libselinux/libselinux-rhat.patch
2008-01-08 10:25:03 +00:00


diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/av_permissions.h libselinux-2.0.46/include/selinux/av_permissions.h
--- nsalibselinux/include/selinux/av_permissions.h 2007-11-15 15:52:46.000000000 -0500
+++ libselinux-2.0.46/include/selinux/av_permissions.h 2008-01-03 15:23:31.000000000 -0500
@@ -900,6 +900,8 @@
#define PACKET__SEND 0x00000001UL
#define PACKET__RECV 0x00000002UL
#define PACKET__RELABELTO 0x00000004UL
+#define PACKET__FLOW_IN 0x00000008UL
+#define PACKET__FLOW_OUT 0x00000010UL
#define KEY__VIEW 0x00000001UL
#define KEY__READ 0x00000002UL
#define KEY__WRITE 0x00000004UL
diff --exclude-from=exclude -N -u -r nsalibselinux/src/Makefile libselinux-2.0.46/src/Makefile
--- nsalibselinux/src/Makefile 2007-09-26 19:37:45.000000000 -0400
+++ libselinux-2.0.46/src/Makefile 2008-01-05 08:19:27.000000000 -0500
@@ -77,14 +77,14 @@
install: all
test -d $(LIBDIR) || install -m 755 -d $(LIBDIR)
- install -m 644 $(LIBA) $(LIBDIR)
test -d $(SHLIBDIR) || install -m 755 -d $(SHLIBDIR)
install -m 755 $(LIBSO) $(SHLIBDIR)
cd $(LIBDIR) && ln -sf ../../`basename $(SHLIBDIR)`/$(LIBSO) $(TARGET)
install-pywrap: pywrap
test -d $(PYTHONLIBDIR)/site-packages || install -m 755 -d $(PYTHONLIBDIR)/site-packages
- install -m 755 $(SWIGFILES) $(PYTHONLIBDIR)/site-packages
+ install -m 755 $(SWIGSO) $(PYTHONLIBDIR)/site-packages
+ install -m 644 selinux.py $(PYTHONLIBDIR)/site-packages
relabel:
/sbin/restorecon $(SHLIBDIR)/$(LIBSO)
diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-2.0.46/src/matchpathcon.c
--- nsalibselinux/src/matchpathcon.c 2007-09-28 09:48:58.000000000 -0400
+++ libselinux-2.0.46/src/matchpathcon.c 2008-01-03 15:23:32.000000000 -0500
@@ -2,6 +2,7 @@
#include <string.h>
#include <errno.h>
#include <stdio.h>
+#include <syslog.h>
#include "selinux_internal.h"
#include "label_internal.h"
#include "callbacks.h"
@@ -57,7 +58,7 @@
{
va_list ap;
va_start(ap, fmt);
- vfprintf(stderr, fmt, ap);
+ vsyslog(LOG_ERR, fmt, ap);
va_end(ap);
}
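Review bot: Replacing `vfprintf(stderr, fmt, ap)` with `vsyslog(LOG_ERR, fmt, ap)` changes the library's default diagnostics for every program linked against it, and since nothing here calls openlog() the messages are attributed to whatever identity and facility the host process happened to configure, if any. Tools that read stderr to spot malformed file_contexts entries go silent unless they register their own callback, as the utils/matchpathcon change in this same patch does for that one binary. A comment on the function would make the new contract visible: `/* Default printf callback: reports via syslog(LOG_ERR); callers that want stderr must install their own with set_matchpathcon_printf() */`. vsyslog() may also modify errno, so callers that inspect errno after a failed lookup should save it first; those callers are outside this hunk, as is the enclosing function's signature.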
diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux.py libselinux-2.0.46/src/selinux.py
--- nsalibselinux/src/selinux.py 2007-10-05 13:09:54.000000000 -0400
+++ libselinux-2.0.46/src/selinux.py 2008-01-08 05:00:39.000000000 -0500
@@ -1,5 +1,5 @@
# This file was automatically generated by SWIG (http://www.swig.org).
-# Version 1.3.31
+# Version 1.3.33
#
# Don't modify this file, modify the SWIG interface instead.
# This file is compatible with both classic and new-style classes.
Binary files nsalibselinux/src/selinux.pyc and libselinux-2.0.46/src/selinux.pyc differ
diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig.i libselinux-2.0.46/src/selinuxswig.i
--- nsalibselinux/src/selinuxswig.i 2007-10-01 09:54:35.000000000 -0400
+++ libselinux-2.0.46/src/selinuxswig.i 2008-01-08 05:00:22.000000000 -0500
@@ -10,6 +10,7 @@
%apply int *OUTPUT { size_t * };
%typedef unsigned mode_t;
+%typedef unsigned pid_t;
%typemap(in, numinputs=0) (char ***names, int *len) (char **temp1, int temp2) {
$1 = &temp1;
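Review bot: `%typedef unsigned pid_t;` misdeclares the type: on Linux pid_t is a signed integer, so the generated wrapper now refuses any negative value with OverflowError and silently truncates values above INT_MAX through the `(pid_t)(val1)` cast. For getpidcon() a negative pid is never meaningful, so rejecting it at the binding is arguably a useful input check, but that should be a deliberate decision rather than a side effect of a wrong typedef. Either match the system type with `%typedef int pid_t;`, or keep the unsigned mapping and say so: `// pid_t deliberately mapped as unsigned: negative pids are rejected at the Python boundary`.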
diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_wrap.c libselinux-2.0.46/src/selinuxswig_wrap.c
--- nsalibselinux/src/selinuxswig_wrap.c 2007-10-05 13:09:54.000000000 -0400
+++ libselinux-2.0.46/src/selinuxswig_wrap.c 2008-01-08 05:00:39.000000000 -0500
@@ -1,6 +1,6 @@
/* ----------------------------------------------------------------------------
* This file was automatically generated by SWIG (http://www.swig.org).
- * Version 1.3.31
+ * Version 1.3.33
*
* This file is not intended to be easily readable and contains a number of
* coding conventions designed to improve portability and efficiency. Do not make
@@ -17,14 +17,14 @@
/* template workaround for compilers that cannot correctly implement the C++ standard */
#ifndef SWIGTEMPLATEDISAMBIGUATOR
-# if defined(__SUNPRO_CC)
-# if (__SUNPRO_CC <= 0x560)
-# define SWIGTEMPLATEDISAMBIGUATOR template
-# else
-# define SWIGTEMPLATEDISAMBIGUATOR
-# endif
+# if defined(__SUNPRO_CC) && (__SUNPRO_CC <= 0x560)
+# define SWIGTEMPLATEDISAMBIGUATOR template
+# elif defined(__HP_aCC)
+/* Needed even with `aCC -AA' when `aCC -V' reports HP ANSI C++ B3910B A.03.55 */
+/* If we find a maximum version that requires this, the test would be __HP_aCC <= 35500 for A.03.55 */
+# define SWIGTEMPLATEDISAMBIGUATOR template
# else
-# define SWIGTEMPLATEDISAMBIGUATOR
+# define SWIGTEMPLATEDISAMBIGUATOR
# endif
#endif
@@ -107,6 +107,12 @@
# define _CRT_SECURE_NO_DEPRECATE
#endif
+/* Deal with Microsoft's attempt at deprecating methods in the standard C++ library */
+#if !defined(SWIG_NO_SCL_SECURE_NO_DEPRECATE) && defined(_MSC_VER) && !defined(_SCL_SECURE_NO_DEPRECATE)
+# define _SCL_SECURE_NO_DEPRECATE
+#endif
+
+
/* Python.h has to appear first */
#include <Python.h>
@@ -343,7 +349,7 @@
while ((*f2 == ' ') && (f2 != l2)) ++f2;
if (*f1 != *f2) return (*f1 > *f2) ? 1 : -1;
}
- return (l1 - f1) - (l2 - f2);
+ return (int)((l1 - f1) - (l2 - f2));
}
/*
@@ -1090,14 +1096,14 @@
/* Unpack the argument tuple */
SWIGINTERN int
-SWIG_Python_UnpackTuple(PyObject *args, const char *name, int min, int max, PyObject **objs)
+SWIG_Python_UnpackTuple(PyObject *args, const char *name, Py_ssize_t min, Py_ssize_t max, PyObject **objs)
{
if (!args) {
if (!min && !max) {
return 1;
} else {
PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got none",
- name, (min == max ? "" : "at least "), min);
+ name, (min == max ? "" : "at least "), (int)min);
return 0;
}
}
@@ -1105,14 +1111,14 @@
PyErr_SetString(PyExc_SystemError, "UnpackTuple() argument list is not a tuple");
return 0;
} else {
- register int l = PyTuple_GET_SIZE(args);
+ register Py_ssize_t l = PyTuple_GET_SIZE(args);
if (l < min) {
PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got %d",
- name, (min == max ? "" : "at least "), min, l);
+ name, (min == max ? "" : "at least "), (int)min, (int)l);
return 0;
} else if (l > max) {
PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got %d",
- name, (min == max ? "" : "at most "), max, l);
+ name, (min == max ? "" : "at most "), (int)max, (int)l);
return 0;
} else {
register int i;
@@ -1591,9 +1597,11 @@
(unaryfunc)0, /*nb_float*/
(unaryfunc)PySwigObject_oct, /*nb_oct*/
(unaryfunc)PySwigObject_hex, /*nb_hex*/
-#if PY_VERSION_HEX >= 0x02020000
- 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 /* nb_inplace_add -> nb_inplace_true_divide */
-#elif PY_VERSION_HEX >= 0x02000000
+#if PY_VERSION_HEX >= 0x02050000 /* 2.5.0 */
+ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 /* nb_inplace_add -> nb_index */
+#elif PY_VERSION_HEX >= 0x02020000 /* 2.2.0 */
+ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 /* nb_inplace_add -> nb_inplace_true_divide */
+#elif PY_VERSION_HEX >= 0x02000000 /* 2.0.0 */
0,0,0,0,0,0,0,0,0,0,0 /* nb_inplace_add -> nb_inplace_or */
#endif
};
@@ -2458,14 +2466,13 @@
#define SWIGTYPE_p_int swig_types[7]
#define SWIGTYPE_p_p_char swig_types[8]
#define SWIGTYPE_p_p_p_char swig_types[9]
-#define SWIGTYPE_p_pid_t swig_types[10]
-#define SWIGTYPE_p_security_class_mapping swig_types[11]
-#define SWIGTYPE_p_selinux_callback swig_types[12]
-#define SWIGTYPE_p_selinux_opt swig_types[13]
-#define SWIGTYPE_p_unsigned_int swig_types[14]
-#define SWIGTYPE_p_unsigned_short swig_types[15]
-static swig_type_info *swig_types[17];
-static swig_module_info swig_module = {swig_types, 16, 0, 0, 0, 0};
+#define SWIGTYPE_p_security_class_mapping swig_types[10]
+#define SWIGTYPE_p_selinux_callback swig_types[11]
+#define SWIGTYPE_p_selinux_opt swig_types[12]
+#define SWIGTYPE_p_unsigned_int swig_types[13]
+#define SWIGTYPE_p_unsigned_short swig_types[14]
+static swig_type_info *swig_types[16];
+static swig_module_info swig_module = {swig_types, 15, 0, 0, 0, 0};
#define SWIG_TypeQuery(name) SWIG_TypeQueryModule(&swig_module, &swig_module, name)
#define SWIG_MangledTypeQuery(name) SWIG_MangledTypeQueryModule(&swig_module, &swig_module, name)
@@ -2484,7 +2491,7 @@
#define SWIG_name "_selinux"
-#define SWIGVERSION 0x010331
+#define SWIGVERSION 0x010333
#define SWIG_VERSION SWIGVERSION
@@ -2577,14 +2584,12 @@
#include <limits.h>
-#ifndef LLONG_MIN
-# define LLONG_MIN LONG_LONG_MIN
-#endif
-#ifndef LLONG_MAX
-# define LLONG_MAX LONG_LONG_MAX
-#endif
-#ifndef ULLONG_MAX
-# define ULLONG_MAX ULONG_LONG_MAX
+#if !defined(SWIG_NO_LLONG_MAX)
+# if !defined(LLONG_MAX) && defined(__GNUC__) && defined (__LONG_LONG_MAX__)
+# define LLONG_MAX __LONG_LONG_MAX__
+# define LLONG_MIN (-LLONG_MAX - 1LL)
+# define ULLONG_MAX (LLONG_MAX * 2ULL + 1ULL)
+# endif
#endif
@@ -2669,13 +2674,18 @@
SWIGINTERN int
-SWIG_AsVal_long (PyObject *obj, long* val)
+SWIG_AsVal_unsigned_SS_long (PyObject *obj, unsigned long *val)
{
if (PyInt_Check(obj)) {
- if (val) *val = PyInt_AsLong(obj);
- return SWIG_OK;
+ long v = PyInt_AsLong(obj);
+ if (v >= 0) {
+ if (val) *val = v;
+ return SWIG_OK;
+ } else {
+ return SWIG_OverflowError;
+ }
} else if (PyLong_Check(obj)) {
- long v = PyLong_AsLong(obj);
+ unsigned long v = PyLong_AsUnsignedLong(obj);
if (!PyErr_Occurred()) {
if (val) *val = v;
return SWIG_OK;
@@ -2686,7 +2696,7 @@
#ifdef SWIG_PYTHON_CAST_MODE
{
int dispatch = 0;
- long v = PyInt_AsLong(obj);
+ unsigned long v = PyLong_AsUnsignedLong(obj);
if (!PyErr_Occurred()) {
if (val) *val = v;
return SWIG_AddCast(SWIG_OK);
@@ -2696,8 +2706,8 @@
if (!dispatch) {
double d;
int res = SWIG_AddCast(SWIG_AsVal_double (obj,&d));
- if (SWIG_IsOK(res) && SWIG_CanCastAsInteger(&d, LONG_MIN, LONG_MAX)) {
- if (val) *val = (long)(d);
+ if (SWIG_IsOK(res) && SWIG_CanCastAsInteger(&d, 0, ULONG_MAX)) {
+ if (val) *val = (unsigned long)(d);
return res;
}
}
@@ -2708,15 +2718,15 @@
SWIGINTERN int
-SWIG_AsVal_int (PyObject * obj, int *val)
+SWIG_AsVal_unsigned_SS_int (PyObject * obj, unsigned int *val)
{
- long v;
- int res = SWIG_AsVal_long (obj, &v);
+ unsigned long v;
+ int res = SWIG_AsVal_unsigned_SS_long (obj, &v);
if (SWIG_IsOK(res)) {
- if ((v < INT_MIN || v > INT_MAX)) {
+ if ((v > UINT_MAX)) {
return SWIG_OverflowError;
} else {
- if (val) *val = (int)(v);
+ if (val) *val = (unsigned int)(v);
}
}
return res;
@@ -2724,18 +2734,13 @@
SWIGINTERN int
-SWIG_AsVal_unsigned_SS_long (PyObject *obj, unsigned long *val)
+SWIG_AsVal_long (PyObject *obj, long* val)
{
if (PyInt_Check(obj)) {
- long v = PyInt_AsLong(obj);
- if (v >= 0) {
- if (val) *val = v;
- return SWIG_OK;
- } else {
- return SWIG_OverflowError;
- }
+ if (val) *val = PyInt_AsLong(obj);
+ return SWIG_OK;
} else if (PyLong_Check(obj)) {
- unsigned long v = PyLong_AsUnsignedLong(obj);
+ long v = PyLong_AsLong(obj);
if (!PyErr_Occurred()) {
if (val) *val = v;
return SWIG_OK;
@@ -2746,7 +2751,7 @@
#ifdef SWIG_PYTHON_CAST_MODE
{
int dispatch = 0;
- unsigned long v = PyLong_AsUnsignedLong(obj);
+ long v = PyInt_AsLong(obj);
if (!PyErr_Occurred()) {
if (val) *val = v;
return SWIG_AddCast(SWIG_OK);
@@ -2756,8 +2761,8 @@
if (!dispatch) {
double d;
int res = SWIG_AddCast(SWIG_AsVal_double (obj,&d));
- if (SWIG_IsOK(res) && SWIG_CanCastAsInteger(&d, 0, ULONG_MAX)) {
- if (val) *val = (unsigned long)(d);
+ if (SWIG_IsOK(res) && SWIG_CanCastAsInteger(&d, LONG_MIN, LONG_MAX)) {
+ if (val) *val = (long)(d);
return res;
}
}
@@ -2768,15 +2773,15 @@
SWIGINTERN int
-SWIG_AsVal_unsigned_SS_int (PyObject * obj, unsigned int *val)
+SWIG_AsVal_int (PyObject * obj, int *val)
{
- unsigned long v;
- int res = SWIG_AsVal_unsigned_SS_long (obj, &v);
+ long v;
+ int res = SWIG_AsVal_long (obj, &v);
if (SWIG_IsOK(res)) {
- if ((v > UINT_MAX)) {
+ if ((v < INT_MIN || v > INT_MAX)) {
return SWIG_OverflowError;
} else {
- if (val) *val = (unsigned int)(v);
+ if (val) *val = (int)(v);
}
}
return res;
@@ -2986,24 +2991,18 @@
pid_t arg1 ;
security_context_t *arg2 = (security_context_t *) 0 ;
int result;
- void *argp1 ;
- int res1 = 0 ;
+ unsigned int val1 ;
+ int ecode1 = 0 ;
security_context_t temp2 = 0 ;
PyObject * obj0 = 0 ;
arg2 = &temp2;
if (!PyArg_ParseTuple(args,(char *)"O:getpidcon",&obj0)) SWIG_fail;
- {
- res1 = SWIG_ConvertPtr(obj0, &argp1, SWIGTYPE_p_pid_t, 0 );
- if (!SWIG_IsOK(res1)) {
- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "getpidcon" "', argument " "1"" of type '" "pid_t""'");
- }
- if (!argp1) {
- SWIG_exception_fail(SWIG_ValueError, "invalid null reference " "in method '" "getpidcon" "', argument " "1"" of type '" "pid_t""'");
- } else {
- arg1 = *((pid_t *)(argp1));
- }
- }
+ ecode1 = SWIG_AsVal_unsigned_SS_int(obj0, &val1);
+ if (!SWIG_IsOK(ecode1)) {
+ SWIG_exception_fail(SWIG_ArgError(ecode1), "in method '" "getpidcon" "', argument " "1"" of type '" "pid_t""'");
+ }
+ arg1 = (pid_t)(val1);
result = (int)getpidcon(arg1,arg2);
resultobj = SWIG_From_int((int)(result));
if (*arg2) {
@@ -3025,24 +3024,18 @@
pid_t arg1 ;
security_context_t *arg2 = (security_context_t *) 0 ;
int result;
- void *argp1 ;
- int res1 = 0 ;
+ unsigned int val1 ;
+ int ecode1 = 0 ;
security_context_t temp2 = 0 ;
PyObject * obj0 = 0 ;
arg2 = &temp2;
if (!PyArg_ParseTuple(args,(char *)"O:getpidcon_raw",&obj0)) SWIG_fail;
- {
- res1 = SWIG_ConvertPtr(obj0, &argp1, SWIGTYPE_p_pid_t, 0 );
- if (!SWIG_IsOK(res1)) {
- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "getpidcon_raw" "', argument " "1"" of type '" "pid_t""'");
- }
- if (!argp1) {
- SWIG_exception_fail(SWIG_ValueError, "invalid null reference " "in method '" "getpidcon_raw" "', argument " "1"" of type '" "pid_t""'");
- } else {
- arg1 = *((pid_t *)(argp1));
- }
- }
+ ecode1 = SWIG_AsVal_unsigned_SS_int(obj0, &val1);
+ if (!SWIG_IsOK(ecode1)) {
+ SWIG_exception_fail(SWIG_ArgError(ecode1), "in method '" "getpidcon_raw" "', argument " "1"" of type '" "pid_t""'");
+ }
+ arg1 = (pid_t)(val1);
result = (int)getpidcon_raw(arg1,arg2);
resultobj = SWIG_From_int((int)(result));
if (*arg2) {
@@ -8149,7 +8142,7 @@
/* -------- TYPE CONVERSION AND EQUIVALENCE RULES (BEGIN) -------- */
static swig_type_info _swigt__p_SELboolean = {"_p_SELboolean", "SELboolean *", 0, 0, (void*)0, 0};
-static swig_type_info _swigt__p_av_decision = {"_p_av_decision", "struct av_decision *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_av_decision = {"_p_av_decision", "struct av_decision *|av_decision *", 0, 0, (void*)0, 0};
static swig_type_info _swigt__p_char = {"_p_char", "char *", 0, 0, (void*)0, 0};
static swig_type_info _swigt__p_f_int_p_q_const__char_v_______int = {"_p_f_int_p_q_const__char_v_______int", "int (*)(int,char const *,...)", 0, 0, (void*)0, 0};
static swig_type_info _swigt__p_f_p_p_char__int = {"_p_f_p_p_char__int", "int (*)(char **)|int (*)(security_context_t *)", 0, 0, (void*)0, 0};
@@ -8158,12 +8151,11 @@
static swig_type_info _swigt__p_int = {"_p_int", "int *", 0, 0, (void*)0, 0};
static swig_type_info _swigt__p_p_char = {"_p_p_char", "char **|security_context_t *", 0, 0, (void*)0, 0};
static swig_type_info _swigt__p_p_p_char = {"_p_p_p_char", "char ***|security_context_t **", 0, 0, (void*)0, 0};
-static swig_type_info _swigt__p_pid_t = {"_p_pid_t", "pid_t *", 0, 0, (void*)0, 0};
-static swig_type_info _swigt__p_security_class_mapping = {"_p_security_class_mapping", "struct security_class_mapping *", 0, 0, (void*)0, 0};
-static swig_type_info _swigt__p_selinux_callback = {"_p_selinux_callback", "union selinux_callback *", 0, 0, (void*)0, 0};
-static swig_type_info _swigt__p_selinux_opt = {"_p_selinux_opt", "selinux_opt *", 0, 0, (void*)0, 0};
-static swig_type_info _swigt__p_unsigned_int = {"_p_unsigned_int", "unsigned int *|access_vector_t *", 0, 0, (void*)0, 0};
-static swig_type_info _swigt__p_unsigned_short = {"_p_unsigned_short", "unsigned short *|security_class_t *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_security_class_mapping = {"_p_security_class_mapping", "struct security_class_mapping *|security_class_mapping *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_selinux_callback = {"_p_selinux_callback", "union selinux_callback *|selinux_callback *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_selinux_opt = {"_p_selinux_opt", "struct selinux_opt *|selinux_opt *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_unsigned_int = {"_p_unsigned_int", "unsigned int *|access_vector_t *|mode_t *|pid_t *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_unsigned_short = {"_p_unsigned_short", "security_class_t *|unsigned short *", 0, 0, (void*)0, 0};
static swig_type_info *swig_type_initial[] = {
&_swigt__p_SELboolean,
@@ -8176,7 +8168,6 @@
&_swigt__p_int,
&_swigt__p_p_char,
&_swigt__p_p_p_char,
- &_swigt__p_pid_t,
&_swigt__p_security_class_mapping,
&_swigt__p_selinux_callback,
&_swigt__p_selinux_opt,
@@ -8194,7 +8185,6 @@
static swig_cast_info _swigc__p_int[] = { {&_swigt__p_int, 0, 0, 0},{0, 0, 0, 0}};
static swig_cast_info _swigc__p_p_char[] = { {&_swigt__p_p_char, 0, 0, 0},{0, 0, 0, 0}};
static swig_cast_info _swigc__p_p_p_char[] = { {&_swigt__p_p_p_char, 0, 0, 0},{0, 0, 0, 0}};
-static swig_cast_info _swigc__p_pid_t[] = { {&_swigt__p_pid_t, 0, 0, 0},{0, 0, 0, 0}};
static swig_cast_info _swigc__p_security_class_mapping[] = { {&_swigt__p_security_class_mapping, 0, 0, 0},{0, 0, 0, 0}};
static swig_cast_info _swigc__p_selinux_callback[] = { {&_swigt__p_selinux_callback, 0, 0, 0},{0, 0, 0, 0}};
static swig_cast_info _swigc__p_selinux_opt[] = { {&_swigt__p_selinux_opt, 0, 0, 0},{0, 0, 0, 0}};
@@ -8212,7 +8202,6 @@
_swigc__p_int,
_swigc__p_p_char,
_swigc__p_p_p_char,
- _swigc__p_pid_t,
_swigc__p_security_class_mapping,
_swigc__p_selinux_callback,
_swigc__p_selinux_opt,
diff --exclude-from=exclude -N -u -r nsalibselinux/utils/matchpathcon.c libselinux-2.0.46/utils/matchpathcon.c
--- nsalibselinux/utils/matchpathcon.c 2007-07-16 14:20:45.000000000 -0400
+++ libselinux-2.0.46/utils/matchpathcon.c 2008-01-03 15:23:32.000000000 -0500
@@ -17,10 +17,24 @@
exit(1);
}
+static void
+#ifdef __GNUC__
+ __attribute__ ((format(printf, 1, 2)))
+#endif
+ myprintf(const char *fmt, ...)
+{
+ va_list ap;
+ va_start(ap, fmt);
+ vfprintf(stderr, fmt, ap);
+ va_end(ap);
+}
+
int printmatchpathcon(char *path, int header, int mode)
{
char *buf;
- int rc = matchpathcon(path, mode, &buf);
+ int rc;
+ set_matchpathcon_printf(myprintf);
+ rc = matchpathcon(path, mode, &buf);
if (rc < 0) {
fprintf(stderr, "matchpathcon(%s) failed: %s\n", path,
strerror(errno));
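Review bot: `set_matchpathcon_printf(myprintf)` is re-registered on every printmatchpathcon() call instead of once at startup; it is harmless, but it belongs in main() before the first matchpathcon() call, since the callback is what surfaces malformed file_contexts entries during the initial load. myprintf() uses va_list, so this file must include `<stdarg.h>`; the include block is outside the hunk, so confirm it is already there. The attribute wedged between `static void` and the name compiles with GCC, but a forward declaration `static void myprintf(const char *fmt, ...) __attribute__((format(printf, 1, 2)));` keeps the definition readable. printmatchpathcon() continues past the end of the hunk.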
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.2.5/policy/modules/services/inetd.te
--- nsaserefpolicy/policy/modules/services/inetd.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/inetd.te 2007-12-19 05:38:09.000000000 -0500
@@ -30,6 +30,10 @@
type inetd_child_var_run_t;
files_pid_file(inetd_child_var_run_t)
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(inetd_t,inetd_exec_t,s0 - mcs_systemhigh)
+')
+
########################################
#
# Local policy
@@ -84,6 +88,7 @@
corenet_udp_bind_ftp_port(inetd_t)
corenet_tcp_bind_inetd_child_port(inetd_t)
corenet_udp_bind_inetd_child_port(inetd_t)
+corenet_tcp_bind_ircd_port(inetd_t)
corenet_udp_bind_ktalkd_port(inetd_t)
corenet_tcp_bind_printer_port(inetd_t)
corenet_udp_bind_rlogind_port(inetd_t)
@@ -137,6 +142,7 @@
miscfiles_read_localization(inetd_t)
# xinetd needs MLS override privileges to work
+mls_fd_use_all_levels(inetd_t)
mls_fd_share_all_levels(inetd_t)
mls_socket_read_to_clearance(inetd_t)
mls_socket_write_to_clearance(inetd_t)
@@ -164,6 +170,7 @@
')
optional_policy(`
+ unconfined_domain(inetd_t)
unconfined_domtrans(inetd_t)
')
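Review bot: `unconfined_domain(inetd_t)` makes the inetd daemon itself unconfined whenever the unconfined module is loaded, which effectively moots every targeted rule in this file, including the mls_fd_* and clearance rules and the per-port bind rules added elsewhere in this patch. If the intent is only to let inetd launch unconfined services, `unconfined_domtrans(inetd_t)` on the next line already provides that, so the new line should either be dropped or justified with a comment naming the denial it works around: `# inetd_t is unconfined because ...`. The optional_policy block is fully inside the hunk, but the surrounding section starts above it.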
@@ -180,6 +187,9 @@
# for identd
allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow inetd_child_t self:capability { setuid setgid };
+allow inetd_child_t self:dir search;
+allow inetd_child_t self:{ lnk_file file } { getattr read };
+
files_search_home(inetd_child_t)
manage_dirs_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t)
@@ -226,3 +236,7 @@
optional_policy(`
unconfined_domain(inetd_child_t)
')
+
+optional_policy(`
+ inetd_service_domain(inetd_child_t,bin_t)
+')
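Review bot: `inetd_service_domain(inetd_child_t,bin_t)` uses the generic bin_t type as the entrypoint, so if that interface sets up the usual exec transition from inetd_t, every bin_t executable inetd launches lands in inetd_child_t, and with `unconfined_domain(inetd_child_t)` granted in the block just above, in an unconfined domain. That removes any incentive to give individual inetd services their own entry types and domains. Consider a dedicated entry type, or at least document the catch-all with `# catch-all: services without their own policy run as inetd_child_t via bin_t`.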
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.2.5/policy/modules/services/inn.te
--- nsaserefpolicy/policy/modules/services/inn.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/inn.te 2007-12-19 15:36:20.000000000 -0500
@@ -22,7 +22,7 @@
files_pid_file(innd_var_run_t)
type news_spool_t;
-files_type(news_spool_t)
+files_mountpoint(news_spool_t)
########################################
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.2.5/policy/modules/services/kerberos.fc
--- nsaserefpolicy/policy/modules/services/kerberos.fc 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/kerberos.fc 2007-12-19 05:38:09.000000000 -0500
@@ -16,3 +16,4 @@
/var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0)
/var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0)
+/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
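Review bot: The new entry labels only `/var/tmp/host_0`, which looks like the replay cache for the host principal under euid 0; if krb5 names these files `<service>_<euid>` as this path suggests, caches for other principals or euids stay var_t and the kerberos_manage_host_rcache rules added in this patch will not apply to them. A pattern such as `/var/tmp/host_[0-9]+ -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)` would at least cover other euids; confirm the naming scheme against the krb5 release targeted before widening it. The label does nothing about the cache living in world-writable /var/tmp, so DAC and sticky-bit semantics still decide who can pre-create or replace it.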
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.2.5/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2007-07-16 14:09:46.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/kerberos.if 2007-12-19 05:38:09.000000000 -0500
@@ -43,7 +43,13 @@
dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
+ #kerberos libraries are attempting to set the correct file context
+ dontaudit $1 self:process setfscreate;
+ seutil_dontaudit_read_file_contexts($1)
+
tunable_policy(`allow_kerberos',`
+ fs_rw_tmpfs_files($1)
+
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
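Review bot: `fs_rw_tmpfs_files($1)` grants read and write on every tmpfs-labelled file to each domain that uses this interface, which is far broader than the socket and port rules beside it in the allow_kerberos tunable. Nothing in the hunk says which file on tmpfs kerberos needs; if it is a credential or replay cache on a tmpfs-backed directory, say so and narrow it to a dedicated type if one can be created: `# presumably a krb5 cache on a tmpfs-backed dir -- confirm path and narrow the type`. The interface definition begins above the hunk.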
@@ -61,11 +67,7 @@
corenet_tcp_connect_ocsp_port($1)
corenet_sendrecv_kerberos_client_packets($1)
corenet_sendrecv_ocsp_client_packets($1)
-
- sysnet_read_config($1)
- sysnet_dns_name_resolve($1)
')
-
optional_policy(`
tunable_policy(`allow_kerberos',`
pcscd_stream_connect($1)
@@ -172,3 +174,51 @@
allow $1 krb5kdc_conf_t:file read_file_perms;
')
+
+########################################
+## <summary>
+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kerberos_manage_host_rcache',`
+ gen_require(`
+ type krb5_host_rcache_t;
+ ')
+
+ tunable_policy(`allow_kerberos',`
+ files_search_tmp($1)
+ allow $1 self:process setfscreate;
+ selinux_validate_context($1)
+ seutil_read_file_contexts($1)
+ allow $1 krb5_host_rcache_t:file manage_file_perms;
+ ')
+ # creates files as system_u no matter what the selinux user
+ domain_obj_id_change_exemption($1)
+')
+
+########################################
+## <summary>
+## Connect to krb524 service
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_524_connect',`
+ tunable_policy(`allow_kerberos',`
+ allow $1 self:udp_socket create_socket_perms;
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_udp_sendrecv_all_if($1)
+ corenet_udp_sendrecv_all_nodes($1)
+ corenet_udp_sendrecv_kerberos_master_port($1)
+ corenet_udp_bind_all_nodes($1)
+ ')
+')
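Review bot: The summary for kerberos_manage_host_rcache reads "Read the kerberos kdc configuration file (/etc/krb5kdc.conf)", copied from the interface above, and describes neither the manage rules on krb5_host_rcache_t nor the setfscreate and selinux_validate_context grants; replace it with `## Create, read, write, and delete the kerberos host replay cache, labelling it via setfscreate.` and drop `<rolecap/>` unless this is really meant as a role capability. `domain_obj_id_change_exemption($1)` sits outside the tunable_policy(allow_kerberos) block, so the exemption is granted even when the boolean is off; move it inside the block if that is not intended. kerberos_524_connect's summary could state that it only covers UDP to the kerberos master port, which is what its rules grant.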
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.2.5/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/kerberos.te 2007-12-19 05:38:09.000000000 -0500
@@ -54,6 +54,9 @@
type krb5kdc_var_run_t;
files_pid_file(krb5kdc_var_run_t)
+type krb5_host_rcache_t;
+files_tmp_file(krb5_host_rcache_t)
+
########################################
#
# kadmind local policy
@@ -62,7 +65,7 @@
# Use capabilities. Surplus capabilities may be allowed.
allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
dontaudit kadmind_t self:capability sys_tty_config;
-allow kadmind_t self:process signal_perms;
+allow kadmind_t self:process { setfscreate signal_perms };
allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
allow kadmind_t self:unix_dgram_socket { connect create write };
allow kadmind_t self:tcp_socket connected_stream_socket_perms;
@@ -91,6 +94,7 @@
kernel_read_kernel_sysctls(kadmind_t)
kernel_list_proc(kadmind_t)
kernel_read_proc_symlinks(kadmind_t)
+kernel_read_system_state(kadmind_t)
corenet_all_recvfrom_unlabeled(kadmind_t)
corenet_all_recvfrom_netlabel(kadmind_t)
@@ -118,6 +122,9 @@
domain_use_interactive_fds(kadmind_t)
files_read_etc_files(kadmind_t)
+files_read_usr_symlinks(kadmind_t)
+files_read_usr_files(kadmind_t)
+files_read_var_files(kadmind_t)
libs_use_ld_so(kadmind_t)
libs_use_shared_libs(kadmind_t)
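Review bot: `files_read_var_files(kadmind_t)` grants kadmind read access to every generic var_t file rather than a specific type, and nothing in the hunk says which file under /var triggered it; in the krb5kdc_t hunks shown, the KDC does not receive the same grant, so it is presumably a kadmind-specific path. A comment naming that path, `# kadmind reads /var/... (TODO: give it a dedicated type)`, or a dedicated type would keep the daemon's footprint minimal and make the grant reviewable later.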
@@ -127,6 +134,7 @@
miscfiles_read_localization(kadmind_t)
sysnet_read_config(kadmind_t)
+sysnet_use_ldap(kadmind_t)
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
userdom_dontaudit_search_sysadm_home_dirs(kadmind_t)
@@ -137,6 +145,7 @@
optional_policy(`
seutil_sigchld_newrole(kadmind_t)
+ seutil_read_file_contexts(kadmind_t)
')
optional_policy(`
@@ -151,7 +160,7 @@
# Use capabilities. Surplus capabilities may be allowed.
allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
dontaudit krb5kdc_t self:capability sys_tty_config;
-allow krb5kdc_t self:process { setsched getsched signal_perms };
+allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };
allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
allow krb5kdc_t self:udp_socket create_socket_perms;
@@ -223,6 +232,7 @@
miscfiles_read_localization(krb5kdc_t)
sysnet_read_config(krb5kdc_t)
+sysnet_use_ldap(krb5kdc_t)
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
@@ -233,6 +243,7 @@
optional_policy(`
seutil_sigchld_newrole(krb5kdc_t)
+ seutil_read_file_contexts(krb5kdc_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-3.2.5/policy/modules/services/lpd.if
--- nsaserefpolicy/policy/modules/services/lpd.if 2007-11-16 13:45:14.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/lpd.if 2007-12-31 06:40:50.000000000 -0500
@@ -336,10 +336,8 @@
')
files_search_spool($1)
+ manage_dirs_pattern($1,print_spool_t,print_spool_t)
manage_files_pattern($1,print_spool_t,print_spool_t)
-
- # cjp: cups wants setattr
- allow $1 print_spool_t:dir setattr;
')
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.2.5/policy/modules/services/mailman.if
--- nsaserefpolicy/policy/modules/services/mailman.if 2007-12-04 11:02:50.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mailman.if 2007-12-31 14:18:13.000000000 -0500
@@ -211,6 +211,7 @@
type mailman_data_t;
')
+ manage_dirs_pattern($1,mailman_data_t,mailman_data_t)
manage_files_pattern($1,mailman_data_t,mailman_data_t)
')
@@ -252,6 +253,25 @@
#######################################
## <summary>
+## read
+## mailman logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_read_log',`
+ gen_require(`
+ type mailman_log_t;
+ ')
+
+ read_files_pattern($1,mailman_log_t,mailman_log_t)
+')
+
+#######################################
+## <summary>
## Append to mailman logs.
## </summary>
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.2.5/policy/modules/services/mailman.te
--- nsaserefpolicy/policy/modules/services/mailman.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mailman.te 2007-12-19 05:38:09.000000000 -0500
@@ -53,10 +53,9 @@
apache_use_fds(mailman_cgi_t)
apache_dontaudit_append_log(mailman_cgi_t)
apache_search_sys_script_state(mailman_cgi_t)
+ apache_read_config(mailman_cgi_t)
+ apache_dontaudit_rw_stream_sockets(mailman_cgi_t)
- optional_policy(`
- nscd_socket_use(mailman_cgi_t)
- ')
')
########################################
@@ -65,6 +64,10 @@
#
allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
+allow mailman_mail_t initrc_t:process signal;
+allow mailman_mail_t self:capability { setuid setgid };
+
+files_search_spool(mailman_mail_t)
mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
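Review bot: `allow mailman_mail_t initrc_t:process signal;` references initrc_t directly from the mailman module; reference policy convention is to go through the init module's interface, `init_signal(mailman_mail_t)`, which also supplies the gen_require that the raw rule lacks. There is no comment saying why a mail delivery helper needs to signal init scripts, nor why it needs `setuid setgid`; the reason is not visible in this hunk, so confirm it and record it, e.g. `# wrapper switches to the mailman uid/gid before delivery`. The removal of nscd_socket_use from the cgi block in the previous hunk is likewise unexplained.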
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.fc serefpolicy-3.2.5/policy/modules/services/mailscanner.fc
--- nsaserefpolicy/policy/modules/services/mailscanner.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mailscanner.fc 2007-12-19 05:38:09.000000000 -0500
@@ -0,0 +1,2 @@
+/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:mailscanner_spool_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.if serefpolicy-3.2.5/policy/modules/services/mailscanner.if
--- nsaserefpolicy/policy/modules/services/mailscanner.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mailscanner.if 2007-12-19 05:38:09.000000000 -0500
@@ -0,0 +1,59 @@
+## <summary>Anti-Virus and Anti-Spam Filter</summary>
+
+########################################
+## <summary>
+## Search mailscanner spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailscanner_search_spool',`
+ gen_require(`
+ type mailscanner_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 mailscanner_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## read mailscanner spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailscanner_read_spool',`
+ gen_require(`
+ type mailscanner_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## mailscanner spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailscanner_manage_spool',`
+ gen_require(`
+ type mailscanner_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.te serefpolicy-3.2.5/policy/modules/services/mailscanner.te
--- nsaserefpolicy/policy/modules/services/mailscanner.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mailscanner.te 2007-12-19 05:38:09.000000000 -0500
@@ -0,0 +1,5 @@
+
+policy_module(mailscanner,1.0.0)
+
+type mailscanner_spool_t;
+files_type(mailscanner_spool_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.2.5/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2007-12-06 13:12:03.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mta.if 2008-01-04 10:12:33.000000000 -0500
@@ -133,6 +133,12 @@
sendmail_create_log($1_mail_t)
')
+ optional_policy(`
+ exim_read_log($1_mail_t)
+ exim_append_log($1_mail_t)
+ exim_manage_spool_files($1_mail_t)
+ ')
+
')
#######################################
@@ -217,6 +223,15 @@
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files($1_mail_t)
fs_manage_cifs_symlinks($1_mail_t)
+ fs_manage_cifs_files(mailserver_delivery)
+ fs_manage_cifs_symlinks(mailserver_delivery)
+ ')
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files($1_mail_t)
+ fs_manage_nfs_symlinks($1_mail_t)
+ fs_manage_nfs_files(mailserver_delivery)
+ fs_manage_nfs_symlinks(mailserver_delivery)
')
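Review bot: `fs_manage_cifs_files(mailserver_delivery)` and its three siblings on lines 862-870 are attribute-wide rules placed inside a per-user template, so they are re-emitted identically for every instantiation and do not depend on `$1` at all. They belong once in mta.te, inside the same `use_samba_home_dirs`/`use_nfs_home_dirs` tunable blocks, rather than here. Note also that these interfaces grant manage over all nfs/cifs-labeled files, not only home directories, to every delivery agent; the tunable names suggest a narrower intent, so a comment is warranted if that breadth is deliberate.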
optional_policy(`
@@ -305,6 +320,42 @@
########################################
## <summary>
+## Make the specified type usable for a mta_send_mail.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as a mail client.
+## </summary>
+## </param>
+#
+interface(`mta_mailclient',`
+ gen_require(`
+ attribute mailclient_exec_type;
+ ')
+
+ typeattribute $1 mailclient_exec_type;
+')
+
+########################################
+## <summary>
+## Make the specified type readable for a system_mail_t
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as a mail client.
+## </summary>
+## </param>
+#
+interface(`mta_mailcontent',`
+ gen_require(`
+ attribute mailcontent_type;
+ ')
+
+ typeattribute $1 mailcontent_type;
+')
+
+########################################
+## <summary>
## Modified mailserver interface for
## sendmail daemon use.
## </summary>
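Review bot: The parameter description of `mta_mailcontent` on line 898 says `Type to be used as a mail client`, copied from `mta_mailclient`; it should read `## Type of files that system_mail_t may read as mail content.`. The summary `Make the specified type readable for a system_mail_t` would also be clearer as `Allow system_mail_t to read files of the specified type.`. For `mta_mailclient`, the summary should say that the type also becomes an entrypoint into system_mail_t for every caller of `mta_send_mail` (see the rewrite of that interface later in this file), since that is the security-relevant consequence of adding the attribute.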
@@ -383,11 +434,13 @@
allow $1 mail_spool_t:dir list_dir_perms;
create_files_pattern($1,mail_spool_t,mail_spool_t)
read_files_pattern($1,mail_spool_t,mail_spool_t)
+ append_files_pattern($1,mail_spool_t,mail_spool_t)
create_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
optional_policy(`
dovecot_manage_spool($1)
+ dovecot_domtrans_deliver($1)
')
optional_policy(`
@@ -422,6 +475,7 @@
# apache should set close-on-exec
apache_dontaudit_rw_stream_sockets($1)
apache_dontaudit_rw_sys_script_stream_sockets($1)
+ apache_append_log($1)
')
')
@@ -438,20 +492,18 @@
interface(`mta_send_mail',`
gen_require(`
attribute mta_user_agent;
- type system_mail_t, sendmail_exec_t;
+ type system_mail_t;
+ attribute mailclient_exec_type;
')
- allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms;
- domain_auto_trans($1, sendmail_exec_t, system_mail_t)
-
- allow $1 system_mail_t:fd use;
- allow system_mail_t $1:fd use;
- allow system_mail_t $1:fifo_file rw_file_perms;
- allow system_mail_t $1:process sigchld;
+ allow $1 mailclient_exec_type:lnk_file read_lnk_file_perms;
+ domtrans_pattern($1, mailclient_exec_type, system_mail_t)
+ allow system_mail_t mailclient_exec_type:file entrypoint;
allow mta_user_agent $1:fd use;
allow mta_user_agent $1:process sigchld;
allow mta_user_agent $1:fifo_file { read write };
+
')
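Review bot: `allow system_mail_t mailclient_exec_type:file entrypoint;` on line 951 looks redundant: if `domtrans_pattern` here is the standard refpolicy macro, it already grants entrypoint on its second argument to the target domain, together with the fd/fifo/sigchld rules this hunk removes. The one removed rule that `domtrans_pattern` does not replace is `allow $1 system_mail_t:fd use;` (the caller using the mail domain's descriptors); if dropping it is intentional, say so in a comment, otherwise re-add it. Every type given `mta_mailclient` now becomes an entrypoint into system_mail_t for every caller of this interface, which is broader than the previous sendmail_exec_t-only rule and deserves a one-line comment; the stray blank line before `')` on line 955 should go.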
########################################
@@ -586,6 +638,25 @@
files_search_etc($1)
allow $1 etc_aliases_t:file { rw_file_perms setattr };
')
+########################################
+## <summary>
+## manage mail aliases.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mta_manage_aliases',`
+ gen_require(`
+ type etc_aliases_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 etc_aliases_t:file manage_file_perms;
+')
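Review bot: `mta_manage_aliases` is butted directly against the closing `')` of the preceding interface on line 961 with no blank line, unlike every other interface in this file; add one. `manage_file_perms` on etc_aliases_t lets the caller create files, but without an accompanying type transition (e.g. `files_etc_filetrans($1, etc_aliases_t, file)`) a freshly created aliases database in /etc would, if I read refpolicy's labeling defaults correctly, inherit the directory's type rather than etc_aliases_t. Confirm whether creation is actually needed by the intended callers, or whether `mta_rw_aliases` above already suffices.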
#######################################
## <summary>
@@ -837,6 +908,25 @@
########################################
## <summary>
+## read mail queue files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_read_queue',`
+ gen_require(`
+ type mqueue_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1,mqueue_spool_t,mqueue_spool_t)
+')
+
+########################################
+## <summary>
## Create, read, write, and delete
## mail queue files.
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.5/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mta.te 2007-12-19 05:38:09.000000000 -0500
@@ -6,6 +6,8 @@
# Declarations
#
+attribute mailcontent_type;
+attribute mailclient_exec_type;
attribute mta_user_agent;
attribute mailserver_delivery;
attribute mailserver_domain;
@@ -27,6 +29,7 @@
type sendmail_exec_t;
application_executable_file(sendmail_exec_t)
+mta_mailclient(sendmail_exec_t)
mta_base_mail_template(system)
role system_r types system_mail_t;
@@ -40,27 +43,40 @@
allow system_mail_t self:capability { dac_override };
read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t)
+read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type)
kernel_read_system_state(system_mail_t)
kernel_read_network_state(system_mail_t)
+dev_read_sysfs(system_mail_t)
dev_read_rand(system_mail_t)
dev_read_urand(system_mail_t)
+fs_rw_anon_inodefs_files(system_mail_t)
+
+selinux_getattr_fs(system_mail_t)
+
init_use_script_ptys(system_mail_t)
userdom_use_sysadm_terms(system_mail_t)
userdom_dontaudit_search_sysadm_home_dirs(system_mail_t)
+userdom_dontaudit_search_all_users_home_content(system_mail_t)
+
+optional_policy(`
+ apcupsd_read_tmp_files(system_mail_t)
+')
optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
apache_append_squirrelmail_data(system_mail_t)
+ apache_search_bugzilla_dirs(system_mail_t)
# apache should set close-on-exec
apache_dontaudit_append_log(system_mail_t)
apache_dontaudit_rw_stream_sockets(system_mail_t)
apache_dontaudit_rw_tcp_sockets(system_mail_t)
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
+ apache_dontaudit_rw_bugzilla_script_stream_sockets(system_mail_t)
')
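Review bot: None of the new rules for system_mail_t in this hunk carries a comment naming the program that needs them, and several are surprising for a mail client: `fs_rw_anon_inodefs_files`, `selinux_getattr_fs`, `dev_read_sysfs` and the bugzilla rules. The file already documents odd grants (`# apache should set close-on-exec`), so following that style, e.g. `# for eventfd/epoll descriptors inherited from callers` above line 1034 if that is the reason, would keep the next maintainer from removing them. `read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type)` on line 1028 is the rule that gives the new `mta_mailcontent` interface its meaning; a comment pointing at that interface would help.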
optional_policy(`
@@ -73,6 +89,7 @@
optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
+ cron_read_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
')
@@ -81,6 +98,11 @@
')
optional_policy(`
+ exim_domtrans(system_mail_t)
+ exim_manage_log(system_mail_t)
+')
+
+optional_policy(`
logrotate_read_tmp_files(system_mail_t)
')
@@ -136,6 +158,14 @@
')
optional_policy(`
+ clamav_stream_connect(sendmail_t)
+')
+
+optional_policy(`
+ spamd_stream_connect(system_mail_t)
+')
+
+optional_policy(`
smartmon_read_tmp_files(system_mail_t)
')
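Review bot: `clamav_stream_connect(sendmail_t)` on line 1077 names `sendmail_t`, while every other rule in this region is for `system_mail_t`; sendmail_t is not declared anywhere in mta.te as far as this patch shows, so in a modular build the reference fails unless a `gen_require` for it is in scope, and even then sendmail rules belong in sendmail.te. Either change it to `clamav_stream_connect(system_mail_t)` if the mail client is what talks to clamd, or move the rule into sendmail.te next to sendmail_t's other optional_policy blocks.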
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.2.5/policy/modules/services/munin.fc
--- nsaserefpolicy/policy/modules/services/munin.fc 2007-04-30 10:41:38.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/munin.fc 2007-12-31 05:55:51.000000000 -0500
@@ -6,6 +6,7 @@
/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0)
/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
-/var/log/munin.* -- gen_context(system_u:object_r:munin_log_t,s0)
+/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
-/var/www/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
+/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
+/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
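Review bot: Dropping the `--` from `/var/log/munin.*` on line 1094 leaves an unanchored regex that now matches any path under /var/log beginning with `munin`, directories included; the usual refpolicy form for a log directory is `/var/log/munin(/.*)?`, with `/var/log/munin.* --` kept only if rotated files at the top level are the target. The old `/var/www/munin(/.*)?` entry is removed rather than kept alongside the new `/var/www/html/munin` paths, so existing installs using the old location will lose their munin_var_lib_t labels on relabel; keep both entries, or note the migration in the changelog.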
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.2.5/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/munin.te 2007-12-31 06:15:20.000000000 -0500
@@ -37,14 +37,18 @@
allow munin_t self:unix_dgram_socket { create_socket_perms sendto };
allow munin_t self:tcp_socket create_stream_socket_perms;
allow munin_t self:udp_socket create_socket_perms;
+allow munin_t self:fifo_file manage_fifo_file_perms;
+
+can_exec(munin_t, munin_exec_t)
allow munin_t munin_etc_t:dir list_dir_perms;
read_files_pattern(munin_t,munin_etc_t,munin_etc_t)
read_lnk_files_pattern(munin_t,munin_etc_t,munin_etc_t)
files_search_etc(munin_t)
-allow munin_t munin_log_t:file manage_file_perms;
-logging_log_filetrans(munin_t,munin_log_t,file)
+manage_dirs_pattern(munin_t, munin_log_t, munin_log_t)
+manage_files_pattern(munin_t, munin_log_t, munin_log_t)
+logging_log_filetrans(munin_t,munin_log_t,{ file dir })
manage_dirs_pattern(munin_t,munin_tmp_t,munin_tmp_t)
manage_files_pattern(munin_t,munin_tmp_t,munin_tmp_t)
@@ -73,6 +77,7 @@
corenet_udp_sendrecv_all_nodes(munin_t)
corenet_tcp_sendrecv_all_ports(munin_t)
corenet_udp_sendrecv_all_ports(munin_t)
+corenet_tcp_connect_munin_port(munin_t)
dev_read_sysfs(munin_t)
dev_read_urand(munin_t)
@@ -91,6 +96,7 @@
logging_send_syslog_msg(munin_t)
+miscfiles_read_fonts(munin_t)
miscfiles_read_localization(munin_t)
sysnet_read_config(munin_t)
@@ -118,3 +124,9 @@
optional_policy(`
udev_read_db(munin_t)
')
+
+#============= http munin policy ==============
+apache_content_template(munin)
+
+manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
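Review bot: `apache_content_template(munin)` on line 1138 declares new types, yet it sits at the very end of the file under an ad-hoc banner rather than in the Declarations section, and it is called unconditionally, so the munin module now hard-depends on the apache module being loaded. If I recall refpolicy's constraint correctly, a type-declaring template cannot go inside `optional_policy`, which is exactly why that dependency deserves a comment. Move the call up next to the other `type` declarations with `# munin's html output is served by apache; requires the apache module` and keep only the two manage_*_pattern rules here; note also that munin_t gets manage, not just write, on httpd_munin_content_t, which includes deleting files apache serves.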
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.2.5/policy/modules/services/mysql.fc
--- nsaserefpolicy/policy/modules/services/mysql.fc 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mysql.fc 2007-12-19 05:38:09.000000000 -0500
@@ -22,3 +22,5 @@
/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
/var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0)
+
+/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.2.5/policy/modules/services/mysql.if
--- nsaserefpolicy/policy/modules/services/mysql.if 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mysql.if 2007-12-19 05:38:09.000000000 -0500
@@ -157,3 +157,79 @@
logging_search_logs($1)
allow $1 mysqld_log_t:file { write append setattr ioctl };
')
+
+########################################
+## <summary>
+## Execute mysql server in the mysqld domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`mysql_script_domtrans',`
+ gen_require(`
+ type mysqld_script_exec_t;
+ ')
+
+ init_script_domtrans_spec($1,mysqld_script_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate an mysql environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the mysql domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the mysql domain to use.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mysql_admin',`
+
+ gen_require(`
+ type mysqld_t;
+ type mysqld_var_run_t;
+ type mysqld_tmp_t;
+ type mysqld_db_t;
+ type mysqld_etc_t;
+ type mysqld_log_t;
+ type mysqld_script_exec_t;
+ ')
+
+ allow $1 mysqld_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, mysqld_t, mysqld_t)
+
+ # Allow $1 to restart the apache service
+ mysql_script_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 mysqld_script_exec_t system_r;
+ allow $2 system_r;
+
+ manage_dirs_pattern($1,mysqld_var_run_t,mysqld_var_run_t)
+ manage_files_pattern($1,mysqld_var_run_t,mysqld_var_run_t)
+
+ manage_dirs_pattern($1,mysqld_db_t,mysqld_db_t)
+ manage_files_pattern($1,mysqld_db_t,mysqld_db_t)
+
+ manage_dirs_pattern($1,mysqld_etc_t,mysqld_etc_t)
+ manage_files_pattern($1,mysqld_etc_t,mysqld_etc_t)
+
+ manage_dirs_pattern($1,mysqld_log_t,mysqld_log_t)
+ manage_files_pattern($1,mysqld_log_t,mysqld_log_t)
+
+ manage_dirs_pattern($1,mysqld_tmp_t,mysqld_tmp_t)
+ manage_files_pattern($1,mysqld_tmp_t,mysqld_tmp_t)
+')
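Review bot: `mysql_admin` documents a third parameter `terminal` on lines 1190-1194 but never uses `$3`; either drop that parameter block or add the rule that consumes it, as `nscd_admin` in this same patch does with `dontaudit nscd_t $3:chr_file rw_term_perms;` (line 1637). The comment `# Allow $1 to restart the apache service` on line 1212 is a copy-paste leftover and should read `# Allow $1 to restart the mysql service`. Also worth a comment that `ptrace` on mysqld_t (line 1209) lets the admin domain read the database server's memory, a deliberately stronger grant than signal/getattr.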
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.2.5/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mysql.te 2007-12-31 16:45:48.000000000 -0500
@@ -1,4 +1,3 @@
-
policy_module(mysql,1.6.0)
########################################
@@ -25,6 +24,9 @@
type mysqld_tmp_t;
files_tmp_file(mysqld_tmp_t)
+type mysqld_script_exec_t;
+init_script_type(mysqld_script_exec_t)
+
########################################
#
# Local policy
@@ -33,7 +35,8 @@
allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service };
dontaudit mysqld_t self:capability sys_tty_config;
allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
-allow mysqld_t self:fifo_file { read write };
+allow mysqld_t self:fifo_file rw_fifo_file_perms;
+allow mysqld_t self:shm create_shm_perms;
allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
allow mysqld_t self:tcp_socket create_stream_socket_perms;
allow mysqld_t self:udp_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.2.5/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/nagios.fc 2007-12-19 05:38:09.000000000 -0500
@@ -4,13 +4,15 @@
/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
-/usr/lib(64)?/cgi-bin/netsaint/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
-/usr/lib(64)?/nagios/cgi/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
+/usr/lib(64)?/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/usr/lib(64)?/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
+
ifdef(`distro_debian',`
/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
-/usr/lib/cgi-bin/nagios/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
')
+/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
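Review bot: The new `/usr/lib(64)?/cgi-bin/nagios(/.+)?` entry on line 1277 uses `(/.+)?` while the two entries it parallels on lines 1267-1268 use `(/.*)?`; they label effectively the same paths, but the inconsistency invites a needless question, so use `(/.*)?`. It is also placed right after the closing `')` of the `distro_debian` block it was lifted out of, leaving a single line in that block, so a reader may assume it is still Debian-specific; either put it with the two generic cgi entries above or add `# cgi-bin location on all distros` above it.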
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.2.5/policy/modules/services/nagios.if
--- nsaserefpolicy/policy/modules/services/nagios.if 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/nagios.if 2007-12-19 05:38:09.000000000 -0500
@@ -44,25 +44,6 @@
########################################
## <summary>
-## Execute the nagios CGI with
-## a domain transition.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`nagios_domtrans_cgi',`
- gen_require(`
- type nagios_cgi_t, nagios_cgi_exec_t;
- ')
-
- domtrans_pattern($1,nagios_cgi_exec_t,nagios_cgi_t)
-')
-
-########################################
-## <summary>
## Execute the nagios NRPE with
## a domain transition.
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.2.5/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/nagios.te 2007-12-19 05:38:09.000000000 -0500
@@ -8,11 +8,7 @@
type nagios_t;
type nagios_exec_t;
-init_daemon_domain(nagios_t, nagios_exec_t)
-
-type nagios_cgi_t;
-type nagios_cgi_exec_t;
-init_system_domain(nagios_cgi_t, nagios_cgi_exec_t)
+init_daemon_domain(nagios_t,nagios_exec_t)
type nagios_etc_t;
files_config_file(nagios_etc_t)
@@ -26,9 +22,12 @@
type nagios_var_run_t;
files_pid_file(nagios_var_run_t)
+type nagios_spool_t;
+files_type(nagios_spool_t)
+
type nrpe_t;
type nrpe_exec_t;
-init_daemon_domain(nrpe_t, nrpe_exec_t)
+init_daemon_domain(nrpe_t,nrpe_exec_t)
type nrpe_etc_t;
files_config_file(nrpe_etc_t)
@@ -60,6 +59,8 @@
manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
files_pid_filetrans(nagios_t, nagios_var_run_t, file)
+rw_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
+
kernel_read_system_state(nagios_t)
kernel_read_kernel_sysctls(nagios_t)
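Review bot: `rw_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)` on line 1335 only grants read/write on an already-existing named pipe under the spool; if nagios creates its external command pipe at startup and removes it on shutdown, which is how I understand its command file works (not visible here), it will need `manage_fifo_files_pattern` plus `manage_dirs_pattern` on the spool directory instead. Whichever is intended, a comment such as `# external command pipe in /var/spool/nagios` above line 1335 would explain why a daemon has fifo access to its spool. The CGI domain that writes commands into that pipe gets no corresponding rule in this patch that I can see.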
@@ -130,42 +131,31 @@
#
# Nagios CGI local policy
#
+apache_content_template(nagios)
+typealias httpd_nagios_script_t alias nagios_cgi_t;
+typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t;
-allow nagios_cgi_t self:process signal_perms;
-allow nagios_cgi_t self:fifo_file rw_fifo_file_perms;
-
-read_files_pattern(nagios_cgi_t, nagios_t, nagios_t)
-read_lnk_files_pattern(nagios_cgi_t, nagios_t, nagios_t)
-
-allow nagios_cgi_t nagios_etc_t:dir list_dir_perms;
-read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t)
-read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t)
+allow httpd_nagios_script_t self:process signal_perms;
-allow nagios_cgi_t nagios_log_t:dir list_dir_perms;
-read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)
-read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)
+read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
+read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
-kernel_read_system_state(nagios_cgi_t)
+allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms;
+read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
+read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
-corecmd_exec_bin(nagios_cgi_t)
+allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;
+read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
+read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
-domain_dontaudit_read_all_domains_state(nagios_cgi_t)
+kernel_read_system_state(httpd_nagios_script_t)
-files_read_etc_files(nagios_cgi_t)
-files_read_etc_runtime_files(nagios_cgi_t)
-files_read_kernel_symbol_table(nagios_cgi_t)
+domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)
-libs_use_ld_so(nagios_cgi_t)
-libs_use_shared_libs(nagios_cgi_t)
+files_read_etc_runtime_files(httpd_nagios_script_t)
+files_read_kernel_symbol_table(httpd_nagios_script_t)
-logging_send_syslog_msg(nagios_cgi_t)
-logging_search_logs(nagios_cgi_t)
-
-miscfiles_read_localization(nagios_cgi_t)
-
-optional_policy(`
- apache_append_log(nagios_cgi_t)
-')
+logging_send_syslog_msg(httpd_nagios_script_t)
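Review bot: `read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)` and the lnk variant on lines 1367-1368 pass nagios_etc_t as the directory type for files that live under /var/log/nagios, which the fc file labels nagios_log_t, so the CGI gains nothing for the log directory beyond the list_dir_perms on line 1366. The rewrite carries this over from the removed nagios_cgi_t rules instead of fixing it; use `read_files_pattern(httpd_nagios_script_t, nagios_log_t, nagios_log_t)` and the matching `read_lnk_files_pattern`. The removed `logging_search_logs` is also not re-added; unless `apache_content_template` grants search on the generic log directory type, the CGI cannot reach /var/log/nagios at all, so re-add `logging_search_logs(httpd_nagios_script_t)`.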
########################################
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.2.5/policy/modules/services/networkmanager.fc
--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2007-09-12 10:34:18.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/networkmanager.fc 2007-12-31 08:48:44.000000000 -0500
@@ -1,7 +1,9 @@
/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/log/wpa_supplicant\.log.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.2.5/policy/modules/services/networkmanager.if
--- nsaserefpolicy/policy/modules/services/networkmanager.if 2007-06-12 10:15:45.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/networkmanager.if 2007-12-31 08:55:52.000000000 -0500
@@ -97,3 +97,21 @@
allow $1 NetworkManager_t:dbus send_msg;
allow NetworkManager_t $1:dbus send_msg;
')
+
+########################################
+## <summary>
+## Send a generic signal to NetworkManager
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_signal',`
+ gen_require(`
+ type NetworkManager_t;
+ ')
+
+ allow $1 NetworkManager_t:process signal;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.2.5/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/networkmanager.te 2007-12-26 20:31:36.000000000 -0500
@@ -13,6 +13,9 @@
type NetworkManager_var_run_t;
files_pid_file(NetworkManager_var_run_t)
+type NetworkManager_log_t;
+logging_log_file(NetworkManager_log_t)
+
########################################
#
# Local policy
@@ -20,7 +23,7 @@
# networkmanager will ptrace itself if gdb is installed
# and it receives a unexpected signal (rh bug #204161)
-allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock };
dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
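Review bot: The capability line on line 1443 gains `chown` and `fsetid` and silently drops `net_bind_service`, with no comment for either change, while the existing comment above explains only `ptrace`. `chown`/`fsetid` are unusual for a network daemon; add the reason in the file's style, e.g. `# chown/fsetid: files written on behalf of dispatcher scripts` if that is the reason. Before removing `net_bind_service`, confirm that nothing still running in this domain (wpa_supplicant and NetworkManagerDispatcher are both labeled NetworkManager_exec_t in this patch) binds a privileged port.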
@@ -38,6 +41,9 @@
manage_sock_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file })
+manage_files_pattern(NetworkManager_t,NetworkManager_log_t,NetworkManager_log_t)
+logging_log_filetrans(NetworkManager_t,NetworkManager_log_t, file)
+
kernel_read_system_state(NetworkManager_t)
kernel_read_network_state(NetworkManager_t)
kernel_read_kernel_sysctls(NetworkManager_t)
@@ -86,6 +92,8 @@
init_read_utmp(NetworkManager_t)
init_domtrans_script(NetworkManager_t)
+auth_use_nsswitch(NetworkManager_t)
+
libs_use_ld_so(NetworkManager_t)
libs_use_shared_libs(NetworkManager_t)
@@ -129,8 +137,11 @@
')
optional_policy(`
+ allow NetworkManager_t self:dbus send_msg;
+
dbus_system_bus_client_template(NetworkManager,NetworkManager_t)
dbus_connect_system_bus(NetworkManager_t)
+ dbus_system_domain(NetworkManager_t,NetworkManager_exec_t)
')
optional_policy(`
@@ -138,12 +149,9 @@
')
optional_policy(`
- nis_use_ypbind(NetworkManager_t)
-')
-
-optional_policy(`
- nscd_socket_use(NetworkManager_t)
nscd_signal(NetworkManager_t)
+ nscd_script_domtrans(NetworkManager_t)
+ nscd_domtrans(NetworkManager_t)
')
optional_policy(`
@@ -155,6 +163,7 @@
ppp_domtrans(NetworkManager_t)
ppp_read_pid_files(NetworkManager_t)
ppp_signal(NetworkManager_t)
+ ppp_read_config(NetworkManager_t)
')
optional_policy(`
@@ -166,11 +175,6 @@
')
optional_policy(`
- # Read gnome-keyring
- unconfined_read_home_content_files(NetworkManager_t)
-')
-
-optional_policy(`
vpn_domtrans(NetworkManager_t)
vpn_signal(NetworkManager_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.2.5/policy/modules/services/nis.fc
--- nsaserefpolicy/policy/modules/services/nis.fc 2007-02-19 11:32:53.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/nis.fc 2007-12-19 05:38:09.000000000 -0500
@@ -4,6 +4,7 @@
/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
/usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
+/usr/lib64/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
/usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
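Review bot: Line 1510 adds a separate `/usr/lib64/yp/ypxfr` entry instead of folding the architecture into the existing one; the rest of this patch uses the `/usr/lib(64)?/...` form (nagios.fc, for example). Replace both lines with `/usr/lib(64)?/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)`.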
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.2.5/policy/modules/services/nis.if
--- nsaserefpolicy/policy/modules/services/nis.if 2007-07-16 14:09:46.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/nis.if 2007-12-19 05:38:09.000000000 -0500
@@ -49,8 +49,8 @@
corenet_udp_bind_all_nodes($1)
corenet_tcp_bind_generic_port($1)
corenet_udp_bind_generic_port($1)
- corenet_tcp_bind_reserved_port($1)
- corenet_udp_bind_reserved_port($1)
+ corenet_dontaudit_tcp_bind_all_reserved_ports($1)
+ corenet_dontaudit_udp_bind_all_reserved_ports($1)
corenet_dontaudit_tcp_bind_all_ports($1)
corenet_dontaudit_udp_bind_all_ports($1)
corenet_tcp_connect_portmap_port($1)
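Review bot: Lines 1522-1523 replace the allow of reserved-port binds with a dontaudit, so a caller of `nis_use_ypbind_uncond` that still needs a reserved port will now be denied with no AVC message, which is the hardest kind of failure to diagnose. If the intent is that callers obtain the port through the RPC-port rules in the new `nis_authenticate`, say so above line 1522, e.g. `# reserved-port binds are granted per caller by nis_authenticate`, and make sure every existing caller is converted; otherwise keep the allow. The enclosing interface starts before this hunk.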
@@ -87,6 +87,25 @@
########################################
## <summary>
+## Use the nis to authenticate passwords
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nis_authenticate',`
+ tunable_policy(`allow_ypbind',`
+ nis_use_ypbind_uncond($1)
+ corenet_tcp_bind_all_rpc_ports($1)
+ corenet_udp_bind_all_rpc_ports($1)
+ ')
+')
+
+########################################
+## <summary>
## Execute ypbind in the ypbind domain.
## </summary>
## <param name="domain">
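Review bot: The summary `Use the nis to authenticate passwords` on line 1530 should read `Use NIS to authenticate passwords`, and the parameter text `The type of the process performing this action` departs from the `Domain allowed access.` wording of the surrounding interfaces. More substantively, `corenet_tcp_bind_all_rpc_ports` and `corenet_udp_bind_all_rpc_ports` give every domain that calls this interface the right to bind any RPC port, not just the one its client needs; a comment explaining why an NIS client must bind rather than connect to RPC ports, or narrowing this to the reserved-port bind the previous hunk removed, would make the grant reviewable.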
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.2.5/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/nis.te 2007-12-19 05:38:09.000000000 -0500
@@ -113,6 +113,17 @@
userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
userdom_dontaudit_search_sysadm_home_dirs(ypbind_t)
+
+optional_policy(`
+ dbus_system_bus_client_template(ypbind,ypbind_t)
+ dbus_connect_system_bus(ypbind_t)
+ init_dbus_chat_script(ypbind_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(ypbind_t)
+ ')
+')
+
optional_policy(`
seutil_sigchld_newrole(ypbind_t)
')
@@ -126,6 +137,7 @@
# yppasswdd local policy
#
+allow yppasswdd_t self:capability dac_override;
dontaudit yppasswdd_t self:capability sys_tty_config;
allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
allow yppasswdd_t self:process { setfscreate signal_perms };
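Review bot: `allow yppasswdd_t self:capability dac_override;` on line 1575 is a strong grant for a password daemon and carries no comment, unlike the self-explanatory dontaudit below it. State which file it must write past DAC (presumably the NIS source files when updating a password; not visible here), e.g. `# dac_override: rewrite NIS source files owned by other users`, so the next reviewer can judge whether a narrower rule on that file type would do instead.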
@@ -156,8 +168,8 @@
corenet_udp_sendrecv_all_ports(yppasswdd_t)
corenet_tcp_bind_all_nodes(yppasswdd_t)
corenet_udp_bind_all_nodes(yppasswdd_t)
-corenet_tcp_bind_reserved_port(yppasswdd_t)
-corenet_udp_bind_reserved_port(yppasswdd_t)
+corenet_tcp_bind_all_rpc_ports(yppasswdd_t)
+corenet_udp_bind_all_rpc_ports(yppasswdd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t)
corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t)
corenet_sendrecv_generic_server_packets(yppasswdd_t)
@@ -247,6 +259,8 @@
corenet_udp_bind_all_nodes(ypserv_t)
corenet_tcp_bind_reserved_port(ypserv_t)
corenet_udp_bind_reserved_port(ypserv_t)
+corenet_tcp_bind_all_rpc_ports(ypserv_t)
+corenet_udp_bind_all_rpc_ports(ypserv_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t)
corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
corenet_sendrecv_generic_server_packets(ypserv_t)
@@ -315,6 +329,8 @@
corenet_udp_bind_all_nodes(ypxfr_t)
corenet_tcp_bind_reserved_port(ypxfr_t)
corenet_udp_bind_reserved_port(ypxfr_t)
+corenet_tcp_bind_all_rpc_ports(ypxfr_t)
+corenet_udp_bind_all_rpc_ports(ypxfr_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
corenet_tcp_connect_all_ports(ypxfr_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.2.5/policy/modules/services/nscd.fc
--- nsaserefpolicy/policy/modules/services/nscd.fc 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/nscd.fc 2007-12-19 05:38:09.000000000 -0500
@@ -9,3 +9,5 @@
/var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0)
/var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+
+/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)
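Review bot: Line 1615 labels nscd's init script `httpd_script_exec_t`, but the type this patch introduces for it in nscd.te is `nscd_script_exec_t`, and `nscd_script_domtrans` in nscd.if transitions on that type; with this label the new interface never fires and the init script instead becomes an apache CGI entrypoint, i.e. something httpd may execute as a script. Change it to `/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_script_exec_t,s0)`, matching the mysqld and ntpd entries elsewhere in the patch.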
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.2.5/policy/modules/services/nscd.if
--- nsaserefpolicy/policy/modules/services/nscd.if 2007-03-26 10:39:04.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/nscd.if 2007-12-19 05:38:09.000000000 -0500
@@ -70,15 +70,14 @@
interface(`nscd_socket_use',`
gen_require(`
type nscd_t, nscd_var_run_t;
- class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
+ class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv };
')
allow $1 self:unix_stream_socket create_socket_perms;
allow $1 nscd_t:nscd { getpwd getgrp gethost };
dontaudit $1 nscd_t:fd use;
- dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
-
+ dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
files_search_pids($1)
stream_connect_pattern($1,nscd_var_run_t,nscd_var_run_t,nscd_t)
dontaudit $1 nscd_var_run_t:file { getattr read };
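Review bot: `getserv` and `shmemserv` are added to the class require on line 1624 but only to the dontaudit on line 1631, while the allow above it stays `{ getpwd getgrp gethost }`, so service lookups through nscd will be refused silently and the caller will fall back to reading /etc/services itself. If that fallback is the intent, a comment above line 1631 saying so would stop someone from "fixing" it later; if callers should get cached service lookups, move `getserv` into the allow. The blank line that separated the dontaudits from `files_search_pids` was also dropped on line 1630.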
@@ -204,3 +203,22 @@
role $2 types nscd_t;
dontaudit nscd_t $3:chr_file rw_term_perms;
')
+
+########################################
+## <summary>
+## Execute nscd server in the ntpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`nscd_script_domtrans',`
+ gen_require(`
+ type nscd_script_exec_t;
+ ')
+
+ init_script_domtrans_spec($1,nscd_script_exec_t)
+')
+
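Review bot: The summary of `nscd_script_domtrans` on line 1642 says `Execute nscd server in the ntpd domain`, copied from the ntp interface; it should read `Execute the nscd init script in the init script domain.`, since this is an init-script transition rather than a transition to nscd_t. The empty `+` line on line 1657 adds a trailing blank line at end of file and should be dropped.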
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.2.5/policy/modules/services/nscd.te
--- nsaserefpolicy/policy/modules/services/nscd.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/nscd.te 2007-12-19 05:38:09.000000000 -0500
@@ -23,19 +23,22 @@
type nscd_log_t;
logging_log_file(nscd_log_t)
+type nscd_script_exec_t;
+init_script_type(nscd_script_exec_t)
+
########################################
#
# Local policy
#
-allow nscd_t self:capability { kill setgid setuid audit_write };
+allow nscd_t self:capability { kill setgid setuid };
dontaudit nscd_t self:capability sys_tty_config;
-allow nscd_t self:process { getattr setsched signal_perms };
+allow nscd_t self:process { getattr setcap setsched signal_perms };
allow nscd_t self:fifo_file { read write };
allow nscd_t self:unix_stream_socket create_stream_socket_perms;
allow nscd_t self:unix_dgram_socket create_socket_perms;
allow nscd_t self:netlink_selinux_socket create_socket_perms;
-allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
allow nscd_t self:tcp_socket create_socket_perms;
allow nscd_t self:udp_socket create_socket_perms;
@@ -50,6 +53,8 @@
manage_sock_files_pattern(nscd_t,nscd_var_run_t,nscd_var_run_t)
files_pid_filetrans(nscd_t,nscd_var_run_t,{ file sock_file })
+can_exec(nscd_t, nscd_exec_t)
+
kernel_read_kernel_sysctls(nscd_t)
kernel_list_proc(nscd_t)
kernel_read_proc_symlinks(nscd_t)
@@ -73,6 +78,8 @@
corenet_udp_sendrecv_all_nodes(nscd_t)
corenet_tcp_sendrecv_all_ports(nscd_t)
corenet_udp_sendrecv_all_ports(nscd_t)
+corenet_udp_bind_all_nodes(nscd_t)
+corenet_udp_bind_all_nodes(nscd_t)
corenet_tcp_connect_all_ports(nscd_t)
corenet_sendrecv_all_client_packets(nscd_t)
corenet_rw_tun_tap_dev(nscd_t)
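Review bot: Lines 1696-1697 add `corenet_udp_bind_all_nodes(nscd_t)` twice; the duplicate is harmless to the compiler, but since the surrounding rules come in tcp/udp pairs one of them was almost certainly meant to be `corenet_tcp_bind_all_nodes(nscd_t)`. No matching port-bind rule is visible in this hunk, so binding all nodes only becomes useful together with a port rule elsewhere; a comment on why nscd, a local lookup cache, binds network addresses at all would help.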
@@ -93,6 +100,7 @@
libs_use_ld_so(nscd_t)
libs_use_shared_libs(nscd_t)
+logging_send_audit_msgs(nscd_t)
logging_send_syslog_msg(nscd_t)
miscfiles_read_localization(nscd_t)
@@ -114,3 +122,12 @@
xen_dontaudit_rw_unix_stream_sockets(nscd_t)
xen_append_log(nscd_t)
')
+
+optional_policy(`
+ tunable_policy(`samba_domain_controller',`
+ samba_append_log(nscd_t)
+ samba_dontaudit_use_fds(nscd_t)
+ ')
+ samba_read_config(nscd_t)
+ samba_read_var_files(nscd_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.fc serefpolicy-3.2.5/policy/modules/services/ntp.fc
--- nsaserefpolicy/policy/modules/services/ntp.fc 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/ntp.fc 2007-12-19 05:38:09.000000000 -0500
@@ -17,3 +17,8 @@
/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
+
+/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
+
+/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.2.5/policy/modules/services/ntp.if
--- nsaserefpolicy/policy/modules/services/ntp.if 2007-03-26 10:39:05.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/ntp.if 2007-12-19 05:38:09.000000000 -0500
@@ -53,3 +53,22 @@
corecmd_search_bin($1)
domtrans_pattern($1,ntpdate_exec_t,ntpd_t)
')
+
+########################################
+## <summary>
+## Execute ntp server in the ntpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`ntp_script_domtrans',`
+ gen_require(`
+ type ntpd_script_exec_t;
+ ')
+
+ init_script_domtrans_spec($1,ntpd_script_exec_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.2.5/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/ntp.te 2007-12-19 05:38:09.000000000 -0500
@@ -25,6 +25,12 @@
type ntpdate_exec_t;
init_system_domain(ntpd_t,ntpdate_exec_t)
+type ntpd_key_t;
+files_type(ntpd_key_t)
+
+type ntpd_script_exec_t;
+init_script_type(ntpd_script_exec_t)
+
########################################
#
# Local policy
@@ -36,6 +42,7 @@
dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
allow ntpd_t self:process { signal_perms setcap setsched setrlimit };
allow ntpd_t self:fifo_file { read write getattr };
+allow ntpd_t self:shm create_shm_perms;
allow ntpd_t self:unix_dgram_socket create_socket_perms;
allow ntpd_t self:unix_stream_socket create_socket_perms;
allow ntpd_t self:tcp_socket create_stream_socket_perms;
@@ -49,6 +56,8 @@
manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t)
logging_log_filetrans(ntpd_t,ntpd_log_t,{ file dir })
+read_files_pattern(ntpd_t,ntpd_key_t,ntpd_key_t)
+
# for some reason it creates a file in /tmp
manage_dirs_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t)
manage_files_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t)
@@ -82,6 +91,8 @@
fs_getattr_all_fs(ntpd_t)
fs_search_auto_mountpoints(ntpd_t)
+# Necessary to communicate with gpsd devices
+fs_rw_tmpfs_files(ntpd_t)
auth_use_nsswitch(ntpd_t)
@@ -105,6 +116,10 @@
miscfiles_read_localization(ntpd_t)
+sysnet_dontaudit_dhcpc_use_fds(ntpd_t)
+
+term_use_ptmx(ntpd_t)
+
userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
userdom_list_sysadm_home_dirs(ntpd_t)
userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
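Review bot: `term_use_ptmx(ntpd_t)` is added without any comment, whereas the tmpfs rule in the previous hunk of this file says why it is needed (`# Necessary to communicate with gpsd devices`). Pty multiplexer access is not an obvious requirement for a time daemon, so a one-line reason keeps the grant reviewable, e.g. `# needed for <reason> -- confirm`; if it serves the same gpsd use as the tmpfs rule, say so.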
@@ -120,6 +135,10 @@
')
optional_policy(`
+ hal_dontaudit_write_log(ntpd_t)
+')
+
+optional_policy(`
logrotate_exec(ntpd_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.2.5/policy/modules/services/oddjob.te
--- nsaserefpolicy/policy/modules/services/oddjob.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/oddjob.te 2008-01-04 12:24:30.000000000 -0500
@@ -15,6 +15,7 @@
type oddjob_mkhomedir_t;
type oddjob_mkhomedir_exec_t;
domain_type(oddjob_mkhomedir_t)
+domain_obj_id_change_exemption(oddjob_mkhomedir_t)
init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
@@ -68,20 +69,38 @@
# oddjob_mkhomedir local policy
#
+allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override };
+allow oddjob_mkhomedir_t self:process setfscreate;
allow oddjob_mkhomedir_t self:fifo_file { read write };
allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
files_read_etc_files(oddjob_mkhomedir_t)
+kernel_read_system_state(oddjob_mkhomedir_t)
+
+auth_use_nsswitch(oddjob_mkhomedir_t)
+
libs_use_ld_so(oddjob_mkhomedir_t)
libs_use_shared_libs(oddjob_mkhomedir_t)
+logging_send_syslog_msg(oddjob_mkhomedir_t)
+
miscfiles_read_localization(oddjob_mkhomedir_t)
+selinux_get_fs_mount(oddjob_mkhomedir_t)
+selinux_validate_context(oddjob_mkhomedir_t)
+selinux_compute_access_vector(oddjob_mkhomedir_t)
+selinux_compute_create_context(oddjob_mkhomedir_t)
+selinux_compute_relabel_context(oddjob_mkhomedir_t)
+selinux_compute_user_contexts(oddjob_mkhomedir_t)
+
+seutil_read_config(oddjob_mkhomedir_t)
+seutil_read_file_contexts(oddjob_mkhomedir_t)
+seutil_read_default_contexts(oddjob_mkhomedir_t)
+
# Add/remove user home directories
+userdom_manage_unpriv_users_home_content_dirs(oddjob_mkhomedir_t)
userdom_home_filetrans_generic_user_home_dir(oddjob_mkhomedir_t)
-userdom_manage_generic_user_home_content_dirs(oddjob_mkhomedir_t)
-userdom_manage_generic_user_home_content_files(oddjob_mkhomedir_t)
-userdom_manage_generic_user_home_dirs(oddjob_mkhomedir_t)
-userdom_manage_staff_home_dirs(oddjob_mkhomedir_t)
+userdom_manage_all_users_home_content_dirs(oddjob_mkhomedir_t)
+userdom_manage_all_users_home_content_files(oddjob_mkhomedir_t)
userdom_generic_user_home_dir_filetrans_generic_user_home_content(oddjob_mkhomedir_t,notdevfile_class_set)
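Review bot: `userdom_manage_unpriv_users_home_content_dirs(oddjob_mkhomedir_t)` and `userdom_manage_all_users_home_content_dirs(oddjob_mkhomedir_t)` are both added, and the all-users interface presumably subsumes the unprivileged-users one, so one of the two is redundant. The hunk also replaces the previous generic/staff-scoped home rules with manage rights over every user's home content, plus `chown fowner fsetid dac_override`, which is a considerably wider grant for a home-directory creator than before. A comment stating why all user roles (including privileged ones) must be covered would help the next reviewer; if only the all-users call is required, drop the unpriv one.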
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openct.te serefpolicy-3.2.5/policy/modules/services/openct.te
--- nsaserefpolicy/policy/modules/services/openct.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/openct.te 2007-12-19 05:38:09.000000000 -0500
@@ -22,6 +22,7 @@
allow openct_t self:process signal_perms;
manage_files_pattern(openct_t,openct_var_run_t,openct_var_run_t)
+manage_sock_files_pattern(openct_t,openct_var_run_t,openct_var_run_t)
files_pid_filetrans(openct_t,openct_var_run_t,file)
kernel_read_kernel_sysctls(openct_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.fc serefpolicy-3.2.5/policy/modules/services/openvpn.fc
--- nsaserefpolicy/policy/modules/services/openvpn.fc 2007-06-11 16:05:22.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/openvpn.fc 2007-12-19 05:38:09.000000000 -0500
@@ -11,5 +11,5 @@
#
# /var
#
-/var/log/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_log_t,s0)
+/var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0)
/var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0)
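Review bot: The new pattern `/var/log/openvpn.*` has no boundary after `openvpn`, so it labels any entry under /var/log whose name merely starts with `openvpn`, and everything beneath it, not just the log directory and rotated log files. If the intent is the directory plus files such as `openvpn.log*`, a form like `/var/log/openvpn(/.*|\.log.*)?` states that scope explicitly; otherwise a comment on why the open-ended match is wanted would help.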
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.2.5/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/openvpn.te 2007-12-19 05:38:09.000000000 -0500
@@ -8,7 +8,7 @@
## <desc>
## <p>
-## Allow openvpn to read home directories
+## Allow openvpn service access to users home directories
## </p>
## </desc>
gen_tunable(openvpn_enable_homedirs,false)
@@ -35,7 +35,7 @@
# openvpn local policy
#
-allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_tty_config };
+allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
allow openvpn_t self:process { signal getsched };
allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -110,3 +110,12 @@
networkmanager_dbus_chat(openvpn_t)
')
+
+
+# Need to interact with terminals if config option "auth-user-pass" is used
+userdom_use_sysadm_terms(openvpn_t)
+
+optional_policy(`
+ unconfined_use_terminals(openvpn_t)
+')
+
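Review bot: `userdom_use_sysadm_terms(openvpn_t)` is granted unconditionally even though the comment above it says the access is only needed when the `auth-user-pass` option is used; a rarely needed terminal grant is a candidate for a tunable, and this file already declares one with `gen_tunable(openvpn_enable_homedirs,false)`, so the same pattern could gate both the sysadm and the `unconfined_use_terminals(openvpn_t)` rules. There are also two consecutive blank lines before the comment and a trailing blank line at end of file.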
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.2.5/policy/modules/services/pcscd.te
--- nsaserefpolicy/policy/modules/services/pcscd.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/pcscd.te 2007-12-19 05:38:09.000000000 -0500
@@ -45,6 +45,7 @@
files_read_etc_files(pcscd_t)
files_read_etc_runtime_files(pcscd_t)
+term_use_unallocated_ttys(pcscd_t)
term_dontaudit_getattr_pty_dirs(pcscd_t)
libs_use_ld_so(pcscd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.2.5/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/pegasus.te 2007-12-19 05:38:09.000000000 -0500
@@ -42,6 +42,7 @@
allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
+manage_dirs_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
manage_files_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
manage_lnk_files_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
filetrans_pattern(pegasus_t,pegasus_conf_t,pegasus_data_t,{ file dir })
@@ -95,13 +96,12 @@
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
+auth_read_shadow(pegasus_t)
domain_use_interactive_fds(pegasus_t)
domain_read_all_domains_state(pegasus_t)
-files_read_etc_files(pegasus_t)
-files_list_var_lib(pegasus_t)
-files_read_var_lib_files(pegasus_t)
+files_read_all_files(pegasus_t)
files_read_var_lib_symlinks(pegasus_t)
hostname_exec(pegasus_t)
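Review bot: `auth_read_shadow(pegasus_t)` is added while `auth_domtrans_chk_passwd(pegasus_t)` is kept on the line above; the chkpwd transition exists so a domain can verify passwords without reading the shadow file itself, so if the transition is sufficient the direct read is redundant and widens what a compromised pegasus_t can disclose. Likewise `files_read_all_files(pegasus_t)` replaces three narrowly scoped read interfaces; a comment naming what pegasus needs beyond etc and var/lib files would justify the broader grant. If both are deliberate, record the reason inline, e.g. `# direct shadow read needed for <reason> -- confirm`.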
@@ -113,19 +113,16 @@
libs_use_shared_libs(pegasus_t)
logging_send_audit_msgs(pegasus_t)
+logging_send_syslog_msg(pegasus_t)
miscfiles_read_localization(pegasus_t)
-sysnet_read_config(pegasus_t)
+sysnet_domtrans_ifconfig(pegasus_t)
userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
userdom_dontaudit_search_sysadm_home_dirs(pegasus_t)
optional_policy(`
- logging_send_syslog_msg(pegasus_t)
-')
-
-optional_policy(`
rpm_exec(pegasus_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.2.5/policy/modules/services/polkit.fc
--- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/polkit.fc 2007-12-19 09:37:14.000000000 -0500
@@ -0,0 +1,6 @@
+
+/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0)
+
+/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
+/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_run_t,s0)
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.2.5/policy/modules/services/polkit.if
--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/polkit.if 2007-12-19 05:38:09.000000000 -0500
@@ -0,0 +1,60 @@
+
+## <summary>policy for polkit_auth</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run polkit_auth.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`polkit_domtrans_auth',`
+ gen_require(`
+ type polkit_auth_t;
+ type polkit_auth_exec_t;
+ ')
+
+ domtrans_pattern($1,polkit_auth_exec_t,polkit_auth_t)
+')
+
+########################################
+## <summary>
+## Search polkit lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`polkit_search_lib',`
+ gen_require(`
+ type polkit_var_lib_t;
+ ')
+
+ allow $1 polkit_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## read polkit lib files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`polkit_read_lib',`
+ gen_require(`
+ type polkit_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, polkit_var_lib_t, polkit_var_lib_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.2.5/policy/modules/services/polkit.te
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/polkit.te 2007-12-19 15:17:09.000000000 -0500
@@ -0,0 +1,63 @@
+policy_module(polkit_auth,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type polkit_auth_t;
+type polkit_auth_exec_t;
+domain_type(polkit_auth_t)
+init_daemon_domain(polkit_auth_t, polkit_auth_exec_t)
+
+type polkit_var_lib_t;
+files_type(polkit_var_lib_t)
+
+type polkit_var_run_t;
+files_pid_file(polkit_var_run_t)
+
+########################################
+#
+# polkit_auth local policy
+#
+
+allow polkit_auth_t self:process getattr;
+
+allow polkit_auth_t self:unix_dgram_socket create_socket_perms;
+allow polkit_auth_t self:fifo_file rw_file_perms;
+allow polkit_auth_t self:unix_stream_socket create_stream_socket_perms;
+
+can_exec(polkit_auth_t, polkit_auth_exec_t)
+corecmd_search_bin(polkit_auth_t)
+
+domain_use_interactive_fds(polkit_auth_t)
+
+files_read_etc_files(polkit_auth_t)
+files_read_usr_files(polkit_auth_t)
+
+auth_use_nsswitch(polkit_auth_t)
+
+libs_use_ld_so(polkit_auth_t)
+libs_use_shared_libs(polkit_auth_t)
+
+miscfiles_read_localization(polkit_auth_t)
+
+logging_send_syslog_msg(polkit_auth_t)
+
+manage_files_pattern(polkit_auth_t, polkit_var_lib_t, polkit_var_lib_t)
+
+# pid file
+manage_dirs_pattern(polkit_auth_t,polkit_var_run_t,polkit_var_run_t)
+manage_files_pattern(polkit_auth_t,polkit_var_run_t,polkit_var_run_t)
+files_pid_filetrans(polkit_auth_t,polkit_var_run_t, { file dir })
+
+optional_policy(`
+ dbus_system_bus_client_template(polkit_auth, polkit_auth_t)
+ consolekit_dbus_chat(polkit_auth_t)
+')
+
+optional_policy(`
+ hal_getattr(polkit_auth_t)
+ hal_read_state(polkit_auth_t)
+')
+
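Review bot: `policy_module(polkit_auth,1.0.0)` names the module polkit_auth while the file is polkit.te; the module name is conventionally the file's base name, and a mismatch is confusing when the built package is installed or listed. `manage_files_pattern(polkit_auth_t, polkit_var_lib_t, polkit_var_lib_t)` has no `files_search_var_lib(polkit_auth_t)` companion, unlike `polkit_read_lib` in polkit.if which pairs the two, so the daemon may be unable to reach the directory by path. The explicit `domain_type(polkit_auth_t)` next to `init_daemon_domain(polkit_auth_t, polkit_auth_exec_t)` looks redundant if the daemon interface already declares the domain type, as it does in refpolicy's init module; confirm and drop it. The file also ends with a trailing blank line.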
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.2.5/policy/modules/services/postfix.fc
--- nsaserefpolicy/policy/modules/services/postfix.fc 2007-09-12 10:34:18.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/postfix.fc 2007-12-19 05:38:09.000000000 -0500
@@ -29,12 +29,10 @@
/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
')
/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
/usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
/usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.2.5/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2007-12-04 11:02:50.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/postfix.if 2007-12-19 05:38:09.000000000 -0500
@@ -416,7 +416,7 @@
## </summary>
## </param>
#
-interface(`postfix_create_pivate_sockets',`
+interface(`postfix_create_private_sockets',`
gen_require(`
type postfix_private_t;
')
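Review bot: Renaming `postfix_create_pivate_sockets` to `postfix_create_private_sockets` breaks any module that still calls the old name. refpolicy's convention is to keep the old interface as a deprecated wrapper that calls the new one and emits `refpolicywarn(`$0() has been renamed to postfix_create_private_sockets()')`, so callers get a warning instead of a build failure. The body of the interface continues outside the hunk.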
@@ -427,6 +427,26 @@
########################################
## <summary>
+## manage named socket in a postfix private directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_manage_private_sockets',`
+ gen_require(`
+ type postfix_private_t;
+ ')
+
+ allow $1 postfix_private_t:dir list_dir_perms;
+ manage_sock_files_pattern($1,postfix_private_t,postfix_private_t)
+')
+
+
+########################################
+## <summary>
## Execute the master postfix program in the
## postfix_master domain.
## </summary>
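Review bot: The summary `manage named socket in a postfix private directory.` should be capitalized and pluralized to match the other summaries in this file, e.g. `Manage named sockets in a postfix private directory.`. There are also two blank lines between the new interface and the following banner where the file otherwise uses one.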
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.2.5/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/postfix.te 2007-12-31 14:18:01.000000000 -0500
@@ -6,6 +6,14 @@
# Declarations
#
+## <desc>
+## <p>
+## Allow postfix_local domain full write access to mail_spool directories
+##
+## </p>
+## </desc>
+gen_tunable(allow_postfix_local_write_mail_spool,false)
+
attribute postfix_user_domains;
# domains that transition to the
# postfix user domains
@@ -27,6 +35,10 @@
postfix_server_domain_template(local)
mta_mailserver_delivery(postfix_local_t)
+tunable_policy(`allow_postfix_local_write_mail_spool', `
+ mta_rw_spool(postfix_local_t)
+')
+
type postfix_local_tmp_t;
files_tmp_file(postfix_local_tmp_t)
@@ -34,6 +46,7 @@
type postfix_map_t;
type postfix_map_exec_t;
application_domain(postfix_map_t,postfix_map_exec_t)
+role system_r types postfix_map_t;
type postfix_map_tmp_t;
files_tmp_file(postfix_map_tmp_t)
@@ -99,6 +112,7 @@
allow postfix_master_t self:fifo_file rw_fifo_file_perms;
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
allow postfix_master_t self:udp_socket create_socket_perms;
+allow postfix_master_t self:process setrlimit;
allow postfix_master_t postfix_etc_t:file rw_file_perms;
@@ -174,6 +188,7 @@
mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
+mta_getattr_spool(postfix_master_t)
optional_policy(`
cyrus_stream_connect(postfix_master_t)
@@ -248,6 +263,10 @@
corecmd_exec_bin(postfix_cleanup_t)
+optional_policy(`
+ mailman_read_data_files(postfix_cleanup_t)
+')
+
########################################
#
# Postfix local local policy
@@ -273,6 +292,8 @@
files_read_etc_files(postfix_local_t)
+logging_dontaudit_search_logs(postfix_local_t)
+
mta_read_aliases(postfix_local_t)
mta_delete_spool(postfix_local_t)
# For reading spamassasin
@@ -285,6 +306,8 @@
optional_policy(`
# for postalias
mailman_manage_data_files(postfix_local_t)
+ mailman_append_log(postfix_local_t)
+ mailman_read_log(postfix_local_t)
')
optional_policy(`
@@ -295,8 +318,7 @@
#
# Postfix map local policy
#
-
-allow postfix_map_t self:capability setgid;
+allow postfix_map_t self:capability { dac_override setgid setuid };
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
allow postfix_map_t self:tcp_socket create_stream_socket_perms;
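Review bot: `allow postfix_map_t self:capability { dac_override setgid setuid };` widens the map domain from `setgid` alone to `dac_override` and `setuid` without a comment explaining which operation needs them; `dac_override` in particular bypasses file permission checks and deserves a one-line justification, e.g. `# dac_override/setuid needed for <reason> -- confirm`.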
@@ -346,8 +368,6 @@
miscfiles_read_localization(postfix_map_t)
-seutil_read_config(postfix_map_t)
-
tunable_policy(`read_default_t',`
files_list_default(postfix_map_t)
files_read_default_files(postfix_map_t)
@@ -360,6 +380,11 @@
locallogin_dontaudit_use_fds(postfix_map_t)
')
+optional_policy(`
+# for postalias
+ mailman_manage_data_files(postfix_map_t)
+')
+
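Review bot: The comment `# for postalias` inside the new `optional_policy` block sits at column 0, while the identical comment in the earlier postfix_local_t block of this file is indented one tab with the call it describes; indent it to match.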
########################################
#
# Postfix pickup local policy
@@ -392,6 +417,10 @@
rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
optional_policy(`
+ dovecot_domtrans_deliver(postfix_pipe_t)
+')
+
+optional_policy(`
procmail_domtrans(postfix_pipe_t)
')
@@ -400,6 +429,10 @@
')
optional_policy(`
+ mta_manage_spool(postfix_pipe_t)
+')
+
+optional_policy(`
uucp_domtrans_uux(postfix_pipe_t)
')
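Review bot: `mta_manage_spool(postfix_pipe_t)` is wrapped in `optional_policy`, but mta interfaces are called unconditionally elsewhere in this file (`mta_mailserver_delivery`, `mta_rw_aliases`, `mta_getattr_spool` in earlier hunks), so the wrapper is inconsistent and suggests the block was meant for a different module. The grant is also wide: manage rights over the whole mail spool for the pipe delivery agent, where the existing rule two hunks up only gives rw on `postfix_spool_t`; a comment on why pipe needs full manage access would be warranted.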
@@ -532,9 +565,6 @@
# connect to master process
stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
-# Connect to policy server
-corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
-
# for prng_exch
allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
@@ -557,6 +587,10 @@
sasl_connect(postfix_smtpd_t)
')
+optional_policy(`
+ dovecot_auth_stream_connect(postfix_smtpd_t)
+')
+
########################################
#
# Postfix virtual local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.2.5/policy/modules/services/postgresql.fc
--- nsaserefpolicy/policy/modules/services/postgresql.fc 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/postgresql.fc 2007-12-19 05:38:09.000000000 -0500
@@ -38,3 +38,5 @@
')
/var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
+
+/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.2.5/policy/modules/services/postgresql.if
--- nsaserefpolicy/policy/modules/services/postgresql.if 2007-11-29 13:29:35.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/postgresql.if 2007-12-19 05:38:09.000000000 -0500
@@ -120,3 +120,77 @@
# Some versions of postgresql put the sock file in /tmp
allow $1 postgresql_tmp_t:sock_file write;
')
+
+########################################
+## <summary>
+## Execute postgresql server in the posgresql domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`postgresql_script_domtrans',`
+ gen_require(`
+ type postgresql_script_exec_t;
+ ')
+
+ init_script_domtrans_spec($1,postgresql_script_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate an postgresql environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the postgresql domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the postgresql domain to use.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postgresql_admin',`
+ gen_require(`
+ type postgresql_t;
+ type postgresql_var_run_t;
+ type postgresql_tmp_t;
+ type postgresql_db_t;
+ type postgresql_etc_t;
+ type postgresql_log_t;
+ ')
+
+ allow $1 postgresql_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, postgresql_t, postgresql_t)
+
+ # Allow $1 to restart the apache service
+ postgresql_script_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 postgresql_script_exec_t system_r;
+ allow $2 system_r;
+
+ manage_dirs_pattern($1,postgresql_var_run_t,postgresql_var_run_t)
+ manage_files_pattern($1,postgresql_var_run_t,postgresql_var_run_t)
+
+ manage_dirs_pattern($1,postgresql_db_t,postgresql_db_t)
+ manage_files_pattern($1,postgresql_db_t,postgresql_db_t)
+
+ manage_dirs_pattern($1,postgresql_etc_t,postgresql_etc_t)
+ manage_files_pattern($1,postgresql_etc_t,postgresql_etc_t)
+
+ manage_dirs_pattern($1,postgresql_log_t,postgresql_log_t)
+ manage_files_pattern($1,postgresql_log_t,postgresql_log_t)
+
+ manage_dirs_pattern($1,postgresql_tmp_t,postgresql_tmp_t)
+ manage_files_pattern($1,postgresql_tmp_t,postgresql_tmp_t)
+')
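Review bot: The comment `# Allow $1 to restart the apache service` in `postgresql_admin` is a copy-paste leftover and should read `# Allow $1 to restart the postgresql service`. `role_transition $2 postgresql_script_exec_t system_r;` uses `postgresql_script_exec_t`, which is not listed in this interface's `gen_require` block (only the called `postgresql_script_domtrans` requires it); add `type postgresql_script_exec_t;` to the require so the interface is self-contained. The summaries also have typos: `posgresql` and `administrate an postgresql`.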
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.2.5/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/postgresql.te 2007-12-19 05:38:09.000000000 -0500
@@ -27,6 +27,9 @@
type postgresql_var_run_t;
files_pid_file(postgresql_var_run_t)
+type postgresql_script_exec_t;
+init_script_type(postgresql_script_exec_t)
+
########################################
#
# postgresql Local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.2.5/policy/modules/services/ppp.fc
--- nsaserefpolicy/policy/modules/services/ppp.fc 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/ppp.fc 2007-12-19 05:38:09.000000000 -0500
@@ -25,7 +25,7 @@
#
# /var
#
-/var/run/(i)?ppp.*pid -- gen_context(system_u:object_r:pppd_var_run_t,s0)
+/var/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0)
/var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0)
/var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0)
# Fix pptp sockets
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.2.5/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/ppp.te 2007-12-31 17:30:15.000000000 -0500
@@ -162,6 +162,8 @@
init_read_utmp(pppd_t)
init_dontaudit_write_utmp(pppd_t)
+auth_use_nsswitch(pppd_t)
+
libs_use_ld_so(pppd_t)
libs_use_shared_libs(pppd_t)
@@ -194,14 +196,12 @@
optional_policy(`
mta_send_mail(pppd_t)
+ mta_mailcontent(pppd_etc_t)
+ mta_mailcontent(pppd_etc_rw_t)
')
optional_policy(`
- nis_use_ypbind(pppd_t)
-')
-
-optional_policy(`
- nscd_socket_use(pppd_t)
+ networkmanager_signal(pppd_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.if serefpolicy-3.2.5/policy/modules/services/procmail.if
--- nsaserefpolicy/policy/modules/services/procmail.if 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/procmail.if 2007-12-31 15:18:55.000000000 -0500
@@ -39,3 +39,22 @@
corecmd_search_bin($1)
can_exec($1,procmail_exec_t)
')
+
+########################################
+## <summary>
+## Read procmail tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`procmail_read_tmp_files',`
+ gen_require(`
+ type procmail_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 procmail_tmp_t:file read_file_perms;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.2.5/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/procmail.te 2008-01-03 10:56:43.000000000 -0500
@@ -129,7 +129,9 @@
corenet_udp_bind_generic_port(procmail_t)
corenet_dontaudit_udp_bind_all_ports(procmail_t)
- spamassassin_exec(procmail_t)
- spamassassin_exec_client(procmail_t)
- spamassassin_read_lib_files(procmail_t)
+ spamassassin_domtrans(procmail_t)
+')
+
+optional_policy(`
+ mailscanner_read_spool(procmail_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.2.5/policy/modules/services/pyzor.fc
--- nsaserefpolicy/policy/modules/services/pyzor.fc 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/pyzor.fc 2007-12-19 05:38:09.000000000 -0500
@@ -1,6 +1,6 @@
/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
-HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:ROLE_pyzor_home_t,s0)
+HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:user_pyzor_home_t,s0)
/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.2.5/policy/modules/services/pyzor.if
--- nsaserefpolicy/policy/modules/services/pyzor.if 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/pyzor.if 2007-12-19 05:38:09.000000000 -0500
@@ -25,16 +25,18 @@
#
template(`pyzor_per_role_template',`
gen_require(`
- type pyzord_t;
+ type pyzor_t;
+ type user_pyzor_home_t;
')
- type $1_pyzor_home_t;
- userdom_user_home_content($1, $1_pyzor_home_t)
+ ifelse(`$1',`user',`',`
+ typealias user_pyzor_home_t alias $1_pyzor_home_t;
+ ')
- manage_dirs_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t)
- manage_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t)
- manage_lnk_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t)
- userdom_user_home_dir_filetrans($1, pyzord_t, $1_pyzor_home_t, { dir file lnk_file })
+ manage_dirs_pattern(pyzor_t,user_pyzor_home_t,user_pyzor_home_t)
+ manage_files_pattern(pyzor_t,user_pyzor_home_t,user_pyzor_home_t)
+ manage_lnk_files_pattern(pyzor_t,user_pyzor_home_t,user_pyzor_home_t)
+ userdom_user_home_dir_filetrans($1,pyzor_t,user_pyzor_home_t,{ dir file lnk_file })
')
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.2.5/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/pyzor.te 2007-12-31 15:19:10.000000000 -0500
@@ -28,6 +28,9 @@
type pyzor_var_lib_t;
files_type(pyzor_var_lib_t)
+type user_pyzor_home_t;
+userdom_user_home_content(user,user_pyzor_home_t)
+
########################################
#
# Pyzor local policy
@@ -68,6 +71,8 @@
miscfiles_read_localization(pyzor_t)
+mta_read_queue(pyzor_t)
+
userdom_dontaudit_search_sysadm_home_dirs(pyzor_t)
optional_policy(`
@@ -76,8 +81,13 @@
')
optional_policy(`
+ procmail_read_tmp_files(pyzor_t)
+')
+
+optional_policy(`
spamassassin_signal_spamd(pyzor_t)
spamassassin_read_spamd_tmp_files(pyzor_t)
+ userdom_read_user_home_content_files(unconfined,pyzor_t)
')
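Review bot: `userdom_read_user_home_content_files(unconfined,pyzor_t)` is placed inside the `optional_policy` block for spamassassin, between `spamassassin_signal_spamd` and the closing `')`, although it is a userdom rule that does not depend on spamassassin being present; it presumably belongs in its own block or unconditionally. The `unconfined` prefix also stands out next to the `user` prefix this patch uses for `user_pyzor_home_t` in the preceding hunk; confirm which role's home content pyzor should read.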
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.te serefpolicy-3.2.5/policy/modules/services/qmail.te
--- nsaserefpolicy/policy/modules/services/qmail.te 2007-10-02 09:54:52.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/qmail.te 2008-01-07 16:36:33.000000000 -0500
@@ -85,6 +85,8 @@
libs_use_ld_so(qmail_inject_t)
libs_use_shared_libs(qmail_inject_t)
+miscfiles_read_localization(qmail_inject_t)
+
qmail_read_config(qmail_inject_t)
########################################
@@ -106,15 +108,25 @@
kernel_read_system_state(qmail_local_t)
+corecmd_exec_bin(qmail_local_t)
corecmd_exec_shell(qmail_local_t)
+can_exec(qmail_local_t, qmail_local_exec_t)
files_read_etc_files(qmail_local_t)
files_read_etc_runtime_files(qmail_local_t)
+auth_use_nsswitch(qmail_local_t)
+
+logging_send_syslog(qmail_local_t)
+
mta_append_spool(qmail_local_t)
qmail_domtrans_queue(qmail_local_t)
+optional_policy(`
+ spamassassin_domtrans_spamc(qmail_local_t)
+')
+
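Review bot: `logging_send_syslog(qmail_local_t)` does not match the interface name used everywhere else in this patch, `logging_send_syslog_msg` (nscd, oddjob, pegasus and polkit hunks); unless `logging_send_syslog` exists, the module will fail to build. The same call appears as `logging_send_syslog(qmail_queue_t)` in the next hunk of this file. Change both to `logging_send_syslog_msg(...)`.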
########################################
#
# qmail-lspawn local policy
@@ -155,6 +167,10 @@
manage_files_pattern(qmail_queue_t,qmail_spool_t,qmail_spool_t)
rw_fifo_files_pattern(qmail_queue_t,qmail_spool_t,qmail_spool_t)
+corecmd_exec_bin(qmail_queue_t)
+
+logging_send_syslog(qmail_queue_t)
+
optional_policy(`
daemontools_ipc_domain(qmail_queue_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.2.5/policy/modules/services/razor.fc
--- nsaserefpolicy/policy/modules/services/razor.fc 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/razor.fc 2007-12-19 05:38:09.000000000 -0500
@@ -1,4 +1,4 @@
-HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:ROLE_razor_home_t,s0)
+HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:user_razor_home_t,s0)
/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.2.5/policy/modules/services/razor.if
--- nsaserefpolicy/policy/modules/services/razor.if 2007-07-16 14:09:46.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/razor.if 2007-12-19 05:38:09.000000000 -0500
@@ -137,6 +137,7 @@
template(`razor_per_role_template',`
gen_require(`
type razor_exec_t;
+ type user_razor_home_t, user_razor_tmp_t;
')
type $1_razor_t;
@@ -145,12 +146,10 @@
razor_common_domain_template($1_razor)
role $3 types $1_razor_t;
- type $1_razor_home_t alias $1_razor_rw_t;
- files_poly_member($1_razor_home_t)
- userdom_user_home_content($1,$1_razor_home_t)
-
- type $1_razor_tmp_t;
- files_tmp_file($1_razor_tmp_t)
+ ifelse(`$1',`user',`',`
+ typealias user_razor_home_t alias $1_razor_home_t;
+ typealias user_razor_tmp_t alias $1_razor_tmp_t;
+ ')
##############################
#
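Review bot: The new `ifelse` turns `$1_razor_home_t` and `$1_razor_tmp_t` into typealiases of the single `user_razor_home_t`/`user_razor_tmp_t` declared in razor.te, so staff, sysadm and user razor content collapse into one type and the `files_poly_member` marking that the removed lines applied is gone. That may be the intended simplification, but it changes the isolation between role-derived domains and the polyinstantiation behaviour of the home content, and nothing in the template records it; add a comment above the `ifelse`, e.g. `# all roles share one razor home/tmp type; per-role names are kept only as aliases for compatibility`. Note that the branch for `$1` equal to `user` is deliberately empty, which is correct only because razor.te declares the `user_*` types unconditionally.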
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.2.5/policy/modules/services/razor.te
--- nsaserefpolicy/policy/modules/services/razor.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/razor.te 2007-12-19 05:38:09.000000000 -0500
@@ -23,6 +23,12 @@
razor_common_domain_template(razor)
+type user_razor_home_t;
+userdom_user_home_content(user,user_razor_home_t)
+
+type user_razor_tmp_t;
+files_tmp_file(user_razor_tmp_t)
+
########################################
#
# Local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.if serefpolicy-3.2.5/policy/modules/services/remotelogin.if
--- nsaserefpolicy/policy/modules/services/remotelogin.if 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/remotelogin.if 2007-12-19 05:38:09.000000000 -0500
@@ -18,3 +18,20 @@
auth_domtrans_login_program($1,remote_login_t)
')
+########################################
+## <summary>
+## allow Domain to signal remote login domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`remotelogin_signal',`
+ gen_require(`
+ type remote_login_t;
+ ')
+
+ allow $1 remote_login_t:process signal;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.2.5/policy/modules/services/remotelogin.te
--- nsaserefpolicy/policy/modules/services/remotelogin.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/remotelogin.te 2007-12-19 05:38:09.000000000 -0500
@@ -85,6 +85,7 @@
miscfiles_read_localization(remote_login_t)
+userdom_read_all_users_home_dirs_symlinks(remote_login_t)
userdom_use_unpriv_users_fds(remote_login_t)
userdom_search_all_users_home_content(remote_login_t)
# Only permit unprivileged user domains to be entered via rlogin,
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.2.5/policy/modules/services/rlogin.te
--- nsaserefpolicy/policy/modules/services/rlogin.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/rlogin.te 2007-12-19 05:38:09.000000000 -0500
@@ -36,6 +36,8 @@
allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr };
term_create_pty(rlogind_t,rlogind_devpts_t)
+domain_interactive_fd(rlogind_t)
+
# for /usr/lib/telnetlogin
can_exec(rlogind_t, rlogind_exec_t)
@@ -82,23 +84,21 @@
miscfiles_read_localization(rlogind_t)
-seutil_dontaudit_search_config(rlogind_t)
+seutil_read_config(rlogind_t)
userdom_setattr_unpriv_users_ptys(rlogind_t)
# cjp: this is egregious
userdom_read_all_users_home_content_files(rlogind_t)
remotelogin_domtrans(rlogind_t)
+remotelogin_signal(rlogind_t)
optional_policy(`
+ kerberos_use(rlogind_t)
kerberos_read_keytab(rlogind_t)
+ kerberos_manage_host_rcache(rlogind_t)
')
optional_policy(`
tcpd_wrapped_domain(rlogind_t, rlogind_exec_t)
')
-
-ifdef(`TODO',`
-# Allow krb5 rlogind to use fork and open /dev/tty for use
-allow rlogind_t userpty_type:chr_file setattr;
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.2.5/policy/modules/services/rpcbind.te
--- nsaserefpolicy/policy/modules/services/rpcbind.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/rpcbind.te 2007-12-19 05:38:09.000000000 -0500
@@ -21,11 +21,13 @@
# rpcbind local policy
#
-allow rpcbind_t self:capability setuid;
+allow rpcbind_t self:capability { dac_override setuid sys_tty_config };
allow rpcbind_t self:fifo_file rw_file_perms;
allow rpcbind_t self:unix_stream_socket create_stream_socket_perms;
allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms;
allow rpcbind_t self:udp_socket create_socket_perms;
+# BROKEN ...
+dontaudit rpcbind_t self:udp_socket listen;
allow rpcbind_t self:tcp_socket create_stream_socket_perms;
manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t)
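Review bot: The `# BROKEN ...` comment above the new `dontaudit rpcbind_t self:udp_socket listen;` does not say what is broken or why the denial is silenced rather than allowed, so nobody can tell when it is safe to remove; replace it with something like `# rpcbind appears to call listen() on UDP sockets; the call is harmless, so silence the denial instead of allowing it -- TODO confirm upstream`. The same hunk adds `dac_override` and `sys_tty_config` to rpcbind_t's capabilities; `dac_override` lets the daemon bypass every file permission check, so if it is needed for one specific file a one-line comment naming that file would let a reviewer judge whether a narrower rule or a dontaudit would do.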
@@ -37,6 +39,7 @@
manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t)
files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file })
+kernel_read_system_state(rpcbind_t)
kernel_read_network_state(rpcbind_t)
corenet_all_recvfrom_unlabeled(rpcbind_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.2.5/policy/modules/services/rpc.if
--- nsaserefpolicy/policy/modules/services/rpc.if 2007-12-04 11:02:50.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/rpc.if 2007-12-19 05:38:09.000000000 -0500
@@ -88,8 +88,11 @@
# bind to arbitary unused ports
corenet_tcp_bind_generic_port($1_t)
corenet_udp_bind_generic_port($1_t)
- corenet_udp_bind_reserved_port($1_t)
+ corenet_dontaudit_tcp_bind_all_ports($1_t)
+ corenet_dontaudit_udp_bind_all_ports($1_t)
corenet_sendrecv_generic_server_packets($1_t)
+ corenet_tcp_bind_all_rpc_ports($1_t)
+ corenet_udp_bind_all_rpc_ports($1_t)
fs_rw_rpc_named_pipes($1_t)
fs_search_auto_mountpoints($1_t)
@@ -208,6 +211,24 @@
########################################
## <summary>
+## Execute domain in nfsd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`rpc_domtrans_rpcd',`
+ gen_require(`
+ type rpcd_t, rpcd_exec_t;
+ ')
+
+ domtrans_pattern($1,rpcd_exec_t,rpcd_t)
+')
+
+########################################
+## <summary>
## Read NFS exported content.
## </summary>
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.2.5/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/rpc.te 2007-12-19 05:38:09.000000000 -0500
@@ -60,10 +60,14 @@
manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
+corecmd_exec_bin(rpcd_t)
+
kernel_read_system_state(rpcd_t)
-kernel_search_network_state(rpcd_t)
+kernel_read_network_state(rpcd_t)
# for rpc.rquotad
kernel_read_sysctl(rpcd_t)
+kernel_rw_fs_sysctls(rpcd_t)
+kernel_getattr_core_if(nfsd_t)
fs_list_rpc(rpcd_t)
fs_read_rpc_files(rpcd_t)
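Review bot: `kernel_getattr_core_if(nfsd_t)` is placed in the rpcd_t local policy block, surrounded by rpcd_t rules, and the nfsd hunk later in this file section (`@@ -92,9 +102,13 @@`) adds `kernel_dontaudit_getattr_core_if(nfsd_t)` for the same domain and permission; once the access is allowed the dontaudit has no effect, so one of the two lines is almost certainly meant for rpcd_t. If rpcd needs it, change this line to `kernel_getattr_core_if(rpcd_t)`; if nfsd needs it, drop the dontaudit in the nfsd block instead. `kernel_rw_fs_sysctls(rpcd_t)` grants write access to the fs sysctl tree and deserves a comment naming the sysctl rpcd writes, in the style of the existing `# for rpc.rquotad`.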
@@ -77,11 +81,17 @@
miscfiles_read_certs(rpcd_t)
seutil_dontaudit_search_config(rpcd_t)
+selinux_dontaudit_read_fs(rpcd_t)
optional_policy(`
nis_read_ypserv_config(rpcd_t)
')
+# automount -> mount -> rpcd
+optional_policy(`
+ automount_dontaudit_use_fds(rpcd_t)
+')
+
########################################
#
# NFSD local policy
@@ -92,9 +102,13 @@
allow nfsd_t exports_t:file { getattr read };
allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
+dev_dontaudit_getattr_all_blk_files(nfsd_t)
+dev_dontaudit_getattr_all_chr_files(nfsd_t)
+
# for /proc/fs/nfs/exports - should we have a new type?
kernel_read_system_state(nfsd_t)
kernel_read_network_state(nfsd_t)
+kernel_dontaudit_getattr_core_if(nfsd_t)
corenet_tcp_bind_all_rpc_ports(nfsd_t)
corenet_udp_bind_all_rpc_ports(nfsd_t)
@@ -124,6 +138,7 @@
tunable_policy(`nfs_export_all_rw',`
fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)
+ userdom_generic_user_home_dir_filetrans_generic_user_home_content(nfsd_t, { file dir })
')
tunable_policy(`nfs_export_all_ro',`
@@ -144,6 +159,7 @@
manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
+kernel_read_system_state(gssd_t)
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_search_network_sysctl(gssd_t)
@@ -157,8 +173,13 @@
files_list_tmp(gssd_t)
files_read_usr_symlinks(gssd_t)
+auth_read_cache(gssd_t)
+
miscfiles_read_certs(gssd_t)
+userdom_dontaudit_search_users_home_dirs(rpcd_t)
+userdom_dontaudit_search_sysadm_home_dirs(rpcd_t)
+
tunable_policy(`allow_gssd_read_tmp',`
userdom_list_unpriv_users_tmp(gssd_t)
userdom_read_unpriv_users_tmp_files(gssd_t)
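Review bot: `userdom_dontaudit_search_users_home_dirs(rpcd_t)` and `userdom_dontaudit_search_sysadm_home_dirs(rpcd_t)` are added inside the gssd_t section, between `miscfiles_read_certs(gssd_t)` and the `allow_gssd_read_tmp` tunable, while every neighbouring rule names gssd_t. Either the subject should be gssd_t, which is the domain that walks user content under that tunable, or the two lines belong in the rpcd_t block earlier in the file; as written a reader takes them for gssd rules. Please retarget or move them.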
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.2.5/policy/modules/services/rshd.te
--- nsaserefpolicy/policy/modules/services/rshd.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/rshd.te 2007-12-19 05:38:09.000000000 -0500
@@ -16,7 +16,7 @@
#
# Local policy
#
-allow rshd_t self:capability { setuid setgid fowner fsetid chown dac_override };
+allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override };
allow rshd_t self:process { signal_perms fork setsched setpgid setexec };
allow rshd_t self:fifo_file rw_fifo_file_perms;
allow rshd_t self:tcp_socket create_stream_socket_perms;
@@ -33,6 +33,9 @@
corenet_udp_sendrecv_all_ports(rshd_t)
corenet_tcp_bind_all_nodes(rshd_t)
corenet_tcp_bind_rsh_port(rshd_t)
+corenet_tcp_bind_all_rpc_ports(rshd_t)
+corenet_tcp_connect_all_ports(rshd_t)
+corenet_tcp_connect_all_rpc_ports(rshd_t)
corenet_sendrecv_rsh_server_packets(rshd_t)
dev_read_urand(rshd_t)
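Review bot: `corenet_tcp_connect_all_ports(rshd_t)` is the widest outbound network grant available and, together with `corenet_tcp_bind_all_rpc_ports` and `corenet_tcp_connect_all_rpc_ports`, is added without a comment saying which connection rshd actually makes. If this is for the rsh stderr back-channel to a client-chosen port, say so above the line, e.g. `# rsh opens a second connection back to the client for stderr, on a port the client picks`; if the RPC ports are for a lookup through another service, name it instead. That lets a later reviewer decide whether a narrower interface would suffice.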
@@ -44,20 +47,22 @@
selinux_compute_relabel_context(rshd_t)
selinux_compute_user_contexts(rshd_t)
-auth_domtrans_chk_passwd(rshd_t)
+auth_login_pgm_domain(rshd_t)
+auth_write_login_records(rshd_t)
corecmd_read_bin_symlinks(rshd_t)
files_list_home(rshd_t)
files_read_etc_files(rshd_t)
-files_search_tmp(rshd_t)
+files_manage_generic_tmp_dirs(rshd_t)
-auth_use_nsswitch(rshd_t)
+init_rw_utmp(rshd_t)
libs_use_ld_so(rshd_t)
libs_use_shared_libs(rshd_t)
logging_send_syslog_msg(rshd_t)
+logging_search_logs(rshd_t)
miscfiles_read_localization(rshd_t)
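Review bot: `files_manage_generic_tmp_dirs(rshd_t)` replaces `files_search_tmp(rshd_t)`, moving a login daemon from search-only to creating, renaming and deleting any tmp_t directory, and nothing in the hunk records why. A comment such as `# creates per-session directories in /tmp -- TODO: consider a private rshd tmp type with a filetrans` would let a reviewer weigh the narrower alternative. The hunk also drops `auth_use_nsswitch(rshd_t)`; that is only safe if `auth_login_pgm_domain` pulls nsswitch in itself, which I believe it does but cannot confirm from here.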
@@ -78,6 +83,8 @@
optional_policy(`
kerberos_use(rshd_t)
+ kerberos_read_keytab(rshd_t)
+ kerberos_manage_host_rcache(rshd_t)
')
optional_policy(`
@@ -86,4 +93,5 @@
optional_policy(`
unconfined_shell_domtrans(rshd_t)
+ unconfined_signal(rshd_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.2.5/policy/modules/services/rsync.fc
--- nsaserefpolicy/policy/modules/services/rsync.fc 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/rsync.fc 2007-12-19 05:38:09.000000000 -0500
@@ -1,2 +1,4 @@
/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
+
+/var/log/rsync.log -- gen_context(system_u:object_r:rsync_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.2.5/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/rsync.te 2007-12-19 05:38:09.000000000 -0500
@@ -31,6 +31,9 @@
type rsync_data_t;
files_type(rsync_data_t)
+type rsync_log_t;
+logging_log_file(rsync_log_t)
+
type rsync_tmp_t;
files_tmp_file(rsync_tmp_t)
@@ -42,7 +45,7 @@
# Local policy
#
-allow rsync_t self:capability sys_chroot;
+allow rsync_t self:capability { dac_read_search dac_override setuid setgid sys_chroot };
allow rsync_t self:process signal_perms;
allow rsync_t self:fifo_file rw_fifo_file_perms;
allow rsync_t self:tcp_socket create_stream_socket_perms;
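Review bot: `dac_override` (and `dac_read_search`) is now in rsync_t's unconditional capability set, while the later hunk in this file section (`@@ -117,7 +120,6 @@`) removes the `allow rsync_t self:capability dac_override;` that was gated by the `rsync_export_all_ro` tunable. The net effect is that the daemon may bypass DAC permission checks even when the administrator leaves the export-all booleans off, which is the opposite of what those tunables document. If the capability is needed on an unconditional code path, add a comment naming it; otherwise keep it inside the `rsync_export_all_ro` and `rsync_export_all_rw` tunable blocks.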
@@ -52,7 +55,6 @@
# cjp: this should probably only be inetd_child_t rules?
# search home and kerberos also.
allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow rsync_t self:capability { setuid setgid };
#end for identd
allow rsync_t rsync_data_t:dir list_dir_perms;
@@ -95,7 +97,8 @@
libs_use_shared_libs(rsync_t)
logging_send_syslog_msg(rsync_t)
-logging_dontaudit_search_logs(rsync_t)
+manage_files_pattern(rsync_t,rsync_log_t,rsync_log_t)
+logging_log_filetrans(rsync_t,rsync_log_t,file)
miscfiles_read_localization(rsync_t)
miscfiles_read_public_files(rsync_t)
@@ -117,7 +120,6 @@
')
tunable_policy(`rsync_export_all_ro',`
- allow rsync_t self:capability dac_override;
fs_read_noxattr_fs_files(rsync_t)
auth_read_all_files_except_shadow(rsync_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.2.5/policy/modules/services/samba.fc
--- nsaserefpolicy/policy/modules/services/samba.fc 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/samba.fc 2007-12-19 05:38:09.000000000 -0500
@@ -15,6 +15,7 @@
/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0)
/usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0)
+/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
/usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0)
/usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0)
@@ -30,6 +31,8 @@
/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+
/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.2.5/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/samba.if 2007-12-19 05:38:09.000000000 -0500
@@ -331,6 +331,25 @@
########################################
## <summary>
+## dontaudit the specified domain to
+## write samba /var files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_dontaudit_write_var_files',`
+ gen_require(`
+ type samba_var_t;
+ ')
+
+ dontaudit $1 samba_var_t:file write;
+')
+
+########################################
+## <summary>
## Allow the specified domain to
## read and write samba /var files.
## </summary>
@@ -348,6 +367,7 @@
files_search_var($1)
files_search_var_lib($1)
manage_files_pattern($1,samba_var_t,samba_var_t)
+ manage_lnk_files_pattern($1,samba_var_t,samba_var_t)
')
########################################
@@ -492,3 +512,102 @@
allow $1 samba_var_t:dir search_dir_perms;
stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)
')
+
+########################################
+## <summary>
+## Create a set of derived types for apache
+## web content.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix to be used for deriving type names.
+## </summary>
+## </param>
+#
+template(`samba_helper_template',`
+ gen_require(`
+ type smbd_t;
+ ')
+ #This type is for samba helper scripts
+ type samba_$1_script_t;
+ domain_type(samba_$1_script_t)
+ role system_r types samba_$1_script_t;
+
+ # This type is used for executable scripts files
+ type samba_$1_script_exec_t;
+ corecmd_shell_entry_type(samba_$1_script_t)
+ domain_entry_file(samba_$1_script_t,samba_$1_script_exec_t)
+
+ domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t)
+ allow smbd_t samba_$1_script_exec_t:file ioctl;
+
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read samba's shares
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_read_share_files',`
+ gen_require(`
+ type samba_share_t;
+ ')
+
+ read_files_pattern($1, samba_share_t, samba_share_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run smbcontrol.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samba_domtrans_smbcontrol',`
+ gen_require(`
+ type smbcontrol_t;
+ type smbcontrol_exec_t;
+ ')
+
+ domtrans_pattern($1,smbcontrol_exec_t,smbcontrol_t)
+')
+
+
+########################################
+## <summary>
+## Execute smbcontrol in the smbcontrol domain, and
+## allow the specified role the smbcontrol domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the smbcontrol domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the role's terminal.
+## </summary>
+## </param>
+#
+interface(`samba_run_smbcontrol',`
+ gen_require(`
+ type smbcontrol_t;
+ ')
+
+ samba_domtrans_smbcontrol($1)
+ role $2 types smbcontrol_t;
+ dontaudit smbcontrol_t $3:chr_file rw_term_perms;
+')
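Review bot: The `samba_helper_template` summary reads `Create a set of derived types for apache web content.`, which is copied from the apache module and describes the wrong thing; it should say something like `Create a samba helper-script domain that smbd can transition to.` and the `prefix` parameter doc should state that the derived names are `samba_<prefix>_script_t` and `samba_<prefix>_script_exec_t`. The template body also ends with a stray blank line before `')`, and `#This type is for samba helper scripts` lacks the space after `#` that the file's other comments use. Separately, `samba_run_smbcontrol` uses `dontaudit smbcontrol_t $3:chr_file rw_term_perms;` where the comparable `sendmail_run` in this same patch uses `allow`; if smbcontrol genuinely never needs the caller's terminal that is fine, but a comment saying so would prevent someone "fixing" it.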
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.2.5/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/samba.te 2007-12-19 05:38:09.000000000 -0500
@@ -26,28 +26,28 @@
## <desc>
## <p>
-## Allow samba to share users home directories.
+## Allow Samba to share users home directories
## </p>
## </desc>
gen_tunable(samba_enable_home_dirs,false)
## <desc>
## <p>
-## Allow samba to share any file/directory read only.
+## Allow Samba to share any file/directory read only
## </p>
## </desc>
gen_tunable(samba_export_all_ro,false)
## <desc>
## <p>
-## Allow samba to share any file/directory read/write.
+## Allow Samba to share any file/directory read/write
## </p>
## </desc>
gen_tunable(samba_export_all_rw,false)
## <desc>
## <p>
-## Allow samba to run unconfined scripts
+## Allow Samba to run unconfined scripts in /var/lib/samba/scripts directory
## </p>
## </desc>
gen_tunable(samba_run_unconfined,false)
@@ -139,6 +139,11 @@
type winbind_var_run_t;
files_pid_file(winbind_var_run_t)
+type smbcontrol_t;
+type smbcontrol_exec_t;
+application_domain(smbcontrol_t, smbcontrol_exec_t)
+role system_r types smbcontrol_t;
+
########################################
#
# Samba net local policy
@@ -193,6 +198,8 @@
miscfiles_read_localization(samba_net_t)
+samba_read_var_files(samba_net_t)
+
userdom_dontaudit_search_sysadm_home_dirs(samba_net_t)
optional_policy(`
@@ -213,7 +220,7 @@
allow smbd_t self:msgq create_msgq_perms;
allow smbd_t self:sem create_sem_perms;
allow smbd_t self:shm create_shm_perms;
-allow smbd_t self:sock_file read_file_perms;
+allow smbd_t self:sock_file read_sock_file_perms;
allow smbd_t self:tcp_socket create_stream_socket_perms;
allow smbd_t self:udp_socket create_socket_perms;
allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -221,10 +228,8 @@
allow smbd_t samba_etc_t:file { rw_file_perms setattr };
-create_dirs_pattern(smbd_t,samba_log_t,samba_log_t)
-create_files_pattern(smbd_t,samba_log_t,samba_log_t)
-allow smbd_t samba_log_t:dir setattr;
-dontaudit smbd_t samba_log_t:dir remove_name;
+manage_dirs_pattern(smbd_t,samba_log_t,samba_log_t)
+manage_files_pattern(smbd_t,samba_log_t,samba_log_t)
allow smbd_t samba_net_tmp_t:file getattr;
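Review bot: Replacing the create-only rules with `manage_dirs_pattern`/`manage_files_pattern(smbd_t,samba_log_t,samba_log_t)` also deletes `dontaudit smbd_t samba_log_t:dir remove_name;`, so smbd goes from deliberately denied log deletion to being allowed to unlink, rename and truncate its own logs; the nmbd hunk at `@@ -403,8 +419,7 @@` makes the same move. That weakens the audit trail if the daemon is compromised, so if smbd rotates its own log files please record that above the rule, e.g. `# smbd rotates its own log files, so it needs unlink/rename on samba_log_t`; if it does not, `create_files_pattern` plus `append_files_pattern` would preserve the earlier property.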
@@ -251,7 +256,7 @@
manage_sock_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t)
files_pid_filetrans(smbd_t,smbd_var_run_t,file)
-allow smbd_t winbind_var_run_t:sock_file { read write getattr };
+allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms;
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
@@ -340,6 +345,17 @@
tunable_policy(`samba_share_nfs',`
fs_manage_nfs_dirs(smbd_t)
fs_manage_nfs_files(smbd_t)
+ fs_manage_nfs_symlinks(smbd_t)
+ fs_manage_nfs_named_pipes(smbd_t)
+ fs_manage_nfs_named_sockets(smbd_t)
+')
+
+optional_policy(`
+ kerberos_read_keytab(smbd_t)
+')
+
+optional_policy(`
+ lpd_exec_lpr(smbd_t)
')
optional_policy(`
@@ -391,7 +407,7 @@
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
-allow nmbd_t self:sock_file read_file_perms;
+allow nmbd_t self:sock_file read_sock_file_perms;
allow nmbd_t self:tcp_socket create_stream_socket_perms;
allow nmbd_t self:udp_socket create_socket_perms;
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -403,8 +419,7 @@
read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
-append_files_pattern(nmbd_t,samba_log_t,samba_log_t)
-allow nmbd_t samba_log_t:file unlink;
+manage_files_pattern(nmbd_t,samba_log_t,samba_log_t)
read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
@@ -439,6 +454,7 @@
dev_getattr_mtrr_dev(nmbd_t)
fs_getattr_all_fs(nmbd_t)
+fs_list_inotifyfs(nmbd_t)
fs_search_auto_mountpoints(nmbd_t)
domain_use_interactive_fds(nmbd_t)
@@ -522,6 +538,7 @@
storage_raw_write_fixed_disk(smbmount_t)
term_list_ptys(smbmount_t)
+term_use_controlling_term(smbmount_t)
corecmd_list_bin(smbmount_t)
@@ -546,28 +563,37 @@
userdom_use_all_users_fds(smbmount_t)
+optional_policy(`
+ cups_read_rw_config(smbmount_t)
+')
+
########################################
#
# SWAT Local policy
#
-allow swat_t self:capability { setuid setgid };
-allow swat_t self:process signal_perms;
+allow swat_t self:capability { setuid setgid sys_resource };
+allow swat_t self:process { setrlimit signal_perms };
allow swat_t self:fifo_file rw_file_perms;
allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow swat_t self:tcp_socket create_stream_socket_perms;
allow swat_t self:udp_socket create_socket_perms;
-allow swat_t nmbd_exec_t:file { execute read };
+allow swat_t self:unix_stream_socket connectto;
+can_exec(swat_t, smbd_exec_t)
+allow swat_t smbd_port_t:tcp_socket name_bind;
+allow swat_t smbd_t:process { signal signull };
+allow swat_t smbd_var_run_t:file { lock unlink };
+
+can_exec(swat_t, nmbd_exec_t)
+allow swat_t nmbd_port_t:udp_socket name_bind;
+allow swat_t nmbd_t:process { signal signull };
+allow swat_t nmbd_var_run_t:file { lock read unlink };
rw_files_pattern(swat_t,samba_etc_t,samba_etc_t)
append_files_pattern(swat_t,samba_log_t,samba_log_t)
-allow swat_t smbd_exec_t:file execute ;
-
-allow swat_t smbd_t:process signull;
-
allow swat_t smbd_var_run_t:file read;
manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t)
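Review bot: `allow swat_t smbd_port_t:tcp_socket name_bind;` and `allow swat_t nmbd_port_t:udp_socket name_bind;` reference corenetwork port types directly instead of through that module's interfaces; the refpolicy convention is `corenet_tcp_bind_smbd_port(swat_t)` and `corenet_udp_bind_nmbd_port(swat_t)`, which avoid a bare cross-module type reference. The new `sys_resource` capability and `setrlimit` process permission are also added with no comment saying which limit swat raises, so a short `# swat raises RLIMIT_* before spawning smbd/nmbd -- TODO confirm which` style note would help. The smbd_t/nmbd_t signal rules are fine since all three domains live in this module.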
@@ -577,7 +603,9 @@
manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
files_pid_filetrans(swat_t,swat_var_run_t,file)
-allow swat_t winbind_exec_t:file execute;
+can_exec(swat_t, winbind_exec_t)
+allow swat_t winbind_var_run_t:dir { write add_name remove_name };
+allow swat_t winbind_var_run_t:sock_file { create unlink };
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
@@ -602,6 +630,7 @@
dev_read_urand(swat_t)
+files_list_var_lib(swat_t)
files_read_etc_files(swat_t)
files_search_home(swat_t)
files_read_usr_files(swat_t)
@@ -614,6 +643,7 @@
libs_use_shared_libs(swat_t)
logging_send_syslog_msg(swat_t)
+logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
@@ -631,6 +661,17 @@
kerberos_use(swat_t)
')
+init_read_utmp(swat_t)
+init_dontaudit_write_utmp(swat_t)
+
+manage_dirs_pattern(swat_t,samba_log_t,samba_log_t)
+create_files_pattern(swat_t,samba_log_t,samba_log_t)
+
+manage_files_pattern(swat_t,samba_etc_t,samba_secrets_t)
+
+manage_files_pattern(swat_t,samba_var_t,samba_var_t)
+files_list_var_lib(swat_t)
+
########################################
#
# Winbind local policy
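Review bot: `files_list_var_lib(swat_t)` is added twice in this file section, once in this hunk and once in the earlier hunk at `@@ -602,6 +630,7 @@`; drop one of them. This hunk also grants `manage_files_pattern(swat_t,samba_etc_t,samba_secrets_t)`, i.e. create/delete of the samba secrets file, and `manage_files_pattern(swat_t,samba_var_t,samba_var_t)`, without a comment on why a web front-end needs write access to credentials; something like `# swat rewrites the secrets database when the admin changes passwords (confirm)` would record the reason. Placing these rules after the `kerberos_use(swat_t)` optional block rather than with the other swat file rules also makes them easy to overlook.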
@@ -679,6 +720,8 @@
manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
files_pid_filetrans(winbind_t,winbind_var_run_t,file)
+corecmd_exec_bin(winbind_t)
+
kernel_read_kernel_sysctls(winbind_t)
kernel_list_proc(winbind_t)
kernel_read_proc_symlinks(winbind_t)
@@ -766,6 +809,7 @@
optional_policy(`
squid_read_log(winbind_helper_t)
squid_append_log(winbind_helper_t)
+ squid_rw_stream_sockets(winbind_helper_t)
')
########################################
@@ -790,3 +834,37 @@
domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
')
')
+
+########################################
+#
+# smbcontrol local policy
+#
+
+## internal communication is often done using fifo and unix sockets.
+allow smbcontrol_t self:fifo_file rw_file_perms;
+allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(smbcontrol_t)
+
+libs_use_ld_so(smbcontrol_t)
+libs_use_shared_libs(smbcontrol_t)
+
+miscfiles_read_localization(smbcontrol_t)
+
+files_search_var_lib(smbcontrol_t)
+samba_read_config(smbcontrol_t)
+samba_rw_var_files(smbcontrol_t)
+samba_search_var(smbcontrol_t)
+samba_read_winbind_pid(smbcontrol_t)
+
+allow smbcontrol_t smbd_t:process signal;
+domain_use_interactive_fds(smbcontrol_t)
+allow smbd_t smbcontrol_t:process { signal signull };
+
+allow nmbd_t smbcontrol_t:process signal;
+allow smbcontrol_t nmbd_t:process { signal signull };
+
+allow smbcontrol_t winbind_t:process { signal signull };
+allow winbind_t smbcontrol_t:process signal;
+
+allow smbcontrol_t nmbd_var_run_t:file { read lock };
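Review bot: The comment `## internal communication is often done using fifo and unix sockets.` uses the `##` prefix that refpolicy tooling reserves for XML documentation in .if files and tunable descriptions; in a .te body it should be a plain `# ...` comment. The signal rules are also asymmetric: smbcontrol_t gets `{ signal signull }` toward nmbd_t and winbind_t but only `signal` toward smbd_t, so an existence check via signull against smbd would be denied while the same check against nmbd is allowed. If that is intentional, say so in a comment; otherwise make the three lines match.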
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.2.5/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/sasl.te 2007-12-19 05:38:09.000000000 -0500
@@ -107,6 +107,10 @@
')
optional_policy(`
+ nis_authenticate(saslauthd_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(saslauthd_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.2.5/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if 2007-08-27 13:57:20.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/sendmail.if 2007-12-19 05:38:09.000000000 -0500
@@ -149,3 +149,85 @@
logging_log_filetrans($1,sendmail_log_t,file)
')
+
+########################################
+## <summary>
+## Execute the sendmail program in the sendmail domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the sendmail domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the sendmail domain to use.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sendmail_run',`
+ gen_require(`
+ type sendmail_t;
+ ')
+
+ sendmail_domtrans($1)
+ role $2 types sendmail_t;
+ allow sendmail_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+## Execute sendmail in the unconfined sendmail domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sendmail_domtrans_unconfined',`
+ gen_require(`
+ type unconfined_sendmail_t, sendmail_exec_t;
+ ')
+
+ domtrans_pattern($1,sendmail_exec_t,unconfined_sendmail_t)
+')
+
+########################################
+## <summary>
+## Execute sendmail in the unconfined sendmail domain, and
+## allow the specified role the unconfined sendmail domain,
+## and use the caller's terminal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the unconfined sendmail domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the unconfined sendmail domain to use.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sendmail_run_unconfined',`
+ gen_require(`
+ type unconfined_sendmail_t;
+ ')
+
+ sendmail_domtrans_unconfined($1)
+ role $2 types unconfined_sendmail_t;
+ allow unconfined_sendmail_t $3:chr_file rw_file_perms;
+')
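Review bot: `sendmail_run_unconfined` grants `allow unconfined_sendmail_t $3:chr_file rw_file_perms;` while `sendmail_run` in the same hunk uses `rw_term_perms` for the same `$3:chr_file` purpose; the terminal macro is the one used for this pattern elsewhere in refpolicy, so change the line to `allow unconfined_sendmail_t $3:chr_file rw_term_perms;`. Because `sendmail_domtrans_unconfined` moves the caller into a domain that the .te hunk makes `unconfined_domain`, its XML summary should state that effect explicitly, e.g. `Execute sendmail in the unconfined sendmail domain; the resulting process is unconfined.`, so that callers of the interface understand what they are granting.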
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.2.5/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/sendmail.te 2007-12-31 15:42:11.000000000 -0500
@@ -20,13 +20,17 @@
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
+type unconfined_sendmail_t;
+application_domain(unconfined_sendmail_t,sendmail_exec_t)
+role system_r types unconfined_sendmail_t;
+
########################################
#
# Sendmail local policy
#
-allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config };
-allow sendmail_t self:process signal;
+allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
+allow sendmail_t self:process { signal signull };
allow sendmail_t self:fifo_file rw_fifo_file_perms;
allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
allow sendmail_t self:unix_dgram_socket create_socket_perms;
@@ -47,6 +51,7 @@
kernel_read_kernel_sysctls(sendmail_t)
# for piping mail to a command
kernel_read_system_state(sendmail_t)
+kernel_read_network_state(sendmail_t)
corenet_all_recvfrom_unlabeled(sendmail_t)
corenet_all_recvfrom_netlabel(sendmail_t)
@@ -97,20 +102,35 @@
userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
userdom_dontaudit_search_sysadm_home_dirs(sendmail_t)
+userdom_read_all_users_home_content_files(sendmail_t)
mta_read_config(sendmail_t)
mta_etc_filetrans_aliases(sendmail_t)
# Write to /etc/aliases and /etc/mail.
-mta_rw_aliases(sendmail_t)
+mta_manage_aliases(sendmail_t)
# Write to /var/spool/mail and /var/spool/mqueue.
mta_manage_queue(sendmail_t)
mta_manage_spool(sendmail_t)
+mta_sendmail_exec(sendmail_t)
+
+optional_policy(`
+ cron_read_pipes(sendmail_t)
+')
optional_policy(`
clamav_search_lib(sendmail_t)
')
optional_policy(`
+ cyrus_stream_connect(sendmail_t)
+ clamav_stream_connect(sendmail_t)
+')
+
+optional_policy(`
+ munin_dontaudit_search_lib(sendmail_t)
+')
+
+optional_policy(`
postfix_exec_master(sendmail_t)
postfix_read_config(sendmail_t)
postfix_search_spool(sendmail_t)
@@ -125,24 +145,25 @@
')
optional_policy(`
+ sasl_connect(sendmail_t)
+')
+
+optional_policy(`
+ spamd_stream_connect(sendmail_t)
+')
+
+optional_policy(`
udev_read_db(sendmail_t)
')
-ifdef(`TODO',`
-allow sendmail_t etc_mail_t:dir rw_dir_perms;
-allow sendmail_t etc_mail_t:file manage_file_perms;
-# for the start script to run make -C /etc/mail
-allow initrc_t etc_mail_t:dir rw_dir_perms;
-allow initrc_t etc_mail_t:file manage_file_perms;
-allow system_mail_t initrc_t:fd use;
-allow system_mail_t initrc_t:fifo_file write;
-
-# When sendmail runs as user_mail_domain, it needs some extra permissions
-# to update /etc/mail/statistics.
-allow user_mail_domain etc_mail_t:file rw_file_perms;
+########################################
+#
+# Unconfined sendmail local policy
+# Allow unconfined domain to run newalias and have transitions work
+#
-# Silently deny attempts to access /root.
-dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr search };
+optional_policy(`
+ mta_etc_filetrans_aliases(unconfined_sendmail_t)
+ unconfined_domain(unconfined_sendmail_t)
+')
-dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
-') dnl end TODO
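Review bot: The new section comment says `Allow unconfined domain to run newalias and have transitions work`; the sendmail command is `newaliases`, and the line would read better as `# Let the unconfined domain run newaliases and get the proper file transition for /etc/aliases`. Wrapping `mta_etc_filetrans_aliases(unconfined_sendmail_t)` in the same `optional_policy` as `unconfined_domain(unconfined_sendmail_t)` also drops the filetrans whenever the unconfined module is absent, which is presumably not intended since mta is a hard dependency of this file; consider moving it outside the block. The declaration of `unconfined_sendmail_t` itself is in the first hunk of this file section, not here.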
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te 2007-12-19 05:38:09.000000000 -0500
@@ -27,8 +27,8 @@
# setroubleshootd local policy
#
-allow setroubleshootd_t self:capability { dac_override sys_tty_config };
-allow setroubleshootd_t self:process { signull signal getattr getsched };
+allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config };
+allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal };
allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -52,7 +52,9 @@
kernel_read_kernel_sysctls(setroubleshootd_t)
kernel_read_system_state(setroubleshootd_t)
+kernel_read_net_sysctls(setroubleshootd_t)
kernel_read_network_state(setroubleshootd_t)
+kernel_dontaudit_list_all_proc(setroubleshootd_t)
corecmd_exec_bin(setroubleshootd_t)
corecmd_exec_shell(setroubleshootd_t)
@@ -73,7 +75,7 @@
files_read_usr_files(setroubleshootd_t)
files_read_etc_files(setroubleshootd_t)
-files_getattr_all_dirs(setroubleshootd_t)
+files_list_all(setroubleshootd_t)
files_getattr_all_files(setroubleshootd_t)
fs_getattr_all_dirs(setroubleshootd_t)
@@ -110,6 +112,7 @@
optional_policy(`
dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t)
dbus_connect_system_bus(setroubleshootd_t)
+ dbus_system_domain(setroubleshootd_t,setroubleshootd_exec_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.2.5/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/snmp.te 2007-12-19 05:38:09.000000000 -0500
@@ -81,8 +81,7 @@
files_read_usr_files(snmpd_t)
files_read_etc_runtime_files(snmpd_t)
files_search_home(snmpd_t)
-files_getattr_boot_dirs(snmpd_t)
-files_dontaudit_getattr_home_dir(snmpd_t)
+auth_read_all_dirs_except_shadow(snmpd_t)
fs_getattr_all_dirs(snmpd_t)
fs_getattr_all_fs(snmpd_t)