# file should be used.
#
+ifdef(`strict_policy',`
## <desc>
## <p>
## Enabling secure mode disallows programs, such as
## </p>
## </desc>
gen_bool(secure_mode,false)
+')
## <desc>
## <p>
#
gen_tunable(allow_cvs_read_shadow,false)
+## <desc>
+## <p>
+## Allow zebra daemon to write it configuration files
+## </p>
+## </desc>
+#
+gen_tunable(allow_zebra_write_config,false)
+
## <desc>
## <p>
## Allow making the heap executable.
## </desc>
gen_tunable(allow_httpd_anon_write,false)
+## <desc>
+## <p>
+## Allow Apache to use mod_auth_pam
+## </p>
+## </desc>
+gen_tunable(allow_httpd_mod_auth_pam,false)
+
## <desc>
## <p>
## Allow java executable stack
## </desc>
gen_tunable(allow_smbd_anon_write,false)
-## <desc>
-## <p>
-## Allow sysadm to ptrace all processes
-## </p>
-## </desc>
-gen_tunable(allow_ptrace,false)
## <desc>
## <p>
## </desc>
gen_tunable(read_default_t,false)
-## <desc>
-## <p>
-## Allow ssh to run from inetd instead of as a daemon.
-## </p>
-## </desc>
-gen_tunable(run_ssh_inetd,false)
-
## <desc>
## <p>
## Allow samba to export user home directories.
## </desc>
gen_tunable(samba_share_nfs,false)
-## <desc>
-## <p>
-## Allow spamassassin to do DNS lookups
-## </p>
-## </desc>
-gen_tunable(spamassasin_can_network,false)
-
## <desc>
## <p>
## Allow squid to connect to all ports, not just
## </desc>
gen_tunable(squid_connect_any,false)
-## <desc>
-## <p>
-## Allow ssh logins as sysadm_r:sysadm_t
-## </p>
-## </desc>
-gen_tunable(ssh_sysadm_login,false)
-
## <desc>
## <p>
## Configure stunnel to be a standalone daemon or
## </desc>
gen_tunable(use_samba_home_dirs,false)
+########################################
+#
+# Strict policy specific
+#
+
+ifdef(`strict_policy',`
## <desc>
## <p>
## Control users use of ping and traceroute
## </desc>
gen_tunable(user_ping,false)
-########################################
-#
-# Strict policy specific
-#
-
-ifdef(`strict_policy',`
## <desc>
## <p>
## Allow gpg executable stack
## </desc>
gen_tunable(allow_mplayer_execstack,false)
+## <desc>
+## <p>
+## Allow sysadm to ptrace all processes
+## </p>
+## </desc>
+gen_tunable(allow_ptrace,false)
+
## <desc>
## <p>
## allow host key based authentication
## </desc>
gen_tunable(read_untrusted_content,false)
+## <desc>
+## <p>
+## Allow ssh to run from inetd instead of as a daemon.
+## </p>
+## </desc>
+gen_tunable(run_ssh_inetd,false)
+
## <desc>
## <p>
## Allow user spamassassin clients to use the network.
## </desc>
gen_tunable(spamassassin_can_network,false)
+## <desc>
+## <p>
+## Allow ssh logins as sysadm_r:sysadm_t
+## </p>
+## </desc>
+gen_tunable(ssh_sysadm_login,false)
+
## <desc>
## <p>
## Allow staff_r users to search the sysadm home
(( h1 dom h2 ) or ( t1 == mcssetcats ));
mlsconstrain process { ptrace }
- ( h1 dom h2 );
+ (( h1 dom h2) or ( t1 == mcsptraceall ));
mlsconstrain process { sigkill sigstop }
(( h1 dom h2 ) or ( t1 == mcskillall ));
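Review bot: The new disjunct `( t1 == mcsptraceall )` on the ptrace constraint exempts any type carrying that attribute from the category-dominance check entirely, and ptrace gives the tracer control of the traced process, so this is an MCS bypass for process access rather than a per-category relaxation; the commit does not record which domains will receive the attribute, and none is visible on this page. A comment above the constraint, e.g. `# mcsptraceall exempts a domain from MCS for ptrace altogether; grant only through mcs_ptrace_all`, would keep the next reader from treating it like the narrower mcssetcats case. The enclosing constraint list starts and ends outside the hunk.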
-policy_module(bootloader,1.2.4)
+policy_module(bootloader,1.2.5)
########################################
#
# bootloader local policy
#
-allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
+allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown };
allow bootloader_t self:process { sigkill sigstop signull signal execmem };
allow bootloader_t self:fifo_file rw_file_perms;
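Review bot: `dac_override` is added to bootloader_t's self capability set without a comment on what access required it; `dac_read_search` was already granted, so the new bit only matters when the bootloader writes or opens for writing a file it lacks DAC permission on. A why-comment naming the operation, e.g. `# dac_override: <operation from the observed AVC denial>` with the placeholder filled in, would let a later reviewer judge whether the capability is still needed. The rest of the bootloader local policy lies outside this hunk.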
files_root_filetrans(bootloader_t,bootloader_tmp_t,file)
kernel_getattr_core_if(bootloader_t)
+kernel_read_network_state(bootloader_t)
kernel_read_system_state(bootloader_t)
kernel_read_software_raid_state(bootloader_t)
kernel_read_kernel_sysctls(bootloader_t)
dev_read_raw_memory(bootloader_t)
fs_getattr_xattr_fs(bootloader_t)
+fs_getattr_tmpfs(bootloader_t)
fs_read_tmpfs_symlinks(bootloader_t)
+#Needed for ia64
+fs_manage_dos_files(bootloader_t)
mls_file_read_up(bootloader_t)
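Review bot: `fs_manage_dos_files(bootloader_t)` is granted unconditionally although its comment says it is needed only for ia64, so on every other architecture the bootloader now gets create/write/delete on all dosfs_t files, including any mounted FAT removable media. If there is no per-architecture conditional available in this build, at least expand the comment to say why, e.g. `# Needed for ia64: the EFI boot partition is a FAT filesystem; granted on all arches for lack of an arch conditional`, so the breadth of the grant is recorded as a known trade-off.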
-policy_module(firstboot,1.1.2)
+policy_module(firstboot,1.1.3)
gen_require(`
class passwd rootok;
unconfined_domtrans(firstboot_t)
')
+optional_policy(`
+ hal_dbus_send(firstboot_t)
+')
+
optional_policy(`
nis_use_ypbind(firstboot_t)
')
-policy_module(netutils,1.1.4)
+policy_module(netutils,1.1.5)
########################################
#
ifdef(`targeted_policy',`
term_use_unallocated_ttys(traceroute_t)
term_use_generic_ptys(traceroute_t)
-')
-
-tunable_policy(`user_ping',`
- term_use_all_user_ttys(traceroute_t)
- term_use_all_user_ptys(traceroute_t)
+',`
+ tunable_policy(`user_ping',`
+ term_use_all_user_ttys(traceroute_t)
+ term_use_all_user_ptys(traceroute_t)
+ ')
')
optional_policy(`
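Review bot: The `user_ping` tunable_policy is now placed in the else branch of the targeted_policy ifdef, while the tunable itself is declared inside a strict_policy ifdef in global_tunables and the parallel inetd change for run_ssh_inetd also uses a strict_policy ifdef. The three sites agree only if every build defines exactly one of the two symbols; a build with neither would reference an undeclared tunable here. Wrapping the tunable_policy in the same strict_policy ifdef that inetd uses, instead of the else branch, keeps the guard identical to the declaration.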
-policy_module(prelink,1.1.4)
+policy_module(prelink,1.1.5)
########################################
#
corecmd_relabel_all_executables(prelink_t)
corecmd_mmap_all_executables(prelink_t)
corecmd_read_sbin_symlinks(prelink_t)
+corecmd_read_bin_symlinks(prelink_t)
dev_read_urand(prelink_t)
files_search_var_lib($1)
allow $1 rpm_var_lib_t:dir r_dir_perms;
- allow $1 rpm_var_lib_t:file { getattr read };
+ allow $1 rpm_var_lib_t:file r_file_perms;
allow $1 rpm_var_lib_t:lnk_file r_file_perms;
')
files_search_var_lib($1)
allow $1 rpm_var_lib_t:dir rw_dir_perms;
- allow $1 rpm_var_lib_t:file { getattr create read write append unlink };
- allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
+ allow $1 rpm_var_lib_t:file manage_file_perms;
+ allow $1 rpm_var_lib_t:lnk_file create_lnk_perms;
')
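Review bot: Replacing `{ getattr create read write append unlink }` with `manage_file_perms` on rpm_var_lib_t:file, and `{ getattr read write unlink }` with `create_lnk_perms` on lnk_file, adds permissions the explicit sets did not carry (setattr, rename and link among them), so this widens access for every caller of the interface rather than being a pure cleanup; the read interface's move to `r_file_perms` likewise adds lock and ioctl. If the extra permissions were seen as denials that is fine, but nothing in the hunk says so; a one-line comment, or keeping the explicit set, would record the intent. Both interface headers lie outside the hunk.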
########################################
-policy_module(rpm,1.3.9)
+policy_module(rpm,1.3.10)
########################################
#
-policy_module(usermanage,1.3.7)
+policy_module(usermanage,1.3.8)
########################################
#
')
optional_policy(`
+ nscd_exec(groupadd_t)
nscd_socket_use(groupadd_t)
')
')
optional_policy(`
+ nscd_exec(useradd_t)
nscd_socket_use(useradd_t)
')
-policy_module(corenetwork,1.1.12)
+policy_module(corenetwork,1.1.13)
########################################
#
network_port(amavisd_send, tcp,10025,s0)
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
network_port(auth, tcp,113,s0)
-network_port(bgp, tcp,179,s0, udp,179,s0)
+network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
network_port(clamd, tcp,3310,s0)
network_port(clockspeed, udp,4041,s0)
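Review bot: Port 2605 is added to the bgp port type here while 2600–2604 and 2606 go to zebra in the later hunk of this file, and nothing records why the one port in the middle of the range is split out. These look like the zebra/Quagga vty ports, with 2605 being bgpd's, so a comment on the bgp line such as `# 2605 is the bgpd vty port; the other 260x vty ports are zebra_port_t` would stop a future reader from merging the two ranges.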
network_port(vnc, tcp,5900,s0)
network_port(xen, tcp,8002,s0)
network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
-network_port(zebra, tcp,2601,s0)
+network_port(zebra, tcp,2600,s0, tcp,2601,s0, tcp,2602,s0, tcp,2603,s0, tcp,2604,s0, tcp,2606,s0, udp,2600,s0, udp,2601,s0, udp,2602,s0, udp,2603,s0, udp,2604,s0, udp,2606,s0)
network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
/dev/full -c gen_context(system_u:object_r:null_device_t,s0)
+/dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0)
+/dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0)
/dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0)
/dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
+/dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
ifdef(`distro_suse', `
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
-policy_module(devices,1.1.14)
+policy_module(devices,1.1.15)
########################################
#
ifdef(`distro_redhat',`
/\.autofsck -- gen_context(system_u:object_r:etc_runtime_t,s0)
/\.autorelabel -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/\.suspended -- gen_context(system_u:object_r:etc_runtime_t,s0)
/fastboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
/forcefsck -- gen_context(system_u:object_r:etc_runtime_t,s0)
/fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
-policy_module(files,1.2.12)
+policy_module(files,1.2.13)
########################################
#
allow $1 dosfs_t:filesystem relabelfrom;
')
+########################################
+## <summary>
+## Create, read, write, and delete files
+## on a DOS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_dos_files',`
+ gen_require(`
+ type dosfs_t;
+ ')
+
+ allow $1 dosfs_t:dir rw_dir_perms;
+ allow $1 dosfs_t:file manage_file_perms;
+')
+
########################################
## <summary>
## Read eventpollfs files.
-policy_module(filesystem,1.3.12)
+policy_module(filesystem,1.3.13)
########################################
#
########################################
## <summary>
## This domain is allowed to sigkill and sigstop
-## all domains regardless of their MCS level.
+## all domains regardless of their MCS category set.
## </summary>
## <param name="domain">
## <summary>
typeattribute $1 mcskillall;
')
+########################################
+## <summary>
+## This domain is allowed to ptrace
+## all domains regardless of their MCS
+## category set.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain target for user exemption.
+## </summary>
+## </param>
+#
+interface(`mcs_ptrace_all',`
+ gen_require(`
+ attribute mcsptraceall;
+ ')
+
+ typeattribute $1 mcsptraceall;
+')
+
########################################
## <summary>
## Make specified domain MCS trusted
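Review bot: The parameter summary of the new `mcs_ptrace_all` interface, `Domain target for user exemption.`, reads like a copy from a neighbouring interface and does not describe this parameter; `Domain allowed to ptrace processes regardless of their MCS category set.` would. The interface summary could also make clear that this only removes the MCS constraint on ptrace and grants no ptrace permission by itself — the caller still needs the ordinary allow rule — so that it is not mistaken for a ptrace grant.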
-policy_module(mcs,1.0.2)
+policy_module(mcs,1.0.3)
########################################
#
#
attribute mcskillall;
+attribute mcsptraceall;
attribute mcssetcats;
########################################
if(!secure_mode_policyload) {
allow $1 security_t:security setenforce;
- auditallow $1 security_t:security setenforce;
+
+ ifdef(`distro_rhel4',`
+ # needed for systems without audit support
+ auditallow $1 security_t:security setenforce;
+ ')
}
')
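Review bot: Moving `auditallow $1 security_t:security setenforce;` under the distro_rhel4 ifdef removes the explicit audit record for enforcing-mode changes on every other distribution, and the same happens for load_policy in the next hunk and for the unconfined rule in selinux.te; the comment `# needed for systems without audit support` explains RHEL4 but not why the record is unnecessary elsewhere. If the reasoning is that a kernel with the audit subsystem already emits its own status-change and policy-load events, say so where the rule was removed, e.g. `# the kernel audit subsystem logs setenforce itself; keep an explicit auditallow only for audit-less kernels (RHEL4)`. Without that, a later reader may either restore the auditallow and double-log or assume the event is now unrecorded.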
if(!secure_mode_policyload) {
allow $1 security_t:security load_policy;
- auditallow $1 security_t:security load_policy;
+
+ ifdef(`distro_rhel4',`
+ # needed for systems without audit support
+ auditallow $1 security_t:security load_policy;
+ ')
}
')
-policy_module(selinux,1.1.1)
+policy_module(selinux,1.1.2)
########################################
#
if(!secure_mode_policyload) {
allow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
- auditallow selinux_unconfined_type security_t:security { load_policy setenforce };
ifdef(`distro_rhel4',`
# needed for systems without audit support
- auditallow selinux_unconfined_type security_t:security setbool;
+ auditallow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
')
}
/dev/jsfd -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/jsflash -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
-/dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0)
+/dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
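Review bot: `/dev/mmcblk.*` is labeled removable_device_t at s0 while the neighbouring fixed disks carry fixed_disk_device_t at s15:c0.c255; on systems whose root disk is an eMMC, which also appears as mmcblk, this gives the system disk the weaker removable-media label and the lower MLS range. If SD cards are the intended case, a comment such as `# SD cards; eMMC system disks also appear as mmcblk and may need the fixed-disk label locally` records the trade-off for the next maintainer.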
-policy_module(storage,1.0.1)
+policy_module(storage,1.0.2)
########################################
#
-policy_module(automount,1.2.7)
+policy_module(automount,1.2.8)
########################################
#
allow automount_t self:unix_dgram_socket create_socket_perms;
allow automount_t self:tcp_socket create_stream_socket_perms;
allow automount_t self:udp_socket create_socket_perms;
+allow automount_t self:netlink_route_socket r_netlink_socket_perms;
allow automount_t automount_etc_t:file { getattr read };
# because config files can be shell scripts
can_exec(automount_t, automount_etc_t)
+can_exec(automount_t, automount_exec_t)
allow automount_t automount_lock_t:file create_file_perms;
files_lock_filetrans(automount_t,automount_lock_t,file)
fstools_domtrans(automount_t)
')
+optional_policy(`
+ kerberos_read_keytab(automount_t)
+ kerberos_read_config(automount_t)
+ kerberos_dontaudit_write_config(automount_t)
+')
+
optional_policy(`
nis_use_ypbind(automount_t)
')
-policy_module(avahi,1.2.3)
+policy_module(avahi,1.2.4)
########################################
#
miscfiles_read_localization(avahi_t)
sysnet_read_config(avahi_t)
+sysnet_use_ldap(avahi_t)
userdom_dontaudit_use_unpriv_user_fds(avahi_t)
userdom_dontaudit_search_sysadm_home_dirs(avahi_t)
')
ifdef(`distro_redhat',`
-/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
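Review bot: The added pattern `/etc/named\.rfc1912.zones` escapes the first dot but not the second, unlike every other entry here, so `.` matches any character; it should read `/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)`. The practical effect is negligible, but consistent escaping keeps the file-context regexes reviewable.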
-policy_module(bind,1.1.6)
+policy_module(bind,1.1.7)
########################################
#
## <summary>Bluetooth tools and system services.</summary>
+########################################
+## <summary>
+## Execute bluetooth in the bluetooth domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`bluetooth_domtrans',`
+ gen_require(`
+ type bluetooth_t, bluetooth_exec_t;
+ ')
+
+ domain_auto_trans($1,bluetooth_exec_t,bluetooth_t)
+ allow bluetooth_t $1:fd use;
+ allow bluetooth_t $1:fifo_file rw_file_perms;
+ allow bluetooth_t $1:process sigchld;
+')
+
########################################
## <summary>
## Read bluetooth daemon configuration.
-policy_module(bluetooth,1.2.8)
+policy_module(bluetooth,1.2.9)
########################################
#
allow bluetooth_helper_t self:shm create_shm_perms;
allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow bluetooth_helper_t self:tcp_socket create_socket_perms;
+allow bluetooth_helper_t self:netlink_route_socket r_netlink_socket_perms;
allow bluetooth_helper_t bluetooth_t:socket { read write };
userdom_manage_generic_user_home_content_files(bluetooth_helper_t)
optional_policy(`
+ corenet_tcp_connect_xserver_port(bluetooth_helper_t)
+
xserver_stream_connect_xdm(bluetooth_helper_t)
xserver_use_xdm_fds(bluetooth_helper_t)
xserver_rw_xdm_pipes(bluetooth_helper_t)
/usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
+/var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0)
/var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0)
-/var/run/clamav/clamd\.ctl -s gen_context(system_u:object_r:clamd_sock_t,s0)
/var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
/var/log/clamav -d gen_context(system_u:object_r:clamd_var_log_t,s0)
/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0)
/var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
+/var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0)
#
interface(`clamav_stream_connect',`
gen_require(`
- type clamd_t, clamd_sock_t, clamd_var_run_t;
+ type clamd_t, clamd_var_run_t;
')
allow $1 clamd_var_run_t:dir search;
- allow $1 clamd_sock_t:sock_file write;
+ allow $1 clamd_var_run_t:sock_file write;
allow $1 clamd_t:unix_stream_socket connectto;
')
-policy_module(clamav,1.0.4)
+policy_module(clamav,1.0.5)
########################################
#
type clamd_etc_t;
files_type(clamd_etc_t)
-# named socket type
-type clamd_sock_t;
-files_type(clamd_sock_t)
-
# tmp files
type clamd_tmp_t;
files_tmp_file(clamd_tmp_t)
# pid files
type clamd_var_run_t;
files_pid_file(clamd_var_run_t)
+typealias clamd_var_run_t alias clamd_sock_t;
type clamscan_t;
type clamscan_exec_t;
allow clamd_t clamd_etc_t:file r_file_perms;
allow clamd_t clamd_etc_t:lnk_file { getattr read };
-# socket file
-allow clamd_t clamd_sock_t:file manage_file_perms;
-allow clamd_t clamd_sock_t:sock_file manage_file_perms;
-allow clamd_t clamd_sock_t:dir rw_dir_perms;
-files_pid_filetrans(clamd_t,clamd_sock_t,sock_file)
-
# tmp files
allow clamd_t clamd_tmp_t:file create_file_perms;
allow clamd_t clamd_tmp_t:dir create_dir_perms;
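Review bot: The removed rules gave clamd_t manage rights on clamd_sock_t:sock_file plus a pid filetrans for sock_file, but no replacement `allow clamd_t clamd_var_run_t:sock_file manage_file_perms;` or sock_file filetrans onto clamd_var_run_t is visible after clamd_sock_t became an alias of it; unless those exist outside the hunk, clamd can no longer create its control socket under /var/run. The new `/var/spool/amavisd/clamd\.sock -s` entry also places a socket outside /var/run, which a relabel will set but a pid filetrans will not, so a transition for that location may be needed too. The clamd_t local policy continues beyond the hunk.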
# var/lib files for clamd
allow clamd_t clamd_var_lib_t:file create_file_perms;
-allow clamd_t clamd_var_lib_t:sock_file create_file_perms;
allow clamd_t clamd_var_lib_t:dir create_dir_perms;
-files_var_filetrans(clamd_t,clamd_var_lib_t,{ file dir sock_file })
-files_var_lib_filetrans(clamd_t,clamd_var_lib_t,file)
# log files
allow clamd_t clamd_var_log_t:file create_file_perms;
-allow clamd_t clamd_var_log_t:sock_file create_file_perms;
allow clamd_t clamd_var_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(clamd_t,clamd_var_log_t,file)
# var/lib files together with clamd
allow freshclam_t clamd_var_lib_t:file create_file_perms;
-allow freshclam_t clamd_var_lib_t:sock_file create_file_perms;
allow freshclam_t clamd_var_lib_t:dir create_dir_perms;
-files_var_filetrans(freshclam_t,clamd_var_lib_t,{ file dir sock_file })
-files_var_lib_filetrans(freshclam_t,clamd_var_lib_t,file)
# pidfiles- var/run together with clamd
allow freshclam_t clamd_var_run_t:file manage_file_perms;
# log files (own logfiles only)
allow freshclam_t freshclam_var_log_t:file create_file_perms;
-allow freshclam_t freshclam_var_log_t:sock_file create_file_perms;
allow freshclam_t freshclam_var_log_t:dir { rw_dir_perms setattr };
allow freshclam_t clamd_var_log_t:dir search;
logging_log_filetrans(freshclam_t,freshclam_var_log_t,file)
# var/lib files together with clamd
allow clamscan_t clamd_var_lib_t:file r_file_perms;
-allow clamscan_t clamd_var_lib_t:sock_file rw_file_perms;
allow clamscan_t clamd_var_lib_t:dir r_dir_perms;
kernel_read_kernel_sysctls(clamscan_t)
-policy_module(cyrus,1.1.3)
+policy_module(cyrus,1.1.4)
########################################
#
allow cyrus_t self:unix_stream_socket connectto;
allow cyrus_t self:tcp_socket create_stream_socket_perms;
allow cyrus_t self:udp_socket create_socket_perms;
+allow cyrus_t self:netlink_route_socket r_netlink_socket_perms;
allow cyrus_t cyrus_tmp_t:dir create_dir_perms;
allow cyrus_t cyrus_tmp_t:file create_file_perms;
cron_system_entry(cyrus_t,cyrus_exec_t)
')
+optional_policy(`
+ ldap_stream_connect(cyrus_t)
+')
+
optional_policy(`
nis_use_ypbind(cyrus_t)
')
#
/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
+/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+
/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
-policy_module(dovecot,1.2.4)
+policy_module(dovecot,1.2.5)
########################################
#
type dovecot_exec_t;
init_daemon_domain(dovecot_t,dovecot_exec_t)
+type dovecot_auth_t;
+type dovecot_auth_exec_t;
+domain_type(dovecot_auth_t)
+domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
+role system_r types dovecot_auth_t;
+
type dovecot_cert_t;
files_type(dovecot_cert_t)
type dovecot_spool_t;
files_type(dovecot_spool_t)
+# /var/lib/dovecot holds SSL parameters file
+type dovecot_var_lib_t;
+files_type(dovecot_var_lib_t)
+
type dovecot_var_run_t;
files_pid_file(dovecot_var_run_t)
-type dovecot_auth_t;
-type dovecot_auth_exec_t;
-domain_type(dovecot_auth_t)
-domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
-role system_r types dovecot_auth_t;
-
########################################
#
# dovecot local policy
allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
+# Allow dovecot to create and read SSL parameters file
+allow dovecot_t dovecot_var_lib_t:dir rw_dir_perms;
+allow dovecot_t dovecot_var_lib_t:file manage_file_perms;
+files_search_var_lib(dovecot_t)
+
allow dovecot_auth_t dovecot_var_run_t:dir r_dir_perms;
kernel_read_all_sysctls(dovecot_auth_t)
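Review bot: The new dovecot_t rules for dovecot_var_lib_t are inserted between two dovecot_auth_t rules (`allow dovecot_auth_t dovecot_passwd_t ...` above and `allow dovecot_auth_t dovecot_var_run_t ...` below), so they sit in what appears to be the dovecot_auth_t section; moving them to the dovecot_t block keeps the file's per-domain grouping. The comment `# Allow dovecot to create and read SSL parameters file` is useful; it could add which process writes the file so a reader knows why dovecot_auth_t needs nothing here. The enclosing section header lies outside the hunk.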
-policy_module(ftp,1.2.6)
+policy_module(ftp,1.2.7)
########################################
#
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
allow ftpd_t self:tcp_socket create_stream_socket_perms;
allow ftpd_t self:udp_socket create_socket_perms;
+allow ftpd_t self:netlink_route_socket r_netlink_socket_perms;
allow ftpd_t ftpd_etc_t:file r_file_perms;
corenet_tcp_bind_ftp_port(ftpd_t)
')
+optional_policy(`
+ tunable_policy(`ftp_home_dir',`
+ apache_search_sys_content(ftpd_t)
+ ')
+')
+
optional_policy(`
corecmd_exec_shell(ftpd_t)
-policy_module(hal,1.3.10)
+policy_module(hal,1.3.11)
########################################
#
#
# execute openvt which needs setuid
-allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
+allow hald_t self:capability { audit_write chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
dontaudit hald_t self:capability sys_tty_config;
allow hald_t self:process signal_perms;
allow hald_t self:fifo_file rw_file_perms;
files_dontaudit_read_root_files(hald_t)
')
+optional_policy(`
+ bootloader_domtrans(hald_t)
+')
+
optional_policy(`
# For /usr/libexec/hald-addon-acpi
# writes to /var/run/acpid.socket
bind_search_cache(hald_t)
')
+optional_policy(`
+ bluetooth_domtrans(hald_t)
+')
+
optional_policy(`
clock_domtrans(hald_t)
')
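Review bot: `bootloader_domtrans(hald_t)` lets the hal daemon enter bootloader_t, a domain that on this page gains dac_override and already has raw memory and raw I/O access, and the hunk gives no reason for the transition; the same hunk also adds `bluetooth_domtrans(hald_t)` without one. A why-comment inside the optional_policy block, e.g. `# hal invokes the bootloader helper for <use case — confirm>`, records the dependency so the transition can be dropped if that helper changes. Without it the grant looks like a broad privilege path from a hardware-event daemon.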
-policy_module(inetd,1.1.4)
+policy_module(inetd,1.1.5)
########################################
#
sysnet_read_config(inetd_child_t)
-tunable_policy(`run_ssh_inetd',`
- corenet_tcp_bind_ssh_port(inetd_t)
+ifdef(`strict_policy',`
+ tunable_policy(`run_ssh_inetd',`
+ corenet_tcp_bind_ssh_port(inetd_t)
+ ')
')
optional_policy(`
/var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
/var/lib/ldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0)
+/var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
allow slapd_t $1:tcp_socket { acceptfrom recvfrom };
kernel_tcp_recvfrom($1)
')
+
+
+########################################
+## <summary>
+## Connect to slapd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ldap_stream_connect',`
+ gen_require(`
+ type slapd_t, slapd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 slapd_var_run_t:sock_file write;
+ allow $1 slapd_t:unix_stream_socket connectto;
+')
-policy_module(ldap,1.2.3)
+policy_module(ldap,1.2.4)
########################################
#
allow $1_lpr_t self:unix_stream_socket create_stream_socket_perms;
allow $1_lpr_t self:tcp_socket create_socket_perms;
allow $1_lpr_t self:udp_socket create_socket_perms;
+ allow $1_lpr_t self:netlink_route_socket r_netlink_socket_perms;
# lpr can run in lightweight mode, without a local print spooler.
allow $1_lpr_t lpd_var_run_t:dir search;
allow lpd_t $1_print_spool_t:file link_file_perms;
kernel_tcp_recvfrom($1_lpr_t)
+ kernel_read_kernel_sysctls($1_lpr_t)
+ corenet_non_ipsec_sendrecv($1_lpr_t)
corenet_tcp_sendrecv_generic_if($1_lpr_t)
corenet_udp_sendrecv_generic_if($1_lpr_t)
corenet_tcp_sendrecv_all_nodes($1_lpr_t)
corenet_tcp_connect_all_ports($1_lpr_t)
corenet_sendrecv_all_client_packets($1_lpr_t)
- # for /dev/null
- dev_list_all_dev_nodes($1_lpr_t)
+ dev_read_rand($1_lpr_t)
+ dev_read_urand($1_lpr_t)
domain_use_interactive_fds($1_lpr_t)
userdom_read_user_tmp_symlinks($1,$1_lpr_t)
# Write to the user domain tty.
userdom_use_user_terminals($1,$1_lpr_t)
+ userdom_read_user_home_content_files($1,$1_lpr_t)
+ userdom_read_user_tmp_files($1,$1_lpr_t)
tunable_policy(`read_default_t',`
files_list_default($1_lpr_t)
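Review bot: The removed comment `# for /dev/null` and its `dev_list_all_dev_nodes` call are replaced by `dev_read_rand`/`dev_read_urand`, which cover the random devices but not /dev/null; unless a null-device interface is granted elsewhere in the template, the access the comment justified is now gone. Separately, `$1_lpr_t` now reads user home content and user tmp files unconditionally, while the home-directory listing removed further down was gated by the `read_untrusted_content` tunable; a comment saying that lpr must read whatever file the user asks it to print would explain why the gate no longer applies. The template continues outside the hunk.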
tunable_policy(`read_untrusted_content',`
#list and read user specific untrusted content
- files_list_home($1_lpr_t)
- userdom_list_user_home_dirs($1,$1_lpr_t)
userdom_read_user_untrusted_content_files($1,$1_lpr_t)
#list and read user specific temporary untrusted content
cups_tcp_connect($1_lpr_t)
cups_read_config($2)
cups_tcp_connect($2)
+ cups_stream_connect($1_lpr_t)
')
optional_policy(`
optional_policy(`
nis_use_ypbind($1_lpr_t)
')
-
- ifdef(`TODO',`
- optional_policy(`
- allow $1_lpr_t xdm_t:fd use;
- allow $1_lpr_t xdm_var_run_t:dir search;
- allow $1_lpr_t xdm_t:fifo_file { getattr read write ioctl };
- ')
- ') dnl end TODO
')
#######################################
-policy_module(lpd,1.2.4)
+policy_module(lpd,1.2.5)
########################################
#
-policy_module(mailman,1.1.5)
+policy_module(mailman,1.1.6)
########################################
#
# Mailman CGI local policy
#
-# cjp: the template invocation for queue should be
+# cjp: the template invocation for cgi should be
# in the below optional policy; however, there are no
# optionals for file contexts yet, so it is promoted
# to global scope until such facilities exist.
optional_policy(`
+ allow mailman_cgi_t self:netlink_route_socket r_netlink_socket_perms;
+
+ dev_read_urand(mailman_cgi_t)
+
allow mailman_cgi_t mailman_archive_t:dir create_dir_perms;
allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms;
allow mailman_cgi_t mailman_archive_t:file create_file_perms;
apache_use_fds(mailman_cgi_t)
apache_dontaudit_append_log(mailman_cgi_t)
apache_search_sys_script_state(mailman_cgi_t)
+
+ optional_policy(`
+ nscd_socket_use(mailman_cgi_t)
+ ')
')
########################################
-policy_module(nis,1.1.5)
+policy_module(nis,1.1.6)
########################################
#
corenet_tcp_bind_reserved_port(ypbind_t)
corenet_udp_bind_reserved_port(ypbind_t)
corenet_tcp_bind_all_rpc_ports(ypbind_t)
+corenet_udp_bind_all_rpc_ports(ypbind_t)
corenet_tcp_connect_all_ports(ypbind_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t)
corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t)
allow nscd_t $1:process sigchld;
')
+########################################
+## <summary>
+## Allow the specified domain to execute nscd
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_exec',`
+ gen_require(`
+ type nscd_exec_t;
+ ')
+
+ can_exec($1,nscd_exec_t)
+')
+
########################################
## <summary>
## Use NSCD services by connecting using
-policy_module(nscd,1.2.6)
+policy_module(nscd,1.2.7)
gen_require(`
class nscd all_nscd_perms;
-policy_module(openvpn,1.0.2)
+policy_module(openvpn,1.0.3)
########################################
#
allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow openvpn_t self:udp_socket create_socket_perms;
allow openvpn_t self:tcp_socket create_socket_perms;
+allow openvpn_t self:netlink_route_socket r_netlink_socket_perms;
allow openvpn_t openvpn_etc_t:dir r_dir_perms;
allow openvpn_t openvpn_etc_t:file r_file_perms;
corenet_sendrecv_openvpn_server_packets(openvpn_t)
corenet_rw_tun_tap_dev(openvpn_t)
+dev_search_sysfs(openvpn_t)
dev_read_rand(openvpn_t)
dev_read_urand(openvpn_t)
files_read_etc_files(openvpn_t)
files_read_etc_runtime_files(openvpn_t)
+init_use_fds(openvpn_t)
+
libs_use_ld_so(openvpn_t)
libs_use_shared_libs(openvpn_t)
miscfiles_read_localization(openvpn_t)
+sysnet_dns_name_resolve(openvpn_t)
sysnet_exec_ifconfig(openvpn_t)
ifdef(`targeted_policy',`
- term_dontaudit_use_generic_ptys(openvpn_t)
+ # Need to interact with terminals if config option "auth-user-pass" is used
+ term_use_generic_ptys(openvpn_t)
')
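Review bot: `term_use_generic_ptys(openvpn_t)` replaces a dontaudit with a grant for all of targeted policy, while its comment says the access is needed only when `auth-user-pass` is configured; every openvpn instance now gets pty access whether or not it prompts. If a tunable is acceptable here, gating the grant behind one and keeping the dontaudit in the other branch would confine the exposure to installations that use interactive authentication; otherwise the comment should say the grant is unconditional by design.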
optional_policy(`
-policy_module(postfix,1.2.9)
+policy_module(postfix,1.2.10)
########################################
#
init_use_script_ptys(postfix_master_t)
-miscfiles_dontaudit_search_man_pages(postfix_master_t)
+miscfiles_read_man_pages(postfix_master_t)
seutil_sigchld_newrole(postfix_master_t)
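Review bot: `miscfiles_read_man_pages(postfix_master_t)` turns a dontaudit of man-page searching into a read grant, and nothing in the hunk says why the master daemon needs to read manual pages rather than merely be kept quiet about looking for them. If this was prompted by a denial, a comment giving the reason — or keeping the dontaudit and adding only the access actually needed — would be clearer than widening to full read access.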
# postfix does a "find" on startup for some reason - keep it quiet
files_read_usr_files(postfix_smtpd_t)
mta_read_aliases(postfix_smtpd_t)
+optional_policy(`
+ postgrey_stream_connect(postfix_smtpd_t)
+')
+
optional_policy(`
sasl_connect(postfix_smtpd_t)
')
/usr/sbin/postgrey -- gen_context(system_u:object_r:postgrey_exec_t,s0)
-/var/run/postgrey\.pid -- gen_context(system_u:object_r:postgrey_var_run_t,s0)
-
/var/lib/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_lib_t,s0)
+
+/var/run/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_run_t,s0)
+/var/run/postgrey\.pid -- gen_context(system_u:object_r:postgrey_var_run_t,s0)
## <summary>Postfix grey-listing server</summary>
+
+########################################
+## <summary>
+## Write to postgrey socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to talk to postgrey
+## </summary>
+## </param>
+#
+interface(`postgrey_stream_connect',`
+ gen_require(`
+ type postgrey_var_run_t, postgrey_t;
+ ')
+
+ allow $1 postgrey_t:unix_stream_socket connectto;
+ allow $1 postgrey_var_run_t:sock_file write;
+ files_search_pids($1)
+')
-policy_module(postgrey,1.0.1)
+policy_module(postgrey,1.0.2)
########################################
#
files_var_lib_filetrans(postgrey_t,postgrey_var_lib_t,file)
allow postgrey_t postgrey_var_run_t:file create_file_perms;
+allow postgrey_t postgrey_var_run_t:sock_file manage_file_perms;
allow postgrey_t postgrey_var_run_t:dir rw_dir_perms;
files_pid_filetrans(postgrey_t,postgrey_var_run_t,file)
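Review bot: postgrey_t now gets `manage_file_perms` on postgrey_var_run_t:sock_file and a `/var/run/postgrey(/.*)?` context, but the filetrans on the last line still names only `file`; a socket created directly in /var/run would be labeled with the generic pid type, and the new `postgrey_stream_connect` interface would not match it. If the socket lives inside /var/run/postgrey/ it inherits the directory label and this is fine; otherwise the line should read `files_pid_filetrans(postgrey_t,postgrey_var_run_t,{ file sock_file })`.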
-policy_module(procmail,1.2.4)
+policy_module(procmail,1.2.5)
########################################
#
corenet_udp_sendrecv_all_nodes(procmail_t)
corenet_tcp_sendrecv_all_ports(procmail_t)
corenet_udp_sendrecv_all_ports(procmail_t)
+corenet_udp_bind_all_nodes(procmail_t)
corenet_tcp_connect_spamd_port(procmail_t)
corenet_sendrecv_spamd_client_packets(procmail_t)
/etc/cron\.(daily|weekly|monthly)/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
/etc/raddb(/.*)? gen_context(system_u:object_r:radiusd_etc_t,s0)
+/etc/raddb/db.daily -- gen_context(system_u:object_r:radiusd_etc_rw_t,s0)
/usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
/usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
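Review bot: `/etc/raddb/db.daily` leaves the dot unescaped while the sibling patterns escape theirs, so it also matches any single character in that position; write it as `/etc/raddb/db\.daily -- gen_context(system_u:object_r:radiusd_etc_rw_t,s0)`. Consistent escaping matters more here than elsewhere because this entry selects the writable label inside an otherwise read-only config directory.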
-policy_module(radius,1.1.1)
+policy_module(radius,1.1.2)
########################################
#
type radiusd_etc_t;
files_config_file(radiusd_etc_t)
+type radiusd_etc_rw_t;
+files_type(radiusd_etc_rw_t)
+
type radiusd_log_t;
logging_log_file(radiusd_log_t)
allow radiusd_t radiusd_etc_t:lnk_file { getattr read };
files_search_etc(radiusd_t)
+allow radiusd_t radiusd_etc_rw_t:dir create_dir_perms;
+allow radiusd_t radiusd_etc_rw_t:file create_file_perms;
+allow radiusd_t radiusd_etc_rw_t:lnk_file create_lnk_perms;
+type_transition radiusd_t radiusd_etc_t:{ dir file lnk_file } radiusd_etc_rw_t;
+
allow radiusd_t radiusd_log_t:file create_file_perms;
allow radiusd_t radiusd_log_t:dir create_dir_perms;
logging_log_filetrans(radiusd_t,radiusd_log_t,{ file dir })
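Review bot: The type_transition in this hunk relabels every dir, file and lnk_file that radiusd_t creates inside a radiusd_etc_t directory to the new radiusd_etc_rw_t, while the file-context entry only names /etc/raddb/db.daily; together with the create_dir_perms/create_file_perms rules, anything the daemon writes under /etc/raddb becomes daemon-writable, not just db.daily. If db.daily is the only intended writable object, narrow it to `type_transition radiusd_t radiusd_etc_t:file radiusd_etc_rw_t;` and drop the dir/lnk_file creation rules, or add a comment stating that the daemon is expected to create arbitrary writable content there. radiusd_etc_rw_t is also declared with files_type rather than files_config_file, so interfaces that read "all config files" will not cover it; a comment such as `# daemon-writable state under /etc/raddb (db.daily); deliberately not a config_file type` would make that choice explicit.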
-policy_module(remotelogin,1.2.0)
+policy_module(remotelogin,1.2.1)
########################################
#
allow remote_login_t self:sem create_sem_perms;
allow remote_login_t self:msgq create_msgq_perms;
allow remote_login_t self:msg { send receive };
+allow remote_login_t self:key write;
allow remote_login_t remote_login_tmp_t:dir create_dir_perms;
allow remote_login_t remote_login_tmp_t:file create_file_perms;
-policy_module(samba,1.2.8)
+policy_module(samba,1.2.9)
#################################
#
allow smbd_t self:udp_socket create_socket_perms;
allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow smbd_t self:netlink_route_socket r_netlink_socket_perms;
allow smbd_t samba_etc_t:dir rw_dir_perms;
allow smbd_t samba_etc_t:file { rw_file_perms setattr };
-allow smbd_t samba_log_t:dir ra_dir_perms;
+allow smbd_t samba_log_t:dir { ra_dir_perms setattr };
dontaudit smbd_t samba_log_t:dir remove_name;
allow smbd_t samba_log_t:file { create ra_file_perms };
optional_policy(`
cups_read_rw_config(smbd_t)
+ cups_stream_connect(smbd_t)
')
optional_policy(`
allow nmbd_t samba_etc_t:dir { search getattr };
allow nmbd_t samba_etc_t:file { getattr read };
-allow nmbd_t samba_log_t:dir ra_dir_perms;
+allow nmbd_t samba_log_t:dir { ra_dir_perms setattr };
allow nmbd_t samba_log_t:file { create ra_file_perms };
allow nmbd_t samba_var_t:dir rw_dir_perms;
-policy_module(squid,1.1.3)
+policy_module(squid,1.1.4)
########################################
#
corenet_tcp_bind_all_nodes(squid_t)
corenet_udp_bind_all_nodes(squid_t)
corenet_tcp_bind_http_cache_port(squid_t)
+corenet_udp_bind_http_cache_port(squid_t)
corenet_tcp_bind_ftp_port(squid_t)
corenet_tcp_bind_gopher_port(squid_t)
+corenet_udp_bind_gopher_port(squid_t)
corenet_tcp_connect_ftp_port(squid_t)
corenet_tcp_connect_gopher_port(squid_t)
corenet_tcp_connect_http_port(squid_t)
')
ifdef(`TODO',`
-ifdef(`apache.te',`
-can_tcp_connect(squid_t, httpd_t)
-')
#squid requires the following when run in diskd mode, the recommended setting
allow squid_t tmpfs_t:file { read write };
') dnl end TODO
allow $1_ssh_t self:msgq create_msgq_perms;
allow $1_ssh_t self:msg { send receive };
allow $1_ssh_t self:tcp_socket create_socket_perms;
+ allow $1_ssh_t self:netlink_route_socket r_netlink_socket_perms;
# for rsync
allow $1_ssh_t $2:unix_stream_socket rw_socket_perms;
-policy_module(ssh,1.3.6)
+policy_module(ssh,1.3.7)
########################################
#
-policy_module(tftp,1.1.1)
+policy_module(tftp,1.1.2)
########################################
#
miscfiles_read_localization(tftpd_t)
sysnet_read_config(tftpd_t)
+sysnet_use_ldap(tftpd_t)
userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
userdom_dontaudit_use_sysadm_ttys(tftpd_t)
-policy_module(xfs,1.0.3)
+policy_module(xfs,1.0.4)
########################################
#
corecmd_list_sbin(xfs_t)
dev_read_sysfs(xfs_t)
+dev_read_urand(xfs_t)
+dev_read_rand(xfs_t)
fs_getattr_all_fs(xfs_t)
fs_search_auto_mountpoints(xfs_t)
')
ifdef(`TODO',`
- allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
allow $1_t xdm_xserver_t:unix_stream_socket connectto;
ifdef(`xdm.te', `
')
files_search_tmp($1)
+ allow $1 xdm_xserver_tmp_t:dir search_dir_perms;
allow $1 xdm_xserver_tmp_t:sock_file write;
allow $1 xdm_xserver_t:unix_stream_socket connectto;
')
-policy_module(xserver,1.1.10)
+policy_module(xserver,1.1.11)
########################################
#
allow xdm_t self:unix_dgram_socket create_socket_perms;
allow xdm_t self:tcp_socket create_stream_socket_perms;
allow xdm_t self:udp_socket create_socket_perms;
+allow xdm_t self:key write;
# Supress permission check on .ICE-unix
dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
')
optional_policy(`
- consoletype_domtrans(xdm_t)
+ consoletype_exec(xdm_t)
')
optional_policy(`
-policy_module(zebra,1.2.2)
+policy_module(zebra,1.2.3)
########################################
#
corenet_udp_sendrecv_all_ports(zebra_t)
corenet_tcp_bind_all_nodes(zebra_t)
corenet_udp_bind_all_nodes(zebra_t)
+corenet_tcp_bind_bgp_port(zebra_t)
corenet_tcp_bind_zebra_port(zebra_t)
corenet_udp_bind_router_port(zebra_t)
+corenet_tcp_connect_bgp_port(zebra_t)
corenet_sendrecv_zebra_server_packets(zebra_t)
corenet_sendrecv_router_server_packets(zebra_t)
unconfined_sigchld(zebra_t)
')
+tunable_policy(`allow_zebra_write_config',`
+ allow zebra_t zebra_conf_t:dir write;
+ allow zebra_t zebra_conf_t:file write;
+')
+
optional_policy(`
ldap_use(zebra_t)
')
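Review bot: The allow_zebra_write_config block grants only `write` on zebra_conf_t dirs and files, which is not enough to create or replace a config file: adding an entry needs `add_name` (and `remove_name` for a replace) on the dir and `create`/`setattr`/`unlink`/`rename` on the file, and dir `write` without add_name achieves little on its own. If the daemon's write-config command overwrites the file in place this is sufficient, but if it writes a temporary file and renames it over the original (not visible here) the tunable will still deny in practice; suggest `allow zebra_t zebra_conf_t:dir rw_dir_perms;` and `allow zebra_t zebra_conf_t:file manage_file_perms;`, or a comment stating that in-place overwrite is assumed. A one-line reason for the tunable would also help, e.g. `# off by default so a compromised daemon cannot persist changes to its own config`.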
-policy_module(authlogin,1.3.8)
+policy_module(authlogin,1.3.9)
########################################
#
term_setattr_console(pam_console_t)
term_getattr_unallocated_ttys(pam_console_t)
term_setattr_unallocated_ttys(pam_console_t)
+term_use_unallocated_ttys(pam_console_t)
auth_use_nsswitch(pam_console_t)
+/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-policy_module(fstools,1.3.2)
+policy_module(fstools,1.3.3)
########################################
#
/var/run/mgetty\.pid.* -- gen_context(system_u:object_r:getty_var_run_t,s0)
/var/spool/fax -- gen_context(system_u:object_r:getty_var_run_t,s0)
+/var/spool/voice -- gen_context(system_u:object_r:getty_var_run_t,s0)
-policy_module(getty,1.1.2)
+policy_module(getty,1.1.3)
########################################
#
#
# Use capabilities.
-allow getty_t self:capability { dac_override chown sys_resource sys_tty_config fowner fsetid };
+allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
dontaudit getty_t self:capability sys_tty_config;
allow getty_t self:process { getpgid getsession signal_perms };
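Review bot: `setgid` is added to getty_t's capability set without saying why; the other additions in this change (files_search_spool and the /var/spool/voice context) suggest a voice/fax getty switching group, but that is an inference from names. CAP_SETGID lets the process change its group identity and supplementary groups, so a short justification next to the rule would let a later reviewer judge whether it is still needed, e.g. `# setgid: mgetty/vgetty drop to a different group when handing the line to a helper - TODO confirm`. Also worth confirming that the call really is setgid()-only and does not need `setuid` as well, since the denial that prompted this is not shown.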
files_rw_generic_pids(getty_t)
files_read_etc_runtime_files(getty_t)
files_read_etc_files(getty_t)
+files_search_spool(getty_t)
init_rw_utmp(getty_t)
init_use_script_ptys(getty_t)
-policy_module(hotplug,1.2.1)
+policy_module(hotplug,1.2.2)
########################################
#
term_dontaudit_use_generic_ptys(hotplug_t)
optional_policy(`
- consoletype_domtrans(hotplug_t)
+ consoletype_exec(hotplug_t)
')
')
-policy_module(init,1.3.17)
+policy_module(init,1.3.18)
gen_require(`
class passwd rootok;
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
+# initrc_t needs to do a pidof which requires ptrace
+mcs_ptrace_all(initrc_t)
+
selinux_get_enforce_mode(initrc_t)
storage_getattr_fixed_disk_dev(initrc_t)
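Review bot: The comment on mcs_ptrace_all says pidof requires ptrace, but it should also say what the interface actually does: it exempts initrc_t from the MCS category constraint on process:ptrace for every process regardless of category, so the TE `process ptrace` rules (not in this hunk) become the only thing limiting which domains initrc_t can inspect. Because the exemption is unconditional, make the scope explicit, e.g. `# pidof inspects /proc/<pid> entries that are gated on process:ptrace;` / `# this only lifts the MCS category check - TE ptrace rules still apply`. If initrc_t already lacks TE ptrace on the relevant domains, verify the bypass is actually what the denial asked for before adding it.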
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
/usr/lib(64)?.*/libmpg123\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libavformat-.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libavcodec-.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libavutil-.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-policy_module(libraries,1.3.9)
+policy_module(libraries,1.3.10)
########################################
#
-policy_module(locallogin,1.2.3)
+policy_module(locallogin,1.2.4)
########################################
#
allow local_login_t self:sem create_sem_perms;
allow local_login_t self:msgq create_msgq_perms;
allow local_login_t self:msg { send receive };
+allow local_login_t self:key write;
allow local_login_t local_login_lock_t:file create_file_perms;
files_lock_filetrans(local_login_t,local_login_lock_t,file)
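Review bot: `allow local_login_t self:key write;` is added with no comment, and the same bare rule appears for remote_login_t and xdm_t elsewhere in this change, so three login domains gain keyring write access without any recorded reason. Presumably this is a PAM keyring module establishing a session keyring at login, but that is an inference; a one-line note such as `# session keyring setup at login (pam_keyinit?) - TODO confirm` on each occurrence would keep the rationale with the rule. If all three really need it for the same reason, a shared interface would avoid the duplication.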
')
files_search_etc($1)
- allow $1 auditd_etc_t:file create_file_perms;
+ allow $1 auditd_etc_t:dir rw_dir_perms;
+ allow $1 auditd_etc_t:file manage_file_perms;
')
########################################
')
files_search_etc($1)
+ allow $1 auditd_etc_t:dir r_dir_perms;
allow $1 auditd_etc_t:file r_file_perms;
')
')
files_search_var($1)
- allow $1 var_log_t:dir search;
+ allow $1 var_log_t:dir search_dir_perms;
')
#######################################
type var_log_t;
')
- dontaudit $1 var_log_t:dir search;
+ dontaudit $1 var_log_t:dir search_dir_perms;
')
#######################################
-policy_module(logging,1.3.7)
+policy_module(logging,1.3.8)
########################################
#
# Probably want a transition, and a new auditd_helper app
corecmd_exec_sbin(auditd_t)
corecmd_exec_bin(auditd_t)
-
+corecmd_exec_shell(auditd_t)
domain_use_interactive_fds(auditd_t)
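Review bot: `corecmd_exec_shell(auditd_t)` lets auditd run shell scripts inside auditd_t, so whatever those scripts do inherits the audit daemon's privileges, and the preceding comment already acknowledges that a transition to a helper domain is what is really wanted. A shell in the audit daemon's domain widens what a misconfigured helper can reach, so the rule should at least record what triggers it and keep the TODO live, e.g. `# helper scripts (presumably the dispatcher) run in auditd_t until an auditd_helper domain exists`. Adding the rule silently makes it likely the TODO above is never revisited.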
-policy_module(lvm,1.3.4)
+policy_module(lvm,1.3.5)
########################################
#
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
# rawio needed for dmraid
-allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio };
+allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio };
dontaudit lvm_t self:capability sys_tty_config;
allow lvm_t self:process { sigchld sigkill sigstop signull signal };
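Review bot: The comment block above the capability line explains dac_override, mknod and sys_rawio but not the newly added `fowner`, so its rationale is lost as soon as this diff is merged. CAP_FOWNER bypasses owner checks on chmod/chown-style operations and deserves the same one-line justification as the others, e.g. `# fowner: setting modes on device nodes lvm_t did not create - TODO confirm`. If it was added only to silence a denial that does not affect operation, a `dontaudit` would be the narrower fix.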
# LVM will complain a lot if it cannot set its priority.
fs_getattr_xattr_fs(lvm_t)
fs_search_auto_mountpoints(lvm_t)
+fs_list_tmpfs(lvm_t)
fs_read_tmpfs_symlinks(lvm_t)
fs_dontaudit_read_removable_files(lvm_t)
-policy_module(selinuxutil,1.2.9)
+policy_module(selinuxutil,1.2.10)
-gen_require(`
- bool secure_mode;
+ifdef(`strict_policy',`
+ gen_require(`
+ bool secure_mode;
+ ')
')
########################################
type semanage_t;
domain_type(semanage_t)
+domain_interactive_fd(semanage_t)
type semanage_exec_t;
domain_entry_file(semanage_t, semanage_exec_t)
allow restorecond_t self:capability { dac_override dac_read_search fowner };
allow restorecond_t self:fifo_file rw_file_perms;
+allow restorecond_t self:netlink_route_socket r_netlink_socket_perms;
allow restorecond_t restorecond_var_run_t:file create_file_perms;
files_pid_filetrans(restorecond_t,restorecond_var_run_t, file)
-auth_relabel_all_files_except_shadow(restorecond_t )
-auth_read_all_files_except_shadow(restorecond_t)
-fs_relabelfrom_noxattr_fs(restorecond_t)
-
kernel_use_fds(restorecond_t)
kernel_rw_pipes(restorecond_t)
kernel_read_system_state(restorecond_t)
+fs_relabelfrom_noxattr_fs(restorecond_t)
+fs_dontaudit_list_nfs(restorecond_t)
fs_getattr_xattr_fs(restorecond_t)
fs_list_inotifyfs(restorecond_t)
term_dontaudit_use_generic_ptys(restorecond_t)
+auth_relabel_all_files_except_shadow(restorecond_t )
+auth_read_all_files_except_shadow(restorecond_t)
+
init_use_fds(restorecond_t)
+init_dontaudit_use_script_ptys(restorecond_t)
libs_use_ld_so(restorecond_t)
libs_use_shared_libs(restorecond_t)
miscfiles_read_localization(restorecond_t)
+optional_policy(`
+ # restorecond watches for users logging in,
+ # so it getspwnam when a user logs in to find his homedir
+ nis_use_ypbind(restorecond_t)
+')
+
#################################
#
# Run_init local policy
allow semanage_t self:unix_stream_socket create_stream_socket_perms;
allow semanage_t self:unix_dgram_socket create_socket_perms;
allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow semanage_t self:netlink_route_socket r_netlink_socket_perms;
allow semanage_t policy_config_t:file { read write };
term_use_all_terms(semanage_t)
+# Running genhomedircon requires this for finding all users
+auth_use_nsswitch(semanage_t)
+
libs_use_ld_so(semanage_t)
libs_use_shared_libs(semanage_t)
libs_use_lib_files(semanage_t)
+locallogin_use_fds(semanage_t)
+
logging_send_syslog_msg(semanage_t)
miscfiles_read_localization(semanage_t)
userdom_search_sysadm_home_dirs(semanage_t)
ifdef(`targeted_policy',`
-# Handle pp files created in homedir and /tmp
+ # Handle pp files created in homedir and /tmp
files_read_generic_tmp_files(semanage_t)
userdom_read_generic_user_home_content_files(semanage_t)
')
-policy_module(setrans,1.0.1)
+policy_module(setrans,1.0.2)
########################################
#
miscfiles_read_localization(setrans_t)
seutil_read_config(setrans_t)
+
+optional_policy(`
+ rpm_use_script_fds(setrans_t)
+')
-policy_module(sysnetwork,1.1.8)
+policy_module(sysnetwork,1.1.9)
########################################
#
# for /sbin/ip
allow ifconfig_t self:packet_socket create_socket_perms;
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
+allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
allow ifconfig_t self:tcp_socket { create ioctl };
files_read_etc_files(ifconfig_t);
-policy_module(udev,1.3.3)
+policy_module(udev,1.3.4)
########################################
#
# Local policy
#
-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
dontaudit udev_t self:capability sys_tty_config;
-allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow udev_t self:process { execmem setfscreate };
allow udev_t self:fd use;
allow udev_t self:fifo_file rw_file_perms;
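Review bot: `sys_ptrace` is added to udev_t's capabilities and `ptrace` is dropped from the negated self:process set without any comment on what needs it; CAP_SYS_PTRACE is a strong capability and the hunk gives no hint whether udev now attaches to processes or merely reads other processes' /proc entries. The rewritten capability line also still lists `sys_nice` twice, which this edit was the natural opportunity to fix. Suggest a one-line reason above the rule, e.g. `# sys_ptrace: udev reads /proc/<pid> state of the helpers it spawns - TODO confirm`, and removing the duplicate `sys_nice`.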
/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/local/RealPlay/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/bin/mplayer -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/xine -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
')
allow $1 self:process execmem;
')
- tunable_policy(`allow_execmem && allow_execstack',`
- # Allow making the stack executable via mprotect.
- allow $1 self:process execstack;
+ tunable_policy(`allow_execstack',`
+ # Allow making the stack executable via mprotect;
+ # execstack implies execmem;
+ allow $1 self:process { execstack execmem };
# auditallow $1 self:process execstack;
')
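Review bot: Dropping the `allow_execmem &&` guard means that enabling allow_execstack now grants execmem even when allow_execmem is off, so the execmem boolean no longer fully controls executable anonymous memory for domains that use this interface. The in-code comment "execstack implies execmem" gives the motive, but the boolean's description (defined elsewhere) should say the same so an administrator who sets allow_execmem=false is not surprised; suggest wording it as "Allow making the stack executable via mprotect. Also grants execmem regardless of allow_execmem." Keeping the commented `# auditallow` line is fine for debugging, but it should not be mistaken for an active rule. The enclosing interface starts outside this hunk.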
-policy_module(unconfined,1.3.12)
+policy_module(unconfined,1.3.13)
########################################
#
ada_domtrans(unconfined_t)
')
- optional_policy(`
- amanda_domtrans_recover(unconfined_t)
- ')
-
optional_policy(`
apache_domtrans_helper(unconfined_t)
')
bluetooth_domtrans_helper(unconfined_t)
')
+ optional_policy(`
+ bootloader_domtrans(unconfined_t)
+ ')
+
optional_policy(`
init_dbus_chat_script(unconfined_t)
-policy_module(xen,1.0.7)
+policy_module(xen,1.0.8)
########################################
#
netutils_domtrans(xend_t)
optional_policy(`
- consoletype_domtrans(xend_t)
+ consoletype_exec(xend_t)
')
########################################