[selinux-policy: 1818/3172] trunk: merge strict and targeted policies. merge shlib_t into lib_t.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:42:18 UTC 2010
commit 350b6ab767016fbee12e7133fcca2f8f1a1abdcf
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Oct 2 16:04:50 2007 +0000
trunk: merge strict and targeted policies. merge shlib_t into lib_t.
Changelog | 6 +
Makefile | 14 +-
README | 12 +-
build.conf | 6 +-
.../dbus_contexts | 0
config/appconfig-mcs/default_contexts | 15 +
.../default_type | 3 +-
.../failsafe_context | 0
.../initrc_context | 0
.../{appconfig-strict-mcs => appconfig-mcs}/media | 0
.../removable_context | 0
config/appconfig-mcs/root_default_contexts | 11 +
.../seusers | 0
.../userhelper_context | 0
.../dbus_contexts | 0
config/appconfig-mls/default_contexts | 15 +
.../default_type | 5 +-
.../failsafe_context | 0
.../initrc_context | 0
.../{appconfig-strict-mls => appconfig-mls}/media | 0
.../removable_context | 0
config/appconfig-mls/root_default_contexts | 11 +
.../seusers | 0
.../userhelper_context | 0
.../dbus_contexts | 0
config/appconfig-standard/default_contexts | 15 +
.../default_type | 3 +-
.../failsafe_context | 0
.../initrc_context | 0
.../{appconfig-strict => appconfig-standard}/media | 0
.../removable_context | 0
config/appconfig-standard/root_default_contexts | 11 +
.../seusers | 0
.../userhelper_context | 0
config/appconfig-strict-mcs/default_contexts | 12 -
config/appconfig-strict-mcs/default_type | 3 -
config/appconfig-strict-mcs/root_default_contexts | 9 -
config/appconfig-strict-mls/default_contexts | 12 -
config/appconfig-strict-mls/root_default_contexts | 9 -
config/appconfig-strict/default_contexts | 12 -
config/appconfig-strict/default_type | 3 -
config/appconfig-strict/root_default_contexts | 9 -
config/appconfig-targeted-mcs/dbus_contexts | 6 -
config/appconfig-targeted-mcs/default_contexts | 9 -
config/appconfig-targeted-mcs/default_type | 1 -
config/appconfig-targeted-mcs/failsafe_context | 1 -
config/appconfig-targeted-mcs/initrc_context | 1 -
config/appconfig-targeted-mcs/media | 3 -
config/appconfig-targeted-mcs/removable_context | 1 -
.../appconfig-targeted-mcs/root_default_contexts | 2 -
config/appconfig-targeted-mcs/seusers | 2 -
config/appconfig-targeted-mcs/userhelper_context | 1 -
config/appconfig-targeted-mls/dbus_contexts | 6 -
config/appconfig-targeted-mls/default_contexts | 9 -
config/appconfig-targeted-mls/default_type | 1 -
config/appconfig-targeted-mls/failsafe_context | 1 -
config/appconfig-targeted-mls/initrc_context | 1 -
config/appconfig-targeted-mls/media | 3 -
config/appconfig-targeted-mls/removable_context | 1 -
.../appconfig-targeted-mls/root_default_contexts | 2 -
config/appconfig-targeted-mls/seusers | 2 -
config/appconfig-targeted-mls/userhelper_context | 1 -
config/appconfig-targeted/dbus_contexts | 6 -
config/appconfig-targeted/default_contexts | 9 -
config/appconfig-targeted/default_type | 1 -
config/appconfig-targeted/failsafe_context | 1 -
config/appconfig-targeted/initrc_context | 1 -
config/appconfig-targeted/media | 3 -
config/appconfig-targeted/removable_context | 1 -
config/appconfig-targeted/root_default_contexts | 2 -
config/appconfig-targeted/seusers | 2 -
config/appconfig-targeted/userhelper_context | 1 -
policy/constraints | 55 +--
policy/global_booleans | 2 -
policy/global_tunables | 46 +-
policy/modules/admin/acct.te | 6 -
policy/modules/admin/apt.te | 8 +-
policy/modules/admin/bootloader.te | 5 -
policy/modules/admin/brctl.te | 5 -
policy/modules/admin/consoletype.te | 14 +-
policy/modules/admin/dmesg.if | 40 +-
policy/modules/admin/dmesg.te | 78 +--
policy/modules/admin/dmidecode.te | 5 -
policy/modules/admin/dpkg.te | 28 +-
policy/modules/admin/firstboot.te | 8 +-
policy/modules/admin/kudzu.te | 22 +-
policy/modules/admin/mrtg.te | 6 -
policy/modules/admin/netutils.te | 27 +-
policy/modules/admin/portage.te | 1 -
policy/modules/admin/prelink.if | 31 +
policy/modules/admin/prelink.te | 13 -
policy/modules/admin/quota.te | 6 -
policy/modules/admin/readahead.te | 6 -
policy/modules/admin/rpm.te | 58 +--
policy/modules/admin/su.if | 33 +-
policy/modules/admin/sxid.te | 6 -
policy/modules/admin/tzdata.if | 31 +
policy/modules/admin/tzdata.te | 5 -
policy/modules/admin/updfstab.te | 7 -
policy/modules/apps/ada.fc | 2 -
policy/modules/apps/ada.if | 32 +-
policy/modules/apps/ada.te | 7 +-
policy/modules/apps/cdrecord.te | 2 -
policy/modules/apps/ethereal.fc | 5 +-
policy/modules/apps/evolution.fc | 13 +-
policy/modules/apps/games.te | 6 -
policy/modules/apps/gift.fc | 6 +-
policy/modules/apps/gnome.fc | 9 +-
policy/modules/apps/gpg.fc | 5 +-
policy/modules/apps/irc.fc | 2 -
policy/modules/apps/java.if | 15 +-
policy/modules/apps/java.te | 9 +-
policy/modules/apps/loadkeys.if | 45 +-
policy/modules/apps/loadkeys.te | 54 +-
policy/modules/apps/mono.te | 47 +-
policy/modules/apps/mozilla.fc | 15 +-
policy/modules/apps/mozilla.if | 1 -
policy/modules/apps/mozilla.te | 2 -
policy/modules/apps/mplayer.fc | 2 -
policy/modules/apps/mplayer.te | 20 +-
policy/modules/apps/screen.fc | 2 -
policy/modules/apps/thunderbird.fc | 2 -
policy/modules/apps/uml.fc | 9 +-
policy/modules/apps/uml.te | 7 -
policy/modules/apps/vmware.fc | 4 +-
policy/modules/apps/vmware.te | 6 -
policy/modules/apps/webalizer.te | 5 -
policy/modules/apps/wine.te | 2 +-
policy/modules/kernel/corecommands.fc | 4 -
policy/modules/kernel/corecommands.if | 14 +-
policy/modules/kernel/domain.if | 11 +-
policy/modules/kernel/domain.te | 14 -
policy/modules/kernel/files.if | 15 +-
policy/modules/kernel/files.te | 11 +-
policy/modules/kernel/kernel.te | 15 +-
policy/modules/kernel/terminal.te | 9 -
policy/modules/services/amavis.te | 5 -
policy/modules/services/apache.fc | 5 -
policy/modules/services/apache.te | 70 +--
policy/modules/services/apcupsd.te | 4 -
policy/modules/services/apm.te | 11 +-
policy/modules/services/arpwatch.te | 6 -
policy/modules/services/asterisk.te | 6 -
policy/modules/services/audioentropy.te | 7 -
policy/modules/services/automount.te | 6 -
policy/modules/services/avahi.te | 6 -
policy/modules/services/bind.te | 13 -
policy/modules/services/bluetooth.if | 155 ++++-
policy/modules/services/bluetooth.te | 108 +---
policy/modules/services/canna.te | 6 -
policy/modules/services/ccs.te | 5 -
policy/modules/services/cipe.te | 6 -
policy/modules/services/clamav.te | 5 -
policy/modules/services/courier.if | 6 -
policy/modules/services/cpucontrol.te | 12 -
policy/modules/services/cron.if | 11 +
policy/modules/services/cron.te | 428 ++++++-------
policy/modules/services/cups.te | 40 --
policy/modules/services/cyrus.te | 7 -
policy/modules/services/dante.te | 6 -
policy/modules/services/dbus.if | 1 +
policy/modules/services/dbus.te | 8 +-
policy/modules/services/dcc.te | 18 -
policy/modules/services/ddclient.te | 6 -
policy/modules/services/dhcp.te | 6 -
policy/modules/services/dictd.te | 6 -
policy/modules/services/distcc.te | 6 -
policy/modules/services/dnsmasq.te | 6 -
policy/modules/services/dovecot.te | 6 -
policy/modules/services/fail2ban.te | 5 -
policy/modules/services/fetchmail.te | 6 -
policy/modules/services/finger.te | 6 -
policy/modules/services/ftp.if | 31 +
policy/modules/services/ftp.te | 15 -
policy/modules/services/gatekeeper.te | 6 -
policy/modules/services/gpm.te | 6 -
policy/modules/services/hal.te | 20 -
policy/modules/services/howl.te | 6 -
policy/modules/services/i18n_input.te | 6 -
policy/modules/services/imaze.te | 6 -
policy/modules/services/inetd.te | 22 +-
policy/modules/services/inn.te | 6 -
policy/modules/services/ircd.te | 6 -
policy/modules/services/irqbalance.te | 6 -
policy/modules/services/jabber.te | 6 -
policy/modules/services/kerberos.te | 12 -
policy/modules/services/ktalk.te | 5 -
policy/modules/services/ldap.te | 15 -
policy/modules/services/lpd.te | 11 -
policy/modules/services/monop.te | 6 -
policy/modules/services/mta.if | 6 +-
policy/modules/services/mta.te | 38 +--
policy/modules/services/munin.te | 6 -
policy/modules/services/mysql.te | 6 -
policy/modules/services/nagios.te | 12 -
policy/modules/services/nessus.te | 6 -
policy/modules/services/networkmanager.te | 19 +-
policy/modules/services/nis.te | 23 -
policy/modules/services/nscd.te | 6 -
policy/modules/services/nsd.te | 6 -
policy/modules/services/ntop.te | 6 -
policy/modules/services/ntp.te | 12 -
policy/modules/services/oav.te | 6 -
policy/modules/services/oddjob.te | 5 -
policy/modules/services/openct.te | 6 -
policy/modules/services/openvpn.te | 5 -
policy/modules/services/pcscd.te | 5 -
policy/modules/services/pegasus.te | 11 +-
policy/modules/services/perdition.te | 6 -
policy/modules/services/portmap.te | 11 -
policy/modules/services/portslave.te | 6 -
policy/modules/services/postfix.if | 6 -
policy/modules/services/postfix.te | 20 -
policy/modules/services/postgresql.te | 22 -
policy/modules/services/postgrey.te | 6 -
policy/modules/services/ppp.te | 14 -
policy/modules/services/privoxy.te | 6 -
policy/modules/services/pxe.te | 6 -
policy/modules/services/pyzor.fc | 6 +-
policy/modules/services/pyzor.if | 75 ++--
policy/modules/services/pyzor.te | 11 -
policy/modules/services/radius.te | 6 -
policy/modules/services/radvd.te | 6 -
policy/modules/services/razor.fc | 2 -
policy/modules/services/rdisc.te | 6 -
policy/modules/services/remotelogin.te | 10 +-
policy/modules/services/resmgr.te | 6 -
policy/modules/services/rhgb.te | 18 +-
policy/modules/services/ricci.te | 16 +-
policy/modules/services/roundup.te | 6 -
policy/modules/services/rpc.if | 6 -
policy/modules/services/rpc.te | 7 -
policy/modules/services/rshd.te | 8 +-
policy/modules/services/rwho.te | 5 -
policy/modules/services/samba.if | 32 +
policy/modules/services/samba.te | 60 +--
policy/modules/services/sasl.te | 8 +-
policy/modules/services/sendmail.te | 6 -
policy/modules/services/setroubleshoot.te | 5 -
policy/modules/services/slrnpull.te | 6 -
policy/modules/services/smartmon.te | 6 -
policy/modules/services/snmp.te | 6 -
policy/modules/services/snort.te | 6 -
policy/modules/services/soundserver.te | 6 -
policy/modules/services/spamassassin.fc | 5 +-
policy/modules/services/spamassassin.if | 6 +
policy/modules/services/spamassassin.te | 20 -
policy/modules/services/speedtouch.te | 6 -
policy/modules/services/squid.te | 6 -
policy/modules/services/ssh.fc | 11 +-
policy/modules/services/ssh.te | 73 +--
policy/modules/services/stunnel.te | 6 -
policy/modules/services/tftp.te | 6 -
policy/modules/services/timidity.te | 6 -
policy/modules/services/transproxy.te | 6 -
policy/modules/services/uptime.te | 6 -
policy/modules/services/uucp.te | 5 -
policy/modules/services/uwimap.te | 6 -
policy/modules/services/watchdog.te | 6 -
policy/modules/services/xfs.te | 6 -
policy/modules/services/xprint.te | 6 -
policy/modules/services/xserver.fc | 7 +-
policy/modules/services/xserver.if | 8 +-
policy/modules/services/xserver.te | 49 +-
policy/modules/services/zabbix.te | 5 -
policy/modules/services/zebra.te | 11 +-
policy/modules/system/authlogin.if | 19 +-
policy/modules/system/authlogin.te | 11 +-
policy/modules/system/clock.te | 6 -
policy/modules/system/fstools.te | 5 -
policy/modules/system/getty.te | 5 -
policy/modules/system/hotplug.te | 5 -
policy/modules/system/init.fc | 6 +-
policy/modules/system/init.if | 18 +
policy/modules/system/init.te | 72 +--
policy/modules/system/ipsec.te | 6 -
policy/modules/system/iptables.te | 7 -
policy/modules/system/iscsi.te | 4 -
policy/modules/system/libraries.fc | 57 +--
policy/modules/system/libraries.if | 37 +-
policy/modules/system/libraries.te | 20 +-
policy/modules/system/locallogin.te | 14 +-
policy/modules/system/logging.te | 25 -
policy/modules/system/lvm.te | 13 -
policy/modules/system/modutils.te | 16 +-
policy/modules/system/mount.if | 50 ++-
policy/modules/system/mount.te | 23 +-
policy/modules/system/pcmcia.te | 8 -
policy/modules/system/raid.te | 6 -
policy/modules/system/selinuxutil.te | 45 +-
policy/modules/system/sysnetwork.te | 15 -
policy/modules/system/udev.te | 6 -
policy/modules/system/unconfined.fc | 9 +-
policy/modules/system/unconfined.if | 143 +++--
policy/modules/system/unconfined.te | 286 +++++----
policy/modules/system/userdomain.if | 460 +++++---------
policy/modules/system/userdomain.te | 664 +++++++++-----------
policy/modules/system/xen.te | 9 -
policy/rolemap | 14 +-
policy/users | 17 +-
support/Makefile.devel | 16 +-
301 files changed, 1883 insertions(+), 3585 deletions(-)
---
diff --git a/Changelog b/Changelog
index 880d9ae..2cba6d7 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,9 @@
+- Merge shlib_t into lib_t.
+- Merge strict and targeted policies. The policy will now behave like the
+ strict policy if the unconfined module is not present. If it is, it will
+ behave like the targeted policy. Added an unconfined role to have a mix
+ of confined and unconfined users.
+
* Fri Sep 28 2007 Chris PeBenito <selinux at tresys.com> - 20070928
- Add support for setting the unknown permissions handling.
- Fix XML building for external reference builds and headers builds.
diff --git a/Makefile b/Makefile
index 2708a78..df6806e 100644
--- a/Makefile
+++ b/Makefile
@@ -158,18 +158,8 @@ modpkgdir = $(sharedir)/$(strip $(NAME))
headerdir = $(modpkgdir)/include
docsdir = $(prefix)/share/doc/$(PKGNAME)
-# compile strict policy if requested.
-ifneq ($(findstring strict,$(TYPE)),)
- M4PARAM += -D strict_policy
-endif
-
-# compile targeted policy if requested.
-ifneq ($(findstring targeted,$(TYPE)),)
- M4PARAM += -D targeted_policy
-endif
-
# enable MLS if requested.
-ifneq ($(findstring -mls,$(TYPE)),)
+ifeq "$(TYPE)" "mls"
M4PARAM += -D enable_mls
CHECKPOLICY += -M
CHECKMODULE += -M
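Review bot: The new `ifeq "$(TYPE)" "mls"` test silently accepts any other value of TYPE, so a build.conf still carrying one of the removed names (`strict-mls`, `targeted-mcs`, …) now produces a policy with neither MLS nor MCS enabled instead of failing. A guard ahead of these blocks, e.g. `ifeq ($(filter standard mls mcs,$(TYPE)),)` / `$(error Invalid policy TYPE "$(TYPE)"; must be standard, mls or mcs)` / `endif`, turns that into a configure-time error. Dropping the strict_policy and targeted_policy M4 defines has a similar failure mode: any ifdef on those names left in a module this commit does not touch becomes dead text rather than a build error, so a grep of the module tree for both symbols is worth doing before this lands.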
@@ -177,7 +167,7 @@ ifneq ($(findstring -mls,$(TYPE)),)
endif
# enable MLS if MCS requested.
-ifneq ($(findstring -mcs,$(TYPE)),)
+ifeq "$(TYPE)" "mcs"
M4PARAM += -D enable_mcs
CHECKPOLICY += -M
CHECKMODULE += -M
diff --git a/README b/README
index 6901c33..f4d8b21 100644
--- a/README
+++ b/README
@@ -83,13 +83,10 @@ restorelabels Relabel the filesystem and report each file that is
2) Reference Policy Build Options (build.conf)
-TYPE String. Available options are strict, targeted,
- strict-mls, targeted-mls, strict-mcs, and targeted-mcs.
- This sets the policy type as strict or targeted, and
- optionally enables multi-leve security (MLS) or
+TYPE String. Available options are standard, mls, and mcs.
+ This optionally enables multi-level security (MLS) or
multi-category security (MCS) features. This option
- controls strict_policy, targeted_policy, enable_mls,
- and enable_mcs policy blocks.
+ controls enable_mls, and enable_mcs policy blocks.
NAME String (optional). Sets the name of the policy; the
NAME is used when installing files to e.g.,
@@ -136,8 +133,7 @@ Rules.modular Makefile rules specific to building loadable module
Rules.monolithic Makefile rules specific to building monolithic policies.
build.conf Options which influence the building of the policy,
- such as the policy type (strict, targeted, etc.)
- and distribution.
+ such as the policy type and distribution.
config/appconfig-* Application configuration files for all configurations
of the Reference Policy (targeted/strict with or without
diff --git a/build.conf b/build.conf
index b824ee5..7ebbb8b 100644
--- a/build.conf
+++ b/build.conf
@@ -11,10 +11,8 @@
#OUTPUT_POLICY = 18
# Policy Type
-# strict, targeted,
-# strict-mls, targeted-mls,
-# strict-mcs, targeted-mcs
-TYPE = strict
+# standard, mls, mcs
+TYPE = standard
# Policy Name
# If set, this will be used as the policy
diff --git a/config/appconfig-strict-mcs/dbus_contexts b/config/appconfig-mcs/dbus_contexts
similarity index 100%
rename from config/appconfig-strict-mcs/dbus_contexts
rename to config/appconfig-mcs/dbus_contexts
diff --git a/config/appconfig-mcs/default_contexts b/config/appconfig-mcs/default_contexts
new file mode 100644
index 0000000..c2b7a80
--- /dev/null
+++ b/config/appconfig-mcs/default_contexts
@@ -0,0 +1,15 @@
+system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
+system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
+system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
+system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+
+staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+
+sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
+
+user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
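Review bot: Most lines here list `unconfined_r:unconfined_*` candidates, but those roles and types only exist when the optional unconfined module is loaded, which is precisely what this merge makes optional. libselinux's default-context lookup appears to skip candidates that fail validation against the loaded policy, so this is presumably harmless on a strict-style install, but that dependency is invisible in the file; a leading comment such as `# unconfined_r entries only take effect when the unconfined module is loaded` would spare the next reader the guess. The mls and standard variants of this file differ only in the `:s0` suffix, so the same note applies to them.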
diff --git a/config/appconfig-strict-mls/default_type b/config/appconfig-mcs/default_type
similarity index 54%
copy from config/appconfig-strict-mls/default_type
copy to config/appconfig-mcs/default_type
index c3315fe..a39710f 100644
--- a/config/appconfig-strict-mls/default_type
+++ b/config/appconfig-mcs/default_type
@@ -1,5 +1,4 @@
sysadm_r:sysadm_t
-secadm_r:secadm_t
staff_r:staff_t
+unconfined_r:unconfined_t
user_r:user_t
-auditadm_r:auditadm_t
diff --git a/config/appconfig-strict-mcs/failsafe_context b/config/appconfig-mcs/failsafe_context
similarity index 100%
rename from config/appconfig-strict-mcs/failsafe_context
rename to config/appconfig-mcs/failsafe_context
diff --git a/config/appconfig-strict-mcs/initrc_context b/config/appconfig-mcs/initrc_context
similarity index 100%
rename from config/appconfig-strict-mcs/initrc_context
rename to config/appconfig-mcs/initrc_context
diff --git a/config/appconfig-strict-mcs/media b/config/appconfig-mcs/media
similarity index 100%
rename from config/appconfig-strict-mcs/media
rename to config/appconfig-mcs/media
diff --git a/config/appconfig-strict-mcs/removable_context b/config/appconfig-mcs/removable_context
similarity index 100%
rename from config/appconfig-strict-mcs/removable_context
rename to config/appconfig-mcs/removable_context
diff --git a/config/appconfig-mcs/root_default_contexts b/config/appconfig-mcs/root_default_contexts
new file mode 100644
index 0000000..7f4a125
--- /dev/null
+++ b/config/appconfig-mcs/root_default_contexts
@@ -0,0 +1,11 @@
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
+system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+#
+# Uncomment if you want to automatically login as sysadm_r
+#
+#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
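Review bot: The `system_r:crond_t:s0` line sends root's cron jobs to `unconfined_r:unconfined_t:s0`, while the accompanying default_contexts uses `unconfined_r:unconfined_crond_t:s0` for the same source domain; if unconfined_crond_t exists to hold unconfined users' jobs, it is not obvious why root's jobs should bypass it and run as plain unconfined_t. If that is deliberate targeted-compatibility behaviour, a comment saying so would help; otherwise the first candidate should probably be `unconfined_r:unconfined_crond_t:s0` to match. The mls variant of this file is byte-identical (same blob), so whichever way this goes both copies need the change.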
diff --git a/config/appconfig-strict-mcs/seusers b/config/appconfig-mcs/seusers
similarity index 100%
rename from config/appconfig-strict-mcs/seusers
rename to config/appconfig-mcs/seusers
diff --git a/config/appconfig-strict-mcs/userhelper_context b/config/appconfig-mcs/userhelper_context
similarity index 100%
rename from config/appconfig-strict-mcs/userhelper_context
rename to config/appconfig-mcs/userhelper_context
diff --git a/config/appconfig-strict-mls/dbus_contexts b/config/appconfig-mls/dbus_contexts
similarity index 100%
rename from config/appconfig-strict-mls/dbus_contexts
rename to config/appconfig-mls/dbus_contexts
diff --git a/config/appconfig-mls/default_contexts b/config/appconfig-mls/default_contexts
new file mode 100644
index 0000000..c2b7a80
--- /dev/null
+++ b/config/appconfig-mls/default_contexts
@@ -0,0 +1,15 @@
+system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
+system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
+system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
+system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+
+staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
+
+sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
+
+user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-strict-mls/default_type b/config/appconfig-mls/default_type
similarity index 77%
copy from config/appconfig-strict-mls/default_type
copy to config/appconfig-mls/default_type
index c3315fe..33528d6 100644
--- a/config/appconfig-strict-mls/default_type
+++ b/config/appconfig-mls/default_type
@@ -1,5 +1,6 @@
-sysadm_r:sysadm_t
+auditadm_r:auditadm_t
secadm_r:secadm_t
+sysadm_r:sysadm_t
staff_r:staff_t
+unconfined_r:unconfined_t
user_r:user_t
-auditadm_r:auditadm_t
diff --git a/config/appconfig-strict-mls/failsafe_context b/config/appconfig-mls/failsafe_context
similarity index 100%
rename from config/appconfig-strict-mls/failsafe_context
rename to config/appconfig-mls/failsafe_context
diff --git a/config/appconfig-strict-mls/initrc_context b/config/appconfig-mls/initrc_context
similarity index 100%
rename from config/appconfig-strict-mls/initrc_context
rename to config/appconfig-mls/initrc_context
diff --git a/config/appconfig-strict-mls/media b/config/appconfig-mls/media
similarity index 100%
rename from config/appconfig-strict-mls/media
rename to config/appconfig-mls/media
diff --git a/config/appconfig-strict-mls/removable_context b/config/appconfig-mls/removable_context
similarity index 100%
rename from config/appconfig-strict-mls/removable_context
rename to config/appconfig-mls/removable_context
diff --git a/config/appconfig-mls/root_default_contexts b/config/appconfig-mls/root_default_contexts
new file mode 100644
index 0000000..7f4a125
--- /dev/null
+++ b/config/appconfig-mls/root_default_contexts
@@ -0,0 +1,11 @@
+system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
+system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
+
+#
+# Uncomment if you want to automatically login as sysadm_r
+#
+#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
diff --git a/config/appconfig-strict-mls/seusers b/config/appconfig-mls/seusers
similarity index 100%
rename from config/appconfig-strict-mls/seusers
rename to config/appconfig-mls/seusers
diff --git a/config/appconfig-strict-mls/userhelper_context b/config/appconfig-mls/userhelper_context
similarity index 100%
rename from config/appconfig-strict-mls/userhelper_context
rename to config/appconfig-mls/userhelper_context
diff --git a/config/appconfig-strict/dbus_contexts b/config/appconfig-standard/dbus_contexts
similarity index 100%
rename from config/appconfig-strict/dbus_contexts
rename to config/appconfig-standard/dbus_contexts
diff --git a/config/appconfig-standard/default_contexts b/config/appconfig-standard/default_contexts
new file mode 100644
index 0000000..4bb784d
--- /dev/null
+++ b/config/appconfig-standard/default_contexts
@@ -0,0 +1,15 @@
+system_r:crond_t user_r:user_crond_t staff_r:staff_crond_t sysadm_r:sysadm_crond_t system_r:system_crond_t unconfined_r:unconfined_crond_t
+system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
+system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t
+system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
+system_r:sulogin_t sysadm_r:sysadm_t
+system_r:xdm_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
+
+staff_r:staff_su_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
+staff_r:staff_sudo_t sysadm_r:sysadm_t staff_r:staff_t
+
+sysadm_r:sysadm_su_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
+sysadm_r:sysadm_sudo_t sysadm_r:sysadm_t
+
+user_r:user_su_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
+user_r:user_sudo_t sysadm_r:sysadm_t user_r:user_t
diff --git a/config/appconfig-strict-mls/default_type b/config/appconfig-standard/default_type
similarity index 54%
rename from config/appconfig-strict-mls/default_type
rename to config/appconfig-standard/default_type
index c3315fe..a39710f 100644
--- a/config/appconfig-strict-mls/default_type
+++ b/config/appconfig-standard/default_type
@@ -1,5 +1,4 @@
sysadm_r:sysadm_t
-secadm_r:secadm_t
staff_r:staff_t
+unconfined_r:unconfined_t
user_r:user_t
-auditadm_r:auditadm_t
diff --git a/config/appconfig-strict/failsafe_context b/config/appconfig-standard/failsafe_context
similarity index 100%
rename from config/appconfig-strict/failsafe_context
rename to config/appconfig-standard/failsafe_context
diff --git a/config/appconfig-strict/initrc_context b/config/appconfig-standard/initrc_context
similarity index 100%
rename from config/appconfig-strict/initrc_context
rename to config/appconfig-standard/initrc_context
diff --git a/config/appconfig-strict/media b/config/appconfig-standard/media
similarity index 100%
rename from config/appconfig-strict/media
rename to config/appconfig-standard/media
diff --git a/config/appconfig-strict/removable_context b/config/appconfig-standard/removable_context
similarity index 100%
rename from config/appconfig-strict/removable_context
rename to config/appconfig-standard/removable_context
diff --git a/config/appconfig-standard/root_default_contexts b/config/appconfig-standard/root_default_contexts
new file mode 100644
index 0000000..3806d33
--- /dev/null
+++ b/config/appconfig-standard/root_default_contexts
@@ -0,0 +1,11 @@
+system_r:crond_t unconfined_r:unconfined_t sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t
+system_r:local_login_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+
+staff_r:staff_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+sysadm_r:sysadm_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+user_r:user_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
+
+#
+# Uncomment if you want to automatically login as sysadm_r
+#
+#system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
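Review bot: The comment `# Uncomment if you want to automatically login as sysadm_r` no longer describes the line beneath it, which lists `unconfined_r:unconfined_t` first and so gives root an unconfined shell over ssh whenever the unconfined module is loaded, falling back to sysadm_r only when it is absent. Suggest `# Uncomment to let root log in over ssh directly as unconfined_r (sysadm_r when the unconfined module is not loaded)` so an administrator enabling this understands what they are turning on. The mcs and mls copies of this file carry the same comment.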
diff --git a/config/appconfig-strict/seusers b/config/appconfig-standard/seusers
similarity index 100%
rename from config/appconfig-strict/seusers
rename to config/appconfig-standard/seusers
diff --git a/config/appconfig-strict/userhelper_context b/config/appconfig-standard/userhelper_context
similarity index 100%
rename from config/appconfig-strict/userhelper_context
rename to config/appconfig-standard/userhelper_context
diff --git a/policy/constraints b/policy/constraints
index c1cb375..2e58ead 100644
--- a/policy/constraints
+++ b/policy/constraints
@@ -28,57 +28,34 @@
#
# SELinux process identity change constraint:
#
-ifdef(`strict_policy',`
- constrain process transition
- (
- u1 == u2
-
- or ( t1 == can_change_process_identity and t2 == process_user_target )
-
- or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
+constrain process transition
+(
+ u1 == u2
- or ( t1 == can_system_change and u2 == system_u )
+ or ( t1 == can_change_process_identity and t2 == process_user_target )
- or ( t1 == process_uncond_exempt )
- );
-')
+ or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
-ifdef(`targeted_policy',`
- constrain process transition
- (
- u1 == u2
+ or ( t1 == can_system_change and u2 == system_u )
- or t1 == can_change_process_identity
- );
-')
+ or ( t1 == process_uncond_exempt )
+);
#
# SELinux process role change constraint:
#
+constrain process transition
+(
+ r1 == r2
-ifdef(`strict_policy',`
- constrain process transition
- (
- r1 == r2
-
- or ( t1 == can_change_process_role and t2 == process_user_target )
-
- or ( t1 == cron_source_domain and t2 == cron_job_domain )
-
- or ( t1 == can_system_change and r2 == system_r )
+ or ( t1 == can_change_process_role and t2 == process_user_target )
- or ( t1 == process_uncond_exempt )
- );
-')
+ or ( t1 == cron_source_domain and t2 == cron_job_domain )
-ifdef(`targeted_policy',`
- constrain process transition
- (
- r1 == r2
+ or ( t1 == can_system_change and r2 == system_r )
- or t1 == can_change_process_role
- );
-')
+ or ( t1 == process_uncond_exempt )
+);
#
# SELinux dynamic transition constraint:
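Review bot: The merged process-identity constraint keeps the strict form, so the bare `t1 == can_change_process_identity` escape that the targeted constraint granted is gone: a domain changing user identity now needs `t2 == process_user_target`, one of the cron/system exemptions, or the `process_uncond_exempt` attribute, and the role constraint below it is tightened the same way. Anything that relied on the targeted behaviour — most obviously whatever `unconfined_domain()` now grants — must therefore carry process_uncond_exempt, which is assigned in unconfined.if/domain.if outside this chunk and is worth checking explicitly rather than assuming. A short comment above the block, e.g. `# unconfined domains are expected to satisfy this via process_uncond_exempt`, would make that dependency visible to the next reader.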
diff --git a/policy/global_booleans b/policy/global_booleans
index 844fc78..111d004 100644
--- a/policy/global_booleans
+++ b/policy/global_booleans
@@ -4,7 +4,6 @@
# file should be used.
#
-ifdef(`strict_policy',`
## <desc>
## <p>
## Enabling secure mode disallows programs, such as
@@ -13,7 +12,6 @@ ifdef(`strict_policy',`
## </p>
## </desc>
gen_bool(secure_mode,false)
-')
## <desc>
## <p>
diff --git a/policy/global_tunables b/policy/global_tunables
index 9a44314..7a1d85d 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -4,11 +4,6 @@
# file should be used.
#
-########################################
-#
-# Common tunables
-#
-
## <desc>
## <p>
## Allow making the heap executable.
@@ -69,6 +64,15 @@ gen_tunable(global_ssp,false)
## <desc>
## <p>
+## Allow email client to various content.
+## nfs, samba, removable devices, user temp
+## and untrusted content files
+## </p>
+## </desc>
+gen_tunable(mail_read_content,false)
+
+## <desc>
+## <p>
## Allow nfs to be exported read/write.
## </p>
## </desc>
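Review bot: The description added for `mail_read_content` is missing its verb: `## Allow email client to various content.` should read `## Allow email client to read various content:` with the next two lines listing what that content is. The wording is carried over from the block this hunk replaces further down rather than newly introduced, but now that the tunable is global this text is what ends up in the generated policy documentation, so it is worth fixing while it moves.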
@@ -90,41 +94,26 @@ gen_tunable(read_default_t,false)
## <desc>
## <p>
-## Support NFS home directories
-## </p>
-## </desc>
-gen_tunable(use_nfs_home_dirs,false)
-
-## <desc>
-## <p>
-## Support SAMBA home directories
+## Allow applications to read untrusted content
+## If this is disallowed, Internet content has
+## to be manually relabeled for read access to be granted
## </p>
## </desc>
-gen_tunable(use_samba_home_dirs,false)
-
-########################################
-#
-# Strict policy specific
-#
+gen_tunable(read_untrusted_content,false)
-ifdef(`strict_policy',`
## <desc>
## <p>
-## Allow email client to various content.
-## nfs, samba, removable devices, user temp
-## and untrusted content files
+## Support NFS home directories
## </p>
## </desc>
-gen_tunable(mail_read_content,false)
+gen_tunable(use_nfs_home_dirs,false)
## <desc>
## <p>
-## Allow applications to read untrusted content
-## If this is disallowed, Internet content has
-## to be manually relabeled for read access to be granted
+## Support SAMBA home directories
## </p>
## </desc>
-gen_tunable(read_untrusted_content,false)
+gen_tunable(use_samba_home_dirs,false)
## <desc>
## <p>
@@ -143,4 +132,3 @@ gen_tunable(user_tcp_server,false)
## </p>
## </desc>
gen_tunable(write_untrusted_content,false)
-')
diff --git a/policy/modules/admin/acct.te b/policy/modules/admin/acct.te
index 0529bb8..5e34a60 100644
--- a/policy/modules/admin/acct.te
+++ b/policy/modules/admin/acct.te
@@ -69,12 +69,6 @@ miscfiles_read_localization(acct_t)
userdom_dontaudit_search_sysadm_home_dirs(acct_t)
userdom_dontaudit_use_unpriv_user_fds(acct_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(acct_t)
- term_dontaudit_use_generic_ptys(acct_t)
- files_dontaudit_read_root_files(acct_t)
-')
-
optional_policy(`
optional_policy(`
# for monthly cron job
diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
index 15a6c98..5d21443 100644
--- a/policy/modules/admin/apt.te
+++ b/policy/modules/admin/apt.te
@@ -113,10 +113,6 @@ seutil_use_newrole_fds(apt_t)
sysnet_read_config(apt_t)
-ifdef(`targeted_policy',`
- unconfined_domain(apt_t)
-')
-
# with boolean, for cron-apt and such?
#optional_policy(`
# cron_system_entry(apt_t,apt_exec_t)
@@ -137,3 +133,7 @@ optional_policy(`
rpm_read_db(apt_t)
rpm_domtrans(apt_t)
')
+
+optional_policy(`
+ unconfined_domain(apt_t)
+')
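Review bot: With `unconfined_domain(apt_t)` inside a bare `optional_policy(` block, apt becomes unconfined whenever the unconfined module happens to be loaded, whereas before this was an explicit property of the targeted build. A site that loads the unconfined module for its login users but wants its package manager confined now has no knob; at minimum a comment should record that this is deliberate, e.g. `# runs unconfined whenever the unconfined module is present (former targeted behaviour)`, and a tunable guarding the call would be the stronger option. The same pattern is introduced in dpkg.te (dpkg_t and dpkg_script_t), firstboot.te, kudzu.te, rpm.te (rpm_t and rpm_script_t), su.if, ada.te and java.te, so one decision should cover all of them.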
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 308dce2..c93344d 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -174,11 +174,6 @@ ifdef(`distro_redhat',`
mount_domtrans(bootloader_t)
')
-ifdef(`targeted_policy',`
- term_use_unallocated_ttys(bootloader_t)
- term_use_generic_ptys(bootloader_t)
-')
-
optional_policy(`
fstools_exec(bootloader_t)
')
diff --git a/policy/modules/admin/brctl.te b/policy/modules/admin/brctl.te
index 133cd2d..98c54b5 100644
--- a/policy/modules/admin/brctl.te
+++ b/policy/modules/admin/brctl.te
@@ -37,11 +37,6 @@ libs_use_shared_libs(brctl_t)
miscfiles_read_localization(brctl_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(brctl_t)
- term_dontaudit_use_generic_ptys(brctl_t)
-')
-
optional_policy(`
xen_append_log(brctl_t)
')
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
index 299f21f..400100d 100644
--- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te
@@ -10,14 +10,9 @@ type consoletype_t;
type consoletype_exec_t;
application_executable_file(consoletype_exec_t)
init_domain(consoletype_t,consoletype_exec_t)
-mls_file_read_all_levels(consoletype_t)
-mls_file_write_all_levels(consoletype_t)
+init_system_domain(consoletype_t,consoletype_exec_t)
role system_r types consoletype_t;
-ifdef(`targeted_policy',`',`
- init_system_domain(consoletype_t,consoletype_exec_t)
-')
-
########################################
#
# Local declarations
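Review bot: The new `init_system_domain(consoletype_t,consoletype_exec_t)` line sits next to the kept `init_domain(consoletype_t,consoletype_exec_t)` and `role system_r types consoletype_t;`; if `init_system_domain` already wraps `init_domain` and the system_r role assignment, as its use elsewhere in this commit suggests, those two lines are redundant and should be dropped. dmesg.te in this same commit keeps only `init_system_domain(dmesg_t,dmesg_exec_t)` and removes its `role system_r types dmesg_t;` line, so the two files currently disagree about what the interface provides — whichever reading is correct, one file is either redundant or has lost its role assignment.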
@@ -44,6 +39,9 @@ fs_getattr_all_fs(consoletype_t)
fs_search_auto_mountpoints(consoletype_t)
fs_write_nfs_files(consoletype_t)
+mls_file_read_all_levels(consoletype_t)
+mls_file_write_all_levels(consoletype_t)
+
term_use_console(consoletype_t)
term_use_unallocated_ttys(consoletype_t)
@@ -60,10 +58,6 @@ files_list_usr(consoletype_t)
libs_use_ld_so(consoletype_t)
libs_use_shared_libs(consoletype_t)
-userdom_use_sysadm_terms(consoletype_t)
-userdom_use_sysadm_fds(consoletype_t)
-userdom_rw_sysadm_pipes(consoletype_t)
-
ifdef(`distro_redhat',`
fs_rw_tmpfs_chr_files(consoletype_t)
')
diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
index dc2a3b6..71081a8 100644
--- a/policy/modules/admin/dmesg.if
+++ b/policy/modules/admin/dmesg.if
@@ -11,26 +11,12 @@
## </param>
#
interface(`dmesg_domtrans',`
- ifdef(`targeted_policy',`
- gen_require(`
- type dmesg_exec_t;
- ')
-
- # $0(): disabled in targeted policy as there
- # is no dmesg domain.
- ',`
- gen_require(`
- type dmesg_t, dmesg_exec_t;
- ')
-
- corecmd_search_bin($1)
- domain_auto_trans($1,dmesg_exec_t,dmesg_t)
-
- allow $1 dmesg_t:fd use;
- allow dmesg_t $1:fd use;
- allow dmesg_t $1:fifo_file rw_file_perms;
- allow dmesg_t $1:process sigchld;
+ gen_require(`
+ type dmesg_t, dmesg_exec_t;
')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dmesg_exec_t, dmesg_t)
')
########################################
@@ -45,16 +31,10 @@ interface(`dmesg_domtrans',`
## <rolecap/>
#
interface(`dmesg_exec',`
- ifdef(`targeted_policy',`
- # $0(): the dmesg program is an alias
- # of generic bin programs.
- corecmd_exec_bin($1)
- ',`
- gen_require(`
- type dmesg_exec_t;
- ')
-
- corecmd_search_bin($1)
- can_exec($1,dmesg_exec_t)
+ gen_require(`
+ type dmesg_exec_t;
')
+
+ corecmd_search_bin($1)
+ can_exec($1,dmesg_exec_t)
')
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
index 150feec..7d31ea0 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
@@ -6,69 +6,57 @@ policy_module(dmesg,1.0.0)
# Declarations
#
-ifdef(`strict_policy',`
- type dmesg_t;
- type dmesg_exec_t;
- init_system_domain(dmesg_t,dmesg_exec_t)
- role system_r types dmesg_t;
-')
-
-ifdef(`targeted_policy',`
- # dmesg domain is disabled in the
- # targeted policy. for compatibility
- # with strict:
- corecmd_bin_alias(dmesg_exec_t)
-')
+type dmesg_t;
+type dmesg_exec_t;
+init_system_domain(dmesg_t,dmesg_exec_t)
########################################
#
# Local policy
#
-ifdef(`strict_policy',`
- allow dmesg_t self:capability sys_admin;
- dontaudit dmesg_t self:capability sys_tty_config;
+allow dmesg_t self:capability sys_admin;
+dontaudit dmesg_t self:capability sys_tty_config;
- allow dmesg_t self:process signal_perms;
+allow dmesg_t self:process signal_perms;
- kernel_read_kernel_sysctls(dmesg_t)
- kernel_read_ring_buffer(dmesg_t)
- kernel_clear_ring_buffer(dmesg_t)
- kernel_change_ring_buffer_level(dmesg_t)
- kernel_list_proc(dmesg_t)
- kernel_read_proc_symlinks(dmesg_t)
+kernel_read_kernel_sysctls(dmesg_t)
+kernel_read_ring_buffer(dmesg_t)
+kernel_clear_ring_buffer(dmesg_t)
+kernel_change_ring_buffer_level(dmesg_t)
+kernel_list_proc(dmesg_t)
+kernel_read_proc_symlinks(dmesg_t)
- dev_read_sysfs(dmesg_t)
+dev_read_sysfs(dmesg_t)
- fs_search_auto_mountpoints(dmesg_t)
+fs_search_auto_mountpoints(dmesg_t)
- term_dontaudit_use_console(dmesg_t)
+term_dontaudit_use_console(dmesg_t)
- domain_use_interactive_fds(dmesg_t)
+domain_use_interactive_fds(dmesg_t)
- files_list_etc(dmesg_t)
- # for when /usr is not mounted:
- files_dontaudit_search_isid_type_dirs(dmesg_t)
+files_list_etc(dmesg_t)
+# for when /usr is not mounted:
+files_dontaudit_search_isid_type_dirs(dmesg_t)
- init_use_fds(dmesg_t)
- init_use_script_ptys(dmesg_t)
+init_use_fds(dmesg_t)
+init_use_script_ptys(dmesg_t)
- libs_use_ld_so(dmesg_t)
- libs_use_shared_libs(dmesg_t)
+libs_use_ld_so(dmesg_t)
+libs_use_shared_libs(dmesg_t)
- logging_send_syslog_msg(dmesg_t)
- logging_write_generic_logs(dmesg_t)
+logging_send_syslog_msg(dmesg_t)
+logging_write_generic_logs(dmesg_t)
- miscfiles_read_localization(dmesg_t)
+miscfiles_read_localization(dmesg_t)
- userdom_use_sysadm_terms(dmesg_t)
- userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
+userdom_use_sysadm_terms(dmesg_t)
+userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
- optional_policy(`
- seutil_sigchld_newrole(dmesg_t)
- ')
+optional_policy(`
+ seutil_sigchld_newrole(dmesg_t)
+')
- optional_policy(`
- udev_read_db(dmesg_t)
- ')
+optional_policy(`
+ udev_read_db(dmesg_t)
')
diff --git a/policy/modules/admin/dmidecode.te b/policy/modules/admin/dmidecode.te
index e7f5a84..1e170fc 100644
--- a/policy/modules/admin/dmidecode.te
+++ b/policy/modules/admin/dmidecode.te
@@ -31,8 +31,3 @@ libs_use_ld_so(dmidecode_t)
libs_use_shared_libs(dmidecode_t)
locallogin_use_fds(dmidecode_t)
-
-ifdef(`targeted_policy',`
- term_use_generic_ptys(dmidecode_t)
- term_use_unallocated_ttys(dmidecode_t)
-')
diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
index 170bb4f..829e211 100644
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@@ -172,10 +172,6 @@ dpkg_domtrans_script(dpkg_t)
# since the scripts aren't labeled correctly yet...
allow dpkg_t dpkg_var_lib_t:file execute;
-ifdef(`targeted_policy',`
- unconfined_domain(dpkg_t)
-')
-
# TODO: allow?
#optional_policy(`
# cron_system_entry(dpkg_t,dpkg_exec_t)
@@ -185,6 +181,10 @@ optional_policy(`
nis_use_ypbind(dpkg_t)
')
+optional_policy(`
+ unconfined_domain(dpkg_t)
+')
+
# TODO: the following was copied from dpkg_script_t, and could probably
# be removed again when dpkg_script_t is actually used...
domain_signal_all_domains(dpkg_t)
@@ -309,23 +309,15 @@ seutil_domtrans_setfiles(dpkg_script_t)
userdom_use_all_users_fds(dpkg_script_t)
-ifdef(`distro_redhat',`
- unconfined_domain(dpkg_script_t)
-')
-
-ifdef(`targeted_policy',`
- unconfined_domain(dpkg_script_t)
-',`
- optional_policy(`
- bootloader_domtrans(dpkg_script_t)
- ')
-')
-
tunable_policy(`allow_execmem',`
allow dpkg_script_t self:process execmem;
')
optional_policy(`
+ bootloader_domtrans(dpkg_script_t)
+')
+
+optional_policy(`
mta_send_mail(dpkg_script_t)
')
@@ -334,6 +326,10 @@ optional_policy(`
')
optional_policy(`
+ unconfined_domain(dpkg_script_t)
+')
+
+optional_policy(`
usermanage_domtrans_groupadd(dpkg_script_t)
usermanage_domtrans_useradd(dpkg_script_t)
')
diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
index abde741..c61592b 100644
--- a/policy/modules/admin/firstboot.te
+++ b/policy/modules/admin/firstboot.te
@@ -96,10 +96,6 @@ userdom_manage_generic_user_home_content_sockets(firstboot_t)
userdom_home_filetrans_generic_user_home_dir(firstboot_t)
userdom_generic_user_home_dir_filetrans_generic_user_home_content(firstboot_t,{ dir file lnk_file fifo_file sock_file })
-ifdef(`targeted_policy',`
- unconfined_domtrans(firstboot_t)
-')
-
optional_policy(`
hal_dbus_chat(firstboot_t)
')
@@ -113,6 +109,10 @@ optional_policy(`
')
optional_policy(`
+ unconfined_domtrans(firstboot_t)
+')
+
+optional_policy(`
usermanage_domtrans_chfn(firstboot_t)
usermanage_domtrans_groupadd(firstboot_t)
usermanage_domtrans_passwd(firstboot_t)
diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te
index fb51cb3..a996043 100644
--- a/policy/modules/admin/kudzu.te
+++ b/policy/modules/admin/kudzu.te
@@ -125,19 +125,6 @@ sysnet_read_config(kudzu_t)
userdom_search_sysadm_home_dirs(kudzu_t)
userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(kudzu_t)
- term_dontaudit_use_generic_ptys(kudzu_t)
- files_dontaudit_read_root_files(kudzu_t)
-
- # cjp: this was originally in the else block
- # of ifdef userhelper.te, but it seems to
- # make more sense here. also, require
- # blocks curently do not work in the
- # else block of optionals
- unconfined_domain(kudzu_t)
-')
-
optional_policy(`
gpm_getattr_gpmctl(kudzu_t)
')
@@ -154,6 +141,15 @@ optional_policy(`
udev_read_db(kudzu_t)
')
+optional_policy(`
+ # cjp: this was originally in the else block
+ # of ifdef userhelper.te, but it seems to
+ # make more sense here. also, require
+ # blocks curently do not work in the
+ # else block of optionals
+ unconfined_domain(kudzu_t)
+')
+
ifdef(`TODO',`
allow kudzu_t modules_conf_t:file unlink;
optional_policy(`
diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te
index 4128ad5..b02a0d3 100644
--- a/policy/modules/admin/mrtg.te
+++ b/policy/modules/admin/mrtg.te
@@ -126,12 +126,6 @@ ifdef(`distro_redhat',`
filetrans_pattern(mrtg_t,mrtg_etc_t,mrtg_lock_t,file)
')
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(mrtg_t)
- term_dontaudit_use_generic_ptys(mrtg_t)
- files_dontaudit_read_root_files(mrtg_t)
-')
-
optional_policy(`
apache_manage_sys_content(mrtg_t)
')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index e8915d4..985d957 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -6,14 +6,12 @@ policy_module(netutils,1.5.0)
# Declarations
#
-ifdef(`strict_policy',`
## <desc>
## <p>
## Control users use of ping and traceroute
## </p>
## </desc>
gen_tunable(user_ping,false)
-')
type netutils_t;
type netutils_exec_t;
@@ -91,11 +89,6 @@ sysnet_read_config(netutils_t)
userdom_use_all_users_fds(netutils_t)
-ifdef(`targeted_policy',`
- term_use_generic_ptys(netutils_t)
- term_use_unallocated_ttys(netutils_t)
-')
-
optional_policy(`
nis_use_ypbind(netutils_t)
')
@@ -144,16 +137,9 @@ ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t)
')
-ifdef(`targeted_policy',`
- term_use_unallocated_ttys(ping_t)
- term_use_generic_ptys(ping_t)
+tunable_policy(`user_ping',`
term_use_all_user_ttys(ping_t)
term_use_all_user_ptys(ping_t)
-',`
- tunable_policy(`user_ping',`
- term_use_all_user_ttys(ping_t)
- term_use_all_user_ptys(ping_t)
- ')
')
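Review bot: Within this hunk ping_t loses `term_use_unallocated_ttys` and `term_use_generic_ptys` entirely; on the new side it reaches terminals only through `term_use_all_user_ttys`/`term_use_all_user_ptys`, and only when `user_ping` is enabled (its default is `false`). If any login path in the merged policy leaves a terminal with the generic `devpts_t`/`tty_device_t` label — a console login that does not relabel, or unconfined users if their pty is not a user pty type — ping run from it can no longer write its output, and the failure surfaces as an AVC denial on the terminal rather than anything network-related. Worth confirming against the unconfined user setup before merging; the traceroute_t hunk below makes the identical change.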
optional_policy(`
@@ -228,14 +214,9 @@ files_read_usr_files(traceroute_t)
sysnet_read_config(traceroute_t)
-ifdef(`targeted_policy',`
- term_use_unallocated_ttys(traceroute_t)
- term_use_generic_ptys(traceroute_t)
-',`
- tunable_policy(`user_ping',`
- term_use_all_user_ttys(traceroute_t)
- term_use_all_user_ptys(traceroute_t)
- ')
+tunable_policy(`user_ping',`
+ term_use_all_user_ttys(traceroute_t)
+ term_use_all_user_ptys(traceroute_t)
')
optional_policy(`
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 30c9dd0..e99dc8c 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -104,7 +104,6 @@ libs_use_shared_libs(gcc_config_t)
libs_read_lib_files(gcc_config_t)
libs_domtrans_ldconfig(gcc_config_t)
libs_manage_shared_libs(gcc_config_t)
-lib_filetrans_shared_lib(gcc_config_t,file)
# gcc-config creates a temp dir for the libs
libs_manage_lib_dirs(gcc_config_t)
diff --git a/policy/modules/admin/prelink.if b/policy/modules/admin/prelink.if
index 78151ee..cd667b6 100644
--- a/policy/modules/admin/prelink.if
+++ b/policy/modules/admin/prelink.if
@@ -21,6 +21,37 @@ interface(`prelink_domtrans',`
########################################
## <summary>
+## Execute the prelink program in the prelink domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the prelink domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the prelink domain to use.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`prelink_run',`
+ gen_require(`
+ type prelink_t;
+ ')
+
+ prelink_domtrans($1)
+ role $2 types prelink_t;
+ allow prelink_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
## Make the specified file type prelinkable.
## </summary>
## <param name="file_type">
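Review bot: In the `<param name="terminal">` summary of the new `prelink_run` interface, `The type of the terminal allow the prelink domain to use.` should read `The type of the terminal the prelink domain is allowed to use.`. The new `tzdata_run` interface in tzdata.if carries the same wording and should get the same fix.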
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
index 1a8d3f2..039d92f 100644
--- a/policy/modules/admin/prelink.te
+++ b/policy/modules/admin/prelink.te
@@ -77,23 +77,10 @@ libs_relabel_ld_so(prelink_t)
libs_use_shared_libs(prelink_t)
libs_manage_shared_libs(prelink_t)
libs_relabel_shared_libs(prelink_t)
-libs_use_lib_files(prelink_t)
-libs_manage_lib_files(prelink_t)
-libs_relabel_lib_files(prelink_t)
libs_delete_lib_symlinks(prelink_t)
miscfiles_read_localization(prelink_t)
-ifdef(`targeted_policy',`
- term_use_unallocated_ttys(prelink_t)
- term_use_generic_ptys(prelink_t)
-
- # prelink executables in the user homedir
- userdom_manage_generic_user_home_content_files(prelink_t)
- userdom_mmap_generic_user_home_content_files(prelink_t)
- userdom_dontaudit_relabel_generic_user_home_content_files(prelink_t)
-')
-
optional_policy(`
amanda_manage_lib(prelink_t)
')
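Review bot: Nothing on the new side records that prelink_t has lost `userdom_manage_generic_user_home_content_files` and its mmap/relabel companions, so it can no longer rewrite binaries under user home directories in any configuration. From a least-privilege view that is the better default — prelink runs as root, and modifying user-controlled ELF files is the access it should not have — but without a note a later "fix the denial" patch is likely to reintroduce it. A one-line comment near `libs_delete_lib_symlinks(prelink_t)` such as `# prelink is deliberately not allowed to modify user home content` would preserve the intent. The declarations for this domain are outside the hunk.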
diff --git a/policy/modules/admin/quota.te b/policy/modules/admin/quota.te
index c52b0d2..57b4f4c 100644
--- a/policy/modules/admin/quota.te
+++ b/policy/modules/admin/quota.te
@@ -77,12 +77,6 @@ logging_send_syslog_msg(quota_t)
userdom_dontaudit_use_unpriv_user_fds(quota_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(quota_t)
- term_dontaudit_use_generic_ptys(quota_t)
- files_dontaudit_read_root_files(quota_t)
-')
-
optional_policy(`
seutil_sigchld_newrole(quota_t)
')
diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
index beccc8a..db35cc4 100644
--- a/policy/modules/admin/readahead.te
+++ b/policy/modules/admin/readahead.te
@@ -81,12 +81,6 @@ miscfiles_read_localization(readahead_t)
userdom_dontaudit_use_unpriv_user_fds(readahead_t)
userdom_dontaudit_search_sysadm_home_dirs(readahead_t)
-ifdef(`targeted_policy',`
- files_dontaudit_read_root_files(readahead_t)
- term_dontaudit_use_unallocated_ttys(readahead_t)
- term_dontaudit_use_generic_ptys(readahead_t)
-')
-
optional_policy(`
cron_system_entry(readahead_t, readahead_exec_t)
')
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 762f519..56574ff 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -71,6 +71,9 @@ allow rpm_t self:msg { send receive };
allow rpm_t self:dir search;
allow rpm_t self:file rw_file_perms;;
+allow rpm_t rpm_log_t:file manage_file_perms;
+logging_log_filetrans(rpm_t,rpm_log_t,file)
+
manage_dirs_pattern(rpm_t,rpm_tmp_t,rpm_tmp_t)
manage_files_pattern(rpm_t,rpm_tmp_t,rpm_tmp_t)
files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
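Review bot: The context line directly above the new rules, `allow rpm_t self:file rw_file_perms;;`, carries a stray second semicolon that this commit does not address; since the hunk already touches this spot, drop it to `allow rpm_t self:file rw_file_perms;`. The new unconditional `allow rpm_t rpm_log_t:file manage_file_perms;` and `logging_log_filetrans(rpm_t,rpm_log_t,file)` are fine on their own.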
@@ -172,22 +175,6 @@ sysnet_read_config(rpm_t)
userdom_use_unpriv_users_fds(rpm_t)
-ifdef(`distro_redhat',`
- unconfined_domain(rpm_t)
-')
-
-ifdef(`targeted_policy',`
- unconfined_domain(rpm_t)
- # yum-updatesd requires this
- unconfined_dbus_chat(rpm_t)
-',`
- # cjp: these are here to stop type_transition
- # conflicts since rpm_t is an alias of
- # unconfined in the targeted policy
- allow rpm_t rpm_log_t:file manage_file_perms;
- logging_log_filetrans(rpm_t,rpm_log_t,file)
-')
-
optional_policy(`
cron_system_entry(rpm_t,rpm_exec_t)
')
@@ -204,6 +191,12 @@ optional_policy(`
prelink_domtrans(rpm_t)
')
+optional_policy(`
+ unconfined_domain(rpm_t)
+ # yum-updatesd requires this
+ unconfined_dbus_chat(rpm_t)
+')
+
ifdef(`TODO',`
# read/write/create any files in the system
dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
@@ -332,26 +325,6 @@ seutil_domtrans_semanage(rpm_script_t)
userdom_use_all_users_fds(rpm_script_t)
ifdef(`distro_redhat',`
- unconfined_domain(rpm_script_t)
-')
-
-ifdef(`targeted_policy',`
- unconfined_domain(rpm_script_t)
-
- optional_policy(`
- java_domtrans(rpm_script_t)
- ')
-
- optional_policy(`
- mono_domtrans(rpm_script_t)
- ')
-
- optional_policy(`
- unconfined_domtrans(rpm_script_t)
- ')
-')
-
-ifdef(`distro_redhat',`
optional_policy(`
mta_send_mail(rpm_script_t)
')
@@ -375,6 +348,19 @@ optional_policy(`
')
optional_policy(`
+ unconfined_domain(rpm_script_t)
+ unconfined_domtrans(rpm_script_t)
+
+ optional_policy(`
+ java_domtrans(rpm_script_t)
+ ')
+
+ optional_policy(`
+ mono_domtrans(rpm_script_t)
+ ')
+')
+
+optional_policy(`
usermanage_domtrans_groupadd(rpm_script_t)
usermanage_domtrans_useradd(rpm_script_t)
')
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 6c337fa..28c5785 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -254,35 +254,20 @@ template(`su_per_role_template',`
seutil_read_config($1_su_t)
seutil_read_default_contexts($1_su_t)
- ifdef(`strict_policy',`
- if(secure_mode) {
- # Only allow transitions to unprivileged user domains.
- userdom_spec_domtrans_unpriv_users($1_su_t)
- } else {
- # Allow transitions to all user domains
- userdom_spec_domtrans_all_users($1_su_t)
- }
- ')
-
- ifdef(`targeted_policy',`
+ if(secure_mode) {
+ # Only allow transitions to unprivileged user domains.
+ userdom_spec_domtrans_unpriv_users($1_su_t)
+ } else {
+ # Allow transitions to all user domains
+ userdom_spec_domtrans_all_users($1_su_t)
+ }
+
+ optional_policy(`
unconfined_domtrans($1_su_t)
unconfined_signal($1_su_t)
')
')
- ifdef(`targeted_policy',`
- # allow user to suspend terminal.
- # does not work in strict since the
- # parent may not be able to use
- # the terminal if we newrole,
- # which relabels the terminal.
- allow $1_su_t self:process sigstop;
-
- corecmd_exec_bin($1_su_t)
- userdom_manage_all_users_home_content_files($1_su_t)
- userdom_manage_all_users_home_content_symlinks($1_su_t)
- ')
-
tunable_policy(`allow_polyinstantiation',`
fs_mount_xattr_fs($1_su_t)
fs_unmount_xattr_fs($1_su_t)
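Review bot: The now-unconditional `if(secure_mode)` block only narrows the user-domain transitions, while the `optional_policy(` added directly after it grants `unconfined_domtrans($1_su_t)` regardless of `secure_mode`, so on a system with the unconfined module loaded su can still enter unconfined_t with secure_mode on — and the comment `# Only allow transitions to unprivileged user domains.` is then not true. Conditional domain transitions are already used a few lines above (`userdom_spec_domtrans_unpriv_users`), so the unconfined transition can be guarded the same way inside the optional block, leaving `unconfined_signal` unconditional. This assumes su into unconfined_t under secure_mode is not intended; if it is, the comment should say so instead. The enclosing `su_per_role_template` starts before this hunk.
```m4
	# … unchanged: secure_mode user-domain transitions …

	optional_policy(`
		# secure_mode also blocks the transition to unconfined_t
		if(!secure_mode) {
			unconfined_domtrans($1_su_t)
		}
		unconfined_signal($1_su_t)
	')
```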
diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te
index 165f240..2447b25 100644
--- a/policy/modules/admin/sxid.te
+++ b/policy/modules/admin/sxid.te
@@ -88,12 +88,6 @@ userdom_dontaudit_use_unpriv_user_fds(sxid_t)
cron_system_entry(sxid_t,sxid_exec_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(sxid_t)
- term_dontaudit_use_generic_ptys(sxid_t)
- files_dontaudit_read_root_files(sxid_t)
-')
-
optional_policy(`
mta_send_mail(sxid_t)
')
diff --git a/policy/modules/admin/tzdata.if b/policy/modules/admin/tzdata.if
index af803bf..747bf4a 100644
--- a/policy/modules/admin/tzdata.if
+++ b/policy/modules/admin/tzdata.if
@@ -17,3 +17,34 @@ interface(`tzdata_domtrans',`
domtrans_pattern($1,tzdata_exec_t,tzdata_t)
')
+
+########################################
+## <summary>
+## Execute the tzdata program in the tzdata domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the tzdata domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the tzdata domain to use.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tzdata_run',`
+ gen_require(`
+ type tzdata_t;
+ ')
+
+ tzdata_domtrans($1)
+ role $2 types tzdata_t;
+ allow tzdata_t $3:chr_file rw_term_perms;
+')
diff --git a/policy/modules/admin/tzdata.te b/policy/modules/admin/tzdata.te
index a1a0e24..7ea6af7 100644
--- a/policy/modules/admin/tzdata.te
+++ b/policy/modules/admin/tzdata.te
@@ -30,11 +30,6 @@ miscfiles_read_localization(tzdata_t)
miscfiles_manage_localization(tzdata_t)
miscfiles_etc_filetrans_localization(tzdata_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(tzdata_t)
- term_dontaudit_use_generic_ptys(tzdata_t)
-')
-
# tzdata looks for /var/spool/postfix/etc/localtime.
optional_policy(`
postfix_search_spool(tzdata_t)
diff --git a/policy/modules/admin/updfstab.te b/policy/modules/admin/updfstab.te
index df44c1f..2750893 100644
--- a/policy/modules/admin/updfstab.te
+++ b/policy/modules/admin/updfstab.te
@@ -79,16 +79,9 @@ seutil_read_config(updfstab_t)
seutil_read_default_contexts(updfstab_t)
seutil_read_file_contexts(updfstab_t)
-userdom_use_sysadm_ttys(updfstab_t)
userdom_dontaudit_search_all_users_home_content(updfstab_t)
userdom_dontaudit_use_unpriv_user_fds(updfstab_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(updfstab_t)
- term_dontaudit_use_generic_ptys(updfstab_t)
- files_dontaudit_read_root_files(updfstab_t)
-')
-
optional_policy(`
auth_domtrans_pam_console(updfstab_t)
')
diff --git a/policy/modules/apps/ada.fc b/policy/modules/apps/ada.fc
index 01a8572..e802ed5 100644
--- a/policy/modules/apps/ada.fc
+++ b/policy/modules/apps/ada.fc
@@ -1,9 +1,7 @@
#
# /usr
#
-ifdef(`targeted_policy',`
/usr/bin/gnatbind -- gen_context(system_u:object_r:ada_exec_t,s0)
/usr/bin/gnatls -- gen_context(system_u:object_r:ada_exec_t,s0)
/usr/bin/gnatmake -- gen_context(system_u:object_r:ada_exec_t,s0)
/usr/libexec/gcc(/.*)?/gnat1 -- gen_context(system_u:object_r:ada_exec_t,s0)
-')
diff --git a/policy/modules/apps/ada.if b/policy/modules/apps/ada.if
index 2c1c44f..348c348 100644
--- a/policy/modules/apps/ada.if
+++ b/policy/modules/apps/ada.if
@@ -11,16 +11,12 @@
## </param>
#
interface(`ada_domtrans',`
- ifdef(`targeted_policy',`
- gen_require(`
- type ada_t, ada_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, ada_exec_t, ada_t)
- ',`
- refpolicywarn(`$0($1) has no effect in strict policy.')
+ gen_require(`
+ type ada_t, ada_exec_t;
')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ada_exec_t, ada_t)
')
########################################
@@ -30,7 +26,7 @@ interface(`ada_domtrans',`
## </summary>
## <param name="domain">
## <summary>
-## The type of the process performing this action.
+## Domain allowed access.
## </summary>
## </param>
## <param name="role">
@@ -45,15 +41,11 @@ interface(`ada_domtrans',`
## </param>
#
interface(`ada_run',`
- ifdef(`targeted_policy',`
- gen_require(`
- type ada_t;
- ')
-
- ada_domtrans($1)
- role $2 types ada_t;
- allow ada_t $3:chr_file rw_term_perms;
- ',`
- refpolicywarn(`$0($1) has no effect in strict policy.')
+ gen_require(`
+ type ada_t;
')
+
+ ada_domtrans($1)
+ role $2 types ada_t;
+ allow ada_t $3:chr_file rw_term_perms;
')
diff --git a/policy/modules/apps/ada.te b/policy/modules/apps/ada.te
index 7628b8b..a629215 100644
--- a/policy/modules/apps/ada.te
+++ b/policy/modules/apps/ada.te
@@ -9,14 +9,15 @@ policy_module(ada,1.1.0)
type ada_t;
type ada_exec_t;
application_domain(ada_t,ada_exec_t)
+role system_r types ada_t;
########################################
#
# Local policy
#
-ifdef(`targeted_policy',`
- allow ada_t self:process { execstack execmem };
+allow ada_t self:process { execstack execmem };
+
+optional_policy(`
unconfined_domain_noaudit(ada_t)
- role system_r types ada_t;
')
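Review bot: `allow ada_t self:process { execstack execmem };` is now granted in every configuration (it was targeted-only before) with no note of why an Ada toolchain needs an executable stack and executable anonymous memory — two of the memory-protection relaxations that global tunables such as `allow_execmem` exist to control. java.te in this same commit justifies its equivalent line with `# execheap is needed for itanium/BEA jrocket`; a comparable one-liner here, or gating the rule on the corresponding tunable if the need is not universal, would make the grant reviewable.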
diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te
index 90d9e84..0af2bf6 100644
--- a/policy/modules/apps/cdrecord.te
+++ b/policy/modules/apps/cdrecord.te
@@ -6,7 +6,6 @@ policy_module(cdrecord,1.3.0)
# Declarations
#
-ifdef(`strict_policy',`
## <desc>
## <p>
## Allow cdrecord to read various content.
@@ -15,7 +14,6 @@ ifdef(`strict_policy',`
## </p>
## </desc>
gen_tunable(cdrecord_read_content,false)
-')
type cdrecord_exec_t;
application_executable_file(cdrecord_exec_t)
diff --git a/policy/modules/apps/ethereal.fc b/policy/modules/apps/ethereal.fc
index 12ae276..7204fe2 100644
--- a/policy/modules/apps/ethereal.fc
+++ b/policy/modules/apps/ethereal.fc
@@ -1,7 +1,4 @@
+HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:ROLE_ethereal_home_t,s0)
/usr/sbin/ethereal.* -- gen_context(system_u:object_r:ethereal_exec_t,s0)
/usr/sbin/tethereal.* -- gen_context(system_u:object_r:tethereal_exec_t,s0)
-
-ifdef(`strict_policy',`
-HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:ROLE_ethereal_home_t,s0)
-')
diff --git a/policy/modules/apps/evolution.fc b/policy/modules/apps/evolution.fc
index 4399a1a..1b425f4 100644
--- a/policy/modules/apps/evolution.fc
+++ b/policy/modules/apps/evolution.fc
@@ -1,10 +1,14 @@
+#
+# HOME_DIR/
+#
+
+HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:ROLE_evolution_home_t,s0)
+HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:ROLE_evolution_home_t,s0)
#
# /tmp
#
-ifdef(`strict_policy',`
/tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:ROLE_evolution_exchange_tmp_t,s0)
-')
#
# /usr
@@ -15,8 +19,3 @@ ifdef(`strict_policy',`
/usr/libexec/evolution/.*evolution-exchange-storage.* -- gen_context(system_u:object_r:evolution_exchange_exec_t,s0)
/usr/libexec/evolution-data-server.* -- gen_context(system_u:object_r:evolution_server_exec_t,s0)
/usr/libexec/evolution-webcal.* -- gen_context(system_u:object_r:evolution_webcal_exec_t,s0)
-
-ifdef(`strict_policy',`
-HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:ROLE_evolution_home_t,s0)
-HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:ROLE_evolution_home_t,s0)
-')
diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
index 75d96a4..c8f7a05 100644
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@@ -60,12 +60,6 @@ miscfiles_read_localization(games_t)
userdom_dontaudit_use_unpriv_user_fds(games_t)
userdom_dontaudit_search_sysadm_home_dirs(games_t)
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(games_t)
- term_dontaudit_use_generic_ptys(games_t)
- files_dontaudit_read_root_files(games_t)
-')
-
optional_policy(`
seutil_sigchld_newrole(games_t)
')
diff --git a/policy/modules/apps/gift.fc b/policy/modules/apps/gift.fc
index 09d6a60..2c2a01a 100644
--- a/policy/modules/apps/gift.fc
+++ b/policy/modules/apps/gift.fc
@@ -1,8 +1,6 @@
+HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:ROLE_gift_home_t,s0)
+
/usr/(local/)?bin/apollon -- gen_context(system_u:object_r:gift_exec_t,s0)
/usr/(local/)?bin/giftd -- gen_context(system_u:object_r:giftd_exec_t,s0)
/usr/(local/)?bin/giftui -- gen_context(system_u:object_r:gift_exec_t,s0)
/usr/(local/)?bin/giFToxic -- gen_context(system_u:object_r:gift_exec_t,s0)
-
-ifdef(`strict_policy',`
-HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:ROLE_gift_home_t,s0)
-')
diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc
index c812095..e5f5f1c 100644
--- a/policy/modules/apps/gnome.fc
+++ b/policy/modules/apps/gnome.fc
@@ -1,11 +1,8 @@
HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:ROLE_gnome_home_t,s0)
+HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:ROLE_gconf_home_t,s0)
/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
-/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
-
-ifdef(`strict_policy',`
-HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:ROLE_gconf_home_t,s0)
-
/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:ROLE_gconf_tmp_t,s0)
-')
+
+/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
diff --git a/policy/modules/apps/gpg.fc b/policy/modules/apps/gpg.fc
index 78f8a10..0c5dc94 100644
--- a/policy/modules/apps/gpg.fc
+++ b/policy/modules/apps/gpg.fc
@@ -1,3 +1,4 @@
+HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:ROLE_gpg_secret_t,s0)
/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
@@ -6,7 +7,3 @@
/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
-
-ifdef(`targeted_policy',`',`
-HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:ROLE_gpg_secret_t,s0)
-')
diff --git a/policy/modules/apps/irc.fc b/policy/modules/apps/irc.fc
index 4a2c7c7..618588c 100644
--- a/policy/modules/apps/irc.fc
+++ b/policy/modules/apps/irc.fc
@@ -1,9 +1,7 @@
#
# /home
#
-ifdef(`strict_policy',`
HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:ROLE_irc_home_t,s0)
-')
#
# /usr
diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if
index a2c4011..cb557b0 100644
--- a/policy/modules/apps/java.if
+++ b/policy/modules/apps/java.if
@@ -151,7 +151,6 @@ template(`java_per_role_template',`
libs_legacy_use_shared_libs($1_javaplugin_t)
libs_legacy_use_ld_so($1_javaplugin_t)
- libs_use_lib_files($1_javaplugin_t)
miscfiles_legacy_read_localization($1_javaplugin_t)
')
@@ -213,14 +212,10 @@ template(`java_domtrans_user_javaplugin',`
## </param>
#
interface(`java_domtrans',`
- ifdef(`targeted_policy',`
- gen_require(`
- type java_t, java_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, java_exec_t, java_t)
- ',`
- refpolicywarn(`$0($1) has no effect in strict policy.')
+ gen_require(`
+ type java_t, java_exec_t;
')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, java_exec_t, java_t)
')
diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
index a00de9b..921c45a 100644
--- a/policy/modules/apps/java.te
+++ b/policy/modules/apps/java.te
@@ -22,13 +22,12 @@ init_system_domain(java_t,java_exec_t)
# Local policy
#
-ifdef(`targeted_policy',`
- # execheap is needed for itanium/BEA jrocket
- allow java_t self:process { execstack execmem execheap };
- role system_r types java_t;
+# execheap is needed for itanium/BEA jrocket
+allow java_t self:process { execstack execmem execheap };
- init_dbus_chat_script(java_t)
+init_dbus_chat_script(java_t)
+optional_policy(`
unconfined_domain_noaudit(java_t)
unconfined_dbus_chat(java_t)
')
diff --git a/policy/modules/apps/loadkeys.if b/policy/modules/apps/loadkeys.if
index 8515073..758d1c1 100644
--- a/policy/modules/apps/loadkeys.if
+++ b/policy/modules/apps/loadkeys.if
@@ -11,16 +11,12 @@
## </param>
#
interface(`loadkeys_domtrans',`
- ifdef(`strict_policy',`
- gen_require(`
- type loadkeys_t, loadkeys_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, loadkeys_exec_t, loadkeys_t)
- ',`
- refpolicywarn(`$0($*) has no effect in targeted policy.')
+ gen_require(`
+ type loadkeys_t, loadkeys_exec_t;
')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, loadkeys_exec_t, loadkeys_t)
')
########################################
@@ -45,18 +41,13 @@ interface(`loadkeys_domtrans',`
## <rolecap/>
#
interface(`loadkeys_run',`
- ifdef(`targeted_policy',`
- # $0(): disabled in targeted policy as there
- # is no loadkeys domain.
- ',`
- gen_require(`
- type loadkeys_t;
- ')
-
- loadkeys_domtrans($1)
- role $2 types loadkeys_t;
- allow loadkeys_t $3:chr_file rw_term_perms;
+ gen_require(`
+ type loadkeys_t;
')
+
+ loadkeys_domtrans($1)
+ role $2 types loadkeys_t;
+ allow loadkeys_t $3:chr_file rw_term_perms;
')
########################################
@@ -70,15 +61,9 @@ interface(`loadkeys_run',`
## </param>
#
interface(`loadkeys_exec',`
- ifdef(`targeted_policy',`
- # $0(): the loadkeys program is an alias
- # of generic bin programs.
- corecmd_exec_bin($1)
- ',`
- gen_require(`
- type loadkeys_exec_t;
- ')
-
- can_exec($1,loadkeys_exec_t)
+ gen_require(`
+ type loadkeys_exec_t;
')
+
+ can_exec($1,loadkeys_exec_t)
')
diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
index 88eabb3..cf73ab1 100644
--- a/policy/modules/apps/loadkeys.te
+++ b/policy/modules/apps/loadkeys.te
@@ -6,51 +6,41 @@ policy_module(loadkeys,1.2.0)
# Declarations
#
-ifdef(`targeted_policy',`
- # for compatibility with strict:
- corecmd_bin_alias(loadkeys_exec_t)
-',`
- # cjp: this should probably be rewritten
- # per user domain, since it can rw
- # all user domain ttys
-
- type loadkeys_t;
- type loadkeys_exec_t;
- init_system_domain(loadkeys_t,loadkeys_exec_t)
-')
+# cjp: this should probably be rewritten
+# per user domain, since it can rw
+# all user domain ttys
+type loadkeys_t;
+type loadkeys_exec_t;
+init_system_domain(loadkeys_t,loadkeys_exec_t)
########################################
#
# Local policy
#
-ifdef(`targeted_policy',`
- # loadkeys domain disabled in targeted policy
-',`
- allow loadkeys_t self:capability { dac_override dac_read_search setuid sys_tty_config };
- allow loadkeys_t self:fifo_file rw_fifo_file_perms;
+allow loadkeys_t self:capability { dac_override dac_read_search setuid sys_tty_config };
+allow loadkeys_t self:fifo_file rw_fifo_file_perms;
- kernel_read_system_state(loadkeys_t)
+kernel_read_system_state(loadkeys_t)
- corecmd_exec_bin(loadkeys_t)
- corecmd_exec_shell(loadkeys_t)
+corecmd_exec_bin(loadkeys_t)
+corecmd_exec_shell(loadkeys_t)
- files_read_etc_files(loadkeys_t)
- files_read_etc_runtime_files(loadkeys_t)
+files_read_etc_files(loadkeys_t)
+files_read_etc_runtime_files(loadkeys_t)
- term_dontaudit_use_console(loadkeys_t)
- term_use_unallocated_ttys(loadkeys_t)
+term_dontaudit_use_console(loadkeys_t)
+term_use_unallocated_ttys(loadkeys_t)
- init_dontaudit_use_script_ptys(loadkeys_t)
+init_dontaudit_use_script_ptys(loadkeys_t)
- libs_use_ld_so(loadkeys_t)
- libs_use_shared_libs(loadkeys_t)
+libs_use_ld_so(loadkeys_t)
+libs_use_shared_libs(loadkeys_t)
- locallogin_use_fds(loadkeys_t)
+locallogin_use_fds(loadkeys_t)
- miscfiles_read_localization(loadkeys_t)
+miscfiles_read_localization(loadkeys_t)
- optional_policy(`
- nscd_dontaudit_search_pid(loadkeys_t)
- ')
+optional_policy(`
+ nscd_dontaudit_search_pid(loadkeys_t)
')
diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te
index 9072bee..034dd6a 100644
--- a/policy/modules/apps/mono.te
+++ b/policy/modules/apps/mono.te
@@ -15,37 +15,34 @@ init_system_domain(mono_t,mono_exec_t)
# Local policy
#
-ifdef(`targeted_policy',`
- allow mono_t self:process { execheap execmem };
+allow mono_t self:process { execheap execmem };
- unconfined_domain_noaudit(mono_t)
- unconfined_dbus_chat(mono_t)
-
- userdom_generic_user_home_dir_filetrans_generic_user_home_content(mono_t,{ dir file lnk_file fifo_file sock_file })
+userdom_generic_user_home_dir_filetrans_generic_user_home_content(mono_t,{ dir file lnk_file fifo_file sock_file })
- init_dbus_chat_script(mono_t)
+init_dbus_chat_script(mono_t)
- optional_policy(`
- avahi_dbus_chat(mono_t)
- ')
+optional_policy(`
+ avahi_dbus_chat(mono_t)
+')
- optional_policy(`
- cups_dbus_chat(mono_t)
- ')
+optional_policy(`
+ cups_dbus_chat(mono_t)
+')
- optional_policy(`
- hal_dbus_chat(mono_t)
- ')
+optional_policy(`
+ hal_dbus_chat(mono_t)
+')
- optional_policy(`
- networkmanager_dbus_chat(mono_t)
- ')
+optional_policy(`
+ networkmanager_dbus_chat(mono_t)
+')
- optional_policy(`
- rpm_dbus_chat(mono_t)
- ')
+optional_policy(`
+ rpm_dbus_chat(mono_t)
+')
- optional_policy(`
- unconfined_dbus_connect(mono_t)
- ')
+optional_policy(`
+ unconfined_domain_noaudit(mono_t)
+ unconfined_dbus_chat(mono_t)
+ unconfined_dbus_connect(mono_t)
')
diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
index 7218f9f..99f54ca 100644
--- a/policy/modules/apps/mozilla.fc
+++ b/policy/modules/apps/mozilla.fc
@@ -1,3 +1,9 @@
+HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
+HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
+HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
+HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
+HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
+
#
# /bin
#
@@ -23,12 +29,3 @@
/usr/lib(64)?/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/lib(64)?/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-
-# netscape/mozilla
-ifdef(`strict_policy',`
-HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0)
-')
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
index 2450078..558208a 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -173,7 +173,6 @@ template(`mozilla_per_role_template',`
term_dontaudit_getattr_pty_dirs($1_mozilla_t)
libs_use_ld_so($1_mozilla_t)
- libs_use_lib_files($1_mozilla_t)
libs_use_shared_libs($1_mozilla_t)
logging_send_syslog_msg($1_mozilla_t)
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 4d2b991..a3a29f6 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -6,14 +6,12 @@ policy_module(mozilla,1.4.0)
# Declarations
#
-ifdef(`strict_policy',`
## <desc>
## <p>
## Control mozilla content access
## </p>
## </desc>
gen_tunable(mozilla_read_content,false)
-')
type mozilla_conf_t;
files_config_file(mozilla_conf_t)
diff --git a/policy/modules/apps/mplayer.fc b/policy/modules/apps/mplayer.fc
index 4806b64..ffef8be 100644
--- a/policy/modules/apps/mplayer.fc
+++ b/policy/modules/apps/mplayer.fc
@@ -10,6 +10,4 @@
/usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0)
/usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0)
-ifdef(`strict_policy',`
HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:ROLE_mplayer_home_t,s0)
-')
diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
index 7065984..9153029 100644
--- a/policy/modules/apps/mplayer.te
+++ b/policy/modules/apps/mplayer.te
@@ -6,27 +6,19 @@ policy_module(mplayer,1.3.0)
# Declarations
#
-ifdef(`strict_policy',`
## <desc>
## <p>
## Allow mplayer executable stack
## </p>
## </desc>
gen_tunable(allow_mplayer_execstack,false)
-')
+
+type mencoder_exec_t;
+application_executable_file(mencoder_exec_t)
type mplayer_etc_t;
files_config_file(mplayer_etc_t)
-ifdef(`strict_policy',`
- type mencoder_exec_t;
- application_executable_file(mencoder_exec_t)
-
- type mplayer_exec_t;
- application_executable_file(mplayer_exec_t)
-')
-
-ifdef(`targeted_policy',`
- unconfined_execmem_alias_program(mencoder_exec_t)
- unconfined_execmem_alias_program(mplayer_exec_t)
-')
+type mplayer_exec_t;
+corecmd_executable_file(mplayer_exec_t)
+application_executable_file(mplayer_exec_t)
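Review bot: `corecmd_executable_file(mplayer_exec_t)` is added for mplayer_exec_t but not for mencoder_exec_t, although both types receive `application_executable_file` and both lose the same `unconfined_execmem_alias_program` call in this hunk. If the extra core-command requirement is meant to stand in for the removed alias, mencoder_exec_t presumably needs it as well; if the asymmetry is deliberate, a one-line comment above the corecmd_executable_file call saying why mplayer alone is treated as a core command would stop it being "fixed" later.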
diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc
index fa622bc..92211c9 100644
--- a/policy/modules/apps/screen.fc
+++ b/policy/modules/apps/screen.fc
@@ -1,9 +1,7 @@
#
# /home
#
-ifdef(`strict_policy',`
HOME_DIR/\.screenrc -- gen_context(system_u:object_r:ROLE_screen_ro_home_t,s0)
-')
#
# /usr
diff --git a/policy/modules/apps/thunderbird.fc b/policy/modules/apps/thunderbird.fc
index cd80a95..2b6c006 100644
--- a/policy/modules/apps/thunderbird.fc
+++ b/policy/modules/apps/thunderbird.fc
@@ -3,6 +3,4 @@
#
/usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
-ifdef(`strict_policy',`
HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:ROLE_thunderbird_home_t,s0)
-')
diff --git a/policy/modules/apps/uml.fc b/policy/modules/apps/uml.fc
index 2a4afa0..ba0a764 100644
--- a/policy/modules/apps/uml.fc
+++ b/policy/modules/apps/uml.fc
@@ -1,4 +1,9 @@
#
+# HOME_DIR/
+#
+HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:ROLE_uml_rw_t,s0)
+
+#
# /usr
#
/usr/bin/uml_switch -- gen_context(system_u:object_r:uml_switch_exec_t,s0)
@@ -7,7 +12,3 @@
# /var
#
/var/run/uml-utilities(/.*)? gen_context(system_u:object_r:uml_switch_var_run_t,s0)
-
-ifdef(`strict_policy',`
- HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:ROLE_uml_rw_t,s0)
-')
diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te
index a399a25..389d1d7 100644
--- a/policy/modules/apps/uml.te
+++ b/policy/modules/apps/uml.te
@@ -59,13 +59,6 @@ miscfiles_read_localization(uml_switch_t)
userdom_dontaudit_use_unpriv_user_fds(uml_switch_t)
userdom_dontaudit_search_sysadm_home_dirs(uml_switch_t)
-ifdef(`targeted_policy',`
- files_dontaudit_read_root_files(uml_switch_t)
-
- term_dontaudit_use_unallocated_ttys(uml_switch_t)
- term_dontaudit_use_generic_ptys(uml_switch_t)
-')
-
optional_policy(`
seutil_sigchld_newrole(uml_switch_t)
')
diff --git a/policy/modules/apps/vmware.fc b/policy/modules/apps/vmware.fc
index ea0b7ef..b10db09 100644
--- a/policy/modules/apps/vmware.fc
+++ b/policy/modules/apps/vmware.fc
@@ -1,11 +1,9 @@
#
# HOME_DIR/
#
-ifdef(`strict_policy',`
HOME_DIR/\.vmware(/.*)? gen_context(system_u:object_r:ROLE_vmware_file_t,s0)
-HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:ROLE_vmware_file_t,s0)
HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:ROLE_vmware_conf_t,s0)
-')
+HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:ROLE_vmware_file_t,s0)
#
# /etc
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
index 5388212..9faf148 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@@ -89,12 +89,6 @@ sysnet_dns_name_resolve(vmware_host_t)
userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
userdom_dontaudit_search_sysadm_home_dirs(vmware_host_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(vmware_host_t)
- term_dontaudit_use_generic_ptys(vmware_host_t)
- files_dontaudit_read_root_files(vmware_host_t)
-')
-
optional_policy(`
seutil_sigchld_newrole(vmware_host_t)
diff --git a/policy/modules/apps/webalizer.te b/policy/modules/apps/webalizer.te
index 7a3a15f..438d849 100644
--- a/policy/modules/apps/webalizer.te
+++ b/policy/modules/apps/webalizer.te
@@ -89,11 +89,6 @@ userdom_dontaudit_search_all_users_home_content(webalizer_t)
apache_read_log(webalizer_t)
apache_manage_sys_content(webalizer_t)
-ifdef(`targeted_policy',`
- term_use_generic_ptys(webalizer_t)
- term_use_unallocated_ttys(webalizer_t)
-')
-
optional_policy(`
cron_system_entry(webalizer_t,webalizer_exec_t)
')
diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
index 8a87106..c237c8b 100644
--- a/policy/modules/apps/wine.te
+++ b/policy/modules/apps/wine.te
@@ -15,7 +15,7 @@ application_domain(wine_t,wine_exec_t)
# Local policy
#
-ifdef(`targeted_policy',`
+optional_policy(`
allow wine_t self:process { execstack execmem execheap };
unconfined_domain_noaudit(wine_t)
files_execmod_all_files(wine_t)
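Review bot: `allow wine_t self:process { execstack execmem execheap };` now sits inside the `optional_policy` block that was previously `ifdef(targeted_policy)`, so if the unconfined module is not loaded the whole block is dropped and wine_t loses its execmem permissions even though that self rule does not depend on any other module. Move the allow above the `optional_policy(` line and keep only `unconfined_domain_noaudit(wine_t)` and `files_execmod_all_files(wine_t)` inside it. The closing `')` of the block is outside the hunk.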
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 4395563..7c202da 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -72,10 +72,6 @@ ifdef(`distro_debian',`
/etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0)
')
-ifdef(`targeted_policy',`
-/etc/X11/prefdm -- gen_context(system_u:object_r:bin_t,s0)
-')
-
#
# /lib
#
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 3de0969..881fc71 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -32,11 +32,11 @@ interface(`corecmd_executable_file',`
########################################
## <summary>
-## Create a aliased type to generic bin files.
+## Create a aliased type to generic bin files. (Deprecated)
## </summary>
## <desc>
## <p>
-## Create a aliased type to generic bin files.
+## Create a aliased type to generic bin files. (Deprecated)
## </p>
## <p>
## This is added to support targeted policy. Its
@@ -51,15 +51,7 @@ interface(`corecmd_executable_file',`
## </param>
#
interface(`corecmd_bin_alias',`
- ifdef(`targeted_policy',`
- gen_require(`
- type bin_t;
- ')
-
- typealias bin_t alias $1;
- ',`
- refpolicywarn(`$0($*) has no effect in strict policy.')
- ')
+ refpolicywarn(`$0($*) has been deprecated.')
')
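Review bot: corecmd_bin_alias now does nothing but emit `refpolicywarn`, yet the interface's <desc> immediately above still says it was added to support targeted policy and describes creating an alias of bin_t; with targeted gone that text is misleading for callers. Suggest replacing the explanatory paragraph with a sentence stating that the interface is a no-op kept for source compatibility and will be removed, and telling callers to declare their own executable type instead (as loadkeys.te now does in this commit).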
########################################
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index a8a12f7..232b16d 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -45,11 +45,6 @@ interface(`domain_type',`
# start with basic domain
domain_base_type($1)
- ifdef(`targeted_policy',`
- unconfined_use_fds($1)
- unconfined_sigchld($1)
- ')
-
# send init a sigchld and signull
optional_policy(`
init_sigchld($1)
@@ -1240,19 +1235,17 @@ interface(`domain_entry_file_spec_domtrans',`
interface(`domain_unconfined',`
gen_require(`
attribute set_curr_context;
- attribute can_change_process_identity;
- attribute can_change_process_role;
attribute can_change_object_identity;
attribute unconfined_domain_type;
+ attribute process_uncond_exempt;
')
typeattribute $1 unconfined_domain_type;
# pass constraints
- typeattribute $1 can_change_process_identity;
- typeattribute $1 can_change_process_role;
typeattribute $1 can_change_object_identity;
typeattribute $1 set_curr_context;
+ typeattribute $1 process_uncond_exempt;
')
########################################
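Review bot: domain_unconfined no longer assigns `can_change_process_identity` or `can_change_process_role` and instead adds `process_uncond_exempt`; unless the constraints that reference the two dropped attributes have been rewritten elsewhere in this commit to honour the new attribute, unconfined domains will start failing the process identity/role change constraints. The hunk does not show the constraints side, so a comment on the new line would help, e.g. `typeattribute $1 process_uncond_exempt; # exempts from the process identity/role constraints (was can_change_process_identity/role)`.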
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 1f93814..d075c54 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -92,20 +92,6 @@ term_use_controlling_term(domain)
# list the root directory
files_list_root(domain)
-ifdef(`targeted_policy',`
- # RBAC is disabled in the targeted policy,
- # as only one role is used, system_r.
- role system_r types domain;
-
- # FIXME:
- # workaround until role dominance is fixed in
- # the module compiler
- role secadm_r types domain;
- role sysadm_r types domain;
- role user_r types domain;
- role staff_r types domain;
-')
-
tunable_policy(`global_ssp',`
# enable reading of urandom for all domains:
# this should be enabled when all programs
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index cd51464..8c7600f 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -468,8 +468,7 @@ interface(`files_read_all_files',`
## Allow shared library text relocations in all files.
## </p>
## <p>
-## This is added to support WINE in the targeted
-## policy. It has no effect on the strict policy.
+## This is added to support WINE policy.
## </p>
## </desc>
## <param name="domain">
@@ -479,15 +478,11 @@ interface(`files_read_all_files',`
## </param>
#
interface(`files_execmod_all_files',`
- ifdef(`targeted_policy',`
- gen_require(`
- attribute file_type;
- ')
-
- allow $1 file_type:file execmod;
- ',`
- refpolicywarn(`$0($1) has no effect in strict policy.')
+ gen_require(`
+ attribute file_type;
')
+
+ allow $1 file_type:file execmod;
')
########################################
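Review bot: `allow $1 file_type:file execmod;` in files_execmod_all_files is now granted unconditionally to any caller in every configuration, while the comparable grant for files_unconfined_type in files.te (same commit) is gated by the `allow_execmod` tunable, so the two are inconsistent and this interface cannot be switched off at runtime. Consider gating it the same way, `tunable_policy(\`allow_execmod\`,\` allow $1 file_type:file execmod; ')`, so text relocations on arbitrary files stay under the existing boolean. The <desc> should also say plainly that this permits execmod on every file_type, not only WINE's own files.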
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index fa78e1f..350d024 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -187,10 +187,7 @@ allow file_type self:filesystem associate;
fs_associate(file_type)
fs_associate_noxattr(file_type)
-
-ifdef(`targeted_policy', `
- fs_associate_tmpfs(file_type)
-')
+fs_associate_tmpfs(file_type)
########################################
#
@@ -220,8 +217,6 @@ allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_fil
# Mount/unmount any filesystem with the context= option.
allow files_unconfined_type file_type:filesystem *;
-ifdef(`targeted_policy',`
- tunable_policy(`allow_execmod',`
- allow files_unconfined_type file_type:file execmod;
- ')
+tunable_policy(`allow_execmod',`
+ allow files_unconfined_type file_type:file execmod;
')
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 7d91bdf..d116c88 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -26,6 +26,9 @@ role sysadm_r;
role staff_r;
role user_r;
+# here until order dependence is fixed:
+role unconfined_r;
+
ifdef(`enable_mls',`
role secadm_r;
role auditadm_r;
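Review bot: `role unconfined_r;` is declared in kernel.te with only `# here until order dependence is fixed:` as explanation; the comment says neither which module owns the role nor what the ordering problem is, so nobody will know when it can be moved. Suggest expanding it along the lines of `# unconfined_r presumably belongs in the unconfined module; declared here so it exists before modules that reference it are linked — TODO move once role ordering is fixed` (the ownership is inferred, adjust as appropriate).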
@@ -252,10 +255,6 @@ ifdef(`distro_redhat',`
fs_rw_tmpfs_chr_files(kernel_t)
')
-ifdef(`targeted_policy',`
- unconfined_domain(kernel_t)
-')
-
tunable_policy(`read_default_t',`
files_list_default(kernel_t)
files_read_default_files(kernel_t)
@@ -336,15 +335,15 @@ optional_policy(`
seutil_read_bin_policy(kernel_t)
')
+optional_policy(`
+ unconfined_domain(kernel_t)
+')
+
########################################
#
# Unlabeled process local policy
#
-ifdef(`targeted_policy',`
- allow unlabeled_t self:filesystem associate;
-')
-
optional_policy(`
# If you load a new policy that removes active domains, processes can
# get stuck if you do not allow unlabeled processes to signal init.
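Review bot: `unconfined_domain(kernel_t)` inside `optional_policy` means the kernel domain becomes unconfined in every configuration as soon as the unconfined module is loaded, where before the merge this was limited to targeted builds; nothing in the hunk records that the confined (formerly strict) behaviour now depends on leaving that module out. Suggest a comment above the block: `# kernel_t is unconfined only when the unconfined module is loaded; omit that module for a confined configuration`. The same pattern is introduced in java.te, mono.te, wine.te and apm.te (`unconfined_domain(apmd_t)`), so the note is worth stating once where the unconfined module is documented as well.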
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index 875b547..c8abb8e 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -31,11 +31,6 @@ fs_associate_tmpfs(devpts_t)
fs_type(devpts_t)
fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
-ifdef(`targeted_policy',`
- # cjp: the ttynode should probably be removed.
- typeattribute devpts_t ttynode, ptynode;
-')
-
#
# devtty_t is the type of /dev/tty.
#
@@ -56,10 +51,6 @@ mls_trusted_object(ptmx_t)
type tty_device_t, serial_device;
dev_node(tty_device_t)
-ifdef(`targeted_policy',`
- typeattribute tty_device_t ttynode;
-')
-
#
# usbtty_device_t is the type of /dev/usr/tty*
#
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
index 94f60a9..a2e3d68 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -150,11 +150,6 @@ cron_rw_pipes(amavis_t)
mta_read_config(amavis_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_generic_ptys(amavis_t)
- term_dontaudit_use_unallocated_ttys(amavis_t)
-')
-
optional_policy(`
clamav_stream_connect(amavis_t)
clamav_domtrans_clamscan(amavis_t)
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
index 68b46dd..c30c0ea 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -1,9 +1,4 @@
-# temporary hack till genhomedircon is fixed
-ifdef(`targeted_policy',`
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-',`
HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0)
-')
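Review bot: the HOME_DIR entry now labels `httpd_ROLE_content_t` for all configurations, and the `httpd_user_content_t` / `httpd_user_script_exec_t` aliases that targeted systems relied on are removed in apache.te, so existing targeted installs carry labels that no longer resolve to a type until the filesystem is relabelled; the commit does not mention this migration. Separately, the targeted-only `tunable_policy(\`httpd_enable_homedirs\`, ...)` blocks granting `userdom_search_generic_user_home_dirs` to httpd_t, httpd_suexec_t and httpd_sys_script_t are deleted in apache.te with no replacement visible here, so if the per-role template does not grant equivalent search access the tunable loses its effect in the merged policy. A Changelog entry describing both, or a comment beside the remaining httpd_enable_homedirs blocks, would help.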
/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 548c8bc..eb026c1 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -182,14 +182,6 @@ files_tmp_file(httpd_tmp_t)
type httpd_tmpfs_t;
files_tmpfs_file(httpd_tmpfs_t)
-# Unconfined domain for apache scripts.
-# Only to be used as a last resort
-type httpd_unconfined_script_t;
-type httpd_unconfined_script_exec_t; # customizable
-domain_type(httpd_unconfined_script_t)
-domain_entry_file(httpd_unconfined_script_t,httpd_unconfined_script_exec_t)
-role system_r types httpd_unconfined_script_t;
-
# for apache2 memory mapped files
type httpd_var_lib_t;
files_type(httpd_var_lib_t)
@@ -201,11 +193,6 @@ files_pid_file(httpd_var_run_t)
type squirrelmail_spool_t;
files_tmp_file(squirrelmail_spool_t)
-ifdef(`targeted_policy',`
- typealias httpd_sys_content_t alias httpd_user_content_t;
- typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
-')
-
optional_policy(`
prelink_object_file(httpd_modules_t)
')
@@ -363,16 +350,6 @@ userdom_use_unpriv_users_fds(httpd_t)
mta_send_mail(httpd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(httpd_t)
- term_dontaudit_use_generic_ptys(httpd_t)
- files_dontaudit_read_root_files(httpd_t)
-
- tunable_policy(`httpd_enable_homedirs',`
- userdom_search_generic_user_home_dirs(httpd_t)
- ')
-')
-
tunable_policy(`allow_httpd_anon_write',`
miscfiles_manage_public_files(httpd_t)
')
@@ -410,13 +387,6 @@ tunable_policy(`httpd_can_network_relay',`
corenet_sendrecv_http_cache_client_packets(httpd_t)
')
-tunable_policy(`httpd_enable_cgi',`
- domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
-
- allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop };
- allow httpd_t httpd_unconfined_script_exec_t:dir list_dir_perms;
-')
-
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -464,6 +434,10 @@ optional_policy(`
')
optional_policy(`
+ cron_system_entry(httpd_t, httpd_exec_t)
+')
+
+optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -632,12 +606,6 @@ logging_send_syslog_msg(httpd_suexec_t)
miscfiles_read_localization(httpd_suexec_t)
-ifdef(`targeted_policy',`
- tunable_policy(`httpd_enable_homedirs',`
- userdom_search_generic_user_home_dirs(httpd_suexec_t)
- ')
-')
-
tunable_policy(`httpd_can_network_connect',`
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
allow httpd_suexec_t self:udp_socket create_socket_perms;
@@ -656,10 +624,6 @@ tunable_policy(`httpd_can_network_connect',`
sysnet_read_config(httpd_suexec_t)
')
-tunable_policy(`httpd_enable_cgi',`
- domtrans_pattern(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
-')
-
tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
')
@@ -726,12 +690,6 @@ ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file { getattr append };
')
-ifdef(`targeted_policy',`
- tunable_policy(`httpd_enable_homedirs',`
- userdom_search_generic_user_home_dirs(httpd_sys_script_t)
- ')
-')
-
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_files(httpd_sys_script_t)
fs_read_nfs_symlinks(httpd_sys_script_t)
@@ -753,21 +711,6 @@ optional_policy(`
########################################
#
-# Apache unconfined script local policy
-#
-
-unconfined_domain(httpd_unconfined_script_t)
-
-optional_policy(`
- cron_system_entry(httpd_t, httpd_exec_t)
-')
-
-optional_policy(`
- nscd_socket_use(httpd_unconfined_script_t)
-')
-
-########################################
-#
# httpd_rotatelogs local policy
#
@@ -785,8 +728,3 @@ libs_use_shared_libs(httpd_rotatelogs_t)
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
-
-ifdef(`targeted_policy',`
- term_dontaudit_use_generic_ptys(httpd_rotatelogs_t)
- term_dontaudit_use_unallocated_ttys(httpd_rotatelogs_t)
-')
diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te
index aef5c8a..59f4e59 100644
--- a/policy/modules/services/apcupsd.te
+++ b/policy/modules/services/apcupsd.te
@@ -86,10 +86,6 @@ logging_send_syslog_msg(apcupsd_t)
miscfiles_read_localization(apcupsd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_generic_ptys(apcupsd_t)
-')
-
optional_policy(`
hostname_exec(apcupsd_t)
')
diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
index 2fad90f..4414826 100644
--- a/policy/modules/services/apm.te
+++ b/policy/modules/services/apm.te
@@ -172,13 +172,6 @@ ifdef(`distro_suse',`
files_var_lib_filetrans(apmd_t,apmd_var_lib_t,file)
')
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(apmd_t)
- term_dontaudit_use_generic_ptys(apmd_t)
- files_dontaudit_read_root_files(apmd_t)
- unconfined_domain(apmd_t)
-')
-
optional_policy(`
automount_domtrans(apmd_t)
')
@@ -227,6 +220,10 @@ optional_policy(`
udev_read_state(apmd_t) #necessary?
')
+optional_policy(`
+ unconfined_domain(apmd_t)
+')
+
# cjp: related to sleep/resume (?)
optional_policy(`
xserver_domtrans_xdm_xserver(apmd_t)
diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te
index d0abdb8..33cf2bb 100644
--- a/policy/modules/services/arpwatch.te
+++ b/policy/modules/services/arpwatch.te
@@ -85,12 +85,6 @@ userdom_dontaudit_search_sysadm_home_dirs(arpwatch_t)
mta_send_mail(arpwatch_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(arpwatch_t)
- term_dontaudit_use_generic_ptys(arpwatch_t)
- files_dontaudit_read_root_files(arpwatch_t)
-')
-
optional_policy(`
seutil_sigchld_newrole(arpwatch_t)
')
diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
index f9d0256..8853d15 100644
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
@@ -127,12 +127,6 @@ sysnet_read_config(asterisk_t)
userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
userdom_dontaudit_search_sysadm_home_dirs(asterisk_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(asterisk_t)
- term_dontaudit_use_generic_ptys(asterisk_t)
- files_dontaudit_read_root_files(asterisk_t)
-')
-
optional_policy(`
nis_use_ypbind(asterisk_t)
')
diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te
index c9d7c19..9723ae5 100644
--- a/policy/modules/services/audioentropy.te
+++ b/policy/modules/services/audioentropy.te
@@ -51,13 +51,6 @@ miscfiles_read_localization(entropyd_t)
userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
userdom_dontaudit_search_sysadm_home_dirs(entropyd_t)
-ifdef(`targeted_policy', `
- files_dontaudit_read_root_files(entropyd_t)
-
- term_dontaudit_use_unallocated_ttys(entropyd_t)
- term_dontaudit_use_generic_ptys(entropyd_t)
-')
-
optional_policy(`
seutil_sigchld_newrole(entropyd_t)
')
diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
index c22a97a..7e84171 100644
--- a/policy/modules/services/automount.te
+++ b/policy/modules/services/automount.te
@@ -147,12 +147,6 @@ sysnet_read_config(automount_t)
userdom_dontaudit_use_unpriv_user_fds(automount_t)
userdom_dontaudit_search_sysadm_home_dirs(automount_t)
-ifdef(`targeted_policy', `
- files_dontaudit_read_root_files(automount_t)
- term_dontaudit_use_unallocated_ttys(automount_t)
- term_dontaudit_use_generic_ptys(automount_t)
-')
-
optional_policy(`
bind_search_cache(automount_t)
')
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index 16a2d07..159d655 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -80,12 +80,6 @@ miscfiles_read_localization(avahi_t)
userdom_dontaudit_use_unpriv_user_fds(avahi_t)
userdom_dontaudit_search_sysadm_home_dirs(avahi_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(avahi_t)
- term_dontaudit_use_generic_ptys(avahi_t)
- files_dontaudit_read_root_files(avahi_t)
-')
-
optional_policy(`
dbus_system_bus_client_template(avahi,avahi_t)
dbus_connect_system_bus(avahi_t)
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 6e59307..94b45a6 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -148,12 +148,6 @@ sysnet_read_config(named_t)
userdom_dontaudit_use_unpriv_user_fds(named_t)
userdom_dontaudit_search_sysadm_home_dirs(named_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(named_t)
- term_dontaudit_use_generic_ptys(named_t)
- files_dontaudit_read_root_files(named_t)
-')
-
tunable_policy(`named_write_master_zones',`
manage_dirs_pattern(named_t,named_zone_t,named_zone_t)
manage_files_pattern(named_t,named_zone_t,named_zone_t)
@@ -265,13 +259,6 @@ ifdef(`distro_redhat',`
allow ndc_t named_conf_t:dir search;
')
-ifdef(`targeted_policy',`
- kernel_dontaudit_read_unlabeled_files(ndc_t)
-
- term_use_unallocated_ttys(ndc_t)
- term_use_generic_ptys(ndc_t)
-')
-
optional_policy(`
nis_use_ypbind(ndc_t)
')
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
index e031f39..4f79278 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -1,5 +1,116 @@
## <summary>Bluetooth tools and system services.</summary>
+#######################################
+## <summary>
+## The per role template for the bluetooth module.
+## </summary>
+## <desc>
+## <p>
+## This template creates derived domains which are used
+## for bluetooth.
+## </p>
+## <p>
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+#
+template(`bluetooth_per_role_template',`
+ gen_require(`
+ attribute bluetooth_helper_domain;
+ type bluetooth_helper_exec_t;
+ ')
+
+ type $1_bluetooth_t, bluetooth_helper_domain;
+ application_domain($1_bluetooth_t, bluetooth_helper_exec_t)
+ role $3 types $1_bluetooth_t;
+
+ type $1_bluetooth_tmp_t;
+ files_tmp_file($1_bluetooth_tmp_t)
+
+ type $1_bluetooth_tmpfs_t;
+ files_tmpfs_file($1_bluetooth_tmpfs_t)
+
+ allow $1_bluetooth_t self:capability sys_nice;
+ allow $1_bluetooth_t self:process getsched;
+ allow $1_bluetooth_t self:fifo_file rw_fifo_file_perms;
+ allow $1_bluetooth_t self:shm create_shm_perms;
+ allow $1_bluetooth_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow $1_bluetooth_t self:tcp_socket create_socket_perms;
+ allow $1_bluetooth_t self:netlink_route_socket r_netlink_socket_perms;
+
+ allow $1_bluetooth_t bluetooth_t:socket { read write };
+
+ manage_dirs_pattern($1_bluetooth_t, $1_bluetooth_tmp_t, $1_bluetooth_tmp_t)
+ manage_files_pattern($1_bluetooth_t, $1_bluetooth_tmp_t, $1_bluetooth_tmp_t)
+ manage_sock_files_pattern($1_bluetooth_t, $1_bluetooth_tmp_t, $1_bluetooth_tmp_t)
+ files_tmp_filetrans($1_bluetooth_t, $1_bluetooth_tmp_t, { file dir sock_file })
+
+ manage_dirs_pattern($1_bluetooth_t, $1_bluetooth_tmpfs_t, $1_bluetooth_tmpfs_t)
+ manage_files_pattern($1_bluetooth_t, $1_bluetooth_tmpfs_t, $1_bluetooth_tmpfs_t)
+ fs_tmpfs_filetrans($1_bluetooth_t, $1_bluetooth_tmpfs_t, { dir file })
+
+ kernel_read_system_state($1_bluetooth_t)
+ kernel_read_kernel_sysctls($1_bluetooth_t)
+
+ dev_read_urand($1_bluetooth_t)
+
+ term_dontaudit_use_all_user_ttys($1_bluetooth_t)
+
+ corecmd_exec_bin($1_bluetooth_t)
+ corecmd_exec_shell($1_bluetooth_t)
+
+ domain_read_all_domains_state($1_bluetooth_t)
+
+ files_read_etc_files($1_bluetooth_t)
+ files_read_etc_runtime_files($1_bluetooth_t)
+ files_read_usr_files($1_bluetooth_t)
+ files_dontaudit_list_default($1_bluetooth_t)
+
+ libs_use_ld_so($1_bluetooth_t)
+ libs_use_shared_libs($1_bluetooth_t)
+
+ locallogin_dontaudit_use_fds($1_bluetooth_t)
+
+ logging_send_syslog_msg($1_bluetooth_t)
+
+ miscfiles_read_localization($1_bluetooth_t)
+
+ sysnet_read_config($1_bluetooth_t)
+
+ optional_policy(`
+ bluetooth_dbus_chat($1_bluetooth_t)
+ dbus_system_bus_client_template($1_bluetooth, $1_bluetooth_t)
+ dbus_connect_system_bus($1_bluetooth_t)
+ dbus_send_system_bus($1_bluetooth_t)
+ ')
+
+ optional_policy(`
+ nscd_socket_use($1_bluetooth_t)
+ ')
+
+ optional_policy(`
+ xserver_user_client_template($1, $1_bluetooth_t, $1_bluetooth_tmpfs_t)
+ ')
+')
+
########################################
## <summary>
## Execute bluetooth in the bluetooth domain.
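Review bot: `allow $1_bluetooth_t bluetooth_t:socket { read write };` uses bluetooth_t, but the template's gen_require lists only `attribute bluetooth_helper_domain;` and `type bluetooth_helper_exec_t;`; the template is documented as being invoked per user, i.e. expanded from another module, where an undeclared type fails module compilation, so add `type bluetooth_t;` to the gen_require. Separately, `domain_read_all_domains_state($1_bluetooth_t)` gives each per-user bluetooth helper read access to the process state of every domain on the system, which is broad for a helper of this kind; a comment naming the program that needs it, or a narrower grant, would help the next reviewer.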
@@ -38,47 +149,43 @@ interface(`bluetooth_read_config',`
########################################
## <summary>
-## Execute bluetooth_helper in the bluetooth_helper domain.
+## Send and receive messages from
+## bluetooth over dbus.
## </summary>
## <param name="domain">
## <summary>
-## The type of the process performing this action.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`bluetooth_domtrans_helper',`
+interface(`bluetooth_dbus_chat',`
gen_require(`
- type bluetooth_helper_t, bluetooth_helper_exec_t;
+ type bluetooth_t;
+ class dbus send_msg;
')
- domtrans_pattern($1,bluetooth_helper_exec_t,bluetooth_helper_t)
+ allow $1 bluetooth_t:dbus send_msg;
+ allow bluetooth_t $1:dbus send_msg;
')
########################################
## <summary>
-## Send and receive messages from
-## bluetooth over dbus.
+## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## The type of the process performing this action.
## </summary>
## </param>
#
-interface(`bluetooth_dbus_chat',`
- gen_require(`
- type bluetooth_t;
- class dbus send_msg;
- ')
-
- allow $1 bluetooth_t:dbus send_msg;
- allow bluetooth_t $1:dbus send_msg;
+interface(`bluetooth_domtrans_helper',`
+ refpolicywarn(`$0($*) has been deprecated.')
')
########################################
## <summary>
## Execute bluetooth_helper in the bluetooth_helper domain, and
-## allow the specified role the bluetooth_helper domain.
+## allow the specified role the bluetooth_helper domain. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
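Review bot: The deprecation of bluetooth_domtrans_helper via `refpolicywarn(`$0($*) has been deprecated.')` tells a caller nothing about what to use instead, so a module still calling it gets a warning and no direction. The helper domain is now created per role by the template that defines `$1_bluetooth_t` (that template starts before this chunk, so its name is not visible here), and the summary should say so, e.g. `## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated: helper domains are now per-role; see the template that declares $1_bluetooth_t.)`. The same wording gap applies to the bluetooth_run_helper summary that this hunk also marks "(Deprecated)".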
@@ -98,13 +205,7 @@ interface(`bluetooth_dbus_chat',`
## <rolecap/>
#
interface(`bluetooth_run_helper',`
- gen_require(`
- type bluetooth_helper_t;
- ')
-
- bluetooth_domtrans_helper($1)
- role $2 types bluetooth_helper_t;
- allow bluetooth_helper_t $3:chr_file rw_term_perms;
+ refpolicywarn(`$0($*) has been deprecated.')
')
########################################
@@ -119,9 +220,9 @@ interface(`bluetooth_run_helper',`
#
interface(`bluetooth_dontaudit_read_helper_files',`
gen_require(`
- type bluetooth_helper_t;
+ attribute bluetooth_helper_domain;
')
- dontaudit $1 bluetooth_helper_t:dir search;
- dontaudit $1 bluetooth_helper_t:file { read getattr };
+ dontaudit $1 bluetooth_helper_domain:dir search;
+ dontaudit $1 bluetooth_helper_domain:file { read getattr };
')
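Review bot: The rewritten dontaudit rules target the attribute `bluetooth_helper_domain`, which this commit declares in bluetooth.te but, within what is visible here, never assigns to any type; unless the per-role template attaches `$1_bluetooth_t` to it with a `typeattribute`, both rules match nothing and the interface silently becomes a no-op. The template that declares `$1_bluetooth_t` starts outside this chunk, so that is where it needs to be confirmed. A note on the interface would make the dependency explicit: `## Helper domains are the per-role types that carry the bluetooth_helper_domain attribute.`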
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
index ae6e6a7..7f1f285 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -15,14 +15,10 @@ files_type(bluetooth_conf_t)
type bluetooth_conf_rw_t;
files_type(bluetooth_conf_rw_t)
-type bluetooth_helper_t;
-type bluetooth_helper_exec_t;
-domain_type(bluetooth_helper_t)
-domain_entry_file(bluetooth_helper_t,bluetooth_helper_exec_t)
-role system_r types bluetooth_helper_t;
+attribute bluetooth_helper_domain;
-type bluetooth_helper_tmp_t;
-files_tmp_file(bluetooth_helper_tmp_t)
+type bluetooth_helper_exec_t;
+application_executable_file(bluetooth_helper_exec_t)
type bluetooth_lock_t;
files_lock_file(bluetooth_lock_t)
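Review bot: The new `attribute bluetooth_helper_domain;` replaces the single `bluetooth_helper_t` domain but carries no comment saying which types are expected to join it, and nothing in bluetooth.te as shown by this commit attaches a type to it. Because `role system_r types bluetooth_helper_t` is removed as well, the helper is evidently meant to run only in per-role user domains from now on; a comment such as `# per-role helper domains ($1_bluetooth_t, declared in bluetooth.if) carry this attribute` would record that intent. Dropping `bluetooth_helper_tmp_t` presumably requires a matching file-contexts change, which is not part of this chunk.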
@@ -61,7 +57,7 @@ manage_fifo_files_pattern(bluetooth_t,bluetooth_conf_t,bluetooth_conf_rw_t)
manage_sock_files_pattern(bluetooth_t,bluetooth_conf_t,bluetooth_conf_rw_t)
filetrans_pattern(bluetooth_t,bluetooth_conf_t,bluetooth_conf_rw_t,{ dir file lnk_file sock_file fifo_file })
-domtrans_pattern(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
+can_exec(bluetooth_t, bluetooth_helper_exec_t)
allow bluetooth_t bluetooth_lock_t:file manage_file_perms;
files_lock_filetrans(bluetooth_t,bluetooth_lock_t,file)
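Review bot: Replacing `domtrans_pattern(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)` with `can_exec(bluetooth_t, bluetooth_helper_exec_t)` means a helper spawned by the daemon now keeps running in bluetooth_t rather than in a separate, smaller domain, so any flaw in a helper inherits the daemon's full permission set, and the per-role `$1_bluetooth_t` domain only confines helpers started from a user session. If that is the intended trade-off of removing the system helper domain, it deserves a comment, e.g. `# helpers launched by the daemon stay in bluetooth_t; helper confinement is per-role only (see bluetooth.if)`; otherwise a system-side helper domain should be retained. I also cannot tell from this chunk whether bluetooth_t's own rules cover what the old helper domain was given (shell and bin execution, X server access), so daemon-launched helpers may now be denied as well.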
@@ -117,8 +113,6 @@ files_read_usr_files(bluetooth_t)
libs_use_ld_so(bluetooth_t)
libs_use_shared_libs(bluetooth_t)
-locallogin_dontaudit_use_fds(bluetooth_helper_t)
-
logging_send_syslog_msg(bluetooth_t)
miscfiles_read_localization(bluetooth_t)
@@ -130,12 +124,6 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
userdom_dontaudit_use_sysadm_ptys(bluetooth_t)
userdom_dontaudit_search_sysadm_home_dirs(bluetooth_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(bluetooth_t)
- term_dontaudit_use_generic_ptys(bluetooth_t)
- files_dontaudit_read_root_files(bluetooth_t)
-')
-
optional_policy(`
dbus_system_bus_client_template(bluetooth,bluetooth_t)
dbus_connect_system_bus(bluetooth_t)
@@ -154,94 +142,6 @@ optional_policy(`
udev_read_db(bluetooth_t)
')
-########################################
-#
-# Bluetooth helper local policy
-#
-
-allow bluetooth_helper_t self:capability sys_nice;
-allow bluetooth_helper_t self:process getsched;
-allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms;
-allow bluetooth_helper_t self:shm create_shm_perms;
-allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow bluetooth_helper_t self:tcp_socket create_socket_perms;
-allow bluetooth_helper_t self:netlink_route_socket r_netlink_socket_perms;
-
-allow bluetooth_helper_t bluetooth_t:socket { read write };
-
-manage_dirs_pattern(bluetooth_helper_t,bluetooth_helper_tmp_t,bluetooth_helper_tmp_t)
-manage_files_pattern(bluetooth_helper_t,bluetooth_helper_tmp_t,bluetooth_helper_tmp_t)
-manage_sock_files_pattern(bluetooth_helper_t,bluetooth_helper_tmp_t,bluetooth_helper_tmp_t)
-files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir sock_file })
-
-kernel_read_system_state(bluetooth_helper_t)
-kernel_read_kernel_sysctls(bluetooth_helper_t)
-
-dev_read_urand(bluetooth_helper_t)
-
-term_dontaudit_use_all_user_ttys(bluetooth_helper_t)
-
-corecmd_exec_bin(bluetooth_helper_t)
-corecmd_exec_shell(bluetooth_helper_t)
-
-domain_read_all_domains_state(bluetooth_helper_t)
-
-files_read_etc_files(bluetooth_helper_t)
-files_read_etc_runtime_files(bluetooth_helper_t)
-files_read_usr_files(bluetooth_helper_t)
-files_search_tmp(bluetooth_helper_t)
-files_dontaudit_list_default(bluetooth_helper_t)
-
-libs_use_ld_so(bluetooth_helper_t)
-libs_use_shared_libs(bluetooth_helper_t)
-
-logging_send_syslog_msg(bluetooth_helper_t)
-
-miscfiles_read_localization(bluetooth_helper_t)
-miscfiles_read_fonts(bluetooth_helper_t)
-
-sysnet_read_config(bluetooth_helper_t)
-
-ifdef(`targeted_policy',`
- files_rw_generic_tmp_sockets(bluetooth_helper_t)
- files_manage_generic_tmp_files(bluetooth_helper_t)
-
- fs_rw_tmpfs_files(bluetooth_helper_t)
-
- term_dontaudit_use_generic_ptys(bluetooth_helper_t)
- term_dontaudit_use_unallocated_ttys(bluetooth_helper_t)
-
- unconfined_stream_connect(bluetooth_helper_t)
-
- userdom_manage_generic_user_home_content_files(bluetooth_helper_t)
-
- optional_policy(`
- corenet_tcp_connect_xserver_port(bluetooth_helper_t)
- #Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=205956
- xserver_read_xdm_tmp_files(bluetooth_helper_t)
- xserver_stream_connect_xdm(bluetooth_helper_t)
- xserver_use_xdm_fds(bluetooth_helper_t)
- xserver_rw_xdm_pipes(bluetooth_helper_t)
- # when started via startx
- xserver_stream_connect_xdm_xserver(bluetooth_helper_t)
- ')
-')
-
-optional_policy(`
- bluetooth_dbus_chat(bluetooth_helper_t)
- dbus_system_bus_client_template(bluetooth_helper,bluetooth_helper_t)
- dbus_connect_system_bus(bluetooth_helper_t)
- dbus_send_system_bus(bluetooth_helper_t)
-')
-
-optional_policy(`
- nscd_socket_use(bluetooth_helper_t)
-')
-
optional_policy(`
ppp_domtrans(bluetooth_t)
')
-
-optional_policy(`
- xserver_stream_connect_xdm(bluetooth_helper_t)
-')
diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te
index 51e7efa..5445a70 100644
--- a/policy/modules/services/canna.te
+++ b/policy/modules/services/canna.te
@@ -80,12 +80,6 @@ sysnet_read_config(canna_t)
userdom_dontaudit_use_unpriv_user_fds(canna_t)
userdom_dontaudit_search_sysadm_home_dirs(canna_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(canna_t)
- term_dontaudit_use_generic_ptys(canna_t)
- files_dontaudit_read_root_files(canna_t)
-')
-
optional_policy(`
nis_use_ypbind(canna_t)
')
diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te
index 26b1da9..fcecb1b 100644
--- a/policy/modules/services/ccs.te
+++ b/policy/modules/services/ccs.te
@@ -112,11 +112,6 @@ ifdef(`hide_broken_symptoms', `
files_manage_isid_type_files(ccs_t)
')
-ifdef(`targeted_policy',`
- term_dontaudit_use_generic_ptys(ccs_t)
- term_dontaudit_use_unallocated_ttys(ccs_t)
-')
-
optional_policy(`
unconfined_use_fds(ccs_t)
')
diff --git a/policy/modules/services/cipe.te b/policy/modules/services/cipe.te
index b4f8ad4..323554b 100644
--- a/policy/modules/services/cipe.te
+++ b/policy/modules/services/cipe.te
@@ -63,12 +63,6 @@ sysnet_read_config(ciped_t)
userdom_dontaudit_use_unpriv_user_fds(ciped_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(ciped_t)
- term_dontaudit_use_generic_ptys(ciped_t)
- files_dontaudit_read_root_files(ciped_t)
-')
-
optional_policy(`
nis_use_ypbind(ciped_t)
')
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index 2a2dec7..6b7d0c5 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -120,11 +120,6 @@ cron_use_fds(clamd_t)
cron_use_system_job_fds(clamd_t)
cron_rw_pipes(clamd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(clamd_t)
- term_dontaudit_use_generic_ptys(clamd_t)
-')
-
optional_policy(`
amavis_read_lib_files(clamd_t)
amavis_read_spool_files(clamd_t)
diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if
index ee4a98e..354edf6 100644
--- a/policy/modules/services/courier.if
+++ b/policy/modules/services/courier.if
@@ -77,12 +77,6 @@ template(`courier_domain_template',`
userdom_dontaudit_use_unpriv_user_fds(courier_$1_t)
- ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(courier_$1_t)
- term_dontaudit_use_generic_ptys(courier_$1_t)
- files_dontaudit_read_root_files(courier_$1_t)
- ')
-
optional_policy(`
seutil_sigchld_newrole(courier_$1_t)
')
diff --git a/policy/modules/services/cpucontrol.te b/policy/modules/services/cpucontrol.te
index 48d6e26..9145263 100644
--- a/policy/modules/services/cpucontrol.te
+++ b/policy/modules/services/cpucontrol.te
@@ -58,12 +58,6 @@ logging_send_syslog_msg(cpucontrol_t)
userdom_dontaudit_use_unpriv_user_fds(cpucontrol_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(cpucontrol_t)
- term_dontaudit_use_generic_ptys(cpucontrol_t)
- files_dontaudit_read_root_files(cpucontrol_t)
-')
-
optional_policy(`
nscd_socket_use(cpucontrol_t)
')
@@ -118,12 +112,6 @@ miscfiles_read_localization(cpuspeed_t)
userdom_dontaudit_use_unpriv_user_fds(cpuspeed_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(cpuspeed_t)
- term_dontaudit_use_generic_ptys(cpuspeed_t)
- files_dontaudit_read_root_files(cpuspeed_t)
-')
-
optional_policy(`
nscd_socket_use(cpuspeed_t)
')
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index 74c3142..b61103c 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -152,6 +152,17 @@ template(`cron_per_role_template',`
allow crond_t $1_cron_spool_t:file manage_file_perms;
')
+ # need a per-role version of this:
+ #optional_policy(`
+ # mono_domtrans($1_crond_t)
+ #')
+
+ optional_policy(`
+ dbus_stub($1_crond_t)
+
+ allow $1_crond_t $2:dbus send_msg;
+ ')
+
optional_policy(`
nis_use_ypbind($1_crond_t)
')
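Review bot: The new `allow $1_crond_t $2:dbus send_msg;` has no comment explaining why a per-role crond needs to send D-Bus messages to the user domain, and the hunk gives no hint what the exchange is for, so a why-comment on that line is needed before the rule is merged. The commented-out `mono_domtrans($1_crond_t)` block above it is dead code; either reduce it to a real marker, `# TODO: mono_domtrans($1_crond_t) once a per-role version of the interface exists`, or drop it. The rule is also one-directional: if the user domain has to reply, a matching `allow $2 $1_crond_t:dbus send_msg;` is still missing. The enclosing cron_per_role_template starts outside this hunk.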
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 3e093b3..d95d755 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -60,11 +60,7 @@ application_executable_file(crontab_exec_t)
type system_cron_spool_t, cron_spool_type;
files_type(system_cron_spool_t)
-ifdef(`targeted_policy',`
- typealias crond_t alias system_crond_t;
-',`
- type system_crond_t;
-')
+type system_crond_t;
init_daemon_domain(system_crond_t,anacron_exec_t)
corecmd_shell_entry_type(system_crond_t)
role system_r types system_crond_t;
@@ -75,11 +71,6 @@ files_lock_file(system_crond_lock_t)
type system_crond_tmp_t;
files_tmp_file(system_crond_tmp_t)
-ifdef(`targeted_policy',`
- type sysadm_cron_spool_t;
- files_type(sysadm_cron_spool_t)
-')
-
ifdef(`enable_mcs',`
init_ranged_daemon_domain(crond_t,crond_exec_t,s0 - mcs_systemhigh)
')
@@ -111,6 +102,10 @@ files_pid_filetrans(crond_t,crond_var_run_t,file)
allow crond_t cron_spool_t:dir rw_dir_perms;
allow crond_t cron_spool_t:file read_file_perms;
+manage_dirs_pattern(crond_t,crond_tmp_t,crond_tmp_t)
+manage_files_pattern(crond_t,crond_tmp_t,crond_tmp_t)
+files_tmp_filetrans(crond_t,crond_tmp_t,{ file dir })
+
allow crond_t system_cron_spool_t:dir list_dir_perms;
allow crond_t system_cron_spool_t:file read_file_perms;
@@ -185,35 +180,6 @@ optional_policy(`
locallogin_link_keys(crond_t)
')
-ifdef(`targeted_policy',`
- manage_dirs_pattern(crond_t,system_crond_tmp_t,system_crond_tmp_t)
- manage_files_pattern(crond_t,system_crond_tmp_t,system_crond_tmp_t)
- manage_lnk_files_pattern(crond_t,system_crond_tmp_t,system_crond_tmp_t)
- manage_fifo_files_pattern(crond_t,system_crond_tmp_t,system_crond_tmp_t)
- manage_sock_files_pattern(crond_t,system_crond_tmp_t,system_crond_tmp_t)
- files_tmp_filetrans(crond_t,system_crond_tmp_t,{ dir file lnk_file sock_file fifo_file })
-
- unconfined_domain(crond_t)
-
- userdom_manage_generic_user_home_content_dirs(crond_t)
- userdom_manage_generic_user_home_content_files(crond_t)
- userdom_manage_generic_user_home_content_symlinks(crond_t)
- userdom_manage_generic_user_home_content_sockets(crond_t)
- userdom_manage_generic_user_home_content_pipes(crond_t)
- userdom_generic_user_home_dir_filetrans_generic_user_home_content(crond_t,{ dir file lnk_file fifo_file sock_file })
-
- allow crond_t unconfined_t:dbus send_msg;
- allow crond_t initrc_t:dbus send_msg;
-
- optional_policy(`
- mono_domtrans(crond_t)
- ')
-',`
- manage_dirs_pattern(crond_t,crond_tmp_t,crond_tmp_t)
- manage_files_pattern(crond_t,crond_tmp_t,crond_tmp_t)
- files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
-')
-
tunable_policy(`fcron_crond', `
allow crond_t system_cron_spool_t:file manage_file_perms;
')
@@ -258,6 +224,11 @@ optional_policy(`
# System cron process domain
#
+allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
+allow system_crond_t self:process { signal_perms setsched };
+allow system_crond_t self:fifo_file rw_fifo_file_perms;
+allow system_crond_t self:passwd rootok;
+
# This is to handle creation of files in /var/log directory.
# Used currently by rpm script log files
allow system_crond_t cron_log_t:file manage_file_perms;
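Review bot: The capability set on the first added line, `dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid`, together with `self:passwd rootok`, now applies to system_crond_t on every build, whereas before this commit it was confined to the non-targeted branch, and nothing says what needs each capability. A short justification would keep the set from growing unnoticed, e.g. `# system cron jobs switch to other users (setuid/setgid) and act on their files (dac_override, chown, fowner, fsetid)`; `net_bind_service` in particular is not explained by anything visible in this file and should be justified or dropped. The system_crond_t section continues past this hunk.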
@@ -268,220 +239,209 @@ logging_log_filetrans(system_crond_t,cron_log_t,file)
allow system_crond_t cron_var_lib_t:file manage_file_perms;
files_var_lib_filetrans(system_crond_t,cron_var_lib_t,file)
-optional_policy(`
- # cjp: why?
- squid_domtrans(system_crond_t)
-')
+allow system_crond_t system_cron_spool_t:file read_file_perms;
+# The entrypoint interface is not used as this is not
+# a regular entrypoint. Since crontab files are
+# not directly executed, crond must ensure that
+# the crontab file has a type that is appropriate
+# for the domain of the user cron job. It
+# performs an entrypoint permission check
+# for this purpose.
+allow system_crond_t system_cron_spool_t:file entrypoint;
+
+# Permit a transition from the crond_t domain to this domain.
+# The transition is requested explicitly by the modified crond
+# via setexeccon. There is no way to set up an automatic
+# transition, since crontabs are configuration files, not executables.
+allow crond_t system_crond_t:process transition;
+dontaudit crond_t system_crond_t:process { noatsecure siginh rlimitinh };
+allow crond_t system_crond_t:fd use;
+allow system_crond_t crond_t:fd use;
+allow system_crond_t crond_t:fifo_file rw_file_perms;
+allow system_crond_t crond_t:process sigchld;
+
+# Write /var/lock/makewhatis.lock.
+allow system_crond_t system_crond_lock_t:file manage_file_perms;
+files_lock_filetrans(system_crond_t,system_crond_lock_t,file)
+
+# write temporary files
+manage_files_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t)
+manage_lnk_files_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t)
+filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file })
+files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file)
-ifdef(`targeted_policy',`
- # cjp: FIXME
- allow crond_t unconfined_t:process transition;
-',`
- allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
- allow system_crond_t self:process { signal_perms setsched };
- allow system_crond_t self:fifo_file rw_fifo_file_perms;
- allow system_crond_t self:passwd rootok;
-
- # The entrypoint interface is not used as this is not
- # a regular entrypoint. Since crontab files are
- # not directly executed, crond must ensure that
- # the crontab file has a type that is appropriate
- # for the domain of the user cron job. It
- # performs an entrypoint permission check
- # for this purpose.
- allow system_crond_t system_cron_spool_t:file entrypoint;
-
- allow system_crond_t system_cron_spool_t:file read_file_perms;
-
- # Permit a transition from the crond_t domain to this domain.
- # The transition is requested explicitly by the modified crond
- # via setexeccon. There is no way to set up an automatic
- # transition, since crontabs are configuration files, not executables.
- allow crond_t system_crond_t:process transition;
- dontaudit crond_t system_crond_t:process { noatsecure siginh rlimitinh };
- allow crond_t system_crond_t:fd use;
- allow system_crond_t crond_t:fd use;
- allow system_crond_t crond_t:fifo_file rw_file_perms;
- allow system_crond_t crond_t:process sigchld;
-
- # Write /var/lock/makewhatis.lock.
- allow system_crond_t system_crond_lock_t:file manage_file_perms;
- files_lock_filetrans(system_crond_t,system_crond_lock_t,file)
-
- # write temporary files
- manage_files_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t)
- manage_lnk_files_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t)
- filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file })
- files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file)
-
- # Read from /var/spool/cron.
- allow system_crond_t cron_spool_t:dir list_dir_perms;
- allow system_crond_t cron_spool_t:file read_file_perms;
-
- kernel_read_kernel_sysctls(system_crond_t)
- kernel_read_system_state(system_crond_t)
- kernel_read_software_raid_state(system_crond_t)
-
- # ps does not need to access /boot when run from cron
- files_dontaudit_search_boot(system_crond_t)
-
- corecmd_exec_all_executables(system_crond_t)
-
- corenet_all_recvfrom_unlabeled(system_crond_t)
- corenet_all_recvfrom_netlabel(system_crond_t)
- corenet_tcp_sendrecv_all_if(system_crond_t)
- corenet_udp_sendrecv_all_if(system_crond_t)
- corenet_tcp_sendrecv_all_nodes(system_crond_t)
- corenet_udp_sendrecv_all_nodes(system_crond_t)
- corenet_tcp_sendrecv_all_ports(system_crond_t)
- corenet_udp_sendrecv_all_ports(system_crond_t)
-
- dev_getattr_all_blk_files(system_crond_t)
- dev_getattr_all_chr_files(system_crond_t)
- dev_read_urand(system_crond_t)
-
- fs_getattr_all_fs(system_crond_t)
- fs_getattr_all_files(system_crond_t)
- fs_getattr_all_symlinks(system_crond_t)
- fs_getattr_all_pipes(system_crond_t)
- fs_getattr_all_sockets(system_crond_t)
-
- # quiet other ps operations
- domain_dontaudit_read_all_domains_state(system_crond_t)
-
- files_exec_etc_files(system_crond_t)
- files_read_etc_files(system_crond_t)
- files_read_etc_runtime_files(system_crond_t)
- files_list_all(system_crond_t)
- files_getattr_all_dirs(system_crond_t)
- files_getattr_all_files(system_crond_t)
- files_getattr_all_symlinks(system_crond_t)
- files_getattr_all_pipes(system_crond_t)
- files_getattr_all_sockets(system_crond_t)
- files_read_usr_files(system_crond_t)
- files_read_var_files(system_crond_t)
- # for nscd:
- files_dontaudit_search_pids(system_crond_t)
- # Access other spool directories like
- # /var/spool/anacron and /var/spool/slrnpull.
- files_manage_generic_spool(system_crond_t)
-
- init_use_script_fds(system_crond_t)
- init_read_utmp(system_crond_t)
- init_dontaudit_rw_utmp(system_crond_t)
- # prelink tells init to restart it self, we either need to allow or dontaudit
- init_write_initctl(system_crond_t)
-
- libs_use_ld_so(system_crond_t)
- libs_use_shared_libs(system_crond_t)
- libs_exec_lib_files(system_crond_t)
- libs_exec_ld_so(system_crond_t)
-
- logging_read_generic_logs(system_crond_t)
- logging_send_syslog_msg(system_crond_t)
-
- miscfiles_read_localization(system_crond_t)
- miscfiles_manage_man_pages(system_crond_t)
-
- seutil_read_config(system_crond_t)
-
- ifdef(`distro_redhat', `
- # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
- # via redirection of standard out.
- optional_policy(`
- rpm_manage_log(system_crond_t)
- ')
- ')
-
- tunable_policy(`cron_can_relabel',`
- seutil_domtrans_setfiles(system_crond_t)
- ',`
- selinux_get_fs_mount(system_crond_t)
- selinux_validate_context(system_crond_t)
- selinux_compute_access_vector(system_crond_t)
- selinux_compute_create_context(system_crond_t)
- selinux_compute_relabel_context(system_crond_t)
- selinux_compute_user_contexts(system_crond_t)
- seutil_read_file_contexts(system_crond_t)
- ')
+# Read from /var/spool/cron.
+allow system_crond_t cron_spool_t:dir list_dir_perms;
+allow system_crond_t cron_spool_t:file read_file_perms;
+
+kernel_read_kernel_sysctls(system_crond_t)
+kernel_read_system_state(system_crond_t)
+kernel_read_software_raid_state(system_crond_t)
+
+# ps does not need to access /boot when run from cron
+files_dontaudit_search_boot(system_crond_t)
+
+corecmd_exec_all_executables(system_crond_t)
+
+corenet_all_recvfrom_unlabeled(system_crond_t)
+corenet_all_recvfrom_netlabel(system_crond_t)
+corenet_tcp_sendrecv_all_if(system_crond_t)
+corenet_udp_sendrecv_all_if(system_crond_t)
+corenet_tcp_sendrecv_all_nodes(system_crond_t)
+corenet_udp_sendrecv_all_nodes(system_crond_t)
+corenet_tcp_sendrecv_all_ports(system_crond_t)
+corenet_udp_sendrecv_all_ports(system_crond_t)
+
+dev_getattr_all_blk_files(system_crond_t)
+dev_getattr_all_chr_files(system_crond_t)
+dev_read_urand(system_crond_t)
+
+fs_getattr_all_fs(system_crond_t)
+fs_getattr_all_files(system_crond_t)
+fs_getattr_all_symlinks(system_crond_t)
+fs_getattr_all_pipes(system_crond_t)
+fs_getattr_all_sockets(system_crond_t)
+
+# quiet other ps operations
+domain_dontaudit_read_all_domains_state(system_crond_t)
+
+files_exec_etc_files(system_crond_t)
+files_read_etc_files(system_crond_t)
+files_read_etc_runtime_files(system_crond_t)
+files_list_all(system_crond_t)
+files_getattr_all_dirs(system_crond_t)
+files_getattr_all_files(system_crond_t)
+files_getattr_all_symlinks(system_crond_t)
+files_getattr_all_pipes(system_crond_t)
+files_getattr_all_sockets(system_crond_t)
+files_read_usr_files(system_crond_t)
+files_read_var_files(system_crond_t)
+# for nscd:
+files_dontaudit_search_pids(system_crond_t)
+# Access other spool directories like
+# /var/spool/anacron and /var/spool/slrnpull.
+files_manage_generic_spool(system_crond_t)
+
+init_use_script_fds(system_crond_t)
+init_read_utmp(system_crond_t)
+init_dontaudit_rw_utmp(system_crond_t)
+# prelink tells init to restart it self, we either need to allow or dontaudit
+init_write_initctl(system_crond_t)
+
+libs_use_ld_so(system_crond_t)
+libs_use_shared_libs(system_crond_t)
+libs_exec_lib_files(system_crond_t)
+libs_exec_ld_so(system_crond_t)
+
+logging_read_generic_logs(system_crond_t)
+logging_send_syslog_msg(system_crond_t)
+
+miscfiles_read_localization(system_crond_t)
+miscfiles_manage_man_pages(system_crond_t)
+
+seutil_read_config(system_crond_t)
+ifdef(`distro_redhat', `
+ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+ # via redirection of standard out.
optional_policy(`
- # Needed for certwatch
- apache_exec_modules(system_crond_t)
- apache_read_config(system_crond_t)
- apache_read_log(system_crond_t)
- apache_read_sys_content(system_crond_t)
+ rpm_manage_log(system_crond_t)
')
+')
- optional_policy(`
- cyrus_manage_data(system_crond_t)
- ')
+tunable_policy(`cron_can_relabel',`
+ seutil_domtrans_setfiles(system_crond_t)
+',`
+ selinux_get_fs_mount(system_crond_t)
+ selinux_validate_context(system_crond_t)
+ selinux_compute_access_vector(system_crond_t)
+ selinux_compute_create_context(system_crond_t)
+ selinux_compute_relabel_context(system_crond_t)
+ selinux_compute_user_contexts(system_crond_t)
+ seutil_read_file_contexts(system_crond_t)
+')
- optional_policy(`
- ftp_read_log(system_crond_t)
- ')
+optional_policy(`
+ # Needed for certwatch
+ apache_exec_modules(system_crond_t)
+ apache_read_config(system_crond_t)
+ apache_read_log(system_crond_t)
+ apache_read_sys_content(system_crond_t)
+')
- optional_policy(`
- inn_manage_log(system_crond_t)
- inn_manage_pid(system_crond_t)
- inn_read_config(system_crond_t)
- ')
+optional_policy(`
+ cyrus_manage_data(system_crond_t)
+')
- optional_policy(`
- mrtg_append_create_logs(system_crond_t)
- ')
+optional_policy(`
+ ftp_read_log(system_crond_t)
+')
- optional_policy(`
- mta_send_mail(system_crond_t)
- ')
+optional_policy(`
+ inn_manage_log(system_crond_t)
+ inn_manage_pid(system_crond_t)
+ inn_read_config(system_crond_t)
+')
- optional_policy(`
- mysql_read_config(system_crond_t)
- ')
+optional_policy(`
+ mrtg_append_create_logs(system_crond_t)
+')
- optional_policy(`
- nis_use_ypbind(system_crond_t)
- ')
+optional_policy(`
+ mta_send_mail(system_crond_t)
+')
- optional_policy(`
- nscd_socket_use(system_crond_t)
- ')
+optional_policy(`
+ mysql_read_config(system_crond_t)
+')
- optional_policy(`
- postfix_read_config(system_crond_t)
- ')
+optional_policy(`
+ nis_use_ypbind(system_crond_t)
+')
- optional_policy(`
- prelink_read_cache(system_crond_t)
- prelink_manage_log(system_crond_t)
- prelink_delete_cache(system_crond_t)
- ')
+optional_policy(`
+ nscd_socket_use(system_crond_t)
+')
- optional_policy(`
- samba_read_config(system_crond_t)
- samba_read_log(system_crond_t)
- #samba_read_secrets(system_crond_t)
- ')
+optional_policy(`
+ postfix_read_config(system_crond_t)
+')
- optional_policy(`
- slocate_create_append_log(system_crond_t)
- ')
+optional_policy(`
+ prelink_read_cache(system_crond_t)
+ prelink_manage_log(system_crond_t)
+ prelink_delete_cache(system_crond_t)
+')
- optional_policy(`
- sysstat_manage_log(system_crond_t)
- ')
+optional_policy(`
+ samba_read_config(system_crond_t)
+ samba_read_log(system_crond_t)
+ #samba_read_secrets(system_crond_t)
+')
+
+optional_policy(`
+ slocate_create_append_log(system_crond_t)
+')
- ifdef(`TODO',`
- dontaudit userdomain system_crond_t:fd use;
+optional_policy(`
+ # cjp: why?
+ squid_domtrans(system_crond_t)
+')
- allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
+optional_policy(`
+ sysstat_manage_log(system_crond_t)
+')
- # for if /var/mail is a symlink
- allow system_crond_t mail_spool_t:lnk_file read;
+optional_policy(`
+ unconfined_domain(system_crond_t)
- ifdef(`mta.te', `
- allow mta_user_agent system_crond_t:fd use;
- r_dir_file(system_mail_t, crond_tmp_t)
- ')
- ') dnl end TODO
+ userdom_priveleged_home_dir_manager(system_crond_t)
+')
+
+ifdef(`TODO',`
+ifdef(`mta.te', `
+allow system_crond_t mail_spool_t:lnk_file read;
+allow mta_user_agent system_crond_t:fd use;
+r_dir_file(system_mail_t, crond_tmp_t)
')
+') dnl end TODO
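Review bot: The new `unconfined_domain(system_crond_t)` inside an `optional_policy` block near the end of this hunk makes system_crond_t fully unconfined whenever the unconfined module is loaded, which turns every rule above it in this section into dead weight on such a build and, unlike the targeted-only `ifdef` it replaces, now also applies to formerly strict configurations that happen to load that module. If this is meant to carry over the old targeted behaviour, gate it on an explicit tunable, or at least document it: `# with the unconfined module loaded, system cron jobs are unconfined (former targeted_policy behaviour); the rules above only matter without it`. The accompanying `userdom_priveleged_home_dir_manager(system_crond_t)` should be checked against the interface's actual spelling in userdomain.if, since a mistyped interface name only fails when this optional block is enabled. The relocated `squid_domtrans` block still carries the `# cjp: why?` question; moving it leaves the question unanswered.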
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index 4ddf3da..fc06d64 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -231,25 +231,6 @@ ifdef(`enable_mls',`
lpd_relabel_spool(cupsd_t)
')
-ifdef(`targeted_policy',`
- files_dontaudit_read_root_files(cupsd_t)
-
- term_dontaudit_use_unallocated_ttys(cupsd_t)
- term_dontaudit_use_generic_ptys(cupsd_t)
-
- init_stream_connect_script(cupsd_t)
-
- unconfined_rw_pipes(cupsd_t)
-
- optional_policy(`
- init_dbus_chat_script(cupsd_t)
-
- unconfined_dbus_send(cupsd_t)
-
- dbus_stub(cupsd_t)
- ')
-')
-
optional_policy(`
apm_domtrans_client(cupsd_t)
')
@@ -395,15 +376,6 @@ ifdef(`distro_redhat',`
')
')
-ifdef(`targeted_policy',`
- files_dontaudit_read_root_files(cupsd_config_t)
-
- term_dontaudit_use_unallocated_ttys(cupsd_config_t)
- term_use_generic_ptys(cupsd_config_t)
-
- unconfined_rw_pipes(cupsd_config_t)
-')
-
optional_policy(`
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
@@ -617,12 +589,6 @@ userdom_dontaudit_search_all_users_home_content(hplip_t)
lpd_read_config(cupsd_t)
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(hplip_t)
- term_dontaudit_use_generic_ptys(hplip_t)
- files_dontaudit_read_root_files(hplip_t)
-')
-
optional_policy(`
seutil_sigchld_newrole(hplip_t)
')
@@ -695,12 +661,6 @@ sysnet_read_config(ptal_t)
userdom_dontaudit_use_unpriv_user_fds(ptal_t)
userdom_dontaudit_search_all_users_home_content(ptal_t)
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(ptal_t)
- term_dontaudit_use_generic_ptys(ptal_t)
- files_dontaudit_read_root_files(ptal_t)
-')
-
optional_policy(`
seutil_sigchld_newrole(ptal_t)
')
diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
index 23ede85..8b6300a 100644
--- a/policy/modules/services/cyrus.te
+++ b/policy/modules/services/cyrus.te
@@ -109,17 +109,10 @@ sysnet_read_config(cyrus_t)
userdom_dontaudit_use_unpriv_user_fds(cyrus_t)
userdom_dontaudit_search_sysadm_home_dirs(cyrus_t)
userdom_use_unpriv_users_fds(cyrus_t)
-userdom_use_sysadm_ptys(cyrus_t)
mta_manage_spool(cyrus_t)
mta_send_mail(cyrus_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(cyrus_t)
- term_dontaudit_use_generic_ptys(cyrus_t)
- files_dontaudit_read_root_files(cyrus_t)
-')
-
optional_policy(`
cron_system_entry(cyrus_t,cyrus_exec_t)
')
diff --git a/policy/modules/services/dante.te b/policy/modules/services/dante.te
index b421355..1bc9f64 100644
--- a/policy/modules/services/dante.te
+++ b/policy/modules/services/dante.te
@@ -74,12 +74,6 @@ sysnet_read_config(dante_t)
userdom_dontaudit_use_unpriv_user_fds(dante_t)
userdom_dontaudit_search_sysadm_home_dirs(dante_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(dante_t)
- term_dontaudit_use_generic_ptys(dante_t)
- files_dontaudit_read_root_files(dante_t)
-')
-
optional_policy(`
seutil_sigchld_newrole(dante_t)
')
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 5587696..9d0cfe3 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -13,6 +13,7 @@
interface(`dbus_stub',`
gen_require(`
type system_dbusd_t;
+ class dbus all_dbus_perms;
')
')
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index c2cb1c0..12f7737 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -2,7 +2,7 @@
policy_module(dbus,1.7.0)
gen_require(`
- class dbus { send_msg acquire_svc };
+ class dbus all_dbus_perms;
')
##############################
@@ -108,12 +108,6 @@ seutil_sigchld_newrole(system_dbusd_t)
userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
userdom_dontaudit_search_sysadm_home_dirs(system_dbusd_t)
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(system_dbusd_t)
- term_dontaudit_use_generic_ptys(system_dbusd_t)
- files_dontaudit_read_root_files(system_dbusd_t)
-')
-
tunable_policy(`read_default_t',`
files_list_default(system_dbusd_t)
files_read_default_files(system_dbusd_t)
diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te
index 450bb53..d966d13 100644
--- a/policy/modules/services/dcc.te
+++ b/policy/modules/services/dcc.te
@@ -275,12 +275,6 @@ sysnet_dns_name_resolve(dccd_t)
userdom_dontaudit_use_unpriv_user_fds(dccd_t)
userdom_dontaudit_search_sysadm_home_dirs(dccd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(dccd_t)
- term_dontaudit_use_generic_ptys(dccd_t)
- files_dontaudit_read_root_files(dccd_t)
-')
-
optional_policy(`
nscd_socket_use(dccd_t)
')
@@ -354,12 +348,6 @@ sysnet_dns_name_resolve(dccifd_t)
userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
userdom_dontaudit_search_sysadm_home_dirs(dccifd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(dccifd_t)
- term_dontaudit_use_generic_ptys(dccifd_t)
- files_dontaudit_read_root_files(dccifd_t)
-')
-
optional_policy(`
nscd_socket_use(dccifd_t)
')
@@ -432,12 +420,6 @@ sysnet_dns_name_resolve(dccm_t)
userdom_dontaudit_use_unpriv_user_fds(dccm_t)
userdom_dontaudit_search_sysadm_home_dirs(dccm_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(dccm_t)
- term_dontaudit_use_generic_ptys(dccm_t)
- files_dontaudit_read_root_files(dccm_t)
-')
-
optional_policy(`
nscd_socket_use(dccm_t)
')
diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te
index 4c0420b..89aa5ad 100644
--- a/policy/modules/services/ddclient.te
+++ b/policy/modules/services/ddclient.te
@@ -100,12 +100,6 @@ sysnet_read_config(ddclient_t)
userdom_dontaudit_use_unpriv_user_fds(ddclient_t)
userdom_dontaudit_search_sysadm_home_dirs(ddclient_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(ddclient_t)
- term_dontaudit_use_generic_ptys(ddclient_t)
- files_dontaudit_read_root_files(ddclient_t)
-')
-
optional_policy(`
seutil_sigchld_newrole(ddclient_t)
')
diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
index 257cda7..c4cd996 100644
--- a/policy/modules/services/dhcp.te
+++ b/policy/modules/services/dhcp.te
@@ -105,12 +105,6 @@ ifdef(`distro_gentoo',`
allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
')
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(dhcpd_t)
- term_dontaudit_use_generic_ptys(dhcpd_t)
- files_dontaudit_read_root_files(dhcpd_t)
-')
-
optional_policy(`
# used for dynamic DNS
bind_read_dnssec_keys(dhcpd_t)
diff --git a/policy/modules/services/dictd.te b/policy/modules/services/dictd.te
index f78306a..2bd1d91 100644
--- a/policy/modules/services/dictd.te
+++ b/policy/modules/services/dictd.te
@@ -76,12 +76,6 @@ sysnet_read_config(dictd_t)
userdom_dontaudit_use_unpriv_user_fds(dictd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(dictd_t)
- term_dontaudit_use_generic_ptys(dictd_t)
- files_dontaudit_read_root_files(dictd_t)
-')
-
optional_policy(`
nis_use_ypbind(dictd_t)
')
diff --git a/policy/modules/services/distcc.te b/policy/modules/services/distcc.te
index 49b4b68..844c839 100644
--- a/policy/modules/services/distcc.te
+++ b/policy/modules/services/distcc.te
@@ -83,12 +83,6 @@ sysnet_read_config(distccd_t)
userdom_dontaudit_use_unpriv_user_fds(distccd_t)
userdom_dontaudit_search_sysadm_home_dirs(distccd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(distccd_t)
- term_dontaudit_use_generic_ptys(distccd_t)
- files_dontaudit_read_root_files(distccd_t)
-')
-
optional_policy(`
nis_use_ypbind(distccd_t)
')
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index e4a2c8b..42b6bf4 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -83,12 +83,6 @@ sysnet_read_config(dnsmasq_t)
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_sysadm_home_dirs(dnsmasq_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(dnsmasq_t)
- term_dontaudit_use_generic_ptys(dnsmasq_t)
- files_dontaudit_read_root_files(dnsmasq_t)
-')
-
optional_policy(`
nis_use_ypbind(dnsmasq_t)
')
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index 81b3f6d..a0af2de 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -120,12 +120,6 @@ userdom_priveleged_home_dir_manager(dovecot_t)
mta_manage_spool(dovecot_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(dovecot_t)
- term_dontaudit_use_generic_ptys(dovecot_t)
- files_dontaudit_read_root_files(dovecot_t)
-')
-
optional_policy(`
kerberos_use(dovecot_t)
')
diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
index 360a251..c0d48ce 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
@@ -55,11 +55,6 @@ logging_read_generic_logs(fail2ban_t)
miscfiles_read_localization(fail2ban_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(fail2ban_t)
- term_dontaudit_use_generic_ptys(fail2ban_t)
-')
-
optional_policy(`
apache_read_log(fail2ban_t)
')
diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
index f1bbac5..23ab327 100644
--- a/policy/modules/services/fetchmail.te
+++ b/policy/modules/services/fetchmail.te
@@ -85,12 +85,6 @@ sysnet_read_config(fetchmail_t)
userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
userdom_dontaudit_search_sysadm_home_dirs(fetchmail_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(fetchmail_t)
- term_dontaudit_use_generic_ptys(fetchmail_t)
- files_dontaudit_read_root_files(fetchmail_t)
-')
-
optional_policy(`
seutil_sigchld_newrole(fetchmail_t)
')
diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te
index cb62ac1..c2b0997 100644
--- a/policy/modules/services/finger.te
+++ b/policy/modules/services/finger.te
@@ -98,12 +98,6 @@ userdom_dontaudit_search_sysadm_home_dirs(fingerd_t)
# have to change this when we create a type for Maildir
userdom_dontaudit_search_generic_user_home_dirs(fingerd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(fingerd_t)
- term_dontaudit_use_generic_ptys(fingerd_t)
- files_dontaudit_read_root_files(fingerd_t)
-')
-
optional_policy(`
cron_system_entry(fingerd_t, fingerd_exec_t)
')
diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
index e3bbfb5..f24bd26 100644
--- a/policy/modules/services/ftp.if
+++ b/policy/modules/services/ftp.if
@@ -124,3 +124,34 @@ interface(`ftp_domtrans_ftpdctl',`
corecmd_search_bin($1)
domtrans_pattern($1, ftpdctl_exec_t, ftpdctl_t)
')
+
+########################################
+## <summary>
+## Execute the ftpdctl program in the ftpdctl domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the ftpdctl domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the ftpdctl domain to use.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ftp_run_ftpdctl',`
+ gen_require(`
+ type ftpdctl_t;
+ ')
+
+ ftp_domtrans_ftpdctl($1)
+ role $2 types ftpdctl_t;
+ allow ftpdctl_t $3:chr_file rw_term_perms;
+')
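Review bot: The summary of the new `ftp_run_ftpdctl` interface describes only the domain transition, although the body also assigns the role and grants terminal access, which is exactly what callers pick a `_run_` interface over `ftp_domtrans_ftpdctl` for. Suggest `## Execute the ftpdctl program in the ftpdctl domain, allow the specified role the ftpdctl domain, and allow the ftpdctl domain to use the given terminal.` as the summary. The terminal parameter text `## The type of the terminal allow the ftpdctl domain to use.` also reads awkwardly; `## The type of the terminal the ftpdctl domain is allowed to use.` says the same thing clearly.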
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 450074a..ee383b3 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -181,13 +181,6 @@ sysnet_use_ldap(ftpd_t)
userdom_dontaudit_search_sysadm_home_dirs(ftpd_t)
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
-ifdef(`targeted_policy',`
- files_dontaudit_read_root_files(ftpd_t)
-
- term_dontaudit_use_generic_ptys(ftpd_t)
- term_dontaudit_use_unallocated_ttys(ftpd_t)
-')
-
tunable_policy(`allow_ftpd_anon_write',`
miscfiles_manage_public_files(ftpd_t)
')
@@ -224,10 +217,6 @@ tunable_policy(`ftp_home_dir',`
userdom_manage_all_users_home_content_dirs(ftpd_t)
userdom_manage_all_users_home_content_files(ftpd_t)
userdom_manage_all_users_home_content_symlinks(ftpd_t)
-
- ifdef(`targeted_policy',`
- userdom_generic_user_home_dir_filetrans_generic_user_home_content(ftpd_t,{ dir file lnk_file sock_file fifo_file })
- ')
')
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
@@ -300,7 +289,3 @@ files_read_etc_files(ftpdctl_t)
libs_use_ld_so(ftpdctl_t)
libs_use_shared_libs(ftpdctl_t)
-
-ifdef(`targeted_policy',`
- term_use_generic_ptys(ftpdctl_t)
-')
diff --git a/policy/modules/services/gatekeeper.te b/policy/modules/services/gatekeeper.te
index fdee3a1..0c12d3c 100644
--- a/policy/modules/services/gatekeeper.te
+++ b/policy/modules/services/gatekeeper.te
@@ -90,12 +90,6 @@ sysnet_read_config(gatekeeper_t)
userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
userdom_dontaudit_search_sysadm_home_dirs(gatekeeper_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(gatekeeper_t)
- term_dontaudit_use_generic_ptys(gatekeeper_t)
- files_dontaudit_read_root_files(gatekeeper_t)
-')
-
optional_policy(`
nis_use_ypbind(gatekeeper_t)
')
diff --git a/policy/modules/services/gpm.te b/policy/modules/services/gpm.te
index 977de38..3299d0d 100644
--- a/policy/modules/services/gpm.te
+++ b/policy/modules/services/gpm.te
@@ -71,12 +71,6 @@ miscfiles_read_localization(gpm_t)
userdom_dontaudit_use_unpriv_user_fds(gpm_t)
userdom_dontaudit_search_sysadm_home_dirs(gpm_t)
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(gpm_t)
- term_dontaudit_use_generic_ptys(gpm_t)
- files_dontaudit_read_root_files(gpm_t)
-')
-
optional_policy(`
seutil_sigchld_newrole(gpm_t)
')
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
index f368e3b..e250c07 100644
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -195,11 +195,6 @@ sysnet_read_config(hald_t)
userdom_dontaudit_use_unpriv_user_fds(hald_t)
userdom_dontaudit_search_sysadm_home_dirs(hald_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_generic_ptys(hald_t)
- files_dontaudit_read_root_files(hald_t)
-')
-
optional_policy(`
alsa_domtrans(hald_t)
alsa_read_rw_config(hald_t)
@@ -332,11 +327,6 @@ libs_use_shared_libs(hald_acl_t)
miscfiles_read_localization(hald_acl_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_console(hald_acl_t)
- term_dontaudit_use_generic_ptys(hald_acl_t)
-')
-
########################################
#
# Local hald mac policy
@@ -359,11 +349,6 @@ libs_use_shared_libs(hald_mac_t)
miscfiles_read_localization(hald_mac_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_console(hald_mac_t)
- term_dontaudit_use_generic_ptys(hald_mac_t)
-')
-
########################################
#
# Local hald sonypic policy
@@ -387,11 +372,6 @@ libs_use_shared_libs(hald_sonypic_t)
miscfiles_read_localization(hald_sonypic_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_console(hald_sonypic_t)
- term_dontaudit_use_generic_ptys(hald_sonypic_t)
-')
-
########################################
#
# Hal keymap local policy
diff --git a/policy/modules/services/howl.te b/policy/modules/services/howl.te
index 7e2180b..801d07d 100644
--- a/policy/modules/services/howl.te
+++ b/policy/modules/services/howl.te
@@ -71,12 +71,6 @@ sysnet_read_config(howl_t)
userdom_dontaudit_use_unpriv_user_fds(howl_t)
userdom_dontaudit_search_sysadm_home_dirs(howl_t)
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(howl_t)
- term_dontaudit_use_generic_ptys(howl_t)
- files_dontaudit_read_root_files(howl_t)
-')
-
optional_policy(`
nis_use_ypbind(howl_t)
')
diff --git a/policy/modules/services/i18n_input.te b/policy/modules/services/i18n_input.te
index afa1441..480798f 100644
--- a/policy/modules/services/i18n_input.te
+++ b/policy/modules/services/i18n_input.te
@@ -80,12 +80,6 @@ userdom_dontaudit_use_unpriv_user_fds(i18n_input_t)
userdom_dontaudit_search_sysadm_home_dirs(i18n_input_t)
userdom_read_unpriv_users_home_content_files(i18n_input_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(i18n_input_t)
- term_dontaudit_use_generic_ptys(i18n_input_t)
- files_dontaudit_read_root_files(i18n_input_t)
-')
-
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(i18n_input_t)
fs_read_nfs_symlinks(i18n_input_t)
diff --git a/policy/modules/services/imaze.te b/policy/modules/services/imaze.te
index a998007..92200c7 100644
--- a/policy/modules/services/imaze.te
+++ b/policy/modules/services/imaze.te
@@ -90,12 +90,6 @@ sysnet_read_config(imazesrv_t)
userdom_use_unpriv_users_fds(imazesrv_t)
userdom_dontaudit_search_sysadm_home_dirs(imazesrv_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(imazesrv_t)
- term_dontaudit_use_generic_ptys(imazesrv_t)
- files_dontaudit_read_root_files(imazesrv_t)
-')
-
optional_policy(`
nis_use_ypbind(imazesrv_t)
')
diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
index 72ba249..f952d22 100644
--- a/policy/modules/services/inetd.te
+++ b/policy/modules/services/inetd.te
@@ -151,13 +151,6 @@ ifdef(`enable_mls',`
corenet_tcp_recvfrom_netlabel(inetd_t)
corenet_udp_recvfrom_netlabel(inetd_t)
')
-
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(inetd_t)
- term_dontaudit_use_generic_ptys(inetd_t)
- files_dontaudit_read_root_files(inetd_t)
-')
-
optional_policy(`
amanda_search_lib(inetd_t)
')
@@ -170,12 +163,8 @@ optional_policy(`
udev_read_db(inetd_t)
')
-ifdef(`targeted_policy',`
- unconfined_domain(inetd_t)
-',`
- optional_policy(`
- unconfined_domtrans(inetd_t)
- ')
+optional_policy(`
+ unconfined_domtrans(inetd_t)
')
########################################
@@ -230,11 +219,10 @@ miscfiles_read_localization(inetd_child_t)
sysnet_read_config(inetd_child_t)
-ifdef(`targeted_policy',`
- unconfined_domain(inetd_child_t)
-')
-
optional_policy(`
kerberos_use(inetd_child_t)
')
+optional_policy(`
+ unconfined_domain(inetd_child_t)
+')
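Review bot: The new `optional_policy` block at the end of the hunk makes `inetd_child_t` an unconfined domain whenever the unconfined module is present, whereas the removed lines limited that to the targeted policy; a configuration that previously built the strict policy with the unconfined module loaded presumably now runs its inetd child services unconfined. If that widening is intended for the merged policy it deserves a comment, e.g. `# inetd child services without a specific domain run unconfined when the unconfined module is loaded`; otherwise gating it behind a tunable (the `tunable_policy(...)` form used elsewhere in this diff) would let administrators opt out. The earlier hunk in this file also reduces `inetd_t` itself to `unconfined_domtrans`, so the parent stays confined while its children do not, an asymmetry worth stating in the same comment.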
diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te
index 125b9cb..302cb65 100644
--- a/policy/modules/services/inn.te
+++ b/policy/modules/services/inn.te
@@ -109,12 +109,6 @@ userdom_dontaudit_search_sysadm_home_dirs(innd_t)
mta_send_mail(innd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(innd_t)
- term_dontaudit_use_generic_ptys(innd_t)
- files_dontaudit_read_root_files(innd_t)
-')
-
optional_policy(`
cron_system_entry(innd_t, innd_exec_t)
')
diff --git a/policy/modules/services/ircd.te b/policy/modules/services/ircd.te
index 8551674..da7b457 100644
--- a/policy/modules/services/ircd.te
+++ b/policy/modules/services/ircd.te
@@ -84,12 +84,6 @@ sysnet_read_config(ircd_t)
userdom_dontaudit_use_unpriv_user_fds(ircd_t)
userdom_dontaudit_search_sysadm_home_dirs(ircd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(ircd_t)
- term_dontaudit_use_generic_ptys(ircd_t)
- files_dontaudit_read_root_files(ircd_t)
-')
-
optional_policy(`
nis_use_ypbind(ircd_t)
')
diff --git a/policy/modules/services/irqbalance.te b/policy/modules/services/irqbalance.te
index bfac2d5..5523142 100644
--- a/policy/modules/services/irqbalance.te
+++ b/policy/modules/services/irqbalance.te
@@ -52,12 +52,6 @@ miscfiles_read_localization(irqbalance_t)
userdom_dontaudit_use_unpriv_user_fds(irqbalance_t)
userdom_dontaudit_search_sysadm_home_dirs(irqbalance_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(irqbalance_t)
- term_dontaudit_use_generic_ptys(irqbalance_t)
- files_dontaudit_read_root_files(irqbalance_t)
-')
-
optional_policy(`
seutil_sigchld_newrole(irqbalance_t)
')
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
index 12ae945..8ac8c3c 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -82,12 +82,6 @@ sysnet_read_config(jabberd_t)
userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
userdom_dontaudit_search_sysadm_home_dirs(jabberd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(jabberd_t)
- term_dontaudit_use_generic_ptys(jabberd_t)
- files_dontaudit_read_root_files(jabberd_t)
-')
-
optional_policy(`
nis_use_ypbind(jabberd_t)
')
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index ae02e95..a67c302 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -131,12 +131,6 @@ sysnet_read_config(kadmind_t)
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
userdom_dontaudit_search_sysadm_home_dirs(kadmind_t)
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(kadmind_t)
- term_dontaudit_use_generic_ptys(kadmind_t)
- files_dontaudit_read_root_files(kadmind_t)
-')
-
optional_policy(`
nis_use_ypbind(kadmind_t)
')
@@ -233,12 +227,6 @@ sysnet_read_config(krb5kdc_t)
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(krb5kdc_t)
- term_dontaudit_use_generic_ptys(krb5kdc_t)
- files_dontaudit_read_root_files(krb5kdc_t)
-')
-
optional_policy(`
nis_use_ypbind(krb5kdc_t)
')
diff --git a/policy/modules/services/ktalk.te b/policy/modules/services/ktalk.te
index 6785893..4384504 100644
--- a/policy/modules/services/ktalk.te
+++ b/policy/modules/services/ktalk.te
@@ -78,11 +78,6 @@ miscfiles_read_localization(ktalkd_t)
sysnet_read_config(ktalkd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_generic_ptys(ktalkd_t)
- term_dontaudit_use_unallocated_ttys(ktalkd_t)
-')
-
optional_policy(`
nis_use_ypbind(ktalkd_t)
')
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
index 0b947fd..71d4a5c 100644
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@@ -117,21 +117,6 @@ sysnet_read_config(slapd_t)
userdom_dontaudit_use_unpriv_user_fds(slapd_t)
userdom_dontaudit_search_sysadm_home_dirs(slapd_t)
-ifdef(`targeted_policy',`
- #reh slapcat will want to talk to the terminal
- term_use_generic_ptys(slapd_t)
- term_use_unallocated_ttys(slapd_t)
-
- userdom_search_generic_user_home_dirs(slapd_t)
- #need to be able to read ldif files created by root
- # cjp: fix to not use templated interface:
- userdom_read_user_home_content_files(user,slapd_t)
-
- term_dontaudit_use_unallocated_ttys(slapd_t)
- term_dontaudit_use_generic_ptys(slapd_t)
- files_dontaudit_read_root_files(slapd_t)
-')
-
optional_policy(`
kerberos_use(slapd_t)
')
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index 52c628a..d69c48b 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -103,11 +103,6 @@ libs_use_shared_libs(checkpc_t)
sysnet_read_config(checkpc_t)
-ifdef(`targeted_policy',`
- term_use_generic_ptys(checkpc_t)
- term_use_unallocated_ttys(checkpc_t)
-')
-
optional_policy(`
cron_system_entry(checkpc_t,checkpc_exec_t)
')
@@ -207,12 +202,6 @@ sysnet_read_config(lpd_t)
userdom_dontaudit_use_unpriv_user_fds(lpd_t)
userdom_dontaudit_search_sysadm_home_dirs(lpd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(lpd_t)
- term_dontaudit_use_generic_ptys(lpd_t)
- files_dontaudit_read_root_files(lpd_t)
-')
-
optional_policy(`
nis_use_ypbind(lpd_t)
')
diff --git a/policy/modules/services/monop.te b/policy/modules/services/monop.te
index a8b621c..1b321d0 100644
--- a/policy/modules/services/monop.te
+++ b/policy/modules/services/monop.te
@@ -76,12 +76,6 @@ sysnet_read_config(monopd_t)
userdom_dontaudit_use_unpriv_user_fds(monopd_t)
userdom_dontaudit_search_sysadm_home_dirs(monopd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(monopd_t)
- term_dontaudit_use_generic_ptys(monopd_t)
- files_dontaudit_read_root_files(monopd_t)
-')
-
optional_policy(`
nis_use_ypbind(monopd_t)
')
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 905dbbc..b701897 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -263,10 +263,8 @@ template(`mta_admin_template',`
type $1_mail_t;
')
- ifdef(`strict_policy',`
- # allow the sysadmin to do "mail someone < /home/user/whatever"
- userdom_read_unpriv_users_home_content_files($1_mail_t)
- ')
+ # allow the sysadmin to do "mail someone < /home/user/whatever"
+ userdom_read_unpriv_users_home_content_files($1_mail_t)
optional_policy(`
gen_require(`
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index f4589fc..7d587f5 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -31,14 +31,6 @@ application_executable_file(sendmail_exec_t)
mta_base_mail_template(system)
role system_r types system_mail_t;
-# cjp: need to resolve this, but require{}
-# does not work in the else part of the optional
-#ifdef(`strict_policy',`
-# optional_policy(`',`
-# init_system_domain(system_mail_t,sendmail_exec_t)
-# ')
-#')
-
########################################
#
# System mail local policy
@@ -60,34 +52,6 @@ init_use_script_ptys(system_mail_t)
userdom_use_sysadm_terms(system_mail_t)
userdom_dontaudit_search_sysadm_home_dirs(system_mail_t)
-ifdef(`targeted_policy',`
- typealias system_mail_t alias sysadm_mail_t;
-
- manage_dirs_pattern(system_mail_t,mail_spool_t,mail_spool_t)
- manage_files_pattern(system_mail_t,mail_spool_t,mail_spool_t)
- manage_lnk_files_pattern(system_mail_t,mail_spool_t,mail_spool_t)
- manage_fifo_files_pattern(system_mail_t,mail_spool_t,mail_spool_t)
-
- # for reading .forward - maybe we need a new type for it?
- # also for delivering mail to maildir
- userdom_manage_generic_user_home_content_dirs(mailserver_delivery)
- userdom_manage_generic_user_home_content_files(mailserver_delivery)
- userdom_manage_generic_user_home_content_symlinks(mailserver_delivery)
- userdom_manage_generic_user_home_content_sockets(mailserver_delivery)
- userdom_manage_generic_user_home_content_pipes(mailserver_delivery)
- userdom_generic_user_home_dir_filetrans_generic_user_home_content(mailserver_delivery,{ dir file lnk_file sock_file fifo_file })
-
-# cjp: another require-in-else to resolve
-# optional_policy(`',`
- corecmd_exec_all_executables(system_mail_t)
-
- files_exec_etc_files(system_mail_t)
-
- libs_exec_ld_so(system_mail_t)
- libs_exec_lib_files(system_mail_t)
-# ')
-')
-
optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
apache_append_squirrelmail_data(system_mail_t)
@@ -181,9 +145,11 @@ optional_policy(`
# why is mail delivered to a directory of type arpwatch_data_t?
arpwatch_search_data(mailserver_delivery)
arpwatch_manage_tmp_files(mta_user_agent)
+
ifdef(`hide_broken_symptoms', `
arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
')
+
optional_policy(`
cron_read_system_job_tmp_files(mta_user_agent)
')
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
index 19037dd..a9d33ca 100644
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
@@ -98,12 +98,6 @@ sysnet_read_config(munin_t)
userdom_dontaudit_use_unpriv_user_fds(munin_t)
userdom_dontaudit_search_sysadm_home_dirs(munin_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(munin_t)
- term_dontaudit_use_generic_ptys(munin_t)
- files_dontaudit_read_root_files(munin_t)
-')
-
optional_policy(`
# for accessing the output directory
apache_search_sys_content(munin_t)
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index acb6bd4..fe73b60 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -108,12 +108,6 @@ ifdef(`distro_redhat',`
type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t;
')
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(mysqld_t)
- term_dontaudit_use_generic_ptys(mysqld_t)
- files_dontaudit_read_root_files(mysqld_t)
-')
-
optional_policy(`
daemontools_service_domain(mysqld_t, mysqld_exec_t)
')
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
index 38ef62a..2b1fb2e 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -105,12 +105,6 @@ userdom_dontaudit_search_sysadm_home_dirs(nagios_t)
mta_send_mail(nagios_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(nagios_t)
- term_dontaudit_use_generic_ptys(nagios_t)
- files_dontaudit_read_root_files(nagios_t)
-')
-
optional_policy(`
auth_use_nsswitch(nagios_t)
')
@@ -211,12 +205,6 @@ miscfiles_read_localization(nrpe_t)
userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(nrpe_t)
- term_dontaudit_use_generic_ptys(nrpe_t)
- files_dontaudit_read_root_files(nrpe_t)
-')
-
optional_policy(`
inetd_tcp_service_domain(nrpe_t, nrpe_exec_t)
')
diff --git a/policy/modules/services/nessus.te b/policy/modules/services/nessus.te
index 7f96fef..027d713 100644
--- a/policy/modules/services/nessus.te
+++ b/policy/modules/services/nessus.te
@@ -96,12 +96,6 @@ sysnet_read_config(nessusd_t)
userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
userdom_dontaudit_search_sysadm_home_dirs(nessusd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(nessusd_t)
- term_dontaudit_use_generic_ptys(nessusd_t)
- files_dontaudit_read_root_files(nessusd_t)
-')
-
optional_policy(`
nis_use_ypbind(nessusd_t)
')
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index b403519..03d6c32 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -111,18 +111,8 @@ sysnet_etc_filetrans_config(NetworkManager_t)
userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
userdom_dontaudit_search_sysadm_home_dirs(NetworkManager_t)
userdom_dontaudit_use_unpriv_users_ttys(NetworkManager_t)
-
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(NetworkManager_t)
- term_dontaudit_use_generic_ptys(NetworkManager_t)
- files_dontaudit_read_root_files(NetworkManager_t)
- # Read gnome-keyring
- userdom_read_generic_user_home_content_files(NetworkManager_t)
-
- optional_policy(`
- unconfined_rw_pipes(NetworkManager_t)
- ')
-')
+# Read gnome-keyring
+userdom_read_unpriv_users_home_content_files(NetworkManager_t)
optional_policy(`
bind_domtrans(NetworkManager_t)
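Review bot: `userdom_read_unpriv_users_home_content_files(NetworkManager_t)` is now granted unconditionally, while the line it replaces was limited to the targeted policy; the comment says this is for gnome-keyring, but judging by its name the interface gives the daemon read access to all unprivileged users' home content, and the `unconfined_read_home_content_files` added in the next hunk of this file does the same for unconfined users' homes. Elsewhere in this diff comparable access is gated behind a boolean (openvpn.te: `tunable_policy(`openvpn_enable_homedirs',`), and the same pattern would let administrators opt out here, e.g. `tunable_policy(`networkmanager_read_home_content',` (boolean name constructed) wrapping both calls. Failing that, the comment should say why the daemon needs the whole home tree rather than a dedicated keyring file type, so the grant is not widened further later without that question being asked.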
@@ -183,6 +173,11 @@ optional_policy(`
')
optional_policy(`
+ # Read gnome-keyring
+ unconfined_read_home_content_files(NetworkManager_t)
+')
+
+optional_policy(`
vpn_domtrans(NetworkManager_t)
vpn_signal(NetworkManager_t)
')
diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
index 4337d1a..9e545cc 100644
--- a/policy/modules/services/nis.te
+++ b/policy/modules/services/nis.te
@@ -113,12 +113,6 @@ sysnet_read_config(ypbind_t)
userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
userdom_dontaudit_search_sysadm_home_dirs(ypbind_t)
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(ypbind_t)
- term_dontaudit_use_generic_ptys(ypbind_t)
- files_dontaudit_read_root_files(ypbind_t)
-')
-
optional_policy(`
seutil_sigchld_newrole(ypbind_t)
')
@@ -200,12 +194,6 @@ sysnet_read_config(yppasswdd_t)
userdom_dontaudit_use_unpriv_user_fds(yppasswdd_t)
userdom_dontaudit_search_sysadm_home_dirs(yppasswdd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(yppasswdd_t)
- term_dontaudit_use_generic_ptys(yppasswdd_t)
- files_dontaudit_read_root_files(yppasswdd_t)
-')
-
optional_policy(`
hostname_exec(yppasswdd_t)
')
@@ -289,12 +277,6 @@ sysnet_read_config(ypserv_t)
userdom_dontaudit_use_unpriv_user_fds(ypserv_t)
userdom_dontaudit_search_sysadm_home_dirs(ypserv_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(ypserv_t)
- term_dontaudit_use_generic_ptys(ypserv_t)
- files_dontaudit_read_root_files(ypserv_t)
-')
-
optional_policy(`
seutil_sigchld_newrole(ypserv_t)
')
@@ -350,8 +332,3 @@ logging_send_syslog_msg(ypxfr_t)
miscfiles_read_localization(ypxfr_t)
sysnet_read_config(ypxfr_t)
-
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(ypxfr_t)
- term_dontaudit_use_generic_ptys(ypxfr_t)
-')
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
index b8f70d3..3cd96ed 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -106,12 +106,6 @@ sysnet_read_config(nscd_t)
userdom_dontaudit_use_unpriv_user_fds(nscd_t)
userdom_dontaudit_search_sysadm_home_dirs(nscd_t)
-ifdef(`targeted_policy',`
- term_use_unallocated_ttys(nscd_t)
- term_use_generic_ptys(nscd_t)
- files_dontaudit_read_root_files(nscd_t)
-')
-
optional_policy(`
udev_read_db(nscd_t)
')
diff --git a/policy/modules/services/nsd.te b/policy/modules/services/nsd.te
index 5debc19..17c540a 100644
--- a/policy/modules/services/nsd.te
+++ b/policy/modules/services/nsd.te
@@ -98,12 +98,6 @@ sysnet_read_config(nsd_t)
userdom_dontaudit_use_unpriv_user_fds(nsd_t)
userdom_dontaudit_search_sysadm_home_dirs(nsd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(nsd_t)
- term_dontaudit_use_generic_ptys(nsd_t)
- files_dontaudit_read_root_files(nsd_t)
-')
-
optional_policy(`
nis_use_ypbind(nsd_t)
')
diff --git a/policy/modules/services/ntop.te b/policy/modules/services/ntop.te
index 9fe22ab..1d50ebf 100644
--- a/policy/modules/services/ntop.te
+++ b/policy/modules/services/ntop.te
@@ -94,12 +94,6 @@ sysnet_read_config(ntop_t)
userdom_dontaudit_use_unpriv_user_fds(ntop_t)
userdom_dontaudit_search_sysadm_home_dirs(ntop_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(ntop_t)
- term_dontaudit_use_generic_ptys(ntop_t)
- files_dontaudit_read_root_files(ntop_t)
-')
-
optional_policy(`
seutil_sigchld_newrole(ntop_t)
')
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index 0847b2e..cb1690a 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -111,18 +111,6 @@ userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
userdom_list_sysadm_home_dirs(ntpd_t)
userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(ntpd_t)
- term_dontaudit_use_generic_ptys(ntpd_t)
- files_dontaudit_read_root_files(ntpd_t)
-
- optional_policy(`
- # The Gnome date GUI code is requesting that
- # the ntp code change the date of the machine.
- unconfined_rw_pipes(ntpd_t)
- ')
-')
-
optional_policy(`
# for cron jobs
cron_system_entry(ntpd_t,ntpdate_exec_t)
diff --git a/policy/modules/services/oav.te b/policy/modules/services/oav.te
index 7a3c9f5..96bb8a9 100644
--- a/policy/modules/services/oav.te
+++ b/policy/modules/services/oav.te
@@ -144,12 +144,6 @@ sysnet_read_config(scannerdaemon_t)
userdom_dontaudit_use_unpriv_user_fds(scannerdaemon_t)
userdom_dontaudit_search_sysadm_home_dirs(scannerdaemon_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(scannerdaemon_t)
- term_dontaudit_use_generic_ptys(scannerdaemon_t)
- files_dontaudit_read_root_files(scannerdaemon_t)
-')
-
optional_policy(`
seutil_sigchld_newrole(scannerdaemon_t)
')
diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te
index c2d7c5f..c4049a0 100644
--- a/policy/modules/services/oddjob.te
+++ b/policy/modules/services/oddjob.te
@@ -54,11 +54,6 @@ miscfiles_read_localization(oddjob_t)
locallogin_dontaudit_use_fds(oddjob_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_generic_ptys(oddjob_t)
- term_dontaudit_use_unallocated_ttys(oddjob_t)
-')
-
optional_policy(`
dbus_system_bus_client_template(oddjob,oddjob_t)
dbus_send_system_bus(oddjob_t)
diff --git a/policy/modules/services/openct.te b/policy/modules/services/openct.te
index 2e3e602..687ab2c 100644
--- a/policy/modules/services/openct.te
+++ b/policy/modules/services/openct.te
@@ -54,12 +54,6 @@ userdom_dontaudit_search_sysadm_home_dirs(openct_t)
openct_exec(openct_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(openct_t)
- term_dontaudit_use_generic_ptys(openct_t)
- files_dontaudit_read_root_files(openct_t)
-')
-
optional_policy(`
seutil_sigchld_newrole(openct_t)
')
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index 55900a2..70092cb 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -96,11 +96,6 @@ miscfiles_read_certs(openvpn_t)
sysnet_dns_name_resolve(openvpn_t)
sysnet_exec_ifconfig(openvpn_t)
-ifdef(`targeted_policy',`
- # Need to interact with terminals if config option "auth-user-pass" is used
- term_use_generic_ptys(openvpn_t)
-')
-
tunable_policy(`openvpn_enable_homedirs',`
userdom_read_unpriv_users_home_content_files(openvpn_t)
')
diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te
index ee1be00..7e08dde 100644
--- a/policy/modules/services/pcscd.te
+++ b/policy/modules/services/pcscd.te
@@ -58,11 +58,6 @@ miscfiles_read_localization(pcscd_t)
sysnet_dns_name_resolve(pcscd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_generic_ptys(pcscd_t)
- term_dontaudit_use_unallocated_ttys(pcscd_t)
-')
-
optional_policy(`
openct_stream_connect(pcscd_t)
openct_read_pid_files(pcscd_t)
diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te
index a0ae68d..ea9e256 100644
--- a/policy/modules/services/pegasus.te
+++ b/policy/modules/services/pegasus.te
@@ -121,13 +121,6 @@ sysnet_read_config(pegasus_t)
userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
userdom_dontaudit_search_sysadm_home_dirs(pegasus_t)
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(pegasus_t)
- term_dontaudit_use_generic_ptys(pegasus_t)
- files_dontaudit_read_root_files(pegasus_t)
- unconfined_signull(pegasus_t)
-')
-
optional_policy(`
logging_send_syslog_msg(pegasus_t)
')
@@ -144,3 +137,7 @@ optional_policy(`
optional_policy(`
udev_read_db(pegasus_t)
')
+
+optional_policy(`
+ unconfined_signull(pegasus_t)
+')
diff --git a/policy/modules/services/perdition.te b/policy/modules/services/perdition.te
index 9634866..a817d46 100644
--- a/policy/modules/services/perdition.te
+++ b/policy/modules/services/perdition.te
@@ -70,12 +70,6 @@ sysnet_read_config(perdition_t)
userdom_dontaudit_use_unpriv_user_fds(perdition_t)
userdom_dontaudit_search_sysadm_home_dirs(perdition_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(perdition_t)
- term_dontaudit_use_generic_ptys(perdition_t)
- files_dontaudit_read_root_files(perdition_t)
-')
-
optional_policy(`
seutil_sigchld_newrole(perdition_t)
')
diff --git a/policy/modules/services/portmap.te b/policy/modules/services/portmap.te
index 89033f2..27ef494 100644
--- a/policy/modules/services/portmap.te
+++ b/policy/modules/services/portmap.te
@@ -89,12 +89,6 @@ sysnet_read_config(portmap_t)
userdom_dontaudit_use_unpriv_user_fds(portmap_t)
userdom_dontaudit_search_sysadm_home_dirs(portmap_t)
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(portmap_t)
- term_dontaudit_use_generic_ptys(portmap_t)
- files_dontaudit_read_root_files(portmap_t)
-')
-
optional_policy(`
nis_use_ypbind(portmap_t)
')
@@ -158,11 +152,6 @@ sysnet_read_config(portmap_helper_t)
userdom_dontaudit_use_all_users_fds(portmap_helper_t)
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(portmap_helper_t)
- term_dontaudit_use_generic_ptys(portmap_helper_t)
-')
-
optional_policy(`
nis_use_ypbind(portmap_helper_t)
')
diff --git a/policy/modules/services/portslave.te b/policy/modules/services/portslave.te
index 3cac76a..9ba5db8 100644
--- a/policy/modules/services/portslave.te
+++ b/policy/modules/services/portslave.te
@@ -112,12 +112,6 @@ ppp_pid_filetrans(portslave_t)
ssh_exec(portslave_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(portslave_t)
- term_dontaudit_use_generic_ptys(portslave_t)
- files_dontaudit_read_root_files(portslave_t)
-')
-
optional_policy(`
inetd_tcp_service_domain(portslave_t,portslave_exec_t)
')
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
index bafbdf8..7e4e584 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -93,12 +93,6 @@ template(`postfix_domain_template',`
userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t)
- ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(postfix_$1_t)
- term_dontaudit_use_generic_ptys(postfix_$1_t)
- files_dontaudit_read_root_files(postfix_$1_t)
- ')
-
optional_policy(`
nscd_socket_use(postfix_$1_t)
')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 6191453..108c89c 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -180,12 +180,6 @@ mta_read_sendmail_bin(postfix_master_t)
optional_policy(`
auth_use_nsswitch(postfix_master_t)
')
-
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(postfix_master_t)
- term_dontaudit_use_generic_ptys(postfix_master_t)
-')
-
optional_policy(`
cyrus_stream_connect(postfix_master_t)
')
@@ -200,10 +194,6 @@ optional_policy(`
')
optional_policy(`
- nis_use_ypbind(postfix_master_t)
-')
-
-optional_policy(`
sendmail_signal(postfix_master_t)
')
@@ -363,11 +353,6 @@ seutil_read_config(postfix_map_t)
sysnet_read_config(postfix_map_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(postfix_map_t)
- term_dontaudit_use_generic_ptys(postfix_map_t)
-')
-
tunable_policy(`read_default_t',`
files_list_default(postfix_map_t)
files_read_default_files(postfix_map_t)
@@ -452,11 +437,6 @@ sysnet_dns_name_resolve(postfix_postdrop_t)
mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
-ifdef(`targeted_policy', `
- term_use_unallocated_ttys(postfix_postdrop_t)
- term_use_generic_ptys(postfix_postdrop_t)
-')
-
optional_policy(`
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index f1d1623..7c384f1 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -136,12 +136,6 @@ userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
mta_getattr_spool(postgresql_t)
-ifdef(`targeted_policy', `
- files_dontaudit_read_root_files(postgresql_t)
- term_dontaudit_use_generic_ptys(postgresql_t)
- term_dontaudit_use_unallocated_ttys(postgresql_t)
-')
-
tunable_policy(`allow_execmem',`
allow postgresql_t self:process execmem;
')
@@ -174,19 +168,3 @@ optional_policy(`
optional_policy(`
udev_read_db(postgresql_t)
')
-
-ifdef(`TODO',`
-ifdef(`distro_debian', `
- init_exec_script_files(postgresql_t)
- # gross hack
- postgresql_domtrans(dpkg_t)
- can_exec(postgresql_t, dpkg_exec_t)
-')
-
-ifdef(`distro_gentoo', `
- allow postgresql_t initrc_su_t:process { sigchld };
- # "su - postgres ..." is called from initrc_t
- postgresql_search_db(initrc_su_t)
- dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
-')
-')
diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te
index df44c63..5d29747 100644
--- a/policy/modules/services/postgrey.te
+++ b/policy/modules/services/postgrey.te
@@ -80,12 +80,6 @@ sysnet_read_config(postgrey_t)
userdom_dontaudit_use_unpriv_user_fds(postgrey_t)
userdom_dontaudit_search_sysadm_home_dirs(postgrey_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(postgrey_t)
- term_dontaudit_use_generic_ptys(postgrey_t)
- files_dontaudit_read_root_files(postgrey_t)
-')
-
optional_policy(`
nis_use_ypbind(postgrey_t)
')
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
index fdf23d6..4739329 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -13,14 +13,12 @@ policy_module(ppp,1.5.0)
## </desc>
gen_tunable(pppd_can_insmod,false)
-ifdef(`strict_policy',`
## <desc>
## <p>
## Allow pppd to be run for a regular user
## </p>
## </desc>
gen_tunable(pppd_for_user,false)
-')
# pppd_t is the domain for the pppd program.
# pppd_exec_t is the type of the pppd executable.
@@ -184,12 +182,6 @@ userdom_search_unpriv_users_home_dirs(pppd_t)
ppp_exec(pppd_t)
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(pppd_t)
- term_dontaudit_use_generic_ptys(pppd_t)
- files_dontaudit_read_root_files(pppd_t)
-')
-
optional_policy(`
ddclient_domtrans(pppd_t)
')
@@ -295,12 +287,6 @@ sysnet_read_config(pptp_t)
userdom_dontaudit_use_unpriv_user_fds(pptp_t)
userdom_dontaudit_search_sysadm_home_dirs(pptp_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(pptp_t)
- term_dontaudit_use_generic_ptys(pptp_t)
- files_dontaudit_read_root_files(pptp_t)
-')
-
optional_policy(`
consoletype_exec(pppd_t)
')
diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te
index c8391e7..92e1525 100644
--- a/policy/modules/services/privoxy.te
+++ b/policy/modules/services/privoxy.te
@@ -80,12 +80,6 @@ userdom_dontaudit_search_sysadm_home_dirs(privoxy_t)
# cjp: this should really not be needed
userdom_use_sysadm_terms(privoxy_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(privoxy_t)
- term_dontaudit_use_generic_ptys(privoxy_t)
- files_dontaudit_read_root_files(privoxy_t)
-')
-
optional_policy(`
nis_use_ypbind(privoxy_t)
')
diff --git a/policy/modules/services/pxe.te b/policy/modules/services/pxe.te
index 2e16ef3..a0b7d91 100644
--- a/policy/modules/services/pxe.te
+++ b/policy/modules/services/pxe.te
@@ -58,12 +58,6 @@ miscfiles_read_localization(pxe_t)
userdom_dontaudit_use_unpriv_user_fds(pxe_t)
userdom_dontaudit_search_sysadm_home_dirs(pxe_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(pxe_t)
- term_dontaudit_use_generic_ptys(pxe_t)
- files_dontaudit_read_root_files(pxe_t)
-')
-
optional_policy(`
seutil_sigchld_newrole(pxe_t)
')
diff --git a/policy/modules/services/pyzor.fc b/policy/modules/services/pyzor.fc
index 0fbe17a..c512523 100644
--- a/policy/modules/services/pyzor.fc
+++ b/policy/modules/services/pyzor.fc
@@ -1,11 +1,9 @@
/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
+HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:ROLE_pyzor_home_t,s0)
+
/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
/var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0)
/var/log/pyzord\.log -- gen_context(system_u:object_r:pyzord_log_t,s0)
-
-ifdef(`strict_policy',`
-HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:ROLE_pyzor_home_t,s0)
-')
diff --git a/policy/modules/services/pyzor.if b/policy/modules/services/pyzor.if
index 63cd7ec..4589fd1 100644
--- a/policy/modules/services/pyzor.if
+++ b/policy/modules/services/pyzor.if
@@ -1,5 +1,42 @@
## <summary>Pyzor is a distributed, collaborative spam detection and filtering network.</summary>
+#######################################
+## <summary>
+## The per role template for the pyzor module.
+## </summary>
+## <desc>
+## <p>
+## This template allows pyzor to manage files in
+## a user home directory, creating files with the
+## correct type.
+## </p>
+## <p>
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+#
+template(`pyzor_per_role_template',`
+ gen_require(`
+ type pyzord_t;
+ ')
+
+ type $1_pyzor_home_t;
+ userdom_user_home_content($1, $1_pyzor_home_t)
+
+ manage_dirs_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t)
+ manage_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t)
+ manage_lnk_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t)
+ userdom_user_home_dir_filetrans($1, pyzord_t, $1_pyzor_home_t, { dir file lnk_file })
+')
+
########################################
## <summary>
## Send generic signals to pyzor
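Review bot: The relocated `pyzor_per_role_template` no longer calls `userdom_search_user_home_dirs($1,pyzord_t)`, which the copy removed further down in this file had between the manage_*_pattern lines and the filetrans. Unless `userdom_user_home_dir_filetrans` now also grants search on the user's home directory, pyzord_t may be unable to reach `$1_pyzor_home_t` beneath it, and that is worth confirming against userdomain.if. If the drop is intentional, a one-line comment such as `# home dir search is granted by userdom_user_home_dir_filetrans` above the filetrans call would stop the next reader from re-adding it. The template body is complete within this hunk.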
@@ -57,41 +94,3 @@ interface(`pyzor_exec',`
corecmd_search_bin($1)
can_exec($1,pyzor_exec_t)
')
-
-#######################################
-## <summary>
-## The per role template for the pyzor module.
-## </summary>
-## <desc>
-## <p>
-## This template allows pyzor to manage files in
-## a user home directory, creating files with the
-## correct type.
-## </p>
-## <p>
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-## </p>
-## </desc>
-## <param name="userdomain_prefix">
-## <summary>
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-## </summary>
-## </param>
-#
-template(`pyzor_per_role_template',`
- gen_require(`
- type pyzord_t;
- ')
-
- type $1_pyzor_home_t;
- userdom_user_home_content($1,$1_pyzor_home_t)
-
- manage_dirs_pattern(pyzord_t,$1_pyzor_home_t,$1_pyzor_home_t)
- manage_files_pattern(pyzord_t,$1_pyzor_home_t,$1_pyzor_home_t)
- manage_lnk_files_pattern(pyzord_t,$1_pyzor_home_t,$1_pyzor_home_t)
- userdom_search_user_home_dirs($1,pyzord_t)
- userdom_user_home_dir_filetrans($1,pyzord_t,$1_pyzor_home_t,{ dir file lnk_file })
-')
diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te
index 4c8692b..c14302b 100644
--- a/policy/modules/services/pyzor.te
+++ b/policy/modules/services/pyzor.te
@@ -70,10 +70,6 @@ miscfiles_read_localization(pyzor_t)
userdom_dontaudit_search_sysadm_home_dirs(pyzor_t)
-ifdef(`targeted_policy',`
- userdom_read_generic_user_home_content_files(pyzor_t)
-')
-
optional_policy(`
amavis_manage_lib_files(pyzor_t)
amavis_manage_spool_files(pyzor_t)
@@ -137,13 +133,6 @@ userdom_dontaudit_search_staff_home_dirs(pyzord_t)
mta_manage_spool(pyzord_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_generic_ptys(pyzord_t)
- term_dontaudit_use_unallocated_ttys(pyzord_t)
-
- userdom_read_generic_user_home_content_files(pyzord_t)
-')
-
optional_policy(`
logging_send_syslog_msg(pyzord_t)
')
diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
index c95dccf..4563434 100644
--- a/policy/modules/services/radius.te
+++ b/policy/modules/services/radius.te
@@ -107,12 +107,6 @@ userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
userdom_dontaudit_search_sysadm_home_dirs(radiusd_t)
userdom_dontaudit_getattr_sysadm_home_dirs(radiusd_t)
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(radiusd_t)
- term_dontaudit_use_generic_ptys(radiusd_t)
- files_dontaudit_read_root_files(radiusd_t)
-')
-
optional_policy(`
cron_system_entry(radiusd_t,radiusd_exec_t)
')
diff --git a/policy/modules/services/radvd.te b/policy/modules/services/radvd.te
index 6aba1be..d56b426 100644
--- a/policy/modules/services/radvd.te
+++ b/policy/modules/services/radvd.te
@@ -71,12 +71,6 @@ sysnet_read_config(radvd_t)
userdom_dontaudit_use_unpriv_user_fds(radvd_t)
userdom_dontaudit_search_sysadm_home_dirs(radvd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(radvd_t)
- term_dontaudit_use_generic_ptys(radvd_t)
- files_dontaudit_read_root_files(radvd_t)
-')
-
optional_policy(`
nis_use_ypbind(radvd_t)
')
diff --git a/policy/modules/services/razor.fc b/policy/modules/services/razor.fc
index ad74d5b..d50875b 100644
--- a/policy/modules/services/razor.fc
+++ b/policy/modules/services/razor.fc
@@ -1,6 +1,4 @@
-ifdef(`strict_policy',`
HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:ROLE_razor_home_t,s0)
-')
/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
diff --git a/policy/modules/services/rdisc.te b/policy/modules/services/rdisc.te
index df9d7d0..d9af172 100644
--- a/policy/modules/services/rdisc.te
+++ b/policy/modules/services/rdisc.te
@@ -51,12 +51,6 @@ sysnet_read_config(rdisc_t)
userdom_dontaudit_use_unpriv_user_fds(rdisc_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(rdisc_t)
- term_dontaudit_use_generic_ptys(rdisc_t)
- files_dontaudit_read_root_files(rdisc_t)
-')
-
optional_policy(`
seutil_sigchld_newrole(rdisc_t)
')
diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te
index bd2d695..c641ea5 100644
--- a/policy/modules/services/remotelogin.te
+++ b/policy/modules/services/remotelogin.te
@@ -95,11 +95,6 @@ userdom_spec_domtrans_unpriv_users(remote_login_t)
# Search for mail spool file.
mta_getattr_spool(remote_login_t)
-ifdef(`targeted_policy',`
- unconfined_domain(remote_login_t)
- unconfined_shell_domtrans(remote_login_t)
-')
-
tunable_policy(`read_default_t',`
files_list_default(remote_login_t)
files_read_default_files(remote_login_t)
@@ -131,5 +126,10 @@ optional_policy(`
')
optional_policy(`
+ unconfined_domain(remote_login_t)
+ unconfined_shell_domtrans(remote_login_t)
+')
+
+optional_policy(`
usermanage_read_crack_db(remote_login_t)
')
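Review bot: `unconfined_domain(remote_login_t)` and `unconfined_shell_domtrans(remote_login_t)` are now applied whenever the unconfined module is loaded instead of only under the targeted build, so on a merged policy that also confines users the remote login daemon becomes unconfined with no tunable to opt out. A comment above the block stating the intent, e.g. `# remote_login_t is unconfined whenever the unconfined module is present (former targeted_policy behaviour)`, and consideration of a tunable gate would make the widening explicit to anyone auditing the policy. The same move appears in rshd.te (`unconfined_shell_domtrans(rshd_t)`) and ricci.te (`unconfined_domain(ricci_modcluster_t)`, still marked `XXX This has got to go.`); one note covers all three.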
diff --git a/policy/modules/services/resmgr.te b/policy/modules/services/resmgr.te
index a593279..c4d31a3 100644
--- a/policy/modules/services/resmgr.te
+++ b/policy/modules/services/resmgr.te
@@ -61,12 +61,6 @@ miscfiles_read_localization(resmgrd_t)
userdom_dontaudit_use_unpriv_user_fds(resmgrd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(resmgrd_t)
- term_dontaudit_use_generic_ptys(resmgrd_t)
- files_dontaudit_read_root_files(resmgrd_t)
-')
-
optional_policy(`
seutil_sigchld_newrole(resmgrd_t)
')
diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te
index e6bddbb..773d785 100644
--- a/policy/modules/services/rhgb.te
+++ b/policy/modules/services/rhgb.te
@@ -31,6 +31,9 @@ allow rhgb_t self:tcp_socket create_socket_perms;
allow rhgb_t self:udp_socket create_socket_perms;
allow rhgb_t self:netlink_route_socket r_netlink_socket_perms;
+allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr };
+term_create_pty(rhgb_t,rhgb_devpts_t)
+
manage_dirs_pattern(rhgb_t,rhgb_tmpfs_t,rhgb_tmpfs_t)
manage_files_pattern(rhgb_t,rhgb_tmpfs_t,rhgb_tmpfs_t)
manage_lnk_files_pattern(rhgb_t,rhgb_tmpfs_t,rhgb_tmpfs_t)
@@ -114,20 +117,7 @@ xserver_kill_xdm_xserver(rhgb_t)
xserver_read_xkb_libs(rhgb_t)
xserver_domtrans_xdm_xserver(rhgb_t)
xserver_signal_xdm_xserver(rhgb_t)
-
-ifdef(`strict_policy',`
- allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr };
- term_create_pty(rhgb_t,rhgb_devpts_t)
-', `
- files_dontaudit_read_root_files(rhgb_t)
-
- term_use_generic_ptys(rhgb_t)
- term_setattr_generic_ptys(rhgb_t)
- term_dontaudit_use_unallocated_ttys(rhgb_t)
-
- xserver_domtrans_xdm_xserver(rhgb_t)
- xserver_read_xdm_tmp_files(rhgb_t)
-')
+xserver_read_xdm_tmp_files(rhgb_t)
optional_policy(`
consoletype_exec(rhgb_t)
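Review bot: The non-strict branch of the removed `ifdef(`strict_policy',...)` granted `term_use_generic_ptys(rhgb_t)`, `term_setattr_generic_ptys(rhgb_t)` and two dontaudit rules, and none of these are carried into the merged policy; only the strict side (`rhgb_devpts_t` plus `term_create_pty`, added in the first hunk of this file) and `xserver_read_xdm_tmp_files(rhgb_t)` survive. If the pty rhgb opens is not always labelled `rhgb_devpts_t` on former targeted installs this will surface as new terminal denials, so it is worth confirming. If generic pty use is genuinely not needed, restoring at least `term_dontaudit_use_unallocated_ttys(rhgb_t)` and `files_dontaudit_read_root_files(rhgb_t)` would keep the audit log free of the noise those rules were silencing.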
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
index f467c11..0c49eda 100644
--- a/policy/modules/services/ricci.te
+++ b/policy/modules/services/ricci.te
@@ -153,11 +153,6 @@ miscfiles_read_localization(ricci_t)
sysnet_dns_name_resolve(ricci_t)
-ifdef(`targeted_policy', `
- term_dontaudit_use_generic_ptys(ricci_t)
- term_dontaudit_use_unallocated_ttys(ricci_t)
-')
-
optional_policy(`
ccs_read_config(ricci_t)
')
@@ -255,8 +250,10 @@ optional_policy(`
oddjob_system_entry(ricci_modcluster_t, ricci_modcluster_exec_t)
')
-# XXX This has got to go.
-unconfined_domain(ricci_modcluster_t)
+optional_policy(`
+ # XXX This has got to go.
+ unconfined_domain(ricci_modcluster_t)
+')
########################################
#
@@ -317,11 +314,6 @@ miscfiles_read_localization(ricci_modclusterd_t)
sysnet_domtrans_ifconfig(ricci_modclusterd_t)
sysnet_dns_name_resolve(ricci_modclusterd_t)
-ifdef(`targeted_policy', `
- term_dontaudit_use_generic_ptys(ricci_modclusterd_t)
- term_dontaudit_use_unallocated_ttys(ricci_modclusterd_t)
-')
-
optional_policy(`
ccs_domtrans(ricci_modclusterd_t)
ccs_stream_connect(ricci_modclusterd_t)
diff --git a/policy/modules/services/roundup.te b/policy/modules/services/roundup.te
index dfb7e36..c1f3a8e 100644
--- a/policy/modules/services/roundup.te
+++ b/policy/modules/services/roundup.te
@@ -83,12 +83,6 @@ sysnet_read_config(roundup_t)
userdom_dontaudit_use_unpriv_user_fds(roundup_t)
userdom_dontaudit_search_sysadm_home_dirs(roundup_t)
-ifdef(`targeted_policy',`
- files_dontaudit_read_root_files(roundup_t)
- term_dontaudit_use_unallocated_ttys(roundup_t)
- term_dontaudit_use_generic_ptys(roundup_t)
-')
-
optional_policy(`
mysql_stream_connect(roundup_t)
mysql_search_db(roundup_t)
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
index bbf5f41..9046f67 100644
--- a/policy/modules/services/rpc.if
+++ b/policy/modules/services/rpc.if
@@ -112,12 +112,6 @@ template(`rpc_domain_template', `
userdom_dontaudit_use_unpriv_user_fds($1_t)
- ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys($1_t)
- term_dontaudit_use_generic_ptys($1_t)
- files_dontaudit_read_root_files($1_t)
- ')
-
optional_policy(`
nis_use_ypbind($1_t)
')
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 8db6b2b..667b237 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -158,13 +158,6 @@ files_read_usr_symlinks(gssd_t)
miscfiles_read_certs(gssd_t)
-ifdef(`targeted_policy',`
- files_read_generic_tmp_files(gssd_t)
- files_read_generic_tmp_symlinks(gssd_t)
- # Manage the users kerberos tgt file
- files_manage_generic_tmp_files(gssd_t)
-')
-
tunable_policy(`allow_gssd_read_tmp',`
userdom_list_unpriv_users_tmp(gssd_t)
userdom_read_unpriv_users_tmp_files(gssd_t)
diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te
index c5f3df4..94834ff 100644
--- a/policy/modules/services/rshd.te
+++ b/policy/modules/services/rshd.te
@@ -66,10 +66,6 @@ sysnet_read_config(rshd_t)
userdom_search_all_users_home_content(rshd_t)
-ifdef(`targeted_policy',`
- unconfined_shell_domtrans(rshd_t)
-')
-
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(rshd_t)
fs_read_nfs_symlinks(rshd_t)
@@ -91,3 +87,7 @@ optional_policy(`
optional_policy(`
tcpd_wrapped_domain(rshd_t,rshd_exec_t)
')
+
+optional_policy(`
+ unconfined_shell_domtrans(rshd_t)
+')
diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te
index fd90e48..1a7e8ff 100644
--- a/policy/modules/services/rwho.te
+++ b/policy/modules/services/rwho.te
@@ -59,8 +59,3 @@ libs_use_shared_libs(rwho_t)
miscfiles_read_localization(rwho_t)
sysnet_dns_name_resolve(rwho_t)
-
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(rwho_t)
- term_dontaudit_use_generic_ptys(rwho_t)
-')
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
index ecda9ab..51543ca 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
@@ -114,6 +114,38 @@ interface(`samba_domtrans_smbmount',`
########################################
## <summary>
+## Execute smbmount interactively and do
+## a domain transition to the smbmount domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed acces.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the smbmount domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the smbmount domain to use.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_run_smbmount',`
+ gen_require(`
+ type smbmount_t;
+ ')
+
+ samba_domtrans_smbmount($1)
+ role $2 types smbmount_t;
+ allow smbmount_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
## Allow the specified domain to read
## samba configuration files.
## </summary>
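Review bot: The doc block of the new `samba_run_smbmount` interface has a typo and an awkward parameter description: `## Domain allowed acces.` should read `## Domain allowed access.`, and `## The type of the terminal allow the smbmount domain to use.` reads better as `## The type of the terminal the smbmount domain is allowed to use.`. Since this commit also drops `term_use_controlling_term(smbmount_t)` and `userdom_use_sysadm_ttys(smbmount_t)` from samba.te, terminal access for smbmount_t is now granted only through the `$3` argument of this interface, which is worth a sentence in the summary so callers know the terminal parameter is not optional. The interface body is complete within the hunk.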
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index be13a29..e3fe1e4 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -86,13 +86,6 @@ files_type(samba_secrets_t)
type samba_share_t; # customizable
files_type(samba_share_t)
-type samba_unconfined_script_t;
-type samba_unconfined_script_exec_t;
-domain_type(samba_unconfined_script_t)
-domain_entry_file(samba_unconfined_script_t,samba_unconfined_script_exec_t)
-corecmd_shell_entry_type(samba_unconfined_script_t)
-role system_r types samba_unconfined_script_t;
-
type samba_var_t;
files_type(samba_var_t)
@@ -202,11 +195,6 @@ sysnet_use_ldap(samba_net_t)
userdom_dontaudit_search_sysadm_home_dirs(samba_net_t)
-ifdef(`targeted_policy',`
- term_use_generic_ptys(samba_net_t)
- term_use_unallocated_ttys(samba_net_t)
-')
-
optional_policy(`
kerberos_use(samba_net_t)
')
@@ -345,12 +333,6 @@ ifdef(`hide_broken_symptoms', `
fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
')
-ifdef(`targeted_policy', `
- files_dontaudit_read_root_files(smbd_t)
- term_dontaudit_use_generic_ptys(smbd_t)
- term_dontaudit_use_unallocated_ttys(smbd_t)
-')
-
tunable_policy(`allow_smbd_anon_write',`
miscfiles_manage_public_files(smbd_t)
')
@@ -486,12 +468,6 @@ userdom_dontaudit_search_sysadm_home_dirs(nmbd_t)
userdom_dontaudit_use_unpriv_user_fds(nmbd_t)
userdom_use_unpriv_users_fds(nmbd_t)
-ifdef(`targeted_policy', `
- files_dontaudit_read_root_files(nmbd_t)
- term_dontaudit_use_generic_ptys(nmbd_t)
- term_dontaudit_use_unallocated_ttys(nmbd_t)
-')
-
optional_policy(`
nis_use_ypbind(nmbd_t)
')
@@ -557,7 +533,6 @@ storage_raw_read_fixed_disk(smbmount_t)
storage_raw_write_fixed_disk(smbmount_t)
term_list_ptys(smbmount_t)
-term_use_controlling_term(smbmount_t)
corecmd_list_bin(smbmount_t)
@@ -581,11 +556,6 @@ logging_search_logs(smbmount_t)
sysnet_read_config(smbmount_t)
userdom_use_all_users_fds(smbmount_t)
-userdom_use_sysadm_ttys(smbmount_t)
-
-optional_policy(`
- cups_read_rw_config(smbd_t)
-')
optional_policy(`
nis_use_ypbind(smbmount_t)
@@ -783,12 +753,6 @@ userdom_dontaudit_use_unpriv_user_fds(winbind_t)
userdom_dontaudit_search_sysadm_home_dirs(winbind_t)
userdom_priveleged_home_dir_manager(winbind_t)
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(winbind_t)
- term_dontaudit_use_generic_ptys(winbind_t)
- files_dontaudit_read_root_files(winbind_t)
-')
-
optional_policy(`
kerberos_use(winbind_t)
')
@@ -833,11 +797,6 @@ logging_send_syslog_msg(winbind_helper_t)
miscfiles_read_localization(winbind_helper_t)
-ifdef(`targeted_policy',`
- term_use_generic_ptys(winbind_helper_t)
- term_use_unallocated_ttys(winbind_helper_t)
-')
-
optional_policy(`
nscd_socket_use(winbind_helper_t)
')
@@ -852,11 +811,20 @@ optional_policy(`
# samba_unconfined_script_t local policy
#
-allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
-allow smbd_t samba_unconfined_script_exec_t:file ioctl;
+optional_policy(`
+ type samba_unconfined_script_t;
+ type samba_unconfined_script_exec_t;
+ domain_type(samba_unconfined_script_t)
+ domain_entry_file(samba_unconfined_script_t,samba_unconfined_script_exec_t)
+ corecmd_shell_entry_type(samba_unconfined_script_t)
+ role system_r types samba_unconfined_script_t;
+
+ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
+ allow smbd_t samba_unconfined_script_exec_t:file ioctl;
-unconfined_domain(samba_unconfined_script_t)
+ unconfined_domain(samba_unconfined_script_t)
-tunable_policy(`samba_run_unconfined',`
- domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
+ tunable_policy(`samba_run_unconfined',`
+ domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
+ ')
')
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
index 6b2b547..dd7b0bd 100644
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
@@ -91,13 +91,7 @@ sysnet_read_config(saslauthd_t)
userdom_dontaudit_use_unpriv_user_fds(saslauthd_t)
userdom_dontaudit_search_sysadm_home_dirs(saslauthd_t)
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(saslauthd_t)
- term_dontaudit_use_generic_ptys(saslauthd_t)
- files_dontaudit_read_root_files(saslauthd_t)
-')
-
-# cjp: typeattribute dont work in conditionals yet
+# cjp: typeattribute doesnt work in conditionals
auth_can_read_shadow_passwords(saslauthd_t)
tunable_policy(`allow_saslauthd_read_shadow',`
auth_tunable_read_shadow(saslauthd_t)
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
index 076e7d5..4de2953 100644
--- a/policy/modules/services/sendmail.te
+++ b/policy/modules/services/sendmail.te
@@ -108,12 +108,6 @@ mta_rw_aliases(sendmail_t)
mta_manage_queue(sendmail_t)
mta_manage_spool(sendmail_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(sendmail_t)
- term_dontaudit_use_generic_ptys(sendmail_t)
- files_dontaudit_read_root_files(sendmail_t)
-')
-
optional_policy(`
clamav_search_lib(sendmail_t)
')
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
index 4f8e9a2..bcb7129 100644
--- a/policy/modules/services/setroubleshoot.te
+++ b/policy/modules/services/setroubleshoot.te
@@ -106,11 +106,6 @@ sysnet_read_config(setroubleshootd_t)
userdom_dontaudit_read_sysadm_home_content_files(setroubleshootd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_generic_ptys(setroubleshootd_t)
- term_dontaudit_use_unallocated_ttys(setroubleshootd_t)
-')
-
optional_policy(`
rpm_read_db(setroubleshootd_t)
rpm_dontaudit_manage_db(setroubleshootd_t)
diff --git a/policy/modules/services/slrnpull.te b/policy/modules/services/slrnpull.te
index 642593f..e258c48 100644
--- a/policy/modules/services/slrnpull.te
+++ b/policy/modules/services/slrnpull.te
@@ -61,12 +61,6 @@ miscfiles_read_localization(slrnpull_t)
userdom_dontaudit_use_unpriv_user_fds(slrnpull_t)
userdom_dontaudit_search_sysadm_home_dirs(slrnpull_t)
-ifdef(`targeted_policy',`
- files_dontaudit_read_root_files(slrnpull_t)
- term_dontaudit_use_unallocated_ttys(slrnpull_t)
- term_dontaudit_use_generic_ptys(slrnpull_t)
-')
-
optional_policy(`
cron_system_entry(slrnpull_t,slrnpull_exec_t)
')
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
index c702de5..2a3d371 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
@@ -82,12 +82,6 @@ sysnet_read_config(fsdaemon_t)
userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)
userdom_dontaudit_search_sysadm_home_dirs(fsdaemon_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(fsdaemon_t)
- term_dontaudit_use_generic_ptys(fsdaemon_t)
- files_dontaudit_read_root_files(fsdaemon_t)
-')
-
optional_policy(`
mta_send_mail(fsdaemon_t)
')
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
index e116f42..fa6be5e 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -115,12 +115,6 @@ ifdef(`distro_redhat', `
')
')
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(snmpd_t)
- term_dontaudit_use_generic_ptys(snmpd_t)
- files_dontaudit_read_root_files(snmpd_t)
-')
-
optional_policy(`
amanda_dontaudit_read_dumpdates(snmpd_t)
')
diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te
index 0b3e1b6..d37dd5b 100644
--- a/policy/modules/services/snort.te
+++ b/policy/modules/services/snort.te
@@ -88,12 +88,6 @@ sysnet_read_config(snort_t)
userdom_dontaudit_use_unpriv_user_fds(snort_t)
userdom_dontaudit_search_sysadm_home_dirs(snort_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(snort_t)
- term_dontaudit_use_generic_ptys(snort_t)
- files_dontaudit_read_root_files(snort_t)
-')
-
optional_policy(`
seutil_sigchld_newrole(snort_t)
')
diff --git a/policy/modules/services/soundserver.te b/policy/modules/services/soundserver.te
index e8728a9..ceedaca 100644
--- a/policy/modules/services/soundserver.te
+++ b/policy/modules/services/soundserver.te
@@ -98,12 +98,6 @@ sysnet_read_config(soundd_t)
userdom_dontaudit_use_unpriv_user_fds(soundd_t)
userdom_dontaudit_search_sysadm_home_dirs(soundd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(soundd_t)
- term_dontaudit_use_generic_ptys(soundd_t)
- files_dontaudit_read_root_files(soundd_t)
-')
-
optional_policy(`
seutil_sigchld_newrole(soundd_t)
')
diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc
index 870dc7d..e4f676b 100644
--- a/policy/modules/services/spamassassin.fc
+++ b/policy/modules/services/spamassassin.fc
@@ -1,3 +1,4 @@
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0)
/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0)
@@ -13,7 +14,3 @@
/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
-
-ifdef(`strict_policy',`
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
-')
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
index c2802e1..06b14d9 100644
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@@ -280,6 +280,12 @@ template(`spamassassin_per_role_template',`
sysnet_read_config($1_spamassassin_t)
')
+ tunable_policy(`spamd_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs($1,spamd_t)
+ userdom_manage_user_home_content_files($1,spamd_t)
+ userdom_manage_user_home_content_symlinks($1,spamd_t)
+ ')
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_spamassassin_t)
fs_manage_nfs_files($1_spamassassin_t)
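Review bot: The new `spamd_enable_home_dirs` block in `spamassassin_per_role_template` grants spamd_t manage rights on the generic `$1` home-content types but has no counterpart for the directory file transition the removed targeted block carried (`userdom_generic_user_home_dir_filetrans_generic_user_home_content(spamd_t,dir)` in the third spamassassin.te hunk), so a `.spamassassin` directory spamd_t creates in a home directory would inherit the home-directory type rather than a distinct label, and the create itself may be denied. If spamd_t is expected to create that directory, a per-role home-dir filetrans for spamd_t belongs next to these three lines; note too that spamassassin.fc now labels `HOME_DIR/\.spamassassin` as `ROLE_spamassassin_home_t`, which these manage_user_home_content calls presumably do not cover unless the template grants it elsewhere. Separately, the first spamassassin.te hunk leaves `gen_tunable(spamd_enable_home_dirs,true)`, so this grant is now enabled by default in every policy variant, not only the former targeted build; that default deserves a second look or a Changelog mention. The template body starts outside this hunk.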
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index 220162a..8e4a0a1 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -6,23 +6,19 @@ policy_module(spamassassin,1.8.0)
# Declarations
#
-ifdef(`strict_policy',`
## <desc>
## <p>
## Allow user spamassassin clients to use the network.
## </p>
## </desc>
gen_tunable(spamassassin_can_network,false)
-')
-ifdef(`targeted_policy',`
## <desc>
## <p>
## Allow spamd to read/write user home directories.
## </p>
## </desc>
gen_tunable(spamd_enable_home_dirs,true)
-')
# spamassassin client executable
type spamc_exec_t;
@@ -140,8 +136,6 @@ init_dontaudit_rw_utmp(spamd_t)
libs_use_ld_so(spamd_t)
libs_use_shared_libs(spamd_t)
-# Various Perl bits
-libs_use_lib_files(spamd_t)
logging_send_syslog_msg(spamd_t)
@@ -155,20 +149,6 @@ userdom_use_unpriv_users_fds(spamd_t)
userdom_search_unpriv_users_home_dirs(spamd_t)
userdom_dontaudit_search_sysadm_home_dirs(spamd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(spamd_t)
- term_dontaudit_use_generic_ptys(spamd_t)
-
- files_dontaudit_read_root_files(spamd_t)
-
- tunable_policy(`spamd_enable_home_dirs',`
- userdom_manage_generic_user_home_content_dirs(spamd_t)
- userdom_manage_generic_user_home_content_files(spamd_t)
- userdom_manage_generic_user_home_content_symlinks(spamd_t)
- userdom_generic_user_home_dir_filetrans_generic_user_home_content(spamd_t,dir)
- ')
-')
-
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(spamd_t)
')
diff --git a/policy/modules/services/speedtouch.te b/policy/modules/services/speedtouch.te
index b91764d..2c918b6 100644
--- a/policy/modules/services/speedtouch.te
+++ b/policy/modules/services/speedtouch.te
@@ -56,12 +56,6 @@ miscfiles_read_localization(speedmgmt_t)
userdom_dontaudit_use_unpriv_user_fds(speedmgmt_t)
userdom_dontaudit_search_sysadm_home_dirs(speedmgmt_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(speedmgmt_t)
- term_dontaudit_use_generic_ptys(speedmgmt_t)
- files_dontaudit_read_root_files(speedmgmt_t)
-')
-
optional_policy(`
seutil_sigchld_newrole(speedmgmt_t)
')
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index beaba00..9c30fe7 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -144,12 +144,6 @@ userdom_use_unpriv_users_fds(squid_t)
userdom_dontaudit_use_unpriv_user_fds(squid_t)
userdom_dontaudit_search_sysadm_home_dirs(squid_t)
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(squid_t)
- term_dontaudit_use_generic_ptys(squid_t)
- files_dontaudit_read_root_files(squid_t)
-')
-
tunable_policy(`squid_connect_any',`
corenet_tcp_connect_all_ports(squid_t)
')
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index e83a852..bf53f28 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -1,19 +1,16 @@
+HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ROLE_home_ssh_t,s0)
+
/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
/etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
/etc/ssh/ssh_host_dsa_key -- gen_context(system_u:object_r:sshd_key_t,s0)
/etc/ssh/ssh_host_rsa_key -- gen_context(system_u:object_r:sshd_key_t,s0)
/usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
+/usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
/usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
/usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
-/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
-
-ifdef(`targeted_policy', `', `
-/usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
-
-HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ROLE_home_ssh_t,s0)
-')
+/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 129bf73..51e058c 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -80,11 +80,6 @@ kernel_link_key(sshd_t)
corenet_tcp_bind_xserver_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t)
-ifdef(`targeted_policy',`
- unconfined_domain(sshd_t)
- unconfined_shell_domtrans(sshd_t)
-')
-
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
@@ -123,6 +118,11 @@ optional_policy(`
rssh_read_all_users_ro_content(sshd_t)
')
+optional_policy(`
+ unconfined_domain(sshd_t)
+ unconfined_shell_domtrans(sshd_t)
+')
+
ifdef(`TODO',`
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
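Review bot: The new optional_policy block makes sshd_t an unconfined domain whenever the unconfined module is present in the build, which is the replacement for the former `targeted_policy` ifdef, but nothing at the site says that module presence is now the switch between confined and unconfined sshd. A one-line comment such as `# sshd is unconfined whenever the unconfined module is loaded (former targeted_policy behaviour)` above `unconfined_domain(sshd_t)` would make that dependency explicit for the next reader. The same applies to the analogous new blocks for init_t and initrc_t in init.te and for xdm_t and xdm_xserver_t in xserver.te.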
@@ -153,39 +153,37 @@ tunable_policy(`ssh_sysadm_login',`
# sshd_extern_t is the domain for ssh from outside our network
#
-ifdef(`strict_policy',`
- ifdef(`TODO',`
- domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
+ifdef(`TODO',`
+domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
- domain_trans(sshd_extern_t, shell_exec_t, user_mini_domain)
- # Signal the user domains.
- allow sshd_extern_t user_mini_domain:process signal;
+domain_trans(sshd_extern_t, shell_exec_t, user_mini_domain)
+# Signal the user domains.
+allow sshd_extern_t user_mini_domain:process signal;
- ifdef(`xauth.te', `
- domain_trans(sshd_extern_t, xauth_exec_t, user_mini_domain)
- ')
+ifdef(`xauth.te', `
+domain_trans(sshd_extern_t, xauth_exec_t, user_mini_domain)
+')
- # Relabel and access ptys created by sshd
- # ioctl is necessary for logout() processing for utmp entry and for w to
- # display the tty.
- # some versions of sshd on the new SE Linux require setattr
- allow sshd_extern_t user_mini_domain:chr_file { relabelto read write getattr ioctl setattr };
+# Relabel and access ptys created by sshd
+# ioctl is necessary for logout() processing for utmp entry and for w to
+# display the tty.
+# some versions of sshd on the new SE Linux require setattr
+allow sshd_extern_t user_mini_domain:chr_file { relabelto read write getattr ioctl setattr };
- # inheriting stream sockets is needed for "ssh host command" as no pty
- # is allocated
- allow user_mini_domain sshd_extern_t:unix_stream_socket rw_stream_socket_perms;
+# inheriting stream sockets is needed for "ssh host command" as no pty
+# is allocated
+allow user_mini_domain sshd_extern_t:unix_stream_socket rw_stream_socket_perms;
- optional_policy(`
- domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
- ')
+optional_policy(`
+ domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
+')
- ifdef(`direct_sysadm_daemon', `
- # Direct execution by sysadm_r.
- domain_auto_trans(sysadm_t, sshd_exec_t, sshd_t)
- role_transition sysadm_r sshd_exec_t system_r;
- ')
- ') dnl endif TODO
+ifdef(`direct_sysadm_daemon', `
+# Direct execution by sysadm_r.
+domain_auto_trans(sysadm_t, sshd_exec_t, sshd_t)
+role_transition sysadm_r sshd_exec_t system_r;
')
+') dnl endif TODO
########################################
#
@@ -227,21 +225,8 @@ logging_send_syslog_msg(ssh_keygen_t)
allow ssh_keygen_t proc_t:dir r_dir_perms;
allow ssh_keygen_t proc_t:lnk_file read;
-userdom_use_sysadm_ttys(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
-# cjp: with the old daemon_(base_)domain being broken up into
-# a daemon and system interface, this probably is not needed:
-ifdef(`direct_sysadm_daemon',`
- userdom_dontaudit_use_sysadm_terms(ssh_keygen_t)
-')
-
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(ssh_keygen_t)
- term_dontaudit_use_generic_ptys(ssh_keygen_t)
- files_dontaudit_read_root_files(ssh_keygen_t)
-')
-
optional_policy(`
nscd_socket_use(ssh_keygen_t)
')
diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
index ff31d9b..b9a386b 100644
--- a/policy/modules/services/stunnel.te
+++ b/policy/modules/services/stunnel.te
@@ -90,12 +90,6 @@ ifdef(`distro_gentoo', `
userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
userdom_dontaudit_search_sysadm_home_dirs(stunnel_t)
- ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(stunnel_t)
- term_dontaudit_use_generic_ptys(stunnel_t)
- files_dontaudit_read_root_files(stunnel_t)
- ')
-
optional_policy(`
daemontools_service_domain(stunnel_t, stunnel_exec_t)
')
diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
index 00d1262..857ef97 100644
--- a/policy/modules/services/tftp.te
+++ b/policy/modules/services/tftp.te
@@ -79,12 +79,6 @@ userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
userdom_dontaudit_use_sysadm_ttys(tftpd_t)
userdom_dontaudit_search_sysadm_home_dirs(tftpd_t)
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(tftpd_t)
- term_dontaudit_use_generic_ptys(tftpd_t)
- files_dontaudit_read_root_files(tftpd_t)
-')
-
optional_policy(`
inetd_udp_service_domain(tftpd_t,tftpd_exec_t)
')
diff --git a/policy/modules/services/timidity.te b/policy/modules/services/timidity.te
index 96423fa..26c276b 100644
--- a/policy/modules/services/timidity.te
+++ b/policy/modules/services/timidity.te
@@ -78,12 +78,6 @@ userdom_dontaudit_use_unpriv_user_fds(timidity_t)
# cjp: this should be fixed if possible so this rule can be removed.
userdom_search_sysadm_home_dirs(timidity_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(timidity_t)
- term_dontaudit_use_generic_ptys(timidity_t)
- files_dontaudit_read_root_files(timidity_t)
-')
-
optional_policy(`
seutil_sigchld_newrole(timidity_t)
')
diff --git a/policy/modules/services/transproxy.te b/policy/modules/services/transproxy.te
index 7012e74..b06cb9d 100644
--- a/policy/modules/services/transproxy.te
+++ b/policy/modules/services/transproxy.te
@@ -60,12 +60,6 @@ sysnet_read_config(transproxy_t)
userdom_dontaudit_use_unpriv_user_fds(transproxy_t)
userdom_dontaudit_search_sysadm_home_dirs(transproxy_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(transproxy_t)
- term_dontaudit_use_generic_ptys(transproxy_t)
- files_dontaudit_read_root_files(transproxy_t)
-')
-
optional_policy(`
seutil_sigchld_newrole(transproxy_t)
')
diff --git a/policy/modules/services/uptime.te b/policy/modules/services/uptime.te
index 078adee..b4b9d7d 100644
--- a/policy/modules/services/uptime.te
+++ b/policy/modules/services/uptime.te
@@ -64,12 +64,6 @@ miscfiles_read_localization(uptimed_t)
userdom_dontaudit_use_unpriv_user_fds(uptimed_t)
userdom_dontaudit_search_sysadm_home_dirs(uptimed_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(uptimed_t)
- term_dontaudit_use_generic_ptys(uptimed_t)
- files_dontaudit_read_root_files(uptimed_t)
-')
-
optional_policy(`
mta_send_mail(uptimed_t)
')
diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
index c555a84..ed1dbbe 100644
--- a/policy/modules/services/uucp.te
+++ b/policy/modules/services/uucp.te
@@ -131,11 +131,6 @@ logging_send_syslog_msg(uux_t)
miscfiles_read_localization(uux_t)
-ifdef(`targeted_policy',`
- term_use_unallocated_ttys(uux_t)
- term_use_generic_ptys(uux_t)
-')
-
optional_policy(`
mta_send_mail(uux_t)
')
diff --git a/policy/modules/services/uwimap.te b/policy/modules/services/uwimap.te
index e538d36..3d31305 100644
--- a/policy/modules/services/uwimap.te
+++ b/policy/modules/services/uwimap.te
@@ -82,12 +82,6 @@ userdom_priveleged_home_dir_manager(imapd_t)
mta_rw_spool(imapd_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(imapd_t)
- term_dontaudit_use_generic_ptys(imapd_t)
- files_dontaudit_read_root_files(imapd_t)
-')
-
optional_policy(`
seutil_sigchld_newrole(imapd_t)
')
diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te
index 06d8800..50f2772 100644
--- a/policy/modules/services/watchdog.te
+++ b/policy/modules/services/watchdog.te
@@ -92,12 +92,6 @@ sysnet_read_config(watchdog_t)
userdom_dontaudit_use_unpriv_user_fds(watchdog_t)
userdom_dontaudit_search_sysadm_home_dirs(watchdog_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(watchdog_t)
- term_dontaudit_use_generic_ptys(watchdog_t)
- files_dontaudit_read_root_files(watchdog_t)
-')
-
optional_policy(`
mta_send_mail(watchdog_t)
')
diff --git a/policy/modules/services/xfs.te b/policy/modules/services/xfs.te
index 5302588..800c4d2 100644
--- a/policy/modules/services/xfs.te
+++ b/policy/modules/services/xfs.te
@@ -72,12 +72,6 @@ ifdef(`distro_debian',`
init_script_tmp_filetrans(xfs_t,xfs_tmp_t,sock_file)
')
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(xfs_t)
- term_dontaudit_use_generic_ptys(xfs_t)
- files_dontaudit_read_root_files(xfs_t)
-')
-
optional_policy(`
seutil_sigchld_newrole(xfs_t)
')
diff --git a/policy/modules/services/xprint.te b/policy/modules/services/xprint.te
index 8af8788..ce73458 100644
--- a/policy/modules/services/xprint.te
+++ b/policy/modules/services/xprint.te
@@ -69,12 +69,6 @@ sysnet_read_config(xprint_t)
userdom_dontaudit_use_unpriv_user_fds(xprint_t)
userdom_dontaudit_search_sysadm_home_dirs(xprint_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(xprint_t)
- term_dontaudit_use_generic_ptys(xprint_t)
- files_dontaudit_read_root_files(xprint_t)
-')
-
optional_policy(`
cups_read_config(xprint_t)
')
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 1e86113..c1c87ac 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -1,7 +1,6 @@
#
# HOME_DIR
#
-ifdef(`strict_policy',`
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:ROLE_fonts_config_t,s0)
HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:ROLE_fonts_t,s0)
HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:ROLE_fonts_cache_t,s0)
@@ -9,7 +8,6 @@ HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:ROLE_fonts_cache_t,s
HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:ROLE_iceauth_home_t,s0)
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
-')
#
# /dev
@@ -51,13 +49,10 @@ ifdef(`distro_redhat',`
/tmp/\.ICE-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
/tmp/\.ICE-unix/.* -s <<none>>
+/tmp/\.X0-lock -- gen_context(system_u:object_r:xdm_xserver_tmp_t,s0)
/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
/tmp/\.X11-unix/.* -s <<none>>
-ifdef(`strict_policy',`
-/tmp/\.X0-lock -- gen_context(system_u:object_r:xdm_xserver_tmp_t,s0)
-')
-
#
# /usr
#
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 0a32465..c8b8375 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -736,12 +736,8 @@ interface(`xserver_read_all_users_xauth',`
attribute xauth_home_type;
')
- ifdef(`strict_policy',`
- allow $1 xauth_home_type:file read_file_perms;
- userdom_search_all_users_home_dirs($1)
- ',`
- userdom_read_generic_user_home_content_files($1)
- ')
+ allow $1 xauth_home_type:file read_file_perms;
+ userdom_search_all_users_home_dirs($1)
')
########################################
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 0bfbe14..ae61202 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -6,7 +6,6 @@ policy_module(xserver,1.6.0)
# Declarations
#
-ifdef(`strict_policy',`
## <desc>
## <p>
## Allows clients to write to the X server shared
@@ -14,7 +13,6 @@ ifdef(`strict_policy',`
## </p>
## </desc>
gen_tunable(allow_write_xshm,false)
-')
## <desc>
## <p>
@@ -276,20 +274,6 @@ userdom_signal_all_users(xdm_t)
xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
-ifdef(`targeted_policy',`
- unconfined_domain(xdm_t)
- unconfined_domtrans(xdm_t)
- userdom_generic_user_home_dir_filetrans_generic_user_home_content(xdm_t, {file dir })
-
- ifndef(`distro_redhat',`
- allow xdm_t self:process { execheap execmem };
- ')
-
- ifdef(`distro_rhel4',`
- allow xdm_t self:process { execheap execmem };
- ')
-')
-
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_t)
fs_manage_nfs_files(xdm_t)
@@ -364,6 +348,19 @@ optional_policy(`
')
optional_policy(`
+ unconfined_domain(xdm_t)
+ unconfined_domtrans(xdm_t)
+
+ ifndef(`distro_redhat',`
+ allow xdm_t self:process { execheap execmem };
+ ')
+
+ ifdef(`distro_rhel4',`
+ allow xdm_t self:process { execheap execmem };
+ ')
+')
+
+optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
')
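Review bot: The new optional block omits `userdom_generic_user_home_dir_filetrans_generic_user_home_content(xdm_t, {file dir })` from the removed targeted block earlier in this file, so in the unconfined-xdm configuration anything xdm_t creates directly in a user's home directory now inherits the home-directory type instead of the content type. If that transition is still needed after the merge, its per-role equivalent should be restored through the xserver per-role template; if the generic home-content types no longer exist, a short comment noting the intentional drop would stop someone re-adding it.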
@@ -427,7 +424,16 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_symlinks(xdm_xserver_t)
')
-ifdef(`targeted_policy',`
+optional_policy(`
+ resmgr_stream_connect(xdm_t)
+')
+
+optional_policy(`
+ rhgb_rw_shm(xdm_xserver_t)
+ rhgb_rw_tmpfs_files(xdm_xserver_t)
+')
+
+optional_policy(`
unconfined_domain_noaudit(xdm_xserver_t)
unconfined_domtrans(xdm_xserver_t)
@@ -440,15 +446,6 @@ ifdef(`targeted_policy',`
')
')
-optional_policy(`
- resmgr_stream_connect(xdm_t)
-')
-
-optional_policy(`
- rhgb_rw_shm(xdm_xserver_t)
- rhgb_rw_tmpfs_files(xdm_xserver_t)
-')
-
ifdef(`TODO',`
# Need to further investigate these permissions and
# perhaps define derived types.
diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
index ca643b6..ab0b55a 100644
--- a/policy/modules/services/zabbix.te
+++ b/policy/modules/services/zabbix.te
@@ -43,11 +43,6 @@ libs_use_shared_libs(zabbix_t)
miscfiles_read_localization(zabbix_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(zabbix_t)
- term_dontaudit_use_generic_ptys(zabbix_t)
-')
-
optional_policy(`
mysql_stream_connect(zabbix_t)
')
diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
index 0c6112a..013631c 100644
--- a/policy/modules/services/zebra.te
+++ b/policy/modules/services/zebra.te
@@ -114,13 +114,6 @@ sysnet_read_config(zebra_t)
userdom_dontaudit_use_unpriv_user_fds(zebra_t)
userdom_dontaudit_search_sysadm_home_dirs(zebra_t)
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(zebra_t)
- term_dontaudit_use_generic_ptys(zebra_t)
- files_dontaudit_read_root_files(zebra_t)
- unconfined_sigchld(zebra_t)
-')
-
tunable_policy(`allow_zebra_write_config',`
allow zebra_t zebra_conf_t:dir write;
allow zebra_t zebra_conf_t:file write;
@@ -141,3 +134,7 @@ optional_policy(`
optional_policy(`
udev_read_db(zebra_t)
')
+
+optional_policy(`
+ unconfined_sigchld(zebra_t)
+')
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index cc2c243..fc5889d 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -150,21 +150,12 @@ template(`authlogin_per_role_template',`
## </param>
#
template(`auth_domtrans_user_chk_passwd',`
- ifdef(`targeted_policy',`
- gen_require(`
- type system_chkpwd_t, chkpwd_exec_t;
- ')
-
- corecmd_search_bin($2)
- domtrans_pattern($2,chkpwd_exec_t,system_chkpwd_t)
- ',`
- gen_require(`
- type $1_chkpwd_t, chkpwd_exec_t;
- ')
-
- corecmd_search_bin($2)
- domtrans_pattern($2,chkpwd_exec_t,$1_chkpwd_t)
+ gen_require(`
+ type $1_chkpwd_t, chkpwd_exec_t;
')
+
+ corecmd_search_bin($2)
+ domtrans_pattern($2,chkpwd_exec_t,$1_chkpwd_t)
')
########################################
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 2b71f85..b52bff5 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -216,12 +216,6 @@ seutil_read_file_contexts(pam_console_t)
userdom_dontaudit_use_unpriv_user_fds(pam_console_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(pam_console_t)
- term_dontaudit_use_generic_ptys(pam_console_t)
- files_dontaudit_read_root_files(pam_console_t)
-')
-
optional_policy(`
gpm_getattr_gpmctl(pam_console_t)
gpm_setattr_gpmctl(pam_console_t)
@@ -300,6 +294,11 @@ optional_policy(`
')
optional_policy(`
+ # Allow utemper to write to /tmp/.xses-*
+ unconfined_write_tmp_files(utempter_t)
+')
+
+optional_policy(`
xserver_use_xdm_fds(utempter_t)
xserver_rw_xdm_pipes(utempter_t)
')
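Review bot: The new comment misspells the domain name; it should read `# Allow utempter to write to /tmp/.xses-*`. It would also help to state which unconfined program creates those files and why the utempter helper has to write them, since a login helper writing another domain's tmp files is not self-explanatory from the rule alone.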
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
index ba99ccf..a86bb02 100644
--- a/policy/modules/system/clock.te
+++ b/policy/modules/system/clock.te
@@ -63,12 +63,6 @@ logging_send_syslog_msg(hwclock_t)
miscfiles_read_localization(hwclock_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(hwclock_t)
- term_dontaudit_use_generic_ptys(hwclock_t)
- files_dontaudit_read_root_files(hwclock_t)
-')
-
optional_policy(`
apm_append_log(hwclock_t)
apm_rw_stream_sockets(hwclock_t)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 1300638..6ff5748 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -154,11 +154,6 @@ seutil_read_config(fsadm_t)
userdom_use_unpriv_users_fds(fsadm_t)
-ifdef(`targeted_policy',`
- term_use_unallocated_ttys(fsadm_t)
- term_use_generic_ptys(fsadm_t)
-')
-
tunable_policy(`read_default_t',`
files_list_default(fsadm_t)
files_read_default_files(fsadm_t)
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index 31706fc..f8ba788 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -114,11 +114,6 @@ ifdef(`distro_gentoo',`
sysnet_dontaudit_read_config(getty_t)
')
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(getty_t)
- term_dontaudit_use_generic_ptys(getty_t)
-')
-
optional_policy(`
mta_send_mail(getty_t)
')
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
index 68469f3..69cdcb2 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
@@ -125,11 +125,6 @@ ifdef(`distro_redhat', `
files_getattr_generic_locks(hotplug_t)
')
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(hotplug_t)
- term_dontaudit_use_generic_ptys(hotplug_t)
-')
-
optional_policy(`
consoletype_exec(hotplug_t)
')
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 2e31156..8ec8ef1 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -9,15 +9,13 @@
/etc/rc\.d/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/X11/prefdm -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
ifdef(`distro_gentoo',`
/etc/vmware/init\.d/vmware -- gen_context(system_u:object_r:initrc_exec_t,s0)
/etc/x11/startDM.sh -- gen_context(system_u:object_r:initrc_exec_t,s0)
')
-ifdef(`strict_policy',`
-/etc/X11/prefdm -- gen_context(system_u:object_r:initrc_exec_t,s0)
-')
-
#
# /dev
#
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 0c3e3ad..597a5cb 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -931,6 +931,24 @@ interface(`init_dontaudit_stream_connect_script',`
dontaudit $1 initrc_t:unix_stream_socket connectto;
')
+########################################
+## <summary>
+## Send messages to init scripts over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_dbus_send_script',`
+ gen_require(`
+ type initrc_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 initrc_t:dbus send_msg;
+')
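Review bot: `init_dbus_send_script` grants only the `$1` to initrc_t direction; a D-Bus method call gets a reply, and that reply is itself a message that requires initrc_t to be allowed send_msg back to `$1`, so a caller expecting an answer will presumably still see a denial. Either add `allow initrc_t $1:dbus send_msg;` after the existing allow, or say in the summary that the interface is one-way and the reply path must be granted by the caller's module.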
########################################
## <summary>
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 8f67002..07c1860 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -10,15 +10,6 @@ gen_require(`
# Declarations
#
-ifdef(`targeted_policy',`
-## <desc>
-## <p>
-## Allow all daemons the ability to use unallocated ttys
-## </p>
-## </desc>
-gen_tunable(allow_daemons_use_tty,false)
-')
-
# used for direct running of init scripts
# by admin domains
attribute direct_run_init;
@@ -172,10 +163,6 @@ ifdef(`distro_redhat',`
fs_tmpfs_filetrans(init_t,initctl_t,fifo_file)
')
-ifdef(`targeted_policy',`
- unconfined_domain(init_t)
-')
-
optional_policy(`
auth_rw_login_records(init_t)
')
@@ -184,6 +171,10 @@ optional_policy(`
nscd_socket_use(init_t)
')
+optional_policy(`
+ unconfined_domain(init_t)
+')
+
# Run the shell in the sysadm_t domain for single-user mode.
optional_policy(`
userdom_shell_domtrans_sysadm(init_t)
@@ -505,37 +496,6 @@ ifdef(`distro_suse',`
')
')
-ifdef(`targeted_policy',`
- domain_subj_id_change_exemption(initrc_t)
- unconfined_domain(initrc_t)
-
- ifdef(`distro_redhat',`
- # system-config-services causes avc messages that should be dontaudited
- unconfined_dontaudit_rw_pipes(daemon)
- ')
-
- tunable_policy(`allow_daemons_use_tty',`
- term_use_unallocated_ttys(daemon)
- term_use_generic_ptys(daemon)
- ')
-
- optional_policy(`
- mono_domtrans(initrc_t)
- ')
-',`
- # cjp: require doesnt work in the else of optionals :\
- # this also would result in a type transition
- # conflict if sendmail is enabled
-# optional_policy(`',`
-# mta_send_mail(initrc_t)
-# ')
-
- # allow init scripts to su
- optional_policy(`
- su_restricted_domain_template(initrc,initrc_t,system_r)
- ')
-')
-
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
@@ -672,6 +632,12 @@ optional_policy(`
mta_read_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
')
+# cjp: require doesnt work in the else of optionals :\
+# this also would result in a type transition
+# conflict if sendmail is enabled
+#optional_policy(`',`
+# mta_send_mail(initrc_t)
+#')
optional_policy(`
ifdef(`distro_redhat',`
@@ -750,6 +716,11 @@ optional_policy(`
')
optional_policy(`
+ # allow init scripts to su
+ su_restricted_domain_template(initrc,initrc_t,system_r)
+')
+
+optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
')
@@ -766,6 +737,19 @@ optional_policy(`
')
optional_policy(`
+ unconfined_domain(initrc_t)
+
+ ifdef(`distro_redhat',`
+ # system-config-services causes avc messages that should be dontaudited
+ unconfined_dontaudit_rw_pipes(daemon)
+ ')
+
+ optional_policy(`
+ mono_domtrans(initrc_t)
+ ')
+')
+
+optional_policy(`
vmware_read_system_config(initrc_t)
vmware_append_system_config(initrc_t)
')
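Review bot: `domain_subj_id_change_exemption(initrc_t)` from the removed targeted block is not carried into the new optional block, so initrc_t loses that exemption unless `unconfined_domain` already confers it (I believe domain_unconfined adds the process_uncond_exempt attribute, but that should be confirmed against domain.if). If it is redundant, a one-line comment such as `# subj_id_change exemption is implied by unconfined_domain` would prevent someone re-adding it; otherwise add the call as the first line of the block. The `allow_daemons_use_tty` tunable and its `term_use_*` rules for the daemon attribute, dropped in the earlier init.te hunks, likewise have no replacement, so local boolean settings that reference it will fail to apply and the Changelog should say so.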
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 5be38a2..ec5ea2b 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -139,12 +139,6 @@ sysnet_read_config(ipsec_t)
userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
userdom_dontaudit_search_sysadm_home_dirs(ipsec_t)
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(ipsec_t)
- term_dontaudit_use_generic_ptys(ipsec_t)
- files_dontaudit_read_root_files(ipsec_t)
-')
-
optional_policy(`
nis_use_ypbind(ipsec_t)
')
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 0bb1ac1..31048bf 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -79,13 +79,6 @@ sysnet_dns_name_resolve(iptables_t)
userdom_use_all_users_fds(iptables_t)
-ifdef(`targeted_policy', `
- term_use_unallocated_ttys(iptables_t)
- term_use_generic_ptys(iptables_t)
- files_dontaudit_read_root_files(iptables_t)
- unconfined_rw_pipes(iptables_t)
-')
-
optional_policy(`
fail2ban_append_log(iptables_t)
')
diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
index 19c19e1..961b0c3 100644
--- a/policy/modules/system/iscsi.te
+++ b/policy/modules/system/iscsi.te
@@ -76,7 +76,3 @@ logging_send_syslog_msg(iscsid_t)
miscfiles_read_localization(iscsid_t)
sysnet_dns_name_resolve(iscsid_t)
-
-ifdef(`targeted_policy',`
- term_use_generic_ptys(iscsid_t)
-')
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index dba235d..50019e6 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -3,30 +3,24 @@
#
ifdef(`distro_debian',`
/emul/ia32-linux/usr(/.*)?/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
-/emul/ia32-linux/usr(/.*)?/lib/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
/emul/ia32-linux/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
-/emul/ia32-linux/lib/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
')
ifdef(`distro_gentoo',`
/emul/linux/x86/usr(/.*)?/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
-/emul/linux/x86/usr(/.*)?/lib/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
/emul/linux/x86/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
-/emul/linux/x86/lib/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
/emul/linux/x86/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
')
ifdef(`distro_redhat',`
/emul/ia32-linux/usr(/.*)?/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
-/emul/ia32-linux/usr(/.*)?/lib/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
-/emul/ia32-linux/usr(/.*)?/java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
-/emul/ia32-linux/usr(/.*)?/java/.*\.jar -- gen_context(system_u:object_r:shlib_t,s0)
-/emul/ia32-linux/usr(/.*)?/java/.*\.jsa -- gen_context(system_u:object_r:shlib_t,s0)
+/emul/ia32-linux/usr(/.*)?/java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
+/emul/ia32-linux/usr(/.*)?/java/.*\.jar -- gen_context(system_u:object_r:lib_t,s0)
+/emul/ia32-linux/usr(/.*)?/java/.*\.jsa -- gen_context(system_u:object_r:lib_t,s0)
/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
/emul/ia32-linux/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
-/emul/ia32-linux/lib/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
')
@@ -36,7 +30,7 @@ ifdef(`distro_redhat',`
/etc/ld\.so\.cache -- gen_context(system_u:object_r:ld_so_cache_t,s0)
/etc/ld\.so\.preload -- gen_context(system_u:object_r:ld_so_cache_t,s0)
-/etc/ppp/plugins/rp-pppoe\.so -- gen_context(system_u:object_r:shlib_t,s0)
+/etc/ppp/plugins/rp-pppoe\.so -- gen_context(system_u:object_r:lib_t,s0)
#
# /lib(64)?
@@ -45,8 +39,6 @@ ifdef(`distro_redhat',`
/lib/.* gen_context(system_u:object_r:lib_t,s0)
/lib64 -d gen_context(system_u:object_r:lib_t,s0)
/lib64/.* gen_context(system_u:object_r:lib_t,s0)
-/lib/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
-/lib64/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
/lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
/lib64/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
@@ -62,7 +54,6 @@ ifdef(`distro_gentoo',`
/lib -l gen_context(system_u:object_r:lib_t,s0)
/lib32 -d gen_context(system_u:object_r:lib_t,s0)
/lib32/.* gen_context(system_u:object_r:lib_t,s0)
-/lib32/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
/lib32/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
')
@@ -70,14 +61,10 @@ ifdef(`distro_gentoo',`
# /opt
#
/opt/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
-/opt/(.*/)?lib/.+\.so -- gen_context(system_u:object_r:shlib_t,s0)
-/opt/(.*/)?lib/.+\.so\.[^/]* -- gen_context(system_u:object_r:shlib_t,s0)
/opt/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
-/opt/(.*/)?lib64/.+\.so -- gen_context(system_u:object_r:shlib_t,s0)
-/opt/(.*/)?lib64/.+\.so\.[^/]* -- gen_context(system_u:object_r:shlib_t,s0)
-/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:shlib_t,s0)
+/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:shlib_t,s0)
+/opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
/opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/cxoffice/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -86,24 +73,18 @@ ifdef(`distro_gentoo',`
ifdef(`distro_gentoo',`
# despite the extensions, they are actually libs
-/opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:shlib_t,s0)
-/opt/Acrobat[5-9]/Reader/intellinux/plug_ins3d/.*\.x3d -- gen_context(system_u:object_r:shlib_t,s0)
-/opt/Acrobat[5-9]/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:shlib_t,s0)
+/opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
+/opt/Acrobat[5-9]/Reader/intellinux/plug_ins3d/.*\.x3d -- gen_context(system_u:object_r:lib_t,s0)
+/opt/Acrobat[5-9]/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0)
/opt/netscape/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0)
-/opt/netscape/plugins/.*\.so -- gen_context(system_u:object_r:shlib_t,s0)
/opt/netscape/plugins/libflashplayer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/netscape/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/RealPlayer/codecs(/.*)? gen_context(system_u:object_r:lib_t,s0)
-/opt/RealPlayer/codecs/.*\.so -- gen_context(system_u:object_r:shlib_t,s0)
/opt/RealPlayer/common(/.*)? gen_context(system_u:object_r:lib_t,s0)
-/opt/RealPlayer/common/.*\.so -- gen_context(system_u:object_r:shlib_t,s0)
/opt/RealPlayer/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
-/opt/RealPlayer/lib/.*\.so -- gen_context(system_u:object_r:shlib_t,s0)
/opt/RealPlayer/mozilla(/.*)? gen_context(system_u:object_r:lib_t,s0)
-/opt/RealPlayer/mozilla/.*\.so -- gen_context(system_u:object_r:shlib_t,s0)
/opt/RealPlayer/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0)
-/opt/RealPlayer/plugins/.*\.so -- gen_context(system_u:object_r:shlib_t,s0)
')
#
@@ -118,24 +99,18 @@ ifdef(`distro_gentoo',`
/usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:shlib_t,s0)
-/usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:shlib_t,s0)
+/usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
+/usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0)
/usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
-/usr/(.*/)?lib/.+\.so -- gen_context(system_u:object_r:shlib_t,s0)
-/usr/(.*/)?lib/.+\.so\.[^/]* -- gen_context(system_u:object_r:shlib_t,s0)
/usr/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
-/usr/(.*/)?lib64/.+\.so -- gen_context(system_u:object_r:shlib_t,s0)
-/usr/(.*/)?lib64/.+\.so\.[^/]* -- gen_context(system_u:object_r:shlib_t,s0)
/usr/(.*/)?lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/transgaming_cedega/gddb_parser.so -- gen_context(system_u:object_r:shlib_t,s0)
/usr/lib/vlc/codec/libdmo_plugin.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/codec/librealaudio_plugin.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/win32/.* -- gen_context(system_u:object_r:shlib_t,s0)
/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -155,7 +130,7 @@ ifdef(`distro_gentoo',`
/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
+/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
/usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -175,7 +150,7 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
-/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- gen_context(system_u:object_r:shlib_t,s0)
+/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- gen_context(system_u:object_r:lib_t,s0)
# The following are libraries with text relocations in need of execmod permissions
# Some of them should be fixed and removed from this list
@@ -299,9 +274,8 @@ HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_
#
/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
-/var/ftp/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
-/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:shlib_t,s0)
+/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0)
ifdef(`distro_suse',`
/var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0)
@@ -310,6 +284,3 @@ ifdef(`distro_suse',`
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
-/var/spool/postfix/lib(64)?/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
-/var/spool/postfix/lib(64)?/[^/]*/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
-/var/spool/postfix/lib(64)?/devfsd/.+\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
index 2e71bea..db3945a 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -292,14 +292,8 @@ interface(`libs_exec_lib_files',`
## </param>
#
interface(`libs_use_lib_files',`
- gen_require(`
- type lib_t;
- ')
-
- files_list_usr($1)
- allow $1 lib_t:dir list_dir_perms;
- read_lnk_files_pattern($1,lib_t,lib_t)
- mmap_files_pattern($1,lib_t,lib_t)
+ refpolicywarn(`$0($*) has been deprecated, use libs_use_shared_libs() instead.')
+ libs_use_shared_libs($1)
')
########################################
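Review bot: Routing the deprecated libs_use_lib_files through libs_use_shared_libs gives its remaining callers `allow $1 textrel_shlib_t:file execmod` (granted inside libs_use_shared_libs two hunks below), which the old body never granted. That is a silent privilege widening for every caller that has not yet been migrated, and the warning text does not mention it. Either audit the remaining callers as they are converted (this commit already drops the call for semanage_t) or make the widening visible in the warning, e.g. `refpolicywarn(`$0($*) has been deprecated, use libs_use_shared_libs() instead; note it also grants execmod on textrel_shlib_t.')`. The interface's doc block starts outside the hunk.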
@@ -392,10 +386,10 @@ interface(`libs_delete_lib_symlinks',`
# cjp: added for prelink
interface(`libs_manage_shared_libs',`
gen_require(`
- type lib_t, shlib_t, textrel_shlib_t;
+ type lib_t, textrel_shlib_t;
')
- manage_files_pattern($1,lib_t,{ shlib_t textrel_shlib_t })
+ manage_files_pattern($1,lib_t,{ lib_t textrel_shlib_t })
')
########################################
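Review bot: With shlib_t folded into lib_t, `manage_files_pattern($1,lib_t,{ lib_t textrel_shlib_t })` now covers every file labelled lib_t rather than only shared objects — the libraries.fc hunks above label .jar and .jsa files, Acrobat plug-ins and everything under lib directories as lib_t. The same widening applies to libs_use_shared_libs (mmap, presumably including execute), libs_legacy_use_shared_libs (`allow $1 lib_t:file execmod;`, the widest of the four, since execmod was previously confined to shared objects) and libs_relabel_shared_libs in the following hunks. This is inherent to the merge, but the interface names and summaries still say "shared libs"; a comment above each rule such as `# lib_t now also covers non-shared-object library files (jars, plugins); shlib_t is only an alias`, and a sentence in the legacy interface's description stating that execmod is granted on all lib_t files, would keep callers from assuming the narrower scope.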
@@ -410,13 +404,13 @@ interface(`libs_manage_shared_libs',`
#
interface(`libs_use_shared_libs',`
gen_require(`
- type lib_t, shlib_t, textrel_shlib_t;
+ type lib_t, textrel_shlib_t;
')
files_list_usr($1)
allow $1 lib_t:dir list_dir_perms;
- read_lnk_files_pattern($1,lib_t,{ lib_t shlib_t textrel_shlib_t })
- mmap_files_pattern($1,lib_t,{ shlib_t textrel_shlib_t })
+ read_lnk_files_pattern($1,lib_t,{ lib_t textrel_shlib_t })
+ mmap_files_pattern($1,lib_t,{ lib_t textrel_shlib_t })
allow $1 textrel_shlib_t:file execmod;
')
@@ -433,11 +427,11 @@ interface(`libs_use_shared_libs',`
#
interface(`libs_legacy_use_shared_libs',`
gen_require(`
- type shlib_t, textrel_shlib_t;
+ type lib_t;
')
libs_use_shared_libs($1)
- allow $1 { shlib_t textrel_shlib_t }:file execmod;
+ allow $1 lib_t:file execmod;
')
########################################
@@ -454,10 +448,10 @@ interface(`libs_legacy_use_shared_libs',`
# cjp: added for prelink
interface(`libs_relabel_shared_libs',`
gen_require(`
- type lib_t, shlib_t, textrel_shlib_t;
+ type lib_t, textrel_shlib_t;
')
- relabel_files_pattern($1,lib_t,{ shlib_t textrel_shlib_t })
+ relabel_files_pattern($1,lib_t,{ lib_t textrel_shlib_t })
')
########################################
@@ -477,11 +471,7 @@ interface(`libs_relabel_shared_libs',`
## </param>
#
interface(`lib_filetrans_shared_lib',`
- gen_require(`
- type lib_t, shlib_t;
- ')
-
- filetrans_pattern($1,lib_t,shlib_t,$2)
+ refpolicywarn(`$0($*) has been deprecated.')
')
########################################
@@ -510,6 +500,5 @@ interface(`lib_filetrans_shared_lib',`
## </param>
#
interface(`files_lib_filetrans_shared_lib',`
- refpolicywarn(`$0($*) has been deprecated, use lib_filetrans_shared_lib() instead.')
- lib_filetrans_shared_lib($1,$2)
+ refpolicywarn(`$0($*) has been deprecated.')
')
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index abb3189..c312700 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -29,21 +29,10 @@ files_tmp_file(ldconfig_tmp_t)
#
# lib_t is the type of files in the system lib directories.
#
-type lib_t;
+type lib_t alias shlib_t;
files_type(lib_t)
#
-# shlib_t is the type of shared objects in the system lib
-# directories.
-#
-ifdef(`targeted_policy',`
- typealias lib_t alias shlib_t;
-',`
- type shlib_t;
- files_type(shlib_t)
-')
-
-#
# textrel_shlib_t is the type of shared objects in the system lib
# directories, which require text relocation.
#
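Review bot: The comment above `type lib_t alias shlib_t;` still describes lib_t alone, while the alias is what keeps existing on-disk shlib_t labels and external policy that references shlib_t valid after the merge. Suggest extending it: `# lib_t is the type of files in the system lib directories, including shared objects. shlib_t is kept as an alias so existing labels and policy referencing it keep working.`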
@@ -97,13 +86,6 @@ ifdef(`hide_broken_symptoms',`
')
')
-ifdef(`targeted_policy',`
- allow ldconfig_t lib_t:file read_file_perms;
- files_read_generic_tmp_symlinks(ldconfig_t)
- term_dontaudit_use_generic_ptys(ldconfig_t)
- term_dontaudit_use_unallocated_ttys(ldconfig_t)
-')
-
optional_policy(`
# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
apache_dontaudit_search_modules(ldconfig_t)
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index f23717c..21b3356 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -138,10 +138,6 @@ userdom_use_unpriv_users_fds(local_login_t)
userdom_sigchld_all_users(local_login_t)
userdom_create_all_users_keys(local_login_t)
-ifdef(`targeted_policy',`
- unconfined_shell_domtrans(local_login_t)
-')
-
tunable_policy(`read_default_t',`
files_list_default(local_login_t)
files_read_default_files(local_login_t)
@@ -161,7 +157,11 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
- dbus_system_bus_client_template(local_login,local_login_t)
+ alsa_domtrans(local_login_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client_template(local_login, local_login_t)
dbus_send_system_bus(local_login_t)
consolekit_dbus_chat(local_login_t)
@@ -186,11 +186,11 @@ optional_policy(`
')
optional_policy(`
- usermanage_read_crack_db(local_login_t)
+ unconfined_domain(local_login_t)
')
optional_policy(`
- alsa_domtrans(local_login_t)
+ usermanage_read_crack_db(local_login_t)
')
optional_policy(`
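Review bot: `unconfined_domain(local_login_t)` makes the local login daemon itself fully unconfined on every build that loads the unconfined module, whereas the previous targeted-only behaviour was `unconfined_shell_domtrans(local_login_t)` (removed in the first hunk of this file), a transition into the unconfined shell rather than unconfinement of local_login_t. Login handles credentials and PAM, so if the intent is only to reach unconfined users' shells, the narrower domtrans preserves confinement of the daemon; if full unconfinement is intended, a comment stating why would help later readers. The domtrans call is no longer present anywhere on the new side of this file.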
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index d535027..4111465 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -94,11 +94,6 @@ locallogin_dontaudit_use_fds(auditctl_t)
logging_send_syslog_msg(auditctl_t)
-ifdef(`targeted_policy',`
- term_use_generic_ptys(auditctl_t)
- term_use_unallocated_ttys(auditctl_t)
-')
-
########################################
#
# Auditd local policy
@@ -161,14 +156,6 @@ seutil_dontaudit_read_config(auditd_t)
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
userdom_dontaudit_search_sysadm_home_dirs(auditd_t)
-# cjp: this is questionable
-userdom_use_sysadm_ttys(auditd_t)
-
-ifdef(`targeted_policy',`
- term_dontaudit_use_generic_ptys(auditd_t)
- term_dontaudit_use_unallocated_ttys(auditd_t)
- unconfined_dontaudit_read_pipes(auditd_t)
-')
optional_policy(`
seutil_sigchld_newrole(auditd_t)
@@ -230,11 +217,6 @@ optional_policy(`
udev_read_db(klogd_t)
')
-ifdef(`targeted_policy',`
- term_dontaudit_use_generic_ptys(klogd_t)
- term_dontaudit_use_unallocated_ttys(klogd_t)
-')
-
optional_policy(`
seutil_sigchld_newrole(klogd_t)
')
@@ -363,13 +345,6 @@ ifdef(`distro_suse',`
files_var_lib_filetrans(syslogd_t,devlog_t,sock_file)
')
-ifdef(`targeted_policy',`
- allow syslogd_t var_run_t:fifo_file { ioctl read write };
- term_dontaudit_use_unallocated_ttys(syslogd_t)
- term_dontaudit_use_generic_ptys(syslogd_t)
- files_dontaudit_read_root_files(syslogd_t)
-')
-
optional_policy(`
inn_manage_log(syslogd_t)
')
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index dc23be3..a178d6a 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -122,12 +122,6 @@ userdom_dontaudit_search_sysadm_home_dirs(clvmd_t)
lvm_domtrans(clvmd_t)
lvm_read_config(clvmd_t)
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(clvmd_t)
- term_dontaudit_use_generic_ptys(clvmd_t)
- files_dontaudit_read_root_files(clvmd_t)
-')
-
optional_policy(`
ccs_stream_connect(clvmd_t)
')
@@ -286,13 +280,6 @@ ifdef(`distro_redhat',`
files_rw_isid_type_dirs(lvm_t)
')
-ifdef(`targeted_policy', `
- term_use_unallocated_ttys(lvm_t)
- term_use_generic_ptys(lvm_t)
-
- files_dontaudit_read_root_files(lvm_t)
-')
-
optional_policy(`
bootloader_rw_tmp_files(lvm_t)
')
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 527400f..8e8b003 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -116,11 +116,6 @@ if( ! secure_mode_insmod ) {
kernel_domtrans_to(insmod_t,insmod_exec_t)
}
-ifdef(`targeted_policy',`
- term_use_unallocated_ttys(insmod_t)
- term_use_generic_ptys(insmod_t)
-')
-
optional_policy(`
hotplug_search_config(insmod_t)
')
@@ -210,9 +205,9 @@ files_list_home(depmod_t)
userdom_read_staff_home_content_files(depmod_t)
userdom_read_sysadm_home_content_files(depmod_t)
-ifdef(`targeted_policy', `
- term_use_unallocated_ttys(depmod_t)
- term_use_generic_ptys(depmod_t)
+optional_policy(`
+ # Read System.map from home directories.
+ unconfined_read_home_content_files(depmod_t)
')
optional_policy(`
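Review bot: The comment `# Read System.map from home directories.` understates what `unconfined_read_home_content_files(depmod_t)` grants: per its definition in unconfined.if in this same commit it lists unconfined_home_dir_t and unconfined_home_t directories and reads every file and symlink of type unconfined_home_t, not just System.map. The same broad grant is made to semanage_t in the last selinuxutil.te hunk (together with unconfined_read_tmp_files). Suggest the comment state the width explicitly, e.g. `# Read System.map from home directories (grants read of all unconfined users' home content).`, so the scope of the access is visible where it is granted.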
@@ -287,8 +282,3 @@ ifdef(`distro_gentoo',`
consoletype_exec(update_modules_t)
')
')
-
-ifdef(`targeted_policy',`
- term_use_generic_ptys(update_modules_t)
- term_use_unallocated_ttys(update_modules_t)
-')
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index e39a5e9..f9717ce 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -49,6 +49,10 @@ interface(`mount_run',`
mount_domtrans($1)
role $2 types mount_t;
allow mount_t $3:chr_file rw_file_perms;
+
+ optional_policy(`
+ samba_run_smbmount($1, $2, $3)
+ ')
')
########################################
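Review bot: Adding `samba_run_smbmount($1, $2, $3)` inside mount_run means every existing caller of mount_run now also receives the smbmount domain transition and role authorisation whenever the samba module is present, which the interface's summary (outside this hunk) presumably does not mention. A comment on the optional block, e.g. `# callers of mount_run also get smbmount when samba is present`, and a matching sentence in the summary would make the extra grant visible to policy authors. mount_run's doc block and signature start before the hunk.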
@@ -128,18 +132,42 @@ interface(`mount_send_nfs_client_request',`
## </param>
#
interface(`mount_domtrans_unconfined',`
- ifdef(`targeted_policy',`
- gen_require(`
- type unconfined_mount_t, mount_exec_t;
- ')
+ gen_require(`
+ type unconfined_mount_t, mount_exec_t;
+ ')
- domtrans_pattern($1,mount_exec_t,unconfined_mount_t)
+ domtrans_pattern($1, mount_exec_t, unconfined_mount_t)
+')
- allow $1 unconfined_mount_t:fd use;
- allow unconfined_mount_t $1:fd use;
- allow unconfined_mount_t $1:fifo_file rw_file_perms;
- allow unconfined_mount_t $1:process sigchld;
- ',`
- mount_domtrans($1)
+########################################
+## <summary>
+## Execute mount in the unconfined mount domain, and
+## allow the specified role the unconfined mount domain,
+## and use the caller's terminal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the unconfined mount domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the unconfined mount domain to use.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mount_run_unconfined',`
+ gen_require(`
+ type unconfined_mount_t;
')
+
+ mount_domtrans_unconfined($1)
+ role $2 types unconfined_mount_t;
+ allow unconfined_mount_t $3:chr_file rw_file_perms;
')
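Review bot: In mount_run_unconfined, `role $2 types unconfined_mount_t;` authorises the role for a domain that mount.te in this same commit wraps in `unconfined_domain(unconfined_mount_t)` whenever the unconfined module is loaded, so on those builds the call is effectively an unconfined grant to the role rather than a mount-specific one. The `<desc>` of the new interface should say so; e.g. add after the summary: `## Note: unconfined_mount_t is an unconfined domain when the unconfined module is present, so only grant this to roles that are already unconfined.` The same consideration applies to mount_domtrans_unconfined, which now transitions unconditionally instead of falling back to mount_domtrans.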
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index eb20fb7..2670a9f 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -6,14 +6,12 @@ policy_module(mount,1.8.0)
# Declarations
#
-ifdef(`targeted_policy',`
## <desc>
## <p>
## Allow mount to mount any file
## </p>
## </desc>
gen_tunable(allow_mount_anyfile,false)
-')
type mount_t;
type mount_exec_t;
@@ -26,10 +24,11 @@ files_type(mount_loopback_t)
type mount_tmp_t;
files_tmp_file(mount_tmp_t)
-ifdef(`targeted_policy',`
- type unconfined_mount_t;
- application_domain(unconfined_mount_t,mount_exec_t)
-')
+# causes problems with interfaces when
+# this is optionally declared in monolithic
+# policy--duplicate type declaration
+type unconfined_mount_t;
+application_domain(unconfined_mount_t,mount_exec_t)
########################################
#
@@ -128,12 +127,10 @@ ifdef(`distro_redhat',`
')
')
-ifdef(`targeted_policy',`
- tunable_policy(`allow_mount_anyfile',`
- auth_read_all_dirs_except_shadow(mount_t)
- auth_read_all_files_except_shadow(mount_t)
- files_mounton_non_security(mount_t)
- ')
+tunable_policy(`allow_mount_anyfile',`
+ auth_read_all_dirs_except_shadow(mount_t)
+ auth_read_all_files_except_shadow(mount_t)
+ files_mounton_non_security(mount_t)
')
optional_policy(`
@@ -201,7 +198,7 @@ optional_policy(`
# Unconfined mount local policy
#
-ifdef(`targeted_policy',`
+optional_policy(`
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
unconfined_domain(unconfined_mount_t)
')
diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te
index 7763585..6c658ee 100644
--- a/policy/modules/system/pcmcia.te
+++ b/policy/modules/system/pcmcia.te
@@ -112,14 +112,6 @@ sysnet_manage_config(cardmgr_t)
userdom_dontaudit_use_unpriv_user_fds(cardmgr_t)
userdom_dontaudit_search_sysadm_home_dirs(cardmgr_t)
-ifdef(`targeted_policy',`
- term_use_unallocated_ttys(cardmgr_t)
- term_use_generic_ptys(cardmgr_t)
- term_dontaudit_use_unallocated_ttys(cardmgr_t)
- term_dontaudit_use_generic_ptys(cardmgr_t)
- files_dontaudit_read_root_files(cardmgr_t)
-')
-
optional_policy(`
seutil_dontaudit_read_config(cardmgr_t)
seutil_sigchld_newrole(cardmgr_t)
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index d484e80..dde9994 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -74,12 +74,6 @@ userdom_dontaudit_search_all_users_home_content(mdadm_t)
mta_send_mail(mdadm_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(mdadm_t)
- term_dontaudit_use_generic_ptys(mdadm_t)
- files_dontaudit_read_root_files(mdadm_t)
-')
-
optional_policy(`
gpm_dontaudit_getattr_gpmctl(mdadm_t)
')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index fe267d9..c707435 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,10 +1,8 @@
policy_module(selinuxutil,1.7.0)
-ifdef(`strict_policy',`
- gen_require(`
- bool secure_mode;
- ')
+gen_require(`
+ bool secure_mode;
')
########################################
@@ -152,11 +150,6 @@ libs_use_shared_libs(checkpolicy_t)
userdom_use_all_users_fds(checkpolicy_t)
-ifdef(`targeted_policy',`
- term_use_generic_ptys(checkpolicy_t)
- term_use_unallocated_ttys(checkpolicy_t)
-')
-
########################################
#
# Load_policy local policy
@@ -205,11 +198,6 @@ ifdef(`hide_broken_symptoms',`
')
')
-ifdef(`targeted_policy',`
- term_use_unallocated_ttys(load_policy_t)
- term_use_generic_ptys(load_policy_t)
-')
-
########################################
#
# Newrole local policy
@@ -294,15 +282,13 @@ userdom_use_unpriv_users_fds(newrole_t)
userdom_dontaudit_search_all_users_home_content(newrole_t)
userdom_search_all_users_home_dirs(newrole_t)
-ifdef(`strict_policy',`
- # if secure mode is enabled, then newrole
- # can only transition to unprivileged users
- if(secure_mode) {
- userdom_spec_domtrans_unpriv_users(newrole_t)
- } else {
- userdom_spec_domtrans_all_users(newrole_t)
- }
-')
+# if secure mode is enabled, then newrole
+# can only transition to unprivileged users
+if(secure_mode) {
+ userdom_spec_domtrans_unpriv_users(newrole_t)
+} else {
+ userdom_spec_domtrans_all_users(newrole_t)
+}
tunable_policy(`allow_polyinstantiation',`
files_polyinstantiate_all(newrole_t)
@@ -357,11 +343,6 @@ logging_send_syslog_msg(restorecond_t)
miscfiles_read_localization(restorecond_t)
-ifdef(`targeted_policy',`
- term_dontaudit_use_generic_ptys(restorecond_t)
- term_dontaudit_use_unallocated_ttys(restorecond_t)
-')
-
optional_policy(`
rpm_use_script_fds(restorecond_t)
')
@@ -488,7 +469,6 @@ auth_use_nsswitch(semanage_t)
libs_use_ld_so(semanage_t)
libs_use_shared_libs(semanage_t)
-libs_use_lib_files(semanage_t)
locallogin_use_fds(semanage_t)
@@ -509,8 +489,6 @@ seutil_get_semanage_read_lock(semanage_t)
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
-userdom_search_sysadm_home_dirs(semanage_t)
-
ifdef(`distro_debian',`
files_read_var_lib_files(semanage_t)
files_read_var_lib_symlinks(semanage_t)
@@ -523,6 +501,11 @@ ifdef(`enable_mls',`
# Handle pp files created in homedir and /tmp
userdom_read_sysadm_home_content_files(semanage_t)
userdom_read_sysadm_tmp_files(semanage_t)
+
+ optional_policy(`
+ unconfined_read_home_content_files(semanage_t)
+ unconfined_read_tmp_files(semanage_t)
+ ')
')
########################################
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index f757419..d54810e 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -142,12 +142,6 @@ ifdef(`distro_redhat', `
files_exec_etc_files(dhcpc_t)
')
-ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(dhcpc_t)
- term_dontaudit_use_generic_ptys(dhcpc_t)
- files_dontaudit_read_root_files(dhcpc_t)
-')
-
optional_policy(`
consoletype_domtrans(dhcpc_t)
')
@@ -320,15 +314,6 @@ ifdef(`hide_broken_symptoms',`
')
')
-ifdef(`targeted_policy',`
- term_use_generic_ptys(ifconfig_t)
- term_use_unallocated_ttys(ifconfig_t)
-
- optional_policy(`
- unconfined_dontaudit_read_pipes(ifconfig_t)
- ')
-')
-
optional_policy(`
netutils_domtrans(dhcpc_t)
')
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 6bdbb4a..d63c9d4 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -159,7 +159,6 @@ sysnet_signal_dhcpc(udev_t)
sysnet_manage_config(udev_t)
sysnet_etc_filetrans_config(udev_t)
-userdom_use_sysadm_ttys(udev_t)
userdom_dontaudit_search_all_users_home_content(udev_t)
ifdef(`distro_gentoo',`
@@ -184,11 +183,6 @@ ifdef(`distro_redhat',`
netutils_domtrans(udev_t)
')
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(udev_t)
- term_dontaudit_use_generic_ptys(udev_t)
-')
-
optional_policy(`
brctl_domtrans(udev_t)
')
diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc
index 5d9bb3b..967c66c 100644
--- a/policy/modules/system/unconfined.fc
+++ b/policy/modules/system/unconfined.fc
@@ -2,12 +2,11 @@
# e.g.:
# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
+/usr/bin/qemu.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
-ifdef(`targeted_policy',`
+/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/bin/qemu.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+
/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-')
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 816c263..a49911f 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -12,6 +12,7 @@
#
interface(`unconfined_domain_noaudit',`
gen_require(`
+ type unconfined_t;
class dbus all_dbus_perms;
class nscd all_nscd_perms;
class passwd all_passwd_perms;
@@ -118,6 +119,56 @@ interface(`unconfined_domain',`
########################################
## <summary>
+## Add an alias type to the unconfined domain. (Deprecated)
+## </summary>
+## <desc>
+## <p>
+## Add an alias type to the unconfined domain. (Deprecated)
+## </p>
+## <p>
+## This is added to support targeted policy. Its
+## use should be limited. It has no effect
+## on the strict policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## New alias of the unconfined domain.
+## </summary>
+## </param>
+#
+interface(`unconfined_alias_domain',`
+ refpolicywarn(`$0($1) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Add an alias type to the unconfined execmem
+## program file type. (Deprecated)
+## </summary>
+## <desc>
+## <p>
+## Add an alias type to the unconfined execmem
+## program file type. (Deprecated)
+## </p>
+## <p>
+## This is added to support targeted policy. Its
+## use should be limited. It has no effect
+## on the strict policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## New alias of the unconfined execmem program type.
+## </summary>
+## </param>
+#
+interface(`unconfined_execmem_alias_program',`
+ refpolicywarn(`$0($1) has been deprecated.')
+')
+
+########################################
+## <summary>
## Transition to the unconfined domain.
## </summary>
## <param name="domain">
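Review bot: The newly added doc blocks for the deprecated unconfined_alias_domain and unconfined_execmem_alias_program still say `This is added to support targeted policy ... It has no effect on the strict policy`, but after this merge there is no separate strict or targeted build and both interfaces are unconditional no-ops that only emit refpolicywarn. Replace that paragraph in both with something like `## This interface is a compatibility stub: it does nothing and emits a deprecation warning.`, so a reader does not expect the alias to be created under some configuration.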
@@ -473,74 +524,69 @@ interface(`unconfined_dbus_chat',`
########################################
## <summary>
-## Add an alias type to the unconfined domain.
+## Connect to the the unconfined DBUS
+## for service (acquire_svc).
## </summary>
-## <desc>
-## <p>
-## Add an alias type to the unconfined domain.
-## </p>
-## <p>
-## This is added to support targeted policy. Its
-## use should be limited. It has no effect
-## on the strict policy.
-## </p>
-## </desc>
## <param name="domain">
## <summary>
-## New alias of the unconfined domain.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`unconfined_alias_domain',`
- ifdef(`targeted_policy',`
- gen_require(`
- type unconfined_t;
- ')
-
- typealias unconfined_t alias $1;
- ',`
- refpolicywarn(`$0($1) has no effect in strict policy.')
+interface(`unconfined_dbus_connect',`
+ gen_require(`
+ type unconfined_t;
+ class dbus acquire_svc;
')
+
+ allow $1 unconfined_t:dbus acquire_svc;
')
########################################
## <summary>
-## Add an alias type to the unconfined execmem
-## program file type.
+## Read files in unconfined users home directories.
## </summary>
-## <desc>
-## <p>
-## Add an alias type to the unconfined execmem
-## program file type.
-## </p>
-## <p>
-## This is added to support targeted policy. Its
-## use should be limited. It has no effect
-## on the strict policy.
-## </p>
-## </desc>
## <param name="domain">
## <summary>
-## New alias of the unconfined execmem program type.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`unconfined_execmem_alias_program',`
- ifdef(`targeted_policy',`
- gen_require(`
- type unconfined_execmem_exec_t;
- ')
+interface(`unconfined_read_home_content_files',`
+ gen_require(`
+ type unconfined_home_dir_t, unconfined_home_t;
+ ')
- typealias unconfined_execmem_exec_t alias $1;
- ',`
- refpolicywarn(`$0($1) has no effect in strict policy.')
+ files_search_home($1)
+ allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms;
+ read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
+ read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
+')
+
+########################################
+## <summary>
+## Read unconfined users temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_read_tmp_files',`
+ gen_require(`
+ type unconfined_tmp_t;
')
+
+ files_search_tmp($1)
+ allow $1 unconfined_tmp_t:dir list_dir_perms;
+ read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
+ read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
')
########################################
## <summary>
-## Connect to the the unconfined DBUS
-## for service (acquire_svc).
+## Write unconfined users temporary files.
## </summary>
## <param name="domain">
## <summary>
@@ -548,11 +594,10 @@ interface(`unconfined_execmem_alias_program',`
## </summary>
## </param>
#
-interface(`unconfined_dbus_connect',`
+interface(`unconfined_write_tmp_files',`
gen_require(`
- type unconfined_t;
- class dbus acquire_svc;
+ type unconfined_tmp_t;
')
- allow $1 unconfined_t:dbus acquire_svc;
+ allow $1 unconfined_tmp_t:file { getattr write append };
')
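Review bot: `allow $1 unconfined_tmp_t:file { getattr write append };` is the whole body of unconfined_write_tmp_files — unlike unconfined_read_tmp_files in the hunk above there is no `files_search_tmp($1)` and no directory permission on unconfined_tmp_t, so a caller can only use this on descriptors it already holds (e.g. inherited from an unconfined process), not on files reached by path. If that is the intent, the summary `Write unconfined users temporary files.` should say so (e.g. `Write to already-open unconfined users temporary files.`); if callers are expected to reach the files themselves, add `files_search_tmp($1)` and `allow $1 unconfined_tmp_t:dir search_dir_perms;` to match the read interface.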
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 1bba626..3b147b0 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -6,192 +6,210 @@ policy_module(unconfined,1.7.0)
# Declarations
#
-type unconfined_t;
+# usage in this module of types created by these
+# calls is not correct, however we dont currently
+# have another method to add access to these types
+userdom_base_user_template(unconfined)
+userdom_manage_home_template(unconfined)
+userdom_manage_tmp_template(unconfined)
+userdom_manage_tmpfs_template(unconfined)
+
type unconfined_exec_t;
-init_system_domain(unconfined_t,unconfined_exec_t)
+init_system_domain(unconfined_t, unconfined_exec_t)
-ifdef(`targeted_policy',`
- type unconfined_execmem_t;
- type unconfined_execmem_exec_t;
- init_system_domain(unconfined_execmem_t,unconfined_execmem_exec_t)
-')
+type unconfined_execmem_t;
+type unconfined_execmem_exec_t;
+init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
+role unconfined_r types unconfined_execmem_t;
########################################
#
# Local policy
#
-unconfined_domain(unconfined_t)
+domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t)
+
+files_create_boot_flag(unconfined_t)
+
+mcs_killall(unconfined_t)
+mcs_ptrace_all(unconfined_t)
+
+init_run_daemon(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+
+libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
logging_send_syslog_msg(unconfined_t)
+logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-ifdef(`targeted_policy',`
- allow unconfined_t self:system syslog_read;
- dontaudit unconfined_t self:capability sys_module;
+mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
- domain_auto_trans(unconfined_t,unconfined_execmem_exec_t,unconfined_execmem_t)
+seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
- files_create_boot_flag(unconfined_t)
+unconfined_domain(unconfined_t)
- mcs_killall(unconfined_t)
- mcs_ptrace_all(unconfined_t)
+userdom_priveleged_home_dir_manager(unconfined_t)
- init_domtrans_script(unconfined_t)
+optional_policy(`
+ ada_domtrans(unconfined_t)
+')
- libs_domtrans_ldconfig(unconfined_t)
+optional_policy(`
+ apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ apache_per_role_template(unconfined, unconfined_t, unconfined_r)
+ # this is disallowed usage:
+ unconfined_domain(httpd_unconfined_script_t)
+')
- logging_domtrans_auditctl(unconfined_t)
+optional_policy(`
+ bind_run_ndc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
- mount_domtrans_unconfined(unconfined_t)
+optional_policy(`
+ bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
- seutil_domtrans_setfiles(unconfined_t)
- seutil_domtrans_semanage(unconfined_t)
+optional_policy(`
+ cron_per_role_template(unconfined, unconfined_t, unconfined_r)
+ # this is disallowed usage:
+ unconfined_domain(unconfined_crond_t)
+')
- userdom_unconfined(unconfined_t)
- userdom_priveleged_home_dir_manager(unconfined_t)
+optional_policy(`
+ init_dbus_chat_script(unconfined_t)
- optional_policy(`
- ada_domtrans(unconfined_t)
- ')
+ dbus_stub(unconfined_t)
optional_policy(`
- apache_domtrans_helper(unconfined_t)
+ avahi_dbus_chat(unconfined_t)
')
optional_policy(`
- bind_domtrans_ndc(unconfined_t)
+ bluetooth_dbus_chat(unconfined_t)
')
optional_policy(`
- bootloader_domtrans(unconfined_t)
+ consolekit_dbus_chat(unconfined_t)
')
optional_policy(`
- init_dbus_chat_script(unconfined_t)
-
- dbus_stub(unconfined_t)
-
- optional_policy(`
- avahi_dbus_chat(unconfined_t)
- ')
-
- optional_policy(`
- bluetooth_dbus_chat(unconfined_t)
- ')
-
- optional_policy(`
- consolekit_dbus_chat(unconfined_t)
- ')
-
- optional_policy(`
- cups_dbus_chat_config(unconfined_t)
- ')
-
- optional_policy(`
- hal_dbus_chat(unconfined_t)
- ')
-
- optional_policy(`
- networkmanager_dbus_chat(unconfined_t)
- ')
-
- optional_policy(`
- oddjob_dbus_chat(unconfined_t)
- ')
+ cups_dbus_chat_config(unconfined_t)
')
optional_policy(`
- firstboot_domtrans(unconfined_t)
+ hal_dbus_chat(unconfined_t)
')
optional_policy(`
- ftp_domtrans_ftpdctl(unconfined_t)
+ networkmanager_dbus_chat(unconfined_t)
')
optional_policy(`
- inn_domtrans(unconfined_t)
+ oddjob_dbus_chat(unconfined_t)
')
+')
- optional_policy(`
- java_domtrans(unconfined_t)
- ')
+optional_policy(`
+ firstboot_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
- optional_policy(`
- lpd_domtrans_checkpc(unconfined_t)
- ')
+optional_policy(`
+ ftp_run_ftpdctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
- optional_policy(`
- modutils_domtrans_update_mods(unconfined_t)
- ')
+optional_policy(`
+ inn_domtrans(unconfined_t)
+')
- optional_policy(`
- mono_domtrans(unconfined_t)
- ')
+optional_policy(`
+ java_domtrans(unconfined_t)
+')
- optional_policy(`
- oddjob_domtrans_mkhomedir(unconfined_t)
- ')
+optional_policy(`
+ lpd_run_checkpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
- optional_policy(`
- prelink_domtrans(unconfined_t)
- ')
+optional_policy(`
+ modutils_run_update_mods(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
- optional_policy(`
- portmap_domtrans_helper(unconfined_t)
- ')
+optional_policy(`
+ mono_domtrans(unconfined_t)
+')
- optional_policy(`
- postfix_domtrans_map(unconfined_t)
- # cjp: this should probably be removed:
- postfix_domtrans_master(unconfined_t)
- ')
+optional_policy(`
+ mta_per_role_template(unconfined, unconfined_t, unconfined_r)
+')
- optional_policy(`
- # cjp: this should probably be removed:
- rpc_domtrans_nfsd(unconfined_t)
- ')
+optional_policy(`
+ oddjob_domtrans_mkhomedir(unconfined_t)
+')
- optional_policy(`
- rpm_domtrans(unconfined_t)
- ')
+optional_policy(`
+ prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
- optional_policy(`
- samba_domtrans_net(unconfined_t)
- samba_domtrans_winbind_helper(unconfined_t)
- ')
+optional_policy(`
+ portmap_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
- optional_policy(`
- sendmail_domtrans(unconfined_t)
- ')
+optional_policy(`
+ postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ # cjp: this should probably be removed:
+ postfix_domtrans_master(unconfined_t)
+')
- optional_policy(`
- sysnet_domtrans_dhcpc(unconfined_t)
- sysnet_dbus_chat_dhcpc(unconfined_t)
- ')
- optional_policy(`
- tzdata_domtrans(unconfined_t)
- ')
+optional_policy(`
+ pyzor_per_role_template(unconfined)
+')
- optional_policy(`
- usermanage_domtrans_admin_passwd(unconfined_t)
- ')
+optional_policy(`
+ # cjp: this should probably be removed:
+ rpc_domtrans_nfsd(unconfined_t)
+')
- optional_policy(`
- vpn_domtrans(unconfined_t)
- ')
+optional_policy(`
+ rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
- optional_policy(`
- webalizer_domtrans(unconfined_t)
- ')
+optional_policy(`
+ samba_per_role_template(unconfined)
+ samba_run_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
- optional_policy(`
- wine_domtrans(unconfined_t)
- ')
+optional_policy(`
+ spamassassin_per_role_template(unconfined, unconfined_t, unconfined_r)
+')
- optional_policy(`
- xserver_domtrans_xdm_xserver(unconfined_t)
- ')
+optional_policy(`
+ sysnet_run_dhcpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ sysnet_dbus_chat_dhcpc(unconfined_t)
+')
+
+optional_policy(`
+ tzdata_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
+
+optional_policy(`
+ usermanage_run_admin_passwd(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
+
+optional_policy(`
+ vpn_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
+
+optional_policy(`
+ webalizer_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+')
+
+optional_policy(`
+ wine_domtrans(unconfined_t)
+')
+
+optional_policy(`
+ xserver_domtrans_xdm_xserver(unconfined_t)
')
########################################
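Review bot: `unconfined_domain(httpd_unconfined_script_t)` and `unconfined_domain(unconfined_crond_t)` reach into types owned by the apache and cron modules, and the adjacent `# this is disallowed usage:` comments concede the layering violation; the grants belong in those modules behind an interface they export, so their owners see that the unconfined role's web scripts and cron jobs become fully unconfined domains. The `# cjp: this should probably be removed:` notes before postfix_domtrans_master() and rpc_domtrans_nfsd() are carried over verbatim from the old targeted block, and this merge is the natural point to either drop those calls or record them as a tracked TODO. The `{ unconfined_devpts_t unconfined_tty_device_t }` terminal set is repeated in every *_run() call in this hunk; a module-local m4 define for it would keep the roughly twenty call sites consistent when a terminal type is added.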
@@ -199,18 +217,16 @@ ifdef(`targeted_policy',`
# Unconfined Execmem Local policy
#
-ifdef(`targeted_policy',`
- allow unconfined_execmem_t self:process { execstack execmem };
- unconfined_domain_noaudit(unconfined_execmem_t)
+allow unconfined_execmem_t self:process { execstack execmem };
+unconfined_domain_noaudit(unconfined_execmem_t)
- optional_policy(`
- dbus_stub(unconfined_execmem_t)
+optional_policy(`
+ dbus_stub(unconfined_execmem_t)
- init_dbus_chat_script(unconfined_execmem_t)
- unconfined_dbus_chat(unconfined_execmem_t)
+ init_dbus_chat_script(unconfined_execmem_t)
+ unconfined_dbus_chat(unconfined_execmem_t)
- optional_policy(`
- hal_dbus_chat(unconfined_execmem_t)
- ')
+ optional_policy(`
+ hal_dbus_chat(unconfined_execmem_t)
')
')
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index f01c490..ab74d5a 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1353,11 +1353,7 @@ template(`userdom_security_admin_template',`
## <rolecap/>
#
template(`userdom_role_change_generic_user',`
- ifdef(`strict_policy',`
- userdom_role_change_template($1,user)
- ',`
- refpolicywarn(`$0($*) has no effect in targeted policy.')
- ')
+ userdom_role_change_template($1, user)
')
########################################
@@ -1384,11 +1380,7 @@ template(`userdom_role_change_generic_user',`
## <rolecap/>
#
template(`userdom_role_change_from_generic_user',`
- ifdef(`strict_policy',`
- userdom_role_change_template(user,$1)
- ',`
- refpolicywarn(`$0($*) has no effect in targeted policy.')
- ')
+ userdom_role_change_template(user, $1)
')
########################################
@@ -1414,11 +1406,7 @@ template(`userdom_role_change_from_generic_user',`
## <rolecap/>
#
template(`userdom_role_change_staff',`
- ifdef(`strict_policy',`
- userdom_role_change_template($1,staff)
- ',`
- refpolicywarn(`$0($*) has no effect in targeted policy.')
- ')
+ userdom_role_change_template($1, staff)
')
########################################
@@ -1445,11 +1433,7 @@ template(`userdom_role_change_staff',`
## <rolecap/>
#
template(`userdom_role_change_from_staff',`
- ifdef(`strict_policy',`
- userdom_role_change_template(staff,$1)
- ',`
- refpolicywarn(`$0($*) has no effect in targeted policy.')
- ')
+ userdom_role_change_template(staff, $1)
')
########################################
@@ -1475,11 +1459,7 @@ template(`userdom_role_change_from_staff',`
## <rolecap/>
#
template(`userdom_role_change_sysadm',`
- ifdef(`strict_policy',`
- userdom_role_change_template($1,sysadm)
- ',`
- refpolicywarn(`$0($*) has no effect in targeted policy.')
- ')
+ userdom_role_change_template($1, sysadm)
')
########################################
@@ -1506,11 +1486,7 @@ template(`userdom_role_change_sysadm',`
## <rolecap/>
#
template(`userdom_role_change_from_sysadm',`
- ifdef(`strict_policy',`
- userdom_role_change_template(sysadm,$1)
- ',`
- refpolicywarn(`$0($*) has no effect in targeted policy.')
- ')
+ userdom_role_change_template(sysadm, $1)
')
########################################
@@ -1698,13 +1674,11 @@ template(`userdom_user_home_content',`
## </param>
#
template(`userdom_setattr_user_ptys',`
- ifdef(`strict_policy',`
- gen_require(`
- type $1_devpts_t;
- ')
-
- allow $2 $1_devpts_t:chr_file setattr;
+ gen_require(`
+ type $1_devpts_t;
')
+
+ allow $2 $1_devpts_t:chr_file setattr;
')
########################################
@@ -1733,13 +1707,11 @@ template(`userdom_setattr_user_ptys',`
## </param>
#
template(`userdom_create_user_pty',`
- ifdef(`strict_policy',`
- gen_require(`
- type $1_devpts_t;
- ')
-
- term_create_pty($2,$1_devpts_t)
+ gen_require(`
+ type $1_devpts_t;
')
+
+ term_create_pty($2, $1_devpts_t)
')
########################################
@@ -3622,15 +3594,11 @@ interface(`userdom_read_all_tmp_untrusted_content',`
## </param>
#
template(`userdom_setattr_user_ttys',`
- ifdef(`targeted_policy',`
- term_setattr_unallocated_ttys($2)
- ',`
- gen_require(`
- type $1_tty_device_t;
- ')
-
- allow $2 $1_tty_device_t:chr_file setattr;
+ gen_require(`
+ type $1_tty_device_t;
')
+
+ allow $2 $1_tty_device_t:chr_file setattr;
')
########################################
@@ -3659,15 +3627,11 @@ template(`userdom_setattr_user_ttys',`
## </param>
#
template(`userdom_use_user_ttys',`
- ifdef(`targeted_policy',`
- term_use_unallocated_ttys($2)
- ',`
- gen_require(`
- type $1_tty_device_t;
- ')
-
- allow $2 $1_tty_device_t:chr_file rw_term_perms;
+ gen_require(`
+ type $1_tty_device_t;
')
+
+ allow $2 $1_tty_device_t:chr_file rw_term_perms;
')
########################################
@@ -3696,18 +3660,13 @@ template(`userdom_use_user_ttys',`
## </param>
#
template(`userdom_use_user_terminals',`
- ifdef(`targeted_policy',`
- term_use_unallocated_ttys($2)
- term_use_generic_ptys($2)
- ',`
- gen_require(`
- type $1_tty_device_t, $1_devpts_t;
- ')
-
- allow $2 $1_tty_device_t:chr_file rw_term_perms;
- allow $2 $1_devpts_t:chr_file rw_term_perms;
- term_list_ptys($2)
+ gen_require(`
+ type $1_tty_device_t, $1_devpts_t;
')
+
+ allow $2 $1_tty_device_t:chr_file rw_term_perms;
+ allow $2 $1_devpts_t:chr_file rw_term_perms;
+ term_list_ptys($2)
')
########################################
@@ -3949,19 +3908,14 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
## </param>
#
interface(`userdom_shell_domtrans_sysadm',`
- ifdef(`targeted_policy',`
- #cjp: need to doublecheck this one
- unconfined_shell_domtrans($1)
- ',`
- gen_require(`
- type sysadm_t;
- ')
-
- corecmd_shell_domtrans($1,sysadm_t)
- allow sysadm_t $1:fd use;
- allow sysadm_t $1:fifo_file rw_file_perms;
- allow sysadm_t $1:process sigchld;
+ gen_require(`
+ type sysadm_t;
')
+
+ corecmd_shell_domtrans($1, sysadm_t)
+ allow sysadm_t $1:fd use;
+ allow sysadm_t $1:fifo_file rw_file_perms;
+ allow sysadm_t $1:process sigchld;
')
########################################
@@ -4170,16 +4124,12 @@ interface(`userdom_dontaudit_search_staff_home_dirs',`
## </param>
#
interface(`userdom_manage_staff_home_dirs',`
- ifdef(`targeted_policy',`
- userdom_manage_generic_user_home_dirs($1)
- ',`
- gen_require(`
- type staff_home_dir_t;
- ')
-
- files_search_home($1)
- allow $1 staff_home_dir_t:dir manage_dir_perms;
+ gen_require(`
+ type staff_home_dir_t;
')
+
+ files_search_home($1)
+ allow $1 staff_home_dir_t:dir manage_dir_perms;
')
########################################
@@ -4193,16 +4143,12 @@ interface(`userdom_manage_staff_home_dirs',`
## </param>
#
interface(`userdom_relabelto_staff_home_dirs',`
- ifdef(`targeted_policy',`
- userdom_relabelto_generic_user_home_dirs($1)
- ',`
- gen_require(`
- type staff_home_dir_t;
- ')
-
- files_search_home($1)
- allow $1 staff_home_dir_t:dir relabelto;
+ gen_require(`
+ type staff_home_dir_t;
')
+
+ files_search_home($1)
+ allow $1 staff_home_dir_t:dir relabelto;
')
########################################
@@ -4256,15 +4202,11 @@ interface(`userdom_read_staff_home_content_files',`
## </param>
#
interface(`userdom_sigchld_sysadm',`
- ifdef(`targeted_policy',`
- unconfined_sigchld($1)
- ',`
- gen_require(`
- type sysadm_t;
- ')
-
- allow $1 sysadm_t:process sigchld;
+ gen_require(`
+ type sysadm_t;
')
+
+ allow $1 sysadm_t:process sigchld;
')
########################################
@@ -4279,15 +4221,11 @@ interface(`userdom_sigchld_sysadm',`
## </param>
#
interface(`userdom_dontaudit_getattr_sysadm_ttys',`
- ifdef(`targeted_policy',`
- term_dontaudit_getattr_unallocated_ttys($1)
- ',`
- gen_require(`
- type sysadm_tty_device_t;
- ')
-
- dontaudit $1 sysadm_tty_device_t:chr_file getattr;
+ gen_require(`
+ type sysadm_tty_device_t;
')
+
+ dontaudit $1 sysadm_tty_device_t:chr_file getattr;
')
########################################
@@ -4301,17 +4239,13 @@ interface(`userdom_dontaudit_getattr_sysadm_ttys',`
## </param>
#
interface(`userdom_use_sysadm_ttys',`
- ifdef(`targeted_policy',`
- term_use_unallocated_ttys($1)
- ',`
- gen_require(`
- type sysadm_tty_device_t;
- ')
-
- dev_list_all_dev_nodes($1)
- term_list_ptys($1)
- allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
+ gen_require(`
+ type sysadm_tty_device_t;
')
+
+ dev_list_all_dev_nodes($1)
+ term_list_ptys($1)
+ allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
')
########################################
@@ -4325,15 +4259,11 @@ interface(`userdom_use_sysadm_ttys',`
## </param>
#
interface(`userdom_dontaudit_use_sysadm_ttys',`
- ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys($1)
- ',`
- gen_require(`
- type sysadm_tty_device_t;
- ')
-
- dontaudit $1 sysadm_tty_device_t:chr_file { read write };
+ gen_require(`
+ type sysadm_tty_device_t;
')
+
+ dontaudit $1 sysadm_tty_device_t:chr_file { read write };
')
########################################
@@ -4347,17 +4277,13 @@ interface(`userdom_dontaudit_use_sysadm_ttys',`
## </param>
#
interface(`userdom_use_sysadm_ptys',`
- ifdef(`targeted_policy',`
- term_use_generic_ptys($1)
- ',`
- gen_require(`
- type sysadm_devpts_t;
- ')
-
- dev_list_all_dev_nodes($1)
- term_list_ptys($1)
- allow $1 sysadm_devpts_t:chr_file rw_term_perms;
+ gen_require(`
+ type sysadm_devpts_t;
')
+
+ dev_list_all_dev_nodes($1)
+ term_list_ptys($1)
+ allow $1 sysadm_devpts_t:chr_file rw_term_perms;
')
########################################
@@ -4371,15 +4297,11 @@ interface(`userdom_use_sysadm_ptys',`
## </param>
#
interface(`userdom_dontaudit_use_sysadm_ptys',`
- ifdef(`targeted_policy',`
- term_dontaudit_use_generic_ptys($1)
- ',`
- gen_require(`
- type sysadm_devpts_t;
- ')
-
- dontaudit $1 sysadm_devpts_t:chr_file { read write };
+ gen_require(`
+ type sysadm_devpts_t;
')
+
+ dontaudit $1 sysadm_devpts_t:chr_file { read write };
')
########################################
@@ -4408,15 +4330,11 @@ interface(`userdom_use_sysadm_terms',`
## </param>
#
interface(`userdom_dontaudit_use_sysadm_terms',`
- ifdef(`targeted_policy',`
- term_dontaudit_use_generic_ptys($1)
- ',`
- gen_require(`
- attribute admin_terminal;
- ')
-
- dontaudit $1 admin_terminal:chr_file { read write };
+ gen_require(`
+ attribute admin_terminal;
')
+
+ dontaudit $1 admin_terminal:chr_file { read write };
')
########################################
@@ -4430,15 +4348,11 @@ interface(`userdom_dontaudit_use_sysadm_terms',`
## </param>
#
interface(`userdom_use_sysadm_fds',`
- ifdef(`targeted_policy',`
- unconfined_use_fds($1)
- ',`
- gen_require(`
- type sysadm_t;
- ')
-
- allow $1 sysadm_t:fd use;
+ gen_require(`
+ type sysadm_t;
')
+
+ allow $1 sysadm_t:fd use;
')
########################################
@@ -4452,16 +4366,11 @@ interface(`userdom_use_sysadm_fds',`
## </param>
#
interface(`userdom_rw_sysadm_pipes',`
- ifdef(`targeted_policy',`
- #cjp: need to doublecheck this one
- unconfined_rw_pipes($1)
- ',`
- gen_require(`
- type sysadm_t;
- ')
-
- allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
+ gen_require(`
+ type sysadm_t;
')
+
+ allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
')
########################################
@@ -4496,19 +4405,11 @@ interface(`userdom_getattr_sysadm_home_dirs',`
## </param>
#
interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
- ifdef(`targeted_policy',`
- gen_require(`
- type user_home_dir_t;
- ')
-
- dontaudit $1 user_home_dir_t:dir getattr;
- ', `
- gen_require(`
- type sysadm_home_dir_t;
- ')
-
- dontaudit $1 sysadm_home_dir_t:dir getattr;
+ gen_require(`
+ type sysadm_home_dir_t;
')
+
+ dontaudit $1 sysadm_home_dir_t:dir getattr;
')
########################################
@@ -4541,19 +4442,11 @@ interface(`userdom_search_sysadm_home_dirs',`
## </param>
#
interface(`userdom_dontaudit_search_sysadm_home_dirs',`
- ifdef(`targeted_policy',`
- gen_require(`
- type user_home_dir_t;
- ')
-
- dontaudit $1 user_home_dir_t:dir search_dir_perms;
- ',`
- gen_require(`
- type sysadm_home_dir_t;
- ')
-
- dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
+ gen_require(`
+ type sysadm_home_dir_t;
')
+
+ dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
')
########################################
@@ -4605,23 +4498,13 @@ interface(`userdom_dontaudit_list_sysadm_home_dirs',`
## </param>
#
interface(`userdom_dontaudit_read_sysadm_home_content_files',`
- ifdef(`targeted_policy',`
- gen_require(`
- type user_home_dir_t, user_home_t;
- ')
-
- dontaudit $1 user_home_dir_t:dir search_dir_perms;
- dontaudit $1 user_home_t:dir search_dir_perms;
- dontaudit $1 user_home_t:file r_file_perms;
- ',`
- gen_require(`
- type sysadm_home_dir_t, sysadm_home_t;
- ')
-
- dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
- dontaudit $1 sysadm_home_t:dir search_dir_perms;
- dontaudit $1 sysadm_home_t:file r_file_perms;
+ gen_require(`
+ type sysadm_home_dir_t, sysadm_home_t;
')
+
+ dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
+ dontaudit $1 sysadm_home_t:dir search_dir_perms;
+ dontaudit $1 sysadm_home_t:file read_file_perms;
')
########################################
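Review bot: The surviving dontaudit rule changes from `r_file_perms` (old strict branch) to `read_file_perms`, which is the only permission-set change in this file's otherwise mechanical ifdef removals. If the two sets are identical in this tree the line is fine, but if they differ the hunk does more than merge the two policies and deserves a mention in the commit message. A one-line comment such as `# read_file_perms replaces the legacy r_file_perms set` would make the intent clear to the next reader.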
@@ -4683,23 +4566,19 @@ interface(`userdom_search_sysadm_home_content_dirs',`
## </param>
#
interface(`userdom_read_sysadm_home_content_files',`
- ifdef(`strict_policy',`
- gen_require(`
- type sysadm_home_dir_t, sysadm_home_t;
- ')
-
- files_search_home($1)
- allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
- read_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t)
- read_lnk_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t)
- ',`
- userdom_read_generic_user_home_content_files($1)
+ gen_require(`
+ type sysadm_home_dir_t, sysadm_home_t;
')
+
+ files_search_home($1)
+ allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
+ read_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)
+ read_lnk_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t)
')
########################################
## <summary>
-## Read files in the sysadm users home directory.
+## Read sysadm temporary files.
## </summary>
## <param name="domain">
## <summary>
@@ -4708,18 +4587,14 @@ interface(`userdom_read_sysadm_home_content_files',`
## </param>
#
interface(`userdom_read_sysadm_tmp_files',`
- ifdef(`strict_policy',`
- gen_require(`
- type sysadm_tmp_t;
- ')
-
- files_search_tmp($1)
- allow $1 sysadm_tmp_t:dir list_dir_perms;
- read_files_pattern($1,sysadm_tmp_t,sysadm_tmp_t)
- read_lnk_files_pattern($1,sysadm_tmp_t,sysadm_tmp_t)
- ',`
- files_read_generic_tmp_files($1)
+ gen_require(`
+ type sysadm_tmp_t;
')
+
+ files_search_tmp($1)
+ allow $1 sysadm_tmp_t:dir list_dir_perms;
+ read_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t)
+ read_lnk_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t)
')
########################################
@@ -5351,16 +5226,12 @@ interface(`userdom_setattr_unpriv_users_ptys',`
## </param>
#
interface(`userdom_use_unpriv_users_ptys',`
- ifdef(`targeted_policy',`
- term_use_generic_ptys($1)
- ',`
- gen_require(`
- attribute user_ptynode;
- ')
-
- term_search_ptys($1)
- allow $1 user_ptynode:chr_file rw_file_perms;
+ gen_require(`
+ attribute user_ptynode;
')
+
+ term_search_ptys($1)
+ allow $1 user_ptynode:chr_file rw_file_perms;
')
########################################
@@ -5375,15 +5246,11 @@ interface(`userdom_use_unpriv_users_ptys',`
## </param>
#
interface(`userdom_dontaudit_use_unpriv_users_ptys',`
- ifdef(`targeted_policy',`
- term_dontaudit_use_generic_ptys($1)
- ',`
- gen_require(`
- attribute user_ptynode;
- ')
-
- dontaudit $1 user_ptynode:chr_file rw_file_perms;
+ gen_require(`
+ attribute user_ptynode;
')
+
+ dontaudit $1 user_ptynode:chr_file rw_file_perms;
')
########################################
@@ -5434,15 +5301,11 @@ interface(`userdom_dontaudit_relabelfrom_unpriv_users_ptys',`
## </param>
#
interface(`userdom_list_unpriv_users_tmp',`
- ifdef(`targeted_policy',`
- files_list_tmp($1)
- ',`
- gen_require(`
- attribute user_tmpfile;
- ')
-
- allow $1 user_tmpfile:dir list_dir_perms;
+ gen_require(`
+ attribute user_tmpfile;
')
+
+ allow $1 user_tmpfile:dir list_dir_perms;
')
########################################
@@ -5456,15 +5319,11 @@ interface(`userdom_list_unpriv_users_tmp',`
## </param>
#
interface(`userdom_read_unpriv_users_tmp_files',`
- ifdef(`targeted_policy',`
- files_read_generic_tmp_files($1)
- ',`
- gen_require(`
- attribute user_tmpfile;
- ')
-
- allow $1 user_tmpfile:file { read getattr };
+ gen_require(`
+ attribute user_tmpfile;
')
+
+ allow $1 user_tmpfile:file { read getattr };
')
########################################
@@ -5478,15 +5337,11 @@ interface(`userdom_read_unpriv_users_tmp_files',`
## </param>
#
interface(`userdom_read_unpriv_users_tmp_symlinks',`
- ifdef(`targeted_policy',`
- files_read_generic_tmp_symlinks($1)
- ',`
- gen_require(`
- attribute user_tmpfile;
- ')
-
- allow $1 user_tmpfile:lnk_file { getattr read };
+ gen_require(`
+ attribute user_tmpfile;
')
+
+ allow $1 user_tmpfile:lnk_file { getattr read };
')
########################################
@@ -5518,15 +5373,11 @@ interface(`userdom_write_unpriv_users_tmp_files',`
## </param>
#
interface(`userdom_use_unpriv_users_ttys',`
- ifdef(`targeted_policy',`
- term_use_unallocated_ttys($1)
- ',`
- gen_require(`
- attribute user_ttynode;
- ')
-
- allow $1 user_ttynode:chr_file rw_term_perms;
+ gen_require(`
+ attribute user_ttynode;
')
+
+ allow $1 user_ttynode:chr_file rw_term_perms;
')
########################################
@@ -5541,15 +5392,11 @@ interface(`userdom_use_unpriv_users_ttys',`
## </param>
#
interface(`userdom_dontaudit_use_unpriv_users_ttys',`
- ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys($1)
- ',`
- gen_require(`
- attribute user_ttynode;
- ')
-
- dontaudit $1 user_ttynode:chr_file rw_file_perms;
+ gen_require(`
+ attribute user_ttynode;
')
+
+ dontaudit $1 user_ttynode:chr_file rw_file_perms;
')
########################################
@@ -5673,15 +5520,11 @@ interface(`userdom_sigchld_all_users',`
## </param>
#
interface(`userdom_create_all_users_keys',`
- ifdef(`strict_policy',`
- gen_require(`
- attribute userdomain;
- ')
-
- allow $1 userdomain:key create;
- ',`
- unconfined_create_keys($1)
+ gen_require(`
+ attribute userdomain;
')
+
+ allow $1 userdomain:key create;
')
########################################
@@ -5705,7 +5548,7 @@ interface(`userdom_dbus_send_all_users',`
########################################
## <summary>
-## Unconfined access to user domains.
+## Unconfined access to user domains. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -5714,10 +5557,5 @@ interface(`userdom_dbus_send_all_users',`
## </param>
#
interface(`userdom_unconfined',`
- gen_require(`
- type user_home_dir_t;
- ')
-
- allow $1 user_home_dir_t:dir manage_dir_perms;
- files_home_filetrans($1,user_home_dir_t,dir)
+ refpolicywarn(`$0($*) has been deprecated.')
')
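Review bot: The deprecation stub drops userdom_unconfined()'s manage_dir_perms and files_home_filetrans grants entirely, so any remaining caller silently loses home-directory access with only a configure-time warning to explain it. Deprecated interfaces are more useful when the warning names the replacement, for example `refpolicywarn(`$0($*) has been deprecated, use userdom_manage_generic_user_home_dirs() instead.')`, assuming that interface (referenced elsewhere in this file) covers the intended callers; otherwise keep the old allow rules alongside the warning for one release. The `<param name="domain">` block above now documents an argument the body no longer uses, which is worth noting in the summary.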
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index eb915d1..80c2300 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -15,7 +15,6 @@ gen_require(`
# Declarations
#
-ifdef(`strict_policy',`
## <desc>
## <p>
## Allow sysadm to ptrace all processes
@@ -65,7 +64,6 @@ gen_tunable(user_rw_noexattrfile,false)
## </p>
## </desc>
gen_tunable(user_ttyfile_stat,false)
-')
# admin users terminals (tty and pty)
attribute admin_terminal;
@@ -108,451 +106,391 @@ attribute untrusted_content_tmp_type;
# Local policy
#
-ifdef(`strict_policy',`
- userdom_admin_user_template(sysadm)
- userdom_unpriv_user_template(staff)
- userdom_unpriv_user_template(user)
+userdom_admin_user_template(sysadm)
+userdom_unpriv_user_template(staff)
+userdom_unpriv_user_template(user)
- # user role change rules:
- # sysadm_r can change to user roles
- userdom_role_change_template(sysadm, user)
- userdom_role_change_template(sysadm, staff)
+# user role change rules:
+# sysadm_r can change to user roles
+userdom_role_change_template(sysadm, user)
+userdom_role_change_template(sysadm, staff)
- # only staff_r can change to sysadm_r
- userdom_role_change_template(staff, sysadm)
- dontaudit staff_t admin_terminal:chr_file { read write };
+# only staff_r can change to sysadm_r
+userdom_role_change_template(staff, sysadm)
+dontaudit staff_t admin_terminal:chr_file { read write };
- ifdef(`enable_mls',`
- userdom_unpriv_user_template(secadm)
- userdom_unpriv_user_template(auditadm)
+ifdef(`enable_mls',`
+ userdom_unpriv_user_template(secadm)
+ userdom_unpriv_user_template(auditadm)
- userdom_role_change_template(staff,auditadm)
- userdom_role_change_template(staff,secadm)
+ userdom_role_change_template(staff, auditadm)
+ userdom_role_change_template(staff, secadm)
- userdom_role_change_template(sysadm,secadm)
- userdom_role_change_template(sysadm,auditadm)
+ userdom_role_change_template(sysadm, secadm)
+ userdom_role_change_template(sysadm, auditadm)
- userdom_role_change_template(auditadm,secadm)
- userdom_role_change_template(auditadm,sysadm)
+ userdom_role_change_template(auditadm, secadm)
+ userdom_role_change_template(auditadm, sysadm)
- userdom_role_change_template(secadm,auditadm)
- userdom_role_change_template(secadm,sysadm)
- ')
+ userdom_role_change_template(secadm, auditadm)
+ userdom_role_change_template(secadm, sysadm)
+')
- # this should be tunable_policy, but
- # currently type_change and RBAC allow
- # do not work in conditionals
- ifdef(`user_canbe_sysadm',`
- userdom_role_change_template(user,sysadm)
- ')
+# this should be tunable_policy, but
+# currently type_change and RBAC allow
+# do not work in conditionals
+ifdef(`user_canbe_sysadm',`
+ userdom_role_change_template(user, sysadm)
+')
- ########################################
- #
- # Sysadm local policy
- #
+########################################
+#
+# Sysadm local policy
+#
- # for su
- allow sysadm_t userdomain:fd use;
+# for su
+allow sysadm_t userdomain:fd use;
- # Add/remove user home directories
- allow sysadm_t user_home_dir_t:dir manage_dir_perms;
- files_home_filetrans(sysadm_t,user_home_dir_t,dir)
+# Add/remove user home directories
+allow sysadm_t user_home_dir_t:dir manage_dir_perms;
+files_home_filetrans(sysadm_t, user_home_dir_t, dir)
- corecmd_exec_shell(sysadm_t)
+corecmd_exec_shell(sysadm_t)
- mls_process_read_up(sysadm_t)
+mls_process_read_up(sysadm_t)
- init_exec(sysadm_t)
+init_exec(sysadm_t)
- # Following for sending reboot and wall messages
- userdom_use_unpriv_users_ptys(sysadm_t)
- userdom_use_unpriv_users_ttys(sysadm_t)
+# Following for sending reboot and wall messages
+userdom_use_unpriv_users_ptys(sysadm_t)
+userdom_use_unpriv_users_ttys(sysadm_t)
- ifdef(`direct_sysadm_daemon',`
- optional_policy(`
- init_run_daemon(sysadm_t,sysadm_r,admin_terminal)
- ')
- ',`
- ifdef(`distro_gentoo',`
- optional_policy(`
- seutil_init_script_run_runinit(sysadm_t,sysadm_r,admin_terminal)
- ')
- ')
+ifdef(`direct_sysadm_daemon',`
+ optional_policy(`
+ init_run_daemon(sysadm_t, sysadm_r, admin_terminal)
')
-
- ifdef(`enable_mls',`
- allow auditadm_t self:capability { dac_read_search dac_override };
- seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
- domain_kill_all_domains(auditadm_t)
- seutil_read_bin_policy(auditadm_t)
- corecmd_exec_shell(auditadm_t)
- logging_send_syslog_msg(auditadm_t)
- logging_read_generic_logs(auditadm_t)
- logging_manage_audit_log(auditadm_t)
- logging_manage_audit_config(auditadm_t)
- logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t })
- logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
- userdom_dontaudit_read_sysadm_home_content_files(auditadm_t)
-
- allow secadm_t self:capability { dac_read_search dac_override };
- corecmd_exec_shell(secadm_t)
- domain_obj_id_change_exemption(secadm_t)
- mls_process_read_up(secadm_t)
- mls_file_read_all_levels(secadm_t)
- mls_file_write_all_levels(secadm_t)
- mls_file_upgrade(secadm_t)
- mls_file_downgrade(secadm_t)
- auth_relabel_all_files_except_shadow(secadm_t)
- dev_relabel_all_dev_nodes(secadm_t)
- auth_relabel_shadow(secadm_t)
- init_exec(secadm_t)
- logging_read_audit_log(secadm_t)
- logging_read_generic_logs(secadm_t)
- logging_read_audit_config(secadm_t)
- userdom_dontaudit_append_staff_home_content_files(secadm_t)
- userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
-
+',`
+ ifdef(`distro_gentoo',`
optional_policy(`
- aide_run(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
+ seutil_init_script_run_runinit(sysadm_t, sysadm_r, admin_terminal)
')
-
- optional_policy(`
- netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
- ')
- ',`
- logging_manage_audit_log(sysadm_t)
- logging_manage_audit_config(sysadm_t)
- logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
- ')
-
- tunable_policy(`allow_ptrace',`
- domain_ptrace_all_domains(sysadm_t)
- ')
-
- optional_policy(`
- amanda_run_recover(sysadm_t,sysadm_r,admin_terminal)
- ')
-
- optional_policy(`
- apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
- #apache_run_all_scripts(sysadm_t,sysadm_r)
- #apache_domtrans_sys_script(sysadm_t)
')
+')
- optional_policy(`
- tzdata_domtrans(sysadm_t)
- ')
+ifdef(`enable_mls',`
+ allow auditadm_t self:capability { dac_read_search dac_override };
+ seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+ domain_kill_all_domains(auditadm_t)
+ seutil_read_bin_policy(auditadm_t)
+ corecmd_exec_shell(auditadm_t)
+ logging_send_syslog_msg(auditadm_t)
+ logging_read_generic_logs(auditadm_t)
+ logging_manage_audit_log(auditadm_t)
+ logging_manage_audit_config(auditadm_t)
+ logging_run_auditctl(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+ logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+ userdom_dontaudit_read_sysadm_home_content_files(auditadm_t)
+
+ allow secadm_t self:capability { dac_read_search dac_override };
+ corecmd_exec_shell(secadm_t)
+ domain_obj_id_change_exemption(secadm_t)
+ mls_process_read_up(secadm_t)
+ mls_file_read_all_levels(secadm_t)
+ mls_file_write_all_levels(secadm_t)
+ mls_file_upgrade(secadm_t)
+ mls_file_downgrade(secadm_t)
+ auth_relabel_all_files_except_shadow(secadm_t)
+ dev_relabel_all_dev_nodes(secadm_t)
+ auth_relabel_shadow(secadm_t)
+ init_exec(secadm_t)
+ logging_read_audit_log(secadm_t)
+ logging_read_generic_logs(secadm_t)
+ logging_read_audit_config(secadm_t)
+ userdom_dontaudit_append_staff_home_content_files(secadm_t)
+ userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
+
+ optional_policy(`
+ aide_run(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
+ ')
+
+ optional_policy(`
+ netlabel_run_mgmt(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
+ ')
+',`
+ logging_manage_audit_log(sysadm_t)
+ logging_manage_audit_config(sysadm_t)
+ logging_run_auditctl(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- raid_domtrans_mdadm(sysadm_t)
- ')
+tunable_policy(`allow_ptrace',`
+ domain_ptrace_all_domains(sysadm_t)
+')
- optional_policy(`
- # cjp: why is this not apm_run_client
- apm_domtrans_client(sysadm_t)
- ')
+optional_policy(`
+ amanda_run_recover(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- apt_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ apache_run_helper(sysadm_t, sysadm_r, admin_terminal)
+ #apache_run_all_scripts(sysadm_t, sysadm_r)
+ #apache_domtrans_sys_script(sysadm_t)
+')
- optional_policy(`
- backup_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ tzdata_domtrans(sysadm_t)
+')
- optional_policy(`
- bootloader_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ raid_domtrans_mdadm(sysadm_t)
+')
- optional_policy(`
- bind_run_ndc(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ # cjp: why is this not apm_run_client
+ apm_domtrans_client(sysadm_t)
+')
- optional_policy(`
- bluetooth_run_helper(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ apt_run(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- consoletype_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ backup_run(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- clock_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ bootloader_run(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- clockspeed_run_cli(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ bind_run_ndc(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- certwatch_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ certwatch_run(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- cvs_exec(sysadm_t)
- ')
+optional_policy(`
+ consoletype_run(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- consoletype_exec(sysadm_t)
+optional_policy(`
+ clock_run(sysadm_t, sysadm_r, admin_terminal)
+')
- ifdef(`enable_mls',`
- consoletype_exec(auditadm_t)
- ')
- ')
+optional_policy(`
+ clockspeed_run_cli(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- cron_admin_template(sysadm,sysadm_t,sysadm_r)
- ')
+optional_policy(`
+ cvs_exec(sysadm_t)
+')
- optional_policy(`
- dcc_run_cdcc(sysadm_t,sysadm_r,admin_terminal)
- dcc_run_client(sysadm_t,sysadm_r,admin_terminal)
- dcc_run_dbclean(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ consoletype_exec(sysadm_t)
- optional_policy(`
- ddcprobe_run(sysadm_t,sysadm_r,admin_terminal)
+ ifdef(`enable_mls',`
+ consoletype_exec(auditadm_t)
')
+')
- optional_policy(`
- dmesg_exec(sysadm_t)
+optional_policy(`
+ cron_admin_template(sysadm, sysadm_t, sysadm_r)
+')
- ifdef(`enable_mls',`
- dmesg_exec(auditadm_t)
- ')
- ')
+optional_policy(`
+ dcc_run_cdcc(sysadm_t, sysadm_r, admin_terminal)
+ dcc_run_client(sysadm_t, sysadm_r, admin_terminal)
+ dcc_run_dbclean(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- dmidecode_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ ddcprobe_run(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- dpkg_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ dmesg_exec(sysadm_t)
- optional_policy(`
- ethereal_run_tethereal(sysadm_t,sysadm_r,admin_terminal)
- ethereal_admin_template(sysadm,sysadm_t,sysadm_r)
+ ifdef(`enable_mls',`
+ dmesg_exec(auditadm_t)
')
+')
- optional_policy(`
- firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t)
- ')
+optional_policy(`
+ dmidecode_run(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- fstools_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ dpkg_run(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- hostname_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ ethereal_run_tethereal(sysadm_t, sysadm_r, admin_terminal)
+ ethereal_admin_template(sysadm, sysadm_t, sysadm_r)
+')
- optional_policy(`
- # allow system administrator to use the ipsec script to look
- # at things (e.g., ipsec auto --status)
- # probably should create an ipsec_admin role for this kind of thing
- ipsec_exec_mgmt(sysadm_t)
- ipsec_stream_connect(sysadm_t)
- # for lsof
- ipsec_getattr_key_sockets(sysadm_t)
- ')
+optional_policy(`
+ firstboot_run(sysadm_t, sysadm_r, sysadm_tty_device_t)
+')
- optional_policy(`
- iptables_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ fstools_run(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- libs_run_ldconfig(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ hostname_run(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- lvm_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ # allow system administrator to use the ipsec script to look
+ # at things (e.g., ipsec auto --status)
+ # probably should create an ipsec_admin role for this kind of thing
+ ipsec_exec_mgmt(sysadm_t)
+ ipsec_stream_connect(sysadm_t)
+ # for lsof
+ ipsec_getattr_key_sockets(sysadm_t)
+')
- optional_policy(`
- logrotate_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ iptables_run(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- lpd_run_checkpc(sysadm_t,sysadm_r,admin_terminal)
- lpr_admin_template(sysadm,sysadm_t,sysadm_r)
- ')
+optional_policy(`
+ libs_run_ldconfig(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- kudzu_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ lvm_run(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- modutils_run_depmod(sysadm_t,sysadm_r,admin_terminal)
- modutils_run_insmod(sysadm_t,sysadm_r,admin_terminal)
- modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ logrotate_run(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- mount_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ lpd_run_checkpc(sysadm_t, sysadm_r, admin_terminal)
+ lpr_admin_template(sysadm, sysadm_t, sysadm_r)
+')
- optional_policy(`
- mta_admin_template(sysadm,sysadm_t,sysadm_r)
- ')
+optional_policy(`
+ kudzu_run(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- mysql_stream_connect(sysadm_t)
- ')
+optional_policy(`
+ modutils_run_depmod(sysadm_t, sysadm_r, admin_terminal)
+ modutils_run_insmod(sysadm_t, sysadm_r, admin_terminal)
+ modutils_run_update_mods(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- netutils_run(sysadm_t,sysadm_r,admin_terminal)
- netutils_run_ping(sysadm_t,sysadm_r,admin_terminal)
- netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ mount_run(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- rpc_domtrans_nfsd(sysadm_t)
- ')
+optional_policy(`
+ mta_admin_template(sysadm, sysadm_t, sysadm_r)
+')
- optional_policy(`
- munin_stream_connect(sysadm_t)
- ')
+optional_policy(`
+ mysql_stream_connect(sysadm_t)
+')
- optional_policy(`
- ntp_stub()
- corenet_udp_bind_ntp_port(sysadm_t)
- ')
+optional_policy(`
+ netutils_run(sysadm_t, sysadm_r, admin_terminal)
+ netutils_run_ping(sysadm_t, sysadm_r, admin_terminal)
+ netutils_run_traceroute(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- oav_run_update(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ rpc_domtrans_nfsd(sysadm_t)
+')
- optional_policy(`
- pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ munin_stream_connect(sysadm_t)
+')
- optional_policy(`
- portage_run(sysadm_t,sysadm_r,admin_terminal)
- portage_run_gcc_config(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ ntp_stub()
+ corenet_udp_bind_ntp_port(sysadm_t)
+')
- optional_policy(`
- portmap_run_helper(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ oav_run_update(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- quota_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ pcmcia_run_cardctl(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- rpm_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ portage_run(sysadm_t, sysadm_r, admin_terminal)
+ portage_run_gcc_config(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- rsync_exec(sysadm_t)
- ')
+optional_policy(`
+ portmap_run_helper(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- samba_run_net(sysadm_t,sysadm_r,admin_terminal)
- samba_run_winbind_helper(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ quota_run(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
- seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
+optional_policy(`
+ rpm_run(sysadm_t, sysadm_r, admin_terminal)
+')
- ifdef(`enable_mls',`
- userdom_security_admin_template(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
- ', `
- userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal)
- ')
- ')
+optional_policy(`
+ rsync_exec(sysadm_t)
+')
- optional_policy(`
- sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal)
- sysnet_run_dhcpc(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ samba_run_net(sysadm_t, sysadm_r, admin_terminal)
+ samba_run_winbind_helper(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- tripwire_run_siggen(sysadm_t,sysadm_r,admin_terminal)
- tripwire_run_tripwire(sysadm_t,sysadm_r,admin_terminal)
- tripwire_run_twadmin(sysadm_t,sysadm_r,admin_terminal)
- tripwire_run_twprint(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ seutil_run_setfiles(sysadm_t, sysadm_r, admin_terminal)
+ seutil_run_runinit(sysadm_t, sysadm_r, admin_terminal)
- optional_policy(`
- unconfined_domtrans(sysadm_t,sysadm_r,admin_terminal)
+ ifdef(`enable_mls',`
+ userdom_security_admin_template(secadm_t, secadm_r, { secadm_tty_device_t sysadm_devpts_t })
+ ', `
+ userdom_security_admin_template(sysadm_t, sysadm_r, admin_terminal)
')
+')
- optional_policy(`
- usbmodules_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ sysnet_run_ifconfig(sysadm_t, sysadm_r, admin_terminal)
+ sysnet_run_dhcpc(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
- usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
- usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ tripwire_run_siggen(sysadm_t, sysadm_r, admin_terminal)
+ tripwire_run_tripwire(sysadm_t, sysadm_r, admin_terminal)
+ tripwire_run_twadmin(sysadm_t, sysadm_r, admin_terminal)
+ tripwire_run_twprint(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- vpn_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ unconfined_domtrans(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- webalizer_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ usbmodules_run(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- yam_run(sysadm_t,sysadm_r,admin_terminal)
- ')
+optional_policy(`
+ usermanage_run_admin_passwd(sysadm_t, sysadm_r, admin_terminal)
+ usermanage_run_groupadd(sysadm_t, sysadm_r, admin_terminal)
+ usermanage_run_useradd(sysadm_t, sysadm_r, admin_terminal)
')
-ifdef(`targeted_policy',`
- # Define some type aliases to help with compatibility with
- # strict policy.
- unconfined_alias_domain(secadm_t)
- unconfined_alias_domain(auditadm_t)
- unconfined_alias_domain(sysadm_t)
-
- # User home directory type.
- type user_home_t alias { staff_home_t sysadm_home_t }, home_type, user_home_type;
- files_type(user_home_t)
- files_associate_tmp(user_home_t)
- fs_associate_tmpfs(user_home_t)
-
- type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type, home_type, user_home_dir_type;
- files_type(user_home_dir_t)
- files_associate_tmp(user_home_dir_t)
- fs_associate_tmpfs(user_home_dir_t)
-
- # compatibility for switching from strict
-# dominance { role secadm_r { role system_r; }}
-# dominance { role auditadm_r { role system_r; }}
-# dominance { role sysadm_r { role system_r; }}
-# dominance { role user_r { role system_r; }}
-# dominance { role staff_r { role system_r; }}
-
- # dont need to use the full role_change()
- allow sysadm_r system_r;
- allow sysadm_r user_r;
- allow user_r system_r;
- allow user_r sysadm_r;
- allow system_r sysadm_r;
- allow system_r sysadm_r;
-
- manage_dirs_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
- manage_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
- manage_lnk_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
- manage_sock_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
- manage_fifo_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
- filetrans_pattern(privhome,user_home_dir_t,user_home_t,{ dir file lnk_file sock_file fifo_file })
- files_search_home(privhome)
+optional_policy(`
+ vpn_run(sysadm_t, sysadm_r, admin_terminal)
+')
- ifdef(`enable_mls',`
- allow secadm_r system_r;
- allow auditadm_r system_r;
- allow secadm_r user_r;
- allow staff_r secadm_r;
- allow staff_r auditadm_r;
- ')
+optional_policy(`
+ webalizer_run(sysadm_t, sysadm_r, admin_terminal)
+')
- optional_policy(`
- samba_per_role_template(user)
- ')
+optional_policy(`
+ yam_run(sysadm_t, sysadm_r, admin_terminal)
')
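Review bot: The MLS branch at L9238 passes `{ secadm_tty_device_t sysadm_devpts_t }` to userdom_security_admin_template for secadm_t/secadm_r, while the other secadm_t calls in this hunk (aide_run at L8869, netlabel_run_mgmt at L8873) consistently use `{ secadm_tty_device_t secadm_devpts_t }`; the mixed set was carried over from the old line during the reformat and reads as a typo rather than intent. If the third argument is the terminal set the role is allowed to use, as the sysadm_t calls with admin_terminal in this file suggest, secadm would be authorized on sysadm's pty type but not on its own. Suggest `userdom_security_admin_template(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })`.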
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index 031b7cf..cbe6502 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -217,15 +217,6 @@ optional_policy(`
consoletype_exec(xend_t)
')
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(xend_t)
- term_dontaudit_use_generic_ptys(xend_t)
-
- optional_policy(`
- unconfined_rw_pipes(xend_t)
- ')
-')
-
########################################
#
# Xen console local policy
diff --git a/policy/rolemap b/policy/rolemap
index 3e8d368..729ed88 100644
--- a/policy/rolemap
+++ b/policy/rolemap
@@ -8,13 +8,11 @@
# syntax: role prefix user_domain
#
-ifdef(`strict_policy',`
- user_r user user_t
- staff_r staff staff_t
- sysadm_r sysadm sysadm_t
+user_r user user_t
+staff_r staff staff_t
+sysadm_r sysadm sysadm_t
- ifdef(`enable_mls',`
- secadm_r secadm secadm_t
- auditadm_r auditadm auditadm_t
- ')
+ifdef(`enable_mls',`
+ secadm_r secadm secadm_t
+ auditadm_r auditadm auditadm_t
')
diff --git a/policy/users b/policy/users
index e2053ab..f82b604 100644
--- a/policy/users
+++ b/policy/users
@@ -25,13 +25,12 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
# SELinux user identity for a Linux user. If you do not want to
# permit any access to such users, then remove this entry.
#
-ifdef(`targeted_policy',`
-gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-',`
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-')
+
+# Until order dependence is fixed for users:
+gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
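Review bot: The comment at L9397, `# Until order dependence is fixed for users:`, does not say what depends on what, so the next maintainer cannot tell when the unconditional `gen_user(unconfined_u, ...)` at L9398 may leave the base users file. That line also references unconfined_r with no guard, unlike secadm_r and auditadm_r, which the neighbouring gen_user lines wrap in ifdef(`enable_mls'); if unconfined_r is declared by an optional module I cannot see here, a build without that module would fail on this line, which is worth confirming. Suggest expanding the comment to state the constraint, e.g. `# unconfined_u is declared in the base users file because <ORDERING CONSTRAINT — fill in>; move it next to the unconfined module once that is fixed.`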
@@ -40,12 +39,8 @@ gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
-ifdef(`targeted_policy',`
- gen_user(root, user, user_r sysadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ifdef(`direct_sysadm_daemon',`
+ gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
',`
- ifdef(`direct_sysadm_daemon',`
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
- ',`
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
- ')
+ gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
')
diff --git a/support/Makefile.devel b/support/Makefile.devel
index 34fd708..a944df0 100644
--- a/support/Makefile.devel
+++ b/support/Makefile.devel
@@ -24,7 +24,7 @@ SEMOD_PKG := $(BINDIR)/semodule_package
XMLLINT := $(BINDIR)/xmllint
# set default build options if missing
-TYPE ?= strict
+TYPE ?= standard
DIRECT_INITRC ?= n
POLY ?= n
QUIET ?= y
@@ -39,25 +39,15 @@ metaxml := metadata.xml
globaltun = $(HEADERDIR)/global_tunables.xml
globalbool = $(HEADERDIR)/global_booleans.xml
-# compile strict policy if requested.
-ifneq ($(findstring strict,$(TYPE)),)
- M4PARAM += -D strict_policy
-endif
-
-# compile targeted policy if requested.
-ifneq ($(findstring targeted,$(TYPE)),)
- M4PARAM += -D targeted_policy
-endif
-
# enable MLS if requested.
-ifneq ($(findstring -mls,$(TYPE)),)
+ifeq "$(TYPE)" "mls"
M4PARAM += -D enable_mls
CHECKPOLICY += -M
CHECKMODULE += -M
endif
# enable MLS if MCS requested.
-ifneq ($(findstring -mcs,$(TYPE)),)
+ifeq "$(TYPE)" "mcs"
M4PARAM += -D enable_mcs
CHECKPOLICY += -M
CHECKMODULE += -M