diff --git a/policy-20070703.patch b/policy-20070703.patch
index 479f324..e0f07bb 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -3994,7 +3994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-11-14 09:49:45.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-11-16 13:24:55.000000000 -0500
 @@ -4,6 +4,7 @@
 /dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
@@ -4003,41 +4003,95 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/(misc/)?agpgart -c gen_context(system_u:object_r:agp_device_t,s0) /dev/aload.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/amidi.* -c gen_context(system_u:object_r:sound_device_t,s0) -@@ -20,6 +21,7 @@ +@@ -14,22 +15,29 @@ + /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) ++/dev/gtrsc.* -c gen_context(system_u:object_r:clock_device_t,s0) ++/dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0) + /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0) + /dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0) + /dev/event.* -c gen_context(system_u:object_r:event_device_t,s0) /dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0) /dev/full -c gen_context(system_u:object_r:null_device_t,s0) +/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0) ++/dev/hfmodem -c gen_context(system_u:object_r:sound_device_t,s0) /dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0) -@@ -30,6 +32,7 @@ + /dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0) + /dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0) + /dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0) + /dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0) ++/dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) ++/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/kmsg -c 
gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) +/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,mls_systemhigh) /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) -@@ -49,6 +52,7 @@ +@@ -41,6 +49,11 @@ + /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0) + /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/null -c gen_context(system_u:object_r:null_device_t,s0) ++ ++/dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0) ++/dev/gfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0) ++/dev/3dfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0) ++/dev/graphics -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh) + /dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) +@@ -49,6 +62,9 @@ /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) /dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) ++/dev/inportbm -c gen_context(system_u:object_r:mouse_device_t,s0) ++/dev/jbm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0) /dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0) -@@ -98,6 +102,7 @@ +@@ -65,9 +81,11 @@ + /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) + /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) + /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) ++/dev/ub[a-c] -c 
gen_context(system_u:object_r:usb_device_t,s0) + /dev/usbmon[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) + /dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0) + /dev/usb[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) ++/dev/usb/.+ -c gen_context(system_u:object_r:usb_device_t,s0) + /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) + ifdef(`distro_suse', ` + /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) +@@ -95,11 +113,21 @@ + /dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0) + + /dev/input/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0) ++/dev/input/keyboard.* -c gen_context(system_u:object_r:event_device_t,s0) /dev/input/event.* -c gen_context(system_u:object_r:event_device_t,s0) /dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/input/uinput -c gen_context(system_u:object_r:event_device_t,s0) ++/dev/pc110pad -c gen_context(system_u:object_r:mouse_device_t,s0) ++/dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0) ++/dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) ++/dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) ++/dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0) ++/dev/bometric/sensor.* -c gen_context(system_u:object_r:event_device_t,s0) /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0) ++/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) ++/dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + + /dev/pts(/.*)? 
<> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.0.8/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-22 13:21:41.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2007-11-12 23:22:11.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2007-11-16 13:36:12.000000000 -0500 @@ -65,7 +65,7 @@ relabelfrom_dirs_pattern($1,device_t,device_node) @@ -4072,7 +4126,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Allow full relabeling (to and from) of directories in /dev. ## ## -@@ -1306,6 +1324,44 @@ +@@ -667,6 +685,7 @@ + ') + + dontaudit $1 device_node:blk_file getattr; ++ dev_dontaudit_getattr_generic_blk_files($1) + ') + + ######################################## +@@ -704,6 +723,7 @@ + ') + + dontaudit $1 device_node:chr_file getattr; ++ dev_dontaudit_getattr_generic_chr_files($1) + ') + + ######################################## +@@ -1306,6 +1326,44 @@ ######################################## ## @@ -4117,7 +4187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Read input event devices (/dev/input). ## ## -@@ -1623,6 +1679,78 @@ +@@ -1623,6 +1681,78 @@ ######################################## ## @@ -4259,7 +4329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.0.8/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2007-11-12 15:59:14.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2007-11-16 09:41:59.000000000 -0500 @@ -6,6 +6,22 @@ # Declarations # 
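Review bot: `++/dev/bometric/sensor.*` in the devices.fc hunk looks like a misspelling of `biometric`; if the kernel node actually lives under `/dev/biometric/`, this entry never matches and those nodes would not receive event_device_t. Confirm the path against the kernel device list before this ships and, if it is a typo, change the line to `+/dev/biometric/sensor.* -c gen_context(system_u:object_r:event_device_t,s0)`. The other new entries are inserted out of alphabetical order (`/dev/gtrsc.*` and `/dev/pcfclock.*` land between `/dev/dsp.*` and `/dev/efirtc`, `/dev/mergemem` between `/dev/kmem` and `/dev/kmsg`), which makes duplicates harder to spot in a file this long.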
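Review bot: The added `dev_dontaudit_getattr_generic_blk_files($1)` directly follows `dontaudit $1 device_node:blk_file getattr;`, and the chr_file twin in the next inner hunk does the same; if device_t carries the device_node attribute, as it appears to in reference policy, both new calls are redundant and can be dropped. If device_t is deliberately kept out of device_node in this tree, say so next to the call, e.g. `# device_t is not a device_node here, so generic nodes are covered separately`, otherwise the next cleanup will remove it. Both enclosing interfaces start outside the hunk.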
@@ -4297,7 +4367,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain # Use trusted objects in /dev dev_rw_null(domain) -@@ -134,3 +154,32 @@ +@@ -134,3 +154,31 @@ # act on all domains keys allow unconfined_domain_type domain:key *; @@ -4326,7 +4396,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +optional_policy(` + rpm_rw_pipes(domain) +') -+ +optional_policy(` + unconfined_dontaudit_rw_pipes(domain) +') @@ -4345,7 +4414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.8/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-22 13:21:41.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/files.if 2007-11-13 21:17:02.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/kernel/files.if 2007-11-16 17:46:24.000000000 -0500 @@ -343,8 +343,7 @@ ######################################## 
@@ -5099,17 +5168,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ## Do not audit attempts to list unlabeled directories. ## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.0.8/policy/modules/kernel/kernel.te ---- nsaserefpolicy/policy/modules/kernel/kernel.te 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/kernel.te 2007-10-30 19:49:01.000000000 -0400 -@@ -278,6 +278,7 @@ - - optional_policy(` - logging_send_syslog_msg(kernel_t) -+ logging_unconfined(kernel_t) - ') - - optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.0.8/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2007-10-22 13:21:42.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/kernel/selinux.if 2007-10-29 23:59:29.000000000 -0400 
@@ -5228,8 +5286,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.0.8/policy/modules/kernel/storage.fc --- nsaserefpolicy/policy/modules/kernel/storage.fc 2007-10-22 13:21:41.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/storage.fc 2007-11-01 11:47:11.000000000 -0400 -@@ -31,6 +31,7 @@ ++++ serefpolicy-3.0.8/policy/modules/kernel/storage.fc 2007-11-16 13:30:44.000000000 -0500 +@@ -6,6 +6,7 @@ + /dev/n?pt[0-9]+ -c gen_context(system_u:object_r:tape_device_t,s0) + /dev/n?tpqic[12].* -c gen_context(system_u:object_r:tape_device_t,s0) + /dev/[shmx]d[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) ++/dev/ad[[a-z] -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + /dev/aztcd -b gen_context(system_u:object_r:removable_device_t,s0) + /dev/bpcd -b gen_context(system_u:object_r:removable_device_t,s0) + /dev/cdu.* -b gen_context(system_u:object_r:removable_device_t,s0) +@@ -18,6 +19,8 @@ + /dev/hitcd -b gen_context(system_u:object_r:removable_device_t,s0) + /dev/ht[0-1] -b gen_context(system_u:object_r:tape_device_t,s0) + /dev/initrd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) ++/dev/iseries/vt.* -c gen_context(system_u:object_r:tape_device_t,s0) ++/dev/iseries/nvt.* -c gen_context(system_u:object_r:tape_device_t,s0) + /dev/jsfd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + /dev/jsflash -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + /dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +@@ -31,6 +34,7 @@ /dev/pcd[0-3] -b gen_context(system_u:object_r:removable_device_t,s0) /dev/pd[a-d][^/]* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/pg[0-3] -c 
gen_context(system_u:object_r:removable_device_t,s0) @@ -5237,7 +5312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag /dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -@@ -39,6 +40,7 @@ +@@ -39,6 +43,7 @@ ') /dev/s(cd|r)[^/]* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/sbpcd.* -b gen_context(system_u:object_r:removable_device_t,s0) @@ -5245,7 +5320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag /dev/sg[0-9]+ -c gen_context(system_u:object_r:scsi_generic_device_t,s0) /dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0) -@@ -52,7 +54,7 @@ +@@ -52,7 +57,7 @@ /dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) 
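Review bot: `++/dev/ad[[a-z]` in the storage.fc hunk has a stray `[`: the bracket expression `[[a-z]` also matches a literal `[`, so `/dev/ada` still gets labelled but the pattern says something other than what was meant. The line should read `+/dev/ad[a-z] -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)`. The label itself matches the neighbouring `/dev/[shmx]d[^/]*` entry, so only the regex needs fixing.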
@@ -5337,15 +5412,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.0.8/policy/modules/kernel/terminal.fc --- nsaserefpolicy/policy/modules/kernel/terminal.fc 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/terminal.fc 2007-10-29 23:59:29.000000000 -0400 -@@ -8,6 +8,7 @@ ++++ serefpolicy-3.0.8/policy/modules/kernel/terminal.fc 2007-11-16 13:34:08.000000000 -0500 +@@ -2,18 +2,27 @@ + /dev/.*tty[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) + /dev/[pt]ty[a-ep-z][0-9a-f] -c gen_context(system_u:object_r:bsdpty_device_t,s0) + /dev/adb.* -c gen_context(system_u:object_r:tty_device_t,s0) ++/dev/bc[0-9] -c gen_context(system_u:object_r:tty_device_t,s0) + /dev/capi.* -c gen_context(system_u:object_r:tty_device_t,s0) + /dev/console -c gen_context(system_u:object_r:console_device_t,s0) + /dev/cu.* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/dcbri[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) ++/dev/holter[0=9] -c gen_context(system_u:object_r:tty_device_t,s0) /dev/hvc.* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/hvsi.* -c gen_context(system_u:object_r:tty_device_t,s0) +/dev/i2c[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/ircomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) /dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0) ++/dev/isictl.* -c gen_context(system_u:object_r:tty_device_t,s0) + /dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) + /dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) +-/dev/tty -c gen_context(system_u:object_r:devtty_t,s0) ++/dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) ++/dev/slm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) ++/dev/specialix_sxctl -c 
gen_context(system_u:object_r:tty_device_t,s0) ++/dev/specialix_rioctl -c gen_context(system_u:object_r:tty_device_t,s0) ++/dev/tcldrv -c gen_context(system_u:object_r:tty_device_t,s0) ++/dev/tty -c gen_context(system_u:object_r:devtty_t,s0) + /dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0) + /dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-3.0.8/policy/modules/kernel/terminal.te --- nsaserefpolicy/policy/modules/kernel/terminal.te 2007-10-22 13:21:42.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/kernel/terminal.te 2007-10-29 23:59:29.000000000 -0400 @@ -5406,7 +5502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.0.8/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/apache.if 2007-11-12 10:17:21.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/apache.if 2007-11-16 17:29:13.000000000 -0500 @@ -18,10 +18,6 @@ attribute httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; 
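Review bot: `++/dev/holter[0=9]` in the terminal.fc hunk is a typo for `[0-9]`: the bracket expression matches only the characters `0`, `=` and `9`, so `/dev/holter1` through `/dev/holter8` never receive tty_device_t and keep whatever generic /dev label applies. The line should read `+/dev/holter[0-9] -c gen_context(system_u:object_r:tty_device_t,s0)`. The `/dev/tty` remove-and-re-add in the same hunk only reorders the entry and needs no change.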
@@ -5495,27 +5591,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac optional_policy(` tunable_policy(`httpd_enable_cgi && allow_ypbind',` nis_use_ypbind_uncond(httpd_$1_script_t) -@@ -270,8 +219,11 @@ +@@ -265,12 +214,19 @@ + template(`apache_per_role_template', ` + gen_require(` + attribute httpdcontent, httpd_script_domains; +- attribute httpd_exec_scripts; ++ attribute httpd_exec_scripts, httpd_user_content_type; ++ attribute httpd_user_script_exec_type; + type httpd_t, httpd_suexec_t, httpd_log_t; ') apache_content_template($1) -+ manage_dirs_pattern($1_t,httpd_$1_content_t,httpd_$1_content_t) -+ manage_files_pattern($1_t,httpd_$1_content_t,httpd_$1_content_t) -+ manage_lnk_files_pattern($1_t,httpd_$1_content_t,httpd_$1_content_t) -- typeattribute httpd_$1_script_t httpd_script_domains; -+ typeattribute httpd_$1_content_t httpd_script_domains; ++ typeattribute httpd_$1_content_t httpd_user_content_type; ++ typeattribute httpd_$1_script_ra_t httpd_user_content_type; ++ typeattribute httpd_$1_script_rw_t httpd_user_content_type; ++ typeattribute httpd_$1_script_ro_t httpd_user_content_type; ++ typeattribute httpd_$1_script_exec_t httpd_user_script_exec_type; ++ + typeattribute httpd_$1_script_t httpd_script_domains; userdom_user_home_content($1,httpd_$1_content_t) - role $3 types httpd_$1_script_t; -@@ -345,12 +297,12 @@ +@@ -345,12 +301,11 @@ # template(`apache_read_user_scripts',` gen_require(` - type httpd_$1_script_exec_t; + attribute httpd_user_script_exec_type; ') - +- - allow $2 httpd_$1_script_exec_t:dir list_dir_perms; - read_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) - read_lnk_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) @@ -5525,7 +5629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -371,12 +323,12 @@ +@@ -371,12 +326,12 @@ # template(`apache_read_user_content',` gen_require(` 
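Review bot: The new `typeattribute … httpd_user_content_type` and `httpd_user_script_exec_type` lines in `apache_per_role_template` put every user's content and script-executable types behind one attribute, so any interface keyed on those attributes (`apache_read_user_scripts` in this hunk, and a manage interface added later in the patch) grants access across all users rather than to the `$1` user's files. That is presumably the intent, but it silently drops the per-user boundary that the old `type httpd_$1_script_exec_t;` require enforced, so the template should say so above those lines: `# these attributes span every user's web content; attribute-based interfaces are not per-user`. The template body continues outside the hunk.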
@@ -5542,32 +5646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -436,6 +388,24 @@ - - ######################################## - ## -+## getattr apache.process -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`apache_getattr',` -+ gen_require(` -+ type httpd_t; -+ ') -+ -+ allow $1 httpd_t:process getattr; -+') -+ -+######################################## -+## - ## Inherit and use file descriptors from Apache. - ## - ## -@@ -754,6 +724,7 @@ +@@ -754,6 +709,7 @@ ') allow $1 httpd_modules_t:dir list_dir_perms; @@ -5575,7 +5654,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -838,6 +809,10 @@ +@@ -838,6 +794,10 @@ type httpd_sys_script_t; ') @@ -5586,7 +5665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern($1, httpdcontent, httpd_sys_script_t) ') -@@ -925,7 +900,7 @@ +@@ -925,7 +885,7 @@ type httpd_squirrelmail_t; ') 
@@ -5595,153 +5674,50 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -987,7 +962,26 @@ +@@ -1005,6 +965,31 @@ ######################################## ## --## Search apache system CGI directories. -+## Search system script state directory. ++## Create, read, write, and delete all user web content. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## ++## +# -+interface(`apache_search_sys_script_state',` ++interface(`apache_manage_all_user_content',` + gen_require(` -+ type httpd_sys_script_t; ++ attribute httpd_user_content_type, httpd_user_script_exec_type; + ') + -+ allow $1 httpd_sys_script_t:dir search_dir_perms; ++ manage_dirs_pattern($1,httpd_user_content_type,httpd_user_content_type) ++ manage_files_pattern($1,httpd_user_content_type,httpd_user_content_type) ++ manage_lnk_files_pattern($1,httpd_user_content_type,httpd_user_content_type) ++ ++ manage_dirs_pattern($1,httpd_user_script_exec_type,httpd_user_script_exec_type) ++ manage_files_pattern($1,httpd_user_script_exec_type,httpd_user_script_exec_type) ++ manage_lnk_files_pattern($1,httpd_user_script_exec_type,httpd_user_script_exec_type) +') + +######################################## +## -+## Allow the specified domain to manage -+## apache modules. + ## Search system script state directory. 
## ## - ## -@@ -995,17 +989,57 @@ - ## - ## - # --interface(`apache_search_sys_scripts',` -+interface(`apache_manage_modules',` - gen_require(` -- type httpd_sys_content_t, httpd_sys_script_exec_t; -+ type httpd_modules_t; - ') +@@ -1056,3 +1041,138 @@ -- search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t) -+ manage_dirs_pattern($1,httpd_modules_t,httpd_modules_t) -+ manage_files_pattern($1,httpd_modules_t,httpd_modules_t) -+ manage_lnk_files_pattern($1,httpd_modules_t,httpd_modules_t) + allow httpd_t $1:process signal; ') - - ######################################## - ## --## Search system script state directory. -+## Allow the specified domain to create -+## apache lock file -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`apache_manage_lock',` -+ gen_require(` -+ type httpd_lock_t; -+ ') -+ allow $1 httpd_lock_t:file manage_file_perms; -+ files_lock_filetrans($1, httpd_lock_t, file) -+') + +######################################## +## -+## Allow the specified domain to manage -+## apache pid file -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`apache_manage_pid',` -+ gen_require(` -+ type httpd_var_run_t; -+ ') -+ manage_files_pattern($1,httpd_var_run_t,httpd_var_run_t) -+ files_pid_filetrans($1,httpd_var_run_t, file) -+') -+ -+######################################## -+## -+##f Read apache system state - ## - ## - ## -@@ -1013,46 +1047,147 @@ - ## - ## - # --interface(`apache_search_sys_script_state',` -+interface(`apache_read_state',` - gen_require(` -- type httpd_sys_script_t; -+ type httpd_t; - ') -+ kernel_search_proc($1) -+ allow $1 httpd_t:dir list_dir_perms; -+ read_files_pattern($1,httpd_t,httpd_t) -+ read_lnk_files_pattern($1,httpd_t,httpd_t) -+ dontaudit $1 httpd_t:process ptrace; -+') - -- allow $1 httpd_sys_script_t:dir search_dir_perms; -+######################################## -+## -+## allow domain to relabel apache content ++## Allow the specified domain to search ++## apache bugzilla directories. +## +## +## -+## Domain to not audit. -+## -+## -+# -+interface(`apache_relabel',` -+ gen_require(` -+ attribute httpdcontent; -+ attribute httpd_script_exec_type; -+ ') -+ -+ allow $1 { httpd_script_exec_type httpdcontent}:dir { relabelto relabelfrom }; -+ allow $1 { httpd_script_exec_type httpdcontent}:file { relabelto relabelfrom }; - ') - - ######################################## - ## --## Execute CGI in the specified domain. -+## Allow the specified domain to search -+## apache bugzilla directories. - ## --## --##

--## Execute CGI in the specified domain. --##

--##

--## This is an interface to support third party modules --## and its use is not allowed in upstream reference --## policy. --##

--##
- ## - ## --## Domain run the cgi script in. +## Domain allowed access. +## +## 
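Review bot: The new `apache_manage_all_user_content` interface grants `manage_files_pattern` on `httpd_user_script_exec_type`, which is write access to every user's CGI script executables, but its summary only says "all user web content". A domain given this interface can modify scripts that httpd later executes, which is a much stronger grant than content editing, so the description should name it, e.g. `## Create, read, write, and delete all user web content, including user CGI script executables.`, so it is not handed to a domain that only needs content access. As far as this patch shows the two attributes are only populated by `apache_per_role_template`, so the interface is a no-op for roles that never instantiate it; a one-line note on that in the description would also help.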
@@ -5804,136 +5780,190 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +## +## +## Domain allowed access. - ## - ## --## ++## ++## +## - ## --## Type of the executable to enter the cgi domain. ++## +## The role to be allowed to manage the apache domain. - ## - ## ++## ++## +## - # --interface(`apache_cgi_domain',` ++# +interface(`apache_admin',` + - gen_require(` -- type httpd_t, httpd_sys_script_exec_t; -+ type httpd_t; ++ gen_require(` ++ type httpd_t, httpd_script_exec_t, httpd_config_t; ++ type httpd_log_t, httpd_modules_t, httpd_lock_t; ++ type httpd_var_run_t; ++ attribute httpdcontent; ++ attribute httpd_script_exec_type; + type httpd_bool_t; -+ type httpd_script_exec_t; - ') - -- domtrans_pattern(httpd_t, $2, $1) -- apache_search_sys_scripts($1) -+ allow $2 httpd_t:process { ptrace signal_perms }; - -- allow httpd_t $1:process signal; -+ # Allow $2 to restart the apache service -+ apache_script_domtrans($2) -+ domain_system_change_exemption($2) -+ role_transition $3 httpd_script_exec_t system_r; -+ allow $3 system_r; ++ ') + -+ apache_manage_all_content($2) -+ apache_manage_config($2) -+ apache_manage_log($2) -+ apache_manage_modules($2) -+ apache_manage_lock($2) -+ apache_manage_pid($2) -+ apache_read_state($2) -+ apache_getattr($2) -+ apache_relabel($2) ++ allow $1 httpd_t:process { getattr ptrace signal_perms }; + -+ seutil_domtrans_setfiles($2) ++ # Allow $1 to restart the apache service ++ apache_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 httpd_script_exec_t system_r; ++ allow $2 system_r; + -+ seutil_setsebool_per_role_template($1, $2, $3) -+ allow $1_setsebool_t httpd_bool_t:dir list_dir_perms; -+ allow $1_setsebool_t httpd_bool_t:file rw_file_perms; - ') ++ apache_manage_all_content($1) + ++ files_search_etc($1) ++ manage_dirs_pattern($1,httpd_config_t,httpd_config_t) ++ manage_files_pattern($1,httpd_config_t,httpd_config_t) ++ 
read_lnk_files_pattern($1,httpd_config_t,httpd_config_t) + ++ logging_search_logs($1) ++ manage_dirs_pattern($1,httpd_log_t,httpd_log_t) ++ manage_files_pattern($1,httpd_log_t,httpd_log_t) ++ read_lnk_files_pattern($1,httpd_log_t,httpd_log_t) + ++ manage_dirs_pattern($1,httpd_modules_t,httpd_modules_t) ++ manage_files_pattern($1,httpd_modules_t,httpd_modules_t) ++ manage_lnk_files_pattern($1,httpd_modules_t,httpd_modules_t) ++ ++ allow $1 httpd_lock_t:file manage_file_perms; ++ files_lock_filetrans($1, httpd_lock_t, file) ++ ++ manage_files_pattern($1,httpd_var_run_t,httpd_var_run_t) ++ files_pid_filetrans($1,httpd_var_run_t, file) ++ ++ kernel_search_proc($1) ++ allow $1 httpd_t:dir list_dir_perms; ++ read_files_pattern($1,httpd_t,httpd_t) ++ read_lnk_files_pattern($1,httpd_t,httpd_t) ++ ++ allow $1 { httpd_script_exec_type httpdcontent}:dir { relabelto relabelfrom }; ++ allow $1 { httpd_script_exec_type httpdcontent}:file { relabelto relabelfrom }; ++ ++ seutil_domtrans_setfiles($1) ++ ++# apache_set_booleans($1, $2, $3, httpd_bool_t ) ++# seutil_setsebool_per_role_template($1, httpd, $3) ++# allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms; ++# allow httpd_setsebool_t httpd_bool_t:file rw_file_perms; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.8/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/apache.te 2007-11-12 17:44:48.000000000 -0500 -@@ -20,6 +20,9 @@ ++++ serefpolicy-3.0.8/policy/modules/services/apache.te 2007-11-16 17:49:37.000000000 -0500 +@@ -1,5 +1,5 @@ + +-policy_module(apache,1.7.1) ++policy_module(apache,1.8.2) + + # + # NOTES: +@@ -20,20 +20,22 @@ # Declarations # +selinux_genbool(httpd_bool_t) + -+ ## ##

## Allow Apache to modify public files -@@ -30,6 +33,13 @@ +-## used for public file transfer services. ++## used for public file transfer services. Directories/Files must be labeled public_content_rw_t. + ##

+ ##
+ gen_tunable(allow_httpd_anon_write,false) + + ## + ##

+-## Allow Apache to use mod_auth_pam ++## Allow Apache to communicate with avahi service via dbus + ##

+ ##
+-gen_tunable(allow_httpd_mod_auth_pam,false) ++gen_tunable(allow_httpd_dbus_avahi,false) ## ##

-+## Allow Apache to communicate with avahi via dbus +@@ -44,14 +46,21 @@ + + ## + ##

+-## Allow http daemon to tcp connect ++## Allow http daemon to send mail +##

+##
-+gen_tunable(allow_httpd_dbus_avahi,false) ++gen_tunable(httpd_can_sendmail,false) + +## +##

- ## Allow Apache to use mod_auth_pam ++## Allow HTTPD scripts and modules to connect to the network ##

##
-@@ -47,6 +57,13 @@ - ## Allow http daemon to tcp connect + gen_tunable(httpd_can_network_connect,false) + + ## + ##

+-## Allow httpd to connect to mysql/posgresql ++## Allow HTTPD scripts and modules to network connect to databases, mysql/posgresql ##

##
-+gen_tunable(httpd_can_sendmail,false) -+ -+## -+##

-+## Allow http daemon to tcp connect -+##

-+##
- gen_tunable(httpd_can_network_connect,false) + gen_tunable(httpd_can_network_connect_db, false) +@@ -87,31 +96,54 @@ ## -@@ -97,7 +114,7 @@ - ## Allow http daemon to communicate with the TTY + ##

+-## Run SSI execs in system CGI script domain. ++## Allow HTTPD to run SSI executables in the same domain as system CGI scripts + ##

+ ##
+ gen_tunable(httpd_ssi_exec,false) + + ## + ##

+-## Allow http daemon to communicate with the TTY ++## Unify HTTPD to communicate with the terminal. Needed for handling certificates ##

##
--gen_tunable(httpd_tty_comm,false) -+gen_tunable(httpd_tty_comm,true) + gen_tunable(httpd_tty_comm,false) ## ##

-@@ -106,6 +123,27 @@ +-## Run CGI in the main httpd domain ++## Unify HTTPD handling of all content files + ##

##
gen_tunable(httpd_unified,false) +## +##

-+## Allow httpd to read nfs files ++## Allow httpd to access nfs file systems +##

+##
+gen_tunable(httpd_use_nfs,false) + +## +##

-+## Allow httpd to read cifs files ++## Allow httpd to access cifs file systems +##

+##
+gen_tunable(httpd_use_cifs,false) + +## +##

-+## Allow apache scripts to write to public content ++## Allow apache scripts to write to public content. Directories/Files must be labeled public_content_rw_t. +##

+##
+gen_tunable(allow_httpd_sys_script_anon_write,false) + attribute httpdcontent; ++attribute httpd_user_content_type; # domains that can exec all users scripts -@@ -142,6 +180,9 @@ + attribute httpd_exec_scripts; + + attribute httpd_script_exec_type; ++attribute httpd_user_script_exec_type; + + # user script domains + attribute httpd_script_domains; +@@ -142,6 +174,9 @@ type httpd_log_t; logging_log_file(httpd_log_t) @@ -5943,7 +5973,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # httpd_modules_t is the type given to module files (libraries) # that come with Apache /etc/httpd/modules and /usr/lib/apache type httpd_modules_t; -@@ -202,9 +243,11 @@ +@@ -202,7 +237,7 @@ # Apache server local policy # @@ -5951,12 +5981,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config }; dontaudit httpd_t self:capability { net_admin sys_tty_config }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -+dontaudit httpd_t self:process setfscreate; -+ allow httpd_t self:fd use; - allow httpd_t self:sock_file read_sock_file_perms; - allow httpd_t self:fifo_file rw_fifo_file_perms; -@@ -244,6 +287,7 @@ +@@ -244,6 +279,7 @@ allow httpd_t httpd_modules_t:dir list_dir_perms; mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) @@ -5964,7 +5990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac apache_domtrans_rotatelogs(httpd_t) # Apache-httpd needs to be able to send signals to the log rotate procs. -@@ -284,6 +328,7 @@ +@@ -284,6 +320,7 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) 
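Review bot: The four commented-out lines at the end of `apache_admin` (`++# apache_set_booleans($1, $2, $3, httpd_bool_t )` through `++# allow httpd_setsebool_t httpd_bool_t:file rw_file_perms;`) reference a `$3` the rewritten two-parameter interface no longer has and an `apache_set_booleans` interface that appears nowhere in this patch, so they are stale on arrival; drop them, or replace them with a single `# TODO: managing httpd_bool_t via setsebool is not wired up yet`. With them gone, `++ type httpd_bool_t;` in the interface's gen_require is unused and can go too. In the apache.te part of the same hunk, the new `httpd_tty_comm` description `++## Unify HTTPD to communicate with the terminal. Needed for handling certificates` reads like a paste from the `httpd_unified` entry above it; `## Allow HTTPD to communicate with the terminal. Needed for handling certificates` is what was meant.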
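Review bot: The inner hunk `+@@ -344,12 +385,8 @@` now drops `sysnet_read_config(httpd_t)` (`+-sysnet_read_config(httpd_t)`), which removes httpd_t's read access to the network configuration files that name resolution for its proxy, database and mail connections depends on; unless the ten lines added by the following inner hunk `@@ -367,6 +412,16 @@` (not shown here) reintroduce that access under a tunable, this will surface as denials on DNS lookups. If the removal is intentional, a comment at that spot saying where the access moved would save the next reader a bisect. Separately, `++gen_tunable(allow_httpd_mod_auth_pam,false)` is placed after the "We need optionals to be able to be within booleans" comment, and the two closing `')` after the `tunable_policy` suggest that block sits inside an `optional_policy`; confirm the build accepts a boolean declaration there, otherwise move the `gen_tunable` up with the other declarations at the top of the file.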
@@ -5972,7 +5998,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -330,6 +375,10 @@ +@@ -330,6 +367,10 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -5983,26 +6009,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac libs_use_ld_so(httpd_t) libs_use_shared_libs(httpd_t) -@@ -348,7 +397,9 @@ +@@ -344,12 +385,8 @@ + seutil_dontaudit_search_config(httpd_t) + +-sysnet_read_config(httpd_t) +- userdom_use_unpriv_users_fds(httpd_t) -mta_send_mail(httpd_t) -+tunable_policy(`httpd_enable_homedirs',` -+ userdom_search_unpriv_users_home_dirs(httpd_t) -+') - +- tunable_policy(`allow_httpd_anon_write',` miscfiles_manage_public_files(httpd_t) -@@ -360,6 +411,7 @@ + ') +@@ -358,8 +395,16 @@ # + # We need optionals to be able to be within booleans to make this work + # ++## ++##

++## Allow Apache to use mod_auth_pam ++##

++##
++gen_tunable(allow_httpd_mod_auth_pam,false) ++ tunable_policy(`allow_httpd_mod_auth_pam',` auth_domtrans_chk_passwd(httpd_t) + auth_domtrans_upd_passwd(httpd_t) ') ') -@@ -367,6 +419,16 @@ +@@ -367,6 +412,16 @@ corenet_tcp_connect_all_ports(httpd_t) ') @@ -6019,7 +6056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_connect_db',` # allow httpd to connect to mysql/posgresql corenet_tcp_connect_postgresql_port(httpd_t) -@@ -387,6 +449,10 @@ +@@ -387,6 +442,10 @@ corenet_sendrecv_http_cache_client_packets(httpd_t) ') @@ -6030,7 +6067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) -@@ -404,11 +470,21 @@ +@@ -404,11 +463,21 @@ fs_read_nfs_symlinks(httpd_t) ') @@ -6052,7 +6089,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -430,6 +506,12 @@ +@@ -430,6 +499,12 @@ ') optional_policy(` @@ -6065,12 +6102,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac calamaris_read_www_files(httpd_t) ') -@@ -442,8 +524,15 @@ +@@ -442,8 +517,14 @@ ') optional_policy(` + dbus_system_bus_client_template(httpd,httpd_t) -+ dbus_send_system_bus(httpd_t) + tunable_policy(`allow_httpd_dbus_avahi',` + avahi_dbus_chat(httpd_t) + ') @@ -6082,7 +6118,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -457,11 +546,11 @@ +@@ -457,11 +538,11 @@ optional_policy(` mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) 
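Review bot: The description on the new `gen_tunable(allow_httpd_mod_auth_pam,false)` — `## Allow Apache to use mod_auth_pam` — understates what the guarded block grants: besides `auth_domtrans_chk_passwd(httpd_t)` the block also contains `auth_domtrans_upd_passwd(httpd_t)`, so enabling the boolean lets httpd_t transition into both the password-check and the password-update helper domains. Suggest `## Allow Apache to use mod_auth_pam; this lets httpd_t transition into the password check and password update helper domains.` so an administrator flipping the boolean understands the shadow-related exposure, and the `false` default is the right choice. Separately, `+-sysnet_read_config(httpd_t)` drops httpd_t's read access to the network configuration files; presumably a broader nsswitch interface elsewhere in this patch supersedes it, but that is not visible in this hunk and is worth confirming so name resolution in httpd_t is not silently lost.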
@@ -6095,7 +6131,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -481,6 +570,7 @@ +@@ -481,6 +562,7 @@ ') optional_policy(` @@ -6103,11 +6139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -512,10 +602,16 @@ - tunable_policy(`httpd_tty_comm',` - # cjp: this is redundant: - term_use_controlling_term(httpd_helper_t) -- +@@ -516,6 +598,13 @@ userdom_use_sysadm_terms(httpd_helper_t) ') @@ -6121,7 +6153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -553,6 +649,7 @@ +@@ -553,6 +642,7 @@ optional_policy(` mysql_stream_connect(httpd_php_t) @@ -6129,7 +6161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -567,7 +664,6 @@ +@@ -567,7 +657,6 @@ allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; @@ -6137,7 +6169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -581,6 +677,10 @@ +@@ -581,6 +670,10 @@ manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) 
@@ -6148,26 +6180,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -606,6 +706,10 @@ - - miscfiles_read_localization(httpd_suexec_t) - -+tunable_policy(`httpd_enable_homedirs',` -+ userdom_search_generic_user_home_dirs(httpd_suexec_t) -+') -+ - tunable_policy(`httpd_can_network_connect',` - allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; - allow httpd_suexec_t self:udp_socket create_socket_perms; -@@ -620,7 +724,6 @@ +@@ -620,8 +713,6 @@ corenet_udp_sendrecv_all_ports(httpd_suexec_t) corenet_tcp_connect_all_ports(httpd_suexec_t) corenet_sendrecv_all_client_packets(httpd_suexec_t) - - sysnet_read_config(httpd_suexec_t) +- sysnet_read_config(httpd_suexec_t) ') -@@ -634,6 +737,12 @@ + tunable_policy(`httpd_enable_cgi && httpd_unified',` +@@ -634,6 +725,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -6180,7 +6202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -651,18 +760,6 @@ +@@ -651,18 +748,6 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -6199,7 +6221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -672,7 +769,8 @@ +@@ -672,7 +757,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -6209,7 +6231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -686,15 +784,66 @@ +@@ -686,15 +772,62 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) 
@@ -6220,10 +6242,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -+tunable_policy(`httpd_enable_homedirs',` -+ userdom_search_generic_user_home_dirs(httpd_sys_script_t) -+') -+ +tunable_policy(`httpd_use_nfs', ` fs_read_nfs_files(httpd_sys_script_t) fs_read_nfs_symlinks(httpd_sys_script_t) @@ -6277,7 +6295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -707,6 +856,7 @@ +@@ -707,6 +840,7 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -6285,7 +6303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -728,3 +878,48 @@ +@@ -728,3 +862,46 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) @@ -6332,8 +6350,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +optional_policy(` + postgresql_stream_connect(httpd_bugzilla_script_t) +') -+ -+ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.if serefpolicy-3.0.8/policy/modules/services/apcupsd.if --- nsaserefpolicy/policy/modules/services/apcupsd.if 2007-10-22 13:21:39.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/apcupsd.if 2007-10-29 23:59:29.000000000 -0400 
@@ -7095,7 +7111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.0.8/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/cron.te 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/cron.te 2007-11-16 09:49:26.000000000 -0500 @@ -50,6 +50,7 @@ type crond_tmp_t; @@ -7307,21 +7323,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -433,9 +477,13 @@ +@@ -433,15 +477,12 @@ ') optional_policy(` - unconfined_domain(system_crond_t) +- +- userdom_priveleged_home_dir_manager(system_crond_t) + unconfined_dbus_send(crond_t) + unconfined_shell_domtrans(crond_t) -+') ++ unconfined_domain(crond_t) + ') +-ifdef(`TODO',` +-ifdef(`mta.te', ` +-allow system_crond_t mail_spool_t:lnk_file read; +-allow mta_user_agent system_crond_t:fd use; +-r_dir_file(system_mail_t, crond_tmp_t) +optional_policy(` - userdom_priveleged_home_dir_manager(system_crond_t) ++ userdom_priveleged_home_dir_manager(system_crond_t) + unconfined_domain(system_crond_t) ') - - ifdef(`TODO',` +-') dnl end TODO diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.0.8/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2007-10-22 13:21:36.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/cups.fc 2007-11-14 10:50:26.000000000 -0500 
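Review bot: `unconfined_domain(crond_t)` is new in this hunk and makes the cron daemon itself unconfined, on top of `unconfined_domain(system_crond_t)` which the second optional_policy block keeps; since crond_t reads user-supplied crontabs and spawns jobs on behalf of every user, this is a large widening that the hunk does not explain. A why-comment on that line, e.g. `# crond_t is unconfined when the unconfined module is loaded: <reason or bug reference>`, should accompany it, and once it is in place the neighbouring `unconfined_dbus_send(crond_t)` and `unconfined_shell_domtrans(crond_t)` look like redundant subsets. If only the dbus/shell access was needed, dropping the `unconfined_domain(crond_t)` line keeps the daemon confined.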
@@ -9005,7 +9028,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb +/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.0.8/policy/modules/services/kerberos.if --- nsaserefpolicy/policy/modules/services/kerberos.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/kerberos.if 2007-11-12 16:50:00.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/kerberos.if 2007-11-16 17:43:19.000000000 -0500 @@ -42,11 +42,17 @@ dontaudit $1 krb5_conf_t:file write; dontaudit $1 krb5kdc_conf_t:dir list_dir_perms; @@ -9683,7 +9706,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq +/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.0.8/policy/modules/services/mysql.if --- nsaserefpolicy/policy/modules/services/mysql.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/mysql.if 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/mysql.if 2007-11-16 17:28:30.000000000 -0500 @@ -157,3 +157,79 @@ logging_search_logs($1) allow $1 mysqld_log_t:file { write append setattr ioctl }; 
@@ -9740,29 +9763,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq + type mysqld_script_exec_t; + ') + -+ allow $2 mysqld_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($2, mysqld_t, mysqld_t) ++ allow $1 mysqld_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, mysqld_t, mysqld_t) + -+ # Allow $2 to restart the apache service -+ mysql_script_domtrans($2) -+ domain_system_change_exemption($2) -+ role_transition $3 mysqld_script_exec_t system_r; -+ allow $3 system_r; ++ # Allow $1 to restart the apache service ++ mysql_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 mysqld_script_exec_t system_r; ++ allow $2 system_r; + -+ manage_dirs_pattern($2,mysqld_var_run_t,mysqld_var_run_t) -+ manage_files_pattern($2,mysqld_var_run_t,mysqld_var_run_t) ++ manage_dirs_pattern($1,mysqld_var_run_t,mysqld_var_run_t) ++ manage_files_pattern($1,mysqld_var_run_t,mysqld_var_run_t) + -+ manage_dirs_pattern($2,mysqld_db_t,mysqld_db_t) -+ manage_files_pattern($2,mysqld_db_t,mysqld_db_t) ++ manage_dirs_pattern($1,mysqld_db_t,mysqld_db_t) ++ manage_files_pattern($1,mysqld_db_t,mysqld_db_t) + -+ manage_dirs_pattern($2,mysqld_etc_t,mysqld_etc_t) -+ manage_files_pattern($2,mysqld_etc_t,mysqld_etc_t) ++ manage_dirs_pattern($1,mysqld_etc_t,mysqld_etc_t) ++ manage_files_pattern($1,mysqld_etc_t,mysqld_etc_t) + -+ manage_dirs_pattern($2,mysqld_log_t,mysqld_log_t) -+ manage_files_pattern($2,mysqld_log_t,mysqld_log_t) ++ manage_dirs_pattern($1,mysqld_log_t,mysqld_log_t) ++ manage_files_pattern($1,mysqld_log_t,mysqld_log_t) + -+ manage_dirs_pattern($2,mysqld_tmp_t,mysqld_tmp_t) -+ manage_files_pattern($2,mysqld_tmp_t,mysqld_tmp_t) ++ manage_dirs_pattern($1,mysqld_tmp_t,mysqld_tmp_t) ++ manage_files_pattern($1,mysqld_tmp_t,mysqld_tmp_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.0.8/policy/modules/services/mysql.te --- 
nsaserefpolicy/policy/modules/services/mysql.te 2007-10-22 13:21:39.000000000 -0400 @@ -9972,7 +9995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.8/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te 2007-11-16 17:50:34.000000000 -0500 @@ -13,6 +13,9 @@ type NetworkManager_var_run_t; files_pid_file(NetworkManager_var_run_t) @@ -10033,7 +10056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ppp_domtrans(NetworkManager_t) ppp_read_pid_files(NetworkManager_t) ppp_signal(NetworkManager_t) -+ ppp_read_read_config(NetworkManager_t) ++ ppp_read_config(NetworkManager_t) ') optional_policy(` @@ -10984,7 +11007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.0.8/policy/modules/services/postgresql.if --- nsaserefpolicy/policy/modules/services/postgresql.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/postgresql.if 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/postgresql.if 2007-11-16 17:28:53.000000000 -0500 @@ -113,3 +113,77 @@ # Some versions of postgresql put the sock file in /tmp allow $1 postgresql_tmp_t:sock_file write; 
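Review bot: The comment `# Allow $1 to restart the apache service` in the mysql admin interface names the wrong daemon — a copy-paste leftover from apache.if — and the same line recurs in the postgresql.if hunk `@@ -11039,29 +11062,29 @@`; they should read `# Allow $1 to restart the mysql service` and `# Allow $1 to restart the postgresql service` respectively. The renumbering from `$2`/`$3` to `$1`/`$2` is consistent for a two-argument admin interface, but the interface header and its parameter documentation sit above this hunk, so confirm they now describe exactly two parameters (domain, role). The interface also grants `ptrace` on mysqld_t; a short comment stating that this is intended for administrative debugging would make the grant self-explanatory.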
@@ -11039,29 +11062,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + type postgresql_log_t; + ') + -+ allow $2 postgresql_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($2, postgresql_t, postgresql_t) ++ allow $1 postgresql_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, postgresql_t, postgresql_t) + -+ # Allow $2 to restart the apache service -+ postgresql_script_domtrans($2) -+ domain_system_change_exemption($2) -+ role_transition $3 postgresql_script_exec_t system_r; -+ allow $3 system_r; ++ # Allow $1 to restart the apache service ++ postgresql_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 postgresql_script_exec_t system_r; ++ allow $2 system_r; + -+ manage_dirs_pattern($2,postgresql_var_run_t,postgresql_var_run_t) -+ manage_files_pattern($2,postgresql_var_run_t,postgresql_var_run_t) ++ manage_dirs_pattern($1,postgresql_var_run_t,postgresql_var_run_t) ++ manage_files_pattern($1,postgresql_var_run_t,postgresql_var_run_t) + -+ manage_dirs_pattern($2,postgresql_db_t,postgresql_db_t) -+ manage_files_pattern($2,postgresql_db_t,postgresql_db_t) ++ manage_dirs_pattern($1,postgresql_db_t,postgresql_db_t) ++ manage_files_pattern($1,postgresql_db_t,postgresql_db_t) + -+ manage_dirs_pattern($2,postgresql_etc_t,postgresql_etc_t) -+ manage_files_pattern($2,postgresql_etc_t,postgresql_etc_t) ++ manage_dirs_pattern($1,postgresql_etc_t,postgresql_etc_t) ++ manage_files_pattern($1,postgresql_etc_t,postgresql_etc_t) + -+ manage_dirs_pattern($2,postgresql_log_t,postgresql_log_t) -+ manage_files_pattern($2,postgresql_log_t,postgresql_log_t) ++ manage_dirs_pattern($1,postgresql_log_t,postgresql_log_t) ++ manage_files_pattern($1,postgresql_log_t,postgresql_log_t) + -+ manage_dirs_pattern($2,postgresql_tmp_t,postgresql_tmp_t) -+ manage_files_pattern($2,postgresql_tmp_t,postgresql_tmp_t) ++ manage_dirs_pattern($1,postgresql_tmp_t,postgresql_tmp_t) ++ 
manage_files_pattern($1,postgresql_tmp_t,postgresql_tmp_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.0.8/policy/modules/services/postgresql.te --- nsaserefpolicy/policy/modules/services/postgresql.te 2007-10-22 13:21:39.000000000 -0400 @@ -11128,7 +11151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. # Fix pptp sockets diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.0.8/policy/modules/services/ppp.if --- nsaserefpolicy/policy/modules/services/ppp.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/ppp.if 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/ppp.if 2007-11-16 17:50:58.000000000 -0500 @@ -159,6 +159,25 @@ ######################################## @@ -11141,7 +11164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. +## +## +# -+interface(`ppp_read_read_config',` ++interface(`ppp_read_config',` + gen_require(` + type pppd_etc_t; + ') @@ -12955,7 +12978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.0.8/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/ssh.if 2007-11-14 09:59:47.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/ssh.if 2007-11-16 10:11:34.000000000 -0500 @@ -202,6 +202,7 @@ # template(`ssh_per_role_template',` 
@@ -12964,7 +12987,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. type ssh_agent_exec_t, ssh_keysign_exec_t; ') -@@ -443,13 +444,14 @@ +@@ -383,10 +384,6 @@ + xserver_rw_xdm_pipes($1_ssh_agent_t) + ') + +- ifdef(`TODO',` +- dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read }; +- ') dnl endif TODO +- + ############################## + # + # $1_ssh_keysign_t local policy +@@ -443,13 +440,14 @@ type $1_var_run_t; files_pid_file($1_var_run_t) @@ -12980,7 +13014,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom }; term_create_pty($1_t,$1_devpts_t) -@@ -478,7 +480,11 @@ +@@ -478,7 +476,11 @@ corenet_udp_bind_all_nodes($1_t) corenet_tcp_bind_ssh_port($1_t) corenet_tcp_connect_all_ports($1_t) @@ -12992,7 +13026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. fs_dontaudit_getattr_all_fs($1_t) -@@ -494,6 +500,8 @@ +@@ -494,6 +496,8 @@ files_read_etc_files($1_t) files_read_etc_runtime_files($1_t) @@ -13001,7 +13035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. libs_use_ld_so($1_t) libs_use_shared_libs($1_t) -@@ -506,12 +514,14 @@ +@@ -506,12 +510,14 @@ userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t) userdom_search_all_users_home_dirs($1_t) @@ -13016,7 +13050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') tunable_policy(`use_samba_home_dirs',` -@@ -520,6 +530,7 @@ +@@ -520,6 +526,7 @@ optional_policy(` kerberos_use($1_t) 
@@ -13024,7 +13058,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') optional_policy(` -@@ -708,3 +719,42 @@ +@@ -675,6 +682,25 @@ + + ######################################## + ## ++## Execute the ssh agent client in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ssh_agent_exec',` ++ gen_require(` ++ type ssh_agent_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1,ssh_agent_exec_t) ++') ++ ++######################################## ++## + ## Execute the ssh key generator in the ssh keygen domain. + ## + ## +@@ -708,3 +734,42 @@ dontaudit $1 sshd_key_t:file { getattr read }; ') @@ -14262,7 +14322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-11-15 10:20:36.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-11-16 10:15:21.000000000 -0500 @@ -26,7 +26,8 @@ type $1_chkpwd_t, can_read_shadow_passwords; application_domain($1_chkpwd_t,chkpwd_exec_t) @@ -14326,7 +14386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo selinux_get_fs_mount($1) selinux_validate_context($1) selinux_compute_access_vector($1) -@@ -196,20 +218,42 @@ +@@ -196,20 +218,47 @@ mls_fd_share_all_levels($1) auth_domtrans_chk_passwd($1) 
@@ -14364,13 +14424,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + ') + + optional_policy(` ++ ssh_agent_exec($1) ++ userdom_read_all_users_home_content_files($1) ++ ') ++ ++ optional_policy(` + unconfined_set_rlimitnh($1) + ') + tunable_policy(`allow_polyinstantiation',` files_polyinstantiate_all($1) ') -@@ -309,9 +353,6 @@ +@@ -309,9 +358,6 @@ type system_chkpwd_t, chkpwd_exec_t, shadow_t; ') @@ -14380,7 +14445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo corecmd_search_bin($1) domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t) -@@ -329,6 +370,8 @@ +@@ -329,6 +375,8 @@ optional_policy(` kerberos_use($1) @@ -14389,7 +14454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') optional_policy(` -@@ -347,6 +390,37 @@ +@@ -347,6 +395,37 @@ ######################################## ## @@ -14427,7 +14492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ## Get the attributes of the shadow passwords file. ## ## -@@ -695,6 +769,24 @@ +@@ -695,6 +774,24 @@ ######################################## ## @@ -14452,7 +14517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ## Execute pam programs in the PAM domain. ## ## -@@ -1318,16 +1410,14 @@ +@@ -1318,16 +1415,14 @@ ## # interface(`auth_use_nsswitch',` @@ -14472,7 +14537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo miscfiles_read_certs($1) sysnet_dns_name_resolve($1) -@@ -1347,6 +1437,8 @@ +@@ -1347,6 +1442,8 @@ optional_policy(` samba_stream_connect_winbind($1) @@ -14481,7 +14546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ') -@@ -1381,3 +1473,181 @@ +@@ -1381,3 +1478,181 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') 
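Review bot: `userdom_read_all_users_home_content_files($1)` added next to `ssh_agent_exec($1)` grants every domain instantiated from this template read access to all content in every user's home directory, which is far wider than launching ssh-agent needs, and the hunk gives no hint of the consumer. Presumably a PAM module that loads the user's ssh keys at login motivates it — a comment such as `# pam_ssh (or similar): run ssh-agent and read the user's ssh keys` above the optional_policy block would document that, and a narrower home-content interface should be preferred if one exists. The enclosing template starts above this hunk, so its doc header should also mention this new home-directory access.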
@@ -15452,7 +15517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.0.8/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/ipsec.te 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/ipsec.te 2007-11-16 09:54:16.000000000 -0500 @@ -55,11 +55,11 @@ allow ipsec_t self:capability { net_admin dac_override dac_read_search }; @@ -15544,7 +15609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. # manage pid file manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t) -@@ -299,11 +303,15 @@ +@@ -299,11 +303,16 @@ allow racoon_t ipsec_spd_t:association setcontext; @@ -15557,6 +15622,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. corenet_udp_bind_isakmp_port(racoon_t) +corenet_udp_bind_all_nodes(racoon_t) +corenet_udp_sendrecv_all_if(racoon_t) ++corenet_udp_bind_ipsecnat_port(ipsec_t) dev_read_urand(racoon_t) 
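Review bot: `corenet_udp_bind_ipsecnat_port(ipsec_t)` is inserted in the racoon_t local policy block — it sits between `corenet_udp_sendrecv_all_if(racoon_t)` and `dev_read_urand(racoon_t)` — yet grants the bind to ipsec_t rather than racoon_t. If racoon is the daemon that needs the NAT traversal port this looks like a typo for `corenet_udp_bind_ipsecnat_port(racoon_t)`; if ipsec_t is really intended, the line belongs in the ipsec_t section earlier in the file (outside this hunk) with its other port binds. Either way a comment like `# IKE NAT traversal` would make the intent clear.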
@@ -15832,18 +15898,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin +/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.8/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/logging.if 2007-11-14 15:02:16.000000000 -0500 -@@ -33,8 +33,27 @@ - ## ++++ serefpolicy-3.0.8/policy/modules/system/logging.if 2007-11-16 17:25:25.000000000 -0500 +@@ -34,6 +34,51 @@ # interface(`logging_send_audit_msgs',` -+ gen_require(` -+ attribute can_send_audit_msgs; -+ ') -+ -+ typeattribute $1 can_send_audit_msgs; allow $1 self:capability audit_write; -- allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; + allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay }; +') + 
@@ -15858,35 +15917,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin +## +# +interface(`logging_dontaudit_send_audit_msgs',` ++ dontaudit $1 self:capability audit_write; + dontaudit $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay }; - ') - - ######################################## -@@ -238,6 +257,63 @@ - - ######################################## - ## -+## Manage the syslogd configuration files. ++') ++ ++######################################## ++## ++## Set login uid +## +## +## +## Domain allowed access. +## +## -+## +# -+interface(`logging_manage_syslog_config',` -+ gen_require(` -+ type syslog_conf_t; -+ ') -+ -+ files_search_etc($1) -+ manage_files_pattern($1,syslog_conf_t,syslog_conf_t) ++interface(`logging_set_loginuid',` ++ allow $1 self:capability audit_control; ++ allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay }; +') + -+####################################### ++######################################## +## -+## Automatic transition from etc to syslog_conf_t. ++## Set up audit +## +## +## @@ -15894,16 +15946,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin +## +## +# -+interface(`logging_etc_filetrans_syslog_conf',` -+ gen_require(` -+ type syslog_conf_t; -+ ') -+ -+ files_etc_filetrans($1,syslog_conf_t,file) -+') -+ -+######################################## -+## ++interface(`logging_set_audit_parameters',` ++ allow $1 self:capability { audit_write audit_control }; + allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; + ') + +@@ -219,6 +264,25 @@ + + ######################################## + ## +## Execute klogd in the klog domain. +## +## 
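Review bot: `logging_set_audit_parameters` combines the new `allow $1 self:capability { audit_write audit_control };` with the pre-existing context line `allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };`; nlmsg_relay covers relaying user-space audit records, whereas I would expect audit configuration messages to be mediated by `nlmsg_write` — worth confirming against what auditd/auditctl actually issue before callers rely on this interface. The one-line summaries `## Set login uid` and `## Set up audit` are also too terse for interfaces that hand out audit_control; suggest `## Set the audit login uid of the caller (grants audit_control).` and `## Configure the audit subsystem (grants audit_write and audit_control to the caller).`. The trailing `')` of `logging_set_audit_parameters` is the hunk's last context line, so the interface is complete here.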
@@ -15923,10 +15974,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin + +######################################## +## - ## Create an object in the log directory, with a private - ## type using a type transition. + ## Execute syslogd in the syslog domain. ## -@@ -465,12 +541,11 @@ + ## +@@ -465,12 +529,11 @@ interface(`logging_read_all_logs',` gen_require(` attribute logfile; @@ -15937,11 +15988,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin - allow $1 var_log_t:dir list_dir_perms; - read_files_pattern($1,var_log_t,logfile) + allow $1 logfile:dir list_dir_perms; -+ read_files_pattern($1,logfile, logfile) ++ read_files_pattern($1, logfile, logfile) ') ######################################## -@@ -514,6 +589,8 @@ +@@ -514,6 +577,8 @@ files_search_var($1) manage_files_pattern($1,logfile,logfile) read_lnk_files_pattern($1,logfile,logfile) 
@@ -15950,106 +16001,152 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ') ######################################## -@@ -597,3 +674,258 @@ +@@ -597,3 +662,183 @@ files_search_var($1) manage_files_pattern($1,var_log_t,var_log_t) ') + +######################################## +## -+## Set login uid ++## All of the rules required to administrate ++## the audit environment +## +## +## +## Domain allowed access. +## +## ++## ++## ++## The role to be allowed to manage the audit domain. ++## ++## ++## ++## ++## The type of the user terminal. ++## ++## ++## +# -+interface(`logging_set_loginuid',` ++interface(`logging_admin_audit',` + gen_require(` -+ attribute can_set_loginuid; -+ attribute can_send_audit_msgs; ++ type auditd_t, auditd_etc_t, auditd_log_t; ++ type auditd_script_exec_t; ++ type auditd_var_run_t; + ') + -+ typeattribute $1 can_set_loginuid, can_send_audit_msgs; ++ allow $1 auditd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, auditd_t) ++ ++ manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) ++ manage_files_pattern($1, auditd_etc_t, auditd_etc_t) ++ ++ manage_dirs_pattern($1, auditd_log_t, auditd_log_t) ++ manage_files_pattern($1, auditd_log_t, auditd_log_t) ++ ++ manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t) ++ manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t) ++ ++ logging_run_auditctl($1, $2, $3) ++ ++ # Allow $1 to restart the audit service ++ logging_audit_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 auditd_script_exec_t system_r; ++ allow $2 system_r; + -+ allow $1 self:capability audit_control; -+ allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay }; +') + +######################################## +## -+## Set up audit ++## All of the rules required to administrate ++## the syslog environment +## +## +## +## Domain allowed access. 
+## +## -+# -+interface(`logging_set_audit',` -+ gen_require(` -+ attribute can_set_audit; -+ attribute can_send_audit_msgs; -+ ') -+ -+ typeattribute $1 can_set_audit, can_send_audit_msgs; -+ allow $1 self:capability { audit_write audit_control }; -+ allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; -+') -+ -+######################################## -+## -+## Set audit control rules -+## -+## ++## +## -+## Domain allowed access. ++## The role to be allowed to manage the syslog domain. ++## ++## ++## ++## ++## The type of the user terminal. +## +## ++## +# -+interface(`logging_set_auditctl',` ++interface(`logging_admin_syslog',` + gen_require(` -+ attribute can_set_auditctl; ++ type syslogd_t, klogd_t, syslog_conf_t; ++ type syslogd_tmp_t, syslogd_var_lib_t; ++ type syslogd_var_run_t, klogd_var_run_t; ++ type klogd_tmp_t, var_log_t; ++ type syslogd_script_exec_t; + ') + -+ typeattribute $1 can_set_auditctl; -+ logging_set_audit($1) -+ allow $1 self:netlink_audit_socket nlmsg_readpriv; ++ allow $1 syslogd_t:process { ptrace signal_perms }; ++ allow $1 klogd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, syslogd_t) ++ ps_process_pattern($1, klogd_t) ++ ++ manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) ++ manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) ++ ++ manage_dirs_pattern($1, klogd_tmp_t, klogd_tmp_t) ++ manage_files_pattern($1, klogd_tmp_t, klogd_tmp_t) ++ ++ manage_dirs_pattern($1, syslogd_tmp_t, syslogd_tmp_t) ++ manage_files_pattern($1, syslogd_tmp_t, syslogd_tmp_t) ++ ++ manage_dirs_pattern($1, syslog_conf_t, syslog_conf_t) ++ manage_files_pattern($1, syslog_conf_t, syslog_conf_t) ++ files_etc_filetrans($1, syslog_conf_t, file) ++ ++ manage_dirs_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t) ++ manage_files_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t) ++ ++ manage_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t) ++ manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) 
++ ++ logging_manage_all_logs($1) ++ ++ # Allow $1 to restart the syslog service ++ logging_syslog_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 syslogd_script_exec_t system_r; ++ allow $2 system_r; ++ +') + +######################################## +## -+## Unconfined access to the loggin module. ++## All of the rules required to administrate ++## the logging environment +## -+## -+##

-+## Unconfined access to the authlogin module. -+##

-+##

-+## Currently, this only allows assertions for -+## the audit susbsystem to be passed. -+## No access is granted yet. -+##

-+##
+## +## +## Domain allowed access. +## +## ++## ++## ++## The role to be allowed to manage the syslog domain. ++## ++## ++## ++## ++## The type of the user terminal. ++## ++## ++## +# -+interface(`logging_unconfined',` -+ gen_require(` -+ attribute can_set_audit; -+ attribute can_set_auditctl; -+ attribute can_send_audit_msgs; -+ attribute can_set_loginuid; -+ ') -+ -+ typeattribute $1 can_set_loginuid; -+ typeattribute $1 can_set_audit; -+ typeattribute $1 can_set_auditctl; -+ typeattribute $1 can_send_audit_msgs; ++interface(`logging_admin',` ++ logging_admin_audit($1, $2, $3) ++ logging_admin_syslog($1, $2, $3) +') + +######################################## 
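Review bot: The parameter documentation on the new `logging_admin` interface at the end of this hunk describes `$2` as `The role to be allowed to manage the syslog domain`, but the interface calls both `logging_admin_audit` and `logging_admin_syslog`, so the role also receives the auditd script role_transition into system_r; the line should read `## The role to be allowed to manage the audit and syslog domains.` In `logging_admin_syslog` the gen_require lists `var_log_t` but nothing in the body references it (log access is granted through `logging_manage_all_logs`), so that require can be dropped. Both admin interfaces also allow `ptrace` on the daemon domains, which is the established admin pattern, but a one-line comment stating that ptrace lets `$1` inspect and alter the running audit daemon would help readers decide which domains should be passed in.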
@@ -16088,148 +16185,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin + init_script_domtrans_spec($1,auditd_script_exec_t) +') + -+ -+######################################## -+## -+## All of the rules required to administrate an audit environment -+## -+## -+## -+## Prefix of the domain. Example, user would be -+## the prefix for the uder_t domain. -+## -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the audit domain. -+## -+## -+## -+# -+interface(`logging_audit_admin',` -+ -+ gen_require(` -+ type auditd_t; -+ type auditd_script_exec_t; -+ type auditd_etc_t; -+ type auditd_log_t; -+ type auditd_var_run_t; -+ ') -+ -+ allow $2 auditd_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($2, auditd_t, auditd_t) -+ -+ # Allow $2 to restart the audit service -+ logging_audit_script_domtrans($2) -+ domain_system_change_exemption($2) -+ role_transition $3 auditd_script_exec_t system_r; -+ allow $3 system_r; -+ -+ manage_dirs_pattern($2,auditd_etc_t,auditd_etc_t) -+ manage_files_pattern($2,auditd_etc_t,auditd_etc_t) -+ -+ manage_dirs_pattern($2,auditd_log_t,auditd_log_t) -+ manage_files_pattern($2,auditd_log_t,auditd_log_t) -+ -+ manage_dirs_pattern($2,auditd_var_run_t,auditd_var_run_t) -+ manage_files_pattern($2,auditd_var_run_t,auditd_var_run_t) -+ logging_run_auditctl($2, $3,{ $1_devpts_t $1_tty_device_t }) -+') -+ -+######################################## -+## -+## All of the rules required to administrate an audit environment -+## -+## -+## -+## Prefix of the domain. Example, user would be -+## the prefix for the uder_t domain. -+## -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the audit domain. 
-+## -+## -+## -+# -+interface(`logging_syslog_admin',` -+ -+ gen_require(` -+ type syslogd_t; -+ type klogd_t; -+ type syslogd_script_exec_t; -+ type syslog_conf_t; -+ type syslogd_tmp_t; -+ type syslogd_var_lib_t; -+ type syslogd_var_run_t; -+ type klogd_var_run_t; -+ type klogd_tmp_t; -+ type var_log_t; -+ ') -+ -+ allow $2 syslogd_t:process { ptrace signal_perms getattr }; -+ allow $2 klogd_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($2, syslogd_t, syslogd_t) -+ read_files_pattern($2, klogd_t, klogd_t) -+ -+ # Allow $2 to restart the syslog service -+ logging_syslog_script_domtrans($2) -+ domain_system_change_exemption($2) -+ role_transition $3 syslogd_script_exec_t system_r; -+ allow $3 system_r; -+ -+ manage_dirs_pattern($2, klogd_var_run_t,klogd_var_run_t) -+ manage_files_pattern($2,klogd_var_run_t,klogd_var_run_t) -+ -+ manage_dirs_pattern($2,klogd_tmp_t,klogd_tmp_t) -+ manage_files_pattern($2,klogd_tmp_t,klogd_tmp_t) -+ -+ manage_dirs_pattern($2,syslogd_tmp_t,syslogd_tmp_t) -+ manage_files_pattern($2,syslogd_tmp_t,syslogd_tmp_t) -+ -+ manage_dirs_pattern($2,syslog_conf_t,syslog_conf_t) -+ manage_files_pattern($2,syslog_conf_t,syslog_conf_t) -+ -+ manage_dirs_pattern($2,syslogd_var_lib_t,syslogd_var_lib_t) -+ manage_files_pattern($2,syslogd_var_lib_t,syslogd_var_lib_t) -+ -+ manage_dirs_pattern($2,syslogd_var_run_t,syslogd_var_run_t) -+ manage_files_pattern($2,syslogd_var_run_t,syslogd_var_run_t) -+ -+ logging_manage_all_logs($2) -+') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.0.8/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/logging.te 2007-10-29 23:59:29.000000000 -0400 -@@ -7,6 +7,10 @@ - # ++++ serefpolicy-3.0.8/policy/modules/system/logging.te 2007-11-16 17:40:27.000000000 -0500 +@@ -1,5 +1,5 @@ - attribute logfile; -+attribute can_set_audit; -+attribute 
can_set_auditctl; -+attribute can_set_loginuid; -+attribute can_send_audit_msgs; +-policy_module(logging,1.7.3) ++policy_module(logging,1.8.2) - type auditctl_t; - type auditctl_exec_t; -@@ -45,9 +49,15 @@ - type syslogd_exec_t; - init_daemon_domain(syslogd_t,syslogd_exec_t) + ######################################## + # +@@ -41,6 +41,9 @@ + type klogd_var_run_t; + files_pid_file(klogd_var_run_t) +type syslog_conf_t; +files_type(syslog_conf_t) + + type syslogd_t; + type syslogd_exec_t; + init_daemon_domain(syslogd_t,syslogd_exec_t) +@@ -48,6 +51,9 @@ type syslogd_tmp_t; files_tmp_file(syslogd_tmp_t) @@ -16239,7 +16215,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin type syslogd_var_run_t; files_pid_file(syslogd_var_run_t) -@@ -55,23 +65,35 @@ +@@ -55,23 +61,30 @@ logging_log_file(var_log_t) files_mountpoint(var_log_t) @@ -16253,12 +16229,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh) ') -+neverallow ~{ can_set_loginuid can_set_audit } self:capability audit_control; -+neverallow ~can_set_audit self:netlink_audit_socket nlmsg_write; -+neverallow ~can_set_auditctl self:netlink_audit_socket nlmsg_readpriv; -+neverallow ~can_send_audit_msgs self:capability audit_write; -+neverallow ~can_send_audit_msgs self:netlink_audit_socket nlmsg_relay; -+ ######################################## # -# Auditd local policy @@ -16268,6 +16238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin -allow auditctl_t self:capability { audit_write audit_control }; -allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv }; +allow auditctl_t self:capability { fsetid dac_read_search dac_override }; ++allow auditctl_t self:netlink_audit_socket nlmsg_readpriv; read_files_pattern(auditctl_t,auditd_etc_t,auditd_etc_t) allow auditctl_t auditd_etc_t:dir list_dir_perms; 
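Review bot: The revised logging.te hunk `@@ -16253,12 +16229,6 @@` drops the five `neverallow` assertions on `audit_control`, `audit_write`, `nlmsg_write`, `nlmsg_readpriv` and `nlmsg_relay` together with the can_set_* attributes, so the policy no longer proves at build time that only domains passed through the logging_set_* interfaces can reconfigure or write to the audit subsystem; any module can now add a bare `allow ... self:capability audit_control;` and it will compile. If the attribute scheme is being retired deliberately, the commit should say why, and the .te could keep a narrower assertion naming the intended domains or at least carry a comment next to the auditctl rules, e.g. `# audit_control/audit_write are granted only via logging_set_loginuid()/logging_set_audit_parameters(); no neverallow guards them`. The explicit `nlmsg_readpriv` allow added for auditctl_t here plus `logging_set_audit_parameters(auditctl_t)` in the following hunk appear to reproduce the rule set auditctl_t had before, so the grants themselves look equivalent.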
@@ -16278,15 +16249,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin files_read_etc_files(auditctl_t) kernel_read_kernel_sysctls(auditctl_t) -@@ -91,6 +113,7 @@ +@@ -91,6 +104,7 @@ locallogin_dontaudit_use_fds(auditctl_t) -+logging_set_auditctl(auditctl_t) ++logging_set_audit_parameters(auditctl_t) logging_send_syslog_msg(auditctl_t) ######################################## -@@ -98,12 +121,11 @@ +@@ -98,16 +112,15 @@ # Auditd local policy # @@ -16300,27 +16271,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin allow auditd_t self:fifo_file rw_file_perms; allow auditd_t auditd_etc_t:dir list_dir_perms; -@@ -141,6 +163,7 @@ +-allow auditd_t auditd_etc_t:file r_file_perms; ++allow auditd_t auditd_etc_t:file read_file_perms; + + manage_files_pattern(auditd_t,auditd_log_t,auditd_log_t) + manage_lnk_files_pattern(auditd_t,auditd_log_t,auditd_log_t) +@@ -141,6 +154,7 @@ init_telinit(auditd_t) -+logging_set_audit(auditd_t) ++logging_set_audit_parameters(auditd_t) logging_send_syslog_msg(auditd_t) libs_use_ld_so(auditd_t) -@@ -150,6 +173,7 @@ +@@ -194,6 +208,7 @@ - mls_file_read_all_levels(auditd_t) - mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory -+mls_fd_use_all_levels(auditd_t) + fs_getattr_all_fs(klogd_t) + fs_search_auto_mountpoints(klogd_t) ++fs_search_tmpfs(klogd_t) - seutil_dontaudit_read_config(auditd_t) + domain_use_interactive_fds(klogd_t) -@@ -241,12 +265,18 @@ +@@ -241,12 +256,16 @@ allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; -+allow syslogd_t syslog_conf_t:file r_file_perms; ++allow syslogd_t syslog_conf_t:file read_file_perms; + # Create and bind to /dev/log or /var/run/log. allow syslogd_t devlog_t:sock_file manage_sock_file_perms; 
@@ -16328,24 +16304,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin # create/append log files. manage_files_pattern(syslogd_t,var_log_t,var_log_t) -+allow syslogd_t var_run_t:fifo_file { ioctl read write }; -+# r/w log fifo_files files. +rw_fifo_files_pattern(syslogd_t,var_log_t,var_log_t) + # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; -@@ -255,6 +285,9 @@ +@@ -255,6 +274,9 @@ manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t) files_tmp_filetrans(syslogd_t,syslogd_tmp_t,{ dir file }) ++manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) +files_search_var_lib(syslogd_t) -+manage_files_pattern(syslogd_t,syslogd_var_lib_t,syslogd_var_lib_t) + allow syslogd_t syslogd_var_run_t:file manage_file_perms; files_pid_filetrans(syslogd_t,syslogd_var_run_t,file) -@@ -312,6 +345,7 @@ +@@ -312,6 +334,7 @@ domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) @@ -16366,7 +16340,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc /etc/lvm/lock(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.0.8/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/lvm.te 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/lvm.te 2007-11-16 09:37:23.000000000 -0500 @@ -44,9 +44,9 @@ # Cluster LVM daemon local policy # @@ -16492,7 +16466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te term_getattr_all_user_ttys(lvm_t) term_list_ptys(lvm_t) -@@ -254,6 +267,7 @@ +@@ -254,10 +267,12 @@ domain_use_interactive_fds(lvm_t) 
@@ -16500,7 +16474,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: -@@ -275,6 +289,8 @@ + files_dontaudit_search_isid_type_dirs(lvm_t) ++files_search_mnt(lvm_t) + + init_use_fds(lvm_t) + init_dontaudit_getattr_initctl(lvm_t) +@@ -275,6 +290,8 @@ seutil_search_default_contexts(lvm_t) seutil_sigchld_newrole(lvm_t) @@ -16509,7 +16488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te ifdef(`distro_redhat',` # this is from the initrd: files_rw_isid_type_dirs(lvm_t) -@@ -293,5 +309,14 @@ +@@ -293,5 +310,18 @@ ') optional_policy(` @@ -16517,6 +16496,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te +') + +optional_policy(` ++ unconfined_domain(lvm_t) ++') ++ ++optional_policy(` udev_read_db(lvm_t) ') + @@ -16911,7 +16894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.0.8/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.if 2007-11-10 07:25:22.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.if 2007-11-16 17:44:12.000000000 -0500 @@ -585,7 +585,7 @@ type selinux_config_t; ') 
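Review bot: `unconfined_domain(lvm_t)` inside the new `optional_policy` block in lvm.te hands the LVM tools the entire unconfined attribute set, which discards the confinement this module otherwise builds rule by rule for a root tool that reads and writes raw block devices. The change carries no comment explaining which denials it works around; if it is a stopgap, a note such as `# TODO: replace with targeted rules; unconfined_domain() disables LVM confinement entirely` and a tracking reference would make the regression visible to anyone auditing the policy. The adjacent `files_search_mnt(lvm_t)` addition is the kind of targeted rule that should be preferred.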
@@ -17743,7 +17726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-11-14 09:50:10.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-11-16 17:33:54.000000000 -0500 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -17778,18 +17761,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf kernel_unconfined($1) corenet_unconfined($1) -@@ -79,6 +79,10 @@ - ') - - optional_policy(` -+ logging_unconfined($1) -+ ') -+ -+ optional_policy(` - nscd_unconfined($1) - ') - -@@ -399,12 +403,11 @@ +@@ -399,12 +399,11 @@ ######################################## ## @@ -17804,7 +17776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ## ## # -@@ -413,9 +416,10 @@ +@@ -413,9 +412,10 @@ type unconfined_t; ') @@ -17816,7 +17788,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ######################################## ## ## Connect to the unconfined domain using -@@ -437,6 +441,25 @@ +@@ -437,6 +437,25 @@ ######################################## ## @@ -17842,7 +17814,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ## Do not audit attempts to read or write ## unconfined domain tcp sockets. ## -@@ -558,7 +581,7 @@ +@@ -558,7 +577,7 @@ ') files_search_home($1) 
@@ -17851,7 +17823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf read_files_pattern($1,{ unconfined_home_dir_t unconfined_home_t },unconfined_home_t) read_lnk_files_pattern($1,{ unconfined_home_dir_t unconfined_home_t },unconfined_home_t) ') -@@ -601,3 +624,216 @@ +@@ -601,3 +620,216 @@ allow $1 unconfined_tmp_t:file { getattr write append }; ') @@ -18330,7 +18302,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-14 14:05:33.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-16 17:13:34.000000000 -0500 @@ -29,8 +29,9 @@ ') @@ -19085,7 +19057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +## +# -+template(`userdom_unpriv_login_user', ` ++template(`userdom_restricted_user_template',` + gen_require(` + attribute unpriv_userdomain; + attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode; @@ -19128,8 +19100,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +# +template(`userdom_unpriv_user_template', ` ++ userdom_restricted_user_template($1) + -+ userdom_unpriv_login_user($1) + + # Find CDROM devices: + kernel_read_device_sysctls($1_t) @@ -19622,7 +19594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +##
+## +# -+template(`userdom_unpriv_xwindows_login_user', ` ++template(`userdom_restricted_xwindows_user_template', ` + +userdom_unpriv_login_user($1) +# Should be optional but policy will not build because of compiler problems @@ -20244,11 +20216,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.i +## Policy for guest user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.0.8/policy/modules/users/guest.te --- nsaserefpolicy/policy/modules/users/guest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.8/policy/modules/users/guest.te 2007-11-08 09:00:10.000000000 -0500 -@@ -0,0 +1,3 @@ -+policy_module(guest,1.0.0) -+userdom_unpriv_login_user(guest) -+userdom_unpriv_login_user(gadmin) ++++ serefpolicy-3.0.8/policy/modules/users/guest.te 2007-11-16 17:15:41.000000000 -0500 +@@ -0,0 +1,4 @@ ++policy_module(guest,1.0.1) ++userdom_restricted_user_template(guest) ++userdom_restricted_user_template(gadmin) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.0.8/policy/modules/users/logadm.fc --- nsaserefpolicy/policy/modules/users/logadm.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.0.8/policy/modules/users/logadm.fc 2007-10-29 23:59:29.000000000 -0400 @@ -20348,18 +20321,52 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest. +## Policy for xguest user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.te serefpolicy-3.0.8/policy/modules/users/xguest.te --- nsaserefpolicy/policy/modules/users/xguest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.8/policy/modules/users/xguest.te 2007-11-08 09:00:00.000000000 -0500 -@@ -0,0 +1,11 @@ -+policy_module(xguest,1.0.0) -+userdom_unpriv_xwindows_login_user(xguest) ++++ serefpolicy-3.0.8/policy/modules/users/xguest.te 2007-11-16 17:11:08.000000000 -0500 +@@ -0,0 +1,45 @@ ++policy_module(xguest,1.0.1) ++ ++## ++##
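Review bot: The body of the renamed `userdom_restricted_xwindows_user_template` still calls `userdom_unpriv_login_user($1)`, while hunk `@@ -19085,7 +19057,7 @@` renames that template to `userdom_restricted_user_template` and hunk `@@ -19128,8 +19100,8 @@` updates the other caller accordingly. Unless the old name survives as an alias somewhere outside this diff, m4 will leave `userdom_unpriv_login_user(xguest)` unexpanded in the generated xguest policy and the build will fail; the call should become `userdom_restricted_user_template($1)`. The template body continues past the end of this hunk.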

++## Allow xguest users to mount removable media ++##

++##
++gen_tunable(xguest_mount_media,false) ++ ++## ++##

++## Allow xguest to configure Network Manager ++##

++##
++gen_tunable(xguest_connect_network,false) ++ ++## ++##

++## Allow xguest to use blue tooth devices ++##

++##
++gen_tunable(xguest_use_bluetooth,false) ++ ++userdom_restricted_xwindows_user_template(xguest) ++ +mozilla_per_role_template(xguest, xguest_t, xguest_r) ++ +# Allow mounting of file systems +optional_policy(` -+ hal_dbus_chat(xguest_t) ++ tunable_policy(`xguest_mount_media',` ++ hal_dbus_chat(xguest_t) ++ ') +') + +optional_policy(` -+ bluetooth_dbus_chat(xguest_t) ++ tunable_policy(`xguest_connect_network',` ++ networkmanager_dbus_chat(xguest_t) ++ ') ++') ++ ++optional_policy(` ++ tunable_policy(`xguest_use_bluetooth',` ++ bluetooth_dbus_chat(xguest_t) ++ ') +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.0.8/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2007-10-22 13:21:43.000000000 -0400
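Review bot: `mozilla_per_role_template(xguest, xguest_t, xguest_r)` in the rewritten xguest.te is called outside any `optional_policy` block, so the xguest module hard-depends on the mozilla module being loaded, unlike the hal, networkmanager and bluetooth calls which are each wrapped; unless that dependency is intended, wrap it in `optional_policy(` … `)` the same way as the other three. The three new tunables default to `false`, which is the right default for a guest role, and gating each dbus chat grant behind its own tunable keeps the restricted profile minimal until an administrator opts in.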