin_t) + +files_read_etc_files(nagios_admin_plugin_t) + +# for check_file_age plugin +files_getattr_all_dirs(nagios_admin_plugin_t) +files_getattr_all_files(nagios_admin_plugin_t) +files_getattr_all_symlinks(nagios_admin_plugin_t) +files_getattr_all_pipes(nagios_admin_plugin_t) +files_getattr_all_sockets(nagios_admin_plugin_t) +files_getattr_all_file_type_fs(nagios_admin_plugin_t) +dev_getattr_all_chr_files(nagios_admin_plugin_t) +dev_getattr_all_blk_files(nagios_admin_plugin_t) + +###################################### +# +# local policy for mail check plugins +# + +allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; + +allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms; +allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms; +allow nagios_mail_plugin_t self:udp_socket create_socket_perms; + +kernel_read_system_state(nagios_mail_plugin_t) +kernel_read_kernel_sysctls(nagios_mail_plugin_t) + +corecmd_read_bin_files(nagios_mail_plugin_t) +corecmd_read_bin_symlinks(nagios_mail_plugin_t) + +dev_read_urand(nagios_mail_plugin_t) + +files_read_etc_files(nagios_mail_plugin_t) + +libs_use_lib_files(nagios_mail_plugin_t) +libs_use_ld_so(nagios_mail_plugin_t) + +logging_send_syslog_msg(nagios_mail_plugin_t) + +sysnet_read_config(nagios_mail_plugin_t) + +nscd_dontaudit_search_pid(nagios_mail_plugin_t) + +optional_policy(` + mta_send_mail(nagios_mail_plugin_t) +') + +optional_policy(` + postfix_stream_connect_master(nagios_mail_plugin_t) + posftix_exec_postqueue(nagios_mail_plugin_t) +') ###################################### # 
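Review bot: `posftix_exec_postqueue(nagios_mail_plugin_t)` carries a transposed-letter name; it only resolves because the new interface in postfix.if (hunk @@ -604,6 +623,24) is declared with the same misspelling, so both sides should be renamed to `postfix_exec_postqueue` before anything else starts depending on the typo. Separately, `allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };` has no comment; dac_override is usually a sign that a file is owned by a different uid than the process expects, so a comment naming the file or helper that triggers it (I cannot tell from the hunk) would let a maintainer check whether the capability is still needed. The admin section's `# for check_file_age plugin` comment is the model to follow.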
@@ -290,6 +365,8 @@ allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms; allow nagios_services_plugin_t self:udp_socket create_socket_perms; +kernel_read_system_state(nagios_services_plugin_t) + corecmd_exec_bin(nagios_services_plugin_t) corenet_tcp_connect_all_ports(nagios_services_plugin_t) @@ -315,6 +392,10 @@ mysql_stream_connect(nagios_services_plugin_t) ') +optional_policy(` + snmp_read_snmp_var_lib_files(nagios_services_plugin_t) +') + ###################################### # # local policy for system check plugins diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.32/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2010-01-18 18:24:22.823530245 +0100 +++ serefpolicy-3.6.32/policy/modules/services/networkmanager.fc 2010-02-01 18:05:10.499091573 +0100 @@ -17,6 +17,7 @@ /etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) /var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0) +/var/log/wicd.* gen_context(system_u:object_r:NetworkManager_log_t,s0) /var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.32/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2010-01-18 18:24:22.825542512 +0100 +++ serefpolicy-3.6.32/policy/modules/services/networkmanager.te 2010-02-01 20:40:02.343160698 +0100 
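Review bot: `/var/log/wicd.*` already covers every path the existing `/var/log/wicd(/.*)?` line matches, with the same context and no file-type qualifier, so after this change the older line is redundant. If the new entry is meant only for plain log files beside the directory, `/var/log/wicd\.log.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)` (constructed example) states that intent and keeps the directory rule meaningful; the `wpa_supplicant.*` line below uses the same `--` qualifier.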
@@ -51,6 +51,7 @@
 allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
 can_exec(NetworkManager_t, NetworkManager_exec_t)
+can_exec(NetworkManager_t, NetworkManager_tmp_t)
 manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
 logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.32/policy/modules/services/nis.fc
--- nsaserefpolicy/policy/modules/services/nis.fc 2010-01-18 18:24:22.826540614 +0100
+++ serefpolicy-3.6.32/policy/modules/services/nis.fc 2010-01-29 09:57:02.171614102 +0100
@@ -14,3 +14,8 @@
 /usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0)
 /var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
+
+/var/run/ypxfrd.* -- gen_context(system_u:object_r:ypxfr_var_run_t,s0)
+/var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0)
+/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
+/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.32/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te 2010-01-18 18:24:22.828542614 +0100
+++ serefpolicy-3.6.32/policy/modules/services/nis.te 2010-02-16 16:52:00.477848263 +0100
@@ -47,6 +47,9 @@
 type ypxfr_exec_t;
 init_daemon_domain(ypxfr_t, ypxfr_exec_t)
+type ypxfr_var_run_t;
+files_pid_file(ypxfr_var_run_t)
+
 type nis_initrc_exec_t;
 init_script_file(nis_initrc_exec_t)
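Review bot: `can_exec(NetworkManager_t, NetworkManager_tmp_t)` lets the daemon execute content in what is presumably its own writable tmp type (the manage rules for it are outside this hunk), which removes the write/execute separation that a tmp type normally gives a domain. If a helper or generated script genuinely has to run from there, a comment naming it is needed so the grant can be revisited, e.g. `# executes <helper> that it writes to its tmp dir`; a dedicated exec type reached via a filetrans would be the narrower alternative.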
@@ -56,7 +59,7 @@ dontaudit ypbind_t self:capability { net_admin sys_tty_config }; allow ypbind_t self:fifo_file rw_fifo_file_perms; -allow ypbind_t self:process signal_perms; +allow ypbind_t self:process { signal_perms getsched }; allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms; allow ypbind_t self:netlink_route_socket r_netlink_socket_perms; allow ypbind_t self:tcp_socket create_stream_socket_perms; @@ -312,6 +315,9 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms; +manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t) +files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file) + corenet_all_recvfrom_unlabeled(ypxfr_t) corenet_all_recvfrom_netlabel(ypxfr_t) corenet_tcp_sendrecv_generic_if(ypxfr_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.6.32/policy/modules/services/nx.if --- nsaserefpolicy/policy/modules/services/nx.if 2010-01-18 18:24:22.840530591 +0100 +++ serefpolicy-3.6.32/policy/modules/services/nx.if 2010-01-26 14:43:43.595472728 +0100 @@ -18,6 +18,24 @@ spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t) ') +####################################### +## +## Execute the NX server. +## +## +## +## Domain allowed access. +## +## +# +interface(`nx_exec_server',` + gen_require(` + type nx_server_exec_t; + ') + + can_exec($1, nx_server_exec_t) +') + ######################################## ## ## Read nx home directory content diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.32/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2010-01-18 18:24:22.843530414 +0100 +++ serefpolicy-3.6.32/policy/modules/services/openvpn.te 2010-01-26 14:19:37.820463477 +0100 
@@ -85,6 +85,7 @@
 corenet_udp_bind_generic_node(openvpn_t)
 corenet_tcp_bind_openvpn_port(openvpn_t)
 corenet_udp_bind_openvpn_port(openvpn_t)
+corenet_tcp_bind_http_port(openvpn_t)
 corenet_tcp_connect_openvpn_port(openvpn_t)
 corenet_tcp_connect_http_port(openvpn_t)
 corenet_tcp_connect_http_cache_port(openvpn_t)
@@ -102,6 +103,9 @@
 auth_use_pam(openvpn_t)
+init_read_utmp(openvpn_t)
+init_dontaudit_write_utmp(openvpn_t)
+
 logging_send_syslog_msg(openvpn_t)
 miscfiles_read_localization(openvpn_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.fc serefpolicy-3.6.32/policy/modules/services/plymouthd.fc
--- nsaserefpolicy/policy/modules/services/plymouthd.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/plymouthd.fc 2010-03-03 10:39:47.602620848 +0100
@@ -0,0 +1,9 @@
+/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t, s0)
+
+/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t, s0)
+
+/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t, s0)
+
+/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t, s0)
+
+/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t, s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.if serefpolicy-3.6.32/policy/modules/services/plymouthd.if
--- nsaserefpolicy/policy/modules/services/plymouthd.if 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/plymouthd.if 2010-03-03 10:39:47.604621019 +0100
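Review bot: `corenet_tcp_bind_http_port(openvpn_t)` makes the VPN daemon a listener on the http port; the surrounding rules only bind the openvpn port and connect outward to http, so this is a new inbound surface rather than a symmetric addition. A comment on the deployment that needs it (a server deliberately run on a web port, I assume, but the hunk does not say) would record why, and gating the bind behind a tunable would keep the default profile narrower for hosts that never use that configuration.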
@@ -0,0 +1,322 @@ +## policy for plymouthd + +######################################## +## +## Execute a domain transition to run plymouthd. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`plymouthd_domtrans', ` + gen_require(` + type plymouthd_t, plymouthd_exec_t; + ') + + domtrans_pattern($1, plymouthd_exec_t, plymouthd_t) +') + +######################################## +## +## Execute the plymoth daemon in the current domain +## +## +## +## Domain allowed to transition. +## +## +# +interface(`plymouthd_exec', ` + gen_require(` + type plymouthd_exec_t; + ') + + can_exec($1, plymouthd_exec_t) +') + +######################################## +## +## Execute the plymoth command in the current domain +## +## +## +## Domain allowed to transition. +## +## +# +interface(`plymouthd_exec_plymouth', ` + gen_require(` + type plymouth_exec_t; + ') + + can_exec($1, plymouth_exec_t) +') + +######################################## +## +## Execute a domain transition to run plymouthd. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`plymouthd_domtrans_plymouth', ` + gen_require(` + type plymouth_t, plymouth_exec_t; + ') + + domtrans_pattern($1, plymouth_exec_t, plymouth_t) +') + + +######################################## +## +## Read plymouthd PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`plymouthd_read_pid_files', ` + gen_require(` + type plymouthd_var_run_t; + ') + + files_search_pids($1) + allow $1 plymouthd_var_run_t:file read_file_perms; +') + +######################################## +## +## Manage plymouthd var_run files. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`plymouthd_manage_var_run', ` + gen_require(` + type plymouthd_var_run_t; + ') + + manage_dirs_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t) + manage_files_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t) + manage_lnk_files_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t) +') + + +######################################## +## +## Search plymouthd lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`plymouthd_search_lib', ` + gen_require(` + type plymouthd_var_lib_t; + ') + + allow $1 plymouthd_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## Read plymouthd lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`plymouthd_read_lib_files', ` + gen_require(` + type plymouthd_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t) +') + +######################################## +## +## Create, read, write, and delete +## plymouthd lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`plymouthd_manage_lib_files', ` + gen_require(` + type plymouthd_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t) +') + +######################################## +## +## Manage plymouthd var_lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`plymouthd_manage_var_lib', ` + gen_require(` + type plymouthd_var_lib_t; + ') + + manage_dirs_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t) + manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t) + manage_lnk_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t) +') + + +######################################## +## +## Search plymouthd spool directories. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`plymouthd_search_spool', ` + gen_require(` + type plymouthd_spool_t; + ') + + allow $1 plymouthd_spool_t:dir search_dir_perms; + files_search_spool($1) +') + +######################################## +## +## Read plymouthd spool files. +## +## +## +## Domain allowed access. +## +## +# +interface(`plymouthd_read_spool_files', ` + gen_require(` + type plymouthd_spool_t; + ') + + files_search_spool($1) + read_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t) +') + +######################################## +## +## Create, read, write, and delete +## plymouthd spool files. +## +## +## +## Domain allowed access. +## +## +# +interface(`plymouthd_manage_spool_files', ` + gen_require(` + type plymouthd_spool_t; + ') + + files_search_spool($1) + manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t) +') + +######################################## +## +## Allow domain to manage plymouthd spool files +## +## +## +## Domain allowed access +## +## +# +interface(`plymouthd_manage_spool', ` + gen_require(` + type plymouthd_spool_t; + ') + + manage_dirs_pattern($1, plymouthd_spool_t, plymouthd_spool_t) + manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t) + manage_lnk_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t) +') + +######################################## +## +## All of the rules required to administrate +## an plymouthd environment +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`plymouthd_admin', ` + gen_require(` + type plymouthd_t; + ') + + allow $1 plymouthd_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, plymouthd_t, plymouthd_t) + + plymouthd_manage_var_run($1) + + plymouthd_manage_var_lib($1) + + plymouthd_manage_spool($1) +') + +######################################## +## +## Allow domain to Stream socket connect +## to Plymouth daemon. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`plymouthd_stream_connect', ` + gen_require(` + type plymouthd_t; + ') + + allow $1 plymouthd_t:unix_stream_socket connectto; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.te serefpolicy-3.6.32/policy/modules/services/plymouthd.te --- nsaserefpolicy/policy/modules/services/plymouthd.te 1970-01-01 01:00:00.000000000 +0100 +++ serefpolicy-3.6.32/policy/modules/services/plymouthd.te 2010-03-03 10:39:47.605611921 +0100 
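Review bot: The summary on `plymouthd_domtrans_plymouth` reads `## Execute a domain transition to run plymouthd.` but the body transitions into plymouth_t, not plymouthd_t; it was copied from plymouthd_domtrans and should say `## Execute a domain transition to run the plymouth client.`. The summaries of plymouthd_exec and plymouthd_exec_plymouth both misspell the program as "plymoth". plymouthd_admin documents a second "Role allowed access" parameter, yet its body never references `$2`; either drop that parameter from the documentation or have the interface actually use the role as the doc promises. The deleted plymouth.if carried the same three issues, so the rename was the moment to fix them.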
@@ -0,0 +1,105 @@ +policy_module(plymouthd, 1.0.0) + +######################################## +# +# Plymouthd private declarations +# + +type plymouthd_t; +type plymouthd_exec_t; +init_daemon_domain(plymouthd_t, plymouthd_exec_t) + +type plymouthd_var_run_t; +files_pid_file(plymouthd_var_run_t) + +type plymouthd_var_lib_t; +files_type(plymouthd_var_lib_t) + +type plymouthd_spool_t; +files_type(plymouthd_spool_t) + +######################################## +# +# Plymouth private declarations +# + +type plymouth_t; +type plymouth_exec_t; +init_daemon_domain(plymouth_t, plymouth_exec_t) + +######################################## +# +# Plymouthd private policy +# + +allow plymouthd_t self:capability { sys_admin sys_tty_config }; +dontaudit plymouthd_t self:capability dac_override; +allow plymouthd_t self:process signal; +allow plymouthd_t self:fifo_file rw_fifo_file_perms; +allow plymouthd_t self:unix_stream_socket create_stream_socket_perms; + +kernel_read_system_state(plymouthd_t) +kernel_request_load_module(plymouthd_t) +kernel_change_ring_buffer_level(plymouthd_t) + +dev_rw_dri(plymouthd_t) +dev_read_sysfs(plymouthd_t) +dev_read_framebuffer(plymouthd_t) +dev_write_framebuffer(plymouthd_t) + +domain_use_interactive_fds(plymouthd_t) + +files_read_etc_files(plymouthd_t) +files_read_usr_files(plymouthd_t) + +miscfiles_read_localization(plymouthd_t) +miscfiles_read_fonts(plymouthd_t) +miscfiles_manage_fonts_cache(plymouthd_t) + +manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) +manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) +files_pid_filetrans(plymouthd_t,plymouthd_var_run_t, { file dir }) + +manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) +manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) +files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir }) + +manage_dirs_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t) 
+manage_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t) +manage_sock_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t) +files_spool_filetrans(plymouthd_t,plymouthd_spool_t, { file dir sock_file }) + +######################################## +# +# Plymouth private policy +# + +allow plymouth_t self:process { signal }; +allow plymouth_t self:fifo_file rw_file_perms; +allow plymouth_t self:unix_stream_socket create_stream_socket_perms; + +kernel_read_system_state(plymouth_t) +kernel_stream_connect(plymouth_t) + +domain_use_interactive_fds(plymouth_t) + +files_read_etc_files(plymouth_t) + +miscfiles_read_localization(plymouth_t) + +sysnet_read_config(plymouth_t) + +term_use_ptmx(plymouth_t) + +plymouthd_stream_connect(plymouth_t) + +optional_policy(` + lvm_domtrans(plymouth_t) +') + +ifdef(`hide_broken_symptoms', ` +optional_policy(` + hal_dontaudit_write_log(plymouth_t) + hal_dontaudit_rw_pipes(plymouth_t) +') +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.fc serefpolicy-3.6.32/policy/modules/services/plymouth.fc --- nsaserefpolicy/policy/modules/services/plymouth.fc 2010-01-18 18:24:22.846530865 +0100 +++ serefpolicy-3.6.32/policy/modules/services/plymouth.fc 1970-01-01 01:00:00.000000000 +0100 
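Review bot: `allow plymouth_t self:fifo_file rw_file_perms;` uses the generic file permission set on the fifo_file class; the daemon's own line in the same file uses `rw_fifo_file_perms`, the set meant for that class, so change it to `allow plymouth_t self:fifo_file rw_fifo_file_perms;`. Two smaller consistency points: `allow plymouth_t self:process { signal };` wraps a single permission in braces while the plymouthd_t line writes `signal` bare, and `files_pid_filetrans(plymouthd_t,plymouthd_var_run_t, { file dir })` plus the matching files_spool_filetrans call are missing the space after the first comma that every other call in the file has. Dropping the `permissive` lines the deleted plymouth.te carried is the right direction and is worth a changelog line so they are not reintroduced.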
@@ -1,5 +0,0 @@
-/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t, s0)
-/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t, s0)
-/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t, s0)
-/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t, s0)
-/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t, s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.if serefpolicy-3.6.32/policy/modules/services/plymouth.if
--- nsaserefpolicy/policy/modules/services/plymouth.if 2010-01-18 18:24:22.847540282 +0100
+++ serefpolicy-3.6.32/policy/modules/services/plymouth.if 1970-01-01 01:00:00.000000000 +0100
@@ -1,304 +0,0 @@ -## policy for plymouthd - -######################################## -## -## Execute a domain transition to run plymouthd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`plymouth_domtrans', ` - gen_require(` - type plymouthd_t, plymouthd_exec_t; - ') - - domtrans_pattern($1, plymouthd_exec_t, plymouthd_t) -') - -######################################## -## -## Execute a plymoth command in the current domain -## -## -## -## Domain allowed to transition. -## -## -# -interface(`plymouth_exec_plymouth', ` - gen_require(` - type plymouth_exec_t; - ') - - can_exec($1, plymouth_exec_t) -') - -######################################## -## -## Execute a domain transition to run plymouthd. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`plymouth_domtrans_plymouth', ` - gen_require(` - type plymouth_t, plymouth_exec_t; - ') - - domtrans_pattern($1, plymouth_exec_t, plymouth_t) -') - - -######################################## -## -## Read plymouthd PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`plymouth_read_pid_files', ` - gen_require(` - type plymouthd_var_run_t; - ') - - files_search_pids($1) - allow $1 plymouthd_var_run_t:file read_file_perms; -') - -######################################## -## -## Manage plymouthd var_run files. -## -## -## -## Domain allowed access. -## -## -# -interface(`plymouth_manage_var_run', ` - gen_require(` - type plymouthd_var_run_t; - ') - - manage_dirs_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t) - manage_files_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t) - manage_lnk_files_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t) -') - - -######################################## -## -## Search plymouthd lib directories. -## -## -## -## Domain allowed access. 
-## -## -# -interface(`plymouth_search_lib', ` - gen_require(` - type plymouthd_var_lib_t; - ') - - allow $1 plymouthd_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## -## Read plymouthd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`plymouth_read_lib_files', ` - gen_require(` - type plymouthd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t) -') - -######################################## -## -## Create, read, write, and delete -## plymouthd lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`plymouth_manage_lib_files', ` - gen_require(` - type plymouthd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t) -') - -######################################## -## -## Manage plymouthd var_lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`plymouth_manage_var_lib', ` - gen_require(` - type plymouthd_var_lib_t; - ') - - manage_dirs_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t) - manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t) - manage_lnk_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t) -') - - -######################################## -## -## Search plymouthd spool directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`plymouth_search_spool', ` - gen_require(` - type plymouthd_spool_t; - ') - - allow $1 plymouthd_spool_t:dir search_dir_perms; - files_search_spool($1) -') - -######################################## -## -## Read plymouthd spool files. -## -## -## -## Domain allowed access. 
-## -## -# -interface(`plymouth_read_spool_files', ` - gen_require(` - type plymouthd_spool_t; - ') - - files_search_spool($1) - read_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t) -') - -######################################## -## -## Create, read, write, and delete -## plymouthd spool files. -## -## -## -## Domain allowed access. -## -## -# -interface(`plymouth_manage_spool_files', ` - gen_require(` - type plymouthd_spool_t; - ') - - files_search_spool($1) - manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t) -') - -######################################## -## -## Allow domain to manage plymouthd spool files -## -## -## -## Domain allowed access -## -## -# -interface(`plymouth_manage_spool', ` - gen_require(` - type plymouthd_spool_t; - ') - - manage_dirs_pattern($1, plymouthd_spool_t, plymouthd_spool_t) - manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t) - manage_lnk_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t) -') - -######################################## -## -## All of the rules required to administrate -## an plymouthd environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# -interface(`plymouth_admin', ` - gen_require(` - type plymouthd_t; - ') - - allow $1 plymouthd_t:process { ptrace signal_perms getattr }; - read_files_pattern($1, plymouthd_t, plymouthd_t) - - plymouthd_manage_var_run($1) - - plymouthd_manage_var_lib($1) - - plymouthd_manage_spool($1) -') - -######################################## -## -## Allow domain to Stream socket connect -## to Plymouth daemon. -## -## -## -## Domain allowed access. 
-## -## -# -interface(`plymouth_stream_connect', ` - gen_require(` - type plymouthd_t; - ') - - allow $1 plymouthd_t:unix_stream_socket connectto; -') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.6.32/policy/modules/services/plymouth.te --- nsaserefpolicy/policy/modules/services/plymouth.te 2010-01-18 18:24:22.847540282 +0100 +++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 1970-01-01 01:00:00.000000000 +0100 
@@ -1,102 +0,0 @@ -policy_module(plymouthd, 1.0.0) - -######################################## -# -# Plymouthd private declarations -# - -type plymouthd_t; -type plymouthd_exec_t; -init_daemon_domain(plymouthd_t, plymouthd_exec_t) - -permissive plymouthd_t; - -type plymouthd_var_run_t; -files_pid_file(plymouthd_var_run_t) - -type plymouthd_var_lib_t; -files_type(plymouthd_var_lib_t) - -type plymouthd_spool_t; -files_type(plymouthd_spool_t) - -######################################## -# -# Plymouth private declarations -# - -type plymouth_t; -type plymouth_exec_t; -init_daemon_domain(plymouth_t, plymouth_exec_t) - -permissive plymouth_t; - -######################################## -# -# Plymouthd private policy -# - -allow plymouthd_t self:capability { sys_admin sys_tty_config }; -allow plymouthd_t self:process { signal }; -allow plymouthd_t self:fifo_file rw_fifo_file_perms; -allow plymouthd_t self:unix_stream_socket create_stream_socket_perms; - -kernel_read_system_state(plymouthd_t) -kernel_request_load_module(plymouthd_t) -kernel_change_ring_buffer_level(plymouthd_t) - -dev_rw_dri(plymouthd_t) -dev_read_sysfs(plymouthd_t) -dev_read_framebuffer(plymouthd_t) -dev_write_framebuffer(plymouthd_t) - -domain_use_interactive_fds(plymouthd_t) - -files_read_etc_files(plymouthd_t) -files_read_usr_files(plymouthd_t) - -miscfiles_read_localization(plymouthd_t) -miscfiles_read_fonts(plymouthd_t) - -manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) -manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) -files_pid_filetrans(plymouthd_t,plymouthd_var_run_t, { file dir }) - -manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) -manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) -files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir }) - -manage_dirs_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t) -manage_files_pattern(plymouthd_t, plymouthd_spool_t, 
plymouthd_spool_t) -manage_sock_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t) -files_spool_filetrans(plymouthd_t,plymouthd_spool_t, { file dir sock_file }) - -######################################## -# -# Plymouth private policy -# - -allow plymouth_t self:process { signal }; -allow plymouth_t self:fifo_file rw_file_perms; -allow plymouth_t self:unix_stream_socket create_stream_socket_perms; - -kernel_stream_connect(plymouth_t) - -domain_use_interactive_fds(plymouth_t) - -files_read_etc_files(plymouth_t) - -miscfiles_read_localization(plymouth_t) - -plymouth_stream_connect(plymouth_t) - -optional_policy(` - lvm_domtrans(plymouth_t) -') - -ifdef(`hide_broken_symptoms', ` -optional_policy(` - hal_dontaudit_write_log(plymouth_t) - hal_dontaudit_rw_pipes(plymouth_t) -') -') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.32/policy/modules/services/policykit.te --- nsaserefpolicy/policy/modules/services/policykit.te 2010-01-18 18:24:22.850542758 +0100 +++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2010-03-02 16:54:44.272615486 +0100 @@ -1,5 +1,5 @@ -policy_module(policykit, 1.0.1) +policy_module(policykit, 1.1.0) ######################################## # @@ -36,8 +36,8 @@ # policykit local policy # -allow policykit_t self:capability { setgid setuid sys_ptrace }; -allow policykit_t self:process { getsched getattr }; +allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_ptrace }; +allow policykit_t self:process { getsched getattr signal }; allow policykit_t self:fifo_file rw_fifo_file_perms; allow policykit_t self:unix_dgram_socket create_socket_perms; 
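Review bot: `allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_ptrace };` adds two DAC-bypass capabilities with no note of which access needed them. dac_read_search already lets the daemon read and search files regardless of ownership, so dac_override is only required if it must also write or change such files; if the trigger was a read denial, keep dac_read_search alone and add a comment naming the file, e.g. `# dac_read_search: reads <file from the denial> owned by another uid`. The version bump in the first hunk is fine.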
@@ -61,9 +61,9 @@ kernel_read_system_state(policykit_t) kernel_read_kernel_sysctls(policykit_t) -files_dontaudit_search_all_mountpoints(policykit_t) files_read_etc_files(policykit_t) files_read_usr_files(policykit_t) +files_dontaudit_search_all_mountpoints(policykit_t) fs_list_inotifyfs(policykit_t) @@ -89,14 +89,18 @@ ') ') +optional_policy(` + gnome_read_config(policykit_t) +') + ######################################## # # polkit_auth local policy # allow policykit_auth_t self:capability { setgid setuid }; -dontaudit policykit_auth_t self:capability { sys_tty_config }; -allow policykit_auth_t self:process { getattr getsched }; +dontaudit policykit_auth_t self:capability sys_tty_config; +allow policykit_auth_t self:process { getattr getsched signal }; allow policykit_auth_t self:fifo_file rw_fifo_file_perms; allow policykit_auth_t self:unix_dgram_socket create_socket_perms; @@ -115,6 +119,8 @@ manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir }) +dev_read_video_dev(policykit_auth_t) + files_read_etc_files(policykit_auth_t) files_read_usr_files(policykit_auth_t) files_search_home(policykit_auth_t) @@ -129,8 +135,10 @@ miscfiles_read_localization(policykit_auth_t) miscfiles_read_fonts(policykit_auth_t) +miscfiles_setattr_fonts_cache_dirs(policykit_auth_t) userdom_dontaudit_read_user_home_content_files(policykit_auth_t) +userdom_read_admin_home_files(policykit_auth_t) optional_policy(` dbus_system_domain( policykit_auth_t, policykit_auth_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.32/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2010-01-18 18:24:22.853540347 +0100 +++ serefpolicy-3.6.32/policy/modules/services/postfix.if 2010-02-15 12:27:32.822569677 +0100 
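Review bot: `dev_read_video_dev(policykit_auth_t)` is an unusual grant for an authentication agent and has no comment; a process in this domain touching video devices is more likely a library probing hardware at startup than something the agent needs, in which case a dontaudit is the safer choice. If the read really is required, say which component needs it, e.g. `# <component> opens the video device read-only at startup`.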
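Review bot: `userdom_read_admin_home_files(policykit_auth_t)` gives the auth agent read access to everything under the administrator's home, whereas the line above it only silences denials for ordinary users' home content; the asymmetry suggests one specific file under the admin home is being read, and that file should be named in a comment so the grant can later be narrowed to a dedicated type, e.g. `# reads <file> from the admin home directory`. `miscfiles_setattr_fonts_cache_dirs(policykit_auth_t)` in the same hunk looks like another library side effect and could equally use a one-line note.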
@@ -395,6 +395,25 @@ can_exec($1, postfix_master_exec_t) ') +####################################### +## +## Connect to postfix master process using a unix domain stream socket. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`postfix_stream_connect_master',` + gen_require(` + type postfix_master_t, postfix_public_t; + ') + +stream_connect_pattern($1, postfix_public_t, postfix_public_t, postfix_master_t) +') + ######################################## ## ## Create a named socket in a postfix private directory. @@ -604,6 +623,24 @@ domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t) ') +####################################### +## +## Execute the master postqueue in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`posftix_exec_postqueue',` + gen_require(` + type postfix_postqueue_exec_t; + ') + + can_exec($1, postfix_postqueue_exec_t) +') + ######################################## ## ## Execute the master postdrop in the diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.32/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2010-01-18 18:24:22.855540671 +0100 +++ serefpolicy-3.6.32/policy/modules/services/postfix.te 2010-01-18 18:27:02.768530934 +0100 @@ -443,6 +443,7 @@ optional_policy(` spamassassin_domtrans_client(postfix_pipe_t) + spamassassin_kill_client(postfix_pipe_t) ') optional_policy(` @@ -486,7 +487,7 @@ ') optional_policy(` - sendmail_dontaudit_rw_unix_stream_sockets(postfix_postdrop_t) + sendmail_rw_unix_stream_sockets(postfix_postdrop_t) ') optional_policy(` 
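Review bot: The body line `stream_connect_pattern($1, postfix_public_t, postfix_public_t, postfix_master_t)` in the new postfix_stream_connect_master interface sits at column 0 inside the interface block, unlike `can_exec($1, postfix_master_exec_t)` in the interface just above it; indent it one level like every other interface body in the file.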
@@ -573,6 +574,8 @@
 # Postfix smtp delivery local policy
 #
+allow postfix_smtp_t self:capability { sys_chroot };
+
 # connect to master process
 stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t },postfix_master_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.6.32/policy/modules/services/ppp.fc
--- nsaserefpolicy/policy/modules/services/ppp.fc 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/ppp.fc 2010-02-01 15:04:13.696080784 +0100
@@ -3,6 +3,8 @@
 #
 /etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+/root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0)
+
 /etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0)
 /etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
 /etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.32/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te 2010-01-18 18:24:22.860530341 +0100
+++ serefpolicy-3.6.32/policy/modules/services/ppp.te 2010-02-16 17:01:56.727848442 +0100
@@ -71,7 +71,7 @@
 # PPPD Local policy
 #
-allow pppd_t self:capability { kill net_admin setuid setgid fsetid fowner net_raw dac_override };
+allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override };
 dontaudit pppd_t self:capability sys_tty_config;
 allow pppd_t self:process signal;
 allow pppd_t self:fifo_file rw_fifo_file_perms;
@@ -122,6 +122,7 @@
 kernel_read_network_state(pppd_t)
 kernel_request_load_module(pppd_t)
+dev_getattr_modem_dev(pppd_t)
 dev_read_urand(pppd_t)
 dev_search_sysfs(pppd_t)
 dev_read_sysfs(pppd_t)
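Review bot: `/root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0)` leaves the dot unescaped, so the pattern also matches any single-character variant of that name; the context line `/etc/rc\.d/init\.d/ppp` in the same hunk shows the file's convention, so write `/root/\.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0)`.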
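Review bot: The capability set for pppd_t grows by `sys_admin`, the broadest capability available, with no comment on which operation forces it (a tty or interface ioctl would be my guess, but the hunk does not say). Since the same line already carries net_admin and net_raw for network configuration, a comment naming the denied operation is needed so sys_admin can be removed again once the need is met more narrowly, e.g. `# sys_admin: <operation from the denial>`.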
@@ -167,6 +168,7 @@ auth_use_nsswitch(pppd_t) +logging_send_audit_msgs(pppd_t) logging_send_syslog_msg(pppd_t) miscfiles_read_localization(pppd_t) @@ -192,6 +194,10 @@ ') optional_policy(` + hal_dontaudit_rw_dgram_sockets(pppd_t) +') + +optional_policy(` mta_send_mail(pppd_t) mta_system_content(pppd_etc_t) mta_system_content(pppd_etc_rw_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.32/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 2010-01-18 18:24:22.861530469 +0100 +++ serefpolicy-3.6.32/policy/modules/services/prelude.te 2010-01-26 15:37:38.488473779 +0100 @@ -250,6 +250,8 @@ files_read_etc_files(prelude_lml_t) files_read_etc_runtime_files(prelude_lml_t) +fs_getattr_all_fs(prelude_lml_t) +fs_list_inotifyfs(prelude_lml_t) fs_rw_anon_inodefs_files(prelude_lml_t) auth_use_nsswitch(prelude_lml_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.if serefpolicy-3.6.32/policy/modules/services/qmail.if --- nsaserefpolicy/policy/modules/services/qmail.if 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/qmail.if 2010-02-15 12:32:28.414320834 +0100 
@@ -99,6 +99,24 @@ ') ') +##################################### +## +## Execute the qmail_queue in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`qmail_exec_queue',` + gen_require(` + type qmail_queue_exec_t; + ') + + can_exec($1, qmail_queue_exec_t) +') + ######################################## ## ## Read qmail configuration files. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.6.32/policy/modules/services/rgmanager.if --- nsaserefpolicy/policy/modules/services/rgmanager.if 2010-01-18 18:24:22.870539995 +0100 +++ serefpolicy-3.6.32/policy/modules/services/rgmanager.if 2010-02-23 19:35:04.211525807 +0100 @@ -16,7 +16,7 @@ ') corecmd_search_bin($1) - domrans_pattern($1,rgmanager_exec_t,rgmanager_t) + domtrans_pattern($1,rgmanager_exec_t,rgmanager_t) ') 
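Review bot: The separator line above `qmail_exec_queue` is shorter than the `########################################` rule the file uses for the interface that follows it; pad it to the same width. The interface body itself (`can_exec($1, qmail_queue_exec_t)`) matches the shape of the other `*_exec_*` interfaces in this patch and needs no change.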
@@ -57,3 +57,41 @@ stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t) ') +####################################### +## +## Read/write rgmanager tmpfs files. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`rgmanager_manage_tmpfs_files',` + gen_require(` + type rgmanager_tmpfs_t; + ') + + fs_search_tmpfs($1) + manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t) + manage_lnk_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t) +') + +###################################### +## +## Allow manage rgmanager tmp files. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`rgmanager_manage_tmp_files',` + gen_require(` + type rgmanager_tmp_t; + ') + + manage_dirs_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t) + manage_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.6.32/policy/modules/services/rgmanager.te --- nsaserefpolicy/policy/modules/services/rgmanager.te 2010-01-18 18:24:22.871540122 +0100 +++ serefpolicy-3.6.32/policy/modules/services/rgmanager.te 2010-03-01 09:17:31.825491287 +0100 @@ -22,6 +22,9 @@ type rgmanager_tmp_t; files_tmp_file(rgmanager_tmp_t) +type rgmanager_tmpfs_t; +files_tmpfs_file(rgmanager_tmpfs_t) + # log files type rgmanager_var_log_t; logging_log_file(rgmanager_var_log_t) @@ -36,8 +39,9 @@ # rgmanager local policy # -allow rgmanager_t self:capability { sys_nice ipc_lock }; +allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock }; dontaudit rgmanager_t self:capability { sys_ptrace }; + allow rgmanager_t self:process { setsched signal }; dontaudit rgmanager_t self:process { ptrace }; 
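Review bot: `rgmanager_manage_tmpfs_files` is documented as `Read/write rgmanager tmpfs files.` but grants `manage_files_pattern` and `manage_lnk_files_pattern`, i.e. create, delete and rename as well; either change the summary to `Create, read, write, and delete rgmanager tmpfs files and symlinks.` or narrow the rules to `rw_files_pattern`. `rgmanager_manage_tmp_files` below it has the opposite gap: it grants manage on `rgmanager_tmp_t` dirs and files but, unlike its tmpfs sibling's `fs_search_tmpfs($1)`, adds no `files_search_tmp($1)`, so a caller without its own /tmp search access cannot reach the files it is allowed to manage. The two parameter descriptions also say `The type of the process performing this action.` while the other interfaces in this patch use `Domain allowed access.`.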
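Review bot: The capability set for rgmanager_t grows from `{ sys_nice ipc_lock }` to include `dac_override net_raw sys_resource sys_admin` in one line with no comment; `sys_admin` plus `dac_override` is close to unrestricted root, and nothing in this hunk says which cluster operation needs each one. Add a why-comment per capability or per group, e.g. `# dac_override/sys_admin: resource scripts mount and manage filesystems — TODO confirm`, so a later reviewer can separate required grants from audit2allow output. Note that a later hunk in this same file adds `unconfined_domain(rgmanager_t)` inside an `optional_policy`, which makes this list irrelevant wherever the unconfined module is loaded — worth reconciling the two.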
@@ -51,6 +55,10 @@ manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t) files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir }) +manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t) +manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t) +fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t,{ dir file }) + # log files manage_files_pattern(rgmanager_t, rgmanager_var_log_t,rgmanager_var_log_t) logging_log_filetrans(rgmanager_t,rgmanager_var_log_t,{ file }) 
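Review bot: `fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t,{ dir file })` is missing the space after the second comma that the neighbouring `files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir })` context line has; write `fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file })`. A `# tmpfs files` heading above the three new lines, matching the `# log files` comment that follows, would keep the section headings consistent.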
@@ -60,35 +68,44 @@ manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) files_pid_filetrans(rgmanager_t,rgmanager_var_run_t, { file sock_file }) -aisexec_stream_connect(rgmanager_t) -groupd_stream_connect(rgmanager_t) - corecmd_exec_bin(rgmanager_t) corecmd_exec_sbin(rgmanager_t) corecmd_exec_shell(rgmanager_t) +corecmd_exec_ls(rgmanager_t) consoletype_exec(rgmanager_t) kernel_read_kernel_sysctls(rgmanager_t) +kernel_read_rpc_sysctls(rgmanager_t) +kernel_read_system_state(rgmanager_t) +kernel_rw_rpc_sysctls(rgmanager_t) +kernel_sigkill(rgmanager_t) kernel_search_debugfs(rgmanager_t) +kernel_search_network_state(rgmanager_t) -fs_getattr_xattr_fs(rgmanager_t) +fs_getattr_all_fs(rgmanager_t) # need to write to /dev/misc/dlm-control -dev_manage_generic_chr_files(rgmanager_t) +dev_rw_dlm_control(rgmanager_t) +dev_setattr_dlm_control(rgmanager_t) dev_search_sysfs(rgmanager_t) domain_read_all_domains_state(rgmanager_t) domain_getattr_all_domains(rgmanager_t) domain_dontaudit_ptrace_all_domains(rgmanager_t) +storage_raw_read_fixed_disk(rgmanager_t) + # needed by resources scripts auth_read_all_files_except_shadow(rgmanager_t) auth_dontaudit_getattr_shadow(rgmanager_t) -files_list_all(rgmanager_t) -files_getattr_all_symlinks(rgmanager_t) - files_create_var_run_dirs(rgmanager_t) +files_getattr_all_symlinks(rgmanager_t) +files_list_all(rgmanager_t) +files_manage_mnt_files(rgmanager_t) +files_manage_mnt_symlinks(rgmanager_t) +files_manage_isid_type_files(rgmanager_t) +files_manage_isid_type_dirs(rgmanager_t) fs_getattr_xattr_fs(rgmanager_t) @@ -104,11 +121,18 @@ miscfiles_read_localization(rgmanager_t) +mount_domtrans(rgmanager_t) + tunable_policy(`rgmanager_can_network_connect',` corenet_tcp_connect_all_ports(rgmanager_t) ') # rgmanager can run resource scripts +optional_policy(` + aisexec_stream_connect(rgmanager_t) + corosync_stream_connect(rgmanager_t) + groupd_stream_connect(rgmanager_t) +') optional_policy(` apache_domtrans(rgmanager_t) 
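Review bot: With `fs_getattr_xattr_fs(rgmanager_t)` replaced by `fs_getattr_all_fs(rgmanager_t)` near the top of this hunk, the `fs_getattr_xattr_fs(rgmanager_t)` context line at the end of the hunk is now fully subsumed and should be dropped. The new `files_manage_isid_type_files(rgmanager_t)` and `files_manage_isid_type_dirs(rgmanager_t)` grant full write access to files and directories that still carry the initial "file" SID (as I read the files module, content on not-yet-labeled filesystems — confirm), which is an unusually broad grant for a daemon; a comment naming the files involved would document why relabeling them is not the better fix. Replacing `dev_manage_generic_chr_files` with `dev_rw_dlm_control`/`dev_setattr_dlm_control` under the existing `# need to write to /dev/misc/dlm-control` comment is a clear tightening, though `dev_setattr_dlm_control` deserves a word on why changing the device's attributes is needed.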
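Review bot: The comment `# rgmanager can run resource scripts` now sits directly above the new `optional_policy` block containing `aisexec_stream_connect`/`corosync_stream_connect`/`groupd_stream_connect`, which are cluster-stack connections, not resource scripts; the comment described the `apache_domtrans(rgmanager_t)` block that follows it. Move the new block above the comment (or give it its own `# cluster stack` heading) and leave a blank line before the following `optional_policy(`` as the rest of the file does. `mount_domtrans(rgmanager_t)` is added unconditionally while every other cross-module call in this file is wrapped in `optional_policy`; if mount is guaranteed present that is fine, but a short comment would save the next reader the check.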
@@ -158,11 +182,16 @@ ') optional_policy(` + ricci_dontaudit_rw_modcluster_pipes(rgmanager_t) +') + +optional_policy(` rpc_initrc_domtrans_nfsd(rgmanager_t) rpc_initrc_domtrans_rpcd(rgmanager_t) rpc_domtrans_nfsd(rgmanager_t) rpc_domtrans_rpcd(rgmanager_t) + rpc_manage_nfs_state_data(rgmanager_t) ') optional_policy(` @@ -183,5 +212,16 @@ udev_read_db(rgmanager_t) ') +optional_policy(` + unconfined_domain(rgmanager_t) +') + +optional_policy(` + virt_stream_connect(rgmanager_t) +') + +optional_policy(` + xen_domtrans_xm(rgmanager_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.6.32/policy/modules/services/rhcs.fc --- nsaserefpolicy/policy/modules/services/rhcs.fc 2010-01-18 18:24:22.872542275 +0100 +++ serefpolicy-3.6.32/policy/modules/services/rhcs.fc 2010-02-17 15:54:23.838864423 +0100 
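Review bot: `unconfined_domain(rgmanager_t)` in the hunk at `@@ -183,5 +212,16 @@` makes rgmanager_t effectively unconfined on every system where the unconfined module is loaded, so the tightening in the earlier rgmanager.te hunks — the capability list, `dev_rw_dlm_control` replacing `dev_manage_generic_chr_files`, the dontaudits — has no effect there. If this is a deliberate stopgap, say so in a comment with what is missing, e.g. `# TODO: rgmanager runs arbitrary resource scripts; drop unconfined_domain once they are confined`, or gate it behind a tunable so administrators who want confinement can opt out. Without such a note the next maintainer cannot tell intent from leftover.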
@@ -1,19 +1,20 @@ -/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) +/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) /var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0) /var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0) -/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0) +/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0) /usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0) +/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0) /var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0) /var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0) /var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0) -/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0) +/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0) /var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0) /var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0) -/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0) +/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0) /var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0) /usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.6.32/policy/modules/services/rhcs.if --- nsaserefpolicy/policy/modules/services/rhcs.if 2010-01-18 18:24:22.873540027 +0100 +++ serefpolicy-3.6.32/policy/modules/services/rhcs.if 2010-02-21 18:55:41.750325266 +0100 
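Review bot: The four `/sbin/...` entries are replaced by `/usr/sbin/...` rather than extended, so on an install where the binaries still live in /sbin they fall back to the generic bin label and the `init_daemon_domain` transitions for dlm_controld, fenced, gfs_controld and groupd stop happening. Unless the target layout is certain, keep both forms, e.g. `/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)` next to the new line (or one `/(usr/)?sbin/dlm_controld` pattern), and likewise for the other three. The new `/var/lock/fence_manual\.lock` entry is fine as written.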
@@ -1,5 +1,63 @@ ## SELinux policy for RHCS - Red Hat Cluster Suite +####################################### +## +## Creates types and rules for a basic +## cluster init daemon domain. +## +## +## +## Prefix for the domain. +## +## +# +template(`rhcs_domain_template',` + + gen_require(` + attribute cluster_domain; + ') + + ############################## + # + # $1_t declarations + # + + type $1_t, cluster_domain; + type $1_exec_t; + init_daemon_domain($1_t, $1_exec_t) + + type $1_tmpfs_t; + files_tmpfs_file($1_tmpfs_t) + + # log files + type $1_var_log_t; + logging_log_file($1_var_log_t) + + # pid files + type $1_var_run_t; + files_pid_file($1_var_run_t) + + ############################## + # + # $1_t local policy + # + # + + manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + fs_tmpfs_filetrans($1_t, $1_tmpfs_t,{ dir file }) + + manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) + manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t) + manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t) + files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file }) + + manage_files_pattern($1_t, $1_var_log_t,$1_var_log_t) + manage_sock_files_pattern($1_t, $1_var_log_t,$1_var_log_t) + logging_log_filetrans($1_t,$1_var_log_t,{ file sock_file }) + +') + ###################################### ## ## Execute a domain transition to run groupd. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.6.32/policy/modules/services/rhcs.te --- nsaserefpolicy/policy/modules/services/rhcs.te 2010-01-18 18:24:22.874530726 +0100 +++ serefpolicy-3.6.32/policy/modules/services/rhcs.te 2010-03-01 09:19:23.343490629 +0100 @@ -1,5 +1,5 @@ -policy_module(rhcs,1.0.0) +policy_module(rhcs,1.1.0) ######################################## # 
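Review bot: `rhcs_domain_template` grants every instantiated domain the union of what the individual daemons previously had — `manage_fifo_files_pattern` on `$1_var_run_t` with `files_pid_filetrans(... { file fifo_file })` came only from fenced, and `manage_sock_files_pattern` on `$1_var_log_t` with `{ file sock_file }` only from qdiskd — so dlm_controld, gfs_controld and groupd gain fifo and socket permissions they did not have before; if that widening is intended, a sentence in the template's description should say so. The local-policy banner has a stray extra `#` line (`# $1_t local policy # #`). `fs_tmpfs_filetrans($1_t, $1_tmpfs_t,{ dir file })`, `manage_files_pattern($1_t, $1_var_log_t,$1_var_log_t)` and `logging_log_filetrans($1_t,$1_var_log_t,{ file sock_file })` are missing spaces after commas that the other lines in the template have.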
@@ -13,125 +13,44 @@ ## gen_tunable(fenced_can_network_connect, false) -type dlm_controld_t; -type dlm_controld_exec_t; -init_daemon_domain(dlm_controld_t, dlm_controld_exec_t) +attribute cluster_domain; -# log files -type dlm_controld_var_log_t; -logging_log_file(dlm_controld_var_log_t) +rhcs_domain_template(dlm_controld) -# pid files -type dlm_controld_var_run_t; -files_pid_file(dlm_controld_var_run_t) - -type dlm_controld_tmpfs_t; -files_tmpfs_file(dlm_controld_tmpfs_t) - - -type fenced_t; -type fenced_exec_t; -init_daemon_domain(fenced_t, fenced_exec_t) +rhcs_domain_template(fenced) # tmp files type fenced_tmp_t; files_tmp_file(fenced_tmp_t) -type fenced_tmpfs_t; -files_tmpfs_file(fenced_tmpfs_t) - -# log files -type fenced_var_log_t; -logging_log_file(fenced_var_log_t) - -# pid files -type fenced_var_run_t; -files_pid_file(fenced_var_run_t) - -type gfs_controld_t; -type gfs_controld_exec_t; -init_daemon_domain(gfs_controld_t, gfs_controld_exec_t) - -# log files -type gfs_controld_var_log_t; -logging_log_file(gfs_controld_var_log_t) +type fenced_lock_t; +files_lock_file(fenced_lock_t) -# pid files -type gfs_controld_var_run_t; -files_pid_file(gfs_controld_var_run_t) +rhcs_domain_template(gfs_controld) -type gfs_controld_tmpfs_t; -files_tmpfs_file(gfs_controld_tmpfs_t) +rhcs_domain_template(groupd) - -type groupd_t; -type groupd_exec_t; -init_daemon_domain(groupd_t, groupd_exec_t) - -# log files -type groupd_var_log_t; -logging_log_file(groupd_var_log_t) - -# pid files -type groupd_var_run_t; -files_pid_file(groupd_var_run_t) - -type groupd_tmpfs_t; -files_tmpfs_file(groupd_tmpfs_t) - -type qdiskd_t; -type qdiskd_exec_t; -init_daemon_domain(qdiskd_t, qdiskd_exec_t) - -type qdiskd_tmpfs_t; -files_tmpfs_file(qdiskd_tmpfs_t) +rhcs_domain_template(qdiskd) # var/lib files type qdiskd_var_lib_t; files_type(qdiskd_var_lib_t) -# log files -type qdiskd_var_log_t; -logging_log_file(qdiskd_var_log_t) - -# pid files -type qdiskd_var_run_t; -files_pid_file(qdiskd_var_run_t) 
- ##################################### # # dlm_controld local policy # -allow dlm_controld_t self:capability { net_admin sys_admin sys_nice sys_resource }; -allow dlm_controld_t self:process setsched; +allow dlm_controld_t self:capability { net_admin sys_admin sys_resource }; -allow dlm_controld_t self:sem create_sem_perms; -allow dlm_controld_t self:fifo_file rw_fifo_file_perms; -allow dlm_controld_t self:unix_stream_socket { create_stream_socket_perms }; -allow dlm_controld_t self:unix_dgram_socket { create_socket_perms }; allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms; -manage_dirs_pattern(dlm_controld_t, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t) -manage_files_pattern(dlm_controld_t, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t) -fs_tmpfs_filetrans(dlm_controld_t, dlm_controld_tmpfs_t,{ dir file }) - -# log files -manage_files_pattern(dlm_controld_t, dlm_controld_var_log_t,dlm_controld_var_log_t) -logging_log_filetrans(dlm_controld_t,dlm_controld_var_log_t,{ file }) - -# pid files -manage_files_pattern(dlm_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t) -manage_sock_files_pattern(dlm_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t) -files_pid_filetrans(dlm_controld_t,dlm_controld_var_run_t, { file }) - stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) -aisexec_stream_connect(dlm_controld_t) -ccs_stream_connect(dlm_controld_t) -groupd_stream_connect(dlm_controld_t) +stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) kernel_read_system_state(dlm_controld_t) +dev_rw_dlm_control(dlm_controld_t) dev_rw_sysfs(dlm_controld_t) fs_manage_configfs_files(dlm_controld_t) 
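Review bot: `aisexec_stream_connect(dlm_controld_t)` is removed together with the per-domain `ccs_stream_connect`/`groupd_stream_connect` calls, but unlike ccs (which reappears in the `cluster_domain` common block) the aisexec connection does not come back anywhere in rhcs.te — the common block only adds `corosync_stream_connect`; the same removal happens for fenced_t, gfs_controld_t, groupd_t and qdiskd_t in the later hunks of this file. rgmanager.te in this same patch keeps `aisexec_stream_connect` beside `corosync_stream_connect`, so if openais is still a supported stack add `aisexec_stream_connect(cluster_domain)` in its own `optional_policy` block in the common section; if it is intentionally dropped, say so in the changelog. Converting `groupd_stream_connect(dlm_controld_t)` to a direct `stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)` is fine inside the same module. This hunk starts on L241.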
@@ -139,25 +58,14 @@ init_rw_script_tmp_files(dlm_controld_t) -libs_use_ld_so(dlm_controld_t) -libs_use_shared_libs(dlm_controld_t) - -logging_send_syslog_msg(dlm_controld_t) - -miscfiles_read_localization(dlm_controld_t) - ####################################### # # fenced local policy # -allow fenced_t self:capability { sys_nice sys_rawio sys_resource }; -allow fenced_t self:process { setsched getsched }; +allow fenced_t self:capability { sys_rawio sys_resource }; +allow fenced_t self:process getsched; -allow fenced_t self:fifo_file rw_fifo_file_perms; -allow fenced_t self:sem create_sem_perms; -allow fenced_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow fenced_t self:unix_dgram_socket create_socket_perms; allow fenced_t self:tcp_socket create_stream_socket_perms; allow fenced_t self:udp_socket create_socket_perms; 
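Review bot: Removing `allow fenced_t self:unix_stream_socket { create_stream_socket_perms connectto };` drops `connectto` for fenced_t: the replacement common rule `allow cluster_domain self:unix_stream_socket create_stream_socket_perms;` in the `rhcs domains common policy` hunk does not include it, so fenced connecting to a stream socket it created itself would now be denied. Either keep `allow fenced_t self:unix_stream_socket connectto;` in the fenced section or add `connectto` to the common rule if all cluster domains need it. The `sys_nice`/`setsched` removals here are covered by the common block and are fine.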
@@ -166,25 +74,17 @@ # tmp files manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t) manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t) -files_tmp_filetrans(fenced_t, fenced_tmp_t, { file dir }) +manage_fifo_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t) +files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) -manage_dirs_pattern(fenced_t, fenced_tmpfs_t, fenced_tmpfs_t) -manage_files_pattern(fenced_t, fenced_tmpfs_t, fenced_tmpfs_t) -fs_tmpfs_filetrans(fenced_t, fenced_tmpfs_t,{ dir file }) - -# log files -manage_files_pattern(fenced_t, fenced_var_log_t,fenced_var_log_t) -logging_log_filetrans(fenced_t,fenced_var_log_t,{ file }) - -# pid file -manage_files_pattern(fenced_t, fenced_var_run_t,fenced_var_run_t) -manage_sock_files_pattern(fenced_t, fenced_var_run_t, fenced_var_run_t) -manage_fifo_files_pattern(fenced_t, fenced_var_run_t, fenced_var_run_t) -files_pid_filetrans(fenced_t,fenced_var_run_t, { file fifo_file }) +manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t) +files_lock_filetrans(fenced_t,fenced_lock_t,file) stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) -aisexec_stream_connect(fenced_t) -ccs_stream_connect(fenced_t) + +kernel_read_system_state(fenced_t) + +corenet_tcp_connect_http_port(fenced_t) corecmd_exec_bin(fenced_t) @@ -195,19 +95,13 @@ storage_raw_write_fixed_disk(fenced_t) storage_raw_read_removable_device(fenced_t) +term_getattr_pty_fs(fenced_t) term_use_ptmx(fenced_t) auth_use_nsswitch(fenced_t) files_read_usr_symlinks(fenced_t) -libs_use_ld_so(fenced_t) -libs_use_shared_libs(fenced_t) - -logging_send_syslog_msg(fenced_t) - -miscfiles_read_localization(fenced_t) - tunable_policy(`fenced_can_network_connect',` corenet_tcp_connect_all_ports(fenced_t) ') @@ -217,10 +111,6 @@ ') optional_policy(` - corosync_stream_connect(fenced_t) -') - -optional_policy(` lvm_domtrans(fenced_t) lvm_read_config(fenced_t) ') 
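Review bot: `corenet_tcp_connect_http_port(fenced_t)` is granted unconditionally although this file already has a `fenced_can_network_connect` tunable governing `corenet_tcp_connect_all_ports(fenced_t)`, visible later in this hunk; if the http access is for a particular fence agent, name it in a comment (`# fence_<agent> talks to its controller over http — TODO confirm`), otherwise consider placing the line under the tunable so nodes without network fencing do not carry it. `files_lock_filetrans(fenced_t,fenced_lock_t,file)` is missing spaces after the commas; write `files_lock_filetrans(fenced_t, fenced_lock_t, file)`. Adding `fifo_file` to `files_tmp_filetrans` alongside the new `manage_fifo_files_pattern` on `fenced_tmp_t` is consistent and fine.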
@@ -230,53 +120,26 @@ # gfs_controld local policy # -allow gfs_controld_t self:capability { net_admin sys_nice sys_resource }; -allow gfs_controld_t self:process setsched; +allow gfs_controld_t self:capability { net_admin sys_resource }; -allow gfs_controld_t self:sem create_sem_perms; allow gfs_controld_t self:shm create_shm_perms; -allow gfs_controld_t self:fifo_file rw_fifo_file_perms; -allow gfs_controld_t self:unix_stream_socket { create_stream_socket_perms }; -allow gfs_controld_t self:unix_dgram_socket { create_socket_perms }; allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms; -manage_dirs_pattern(gfs_controld_t, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t) -manage_files_pattern(gfs_controld_t, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t) -fs_tmpfs_filetrans(gfs_controld_t, gfs_controld_tmpfs_t,{ dir file }) - -# log files -manage_files_pattern(gfs_controld_t, gfs_controld_var_log_t,gfs_controld_var_log_t) -logging_log_filetrans(gfs_controld_t,gfs_controld_var_log_t,{ file }) - -# pid files -manage_files_pattern(gfs_controld_t, gfs_controld_var_run_t, gfs_controld_var_run_t) -manage_sock_files_pattern(gfs_controld_t, gfs_controld_var_run_t, gfs_controld_var_run_t) -files_pid_filetrans(gfs_controld_t,gfs_controld_var_run_t, { file }) - -stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t) - -aisexec_stream_connect(gfs_controld_t) -ccs_stream_connect(gfs_controld_t) -groupd_stream_connect(gfs_controld_t) +stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) +stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) kernel_read_system_state(gfs_controld_t) storage_getattr_removable_dev(gfs_controld_t) -dev_manage_generic_chr_files(gfs_controld_t) -#dev_read_sysfs(gfs_controld_t) +dev_rw_dlm_control(gfs_controld_t) 
+dev_setattr_dlm_control(gfs_controld_t) + dev_rw_sysfs(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t) -libs_use_ld_so(gfs_controld_t) -libs_use_shared_libs(gfs_controld_t) - -logging_send_syslog_msg(gfs_controld_t) - -miscfiles_read_localization(gfs_controld_t) - optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) 
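Review bot: `dev_setattr_dlm_control(gfs_controld_t)` lets gfs_controld change the attributes (mode/owner) of the dlm control device, which is more than the `dev_rw_dlm_control` next to it needs for I/O; if the daemon only probes the node, the rw grant alone or a dontaudit is the right treatment, so a comment naming the operation (`# chmod of /dev/misc/dlm-control at startup — TODO confirm`) should justify it. Replacing `dev_manage_generic_chr_files(gfs_controld_t)` with the device-specific pair is a clear tightening. This hunk starts on L245.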
@@ -290,78 +153,29 @@ allow groupd_t self:capability { sys_nice sys_resource }; allow groupd_t self:process setsched; -allow groupd_t self:sem create_sem_perms; allow groupd_t self:shm create_shm_perms; -allow groupd_t self:fifo_file rw_fifo_file_perms; -allow groupd_t self:unix_stream_socket create_stream_socket_perms; -allow groupd_t self:unix_dgram_socket create_socket_perms; - -manage_dirs_pattern(groupd_t, groupd_tmpfs_t, groupd_tmpfs_t) -manage_files_pattern(groupd_t, groupd_tmpfs_t, groupd_tmpfs_t) -fs_tmpfs_filetrans(groupd_t, groupd_tmpfs_t,{ dir file }) - -# log files -manage_files_pattern(groupd_t, groupd_var_log_t,groupd_var_log_t) -logging_log_filetrans(groupd_t,groupd_var_log_t,{ file }) - -# pid files -manage_files_pattern(groupd_t, groupd_var_run_t,groupd_var_run_t) -manage_sock_files_pattern(groupd_t, groupd_var_run_t,groupd_var_run_t) -files_pid_filetrans(groupd_t, groupd_var_run_t, { file }) - -aisexec_stream_connect(groupd_t) dev_list_sysfs(groupd_t) files_read_etc_files(groupd_t) -libs_use_ld_so(groupd_t) -libs_use_shared_libs(groupd_t) - -logging_send_syslog_msg(groupd_t) - -miscfiles_read_localization(groupd_t) - init_rw_script_tmp_files(groupd_t) -logging_send_syslog_msg(groupd_t) - ###################################### # # qdiskd local policy # -allow qdiskd_t self:capability { sys_nice ipc_lock }; -allow qdiskd_t self:process setsched; +allow qdiskd_t self:capability { ipc_lock sys_boot }; -allow qdiskd_t self:sem create_sem_perms; +allow qdiskd_t self:tcp_socket create_stream_socket_perms; allow qdiskd_t self:udp_socket create_socket_perms; -allow qdiskd_t self:udp_socket create_socket_perms; -allow qdiskd_t self:unix_dgram_socket create_socket_perms; -allow qdiskd_t self:unix_stream_socket create_stream_socket_perms; manage_files_pattern(qdiskd_t, qdiskd_var_lib_t,qdiskd_var_lib_t) manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t,qdiskd_var_lib_t) manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t,qdiskd_var_lib_t) 
files_var_lib_filetrans(qdiskd_t,qdiskd_var_lib_t, { file dir sock_file }) -# log files -manage_files_pattern(qdiskd_t, qdiskd_var_log_t,qdiskd_var_log_t) -manage_sock_files_pattern(qdiskd_t, qdiskd_var_log_t,qdiskd_var_log_t) -logging_log_filetrans(qdiskd_t,qdiskd_var_log_t,{ sock_file file }) - -manage_dirs_pattern(qdiskd_t, qdiskd_tmpfs_t, qdiskd_tmpfs_t) -manage_files_pattern(qdiskd_t, qdiskd_tmpfs_t, qdiskd_tmpfs_t) -fs_tmpfs_filetrans(qdiskd_t, qdiskd_tmpfs_t,{ dir file }) - -# pid files -manage_files_pattern(qdiskd_t, qdiskd_var_run_t,qdiskd_var_run_t) -manage_sock_files_pattern(qdiskd_t, qdiskd_var_run_t,qdiskd_var_run_t) -files_pid_filetrans(qdiskd_t,qdiskd_var_run_t, { file }) - -aisexec_stream_connect(qdiskd_t) -ccs_stream_connect(qdiskd_t) - corecmd_getattr_sbin_files(qdiskd_t) corecmd_exec_shell(qdiskd_t) @@ -391,13 +205,6 @@ files_read_etc_files(qdiskd_t) -libs_use_ld_so(qdiskd_t) -libs_use_shared_libs(qdiskd_t) - -logging_send_syslog_msg(qdiskd_t) - -miscfiles_read_localization(qdiskd_t) - optional_policy(` netutils_domtrans_ping(qdiskd_t) ') 
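Review bot: The groupd context lines `allow groupd_t self:capability { sys_nice sys_resource };` and `allow groupd_t self:process setsched;` are kept even though this patch moves `sys_nice` and `setsched` into the `cluster_domain` common block; for consistency with the trimmed dlm_controld, fenced and gfs_controld sections, reduce to `allow groupd_t self:capability sys_resource;` and drop the setsched line. In the qdiskd section `sys_boot` is added (`{ ipc_lock sys_boot }`) with no comment; since it allows rebooting the node, add `# qdiskd reboots the node on quorum loss — TODO confirm` or whatever the actual reason is. Removing the duplicated `logging_send_syslog_msg(groupd_t)` and the duplicated `udp_socket` rule for qdiskd is good. This hunk starts on L247.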
@@ -406,5 +213,28 @@ udev_read_db(qdiskd_t) ') +##################################### +# +# rhcs domains common policy +# + +allow cluster_domain self:capability { sys_nice }; +allow cluster_domain self:process setsched; +allow cluster_domain self:sem create_sem_perms; +allow cluster_domain self:fifo_file rw_fifo_file_perms; +allow cluster_domain self:unix_stream_socket create_stream_socket_perms; +allow cluster_domain self:unix_dgram_socket create_socket_perms; + +libs_use_ld_so(cluster_domain) +libs_use_shared_libs(cluster_domain) + +logging_send_syslog_msg(cluster_domain) + +miscfiles_read_localization(cluster_domain) + +optional_policy(` + corosync_stream_connect(cluster_domain) + ccs_stream_connect(cluster_domain) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.32/policy/modules/services/ricci.te --- nsaserefpolicy/policy/modules/services/ricci.te 2010-02-21 20:45:42.344558749 +0100 +++ serefpolicy-3.6.32/policy/modules/services/ricci.te 2010-02-21 20:53:51.336572739 +0100 @@ -231,6 +231,7 @@ optional_policy(` aisexec_stream_connect(ricci_modcluster_t) + corosync_stream_connect(ricci_modcluster_t) ') optional_policy(` @@ -319,6 +320,7 @@ optional_policy(` aisexec_stream_connect(ricci_modclusterd_t) + corosync_stream_connect(ricci_modclusterd_t) ') optional_policy(` @@ -462,7 +464,8 @@ files_create_default_dir(ricci_modstorage_t) files_mounton_default(ricci_modstorage_t) -files_manage_default(ricci_modstorage_t) +files_manage_default_dirs(ricci_modstorage_t) +files_manage_default_files(ricci_modstorage_t) storage_raw_read_fixed_disk(ricci_modstorage_t) 
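Review bot: The common block wraps `corosync_stream_connect(cluster_domain)` and `ccs_stream_connect(cluster_domain)` in a single `optional_policy`, so if either the corosync or the ccs module is absent the whole block is disabled and every cluster domain loses both connections; refpolicy convention is one `optional_policy` per module. The same pairing is introduced by the ricci.te hunks on this line and the next, where `corosync_stream_connect` is added into the existing `aisexec_stream_connect` blocks for ricci_modcluster_t, ricci_modclusterd_t and ricci_modstorage_t. Also `allow cluster_domain self:capability { sys_nice };` can drop the braces around a single permission.
```m4
optional_policy(`
	ccs_stream_connect(cluster_domain)
')

optional_policy(`
	corosync_stream_connect(cluster_domain)
')
```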
@@ -482,6 +485,7 @@ optional_policy(` aisexec_stream_connect(ricci_modstorage_t) + corosync_stream_connect(ricci_modstorage_t) ') optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.32/policy/modules/services/rpc.if --- nsaserefpolicy/policy/modules/services/rpc.if 2010-01-18 18:24:22.879530454 +0100 +++ serefpolicy-3.6.32/policy/modules/services/rpc.if 2010-02-23 19:16:59.984776521 +0100 @@ -413,5 +413,6 @@ ') files_search_var_lib($1) + allow $1 var_lib_nfs_t:file { relabelfrom relabelto }; manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.32/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2010-01-18 18:24:22.880531210 +0100 +++ serefpolicy-3.6.32/policy/modules/services/rpc.te 2010-02-23 18:51:13.680527323 +0100 @@ -82,6 +82,8 @@ files_manage_mounttab(rpcd_t) files_getattr_all_dirs(rpcd_t) +files_read_isid_type_files(rpcd_t) +files_read_default_files(rpcd_t) fs_list_rpc(rpcd_t) fs_read_rpc_files(rpcd_t) @@ -100,6 +102,8 @@ userdom_signal_unpriv_users(rpcd_t) +userdom_read_user_home_content_files(rpcd_t) + optional_policy(` automount_signal(rpcd_t) automount_dontaudit_write_pipes(rpcd_t) @@ -113,6 +117,10 @@ domain_unconfined_signal(rpcd_t) ') +optional_policy(` + rgmanager_manage_tmp_files(rpcd_t) +') + ######################################## # # NFSD local policy diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.6.32/policy/modules/services/rsync.if --- nsaserefpolicy/policy/modules/services/rsync.if 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/rsync.if 2010-03-01 16:02:14.881494801 +0100 
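Review bot: `allow $1 var_lib_nfs_t:file { relabelfrom relabelto };` is a raw allow inside an interface whose other lines use the pattern macros; the idiomatic form is `relabel_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)`. The interface header and summary are outside the hunk (presumably `rpc_manage_nfs_state_data`, judging by the rgmanager.te call in this patch), so make sure the description now states that callers may relabel NFS state files — relabel is a broader grant than the name "manage" implies.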
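Review bot: `userdom_read_user_home_content_files(rpcd_t)` lets the rpc daemons read every user's home-directory content unconditionally and without a comment; if this is to support exporting home directories (inferred), it belongs under a boolean or at least behind a comment stating the use case, since it is a sizeable data exposure for a network-facing daemon. The preceding hunk's `files_read_isid_type_files(rpcd_t)` and `files_read_default_files(rpcd_t)` likewise widen rpcd_t to unlabeled and default-labeled files and would benefit from one `# exported filesystems may carry default labels — TODO confirm` comment.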
@@ -103,3 +103,41 @@ can_exec($1, rsync_exec_t) ') + +####################################### +## +## Read rsync config files. +## +## +## +## Domain allowed. +## +## +# +interface(`rsync_read_config',` + gen_require(` + type rsync_etc_t; + ') + + read_files_pattern($1, rsync_etc_t, rsync_etc_t) + files_search_etc($1) +') + +####################################### +## +## Write to rsync config files. +## +## +## +## Domain allowed. +## +## +# +interface(`rsync_write_config',` + gen_require(` + type rsync_etc_t; + ') + + write_files_pattern($1, rsync_etc_t, rsync_etc_t) + files_search_etc($1) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2010-01-18 18:24:22.886540773 +0100 +++ serefpolicy-3.6.32/policy/modules/services/samba.te 2010-03-02 16:58:05.254606365 +0100 @@ -208,7 +208,7 @@ files_read_usr_symlinks(samba_net_t) auth_use_nsswitch(samba_net_t) -auth_rw_cache(samba_net_t) +auth_manage_cache(samba_net_t) logging_send_syslog_msg(samba_net_t) @@ -286,6 +286,8 @@ allow smbd_t winbind_t:process { signal signull }; +allow smbd_t swat_t:process signal; + kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) kernel_read_network_state(smbd_t) @@ -313,6 +315,8 @@ corenet_tcp_connect_ipp_port(smbd_t) corenet_tcp_connect_smbd_port(smbd_t) +dev_getattr_all_blk_files(smbd_t) +dev_getattr_all_chr_files(smbd_t) dev_read_sysfs(smbd_t) dev_read_urand(smbd_t) dev_getattr_mtrr_dev(smbd_t) @@ -327,6 +331,7 @@ auth_use_nsswitch(smbd_t) auth_domtrans_chk_passwd(smbd_t) auth_domtrans_upd_passwd(smbd_t) +auth_manage_cache(smbd_t) domain_use_interactive_fds(smbd_t) domain_dontaudit_list_all_domains_state(smbd_t) 
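Review bot: The two new rsync interfaces describe their parameter as `Domain allowed.` while the other interfaces added in this patch (postfix, qmail, spamassassin) use `Domain allowed access.`; align the wording. `rsync_write_config` grants write without read via `write_files_pattern`, which is unusual for a configuration file; if the caller edits the file, `rw_files_pattern` (or a `rsync_manage_config` interface) is the conventional shape, so keep write-only only if the caller truly never reads and say so in the summary.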
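Review bot: `dev_getattr_all_blk_files(smbd_t)` and `dev_getattr_all_chr_files(smbd_t)` grant stat() on every device node; when such access stems from smbd walking a share that contains device paths (inferred — confirm), the usual refpolicy treatment is to silence it with `dev_dontaudit_getattr_all_blk_files(smbd_t)` and `dev_dontaudit_getattr_all_chr_files(smbd_t)` rather than allow it. If smbd genuinely needs the attributes, a comment saying which feature depends on them would justify the allow. The `auth_rw_cache` to `auth_manage_cache` change for samba_net_t two hunks up is consistent with the same change for smbd_t in the last hunk on this line.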
@@ -350,7 +355,7 @@ miscfiles_read_public_files(smbd_t) userdom_use_unpriv_users_fds(smbd_t) -userdom_dontaudit_search_user_home_dirs(smbd_t) +userdom_search_user_home_content(smbd_t) userdom_signal_all_users(smbd_t) usermanage_read_crack_db(smbd_t) @@ -485,6 +490,8 @@ manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) +allow nmbd_t swat_t:process signal; + allow nmbd_t smbcontrol_t:process signal; allow nmbd_t smbd_var_run_t:dir rw_dir_perms; @@ -661,6 +668,7 @@ allow swat_t self:udp_socket create_socket_perms; allow swat_t self:unix_stream_socket connectto; +samba_domtrans_nmbd(swat_t) allow swat_t nmbd_t:process { signal signull }; allow swat_t nmbd_exec_t:file mmap_file_perms; @@ -693,6 +701,8 @@ manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) +allow swat_t winbind_t:process { signal signull }; + allow swat_t winbind_exec_t:file mmap_file_perms; domtrans_pattern(swat_t, winbind_exec_t, winbind_t) @@ -828,7 +838,9 @@ corenet_udp_sendrecv_all_ports(winbind_t) corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) +corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) +corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -838,7 +850,7 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) -auth_rw_cache(winbind_t) +auth_manage_cache(winbind_t) domain_use_interactive_fds(winbind_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.32/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2010-01-18 18:24:22.889530888 +0100 +++ serefpolicy-3.6.32/policy/modules/services/sendmail.te 2010-02-09 15:04:54.083866070 +0100 
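Review bot: `userdom_dontaudit_search_user_home_dirs(smbd_t)` becomes `userdom_search_user_home_content(smbd_t)`, turning a silenced denial into an unconditional grant of search across all users' home content, while home-directory sharing in this module is otherwise governed by a boolean (`samba_enable_home_dirs` in upstream samba.te — confirm it is still present in this copy). Either place the new line under that tunable or add a comment explaining why search must be unconditional.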
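Review bot: `corenet_tcp_connect_all_unreserved_ports(winbind_t)` lets winbind connect to any port above 1023 with no comment; if this serves DCE/RPC endpoints resolved through the `corenet_tcp_connect_epmap_port(winbind_t)` lookup added just above (inferred), say so: `# DCE/RPC endpoints advertised by epmap live on dynamic ports`. Without it the line reads as an audit2allow catch-all. In the `@@ -661,6 +668,7 @@` hunk on this line, `samba_domtrans_nmbd(swat_t)` makes the surviving `allow swat_t nmbd_exec_t:file mmap_file_perms;` context line largely redundant, since the domtrans pattern already grants execute on the entry point — worth a look.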
@@ -30,7 +30,7 @@ # allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config }; -allow sendmail_t self:process { setpgid setrlimit signal signull }; +allow sendmail_t self:process { setpgid setsched setrlimit signal signull }; allow sendmail_t self:fifo_file rw_fifo_file_perms; allow sendmail_t self:unix_stream_socket create_stream_socket_perms; allow sendmail_t self:unix_dgram_socket create_socket_perms; @@ -136,6 +136,8 @@ optional_policy(` fail2ban_read_lib_files(sendmail_t) + fail2ban_rw_stream_sockets(sendmail_t) + ') optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2010-01-18 18:24:22.891530024 +0100 +++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te 2010-02-03 22:59:41.283821731 +0100 @@ -177,6 +177,10 @@ userdom_signull_unpriv_users(setroubleshoot_fixit_t) optional_policy(` + gnome_dontaudit_search_config(setroubleshoot_fixit_t) +') + +optional_policy(` rpm_signull(setroubleshoot_fixit_t) rpm_read_db(setroubleshoot_fixit_t) rpm_dontaudit_manage_db(setroubleshoot_fixit_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.32/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2010-01-18 18:24:22.892539860 +0100 +++ serefpolicy-3.6.32/policy/modules/services/snmp.te 2010-01-19 14:20:15.303858953 +0100 
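Review bot: The hunk at `@@ -136,6 +136,8 @@` adds a stray blank `+` line after `fail2ban_rw_stream_sockets(sendmail_t)`, leaving an empty line before the closing `')` that no other `optional_policy` block here has; drop it. A short comment on why sendmail writes to fail2ban's stream sockets (an inherited descriptor when fail2ban invokes sendmail for notifications — confirm) would also help, since rw on another daemon's sockets is unusual.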
@@ -25,9 +25,9 @@ # # Local policy # -allow snmpd_t self:capability { dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config }; +allow snmpd_t self:capability { chown dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config }; dontaudit snmpd_t self:capability { sys_module sys_tty_config }; -allow snmpd_t self:process { signal_perms getsched setsched }; +allow snmpd_t self:process { signal signal_perms getsched setsched }; allow snmpd_t self:fifo_file rw_fifo_file_perms; allow snmpd_t self:unix_dgram_socket create_socket_perms; allow snmpd_t self:unix_stream_socket create_stream_socket_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.6.32/policy/modules/services/snort.te --- nsaserefpolicy/policy/modules/services/snort.te 2010-01-18 18:24:22.893530558 +0100 +++ serefpolicy-3.6.32/policy/modules/services/snort.te 2010-01-27 17:37:08.744613818 +0100 @@ -78,6 +78,7 @@ dev_read_sysfs(snort_t) dev_read_rand(snort_t) dev_read_urand(snort_t) +dev_read_usbmon_dev(snort_t) domain_use_interactive_fds(snort_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.32/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2010-01-18 18:24:22.895529974 +0100 +++ serefpolicy-3.6.32/policy/modules/services/spamassassin.if 2010-01-18 18:27:02.773531151 +0100 
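Review bot: `allow snmpd_t self:process { signal signal_perms getsched setsched };` adds `signal`, but `signal_perms` already expands to a set that includes `signal`, so the addition is redundant; keep the original `{ signal_perms getsched setsched }`. The `chown` capability added on the line above has no comment; note which file snmpd changes ownership of (pid file or persistent data — confirm).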
@@ -267,6 +267,24 @@
 stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
 ')
+######################################
+##
+## Send kill signal to spamassassin client
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`spamassassin_kill_client',`
+ gen_require(`
+ type spamc_t;
+ ')
+
+ allow $1 spamc_t:process sigkill;
+')
+
 ########################################
 ##
 ## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.32/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2010-01-18 18:24:22.896530172 +0100
+++ serefpolicy-3.6.32/policy/modules/services/spamassassin.te 2010-02-09 12:37:21.512866130 +0100
@@ -147,6 +147,8 @@
 kernel_read_kernel_sysctls(spamassassin_t)
+corenet_dontaudit_udp_bind_all_ports(spamassassin_t)
+
 dev_read_urand(spamassassin_t)
 fs_search_auto_mountpoints(spamassassin_t)
@@ -470,6 +473,10 @@
 userdom_search_user_home_dirs(spamd_t)
 optional_policy(`
+ dcc_domtrans_cdcc(spamd_t)
+')
+
+optional_policy(`
 exim_manage_spool_dirs(spamd_t)
 exim_manage_spool_files(spamd_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.32/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2010-01-18 18:24:22.898539086 +0100
+++ serefpolicy-3.6.32/policy/modules/services/ssh.if 2010-02-23 16:04:29.107525602 +0100
@@ -177,7 +177,7 @@
 type $1_var_run_t;
 files_pid_file($1_var_run_t)
- allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
+ allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
 allow $1_t self:fifo_file rw_fifo_file_perms;
 allow $1_t self:process { signal getsched setsched setrlimit setexec };
 allow $1_t self:tcp_socket create_stream_socket_perms;
@@ -393,6 +393,7 @@
 logging_send_syslog_msg($1_ssh_agent_t)
 miscfiles_read_localization($1_ssh_agent_t)
+ miscfiles_read_certs($1_ssh_agent_t)
 seutil_dontaudit_read_config($1_ssh_agent_t)
@@ -400,6 +401,7 @@
 userdom_use_user_terminals($1_ssh_agent_t)
 # for the transition back to normal privs upon exec
+ userdom_search_user_home_content($1_ssh_agent_t)
 userdom_user_home_domtrans($1_ssh_agent_t, $3)
 allow $3 $1_ssh_agent_t:fd use;
 allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.32/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2010-01-18 18:24:22.899530064 +0100
+++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2010-03-03 10:40:17.330611966 +0100
@@ -8,31 +8,6 @@
 ##
 ##

-## Allow sftp to upload files, used for public file -## transfer services. Directories must be labeled -## public_content_rw_t. -##

-##
-gen_tunable(allow_sftpd_anon_write, false) - -## -##

-## Allow sftp to login to local users and -## read/write all files on the system, governed by DAC. -##

-##
-gen_tunable(allow_sftpd_full_access, false) - -## -##

-## Allow interlnal-sftp to read and write files -## in the user ssh home directories. -##

-##
-gen_tunable(sftpd_ssh_home_dir, false) - -## -##

## allow host key based authentication ##

##
@@ -69,10 +44,6 @@
 type sshd_tmpfs_t;
 files_tmpfs_file(sshd_tmpfs_t)
-type sftpd_t;
-domain_type(sftpd_t)
-role system_r types sftpd_t;
-
 ifdef(`enable_mcs',`
 init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
 ')
@@ -209,6 +180,7 @@
 # needs to read krb tgt
 userdom_read_user_tmp_files(ssh_t)
 userdom_read_user_home_content_symlinks(ssh_t)
+userdom_write_user_tmp_files(ssh_t)
 tunable_policy(`allow_ssh_keysign',`
 domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
@@ -236,7 +208,6 @@
 optional_policy(`
 xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t)
 xserver_domtrans_xauth(ssh_t)
- xserver_common_app(ssh_t)
 ')
 ########################################
@@ -365,7 +337,12 @@
 ')
 optional_policy(`
- xserver_getattr_xauth(sshd_t)
+ ftp_dyntransition_sftpd(sshd_t)
+ ftp_dyntransition_sftpd_anon(sshd_t)
+')
+
+optional_policy(`
+ xserver_domtrans_xauth(sshd_t)
 ')
 optional_policy(`
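Review bot: The `@@ -365` hunk moves sftp confinement into the ftp module via `ftp_dyntransition_sftpd(sshd_t)` / `ftp_dyntransition_sftpd_anon(sshd_t)` while the earlier hunks delete `sftpd_t` and the `allow_sftpd_anon_write`, `allow_sftpd_full_access` and `sftpd_ssh_home_dir` booleans from this file; if the ftp module does not redeclare those booleans under the same names (it is not on this page), existing `setsebool` settings silently stop having any effect, which the commit message should call out. The same hunk also replaces `xserver_getattr_xauth(sshd_t)` with `xserver_domtrans_xauth(sshd_t)`, a widening from getattr to a full domain transition, with no comment saying which sshd code path execs xauth; a one-line why-comment above the call would record that. `userdom_write_user_tmp_files(ssh_t)` in the `@@ -209` hunk is likewise uncommented, although the context line above it (`# needs to read krb tgt`) only explains the read.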
@@ -468,49 +445,3 @@
 udev_read_db(ssh_keygen_t)
 ')
-#######################################
-#
-# sftp Local policy
-#
-
-allow ssh_server sftpd_t:process dyntransition;
-
-ssh_sigchld(sftpd_t)
-
-files_read_all_files(sftpd_t)
-files_read_all_symlinks(sftpd_t)
-
-fs_read_noxattr_fs_files(sftpd_t)
-fs_read_nfs_files(sftpd_t)
-fs_read_cifs_files(sftpd_t)
-
-# allow access to /home by default
-userdom_manage_user_home_content_dirs(sftpd_t)
-userdom_manage_user_home_content_files(sftpd_t)
-userdom_manage_user_home_content_symlinks(sftpd_t)
-
-userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
-
-tunable_policy(`allow_sftpd_anon_write',`
- miscfiles_manage_public_files(sftpd_t)
-')
-
-tunable_policy(`allow_sftpd_full_access',`
- allow sftpd_t self:capability { dac_override dac_read_search };
- fs_read_noxattr_fs_files(sftpd_t)
- auth_manage_all_files_except_shadow(sftpd_t)
-')
-
-tunable_policy(`sftpd_ssh_home_dir',`
- ssh_manage_user_home_files(sftpd_t)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(sftpd_t)
- fs_manage_nfs_files(sftpd_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(sftpd_t)
- fs_manage_cifs_files(sftpd_t)
-')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.32/policy/modules/services/sssd.fc
--- nsaserefpolicy/policy/modules/services/sssd.fc 2010-01-18 18:24:22.900529842 +0100
+++ serefpolicy-3.6.32/policy/modules/services/sssd.fc 2010-01-19 17:08:41.212631842 +0100
@@ -4,6 +4,8 @@
 /var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
+/var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0)
+
 /var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
 /var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.32/policy/modules/services/sssd.if
--- nsaserefpolicy/policy/modules/services/sssd.if 2010-01-18 18:24:22.901529830 +0100
+++ serefpolicy-3.6.32/policy/modules/services/sssd.if 2010-01-19 17:08:45.945631552 +0100
@@ -12,8 +12,7 @@
 #
 interface(`sssd_domtrans',`
 gen_require(`
- type sssd_t;
- type sssd_exec_t;
+ type sssd_t, sssd_exec_t;
 ')
 domtrans_pattern($1, sssd_exec_t, sssd_t)
@@ -26,7 +25,7 @@
 ##
 ##
 ##
-## The type of the process performing this action.
+## Domain allowed access.
 ##
 ##
 #
@@ -40,6 +39,25 @@
 ########################################
 ##
+## Read sssd public files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sssd_read_public_files',`
+ gen_require(`
+ type sssd_public_t;
+ ')
+
+ sssd_search_lib($1)
+ read_files_pattern($1, sssd_public_t, sssd_public_t)
+')
+
+########################################
+##
 ## Read sssd PID files.
 ##
 ##
@@ -59,7 +77,7 @@
 ########################################
 ##
-## Manage sssd var_run files.
+## Read sssd config files.
 ##
 ##
 ##
@@ -67,18 +85,18 @@
 ##
 ##
 #
-interface(`sssd_manage_pids',`
+interface(`sssd_read_config_files',`
 gen_require(`
- type sssd_var_run_t;
+ type sssd_config_t;
 ')
- manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
- manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
+ sssd_search_lib($1)
+ read_files_pattern($1, sssd_config_t, sssd_config_t)
 ')
 ########################################
 ##
-## Search sssd lib directories.
+## Manage sssd var_run files.
 ##
 ##
 ##
@@ -86,18 +104,18 @@
 ##
 ##
 #
-interface(`sssd_search_lib',`
+interface(`sssd_manage_pids',`
 gen_require(`
- type sssd_var_lib_t;
+ type sssd_var_run_t;
 ')
- allow $1 sssd_var_lib_t:dir search_dir_perms;
- files_search_var_lib($1)
+ manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
+ manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
 ')
 ########################################
 ##
-## Read sssd lib files.
+## Search sssd lib directories.
 ##
 ##
 ##
@@ -105,18 +123,18 @@
 ##
 ##
 #
-interface(`sssd_read_lib_files',`
+interface(`sssd_search_lib',`
 gen_require(`
 type sssd_var_lib_t;
 ')
+ allow $1 sssd_var_lib_t:dir search_dir_perms;
 files_search_var_lib($1)
- read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
 ')
 ########################################
 ##
-## Read sssd config files.
+## dontaudit search sssd lib directories.
 ##
 ##
 ##
@@ -124,19 +142,18 @@
 ##
 ##
 #
-interface(`sssd_read_config_files',`
+interface(`sssd_dontaudit_search_lib',`
 gen_require(`
- type sssd_config_t;
+ type sssd_var_lib_t;
 ')
- sssd_search_lib($1)
- read_files_pattern($1, sssd_config_t, sssd_config_t)
+ dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
 ')
 ########################################
 ##
-## Create, read, write, and delete
-## sssd lib files.
+## Read sssd lib files.
 ##
 ##
 ##
@@ -144,18 +161,19 @@
 ##
 ##
 #
-interface(`sssd_manage_lib_files',`
+interface(`sssd_read_lib_files',`
 gen_require(`
 type sssd_var_lib_t;
 ')
 files_search_var_lib($1)
- manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
+ read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
 ')
 ########################################
 ##
-## Manage sssd var_lib files.
+## Create, read, write, and delete
+## sssd lib files.
 ##
 ##
 ##
@@ -163,17 +181,15 @@
 ##
 ##
 #
-interface(`sssd_manage_var_lib',`
+interface(`sssd_manage_lib_files',`
 gen_require(`
 type sssd_var_lib_t;
 ')
- manage_dirs_pattern($1,sssd_var_lib_t,sssd_var_lib_t)
+ files_search_var_lib($1)
 manage_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t)
- manage_lnk_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t)
 ')
-
 ########################################
 ##
 ## Send and receive messages from
@@ -238,16 +254,13 @@
 #
 interface(`sssd_admin',`
 gen_require(`
- type sssd_t;
+ type sssd_t, sssd_public_t;
+ type sssd_initrc_exec_t;
 ')
 allow $1 sssd_t:process { ptrace signal_perms getattr };
 read_files_pattern($1, sssd_t, sssd_t)
- gen_require(`
- type sssd_initrc_exec_t;
- ')
-
 # Allow sssd_t to restart the apache service
 sssd_initrc_domtrans($1)
 domain_system_change_exemption($1)
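Review bot: `sssd_dontaudit_search_lib` (first hunk) grants `files_search_var_lib($1)`, an allow rule, inside an interface whose name and summary promise only to silence denials; a caller that merely wants the audit noise gone ends up with search access to /var/lib. Dropping that call so the body is only `dontaudit $1 sssd_var_lib_t:dir search_dir_perms;` keeps the interface's contract honest. In the `@@ -163` hunk the renamed `sssd_manage_lib_files` keeps only `manage_files_pattern` while the removed `sssd_manage_var_lib` also managed dirs and symlinks; any out-of-tree caller of the old name (none visible here) will now fail to build, and callers of the new name lose dir/symlink management silently, so the commit message should note the interface removal.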
@@ -257,4 +270,6 @@
 sssd_manage_pids($1)
 sssd_manage_lib_files($1)
+
+ admin_pattern($1, sssd_public_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.32/policy/modules/services/sssd.te
--- nsaserefpolicy/policy/modules/services/sssd.te 2010-01-18 18:24:22.901529830 +0100
+++ serefpolicy-3.6.32/policy/modules/services/sssd.te 2010-02-26 09:34:13.063547326 +0100
@@ -1,5 +1,5 @@
-policy_module(sssd, 1.0.0)
+policy_module(sssd, 1.0.1)
 ########################################
 #
@@ -13,6 +13,9 @@
 type sssd_initrc_exec_t;
 init_script_file(sssd_initrc_exec_t)
+type sssd_public_t;
+files_pid_file(sssd_public_t)
+
 type sssd_var_lib_t;
 files_type(sssd_var_lib_t)
@@ -31,6 +34,9 @@
 allow sssd_t self:fifo_file rw_file_perms;
 allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
+manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
+
 manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
 manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
 manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
@@ -43,8 +49,6 @@
 manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
 files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
-fs_list_inotifyfs(sssd_t)
-
 kernel_read_system_state(sssd_t)
 corecmd_exec_bin(sssd_t)
@@ -58,6 +62,10 @@
 files_read_etc_files(sssd_t)
 files_read_usr_files(sssd_t)
+fs_list_inotifyfs(sssd_t)
+
+mls_file_read_to_clearance(sssd_t)
+
 auth_use_nsswitch(sssd_t)
 auth_domtrans_chk_passwd(sssd_t)
 auth_domtrans_upd_passwd(sssd_t)
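Review bot: `sssd_public_t` is declared with `files_pid_file(sssd_public_t)` in the `@@ -13` hunk, yet the sssd.fc hunk labels `/var/lib/sss/pubconf(/.*)?` with it and `sssd_read_public_files` reaches it through `sssd_search_lib`, so the type is treated as /var/lib content everywhere except its declaration; every generic "all pid files" interface will also pick it up. `files_type(sssd_public_t)`, matching `sssd_var_lib_t` two lines below, fits the location. `mls_file_read_to_clearance(sssd_t)` in the `@@ -58` hunk lets sssd read up to its clearance on MLS systems and carries no comment; a why-comment there would help.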
@@ -69,7 +77,7 @@
 miscfiles_read_localization(sssd_t)
-userdom_manage_tmp_role(system_t, sssd_t)
+userdom_manage_tmp_role(system_r, sssd_t)
 optional_policy(`
 dbus_system_bus_client(sssd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.if serefpolicy-3.6.32/policy/modules/services/tftp.if
--- nsaserefpolicy/policy/modules/services/tftp.if 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/tftp.if 2010-03-01 15:59:20.787741600 +0100
@@ -18,6 +18,26 @@
 read_files_pattern($1, tftpdir_t, tftpdir_t)
 ')
+#######################################
+##
+## Manage tftp /var/lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`tftp_manage_rw_content',`
+ gen_require(`
+ type tftpdir_rw_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+ manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+')
+
 ########################################
 ##
 ## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.6.32/policy/modules/services/tftp.te
--- nsaserefpolicy/policy/modules/services/tftp.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/tftp.te 2010-01-19 12:02:02.773609654 +0100
@@ -50,6 +50,7 @@
 manage_files_pattern(tftpd_t, tftpd_var_run_t, tftpd_var_run_t)
 files_pid_filetrans(tftpd_t, tftpd_var_run_t, file)
+kernel_read_system_state(tftpd_t)
 kernel_read_kernel_sysctls(tftpd_t)
 kernel_list_proc(tftpd_t)
 kernel_read_proc_symlinks(tftpd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.6.32/policy/modules/services/tgtd.te
--- nsaserefpolicy/policy/modules/services/tgtd.te 2010-01-18 18:24:22.905534669 +0100
+++ serefpolicy-3.6.32/policy/modules/services/tgtd.te 2010-01-26 14:33:27.943463104 +0100
@@ -63,6 +63,7 @@
 files_read_etc_files(tgtd_t)
 storage_getattr_fixed_disk_dev(tgtd_t)
+storage_manage_fixed_disk(tgtd_t)
 logging_send_syslog_msg(tgtd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.fc serefpolicy-3.6.32/policy/modules/services/tuned.fc
--- nsaserefpolicy/policy/modules/services/tuned.fc 2010-01-18 18:24:22.907534364 +0100
+++ serefpolicy-3.6.32/policy/modules/services/tuned.fc 2010-02-03 17:28:43.165143461 +0100
@@ -3,4 +3,7 @@
 /usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0)
+/var/log/tuned(/.*)? gen_context(system_u:object_r:tuned_log_t,s0)
+/var/log/tuned\.log -- gen_context(system_u:object_r:tuned_log_t,s0)
+
 /var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.6.32/policy/modules/services/tuned.te
--- nsaserefpolicy/policy/modules/services/tuned.te 2010-01-18 18:24:22.909530847 +0100
+++ serefpolicy-3.6.32/policy/modules/services/tuned.te 2010-02-15 12:09:29.413328973 +0100
@@ -13,6 +13,9 @@
 type tuned_initrc_exec_t;
 init_script_file(tuned_initrc_exec_t)
+type tuned_log_t;
+logging_log_file(tuned_log_t)
+
 type tuned_var_run_t;
 files_pid_file(tuned_var_run_t)
@@ -26,6 +29,10 @@
 dontaudit tuned_t self:capability { dac_override sys_tty_config };
 allow tuned_t self:fifo_file rw_fifo_file_perms;
+manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
+manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
+logging_log_filetrans(tuned_t, tuned_log_t, file)
+
 manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
 files_pid_filetrans(tuned_t, tuned_var_run_t, { file })
@@ -36,7 +43,7 @@
 kernel_read_system_state(tuned_t)
 dev_read_sysfs(tuned_t)
-
+dev_read_urand(tuned_t)
 # to allow cpu tuning
 dev_rw_netcontrol(tuned_t)
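Review bot: `storage_manage_fixed_disk(tgtd_t)` grants the target daemon raw read and write on every fixed-disk device node, a large step up from the `storage_getattr_fixed_disk_dev` line above it, and nothing in the hunk records why. A why-comment on the line, e.g. `# raw access to block devices exported as iSCSI backing stores — confirm`, would let a later reader judge whether the access is still needed, and if only some deployments export raw disks a `tunable_policy` block would let the rest keep the narrower rule.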
@@ -46,8 +53,14 @@
 userdom_dontaudit_search_user_home_dirs(tuned_t)
+logging_send_syslog_msg(tuned_t)
+
 miscfiles_read_localization(tuned_t)
+optional_policy(`
+ gnome_dontaudit_search_config(tuned_t)
+')
+
 # to allow disk tuning
 optional_policy(`
 fstools_domtrans(tuned_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.6.32/policy/modules/services/ucspitcp.te
--- nsaserefpolicy/policy/modules/services/ucspitcp.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/ucspitcp.te 2010-02-11 14:18:05.345868624 +0100
@@ -92,3 +92,8 @@
 daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t)
 daemontools_read_svc(ucspitcp_t)
 ')
+
+optional_policy(`
+ daemontools_sigchld_run(ucspitcp_t)
+')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.6.32/policy/modules/services/usbmuxd.fc
--- nsaserefpolicy/policy/modules/services/usbmuxd.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/usbmuxd.fc 2010-02-02 19:00:16.333067308 +0100
@@ -0,0 +1,6 @@
+
+/usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0)
+
+/var/run/usbmuxd -s gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
+
+/var/run/usbmuxd\.lock -- gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.if serefpolicy-3.6.32/policy/modules/services/usbmuxd.if
--- nsaserefpolicy/policy/modules/services/usbmuxd.if 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/usbmuxd.if 2010-02-02 19:06:22.735067968 +0100
@@ -0,0 +1,64 @@
+## Daemon for communicating with Apple's iPod Touch and iPhone
+
+########################################
+##
+## Execute a domain transition to run usbmuxd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`usbmuxd_domtrans',`
+ gen_require(`
+ type usbmuxd_t, usbmuxd_exec_t;
+ ')
+
+ domtrans_pattern($1, usbmuxd_exec_t, usbmuxd_t)
+')
+
+#######################################
+##
+## Execute usbmuxd in the usbmuxd domain, and
+## allow the specified role the usbmuxd domain.
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+##
+## The role to be allowed the usbmuxd domain.
+##
+##
+#
+interface(`usbmuxd_run',`
+ gen_require(`
+ type usbmuxd_t;
+ ')
+
+ usbmuxd_domtrans($1)
+ role $2 types usbmuxd_t;
+')
+
+#####################################
+##
+## Connect to usbmuxd over a unix domain
+## stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`usbmuxd_stream_connect',`
+ gen_require(`
+ type usbmuxd_t, usbmuxd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.te serefpolicy-3.6.32/policy/modules/services/usbmuxd.te
--- nsaserefpolicy/policy/modules/services/usbmuxd.te 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/usbmuxd.te 2010-02-11 18:39:18.455708622 +0100
@@ -0,0 +1,48 @@
+
+policy_module(usbmuxd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type usbmuxd_t;
+type usbmuxd_exec_t;
+application_domain(usbmuxd_t, usbmuxd_exec_t)
+
+type usbmuxd_var_run_t;
+files_pid_file(usbmuxd_var_run_t)
+
+permissive usbmuxd_t;
+
+########################################
+#
+# usbmuxd local policy
+#
+
+allow usbmuxd_t self:capability { kill setgid setuid };
+allow usbmuxd_t self:process { fork };
+
+# Init script handling
+domain_use_interactive_fds(usbmuxd_t)
+
+# internal communication is often done using fifo and unix sockets.
+allow usbmuxd_t self:fifo_file rw_fifo_file_perms;
+allow usbmuxd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
+manage_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
+manage_sock_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
+files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file })
+
+kernel_read_system_state(usbmuxd_t)
+
+dev_rw_generic_usb_dev(usbmuxd_t)
+
+files_read_etc_files(usbmuxd_t)
+
+miscfiles_read_localization(usbmuxd_t)
+
+auth_use_nsswitch(usbmuxd_t)
+
+logging_send_syslog_msg(usbmuxd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.32/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2010-01-18 18:24:22.913542181 +0100
+++ serefpolicy-3.6.32/policy/modules/services/virt.if 2010-03-03 10:40:17.331612366 +0100
@@ -194,6 +194,7 @@
 files_search_var_lib($1)
 read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+ read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
 ')
 ########################################
@@ -444,6 +445,9 @@
 domain_user_exemption_target($1_t)
+ type $1_devpts_t;
+ term_pty($1_devpts_t)
+
 type $1_tmp_t;
 files_tmp_file($1_tmp_t)
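Review bot: `permissive usbmuxd_t;` in the new usbmuxd.te makes every rule below it advisory — denials are logged but nothing is enforced — so the module ships a domain that confines nothing, and there is no marker saying this is temporary. If the intent is to collect AVCs before enforcing, the line should carry `# TODO: remove once the domain's AVC denials have been reviewed` so it is not forgotten at release. The `# Init script handling` comment above `domain_use_interactive_fds` suggests the daemon is started by init, yet the declaration uses `application_domain`; if it really is an init-started service, `init_daemon_domain` is the usual choice, which I cannot confirm from the hunk.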
@@ -457,6 +461,9 @@
 type $1_var_run_t;
 files_pid_file($1_var_run_t)
+ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
+ term_create_pty($1_t, $1_devpts_t)
+
 manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
 manage_files_pattern($1_t, $1_image_t, $1_image_t)
 read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
@@ -486,7 +493,6 @@
 optional_policy(`
 xserver_rw_shm($1_t)
- xserver_common_app($1_t)
 ')
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-01-18 18:24:22.915540061 +0100
+++ serefpolicy-3.6.32/policy/modules/services/virt.te 2010-03-01 17:22:48.963740399 +0100
@@ -1,5 +1,5 @@
-policy_module(virt, 1.2.1)
+policy_module(virt, 1.3.0)
 ########################################
 #
@@ -226,7 +226,7 @@
 sysnet_domtrans_ifconfig(virtd_t)
 sysnet_read_config(virtd_t)
-userdom_dontaudit_list_admin_dir(virtd_t)
+userdom_list_admin_dir(virtd_t)
 userdom_getattr_all_users(virtd_t)
 userdom_list_user_home_content(virtd_t)
 userdom_read_all_users_state(virtd_t)
@@ -337,6 +337,7 @@
 allow svirt_t svirt_image_t:dir search_dir_perms;
 manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t)
 manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
+fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
 list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
 read_files_pattern(svirt_t, virt_content_t, virt_content_t)
@@ -370,6 +371,7 @@
 tunable_policy(`virt_use_fusefs',`
 fs_read_fusefs_files(svirt_t)
+ fs_read_fusefs_symlinks(svirt_t)
 ')
 tunable_policy(`virt_use_nfs',`
@@ -429,11 +431,13 @@
 corenet_tcp_bind_virt_migration_port(virt_domain)
 corenet_tcp_connect_virt_migration_port(virt_domain)
+dev_read_rand(virt_domain)
 dev_read_sound(virt_domain)
-dev_write_sound(virt_domain)
+dev_read_urand(virt_domain)
 dev_rw_ksm(virt_domain)
 dev_rw_kvm(virt_domain)
 dev_rw_qemu(virt_domain)
+dev_write_sound(virt_domain)
 domain_use_interactive_fds(virt_domain)
@@ -446,6 +450,11 @@
 fs_rw_anon_inodefs_files(virt_domain)
 fs_rw_tmpfs_files(virt_domain)
+# we need these for now.
+miscfiles_read_public_files(virt_domain)
+storage_raw_read_removable_device(virt_domain)
+
+
 term_use_all_terms(virt_domain)
 term_getattr_pty_fs(virt_domain)
 term_use_generic_ptys(virt_domain)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2010-01-18 18:24:22.917530119 +0100
+++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2010-03-03 10:40:17.332611859 +0100
@@ -51,17 +51,16 @@
 # /tmp
 #
-/tmp/\.ICE-unix -d gen_context(system_u:object_r:xserver_tmp_t,s0)
-/tmp/\.ICE-unix/.* -s <>
 /tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0)
-/tmp/\.X11-unix -d gen_context(system_u:object_r:xserver_tmp_t,s0)
-/tmp/\.X11-unix/.* -s <>
+/tmp/\.X11-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0)
 #
 # /usr
 #
 /usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/lxdm gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/lxdm-binary gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
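Review bot: `storage_raw_read_removable_device(virt_domain)` in the `@@ -446` hunk gives every virt domain raw read access to removable block devices, and the only justification is `# we need these for now.`, which says neither what "these" are for nor when they can go. The same file already gates optional guest access behind booleans (`virt_use_fusefs`, `virt_use_nfs` in the previous hunk), so this rule belongs in a `tunable_policy` block of the same shape with a comment naming the use case, or at minimum the comment should become `# TODO: raw removable-device access for guest media passthrough — confirm and gate behind a tunable`. `miscfiles_read_public_files(virt_domain)` on the line above is covered by the same vague comment and deserves its own reason.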
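Review bot: The new `/usr/bin/lxdm` and `/usr/bin/lxdm-binary` entries in the xserver.fc hunk omit the `--` file-type field that every neighbouring executable entry carries, so they match any object type at those paths; `/usr/bin/lxdm -- gen_context(system_u:object_r:xdm_exec_t,s0)` and the same for `lxdm-binary` keeps them consistent. The same hunk relabels `/tmp/\.X11-unix` and its sockets from `xserver_tmp_t` / `<<none>>` to `xdm_tmp_t`; the xserver.if hunks later in this patch follow the change, but any out-of-tree policy that grants access to `xserver_tmp_t` for the X socket directory will silently lose it, which the commit message should state.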
@@ -102,6 +101,7 @@
 /var/cache/gdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/log/gdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0)
+/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
 /var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
@@ -114,9 +114,12 @@
 /var/run/gdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-/var/run/slim\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/slim.* -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm(/*.)? gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
 /var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
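Review bot: `/var/run/lxdm(/*.)?` in the `@@ -114` hunk looks like a transposition of the `(/.*)?` idiom used by `/var/run/gdm(/.*)?` at the top of the same hunk; as written the optional group is "any number of slashes followed by exactly one character", so `/var/run/lxdm/X` is labelled but `/var/run/lxdm/anything-longer` falls through to the default `/var/run` label. The line should read `/var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)`. The `slim\.auth` → `slim.*` change also widens that entry from one file to every `/var/run/slim*` path; if only the auth file and a pid file are intended, listing them explicitly keeps the pattern tight.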
@@ -125,6 +128,8 @@
 /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
 ')
-
 /var/lib/nxserver/home/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
 /var/lib/nxserver/home/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+/var/lib/pqsql/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.32/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2010-01-18 18:24:22.920530710 +0100
+++ serefpolicy-3.6.32/policy/modules/services/xserver.if 2010-03-03 10:40:17.337612186 +0100
@@ -19,27 +19,9 @@
 interface(`xserver_restricted_role',`
 gen_require(`
 type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t;
- type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
+ type user_fonts_t, user_fonts_cache_t, user_fonts_config_t, xdm_tmp_t;
 type iceauth_t, iceauth_exec_t, iceauth_home_t;
 type xauth_t, xauth_exec_t, xauth_home_t;
-
- type info_xproperty_t, rootwindow_t;
-
- class x_drawable all_x_drawable_perms;
- class x_screen all_x_screen_perms;
- class x_gc all_x_gc_perms;
- class x_font all_x_font_perms;
- class x_colormap all_x_colormap_perms;
- class x_property all_x_property_perms;
- class x_selection all_x_selection_perms;
- class x_cursor all_x_cursor_perms;
- class x_client all_x_client_perms;
- class x_device all_x_device_perms;
- class x_server all_x_server_perms;
- class x_extension all_x_extension_perms;
- class x_resource all_x_resource_perms;
- class x_event all_x_event_perms;
- class x_synthetic_event all_x_synthetic_event_perms;
 ')
 role $1 types { xserver_t xauth_t iceauth_t };
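Review bot: The two new `/var/lib/pqsql/` entries in the xserver.fc hunk use a directory name that does not match any path elsewhere in this patch; if they are meant to cover the PostgreSQL service account's home directory, which on this distribution is spelled `pgsql`, the entries never match and the xauth files there keep the default label. Please verify the path against the package that creates it and correct the spelling if it is a typo; no comment explains why a database service home needs `xauth_home_t` either, so a one-line reason above the entries would help.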
@@ -49,7 +31,7 @@
 allow xserver_t $2:shm rw_shm_perms;
 domtrans_pattern($2, xserver_exec_t, xserver_t)
- allow xserver_t $2:process signal;
+ allow xserver_t $2:process { getpgid signal };
 allow xserver_t $2:shm rw_shm_perms;
@@ -63,6 +45,7 @@
 manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
 stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
+ allow $2 xserver_tmp_t:sock_file unlink;
 files_search_tmp($2)
 # Communicate via System V shared memory.
@@ -96,9 +79,10 @@
 # for when /tmp/.X11-unix is created by the system
 allow $2 xdm_t:fd use;
 allow $2 xdm_t:fifo_file { getattr read write ioctl };
- allow $2 xserver_tmp_t:dir search;
- allow $2 xserver_tmp_t:sock_file { read write };
+ allow $2 xdm_tmp_t:dir search_dir_perms;
+ allow $2 xdm_tmp_t:sock_file { read write };
 dontaudit $2 xdm_t:tcp_socket { read write };
+ dontaudit $2 xdm_tmp_t:dir setattr;
 # Client read xserver shm
 allow $2 xserver_t:fd use;
@@ -119,6 +103,7 @@
 dev_rw_usbfs($2)
 miscfiles_read_fonts($2)
+ miscfiles_setattr_fonts_cache_dirs($2)
 xserver_common_x_domain_template(user, $2)
 xserver_xsession_entry_type($2)
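Review bot: `allow $2 xserver_tmp_t:sock_file unlink;` in the `@@ -63` hunk lets every user domain given this role remove the X server's socket files, which is enough to knock other sessions' clients off a shared server if DAC does not stop it, and the line has no comment saying why a client needs it (stale-socket cleanup at session start is my guess, not something the hunk shows). A why-comment on the line, or moving the unlink next to the code path that needs it with a `# NOTE(review):` explaining the case, would record the intent. The `@@ -96` hunk grants `search_dir_perms` on `xdm_tmp_t` where the old rule granted only `search`; that is a small widening but, together with the new `dontaudit $2 xdm_tmp_t:dir setattr;`, suggests a client tries to chmod the socket directory, which is worth a comment too.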
@@ -136,37 +121,6 @@
 allow $2 xserver_t:shm rw_shm_perms;
 allow $2 xserver_tmpfs_t:file rw_file_perms;
 ')
-
- ##############################
- #
- # User X object manager local policy
- #
-
- # manage: xhost X11:ChangeHosts
- # freeze: metacity X11:GrabKey
- # force_cursor: metacity X11:GrabPointer
- allow $2 xserver_t:x_device { manage freeze force_cursor };
-
- # gnome-settings-daemon XKEYBOARD:SetControls
- allow $2 xserver_t:x_server manage;
-
- # gnome-settings-daemon RANDR:SelectInput
- allow $2 xserver_t:x_resource write;
-
- # metacity X11:InstallColormap X11:UninstallColormap
- allow $2 rootwindow_t:x_colormap { install uninstall };
-
- # read: gnome-settings-daemon RANDR:GetScreenSizeRange
- # write: gnome-settings-daemon RANDR:SelectInput
- # setattr: gnome-settings-daemon X11:GrabKey
- # manage: metacity X11:ChangeWindowAttributes
- allow $2 rootwindow_t:x_drawable { read write manage setattr };
-
- # setattr: metacity X11:InstallColormap
- allow $2 xserver_t:x_screen { saver_getattr saver_setattr setattr };
-
- # xrdb X11:ChangeProperty prop=RESOURCE_MANAGER
- allow $2 info_xproperty_t:x_property { create append write };
 ')
 ########################################
@@ -218,7 +172,6 @@
 relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
 relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
- xserver_common_app($2)
 ')
 #######################################
@@ -290,6 +243,37 @@
 #######################################
 ##
+## Create non-drawing client sessions on an X server.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`xserver_non_drawing_client',`
+ gen_require(`
+ class x_drawable { getattr get_property };
+ class x_extension { query use };
+ class x_gc { create setattr };
+ class x_property read;
+
+ type xserver_t, xdm_var_run_t;
+ type xextension_t, xproperty_t, root_xdrawable_t;
+ ')
+
+ allow $1 self:x_gc { create setattr };
+
+ allow $1 xdm_var_run_t:dir search;
+ allow $1 xserver_t:unix_stream_socket connectto;
+
+ allow $1 xextension_t:x_extension { query use };
+ allow $1 root_xdrawable_t:x_drawable { getattr get_property };
+ allow $1 xproperty_t:x_property read;
+')
+
+#######################################
+##
 ## Create full client sessions
 ## on a user X server.
 ##
@@ -307,7 +291,7 @@
 interface(`xserver_user_client',`
 refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
 gen_require(`
- type xdm_t, xserver_tmp_t;
+ type xdm_t, xdm_tmp_t;
 type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
 ')
@@ -321,9 +305,9 @@
 # for when /tmp/.X11-unix is created by the system
 allow $1 xdm_t:fd use;
- allow $1 xdm_t:fifo_file rw_fifo_file_perms;
- allow $1 xserver_tmp_t:dir search;
- allow $1 xserver_tmp_t:sock_file { read write };
+ allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
+ allow $1 xdm_tmp_t:dir search;
+ allow $1 xdm_tmp_t:sock_file { read write };
 dontaudit $1 xdm_t:tcp_socket { read write };
 # Allow connections to X server.
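Review bot: `xserver_non_drawing_client` grants `allow $1 xdm_var_run_t:dir search;` without first calling `files_search_pids($1)`, unlike `usbmuxd_stream_connect` earlier in this same patch, so a caller that cannot already search /var/run is still denied before it reaches the xdm directory. Adding `files_search_pids($1)` above that line makes the interface self-sufficient. The interface also grants `connectto` on the server's stream socket but no access to a socket file; that works only if the client reaches the server through the abstract socket namespace, which the hunk does not state — a comment such as `# connects via the abstract @/tmp/.X11-unix socket; no sock_file access needed — confirm` would make the assumption visible.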
@@ -367,24 +351,19 @@
 #
 template(`xserver_common_x_domain_template',`
 gen_require(`
- type $1_xproperty_t, $1_input_xevent_t, $1_property_xevent_t;
- type $1_focus_xevent_t, $1_manage_xevent_t, $1_default_xevent_t;
- type $1_client_xevent_t;
-
- type rootwindow_t, xproperty_t;
- type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t;
+ type root_xdrawable_t;
+ type xproperty_t, $1_xproperty_t;
 type xevent_t, client_xevent_t;
+ type input_xevent_t, $1_input_xevent_t;
- attribute xproperty_type;
- attribute xevent_type;
+ attribute x_domain;
+ attribute xdrawable_type, xcolormap_type;
 attribute input_xevent_type;
 class x_drawable all_x_drawable_perms;
 class x_property all_x_property_perms;
 class x_event all_x_event_perms;
 class x_synthetic_event all_x_synthetic_event_perms;
- class x_selection all_x_selection_perms;
- type xselection_t;
 ')
 ##############################
@@ -392,27 +371,30 @@ # Local Policy # - # X Properties - # can read and write client properties - allow $2 $1_xproperty_t:x_property { create destroy read write append }; - type_transition $2 xproperty_t:x_property $1_xproperty_t; + # Type attributes + typeattribute $2 x_domain; + typeattribute $2 xdrawable_type, xcolormap_type; - allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive; - allow $2 $1_property_xevent_t:{ x_event x_synthetic_event } receive; - allow $2 $1_focus_xevent_t:{ x_event x_synthetic_event } receive; - allow $2 $1_manage_xevent_t:{ x_event x_synthetic_event } receive; - allow $2 $1_default_xevent_t:{ x_event x_synthetic_event } receive; - allow $2 $1_client_xevent_t:{ x_event x_synthetic_event } receive; - type_transition $2 input_xevent_t:x_event $1_input_xevent_t; - type_transition $2 property_xevent_t:x_event $1_property_xevent_t; - type_transition $2 focus_xevent_t:x_event $1_focus_xevent_t; - type_transition $2 manage_xevent_t:x_event $1_manage_xevent_t; - type_transition $2 client_xevent_t:x_event $1_client_xevent_t; - type_transition $2 xevent_t:x_event $1_default_xevent_t; + # X Properties + # disable property transitions for the time being. 
+# type_transition $2 xproperty_t:x_property $1_xproperty_t; - allow $2 $1_manage_xevent_t:x_synthetic_event send; + # X Windows + # new windows have the domain type + type_transition $2 root_xdrawable_t:x_drawable $2; - xserver_common_app($2) + # X Input + # distinguish input events + type_transition $2 input_xevent_t:x_event $1_input_xevent_t; + # can send own events + allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } send; + # can receive own events + allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive; + # can receive default events + allow $2 client_xevent_t:{ x_event x_synthetic_event } receive; + allow $2 xevent_t:{ x_event x_synthetic_event } receive; + # dont audit send failures + dontaudit $2 input_xevent_type:x_event send; ') ####################################### @@ -438,27 +420,12 @@ # # Types for properties - type $1_xproperty_t alias $1_default_xproperty_t, xproperty_type; + type $1_xproperty_t, xproperty_type; ubac_constrained($1_xproperty_t) # Types for events type $1_input_xevent_t, input_xevent_type, xevent_type; ubac_constrained($1_input_xevent_t) - - type $1_property_xevent_t, xevent_type; - ubac_constrained($1_property_xevent_t) - - type $1_focus_xevent_t, xevent_type; - ubac_constrained($1_focus_xevent_t) - - type $1_manage_xevent_t, xevent_type; - ubac_constrained($1_manage_xevent_t) - - type $1_default_xevent_t, xevent_type; - ubac_constrained($1_default_xevent_t) - - type $1_client_xevent_t, xevent_type; - ubac_constrained($1_client_xevent_t) ') ####################################### 
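Review bot: `# disable property transitions for the time being.` gives neither the cause nor the condition for re-enabling, so a later maintainer cannot tell whether the commented `type_transition $2 xproperty_t:x_property $1_xproperty_t;` is a workaround for a defect or a design choice; state it, e.g. `# property transitions disabled: <reason> — re-enable once <condition>` with the placeholders filled in by the author. In the @@ -438 hunk, `type $1_xproperty_t, xproperty_type;` drops the `$1_default_xproperty_t` alias and no typealias elsewhere in this patch restores it, so any policy still naming `user_default_xproperty_t` or similar will fail to build; if that removal is intended, a compatibility typealias in the .te file or a changelog note would avoid surprise.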
@@ -486,14 +453,13 @@ # template(`xserver_user_x_domain_template',` gen_require(` - type xdm_t, xserver_tmp_t; + type xdm_t, xdm_tmp_t; type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; - class x_screen all_x_screen_perms; ') - allow $2 $2:shm create_shm_perms; - allow $2 $2:unix_dgram_socket create_socket_perms; - allow $2 $2:unix_stream_socket { connectto create_stream_socket_perms }; + allow $2 self:shm create_shm_perms; + allow $2 self:unix_dgram_socket create_socket_perms; + allow $2 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file allow $2 xauth_home_t:file read_file_perms; @@ -501,9 +467,9 @@ # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; - allow $2 xdm_t:fifo_file rw_fifo_file_perms; - allow $2 xserver_tmp_t:dir search_dir_perms; - allow $2 xserver_tmp_t:sock_file { read write }; + allow $2 xdm_t:fifo_file { getattr read write ioctl }; + allow $2 xdm_tmp_t:dir search_dir_perms; + allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; # Allow connections to X server. @@ -519,6 +485,7 @@ xserver_use_user_fonts($2) xserver_read_xdm_tmp_files($2) + xserver_read_xdm_pid($2) # X object manager xserver_object_types_template($1) @@ -529,10 +496,6 @@ allow $2 xserver_t:shm rw_shm_perms; allow $2 xserver_tmpfs_t:file rw_file_perms; ') - - allow $2 xserver_t:x_screen { saver_hide saver_show }; - - xserver_use_xdm($2) ') ######################################## @@ -592,11 +555,8 @@ ') domtrans_pattern($1, xauth_exec_t, xauth_t) - ifdef(`hide_broken_symptoms', ` - dontaudit xauth_t $1:unix_stream_socket rw_socket_perms; - dontaudit xauth_t $1:tcp_socket rw_socket_perms; - dontaudit xauth_t $1:udp_socket rw_socket_perms; + dontaudit xauth_t $1:socket_class_set { read write }; fs_dontaudit_rw_anon_inodefs_files(xauth_t) ') ') 
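Review bot: In the hunk at @@ -592 the `ifdef(`hide_broken_symptoms', `` opener is removed while both trailing `')` lines remain as context, which leaves xserver_domtrans_xauth with one more close than open unless a replacement opener was lost when the diff was collapsed; check that the .if still builds, and if the dontaudit is now meant to be unconditional, drop one `')`. The new `dontaudit xauth_t $1:socket_class_set { read write };` also widens the suppression from three socket classes to every socket class, which is acceptable for a dontaudit but deserves a comment such as `# xauth inherits arbitrary sockets from callers; suppress the leak noise`.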
@@ -652,6 +612,7 @@ allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) + xserver_read_xdm_pid($1) ') ######################################## @@ -742,7 +703,7 @@ type xdm_t; ') - allow $1 xdm_t:fifo_file rw_fifo_file_perms; + allow $1 xdm_t:fifo_file { getattr read write }; ') ######################################## @@ -778,11 +739,11 @@ # interface(`xserver_stream_connect_xdm',` gen_require(` - type xdm_t, xserver_tmp_t; + type xdm_t, xdm_tmp_t; ') files_search_tmp($1) - stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xdm_t) + stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t) ') ######################################## @@ -816,10 +777,10 @@ # interface(`xserver_setattr_xdm_tmp_dirs',` gen_require(` - type xserver_tmp_t; + type xdm_tmp_t; ') - allow $1 xserver_tmp_t:dir setattr; + allow $1 xdm_tmp_t:dir setattr; ') ######################################## @@ -835,13 +796,12 @@ # interface(`xserver_create_xdm_tmp_sockets',` gen_require(` - type xserver_tmp_t; + type xdm_tmp_t; ') files_search_tmp($1) - allow $1 xserver_tmp_t:dir list_dir_perms; - create_sock_files_pattern($1, xserver_tmp_t, xserver_tmp_t) - allow $1 xserver_tmp_t:sock_file unlink; + allow $1 xdm_tmp_t:dir list_dir_perms; + create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') ######################################## @@ -865,43 +825,6 @@ ######################################## ## -## Manage XDM pid files. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_manage_xdm_pid',` - gen_require(` - type xdm_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, xdm_var_run_t, xdm_var_run_t) -') - -######################################## -## -## Search XDM var lib dirs. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_search_xdm_lib',` - gen_require(` - type xdm_var_lib_t; - ') - - allow $1 xdm_var_lib_t:dir search_dir_perms; -') - -######################################## -## ## Read XDM var lib files. ## ## 
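Review bot: xserver_create_xdm_tmp_sockets in the @@ -835 hunk drops `allow $1 xserver_tmp_t:sock_file unlink;` with no replacement, so callers that removed a stale /tmp/.X11-unix socket before recreating it will now be denied; if unlink belongs in a separate interface, name it, otherwise keep `allow $1 xdm_tmp_t:sock_file unlink;`. The @@ -865 hunk deletes xserver_manage_xdm_pid outright — unlike xserver_search_xdm_lib, which reappears later in the patch — so any remaining caller fails to build; a deprecation stub (`refpolicywarn` plus the old rules), as this patch already does for xserver_user_client, is the usual transition path. The interface doc blocks enclosing these hunks start outside them.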
@@ -920,75 +843,6 @@ ######################################## ## -## Read XDM var lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`xserver_manage_xdm_lib_files',` - gen_require(` - type xdm_var_lib_t; - ') - - manage_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t) - read_lnk_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t) -') - -######################################## -## -## Execute xsever in the xserver domain, and -## allow the specified role the xserver domain. -## -## -## -## The type of the process performing this action. -## -## -## -## -## The role to be allowed the xserver domain. -## -## -# -interface(`xserver_run',` - gen_require(` - type xserver_t; - ') - - xserver_domtrans($1) - role $2 types xserver_t; -') - -######################################## -## -## Execute xsever in the xserver domain, and -## allow the specified role the xserver domain. -## -## -## -## The type of the process performing this action. -## -## -## -## -## The role to be allowed the xserver domain. -## -## -# -interface(`xserver_run_xauth',` - gen_require(` - type xauth_t; - ') - - xserver_domtrans_xauth($1) - role $2 types xauth_t; -') - -######################################## -## ## Make an X session script an entrypoint for the specified domain. ## ## @@ -1007,24 +861,6 @@ ######################################## ## -## Make an X executable an entrypoint for the specified domain. -## -## -## -## The domain for which the shell is an entrypoint. -## -## -# -interface(`xserver_entry_type',` - gen_require(` - type xserver_exec_t; - ') - - domain_entry_file($1, xserver_exec_t) -') - -######################################## -## ## Execute an X session in the target domain. This ## is an explicit transition, requiring the ## caller to use setexeccon(). 
@@ -1100,27 +936,6 @@ ######################################## ## -## Allow append the xdm -## log files. -## -## -## -## Domain to not audit -## -## -# -interface(`xserver_xdm_append_log',` - gen_require(` - type xdm_log_t; - attribute xdmhomewriter; - ') - - typeattribute $1 xdmhomewriter; - append_files_pattern($1, xdm_log_t, xdm_log_t) -') - -######################################## -## ## Do not audit attempts to write the X server ## log files. ## @@ -1174,11 +989,11 @@ # interface(`xserver_read_xdm_tmp_files',` gen_require(` - type xserver_tmp_t; + type xdm_tmp_t; ') files_search_tmp($1) - read_files_pattern($1, xserver_tmp_t, xserver_tmp_t) + read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') ######################################## @@ -1193,11 +1008,11 @@ # interface(`xserver_dontaudit_read_xdm_tmp_files',` gen_require(` - type xserver_tmp_t; + type xdm_tmp_t; ') - dontaudit $1 xserver_tmp_t:dir search_dir_perms; - dontaudit $1 xserver_tmp_t:file read_file_perms; + dontaudit $1 xdm_tmp_t:dir search_dir_perms; + dontaudit $1 xdm_tmp_t:file read_file_perms; ') ######################################## @@ -1212,11 +1027,11 @@ # interface(`xserver_rw_xdm_tmp_files',` gen_require(` - type xserver_tmp_t; + type xdm_tmp_t; ') - allow $1 xserver_tmp_t:dir search_dir_perms; - allow $1 xserver_tmp_t:file rw_file_perms; + allow $1 xdm_tmp_t:dir search_dir_perms; + allow $1 xdm_tmp_t:file rw_file_perms; ') ######################################## @@ -1231,10 +1046,10 @@ # interface(`xserver_manage_xdm_tmp_files',` gen_require(` - type xserver_tmp_t; + type xdm_tmp_t; ') - manage_files_pattern($1, xserver_tmp_t, xserver_tmp_t) + manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') ######################################## 
@@ -1249,10 +1064,10 @@ # interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` gen_require(` - type xserver_tmp_t; + type xdm_tmp_t; ') - dontaudit $1 xserver_tmp_t:sock_file getattr; + dontaudit $1 xdm_tmp_t:sock_file getattr; ') ######################################## @@ -1267,11 +1082,10 @@ # interface(`xserver_domtrans',` gen_require(` - type xserver_t, xserver_exec_t, xdm_t; + type xserver_t, xserver_exec_t; ') allow $1 xserver_t:process siginh; - allow xdm_t $1:process sigchld; domtrans_pattern($1, xserver_exec_t, xserver_t) ') @@ -1409,7 +1223,9 @@ ######################################## ## -## Read xserver files created in /var/run +## Interface to provide X object permissions on a given X server to +## an X client domain. Gives the domain permission to read the +## virtual core keyboard and virtual core pointer devices. ## ## ## @@ -1417,18 +1233,22 @@ ## ## # -interface(`xserver_read_pid',` +interface(`xserver_manage_core_devices',` gen_require(` - type xserver_var_run_t; + type xserver_t; + class x_device all_x_device_perms; + class x_pointer all_x_pointer_perms; + class x_keyboard all_x_keyboard_perms; ') - files_search_pids($1) - read_files_pattern($1, xserver_var_run_t, xserver_var_run_t) + allow $1 xserver_t:{ x_device x_pointer x_keyboard } *; ') ######################################## ## -## Execute xserver files created in /var/run +## Interface to provide X object permissions on a given X server to +## an X client domain. Gives the domain complete control over the +## display. ## ## ## 
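Review bot: xserver_manage_core_devices's summary says the domain may read the virtual core keyboard and pointer devices, but the rule `allow $1 xserver_t:{ x_device x_pointer x_keyboard } *;` grants every permission in those three classes, including any added to the classes later, which is a much larger grant than documented. Either restrict the rule to the read-type permissions the summary describes, or reword the summary to say the domain gets full control of the core input devices so that policy reviewers are not misled. The rename from xserver_read_pid is fine, as that interface reappears later in the patch.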
@@ -1436,81 +1256,95 @@ ## ## # -interface(`xserver_exec_pid',` +interface(`xserver_unconfined',` gen_require(` - type xserver_var_run_t; + attribute x_domain; + attribute xserver_unconfined_type; ') - files_search_pids($1) - exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t) + typeattribute $1 x_domain; + typeattribute $1 xserver_unconfined_type; ') ######################################## ## -## Write xserver files created in /var/run +## Dontaudit append to .xsession-errors file ## ## ## -## Domain allowed access. +## Domain to not audit ## ## # -interface(`xserver_write_pid',` +interface(`xserver_dontaudit_append_xdm_home_files',` gen_require(` - type xserver_var_run_t; + type xdm_home_t; + type xserver_tmp_t; ') - files_search_pids($1) - write_files_pattern($1, xserver_var_run_t, xserver_var_run_t) + dontaudit $1 xdm_home_t:file rw_inherited_file_perms; + dontaudit $1 xserver_tmp_t:file rw_inherited_file_perms; + + tunable_policy(`use_nfs_home_dirs',` + fs_dontaudit_rw_nfs_files($1) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_dontaudit_rw_cifs_files($1) + ') ') ######################################## ## -## Read user homedir fonts. +## append to .xsession-errors file ## ## ## -## Domain allowed access. 
+## Domain to not audit ## ## -## # -interface(`xserver_manage_home_fonts',` +interface(`xserver_append_xdm_home_files',` gen_require(` - type user_fonts_t; - type user_fonts_config_t; + type xdm_home_t; + type xserver_tmp_t; ') - manage_dirs_pattern($1, user_fonts_t, user_fonts_t) - manage_files_pattern($1, user_fonts_t, user_fonts_t) - manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t) + allow $1 xdm_home_t:file append_file_perms; + allow $1 xserver_tmp_t:file append_file_perms; - manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) + tunable_policy(`use_nfs_home_dirs',` + fs_append_nfs_files($1) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_append_cifs_files($1) + ') ') ######################################## ## -## Read user homedir fonts. +## Manage the xdm_spool files ## ## ## ## Domain allowed access. ## ## -## # -interface(`xserver_read_home_fonts',` +interface(`xserver_xdm_manage_spool',` gen_require(` - type user_fonts_t; + type xdm_spool_t; ') - read_files_pattern($1, user_fonts_t, user_fonts_t) - read_lnk_files_pattern($1, user_fonts_t, user_fonts_t) + files_search_spool($1) + manage_files_pattern($1, xdm_spool_t, xdm_spool_t) ') ######################################## ## -## write to .xsession-errors file +## Send and receive messages from +## xdm over dbus. ## ## ## 
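Review bot: The parameter summary of xserver_append_xdm_home_files reads `Domain to not audit`, copied from the dontaudit variant above it, but the interface grants `append_file_perms`; it should read `Domain allowed access.`. The two moved home-file interfaces still require `type xserver_tmp_t;` while every other hunk in this patch renames that type to xdm_tmp_t and keeps xserver_tmp_t only as a typealias; using xdm_tmp_t here would keep the naming consistent instead of relying on the alias.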
@@ -1518,127 +1352,92 @@ ## ## # -interface(`xserver_rw_xdm_home_files',` +interface(`xserver_dbus_chat_xdm',` gen_require(` - type xdm_home_t; + type xdm_t; + class dbus send_msg; ') - allow $1 xdm_home_t:file rw_inherited_file_perms; + allow $1 xdm_t:dbus send_msg; + allow xdm_t $1:dbus send_msg; ') ######################################## ## -## Dontaudit append to .xsession-errors file +## Read xserver files created in /var/run ## ## ## -## Domain to not audit +## Domain allowed access. ## ## # -interface(`xserver_dontaudit_append_xdm_home_files',` +interface(`xserver_read_pid',` gen_require(` - type xdm_home_t; - type xserver_tmp_t; - ') - - dontaudit $1 xdm_home_t:file rw_inherited_file_perms; - dontaudit $1 xserver_tmp_t:file rw_inherited_file_perms; - - tunable_policy(`use_nfs_home_dirs',` - fs_dontaudit_rw_nfs_files($1) + type xserver_var_run_t; ') - tunable_policy(`use_samba_home_dirs',` - fs_dontaudit_rw_cifs_files($1) - ') + files_search_pids($1) + read_files_pattern($1, xserver_var_run_t, xserver_var_run_t) ') ######################################## ## -## append to .xsession-errors file +## Execute xserver files created in /var/run ## ## ## -## Domain to not audit +## Domain allowed access. ## ## # -interface(`xserver_append_xdm_home_files',` +interface(`xserver_exec_pid',` gen_require(` - type xdm_home_t; - type xserver_tmp_t; - ') - - allow $1 xdm_home_t:file append_file_perms; - allow $1 xserver_tmp_t:file append_file_perms; - - tunable_policy(`use_nfs_home_dirs',` - fs_append_nfs_files($1) + type xserver_var_run_t; ') - tunable_policy(`use_samba_home_dirs',` - fs_append_cifs_files($1) - ') + files_search_pids($1) + exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t) ') - -####################################### +######################################## ## -## Interface to provide X object permissions on a given X server to -## an X client domain. Provides the minimal set required by a basic -## X client application. 
+## Write xserver files created in /var/run ## ## ## -## Client domain allowed access. +## Domain allowed access. ## ## # -interface(`xserver_use_xdm',` +interface(`xserver_write_pid',` gen_require(` - type xdm_t, xserver_tmp_t; - type xdm_xproperty_t; - type xdm_home_t; - class x_client all_x_client_perms; - class x_drawable all_x_drawable_perms; - class x_property all_x_property_perms; + type xserver_var_run_t; ') - allow $1 xdm_t:fd use; - allow $1 xdm_t:fifo_file rw_fifo_file_perms; - dontaudit $1 xdm_t:tcp_socket { read write }; - - # Allow connections to X server. - xserver_stream_connect_xdm($1) - xserver_read_xdm_tmp_files($1) - xserver_xdm_stream_connect($1) - xserver_setattr_xdm_tmp_dirs($1) - xserver_read_xdm_pid($1) - xserver_search_xdm_lib($1) - - allow $1 xdm_t:x_client { getattr destroy }; - allow $1 xdm_t:x_drawable { read receive get_property getattr send list_child add_child }; - allow $1 xdm_xproperty_t:x_property { write read }; - allow $1 xdm_home_t:file append_file_perms; + files_search_pids($1) + write_files_pattern($1, xserver_var_run_t, xserver_var_run_t) ') ######################################## ## -## Get the attributes of xauth executable +## Allow append the xdm +## log files. ## ## ## -## Domain allowed access. +## Domain to not audit ## ## # -interface(`xserver_getattr_xauth',` +interface(`xserver_xdm_append_log',` gen_require(` - type xauth_exec_t; + type xdm_log_t; + attribute xdmhomewriter; ') - allow $1 xauth_exec_t:file getattr; + typeattribute $1 xdmhomewriter; + append_files_pattern($1, xdm_log_t, xdm_log_t) ') ######################################## 
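Review bot: xserver_xdm_append_log's parameter summary says `Domain to not audit`, but the interface is an allow (`append_files_pattern` plus a typeattribute); it should read `Domain allowed access.`. xserver_use_xdm is removed in this hunk without a deprecation stub, so any out-of-tree caller stops building; following the pattern this patch uses for xserver_user_client, a `refpolicywarn(`$0() has been deprecated ...')` stub that forwards to the replacement interface would give callers a migration path.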
@@ -1662,27 +1461,30 @@ ######################################## ## -## Connect to apmd over an unix stream socket. +## Read user homedir fonts. ## ## ## ## Domain allowed access. ## ## +## # -interface(`xserver_xdm_stream_connect',` +interface(`xserver_rw_inherited_user_fonts',` gen_require(` - type xdm_t, xdm_var_run_t; + type user_fonts_t; + type user_fonts_config_t; ') - files_search_pids($1) - allow $1 xdm_var_run_t:sock_file write; - allow $1 xdm_t:unix_stream_socket connectto; + allow $1 user_fonts_t:file rw_inherited_file_perms; + allow $1 user_fonts_t:file read_lnk_file_perms; + + allow $1 user_fonts_config_t:file rw_inherited_file_perms; ') ######################################## ## -## Manage the xdm_spool files +## Search XDM var lib dirs. ## ## ## 
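Review bot: `allow $1 user_fonts_t:file read_lnk_file_perms;` applies the symlink permission macro to the `file` class, where it is a subset of the `rw_inherited_file_perms` already granted on the line above and adds nothing; the intent is presumably `allow $1 user_fonts_t:lnk_file read_lnk_file_perms;`. The summary `Read user homedir fonts` also understates an interface that grants read-write on inherited font descriptors; `Read and write inherited user font files` would match the interface name.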
@@ -1690,145 +1492,102 @@ ## ## # -interface(`xserver_xdm_manage_spool',` +interface(`xserver_search_xdm_lib',` gen_require(` - type xdm_spool_t; - ') - - files_search_spool($1) - manage_files_pattern($1, xdm_spool_t, xdm_spool_t) + type xdm_var_lib_t; ') -######################################## -## -## Ptrace XDM -## -## -## -## Domain to not audit -## -## -# -interface(`xserver_ptrace_xdm',` - gen_require(` - type xdm_t; + allow $1 xdm_var_lib_t:dir search_dir_perms; ') - allow $1 xdm_t:process ptrace; -') ######################################## ## -## Interface to provide X object permissions on a given X server to -## an X client domain. Gives the domain complete control over the -## display. +## Make an X executable an entrypoint for the specified domain. ## ## ## -## Domain allowed access. +## The domain for which the shell is an entrypoint. ## ## # -interface(`xserver_unconfined',` +interface(`xserver_entry_type',` gen_require(` - attribute xserver_unconfined_type; - attribute x_domain; + type xserver_exec_t; ') - typeattribute $1 xserver_unconfined_type; - typeattribute $1 x_domain; + domain_entry_file($1, xserver_exec_t) ') ######################################## ## -## Rules required for using the X Windows server -## and environment. +## Execute xsever in the xserver domain, and +## allow the specified role the xserver domain. ## ## ## -## Domain allowed access. +## The type of the process performing this action. ## ## -## +## ## -## Domain allowed access. +## The role to be allowed the xserver domain. 
## ## # -interface(`xserver_communicate',` +interface(`xserver_run',` gen_require(` - class x_drawable all_x_drawable_perms; - class x_resource all_x_resource_perms; + type xserver_t; ') - allow $1 $2:x_drawable all_x_drawable_perms; - allow $2 $1:x_drawable all_x_drawable_perms; - allow $1 $2:x_resource all_x_resource_perms; - allow $2 $1:x_resource all_x_resource_perms; + xserver_domtrans($1) + role $2 types xserver_t; ') -####################################### +######################################## ## -## Interface to provide X object permissions on a given X server to -## an X client domain. Provides the minimal set required by a basic -## X client application. +## Execute xsever in the xserver domain, and +## allow the specified role the xserver domain. ## ## ## -## Client domain allowed access. +## The type of the process performing this action. +## +## +## +## +## The role to be allowed the xserver domain. ## ## # -interface(`xserver_common_app',` - +interface(`xserver_run_xauth',` gen_require(` - attribute x_domain; - attribute xevent_type; - type xselection_t, rootwindow_t; - type user_xproperty_t, xproperty_t; - class x_property all_x_property_perms; - class x_selection all_x_selection_perms; - class x_event all_x_event_perms; - class x_synthetic_event all_x_synthetic_event_perms; + type xauth_t; ') - # Type attributes - typeattribute $1 x_domain; - - allow $1 xselection_t:x_selection setattr; - allow $1 user_xproperty_t:x_property { write read destroy }; - allow $1 xproperty_t:x_property all_x_property_perms; - - # X Windows - # new windows have the domain type - type_transition $1 rootwindow_t:x_drawable $1; - - # X Input - # can receive own events - allow $1 xevent_type:{ x_event x_synthetic_event } { receive send }; - xserver_communicate($1, $1) - xserver_stream_connect($1) - xserver_use_xdm($1) + xserver_domtrans_xauth($1) + role $2 types xauth_t; ') - ######################################## ## -## Send and receive messages from -## xdm over 
dbus. +## Read user homedir fonts. ## ## ## ## Domain allowed access. ## ## +## # -interface(`xserver_xdm_dbus_chat',` +interface(`xserver_manage_home_fonts',` gen_require(` - type xdm_t; - class dbus send_msg; + type user_fonts_t; + type user_fonts_config_t; ') - allow $1 xdm_t:dbus send_msg; - allow xdm_t $1:dbus send_msg; -') + manage_dirs_pattern($1, user_fonts_t, user_fonts_t) + manage_files_pattern($1, user_fonts_t, user_fonts_t) + manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t) + manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-01-18 18:24:22.923530253 +0100 +++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-03-03 10:40:17.342612584 +0100 @@ -1,5 +1,5 @@ -policy_module(xserver, 3.2.3) +policy_module(xserver, 3.3.2) gen_require(` class x_drawable all_x_drawable_perms; @@ -12,6 +12,8 @@ class x_cursor all_x_cursor_perms; class x_client all_x_client_perms; class x_device all_x_device_perms; + class x_pointer all_x_pointer_perms; + class x_keyboard all_x_keyboard_perms; class x_server all_x_server_perms; class x_extension all_x_extension_perms; class x_resource all_x_resource_perms; 
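Review bot: The summaries of xserver_run and xserver_run_xauth, both re-added in this hunk, read `Execute xsever in the xserver domain`; the typo should be `xserver`, and the xserver_run_xauth copy describes the wrong program and role — it should say xauth and `xauth_t`. xserver_manage_home_fonts's summary `Read user homedir fonts` describes a manage interface; `Manage user homedir fonts` matches its rules. The version bump and the two added `x_pointer`/`x_keyboard` class requires in the .te header hunks need no further comment.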
@@ -54,56 +56,58 @@ gen_tunable(xserver_object_manager, false) attribute xdmhomewriter; -attribute input_xevent_type; -attribute xserver_unconfined_type; -attribute x_domain; attribute x_userdomain; -attribute xproperty_type; -attribute xselection_type; -attribute xextension_type; + +attribute x_domain; + +# X Events attribute xevent_type; +attribute input_xevent_type; +type xevent_t, xevent_type; +typealias xevent_t alias { user_property_xevent_t staff_property_xevent_t sysadm_property_xevent_t }; +typealias xevent_t alias { auditadm_property_xevent_t secadm_property_xevent_t }; +typealias xevent_t alias { user_focus_xevent_t staff_focus_xevent_t sysadm_focus_xevent_t }; +typealias xevent_t alias { auditadm_focus_xevent_t secadm_focus_xevent_t }; +typealias xevent_t alias { user_manage_xevent_t staff_manage_xevent_t sysadm_manage_xevent_t }; +typealias xevent_t alias { auditadm_manage_xevent_t secadm_manage_xevent_t }; +typealias xevent_t alias { user_default_xevent_t staff_default_xevent_t sysadm_default_xevent_t }; +typealias xevent_t alias { auditadm_default_xevent_t secadm_default_xevent_t }; -type accelgraphics_xext_t, xextension_type; type client_xevent_t, xevent_type; +typealias client_xevent_t alias { user_client_xevent_t staff_client_xevent_t sysadm_client_xevent_t }; +typealias client_xevent_t alias { auditadm_client_xevent_t secadm_client_xevent_t }; + +type input_xevent_t, xevent_type, input_xevent_type; + +# X Extensions +attribute xextension_type; +type xextension_t, xextension_type; +type security_xextension_t, xextension_type; + +# X Properties +attribute xproperty_type; +type xproperty_t, xproperty_type; +type seclabel_xproperty_t, xproperty_type; type clipboard_xproperty_t, xproperty_type; -type clipboard_xselection_t, xselection_type; -type debug_xext_t, xextension_type; -type directhw_xext_t alias disallowed_xext_t, xextension_type; -type focus_xevent_t, xevent_type; -type iceauth_t; -type iceauth_exec_t; -typealias iceauth_t alias { 
user_iceauth_t staff_iceauth_t sysadm_iceauth_t xguest_iceauth_t }; -typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t }; -application_domain(iceauth_t, iceauth_exec_t) -ubac_constrained(iceauth_t) +# X Selections +attribute xselection_type; +type xselection_t, xselection_type; +type clipboard_xselection_t, xselection_type; +#type settings_xselection_t, xselection_type; +#type dbus_xselection_t, xselection_type; -type iceauth_home_t; -typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t }; -typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t xguest_iceauth_home_t }; -files_poly_member(iceauth_home_t) -userdom_user_home_content(iceauth_home_t) +# X Drawables +attribute xdrawable_type; +attribute xcolormap_type; +type root_xdrawable_t, xdrawable_type; +type root_xcolormap_t, xcolormap_type; -type info_xproperty_t, xproperty_type; -type input_xevent_t, xevent_type; -type manage_xevent_t, xevent_type; -type output_xext_t, xextension_type; -type property_xevent_t, xevent_type; -type remote_xclient_t; - -type rootwindow_t; -typealias rootwindow_t alias { user_rootwindow_t staff_rootwindow_t sysadm_rootwindow_t }; -typealias rootwindow_t alias { auditadm_rootwindow_t secadm_rootwindow_t }; -ubac_constrained(rootwindow_t) - -type screensaver_xext_t, xextension_type; -type security_xext_t, xextension_type; -type shmem_xext_t, xextension_type; -type std_xext_t, xextension_type; -type video_xext_t, xextension_type; -type unknown_xevent_t, xevent_type; +attribute xserver_unconfined_type; +xserver_object_types_template(root) xserver_object_types_template(user) + typealias user_xproperty_t alias { staff_xproperty_t sysadm_xproperty_t }; typealias user_xproperty_t alias { auditadm_xproperty_t secadm_xproperty_t }; typealias user_input_xevent_t alias { staff_input_xevent_t sysadm_input_xevent_t }; 
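Review bot: The typealias lines fold every former per-user property/focus/manage/default event type into the single xevent_t, which the rewritten xserver_common_x_domain_template then lets every x_domain `receive`, so the previous separation between those event kinds is gone. If that is the intended simplification, a comment above the block, e.g. `# non-input events are no longer distinguished by kind; aliases kept for compatibility only`, would spare the next reader a search for the lost types. `#type settings_xselection_t` and `#type dbus_xselection_t` are left as commented-out code with no note on whether they are planned or abandoned.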
@@ -108,52 +112,63 @@ typealias user_xproperty_t alias { auditadm_xproperty_t secadm_xproperty_t }; typealias user_input_xevent_t alias { staff_input_xevent_t sysadm_input_xevent_t }; typealias user_input_xevent_t alias { auditadm_input_xevent_t secadm_input_xevent_t }; -typealias user_property_xevent_t alias { staff_property_xevent_t sysadm_property_xevent_t }; -typealias user_property_xevent_t alias { auditadm_property_xevent_t secadm_property_xevent_t }; -typealias user_focus_xevent_t alias { staff_focus_xevent_t sysadm_focus_xevent_t }; -typealias user_focus_xevent_t alias { auditadm_focus_xevent_t secadm_focus_xevent_t }; -typealias user_manage_xevent_t alias { staff_manage_xevent_t sysadm_manage_xevent_t }; -typealias user_manage_xevent_t alias { auditadm_manage_xevent_t secadm_manage_xevent_t }; -typealias user_default_xevent_t alias { staff_default_xevent_t sysadm_default_xevent_t }; -typealias user_default_xevent_t alias { auditadm_default_xevent_t secadm_default_xevent_t }; -typealias user_client_xevent_t alias { staff_client_xevent_t sysadm_client_xevent_t }; -typealias user_client_xevent_t alias { auditadm_client_xevent_t secadm_client_xevent_t }; + +type remote_t; +xserver_object_types_template(remote) +xserver_common_x_domain_template(remote,remote_t) type user_fonts_t; -typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t xguest_fonts_t unconfined_fonts_t }; -typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t user_fonts_home_t }; +typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t }; +typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t }; +typealias user_fonts_t alias { xguest_fonts_t unconfined_fonts_t user_fonts_home_t }; userdom_user_home_content(user_fonts_t) type user_fonts_cache_t; -typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t xguest_fonts_cache_t unconfined_fonts_cache_t }; +typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t }; typealias 
user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t }; +typealias user_fonts_cache_t alias { xguest_fonts_cache_t unconfined_fonts_cache_t }; +; userdom_user_home_content(user_fonts_cache_t) type user_fonts_config_t; -typealias user_fonts_config_t alias { fonts_config_home_t staff_fonts_config_t sysadm_fonts_config_t xguest_fonts_config_t unconfined_fonts_config_t }; +typealias user_fonts_config_t alias { staff_fonts_config_t sysadm_fonts_config_t }; typealias user_fonts_config_t alias { auditadm_fonts_config_t secadm_fonts_config_t }; +typealias user_fonts_config_t alias { fonts_config_home_t xguest_fonts_config_t unconfined_fonts_config_t }; userdom_user_home_content(user_fonts_config_t) -type xevent_t alias default_xevent_t, xevent_type; -type xext_t alias unknown_xext_t, xextension_type; -type xproperty_t alias default_xproperty_t, xproperty_type; -type xselection_t alias default_xselection_t, xselection_type; +type iceauth_t; +type iceauth_exec_t; +typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t }; +typealias iceauth_t alias { xguest_iceauth_t }; +typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t }; +application_domain(iceauth_t, iceauth_exec_t) +ubac_constrained(iceauth_t) + +type iceauth_home_t; +typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t }; +typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t }; +typealias iceauth_home_t alias { xguest_iceauth_home_t }; +files_poly_member(iceauth_home_t) +userdom_user_home_content(iceauth_home_t) type xauth_t; type xauth_exec_t; typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t }; -typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t xguest_xauth_t unconfined_xauth_t }; +typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t }; +typealias xauth_t alias { xguest_xauth_t unconfined_xauth_t }; application_domain(xauth_t, xauth_exec_t) ubac_constrained(xauth_t) 
type xauth_home_t; typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t }; -typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t xguest_xauth_home_t unconfined_xauth_home_t }; +typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t }; +typealias xauth_home_t alias { xguest_xauth_home_t unconfined_xauth_home_t }; files_poly_member(xauth_home_t) userdom_user_home_content(xauth_home_t) type xauth_tmp_t; -typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t xguest_xauth_tmp_t unconfined_xauth_tmp_t }; +typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t }; +typealias xauth_tmp_t alias { xguest_xauth_tmp_t unconfined_xauth_tmp_t }; typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t }; files_tmp_file(xauth_tmp_t) ubac_constrained(xauth_tmp_t) @@ -168,7 +183,9 @@ type xdm_exec_t; auth_login_pgm_domain(xdm_t) init_domain(xdm_t, xdm_exec_t) -init_daemon_domain(xdm_t, xdm_exec_t) +init_system_domain(xdm_t, xdm_exec_t) +xserver_object_types_template(xdm) +xserver_common_x_domain_template(xdm, xdm_t) type xdm_lock_t; files_lock_file(xdm_lock_t) @@ -191,6 +208,12 @@ type xserver_var_run_t; files_pid_file(xserver_var_run_t) +type xdm_tmp_t; +files_tmp_file(xdm_tmp_t) +typealias xdm_tmp_t alias { xserver_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t }; +typealias xdm_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t }; +ubac_constrained(xdm_tmp_t) + type xdm_tmpfs_t; files_tmpfs_file(xdm_tmpfs_t) 
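Review bot: A line consisting only of `;` is added right after the xguest/unconfined fonts_cache typealias; a bare semicolon is not a statement in the policy language and is unlikely to pass checkmodule, so delete it. `type remote_t;` is declared and passed through xserver_common_x_domain_template, but nothing in this hunk marks remote_t as a process domain beyond the x_domain attribute the template assigns; if it is meant to be the domain of remote X clients it needs the usual domain setup, otherwise a comment stating that it is only an X-object label for remote connections (matching the `client * ... remote_t` rule in x_contexts) would help.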
@@ -209,17 +232,9 @@ type xserver_exec_t; typealias xserver_t alias { user_xserver_t staff_xserver_t sysadm_xserver_t }; typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t }; -xserver_object_types_template(xdm) -xserver_common_x_domain_template(xdm, xdm_t) init_system_domain(xserver_t, xserver_exec_t) ubac_constrained(xserver_t) -type xserver_tmp_t; -typealias xserver_tmp_t alias { xdm_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t }; -typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t }; -files_tmp_file(xserver_tmp_t) -ubac_constrained(xserver_tmp_t) - type xserver_tmpfs_t; typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t xguest_xserver_tmpfs_t unconfined_xserver_tmpfs_t xdm_xserver_tmpfs_t }; typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t }; @@ -269,6 +284,7 @@ ') ifdef(`hide_broken_symptoms', ` + dev_dontaudit_read_urand(iceauth_t) dev_dontaudit_rw_dri(iceauth_t) dev_dontaudit_rw_generic_dev_nodes(iceauth_t) fs_list_inotifyfs(iceauth_t) @@ -289,6 +305,9 @@ allow xauth_t self:unix_stream_socket create_stream_socket_perms; allow xauth_t xdm_t:process sigchld; +allow xauth_t xserver_t:unix_stream_socket connectto; + +corenet_tcp_connect_xserver_port(xauth_t) allow xauth_t xauth_home_t:file manage_file_perms; userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file) 
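Review bot: `corenet_tcp_connect_xserver_port(xauth_t)` lets xauth_t open a TCP connection to the X server port on any reachable host, which is far wider than the local `allow xauth_t xserver_t:unix_stream_socket connectto;` added beside it and the `stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t)` added in the following hunk. If the need is only the local display (presumably `xauth generate` talking to the running server; please confirm against the AVC), the Unix-socket rules cover it and the TCP line can go. If a remote display really must be supported, keep it visible with a comment such as `# xauth generate may contact a remote display over TCP` and ideally behind a boolean. The two new lines also sit between unrelated home-file rules; placing them with the other xserver_t rules in the next hunk would read better.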
@@ -301,15 +320,19 @@ manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir }) -domain_use_interactive_fds(xauth_t) +stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -dev_rw_xserver_misc(xauth_t) +domain_use_interactive_fds(xauth_t) +domain_dontaudit_leaks(xauth_t) files_read_etc_files(xauth_t) files_read_usr_files(xauth_t) files_search_pids(xauth_t) files_dontaudit_getattr_all_dirs(xauth_t) +files_dontaudit_leaks(xauth_t) +files_var_lib_filetrans(xauth_t, xauth_home_t, file) +fs_dontaudit_leaks(xauth_t) fs_getattr_all_fs(xauth_t) fs_search_auto_mountpoints(xauth_t) @@ -325,12 +348,15 @@ ifdef(`hide_broken_symptoms', ` userdom_manage_user_home_content_files(xauth_t) userdom_manage_user_tmp_files(xauth_t) + dev_dontaudit_rw_generic_dev_nodes(xauth_t) + miscfiles_read_fonts(xauth_t) ') xserver_rw_xdm_tmp_files(xauth_t) tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(xauth_t) + fs_read_nfs_symlinks(xauth_t) ') tunable_policy(`use_samba_home_dirs',` @@ -340,7 +366,6 @@ ifdef(`hide_broken_symptoms', ` term_dontaudit_use_unallocated_ttys(xauth_t) dev_dontaudit_rw_dri(xauth_t) - dev_dontaudit_rw_generic_dev_nodes(xauth_t) ') optional_policy(` 
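Review bot: `files_var_lib_filetrans(xauth_t, xauth_home_t, file)` labels a file that xauth_t creates directly under /var/lib with xauth_home_t, a type this module declares as user home content (`userdom_user_home_content(xauth_home_t)` earlier on this page), so any domain granted manage rights on user home content can also manage that system-directory file. If this exists for a display-manager account whose home lives under /var/lib (it looks like the gdm case, but confirm), say so with a comment such as `# display-manager accounts keep ~/.Xauthority under /var/lib`, and consider a dedicated type or the xdm module's own var_lib type instead of reusing a home-content type. The surrounding `domain_dontaudit_leaks`/`files_dontaudit_leaks`/`fs_dontaudit_leaks` trio is fine, but a one-line comment naming the leaking parent would help the next reader.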
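Review bot: `miscfiles_read_fonts(xauth_t)` is a plain allow added inside the `ifdef(\`hide_broken_symptoms'` block next to a new dontaudit; the block already held two allows before this change, but hide_broken_symptoms is meant to silence noise, and an authority-file tool reading fonts is surprising enough that the rule should either move out to the unconditional `files_read_*` rules for xauth_t (if the access is real) or become a dontaudit (if it is noise). Either way a comment naming what triggers the font access, e.g. `# xauth links against Xlib which probes font dirs -- confirm`, should accompany it.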
@@ -394,12 +419,12 @@
 # this is ugly, daemons should not create files under /etc!
 manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t)
-manage_dirs_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
-manage_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
-manage_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
-files_tmp_filetrans(xdm_t, xserver_tmp_t, { file dir sock_file })
-relabelfrom_dirs_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
-relabelfrom_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
+manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
+relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
 manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
 manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
@@ -433,7 +458,7 @@
 manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
 files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file })
-allow xdm_t xserver_t:process signal;
+allow xdm_t xserver_t:process { signal signull };
 allow xdm_t xserver_t:unix_stream_socket connectto;
 allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
@@ -504,7 +529,7 @@
 dev_getattr_misc_dev(xdm_t)
 dev_setattr_misc_dev(xdm_t)
 dev_dontaudit_rw_misc(xdm_t)
-dev_getattr_video_dev(xdm_t)
+dev_read_video_dev(xdm_t)
 dev_setattr_video_dev(xdm_t)
 dev_getattr_scanner_dev(xdm_t)
 dev_setattr_scanner_dev(xdm_t)
@@ -549,8 +574,10 @@
 storage_dontaudit_rw_fuse(xdm_t)
 term_setattr_console(xdm_t)
+term_use_console(xdm_t)
 term_use_unallocated_ttys(xdm_t)
 term_setattr_unallocated_ttys(xdm_t)
+term_relabel_all_ttys(xdm_t)
 auth_domtrans_pam_console(xdm_t)
 auth_manage_pam_pid(xdm_t)
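Review bot: `term_relabel_all_ttys(xdm_t)` grants relabelfrom/relabelto across every tty type, which is much broader than the `term_setattr_unallocated_ttys(xdm_t)` it sits next to and lets the display manager relabel any user's or daemon's terminal rather than just the VT it manages. If the requirement is relabelling the virtual terminal on session start and end (confirm against the AVC that prompted this), an interface limited to unallocated ttys and the user tty type would suffice; otherwise add a comment such as `# xdm relabels the VT between sessions` naming the need. `term_use_console(xdm_t)` likewise upgrades a setattr-only rule to full console use and deserves a word on why.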
@@ -566,7 +593,6 @@ logging_read_generic_logs(xdm_t) -miscfiles_dontaudit_write_fonts(xdm_t) miscfiles_search_man_pages(xdm_t) miscfiles_read_localization(xdm_t) miscfiles_read_fonts(xdm_t) @@ -583,6 +609,7 @@ userdom_signal_all_users(xdm_t) userdom_stream_connect(xdm_t) userdom_manage_user_tmp_dirs(xdm_t) +userdom_manage_user_tmp_files(xdm_t) userdom_manage_user_tmp_sockets(xdm_t) userdom_manage_tmpfs_role(system_r, xdm_t) @@ -635,6 +662,7 @@ dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms; xserver_xdm_append_log(xdm_dbusd_t) + xserver_read_xdm_pid(xdm_dbusd_t) corecmd_bin_entry_type(xdm_t) @@ -668,6 +696,7 @@ optional_policy(` gnome_read_gconf_config(xdm_t) + gnome_read_config(xdm_t) ') optional_policy(` @@ -685,11 +714,6 @@ optional_policy(` # Do not audit attempts to check whether user root has email mta_dontaudit_getattr_spool_files(xdm_t) - mta_dontaudit_read_spool_symlinks(xdm_t) -') - -optional_policy(` - resmgr_stream_connect(xdm_t) ') optional_policy(` @@ -705,13 +729,18 @@ ') optional_policy(` - plymouth_search_spool(xdm_t) - plymouth_exec_plymouth(xdm_t) + plymouthd_search_spool(xdm_t) + plymouthd_exec_plymouth(xdm_t) ') optional_policy(` pulseaudio_exec(xdm_t) pulseaudio_dbus_chat(xdm_t) + pulseaudio_stream_connect(xdm_t) +') + +optional_policy(` + resmgr_stream_connect(xdm_t) ') # On crash gdm execs gdb to dump stack @@ -767,6 +796,14 @@ # X server local policy # +# X Object Manager rules +type_transition xserver_t xserver_t:x_drawable root_xdrawable_t; +type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; + +allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; +allow xserver_t input_xevent_t:x_event send; + # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer # sys_admin, locking shared mem? chowning IPC message queues or semaphores? 
@@ -802,18 +839,12 @@
 allow xserver_t xauth_home_t:file read_file_perms;
-# Labeling rules for root windows and colormaps
-type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
-
-allow xserver_t { rootwindow_t x_domain }:x_drawable send;
-allow xserver_t x_domain:shm rw_shm_perms;
-
 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
-#filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t,sock_file)
+filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
@@ -928,7 +959,6 @@
 miscfiles_read_localization(xserver_t)
 miscfiles_read_fonts(xserver_t)
-miscfiles_dontaudit_write_fonts(xserver_t)
 miscfiles_read_hwdata(xserver_t)
 modutils_domtrans_insmod(xserver_t)
@@ -952,7 +982,7 @@
 ')
 ifdef(`enable_mls',`
-# range_transition xserver_t xserver_tmp_t:sock_file s0 - mls_systemhigh;
+ range_transition xserver_t xserver_tmp_t:sock_file s0 - mls_systemhigh;
 range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
 ')
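Review bot: The uncommented `filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)` is a no-op: it requests a transition to xserver_tmp_t for sockets created in a directory that is already xserver_tmp_t, which is the label the object would inherit anyway, and the directory permissions it carries are presumably already covered by `manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)` just above. The transition that matters, tmp_t to xserver_tmp_t, is already present as `files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })`, so this line should be deleted rather than enabled. Separately, the hunk removes `allow xserver_t x_domain:shm rw_shm_perms;` with no visible replacement; unless `xserver_common_x_domain_template` (relocated in an earlier hunk, body not shown) now supplies it, clients using MIT-SHM will be denied, so please confirm where that access went.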
@@ -961,15 +991,17 @@ # but typeattribute doesnt work in conditionals allow xserver_t xserver_t:x_server *; - allow xserver_t { x_domain rootwindow_t }:x_drawable *; + allow xserver_t { x_domain root_xdrawable_t }:x_drawable *; allow xserver_t xserver_t:x_screen *; allow xserver_t x_domain:x_gc *; - allow xserver_t { x_domain rootwindow_t }:x_colormap *; + allow xserver_t { x_domain root_xcolormap_t }:x_colormap *; allow xserver_t xproperty_type:x_property *; allow xserver_t xselection_type:x_selection *; allow xserver_t x_domain:x_cursor *; - allow xserver_t { x_domain remote_xclient_t }:x_client *; + allow xserver_t x_domain:x_client *; allow xserver_t { x_domain xserver_t }:x_device *; + allow xserver_t { x_domain xserver_t }:x_pointer *; + allow xserver_t { x_domain xserver_t }:x_keyboard *; allow xserver_t xextension_type:x_extension *; allow xserver_t { x_domain xserver_t }:x_resource *; allow xserver_t xevent_type:{ x_event x_synthetic_event } *; @@ -1027,9 +1059,9 @@ read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t) # Label pid and temporary files with derived types. -manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -manage_lnk_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) +manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. allow xserver_t xkb_var_lib_t:lnk_file read; 
@@ -1088,136 +1120,139 @@ # # Hacks -# everyone can get the input focus of everyone else -# this is a fundamental brokenness in the X protocol -allow x_domain { x_domain xserver_t }:x_device getfocus; -# everyone can grab the server -# everyone does it, it is basically a free DOS attack -allow x_domain xserver_t:x_server grab; -# everyone can get the font path, etc. -# this could leak out sensitive information -allow x_domain xserver_t:x_server getattr; # everyone can do override-redirect windows. # this could be used to spoof labels allow x_domain self:x_drawable override; -# everyone can receive management events on the root window -# allows to know when new windows appear, among other things -allow x_domain manage_xevent_t:x_event receive; +# firefox gets nosy with other people's windows +allow x_domain x_domain:x_drawable { list_child receive }; # X Server -# can read server-owned resources -allow x_domain xserver_t:x_resource read; -allow x_domain xserver_t:x_device { manage force_cursor }; - +# can get X server attributes +allow x_domain xserver_t:x_server getattr; +# can grab the server +allow x_domain xserver_t:x_server grab; +# can read and write server-owned generic resources +allow x_domain xserver_t:x_resource { read write }; # can mess with own clients -allow x_domain self:x_client { manage destroy }; +allow x_domain self:x_client { getattr manage destroy }; # X Protocol Extensions -allow x_domain std_xext_t:x_extension { query use }; -allow x_domain shmem_xext_t:x_extension { query use }; -dontaudit x_domain xextension_type:x_extension { query use }; +allow x_domain xextension_t:x_extension { query use }; +allow x_domain security_xextension_t:x_extension { query use }; # X Properties -# can read and write cut buffers -allow x_domain clipboard_xproperty_t:x_property { create read write append }; -# can read info properties -allow x_domain info_xproperty_t:x_property read; # can change properties of root window -allow x_domain rootwindow_t:x_drawable { 
list_property get_property set_property }; -# can change properties of own windows +allow x_domain root_xdrawable_t:x_drawable { list_property get_property set_property }; +# can change properties of my own windows allow x_domain self:x_drawable { list_property get_property set_property }; +# can read and write cut buffers +allow x_domain clipboard_xproperty_t:x_property { create read write append }; +# can read security labels +allow x_domain seclabel_xproperty_t:x_property { getattr read }; +# can change all other properties +allow x_domain xproperty_t:x_property { getattr create read write append destroy }; # X Windows # operations allowed on root windows -allow x_domain rootwindow_t:x_drawable { getattr list_child add_child remove_child send receive }; +allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; - -allow x_domain x_domain:x_drawable { get_property getattr list_child }; +allow x_domain self:x_drawable { blend }; +# operations allowed on all windows +allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; # X Colormaps # can use the default colormap -allow x_domain rootwindow_t:x_colormap { read use add_color }; +allow x_domain root_xcolormap_t:x_colormap { read use add_color remove_color install uninstall }; +# can create and use colormaps +allow x_domain self:x_colormap *; + +# X Devices +# operations allowed on my own devices +allow x_domain self:{ x_device x_pointer x_keyboard } *; +# operations allowed on generic devices +allow x_domain xserver_t:x_device { use getattr setattr getfocus setfocus bell grab freeze force_cursor }; +# operations allowed on core keyboard +allow x_domain xserver_t:x_keyboard { use getattr setattr getfocus setfocus bell grab }; +# operations allowed on 
core pointer +allow x_domain xserver_t:x_pointer { read use getattr setattr getfocus setfocus bell grab freeze force_cursor }; + +# all devices can generate input events +allow x_domain root_xdrawable_t:x_drawable send; +allow x_domain x_domain:x_drawable send; +allow x_domain input_xevent_t:x_event send; + +# dontaudit keyloggers repeatedly polling +#dontaudit x_domain xserver_t:x_keyboard read; # X Input -# can receive certain root window events -allow x_domain focus_xevent_t:x_event receive; -allow x_domain property_xevent_t:x_event receive; -allow x_domain client_xevent_t:x_synthetic_event receive; -allow x_domain manage_xevent_t:x_synthetic_event receive; +# can receive default events +allow x_domain xevent_t:{ x_event x_synthetic_event } receive; +# can receive ICCCM events +allow x_domain client_xevent_t:{ x_event x_synthetic_event } receive; # can send ICCCM events to the root window -allow x_domain manage_xevent_t:x_synthetic_event send; allow x_domain client_xevent_t:x_synthetic_event send; +# can receive root window input events +allow x_domain root_input_xevent_t:x_event receive; + # X Selections # can use the clipboard allow x_domain clipboard_xselection_t:x_selection { getattr setattr read }; -# can query all other selections -allow x_domain xselection_t:x_selection { getattr read }; +# can use default selections +allow x_domain xselection_t:x_selection { getattr setattr read }; # Other X Objects # can create and use cursors allow x_domain self:x_cursor *; # can create and use graphics contexts allow x_domain self:x_gc *; -# can create and use colormaps -allow x_domain self:x_colormap *; # can read and write own objects allow x_domain self:x_resource { read write }; +# can mess with the screensaver +allow x_domain xserver_t:x_screen { getattr saver_getattr }; + +######################################## +# +# Rules for unconfined access to this module +# tunable_policy(`! 
xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals allow x_domain xserver_t:x_server *; - allow x_domain { x_domain rootwindow_t }:x_drawable *; + allow x_domain xdrawable_type:x_drawable *; allow x_domain xserver_t:x_screen *; allow x_domain x_domain:x_gc *; - allow x_domain { x_domain rootwindow_t }:x_colormap *; + allow x_domain xcolormap_type:x_colormap *; allow x_domain xproperty_type:x_property *; allow x_domain xselection_type:x_selection *; allow x_domain x_domain:x_cursor *; - allow x_domain { x_domain remote_xclient_t }:x_client *; + allow x_domain x_domain:x_client *; allow x_domain { x_domain xserver_t }:x_device *; + allow x_domain { x_domain xserver_t }:x_pointer *; + allow x_domain { x_domain xserver_t }:x_keyboard *; allow x_domain xextension_type:x_extension *; allow x_domain { x_domain xserver_t }:x_resource *; allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') -######################################## -# -# Rules for unconfined access to this module -# - allow xserver_unconfined_type xserver_t:x_server *; -allow xserver_unconfined_type { x_domain rootwindow_t }:x_drawable *; +allow xserver_unconfined_type xdrawable_type:x_drawable *; allow xserver_unconfined_type xserver_t:x_screen *; allow xserver_unconfined_type x_domain:x_gc *; -allow xserver_unconfined_type { x_domain rootwindow_t }:x_colormap *; +allow xserver_unconfined_type xcolormap_type:x_colormap *; allow xserver_unconfined_type xproperty_type:x_property *; allow xserver_unconfined_type xselection_type:x_selection *; allow xserver_unconfined_type x_domain:x_cursor *; -allow xserver_unconfined_type { x_domain remote_xclient_t }:x_client *; +allow xserver_unconfined_type x_domain:x_client *; allow xserver_unconfined_type { x_domain xserver_t }:x_device *; +allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *; +allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *; allow 
xserver_unconfined_type xextension_type:x_extension *; allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; -allow xserver_unconfined_type self:x_drawable all_x_drawable_perms; -allow xserver_unconfined_type self:x_screen all_x_screen_perms; -allow xserver_unconfined_type self:x_gc all_x_gc_perms; -allow xserver_unconfined_type self:x_font all_x_font_perms; -allow xserver_unconfined_type self:x_colormap all_x_colormap_perms; -allow xserver_unconfined_type self:x_property all_x_property_perms; -allow xserver_unconfined_type self:x_selection all_x_selection_perms; -allow xserver_unconfined_type self:x_cursor all_x_cursor_perms; -allow xserver_unconfined_type self:x_client all_x_client_perms; -allow xserver_unconfined_type self:x_device all_x_device_perms; -allow xserver_unconfined_type self:x_server all_x_server_perms; -allow xserver_unconfined_type self:x_extension all_x_extension_perms; -allow xserver_unconfined_type self:x_resource all_x_resource_perms; -allow xserver_unconfined_type self:x_event all_x_event_perms; -allow xserver_unconfined_type self:x_synthetic_event all_x_synthetic_event_perms; - optional_policy(` unconfined_rw_shm(xserver_t) unconfined_execmem_rw_shm(xserver_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.32/policy/modules/system/application.te --- nsaserefpolicy/policy/modules/system/application.te 2010-01-18 18:24:22.925530368 +0100 +++ serefpolicy-3.6.32/policy/modules/system/application.te 2010-02-09 12:51:23.459615874 +0100 @@ -1,5 +1,5 @@ -policy_module(application, 1.1.0) +policy_module(application, 1.1.1) # Attribute of user applications attribute application_domain_type; 
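Review bot: Under `# all devices can generate input events` the subject is x_domain, not a device or server domain: `allow x_domain x_domain:x_drawable send;` together with `allow x_domain input_xevent_t:x_event send;` lets any confined X client deliver input-typed events to every other client's windows, which is precisely the cross-client injection the object manager is there to prevent. If the intent is that server-side devices emit these events, the rules belong on xserver_t (as `allow xserver_t input_xevent_t:x_event send;` already is in the X Object Manager hunk above); if a client-side input path genuinely needs it, gate it with a boolean and name the consumer in the comment. In the same spirit, `allow x_domain xproperty_t:x_property { getattr create read write append destroy }` combined with `allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }` lets every client rewrite or delete default-typed properties on every other client's windows and on the root window, and `allow x_domain xserver_t:x_pointer { read ... }` hands pointer state to all clients while the keyboard equivalent is deliberately withheld; each should carry a comment stating that it is an accepted relaxation rather than an oversight.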
@@ -7,14 +7,18 @@ # Executables to be run by user attribute application_exec_type; -userdom_append_user_home_content_files(application_domain_type) -userdom_write_user_tmp_files(application_domain_type) -logging_rw_all_logs(application_domain_type) +userdom_inherit_append_user_home_content_files(application_domain_type) userdom_inherit_append_admin_home_files(application_domain_type) +userdom_inherit_append_user_tmp_files(application_domain_type) +logging_inherit_append_all_logs(application_domain_type) files_dontaudit_search_all_dirs(application_domain_type) optional_policy(` + afs_rw_udp_sockets(application_domain_type) +') + +optional_policy(` ssh_sigchld(application_domain_type) ssh_rw_stream_sockets(application_domain_type) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.6.32/policy/modules/system/daemontools.if --- nsaserefpolicy/policy/modules/system/daemontools.if 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/system/daemontools.if 2010-02-11 14:55:16.780616974 +0100 @@ -71,6 +71,32 @@ domtrans_pattern($1, svc_start_exec_t, svc_start_t) ') +####################################### +## +## Execute svc_start in the svc_start domain, and +## allow the specified role the svc_start domain. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the svc_start domain. +## +## +## +# +interface(`daemonstools_run_start',` + gen_require(` + type svc_start_t; + ') + + daemontools_domtrans_start($1) + role $2 types svc_start_t; +') + ######################################## ## ## Execute in the svc_run_t domain. 
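Review bot: `afs_rw_udp_sockets(application_domain_type)` is a full read/write allow for every application domain on AFS UDP sockets, while the neighbouring lines in this hunk were tightened to `_inherit_append_` forms precisely to stop handing blanket access over inherited descriptors. If this is about a UDP socket leaked to child applications (the placement suggests so, but confirm), a dontaudit interface is the consistent choice; if applications really must talk on that socket, add a comment such as `# AFS client hands its UDP socket to child applications` naming the program that needs it.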
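Review bot: The new interface is declared as `interface(\`daemonstools_run_start',` with a stray "s", so a caller writing the expected `daemontools_run_start($1, $2)` will not resolve, and the name breaks the `daemontools_` prefix every other interface in this file uses. Rename it to `interface(\`daemontools_run_start',`. Since this is a `_run_` interface it should also, like the sibling run interfaces in this policy, document that the role is granted svc_start_t in its summary so callers know it changes role/type authorisations.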
@@ -127,6 +153,24 @@ allow $1 svc_svc_t:file read_file_perms; ') +####################################### +## +## Search svc_svc_t directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`daemontools_search_svc_dir',` + gen_require(` + type svc_svc_t; + ') + + allow $1 svc_svc_t:dir search_dir_perms; +') + ######################################## ## ## Allow a domain to create svc_svc_t files. @@ -148,3 +192,21 @@ allow $1 svc_svc_t:file manage_file_perms; allow $1 svc_svc_t:lnk_file { read create }; ') + +##################################### +## +## Send a SIGCHLD signal to svc_run domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`daemontools_sigchld_run',` + gen_require(` + type svc_run_t; + ') + + allow $1 svc_run_t:process sigchld; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.te serefpolicy-3.6.32/policy/modules/system/daemontools.te --- nsaserefpolicy/policy/modules/system/daemontools.te 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/system/daemontools.te 2010-02-11 14:40:01.632617547 +0100 @@ -39,7 +39,10 @@ # multilog creates /service/*/log/status manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t) +term_write_console(svc_multilog_t) + init_use_fds(svc_multilog_t) +init_dontaudit_use_script_fds(svc_multilog_t) # writes to /var/log/*/* logging_manage_generic_logs(svc_multilog_t) @@ -53,7 +56,7 @@ # ie. softlimit, setuidgid, envuidgid, envdir, fghack .. # -allow svc_run_t self:capability { setgid setuid chown fsetid }; +allow svc_run_t self:capability { setgid setuid chown fsetid sys_resource}; allow svc_run_t self:process setrlimit; allow svc_run_t self:fifo_file rw_fifo_file_perms; allow svc_run_t self:unix_stream_socket create_stream_socket_perms; @@ -65,6 +68,10 @@ kernel_read_system_state(svc_run_t) +dev_read_urand(svc_run_t) + +term_write_console(svc_run_t) + corecmd_exec_bin(svc_run_t) corecmd_exec_shell(svc_run_t) 
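Review bot: The capability set is written `{ setgid setuid chown fsetid sys_resource};`, missing the space before the closing brace that every other set in this file has; it should read `allow svc_run_t self:capability { setgid setuid chown fsetid sys_resource };`. The context comment above names `softlimit`, which is presumably what needs sys_resource alongside the existing `setrlimit`; a trailing `# softlimit adjusts rlimits` would make that connection explicit for the next reader.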
@@ -89,21 +96,36 @@ # ie svc, svscan, supervise ... # -allow svc_start_t svc_run_t:process signal; +allow svc_start_t svc_run_t:process { signal setrlimit }; allow svc_start_t self:fifo_file rw_fifo_file_perms; allow svc_start_t self:capability kill; +allow svc_start_t self:tcp_socket create_stream_socket_perms; allow svc_start_t self:unix_stream_socket create_socket_perms; can_exec(svc_start_t, svc_start_exec_t) +mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t) + +kernel_read_kernel_sysctls(svc_start_t) +kernel_read_system_state(svc_start_t) + corecmd_exec_bin(svc_start_t) corecmd_exec_shell(svc_start_t) +corenet_tcp_bind_generic_node(svc_start_t) +corenet_tcp_bind_generic_port(svc_start_t) + +term_write_console(svc_start_t) + files_read_etc_files(svc_start_t) files_read_etc_runtime_files(svc_start_t) files_search_var(svc_start_t) files_search_pids(svc_start_t) +logging_send_syslog_msg(svc_start_t) + +miscfiles_read_localization(svc_start_t) + daemontools_domtrans_run(svc_start_t) daemontools_manage_svc(svc_start_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.32/policy/modules/system/fstools.fc --- nsaserefpolicy/policy/modules/system/fstools.fc 2010-01-18 18:24:22.930540014 +0100 +++ serefpolicy-3.6.32/policy/modules/system/fstools.fc 2010-02-23 18:55:42.216525227 +0100 @@ -18,6 +18,7 @@ /sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) 
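Review bot: `corenet_tcp_bind_generic_node(svc_start_t)` and `corenet_tcp_bind_generic_port(svc_start_t)` let the supervisor domain listen on any unlabelled port, a wide grant for what the context comment describes as `svc, svscan, supervise`. If a specific supervised listener is what actually binds (a tcpserver-style run script, say; confirm from the AVC), it should run in its own domain or the bind should sit behind a tunable, and in either case a comment should name the consumer. `allow svc_start_t svc_run_t:process { signal setrlimit };` likewise deserves a note on which tool sets limits on its child.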
@@ -38,6 +39,7 @@ /usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0) /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.6.32/policy/modules/system/hostname.te --- nsaserefpolicy/policy/modules/system/hostname.te 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/system/hostname.te 2010-01-29 10:03:19.733864870 +0100 @@ -27,15 +27,18 @@ dev_read_sysfs(hostname_t) +domain_dontaudit_leaks(hostname_t) domain_use_interactive_fds(hostname_t) files_read_etc_files(hostname_t) +files_dontaudit_leaks(hostname_t) files_dontaudit_search_var(hostname_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(hostname_t) fs_getattr_xattr_fs(hostname_t) fs_search_auto_mountpoints(hostname_t) +fs_dontaudit_leaks(hostname_t) fs_dontaudit_use_tmpfs_chr_dev(hostname_t) term_dontaudit_use_console(hostname_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.6.32/policy/modules/system/hotplug.te --- nsaserefpolicy/policy/modules/system/hotplug.te 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/system/hotplug.te 2010-01-18 18:27:02.780542727 +0100 
@@ -125,6 +125,10 @@ ') optional_policy(` + brctl_domtrans(hotplug_t) +') + +optional_policy(` consoletype_exec(hotplug_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.32/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2010-01-18 18:24:22.933540325 +0100 +++ serefpolicy-3.6.32/policy/modules/system/init.if 2010-03-03 10:40:17.345612249 +0100 @@ -165,6 +165,7 @@ type init_t; role system_r; attribute daemon; + attribute initrc_transition_domain; ') typeattribute $1 daemon; @@ -180,6 +181,8 @@ # Handle upstart direct transition to a executable domtrans_pattern(init_t,$2,$1) allow init_t $1:process siginh; + allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; + allow $1 initrc_transition_domain:fd use; # daemons started from init will # inherit fds from init for the console @@ -273,6 +276,7 @@ gen_require(` type initrc_t; role system_r; + attribute initrc_transition_domain; ') application_domain($1,$2) @@ -281,6 +285,8 @@ domtrans_pattern(initrc_t,$2,$1) allow initrc_t $1:process siginh; + allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; + allow $1 initrc_transition_domain:fd use; ifdef(`hide_broken_symptoms',` # RHEL4 systems seem to have a stray @@ -309,7 +315,7 @@ ') optional_policy(` - xserver_rw_xdm_home_files($1) + xserver_dontaudit_append_xdm_home_files($1) ') optional_policy(` @@ -554,7 +560,7 @@ ') dev_list_all_dev_nodes($1) - allow $1 initctl_t:fifo_file write; + allow $1 initctl_t:fifo_file write_file_perms; ') ######################################## @@ -775,8 +781,10 @@ interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; + attribute initrc_transition_domain; ') + typeattribute $1 initrc_transition_domain; domtrans_pattern($1, $2, initrc_t) files_search_etc($1) ') 
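Review bot: `typeattribute $1 initrc_transition_domain;` in init_labeled_script_domtrans, combined with the `allow $1 initrc_transition_domain:fd use;` and `rw_inherited_fifo_file_perms` rules added to the two daemon/system-domain interfaces earlier in this file, means every daemon and system domain can now use descriptors and fifos inherited from any domain that ever calls init_labeled_script_domtrans, not only from init_t and initrc_t. That set is open-ended and grows silently whenever another module adopts the interface, so the interface documentation (above this hunk, not shown) should state the side effect, and a comment here such as `# callers become fd sources for every domain started through initrc` would warn policy authors. Consider whether dontaudit forms would do, since an inherited fd is usually something to hide rather than to allow.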
@@ -1686,3 +1694,26 @@ allow $1 initrc_t:sem rw_sem_perms; ') +####################################### +## +## Dontaudit read and write an leaked init scrip file descriptors +## +## +## +## The type of the process performing this action. +## +## +# +interface(`init_dontaudit_script_leaks',` + gen_require(` + type initrc_t; + ') + + dontaudit $1 initrc_t:tcp_socket { read write }; + dontaudit $1 initrc_t:udp_socket { read write }; + dontaudit $1 initrc_t:unix_dgram_socket { read write }; + dontaudit $1 initrc_t:unix_stream_socket { read write }; + dontaudit $1 initrc_t:shm rw_shm_perms; + init_dontaudit_use_script_ptys($1) + init_dontaudit_use_script_fds($1) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.32/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2010-01-18 18:24:22.936530091 +0100 +++ serefpolicy-3.6.32/policy/modules/system/init.te 2010-02-26 09:34:17.456548521 +0100 @@ -40,6 +40,7 @@ attribute init_script_domain_type; attribute init_script_file_type; attribute init_run_all_scripts_domain; +attribute initrc_transition_domain; # Mark process types as daemons attribute daemon; @@ -47,7 +48,7 @@ # # init_t is the domain of the init process. # -type init_t; +type init_t, initrc_transition_domain; type init_exec_t; domain_type(init_t) domain_entry_file(init_t, init_exec_t) @@ -118,6 +119,7 @@ allow init_t initrc_t:unix_stream_socket { connectto rw_stream_socket_perms }; allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms }; +allow initrc_t init_t:fifo_file rw_fifo_file_perms; # For /var/run/shutdown.pid. allow init_t init_var_run_t:file manage_file_perms; @@ -138,6 +140,7 @@ dev_read_sysfs(init_t) +domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) 
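Review bot: The summary of the new interface reads `Dontaudit read and write an leaked init scrip file descriptors`; it should be `Do not audit reads and writes of leaked init script file descriptors`. The interface also silences `shm rw_shm_perms` and, through `init_dontaudit_use_script_ptys($1)` and `init_dontaudit_use_script_fds($1)`, ptys and generic fds, none of which a reader of the name or summary would expect, so the summary should list them or the body should be trimmed to descriptors.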
@@ -191,6 +194,7 @@ ') ifdef(`distro_redhat',` + fs_read_tmpfs_symlinks(init_t) fs_rw_tmpfs_chr_files(init_t) fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) ') @@ -204,6 +208,11 @@ ') optional_policy(` + # webmin seems to cause this. + apache_search_sys_content(daemon) +') + +optional_policy(` auth_rw_login_records(init_t) ') @@ -212,6 +221,11 @@ ') optional_policy(` + dbus_connect_system_bus(init_t) + dbus_system_bus_client(init_t) +') + +optional_policy(` # /var/run/dovecot/login/ssl-parameters.dat is a hard link to # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up # the directory. But we do not want to allow this. @@ -224,6 +238,10 @@ ') optional_policy(` + sssd_stream_connect(init_t) +') + +optional_policy(` unconfined_domain(init_t) ') @@ -312,6 +330,7 @@ dev_read_rand(initrc_t) dev_read_urand(initrc_t) +dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) dev_rw_sysfs(initrc_t) @@ -531,6 +550,7 @@ # Needs to cp localtime to /var dirs files_write_var_dirs(initrc_t) + fs_read_tmpfs_symlinks(initrc_t) fs_rw_tmpfs_chr_files(initrc_t) storage_manage_fixed_disk(initrc_t) @@ -584,6 +604,7 @@ domain_dontaudit_use_interactive_fds(daemon) userdom_dontaudit_list_admin_dir(daemon) +userdom_dontaudit_search_user_tmp(daemon) tunable_policy(`allow_daemons_use_tty',` term_use_unallocated_ttys(daemon) @@ -872,6 +893,7 @@ optional_policy(` unconfined_domain(initrc_t) + domain_role_change_exemption(initrc_t) ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited 
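Review bot: `apache_search_sys_content(daemon)` gives every daemon search access on httpd system content because, per the comment, `webmin seems to cause this`; one misbehaving application is not a reason to widen the whole `daemon` attribute. Scope it to webmin's own domain, or if the access is noise, use a dontaudit form of the interface (if one exists) so the denial goes away without granting anything. The comment should also replace "seems to" with what webmin actually does that triggers the lookup.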
@@ -885,6 +907,9 @@ # Allow SELinux aware applications to request rpm_script_t execution rpm_transition_script(initrc_t) + optional_policy(` + rtkit_daemon_system_domain(initrc_t) + ') optional_policy(` gen_require(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.32/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2010-01-18 18:24:22.939530053 +0100 +++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2010-02-10 13:41:21.003609488 +0100 @@ -182,9 +182,9 @@ # ipsec_mgmt Local policy # -allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap }; +allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice }; dontaudit ipsec_mgmt_t self:capability sys_tty_config; -allow ipsec_mgmt_t self:process { signal setrlimit ptrace }; +allow ipsec_mgmt_t self:process { getsched signal setrlimit ptrace }; allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; @@ -206,6 +206,10 @@ allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file) +manage_dirs_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t) +manage_files_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t) +files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file }) + # _realsetup needs to be able to cat /var/run/pluto.pid, # run ps on that pid, and delete the file read_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t) 
@@ -215,6 +219,8 @@ allow ipsec_mgmt_t self:unix_dgram_socket { create connect write }; allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write }; +dontaudit ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; + allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms; manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
@@ -241,6 +247,7 @@ files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) +files_read_usr_files(ipsec_mgmt_t) # the default updown script wants to run route # the ipsec wrapper wants to run /usr/bin/logger (should we put
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.6.32/policy/modules/system/iptables.if
--- nsaserefpolicy/policy/modules/system/iptables.if 2010-01-18 18:24:22.941530168 +0100
+++ serefpolicy-3.6.32/policy/modules/system/iptables.if 2010-02-15 18:56:51.198318435 +0100
@@ -17,6 +17,10 @@ corecmd_search_bin($1) domtrans_pattern($1, iptables_exec_t, iptables_t) + + ifdef(`hide_broken_symptoms', ` + dontaudit iptables_t $1:socket_class_set { read write }; + ') ') #####################################
@@ -67,6 +71,12 @@ optional_policy(` modutils_run_insmod(iptables_t, $2) ') + + ifdef(`hide_broken_symptoms', ` + dontaudit iptables_t $1:unix_stream_socket rw_socket_perms; + dontaudit iptables_t $1:tcp_socket rw_socket_perms; + dontaudit iptables_t $1:udp_socket rw_socket_perms; + ') ') ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.32/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2010-01-18 18:24:22.941530168 +0100
+++ serefpolicy-3.6.32/policy/modules/system/iptables.te 2010-02-10 13:59:49.976859557 +0100
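Review bot: The `hide_broken_symptoms` block added after `domtrans_pattern($1, iptables_exec_t, iptables_t)` suppresses read/write denials on every class in `socket_class_set` for descriptors the caller leaks into iptables_t, and that set is widened later in this same diff to include `socket` and `tun_socket`; the identical block is added to mount.if and sysnetwork.if further down. A dontaudit removes the only audit-log evidence that a descriptor crossed the transition, so the reason should be recorded next to it, e.g. `# callers leak open sockets across the transition; denials are masked, not fixed`. The second hunk (`iptables_run`) does the same with per-class rules; if both are meant to be equivalent, one should reuse the other's form. Both enclosing interfaces start outside the hunk.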
@@ -52,6 +52,7 @@ kernel_use_fds(iptables_t) corenet_relabelto_all_packets(iptables_t) +corenet_dontaudit_rw_tun_tap_dev(iptables_t) dev_read_sysfs(iptables_t)
@@ -71,6 +72,7 @@ auth_use_nsswitch(iptables_t) +init_dontaudit_script_leaks(iptables_t) init_use_fds(iptables_t) init_use_script_ptys(iptables_t) # to allow rules to be saved on reboot:
@@ -87,6 +89,10 @@ userdom_use_user_terminals(iptables_t) userdom_use_all_users_fds(iptables_t) +ifdef(`hide_broken_symptoms',` + dev_dontaudit_write_mtrr(iptables_t) +') + optional_policy(` fail2ban_append_log(iptables_t) fail2ban_dontaudit_leaks(iptables_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.6.32/policy/modules/system/iscsi.fc
--- nsaserefpolicy/policy/modules/system/iscsi.fc 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/system/iscsi.fc 2010-02-02 15:17:13.812067843 +0100
@@ -1,5 +1,8 @@ + +/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) /sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) /var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0) +/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0) /var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0) /var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.32/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te 2010-01-18 18:24:22.943530492 +0100
+++ serefpolicy-3.6.32/policy/modules/system/iscsi.te 2010-02-02 15:08:50.761068281 +0100
@@ -14,6 +14,9 @@ type iscsi_lock_t; files_lock_file(iscsi_lock_t) +type iscsi_log_t; +logging_log_file(iscsi_log_t) + type iscsi_tmp_t; files_tmp_file(iscsi_tmp_t)
@@ -35,10 +38,13 @@ allow iscsid_t self:unix_dgram_socket create_socket_perms; allow iscsid_t self:sem create_sem_perms; allow iscsid_t self:shm create_shm_perms; +allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms; allow iscsid_t self:netlink_socket create_socket_perms; allow iscsid_t self:netlink_route_socket rw_netlink_socket_perms; allow iscsid_t self:tcp_socket create_stream_socket_perms; +can_exec(iscsid_t, iscsid_exec_t) + manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t) files_lock_filetrans(iscsid_t, iscsi_lock_t, file)
@@ -51,6 +57,9 @@ read_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t) files_search_var_lib(iscsid_t) +manage_files_pattern(iscsid_t, iscsi_log_t, iscsi_log_t) +logging_log_filetrans(iscsid_t, iscsi_log_t, file) + manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t) files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
@@ -67,6 +76,7 @@ corenet_tcp_connect_isns_port(iscsid_t) dev_rw_sysfs(iscsid_t) +dev_rw_userio_dev(iscsid_t) domain_use_interactive_fds(iscsid_t) domain_read_all_domains_state(iscsid_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-01-18 18:24:22.945540594 +0100
+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-03-01 15:02:25.227490412 +0100
@@ -245,8 +245,12 @@ # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame /usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/local/lib(64)?/codecs/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -396,10 +400,8 @@ /usr/lib(64)?/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -432,9 +434,22 @@ /usr/lib(64)?/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/autodesk/maya2010-x64/lib/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /opt/AutoScan/usr/lib/libvte\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/lampp/lib/libsybdb\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/Unify/SQLBase/libgptsblmsui11.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/real/RealPlayer/codecs(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/real/RealPlayer/plugins/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/bin/bsnes -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libGLcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/transcode/filter_yuvdenoise\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/vdpau/libvdpau_nvidia\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/local/lexmark/lxk08/lib(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/local/MATHWORKS_R2009B/bin/glnxa(64)?/libtbb\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.32/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2010-01-18 18:24:22.948530849 +0100
+++ serefpolicy-3.6.32/policy/modules/system/locallogin.te 2010-02-26 09:34:21.814810364 +0100
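Review bot: Two of the new textrel_shlib_t entries label far more than shared objects: `/opt/real/RealPlayer/codecs(/.*)? --` and `/usr/local/lexmark/lxk08/lib(/.*)? --` match every regular file under those trees, while every neighbouring entry is restricted to a `\.so` pattern. Since textrel_shlib_t is the type that receives the execmod exception, it should be applied only to the libraries that actually need it, e.g. `/opt/real/RealPlayer/codecs/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. The `/opt/Unify/SQLBase/libgptsblmsui11.so.*` entry also leaves the dot before `so` unescaped, unlike the rest of the file.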
@@ -34,8 +34,7 @@ # allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config }; -allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow local_login_t self:process { setrlimit setexec }; +allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap }; allow local_login_t self:fd use; allow local_login_t self:fifo_file rw_fifo_file_perms; allow local_login_t self:sock_file read_sock_file_perms;
@@ -75,6 +74,7 @@ dev_getattr_sound_dev(local_login_t) dev_setattr_sound_dev(local_login_t) dev_rw_generic_usb_dev(local_login_t) +dev_read_video_dev(local_login_t) dev_dontaudit_getattr_apm_bios_dev(local_login_t) dev_dontaudit_setattr_apm_bios_dev(local_login_t) dev_dontaudit_read_framebuffer(local_login_t)
@@ -113,11 +113,11 @@ storage_dontaudit_getattr_removable_dev(local_login_t) storage_dontaudit_setattr_removable_dev(local_login_t) -term_use_all_user_ttys(local_login_t) +term_use_all_ttys(local_login_t) term_use_unallocated_ttys(local_login_t) term_relabel_unallocated_ttys(local_login_t) -term_relabel_all_user_ttys(local_login_t) -term_setattr_all_user_ttys(local_login_t) +term_relabel_all_ttys(local_login_t) +term_setattr_all_ttys(local_login_t) term_setattr_unallocated_ttys(local_login_t) auth_rw_login_records(local_login_t)
@@ -207,7 +207,7 @@ allow sulogin_t self:capability dac_override; allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow sulogin_t self:fd use; -allow sulogin_t self:fifo_file rw_file_perms; +allow sulogin_t self:fifo_file rw_fifo_file_perms; allow sulogin_t self:unix_dgram_socket create_socket_perms; allow sulogin_t self:unix_stream_socket create_stream_socket_perms; allow sulogin_t self:unix_dgram_socket sendto;
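Review bot: The third hunk swaps `term_use_all_user_ttys`, `term_relabel_all_user_ttys` and `term_setattr_all_user_ttys` for the `*_all_ttys` variants, which presumably extends local_login_t's use/relabel/setattr from user tty types to every tty type, yet nothing in the hunk says which non-user tty login now needs. A comment above the three calls naming that case (e.g. `# login must relabel <tty type> on <distro/setup>`) would keep the widening reviewable. The first hunk, by contrast, is a pure simplification: the old `~{ ... setexec ... setrlimit ... }` plus `{ setrlimit setexec }` already allowed exactly what the new single rule allows.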
@@ -241,6 +241,9 @@ userdom_search_user_home_dirs(sulogin_t) userdom_use_user_ptys(sulogin_t) +term_use_console(sulogin_t) +term_use_unallocated_ttys(sulogin_t) + ifdef(`enable_mls',` sysadm_shell_domtrans(sulogin_t) ',`
@@ -252,10 +255,6 @@ # suse and debian do not use pam with sulogin... ifdef(`distro_suse', `define(`sulogin_no_pam')') ifdef(`distro_debian', `define(`sulogin_no_pam')') -ifdef(`distro_redhat',` - define(`sulogin_no_pam') - selinux_compute_user_contexts(sulogin_t) -') ifdef(`sulogin_no_pam', ` allow sulogin_t self:capability sys_tty_config;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.32/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2010-01-18 18:24:22.949542779 +0100
+++ serefpolicy-3.6.32/policy/modules/system/logging.fc 2010-02-16 17:27:23.944598052 +0100
@@ -24,6 +24,8 @@ /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) +/usr/local/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) + /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) /var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
@@ -63,9 +65,14 @@ /var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) +/var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0) /var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0) /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +/opt/zimbra/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) +
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.32/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2010-01-18 18:24:22.950540043 +0100
+++ serefpolicy-3.6.32/policy/modules/system/logging.if 2010-02-09 12:55:48.458629829 +0100
@@ -641,6 +641,24 @@ append_files_pattern($1, logfile, logfile) ') +###################################### +## +## Append to all log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_inherit_append_all_logs',` + gen_require(` + attribute logfile; + ') + + allow $1 logfile:file { getattr append }; +') + ######################################## ## ## Read all log files.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.32/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2010-01-18 18:24:22.951535142 +0100
+++ serefpolicy-3.6.32/policy/modules/system/logging.te 2010-02-26 09:34:26.434798847 +0100
@@ -101,6 +101,7 @@ kernel_read_kernel_sysctls(auditctl_t) kernel_read_proc_symlinks(auditctl_t) +kernel_setsched(auditctl_t) domain_read_all_domains_state(auditctl_t) domain_use_interactive_fds(auditctl_t)
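Review bot: The summary of the new `logging_inherit_append_all_logs` interface reads "Append to all log files", the same wording as the `append_files_pattern` interface that precedes it, yet the body is `allow $1 logfile:file { getattr append };` with `open` deliberately left out, so it only works on descriptors a parent already opened. State that in the description, e.g. `## Append to inherited (already open) log files; does not allow open`, so a policy author does not pick this interface expecting the domain to open log files itself.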
@@ -236,6 +237,7 @@ files_read_etc_files(audisp_t) files_read_etc_runtime_files(audisp_t) +mls_file_read_all_levels(audisp_t) mls_file_write_all_levels(audisp_t) mls_dbus_send_all_levels(audisp_t)
@@ -489,6 +491,10 @@ ') optional_policy(` + mysql_stream_connect(syslogd_t) +') + +optional_policy(` postgresql_stream_connect(syslogd_t) ')
@@ -497,6 +503,10 @@ ') optional_policy(` + daemontools_search_svc_dir(syslogd_t) +') + +optional_policy(` udev_read_db(syslogd_t) ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.6.32/policy/modules/system/lvm.fc
--- nsaserefpolicy/policy/modules/system/lvm.fc 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/system/lvm.fc 2010-02-26 09:34:31.069828424 +0100
@@ -28,6 +28,7 @@ # /lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) /lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) +/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0) # # /sbin
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.32/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2010-01-18 18:24:22.953540006 +0100
+++ serefpolicy-3.6.32/policy/modules/system/lvm.te 2010-02-26 09:34:34.736814526 +0100
@@ -143,6 +143,7 @@ optional_policy(` aisexec_stream_connect(clvmd_t) + corosync_stream_connect(clvmd_t) ') optional_policy(`
@@ -175,6 +176,7 @@ allow lvm_t self:process { sigchld sigkill sigstop signull signal }; # LVM will complain a lot if it cannot set its priority. allow lvm_t self:process setsched; +allow lvm_t self:sem create_sem_perms; allow lvm_t self:file rw_file_perms; allow lvm_t self:fifo_file manage_fifo_file_perms; allow lvm_t self:unix_dgram_socket create_socket_perms;
@@ -317,6 +319,7 @@ optional_policy(` aisexec_stream_connect(lvm_t) + corosync_stream_connect(lvm_t) ') optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.6.32/policy/modules/system/miscfiles.fc
--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2010-01-18 18:24:22.954530704 +0100
+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.fc 2010-03-01 09:54:58.045489944 +0100
@@ -71,10 +71,15 @@ /var/lib/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) +/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) + /var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0) /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) /var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0) +/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) + +/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) /var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) ifdef(`distro_debian',`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.32/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-01-18 18:24:22.955540050 +0100
+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2010-01-22 16:24:01.851857861 +0100
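Review bot: Labeling `/var/lib/cobbler/webui_sessions(/.*)?` as public_content_rw_t places web session state in a generic type that any domain granted public-content access can read and write, rather than a cobbler-specific type; if that is intended, a comment above the entry should say why (`# cobbler web UI sessions are shared with httpd via public_content_rw_t`, or whatever the actual reason is). Both cobbler entries also write `public_content_rw_t, s0` with a space after the comma, unlike every other `gen_context(...,s0)` in the file; m4 tolerates it, but the file's convention is `,s0`.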
@@ -618,3 +618,40 @@ manage_lnk_files_pattern($1, locale_t, locale_t) ') +####################################### +## +## Set the attributes on a fonts cache directory. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`miscfiles_setattr_fonts_cache_dirs',` + gen_require(` + type fonts_cache_t; + ') + + allow $1 fonts_cache_t:dir setattr; +') + +####################################### +## +## Dontaudit attempts to set the attributes on a fonts cache directory. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`miscfiles_dontaudit_setattr_fonts_cache_dirs',` + gen_require(` + type fonts_cache_t; + ') + + allow $1 fonts_cache_t:dir setattr; +')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.32/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2010-01-18 18:24:22.959530712 +0100
+++ serefpolicy-3.6.32/policy/modules/system/modutils.te 2010-03-01 09:21:42.982491122 +0100
@@ -131,6 +131,7 @@ kernel_read_debugfs(insmod_t) # Rules for /proc/sys/kernel/tainted kernel_read_kernel_sysctls(insmod_t) +kernel_request_load_module(insmod_t) kernel_rw_kernel_sysctl(insmod_t) kernel_read_hotplug_sysctls(insmod_t) kernel_setsched(insmod_t)
@@ -165,6 +166,7 @@ fs_getattr_xattr_fs(insmod_t) fs_dontaudit_use_tmpfs_chr_dev(insmod_t) +fs_search_rpc(insmod_t) fs_mount_rpc_pipefs(insmod_t) init_rw_initctl(insmod_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.32/policy/modules/system/mount.if
--- nsaserefpolicy/policy/modules/system/mount.if 2010-01-18 18:24:22.960539988 +0100
+++ serefpolicy-3.6.32/policy/modules/system/mount.if 2010-02-17 16:23:56.866863904 +0100
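Review bot: `miscfiles_dontaudit_setattr_fonts_cache_dirs` grants the access it is documented to merely stop auditing: its body is `allow $1 fonts_cache_t:dir setattr;`, byte-identical to `miscfiles_setattr_fonts_cache_dirs` directly above it. Any domain that calls the dontaudit variant to quiet a harmless denial silently gains setattr on fonts cache directories instead. The body should be `dontaudit $1 fonts_cache_t:dir setattr;`.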
@@ -17,6 +17,10 @@ domtrans_pattern($1, mount_exec_t, mount_t) mount_domtrans_fusermount($1) + + ifdef(`hide_broken_symptoms', ` + dontaudit mount_t $1:socket_class_set { read write }; + ') ') ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.32/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2010-01-18 18:24:22.961540534 +0100
+++ serefpolicy-3.6.32/policy/modules/system/mount.te 2010-02-11 21:24:42.750703041 +0100
@@ -155,6 +155,8 @@ seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) +userdom_read_user_home_content_symlinks(mount_t) +userdom_read_user_home_content_files(mount_t) userdom_manage_user_home_content_dirs(mount_t) ifdef(`distro_redhat',`
@@ -181,6 +183,7 @@ auth_read_all_dirs_except_shadow(mount_t) auth_read_all_files_except_shadow(mount_t) files_mounton_non_security(mount_t) + files_rw_all_inherited_files(mount_t) ')
@@ -260,6 +263,18 @@ samba_read_config(mount_t) ') +optional_policy(` + ssh_exec(mount_t) +') + +optional_policy(` + usbmuxd_stream_connect(mount_t) +') + +optional_policy(` + vmware_exec_host(mount_t) +') + ######################################## # # Unconfined mount local policy
@@ -268,6 +283,7 @@ optional_policy(` files_etc_filetrans_etc_runtime(unconfined_mount_t, file) unconfined_domain_noaudit(unconfined_mount_t) + userdom_unpriv_usertype(unconfined, unconfined_mount_t) rpc_domtrans_rpcd(unconfined_mount_t) devicekit_dbus_chat_disk(unconfined_mount_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.32/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2010-01-18 18:24:22.965530078 +0100
+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.if 2010-03-01 16:18:46.909490203 +0100
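Review bot: In mount.te, `files_rw_all_inherited_files(mount_t)` is added inside a conditional whose opening line is outside the hunk, beside the read-everything-except-shadow rules, with no comment saying which mount operation needs read/write on inherited descriptors of every file type. The same goes for the unconditional `userdom_read_user_home_content_files(mount_t)` in the first hunk, which lets mount read any user's home content rather than only the directories it already managed. Each deserves a one-line why-comment, e.g. `# mount is handed open fds by <caller>; needs rw on them for <reason>`, so the next reviewer can tell intent from accident.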
@@ -1142,6 +1142,27 @@ role $2 types setsebool_t; ') +####################################### +## +## Full management of the semanage +## module store. +## +## +## +## Domain allowed access. +## +## +# +interface(`seutil_read_module_store',` + gen_require(` + type selinux_config_t, semanage_store_t; + ') + + files_search_etc($1) + list_dirs_pattern($1, selinux_config_t, semanage_store_t) + read_files_pattern($1, semanage_store_t, semanage_store_t) +') + ######################################## ## ## Full management of the semanage
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.32/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-01-18 18:24:22.967540599 +0100
+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.te 2010-01-18 18:27:02.789530951 +0100
@@ -190,6 +190,7 @@ init_use_script_fds(load_policy_t) init_use_script_ptys(load_policy_t) +init_write_script_pipes(load_policy_t) miscfiles_read_localization(load_policy_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.6.32/policy/modules/system/sysnetwork.fc
--- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2010-01-18 18:24:22.968540028 +0100
+++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.fc 2010-03-01 16:01:07.867490672 +0100
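Review bot: The description block of the new `seutil_read_module_store` says "Full management of the semanage module store", copied from the interface that follows it, but the body only grants `list_dirs_pattern` and `read_files_pattern`. Change the summary to `## Read the semanage module store.` so a policy author choosing between the two does not grant (or believe they granted) more than read access.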
@@ -11,6 +11,7 @@ /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) +/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0) /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.32/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2010-01-18 18:24:22.969542320 +0100
+++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.if 2010-02-16 16:50:00.011598570 +0100
@@ -430,6 +430,10 @@ corecmd_search_bin($1) domtrans_pattern($1, ifconfig_exec_t, ifconfig_t) + + ifdef(`hide_broken_symptoms', ` + dontaudit ifconfig_t $1:socket_class_set { read write }; + ') ') ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.32/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-01-18 18:24:22.971530073 +0100
+++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.te 2010-02-21 19:46:42.369309573 +0100
@@ -87,6 +87,7 @@ kernel_read_system_state(dhcpc_t) kernel_read_network_state(dhcpc_t) +kernel_search_network_sysctl(dhcpc_t) kernel_read_kernel_sysctls(dhcpc_t) kernel_request_load_module(dhcpc_t) kernel_use_fds(dhcpc_t)
@@ -157,7 +158,7 @@ ') optional_policy(` - consoletype_exec(dhcpc_t) + consoletype_domtrans(dhcpc_t) ') optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.32/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2010-01-18 18:24:22.973540245 +0100
+++ serefpolicy-3.6.32/policy/modules/system/udev.te 2010-02-09 09:59:57.514626722 +0100
@@ -100,6 +100,7 @@ # udev_node.c/node_symlink() symlink labels are explicitly # preserved, instead of short circuiting the relabel dev_relabel_generic_symlinks(udev_t) +dev_manage_generic_symlinks(udev_t) domain_read_all_domains_state(udev_t) domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
@@ -273,6 +274,10 @@ ') optional_policy(` + usbmuxd_domtrans(udev_t) +') + +optional_policy(` vbetool_domtrans(udev_t) ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.32/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2010-01-18 18:24:22.975530582 +0100
+++ serefpolicy-3.6.32/policy/modules/system/unconfined.if 2010-01-18 18:27:02.790542463 +0100
@@ -21,6 +21,8 @@ allow $1 self:capability all_capabilities; allow $1 self:fifo_file manage_fifo_file_perms; + allow $1 self:socket_class_set create_socket_perms; + # Transition to myself, to make get_ordered_context_list happy. allow $1 self:process transition;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.32/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2010-01-18 18:24:22.977540055 +0100
+++ serefpolicy-3.6.32/policy/modules/system/userdomain.fc 2010-01-18 18:27:02.791532114 +0100
@@ -6,4 +6,5 @@ /dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0) /dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0) HOME_DIR/\.gvfs(/.*)? <>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-01-18 18:24:22.983531669 +0100
+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2010-03-03 10:40:17.349611966 +0100
@@ -461,7 +461,7 @@ xserver_create_xdm_tmp_sockets($1) # Needed for escd, remove if we get escd policy xserver_manage_xdm_tmp_files($1) - xserver_xdm_dbus_chat($1) + xserver_dbus_chat_xdm($1) ') ')
@@ -951,9 +951,6 @@ userdom_restricted_user_template($1) userdom_xwindows_client($1_usertype) - optional_policy(` - xserver_common_app($1_t) - ') ############################## #
@@ -964,7 +961,6 @@ auth_search_pam_console_data($1_usertype) xserver_role($1_r, $1_t) - xserver_communicate($1_usertype, $1_usertype) kernel_dontaudit_list_all_proc($1_usertype)
@@ -2316,6 +2312,24 @@ dontaudit $1 user_tmp_t:dir list_dir_perms; ') +####################################### +## +## Dontaudit search user temporary directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_dontaudit_search_user_tmp',` + gen_require(` + type user_tmp_t; + ') + + dontaudit $1 user_tmp_t:dir search_dir_perms; +') + ######################################## ## ## Do not audit attempts to manage users
@@ -3631,6 +3645,24 @@ ######################################## ## +## Allow domain to list /root +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_list_admin_dir',` + gen_require(` + type admin_home_t; + ') + + allow $1 admin_home_t:dir list_dir_perms; +') + +######################################## +## ## Allow Search /root ## ##
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.6.32/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2010-01-18 18:24:22.986540012 +0100
+++ serefpolicy-3.6.32/policy/modules/system/xen.if 2010-02-22 12:42:55.475866743 +0100
@@ -211,8 +211,10 @@ interface(`xen_domtrans_xm',` gen_require(` type xm_t, xm_exec_t; + attribute xm_transition_domain; ') + typeattribute $1 xm_transition_domain; domtrans_pattern($1, xm_exec_t, xm_t) ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.32/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2010-01-18 18:24:22.987540070 +0100
+++ serefpolicy-3.6.32/policy/modules/system/xen.te 2010-03-01 16:28:30.815490952 +0100
@@ -13,6 +13,8 @@ ## gen_tunable(xen_use_nfs, false) +attribute xm_transition_domain; + # console ptys type xen_devpts_t; term_pty(xen_devpts_t)
@@ -248,6 +250,7 @@ # allow xenconsoled_t self:capability { dac_override fsetid ipc_lock }; +allow xenconsoled_t self:process setrlimit; allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms; allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
@@ -268,6 +271,7 @@ domain_dontaudit_ptrace_all_domains(xenconsoled_t) +files_read_etc_files(xenconsoled_t) files_read_usr_files(xenconsoled_t) fs_list_tmpfs(xenconsoled_t)
@@ -286,6 +290,10 @@ xen_manage_log(xenconsoled_t) xen_stream_connect_xenstore(xenconsoled_t) +optional_policy(` + ptchown_domtrans(xenconsoled_t) +') + ######################################## # # Xen store local policy
@@ -329,6 +337,7 @@ files_read_usr_files(xenstored_t) +fs_manage_xenfs_files(xenstored_t) fs_search_xenfs(xenstored_t) storage_raw_read_fixed_disk(xenstored_t)
@@ -413,12 +422,21 @@ xen_stream_connect_xenstore(xm_t) optional_policy(` + dbus_system_bus_client(xm_t) + optional_policy(` + hal_dbus_chat(xm_t) + ') +') + +optional_policy(` vhostmd_rw_tmpfs_files(xm_t) vhostmd_stream_connect(xm_t) vhostmd_dontaudit_rw_stream_connect(xm_t) ') optional_policy(` + virt_domtrans(xm_t) + virt_manage_config(xm_t) virt_manage_images(xm_t) virt_stream_connect(xm_t) ')
@@ -431,11 +449,15 @@ kernel_read_xen_state(xm_ssh_t) kernel_write_xen_state(xm_ssh_t) +files_search_tmp(xm_ssh_t) + fs_manage_xenfs_dirs(xm_ssh_t) fs_manage_xenfs_files(xm_ssh_t) userdom_search_admin_dir(xm_ssh_t) +dontaudit xm_ssh_t xm_transition_domain:fifo_file rw_fifo_file_perms; + #Should have a boolean wrapping these fs_list_auto_mountpoints(xend_t) files_search_mnt(xend_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.32/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2010-01-18 18:24:22.988541733 +0100
+++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt 2010-02-25 12:03:02.296616618 +0100
@@ -28,8 +28,7 @@ # # All socket classes. # -define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }') - +define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }') # # Datagram socket classes.
@@ -227,7 +226,7 @@ define(`create_lnk_file_perms',`{ create getattr }') define(`rename_lnk_file_perms',`{ getattr rename }') define(`delete_lnk_file_perms',`{ getattr unlink }') -define(`manage_lnk_file_perms',`{ create read getattr setattr link unlink rename }') +define(`manage_lnk_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }') define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }') define(`relabelto_lnk_file_perms',`{ getattr relabelto }') define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
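Review bot: `manage_lnk_file_perms` gains `write append ioctl lock`, which retroactively widens every `manage_lnk_files_pattern` caller in the tree, and the hunk gives no reason; symlinks are normally only created, read, renamed and unlinked, so the extra permissions look like a copy of the regular-file set rather than a need. Likewise adding `socket` and `tun_socket` to `socket_class_set` silently broadens every rule already written against that set, including the new `allow $1 self:socket_class_set create_socket_perms` in unconfined.if and the `hide_broken_symptoms` dontaudits earlier in this diff. A one-line comment above each changed define naming the denial that motivated it (`# <class>:<perm> denials from <domain>, see <ticket placeholder>`) would make the widening reviewable later.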
@@ -291,7 +290,8 @@ define(`read_chr_file_perms',`{ getattr open read lock ioctl }') define(`append_chr_file_perms',`{ getattr open append lock ioctl }') define(`write_chr_file_perms',`{ getattr open write append lock ioctl }') -define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }') +define(`rw_inherited_chr_file_perms',`{ getattr read write append ioctl lock }') +define(`rw_chr_file_perms',`{ open rw_inherited_chr_file_perms }') define(`create_chr_file_perms',`{ getattr create }') define(`rename_chr_file_perms',`{ getattr rename }') define(`delete_chr_file_perms',`{ getattr unlink }')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.32/policy/users
--- nsaserefpolicy/policy/users 2010-01-18 18:24:22.989541023 +0100
+++ serefpolicy-3.6.32/policy/users 2010-01-18 18:27:02.799531176 +0100
@@ -15,7 +15,7 @@ # and a user process should never be assigned the system user # identity. # -gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) # # user_u is a generic user identity for Linux users who have no
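Review bot: The policy/users hunk adds `unconfined_r` to `system_u` while the comment directly above still says a user process should never be assigned the system user identity; after this change a system_u process may run in unconfined_r, so the comment no longer describes the declaration. Update it to record why the extra role is needed, e.g. `# unconfined_r is listed for system_u so that <service placeholder> started by init can run unconfined`, or the rationale for the wider role set is lost. The rw_chr_file_perms hunk is fine as written; `{ open rw_inherited_chr_file_perms }` relies on nested permission sets, which the rest of the file already uses.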