[selinux-policy: 658/3172] more merging from nsa cvs
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:01:48 UTC 2010
commit a0824843c2e6a485abfaadd9e5bf8964051c183a
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Sep 16 13:36:26 2005 +0000
more merging from nsa cvs
refpolicy/Changelog | 1 +
refpolicy/Makefile | 9 +-
refpolicy/Rules.modular | 2 +-
refpolicy/Rules.monolithic | 2 +-
refpolicy/policy/global_tunables | 3 +
refpolicy/policy/mcs | 215 +++++++++++++++++++++
refpolicy/policy/modules/admin/firstboot.te | 6 -
refpolicy/policy/modules/admin/logrotate.te | 3 +-
refpolicy/policy/modules/admin/netutils.fc | 1 +
refpolicy/policy/modules/admin/su.fc | 2 +
refpolicy/policy/modules/admin/sudo.fc | 2 +-
refpolicy/policy/modules/admin/usermanage.te | 15 ++-
refpolicy/policy/modules/kernel/bootloader.fc | 2 +-
refpolicy/policy/modules/kernel/corenetwork.te.in | 10 +-
refpolicy/policy/modules/kernel/devices.fc | 1 +
refpolicy/policy/modules/kernel/terminal.fc | 1 +
refpolicy/policy/modules/services/bind.fc | 13 +-
refpolicy/policy/modules/services/cron.fc | 6 +-
refpolicy/policy/modules/services/dhcp.fc | 2 +-
refpolicy/policy/modules/services/dhcp.te | 5 +
refpolicy/policy/modules/services/hal.te | 11 +-
refpolicy/policy/modules/services/kerberos.fc | 3 -
refpolicy/policy/modules/services/nscd.fc | 2 +
refpolicy/policy/modules/services/ntp.fc | 4 +-
refpolicy/policy/modules/services/ntp.te | 2 +-
refpolicy/policy/modules/services/portmap.fc | 2 +
refpolicy/policy/modules/services/privoxy.te | 2 +
refpolicy/policy/modules/services/samba.te | 6 +
refpolicy/policy/modules/services/ssh.fc | 2 +
refpolicy/policy/modules/services/ssh.if | 3 +
refpolicy/policy/modules/services/ssh.te | 6 +-
refpolicy/policy/modules/system/clock.te | 1 +
refpolicy/policy/modules/system/corecommands.fc | 4 +
refpolicy/policy/modules/system/fstools.fc | 1 +
refpolicy/policy/modules/system/fstools.te | 9 +-
refpolicy/policy/modules/system/hostname.te | 1 +
refpolicy/policy/modules/system/ipsec.te | 1 +
refpolicy/policy/modules/system/libraries.fc | 1 +
refpolicy/policy/modules/system/logging.fc | 4 +
refpolicy/policy/modules/system/miscfiles.fc | 12 +-
refpolicy/policy/modules/system/selinuxutil.if | 20 ++
refpolicy/policy/modules/system/udev.fc | 5 +-
refpolicy/policy/modules/system/udev.te | 2 +-
refpolicy/policy/support/misc_macros.spt | 7 +-
strict/ChangeLog | 23 +++
strict/Makefile | 42 ++++-
strict/VERSION | 2 +-
strict/appconfig/default_type | 1 +
strict/attrib.te | 11 +-
strict/domains/program/acct.te | 10 +-
strict/domains/program/apache.te | 5 +-
strict/domains/program/apmd.te | 2 +
strict/domains/program/bluetooth.te | 3 +
strict/domains/program/certwatch.te | 11 +
strict/domains/program/cyrus.te | 10 +-
strict/domains/program/dhcpd.te | 7 +-
strict/domains/program/firstboot.te | 7 -
strict/domains/program/fs_daemon.te | 2 +
strict/domains/program/fsadm.te | 14 +-
strict/domains/program/ftpd.te | 8 +-
strict/domains/program/hald.te | 7 +-
strict/domains/program/hostname.te | 4 +-
strict/domains/program/hwclock.te | 3 +
strict/domains/program/ifconfig.te | 2 +-
strict/domains/program/ipsec.te | 7 +-
strict/domains/program/kudzu.te | 2 +
strict/domains/program/logrotate.te | 5 +
strict/domains/program/mailman.te | 2 +
strict/domains/program/mta.te | 2 +-
strict/domains/program/ntpd.te | 2 +-
strict/domains/program/passwd.te | 6 +
strict/domains/program/ping.te | 4 -
strict/domains/program/pppd.te | 21 ++-
strict/domains/program/privoxy.te | 3 +-
strict/domains/program/rlogind.te | 2 +-
strict/domains/program/rpm.te | 1 +
strict/domains/program/rsync.te | 2 +
strict/domains/program/samba.te | 4 +-
strict/domains/program/saslauthd.te | 10 +
strict/domains/program/setfiles.te | 3 +-
strict/domains/program/slocate.te | 4 +-
strict/domains/program/ssh.te | 14 +-
strict/domains/program/udev.te | 2 +-
strict/domains/program/unused/clockspeed.te | 3 +-
strict/domains/program/unused/cvs.te | 10 +-
strict/domains/program/unused/ddclient.te | 6 +-
strict/domains/program/unused/dpkg.te | 3 +
strict/domains/program/unused/sxid.te | 1 +
strict/domains/program/useradd.te | 1 +
strict/file_contexts/homedir_template | 32 ---
strict/file_contexts/program/apache.fc | 8 +-
strict/file_contexts/program/auditd.fc | 5 +
strict/file_contexts/program/certwatch.fc | 3 +
strict/file_contexts/program/clamav.fc | 2 +-
strict/file_contexts/program/compat.fc | 62 ++++++
strict/file_contexts/program/crond.fc | 7 +-
strict/file_contexts/program/cups.fc | 1 +
strict/file_contexts/program/dhcpd.fc | 2 +-
strict/file_contexts/program/fsadm.fc | 1 +
strict/file_contexts/program/lvm.fc | 1 -
strict/file_contexts/program/named.fc | 9 +-
strict/file_contexts/program/nscd.fc | 1 +
strict/file_contexts/program/ntpd.fc | 4 +-
strict/file_contexts/program/portmap.fc | 1 +
strict/file_contexts/program/postfix.fc | 2 +
strict/file_contexts/program/pppd.fc | 14 +-
strict/file_contexts/program/qmail.fc | 2 +-
strict/file_contexts/program/radvd.fc | 1 +
strict/file_contexts/program/ssh.fc | 1 +
strict/file_contexts/program/sudo.fc | 3 +-
strict/file_contexts/program/traceroute.fc | 1 +
strict/file_contexts/program/udev.fc | 3 +-
strict/file_contexts/types.fc | 17 +-
strict/macros/content_macros.te | 188 ++++++++++++++++++
strict/macros/home_macros.te | 130 +++++++++++++
strict/macros/program/apache_macros.te | 6 +-
strict/macros/program/cdrecord_macros.te | 16 +-
strict/macros/program/ethereal_macros.te | 7 +-
strict/macros/program/evolution_macros.te | 2 +-
strict/macros/program/irc_macros.te | 4 +-
strict/macros/program/lpr_macros.te | 25 +--
strict/macros/program/mail_client_macros.te | 5 +
strict/macros/program/mozilla_macros.te | 7 +
strict/macros/program/spamassassin_macros.te | 2 +-
strict/macros/program/thunderbird_macros.te | 6 +-
strict/mls | 8 +-
strict/net_contexts | 8 -
strict/types/network.te | 9 -
128 files changed, 1057 insertions(+), 255 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 85c05a4..58b23ac 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,4 @@
+- Add experimental MCS support.
- Add equivalents for old can_resolve(), can_ldap(), and
can_portmap() to sysnetwork.
- Fix base module compile issues.
diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 1350fa5..4aeb490 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -108,12 +108,19 @@ USERPATH = $(INSTALLDIR)/users
CONTEXTPATH = $(INSTALLDIR)/contexts
# enable MLS if requested.
-ifneq ($(findstring mls,$(TYPE)),)
+ifneq ($(findstring -mls,$(TYPE)),)
override M4PARAM += -D enable_mls
CHECKPOLICY += -M
CHECKMODULE += -M
endif
+# enable MLS if MCS requested.
+ifneq ($(findstring -mcs,$(TYPE)),)
+ override M4PARAM += -D enable_mcs
+ CHECKPOLICY += -M
+ CHECKMODULE += -M
+endif
+
# compile targeted policy if requested.
ifneq ($(findstring targeted,$(TYPE)),)
override M4PARAM += -D targeted_policy
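Review bot: The `-mcs` block added at L162 does not exclude the `-mls` block above it, so a TYPE containing both tokens would define enable_mls and enable_mcs together and append `-M` to CHECKPOLICY and CHECKMODULE twice; with Rules.modular and Rules.monolithic now feeding both policy/mls and policy/mcs into the base policy, both sets of sensitivity declarations would presumably be active at once. I'd state the intended exclusivity next to the switch, replacing the L161 comment with `# MCS reuses the MLS engine (checkpolicy -M); TYPE should name -mls or -mcs, never both.` The change from `mls` to `-mls` on L156 also means a TYPE spelled without the leading dash no longer enables MLS, which deserves a mention in the comment or the commit message.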
diff --git a/refpolicy/Rules.modular b/refpolicy/Rules.modular
index 067ee01..d8debf5 100644
--- a/refpolicy/Rules.modular
+++ b/refpolicy/Rules.modular
@@ -11,7 +11,7 @@ BASE_FC := base.fc
BASE_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf
-BASE_PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls
+BASE_PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs
BASE_TE_FILES := $(BASE_MODS)
BASE_POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/constraints
BASE_FC_FILES := $(BASE_MODS:.te=.fc)
diff --git a/refpolicy/Rules.monolithic b/refpolicy/Rules.monolithic
index 1d5c6cb..7153e1e 100644
--- a/refpolicy/Rules.monolithic
+++ b/refpolicy/Rules.monolithic
@@ -18,7 +18,7 @@ ALL_INTERFACES := $(ALL_MODULES:.te=.if)
ALL_TE_FILES := $(ALL_MODULES)
ALL_FC_FILES := $(ALL_MODULES:.te=.fc)
-PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls
+PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs
POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/users $(POLDIR)/constraints
POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf
diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index 28004e2..1bed344 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -22,6 +22,9 @@ gen_tunable(allow_gpg_execstack,false)
## Allow system to run with kerberos
gen_tunable(allow_kerberos,false)
+## allow host key based authentication
+gen_tunable(allow_ssh_keysign,false)
+
## Allow users to connect to mysql
gen_tunable(allow_user_mysql_connect,false)
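Review bot: `allow_ssh_keysign` is declared here but no hunk in this commit consumes it: the ssh.te hunk only declares `ssh_keysign_exec_t` as a plain `files_type` with no domain, entrypoint or `tunable_policy` block, and ssh.fc labels /usr/libexec/openssh/ssh-keysign with that type. Toggling the boolean therefore has no effect yet, and until a domain and transition exist ssh-keysign is either not executable from the client domain or runs in the caller's domain, depending on what ssh.te grants outside this diff; either way the tunable is not gating what its description promises. Either hold the tunable until the keysign domain lands or mark the gap, e.g. `## Allow host key based authentication (ssh-keysign); no policy consumes this yet`. Starting the description with a capital "Allow" would also match the neighbouring entries.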
diff --git a/refpolicy/policy/mcs b/refpolicy/policy/mcs
new file mode 100644
index 0000000..754753b
--- /dev/null
+++ b/refpolicy/policy/mcs
@@ -0,0 +1,215 @@
+ifdef(`enable_mcs',`
+#
+# Define sensitivities
+#
+# Each sensitivity has a name and zero or more aliases.
+#
+# MCS is single-sensitivity.
+#
+sensitivity s0;
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 }
+
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0;
+category c1;
+category c2;
+category c3;
+category c4;
+category c5;
+category c6;
+category c7;
+category c8;
+category c9;
+category c10;
+category c11;
+category c12;
+category c13;
+category c14;
+category c15;
+category c16;
+category c17;
+category c18;
+category c19;
+category c20;
+category c21;
+category c22;
+category c23;
+category c24;
+category c25;
+category c26;
+category c27;
+category c28;
+category c29;
+category c30;
+category c31;
+category c32;
+category c33;
+category c34;
+category c35;
+category c36;
+category c37;
+category c38;
+category c39;
+category c40;
+category c41;
+category c42;
+category c43;
+category c44;
+category c45;
+category c46;
+category c47;
+category c48;
+category c49;
+category c50;
+category c51;
+category c52;
+category c53;
+category c54;
+category c55;
+category c56;
+category c57;
+category c58;
+category c59;
+category c60;
+category c61;
+category c62;
+category c63;
+category c64;
+category c65;
+category c66;
+category c67;
+category c68;
+category c69;
+category c70;
+category c71;
+category c72;
+category c73;
+category c74;
+category c75;
+category c76;
+category c77;
+category c78;
+category c79;
+category c80;
+category c81;
+category c82;
+category c83;
+category c84;
+category c85;
+category c86;
+category c87;
+category c88;
+category c89;
+category c90;
+category c91;
+category c92;
+category c93;
+category c94;
+category c95;
+category c96;
+category c97;
+category c98;
+category c99;
+category c100;
+category c101;
+category c102;
+category c103;
+category c104;
+category c105;
+category c106;
+category c107;
+category c108;
+category c109;
+category c110;
+category c111;
+category c112;
+category c113;
+category c114;
+category c115;
+category c116;
+category c117;
+category c118;
+category c119;
+category c120;
+category c121;
+category c122;
+category c123;
+category c124;
+category c125;
+category c126;
+category c127;
+
+
+#
+# Each MCS level specifies a sensitivity and zero or more categories which may
+# be associated with that sensitivity.
+#
+level s0:c0.c127;
+
+#
+# Define the MCS policy
+#
+# mlsconstrain class_set perm_set expression ;
+#
+# mlsvalidatetrans class_set expression ;
+#
+# expression : ( expression )
+# | not expression
+# | expression and expression
+# | expression or expression
+# | u1 op u2
+# | r1 role_mls_op r2
+# | t1 op t2
+# | l1 role_mls_op l2
+# | l1 role_mls_op h2
+# | h1 role_mls_op l2
+# | h1 role_mls_op h2
+# | l1 role_mls_op h1
+# | l2 role_mls_op h2
+# | u1 op names
+# | u2 op names
+# | r1 op names
+# | r2 op names
+# | t1 op names
+# | t2 op names
+# | u3 op names (NOTE: this is only available for mlsvalidatetrans)
+# | r3 op names (NOTE: this is only available for mlsvalidatetrans)
+# | t3 op names (NOTE: this is only available for mlsvalidatetrans)
+#
+# op : == | !=
+# role_mls_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name
+#
+
+#
+# MCS policy for the file classes
+#
+# Constrain file access so that the high range of the process dominates
+# the high range of the file. We use the high range of the process so
+# that processes can always simply run at s0.
+#
+# Only files are constrained by MCS at this stage.
+#
+mlsconstrain file { read write setattr append unlink link rename
+ create ioctl lock execute } (h1 dom h2);
+
+
+# XXX
+#
+# For some reason, we need to reference the mlsfileread attribute
+# or we get a build error. Below is a dummy entry to do this.
+mlsconstrain xextension query ( t1 == mlsfileread );
+
+attribute mlsfileread;
+') dnl end enable_mcs
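Review bot: The file-class constraint at L414-415 omits `relabelfrom` and `relabelto`, so the h1 dom h2 check governs reading and writing a file but not changing its label; a domain that already holds relabel permission on a file appears able to move it into a category set it dominates and only then access it, which undercuts the check for exactly the class the comment says is covered. The L412 comment limits MCS to files at this stage, but relabeling is the obvious gap within that scope, so I'd extend the set to `mlsconstrain file { read write setattr append unlink link rename create ioctl lock execute relabelfrom relabelto } (h1 dom h2);` or state in the comment that relabeling is deliberately left unconstrained for now. The `xextension query` dummy at L422 is marked XXX without recording which build error it works around; noting the checkpolicy message would let the workaround be retired later. The `attribute mlsfileread;` declaration at L424 follows its use at L422, which is fine if checkpolicy resolves the reference across passes, but a one-line comment saying so would stop someone from "fixing" the order.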
diff --git a/refpolicy/policy/modules/admin/firstboot.te b/refpolicy/policy/modules/admin/firstboot.te
index 8f19fa6..359cbdc 100644
--- a/refpolicy/policy/modules/admin/firstboot.te
+++ b/refpolicy/policy/modules/admin/firstboot.te
@@ -93,8 +93,6 @@ modutils_domtrans_insmod(firstboot_t)
modutils_read_module_conf(firstboot_t)
modutils_read_mods_deps(firstboot_t)
-sysnet_manage_config(firstboot_t)
-
# Add/remove user home directories
userdom_create_user_home_dir(firstboot_t)
userdom_manage_user_home_dir(firstboot_t)
@@ -109,10 +107,6 @@ ifdef(`targeted_policy',`
unconfined_domtrans(firstboot_t)
')
-optional_policy(`kerberos.te',`
- kerberos_rw_config(firstboot_t)
-')
-
optional_policy(`nis.te',`
nis_use_ypbind(firstboot_t)
')
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
index d139e14..1a1e714 100644
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -72,6 +72,7 @@ fs_search_auto_mountpoints(logrotate_t)
fs_getattr_xattr_fs(logrotate_t)
selinux_get_fs_mount(logrotate_t)
+selinux_get_enforce_mode(logrotate_t)
auth_manage_login_records(logrotate_t)
@@ -106,7 +107,7 @@ libs_use_shared_libs(logrotate_t)
miscfiles_read_localization(logrotate_t)
-seutil_dontaudit_search_config(logrotate_t)
+seutil_dontaudit_read_config(logrotate_t)
sysnet_read_config(logrotate_t)
diff --git a/refpolicy/policy/modules/admin/netutils.fc b/refpolicy/policy/modules/admin/netutils.fc
index 2fc2442..7804251 100644
--- a/refpolicy/policy/modules/admin/netutils.fc
+++ b/refpolicy/policy/modules/admin/netutils.fc
@@ -1,5 +1,6 @@
/bin/ping.* -- context_template(system_u:object_r:ping_exec_t,s0)
+/bin/tracepath.* -- context_template(system_u:object_r:traceroute_exec_t,s0)
/bin/traceroute.* -- context_template(system_u:object_r:traceroute_exec_t,s0)
/sbin/arping -- context_template(system_u:object_r:netutils_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/su.fc b/refpolicy/policy/modules/admin/su.fc
index ed98aba..f7f130a 100644
--- a/refpolicy/policy/modules/admin/su.fc
+++ b/refpolicy/policy/modules/admin/su.fc
@@ -1,2 +1,4 @@
/bin/su -- context_template(system_u:object_r:su_exec_t,s0)
+
+/usr(/local)?/bin/ksu -- context_template(system_u:object_r:su_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/sudo.fc b/refpolicy/policy/modules/admin/sudo.fc
index 1bd2127..14f48c5 100644
--- a/refpolicy/policy/modules/admin/sudo.fc
+++ b/refpolicy/policy/modules/admin/sudo.fc
@@ -1,2 +1,2 @@
-/usr/bin/sudo -- context_template(system_u:object_r:sudo_exec_t,s0)
+/usr/bin/sudo(edit)? -- context_template(system_u:object_r:sudo_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 3d1a165..4452dee 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -78,6 +78,8 @@ allow chfn_t self:msgq create_msgq_perms;
allow chfn_t self:msg { send receive };
kernel_read_system_state(chfn_t)
+kernel_read_kernel_sysctl(chfn_t)
+
selinux_get_fs_mount(chfn_t)
selinux_validate_context(chfn_t)
selinux_compute_access_vector(chfn_t)
@@ -297,6 +299,8 @@ allow passwd_t self:msg { send receive };
allow passwd_t crack_db_t:dir r_dir_perms;
allow passwd_t crack_db_t:file r_file_perms;
+kernel_read_kernel_sysctl(passwd_t)
+
# for SSP
dev_read_urand(passwd_t)
@@ -389,14 +393,16 @@ allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms;
files_create_tmp_files(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
files_search_var(sysadm_passwd_t)
+kernel_read_kernel_sysctl(sysadm_passwd_t)
+# for /proc/meminfo
+kernel_read_system_state(sysadm_passwd_t)
+
selinux_get_fs_mount(sysadm_passwd_t)
selinux_validate_context(sysadm_passwd_t)
selinux_compute_access_vector(sysadm_passwd_t)
selinux_compute_create_context(sysadm_passwd_t)
selinux_compute_relabel_context(sysadm_passwd_t)
selinux_compute_user_contexts(sysadm_passwd_t)
-# for /proc/meminfo
-kernel_read_system_state(sysadm_passwd_t)
# for SSP
dev_read_urand(sysadm_passwd_t)
@@ -460,6 +466,10 @@ dontaudit sysadm_passwd_t sysadm_home_dir_t:dir { getattr search };
dontaudit sysadm_passwd_t var_run_t:dir search;
dontaudit sysadm_passwd_t selinux_config_t:dir search;
+ifdef(`targeted_policy', `
+role system_r types sysadm_passwd_t;
+allow sysadm_passwd_t devpts_t:chr_file rw_file_perms;
+')
') dnl endif TODO
########################################
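Review bot: `allow sysadm_passwd_t devpts_t:chr_file rw_file_perms;` at L527 names devpts_t directly, whereas every other rule in these hunks reaches other modules' types through interfaces (`selinux_get_fs_mount`, `files_search_var_lib`, ...); refpolicy modules are meant to use the owning module's interface for pty access rather than the raw type, so this belongs behind a terminal interface (later refpolicy exports `term_use_all_user_ptys`; confirm what this tree provides). The `') dnl endif TODO` on L529 also suggests the new `targeted_policy` block sits inside an `ifdef(`TODO'` that opens outside this hunk, in which case nothing added here is compiled; if that is intentional, a short note in the hunk would save the next reader from tracing the guard.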
@@ -508,6 +518,7 @@ corecmd_exec_sbin(useradd_t)
domain_use_wide_inherit_fd(useradd_t)
files_manage_etc_files(useradd_t)
+files_search_var_lib(useradd_t)
init_use_fd(useradd_t)
init_rw_script_pid(useradd_t)
diff --git a/refpolicy/policy/modules/kernel/bootloader.fc b/refpolicy/policy/modules/kernel/bootloader.fc
index 43c9acf..a302ded 100644
--- a/refpolicy/policy/modules/kernel/bootloader.fc
+++ b/refpolicy/policy/modules/kernel/bootloader.fc
@@ -3,7 +3,7 @@
/initrd\.img.* -l context_template(system_u:object_r:boot_t,s0)
/boot(/.*)? context_template(system_u:object_r:boot_t,s0)
-/boot/System\.map-.* -- context_template(system_u:object_r:system_map_t,s0)
+/boot/System\.map(-.*)? -- context_template(system_u:object_r:system_map_t,s0)
/etc/lilo\.conf.* -- context_template(system_u:object_r:bootloader_etc_t,s0)
/etc/yaboot\.conf.* -- context_template(system_u:object_r:bootloader_etc_t,s0)
diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in
index c1e59f0..310b6e7 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.te.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.te.in
@@ -158,11 +158,5 @@ network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
type netif_t, netif_type;
sid netif context_template(system_u:object_r:netif_t,s0)
-network_interface(lo, lo,s0)
-network_interface(eth0, eth0,s0)
-network_interface(eth1, eth1,s0)
-network_interface(eth2, eth2,s0)
-network_interface(ippp0, ippp0,s0)
-network_interface(ipsec0, ipsec0,s0)
-network_interface(ipsec1, ipsec1,s0)
-network_interface(ipsec2, ipsec2,s0)
+#network_interface(lo, lo,s0)
+#network_interface(eth0, eth0,s0)
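Review bot: Dropping every `network_interface` declaration and leaving two commented-out examples at L563-564 with no explanation will read as an accident rather than a decision. Since the `sid netif` line at L554 makes netif_t the label for any interface not declared here, I'd add above the examples: `# No per-interface types by default: undeclared interfaces are labeled netif_t (see the netif sid above). Uncomment or add network_interface() lines to give specific interfaces their own type.` Any module that referenced the removed ipsec*/ippp0 interface types will now fail to build unless it was updated outside this diff; I can't see that from here.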
diff --git a/refpolicy/policy/modules/kernel/devices.fc b/refpolicy/policy/modules/kernel/devices.fc
index b60f902..0ef00bf 100644
--- a/refpolicy/policy/modules/kernel/devices.fc
+++ b/refpolicy/policy/modules/kernel/devices.fc
@@ -55,6 +55,7 @@ ifdef(`distro_suse', `
/dev/vttuner -c context_template(system_u:object_r:v4l_device_t,s0)
/dev/vtx.* -c context_template(system_u:object_r:v4l_device_t,s0)
/dev/winradio. -c context_template(system_u:object_r:v4l_device_t,s0)
+/dev/z90crypt -c context_template(system_u:object_r:crypt_device_t,s0)
/dev/zero -c context_template(system_u:object_r:zero_device_t,s0)
/dev/cpu/.* -c context_template(system_u:object_r:cpu_device_t,s0)
diff --git a/refpolicy/policy/modules/kernel/terminal.fc b/refpolicy/policy/modules/kernel/terminal.fc
index a22099d..7457125 100644
--- a/refpolicy/policy/modules/kernel/terminal.fc
+++ b/refpolicy/policy/modules/kernel/terminal.fc
@@ -1,6 +1,7 @@
/dev/.*tty[^/]* -c context_template(system_u:object_r:tty_device_t,s0)
/dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f] -c context_template(system_u:object_r:bsdpty_device_t,s0)
+/dev/adb.* -c context_template(system_u:object_r:tty_device_t,s0)
/dev/capi.* -c context_template(system_u:object_r:tty_device_t,s0)
/dev/cu.* -c context_template(system_u:object_r:tty_device_t,s0)
/dev/dcbri[0-9]+ -c context_template(system_u:object_r:tty_device_t,s0)
diff --git a/refpolicy/policy/modules/services/bind.fc b/refpolicy/policy/modules/services/bind.fc
index ecedc6c..8287f7f 100644
--- a/refpolicy/policy/modules/services/bind.fc
+++ b/refpolicy/policy/modules/services/bind.fc
@@ -1,27 +1,28 @@
/etc/rndc.* -- context_template(system_u:object_r:named_conf_t,s0)
-/etc/rndc.key -- context_template(system_u:object_r:dnssec_t,s0)
+/etc/rndc\.key -- context_template(system_u:object_r:dnssec_t,s0)
/usr/sbin/lwresd -- context_template(system_u:object_r:named_exec_t,s0)
-/usr/sbin/named -- context_template(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named -- context_template(system_u:object_r:named_exec_t,s0)
+/usr/sbin/named-checkconf -- context_template(system_u:object_r:named_checkconf_exec_t,s0)
/usr/sbin/r?ndc -- context_template(system_u:object_r:ndc_exec_t,s0)
-/var/run/ndc -s context_template(system_u:object_r:named_var_run_t,s0)
+/var/log/named.* -- context_template(system_u:object_r:named_log_t,s0)
+/var/run/ndc -s context_template(system_u:object_r:named_var_run_t,s0)
/var/run/bind(/.*)? context_template(system_u:object_r:named_var_run_t,s0)
-
/var/run/named(/.*)? context_template(system_u:object_r:named_var_run_t,s0)
ifdef(`distro_debian',`
/etc/bind(/.*)? context_template(system_u:object_r:named_zone_t,s0)
/etc/bind/named\.conf -- context_template(system_u:object_r:named_conf_t,s0)
-/etc/bind/rndc\.key -- context_template(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.key -- context_template(system_u:object_r:dnssec_t,s0)
/var/cache/bind(/.*)? context_template(system_u:object_r:named_cache_t,s0)
')
ifdef(`distro_gentoo',`
/etc/bind(/.*)? context_template(system_u:object_r:named_zone_t,s0)
/etc/bind/named\.conf -- context_template(system_u:object_r:named_conf_t,s0)
-/etc/bind/rndc\.key -- context_template(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.key -- context_template(system_u:object_r:dnssec_t,s0)
/var/bind(/.*)? context_template(system_u:object_r:named_cache_t,s0)
/var/bind/pri(/.*)? context_template(system_u:object_r:named_zone_t,s0)
')
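Review bot: This hunk introduces `named_checkconf_exec_t` (L598) and `named_log_t` (L601), but bind.te is not in the diffstat, so unless that module already declares both types the file-context validation at build time will reject the .fc file. The same applies to `nscd_log_t` in the nscd.fc hunk (L714), whose nscd.te is likewise untouched. If the declarations are meant to come from a separate merge, the commit message should say so; otherwise the `type` declarations should land alongside this change.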
diff --git a/refpolicy/policy/modules/services/cron.fc b/refpolicy/policy/modules/services/cron.fc
index 2d705aa..46af1bd 100644
--- a/refpolicy/policy/modules/services/cron.fc
+++ b/refpolicy/policy/modules/services/cron.fc
@@ -22,8 +22,12 @@
/var/spool/cron -d context_template(system_u:object_r:cron_spool_t,s0)
#/var/spool/cron/root -- context_template(system_u:object_r:sysadm_cron_spool_t,s0)
-
/var/spool/cron/[^/]* -- <<none>>
+ifdef(`distro_suse', `
+/var/spool/cron/lastrun -d context_template(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun/[^/]* -- <<none>>
+/var/spool/cron/tabs -d context_template(system_u:object_r:cron_spool_t,s0)
+')
/var/spool/cron/crontabs -d context_template(system_u:object_r:cron_spool_t,s0)
/var/spool/cron/crontabs/.* -- <<none>>
diff --git a/refpolicy/policy/modules/services/dhcp.fc b/refpolicy/policy/modules/services/dhcp.fc
index dd68495..84b0bc9 100644
--- a/refpolicy/policy/modules/services/dhcp.fc
+++ b/refpolicy/policy/modules/services/dhcp.fc
@@ -3,4 +3,4 @@
/var/lib/dhcp(3)?/dhcpd\.leases.* -- context_template(system_u:object_r:dhcpd_state_t,s0)
-/var/run/dhcpd\.pid -d context_template(system_u:object_r:dhcpd_var_run_t,s0)
+/var/run/dhcpd\.pid -- context_template(system_u:object_r:dhcpd_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/dhcp.te b/refpolicy/policy/modules/services/dhcp.te
index bb2be4e..0c483ca 100644
--- a/refpolicy/policy/modules/services/dhcp.te
+++ b/refpolicy/policy/modules/services/dhcp.te
@@ -62,6 +62,7 @@ corenet_tcp_bind_all_nodes(dhcpd_t)
corenet_udp_bind_all_nodes(dhcpd_t)
corenet_udp_bind_dhcpd_port(dhcpd_t)
corenet_udp_bind_pxe_port(dhcpd_t)
+corenet_tcp_connect_all_ports(dhcpd_t)
dev_read_sysfs(dhcpd_t)
dev_read_rand(dhcpd_t)
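Review bot: `corenet_tcp_connect_all_ports(dhcpd_t)` at L653 lets the DHCP server open outbound TCP to any port, which is far broader than the port-specific bind rules beside it and the per-port connect interfaces used elsewhere in this commit (`corenet_tcp_connect_ipp_port` in samba.te). If this is for DNS dynamic updates or a similar single peer, the matching `corenet_tcp_connect_<name>_port` interface plus a why-comment is the least-privilege form; if arbitrary ports really are required, a comment naming the client feature that needs them would keep the grant reviewable.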
@@ -121,6 +122,10 @@ optional_policy(`nis.te',`
nis_use_ypbind(dhcpd_t)
')
+optional_policy(`nscd.te',`
+ nscd_use_socket(dhcpd_t)
+')
+
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(dhcpd_t)
')
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 162e9f8..8963214 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -16,7 +16,7 @@ files_tmp_file(hald_tmp_t)
type hald_var_run_t;
files_pid_file(hald_var_run_t)
-allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
+allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
dontaudit hald_t self:capability sys_tty_config;
allow hald_t self:fifo_file rw_file_perms;
allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
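Review bot: `sys_rawio` is added to hald_t's capability set at L674 with no explanation, although nearby decisions in this file carry comments. A one-line reason in the same style would help, e.g. `# sys_rawio: needed for <raw device ioctl that triggers it>`; I can't tell from the hunk which call requires it, though the storage_raw_* rules in the next hunk are the likely place.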
@@ -49,12 +49,21 @@ dev_read_sysfs(hald_t)
dev_read_usbfs(hald_t)
dev_read_urand(hald_t)
dev_read_input(hald_t)
+dev_read_mouse(hald_t)
dev_rw_printer(hald_t)
+dev_getattr_all_chr_files(hald_t)
dev_manage_generic_chr_file(hald_t)
fs_getattr_all_fs(hald_t)
fs_search_auto_mountpoints(hald_t)
+selinux_get_fs_mount(hald_t)
+selinux_validate_context(hald_t)
+selinux_compute_access_vector(hald_t)
+selinux_compute_create_context(hald_t)
+selinux_compute_relabel_context(hald_t)
+selinux_compute_user_contexts(hald_t)
+
storage_raw_read_removable_device(hald_t)
storage_raw_read_fixed_disk(hald_t)
storage_raw_write_fixed_disk(hald_t)
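Review bot: The six `selinux_*` calls added at L688-693 are the same block this commit adds to chfn_t and sysadm_passwd_t in usermanage.te (L495-497, L512-517), so three call sites now have to be kept in step by hand. A single interface in selinuxutil.if that bundles them (the diffstat shows selinuxutil.if changing in this commit, but those hunks are outside my view, so it may already exist) would make the intent — "this domain computes contexts via the selinuxfs" — visible at each call site and easier to audit.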
diff --git a/refpolicy/policy/modules/services/kerberos.fc b/refpolicy/policy/modules/services/kerberos.fc
index 830b095..fcbb737 100644
--- a/refpolicy/policy/modules/services/kerberos.fc
+++ b/refpolicy/policy/modules/services/kerberos.fc
@@ -12,6 +12,3 @@
/var/log/krb5kdc\.log context_template(system_u:object_r:krb5kdc_log_t,s0)
/var/log/kadmind\.log context_template(system_u:object_r:kadmind_log_t,s0)
-
-#this goes to su:
-#/usr(/local)?/bin/ksu -- context_template(system_u:object_r:su_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/nscd.fc b/refpolicy/policy/modules/services/nscd.fc
index 0eec9ba..8409e17 100644
--- a/refpolicy/policy/modules/services/nscd.fc
+++ b/refpolicy/policy/modules/services/nscd.fc
@@ -3,6 +3,8 @@
/var/db/nscd(/.*)? context_template(system_u:object_r:nscd_var_run_t,s0)
+/var/log/nscd\.log.* -- context_template(system_u:object_r:nscd_log_t,s0)
+
/var/run/nscd\.pid -- context_template(system_u:object_r:nscd_var_run_t,s0)
/var/run/\.nscd_socket -s context_template(system_u:object_r:nscd_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/ntp.fc b/refpolicy/policy/modules/services/ntp.fc
index 3554fcd..a856d9c 100644
--- a/refpolicy/policy/modules/services/ntp.fc
+++ b/refpolicy/policy/modules/services/ntp.fc
@@ -1,10 +1,10 @@
-/etc/ntp(d)?\.conf(.sv)? -- context_template(system_u:object_r:net_conf_t,s0)
+/etc/ntp(d)?\.conf.* -- context_template(system_u:object_r:net_conf_t,s0)
/etc/cron\.(daily|weekly)/ntp-simple -- context_template(system_u:object_r:ntpd_exec_t,s0)
/etc/cron\.(daily|weekly)/ntp-server -- context_template(system_u:object_r:ntpd_exec_t,s0)
-/etc/ntp/step-tickers -- context_template(system_u:object_r:net_conf_t,s0)
+/etc/ntp/step-tickers.* -- context_template(system_u:object_r:net_conf_t,s0)
/etc/ntp/data(/.*)? context_template(system_u:object_r:ntp_drift_t,s0)
/usr/sbin/ntpd -- context_template(system_u:object_r:ntpd_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/ntp.te b/refpolicy/policy/modules/services/ntp.te
index 7ff072a..3c1bdba 100644
--- a/refpolicy/policy/modules/services/ntp.te
+++ b/refpolicy/policy/modules/services/ntp.te
@@ -30,7 +30,7 @@ init_system_domain(ntpd_t,ntpdate_exec_t)
# Local policy
#
-allow ntpd_t self:capability { kill setgid setuid sys_time ipc_lock sys_chroot };
+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot };
# ntpdate wants sys_nice
dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
allow ntpd_t self:process { signal_perms setcap setsched };
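Review bot: `chown` and `dac_override` join ntpd_t's capabilities at L739 without a comment, while the very next line explains `sys_nice` for ntpdate; dac_override lets ntpd bypass DAC on every file its type-enforcement rules reach, so the reason should be recorded in the same style, e.g. `# chown/dac_override: needed for <which file ntpd touches>`. If a single file such as the drift file (ntp_drift_t) is the cause, giving ntpd_t manage permissions on that type would avoid dac_override altogether.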
diff --git a/refpolicy/policy/modules/services/portmap.fc b/refpolicy/policy/modules/services/portmap.fc
index 6975de0..53933d1 100644
--- a/refpolicy/policy/modules/services/portmap.fc
+++ b/refpolicy/policy/modules/services/portmap.fc
@@ -8,3 +8,5 @@ ifdef(`distro_debian',`
/usr/sbin/pmap_dump -- context_template(system_u:object_r:portmap_helper_exec_t,s0)
/usr/sbin/pmap_set -- context_template(system_u:object_r:portmap_helper_exec_t,s0)
')
+
+/var/run/portmap.upgrade-state -- context_template(system_u:object_r:portmap_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te
index 1160bb8..4b5eec3 100644
--- a/refpolicy/policy/modules/services/privoxy.te
+++ b/refpolicy/policy/modules/services/privoxy.te
@@ -63,6 +63,8 @@ logging_send_syslog_msg(privoxy_t)
miscfiles_read_localization(privoxy_t)
+sysnet_dns_name_resolve(privoxy_t)
+
userdom_dontaudit_use_unpriv_user_fd(privoxy_t)
userdom_dontaudit_search_sysadm_home_dir(privoxy_t)
# cjp: this should really not be needed
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index c56c5a3..daf9875 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -125,6 +125,11 @@ optional_policy(`nscd.te',`
nscd_use_socket(samba_net_t)
')
+ifdef(`TODO',`
+role system_r types samba_net_t;
+in_user_role(samba_net_t)
+')
+
########################################
#
# smbd Local policy
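Review bot: The `ifdef(`TODO',` block at L771-774 is dead until someone defines TODO, and it carries `in_user_role(samba_net_t)`, a legacy macro spelling that the interface-based rules around it do not use; the TODO guard itself matches the pattern seen in usermanage.te (L529), so it is the macro, not the guard, that will confuse a later reader. Either convert it to the interface form now or leave a note explaining what blocks it, e.g. `# TODO: needs a userdom interface to place samba_net_t in the user roles before this can be enabled`.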
@@ -194,6 +199,7 @@ corenet_tcp_bind_all_nodes(smbd_t)
corenet_udp_bind_all_nodes(smbd_t)
corenet_tcp_bind_smbd_port(smbd_t)
corenet_tcp_connect_ipp_port(smbd_t)
+corenet_tcp_connect_smbd_port(smbd_t)
dev_read_sysfs(smbd_t)
dev_read_urand(smbd_t)
diff --git a/refpolicy/policy/modules/services/ssh.fc b/refpolicy/policy/modules/services/ssh.fc
index 46d3cb8..c970a01 100644
--- a/refpolicy/policy/modules/services/ssh.fc
+++ b/refpolicy/policy/modules/services/ssh.fc
@@ -7,6 +7,8 @@
/usr/bin/ssh-agent -- context_template(system_u:object_r:ssh_agent_exec_t,s0)
/usr/bin/ssh-keygen -- context_template(system_u:object_r:ssh_keygen_exec_t,s0)
+/usr/libexec/openssh/ssh-keysign -- context_template(system_u:object_r:ssh_keysign_exec_t,s0)
+
/usr/sbin/sshd -- context_template(system_u:object_r:sshd_exec_t,s0)
/var/run/sshd\.init\.pid -- context_template(system_u:object_r:sshd_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index 1b4b1d4..edb0e04 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -467,6 +467,9 @@ template(`ssh_server_template', `
userdom_search_all_users_home($1_t)
+ # Allow checking users mail at login
+ mta_getattr_spool($1_t)
+
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files($1_t)
')
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index 69e7652..fe1f7c9 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -21,6 +21,9 @@ type ssh_keygen_exec_t;
init_system_domain(ssh_keygen_t,ssh_keygen_exec_t)
role system_r types ssh_keygen_t;
+type ssh_keysign_exec_t;
+files_type(ssh_keysign_exec_t)
+
ssh_server_template(sshd)
# cjp: commenting this out until typeattribute works in a conditional
@@ -69,9 +72,6 @@ auth_exec_pam(sshd_t)
seutil_read_config(sshd_t)
-# Allow checking users mail at login
-mta_getattr_spool(sshd_t)
-
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index a53c3bf..90c51ba 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -25,6 +25,7 @@ allow hwclock_t self:process signal_perms;
# but hwclock does require it.
allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config };
dontaudit hwclock_t self:capability sys_tty_config;
+allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
# Allow hwclock to store & retrieve correction factors.
allow hwclock_t adjtime_t:file { setattr ioctl read getattr lock write append };
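Review bot: The new `netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }` rule has no rationale comment, unlike the neighbouring capability lines, and `nlmsg_relay` is the permission that lets a domain emit its own audit records. The same rule is added to strict at L1524 with the same omission. A one-line comment would suffice: `# hwclock reports system clock changes to the audit subsystem (nlmsg_relay) — TODO confirm the code path`.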
diff --git a/refpolicy/policy/modules/system/corecommands.fc b/refpolicy/policy/modules/system/corecommands.fc
index 5166326..5df4a0f 100644
--- a/refpolicy/policy/modules/system/corecommands.fc
+++ b/refpolicy/policy/modules/system/corecommands.fc
@@ -65,6 +65,10 @@ ifdef(`distro_gentoo', `
/usr(/.*)?/sbin(/.*)? context_template(system_u:object_r:sbin_t,s0)
+ifdef(`distro_suse', `
+/usr/lib/cron/run-crons -- context_template(system_u:object_r:bin_t,s0)
+')
+
/usr/lib(64)?/sftp-server -- context_template(system_u:object_r:bin_t,s0)
/usr/lib(64)?/emacsen-common/.* context_template(system_u:object_r:bin_t,s0)
diff --git a/refpolicy/policy/modules/system/fstools.fc b/refpolicy/policy/modules/system/fstools.fc
index 90f772d..265cdeb 100644
--- a/refpolicy/policy/modules/system/fstools.fc
+++ b/refpolicy/policy/modules/system/fstools.fc
@@ -34,5 +34,6 @@
/usr/bin/partition_uuid -- context_template(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/raw -- context_template(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/scsi_unique_id -- context_template(system_u:object_r:fsadm_exec_t,s0)
+/usr/bin/syslinux -- context_template(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/smartctl -- context_template(system_u:object_r:fsadm_exec_t,s0)
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index f4b0190..845b705 100644
--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -6,7 +6,7 @@ policy_module(fstools,1.0)
# Declarations
#
-type fsadm_t;
+type fsadm_t; #, mlsfileread;
type fsadm_exec_t;
init_system_domain(fsadm_t,fsadm_exec_t)
role system_r types fsadm_t;
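Review bot: `type fsadm_t; #, mlsfileread;` leaves a commented-out attribute with no explanation of why it is held back, while the strict copy of the same change at L1406 applies `mlsfileread` for real. Either state the reason inline, e.g. `# TODO: add mlsfileread once the attribute exists in refpolicy`, or drop the fragment so the declaration does not read as half-applied.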
@@ -23,7 +23,7 @@ files_type(swapfile_t)
#
# ipc_lock is for losetup
-allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config };
+allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search };
allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };
allow fsadm_t self:fd use;
allow fsadm_t self:fifo_file rw_file_perms;
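Review bot: The existing comment on the capability line explains only `ipc_lock`, yet the change appends `dac_override dac_read_search`, which let fsadm_t bypass all DAC file checks; the same addition appears in strict at L1436. The strict ChangeLog entry (L1074-L1075) gives the reason, so carry it into the policy where it is read: `# ipc_lock is for losetup; dac_override/dac_read_search for manipulating removable media`.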
@@ -63,8 +63,7 @@ dev_manage_generic_symlinks(fsadm_t)
# Access to /initrd devices
dev_search_usbfs(fsadm_t)
# for swapon
-dev_getattr_sysfs_dir(fsadm_t)
-dev_search_sysfs(fsadm_t)
+dev_read_sysfs(fsadm_t)
# Access to /initrd devices
dev_getattr_usbfs_dir(fsadm_t)
@@ -83,6 +82,8 @@ storage_raw_write_removable_device(fsadm_t)
storage_read_scsi_generic(fsadm_t)
storage_swapon_fixed_disk(fsadm_t)
+term_use_console(fsadm_t)
+
corecmd_list_bin(fsadm_t)
corecmd_list_sbin(fsadm_t)
corecmd_read_bin_symlink(fsadm_t)
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
index 61dbd27..471b076 100644
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@@ -36,6 +36,7 @@ term_use_all_user_ttys(hostname_t)
term_use_all_user_ptys(hostname_t)
init_use_fd(hostname_t)
+init_use_script_fd(hostname_t)
init_use_script_pty(hostname_t)
domain_use_wide_inherit_fd(hostname_t)
diff --git a/refpolicy/policy/modules/system/ipsec.te b/refpolicy/policy/modules/system/ipsec.te
index 25e0b0a..a954963 100644
--- a/refpolicy/policy/modules/system/ipsec.te
+++ b/refpolicy/policy/modules/system/ipsec.te
@@ -42,6 +42,7 @@ files_pid_file(ipsec_mgmt_var_run_t)
allow ipsec_t self:capability { net_admin dac_override dac_read_search };
dontaudit ipsec_t self:capability sys_tty_config;
allow ipsec_t self:process signal;
+allow ipsec_t self:netlink_route_socket r_netlink_socket_perms;
allow ipsec_t self:tcp_socket create_stream_socket_perms;
allow ipsec_t self:key_socket { create write read setopt };
allow ipsec_t self:fifo_file { read getattr };
diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc
index ce9eb73..d4dc4d4 100644
--- a/refpolicy/policy/modules/system/libraries.fc
+++ b/refpolicy/policy/modules/system/libraries.fc
@@ -44,6 +44,7 @@
/usr/X11R6/lib/libGL\.so.* -- context_template(system_u:object_r:texrel_shlib_t,s0)
/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- context_template(system_u:object_r:texrel_shlib_t,s0)
+/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
#
# /var
#
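Review bot: The new path on L928 is spelled `/usr/x11R6/...` while every neighbouring entry uses `/usr/X11R6/...`; file context regexes are case-sensitive, so this entry will not match the installed libglx on a case-sensitive filesystem and the library will keep whatever label the generic rule gives it. The fix is the one path: `/usr/X11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)`.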
diff --git a/refpolicy/policy/modules/system/logging.fc b/refpolicy/policy/modules/system/logging.fc
index c7d5734..fd88bb3 100644
--- a/refpolicy/policy/modules/system/logging.fc
+++ b/refpolicy/policy/modules/system/logging.fc
@@ -1,6 +1,10 @@
/dev/log -s context_template(system_u:object_r:devlog_t,s0)
+/etc/auditd.conf -- context_template(system_u:object_r:auditd_etc_t,s0)
+/etc/audit.rules -- context_template(system_u:object_r:auditd_etc_t,s0)
+
+/sbin/auditctl -- context_template(system_u:object_r:auditctl_exec_t,s0)
/sbin/auditd -- context_template(system_u:object_r:auditd_exec_t,s0)
/sbin/klogd -- context_template(system_u:object_r:klogd_exec_t,s0)
/sbin/minilogd -- context_template(system_u:object_r:syslogd_exec_t,s0)
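Review bot: `/etc/auditd.conf` and `/etc/audit.rules` leave the dots unescaped, whereas the rest of the tree escapes them (`sshd\.init\.pid` on L796, `\.udevdb` on L1011), so these patterns also match unrelated names such as `/etc/auditdXconf`. Write them as `/etc/auditd\.conf -- context_template(system_u:object_r:auditd_etc_t,s0)` and `/etc/audit\.rules -- context_template(system_u:object_r:auditd_etc_t,s0)`. The new `auditctl_exec_t` type must be declared in logging.te, which is not part of this diff.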
diff --git a/refpolicy/policy/modules/system/miscfiles.fc b/refpolicy/policy/modules/system/miscfiles.fc
index c1d0120..bcd4720 100644
--- a/refpolicy/policy/modules/system/miscfiles.fc
+++ b/refpolicy/policy/modules/system/miscfiles.fc
@@ -23,15 +23,14 @@
/usr/man(/.*)? context_template(system_u:object_r:man_t,s0)
/usr/share/fonts(/.*)? context_template(system_u:object_r:fonts_t,s0)
-
/usr/share/ghostscript/fonts(/.*)? context_template(system_u:object_r:fonts_t,s0)
-
/usr/share/locale(/.*)? context_template(system_u:object_r:locale_t,s0)
-
/usr/share/man(/.*)? context_template(system_u:object_r:man_t,s0)
-
/usr/share/zoneinfo(/.*)? context_template(system_u:object_r:locale_t,s0)
+/usr/share/ssl/certs(/.*)? context_template(system_u:object_r:cert_t,s0)
+/usr/share/ssl/private(/.*)? context_template(system_u:object_r:cert_t,s0)
+
/usr/X11R6/lib/X11/fonts(/.*)? context_template(system_u:object_r:fonts_t,s0)
/usr/X11R6/man(/.*)? context_template(system_u:object_r:man_t,s0)
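Review bot: `/usr/share/ssl/private(/.*)?` is given the same `cert_t` type as the public certificate directory on the line above, so every domain granted read access to certificates also reads the private keys; this commit alone adds `r_dir_file(certwatch_t, cert_t)` at L1310 and `r_dir_file(cyrus_t, cert_t)` at L1336. Labeling the private directory with a distinct type (placeholder: `<private_key_type>`) or leaving it out of this rule keeps the public/private distinction enforceable in policy. If sharing the type is intentional, a comment saying so would stop the next reader from treating it as an oversight.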
@@ -46,9 +45,6 @@ ifdef(`distro_debian', `
/var/lib/texmf(/.*)? context_template(system_u:object_r:tetex_data_t,s0)
/var/cache/fonts(/.*)? context_template(system_u:object_r:tetex_data_t,s0)
-
-/var/cache/man(/.*)? context_template(system_u:object_r:catman_t,s0)
-
-/var/catman(/.*)? context_template(system_u:object_r:catman_t,s0)
+/var/cache/man(/.*)? context_template(system_u:object_r:man_t,s0)
/var/spool/texmf(/.*)? context_template(system_u:object_r:tetex_data_t,s0)
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index 280bf4f..3c5b3cc 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -475,6 +475,26 @@ interface(`seutil_dontaudit_search_config',`
')
########################################
+## <summary>
+## Do not audit attempts to read the SELinux
+## userland configuration (/etc/selinux).
+## </summary>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`seutil_dontaudit_read_config',`
+ gen_require(`
+ type selinux_config_t;
+ class dir search;
+ class file { getattr read };
+ ')
+
+ dontaudit $1 selinux_config_t:dir search;
+ dontaudit $1 selinux_config_t:file { getattr read };
+')
+
+########################################
#
# seutil_read_config(domain)
#
diff --git a/refpolicy/policy/modules/system/udev.fc b/refpolicy/policy/modules/system/udev.fc
index f959a14..133ddd5 100644
--- a/refpolicy/policy/modules/system/udev.fc
+++ b/refpolicy/policy/modules/system/udev.fc
@@ -1,18 +1,19 @@
# udev
-/dev/\.udev\.tdb -- context_template(system_u:object_r:udev_tbl_t,s0)
+/dev/\.udevdb -- context_template(system_u:object_r:udev_tbl_t,s0)
/dev/udev\.tbl -- context_template(system_u:object_r:udev_tbl_t,s0)
/etc/dev\.d/.+ -- context_template(system_u:object_r:udev_helper_exec_t,s0)
/etc/hotplug\.d/default/udev.* -- context_template(system_u:object_r:udev_helper_exec_t,s0)
-/etc/udev/scripts/.+ -- context_template(system_u:object_r:udev_helper_exec_t,s0)
+/etc/udev/scripts/.+ -- context_template(system_u:object_r:udev_helper_exec_t,s0)
/sbin/start_udev -- context_template(system_u:object_r:udev_exec_t,s0)
/sbin/udev -- context_template(system_u:object_r:udev_exec_t,s0)
/sbin/udevd -- context_template(system_u:object_r:udev_exec_t,s0)
/sbin/udevsend -- context_template(system_u:object_r:udev_exec_t,s0)
+/sbin/udevstart -- context_template(system_u:object_r:udev_exec_t,s0)
/sbin/wait_for_sysfs -- context_template(system_u:object_r:udev_exec_t,s0)
/usr/bin/udevinfo -- context_template(system_u:object_r:udev_exec_t,s0)
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index 0829712..fe0b5a2 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -42,7 +42,7 @@ allow udev_t self:fifo_file rw_file_perms;
allow udev_t self:unix_stream_socket { listen accept };
allow udev_t self:unix_dgram_socket sendto;
allow udev_t self:unix_stream_socket connectto;
-allow udev_t self:netlink_kobject_uevent_socket { create bind read };
+allow udev_t self:netlink_kobject_uevent_socket { create bind read setopt };
allow udev_t self:shm create_shm_perms;
allow udev_t self:sem create_sem_perms;
allow udev_t self:msgq create_msgq_perms;
diff --git a/refpolicy/policy/support/misc_macros.spt b/refpolicy/policy/support/misc_macros.spt
index 60bb608..4dafb20 100644
--- a/refpolicy/policy/support/misc_macros.spt
+++ b/refpolicy/policy/support/misc_macros.spt
@@ -21,11 +21,12 @@ user $1 roles { $2 } ifdef(`enable_mls', `level $3 range $4');
########################################
#
-# gen_con(context,sensitivity)
+# gen_con(context,mls_sensitivity,[mcs_categories])
#
-# Optionally put the sensitivity for the file
+# MLS: Optionally put the sensitivity for the file
+# MCS: Optionally put the categories of the file
#
-define(`context_template',`ifdef(`enable_mls',`$1:$2',`$1')') dnl
+define(`context_template',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')') dnl
########################################
#
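Review bot: The header comment on L1045 documents a macro named `gen_con`, but the definition on L1052 is `context_template`, so the docs do not match the code they describe; the comment should read `# context_template(context,mls_sensitivity,[mcs_categories])`. Separately, the new expansion emits `:$2` when `enable_mls` is set and `:s0[:$3]` when `enable_mcs` is set, so a build with both defined would yield `$1:$2:s0...`, a doubled range; if the two are meant to be mutually exclusive, state that in the comment, otherwise guard the MCS branch.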
diff --git a/strict/ChangeLog b/strict/ChangeLog
index 20fcfc3..db9833c 100644
--- a/strict/ChangeLog
+++ b/strict/ChangeLog
@@ -1,3 +1,26 @@
+1.27.1 2005-09-15
+ * Merged small patches from Russell Coker for the apostrophe,
+ dhcpc, fsadm, and setfiles policy.
+ * Merged a patch from Russell Coker with some minor fixes to a
+ multitude of policy files.
+ * Merged patch from Dan Walsh from August 15th. Adds certwatch
+ policy. Adds mcs support to Makefile. Adds mcs file which
+ defines sensitivities and categories for the MSC policy. Creates
+ an authentication_domain macro in global_macros.te for domains
+ that use pam_authentication. Creates the anonymous_domain macro
+ so that the ftpd, rsync, httpd, and smbd domains can share the
+ ftpd_anon_t and ftpd_anon_rw_t types. Removes netifcon rules to
+ start isolating individual ethernet devices. Changes vpnc from a
+ daemon to an application_domain. Adds audit_control capability to
+ crond_t. Adds dac_override and dac_read_search capabilities to
+ fsadm_t to allow the manipulation of removable media. Adds
+ read_sysctl macro to the base_passwd_domain macro. Adds rules to
+ allow alsa_t to communicate with userspace. Allows networkmanager
+ to communicate with isakmp_port and to use vpnc. For targeted
+ policy, removes transitions of sysadm_t to apm_t, backup_t,
+ bootloader_t, cardmgr_t, clockspeed_t, hwclock_t, and kudzu_t.
+ Makes other minor cleanups and fixes.
+
1.26 2005-09-06
* Updated version for release.
diff --git a/strict/Makefile b/strict/Makefile
index fec8c3e..fac8cab 100644
--- a/strict/Makefile
+++ b/strict/Makefile
@@ -15,6 +15,9 @@
# Set to y if MLS is enabled in the policy.
MLS=n
+# Set to y if MCS is enabled in the policy
+MCS=n
+
FLASKDIR = flask/
PREFIX = /usr
BINDIR = $(PREFIX)/bin
@@ -24,14 +27,18 @@ CHECKPOLICY = $(BINDIR)/checkpolicy
GENHOMEDIRCON = $(SBINDIR)/genhomedircon
SETFILES = $(SBINDIR)/setfiles
VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
+PREVERS := 19
KERNVERS := $(shell cat /selinux/policyvers)
POLICYVER := policy.$(VERS)
TOPDIR = $(DESTDIR)/etc/selinux
+TYPE=strict
ifeq ($(MLS),y)
TYPE=mls
-else
-TYPE=strict
endif
+ifeq ($(MCS),y)
+TYPE=mcs
+endif
+
INSTALLDIR = $(TOPDIR)/$(TYPE)
POLICYPATH = $(INSTALLDIR)/policy
SRCPATH = $(INSTALLDIR)/src
@@ -54,6 +61,10 @@ ifeq ($(MLS),y)
POLICYFILES += mls
CHECKPOLMLS += -M
endif
+ifeq ($(MCS), y)
+POLICYFILES += mcs
+CHECKPOLMLS += -M
+endif
DEFCONTEXTFILES = initial_sid_contexts fs_use genfs_contexts net_contexts
POLICYFILES += $(ALL_TUNABLES) $(TE_RBAC_FILES)
POLICYFILES += $(USER_FILES)
@@ -148,8 +159,10 @@ $(LOADPATH): policy.conf $(CHECKPOLICY)
@echo "Compiling policy ..."
@mkdir -p $(POLICYPATH)
$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
-ifneq ($(MLS),y)
+ifneq ($(VERS),$(PREVERS))
+ $(CHECKPOLICY) -c $(PREVERS) -o $(POLICYPATH)/policy.$(PREVERS) policy.conf
endif
+
# Note: Can't use install, so not sure how to deal with mode, user, and group
# other than by default.
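Review bot: The fallback compile on L1136 omits `$(CHECKPOLMLS)`, while the primary compile on L1133 passes it; with MLS or MCS enabled (L1121, L1125 add `-M`), policy.conf contains MLS statements that checkpolicy will not accept without `-M`, so the `policy.$(PREVERS)` build presumably fails in exactly the configurations this commit introduces. Change the line to `$(CHECKPOLICY) $(CHECKPOLMLS) -c $(PREVERS) -o $(POLICYPATH)/policy.$(PREVERS) policy.conf`.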
@@ -162,7 +175,11 @@ $(POLICYVER): policy.conf $(FC) $(CHECKPOLICY)
reload tmp/load: $(LOADPATH)
@echo "Loading Policy ..."
+ifeq ($(VERS), $(KERNVERS))
$(LOADPOLICY) $(LOADPATH)
+else
+ $(LOADPOLICY) $(POLICYPATH)/policy.$(PREVERS)
+endif
touch tmp/load
load: tmp/load $(FCPATH)
@@ -328,3 +345,22 @@ mlsconvert:
@sed "s/MLS=n/MLS=y/" Makefile > Makefile.new
@mv Makefile.new Makefile
@echo "Done"
+
+mcsconvert:
+ @for file in $(CONTEXTFILES); do \
+ echo "Converting $$file"; \
+ sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \
+ mv $$file.new $$file; \
+ done
+ @for file in $(USER_FILES); do \
+ echo "Converting $$file"; \
+ sed -r -e 's/\;/ level s0 range s0;/' $$file | \
+ sed -r -e 's/(user (root|system_u).*);/\1 - s0:c0.c127;/' > $$file.new; \
+ mv $$file.new $$file; \
+ done
+ @sed -e '/sid kernel/s/s0/s0 - s0:c0.c127/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts
+ @echo "Enabling MCS in the Makefile"
+ @sed "s/MCS=y/MCS=y/" Makefile > Makefile.new
+ @mv Makefile.new Makefile
+ @echo "Done"
+
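Review bot: The final step of `mcsconvert` is a no-op: `sed "s/MCS=y/MCS=y/"` rewrites nothing, so the echo "Enabling MCS in the Makefile" is misleading and MCS stays `n` after the conversion (compare `mlsconvert` on L1152, which uses `s/MLS=n/MLS=y/`). It should be `@sed "s/MCS=n/MCS=y/" Makefile > Makefile.new`. The `_t\b` → `_t:s0` substitution on L1159 is also not idempotent, so a second run appends a second `:s0`; a guard or a comment warning against re-running would help.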
diff --git a/strict/VERSION b/strict/VERSION
index 24cffb8..08002f8 100644
--- a/strict/VERSION
+++ b/strict/VERSION
@@ -1 +1 @@
-1.26
+1.27.1
diff --git a/strict/appconfig/default_type b/strict/appconfig/default_type
index 5212ca4..af878bd 100644
--- a/strict/appconfig/default_type
+++ b/strict/appconfig/default_type
@@ -1,3 +1,4 @@
+secadm_r:secadm_t
sysadm_r:sysadm_t
staff_r:staff_t
user_r:user_t
diff --git a/strict/attrib.te b/strict/attrib.te
index ca9d8e8..9648dcf 100644
--- a/strict/attrib.te
+++ b/strict/attrib.te
@@ -94,7 +94,7 @@ attribute priv_system_role;
# The privowner attribute identifies every domain that can
# assign a different SELinux user identity to a file, or that
-# can create a file with an identity that's not the same as the
+# can create a file with an identity that is not the same as the
# process identity. This attribute is used in the constraints
# configuration.
attribute privowner;
@@ -201,6 +201,10 @@ attribute userpty_type;
# unpriviledged user
attribute user_tty_type;
+# The admin_tty_type identifies every type for a tty or pty owned by a
+# priviledged user
+attribute admin_tty_type;
+
# The user_crond_domain attribute identifies every user_crond domain, presently
# user_crond_t and sysadm_crond_t. It is used in TE rules that should be
# applied to all user domains.
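Review bot: The new comment for `admin_tty_type` copies the misspelling from the `user_tty_type` comment above it: `priviledged` should be `privileged`. Proposed text: `# The admin_tty_type identifies every type for a tty or pty owned by a privileged user`.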
@@ -255,6 +259,11 @@ attribute dev_fs;
# in TE rules to grant such access for administrator domains.
attribute sysadmfile;
+# The secadmfile attribute identifies all types assigned to files
+# that should be only accessible to security administrators. It is used
+# in TE rules to grant such access for security administrator domains.
+attribute secadmfile;
+
# The fs_type attribute identifies all types assigned to filesystems
# (not limited to persistent filesystems).
# It is used in TE rules to permit certain domains to mount
diff --git a/strict/domains/program/acct.te b/strict/domains/program/acct.te
index 75f3074..bbb4fdc 100644
--- a/strict/domains/program/acct.te
+++ b/strict/domains/program/acct.te
@@ -23,10 +23,11 @@ allow acct_t urandom_device_t:chr_file read;
type acct_data_t, file_type, logfile, sysadmfile;
-allow acct_t self:capability sys_pacct;
+# not sure why we need this, the command "last" is reported as using it
+dontaudit acct_t self:capability kill;
# gzip needs chown capability for some reason
-allow acct_t self:capability chown;
+allow acct_t self:capability { chown fsetid sys_pacct };
allow acct_t var_t:dir { getattr search };
rw_dir_create_file(acct_t, acct_data_t)
@@ -37,14 +38,13 @@ allow acct_t bin_t:lnk_file read;
read_locale(acct_t)
-allow acct_t self:capability fsetid;
allow acct_t fs_t:filesystem getattr;
allow acct_t self:unix_stream_socket create_socket_perms;
allow acct_t self:fifo_file { read write getattr };
-allow acct_t proc_t:file { read getattr };
+allow acct_t { self proc_t }:file { read getattr };
read_sysctl(acct_t)
@@ -53,8 +53,6 @@ dontaudit acct_t sysadm_home_dir_t:dir { getattr search };
# for nscd
dontaudit acct_t var_run_t:dir search;
-# not sure why we need this, the command "last" is reported as using it
-dontaudit acct_t self:capability kill;
allow acct_t devtty_t:chr_file { read write };
diff --git a/strict/domains/program/apache.te b/strict/domains/program/apache.te
index 72a708c..fb1fc1e 100644
--- a/strict/domains/program/apache.te
+++ b/strict/domains/program/apache.te
@@ -222,6 +222,9 @@ tmp_domain(httpd_php)
# Creation of lock files for apache2
lock_domain(httpd)
+# Allow apache to used ftpd_anon_t
+anonymous_domain(httpd)
+
# connect to mysql
ifdef(`mysqld.te', `
can_unix_connect(httpd_php_t, mysqld_t)
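Review bot: `anonymous_domain(httpd)` lets the web server share the anonymous FTP types, and judging by the ftpd.te lines it replaces (L1458-L1460) that presumably includes `create_dir_file` on `ftpd_anon_rw_t`, so content written through one service becomes readable and writable by the other. A comment should make that shared-write scope explicit so an administrator knows the anonymous upload area is reachable from httpd; the current comment also has a grammar slip (`to used`). Suggested: `# Allow apache to use ftpd_anon_t / ftpd_anon_rw_t (shared with ftpd, rsync and smbd; write access included)`.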
@@ -300,7 +303,7 @@ allow httpd_helper_t httpd_log_t:file { append };
##################################################
if (httpd_tty_comm) {
-allow { httpd_t httpd_helper_t } devpts_t:dir { search };
+allow { httpd_t httpd_helper_t } devpts_t:dir search;
ifdef(`targeted_policy', `
allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file { read write };
')
diff --git a/strict/domains/program/apmd.te b/strict/domains/program/apmd.te
index dd08d41..6ce5958 100644
--- a/strict/domains/program/apmd.te
+++ b/strict/domains/program/apmd.te
@@ -16,7 +16,9 @@ allow apmd_t urandom_device_t:chr_file read;
type apm_t, domain, privlog;
type apm_exec_t, file_type, sysadmfile, exec_type;
+ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, apm_exec_t, apm_t)
+')
uses_shlib(apm_t)
allow apm_t privfd:fd use;
allow apm_t admin_tty_type:chr_file rw_file_perms;
diff --git a/strict/domains/program/bluetooth.te b/strict/domains/program/bluetooth.te
index b2e3622..fc09db6 100644
--- a/strict/domains/program/bluetooth.te
+++ b/strict/domains/program/bluetooth.te
@@ -43,3 +43,6 @@ allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl };
allow initrc_t usbfs_t:file { getattr read };
allow bluetooth_t usbfs_t:dir r_dir_perms;
allow bluetooth_t usbfs_t:file rw_file_perms;
+allow bluetooth_t bin_t:dir search;
+can_exec(bluetooth_t, bin_t)
+
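Review bot: `can_exec(bluetooth_t, bin_t)` grants the daemon execution of every `bin_t` program without a domain transition, and the hunk gives no hint which helper needs it. A comment naming the program would make the breadth reviewable later: `# TODO: name the bin_t helper bluetoothd executes; this runs it unconfined within bluetooth_t`.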
diff --git a/strict/domains/program/certwatch.te b/strict/domains/program/certwatch.te
new file mode 100644
index 0000000..2abb168
--- /dev/null
+++ b/strict/domains/program/certwatch.te
@@ -0,0 +1,11 @@
+#DESC certwatch - generate SSL certificate expiry warnings
+#
+# Domains for the certwatch process
+# Authors: Dan Walsh <dwalsh at redhat.com>,
+#
+application_domain(certwatch)
+role system_r types certwatch_t;
+r_dir_file(certwatch_t, cert_t)
+can_exec(certwatch_t, httpd_modules_t)
+system_crond_entry(certwatch_exec_t, certwatch_t)
+read_locale(certwatch_t)
diff --git a/strict/domains/program/cyrus.te b/strict/domains/program/cyrus.te
index a22fce9..8680035 100644
--- a/strict/domains/program/cyrus.te
+++ b/strict/domains/program/cyrus.te
@@ -20,7 +20,7 @@ allow cyrus_t port_type:tcp_socket name_connect;
can_ypbind(cyrus_t)
can_exec(cyrus_t, bin_t)
allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
-allow cyrus_t cyrus_var_lib_t:{file sock_file } create_file_perms;
+allow cyrus_t cyrus_var_lib_t:{file sock_file lnk_file} create_file_perms;
allow cyrus_t etc_t:file { getattr read };
allow cyrus_t lib_t:file { execute execute_no_trans getattr read };
read_locale(cyrus_t)
@@ -42,3 +42,11 @@ allow system_crond_t cyrus_var_lib_t:file create_file_perms;
create_dir_file(cyrus_t, mail_spool_t)
allow cyrus_t var_spool_t:dir search;
+ifdef(`saslaudthd.te', `
+allow cyrus_t saslauthd_var_run_t:dir search;
+allow cyrus_t saslauthd_var_run_t:sock_file { read write };
+allow cyrus_t saslauthd_t:unix_stream_socket { connectto };
+')
+
+r_dir_file(cyrus_t, cert_t)
+allow cyrus_t { urandom_device_t random_device_t }:chr_file { read getattr };
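Review bot: The guard on L1330 tests `ifdef(`saslaudthd.te', ...)` but the types it encloses are `saslauthd_var_run_t` and `saslauthd_t`, so the file name is misspelled and the condition never matches; the three rules are silently dropped and cyrus will keep failing to reach saslauthd in enforcing mode. The fix is the guard line: `ifdef(`saslauthd.te', `` (matching the policy file that declares those types).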
diff --git a/strict/domains/program/dhcpd.te b/strict/domains/program/dhcpd.te
index 67ae087..07ad4ce 100644
--- a/strict/domains/program/dhcpd.te
+++ b/strict/domains/program/dhcpd.te
@@ -15,21 +15,18 @@
# dhcpd_exec_t is the type of the dhcpdd executable.
# The dhcpd_t can be used for other DHCPC related files as well.
#
-daemon_domain(dhcpd)
+daemon_domain(dhcpd, `, nscd_client_domain')
allow dhcpd_t dhcpd_port_t:udp_socket name_bind;
# for UDP port 4011
-ifdef(`pxe.te', `', `
-type pxe_port_t, port_type;
-')
allow dhcpd_t pxe_port_t:udp_socket name_bind;
type dhcp_etc_t, file_type, sysadmfile, usercanread;
-typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
# Use the network.
can_network(dhcpd_t)
+allow dhcpd_t port_type:tcp_socket name_connect;
can_ypbind(dhcpd_t)
allow dhcpd_t self:unix_dgram_socket create_socket_perms;
allow dhcpd_t self:unix_stream_socket create_socket_perms;
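Review bot: `allow dhcpd_t port_type:tcp_socket name_connect;` permits outbound connections to every labeled TCP port, which is wider than a DHCP server needs; if a specific peer is intended (a DNS server for dynamic updates, presumably), a narrower port type or at least a comment should record it: `# TODO: restrict to the port type dhcpd actually connects to`. The hunk also removes the `pxe_port_t` fallback declaration (L1350-L1352) while L1353 still uses the type, so the build now depends on `pxe_port_t` being declared unconditionally elsewhere, which this diff does not show.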
diff --git a/strict/domains/program/firstboot.te b/strict/domains/program/firstboot.te
index bb4d4e8..e07bc43 100644
--- a/strict/domains/program/firstboot.te
+++ b/strict/domains/program/firstboot.te
@@ -57,9 +57,6 @@ allow firstboot_t etc_t:file write;
# Allow write to utmp file
allow firstboot_t initrc_var_run_t:file write;
-allow firstboot_t krb5_conf_t:file { getattr read };
-allow firstboot_t net_conf_t:file { getattr read };
-
ifdef(`samba.te', `
rw_dir_file(firstboot_t, samba_etc_t)
')
@@ -95,10 +92,6 @@ allow firstboot_t krb5_conf_t:file rw_file_perms;
allow firstboot_t modules_conf_t:file { getattr read };
allow firstboot_t modules_dep_t:file { getattr read };
allow firstboot_t modules_object_t:dir search;
-allow firstboot_t net_conf_t:file rw_file_perms;
-allow firstboot_t netif_lo_t:netif { tcp_recv tcp_send };
-allow firstboot_t node_t:node { tcp_recv tcp_send };
-
allow firstboot_t port_t:tcp_socket { recv_msg send_msg };
allow firstboot_t proc_t:lnk_file read;
diff --git a/strict/domains/program/fs_daemon.te b/strict/domains/program/fs_daemon.te
index 6ec6da0..05c98a9 100644
--- a/strict/domains/program/fs_daemon.te
+++ b/strict/domains/program/fs_daemon.te
@@ -15,6 +15,8 @@ allow fsdaemon_t fixed_disk_device_t:blk_file rw_file_perms;
allow fsdaemon_t self:capability { setgid sys_rawio sys_admin };
allow fsdaemon_t etc_runtime_t:file { getattr read };
+allow fsdaemon_t proc_mdstat_t:file { getattr read };
+
can_exec_any(fsdaemon_t)
allow fsdaemon_t self:fifo_file rw_file_perms;
can_network_udp(fsdaemon_t)
diff --git a/strict/domains/program/fsadm.te b/strict/domains/program/fsadm.te
index 6ae2a67..56295e3 100644
--- a/strict/domains/program/fsadm.te
+++ b/strict/domains/program/fsadm.te
@@ -12,14 +12,14 @@
# administration.
# fsadm_exec_t is the type of the corresponding programs.
#
-type fsadm_t, domain, privlog, fs_domain;
+type fsadm_t, domain, privlog, fs_domain, mlsfileread;
role system_r types fsadm_t;
role sysadm_r types fsadm_t;
general_domain_access(fsadm_t)
# for swapon
-allow fsadm_t sysfs_t:dir { search getattr };
+r_dir_file(fsadm_t, sysfs_t)
# Read system information files in /proc.
r_dir_file(fsadm_t, proc_t)
@@ -33,8 +33,7 @@ allow fsadm_t tmpfs_t:dir { getattr search };
base_file_read_access(fsadm_t)
# Read /etc.
-allow fsadm_t etc_t:dir r_dir_perms;
-allow fsadm_t etc_t:notdevfile_class_set r_file_perms;
+r_dir_file(fsadm_t, etc_t)
# Read module-related files.
allow fsadm_t modules_conf_t:{ file lnk_file } r_file_perms;
@@ -47,8 +46,9 @@ uses_shlib(fsadm_t)
type fsadm_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(initrc_t, fsadm_exec_t, fsadm_t)
+ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, fsadm_exec_t, fsadm_t)
-
+')
tmp_domain(fsadm)
# remount file system to apply changes
@@ -63,7 +63,7 @@ allow fsadm_t proc_t:filesystem getattr;
allow fsadm_t { urandom_device_t random_device_t }:chr_file { getattr read };
# Use capabilities. ipc_lock is for losetup
-allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config };
+allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search };
# Write to /etc/mtab.
file_type_auto_trans(fsadm_t, etc_t, etc_runtime_t, file)
@@ -101,7 +101,7 @@ allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon };
allow fsadm_t kernel_t:system syslog_console;
# Access terminals.
-allow fsadm_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+allow fsadm_t { initrc_devpts_t admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
allow fsadm_t privfd:fd use;
allow fsadm_t devpts_t:dir { getattr search };
diff --git a/strict/domains/program/ftpd.te b/strict/domains/program/ftpd.te
index 57d79f6..ab5101e 100644
--- a/strict/domains/program/ftpd.te
+++ b/strict/domains/program/ftpd.te
@@ -110,9 +110,5 @@ if (use_samba_home_dirs && ftp_home_dir) {
r_dir_file(ftpd_t, cifs_t)
}
dontaudit ftpd_t selinux_config_t:dir search;
-#
-# Type for access to anon ftp
-#
-r_dir_file(ftpd_t,ftpd_anon_t)
-type ftpd_anon_rw_t, file_type, sysadmfile, customizable;
-create_dir_file(ftpd_t,ftpd_anon_rw_t)
+anonymous_domain(ftpd)
+
diff --git a/strict/domains/program/hald.te b/strict/domains/program/hald.te
index ed84911..1d1ce66 100644
--- a/strict/domains/program/hald.te
+++ b/strict/domains/program/hald.te
@@ -30,12 +30,13 @@ allow hald_t { bin_t sbin_t }:dir search;
allow hald_t self:fifo_file rw_file_perms;
allow hald_t usr_t:file { getattr read };
allow hald_t bin_t:file getattr;
+
# For backwards compatibility with older kernels
allow hald_t self:netlink_socket create_socket_perms;
allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
allow hald_t self:netlink_route_socket r_netlink_socket_perms;
-allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
+allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
can_network_server(hald_t)
can_ypbind(hald_t)
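Review bot: `sys_rawio` is appended to hald_t's capability set on L1477 with no comment, although it permits raw I/O to ports and block devices and is a notable widening for a hardware-abstraction daemon. Record the need inline, e.g. `# sys_rawio: required by a hald probe — TODO name it`, so the grant can be re-evaluated when that probe changes.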
@@ -45,6 +46,10 @@ allow hald_t removable_device_t:blk_file write;
allow hald_t event_device_t:chr_file { getattr read ioctl };
allow hald_t printer_device_t:chr_file rw_file_perms;
allow hald_t urandom_device_t:chr_file read;
+allow hald_t mouse_device_t:chr_file r_file_perms;
+allow hald_t device_type:chr_file getattr;
+
+can_getsecurity(hald_t)
ifdef(`updfstab.te', `
domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)
diff --git a/strict/domains/program/hostname.te b/strict/domains/program/hostname.te
index 575833c..579cd97 100644
--- a/strict/domains/program/hostname.te
+++ b/strict/domains/program/hostname.te
@@ -10,7 +10,7 @@ role sysadm_r types hostname_t;
allow hostname_t self:capability sys_admin;
allow hostname_t etc_t:file { getattr read };
-allow hostname_t { user_tty_type admin_tty_type }:chr_file { getattr read write };
+allow hostname_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
read_locale(hostname_t)
can_resolve(hostname_t)
allow hostname_t userdomain:fd use;
@@ -26,3 +26,5 @@ dontaudit hostname_t file_t:dir search;
ifdef(`distro_redhat', `
allow hostname_t tmpfs_t:chr_file rw_file_perms;
')
+allow hostname_t initrc_devpts_t:chr_file { read write };
+allow hostname_t initrc_t:fd use;
diff --git a/strict/domains/program/hwclock.te b/strict/domains/program/hwclock.te
index c4e3d77..e5c5c4e 100644
--- a/strict/domains/program/hwclock.te
+++ b/strict/domains/program/hwclock.te
@@ -17,7 +17,9 @@
#
daemon_base_domain(hwclock)
role sysadm_r types hwclock_t;
+ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t)
+')
type adjtime_t, file_type, sysadmfile;
allow hwclock_t fs_t:filesystem getattr;
@@ -44,3 +46,4 @@ read_locale(hwclock_t)
# for when /usr is not mounted
dontaudit hwclock_t file_t:dir search;
+allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
diff --git a/strict/domains/program/ifconfig.te b/strict/domains/program/ifconfig.te
index 48ffb7b..dbab5bf 100644
--- a/strict/domains/program/ifconfig.te
+++ b/strict/domains/program/ifconfig.te
@@ -34,7 +34,7 @@ allow ifconfig_t etc_t:file { getattr read };
allow ifconfig_t self:socket create_socket_perms;
# Use capabilities.
-allow ifconfig_t self:capability net_admin;
+allow ifconfig_t self:capability { net_raw net_admin };
dontaudit ifconfig_t self:capability sys_module;
allow ifconfig_t self:capability sys_tty_config;
diff --git a/strict/domains/program/ipsec.te b/strict/domains/program/ipsec.te
index 3bb4bad..36e55ac 100644
--- a/strict/domains/program/ipsec.te
+++ b/strict/domains/program/ipsec.te
@@ -60,8 +60,8 @@ allow sysadm_t ipsec_t:key_socket getattr;
# it in its own domain?)
can_exec(ipsec_mgmt_t, bin_t)
# logger, running in ipsec_mgmt_t needs to use sockets
-allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
-allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
+allow ipsec_mgmt_t self:unix_dgram_socket create_socket_perms;
+allow ipsec_mgmt_t ipsec_t:unix_dgram_socket create_socket_perms;
# also need to run things like whack and shell scripts
can_exec(ipsec_mgmt_t, ipsec_exec_t)
@@ -169,7 +169,7 @@ allow ipsec_t self:unix_stream_socket {create setopt bind listen accept read wri
# Pluto needs network access
can_network_server(ipsec_t)
can_ypbind(ipsec_t)
-allow ipsec_t self:unix_dgram_socket { create connect write };
+allow ipsec_t self:unix_dgram_socket create_socket_perms;
# for sleep
allow ipsec_mgmt_t fs_t:filesystem getattr;
@@ -211,6 +211,7 @@ allow ipsec_mgmt_t tmpfs_t:dir { getattr read };
allow ipsec_mgmt_t self:key_socket { create setopt };
can_exec(ipsec_mgmt_t, initrc_exec_t)
allow ipsec_t self:netlink_xfrm_socket create_socket_perms;
+allow ipsec_t self:netlink_route_socket r_netlink_socket_perms;
read_locale(ipsec_t)
ifdef(`consoletype.te', `
can_exec(ipsec_mgmt_t, consoletype_exec_t )
diff --git a/strict/domains/program/kudzu.te b/strict/domains/program/kudzu.te
index 7ec13fc..803ae3d 100644
--- a/strict/domains/program/kudzu.te
+++ b/strict/domains/program/kudzu.te
@@ -48,7 +48,9 @@ allow kudzu_t devpts_t:dir search;
allow kudzu_t { tty_device_t devtty_t admin_tty_type }:chr_file rw_file_perms;
role sysadm_r types kudzu_t;
+ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, kudzu_exec_t, kudzu_t)
+')
ifdef(`anaconda.te', `
domain_auto_trans(anaconda_t, kudzu_exec_t, kudzu_t)
')
diff --git a/strict/domains/program/logrotate.te b/strict/domains/program/logrotate.te
index 33c1d51..d568a5f 100644
--- a/strict/domains/program/logrotate.te
+++ b/strict/domains/program/logrotate.te
@@ -141,5 +141,10 @@ allow logrotate_t syslogd_t:unix_dgram_socket sendto;
domain_auto_trans(logrotate_t, initrc_exec_t, initrc_t)
+# Supress libselinux initialization denials
dontaudit logrotate_t selinux_config_t:dir search;
+dontaudit logrotate_t selinux_config_t:file { read getattr };
+# Allow selinux_getenforce
+allow logrotate_t security_t:dir search;
+allow logrotate_t security_t:file { getattr read };
diff --git a/strict/domains/program/mailman.te b/strict/domains/program/mailman.te
index b2f593e..72fe6a7 100644
--- a/strict/domains/program/mailman.te
+++ b/strict/domains/program/mailman.te
@@ -91,6 +91,8 @@ allow mailman_cgi_t var_spool_t:dir search;
allow mta_delivery_agent mailman_data_t:dir search;
allow mta_delivery_agent mailman_data_t:lnk_file read;
+allow initrc_t mailman_data_t:lnk_file read;
+allow initrc_t mailman_data_t:dir r_dir_perms;
domain_auto_trans({ mta_delivery_agent initrc_t }, mailman_mail_exec_t, mailman_mail_t)
ifdef(`direct_sysadm_daemon', `
domain_auto_trans(sysadm_t, mailman_mail_exec_t, mailman_mail_t)
diff --git a/strict/domains/program/mta.te b/strict/domains/program/mta.te
index 6c141c4..d7d49e1 100644
--- a/strict/domains/program/mta.te
+++ b/strict/domains/program/mta.te
@@ -22,7 +22,7 @@ ifdef(`targeted_policy', `
# rules are currently defined in sendmail.te, but it is not included in
# targeted policy. We could move these rules permanantly here.
ifdef(`postfix.te', `', `can_exec_any(system_mail_t)')
-allow system_mail_t self:dir { search };
+allow system_mail_t self:dir search;
allow system_mail_t self:lnk_file read;
r_dir_file(system_mail_t, { proc_t proc_net_t })
allow system_mail_t fs_t:filesystem getattr;
diff --git a/strict/domains/program/ntpd.te b/strict/domains/program/ntpd.te
index 80ea965..db49c23 100644
--- a/strict/domains/program/ntpd.te
+++ b/strict/domains/program/ntpd.te
@@ -26,7 +26,7 @@ allow ntpd_t ntp_drift_t:file create_file_perms;
# for SSP
allow ntpd_t urandom_device_t:chr_file { getattr read };
-allow ntpd_t self:capability { kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot };
+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot };
dontaudit ntpd_t self:capability { net_admin };
allow ntpd_t self:process { setcap setsched };
# ntpdate wants sys_nice
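Review bot: `chown` and `dac_override` are added to ntpd_t's capability set with no comment saying which file access needed them; the `# for SSP` comment above belongs to the urandom line, not to this one. dac_override lets the daemon bypass DAC permission checks on every object its type-enforcement rules already allow, so it deserves a why-comment such as `# chown/dac_override: needed to write <path> as non-root — TODO confirm`. If the need is only to read a root-owned file, `dac_read_search` is the narrower capability.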
diff --git a/strict/domains/program/passwd.te b/strict/domains/program/passwd.te
index e984320..d7dff6c 100644
--- a/strict/domains/program/passwd.te
+++ b/strict/domains/program/passwd.te
@@ -64,6 +64,7 @@ dontaudit $1_t { user_home_dir_type user_home_type }:dir search;
dontaudit $1_t { proc_t device_t }:dir { search read };
allow $1_t device_t:dir getattr;
+read_sysctl($1_t)
')
#################################
@@ -149,3 +150,8 @@ allow passwd_t userdomain:file { getattr read };
allow passwd_t userdomain:process getattr;
allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+ifdef(`targeted_policy', `
+role system_r types sysadm_passwd_t;
+allow sysadm_passwd_t devpts_t:chr_file rw_file_perms;
+')
diff --git a/strict/domains/program/ping.te b/strict/domains/program/ping.te
index cc1407e..3a54e81 100644
--- a/strict/domains/program/ping.te
+++ b/strict/domains/program/ping.te
@@ -42,9 +42,6 @@ allow ping_t self:unix_stream_socket create_socket_perms;
# Let ping create raw ICMP packets.
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
-allow ping_t netif_type:netif { rawip_send rawip_recv };
-allow ping_t node_type:node { rawip_send rawip_recv };
-
# Use capabilities.
allow ping_t self:capability { net_raw setuid };
@@ -52,7 +49,6 @@ allow ping_t self:capability { net_raw setuid };
allow ping_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;')
allow ping_t privfd:fd use;
-
dontaudit ping_t fs_t:filesystem getattr;
# it tries to access /var/run
diff --git a/strict/domains/program/pppd.te b/strict/domains/program/pppd.te
index e0c1ea2..c2dc6e7 100644
--- a/strict/domains/program/pppd.te
+++ b/strict/domains/program/pppd.te
@@ -32,12 +32,9 @@ allow pppd_t sysfs_t:dir search;
log_domain(pppd)
# Use the network.
-can_network(pppd_t)
+can_network_server(pppd_t)
can_ypbind(pppd_t)
-allow pppd_t fingerd_port_t:tcp_socket name_connect;
-
-
# Use capabilities.
allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };
lock_domain(pppd)
@@ -55,8 +52,6 @@ allow postfix_postqueue_t pppd_t:process sigchld;
# allow running ip-up and ip-down scripts and running chat.
can_exec(pppd_t, { shell_exec_t bin_t sbin_t etc_t ifconfig_exec_t })
-can_exec(pppd_t, pppd_etc_rw_t)
-can_exec(pppd_t, hostname_exec_t)
allow pppd_t { bin_t sbin_t }:dir search;
allow pppd_t { sbin_t bin_t }:lnk_file read;
@@ -115,7 +110,6 @@ ifdef(`modutil.te', `
domain_auto_trans(pppd_t, insmod_exec_t, insmod_t)
')
}
-domain_auto_trans(pppd_t, named_exec_t, named_t)
daemon_domain(pptp)
can_network_client_tcp(pptp_t)
@@ -136,4 +130,17 @@ allow pptp_t self:capability net_raw;
allow pptp_t self:fifo_file { read write };
allow pptp_t ptmx_t:chr_file rw_file_perms;
log_domain(pptp)
+
+# Fix sockets
+allow pptp_t pptp_var_run_t:sock_file create_file_perms;
+
+# Allow pptp to append to pppd log files
allow pptp_t pppd_log_t:file append;
+
+ifdef(`named.te', `
+dontaudit ndc_t pppd_t:fd use;
+')
+
+# Allow /etc/ppp/ip-{up,down} to run most anything
+type pppd_script_exec_t, file_type, sysadmfile;
+domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
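Review bot: `domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)` gives anything labelled pppd_script_exec_t the full initrc_t domain, so the safety of this rule rests entirely on the file_contexts entry (`/etc/ppp/(auth|ip(v6|x)?)-(up|down)` in pppd.fc) and on pppd_t never being able to write a file of that type. No rule in this diff lets pppd_t write pppd_script_exec_t, which is right, but that invariant should be stated rather than left implicit. A dedicated pppd_script_t domain would bound a compromised pppd better than initrc_t; failing that, replace the comment with `# /etc/ppp/{auth,ip,ipv6,ipx}-{up,down} are admin-owned scripts run as initrc_t; pppd_t must never be able to write pppd_script_exec_t`.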
diff --git a/strict/domains/program/privoxy.te b/strict/domains/program/privoxy.te
index 9e94026..b8a522df 100644
--- a/strict/domains/program/privoxy.te
+++ b/strict/domains/program/privoxy.te
@@ -16,8 +16,9 @@ logdir_domain(privoxy)
allow privoxy_t self:capability net_bind_service;
# Use the network.
-can_network(privoxy_t)
+can_network_tcp(privoxy_t)
can_ypbind(privoxy_t)
+can_resolve(privoxy_t)
allow privoxy_t http_cache_port_t:tcp_socket name_bind;
allow privoxy_t etc_t:file { getattr read };
allow privoxy_t self:capability { setgid setuid };
diff --git a/strict/domains/program/rlogind.te b/strict/domains/program/rlogind.te
index d6fa1c5..b0ac4f0 100644
--- a/strict/domains/program/rlogind.te
+++ b/strict/domains/program/rlogind.te
@@ -35,4 +35,4 @@ allow rlogind_t self:file { getattr read };
allow rlogind_t default_t:dir search;
typealias rlogind_port_t alias rlogin_port_t;
read_sysctl(rlogind_t);
-allow rlogind_t krb5_keytab_t:file { getattr read };
+allow rlogind_t krb5_keytab_t:file r_file_perms;
diff --git a/strict/domains/program/rpm.te b/strict/domains/program/rpm.te
index 0fc36f9..e245f57 100644
--- a/strict/domains/program/rpm.te
+++ b/strict/domains/program/rpm.te
@@ -31,6 +31,7 @@ tmpfs_domain(rpm)
log_domain(rpm)
can_network(rpm_t)
+allow rpm_t port_type:tcp_socket name_connect;
can_ypbind(rpm_t)
# Allow the rpm domain to execute other programs
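Review bot: `allow rpm_t port_type:tcp_socket name_connect;` lets rpm connect to every labelled TCP port, which is broader than the package fetching it is presumably for and lets a compromised rpm_t reach local services (databases, control sockets) that it has no business contacting. Naming the specific port types rpm needs, or at least adding a comment recording why the whole `port_type` attribute is required, would make the scope reviewable. `can_network(rpm_t)` on the line above already supplies the socket permissions; only the name_connect target needs narrowing.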
diff --git a/strict/domains/program/rsync.te b/strict/domains/program/rsync.te
index 6bac7b7..c7d5378 100644
--- a/strict/domains/program/rsync.te
+++ b/strict/domains/program/rsync.te
@@ -15,3 +15,5 @@ inetd_child_domain(rsync)
type rsync_data_t, file_type, sysadmfile;
r_dir_file(rsync_t, rsync_data_t)
r_dir_file(rsync_t, ftpd_anon_t)
+
+
diff --git a/strict/domains/program/samba.te b/strict/domains/program/samba.te
index 09f5960..a1570b6 100644
--- a/strict/domains/program/samba.te
+++ b/strict/domains/program/samba.te
@@ -50,7 +50,7 @@ can_network(smbd_t)
can_ldap(smbd_t)
can_kerberos(smbd_t)
can_winbind(smbd_t)
-allow smbd_t ipp_port_t:tcp_socket name_connect;
+allow smbd_t { smbd_port_t ipp_port_t }:tcp_socket name_connect;
allow smbd_t urandom_device_t:chr_file { getattr read };
@@ -189,6 +189,8 @@ allow smbmount_t local_login_t:fd use;
')
# Derive from app. domain. Transition from mount.
application_domain(samba_net, `, nscd_client_domain')
+role system_r types samba_net_t;
+in_user_role(samba_net_t)
file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file)
read_locale(samba_net_t)
allow samba_net_t samba_etc_t:file r_file_perms;
diff --git a/strict/domains/program/saslauthd.te b/strict/domains/program/saslauthd.te
index c10b03b..8786dd1 100644
--- a/strict/domains/program/saslauthd.te
+++ b/strict/domains/program/saslauthd.te
@@ -9,6 +9,7 @@ allow saslauthd_t self:fifo_file { read write };
allow saslauthd_t self:unix_dgram_socket create_socket_perms;
allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
allow saslauthd_t saslauthd_var_run_t:sock_file create_file_perms;
+allow saslauthd_t var_lib_t:dir search;
allow saslauthd_t etc_t:dir { getattr search };
allow saslauthd_t etc_t:file r_file_perms;
@@ -29,3 +30,12 @@ bool allow_saslauthd_read_shadow false;
if (allow_saslauthd_read_shadow) {
allow saslauthd_t shadow_t:file r_file_perms;
}
+dontaudit saslauthd_t selinux_config_t:dir search;
+dontaudit saslauthd_t selinux_config_t:file { getattr read };
+
+
+dontaudit saslauthd_t initrc_t:unix_stream_socket connectto;
+ifdef(`mysqld.te', `
+allow saslauthd_t mysqld_db_t:dir search;
+allow saslauthd_t mysqld_var_run_t:sock_file rw_file_perms;
+')
diff --git a/strict/domains/program/setfiles.te b/strict/domains/program/setfiles.te
index f3bdbd9..dae93e0 100644
--- a/strict/domains/program/setfiles.te
+++ b/strict/domains/program/setfiles.te
@@ -17,6 +17,7 @@ type setfiles_exec_t, file_type, sysadmfile, exec_type;
role system_r types setfiles_t;
role sysadm_r types setfiles_t;
+role secadm_r types setfiles_t;
ifdef(`distro_redhat', `
domain_auto_trans(initrc_t, setfiles_exec_t, setfiles_t)
@@ -26,7 +27,7 @@ allow setfiles_t { ttyfile ptyfile tty_device_t admin_tty_type devtty_t }:chr_fi
allow setfiles_t self:unix_dgram_socket create_socket_perms;
-domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t)
+domain_auto_trans(secadmin, setfiles_exec_t, setfiles_t)
allow setfiles_t { userdomain privfd initrc_t init_t }:fd use;
uses_shlib(setfiles_t)
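Review bot: The transition source changes from `sysadm_t` to `secadmin`, which reads as an attribute rather than a type, while the first hunk keeps `role sysadm_r types setfiles_t` alongside the new secadm_r line. If `secadmin` does not include sysadm_t in builds that have no separate secadm role, sysadm would still be allowed the type but would no longer auto-transition when running setfiles, which is easy to miss because nothing is denied outright. Worth confirming the attribute's membership and recording it, e.g. `# secadmin covers sysadm_t unless a separate secadm_r is enabled`.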
diff --git a/strict/domains/program/slocate.te b/strict/domains/program/slocate.te
index d854f59..8512aab 100644
--- a/strict/domains/program/slocate.te
+++ b/strict/domains/program/slocate.te
@@ -10,7 +10,8 @@
# locate_exec_t is the type of the locate executable.
#
daemon_base_domain(locate)
-
+role system_r types locate_t;
+role sysadm_r types locate_t;
allow locate_t fs_t:filesystem getattr;
ifdef(`crond.te', `
@@ -23,6 +24,7 @@ allow system_crond_t locate_etc_t:file { getattr read };
allow locate_t { userpty_type admin_tty_type }:chr_file rw_file_perms;
allow locate_t { fs_type file_type }:dir r_dir_perms;
+dontaudit locate_t sysctl_t:dir getattr;
allow locate_t file_type:lnk_file r_file_perms;
allow locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } getattr;
dontaudit locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } read;
diff --git a/strict/domains/program/ssh.te b/strict/domains/program/ssh.te
index ee4dcf1..221ec7a 100644
--- a/strict/domains/program/ssh.te
+++ b/strict/domains/program/ssh.te
@@ -9,6 +9,9 @@
# Allow ssh logins as sysadm_r:sysadm_t
bool ssh_sysadm_login false;
+# allow host key based authentication
+bool allow_ssh_keysign false;
+
ifdef(`inetd.te', `
# Allow ssh to run from inetd instead of as a daemon.
bool run_ssh_inetd false;
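Review bot: `bool allow_ssh_keysign false;` is declared but nothing in this diff tests it — there is no `if (allow_ssh_keysign)` block — and the new `ssh_keysign_exec_t` type in the last hunk of this file gets neither a domain nor a transition here. If the conditional lives in macros/program/ssh_macros.te, as the comment at the end of the file suggests for "everything else", a pointer next to the bool would help the next reader. As it stands ssh-keysign, which ssh.fc relabels to this type, ends up with no visible rules, so host-based authentication may simply break in the default-off state rather than be gated by the boolean.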
@@ -111,6 +114,11 @@ read_sysctl($1_t)
can_create_pty($1, `, server_pty')
allow $1_t $1_devpts_t:chr_file { setattr getattr relabelfrom };
dontaudit sshd_t userpty_type:chr_file relabelfrom;
+
+# Allow checking users mail at login
+allow $1_t { var_spool_t mail_spool_t }:dir search;
+allow $1_t mail_spool_t:lnk_file read;
+allow $1_t mail_spool_t:file getattr;
')dnl end sshd_program_domain
# macro for defining which domains a sshd can spawn
@@ -157,11 +165,6 @@ sshd_spawn_domain(sshd_extern, user_mini_domain, mini_pty_type)
# for when the network connection breaks after running newrole -r sysadm_r
dontaudit sshd_t sysadm_devpts_t:chr_file setattr;
-# Allow checking users mail at login
-allow sshd_t { var_spool_t mail_spool_t }:dir search;
-allow sshd_t mail_spool_t:lnk_file read;
-allow sshd_t mail_spool_t:file getattr;
-
ifdef(`inetd.te', `
if (run_ssh_inetd) {
allow inetd_t ssh_port_t:tcp_socket name_bind;
@@ -217,6 +220,7 @@ file_type_auto_trans(ssh_keygen_t, etc_t, sshd_key_t, file)
# Type for the ssh executable.
type ssh_exec_t, file_type, exec_type, sysadmfile;
+type ssh_keysign_exec_t, file_type, exec_type, sysadmfile;
# Everything else is in the ssh_domain macro in
# macros/program/ssh_macros.te.
diff --git a/strict/domains/program/udev.te b/strict/domains/program/udev.te
index ae4760c..5ff434f 100644
--- a/strict/domains/program/udev.te
+++ b/strict/domains/program/udev.te
@@ -33,7 +33,7 @@ allow udev_t self:file { getattr read };
allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
allow udev_t self:unix_dgram_socket create_socket_perms;
allow udev_t self:fifo_file rw_file_perms;
-allow udev_t self:netlink_kobject_uevent_socket { create bind read };
+allow udev_t self:netlink_kobject_uevent_socket { create bind read setopt };
allow udev_t device_t:file { unlink rw_file_perms };
allow udev_t device_t:sock_file create_file_perms;
allow udev_t device_t:lnk_file create_lnk_perms;
diff --git a/strict/domains/program/unused/clockspeed.te b/strict/domains/program/unused/clockspeed.te
index ef51d66..f79c314 100644
--- a/strict/domains/program/unused/clockspeed.te
+++ b/strict/domains/program/unused/clockspeed.te
@@ -21,5 +21,6 @@ allow clockspeed_t clockspeed_var_lib_t:fifo_file create_file_perms;
# sysadm can play with clockspeed
role sysadm_r types clockspeed_t;
+ifdef(`targeted_policy', `', `
domain_auto_trans( sysadm_t, clockspeed_exec_t, clockspeed_t)
-
+')
diff --git a/strict/domains/program/unused/cvs.te b/strict/domains/program/unused/cvs.te
index ca089ed..324ddd3 100644
--- a/strict/domains/program/unused/cvs.te
+++ b/strict/domains/program/unused/cvs.te
@@ -15,12 +15,14 @@ inetd_child_domain(cvs, tcp)
typeattribute cvs_t privmail;
typeattribute cvs_t auth_chkpwd;
-type cvs_data_t, file_type, sysadmfile;
+type cvs_data_t, file_type, sysadmfile, customizable;
create_dir_file(cvs_t, cvs_data_t)
can_exec(cvs_t, { bin_t sbin_t shell_exec_t })
+allow cvs_t bin_t:dir search;
+allow cvs_t { bin_t sbin_t }:lnk_file read;
allow cvs_t etc_runtime_t:file { getattr read };
allow system_mail_t cvs_data_t:file { getattr read };
dontaudit cvs_t devtty_t:chr_file { read write };
-allow cvs_t default_t:dir search;
-allow cvs_t default_t:lnk_file read;
-
+# Allow kerberos to work
+allow cvs_t { krb5_keytab_t krb5_conf_t }:file r_file_perms;
+dontaudit cvs_t krb5_conf_t:file write;
diff --git a/strict/domains/program/unused/ddclient.te b/strict/domains/program/unused/ddclient.te
index 21f1f8e..29255f3 100644
--- a/strict/domains/program/unused/ddclient.te
+++ b/strict/domains/program/unused/ddclient.te
@@ -38,5 +38,7 @@ allow ddclient_t self:unix_stream_socket create_socket_perms;
# allow access to ddclient.conf and ddclient.cache
allow ddclient_t ddclient_etc_t:file r_file_perms;
-allow ddclient_t ddclient_var_t:dir rw_dir_perms;
-allow ddclient_t ddclient_var_t:file create_file_perms;
+file_type_auto_trans(ddclient_t, var_t, ddclient_var_t)
+dontaudit ddclient_t devpts_t:dir search;
+dontaudit ddclient_t { devtty_t admin_tty_type user_tty_type }:chr_file rw_file_perms;
+dontaudit httpd_t selinux_config_t:dir search;
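Review bot: `dontaudit httpd_t selinux_config_t:dir search;` names httpd_t inside ddclient.te; httpd_t is apache's domain, so the rule is misplaced and, on a build without the apache module, references a type ddclient.te does not declare, which presumably fails the policy build. Move it to the apache policy (or guard it with an ifdef on apache.te) with a comment saying which libselinux call triggers the lookup. The new `file_type_auto_trans(ddclient_t, var_t, ddclient_var_t)` also replaces two explicit rules with a transition over all of var_t; a one-line comment naming the cache/pid path it is for would make that scope reviewable.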
diff --git a/strict/domains/program/unused/dpkg.te b/strict/domains/program/unused/dpkg.te
index 34ba329..4feb508 100644
--- a/strict/domains/program/unused/dpkg.te
+++ b/strict/domains/program/unused/dpkg.te
@@ -178,6 +178,9 @@ etcdir_domain(apt)
type apt_rw_etc_t, file_type, sysadmfile;
tmp_domain(apt, `', `{ dir file lnk_file }')
can_exec(apt_t, apt_tmp_t)
+ifdef(`crond.te', `
+allow system_crond_t apt_etc_t:file { getattr read };
+')
rw_dir_create_file(apt_t, apt_rw_etc_t)
diff --git a/strict/domains/program/unused/sxid.te b/strict/domains/program/unused/sxid.te
index 3397b0b..a96c987 100644
--- a/strict/domains/program/unused/sxid.te
+++ b/strict/domains/program/unused/sxid.te
@@ -32,6 +32,7 @@ allow sxid_t { device_t device_type }:{ chr_file blk_file } getattr;
allow sxid_t ttyfile:chr_file getattr;
allow sxid_t file_type:dir { getattr read search };
allow sxid_t sysadmfile:file { getattr read };
+dontaudit sxid_t devpts_t:dir r_dir_perms;
allow sxid_t fs_type:dir { getattr read search };
# Use the network.
diff --git a/strict/domains/program/useradd.te b/strict/domains/program/useradd.te
index 779cd31..121e03c 100644
--- a/strict/domains/program/useradd.te
+++ b/strict/domains/program/useradd.te
@@ -102,3 +102,4 @@ dontaudit groupadd_t initrc_var_run_t:file write;
allow useradd_t default_context_t:dir search;
allow useradd_t file_context_t:dir search;
allow useradd_t file_context_t:file { getattr read };
+allow useradd_t var_lib_t:dir search;
diff --git a/strict/file_contexts/program/apache.fc b/strict/file_contexts/program/apache.fc
index 444c3f0..96c5b3a 100644
--- a/strict/file_contexts/program/apache.fc
+++ b/strict/file_contexts/program/apache.fc
@@ -7,6 +7,8 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_
/var/www/perl(/.*)? system_u:object_r:httpd_sys_script_exec_t
/var/www/icons(/.*)? system_u:object_r:httpd_sys_content_t
/var/cache/httpd(/.*)? system_u:object_r:httpd_cache_t
+/var/cache/php-eaccelerator(/.*)? system_u:object_r:httpd_cache_t
+/var/cache/php-mmcache(/.*)? system_u:object_r:httpd_cache_t
/etc/httpd -d system_u:object_r:httpd_config_t
/etc/httpd/conf.* system_u:object_r:httpd_config_t
/etc/httpd/logs system_u:object_r:httpd_log_t
@@ -26,15 +28,17 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_
/var/log/cgiwrap\.log.* -- system_u:object_r:httpd_log_t
/var/cache/ssl.*\.sem -- system_u:object_r:httpd_cache_t
/var/cache/mod_ssl(/.*)? system_u:object_r:httpd_cache_t
-/var/run/apache(2)?\.pid.* -- system_u:object_r:httpd_var_run_t
+/var/run/apache.* system_u:object_r:httpd_var_run_t
/var/lib/httpd(/.*)? system_u:object_r:httpd_var_lib_t
/var/lib/php/session(/.*)? system_u:object_r:httpd_var_run_t
/etc/apache-ssl(2)?(/.*)? system_u:object_r:httpd_config_t
/usr/lib/apache-ssl/.+ -- system_u:object_r:httpd_exec_t
/usr/sbin/apache-ssl(2)? -- system_u:object_r:httpd_exec_t
/var/log/apache-ssl(2)?(/.*)? system_u:object_r:httpd_log_t
-/var/run/apache-ssl(2)?\.pid.* -- system_u:object_r:httpd_var_run_t
/var/run/gcache_port -s system_u:object_r:httpd_var_run_t
+ifdef(`distro_debian', `
+/var/log/horde2(/.*)? system_u:object_r:httpd_log_t
+')
ifdef(`distro_suse', `
# suse puts shell scripts there :-(
/usr/share/apache2/[^/]* -- system_u:object_r:bin_t
diff --git a/strict/file_contexts/program/auditd.fc b/strict/file_contexts/program/auditd.fc
index 32401bb..a87077b 100644
--- a/strict/file_contexts/program/auditd.fc
+++ b/strict/file_contexts/program/auditd.fc
@@ -1,3 +1,8 @@
# auditd
+/sbin/auditctl -- system_u:object_r:auditctl_exec_t
/sbin/auditd -- system_u:object_r:auditd_exec_t
/var/log/audit.log -- system_u:object_r:auditd_log_t
+/var/log/audit(/.*)? system_u:object_r:auditd_log_t
+/etc/auditd.conf -- system_u:object_r:auditd_etc_t
+/etc/audit.rules -- system_u:object_r:auditd_etc_t
+
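Review bot: The new `/etc/auditd.conf` and `/etc/audit.rules` entries leave the dot unescaped, so as regexes they also match names such as `/etc/auditdXconf`; this same commit fixes exactly that in clamav.fc (`clamd\.sock`). Write `/etc/auditd\.conf -- system_u:object_r:auditd_etc_t` and `/etc/audit\.rules -- system_u:object_r:auditd_etc_t`; the pre-existing `/var/log/audit.log` line here and the new `/var/run/portmap.upgrade-state` in portmap.fc have the same issue. The types auditctl_exec_t and auditd_etc_t are not declared anywhere in this chunk, presumably they come from auditd.te.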
diff --git a/strict/file_contexts/program/certwatch.fc b/strict/file_contexts/program/certwatch.fc
new file mode 100644
index 0000000..20bb8ca
--- /dev/null
+++ b/strict/file_contexts/program/certwatch.fc
@@ -0,0 +1,3 @@
+# certwatch.fc
+/usr/bin/certwatch -- system_u:object_r:certwatch_exec_t
+
diff --git a/strict/file_contexts/program/clamav.fc b/strict/file_contexts/program/clamav.fc
index 4262e05..90c898c 100644
--- a/strict/file_contexts/program/clamav.fc
+++ b/strict/file_contexts/program/clamav.fc
@@ -12,4 +12,4 @@
/var/run/clamd\.ctl -s system_u:object_r:clamd_sock_t
/var/run/clamd\.pid -- system_u:object_r:clamd_var_run_t
/var/run/clamav(/.*)? system_u:object_r:clamd_var_run_t
-/var/run/clamav/clamd.sock -s system_u:object_r:clamd_sock_t
+/var/run/clamav/clamd\.sock -s system_u:object_r:clamd_sock_t
diff --git a/strict/file_contexts/program/compat.fc b/strict/file_contexts/program/compat.fc
new file mode 100644
index 0000000..ba15f45
--- /dev/null
+++ b/strict/file_contexts/program/compat.fc
@@ -0,0 +1,62 @@
+ifdef(`setfiles.te', `', `
+# setfiles
+/usr/sbin/setfiles.* -- system_u:object_r:setfiles_exec_t
+')
+
+ifdef(`mount.te', `', `
+# mount
+/bin/mount.* -- system_u:object_r:mount_exec_t
+/bin/umount.* -- system_u:object_r:mount_exec_t
+')
+ifdef(`loadkeys.te', `', `
+# loadkeys
+/bin/unikeys -- system_u:object_r:loadkeys_exec_t
+/bin/loadkeys -- system_u:object_r:loadkeys_exec_t
+')
+ifdef(`dmesg.te', `', `
+# dmesg
+/bin/dmesg -- system_u:object_r:dmesg_exec_t
+')
+ifdef(`fsadm.te', `', `
+# fs admin utilities
+/sbin/fsck.* -- system_u:object_r:fsadm_exec_t
+/sbin/mkfs.* -- system_u:object_r:fsadm_exec_t
+/sbin/e2fsck -- system_u:object_r:fsadm_exec_t
+/sbin/mkdosfs -- system_u:object_r:fsadm_exec_t
+/sbin/dosfsck -- system_u:object_r:fsadm_exec_t
+/sbin/reiserfs(ck|tune) -- system_u:object_r:fsadm_exec_t
+/sbin/mkreiserfs -- system_u:object_r:fsadm_exec_t
+/sbin/resize.*fs -- system_u:object_r:fsadm_exec_t
+/sbin/e2label -- system_u:object_r:fsadm_exec_t
+/sbin/findfs -- system_u:object_r:fsadm_exec_t
+/sbin/mkfs -- system_u:object_r:fsadm_exec_t
+/sbin/mke2fs -- system_u:object_r:fsadm_exec_t
+/sbin/mkswap -- system_u:object_r:fsadm_exec_t
+/sbin/scsi_info -- system_u:object_r:fsadm_exec_t
+/sbin/sfdisk -- system_u:object_r:fsadm_exec_t
+/sbin/cfdisk -- system_u:object_r:fsadm_exec_t
+/sbin/fdisk -- system_u:object_r:fsadm_exec_t
+/sbin/parted -- system_u:object_r:fsadm_exec_t
+/sbin/tune2fs -- system_u:object_r:fsadm_exec_t
+/sbin/dumpe2fs -- system_u:object_r:fsadm_exec_t
+/sbin/swapon.* -- system_u:object_r:fsadm_exec_t
+/sbin/hdparm -- system_u:object_r:fsadm_exec_t
+/sbin/raidstart -- system_u:object_r:fsadm_exec_t
+/sbin/mkraid -- system_u:object_r:fsadm_exec_t
+/sbin/blockdev -- system_u:object_r:fsadm_exec_t
+/sbin/losetup.* -- system_u:object_r:fsadm_exec_t
+/sbin/jfs_.* -- system_u:object_r:fsadm_exec_t
+/sbin/lsraid -- system_u:object_r:fsadm_exec_t
+/usr/sbin/smartctl -- system_u:object_r:fsadm_exec_t
+/sbin/install-mbr -- system_u:object_r:fsadm_exec_t
+/usr/bin/scsi_unique_id -- system_u:object_r:fsadm_exec_t
+/usr/bin/raw -- system_u:object_r:fsadm_exec_t
+/sbin/partx -- system_u:object_r:fsadm_exec_t
+/usr/bin/partition_uuid -- system_u:object_r:fsadm_exec_t
+/sbin/partprobe -- system_u:object_r:fsadm_exec_t
+')
+ifdef(`kudzu.te', `', `
+# kudzu
+/usr/sbin/kudzu -- system_u:object_r:kudzu_exec_t
+/sbin/kmodule -- system_u:object_r:kudzu_exec_t
+')
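Review bot: Every block in this new file labels binaries with a type from the very module whose absence it is conditioned on (the setfiles block labels `setfiles_exec_t` only when setfiles.te is not included, and so on), so unless those types are declared somewhere that is always compiled, setfiles would reject these entries as undefined types in exactly the builds this file targets. A header comment naming where the types are declared would settle that. The fsadm list is also a copy of fsadm.fc and has already drifted — fsadm.fc gains `/usr/bin/syslinux` in this same commit and this copy does not — so a note that the two must be kept in sync, or generating one from the other, is worth considering.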
diff --git a/strict/file_contexts/program/crond.fc b/strict/file_contexts/program/crond.fc
index 90869cf..3a46659 100644
--- a/strict/file_contexts/program/crond.fc
+++ b/strict/file_contexts/program/crond.fc
@@ -9,7 +9,6 @@
/var/spool/cron/crontabs/root -- system_u:object_r:sysadm_cron_spool_t
/var/spool/cron/root -- system_u:object_r:sysadm_cron_spool_t
/var/spool/cron/[^/]* -- <<none>>
-/var/log/cron.* -- system_u:object_r:crond_log_t
/var/run/crond\.reboot -- system_u:object_r:crond_var_run_t
/var/run/crond?\.pid -- system_u:object_r:crond_var_run_t
# fcron
@@ -27,3 +26,9 @@
/var/spool/at/spool -d system_u:object_r:cron_spool_t
/var/spool/at/[^/]* -- <<none>>
/var/run/atd\.pid -- system_u:object_r:crond_var_run_t
+ifdef(`distro_suse', `
+/usr/lib/cron/run-crons -- system_u:object_r:bin_t
+/var/spool/cron/lastrun -d system_u:object_r:crond_tmp_t
+/var/spool/cron/lastrun/[^/]* -- <<none>>
+/var/spool/cron/tabs -d system_u:object_r:cron_spool_t
+')
diff --git a/strict/file_contexts/program/cups.fc b/strict/file_contexts/program/cups.fc
index d4c1eb2..26ae56f 100644
--- a/strict/file_contexts/program/cups.fc
+++ b/strict/file_contexts/program/cups.fc
@@ -5,6 +5,7 @@
/var/cache/alchemist/printconf.* system_u:object_r:cupsd_rw_etc_t
/etc/cups/client\.conf -- system_u:object_r:etc_t
/etc/cups/cupsd\.conf.* -- system_u:object_r:cupsd_rw_etc_t
+/etc/cups/classes\.conf.* -- system_u:object_r:cupsd_rw_etc_t
/etc/cups/lpoptions -- system_u:object_r:cupsd_rw_etc_t
/etc/cups/printers\.conf.* -- system_u:object_r:cupsd_rw_etc_t
/etc/cups/ppd/.* -- system_u:object_r:cupsd_rw_etc_t
diff --git a/strict/file_contexts/program/dhcpd.fc b/strict/file_contexts/program/dhcpd.fc
index 4e612cf..3e010c3 100644
--- a/strict/file_contexts/program/dhcpd.fc
+++ b/strict/file_contexts/program/dhcpd.fc
@@ -3,7 +3,7 @@
/etc/dhcp3(/.*)? system_u:object_r:dhcp_etc_t
/usr/sbin/dhcpd.* -- system_u:object_r:dhcpd_exec_t
/var/lib/dhcp(3)?/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t
-/var/run/dhcpd\.pid -d system_u:object_r:dhcpd_var_run_t
+/var/run/dhcpd\.pid -- system_u:object_r:dhcpd_var_run_t
ifdef(`dhcp_defined', `', `
/var/lib/dhcp(3)? -d system_u:object_r:dhcp_state_t
define(`dhcp_defined')
diff --git a/strict/file_contexts/program/fsadm.fc b/strict/file_contexts/program/fsadm.fc
index 5d42601..9b81537 100644
--- a/strict/file_contexts/program/fsadm.fc
+++ b/strict/file_contexts/program/fsadm.fc
@@ -37,3 +37,4 @@
/sbin/partx -- system_u:object_r:fsadm_exec_t
/usr/bin/partition_uuid -- system_u:object_r:fsadm_exec_t
/sbin/partprobe -- system_u:object_r:fsadm_exec_t
+/usr/bin/syslinux -- system_u:object_r:fsadm_exec_t
diff --git a/strict/file_contexts/program/lvm.fc b/strict/file_contexts/program/lvm.fc
index fc65c44..e74e2c5 100644
--- a/strict/file_contexts/program/lvm.fc
+++ b/strict/file_contexts/program/lvm.fc
@@ -12,7 +12,6 @@
/etc/lvm/lock(/.*)? system_u:object_r:lvm_lock_t
/var/lock/lvm(/.*)? system_u:object_r:lvm_lock_t
/dev/lvm -c system_u:object_r:fixed_disk_device_t
-/dev/mapper/.* -b system_u:object_r:fixed_disk_device_t
/dev/mapper/control -c system_u:object_r:lvm_control_t
/lib/lvm-10(/.*) -- system_u:object_r:lvm_exec_t
/lib/lvm-200(/.*) -- system_u:object_r:lvm_exec_t
diff --git a/strict/file_contexts/program/named.fc b/strict/file_contexts/program/named.fc
index b39ec8f..edcbe3e 100644
--- a/strict/file_contexts/program/named.fc
+++ b/strict/file_contexts/program/named.fc
@@ -9,18 +9,21 @@ ifdef(`distro_redhat', `
ifdef(`distro_debian', `
/etc/bind(/.*)? system_u:object_r:named_zone_t
/etc/bind/named\.conf -- system_u:object_r:named_conf_t
-/etc/bind/rndc\.key -- system_u:object_r:named_conf_t
+/etc/bind/rndc\.key -- system_u:object_r:dnssec_t
/var/cache/bind(/.*)? system_u:object_r:named_cache_t
') dnl distro_debian
/etc/rndc.* -- system_u:object_r:named_conf_t
-/etc/rndc.key -- system_u:object_r:dnssec_t
+/etc/rndc\.key -- system_u:object_r:dnssec_t
/usr/sbin/named -- system_u:object_r:named_exec_t
+/usr/sbin/named-checkconf -- system_u:object_r:named_checkconf_exec_t
/usr/sbin/r?ndc -- system_u:object_r:ndc_exec_t
/var/run/ndc -s system_u:object_r:named_var_run_t
/var/run/bind(/.*)? system_u:object_r:named_var_run_t
/var/run/named(/.*)? system_u:object_r:named_var_run_t
/usr/sbin/lwresd -- system_u:object_r:named_exec_t
+/var/log/named.* -- system_u:object_r:named_log_t
+
ifdef(`distro_redhat', `
/var/named/named\.ca -- system_u:object_r:named_conf_t
/var/named/chroot(/.*)? system_u:object_r:named_conf_t
@@ -40,7 +43,7 @@ ifdef(`distro_redhat', `
ifdef(`distro_gentoo', `
/etc/bind(/.*)? system_u:object_r:named_zone_t
/etc/bind/named\.conf -- system_u:object_r:named_conf_t
-/etc/bind/rndc\.key -- system_u:object_r:named_conf_t
+/etc/bind/rndc\.key -- system_u:object_r:dnssec_t
/var/bind(/.*)? system_u:object_r:named_cache_t
/var/bind/pri(/.*)? system_u:object_r:named_zone_t
') dnl distro_gentoo
diff --git a/strict/file_contexts/program/nscd.fc b/strict/file_contexts/program/nscd.fc
index aa24987..5c39b46 100644
--- a/strict/file_contexts/program/nscd.fc
+++ b/strict/file_contexts/program/nscd.fc
@@ -4,3 +4,4 @@
/var/run/nscd\.pid -- system_u:object_r:nscd_var_run_t
/var/db/nscd(/.*)? system_u:object_r:nscd_var_run_t
/var/run/nscd(/.*)? system_u:object_r:nscd_var_run_t
+/var/log/nscd\.log.* -- system_u:object_r:nscd_log_t
diff --git a/strict/file_contexts/program/ntpd.fc b/strict/file_contexts/program/ntpd.fc
index 3b178b4..84dd7b9 100644
--- a/strict/file_contexts/program/ntpd.fc
+++ b/strict/file_contexts/program/ntpd.fc
@@ -1,7 +1,7 @@
/var/lib/ntp(/.*)? system_u:object_r:ntp_drift_t
/etc/ntp/data(/.*)? system_u:object_r:ntp_drift_t
-/etc/ntp(d)?\.conf(.sv)? -- system_u:object_r:net_conf_t
-/etc/ntp/step-tickers -- system_u:object_r:net_conf_t
+/etc/ntp(d)?\.conf.* -- system_u:object_r:net_conf_t
+/etc/ntp/step-tickers.* -- system_u:object_r:net_conf_t
/usr/sbin/ntpd -- system_u:object_r:ntpd_exec_t
/usr/sbin/ntpdate -- system_u:object_r:ntpdate_exec_t
/var/log/ntpstats(/.*)? system_u:object_r:ntpd_log_t
diff --git a/strict/file_contexts/program/portmap.fc b/strict/file_contexts/program/portmap.fc
index 08802d5..4417c85 100644
--- a/strict/file_contexts/program/portmap.fc
+++ b/strict/file_contexts/program/portmap.fc
@@ -7,3 +7,4 @@ ifdef(`distro_debian', `
/usr/sbin/pmap_dump -- system_u:object_r:portmap_helper_exec_t
/usr/sbin/pmap_set -- system_u:object_r:portmap_helper_exec_t
')
+/var/run/portmap.upgrade-state -- system_u:object_r:portmap_var_run_t
diff --git a/strict/file_contexts/program/postfix.fc b/strict/file_contexts/program/postfix.fc
index 2a5850b..0e96508 100644
--- a/strict/file_contexts/program/postfix.fc
+++ b/strict/file_contexts/program/postfix.fc
@@ -10,6 +10,7 @@ ifdef(`distro_redhat', `
/usr/libexec/postfix/(n)?qmgr -- system_u:object_r:postfix_qmgr_exec_t
/usr/libexec/postfix/showq -- system_u:object_r:postfix_showq_exec_t
/usr/libexec/postfix/smtp -- system_u:object_r:postfix_smtp_exec_t
+/usr/libexec/postfix/scache -- system_u:object_r:postfix_smtp_exec_t
/usr/libexec/postfix/smtpd -- system_u:object_r:postfix_smtpd_exec_t
/usr/libexec/postfix/bounce -- system_u:object_r:postfix_bounce_exec_t
/usr/libexec/postfix/pipe -- system_u:object_r:postfix_pipe_exec_t
@@ -22,6 +23,7 @@ ifdef(`distro_redhat', `
/usr/lib/postfix/(n)?qmgr -- system_u:object_r:postfix_qmgr_exec_t
/usr/lib/postfix/showq -- system_u:object_r:postfix_showq_exec_t
/usr/lib/postfix/smtp -- system_u:object_r:postfix_smtp_exec_t
+/usr/lib/postfix/scache -- system_u:object_r:postfix_smtp_exec_t
/usr/lib/postfix/smtpd -- system_u:object_r:postfix_smtpd_exec_t
/usr/lib/postfix/bounce -- system_u:object_r:postfix_bounce_exec_t
/usr/lib/postfix/pipe -- system_u:object_r:postfix_pipe_exec_t
diff --git a/strict/file_contexts/program/pppd.fc b/strict/file_contexts/program/pppd.fc
index af9d512..a16da2a 100644
--- a/strict/file_contexts/program/pppd.fc
+++ b/strict/file_contexts/program/pppd.fc
@@ -13,9 +13,13 @@
/var/run/(i)?ppp.*pid -- system_u:object_r:pppd_var_run_t
/var/log/ppp-connect-errors.* -- system_u:object_r:pppd_log_t
/var/log/ppp/.* -- system_u:object_r:pppd_log_t
-/etc/ppp/ip-down.* -- system_u:object_r:bin_t
-/etc/ppp/ip-up.* -- system_u:object_r:bin_t
-/etc/ppp/ipv6-up -- system_u:object_r:bin_t
-/etc/ppp/ipv6-down -- system_u:object_r:bin_t
+/etc/ppp/ip-down\..* -- system_u:object_r:bin_t
+/etc/ppp/ip-up\..* -- system_u:object_r:bin_t
+/etc/ppp/ipv6-up\..* -- system_u:object_r:bin_t
+/etc/ppp/ipv6-down\..* -- system_u:object_r:bin_t
/etc/ppp/plugins/rp-pppoe\.so -- system_u:object_r:shlib_t
-/etc/ppp/resolv\.conf -- system_u:object_r:pppd_etc_rw_t
+/etc/ppp/resolv\.conf -- system_u:object_r:pppd_etc_rw_t
+# Fix pptp sockets
+/var/run/pptp(/.*)? -- system_u:object_r:pptp_var_run_t
+# Fix /etc/ppp {up,down} family scripts (see man pppd)
+/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- system_u:object_r:pppd_script_exec_t
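Review bot: `/var/run/pptp(/.*)? -- system_u:object_r:pptp_var_run_t` carries the `--` qualifier, which restricts the entry to regular files, yet the comment says it is there to fix pptp sockets and pppd.te gains `sock_file create_file_perms` on pptp_var_run_t for exactly that. A relabel would therefore leave the socket, and the /var/run/pptp directory itself, without this type. Dropping the qualifier, `/var/run/pptp(/.*)? system_u:object_r:pptp_var_run_t`, matches every object under that path.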
diff --git a/strict/file_contexts/program/qmail.fc b/strict/file_contexts/program/qmail.fc
index 510f077..7704ed7 100644
--- a/strict/file_contexts/program/qmail.fc
+++ b/strict/file_contexts/program/qmail.fc
@@ -17,7 +17,7 @@
/usr/sbin/splogger -- system_u:object_r:qmail_splogger_exec_t
/usr/sbin/qmail-getpw -- system_u:object_r:qmail_exec_t
/usr/local/bin/serialmail/.* -- system_u:object_r:qmail_serialmail_exec_t
-# qmail - djb's locations
+# qmail - djb locations
/var/qmail/control(/.*)? system_u:object_r:qmail_etc_t
/var/qmail/bin -d system_u:object_r:bin_t
/var/qmail/queue(/.*)? system_u:object_r:qmail_spool_t
diff --git a/strict/file_contexts/program/radvd.fc b/strict/file_contexts/program/radvd.fc
index fc8ddcf..5000383 100644
--- a/strict/file_contexts/program/radvd.fc
+++ b/strict/file_contexts/program/radvd.fc
@@ -2,3 +2,4 @@
/etc/radvd\.conf -- system_u:object_r:radvd_etc_t
/usr/sbin/radvd -- system_u:object_r:radvd_exec_t
/var/run/radvd\.pid -- system_u:object_r:radvd_var_run_t
+/var/run/radvd(/.*)? system_u:object_r:radvd_var_run_t
diff --git a/strict/file_contexts/program/ssh.fc b/strict/file_contexts/program/ssh.fc
index 078f8ef..3cd1d0c 100644
--- a/strict/file_contexts/program/ssh.fc
+++ b/strict/file_contexts/program/ssh.fc
@@ -1,5 +1,6 @@
# ssh
/usr/bin/ssh -- system_u:object_r:ssh_exec_t
+/usr/libexec/openssh/ssh-keysign -- system_u:object_r:ssh_keysign_exec_t
/usr/bin/ssh-keygen -- system_u:object_r:ssh_keygen_exec_t
# sshd
/etc/ssh/primes -- system_u:object_r:sshd_key_t
diff --git a/strict/file_contexts/program/sudo.fc b/strict/file_contexts/program/sudo.fc
index 3eed3ff..d733894 100644
--- a/strict/file_contexts/program/sudo.fc
+++ b/strict/file_contexts/program/sudo.fc
@@ -1,2 +1,3 @@
# sudo
-/usr/bin/sudo -- system_u:object_r:sudo_exec_t
+/usr/bin/sudo(edit)? -- system_u:object_r:sudo_exec_t
+
diff --git a/strict/file_contexts/program/traceroute.fc b/strict/file_contexts/program/traceroute.fc
index 6a8b259..66a6c5f 100644
--- a/strict/file_contexts/program/traceroute.fc
+++ b/strict/file_contexts/program/traceroute.fc
@@ -1,5 +1,6 @@
# traceroute
/bin/traceroute.* -- system_u:object_r:traceroute_exec_t
+/bin/tracepath.* -- system_u:object_r:traceroute_exec_t
/usr/(s)?bin/traceroute.* -- system_u:object_r:traceroute_exec_t
/usr/bin/lft -- system_u:object_r:traceroute_exec_t
/usr/bin/nmap -- system_u:object_r:traceroute_exec_t
diff --git a/strict/file_contexts/program/udev.fc b/strict/file_contexts/program/udev.fc
index 40f1fd5..0b6c719 100644
--- a/strict/file_contexts/program/udev.fc
+++ b/strict/file_contexts/program/udev.fc
@@ -3,11 +3,12 @@
/sbin/udev -- system_u:object_r:udev_exec_t
/sbin/udevd -- system_u:object_r:udev_exec_t
/sbin/start_udev -- system_u:object_r:udev_exec_t
+/sbin/udevstart -- system_u:object_r:udev_exec_t
/usr/bin/udevinfo -- system_u:object_r:udev_exec_t
/etc/dev\.d/.+ -- system_u:object_r:udev_helper_exec_t
/etc/udev/scripts/.+ -- system_u:object_r:udev_helper_exec_t
/etc/udev/devices/.* system_u:object_r:device_t
/etc/hotplug\.d/default/udev.* -- system_u:object_r:udev_helper_exec_t
/dev/udev\.tbl -- system_u:object_r:udev_tbl_t
-/dev/\.udev\.tdb(/.*)? -- system_u:object_r:udev_tdb_t
+/dev/\.udevdb(/.*)? -- system_u:object_r:udev_tdb_t
/sbin/wait_for_sysfs -- system_u:object_r:udev_exec_t
diff --git a/strict/file_contexts/types.fc b/strict/file_contexts/types.fc
index 4708e08..33816d9 100644
--- a/strict/file_contexts/types.fc
+++ b/strict/file_contexts/types.fc
@@ -46,9 +46,9 @@
#
# Ordinary user home directories.
# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd
-# HOME_DIR expands to each user's home directory,
+# HOME_DIR expands to each users home directory,
# and to HOME_ROOT/[^/]+ for each HOME_ROOT.
-# ROLE expands to each user's role when role != user_r, and to "user" otherwise.
+# ROLE expands to each users role when role != user_r, and to "user" otherwise.
#
HOME_ROOT -d system_u:object_r:home_root_t
HOME_DIR -d system_u:object_r:ROLE_home_dir_t
@@ -58,7 +58,7 @@ HOME_DIR/.+ system_u:object_r:ROLE_home_t
#
# Mount points; do not relabel subdirectories, since
-# we don't want to change any removable media by default.
+# we do not want to change any removable media by default.
/mnt(/[^/]*)? -d system_u:object_r:mnt_t
/mnt/[^/]*/.* <<none>>
/media(/[^/]*)? -d system_u:object_r:mnt_t
@@ -68,8 +68,7 @@ HOME_DIR/.+ system_u:object_r:ROLE_home_t
# /var
#
/var(/.*)? system_u:object_r:var_t
-/var/catman(/.*)? system_u:object_r:catman_t
-/var/cache/man(/.*)? system_u:object_r:catman_t
+/var/cache/man(/.*)? system_u:object_r:man_t
/var/yp(/.*)? system_u:object_r:var_yp_t
/var/lib(/.*)? system_u:object_r:var_lib_t
/var/lib/nfs(/.*)? system_u:object_r:var_lib_nfs_t
@@ -110,7 +109,7 @@ HOME_DIR/.+ system_u:object_r:ROLE_home_t
# /boot
#
/boot(/.*)? system_u:object_r:boot_t
-/boot/System\.map-.* -- system_u:object_r:system_map_t
+/boot/System\.map(-.*)? system_u:object_r:system_map_t
#
# /dev
@@ -129,6 +128,7 @@ HOME_DIR/.+ system_u:object_r:ROLE_home_t
/dev/nvram -c system_u:object_r:memory_device_t
/dev/random -c system_u:object_r:random_device_t
/dev/urandom -c system_u:object_r:urandom_device_t
+/dev/adb.* -c system_u:object_r:tty_device_t
/dev/capi.* -c system_u:object_r:tty_device_t
/dev/dcbri[0-9]+ -c system_u:object_r:tty_device_t
/dev/irlpt[0-9]+ -c system_u:object_r:printer_device_t
@@ -157,6 +157,7 @@ ifdef(`distro_redhat', `
/dev/i2o/hd[^/]* -b system_u:object_r:fixed_disk_device_t
/dev/ubd[^/]* -b system_u:object_r:fixed_disk_device_t
/dev/cciss/[^/]* -b system_u:object_r:fixed_disk_device_t
+/dev/mapper/.* -b system_u:object_r:fixed_disk_device_t
/dev/ida/[^/]* -b system_u:object_r:fixed_disk_device_t
/dev/dasd[^/]* -b system_u:object_r:fixed_disk_device_t
/dev/flash[^/]* -b system_u:object_r:fixed_disk_device_t
@@ -247,6 +248,7 @@ ifdef(`distro_suse', `
/dev/dri/.+ -c system_u:object_r:dri_device_t
/dev/radeon -c system_u:object_r:dri_device_t
/dev/agpgart -c system_u:object_r:agp_device_t
+/dev/z90crypt -c system_u:object_r:crypt_device_t
#
# Misc
@@ -352,8 +354,11 @@ ifdef(`distro_gentoo', `
/usr/share/man(/.*)? system_u:object_r:man_t
/usr/share/mc/extfs/.* -- system_u:object_r:bin_t
/usr/share(/.*)?/lib(64)?(/.*)? system_u:object_r:usr_t
+/usr/share/ssl/certs(/.*)? system_u:object_r:cert_t
+/usr/share/ssl/private(/.*)? system_u:object_r:cert_t
# nvidia share libraries
+/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
/usr(/.*)?/nvidia/.*\.so(\..*)? -- system_u:object_r:texrel_shlib_t
/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- system_u:object_r:texrel_shlib_t
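Review bot: The added nvidia entry spells the path `/usr/x11R6/...` with a lowercase x, while the neighbouring lines use `/usr/X11R6/...`; on a case-sensitive filesystem the new regex will never match, so `libglx.so` will not get `texrel_shlib_t`. The line should read `/usr/X11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t`. Separately, `/usr/share/ssl/private(/.*)?` receives the same `cert_t` as the public certificate directory, so every domain granted read on `cert_t` (this commit's evolution_macros hunk adds `r_dir_file($1_evolution_server_t, cert_t)`) can also read the private keys; if that is not intended, the private tree needs a distinct type (placeholder `<private_key_type>`) or at least a comment recording that `cert_t` is meant to be readable by clients.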
diff --git a/strict/macros/content_macros.te b/strict/macros/content_macros.te
new file mode 100644
index 0000000..fb36d46
--- /dev/null
+++ b/strict/macros/content_macros.te
@@ -0,0 +1,188 @@
+# Content access macros
+
+# FIXME: After nested booleans are supported, replace NFS/CIFS
+# w/ read_network_home, and write_network_home macros from global
+
+# FIXME: If true/false constant booleans are supported, replace
+# ugly $3 ifdefs with if(true), if(false)...
+
+# FIXME: Do we want write to imply read?
+
+############################################################
+# read_content(domain, role_prefix, bool_prefix)
+#
+# Allow the given domain to read content.
+# Content may be trusted or untrusted,
+# Reading anything is subject to a controlling boolean based on bool_prefix.
+# Reading untrusted content is additionally subject to read_untrusted_content
+# Reading default_t is additionally subject to read_default_t
+
+define(`read_content', `
+
+# Declare controlling boolean
+ifelse($3, `', `', `
+ifdef(`$3_read_content_defined', `', `
+define(`$3_read_content_defined')
+bool $3_read_content false;
+') dnl ifdef
+') dnl ifelse
+
+# Handle nfs home dirs
+ifelse($3, `',
+`if (use_nfs_home_dirs) { ',
+`if ($3_read_content && use_nfs_home_dirs) {')
+allow $1 { autofs_t home_root_t }:dir { read search getattr };
+r_dir_file($1, nfs_t)
+} else {
+dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
+dontaudit $1 nfs_t:file r_file_perms;
+dontaudit $1 nfs_t:dir r_dir_perms;
+}
+
+# Handle samba home dirs
+ifelse($3, `',
+`if (use_samba_home_dirs) { ',
+`if ($3_read_content && use_samba_home_dirs) {')
+allow $1 { autofs_t home_root_t }:dir { read search getattr };
+r_dir_file($1, cifs_t)
+} else {
+dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
+dontaudit $1 cifs_t:file r_file_perms;
+dontaudit $1 cifs_t:dir r_dir_perms;
+}
+
+# Handle removable media, /tmp, and /home
+ifelse($3, `', `',
+`if ($3_read_content) {')
+allow $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
+r_dir_file($1, { $2_tmp_t $2_home_t } )
+ifdef(`mls_policy', `', `
+r_dir_file($1, removable_t)
+')
+
+ifelse($3, `', `',
+`} else {
+dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
+dontaudit $1 { removable_t $2_tmp_t $2_home_t }:dir r_dir_perms;
+dontaudit $1 { removable_t $2_tmp_t $2_home_t }:file r_file_perms;
+}')
+
+# Handle default_t content
+ifelse($3, `',
+`if (read_default_t) { ',
+`if ($3_read_content && read_default_t) {')
+r_dir_file($1, default_t)
+} else {
+dontaudit $1 default_t:file r_file_perms;
+dontaudit $1 default_t:dir r_dir_perms;
+}
+
+# Handle untrusted content
+ifelse($3, `',
+`if (read_untrusted_content) { ',
+`if ($3_read_content && read_untrusted_content) {')
+allow $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
+r_dir_file($1, { $2_untrusted_content_t $2_untrusted_content_tmp_t })
+} else {
+dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
+dontaudit $1 { $2_untrusted_content_t $2_untrusted_content_tmp_t }:dir r_dir_perms;
+dontaudit $1 { $2_untrusted_content_t $2_untrusted_content_tmp_t }:file r_file_perms;
+}
+') dnl read_content
+
+#################################################
+# write_trusted(domain, role_prefix, bool_prefix)
+#
+# Allow the given domain to write trusted content.
+# This is subject to a controlling boolean based
+# on bool_prefix.
+
+define(`write_trusted', `
+
+# Declare controlling boolean
+ifelse($3, `', `', `
+ifdef(`$3_write_content_defined', `', `
+define(`$3_write_content_defined')
+bool $3_write_content false;
+') dnl ifdef
+') dnl ifelse
+
+# Handle nfs homedirs
+ifelse($3, `',
+`if (use_nfs_home_dirs) { ',
+`if ($3_write_content && use_nfs_home_dirs) {')
+allow $1 { autofs_t home_root_t }:dir { read search getattr };
+create_dir_file($1, nfs_t)
+} else {
+dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
+dontaudit $1 nfs_t:file create_file_perms;
+dontaudit $1 nfs_t:dir create_dir_perms;
+}
+
+# Handle samba homedirs
+ifelse($3, `',
+`if (use_samba_home_dirs) { ',
+`if ($3_write_content && use_samba_home_dirs) {')
+allow $1 { autofs_t home_root_t }:dir { read search getattr };
+create_dir_file($1, cifs_t)
+} else {
+dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
+dontaudit $1 cifs_t:file create_file_perms;
+dontaudit $1 cifs_t:dir create_dir_perms;
+}
+
+# Handle /tmp and /home
+ifelse($3, `', `',
+`if ($3_write_content) {')
+allow $1 home_root_t:dir { read getattr search };
+file_type_auto_trans($1, tmp_t, $2_tmp_t, { dir file });
+file_type_auto_trans($1, $2_home_dir_t, $2_home_t, { dir file });
+ifelse($3, `', `',
+`} else {
+dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
+dontaudit $1 { $2_tmp_t $2_home_t }:file create_file_perms;
+dontaudit $1 { $2_tmp_t $2_home_t }:dir create_dir_perms;
+}')
+
+') dnl write_trusted
+
+#########################################
+# write_untrusted(domain, role_prefix)
+#
+# Allow the given domain to write untrusted content.
+# This is subject to the global boolean write_untrusted.
+
+define(`write_untrusted', `
+
+# Handle nfs homedirs
+if (write_untrusted_content && use_nfs_home_dirs) {
+allow $1 { autofs_t home_root_t }:dir { read search getattr };
+create_dir_file($1, nfs_t)
+} else {
+dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
+dontaudit $1 nfs_t:file create_file_perms;
+dontaudit $1 nfs_t:dir create_dir_perms;
+}
+
+# Handle samba homedirs
+if (write_untrusted_content && use_samba_home_dirs) {
+allow $1 { autofs_t home_root_t }:dir { read search getattr };
+create_dir_file($1, cifs_t)
+} else {
+dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
+dontaudit $1 cifs_t:file create_file_perms;
+dontaudit $1 cifs_t:dir create_dir_perms;
+}
+
+# Handle /tmp and /home
+if (write_untrusted_content) {
+allow $1 home_root_t:dir { read getattr search };
+file_type_auto_trans($1, { tmp_t $2_tmp_t }, $2_untrusted_content_tmp_t, { dir file })
+file_type_auto_trans($1, { $2_home_dir_t $2_home_t }, $2_untrusted_content_t, { dir file })
+} else {
+dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
+dontaudit $1 { $2_tmp_t $2_home_t }:file create_file_perms;
+dontaudit $1 { $2_tmp_t $2_home_t }:dir create_dir_perms;
+}
+
+') dnl write_untrusted
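Review bot: The header comment for `write_untrusted` says the macro is "subject to the global boolean write_untrusted", but the body tests `write_untrusted_content`; the comment should name the actual boolean so readers grep for the right tunable. The `read_content` header also states that "Reading anything is subject to a controlling boolean based on bool_prefix", yet with an empty third argument the /tmp and /home `allow` rules are emitted unconditionally and only the global `use_*_home_dirs`, `read_default_t` and `read_untrusted_content` booleans apply; a line such as `# bool_prefix may be empty, in which case /tmp and /home access is unconditional` would make that contract explicit for callers like the lpr hunk in this commit. Under `mls_policy` the `removable_t` allow is skipped while the matching else branch still dontaudits it, which is harmless but worth a one-line comment.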
diff --git a/strict/macros/home_macros.te b/strict/macros/home_macros.te
new file mode 100644
index 0000000..033b32f
--- /dev/null
+++ b/strict/macros/home_macros.te
@@ -0,0 +1,130 @@
+# Home macros
+
+################################################
+# network_home(source)
+#
+# Allows source domain to use a network home
+# This includes privileges of create and execute
+# as well as the ability to create sockets and fifo
+
+define(`network_home', `
+allow $1 autofs_t:dir { search getattr };
+
+if (use_nfs_home_dirs) {
+create_dir_file($1, nfs_t)
+can_exec($1, nfs_t)
+allow $1 nfs_t:{ sock_file fifo_file } create_file_perms;
+}
+
+if (use_samba_home_dirs) {
+create_dir_file($1, cifs_t)
+can_exec($1, cifs_t)
+allow $1 cifs_t:{ sock_file fifo_file } create_file_perms;
+}
+') dnl network_home
+
+################################################
+# write_network_home(source)
+#
+# Allows source domain to create directories and
+# files on network file system
+
+define(`write_network_home', `
+allow $1 home_root_t:dir search;
+
+if (use_nfs_home_dirs) {
+create_dir_file($1, nfs_t)
+}
+if (use_samba_home_dirs) {
+create_dir_file($1, cifs_t)
+}
+allow $1 autofs_t:dir { search getattr };
+') dnl write_network_home
+
+################################################
+# read_network_home(source)
+#
+# Allows source domain to read directories and
+# files on network file system
+
+define(`read_network_home', `
+allow $1 home_root_t:dir search;
+
+if (use_nfs_home_dirs) {
+r_dir_file($1, nfs_t)
+}
+if (use_samba_home_dirs) {
+r_dir_file($1, cifs_t)
+}
+allow $1 autofs_t:dir { search getattr };
+') dnl read_network_home
+
+##################################################
+# home_domain_ro_access(source, user, app)
+#
+# Gives source access to the read-only home
+# domain of app for the given user type
+
+define(`home_domain_ro_access', `
+allow $1 { home_root_t $2_home_dir_t }:dir { search getattr };
+read_network_home($1)
+r_dir_file($1, $2_$3_ro_home_t)
+') dnl home_domain_ro_access
+
+#################################################
+# home_domain_access(source, user, app)
+#
+# Gives source full access to the home
+# domain of app for the given user type
+#
+# Requires transition in caller
+
+define(`home_domain_access', `
+allow $1 { home_root_t $2_home_dir_t }:dir { search getattr };
+write_network_home($1)
+create_dir_file($1, $2_$3_home_t)
+') dnl home_domain_access
+
+####################################################################
+# home_domain (prefix, app)
+#
+# Creates a domain in the prefix home where an application can
+# store its settings. It is accessible by the prefix domain.
+#
+# Requires transition in caller
+
+define(`home_domain', `
+
+# Declare home domain
+type $1_$2_home_t, file_type, $1_file_type, sysadmfile, polymember;
+typealias $1_$2_home_t alias $1_$2_rw_t;
+
+# User side access
+create_dir_file($1_t, $1_$2_home_t)
+allow $1_t $1_$2_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+
+# App side access
+home_domain_access($1_$2_t, $1, $2)
+')
+
+####################################################################
+# home_domain_ro (user, app)
+#
+# Creates a read-only domain in the user home where an application can
+# store its settings. It is fully accessible by the user, but
+# it is read-only for the application.
+#
+
+define(`home_domain_ro', `
+
+# Declare home domain
+type $1_$2_ro_home_t, file_type, $1_file_type, sysadmfile;
+typealias $1_$2_ro_home_t alias $1_$2_ro_t;
+
+# User side access
+create_dir_file($1_t, $1_$2_ro_home_t)
+allow $1_t $1_$2_ro_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+
+# App side access
+home_domain_ro_access($1_$2_t, $1, $2)
+')
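Review bot: The `home_domain` header documents its first argument as `prefix` while every other macro in the file, including `home_domain_ro`, calls the same argument `user`; using one name throughout avoids a reader wondering whether something other than a user prefix is accepted. Neither header mentions the `$1_$2_rw_t` / `$1_$2_ro_t` typealiases or the `relabelfrom relabelto` rights the user domain is given, which are the non-obvious parts of the macros; a sentence such as `# Also declares the legacy alias $1_$2_rw_t and lets $1_t relabel the files` would cover it. Only `home_domain` adds the `polymember` attribute to the new type; if the omission in `home_domain_ro` is intentional, say so in its comment.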
diff --git a/strict/macros/program/apache_macros.te b/strict/macros/program/apache_macros.te
index a363f7b..b19d3f7 100644
--- a/strict/macros/program/apache_macros.te
+++ b/strict/macros/program/apache_macros.te
@@ -23,6 +23,7 @@ if (httpd_enable_cgi) {
domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms;
+allow httpd_t httpd_$1_script_exec_t:file r_file_perms;
allow httpd_$1_script_t httpd_t:fd use;
allow httpd_$1_script_t httpd_t:process sigchld;
@@ -101,7 +102,9 @@ allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search };
read_fonts(httpd_$1_script_t)
r_dir_file(httpd_$1_script_t, httpd_$1_script_ro_t)
create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t)
+allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file rw_file_perms;
ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
+anonymous_domain(httpd_$1_script)
if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
create_dir_file(httpd_$1_script_t, httpdcontent)
@@ -136,9 +139,10 @@ dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
if (httpd_builtin_scripting) {
r_dir_file(httpd_t, httpd_$1_script_ro_t)
create_dir_file(httpd_t, httpd_$1_script_rw_t)
+allow httpd_t httpd_$1_script_rw_t:sock_file rw_file_perms;
ra_dir_file(httpd_t, httpd_$1_script_ra_t)
-}
r_dir_file(httpd_t, httpd_$1_content_t)
+}
')
define(`apache_user_domain', `
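Review bot: Moving the closing brace below `r_dir_file(httpd_t, httpd_$1_content_t)` makes httpd's read access to per-user content conditional on `httpd_builtin_scripting`, which looks unrelated to serving static files; unless that access is granted elsewhere, turning the scripting boolean off would stop httpd serving user content at all. If the coupling is intended, a comment like `# content read is tied to builtin scripting on purpose` above the `if` would head off a later "fix". The new `sock_file rw_file_perms` rules on `httpd_$1_script_rw_t` in the second and third hunks look consistent with each other. The enclosing macro starts outside these hunks.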
diff --git a/strict/macros/program/cdrecord_macros.te b/strict/macros/program/cdrecord_macros.te
index aa9e1e5..8b94a00 100644
--- a/strict/macros/program/cdrecord_macros.te
+++ b/strict/macros/program/cdrecord_macros.te
@@ -27,16 +27,8 @@ allow $1_cdrecord_t self:unix_stream_socket create_stream_socket_perms;
can_resmgrd_connect($1_cdrecord_t)
-allow $1_cdrecord_t { tmp_t home_root_t }:dir search;
-
-# allow cdrecord to read user files
-r_dir_file($1_cdrecord_t, { $1_home_t $1_tmp_t })
-if (use_nfs_home_dirs) {
-r_dir_file($1_cdrecord_t, nfs_t)
-}
-if (use_samba_home_dirs) {
-r_dir_file($1_cdrecord_t, cifs_t)
-}
+read_content($1_cdrecord_t, $1, cdrecord)
+
allow $1_cdrecord_t etc_t:file { getattr read };
# allow searching for cdrom-drive
@@ -50,6 +42,8 @@ allow $1_cdrecord_t scsi_generic_device_t:chr_file { getattr read write ioctl };
allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
allow $1_cdrecord_t self:process { getsched setsched fork sigchld sigkill };
allow $1_cdrecord_t $1_devpts_t:chr_file rw_file_perms;
-read_content($1_cdrecord_t, $1)
+allow $1_cdrecord_t $1_home_t:dir search;
+allow $1_cdrecord_t $1_home_dir_t:dir r_dir_perms;
+allow $1_cdrecord_t $1_home_t:file r_file_perms;
')
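Review bot: The three `allow $1_cdrecord_t ... $1_home_t / $1_home_dir_t` rules added here grant unconditional read access to the user's home files, which defeats the `cdrecord_read_content` boolean that the `read_content($1_cdrecord_t, $1, cdrecord)` call in the previous hunk introduces to gate exactly that access. Either the three lines should be dropped so the boolean controls home access, or, if cdrecord needs directory access regardless of the tunable, the file read (`allow $1_cdrecord_t $1_home_t:file r_file_perms;`) should at least be removed and the remaining `dir` rules commented as the ungated minimum. The enclosing macro starts outside the hunk.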
diff --git a/strict/macros/program/ethereal_macros.te b/strict/macros/program/ethereal_macros.te
index c546cb4..36f1a96 100644
--- a/strict/macros/program/ethereal_macros.te
+++ b/strict/macros/program/ethereal_macros.te
@@ -38,11 +38,10 @@ domain_auto_trans($1_t, ethereal_exec_t, $1_ethereal_t)
role $1_r types $1_ethereal_t;
# Manual transition from userhelper
-# FIXME: Need to handle the fallback case, which requires userhelper support
ifdef(`userhelper.te', `
-allow userhelperdomain sysadm_ethereal_t:process { transition siginh rlimitinh noatsecure };
-allow sysadm_ethereal_t userhelperdomain:fd use;
-allow sysadm_ethereal_t userhelperdomain:process sigchld;
+allow userhelperdomain $1_ethereal_t:process { transition siginh rlimitinh noatsecure };
+allow $1_ethereal_t userhelperdomain:fd use;
+allow $1_ethereal_t userhelperdomain:process sigchld;
') dnl userhelper
# X, GNOME
diff --git a/strict/macros/program/evolution_macros.te b/strict/macros/program/evolution_macros.te
index facfe7f..37fc087 100644
--- a/strict/macros/program/evolution_macros.te
+++ b/strict/macros/program/evolution_macros.te
@@ -64,7 +64,7 @@ can_network_client_tcp($1_evolution_server_t, ldap_port_t)
allow $1_evolution_server_t ldap_port_t:tcp_socket name_connect;
# Look in /etc/pki
-allow $1_evolution_server_t cert_t:dir r_dir_perms;
+r_dir_file($1_evolution_server_t, cert_t)
') dnl evolution_data_server
diff --git a/strict/macros/program/irc_macros.te b/strict/macros/program/irc_macros.te
index 8c9c876..3adaef7 100644
--- a/strict/macros/program/irc_macros.te
+++ b/strict/macros/program/irc_macros.te
@@ -21,6 +21,7 @@ define(`irc_domain',`
# Home domain
home_domain($1, irc)
+file_type_auto_trans($1_irc_t, $1_home_dir_t, $1_irc_home_t, dir)
# Derived domain based on the calling user domain and the program.
type $1_irc_t, domain;
@@ -46,6 +47,7 @@ allow $1_t $1_irc_t:process signal;
# Use the network.
can_network_client($1_irc_t)
+allow $1_irc_t port_type:tcp_socket name_connect;
can_ypbind($1_irc_t)
allow $1_irc_t usr_t:file { getattr read };
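Review bot: `allow $1_irc_t port_type:tcp_socket name_connect;` lets the irc domain connect to every labeled port, including the reserved and service-specific ones, whereas the thunderbird hunk in this same commit scopes its client to `http_port_t`. If no dedicated irc port type exists yet, a comment such as `# TODO: restrict to an irc port type once one is declared` records the intent; the lpr_macros hunk adds the identical `port_type` rule for `$1_lpr_t` and would benefit from the same scoping. The enclosing macro starts outside the hunk.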
@@ -65,7 +67,7 @@ allow $1_irc_t self:dir search;
dontaudit $1_irc_t var_run_t:dir search;
# allow utmp access
-allow $1_irc_t initrc_var_run_t:file read;
+allow $1_irc_t initrc_var_run_t:file { getattr read };
dontaudit $1_irc_t initrc_var_run_t:file lock;
# access files under /tmp
diff --git a/strict/macros/program/lpr_macros.te b/strict/macros/program/lpr_macros.te
index beb6ca2..3dea9b0 100644
--- a/strict/macros/program/lpr_macros.te
+++ b/strict/macros/program/lpr_macros.te
@@ -35,6 +35,7 @@ role $1_r types $1_lpr_t;
# This domain is granted permissions common to most domains (including can_net)
can_network_client($1_lpr_t)
+allow $1_lpr_t port_type:tcp_socket name_connect;
can_ypbind($1_lpr_t)
# Use capabilities.
@@ -52,7 +53,6 @@ r_dir_file($1_lpr_t, printconf_t)
')
tmp_domain($1_lpr)
-r_dir_file($1_lpr_t, $1_tmp_t)
# Type for spool files.
type $1_print_spool_t, file_type, sysadmfile;
@@ -71,18 +71,8 @@ ifdef(`gnome-pty-helper.te', `allow $1_lpr_t $1_gph_t:fd use;')
allow $1_lpr_t privfd:fd use;
# Read user files.
-allow sysadm_lpr_t { home_root_t $1_home_t $1_home_dir_t }:dir search;
-allow sysadm_lpr_t $1_home_t:{ file lnk_file } r_file_perms;
-allow $1_lpr_t { home_root_t $1_home_t $1_home_dir_t }:dir search;
-allow $1_lpr_t $1_home_t:{ file lnk_file } r_file_perms;
-
-if (use_nfs_home_dirs) {
-r_dir_file($1_lpr_t, nfs_t)
-}
-
-if (use_samba_home_dirs) {
-r_dir_file($1_lpr_t, cifs_t)
-}
+read_content(sysadm_lpr_t, $1)
+read_content($1_lpr_t, $1)
# Read and write shared files in the spool directory.
allow $1_lpr_t print_spool_t:file rw_file_perms;
@@ -114,8 +104,7 @@ allow $1_lpr_t lpd_t:process signal;
')dnl end if lpd.te
ifdef(`xdm.te', `
-allow $1_lpr_t xdm_t:fd use;
-allow $1_lpr_t xdm_t:fifo_file write;
+can_pipe_xdm($1_lpr_t)
')
ifdef(`cups.te', `
@@ -124,11 +113,5 @@ allow $1_lpr_t { cupsd_etc_t cupsd_rw_etc_t }:file { getattr read };
can_tcp_connect({ $1_lpr_t $1_t }, cupsd_t)
')dnl end ifdef cups.te
-ifdef(`hide_broken_symptoms', `
-# thunderbird causes these
-dontaudit $1_lpr_t $1_t:tcp_socket { read write };
-dontaudit $1_lpr_t { $1_home_t $1_tmp_t }:file write;
-')
-
')dnl end macro definition
diff --git a/strict/macros/program/mail_client_macros.te b/strict/macros/program/mail_client_macros.te
index 90b9b1d..da22a62 100644
--- a/strict/macros/program/mail_client_macros.te
+++ b/strict/macros/program/mail_client_macros.te
@@ -54,10 +54,15 @@ domain_auto_trans($1_t, mozilla_exec_t, $2_mozilla_t)
')
ifdef(`dbusd.te', `
dbusd_client(system, $1)
+allow $1_t system_dbusd_t:dbus send_msg;
dbusd_client($2, $1)
allow $1_t $2_dbusd_t:dbus send_msg;
ifdef(`cups.te', `
allow cupsd_t $1_t:dbus send_msg;
')
')
+# Allow the user domain to signal/ps.
+can_ps($2_t, $1_t)
+allow $2_t $1_t:process signal_perms;
+
')
diff --git a/strict/macros/program/mozilla_macros.te b/strict/macros/program/mozilla_macros.te
index 3980122..cc8afb0 100644
--- a/strict/macros/program/mozilla_macros.te
+++ b/strict/macros/program/mozilla_macros.te
@@ -139,7 +139,14 @@ allow $1_mozilla_t self:process { execmem execstack };
}
allow $1_mozilla_t texrel_shlib_t:file execmod;
+ifdef(`dbusd.te', `
dbusd_client(system, $1_mozilla)
+allow $1_mozilla_t system_dbusd_t:dbus send_msg;
+ifdef(`cups.te', `
+allow cupsd_t $1_mozilla_t:dbus send_msg;
+')
+')
+
ifdef(`apache.te', `
ifelse($1, sysadm, `', `
r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t })
diff --git a/strict/macros/program/spamassassin_macros.te b/strict/macros/program/spamassassin_macros.te
index d7678f5..c85cfc7 100644
--- a/strict/macros/program/spamassassin_macros.te
+++ b/strict/macros/program/spamassassin_macros.te
@@ -85,7 +85,7 @@ file_type_auto_trans($1_spamassassin_t, $1_home_dir_t, $1_spamassassin_home_t, d
spamassassin_agent_privs($1_spamassassin_t, $1)
can_resolve($1_spamassassin_t)
-# set tunable if you give spamassassin full network access.
+# set tunable if you have spamassassin do DNS lookups
if (spamassasin_can_network) {
can_network($1_spamassassin_t)
allow $1_spamassassin_t port_type:tcp_socket name_connect;
diff --git a/strict/macros/program/thunderbird_macros.te b/strict/macros/program/thunderbird_macros.te
index b84e41d..2c0711d 100644
--- a/strict/macros/program/thunderbird_macros.te
+++ b/strict/macros/program/thunderbird_macros.te
@@ -38,6 +38,7 @@ dontaudit $1_thunderbird_t $1_home_t:file { getattr read };
x_client_domain($1_thunderbird, $1)
mail_client_domain($1_thunderbird, $1)
+allow $1_thunderbird_t self:process signull;
allow $1_thunderbird_t fs_t:filesystem getattr;
# GNOME support
@@ -54,9 +55,6 @@ home_domain($1, thunderbird)
can_network_client_tcp($1_thunderbird_t, http_port_t)
allow $1_thunderbird_t http_port_t:tcp_socket name_connect;
-allow $1_thunderbird_t self:process { execheap execstack };
-if (allow_execmem) {
-allow $1_thunderbird_t self:process execmem;
-}
+allow $1_thunderbird_t self:process { execheap execmem execstack };
')
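Review bot: Collapsing the removed `if (allow_execmem)` block into `allow $1_thunderbird_t self:process { execheap execmem execstack };` grants `execmem` unconditionally, so the tunable no longer has any effect on this domain and the rule can no longer be turned off on systems that disable executable memory. If the boolean is being retired for this domain on purpose, the commit should say so, or the gating should be kept as `if (allow_execmem) { allow $1_thunderbird_t self:process execmem; }` alongside the `execheap execstack` line. The enclosing macro starts outside the hunk.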
diff --git a/strict/mls b/strict/mls
index ef20c21..01a652a 100644
--- a/strict/mls
+++ b/strict/mls
@@ -217,7 +217,7 @@ level s9:c0.c127;
mlsconstrain { file lnk_file fifo_file } { create relabelto }
( l2 eq h2 );
-# new file labels must be dominated by the relabeling subject clearance
+# new file labels must be dominated by the relabeling subject's clearance
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
( h1 dom h2 );
@@ -272,7 +272,7 @@ mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file }
# create can also require the upgrade/downgrade checks if the creating process
# has used setfscreate (note that both the high and low level of the object
-# default to the process sensitivity level)
+# default to the process' sensitivity level)
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create
((( l1 eq l2 ) or
(( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or
@@ -290,7 +290,7 @@ mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create
# MLS policy for the filesystem class
#
-# new filesystem labels must be dominated by the relabeling subject clearance
+# new filesystem labels must be dominated by the relabeling subject's clearance
mlsconstrain filesystem relabelto
( h1 dom h2 );
@@ -316,7 +316,7 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
# MLS policy for the socket classes
#
-# new socket labels must be dominated by the relabeling subject clearance
+# new socket labels must be dominated by the relabeling subject's clearance
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
( h1 dom h2 );
diff --git a/strict/net_contexts b/strict/net_contexts
index fd10f9b..f38e613 100644
--- a/strict/net_contexts
+++ b/strict/net_contexts
@@ -223,14 +223,6 @@ portcon udp 1-1023 system_u:object_r:reserved_port_t
#
# interface netif_context default_msg_context
#
-netifcon lo system_u:object_r:netif_lo_t system_u:object_r:unlabeled_t
-netifcon eth0 system_u:object_r:netif_eth0_t system_u:object_r:unlabeled_t
-netifcon eth1 system_u:object_r:netif_eth1_t system_u:object_r:unlabeled_t
-netifcon eth2 system_u:object_r:netif_eth2_t system_u:object_r:unlabeled_t
-netifcon ippp0 system_u:object_r:netif_ippp0_t system_u:object_r:unlabeled_t
-netifcon ipsec0 system_u:object_r:netif_ipsec0_t system_u:object_r:unlabeled_t
-netifcon ipsec1 system_u:object_r:netif_ipsec1_t system_u:object_r:unlabeled_t
-netifcon ipsec2 system_u:object_r:netif_ipsec2_t system_u:object_r:unlabeled_t
# Nodes (default = initial SID "node")
#
diff --git a/strict/types/network.te b/strict/types/network.te
index bf5ca67..e3c66f8 100644
--- a/strict/types/network.te
+++ b/strict/types/network.te
@@ -74,15 +74,6 @@ type reserved_port_t, port_type;
# interfaces in net_contexts or net_contexts.mls.
#
type netif_t, netif_type;
-type netif_eth0_t, netif_type;
-type netif_eth1_t, netif_type;
-type netif_eth2_t, netif_type;
-type netif_lo_t, netif_type;
-type netif_ippp0_t, netif_type;
-
-type netif_ipsec0_t, netif_type;
-type netif_ipsec1_t, netif_type;
-type netif_ipsec2_t, netif_type;
#
# node_t is the default type of network nodes.