diff --git a/modules-mls.conf b/modules-mls.conf index 02bd8f3..e155c9b 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -161,7 +161,7 @@ netutils = base # # Virtual Private Networking client # -vpn = base +vpn = module # Layer: admin # Module: su @@ -189,7 +189,7 @@ anaconda = base # # Automated backup program. # -amanda = base +amanda = module # Layer: admin # Module: logrotate @@ -232,14 +232,14 @@ firstboot = base # # Digital Certificate Tracking # -certwatch = base +certwatch = module # Layer: admin # Module: tmpreaper # # Manage temporary directory sizes and file ages # -tmpreaper = base +tmpreaper = module # Layer: admin # Module: dmidecode @@ -253,7 +253,7 @@ dmidecode = base # # Policy for GNU Privacy Guard and related programs. # -gpg = base +gpg = module # Layer: apps # Module: loadkeys @@ -267,7 +267,7 @@ loadkeys = base # # Web server log analysis # -webalizer = base +webalizer = module # Layer: kernel # Module: bootloader @@ -288,7 +288,7 @@ storage = base # # Policy for NIS (YP) servers and clients # -nis = base +nis = module # Layer: services # Module: distcc @@ -302,7 +302,7 @@ distcc = off # # Remote shell service. # -rshd = base +rshd = module # Layer: services # Module: cpucontrol @@ -323,35 +323,35 @@ vbetool = base # # Berkeley internet name domain DNS server. # -bind = base +bind = module # Layer: services # Module: canna # # Canna - kana-kanji conversion server # -canna = base +canna = module # Layer: services # Module: uucp # # Unix to Unix Copy # -uucp = base +uucp = module # Layer: services # Module: sasl # # SASL authentication server # -sasl = base +sasl = module # Layer: services # Module: pegasus # # The Open Group Pegasus CIM/WBEM Server. # -pegasus = base +pegasus = module # Layer: services # Module: cron @@ -374,7 +374,7 @@ sendmail = base # name Service Switch daemon for resolving names # from Windows NT servers. # -samba = base +samba = module # Layer: services # Module: dbus 
@@ -388,21 +388,21 @@ dbus = base
 #
 # Port of Apple Rendezvous multicast DNS
 #
-howl = base
+howl = module
 
 # Layer: services
 # Module: postgresql
 #
 # PostgreSQL relational database
 #
-postgresql = base
+postgresql = module
 
 # Layer: services
 # Module: snmp
 #
 # Simple network management protocol services
 #
-snmp = base
+snmp = module
 
 # Layer: services
 # Module: remotelogin
@@ -430,56 +430,56 @@ irqbalance = base
 #
 # Mailman is for managing electronic mail discussion and e-newsletter lists
 #
-mailman = base
+mailman = module
 
 # Layer: services
 # Module: dbskk
 #
 # Dictionary server for the SKK Japanese input method system.
 #
-dbskk = base
+dbskk = module
 
 # Layer: services
 # Module: ldap
 #
 # OpenLDAP directory server
 #
-ldap = base
+ldap = module
 
 # Layer: services
 # Module: tftp
 #
 # Trivial file transfer protocol daemon
 #
-tftp = base
+tftp = module
 
 # Layer: services
 # Module: portmap
 #
 # RPC port mapping service.
 #
-portmap = base
+portmap = module
 
 # Layer: services
 # Module: arpwatch
 #
 # Ethernet activity monitor.
 #
-arpwatch = base
+arpwatch = module
 
 # Layer: services
 # Module: dovecot
 #
 # Dovecot POP and IMAP mail server
 #
-dovecot = base
+dovecot = module
 
 # Layer: services
 # Module: cups
 #
 # Common UNIX printing system
 #
-cups = base
+cups = module
 
 # Layer: services
 # Module: networkmanager
@@ -493,35 +493,35 @@ networkmanager = base
 #
 # Internet News NNTP server
 #
-inn = base
+inn = module
 
 # Layer: services
 # Module: sysstat
 #
 # Policy for sysstat. Reports on various system states
 #
-sysstat = base
+sysstat = module
 
 # Layer: services
 # Module: comsat
 #
 # Comsat, a biff server.
 #
-comsat = base
+comsat = module
 
 # Layer: services
 # Module: squid
 #
 # Squid caching http proxy server
 #
-squid = base
+squid = module
 
 # Layer: services
 # Module: zebra
 #
 # Zebra border gateway protocol network routing service
 #
-zebra = base
+zebra = module
 
 # Layer: services
 # Module: xfs
@@ -535,35 +535,35 @@ xfs = off
 #
 # KDE Talk daemon
 #
-ktalk = base
+ktalk = module
 
 # Layer: services
 # Module: procmail
 #
 # Procmail mail delivery agent
 #
-procmail = base
+procmail = module
 
 # Layer: services
 # Module: lpd
 #
 # Line printer daemon
 #
-lpd = base
+lpd = module
 
 # Layer: services
 # Module: cyrus
 #
 # Cyrus is an IMAP service intended to be run on sealed servers
 #
-cyrus = base
+cyrus = module
 
 # Layer: services
 # Module: rdisc
 #
 # Network router discovery daemon
 #
-rdisc = base
+rdisc = module
 
 # Layer: services
 # Module: xserver
@@ -584,21 +584,21 @@ nscd = base
 #
 # Point to Point Protocol daemon creates links in ppp networks
 #
-ppp = base
+ppp = module
 
 # Layer: services
 # Module: ftp
 #
 # File transfer protocol service
 #
-ftp = base
+ftp = module
 
 # Layer: services
 # Module: gpm
 #
 # General Purpose Mouse driver
 #
-gpm = base
+gpm = module
 
 # Layer: services
 # Module: mta
@@ -612,28 +612,28 @@ mta = base
 #
 # Postfix email server
 #
-postfix = base
+postfix = module
 
 # Layer: services
 # Module: fetchmail
 #
 # Remote-mail retrieval and forwarding utility
 #
-fetchmail = base
+fetchmail = module
 
 # Layer: services
 # Module: ntp
 #
 # Network time protocol daemon
 #
-ntp = base
+ntp = module
 
 # Layer: services
 # Module: bluetooth
 #
 # Bluetooth tools and system services.
 #
-bluetooth = base
+bluetooth = module
 
 # Layer: services
 # Module: hal
@@ -647,7 +647,7 @@ hal = base
 #
 # mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
 #
-avahi = base
+avahi = module
 
 # Layer: services
 # Module: rpc
@@ -661,35 +661,35 @@ rpc = base
 #
 # Apache web server
 #
-apache = base
+apache = module
 
 # Layer: services
 # Module: rsync
 #
 # Fast incremental file transfer for synchronization
 #
-rsync = base
+rsync = module
 
 # Layer: services
 # Module: automount
 #
 # Filesystem automounter service.
 #
-automount = base
+automount = module
 
 # Layer: services
 # Module: kerberos
 #
 # MIT Kerberos admin and KDC
 #
-kerberos = base
+kerberos = module
 
 # Layer: services
 # Module: dhcp
 #
 # Dynamic host configuration protocol (DHCP) server
 #
-dhcp = base
+dhcp = module
 
 # Layer: services
 # Module: ssh
@@ -710,42 +710,42 @@ inetd = base
 #
 # Policy for MySQL
 #
-mysql = base
+mysql = module
 
 # Layer: services
 # Module: dictd
 #
 # Dictionary daemon
 #
-dictd = base
+dictd = module
 
 # Layer: services
 # Module: finger
 #
 # Finger user information service.
 #
-finger = base
+finger = module
 
 # Layer: services
 # Module: radius
 #
 # RADIUS authentication and accounting server.
 #
-radius = base
+radius = module
 
 # Layer: services
 # Module: spamassassin
 #
 # Filter used for removing unsolicited email.
 #
-spamassassin = base
+spamassassin = module
 
 # Layer: services
 # Module: radvd
 #
 # IPv6 router advertisement daemon
 #
-radvd = base
+radvd = module
 
 # Layer: services
 # Module: apm
@@ -767,35 +767,35 @@ application = base
 #
 # Policy for TCP daemon.
 #
-tcpd = base
+tcpd = module
 
 # Layer: services
 # Module: stunnel
 #
 # SSL Tunneling Proxy
 #
-stunnel = base
+stunnel = module
 
 # Layer: services
 # Module: privoxy
 #
 # Privacy enhancing web proxy.
 #
-privoxy = base
+privoxy = module
 
 # Layer: services
 # Module: cvs
 #
 # Concurrent versions system
 #
-cvs = base
+cvs = module
 
 # Layer: services
 # Module: rlogin
 #
 # Remote login daemon
 #
-rlogin = base
+rlogin = module
 
 # Layer: system
 # Module: application
@@ -965,7 +965,7 @@ miscfiles = base
 #
 # TCP/IP encryption
 #
-ipsec = base
+ipsec = module
 
 # Layer: apps
 # Module: java
@@ -986,7 +986,7 @@ prelink = base
 #
 # locate executable
 #
-slocate = base
+slocate = module
 
 # Layer: services
 # Module: logwatch
@@ -1008,14 +1008,14 @@ setrans = base
 #
 # Policy for OPENVPN full-featured SSL VPN solution
 #
-openvpn = base
+openvpn = module
 
 # Layer: services
 # Module: smartmon
 #
 # Smart disk monitoring daemon policy
 #
-smartmon = base
+smartmon = module
 
 # Layer: system
 # Module: netlabel
@@ -1023,14 +1023,14 @@ smartmon = base
 #
 # Basic netlabel types and interfaces.
 #
-netlabel = base
+netlabel = module
 
 # Layer: services
 # Module: aide
 #
 # Policy for aide
 #
-aide = base
+aide = module
 
 # Layer: service
 # Module: pcscd
@@ -1131,16 +1131,31 @@ courier = module
 rpcbind = module
 
+# Layer: apps
+# Module: wm
+#
+# X windows window manager
+#
+wm = module
+
 # Layer: services
-# Module: xserver
+# Module: virt
 #
-# X windows login display manager
+# Virtualization libraries
 #
-xserver = module
+virt = module
 
 # Layer: apps
-# Module: wm
+# Module: qemu
 #
-# X windows window manager
+# Virtualization emulator
 #
-wm = module
+qemu = module
+
+# Layer: system
+# Module: brctl
+#
+# Utilities for configuring the linux ethernet bridge
+#
+brctl = base
+
 
diff --git a/modules-targeted.conf b/modules-targeted.conf
index ecbc05a..533af17 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -108,7 +108,7 @@ authlogin = base
 #
 # Filesystem automounter service.
 #
-automount = base
+automount = module
 
 # Layer: services
 # Module: avahi
@@ -331,7 +331,7 @@ devices = base
 #
 # Dynamic host configuration protocol (DHCP) server
 #
-dhcp = base
+dhcp = module
 
 # Layer: services
 # Module: dictd
@@ -374,7 +374,7 @@ domain = base
 #
 # Dovecot POP and IMAP mail server
 #
-dovecot = base
+dovecot = module
 
 # Layer: apps
 # Module: gpg
@@ -489,7 +489,7 @@ gnomeclock = module
 #
 # Hardware abstraction layer
 #
-hal = module
+hal = base
 
 # Layer: services
 # Module: polkit
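Review bot: netlabel is switched from base to module in hunk @@ -1023 of modules-mls.conf, yet the block that adds netlabel to modules-targeted.conf (hunk @@ -1663 in the next run of hunks) carries the comment `# Required in base` directly above `netlabel = module`. If any base-policy module references netlabel types or interfaces outside an optional_policy block, building netlabel as a loadable module is likely to fail at link time, and if the requirement no longer holds the comment will mislead the next reader. Either `netlabel = base` or dropping the `# Required in base` line resolves the contradiction; please confirm which is intended and apply it to both files.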
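Review bot: the new brctl entry in hunk @@ -1131 is the only addition set to `base` while the rest of this commit moves services out of base into loadable modules, and no reason for the exception is recorded; the same applies to `hal = base` in hunk @@ -489 of modules-targeted.conf and to `quota = base` and `remotelogin = base` in the later hunks of that file. A module built into base cannot be removed by an administrator with semodule, which is presumably why everything else moves to module, so a why-comment on each base entry, e.g. `# kept in base: TODO state reason`, would make the exception visibly deliberate. The remotelogin case deserves a second look, since its own description line says it covers rshd, rlogind and telnetd.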
@@ -741,7 +741,7 @@ modutils = base
 #
 # mono executable
 #
-mono = base
+mono = module
 
 # Layer: system
 # Module: mount
@@ -785,7 +785,6 @@ gpg = module
 #
 mrtg = module
 
-
 # Layer: services
 # Module: mta
 #
@@ -985,7 +984,7 @@ qmail = module
 #
 # File system quota management
 #
-quota = off
+quota = base
 
 # Layer: system
 # Module: raid
@@ -1027,7 +1026,7 @@ readahead = base
 #
 # X windows login display manager
 #
-rhgb = base
+rhgb = module
 
 # Layer: services
 # Module: rdisc
@@ -1041,7 +1040,7 @@ rdisc = module
 #
 # Policy for rshd, rlogind, and telnetd.
 #
-remotelogin = module
+remotelogin = base
 
 # Layer: services
 # Module: ricci
@@ -1446,7 +1445,7 @@ updfstab = base
 #
 # Virtual Private Networking client
 #
-vpn = base
+vpn = module
 
 # Layer: admin
 # Module: vbetool
@@ -1663,3 +1662,12 @@ snort = module
 # high-performance memory object caching system
 #
 memcached = module
+
+# Layer: system
+# Module: netlabel
+# Required in base
+#
+# Basic netlabel types and interfaces.
+#
+netlabel = module
+
diff --git a/policy-20080710.patch b/policy-20080710.patch
index 2aa819b..485411e 100644
--- a/policy-20080710.patch
+++ b/policy-20080710.patch
@@ -26600,7 +26600,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.8/policy/modules/services/ssh.if
 --- nsaserefpolicy/policy/modules/services/ssh.if 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/ssh.if 2008-09-17 08:49:09.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/services/ssh.if 2008-09-18 08:51:19.000000000 -0400
 @@ -36,6 +36,7 @@
 gen_require(`
 attribute ssh_server;
@@ -26660,15 +26660,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled($1_ssh_t) corenet_all_recvfrom_netlabel($1_ssh_t) -@@ -115,6 +118,7 @@ +@@ -115,6 +118,8 @@ corenet_tcp_sendrecv_all_ports($1_ssh_t) corenet_tcp_connect_ssh_port($1_ssh_t) corenet_sendrecv_ssh_client_packets($1_ssh_t) ++ corenet_tcp_bind_all_nodes($1_ssh_t) + corenet_tcp_bind_all_unreserved_ports($1_ssh_t) dev_read_urand($1_ssh_t) -@@ -212,7 +216,7 @@ +@@ -212,7 +217,7 @@ ssh_basic_client_template($1, $2, $3) @@ -26677,7 +26678,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type $1_ssh_agent_t; application_domain($1_ssh_agent_t, ssh_agent_exec_t) -@@ -240,9 +244,9 @@ +@@ -240,9 +245,9 @@ manage_sock_files_pattern($1_ssh_t, $1_ssh_tmpfs_t, $1_ssh_tmpfs_t) fs_tmpfs_filetrans($1_ssh_t, $1_ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }) @@ -26690,7 +26691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow the ssh program to communicate with ssh-agent. stream_connect_pattern($1_ssh_t, $1_ssh_agent_tmp_t, $1_ssh_agent_tmp_t, $1_ssh_agent_t) -@@ -254,6 +258,8 @@ +@@ -254,6 +259,8 @@ userdom_use_unpriv_users_fds($1_ssh_t) userdom_dontaudit_list_user_home_dirs($1,$1_ssh_t) userdom_search_user_home_dirs($1,$1_ssh_t) @@ -26699,7 +26700,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Write to the user domain tty. userdom_use_user_terminals($1,$1_ssh_t) # needs to read krb tgt -@@ -282,21 +288,10 @@ +@@ -282,21 +289,10 @@ ') optional_policy(` @@ -26722,7 +26723,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # # $1_ssh_agent_t local policy -@@ -383,10 +378,6 @@ +@@ -383,10 +379,6 @@ xserver_rw_xdm_pipes($1_ssh_agent_t) ') 
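Review bot: the line `++ corenet_tcp_bind_all_nodes($1_ssh_t)` in hunk @@ -26660 grants the per-user ssh client domain permission to bind TCP sockets on every node, on top of the `corenet_tcp_bind_all_unreserved_ports` line already carried by the patch, and nothing in the hunk records why a client domain needs a listening socket. A why-comment above the two bind lines, e.g. `# ssh client binds a local listener: TODO cite the use case or bug`, would let a later reviewer judge whether the grant can be narrowed to a specific port class or put behind a tunable instead of the all-nodes form. The enclosing template (presumably ssh_basic_client_template, whose call site appears as context further down) begins and ends outside the hunk, and the remaining hunks in this run only renumber the inner patch offsets by the one added line.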
@@ -26733,7 +26734,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # # $1_ssh_keysign_t local policy -@@ -413,6 +404,25 @@ +@@ -413,6 +405,25 @@ ') ') @@ -26759,7 +26760,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ####################################### ## ## The template to define a ssh server. -@@ -443,13 +453,14 @@ +@@ -443,13 +454,14 @@ type $1_var_run_t; files_pid_file($1_var_run_t) @@ -26775,7 +26776,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom }; term_create_pty($1_t,$1_devpts_t) -@@ -479,6 +490,10 @@ +@@ -479,6 +491,10 @@ corenet_tcp_bind_ssh_port($1_t) corenet_tcp_connect_all_ports($1_t) corenet_sendrecv_ssh_server_packets($1_t) @@ -26786,7 +26787,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_dontaudit_getattr_all_fs($1_t) -@@ -506,9 +521,14 @@ +@@ -506,9 +522,14 @@ userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t) userdom_search_all_users_home_dirs($1_t) @@ -26801,7 +26802,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`use_samba_home_dirs',` -@@ -517,11 +537,7 @@ +@@ -517,11 +538,7 @@ optional_policy(` kerberos_use($1_t) @@ -26814,7 +26815,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -710,3 +726,22 @@ +@@ -710,3 +727,22 @@ dontaudit $1 sshd_key_t:file { getattr read }; ')