diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/av_permissions.h libselinux-2.0.46/include/selinux/av_permissions.h
--- nsalibselinux/include/selinux/av_permissions.h 2007-11-15 15:52:46.000000000 -0500
+++ libselinux-2.0.46/include/selinux/av_permissions.h 2008-01-03 15:23:31.000000000 -0500
@@ -900,6 +900,8 @@
 #define PACKET__SEND 0x00000001UL
 #define PACKET__RECV 0x00000002UL
 #define PACKET__RELABELTO 0x00000004UL
+#define PACKET__FLOW_IN 0x00000008UL
+#define PACKET__FLOW_OUT 0x00000010UL
 #define KEY__VIEW 0x00000001UL
 #define KEY__READ 0x00000002UL
 #define KEY__WRITE 0x00000004UL
diff --exclude-from=exclude -N -u -r nsalibselinux/src/Makefile libselinux-2.0.46/src/Makefile
--- nsalibselinux/src/Makefile 2007-09-26 19:37:45.000000000 -0400
+++ libselinux-2.0.46/src/Makefile 2008-01-05 08:19:27.000000000 -0500
@@ -77,14 +77,14 @@
 install: all
 test -d $(LIBDIR) || install -m 755 -d $(LIBDIR)
- install -m 644 $(LIBA) $(LIBDIR)
 test -d $(SHLIBDIR) || install -m 755 -d $(SHLIBDIR)
 install -m 755 $(LIBSO) $(SHLIBDIR)
 cd $(LIBDIR) && ln -sf ../../`basename $(SHLIBDIR)`/$(LIBSO) $(TARGET)
 install-pywrap: pywrap
 test -d $(PYTHONLIBDIR)/site-packages || install -m 755 -d $(PYTHONLIBDIR)/site-packages
- install -m 755 $(SWIGFILES) $(PYTHONLIBDIR)/site-packages
+ install -m 755 $(SWIGSO) $(PYTHONLIBDIR)/site-packages
+ install -m 644 selinux.py $(PYTHONLIBDIR)/site-packages
 relabel:
 /sbin/restorecon $(SHLIBDIR)/$(LIBSO)
diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-2.0.46/src/matchpathcon.c
--- nsalibselinux/src/matchpathcon.c 2007-09-28 09:48:58.000000000 -0400
+++ libselinux-2.0.46/src/matchpathcon.c 2008-01-03 15:23:32.000000000 -0500
@@ -2,6 +2,7 @@
 #include
 #include
 #include
+#include
 #include "selinux_internal.h"
 #include "label_internal.h"
 #include "callbacks.h"
@@ -57,7 +58,7 @@
 {
 va_list ap;
 va_start(ap, fmt);
- vfprintf(stderr, fmt, ap);
+ vsyslog(LOG_ERR, fmt, ap);
 va_end(ap);
 }
diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux.py libselinux-2.0.46/src/selinux.py
--- nsalibselinux/src/selinux.py 2007-10-05 13:09:54.000000000 -0400
+++ libselinux-2.0.46/src/selinux.py 2008-01-08 05:00:39.000000000 -0500
@@ -1,5 +1,5 @@
 # This file was automatically generated by SWIG (http://www.swig.org).
-# Version 1.3.31
+# Version 1.3.33
 #
 # Don't modify this file, modify the SWIG interface instead.
 # This file is compatible with both classic and new-style classes.
Binary files nsalibselinux/src/selinux.pyc and libselinux-2.0.46/src/selinux.pyc differ
diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig.i libselinux-2.0.46/src/selinuxswig.i
--- nsalibselinux/src/selinuxswig.i 2007-10-01 09:54:35.000000000 -0400
+++ libselinux-2.0.46/src/selinuxswig.i 2008-01-08 05:00:22.000000000 -0500
@@ -10,6 +10,7 @@
 %apply int *OUTPUT { size_t * };
 %typedef unsigned mode_t;
+%typedef unsigned pid_t;
 %typemap(in, numinputs=0) (char ***names, int *len) (char **temp1, int temp2) {
 $1 = &temp1;
diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_wrap.c libselinux-2.0.46/src/selinuxswig_wrap.c
--- nsalibselinux/src/selinuxswig_wrap.c 2007-10-05 13:09:54.000000000 -0400
+++ libselinux-2.0.46/src/selinuxswig_wrap.c 2008-01-08 05:00:39.000000000 -0500
@@ -1,6 +1,6 @@
 /* ----------------------------------------------------------------------------
 * This file was automatically generated by SWIG (http://www.swig.org).
- * Version 1.3.31
+ * Version 1.3.33
 *
 * This file is not intended to be easily readable and contains a number of
 * coding conventions designed to improve portability and efficiency. Do not make
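Review bot: Switching the library's default printf callback from vfprintf(stderr, …) to vsyslog(LOG_ERR, …) silently diverts every matchpathcon diagnostic away from the terminal for any program that has not installed its own callback through set_matchpathcon_printf(); within this diff only utils/matchpathcon.c does so, so other library consumers lose their error output to syslog without any code change on their side. If the program never called openlog(), glibc presumably falls back to a default identity, so the messages are attributed to whatever ident the C library picks rather than one the application chose. If syslog is the intended default, a comment at the call site would make that explicit, e.g. `/* default sink is syslog; programs wanting stderr must call set_matchpathcon_printf() */`, and the documentation of set_matchpathcon_printf should state the new default. The function's signature sits on the line before the hunk, so the function starts outside it, and the added include at -2 is presumably <syslog.h> (its name is stripped in this rendering).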
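Review bot: `%typedef unsigned pid_t;` maps a type that is signed in <sys/types.h> onto unsigned, and the generated wrapper (selinuxswig_wrap.c, the getpidcon and getpidcon_raw hunks at -2986 and -3025) then does `arg1 = (pid_t)(val1);` with `unsigned int val1`. Negative Python values are now rejected with an overflow error at the boundary, which is probably desirable, but values between INT_MAX+1 and UINT_MAX pass SWIG_AsVal_unsigned_SS_int and wrap to a negative pid_t before reaching getpidcon. A one-line comment beside the typedef would record that trade-off: `%typedef unsigned pid_t; /* signed in libc; unsigned here so negative pids are rejected from Python, but values > INT_MAX wrap on the cast back */`.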
@@ -17,14 +17,14 @@ /* template workaround for compilers that cannot correctly implement the C++ standard */ #ifndef SWIGTEMPLATEDISAMBIGUATOR -# if defined(__SUNPRO_CC) -# if (__SUNPRO_CC <= 0x560) -# define SWIGTEMPLATEDISAMBIGUATOR template -# else -# define SWIGTEMPLATEDISAMBIGUATOR -# endif +# if defined(__SUNPRO_CC) && (__SUNPRO_CC <= 0x560) +# define SWIGTEMPLATEDISAMBIGUATOR template +# elif defined(__HP_aCC) +/* Needed even with `aCC -AA' when `aCC -V' reports HP ANSI C++ B3910B A.03.55 */ +/* If we find a maximum version that requires this, the test would be __HP_aCC <= 35500 for A.03.55 */ +# define SWIGTEMPLATEDISAMBIGUATOR template # else -# define SWIGTEMPLATEDISAMBIGUATOR +# define SWIGTEMPLATEDISAMBIGUATOR # endif #endif @@ -107,6 +107,12 @@ # define _CRT_SECURE_NO_DEPRECATE #endif +/* Deal with Microsoft's attempt at deprecating methods in the standard C++ library */ +#if !defined(SWIG_NO_SCL_SECURE_NO_DEPRECATE) && defined(_MSC_VER) && !defined(_SCL_SECURE_NO_DEPRECATE) +# define _SCL_SECURE_NO_DEPRECATE +#endif + + /* Python.h has to appear first */ #include @@ -343,7 +349,7 @@ while ((*f2 == ' ') && (f2 != l2)) ++f2; if (*f1 != *f2) return (*f1 > *f2) ? 1 : -1; } - return (l1 - f1) - (l2 - f2); + return (int)((l1 - f1) - (l2 - f2)); } /* @@ -1090,14 +1096,14 @@ /* Unpack the argument tuple */ SWIGINTERN int -SWIG_Python_UnpackTuple(PyObject *args, const char *name, int min, int max, PyObject **objs) +SWIG_Python_UnpackTuple(PyObject *args, const char *name, Py_ssize_t min, Py_ssize_t max, PyObject **objs) { if (!args) { if (!min && !max) { return 1; } else { PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got none", - name, (min == max ? "" : "at least "), min); + name, (min == max ? "" : "at least "), (int)min); return 0; } } 
@@ -1105,14 +1111,14 @@ PyErr_SetString(PyExc_SystemError, "UnpackTuple() argument list is not a tuple"); return 0; } else { - register int l = PyTuple_GET_SIZE(args); + register Py_ssize_t l = PyTuple_GET_SIZE(args); if (l < min) { PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got %d", - name, (min == max ? "" : "at least "), min, l); + name, (min == max ? "" : "at least "), (int)min, (int)l); return 0; } else if (l > max) { PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got %d", - name, (min == max ? "" : "at most "), max, l); + name, (min == max ? "" : "at most "), (int)max, (int)l); return 0; } else { register int i; @@ -1591,9 +1597,11 @@ (unaryfunc)0, /*nb_float*/ (unaryfunc)PySwigObject_oct, /*nb_oct*/ (unaryfunc)PySwigObject_hex, /*nb_hex*/ -#if PY_VERSION_HEX >= 0x02020000 - 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 /* nb_inplace_add -> nb_inplace_true_divide */ -#elif PY_VERSION_HEX >= 0x02000000 +#if PY_VERSION_HEX >= 0x02050000 /* 2.5.0 */ + 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 /* nb_inplace_add -> nb_index */ +#elif PY_VERSION_HEX >= 0x02020000 /* 2.2.0 */ + 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 /* nb_inplace_add -> nb_inplace_true_divide */ +#elif PY_VERSION_HEX >= 0x02000000 /* 2.0.0 */ 0,0,0,0,0,0,0,0,0,0,0 /* nb_inplace_add -> nb_inplace_or */ #endif }; 
@@ -2458,14 +2466,13 @@ #define SWIGTYPE_p_int swig_types[7] #define SWIGTYPE_p_p_char swig_types[8] #define SWIGTYPE_p_p_p_char swig_types[9] -#define SWIGTYPE_p_pid_t swig_types[10] -#define SWIGTYPE_p_security_class_mapping swig_types[11] -#define SWIGTYPE_p_selinux_callback swig_types[12] -#define SWIGTYPE_p_selinux_opt swig_types[13] -#define SWIGTYPE_p_unsigned_int swig_types[14] -#define SWIGTYPE_p_unsigned_short swig_types[15] -static swig_type_info *swig_types[17]; -static swig_module_info swig_module = {swig_types, 16, 0, 0, 0, 0}; +#define SWIGTYPE_p_security_class_mapping swig_types[10] +#define SWIGTYPE_p_selinux_callback swig_types[11] +#define SWIGTYPE_p_selinux_opt swig_types[12] +#define SWIGTYPE_p_unsigned_int swig_types[13] +#define SWIGTYPE_p_unsigned_short swig_types[14] +static swig_type_info *swig_types[16]; +static swig_module_info swig_module = {swig_types, 15, 0, 0, 0, 0}; #define SWIG_TypeQuery(name) SWIG_TypeQueryModule(&swig_module, &swig_module, name) #define SWIG_MangledTypeQuery(name) SWIG_MangledTypeQueryModule(&swig_module, &swig_module, name) @@ -2484,7 +2491,7 @@ #define SWIG_name "_selinux" -#define SWIGVERSION 0x010331 +#define SWIGVERSION 0x010333 #define SWIG_VERSION SWIGVERSION @@ -2577,14 +2584,12 @@ #include -#ifndef LLONG_MIN -# define LLONG_MIN LONG_LONG_MIN -#endif -#ifndef LLONG_MAX -# define LLONG_MAX LONG_LONG_MAX -#endif -#ifndef ULLONG_MAX -# define ULLONG_MAX ULONG_LONG_MAX +#if !defined(SWIG_NO_LLONG_MAX) +# if !defined(LLONG_MAX) && defined(__GNUC__) && defined (__LONG_LONG_MAX__) +# define LLONG_MAX __LONG_LONG_MAX__ +# define LLONG_MIN (-LLONG_MAX - 1LL) +# define ULLONG_MAX (LLONG_MAX * 2ULL + 1ULL) +# endif #endif 
@@ -2669,13 +2674,18 @@ SWIGINTERN int -SWIG_AsVal_long (PyObject *obj, long* val) +SWIG_AsVal_unsigned_SS_long (PyObject *obj, unsigned long *val) { if (PyInt_Check(obj)) { - if (val) *val = PyInt_AsLong(obj); - return SWIG_OK; + long v = PyInt_AsLong(obj); + if (v >= 0) { + if (val) *val = v; + return SWIG_OK; + } else { + return SWIG_OverflowError; + } } else if (PyLong_Check(obj)) { - long v = PyLong_AsLong(obj); + unsigned long v = PyLong_AsUnsignedLong(obj); if (!PyErr_Occurred()) { if (val) *val = v; return SWIG_OK; @@ -2686,7 +2696,7 @@ #ifdef SWIG_PYTHON_CAST_MODE { int dispatch = 0; - long v = PyInt_AsLong(obj); + unsigned long v = PyLong_AsUnsignedLong(obj); if (!PyErr_Occurred()) { if (val) *val = v; return SWIG_AddCast(SWIG_OK); @@ -2696,8 +2706,8 @@ if (!dispatch) { double d; int res = SWIG_AddCast(SWIG_AsVal_double (obj,&d)); - if (SWIG_IsOK(res) && SWIG_CanCastAsInteger(&d, LONG_MIN, LONG_MAX)) { - if (val) *val = (long)(d); + if (SWIG_IsOK(res) && SWIG_CanCastAsInteger(&d, 0, ULONG_MAX)) { + if (val) *val = (unsigned long)(d); return res; } } @@ -2708,15 +2718,15 @@ SWIGINTERN int -SWIG_AsVal_int (PyObject * obj, int *val) +SWIG_AsVal_unsigned_SS_int (PyObject * obj, unsigned int *val) { - long v; - int res = SWIG_AsVal_long (obj, &v); + unsigned long v; + int res = SWIG_AsVal_unsigned_SS_long (obj, &v); if (SWIG_IsOK(res)) { - if ((v < INT_MIN || v > INT_MAX)) { + if ((v > UINT_MAX)) { return SWIG_OverflowError; } else { - if (val) *val = (int)(v); + if (val) *val = (unsigned int)(v); } } return res; 
@@ -2724,18 +2734,13 @@ SWIGINTERN int -SWIG_AsVal_unsigned_SS_long (PyObject *obj, unsigned long *val) +SWIG_AsVal_long (PyObject *obj, long* val) { if (PyInt_Check(obj)) { - long v = PyInt_AsLong(obj); - if (v >= 0) { - if (val) *val = v; - return SWIG_OK; - } else { - return SWIG_OverflowError; - } + if (val) *val = PyInt_AsLong(obj); + return SWIG_OK; } else if (PyLong_Check(obj)) { - unsigned long v = PyLong_AsUnsignedLong(obj); + long v = PyLong_AsLong(obj); if (!PyErr_Occurred()) { if (val) *val = v; return SWIG_OK; @@ -2746,7 +2751,7 @@ #ifdef SWIG_PYTHON_CAST_MODE { int dispatch = 0; - unsigned long v = PyLong_AsUnsignedLong(obj); + long v = PyInt_AsLong(obj); if (!PyErr_Occurred()) { if (val) *val = v; return SWIG_AddCast(SWIG_OK); @@ -2756,8 +2761,8 @@ if (!dispatch) { double d; int res = SWIG_AddCast(SWIG_AsVal_double (obj,&d)); - if (SWIG_IsOK(res) && SWIG_CanCastAsInteger(&d, 0, ULONG_MAX)) { - if (val) *val = (unsigned long)(d); + if (SWIG_IsOK(res) && SWIG_CanCastAsInteger(&d, LONG_MIN, LONG_MAX)) { + if (val) *val = (long)(d); return res; } } @@ -2768,15 +2773,15 @@ SWIGINTERN int -SWIG_AsVal_unsigned_SS_int (PyObject * obj, unsigned int *val) +SWIG_AsVal_int (PyObject * obj, int *val) { - unsigned long v; - int res = SWIG_AsVal_unsigned_SS_long (obj, &v); + long v; + int res = SWIG_AsVal_long (obj, &v); if (SWIG_IsOK(res)) { - if ((v > UINT_MAX)) { + if ((v < INT_MIN || v > INT_MAX)) { return SWIG_OverflowError; } else { - if (val) *val = (unsigned int)(v); + if (val) *val = (int)(v); } } return res; 
@@ -2986,24 +2991,18 @@ pid_t arg1 ; security_context_t *arg2 = (security_context_t *) 0 ; int result; - void *argp1 ; - int res1 = 0 ; + unsigned int val1 ; + int ecode1 = 0 ; security_context_t temp2 = 0 ; PyObject * obj0 = 0 ; arg2 = &temp2; if (!PyArg_ParseTuple(args,(char *)"O:getpidcon",&obj0)) SWIG_fail; - { - res1 = SWIG_ConvertPtr(obj0, &argp1, SWIGTYPE_p_pid_t, 0 ); - if (!SWIG_IsOK(res1)) { - SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "getpidcon" "', argument " "1"" of type '" "pid_t""'"); - } - if (!argp1) { - SWIG_exception_fail(SWIG_ValueError, "invalid null reference " "in method '" "getpidcon" "', argument " "1"" of type '" "pid_t""'"); - } else { - arg1 = *((pid_t *)(argp1)); - } - } + ecode1 = SWIG_AsVal_unsigned_SS_int(obj0, &val1); + if (!SWIG_IsOK(ecode1)) { + SWIG_exception_fail(SWIG_ArgError(ecode1), "in method '" "getpidcon" "', argument " "1"" of type '" "pid_t""'"); + } + arg1 = (pid_t)(val1); result = (int)getpidcon(arg1,arg2); resultobj = SWIG_From_int((int)(result)); if (*arg2) { 
@@ -3025,24 +3024,18 @@ pid_t arg1 ; security_context_t *arg2 = (security_context_t *) 0 ; int result; - void *argp1 ; - int res1 = 0 ; + unsigned int val1 ; + int ecode1 = 0 ; security_context_t temp2 = 0 ; PyObject * obj0 = 0 ; arg2 = &temp2; if (!PyArg_ParseTuple(args,(char *)"O:getpidcon_raw",&obj0)) SWIG_fail; - { - res1 = SWIG_ConvertPtr(obj0, &argp1, SWIGTYPE_p_pid_t, 0 ); - if (!SWIG_IsOK(res1)) { - SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "getpidcon_raw" "', argument " "1"" of type '" "pid_t""'"); - } - if (!argp1) { - SWIG_exception_fail(SWIG_ValueError, "invalid null reference " "in method '" "getpidcon_raw" "', argument " "1"" of type '" "pid_t""'"); - } else { - arg1 = *((pid_t *)(argp1)); - } - } + ecode1 = SWIG_AsVal_unsigned_SS_int(obj0, &val1); + if (!SWIG_IsOK(ecode1)) { + SWIG_exception_fail(SWIG_ArgError(ecode1), "in method '" "getpidcon_raw" "', argument " "1"" of type '" "pid_t""'"); + } + arg1 = (pid_t)(val1); result = (int)getpidcon_raw(arg1,arg2); resultobj = SWIG_From_int((int)(result)); if (*arg2) { @@ -8149,7 +8142,7 @@ /* -------- TYPE CONVERSION AND EQUIVALENCE RULES (BEGIN) -------- */ static swig_type_info _swigt__p_SELboolean = {"_p_SELboolean", "SELboolean *", 0, 0, (void*)0, 0}; -static swig_type_info _swigt__p_av_decision = {"_p_av_decision", "struct av_decision *", 0, 0, (void*)0, 0}; +static swig_type_info _swigt__p_av_decision = {"_p_av_decision", "struct av_decision *|av_decision *", 0, 0, (void*)0, 0}; static swig_type_info _swigt__p_char = {"_p_char", "char *", 0, 0, (void*)0, 0}; static swig_type_info _swigt__p_f_int_p_q_const__char_v_______int = {"_p_f_int_p_q_const__char_v_______int", "int (*)(int,char const *,...)", 0, 0, (void*)0, 0}; static swig_type_info _swigt__p_f_p_p_char__int = {"_p_f_p_p_char__int", "int (*)(char **)|int (*)(security_context_t *)", 0, 0, (void*)0, 0}; 
@@ -8158,12 +8151,11 @@ static swig_type_info _swigt__p_int = {"_p_int", "int *", 0, 0, (void*)0, 0}; static swig_type_info _swigt__p_p_char = {"_p_p_char", "char **|security_context_t *", 0, 0, (void*)0, 0}; static swig_type_info _swigt__p_p_p_char = {"_p_p_p_char", "char ***|security_context_t **", 0, 0, (void*)0, 0}; -static swig_type_info _swigt__p_pid_t = {"_p_pid_t", "pid_t *", 0, 0, (void*)0, 0}; -static swig_type_info _swigt__p_security_class_mapping = {"_p_security_class_mapping", "struct security_class_mapping *", 0, 0, (void*)0, 0}; -static swig_type_info _swigt__p_selinux_callback = {"_p_selinux_callback", "union selinux_callback *", 0, 0, (void*)0, 0}; -static swig_type_info _swigt__p_selinux_opt = {"_p_selinux_opt", "selinux_opt *", 0, 0, (void*)0, 0}; -static swig_type_info _swigt__p_unsigned_int = {"_p_unsigned_int", "unsigned int *|access_vector_t *", 0, 0, (void*)0, 0}; -static swig_type_info _swigt__p_unsigned_short = {"_p_unsigned_short", "unsigned short *|security_class_t *", 0, 0, (void*)0, 0}; +static swig_type_info _swigt__p_security_class_mapping = {"_p_security_class_mapping", "struct security_class_mapping *|security_class_mapping *", 0, 0, (void*)0, 0}; +static swig_type_info _swigt__p_selinux_callback = {"_p_selinux_callback", "union selinux_callback *|selinux_callback *", 0, 0, (void*)0, 0}; +static swig_type_info _swigt__p_selinux_opt = {"_p_selinux_opt", "struct selinux_opt *|selinux_opt *", 0, 0, (void*)0, 0}; +static swig_type_info _swigt__p_unsigned_int = {"_p_unsigned_int", "unsigned int *|access_vector_t *|mode_t *|pid_t *", 0, 0, (void*)0, 0}; +static swig_type_info _swigt__p_unsigned_short = {"_p_unsigned_short", "security_class_t *|unsigned short *", 0, 0, (void*)0, 0}; static swig_type_info *swig_type_initial[] = { &_swigt__p_SELboolean, @@ -8176,7 +8168,6 @@ &_swigt__p_int, &_swigt__p_p_char, &_swigt__p_p_p_char, - &_swigt__p_pid_t, &_swigt__p_security_class_mapping, &_swigt__p_selinux_callback, &_swigt__p_selinux_opt, 
@@ -8194,7 +8185,6 @@
 static swig_cast_info _swigc__p_int[] = { {&_swigt__p_int, 0, 0, 0},{0, 0, 0, 0}};
 static swig_cast_info _swigc__p_p_char[] = { {&_swigt__p_p_char, 0, 0, 0},{0, 0, 0, 0}};
 static swig_cast_info _swigc__p_p_p_char[] = { {&_swigt__p_p_p_char, 0, 0, 0},{0, 0, 0, 0}};
-static swig_cast_info _swigc__p_pid_t[] = { {&_swigt__p_pid_t, 0, 0, 0},{0, 0, 0, 0}};
 static swig_cast_info _swigc__p_security_class_mapping[] = { {&_swigt__p_security_class_mapping, 0, 0, 0},{0, 0, 0, 0}};
 static swig_cast_info _swigc__p_selinux_callback[] = { {&_swigt__p_selinux_callback, 0, 0, 0},{0, 0, 0, 0}};
 static swig_cast_info _swigc__p_selinux_opt[] = { {&_swigt__p_selinux_opt, 0, 0, 0},{0, 0, 0, 0}};
@@ -8212,7 +8202,6 @@
 _swigc__p_int,
 _swigc__p_p_char,
 _swigc__p_p_p_char,
- _swigc__p_pid_t,
 _swigc__p_security_class_mapping,
 _swigc__p_selinux_callback,
 _swigc__p_selinux_opt,
diff --exclude-from=exclude -N -u -r nsalibselinux/utils/matchpathcon.c libselinux-2.0.46/utils/matchpathcon.c
--- nsalibselinux/utils/matchpathcon.c 2007-07-16 14:20:45.000000000 -0400
+++ libselinux-2.0.46/utils/matchpathcon.c 2008-01-03 15:23:32.000000000 -0500
@@ -17,10 +17,24 @@
 exit(1);
 }
+static void
+#ifdef __GNUC__
+ __attribute__ ((format(printf, 1, 2)))
+#endif
+ myprintf(const char *fmt, ...)
+{
+ va_list ap;
+ va_start(ap, fmt);
+ vfprintf(stderr, fmt, ap);
+ va_end(ap);
+}
+
 int printmatchpathcon(char *path, int header, int mode)
 {
 char *buf;
- int rc = matchpathcon(path, mode, &buf);
+ int rc;
+ set_matchpathcon_printf(myprintf);
+ rc = matchpathcon(path, mode, &buf);
 if (rc < 0) {
 fprintf(stderr, "matchpathcon(%s) failed: %s\n", path, strerror(errno));
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.2.5/policy/modules/services/inetd.te
--- nsaserefpolicy/policy/modules/services/inetd.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/inetd.te 2007-12-19 05:38:09.000000000 -0500
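Review bot: `set_matchpathcon_printf(myprintf);` is registered inside printmatchpathcon, so it is re-run for every path the utility is asked about; the call is presumably idempotent, but it belongs once in main() before the first matchpathcon() call, which also makes it obvious that the utility is deliberately keeping its diagnostics on stderr now that the library's own default (src/matchpathcon.c in this same diff) has moved to syslog. A comment such as `/* keep library diagnostics on stderr; the library default is now syslog */` above the call would explain why the override exists. myprintf needs <stdarg.h> and <stdio.h> in scope, which this hunk does not show. printmatchpathcon continues past the end of the hunk.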
@@ -30,6 +30,10 @@ type inetd_child_var_run_t; files_pid_file(inetd_child_var_run_t) +ifdef(`enable_mcs',` + init_ranged_daemon_domain(inetd_t,inetd_exec_t,s0 - mcs_systemhigh) +') + ######################################## # # Local policy @@ -84,6 +88,7 @@ corenet_udp_bind_ftp_port(inetd_t) corenet_tcp_bind_inetd_child_port(inetd_t) corenet_udp_bind_inetd_child_port(inetd_t) +corenet_tcp_bind_ircd_port(inetd_t) corenet_udp_bind_ktalkd_port(inetd_t) corenet_tcp_bind_printer_port(inetd_t) corenet_udp_bind_rlogind_port(inetd_t) @@ -137,6 +142,7 @@ miscfiles_read_localization(inetd_t) # xinetd needs MLS override privileges to work +mls_fd_use_all_levels(inetd_t) mls_fd_share_all_levels(inetd_t) mls_socket_read_to_clearance(inetd_t) mls_socket_write_to_clearance(inetd_t) @@ -164,6 +170,7 @@ ') optional_policy(` + unconfined_domain(inetd_t) unconfined_domtrans(inetd_t) ') @@ -180,6 +187,9 @@ # for identd allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow inetd_child_t self:capability { setuid setgid }; +allow inetd_child_t self:dir search; +allow inetd_child_t self:{ lnk_file file } { getattr read }; + files_search_home(inetd_child_t) manage_dirs_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t) @@ -226,3 +236,7 @@ optional_policy(` unconfined_domain(inetd_child_t) ') + +optional_policy(` + inetd_service_domain(inetd_child_t,bin_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.2.5/policy/modules/services/inn.te --- nsaserefpolicy/policy/modules/services/inn.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/inn.te 2007-12-19 15:36:20.000000000 -0500 
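Review bot: `unconfined_domain(inetd_t)` in the optional_policy block at -164 makes the inetd daemon itself unconfined, which is a far larger grant than the `unconfined_domtrans(inetd_t)` already present there; if the goal is only to let inetd launch services that run unconfined, the domtrans alone achieves that and the domain line should be dropped or justified. Combined with `init_ranged_daemon_domain(inetd_t,inetd_exec_t,s0 - mcs_systemhigh)` at -30, a network-facing super-server then runs both unconfined and across the whole MCS range. At minimum a comment such as `# inetd_t itself is unconfined when the unconfined module is loaded; revisit once the services it spawns are confined` should record the intent next to the line.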
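Review bot: `inetd_service_domain(inetd_child_t,bin_t)` at -226 passes the generic bin_t type as the second argument; if inetd_service_domain follows the usual refpolicy shape of making that argument an entry point into the first, any executable labelled bin_t can then run as inetd_child_t instead of a dedicated exec type, and the `self:capability { setuid setgid }` granted to inetd_child_t at -180 applies to all of them. A comment naming the concrete service this is meant for would let a later reviewer narrow it, e.g. `# TODO(review): replace bin_t with a dedicated exec type for the service inetd launches`.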
@@ -22,7 +22,7 @@ files_pid_file(innd_var_run_t) type news_spool_t; -files_type(news_spool_t) +files_mountpoint(news_spool_t) ######################################## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.2.5/policy/modules/services/kerberos.fc --- nsaserefpolicy/policy/modules/services/kerberos.fc 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/kerberos.fc 2007-12-19 05:38:09.000000000 -0500 @@ -16,3 +16,4 @@ /var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0) /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) +/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.2.5/policy/modules/services/kerberos.if --- nsaserefpolicy/policy/modules/services/kerberos.if 2007-07-16 14:09:46.000000000 -0400 +++ serefpolicy-3.2.5/policy/modules/services/kerberos.if 2007-12-19 05:38:09.000000000 -0500 @@ -43,7 +43,13 @@ dontaudit $1 krb5kdc_conf_t:dir list_dir_perms; dontaudit $1 krb5kdc_conf_t:file rw_file_perms; + #kerberos libraries are attempting to set the correct file context + dontaudit $1 self:process setfscreate; + seutil_dontaudit_read_file_contexts($1) + tunable_policy(`allow_kerberos',` + fs_rw_tmpfs_files($1) + allow $1 self:tcp_socket create_socket_perms; allow $1 self:udp_socket create_socket_perms; @@ -61,11 +67,7 @@ corenet_tcp_connect_ocsp_port($1) corenet_sendrecv_kerberos_client_packets($1) corenet_sendrecv_ocsp_client_packets($1) - - sysnet_read_config($1) - sysnet_dns_name_resolve($1) ') - optional_policy(` tunable_policy(`allow_kerberos',` pcscd_stream_connect($1) 
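Review bot: The kerberos.if hunk at -61 removes `sysnet_read_config($1)` and `sysnet_dns_name_resolve($1)` from the allow_kerberos tunable without adding them anywhere visible in this diff, so a domain that relied on kerberos_use for resolver access will lose name resolution unless its own module grants it. If the assumption is that every caller already has sysnet access, the interface header should say so, e.g. `## Callers must grant sysnet_dns_name_resolve() themselves; kerberos_use no longer does.`; if not, the two lines should stay inside the tunable. The interface this hunk belongs to starts before the hunk at -43.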
@@ -172,3 +174,51 @@ allow $1 krb5kdc_conf_t:file read_file_perms; ') + +######################################## +## +## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kerberos_manage_host_rcache',` + gen_require(` + type krb5_host_rcache_t; + ') + + tunable_policy(`allow_kerberos',` + files_search_tmp($1) + allow $1 self:process setfscreate; + selinux_validate_context($1) + seutil_read_file_contexts($1) + allow $1 krb5_host_rcache_t:file manage_file_perms; + ') + # creates files as system_u no matter what the selinux user + domain_obj_id_change_exemption($1) +') + +######################################## +## +## Connect to krb524 service +## +## +## +## Domain allowed access. +## +## +# +interface(`kerberos_524_connect',` + tunable_policy(`allow_kerberos',` + allow $1 self:udp_socket create_socket_perms; + corenet_all_recvfrom_unlabeled($1) + corenet_udp_sendrecv_all_if($1) + corenet_udp_sendrecv_all_nodes($1) + corenet_udp_sendrecv_kerberos_master_port($1) + corenet_udp_bind_all_nodes($1) + ') +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.2.5/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/kerberos.te 2007-12-19 05:38:09.000000000 -0500 @@ -54,6 +54,9 @@ type krb5kdc_var_run_t; files_pid_file(krb5kdc_var_run_t) +type krb5_host_rcache_t; +files_tmp_file(krb5_host_rcache_t) + ######################################## # # kadmind local policy 
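Review bot: The doc block for `kerberos_manage_host_rcache` says "Read the kerberos kdc configuration file (/etc/krb5kdc.conf)", copied from the interface above it, while the body manages krb5_host_rcache_t files; it should read something like `## Create, read, write and delete the kerberos host replay cache (krb5_host_rcache_t) under /var/tmp, setting the file-creation context for it.` `domain_obj_id_change_exemption($1)` is placed outside the allow_kerberos tunable while every other rule in the interface is inside it, so the SELinux-user exemption is granted even when the tunable is off; either move it inside the tunable or add a comment stating why it must be unconditional. The `self:process setfscreate` plus `selinux_validate_context($1)` pair lets the caller pick the label of files it creates, so keeping the whole grant tied to the rcache type and the tunable is what keeps it narrow.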
@@ -62,7 +65,7 @@ # Use capabilities. Surplus capabilities may be allowed. allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice }; dontaudit kadmind_t self:capability sys_tty_config; -allow kadmind_t self:process signal_perms; +allow kadmind_t self:process { setfscreate signal_perms }; allow kadmind_t self:netlink_route_socket r_netlink_socket_perms; allow kadmind_t self:unix_dgram_socket { connect create write }; allow kadmind_t self:tcp_socket connected_stream_socket_perms; @@ -91,6 +94,7 @@ kernel_read_kernel_sysctls(kadmind_t) kernel_list_proc(kadmind_t) kernel_read_proc_symlinks(kadmind_t) +kernel_read_system_state(kadmind_t) corenet_all_recvfrom_unlabeled(kadmind_t) corenet_all_recvfrom_netlabel(kadmind_t) @@ -118,6 +122,9 @@ domain_use_interactive_fds(kadmind_t) files_read_etc_files(kadmind_t) +files_read_usr_symlinks(kadmind_t) +files_read_usr_files(kadmind_t) +files_read_var_files(kadmind_t) libs_use_ld_so(kadmind_t) libs_use_shared_libs(kadmind_t) @@ -127,6 +134,7 @@ miscfiles_read_localization(kadmind_t) sysnet_read_config(kadmind_t) +sysnet_use_ldap(kadmind_t) userdom_dontaudit_use_unpriv_user_fds(kadmind_t) userdom_dontaudit_search_sysadm_home_dirs(kadmind_t) @@ -137,6 +145,7 @@ optional_policy(` seutil_sigchld_newrole(kadmind_t) + seutil_read_file_contexts(kadmind_t) ') optional_policy(` @@ -151,7 +160,7 @@ # Use capabilities. Surplus capabilities may be allowed. allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice }; dontaudit krb5kdc_t self:capability sys_tty_config; -allow krb5kdc_t self:process { setsched getsched signal_perms }; +allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms }; allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms; allow krb5kdc_t self:tcp_socket create_stream_socket_perms; allow krb5kdc_t self:udp_socket create_socket_perms; 
@@ -223,6 +232,7 @@ miscfiles_read_localization(krb5kdc_t) sysnet_read_config(krb5kdc_t) +sysnet_use_ldap(krb5kdc_t) userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t) @@ -233,6 +243,7 @@ optional_policy(` seutil_sigchld_newrole(krb5kdc_t) + seutil_read_file_contexts(krb5kdc_t) ') optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-3.2.5/policy/modules/services/lpd.if --- nsaserefpolicy/policy/modules/services/lpd.if 2007-11-16 13:45:14.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/lpd.if 2007-12-31 06:40:50.000000000 -0500 @@ -336,10 +336,8 @@ ') files_search_spool($1) + manage_dirs_pattern($1,print_spool_t,print_spool_t) manage_files_pattern($1,print_spool_t,print_spool_t) - - # cjp: cups wants setattr - allow $1 print_spool_t:dir setattr; ') ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.2.5/policy/modules/services/mailman.if --- nsaserefpolicy/policy/modules/services/mailman.if 2007-12-04 11:02:50.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/mailman.if 2007-12-31 14:18:13.000000000 -0500 @@ -211,6 +211,7 @@ type mailman_data_t; ') + manage_dirs_pattern($1,mailman_data_t,mailman_data_t) manage_files_pattern($1,mailman_data_t,mailman_data_t) ') 
@@ -252,6 +253,25 @@ ####################################### ## +## read +## mailman logs. +## +## +## +## Domain allowed access. +## +## +# +interface(`mailman_read_log',` + gen_require(` + type mailman_log_t; + ') + + read_files_pattern($1,mailman_log_t,mailman_log_t) +') + +####################################### +## ## Append to mailman logs. ## ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.2.5/policy/modules/services/mailman.te --- nsaserefpolicy/policy/modules/services/mailman.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/mailman.te 2007-12-19 05:38:09.000000000 -0500 @@ -53,10 +53,9 @@ apache_use_fds(mailman_cgi_t) apache_dontaudit_append_log(mailman_cgi_t) apache_search_sys_script_state(mailman_cgi_t) + apache_read_config(mailman_cgi_t) + apache_dontaudit_rw_stream_sockets(mailman_cgi_t) - optional_policy(` - nscd_socket_use(mailman_cgi_t) - ') ') ######################################## @@ -65,6 +64,10 @@ # allow mailman_mail_t self:unix_dgram_socket create_socket_perms; +allow mailman_mail_t initrc_t:process signal; +allow mailman_mail_t self:capability { setuid setgid }; + +files_search_spool(mailman_mail_t) mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.fc serefpolicy-3.2.5/policy/modules/services/mailscanner.fc --- nsaserefpolicy/policy/modules/services/mailscanner.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/mailscanner.fc 2007-12-19 05:38:09.000000000 -0500 
@@ -0,0 +1,2 @@ +/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:mailscanner_spool_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.if serefpolicy-3.2.5/policy/modules/services/mailscanner.if --- nsaserefpolicy/policy/modules/services/mailscanner.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/mailscanner.if 2007-12-19 05:38:09.000000000 -0500 @@ -0,0 +1,59 @@ +## Anti-Virus and Anti-Spam Filter + +######################################## +## +## Search mailscanner spool directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`mailscanner_search_spool',` + gen_require(` + type mailscanner_spool_t; + ') + + files_search_spool($1) + allow $1 mailscanner_spool_t:dir search_dir_perms; +') + +######################################## +## +## read mailscanner spool files. +## +## +## +## Domain allowed access. +## +## +# +interface(`mailscanner_read_spool',` + gen_require(` + type mailscanner_spool_t; + ') + + files_search_spool($1) + read_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t) +') + +######################################## +## +## Create, read, write, and delete +## mailscanner spool files. +## +## +## +## Domain allowed access. +## +## +# +interface(`mailscanner_manage_spool',` + gen_require(` + type mailscanner_spool_t; + ') + + files_search_spool($1) + manage_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.te serefpolicy-3.2.5/policy/modules/services/mailscanner.te --- nsaserefpolicy/policy/modules/services/mailscanner.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/mailscanner.te 2007-12-19 05:38:09.000000000 -0500 
@@ -0,0 +1,5 @@ + +policy_module(mailscanner,1.0.0) + +type mailscanner_spool_t; +files_type(mailscanner_spool_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.2.5/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2007-12-06 13:12:03.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/mta.if 2008-01-04 10:12:33.000000000 -0500 @@ -133,6 +133,12 @@ sendmail_create_log($1_mail_t) ') + optional_policy(` + exim_read_log($1_mail_t) + exim_append_log($1_mail_t) + exim_manage_spool_files($1_mail_t) + ') + ') ####################################### @@ -217,6 +223,15 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files($1_mail_t) fs_manage_cifs_symlinks($1_mail_t) + fs_manage_cifs_files(mailserver_delivery) + fs_manage_cifs_symlinks(mailserver_delivery) + ') + + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_files($1_mail_t) + fs_manage_nfs_symlinks($1_mail_t) + fs_manage_nfs_files(mailserver_delivery) + fs_manage_nfs_symlinks(mailserver_delivery) ') optional_policy(` @@ -305,6 +320,42 @@ ######################################## ## +## Make the specified type usable for a mta_send_mail. +## +## +## +## Type to be used as a mail client. +## +## +# +interface(`mta_mailclient',` + gen_require(` + attribute mailclient_exec_type; + ') + + typeattribute $1 mailclient_exec_type; +') + +######################################## +## +## Make the specified type readable for a system_mail_t +## +## +## +## Type to be used as a mail client. +## +## +# +interface(`mta_mailcontent',` + gen_require(` + attribute mailcontent_type; + ') + + typeattribute $1 mailcontent_type; +') + +######################################## +## ## Modified mailserver interface for ## sendmail daemon use. ## 
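Review bot: `mta_mailcontent` documents its parameter as "Type to be used as a mail client", copied from mta_mailclient just above; its body adds the type to `mailcontent_type`, so the parameter doc should read `## Type of files that system_mail_t may read as mail content.` (the summary line "readable for a system_mail_t" already gives the intended meaning). The mta_mailclient summary, "usable for a mta_send_mail", would be clearer if it stated the consequence visible later in this diff: executables of that type become automatic-transition entry points into system_mail_t for every caller of mta_send_mail.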
@@ -383,11 +434,13 @@ allow $1 mail_spool_t:dir list_dir_perms; create_files_pattern($1,mail_spool_t,mail_spool_t) read_files_pattern($1,mail_spool_t,mail_spool_t) + append_files_pattern($1,mail_spool_t,mail_spool_t) create_lnk_files_pattern($1,mail_spool_t,mail_spool_t) read_lnk_files_pattern($1,mail_spool_t,mail_spool_t) optional_policy(` dovecot_manage_spool($1) + dovecot_domtrans_deliver($1) ') optional_policy(` @@ -422,6 +475,7 @@ # apache should set close-on-exec apache_dontaudit_rw_stream_sockets($1) apache_dontaudit_rw_sys_script_stream_sockets($1) + apache_append_log($1) ') ') @@ -438,20 +492,18 @@ interface(`mta_send_mail',` gen_require(` attribute mta_user_agent; - type system_mail_t, sendmail_exec_t; + type system_mail_t; + attribute mailclient_exec_type; ') - allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms; - domain_auto_trans($1, sendmail_exec_t, system_mail_t) - - allow $1 system_mail_t:fd use; - allow system_mail_t $1:fd use; - allow system_mail_t $1:fifo_file rw_file_perms; - allow system_mail_t $1:process sigchld; + allow $1 mailclient_exec_type:lnk_file read_lnk_file_perms; + domtrans_pattern($1, mailclient_exec_type, system_mail_t) + allow system_mail_t mailclient_exec_type:file entrypoint; allow mta_user_agent $1:fd use; allow mta_user_agent $1:process sigchld; allow mta_user_agent $1:fifo_file { read write }; + ') ######################################## @@ -586,6 +638,25 @@ files_search_etc($1) allow $1 etc_aliases_t:file { rw_file_perms setattr }; ') +######################################## +## +## manage mail aliases. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`mta_manage_aliases',` + gen_require(` + type etc_aliases_t; + ') + + files_search_etc($1) + allow $1 etc_aliases_t:file manage_file_perms; +') ####################################### ## 
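Review bot: In the rewritten `mta_send_mail`, `allow system_mail_t mailclient_exec_type:file entrypoint;` looks redundant with `domtrans_pattern($1, mailclient_exec_type, system_mail_t)`, which in the base refpolicy macros expands through `domain_auto_trans` and already carries the entrypoint rule; if that holds here, drop the line, otherwise add a comment saying why it is needed. The stray `+` blank line before the closing `')` should be removed. Switching the transition from `sendmail_exec_t` to the `mailclient_exec_type` attribute means every type later added via `mta_mailclient` becomes an entry point into `system_mail_t` for every caller of this interface; a note to that effect on the interface would help reviewers of future `mta_mailclient` users.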
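Review bot: The new `mta_manage_aliases` interface is pasted with no blank line between the preceding `')` and its `########` banner, nor between its own `')` and the next banner, unlike every other interface in the file; add both separators. It also grants `manage_file_perms` on `etc_aliases_t`, a file whose contents can redirect any local address, so the summary `## manage mail aliases.` should say who it is for, e.g. `## Create, read, write, and delete mail alias files (etc_aliases_t); for alias-maintenance tools only.`.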
@@ -837,6 +908,25 @@ ######################################## ## +## read mail queue files. +## +## +## +## Domain allowed access. +## +## +# +interface(`mta_read_queue',` + gen_require(` + type mqueue_spool_t; + ') + + files_search_spool($1) + read_files_pattern($1,mqueue_spool_t,mqueue_spool_t) +') + +######################################## +## ## Create, read, write, and delete ## mail queue files. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.5/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/mta.te 2007-12-19 05:38:09.000000000 -0500 @@ -6,6 +6,8 @@ # Declarations # +attribute mailcontent_type; +attribute mailclient_exec_type; attribute mta_user_agent; attribute mailserver_delivery; attribute mailserver_domain; @@ -27,6 +29,7 @@ type sendmail_exec_t; application_executable_file(sendmail_exec_t) +mta_mailclient(sendmail_exec_t) mta_base_mail_template(system) role system_r types system_mail_t; 
@@ -40,27 +43,40 @@ allow system_mail_t self:capability { dac_override }; read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t) +read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type) kernel_read_system_state(system_mail_t) kernel_read_network_state(system_mail_t) +dev_read_sysfs(system_mail_t) dev_read_rand(system_mail_t) dev_read_urand(system_mail_t) +fs_rw_anon_inodefs_files(system_mail_t) + +selinux_getattr_fs(system_mail_t) + init_use_script_ptys(system_mail_t) userdom_use_sysadm_terms(system_mail_t) userdom_dontaudit_search_sysadm_home_dirs(system_mail_t) +userdom_dontaudit_search_all_users_home_content(system_mail_t) + +optional_policy(` + apcupsd_read_tmp_files(system_mail_t) +') optional_policy(` apache_read_squirrelmail_data(system_mail_t) apache_append_squirrelmail_data(system_mail_t) + apache_search_bugzilla_dirs(system_mail_t) # apache should set close-on-exec apache_dontaudit_append_log(system_mail_t) apache_dontaudit_rw_stream_sockets(system_mail_t) apache_dontaudit_rw_tcp_sockets(system_mail_t) apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) + apache_dontaudit_rw_bugzilla_script_stream_sockets(system_mail_t) ') optional_policy(` @@ -73,6 +89,7 @@ optional_policy(` cron_read_system_job_tmp_files(system_mail_t) + cron_read_tmp_files(system_mail_t) cron_dontaudit_write_pipes(system_mail_t) ') @@ -81,6 +98,11 @@ ') optional_policy(` + exim_domtrans(system_mail_t) + exim_manage_log(system_mail_t) +') + +optional_policy(` logrotate_read_tmp_files(system_mail_t) ') 
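Review bot: `exim_manage_log(system_mail_t)` gives the generic mail-client domain create/delete/rename rights on exim's logs, whereas the per-role mail domains in mta.if (same patch) receive only `exim_read_log` + `exim_append_log`. For a client that just hands mail to exim, append is enough and keeps the log tamper-evident; suggest `exim_append_log(system_mail_t)` (plus `exim_read_log` if needed), or a comment explaining which denial required full manage rights. The `exim_domtrans(system_mail_t)` beside it is the expected way to invoke exim and is fine.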
@@ -136,6 +158,14 @@ ') optional_policy(` + clamav_stream_connect(sendmail_t) +') + +optional_policy(` + spamd_stream_connect(system_mail_t) +') + +optional_policy(` smartmon_read_tmp_files(system_mail_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.2.5/policy/modules/services/munin.fc --- nsaserefpolicy/policy/modules/services/munin.fc 2007-04-30 10:41:38.000000000 -0400 +++ serefpolicy-3.2.5/policy/modules/services/munin.fc 2007-12-31 05:55:51.000000000 -0500 @@ -6,6 +6,7 @@ /usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0) /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) -/var/log/munin.* -- gen_context(system_u:object_r:munin_log_t,s0) +/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) -/var/www/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) +/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) +/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.2.5/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/munin.te 2007-12-31 06:15:20.000000000 -0500 
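Review bot: `clamav_stream_connect(sendmail_t)` is the only rule in this mta.te hunk that names `sendmail_t`; every neighbouring rule targets `system_mail_t`, and the declarations visible in this patch for mta.te add only `sendmail_exec_t`, not `sendmail_t`. Unless `sendmail_t` is in scope because mta and sendmail are linked into one base module, the module compiler would be expected to reject the undeclared type, so this should probably read `clamav_stream_connect(system_mail_t)` to match the `spamd_stream_connect(system_mail_t)` rule next to it, or move to sendmail.te. If `sendmail_t` is intended, a comment explaining the cross-module reference is needed.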
@@ -37,14 +37,18 @@ allow munin_t self:unix_dgram_socket { create_socket_perms sendto }; allow munin_t self:tcp_socket create_stream_socket_perms; allow munin_t self:udp_socket create_socket_perms; +allow munin_t self:fifo_file manage_fifo_file_perms; + +can_exec(munin_t, munin_exec_t) allow munin_t munin_etc_t:dir list_dir_perms; read_files_pattern(munin_t,munin_etc_t,munin_etc_t) read_lnk_files_pattern(munin_t,munin_etc_t,munin_etc_t) files_search_etc(munin_t) -allow munin_t munin_log_t:file manage_file_perms; -logging_log_filetrans(munin_t,munin_log_t,file) +manage_dirs_pattern(munin_t, munin_log_t, munin_log_t) +manage_files_pattern(munin_t, munin_log_t, munin_log_t) +logging_log_filetrans(munin_t,munin_log_t,{ file dir }) manage_dirs_pattern(munin_t,munin_tmp_t,munin_tmp_t) manage_files_pattern(munin_t,munin_tmp_t,munin_tmp_t) @@ -73,6 +77,7 @@ corenet_udp_sendrecv_all_nodes(munin_t) corenet_tcp_sendrecv_all_ports(munin_t) corenet_udp_sendrecv_all_ports(munin_t) +corenet_tcp_connect_munin_port(munin_t) dev_read_sysfs(munin_t) dev_read_urand(munin_t) @@ -91,6 +96,7 @@ logging_send_syslog_msg(munin_t) +miscfiles_read_fonts(munin_t) miscfiles_read_localization(munin_t) sysnet_read_config(munin_t) @@ -118,3 +124,9 @@ optional_policy(` udev_read_db(munin_t) ') + +#============= http munin policy ============== +apache_content_template(munin) + +manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) +manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.2.5/policy/modules/services/mysql.fc --- nsaserefpolicy/policy/modules/services/mysql.fc 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/mysql.fc 2007-12-19 05:38:09.000000000 -0500 
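Review bot: `apache_content_template(munin)` and the two `manage_*_pattern(munin_t, httpd_munin_content_t, …)` rules are unconditional, so the munin module now depends on apache being present, while every other cross-module rule here (e.g. `udev_read_db` in the context above) sits inside `optional_policy`. If munin is meant to load without apache, wrap the three lines in `optional_policy(` … `')`. A one-line comment that munin_t writes generated HTML into httpd-served content (`/var/www/html/munin` per munin.fc) would also record why a monitoring daemon now has write access to web content.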
@@ -22,3 +22,5 @@ /var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0) /var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0) + +/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.2.5/policy/modules/services/mysql.if --- nsaserefpolicy/policy/modules/services/mysql.if 2007-01-02 12:57:43.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/mysql.if 2007-12-19 05:38:09.000000000 -0500 
@@ -157,3 +157,79 @@ logging_search_logs($1) allow $1 mysqld_log_t:file { write append setattr ioctl }; ') + +######################################## +## +## Execute mysql server in the mysqld domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`mysql_script_domtrans',` + gen_require(` + type mysqld_script_exec_t; + ') + + init_script_domtrans_spec($1,mysqld_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate an mysql environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the mysql domain. +## +## +## +## +## The type of the terminal allow the mysql domain to use. +## +## +## +# +interface(`mysql_admin',` + + gen_require(` + type mysqld_t; + type mysqld_var_run_t; + type mysqld_tmp_t; + type mysqld_db_t; + type mysqld_etc_t; + type mysqld_log_t; + type mysqld_script_exec_t; + ') + + allow $1 mysqld_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, mysqld_t, mysqld_t) + + # Allow $1 to restart the apache service + mysql_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 mysqld_script_exec_t system_r; + allow $2 system_r; + + manage_dirs_pattern($1,mysqld_var_run_t,mysqld_var_run_t) + manage_files_pattern($1,mysqld_var_run_t,mysqld_var_run_t) + + manage_dirs_pattern($1,mysqld_db_t,mysqld_db_t) + manage_files_pattern($1,mysqld_db_t,mysqld_db_t) + + manage_dirs_pattern($1,mysqld_etc_t,mysqld_etc_t) + manage_files_pattern($1,mysqld_etc_t,mysqld_etc_t) + + manage_dirs_pattern($1,mysqld_log_t,mysqld_log_t) + manage_files_pattern($1,mysqld_log_t,mysqld_log_t) + + manage_dirs_pattern($1,mysqld_tmp_t,mysqld_tmp_t) + manage_files_pattern($1,mysqld_tmp_t,mysqld_tmp_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.2.5/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2007-12-19 
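Review bot: The comment `# Allow $1 to restart the apache service` inside `mysql_admin` was copied from the apache module and is wrong here; make it `# Allow $1 to run the mysqld init script (start/stop/restart)`. The `mysql_script_domtrans` summary "Execute mysql server in the mysqld domain" is also misleading, since it transitions on `mysqld_script_exec_t` (the init script) via `init_script_domtrans_spec`, so `## Execute the mysqld init script with a domain transition.` is accurate; the same pasted summary appears in the nscd.if and ntp.if copies in this series. `mysql_admin` additionally hands `$1` `ptrace` on `mysqld_t` together with manage rights over `mysqld_db_t` and `mysqld_etc_t`, which is effectively full control of the database and its data; that is the point of an admin interface, but the interface doc should say so explicitly.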
05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/mysql.te 2007-12-31 16:45:48.000000000 -0500 @@ -1,4 +1,3 @@ - policy_module(mysql,1.6.0) ######################################## @@ -25,6 +24,9 @@ type mysqld_tmp_t; files_tmp_file(mysqld_tmp_t) +type mysqld_script_exec_t; +init_script_type(mysqld_script_exec_t) + ######################################## # # Local policy @@ -33,7 +35,8 @@ allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service }; dontaudit mysqld_t self:capability sys_tty_config; allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh }; -allow mysqld_t self:fifo_file { read write }; +allow mysqld_t self:fifo_file rw_fifo_file_perms; +allow mysqld_t self:shm create_shm_perms; allow mysqld_t self:unix_stream_socket create_stream_socket_perms; allow mysqld_t self:tcp_socket create_stream_socket_perms; allow mysqld_t self:udp_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.2.5/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/nagios.fc 2007-12-19 05:38:09.000000000 -0500 
@@ -4,13 +4,15 @@ /usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) /usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) -/usr/lib(64)?/cgi-bin/netsaint/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) -/usr/lib(64)?/nagios/cgi/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) +/usr/lib(64)?/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) +/usr/lib(64)?/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) /var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) /var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) +/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) + ifdef(`distro_debian',` /usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) -/usr/lib/cgi-bin/nagios/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) ') +/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.2.5/policy/modules/services/nagios.if --- nsaserefpolicy/policy/modules/services/nagios.if 2007-01-02 12:57:43.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/nagios.if 2007-12-19 05:38:09.000000000 -0500 
@@ -44,25 +44,6 @@ ######################################## ## -## Execute the nagios CGI with -## a domain transition. -## -## -## -## Domain allowed access. -## -## -# -interface(`nagios_domtrans_cgi',` - gen_require(` - type nagios_cgi_t, nagios_cgi_exec_t; - ') - - domtrans_pattern($1,nagios_cgi_exec_t,nagios_cgi_t) -') - -######################################## -## ## Execute the nagios NRPE with ## a domain transition. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.2.5/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/nagios.te 2007-12-19 05:38:09.000000000 -0500 @@ -8,11 +8,7 @@ type nagios_t; type nagios_exec_t; -init_daemon_domain(nagios_t, nagios_exec_t) - -type nagios_cgi_t; -type nagios_cgi_exec_t; -init_system_domain(nagios_cgi_t, nagios_cgi_exec_t) +init_daemon_domain(nagios_t,nagios_exec_t) type nagios_etc_t; files_config_file(nagios_etc_t) @@ -26,9 +22,12 @@ type nagios_var_run_t; files_pid_file(nagios_var_run_t) +type nagios_spool_t; +files_type(nagios_spool_t) + type nrpe_t; type nrpe_exec_t; -init_daemon_domain(nrpe_t, nrpe_exec_t) +init_daemon_domain(nrpe_t,nrpe_exec_t) type nrpe_etc_t; files_config_file(nrpe_etc_t) @@ -60,6 +59,8 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) files_pid_filetrans(nagios_t, nagios_var_run_t, file) +rw_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) + kernel_read_system_state(nagios_t) kernel_read_kernel_sysctls(nagios_t) 
@@ -130,42 +131,31 @@ # # Nagios CGI local policy # +apache_content_template(nagios) +typealias httpd_nagios_script_t alias nagios_cgi_t; +typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t; -allow nagios_cgi_t self:process signal_perms; -allow nagios_cgi_t self:fifo_file rw_fifo_file_perms; - -read_files_pattern(nagios_cgi_t, nagios_t, nagios_t) -read_lnk_files_pattern(nagios_cgi_t, nagios_t, nagios_t) - -allow nagios_cgi_t nagios_etc_t:dir list_dir_perms; -read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) -read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) +allow httpd_nagios_script_t self:process signal_perms; -allow nagios_cgi_t nagios_log_t:dir list_dir_perms; -read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) -read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) +read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) +read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) -kernel_read_system_state(nagios_cgi_t) +allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms; +read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) +read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) -corecmd_exec_bin(nagios_cgi_t) +allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms; +read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) +read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) -domain_dontaudit_read_all_domains_state(nagios_cgi_t) +kernel_read_system_state(httpd_nagios_script_t) -files_read_etc_files(nagios_cgi_t) -files_read_etc_runtime_files(nagios_cgi_t) -files_read_kernel_symbol_table(nagios_cgi_t) +domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) -libs_use_ld_so(nagios_cgi_t) -libs_use_shared_libs(nagios_cgi_t) +files_read_etc_runtime_files(httpd_nagios_script_t) +files_read_kernel_symbol_table(httpd_nagios_script_t) -logging_send_syslog_msg(nagios_cgi_t) -logging_search_logs(nagios_cgi_t) - 
-miscfiles_read_localization(nagios_cgi_t) - -optional_policy(` - apache_append_log(nagios_cgi_t) -') +logging_send_syslog_msg(httpd_nagios_script_t) ######################################## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.2.5/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2007-09-12 10:34:18.000000000 -0400 +++ serefpolicy-3.2.5/policy/modules/services/networkmanager.fc 2007-12-31 08:48:44.000000000 -0500 @@ -1,7 +1,9 @@ /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) /usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/log/wpa_supplicant\.log.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.2.5/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2007-06-12 10:15:45.000000000 -0400 +++ serefpolicy-3.2.5/policy/modules/services/networkmanager.if 2007-12-31 08:55:52.000000000 -0500 
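Review bot: `read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)` and `read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)` carry over a pre-existing mix-up: the directory type is `nagios_etc_t` while the file type is `nagios_log_t`; the `list_dir_perms` rule above happens to supply the missing directory search, but the patterns should read `read_files_pattern(httpd_nagios_script_t, nagios_log_t, nagios_log_t)` / `read_lnk_files_pattern(httpd_nagios_script_t, nagios_log_t, nagios_log_t)`. The rewrite also drops `files_read_etc_files`, `libs_use_ld_so`, `libs_use_shared_libs`, `miscfiles_read_localization` and `apache_append_log` for the CGI domain; if `apache_content_template` supplies these for its script domain (presumably so), a one-line comment saying so would save the next reader the check, and if it does not the CGI will fail at startup. The `typealias` lines keep `nagios_cgi_t` usable for existing callers, which is good.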
@@ -97,3 +97,21 @@ allow $1 NetworkManager_t:dbus send_msg; allow NetworkManager_t $1:dbus send_msg; ') + +######################################## +## +## Send a generic signal to NetworkManager +## +## +## +## Domain allowed access. +## +## +# +interface(`networkmanager_signal',` + gen_require(` + type NetworkManager_t; + ') + + allow $1 NetworkManager_t:process signal; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.2.5/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/networkmanager.te 2007-12-26 20:31:36.000000000 -0500 @@ -13,6 +13,9 @@ type NetworkManager_var_run_t; files_pid_file(NetworkManager_var_run_t) +type NetworkManager_log_t; +logging_log_file(NetworkManager_log_t) + ######################################## # # Local policy @@ -20,7 +23,7 @@ # networkmanager will ptrace itself if gdb is installed # and it receives a unexpected signal (rh bug #204161) -allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock }; +allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock }; dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace }; allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms }; allow NetworkManager_t self:fifo_file rw_fifo_file_perms; 
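Review bot: The rewritten capability line now allows `fsetid` to `NetworkManager_t`; elsewhere in this same patch `fsetid` is only dontaudited (`dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice }` in ntp.te), because it is usually a spurious request from chown/chmod on set-id files rather than a real need. Unless NetworkManager has to preserve set-id bits, move it to the dontaudit line: `dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace fsetid };`. The same line silently drops `net_bind_service`; if that is deliberate the commit message should say so, since a regression would only show up as a runtime denial.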
@@ -38,6 +41,9 @@ manage_sock_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t) files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file }) +manage_files_pattern(NetworkManager_t,NetworkManager_log_t,NetworkManager_log_t) +logging_log_filetrans(NetworkManager_t,NetworkManager_log_t, file) + kernel_read_system_state(NetworkManager_t) kernel_read_network_state(NetworkManager_t) kernel_read_kernel_sysctls(NetworkManager_t) @@ -86,6 +92,8 @@ init_read_utmp(NetworkManager_t) init_domtrans_script(NetworkManager_t) +auth_use_nsswitch(NetworkManager_t) + libs_use_ld_so(NetworkManager_t) libs_use_shared_libs(NetworkManager_t) @@ -129,8 +137,11 @@ ') optional_policy(` + allow NetworkManager_t self:dbus send_msg; + dbus_system_bus_client_template(NetworkManager,NetworkManager_t) dbus_connect_system_bus(NetworkManager_t) + dbus_system_domain(NetworkManager_t,NetworkManager_exec_t) ') optional_policy(` @@ -138,12 +149,9 @@ ') optional_policy(` - nis_use_ypbind(NetworkManager_t) -') - -optional_policy(` - nscd_socket_use(NetworkManager_t) nscd_signal(NetworkManager_t) + nscd_script_domtrans(NetworkManager_t) + nscd_domtrans(NetworkManager_t) ') optional_policy(` @@ -155,6 +163,7 @@ ppp_domtrans(NetworkManager_t) ppp_read_pid_files(NetworkManager_t) ppp_signal(NetworkManager_t) + ppp_read_config(NetworkManager_t) ') optional_policy(` @@ -166,11 +175,6 @@ ') optional_policy(` - # Read gnome-keyring - unconfined_read_home_content_files(NetworkManager_t) -') - -optional_policy(` vpn_domtrans(NetworkManager_t) vpn_signal(NetworkManager_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.2.5/policy/modules/services/nis.fc --- nsaserefpolicy/policy/modules/services/nis.fc 2007-02-19 11:32:53.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/nis.fc 2007-12-19 05:38:09.000000000 -0500 
@@ -4,6 +4,7 @@ /sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) /usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) +/usr/lib64/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) /usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.2.5/policy/modules/services/nis.if --- nsaserefpolicy/policy/modules/services/nis.if 2007-07-16 14:09:46.000000000 -0400 +++ serefpolicy-3.2.5/policy/modules/services/nis.if 2007-12-19 05:38:09.000000000 -0500 @@ -49,8 +49,8 @@ corenet_udp_bind_all_nodes($1) corenet_tcp_bind_generic_port($1) corenet_udp_bind_generic_port($1) - corenet_tcp_bind_reserved_port($1) - corenet_udp_bind_reserved_port($1) + corenet_dontaudit_tcp_bind_all_reserved_ports($1) + corenet_dontaudit_udp_bind_all_reserved_ports($1) corenet_dontaudit_tcp_bind_all_ports($1) corenet_dontaudit_udp_bind_all_ports($1) corenet_tcp_connect_portmap_port($1) @@ -87,6 +87,25 @@ ######################################## ## +## Use the nis to authenticate passwords +## +## +## +## The type of the process performing this action. +## +## +## +# +interface(`nis_authenticate',` + tunable_policy(`allow_ypbind',` + nis_use_ypbind_uncond($1) + corenet_tcp_bind_all_rpc_ports($1) + corenet_udp_bind_all_rpc_ports($1) + ') +') + +######################################## +## ## Execute ypbind in the ypbind domain. ## ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.2.5/policy/modules/services/nis.te --- nsaserefpolicy/policy/modules/services/nis.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/nis.te 2007-12-19 05:38:09.000000000 -0500 
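Review bot: In `nis_use_ypbind_uncond`, `corenet_tcp_bind_reserved_port($1)` / `corenet_udp_bind_reserved_port($1)` become `corenet_dontaudit_tcp_bind_all_reserved_ports($1)` / `corenet_dontaudit_udp_bind_all_reserved_ports($1)`, turning a grant into a silenced denial for every existing caller; a NIS client that still needs a privileged source port will now fail with no AVC to explain why. If the intent is that callers migrate to the new `nis_authenticate` (which binds RPC ports under `allow_ypbind`), say so in a comment on the interface and in the commit message; otherwise keep the allow rules. The `nis_authenticate` summary should also spell out what it grants, e.g. `## Use NIS for password authentication: ypbind socket use plus RPC port binding, gated on the allow_ypbind tunable.`.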
@@ -113,6 +113,17 @@ userdom_dontaudit_use_unpriv_user_fds(ypbind_t) userdom_dontaudit_search_sysadm_home_dirs(ypbind_t) + +optional_policy(` + dbus_system_bus_client_template(ypbind,ypbind_t) + dbus_connect_system_bus(ypbind_t) + init_dbus_chat_script(ypbind_t) + + optional_policy(` + networkmanager_dbus_chat(ypbind_t) + ') +') + optional_policy(` seutil_sigchld_newrole(ypbind_t) ') @@ -126,6 +137,7 @@ # yppasswdd local policy # +allow yppasswdd_t self:capability dac_override; dontaudit yppasswdd_t self:capability sys_tty_config; allow yppasswdd_t self:fifo_file rw_fifo_file_perms; allow yppasswdd_t self:process { setfscreate signal_perms }; @@ -156,8 +168,8 @@ corenet_udp_sendrecv_all_ports(yppasswdd_t) corenet_tcp_bind_all_nodes(yppasswdd_t) corenet_udp_bind_all_nodes(yppasswdd_t) -corenet_tcp_bind_reserved_port(yppasswdd_t) -corenet_udp_bind_reserved_port(yppasswdd_t) +corenet_tcp_bind_all_rpc_ports(yppasswdd_t) +corenet_udp_bind_all_rpc_ports(yppasswdd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t) corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t) corenet_sendrecv_generic_server_packets(yppasswdd_t) @@ -247,6 +259,8 @@ corenet_udp_bind_all_nodes(ypserv_t) corenet_tcp_bind_reserved_port(ypserv_t) corenet_udp_bind_reserved_port(ypserv_t) +corenet_tcp_bind_all_rpc_ports(ypserv_t) +corenet_udp_bind_all_rpc_ports(ypserv_t) corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t) corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t) corenet_sendrecv_generic_server_packets(ypserv_t) 
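Review bot: The new dbus block for `ypbind_t` is inserted after an added `+` blank line that follows an existing blank, leaving two empty lines before `optional_policy(`; drop one. `init_dbus_chat_script(ypbind_t)` plus the nested `networkmanager_dbus_chat(ypbind_t)` are new IPC paths into a network-facing daemon; a one-line comment naming the use case they serve would make the grant reviewable later.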
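Review bot: `allow yppasswdd_t self:capability dac_override;` is added with no comment; `dac_override` lets the daemon bypass every DAC permission check, and this is the domain that rewrites password maps on behalf of remote clients, so the reason should be recorded, e.g. `# dac_override: rewriting the passwd/shadow source files under /var/yp as root - TODO confirm which file`. If the underlying denial was on a file that should instead carry a yppasswdd-specific label, labeling is the narrower fix.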
@@ -315,6 +329,8 @@ corenet_udp_bind_all_nodes(ypxfr_t) corenet_tcp_bind_reserved_port(ypxfr_t) corenet_udp_bind_reserved_port(ypxfr_t) +corenet_tcp_bind_all_rpc_ports(ypxfr_t) +corenet_udp_bind_all_rpc_ports(ypxfr_t) corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t) corenet_tcp_connect_all_ports(ypxfr_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.2.5/policy/modules/services/nscd.fc --- nsaserefpolicy/policy/modules/services/nscd.fc 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/nscd.fc 2007-12-19 05:38:09.000000000 -0500 @@ -9,3 +9,5 @@ /var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0) /var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) + +/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:httpd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.2.5/policy/modules/services/nscd.if --- nsaserefpolicy/policy/modules/services/nscd.if 2007-03-26 10:39:04.000000000 -0400 +++ serefpolicy-3.2.5/policy/modules/services/nscd.if 2007-12-19 05:38:09.000000000 -0500 @@ -70,15 +70,14 @@ interface(`nscd_socket_use',` gen_require(` type nscd_t, nscd_var_run_t; - class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; + class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv }; ') allow $1 self:unix_stream_socket create_socket_perms; allow $1 nscd_t:nscd { getpwd getgrp gethost }; dontaudit $1 nscd_t:fd use; - dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost }; - + dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv }; files_search_pids($1) stream_connect_pattern($1,nscd_var_run_t,nscd_var_run_t,nscd_t) dontaudit $1 nscd_var_run_t:file { getattr read }; 
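Review bot: `/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)` labels nscd's init script with the apache script type, almost certainly a paste error: nscd.te in this patch declares `nscd_script_exec_t` via `init_script_type`, and `nscd_script_domtrans` in nscd.if transitions on that type, so as written nothing is ever labeled `nscd_script_exec_t`, the new interface (and its `NetworkManager_t` caller in networkmanager.te) is dead, and whichever domains may execute `httpd_script_exec_t` gain nscd's init script instead. Change it to `/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_script_exec_t,s0)`, matching the mysqld and ntpd entries in this series.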
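Review bot: In `nscd_socket_use`, `getserv` and `shmemserv` are added to the `class nscd` require and to the `dontaudit` line, but not to `allow $1 nscd_t:nscd { getpwd getgrp gethost };`, so service lookups through nscd are denied for every caller and the denial is now invisible (glibc falls back to /etc/services, which hides it further). If callers are meant to use nscd for services, change the allow to `allow $1 nscd_t:nscd { getpwd getgrp gethost getserv };`; if the denial is deliberate, a comment saying so would help. Dropping the blank line before `files_search_pids($1)` is a harmless style change.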
@@ -204,3 +203,22 @@ role $2 types nscd_t; dontaudit nscd_t $3:chr_file rw_term_perms; ') + +######################################## +## +## Execute nscd server in the ntpd domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`nscd_script_domtrans',` + gen_require(` + type nscd_script_exec_t; + ') + + init_script_domtrans_spec($1,nscd_script_exec_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.2.5/policy/modules/services/nscd.te --- nsaserefpolicy/policy/modules/services/nscd.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/nscd.te 2007-12-19 05:38:09.000000000 -0500 @@ -23,19 +23,22 @@ type nscd_log_t; logging_log_file(nscd_log_t) +type nscd_script_exec_t; +init_script_type(nscd_script_exec_t) + ######################################## # # Local policy # -allow nscd_t self:capability { kill setgid setuid audit_write }; +allow nscd_t self:capability { kill setgid setuid }; dontaudit nscd_t self:capability sys_tty_config; -allow nscd_t self:process { getattr setsched signal_perms }; +allow nscd_t self:process { getattr setcap setsched signal_perms }; allow nscd_t self:fifo_file { read write }; allow nscd_t self:unix_stream_socket create_stream_socket_perms; allow nscd_t self:unix_dgram_socket create_socket_perms; allow nscd_t self:netlink_selinux_socket create_socket_perms; -allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; + allow nscd_t self:tcp_socket create_socket_perms; allow nscd_t self:udp_socket create_socket_perms; @@ -50,6 +53,8 @@ manage_sock_files_pattern(nscd_t,nscd_var_run_t,nscd_var_run_t) files_pid_filetrans(nscd_t,nscd_var_run_t,{ file sock_file }) +can_exec(nscd_t, nscd_exec_t) + kernel_read_kernel_sysctls(nscd_t) kernel_list_proc(nscd_t) kernel_read_proc_symlinks(nscd_t) 
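Review bot: The summary of `nscd_script_domtrans` reads `## Execute nscd server in the ntpd domain.`, wrong on both counts: it was pasted from the ntp module, and `init_script_domtrans_spec($1,nscd_script_exec_t)` transitions on the nscd init script, not into a daemon domain. Suggest `## Execute the nscd init script with a domain transition.` and `## Domain allowed to run the init script.` for the parameter. The trailing blank `+` line added after the closing `')` at end of file should go too.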
@@ -73,6 +78,8 @@ corenet_udp_sendrecv_all_nodes(nscd_t) corenet_tcp_sendrecv_all_ports(nscd_t) corenet_udp_sendrecv_all_ports(nscd_t) +corenet_udp_bind_all_nodes(nscd_t) +corenet_udp_bind_all_nodes(nscd_t) corenet_tcp_connect_all_ports(nscd_t) corenet_sendrecv_all_client_packets(nscd_t) corenet_rw_tun_tap_dev(nscd_t) @@ -93,6 +100,7 @@ libs_use_ld_so(nscd_t) libs_use_shared_libs(nscd_t) +logging_send_audit_msgs(nscd_t) logging_send_syslog_msg(nscd_t) miscfiles_read_localization(nscd_t) @@ -114,3 +122,12 @@ xen_dontaudit_rw_unix_stream_sockets(nscd_t) xen_append_log(nscd_t) ') + +optional_policy(` + tunable_policy(`samba_domain_controller',` + samba_append_log(nscd_t) + samba_dontaudit_use_fds(nscd_t) + ') + samba_read_config(nscd_t) + samba_read_var_files(nscd_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.fc serefpolicy-3.2.5/policy/modules/services/ntp.fc --- nsaserefpolicy/policy/modules/services/ntp.fc 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/ntp.fc 2007-12-19 05:38:09.000000000 -0500 @@ -17,3 +17,8 @@ /var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0) /var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0) + +/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0) +/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0) + +/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.2.5/policy/modules/services/ntp.if --- nsaserefpolicy/policy/modules/services/ntp.if 2007-03-26 10:39:05.000000000 -0400 +++ serefpolicy-3.2.5/policy/modules/services/ntp.if 2007-12-19 05:38:09.000000000 -0500 
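Review bot: `corenet_udp_bind_all_nodes(nscd_t)` is added twice in a row; one copy is a duplicate, and given the tcp/udp pairing of the surrounding `corenet_*_sendrecv_all_ports` lines the first was probably meant to be `corenet_tcp_bind_all_nodes(nscd_t)`. If nscd only needs to bind UDP sockets, delete the second line instead; either way the duplicate should not ship. `logging_send_audit_msgs(nscd_t)` in the next hunk correctly replaces the raw `audit_write` / `netlink_audit_socket` rules removed earlier in this file.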
@@ -53,3 +53,22 @@ corecmd_search_bin($1) domtrans_pattern($1,ntpdate_exec_t,ntpd_t) ') + +######################################## +## +## Execute ntp server in the ntpd domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`ntp_script_domtrans',` + gen_require(` + type ntpd_script_exec_t; + ') + + init_script_domtrans_spec($1,ntpd_script_exec_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.2.5/policy/modules/services/ntp.te --- nsaserefpolicy/policy/modules/services/ntp.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/ntp.te 2007-12-19 05:38:09.000000000 -0500 @@ -25,6 +25,12 @@ type ntpdate_exec_t; init_system_domain(ntpd_t,ntpdate_exec_t) +type ntpd_key_t; +files_type(ntpd_key_t) + +type ntpd_script_exec_t; +init_script_type(ntpd_script_exec_t) + ######################################## # # Local policy @@ -36,6 +42,7 @@ dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice }; allow ntpd_t self:process { signal_perms setcap setsched setrlimit }; allow ntpd_t self:fifo_file { read write getattr }; +allow ntpd_t self:shm create_shm_perms; allow ntpd_t self:unix_dgram_socket create_socket_perms; allow ntpd_t self:unix_stream_socket create_socket_perms; allow ntpd_t self:tcp_socket create_stream_socket_perms; @@ -49,6 +56,8 @@ manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t) logging_log_filetrans(ntpd_t,ntpd_log_t,{ file dir }) +read_files_pattern(ntpd_t,ntpd_key_t,ntpd_key_t) + # for some reason it creates a file in /tmp manage_dirs_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t) manage_files_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t) @@ -82,6 +91,8 @@ fs_getattr_all_fs(ntpd_t) fs_search_auto_mountpoints(ntpd_t) +# Necessary to communicate with gpsd devices +fs_rw_tmpfs_files(ntpd_t) auth_use_nsswitch(ntpd_t) 
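Review bot: `fs_rw_tmpfs_files(ntpd_t)` grants read/write on every `tmpfs_t` file for the sake of gpsd, which is far broader than the shared-memory segment the comment describes and also reaches any other daemon's tmpfs data. The least-privilege form is a gpsd-labeled shm type with a gpsd-specific interface; if none exists yet, extend the comment to `# Necessary to communicate with gpsd devices (shared memory on tmpfs) - TODO narrow to a gpsd-labeled type`. The `ntpd_key_t` addition (`read_files_pattern(ntpd_t,ntpd_key_t,ntpd_key_t)`) is a good split of symmetric keys out of generic `etc_t`; mention in the commit message that existing installs need `restorecon -R /etc/ntp` to pick up the new labels.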
@@ -105,6 +116,10 @@ miscfiles_read_localization(ntpd_t) +sysnet_dontaudit_dhcpc_use_fds(ntpd_t) + +term_use_ptmx(ntpd_t) + userdom_dontaudit_use_unpriv_user_fds(ntpd_t) userdom_list_sysadm_home_dirs(ntpd_t) userdom_dontaudit_list_sysadm_home_dirs(ntpd_t) @@ -120,6 +135,10 @@ ') optional_policy(` + hal_dontaudit_write_log(ntpd_t) +') + +optional_policy(` logrotate_exec(ntpd_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.2.5/policy/modules/services/oddjob.te --- nsaserefpolicy/policy/modules/services/oddjob.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/oddjob.te 2008-01-04 12:24:30.000000000 -0500 @@ -15,6 +15,7 @@ type oddjob_mkhomedir_t; type oddjob_mkhomedir_exec_t; domain_type(oddjob_mkhomedir_t) +domain_obj_id_change_exemption(oddjob_mkhomedir_t) init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) 
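Review bot: `term_use_ptmx(ntpd_t)` in the first ntp.te hunk here is added without a why-comment, unlike the neighbouring `fs_rw_tmpfs_files` rule that explains its gpsd use; pty access for a time daemon is unusual enough to document, e.g. `# refclock drivers reach serial/GPS devices through a pty — TODO confirm` if that is the reason. `sysnet_dontaudit_dhcpc_use_fds(ntpd_t)` and the new hal dontaudit are denial-noise suppression and need no comment.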
@@ -68,20 +69,38 @@ # oddjob_mkhomedir local policy # +allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override }; +allow oddjob_mkhomedir_t self:process setfscreate; allow oddjob_mkhomedir_t self:fifo_file { read write }; allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms; files_read_etc_files(oddjob_mkhomedir_t) +kernel_read_system_state(oddjob_mkhomedir_t) + +auth_use_nsswitch(oddjob_mkhomedir_t) + libs_use_ld_so(oddjob_mkhomedir_t) libs_use_shared_libs(oddjob_mkhomedir_t) +logging_send_syslog_msg(oddjob_mkhomedir_t) + miscfiles_read_localization(oddjob_mkhomedir_t) +selinux_get_fs_mount(oddjob_mkhomedir_t) +selinux_validate_context(oddjob_mkhomedir_t) +selinux_compute_access_vector(oddjob_mkhomedir_t) +selinux_compute_create_context(oddjob_mkhomedir_t) +selinux_compute_relabel_context(oddjob_mkhomedir_t) +selinux_compute_user_contexts(oddjob_mkhomedir_t) + +seutil_read_config(oddjob_mkhomedir_t) +seutil_read_file_contexts(oddjob_mkhomedir_t) +seutil_read_default_contexts(oddjob_mkhomedir_t) + # Add/remove user home directories +userdom_manage_unpriv_users_home_content_dirs(oddjob_mkhomedir_t) userdom_home_filetrans_generic_user_home_dir(oddjob_mkhomedir_t) -userdom_manage_generic_user_home_content_dirs(oddjob_mkhomedir_t) -userdom_manage_generic_user_home_content_files(oddjob_mkhomedir_t) -userdom_manage_generic_user_home_dirs(oddjob_mkhomedir_t) -userdom_manage_staff_home_dirs(oddjob_mkhomedir_t) +userdom_manage_all_users_home_content_dirs(oddjob_mkhomedir_t) +userdom_manage_all_users_home_content_files(oddjob_mkhomedir_t) userdom_generic_user_home_dir_filetrans_generic_user_home_content(oddjob_mkhomedir_t,notdevfile_class_set) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openct.te serefpolicy-3.2.5/policy/modules/services/openct.te --- nsaserefpolicy/policy/modules/services/openct.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/openct.te 2007-12-19 
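Review bot: The oddjob_mkhomedir hunk grants `dac_override` alongside `chown fowner fsetid`, `setfscreate`, `userdom_manage_all_users_home_content_dirs/files` and (in the preceding hunk) `domain_obj_id_change_exemption`, with no comment saying which operation needs each; together they let this helper create, relabel and rewrite content in every user's home directory, so it is worth stating the minimum. If the helper runs as root and only creates new directories, `dac_override` may be unnecessary and should be dropped after testing; otherwise add `# dac_override: <operation that needs it — TODO confirm>` above the capability line. `userdom_manage_generic_user_home_dirs` and `userdom_manage_staff_home_dirs` were removed; please confirm that creating the top-level home directory itself is still covered by `userdom_home_filetrans_generic_user_home_dir` plus the remaining content rules.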
05:38:09.000000000 -0500 @@ -22,6 +22,7 @@ allow openct_t self:process signal_perms; manage_files_pattern(openct_t,openct_var_run_t,openct_var_run_t) +manage_sock_files_pattern(openct_t,openct_var_run_t,openct_var_run_t) files_pid_filetrans(openct_t,openct_var_run_t,file) kernel_read_kernel_sysctls(openct_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.fc serefpolicy-3.2.5/policy/modules/services/openvpn.fc --- nsaserefpolicy/policy/modules/services/openvpn.fc 2007-06-11 16:05:22.000000000 -0400 +++ serefpolicy-3.2.5/policy/modules/services/openvpn.fc 2007-12-19 05:38:09.000000000 -0500 @@ -11,5 +11,5 @@ # # /var # -/var/log/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_log_t,s0) +/var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0) /var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.2.5/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/openvpn.te 2007-12-19 05:38:09.000000000 -0500 @@ -8,7 +8,7 @@ ## ##
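Review bot: The new openvpn.fc pattern `/var/log/openvpn.*` has an unescaped `.`, so it matches anything beginning with `/var/log/openvpn`, including an unrelated `/var/log/openvpn-other` or `/var/log/openvpnd`; if the goal is the directory plus `openvpn.log`-style files, two entries, `/var/log/openvpn(/.*)?` and `/var/log/openvpn\..*`, would be precise. As written it is a superset of the old directory pattern, so nothing previously labelled loses its label.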

-## Allow openvpn to read home directories +## Allow openvpn service access to users home directories ##

##
gen_tunable(openvpn_enable_homedirs,false) @@ -35,7 +35,7 @@ # openvpn local policy # -allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_tty_config }; +allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config }; allow openvpn_t self:process { signal getsched }; allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -110,3 +110,12 @@ networkmanager_dbus_chat(openvpn_t) ') + + +# Need to interact with terminals if config option "auth-user-pass" is used +userdom_use_sysadm_terms(openvpn_t) + +optional_policy(` + unconfined_use_terminals(openvpn_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.2.5/policy/modules/services/pcscd.te --- nsaserefpolicy/policy/modules/services/pcscd.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/pcscd.te 2007-12-19 05:38:09.000000000 -0500 @@ -45,6 +45,7 @@ files_read_etc_files(pcscd_t) files_read_etc_runtime_files(pcscd_t) +term_use_unallocated_ttys(pcscd_t) term_dontaudit_getattr_pty_dirs(pcscd_t) libs_use_ld_so(pcscd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.2.5/policy/modules/services/pegasus.te --- nsaserefpolicy/policy/modules/services/pegasus.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/pegasus.te 2007-12-19 05:38:09.000000000 -0500 @@ -42,6 +42,7 @@ allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink }; allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; +manage_dirs_pattern(pegasus_t,pegasus_data_t,pegasus_data_t) manage_files_pattern(pegasus_t,pegasus_data_t,pegasus_data_t) manage_lnk_files_pattern(pegasus_t,pegasus_data_t,pegasus_data_t) filetrans_pattern(pegasus_t,pegasus_conf_t,pegasus_data_t,{ file dir }) 
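Review bot: `sys_chroot` is added to openvpn_t's capability set in the `@@ -35` openvpn.te hunk without a comment, while the terminal rules in the next hunk do carry one; a one-liner such as `# sys_chroot: openvpn's --chroot option — TODO confirm` keeps the file consistent. In that next hunk, `userdom_use_sysadm_terms(openvpn_t)` is unconditional even though the comment ties it to the `auth-user-pass` option; since it gives the daemon read/write on the administrator's terminal, consider gating it behind a tunable so the default policy stays closed. The stray double blank line before that comment can also go.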
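Review bot: `term_use_unallocated_ttys(pcscd_t)` in the pcscd.te hunk lacks a why-comment, and access to unallocated ttys by a smart-card daemon is not obvious from the surrounding rules (the next line is a dontaudit). Suggest `# serial smart-card readers are attached via tty devices — TODO confirm` above it, or, if only a specific device node is needed, a narrower device interface.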
@@ -95,13 +96,12 @@ auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) +auth_read_shadow(pegasus_t) domain_use_interactive_fds(pegasus_t) domain_read_all_domains_state(pegasus_t) -files_read_etc_files(pegasus_t) -files_list_var_lib(pegasus_t) -files_read_var_lib_files(pegasus_t) +files_read_all_files(pegasus_t) files_read_var_lib_symlinks(pegasus_t) hostname_exec(pegasus_t) @@ -113,19 +113,16 @@ libs_use_shared_libs(pegasus_t) logging_send_audit_msgs(pegasus_t) +logging_send_syslog_msg(pegasus_t) miscfiles_read_localization(pegasus_t) -sysnet_read_config(pegasus_t) +sysnet_domtrans_ifconfig(pegasus_t) userdom_dontaudit_use_unpriv_user_fds(pegasus_t) userdom_dontaudit_search_sysadm_home_dirs(pegasus_t) optional_policy(` - logging_send_syslog_msg(pegasus_t) -') - -optional_policy(` rpm_exec(pegasus_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.2.5/policy/modules/services/polkit.fc --- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/polkit.fc 2007-12-19 09:37:14.000000000 -0500 @@ -0,0 +1,6 @@ + +/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0) + +/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) +/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_run_t,s0) +/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.2.5/policy/modules/services/polkit.if --- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/polkit.if 2007-12-19 05:38:09.000000000 -0500 
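Review bot: The pegasus.te hunk replaces `files_read_etc_files`, `files_list_var_lib` and `files_read_var_lib_files` with `files_read_all_files(pegasus_t)` and additionally adds `auth_read_shadow(pegasus_t)`, which is a large widening for a network-facing CIM server: it can now read every ordinary file on the system plus the password hashes, so a compromise of pegasus_t discloses far more than before. `auth_domtrans_chk_passwd(pegasus_t)` is already present and is the confined way to verify passwords, so the direct shadow read looks redundant; please confirm which code path needs it and, if it is genuinely required, add a comment saying so. For the file access, keep the three original rules and add only the specific interfaces the observed denials called for instead of the blanket grant. Moving `logging_send_syslog_msg` out of its optional block and the `sysnet_domtrans_ifconfig` change are fine.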
@@ -0,0 +1,60 @@ + +## policy for polkit_auth + +######################################## +## +## Execute a domain transition to run polkit_auth. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`polkit_domtrans_auth',` + gen_require(` + type polkit_auth_t; + type polkit_auth_exec_t; + ') + + domtrans_pattern($1,polkit_auth_exec_t,polkit_auth_t) +') + +######################################## +## +## Search polkit lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`polkit_search_lib',` + gen_require(` + type polkit_var_lib_t; + ') + + allow $1 polkit_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## read polkit lib files +## +## +## +## Domain allowed access. +## +## +# +interface(`polkit_read_lib',` + gen_require(` + type polkit_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, polkit_var_lib_t, polkit_var_lib_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.2.5/policy/modules/services/polkit.te --- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/polkit.te 2007-12-19 15:17:09.000000000 -0500 
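Review bot: In the new polkit.if, `polkit_read_lib` grants read on `polkit_var_lib_t`, which per polkit.fc labels both `/var/lib/PolicyKit` and `/var/lib/PolicyKit-public`, so a caller that needs only the public directory also gets the private one; if the two trees differ in sensitivity, a separate type for the public tree would let callers receive the smaller grant (confirm the contents before splitting). Minor doc/style: the summary `## read polkit lib files` should be capitalised and punctuated like the other summaries (`## Read polkit lib files.`), and `read_files_pattern($1, polkit_var_lib_t, polkit_var_lib_t)` uses spaces after the commas while the rest of the file does not.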
@@ -0,0 +1,63 @@ +policy_module(polkit_auth,1.0.0) + +######################################## +# +# Declarations +# + +type polkit_auth_t; +type polkit_auth_exec_t; +domain_type(polkit_auth_t) +init_daemon_domain(polkit_auth_t, polkit_auth_exec_t) + +type polkit_var_lib_t; +files_type(polkit_var_lib_t) + +type polkit_var_run_t; +files_pid_file(polkit_var_run_t) + +######################################## +# +# polkit_auth local policy +# + +allow polkit_auth_t self:process getattr; + +allow polkit_auth_t self:unix_dgram_socket create_socket_perms; +allow polkit_auth_t self:fifo_file rw_file_perms; +allow polkit_auth_t self:unix_stream_socket create_stream_socket_perms; + +can_exec(polkit_auth_t, polkit_auth_exec_t) +corecmd_search_bin(polkit_auth_t) + +domain_use_interactive_fds(polkit_auth_t) + +files_read_etc_files(polkit_auth_t) +files_read_usr_files(polkit_auth_t) + +auth_use_nsswitch(polkit_auth_t) + +libs_use_ld_so(polkit_auth_t) +libs_use_shared_libs(polkit_auth_t) + +miscfiles_read_localization(polkit_auth_t) + +logging_send_syslog_msg(polkit_auth_t) + +manage_files_pattern(polkit_auth_t, polkit_var_lib_t, polkit_var_lib_t) + +# pid file +manage_dirs_pattern(polkit_auth_t,polkit_var_run_t,polkit_var_run_t) +manage_files_pattern(polkit_auth_t,polkit_var_run_t,polkit_var_run_t) +files_pid_filetrans(polkit_auth_t,polkit_var_run_t, { file dir }) + +optional_policy(` + dbus_system_bus_client_template(polkit_auth, polkit_auth_t) + consolekit_dbus_chat(polkit_auth_t) +') + +optional_policy(` + hal_getattr(polkit_auth_t) + hal_read_state(polkit_auth_t) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.2.5/policy/modules/services/postfix.fc --- nsaserefpolicy/policy/modules/services/postfix.fc 2007-09-12 10:34:18.000000000 -0400 +++ serefpolicy-3.2.5/policy/modules/services/postfix.fc 2007-12-19 05:38:09.000000000 -0500 
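Review bot: `polkit_auth_t` is set up with `init_daemon_domain`, but its executable is `/usr/libexec/polkit-read-auth-helper` (per polkit.fc), which by name is a helper invoked by other programs rather than a daemon started by init; if no init script launches it, `application_domain(polkit_auth_t, polkit_auth_exec_t)` plus an explicit domtrans from its real caller would describe the actual transition path (confirm how it is started). `manage_files_pattern(polkit_auth_t, polkit_var_lib_t, polkit_var_lib_t)` gives write access on the lib tree without a `files_search_var_lib(polkit_auth_t)` to reach it unless that comes from elsewhere, and nothing explains why a "read-auth" helper needs to write there; `# writes <what> to /var/lib/PolicyKit — TODO confirm` would help. Style: argument lists mix spaced and unspaced commas, and the file ends with an extra blank line.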
@@ -29,12 +29,10 @@ /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) /usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) -/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0) ') /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0) /etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0) /usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -/usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.2.5/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2007-12-04 11:02:50.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/postfix.if 2007-12-19 05:38:09.000000000 -0500 @@ -416,7 +416,7 @@ ##
## # -interface(`postfix_create_pivate_sockets',` +interface(`postfix_create_private_sockets',` gen_require(` type postfix_private_t; ') @@ -427,6 +427,26 @@ ######################################## ## +## manage named socket in a postfix private directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`postfix_manage_private_sockets',` + gen_require(` + type postfix_private_t; + ') + + allow $1 postfix_private_t:dir list_dir_perms; + manage_sock_files_pattern($1,postfix_private_t,postfix_private_t) +') + + +######################################## +## ## Execute the master postfix program in the ## postfix_master domain. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.2.5/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/postfix.te 2007-12-31 14:18:01.000000000 -0500 @@ -6,6 +6,14 @@ # Declarations # +## +##
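Review bot: Renaming `postfix_create_pivate_sockets` to `postfix_create_private_sockets` is the right fix, but it silently breaks any module that still calls the misspelled name: m4 passes the unknown name through unexpanded and that module no longer compiles. Keep the old name for one release as a deprecated wrapper that forwards to the new interface and warns, as below. The following `postfix_manage_private_sockets` hunk is fine; its summary could be capitalised like its neighbours, and there is a stray extra blank line after it.
```m4
interface(`postfix_create_pivate_sockets',`
	refpolicywarn(`$0($*) has been renamed to postfix_create_private_sockets()')
	postfix_create_private_sockets($1)
')
```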

+## Allow postfix_local domain full write access to mail_spool directories +## +##

+##
+gen_tunable(allow_postfix_local_write_mail_spool,false) + attribute postfix_user_domains; # domains that transition to the # postfix user domains @@ -27,6 +35,10 @@ postfix_server_domain_template(local) mta_mailserver_delivery(postfix_local_t) +tunable_policy(`allow_postfix_local_write_mail_spool', ` + mta_rw_spool(postfix_local_t) +') + type postfix_local_tmp_t; files_tmp_file(postfix_local_tmp_t) @@ -34,6 +46,7 @@ type postfix_map_t; type postfix_map_exec_t; application_domain(postfix_map_t,postfix_map_exec_t) +role system_r types postfix_map_t; type postfix_map_tmp_t; files_tmp_file(postfix_map_tmp_t) @@ -99,6 +112,7 @@ allow postfix_master_t self:fifo_file rw_fifo_file_perms; allow postfix_master_t self:tcp_socket create_stream_socket_perms; allow postfix_master_t self:udp_socket create_socket_perms; +allow postfix_master_t self:process setrlimit; allow postfix_master_t postfix_etc_t:file rw_file_perms; @@ -174,6 +188,7 @@ mta_rw_aliases(postfix_master_t) mta_read_sendmail_bin(postfix_master_t) +mta_getattr_spool(postfix_master_t) optional_policy(` cyrus_stream_connect(postfix_master_t) @@ -248,6 +263,10 @@ corecmd_exec_bin(postfix_cleanup_t) +optional_policy(` + mailman_read_data_files(postfix_cleanup_t) +') + ######################################## # # Postfix local local policy @@ -273,6 +292,8 @@ files_read_etc_files(postfix_local_t) +logging_dontaudit_search_logs(postfix_local_t) + mta_read_aliases(postfix_local_t) mta_delete_spool(postfix_local_t) # For reading spamassasin @@ -285,6 +306,8 @@ optional_policy(` # for postalias mailman_manage_data_files(postfix_local_t) + mailman_append_log(postfix_local_t) + mailman_read_log(postfix_local_t) ') optional_policy(` 
@@ -295,8 +318,7 @@ # # Postfix map local policy # - -allow postfix_map_t self:capability setgid; +allow postfix_map_t self:capability { dac_override setgid setuid }; allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; allow postfix_map_t self:unix_dgram_socket create_socket_perms; allow postfix_map_t self:tcp_socket create_stream_socket_perms; @@ -346,8 +368,6 @@ miscfiles_read_localization(postfix_map_t) -seutil_read_config(postfix_map_t) - tunable_policy(`read_default_t',` files_list_default(postfix_map_t) files_read_default_files(postfix_map_t) @@ -360,6 +380,11 @@ locallogin_dontaudit_use_fds(postfix_map_t) ') +optional_policy(` +# for postalias + mailman_manage_data_files(postfix_map_t) +') + ######################################## # # Postfix pickup local policy @@ -392,6 +417,10 @@ rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t) optional_policy(` + dovecot_domtrans_deliver(postfix_pipe_t) +') + +optional_policy(` procmail_domtrans(postfix_pipe_t) ') @@ -400,6 +429,10 @@ ') optional_policy(` + mta_manage_spool(postfix_pipe_t) +') + +optional_policy(` uucp_domtrans_uux(postfix_pipe_t) ') @@ -532,9 +565,6 @@ # connect to master process stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t) -# Connect to policy server -corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) - # for prng_exch allow postfix_smtpd_t postfix_spool_t:file rw_file_perms; allow postfix_smtpd_t postfix_prng_t:file rw_file_perms; 
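Review bot: The postfix_map_t capability set grows from `setgid` to `{ dac_override setgid setuid }` with no comment; `dac_override` lets the map-building tool bypass DAC on any file it can reach, so say which operation needs it (`# dac_override/setuid: postalias rebuilding alias maps — TODO confirm`) or drop it if testing shows only `setuid` was missing. In the same file the new `+# for postalias` comment sits at column 0 inside an indented `optional_policy` block, whereas the matching comment in the earlier postfix_local hunk is indented; indent it to match. Removing `corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)` takes away smtpd's ability to reach a policy server, which is fine if that port type was dropped elsewhere, but the reason should be recorded in the commit message.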
@@ -557,6 +587,10 @@ sasl_connect(postfix_smtpd_t) ') +optional_policy(` + dovecot_auth_stream_connect(postfix_smtpd_t) +') + ######################################## # # Postfix virtual local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.2.5/policy/modules/services/postgresql.fc --- nsaserefpolicy/policy/modules/services/postgresql.fc 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/postgresql.fc 2007-12-19 05:38:09.000000000 -0500 @@ -38,3 +38,5 @@ ') /var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0) + +/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.2.5/policy/modules/services/postgresql.if --- nsaserefpolicy/policy/modules/services/postgresql.if 2007-11-29 13:29:35.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/postgresql.if 2007-12-19 05:38:09.000000000 -0500 
@@ -120,3 +120,77 @@ # Some versions of postgresql put the sock file in /tmp allow $1 postgresql_tmp_t:sock_file write; ') + +######################################## +## +## Execute postgresql server in the posgresql domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`postgresql_script_domtrans',` + gen_require(` + type postgresql_script_exec_t; + ') + + init_script_domtrans_spec($1,postgresql_script_exec_t) +') + +######################################## +## +## All of the rules required to administrate an postgresql environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the postgresql domain. +## +## +## +## +## The type of the terminal allow the postgresql domain to use. +## +## +## +# +interface(`postgresql_admin',` + gen_require(` + type postgresql_t; + type postgresql_var_run_t; + type postgresql_tmp_t; + type postgresql_db_t; + type postgresql_etc_t; + type postgresql_log_t; + ') + + allow $1 postgresql_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, postgresql_t, postgresql_t) + + # Allow $1 to restart the apache service + postgresql_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 postgresql_script_exec_t system_r; + allow $2 system_r; + + manage_dirs_pattern($1,postgresql_var_run_t,postgresql_var_run_t) + manage_files_pattern($1,postgresql_var_run_t,postgresql_var_run_t) + + manage_dirs_pattern($1,postgresql_db_t,postgresql_db_t) + manage_files_pattern($1,postgresql_db_t,postgresql_db_t) + + manage_dirs_pattern($1,postgresql_etc_t,postgresql_etc_t) + manage_files_pattern($1,postgresql_etc_t,postgresql_etc_t) + + manage_dirs_pattern($1,postgresql_log_t,postgresql_log_t) + manage_files_pattern($1,postgresql_log_t,postgresql_log_t) + + manage_dirs_pattern($1,postgresql_tmp_t,postgresql_tmp_t) + manage_files_pattern($1,postgresql_tmp_t,postgresql_tmp_t) +') diff --exclude-from=exclude -N -u -r 
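Review bot: The comment in `postgresql_admin` reads `# Allow $1 to restart the apache service` but the rules below transition into the postgresql init script; it is a copy-paste leftover and should say `# Allow $1 to restart the postgresql service`. Two more doc slips in this hunk: the summary of `postgresql_script_domtrans` spells `posgresql`, and `administrate an postgresql environment` should read `administer a postgresql environment`. The admin interface also hands out `ptrace` on postgresql_t, which permits inspecting the database server's memory; that is the usual refpolicy admin pattern, but stating it in the interface description lets callers understand the grant.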
nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.2.5/policy/modules/services/postgresql.te --- nsaserefpolicy/policy/modules/services/postgresql.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/postgresql.te 2007-12-19 05:38:09.000000000 -0500 @@ -27,6 +27,9 @@ type postgresql_var_run_t; files_pid_file(postgresql_var_run_t) +type postgresql_script_exec_t; +init_script_type(postgresql_script_exec_t) + ######################################## # # postgresql Local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.2.5/policy/modules/services/ppp.fc --- nsaserefpolicy/policy/modules/services/ppp.fc 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/ppp.fc 2007-12-19 05:38:09.000000000 -0500 @@ -25,7 +25,7 @@ # # /var # -/var/run/(i)?ppp.*pid -- gen_context(system_u:object_r:pppd_var_run_t,s0) +/var/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0) /var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0) /var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0) # Fix pptp sockets diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.2.5/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/ppp.te 2007-12-31 17:30:15.000000000 -0500 @@ -162,6 +162,8 @@ init_read_utmp(pppd_t) init_dontaudit_write_utmp(pppd_t) +auth_use_nsswitch(pppd_t) + libs_use_ld_so(pppd_t) libs_use_shared_libs(pppd_t) 
@@ -194,14 +196,12 @@ optional_policy(` mta_send_mail(pppd_t) + mta_mailcontent(pppd_etc_t) + mta_mailcontent(pppd_etc_rw_t) ') optional_policy(` - nis_use_ypbind(pppd_t) -') - -optional_policy(` - nscd_socket_use(pppd_t) + networkmanager_signal(pppd_t) ') optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.if serefpolicy-3.2.5/policy/modules/services/procmail.if --- nsaserefpolicy/policy/modules/services/procmail.if 2007-01-02 12:57:43.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/procmail.if 2007-12-31 15:18:55.000000000 -0500 @@ -39,3 +39,22 @@ corecmd_search_bin($1) can_exec($1,procmail_exec_t) ') + +######################################## +## +## Read procmail tmp files. +## +## +## +## Domain allowed access. +## +## +# +interface(`procmail_read_tmp_files',` + gen_require(` + type procmail_tmp_t; + ') + + files_search_tmp($1) + allow $1 procmail_tmp_t:file read_file_perms; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.2.5/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/procmail.te 2008-01-03 10:56:43.000000000 -0500 @@ -129,7 +129,9 @@ corenet_udp_bind_generic_port(procmail_t) corenet_dontaudit_udp_bind_all_ports(procmail_t) - spamassassin_exec(procmail_t) - spamassassin_exec_client(procmail_t) - spamassassin_read_lib_files(procmail_t) + spamassassin_domtrans(procmail_t) +') + +optional_policy(` + mailscanner_read_spool(procmail_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.2.5/policy/modules/services/pyzor.fc --- nsaserefpolicy/policy/modules/services/pyzor.fc 2007-10-12 08:56:07.000000000 -0400 +++ serefpolicy-3.2.5/policy/modules/services/pyzor.fc 2007-12-19 05:38:09.000000000 -0500 
@@ -1,6 +1,6 @@ /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) -HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:ROLE_pyzor_home_t,s0) +HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:user_pyzor_home_t,s0) /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.2.5/policy/modules/services/pyzor.if --- nsaserefpolicy/policy/modules/services/pyzor.if 2007-10-12 08:56:07.000000000 -0400 +++ serefpolicy-3.2.5/policy/modules/services/pyzor.if 2007-12-19 05:38:09.000000000 -0500 @@ -25,16 +25,18 @@ # template(`pyzor_per_role_template',` gen_require(` - type pyzord_t; + type pyzor_t; + type user_pyzor_home_t; ') - type $1_pyzor_home_t; - userdom_user_home_content($1, $1_pyzor_home_t) + ifelse(`$1',`user',`',` + typealias user_pyzor_home_t alias $1_pyzor_home_t; + ') - manage_dirs_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t) - manage_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t) - manage_lnk_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t) - userdom_user_home_dir_filetrans($1, pyzord_t, $1_pyzor_home_t, { dir file lnk_file }) + manage_dirs_pattern(pyzor_t,user_pyzor_home_t,user_pyzor_home_t) + manage_files_pattern(pyzor_t,user_pyzor_home_t,user_pyzor_home_t) + manage_lnk_files_pattern(pyzor_t,user_pyzor_home_t,user_pyzor_home_t) + userdom_user_home_dir_filetrans($1,pyzor_t,user_pyzor_home_t,{ dir file lnk_file }) ') ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.2.5/policy/modules/services/pyzor.te --- nsaserefpolicy/policy/modules/services/pyzor.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/pyzor.te 2007-12-31 15:19:10.000000000 -0500 
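Review bot: The pyzor.fc/pyzor.if hunks collapse the per-role `$1_pyzor_home_t` types into a single `user_pyzor_home_t`, with the other roles reduced to `typealias`es; `~/.pyzor` under a staff or sysadm home is therefore no longer a distinct type from an ordinary user's, so any domain allowed `user_pyzor_home_t` reaches all of them. If that loss of role separation is intended (it mirrors the razor.if/razor.te change further down), a comment above the `ifelse` saying so would save the next reader from re-deriving it; otherwise keep the per-role type.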
@@ -28,6 +28,9 @@ type pyzor_var_lib_t; files_type(pyzor_var_lib_t) +type user_pyzor_home_t; +userdom_user_home_content(user,user_pyzor_home_t) + ######################################## # # Pyzor local policy @@ -68,6 +71,8 @@ miscfiles_read_localization(pyzor_t) +mta_read_queue(pyzor_t) + userdom_dontaudit_search_sysadm_home_dirs(pyzor_t) optional_policy(` @@ -76,8 +81,13 @@ ') optional_policy(` + procmail_read_tmp_files(pyzor_t) +') + +optional_policy(` spamassassin_signal_spamd(pyzor_t) spamassassin_read_spamd_tmp_files(pyzor_t) + userdom_read_user_home_content_files(unconfined,pyzor_t) ') ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.te serefpolicy-3.2.5/policy/modules/services/qmail.te --- nsaserefpolicy/policy/modules/services/qmail.te 2007-10-02 09:54:52.000000000 -0400 +++ serefpolicy-3.2.5/policy/modules/services/qmail.te 2008-01-07 16:36:33.000000000 -0500 @@ -85,6 +85,8 @@ libs_use_ld_so(qmail_inject_t) libs_use_shared_libs(qmail_inject_t) +miscfiles_read_localization(qmail_inject_t) + qmail_read_config(qmail_inject_t) ######################################## @@ -106,15 +108,25 @@ kernel_read_system_state(qmail_local_t) +corecmd_exec_bin(qmail_local_t) corecmd_exec_shell(qmail_local_t) +can_exec(qmail_local_t, qmail_local_exec_t) files_read_etc_files(qmail_local_t) files_read_etc_runtime_files(qmail_local_t) +auth_use_nsswitch(qmail_local_t) + +logging_send_syslog(qmail_local_t) + mta_append_spool(qmail_local_t) qmail_domtrans_queue(qmail_local_t) +optional_policy(` + spamassassin_domtrans_spamc(qmail_local_t) +') + ######################################## # # qmail-lspawn local policy 
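Review bot: `userdom_read_user_home_content_files(unconfined,pyzor_t)` is added inside the pyzor.te `optional_policy` block that otherwise concerns spamassassin (`spamassassin_signal_spamd`, `spamassassin_read_spamd_tmp_files`), so it is switched on or off by spamassassin's presence rather than by anything to do with unconfined users. Move it out of that block (or into one keyed on the unconfined module) and add a line saying which files pyzor needs from unconfined users' home directories.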
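Review bot: `logging_send_syslog(qmail_local_t)` in the qmail.te `@@ -106` hunk calls an interface that does not exist under that name; every other file in this patch (nscd.te, oddjob.te, pegasus.te, polkit.te) uses `logging_send_syslog_msg`, and an unknown macro is left unexpanded by m4 so the qmail module will fail to build. The same typo appears in the next qmail.te hunk for `qmail_queue_t`. Change both to `logging_send_syslog_msg(qmail_local_t)` and `logging_send_syslog_msg(qmail_queue_t)`.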
@@ -155,6 +167,10 @@ manage_files_pattern(qmail_queue_t,qmail_spool_t,qmail_spool_t) rw_fifo_files_pattern(qmail_queue_t,qmail_spool_t,qmail_spool_t) +corecmd_exec_bin(qmail_queue_t) + +logging_send_syslog(qmail_queue_t) + optional_policy(` daemontools_ipc_domain(qmail_queue_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.2.5/policy/modules/services/razor.fc --- nsaserefpolicy/policy/modules/services/razor.fc 2007-10-12 08:56:07.000000000 -0400 +++ serefpolicy-3.2.5/policy/modules/services/razor.fc 2007-12-19 05:38:09.000000000 -0500 @@ -1,4 +1,4 @@ -HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:ROLE_razor_home_t,s0) +HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:user_razor_home_t,s0) /etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.2.5/policy/modules/services/razor.if --- nsaserefpolicy/policy/modules/services/razor.if 2007-07-16 14:09:46.000000000 -0400 +++ serefpolicy-3.2.5/policy/modules/services/razor.if 2007-12-19 05:38:09.000000000 -0500 @@ -137,6 +137,7 @@ template(`razor_per_role_template',` gen_require(` type razor_exec_t; + type user_razor_home_t, user_razor_tmp_t; ') type $1_razor_t; 
@@ -145,12 +146,10 @@ razor_common_domain_template($1_razor) role $3 types $1_razor_t; - type $1_razor_home_t alias $1_razor_rw_t; - files_poly_member($1_razor_home_t) - userdom_user_home_content($1,$1_razor_home_t) - - type $1_razor_tmp_t; - files_tmp_file($1_razor_tmp_t) + ifelse(`$1',`user',`',` + typealias user_razor_home_t alias $1_razor_home_t; + typealias user_razor_tmp_t alias $1_razor_tmp_t; + ') ############################## # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.2.5/policy/modules/services/razor.te --- nsaserefpolicy/policy/modules/services/razor.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/razor.te 2007-12-19 05:38:09.000000000 -0500 @@ -23,6 +23,12 @@ razor_common_domain_template(razor) +type user_razor_home_t; +userdom_user_home_content(user,user_razor_home_t) + +type user_razor_tmp_t; +files_tmp_file(user_razor_tmp_t) + ######################################## # # Local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.if serefpolicy-3.2.5/policy/modules/services/remotelogin.if --- nsaserefpolicy/policy/modules/services/remotelogin.if 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/remotelogin.if 2007-12-19 05:38:09.000000000 -0500 
@@ -18,3 +18,20 @@ auth_domtrans_login_program($1,remote_login_t) ') +######################################## +## +## allow Domain to signal remote login domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`remotelogin_signal',` + gen_require(` + type remote_login_t; + ') + + allow $1 remote_login_t:process signal; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.2.5/policy/modules/services/remotelogin.te --- nsaserefpolicy/policy/modules/services/remotelogin.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/remotelogin.te 2007-12-19 05:38:09.000000000 -0500 @@ -85,6 +85,7 @@ miscfiles_read_localization(remote_login_t) +userdom_read_all_users_home_dirs_symlinks(remote_login_t) userdom_use_unpriv_users_fds(remote_login_t) userdom_search_all_users_home_content(remote_login_t) # Only permit unprivileged user domains to be entered via rlogin, diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.2.5/policy/modules/services/rlogin.te --- nsaserefpolicy/policy/modules/services/rlogin.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/rlogin.te 2007-12-19 05:38:09.000000000 -0500 @@ -36,6 +36,8 @@ allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr }; term_create_pty(rlogind_t,rlogind_devpts_t) +domain_interactive_fd(rlogind_t) + # for /usr/lib/telnetlogin can_exec(rlogind_t, rlogind_exec_t) 
@@ -82,23 +84,21 @@ miscfiles_read_localization(rlogind_t) -seutil_dontaudit_search_config(rlogind_t) +seutil_read_config(rlogind_t) userdom_setattr_unpriv_users_ptys(rlogind_t) # cjp: this is egregious userdom_read_all_users_home_content_files(rlogind_t) remotelogin_domtrans(rlogind_t) +remotelogin_signal(rlogind_t) optional_policy(` + kerberos_use(rlogind_t) kerberos_read_keytab(rlogind_t) + kerberos_manage_host_rcache(rlogind_t) ') optional_policy(` tcpd_wrapped_domain(rlogind_t, rlogind_exec_t) ') - -ifdef(`TODO',` -# Allow krb5 rlogind to use fork and open /dev/tty for use -allow rlogind_t userpty_type:chr_file setattr; -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.2.5/policy/modules/services/rpcbind.te --- nsaserefpolicy/policy/modules/services/rpcbind.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/rpcbind.te 2007-12-19 05:38:09.000000000 -0500 @@ -21,11 +21,13 @@ # rpcbind local policy # -allow rpcbind_t self:capability setuid; +allow rpcbind_t self:capability { dac_override setuid sys_tty_config }; allow rpcbind_t self:fifo_file rw_file_perms; allow rpcbind_t self:unix_stream_socket create_stream_socket_perms; allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms; allow rpcbind_t self:udp_socket create_socket_perms; +# BROKEN ... +dontaudit rpcbind_t self:udp_socket listen; allow rpcbind_t self:tcp_socket create_stream_socket_perms; manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t) 
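Review bot: The `# BROKEN ...` comment above `dontaudit rpcbind_t self:udp_socket listen;` in rpcbind.te says nothing about what is broken or why the denial is expected; a dontaudit is a decision to hide a denial, so the reason belongs next to it, e.g. `# rpcbind calls listen() on its UDP socket; the kernel refuses it harmlessly, so do not audit — TODO confirm`. In the same hunk rpcbind_t's capabilities grow from `setuid` to `{ dac_override setuid sys_tty_config }`; `dac_override` for a portmapper is unexpected and should carry a one-line justification or be dropped after verifying which file access triggered it. The rlogin.te change from `seutil_dontaudit_search_config` to `seutil_read_config` is a genuine widening (read instead of a hidden denial) but reasonable for a login program.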
@@ -37,6 +39,7 @@ manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t) files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file }) +kernel_read_system_state(rpcbind_t) kernel_read_network_state(rpcbind_t) corenet_all_recvfrom_unlabeled(rpcbind_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.2.5/policy/modules/services/rpc.if --- nsaserefpolicy/policy/modules/services/rpc.if 2007-12-04 11:02:50.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/rpc.if 2007-12-19 05:38:09.000000000 -0500 @@ -88,8 +88,11 @@ # bind to arbitary unused ports corenet_tcp_bind_generic_port($1_t) corenet_udp_bind_generic_port($1_t) - corenet_udp_bind_reserved_port($1_t) + corenet_dontaudit_tcp_bind_all_ports($1_t) + corenet_dontaudit_udp_bind_all_ports($1_t) corenet_sendrecv_generic_server_packets($1_t) + corenet_tcp_bind_all_rpc_ports($1_t) + corenet_udp_bind_all_rpc_ports($1_t) fs_rw_rpc_named_pipes($1_t) fs_search_auto_mountpoints($1_t) @@ -208,6 +211,24 @@ ######################################## ## +## Execute domain in nfsd domain. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`rpc_domtrans_rpcd',` + gen_require(` + type rpcd_t, rpcd_exec_t; + ') + + domtrans_pattern($1,rpcd_exec_t,rpcd_t) +') + +######################################## +## ## Read NFS exported content. ## ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.2.5/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/rpc.te 2007-12-19 05:38:09.000000000 -0500 
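Review bot: `corenet_dontaudit_tcp_bind_all_ports($1_t)` and `corenet_dontaudit_udp_bind_all_ports($1_t)` in the rpc.if template hunk silence every bind denial for every RPC daemon type derived from this template, so a daemon that lands on a wrong, named port will fail with no AVC to explain it. The adjacent `corenet_*_bind_all_rpc_ports` and `corenet_*_bind_generic_port` lines already cover the legitimate range, which suggests the dontaudits suppress a probe loop (rpcbind-style port scanning) rather than a needed access. I would either drop them or keep them with a comment naming the behaviour they hide, e.g. `# daemons probe for a free port and retry on failure; do not log the misses`.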
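Review bot: The summary for the new `rpc_domtrans_rpcd` interface reads "Execute domain in nfsd domain." but the body does `domtrans_pattern($1,rpcd_exec_t,rpcd_t)`, i.e. it transitions into rpcd_t, not nfsd_t. Callers pick interfaces by their documentation, so this will mislead someone who wants an nfsd transition. Suggested summary: `Execute the rpcd program in the rpcd domain.`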
@@ -60,10 +60,14 @@ manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t) files_pid_filetrans(rpcd_t,rpcd_var_run_t,file) +corecmd_exec_bin(rpcd_t) + kernel_read_system_state(rpcd_t) -kernel_search_network_state(rpcd_t) +kernel_read_network_state(rpcd_t) # for rpc.rquotad kernel_read_sysctl(rpcd_t) +kernel_rw_fs_sysctls(rpcd_t) +kernel_getattr_core_if(nfsd_t) fs_list_rpc(rpcd_t) fs_read_rpc_files(rpcd_t) @@ -77,11 +81,17 @@ miscfiles_read_certs(rpcd_t) seutil_dontaudit_search_config(rpcd_t) +selinux_dontaudit_read_fs(rpcd_t) optional_policy(` nis_read_ypserv_config(rpcd_t) ') +# automount -> mount -> rpcd +optional_policy(` + automount_dontaudit_use_fds(rpcd_t) +') + ######################################## # # NFSD local policy @@ -92,9 +102,13 @@ allow nfsd_t exports_t:file { getattr read }; allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; +dev_dontaudit_getattr_all_blk_files(nfsd_t) +dev_dontaudit_getattr_all_chr_files(nfsd_t) + # for /proc/fs/nfs/exports - should we have a new type? kernel_read_system_state(nfsd_t) kernel_read_network_state(nfsd_t) +kernel_dontaudit_getattr_core_if(nfsd_t) corenet_tcp_bind_all_rpc_ports(nfsd_t) corenet_udp_bind_all_rpc_ports(nfsd_t) @@ -124,6 +138,7 @@ tunable_policy(`nfs_export_all_rw',` fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) + userdom_generic_user_home_dir_filetrans_generic_user_home_content(nfsd_t, { file dir }) ') tunable_policy(`nfs_export_all_ro',` @@ -144,6 +159,7 @@ manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) +kernel_read_system_state(gssd_t) kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_search_network_sysctl(gssd_t) 
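Review bot: `kernel_getattr_core_if(nfsd_t)` is added inside the rpcd_t local policy block (between `kernel_rw_fs_sysctls(rpcd_t)` and `fs_list_rpc(rpcd_t)`), while a later hunk on this page adds `kernel_dontaudit_getattr_core_if(nfsd_t)` in the nfsd_t block. An allow and a dontaudit for the same subject and access cannot both be meaningful: the allow wins and the dontaudit is dead. Either the first line was meant to be `kernel_getattr_core_if(rpcd_t)`, or it should be removed so the nfsd dontaudit takes effect; as written the rpcd section also now contains an nfsd_t rule, which will confuse anyone auditing what rpcd_t may do.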
@@ -157,8 +173,13 @@ files_list_tmp(gssd_t) files_read_usr_symlinks(gssd_t) +auth_read_cache(gssd_t) + miscfiles_read_certs(gssd_t) +userdom_dontaudit_search_users_home_dirs(rpcd_t) +userdom_dontaudit_search_sysadm_home_dirs(rpcd_t) + tunable_policy(`allow_gssd_read_tmp',` userdom_list_unpriv_users_tmp(gssd_t) userdom_read_unpriv_users_tmp_files(gssd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.2.5/policy/modules/services/rshd.te --- nsaserefpolicy/policy/modules/services/rshd.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/rshd.te 2007-12-19 05:38:09.000000000 -0500 @@ -16,7 +16,7 @@ # # Local policy # -allow rshd_t self:capability { setuid setgid fowner fsetid chown dac_override }; +allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override }; allow rshd_t self:process { signal_perms fork setsched setpgid setexec }; allow rshd_t self:fifo_file rw_fifo_file_perms; allow rshd_t self:tcp_socket create_stream_socket_perms; @@ -33,6 +33,9 @@ corenet_udp_sendrecv_all_ports(rshd_t) corenet_tcp_bind_all_nodes(rshd_t) corenet_tcp_bind_rsh_port(rshd_t) +corenet_tcp_bind_all_rpc_ports(rshd_t) +corenet_tcp_connect_all_ports(rshd_t) +corenet_tcp_connect_all_rpc_ports(rshd_t) corenet_sendrecv_rsh_server_packets(rshd_t) dev_read_urand(rshd_t) @@ -44,20 +47,22 @@ selinux_compute_relabel_context(rshd_t) selinux_compute_user_contexts(rshd_t) -auth_domtrans_chk_passwd(rshd_t) +auth_login_pgm_domain(rshd_t) +auth_write_login_records(rshd_t) corecmd_read_bin_symlinks(rshd_t) files_list_home(rshd_t) files_read_etc_files(rshd_t) -files_search_tmp(rshd_t) +files_manage_generic_tmp_dirs(rshd_t) -auth_use_nsswitch(rshd_t) +init_rw_utmp(rshd_t) libs_use_ld_so(rshd_t) libs_use_shared_libs(rshd_t) logging_send_syslog_msg(rshd_t) +logging_search_logs(rshd_t) miscfiles_read_localization(rshd_t) 
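Review bot: `userdom_dontaudit_search_users_home_dirs(rpcd_t)` and `userdom_dontaudit_search_sysadm_home_dirs(rpcd_t)` are inserted in the middle of the gssd_t section of rpc.te, between `miscfiles_read_certs(gssd_t)` and the `allow_gssd_read_tmp` tunable. They are rpcd_t rules and belong in the rpcd local policy block earlier in the file, next to the other `userdom_*` and dontaudit lines for that domain. Leaving them here makes a per-domain review of rpcd_t miss them.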
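Review bot: In the rshd.te hunk, `corenet_tcp_connect_all_ports(rshd_t)` already covers every port type, so the following `corenet_tcp_connect_all_rpc_ports(rshd_t)` adds nothing and should be dropped. The blanket outbound connect for a network-facing login daemon also deserves a comment; if it exists for the rsh stderr back-channel to the client, say so: `# rshd connects back to the client for the stderr channel; the client picks the port`. `corenet_tcp_bind_all_rpc_ports(rshd_t)` is the odd one out here (why would rshd bind RPC ports?) and should carry its own reason or be removed.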
@@ -78,6 +83,8 @@ optional_policy(` kerberos_use(rshd_t) + kerberos_read_keytab(rshd_t) + kerberos_manage_host_rcache(rshd_t) ') optional_policy(` @@ -86,4 +93,5 @@ optional_policy(` unconfined_shell_domtrans(rshd_t) + unconfined_signal(rshd_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.2.5/policy/modules/services/rsync.fc --- nsaserefpolicy/policy/modules/services/rsync.fc 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/rsync.fc 2007-12-19 05:38:09.000000000 -0500 @@ -1,2 +1,4 @@ /usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0) + +/var/log/rsync.log -- gen_context(system_u:object_r:rsync_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.2.5/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/rsync.te 2007-12-19 05:38:09.000000000 -0500 @@ -31,6 +31,9 @@ type rsync_data_t; files_type(rsync_data_t) +type rsync_log_t; +logging_log_file(rsync_log_t) + type rsync_tmp_t; files_tmp_file(rsync_tmp_t) @@ -42,7 +45,7 @@ # Local policy # -allow rsync_t self:capability sys_chroot; +allow rsync_t self:capability { dac_read_search dac_override setuid setgid sys_chroot }; allow rsync_t self:process signal_perms; allow rsync_t self:fifo_file rw_fifo_file_perms; allow rsync_t self:tcp_socket create_stream_socket_perms; @@ -52,7 +55,6 @@ # cjp: this should probably only be inetd_child_t rules? # search home and kerberos also. allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -allow rsync_t self:capability { setuid setgid }; #end for identd allow rsync_t rsync_data_t:dir list_dir_perms; 
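Review bot: `allow rsync_t self:capability { dac_read_search dac_override setuid setgid sys_chroot };` in the rsync.te hunk makes DAC bypass unconditional, whereas before this patch `dac_override` was only granted inside the `rsync_export_all_ro` tunable (the removal is in a later hunk on this page). With the export tunables off, the daemon can now read and write past mode bits on anything its type enforcement otherwise reaches, which is exactly what the tunable was gating. I would keep the capability tunable-scoped, e.g. inside both export blocks: `allow rsync_t self:capability { dac_read_search dac_override };`, and leave only `{ setuid setgid sys_chroot }` unconditional.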
@@ -95,7 +97,8 @@ libs_use_shared_libs(rsync_t) logging_send_syslog_msg(rsync_t) -logging_dontaudit_search_logs(rsync_t) +manage_files_pattern(rsync_t,rsync_log_t,rsync_log_t) +logging_log_filetrans(rsync_t,rsync_log_t,file) miscfiles_read_localization(rsync_t) miscfiles_read_public_files(rsync_t) @@ -117,7 +120,6 @@ ') tunable_policy(`rsync_export_all_ro',` - allow rsync_t self:capability dac_override; fs_read_noxattr_fs_files(rsync_t) auth_read_all_files_except_shadow(rsync_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.2.5/policy/modules/services/samba.fc --- nsaserefpolicy/policy/modules/services/samba.fc 2007-10-12 08:56:07.000000000 -0400 +++ serefpolicy-3.2.5/policy/modules/services/samba.fc 2007-12-19 05:38:09.000000000 -0500 @@ -15,6 +15,7 @@ /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) /usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0) /usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0) +/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) /usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0) /usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0) @@ -30,6 +31,8 @@ /var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) /var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) + /var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0) /var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.2.5/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2007-10-12 08:56:07.000000000 -0400 +++ serefpolicy-3.2.5/policy/modules/services/samba.if 2007-12-19 05:38:09.000000000 -0500 
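Review bot: The new `/var/lib/samba/scripts(/.*)?` entry labels a directory whose contents smbd executes unconfined when `samba_run_unconfined` is on (the domtrans is visible in the samba.te hunk on this page), so it needs to be stated that smbd_t and the other samba domains must have no write or add_name access to samba_unconfined_script_exec_t directories. Files created in that directory inherit its type unless a filetrans says otherwise, so any write path into it would turn into code execution as an unconfined domain. A one-line comment above the entry would help: `# scripts here run unconfined from smbd when samba_run_unconfined is on; must be root-owned and not writable by samba domains`.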
@@ -331,6 +331,25 @@ ######################################## ## +## dontaudit the specified domain to +## write samba /var files. +## +## +## +## Domain allowed access. +## +## +# +interface(`samba_dontaudit_write_var_files',` + gen_require(` + type samba_var_t; + ') + + dontaudit $1 samba_var_t:file write; +') + +######################################## +## ## Allow the specified domain to ## read and write samba /var files. ## @@ -348,6 +367,7 @@ files_search_var($1) files_search_var_lib($1) manage_files_pattern($1,samba_var_t,samba_var_t) + manage_lnk_files_pattern($1,samba_var_t,samba_var_t) ') ######################################## 
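Review bot: `manage_lnk_files_pattern($1,samba_var_t,samba_var_t)` added to `samba_rw_var_files` grants create, unlink and rename on symlinks, which goes beyond the interface's stated contract of reading and writing samba /var files. Letting arbitrary callers plant symlinks in samba_var_t is also a redirection primitive against every other domain that follows links there. If the caller only needs to traverse existing links, `read_lnk_files_pattern($1,samba_var_t,samba_var_t)` suffices; if it truly creates them, rename the interface or update its summary to say so.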
@@ -492,3 +512,102 @@ allow $1 samba_var_t:dir search_dir_perms; stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t) ') + +######################################## +## +## Create a set of derived types for apache +## web content. +## +## +## +## The prefix to be used for deriving type names. +## +## +# +template(`samba_helper_template',` + gen_require(` + type smbd_t; + ') + #This type is for samba helper scripts + type samba_$1_script_t; + domain_type(samba_$1_script_t) + role system_r types samba_$1_script_t; + + # This type is used for executable scripts files + type samba_$1_script_exec_t; + corecmd_shell_entry_type(samba_$1_script_t) + domain_entry_file(samba_$1_script_t,samba_$1_script_exec_t) + + domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t) + allow smbd_t samba_$1_script_exec_t:file ioctl; + +') + +######################################## +## +## Allow the specified domain to read samba's shares +## +## +## +## Domain allowed access. +## +## +# +interface(`samba_read_share_files',` + gen_require(` + type samba_share_t; + ') + + read_files_pattern($1, samba_share_t, samba_share_t) +') + +######################################## +## +## Execute a domain transition to run smbcontrol. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`samba_domtrans_smbcontrol',` + gen_require(` + type smbcontrol_t; + type smbcontrol_exec_t; + ') + + domtrans_pattern($1,smbcontrol_exec_t,smbcontrol_t) +') + + +######################################## +## +## Execute smbcontrol in the smbcontrol domain, and +## allow the specified role the smbcontrol domain. +## +## +## +## Domain allowed access +## +## +## +## +## The role to be allowed the smbcontrol domain. +## +## +## +## +## The type of the role's terminal. 
+## +## +# +interface(`samba_run_smbcontrol',` + gen_require(` + type smbcontrol_t; + ') + + samba_domtrans_smbcontrol($1) + role $2 types smbcontrol_t; + dontaudit smbcontrol_t $3:chr_file rw_term_perms; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.2.5/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/samba.te 2007-12-19 05:38:09.000000000 -0500 @@ -26,28 +26,28 @@ ## ##
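Review bot: The summary of `samba_helper_template` says "Create a set of derived types for apache web content." which is a copy-paste from the apache module; it should read something like `Create a derived domain and executable type for a Samba helper script run from smbd.` The template also applies `corecmd_shell_entry_type(samba_$1_script_t)`, so the derived domain can be entered through the system shell and not only through `samba_$1_script_exec_t`; if that is intended for `#!/bin/sh` helpers it deserves a comment, otherwise it widens the entrypoint set. Separately, `samba_run_smbcontrol` uses `dontaudit smbcontrol_t $3:chr_file rw_term_perms;` where the other `*_run` interfaces on this page (sendmail_run) use `allow`; if smbcontrol should be silent on the caller's terminal that is fine, but the comment should say so.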

-## Allow samba to share users home directories. +## Allow Samba to share users home directories ##

##
gen_tunable(samba_enable_home_dirs,false) ## ##

-## Allow samba to share any file/directory read only. +## Allow Samba to share any file/directory read only ##

##
gen_tunable(samba_export_all_ro,false) ## ##

-## Allow samba to share any file/directory read/write. +## Allow Samba to share any file/directory read/write ##

##
gen_tunable(samba_export_all_rw,false) ## ##

-## Allow samba to run unconfined scripts +## Allow Samba to run unconfined scripts in /var/lib/samba/scripts directory ##

##
gen_tunable(samba_run_unconfined,false) @@ -139,6 +139,11 @@ type winbind_var_run_t; files_pid_file(winbind_var_run_t) +type smbcontrol_t; +type smbcontrol_exec_t; +application_domain(smbcontrol_t, smbcontrol_exec_t) +role system_r types smbcontrol_t; + ######################################## # # Samba net local policy @@ -193,6 +198,8 @@ miscfiles_read_localization(samba_net_t) +samba_read_var_files(samba_net_t) + userdom_dontaudit_search_sysadm_home_dirs(samba_net_t) optional_policy(` @@ -213,7 +220,7 @@ allow smbd_t self:msgq create_msgq_perms; allow smbd_t self:sem create_sem_perms; allow smbd_t self:shm create_shm_perms; -allow smbd_t self:sock_file read_file_perms; +allow smbd_t self:sock_file read_sock_file_perms; allow smbd_t self:tcp_socket create_stream_socket_perms; allow smbd_t self:udp_socket create_socket_perms; allow smbd_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -221,10 +228,8 @@ allow smbd_t samba_etc_t:file { rw_file_perms setattr }; -create_dirs_pattern(smbd_t,samba_log_t,samba_log_t) -create_files_pattern(smbd_t,samba_log_t,samba_log_t) -allow smbd_t samba_log_t:dir setattr; -dontaudit smbd_t samba_log_t:dir remove_name; +manage_dirs_pattern(smbd_t,samba_log_t,samba_log_t) +manage_files_pattern(smbd_t,samba_log_t,samba_log_t) allow smbd_t samba_net_tmp_t:file getattr; @@ -251,7 +256,7 @@ manage_sock_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t) files_pid_filetrans(smbd_t,smbd_var_run_t,file) -allow smbd_t winbind_var_run_t:sock_file { read write getattr }; +allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms; kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) @@ -340,6 +345,17 @@ tunable_policy(`samba_share_nfs',` fs_manage_nfs_dirs(smbd_t) fs_manage_nfs_files(smbd_t) + fs_manage_nfs_symlinks(smbd_t) + fs_manage_nfs_named_pipes(smbd_t) + fs_manage_nfs_named_sockets(smbd_t) +') + +optional_policy(` + kerberos_read_keytab(smbd_t) +') + +optional_policy(` + lpd_exec_lpr(smbd_t) ') optional_policy(` 
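Review bot: Replacing `create_*_pattern` plus the explicit `dontaudit smbd_t samba_log_t:dir remove_name;` with `manage_dirs_pattern`/`manage_files_pattern(smbd_t,samba_log_t,samba_log_t)` lets smbd unlink, rename and truncate its own logs, which the old policy deliberately refused. For a network-facing daemon that is a log-integrity regression: a compromised smbd can now erase its trail. If Samba's built-in rotation (`max log size`) needs rename, I would grant exactly that and keep unlink out, and record why with `# smbd rotates its own logs; rename only, no unlink`.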
@@ -391,7 +407,7 @@ allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; -allow nmbd_t self:sock_file read_file_perms; +allow nmbd_t self:sock_file read_sock_file_perms; allow nmbd_t self:tcp_socket create_stream_socket_perms; allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -403,8 +419,7 @@ read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t) manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t) -append_files_pattern(nmbd_t,samba_log_t,samba_log_t) -allow nmbd_t samba_log_t:file unlink; +manage_files_pattern(nmbd_t,samba_log_t,samba_log_t) read_files_pattern(nmbd_t,samba_log_t,samba_log_t) create_files_pattern(nmbd_t,samba_log_t,samba_log_t) @@ -439,6 +454,7 @@ dev_getattr_mtrr_dev(nmbd_t) fs_getattr_all_fs(nmbd_t) +fs_list_inotifyfs(nmbd_t) fs_search_auto_mountpoints(nmbd_t) domain_use_interactive_fds(nmbd_t) @@ -522,6 +538,7 @@ storage_raw_write_fixed_disk(smbmount_t) term_list_ptys(smbmount_t) +term_use_controlling_term(smbmount_t) corecmd_list_bin(smbmount_t) 
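Review bot: In the nmbd_t log hunk, `manage_files_pattern(nmbd_t,samba_log_t,samba_log_t)` already includes read and create, so the two context lines that follow, `read_files_pattern(nmbd_t,samba_log_t,samba_log_t)` and `create_files_pattern(nmbd_t,samba_log_t,samba_log_t)`, are now redundant and should be removed in the same change. As with smbd earlier on this page, the move from append plus unlink to full manage also gives nmbd rename and truncate on its logs; the reason should be stated in a comment if it is intentional.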
@@ -546,28 +563,37 @@ userdom_use_all_users_fds(smbmount_t) +optional_policy(` + cups_read_rw_config(smbmount_t) +') + ######################################## # # SWAT Local policy # -allow swat_t self:capability { setuid setgid }; -allow swat_t self:process signal_perms; +allow swat_t self:capability { setuid setgid sys_resource }; +allow swat_t self:process { setrlimit signal_perms }; allow swat_t self:fifo_file rw_file_perms; allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow swat_t self:tcp_socket create_stream_socket_perms; allow swat_t self:udp_socket create_socket_perms; -allow swat_t nmbd_exec_t:file { execute read }; +allow swat_t self:unix_stream_socket connectto; +can_exec(swat_t, smbd_exec_t) +allow swat_t smbd_port_t:tcp_socket name_bind; +allow swat_t smbd_t:process { signal signull }; +allow swat_t smbd_var_run_t:file { lock unlink }; + +can_exec(swat_t, nmbd_exec_t) +allow swat_t nmbd_port_t:udp_socket name_bind; +allow swat_t nmbd_t:process { signal signull }; +allow swat_t nmbd_var_run_t:file { lock read unlink }; rw_files_pattern(swat_t,samba_etc_t,samba_etc_t) append_files_pattern(swat_t,samba_log_t,samba_log_t) -allow swat_t smbd_exec_t:file execute ; - -allow swat_t smbd_t:process signull; - allow swat_t smbd_var_run_t:file read; manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t) @@ -577,7 +603,9 @@ manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t) files_pid_filetrans(swat_t,swat_var_run_t,file) -allow swat_t winbind_exec_t:file execute; +can_exec(swat_t, winbind_exec_t) +allow swat_t winbind_var_run_t:dir { write add_name remove_name }; +allow swat_t winbind_var_run_t:sock_file { create unlink }; kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) @@ -602,6 +630,7 @@ dev_read_urand(swat_t) +files_list_var_lib(swat_t) files_read_etc_files(swat_t) files_search_home(swat_t) files_read_usr_files(swat_t) 
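Review bot: `can_exec(swat_t, smbd_exec_t)`, `can_exec(swat_t, nmbd_exec_t)` and `can_exec(swat_t, winbind_exec_t)` run the daemons inside swat_t instead of transitioning, and the accompanying `allow swat_t smbd_port_t:tcp_socket name_bind;`, `allow swat_t nmbd_port_t:udp_socket name_bind;` and `allow swat_t winbind_var_run_t:sock_file { create unlink };` show that is exactly what happens. A daemon started from the web UI then carries swat_t's permission set (including the new `sys_resource` and `setrlimit`) and its confinement as smbd_t/nmbd_t/winbind_t is lost. If samba.if provides `samba_domtrans_smbd`/`samba_domtrans_nmbd`/`samba_domtrans_winbind` in this tree, use those here and drop the port-bind and sock_file rules; if it does not, a comment must explain why the daemons are allowed to run in the web-facing domain.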
@@ -614,6 +643,7 @@ libs_use_shared_libs(swat_t) logging_send_syslog_msg(swat_t) +logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) miscfiles_read_localization(swat_t) @@ -631,6 +661,17 @@ kerberos_use(swat_t) ') +init_read_utmp(swat_t) +init_dontaudit_write_utmp(swat_t) + +manage_dirs_pattern(swat_t,samba_log_t,samba_log_t) +create_files_pattern(swat_t,samba_log_t,samba_log_t) + +manage_files_pattern(swat_t,samba_etc_t,samba_secrets_t) + +manage_files_pattern(swat_t,samba_var_t,samba_var_t) +files_list_var_lib(swat_t) + ######################################## # # Winbind local policy @@ -679,6 +720,8 @@ manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t) files_pid_filetrans(winbind_t,winbind_var_run_t,file) +corecmd_exec_bin(winbind_t) + kernel_read_kernel_sysctls(winbind_t) kernel_list_proc(winbind_t) kernel_read_proc_symlinks(winbind_t) @@ -766,6 +809,7 @@ optional_policy(` squid_read_log(winbind_helper_t) squid_append_log(winbind_helper_t) + squid_rw_stream_sockets(winbind_helper_t) ') ######################################## 
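Review bot: `files_list_var_lib(swat_t)` in the hunk after the kerberos block duplicates the same line added in the preceding hunk on this page; one should go. The same block adds `manage_files_pattern(swat_t,samba_etc_t,samba_secrets_t)`, giving the web-facing SWAT domain create/unlink on the secrets database; that needs a reason next to it, e.g. `# SWAT rewrites secrets.tdb when changing passwords/domain membership`. Stylistically these rules are appended after the `optional_policy` blocks and would be easier to audit grouped with the other swat_t rules above.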
@@ -790,3 +834,37 @@ domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) ') ') + +######################################## +# +# smbcontrol local policy +# + +## internal communication is often done using fifo and unix sockets. +allow smbcontrol_t self:fifo_file rw_file_perms; +allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; + +files_read_etc_files(smbcontrol_t) + +libs_use_ld_so(smbcontrol_t) +libs_use_shared_libs(smbcontrol_t) + +miscfiles_read_localization(smbcontrol_t) + +files_search_var_lib(smbcontrol_t) +samba_read_config(smbcontrol_t) +samba_rw_var_files(smbcontrol_t) +samba_search_var(smbcontrol_t) +samba_read_winbind_pid(smbcontrol_t) + +allow smbcontrol_t smbd_t:process signal; +domain_use_interactive_fds(smbcontrol_t) +allow smbd_t smbcontrol_t:process { signal signull }; + +allow nmbd_t smbcontrol_t:process signal; +allow smbcontrol_t nmbd_t:process { signal signull }; + +allow smbcontrol_t winbind_t:process { signal signull }; +allow winbind_t smbcontrol_t:process signal; + +allow smbcontrol_t nmbd_var_run_t:file { read lock }; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.2.5/policy/modules/services/sasl.te --- nsaserefpolicy/policy/modules/services/sasl.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/sasl.te 2007-12-19 05:38:09.000000000 -0500 @@ -107,6 +107,10 @@ ') optional_policy(` + nis_authenticate(saslauthd_t) +') + +optional_policy(` seutil_sigchld_newrole(saslauthd_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.2.5/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2007-08-27 13:57:20.000000000 -0400 +++ serefpolicy-3.2.5/policy/modules/services/sendmail.if 2007-12-19 05:38:09.000000000 -0500 
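Review bot: `## internal communication is often done using fifo and unix sockets.` in the smbcontrol section uses the double-hash that refpolicy reserves for XML documentation blocks; an ordinary policy comment should be `# internal communication is often done using fifo and unix sockets.` The block also stacks `files_search_var_lib(smbcontrol_t)`, `samba_search_var(smbcontrol_t)` and `samba_rw_var_files(smbcontrol_t)`, and the last of these already searches /var and /var/lib per its definition earlier on this page, so the first two look redundant.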
@@ -149,3 +149,85 @@ logging_log_filetrans($1,sendmail_log_t,file) ') + +######################################## +## +## Execute the sendmail program in the sendmail domain. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to allow the sendmail domain. +## +## +## +## +## The type of the terminal allow the sendmail domain to use. +## +## +## +# +interface(`sendmail_run',` + gen_require(` + type sendmail_t; + ') + + sendmail_domtrans($1) + role $2 types sendmail_t; + allow sendmail_t $3:chr_file rw_term_perms; +') + +######################################## +## +## Execute sendmail in the unconfined sendmail domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`sendmail_domtrans_unconfined',` + gen_require(` + type unconfined_sendmail_t, sendmail_exec_t; + ') + + domtrans_pattern($1,sendmail_exec_t,unconfined_sendmail_t) +') + +######################################## +## +## Execute sendmail in the unconfined sendmail domain, and +## allow the specified role the unconfined sendmail domain, +## and use the caller's terminal. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed the unconfined sendmail domain. +## +## +## +## +## The type of the terminal allow the unconfined sendmail domain to use. +## +## +## +# +interface(`sendmail_run_unconfined',` + gen_require(` + type unconfined_sendmail_t; + ') + + sendmail_domtrans_unconfined($1) + role $2 types unconfined_sendmail_t; + allow unconfined_sendmail_t $3:chr_file rw_file_perms; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.2.5/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/sendmail.te 2007-12-31 15:42:11.000000000 -0500 
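Review bot: `sendmail_run_unconfined` grants the terminal with `allow unconfined_sendmail_t $3:chr_file rw_file_perms;` while `sendmail_run` in the same hunk uses `rw_term_perms`; the tty convention in refpolicy is `rw_term_perms`, so the last line should be `allow unconfined_sendmail_t $3:chr_file rw_term_perms;`. The parameter text "The type of the terminal allow the sendmail domain to use." in both interfaces is ungrammatical; `The type of the terminal the sendmail domain is allowed to use.` reads correctly.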
@@ -20,13 +20,17 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) +type unconfined_sendmail_t; +application_domain(unconfined_sendmail_t,sendmail_exec_t) +role system_r types unconfined_sendmail_t; + ######################################## # # Sendmail local policy # -allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config }; -allow sendmail_t self:process signal; +allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config }; +allow sendmail_t self:process { signal signull }; allow sendmail_t self:fifo_file rw_fifo_file_perms; allow sendmail_t self:unix_stream_socket create_stream_socket_perms; allow sendmail_t self:unix_dgram_socket create_socket_perms; @@ -47,6 +51,7 @@ kernel_read_kernel_sysctls(sendmail_t) # for piping mail to a command kernel_read_system_state(sendmail_t) +kernel_read_network_state(sendmail_t) corenet_all_recvfrom_unlabeled(sendmail_t) corenet_all_recvfrom_netlabel(sendmail_t) @@ -97,20 +102,35 @@ userdom_dontaudit_use_unpriv_user_fds(sendmail_t) userdom_dontaudit_search_sysadm_home_dirs(sendmail_t) +userdom_read_all_users_home_content_files(sendmail_t) mta_read_config(sendmail_t) mta_etc_filetrans_aliases(sendmail_t) # Write to /etc/aliases and /etc/mail. -mta_rw_aliases(sendmail_t) +mta_manage_aliases(sendmail_t) # Write to /var/spool/mail and /var/spool/mqueue. mta_manage_queue(sendmail_t) mta_manage_spool(sendmail_t) +mta_sendmail_exec(sendmail_t) + +optional_policy(` + cron_read_pipes(sendmail_t) +') optional_policy(` clamav_search_lib(sendmail_t) ') optional_policy(` + cyrus_stream_connect(sendmail_t) + clamav_stream_connect(sendmail_t) +') + +optional_policy(` + munin_dontaudit_search_lib(sendmail_t) +') + +optional_policy(` postfix_exec_master(sendmail_t) postfix_read_config(sendmail_t) postfix_search_spool(sendmail_t) 
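Review bot: `userdom_read_all_users_home_content_files(sendmail_t)` together with the `dac_override` capability added in the first hunk lets the MTA read any file in any user's home regardless of mode bits, and neither line says why. If this is for `~/.forward` processing, say so and keep it as narrow as the interface set allows: `# read ~/.forward in user home directories`. A DAC bypass for a daemon that already has `setuid`/`setgid` should also be questioned: sendmail normally switches to the recipient's uid for delivery, so a missing `dac_override` usually indicates a specific file it reads as root that ought to be identified.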
@@ -125,24 +145,25 @@ ') optional_policy(` + sasl_connect(sendmail_t) +') + +optional_policy(` + spamd_stream_connect(sendmail_t) +') + +optional_policy(` udev_read_db(sendmail_t) ') -ifdef(`TODO',` -allow sendmail_t etc_mail_t:dir rw_dir_perms; -allow sendmail_t etc_mail_t:file manage_file_perms; -# for the start script to run make -C /etc/mail -allow initrc_t etc_mail_t:dir rw_dir_perms; -allow initrc_t etc_mail_t:file manage_file_perms; -allow system_mail_t initrc_t:fd use; -allow system_mail_t initrc_t:fifo_file write; - -# When sendmail runs as user_mail_domain, it needs some extra permissions -# to update /etc/mail/statistics. -allow user_mail_domain etc_mail_t:file rw_file_perms; +######################################## +# +# Unconfined sendmail local policy +# Allow unconfined domain to run newalias and have transitions work +# -# Silently deny attempts to access /root. -dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr search }; +optional_policy(` + mta_etc_filetrans_aliases(unconfined_sendmail_t) + unconfined_domain(unconfined_sendmail_t) +') -dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl }; -') dnl end TODO diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te 2007-12-19 05:38:09.000000000 -0500 
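Review bot: The new section header says "Allow unconfined domain to run newalias and have transitions work"; the program is `newaliases`, and the line should follow the file's header style with a blank `#` line before it. `mta_etc_filetrans_aliases(unconfined_sendmail_t)` is wrapped in the same `optional_policy` as `unconfined_domain(...)`, but the mta module is a hard dependency of sendmail.te (`mta_*` calls appear unconditionally above), so only the unconfined call needs the optional block; keeping the filetrans unconditional makes the aliases type transition work even when the unconfined module is absent.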
@@ -27,8 +27,8 @@ # setroubleshootd local policy # -allow setroubleshootd_t self:capability { dac_override sys_tty_config }; -allow setroubleshootd_t self:process { signull signal getattr getsched }; +allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config }; +allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal }; allow setroubleshootd_t self:fifo_file rw_fifo_file_perms; allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -52,7 +52,9 @@ kernel_read_kernel_sysctls(setroubleshootd_t) kernel_read_system_state(setroubleshootd_t) +kernel_read_net_sysctls(setroubleshootd_t) kernel_read_network_state(setroubleshootd_t) +kernel_dontaudit_list_all_proc(setroubleshootd_t) corecmd_exec_bin(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t) @@ -73,7 +75,7 @@ files_read_usr_files(setroubleshootd_t) files_read_etc_files(setroubleshootd_t) -files_getattr_all_dirs(setroubleshootd_t) +files_list_all(setroubleshootd_t) files_getattr_all_files(setroubleshootd_t) fs_getattr_all_dirs(setroubleshootd_t) @@ -110,6 +112,7 @@ optional_policy(` dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t) dbus_connect_system_bus(setroubleshootd_t) + dbus_system_domain(setroubleshootd_t,setroubleshootd_exec_t) ') optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.2.5/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/snmp.te 2007-12-19 05:38:09.000000000 -0500 
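Review bot: `files_list_all(setroubleshootd_t)` replaces `files_getattr_all_dirs(setroubleshootd_t)` and moves from stat on every directory to reading the contents of every directory, including user homes; the reason is not recorded. If the daemon needs to enumerate directories to produce its denial analysis, a comment such as `# setroubleshoot walks arbitrary paths named in AVC messages` would justify it; otherwise the original getattr line is the least privilege that satisfies the earlier rules. The `sigkill` added to self:process in the first hunk likewise deserves a word on which child it kills.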
@@ -81,8 +81,7 @@ files_read_usr_files(snmpd_t) files_read_etc_runtime_files(snmpd_t) files_search_home(snmpd_t) -files_getattr_boot_dirs(snmpd_t) -files_dontaudit_getattr_home_dir(snmpd_t) +auth_read_all_dirs_except_shadow(snmpd_t) fs_getattr_all_dirs(snmpd_t) fs_getattr_all_fs(snmpd_t)
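Review bot: `auth_read_all_dirs_except_shadow(snmpd_t)` replaces a getattr on boot directories and a dontaudit on home-directory getattr with read access to every directory on the system for a network-facing agent. If snmpd only needs to stat filesystems and mount points for its storage tables, `files_getattr_all_dirs(snmpd_t)` (the interface removed from setroubleshoot.te earlier on this page) is the minimal replacement; granting directory listing everywhere, including user homes, turns a mis-typed community string into a filesystem layout oracle. If listing is genuinely required, add a comment naming the MIB or feature that needs it.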