##
-## Run gconfd in the role-specfic gconfd domain.
+## Run gconfd in the role-specific gconfd domain.
##
##
## This is a templated interface, and should only
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-2.6.4/policy/modules/apps/gpg.fc
--- nsaserefpolicy/policy/modules/apps/gpg.fc 2007-05-07 14:51:02.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/apps/gpg.fc 2007-06-18 10:18:55.000000000 -0400
@@ -7,6 +7,4 @@
/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
-ifdef(`targeted_policy',`',`
HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:ROLE_gpg_secret_t,s0)
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-2.6.4/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2007-05-07 14:51:02.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/apps/java.if 2007-06-18 10:18:55.000000000 -0400
@@ -224,3 +224,35 @@
refpolicywarn(`$0($1) has no effect in strict policy.')
')
')
+
+########################################
+##
+## Execute a java in the specified domain
+##
+##
+##
+## Execute the java command in the specified domain. This allows
+## the specified domain to execute any file
+## on these filesystems in the specified
+## domain.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the new process.
+##
+##
+#
+interface(`java_spec_domtrans',`
+ gen_require(`
+ type java_exec_t;
+ ')
+
+ domain_trans($1,java_exec_t,$2)
+ type_transition $1 java_exec_t:process $2;
+')
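Review bot: The description of `java_spec_domtrans` does not match what the body grants: it says the domain may "execute any file on these filesystems", which reads like text copied from a filesystem interface, while the rules only transition on java_exec_t. I would replace that paragraph with `## Execute the java command (java_exec_t) with a domain transition of $1 into the process type given as $2.` The body also spells out `domain_trans` plus a hand-written `type_transition`, whereas the loadkeys hunks in this same patch use `domtrans_pattern($1, loadkeys_exec_t, loadkeys_t)`; `domtrans_pattern($1, java_exec_t, $2)` would be consistent and avoid the manual transition rule, assuming the pattern is in scope here as it is there.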
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.if serefpolicy-2.6.4/policy/modules/apps/loadkeys.if
--- nsaserefpolicy/policy/modules/apps/loadkeys.if 2007-05-07 14:51:02.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/apps/loadkeys.if 2007-06-18 10:18:55.000000000 -0400
@@ -11,16 +11,12 @@
##
#
interface(`loadkeys_domtrans',`
- ifdef(`strict_policy',`
- gen_require(`
- type loadkeys_t, loadkeys_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, loadkeys_exec_t, loadkeys_t)
- ',`
- refpolicywarn(`$0($*) has no effect in targeted policy.')
+ gen_require(`
+ type loadkeys_t, loadkeys_exec_t;
')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, loadkeys_exec_t, loadkeys_t)
')
########################################
@@ -45,18 +41,13 @@
##
#
interface(`loadkeys_run',`
- ifdef(`targeted_policy',`
- # $0(): disabled in targeted policy as there
- # is no loadkeys domain.
- ',`
- gen_require(`
- type loadkeys_t;
- ')
-
- loadkeys_domtrans($1)
- role $2 types loadkeys_t;
- allow loadkeys_t $3:chr_file rw_term_perms;
+ gen_require(`
+ type loadkeys_t;
')
+
+ loadkeys_domtrans($1)
+ role $2 types loadkeys_t;
+ allow loadkeys_t $3:chr_file rw_term_perms;
')
########################################
@@ -70,15 +61,8 @@
##
#
interface(`loadkeys_exec',`
- ifdef(`targeted_policy',`
- # $0(): the loadkeys program is an alias
- # of generic bin programs.
- corecmd_exec_bin($1)
- ',`
- gen_require(`
- type loadkeys_exec_t;
- ')
-
- can_exec($1,loadkeys_exec_t)
+ gen_require(`
+ type loadkeys_exec_t;
')
+ can_exec($1,loadkeys_exec_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-2.6.4/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-05-07 14:51:02.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/apps/mozilla.if 2007-06-18 10:18:55.000000000 -0400
@@ -150,6 +150,7 @@
corenet_dontaudit_tcp_bind_generic_port($1_mozilla_t)
dev_read_urand($1_mozilla_t)
+ dev_read_rand($1_mozilla_t)
dev_write_sound($1_mozilla_t)
dev_read_sound($1_mozilla_t)
dev_dontaudit_rw_dri($1_mozilla_t)
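Review bot: `dev_read_rand($1_mozilla_t)` is added beside the existing `dev_read_urand` with no comment naming the component that needs the blocking pool; a browser draining /dev/random can stall other consumers on the host, so the justification belongs in the policy. Suggest `# /dev/random (blocking pool) is opened by <component — confirm>; urandom alone is insufficient because <reason>` on the line above. The enclosing template continues outside the hunk.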
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-2.6.4/policy/modules/apps/slocate.te
--- nsaserefpolicy/policy/modules/apps/slocate.te 2007-05-07 14:51:02.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/apps/slocate.te 2007-06-18 10:18:55.000000000 -0400
@@ -29,8 +29,11 @@
manage_dirs_pattern(locate_t,locate_var_lib_t,locate_var_lib_t)
manage_files_pattern(locate_t,locate_var_lib_t,locate_var_lib_t)
+auth_use_nsswitch(locate_t)
+
kernel_read_system_state(locate_t)
kernel_dontaudit_search_sysctl(locate_t)
+kernel_dontaudit_search_key(locate_t)
corecmd_exec_bin(locate_t)
@@ -39,11 +42,13 @@
files_list_all(locate_t)
files_getattr_all_files(locate_t)
+files_getattr_all_sockets(locate_t)
files_read_etc_runtime_files(locate_t)
files_read_etc_files(locate_t)
fs_getattr_all_fs(locate_t)
-fs_getattr_all_dirs(locate_t)
+fs_getattr_all_files(locate_t)
+fs_list_all(locate_t)
libs_use_shared_libs(locate_t)
libs_use_ld_so(locate_t)
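Review bot: `fs_getattr_all_dirs(locate_t)` is replaced rather than supplemented by `fs_getattr_all_files(locate_t)`; unless the file interface also covers the dir class (I cannot tell from this hunk), getattr on directories of non-persistent filesystems that the old line permitted will now be denied during indexing, and `fs_list_all` may not include it. If the file interface does not subsume directories, keep both lines. In the first hunk `auth_use_nsswitch(locate_t)` widens locate's reach to NSS lookups, which can include network resolution depending on nsswitch configuration; a short comment naming the user/group lookup that motivated it would help later review.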
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.if serefpolicy-2.6.4/policy/modules/apps/uml.if
--- nsaserefpolicy/policy/modules/apps/uml.if 2007-05-07 14:51:02.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/apps/uml.if 2007-06-18 10:18:55.000000000 -0400
@@ -193,33 +193,6 @@
nis_use_ypbind($1_uml_t)
')
- ifdef(`TODO',`
- # for X
- optional_policy(`
- ifelse($1, sysadm,`
- ',`
- optional_policy(`
- allow $1_uml_t xdm_xserver_tmp_t:dir search;
- ')
- allow $1_uml_t $1_xserver_tmp_t:sock_file write;
- allow $1_uml_t $1_xserver_t:unix_stream_socket connectto;
- ')
- ')
-
- optional_policy(`
- # for uml_net
- domain_auto_trans($1_uml_t, uml_net_exec_t, uml_net_t)
- allow uml_net_t $1_uml_t:unix_stream_socket { read write };
- allow uml_net_t $1_uml_t:unix_dgram_socket { read write };
- dontaudit uml_net_t privfd:fd use;
- can_access_pty(uml_net_t, $1_uml)
- dontaudit uml_net_t $1_uml_rw_t:dir { getattr search };
- ')
- #TODO
- optional_policy(`
- allow $1_uml_t $1_xauth_home_t:file { getattr read };
- ')
- ')
')
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-2.6.4/policy/modules/apps/userhelper.if
--- nsaserefpolicy/policy/modules/apps/userhelper.if 2007-05-07 14:51:02.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/apps/userhelper.if 2007-06-19 09:05:14.000000000 -0400
@@ -131,6 +131,7 @@
term_use_all_user_ptys($1_userhelper_t)
auth_domtrans_chk_passwd($1_userhelper_t)
+ auth_domtrans_upd_passwd($1_userhelper_t)
auth_manage_pam_pid($1_userhelper_t)
auth_manage_var_auth($1_userhelper_t)
auth_search_pam_console_data($1_userhelper_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-05-07 14:51:04.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc 2007-06-18 10:18:55.000000000 -0400
@@ -36,6 +36,11 @@
/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/cron.daily/.* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/cron.hourly/.* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/cron.weekly/.* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/cron.monthly/.* -- gen_context(system_u:object_r:bin_t,s0)
+
/etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0)
/etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0)
/etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0)
@@ -248,6 +253,7 @@
/var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib64/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -256,3 +262,13 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
+/usr/lib/vmware-tools/sbin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/etc/apcupsd/apccontrol -- gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/changeme -- gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/commfailure -- gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/commok -- gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/masterconnect -- gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/mastertimeout -- gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-2.6.4/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2007-05-07 14:51:04.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.if 2007-06-18 10:18:55.000000000 -0400
@@ -988,3 +988,23 @@
mmap_files_pattern($1,bin_t,exec_type)
')
+
+########################################
+##
+## dontaudit checking for execute privs on all executables
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corecmd_dontaudit_exec_all_executables',`
+ gen_require(`
+ attribute exec_type;
+ ')
+
+ dontaudit $1 exec_type:file execute;
+')
+
+
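Review bot: The new `corecmd_dontaudit_exec_all_executables` ends the file with two extra blank lines (the last two `+` lines), and its summary `dontaudit checking for execute privs on all executables` does not follow the wording the other dontaudit interfaces in this patch use. Suggest `## Do not audit attempts to execute any file with the exec_type attribute.` and dropping the trailing blank lines. The rule silences `execute` denials on every executable for $1, which also hides genuine policy gaps during development; that is inherent to the interface but worth stating in its description.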
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.6.4/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-05-07 14:51:02.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/corenetwork.te.in 2007-06-18 10:18:55.000000000 -0400
@@ -48,6 +48,11 @@
type reserved_port_t, port_type, reserved_port_type;
#
+# hi_reserved_port_t is the type of INET port numbers between 600-1023.
+#
+type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
+
+#
# server_packet_t is the default type of IPv4 and IPv6 server packets.
#
type server_packet_t, packet_type, server_packet_type;
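Review bot: `hi_reserved_port_t` is declared with the `rpc_port_type` attribute, so every domain granted the rpc port interfaces can also bind or connect to any otherwise-undeclared port in 600-1023 once the portcon lines in the last hunk of this file apply. If that breadth is intended it deserves a sentence in the comment above the declaration, e.g. `# Carries rpc_port_type so RPC services may bind undeclared ports in this range.` If it is not intended, declaring it with only `port_type, reserved_port_type` keeps the old behaviour for the range.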
@@ -60,6 +65,7 @@
network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
network_port(amavisd_recv, tcp,10024,s0)
network_port(amavisd_send, tcp,10025,s0)
+network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
network_port(auth, tcp,113,s0)
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
@@ -85,7 +91,7 @@
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
network_port(howl, tcp,5335,s0, udp,5353,s0)
-network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
+network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
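Review bot: The new hplip entry contains `tcp, 8290,s0` with a space after the comma, unlike every other tuple in the macro call. m4 normally strips leading whitespace from arguments so it likely still expands correctly, but it reads as a typo and complicates grepping for the port. Suggest `tcp,8290,s0`.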
@@ -100,7 +106,7 @@
network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
network_port(ktalkd, udp,517,s0, udp,518,s0)
-network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
+network_port(ldap, tcp,3268,s0, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
network_port(lmtp, tcp,24,s0, udp,24,s0)
network_port(mail, tcp,2000,s0)
@@ -159,6 +165,9 @@
# Defaults for reserved ports. Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise declared.
+
+portcon tcp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+portcon udp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon tcp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
portcon udp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
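Review bot: The two `hi_reserved_port_t` portcon lines sit directly under the comment describing the generic 1-1023 defaults, and that comment no longer explains why 600-1023 is carved out first. Suggest a line above them: `# Ports 600-1023 not declared above get hi_reserved_port_t; the 1-1023 entries below catch the rest.` The ordering itself is correct, since the existing comment states that earlier portcon entries take precedence.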
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.6.4/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-05-07 14:51:04.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/devices.fc 2007-06-18 10:18:55.000000000 -0400
@@ -19,6 +19,7 @@
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
/dev/full -c gen_context(system_u:object_r:null_device_t,s0)
+/dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0)
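Review bot: `/dev/fw.*` is labelled `usb_device_t` although the node name suggests IEEE 1394 (firewire) character devices rather than USB; every domain that already has the usb device interfaces then silently gains access to them. If a dedicated type is not wanted, the choice should at least be recorded, e.g. `# /dev/fw* (firewire) deliberately share usb_device_t — confirm`. Please confirm what these nodes are on the target kernels before merging.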
@@ -81,6 +82,8 @@
/dev/bus/usb/.*/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
+/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
+
/dev/cpu/.* -c gen_context(system_u:object_r:cpu_device_t,s0)
/dev/cpu/mtrr -c gen_context(system_u:object_r:mtrr_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.6.4/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2007-05-07 14:51:02.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/devices.if 2007-06-18 10:18:55.000000000 -0400
@@ -2729,6 +2729,24 @@
########################################
##
+## Get the attributes of a directory in the usb filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_search_usbfs_dirs',`
+ gen_require(`
+ type usbfs_t;
+ ')
+
+ allow $1 usbfs_t:dir search_dir_perms;
+')
+
+########################################
+##
## Do not audit attempts to get the attributes
## of a directory in the usb filesystem.
##
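Review bot: The summary of `dev_search_usbfs_dirs` says `Get the attributes of a directory in the usb filesystem`, but the body grants `search_dir_perms`; the text appears copied from the neighbouring dontaudit-getattr interface. Suggest `## Search directories in the usb filesystem.` so the generated interface documentation matches the grant.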
@@ -3210,3 +3228,78 @@
typeattribute $1 devices_unconfined_type;
')
+
+########################################
+##
+## Getattr on smartcard devices
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_getattr_smartcard',`
+ gen_require(`
+ type smartcard_device_t;
+ ')
+
+ allow $1 smartcard_device_t:chr_file getattr;
+
+')
+
+########################################
+##
+## dontaudit getattr on smartcard devices
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_dontaudit_getattr_smartcard',`
+ gen_require(`
+ type smartcard_device_t;
+ ')
+
+ dontaudit $1 smartcard_device_t:chr_file getattr;
+
+')
+
+########################################
+##
+## Read and write smartcard devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_rw_smartcard',`
+ gen_require(`
+ type device_t, smartcard_device_t;
+ ')
+
+ rw_chr_files_pattern($1,device_t,smartcard_device_t)
+')
+
+########################################
+##
+## Create, read, write, and delete smartcard devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_manage_smartcard',`
+ gen_require(`
+ type device_t, smartcard_device_t;
+ ')
+
+ manage_chr_files_pattern($1,device_t,smartcard_device_t)
+')
+
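Review bot: `dev_getattr_smartcard` and `dev_dontaudit_getattr_smartcard` each carry a stray blank line before `')`, and the file gains an extra trailing blank line. Their bodies use bare rules on `smartcard_device_t:chr_file` while `dev_rw_smartcard` and `dev_manage_smartcard` go through the `_chr_files_pattern` helpers with device_t as the directory type; the bare rules grant no search on the device directory, so callers must obtain that elsewhere. If matching getattr/dontaudit_getattr chr_file patterns exist in this tree, using them would make the four interfaces uniform.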
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-2.6.4/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2007-05-07 14:51:04.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/devices.te 2007-06-18 10:18:55.000000000 -0400
@@ -139,6 +139,12 @@
#
# Type for sound devices and mixers
#
+type smartcard_device_t;
+dev_node(smartcard_device_t)
+
+#
+# Type for sound devices and mixers
+#
type sound_device_t;
dev_node(sound_device_t)
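Review bot: The comment block introduced above `type smartcard_device_t;` reads `Type for sound devices and mixers`, duplicated from the sound_device_t block that follows it. Suggest `# Type for smartcard devices` so the declaration is not mislabelled in a file where the comments are the only documentation of each type.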
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-2.6.4/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2007-05-07 14:51:04.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/domain.if 2007-06-22 14:12:55.000000000 -0400
@@ -64,6 +64,7 @@
')
optional_policy(`
+ selinux_dontaudit_getattr_fs($1)
selinux_dontaudit_read_fs($1)
')
@@ -1254,3 +1255,44 @@
typeattribute $1 can_change_object_identity;
typeattribute $1 set_curr_context;
')
+
+########################################
+##
+## Allow specified type to associate ipsec packets from any domain
+##
+##
+##
+## Type of subject to be allowed this.
+##
+##
+#
+interface(`domain_ipsec_labels',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow $1 domain:association { sendto recvfrom };
+')
+
+########################################
+##
+## Ability to mmap a low area of the address space,
+## as configured by /proc/sys/kernel/mmap_min_addr.
+## Preventing such mappings helps protect against
+## exploiting null deref bugs in the kernel.
+##
+##
+##
+## Domain allowed to mmap low memory.
+##
+##
+#
+interface(`domain_mmap_low',`
+ gen_require(`
+ attribute mmap_low_domain_type;
+ ')
+
+ allow $1 self:memprotect mmap_zero;
+
+ typeattribute $1 mmap_low_domain_type;
+')
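Review bot: `domain_ipsec_labels` grants `$1 domain:association { sendto recvfrom }`, i.e. use of the IPsec associations of every domain type, yet the summary only says "associate ipsec packets from any domain" and the parameter text `Type of subject to be allowed this.` departs from the `Domain allowed access.` wording used by the other interfaces in this patch. Suggest `## Send to and receive from IPsec associations labeled with any domain type.` as the summary and `## Domain allowed access.` for the parameter. Because this is effectively an all-domains grant, the description could also state that it is meant for the labeled-networking infrastructure rather than ordinary services.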
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.6.4/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2007-05-07 14:51:04.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/domain.te 2007-06-22 14:13:13.000000000 -0400
@@ -6,6 +6,29 @@
# Declarations
#
+ifdef(`enable_mls',`
+##
+##
+## Allow all domains to use netlabel labeled packets
+##
+##
+gen_tunable(allow_netlabel,true)
+
+##
+##
+## Allow all domains to use ipsec labeled packets
+##
+##
+gen_tunable(allow_ipsec_label,true)
+')
+
+##
+##
+## Allow unlabeled packets to work on system
+##
+##
+gen_tunable(allow_unlabeled_packets,true)
+
# Mark process types as domains
attribute domain;
@@ -15,6 +38,10 @@
# Domains that are unconfined
attribute unconfined_domain_type;
+# Domains that can mmap low memory.
+attribute mmap_low_domain_type;
+neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
+
# Domains that can set their current context
# (perform dynamic transitions)
attribute set_curr_context;
@@ -144,3 +171,26 @@
# act on all domains keys
allow unconfined_domain_type domain:key *;
+
+
+# xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains.
+optional_policy(`
+ xserver_dontaudit_use_xdm_fds(domain)
+ xserver_dontaudit_rw_xdm_pipes(domain)
+')
+
+tunable_policy(`allow_unlabeled_packets',`
+ kernel_sendrecv_unlabeled_association(domain)
+ corenet_sendrecv_unlabeled_packets(domain)
+')
+
+ifdef(`enable_mls',`
+ tunable_policy(`allow_netlabel',`
+ kernel_raw_recvfrom_unlabeled(domain)
+ kernel_tcp_recvfrom_unlabeled(domain)
+ kernel_udp_recvfrom_unlabeled(domain)
+ ')
+ tunable_policy(`allow_ipsec_label',`
+ ipsec_labeled(domain)
+ ')
+')
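Review bot: `ipsec_labeled(domain)` is called directly inside the `enable_mls` block, while the xserver calls a few lines above are wrapped in `optional_policy()`. If ipsec is an optional module in this tree (I cannot confirm from the hunk), the direct call makes the base domain module depend on it and the build fails when that module is absent; wrapping the call as `optional_policy(` / `ipsec_labeled(domain)` / `')` inside the tunable matches the surrounding style. The kernel_* and corenet_* calls are base-module interfaces and need no wrapper.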
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.6.4/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2007-05-07 14:51:02.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/files.fc 2007-06-18 10:18:55.000000000 -0400
@@ -45,7 +45,6 @@
/etc -d gen_context(system_u:object_r:etc_t,s0)
/etc/.* gen_context(system_u:object_r:etc_t,s0)
/etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/asound\.state -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/HOSTNAME -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -54,6 +53,7 @@
/etc/issue\.net -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.6.4/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-05-07 14:51:02.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/files.if 2007-06-18 10:18:55.000000000 -0400
@@ -343,8 +343,7 @@
########################################
##
-## Mount a filesystem on all non-security
-## directories and files.
+## Mount a filesystem on all non-security directories.
##
##
##
@@ -352,12 +351,29 @@
##
##
#
-interface(`files_mounton_non_security',`
+interface(`files_mounton_non_security_dir',`
gen_require(`
attribute file_type, security_file_type;
')
allow $1 { file_type -security_file_type }:dir mounton;
+')
+
+########################################
+##
+## Mount a filesystem on all non-security and files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_mounton_non_security_files',`
+ gen_require(`
+ attribute file_type, security_file_type;
+ ')
+
allow $1 { file_type -security_file_type }:file mounton;
')
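Review bot: The summary for `files_mounton_non_security_files` reads `Mount a filesystem on all non-security and files.`, which is garbled; suggest `## Mount a filesystem on all non-security files.` Splitting `files_mounton_non_security` into `_dir` and `_files` also removes the original name, so any caller outside this patch that still uses it will fail to build unless a deprecated wrapper calling both is kept — none is visible in this hunk.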
@@ -376,7 +392,7 @@
attribute file_type, security_file_type;
')
- allow $1 { file_type -security_file_type }:dir write;
+ allow $1 { file_type -security_file_type }:dir rw_dir_perms;
')
########################################
@@ -992,7 +1008,7 @@
attribute file_type;
')
- dontaudit $1 file_type:dir search;
+ dontaudit $1 file_type:dir search_dir_perms;
')
########################################
@@ -1320,7 +1336,7 @@
type boot_t;
')
- dontaudit $1 boot_t:dir search;
+ dontaudit $1 boot_t:dir search_dir_perms;
')
########################################
@@ -3310,6 +3326,24 @@
########################################
##
+## Add and remove entries from /usr directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_rw_usr_dirs',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ allow $1 usr_t:dir rw_dir_perms;
+')
+
+########################################
+##
## Get the attributes of files in /usr.
##
##
@@ -3386,6 +3420,24 @@
########################################
##
+## Relabel a file from the type used in /usr.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_relabelfrom_usr_files',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ relabelfrom_files_pattern($1,usr_t,usr_t)
+')
+
+########################################
+##
## Read symbolic links in /usr.
##
##
@@ -3432,6 +3484,24 @@
########################################
##
+## Create, read, write, and delete files in the /usr directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_manage_usr_files',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ manage_files_pattern($1, usr_t, usr_t)
+')
+
+########################################
+##
## Do not audit attempts to search /usr/src.
##
##
@@ -3637,7 +3707,7 @@
type var_t;
')
- dontaudit $1 var_t:dir search;
+ dontaudit $1 var_t:dir search_dir_perms;
')
########################################
@@ -3993,7 +4063,7 @@
type var_lock_t;
')
- dontaudit $1 var_lock_t:dir search;
+ dontaudit $1 var_lock_t:dir search_dir_perms;
')
########################################
@@ -4012,7 +4082,7 @@
type var_t, var_lock_t;
')
- rw_dirs_pattern($1,var_t,var_lock_t)
+ rw_files_pattern($1,var_t,var_lock_t)
')
########################################
@@ -4181,7 +4251,7 @@
type var_run_t;
')
- dontaudit $1 var_run_t:dir search;
+ dontaudit $1 var_run_t:dir search_dir_perms;
')
########################################
@@ -4529,6 +4599,8 @@
# Need to give access to /selinux/member
selinux_compute_member($1)
+ files_search_home($1)
+
# Need sys_admin capability for mounting
allow $1 self:capability { chown fsetid sys_admin };
@@ -4551,6 +4623,8 @@
# Default type for mountpoints
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
+ corecmd_exec_bin($1)
+
')
########################################
@@ -4588,3 +4662,28 @@
allow $1 { file_type -security_file_type }:dir manage_dir_perms;
')
+
+########################################
+##
+## Create a core files in /
+##
+##
+##
+## Create a core file in /,
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_dump_core',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:dir rw_dir_perms;
+ allow $1 root_t:file { create getattr write };
+')
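Review bot: `files_dump_core` grants `root_t:dir rw_dir_perms` plus `{ create getattr write }` on root_t files, which lets the domain create and write any file directly in /, not only core dumps; there is no file-name or type transition here to confine it. The summary `Create a core files in /` and the description ending in a comma also need tidying: suggest `## Create core files in /.` and a description line stating plainly that the grant is not limited to core files, so callers understand the breadth.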
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-2.6.4/policy/modules/kernel/files.te
--- nsaserefpolicy/policy/modules/kernel/files.te 2007-05-07 14:51:02.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/files.te 2007-06-18 10:18:55.000000000 -0400
@@ -54,6 +54,7 @@
files_type(etc_t)
# compatibility aliases for removed types:
typealias etc_t alias automount_etc_t;
+typealias etc_t alias snmpd_etc_t;
#
# etc_runtime_t is the type of various
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.6.4/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-05-07 14:51:04.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.if 2007-07-01 21:12:58.000000000 -0400
@@ -1096,6 +1096,24 @@
########################################
##
+## Search dosfs filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_search_dos',`
+ gen_require(`
+ type dosfs_t;
+ ')
+
+ allow $1 dosfs_t:dir search_dir_perms;
+')
+
+########################################
+##
## Read files on a DOS filesystem.
##
##
@@ -1291,6 +1309,26 @@
########################################
##
+## Read files on an iso9660 filesystem, which
+## is usually used on CDs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_getattr_iso9660_files',`
+ gen_require(`
+ type iso9660_t;
+ ')
+
+ allow $1 iso9660_t:dir list_dir_perms;
+ allow $1 iso9660_t:file getattr;
+')
+
+########################################
+##
## Mount a NFS filesystem.
##
##
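Review bot: `fs_getattr_iso9660_files` is summarised as `Read files on an iso9660 filesystem`, but the body grants only `list_dir_perms` on directories and `getattr` on files; the text appears copied from the read interface. Suggest `## Get the attributes of files on an iso9660 filesystem, which is usually used on CDs.`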
@@ -3420,3 +3458,22 @@
relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs)
relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs)
')
+
+
+########################################
+##
+## Mount an fuse filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_mount_fusefs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ allow $1 fusefs_t:filesystem mount;
+')
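Review bot: Two blank lines precede the `fs_mount_fusefs` banner where one is used elsewhere, and the summary `Mount an fuse filesystem.` should read `## Mount a fuse filesystem.` Both are cosmetic, but the .if headers are harvested for the generated interface reference, so the wording is user-visible.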
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.6.4/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-05-07 14:51:02.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.te 2007-06-18 10:18:55.000000000 -0400
@@ -54,17 +54,29 @@
type capifs_t;
fs_type(capifs_t)
+files_mountpoint(capifs_t)
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
type configfs_t;
fs_type(configfs_t)
genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
+type cpusetfs_t;
+fs_type(cpusetfs_t)
+allow cpusetfs_t self:filesystem associate;
+genfscon cpuset / gen_context(system_u:object_r:cpusetfs_t,s0)
+
type eventpollfs_t;
fs_type(eventpollfs_t)
# change to task SID 20060628
#genfscon eventpollfs / gen_context(system_u:object_r:eventpollfs_t,s0)
+type fusefs_t;
+fs_noxattr_type(fusefs_t)
+allow fusefs_t self:filesystem associate;
+genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
+genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
+
type futexfs_t;
fs_type(futexfs_t)
genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
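Review bot: `allow cpusetfs_t self:filesystem associate;` is added for cpusetfs_t, fusefs_t and (in the next hunk) mvfs_t, but the spufs_t and vxfs_t declarations in the last hunk of this file get no such rule, and neither do the existing configfs/futexfs types beside them. If `fs_type`/`fs_noxattr_type` already cover self association the three lines are redundant; if they do not, spufs and vxfs are missing it. Either way the five new types should be declared the same way.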
@@ -83,6 +95,11 @@
fs_type(inotifyfs_t)
genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
+type mvfs_t;
+fs_noxattr_type(mvfs_t)
+allow mvfs_t self:filesystem associate;
+genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+
type nfsd_fs_t;
fs_type(nfsd_fs_t)
genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
@@ -105,6 +122,16 @@
genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0)
files_mountpoint(rpc_pipefs_t)
+type spufs_t;
+fs_type(spufs_t)
+genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
+files_mountpoint(spufs_t)
+
+type vxfs_t;
+fs_noxattr_type(vxfs_t)
+files_mountpoint(vxfs_t)
+genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
+
#
# tmpfs_t is the type for tmpfs filesystems
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.6.4/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-05-07 14:51:04.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/kernel.if 2007-07-03 12:59:42.000000000 -0400
@@ -333,6 +333,24 @@
########################################
##
+## dontaudit search the kernel key ring.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_dontaudit_search_key',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ dontaudit $1 kernel_t:key search;
+')
+
+########################################
+##
## Allow link to the kernel key ring.
##
##
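Review bot: The summary `dontaudit search the kernel key ring.` of `kernel_dontaudit_search_key` does not follow the house wording used by the other dontaudit interfaces in this file. Suggest `## Do not audit attempts to search the kernel key ring.`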
@@ -1848,6 +1866,26 @@
########################################
##
+## Read the process state (/proc/pid) of all unlabeled_t.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_read_unlabeled_state',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:dir list_dir_perms;
+ read_files_pattern($1,unlabeled_t,unlabeled_t)
+ read_lnk_files_pattern($1,unlabeled_t,unlabeled_t)
+')
+
+########################################
+##
## Do not audit attempts to list unlabeled directories.
##
##
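Review bot: `kernel_read_unlabeled_state` is documented as reading `/proc/pid` of unlabeled processes, but `unlabeled_t` is also the type of everything on a filesystem the kernel cannot label, so `read_files_pattern` and `read_lnk_files_pattern` grant read of all such files, not just proc entries. The name and summary understate the grant; either document it honestly, e.g. `## Read unlabeled directories, files and symlinks (this includes /proc entries of unlabeled processes).`, or rename the interface accordingly. Callers should know they are handing out access to unlabeled media as well.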
@@ -2158,9 +2196,6 @@
')
allow $1 unlabeled_t:association { sendto recvfrom };
-
- # temporary hack until labeling on packets is supported
- allow $1 unlabeled_t:packet { send recv };
')
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.6.4/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2007-05-07 14:51:04.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/kernel.te 2007-06-18 10:18:55.000000000 -0400
@@ -146,6 +146,8 @@
type unlabeled_t;
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+corenet_non_ipsec_sendrecv(unlabeled_t)
+
# These initial sids are no longer used, and can be removed:
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid file_labels gen_context(system_u:object_r:unlabeled_t,s0)
@@ -279,6 +281,7 @@
optional_policy(`
logging_send_syslog_msg(kernel_t)
+ logging_unconfined(kernel_t)
')
optional_policy(`
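Review bot: `logging_unconfined(kernel_t)` makes the initial kernel domain unconfined with respect to all logging types, on top of the existing `logging_send_syslog_msg`, with no comment on which denial motivated it. That is a sizable widening for kernel_t and later readers will not know whether a narrower interface would do. Suggest `# logging_unconfined: required for <operation — confirm>` beside the call.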
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.if serefpolicy-2.6.4/policy/modules/kernel/mls.if
--- nsaserefpolicy/policy/modules/kernel/mls.if 2007-05-07 14:51:04.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/mls.if 2007-06-18 10:18:55.000000000 -0400
@@ -154,6 +154,26 @@
########################################
##
## Make specified domain MLS trusted
+## for writing to sockets at any level
+## that is dominated by the process clearance.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mls_socket_write_to_clearance',`
+ gen_require(`
+ attribute mlsnetwritetoclr;
+ ')
+
+ typeattribute $1 mlsnetwritetoclr;
+')
+
+########################################
+##
+## Make specified domain MLS trusted
## for writing to sockets at any level.
##
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.6.4/policy/modules/kernel/mls.te
--- nsaserefpolicy/policy/modules/kernel/mls.te 2007-05-07 14:51:02.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/mls.te 2007-06-18 10:18:55.000000000 -0400
@@ -18,6 +18,7 @@
attribute mlsnetreadtoclr;
attribute mlsnetwrite;
attribute mlsnetwritetoclr;
+attribute mlsnetwriteranged;
attribute mlsnetupgrade;
attribute mlsnetdowngrade;
attribute mlsnetrecvall;
@@ -43,6 +44,8 @@
attribute mlsxwinwritecolormap;
attribute mlsxwinwritexinput;
+# Object attributes that allow MLS overrides for access by all subjects
+attribute mlsrangedobject;
attribute mlstrustedobject;
attribute privrangetrans;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-2.6.4/policy/modules/kernel/selinux.if
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2007-05-07 14:51:04.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/selinux.if 2007-06-20 07:41:33.000000000 -0400
@@ -51,6 +51,44 @@
########################################
##
+## Do not audit attempts to get the
+## attributes of the selinuxfs filesystem
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`selinux_dontaudit_getattr_fs',`
+ gen_require(`
+ type security_t;
+ ')
+
+ dontaudit $1 security_t:filesystem getattr;
+')
+
+########################################
+##
+## Allow domain to get the
+## attributes of the selinuxfs filesystem
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`selinux_getattr_fs',`
+ gen_require(`
+ type security_t;
+ ')
+
+ allow $1 security_t:filesystem getattr;
+')
+
+########################################
+##
## Search selinuxfs.
##
##
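Review bot: The parameter description of `selinux_getattr_fs` says `Domain to not audit.`, which was copied from the dontaudit interface directly above it; for an allow interface it should read `Domain allowed access.`. Otherwise the two interfaces form the usual allow/dontaudit pair and their summaries match what the rules grant.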
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-2.6.4/policy/modules/kernel/storage.if
--- nsaserefpolicy/policy/modules/kernel/storage.if 2007-05-07 14:51:04.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/storage.if 2007-06-18 10:18:55.000000000 -0400
@@ -100,6 +100,7 @@
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
+ allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;
typeattribute $1 fixed_disk_raw_read;
')
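Review bot: Adding `allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;` (and the write counterpart in the next hunk of this file) extends raw fixed-disk access to character device nodes carrying that type, so the summaries of both enclosing interfaces, which start outside these hunks, should be checked so they no longer describe block devices only. Raw device access of either kind bypasses filesystem permissions entirely, so the documentation should make clear that callers get disk-wide read or write rather than access to one file type.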
@@ -144,6 +145,7 @@
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file write_blk_file_perms;
+ allow $1 fixed_disk_device_t:chr_file write_chr_file_perms;
typeattribute $1 fixed_disk_raw_write;
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-2.6.4/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2007-05-07 14:51:04.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/terminal.if 2007-06-18 10:18:55.000000000 -0400
@@ -278,6 +278,25 @@
########################################
##
+## Relabel from and to the console_device_t
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`term_relabel_console',`
+ gen_require(`
+ type console_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 console_device_t:chr_file { relabelfrom relabelto };
+')
+
+########################################
+##
## Create the console device (/dev/console).
##
##
@@ -1052,7 +1071,7 @@
')
dev_list_all_dev_nodes($1)
- allow $1 ttynode:chr_file { getattr write };
+ allow $1 ttynode:chr_file { getattr write append };
')
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-2.6.4/policy/modules/kernel/terminal.te
--- nsaserefpolicy/policy/modules/kernel/terminal.te 2007-05-07 14:51:04.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/terminal.te 2007-06-18 10:18:55.000000000 -0400
@@ -28,6 +28,7 @@
type devpts_t;
files_mountpoint(devpts_t)
fs_associate_tmpfs(devpts_t)
+files_associate_tmp(devpts_t)
fs_type(devpts_t)
fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide.fc serefpolicy-2.6.4/policy/modules/services/aide.fc
--- nsaserefpolicy/policy/modules/services/aide.fc 2007-05-07 14:51:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/aide.fc 2007-06-18 10:18:55.000000000 -0400
@@ -2,5 +2,5 @@
/var/lib/aide(/.*) gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
-/var/log/aide(/.*)? gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
/var/log/aide.log -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
+/var/log/aide(/.*)? gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide.te serefpolicy-2.6.4/policy/modules/services/aide.te
--- nsaserefpolicy/policy/modules/services/aide.te 2007-05-07 14:51:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/aide.te 2007-06-18 10:18:55.000000000 -0400
@@ -26,7 +26,7 @@
allow aide_t self:capability { dac_override fowner };
-send_audit_msgs_pattern(aide_t)
+logging_send_audit_msg(aide_t)
# database actions
manage_files_pattern(aide_t,aide_db_t,aide_db_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-2.6.4/policy/modules/services/amavis.if
--- nsaserefpolicy/policy/modules/services/amavis.if 2007-05-07 14:51:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/amavis.if 2007-06-18 10:18:55.000000000 -0400
@@ -167,3 +167,22 @@
allow $1 amavis_var_run_t:file setattr;
files_search_pids($1)
')
+
+########################################
+##
+## Set the create of amavis var run files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`amavis_create_pid_files',`
+ gen_require(`
+ type amavis_var_run_t;
+ ')
+
+ allow $1 amavis_var_run_t:file create_file_perms;
+ files_search_pids($1)
+')
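Review bot: The summary `Set the create of amavis var run files.` is garbled; `Create amavis pid files.` matches the interface name `amavis_create_pid_files` and what the allow rule grants. The body mirrors the setattr interface above it, so the `files_search_pids($1)` call is consistent with the neighbouring style.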
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-2.6.4/policy/modules/services/amavis.te
--- nsaserefpolicy/policy/modules/services/amavis.te 2007-05-07 14:51:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/amavis.te 2007-06-18 10:18:55.000000000 -0400
@@ -170,6 +170,7 @@
optional_policy(`
pyzor_domtrans(amavis_t)
+ pyzor_signal(amavis_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-2.6.4/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2007-05-07 14:50:57.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/apache.fc 2007-06-18 10:18:55.000000000 -0400
@@ -1,10 +1,5 @@
# temporary hack till genhomedircon is fixed
-ifdef(`targeted_policy',`
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-',`
HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0)
-')
-
/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
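Review bot: The `# temporary hack till genhomedircon is fixed` comment now sits above a single unconditional `HOME_DIR/...` entry, with the targeted_policy branch it explained removed, so it no longer says what the hack is; either drop it or restate what still needs fixing. This also changes what targeted builds label user web directories as (previously `httpd_user_content_t`, now the `httpd_ROLE_content_t` form), which is presumably intended but is worth a line in the change description.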
@@ -21,7 +16,6 @@
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
@@ -78,3 +72,11 @@
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+#Bugzilla file context
+/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
+/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
+/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_script_rw_t,s0)
+#viewvc file context
+/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t, s0)
+
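Review bot: `/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)` labels every regular file under that tree as a script executable, so templates, images and other data that may live there become executable content as far as the policy is concerned; if such files exist, a narrower pattern for the CGI scripts, or a following more specific entry for the data files, would keep the executable label to what actually runs. The viewvc entry `gen_context(system_u:object_r:httpd_sys_script_rw_t, s0)` has a space after the comma unlike every other entry in the file, and the hunk adds two trailing blank lines at end of file.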
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-2.6.4/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2007-05-07 14:51:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/apache.if 2007-06-18 10:18:55.000000000 -0400
@@ -18,10 +18,6 @@
attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
')
- # allow write access to public file transfer
- # services files.
- gen_tunable(allow_httpd_$1_script_anon_write,false)
-
#This type is for webpages
type httpd_$1_content_t, httpdcontent; # customizable
files_type(httpd_$1_content_t)
@@ -120,10 +116,6 @@
can_exec(httpd_$1_script_t, httpdcontent)
')
- tunable_policy(`allow_httpd_$1_script_anon_write',`
- miscfiles_manage_public_files(httpd_$1_script_t)
- ')
-
# Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
manage_dirs_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
@@ -268,8 +260,11 @@
')
apache_content_template($1)
+ manage_dirs_pattern($1_t,httpd_$1_content_t,httpd_$1_content_t)
+ manage_files_pattern($1_t,httpd_$1_content_t,httpd_$1_content_t)
+ manage_lnk_files_pattern($1_t,httpd_$1_content_t,httpd_$1_content_t)
- typeattribute httpd_$1_script_t httpd_script_domains;
+ typeattribute httpd_$1_content_t httpd_script_domains;
userdom_user_home_content($1,httpd_$1_content_t)
role $3 types httpd_$1_script_t;
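Review bot: `typeattribute httpd_$1_content_t httpd_script_domains;` replaces the line that put `httpd_$1_script_t` in that attribute, so the script domain drops out of `httpd_script_domains` and a file type (the `httpd_$1_content_t` declared with `files_type` in the earlier hunk of this file) takes its place. Unless `httpd_script_domains` has been repurposed elsewhere in this patch, this looks like a mistake: every rule written against `httpd_script_domains` as a process attribute would now apply to content files and no longer to the script domain. The likely intent is to keep `typeattribute httpd_$1_script_t httpd_script_domains;`, since the content type already carries `httpdcontent`. The enclosing template starts and ends outside the hunk.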
@@ -434,6 +429,24 @@
########################################
##
+## getattr apache.process
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_getattr',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow $1 httpd_t:process getattr;
+')
+
+########################################
+##
## Inherit and use file descriptors from Apache.
##
##
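Review bot: The summary `getattr apache.process` reads like a raw permission string; `Get the attributes of the Apache process.` would match the style of the neighbouring summaries such as `Inherit and use file descriptors from Apache.`.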
@@ -752,6 +765,7 @@
')
allow $1 httpd_modules_t:dir list_dir_perms;
+ read_lnk_files_pattern($1,httpd_modules_t,httpd_modules_t)
')
########################################
@@ -923,7 +937,7 @@
type httpd_squirrelmail_t;
')
- allow $1 httpd_squirrelmail_t:file { getattr read };
+ read_files_pattern($1,httpd_squirrelmail_t,httpd_squirrelmail_t)
')
########################################
@@ -1000,3 +1014,140 @@
allow $1 httpd_sys_script_t:dir search_dir_perms;
')
+
+########################################
+##
+## Allow the specified domain to manage
+## apache modules.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_manage_modules',`
+ gen_require(`
+ type httpd_modules_t;
+ ')
+
+ manage_dirs_pattern($1,httpd_modules_t,httpd_modules_t)
+ manage_files_pattern($1,httpd_modules_t,httpd_modules_t)
+ manage_lnk_files_pattern($1,httpd_modules_t,httpd_modules_t)
+')
+
+########################################
+##
+## Allow the specified domain to create
+## apache lock file
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_manage_lock',`
+ gen_require(`
+ type httpd_lock_t;
+ ')
+ allow $1 httpd_lock_t:file manage_file_perms;
+ files_lock_filetrans($1, httpd_lock_t, file)
+')
+
+########################################
+##
+## Allow the specified domain to manage
+## apache pid file
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_manage_pid',`
+ gen_require(`
+ type httpd_var_run_t;
+ ')
+ manage_files_pattern($1,httpd_var_run_t,httpd_var_run_t)
+ files_pid_filetrans($1,httpd_var_run_t, file)
+')
+
+########################################
+##
+##f Read apache system state
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`apache_read_state',`
+ gen_require(`
+ type httpd_t;
+ ')
+ kernel_search_proc($1)
+ allow $1 httpd_t:dir list_dir_perms;
+ read_files_pattern($1,httpd_t,httpd_t)
+ read_lnk_files_pattern($1,httpd_t,httpd_t)
+ dontaudit $1 httpd_t:process ptrace;
+')
+
+########################################
+##
+##f allow domain to signal apache
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`apache_signal',`
+ gen_require(`
+ type httpd_t;
+ ')
+ allow $1 httpd_t:process signal;
+')
+
+########################################
+##
+## allow domain to relabel apache content
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`apache_relabel',`
+ gen_require(`
+ attribute httpdcontent;
+ attribute httpd_script_exec_type;
+ ')
+
+ allow $1 { httpd_script_exec_type httpdcontent}:dir { relabelto relabelfrom };
+ allow $1 { httpd_script_exec_type httpdcontent}:file { relabelto relabelfrom };
+')
+
+########################################
+##
+## Allow the specified domain to search
+## apache bugzilla directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_search_bugzilla_dirs',`
+ gen_require(`
+ type httpd_bugzilla_content_t;
+ ')
+
+ allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
+')
+
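Review bot: The summary lines `##f Read apache system state` and `##f allow domain to signal apache` carry a stray `f` after the `##` marker; the `##` lines are the documentation comments the policy's doc extractor reads, so these should be `## Read apache system state` and `## Allow domain to signal apache`. Several allow interfaces (`apache_read_state`, `apache_signal`, `apache_relabel`) describe their parameter as `Domain to not audit.`, copied from a dontaudit template, and should say `Domain allowed access.`. `apache_manage_lock` is documented as creating the lock file but grants `manage_file_perms`, so its summary should say manage, in line with `apache_manage_pid` below it. `apache_relabel` also lets the caller relabel files to `httpd_script_exec_type`, that is, turn content into script executables, so its summary should mention that it covers script executables and not only content. The `{ httpd_script_exec_type httpdcontent}` sets are missing the space before `}`.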
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.6.4/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-05-07 14:51:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-06-19 09:08:16.000000000 -0400
@@ -47,6 +47,13 @@
## Allow http daemon to tcp connect
##
##
+gen_tunable(httpd_can_sendmail,false)
+
+##