[selinux-policy: 644/3172] more merging of NSA CVS policy

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:00:18 UTC 2010


commit 0907bda1e0f80c8d87ea958586d63b2544752a64
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Sep 13 13:06:07 2005 +0000

    more merging of NSA CVS policy

 refpolicy/policy/global_tunables                  |    4 +
 refpolicy/policy/modules/admin/consoletype.te     |    2 +-
 refpolicy/policy/modules/admin/netutils.te        |    1 +
 refpolicy/policy/modules/admin/usermanage.fc      |    3 +
 refpolicy/policy/modules/admin/usermanage.te      |    1 +
 refpolicy/policy/modules/apps/gpg.fc              |    3 +-
 refpolicy/policy/modules/kernel/corenetwork.te.in |   41 +++++-
 refpolicy/policy/modules/kernel/devices.te        |    5 +
 refpolicy/policy/modules/kernel/filesystem.te     |   15 ++
 refpolicy/policy/modules/kernel/kernel.if         |   17 ++
 refpolicy/policy/modules/kernel/terminal.te       |    2 +-
 refpolicy/policy/modules/services/hal.te          |    5 +-
 refpolicy/policy/modules/services/ldap.te         |    1 +
 refpolicy/policy/modules/services/nscd.te         |    1 +
 refpolicy/policy/modules/services/ntp.te          |    1 +
 refpolicy/policy/modules/services/portmap.te      |    5 +
 refpolicy/policy/modules/services/privoxy.te      |   13 +-
 refpolicy/policy/modules/services/rshd.te         |    7 +-
 refpolicy/policy/modules/services/rsync.te        |    2 -
 refpolicy/policy/modules/services/squid.te        |   12 ++
 refpolicy/policy/modules/services/ssh.if          |    7 +-
 refpolicy/policy/modules/system/authlogin.te      |    6 +-
 refpolicy/policy/modules/system/corecommands.fc   |    1 +
 refpolicy/policy/modules/system/files.fc          |   11 ++
 refpolicy/policy/modules/system/files.te          |    8 +-
 refpolicy/policy/modules/system/fstools.fc        |    2 +
 refpolicy/policy/modules/system/getty.fc          |    4 +
 refpolicy/policy/modules/system/getty.te          |   31 +++-
 refpolicy/policy/modules/system/init.fc           |    4 +-
 refpolicy/policy/modules/system/init.te           |   28 +++-
 refpolicy/policy/modules/system/logging.if        |   31 ++++-
 refpolicy/policy/modules/system/logging.te        |    7 +-
 refpolicy/policy/modules/system/lvm.te            |    7 +-
 refpolicy/policy/modules/system/miscfiles.te      |   24 ++-
 refpolicy/policy/modules/system/raid.te           |    2 +-
 refpolicy/policy/modules/system/selinuxutil.te    |    3 +-
 refpolicy/policy/modules/system/sysnetwork.fc     |    1 +
 refpolicy/policy/modules/system/udev.te           |    6 +-
 strict/domains/misc/local.te                      |    5 +
 strict/domains/program/consoletype.te             |    3 +-
 strict/domains/program/crond.te                   |    2 +-
 strict/domains/program/getty.te                   |   23 ++--
 strict/domains/program/hald.te                    |    6 +-
 strict/domains/program/init.te                    |    6 +-
 strict/domains/program/initrc.te                  |   16 +-
 strict/domains/program/klogd.te                   |    2 +-
 strict/domains/program/lvm.te                     |    5 +-
 strict/domains/program/mdadm.te                   |    2 +-
 strict/domains/program/netutils.te                |    3 +
 strict/domains/program/nscd.te                    |    1 +
 strict/domains/program/ntpd.te                    |    7 +-
 strict/domains/program/pamconsole.te              |   11 +-
 strict/domains/program/passwd.te                  |    3 +-
 strict/domains/program/portmap.te                 |    7 +-
 strict/domains/program/postfix.te                 |    5 +-
 strict/domains/program/privoxy.te                 |    5 +-
 strict/domains/program/restorecon.te              |    8 +-
 strict/domains/program/rlogind.te                 |    1 +
 strict/domains/program/rshd.te                    |    5 +-
 strict/domains/program/rsync.te                   |    2 -
 strict/domains/program/slapd.te                   |    1 +
 strict/domains/program/squid.te                   |   14 ++-
 strict/domains/program/ssh.te                     |    6 +-
 strict/domains/program/syslogd.te                 |   10 +-
 strict/domains/program/udev.te                    |    4 +-
 strict/domains/program/xfs.te                     |    5 +-
 strict/file_contexts/program/amavis.fc            |    2 +
 strict/file_contexts/program/apache.fc            |   12 ++-
 strict/file_contexts/program/apmd.fc              |    3 +
 strict/file_contexts/program/crack.fc             |    2 +
 strict/file_contexts/program/dhcpc.fc             |    1 +
 strict/file_contexts/program/fsadm.fc             |    3 +
 strict/file_contexts/program/ftpd.fc              |    1 +
 strict/file_contexts/program/getty.fc             |    2 +
 strict/file_contexts/program/gpg.fc               |    6 +-
 strict/file_contexts/program/iceauth.fc           |    3 +
 strict/file_contexts/program/initrc.fc            |    9 +
 strict/mls                                        |    1 +
 strict/net_contexts                               |  167 ++++++++++-----------
 strict/types/device.te                            |    9 +-
 strict/types/devpts.te                            |    4 +-
 strict/types/file.te                              |   69 ++++++---
 strict/types/network.te                           |  139 +++++++++++++-----
 83 files changed, 628 insertions(+), 297 deletions(-)
---
diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index 8c7ae70..c03493e 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -45,6 +45,10 @@ gen_tunable(run_ssh_inetd,false)
 ## user domains.
 gen_bool(secure_mode,false)
 
+## Allow squid to connect to all ports, not just
+## HTTP, FTP, and Gopher ports.
+gen_tunable(squid_connect_any,false)
+
 ## Allow ssh logins as sysadm_r:sysadm_t
 gen_tunable(ssh_sysadm_login,false)
 
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index eefeb83..7dc2c5f 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -6,7 +6,7 @@ policy_module(consoletype, 1.0)
 # Declarations
 #
 
-type consoletype_t;
+type consoletype_t; #, mlsfileread, mlsfilewrite
 type consoletype_exec_t;
 init_domain(consoletype_t,consoletype_exec_t)
 init_system_domain(consoletype_t,consoletype_exec_t)
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index 8674b74..d2a0172 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -53,6 +53,7 @@ corenet_tcp_sendrecv_all_ports(netutils_t)
 corenet_udp_sendrecv_all_ports(netutils_t)
 corenet_tcp_bind_all_nodes(netutils_t)
 corenet_udp_bind_all_nodes(netutils_t)
+corenet_tcp_connect_all_ports(netutils_t)
 
 fs_getattr_xattr_fs(netutils_t)
 
diff --git a/refpolicy/policy/modules/admin/usermanage.fc b/refpolicy/policy/modules/admin/usermanage.fc
index b27c4f8..6afac6e 100644
--- a/refpolicy/policy/modules/admin/usermanage.fc
+++ b/refpolicy/policy/modules/admin/usermanage.fc
@@ -10,6 +10,7 @@
 /usr/lib(64)?/cracklib_dict.* -- context_template(system_u:object_r:crack_db_t,s0)
 
 /usr/sbin/crack_[a-z]*	--	context_template(system_u:object_r:crack_exec_t,s0)
+/usr/sbin/cracklib-[a-z]* --	context_template(system_u:object_r:crack_exec_t,s0)
 /usr/sbin/gpasswd	--	context_template(system_u:object_r:groupadd_exec_t,s0)
 /usr/sbin/groupadd	--	context_template(system_u:object_r:groupadd_exec_t,s0)
 /usr/sbin/groupdel	--	context_template(system_u:object_r:groupadd_exec_t,s0)
@@ -24,4 +25,6 @@
 /usr/sbin/vigr		--	context_template(system_u:object_r:admin_passwd_exec_t,s0)
 /usr/sbin/vipw		--	context_template(system_u:object_r:admin_passwd_exec_t,s0)
 
+/usr/share/cracklib(/.*)?	context_template(system_u:object_r:crack_db_t,s0)
+
 /var/cache/cracklib(/.*)?	context_template(system_u:object_r:crack_db_t,s0)
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 72a6365..8f6ed38 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -288,6 +288,7 @@ allow passwd_t self:unix_dgram_socket create_socket_perms;
 allow passwd_t self:unix_stream_socket create_stream_socket_perms;
 allow passwd_t self:unix_dgram_socket sendto;
 allow passwd_t self:unix_stream_socket connectto;
+allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 allow passwd_t self:shm create_shm_perms;
 allow passwd_t self:sem create_sem_perms;
 allow passwd_t self:msgq create_msgq_perms;
diff --git a/refpolicy/policy/modules/apps/gpg.fc b/refpolicy/policy/modules/apps/gpg.fc
index 03d0676..bc435de 100644
--- a/refpolicy/policy/modules/apps/gpg.fc
+++ b/refpolicy/policy/modules/apps/gpg.fc
@@ -1,9 +1,10 @@
 
-/usr/bin/gpg		--	context_template(system_u:object_r:gpg_exec_t,s0)
+/usr/bin/gpg(2)?	--	context_template(system_u:object_r:gpg_exec_t,s0)
 /usr/bin/gpg-agent	--	context_template(system_u:object_r:gpg_agent_exec_t,s0)
 /usr/bin/kgpg		--	context_template(system_u:object_r:gpg_exec_t,s0)
 /usr/bin/pinentry.*	--	context_template(system_u:object_r:pinentry_exec_t,s0)
 
+/usr/lib/gnupg/.*	--	context_template(system_u:object_r:gpg_exec_t,s0)
 /usr/lib/gnupg/gpgkeys.* --	context_template(system_u:object_r:gpg_helper_exec_t,s0)
 
 HOME_DIR/\.gnupg(/.+)?		context_template(system_u:object_r:ROLE_gpg_secret_t,s0)
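Review bot: The new catch-all `/usr/lib/gnupg/.*` on L181 shares its stem with the `gpgkeys.*` entry right below it, so the keyserver helpers presumably keep gpg_helper_exec_t only because the later line wins on file order, and nothing in the file records that dependency. A comment above L181 such as `# catch-all; the gpgkeys.* helper entry below must stay after this line to keep gpg_helper_exec_t` would stop a later reordering from silently relabelling the helpers as gpg_exec_t, which changes the domain they run in.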
diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in
index 582e9d9..c1e59f0 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.te.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.te.in
@@ -36,9 +36,21 @@ sid port context_template(system_u:object_r:port_t,s0)
 #
 type reserved_port_t, port_type, reserved_port_type;
 
+network_port(afs_bos, udp,7007,s0)
+network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
+network_port(afs_ka, udp,7004,s0)
+network_port(afs_pt, udp,7002,s0)
+network_port(afs_vl, udp,7003,s0)
 network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
+network_port(amavisd_recv, tcp,10024,s0)
+network_port(amavisd_send, tcp,10025,s0)
+network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
 network_port(auth, tcp,113,s0)
 dnl network_port(biff) # no defined portcon in current strict
+network_port(clamd, tcp,3310,s0)
+network_port(clockspeed, udp,4041,s0)
+network_port(cvs, tcp,2401,s0, udp,2401,s0)
+network_port(dcc, udp,6276,s0, udp,6277,s0)
 network_port(dbskkd, tcp,1178,s0)
 network_port(dhcpc, udp,68,s0)
 network_port(dhcpd, udp,67,s0)
@@ -47,43 +59,64 @@ network_port(dns, udp,53,s0, tcp,53,s0)
 network_port(fingerd, tcp,79,s0)
 network_port(ftp_data, tcp,20,s0)
 network_port(ftp, tcp,21,s0)
-network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0)
-network_port(http, tcp,80,s0, tcp,443,s0)
+network_port(giftd, tcp,1213,s0)
+network_port(gopher, tcp,70,s0, udp,70,s0)
+network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
+network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0)
 network_port(howl, tcp,5335,s0, udp,5353,s0)
+network_port(hplip, tcp,50000,s0, tcp,50002,s0)
 dnl network_port(i18n_input) # no defined portcon in current strict
-network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0)
+network_port(imaze, tcp,5323,s0, udp,5323,s0)
+network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
 network_port(innd, tcp,119,s0)
 network_port(ipp, tcp,631,s0, udp,631,s0)
+network_port(ircd, tcp,6667,s0)
+network_port(isakmp, udp,500,s0)
+network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
+network_port(jabber_interserver, tcp,5269,s0)
 network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
 network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
 network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
 network_port(ktalkd, udp,517,s0, udp,518,s0)
 network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
 network_port(mail, tcp,2000,s0)
+network_port(monopd, tcp,1234,s0)
 network_port(mysqld, tcp,3306,s0)
+network_port(nessus, tcp,1241,s0)
 network_port(nmbd, udp,137,s0, udp,138,s0, udp,139,s0)
 network_port(ntp, udp,123,s0)
-network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0)
+network_port(openvpn, udp,5000,s0)
+network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
 network_port(portmap, udp,111,s0, tcp,111,s0)
 network_port(postgresql, tcp,5432,s0)
+network_port(postgrey, tcp,60000,s0)
 network_port(printer, tcp,515,s0)
+network_port(ptal, tcp,5703,s0)
 network_port(pxe, udp,4011,s0)
+network_port(pyzor, udp,24441,s0)
 network_port(radacct, udp,1646,s0, udp,1813,s0)
 network_port(radius, udp,1645,s0, udp,1812,s0)
+network_port(razor, tcp,2703,s0)
+network_port(rndc, tcp,953,s0)
 network_port(rsh, tcp,514,s0)
 network_port(rsync, tcp,873,s0, udp,873,s0)
 network_port(smbd, tcp,137-139,s0, tcp,445,s0)
 network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
 network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
+network_port(spamd, tcp,783,s0)
 network_port(ssh, tcp,22,s0)
+network_port(soundd, tcp,8000,s0, tcp,9433,s0)
 dnl network_port(stunnel) # no defined portcon in current strict
 network_port(swat, tcp,901,s0)
 network_port(syslogd, udp,514,s0)
 network_port(telnetd, tcp,23,s0)
 network_port(tftp, udp,69,s0)
+network_port(transproxy, tcp,8081,s0)
+network_port(uucpd, tcp,540,s0)
 network_port(vnc, tcp,5900,s0)
 network_port(xserver, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
 network_port(zebra, tcp,2601,s0)
+network_port(zope, tcp,8021,s0)
 
 # Defaults for reserved ports.  Earlier portcon entries take precedence;
 # these entries just cover any remaining reserved ports not otherwise
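Review bot: `network_port(pop, …)` on L246 now also covers tcp 143, 220, 993 and 995, so every domain granted pop_port_t also reaches IMAP, IMAP3, IMAPS and POP3S, and the type name no longer describes the set. If that grouping is intended, a trailing comment in the style already used on L219 (`# 143/220/993/995: imap, imap3, imaps, pop3s`) would make the widened scope visible to anyone auditing the pop port callers. The same applies to tcp 5666 appended to inetd_child on L226 and to 488/8008 on http on L220, which are added without saying which service they serve.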
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index 0ba3697..d7f7e7f 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -59,6 +59,11 @@ type cpu_device_t, device_node;
 fs_associate(cpu_device_t)
 fs_associate_tmpfs(cpu_device_t)
 
+# for the IBM zSeries z90crypt hardware ssl accelorator
+type crypt_device_t, device_node;
+fs_associate(crypt_device_t)
+fs_associate_tmpfs(crypt_device_t)
+
 type dri_device_t, device_node;
 fs_associate(dri_device_t)
 fs_associate_tmpfs(dri_device_t)
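Review bot: crypt_device_t is declared on L289 but no devices.fc change appears in the diffstat, so until a file context or dev_node labelling rule exists the z90crypt node will presumably keep whatever generic device label it gets today and nothing will ever be typed crypt_device_t. It would also be worth stating in the comment which domains are expected to use it, since the type is introduced without any consumer in this commit. Minor: the comment on L288 misspells "accelerator".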
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
index 37aa654..62a4f36 100644
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@@ -40,14 +40,29 @@ type bdev_t, filesystem_type;
 genfscon bdev / context_template(system_u:object_r:bdev_t,s0)
 
 type binfmt_misc_fs_t, filesystem_type;
+files_mountpoint(binfmt_misc_fs_t)
 genfscon binfmt_misc / context_template(system_u:object_r:binfmt_misc_fs_t,s0)
 
+type debugfs_t, filesystem_type;
+allow debugfs_t self:filesystem associate;
+
 type eventpollfs_t, filesystem_type;
 genfscon eventpollfs / context_template(system_u:object_r:eventpollfs_t,s0)
 
 type futexfs_t, filesystem_type;
 genfscon futexfs / context_template(system_u:object_r:futexfs_t,s0)
 
+type hugetlbfs_t, filesystem_type;
+files_mountpoint(hugetlbfs_t)
+allow hugetlbfs_t self:filesystem associate;
+
+type inotifyfs_t, filesystem_type;
+allow inotifyfs_t self:filesystem associate;
+
+type mqueue_t, filesystem_type;
+files_mountpoint(mqueue_t)
+allow mqueue_t self:filesystem associate;
+
 type nfsd_fs_t, filesystem_type;
 genfscon nfsd / context_template(system_u:object_r:nfsd_fs_t,s0)
 
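Review bot: debugfs_t, hugetlbfs_t, inotifyfs_t and mqueue_t (L307, L316, L320, L323) are declared with `allow … self:filesystem associate;` but, unlike every sibling in this hunk, get no `genfscon` or fs_use statement assigning them to a filesystem. The diffstat reports 15 insertions for filesystem.te and all 15 are in this hunk, so unless the assignment lives in another file these types are never applied and mounts of those filesystems keep the default fs label. Either add the matching `genfscon`/`fs_use_trans` lines alongside the declarations or leave a comment stating where the assignment is made.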
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 41dec5e..e74c2d2 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -70,6 +70,23 @@ interface(`kernel_sigchld',`
 
 ########################################
 ## <summary>
+##	Send a generic signal to kernel threads.
+## </summary>
+## <param name="domain">
+##	The type of the process sending the signal.
+## </param>
+#
+interface(`kernel_signal',`
+	gen_require(`
+		type kernel_t;
+		class process signal;
+	')
+
+	allow kernel_t $1:process signal;
+')
+
+########################################
+## <summary>
 ##	Allows the kernel to share state information with
 ##	the caller.
 ## </summary>
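Review bot: The rule in `kernel_signal` on L350, `allow kernel_t $1:process signal;`, lets the kernel signal the caller, while the summary on L338 and the param description on L341 say the caller sends the signal to kernel threads; one of the two is inverted. If the interface is meant to parallel `kernel_sigchld` above it, the rule should read `allow $1 kernel_t:process signal;`; otherwise the summary and param text need to describe kernel_t as the sender. Callers granted the wrong direction will fail silently with an AVC denial, so this is worth settling before other modules start using it.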
diff --git a/refpolicy/policy/modules/kernel/terminal.te b/refpolicy/policy/modules/kernel/terminal.te
index 53b52a2..90f51a0 100644
--- a/refpolicy/policy/modules/kernel/terminal.te
+++ b/refpolicy/policy/modules/kernel/terminal.te
@@ -38,7 +38,7 @@ dev_node(devtty_t)
 #
 # ptmx_t is the type for /dev/ptmx.
 #
-type ptmx_t;
+type ptmx_t; #, mlstrustedobject;
 dev_node(ptmx_t)
 
 #
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 7217d1f..162e9f8 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -19,10 +19,13 @@ files_pid_file(hald_var_run_t)
 allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
 dontaudit hald_t self:capability sys_tty_config;
 allow hald_t self:fifo_file rw_file_perms;
-allow hald_t self:unix_stream_socket create_stream_socket_perms;
+allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow hald_t self:unix_dgram_socket create_socket_perms;
 allow hald_t self:netlink_route_socket r_netlink_socket_perms;
+allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow hald_t self:tcp_socket create_stream_socket_perms;
+# For backwards compatibility with older kernels
+allow hald_t self:netlink_socket create_socket_perms;
 
 allow hald_t hald_tmp_t:dir create_dir_perms;
 allow hald_t hald_tmp_t:file create_file_perms;
diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te
index a2d8d7e..e55e70d 100644
--- a/refpolicy/policy/modules/services/ldap.te
+++ b/refpolicy/policy/modules/services/ldap.te
@@ -120,6 +120,7 @@ optional_policy(`udev.te', `
 ')
 
 ifdef(`TODO',`
+r_dir_file(slapd_t, cert_t)
 optional_policy(`rhgb.te',`
 	rhgb_domain(slapd_t)
 ')
diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te
index 43c01dc..6ed8241 100644
--- a/refpolicy/policy/modules/services/nscd.te
+++ b/refpolicy/policy/modules/services/nscd.te
@@ -65,6 +65,7 @@ corenet_tcp_sendrecv_all_ports(nscd_t)
 corenet_udp_sendrecv_all_ports(nscd_t)
 corenet_tcp_bind_all_nodes(nscd_t)
 corenet_udp_bind_all_nodes(nscd_t)
+corenet_tcp_connect_all_ports(nscd_t)
 
 selinux_get_fs_mount(nscd_t)
 selinux_validate_context(nscd_t)
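Review bot: `corenet_tcp_connect_all_ports(nscd_t)` on L410 lets the name-service cache connect to any TCP port, although its backends are resolver services such as DNS and LDAP, both of which have port types declared in corenetwork.te.in. The same unrestricted grant is added for portmap_t and portmap_helper_t on L434 and L452 of portmap.te, and for every ssh server domain via L589 of ssh.if. Where the broad grant is a deliberate carry-over from the strict policy, a one-line comment naming the reason (as netutils.te and portmap.te already do for binding) would let a later pass narrow it to the specific `corenet_tcp_connect_*_port` interfaces without guessing.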
diff --git a/refpolicy/policy/modules/services/ntp.te b/refpolicy/policy/modules/services/ntp.te
index 638dbe4..0460f88 100644
--- a/refpolicy/policy/modules/services/ntp.te
+++ b/refpolicy/policy/modules/services/ntp.te
@@ -72,6 +72,7 @@ corenet_udp_sendrecv_all_ports(ntpd_t)
 corenet_tcp_bind_all_nodes(ntpd_t)
 corenet_udp_bind_all_nodes(ntpd_t)
 corenet_udp_bind_ntp_port(ntpd_t)
+corenet_tcp_connect_ntp_port(ntpd_t)
 
 dev_read_sysfs(ntpd_t)
 # for SSP
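Review bot: `corenet_tcp_connect_ntp_port(ntpd_t)` on L422 allows TCP connects to ntp_port_t, but `network_port(ntp, udp,123,s0)` on L243 of corenetwork.te.in in this same diff labels only the UDP port, so TCP 123 falls under the reserved-port default and this rule never matches anything. Either extend the port declaration to `network_port(ntp, udp,123,s0, tcp,123,s0)` if ntpd really opens TCP connections, or drop the line so the policy does not carry a grant that looks meaningful but is inert.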
diff --git a/refpolicy/policy/modules/services/portmap.te b/refpolicy/policy/modules/services/portmap.te
index 85c9c8c..be80b85 100644
--- a/refpolicy/policy/modules/services/portmap.te
+++ b/refpolicy/policy/modules/services/portmap.te
@@ -58,6 +58,7 @@ corenet_tcp_bind_all_nodes(portmap_t)
 corenet_udp_bind_all_nodes(portmap_t)
 corenet_tcp_bind_portmap_port(portmap_t)
 corenet_udp_bind_portmap_port(portmap_t)
+corenet_tcp_connect_all_ports(portmap_t)
 # portmap binds to arbitary ports
 corenet_tcp_bind_generic_port(portmap_t)
 corenet_udp_bind_generic_port(portmap_t)
@@ -158,6 +159,9 @@ allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
 allow portmap_helper_t self:tcp_socket create_stream_socket_perms;
 allow portmap_helper_t self:udp_socket create_socket_perms;
 
+allow portmap_helper_t portmap_var_run_t:file create_file_perms;
+files_create_pid(portmap_helper_t,portmap_var_run_t)
+
 corenet_tcp_sendrecv_all_if(portmap_helper_t)
 corenet_udp_sendrecv_all_if(portmap_helper_t)
 corenet_raw_sendrecv_all_if(portmap_helper_t)
@@ -172,6 +176,7 @@ corenet_tcp_bind_reserved_port(portmap_helper_t)
 corenet_udp_bind_reserved_port(portmap_helper_t)
 corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_helper_t)
 corenet_dontaudit_udp_bind_all_reserved_ports(portmap_helper_t)
+corenet_tcp_connect_all_ports(portmap_helper_t)
 
 files_read_etc_files(portmap_helper_t)
 files_rw_generic_pids(portmap_helper_t)
diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te
index 36ee8a5..1160bb8 100644
--- a/refpolicy/policy/modules/services/privoxy.te
+++ b/refpolicy/policy/modules/services/privoxy.te
@@ -6,7 +6,7 @@ policy_module(privoxy,1.0)
 # Declarations
 #
 
-type privoxy_t;
+type privoxy_t; # web_client_domain
 type privoxy_exec_t;
 init_daemon_domain(privoxy_t,privoxy_exec_t)
 
@@ -36,16 +36,11 @@ kernel_list_proc(privoxy_t)
 kernel_read_proc_symlinks(privoxy_t)
 
 corenet_tcp_sendrecv_all_if(privoxy_t)
-corenet_udp_sendrecv_all_if(privoxy_t)
 corenet_raw_sendrecv_all_if(privoxy_t)
 corenet_tcp_sendrecv_all_nodes(privoxy_t)
-corenet_udp_sendrecv_all_nodes(privoxy_t)
 corenet_raw_sendrecv_all_nodes(privoxy_t)
 corenet_tcp_sendrecv_all_ports(privoxy_t)
-corenet_udp_sendrecv_all_ports(privoxy_t)
-# cjp: this really should be specified!
-corenet_tcp_bind_generic_port(privoxy_t)
-corenet_udp_bind_generic_port(privoxy_t)
+corenet_tcp_bind_http_cache_port(privoxy_t)
 
 dev_read_sysfs(privoxy_t)
 
@@ -83,6 +78,10 @@ optional_policy(`mount.te',`
 	mount_send_nfs_client_request(privoxy_t)
 ')
 
+optional_policy(`nis.te',`
+	nis_use_ypbind(privoxy_t)
+')
+
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(privoxy_t)
 ')
diff --git a/refpolicy/policy/modules/services/rshd.te b/refpolicy/policy/modules/services/rshd.te
index 14986b8..717ac4a 100644
--- a/refpolicy/policy/modules/services/rshd.te
+++ b/refpolicy/policy/modules/services/rshd.te
@@ -29,8 +29,7 @@ corenet_raw_sendrecv_all_nodes(rshd_t)
 corenet_tcp_sendrecv_all_nodes(rshd_t)
 corenet_tcp_sendrecv_all_ports(rshd_t)
 corenet_tcp_bind_all_nodes(rshd_t)
-corenet_tcp_bind_reserved_port(rshd_t)
-corenet_dontaudit_tcp_bind_all_reserved_ports(rshd_t)
+corenet_tcp_bind_rsh_port(rshd_t)
 
 dev_read_urand(rshd_t)
 
@@ -83,10 +82,6 @@ optional_policy(`kerberos.te',`
 	kerberos_use(rshd_t)
 ')
 
-optional_policy(`nis.te',`
-	nis_use_ypbind(rshd_t)
-')
-
 ifdef(`TODO',`
 optional_policy(`rlogind.te', `
 	allow rshd_t rlogind_tmp_t:file rw_file_perms;
diff --git a/refpolicy/policy/modules/services/rsync.te b/refpolicy/policy/modules/services/rsync.te
index 12d6c19..10fc119 100644
--- a/refpolicy/policy/modules/services/rsync.te
+++ b/refpolicy/policy/modules/services/rsync.te
@@ -88,7 +88,5 @@ optional_policy(`nscd.te',`
 ')
 
 ifdef(`TODO',`
-ifdef(`ftpd.te', `
 r_dir_file(rsync_t, ftpd_anon_t)
-')
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/services/squid.te b/refpolicy/policy/modules/services/squid.te
index 90d85a1..5e8fcb9 100644
--- a/refpolicy/policy/modules/services/squid.te
+++ b/refpolicy/policy/modules/services/squid.te
@@ -78,6 +78,9 @@ corenet_tcp_bind_all_nodes(squid_t)
 corenet_udp_bind_all_nodes(squid_t)
 corenet_tcp_bind_http_cache_port(squid_t)
 corenet_udp_bind_http_cache_port(squid_t)
+corenet_tcp_connect_ftp_port(squid_t)
+corenet_tcp_connect_gopher_port(squid_t)
+corenet_tcp_connect_http_port(squid_t)
 
 dev_read_sysfs(squid_t)
 dev_read_urand(squid_t)
@@ -126,6 +129,10 @@ ifdef(`targeted_policy', `
 	files_dontaudit_read_root_file(squid_t)
 ')
 
+tunable_policy(`squid_connect_any',`
+	corenet_tcp_connect_all_ports(squid_t)
+')
+
 optional_policy(`logrotate.te',`
 	allow squid_t self:capability kill;
 	cron_use_fd(squid_t)
@@ -161,6 +168,11 @@ optional_policy(`rhgb.te',`
 ifdef(`apache.te',`
 can_tcp_connect(squid_t, httpd_t)
 ')
+r_dir_file(squid_t, cert_t)
+ifdef(`winbind.te', `
+domain_auto_trans(squid_t, winbind_helper_exec_t, winbind_helper_t)
+allow winbind_helper_t squid_t:tcp_socket rw_socket_perms;
+')
 #squid requires the following when run in diskd mode, the recommended setting
 allow squid_t tmpfs_t:file { read write };
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index b18be62..e1c29eb 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -388,7 +388,7 @@ template(`ssh_per_userdomain_template',`
 ## </param>
 #
 template(`ssh_server_template', `
-	type $1_t, ssh_server;
+	type $1_t, ssh_server; #, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
 	domain_type($1_t)
 	role system_r types $1_t;
 
@@ -428,6 +428,7 @@ template(`ssh_server_template', `
 	corenet_tcp_sendrecv_all_ports($1_t)
 	corenet_tcp_bind_all_nodes($1_t)
 	corenet_udp_bind_all_nodes($1_t)
+	corenet_tcp_connect_all_ports($1_t)
 
 	dev_read_urand($1_t)
 
@@ -498,6 +499,10 @@ template(`ssh_server_template', `
 		init_use_script_pty($1_t)
 	')
 
+	optional_policy(`kerberos.te',`
+		kerberos_use($1_t)
+	')
+
 	optional_policy(`mount.te', `
 		mount_send_nfs_client_request($1_t)
 	')
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index d0f55e4..46dbce6 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -22,7 +22,7 @@ logging_log_file(lastlog_t)
 type login_exec_t;
 files_type(login_exec_t)
 
-type pam_console_t;
+type pam_console_t; #, mlsfileread
 type pam_console_exec_t;
 init_system_domain(pam_console_t,pam_console_exec_t)
 role system_r types pam_console_t;
@@ -142,8 +142,9 @@ allow pam_console_t pam_var_console_t:file r_file_perms;
 allow pam_console_t pam_var_console_t:lnk_file r_file_perms;
 
 kernel_read_kernel_sysctl(pam_console_t)
-kernel_read_system_state(pam_console_t)
 kernel_use_fd(pam_console_t)
+# Read /proc/meminfo
+kernel_read_system_state(pam_console_t)
 
 dev_read_sysfs(pam_console_t)
 dev_getattr_apm_bios(pam_console_t)
@@ -173,6 +174,7 @@ storage_getattr_scsi_generic(pam_console_t)
 storage_setattr_scsi_generic(pam_console_t)
 
 term_use_console(pam_console_t)
+term_setattr_console(pam_console_t)
 term_getattr_unallocated_ttys(pam_console_t)
 term_setattr_unallocated_ttys(pam_console_t)
 
diff --git a/refpolicy/policy/modules/system/corecommands.fc b/refpolicy/policy/modules/system/corecommands.fc
index 7a47a58..5166326 100644
--- a/refpolicy/policy/modules/system/corecommands.fc
+++ b/refpolicy/policy/modules/system/corecommands.fc
@@ -40,6 +40,7 @@ ifdef(`targeted_policy',`
 # /sbin
 #
 /sbin(/.*)?			context_template(system_u:object_r:sbin_t,s0)
+/sbin/mkfs\.cramfs	--	context_template(system_u:object_r:sbin_t,s0)
 /sbin/insmod_ksymoops_clean --	context_template(system_u:object_r:sbin_t,s0)
 
 #
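Review bot: `/sbin/mkfs\.cramfs -- sbin_t` on L644 is already matched by `/sbin(/.*)?` on L643 with the same type, so the entry only has an effect as an override of a more specific pattern elsewhere, presumably an `/sbin/mkfs.*` fsadm_exec_t rule in fstools.fc. A comment above it such as `# keep mkfs.cramfs out of fsadm_t; overrides the mkfs pattern in fstools.fc` would record that intent, since the entry otherwise looks redundant and is likely to be removed by cleanup.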
diff --git a/refpolicy/policy/modules/system/files.fc b/refpolicy/policy/modules/system/files.fc
index ce34937..3430a3c 100644
--- a/refpolicy/policy/modules/system/files.fc
+++ b/refpolicy/policy/modules/system/files.fc
@@ -5,6 +5,14 @@
 /.*				context_template(system_u:object_r:default_t,s0)
 /			-d	context_template(system_u:object_r:root_t,s0)
 /\.journal			<<none>>
+ifdef(`distro_redhat',`
+/\.autofsck		--	context_template(system_u:object_r:etc_runtime_t,s0)
+/\.autorelabel		--	context_template(system_u:object_r:etc_runtime_t,s0)
+/fastboot 		--	context_template(system_u:object_r:etc_runtime_t,s0)
+/forcefsck 		--	context_template(system_u:object_r:etc_runtime_t,s0)
+/fsckoptions 		--	context_template(system_u:object_r:etc_runtime_t,s0)
+/poweroff		--	context_template(system_u:object_r:etc_runtime_t,s0)
+')
 
 #
 # /boot
@@ -32,6 +40,9 @@
 /etc/nologin.*		--	context_template(system_u:object_r:etc_runtime_t,s0)
 
 /etc/init\.d/functions	--	context_template(system_u:object_r:etc_t,s0)
+ifdef(`distro_suse',`
+/etc/init\.d/\.depend.*	--	context_template(system_u:object_r:etc_runtime_t,s0)
+')
 
 /etc/ipsec\.d/examples(/.*)?	context_template(system_u:object_r:etc_t,s0)
 
diff --git a/refpolicy/policy/modules/system/files.te b/refpolicy/policy/modules/system/files.te
index e9d0adb..94c867c 100644
--- a/refpolicy/policy/modules/system/files.te
+++ b/refpolicy/policy/modules/system/files.te
@@ -51,7 +51,7 @@ sid file context_template(system_u:object_r:file_t,s0)
 # home_root_t is the type for the directory where user home directories
 # are created
 #
-type home_root_t, file_type, mountpoint;
+type home_root_t, file_type, mountpoint; #, polyparent
 fs_associate(home_root_t)
 fs_associate_noxattr(home_root_t)
 
@@ -84,7 +84,7 @@ fs_associate_noxattr(readable_t)
 #
 # root_t is the type for rootfs and the root directory.
 #
-type root_t, file_type, mountpoint;
+type root_t, file_type, mountpoint; #, polyparent
 fs_associate(root_t)
 fs_associate_noxattr(root_t)
 kernel_rootfs_mountpoint(root_t)
@@ -93,14 +93,14 @@ genfscon rootfs / context_template(system_u:object_r:root_t,s0)
 #
 # src_t is the type of files in the system src directories.
 #
-type src_t, file_type;
+type src_t, file_type, mountpoint;
 fs_associate(src_t)
 fs_associate_noxattr(src_t)
 
 #
 # tmp_t is the type of the temporary directories
 #
-type tmp_t, file_type, tmpfile, mountpoint;
+type tmp_t, file_type, tmpfile, mountpoint; #, polydir
 fs_associate(tmp_t)
 fs_associate_noxattr(tmp_t)
 
diff --git a/refpolicy/policy/modules/system/fstools.fc b/refpolicy/policy/modules/system/fstools.fc
index f24fd8c..90f772d 100644
--- a/refpolicy/policy/modules/system/fstools.fc
+++ b/refpolicy/policy/modules/system/fstools.fc
@@ -1,6 +1,7 @@
 /sbin/blockdev		--	context_template(system_u:object_r:fsadm_exec_t,s0)
 /sbin/cfdisk		--	context_template(system_u:object_r:fsadm_exec_t,s0)
 /sbin/dosfsck		--	context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/dump		--	context_template(system_u:object_r:fsadm_exec_t,s0)
 /sbin/dumpe2fs		--	context_template(system_u:object_r:fsadm_exec_t,s0)
 /sbin/e2fsck		--	context_template(system_u:object_r:fsadm_exec_t,s0)
 /sbin/e2label		--	context_template(system_u:object_r:fsadm_exec_t,s0)
@@ -21,6 +22,7 @@
 /sbin/parted		--	context_template(system_u:object_r:fsadm_exec_t,s0)
 /sbin/partprobe		--	context_template(system_u:object_r:fsadm_exec_t,s0)
 /sbin/partx		--	context_template(system_u:object_r:fsadm_exec_t,s0)
+/sbin/raidautorun	--	context_template(system_u:object_r:fsadm_exec_t,s0)
 /sbin/raidstart		--	context_template(system_u:object_r:fsadm_exec_t,s0)
 /sbin/reiserfs(ck|tune)	--	context_template(system_u:object_r:fsadm_exec_t,s0)
 /sbin/resize.*fs	--	context_template(system_u:object_r:fsadm_exec_t,s0)
diff --git a/refpolicy/policy/modules/system/getty.fc b/refpolicy/policy/modules/system/getty.fc
index 77a3b5b..6dcaaca 100644
--- a/refpolicy/policy/modules/system/getty.fc
+++ b/refpolicy/policy/modules/system/getty.fc
@@ -2,3 +2,7 @@
 /etc/mgetty(/.*)?		context_template(system_u:object_r:getty_etc_t,s0)
 
 /sbin/.*getty		--	context_template(system_u:object_r:getty_exec_t,s0)
+
+/var/log/mgetty\.log.*	--	context_template(system_u:object_r:getty_log_t,s0)
+
+/var/run/mgetty\.pid.*	--	context_template(system_u:object_r:getty_var_run_t,s0)
diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te
index 3956bc6..c403848 100644
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@@ -15,33 +15,43 @@ type getty_etc_t;
 typealias getty_etc_t alias etc_getty_t;
 files_type(getty_etc_t)
 
+type getty_lock_t;
+files_lock_file(getty_lock_t)
+
 type getty_log_t;
 logging_log_file(getty_log_t)
 
 type getty_tmp_t;
 files_tmp_file(getty_tmp_t)
 
+type getty_var_run_t;
+files_pid_file(getty_var_run_t)
+
 ########################################
 #
 # Getty local policy
 #
 
 # Use capabilities.
-allow getty_t self:capability { dac_override chown sys_resource sys_tty_config };
-# fbgetty needs fsetid for some reason
-#allow getty_t self:capability fsetid;
-
+allow getty_t self:capability { dac_override chown sys_resource sys_tty_config fowner fsetid };
 allow getty_t self:process { getpgid getsession };
 
 allow getty_t getty_etc_t:dir r_dir_perms;
 allow getty_t getty_etc_t:file r_file_perms;
 files_create_etc_config(getty_t,getty_etc_t,{ file dir })
 
+allow getty_t getty_lock_t:file create_file_perms;
+files_create_lock(getty_t,getty_lock_t)
+
+allow getty_t getty_log_t:file { getattr append setattr };
+
 allow getty_t getty_tmp_t:file { getattr create read setattr write setattr unlink };
 allow getty_t getty_tmp_t:dir { getattr search create read setattr write setattr unlink rmdir };
 files_create_tmp_files(getty_t,getty_tmp_t,{ file dir })
 
-allow getty_t getty_log_t:file { getattr append setattr };
+allow getty_t getty_var_run_t:file create_file_perms;
+allow getty_t getty_var_run_t:dir create_dir_perms;
+files_create_pid(getty_t,getty_var_run_t)
 
 dev_read_sysfs(getty_t)
 
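Review bot: The new line `allow getty_t self:capability { dac_override chown sys_resource sys_tty_config fowner fsetid };` grants fowner and fsetid unconditionally while deleting the only explanation the old text had ("fbgetty needs fsetid for some reason"); the strict tree's version of the same change (strict/domains/program/getty.te) at least says "for mgetty". Both are DAC-bypass capabilities, so the reason should stay next to the grant: `# fowner fsetid: needed by mgetty (see strict getty.te); fbgetty also wanted fsetid`. The added `allow getty_t getty_var_run_t:dir create_dir_perms;` has no directory entry behind it in getty.fc, which only labels `/var/run/mgetty\.pid.*` as files, so it may be unneeded and is worth confirming against an audit before it is kept.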
@@ -58,9 +68,9 @@ term_setattr_console(getty_t)
 auth_rw_login_records(getty_t)
 
 corecmd_search_bin(getty_t)
+corecmd_search_sbin(getty_t)
 
 files_rw_generic_pids(getty_t)
-files_manage_generic_locks(getty_t)
 files_read_etc_runtime_files(getty_t)
 files_read_etc_files(getty_t)
 
@@ -75,3 +85,12 @@ locallogin_domtrans(getty_t)
 logging_send_syslog_msg(getty_t)
 
 miscfiles_read_localization(getty_t)
+
+ifdef(`TODO',`
+#
+# getty needs to be able to run pppd
+#
+ifdef(`pppd.te', `
+domain_auto_trans(getty_t, pppd_exec_t, pppd_t)
+')
+') dnl end TODO
diff --git a/refpolicy/policy/modules/system/init.fc b/refpolicy/policy/modules/system/init.fc
index 7a0983f..c85ca5a 100644
--- a/refpolicy/policy/modules/system/init.fc
+++ b/refpolicy/policy/modules/system/init.fc
@@ -55,8 +55,10 @@ ifdef(`distro_gentoo', `
 /var/run/setmixer_flag	--	context_template(system_u:object_r:initrc_var_run_t,s0)
 
 ifdef(`distro_suse', `
-/var/run/sysconfig(/.*)?	context_template(system_u:object_r:initrc_var_run_t,s0)
+/var/run/bootsplashctl	-p	context_template(system_u:object_r:initrc_var_run_t,s0)
 /var/run/keymap		--	context_template(system_u:object_r:initrc_var_run_t,s0)
 /var/run/numlock-on	--	context_template(system_u:object_r:initrc_var_run_t,s0)
+/var/run/setleds-on	--	context_template(system_u:object_r:initrc_var_run_t,s0)
+/var/run/sysconfig(/.*)?	context_template(system_u:object_r:initrc_var_run_t,s0)
 ')
 
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index c9fa5c7..ad8c451 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -15,7 +15,7 @@ attribute direct_init_entry;
 #
 # init_t is the domain of the init process.
 #
-type init_t;
+type init_t; #, mlsrangetrans, mlsfileread, mlsfilewrite;
 domain_type(init_t)
 role system_r types init_t;
 
@@ -37,10 +37,10 @@ files_pid_file(init_var_run_t)
 # by init during initialization.  This pipe is used
 # to communicate with init.
 #
-type initctl_t;
+type initctl_t; #, mlstrustedobject;
 files_type(initctl_t)
 
-type initrc_t;
+type initrc_t; #, mlsfileread, mlsfilewrite, mlsprocread, mlsprocwrite;
 domain_type(initrc_t)
 role system_r types initrc_t;
 
@@ -79,6 +79,8 @@ allow init_t self:fifo_file rw_file_perms;
 # Re-exec itself
 allow init_t init_exec_t:file { getattr read ioctl execute execute_no_trans };
 
+allow init_t initrc_t:unix_stream_socket connectto;
+
 # For /var/run/shutdown.pid.
 allow init_t init_var_run_t:file { create getattr read append write setattr unlink };
 files_create_pid(init_t,init_var_run_t)
@@ -162,6 +164,10 @@ optional_policy(`userdomain.te',`
 	userdom_shell_domtrans_sysadm(init_t)
 ')
 
+ifdef(`TODO',`
+allow init_t ramfs_t:sock_file write;
+')
+
 ########################################
 #
 # Init script local policy
@@ -201,12 +207,8 @@ kernel_read_ring_buffer(initrc_t)
 kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
-dev_read_sysfs(initrc_t)
-dev_rw_sysfs(initrc_t)
 kernel_read_all_sysctl(initrc_t)
 kernel_rw_all_sysctl(initrc_t)
-selinux_get_enforce_mode(initrc_t)
-dev_list_usbfs(initrc_t)
 # for lsof which is used by alsa shutdown:
 kernel_dontaudit_getattr_message_if(initrc_t)
 
@@ -222,11 +224,14 @@ corenet_tcp_sendrecv_all_ports(initrc_t)
 corenet_udp_sendrecv_all_ports(initrc_t)
 corenet_tcp_bind_all_nodes(initrc_t)
 corenet_udp_bind_all_nodes(initrc_t)
+corenet_tcp_connect_all_ports(initrc_t)
 
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
 dev_write_rand(initrc_t)
 dev_write_urand(initrc_t)
+dev_rw_sysfs(initrc_t)
+dev_list_usbfs(initrc_t)
 dev_read_framebuffer(initrc_t)
 dev_read_realtime_clock(initrc_t)
 dev_read_snd_mixer_dev(initrc_t)
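Review bot: `corenet_tcp_connect_all_ports(initrc_t)` lets every init script connect to any TCP port, and nothing in the hunk says which script needs it; a comment naming the consumer would let a later reviewer narrow it to specific port types. The same unrestricted `port_type:tcp_socket name_connect` grant is added in the strict tree for initrc.te, netutils.te, nscd.te, portmap.te (both domains) and postfix.te (the master domain, the per-service template and postfix_map_t); for the service domains, nscd and postfix in particular, the set of ports they legitimately connect to is presumably small enough that a named port type is the better fit. Suggested above the call: `# FIXME: narrow to the port types the init scripts actually connect to`.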
@@ -244,6 +249,8 @@ fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
 
+selinux_get_enforce_mode(initrc_t)
+
 storage_getattr_fixed_disk(initrc_t)
 storage_setattr_fixed_disk(initrc_t)
 storage_setattr_removable_device(initrc_t)
@@ -307,7 +314,7 @@ libs_use_shared_libs(initrc_t)
 libs_exec_lib_files(initrc_t)
 
 logging_send_syslog_msg(initrc_t)
-logging_rw_generic_logs(initrc_t)
+logging_manage_generic_logs(initrc_t)
 logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
 
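Review bot: Switching initrc_t from logging_rw_generic_logs to logging_manage_generic_logs adds create and unlink on var_log_t (the new interface in logging.if grants `create_file_perms` and `rw_dir_perms`), and the hunk gives no reason for the widening. The strict counterpart in strict/domains/program/initrc.te makes the same change under the comment "Update /var/log/wtmp and /var/log/dmesg", which no longer describes what create_file_perms allows. A short comment above the call in both trees, `# init scripts create and remove files under /var/log, not only update existing ones`, would record the intent.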
@@ -527,6 +534,11 @@ role system_r types initrc_su_t;
 ifdef(`distro_redhat', `
 	# readahead asks for these
 	allow initrc_t var_lib_nfs_t:file r_file_perms;
+
+	file_type_auto_trans(initrc_t, device_t, fixed_disk_device_t, blk_file)
+	allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
+	allow initrc_t self:capability sys_admin;
+	allow initrc_t device_t:dir create;
 ')
 
 ifdef(`targeted_policy',`
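Review bot: Inside the distro_redhat block the new `allow initrc_t self:capability sys_admin;` and `allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;` are broad grants whose only nearby explanation is the pre-existing "readahead asks for these" comment written for the var_lib_nfs_t rule; sys_admin in particular deserves its own reason, e.g. `# TODO: document why sys_admin and getattr on all file types are needed here (readahead?)`. The block also uses the legacy `file_type_auto_trans` macro and names device_t, fixed_disk_device_t and file_type directly instead of going through the devices/storage/files interfaces the rest of this module uses, which presumably does not resolve in the modular build without the equivalent interface calls or a gen_require.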
diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if
index a592aae..4c3c744 100644
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@@ -238,9 +238,13 @@ interface(`logging_write_generic_logs',`
 	allow $1 var_log_t:file { getattr write };
 ')
 
-#######################################
-#
-# logging_rw_generic_logs(domain)
+########################################
+## <summary>
+##	Read and write generic log files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
 #
 interface(`logging_rw_generic_logs',`
 	gen_require(`
@@ -253,3 +257,24 @@ interface(`logging_rw_generic_logs',`
 	allow $1 var_log_t:dir r_dir_perms;
 	allow $1 var_log_t:file rw_file_perms;
 ')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	generic log files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`logging_manage_generic_logs',`
+	gen_require(`
+		type var_log_t;
+		class dir rw_dir_perms;
+		class file create_file_perms;
+	')
+
+	files_search_var($1)
+	allow $1 var_log_t:dir rw_dir_perms;
+	allow $1 var_log_t:file create_file_perms;
+')
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 3090e0a..039d8ea 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -18,10 +18,10 @@ init_daemon_domain(auditd_t,auditd_exec_t)
 type auditd_var_run_t;
 files_pid_file(auditd_var_run_t)
 
-type devlog_t;
+type devlog_t; #, mlstrustedobject;
 files_type(devlog_t)
 
-type klogd_t;
+type klogd_t; #, mlsfileread
 type klogd_exec_t;
 init_daemon_domain(klogd_t,klogd_exec_t)
 
@@ -155,7 +155,8 @@ miscfiles_read_localization(klogd_t)
 # syslogd local policy
 #
 
-allow syslogd_t self:capability { dac_override net_bind_service sys_resource sys_tty_config };
+# cjp: why net_admin!
+allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin };
 dontaudit syslogd_t self:capability sys_tty_config;
 allow syslogd_t self:process signal_perms;
 
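Review bot: The rewritten capability line drops net_bind_service from syslogd_t while adding net_admin, and the new comment `# cjp: why net_admin!` shows the addition is unexplained. If syslogd is configured to receive remote messages it binds the syslog port, which is below 1024 and requires net_bind_service; net_admin does not cover that, so the removal may surface as a denial on that path. Until the net_admin need is confirmed, the safer form is `allow syslogd_t self:capability { dac_override net_bind_service sys_resource sys_tty_config };` with `dontaudit syslogd_t self:capability net_admin;`, mirroring how sys_tty_config is already dontaudited on the next line.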
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index 47cfa64..db203f9 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -32,14 +32,12 @@ files_tmp_file(lvm_tmp_t)
 #
 
 # DAC overrides and mknod for modifying /dev entries (vgmknodes)
-allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice mknod };
+allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice mknod chown sys_resource };
 dontaudit lvm_t self:capability sys_tty_config;
-
 allow lvm_t self:process { sigchld sigkill sigstop signull signal };
 # LVM will complain a lot if it cannot set its priority.
 allow lvm_t self:process setsched;
-
-allow lvm_t self:file r_file_perms;
+allow lvm_t self:file rw_file_perms;
 allow lvm_t self:fifo_file rw_file_perms;
 allow lvm_t self:unix_dgram_socket create_socket_perms;
 
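Review bot: The comment `# DAC overrides and mknod for modifying /dev entries (vgmknodes)` now sits over a rule that also grants chown and sys_resource, and the new `allow lvm_t self:file rw_file_perms;` adds write access to the domain's own /proc/self files; neither addition is explained. Extending the comment, e.g. `# chown/sys_resource: <reason> — confirm with audit`, keeps the grants traceable. The same two lines are changed in strict/domains/program/lvm.te and would benefit from the same note.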
@@ -122,7 +120,6 @@ corecmd_dontaudit_getattr_sbin_file(lvm_t)
 
 domain_use_wide_inherit_fd(lvm_t)
 
-files_search_var(lvm_t)
 files_read_etc_files(lvm_t)
 files_read_etc_runtime_files(lvm_t)
 files_dontaudit_getattr_pid_dir(lvm_t)
diff --git a/refpolicy/policy/modules/system/miscfiles.te b/refpolicy/policy/modules/system/miscfiles.te
index 61e7674..9b9ab9a 100644
--- a/refpolicy/policy/modules/system/miscfiles.te
+++ b/refpolicy/policy/modules/system/miscfiles.te
@@ -7,12 +7,6 @@ policy_module(miscfiles,1.0)
 #
 
 #
-# catman_t is the type for /var/catman.
-#
-type catman_t;
-files_tmp_file(catman_t)
-
-#
 # cert_t is the type of files in the system certs directories.
 #
 type cert_t;
@@ -26,6 +20,18 @@ type fonts_t;
 files_type(fonts_t)
 
 #
+# Type for anonymous FTP data, used by ftp and rsync
+#
+type ftpd_anon_t; #, customizable;
+files_type(ftpd_anon_t)
+
+#
+# type for /tmp/.ICE-unix
+#
+type ice_tmp_t;
+files_tmp_file(ice_tmp_t)
+
+#
 # locale_t is the type for system localization
 #
 type locale_t;
@@ -34,7 +40,7 @@ files_type(locale_t)
 #
 # man_t is the type for the man directories.
 #
-type man_t;
+type man_t alias catman_t;
 files_type(man_t)
 
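Review bot: `type man_t alias catman_t;` folds catman_t into man_t, but the declaration removed earlier in this file registered catman_t with `files_tmp_file`, whereas man_t is declared with `files_type`. Anything labelled catman_t therefore stops being treated as a tmp file and picks up whatever man_t is granted, which is a semantic change rather than a pure rename; a comment such as `# catman_t was a tmp-file type; merged into man_t, so /var/catman now follows the man page rules` would save the next reader from assuming the alias is a no-op. Worth checking that no file context or domain still expects tmp-file handling for /var/catman.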
 #
@@ -48,3 +54,7 @@ files_type(test_file_t)
 #
 type tetex_data_t;
 files_tmp_file(tetex_data_t)
+
+ifdef(`TODO',`
+allow customizable self:filesystem associate;
+') dnl end TODO
diff --git a/refpolicy/policy/modules/system/raid.te b/refpolicy/policy/modules/system/raid.te
index c58e7af..5a0665c 100644
--- a/refpolicy/policy/modules/system/raid.te
+++ b/refpolicy/policy/modules/system/raid.te
@@ -6,7 +6,7 @@ policy_module(raid,1.0)
 # Declarations
 #
 
-type mdadm_t;
+type mdadm_t; # privmail
 type mdadm_exec_t;
 init_daemon_domain(mdadm_t,mdadm_exec_t)
 role system_r types mdadm_t;
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 1a74046..f55425c 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -65,7 +65,7 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append };
 type policy_src_t;
 files_type(policy_src_t)
 
-type restorecon_t, can_relabelto_binary_policy;
+type restorecon_t, can_relabelto_binary_policy; #, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade;
 type restorecon_exec_t;
 domain_obj_id_change_exempt(restorecon_t)
 init_system_domain(restorecon_t,restorecon_exec_t)
@@ -280,7 +280,6 @@ kernel_read_system_state(restorecon_t)
 dev_rw_generic_file(restorecon_t)
 
 fs_getattr_xattr_fs(restorecon_t)
-fs_list_all(restorecon_t)
 
 selinux_get_fs_mount(restorecon_t)
 selinux_validate_context(restorecon_t)
diff --git a/refpolicy/policy/modules/system/sysnetwork.fc b/refpolicy/policy/modules/system/sysnetwork.fc
index b3f389a..98904af 100644
--- a/refpolicy/policy/modules/system/sysnetwork.fc
+++ b/refpolicy/policy/modules/system/sysnetwork.fc
@@ -43,6 +43,7 @@
 #
 /var/lib/dhcp3?		-d	context_template(system_u:object_r:dhcp_state_t,s0)
 /var/lib/dhcp3?/dhclient.*	context_template(system_u:object_r:dhcpc_state_t,s0)
+/var/lib/dhcpcd(/.*)?		context_template(system_u:object_r:dhcpc_state_t,s0)
 
 /var/run/dhclient.*\.pid --	context_template(system_u:object_r:dhcpc_var_run_t,s0)
 /var/run/dhclient.*\.leases --	context_template(system_u:object_r:dhcpc_var_run_t,s0)
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index 7c3ec48..a11919c 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -6,7 +6,7 @@ policy_module(udev,1.0)
 # Declarations
 #
 
-type udev_t;
+type udev_t; #, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocwrite')
 type udev_exec_t;
 type udev_helper_exec_t;
 kernel_userland_entry(udev_t,udev_exec_t)
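Review bot: The comment on the new `type udev_t;` line ends in `')`, which looks like the closing quote of the macro argument it was copied from in the strict policy rather than part of the note. With m4's default comment handling the text is passed through untouched, so it should be harmless, but the stray quote invites a mis-read by anyone later uncommenting the attributes; `type udev_t; #, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocwrite` is the cleaner form. The same commented-attribute style is used in init.te, logging.te and selinuxutil.te in this commit, none of which carry the trailing quote.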
@@ -34,7 +34,7 @@ files_pid_file(udev_var_run_t)
 # Local policy
 #
 
-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin };
+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice };
 allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow udev_t self:process { execmem setfscreate };
 allow udev_t self:fd use;
@@ -42,6 +42,7 @@ allow udev_t self:fifo_file rw_file_perms;
 allow udev_t self:unix_stream_socket { listen accept };
 allow udev_t self:unix_dgram_socket sendto;
 allow udev_t self:unix_stream_socket connectto;
+allow udev_t self:netlink_kobject_uevent_socket { create bind read };
 allow udev_t self:shm create_shm_perms;
 allow udev_t self:sem create_sem_perms;
 allow udev_t self:msgq create_msgq_perms;
@@ -72,6 +73,7 @@ kernel_read_modprobe_sysctl(udev_t)
 kernel_read_kernel_sysctl(udev_t)
 kernel_rw_unix_dgram_socket(udev_t)
 kernel_sendto_unix_dgram_socket(udev_t)
+kernel_signal(udev_t)
 
 dev_read_sysfs(udev_t)
 dev_manage_dev_nodes(udev_t)
diff --git a/strict/domains/misc/local.te b/strict/domains/misc/local.te
new file mode 100644
index 0000000..cedba3c
--- /dev/null
+++ b/strict/domains/misc/local.te
@@ -0,0 +1,5 @@
+# Local customization of existing policy should be done in this file.  
+# If you are creating brand new policy for a new "target" domain, you
+# need to create a type enforcement (.te) file in domains/program
+# and a file context (.fc) file in file_context/program.
+
diff --git a/strict/domains/program/consoletype.te b/strict/domains/program/consoletype.te
index 9836ce4..f3f2c28 100644
--- a/strict/domains/program/consoletype.te
+++ b/strict/domains/program/consoletype.te
@@ -11,7 +11,7 @@
 # consoletype_t is the domain for the consoletype program.
 # consoletype_exec_t is the type of the corresponding program.
 #
-type consoletype_t, domain;
+type consoletype_t, domain, mlsfileread, mlsfilewrite;
 type consoletype_exec_t, file_type, sysadmfile, exec_type;
 
 role system_r types consoletype_t;
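Review bot: `type consoletype_t, domain, mlsfileread, mlsfilewrite;` gives a console-type probe both MLS constraint-override attributes for files, and no comment says which file it needs to reach across levels; mlsfilewrite in particular lets the domain write down, which is the property the MLS constraints exist to prevent. A reason next to the grant, `# mlsfileread/mlsfilewrite: <which file consoletype touches at another level> — confirm`, would let a later reviewer drop whichever one is not needed. The same kind of unexplained MLS attribute is added in this commit to pam_console (pamconsole.te), klogd (klogd.te), init and initctl (init.te), initrc (initrc.te) and restorecon (restorecon.te).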
@@ -57,6 +57,7 @@ allow consoletype_t tmpfs_t:chr_file rw_file_perms;
 ifdef(`firstboot.te', `
 allow consoletype_t firstboot_t:fifo_file write;
 ')
+dontaudit consoletype_t proc_t:dir search;
 dontaudit consoletype_t proc_t:file read;
 dontaudit consoletype_t root_t:file read;
 allow consoletype_t crond_t:fifo_file { read getattr ioctl };
diff --git a/strict/domains/program/crond.te b/strict/domains/program/crond.te
index 10f8a4d..c19a2d8 100644
--- a/strict/domains/program/crond.te
+++ b/strict/domains/program/crond.te
@@ -37,7 +37,7 @@ allow mta_user_agent system_crond_t:fd use;
 
 # read files in /etc
 allow system_crond_t etc_t:file r_file_perms;
-allow system_crond_t etc_runtime_t:file read;
+allow system_crond_t etc_runtime_t:file { getattr read };
 
 allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
 
diff --git a/strict/domains/program/getty.te b/strict/domains/program/getty.te
index fc8a2bb..c060211 100644
--- a/strict/domains/program/getty.te
+++ b/strict/domains/program/getty.te
@@ -23,22 +23,13 @@ allow getty_t self:process { getpgid getsession };
 allow getty_t self:unix_dgram_socket create_socket_perms;
 allow getty_t self:unix_stream_socket create_socket_perms;
 
-# to allow w to display everyone...
-bool user_ttyfile_stat false;
-if (user_ttyfile_stat) {
-allow userdomain ttyfile:chr_file getattr;
-}
-
 # Use capabilities.
 allow getty_t self:capability { dac_override chown sys_resource sys_tty_config };
 
-# fbgetty needs fsetid for some reason
-#allow getty_t self:capability fsetid;
-
 read_locale(getty_t)
 
 # Run login in local_login_t domain.
-allow getty_t bin_t:dir search;
+allow getty_t { sbin_t bin_t }:dir search;
 domain_auto_trans(getty_t, login_exec_t, local_login_t)
 
 # Write to /var/run/utmp.
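Review bot: The `user_ttyfile_stat` boolean and its conditional `allow userdomain ttyfile:chr_file getattr;` are deleted here with no replacement in this hunk. If the tunable was not moved to a tunables file elsewhere in the commit, systems that set it lose the ability to let `w` show other users' ttys, and any saved boolean state referencing it becomes stale; a pointer comment, `# user_ttyfile_stat moved to <tunables file>`, or a line in the commit message would make the relocation traceable.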
@@ -55,5 +46,15 @@ allow getty_t ttyfile:chr_file { setattr rw_file_perms };
 # for error condition handling
 allow getty_t fs_t:filesystem getattr;
 
-rw_dir_create_file(getty_t, var_lock_t)
+lock_domain(getty)
 r_dir_file(getty_t, sysfs_t)
+# for mgetty
+var_run_domain(getty)
+allow getty_t self:capability { fowner fsetid };
+
+#
+# getty needs to be able to run pppd
+#
+ifdef(`pppd.te', `
+domain_auto_trans(getty_t, pppd_exec_t, pppd_t)
+')
diff --git a/strict/domains/program/hald.te b/strict/domains/program/hald.te
index 2bdd0b5..ed84911 100644
--- a/strict/domains/program/hald.te
+++ b/strict/domains/program/hald.te
@@ -15,7 +15,7 @@ daemon_domain(hald, `, fs_domain, nscd_client_domain')
 can_exec_any(hald_t)
 
 allow hald_t { etc_t etc_runtime_t }:file { getattr read };
-allow hald_t self:unix_stream_socket create_stream_socket_perms;
+allow hald_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow hald_t self:unix_dgram_socket create_socket_perms;
 
 ifdef(`dbusd.te', `
@@ -30,6 +30,10 @@ allow hald_t { bin_t sbin_t }:dir search;
 allow hald_t self:fifo_file rw_file_perms;
 allow hald_t usr_t:file { getattr read };
 allow hald_t bin_t:file getattr;
+# For backwards compatibility with older kernels
+allow hald_t self:netlink_socket create_socket_perms;
+
+allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow hald_t self:netlink_route_socket r_netlink_socket_perms;
 allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
 can_network_server(hald_t)
diff --git a/strict/domains/program/init.te b/strict/domains/program/init.te
index 3fb67de..185e0ba 100644
--- a/strict/domains/program/init.te
+++ b/strict/domains/program/init.te
@@ -14,11 +14,11 @@
 # by init during initialization.  This pipe is used
 # to communicate with init.
 #
-type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain;
+type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain, mlsrangetrans, mlsfileread, mlsfilewrite;
 role system_r types init_t;
 uses_shlib(init_t);
 type init_exec_t, file_type, sysadmfile, exec_type;
-type initctl_t, file_type, sysadmfile, dev_fs;
+type initctl_t, file_type, sysadmfile, dev_fs, mlstrustedobject;
 
 # for init to determine whether SE Linux is active so it can know whether to
 # activate it
@@ -82,6 +82,7 @@ allow init_t self:process { fork sigchld };
 # Modify utmp.
 allow init_t var_run_t:file rw_file_perms;
 allow init_t initrc_var_run_t:file { setattr rw_file_perms };
+can_unix_connect(init_t, initrc_t)
 
 # For /var/run/shutdown.pid.
 var_run_domain(init)
@@ -133,6 +134,7 @@ allow init_t lib_t:file { getattr read };
 
 allow init_t devtty_t:chr_file { read write };
 allow init_t ramfs_t:dir search;
+allow init_t ramfs_t:sock_file write;
 r_dir_file(init_t, sysfs_t)
 
 r_dir_file(init_t, selinux_config_t)
diff --git a/strict/domains/program/initrc.te b/strict/domains/program/initrc.te
index 86e09cc..f6e248e 100644
--- a/strict/domains/program/initrc.te
+++ b/strict/domains/program/initrc.te
@@ -12,11 +12,12 @@
 # initrc_exec_t is the type of the init program.
 #
 # do not use privmail for sendmail as it creates a type transition conflict
-type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain;
+type initrc_t, fs_domain, ifdef(`unlimitedRC', `admin, etc_writer, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain, mlsfileread, mlsfilewrite, mlsprocread, mlsprocwrite;
 
 role system_r types initrc_t;
 uses_shlib(initrc_t);
 can_network(initrc_t)
+allow initrc_t port_type:tcp_socket name_connect;
 can_ypbind(initrc_t)
 type initrc_exec_t, file_type, sysadmfile, exec_type;
 
@@ -130,7 +131,7 @@ allow initrc_t ld_so_cache_t:file rw_file_perms;
 # Update /var/log/wtmp and /var/log/dmesg.
 allow initrc_t wtmp_t:file { setattr rw_file_perms };
 allow initrc_t var_log_t:dir rw_dir_perms;
-allow initrc_t var_log_t:file { setattr rw_file_perms };
+allow initrc_t var_log_t:file create_file_perms;
 allow initrc_t lastlog_t:file { setattr rw_file_perms };
 allow initrc_t logfile:file { read append };
 
@@ -194,10 +195,8 @@ file_type_auto_trans(initrc_t, boot_t, boot_runtime_t, file)
 allow initrc_t tmpfs_t:chr_file rw_file_perms;
 allow initrc_t tmpfs_t:dir r_dir_perms;
 
-ifdef(`distro_redhat', ` 
 # Allow initrc domain to set the enforcing flag.
 can_setenforce(initrc_t)
-')
 
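Review bot: Dropping the `ifdef(`distro_redhat'` guard makes `can_setenforce(initrc_t)` unconditional, so init scripts on every distribution can now switch the system to permissive mode, and nothing in the hunk explains the widening. Letting initrc_t toggle enforcement is effectively a policy-disable capability for anything that reaches an init script, so the justification belongs next to the call: `# init scripts set the enforcing flag at boot on all distros (was distro_redhat only)`, or better, keep the guard and list only the distributions that actually need it.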
 #
 # readahead asks for these
@@ -208,6 +207,11 @@ allow initrc_t var_lib_nfs_t:file { getattr read };
 # for /halt /.autofsck and other flag files
 file_type_auto_trans({ initrc_t sysadm_t }, root_t, etc_runtime_t, file)
 
+file_type_auto_trans(initrc_t, device_t, fixed_disk_device_t, blk_file)
+allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
+allow initrc_t self:capability sys_admin;
+allow initrc_t device_t:dir create;
+
 ')dnl end distro_redhat
 
 allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
@@ -287,10 +291,6 @@ allow initrc_t device_t:lnk_file unlink;
 
 r_dir_file(initrc_t,selinux_config_t)
 
-ifdef(`distro_redhat', `
-#allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
-')
-
 ifdef(`unlimitedRC', `
 unconfined_domain(initrc_t) 
 ')
diff --git a/strict/domains/program/klogd.te b/strict/domains/program/klogd.te
index b7efff1..42a136e 100644
--- a/strict/domains/program/klogd.te
+++ b/strict/domains/program/klogd.te
@@ -8,7 +8,7 @@
 #
 # Rules for the klogd_t domain.
 #
-daemon_domain(klogd, `, privmem')
+daemon_domain(klogd, `, privmem, privkmsg, mlsfileread')
 
 tmp_domain(klogd)
 allow klogd_t proc_t:dir r_dir_perms;
diff --git a/strict/domains/program/lvm.te b/strict/domains/program/lvm.te
index f2cf061..7ed0722 100644
--- a/strict/domains/program/lvm.te
+++ b/strict/domains/program/lvm.te
@@ -18,7 +18,6 @@ type lvm_vg_t, file_type, sysadmfile;
 type lvm_metadata_t, file_type, sysadmfile;
 type lvm_control_t, device_type, dev_fs;
 etcdir_domain(lvm)
-allow lvm_t var_t:dir search;
 lock_domain(lvm)
 allow lvm_t lvm_lock_t:dir rw_dir_perms;
 
@@ -35,7 +34,7 @@ allow lvm_t self:fifo_file rw_file_perms;
 allow lvm_t self:unix_dgram_socket create_socket_perms;
 
 r_dir_file(lvm_t, proc_t)
-allow lvm_t self:file r_file_perms;
+allow lvm_t self:file rw_file_perms;
 
 # Read system variables in /proc/sys
 read_sysctl(lvm_t)
@@ -65,7 +64,7 @@ tmp_domain(lvm)
 allow lvm_t { random_device_t urandom_device_t }:chr_file { getattr read ioctl };
 
 # DAC overrides and mknod for modifying /dev entries (vgmknodes)
-allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice mknod };
+allow lvm_t self:capability { chown dac_override ipc_lock sys_admin sys_nice sys_resource mknod };
 
 # Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
 file_type_auto_trans(lvm_t, { etc_t lvm_etc_t }, lvm_metadata_t, file)
diff --git a/strict/domains/program/mdadm.te b/strict/domains/program/mdadm.te
index 91de77c..47f82e2 100644
--- a/strict/domains/program/mdadm.te
+++ b/strict/domains/program/mdadm.te
@@ -3,7 +3,7 @@
 # Author: Colin Walters <walters at redhat.com>
 #
 
-daemon_base_domain(mdadm, `, fs_domain')
+daemon_base_domain(mdadm, `, fs_domain, privmail')
 role sysadm_r types mdadm_t;
 
 allow initrc_t mdadm_var_run_t:file create_file_perms;
diff --git a/strict/domains/program/netutils.te b/strict/domains/program/netutils.te
index c314eee..9b13fd4 100644
--- a/strict/domains/program/netutils.te
+++ b/strict/domains/program/netutils.te
@@ -16,11 +16,14 @@ role sysadm_r types netutils_t;
 
 uses_shlib(netutils_t)
 can_network(netutils_t)
+allow netutils_t port_type:tcp_socket name_connect;
 can_ypbind(netutils_t)
 tmp_domain(netutils)
 
 domain_auto_trans(initrc_t, netutils_exec_t, netutils_t)
+ifdef(`targeted_policy', `', `
 domain_auto_trans(sysadm_t, netutils_exec_t, netutils_t)
+')
 
 # Inherit and use descriptors from init.
 allow netutils_t { userdomain init_t }:fd use;
diff --git a/strict/domains/program/nscd.te b/strict/domains/program/nscd.te
index 74db228..40ffbbc 100644
--- a/strict/domains/program/nscd.te
+++ b/strict/domains/program/nscd.te
@@ -23,6 +23,7 @@ daemon_domain(nscd, `, userspace_objmgr')
 allow nscd_t etc_t:file r_file_perms;
 allow nscd_t etc_t:lnk_file read;
 can_network_client(nscd_t)
+allow nscd_t port_type:tcp_socket name_connect;
 can_ypbind(nscd_t)
 
 file_type_auto_trans(nscd_t, var_run_t, nscd_var_run_t, sock_file)
diff --git a/strict/domains/program/ntpd.te b/strict/domains/program/ntpd.te
index 1598c23..2b7480c 100644
--- a/strict/domains/program/ntpd.te
+++ b/strict/domains/program/ntpd.te
@@ -10,7 +10,6 @@
 #
 daemon_domain(ntpd, `, nscd_client_domain')
 type ntp_drift_t, file_type, sysadmfile;
-type ntp_port_t, port_type, reserved_port_type;
 
 type ntpdate_exec_t, file_type, sysadmfile, exec_type;
 domain_auto_trans(initrc_t, ntpdate_exec_t, ntpd_t)
@@ -25,7 +24,7 @@ allow ntpd_t ntp_drift_t:dir rw_dir_perms;
 allow ntpd_t ntp_drift_t:file create_file_perms;
 
 # for SSP
-allow ntpd_t urandom_device_t:chr_file read;
+allow ntpd_t urandom_device_t:chr_file { getattr read };
 
 allow ntpd_t self:capability { kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot };
 dontaudit ntpd_t self:capability { net_admin };
@@ -41,6 +40,7 @@ allow ntpd_t etc_t:file { read getattr };
 
 # Use the network.
 can_network(ntpd_t)
+allow ntpd_t ntp_port_t:tcp_socket name_connect;
 can_ypbind(ntpd_t)
 allow ntpd_t ntp_port_t:udp_socket name_bind;
 allow ntpd_t self:unix_dgram_socket create_socket_perms;
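Review bot: `allow ntpd_t ntp_port_t:tcp_socket name_connect;` grants a TCP connect to the NTP port, but the protocol and the rest of this domain's rules are UDP (`name_bind` on udp_socket two lines below). Unless a specific ntpd feature is known to open a TCP connection, this looks like a copy of the name_connect grants added elsewhere in the commit and can be dropped, or at least carry a comment with the reason.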
@@ -83,4 +83,5 @@ ifdef(`winbind.te', `
 allow ntpd_t winbind_var_run_t:dir r_dir_perms;
 allow ntpd_t winbind_var_run_t:sock_file rw_file_perms;
 ')
-
+# For clock devices like wwvb1
+allow ntpd_t device_t:lnk_file read;
diff --git a/strict/domains/program/pamconsole.te b/strict/domains/program/pamconsole.te
index 7270442..cbb84af 100644
--- a/strict/domains/program/pamconsole.te
+++ b/strict/domains/program/pamconsole.te
@@ -3,17 +3,23 @@
 #
 # pam_console_apply
 
-daemon_base_domain(pam_console, `, nscd_client_domain')
+daemon_base_domain(pam_console, `, nscd_client_domain, mlsfileread')
 
 type pam_var_console_t, file_type, sysadmfile;
 
 allow pam_console_t etc_t:file { getattr read ioctl };
 allow pam_console_t self:unix_stream_socket create_stream_socket_perms;
 
+# Read /etc/mtab
+allow pam_console_t etc_runtime_t:file { read getattr };
+
+# Read /proc/meminfo
+allow pam_console_t proc_t:file { read getattr };
+
 allow pam_console_t self:capability { chown fowner fsetid };
 
 # Allow access to /dev/console through the fd:
-allow pam_console_t console_device_t:chr_file { read write };
+allow pam_console_t console_device_t:chr_file { read write setattr };
 allow pam_console_t { kernel_t init_t }:fd use;
 
 # for /var/run/console.lock checking
@@ -36,7 +42,6 @@ ifdef(`hotplug.te', `
 dontaudit pam_console_t hotplug_etc_t:dir search;
 allow pam_console_t hotplug_t:fd use;
 ')
-allow pam_console_t proc_t:file read;
 ifdef(`xdm.te', `
 allow pam_console_t xdm_var_run_t:file { getattr read };
 ')
diff --git a/strict/domains/program/passwd.te b/strict/domains/program/passwd.te
index efae37c..e984320 100644
--- a/strict/domains/program/passwd.te
+++ b/strict/domains/program/passwd.te
@@ -145,6 +145,7 @@ dontaudit sysadm_passwd_t devpts_t:dir search;
 
 # make sure that getcon succeeds
 allow passwd_t userdomain:dir search;
-allow passwd_t userdomain:file read;
+allow passwd_t userdomain:file { getattr read };
 allow passwd_t userdomain:process getattr;
 
+allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
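Review bot: The new `allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };` lets passwd submit user-space audit records, which is a plausible need for an account-changing tool, but it arrives with no comment and nlmsg_relay is the permission that controls writing into the audit trail. A one-liner such as `# passwd emits account-change audit records via the audit netlink socket` would document it; it is also worth checking whether sysadm_passwd_t, declared in this same file, needs the same grant.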
diff --git a/strict/domains/program/portmap.te b/strict/domains/program/portmap.te
index 134b200..adc364d 100644
--- a/strict/domains/program/portmap.te
+++ b/strict/domains/program/portmap.te
@@ -14,12 +14,11 @@
 daemon_domain(portmap, `, nscd_client_domain')
 
 can_network(portmap_t)
+allow portmap_t port_type:tcp_socket name_connect;
 can_ypbind(portmap_t)
 allow portmap_t self:unix_dgram_socket create_socket_perms;
 allow portmap_t self:unix_stream_socket create_stream_socket_perms;
 
-type portmap_port_t, port_type, reserved_port_type;
-
 tmp_domain(portmap)
 
 allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind;
@@ -60,11 +59,13 @@ domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t)
 dontaudit portmap_helper_t self:capability { net_admin };
 allow portmap_helper_t self:capability { net_bind_service };
 allow portmap_helper_t { var_run_t initrc_var_run_t } :file rw_file_perms;
+file_type_auto_trans(portmap_helper_t, var_run_t, portmap_var_run_t, file)
 allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
 can_network(portmap_helper_t)
+allow portmap_helper_t port_type:tcp_socket name_connect;
 can_ypbind(portmap_helper_t)
 dontaudit portmap_helper_t admin_tty_type:chr_file rw_file_perms;
 allow portmap_helper_t etc_t:file { getattr read };
-dontaudit portmap_helper_t userdomain:fd use;
+dontaudit portmap_helper_t { userdomain privfd }:fd use;
 allow portmap_helper_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
 dontaudit portmap_helper_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
diff --git a/strict/domains/program/postfix.te b/strict/domains/program/postfix.te
index 7d62e01..26ac65b 100644
--- a/strict/domains/program/postfix.te
+++ b/strict/domains/program/postfix.te
@@ -9,7 +9,6 @@
 type postfix_var_run_t, file_type, sysadmfile, pidfile;
 
 type postfix_etc_t, file_type, sysadmfile;
-typealias postfix_etc_t alias etc_postfix_t;
 type postfix_exec_t, file_type, sysadmfile, exec_type;
 type postfix_public_t, file_type, sysadmfile;
 type postfix_private_t, file_type, sysadmfile;
@@ -120,6 +119,7 @@ allow postfix_master_t postfix_private_t:dir rw_dir_perms;
 allow postfix_master_t postfix_private_t:sock_file create_file_perms;
 allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
 can_network(postfix_master_t)
+allow postfix_master_t port_type:tcp_socket name_connect;
 can_ypbind(postfix_master_t)
 allow postfix_master_t smtp_port_t:tcp_socket name_bind;
 allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
@@ -155,6 +155,7 @@ domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
 allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
 allow postfix_$1_t self:capability { setuid setgid dac_override };
 can_network_client(postfix_$1_t)
+allow postfix_$1_t port_type:tcp_socket name_connect;
 can_ypbind(postfix_$1_t)
 ')
 
@@ -179,6 +180,7 @@ allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto;
 # for OpenSSL certificates
 r_dir_file(postfix_smtpd_t,usr_t)
 allow postfix_smtpd_t etc_aliases_t:file r_file_perms;
+allow postfix_smtpd_t self:file { getattr read };
 
 # for prng_exch
 allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
@@ -345,5 +347,6 @@ allow postfix_map_t self:capability setgid;
 allow postfix_map_t self:unix_dgram_socket create_socket_perms;
 dontaudit postfix_map_t var_t:dir search;
 can_network_server(postfix_map_t)
+allow postfix_map_t port_type:tcp_socket name_connect;
 allow postfix_local_t mail_spool_t:dir { remove_name };
 allow postfix_local_t mail_spool_t:file { unlink };
diff --git a/strict/domains/program/privoxy.te b/strict/domains/program/privoxy.te
index 5762592..9e94026 100644
--- a/strict/domains/program/privoxy.te
+++ b/strict/domains/program/privoxy.te
@@ -8,7 +8,7 @@
 #
 # Rules for the privoxy_t domain.
 #
-daemon_domain(privoxy)
+daemon_domain(privoxy, `, web_client_domain')
 
 logdir_domain(privoxy)
 
@@ -17,7 +17,8 @@ allow privoxy_t self:capability net_bind_service;
 
 # Use the network.
 can_network(privoxy_t)
-allow privoxy_t port_t:{ tcp_socket udp_socket } name_bind;
+can_ypbind(privoxy_t)
+allow privoxy_t http_cache_port_t:tcp_socket name_bind;
 allow privoxy_t etc_t:file { getattr read };
 allow privoxy_t self:capability { setgid setuid };
 allow privoxy_t self:unix_stream_socket create_socket_perms ;
diff --git a/strict/domains/program/restorecon.te b/strict/domains/program/restorecon.te
index fb014d7..058dcd1 100644
--- a/strict/domains/program/restorecon.te
+++ b/strict/domains/program/restorecon.te
@@ -12,7 +12,7 @@
 #
 # needs auth_write attribute because it has relabelfrom/relabelto
 # access to shadow_t
-type restorecon_t, domain, privlog, privowner, auth_write, change_context;
+type restorecon_t, domain, privlog, privowner, auth_write, change_context, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade;
 type restorecon_exec_t, file_type, sysadmfile, exec_type;
 
 role system_r types restorecon_t;
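Review bot: The new MLS attributes on `restorecon_t` (`mlsfileread`, `mlsfilewrite`, `mlsfileupgrade`, `mlsfiledowngrade`) carry no explanation, although the comment directly above takes care to justify `auth_write`; the same undocumented additions appear on `$1_t` in the first ssh.te hunk (plus `mlsprocsetsl`) and on `udev_t` in the first udev.te hunk (plus `mlsprocwrite`). As their names indicate, these attributes relax the MLS constraints for the domain, which is a larger grant than anything else on the line, so the reader should be told why, e.g. `# mls* attributes: restorecon relabels files at every sensitivity level, so the MLS file read/write/upgrade/downgrade constraints must not apply`. A similar one-liner belongs next to the sshd and udev declarations.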
@@ -48,10 +48,9 @@ allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom rel
 allow restorecon_t ptyfile:chr_file getattr;
 
 allow restorecon_t fs_t:filesystem getattr;
-allow restorecon_t fs_type:dir r_dir_perms;
 
-allow restorecon_t etc_runtime_t:file read;
-allow restorecon_t etc_t:file read;
+allow restorecon_t etc_runtime_t:file { getattr read };
+allow restorecon_t etc_t:file { getattr read };
 allow restorecon_t proc_t:file { getattr read };
 dontaudit restorecon_t proc_t:lnk_file { getattr read };
 
@@ -60,4 +59,3 @@ allow restorecon_t kernel_t:fd use;
 allow restorecon_t kernel_t:fifo_file { read write };
 allow restorecon_t kernel_t:unix_dgram_socket { read write };
 r_dir_file(restorecon_t, { selinux_config_t file_context_t default_context_t } )
-
diff --git a/strict/domains/program/rlogind.te b/strict/domains/program/rlogind.te
index 0c896cf..d6fa1c5 100644
--- a/strict/domains/program/rlogind.te
+++ b/strict/domains/program/rlogind.te
@@ -35,3 +35,4 @@ allow rlogind_t self:file { getattr read };
 allow rlogind_t default_t:dir search;
 typealias rlogind_port_t alias rlogin_port_t;
 read_sysctl(rlogind_t);
+allow rlogind_t krb5_keytab_t:file { getattr read };
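Review bot: `allow rlogind_t krb5_keytab_t:file { getattr read };` grants unconditional read access to the host keytab, i.e. to long-term Kerberos service keys, whereas the second ssh.te hunk in this commit uses `can_kerberos($1_t)` for the equivalent need. Using `can_kerberos(rlogind_t)` here would keep keytab access consistent with sshd and, if that macro is conditional on Kerberos being configured, avoid the grant on hosts that do not use it. The macro's definition is not in this diff, so confirm it includes the keytab rule before switching.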
diff --git a/strict/domains/program/rshd.te b/strict/domains/program/rshd.te
index 33006bd..39976c5 100644
--- a/strict/domains/program/rshd.te
+++ b/strict/domains/program/rshd.te
@@ -23,10 +23,7 @@ allow rshd_t self:capability { net_bind_service setuid setgid fowner fsetid chow
 
 # Use the network.
 can_network_server(rshd_t)
-allow rshd_t reserved_port_t:tcp_socket name_bind;
-dontaudit rshd_t reserved_port_type:tcp_socket name_bind;
-
-can_ypbind(rshd_t)
+allow rshd_t rsh_port_t:tcp_socket name_bind;
 
 allow rshd_t etc_t:file { getattr read };
 read_locale(rshd_t)
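Review bot: The hunk drops `can_ypbind(rshd_t)` together with the generic reserved-port bind, and only the latter is explained by the change (binding is narrowed to `rsh_port_t`, matching the now-unconditional `portcon tcp 514` in net_contexts). rshd resolves users through NSS, so removing NIS access is a functional change for NIS sites that is not mentioned in the commit message. If the removal is deliberate, record why in a comment at this spot; otherwise keep `can_ypbind(rshd_t)`.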
diff --git a/strict/domains/program/rsync.te b/strict/domains/program/rsync.te
index 1090463..6bac7b7 100644
--- a/strict/domains/program/rsync.te
+++ b/strict/domains/program/rsync.te
@@ -14,6 +14,4 @@
 inetd_child_domain(rsync)
 type rsync_data_t, file_type, sysadmfile;
 r_dir_file(rsync_t, rsync_data_t)
-ifdef(`ftpd.te', `
 r_dir_file(rsync_t, ftpd_anon_t)
-')
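Review bot: With the `ifdef(`ftpd.te', ...)` guard gone, `r_dir_file(rsync_t, ftpd_anon_t)` references `ftpd_anon_t` unconditionally; unless that type is now declared outside ftpd.te, a policy built without the ftpd module fails to compile. The net_contexts hunks remove their `ifdef` guards in the same way, which points to a move toward centrally declared types, but a file type such as `ftpd_anon_t` would need the same treatment and nothing in this diff shows it. If it is still declared only in ftpd.te, keep the guard.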
diff --git a/strict/domains/program/slapd.te b/strict/domains/program/slapd.te
index 8cca78e..dd9e416 100644
--- a/strict/domains/program/slapd.te
+++ b/strict/domains/program/slapd.te
@@ -58,3 +58,4 @@ read_sysctl(slapd_t)
 allow slapd_t usr_t:file { read getattr };
 allow slapd_t urandom_device_t:chr_file { getattr read };
 allow slapd_t self:netlink_route_socket r_netlink_socket_perms;
+r_dir_file(slapd_t, cert_t)
diff --git a/strict/domains/program/squid.te b/strict/domains/program/squid.te
index 06d411d..bf7d01d 100644
--- a/strict/domains/program/squid.te
+++ b/strict/domains/program/squid.te
@@ -12,7 +12,7 @@
 ifdef(`apache.te',`
 can_tcp_connect(squid_t, httpd_t)
 ')
-
+bool squid_connect_any false;
 daemon_domain(squid, `, web_client_domain, nscd_client_domain')
 type squid_conf_t, file_type, sysadmfile;
 general_domain_access(squid_t)
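Review bot: `bool squid_connect_any false;` is introduced with no comment saying what it enables or why the default is off; the rule it controls, `allow squid_t port_type:tcp_socket name_connect;`, sits in the next hunk. Booleans are the administrator's interface to the policy, so document it where it is declared, e.g. `# squid_connect_any: allow squid to connect to any TCP port instead of only the gopher/ftp/http/http_cache ports`. Replacing the removed blank line rather than reusing it would also keep the declaration visually separate from the preceding apache `ifdef` block.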
@@ -53,12 +53,15 @@ ifdef(`crond.te', `domain_auto_trans(system_crond_t, squid_exec_t, squid_t)')
 
 # Use the network
 can_network(squid_t)
+if (squid_connect_any) {
+allow squid_t port_type:tcp_socket name_connect;
+} 
 can_ypbind(squid_t)
 can_tcp_connect(web_client_domain, squid_t)
 
 # tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts)
-allow squid_t http_cache_port_t:tcp_socket name_bind;
-allow squid_t http_cache_port_t:udp_socket name_bind;
+allow squid_t http_cache_port_t:{ tcp_socket udp_socket } name_bind;
+allow squid_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect;
 
 # to allow running programs from /usr/lib/squid (IE unlinkd)
 # also allow exec()ing itself
@@ -74,3 +77,8 @@ allow squid_t urandom_device_t:chr_file { getattr read };
 
 #squid requires the following when run in diskd mode, the recommended setting
 allow squid_t tmpfs_t:file { read write };
+r_dir_file(squid_t, cert_t)
+ifdef(`winbind.te', `
+domain_auto_trans(squid_t, winbind_helper_exec_t, winbind_helper_t)
+allow winbind_helper_t squid_t:tcp_socket rw_socket_perms;
+')
diff --git a/strict/domains/program/ssh.te b/strict/domains/program/ssh.te
index a1eb5ec..ee4dcf1 100644
--- a/strict/domains/program/ssh.te
+++ b/strict/domains/program/ssh.te
@@ -23,7 +23,7 @@ define(`sshd_program_domain', `
 # privowner is for changing the identity on the terminal device
 # privfd is for passing the terminal file handle to the user process
 # auth_chkpwd is for running unix_chkpwd and unix_verify.
-type $1_t, domain, privuser, privrole, privlog, privowner, privfd, auth_chkpwd, nscd_client_domain;
+type $1_t, domain, privuser, privrole, privlog, privowner, privfd, auth_chkpwd, nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
 can_exec($1_t, sshd_exec_t)
 r_dir_file($1_t, self)
 role system_r types $1_t;
@@ -67,6 +67,8 @@ allow $1_t { null_device_t zero_device_t }:chr_file rw_file_perms;
 allow $1_t urandom_device_t:chr_file { getattr read };
 
 can_network($1_t)
+allow $1_t port_type:tcp_socket name_connect;
+can_kerberos($1_t)
 
 allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
 allow $1_t { home_root_t home_dir_type }:dir { search getattr };
@@ -145,10 +147,8 @@ sshd_spawn_domain(sshd, userdomain, { sysadm_devpts_t userpty_type })
 sshd_spawn_domain(sshd, unpriv_userdomain, userpty_type)
 }
 
-ifdef(`use_x_ports', `
 # for X forwarding
 allow sshd_t xserver_port_t:tcp_socket name_bind;
-')
 
 r_dir_file(sshd_t, selinux_config_t)
 sshd_program_domain(sshd_extern)
diff --git a/strict/domains/program/syslogd.te b/strict/domains/program/syslogd.te
index 76d518e..33d1e20 100644
--- a/strict/domains/program/syslogd.te
+++ b/strict/domains/program/syslogd.te
@@ -14,9 +14,9 @@
 # by syslogd.
 #
 ifdef(`klogd.te', `
-daemon_domain(syslogd)
+daemon_domain(syslogd, `, privkmsg')
 ', `
-daemon_domain(syslogd, `, privmem')
+daemon_domain(syslogd, `, privmem, privkmsg')
 ')
 
 # can_network is for the UDP socket
@@ -25,7 +25,7 @@ can_ypbind(syslogd_t)
 
 r_dir_file(syslogd_t, sysfs_t)
 
-type devlog_t, file_type, sysadmfile, dev_fs;
+type devlog_t, file_type, sysadmfile, dev_fs, mlstrustedobject;
 
 # if something can log to syslog they should be able to log to the console
 allow privlog console_device_t:chr_file { ioctl read write getattr };
@@ -36,7 +36,7 @@ tmp_domain(syslogd)
 allow syslogd_t etc_t:file r_file_perms;
 
 # Use capabilities.
-allow syslogd_t self:capability { dac_override net_bind_service sys_resource sys_tty_config };
+allow syslogd_t self:capability { dac_override net_admin net_bind_service sys_resource sys_tty_config };
 
 # Modify/create log files.
 create_append_log_file(syslogd_t, var_log_t)
@@ -94,7 +94,6 @@ allow syslogd_t { device_t file_t }:sock_file unlink;
 allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };
 
 # Allow name_bind for remote logging
-type syslogd_port_t, port_type, reserved_port_type;
 allow syslogd_t syslogd_port_t:udp_socket name_bind;
 #
 # /initrd is not umounted before minilog starts
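Review bot: The declaration `type syslogd_port_t, port_type, reserved_port_type;` is removed while `allow syslogd_t syslogd_port_t:udp_socket name_bind;` directly below and the `portcon udp 514` entry in net_contexts still use the type, so it must now be declared elsewhere — presumably a central port type list that is not part of this diff. If it is, fine; if not, the policy no longer builds. A one-line comment at the allow rule, `# syslogd_port_t is declared with the other port types`, would stop the next reader from looking for the declaration here.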
@@ -103,5 +102,4 @@ dontaudit syslogd_t file_t:dir search;
 allow syslogd_t { tmpfs_t devpts_t }:dir search;
 dontaudit syslogd_t unlabeled_t:file read;
 dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
-allow syslogd_t self:capability net_admin;
 allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
diff --git a/strict/domains/program/udev.te b/strict/domains/program/udev.te
index eae23a2..fb70a35 100644
--- a/strict/domains/program/udev.te
+++ b/strict/domains/program/udev.te
@@ -9,7 +9,7 @@
 #
 # udev_exec_t is the type of the udev executable.
 #
-daemon_domain(udev, `, nscd_client_domain, privmodule, privmem, fs_domain, privfd, privowner')
+daemon_domain(udev, `, nscd_client_domain, privmodule, privmem, fs_domain, privfd, privowner, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocwrite')
 
 general_domain_access(udev_t)
 
@@ -33,6 +33,7 @@ allow udev_t self:file { getattr read };
 allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
 allow udev_t self:unix_dgram_socket create_socket_perms;
 allow udev_t self:fifo_file rw_file_perms;
+allow udev_t self:netlink_kobject_uevent_socket { create bind read }; 
 allow udev_t device_t:sock_file create_file_perms;
 allow udev_t device_t:lnk_file create_lnk_perms;
 allow udev_t { device_t device_type }:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
@@ -70,6 +71,7 @@ can_setfscreate(udev_t)
 
 allow udev_t kernel_t:fd use;
 allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
+allow udev_t kernel_t:process signal;
 
 allow udev_t initrc_var_run_t:file r_file_perms;
 dontaudit udev_t initrc_var_run_t:file write;
diff --git a/strict/domains/program/xfs.te b/strict/domains/program/xfs.te
index 0c9e93f..04302cd 100644
--- a/strict/domains/program/xfs.te
+++ b/strict/domains/program/xfs.te
@@ -37,9 +37,8 @@ allow xfs_t xfs_tmp_t:unix_stream_socket name_bind;
 allow xfs_t self:unix_stream_socket create_stream_socket_perms;
 allow xfs_t self:unix_dgram_socket create_socket_perms;
 
-# Read /usr/X11R6/lib/X11/fonts/.* and /usr/share/fonts/.*
-allow xfs_t fonts_t:dir search;
-allow xfs_t fonts_t:file { getattr read };
+# Read fonts
+read_fonts(xfs_t)
 
 # Unlink the xfs socket.
 allow initrc_t xfs_tmp_t:dir rw_dir_perms;
diff --git a/strict/file_contexts/program/amavis.fc b/strict/file_contexts/program/amavis.fc
index 12a2064..366da33 100644
--- a/strict/file_contexts/program/amavis.fc
+++ b/strict/file_contexts/program/amavis.fc
@@ -4,3 +4,5 @@
 /var/log/amavisd\.log 		--	system_u:object_r:amavisd_log_t
 /var/lib/amavis(/.*)?	 		system_u:object_r:amavisd_lib_t
 /var/run/amavis(/.*)?	 		system_u:object_r:amavisd_var_run_t
+/var/amavis(/.*)?	 		system_u:object_r:amavisd_lib_t
+/var/virusmails(/.*)?	 		system_u:object_r:amavisd_quarantine_t
diff --git a/strict/file_contexts/program/apache.fc b/strict/file_contexts/program/apache.fc
index 4fe5dac..444c3f0 100644
--- a/strict/file_contexts/program/apache.fc
+++ b/strict/file_contexts/program/apache.fc
@@ -1,6 +1,7 @@
 # apache
 HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t
 /var/www(/.*)?			system_u:object_r:httpd_sys_content_t
+/srv/([^/]*/)?www(/.*)?		system_u:object_r:httpd_sys_content_t
 /var/www/cgi-bin(/.*)?		system_u:object_r:httpd_sys_script_exec_t
 /usr/lib/cgi-bin(/.*)?		system_u:object_r:httpd_sys_script_exec_t
 /var/www/perl(/.*)?		system_u:object_r:httpd_sys_script_exec_t
@@ -15,7 +16,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_
 /usr/lib(64)?/apache(/.*)?		system_u:object_r:httpd_modules_t
 /usr/lib(64)?/apache2/modules(/.*)?	system_u:object_r:httpd_modules_t
 /usr/lib(64)?/httpd(/.*)?		system_u:object_r:httpd_modules_t
-/usr/sbin/httpd		--	system_u:object_r:httpd_exec_t
+/usr/sbin/httpd(\.worker)?	--	system_u:object_r:httpd_exec_t
 /usr/sbin/apache(2)?	--	system_u:object_r:httpd_exec_t
 /usr/sbin/suexec	--	system_u:object_r:httpd_suexec_exec_t
 /usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- system_u:object_r:httpd_suexec_exec_t
@@ -36,7 +37,8 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_
 /var/run/gcache_port	-s	system_u:object_r:httpd_var_run_t
 ifdef(`distro_suse', `
 # suse puts shell scripts there :-(
-/usr/share/apache2/[^/]*       --      system_u:object_r:bin_t
+/usr/share/apache2/[^/]*	--	system_u:object_r:bin_t
+/usr/sbin/httpd2-.*		--	system_u:object_r:httpd_exec_t
 ')
 /var/lib/squirrelmail/prefs(/.*)?	system_u:object_r:httpd_squirrelmail_t
 /var/spool/squirrelmail(/.*)?	system_u:object_r:squirrelmail_spool_t
@@ -44,3 +46,9 @@ ifdef(`distro_suse', `
 /usr/share/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
 /var/lib/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
 /etc/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
+/var/spool/gosa(/.*)?		system_u:object_r:httpd_sys_script_rw_t
+ifdef(`targeted_policy', `', `
+/var/spool/cron/apache		-- 	system_u:object_r:user_cron_spool_t
+')
+/usr/sbin/apachectl		-- 	system_u:object_r:initrc_exec_t
+
diff --git a/strict/file_contexts/program/apmd.fc b/strict/file_contexts/program/apmd.fc
index da3c93a..9e6ce0d 100644
--- a/strict/file_contexts/program/apmd.fc
+++ b/strict/file_contexts/program/apmd.fc
@@ -1,9 +1,12 @@
 # apmd
 /usr/sbin/apmd		--	system_u:object_r:apmd_exec_t
 /usr/sbin/acpid		--	system_u:object_r:apmd_exec_t
+/usr/sbin/powersaved	--	system_u:object_r:apmd_exec_t
 /usr/bin/apm		--	system_u:object_r:apm_exec_t
 /var/run/apmd\.pid	--	system_u:object_r:apmd_var_run_t
 /var/run/\.?acpid\.socket	-s	system_u:object_r:apmd_var_run_t
+/var/run/powersaved\.pid	--	system_u:object_r:apmd_var_run_t
+/var/run/powersave_socket	-s	system_u:object_r:apmd_var_run_t
 /var/log/acpid		--	system_u:object_r:apmd_log_t
 ifdef(`distro_suse', `
 /var/lib/acpi(/.*)?		system_u:object_r:apmd_var_lib_t
diff --git a/strict/file_contexts/program/crack.fc b/strict/file_contexts/program/crack.fc
index fac9bd6..7d99136 100644
--- a/strict/file_contexts/program/crack.fc
+++ b/strict/file_contexts/program/crack.fc
@@ -1,4 +1,6 @@
 # crack - for password checking
+/usr/sbin/cracklib-[a-z]*	--	system_u:object_r:crack_exec_t
 /usr/sbin/crack_[a-z]*	--	system_u:object_r:crack_exec_t
 /var/cache/cracklib(/.*)?	system_u:object_r:crack_db_t
 /usr/lib(64)?/cracklib_dict.* --	system_u:object_r:crack_db_t
+/usr/share/cracklib(/.*)?	system_u:object_r:crack_db_t
diff --git a/strict/file_contexts/program/dhcpc.fc b/strict/file_contexts/program/dhcpc.fc
index 4085e1d..1390839 100644
--- a/strict/file_contexts/program/dhcpc.fc
+++ b/strict/file_contexts/program/dhcpc.fc
@@ -6,6 +6,7 @@
 /sbin/dhcpcd		--	system_u:object_r:dhcpc_exec_t
 /sbin/dhclient.*	--	system_u:object_r:dhcpc_exec_t
 /var/lib/dhcp(3)?/dhclient.*	system_u:object_r:dhcpc_state_t
+/var/lib/dhcpcd(/.*)?		system_u:object_r:dhcpc_state_t
 /var/run/dhclient.*\.pid --	system_u:object_r:dhcpc_var_run_t
 /var/run/dhclient.*\.leases --	system_u:object_r:dhcpc_var_run_t
 # pump
diff --git a/strict/file_contexts/program/fsadm.fc b/strict/file_contexts/program/fsadm.fc
index f755f4a..5d42601 100644
--- a/strict/file_contexts/program/fsadm.fc
+++ b/strict/file_contexts/program/fsadm.fc
@@ -1,6 +1,7 @@
 # fs admin utilities
 /sbin/fsck.*		--	system_u:object_r:fsadm_exec_t
 /sbin/mkfs.*		--	system_u:object_r:fsadm_exec_t
+/sbin/mkfs\.cramfs	--	system_u:object_r:sbin_t
 /sbin/e2fsck		--	system_u:object_r:fsadm_exec_t
 /sbin/mkdosfs		--	system_u:object_r:fsadm_exec_t
 /sbin/dosfsck		--	system_u:object_r:fsadm_exec_t
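Review bot: `/sbin/mkfs\.cramfs -- system_u:object_r:sbin_t` carves a single mkfs variant out of the `/sbin/mkfs.* -- fsadm_exec_t` entry immediately above it, and nothing says why. The longer literal prefix makes it win over the wildcard entry, but two adjacent entries giving different types to what looks like the same program will read as a mistake; add a comment such as `# mkfs.cramfs builds an image from a directory and does not need fsadm_t`, if that is the rationale, or whatever the actual reason is.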
@@ -19,9 +20,11 @@
 /sbin/parted		--	system_u:object_r:fsadm_exec_t
 /sbin/tune2fs		--	system_u:object_r:fsadm_exec_t
 /sbin/dumpe2fs		--	system_u:object_r:fsadm_exec_t
+/sbin/dump		--	system_u:object_r:fsadm_exec_t
 /sbin/swapon.*		--	system_u:object_r:fsadm_exec_t
 /sbin/hdparm		--	system_u:object_r:fsadm_exec_t
 /sbin/raidstart		--	system_u:object_r:fsadm_exec_t
+/sbin/raidautorun	--	system_u:object_r:fsadm_exec_t
 /sbin/mkraid		--	system_u:object_r:fsadm_exec_t
 /sbin/blockdev		--	system_u:object_r:fsadm_exec_t
 /sbin/losetup.*		--	system_u:object_r:fsadm_exec_t
diff --git a/strict/file_contexts/program/ftpd.fc b/strict/file_contexts/program/ftpd.fc
index 0260197..6865fc5 100644
--- a/strict/file_contexts/program/ftpd.fc
+++ b/strict/file_contexts/program/ftpd.fc
@@ -13,3 +13,4 @@
 /var/log/xferreport.*	--	system_u:object_r:xferlog_t
 /etc/cron\.monthly/proftpd --	system_u:object_r:ftpd_exec_t
 /var/ftp(/.*)?			system_u:object_r:ftpd_anon_t
+/srv/([^/]*/)?ftp(/.*)?		system_u:object_r:ftpd_anon_t
diff --git a/strict/file_contexts/program/getty.fc b/strict/file_contexts/program/getty.fc
index f908221..0da4b32 100644
--- a/strict/file_contexts/program/getty.fc
+++ b/strict/file_contexts/program/getty.fc
@@ -1,3 +1,5 @@
 # getty
 /sbin/.*getty		--	system_u:object_r:getty_exec_t
 /etc/mgetty(/.*)?		system_u:object_r:getty_etc_t
+/var/run/mgetty\.pid.*	--	system_u:object_r:getty_var_run_t
+/var/log/mgetty\.log.*	--	system_u:object_r:getty_log_t
diff --git a/strict/file_contexts/program/gpg.fc b/strict/file_contexts/program/gpg.fc
index 1cc9508..650df0c 100644
--- a/strict/file_contexts/program/gpg.fc
+++ b/strict/file_contexts/program/gpg.fc
@@ -1,5 +1,7 @@
 # gpg
 HOME_DIR/\.gnupg(/.+)?	system_u:object_r:ROLE_gpg_secret_t
-/usr/bin/gpg		--	system_u:object_r:gpg_exec_t
+/usr/bin/gpg(2)?		--	system_u:object_r:gpg_exec_t
 /usr/bin/kgpg		--	system_u:object_r:gpg_exec_t
-/usr/lib/gnupg/gpgkeys.*	--	system_u:object_r:gpg_helper_exec_t
+/usr/lib/gnupg/.*	--	system_u:object_r:gpg_exec_t
+/usr/lib/gnupg/gpgkeys.*	--  system_u:object_r:gpg_helper_exec_t
+
diff --git a/strict/file_contexts/program/iceauth.fc b/strict/file_contexts/program/iceauth.fc
new file mode 100644
index 0000000..31bf1f3
--- /dev/null
+++ b/strict/file_contexts/program/iceauth.fc
@@ -0,0 +1,3 @@
+# iceauth
+/usr/X11R6/bin/iceauth	--      system_u:object_r:iceauth_exec_t
+HOME_DIR/\.ICEauthority.* --      system_u:object_r:ROLE_iceauth_home_t
diff --git a/strict/file_contexts/program/initrc.fc b/strict/file_contexts/program/initrc.fc
index b23d55e..45ea6cf 100644
--- a/strict/file_contexts/program/initrc.fc
+++ b/strict/file_contexts/program/initrc.fc
@@ -19,6 +19,9 @@ ifdef(`distro_suse', `
 /var/run/sysconfig(/.*)?	system_u:object_r:initrc_var_run_t
 /var/run/keymap		--	system_u:object_r:initrc_var_run_t
 /var/run/numlock-on	--	system_u:object_r:initrc_var_run_t
+/var/run/setleds-on	--	system_u:object_r:initrc_var_run_t
+/var/run/bootsplashctl	-p	system_u:object_r:initrc_var_run_t
+/etc/init\.d/\.depend.*	--	system_u:object_r:etc_runtime_t
 ')
 
 ifdef(`distro_gentoo', `
@@ -35,5 +38,11 @@ ifdef(`distro_gentoo', `
 /etc/nohotplug		--	system_u:object_r:etc_runtime_t
 ifdef(`distro_redhat', `
 /halt			--	system_u:object_r:etc_runtime_t
+/fastboot 		--	system_u:object_r:etc_runtime_t
+/fsckoptions 		--	system_u:object_r:etc_runtime_t
+/forcefsck 		--	system_u:object_r:etc_runtime_t
+/poweroff		--	system_u:object_r:etc_runtime_t
 /\.autofsck		--	system_u:object_r:etc_runtime_t
+/\.autorelabel		--	system_u:object_r:etc_runtime_t
 ')
+
diff --git a/strict/mls b/strict/mls
index 5f50906..ef20c21 100644
--- a/strict/mls
+++ b/strict/mls
@@ -730,3 +730,4 @@ mlsconstrain xextension use
 
 # these access vectors have no MLS restrictions
 # association { sendto recvfrom }
+
diff --git a/strict/net_contexts b/strict/net_contexts
index 49f6862..fd10f9b 100644
--- a/strict/net_contexts
+++ b/strict/net_contexts
@@ -17,7 +17,6 @@
 # protocol number context
 # protocol low-high context
 #
-ifdef(`inetd.te', `
 portcon tcp 7 system_u:object_r:inetd_child_port_t
 portcon udp 7 system_u:object_r:inetd_child_port_t
 portcon tcp 9 system_u:object_r:inetd_child_port_t
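Review bot: Removing the `ifdef(`inetd.te', ...)` guard makes these `portcon` entries unconditional, and the four following net_contexts hunks do the same for every other daemon's ports; each `portcon` now references its port type (`inetd_child_port_t`, `ftp_port_t`, `ssh_port_t`, and so on through `zope_port_t`) regardless of whether the owning .te file is compiled in. That only builds if the port types are declared centrally rather than in the daemon files, as the syslogd.te hunk's removal of `type syslogd_port_t ...` suggests; the declaring file is not in this chunk, so verify that every type named in net_contexts has an unconditional declaration. A header comment recording the new convention, `# port types are declared unconditionally in <types file>; portcon entries need no ifdef guards`, would save the next contributor from re-adding guards.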
@@ -37,42 +36,47 @@ portcon udp 891 system_u:object_r:inetd_child_port_t
 portcon tcp 892 system_u:object_r:inetd_child_port_t
 portcon udp 892 system_u:object_r:inetd_child_port_t
 portcon tcp 2105 system_u:object_r:inetd_child_port_t
-')
-ifdef(`ftpd.te', `
 portcon tcp 20 system_u:object_r:ftp_data_port_t
 portcon tcp 21 system_u:object_r:ftp_port_t
-')
-ifdef(`ssh.te', `portcon tcp 22 system_u:object_r:ssh_port_t')
-ifdef(`inetd.te', `portcon tcp 23 system_u:object_r:telnetd_port_t')
-ifdef(`mta.te', `
+portcon tcp 22 system_u:object_r:ssh_port_t
+portcon tcp 23 system_u:object_r:telnetd_port_t
+
 portcon tcp 25 system_u:object_r:smtp_port_t
 portcon tcp 465 system_u:object_r:smtp_port_t
 portcon tcp 587 system_u:object_r:smtp_port_t
-')
-ifdef(`use_dns', `
+
+portcon udp 500 system_u:object_r:isakmp_port_t
 portcon udp 53 system_u:object_r:dns_port_t
 portcon tcp 53 system_u:object_r:dns_port_t
-')
-ifdef(`use_dhcpd', `portcon udp 67  system_u:object_r:dhcpd_port_t')
-ifdef(`dhcpc.te', `portcon udp 68  system_u:object_r:dhcpc_port_t')
-ifdef(`tftpd.te', `portcon udp 69  system_u:object_r:tftp_port_t')
-ifdef(`fingerd.te', `portcon tcp 79  system_u:object_r:fingerd_port_t')
-ifdef(`apache.te', `
+
+portcon udp 67  system_u:object_r:dhcpd_port_t
+portcon udp 68  system_u:object_r:dhcpc_port_t
+portcon udp 70 system_u:object_r:gopher_port_t
+portcon tcp 70 system_u:object_r:gopher_port_t
+
+portcon udp 69  system_u:object_r:tftp_port_t
+portcon tcp 79  system_u:object_r:fingerd_port_t
+
 portcon tcp 80  system_u:object_r:http_port_t
 portcon tcp 443  system_u:object_r:http_port_t
-')
-ifdef(`use_pop', `
+portcon tcp 488  system_u:object_r:http_port_t
+portcon tcp 8008  system_u:object_r:http_port_t
+
 portcon tcp 106 system_u:object_r:pop_port_t
 portcon tcp 109 system_u:object_r:pop_port_t
 portcon tcp 110 system_u:object_r:pop_port_t
-')
-ifdef(`portmap.te', `
+portcon tcp 143 system_u:object_r:pop_port_t
+portcon tcp 220 system_u:object_r:pop_port_t
+portcon tcp 993 system_u:object_r:pop_port_t
+portcon tcp 995 system_u:object_r:pop_port_t
+portcon tcp 1109 system_u:object_r:pop_port_t
+
 portcon udp 111 system_u:object_r:portmap_port_t
 portcon tcp 111 system_u:object_r:portmap_port_t
-')
-ifdef(`innd.te', `portcon tcp 119 system_u:object_r:innd_port_t')
-ifdef(`ntpd.te', `portcon udp 123 system_u:object_r:ntp_port_t')
-ifdef(`samba.te', `
+
+portcon tcp 119 system_u:object_r:innd_port_t
+portcon udp 123 system_u:object_r:ntp_port_t
+
 portcon tcp 137 system_u:object_r:smbd_port_t
 portcon udp 137 system_u:object_r:nmbd_port_t
 portcon tcp 138 system_u:object_r:smbd_port_t
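Review bot: The new entries break the ascending port order the rest of the file follows: `portcon udp 500 system_u:object_r:isakmp_port_t` is placed ahead of the port 53 DNS lines, and `portcon udp 70`/`tcp 70 ... gopher_port_t` sit before `udp 69 ... tftp_port_t`. This file is scanned by hand when a bind denial is investigated, so keep the numeric order, or at least move the isakmp line next to the other 5xx entries. Layout only; the labels themselves are consistent with the daemon hunks.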
@@ -80,39 +84,26 @@ portcon udp 138 system_u:object_r:nmbd_port_t
 portcon tcp 139 system_u:object_r:smbd_port_t
 portcon udp 139 system_u:object_r:nmbd_port_t
 portcon tcp 445 system_u:object_r:smbd_port_t
-')
-ifdef(`use_pop', `
-portcon tcp 143 system_u:object_r:pop_port_t
-portcon tcp 220 system_u:object_r:pop_port_t
-')
-ifdef(`snmpd.te', `
+
 portcon udp 161 system_u:object_r:snmp_port_t
 portcon udp 162 system_u:object_r:snmp_port_t
 portcon tcp 199 system_u:object_r:snmp_port_t
-')
-ifdef(`comsat.te', `
 portcon udp 512 system_u:object_r:comsat_port_t
-')
-ifdef(`slapd.te', `
+
 portcon tcp 389 system_u:object_r:ldap_port_t
 portcon udp 389 system_u:object_r:ldap_port_t
 portcon tcp 636 system_u:object_r:ldap_port_t
 portcon udp 636 system_u:object_r:ldap_port_t
-')
-ifdef(`rlogind.te', `portcon tcp 513 system_u:object_r:rlogind_port_t')
-ifdef(`rshd.te', `portcon tcp 514 system_u:object_r:rsh_port_t')
-ifdef(`lpd.te', `portcon tcp 515 system_u:object_r:printer_port_t')
-ifdef(`syslogd.te', `
+
+portcon tcp 513 system_u:object_r:rlogind_port_t
+portcon tcp 514 system_u:object_r:rsh_port_t
+
+portcon tcp 515 system_u:object_r:printer_port_t
 portcon udp 514 system_u:object_r:syslogd_port_t
-')
-ifdef(`ktalkd.te', `
 portcon udp 517 system_u:object_r:ktalkd_port_t
 portcon udp 518 system_u:object_r:ktalkd_port_t
-')
-ifdef(`cups.te', `
 portcon tcp 631 system_u:object_r:ipp_port_t
 portcon udp 631 system_u:object_r:ipp_port_t
-')
 portcon tcp 88 system_u:object_r:kerberos_port_t
 portcon udp 88 system_u:object_r:kerberos_port_t
 portcon tcp 464 system_u:object_r:kerberos_admin_port_t
@@ -122,66 +113,57 @@ portcon tcp 750 system_u:object_r:kerberos_port_t
 portcon udp 750 system_u:object_r:kerberos_port_t
 portcon tcp 4444 system_u:object_r:kerberos_master_port_t
 portcon udp 4444 system_u:object_r:kerberos_master_port_t
-ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t')
-ifdef(`rsync.te', `
+portcon tcp 783 system_u:object_r:spamd_port_t
+portcon tcp 540 system_u:object_r:uucpd_port_t
+portcon tcp 2401 system_u:object_r:cvs_port_t
+portcon udp 2401 system_u:object_r:cvs_port_t
 portcon tcp 873 system_u:object_r:rsync_port_t
 portcon udp 873 system_u:object_r:rsync_port_t
-')
-ifdef(`swat.te', `portcon tcp 901 system_u:object_r:swat_port_t')
-ifdef(`named.te', `portcon tcp 953 system_u:object_r:rndc_port_t')
-ifdef(`use_pop', `
-portcon tcp 993 system_u:object_r:pop_port_t
-portcon tcp 995 system_u:object_r:pop_port_t
-portcon tcp 1109 system_u:object_r:pop_port_t
-')
-ifdef(`nessusd.te', `portcon tcp 1241 system_u:object_r:nessus_port_t')
-ifdef(`monopd.te', `portcon tcp 1234 system_u:object_r:monopd_port_t')
-ifdef(`radius.te', `
+portcon tcp 901 system_u:object_r:swat_port_t
+portcon tcp 953 system_u:object_r:rndc_port_t
+portcon tcp 1213 system_u:object_r:giftd_port_t
+portcon tcp 1241 system_u:object_r:nessus_port_t
+portcon tcp 1234 system_u:object_r:monopd_port_t
 portcon udp 1645 system_u:object_r:radius_port_t
 portcon udp 1646 system_u:object_r:radacct_port_t
 portcon udp 1812 system_u:object_r:radius_port_t
 portcon udp 1813 system_u:object_r:radacct_port_t
-')
-ifdef(`dbskkd.te', `portcon tcp 1178 system_u:object_r:dbskkd_port_t')
-ifdef(`gatekeeper.te', `
 portcon udp 1718 system_u:object_r:gatekeeper_port_t
 portcon udp 1719 system_u:object_r:gatekeeper_port_t
 portcon tcp 1721 system_u:object_r:gatekeeper_port_t
 portcon tcp 7000 system_u:object_r:gatekeeper_port_t
-')
-ifdef(`asterisk.te', `
+portcon tcp 2040 system_u:object_r:afs_fs_port_t
+portcon udp 7000 system_u:object_r:afs_fs_port_t
+portcon udp 7002 system_u:object_r:afs_pt_port_t
+portcon udp 7003 system_u:object_r:afs_vl_port_t
+portcon udp 7004 system_u:object_r:afs_ka_port_t
+portcon udp 7005 system_u:object_r:afs_fs_port_t
+portcon udp 7007 system_u:object_r:afs_bos_port_t
 portcon tcp 1720 system_u:object_r:asterisk_port_t
 portcon udp 2427 system_u:object_r:asterisk_port_t
 portcon udp 2727 system_u:object_r:asterisk_port_t
 portcon udp 4569 system_u:object_r:asterisk_port_t
 portcon udp 5060 system_u:object_r:asterisk_port_t
-')
 portcon tcp 2000 system_u:object_r:mail_port_t
-ifdef(`zebra.te', `portcon tcp 2601 system_u:object_r:zebra_port_t')
-ifdef(`dictd.te', `portcon tcp 2628 system_u:object_r:dict_port_t')
-ifdef(`mysqld.te', `portcon tcp 3306 system_u:object_r:mysqld_port_t')
-ifdef(`distcc.te', `portcon tcp 3632 system_u:object_r:distccd_port_t')
-ifdef(`use_pxe', `portcon udp 4011 system_u:object_r:pxe_port_t')
-ifdef(`openvpn.te', `portcon udp 5000 system_u:object_r:openvpn_port_t')
-ifdef(`imazesrv.te',`
+portcon tcp 2601 system_u:object_r:zebra_port_t
+portcon tcp 2628 system_u:object_r:dict_port_t
+portcon tcp 3306 system_u:object_r:mysqld_port_t
+portcon tcp 3632 system_u:object_r:distccd_port_t
+portcon udp 4011 system_u:object_r:pxe_port_t
+portcon udp 5000 system_u:object_r:openvpn_port_t
 portcon tcp 5323 system_u:object_r:imaze_port_t
 portcon udp 5323 system_u:object_r:imaze_port_t
-')
-ifdef(`howl.te', `
 portcon tcp 5335 system_u:object_r:howl_port_t
 portcon udp 5353 system_u:object_r:howl_port_t
-')
-ifdef(`jabberd.te', `
 portcon tcp 5222 system_u:object_r:jabber_client_port_t
 portcon tcp 5223 system_u:object_r:jabber_client_port_t
 portcon tcp 5269 system_u:object_r:jabber_interserver_port_t
-')
-ifdef(`postgresql.te', `portcon tcp 5432 system_u:object_r:postgresql_port_t')
-ifdef(`nrpe.te', `portcon tcp 5666 system_u:object_r:inetd_child_port_t')
-ifdef(`xdm.te', `
+portcon tcp 5432 system_u:object_r:postgresql_port_t
+portcon tcp 5666 system_u:object_r:inetd_child_port_t
+portcon tcp 5703 system_u:object_r:ptal_port_t
+portcon tcp 50000 system_u:object_r:hplip_port_t
+portcon tcp 50002 system_u:object_r:hplip_port_t
 portcon tcp 5900  system_u:object_r:vnc_port_t 
-')
-ifdef(`use_x_ports', `
 portcon tcp 6000  system_u:object_r:xserver_port_t
 portcon tcp 6001  system_u:object_r:xserver_port_t
 portcon tcp 6002  system_u:object_r:xserver_port_t
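Review bot: `portcon udp 7007 system_u:object_r:afs_bos_port_t` takes over UDP 7007, which the next hunk stops labeling as `cipe_port_t` (the removed `ifdef(`ciped.te', ...)` line). Any domain that was allowed to bind `cipe_port_t` on that port will now be denied unless ciped.te is updated elsewhere in this commit, and the reassignment is not mentioned anywhere. Either keep UDP 7007 as `cipe_port_t`, or add a comment such as `# udp 7007 was cipe_port_t; CIPE and the AFS bosserver share this port` and adjust ciped.te to match.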
@@ -202,29 +184,34 @@ portcon tcp 6016  system_u:object_r:xserver_port_t
 portcon tcp 6017  system_u:object_r:xserver_port_t
 portcon tcp 6018  system_u:object_r:xserver_port_t
 portcon tcp 6019  system_u:object_r:xserver_port_t
-')
-ifdef(`ircd.te', `portcon tcp 6667 system_u:object_r:ircd_port_t')
-ifdef(`ciped.te', `portcon udp 7007 system_u:object_r:cipe_port_t')
-ifdef(`sound-server.te', `
+portcon tcp 6667 system_u:object_r:ircd_port_t
 portcon tcp 8000 system_u:object_r:soundd_port_t
 # 9433 is for YIFF
 portcon tcp 9433 system_u:object_r:soundd_port_t
-')
-ifdef(`use_http_cache', `
 portcon tcp 3128  system_u:object_r:http_cache_port_t
 portcon tcp 8080  system_u:object_r:http_cache_port_t
 portcon udp 3130  system_u:object_r:http_cache_port_t
-')
-ifdef(`transproxy.te', `portcon tcp 8081 system_u:object_r:transproxy_port_t')
-ifdef(`amanda.te', `
+# 8118 is for privoxy
+portcon tcp 8118  system_u:object_r:http_cache_port_t
+
+portcon udp 4041 system_u:object_r:clockspeed_port_t
+portcon tcp 8081 system_u:object_r:transproxy_port_t
 portcon udp 10080 system_u:object_r:amanda_port_t
 portcon tcp 10080 system_u:object_r:amanda_port_t
 portcon udp 10081 system_u:object_r:amanda_port_t
 portcon tcp 10081 system_u:object_r:amanda_port_t
 portcon tcp 10082 system_u:object_r:amanda_port_t
 portcon tcp 10083 system_u:object_r:amanda_port_t
-')
-ifdef(`postgrey.te', `portcon tcp 60000 system_u:object_r:postgrey_port_t')
+portcon tcp 60000 system_u:object_r:postgrey_port_t
+
+portcon tcp 10024 system_u:object_r:amavisd_recv_port_t
+portcon tcp 10025 system_u:object_r:amavisd_send_port_t
+portcon tcp 3310 system_u:object_r:clamd_port_t
+portcon udp 6276 system_u:object_r:dcc_port_t
+portcon udp 6277 system_u:object_r:dcc_port_t
+portcon udp 24441 system_u:object_r:pyzor_port_t
+portcon tcp 2703 system_u:object_r:razor_port_t
+portcon tcp 8021 system_u:object_r:zope_port_t
 
 # Defaults for reserved ports.  Earlier portcon entries take precedence;
 # these entries just cover any remaining reserved ports not otherwise 
diff --git a/strict/types/device.te b/strict/types/device.te
index 35836e2..ffa6c11 100644
--- a/strict/types/device.te
+++ b/strict/types/device.te
@@ -10,7 +10,7 @@
 #
 # device_t is the type of /dev.
 #
-type device_t, file_type, dev_fs;
+type device_t, file_type, mount_point, dev_fs;
 
 #
 # null_device_t is the type of /dev/null.
@@ -154,3 +154,10 @@ type cpu_device_t, device_type, dev_fs;
 
 # for other device nodes such as the NVidia binary-only driver
 type xserver_misc_device_t, device_type, dev_fs;
+
+# for the IBM zSeries z90crypt hardware ssl accelorator
+type crypt_device_t, device_type, dev_fs;
+
+
+
+
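Review bot: The four empty `+` lines appended after the new `type crypt_device_t` declaration are trailing-whitespace noise that every later diff of device.te will drag along; the file should end right after the declaration. The comment above it also misspells the hardware name, so I would write it as `# for the IBM zSeries z90crypt hardware ssl accelerator`. Whether dev_fs/device_type are the right attributes for this node cannot be judged from the hunk alone, since the z90crypt file context is not part of this diff.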
diff --git a/strict/types/devpts.te b/strict/types/devpts.te
index b50cd55..56b8dde 100644
--- a/strict/types/devpts.te
+++ b/strict/types/devpts.te
@@ -10,12 +10,12 @@
 #
 # ptmx_t is the type for /dev/ptmx.
 #
-type ptmx_t, sysadmfile, device_type, dev_fs;
+type ptmx_t, sysadmfile, device_type, dev_fs, mlstrustedobject;
 
 #
 # devpts_t is the type of the devpts file system and 
 # the type of the root directory of the file system.
 #
-type devpts_t, fs_type;
+type devpts_t, mount_point, fs_type;
 
 
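Review bot: The `mlstrustedobject` attribute added to `type ptmx_t` is a security-relevant change that the comment block above it does not explain: as far as I understand the MLS constraints, objects carrying that attribute are exempted from the usual level-dominance checks, so processes at any MLS level may open /dev/ptmx. The reason belongs next to the declaration, e.g. `# mlstrustedobject: /dev/ptmx must be openable at every MLS level so any process can allocate a pty`. Where the attribute itself is defined is outside this hunk, so I cannot confirm the exact exemption it grants.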
diff --git a/strict/types/file.te b/strict/types/file.te
index 0df034a..d6bc8a9 100644
--- a/strict/types/file.te
+++ b/strict/types/file.te
@@ -23,37 +23,37 @@ type fs_t, fs_type;
 type eventpollfs_t, fs_type;
 type futexfs_t, fs_type;
 type bdev_t, fs_type;
-type usbfs_t, fs_type;
+type usbfs_t, mount_point, fs_type;
 type nfsd_fs_t, fs_type;
 type rpc_pipefs_t, fs_type;
-type binfmt_misc_fs_t, fs_type;
+type binfmt_misc_fs_t, mount_point, fs_type;
 
 #
 # file_t is the default type of a file that has not yet been
 # assigned an extended attribute (EA) value (when using a filesystem
 # that supports EAs).
 #
-type file_t, file_type, sysadmfile;
+type file_t, file_type, mount_point, sysadmfile;
 
 # default_t is the default type for files that do not
 # match any specification in the file_contexts configuration
 # other than the generic /.* specification.
-type default_t, file_type, sysadmfile;
+type default_t, file_type, mount_point, sysadmfile;
 
 #
 # root_t is the type for the root directory.
 #
-type root_t, file_type, sysadmfile;
+type root_t, file_type, mount_point, polyparent, sysadmfile;
 
 #
 # mnt_t is the type for mount points such as /mnt/cdrom
-type mnt_t, file_type, sysadmfile;
+type mnt_t, file_type, mount_point, sysadmfile;
 
 #
 # home_root_t is the type for the directory where user home directories
 # are created
 #
-type home_root_t, file_type, sysadmfile;
+type home_root_t, file_type, mount_point, polyparent, sysadmfile;
 
 #
 # lost_found_t is the type for the lost+found directories.
@@ -64,7 +64,7 @@ type lost_found_t, file_type, sysadmfile;
 # boot_t is the type for files in /boot,
 # including the kernel.
 #
-type boot_t, file_type, sysadmfile;
+type boot_t, file_type, mount_point, sysadmfile;
 # system_map_t is for the system.map files in /boot
 type system_map_t, file_type, sysadmfile;
 
@@ -77,7 +77,7 @@ type boot_runtime_t, file_type, sysadmfile;
 #
 # tmp_t is the type of /tmp and /var/tmp.
 #
-type tmp_t, file_type, sysadmfile, tmpfile;
+type tmp_t, file_type, mount_point, sysadmfile, polydir, tmpfile;
 
 #
 # etc_t is the type of the system etc directories.
@@ -137,7 +137,11 @@ type shlib_t, file_type, sysadmfile;
 # texrel_shlib_t is the type of shared objects in the system lib
 # directories, which require text relocation.
 #
+ifdef(`targeted_policy', `
+typealias lib_t alias texrel_shlib_t;
+', `
 type texrel_shlib_t, file_type, sysadmfile;
+')
 
 # ld_so_t is the type of the system dynamic loaders.
 #
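Review bot: Under `targeted_policy` the new `typealias lib_t alias texrel_shlib_t;` folds text-relocating shared objects into lib_t, which removes exactly the distinction the preceding comment describes; any `execmod` permission a module grants on texrel_shlib_t will, if I read the aliasing right, then apply to every object labelled lib_t. If that widening is intended for the targeted policy, the comment should say so, e.g. `# targeted policy does not separate text-relocating libraries: texrel_shlib_t is an alias of lib_t, so execmod granted on it covers all of lib_t`. The `ld_so_t` text that follows is the next definition, so nothing else in the hunk is affected.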
@@ -171,26 +175,27 @@ type sbin_t, file_type, sysadmfile;
 #
 # usr_t is the type for /usr.
 #
-type usr_t, file_type, sysadmfile;
+type usr_t, file_type, mount_point, sysadmfile;
 
 #
 # src_t is the type of files in the system src directories.
 #
-type src_t, file_type, sysadmfile;
+type src_t, file_type, mount_point, sysadmfile;
 
 #
 # var_t is the type for /var.
 #
-type var_t, file_type,  sysadmfile;
+type var_t, file_type, mount_point, sysadmfile;
 
 #
 # Types for subdirectories of /var.
 #
 type var_run_t, file_type, sysadmfile;
 type var_log_t, file_type, sysadmfile, logfile;
+typealias var_log_t alias crond_log_t;
 type faillog_t, file_type, sysadmfile, logfile;
 type var_lock_t, file_type, sysadmfile, lockfile;
-type var_lib_t, file_type, sysadmfile;
+type var_lib_t, mount_point, file_type, sysadmfile;
 # for /var/{spool,lib}/texmf index files
 type tetex_data_t, file_type, sysadmfile, tmpfile;
 type var_spool_t, file_type, sysadmfile, tmpfile;
@@ -203,7 +208,7 @@ type var_log_ksyms_t, file_type, sysadmfile, logfile;
 type lastlog_t, file_type, sysadmfile, logfile;
 
 # Type for /var/lib/nfs.
-type var_lib_nfs_t, file_type, sysadmfile, usercanread;
+type var_lib_nfs_t, file_type, mount_point, sysadmfile, usercanread;
 
 #
 # wtmp_t is the type of /var/log/wtmp.
@@ -211,11 +216,6 @@ type var_lib_nfs_t, file_type, sysadmfile, usercanread;
 type wtmp_t, file_type, sysadmfile, logfile;
 
 #
-# catman_t is the type for /var/catman.
-#
-type catman_t, file_type, sysadmfile, tmpfile;
-
-#
 # cron_spool_t is the type for /var/spool/cron.
 #
 type cron_spool_t, file_type, sysadmfile;
@@ -239,6 +239,7 @@ type mqueue_spool_t, file_type, sysadmfile;
 # man_t is the type for the man directories.
 #
 type man_t, file_type, sysadmfile;
+typealias man_t alias catman_t;
 
 #
 # readable_t is a general type for
@@ -271,23 +272,23 @@ type locale_t, file_type, sysadmfile;
 # the default file system type.
 #
 allow { file_type device_type ttyfile } fs_t:filesystem associate;
-ifdef(`distro_redhat', `
-allow { dev_fs ttyfile } tmpfs_t:filesystem associate;
-')
 
 # Allow the pty to be associated with the file system.
 allow devpts_t self:filesystem associate;
 
 type tmpfs_t, file_type, sysadmfile, fs_type;
 allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate;
+ifdef(`distro_redhat', `
+allow { dev_fs ttyfile } { tmpfs_t tmp_t }:filesystem associate;
+')
 
 type autofs_t, fs_type, noexattrfile, sysadmfile;
 allow autofs_t self:filesystem associate;
 
-type usbdevfs_t, fs_type, noexattrfile, sysadmfile;
+type usbdevfs_t, fs_type, mount_point, noexattrfile, sysadmfile;
 allow usbdevfs_t self:filesystem associate;
 
-type sysfs_t, fs_type,  sysadmfile;
+type sysfs_t, mount_point, fs_type,  sysadmfile;
 allow sysfs_t self:filesystem associate;
 
 type iso9660_t, fs_type, noexattrfile, sysadmfile;
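Review bot: The relocated `distro_redhat` block does more than move: the rule now reads `allow { dev_fs ttyfile } { tmpfs_t tmp_t }:filesystem associate;`, so device nodes and tty files may additionally associate with filesystems labelled tmp_t, and nothing in the hunk records why. If this is for a tmpfs mounted with a tmp_t context (presumably the case, but not visible here), a comment in front of the ifdef would spare the next reader the guess, e.g. `# Red Hat mounts a tmpfs with a tmp_t context for device/tty files, so allow them to associate with it`; if it is not needed, the target should stay tmpfs_t as before.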
@@ -302,6 +303,12 @@ allow ramfs_t self:filesystem associate;
 type dosfs_t, fs_type, noexattrfile, sysadmfile;
 allow dosfs_t self:filesystem associate;
 
+type hugetlbfs_t, mount_point, fs_type,  sysadmfile;
+allow hugetlbfs_t self:filesystem associate;
+
+type mqueue_t, mount_point, fs_type,  sysadmfile;
+allow mqueue_t self:filesystem associate;
+
 # udev_runtime_t is the type of the udev table file
 type udev_runtime_t, file_type, sysadmfile;
 
@@ -310,7 +317,12 @@ type krb5_conf_t, file_type, sysadmfile;
 
 type cifs_t, fs_type, noexattrfile, sysadmfile;
 allow cifs_t self:filesystem associate;
-typealias cifs_t alias sambafs_t;
+
+type debugfs_t, fs_type, sysadmfile;
+allow debugfs_t self:filesystem associate;
+
+type inotifyfs_t, fs_type, sysadmfile;
+allow inotifyfs_t self:filesystem associate;
 
 # removable_t is the default type of all removable media
 type removable_t, file_type, sysadmfile, usercanread;
@@ -318,4 +330,11 @@ allow removable_t self:filesystem associate;
 allow file_type removable_t:filesystem associate;
 allow file_type noexattrfile:filesystem associate;
 
+# Type for anonymous FTP data, used by ftp and rsync
+type ftpd_anon_t, file_type, sysadmfile, customizable;
+
+allow customizable self:filesystem associate;
+
+# type for /tmp/.ICE-unix
+type ice_tmp_t, file_type, sysadmfile, tmpfile;
 
diff --git a/strict/types/network.te b/strict/types/network.te
index 39666ee..bf5ca67 100644
--- a/strict/types/network.te
+++ b/strict/types/network.te
@@ -8,50 +8,27 @@
 # Modified by Russell Coker
 # Move port types to their respective domains, add ifdefs, other cleanups.
 
-# generally we do not want to define port types in this file, but some things
-# are insanely difficult to do elsewhere, xserver_port_t is a good example
-# getting the type defined is the easy part for X, conditional code for many
-# other domains (including one that starts with a) is the hard part.
-ifdef(`xdm.te', `define(`use_x_ports')')
-ifdef(`startx.te', `define(`use_x_ports')')
-ifdef(`xauth.te', `define(`use_x_ports')')
-ifdef(`xserver.te', `define(`use_x_ports')')
-ifdef(`use_x_ports', `
 type xserver_port_t, port_type;
-')
 #
 # Defines used by the te files need to be defined outside of net_constraints
 #
-ifdef(`named.te', `define(`use_dns')')
-ifdef(`nsd.te', `define(`use_dns')')
-ifdef(`tinydns.te', `define(`use_dns')')
-ifdef(`dnsmasq.te', `define(`use_dns')')
-ifdef(`use_dns', `
-type dns_port_t, port_type;
-')
-
-ifdef(`dhcpd.te', `define(`use_dhcpd')')
-ifdef(`dnsmasq.te', `define(`use_dhcpd')')
-ifdef(`use_dhcpd', `
-type dhcpd_port_t, port_type;
-')
-
-ifdef(`cyrus.te', `define(`use_pop')')
-ifdef(`courier.te', `define(`use_pop')')
-ifdef(`perdition.te', `define(`use_pop')')
-ifdef(`dovecot.te', `define(`use_pop')')
-ifdef(`uwimapd.te', `define(`use_pop')')
-ifdef(`use_pop', `
+type rsh_port_t, port_type, reserved_port_type;
+type dns_port_t, port_type, reserved_port_type;
+type smtp_port_t, port_type, reserved_port_type;
+type dhcpd_port_t, port_type, reserved_port_type;
+type smbd_port_t, port_type, reserved_port_type;
+type nmbd_port_t, port_type, reserved_port_type;
+type http_cache_port_t, port_type, reserved_port_type;
+type http_port_t, port_type, reserved_port_type;
+type ipp_port_t, port_type, reserved_port_type;
+type gopher_port_t, port_type, reserved_port_type;
+type isakmp_port_t, port_type, reserved_port_type;
+
+allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;
 type pop_port_t, port_type, reserved_port_type;
-')
-ifdef(`apache.te', `define(`use_http_cache')')
-ifdef(`squid.te', `define(`use_http_cache')')
-ifdef(`use_http_cache', `
-type http_cache_port_t, port_type;
-')
 
-ifdef(`dhcpd.te', `define(`use_pxe')')
-ifdef(`pxe.te', `define(`use_pxe')')
+type ftp_port_t, port_type, reserved_port_type;
+type ftp_data_port_t, port_type, reserved_port_type;
 
 ############################################
 #
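Review bot: The new `allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;` sits in the middle of a run of type declarations, between isakmp_port_t and pop_port_t with ftp_port_t following it, so a reader auditing the port types will walk straight past an access rule; it also depends on `web_client_domain`, which is not declared anywhere in this hunk. Move the rule after the last port type declaration, or next to the kernel_t rules at the end of the file, and comment it, e.g. `# web clients may connect to web and proxy ports; web_client_domain is assigned by the client domains`. The "Defines used by the te files" comment block now sits between an unconditional xserver_port_t declaration and the reserved port types, and no longer describes anything — it can go or be reworded.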
@@ -71,6 +48,16 @@ type kerberos_admin_port_t, port_type, reserved_port_type;
 type kerberos_master_port_t, port_type;
 
 #
+# Ports used to communicate with portmap server
+#
+type portmap_port_t, port_type, reserved_port_type;
+
+#
+# Ports used to communicate with ldap server
+#
+type ldap_port_t, port_type, reserved_port_type;
+
+#
 # port_t is the default type of INET port numbers.
 # The *_port_t types are used for specific port
 # numbers in net_contexts or net_contexts.mls.
@@ -120,3 +107,79 @@ allow kernel_t node_type:node { rawip_send rawip_recv };
 # Kernel-generated traffic, e.g. TCP resets.
 allow kernel_t netif_type:netif { tcp_send tcp_recv };
 allow kernel_t node_type:node { tcp_send tcp_recv };
+type radius_port_t, port_type;
+type radacct_port_t, port_type;
+type rndc_port_t, port_type, reserved_port_type;
+type tftp_port_t, port_type, reserved_port_type;
+type printer_port_t, port_type, reserved_port_type;
+type mysqld_port_t, port_type;
+type postgresql_port_t, port_type;
+type ptal_port_t, port_type, reserved_port_type;
+type howl_port_t, port_type;
+type dict_port_t, port_type;
+type syslogd_port_t, port_type, reserved_port_type;
+type spamd_port_t, port_type, reserved_port_type;
+type ssh_port_t, port_type, reserved_port_type;
+type pxe_port_t, port_type;
+type amanda_port_t, port_type;
+type fingerd_port_t, port_type, reserved_port_type;
+type dhcpc_port_t, port_type, reserved_port_type;
+type ntp_port_t, port_type, reserved_port_type;
+type stunnel_port_t, port_type;
+type zebra_port_t, port_type;
+type i18n_input_port_t, port_type;
+type vnc_port_t, port_type;
+type openvpn_port_t, port_type;
+type clamd_port_t, port_type, reserved_port_type;
+type transproxy_port_t, port_type;
+type clockspeed_port_t, port_type;
+type pyzor_port_t, port_type, reserved_port_type;
+type postgrey_port_t, port_type;
+type asterisk_port_t, port_type;
+type utcpserver_port_t, port_type;
+type nessus_port_t, port_type;
+type razor_port_t, port_type;
+type distccd_port_t, port_type;
+type socks_port_t, port_type;
+type gatekeeper_port_t, port_type;
+type dcc_port_t, port_type;
+type lrrd_port_t, port_type;
+type jabber_client_port_t, port_type;
+type jabber_interserver_port_t, port_type;
+type ircd_port_t, port_type;
+type giftd_port_t, port_type;
+type soundd_port_t, port_type;
+type imaze_port_t, port_type;
+type monopd_port_t, port_type;
+# Differentiate between the port where amavisd receives mail, and the
+# port where it returns cleaned mail back to the MTA.
+type amavisd_recv_port_t, port_type;
+type amavisd_send_port_t, port_type;
+type innd_port_t, port_type, reserved_port_type;
+type snmp_port_t, port_type, reserved_port_type;
+type biff_port_t, port_type, reserved_port_type;
+type hplip_port_t, port_type;
+
+#inetd_child_ports
+
+type rlogind_port_t, port_type, reserved_port_type;
+type telnetd_port_t, port_type, reserved_port_type;
+type comsat_port_t, port_type, reserved_port_type;
+type cvs_port_t, port_type;
+type dbskkd_port_t, port_type, reserved_port_type;
+type inetd_child_port_t, port_type, reserved_port_type;
+type ktalkd_port_t, port_type, reserved_port_type;
+type rsync_port_t, port_type, reserved_port_type;
+type uucpd_port_t, port_type, reserved_port_type;
+type swat_port_t, port_type, reserved_port_type;
+type zope_port_t, port_type;
+type auth_port_t, port_type, reserved_port_type;
+
+# afs ports
+
+type afs_fs_port_t, port_type;
+type afs_pt_port_t, port_type;
+type afs_vl_port_t, port_type;
+type afs_ka_port_t, port_type;
+type afs_bos_port_t, port_type;
+
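Review bot: `clamd_port_t` and `pyzor_port_t` are declared with `reserved_port_type`, yet the net_contexts hunk earlier in this patch binds them to tcp 3310 and udp 24441, well outside the range the file's other reserved entries (ssh, syslogd, ntp, printer, rsync) occupy; if reserved_port_type is meant to gate the privileged (<1024) range, as the "Defaults for reserved ports" comment in that hunk suggests, these two should be `type clamd_port_t, port_type;` and `type pyzor_port_t, port_type;`. The block also appends some seventy declarations after the kernel_t netif/node rules rather than beside the existing port types above, which makes the file hard to audit, and the trailing empty `+` line can be dropped. The enclosing file continues past this hunk only by the lines shown, so the placement is a matter of this hunk alone.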

