patch from dan, Thu, 2007-01-25 at 08:12 -0500
authorChris PeBenito <cpebenito@tresys.com>
Fri, 16 Feb 2007 23:01:42 +0000 (23:01 +0000)
committerChris PeBenito <cpebenito@tresys.com>
Fri, 16 Feb 2007 23:01:42 +0000 (23:01 +0000)
146 files changed:
Changelog
config/appconfig-strict-mcs/seusers
config/appconfig-strict-mls/seusers
config/appconfig-strict/seusers
man/man8/httpd_selinux.8
man/man8/kerberos_selinux.8
man/man8/named_selinux.8
man/man8/rsync_selinux.8
policy/global_tunables
policy/modules/admin/bootloader.fc
policy/modules/admin/bootloader.te
policy/modules/admin/consoletype.te
policy/modules/admin/logwatch.te
policy/modules/admin/prelink.te
policy/modules/admin/quota.fc
policy/modules/admin/quota.te
policy/modules/admin/rpm.te
policy/modules/admin/su.if
policy/modules/admin/su.te
policy/modules/admin/sudo.if
policy/modules/admin/sudo.te
policy/modules/admin/tzdata.fc [new file with mode: 0644]
policy/modules/admin/tzdata.if [new file with mode: 0644]
policy/modules/admin/tzdata.te [new file with mode: 0644]
policy/modules/admin/usermanage.te
policy/modules/admin/vpn.te
policy/modules/apps/ethereal.if
policy/modules/apps/ethereal.te
policy/modules/apps/evolution.if
policy/modules/apps/evolution.te
policy/modules/apps/games.if
policy/modules/apps/games.te
policy/modules/apps/gnome.fc
policy/modules/apps/gnome.if
policy/modules/apps/gnome.te
policy/modules/apps/java.if
policy/modules/apps/java.te
policy/modules/apps/loadkeys.te
policy/modules/apps/mozilla.if
policy/modules/apps/mozilla.te
policy/modules/apps/mplayer.if
policy/modules/apps/mplayer.te
policy/modules/apps/slocate.if
policy/modules/apps/slocate.te
policy/modules/apps/thunderbird.if
policy/modules/apps/thunderbird.te
policy/modules/apps/tvtime.if
policy/modules/apps/tvtime.te
policy/modules/apps/uml.if
policy/modules/apps/uml.te
policy/modules/apps/userhelper.if
policy/modules/apps/userhelper.te
policy/modules/apps/vmware.if
policy/modules/apps/vmware.te
policy/modules/apps/webalizer.te
policy/modules/kernel/corecommands.fc
policy/modules/kernel/corecommands.if
policy/modules/kernel/corecommands.te
policy/modules/kernel/corenetwork.if.in
policy/modules/kernel/corenetwork.te.in
policy/modules/kernel/domain.if
policy/modules/kernel/domain.te
policy/modules/kernel/files.if
policy/modules/kernel/files.te
policy/modules/kernel/filesystem.if
policy/modules/kernel/filesystem.te
policy/modules/kernel/kernel.if
policy/modules/kernel/kernel.te
policy/modules/services/apache.te
policy/modules/services/apm.te
policy/modules/services/automount.fc
policy/modules/services/automount.te
policy/modules/services/ccs.fc
policy/modules/services/ccs.te
policy/modules/services/cups.te
policy/modules/services/dbus.if
policy/modules/services/dbus.te
policy/modules/services/ftp.if
policy/modules/services/ftp.te
policy/modules/services/hal.if
policy/modules/services/hal.te
policy/modules/services/inetd.te
policy/modules/services/irqbalance.te
policy/modules/services/kerberos.if
policy/modules/services/kerberos.te
policy/modules/services/ktalk.fc
policy/modules/services/ktalk.te
policy/modules/services/lpd.if
policy/modules/services/lpd.te
policy/modules/services/mta.if
policy/modules/services/mta.te
policy/modules/services/networkmanager.te
policy/modules/services/nis.fc
policy/modules/services/nis.if
policy/modules/services/nis.te
policy/modules/services/nscd.te
policy/modules/services/openvpn.te
policy/modules/services/pcscd.fc [new file with mode: 0644]
policy/modules/services/pcscd.if [new file with mode: 0644]
policy/modules/services/pcscd.te [new file with mode: 0644]
policy/modules/services/pyzor.te
policy/modules/services/radvd.te
policy/modules/services/razor.if
policy/modules/services/razor.te
policy/modules/services/rhgb.if
policy/modules/services/rhgb.te
policy/modules/services/ricci.te
policy/modules/services/rlogin.te
policy/modules/services/rpc.fc
policy/modules/services/rpc.te
policy/modules/services/sendmail.te
policy/modules/services/setroubleshoot.if
policy/modules/services/setroubleshoot.te
policy/modules/services/snmp.if
policy/modules/services/snmp.te
policy/modules/services/spamassassin.if
policy/modules/services/spamassassin.te
policy/modules/services/ssh.if
policy/modules/services/ssh.te
policy/modules/services/xserver.fc
policy/modules/services/xserver.if
policy/modules/services/xserver.te
policy/modules/system/authlogin.if
policy/modules/system/authlogin.te
policy/modules/system/clock.te
policy/modules/system/fstools.te
policy/modules/system/getty.te
policy/modules/system/init.te
policy/modules/system/ipsec.fc
policy/modules/system/ipsec.te
policy/modules/system/iptables.te
policy/modules/system/libraries.fc
policy/modules/system/libraries.te
policy/modules/system/logging.te
policy/modules/system/lvm.te
policy/modules/system/miscfiles.if
policy/modules/system/miscfiles.te
policy/modules/system/modutils.te
policy/modules/system/selinuxutil.te
policy/modules/system/sysnetwork.te
policy/modules/system/unconfined.fc
policy/modules/system/unconfined.if
policy/modules/system/unconfined.te
policy/modules/system/userdomain.fc
policy/modules/system/userdomain.if
policy/modules/system/userdomain.te

index a3e9f69f932bac84fdb55c8b8c064a01a80b8a2f..7b518ccdefebbdce7ec830198c1bc8b2a028bb14 100644 (file)
--- a/Changelog
+++ b/Changelog
@@ -1,5 +1,7 @@
 - Fix explicit use of httpd_t in openca_domtrans().
 - Clean up file context regexes in apache and java, from Eamon Walsh.
+- Patches from Dan Walsh:
+       Thu, 25 Jan 2007
 
 * Tue Dec 12 2006 Chris PeBenito <selinux@tresys.com> - 20061212
 - Add policy patterns support macros.  This changes the behavior of
index ce614b41b88705552533c854ea0e9294b8ce66ba..dc5f1e42eabb0e42dc2ffcf04a051d0e90a300ca 100644 (file)
@@ -1,2 +1,3 @@
+system_u:system_u:s0-mcs_systemhigh
 root:root:s0-mcs_systemhigh
 __default__:user_u:s0
index 4e500b0985d427000852a1ee3d1d5ad0b96794a6..dc156bfa8b719b4c81b79a7b0693e6d104059443 100644 (file)
@@ -1,2 +1,3 @@
+system_u:system_u:s0-mls_systemhigh
 root:root:s0-mls_systemhigh
 __default__:user_u:s0
index f7c5bd27a7bb9392533e9a184c1ddfbeecb857f0..36b193b174263da41eb24195f113b2b9d14b2030 100644 (file)
@@ -1,2 +1,3 @@
+system_u:system_u
 root:root
 __default__:user_u
index e9d4774eeb9b9a9a5acf7f05ad92d83c54f525ca..3330e00b82d585c8a5ad47455bd1c2645b95b055 100644 (file)
@@ -1,4 +1,12 @@
 .TH  "httpd_selinux"  "8"  "17 Jan 2005" "dwalsh@redhat.com" "httpd Selinux Policy documentation"
+.de EX
+.nf
+.ft CW
+..
+.de EE
+.ft R
+.fi
+..
 .SH "NAME"
 httpd_selinux \- Security Enhanced Linux Policy for the httpd daemon
 .SH "DESCRIPTION"
@@ -9,38 +17,32 @@ control.
 SELinux requires files to have an extended attribute to define the file type. 
 Policy governs the access daemons have to these files. 
 SELinux httpd policy is very flexible allowing users to setup their web services in as secure a method as possible.
-.T
+.P
 The following file contexts types are defined for httpd:
-.br
-
+.EX
 httpd_sys_content_t 
-.br 
+.EE 
 - Set files with httpd_sys_content_t for content which is available from all httpd scripts and the daemon.
-.br
-
+.EX
 httpd_sys_script_exec_t  
-.br 
+.EE 
 - Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types.
-.br
-
+.EX
 httpd_sys_script_ro_t 
-.br
+.EE
 - Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t scripts to read the data, and disallow other sys scripts from access.
-.br
-
+.EX
 httpd_sys_script_rw_t 
-.br
+.EE
 - Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access.
-.br
-
+.EX
 httpd_sys_script_ra_t 
-.br
+.EE
 - Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access.
-
+.EX
 httpd_unconfined_script_exec_t  
-.br 
+.EE 
 - Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options.  It is better to use this script rather than turning off SELinux protection for httpd.
-.br
 
 .SH NOTE
 With certain policies you can define addional file contexts based on roles like user or staff.  httpd_user_script_exec_t can be defined where it would only have access to "user" contexts.
@@ -48,71 +50,81 @@ With certain policies you can define addional file contexts based on roles like
 .SH SHARING FILES
 If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.  allow_DOMAIN_anon_write.  So for httpd you would execute:
 
+.EX
 setsebool -P allow_httpd_anon_write=1
+.EE
 
 or 
 
+.EX
 setsebool -P allow_httpd_sys_script_anon_write=1
+.EE
 
 .SH BOOLEANS
 SELinux policy is customizable based on least access required.  So by 
 default SElinux prevents certain http scripts from working.  httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
-.TP
+.PP
 httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this
-.br
 
+.EX
 setsebool -P httpd_enable_cgi 1
+.EE
 
-.TP
+.PP
 httpd by default is not allowed to access users home directories.  If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir.
-.br
 
+.EX
 setsebool -P httpd_enable_homedirs 1
-.br
 chcon -R -t httpd_sys_content_t ~user/public_html
+.EE
 
-.TP
+.PP
 httpd by default is not allowed access to the controling terminal.  In most cases this is prefered, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required.  Set the httpd_tty_comm boolean to allow terminal access.
-.br
 
+.EX
 setsebool -P httpd_tty_comm 1
+.EE
 
-.TP
+.PP
 httpd can be configured to not differentiate file controls based on context, i.e. all files labeled as httpd context can be read/write/execute.  Setting this boolean to false allows you to setup the security policy such that one httpd service can not interfere with another.
-.br
 
+.EX
 setsebool -P httpd_unified 0
+.EE
 
-.TP
+.PP
 httpd can be configured to turn off internal scripting (PHP).  PHP and other
 loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts.
-.br
 
+.EX
 setsebool -P httpd_builtin_scripting 0
+.EE
 
-.TP
+.PP
 httpd scripts by default are not allowed to connect out to the network.
 This would prevent a hacker from breaking into you httpd server and attacking 
 other machines.  If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on.
-.br
 
+.EX
 setsebool -P httpd_can_network_connect 1
+.EE
 
-.TP
+.PP
 You can disable suexec transition, set httpd_suexec_disable_trans deny this
-.br
 
+.EX
 setsebool -P httpd_suexec_disable_trans 1
+.EE
 
-.TP
+.PP
 You can disable SELinux protection for the httpd daemon by executing:
-.br
 
+.EX
 setsebool -P httpd_disable_trans 1
-.br
 service httpd restart
+.EE
 
-.TP
+.PP
 system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
 .SH AUTHOR     
 This manual page was written by Dan Walsh <dwalsh@redhat.com>.
index 94b32289bd7a2b1070191bb4f36bd92ab74eeaa2..b614c40fbb530666fba82f0bdc430d5e7ac0b65e 100644 (file)
@@ -1,4 +1,12 @@
 .TH  "kerberos_selinux"  "8"  "17 Jan 2005" "dwalsh@redhat.com" "kerberos Selinux Policy documentation"
+.de EX
+.nf
+.ft CW
+..
+.de EE
+.ft R
+.fi
+..
 .SH "NAME"
 kerberos_selinux \- Security Enhanced Linux Policy for Kerberos.
 .SH "DESCRIPTION"
@@ -6,23 +14,19 @@ kerberos_selinux \- Security Enhanced Linux Policy for Kerberos.
 Security-Enhanced Linux secures the system via flexible mandatory access
 control. By default Kerberos access is not allowed, since it requires daemons to be allowed greater access to certain secure files and addtional access to the network.  
 .SH BOOLEANS
-.TP
+.PP
 You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment.
-.TP
+.EX
 setsebool -P allow_kerberos 1
-.TP 
+.EE 
 If you are running Kerberos daemons kadmind or krb5kdc you can disable the SELinux protection on these daemons by setting the krb5kdc_disable_trans and kadmind_disable_trans booleans.
-.br
-
+.EX
 setsebool -P krb5kdc_disable_trans 1
-.br
 service krb5kdc restart
-.br
 setsebool -P kadmind_disable_trans booleans 1
-.br
 service kadmind restart
-
-.TP
+.EE
+.PP
 system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
 .SH AUTHOR     
 This manual page was written by Dan Walsh <dwalsh@redhat.com>.
index 2381614c5517389dc4fb09fe9f3304202a027443..d2f601b4eb7a8ac70e21821ab8a2cb3ab057e168 100644 (file)
@@ -1,4 +1,12 @@
 .TH  "named_selinux"  "8"  "17 Jan 2005" "dwalsh@redhat.com" "named Selinux Policy documentation"
+.de EX
+.nf
+.ft CW
+..
+.de EE
+.ft R
+.fi
+..
 .SH "NAME"
 named_selinux \- Security Enhanced Linux Policy for the Internet Name server (named) daemon
 .SH "DESCRIPTION"
@@ -8,17 +16,16 @@ control.
 .SH BOOLEANS
 SELinux policy is customizable based on least access required.  So by 
 default SElinux policy does not allow named to write master zone files.  If you want to have named update the master zone files you need to set the named_write_master_zones boolean.
-.TP
-.br
+.EX
 setsebool -P named_write_master_zones 1
-
-.TP
+.EE
+.PP
 You can disable SELinux protection for the named daemon by executing:
-.TP
+.EX
 setsebool -P named_disable_trans 1
-.br
 service named restart
-.TP
+.EE
+.PP
 system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
 .SH AUTHOR     
 This manual page was written by Dan Walsh <dwalsh@redhat.com>.
index 8ff44296f4425d79096cee6d8c8cc796a86a7589..fece9c7338a61d6a98e149d84d75527e5c251203 100644 (file)
@@ -1,4 +1,12 @@
 .TH  "rsync_selinux"  "8"  "17 Jan 2005" "dwalsh@redhat.com" "rsync Selinux Policy documentation"
+.de EX
+.nf
+.ft CW
+..
+.de EE
+.ft R
+.fi
+..
 .SH "NAME"
 rsync_selinux \- Security Enhanced Linux Policy for the rsync daemon
 .SH "DESCRIPTION"
@@ -14,24 +22,25 @@ would need to label the directory with the chcon tool.
 chcon -t public_content_t /var/rsync
 .TP
 If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file.
-.TP
+.EX
 /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
-.br
 /var/rsync(/.*)? system_u:object_r:public_content_t
+.EE
 
 .SH SHARING FILES
 If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.  allow_DOMAIN_anon_write.  So for rsync you would execute:
 
+.EX
 setsebool -P allow_rsync_anon_write=1
-
+.EE
 
 .SH BOOLEANS
 .TP
 You can disable SELinux protection for the rsync daemon by executing:
-.TP
+.EX
 setsebool -P rsync_disable_trans 1
-.br
 service xinetd restart
+.EE
 .TP
 system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
 .SH AUTHOR     
index 1cdee7a66e7d13c2e75b3a14df0abe502a341539..05b19ffd6dadfae4463d01d4bbd1b902a8abab91 100644 (file)
@@ -64,6 +64,14 @@ gen_tunable(allow_execstack,false)
 ## </desc>
 gen_tunable(allow_ftpd_anon_write,false)
 
+## <desc>
+## <p>
+## Allow ftp servers to login to local users and 
+## read/write all files on the system, governed by DAC.
+## </p>
+## </desc>
+gen_tunable(allow_ftpd_full_access,false)
+
 ## <desc>
 ## <p>
 ## Allow ftp servers to use cifs
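Review bot: The description of the new `allow_ftpd_full_access` tunable understates what it switches off: "governed by DAC" means that once it is enabled only Unix permissions limit which files the ftp daemon can read or write. Say so directly, for example `## When enabled, SELinux no longer confines ftpd file access; only DAC applies.` The rules that consume the tunable are outside this hunk, so check the wording against ftp.te before finalising it. The first added description line also ends in trailing whitespace.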
@@ -326,6 +334,13 @@ gen_tunable(samba_share_nfs,false)
 ## </desc>
 gen_tunable(squid_connect_any,false)
 
+## <desc>
+## <p>
+## Allow ssh logins as sysadm_r:sysadm_t
+## </p>
+## </desc>
+gen_tunable(ssh_sysadm_login,false)
+
 ## <desc>
 ## <p>
 ## Configure stunnel to be a standalone daemon or
@@ -348,6 +363,13 @@ gen_tunable(use_nfs_home_dirs,false)
 ## </desc>
 gen_tunable(use_samba_home_dirs,false)
 
+## <desc>
+## <p>
+## Allow xdm logins as sysadm
+## </p>
+## </desc>
+gen_tunable(xdm_sysadm_login,false)
+
 ########################################
 #
 # Strict policy specific
@@ -498,18 +520,18 @@ gen_tunable(spamassassin_can_network,false)
 
 ## <desc>
 ## <p>
-## Allow ssh logins as sysadm_r:sysadm_t
+## Allow staff_r users to search the sysadm home 
+## dir and read files (such as ~/.bashrc)
 ## </p>
 ## </desc>
-gen_tunable(ssh_sysadm_login,false)
+gen_tunable(staff_read_sysadm_file,false)
 
 ## <desc>
 ## <p>
-## Allow staff_r users to search the sysadm home 
-## dir and read files (such as ~/.bashrc)
+## Use lpd server instead of cups
 ## </p>
 ## </desc>
-gen_tunable(staff_read_sysadm_file,false)
+gen_tunable(use_lpd_server,false)
 
 ## <desc>
 ## <p>
@@ -565,13 +587,6 @@ gen_tunable(user_ttyfile_stat,false)
 ## </p>
 ## </desc>
 gen_tunable(write_untrusted_content,false)
-
-## <desc>
-## <p>
-## Allow xdm logins as sysadm
-## </p>
-## </desc>
-gen_tunable(xdm_sysadm_login,false)
 ')
 
 ########################################
index 107cc4a979b027cb7d2dcdd77128bfe11e68a381..b6383623b6eb82b2b7b34b62c9998c0927799b38 100644 (file)
@@ -2,11 +2,6 @@
 /etc/lilo\.conf.*      --      gen_context(system_u:object_r:bootloader_etc_t,s0)
 /etc/yaboot\.conf.*    --      gen_context(system_u:object_r:bootloader_etc_t,s0)
 
-/etc/mkinitrd/scripts/.* --    gen_context(system_u:object_r:bootloader_exec_t,s0)
-
-/usr/sbin/mkinitrd     --      gen_context(system_u:object_r:bootloader_exec_t,s0)
-
 /sbin/grub             --      gen_context(system_u:object_r:bootloader_exec_t,s0)
 /sbin/lilo.*           --      gen_context(system_u:object_r:bootloader_exec_t,s0)
-/sbin/mkinitrd         --      gen_context(system_u:object_r:bootloader_exec_t,s0)
 /sbin/ybin.*           --      gen_context(system_u:object_r:bootloader_exec_t,s0)
index f71b97f5a6135b64cffa90a1f17b74d9b469e01a..44206fe6dbea2a33d21fe31fee04e213f81222b2 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(bootloader,1.4.0)
+policy_module(bootloader,1.4.1)
 
 ########################################
 #
@@ -93,6 +93,8 @@ fs_read_tmpfs_symlinks(bootloader_t)
 fs_manage_dos_files(bootloader_t)
 
 mls_file_read_up(bootloader_t)
+mls_file_write_down(bootloader_t)
+
 
 term_getattr_all_user_ttys(bootloader_t)
 term_dontaudit_manage_pty_dirs(bootloader_t)
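Review bot: `mls_file_write_down(bootloader_t)` is added without a comment, and judging by the interface name it is an MLS override that lets bootloader_t write to files below its own level. A why-comment above it, e.g. `# MLS: <reason bootloader_t must write below its level>`, would let a later audit decide whether the exemption is still needed. The same applies to `mls_file_write_down($1_su_t)` in su.if and `mls_file_upgrade(useradd_t)` in usermanage.te further down this commit. The hunk also leaves two consecutive blank lines after the new call.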
@@ -163,9 +165,6 @@ ifdef(`distro_redhat',`
        # new file system defaults to file_t, granting file_t access is still bad.
        allow bootloader_t boot_runtime_t:file { read_file_perms unlink };
 
-       # mkinitrd mount initrd on bootloader temp dir
-       files_mountpoint(bootloader_tmp_t)
-
        # new file system defaults to file_t, granting file_t access is still bad.
        files_manage_isid_type_dirs(bootloader_t)
        files_manage_isid_type_files(bootloader_t)
index 831a8634b84518f68257e51d645fe7ea29c6e907..a07ab94a716ae4ceba1b1680791b86b332f75cb2 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(consoletype,1.2.0)
+policy_module(consoletype,1.2.1)
 
 ########################################
 #
@@ -87,6 +87,11 @@ optional_policy(`
        firstboot_rw_pipes(consoletype_t)
 ')
 
+optional_policy(`
+       hal_dontaudit_use_fds(consoletype_t)
+       hal_dontaudit_rw_pipes(consoletype_t)
+')
+
 optional_policy(`
        logrotate_dontaudit_use_fds(consoletype_t)
 ')
index f54ad40701ebc17306ee4e33a241b4d54f104630..2ab7defdf5a6f55f02ac308c4f895f028e4522ff 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(logwatch,1.3.0)
+policy_module(logwatch,1.3.1)
 
 #################################
 #
@@ -58,6 +58,7 @@ dev_search_sysfs(logwatch_t)
 # Read /proc/PID directories for all domains.
 domain_read_all_domains_state(logwatch_t)
 
+files_list_var(logwatch_t)
 files_read_etc_files(logwatch_t)
 files_read_etc_runtime_files(logwatch_t)
 files_read_usr_files(logwatch_t)
@@ -112,6 +113,10 @@ optional_policy(`
        mta_getattr_spool(logwatch_t)
 ')
 
+optional_policy(`
+       nis_use_ypbind(logwatch_t)
+')
+
 optional_policy(`
        nscd_socket_use(logwatch_t)
 ')
index ab158e873e8cc0e28eba04e566def160ce280fe6..bba13dc310269d46e49e533b09cd04989f49d867 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(prelink,1.3.0)
+policy_module(prelink,1.3.1)
 
 ########################################
 #
@@ -18,6 +18,9 @@ files_type(prelink_cache_t)
 type prelink_log_t;
 logging_log_file(prelink_log_t)
 
+type prelink_tmp_t;
+files_tmp_file(prelink_tmp_t)
+
 ########################################
 #
 # Local policy
@@ -37,6 +40,10 @@ append_files_pattern(prelink_t,prelink_log_t,prelink_log_t)
 read_lnk_files_pattern(prelink_t,prelink_log_t,prelink_log_t)
 logging_log_filetrans(prelink_t, prelink_log_t, file)
 
+allow prelink_t prelink_tmp_t:file { manage_file_perms execute };
+files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
+fs_tmpfs_filetrans(prelink_t, prelink_tmp_t, file)
+
 # prelink misc objects that are not system
 # libraries or entrypoints
 allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
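Review bot: The new `allow prelink_t prelink_tmp_t:file { manage_file_perms execute };` lets prelink_t both write and execute the files it creates in /tmp and on tmpfs, and nothing in the hunk says why `execute` is required. A domain that can run its own writable temporary files is a weaker confinement than one that can only build them, so the permission should be justified or dropped. If it is needed, add a comment above the rule such as `# execute: <why prelink must run its temporary files>`; if prelink only builds the file there, use `manage_file_perms` alone.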
index b760aa36c231ce64758238d139626a4345728ae4..f38723074717ebbbb80a69d7e6b3abbe30a67925 100644 (file)
@@ -1,14 +1,19 @@
+HOME_ROOT/a?quota\.(user|group)        --      gen_context(system_u:object_r:quota_db_t,s0)
+
+/a?quota\.(user|group) --      gen_context(system_u:object_r:quota_db_t,s0)
+
+/boot/a?quota\.(user|group)    --      gen_context(system_u:object_r:quota_db_t,s0)
+
+/etc/a?quota\.(user|group)     --      gen_context(system_u:object_r:quota_db_t,s0)
 
 /sbin/quota(check|on)          --      gen_context(system_u:object_r:quota_exec_t,s0)
 
+/var/a?quota\.(user|group)     --      gen_context(system_u:object_r:quota_db_t,s0)
+/var/lib/quota(/.*)?                   gen_context(system_u:object_r:quota_flag_t,s0)
+/var/spool/a?quota\.(user|group) --    gen_context(system_u:object_r:quota_db_t,s0)
+
 ifdef(`distro_redhat',`
 /usr/sbin/convertquota         --      gen_context(system_u:object_r:quota_exec_t,s0)
 ',`
 /sbin/convertquota             --      gen_context(system_u:object_r:quota_exec_t,s0)
 ')
-
-HOME_ROOT/a?quota\.(user|group)        --      gen_context(system_u:object_r:quota_db_t,s0)
-
-/var/a?quota\.(user|group)     --      gen_context(system_u:object_r:quota_db_t,s0)
-
-/var/lib/quota(/.*)?                   gen_context(system_u:object_r:quota_flag_t,s0)
index 81717643cd357e9553fba2f1944efb7b6233d395..276c5b1ef6ee1bcbed786cd4d4f9bd481056917d 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(quota,1.1.0)
+policy_module(quota,1.1.1)
 
 ########################################
 #
@@ -26,7 +26,15 @@ dontaudit quota_t self:capability sys_tty_config;
 allow quota_t self:process signal_perms;
 
 # for /quota.*
-allow quota_t quota_db_t:file { read write quotaon };
+allow quota_t quota_db_t:file { manage_file_perms quotaon };
+files_root_filetrans(quota_t, quota_db_t, file)
+files_boot_filetrans(quota_t, quota_db_t, file)
+files_etc_filetrans(quota_t, quota_db_t, file)
+files_tmp_filetrans(quota_t, quota_db_t, file)
+files_home_filetrans(quota_t, quota_db_t, file)
+files_usr_filetrans(quota_t, quota_db_t, file)
+files_var_filetrans(quota_t, quota_db_t, file)
+files_spool_filetrans(quota_t, quota_db_t, file)
 
 kernel_list_proc(quota_t)
 kernel_read_proc_symlinks(quota_t)
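Review bot: The added `files_tmp_filetrans(quota_t, quota_db_t, file)` and `files_usr_filetrans(quota_t, quota_db_t, file)` have no matching entry in quota.fc, which in this commit covers HOME_ROOT, /, /boot, /etc, /var and /var/spool but nothing under /tmp or /usr. A quota file created in those two places would get quota_db_t at creation and presumably lose it on the next relabel. Either add the two file-context lines or drop the two transitions. These calls take no file-name argument, so every regular file quota_t creates in the listed directories is labelled quota_db_t. The retained `# for /quota.*` comment should be updated to name the directories now covered.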
@@ -55,6 +63,7 @@ files_read_all_files(quota_t)
 files_read_all_symlinks(quota_t)
 files_getattr_all_pipes(quota_t)
 files_getattr_all_sockets(quota_t)
+files_getattr_all_file_type_fs(quota_t)
 # Read /etc/mtab.
 files_read_etc_runtime_files(quota_t)
 
@@ -81,12 +90,3 @@ optional_policy(`
 optional_policy(`
        udev_read_db(quota_t)
 ')
-
-ifdef(`TODO',`
-# quotacheck creates new quota_db_t files
-file_type_auto_trans(quota_t, { root_t home_root_t var_t usr_t src_t var_spool_t }, quota_db_t, file)
-
-allow quota_t file_t:file quotaon;
-
-allow quota_t proc_t:file getattr;
-') dnl end TODO
index ecf5af3d290745c085d15c49a8ecdde4977e4295..3bff0b6c6418c31a4aac41d3126e4693f49ab686 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(rpm,1.5.0)
+policy_module(rpm,1.5.1)
 
 ########################################
 #
@@ -188,11 +188,11 @@ ifdef(`targeted_policy',`
 ')
 
 optional_policy(`
-       hal_dbus_chat(rpm_t)
+       cron_system_entry(rpm_t,rpm_exec_t)
 ')
 
 optional_policy(`
-       cron_system_entry(rpm_t,rpm_exec_t)
+       hal_dbus_chat(rpm_t)
 ')
 
 optional_policy(`
@@ -368,6 +368,11 @@ optional_policy(`
        nis_use_ypbind(rpm_script_t)
 ')
 
+optional_policy(`
+       tzdata_domtrans(rpm_t)
+       tzdata_domtrans(rpm_script_t)
+')
+
 optional_policy(`
        usermanage_domtrans_groupadd(rpm_script_t)
        usermanage_domtrans_useradd(rpm_script_t)
index dee1ca1a708c55b238faf72312a5e293f76f5809..b6f6a8483430a8a91f8ae957e4204724f7359a09 100644 (file)
@@ -61,6 +61,7 @@ template(`su_restricted_domain_template', `
        kernel_read_system_state($1_su_t)
        kernel_read_kernel_sysctls($1_su_t)
        kernel_search_key($1_su_t)
+       kernel_link_key($1_su_t)
 
        # for SSP
        dev_read_urand($1_su_t)
@@ -160,11 +161,12 @@ template(`su_restricted_domain_template', `
 #
 template(`su_per_role_template',`
        gen_require(`
+               attribute su_domain_type;
                type su_exec_t;
                bool secure_mode;
        ')
 
-       type $1_su_t;
+       type $1_su_t, su_domain_type;
        domain_entry_file($1_su_t,su_exec_t)
        domain_type($1_su_t)
        domain_interactive_fd($1_su_t)
@@ -177,6 +179,7 @@ template(`su_per_role_template',`
        allow $1_su_t self:process { setexec setsched setrlimit };
        allow $1_su_t self:fifo_file rw_fifo_file_perms;
        allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
+       allow $1_su_t self:key { search write };
 
        # Transition from the user domain to this domain.
        domtrans_pattern($2, su_exec_t, $1_su_t)
@@ -189,12 +192,17 @@ template(`su_per_role_template',`
 
        kernel_read_system_state($1_su_t)
        kernel_read_kernel_sysctls($1_su_t)
+       kernel_search_key($1_su_t)
+       kernel_link_key($1_su_t)
 
        # for SSP
        dev_read_urand($1_su_t)
 
        fs_search_auto_mountpoints($1_su_t)
 
+       # needed for pam_rootok
+       selinux_compute_access_vector($1_su_t)
+
        auth_domtrans_user_chk_passwd($1,$1_su_t)
        auth_dontaudit_read_shadow($1_su_t)
        auth_use_nsswitch($1_su_t)
@@ -213,6 +221,8 @@ template(`su_per_role_template',`
        # Write to utmp.
        init_rw_utmp($1_su_t)
 
+       mls_file_write_down($1_su_t)
+
        libs_use_ld_so($1_su_t)
        libs_use_shared_libs($1_su_t)
 
@@ -230,7 +240,6 @@ template(`su_per_role_template',`
 
                selinux_get_fs_mount($1_su_t)
                selinux_validate_context($1_su_t)
-               selinux_compute_access_vector($1_su_t)
                selinux_compute_create_context($1_su_t)
                selinux_compute_relabel_context($1_su_t)
                selinux_compute_user_contexts($1_su_t)
@@ -297,9 +306,7 @@ template(`su_per_role_template',`
 
        # Modify .Xauthority file (via xauth program).
        optional_policy(`
-#              file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
-#              file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
-#              file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
+               xserver_user_home_dir_filetrans_user_xauth($1, su_domain_type)
                xserver_domtrans_user_xauth($1, $1_su_t)
        ')
 
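Review bot: `xserver_user_home_dir_filetrans_user_xauth($1, su_domain_type)` passes the attribute `su_domain_type`, whereas the neighbouring `xserver_domtrans_user_xauth($1, $1_su_t)` passes the per-role type. The xauth file transition in this role's home directory is therefore granted to the su domain of every role, not only `$1_su_t`. That looks deliberate, since the commented-out lines it replaces covered the staff, user and sysadm home directories, but it should be stated with a comment such as `# every su domain may create this role's .Xauthority`. If only the per-role domain was meant, pass `$1_su_t` instead. The template body extends beyond this hunk.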
index 00999cedded79b2fc69b3e83d8c7241a92da2e3a..886edbd6e6779e57c1cccf743705dccba3969f4d 100644 (file)
@@ -1,10 +1,12 @@
 
-policy_module(su,1.5.0)
+policy_module(su,1.5.1)
 
 ########################################
 #
 # Declarations
 #
 
+attribute su_domain_type;
+
 type su_exec_t;
 corecmd_executable_file(su_exec_t)
index e0ae7c05b38f3136f40c052a4059a877bac1e592..da47fa9795e271efd692ffafb12707a642d6ccf1 100644 (file)
@@ -71,6 +71,7 @@ template(`sudo_per_role_template',`
        allow $1_sudo_t self:unix_dgram_socket sendto;
        allow $1_sudo_t self:unix_stream_socket connectto;
        allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
+       allow $1_sudo_t self:netlink_route_socket r_netlink_socket_perms;
 
        # Enter this derived domain from the user domain
        domtrans_pattern($2, sudo_exec_t, $1_sudo_t)
@@ -83,6 +84,7 @@ template(`sudo_per_role_template',`
 
        kernel_read_kernel_sysctls($1_sudo_t)
        kernel_read_system_state($1_sudo_t)
+       kernel_search_key($1_sudo_t)
 
        dev_read_urand($1_sudo_t)
 
@@ -90,6 +92,8 @@ template(`sudo_per_role_template',`
        fs_getattr_xattr_fs($1_sudo_t)
 
        auth_domtrans_chk_passwd($1_sudo_t)
+       # sudo stores a token in the pam_pid directory
+       auth_manage_pam_pid($1_sudo_t)
 
        corecmd_getattr_bin_files($1_sudo_t)
        corecmd_read_sbin_symlinks($1_sudo_t)
@@ -140,9 +144,5 @@ template(`sudo_per_role_template',`
        domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
        ')
 
-       ifdef(`pam.te', `
-       allow $1_sudo_t pam_var_run_t:dir manage_dir_perms;
-       allow $1_sudo_t pam_var_run_t:file manage_file_perms;
-       ')
        ') dnl end TODO
 ')
index 54c1f3c0ff959fffd64919e504055299a8013436..bf3ea5fa9db0c02c29091a51ca1eb21d063b2984 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(sudo,1.0.0)
+policy_module(sudo,1.0.1)
 
 ########################################
 #
diff --git a/policy/modules/admin/tzdata.fc b/policy/modules/admin/tzdata.fc
new file mode 100644 (file)
index 0000000..04b8548
--- /dev/null
@@ -0,0 +1 @@
+/usr/sbin/tzdata-update        --      gen_context(system_u:object_r:tzdata_exec_t,s0)
diff --git a/policy/modules/admin/tzdata.if b/policy/modules/admin/tzdata.if
new file mode 100644 (file)
index 0000000..af803bf
--- /dev/null
@@ -0,0 +1,19 @@
+## <summary>Time zone updater</summary>
+
+########################################
+## <summary>
+##     Execute a domain transition to run tzdata.
+## </summary>
+## <param name="domain">
+## <summary>
+##     Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tzdata_domtrans',`
+       gen_require(`
+               type tzdata_t, tzdata_exec_t;
+       ')
+
+       domtrans_pattern($1,tzdata_exec_t,tzdata_t)
+')
diff --git a/policy/modules/admin/tzdata.te b/policy/modules/admin/tzdata.te
new file mode 100644 (file)
index 0000000..b4c48f6
--- /dev/null
@@ -0,0 +1,40 @@
+
+policy_module(tzdata,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type tzdata_t;
+type tzdata_exec_t;
+init_daemon_domain(tzdata_t, tzdata_exec_t)
+
+########################################
+#
+# tzdata local policy
+#
+
+files_read_etc_files(tzdata_t)
+files_search_spool(tzdata_t)
+
+term_dontaudit_list_ptys(tzdata_t)
+
+libs_use_ld_so(tzdata_t)
+libs_use_shared_libs(tzdata_t)
+
+locallogin_dontaudit_use_fds(tzdata_t)
+
+miscfiles_read_localization(tzdata_t)
+miscfiles_manage_localization(tzdata_t)
+miscfiles_etc_filetrans_localization(tzdata_t)
+
+ifdef(`targeted_policy',`
+       term_dontaudit_use_unallocated_ttys(tzdata_t)
+       term_dontaudit_use_generic_ptys(tzdata_t)
+')
+
+# tzdata looks for /var/spool/postfix/etc/localtime.
+optional_policy(`
+       postfix_search_spool(tzdata_t)
+')
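Review bot: `init_daemon_domain(tzdata_t, tzdata_exec_t)` declares tzdata as an init-started daemon, yet the only entry point this commit adds is `tzdata_domtrans`, called for rpm_t and rpm_script_t in rpm.te. If tzdata-update is never started by init, a plain `domain_type(tzdata_t)` with `domain_entry_file(tzdata_t,tzdata_exec_t)` would avoid giving init a transition it does not need. The macro expansions and any required role statement are not visible here and need confirming. Separately, `miscfiles_read_localization(tzdata_t)` is immediately followed by `miscfiles_manage_localization(tzdata_t)`, which presumably already includes read access, so the first call can likely be dropped.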
index 6af8f3fabe1e6bc8c9ab7768204a466bd596475d..56705bcbcadf689033f350347cb38c2437d3dd8a 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(usermanage,1.5.0)
+policy_module(usermanage,1.5.1)
 
 ########################################
 #
@@ -112,6 +112,7 @@ domain_use_interactive_fds(chfn_t)
 files_manage_etc_files(chfn_t)
 files_read_etc_runtime_files(chfn_t)
 files_dontaudit_search_var(chfn_t)
+files_dontaudit_search_home(chfn_t)
 
 # /usr/bin/passwd asks for w access to utmp, but it will operate
 # correctly without it.  Do not audit write denials to utmp.
@@ -486,6 +487,8 @@ files_read_etc_runtime_files(useradd_t)
 fs_search_auto_mountpoints(useradd_t)
 fs_getattr_xattr_fs(useradd_t)
 
+mls_file_upgrade(useradd_t)
+
 # Allow access to context for shadow file
 selinux_get_fs_mount(useradd_t)
 selinux_validate_context(useradd_t)
@@ -517,16 +520,16 @@ miscfiles_read_localization(useradd_t)
 seutil_read_config(useradd_t)
 seutil_read_file_contexts(useradd_t)
 seutil_read_default_contexts(useradd_t)
+seutil_domtrans_semanage(useradd_t)
+seutil_domtrans_restorecon(useradd_t)
 
 userdom_use_unpriv_users_fds(useradd_t)
 # for when /root is the cwd
 userdom_dontaudit_search_sysadm_home_dirs(useradd_t)
 # Add/remove user home directories
 userdom_home_filetrans_generic_user_home_dir(useradd_t)
-userdom_manage_generic_user_home_content_dirs(useradd_t)
-userdom_manage_generic_user_home_content_files(useradd_t)
-userdom_manage_generic_user_home_dirs(useradd_t)
-userdom_manage_staff_home_dirs(useradd_t)
+userdom_manage_all_users_home_content_dirs(useradd_t)
+userdom_manage_all_users_home_content_files(useradd_t)
 userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notdevfile_class_set)
 
 mta_manage_spool(useradd_t)
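Review bot: The two added `userdom_manage_all_users_home_content_*` calls replace four removed ones, and two of those (`userdom_manage_generic_user_home_dirs`, `userdom_manage_staff_home_dirs`) covered the home directories themselves rather than their content. Going by the interface names, useradd_t may lose rights on the top-level home directory while gaining manage access to the home content of every role; please confirm that is intended and widen the existing `# Add/remove user home directories` comment to say so. The same hunk lets useradd_t transition to semanage and restorecon, and the previous hunk adds `mls_file_upgrade(useradd_t)`. Each of these is a privilege increase on an account-management domain and deserves a one-line why-comment.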
index f6af2c3724cb6b51577861a23e29ab0fc21a60c6..f6acf4b0f24090d017df548555b2758e852eddfe 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(vpn,1.3.0)
+policy_module(vpn,1.3.1)
 
 ########################################
 #
@@ -95,6 +95,7 @@ logging_send_syslog_msg(vpnc_t)
 miscfiles_read_localization(vpnc_t)
 
 seutil_dontaudit_search_config(vpnc_t)
+seutil_use_newrole_fds(vpnc_t)
 
 sysnet_exec_ifconfig(vpnc_t)
 sysnet_etc_filetrans_config(vpnc_t)
index 91789daf03184e6a135df6dabc22c33c26f3b363..2a2e86dcab1a422819ee4b0574d9efc5c1e6ca85 100644 (file)
 #
 template(`ethereal_per_role_template',`
 
+       gen_require(`
+               type ethereal_exec_t;
+       ')
+
        ##############################
        #
        # Declarations
index 433765a00ac928f3df4d1c03a1c6001ae065aa05..c3449c067aefb4271b39eb46cf26f178fef3f073 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(ethereal,1.1.0)
+policy_module(ethereal,1.1.1)
 
 ########################################
 #
index 02ccdba772464752ca92048ecff2f9fde60e532d..17c8b79a58e8f2885b56a1292f0155dad5bf7bad 100644 (file)
@@ -53,7 +53,7 @@ template(`evolution_per_role_template',`
        userdom_user_home_content($1,$1_evolution_home_t)
 
        type $1_evolution_orbit_tmp_t;
-       files_type($1_evolution_orbit_tmp_t)
+       files_tmp_file($1_evolution_orbit_tmp_t)
        
        type $1_evolution_alarm_t;
        domain_type($1_evolution_alarm_t)
@@ -64,7 +64,7 @@ template(`evolution_per_role_template',`
        files_tmpfs_file($1_evolution_alarm_tmpfs_t)
 
        type $1_evolution_alarm_orbit_tmp_t;
-       files_type($1_evolution_alarm_orbit_tmp_t)
+       files_tmp_file($1_evolution_alarm_orbit_tmp_t)
 
        type $1_evolution_exchange_t;
        domain_type($1_evolution_exchange_t)
@@ -78,7 +78,7 @@ template(`evolution_per_role_template',`
        files_tmp_file($1_evolution_exchange_tmp_t)
 
        type $1_evolution_exchange_orbit_tmp_t;
-       files_type($1_evolution_exchange_orbit_tmp_t)
+       files_tmp_file($1_evolution_exchange_orbit_tmp_t)
 
        type $1_evolution_server_t;
        domain_type($1_evolution_server_t)
@@ -86,7 +86,7 @@ template(`evolution_per_role_template',`
        role $3 types $1_evolution_server_t;
 
        type $1_evolution_server_orbit_tmp_t;
-       files_type($1_evolution_server_orbit_tmp_t)
+       files_tmp_file($1_evolution_server_orbit_tmp_t)
 
        type $1_evolution_webcal_t;
        domain_type($1_evolution_webcal_t)
@@ -97,7 +97,7 @@ template(`evolution_per_role_template',`
        files_tmpfs_file($1_evolution_webcal_tmpfs_t)
 
        type $1_orbit_tmp_t;
-       files_type($1_orbit_tmp_t)
+       files_tmp_file($1_orbit_tmp_t)
 
        ########################################
        #
@@ -129,6 +129,10 @@ template(`evolution_per_role_template',`
        allow $1_evolution_t $1_evolution_orbit_tmp_t:file manage_file_perms;
        files_tmp_filetrans($1_evolution_t,$1_evolution_orbit_tmp_t,{ dir file })
 
+       allow $1_evolution_server_t $1_evolution_orbit_tmp_t:dir manage_dir_perms;
+       allow $1_evolution_server_t $1_evolution_orbit_tmp_t:file manage_file_perms;
+       files_tmp_filetrans($1_evolution_server_t,$1_evolution_orbit_tmp_t,{ dir file })
+
        allow $1_evolution_t $1_evolution_server_t:dir search_dir_perms;
        allow $1_evolution_t $1_evolution_server_t:file read;
 
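Review bot: The three added rules give `$1_evolution_server_t` manage access to, and a /tmp type transition into, `$1_evolution_orbit_tmp_t`, the main client's ORBit type, although this template declares a dedicated `$1_evolution_server_orbit_tmp_t` further up. If these lines were copied from the `$1_evolution_t` rules just above, the target should be the server's own type, e.g. `files_tmp_filetrans($1_evolution_server_t,$1_evolution_server_orbit_tmp_t,{ dir file })`; as written, the data server and the client share one writable label. If the data-server section (outside this hunk) already declares a /tmp transition for the same classes, the new one would also conflict with it. If the sharing is deliberate, a comment saying so is enough.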
@@ -171,6 +175,8 @@ template(`evolution_per_role_template',`
        allow $2 $1_evolution_t:{ file lnk_file } { read getattr };
        allow $2 $1_evolution_t:process getattr;
 
+       domain_dontaudit_read_all_domains_state($1_evolution_t)
+
        #FIXME check to see if really needed
        kernel_read_kernel_sysctls($1_evolution_t)
        kernel_read_system_state($1_evolution_t)
@@ -238,6 +244,7 @@ template(`evolution_per_role_template',`
        userdom_manage_user_tmp_dirs($1,$1_evolution_t)
        userdom_manage_user_tmp_sockets($1,$1_evolution_t)
        userdom_manage_user_tmp_files($1,$1_evolution_t)
+       userdom_use_user_terminals($1, $1_evolution_t)
        # FIXME: suppress access to .local/.icons/.themes until properly implemented
        # FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
        # until properly implemented
@@ -246,6 +253,7 @@ template(`evolution_per_role_template',`
        mta_read_config($1_evolution_t)
 
        xserver_user_client_template($1,$1_evolution_t,$1_evolution_tmpfs_t)
+       xserver_read_xdm_tmp_files($1_evolution_t)
 
        tunable_policy(`use_nfs_home_dirs',`
                fs_manage_nfs_dirs($1_evolution_t)
@@ -367,7 +375,10 @@ template(`evolution_per_role_template',`
        tunable_policy(`write_untrusted_content',`
                files_search_home($1_evolution_t)
        
-               userdom_manage_user_untrusted_content_files($1,$1_evolution_t,{ dir file })
+               userdom_manage_user_untrusted_content_files($1,$1_evolution_t)
+               userdom_user_home_dir_filetrans($1,$1_evolution_t,$1_untrusted_content_tmp_t, { file dir })
+               userdom_user_home_content_filetrans($1,$1_evolution_t,$1_untrusted_content_tmp_t, { file dir })
+
        ',`
                files_dontaudit_list_home($1_evolution_t)
                files_dontaudit_list_tmp($1_evolution_t)
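Review bot: Both new filetrans calls label objects created in the user's home directory with `$1_untrusted_content_tmp_t`, which by its name is the /tmp type. For home-directory content I would expect the non-tmp type (`$1_untrusted_content_t`, assuming the userdomain module declares it; that is not visible in this diff). Files carrying the tmp label in a home directory would not be matched by rules written for untrusted home content, so please confirm which type is meant. The same two lines appear in the `write_untrusted_content` block of the mozilla template later in this commit.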
@@ -394,6 +405,10 @@ template(`evolution_per_role_template',`
                dbus_send_user_bus($1,$1_evolution_t)
        ')
 
+       optional_policy(`
+               gnome_stream_connect_gconf_template($1, $1_evolution_t)
+       ')
+
        # Encrypt mail
        optional_policy(`
                gpg_domtrans_user_gpg($1,$1_evolution_t)
@@ -404,13 +419,18 @@ template(`evolution_per_role_template',`
                lpd_domtrans_user_lpr($1,$1_evolution_t)
        ')
 
+       optional_policy(`
+               mozilla_read_user_home_files($1, $1_evolution_t)
+               mozilla_domtrans_user_mozilla($1, $1_evolution_t)
+       ')
+
        # Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
        optional_policy(`
                nis_use_ypbind($1_evolution_t)
        ')
 
        optional_policy(`
-               nscd_socket_use($1_evolution_exchange_t)
+               nscd_socket_use($1_evolution_t)
        ')
 
        ### Junk mail filtering (start spamd)
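Review bot: The new mozilla `optional_policy` block has no comment, while its neighbours do (`# Encrypt mail`), and the TODO block this commit deletes further down described the same transition as `# Start links in web browser`. Carry that comment over above the new block so the reason evolution may enter the mozilla domain and read its home files stays on record. The enclosing template starts and ends outside this hunk.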
@@ -427,9 +447,6 @@ template(`evolution_per_role_template',`
 
        ifdef(`TODO',`
 
-               #dbus connect to
-               allow $1_evolution_t $1_dbusd_t:unix_stream_socket connectto;
-
                # Gnome common stuff
                gnome_application($1_evolution, $1)
 
@@ -450,12 +467,6 @@ template(`evolution_per_role_template',`
                ifdef(`TODO',`
                        gnome_file_dialog($1_evolution, $1)
                ')
-               # Start links in web browser
-               ifdef(`mozilla', `
-                       corecmd_exec_shell($1_evolution_t)
-                       domain_auto_trans($1_evolution_t, mozilla_exec_t, $1_mozilla_t)
-               ')
-
        ')
 
        ########################################
@@ -463,7 +474,8 @@ template(`evolution_per_role_template',`
        # Evolution alarm local policy
        #
 
-       allow $1_evolution_alarm_t self:fifo_file { read write };
+       allow $1_evolution_alarm_t self:process { signal getsched };
+       allow $1_evolution_alarm_t self:fifo_file rw_fifo_file_perms;
 
        allow $1_evolution_alarm_t $1_evolution_t:unix_stream_socket connectto;
        allow $1_evolution_alarm_t $1_evolution_orbit_tmp_t:sock_file write;
@@ -489,7 +501,15 @@ template(`evolution_per_role_template',`
        domain_auto_trans($2, evolution_alarm_exec_t, $1_evolution_alarm_t)
        allow $1_evolution_alarm_t $2:fd use;
 
+       dev_read_urand($1_evolution_alarm_t)
+
+       files_read_etc_files($1_evolution_alarm_t)
+       files_read_usr_files($1_evolution_alarm_t)
+
        fs_search_auto_mountpoints($1_evolution_alarm_t)
+
+       libs_use_ld_so($1_evolution_alarm_t)
+       libs_use_shared_libs($1_evolution_alarm_t)
        
        miscfiles_read_localization($1_evolution_alarm_t)
 
@@ -511,6 +531,15 @@ template(`evolution_per_role_template',`
                fs_manage_cifs_files($1_evolution_alarm_t)
        ')
 
+       optional_policy(`
+               dbus_user_bus_client_template($1,$1_evolution_alarm,$1_evolution_alarm_t)
+               dbus_send_user_bus($1,$1_evolution_alarm_t)
+       ')
+
+       optional_policy(`
+               gnome_stream_connect_gconf_template($1, $1_evolution_alarm_t)
+       ')
+
        optional_policy(`
                nscd_socket_use($1_evolution_alarm_t)
        ')
@@ -525,6 +554,9 @@ template(`evolution_per_role_template',`
        # Evolution exchange connector local policy
        #
 
+       allow $1_evolution_exchange_t self:process getsched;
+       allow $1_evolution_exchange_t self:fifo_file rw_fifo_file_perms;
+
        allow $1_evolution_exchange_t self:tcp_socket create_socket_perms;
        allow $1_evolution_exchange_t self:udp_socket create_socket_perms;
 
@@ -571,8 +603,18 @@ template(`evolution_per_role_template',`
        # Allow netstat
        corecmd_exec_bin($1_evolution_exchange_t)
 
+       dev_read_urand($1_evolution_exchange_t)
+
+       files_read_etc_files($1_evolution_exchange_t)
+       files_read_usr_files($1_evolution_exchange_t)
+
        # Access evolution home
        fs_search_auto_mountpoints($1_evolution_exchange_t)
+
+       libs_use_ld_so($1_evolution_exchange_t)
+       libs_use_shared_libs($1_evolution_exchange_t)
+
+       miscfiles_read_localization($1_evolution_exchange_t)
         
        # Access evolution home
        userdom_search_user_home_dirs($1,$1_evolution_exchange_t)
@@ -591,6 +633,10 @@ template(`evolution_per_role_template',`
        tunable_policy(`use_samba_home_dirs',`
                fs_manage_cifs_files($1_evolution_exchange_t)
        ')
+
+       optional_policy(`
+               gnome_stream_connect_gconf_template($1, $1_evolution_exchange_t)
+       ')
        
        optional_policy(`
                nscd_socket_use($1_evolution_exchange_t)
@@ -606,6 +652,8 @@ template(`evolution_per_role_template',`
        # Evolution data server local policy
        #
 
+       allow $1_evolution_server_t self:process { getsched signal };
+
        allow $1_evolution_server_t self:fifo_file { read write };
        allow $1_evolution_server_t self:unix_stream_socket { accept connectto };
        # Talk to ldap (address book),
@@ -643,6 +691,8 @@ template(`evolution_per_role_template',`
        corenet_sendrecv_http_client_packets($1_evolution_server_t)
        corenet_sendrecv_http_cache_client_packets($1_evolution_server_t)
 
+       dev_read_urand($1_evolution_server_t)
+
        files_read_etc_files($1_evolution_server_t)
        # Obtain weather data via http (read server name from xml file in /usr)
        files_read_usr_files($1_evolution_server_t)
@@ -652,6 +702,7 @@ template(`evolution_per_role_template',`
        libs_use_ld_so($1_evolution_server_t)
        libs_use_shared_libs($1_evolution_server_t)
 
+       miscfiles_read_localization($1_evolution_server_t)
        # Look in /etc/pki
        miscfiles_read_certs($1_evolution_server_t)
 
@@ -681,6 +732,10 @@ template(`evolution_per_role_template',`
                fs_manage_cifs_files($1_evolution_server_t)
        ')
 
+       optional_policy(`
+               gnome_stream_connect_gconf_template($1, $1_evolution_server_t)
+       ')
+
        optional_policy(`
                nscd_socket_use($1_evolution_server_t)
        ')
@@ -813,3 +868,45 @@ template(`evolution_stream_connect',`
        allow $2 $1_evolution_t:unix_stream_socket connectto;
        allow $2 $1_evolution_home_t:dir search;
 ')
+
+########################################
+## <summary>
+##     Send and receive messages from
+##     evolution over dbus.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`evolution_dbus_chat',`
+       gen_require(`
+               type $1_evolution_t;
+               class dbus send_msg;
+       ')
+
+       allow $2 $1_evolution_t:dbus send_msg;
+       allow $1_evolution_t $2:dbus send_msg;
+')
+
+########################################
+## <summary>
+##     Send and receive messages from
+##     evolution_alarm over dbus.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`evolution_alarm_dbus_chat',`
+       gen_require(`
+               type $1_evolution_alarm_t;
+               class dbus send_msg;
+       ')
+
+       allow $2 $1_evolution_alarm_t:dbus send_msg;
+       allow $1_evolution_alarm_t $2:dbus send_msg;
+')
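Review bot: `evolution_dbus_chat` and `evolution_alarm_dbus_chat` are declared with `interface(` and document a single `domain` parameter, but their bodies build the type name from `$1` and grant access to `$2`, so they take two arguments and are templated. A caller following the documentation would pass its domain as `$1` and get a `gen_require` on a type that does not exist. Declare them as `template(` and document both parameters, `userdomain_prefix` and `domain`, with the "This is a templated interface" paragraph, as `mozilla_dbus_chat` in this same commit does.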
index 1848879f051773a431c58ac668cdbc9a58a7953d..e6d1b5c1be0e6d97ed0316bcd3b5268634e952e2 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(evolution,1.1.0)
+policy_module(evolution,1.1.1)
 
 ########################################
 #
index 91fe9e708d8189c5a26af8b9faa0b36a41acc3b6..3337616919e9736c13b1292c45bec2ddba4a8b06 100644 (file)
 #
 template(`games_per_role_template',`
 
+       gen_require(`
+               type games_exec_t, games_data_t;
+       ')
+
        ########################################
        #
        # Declarations
index cf2d88e02b317875ac4b63108b026ec56380db0e..a090d131e4c74593bcd50bb913c379e08170d08b 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(games,1.1.0)
+policy_module(games,1.1.1)
 
 ########################################
 #
index 0146bd4233499984c3ea09bef974f2089c6d560f..c81209548b364351b3cdc709ee8e3295b7339a26 100644 (file)
@@ -1,3 +1,5 @@
+HOME_DIR/\.config/gtk-.*       gen_context(system_u:object_r:ROLE_gnome_home_t,s0)
+
 /etc/gconf(/.*)?               gen_context(system_u:object_r:gconf_etc_t,s0)
 
 /usr/libexec/gconfd-2  --      gen_context(system_u:object_r:gconfd_exec_t,s0)
index d9b5fc96f74dcd3588496be68070bbae4378c45d..a0e35fce7158b43d6b2546b1e59aa62246017339 100644 (file)
 template(`gnome_per_role_template',`
        gen_require(`
                type gconfd_exec_t;
+               attribute gnomedomain;
        ')
 
        ##############################
        #
        # Declarations
        #
-       type $1_gconfd_t;
+       type $1_gconfd_t, gnomedomain;
+
        domain_type($1_gconfd_t)
        domain_entry_file($1_gconfd_t, gconfd_exec_t)
        role $3 types $1_gconfd_t;
 
        type $1_gconf_home_t;
-       files_type($1_gconf_home_t)
+       userdom_user_home_content($1, $1_gconf_home_t)
+
+       type $1_gnome_home_t;
+       userdom_user_home_content($1, $1_gnome_home_t)
 
        type $1_gconf_tmp_t;
        files_tmp_file($1_gconf_tmp_t)
@@ -58,6 +63,7 @@ template(`gnome_per_role_template',`
        #
 
        allow $1_gconfd_t self:process getsched;
+       allow $1_gconfd_t self:fifo_file rw_fifo_file_perms;
 
        manage_dirs_pattern($1_gconfd_t,$1_gconf_home_t,$1_gconf_home_t)
        manage_files_pattern($1_gconfd_t,$1_gconf_home_t,$1_gconf_home_t)
@@ -75,6 +81,8 @@ template(`gnome_per_role_template',`
        allow $1_gconfd_t gconf_etc_t:dir list_dir_perms;
        read_files_pattern($1_gconfd_t,gconf_etc_t,gconf_etc_t)
 
+       ps_process_pattern($2,$1_gconfd_t)
+
        dev_read_urand($1_gconfd_t)
 
        files_read_etc_files($1_gconfd_t)
@@ -124,6 +132,64 @@ template(`gnome_stream_connect_gconf_template',`
                type $1_gconf_tmp_t;
        ')
 
+       read_files_pattern($2,$1_gconf_tmp_t,$1_gconf_tmp_t)
        allow $2 $1_gconfd_t:unix_stream_socket connectto;
-       allow $2 $1_gconf_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##     Run gconfd in the role-specific gconfd domain.
+## </summary>
+## <desc>
+##     <p>
+##     Run gconfd in the role-specfic gconfd domain.
+##     </p>
+##     <p>
+##     This is a templated interface, and should only
+##     be called from a per-userdomain template.
+##     </p>
+## </desc>
+## <param name="userdomain_prefix">
+##     <summary>
+##     The prefix of the user domain (e.g., user
+##     is the prefix for user_t).
+##     </summary>
+## </param>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+template(`gnome_domtrans_user_gconf',`
+       gen_require(`
+               type $1_gconfd_t, gconfd_exec_t;
+       ')
+
+       domtrans_pattern($2,gconfd_exec_t,$1_gconfd_t)
+')
+
+########################################
+## <summary>
+##     manage gnome homedir content (.config)
+## </summary>
+## <param name="userdomain_prefix">
+##     <summary>
+##     The prefix of the user domain (e.g., user
+##     is the prefix for user_t).
+##     </summary>
+## </param>
+## <param name="user_domain">
+##     <summary>
+##     The type of the user domain.
+##     </summary>
+## </param>
+#
+template(`gnome_manage_user_gnome_config',`
+       gen_require(`
+               type $1_gnome_home_t;
+       ')
+
+       allow $2 $1_gnome_home_t:dir manage_dir_perms;
+       allow $2 $1_gnome_home_t:file manage_file_perms;
 ')
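Review bot: `gnome_manage_user_gnome_config` is written with two raw `allow` rules, whereas the per-role template in this file uses the pattern macros for the same job (`manage_dirs_pattern($1_gconfd_t,$1_gconf_home_t,$1_gconf_home_t)`). Writing it as `manage_dirs_pattern($2,$1_gnome_home_t,$1_gnome_home_t)` and `manage_files_pattern($2,$1_gnome_home_t,$1_gnome_home_t)` keeps the file consistent. In the documentation, the `<desc>` of `gnome_domtrans_user_gconf` misspells "role-specfic". The second parameter here is named `user_domain` ("The type of the user domain") where the sibling templates use `domain` ("Domain allowed access").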
index 996809aa4f5e2a36fdcd022081563f84dd1bf15f..7fede6f6a987219dbac4e75292ff33f69505ea7d 100644 (file)
@@ -1,11 +1,13 @@
 
-policy_module(gnome,1.0.0)
+policy_module(gnome,1.0.1)
 
 ##############################
 #
 # Declarations
 #
 
+attribute gnomedomain;
+
 type gconf_etc_t;
 files_type(gconf_etc_t)
 
index 00e77445e2abb71a92b1c064c5af0bb0598ef4ba..52426e34131c8d329ed63ec12a179ca00b76c49f 100644 (file)
@@ -169,6 +169,39 @@ template(`java_per_role_template',`
        ')
 ')
 
+########################################
+## <summary>
+##     Run java in javaplugin domain.
+## </summary>
+## <desc>
+##     <p>
+##     Run java in javaplugin domain.
+##     </p>
+##     <p>
+##     This is a templated interface, and should only
+##     be called from a per-userdomain template.
+##     </p>
+## </desc>
+## <param name="userdomain_prefix">
+##     <summary>
+##     The prefix of the user domain (e.g., user
+##     is the prefix for user_t).
+##     </summary>
+## </param>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+template(`java_domtrans_user_javaplugin',`
+       gen_require(`
+               type $1_javaplugin_t, java_exec_t;
+       ')
+
+       domtrans_pattern($2,java_exec_t,$1_javaplugin_t)
+')
+
 ########################################
 ## <summary>
 ##     Execute the java program in the java domain.
index 0e776e1804f9368d257f41fb3877b1b062f4afa9..51eb769228ccec9cc9e174e17b0353c970aa719a 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(java,1.3.1)
+policy_module(java,1.3.2)
 
 ########################################
 #
@@ -18,6 +18,10 @@ init_system_domain(java_t,java_exec_t)
 ifdef(`targeted_policy',`
        # execheap is needed for itanium/BEA jrocket
        allow java_t self:process { execstack execmem execheap };
-       unconfined_domain_noaudit(java_t)
        role system_r types java_t;
+
+       init_dbus_chat_script(java_t)
+
+       unconfined_domain_noaudit(java_t)
+       unconfined_dbus_chat(java_t)
 ')
index a8e2e118ebffd18e2a952ab08eecd1aaf7bc63ef..6cc288b36db70dc14dbe83b7271a81426d0676c1 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(loadkeys,1.0.0)
+policy_module(loadkeys,1.0.1)
 
 ########################################
 #
@@ -15,10 +15,8 @@ ifdef(`targeted_policy',`
        # all user domain ttys
 
        type loadkeys_t;
-       domain_type(loadkeys_t)
-
        type loadkeys_exec_t;
-       domain_entry_file(loadkeys_t,loadkeys_exec_t)
+       init_system_domain(loadkeys_t,loadkeys_exec_t)
 ')
 
 ########################################
@@ -29,15 +27,22 @@ ifdef(`targeted_policy',`
 ifdef(`targeted_policy',`
        # loadkeys domain disabled in targeted policy
 ',`
-       allow loadkeys_t self:capability { setuid sys_tty_config };
+       allow loadkeys_t self:capability { dac_override dac_read_search setuid sys_tty_config };
        allow loadkeys_t self:fifo_file rw_fifo_file_perms;
 
        kernel_read_system_state(loadkeys_t)
 
        corecmd_exec_bin(loadkeys_t)
        corecmd_exec_shell(loadkeys_t)
+       corecmd_search_sbin(loadkeys_t)
+
+       files_read_etc_files(loadkeys_t)
+       files_read_etc_runtime_files(loadkeys_t)
+
+       term_dontaudit_use_console(loadkeys_t)
+       term_dontaudit_use_unallocated_ttys(loadkeys_t)
 
-       files_dontaudit_read_etc_runtime_files(loadkeys_t)
+       init_dontaudit_use_script_ptys(loadkeys_t)
 
        libs_use_ld_so(loadkeys_t)
        libs_use_shared_libs(loadkeys_t)
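Review bot: `dac_override` and `dac_read_search` are added to the loadkeys_t capability set without a comment, and both let the domain bypass ordinary file permission checks. If the denial that prompted this was only a read or directory search, `dac_read_search` alone may be sufficient. Please test without `dac_override` and record in a comment which file access required the capability. The switch from `files_dontaudit_read_etc_runtime_files` to `files_read_etc_runtime_files` in the same block likewise turns a silenced denial into a grant and should name the file being read.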
index 2e443c1c1fbcbd8c02c4ee3cc9953081e1a1047c..2d2990d0742b70f242bb0d89f47d6af8ff109adf 100644 (file)
@@ -60,7 +60,7 @@ template(`mozilla_per_role_template',`
 
        allow $1_mozilla_t self:capability { sys_nice setgid setuid };
        allow $1_mozilla_t self:process { sigkill signal setsched getsched setrlimit };
-       allow $1_mozilla_t self:fifo_file { getattr read write };
+       allow $1_mozilla_t self:fifo_file rw_fifo_file_perms;
        allow $1_mozilla_t self:shm { unix_read unix_write read write destroy create };
        allow $1_mozilla_t self:sem create_sem_perms;
        allow $1_mozilla_t self:socket create_socket_perms;
@@ -150,6 +150,7 @@ template(`mozilla_per_role_template',`
        dev_write_sound($1_mozilla_t)
        dev_read_sound($1_mozilla_t)
        dev_dontaudit_rw_dri($1_mozilla_t)
+       dev_getattr_sysfs_dirs($1_mozilla_t)
 
        files_read_etc_runtime_files($1_mozilla_t)
        files_read_usr_files($1_mozilla_t)
@@ -159,10 +160,13 @@ template(`mozilla_per_role_template',`
        # interacting with gstreamer
        files_read_var_files($1_mozilla_t)
        files_read_var_symlinks($1_mozilla_t)
+       files_dontaudit_getattr_boot_dirs($1_mozilla_t)
 
        fs_search_auto_mountpoints($1_mozilla_t)
-       fs_search_inotifyfs($1_mozilla_t)
+       fs_list_inotifyfs($1_mozilla_t)
        fs_rw_tmpfs_files($1_mozilla_t)
+
+       term_dontaudit_getattr_pty_dirs($1_mozilla_t)
        
        libs_use_ld_so($1_mozilla_t)
        libs_use_lib_files($1_mozilla_t)
@@ -185,7 +189,9 @@ template(`mozilla_per_role_template',`
        userdom_manage_user_tmp_sockets($1,$1_mozilla_t)
        
        xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t)
-       
+       xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t)
+       xserver_dontaudit_getattr_xdm_tmp_sockets($1_mozilla_t)
+
        tunable_policy(`allow_execmem',`
                allow $1_mozilla_t self:process { execmem execstack };
        ')
@@ -318,12 +324,14 @@ template(`mozilla_per_role_template',`
 
        tunable_policy(`write_untrusted_content',`
                files_search_home($1_mozilla_t)
+               userdom_manage_user_untrusted_content_tmp_files($1, $1_mozilla_t)
                files_tmp_filetrans($1_mozilla_t,$1_untrusted_content_tmp_t,file)
                files_tmp_filetrans($1_mozilla_t,$1_untrusted_content_tmp_t,dir)
 
-               userdom_manage_user_untrusted_content_files($1,$1_mozilla_t,file)
-               userdom_manage_user_untrusted_content_files($1,$1_mozilla_t,dir)
-       ',`
+               userdom_manage_user_untrusted_content_files($1,$1_mozilla_t)
+               userdom_user_home_dir_filetrans($1,$1_mozilla_t,$1_untrusted_content_tmp_t, { file dir })
+               userdom_user_home_content_filetrans($1,$1_mozilla_t,$1_untrusted_content_tmp_t, { file dir })
+               ',`
                files_dontaudit_list_home($1_mozilla_t)
                files_dontaudit_list_tmp($1_mozilla_t)
 
@@ -339,63 +347,54 @@ template(`mozilla_per_role_template',`
                apache_read_user_content($1,$1_mozilla_t)
        ')
 
+       optional_policy(`
+               automount_dontaudit_getattr_tmp_dirs($1_mozilla_t)
+       ')
+
        optional_policy(`
                cups_read_rw_config($1_mozilla_t)
+               cups_dbus_chat($1_mozilla_t)
        ')
 
        optional_policy(`
                dbus_system_bus_client_template($1_mozilla,$1_mozilla_t)
                dbus_send_system_bus($1_mozilla_t)
-               ifdef(`TODO',`
-                       optional_policy(`
-                               allow cupsd_t $1_mozilla_t:dbus send_msg;
-                       ')
-               ')
+               dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t)
+               dbus_send_user_bus($1,$1_mozilla_t)
        ')
 
        optional_policy(`
-               nscd_socket_use($1_mozilla_t)
+               gnome_stream_connect_gconf_template($1,$1_mozilla_t)
+       ')
+
+       optional_policy(`
+               java_domtrans_user_javaplugin($1, $1_mozilla_t)
        ')
 
        optional_policy(`
                lpd_domtrans_user_lpr($1,$1_mozilla_t)
        ')
 
-       ifdef(`TODO',`
-               # Java plugin
-               optional_policy(`
-                       #reh, these are hacked in types due to the use of the java_per_role_template
-                       type $1_mozilla_tmp_t;
-                       files_tmp_file($1_mozilla_tmp_t)
-
-                       #this looks even more ugly.
-                       type $1_mozilla_tty_device_t;
-                       term_tty($1_mozilla_t,$1_mozilla_tty_device_t)
-                       type $1_mozilla_devpts_t;
-                       term_pty($1_mozilla_devpts_t)
-                       type $1_mozilla_home_dir_t;
-                       userdom_user_home_content($1,$1_mozilla_home_dir_t)
-
-                       java_per_role_template($1_mozilla,$2,$3)
-               ')
+       optional_policy(`
+               mplayer_domtrans_user_mplayer($1, $1_mozilla_t)
+               mplayer_read_user_home_files($1, $1_mozilla_t)
+       ')
 
-               ######### Launch mplayer
-               optional_policy(`
-                       domain_auto_trans($1_mozilla_t, mplayer_exec_t, $1_mplayer_t)
-                       dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
-                       dontaudit $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };
-                       dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
-               ')
+       optional_policy(`
+               nscd_socket_use($1_mozilla_t)
+       ')
+
+       optional_policy(`
+               thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t)
+       ')
+
+       ifdef(`TODO',`
                #NOTE commented out in strict.
                ######### Launch email client, and make webcal links work
                #ifdef(`evolution.te', `
                #domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t)
                #domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
                #')
-               #NOTE commented out in strict
-               #ifdef(`thunderbird.te', `
-               #domain_auto_trans($1_mozilla_t, thunderbird_exec_t, $1_thunderbird_t)
-               #')
        
                # Macros for mozilla/mozilla (or other browser) domains.
                # FIXME: Rules were removed to centralize policy in a gnome_app macro
@@ -409,3 +408,174 @@ template(`mozilla_per_role_template',`
                ')
        ')
 ')
+
+########################################
+## <summary>
+##     Read mozilla per user homedir
+## </summary>
+## <desc>
+##     <p>
+##     Read mozilla per user homedir
+##     </p>
+##     <p>
+##     This is a templated interface, and should only
+##     be called from a per-userdomain template.
+##     </p>
+## </desc>
+## <param name="userdomain_prefix">
+##     <summary>
+##     The prefix of the user domain (e.g., user
+##     is the prefix for user_t).
+##     </summary>
+## </param>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+template(`mozilla_read_user_home_files',`
+       gen_require(`
+               type $1_mozilla_home_t;
+       ')
+
+       allow $2 $1_mozilla_home_t:dir list_dir_perms;
+       allow $2 $1_mozilla_home_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##     write mozilla per user homedir
+## </summary>
+## <desc>
+##     <p>
+##     Read mozilla per user homedir
+##     </p>
+##     <p>
+##     This is a templated interface, and should only
+##     be called from a per-userdomain template.
+##     </p>
+## </desc>
+## <param name="userdomain_prefix">
+##     <summary>
+##     The prefix of the user domain (e.g., user
+##     is the prefix for user_t).
+##     </summary>
+## </param>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+template(`mozilla_write_user_home_files',`
+       gen_require(`
+               type $1_mozilla_home_t;
+       ')
+
+       allow $2 $1_mozilla_home_t:dir list_dir_perms;
+       allow $2 $1_mozilla_home_t:file write;
+')
+
+########################################
+## <summary>
+##     Run mozilla in user mozilla domain.
+## </summary>
+## <desc>
+##     <p>
+##     Run mozilla in mozilla domain.
+##     </p>
+##     <p>
+##     This is a templated interface, and should only
+##     be called from a per-userdomain template.
+##     </p>
+## </desc>
+## <param name="userdomain_prefix">
+##     <summary>
+##     The prefix of the user domain (e.g., user
+##     is the prefix for user_t).
+##     </summary>
+## </param>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+template(`mozilla_domtrans_user_mozilla',`
+       gen_require(`
+               type $1_mozilla_t, mozilla_exec_t;
+       ')
+
+       domtrans_pattern($2, mozilla_exec_t,$1_mozilla_t)
+')
+
+########################################
+## <summary>
+##     Send and receive messages from
+##     mozilla over dbus.
+## </summary>
+## <desc>
+##     <p>
+##     Send and receive messages from
+##     mozilla over dbus.
+##     </p>
+##     <p>
+##     This is a templated interface, and should only
+##     be called from a per-userdomain template.
+##     </p>
+## </desc>
+## <param name="userdomain_prefix">
+##     <summary>
+##     The prefix of the user domain (e.g., user
+##     is the prefix for user_t).
+##     </summary>
+## </param>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+template(`mozilla_dbus_chat',`
+       gen_require(`
+               type $1_mozilla_t;
+               class dbus send_msg;
+       ')
+
+       allow $2 $1_mozilla_t:dbus send_msg;
+       allow $1_mozilla_t $2:dbus send_msg;
+')
+
+########################################
+## <summary>
+##     read/write mozilla per user tcp_socket
+## </summary>
+## <desc>
+##     <p>
+##     read/write mozilla per user tcp_socket
+##     </p>
+##     <p>
+##     This is a templated interface, and should only
+##     be called from a per-userdomain template.
+##     </p>
+## </desc>
+## <param name="userdomain_prefix">
+##     <summary>
+##     The prefix of the user domain (e.g., user
+##     is the prefix for user_t).
+##     </summary>
+## </param>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+template(`mozilla_rw_user_tcp_sockets',`
+       gen_require(`
+               type $1_mozilla_t;
+       ')
+
+       allow $2 $1_mozilla_t:tcp_socket rw_socket_perms;
+')
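Review bot: The `<desc>` of `mozilla_write_user_home_files` still says "Read mozilla per user homedir", copied from the template above it, while the summary and the rule (`:file write`) are about writing; it should read `##     Write mozilla per user homedir`. `mozilla_rw_user_tcp_sockets` lets the calling domain read and write TCP sockets owned by the browser domain, and its summary only restates the name. A sentence on the intended caller (presumably a helper launched by the browser that inherits its descriptors) would tell reviewers when granting it is appropriate.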
index 846e70aa981613d4f633358a36b63d183356f305..7752e69e4b93f24bb9980a2d30c2b9082190209e 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(mozilla,1.1.0)
+policy_module(mozilla,1.1.1)
 
 ########################################
 #
index 47ee8ec87a987ee616224996050931ae9d6d77e7..99bc933d97909b9fbfdc279b00f3b48d1cffdb45 100644 (file)
@@ -33,6 +33,9 @@
 ## </param>
 #
 template(`mplayer_per_role_template',`
+       gen_require(`
+               type mencoder_exec_t, mplayer_exec_t;
+       ')
 
        ########################################
        #
@@ -198,6 +201,10 @@ template(`mplayer_per_role_template',`
                userdom_dontaudit_read_user_tmp_untrusted_content_files($1,$1_mencoder_t)
        ')
 
+       tunable_policy(`write_untrusted_content',`
+               userdom_manage_user_untrusted_content_files($1, $1_mplayer_t)
+       ')
+
        # Save encoded files
        tunable_policy(`write_untrusted_content && use_nfs_home_dirs',`
                files_search_home($1_mencoder_t)
@@ -249,6 +256,7 @@ template(`mplayer_per_role_template',`
 
        allow $1_mplayer_t self:process { signal_perms getsched };
        allow $1_mplayer_t self:fifo_file rw_fifo_file_perms;
+       allow $1_mplayer_t self:sem create_sem_perms;
 
        manage_dirs_pattern($1_mplayer_t,$1_mplayer_home_t,$1_mplayer_home_t)
        manage_files_pattern($1_mplayer_t,$1_mplayer_home_t,$1_mplayer_home_t)
@@ -320,6 +328,7 @@ template(`mplayer_per_role_template',`
 
        fs_dontaudit_getattr_all_fs($1_mplayer_t)
        fs_search_auto_mountpoints($1_mplayer_t)
+       fs_list_inotifyfs($1_mplayer_t)
 
        libs_use_ld_so($1_mplayer_t)
        libs_use_shared_libs($1_mplayer_t)
@@ -435,3 +444,69 @@ template(`mplayer_per_role_template',`
                nscd_socket_use($1_mplayer_t)
        ')
 ')
+
+########################################
+## <summary>
+##     Run mplayer in mplayer domain.
+## </summary>
+## <desc>
+##     <p>
+##     Run mplayer in mplayer domain.
+##     </p>
+##     <p>
+##     This is a templated interface, and should only
+##     be called from a per-userdomain template.
+##     </p>
+## </desc>
+## <param name="userdomain_prefix">
+##     <summary>
+##     The prefix of the user domain (e.g., user
+##     is the prefix for user_t).
+##     </summary>
+## </param>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+template(`mplayer_domtrans_user_mplayer',`
+       gen_require(`
+               type $1_mplayer_t, mplayer_exec_t;
+       ')
+
+       domtrans_pattern($2, mplayer_exec_t,$1_mplayer_t)
+')
+
+########################################
+## <summary>
+##     Read mplayer per user homedir
+## </summary>
+## <desc>
+##     <p>
+##     Read mplayer per user homedir
+##     </p>
+##     <p>
+##     This is a templated interface, and should only
+##     be called from a per-userdomain template.
+##     </p>
+## </desc>
+## <param name="userdomain_prefix">
+##     <summary>
+##     The prefix of the user domain (e.g., user
+##     is the prefix for user_t).
+##     </summary>
+## </param>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+template(`mplayer_read_user_home_files',`
+       gen_require(`
+               type $1_mplayer_home_t;
+       ')
+
+       read_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
+')
index 337d3a9ef860040e28292cd19ab2dd178d4d1b87..dd9b1a4683ff75b9d2b506f8353651d19b7b3561 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(mplayer,1.1.0)
+policy_module(mplayer,1.1.1)
 
 ########################################
 #
index 1d3e061e348d8024e1f4ab23cc1a0608f3dfe5c9..0346700f81698da85145a87699f47380cb6969b7 100644 (file)
@@ -19,3 +19,23 @@ interface(`slocate_create_append_log',`
        create_files_pattern($1,locate_log_t,locate_log_t)
        append_files_pattern($1,locate_log_t,locate_log_t)
 ')
+
+########################################
+## <summary>
+##     Read locate lib files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`locate_read_lib_files',`
+       gen_require(`
+               type locate_var_lib_t;
+       ')
+
+       read_files_pattern($1,locate_var_lib_t,locate_var_lib_t)
+       allow $1 locate_var_lib_t:dir list_dir_perms;
+       files_search_var_lib($1)
+')
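Review bot: The new interface is named `locate_read_lib_files`, while the existing interface visible at the top of this hunk is `slocate_create_append_log` and the module is declared as `slocate` in the next file section. Interface names should carry the module prefix so callers and the generated interface documentation can find them; I would rename it to `slocate_read_lib_files` and leave the body unchanged. The summary `Read locate lib files.` could also say what is being exposed, since the body grants both file read and directory listing on `locate_var_lib_t`.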
index b8bad11e43b52ca3160e4609a36451069f87592a..737146942940022ade40dfd71cda5b697eb4bdf8 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(slocate,1.3.0)
+policy_module(slocate,1.3.1)
 
 #################################
 #
@@ -44,6 +44,7 @@ files_read_etc_files(locate_t)
 
 fs_getattr_xattr_fs(locate_t)
 fs_getattr_rpc_pipefs(locate_t)
+fs_getattr_rpc_dirs(locate_t)
 
 libs_use_shared_libs(locate_t)
 libs_use_ld_so(locate_t)
index 9a77b220a0a5092d576700c28742b8b864ae7633..38bde70413bb358be8a57f0794ffdf0b865967a6 100644 (file)
@@ -46,6 +46,7 @@ template(`thunderbird_per_role_template',`
 
        type $1_thunderbird_home_t alias $1_thunderbird_rw_t;
        files_poly_member($1_thunderbird_home_t)
+       userdom_user_home_content($1, $1_thunderbird_home_t)
 
        type $1_thunderbird_tmpfs_t;
        files_tmpfs_file($1_thunderbird_tmpfs_t)
@@ -62,6 +63,7 @@ template(`thunderbird_per_role_template',`
        allow $1_thunderbird_t self:unix_stream_socket { create accept connect write getattr read listen bind };
        allow $1_thunderbird_t self:tcp_socket create_socket_perms;
        allow $1_thunderbird_t self:shm { read write create destroy unix_read unix_write };
+       allow $1_thunderbird_t self:netlink_route_socket r_netlink_socket_perms;
 
        # Access ~/.thunderbird
        manage_dirs_pattern($1_thunderbird_t,$1_thunderbird_home_t,$1_thunderbird_home_t)
@@ -89,16 +91,19 @@ template(`thunderbird_per_role_template',`
        manage_dirs_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
        manage_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
        manage_lnk_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
+
        relabel_dirs_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
        relabel_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
        relabel_lnk_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
        
        # Allow netstat
        kernel_read_network_state($1_thunderbird_t)
+       kernel_read_net_sysctls($1_thunderbird_t)
+       kernel_read_system_state($1_thunderbird_t)
        
        corecmd_exec_shell($1_thunderbird_t)
        # Startup shellscript
-       corecmd_exec_bin($1_thunderbird_t)
+       corecmd_search_sbin($1_thunderbird_t)
 
        corenet_non_ipsec_sendrecv($1_thunderbird_t)
        corenet_tcp_sendrecv_generic_if($1_thunderbird_t)
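Review bot: The `# Startup shellscript` comment now sits above `corecmd_search_sbin($1_thunderbird_t)`, which by its name only searches sbin directories and no longer describes executing anything. Dropping `corecmd_exec_bin` is a sensible tightening if `corecmd_exec_shell` on the line above is enough for the startup script, but the comment should then move to that line or be reworded, e.g. `# Startup shellscript runs via the shell; only needs to search sbin`. If the script executes helpers labelled as bin files, this change will show up as new denials, so it is worth confirming in enforcing mode. The template body starts and ends outside this hunk.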
@@ -122,11 +127,22 @@ template(`thunderbird_per_role_template',`
        corenet_sendrecv_pop_client_packets($1_thunderbird_t)
        corenet_sendrecv_http_client_packets($1_thunderbird_t)
 
+       dev_read_urand($1_thunderbird_t)
+       dev_dontaudit_search_sysfs($1_thunderbird_t)
+
        files_list_tmp($1_thunderbird_t)
        files_read_usr_files($1_thunderbird_t)
        files_read_etc_files($1_thunderbird_t)
+       files_read_etc_runtime_files($1_thunderbird_t)
+       files_read_var_files($1_thunderbird_t)
+       files_read_var_symlinks($1_thunderbird_t)
+       files_dontaudit_getattr_all_tmp_files($1_thunderbird_t)
+       files_dontaudit_getattr_boot_dirs($1_thunderbird_t)
+       files_dontaudit_getattr_lost_found_dirs($1_thunderbird_t)
+       files_dontaudit_search_mnt($1_thunderbird_t)
 
        fs_getattr_xattr_fs($1_thunderbird_t)
+       fs_list_inotifyfs($1_thunderbird_t)
        # Access ~/.thunderbird
        fs_search_auto_mountpoints($1_thunderbird_t)
        
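Review bot: `files_read_var_files($1_thunderbird_t)` and `files_read_var_symlinks($1_thunderbird_t)` give a network-facing mail client read access to generic /var content with no comment saying what needs it, unlike the `# Access ~/.thunderbird` and `# Allow netstat` comments used elsewhere in this template. I would add a why-comment above them such as `# <what thunderbird reads under /var - TODO confirm>`, or narrow the grant to a specific type if only one directory is involved. The four `files_dontaudit_*` lines suppress audit records rather than grant access, so a short comment like `# Silence probing of unrelated directories` would make clear that they are deliberate noise reduction.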
@@ -134,6 +150,7 @@ template(`thunderbird_per_role_template',`
        libs_use_ld_so($1_thunderbird_t)
 
        miscfiles_read_fonts($1_thunderbird_t)
+       miscfiles_read_localization($1_thunderbird_t)
 
        sysnet_read_config($1_thunderbird_t)
        # Allow DNS
@@ -147,7 +164,9 @@ template(`thunderbird_per_role_template',`
        userdom_read_user_home_content_files($1,$1_thunderbird_t)
 
        xserver_user_client_template($1,$1_thunderbird_t,$1_thunderbird_tmpfs_t)
-       
+       xserver_read_xdm_tmp_files($1_thunderbird_t)
+       xserver_dontaudit_getattr_xdm_tmp_sockets($1_thunderbird_t)
+
        # Transition from user type
        tunable_policy(`! disable_thunderbird_trans',`
                domain_auto_trans($2, thunderbird_exec_t, $1_thunderbird_t)
@@ -200,7 +219,6 @@ template(`thunderbird_per_role_template',`
                userdom_read_user_tmp_symlinks($1,$1_thunderbird_t)
                userdom_search_user_home_dirs($1,$1_thunderbird_t)
                userdom_read_user_home_content_files($1,$1_thunderbird_t)
-               userdom_read_user_home_content_symlinks($1,$1_thunderbird_t)
                
                ifndef(`enable_mls',`
                        fs_search_removable($1_thunderbird_t)
@@ -284,9 +302,10 @@ template(`thunderbird_per_role_template',`
                files_search_home($1_thunderbird_t)
                files_tmp_filetrans($1_thunderbird_t,$1_untrusted_content_tmp_t,file)
                files_tmp_filetrans($1_thunderbird_t,$1_untrusted_content_tmp_t,dir)
-
-               userdom_manage_user_untrusted_content_files($1,$1_thunderbird_t,file)
-               userdom_manage_user_untrusted_content_files($1,$1_thunderbird_t,dir)
+               userdom_manage_user_untrusted_content_files($1,$1_thunderbird_t)
+               userdom_manage_user_untrusted_content_tmp_files($1, $1_thunderbird_t)
+               userdom_user_home_dir_filetrans($1,$1_thunderbird_t,$1_untrusted_content_tmp_t, { file dir })
+               userdom_user_home_content_filetrans($1,$1_thunderbird_t,$1_untrusted_content_tmp_t, { file dir })
        ',`
                files_dontaudit_list_home($1_thunderbird_t)
                files_dontaudit_list_tmp($1_thunderbird_t)
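Review bot: Both `userdom_user_home_dir_filetrans(...)` and `userdom_user_home_content_filetrans(...)` label objects created under the home directory as `$1_untrusted_content_tmp_t`, the same type the `files_tmp_filetrans` lines above use for /tmp. This looks like a copy-paste from the tmp rules; home content would normally get the non-tmp type, e.g. `userdom_user_home_dir_filetrans($1,$1_thunderbird_t,$1_untrusted_content_t, { file dir })`, and likewise for the home_content line. As written, attachments saved under the home directory would carry a tmp label, so rules written for the home untrusted-content type would not cover them. Please confirm against the type declarations in the userdomain module, which are outside this hunk.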
@@ -305,44 +324,81 @@ template(`thunderbird_per_role_template',`
        ')
 
        optional_policy(`
-               lpd_domtrans_user_lpr($1,$1_thunderbird_t)
+               cups_read_rw_config($1_thunderbird_t)
+               cups_dbus_chat($1_thunderbird_t)
        ')
 
        optional_policy(`
-               cups_read_rw_config($1_thunderbird_t)
+               gnome_stream_connect_gconf_template($1,$1_thunderbird_t)
+               gnome_domtrans_user_gconf($1, $1_thunderbird_t)
+               gnome_manage_user_gnome_config($1, $1_thunderbird_t)
        ')
 
        optional_policy(`
                gpg_domtrans_user_gpg($1,$1_thunderbird_t)
        ')
 
+       optional_policy(`
+               lpd_domtrans_user_lpr($1,$1_thunderbird_t)
+       ')
+
+       optional_policy(`
+               mozilla_read_user_home_files($1, $1_thunderbird_t)
+               mozilla_domtrans_user_mozilla($1, $1_thunderbird_t)
+               mozilla_dbus_chat($1, $1_thunderbird_t)
+       ')
+
        optional_policy(`
                nis_use_ypbind($1_thunderbird_t)
        ')
 
+       optional_policy(`
+               nscd_socket_use($1_thunderbird_t)
+       ')
+
        ifdef(`TODO',`
                # FIXME: Rules were removed to centralize policy in a gnome_app macro
                # A similar thing might be necessary for mozilla compiled without GNOME
                # support (is this possible?).
 
-               # Start links in web browser
-               ifdef(`mozilla.te', `
-                       can_exec($1_thunderbird_t, shell_exec_t)
-                       domain_auto_trans($1_thunderbird_t, mozilla_exec_t, $1_mozilla_t)
-               ')
-
                # GNOME support
                optional_policy(`
                        gnome_application($1_thunderbird, $1)
                        gnome_file_dialog($1_thunderbird, $1)
                        allow $1_thunderbird_t $1_gnome_settings_t:file { read write };
                ')
-               optinal_policy(`
-                       allow $1_t $2_dbusd_t:dbus send_msg;
-                       ifdef(`cups.te', `
-                               allow cupsd_t $1_t:dbus send_msg;
-                       ')
-               ')
+       ')
+')
 
+########################################
+## <summary>
+##     Run thunderbird in the user thunderbird domain.
+## </summary>
+## <desc>
+##     <p>
+##     Run thunderbird in the user thunderbird domain.
+##     </p>
+##     <p>
+##     This is a templated interface, and should only
+##     be called from a per-userdomain template.
+##     </p>
+## </desc>
+## <param name="userdomain_prefix">
+##     <summary>
+##     The prefix of the user domain (e.g., user
+##     is the prefix for user_t).
+##     </summary>
+## </param>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+template(`thunderbird_domtrans_user_thunderbird',`
+       gen_require(`
+               type $1_thunderbird_t, thunderbird_exec_t;
        ')
+
+       domtrans_pattern($2, thunderbird_exec_t,$1_thunderbird_t)
 ')
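Review bot: The removed TODO block carried the comment `# Start links in web browser`, but the `optional_policy` block that replaces it, with `mozilla_domtrans_user_mozilla($1, $1_thunderbird_t)` and `mozilla_dbus_chat`, has no comment at all. Since this lets the mail client domain transition into the browser domain and exchange dbus messages with it, I would keep the rationale by putting `# Start links in web browser` above `mozilla_read_user_home_files`. The gnome block has the same gap: `gnome_manage_user_gnome_config` grants more than read to a domain that handles untrusted mail content, so a one-line comment on why manage rather than read is needed would help. The per-role template starts outside this hunk.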
index ff5d47730d35b50dc5b666ce33c4323cc26d590d..0d1c693dc615a1eefa1ad96a0ffa0bb4d4a1ccfa 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(thunderbird,1.1.0)
+policy_module(thunderbird,1.1.1)
 
 ########################################
 #
index 679e1b950e6c15c41cdf937aeca4336e5037ae36..ef67d5ebc6e37c23e4729e0756f632906a7dc0eb 100644 (file)
@@ -33,6 +33,9 @@
 ## </param>
 #
 template(`tvtime_per_role_template',`
+       gen_require(`
+               type tvtime_exec_t;
+       ')
 
        ########################################
        #
index 8a74bd903804477c19f68fe87011487006eb2d12..158534e13593d2f1d760d514d354b25b4857f1f9 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(tvtime,1.1.0)
+policy_module(tvtime,1.1.1)
 
 ########################################
 #
index 37c5c7e9aff3c36d361b848a13200776acfdeea5..efa6b07cdb83778d7433ecfbafd7e13e45088921 100644 (file)
 #
 template(`uml_per_role_template',`
        
+       gen_require(`
+               type uml_ro_t, uml_exec_t;
+       ')
+
        ########################################
        #
        # Declarations
index 4791630609bb68047d7e934e5ff1fdd181abfe14..7e4dcf19d32fd9c1b8807c769324349b54758b9a 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(uml,1.1.0)
+policy_module(uml,1.1.1)
 
 ########################################
 #
index 4cd3e013bd50e393ceca89ba2866367c4b85db16..100f14020f869d231904400f5facf51b97262097 100644 (file)
@@ -49,7 +49,7 @@ template(`userhelper_per_role_template',`
        domain_obj_id_change_exemption($1_userhelper_t)
        domain_interactive_fd($1_userhelper_t)
        domain_subj_id_change_exemption($1_userhelper_t)
-       role system_r types $1_userhelper_t;
+       role $3 types $1_userhelper_t;
        
        ########################################
        #
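Review bot: `role $3 types $1_userhelper_t;` makes the template depend on a third argument, but nothing in this hunk updates the `<param>` documentation or shows the callers being changed. If a caller still passes two arguments, m4 expands `$3` to an empty string and the statement becomes `role  types ...`, which should fail at policy build time rather than fall back to `system_r`. I would add a `## <param name="user_role">` entry with a summary such as `The role associated with the user domain.` to the template header, which is outside this hunk, and check every call site in the same commit.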
@@ -287,3 +287,21 @@ template(`userhelper_sigchld_user',`
 
        allow $2 $1_userhelper_t:process sigchld;
 ')
+
+########################################
+## <summary>
+##     Execute the userhelper program in the caller domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     The type of the process performing this action.
+##     </summary>
+## </param>
+#
+interface(`userhelper_exec',`
+       gen_require(`
+               type userhelper_exec_t;
+       ')
+
+       can_exec($1,userhelper_exec_t)
+')
index 5cd61eb108744a06b10c86e087392db81c33d3e3..1914e6c7208792a65fd66bb744dfbb4a5dcf3a24 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(userhelper,1.1.0)
+policy_module(userhelper,1.1.1)
 
 ########################################
 #
index 2033523ea715d235e1498b1794e6a80573f28969..6bb09151ab1b890df8188ded8c05701f15c7feb0 100644 (file)
@@ -33,6 +33,9 @@
 ## </param>
 #
 template(`vmware_per_role_template',`
+       gen_require(`
+               type vmware_exec_t, vmware_sys_conf_t;
+       ')
 
        ##############################
        #
index 2fd59564d95c6aa418378438a3ce0aea0d376a4d..e189c795482c635cb68b5b4d3db58dd7d04202dd 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(vmware,1.0.0)
+policy_module(vmware,1.0.1)
 
 ########################################
 #
index ace13c275c1f278f775290088ef82e2b2fe34cf0..4f7ef2ae36416f643edaa9cbed69d658829cdfe7 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(webalizer,1.3.0)
+policy_module(webalizer,1.3.1)
 
 ########################################
 #
@@ -67,6 +67,7 @@ corenet_tcp_sendrecv_all_nodes(webalizer_t)
 corenet_tcp_sendrecv_all_ports(webalizer_t)
 
 fs_search_auto_mountpoints(webalizer_t)
+fs_getattr_xattr_fs(webalizer_t)
 
 files_read_etc_files(webalizer_t)
 files_read_etc_runtime_files(webalizer_t)
index ecf1bec3118eb3ec46fa5e127e02b3e230ff221e..74234f156a84128ee56fe865a7fe9dd3d1397720 100644 (file)
@@ -73,6 +73,7 @@ ifdef(`distro_debian',`
 
 ifdef(`targeted_policy',`
 /etc/X11/prefdm                        --      gen_context(system_u:object_r:bin_t,s0)
+/usr/games/nethack-3.4.3/nethack --    gen_context(system_u:object_r:bin_t,s0)
 ')
 
 #
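Review bot: The added entry `/usr/games/nethack-3.4.3/nethack` is a file-context regular expression, so the unescaped dots match any character and the entry is tied to one exact package version. A pattern such as `/usr/games/nethack-[^/]*/nethack` would survive a package update; otherwise the binary falls back to whatever label the directory default gives it. The same unescaped dot appears in the next hunk in `/usr/share/authconfig/authconfig.py`, where the neighbouring entries write `authconfig-gtk\.py`; that line should read `/usr/share/authconfig/authconfig\.py` for consistency.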
@@ -189,7 +190,12 @@ ifdef(`distro_redhat', `
 /usr/lib/.*/program(/.*)?              gen_context(system_u:object_r:bin_t,s0)
 /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/authconfig/authconfig.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/cvs/contrib/rcs2log --      gen_context(system_u:object_r:bin_t,s0)
+/usr/share/clamav/clamd-gen    --      gen_context(system_u:object_r:bin_t,s0)
+/usr/share/clamav/freshclam-sleep --   gen_context(system_u:object_r:bin_t,s0)
+/usr/share/fedora-usermgmt/wrapper --  gen_context(system_u:object_r:bin_t,s0)
+/usr/share/hplip/[^/]*         --      gen_context(system_u:object_r:bin_t,s0)
 /usr/share/hwbrowser/hwbrowser --      gen_context(system_u:object_r:bin_t,s0)
 /usr/share/pwlib/make/ptlib-config --  gen_context(system_u:object_r:bin_t,s0)
 /usr/share/pydict/pydict\.py   --      gen_context(system_u:object_r:bin_t,s0)
index 6531489f85c9418e6e06173feeadd3c0e85df5ab..cc7c6201d0eed2b70f3ee37cca19627d9c4a7903 100644 (file)
@@ -463,6 +463,25 @@ interface(`corecmd_list_sbin',`
        list_dirs_pattern($1,sbin_t,sbin_t)
 ')
 
+########################################
+## <summary>
+##     Do not audit attempts to write
+##     sbin directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`corecmd_dontaudit_write_sbin_dirs',`
+       gen_require(`
+               type sbin_t;
+       ')
+
+       dontaudit $1 sbin_t:dir write;
+')
+
 ########################################
 ## <summary>
 ##     Get the attributes of sbin files.
index 7b2d1e0caa4a378a154b40fbe86cde1cd77387c2..007d955bcc34937f127b0973e081279cfb2bdebd 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(corecommands,1.5.0)
+policy_module(corecommands,1.5.1)
 
 ########################################
 #
index 0af6336beb0e102a60bdc4c1d7c4a911f949dc42..864395b940e51f0d5fbb70823269f4b6dce31963 100644 (file)
@@ -1003,6 +1003,25 @@ interface(`corenet_tcp_connect_all_ports',`
        allow $1 port_type:tcp_socket name_connect;
 ')
 
+########################################
+## <summary>
+##     Do not audit attempts to connect TCP sockets
+##     to all ports.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_connect_all_ports',`
+       gen_require(`
+               attribute port_type;
+       ')
+
+       dontaudit $1 port_type:tcp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ##     Send and receive TCP network traffic on generic reserved ports.
@@ -1271,6 +1290,42 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
        dontaudit $1 reserved_port_type:udp_socket name_bind;
 ')
 
+########################################
+## <summary>
+##     Bind TCP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     The type of the process performing this action.
+##     </summary>
+## </param>
+#
+interface(`corenet_tcp_bind_all_unreserved_ports',`
+       gen_require(`
+               attribute port_type, reserved_port_type;
+       ')
+
+       allow $1 { port_type -reserved_port_type }:tcp_socket name_bind;
+')
+
+########################################
+## <summary>
+##     Bind UDP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     The type of the process performing this action.
+##     </summary>
+## </param>
+#
+interface(`corenet_udp_bind_all_unreserved_ports',`
+       gen_require(`
+               attribute port_type, reserved_port_type;
+       ')
+
+       allow $1 { port_type -reserved_port_type }:udp_socket name_bind;
+')
+
 ########################################
 ## <summary>
 ##      Connect TCP sockets to reserved ports.
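Review bot: The summaries of `corenet_tcp_bind_all_unreserved_ports` and `corenet_udp_bind_all_unreserved_ports` say `ports > 1024`, but the rule is `{ port_type -reserved_port_type }`, so the boundary is set by which port types carry the reserved attribute, not by a number. By the usual convention port 1024 itself is unreserved, so `> 1024` is also off by one. I would word the summary after the rule, e.g. `Bind TCP sockets to all unreserved ports.`, and use `Domain allowed access.` for the param summary to match the other allow interfaces on this page.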
@@ -1510,6 +1565,35 @@ interface(`corenet_dontaudit_udp_recv_netlabel',`
        kernel_dontaudit_udp_recvfrom_unlabeled($1)
 ')
 
+########################################
+## <summary>
+##      Receive Raw IP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`corenet_raw_recv_netlabel',`
+       kernel_raw_recvfrom_unlabeled($1)
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive Raw IP packets from a NetLabel
+##      connection.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`corenet_dontaudit_raw_recv_netlabel',`
+       kernel_dontaudit_raw_recvfrom_unlabeled($1)
+')
+
 ########################################
 ## <summary>
 ##     Send generic client packets.
index b3f13bc8f340b00287020b694c575c988f567d5c..140e4ae14694e0c8a08ed9ff75e6cae17cda712f 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(corenetwork,1.2.3)
+policy_module(corenetwork,1.2.4)
 
 ########################################
 #
@@ -111,7 +111,7 @@ network_port(netsupport, tcp,5405,s0, udp,5405,s0)
 network_port(nmbd, udp,137,s0, udp,138,s0, udp,139,s0)
 network_port(ntp, udp,123,s0)
 network_port(ocsp, tcp,9080,s0)
-network_port(openvpn, udp,1194,s0)
+network_port(openvpn, tcp,1194,s0, udp,1194,s0)
 network_port(pegasus_http, tcp,5988,s0)
 network_port(pegasus_https, tcp,5989,s0)
 network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
@@ -196,6 +196,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
 
 build_option(`enable_mls',`
 network_interface(lo, lo,s0 - mls_systemhigh)
+',`
+typealias netif_t alias netif_lo_t;
 ')
 
 ########################################
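Review bot: The new else-branch `typealias netif_t alias netif_lo_t;` has no comment, and its effect is wider than the name suggests. In non-MLS builds `netif_lo_t` becomes another name for the generic `netif_t`, so any rule written against the loopback interface type then applies to every interface labelled `netif_t`. If this is meant as a compatibility shim, a comment should say so, e.g. `# non-MLS: lo is not labelled separately; alias keeps rules that name netif_lo_t compiling`. Policy writers should also be warned not to rely on `netif_lo_t` for loopback-only restrictions in that build.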
index b2557fd2d5eaa2f2e259b927367826c17ffda1df..4228a0e2900756e351595335cbded3d7325ad57a 100644 (file)
@@ -1053,6 +1053,25 @@ interface(`domain_dontaudit_getattr_all_pipes',`
        dontaudit $1 domain:fifo_file getattr;
 ')
 
+########################################
+## <summary>
+##     Allow specified type to set context of all
+##     domains IPSEC associations.
+## </summary>
+## <param name="type">
+##     <summary>
+##     Type of subject to be allowed this.
+##     </summary>
+## </param>
+#
+interface(`domain_ipsec_setcontext_all_domains',`
+       gen_require(`
+               attribute domain;
+       ')
+
+       allow $1 domain:association setcontext;
+')
+
 ########################################
 ## <summary>
 ##     Get the attributes of entry point
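Review bot: `domain_ipsec_setcontext_all_domains` documents its argument as `<param name="type">` with the summary `Type of subject to be allowed this.`, while the other allow interfaces on this page use `<param name="domain">` and `Domain allowed access.` I would use the same wording here so the generated interface documentation is uniform, and tighten the summary to `Set the context of the IPSEC associations of all domains.` The summary in the next hunk, `dontaudit checking for execute on all entry point files`, has the same style problem and would read better as `Do not audit attempts to execute all entry point files.`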
@@ -1112,6 +1131,24 @@ interface(`domain_exec_all_entry_files',`
        can_exec($1,entry_type)
 ')
 
+########################################
+## <summary>
+##     dontaudit checking for execute on all entry point files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`domain_dontaudit_exec_all_entry_files',`
+       gen_require(`
+               attribute entry_type;
+       ')
+
+       dontaudit $1 entry_type:file exec_file_perms;
+')
+
 ########################################
 ## <summary>
 ##     Create, read, write, and delete all
index ea99772f9912a9a34801e945bca0134ca4c9659d..dc734441486ed9ebbd3010d73013d7e8f98d6ed7 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(domain,1.2.0)
+policy_module(domain,1.2.1)
 
 ########################################
 #
index 5e78a96fac42520946c5c89dc924c54341032c6e..38a25c9dfcb51e3fcd83fd99336b304d3ddde4d2 100644 (file)
@@ -1002,6 +1002,29 @@ interface(`files_dontaudit_search_all_dirs',`
        dontaudit $1 file_type:dir search;
 ')
 
+########################################
+## <summary>
+##     Get the attributes of all filesystems
+##     with the type of a file.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+# dwalsh: This interface is to allow quotacheck to work on a 
+# a filesystem mounted with the --context switch
+# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212957
+#
+interface(`files_getattr_all_file_type_fs',`
+       gen_require(`
+               attribute file_type;
+       ')
+
+       allow $1 file_type:filesystem getattr;
+')
+
 ########################################
 ## <summary>
 ##     Relabel a filesystem to the type of a file.
@@ -1937,6 +1960,24 @@ interface(`files_read_etc_symlinks',`
        read_lnk_files_pattern($1,etc_t,etc_t)
 ')
 
+########################################
+## <summary>
+##     Create, read, write, and delete symbolic links in /etc.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_manage_etc_symlinks',`
+       gen_require(`
+               type etc_t;
+       ')
+
+       manage_lnk_files_pattern($1,etc_t,etc_t)
+')
+
 ########################################
 ## <summary>
 ##     Create objects in /etc with a private
@@ -2487,6 +2528,25 @@ interface(`files_getattr_lost_found_dirs',`
        allow $1 lost_found_t:dir getattr;
 ')
 
+########################################
+## <summary>
+##     Do not audit attempts to get the attributes of
+##     lost+found directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_lost_found_dirs',`
+       gen_require(`
+               type lost_found_t;
+       ')
+
+       dontaudit $1 lost_found_t:dir getattr;
+')
+
 ########################################
 ## <summary>
 ##     Create, read, write, and delete objects in
@@ -3129,6 +3189,43 @@ interface(`files_setattr_all_tmp_dirs',`
        allow $1 tmpfile:dir { search_dir_perms setattr };
 ')
 
+########################################
+## <summary>
+##     Do not audit attempts to get the attributes
+##     of all tmp files. 
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain not to audit.
+##     </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_all_tmp_files',`
+       gen_require(`
+               attribute tmpfile;
+       ')
+
+       dontaudit $1 tmpfile:file getattr;
+')
+
+########################################
+## <summary>
+##     Read all tmp files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_read_all_tmp_files',`
+       gen_require(`
+               attribute tmpfile;
+       ')
+
+       read_files_pattern($1,tmpfile,tmpfile)
+')
+
 ########################################
 ## <summary>
 ##     Create an object in the tmp directories, with a private
@@ -3513,6 +3610,24 @@ interface(`files_dontaudit_write_var_dirs',`
        dontaudit $1 var_t:dir write;
 ')
 
+########################################
+## <summary>
+##     Allow attempts to write to /var.dirs
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`files_write_var_dirs',`
+       gen_require(`
+               type var_t;
+       ')
+
+       allow $1 var_t:dir write;
+')
+
 ########################################
 ## <summary>
 ##     Do not audit attempts to search
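Review bot: The documentation of `files_write_var_dirs` appears to be copied from the dontaudit interface directly above it and does not match the rule `allow $1 var_t:dir write;`. The summary `Allow attempts to write to /var.dirs` should be something like `Write to /var directories.`, and the param summary `Domain to not audit.` should be `Domain allowed access.` As written, an allow rule reads like an audit-suppression rule in the generated docs, which is misleading when reviewing who can write to /var.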
@@ -3786,6 +3901,7 @@ interface(`files_read_var_lib_files',`
                type var_t, var_lib_t;
        ')
 
+       allow $1 var_lib_t:dir list_dir_perms;
        read_files_pattern($1,{ var_t var_lib_t },var_lib_t)
 ')
 
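Review bot: Adding `allow $1 var_lib_t:dir list_dir_perms;` to `files_read_var_lib_files` widens the grant for every existing caller of this interface, from reading files to also listing `var_lib_t` directories. The interface name, and presumably its summary outside this hunk, still describe only reading files. If only one new caller needs the listing, granting it at that call site keeps all other domains at their current access. Otherwise the summary should be updated to mention the directory listing.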
@@ -4421,7 +4537,7 @@ interface(`files_polyinstantiate_all',`
        selinux_compute_member($1)
 
        # Need sys_admin capability for mounting
-       allow $1 self:capability sys_admin;
+       allow $1 self:capability { chown fsetid sys_admin };
 
        # Need to give access to the directories to be polyinstantiated
        allow $1 polydir:dir { create getattr search write add_name setattr mounton rmdir };
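Review bot: The comment `# Need sys_admin capability for mounting` now sits over `allow $1 self:capability { chown fsetid sys_admin };` and explains only one of the three capabilities. `chown` and `fsetid` are meaningful additions for a domain that already mounts and relabels directories, so the reason should be recorded, e.g. `# chown/fsetid: set owner and mode on instance directories - TODO confirm`. The next hunk likewise adds `read` and `remove_name` on `polyparent:dir` without a comment. The interface starts and ends outside both hunks.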
@@ -4437,7 +4553,7 @@ interface(`files_polyinstantiate_all',`
        allow $1 self:process setfscreate;
        allow $1 polymember: dir { create setattr relabelto };
        allow $1 polydir: dir { write add_name };
-       allow $1 polyparent:dir { write add_name relabelfrom relabelto };
+       allow $1 polyparent:dir { read write remove_name add_name relabelfrom relabelto };
 
        # Default type for mountpoints
        allow $1 poly_t:dir { create mounton };
index d6ff14141d04fa004ea9adf159a5d7657dc47fe1..f6d234aa20c909a7e96adb89b131774b6800456a 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(files,1.4.0)
+policy_module(files,1.4.1)
 
 ########################################
 #
@@ -50,6 +50,8 @@ files_mountpoint(default_t)
 #
 type etc_t;
 files_type(etc_t)
+# compatibility aliases for removed types:
+typealias etc_t alias automount_etc_t;
 
 #
 # etc_runtime_t is the type of various
index 3effc68fc4a91a95019618a5696223f6dbf419e2..285776912aaab9406e92c4976ff2921990249f68 100644 (file)
@@ -2719,6 +2719,25 @@ interface(`fs_tmpfs_filetrans',`
        filetrans_pattern($1,tmpfs_t,$2,$3)
 ')
 
+########################################
+## <summary>
+##     Do not audit attempts to getattr
+##     generic tmpfs files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`fs_dontaudit_getattr_tmpfs_files',`
+       gen_require(`
+               type tmpfs_t;
+       ')
+
+       dontaudit $1 tmpfs_t:file getattr;
+')
+
 ########################################
 ## <summary>
 ##     Do not audit attempts to read or write
@@ -2735,7 +2754,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
                type tmpfs_t;
        ')
 
-       dontaudit $1 tmpfs_t:file { read write };
+       dontaudit $1 tmpfs_t:file rw_file_perms;
 ')
 
 ########################################
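Review bot: Replacing `{ read write }` with `rw_file_perms` in this `dontaudit` rule suppresses audit records for every permission in that set, while the interface summary visible in the context still says `read or write`. Callers of `fs_dontaudit_rw_tmpfs_files` would stop logging denials for the extra permissions (likely getattr, among others; the macro's definition is not on this page). That would overlap with the `fs_dontaudit_getattr_tmpfs_files` interface added in the previous hunk. Either keep the explicit `{ read write }` or update the summary so it lists what is silenced, since hidden denials on tmpfs files are otherwise hard to notice during an investigation.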
index e57cf37d50be64a2c6a481034f825450c144bf33..33f3447029afdd1ba96aa5bdc6590d81b38d6c5c 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(filesystem,1.5.0)
+policy_module(filesystem,1.5.1)
 
 ########################################
 #
@@ -103,6 +103,7 @@ genfscon cramfs / gen_context(system_u:object_r:romfs_t,s0)
 type rpc_pipefs_t;
 fs_type(rpc_pipefs_t)
 genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0)
+files_mountpoint(rpc_pipefs_t)
 
 #
 # tmpfs_t is the type for tmpfs filesystems
@@ -139,6 +140,7 @@ genfscon automount / gen_context(system_u:object_r:autofs_t,s0)
 #
 type cifs_t alias sambafs_t;
 fs_noxattr_type(cifs_t)
+files_mountpoint(cifs_t)
 genfscon cifs / gen_context(system_u:object_r:cifs_t,s0)
 genfscon smbfs / gen_context(system_u:object_r:cifs_t,s0)
 
@@ -151,6 +153,7 @@ fs_noxattr_type(dosfs_t)
 allow dosfs_t fs_t:filesystem associate;
 genfscon fat / gen_context(system_u:object_r:dosfs_t,s0)
 genfscon msdos / gen_context(system_u:object_r:dosfs_t,s0)
+genfscon ntfs-3g / gen_context(system_u:object_r:dosfs_t,s0)
 genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0)
 genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0)
 
index 1b65900e37a8e56386c51af86bea69605ec1b6a2..39fd13f2cd1a8d8f598227b70f8973abb2738397 100644 (file)
@@ -2300,6 +2300,67 @@ interface(`kernel_dontaudit_udp_recvfrom_unlabeled',`
        dontaudit $1 unlabeled_t:udp_socket recvfrom;
 ')
 
+########################################
+## <summary>
+##      Receive Raw IP packets from a NetLabel connection.
+## </summary>
+## <desc>
+##     <p>
+##      Receive Raw IP packets from a NetLabel connection, NetLabel is an
+##      explicit packet labeling framework which implements CIPSO and
+##      similar protocols.
+##      </p>
+##     <p>
+##     The corenetwork interface
+##     corenet_raw_recv_netlabel() should
+##     be used instead of this one.
+##     </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`kernel_raw_recvfrom_unlabeled',`
+       gen_require(`
+               type unlabeled_t;
+       ')
+
+       allow $1 unlabeled_t:rawip_socket recvfrom;
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive Raw IP packets from a NetLabel
+##      connection.
+## </summary>
+## <desc>
+##     <p>
+##      Do not audit attempts to receive Raw IP packets from a NetLabel
+##      connection.  NetLabel is an explicit packet labeling framework
+##      which implements CIPSO and similar protocols.
+##      </p>
+##     <p>
+##     The corenetwork interface
+##     corenet_dontaudit_raw_recv_netlabel() should
+##     be used instead of this one.
+##     </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`kernel_dontaudit_raw_recvfrom_unlabeled',`
+       gen_require(`
+               type unlabeled_t;
+       ')
+
+       dontaudit $1 unlabeled_t:rawip_socket recvfrom;
+')
+
 ########################################
 ## <summary>
 ##     Send and receive unlabeled packets.
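Review bot: The summaries of `kernel_raw_recvfrom_unlabeled` and `kernel_dontaudit_raw_recvfrom_unlabeled` describe NetLabel connections, but the rules in both bodies act on `unlabeled_t:rawip_socket recvfrom`. A policy writer reading only the generated documentation would not learn that the first interface lets the caller receive raw IP packets that carry no label. I would open the summary with `Receive Raw IP packets from an unlabeled connection.` and keep the NetLabel explanation in the description, fixing the comma splice in "connection, NetLabel is" at the same time.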
index 5a3e4b15ff207c2b749710f0666959acffd680bc..82df3496298226de945d4380d153aa08080a4537 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(kernel,1.5.0)
+policy_module(kernel,1.5.1)
 
 ########################################
 #
@@ -239,6 +239,11 @@ mcs_process_set_categories(kernel_t)
 mls_process_read_up(kernel_t)
 mls_process_write_down(kernel_t)
 
+ifdef(`distro_redhat',`
+       # Bugzilla 222337
+       fs_rw_tmpfs_chr_files(kernel_t)
+')
+
 ifdef(`targeted_policy',`
        unconfined_domain(kernel_t)
 ')
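Review bot: The only justification for `fs_rw_tmpfs_chr_files(kernel_t)` is the bare reference `# Bugzilla 222337`, which gives a later reader no way to judge whether the grant is still needed without the tracker. A one-line why-comment naming which tmpfs character device the kernel domain opens, and at what stage, would let the rule be narrowed or removed once the underlying issue is fixed.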
@@ -345,7 +350,7 @@ optional_policy(`
 # Rules for unconfined acccess to this module
 #
 
-allow kern_unconfined proc_type:{ dir file } *;
+allow kern_unconfined proc_type:{ dir file lnk_file } *;
 
 allow kern_unconfined sysctl_t:{ dir file } *;
 
index e0d1aeb95650ae2ad448fb1209021aa2740e20dd..2921718986a5478d8d8f277a9134dd531cbbb9f8 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(apache,1.5.1)
+policy_module(apache,1.5.2)
 
 #
 # NOTES: 
@@ -424,6 +424,11 @@ optional_policy(`
        seutil_sigchld_newrole(httpd_t)
 ')
 
+optional_policy(`
+       snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
+       snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
+')
+
 optional_policy(`
        udev_read_db(httpd_t)
 ')
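Review bot: The new `snmp_dontaudit_write_snmp_var_lib_files(httpd_t)` silences denied writes from the web server domain to the snmp state files, and the block has no comment saying which component causes them. Denied writes from `httpd_t` are a signal worth keeping unless the source is known to be benign. I would add a comment such as `# <library> opens its persistent state read/write on load; access is not needed` with the actual library named, so the suppression can be revisited.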
@@ -684,10 +689,6 @@ optional_policy(`
        nscd_socket_use(httpd_unconfined_script_t)
 ')
 
-optional_policy(`
-       snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
-')
-
 ########################################
 #
 # httpd_rotatelogs local policy
index f4875ea1a2b90902f07f1e61a487c4bdafb49f5d..fa62acefaae64369f1a7e5711ebcc22d943a3679 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(apm,1.3.0)
+policy_module(apm,1.3.1)
 
 ########################################
 #
@@ -109,6 +109,7 @@ term_dontaudit_use_console(apmd_t)
 corecmd_exec_all_executables(apmd_t)
 
 domain_read_all_domains_state(apmd_t)
+domain_dontaudit_ptrace_all_domains(apmd_t)
 domain_use_interactive_fds(apmd_t)
 domain_dontaudit_getattr_all_sockets(apmd_t)
 domain_dontaudit_getattr_all_key_sockets(apmd_t) # Excessive?
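Review bot: `domain_dontaudit_ptrace_all_domains(apmd_t)` hides every denied ptrace check by apmd against any domain, and it is added with no explanation. The neighbouring line already carries an `# Excessive?` marker, so this block is known to be broad. If the denials come from apmd reading per-process entries under /proc, which is an assumption on my part, a comment saying so would distinguish the expected noise from a real ptrace attempt that would now go unlogged.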
index 746c12064b440a5a96b5b1d9fbf758b056c68632..4a150ebf8f4829cf78c26970c39a81a8c5aaf12a 100644 (file)
@@ -2,7 +2,6 @@
 # /etc
 #
 /etc/apm/event\.d/autofs --    gen_context(system_u:object_r:automount_exec_t,s0)
-/etc/auto\..+          --      gen_context(system_u:object_r:automount_etc_t,s0)
 
 #
 # /usr
index 0e7ba1b4b167d82ec167d6f79169e13d132a296c..ec2f092ac521f09b41ee22fae541f159fd903a1b 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(automount,1.4.0)
+policy_module(automount,1.4.1)
 
 ########################################
 #
@@ -13,9 +13,6 @@ init_daemon_domain(automount_t,automount_exec_t)
 type automount_var_run_t;
 files_pid_file(automount_var_run_t)
 
-type automount_etc_t;
-files_config_file(automount_etc_t)
-
 type automount_lock_t;
 files_lock_file(automount_lock_t)
 
@@ -28,7 +25,7 @@ files_mountpoint(automount_tmp_t)
 # Local policy
 #
 
-allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override sys_admin };
+allow automount_t self:capability { net_bind_service setgid setuid sys_nice sys_resource dac_override sys_admin };
 dontaudit automount_t self:capability sys_tty_config;
 allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
 allow automount_t self:fifo_file rw_fifo_file_perms;
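Review bot: `setgid` and `setuid` are added to the automount capability set with no comment on what the daemon uses them for. The same commit removes the `automount_etc_t` type and its `can_exec` rule in the neighbouring hunks, so how automount handles executable maps changes as well. A short why-comment on this line, for example `# automount switches to the requesting user's uid/gid when ...` completed with the real reason, would make the privilege increase reviewable. Whether `/etc/auto.*` maps that are shell scripts remain executable by `automount_t` under their new default label cannot be told from these hunks and should be confirmed.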
@@ -40,9 +37,6 @@ allow automount_t self:rawip_socket create_socket_perms;
 
 allow automount_t self:netlink_route_socket r_netlink_socket_perms;
 
-allow automount_t automount_etc_t:file { getattr read };
-# because config files can be shell scripts
-can_exec(automount_t, automount_etc_t)
 can_exec(automount_t, automount_exec_t)
 
 allow automount_t automount_lock_t:file manage_file_perms;
index 12ac6d724c3365fbe87aa76ca59a6fcda2a8a85c..0ec5ba1ad83cf7ed9d702db06c856d737b774f8a 100644 (file)
@@ -4,5 +4,7 @@
 
 /usr/sbin/aisexec      --      gen_context(system_u:object_r:ccs_exec_t,s0)
 
+/var/lib/openais(/.*)?         gen_context(system_u:object_r:ccs_var_lib_t,s0)
+
 /var/run/cluster(/.*)?         gen_context(system_u:object_r:ccs_var_run_t,s0)
 /var/run/cman_.*       -s      gen_context(system_u:object_r:ccs_var_run_t,s0)
index ce2c80f75a9fe1f79953b934f38d4fdcc18e190b..e18344b1a127c9808aee3266436cee62df466961 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(ccs,1.0.0)
+policy_module(ccs,1.0.1)
 
 ########################################
 #
@@ -18,6 +18,10 @@ files_type(cluster_conf_t)
 type ccs_var_log_t;
 logging_log_file(ccs_var_log_t)
 
+# var lib files
+type ccs_var_lib_t;
+logging_log_file(ccs_var_lib_t)
+
 # pid files
 type ccs_var_run_t;
 files_pid_file(ccs_var_run_t)
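Review bot: `ccs_var_lib_t` is declared with `logging_log_file(ccs_var_lib_t)`, which looks like a copy of the `ccs_var_log_t` declaration just above rather than an intended choice. Marking the type as a log file would expose `/var/lib/openais` to every domain that is granted access to log files in general, which is not what a state directory wants. The declaration should be `files_type(ccs_var_lib_t)`, matching the `files_type(cluster_conf_t)` form visible in the hunk header.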
@@ -27,7 +31,7 @@ files_pid_file(ccs_var_run_t)
 # ccs local policy
 #
 
-allow ccs_t self:capability { ipc_lock sys_nice sys_resource };
+allow ccs_t self:capability { ipc_lock sys_nice sys_resource sys_admin };
 allow ccs_t self:process { signal setrlimit setsched };
 allow ccs_t self:fifo_file { read write };
 allow ccs_t self:unix_stream_socket { connectto create_stream_socket_perms };
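Review bot: `sys_admin` is appended to the `ccs_t` capability set with no comment, and it is the broadest capability in the list. Stating the operation that needs it (a mount, a setsockopt, an ioctl) in a comment above the rule would let a later reviewer check whether a narrower grant is enough.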
@@ -46,6 +50,11 @@ manage_sock_files_pattern(ccs_t,ccs_var_log_t,ccs_var_log_t)
 allow ccs_t ccs_var_log_t:dir setattr;
 logging_log_filetrans(ccs_t,ccs_var_log_t,{ sock_file file dir })
 
+# var lib files
+manage_dirs_pattern(ccs_t,ccs_var_lib_t,ccs_var_lib_t)
+manage_files_pattern(ccs_t,ccs_var_lib_t,ccs_var_lib_t)
+files_var_lib_filetrans(ccs_t,ccs_var_lib_t,{ file dir })
+
 # pid file
 manage_dirs_pattern(ccs_t,ccs_var_run_t,ccs_var_run_t)
 manage_files_pattern(ccs_t,ccs_var_run_t,ccs_var_run_t)
@@ -87,6 +96,11 @@ miscfiles_read_localization(ccs_t)
 
 sysnet_dns_name_resolve(ccs_t)
 
+ifdef(`hide_broken_symptoms', `
+       corecmd_dontaudit_write_sbin_dirs(ccs_t)
+       files_manage_isid_type_files(ccs_t)
+')
+
 ifdef(`targeted_policy',`
        term_dontaudit_use_generic_ptys(ccs_t)
        term_dontaudit_use_unallocated_ttys(ccs_t)
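Review bot: The `hide_broken_symptoms` block contains `files_manage_isid_type_files(ccs_t)`, which by its name grants management of files carrying the initial-SID type rather than suppressing an audit message. A block named for hiding symptoms is expected to hold only `dontaudit` rules, so an allow rule here is easy to overlook in review and widens what `ccs_t` may modify. If the access is really required it belongs in the main local policy with a comment explaining which files are unlabeled; if it is only noise, the dontaudit form of the interface should be used instead.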
index 8aaab57fbce8793e2584d6387fe759a83b530617..85d6770e5a6f3de737004af35177ef5ec6c14427 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(cups,1.5.0)
+policy_module(cups,1.5.1)
 
 ########################################
 #
@@ -203,6 +203,10 @@ files_read_var_files(cupsd_t)
 files_read_var_symlinks(cupsd_t)
 # for /etc/printcap
 files_dontaudit_write_etc_files(cupsd_t)
+# smbspool seems to be iterating through all existing tmp files.
+# redhat bug #214953
+# cjp: this might be a broken behavior
+files_dontaudit_getattr_all_tmp_files(cupsd_t)
 
 selinux_compute_access_vector(cupsd_t)
 
index 4dca3f6217015a4543e151b40ffd71d85c6ac188..02a89a7a81f916ee03f033ba1e4a79e55ade7f69 100644 (file)
@@ -71,6 +71,7 @@ template(`dbus_per_role_template',`
 
        allow $1_dbusd_t self:process { getattr sigkill signal };
        allow $1_dbusd_t self:file { getattr read write };
+       allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
        allow $1_dbusd_t self:dbus { send_msg acquire_svc };
        allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
        allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
@@ -102,22 +103,6 @@ template(`dbus_per_role_template',`
        kernel_read_system_state($1_dbusd_t)
        kernel_read_kernel_sysctls($1_dbusd_t)
 
-       corenet_non_ipsec_sendrecv($1_dbusd_t)
-       corenet_tcp_sendrecv_all_if($1_dbusd_t)
-       corenet_tcp_sendrecv_all_nodes($1_dbusd_t)
-       corenet_tcp_sendrecv_all_ports($1_dbusd_t)
-       corenet_tcp_bind_all_nodes($1_dbusd_t)
-       corenet_tcp_bind_reserved_port($1_dbusd_t)
-
-       dev_read_urand($1_dbusd_t)
-
-       selinux_get_fs_mount($1_dbusd_t)
-       selinux_validate_context($1_dbusd_t)
-       selinux_compute_access_vector($1_dbusd_t)
-       selinux_compute_create_context($1_dbusd_t)
-       selinux_compute_relabel_context($1_dbusd_t)
-       selinux_compute_user_contexts($1_dbusd_t)
-
        corecmd_list_bin($1_dbusd_t)
        corecmd_read_bin_symlinks($1_dbusd_t)
        corecmd_read_bin_files($1_dbusd_t)
@@ -129,11 +114,32 @@ template(`dbus_per_role_template',`
        corecmd_read_sbin_pipes($1_dbusd_t)
        corecmd_read_sbin_sockets($1_dbusd_t)
 
+       corenet_non_ipsec_sendrecv($1_dbusd_t)
+       corenet_tcp_sendrecv_all_if($1_dbusd_t)
+       corenet_tcp_sendrecv_all_nodes($1_dbusd_t)
+       corenet_tcp_sendrecv_all_ports($1_dbusd_t)
+       corenet_tcp_bind_all_nodes($1_dbusd_t)
+       corenet_tcp_bind_reserved_port($1_dbusd_t)
+
+       dev_read_urand($1_dbusd_t)
+
+       domain_use_interactive_fds($1_dbusd_t)
+
        files_read_etc_files($1_dbusd_t)
        files_list_home($1_dbusd_t)
        files_read_usr_files($1_dbusd_t)
        files_dontaudit_search_var($1_dbusd_t)
 
+       fs_getattr_romfs($1_dbusd_t)
+       fs_getattr_xattr_fs($1_dbusd_t)
+
+       selinux_get_fs_mount($1_dbusd_t)
+       selinux_validate_context($1_dbusd_t)
+       selinux_compute_access_vector($1_dbusd_t)
+       selinux_compute_create_context($1_dbusd_t)
+       selinux_compute_relabel_context($1_dbusd_t)
+       selinux_compute_user_contexts($1_dbusd_t)
+
        auth_read_pam_console_data($1_dbusd_t)
 
        libs_use_ld_so($1_dbusd_t)
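Review bot: This hunk mixes a pure reordering of the `corenet_*` and `selinux_*` calls with three new grants (`domain_use_interactive_fds`, `fs_getattr_romfs`, `fs_getattr_xattr_fs`), which makes the added access hard to spot among the moved lines. The new calls carry no comment on why the per-role bus daemon needs them. I would add a one-line comment above each new call stating the reason. The template body starts and ends outside the hunk.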
index 51f6d4fdcfaef7b3a7bbcee32ab9998a5c3d1b31..27d83f1e0bb47dea341b38f4c2fd892940168eed 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(dbus,1.4.0)
+policy_module(dbus,1.4.1)
 
 gen_require(`
        class dbus { send_msg acquire_svc };
index 86c18ec6e5acbb27505f0dc92ae5434235d6b3cd..954a7466213601b4a31870b77849cea45a96dd07 100644 (file)
 ## </param>
 #
 template(`ftp_per_role_template',`
+       gen_require(`
+               type ftpd_t;
+       ')
+
        tunable_policy(`ftpd_is_daemon',`
                userdom_manage_user_home_content_files($1,ftpd_t)
                userdom_manage_user_home_content_symlinks($1,ftpd_t)
index 4d459429df26398cbce7fa8285044e2f6cae4d4d..c4a5d18b8fac17412e1df45e94031f4c8fa4d3cb 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(ftp,1.4.0)
+policy_module(ftp,1.4.1)
 
 ########################################
 #
@@ -102,6 +102,8 @@ corenet_tcp_bind_all_nodes(ftpd_t)
 corenet_tcp_bind_ftp_port(ftpd_t)
 corenet_tcp_bind_ftp_data_port(ftpd_t)
 corenet_tcp_bind_generic_port(ftpd_t)
+corenet_tcp_bind_all_unreserved_ports(ftpd_t)
+corenet_dontaudit_tcp_bind_all_ports(ftpd_t)
 corenet_tcp_connect_all_ports(ftpd_t)
 corenet_sendrecv_ftp_server_packets(ftpd_t)
 
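Review bot: `corenet_tcp_bind_all_unreserved_ports(ftpd_t)` is granted unconditionally, so the FTP daemon may listen on any port above the reserved range, including ports that other services expect to own. The following `corenet_dontaudit_tcp_bind_all_ports(ftpd_t)` then hides the denials for everything that is still refused. If this is for passive-mode data connections, a comment such as `# passive mode: server picks an arbitrary unreserved data port` would document the intent, and the dontaudit line deserves its own note on what generates the denials.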
@@ -123,6 +125,7 @@ auth_domtrans_chk_passwd(ftpd_t)
 auth_append_login_records(ftpd_t)
 #kerberized ftp requires the following
 auth_write_login_records(ftpd_t)
+auth_append_faillog(ftpd_t)
 
 init_use_fds(ftpd_t)
 init_use_script_ptys(ftpd_t)
@@ -173,6 +176,11 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
        fs_manage_nfs_files(ftpd_t)
 ')
 
+tunable_policy(`allow_ftpd_full_access',`
+       allow ftpd_t self:capability { dac_override dac_read_search };
+       auth_manage_all_files_except_shadow(ftpd_t)
+')
+
 tunable_policy(`ftp_home_dir',`
        allow ftpd_t self:capability { dac_override dac_read_search };
 
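Review bot: The `allow_ftpd_full_access` block combines `dac_override`/`dac_read_search` with `auth_manage_all_files_except_shadow(ftpd_t)`, which leaves only the shadow exclusion from type enforcement between the FTP daemon and the filesystem, yet nothing in the block says so. I would add a comment above the rules, for example `# Removes SELinux file confinement for ftpd (shadow excepted); leave off unless required`. The tunable's declaration and description are not visible in this hunk and should carry the same warning.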
index 6a37e699fe11fa16b829300dd5b0ce114577dec7..d220329763d91ec82c24b2e307f1ce13a8cd4430 100644 (file)
@@ -18,6 +18,43 @@ interface(`hal_domtrans',`
        domtrans_pattern($1,hald_exec_t,hald_t)
 ')
 
+########################################
+## <summary>
+##     Do not audit attempts to use file descriptors from hal.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`hal_dontaudit_use_fds',`
+       gen_require(`
+               type hald_t;
+       ')
+
+       dontaudit $1 hald_t:fd use; 
+')
+
+########################################
+## <summary>
+##     Do not audit attempts to read and write to
+##     hald unnamed pipes.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`hal_dontaudit_rw_pipes',`
+       gen_require(`
+               type hald_t;
+       ')
+
+       dontaudit $1 hald_t:fifo_file rw_fifo_file_perms; 
+')
+
 ########################################
 ## <summary>
 ##     Send to hal over a unix domain
index 7d7caab2dcaa8879976b9a856be373933ba24776..955e4ffd0cee1881a47cb72a4f90dbd5bcf30300 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(hal,1.5.0)
+policy_module(hal,1.5.1)
 
 ########################################
 #
index f1431a2a57fdb8b68478b94345fb1705b6307381..f5f590b58c31eab90c4fb946d9e5c65744188af0 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(inetd,1.2.0)
+policy_module(inetd,1.2.1)
 
 ########################################
 #
@@ -37,10 +37,11 @@ files_pid_file(inetd_child_var_run_t)
 
 allow inetd_t self:capability { setuid setgid };
 dontaudit inetd_t self:capability sys_tty_config;
-allow inetd_t self:process setsched;
+allow inetd_t self:process { setsched setexec };
 allow inetd_t self:fifo_file rw_fifo_file_perms;
 allow inetd_t self:tcp_socket create_stream_socket_perms;
 allow inetd_t self:udp_socket create_socket_perms;
+allow inetd_t self:fd use;
 
 allow inetd_t inetd_log_t:file manage_file_perms;
 logging_log_filetrans(inetd_t,inetd_log_t,file)
@@ -55,6 +56,8 @@ files_pid_filetrans(inetd_t,inetd_var_run_t,file)
 kernel_read_kernel_sysctls(inetd_t)
 kernel_list_proc(inetd_t)
 kernel_read_proc_symlinks(inetd_t)
+kernel_read_system_state(inetd_t)
+kernel_tcp_recvfrom_unlabeled(inetd_t)
 
 # base networking:
 corenet_non_ipsec_sendrecv(inetd_t)
@@ -88,6 +91,7 @@ corenet_udp_bind_rsync_port(inetd_t)
 corenet_tcp_bind_swat_port(inetd_t)
 corenet_udp_bind_swat_port(inetd_t)
 corenet_udp_bind_tftp_port(inetd_t)
+corenet_tcp_bind_ssh_port(inetd_t)
 
 # service port packets:
 corenet_sendrecv_amanda_server_packets(inetd_t)
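Review bot: `corenet_tcp_bind_ssh_port(inetd_t)` becomes unconditional here, while the last inetd hunk removes the version that was guarded by `strict_policy` and the `run_ssh_inetd` tunable. After this change every inetd instance may bind the ssh port regardless of the boolean. If `run_ssh_inetd` is still declared elsewhere (not visible in these hunks) it no longer controls anything. Either keep the `tunable_policy` guard around this line or remove the tunable and its documentation in the same commit.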
@@ -109,6 +113,9 @@ dev_read_sysfs(inetd_t)
 fs_getattr_all_fs(inetd_t)
 fs_search_auto_mountpoints(inetd_t)
 
+selinux_validate_context(inetd_t)
+selinux_compute_create_context(inetd_t)
+
 term_dontaudit_use_console(inetd_t)
 
 # Run other daemons in the inetd_child_t domain.
@@ -129,11 +136,23 @@ logging_send_syslog_msg(inetd_t)
 
 miscfiles_read_localization(inetd_t)
 
+# xinetd needs MLS override privileges to work
+mls_fd_use_all_levels(inetd_t)
+mls_fd_share_all_levels(inetd_t)
+mls_socket_read_to_clearance(inetd_t)
+mls_process_set_level(inetd_t)
+mls_socket_read_to_clearance(inetd_t)
+
 sysnet_read_config(inetd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(inetd_t)
 userdom_dontaudit_search_sysadm_home_dirs(inetd_t)
 
+ifdef(`enable_mls',`
+       corenet_tcp_recv_netlabel(inetd_t)
+       corenet_udp_recv_netlabel(inetd_t)
+')
+
 ifdef(`targeted_policy',`
        term_dontaudit_use_unallocated_ttys(inetd_t)
        term_dontaudit_use_generic_ptys(inetd_t)
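Review bot: `mls_socket_read_to_clearance(inetd_t)` appears twice in the new MLS block, once after `mls_fd_share_all_levels` and again after `mls_process_set_level`. The repeat is harmless to the compiled policy but suggests that a different interface was meant on one of the two lines. Drop the second call, or replace it if another MLS override was intended. The comment says xinetd needs these overrides to work, and one line per override naming the operation that needs it would help anyone auditing the MLS exemptions.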
@@ -209,10 +228,8 @@ miscfiles_read_localization(inetd_child_t)
 
 sysnet_read_config(inetd_child_t)
 
-ifdef(`strict_policy',`
-       tunable_policy(`run_ssh_inetd',`
-               corenet_tcp_bind_ssh_port(inetd_t)
-       ')
+ifdef(`targeted_policy',`
+       unconfined_domain(inetd_child_t)
 ')
 
 optional_policy(`
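Review bot: `unconfined_domain(inetd_child_t)` makes every service that inetd starts in the child domain unconfined under the targeted policy, and the change carries no comment. These are network-facing services by construction, so this is a notable reduction in confinement. I would add a comment stating which service could not run confined, so that the rule can be replaced by a dedicated domain for that service later.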
index 5c73ace27d651d6e9cfed5f6c6aa4458cce86d0d..9dee22542f427fee124596de511a36034d4717e4 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(irqbalance,1.0.0)
+policy_module(irqbalance,1.0.1)
 
 ########################################
 #
@@ -18,12 +18,16 @@ files_pid_file(irqbalance_var_run_t)
 # Local policy
 #
 
+allow irqbalance_t self:capability net_admin;
+allow irqbalance_t self:udp_socket create_socket_perms;
+
 dontaudit irqbalance_t self:capability sys_tty_config;
 allow irqbalance_t self:process signal_perms;
 
 manage_files_pattern(irqbalance_t,irqbalance_var_run_t,irqbalance_var_run_t)
 files_pid_filetrans(irqbalance_t,irqbalance_var_run_t,file)
 
+kernel_read_network_state(irqbalance_t)
 kernel_read_system_state(irqbalance_t)
 kernel_read_kernel_sysctls(irqbalance_t)
 kernel_rw_irq_sysctls(irqbalance_t)
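Review bot: `net_admin` and a UDP socket are granted to `irqbalance_t` without any explanation, which is surprising for a daemon whose visible rules otherwise concern IRQ sysctls. A comment naming the call that needs it, for instance `# queries NIC settings via ioctl on a udp socket` if that is indeed the cause, would justify the capability and show that the socket is not used for network traffic.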
index 99a57b823549632d60e354d2645dd2499d8dbbcb..14d37198eaef1174c69ce12b090260297ae28b38 100644 (file)
@@ -40,7 +40,8 @@ interface(`kerberos_use',`
        files_search_etc($1)
        allow $1 krb5_conf_t:file { getattr read };
        dontaudit $1 krb5_conf_t:file write;
-       dontaudit $1 krb5kdc_conf_t:dir r_dir_perms;
+       dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
+       dontaudit $1 krb5kdc_conf_t:file read_file_perms;
 
        tunable_policy(`allow_kerberos',`
                allow $1 self:tcp_socket create_socket_perms;
@@ -63,6 +64,12 @@ interface(`kerberos_use',`
                sysnet_read_config($1)
                sysnet_dns_name_resolve($1)
        ')
+
+       optional_policy(`
+               tunable_policy(`allow_kerberos',`
+                       pcscd_stream_connect($1)
+               ')
+       ')
 ')
 
 ########################################
index 60b2d44ca4cdadda4357c5c920dde6ade840f329..e5d8f469e095d00aafc49e75386cd36cd55dd425 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(kerberos,1.3.0)
+policy_module(kerberos,1.3.1)
 
 ########################################
 #
index 379e4e8244eda818f0c88fa56894da171830496e..47d0bf31c7b0fd35081735b767359f3b519371fa 100644 (file)
@@ -1,4 +1,7 @@
 
-/usr/bin/in\.talkd     --      gen_context(system_u:object_r:ktalkd_exec_t,s0)
 /usr/bin/ktalkd                --      gen_context(system_u:object_r:ktalkd_exec_t,s0)
+
+/usr/sbin/in\.talkd    --      gen_context(system_u:object_r:ktalkd_exec_t,s0)
+/usr/sbin/in\.ntalkd   --      gen_context(system_u:object_r:ktalkd_exec_t,s0)
+
 /var/log/talkd.*       --      gen_context(system_u:object_r:ktalkd_log_t,s0)
index bef8d804a9b69e8a77312654481d367c58933aee..4b6cdd09ce07632d37aed55be151eb26fa997b3f 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(ktalk,1.3.0)
+policy_module(ktalk,1.3.1)
 
 ########################################
 #
@@ -77,6 +77,11 @@ miscfiles_read_localization(ktalkd_t)
 
 sysnet_read_config(ktalkd_t)
 
+ifdef(`targeted_policy',`
+       term_dontaudit_use_generic_ptys(ktalkd_t)
+       term_dontaudit_use_unallocated_ttys(ktalkd_t)
+')
+
 optional_policy(`
        nis_use_ypbind(ktalkd_t)
 ')
index 84ec5d2a76fad1a07d91169fac95fb985844d83f..ce2b1f62c29fc11ca3f2a25c99f69525d6ebed34 100644 (file)
@@ -64,31 +64,33 @@ template(`lpd_per_role_template',`
        allow $1_lpr_t self:udp_socket create_socket_perms;
        allow $1_lpr_t self:netlink_route_socket r_netlink_socket_perms;
        
-       # lpr can run in lightweight mode, without a local print spooler.
-       allow $1_lpr_t lpd_var_run_t:dir search;
-       allow $1_lpr_t lpd_var_run_t:sock_file write;
-       files_read_var_files($1_lpr_t)
-
-       # Connect to lpd via a Unix domain socket.
-       allow $1_lpr_t printer_t:sock_file rw_file_perms;
-       allow $1_lpr_t lpd_t:unix_stream_socket connectto;
-       # Send SIGHUP to lpd.
-       allow $1_lpr_t lpd_t:process signal;
-
        can_exec($1_lpr_t,lpr_exec_t)
 
-       manage_dirs_pattern($1_lpr_t,$1_lpr_tmp_t,$1_lpr_tmp_t)
-       manage_files_pattern($1_lpr_t,$1_lpr_tmp_t,$1_lpr_tmp_t)
-       files_tmp_filetrans($1_lpr_t, $1_lpr_tmp_t, { file dir })
-
-       manage_files_pattern($1_lpr_t,print_spool_t,$1_print_spool_t)
-       filetrans_pattern($1_lpr_t,print_spool_t,$1_print_spool_t,file)
-       # Read and write shared files in the spool directory.
-       allow $1_lpr_t print_spool_t:file rw_file_perms;
-
-       allow $1_lpr_t printconf_t:dir list_dir_perms;
-       read_files_pattern($1_lpr_t,printconf_t,printconf_t)
-       read_lnk_files_pattern($1_lpr_t,printconf_t,printconf_t)
+       tunable_policy(`use_lpd_server',`
+               # lpr can run in lightweight mode, without a local print spooler.
+               allow $1_lpr_t lpd_var_run_t:dir search;
+               allow $1_lpr_t lpd_var_run_t:sock_file write;
+               files_read_var_files($1_lpr_t)
+
+               # Connect to lpd via a Unix domain socket.
+               allow $1_lpr_t printer_t:sock_file rw_sock_file_perms;
+               allow $1_lpr_t lpd_t:unix_stream_socket connectto;
+               # Send SIGHUP to lpd.
+               allow $1_lpr_t lpd_t:process signal;
+
+               manage_dirs_pattern($1_lpr_t,$1_lpr_tmp_t,$1_lpr_tmp_t)
+               manage_files_pattern($1_lpr_t,$1_lpr_tmp_t,$1_lpr_tmp_t)
+               files_tmp_filetrans($1_lpr_t, $1_lpr_tmp_t, { file dir })
+
+               manage_files_pattern($1_lpr_t,print_spool_t,$1_print_spool_t)
+               filetrans_pattern($1_lpr_t,print_spool_t,$1_print_spool_t,file)
+               # Read and write shared files in the spool directory.
+               allow $1_lpr_t print_spool_t:file rw_file_perms;
+
+               allow $1_lpr_t printconf_t:dir list_dir_perms;
+               read_files_pattern($1_lpr_t,printconf_t,printconf_t)
+               read_lnk_files_pattern($1_lpr_t,printconf_t,printconf_t)
+       ')
 
        dontaudit $1_lpr_t $2:unix_stream_socket { read write };
 
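Review bot: The new `use_lpd_server` conditional now wraps more than the lpd-specific rules. The temporary-file rules for the lpr tmp type, the `print_spool_t` rules and the `printconf_t` reads all move inside it, although the existing comments tie only the socket and signal rules to lpd. With the boolean off, the per-role lpr domain would lose its tmp file transition and its configuration reads. If that is intended, a comment at the top of the block should say that other spoolers need none of this; otherwise those three groups should stay outside the conditional. The template starts and ends outside the hunk.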
@@ -215,10 +217,14 @@ template(`lpd_per_role_template',`
 template(`lpr_admin_template',`
        gen_require(`
                type $1_lpr_t;
+               type print_spool_t;
        ')
 
        userdom_read_all_users_home_content_files($1_lpr_t)
 
+       # Read and write shared files in the spool directory.
+       allow $1_lpr_t print_spool_t:file rw_file_perms;
+
        # Allow per user lpr domain read acces for specific user.
        tunable_policy(`read_untrusted_content',`
                userdom_read_all_untrusted_content($1_lpr_t)
index 9ccebb5a3ebfbcd756c78e5bcddd49819412fe1a..26c1f0baaa2259939496faed8eeaf839e5e82b83 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(lpd,1.4.0)
+policy_module(lpd,1.4.1)
 
 ########################################
 #
index 1a03d844ec7ff06203a0fce134853f690e2b5304..768578bbc798b931b806cf03ceee6e9fa67a3220 100644 (file)
@@ -40,6 +40,11 @@ interface(`mta_stub',`
 #
 template(`mta_base_mail_template',`
 
+       gen_require(`
+               attribute user_mail_domain;
+               type sendmail_exec_t;
+       ')
+
        ##############################
        #
        # $1_mail_t declarations
@@ -174,6 +179,10 @@ template(`mta_base_mail_template',`
 ## </param>
 #
 template(`mta_per_role_template',`
+       gen_require(`
+               attribute mta_user_agent;
+               attribute mailserver_delivery;
+       ')
 
        ##############################
        #
index 41762f20dea2f5e742f5454f40a5f9eb305b8a70..0f081b44c03637daf31c0612ef6103da7d064a48 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(mta,1.5.0)
+policy_module(mta,1.5.1)
 
 ########################################
 #
@@ -58,6 +58,7 @@ dev_read_urand(system_mail_t)
 init_use_script_ptys(system_mail_t)
 
 userdom_use_sysadm_terms(system_mail_t)
+userdom_dontaudit_search_sysadm_home_dirs(system_mail_t)
 
 ifdef(`targeted_policy',`
        typealias system_mail_t alias sysadm_mail_t;
index 5651f8b99e25b364cd29115d90e2d37f5948a2e3..7722bc2101a95e0d1d531bb3b1f1fcf5e0248b2e 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(networkmanager,1.5.0)
+policy_module(networkmanager,1.5.1)
 
 ########################################
 #
@@ -119,6 +119,8 @@ ifdef(`targeted_policy', `
        term_dontaudit_use_unallocated_ttys(NetworkManager_t)
        term_dontaudit_use_generic_ptys(NetworkManager_t)
        files_dontaudit_read_root_files(NetworkManager_t)
+       # Read gnome-keyring
+       userdom_read_generic_user_home_content_files(NetworkManager_t)
 
        optional_policy(`
                unconfined_rw_pipes(NetworkManager_t)
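Review bot: `userdom_read_generic_user_home_content_files(NetworkManager_t)` grants read access to generic user home content as a whole, while the comment `# Read gnome-keyring` describes a need for one file. The comment should state the scope of the grant, for example `# Needs the gnome-keyring file; grants read on all generic user home content (targeted policy only)`. The access should be narrowed once the keyring has its own type.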
index ff9ec1e07b3ad1584ef6c1c619d599d83be9640d..cc23fb5ed7d39bda12c0303caef5d24c0a084008 100644 (file)
@@ -6,7 +6,7 @@
 /usr/lib/yp/ypxfr      --      gen_context(system_u:object_r:ypxfr_exec_t,s0)
 
 /usr/sbin/rpc\.yppasswdd --    gen_context(system_u:object_r:yppasswdd_exec_t,s0)
-/usr/sbin/rpc\.ypxfr   --      gen_context(system_u:object_r:ypxfr_exec_t,s0)
+/usr/sbin/rpc\.ypxfrd  --      gen_context(system_u:object_r:ypxfr_exec_t,s0)
 /usr/sbin/ypserv       --      gen_context(system_u:object_r:ypserv_exec_t,s0)
 
 /var/yp(/.*)?                  gen_context(system_u:object_r:var_yp_t,s0)
index df40154a00a0ca7afe97c073f995faf380804de9..1634307600f26fd2a927f1858718a3b327a2709f 100644 (file)
@@ -50,12 +50,12 @@ interface(`nis_use_ypbind_uncond',`
        corenet_udp_bind_generic_port($1)
        corenet_tcp_bind_reserved_port($1)
        corenet_udp_bind_reserved_port($1)
-       corenet_dontaudit_tcp_bind_all_reserved_ports($1)
-       corenet_dontaudit_udp_bind_all_reserved_ports($1)
+       corenet_dontaudit_tcp_bind_all_ports($1)
+       corenet_dontaudit_udp_bind_all_ports($1)
        corenet_tcp_connect_portmap_port($1)
        corenet_tcp_connect_reserved_port($1)
        corenet_tcp_connect_generic_port($1)
-       corenet_dontaudit_tcp_connect_all_reserved_ports($1)
+       corenet_dontaudit_tcp_connect_all_ports($1)
        corenet_sendrecv_portmap_client_packets($1)
        corenet_sendrecv_generic_client_packets($1)
        corenet_sendrecv_generic_server_packets($1)
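Review bot: The three dontaudit calls are widened from the reserved port range to all ports, which silences denied TCP/UDP bind and TCP connect attempts on every port for each domain that calls `nis_use_ypbind_uncond`. That interface is called by many domains, so the loss of audit visibility is broad and not limited to the port scan ypbind performs. A comment above the three lines explaining that the probing can reach outside the reserved range would record why the wider suppression was accepted. The interface body starts outside the hunk.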
@@ -81,8 +81,6 @@ interface(`nis_use_ypbind',`
 
        tunable_policy(`allow_ypbind',`
                nis_use_ypbind_uncond($1)
-       ',`
-               dontaudit $1 var_yp_t:dir search;
        ')
 ')
 
index b4b8f56a6570bab6527a14586c28910fb16099d2..f8cbabdffef6eaf6e232b0e840ace748510e191b 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(nis,1.3.0)
+policy_module(nis,1.3.1)
 
 ########################################
 #
@@ -285,6 +285,7 @@ corecmd_exec_bin(ypserv_t)
 domain_use_interactive_fds(ypserv_t)
 
 files_read_var_files(ypserv_t)
+files_read_etc_files(ypserv_t)
 
 init_use_fds(ypserv_t)
 init_use_script_ptys(ypserv_t)
@@ -324,6 +325,10 @@ optional_policy(`
 #
 
 allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;
+allow ypxfr_t self:tcp_socket connected_socket_perms;
+allow ypxfr_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(ypxfr_t, var_yp_t, var_yp_t)
 
 allow ypxfr_t ypserv_t:tcp_socket { read write };
 allow ypxfr_t ypserv_t:udp_socket { read write };
@@ -352,3 +357,5 @@ files_search_usr(ypxfr_t)
 
 libs_use_shared_libs(ypxfr_t)
 libs_use_ld_so(ypxfr_t)
+
+sysnet_read_config(ypxfr_t)
index 3a4925b424d54dd9cabf88babde2b028ec951d63..fe31de30aae1b5a1859b4ae7011c5ad485e79aaa 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(nscd,1.3.0)
+policy_module(nscd,1.3.1)
 
 gen_require(`
        class nscd all_nscd_perms;
@@ -35,7 +35,6 @@ allow nscd_t self:fifo_file { read write };
 allow nscd_t self:unix_stream_socket create_stream_socket_perms;
 allow nscd_t self:unix_dgram_socket create_socket_perms;
 allow nscd_t self:netlink_selinux_socket create_socket_perms;
-allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
 allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 allow nscd_t self:tcp_socket create_socket_perms;
 allow nscd_t self:udp_socket create_socket_perms;
@@ -66,6 +65,7 @@ term_dontaudit_use_console(nscd_t)
 
 # for when /etc/passwd has just been updated and has the wrong type
 auth_getattr_shadow(nscd_t)
+auth_use_nsswitch(nscd_t)
 
 corenet_non_ipsec_sendrecv(nscd_t)
 corenet_tcp_sendrecv_all_if(nscd_t)
@@ -99,14 +99,12 @@ libs_use_shared_libs(nscd_t)
 
 logging_send_syslog_msg(nscd_t)
 
-miscfiles_read_certs(nscd_t)
 miscfiles_read_localization(nscd_t)
 
 seutil_read_config(nscd_t)
 seutil_read_default_contexts(nscd_t)
 seutil_sigchld_newrole(nscd_t)
 
-sysnet_dns_name_resolve(nscd_t)
 sysnet_read_config(nscd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(nscd_t)
@@ -121,14 +119,6 @@ ifdef(`targeted_policy',`
        files_dontaudit_read_root_files(nscd_t)
 ')
 
-optional_policy(`
-       nis_use_ypbind(nscd_t)
-')
-
-optional_policy(`
-       samba_stream_connect_winbind(nscd_t)
-')
-
 optional_policy(`
        udev_read_db(nscd_t)
 ')
index 5f0e9979b44ad953f5cf7a8d44e0e2903d970412..9419a6d61f7f60c5115df410ba2d1ccb2f65c49e 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(openvpn,1.1.0)
+policy_module(openvpn,1.1.1)
 
 ########################################
 #
@@ -28,11 +28,11 @@ files_pid_file(openvpn_var_run_t)
 # openvpn local policy
 #
 
-allow openvpn_t self:capability { net_admin setgid setuid sys_tty_config };
+allow openvpn_t self:capability { net_bind_service net_admin setgid setuid sys_tty_config };
 allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
 allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow openvpn_t self:udp_socket create_socket_perms;
-allow openvpn_t self:tcp_socket create_socket_perms;
+allow openvpn_t self:tcp_socket server_stream_socket_perms;
 allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
 
 allow openvpn_t openvpn_etc_t:dir list_dir_perms;
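Review bot: Replacing `create_socket_perms` with `server_stream_socket_perms` on `openvpn_t self:tcp_socket` adds `listen` and `accept` but may remove `connect`. In the reference policy's permission sets, as I recall them, the server set expands through `connected_socket_perms`, which omits `connect`. An OpenVPN instance running as a TCP client would then be denied its outbound connection. `allow openvpn_t self:tcp_socket create_stream_socket_perms;` would cover both roles; please confirm against the permission set definitions in this tree.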
diff --git a/policy/modules/services/pcscd.fc b/policy/modules/services/pcscd.fc
new file mode 100644 (file)
index 0000000..f2df0fc
--- /dev/null
@@ -0,0 +1,5 @@
+/var/run/pcscd\.comm   -s      gen_context(system_u:object_r:pcscd_var_run_t,s0)
+/var/run/pcscd\.pid    --      gen_context(system_u:object_r:pcscd_var_run_t,s0)
+/var/run/pcscd\.pub    --      gen_context(system_u:object_r:pcscd_var_run_t,s0)
+
+/usr/sbin/pcscd                --      gen_context(system_u:object_r:pcscd_exec_t,s0)
diff --git a/policy/modules/services/pcscd.if b/policy/modules/services/pcscd.if
new file mode 100644 (file)
index 0000000..5c77c32
--- /dev/null
@@ -0,0 +1,58 @@
+## <summary>PCSC smart card service</summary>
+
+########################################
+## <summary>
+##     Execute a domain transition to run pcscd.
+## </summary>
+## <param name="domain">
+## <summary>
+##     Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pcscd_domtrans',`
+       gen_require(`
+               type pcscd_t, pcscd_exec_t;
+       ')
+
+       domtrans_pattern($1,pcscd_exec_t,pcscd_t)
+')
+
+########################################
+## <summary>
+##     Read pcscd pub files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`pcscd_read_pub_files',`
+       gen_require(`
+               type pcscd_var_run_t;
+       ')
+
+       files_search_pids($1)
+       allow $1 pcscd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##     Connect to pcscd over an unix stream socket.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`pcscd_stream_connect',`
+       gen_require(`
+               type pcscd_t, pcscd_var_run_t;
+       ')
+
+       files_search_pids($1)
+       allow $1 pcscd_var_run_t:sock_file write;
+       allow $1 pcscd_t:unix_stream_socket connectto;
+')
diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te
new file mode 100644 (file)
index 0000000..f065d8a
--- /dev/null
@@ -0,0 +1,69 @@
+
+policy_module(pcscd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type pcscd_t;
+type pcscd_exec_t;
+domain_type(pcscd_t)
+init_daemon_domain(pcscd_t, pcscd_exec_t)
+
+# pid files
+type pcscd_var_run_t;
+files_pid_file(pcscd_var_run_t)
+
+########################################
+#
+# pcscd local policy
+#
+
+allow pcscd_t self:capability { dac_override dac_read_search };
+allow pcscd_t self:fifo_file { read write };
+allow pcscd_t self:unix_stream_socket create_stream_socket_perms;
+allow pcscd_t self:unix_dgram_socket create_socket_perms;
+allow pcscd_t self:tcp_socket create_stream_socket_perms;
+
+manage_files_pattern(pcscd_t,pcscd_var_run_t,pcscd_var_run_t)
+manage_sock_files_pattern(pcscd_t,pcscd_var_run_t,pcscd_var_run_t)
+files_pid_filetrans(pcscd_t,pcscd_var_run_t, { file sock_file })
+
+corenet_tcp_sendrecv_all_if(pcscd_t)
+corenet_tcp_sendrecv_all_nodes(pcscd_t)
+corenet_tcp_sendrecv_all_ports(pcscd_t)
+corenet_non_ipsec_sendrecv(pcscd_t)
+corenet_tcp_connect_http_port(pcscd_t)
+
+dev_rw_generic_usb_dev(pcscd_t)
+dev_rw_usbfs(pcscd_t)
+dev_search_sysfs(pcscd_t)
+
+files_read_etc_files(pcscd_t)
+files_read_etc_runtime_files(pcscd_t)
+
+term_dontaudit_getattr_pty_dirs(pcscd_t)
+
+init_dontaudit_use_fds(pcscd_t)
+
+libs_use_ld_so(pcscd_t)
+libs_use_shared_libs(pcscd_t)
+
+locallogin_use_fds(pcscd_t)
+
+logging_send_syslog_msg(pcscd_t)
+
+miscfiles_read_localization(pcscd_t)
+
+sysnet_dns_name_resolve(pcscd_t)
+
+ifdef(`targeted_policy',`
+       term_dontaudit_use_generic_ptys(pcscd_t)
+       term_dontaudit_use_unallocated_ttys(pcscd_t)
+       term_dontaudit_use_console(pcscd_t)
+')
+
+optional_policy(`
+       rpm_use_script_fds(pcscd_t)
+')
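Review bot: `allow pcscd_t self:capability { dac_override dac_read_search };` lets the daemon bypass file permission checks, and nothing in the module says which access requires it. Check whether `dac_read_search` alone is enough, and add a why-comment for whatever remains. `corenet_tcp_connect_http_port(pcscd_t)` needs one too, since outbound HTTP from a smart card daemon is not self-explanatory. `domain_type(pcscd_t)` looks redundant next to `init_daemon_domain(pcscd_t, pcscd_exec_t)`, which presumably declares the domain itself; confirm and drop it.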
index f430d8ff7e6a324635e5bd911bb9efa52d6c1d5c..f89dd6f8270efefb52d28ce6edbab3f3977f3aa5 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(pyzor,1.1.0)
+policy_module(pyzor,1.1.1)
 
 ########################################
 #
@@ -60,6 +60,10 @@ miscfiles_read_localization(pyzor_t)
 
 userdom_dontaudit_search_sysadm_home_dirs(pyzor_t)
 
+ifdef(`targeted_policy',`
+       userdom_read_generic_user_home_content_files(pyzor_t)
+')
+
 optional_policy(`
        amavis_manage_lib_files(pyzor_t)
        amavis_manage_spool_files(pyzor_t)
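Review bot: The added `userdom_read_generic_user_home_content_files(pyzor_t)` gives pyzor read access to generic user home content under targeted policy, with no comment on which files it actually needs. If this is for pyzor's per-user configuration, say so above the call, e.g. `# per-user pyzor configuration has no dedicated type in targeted policy`; that wording is a guess to confirm with the author. The `optional_policy` block at the end of the hunk continues outside it.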
index 970a71318b13a5d686ac211687b82ac530438d65..2be5e67110c74e1829edd32e2f7413df78c98b45 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(radvd,1.2.0)
+policy_module(radvd,1.2.1)
 
 ########################################
 #
@@ -28,7 +28,7 @@ allow radvd_t self:rawip_socket create_socket_perms;
 allow radvd_t self:tcp_socket create_stream_socket_perms;
 allow radvd_t self:udp_socket create_socket_perms;
 
-allow radvd_t radvd_etc_t:file { getattr read };
+allow radvd_t radvd_etc_t:file read_file_perms;
 
 manage_files_pattern(radvd_t,radvd_var_run_t,radvd_var_run_t)
 files_pid_filetrans(radvd_t,radvd_var_run_t,file)
index c58bfdf15336642b5c2db0dc6e2adaacf29dd755..5c5b99dc2c253a29124f8f7e8d1bff4a93304aaa 100644 (file)
@@ -23,6 +23,9 @@
 ## </param>
 #
 template(`razor_common_domain_template',`
+       gen_require(`
+               type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t;
+       ')
 
        allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
        allow $1_t self:fd use;
@@ -131,6 +134,9 @@ template(`razor_common_domain_template',`
 ## </param>
 #
 template(`razor_per_role_template',`
+       gen_require(`
+               type razor_exec_t;
+       ')
 
        type $1_razor_t;
        domain_type($1_razor_t)
index 29916f8329b2b87f7b824c7210157b90ed8d7840..3a613b378e3e19658f0f59d08614748d000f6226 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(razor,1.1.0)
+policy_module(razor,1.1.1)
 
 ########################################
 #
@@ -10,7 +10,6 @@ type razor_t;
 type razor_exec_t;
 domain_type(razor_t)
 domain_entry_file(razor_t,razor_exec_t)
-razor_common_domain_template(razor)
 role system_r types razor_t;
 
 type razor_etc_t;
@@ -22,6 +21,8 @@ logging_log_file(razor_log_t)
 type razor_var_lib_t;
 files_type(razor_var_lib_t)
 
+razor_common_domain_template(razor)
+
 ########################################
 #
 # Local policy
index 639ece6f3413d6cbfb3c5f0a887a79aa69e9245d..c859f23d80245b39490f97488fa89a8e6fdeabd7 100644 (file)
@@ -34,6 +34,42 @@ interface(`rhgb_use_fds',`
        allow $1 rhgb_t:fd use;
 ')
 
+########################################
+## <summary>
+##     Get the process group of rhgb.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`rhgb_getpgid',`
+       gen_require(`
+               type rhgb_t;
+       ')
+
+       allow $1 rhgb_t:process getpgid;
+')
+
+########################################
+## <summary>
+##     Send a signal to rhgb.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`rhgb_signal',`
+       gen_require(`
+               type rhgb_t;
+       ')
+
+       allow $1 rhgb_t:process signal;
+')
+
 ########################################
 ## <summary>
 ##     Read and write to unix stream sockets.
@@ -107,6 +143,42 @@ interface(`rhgb_rw_shm',`
        allow $1 rhgb_t:shm rw_shm_perms;
 ')
 
+########################################
+## <summary>
+##     Read from and write to the rhgb devpts.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`rhgb_use_ptys',`
+       gen_require(`
+               type rhgb_devpts_t;
+       ')
+
+       allow $1 rhgb_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##     dontaudit Read from and write to the rhgb devpts.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`rhgb_dontaudit_use_ptys',`
+       gen_require(`
+               type rhgb_devpts_t;
+       ')
+
+       dontaudit $1 rhgb_devpts_t:chr_file rw_term_perms;
+')
+
 ########################################
 ## <summary>
 ##     Read and write to rhgb temporary file system.
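Review bot: In `rhgb_dontaudit_use_ptys` the parameter description reads `Domain allowed access.`, but the interface only emits a `dontaudit` rule, so it should read `Domain to not audit.`; this commit makes exactly that correction for `snmp_dontaudit_read_snmp_var_lib_files`. The new `xserver_dontaudit_rw_xdm_stream_sockets` interface later in the commit has the same wording and needs the same fix. The summary would also read better as `Do not audit attempts to read from and write to the rhgb devpts.`.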
index 0c73211bc98542605325a70d5c0e4683bd3dd62d..cdf3651c4dd3546ec9e3bc4c529d2a485e95d538 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(rhgb,1.2.0)
+policy_module(rhgb,1.2.1)
 
 ########################################
 #
@@ -114,6 +114,8 @@ xserver_read_xdm_xserver_tmp_files(rhgb_t)
 xserver_kill_xdm_xserver(rhgb_t)
 # for running setxkbmap
 xserver_read_xkb_libs(rhgb_t)
+xserver_domtrans_xdm_xserver(rhgb_t)
+xserver_signal_xdm_xserver(rhgb_t)
 
 ifdef(`strict_policy',`
        allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr };
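Review bot: `xserver_domtrans_xdm_xserver(rhgb_t)` is added here unconditionally, yet the strict_policy block in the next hunk keeps its own `xserver_domtrans_xdm_xserver(rhgb_t)`; only the `xserver_signal_xdm_xserver(rhgb_t)` duplicate was removed there. Drop the call inside the strict_policy block so the transition is granted in one place. Because the move also extends the rhgb to xdm X server transition to targeted policy, a short comment on why rhgb starts the X server would help the next reader. The strict_policy block begins at the end of this hunk and continues outside it.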
@@ -126,7 +128,6 @@ ifdef(`strict_policy',`
        term_dontaudit_use_unallocated_ttys(rhgb_t)
 
        xserver_domtrans_xdm_xserver(rhgb_t)
-       xserver_signal_xdm_xserver(rhgb_t)
        xserver_read_xdm_tmp_files(rhgb_t)
 ')
 
index a72c725418357e739974da47078878827be701d6..9ff934b456ef085b0e4def3fb16d15535955621a 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(ricci,1.0.0)
+policy_module(ricci,1.0.1)
 
 ########################################
 #
@@ -74,6 +74,9 @@ domain_type(ricci_modstorage_t)
 domain_entry_file(ricci_modstorage_t, ricci_modstorage_exec_t)
 role system_r types ricci_modstorage_t;
 
+type ricci_modstorage_lock_t;
+files_lock_file(ricci_modstorage_lock_t)
+
 ########################################
 #
 # ricci local policy
@@ -377,6 +380,8 @@ optional_policy(`
 
 allow ricci_modrpm_t self:fifo_file { getattr read };
 
+kernel_read_kernel_sysctls(ricci_modrpm_t)
+
 corecmd_exec_bin(ricci_modrpm_t)
 
 libs_use_ld_so(ricci_modrpm_t)
@@ -414,6 +419,8 @@ corecmd_exec_shell(ricci_modservice_t)
 files_read_etc_files(ricci_modservice_t)
 files_read_etc_runtime_files(ricci_modservice_t)
 files_search_usr(ricci_modservice_t)
+# Needed for running chkconfig
+files_manage_etc_symlinks(ricci_modservice_t)
 
 consoletype_exec(ricci_modservice_t)
 
@@ -449,6 +456,9 @@ allow ricci_modstorage_t self:unix_dgram_socket create_socket_perms;
 kernel_read_kernel_sysctls(ricci_modstorage_t)
 kernel_read_system_state(ricci_modstorage_t)
 
+create_files_pattern(ricci_modstorage_t,ricci_modstorage_lock_t,ricci_modstorage_lock_t)
+files_lock_filetrans(ricci_modstorage_t,ricci_modstorage_lock_t,file)
+
 corecmd_exec_bin(ricci_modstorage_t)
 corecmd_exec_sbin(ricci_modstorage_t)
 
@@ -456,10 +466,13 @@ dev_read_sysfs(ricci_modstorage_t)
 dev_read_urand(ricci_modstorage_t)
 dev_manage_generic_blk_files(ricci_modstorage_t)
 
+domain_dontaudit_read_all_domains_state(ricci_modstorage_t)
+
 #Needed for editing /etc/fstab
 files_manage_etc_files(ricci_modstorage_t)
 files_read_etc_runtime_files(ricci_modstorage_t)
 files_read_usr_files(ricci_modstorage_t)
+files_read_kernel_modules(ricci_modstorage_t)
 
 storage_raw_read_fixed_disk(ricci_modstorage_t)
 
index 9fa8c6fc57c0d6beabecee7997eb744fee3d45f2..2b917ff0529e74d237b177c94663f35e7764929c 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(rlogin,1.2.0)
+policy_module(rlogin,1.2.1)
 
 ########################################
 #
@@ -61,9 +61,11 @@ corenet_udp_sendrecv_all_ports(rlogind_t)
 dev_read_urand(rlogind_t)
 
 fs_getattr_xattr_fs(rlogind_t)
+fs_search_auto_mountpoints(rlogind_t)
 
 auth_domtrans_chk_passwd(rlogind_t)
 auth_rw_login_records(rlogind_t)
+auth_use_nsswitch(rlogind_t)
 
 files_read_etc_files(rlogind_t)
 files_read_etc_runtime_files(rlogind_t)
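Review bot: `auth_use_nsswitch(rlogind_t)` is added here while the next hunk deletes `kerberos_use(rlogind_t)`, `nis_use_ypbind(rlogind_t)` and `nscd_socket_use(rlogind_t)`. The NIS and nscd lookups are presumably covered by the new call, but nothing visible shows that it also replaces `kerberos_use`, which the removed comment tied to identd. Confirm that Kerberos-authenticated logins still work with only `kerberos_read_keytab(rlogind_t)`, or keep `kerberos_use(rlogind_t)` in the optional block.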
@@ -91,17 +93,6 @@ remotelogin_domtrans(rlogind_t)
 
 optional_policy(`
        kerberos_read_keytab(rlogind_t)
-
-       # for identd; cjp: this should probably only be inetd_child rules?
-       kerberos_use(rlogind_t)
-')
-
-optional_policy(`
-       nis_use_ypbind(rlogind_t)
-')
-
-optional_policy(`
-       nscd_socket_use(rlogind_t)
 ')
 
 ifdef(`TODO',`
index 4e6471d9c6f9d79e09b6171c3d4b9de74c2fad75..9dc170958477e078bb040505a43e078f3875c307 100644 (file)
@@ -11,7 +11,6 @@
 #
 # /usr
 #
-/usr/sbin/exportfs     --      gen_context(system_u:object_r:nfsd_exec_t,s0)
 /usr/sbin/rpc\.idmapd  --      gen_context(system_u:object_r:rpcd_exec_t,s0)
 /usr/sbin/rpc\.gssd    --      gen_context(system_u:object_r:gssd_exec_t,s0)
 /usr/sbin/rpc\.mountd  --      gen_context(system_u:object_r:nfsd_exec_t,s0)
index 40776158a376616c6cce124958a35db0a785d4a4..b487385ed81b68e27051d9d25b5984fa1414ea77 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(rpc,1.4.0)
+policy_module(rpc,1.4.1)
 
 ########################################
 #
index e0d10d50f32efe6692c79a4c8a51088e10790146..308423faa5f138a23270c25510c09376a2b91815 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(sendmail,1.3.0)
+policy_module(sendmail,1.3.1)
 
 ########################################
 #
@@ -114,6 +114,10 @@ ifdef(`targeted_policy',`
        files_dontaudit_read_root_files(sendmail_t)
 ')
 
+optional_policy(`
+       clamav_search_lib(sendmail_t)
+')
+
 optional_policy(`
        nis_use_ypbind(sendmail_t)
 ')
index 1627cae250174c47d946564b4a8e925e39c85e39..50c713510218bdf2346947d5d280ee3755c1fc10 100644 (file)
@@ -1 +1,21 @@
 ## <summary>SELinux troubleshooting service</summary>
+
+########################################
+## <summary>
+##     Connect to setroubleshootd over an unix stream socket.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`setroubleshoot_stream_connect',`
+       gen_require(`
+               type setroubleshootd_t, setroubleshoot_var_run_t;
+       ')
+
+       files_search_pids($1)
+       allow $1 setroubleshoot_var_run_t:sock_file write;
+       allow $1 setroubleshootd_t:unix_stream_socket connectto;
+')
index 9a11afded12fd6e3c87902b21a79c5400e5e4b19..2dee8bd3a22c62392ff9782493abe4cc8c72a105 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(setroubleshoot,1.2.0)
+policy_module(setroubleshoot,1.2.1)
 
 ########################################
 #
@@ -53,6 +53,7 @@ files_pid_filetrans(setroubleshootd_t,setroubleshoot_var_run_t, { file sock_file
 
 kernel_read_kernel_sysctls(setroubleshootd_t)
 kernel_read_system_state(setroubleshootd_t)
+kernel_read_network_state(setroubleshootd_t)
 
 corecmd_exec_sbin(setroubleshootd_t)
 corecmd_exec_bin(setroubleshootd_t)
index a21eb212f5627917f792f5a92b07bd84094384bd..e311ba21fe32a73363da4ff422167fc869f6a12e 100644 (file)
@@ -54,7 +54,7 @@ interface(`snmp_read_snmp_var_lib_files',`
 ## </summary>
 ## <param name="domain">
 ##     <summary>
-##     Domain allowed access.
+##     Domain to not audit.
 ##     </summary>
 ## </param>
 #
@@ -66,3 +66,21 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',`
        dontaudit $1 snmpd_var_lib_t:file read_file_perms;
        dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read };
 ')
+
+########################################
+## <summary>
+##     dontaudit write snmpd libraries files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`snmp_dontaudit_write_snmp_var_lib_files',`
+       gen_require(`
+               type snmpd_var_lib_t;
+       ')
+
+       dontaudit $1 snmpd_var_lib_t:file write;
+')
index be5f9c0203debd3d4f492035f6c156f691e2e9cb..22617e9e6972d581a0ce240c0e61621325f8f64f 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(snmp,1.3.0)
+policy_module(snmp,1.3.1)
 
 ########################################
 #
index 46273d28912bd5d8e52d6cd61e0122bf06f7361c..6723760a9a4f2b524afefa4e5d3d8131456353dd 100644 (file)
 # toggled on activation of spamc, and similarly for spamd.
 template(`spamassassin_per_role_template',`
 
+       gen_require(`
+               type spamc_exec_t, spamassassin_exec_t;
+               type spamd_t, spamd_tmp_t;
+       ')
+
        ##############################
        #
        # Declarations
index e38124104e85b55e9029d5c24e91f0b742f33238..b1643ce5f704a5a140fc9194840dd8a89a01b315 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(spamassassin,1.5.0)
+policy_module(spamassassin,1.5.1)
 
 ########################################
 #
@@ -107,7 +107,8 @@ domain_use_interactive_fds(spamd_t)
 files_read_usr_files(spamd_t)
 files_read_etc_files(spamd_t)
 files_read_etc_runtime_files(spamd_t)
-files_search_var_lib(spamd_t)
+# /var/lib/spamassin
+files_read_var_lib_files(spamd_t)
 
 init_use_fds(spamd_t)
 init_use_script_ptys(spamd_t)
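Review bot: Replacing `files_search_var_lib(spamd_t)` with `files_read_var_lib_files(spamd_t)` lets spamd read files that carry the generic /var/lib label, not only its own directory as the comment implies. A dedicated type for the spamassassin directory with a matching file context entry would keep the access narrow; if that is out of scope here, the comment should say the grant is wider than needed. The comment also misspells the path and should read `# /var/lib/spamassassin`.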
index ffc7eb8b799efe4d8646c25558335a303f8b90f4..22997345a6588a0eb3dc8f9f3a85f59a2382b8cd 100644 (file)
@@ -35,11 +35,7 @@ template(`ssh_basic_client_template',`
 
        gen_require(`
                attribute ssh_server;
-               type ssh_exec_t, sshd_key_t;
-
-               ifdef(`strict_policy',`
-                       type sshd_tmp_t;
-               ')
+               type ssh_exec_t, sshd_key_t, sshd_tmp_t;
        ')
 
        ##############################
@@ -80,6 +76,11 @@ template(`ssh_basic_client_template',`
        # Read the ssh key file.
        allow $1_ssh_t sshd_key_t:file read_file_perms;
 
+       # Access the ssh temporary files.
+       allow $1_ssh_t sshd_tmp_t:dir manage_dir_perms;
+       allow $1_ssh_t sshd_tmp_t:file manage_file_perms;
+       files_tmp_filetrans($1_ssh_t, sshd_tmp_t, { file dir })
+
        # Transition from the domain to the derived domain.
        domtrans_pattern($2, ssh_exec_t, $1_ssh_t)
 
@@ -147,13 +148,6 @@ template(`ssh_basic_client_template',`
        sysnet_read_config($1_ssh_t)
        sysnet_dns_name_resolve($1_ssh_t)
 
-       ifdef(`strict_policy',`
-               # Access the ssh temporary files.
-               allow $1_ssh_t sshd_tmp_t:dir manage_dir_perms;
-               allow $1_ssh_t sshd_tmp_t:file manage_file_perms;
-               files_tmp_filetrans($1_ssh_t, sshd_tmp_t, { file dir })
-       ')
-
        tunable_policy(`read_default_t',`
                files_list_default($1_ssh_t)
                files_read_default_files($1_ssh_t)
@@ -225,6 +219,7 @@ template(`ssh_per_role_template',`
        type $1_ssh_agent_t;
        domain_type($1_ssh_agent_t)
        domain_entry_file($1_ssh_agent_t,ssh_agent_exec_t)
+       domain_interactive_fd($1_ssh_agent_t)
        role $3 types $1_ssh_agent_t;
 
        type $1_ssh_agent_tmp_t;
@@ -258,11 +253,15 @@ template(`ssh_per_role_template',`
 
        allow $1_ssh_t sshd_t:unix_stream_socket connectto;
 
+       allow $2 $1_ssh_t:process signal;
+
        userdom_use_unpriv_users_fds($1_ssh_t)
        userdom_dontaudit_list_user_home_dirs($1,$1_ssh_t)
        userdom_search_user_home_dirs($1,$1_ssh_t)
        # Write to the user domain tty.
        userdom_use_user_terminals($1,$1_ssh_t)
+       # needs to read krb tgt
+       userdom_read_user_tmp_files($1, $1_ssh_t)
 
        tunable_policy(`allow_ssh_keysign',`
                domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t)
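Review bot: `userdom_read_user_tmp_files($1, $1_ssh_t)` opens the user's temporary files to the ssh client, judging by its name, in order to reach a single Kerberos ticket cache. Make the trade-off explicit in the comment, e.g. `# needs to read the krb tgt, which is stored among the user tmp files; narrow once the cache has its own type`. The added `allow $2 $1_ssh_t:process signal;` has no comment at all; `# let the calling user domain signal its ssh client` would do. The template body starts and ends outside the hunk.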
@@ -292,8 +291,6 @@ template(`ssh_per_role_template',`
        ')
 
        ifdef(`TODO',`
-       allow $1_ssh_t $1_tmp_t:dir r_dir_perms;
-
        # for /bin/sh used to execute xauth
        dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read };
 
@@ -659,6 +656,24 @@ interface(`ssh_tcp_connect',`
        refpolicywarn(`$0($*) has been deprecated.')
 ')
 
+########################################
+## <summary>
+##     Execute the ssh daemon sshd domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`ssh_domtrans',`
+       gen_require(`
+               type sshd_t, sshd_exec_t;
+       ')
+
+       domtrans_pattern($1,sshd_exec_t,sshd_t)
+')
+
 ########################################
 ## <summary>
 ##     Execute the ssh client in the caller domain.
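Review bot: The summary of `ssh_domtrans`, `Execute the ssh daemon sshd domain.`, is missing words; `Execute the ssh daemon in the sshd domain.` matches what `domtrans_pattern($1,sshd_exec_t,sshd_t)` does. The parameter description should read `Domain allowed to transition.`, as `pcscd_domtrans` in this commit has it. Since the name does not say that it enters the server domain rather than a client domain, the summary is the only place a caller learns what they are granting.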
index abd1e0d3969b2d729357de1400f4ed158e2be384..cf9cceb82c3589e3a69a1167f63be02fe2417d0f 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(ssh,1.5.0)
+policy_module(ssh,1.5.1)
 
 ########################################
 #
@@ -8,6 +8,10 @@ policy_module(ssh,1.5.0)
 
 attribute ssh_server;
 
+# Type for the ssh-agent executable.
+type ssh_agent_exec_t;
+files_type(ssh_agent_exec_t)
+
 # ssh client executable.
 type ssh_exec_t;
 corecmd_executable_file(ssh_exec_t)
@@ -23,46 +27,20 @@ corecmd_executable_file(ssh_keysign_exec_t)
 type sshd_exec_t;
 corecmd_executable_file(sshd_exec_t)
 
-type sshd_key_t;
-files_type(sshd_key_t)
-
-ifdef(`targeted_policy',`
-       unconfined_alias_domain(sshd_t)
-       init_system_domain(sshd_t,sshd_exec_t)
+ssh_server_template(sshd)
+init_daemon_domain(sshd_t,sshd_exec_t)
 
-       type sshd_var_run_t;
-       files_type(sshd_var_run_t)
+ssh_server_template(sshd_extern)
 
-       ifdef(`enable_mcs',`
-               init_ranged_system_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh)
-       ')
-',`
-       # Type for the ssh-agent executable.
-       type ssh_agent_exec_t;
-       files_type(ssh_agent_exec_t)
-
-       ssh_server_template(sshd)
-       ssh_server_template(sshd_extern)
-
-       # cjp: commenting this out until typeattribute works in a conditional
-#      optional_policy(`
-#              tunable_policy(`run_ssh_inetd',`
-#                      inetd_tcp_service_domain(sshd_t,sshd_exec_t)
-#              ',`
-#                      init_daemon_domain(sshd_t,sshd_exec_t)
-#              ')
-#      ',`
-               # These rules should match the else block
-               # of the run_ssh_inetd tunable directly above
-               init_daemon_domain(sshd_t,sshd_exec_t)
+type sshd_key_t;
+files_type(sshd_key_t)
 
-               ifdef(`enable_mcs',`
-                       init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh)
-               ')
-#      ')
+type sshd_tmp_t;
+files_tmp_file(sshd_tmp_t)
+files_poly_parent(sshd_tmp_t)
 
-       type sshd_tmp_t;
-       files_tmp_file(sshd_tmp_t)
+ifdef(`enable_mcs',`
+       init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh)
 ')
 
 #################################
@@ -72,79 +50,86 @@ ifdef(`targeted_policy',`
 # sshd_t is the domain for the sshd program.
 #
 
-ifdef(`strict_policy',`
-       # so a tunnel can point to another ssh tunnel
-       allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
-       allow sshd_t self:key { search link write };
-
-       manage_dirs_pattern(sshd_t,sshd_tmp_t,sshd_tmp_t)
-       manage_files_pattern(sshd_t,sshd_tmp_t,sshd_tmp_t)
-       manage_sock_files_pattern(sshd_t,sshd_tmp_t,sshd_tmp_t)
-       files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
-
-       kernel_link_key(sshd_t)
-
-       # for X forwarding
-       corenet_tcp_bind_xserver_port(sshd_t)
-       corenet_sendrecv_xserver_server_packets(sshd_t)
-
-       tunable_policy(`ssh_sysadm_login',`
-               # Relabel and access ptys created by sshd
-               # ioctl is necessary for logout() processing for utmp entry and for w to
-               # display the tty.
-               # some versions of sshd on the new SE Linux require setattr
-               term_use_all_user_ptys(sshd_t)
-               term_setattr_all_user_ptys(sshd_t)
-               term_relabelto_all_user_ptys(sshd_t)
-
-               userdom_spec_domtrans_all_users(sshd_t)
-               userdom_signal_all_users(sshd_t)
-       ',`
-               userdom_spec_domtrans_unpriv_users(sshd_t)
-               userdom_signal_unpriv_users(sshd_t)
+# so a tunnel can point to another ssh tunnel
+allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
+allow sshd_t self:key { search link write };
 
-               userdom_setattr_unpriv_users_ptys(sshd_t)
-               userdom_relabelto_unpriv_users_ptys(sshd_t)
-               userdom_use_unpriv_users_ptys(sshd_t)
-       ')
+manage_dirs_pattern(sshd_t,sshd_tmp_t,sshd_tmp_t)
+manage_files_pattern(sshd_t,sshd_tmp_t,sshd_tmp_t)
+manage_sock_files_pattern(sshd_t,sshd_tmp_t,sshd_tmp_t)
+files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
 
-       optional_policy(`
-               daemontools_service_domain(sshd_t, sshd_exec_t)
-       ')
+kernel_search_key(sshd_t)
+kernel_link_key(sshd_t)
 
-       optional_policy(`
-               rpm_use_script_fds(sshd_t)
-       ')
+# for X forwarding
+corenet_tcp_bind_xserver_port(sshd_t)
+corenet_sendrecv_xserver_server_packets(sshd_t)
+
+ifdef(`targeted_policy',`
+       unconfined_domain(sshd_t)
+')
+
+tunable_policy(`ssh_sysadm_login',`
+       # Relabel and access ptys created by sshd
+       # ioctl is necessary for logout() processing for utmp entry and for w to
+       # display the tty.
+       # some versions of sshd on the new SE Linux require setattr
+       term_use_all_user_ptys(sshd_t)
+       term_setattr_all_user_ptys(sshd_t)
+       term_relabelto_all_user_ptys(sshd_t)
+
+       userdom_spec_domtrans_all_users(sshd_t)
+       userdom_signal_all_users(sshd_t)
+',`
+       userdom_spec_domtrans_unpriv_users(sshd_t)
+       userdom_signal_unpriv_users(sshd_t)
+
+       userdom_setattr_unpriv_users_ptys(sshd_t)
+       userdom_relabelto_unpriv_users_ptys(sshd_t)
+       userdom_use_unpriv_users_ptys(sshd_t)
+')
+
+optional_policy(`
+       daemontools_service_domain(sshd_t, sshd_exec_t)
+')
+
+optional_policy(`
+       inetd_tcp_service_domain(sshd_t, sshd_exec_t)
+')
+
+optional_policy(`
+       rpm_use_script_fds(sshd_t)
+')
+
+optional_policy(`
+       rssh_spec_domtrans_all_users(sshd_t)
+       # For reading /home/user/.ssh
+       rssh_read_all_users_ro_content(sshd_t)
+')
+
+ifdef(`TODO',`
+tunable_policy(`ssh_sysadm_login',`
+       # Relabel and access ptys created by sshd
+       # ioctl is necessary for logout() processing for utmp entry and for w to
+       # display the tty.
+       # some versions of sshd on the new SE Linux require setattr
+       allow sshd_t ptyfile:chr_file relabelto;
 
        optional_policy(`
-               rssh_spec_domtrans_all_users(sshd_t)
-               # For reading /home/user/.ssh
-               rssh_read_all_users_ro_content(sshd_t)
+               domain_trans(sshd_t, xauth_exec_t, userdomain)
        ')
-
-       ifdef(`TODO',`
-       tunable_policy(`ssh_sysadm_login',`
-               # Relabel and access ptys created by sshd
-               # ioctl is necessary for logout() processing for utmp entry and for w to
-               # display the tty.
-               # some versions of sshd on the new SE Linux require setattr
-               allow sshd_t ptyfile:chr_file relabelto;
-
-               optional_policy(`
-                       domain_trans(sshd_t, xauth_exec_t, userdomain)
-               ')
-       ',`
-               optional_policy(`
-                       domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
-               ')
-               # Relabel and access ptys created by sshd
-               # ioctl is necessary for logout() processing for utmp entry and for w to
-               # display the tty.
-               # some versions of sshd on the new SE Linux require setattr
-               allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
+',`
+       optional_policy(`
+               domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
        ')
-       ') dnl endif TODO
+       # Relabel and access ptys created by sshd
+       # ioctl is necessary for logout() processing for utmp entry and for w to
+       # display the tty.
+       # some versions of sshd on the new SE Linux require setattr
+       allow sshd_t userpty_type:chr_file { relabelto read write getattr ioctl setattr };
 ')
+') dnl endif TODO
 
 #################################
 #
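Review bot: `inetd_tcp_service_domain(sshd_t, sshd_exec_t)` is now granted whenever the inetd module is present, in addition to `init_daemon_domain(sshd_t,sshd_exec_t)` from the declarations hunk. The comment block this commit deletes described the two as alternatives selected by a `run_ssh_inetd` tunable, so the inetd entry point is no longer opt-in. Keep that on record above the block, e.g. `# should depend on run_ssh_inetd once typeattribute works in a conditional`. With `unconfined_domain(sshd_t)` under targeted_policy the individual rules above it add little in that policy, and a one-line comment saying so would stop readers from assuming sshd is confined there.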
index 32fb0f2a38999b7ccd0a5057ef5ac396e1799dc1..084c18df449a5f4242e78895966ca227dfb72ee4 100644 (file)
@@ -44,7 +44,7 @@ HOME_DIR/\.Xauthority.*       --      gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
 # /tmp
 #
 
-/tmp/\.ICE-unix                -d      gen_context(system_u:object_r:ice_tmp_t,s0)
+/tmp/\.ICE-unix                -d      gen_context(system_u:object_r:xdm_tmp_t,s0)
 /tmp/\.ICE-unix/.*     -s      <<none>>
 /tmp/\.X11-unix                -d      gen_context(system_u:object_r:xdm_tmp_t,s0)
 /tmp/\.X11-unix/.*     -s      <<none>>
index 46bbc1355756c86d69ea36a0012f271f198eb029..bec19bc4802b3393dc591e40e6995665544b86f1 100644 (file)
@@ -45,7 +45,7 @@ template(`xserver_common_domain_template',`
        # execheap needed until the X module loader is fixed.
        # NVIDIA Needs execstack
 
-       allow $1_xserver_t self:capability { dac_override fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
+       allow $1_xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
        dontaudit $1_xserver_t self:capability chown;
        allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
        allow $1_xserver_t self:fd use;
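Review bot: `fowner` is added to the X server capability set without a comment, although the lines just above explain why execheap and execstack are tolerated. `fowner` lets the server pass ownership checks on files it does not own, so the policy should state which operation needs it, e.g. `# fowner: <operation that requires it, to be filled in by the author>`. The template body starts and ends outside the hunk.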
@@ -138,6 +138,7 @@ template(`xserver_common_domain_template',`
        fs_getattr_xattr_fs($1_xserver_t)
        fs_search_nfs($1_xserver_t)
        fs_search_auto_mountpoints($1_xserver_t)
+       fs_search_ramfs($1_xserver_t)
 
        init_getpgid($1_xserver_t)
 
@@ -182,6 +183,11 @@ template(`xserver_common_domain_template',`
                nscd_socket_use($1_xserver_t)
        ')
 
+       optional_policy(`
+               rhgb_getpgid($1_xserver_t)
+               rhgb_signal($1_xserver_t)
+       ')
+
        optional_policy(`
                xfs_stream_connect($1_xserver_t)
        ')
@@ -309,6 +315,7 @@ template(`xserver_per_role_template',`
        userdom_rw_user_tmpfs_files($1,$1_xserver_t)
 
        xserver_use_user_fonts($1,$1_xserver_t)
+       xserver_rw_xdm_tmp_files($1_xauth_t)
 
        optional_policy(`
                userhelper_search_config($1_xserver_t)
@@ -402,6 +409,8 @@ template(`xserver_per_role_template',`
        allow $2 $1_iceauth_home_t:file manage_file_perms;
        allow $2 $1_iceauth_home_t:file { relabelfrom relabelto };
 
+       allow xdm_t $1_iceauth_home_t:file r_file_perms;
+
        fs_search_auto_mountpoints($1_iceauth_t)
 
        libs_use_ld_so($1_iceauth_t)
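Review bot: `allow xdm_t $1_iceauth_home_t:file r_file_perms;` uses the older `r_file_perms` name, while the radvd hunk in this same commit moves to `read_file_perms`; if the two sets are meant to be equivalent, `allow xdm_t $1_iceauth_home_t:file read_file_perms;` keeps the commit consistent. The rule names `xdm_t` inside a per-role template whose `gen_require` is outside the hunk, so check that `xdm_t` is required there. A comment such as `# xdm reads the user's ICE authority file` would explain why the display manager gets access to per-user authority data.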
@@ -525,7 +534,7 @@ template(`xserver_user_client_template',`
 
        gen_require(`
                type xdm_t, xdm_tmp_t;
-               type $1_xauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t;
+               type $1_xauth_home_t, $1_iceauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t;
        ')
 
        allow $2 self:shm create_shm_perms;
@@ -534,6 +543,7 @@ template(`xserver_user_client_template',`
 
        # Read .Xauthority file
        allow $2 $1_xauth_home_t:file { getattr read };
+       allow $2 $1_iceauth_home_t:file { getattr read };
 
        # for when /tmp/.X11-unix is created by the system
        allow $2 xdm_t:fd use;
@@ -555,6 +565,8 @@ template(`xserver_user_client_template',`
        xserver_rw_session_template($1,$2,$3)
        xserver_use_user_fonts($1,$2)
 
+       xserver_read_xdm_tmp_files($2)
+
        # Client write xserver shm
        tunable_policy(`allow_write_xshm',`
                allow $2 $1_xserver_t:shm rw_shm_perms;
@@ -642,6 +654,39 @@ template(`xserver_domtrans_user_xauth',`
        domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
 ')
 
+########################################
+## <summary>
+##     Transition to a user Xauthority domain.
+## </summary>
+## <desc>
+##     <p>
+##     Transition to a user Xauthority domain.
+##     </p>
+##     <p>
+##     This is a templated interface, and should only
+##     be called from a per-userdomain template.
+##     </p>
+## </desc>
+## <param name="userdomain_prefix">
+##     <summary>
+##     The prefix of the user domain (e.g., user
+##     is the prefix for user_t).
+##     </summary>
+## </param>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+template(`xserver_user_home_dir_filetrans_user_xauth',`
+       gen_require(`
+               type $1_xauth_home_t;
+       ')
+
+       userdom_user_home_dir_filetrans($1, $2, $1_xauth_home_t, file)
+')
+
 ########################################
 ## <summary>
 ##     Read all users fonts, user font configurations,
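Review bot: The summary and description of `xserver_user_home_dir_filetrans_user_xauth` both say `Transition to a user Xauthority domain.`, apparently copied from the domain-transition template above it. The body calls `userdom_user_home_dir_filetrans($1, $2, $1_xauth_home_t, file)`, so the text should read along the lines of `Create files in the user home directory with the user Xauthority file type.`. The second parameter is then the domain allowed to create those files, which is worth saying instead of `Domain allowed access.`.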
@@ -914,6 +959,7 @@ interface(`xserver_domtrans_xdm_xserver',`
                type xdm_xserver_t, xserver_exec_t;
        ')
 
+       allow $1 xdm_xserver_t:process siginh;
        domtrans_pattern($1,xserver_exec_t,xdm_xserver_t)
 ')
 
@@ -1029,6 +1075,7 @@ interface(`xserver_delete_log',`
        logging_search_logs($1)
        allow $1 xserver_log_t:dir list_dir_perms;
        delete_files_pattern($1,xserver_log_t,xserver_log_t)
+       delete_fifo_files_pattern($1,xserver_log_t,xserver_log_t)
 ')
 
 ########################################
@@ -1085,9 +1132,84 @@ interface(`xserver_read_xdm_tmp_files',`
                type xdm_tmp_t;
        ')
 
+       files_search_tmp($1)
        read_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
 ')
 
+########################################
+## <summary>
+##     Do not audit attempts to read xdm temporary files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit
+##     </summary>
+## </param>
+#
+interface(`xserver_dontaudit_read_xdm_tmp_files',`
+       gen_require(`
+               type xdm_tmp_t;
+       ')
+
+       dontaudit $1 xdm_tmp_t:dir search_dir_perms;
+       dontaudit $1 xdm_tmp_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##     Read write xdm temporary files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit
+##     </summary>
+## </param>
+#
+interface(`xserver_rw_xdm_tmp_files',`
+       gen_require(`
+               type xdm_tmp_t;
+       ')
+
+       allow $1 xdm_tmp_t:dir search_dir_perms;
+       allow $1 xdm_tmp_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##     Create, read, write, and delete xdm temporary files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit
+##     </summary>
+## </param>
+#
+interface(`xserver_manage_xdm_tmp_files',`
+       gen_require(`
+               type xdm_tmp_t;
+       ')
+
+       manage_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
+')
+
+########################################
+## <summary>
+##     dontaudit getattr xdm temporary named sockets.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit
+##     </summary>
+## </param>
+#
+interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+       gen_require(`
+               type xdm_tmp_t;
+       ')
+
+       dontaudit $1 xdm_tmp_t:sock_file getattr;
+')
+
 ########################################
 ## <summary>
 ##     Signal XDM X servers
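Review bot: `xserver_rw_xdm_tmp_files` and `xserver_manage_xdm_tmp_files` describe their parameter as `Domain to not audit`, but both emit allow rules; the text should be `Domain allowed access.`. This hunk adds `files_search_tmp($1)` to `xserver_read_xdm_tmp_files`, yet neither new allow interface calls it, so a caller without search access to /tmp would still be denied; add `files_search_tmp($1)` to both. `xserver_rw_xdm_tmp_files` and `xserver_dontaudit_read_xdm_tmp_files` also spell out `dir search_dir_perms` and `file` rules by hand where the read interface uses a pattern macro, which is worth aligning.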
@@ -1143,6 +1265,25 @@ interface(`xserver_dontaudit_rw_xdm_xserver_tcp_sockets',`
        dontaudit $1 xdm_xserver_t:tcp_socket { read write };
 ')
 
+########################################
+## <summary>
+##     Do not audit attempts to read and write xdm_xserver
+##     unix domain stream sockets.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`xserver_dontaudit_rw_xdm_stream_sockets',`
+       gen_require(`
+               type xdm_xserver_t;
+       ')
+
+       dontaudit $1 xdm_xserver_t:unix_stream_socket { read write };
+')
+
 ########################################
 ## <summary>
 ##     Connect to xdm_xserver over a unix domain
index 4d584bb82c7412d848f64bcc3789513e64c7226f..25d82d4a535ef106d716c222c089b9d554695856 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(xserver,1.3.0)
+policy_module(xserver,1.3.1)
 
 ########################################
 #
@@ -10,9 +10,6 @@ attribute fonts_type;
 attribute fonts_cache_type;
 attribute fonts_config_type;
 
-type ice_tmp_t;
-files_tmp_file(ice_tmp_t)
-
 type iceauth_exec_t;
 corecmd_executable_file(iceauth_exec_t)
 
@@ -45,6 +42,7 @@ files_pid_file(xdm_var_run_t)
 
 type xdm_tmp_t;
 files_tmp_file(xdm_tmp_t)
+typealias xdm_tmp_t alias ice_tmp_t;
 
 type xdm_tmpfs_t;
 files_tmpfs_file(xdm_tmpfs_t)
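Review bot: `typealias xdm_tmp_t alias ice_tmp_t;` carries no comment, and it is more than a rename: every rule elsewhere in the policy that names `ice_tmp_t` now applies to all `xdm_tmp_t` objects, and the new `xserver_*_xdm_tmp_files` interfaces reach what used to be a separate type. A line such as `# ice_tmp_t merged into xdm_tmp_t; alias kept so existing rules and file contexts still resolve` above it would record the intent. The remaining users of `ice_tmp_t` are outside this hunk and are worth checking, to confirm none of them gains more access to xdm temporary files than intended.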
@@ -95,23 +93,64 @@ allow xdm_t self:socket create_socket_perms;
 allow xdm_t self:appletalk_socket create_socket_perms;
 allow xdm_t self:key { search link write };
 
-# Supress permission check on .ICE-unix
-dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
-
 allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
 
-manage_dirs_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
-manage_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
-manage_sock_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
-files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
-
 # Allow gdm to run gdm-binary
 can_exec(xdm_t, xdm_exec_t)
 
+allow xdm_t xdm_lock_t:file manage_file_perms;
+files_lock_filetrans(xdm_t,xdm_lock_t,file)
+
 # wdm has its own config dir /etc/X11/wdm
 # this is ugly, daemons should not create files under /etc!
 manage_files_pattern(xdm_t,xdm_rw_etc_t,xdm_rw_etc_t)
 
+manage_dirs_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
+manage_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
+manage_sock_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
+files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
+
+manage_dirs_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
+manage_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
+manage_lnk_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
+manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
+manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
+fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t) 
+manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
+files_var_lib_filetrans(xdm_t,xdm_var_lib_t,file)
+
+manage_dirs_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
+manage_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
+manage_fifo_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
+files_pid_filetrans(xdm_t,xdm_var_run_t,{ dir file fifo_file })
+
+allow xdm_t xdm_xserver_t:process signal;
+allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
+
+allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
+allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms };
+
+# transition to the xdm xserver
+domtrans_pattern(xdm_t, xserver_exec_t, xdm_xserver_t)
+allow xdm_xserver_t xdm_t:process signal;
+allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
+
+allow xdm_t xdm_xserver_t:shm rw_shm_perms;
+
+# connect to xdm xserver over stream socket
+stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
+
+# Remove /tmp/.X11-unix/X0.
+delete_files_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t)
+delete_sock_files_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t)
+
+manage_dirs_pattern(xdm_t,xserver_log_t,xserver_log_t)
+manage_files_pattern(xdm_t,xserver_log_t,xserver_log_t)
+manage_fifo_files_pattern(xdm_t,xserver_log_t,xserver_log_t)
+logging_log_filetrans(xdm_t,xserver_log_t,file)
+
 kernel_read_system_state(xdm_t)
 kernel_read_kernel_sysctls(xdm_t)
 kernel_read_net_sysctls(xdm_t)
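Review bot: `allow xdm_t xdm_xserver_t:process signal;` is redundant in the block moved here, because `allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };` a few lines later already includes `signal`. The explicit `unix_stream_socket connectto` rule likewise appears to be repeated by the `stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)` call, assuming that pattern grants connectto on its last argument. These rules are no longer wrapped in the strict_policy ifdef and now apply to every policy type, so dropping the duplicates would make the effective permission set of xdm_t easier to audit.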
@@ -189,6 +228,7 @@ term_dontaudit_use_console(xdm_t)
 term_use_unallocated_ttys(xdm_t)
 term_setattr_unallocated_ttys(xdm_t)
 
+auth_domtrans_pam_console(xdm_t)
 auth_manage_pam_pid(xdm_t)
 auth_manage_pam_console_data(xdm_t)
 auth_rw_faillog(xdm_t)
@@ -219,71 +259,7 @@ userdom_read_unpriv_users_home_content_files(xdm_t)
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
 
-ifdef(`strict_policy',`
-       allow xdm_t xdm_lock_t:file manage_file_perms;
-       files_lock_filetrans(xdm_t,xdm_lock_t,file)
-
-       manage_dirs_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
-       manage_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
-       manage_lnk_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
-       manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
-       manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
-       fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
-       manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)  
-       manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
-       files_var_lib_filetrans(xdm_t,xdm_var_lib_t,file)
-
-       manage_dirs_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
-       manage_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
-       manage_fifo_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
-       files_pid_filetrans(xdm_t,xdm_var_run_t,{ dir file fifo_file })
-
-       allow xdm_t xdm_xserver_t:process signal;
-       allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-
-       allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
-       allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms };
-
-       # transition to the xdm xserver
-       domtrans_pattern(xdm_t, xserver_exec_t, xdm_xserver_t)
-       allow xdm_xserver_t xdm_t:process signal;
-       allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
-
-       allow xdm_t xdm_xserver_t:shm rw_shm_perms;
-
-       # connect to xdm xserver over stream socket
-       stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
-
-       # Remove /tmp/.X11-unix/X0.
-       delete_files_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t)
-       delete_sock_files_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t)
-
-       manage_dirs_pattern(xdm_t,xserver_log_t,xserver_log_t)
-       manage_files_pattern(xdm_t,xserver_log_t,xserver_log_t)
-       manage_fifo_files_pattern(xdm_t,xserver_log_t,xserver_log_t)
-       logging_log_filetrans(xdm_t,xserver_log_t,file)
-
-       auth_domtrans_pam_console(xdm_t)        
-
-       xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
-
-       tunable_policy(`xdm_sysadm_login',`
-               userdom_xsession_spec_domtrans_all_users(xdm_t)
-               # FIXME:
-#              xserver_rw_session_template(xdm,userdomain)
-       ',`
-               userdom_xsession_spec_domtrans_unpriv_users(xdm_t)
-               # FIXME:
-#              xserver_rw_session_template(xdm,unpriv_userdomain)
-#              dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
-#              allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms;
-       ')
-
-       optional_policy(`
-               alsa_domtrans(xdm_t)
-       ')
-')
+xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
 
 ifdef(`targeted_policy',`
        unconfined_domain(xdm_t)
@@ -313,6 +289,22 @@ tunable_policy(`use_samba_home_dirs',`
        fs_exec_cifs_files(xdm_t)
 ')
 
+tunable_policy(`xdm_sysadm_login',`
+       userdom_xsession_spec_domtrans_all_users(xdm_t)
+       # FIXME:
+#      xserver_rw_session_template(xdm,userdomain)
+',`
+       userdom_xsession_spec_domtrans_unpriv_users(xdm_t)
+       # FIXME:
+#      xserver_rw_session_template(xdm,unpriv_userdomain)
+#      dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
+#      allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms;
+')
+
+optional_policy(`
+       alsa_domtrans(xdm_t)
+')
+
 optional_policy(`
        consoletype_exec(xdm_t)
 ')
@@ -396,6 +388,14 @@ fs_search_auto_mountpoints(xdm_xserver_t)
 
 init_use_fds(xdm_xserver_t)
 
+# FIXME: After per user fonts are properly working
+# xdm_xserver_t may no longer have any reason
+# to read ROLE_home_t - examine this in more detail
+# (xauth?)
+userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
+
+xserver_use_all_users_fonts(xdm_xserver_t)
+
 tunable_policy(`use_nfs_home_dirs',`
        fs_manage_nfs_dirs(xdm_xserver_t)
        fs_manage_nfs_files(xdm_xserver_t)
@@ -408,16 +408,6 @@ tunable_policy(`use_samba_home_dirs',`
        fs_manage_cifs_symlinks(xdm_xserver_t)
 ')
 
-ifdef(`strict_policy',`
-       # FIXME: After per user fonts are properly working
-       # xdm_xserver_t may no longer have any reason
-       # to read ROLE_home_t - examine this in more detail
-       # (xauth?)
-       userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
-
-       xserver_use_all_users_fonts(xdm_xserver_t)
-')
-
 ifdef(`targeted_policy',`
        unconfined_domain_noaudit(xdm_xserver_t)
        unconfined_domtrans(xdm_xserver_t)
index d39159ef23d7f1fc5e9519199749916e47b479b5..46a75e91133825c01bf8a1cfce66c419479bea53 100644 (file)
@@ -204,6 +204,7 @@ interface(`auth_login_pgm_domain',`
        mls_file_upgrade($1)
        mls_file_downgrade($1)
        mls_process_set_level($1)
+       mls_fd_share_all_levels($1)
 
        auth_domtrans_chk_passwd($1)
        auth_dontaudit_read_shadow($1)
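Review bot: `mls_fd_share_all_levels($1)` is added to `auth_login_pgm_domain` with no comment, and it is an MLS exemption that every login program domain using this interface inherits. A short why-comment above it, for example `# descriptors opened by the login program must stay usable by the session at the user's level`, would let a reviewer judge whether all callers need it. The author should confirm that wording, since the hunk does not show the denial that motivated the change. The interface body starts and ends outside this hunk.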
@@ -344,6 +345,11 @@ interface(`auth_domtrans_chk_passwd',`
                nis_use_ypbind($1)
        ')
 
+       optional_policy(`
+               pcscd_read_pub_files($1)
+               pcscd_stream_connect($1)
+       ')
+
        optional_policy(`
                samba_stream_connect_winbind($1)
        ')
index f0fa13adaf5f0fc1ea72c6bd85c9641cf32542b1..a9c88401a18ee565798f93396047cff2616a3386 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(authlogin,1.5.0)
+policy_module(authlogin,1.5.1)
 
 ########################################
 #
index 1b4909fbf2b8c7e72c78d8322dd3c19c05855360..5a75b5b0b01502a905ffbaffeb2f23893b3d99e1 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(clock,1.2.0)
+policy_module(clock,1.2.1)
 
 ########################################
 #
@@ -32,8 +32,7 @@ send_audit_msgs_pattern(hwclock_t)
 allow hwclock_t adjtime_t:file { rw_file_perms setattr };
 
 kernel_read_kernel_sysctls(hwclock_t)
-kernel_list_proc(hwclock_t)
-kernel_read_proc_symlinks(hwclock_t)
+kernel_read_system_state(hwclock_t)
 
 corecmd_exec_bin(hwclock_t)
 corecmd_exec_shell(hwclock_t)
index dc0ca89b9f8434b9f271097f95c118f6f72be568..4f919344d22827f6c435074135e2af9a073db760 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(fstools,1.5.0)
+policy_module(fstools,1.5.1)
 
 ########################################
 #
@@ -9,7 +9,6 @@ policy_module(fstools,1.5.0)
 type fsadm_t;
 type fsadm_exec_t;
 init_system_domain(fsadm_t,fsadm_exec_t)
-mls_file_read_up(fsadm_t)
 role system_r types fsadm_t;
 
 type fsadm_log_t;
@@ -27,7 +26,7 @@ files_type(swapfile_t)
 #
 
 # ipc_lock is for losetup
-allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search };
+allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search };
 allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };
 allow fsadm_t self:fd use;
 allow fsadm_t self:fifo_file rw_file_perms;
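Review bot: The new `sys_resource` capability for fsadm_t is undocumented, while the comment above the rule explains `ipc_lock` (`# ipc_lock is for losetup`). sys_resource lets a process override resource limits and filesystem reserved-space and quota restrictions, so it deserves the same treatment: a one-line comment naming the tool and operation that triggered the denial. The next hunk in this file similarly widens `swapfile_t:file { read write getattr swapon }` to `{ rw_file_perms swapon }` without saying which extra permission was needed.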
@@ -53,7 +52,7 @@ manage_files_pattern(fsadm_t,fsadm_log_t,fsadm_log_t)
 logging_log_filetrans(fsadm_t,fsadm_log_t,file)
 
 # Enable swapping to files
-allow fsadm_t swapfile_t:file { read write getattr swapon };
+allow fsadm_t swapfile_t:file { rw_file_perms swapon };
 
 kernel_read_system_state(fsadm_t)
 kernel_read_kernel_sysctls(fsadm_t)
index 96f011a3fb8651020fb3cb246d5a6f1f8beed3fa..e59d0d87d613bd718699c655c03be5672e6251a7 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(getty,1.2.0)
+policy_module(getty,1.2.1)
 
 ########################################
 #
@@ -35,7 +35,8 @@ files_pid_file(getty_var_run_t)
 # Use capabilities.
 allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
 dontaudit getty_t self:capability sys_tty_config;
-allow getty_t self:process { getpgid getsession signal_perms };
+allow getty_t self:process { getpgid setpgid getsession signal_perms };
+allow getty_t self:fifo_file rw_fifo_file_perms;
 
 read_files_pattern(getty_t,getty_etc_t,getty_etc_t)
 read_lnk_files_pattern(getty_t,getty_etc_t,getty_etc_t)
@@ -80,6 +81,7 @@ auth_rw_login_records(getty_t)
 
 corecmd_search_bin(getty_t)
 corecmd_search_sbin(getty_t)
+corecmd_read_bin_symlinks(getty_t)
 
 files_rw_generic_pids(getty_t)
 files_read_etc_runtime_files(getty_t)
@@ -130,6 +132,10 @@ optional_policy(`
        ppp_domtrans(getty_t)
 ')
 
+optional_policy(`
+       rhgb_dontaudit_use_ptys(getty_t)
+')
+
 optional_policy(`
        udev_read_db(getty_t)
 ')
index a9593c99501f36bad13b13a368bf039c4c743fd1..32745e74199770674a73c40a3411c825a3898aa7 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(init,1.5.0)
+policy_module(init,1.5.1)
 
 gen_require(`
        class passwd rootok;
@@ -431,6 +431,8 @@ ifdef(`distro_redhat',`
        # this is from kmodule, which should get its own policy:
        allow initrc_t self:capability sys_admin;
 
+       allow initrc_t self:process setfscreate;
+
        # Red Hat systems seem to have a stray
        # fd open from the initrd
        kernel_dontaudit_use_fds(initrc_t)
@@ -452,6 +454,8 @@ ifdef(`distro_redhat',`
        # wants to read /.fonts directory
        files_read_default_files(initrc_t)
        files_mountpoint(initrc_tmp_t)
+       # Needs to cp localtime to /var dirs
+       files_write_var_dirs(initrc_t)
 
        fs_rw_tmpfs_chr_files(initrc_t)
 
@@ -462,6 +466,11 @@ ifdef(`distro_redhat',`
        # readahead asks for these
        auth_dontaudit_read_shadow(initrc_t)
 
+       # init scripts cp /etc/localtime over other directories localtime
+       miscfiles_rw_localization(initrc_t)
+       miscfiles_setattr_localization(initrc_t)
+       miscfiles_relabel_localization(initrc_t)
+
        miscfiles_read_fonts(initrc_t)
        miscfiles_read_hwdata(initrc_t)
 
index f0aa1f157864df9a15fba936715a21d36388c5b3..a850b14db41a641c2a77f4a6daaddaebc429bb20 100644 (file)
@@ -7,7 +7,7 @@
 
 /etc/ipsec\.d(/.*)?                    gen_context(system_u:object_r:ipsec_key_file_t,s0)
 
-/sbin/setkey                   --      gen_context(system_u:object_r:ipsec_exec_t,s0)
+/sbin/setkey                   --      gen_context(system_u:object_r:setkey_exec_t,s0)
 
 /usr/lib(64)?/ipsec/_plutoload --      gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 /usr/lib(64)?/ipsec/_plutorun  --      gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
@@ -26,8 +26,8 @@
 /usr/local/lib(64)?/ipsec/pluto --     gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/local/lib(64)?/ipsec/spi  --      gen_context(system_u:object_r:ipsec_exec_t,s0)
 
-/usr/sbin/racoon               --      gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/sbin/setkey               --      gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/sbin/racoon               --      gen_context(system_u:object_r:racoon_exec_t,s0)
+/usr/sbin/setkey               --      gen_context(system_u:object_r:setkey_exec_t,s0)
 
 /var/racoon(/.*)?                      gen_context(system_u:object_r:ipsec_var_run_t,s0)
 
index eef098944dc8a53135b86ba88a07a9cca312de87..d796b43c7bef94413f30face5893a3a64447be99 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(ipsec,1.2.0)
+policy_module(ipsec,1.2.1)
 
 ########################################
 #
@@ -19,6 +19,9 @@ files_type(ipsec_conf_file_t)
 type ipsec_key_file_t;
 files_type(ipsec_key_file_t)
 
+# Default type for IPSEC SPD entries
+type ipsec_spd_t;
+
 # type for runtime files, including pluto.ctl
 type ipsec_var_run_t;
 files_pid_file(ipsec_var_run_t)
@@ -35,6 +38,16 @@ files_lock_file(ipsec_mgmt_lock_t)
 type ipsec_mgmt_var_run_t;
 files_pid_file(ipsec_mgmt_var_run_t)
 
+type racoon_t;
+type racoon_exec_t;
+init_daemon_domain(racoon_t,racoon_exec_t)
+role system_r types racoon_t;
+
+type setkey_t;
+type setkey_exec_t;
+init_system_domain(setkey_t,setkey_exec_t)
+role system_r types setkey_t;
+
 ########################################
 #
 # ipsec Local policy
@@ -265,3 +278,83 @@ file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
 
 allow ipsec_mgmt_t dev_fs:file_class_set getattr;
 ') dnl end TODO
+
+########################################
+#
+# Racoon local policy
+#
+
+allow racoon_t self:capability { net_admin net_bind_service };
+allow racoon_t self:netlink_route_socket create_netlink_socket_perms;
+allow racoon_t self:unix_dgram_socket { connect create ioctl write };
+allow racoon_t self:netlink_selinux_socket { bind create read };
+allow racoon_t self:udp_socket create_socket_perms;
+allow racoon_t self:key_socket { create read setopt write };
+
+# manage pid file
+manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t)
+manage_sock_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t)
+files_pid_filetrans(racoon_t,ipsec_var_run_t,file)
+
+allow racoon_t ipsec_conf_file_t:dir list_dir_perms;
+read_files_pattern(racoon_t,ipsec_conf_file_t,ipsec_conf_file_t)
+read_lnk_files_pattern(racoon_t,ipsec_conf_file_t,ipsec_conf_file_t)
+
+allow racoon_t ipsec_key_file_t:dir list_dir_perms;
+read_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t)
+read_lnk_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t)
+
+allow racoon_t ipsec_spd_t:association setcontext;
+
+kernel_read_network_state(racoon_t)
+
+corenet_non_ipsec_sendrecv(racoon_t)
+corenet_tcp_bind_all_nodes(racoon_t)
+corenet_udp_bind_isakmp_port(racoon_t)
+
+dev_read_urand(racoon_t)
+
+# allow racoon to set contexts on ipsec policy and SAs
+domain_ipsec_setcontext_all_domains(racoon_t)
+
+files_read_etc_files(racoon_t)
+
+# allow racoon to use avc_has_perm to check context on proposed SA
+selinux_compute_access_vector(racoon_t)
+
+libs_use_ld_so(racoon_t)
+libs_use_shared_libs(racoon_t)
+
+locallogin_use_fds(racoon_t)
+
+logging_send_syslog_msg(racoon_t)
+
+miscfiles_read_localization(racoon_t)
+
+seutil_read_config(setkey_t)
+
+########################################
+#
+# Setkey local policy
+#
+
+allow setkey_t self:capability net_admin;
+allow setkey_t self:key_socket { create read setopt write };
+allow setkey_t self:netlink_route_socket create_netlink_socket_perms;
+
+# allow setkey to set the context for ipsec SAs and policy.
+allow setkey_t ipsec_spd_t:association setcontext;
+
+# allow setkey utility to set contexts on SA's and policy
+domain_ipsec_setcontext_all_domains(setkey_t)
+
+files_read_etc_files(setkey_t)
+
+locallogin_use_fds(setkey_t)
+
+libs_use_ld_so(setkey_t)
+libs_use_shared_libs(setkey_t)
+
+miscfiles_read_localization(setkey_t)
+
+seutil_read_config(setkey_t)
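Review bot: The last rule of the racoon section is `seutil_read_config(setkey_t)`, which looks like a copy-paste slip: it grants nothing to racoon_t and duplicates the identical call that closes the setkey section. If racoon needs to read the SELinux configuration (it is given `selinux_compute_access_vector`), the line should be `seutil_read_config(racoon_t)`. In the same section `corenet_tcp_bind_all_nodes(racoon_t)` sits beside `corenet_udp_bind_isakmp_port(racoon_t)` and a `udp_socket` self rule, with no tcp_socket rule visible. `corenet_udp_bind_all_nodes(racoon_t)` was therefore probably intended.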
index bd5d1810b48a0ca3d7961dd3cb4c58eecad47a44..cc40dcb084538e7f8a82f034e53a60e7ee2ad318 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(iptables,1.2.0)
+policy_module(iptables,1.2.1)
 
 ########################################
 #
@@ -96,6 +96,10 @@ optional_policy(`
        nis_use_ypbind(iptables_t)
 ')
 
+optional_policy(`
+       nscd_socket_use(iptables_t)
+')
+
 optional_policy(`
        ppp_dontaudit_use_fds(iptables_t)
 ')
index 4a4b47054f6bb9d51eb79337a1b9769e075c171d..f7e2c00dc7fb7a7e01fc2cd69329f1c0527b9d07 100644 (file)
@@ -79,6 +79,7 @@ ifdef(`distro_gentoo',`
 /opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/(.*/)?java/.+\.jar                        --      gen_context(system_u:object_r:shlib_t,s0)
 /opt/(.*/)?jre/.+\.jar                 --      gen_context(system_u:object_r:shlib_t,s0)
+/opt/ibm/java2-ppc64-50/jre/bin/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 ifdef(`distro_gentoo',`
 # despite the extensions, they are actually libs
@@ -242,6 +243,7 @@ ifdef(`distro_redhat',`
 /usr/lib(64)?/libmp3lame\.so.*         --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 # Flash plugin, Macromedia
+HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 HOME_DIR/.*/plugins/libflashplayer\.so.* --    gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/.*/libflashplayer\.so.*  --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/local/(.*/)?libflashplayer\.so.*  --      gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -254,6 +256,8 @@ HOME_DIR/.*/plugins/nprhapengine\.so.* --   gen_context(system_u:object_r:textrel_
 /usr/lib(64)?/libdivxdecore\.so\.0     --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libdivxencore\.so\.0     --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 
+/usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto.so --        gen_context(system_u:object_r:textrel_shlib_t,s0)
+
 # vmware 
 /usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so  -- gen_context(system_u:object_r:textrel_shlib_t,s0)
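Review bot: The new M2Crypto entry leaves its dots unescaped, so `python2.4` and `__m2crypto.so` match any character in those positions, unlike the neighbouring entries, which write `\.so`. Suggested form: `/usr/lib(64)?/python2\.4/site-packages/M2Crypto/__m2crypto\.so`. The practical exposure is small, but patterns that assign `textrel_shlib_t` are best kept as tight as the path allows.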
index 1c1d33ffce51b6c633f991680fb53e765f90ba43..3d763c75a74269da5a2f8fda0fa6e75d7cb7286a 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(libraries,1.5.0)
+policy_module(libraries,1.5.1)
 
 ########################################
 #
index 34f57896fe534766040bf0efcbcb9fd590280053..74aeeced404eeec9e4cb34a0287c3f4f258a3eb4 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(logging,1.5.0)
+policy_module(logging,1.5.1)
 
 ########################################
 #
@@ -320,6 +320,13 @@ corenet_udp_sendrecv_all_nodes(syslogd_t)
 corenet_udp_sendrecv_all_ports(syslogd_t)
 corenet_udp_bind_all_nodes(syslogd_t)
 corenet_udp_bind_syslogd_port(syslogd_t)
+# syslog-ng can listen and connect on tcp port 514 (rsh)
+corenet_tcp_sendrecv_all_if(syslogd_t)
+corenet_tcp_sendrecv_all_nodes(syslogd_t)
+corenet_tcp_sendrecv_all_ports(syslogd_t)
+corenet_tcp_bind_rsh_port(syslogd_t)
+corenet_tcp_connect_rsh_port(syslogd_t)
+
 # syslog-ng can send or receive logs
 corenet_sendrecv_syslogd_client_packets(syslogd_t)
 corenet_sendrecv_syslogd_server_packets(syslogd_t)
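Review bot: The TCP block for syslog-ng grants `corenet_tcp_bind_rsh_port(syslogd_t)` but no `corenet_tcp_bind_all_nodes(syslogd_t)`, whereas the UDP rules just above pair the port bind with `corenet_udp_bind_all_nodes(syslogd_t)`. Unless the node bind is granted elsewhere in the file, listening on TCP 514 would presumably still be denied. The rules are also unconditional, so every daemon running as syslogd_t may bind and connect to the port type shared with rsh. If only syslog-ng needs this, a tunable, or at least a comment saying so, would make the widened network access explicit.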
index ea2ed516f5d0018ccbd5a515f8ac8f5c8d77365b..360df31092677f84dd47e3413dec0d74153e2573 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(lvm,1.5.0)
+policy_module(lvm,1.5.1)
 
 ########################################
 #
@@ -44,6 +44,7 @@ files_tmp_file(lvm_tmp_t)
 # Cluster LVM daemon local policy
 #
 
+allow clvmd_t self:capability { sys_admin mknod };
 dontaudit clvmd_t self:capability sys_tty_config;
 allow clvmd_t self:process signal_perms;
 allow clvmd_t self:socket create_socket_perms;
@@ -62,9 +63,11 @@ kernel_read_system_state(clvmd_t)
 kernel_list_proc(clvmd_t)
 kernel_read_proc_symlinks(clvmd_t)
 kernel_search_debugfs(clvmd_t)
+kernel_dontaudit_getattr_core_if(clvmd_t)
 
 corecmd_exec_shell(clvmd_t)
 corecmd_read_bin_symlinks(clvmd_t)
+corecmd_getattr_sbin_files(clvmd_t)
 corecmd_read_sbin_symlinks(clvmd_t)
 
 corenet_non_ipsec_sendrecv(clvmd_t)
@@ -83,12 +86,18 @@ corenet_sendrecv_generic_server_packets(clvmd_t)
 
 dev_read_sysfs(clvmd_t)
 dev_manage_generic_chr_files(clvmd_t)
+dev_rw_lvm_control(clvmd_t)
+dev_dontaudit_getattr_all_blk_files(clvmd_t)
+dev_dontaudit_getattr_all_chr_files(clvmd_t)
 
 files_read_etc_files(clvmd_t)
 files_list_usr(clvmd_t)
 
 fs_getattr_all_fs(clvmd_t)
 fs_search_auto_mountpoints(clvmd_t)
+fs_dontaudit_list_tmpfs(clvmd_t)
+
+storage_dontaudit_getattr_removable_dev(clvmd_t)
 
 term_dontaudit_use_console(clvmd_t)
 
@@ -127,6 +136,10 @@ optional_policy(`
        ccs_stream_connect(clvmd_t)
 ')
 
+optional_policy(`
+       gpm_dontaudit_getattr_gpmctl(clvmd_t)
+')
+
 optional_policy(`
        nis_use_ypbind(clvmd_t)
 ')
@@ -157,6 +170,8 @@ allow lvm_t self:fifo_file rw_file_perms;
 allow lvm_t self:unix_dgram_socket create_socket_perms;
 allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
 
+allow lvm_t clvmd_t:unix_stream_socket connectto;
+
 manage_dirs_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t)
 manage_files_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t)
 files_tmp_filetrans(lvm_t, lvm_tmp_t, { file dir })
@@ -228,6 +243,7 @@ fs_search_auto_mountpoints(lvm_t)
 fs_list_tmpfs(lvm_t)
 fs_read_tmpfs_symlinks(lvm_t)
 fs_dontaudit_read_removable_files(lvm_t)
+fs_dontaudit_getattr_tmpfs_files(lvm_t)
 
 storage_relabel_fixed_disk(lvm_t)
 storage_dontaudit_read_removable_device(lvm_t)
@@ -240,8 +256,8 @@ storage_dev_filetrans_fixed_disk(lvm_t)
 # Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
 storage_manage_fixed_disk(lvm_t)
 
-term_dontaudit_getattr_all_user_ttys(lvm_t)
-term_dontaudit_getattr_pty_dirs(lvm_t)
+term_getattr_all_user_ttys(lvm_t)
+term_list_ptys(lvm_t)
 
 corecmd_exec_sbin(lvm_t)
 
@@ -274,8 +290,8 @@ ifdef(`distro_redhat',`
 ')
 
 ifdef(`targeted_policy', `
-       term_dontaudit_use_unallocated_ttys(lvm_t)
-       term_dontaudit_use_generic_ptys(lvm_t)
+       term_use_unallocated_ttys(lvm_t)
+       term_use_generic_ptys(lvm_t)
 
        files_dontaudit_read_root_files(lvm_t)
 ')
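Review bot: `term_use_unallocated_ttys(lvm_t)` and `term_use_generic_ptys(lvm_t)` replace dontaudit rules with real access, and nothing in the hunk says why lvm_t now needs to use these terminals under targeted policy. The preceding hunk in this file makes the same move, from `term_dontaudit_getattr_all_user_ttys` and `term_dontaudit_getattr_pty_dirs` to `term_getattr_all_user_ttys` and `term_list_ptys`. A comment such as `# lvm tools write progress and errors to the invoking admin's terminal` (to be confirmed by the author) would document the switch from silencing a denial to granting the access.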
index 276ad3c79733c610f59add034d708e43316ac2b2..cf640b64be50f7ccf5b7325564a63eba2ccc053b 100644 (file)
@@ -91,6 +91,26 @@ interface(`miscfiles_read_hwdata',`
        read_lnk_files_pattern($1,hwdata_t,hwdata_t)
 ')
 
+########################################
+## <summary>
+##     Allow process to setattr localization info
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`miscfiles_setattr_localization',`
+       gen_require(`
+               type locale_t;
+       ')
+
+       files_search_usr($1)
+       allow $1 locale_t:dir list_dir_perms;
+       allow $1 locale_t:file setattr;
+')
+
 ########################################
 ## <summary>
 ##     Allow process to read localization info
@@ -136,6 +156,25 @@ interface(`miscfiles_rw_localization',`
        rw_files_pattern($1,locale_t,locale_t)
 ')
 
+########################################
+## <summary>
+##     Allow process to relabel localization info
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`miscfiles_relabel_localization',`
+       gen_require(`
+               type locale_t;
+       ')
+
+       files_search_usr($1)
+       relabel_files_pattern($1,locale_t,locale_t)
+')
+
 ########################################
 ## <summary>
 ##     Allow process to read legacy time localization info
@@ -387,3 +426,44 @@ interface(`miscfiles_exec_test_files',`
        exec_files_pattern($1,test_file_t,test_file_t)
        read_lnk_files_pattern($1,test_file_t,test_file_t)
 ')
+
+########################################
+## <summary>
+##     Execute test files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`miscfiles_etc_filetrans_localization',`
+       gen_require(`
+               type locale_t;
+       ')
+
+       files_etc_filetrans($1, locale_t, file)
+
+')
+
+########################################
+## <summary>
+##     Create, read, write, and delete localization
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_manage_localization',`
+       gen_require(`
+               type locale_t;
+       ')
+
+       manage_dirs_pattern($1,locale_t,locale_t)
+       manage_files_pattern($1,locale_t,locale_t)
+       manage_lnk_files_pattern($1,locale_t,locale_t)
+')
+
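Review bot: The summary of `miscfiles_etc_filetrans_localization` reads `Execute test files.`, copied from the interface above it. The body calls `files_etc_filetrans($1, locale_t, file)`, so something like `Create files in etc with the localization type.` would match; that wording is inferred from the macro name, since its definition is not shown here. The body also ends with a stray blank line before the closing `')`. `miscfiles_manage_localization` omits the `files_search_usr($1)` call that the new setattr and relabel interfaces in this file include, which may leave callers unable to reach the locale directory.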
index 38f9861b883873a234e086898ed5eab00c822a60..afd7d9a25559722458e9f7453e710e1b7291491c 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(miscfiles,1.2.0)
+policy_module(miscfiles,1.2.1)
 
 ########################################
 #
index 81e2f2092d820a486f27aca33ded058b2316eccb..3236e4fe857bd739afa839a93cdc4251def00a0f 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(modutils,1.2.0)
+policy_module(modutils,1.2.1)
 
 gen_require(`
        bool secure_mode_insmod;
@@ -117,10 +117,6 @@ if( ! secure_mode_insmod ) {
        kernel_domtrans_to(insmod_t,insmod_exec_t)
 }
 
-ifdef(`hide_broken_symptoms',`
-       dev_dontaudit_rw_cardmgr(insmod_t)
-')
-
 ifdef(`targeted_policy',`
        unconfined_domain(insmod_t)
 ')
@@ -145,6 +141,11 @@ optional_policy(`
        fs_manage_ramfs_files(insmod_t)
 
        rhgb_use_fds(insmod_t)
+       rhgb_dontaudit_use_ptys(insmod_t)
+
+       xserver_dontaudit_write_log(insmod_t)
+       xserver_stream_connect_xdm_xserver(insmod_t)
+       xserver_dontaudit_rw_xdm_stream_sockets(insmod_t)
 
        ifdef(`hide_broken_symptoms',`
                xserver_dontaudit_rw_xdm_xserver_tcp_sockets(insmod_t)
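Review bot: `xserver_dontaudit_rw_xdm_stream_sockets(insmod_t)` suppresses audit records for insmod_t reading and writing the xdm X server's stream sockets, yet it is added outside the `hide_broken_symptoms` ifdef that guards the equivalent tcp-socket rule just below. If it covers a leaked descriptor, moving it next to `xserver_dontaudit_rw_xdm_xserver_tcp_sockets(insmod_t)` keeps such cover-ups switchable, so the denials can be made visible again during an investigation. It also sits oddly beside `xserver_stream_connect_xdm_xserver(insmod_t)`, which allows insmod_t to connect to the same server. A comment on why a module loader talks to X would help. The optional_policy block starts before and ends after this hunk.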
index 639a6f64a5e0af448fd189ee26356b2e08e63ae3..7f859e95514c51f9a4bfdd03fbf9faf204165e5a 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(selinuxutil,1.4.0)
+policy_module(selinuxutil,1.4.1)
 
 ifdef(`strict_policy',`
        gen_require(`
@@ -292,6 +292,7 @@ domain_sigchld_interactive_fds(newrole_t)
 
 # Write to utmp.
 init_rw_utmp(newrole_t)
+init_use_fds(newrole_t)
 
 files_read_etc_files(newrole_t)
 files_read_var_files(newrole_t)
@@ -307,6 +308,7 @@ miscfiles_read_localization(newrole_t)
 userdom_use_unpriv_users_fds(newrole_t)
 # for some PAM modules and for cwd
 userdom_dontaudit_search_all_users_home_content(newrole_t)
+userdom_search_all_users_home_dirs(newrole_t)
 
 ifdef(`strict_policy',`
        # if secure mode is enabled, then newrole
@@ -318,6 +320,10 @@ ifdef(`strict_policy',`
        }
 ')
 
+tunable_policy(`allow_polyinstantiation',`
+       files_polyinstantiate_all(newrole_t)
+')
+
 optional_policy(`
        nis_use_ypbind(newrole_t)
 ')
@@ -409,6 +415,11 @@ ifdef(`hide_broken_symptoms',`
        optional_policy(`
                udev_dontaudit_rw_dgram_sockets(restorecon_t)
        ')
+
+       optional_policy(`
+               unconfined_dontaudit_rw_pipes(restorecon_t)
+               unconfined_dontaudit_rw_tcp_sockets(restorecon_t)
+       ')
 ')
 
 optional_policy(`
@@ -669,6 +680,7 @@ auth_relabelto_shadow(setfiles_t)
 init_use_fds(setfiles_t)
 init_use_script_fds(setfiles_t)
 init_use_script_ptys(setfiles_t)
+init_exec_script_files(setfiles_t)
 
 domain_use_interactive_fds(setfiles_t)
 
@@ -688,3 +700,10 @@ miscfiles_read_localization(setfiles_t)
 userdom_use_all_users_fds(setfiles_t)
 # for config files in a home directory
 userdom_read_all_users_home_content_files(setfiles_t)
+
+ifdef(`hide_broken_symptoms',`
+       # cjp: cover up stray file descriptors.
+       optional_policy(`
+               unconfined_dontaudit_read_pipes(setfiles_t)
+       ')
+')
index 8161430b044474ddc7f201b120ffbc38d0c23346..26cca2bc9fb55f6c7f6da540efa9913edb8fbf85 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(sysnetwork,1.2.0)
+policy_module(sysnetwork,1.2.1)
 
 ########################################
 #
@@ -326,6 +326,10 @@ ifdef(`hide_broken_symptoms',`
 ifdef(`targeted_policy',`
        term_use_generic_ptys(ifconfig_t)
        term_use_unallocated_ttys(ifconfig_t)
+
+       optional_policy(`
+               unconfined_dontaudit_read_pipes(ifconfig_t)
+       ')
 ')
 
 optional_policy(`
index b772df320c8f1cf8a59ecdd860429c7b1f602392..5d9bb3b4949b7c525325fdf9b88555628c97313d 100644 (file)
@@ -6,6 +6,7 @@
 
 ifdef(`targeted_policy',`
 /usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/qemu.*                        --      gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/bin/valgrind              --      gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/lib/ia32el/ia32x_loader   --      gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
index 2c7c721b9f554860e6ce5b8d429f29f478435e9e..816c263816d377f98925faf3c0ae1a7183afee8b 100644 (file)
@@ -31,6 +31,7 @@ interface(`unconfined_domain_noaudit',`
        allow $1 self:nscd *;
        allow $1 self:dbus *;
        allow $1 self:passwd *;
+       allow $1 self:association *;
 
        kernel_unconfined($1)
        corenet_unconfined($1)
index c18d90e50c0fce2b140a4997e0faa1982b79d8d8..19df0fb9d8f0ac013d057c4d9f8e3bd9e4e5d00e 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(unconfined,1.5.0)
+policy_module(unconfined,1.5.1)
 
 ########################################
 #
@@ -62,6 +62,10 @@ ifdef(`targeted_policy',`
                bind_domtrans_ndc(unconfined_t)
        ')
 
+       optional_policy(`
+               bootloader_domtrans(unconfined_t)
+       ')
+
        optional_policy(`
                init_dbus_chat_script(unconfined_t)
 
@@ -161,6 +165,10 @@ ifdef(`targeted_policy',`
                sysnet_dbus_chat_dhcpc(unconfined_t)
        ')
 
+       optional_policy(`
+               tzdata_domtrans(unconfined_t)
+       ')
+
        optional_policy(`
                usermanage_domtrans_admin_passwd(unconfined_t)
        ')
index a7146d832fdd6bc9c7062cfd586619236b78f731..ebb37c571c3c5e6b65893526ea6e667883c72fb9 100644 (file)
@@ -1,11 +1,4 @@
-ifdef(`strict_policy',`
 HOME_DIR       -d      gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh)
 HOME_DIR/.+            gen_context(system_u:object_r:ROLE_home_t,s0)
 
 /tmp/gconfd-USER -d    gen_context(system_u:object_r:ROLE_tmp_t,s0)
-')
-
-ifdef(`targeted_policy',`
-HOME_DIR       -d      gen_context(system_u:object_r:user_home_dir_t,s0)
-HOME_DIR/.+            gen_context(system_u:object_r:user_home_t,s0)
-')
index 0f1edf6eab92f346e5c52be4c8a225ea124ea293..2361425196d90dea1c45cfa3181bd2eab7444719 100644 (file)
@@ -102,6 +102,9 @@ template(`userdom_base_user_template',`
        libs_exec_ld_so($1_t)
 
        miscfiles_read_localization($1_t)
+       miscfiles_read_certs($1_t)
+
+       sysnet_read_config($1_t)
 
        tunable_policy(`allow_execmem',`
                # Allow loading DSOs that require executable stack.
@@ -154,6 +157,7 @@ template(`userdom_ro_home_template',`
        files_mountpoint($1_home_dir_t)
        files_associate_tmp($1_home_dir_t)
        fs_associate_tmpfs($1_home_dir_t)
+       files_poly_member($1_home_dir_t)
 
        ##############################
        #
@@ -337,12 +341,11 @@ template(`userdom_exec_home_template',`
 ## <rolebase/>
 #
 template(`userdom_poly_home_template',`
-       ifdef(`enable_polyinstantiation',`
-               type_member $1_t $1_home_dir_t:dir $1_home_t;
-
-               files_poly($1_home_dir_t)
-               files_poly_member($1_home_t)
-       ')
+       type_member $1_t $1_home_dir_t:dir $1_home_dir_t;
+       files_poly($1_home_dir_t)
+       files_poly_parent($1_home_dir_t)
+       files_poly_parent($1_home_t)
+       files_poly_member($1_home_t)
 ')
 
 #######################################
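Review bot: The new rule `type_member $1_t $1_home_dir_t:dir $1_home_dir_t;` names the same type as parent and as member, where the removed rule used `$1_home_t` as the member, and nothing in the hunk explains the change. `$1_home_t` is now also passed to both `files_poly_parent` and `files_poly_member`. With the enable_polyinstantiation guard removed, these rules apply to every caller of userdom_poly_home_template. I would add a comment above the type_member line, for example `# member directories keep the home dir type because <reason>`, so a reader can confirm the labelling is intended. The template's documentation header starts above the hunk.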
@@ -409,9 +412,7 @@ template(`userdom_exec_tmp_template',`
 ## <rolebase/>
 #
 template(`userdom_poly_tmp_template',`
-       ifdef(`enable_polyinstantiation',`
-               files_poly_member_tmp($1_t,$1_tmp_t)
-       ')
+       files_poly_member_tmp($1_t,tmp_t)
 ')
 
 #######################################
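Review bot: `files_poly_member_tmp($1_t,tmp_t)` refers to `tmp_t` directly, but userdom_poly_tmp_template has no gen_require block declaring it, and the type presumably belongs to the files module rather than to userdomain. The removed line passed the per-role `$1_tmp_t`. If the second argument is the member type, which I cannot confirm from this hunk, polyinstantiated /tmp members would now share the generic type instead of a per-role one. I would either add a gen_require containing `type tmp_t;`, or keep `$1_tmp_t` and explain in a comment why the generic type is wanted.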
@@ -593,6 +594,8 @@ template(`userdom_xwindows_client_template',`
                xserver_read_xdm_pid($1_t)
                # gnome-session creates socket under /tmp/.ICE-unix/
                xserver_create_xdm_tmp_sockets($1_t)
+               # Needed for escd, remove if we get escd policy
+               xserver_manage_xdm_tmp_files($1_t)
        ')
 ')
 
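Review bot: `xserver_manage_xdm_tmp_files($1_t)` gives every domain built from userdom_xwindows_client_template manage access to xdm's temporary files, in order to accommodate a single program, escd. The grant just above it, `xserver_create_xdm_tmp_sockets($1_t)`, is limited to creating sockets, whereas a manage interface conventionally covers create, write and delete. The comment should state that cost so the rule is not forgotten, for example `# Needed for escd: lets all X users write/delete xdm tmp files, remove once escd has its own policy`. The template body starts outside the hunk.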
@@ -727,6 +730,8 @@ template(`userdom_common_user_template',`
        dev_write_sound_mixer($1_t)
 
        domain_use_interactive_fds($1_t)
+       # Command completion can fire hundreds of denials
+       domain_dontaudit_exec_all_entry_files($1_t)
 
        files_exec_etc_files($1_t)
        files_search_locks($1_t)
@@ -784,6 +789,8 @@ template(`userdom_common_user_template',`
        seutil_read_default_contexts($1_t)
        seutil_read_config($1_t)
        seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
+       seutil_exec_checkpolicy($1_t)
+       seutil_exec_setfiles($1_t)
        # for when the network connection is killed
        # this is needed when a login role can change
        # to this one.
@@ -808,6 +815,10 @@ template(`userdom_common_user_template',`
                term_getattr_all_user_ttys($1_t)
        ')
 
+       optional_policy(`
+               alsa_read_rw_config($1_t)
+       ')
+
        optional_policy(`
                # Allow graphical boot to check battery lifespan
                apm_stream_connect($1_t)
@@ -818,16 +829,23 @@ template(`userdom_common_user_template',`
        ')
 
        optional_policy(`
+               cups_stream_connect($1_t)
                cups_stream_connect_ptal($1_t)
        ')
 
        optional_policy(`
+               allow $1_t self:dbus send_msg;
                dbus_system_bus_client_template($1,$1_t)
 
                optional_policy(`
                        bluetooth_dbus_chat($1_t)
                ')
 
+               optional_policy(`
+                       evolution_dbus_chat($1,$1_t)
+                       evolution_alarm_dbus_chat($1,$1_t)
+               ')
+
                optional_policy(`
                        cups_dbus_chat_config($1_t)
                ')
@@ -852,6 +870,10 @@ template(`userdom_common_user_template',`
                inn_read_news_spool($1_t)
        ')
 
+       optional_policy(`
+               locate_read_lib_files($1_t)
+       ')
+
        # for running depmod as part of the kernel packaging process
        optional_policy(`
                modutils_read_module_config($1_t)
@@ -880,6 +902,11 @@ template(`userdom_common_user_template',`
                pcmcia_read_pid($1_t)
        ')
 
+       optional_policy(`
+               pcscd_read_pub_files($1_t)
+               pcscd_stream_connect($1_t)
+       ')
+
        optional_policy(`
                quota_dontaudit_getattr_db($1_t)
        ')
@@ -1025,6 +1052,10 @@ template(`userdom_unpriv_user_template', `
                ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
        ')
 
+       optional_policy(`
+               setroubleshoot_stream_connect($1_t)
+       ')
+
        ifdef(`TODO',`
        ifdef(`xdm.te', `
                # this should cause the .xsession-errors file to be written to /tmp
@@ -1212,14 +1243,106 @@ template(`userdom_admin_user_template',`
                mta_admin_template($1,$1_t,$1_r)
        ')
 
-       ifdef(`TODO',`
-       ifdef(`xserver.te', `
-               tunable_policy(`xdm_sysadm_login',`
-                       allow xdm_t $1_home_t:lnk_file read;
-                       allow xdm_t $1_home_t:dir search;
-               ')
+       optional_policy(`
+               userhelper_exec($1_t)
+       ')
+')
+
+########################################
+## <summary>
+##     Allow user to run as a secadm
+## </summary>
+## <desc>
+##     <p>
+##     Create objects in a user home directory
+##     with an automatic type transition to
+##     a specified private type.
+##     </p>
+##     <p>
+##     This is a templated interface, and should only
+##     be called from a per-userdomain template.
+##     </p>
+## </desc>
+## <param name="userdomain_prefix">
+##     <summary>
+##     The prefix of the user domain (e.g., user
+##     is the prefix for user_t).
+##     </summary>
+## </param>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     The role  of the object to create.
+##     </summary>
+## </param>
+## <param name="object_class">
+##     <summary>
+##     The terminal
+##     </summary>
+## </param>
+#
+template(`userdom_security_admin_template',`
+       allow $1 self:capability { dac_read_search dac_override };
+
+       corecmd_exec_shell($1)
+
+       domain_obj_id_change_exemption($1)
+
+       dev_relabel_all_dev_nodes($1)
+
+       files_create_boot_flag($1)
+
+       # Necessary for managing /boot/efi
+       fs_manage_dos_files($1)
+
+       mls_process_read_up($1)
+       mls_file_read_up($1)
+       mls_file_upgrade($1)
+       mls_file_downgrade($1)
+
+       selinux_set_enforce_mode($1)
+       selinux_set_boolean($1)
+       selinux_set_parameters($1)
+
+       auth_relabel_all_files_except_shadow($1)
+       auth_relabel_shadow($1)
+
+       init_exec($1)
+
+       logging_send_syslog_msg($1)
+       logging_read_audit_log($1)
+       logging_read_generic_logs($1)
+       logging_read_audit_config($1)
+
+       seutil_manage_bin_policy($1)
+       seutil_run_checkpolicy($1,$2,$3)
+       seutil_run_loadpolicy($1,$2,$3)
+       seutil_run_semanage($1,$2,$3)
+       seutil_run_setfiles($1, $2, $3)
+       seutil_run_restorecon($1,$2,$3)
+
+       userdom_dontaudit_append_staff_home_content_files($1)
+       userdom_dontaudit_read_sysadm_home_content_files($1)
+
+       optional_policy(`
+               aide_run($1,$2, $3)
+       ')
+
+       optional_policy(`
+               consoletype_exec($1)
+       ')
+
+       optional_policy(`
+               dmesg_exec($1)
+       ')
+
+       optional_policy(`
+               netlabel_run_mgmt($1,$2, $3)
        ')
-       ') dnl endif TODO
 ')
 
 ########################################
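Review bot: The documentation block above `userdom_security_admin_template` does not describe the template. Its description is the home-directory type-transition text, and it lists four parameters (userdomain_prefix, domain, role, object_class), while the body uses $1 as the domain, $2 as the role and $3 as the terminal. The call `userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal)` later in this commit confirms that order. Because the template grants `dac_override`, `auth_relabel_shadow` and `selinux_set_enforce_mode`, the header should document exactly three parameters (domain, role, terminal) and describe it as granting security-administration access. It takes no userdomain prefix, so declaring it with `interface` rather than `template` would match how it is called.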
@@ -2289,6 +2412,55 @@ template(`userdom_user_home_dir_filetrans',`
        filetrans_pattern($2,$1_home_dir_t,$3,$4)
 ')
 
+########################################
+## <summary>
+##     Create objects in a user home directory
+##     with an automatic type transition to
+##     a specified private type.
+## </summary>
+## <desc>
+##     <p>
+##     Create objects in a user home directory
+##     with an automatic type transition to
+##     a specified private type.
+##     </p>
+##     <p>
+##     This is a templated interface, and should only
+##     be called from a per-userdomain template.
+##     </p>
+## </desc>
+## <param name="userdomain_prefix">
+##     <summary>
+##     The prefix of the user domain (e.g., user
+##     is the prefix for user_t).
+##     </summary>
+## </param>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="private_type">
+##     <summary>
+##     The type of the object to create.
+##     </summary>
+## </param>
+## <param name="object_class">
+##     <summary>
+##     The class of the object to be created.  If not
+##     specified, file is used.
+##     </summary>
+## </param>
+#
+template(`userdom_user_home_content_filetrans',`
+       gen_require(`
+               type $1_home_t;
+       ')
+
+       files_search_home($2)
+       filetrans_pattern($2,$1_home_t,$3,$4)
+')
+
 ########################################
 ## <summary>
 ##     Create objects in a user home directory
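Review bot: The summary and description of `userdom_user_home_content_filetrans` are copied unchanged from `userdom_user_home_dir_filetrans`, so both templates claim to create objects "in a user home directory". This one applies `filetrans_pattern($2,$1_home_t,$3,$4)`, so the transition happens in directories labelled `$1_home_t` (home content), not in the home directory itself. I would change the summary to `Create objects in a directory located in a user home directory with an automatic type transition to a specified private type.` and make the same change in the desc paragraph. The final context lines of the hunk belong to the next template's header, which continues outside it.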
@@ -3126,6 +3298,39 @@ template(`userdom_manage_user_untrusted_content_files',`
        manage_files_pattern($2,$1_untrusted_content_t,$1_untrusted_content_t)
 ')
 
+########################################
+## <summary>
+##     Manage user untrusted tmp files.
+## </summary>
+## <desc>
+##      <p>
+##      Create, read, write, and delete untrusted tmp files.
+##      </p>
+##      <p>
+##      This is a templated interface, and should only
+##      be called from a per-userdomain template.
+##      </p>
+## </desc>
+## <param name="userdomain_prefix">
+##     <summary>
+##      The prefix of the user domain (e.g., user
+##      is the prefix for user_t).
+##     </summary>
+## </param>
+## <param name="domain">
+##     <summary>
+##      Domain allowed access.
+##     </summary>
+## </param>
+#
+template(`userdom_manage_user_untrusted_content_tmp_files',`
+       gen_require(`
+               type $1_untrusted_content_tmp_t;
+       ')
+
+       manage_files_pattern($2,$1_untrusted_content_tmp_t,$1_untrusted_content_tmp_t)
+')
+
 ########################################
 ## <summary>
 ##     Do not audit attempts to read users
index f2af46ee4861f0e3f829b1ca3551eb44b4b96c8b..1e5a0b486ffad7761ab6f7849ae776cad1160d37 100644 (file)
@@ -1,5 +1,5 @@
 
-policy_module(userdomain,2.1.0)
+policy_module(userdomain,2.1.1)
 
 gen_require(`
        role sysadm_r, staff_r, user_r;
@@ -68,6 +68,7 @@ ifdef(`strict_policy',`
 
        # only staff_r can change to sysadm_r
        userdom_role_change_template(staff, sysadm)
+       dontaudit staff_t admin_terminal:chr_file { read write };
 
        ifdef(`enable_mls',`
                userdom_unpriv_user_template(secadm)
@@ -186,6 +187,14 @@ ifdef(`strict_policy',`
                #apache_domtrans_sys_script(sysadm_t)
        ')
 
+       optional_policy(`
+               tzdata_domtrans(sysadm_t)
+       ')
+
+       optional_policy(`
+               raid_domtrans_mdadm(sysadm_t)
+       ')
+
        optional_policy(`
                # cjp: why is this not apm_run_client
                apm_domtrans_client(sysadm_t)
@@ -235,7 +244,6 @@ ifdef(`strict_policy',`
                consoletype_exec(sysadm_t)
 
                ifdef(`enable_mls',`
-                       consoletype_exec(secadm_t)
                        consoletype_exec(auditadm_t)
                ')
        ')
@@ -254,7 +262,6 @@ ifdef(`strict_policy',`
                dmesg_exec(sysadm_t)
 
                ifdef(`enable_mls',`
-                       dmesg_exec(secadm_t)
                        dmesg_exec(auditadm_t)
                ')
        ')
@@ -389,27 +396,9 @@ ifdef(`strict_policy',`
                seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
 
                ifdef(`enable_mls',`
-                       selinux_set_enforce_mode(secadm_t)
-                       selinux_set_boolean(secadm_t)
-                       selinux_set_parameters(secadm_t)
-
-                       seutil_manage_bin_policy(secadm_t)
-                       seutil_run_checkpolicy(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
-                       seutil_run_loadpolicy(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
-                       seutil_run_semanage(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
-                       seutil_run_setfiles(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
-                       seutil_run_restorecon(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
-                       logging_send_syslog_msg(secadm_t)
+                       userdom_security_admin_template(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
                ', `
-                       selinux_set_enforce_mode(sysadm_t)
-                       selinux_set_boolean(sysadm_t)
-                       selinux_set_parameters(sysadm_t)
-
-                       seutil_manage_bin_policy(sysadm_t)
-                       seutil_run_checkpolicy(sysadm_t,sysadm_r,admin_terminal)
-                       seutil_run_loadpolicy(sysadm_t,sysadm_r,admin_terminal)
-                       seutil_run_semanage(sysadm_t,sysadm_r,admin_terminal)
-                       seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
+                       userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal)
                ')
        ')