[selinux-policy: 662/3172] more upstream merging
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:02:09 UTC 2010
commit cff75c90cab354d68044903a4943c5325bf848f2
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Sep 16 19:36:10 2005 +0000
more upstream merging
refpolicy/policy/modules/admin/su.if | 312 ++++++++++++-----------
refpolicy/policy/modules/admin/sudo.if | 2 +-
refpolicy/policy/modules/apps/gpg.if | 59 +----
refpolicy/policy/modules/kernel/filesystem.te | 6 +-
refpolicy/policy/modules/kernel/kernel.te | 2 +-
refpolicy/policy/modules/kernel/selinux.te | 2 +-
refpolicy/policy/modules/services/cron.if | 5 +-
refpolicy/policy/modules/services/dbus.if | 9 +-
refpolicy/policy/modules/services/kerberos.fc | 6 +-
refpolicy/policy/modules/services/kerberos.if | 1 +
refpolicy/policy/modules/services/mta.if | 1 +
refpolicy/policy/modules/services/ssh.if | 56 ++--
refpolicy/policy/modules/system/authlogin.if | 49 ++--
refpolicy/policy/modules/system/corecommands.fc | 19 +-
refpolicy/policy/modules/system/files.fc | 34 ++-
refpolicy/policy/modules/system/files.if | 12 +-
refpolicy/policy/modules/system/libraries.fc | 12 +-
refpolicy/policy/modules/system/logging.if | 10 +-
refpolicy/policy/modules/system/lvm.fc | 13 +-
refpolicy/policy/modules/system/lvm.te | 96 +++++++-
refpolicy/policy/modules/system/miscfiles.fc | 6 +-
refpolicy/policy/modules/system/miscfiles.te | 3 +
refpolicy/policy/modules/system/selinuxutil.te | 3 +-
refpolicy/policy/modules/system/userdomain.if | 2 +
refpolicy/policy/support/misc_macros.spt | 9 +-
refpolicy/policy/systemuser | 7 +-
refpolicy/policy/users | 8 +-
strict/assert.te | 54 ++---
strict/attrib.te | 25 ++
strict/domains/program/lvm.te | 13 +
strict/domains/program/snmpd.te | 17 +-
strict/file_contexts/program/kerberos.fc | 9 +
strict/file_contexts/program/lvm.fc | 7 +-
strict/file_contexts/program/rsync.fc | 1 +
strict/file_contexts/types.fc | 60 ++++--
strict/macros/program/chkpwd_macros.te | 25 +-
strict/macros/program/crond_macros.te | 1 +
strict/macros/program/crontab_macros.te | 7 +-
strict/macros/program/dbusd_macros.te | 9 +-
strict/macros/program/gpg_agent_macros.te | 4 +-
strict/macros/program/gpg_macros.te | 49 +---
strict/macros/program/inetd_macros.te | 1 -
strict/macros/program/kerberos_macros.te | 1 +
strict/macros/program/mta_macros.te | 1 +
strict/macros/program/newrole_macros.te | 5 +-
strict/macros/program/ssh_agent_macros.te | 6 +-
strict/macros/program/ssh_macros.te | 51 ++--
strict/macros/program/su_macros.te | 31 ++-
strict/mcs | 212 +++++++++++++++
strict/types/file.te | 4 +-
strict/types/security.te | 12 +-
strict/users | 9 +-
tools/regression.sh | 4 +-
53 files changed, 879 insertions(+), 483 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index 1fb0855..0ae4071 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -28,151 +28,171 @@
## </param>
#
template(`su_per_userdomain_template',`
-
- gen_require(`
- type su_exec_t;
- ')
-
- type $1_su_t;
- domain_entry_file($1_su_t,su_exec_t)
- domain_type($1_su_t)
- domain_role_change_exempt($1_su_t)
- domain_subj_id_change_exempt($1_su_t)
- domain_obj_id_change_exempt($1_su_t)
- domain_wide_inherit_fd($1_su_t)
- role $3 types $1_su_t;
-
- allow $2 $1_su_t:process signal;
-
- allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
- dontaudit $1_su_t self:capability sys_tty_config;
- allow $1_su_t self:process { setexec setsched setrlimit };
- allow $1_su_t self:fifo_file rw_file_perms;
-
- # Transition from the user domain to this domain.
- domain_auto_trans($2, su_exec_t, $1_su_t)
- allow $2 $1_su_t:fd use;
- allow $1_su_t $2:fd use;
- allow $1_su_t $2:fifo_file rw_file_perms;
- allow $1_su_t $2:process sigchld;
-
- # By default, revert to the calling domain when a shell is executed.
- corecmd_shell_domtrans($1_su_t,$2)
- allow $2 $1_su_t:fd use;
- allow $1_su_t $2:fd use;
- allow $1_su_t $2:fifo_file rw_file_perms;
- allow $1_su_t $2:process sigchld;
-
- kernel_read_system_state($1_su_t)
- kernel_read_kernel_sysctl($1_su_t)
-
- # for SSP
- dev_read_urand($1_su_t)
-
- fs_search_auto_mountpoints($1_su_t)
-
- selinux_get_fs_mount($1_su_t)
- selinux_validate_context($1_su_t)
- selinux_compute_access_vector($1_su_t)
- selinux_compute_create_context($1_su_t)
- selinux_compute_relabel_context($1_su_t)
- selinux_compute_user_contexts($1_su_t)
-
- # Relabel ttys and ptys.
- term_relabel_all_user_ttys($1_su_t)
- term_relabel_all_user_ptys($1_su_t)
- # Close and re-open ttys and ptys to get the fd into the correct domain.
- term_use_all_user_ttys($1_su_t)
- term_use_all_user_ptys($1_su_t)
-
- auth_domtrans_user_chk_passwd($1_su_t,$1)
- auth_dontaudit_read_shadow($1_su_t)
-
- domain_wide_inherit_fd($1_su_t)
-
- files_read_etc_files($1_su_t)
- files_search_var_lib($1_su_t)
-
- init_dontaudit_use_fd($1_su_t)
- # Write to utmp.
- init_rw_script_pid($1_su_t)
-
- libs_use_ld_so($1_su_t)
- libs_use_shared_libs($1_su_t)
-
- logging_send_syslog_msg($1_su_t)
-
- miscfiles_read_localization($1_su_t)
-
- seutil_read_config($1_su_t)
- seutil_read_default_contexts($1_su_t)
-
- userdom_use_user_terminals($1,$1_su_t)
-
- if(secure_mode)
- {
- # Only allow transitions to unprivileged user domains.
- userdom_spec_domtrans_unpriv_users($1_su_t)
- } else {
- # Allow transitions to all user domains
- userdom_spec_domtrans_all_users($1_su_t)
- }
-
- if (use_nfs_home_dirs) {
- fs_search_nfs($1_su_t)
- }
-
- if (use_samba_home_dirs) {
- fs_search_cifs($1_su_t)
- }
-
- optional_policy(`crond.te',`
- cron_read_pipe($1_su_t)
- ')
-
- optional_policy(`kerberos.te',`
- kerberos_use($1_su_t)
- ')
-
- optional_policy(`nis.te',`
- nis_use_ypbind($1_su_t)
- ')
-
- optional_policy(`nscd.te',`
- nscd_use_socket($1_su_t)
- ')
-
- ifdef(`TODO',`
- # Caused by su - init scripts
- dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
-
- # Inherit and use descriptors from gnome-pty-helper.
- ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;')
-
- allow $1_su_t { home_root_t $1_home_dir_t }:dir search;
- allow $1_su_t $1_home_t:file create_file_perms;
-
- ifdef(`user_canbe_sysadm', `
- allow $1_su_t home_dir_type:dir { search write };
- ', `
- dontaudit $1_su_t home_dir_type:dir { search write };
- ')
-
- # Modify .Xauthority file (via xauth program).
- ifdef(`xauth.te', `
- file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
- file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
- file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
- domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t)
- ')
-
- ifdef(`cyrus.te', `
- allow $1_su_t cyrus_var_lib_t:dir search;
- ')
- ifdef(`ssh.te', `
- # Access sshd cookie files.
- allow $1_su_t sshd_tmp_t:file rw_file_perms;
- file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t)
+ # in optional since loadable modules do not natively
+ # support per-userdomain templates yet.
+ optional_policy(`su.te',`
+ gen_require(`
+ type su_exec_t;
+ ')
+
+ type $1_su_t;
+ domain_entry_file($1_su_t,su_exec_t)
+ domain_type($1_su_t)
+ domain_role_change_exempt($1_su_t)
+ domain_subj_id_change_exempt($1_su_t)
+ domain_obj_id_change_exempt($1_su_t)
+ domain_wide_inherit_fd($1_su_t)
+ role $3 types $1_su_t;
+
+ allow $2 $1_su_t:process signal;
+
+ allow $1_su_t self:capability { audit_control setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+ dontaudit $1_su_t self:capability sys_tty_config;
+ allow $1_su_t self:process { setexec setsched setrlimit };
+ allow $1_su_t self:fifo_file rw_file_perms;
+ allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
+
+ # Transition from the user domain to this domain.
+ domain_auto_trans($2, su_exec_t, $1_su_t)
+ allow $2 $1_su_t:fd use;
+ allow $1_su_t $2:fd use;
+ allow $1_su_t $2:fifo_file rw_file_perms;
+ allow $1_su_t $2:process sigchld;
+
+ # By default, revert to the calling domain when a shell is executed.
+ corecmd_shell_domtrans($1_su_t,$2)
+ allow $2 $1_su_t:fd use;
+ allow $1_su_t $2:fd use;
+ allow $1_su_t $2:fifo_file rw_file_perms;
+ allow $1_su_t $2:process sigchld;
+
+ kernel_read_system_state($1_su_t)
+ kernel_read_kernel_sysctl($1_su_t)
+
+ # for SSP
+ dev_read_urand($1_su_t)
+
+ fs_search_auto_mountpoints($1_su_t)
+
+ selinux_get_fs_mount($1_su_t)
+ selinux_validate_context($1_su_t)
+ selinux_compute_access_vector($1_su_t)
+ selinux_compute_create_context($1_su_t)
+ selinux_compute_relabel_context($1_su_t)
+ selinux_compute_user_contexts($1_su_t)
+
+ # Relabel ttys and ptys.
+ term_relabel_all_user_ttys($1_su_t)
+ term_relabel_all_user_ptys($1_su_t)
+ # Close and re-open ttys and ptys to get the fd into the correct domain.
+ term_use_all_user_ttys($1_su_t)
+ term_use_all_user_ptys($1_su_t)
+
+ auth_domtrans_user_chk_passwd($1_su_t,$1)
+ auth_dontaudit_read_shadow($1_su_t)
+
+ domain_wide_inherit_fd($1_su_t)
+
+ files_read_etc_files($1_su_t)
+ files_search_var_lib($1_su_t)
+
+ init_dontaudit_use_fd($1_su_t)
+ # Write to utmp.
+ init_rw_script_pid($1_su_t)
+
+ libs_use_ld_so($1_su_t)
+ libs_use_shared_libs($1_su_t)
+
+ logging_send_syslog_msg($1_su_t)
+
+ miscfiles_read_localization($1_su_t)
+
+ seutil_read_config($1_su_t)
+ seutil_read_default_contexts($1_su_t)
+
+ userdom_use_user_terminals($1,$1_su_t)
+
+ if(secure_mode)
+ {
+ # Only allow transitions to unprivileged user domains.
+ userdom_spec_domtrans_unpriv_users($1_su_t)
+ } else {
+ # Allow transitions to all user domains
+ userdom_spec_domtrans_all_users($1_su_t)
+ }
+
+ if (use_nfs_home_dirs) {
+ fs_search_nfs($1_su_t)
+ }
+
+ if (use_samba_home_dirs) {
+ fs_search_cifs($1_su_t)
+ }
+
+ optional_policy(`crond.te',`
+ cron_read_pipe($1_su_t)
+ ')
+
+ optional_policy(`kerberos.te',`
+ kerberos_use($1_su_t)
+ ')
+
+ optional_policy(`nis.te',`
+ nis_use_ypbind($1_su_t)
+ ')
+
+ optional_policy(`nscd.te',`
+ nscd_use_socket($1_su_t)
+ ')
+
+ ifdef(`TODO',`
+
+ ifdef(`support_polyinstantiation', `
+ typeattribute $1_su_t mlsfileread;
+ typeattribute $1_su_t mlsfilewrite;
+ typeattribute $1_su_t mlsfileupgrade;
+ typeattribute $1_su_t mlsfiledowngrade;
+ typeattribute $1_su_t mlsprocsetsl;
+ # Su can polyinstantiate
+ polyinstantiater($1_su_t)
+ # Su has to unmount polyinstantiated directories (like home)
+ # that should not be polyinstantiated under the new user
+ allow $1_su_t fs_t:filesystem unmount;
+ # Su needs additional permission to mount over a previous mount
+ allow $1_su_t polymember:dir mounton;
+ ')
+
+ # Caused by su - init scripts
+ dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
+
+ # Inherit and use descriptors from gnome-pty-helper.
+ ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;')
+
+ allow $1_su_t { home_root_t $1_home_dir_t }:dir search;
+ allow $1_su_t $1_home_t:file create_file_perms;
+
+ ifdef(`user_canbe_sysadm', `
+ allow $1_su_t home_dir_type:dir { search write };
+ ', `
+ dontaudit $1_su_t home_dir_type:dir { search write };
+ ')
+
+ # Modify .Xauthority file (via xauth program).
+ ifdef(`xauth.te', `
+ file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
+ file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
+ file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
+ domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t)
+ ')
+
+ ifdef(`cyrus.te', `
+ allow $1_su_t cyrus_var_lib_t:dir search;
+ ')
+ ifdef(`ssh.te', `
+ # Access sshd cookie files.
+ allow $1_su_t sshd_tmp_t:file rw_file_perms;
+ file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t)
+ ')
+ ') dnl end TODO
')
- ') dnl end TODO
')
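Review bot: `$1_su_t` is given `netlink_audit_socket { nlmsg_relay ... }` (new line after the fifo_file rule) but the capability line above it adds only `audit_control`, not `audit_write`; relaying AUDIT_USER records requires CAP_AUDIT_WRITE, so the send will still be denied, while CAP_AUDIT_CONTROL (enable/disable auditing, rewrite rules) is a much larger grant than an su helper should hold. The authlogin.if hunk in this same commit pairs `{ audit_write audit_control setuid }` for its chkpwd domain, which shows the combination expected here. Suggest `allow $1_su_t self:capability { audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };` and keep `audit_control` only if something in su (pam_loginuid writing /proc/self/loginuid, presumably) is shown to need it, with a comment saying so. Note also that the new mlsfile*/polyinstantiation block sits inside `ifdef(`TODO')` and is therefore never compiled.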
diff --git a/refpolicy/policy/modules/admin/sudo.if b/refpolicy/policy/modules/admin/sudo.if
index e61e8d5..84e11c4 100644
--- a/refpolicy/policy/modules/admin/sudo.if
+++ b/refpolicy/policy/modules/admin/sudo.if
@@ -54,7 +54,7 @@ template(`sudo_per_userdomain_template',`
#
# Use capabilities.
- allow $1_sudo_t self:capability { setuid setgid dac_override sys_resource };
+ allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_sudo_t self:process { setexec setrlimit };
allow $1_sudo_t self:fd use;
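Review bot: The added `fowner` capability carries no comment naming the operation that needs it; CAP_FOWNER bypasses owner checks for chmod/chown-adjacent operations and, combined with the existing `dac_override`, lets `$1_sudo_t` act on any file regardless of owner or mode. Record the trigger next to the rule, e.g. `# fowner: needed for <operation> on the timestamp directory` (I cannot tell from the hunk which denial prompted it), so a later review can drop it if that code path disappears.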
diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if
index f27154e..8659a3d 100644
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@@ -75,7 +75,7 @@ template(`gpg_per_userdomain_template',`
allow $1_gpg_t self:capability { ipc_lock setuid };
allow { $2 $1_gpg_t } $1_gpg_t:process signal;
# setrlimit is for ulimit -c 0
- allow $1_gpg_t self:process { setrlimit setcap };
+ allow $1_gpg_t self:process { setrlimit setcap setpgid };
allow $1_gpg_t self:fifo_file rw_file_perms;
allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
@@ -84,9 +84,6 @@ template(`gpg_per_userdomain_template',`
allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms;
- allow $2 $1_gpg_secret_t:file getattr;
- allow $2 $1_gpg_secret_t:dir rw_dir_perms;
-
corenet_tcp_sendrecv_all_if($1_gpg_t)
corenet_raw_sendrecv_all_if($1_gpg_t)
corenet_udp_sendrecv_all_if($1_gpg_t)
@@ -97,6 +94,7 @@ template(`gpg_per_userdomain_template',`
corenet_udp_sendrecv_all_ports($1_gpg_t)
corenet_tcp_bind_all_nodes($1_gpg_t)
corenet_udp_bind_all_nodes($1_gpg_t)
+ corenet_tcp_connect_all_ports($1_gpg_t)
dev_read_rand($1_gpg_t)
dev_read_urand($1_gpg_t)
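Review bot: `corenet_tcp_connect_all_ports($1_gpg_t)` lets the user's gpg domain open outbound TCP connections to any port on any host, far wider than keyserver access and wider than the sendrecv/bind rules it sits next to. If the need is keyserver fetches, prefer the specific port interface (`corenet_tcp_connect_http_port($1_gpg_t)` or a dedicated hkp port type if one exists in this tree) or gate the broad rule behind a tunable so the default stays closed. Which operation produced the denial is not visible in this diff.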
@@ -108,8 +106,6 @@ template(`gpg_per_userdomain_template',`
files_read_etc_files($1_gpg_t)
files_read_usr_files($1_gpg_t)
files_dontaudit_search_var($1_gpg_t)
- # should not need read access...
- files_list_home($1_gpg_t)
libs_use_shared_libs($1_gpg_t)
libs_use_ld_so($1_gpg_t)
@@ -122,54 +118,22 @@ template(`gpg_per_userdomain_template',`
userdom_use_user_terminals($1,$1_gpg_t)
- # Legacy
- tunable_policy(`allow_gpg_execstack',`
- allow $1_gpg_t self:process execmem;
- libs_legacy_use_shared_libs($1_gpg_t)
- libs_legacy_use_ld_so($1_gpg_t)
- miscfiles_legacy_read_localization($1_gpg_t)
- # Not quite sure why this is needed...
- allow $1_gpg_t gpg_exec_t:file execmod;
- ')
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs($1_gpg_t)
- fs_manage_nfs_files($1_gpg_t)
- fs_manage_nfs_symlinks($1_gpg_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs($1_gpg_t)
- fs_manage_cifs_files($1_gpg_t)
- fs_manage_cifs_symlinks($1_gpg_t)
- ')
-
optional_policy(`nis.te',`
nis_use_ypbind($1_gpg_t)
')
ifdef(`TODO',`
+ # Read content to encrypt/decrypt/sign
+ read_content($1_gpg_t, $1)
+
+ # Write content to encrypt/decrypt/sign
+ write_trusted($1_gpg_t, $1)
ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')
# allow ps to show gpg
can_ps($1_t, $1_gpg_t)
- # use $1_gpg_secret_t for files it creates
- # NB we are doing the type transition for directory creation only!
- # so ~/.gnupg will be of $1_gpg_secret_t, then files created under it such as
- # secring.gpg will be of $1_gpg_secret_t too. But when you use gpg to decrypt
- # a file and write output to your home directory it will use user_home_t.
- file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_gpg_secret_t, dir)
-
- file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_home_t, file)
- create_dir_file($1_gpg_t, $1_home_t)
-
- # allow the usual access to /tmp
- file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t)
-
- rw_dir_create_file($1_gpg_t, $1_file_type)
-
') dnl end TODO
########################################
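Review bot: The `use_nfs_home_dirs` and `use_samba_home_dirs` tunable blocks are removed here with no replacement in the hunk, so on systems with NFS or CIFS home directories `$1_gpg_t` loses the `fs_manage_nfs_*`/`fs_manage_cifs_*` access it needs to reach `~/.gnupg`; unless that access now comes from a helper elsewhere in this commit (not visible here), it should be kept or moved. The new `read_content`/`write_trusted` calls are placed inside the `ifdef(`TODO')` block and so are not compiled into the policy; a comment such as `# TODO: read_content/write_trusted not yet ported to refpolicy interfaces` would make that status explicit.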
@@ -210,6 +174,7 @@ template(`gpg_per_userdomain_template',`
corenet_udp_sendrecv_all_ports($1_gpg_helper_t)
corenet_tcp_bind_all_nodes($1_gpg_helper_t)
corenet_udp_bind_all_nodes($1_gpg_helper_t)
+ corenet_tcp_connect_all_ports($1_gpg_helper_t)
dev_read_urand($1_gpg_helper_t)
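Review bot: `corenet_tcp_connect_all_ports($1_gpg_helper_t)` gives the keyserver helper outbound TCP to every port; since this helper is the component that actually talks to keyservers, it is the place to name the ports instead, e.g. `corenet_tcp_connect_http_port($1_gpg_helper_t)` plus whatever hkp port type the tree defines, and to state in a comment which protocol the helper speaks so the set can be kept minimal.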
@@ -232,9 +197,8 @@ template(`gpg_per_userdomain_template',`
ifdef(`TODO',`
- ifdef(`xdm.te', `
- dontaudit $1_gpg_t xdm_t:fd use;
- dontaudit $1_gpg_t xdm_t:fifo_file read;
+ ifdef(`xdm.te',`
+ can_pipe_xdm($1_gpg_t)
')
') dnl end TODO
@@ -296,8 +260,6 @@ template(`gpg_per_userdomain_template',`
ifdef(`TODO',`
- allow $1_gpg_agent_t xdm_t:fd use;
-
# allow ps to show gpg-agent
can_ps($1_t, $1_gpg_agent_t)
@@ -353,7 +315,6 @@ template(`gpg_per_userdomain_template',`
allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
allow $1_gpg_pinentry_t xdm_xserver_t:unix_stream_socket connectto;
- allow $1_gpg_pinentry_t xdm_t:fd use;
')
allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search };
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
index e1771a6..e6e9584 100644
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@@ -62,10 +62,6 @@ type inotifyfs_t, filesystem_type;
allow inotifyfs_t self:filesystem associate;
genfscon inotifyfs / context_template(system_u:object_r:inotifyfs_t,s0)
-type mqueue_t, filesystem_type;
-files_mountpoint(mqueue_t)
-allow mqueue_t self:filesystem associate;
-
type nfsd_fs_t, filesystem_type;
genfscon nfsd / context_template(system_u:object_r:nfsd_fs_t,s0)
@@ -86,12 +82,14 @@ genfscon rpc_pipefs / context_template(system_u:object_r:rpc_pipefs_t,s0)
#
type tmpfs_t, filesystem_type;
files_type(tmpfs_t)
+files_mountpoint(tmpfs_t)
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
# and label the filesystem itself with the specified context.
# This is appropriate for pseudo filesystems like devpts and tmpfs
# where we want to label objects with a derived type.
+fs_use_trans mqueue context_template(system_u:object_r:tmpfs_t,s0);
fs_use_trans shm context_template(system_u:object_r:tmpfs_t,s0);
fs_use_trans tmpfs context_template(system_u:object_r:tmpfs_t,s0);
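Review bot: `fs_use_trans mqueue` now labels POSIX message queue inodes under tmpfs_t, the same base type as shm and tmpfs, in place of the removed dedicated mqueue_t. With fs_use_trans the inode type comes from the creating domain's type_transition on tmpfs_t, so every existing `*_tmpfs_t` transition rule silently starts governing message queues too, and queues created by domains without such a rule land in plain tmpfs_t where any domain with tmpfs_t file access can reach them. If that sharing is intended, say so: `# mqueue shares tmpfs_t: per-domain *_tmpfs_t transitions also cover POSIX message queues`; otherwise a separate base type keeps queue access auditable on its own.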
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 282f5d0..d4d9bf7 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -28,7 +28,7 @@ attribute sysctl_type;
type kernel_t, can_load_kernmodule; # mlsprocread, mlsprocwrite, privrangetrans
role system_r types kernel_t;
domain_base_type(kernel_t)
-sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127)
+sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127, c0.c127)
#
# Procfs types
diff --git a/refpolicy/policy/modules/kernel/selinux.te b/refpolicy/policy/modules/kernel/selinux.te
index 6953df6..0c091b8 100644
--- a/refpolicy/policy/modules/kernel/selinux.te
+++ b/refpolicy/policy/modules/kernel/selinux.te
@@ -15,7 +15,7 @@ attribute can_setsecparam;
# the permissions in the security class. It is also
# applied to selinuxfs inodes.
#
-type security_t;
+type security_t; #, mlstrustedobject;
fs_type(security_t)
sid security context_template(system_u:object_r:security_t,s0)
genfscon selinuxfs / context_template(system_u:object_r:security_t,s0)
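Review bot: `type security_t; #, mlstrustedobject;` leaves a commented-out attribute in the declaration with no explanation, so a reader cannot tell whether selinuxfs nodes are deliberately kept subject to MLS constraints or the attribute is pending. Replace the trailing fragment with a comment above the type that states the decision, e.g. `# not mlstrustedobject: selinuxfs nodes stay subject to MLS constraints` or `# TODO: mlstrustedobject pending MLS review`.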
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index b01cbfd..e642b2a 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -91,6 +91,7 @@ template(`cron_per_userdomain_template',`
corenet_udp_sendrecv_all_ports($1_crond_t)
corenet_tcp_bind_all_nodes($1_crond_t)
corenet_udp_bind_all_nodes($1_crond_t)
+ corenet_tcp_connect_all_ports($1_crond_t)
dev_read_urand($1_crond_t)
@@ -188,6 +189,8 @@ template(`cron_per_userdomain_template',`
# crontab signals crond by updating the mtime on the spooldir
allow $1_crontab_t cron_spool_t:dir setattr;
+ kernel_read_system_state($1_crontab_t)
+
# for the checks used by crontab -u
selinux_dontaudit_search_fs($1_crontab_t)
@@ -210,7 +213,7 @@ template(`cron_per_userdomain_template',`
miscfiles_read_localization($1_crontab_t)
- seutil_dontaudit_search_config($1_crontab_t)
+ seutil_read_config($1_crontab_t)
userdom_manage_user_tmp_dirs($1,$1_crontab_t)
userdom_manage_user_tmp_files($1,$1_crontab_t)
diff --git a/refpolicy/policy/modules/services/dbus.if b/refpolicy/policy/modules/services/dbus.if
index c4f6c53..07b9a03 100644
--- a/refpolicy/policy/modules/services/dbus.if
+++ b/refpolicy/policy/modules/services/dbus.if
@@ -46,12 +46,13 @@ template(`dbus_per_userdomain_template',`
#
allow $1_dbusd_t self:process { getattr sigkill signal };
+ allow $1_dbusd_t self:file { getattr read write };
allow $1_dbusd_t self:dbus { send_msg acquire_svc };
allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
# Receive notifications of policy reloads and enforcing status changes.
- allow $1_dbusd_t self:netlink_selinux_socket { create bind read };
+ allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
# For connecting to the bus
allow $2 $1_dbusd_t:unix_stream_socket connectto;
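Review bot: `allow $1_dbusd_t self:file { getattr read write }` grants write on the domain's own /proc/self entries without saying which one needs it, and the netlink_selinux_socket rule widens from `{ create bind read }` to `create_socket_perms`, which adds write/setopt and more to a socket the comment says is only used to receive policy-reload notifications. Suggest a comment naming the /proc/self file that is written (and narrowing to it if possible), and keeping the netlink rule at the receive-only set, e.g. `allow $1_dbusd_t self:netlink_selinux_socket { create bind read getattr };`, unless a denial shows more is required.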
@@ -141,6 +142,12 @@ template(`dbus_per_userdomain_template',`
optional_policy(`nscd.te',`
nscd_use_socket($1_dbusd_t)
')
+
+ ifdef(`TODO',`
+ ifdef(`xdm.te', `
+ can_pipe_xdm($1_dbusd_t)
+ ')
+ ')
')
#######################################
diff --git a/refpolicy/policy/modules/services/kerberos.fc b/refpolicy/policy/modules/services/kerberos.fc
index fcbb737..bd07afa 100644
--- a/refpolicy/policy/modules/services/kerberos.fc
+++ b/refpolicy/policy/modules/services/kerberos.fc
@@ -1,6 +1,10 @@
/etc/krb5\.conf -- context_template(system_u:object_r:krb5_conf_t,s0)
/etc/krb5\.keytab context_template(system_u:object_r:krb5_keytab_t,s0)
+/etc/krb5kdc(/.*)? context_template(system_u:object_r:krb5kdc_conf_t,s0)
+/etc/krb5kdc/kadm5.keytab -- context_template(system_u:object_r:krb5_keytab_t,s0)
+/etc/krb5kdc/principal.* context_template(system_u:object_r:krb5kdc_principal_t,s0)
+
/usr(/local)?(/kerberos)?/sbin/krb5kdc -- context_template(system_u:object_r:krb5kdc_exec_t,s0)
/usr(/local)?(/kerberos)?/sbin/kadmind -- context_template(system_u:object_r:kadmind_exec_t,s0)
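Review bot: In the new `/etc/krb5kdc/kadm5.keytab` entry the dot is unescaped, unlike `/etc/krb5\.keytab` two lines above, so it matches any character; it should read `/etc/krb5kdc/kadm5\.keytab -- context_template(system_u:object_r:krb5_keytab_t,s0)`. The catch-all `/etc/krb5kdc(/.*)?` labels everything else in that directory krb5kdc_conf_t, which presumably includes the KDC master-key stash file (`.k5.<REALM>`) if it lives there; if the stash is meant to be held more tightly than generic KDC configuration, it needs its own entry before the catch-all.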
@@ -11,4 +15,4 @@
/var/kerberos/krb5kdc/principal.* context_template(system_u:object_r:krb5kdc_principal_t,s0)
/var/log/krb5kdc\.log context_template(system_u:object_r:krb5kdc_log_t,s0)
-/var/log/kadmind\.log context_template(system_u:object_r:kadmind_log_t,s0)
+/var/log/kadmin(d)?\.log context_template(system_u:object_r:kadmind_log_t,s0)
diff --git a/refpolicy/policy/modules/services/kerberos.if b/refpolicy/policy/modules/services/kerberos.if
index adfd14e..b777d46 100644
--- a/refpolicy/policy/modules/services/kerberos.if
+++ b/refpolicy/policy/modules/services/kerberos.if
@@ -54,6 +54,7 @@ interface(`kerberos_use',`
corenet_udp_sendrecv_kerberos_port($1)
corenet_tcp_bind_all_nodes($1)
corenet_udp_bind_all_nodes($1)
+ corenet_tcp_connect_kerberos_port($1)
sysnet_read_config($1)
sysnet_dns_name_resolve($1)
')
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 06537b8..ccd249d 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -70,6 +70,7 @@ template(`mta_per_userdomain_template',`
corenet_raw_sendrecv_all_nodes($1_mail_t)
corenet_tcp_sendrecv_all_ports($1_mail_t)
corenet_tcp_bind_all_nodes($1_mail_t)
+ corenet_tcp_connect_all_ports($1_mail_t)
domain_use_wide_inherit_fd($1_mail_t)
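Review bot: `corenet_tcp_connect_all_ports($1_mail_t)` opens outbound TCP to every port for the user mail domain, whereas a mail client handing mail to an MTA needs the smtp port (and possibly submission). If the tree provides it, prefer `corenet_tcp_connect_smtp_port($1_mail_t)`; if a broader set is genuinely needed, a comment naming the client/protocol that requires it would let a later audit narrow the rule.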
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index edb0e04..6fab73a 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -110,6 +110,7 @@ template(`ssh_per_userdomain_template',`
corenet_raw_sendrecv_all_nodes($1_ssh_t)
corenet_tcp_sendrecv_all_ports($1_ssh_t)
corenet_tcp_bind_all_nodes($1_ssh_t)
+ corenet_tcp_connect_ssh_port($1_ssh_t)
dev_read_urand($1_ssh_t)
@@ -132,6 +133,7 @@ template(`ssh_per_userdomain_template',`
files_read_usr_files($1_ssh_t)
files_read_etc_runtime_files($1_ssh_t)
files_read_etc_files($1_ssh_t)
+ files_read_var_files($1_ssh_t)
libs_use_ld_so($1_ssh_t)
libs_use_shared_libs($1_ssh_t)
@@ -184,9 +186,6 @@ template(`ssh_per_userdomain_template',`
')
ifdef(`TODO',`
- # Read /var.
- allow $1_ssh_t var_t:dir r_dir_perms;
- allow $1_ssh_t var_t:notdevfile_class_set r_file_perms;
# Read /var/run, /var/log.
allow $1_ssh_t var_run_t:dir r_dir_perms;
@@ -215,32 +214,33 @@ template(`ssh_per_userdomain_template',`
# allow ps to show ssh
can_ps($1_t, $1_ssh_t)
- ifdef(`xserver.te', `
- # Communicate with the X server.
- can_unix_connect($1_ssh_t, $1_xserver_t)
- allow $1_ssh_t $1_xserver_tmp_t:sock_file rw_file_perms;
- allow $1_ssh_t $1_xserver_tmp_t:dir search;
- ifdef(`xdm.te', `
- allow $1_ssh_t { xdm_xserver_tmp_t xdm_tmp_t }:dir search;
- allow $1_ssh_t { xdm_tmp_t }:sock_file write;
- ')
- ')dnl end if xserver
+ # Connect to X server
+ x_client_domain($1_ssh, $1)
#allow ssh to access keys stored on removable media
# Should we have a boolean around this?
files_search_mnt($1_ssh_t)
r_dir_file($1_ssh_t, removable_t)
- ifdef(`xdm.te', `
- # should be able to remove these two later
- allow $1_ssh_t xdm_xserver_tmp_t:sock_file { read write };
- allow $1_ssh_t xdm_xserver_tmp_t:dir search;
- allow $1_ssh_t xdm_xserver_t:unix_stream_socket connectto;
- allow $1_ssh_t xdm_xserver_t:shm r_shm_perms;
- allow $1_ssh_t xdm_xserver_t:fd use;
- allow $1_ssh_t xdm_xserver_tmpfs_t:file read;
- allow $1_ssh_t xdm_t:fd use;
- ')dnl end if xdm.te
+ type $1_ssh_keysign_t, domain, nscd_client_domain;
+ role $1_r types $1_ssh_keysign_t;
+
+ if (allow_ssh_keysign) {
+ domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t)
+ allow $1_ssh_keysign_t sshd_key_t:file { getattr read };
+ allow $1_ssh_keysign_t self:capability { setgid setuid };
+ allow $1_ssh_keysign_t urandom_device_t:chr_file r_file_perms;
+ uses_shlib($1_ssh_keysign_t)
+ dontaudit $1_ssh_keysign_t selinux_config_t:dir search;
+ dontaudit $1_ssh_keysign_t proc_t:dir search;
+ dontaudit $1_ssh_keysign_t proc_t:{ lnk_file file } { getattr read };
+ allow $1_ssh_keysign_t usr_t:dir search;
+ allow $1_ssh_keysign_t etc_t:file { getattr read };
+ allow $1_ssh_keysign_t self:dir search;
+ allow $1_ssh_keysign_t self:file { getattr read };
+ allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
+ }
+
') dnl endif TODO
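Review bot: The new `$1_ssh_keysign_t` domain and the `allow_ssh_keysign` conditional are placed inside `ifdef(`TODO')`, so none of it is compiled; if it is a port in progress a comment should say so. When it is ported it needs attention: the domain reads the host private keys (`sshd_key_t:file { getattr read }`) while holding setuid/setgid, so document it (`# ssh-keysign: setuid helper that signs host-based auth challenges with the host key`); the `allow_ssh_keysign` boolean must be declared in ssh.te (not visible here); and `type $1_ssh_keysign_t, domain, nscd_client_domain;` should go through the refpolicy interfaces (domain_type, nscd_use_socket) like the rest of this template instead of raw attributes. The enclosing template continues past the hunk.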
##############################
@@ -301,7 +301,7 @@ template(`ssh_per_userdomain_template',`
miscfiles_read_localization($1_ssh_agent_t)
- seutil_dontaudit_search_config($1_ssh_agent_t)
+ seutil_dontaudit_read_config($1_ssh_agent_t)
# Write to the user domain tty.
userdom_use_user_terminals($1,$1_ssh_agent_t)
@@ -325,14 +325,14 @@ template(`ssh_per_userdomain_template',`
')
optional_policy(`xdm.te', `
- xdm_use_fd($1_ssh_agent_t)
- xdm_rw_pipe($1_ssh_agent_t)
-
# KDM:
- xdm_sigchld($1_ssh_agent_t)
+ #xdm_sigchld($1_ssh_agent_t)
')
ifdef(`TODO',`
+ ifdef(`xdm.te',`
+ can_pipe_xdm($1_ssh_agent_t)
+ ')
# allow ps to show ssh
can_ps($1_t, $1_ssh_agent_t)
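Review bot: After removing `xdm_use_fd`/`xdm_rw_pipe` and commenting out `xdm_sigchld`, the `optional_policy(`xdm.te',` block holds only a `# KDM:` comment and a disabled call, so it now does nothing; either delete it or replace its body with `# TODO: xdm fd/pipe/sigchld access pending can_pipe_xdm port`. The replacement `can_pipe_xdm($1_ssh_agent_t)` is added inside `ifdef(`TODO')` and is not compiled, so an ssh-agent started from xdm/KDM loses the fd and pipe access this commit removes unless something outside this diff supplies it.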
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 7a126cc..3bfa449 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -47,12 +47,14 @@ template(`authlogin_per_userdomain_template',`
role $3 types $1_chkpwd_t;
role $3 types system_chkpwd_t;
- allow $1_chkpwd_t self:capability setuid;
+ allow $1_chkpwd_t self:capability { audit_write audit_control setuid };
allow $1_chkpwd_t self:process getattr;
files_list_etc($1_chkpwd_t)
allow $1_chkpwd_t shadow_t:file { getattr read };
+ allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
# Transition from the user domain to this domain.
domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
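Review bot: The audit grants are split across the wrong subjects: `$1_chkpwd_t` receives `audit_write audit_control` but no netlink_audit_socket rule, while the calling user domain `$2` receives `netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }` but no audit capability. Sending AUDIT_USER records needs both on the same domain (the auth_domtrans_chk_passwd hunk later in this file does give both to `$1`), so as written neither side can complete the send. Presumably the helper is the intended sender: `allow $1_chkpwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };`. Separately, `audit_control` (enable/disable auditing, rewrite audit rules) is more than a password checker should hold; `audit_write` alone covers user messages unless unix_chkpwd is shown to set loginuid.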
@@ -64,6 +66,9 @@ template(`authlogin_per_userdomain_template',`
# is_selinux_enabled
kernel_read_system_state($1_chkpwd_t)
+ dev_read_rand($1_chkpwd_t)
+ dev_read_urand($1_chkpwd_t)
+
fs_dontaudit_getattr_xattr_fs($1_chkpwd_t)
domain_use_wide_inherit_fd($1_chkpwd_t)
@@ -82,6 +87,7 @@ template(`authlogin_per_userdomain_template',`
seutil_read_config($1_chkpwd_t)
sysnet_dns_name_resolve($1_chkpwd_t)
+ sysnet_use_ldap($1_chkpwd_t)
# Write to the user domain tty.
userdom_use_user_terminals($1,$1_chkpwd_t)
@@ -93,17 +99,6 @@ template(`authlogin_per_userdomain_template',`
kerberos_use($1_chkpwd_t)
')
- optional_policy(`ldap.te',`
- allow $1_chkpwd_t self:tcp_socket create_socket_perms;
- corenet_tcp_sendrecv_all_if($1_chkpwd_t)
- corenet_raw_sendrecv_all_if($1_chkpwd_t)
- corenet_tcp_sendrecv_all_nodes($1_chkpwd_t)
- corenet_raw_sendrecv_all_nodes($1_chkpwd_t)
- corenet_tcp_sendrecv_ldap_port($1_chkpwd_t)
- corenet_tcp_bind_all_nodes($1_chkpwd_t)
- sysnet_read_config($1_chkpwd_t)
- ')
-
optional_policy(`nis.te',`
nis_use_ypbind($1_chkpwd_t)
')
@@ -115,6 +110,12 @@ template(`authlogin_per_userdomain_template',`
optional_policy(`selinuxutil.te',`
seutil_use_newrole_fd($1_chkpwd_t)
')
+
+ ifdef(`TODO',`
+ can_winbind($1)
+ r_dir_file($1, cert_t)
+ dontaudit $1 shadow_t:file { getattr read };
+ ')
')
########################################
@@ -221,6 +222,9 @@ interface(`auth_domtrans_chk_passwd',`
corecmd_search_sbin($1)
domain_auto_trans($1,chkpwd_exec_t,system_chkpwd_t)
+ allow $1 self:capability { audit_write audit_control };
+ allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
allow $1 system_chkpwd_t:fd use;
allow system_chkpwd_t $1:fd use;
allow system_chkpwd_t $1:fifo_file rw_file_perms;
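Review bot: `allow $1 self:capability { audit_write audit_control };` hands CAP_AUDIT_CONTROL to every domain that authenticates through auth_domtrans_chk_passwd (login, sshd, xdm, screen lockers, ...), and that capability permits disabling auditing and rewriting audit rules. Only `audit_write` is required to relay AUDIT_USER messages via `nlmsg_relay`; reduce this to `allow $1 self:capability audit_write;` and let the few callers that set loginuid add `audit_control` themselves with a comment explaining why. The interface body continues past the hunk.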
@@ -228,26 +232,25 @@ interface(`auth_domtrans_chk_passwd',`
dontaudit $1 shadow_t:file { getattr read };
+ dev_read_rand($1)
+ dev_read_urand($1)
+
sysnet_dns_name_resolve($1)
+ sysnet_use_ldap($1)
optional_policy(`kerberos.te',`
kerberos_use($1)
')
- optional_policy(`ldap.te',`
- allow $1 self:tcp_socket create_socket_perms;
- corenet_tcp_sendrecv_all_if($1)
- corenet_raw_sendrecv_all_if($1)
- corenet_tcp_sendrecv_all_nodes($1)
- corenet_raw_sendrecv_all_nodes($1)
- corenet_tcp_sendrecv_ldap_port($1)
- corenet_tcp_bind_all_nodes($1)
- sysnet_read_config($1)
- ')
-
optional_policy(`nis.te',`
nis_use_ypbind($1)
')
+
+ ifdef(`TODO',`
+ can_winbind($1)
+ r_dir_file($1, cert_t)
+ dontaudit $1 shadow_t:file { getattr read };
+ ')
')
########################################
diff --git a/refpolicy/policy/modules/system/corecommands.fc b/refpolicy/policy/modules/system/corecommands.fc
index 5df4a0f..850b48d 100644
--- a/refpolicy/policy/modules/system/corecommands.fc
+++ b/refpolicy/policy/modules/system/corecommands.fc
@@ -46,11 +46,11 @@ ifdef(`targeted_policy',`
#
# /opt
#
-/opt/.*/bin(/.*)? context_template(system_u:object_r:bin_t,s0)
+/opt/(.*)?/bin(/.*)? context_template(system_u:object_r:bin_t,s0)
-/opt/.*/libexec(/.*)? context_template(system_u:object_r:bin_t,s0)
+/opt/(.*)?/libexec(/.*)? context_template(system_u:object_r:bin_t,s0)
-/opt/.*/sbin(/.*)? context_template(system_u:object_r:sbin_t,s0)
+/opt/(.*)?/sbin(/.*)? context_template(system_u:object_r:sbin_t,s0)
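Review bot: `/opt/(.*)?/bin(/.*)?` matches exactly the same paths as the old `/opt/.*/bin(/.*)?`: `.*` already matches the empty string and both forms still require a slash after `/opt`, so the rewrite is a no-op and still does not cover `/opt/bin` itself if that was the goal. If the intent is to label both `/opt/bin` and `/opt/<pkg>/bin`, the pattern should be `/opt(/.*)?/bin(/.*)?` (likewise for libexec and sbin); otherwise revert to the simpler original. The same construct appears in the files.fc hunk of this commit.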
#
# /usr
@@ -70,23 +70,20 @@ ifdef(`distro_suse', `
')
/usr/lib(64)?/sftp-server -- context_template(system_u:object_r:bin_t,s0)
-
/usr/lib(64)?/emacsen-common/.* context_template(system_u:object_r:bin_t,s0)
-
/usr/lib(64)?/ipsec/.* -- context_template(system_u:object_r:sbin_t,s0)
-
/usr/lib(64)?/misc/sftp-server -- context_template(system_u:object_r:bin_t,s0)
-
/usr/lib(64)?/news/bin(/.*)? context_template(system_u:object_r:bin_t,s0)
ifdef(`distro_suse', `
/usr/lib(64)?/ssh/.* -- context_template(system_u:object_r:bin_t,s0)
')
-/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- context_template(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- context_template(system_u:object_r:bin_t,s0)
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- context_template(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/[^/]*thunderbird[^/]*/run-mozilla\.sh -- context_template(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/[^/]*thunderbird[^/]*/mozilla-xremote-client -- context_template(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- context_template(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/[^/]*/run-mozilla\.sh -- context_template(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/[^/]*/mozilla-xremote-client -- context_template(system_u:object_r:bin_t,s0)
/usr/libexec(/.*)? context_template(system_u:object_r:bin_t,s0)
/usr/libexec/openssh/sftp-server -- context_template(system_u:object_r:bin_t,s0)
@@ -97,8 +94,8 @@ ifdef(`distro_suse', `
/usr/share/gnucash/finance-quote-check -- context_template(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- context_template(system_u:object_r:bin_t,s0)
-
/usr/share/mc/extfs/.* -- context_template(system_u:object_r:bin_t,s0)
+/usr/share/turboprint/lib(/.*)? -- context_template(system_u:object_r:bin_t,s0)
#
# /var
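Review bot: `/usr/share/turboprint/lib(/.*)? -- context_template(system_u:object_r:bin_t,s0)` pairs a pattern that can match the directory itself with the `--` regular-file restriction, so the `lib` directory is never relabeled and only the files beneath it become bin_t. The other recursive bin_t specs in this file, such as `/usr/libexec(/.*)?` a few lines up, carry no file-type modifier; either drop the `--` so the directory is labeled too, or write `/usr/share/turboprint/lib/.* --` to make the files-only intent explicit. A one-line comment on why a directory named `lib` holds executables rather than libraries would also help the next reader.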
diff --git a/refpolicy/policy/modules/system/files.fc b/refpolicy/policy/modules/system/files.fc
index 970538e..6d1fd77 100644
--- a/refpolicy/policy/modules/system/files.fc
+++ b/refpolicy/policy/modules/system/files.fc
@@ -19,8 +19,8 @@ ifdef(`distro_redhat',`
# /boot
#
/boot/\.journal <<none>>
-
-/boot/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
+/boot/lost\+found -d context_template(system_u:object_r:lost_found_t,s0)
+/boot/lost\+found/.* <<none>>
#
# /etc
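Review bot: The new `/boot/lost\+found/.* <<none>>` line changes what a relabel does to recovered inodes and deserves a comment, since the same pair is repeated for every filesystem in this file. `<<none>>` tells setfiles/restorecon not to touch matching paths, so a file fsck re-links into lost+found keeps whatever context it carried (a recovered shadow_t or etc_t file is not downgraded to lost_found_t), while only the directory is now pinned with `-d`. Suggested comment above the pair: `# Only the directory is labeled; files fsck places here keep their original context (<<none>>) so restorecon does not rewrite it.`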
@@ -66,7 +66,8 @@ ifdef(`distro_gentoo', `
# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd
HOME_ROOT -d context_template(system_u:object_r:home_root_t,s0)
HOME_ROOT/\.journal <<none>>
-HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
+HOME_ROOT/lost\+found -d context_template(system_u:object_r:lost_found_t,s0)
+HOME_ROOT/lost\+found/.* <<none>>
#
# /initrd
@@ -77,7 +78,8 @@ HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
#
# /lost+found
#
-/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
+/lost\+found -d context_template(system_u:object_r:lost_found_t,s0)
+/lost\+found/.* <<none>>
#
# /media
@@ -98,7 +100,7 @@ HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
#
/opt(/.*)? context_template(system_u:object_r:usr_t,s0)
-/opt/.*/var/lib(64)?(/.*)? context_template(system_u:object_r:var_lib_t,s0)
+/opt/(.*)?/var/lib(64)?(/.*)? context_template(system_u:object_r:var_lib_t,s0)
#
# /proc
@@ -111,6 +113,11 @@ HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
/selinux(/.*)? <<none>>
#
+# /srv
+#
+/srv(/.*)? context_template(system_u:object_r:var_t,s0)
+
+#
# /sys
#
/sys(/.*)? <<none>>
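Review bot: `/srv(/.*)? context_template(system_u:object_r:var_t,s0)` gives the whole /srv tree the generic var_t label, so service content placed there is only as protected as any other var_t file unless a more specific entry exists, and this commit adds exactly one such entry (the rsync share in miscfiles.fc). A comment stating that var_t is only the fallback would stop readers from assuming /srv content is confined per service, e.g. `# generic fallback; each service storing content under /srv needs its own, more specific, entry`.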
@@ -122,7 +129,8 @@ HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
/tmp/.* <<none>>
/tmp/\.journal <<none>>
-/tmp/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
+/tmp/lost\+found -d context_template(system_u:object_r:lost_found_t,s0)
+/tmp/lost\+found/.* <<none>>
#
# /usr
@@ -130,8 +138,6 @@ HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
/usr(/.*)? context_template(system_u:object_r:usr_t,s0)
/usr/\.journal <<none>>
-/usr/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
-
/usr/etc(/.*)? context_template(system_u:object_r:etc_t,s0)
/usr/inclu.e(/.*)? context_template(system_u:object_r:usr_t,s0)
@@ -140,10 +146,14 @@ HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
/usr/local/etc(/.*)? context_template(system_u:object_r:etc_t,s0)
-/usr/local/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
+/usr/local/lost\+found -d context_template(system_u:object_r:lost_found_t,s0)
+/usr/local/lost\+found/.* <<none>>
/usr/local/src(/.*)? context_template(system_u:object_r:src_t,s0)
+/usr/lost\+found -d context_template(system_u:object_r:lost_found_t,s0)
+/usr/lost\+found/.* <<none>>
+
/usr/share(/.*)?/lib(64)?(/.*)? context_template(system_u:object_r:usr_t,s0)
/usr/src(/.*)? context_template(system_u:object_r:src_t,s0)
@@ -167,7 +177,8 @@ HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
/var/lock(/.*)? context_template(system_u:object_r:var_lock_t,s0)
-/var/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
+/var/lost\+found -d context_template(system_u:object_r:lost_found_t,s0)
+/var/lost\+found/.* <<none>>
/var/run(/.*)? context_template(system_u:object_r:var_run_t,s0)
/var/run/.*\.*pid <<none>>
@@ -176,5 +187,6 @@ HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
/var/tmp -d context_template(system_u:object_r:tmp_t,s0)
/var/tmp/.* <<none>>
-
+/var/tmp/lost\+found -d context_template(system_u:object_r:lost_found_t,s0)
+/var/tmp/lost\+found/.* <<none>>
/var/tmp/vi\.recover -d context_template(system_u:object_r:tmp_t,s0)
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index a31f3e8..df31a4e 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -73,15 +73,21 @@ interface(`files_pid_file',`
')
########################################
-#
-# files_tmp_file(type)
-#
+## <summary>
+## Make the specified type a file
+## used for temporary files.
+## </summary>
+## <param name="file_type">
+## Type of the file to be used as a
+## temporary file.
+## </param>
interface(`files_tmp_file',`
gen_require(`
attribute tmpfile;
')
files_type($1)
+ fs_associate_tmpfs($1)
typeattribute $1 tmpfile;
')
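Review bot: The new `fs_associate_tmpfs($1)` call changes the interface's contract, but the freshly written `<summary>` does not mention it, so a caller reading the docs will not learn that every tmp file type now also gets tmpfs association (and that files.if now depends on the filesystem module's interface). Extend the summary with a sentence such as `## The type is also allowed to be associated with tmpfs, so temporary files may live on a tmpfs-backed /tmp.` The same addition is made to logging_log_file in this commit, so the wording can be shared.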
diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc
index d4dc4d4..2730a5e 100644
--- a/refpolicy/policy/modules/system/libraries.fc
+++ b/refpolicy/policy/modules/system/libraries.fc
@@ -15,8 +15,8 @@
#
# /opt
#
-/opt/.*/lib(64)?(/.*)? context_template(system_u:object_r:lib_t,s0)
-/opt/.*/lib(64)?/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:shlib_t,s0)
+/opt/(.*)?/lib(64)?(/.*)? context_template(system_u:object_r:lib_t,s0)
+/opt/(.*)?/lib(64)?/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:shlib_t,s0)
#
# /sbin
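Review bot: `/opt/(.*)?/lib(64)?(/.*)?` still requires a path component between `/opt/` and `/lib`, because an empty match of the optional group leaves `/opt//lib`; a top-level `/opt/lib` or `/opt/lib64` keeps the usr_t fallback from files.fc. The strict types.fc hunk in this commit writes these as `/opt(/.*)?/lib(64)?(/.*)?`, which matches both forms; use it on both lines here, so the shared-object line reads `/opt(/.*)?/lib(64)?/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:shlib_t,s0)`.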
@@ -26,6 +26,10 @@
#
# /usr
#
+/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
+
+/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
+
/usr(/.*)?/HelixPlayer/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
/usr(/.*)?/java/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
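Review bot: `/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)*` has a `/` where `\.` was intended: as written it matches a file literally named `.so` inside a directory called `libGL` or `libGLcore`, and never `/usr/lib/libGL.so.1` or `libGLcore.so.1`. Those libraries therefore keep the generic shlib_t label instead of texrel_shlib_t, and whatever text-relocation access texrel_shlib_t is meant to grant is not applied to them. Change the line to `/usr/lib(64)?/libGL(core)?\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)`; the identical typo is in strict/file_contexts/types.fc in this commit.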
@@ -41,6 +45,10 @@
/usr/lib/win32/.* -- context_template(system_u:object_r:shlib_t,s0)
+/usr/(local/)?lib/wine/.*\.so -- context_template(system_u:object_r:texrel_shlib_t,s0)
+/usr/(local/)?lib/libfame-.*\.so.* -- context_template(system_u:object_r:texrel_shlib_t,s0)
+/usr/local/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:shlib_t,s0)
+
/usr/X11R6/lib/libGL\.so.* -- context_template(system_u:object_r:texrel_shlib_t,s0)
/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- context_template(system_u:object_r:texrel_shlib_t,s0)
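Review bot: `/usr/(local/)?lib/wine/.*\.so` matches only names ending in exactly `.so`; versioned names such as `libfoo.so.1` fall through to the generic rules, whereas the neighbouring `libfame-.*\.so.*` and this file's usual `\.so(\.[^/]*)*` form cover them. If wine's libraries need text relocations, its versioned ones presumably do too, so write `/usr/(local/)?lib/wine/.*\.so(\.[^/]*)* --`. Also `/usr/local/.*\.so(\.[^/]*)*` now gives shlib_t to any `.so` anywhere under /usr/local, not only under a lib directory; that may be intended for prefix installs, but a short comment saying so would keep it from being "fixed" later.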
diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if
index 5098be3..e642dba 100644
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@@ -1,8 +1,13 @@
## <summary>Policy for the kernel message logger and system logging daemon.</summary>
#######################################
-#
-# logging_log_file(domain)
+## <summary>
+## Make the specified type a file
+## used for logs.
+## </summary>
+## <param name="file_type">
+## Type of the file to be used as a log.
+## </param>
#
interface(`logging_log_file',`
gen_require(`
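Review bot: A bare `#` line remains between the new `## <param>` block and `interface(`logging_log_file',`, whereas the equivalent edit to files_tmp_file in this commit places the doc block directly above the interface line. If the refpolicy doc extractor requires the `##` comment to be adjacent to the interface, this description will be dropped; remove the stray `#` line. The summary should also mention the `fs_associate_tmpfs($1)` this commit adds to the interface body, e.g. `## The type is also allowed to associate with tmpfs.`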
@@ -10,6 +15,7 @@ interface(`logging_log_file',`
')
files_type($1)
+ fs_associate_tmpfs($1)
typeattribute $1 logfile;
')
diff --git a/refpolicy/policy/modules/system/lvm.fc b/refpolicy/policy/modules/system/lvm.fc
index f23a4f1..5b41740 100644
--- a/refpolicy/policy/modules/system/lvm.fc
+++ b/refpolicy/policy/modules/system/lvm.fc
@@ -8,23 +8,18 @@
#
/etc/lvm(/.*)? context_template(system_u:object_r:lvm_etc_t,s0)
/etc/lvm/\.cache -- context_template(system_u:object_r:lvm_metadata_t,s0)
-
/etc/lvm/archive(/.*)? context_template(system_u:object_r:lvm_metadata_t,s0)
-
/etc/lvm/backup(/.*)? context_template(system_u:object_r:lvm_metadata_t,s0)
-
/etc/lvm/lock(/.*)? context_template(system_u:object_r:lvm_lock_t,s0)
/etc/lvmtab(/.*)? context_template(system_u:object_r:lvm_metadata_t,s0)
-
/etc/lvmtab\.d(/.*)? context_template(system_u:object_r:lvm_metadata_t,s0)
#
# /lib
#
-/lib/lvm-10(/.*) -- context_template(system_u:object_r:lvm_exec_t,s0)
-
-/lib/lvm-200(/.*) -- context_template(system_u:object_r:lvm_exec_t,s0)
+/lib/lvm-10/.* -- context_template(system_u:object_r:lvm_exec_t,s0)
+/lib/lvm-200/.* -- context_template(system_u:object_r:lvm_exec_t,s0)
#
# /sbin
@@ -50,6 +45,7 @@
/sbin/lvresize -- context_template(system_u:object_r:lvm_exec_t,s0)
/sbin/lvs -- context_template(system_u:object_r:lvm_exec_t,s0)
/sbin/lvscan -- context_template(system_u:object_r:lvm_exec_t,s0)
+/sbin/multipathd -- context_template(system_u:object_r:lvm_exec_t,s0)
/sbin/pvchange -- context_template(system_u:object_r:lvm_exec_t,s0)
/sbin/pvcreate -- context_template(system_u:object_r:lvm_exec_t,s0)
/sbin/pvdata -- context_template(system_u:object_r:lvm_exec_t,s0)
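Review bot: `/sbin/multipathd -- context_template(system_u:object_r:lvm_exec_t,s0)` runs the multipath daemon in lvm_t, the domain whose policy in this same file is introduced as needing DAC override and mknod for rewriting /dev entries, while clvmd gets its own clvmd_t in this commit. A long-running, init-started daemon sharing an administrative tool's domain inherits every permission lvm_t needs only for the duration of a command. If multipathd cannot get its own domain yet, put a comment next to this line explaining the choice, e.g. `# multipathd runs in lvm_t for now; it presumably needs the same device-mapper access as the lvm tools`.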
@@ -82,9 +78,12 @@
#
# /usr
#
+/usr/sbin/clvmd -- context_template(system_u:object_r:clvmd_exec_t,s0)
/usr/sbin/lvm -- context_template(system_u:object_r:lvm_exec_t,s0)
#
# /var
#
/var/lock/lvm(/.*)? context_template(system_u:object_r:lvm_lock_t,s0)
+
+/var/cache/multipathd(/.*)? context_template(system_u:object_r:lvm_metadata_t,s0)
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index db203f9..f16a8bf 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -6,6 +6,13 @@ policy_module(lvm,1.0)
# Declarations
#
+type clvmd_t;
+type clvmd_exec_t;
+init_daemon_domain(clvmd_t,clvmd_exec_t)
+
+type clvmd_var_run_t;
+files_pid_file(clvmd_var_run_t)
+
type lvm_t;
type lvm_exec_t;
init_system_domain(lvm_t,lvm_exec_t)
@@ -28,7 +35,91 @@ files_tmp_file(lvm_tmp_t)
########################################
#
-# Local policy
+# Cluster LVM daemon local policy
+#
+
+dontaudit clvmd_t self:capability sys_tty_config;
+allow clvmd_t self:socket create_socket_perms;
+allow clvmd_t self:fifo_file { read write };
+allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow clvmd_t self:tcp_socket create_stream_socket_perms;
+allow clvmd_t self:udp_socket create_socket_perms;
+
+allow clvmd_t clvmd_var_run_t:file create_file_perms;
+allow clvmd_t clvmd_var_run_t:dir rw_dir_perms;
+files_create_pid(clvmd_t,clvmd_var_run_t)
+
+kernel_read_kernel_sysctl(clvmd_t)
+kernel_list_proc(clvmd_t)
+kernel_read_proc_symlinks(clvmd_t)
+
+corenet_tcp_sendrecv_all_if(clvmd_t)
+corenet_udp_sendrecv_all_if(clvmd_t)
+corenet_raw_sendrecv_all_if(clvmd_t)
+corenet_tcp_sendrecv_all_nodes(clvmd_t)
+corenet_udp_sendrecv_all_nodes(clvmd_t)
+corenet_raw_sendrecv_all_nodes(clvmd_t)
+corenet_tcp_sendrecv_all_ports(clvmd_t)
+corenet_udp_sendrecv_all_ports(clvmd_t)
+corenet_tcp_bind_all_nodes(clvmd_t)
+corenet_udp_bind_all_nodes(clvmd_t)
+corenet_tcp_bind_reserved_port(clvmd_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(clvmd_t)
+
+dev_read_sysfs(clvmd_t)
+
+fs_getattr_all_fs(clvmd_t)
+fs_search_auto_mountpoints(clvmd_t)
+
+term_dontaudit_use_console(clvmd_t)
+
+domain_use_wide_inherit_fd(clvmd_t)
+
+init_use_fd(clvmd_t)
+init_use_script_pty(clvmd_t)
+
+libs_use_ld_so(clvmd_t)
+libs_use_shared_libs(clvmd_t)
+
+logging_send_syslog_msg(clvmd_t)
+
+miscfiles_read_localization(clvmd_t)
+
+seutil_dontaudit_search_config(clvmd_t)
+seutil_sigchld_newrole(clvmd_t)
+
+sysnet_read_config(clvmd_t)
+
+userdom_dontaudit_use_unpriv_user_fd(clvmd_t)
+userdom_dontaudit_search_sysadm_home_dir(clvmd_t)
+
+ifdef(`targeted_policy', `
+ term_dontaudit_use_unallocated_tty(clvmd_t)
+ term_dontaudit_use_generic_pty(clvmd_t)
+ files_dontaudit_read_root_file(clvmd_t)
+')
+
+optional_policy(`mount.te',`
+ mount_send_nfs_client_request(clvmd_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(clvmd_t)
+')
+
+optional_policy(`udev.te', `
+ udev_read_db(clvmd_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(clvmd_t)
+')
+') dnl end TODO
+
+########################################
+#
+# LVM Local policy
#
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
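Review bot: `corenet_tcp_bind_reserved_port(clvmd_t)` lets the daemon bind a port below 1024, but the only capability rule in this block is `dontaudit clvmd_t self:capability sys_tty_config;`; the kernel also requires `net_bind_service` for such a bind, and the strict-policy clvmd in this same commit grants it explicitly. Add `allow clvmd_t self:capability net_bind_service;` beside the existing capability line. Two smaller points: the `corenet_raw_sendrecv_all_*` calls have no matching `self:rawip_socket` allow, so they are either dead or incomplete, and `corenet_tcp_sendrecv_all_ports` plus any reserved port is broader than a daemon with a fixed listening port needs — a dedicated port type would be tighter if the port is known.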
@@ -167,13 +258,10 @@ optional_policy(`udev.te', `
')
ifdef(`TODO',`
-
optional_policy(`gnome-pty-helper.te', `
allow lvm_t sysadm_gph_t:fd use;
')
-
optional_policy(`rhgb.te',`
rhgb_domain(lvm_t)
')
-
') dnl end TODO
diff --git a/refpolicy/policy/modules/system/miscfiles.fc b/refpolicy/policy/modules/system/miscfiles.fc
index bcd4720..770a32d 100644
--- a/refpolicy/policy/modules/system/miscfiles.fc
+++ b/refpolicy/policy/modules/system/miscfiles.fc
@@ -1,13 +1,15 @@
-
#
# /etc
#
/etc/localtime -- context_template(system_u:object_r:locale_t,s0)
+/etc/pki(/.*)? context_template(system_u:object_r:cert_t,s0)
#
# /opt
#
-/opt/.*/man(/.*)? context_template(system_u:object_r:man_t,s0)
+/opt/(.*)?/man(/.*)? context_template(system_u:object_r:man_t,s0)
+
+/srv/([^/]*/)?rsync(/.*)? context_template(system_u:object_r:ftpd_anon_t,s0)
#
# /usr
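Review bot: `/etc/pki(/.*)? context_template(system_u:object_r:cert_t,s0)` labels the whole tree, and on layouts where /etc/pki also holds private keys (for example `private` directories under /etc/pki/tls or CA directories) those keys would carry the public-certificate label and be readable by every domain permitted to read cert_t. If that applies here, add a more specific entry for the key directories with a non-cert type, or at least a comment warning that cert_t must not cover key material. The `/srv/([^/]*/)?rsync(/.*)?` ftpd_anon_t entry also lands in miscfiles.fc while the strict tree puts it in rsync.fc; keeping it with the rsync module would be more consistent.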
diff --git a/refpolicy/policy/modules/system/miscfiles.te b/refpolicy/policy/modules/system/miscfiles.te
index 9b9ab9a..535e1af 100644
--- a/refpolicy/policy/modules/system/miscfiles.te
+++ b/refpolicy/policy/modules/system/miscfiles.te
@@ -25,6 +25,9 @@ files_type(fonts_t)
type ftpd_anon_t; #, customizable;
files_type(ftpd_anon_t)
+type ftpd_anon_rw_t; #, customizable;
+files_type(ftpd_anon_rw_t)
+
#
# type for /tmp/.ICE-unix
#
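Review bot: The new `ftpd_anon_rw_t` is declared, but no file context entry or interface in this commit uses it, and the `#, customizable;` remark is copied from ftpd_anon_t without a word on what the type is for. Add a comment above the declaration, e.g. `# anonymous ftp/rsync area that may also be written to (uploads); no path is labeled with it by default`, and confirm that the interfaces granting write access to it exist elsewhere — a writable anonymous type with no declared users is easy to misuse later.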
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index f55425c..cc19cb5 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -181,8 +181,7 @@ userdom_use_all_user_fd(load_policy_t)
# Newrole local policy
#
-allow newrole_t self:capability { setuid setgid net_bind_service dac_override };
-
+allow newrole_t self:capability { fowner setuid setgid dac_override };
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow newrole_t self:process setexec;
allow newrole_t self:fd use;
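Review bot: `allow newrole_t self:capability { fowner setuid setgid dac_override };` adds CAP_FOWNER, which lets newrole change modes and other owner-restricted attributes on files it does not own, with no comment on why a role-change tool needs it; dropping `net_bind_service` on the same line is clearly right. Since dac_override is already present, fowner presumably covers a chmod or relabel of the terminal being handed to the new role rather than plain file access — state the specific operation, e.g. `# fowner: chmod/relabel of the tty handed over to the new role (confirm)`, so the capability is not cargo-culted onward.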
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 488bb20..85a7b4d 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -41,10 +41,12 @@ template(`base_user_template',`
# type for contents of home directory
type $1_home_t, $1_file_type, home_type;
files_type($1_home_t)
+ fs_associate_tmpfs($1_home_t)
# type of home directory
type $1_home_dir_t, home_dir_type, home_type;
files_type($1_home_dir_t)
+ fs_associate_tmpfs($1_home_dir_t)
type $1_tmp_t, $1_file_type;
files_tmp_file($1_tmp_t)
diff --git a/refpolicy/policy/support/misc_macros.spt b/refpolicy/policy/support/misc_macros.spt
index 4dafb20..2c869d3 100644
--- a/refpolicy/policy/support/misc_macros.spt
+++ b/refpolicy/policy/support/misc_macros.spt
@@ -13,19 +13,14 @@ define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
########################################
#
-# gen_user(username, role_set, mls_defaultlevel, mls_range)
+# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])
#
-define(`gen_user',`
-user $1 roles { $2 } ifdef(`enable_mls', `level $3 range $4');
-')
+define(`gen_user',`user $1 roles { $2 }`'ifdef(`enable_mls', ` level $3 range $4')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$5',,,` - s0:$5')');')
########################################
#
# gen_con(context,mls_sensitivity,[mcs_categories])
#
-# MLS: Optionally put the sensitivity for the file
-# MCS: Optionally put the categories of the file
-#
define(`context_template',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')') dnl
########################################
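Review bot: The new one-line `gen_user` emits a `level ... range ...` clause under `enable_mls` and another under `enable_mcs`, so a build with both symbols defined would produce two clauses in one user statement; if the two are mutually exclusive by construction, say so in a comment. The explanatory lines removed from the following header (`# MLS: Optionally put the sensitivity...`, `# MCS: Optionally put the categories...`) were the only description of the optional arguments, and that header still names the macro `gen_con` while the definition is `context_template`; restore the two lines and correct it to `# context_template(context,mls_sensitivity,[mcs_categories])`. The usage comment should also note that `mls_defaultlevel` is ignored under MCS, where `level s0` is hard-coded.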
diff --git a/refpolicy/policy/systemuser b/refpolicy/policy/systemuser
index ff30b50..35499f8 100644
--- a/refpolicy/policy/systemuser
+++ b/refpolicy/policy/systemuser
@@ -4,11 +4,8 @@
#
#
-# gen_user(username, role_set, mls_defaultlevel, mls_range)
+# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])
#
-define(`gen_user',`
-user $1 roles { $2 } ifdef(`enable_mls', `level $3 range $4');
-')
#
# system_u is the user identity for system processes and objects.
@@ -16,7 +13,7 @@ user $1 roles { $2 } ifdef(`enable_mls', `level $3 range $4');
# and a user process should never be assigned the system user
# identity.
#
-gen_user(system_u, system_r, s0, s0 - s9:c0.c127)
+gen_user(system_u, system_r, s0, s0 - s9:c0.c127, c0.c127)
# Normal users should not be added to this file,
# but instead added to the users file.
diff --git a/refpolicy/policy/users b/refpolicy/policy/users
index 517c9e3..88a516e 100644
--- a/refpolicy/policy/users
+++ b/refpolicy/policy/users
@@ -5,7 +5,7 @@
#
#
-# gen_user(username, role_set, mls_defaultlevel, mls_range)
+# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
#
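Review bot: The usage comment reads `[mcs_catetories]` while the same comment in misc_macros.spt and systemuser in this commit spells it `[mcs_categories]`; fix the typo so the three copies agree: `# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])`.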
@@ -29,11 +29,11 @@ gen_user(user_u, user_r, s0, s0 - s9:c0.c127)
# not in the sysadm_r.
#
ifdef(`targeted_policy',`
- gen_user(root, user_r sysadm_r system_r, s0, s0 - s9:c0.c127)
+ gen_user(root, user_r sysadm_r system_r, s0, s0 - s9:c0.c127, c0.c127)
',`
ifdef(`direct_sysadm_daemon',`
- gen_user(root, sysadm_r staff_r system_r, s0, s0 - s9:c0.c127)
+ gen_user(root, sysadm_r staff_r system_r, s0, s0 - s9:c0.c127, c0.c127)
',`
- gen_user(root, sysadm_r staff_r, s0, s0 - s9:c0.c127)
+ gen_user(root, sysadm_r staff_r, s0, s0 - s9:c0.c127, c0.c127)
')
')
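Review bot: Root now receives `c0.c127` in all three branches, while the `gen_user(user_u, user_r, s0, s0 - s9:c0.c127)` call in the context above is left without the new fifth argument, so under MCS user_u ends up with `range s0` only. That asymmetry looks deliberate (unprivileged users should not span every category) but nothing says so; add a comment above the user_u line such as `# user_u gets no MCS categories; only root and system_u span c0.c127`.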
diff --git a/strict/assert.te b/strict/assert.te
index f8b76c8..02b2878 100644
--- a/strict/assert.te
+++ b/strict/assert.te
@@ -30,58 +30,52 @@ neverallow domain ~domain:process { transition dyntransition };
# Verify that only the insmod_t and kernel_t domains
# have the sys_module capability.
#
-neverallow {domain -unrestricted -insmod_t -kernel_t ifdef(`howl.te', `-howl_t') } self:capability sys_module;
+neverallow {domain -privsysmod -unrestricted } self:capability sys_module;
#
# Verify that executable types, the system dynamic loaders, and the
# system shared libraries can only be modified by administrators.
#
-neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin} { exec_type ld_so_t shlib_t }:file { write append unlink rename };
-neverallow {domain ifdef(`ldconfig.te', `-ldconfig_t') -change_context -admin } { exec_type ld_so_t shlib_t }:file relabelto;
+neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { exec_type ld_so_t shlib_t }:file { write append unlink rename };
+neverallow {domain ifdef(`ldconfig.te', `-ldconfig_t') -change_context -admin -unrestricted } { exec_type ld_so_t shlib_t }:file relabelto;
#
# Verify that only appropriate domains can access /etc/shadow
-neverallow { domain -auth -auth_write } shadow_t:file ~getattr;
-neverallow { domain -auth_write } shadow_t:file ~r_file_perms;
+neverallow { domain -auth_bool -auth -auth_write -unrestricted } shadow_t:file ~getattr;
+neverallow { domain -auth_write -unrestricted } shadow_t:file ~r_file_perms;
#
# Verify that only appropriate domains can write to /etc (IE mess with
# /etc/passwd)
-neverallow {domain -auth_write -etc_writer } etc_t:dir ~rw_dir_perms;
-neverallow {domain -auth_write -etc_writer } etc_t:lnk_file ~r_file_perms;
-neverallow {domain -auth_write -etc_writer } etc_t:file ~{ execute_no_trans rx_file_perms };
+neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:dir ~rw_dir_perms;
+neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:lnk_file ~r_file_perms;
+neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:file ~{ execute_no_trans rx_file_perms };
#
# Verify that other system software can only be modified by administrators.
#
-neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin } { lib_t bin_t sbin_t }:dir { add_name remove_name rename };
-neverallow { domain -kernel_t -admin } { lib_t bin_t sbin_t }:file { write append unlink rename };
+neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { lib_t bin_t sbin_t }:dir { add_name remove_name rename };
+neverallow { domain -kernel_t -admin -unrestricted } { lib_t bin_t sbin_t }:file { write append unlink rename };
#
# Verify that only certain domains have access to the raw disk devices.
#
-neverallow { domain -fs_domain } fixed_disk_device_t:devfile_class_set { read write append };
+neverallow { domain -fs_domain -unrestricted } fixed_disk_device_t:devfile_class_set { read write append };
#
# Verify that only the X server and klogd have access to memory devices.
#
-neverallow { domain -privmem } memory_device_t:devfile_class_set { read write append };
+neverallow { domain -privmem -unrestricted } memory_device_t:devfile_class_set { read write append };
#
# Verify that only domains with the privlog attribute can actually syslog
#
-neverallow { domain -unrestricted -privlog } devlog_t:sock_file { read write append };
+neverallow { domain -privlog -unrestricted } devlog_t:sock_file { read write append };
#
# Verify that /proc/kmsg is only accessible to klogd.
#
-ifdef(`klogd.te', `
-neverallow {domain -unrestricted -klogd_t } proc_kmsg_t:file ~stat_file_perms;
-', `
-ifdef(`syslogd.te', `
-neverallow {domain -unrestricted -syslogd_t } proc_kmsg_t:file ~stat_file_perms;
-')dnl end if syslogd
-')dnl end if klogd
+neverallow {domain -privkmsg -unrestricted } proc_kmsg_t:file ~stat_file_perms;
#
# Verify that /proc/kcore is inaccessible.
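Review bot: Every assertion in this hunk gains `-unrestricted`, so a domain that is accidentally given the `unrestricted` attribute is no longer caught by any of the shadow_t, etc_t, exec_type, raw-disk or memory-device checks; a comment at the top of the block stating that `unrestricted` is exempt by design, and which domains carry it, would make that trade-off explicit. Separately, the rewritten sys_module and /proc/kmsg assertions now rely on `privsysmod` and `privkmsg`, but the attrib.te hunk in this commit declares only auth_bool, secadmin and the poly* attributes; unless those two are declared and assigned elsewhere (to insmod_t, kernel_t, howl_t, klogd_t/syslogd_t), the build fails or the assertions reject those domains. Please confirm the declarations exist and that howl_t still gets sys_module via privsysmod as the old ifdef allowed.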
@@ -93,14 +87,14 @@ neverallow { domain -unrestricted } proc_kcore_t:file ~stat_file_perms;
# Verify that sysctl variables are only changeable
# by initrc and administrators.
#
-neverallow { domain -initrc_t -admin -kernel_t -insmod_t } sysctl_t:file { write append };
-neverallow { domain -initrc_t -admin } sysctl_fs_t:file { write append };
-neverallow { domain -admin -sysctl_kernel_writer } sysctl_kernel_t:file { write append };
-neverallow { domain -initrc_t -admin -sysctl_net_writer } sysctl_net_t:file { write append };
-neverallow { domain -initrc_t -admin } sysctl_net_unix_t:file { write append };
-neverallow { domain -initrc_t -admin } sysctl_vm_t:file { write append };
-neverallow { domain -initrc_t -admin } sysctl_dev_t:file { write append };
-neverallow { domain -initrc_t -admin } sysctl_modprobe_t:file { write append };
+neverallow { domain -initrc_t -admin -kernel_t -insmod_t -unrestricted } sysctl_t:file { write append };
+neverallow { domain -initrc_t -admin -unrestricted } sysctl_fs_t:file { write append };
+neverallow { domain -admin -sysctl_kernel_writer -unrestricted } sysctl_kernel_t:file { write append };
+neverallow { domain -initrc_t -admin -sysctl_net_writer -unrestricted } sysctl_net_t:file { write append };
+neverallow { domain -initrc_t -admin -unrestricted } sysctl_net_unix_t:file { write append };
+neverallow { domain -initrc_t -admin -unrestricted } sysctl_vm_t:file { write append };
+neverallow { domain -initrc_t -admin -unrestricted } sysctl_dev_t:file { write append };
+neverallow { domain -initrc_t -admin -unrestricted } sysctl_modprobe_t:file { write append };
#
# Verify that certain domains are limited to only being
@@ -146,13 +140,13 @@ neverallow { passwd_t sysadm_passwd_t } ~{ bin_t sbin_t shell_exec_t ld_so_t }:f
#
# Verify that only the admin domains and initrc_t have setenforce.
#
-neverallow { domain -admin -initrc_t } security_t:security setenforce;
+neverallow { domain -secadmin -initrc_t -unrestricted } security_t:security setenforce;
#
# Verify that only the kernel and load_policy_t have load_policy.
#
-neverallow { domain -unrestricted -kernel_t -load_policy_t } security_t:security load_policy;
+neverallow { domain -kernel_t -load_policy_t -unrestricted } security_t:security load_policy;
#
# for gross mistakes in policy
diff --git a/strict/attrib.te b/strict/attrib.te
index 9648dcf..b5e4d8b 100644
--- a/strict/attrib.te
+++ b/strict/attrib.te
@@ -141,6 +141,10 @@ attribute privhome;
# to read /etc/shadow, and grants the permission.
attribute auth;
+# The auth_bool attribute identifies every domain that can
+# read /etc/shadow if its boolean is set;
+attribute auth_bool;
+
# The auth_write attribute identifies every domain that can have write or
# relabel access to /etc/shadow, but does not grant it.
attribute auth_write;
@@ -180,6 +184,12 @@ attribute sysctl_type;
# XXX used in different assertions within assert.te.
attribute admin;
+# The secadmin attribute identifies every security administrator domain.
+# It is used in TE assertions when verifying that only administrator
+# domains have certain permissions.
+# This attribute is presently associated with sysadm_t and secadm_t
+attribute secadmin;
+
# The userdomain attribute identifies every user domain, presently
# user_t and sysadm_t. It is used in TE rules that should be applied
# to all user domains.
@@ -454,3 +464,18 @@ attribute transitionbool;
# of the file system.
attribute customizable;
+##############################
+# Attributes for polyinstatiation support:
+#
+
+# For labeling types that are to be polyinstantiated
+attribute polydir;
+
+# And for labeling the parent directories of those polyinstantiated directories
+# This is necessary for remounting the original in the parent to give
+# security aware apps access
+attribute polyparent;
+
+# And labeling for the member directories
+attribute polymember;
+
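Review bot: The section header says `Attributes for polyinstatiation support` — should be `polyinstantiation` — and the three comments describe labeling but not which rules consume the attributes, which matters because `polyparent` is tied to a remount that exposes the original directory to security-aware applications. Nothing in this commit references polydir, polyparent or polymember; name the consuming rules or module in the header, e.g. `# Attributes for polyinstantiation support (consumed by the per-user directory remount rules in <module>)`, so the attributes are not left looking unused.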
diff --git a/strict/domains/program/lvm.te b/strict/domains/program/lvm.te
index 7ed0722..b3df265 100644
--- a/strict/domains/program/lvm.te
+++ b/strict/domains/program/lvm.te
@@ -121,3 +121,16 @@ r_dir_file(lvm_t, selinux_config_t)
# it has no reason to need this
dontaudit lvm_t proc_kcore_t:file getattr;
+
+# cluster LVM daemon
+daemon_domain(clvmd)
+can_network(clvmd_t)
+can_ypbind(clvmd_t)
+allow clvmd_t self:capability net_bind_service;
+allow clvmd_t self:socket create_socket_perms;
+allow clvmd_t self:fifo_file { read write };
+allow clvmd_t self:file { getattr read };
+allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow clvmd_t reserved_port_t:tcp_socket name_bind;
+dontaudit clvmd_t reserved_port_type:tcp_socket name_bind;
+dontaudit clvmd_t selinux_config_t:dir search;
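Review bot: `allow clvmd_t reserved_port_t:tcp_socket name_bind;` together with `can_network(clvmd_t)` lets the daemon bind any unassigned reserved port and talk on every interface, which is more than a service with a fixed listening port needs; a dedicated `clvmd_port_t` declared as `port_type, reserved_port_type` (the way snmpd.te declared `snmp_port_t` before this commit) would confine the bind to that port. The following `dontaudit clvmd_t reserved_port_type:tcp_socket name_bind;` then silences the probing on other ports, which is fine once the allow is narrowed. If clvmd's port is configurable and not known here, a comment saying why the generic reserved_port_t is used would help.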
diff --git a/strict/domains/program/snmpd.te b/strict/domains/program/snmpd.te
index 5b794ed..9e86c4b 100644
--- a/strict/domains/program/snmpd.te
+++ b/strict/domains/program/snmpd.te
@@ -8,7 +8,7 @@
#
# Rules for the snmpd_t domain.
#
-daemon_domain(snmpd)
+daemon_domain(snmpd, `, nscd_client_domain')
#temp
allow snmpd_t var_t:dir getattr;
@@ -16,17 +16,14 @@ allow snmpd_t var_t:dir getattr;
can_network_server(snmpd_t)
can_ypbind(snmpd_t)
-type snmp_port_t, port_type, reserved_port_type;
allow snmpd_t snmp_port_t:{ udp_socket tcp_socket } name_bind;
etc_domain(snmpd)
-typealias snmpd_etc_t alias etc_snmpd_t;
# for the .index file
var_lib_domain(snmpd)
file_type_auto_trans(snmpd_t, var_t, snmpd_var_lib_t, dir)
file_type_auto_trans(snmpd_t, { usr_t var_t }, snmpd_var_lib_t, file)
-typealias snmpd_var_lib_t alias snmpd_var_rw_t;
log_domain(snmpd)
# for /usr/share/snmp/mibs
@@ -39,13 +36,15 @@ allow snmpd_t self:unix_dgram_socket create_socket_perms;
allow snmpd_t self:unix_stream_socket create_socket_perms;
allow snmpd_t etc_t:lnk_file read;
allow snmpd_t { etc_t etc_runtime_t }:file r_file_perms;
-allow snmpd_t urandom_device_t:chr_file read;
+allow snmpd_t { random_device_t urandom_device_t }:chr_file { getattr read };
allow snmpd_t self:capability { dac_override kill net_bind_service net_admin sys_nice sys_tty_config };
allow snmpd_t proc_t:dir search;
allow snmpd_t proc_t:file r_file_perms;
allow snmpd_t self:file { getattr read };
-allow snmpd_t self:fifo_file { read write };
+allow snmpd_t self:fifo_file rw_file_perms;
+allow snmpd_t { bin_t sbin_t }:dir search;
+can_exec(snmpd_t, { bin_t sbin_t shell_exec_t })
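Review bot: `can_exec(snmpd_t, { bin_t sbin_t shell_exec_t })` lets the SNMP daemon run any system binary or shell without a domain transition, so whatever it spawns (net-snmp's `exec`/`extend` configuration directives are the likely reason) inherits snmpd_t's `dac_override kill net_admin sys_nice` capabilities and its network-facing exposure. If this exists for `extend`, consider gating it behind a boolean, or at minimum document it: `# for net-snmp exec/extend directives: scripts run in snmpd_t with its full capability set`. The `{ random_device_t urandom_device_t }` and fifo changes above look fine.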
ifdef(`distro_redhat', `
ifdef(`rpm.te', `
@@ -61,6 +60,9 @@ dontaudit snmpd_t initrc_var_run_t:file write;
dontaudit snmpd_t rpc_pipefs_t:dir getattr;
allow snmpd_t rpc_pipefs_t:dir getattr;
read_sysctl(snmpd_t)
+allow snmpd_t sysctl_net_t:dir search;
+allow snmpd_t sysctl_net_t:file { getattr read };
+
dontaudit snmpd_t { removable_device_t fixed_disk_device_t }:blk_file { getattr ioctl read };
allow snmpd_t sysfs_t:dir { getattr read search };
ifdef(`amanda.te', `
@@ -75,6 +77,7 @@ allow snmpd_t var_lib_nfs_t:dir search;
allow snmpd_t proc_net_t:dir search;
allow snmpd_t proc_net_t:file r_file_perms;
-dontaudit snmpd_t domain:dir { getattr search };
+allow snmpd_t domain:dir { getattr search };
+allow snmpd_t domain:file { getattr read };
dontaudit snmpd_t selinux_config_t:dir search;
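Review bot: Turning `dontaudit snmpd_t domain:dir { getattr search }` into an allow and adding `allow snmpd_t domain:file { getattr read };` lets snmpd read every process's /proc/<pid> files, which are labeled with the process's domain and include `environ`, `maps` and `cmdline` as well as `status`; other daemons' environments can carry credentials. SELinux cannot tell those apart from `stat`/`status` inside one domain, so if the goal is the process table (presumably for the host-resources MIB), either document the exposure with a comment such as `# reads /proc/<pid> of all domains for process listing; this includes environ/maps`, or gate the two rules behind a boolean so hosts that do not need process listing do not grant it.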
diff --git a/strict/file_contexts/program/kerberos.fc b/strict/file_contexts/program/kerberos.fc
index 06adff4..050ecb3 100644
--- a/strict/file_contexts/program/kerberos.fc
+++ b/strict/file_contexts/program/kerberos.fc
@@ -9,3 +9,12 @@
/var/log/krb5kdc\.log system_u:object_r:krb5kdc_log_t
/var/log/kadmind\.log system_u:object_r:kadmind_log_t
/usr(/local)?/bin/ksu -- system_u:object_r:su_exec_t
+
+# gentoo file locations
+/usr/sbin/krb5kdc -- system_u:object_r:krb5kdc_exec_t
+/usr/sbin/kadmind -- system_u:object_r:kadmind_exec_t
+/etc/krb5kdc(/.*)? system_u:object_r:krb5kdc_conf_t
+/etc/krb5kdc/principal.* system_u:object_r:krb5kdc_principal_t
+/etc/krb5kdc/kadm5.keytab -- system_u:object_r:krb5_keytab_t
+/var/log/kadmin.log -- system_u:object_r:kadmind_log_t
+
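Review bot: In the new gentoo entries `kadm5.keytab` and `kadmin.log` leave the dot unescaped, unlike `krb5kdc\.log` and `kadmind\.log` just above, so `kadm5Xkeytab` would also receive krb5_keytab_t; write `/etc/krb5kdc/kadm5\.keytab` and `/var/log/kadmin\.log`. `principal.*` is presumably meant to cover `principal`, `principal.ok`, `principal.kadm5` and so on, which the unescaped form does; adding `--` to that line would keep it from relabeling a directory with the same prefix if that is not intended.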
diff --git a/strict/file_contexts/program/lvm.fc b/strict/file_contexts/program/lvm.fc
index e74e2c5..648beb0 100644
--- a/strict/file_contexts/program/lvm.fc
+++ b/strict/file_contexts/program/lvm.fc
@@ -13,8 +13,8 @@
/var/lock/lvm(/.*)? system_u:object_r:lvm_lock_t
/dev/lvm -c system_u:object_r:fixed_disk_device_t
/dev/mapper/control -c system_u:object_r:lvm_control_t
-/lib/lvm-10(/.*) -- system_u:object_r:lvm_exec_t
-/lib/lvm-200(/.*) -- system_u:object_r:lvm_exec_t
+/lib/lvm-10/.* -- system_u:object_r:lvm_exec_t
+/lib/lvm-200/.* -- system_u:object_r:lvm_exec_t
/sbin/e2fsadm -- system_u:object_r:lvm_exec_t
/sbin/lvchange -- system_u:object_r:lvm_exec_t
/sbin/lvcreate -- system_u:object_r:lvm_exec_t
@@ -64,3 +64,6 @@
/sbin/pvremove -- system_u:object_r:lvm_exec_t
/sbin/pvs -- system_u:object_r:lvm_exec_t
/sbin/vgs -- system_u:object_r:lvm_exec_t
+/sbin/multipathd -- system_u:object_r:lvm_exec_t
+/var/cache/multipathd(/.*)? system_u:object_r:lvm_metadata_t
+/usr/sbin/clvmd -- system_u:object_r:clvmd_exec_t
diff --git a/strict/file_contexts/program/rsync.fc b/strict/file_contexts/program/rsync.fc
index f4539f1..a146940 100644
--- a/strict/file_contexts/program/rsync.fc
+++ b/strict/file_contexts/program/rsync.fc
@@ -1,2 +1,3 @@
# rsync program
/usr/bin/rsync -- system_u:object_r:rsync_exec_t
+/srv/([^/]*/)?rsync(/.*)? system_u:object_r:ftpd_anon_t
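Review bot: `/srv/([^/]*/)?rsync(/.*)? system_u:object_r:ftpd_anon_t` reuses the anonymous-ftp type for rsync modules, so on a host running both services every rsync share is readable by ftpd and vice versa, and the `ftpd_anon_rw_t` added to miscfiles.te in this commit suggests a writable variant will follow. A comment stating that the sharing is intentional, e.g. `# rsync modules use the anonymous ftp type: content is deliberately public and shared with ftpd`, would stop this from being treated as a mislabel. Note that refpolicy's copy of this line went into miscfiles.fc rather than the rsync module.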
diff --git a/strict/file_contexts/types.fc b/strict/file_contexts/types.fc
index 33816d9..b712037 100644
--- a/strict/file_contexts/types.fc
+++ b/strict/file_contexts/types.fc
@@ -261,13 +261,13 @@ ifdef(`distro_suse', `
# /opt
#
/opt(/.*)? system_u:object_r:usr_t
-/opt/.*/lib(64)?(/.*)? system_u:object_r:lib_t
-/opt/.*/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
-/opt/.*/libexec(/.*)? system_u:object_r:bin_t
-/opt/.*/bin(/.*)? system_u:object_r:bin_t
-/opt/.*/sbin(/.*)? system_u:object_r:sbin_t
-/opt/.*/man(/.*)? system_u:object_r:man_t
-/opt/.*/var/lib(64)?(/.*)? system_u:object_r:var_lib_t
+/opt(/.*)?/lib(64)?(/.*)? system_u:object_r:lib_t
+/opt(/.*)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+/opt(/.*)?/libexec(/.*)? system_u:object_r:bin_t
+/opt(/.*)?/bin(/.*)? system_u:object_r:bin_t
+/opt(/.*)?/sbin(/.*)? system_u:object_r:sbin_t
+/opt(/.*)?/man(/.*)? system_u:object_r:man_t
+/opt(/.*)?/var/lib(64)?(/.*)? system_u:object_r:var_lib_t
#
# /etc
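Review bot: `/opt(/.*)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t` drops the `lib(64)?` component the old line had, so any `.so` anywhere under /opt — a plugin directory, a bundled build tree, a test fixture — now becomes a system shared-library type loadable by every domain that may use shlib_t, while the refpolicy counterpart in this commit keeps `/opt/(.*)?/lib(64)?/.*\.so`. Unless the broadening is deliberate, restore the restriction: `/opt(/.*)?/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t`. The other `/opt(/.*)?/...` rewrites are correct and, unlike refpolicy's `/opt/(.*)?/` form, also match `/opt/bin` and `/opt/lib` directly.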
@@ -359,7 +359,9 @@ ifdef(`distro_gentoo', `
# nvidia share libraries
/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
+/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
/usr(/.*)?/nvidia/.*\.so(\..*)? -- system_u:object_r:texrel_shlib_t
+/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- system_u:object_r:texrel_shlib_t
# libGL
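Review bot: `/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)*` has `/` where `\.` was meant, so it only matches a file named `.so` inside a `libGL` or `libGLcore` directory and never the `libGL.so.*`/`libGLcore.so.*` libraries this nvidia section is about; they stay at the default shlib_t and whatever text-relocation access texrel_shlib_t confers is not granted. Fix: `/usr/lib(64)?/libGL(core)?\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t`. The same line was added to refpolicy's libraries.fc in this commit with the same typo.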
@@ -385,6 +387,10 @@ ifdef(`distro_gentoo', `
/usr/local/etc(/.*)? system_u:object_r:etc_t
/usr/local/src(/.*)? system_u:object_r:src_t
/usr/local/man(/.*)? system_u:object_r:man_t
+/usr/local/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+/usr/(local/)?lib/wine/.*\.so -- system_u:object_r:texrel_shlib_t
+/usr/(local/)?lib/libfame-.*\.so.* -- system_u:object_r:texrel_shlib_t
+
#
# /usr/X11R6/man
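Review bot: `/usr/(local/)?lib/wine/.*\.so -- system_u:object_r:texrel_shlib_t` grants the text-relocation type (execmod) but, unlike the libfame line under it and the other texrel entries, has no versioned-suffix pattern, so `libfoo.so.1` style names in the wine directory are missed; make it `/usr/(local/)?lib/wine/.*\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t`. The `/usr/local/.*\.so(\.[^/]*)*` line labels any `.so` anywhere under /usr/local, including /usr/local/src and share trees; if that widening is intended say so in a comment, otherwise scope it to `/usr/local/lib`.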
@@ -442,13 +448,22 @@ HOME_ROOT/\.journal <<none>>
#
# Lost and found directories.
#
-/lost\+found(/.*)? system_u:object_r:lost_found_t
-/usr/lost\+found(/.*)? system_u:object_r:lost_found_t
-/boot/lost\+found(/.*)? system_u:object_r:lost_found_t
-HOME_ROOT/lost\+found(/.*)? system_u:object_r:lost_found_t
-/var/lost\+found(/.*)? system_u:object_r:lost_found_t
-/tmp/lost\+found(/.*)? system_u:object_r:lost_found_t
-/usr/local/lost\+found(/.*)? system_u:object_r:lost_found_t
+/lost\+found -d system_u:object_r:lost_found_t
+/lost\+found/.* <<none>>
+/usr/lost\+found -d system_u:object_r:lost_found_t
+/usr/lost\+found/.* <<none>>
+/boot/lost\+found -d system_u:object_r:lost_found_t
+/boot/lost\+found/.* <<none>>
+HOME_ROOT/lost\+found -d system_u:object_r:lost_found_t
+HOME_ROOT/lost\+found/.* <<none>>
+/var/lost\+found -d system_u:object_r:lost_found_t
+/var/lost\+found/.* <<none>>
+/tmp/lost\+found -d system_u:object_r:lost_found_t
+/tmp/lost\+found/.* <<none>>
+/var/tmp/lost\+found -d system_u:object_r:lost_found_t
+/var/tmp/lost\+found/.* <<none>>
+/usr/local/lost\+found -d system_u:object_r:lost_found_t
+/usr/local/lost\+found/.* <<none>>
#
# system localization
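Review bot: The switch from `(/.*)?` to `-d` plus `/.* <<none>>` changes what a relabel does and the comment at the head of the block should say so: only the directory itself is labelled lost_found_t, and inodes fsck drops into it keep whatever label they already carry, so a restorecon never converts, say, a recovered shadow_t file into a sysadm-readable lost_found_t one. Suggest adding `# Only the directory is labelled; recovered inodes keep their existing labels (<<none>>)` under `# Lost and found directories.`. The `HOME_ROOT` form relies on an m4 substitution defined outside this hunk.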
@@ -458,6 +473,7 @@ HOME_ROOT/lost\+found(/.*)? system_u:object_r:lost_found_t
/usr/lib/locale(/.*)? system_u:object_r:locale_t
/etc/localtime -- system_u:object_r:locale_t
/etc/localtime -l system_u:object_r:etc_t
+/etc/pki(/.*)? system_u:object_r:cert_t
#
# Gnu Cash
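Review bot: `/etc/pki(/.*)? system_u:object_r:cert_t` labels the whole tree, which on Fedora also holds private keys (for example the TLS private directory), with the type used for public certificates; if cert_t is readable by the many domains that need CA bundles, as its name suggests, this exposes server private keys to all of them. Consider leaving the private-key subdirectory on etc_t (or a dedicated type) with an entry placed after the cert_t rule, and add a comment stating that cert_t is for public material only. cert_t's access rules are not in this diff, so please confirm how widely it is readable.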
@@ -466,6 +482,11 @@ HOME_ROOT/lost\+found(/.*)? system_u:object_r:lost_found_t
/usr/share/gnucash/finance-quote-helper -- system_u:object_r:bin_t
#
+# Turboprint
+#
+/usr/share/turboprint/lib(/.*)? -- system_u:object_r:bin_t
+
+#
# initrd mount point, only used during boot
#
/initrd -d system_u:object_r:root_t
@@ -481,5 +502,12 @@ HOME_ROOT/lost\+found(/.*)? system_u:object_r:lost_found_t
#
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- system_u:object_r:bin_t
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- system_u:object_r:bin_t
-/usr/lib(64)?/[^/]*thunderbird[^/]*/run-mozilla\.sh -- system_u:object_r:bin_t
-/usr/lib(64)?/[^/]*thunderbird[^/]*/mozilla-xremote-client -- system_u:object_r:bin_t
+/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- system_u:object_r:bin_t
+/usr/lib(64)?/[^/]*/run-mozilla\.sh -- system_u:object_r:bin_t
+/usr/lib(64)?/[^/]*/mozilla-xremote-client -- system_u:object_r:bin_t
+
+#
+# /srv
+#
+/srv(/.*)? system_u:object_r:var_t
+
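Review bot: `/srv(/.*)? system_u:object_r:var_t` overlaps the `/srv/([^/]*/)?rsync(/.*)?` ftpd_anon_t entry added to rsync.fc in this same commit, and which one applies depends on the order the file_contexts fragments are concatenated, since the later matching regex wins; if types.fc ends up after program/rsync.fc the rsync exports silently become var_t. Please confirm the assembly order or move the rsync entry into this file directly below the /srv line. Separately, `/usr/lib(64)?/[^/]*/run-mozilla\.sh` and the xremote-client line now match any single directory under /usr/lib rather than the thunderbird one; presumably intentional to cover other mozilla-based apps, and a comment such as `# run-mozilla.sh ships with every mozilla-based application` would make that clear.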
diff --git a/strict/macros/program/chkpwd_macros.te b/strict/macros/program/chkpwd_macros.te
index 806a9cd..34f1948 100644
--- a/strict/macros/program/chkpwd_macros.te
+++ b/strict/macros/program/chkpwd_macros.te
@@ -17,30 +17,25 @@ define(`chkpwd_domain',`
# Derived domain based on the calling user domain and the program.
type $1_chkpwd_t, domain, privlog, nscd_client_domain, auth;
+role $1_r types $1_chkpwd_t;
+
# is_selinux_enabled
allow $1_chkpwd_t proc_t:file read;
+
can_getcon($1_chkpwd_t)
-can_ypbind($1_chkpwd_t)
-can_kerberos($1_chkpwd_t)
-can_ldap($1_chkpwd_t)
-can_resolve($1_chkpwd_t)
-# Transition from the user domain to this domain.
+authentication_domain($1_chkpwd_t)
+
ifelse($1, system, `
domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
-role system_r types system_chkpwd_t;
-dontaudit auth_chkpwd shadow_t:file { getattr read };
allow auth_chkpwd sbin_t:dir search;
-dontaudit $1_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
-can_ypbind(auth_chkpwd)
-can_kerberos(auth_chkpwd)
-can_ldap(auth_chkpwd)
-can_resolve(auth_chkpwd)
+allow auth_chkpwd self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
+authentication_domain(auth_chkpwd)
', `
domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
allow $1_t sbin_t:dir search;
-
-# The user role is authorized for this domain.
-role $1_r types $1_chkpwd_t;
+allow $1_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
# Write to the user domain tty.
access_terminal($1_chkpwd_t, $1)
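Review bot: In the non-system branch, `allow $1_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };` is granted to the calling user domain ($1_t, e.g. user_t) rather than to the derived `$1_chkpwd_t`, so every process in that user domain may now open an audit netlink socket and relay user-space audit records, while the system branch keeps the equivalent rule on auth_chkpwd. Unless the user domain itself is the process emitting the PAM audit messages, this should be `allow $1_chkpwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };`. If $1_t genuinely needs it, a comment naming the PAM caller that requires it would stop the next reviewer from removing it. The macro definition continues beyond the end of the hunk.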
diff --git a/strict/macros/program/crond_macros.te b/strict/macros/program/crond_macros.te
index 8cd7deb..5e61d7d 100644
--- a/strict/macros/program/crond_macros.te
+++ b/strict/macros/program/crond_macros.te
@@ -67,6 +67,7 @@ role $1_r types $1_crond_t;
# This domain is granted permissions common to most domains.
can_network($1_crond_t)
+allow $1_crond_t port_type:tcp_socket name_connect;
can_ypbind($1_crond_t)
r_dir_file($1_crond_t, self)
allow $1_crond_t self:fifo_file rw_file_perms;
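Review bot: `allow $1_crond_t port_type:tcp_socket name_connect;` grants user cron jobs the right to connect to every labelled TCP port, which discards the per-port granularity that name_connect exists to provide; can_network on the line above already covers socket creation. Prefer listing the port types cron jobs legitimately need, or, if the set is open-ended, put the blanket rule behind a boolean so sites can turn it off, as this commit already does for kerberos with a single `kerberos_port_t`. Either way a one-line comment stating why cron jobs need unrestricted outbound TCP would help.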
diff --git a/strict/macros/program/crontab_macros.te b/strict/macros/program/crontab_macros.te
index 352fbe9..50d5ee5 100644
--- a/strict/macros/program/crontab_macros.te
+++ b/strict/macros/program/crontab_macros.te
@@ -41,8 +41,6 @@ read_locale($1_crontab_t)
# Use capabilities dac_override is to create the file in the directory
# under /tmp
allow $1_crontab_t $1_crontab_t:capability { setuid setgid chown dac_override };
-dontaudit $1_crontab_t proc_t:dir search;
-dontaudit $1_crontab_t selinux_config_t:dir search;
# Type for temporary files.
file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file })
@@ -65,6 +63,11 @@ dontaudit $1_crontab_t crond_t:process signal;
# for the checks used by crontab -u
dontaudit $1_crontab_t security_t:dir search;
+allow $1_crontab_t proc_t:dir search;
+allow $1_crontab_t proc_t:{ file lnk_file } { getattr read };
+allow $1_crontab_t selinux_config_t:dir search;
+allow $1_crontab_t selinux_config_t:file { getattr read };
+dontaudit $1_crontab_t self:dir search;
# crontab signals crond by updating the mtime on the spooldir
allow $1_crontab_t cron_spool_t:dir setattr;
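Review bot: The block turning the earlier dontaudits into `allow $1_crontab_t proc_t:{ file lnk_file } { getattr read };` and `allow $1_crontab_t selinux_config_t:file { getattr read };` carries no comment on why silence became a grant; presumably libselinux's policy-root and enforcing-mode lookups used for the `crontab -u` checks mentioned above, but that should be stated, e.g. `# libselinux reads /proc/self/attr and /etc/selinux/config for the crontab -u checks`. The trailing `dontaudit $1_crontab_t self:dir search;` looks like part of the same /proc/self lookup; if the search is actually required for that path, make it an allow so it does not fail silently.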
diff --git a/strict/macros/program/dbusd_macros.te b/strict/macros/program/dbusd_macros.te
index c11784c..600ac41 100644
--- a/strict/macros/program/dbusd_macros.te
+++ b/strict/macros/program/dbusd_macros.te
@@ -30,17 +30,20 @@ r_dir_file($1_dbusd_t, etc_dbusd_t)
tmp_domain($1_dbusd)
allow $1_dbusd_t self:process fork;
ifdef(`xdm.te', `
-allow $1_dbusd_t xdm_t:fd use;
-allow $1_dbusd_t xdm_t:fifo_file write;
+can_pipe_xdm($1_dbusd_t)
')
allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
allow $1_dbusd_t urandom_device_t:chr_file { getattr read };
-allow $1_dbusd_t self:file { getattr read };
+allow $1_dbusd_t self:file { getattr read write };
allow $1_dbusd_t proc_t:file read;
+can_getsecurity($1_dbusd_t)
+r_dir_file($1_dbusd_t, default_context_t)
+allow system_dbusd_t self:netlink_selinux_socket create_socket_perms;
+
ifdef(`pamconsole.te', `
r_dir_file($1_dbusd_t, pam_var_console_t)
')
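Review bot: `allow system_dbusd_t self:netlink_selinux_socket create_socket_perms;` hard-codes system_dbusd_t inside a macro parameterised by `$1`, so every session-bus instantiation re-emits the same rule for the system bus while `$1_dbusd_t` never receives it, although `can_getsecurity($1_dbusd_t)` just above shows the session bus is also expected to consult the security server (the selinux netlink socket is how a daemon learns of policy reloads). It should read `allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;`. The added `write` in `allow $1_dbusd_t self:file { getattr read write };` also needs a comment naming which of the daemon's own /proc entries it writes, as I cannot infer that from the diff.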
diff --git a/strict/macros/program/gpg_agent_macros.te b/strict/macros/program/gpg_agent_macros.te
index 21a8768..f7ad8b0 100644
--- a/strict/macros/program/gpg_agent_macros.te
+++ b/strict/macros/program/gpg_agent_macros.te
@@ -22,7 +22,6 @@ domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)
role $1_r types $1_gpg_agent_t;
allow $1_gpg_agent_t privfd:fd use;
-allow $1_gpg_agent_t xdm_t:fd use;
# Write to the user domain tty.
access_terminal($1_gpg_agent_t, $1)
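Review bot: The removal of `allow $1_gpg_agent_t xdm_t:fd use;` has no replacement in this hunk, whereas the parallel edits to ssh_agent_macros.te and gpg_macros.te in this commit substitute `can_pipe_xdm(...)`; an agent started from the display manager's session inherits xdm's descriptors and will now produce denials or fail without it. If dropping the access is intentional, add a comment saying why gpg-agent differs from ssh-agent; otherwise add `can_pipe_xdm($1_gpg_agent_t)` under an `ifdef(`xdm.te'` guard as the other macros do.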
@@ -86,10 +85,9 @@ ifdef(`xdm.te', `
allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t)
-allow $1_gpg_pinentry_t xdm_t:fd use;
')dnl end ig xdm.te
-r_dir_file($1_gpg_pinentry_t, fonts_t)
+read_fonts($1_gpg_pinentry_t, $1)
# read kde font cache
allow $1_gpg_pinentry_t usr_t:file { getattr read };
diff --git a/strict/macros/program/gpg_macros.te b/strict/macros/program/gpg_macros.te
index 124d6e8..a836ed6 100644
--- a/strict/macros/program/gpg_macros.te
+++ b/strict/macros/program/gpg_macros.te
@@ -23,27 +23,15 @@ type $1_gpg_secret_t, file_type, $1_file_type, sysadmfile;
# Transition from the user domain to the derived domain.
domain_auto_trans($1_t, gpg_exec_t, $1_gpg_t)
+role $1_r types $1_gpg_t;
can_network($1_gpg_t)
+allow $1_gpg_t port_type:tcp_socket name_connect;
can_ypbind($1_gpg_t)
# for a bug in kmail
dontaudit $1_gpg_t $1_t:unix_stream_socket { getattr read write };
-# The user role is authorized for this domain.
-role $1_r types $1_gpg_t;
-
-# Legacy
-if (allow_gpg_execstack) {
-legacy_domain($1_gpg)
-allow $1_gpg_t locale_t:file execute;
-
-# Not quite sure why this is needed...
-allow $1_gpg_t gpg_exec_t:file execmod;
-}
-
-allow $1_t $1_gpg_secret_t:file getattr;
-
allow $1_gpg_t device_t:dir r_dir_perms;
allow $1_gpg_t { random_device_t urandom_device_t }:chr_file r_file_perms;
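Review bot: `allow $1_gpg_t port_type:tcp_socket name_connect;` together with the existing can_network gives the gpg domain itself unrestricted outbound TCP, yet keyserver traffic is handled by the separate `$1_gpg_helper_t` domain (the `# get keys from the network` block later in this file). If gpg proper does not need the network, drop both can_network and the name_connect here and keep network rights in the helper; if it does, restrict the connect to the keyserver port types rather than all of port_type. The deletion of the `allow_gpg_execstack` block silently removes a tunable and deserves a line in the commit message.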
@@ -60,45 +48,28 @@ allow $1_gpg_t { privfd $1_t }:fd use;
allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
# setrlimit is for ulimit -c 0
-allow $1_gpg_t self:process { setrlimit setcap };
+allow $1_gpg_t self:process { setrlimit setcap setpgid };
# allow ps to show gpg
can_ps($1_t, $1_gpg_t)
uses_shlib($1_gpg_t)
-# should not need read access...
-allow $1_gpg_t home_root_t:dir { read search };
-
-# use $1_gpg_secret_t for files it creates
-# NB we are doing the type transition for directory creation only!
-# so ~/.gnupg will be of $1_gpg_secret_t, then files created under it such as
-# secring.gpg will be of $1_gpg_secret_t too. But when you use gpg to decrypt
-# a file and write output to your home directory it will use user_home_t.
-file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_gpg_secret_t, dir)
+# Access .gnupg
rw_dir_create_file($1_gpg_t, $1_gpg_secret_t)
-file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_home_t, file)
-create_dir_file($1_gpg_t, $1_home_t)
-
-# allow the usual access to /tmp
-file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t)
+# Read content to encrypt/decrypt/sign
+read_content($1_gpg_t, $1)
-if (use_nfs_home_dirs) {
-create_dir_file($1_gpg_t, nfs_t)
-}
-if (use_samba_home_dirs) {
-create_dir_file($1_gpg_t, cifs_t)
-}
+# Write content to encrypt/decrypt/sign
+write_trusted($1_gpg_t, $1)
allow $1_gpg_t self:capability { ipc_lock setuid };
-rw_dir_create_file($1_gpg_t, $1_file_type)
allow $1_gpg_t { etc_t usr_t }:dir r_dir_perms;
allow $1_gpg_t fs_t:filesystem getattr;
allow $1_gpg_t usr_t:file r_file_perms;
read_locale($1_gpg_t)
-allow $1_t $1_gpg_secret_t:dir rw_dir_perms;
dontaudit $1_gpg_t var_t:dir search;
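Review bot: Dropping `file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_gpg_secret_t, dir)` means a freshly created ~/.gnupg no longer transitions to the protected `$1_gpg_secret_t`; unless the new `write_trusted($1_gpg_t, $1)` or a file-context entry outside this diff re-establishes that transition, the directory and the keyrings gpg writes into it inherit the home type and become readable by every program in the user domain. Please confirm the transition is supplied elsewhere, or keep the auto_trans line next to `rw_dir_create_file($1_gpg_t, $1_gpg_secret_t)`. The macro body continues past the hunk.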
@@ -130,6 +101,7 @@ allow $1_gpg_helper_t $1_t:fd use;
allow $1_gpg_helper_t $1_t:fifo_file write;
# get keys from the network
can_network_client($1_gpg_helper_t)
+allow $1_gpg_helper_t port_type:tcp_socket name_connect;
allow $1_gpg_helper_t etc_t:file { getattr read };
allow $1_gpg_helper_t urandom_device_t:chr_file read;
allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
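Review bot: `allow $1_gpg_helper_t port_type:tcp_socket name_connect;` lets the keyserver helper connect to any TCP port, although its only job per the `# get keys from the network` comment is keyserver retrieval; limit it to the keyserver-related port types the policy defines, the way the kerberos hunk in this commit uses `kerberos_port_t`. If a blanket rule is unavoidable because keyservers run on arbitrary ports, say so in a comment so it is not tightened by mistake later.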
@@ -137,8 +109,7 @@ allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
dontaudit $1_gpg_helper_t var_t:dir search;
ifdef(`xdm.te', `
-dontaudit $1_gpg_t xdm_t:fd use;
-dontaudit $1_gpg_t xdm_t:fifo_file read;
+can_pipe_xdm($1_gpg_t)
')
')dnl end gpg_domain definition
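Review bot: Replacing `dontaudit $1_gpg_t xdm_t:fd use;` and the fifo read with `can_pipe_xdm($1_gpg_t)` turns a suppressed denial into what is presumably a grant; the macro's definition is not in this diff, so I am inferring from its use for ssh-agent and dbus in the same commit. If gpg only needed the noise silenced, keeping the dontaudit is the least-privilege choice; if gpg launched from the session really reads xdm's pipe, a comment stating that would justify the upgrade.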
diff --git a/strict/macros/program/inetd_macros.te b/strict/macros/program/inetd_macros.te
index 1cdaa39..e5c4eed 100644
--- a/strict/macros/program/inetd_macros.te
+++ b/strict/macros/program/inetd_macros.te
@@ -56,7 +56,6 @@ allow $1_t self:dir search;
allow $1_t self:{ lnk_file file } { getattr read };
can_kerberos($1_t)
allow $1_t urandom_device_t:chr_file r_file_perms;
-type $1_port_t, port_type, reserved_port_type;
# Use sockets inherited from inetd.
ifelse($2, `', `
allow inetd_t $1_port_t:udp_socket name_bind;
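Review bot: `type $1_port_t, port_type, reserved_port_type;` is removed but `$1_port_t` is still used two lines later in `allow inetd_t $1_port_t:udp_socket name_bind;`, so the declaration must now exist elsewhere for every inetd child domain or the policy no longer builds, and nothing in this diff shows where it moved. Please confirm the relocated declaration still carries `reserved_port_type`, since that attribute decides which domains may bind the port. The macro continues beyond the hunk.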
diff --git a/strict/macros/program/kerberos_macros.te b/strict/macros/program/kerberos_macros.te
index 0be8bee..91850d3 100644
--- a/strict/macros/program/kerberos_macros.te
+++ b/strict/macros/program/kerberos_macros.te
@@ -2,6 +2,7 @@ define(`can_kerberos',`
ifdef(`kerberos.te',`
if (allow_kerberos) {
can_network_client($1, `kerberos_port_t')
+allow $1 kerberos_port_t:tcp_socket name_connect;
can_resolve($1)
}
') dnl kerberos.te
diff --git a/strict/macros/program/mta_macros.te b/strict/macros/program/mta_macros.te
index 6778d6e..cc73d63 100644
--- a/strict/macros/program/mta_macros.te
+++ b/strict/macros/program/mta_macros.te
@@ -34,6 +34,7 @@ role $1_r types $1_mail_t;
uses_shlib($1_mail_t)
can_network_client_tcp($1_mail_t)
+allow $1_mail_t port_type:tcp_socket name_connect;
can_resolve($1_mail_t)
can_ypbind($1_mail_t)
allow $1_mail_t self:unix_dgram_socket create_socket_perms;
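Review bot: `allow $1_mail_t port_type:tcp_socket name_connect;` gives the user mail-sending domain outbound TCP to every labelled port, although `can_network_client_tcp($1_mail_t)` on the previous line already handles socket creation; a user mailer needs at most the SMTP and submission port types. Scope the rule to those instead of all of port_type, as this commit does for kerberos with `kerberos_port_t`, or add a comment explaining why the mailer must reach arbitrary ports.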
diff --git a/strict/macros/program/newrole_macros.te b/strict/macros/program/newrole_macros.te
index b19e2de..c7a143e 100644
--- a/strict/macros/program/newrole_macros.te
+++ b/strict/macros/program/newrole_macros.te
@@ -49,7 +49,7 @@ can_setexec($1_t)
allow $1_t autofs_t:dir search;
# Use capabilities.
-allow $1_t self:capability { setuid setgid net_bind_service dac_override };
+allow $1_t self:capability { fowner setuid setgid net_bind_service dac_override };
# Read the devpts root directory.
allow $1_t devpts_t:dir r_dir_perms;
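Review bot: Adding `fowner` to `allow $1_t self:capability { fowner setuid setgid net_bind_service dac_override };` lets newrole bypass ownership checks (chmod, utime, flock overrides) on files it does not own, yet the only comment is the pre-existing `# Use capabilities.`. State the trigger, e.g. `# fowner: newrole chmods the tty it relabels before handing it to the new role`, if that is the code path, or drop it if it was added just to quiet an AVC without confirming what newrole does.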
@@ -60,8 +60,7 @@ r_dir_file($1_t, selinux_config_t)
allow $1_t etc_t:file r_file_perms;
# Read /var.
-allow $1_t var_t:dir r_dir_perms;
-allow $1_t var_t:notdevfile_class_set r_file_perms;
+r_dir_file($1_t, var_t)
# Read /dev directories and any symbolic links.
allow $1_t device_t:dir r_dir_perms;
diff --git a/strict/macros/program/ssh_agent_macros.te b/strict/macros/program/ssh_agent_macros.te
index 0accc1b..7215f5c 100644
--- a/strict/macros/program/ssh_agent_macros.te
+++ b/strict/macros/program/ssh_agent_macros.te
@@ -49,6 +49,7 @@ read_locale($1_ssh_agent_t)
allow $1_ssh_agent_t proc_t:dir search;
dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
dontaudit $1_ssh_agent_t selinux_config_t:dir search;
+dontaudit $1_ssh_agent_t selinux_config_t:file { read getattr };
read_sysctl($1_ssh_agent_t)
# Access the ssh temporary files. Should we have an own type here
@@ -62,7 +63,7 @@ allow $1_ssh_agent_t self:process { fork sigchld setrlimit };
allow $1_ssh_agent_t self:capability setgid;
# access the random devices
-allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file read;
+allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file { getattr read };
# for ssh-add
can_unix_connect($1_t, $1_ssh_agent_t)
@@ -89,8 +90,7 @@ allow $1_ssh_t $1_t:unix_stream_socket connectto;
allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;
ifdef(`xdm.te', `
-allow $1_ssh_agent_t xdm_t:fd use;
-allow $1_ssh_agent_t xdm_t:fifo_file { read write };
+can_pipe_xdm($1_ssh_agent_t)
# kdm: sigchld
allow $1_ssh_agent_t xdm_t:process sigchld;
diff --git a/strict/macros/program/ssh_macros.te b/strict/macros/program/ssh_macros.te
index 473b273..0f6549f 100644
--- a/strict/macros/program/ssh_macros.te
+++ b/strict/macros/program/ssh_macros.te
@@ -53,8 +53,7 @@ allow $1_ssh_t fs_type:filesystem getattr;
base_file_read_access($1_ssh_t)
# Read /var.
-allow $1_ssh_t var_t:dir r_dir_perms;
-allow $1_ssh_t var_t:notdevfile_class_set r_file_perms;
+r_dir_file($1_ssh_t, var_t)
# Read /var/run, /var/log.
allow $1_ssh_t var_run_t:dir r_dir_perms;
@@ -63,8 +62,7 @@ allow $1_ssh_t var_log_t:dir r_dir_perms;
allow $1_ssh_t var_log_t:{ file lnk_file } r_file_perms;
# Read /etc.
-allow $1_ssh_t etc_t:dir r_dir_perms;
-allow $1_ssh_t etc_t:notdevfile_class_set r_file_perms;
+r_dir_file($1_ssh_t, etc_t)
allow $1_ssh_t etc_runtime_t:{ file lnk_file } r_file_perms;
# Read /dev directories and any symbolic links.
@@ -80,6 +78,7 @@ allow $1_ssh_t { null_device_t zero_device_t }:chr_file rw_file_perms;
# Grant permissions needed to create TCP and UDP sockets and
# to access the network.
can_network_client_tcp($1_ssh_t)
+allow $1_ssh_t ssh_port_t:tcp_socket name_connect;
can_resolve($1_ssh_t)
can_ypbind($1_ssh_t)
can_kerberos($1_ssh_t)
@@ -130,18 +129,8 @@ allow $1_t $1_ssh_t:process signal;
# allow ps to show ssh
can_ps($1_t, $1_ssh_t)
-ifdef(`xserver.te', `
-# Communicate with the X server.
-ifdef(`startx.te', `
-can_unix_connect($1_ssh_t, $1_xserver_t)
-allow $1_ssh_t $1_xserver_tmp_t:sock_file rw_file_perms;
-allow $1_ssh_t $1_xserver_tmp_t:dir search;
-')dnl end if startx
-ifdef(`xdm.te', `
-allow $1_ssh_t { xdm_xserver_tmp_t xdm_tmp_t }:dir search;
-allow $1_ssh_t { xdm_tmp_t }:sock_file write;
-')
-')dnl end if xserver
+# Connect to X server
+x_client_domain($1_ssh, $1)
ifdef(`ssh-agent.te', `
ssh_agent_domain($1)
@@ -152,18 +141,26 @@ ssh_agent_domain($1)
allow $1_ssh_t mnt_t:dir search;
r_dir_file($1_ssh_t, removable_t)
-ifdef(`xdm.te', `
-# should be able to remove these two later
-allow $1_ssh_t xdm_xserver_tmp_t:sock_file { read write };
-allow $1_ssh_t xdm_xserver_tmp_t:dir search;
-allow $1_ssh_t xdm_xserver_t:unix_stream_socket connectto;
-allow $1_ssh_t xdm_xserver_t:shm r_shm_perms;
-allow $1_ssh_t xdm_xserver_t:fd use;
-allow $1_ssh_t xdm_xserver_tmpfs_t:file read;
-allow $1_ssh_t xdm_t:fd use;
-')dnl end if xdm.te
-')dnl end macro definition
+type $1_ssh_keysign_t, domain, nscd_client_domain;
+role $1_r types $1_ssh_keysign_t;
+
+if (allow_ssh_keysign) {
+domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t)
+allow $1_ssh_keysign_t sshd_key_t:file { getattr read };
+allow $1_ssh_keysign_t self:capability { setgid setuid };
+allow $1_ssh_keysign_t urandom_device_t:chr_file r_file_perms;
+uses_shlib($1_ssh_keysign_t)
+dontaudit $1_ssh_keysign_t selinux_config_t:dir search;
+dontaudit $1_ssh_keysign_t proc_t:dir search;
+dontaudit $1_ssh_keysign_t proc_t:{ lnk_file file } { getattr read };
+allow $1_ssh_keysign_t usr_t:dir search;
+allow $1_ssh_keysign_t etc_t:file { getattr read };
+allow $1_ssh_keysign_t self:dir search;
+allow $1_ssh_keysign_t self:file { getattr read };
+allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
+}
+')dnl end macro definition
', `
define(`ssh_domain',`')
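Review bot: The new `$1_ssh_keysign_t` domain reads the host's private key via `allow $1_ssh_keysign_t sshd_key_t:file { getattr read };` from a process spawned by an unprivileged user's ssh, which is exactly why it sits behind `allow_ssh_keysign`; the `if` block should carry a comment saying that and that the tunable is expected to default to off. The hunk adds no rule letting the keysign domain use the descriptors or pipe/socket ssh hands it (an `$1_ssh_t:fd use` plus the matching fifo_file or unix_stream_socket read/write), so host-based authentication will presumably fail with denials until those are added; I cannot see whether another hunk supplies them. The type and `role $1_r types $1_ssh_keysign_t;` declarations correctly sit outside the conditional while the transition is inside, which is worth a one-line note so nobody moves them in.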
diff --git a/strict/macros/program/su_macros.te b/strict/macros/program/su_macros.te
index 7426b4e..055e08a 100644
--- a/strict/macros/program/su_macros.te
+++ b/strict/macros/program/su_macros.te
@@ -24,6 +24,13 @@ ifdef(`su.te', `
define(`su_restricted_domain', `
# Derived domain based on the calling user domain and the program.
type $1_su_t, domain, privlog, privrole, privuser, privowner, privfd, nscd_client_domain;
+ifdef(`support_polyinstantiation', `
+typeattribute $1_su_t mlsfileread;
+typeattribute $1_su_t mlsfilewrite;
+typeattribute $1_su_t mlsfileupgrade;
+typeattribute $1_su_t mlsfiledowngrade;
+typeattribute $1_su_t mlsprocsetsl;
+')
# for SSP
allow $1_su_t urandom_device_t:chr_file { getattr read };
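Review bot: The `support_polyinstantiation` block stamps every derived su domain, including the unprivileged user variants, with `mlsfileread`, `mlsfilewrite`, `mlsfileupgrade`, `mlsfiledowngrade` and `mlsprocsetsl`, i.e. full exemption from the MLS file constraints plus the right to change its own level, which is far more than mounting polyinstantiated directories needs, and it is keyed on a polyinstantiation ifdef rather than on the MLS build. Please confine this to the attributes the polyinstantiation path actually requires, or document why upgrade/downgrade and setsl are needed, and consider gating it on the MLS-capable policies only. The macro continues past the hunk.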
@@ -32,7 +39,6 @@ allow $1_su_t urandom_device_t:chr_file { getattr read };
domain_auto_trans($1_t, su_exec_t, $1_su_t)
allow $1_su_t sbin_t:dir search;
-domain_auto_trans($1_su_t, chkpwd_exec_t, $2_chkpwd_t)
uses_shlib($1_su_t)
allow $1_su_t etc_t:file { getattr read };
@@ -62,7 +68,7 @@ allow $1_su_t crond_t:fifo_file read;
')
# Use capabilities.
-allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource audit_control };
dontaudit $1_su_t self:capability sys_tty_config;
#
# Caused by su - init scripts
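Review bot: `audit_control` is added to `$1_su_t`'s capability set without a comment; that capability permits reconfiguring and disabling the audit subsystem, whereas emitting PAM's login audit records only needs `audit_write`. If the reason is pam_loginuid writing `/proc/self/loginuid`, which does require `audit_control`, say so in a comment next to the rule; otherwise replace it with `audit_write`. Note this is granted to every user's su domain, not only sysadm's.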
@@ -88,6 +94,13 @@ allow $1_su_t privfd:fd use;
allow $1_su_t { var_t var_run_t }:dir search;
allow $1_su_t initrc_var_run_t:file rw_file_perms;
can_kerberos($1_su_t)
+
+ifdef(`chkpwd.te', `
+domain_auto_trans($1_su_t, chkpwd_exec_t, $2_chkpwd_t)
+')
+
+allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
+
') dnl end su_restricted_domain
define(`su_mini_domain', `
@@ -109,10 +122,6 @@ allow $1_su_t { ttyfile ptyfile }:chr_file { read write };
define(`su_domain', `
su_mini_domain($1)
-ifdef(`chkpwd.te', `
-# Run chkpwd.
-can_exec($1_su_t, chkpwd_exec_t)
-')
# Inherit and use descriptors from gnome-pty-helper.
ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;')
@@ -139,6 +148,16 @@ if (use_samba_home_dirs) {
allow $1_su_t cifs_t:dir search;
}
+ifdef(`support_polyinstantiation', `
+# Su can polyinstantiate
+polyinstantiater($1_su_t)
+# Su has to unmount polyinstantiated directories (like home)
+# that should not be polyinstantiated under the new user
+allow $1_su_t fs_t:filesystem unmount;
+# Su needs additional permission to mount over a previous mount
+allow $1_su_t polymember:dir mounton;
+')
+
# Modify .Xauthority file (via xauth program).
ifdef(`xauth.te', `
file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
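Review bot: `allow $1_su_t fs_t:filesystem unmount;` is coarser than the comment `Su has to unmount polyinstantiated directories` implies: fs_t is the type of ordinary disk filesystems, so every user's su domain may now unmount any such mount, not just the polyinstantiated ones. If polyinstantiated directories are bind mounts of the same filesystem this may be unavoidable, in which case the comment should state that the permission cannot be narrowed; otherwise restrict it to the filesystem type the polyinstantiated directories live on. The macro body extends beyond this hunk.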
diff --git a/strict/mcs b/strict/mcs
new file mode 100644
index 0000000..20ec239
--- /dev/null
+++ b/strict/mcs
@@ -0,0 +1,212 @@
+#
+# Define sensitivities
+#
+# Each sensitivity has a name and zero or more aliases.
+#
+# MCS is single-sensitivity.
+#
+sensitivity s0;
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 }
+
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0;
+category c1;
+category c2;
+category c3;
+category c4;
+category c5;
+category c6;
+category c7;
+category c8;
+category c9;
+category c10;
+category c11;
+category c12;
+category c13;
+category c14;
+category c15;
+category c16;
+category c17;
+category c18;
+category c19;
+category c20;
+category c21;
+category c22;
+category c23;
+category c24;
+category c25;
+category c26;
+category c27;
+category c28;
+category c29;
+category c30;
+category c31;
+category c32;
+category c33;
+category c34;
+category c35;
+category c36;
+category c37;
+category c38;
+category c39;
+category c40;
+category c41;
+category c42;
+category c43;
+category c44;
+category c45;
+category c46;
+category c47;
+category c48;
+category c49;
+category c50;
+category c51;
+category c52;
+category c53;
+category c54;
+category c55;
+category c56;
+category c57;
+category c58;
+category c59;
+category c60;
+category c61;
+category c62;
+category c63;
+category c64;
+category c65;
+category c66;
+category c67;
+category c68;
+category c69;
+category c70;
+category c71;
+category c72;
+category c73;
+category c74;
+category c75;
+category c76;
+category c77;
+category c78;
+category c79;
+category c80;
+category c81;
+category c82;
+category c83;
+category c84;
+category c85;
+category c86;
+category c87;
+category c88;
+category c89;
+category c90;
+category c91;
+category c92;
+category c93;
+category c94;
+category c95;
+category c96;
+category c97;
+category c98;
+category c99;
+category c100;
+category c101;
+category c102;
+category c103;
+category c104;
+category c105;
+category c106;
+category c107;
+category c108;
+category c109;
+category c110;
+category c111;
+category c112;
+category c113;
+category c114;
+category c115;
+category c116;
+category c117;
+category c118;
+category c119;
+category c120;
+category c121;
+category c122;
+category c123;
+category c124;
+category c125;
+category c126;
+category c127;
+
+
+#
+# Each MCS level specifies a sensitivity and zero or more categories which may
+# be associated with that sensitivity.
+#
+level s0:c0.c127;
+
+#
+# Define the MCS policy
+#
+# mlsconstrain class_set perm_set expression ;
+#
+# mlsvalidatetrans class_set expression ;
+#
+# expression : ( expression )
+# | not expression
+# | expression and expression
+# | expression or expression
+# | u1 op u2
+# | r1 role_mls_op r2
+# | t1 op t2
+# | l1 role_mls_op l2
+# | l1 role_mls_op h2
+# | h1 role_mls_op l2
+# | h1 role_mls_op h2
+# | l1 role_mls_op h1
+# | l2 role_mls_op h2
+# | u1 op names
+# | u2 op names
+# | r1 op names
+# | r2 op names
+# | t1 op names
+# | t2 op names
+# | u3 op names (NOTE: this is only available for mlsvalidatetrans)
+# | r3 op names (NOTE: this is only available for mlsvalidatetrans)
+# | t3 op names (NOTE: this is only available for mlsvalidatetrans)
+#
+# op : == | !=
+# role_mls_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name
+#
+
+#
+# MCS policy for the file classes
+#
+# Constrain file access so that the high range of the process dominates
+# the high range of the file. We use the high range of the process so
+# that processes can always simply run at s0.
+#
+# Only files are constrained by MCS at this stage.
+#
+mlsconstrain file { read write setattr append unlink link rename
+ create ioctl lock execute } (h1 dom h2);
+
+
+# XXX
+#
+# For some reason, we need to reference the mlsfileread attribute
+# or we get a build error. Below is a dummy entry to do this.
+mlsconstrain xextension query ( t1 == mlsfileread );
+
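Review bot: The file-class constraint `mlsconstrain file { read write setattr append unlink link rename create ioctl lock execute } (h1 dom h2);` leaves `relabelfrom`, `relabelto` and `getattr` unconstrained, so a process whose categories do not dominate a file's can still stat it and, given the type-enforcement relabel permissions, relabel it to a context it does dominate, which quietly strips the category protection. Add at least `relabelfrom` to the set, i.e. `mlsconstrain file { read write setattr append unlink link rename create ioctl lock execute relabelfrom } (h1 dom h2);`, and consider a matching constraint on `relabelto`. The `# Only files are constrained by MCS at this stage.` comment should also spell out that directories, symlinks, sockets and device nodes carry no category checks, and the `xextension query` dummy constraint deserves a proper TODO explaining which build error it works around rather than a bare `XXX`.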
diff --git a/strict/types/file.te b/strict/types/file.te
index d6bc8a9..5b319e5 100644
--- a/strict/types/file.te
+++ b/strict/types/file.te
@@ -276,7 +276,8 @@ allow { file_type device_type ttyfile } fs_t:filesystem associate;
# Allow the pty to be associated with the file system.
allow devpts_t self:filesystem associate;
-type tmpfs_t, file_type, sysadmfile, fs_type;
+type tmpfs_t, file_type, mount_point, sysadmfile, fs_type;
+allow { logfile tmpfs_t tmpfile home_type } tmpfs_t:filesystem associate;
allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate;
ifdef(`distro_redhat', `
allow { dev_fs ttyfile } { tmpfs_t tmp_t }:filesystem associate;
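Review bot: `allow { logfile tmpfs_t tmpfile home_type } tmpfs_t:filesystem associate;` now permits log, temp and home-directory types to live on tmpfs and repeats the `tmpfs_t` self-association already granted on the following line, with no comment on why; since this commit also teaches su to polyinstantiate directories, a reader needs to know whether tmpfs-backed home and tmp is the motivation. Suggest `# polyinstantiated /tmp and home directories may be backed by tmpfs` above it (if that is the reason) and dropping the duplicate `tmpfs_t` from the set.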
@@ -332,6 +333,7 @@ allow file_type noexattrfile:filesystem associate;
# Type for anonymous FTP data, used by ftp and rsync
type ftpd_anon_t, file_type, sysadmfile, customizable;
+type ftpd_anon_rw_t, file_type, sysadmfile, customizable;
allow customizable self:filesystem associate;
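Review bot: `type ftpd_anon_rw_t, file_type, sysadmfile, customizable;` is declared but no file-context entry or access rule in this diff uses it, while rsync.fc in the same commit labels rsync modules with the read-only ftpd_anon_t. Either add a comment here stating the type is reserved for writable anonymous upload areas and which daemons are expected to get write access to it, or hold the declaration until the rules that use it land, so an unused customizable type does not linger.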
diff --git a/strict/types/security.te b/strict/types/security.te
index 7bfd0bc..76d97dd 100644
--- a/strict/types/security.te
+++ b/strict/types/security.te
@@ -12,32 +12,32 @@
# the permissions in the security class. It is also
# applied to selinuxfs inodes.
#
-type security_t, fs_type;
+type security_t, mount_point, fs_type, mlstrustedobject;
#
# policy_config_t is the type of /etc/security/selinux/*
# the security server policy configuration.
#
-type policy_config_t, file_type;
+type policy_config_t, file_type, secadmfile;
#
# policy_src_t is the type of the policy source
# files.
#
-type policy_src_t, file_type, sysadmfile;
+type policy_src_t, file_type, secadmfile;
#
# default_context_t is the type applied to
# /etc/selinux/*/contexts/*
#
-type default_context_t, file_type, sysadmfile, login_contexts;
+type default_context_t, file_type, login_contexts, secadmfile;
#
# file_context_t is the type applied to
# /etc/selinux/*/contexts/files
#
-type file_context_t, file_type, sysadmfile;
+type file_context_t, file_type, secadmfile;
#
# no_access_t is the type for objects that should
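Review bot: `type security_t, mount_point, fs_type, mlstrustedobject;` makes selinuxfs an MLS-trusted object without saying so, and the comment above it still only describes the security class and selinuxfs inodes; add a line stating the attribute exists so processes at any level can query the security server. The sysadmfile→secadmfile moves on `policy_config_t`, `policy_src_t`, `default_context_t` and `file_context_t` (and `selinux_config_t` in the next hunk) take policy and context management away from sysadm_r unless it is separately granted secadm access; that separation-of-duties intent belongs in this file's header, and it is worth noting that `no_access_t` is now the only one of these types still on sysadmfile.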
@@ -49,6 +49,6 @@ type no_access_t, file_type, sysadmfile;
# selinux_config_t is the type applied to
# /etc/selinux/config
#
-type selinux_config_t, file_type, sysadmfile;
+type selinux_config_t, file_type, secadmfile;
diff --git a/strict/users b/strict/users
index 19e6842..c0269c4 100644
--- a/strict/users
+++ b/strict/users
@@ -41,10 +41,17 @@ user user_u roles { user_r };
# The sysadm_r user also needs to be permitted system_r if we are to allow
# direct execution of daemons
-user root roles { sysadm_r staff_r ifdef(`direct_sysadm_daemon', `system_r') };
+user root roles { sysadm_r staff_r secadm_r ifdef(`direct_sysadm_daemon', `system_r') };
# sample for administrative user
#user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') };
# sample for regular user
#user jdoe roles { user_r };
+
+#
+# The following users correspond to special Unix identities
+#
+ifdef(`nx_server.te', `
+user nx roles nx_server_r;
+')
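Review bot: Granting root `secadm_r` alongside `sysadm_r` in `user root roles { sysadm_r staff_r secadm_r ... };` folds the security-administrator role back into the identity that already holds system administration, so the sysadm/secadm separation introduced in security.te by this commit constrains nothing for root; if that is the accepted default, add a comment saying so and a sample of a separate secadm identity next to `#user jadmin`. The `user nx roles nx_server_r;` line ties a Unix account to a role defined outside this diff; the `ifdef` only guards this line, so confirm nx_server.te declares the role's default type and no other role is reachable from it.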
diff --git a/tools/regression.sh b/tools/regression.sh
index 85864f8..0979a05 100755
--- a/tools/regression.sh
+++ b/tools/regression.sh
@@ -1,8 +1,8 @@
#!/bin/bash
DISTROS="redhat gentoo debian suse"
-STRICT_TYPES="strict strict-mls"
-TARG_TYPES="targeted targeted-mls"
+STRICT_TYPES="strict strict-mls strict-mcs"
+TARG_TYPES="targeted targeted-mls targeted-mcs"
POLVER="`checkpolicy -V |cut -f 1 -d ' '`"
SETFILES="/usr/sbin/setfiles"