Merge upstream
authorDan Walsh <dwalsh@redhat.com>
Thu, 16 Sep 2010 11:05:26 +0000 (07:05 -0400)
committerDan Walsh <dwalsh@redhat.com>
Thu, 16 Sep 2010 11:05:26 +0000 (07:05 -0400)
488 files changed:
Makefile
man/man8/ftpd_selinux.8
man/man8/git_selinux.8 [new file with mode: 0644]
policy/global_tunables
policy/mcs
policy/modules/admin/anaconda.te
policy/modules/admin/brctl.if
policy/modules/admin/certwatch.te
policy/modules/admin/consoletype.te
policy/modules/admin/dmesg.te
policy/modules/admin/firstboot.te
policy/modules/admin/logrotate.te
policy/modules/admin/logwatch.fc
policy/modules/admin/logwatch.te
policy/modules/admin/mrtg.te
policy/modules/admin/ncftool.fc [new file with mode: 0644]
policy/modules/admin/ncftool.if [new file with mode: 0644]
policy/modules/admin/ncftool.te [new file with mode: 0644]
policy/modules/admin/netutils.te
policy/modules/admin/prelink.te
policy/modules/admin/readahead.te
policy/modules/admin/rpm.fc
policy/modules/admin/rpm.if
policy/modules/admin/rpm.te
policy/modules/admin/shorewall.if
policy/modules/admin/shorewall.te
policy/modules/admin/shutdown.fc
policy/modules/admin/shutdown.if
policy/modules/admin/shutdown.te
policy/modules/admin/su.if
policy/modules/admin/sudo.fc
policy/modules/admin/sudo.if
policy/modules/admin/sudo.te
policy/modules/admin/tmpreaper.te
policy/modules/admin/tzdata.te
policy/modules/admin/usermanage.if
policy/modules/admin/usermanage.te
policy/modules/admin/vpn.te
policy/modules/apps/chrome.fc [new file with mode: 0644]
policy/modules/apps/chrome.if [new file with mode: 0644]
policy/modules/apps/chrome.te [new file with mode: 0644]
policy/modules/apps/cpufreqselector.te
policy/modules/apps/execmem.fc [new file with mode: 0644]
policy/modules/apps/execmem.if [new file with mode: 0644]
policy/modules/apps/execmem.te [new file with mode: 0644]
policy/modules/apps/firewallgui.fc [new file with mode: 0644]
policy/modules/apps/firewallgui.if [new file with mode: 0644]
policy/modules/apps/firewallgui.te [new file with mode: 0644]
policy/modules/apps/gnome.fc
policy/modules/apps/gnome.if
policy/modules/apps/gnome.te
policy/modules/apps/gpg.fc
policy/modules/apps/gpg.if
policy/modules/apps/gpg.te
policy/modules/apps/irc.fc
policy/modules/apps/irc.if
policy/modules/apps/irc.te
policy/modules/apps/java.fc
policy/modules/apps/java.if
policy/modules/apps/java.te
policy/modules/apps/kdumpgui.te
policy/modules/apps/livecd.if
policy/modules/apps/livecd.te
policy/modules/apps/mono.if
policy/modules/apps/mozilla.fc
policy/modules/apps/mozilla.if
policy/modules/apps/mozilla.te
policy/modules/apps/mplayer.if
policy/modules/apps/mplayer.te
policy/modules/apps/nsplugin.fc [new file with mode: 0644]
policy/modules/apps/nsplugin.if [new file with mode: 0644]
policy/modules/apps/nsplugin.te [new file with mode: 0644]
policy/modules/apps/openoffice.fc [new file with mode: 0644]
policy/modules/apps/openoffice.if [new file with mode: 0644]
policy/modules/apps/openoffice.te [new file with mode: 0644]
policy/modules/apps/podsleuth.te
policy/modules/apps/pulseaudio.if
policy/modules/apps/pulseaudio.te
policy/modules/apps/qemu.if
policy/modules/apps/qemu.te
policy/modules/apps/sambagui.te
policy/modules/apps/sandbox.fc [new file with mode: 0644]
policy/modules/apps/sandbox.if [new file with mode: 0644]
policy/modules/apps/sandbox.te [new file with mode: 0644]
policy/modules/apps/seunshare.if
policy/modules/apps/seunshare.te
policy/modules/apps/telepathy.fc [new file with mode: 0644]
policy/modules/apps/telepathy.if [new file with mode: 0644]
policy/modules/apps/telepathy.te [new file with mode: 0644]
policy/modules/apps/userhelper.fc
policy/modules/apps/userhelper.if
policy/modules/apps/userhelper.te
policy/modules/apps/vmware.fc
policy/modules/apps/vmware.te
policy/modules/apps/wine.fc
policy/modules/apps/wine.if
policy/modules/apps/wine.te
policy/modules/apps/wireshark.te
policy/modules/apps/wm.if
policy/modules/kernel/corecommands.fc
policy/modules/kernel/corecommands.if
policy/modules/kernel/corenetwork.fc
policy/modules/kernel/corenetwork.te.in
policy/modules/kernel/devices.fc
policy/modules/kernel/devices.if
policy/modules/kernel/devices.te
policy/modules/kernel/domain.if
policy/modules/kernel/domain.te
policy/modules/kernel/files.fc
policy/modules/kernel/files.if
policy/modules/kernel/files.te
policy/modules/kernel/filesystem.fc
policy/modules/kernel/filesystem.if
policy/modules/kernel/filesystem.te
policy/modules/kernel/kernel.if
policy/modules/kernel/kernel.te
policy/modules/kernel/selinux.if
policy/modules/kernel/storage.fc
policy/modules/kernel/storage.if
policy/modules/kernel/terminal.if
policy/modules/kernel/terminal.te
policy/modules/roles/auditadm.te
policy/modules/roles/dbadm.te
policy/modules/roles/guest.te
policy/modules/roles/secadm.te
policy/modules/roles/staff.te
policy/modules/roles/sysadm.te
policy/modules/roles/unconfineduser.fc [new file with mode: 0644]
policy/modules/roles/unconfineduser.if [new file with mode: 0644]
policy/modules/roles/unconfineduser.te [new file with mode: 0644]
policy/modules/roles/unprivuser.te
policy/modules/roles/webadm.te
policy/modules/roles/xguest.te
policy/modules/services/abrt.fc
policy/modules/services/abrt.if
policy/modules/services/abrt.te
policy/modules/services/accountsd.if
policy/modules/services/accountsd.te
policy/modules/services/afs.if
policy/modules/services/afs.te
policy/modules/services/aiccu.fc [new file with mode: 0644]
policy/modules/services/aiccu.if [new file with mode: 0644]
policy/modules/services/aiccu.te [new file with mode: 0644]
policy/modules/services/aisexec.te
policy/modules/services/ajaxterm.fc [new file with mode: 0644]
policy/modules/services/ajaxterm.if [new file with mode: 0644]
policy/modules/services/ajaxterm.te [new file with mode: 0644]
policy/modules/services/apache.fc
policy/modules/services/apache.if
policy/modules/services/apache.te
policy/modules/services/apcupsd.te
policy/modules/services/apm.te
policy/modules/services/arpwatch.if
policy/modules/services/asterisk.if
policy/modules/services/asterisk.te
policy/modules/services/automount.if
policy/modules/services/automount.te
policy/modules/services/avahi.if
policy/modules/services/avahi.te
policy/modules/services/bind.if
policy/modules/services/bind.te
policy/modules/services/bitlbee.te
policy/modules/services/bluetooth.if
policy/modules/services/boinc.fc [new file with mode: 0644]
policy/modules/services/boinc.if [new file with mode: 0644]
policy/modules/services/boinc.te [new file with mode: 0644]
policy/modules/services/bugzilla.fc [new file with mode: 0644]
policy/modules/services/bugzilla.if [new file with mode: 0644]
policy/modules/services/bugzilla.te [new file with mode: 0644]
policy/modules/services/cachefilesd.fc [new file with mode: 0644]
policy/modules/services/cachefilesd.if [new file with mode: 0644]
policy/modules/services/cachefilesd.te [new file with mode: 0644]
policy/modules/services/ccs.te
policy/modules/services/certmaster.te
policy/modules/services/cgroup.te
policy/modules/services/chronyd.if
policy/modules/services/chronyd.te
policy/modules/services/clamav.te
policy/modules/services/cmirrord.fc [new file with mode: 0644]
policy/modules/services/cmirrord.if [new file with mode: 0644]
policy/modules/services/cmirrord.te [new file with mode: 0644]
policy/modules/services/cobbler.fc
policy/modules/services/cobbler.if
policy/modules/services/cobbler.te
policy/modules/services/consolekit.if
policy/modules/services/consolekit.te
policy/modules/services/corosync.fc
policy/modules/services/corosync.te
policy/modules/services/cron.fc
policy/modules/services/cron.if
policy/modules/services/cron.te
policy/modules/services/cups.fc
policy/modules/services/cups.if
policy/modules/services/cups.te
policy/modules/services/cvs.te
policy/modules/services/cyphesis.te
policy/modules/services/cyrus.te
policy/modules/services/dbus.if
policy/modules/services/dbus.te
policy/modules/services/denyhosts.te
policy/modules/services/devicekit.if
policy/modules/services/devicekit.te
policy/modules/services/dhcp.if
policy/modules/services/dhcp.te
policy/modules/services/djbdns.te
policy/modules/services/dnsmasq.te
policy/modules/services/dovecot.fc
policy/modules/services/dovecot.if
policy/modules/services/dovecot.te
policy/modules/services/exim.fc
policy/modules/services/exim.if
policy/modules/services/exim.te
policy/modules/services/fail2ban.if
policy/modules/services/fail2ban.te
policy/modules/services/fetchmail.if
policy/modules/services/fprintd.te
policy/modules/services/ftp.fc
policy/modules/services/ftp.te
policy/modules/services/git.fc
policy/modules/services/git.if
policy/modules/services/git.te
policy/modules/services/gnomeclock.fc
policy/modules/services/gnomeclock.if
policy/modules/services/gpsd.te
policy/modules/services/hal.if
policy/modules/services/hal.te
policy/modules/services/hddtemp.if
policy/modules/services/icecast.if
policy/modules/services/icecast.te
policy/modules/services/inn.te
policy/modules/services/jabber.fc
policy/modules/services/jabber.if
policy/modules/services/jabber.te
policy/modules/services/kerberos.fc
policy/modules/services/kerberos.te
policy/modules/services/ksmtuned.fc
policy/modules/services/ksmtuned.if
policy/modules/services/ksmtuned.te
policy/modules/services/ldap.fc
policy/modules/services/ldap.if
policy/modules/services/ldap.te
policy/modules/services/lircd.te
policy/modules/services/lpd.if
policy/modules/services/lpd.te
policy/modules/services/mailman.if
policy/modules/services/mailman.te
policy/modules/services/memcached.if
policy/modules/services/milter.fc
policy/modules/services/milter.if
policy/modules/services/milter.te
policy/modules/services/mock.fc [new file with mode: 0644]
policy/modules/services/mock.if [new file with mode: 0644]
policy/modules/services/mock.te [new file with mode: 0644]
policy/modules/services/modemmanager.te
policy/modules/services/mojomojo.if
policy/modules/services/mojomojo.te
policy/modules/services/mpd.fc [new file with mode: 0644]
policy/modules/services/mpd.if [new file with mode: 0644]
policy/modules/services/mpd.te [new file with mode: 0644]
policy/modules/services/mta.fc
policy/modules/services/mta.if
policy/modules/services/mta.te
policy/modules/services/munin.fc
policy/modules/services/munin.if
policy/modules/services/munin.te
policy/modules/services/mysql.if
policy/modules/services/mysql.te
policy/modules/services/nagios.if
policy/modules/services/nagios.te
policy/modules/services/networkmanager.fc
policy/modules/services/networkmanager.if
policy/modules/services/networkmanager.te
policy/modules/services/nis.fc
policy/modules/services/nis.if
policy/modules/services/nscd.if
policy/modules/services/nscd.te
policy/modules/services/nslcd.if
policy/modules/services/ntp.if
policy/modules/services/ntp.te
policy/modules/services/nx.if
policy/modules/services/nx.te
policy/modules/services/oddjob.fc
policy/modules/services/oddjob.if
policy/modules/services/oddjob.te
policy/modules/services/oident.te
policy/modules/services/openvpn.te
policy/modules/services/pads.if
policy/modules/services/passenger.fc [new file with mode: 0644]
policy/modules/services/passenger.if [new file with mode: 0644]
policy/modules/services/passenger.te [new file with mode: 0644]
policy/modules/services/pegasus.te
policy/modules/services/piranha.fc [new file with mode: 0644]
policy/modules/services/piranha.if [new file with mode: 0644]
policy/modules/services/piranha.te [new file with mode: 0644]
policy/modules/services/plymouthd.if
policy/modules/services/plymouthd.te
policy/modules/services/policykit.fc
policy/modules/services/policykit.if
policy/modules/services/policykit.te
policy/modules/services/portreserve.fc
policy/modules/services/portreserve.if
policy/modules/services/portreserve.te
policy/modules/services/postfix.fc
policy/modules/services/postfix.if
policy/modules/services/postfix.te
policy/modules/services/postgresql.if
policy/modules/services/postgresql.te
policy/modules/services/ppp.if
policy/modules/services/ppp.te
policy/modules/services/prelude.if
policy/modules/services/privoxy.if
policy/modules/services/privoxy.te
policy/modules/services/procmail.fc
policy/modules/services/procmail.if
policy/modules/services/procmail.te
policy/modules/services/psad.if
policy/modules/services/psad.te
policy/modules/services/puppet.te
policy/modules/services/pyzor.fc
policy/modules/services/pyzor.if
policy/modules/services/pyzor.te
policy/modules/services/qmail.te
policy/modules/services/qpidd.fc [new file with mode: 0644]
policy/modules/services/qpidd.if [new file with mode: 0644]
policy/modules/services/qpidd.te [new file with mode: 0644]
policy/modules/services/radius.if
policy/modules/services/radius.te
policy/modules/services/razor.fc
policy/modules/services/razor.if
policy/modules/services/razor.te
policy/modules/services/remotelogin.te
policy/modules/services/resmgr.if
policy/modules/services/rgmanager.fc
policy/modules/services/rgmanager.if
policy/modules/services/rgmanager.te
policy/modules/services/rhcs.fc
policy/modules/services/rhcs.if
policy/modules/services/rhcs.te
policy/modules/services/ricci.fc
policy/modules/services/ricci.if
policy/modules/services/ricci.te
policy/modules/services/rlogin.fc
policy/modules/services/rlogin.te
policy/modules/services/rpc.if
policy/modules/services/rpc.te
policy/modules/services/rpcbind.fc
policy/modules/services/rpcbind.if
policy/modules/services/rpcbind.te
policy/modules/services/rshd.te
policy/modules/services/rsync.if
policy/modules/services/rsync.te
policy/modules/services/rtkit.if
policy/modules/services/rtkit.te
policy/modules/services/rwho.te
policy/modules/services/samba.fc
policy/modules/services/samba.if
policy/modules/services/samba.te
policy/modules/services/sasl.if
policy/modules/services/sasl.te
policy/modules/services/sendmail.fc
policy/modules/services/sendmail.if
policy/modules/services/sendmail.te
policy/modules/services/setroubleshoot.if
policy/modules/services/setroubleshoot.te
policy/modules/services/smartmon.if
policy/modules/services/smartmon.te
policy/modules/services/smokeping.if
policy/modules/services/smokeping.te
policy/modules/services/snmp.fc
policy/modules/services/snmp.if
policy/modules/services/snmp.te
policy/modules/services/snort.if
policy/modules/services/spamassassin.fc
policy/modules/services/spamassassin.if
policy/modules/services/spamassassin.te
policy/modules/services/squid.if
policy/modules/services/ssh.fc
policy/modules/services/ssh.if
policy/modules/services/ssh.te
policy/modules/services/sssd.if
policy/modules/services/sssd.te
policy/modules/services/stunnel.if
policy/modules/services/sysstat.te
policy/modules/services/telnet.te
policy/modules/services/tftp.if
policy/modules/services/tftp.te
policy/modules/services/tgtd.if
policy/modules/services/tgtd.te
policy/modules/services/tor.if
policy/modules/services/tor.te
policy/modules/services/tuned.if
policy/modules/services/tuned.te
policy/modules/services/ucspitcp.if
policy/modules/services/ucspitcp.te
policy/modules/services/ulogd.if
policy/modules/services/ulogd.te
policy/modules/services/usbmuxd.fc
policy/modules/services/usbmuxd.if
policy/modules/services/uucp.if
policy/modules/services/uucp.te
policy/modules/services/varnishd.if
policy/modules/services/varnishd.te
policy/modules/services/vhostmd.if
policy/modules/services/vhostmd.te
policy/modules/services/virt.fc
policy/modules/services/virt.if
policy/modules/services/virt.te
policy/modules/services/w3c.te
policy/modules/services/xfs.if
policy/modules/services/xserver.fc
policy/modules/services/xserver.if
policy/modules/services/xserver.te
policy/modules/services/zabbix.if
policy/modules/services/zarafa.fc [new file with mode: 0644]
policy/modules/services/zarafa.if [new file with mode: 0644]
policy/modules/services/zarafa.te [new file with mode: 0644]
policy/modules/services/zebra.if
policy/modules/services/zosremote.if
policy/modules/system/application.if
policy/modules/system/application.te
policy/modules/system/authlogin.fc
policy/modules/system/authlogin.if
policy/modules/system/authlogin.te
policy/modules/system/daemontools.if
policy/modules/system/daemontools.te
policy/modules/system/fstools.fc
policy/modules/system/fstools.te
policy/modules/system/getty.te
policy/modules/system/hostname.te
policy/modules/system/hotplug.te
policy/modules/system/init.fc
policy/modules/system/init.if
policy/modules/system/init.te
policy/modules/system/ipsec.fc
policy/modules/system/ipsec.if
policy/modules/system/ipsec.te
policy/modules/system/iptables.fc
policy/modules/system/iptables.if
policy/modules/system/iptables.te
policy/modules/system/iscsi.if
policy/modules/system/iscsi.te
policy/modules/system/kdump.te
policy/modules/system/libraries.fc
policy/modules/system/libraries.if
policy/modules/system/libraries.te
policy/modules/system/locallogin.fc
policy/modules/system/locallogin.te
policy/modules/system/logging.fc
policy/modules/system/logging.if
policy/modules/system/logging.te
policy/modules/system/lvm.fc
policy/modules/system/lvm.if
policy/modules/system/lvm.te
policy/modules/system/miscfiles.fc
policy/modules/system/miscfiles.if
policy/modules/system/miscfiles.te
policy/modules/system/modutils.if
policy/modules/system/modutils.te
policy/modules/system/mount.fc
policy/modules/system/mount.if
policy/modules/system/mount.te
policy/modules/system/raid.fc
policy/modules/system/raid.te
policy/modules/system/selinuxutil.fc
policy/modules/system/selinuxutil.if
policy/modules/system/selinuxutil.te
policy/modules/system/setrans.te
policy/modules/system/sosreport.fc [new file with mode: 0644]
policy/modules/system/sosreport.if [new file with mode: 0644]
policy/modules/system/sosreport.te [new file with mode: 0644]
policy/modules/system/sysnetwork.fc
policy/modules/system/sysnetwork.if
policy/modules/system/sysnetwork.te
policy/modules/system/udev.fc
policy/modules/system/udev.if
policy/modules/system/udev.te
policy/modules/system/unconfined.fc
policy/modules/system/unconfined.if
policy/modules/system/unconfined.te
policy/modules/system/userdomain.fc
policy/modules/system/userdomain.if
policy/modules/system/userdomain.te
policy/modules/system/xen.fc
policy/modules/system/xen.if
policy/modules/system/xen.te
policy/support/misc_patterns.spt
policy/support/obj_perm_sets.spt
policy/users

index f802d3bd05c789703cc24c324ed54858cf0742b4..b8804f7fb808e18929a031f1f10247d1f29c4f68 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -244,7 +244,7 @@ seusers := $(appconf)/seusers
 appdir := $(contextpath)
 user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
 user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names)
 net_contexts := $(builddir)net_contexts
 
 all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
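Review bot: The two new names `virtual_image_context` and `virtual_domain_context` in the appfiles list make the install target depend on both files existing under config/appconfig-$(TYPE)/, and nothing in this commit's 488-file list touches config/, so they presumably already exist in that tree; worth confirming, since a missing one fails the install rather than being skipped. The assignment is a single very long line, and splitting the list across continuation lines would make the next addition easier to review.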
index 9e194812a05d1a2664588a8aa92ef280422700e6..5bebd82d470f91e2496b1df2c13a328356d4cd3a 100644 (file)
@@ -15,7 +15,7 @@ Allow ftp servers to read the /var/ftp directory by adding the public_content_t
 semanage fcontext -a -t public_content_t "/var/ftp(/.*)?"
 .TP
 .B
-restorecon -R -v /var/ftp
+restorecon -F -R -v /var/ftp
 .TP
 Allow ftp servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type.  This also requires the allow_ftpd_anon_write boolean to be set.
 .PP
@@ -23,7 +23,7 @@ Allow ftp servers to read and write /var/tmp/incoming by adding the public_conte
 semanage fcontext -a -t public_content_rw_t "/var/ftp/incoming(/.*)?"
 .TP
 .B
-restorecon -R -v /var/ftp/incoming
+restorecon -F -R -v /var/ftp/incoming
 
 .SH BOOLEANS
 .PP
diff --git a/man/man8/git_selinux.8 b/man/man8/git_selinux.8
new file mode 100644 (file)
index 0000000..e9c43b1
--- /dev/null
@@ -0,0 +1,109 @@
+.TH  "git_selinux"  "8"  "27 May 2010" "domg472@gmail.com" "Git SELinux policy documentation"
+.de EX
+.nf
+.ft CW
+..
+.de EE
+.ft R
+.fi
+..
+.SH "NAME"
+git_selinux \- Security Enhanced Linux Policy for the Git daemon.
+.SH "DESCRIPTION"
+Security-Enhanced Linux secures the Git server via flexible mandatory access
+control.
+.SH FILE_CONTEXTS
+SELinux requires files to have an extended attribute to define the file type. 
+Policy governs the access daemons have to these files. 
+SELinux Git policy is very flexible allowing users to setup their web services in as secure a method as possible.
+.PP 
+The following file contexts types are by default defined for Git:
+.EX
+git_system_content_t 
+.EE 
+- Set files with git_system_content_t if you want the Git system daemon to read the file, and if you want the file to be modifiable and executable by all "Git shell" users.
+.EX
+git_session_content_t 
+.EE 
+- Set files with git_session_content_t if you want the Git session and system daemon to read the file, and if you want the file to be modifiable and executable by all users. Note that "Git shell" users may not interact with this type.
+.SH BOOLEANS
+SELinux policy is customizable based on least access required. Git policy is extremely flexible and has several booleans that allow you to manipulate the policy and run Git with the tightest access possible.
+.PP
+Allow the Git system daemon to search user home directories so that it can find git session content. This is useful if you want the Git system daemon to host users personal repositories. 
+.EX
+sudo setsebool -P git_system_enable_homedirs 1
+.EE
+.PP
+Allow the Git system daemon to read system shared repositories on NFS shares.
+.EX
+sudo setsebool -P git_system_use_nfs 1
+.EE
+.PP
+Allow the Git system daemon to read system shared repositories on Samba shares.
+.EX
+sudo setsebool -P git_system_use_cifs 1
+.EE
+.PP
+Allow the Git session daemon to read users personal repositories on NFS mounted home directories.
+.EX
+sudo setsebool -P use_nfs_home_dirs 1
+.EE
+.PP
+Allow the Git session daemon to read users personal repositories on Samba mounted home directories.
+.EX
+sudo setsebool -P use_samba_home_dirs 1
+.EE
+.PP
+To also allow Git system daemon to read users personal repositories on NFS and Samba mounted home directories you must also allow the Git system daemon to search home directories so that it can find the repositories.
+.EX
+sudo setsebool -P git_system_enable_homedirs 1
+.EE
+.PP
+To allow the Git System daemon mass hosting of users personal repositories you can allow the Git daemon to listen to any unreserved ports.
+.EX
+sudo setsebool -P git_session_bind_all_unreserved_ports 1
+.EE
+.SH GIT_SHELL
+The Git policy by default provides a restricted user environment to be used with "Git shell". This default git_shell_u SELinux user can modify and execute generic Git system content (generic system shared respositories with type git_system_content_t).
+.PP
+To add a new Linux user and map him to this Git shell user domain automatically:
+.EX
+sudo useradd -Z git_shell_u joe
+.EE
+.SH ADVANCED_SYSTEM_SHARED_REPOSITORY_AND GIT_SHELL_RESTRICTIONS
+Alternatively Git SELinux policy can be used to restrict "Git shell" users to git system shared repositories. The policy allows for the creation of new types of Git system content and Git shell user environment. The policy allows for delegation of types of "Git shell" environments to types of Git system content.
+.PP
+To add a new Git system repository type, for example "project1" create a file named project1.te and add to it:
+.EX
+policy_module(project1, 1.0.0)
+git_content_template(project1)
+.EE
+Next create a file named project1.fc and add a file context specification for the new repository type to it:
+.EX
+/srv/git/project1\.git(/.*)? gen_context(system_u:object_r:git_project1_content_t,s0)
+.EE
+Build a binary representation of this source policy module, load it into the policy store and restore the context of the repository:
+.EX
+make -f /usr/share/selinux/devel/Makefile project.pp
+sudo semodule -i project1.pp
+sudo restorecon -R -v /srv/git/project1
+.EE
+To create a "Git shell" domain that can interact with this repository create a file named project1user.te in the same directory as where the source policy for the Git systemm content type is and add the following:
+.EX
+policy_module(project1user, 1.0.0) 
+git_role_template(project1user)
+git_content_delegation(project1user_t, git_project1_content_t)
+gen_user(project1user_u, user, project1user_r, s0, s0)
+.EE
+Build a binary representation of this source policy module, load it into the policy store and map Linux users to the new project1user_u SELinux user:
+.EX
+make -f /usr/share/selinux/devel/Makefile project1user.pp
+sudo semodule -i project1user.pp
+sudo useradd -Z project1user_u jane
+.EE
+.PP
+system-config-selinux is a GUI tool available to customize SELinux policy settings.
+.SH AUTHOR     
+This manual page was written by Dominick Grift <domg472@gmail.com>.
+.SH "SEE ALSO"
+selinux(8), git(8), chcon(1), semodule(8), setsebool(8)
index 3316f6effc613639eb605960ed3716df2593fc85..f85244d24e2debdbb33ac2f588e7249643dae76d 100644 (file)
@@ -13,21 +13,21 @@ gen_tunable(allow_execheap,false)
 
 ## <desc>
 ## <p>
-## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
+## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla
 ## </p>
 ## </desc>
 gen_tunable(allow_execmem,false)
 
 ## <desc>
 ## <p>
-## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
+## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t
 ## </p>
 ## </desc>
 gen_tunable(allow_execmod,false)
 
 ## <desc>
 ## <p>
-## Allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
+## Allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
 ## </p>
 ## </desc>
 gen_tunable(allow_execstack,false)
@@ -59,15 +59,6 @@ gen_tunable(allow_ypbind,false)
 ## </desc>
 gen_tunable(global_ssp,false)
 
-## <desc>
-## <p>
-## Allow email client to various content.
-## nfs, samba, removable devices, and user temp
-## files
-## </p>
-## </desc>
-gen_tunable(mail_read_content,false)
-
 ## <desc>
 ## <p>
 ## Allow any files/directories to be exported read/write via NFS.
@@ -104,3 +95,11 @@ gen_tunable(use_samba_home_dirs,false)
 ## </p>
 ## </desc>
 gen_tunable(user_tcp_server,false)
+
+## <desc>
+## <p>
+## Allow direct login to the console device. Required for System 390
+## </p>
+## </desc>
+gen_tunable(allow_console_login,false)
+
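Review bot: The last hunk adds a trailing empty `+` line after `gen_tunable(allow_console_login,false)`, so the file now ends on a blank line where it previously ended on the gen_tunable call; dropping that line keeps the ending consistent with the rest of the file. The middle hunk removes the global `mail_read_content` tunable outright, and any module still wrapping rules in `tunable_policy(\`mail_read_content', ...)` would fail to build; this presumably relies on the mail-related module changes elsewhere in this merge (mta.te, postfix.te, procmail.te and others are in the diffstat), which I cannot see from here.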
index af90ef2b8faedd8c692a004dfc4527b55d68a034..fbd2c40769772e91c972b8f926274d47d44b32e7 100644 (file)
@@ -86,10 +86,10 @@ mlsconstrain file { create relabelto }
        (( h1 dom h2 ) and ( l2 eq h2 ));
 
 # new file labels must be dominated by the relabeling subject clearance
-mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
+mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file file } { relabelfrom }
        ( h1 dom h2 );
 
-mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
+mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file file } { create relabelto }
        (( h1 dom h2 ) and ( l2 eq h2 ));
 
 mlsconstrain process { transition dyntransition }
@@ -98,7 +98,7 @@ mlsconstrain process { transition dyntransition }
 mlsconstrain process { ptrace }
        (( h1 dom h2) or ( t1 == mcsptraceall ));
 
-mlsconstrain process { sigkill sigstop }
+mlsconstrain process { signal sigkill sigstop }
        (( h1 dom h2 ) or ( t1 == mcskillall ));
 
 #
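Review bot: After the first hunk the `file` class is constrained twice for `{ create relabelto }`: the file-only constraint whose tail `(( h1 dom h2 ) and ( l2 eq h2 ));` is visible at the top of the hunk, and the generic class list on the `+` line, both with the same expression. Constraints are conjunctive, so this is redundant rather than wrong, but keeping only one of them avoids two places that must stay in sync if the expression ever changes. In the second hunk, adding `signal` to the `{ sigkill sigstop }` constraint extends the dominance/mcskillall check to ordinary signals; a one-line comment above it stating that intent, and whether the remaining signal permissions are deliberately left out, would save the next reader from guessing.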
index f76ed8a2ac0b12336f086a11edd1decc02109dd1..9a9526a47c7f2ba1e38f825c76ce63da1d92f36d 100644 (file)
@@ -30,6 +30,7 @@ modutils_domtrans_insmod(anaconda_t)
 modutils_domtrans_depmod(anaconda_t)
 
 seutil_domtrans_semanage(anaconda_t)
+seutil_domtrans_setsebool(anaconda_t)
 
 userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
 
@@ -51,7 +52,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-       unconfined_domain(anaconda_t)
+       unconfined_domain_noaudit(anaconda_t)
 ')
 
 optional_policy(`
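Review bot: The switch from `unconfined_domain(anaconda_t)` to `unconfined_domain_noaudit(anaconda_t)` in the second hunk presumably also suppresses the audit records the plain interface would have produced, which removes installer-time denial logs that are useful when reconstructing what anaconda touched on a system. A short comment above the call giving the reason for the noaudit variant (log noise from an unconfined installer, I assume) would justify that trade-off for later readers. The enclosing optional_policy block ends inside the hunk, so no further context is affected.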
index 5b43db5feaa04ca336e534f6674fcdcc6b79095a..fdb453cb022936b4076b6c2be1ae1eb30631b047 100644 (file)
@@ -17,3 +17,22 @@ interface(`brctl_domtrans',`
 
        domtrans_pattern($1, brctl_exec_t, brctl_t)
 ')
+
+#####################################
+## <summary>
+##      Execute brctl in the brctl domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`brctl_run',`
+        gen_require(`
+                type brctl_t, brctl_exec_t;
+        ')
+
+        brctl_domtrans($1)
+        role $2 types brctl_t;
+')
index a2e9cb5bb4c27cbb7eb0ef58eca5a81294169b7f..cec5c564226118df0ad72d11d7175acb45e10cb3 100644 (file)
@@ -35,7 +35,7 @@ miscfiles_read_generic_certs(certwatch_t)
 miscfiles_read_localization(certwatch_t)
 
 userdom_use_user_terminals(certwatch_t)
-userdom_dontaudit_list_user_home_dirs(certwatch_t)
+userdom_dontaudit_list_admin_dir(certwatch_t)
 
 optional_policy(`
        apache_exec_modules(certwatch_t)
index 2b12a37d251de162e1ff631dc65626e52efa0024..a37065603d4890c010649145905d2d0fdddf9c49 100644 (file)
@@ -81,10 +81,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-       hal_dontaudit_use_fds(consoletype_t)
-       hal_dontaudit_rw_pipes(consoletype_t)
-       hal_dontaudit_rw_dgram_sockets(consoletype_t)
-       hal_dontaudit_write_log(consoletype_t)
+       hal_dontaudit_leaks(consoletype_t)
 ')
 
 optional_policy(`
index 72bc6d815971c0f73b98d4f96e320d7509cc14a7..54210658b100c12ad2a42d930c8bd6089af1c600 100644 (file)
@@ -49,6 +49,12 @@ miscfiles_read_localization(dmesg_t)
 userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
 userdom_use_user_terminals(dmesg_t)
 
+optional_policy(`
+       abrt_cache_append(dmesg_t)
+       abrt_rw_fifo_file(dmesg_t)
+       abrt_manage_pid_files(dmesg_t)
+')
+
 optional_policy(`
        seutil_sigchld_newrole(dmesg_t)
 ')
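Review bot: `abrt_manage_pid_files(dmesg_t)` in the new optional_policy block grants dmesg_t create, write and unlink on abrt's pid files, which looks broader than a log-reading tool should need; if dmesg only has to read or append an existing pid file, the read or rw variant of the interface would be the least-privilege choice. I cannot see from here what abrt invokes dmesg for, so this should be checked against the denials that prompted the rule. A one-line comment above the block naming that use case would also document why dmesg_t interacts with abrt at all.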
index 66e486eceb7ea5c64d08dcd82da505a49422a179..bfda8e96c9dc8a10a2a22f568f1320be591d8ee6 100644 (file)
@@ -102,6 +102,10 @@ optional_policy(`
        ')
 ')
 
+optional_policy(`
+       iptables_domtrans(firstboot_t)
+')
+
 optional_policy(`
        nis_use_ypbind(firstboot_t)
 ')
@@ -125,6 +129,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+       gnome_admin_home_gconf_filetrans(firstboot_t, dir)
        gnome_manage_config(firstboot_t)
 ')
 
index 0b6123e85326e061a32c1111cc2a4b62ab624bd6..dd4cd300acb051dbdc51ebf2286e1aa600ef6ca9 100644 (file)
@@ -119,6 +119,7 @@ seutil_dontaudit_read_config(logrotate_t)
 userdom_use_user_terminals(logrotate_t)
 userdom_list_user_home_dirs(logrotate_t)
 userdom_use_unpriv_users_fds(logrotate_t)
+userdom_dontaudit_list_admin_dir(logrotate_t)
 
 cron_system_entry(logrotate_t, logrotate_exec_t)
 cron_search_spool(logrotate_t)
@@ -126,7 +127,7 @@ cron_search_spool(logrotate_t)
 mta_send_mail(logrotate_t)
 
 ifdef(`distro_debian', `
-       allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
+       allow logrotate_t logrotate_tmp_t:file relabel_file_perms;
        # for savelog
        can_exec(logrotate_t, logrotate_exec_t)
 
index 3c7b1e8b573593ea26723c9442add584479a1053..1e155f5bf6f474c01710b33785e94ad2f29275ed 100644 (file)
@@ -1,7 +1,11 @@
 /usr/sbin/logcheck     --      gen_context(system_u:object_r:logwatch_exec_t,s0)
+/usr/sbin/epylog       --      gen_context(system_u:object_r:logwatch_exec_t,s0)
 
 /usr/share/logwatch/scripts/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t, s0)
 
 /var/cache/logwatch(/.*)?      gen_context(system_u:object_r:logwatch_cache_t, s0)
 /var/lib/logcheck(/.*)?                gen_context(system_u:object_r:logwatch_cache_t,s0)
+/var/lib/epylog(/.*)?          gen_context(system_u:object_r:logwatch_cache_t,s0)
 /var/log/logcheck/.+   --      gen_context(system_u:object_r:logwatch_lock_t,s0)
+
+/var/run/epylog\.pid           gen_context(system_u:object_r:logwatch_var_run_t,s0)
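Review bot: The new `/var/run/epylog\.pid` entry has no file-type field, whereas the other single-file entries in this hunk (`/usr/sbin/epylog`, `/var/log/logcheck/.+`) use `--`, so this label would apply to any object type matching the path rather than only a regular file. For consistency with the rest of the file, write it as `/var/run/epylog\.pid -- gen_context(system_u:object_r:logwatch_var_run_t,s0)`.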
index 75ce30f3eb6d81c7a906ef02c713f37bb0b9b849..b84546784654684655681fed1b59bab39ed8f67d 100644 (file)
@@ -19,6 +19,9 @@ files_lock_file(logwatch_lock_t)
 type logwatch_tmp_t;
 files_tmp_file(logwatch_tmp_t)
 
+type logwatch_var_run_t;
+files_pid_file(logwatch_var_run_t)
+
 ########################################
 #
 # Local policy
@@ -39,6 +42,9 @@ manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
 manage_files_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
 files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })
 
+allow logwatch_t logwatch_var_run_t:file manage_file_perms;
+files_pid_filetrans(logwatch_t, logwatch_var_run_t, file)
+
 kernel_read_fs_sysctls(logwatch_t)
 kernel_read_kernel_sysctls(logwatch_t)
 kernel_read_system_state(logwatch_t)
@@ -92,8 +98,16 @@ sysnet_dns_name_resolve(logwatch_t)
 sysnet_exec_ifconfig(logwatch_t)
 
 userdom_dontaudit_search_user_home_dirs(logwatch_t)
-
-mta_send_mail(logwatch_t)
+userdom_dontaudit_list_admin_dir(logwatch_t)
+
+#mta_send_mail(logwatch_t)
+mta_base_mail_template(logwatch)
+mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
+role system_r types logwatch_mail_t;
+logging_read_all_logs(logwatch_mail_t)
+manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t)
+allow logwatch_mail_t self:capability { dac_read_search dac_override };
+mta_read_home(logwatch_mail_t)
 
 ifdef(`distro_redhat',`
        files_search_all(logwatch_t)
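Review bot: The commented-out `#mta_send_mail(logwatch_t)` is left in as dead code with nothing saying why it was replaced; the replacement (`mta_base_mail_template(logwatch)` plus the domain transition to `logwatch_mail_t`) deserves a why-comment instead, e.g. `# logwatch sends its report through a private mail domain so that the mailer can read logs and logwatch tmp files without widening logwatch_t`. The `allow logwatch_mail_t self:capability { dac_read_search dac_override };` grant also wants a one-line justification, since it lets the mail domain bypass DAC on every file it is otherwise allowed to reach; presumably this is for reading logs owned by other users, but that is not stated. The enclosing `ifdef(`distro_redhat'` block continues outside the hunk.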
index 0e19d802022b820c974f1d0d8fbb7007ae2c7220..9d58abe1a3e628ccdd3e2d726c03357c77f82940 100644 (file)
@@ -115,6 +115,7 @@ selinux_dontaudit_getattr_dir(mrtg_t)
 userdom_use_user_terminals(mrtg_t)
 userdom_dontaudit_read_user_home_content_files(mrtg_t)
 userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
+userdom_dontaudit_list_admin_dir(mrtg_t)
 
 netutils_domtrans_ping(mrtg_t)
 
diff --git a/policy/modules/admin/ncftool.fc b/policy/modules/admin/ncftool.fc
new file mode 100644 (file)
index 0000000..ae4045e
--- /dev/null
@@ -0,0 +1,2 @@
+
+/usr/bin/ncftool               --      gen_context(system_u:object_r:ncftool_exec_t,s0)
diff --git a/policy/modules/admin/ncftool.if b/policy/modules/admin/ncftool.if
new file mode 100644 (file)
index 0000000..8c2e044
--- /dev/null
@@ -0,0 +1,78 @@
+
+## <summary>policy for ncftool</summary>
+
+########################################
+## <summary>
+##     Execute a domain transition to run ncftool.
+## </summary>
+## <param name="domain">
+## <summary>
+##     Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ncftool_domtrans',`
+       gen_require(`
+               type ncftool_t, ncftool_exec_t;
+       ')
+
+       domtrans_pattern($1, ncftool_exec_t, ncftool_t)
+')
+
+########################################
+## <summary>
+##     Execute ncftool in the ncftool domain, and
+##     allow the specified role the ncftool domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     The role to be allowed the ncftool domain.
+##     </summary>
+## </param>
+#
+interface(`ncftool_run',`
+       gen_require(`
+               type ncftool_t;
+       ')
+
+       ncftool_domtrans($1)
+       role $2 types ncftool_t;
+
+       optional_policy(`
+               brctl_run(ncftool_t, $2)
+       ')
+')
+
+########################################
+## <summary>
+##     Role access for ncftool
+## </summary>
+## <param name="role">
+##     <summary>
+##     Role allowed access
+##     </summary>
+## </param>
+## <param name="domain">
+##     <summary>
+##     User domain for the role
+##     </summary>
+## </param>
+#
+interface(`ncftool_role',`
+       gen_require(`
+              type ncftool_t;
+       ')
+
+       role $1 types ncftool_t;
+
+       ncftool_domtrans($2)
+
+       ps_process_pattern($2, ncftool_t)
+       allow $2 ncftool_t:process signal;
+')
+
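Review bot: The `gen_require` body inside `ncftool_role` is indented with a run of spaces (`type ncftool_t;` sits at a different column from the surrounding tab-indented lines) while `ncftool_domtrans` and `ncftool_run` in the same file use tabs; the line should be tab-indented to match. A minor documentation point in the same file: the `ncftool_run` summary says the role is allowed the ncftool domain, but the interface also conditionally calls `brctl_run(ncftool_t, $2)`, so the summary could add `and, when brctl is present, the brctl domain`.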
diff --git a/policy/modules/admin/ncftool.te b/policy/modules/admin/ncftool.te
new file mode 100644 (file)
index 0000000..eef0c87
--- /dev/null
@@ -0,0 +1,91 @@
+policy_module(ncftool, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ncftool_t;
+type ncftool_exec_t;
+application_domain(ncftool_t, ncftool_exec_t)
+domain_obj_id_change_exemption(ncftool_t)
+domain_system_change_exemption(ncftool_t)
+role system_r types ncftool_t;
+
+permissive ncftool_t;
+
+########################################
+#
+# ncftool local policy
+#
+
+allow ncftool_t self:capability { net_admin sys_ptrace };
+
+allow ncftool_t self:process signal;
+
+allow ncftool_t self:fifo_file manage_fifo_file_perms;
+allow ncftool_t self:unix_stream_socket create_stream_socket_perms;
+
+allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
+allow ncftool_t self:tcp_socket create_stream_socket_perms;
+
+kernel_read_kernel_sysctls(ncftool_t)
+kernel_read_modprobe_sysctls(ncftool_t)
+kernel_read_network_state(ncftool_t)
+kernel_read_system_state(ncftool_t)
+kernel_request_load_module(ncftool_t)
+kernel_rw_net_sysctls(ncftool_t)
+
+corecmd_exec_bin(ncftool_t)
+corecmd_exec_shell(ncftool_t)
+
+domain_read_all_domains_state(ncftool_t)
+
+dev_read_sysfs(ncftool_t)
+
+files_manage_system_conf_files(ncftool_t)
+files_relabelto_system_conf_files(ncftool_t)
+files_read_etc_files(ncftool_t)
+files_read_etc_runtime_files(ncftool_t)
+files_read_usr_files(ncftool_t)
+
+term_use_all_terms(ncftool_t)
+
+miscfiles_read_localization(ncftool_t)
+
+modutils_list_module_config(ncftool_t)
+modutils_read_module_config(ncftool_t)
+modutils_domtrans_insmod(ncftool_t)
+
+sysnet_delete_dhcpc_pid(ncftool_t)
+sysnet_domtrans_dhcpc(ncftool_t)
+sysnet_domtrans_ifconfig(ncftool_t)
+sysnet_etc_filetrans_config(ncftool_t)
+sysnet_manage_config(ncftool_t)
+sysnet_read_dhcpc_state(ncftool_t)
+sysnet_relabelfrom_net_conf(ncftool_t)
+sysnet_relabelto_net_conf(ncftool_t)
+sysnet_read_dhcpc_pid(ncftool_t)
+sysnet_signal_dhcpc(ncftool_t)
+
+userdom_read_user_tmp_files(ncftool_t)
+
+optional_policy(`
+       consoletype_exec(ncftool_t)
+')
+
+optional_policy(`
+        dbus_system_bus_client(ncftool_t)
+')
+
+optional_policy(`
+       iptables_initrc_domtrans(ncftool_t)
+')
+
+optional_policy(`
+       iptables_initrc_domtrans(ncftool_t)
+')
+
+optional_policy(`
+       netutils_domtrans(ncftool_t)
+')
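Review bot: The `optional_policy` block containing `iptables_initrc_domtrans(ncftool_t)` appears twice in succession (the two blocks immediately above the netutils one); the second copy is redundant and should be removed. The domain is also declared `permissive ncftool_t;`, which means denials for this domain are logged but not enforced, so every rule in this file is effectively advisory until that line goes; a marker such as `# TODO: drop permissive once ncftool_t has been exercised in enforcing mode` would keep it from being shipped as-is. The `dbus_system_bus_client(ncftool_t)` block is indented with spaces while the rest of the file uses tabs.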
index b687b5d7d9d6b9c4ec60cb07a95b48ddb228cd73..4f38995768f7f9e5aae41d4fe05ec9004f429c3f 100644 (file)
@@ -51,6 +51,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
 
 kernel_search_proc(netutils_t)
 kernel_read_all_sysctls(netutils_t)
+kernel_read_network_state(netutils_t)
+kernel_request_load_module(netutils_t)
 
 corenet_all_recvfrom_unlabeled(netutils_t)
 corenet_all_recvfrom_netlabel(netutils_t)
@@ -67,6 +69,9 @@ corenet_sendrecv_all_client_packets(netutils_t)
 corenet_udp_bind_generic_node(netutils_t)
 
 dev_read_sysfs(netutils_t)
+dev_read_usbmon_dev(netutils_t)
+dev_write_usbmon_dev(netutils_t)
+dev_rw_generic_usb_dev(netutils_t)
 
 fs_getattr_xattr_fs(netutils_t)
 
@@ -137,8 +142,6 @@ logging_send_syslog_msg(ping_t)
 
 miscfiles_read_localization(ping_t)
 
-userdom_use_user_terminals(ping_t)
-
 ifdef(`hide_broken_symptoms',`
        init_dontaudit_use_fds(ping_t)
 
@@ -148,10 +151,24 @@ ifdef(`hide_broken_symptoms',`
        ')
 ')
 
+term_use_all_terms(ping_t)
+
+tunable_policy(`user_ping',`
+       term_use_all_ttys(ping_t)
+       term_use_all_ptys(ping_t)
+',`
+       term_dontaudit_use_all_ttys(ping_t)
+       term_dontaudit_use_all_ptys(ping_t)
+')
+
 optional_policy(`
        munin_append_log(ping_t)
 ')
 
+optional_policy(`
+       nagios_rw_inerited_tmp_files(ping_t)
+')
+
 optional_policy(`
        pcmcia_use_cardmgr_fds(ping_t)
 ')
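Review bot: The interface name `nagios_rw_inerited_tmp_files` is misspelled (`inerited` for `inherited`); if nagios.if declares it under that spelling the policy will build, but the typo then becomes part of the public interface and is hard to correct later. The call and its definition should be renamed together to `nagios_rw_inherited_tmp_files(ping_t)`. The `user_ping` tunable block added above it is fine, but it sits after an unconditional `term_use_all_terms(ping_t)`, so a short comment stating what the tunable adds beyond that (tty/pty use) would help a reader.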
@@ -197,6 +214,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
 domain_use_interactive_fds(traceroute_t)
 
 files_read_etc_files(traceroute_t)
+files_read_usr_files(traceroute_t)
 files_dontaudit_search_var(traceroute_t)
 
 init_use_fds(traceroute_t)
@@ -207,9 +225,16 @@ logging_send_syslog_msg(traceroute_t)
 
 miscfiles_read_localization(traceroute_t)
 
-userdom_use_user_terminals(traceroute_t)
-
 #rules needed for nmap
 dev_read_rand(traceroute_t)
 dev_read_urand(traceroute_t)
-files_read_usr_files(traceroute_t)
+
+term_use_all_terms(traceroute_t)
+
+tunable_policy(`user_ping',`
+       term_use_all_ttys(traceroute_t)
+       term_use_all_ptys(traceroute_t)
+',`
+       term_dontaudit_use_all_ttys(traceroute_t)
+       term_dontaudit_use_all_ptys(traceroute_t)
+')
index aa0dcc67400cfcf41a9b39dca1902b75dfb20499..0faba2af1e77dc4835635203f6fe136c8008303a 100644 (file)
@@ -59,10 +59,11 @@ manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
 manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
 relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
 files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file })
+files_search_var_lib(prelink_t)
 
 # prelink misc objects that are not system
 # libraries or entrypoints
-allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
+allow prelink_t prelink_object:file { manage_file_perms execute relabel_file_perms };
 
 kernel_read_system_state(prelink_t)
 kernel_read_kernel_sysctls(prelink_t)
@@ -73,6 +74,7 @@ corecmd_mmap_all_executables(prelink_t)
 corecmd_read_bin_symlinks(prelink_t)
 
 dev_read_urand(prelink_t)
+dev_getattr_all_chr_files(prelink_t)
 
 files_list_all(prelink_t)
 files_getattr_all_files(prelink_t)
@@ -86,6 +88,8 @@ files_relabelfrom_usr_files(prelink_t)
 
 fs_getattr_xattr_fs(prelink_t)
 
+storage_getattr_fixed_disk_dev(prelink_t)
+
 selinux_get_enforce_mode(prelink_t)
 
 libs_exec_ld_so(prelink_t)
@@ -99,6 +103,8 @@ libs_delete_lib_symlinks(prelink_t)
 miscfiles_read_localization(prelink_t)
 
 userdom_use_user_terminals(prelink_t)
+userdom_manage_user_home_content(prelink_t)
+userdom_execmod_user_home_files(prelink_t)
 
 optional_policy(`
        amanda_manage_lib(prelink_t)
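Review bot: `userdom_manage_user_home_content(prelink_t)` and `userdom_execmod_user_home_files(prelink_t)` give prelink write and execmod access over all user home content with no comment explaining why; this is a broad grant for a system daemon that otherwise works on system libraries, and the intent (presumably prelinking ELF objects found under users' home directories) should be recorded next to the rules, e.g. `# prelink rewrites ELF objects under user home dirs when listed in its config — confirm this is wanted`. If only a subset of home content is meant, a narrower userdom interface would be preferable.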
@@ -108,6 +114,10 @@ optional_policy(`
        cron_system_entry(prelink_t, prelink_exec_t)
 ')
 
+optional_policy(`
+       nsplugin_manage_rw_files(prelink_t)
+')
+
 optional_policy(`
        rpm_manage_tmp_files(prelink_t)
 ')
@@ -129,6 +139,7 @@ optional_policy(`
 
        read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
        allow prelink_cron_system_t prelink_cache_t:file unlink;
+       files_delete_etc_dir_entry(prelink_cron_system_t)
 
        domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
        allow prelink_cron_system_t prelink_t:process noatsecure;
@@ -148,7 +159,7 @@ optional_policy(`
        files_read_etc_files(prelink_cron_system_t)
        files_search_var_lib(prelink_cron_system_t)
 
-       init_exec(prelink_cron_system_t)
+       init_telinit(prelink_cron_system_t)
 
        libs_exec_ld_so(prelink_cron_system_t)
 
@@ -158,7 +169,14 @@ optional_policy(`
 
        cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)
 
+       userdom_dontaudit_list_admin_dir(prelink_cron_system_t)
+
        optional_policy(`
                rpm_read_db(prelink_cron_system_t)
        ')
 ')
+ifdef(`hide_broken_symptoms', `
+       optional_policy(`
+             dbus_read_config(prelink_t)
+       ')
+')
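Review bot: The new `ifdef(`hide_broken_symptoms'` block is appended directly after the closing `')` of the previous `optional_policy` with no separating blank line, and its inner `dbus_read_config(prelink_t)` is indented with a run of spaces rather than the tabs used elsewhere in the file. Both should match the surrounding layout: a blank line before `ifdef(` and tab indentation inside it.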
index 2df2f1d08be7b332f84c9f088dc88f10a449285d..c1aaa794b6e36b240fbb80eb3e82692fd539a865 100644 (file)
@@ -53,6 +53,7 @@ domain_read_all_domains_state(readahead_t)
 
 files_list_non_security(readahead_t)
 files_read_non_security_files(readahead_t)
+files_dontaudit_read_security_files(readahead_t)
 files_create_boot_flag(readahead_t)
 files_getattr_all_pipes(readahead_t)
 files_dontaudit_getattr_all_sockets(readahead_t)
@@ -66,6 +67,7 @@ fs_read_cgroup_files(readahead_t)
 fs_read_tmpfs_files(readahead_t)
 fs_read_tmpfs_symlinks(readahead_t)
 fs_list_inotifyfs(readahead_t)
+fs_dontaudit_read_tmpfs_blk_dev(readahead_t)
 fs_dontaudit_search_ramfs(readahead_t)
 fs_dontaudit_read_ramfs_pipes(readahead_t)
 fs_dontaudit_read_ramfs_files(readahead_t)
index b206bf6865ef46f5e7cb8903deccee03da1039d1..48922c9774b3ae03490dd166e0b16ca6756d67b0 100644 (file)
@@ -7,6 +7,7 @@
 
 /usr/bin/yum                   --      gen_context(system_u:object_r:rpm_exec_t,s0)
 
+/usr/libexec/packagekitd       --      gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/libexec/yumDBUSBackend.py --      gen_context(system_u:object_r:rpm_exec_t,s0)
 
 /usr/sbin/yum-complete-transaction --  gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -25,6 +26,9 @@ ifdef(`distro_redhat', `
 /usr/sbin/pup                  --      gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/rhn_check            --      gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/up2date              --      gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/synaptic             --      gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/apt-get               --      gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/apt-shell             --      gen_context(system_u:object_r:rpm_exec_t,s0)
 ')
 
 /var/cache/yum(/.*)?                   gen_context(system_u:object_r:rpm_var_cache_t,s0)
@@ -36,6 +40,8 @@ ifdef(`distro_redhat', `
 /var/log/rpmpkgs.*             --      gen_context(system_u:object_r:rpm_log_t,s0)
 /var/log/yum\.log.*            --      gen_context(system_u:object_r:rpm_log_t,s0)
 
+/var/spool/up2date(/.*)?               gen_context(system_u:object_r:rpm_var_cache_t,s0)
+
 /var/run/yum.*                 --      gen_context(system_u:object_r:rpm_var_run_t,s0)
 /var/run/PackageKit(/.*)?              gen_context(system_u:object_r:rpm_var_run_t,s0)
 
index 86463e348d01f74d2eb1d84f35d1df91ccdee2b4..ddbb3af422083fbac47ecc6b19497fcc73eaa639 100644 (file)
 interface(`rpm_domtrans',`
        gen_require(`
                type rpm_t, rpm_exec_t;
+               attribute rpm_transition_domain;
        ')
 
        files_search_usr($1)
        corecmd_search_bin($1)
        domtrans_pattern($1, rpm_exec_t, rpm_t)
+       typeattribute $1 rpm_transition_domain;
+       rpm_debuginfo_domtrans($1)
 ')
 
 ########################################
@@ -87,6 +90,11 @@ interface(`rpm_run',`
        rpm_domtrans($1)
        role $2 types rpm_t;
        role $2 types rpm_script_t;
+
+       domain_system_change_exemption($1)
+       role_transition $2 rpm_exec_t system_r;
+       allow $2 system_r;
+
        seutil_run_loadpolicy(rpm_script_t, $2)
        seutil_run_semanage(rpm_script_t, $2)
        seutil_run_setfiles(rpm_script_t, $2)
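Review bot: `domain_system_change_exemption($1)` is applied to the caller domain `$1`, not to `rpm_t`, so every domain that invokes `rpm_run` is exempted from the system-identity-change constraint, and `allow $2 system_r;` lets every role that is granted `rpm_run` move into `system_r`. Both grants are broader than the interface summary suggests and neither carries a comment; if the exemption is needed only for the `role_transition $2 rpm_exec_t system_r;` line, say so explicitly, e.g. `# the caller needs the exemption because rpm executes in system_r after the role transition`, and otherwise consider whether it belongs on rpm_t instead. The enclosing `rpm_run` interface starts outside the hunk.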
@@ -183,6 +191,41 @@ interface(`rpm_rw_pipes',`
        allow $1 rpm_t:fifo_file rw_fifo_file_perms;
 ')
 
+########################################
+## <summary>
+##     dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`rpm_dontaudit_leaks',`
+       gen_require(`
+               type rpm_t, rpm_var_cache_t;
+               type rpm_script_t, rpm_var_run_t, rpm_tmp_t;
+               type rpm_tmpfs_t, rpm_script_tmp_t, rpm_var_lib_t;
+       ')
+
+       dontaudit $1 rpm_t:fifo_file rw_inherited_fifo_file_perms;
+       dontaudit $1 rpm_t:tcp_socket { read write };
+       dontaudit $1 rpm_t:unix_dgram_socket { read write };
+       dontaudit $1 rpm_t:shm rw_shm_perms;
+
+       dontaudit $1 rpm_script_t:fd use;
+       dontaudit $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms;
+
+       dontaudit $1 rpm_var_run_t:file rw_inherited_file_perms;
+
+       dontaudit $1 rpm_tmp_t:file rw_inherited_file_perms;
+       dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
+       dontaudit $1 rpm_tmpfs_t:file rw_inherited_file_perms;
+       dontaudit $1 rpm_script_tmp_t:file rw_inherited_file_perms;
+       dontaudit $1 rpm_var_lib_t:file rw_inherited_file_perms;
+       dontaudit $1 rpm_var_cache_t:file  rw_inherited_file_perms;
+')
+
 ########################################
 ## <summary>
 ##     Send and receive messages from
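Review bot: The summary of `rpm_dontaudit_leaks` reads "dontaudit read and write an leaked file descriptors", which is ungrammatical; it should read `Do not audit attempts to read and write leaked rpm file descriptors and IPC objects.` since the body also covers tcp/dgram sockets, shm and tmp/lib/cache files, not just descriptors. The line `dontaudit $1 rpm_var_cache_t:file  rw_inherited_file_perms;` has a doubled space before the permission set.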
@@ -338,7 +381,9 @@ interface(`rpm_manage_script_tmp_files',`
        ')
 
        files_search_tmp($1)
+       manage_dirs_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
        manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
+       manage_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
 ')
 
 #####################################
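Review bot: `rpm_manage_script_tmp_files` now also manages directories and symbolic links under `rpm_script_tmp_t`, and the same change is made to `rpm_manage_tmp_files` in the next hunk, but both interface names and their summaries (outside the hunk) still say "files". The summaries should be updated to mention directories and symlinks, e.g. `Create, read, write, and delete rpm script temporary files, directories and symlinks.`, so callers are not surprised by the wider grant.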
@@ -378,7 +423,9 @@ interface(`rpm_manage_tmp_files',`
        ')
 
        files_search_tmp($1)
+       manage_dirs_pattern($1, rpm_tmp_t, rpm_tmp_t)
        manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
+       manage_lnk_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
 ')
 
 ########################################
@@ -461,6 +508,7 @@ interface(`rpm_read_db',`
        allow $1 rpm_var_lib_t:dir list_dir_perms;
        read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
        read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
+       rpm_read_cache($1)
 ')
 
 ########################################
@@ -577,3 +625,66 @@ interface(`rpm_pid_filetrans',`
 
        files_pid_filetrans($1, rpm_var_run_t, file)
 ')
+
+########################################
+## <summary>
+##     Send a null signal to rpm.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`rpm_inherited_fifo',`
+       gen_require(`
+               attribute rpm_transition_domain;
+       ')
+
+       allow $1 rpm_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+')
+
+
+########################################
+## <summary>
+##     Make rpm_exec_t an entry point for
+##     the specified domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+# 
+interface(`rpm_entry_type',`
+       gen_require(`
+               type rpm_exec_t;
+       ')
+
+       domain_entry_file($1, rpm_exec_t)
+')
+
+########################################
+## <summary>
+##     Allow application to transition to rpm_script domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`rpm_transition_script',`
+       gen_require(`
+               type rpm_script_t;
+               attribute rpm_transition_domain;
+       ')
+
+       typeattribute $1 rpm_transition_domain;
+       allow $1 rpm_script_t:process transition;
+
+       allow $1 rpm_script_t:fd use;
+       allow rpm_script_t $1:fd use;
+       allow rpm_script_t $1:fifo_file rw_fifo_file_perms;
+       allow rpm_script_t $1:process sigchld;
+')
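Review bot: The summary of `rpm_inherited_fifo` says "Send a null signal to rpm." but the body grants `rw_inherited_fifo_file_perms` on pipes of every domain carrying `rpm_transition_domain`; the summary looks copied from another interface and should read `Read and write inherited pipes of domains that transition to rpm.`. In `rpm_transition_script`, `allow $1 rpm_script_t:process transition;` grants only the transition permission, so the caller still needs entrypoint access on an `rpm_script_t` entry type (the .te hunks show `corecmd_shell_entry_type`/`corecmd_bin_entry_type` for it); a comment noting that this interface is not a full `domtrans_pattern` and what the caller must provide would save a maintainer from wondering why a transition denial still appears. The stray trailing space after `# ` above `rpm_entry_type` should also go.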
index 95dbcf31efc4e5cde5ae74b4cf6483daa5baf918..bdba9c56a9041bac7452aabc0a15a72680509758 100644 (file)
@@ -1,10 +1,11 @@
 policy_module(rpm, 1.11.1)
 
+attribute rpm_transition_domain;
+
 ########################################
 #
 # Declarations
 #
-
 type debuginfo_exec_t;
 domain_entry_file(rpm_t, debuginfo_exec_t)
 
@@ -44,6 +45,7 @@ type rpm_script_exec_t;
 domain_obj_id_change_exemption(rpm_script_t)
 domain_system_change_exemption(rpm_script_t)
 corecmd_shell_entry_type(rpm_script_t)
+corecmd_bin_entry_type(rpm_script_t)
 domain_type(rpm_script_t)
 domain_entry_file(rpm_t, rpm_script_exec_t)
 domain_interactive_fd(rpm_script_t)
@@ -77,6 +79,8 @@ allow rpm_t self:shm create_shm_perms;
 allow rpm_t self:sem create_sem_perms;
 allow rpm_t self:msgq create_msgq_perms;
 allow rpm_t self:msg { send receive };
+allow rpm_t self:dir search;
+allow rpm_t self:file rw_file_perms;;
 
 allow rpm_t rpm_log_t:file manage_file_perms;
 logging_log_filetrans(rpm_t, rpm_log_t, file)
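Review bot: `allow rpm_t self:file rw_file_perms;;` ends with a doubled semicolon; even if the policy compiler accepts an empty statement, it reads as a typo and should be `allow rpm_t self:file rw_file_perms;`. The two new `self:dir search` / `self:file` rules have no comment saying what rpm_t opens on itself (presumably its own /proc entries); a short why-comment would help, but that guess should be confirmed before it is written down.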
@@ -84,6 +88,7 @@ logging_log_filetrans(rpm_t, rpm_log_t, file)
 manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
 manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
 files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
+can_exec(rpm_t, rpm_tmp_t)
 
 manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
 manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
@@ -91,6 +96,7 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
 manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
 manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
 fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+can_exec(rpm_t, rpm_tmpfs_t)
 
 manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
 manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
@@ -100,12 +106,14 @@ files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
 manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
 files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
 
+manage_dirs_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
 manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
-files_pid_filetrans(rpm_t, rpm_var_run_t, file)
+files_pid_filetrans(rpm_t, rpm_var_run_t, { file dir })
 
 kernel_read_network_state(rpm_t)
 kernel_read_system_state(rpm_t)
 kernel_read_kernel_sysctls(rpm_t)
+kernel_read_network_state_symlinks(rpm_t)
 
 corecmd_exec_all_executables(rpm_t)
 
@@ -125,6 +133,8 @@ corenet_sendrecv_all_client_packets(rpm_t)
 dev_list_sysfs(rpm_t)
 dev_list_usbfs(rpm_t)
 dev_read_urand(rpm_t)
+dev_read_raw_memory(rpm_t)
+#devices_manage_all_device_types(rpm_t)
 
 fs_getattr_all_dirs(rpm_t)
 fs_list_inotifyfs(rpm_t)
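Review bot: `dev_read_raw_memory(rpm_t)` grants the package manager read access to raw memory device nodes with no justification, and the commented-out `#devices_manage_all_device_types(rpm_t)` on the next line is dead code that should be removed rather than left as a hint. If a specific package or scriptlet needs the raw memory read, name it in a comment, e.g. `# NOTE(review): which package needs raw memory read access? — confirm and document`; otherwise this grant is a good candidate for removal or for moving under a tunable.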
@@ -205,6 +215,7 @@ optional_policy(`
        optional_policy(`
                networkmanager_dbus_chat(rpm_t)
        ')
+
 ')
 
 optional_policy(`
@@ -212,7 +223,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-       unconfined_domain(rpm_t)
+       unconfined_domain_noaudit(rpm_t)
        # yum-updatesd requires this
        unconfined_dbus_chat(rpm_t)
        unconfined_dbus_chat(rpm_script_t)
@@ -242,6 +253,8 @@ allow rpm_script_t rpm_tmp_t:file read_file_perms;
 allow rpm_script_t rpm_script_tmp_t:dir mounton;
 manage_dirs_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
 manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
 files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
 
 manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
@@ -254,6 +267,7 @@ fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_fi
 kernel_read_kernel_sysctls(rpm_script_t)
 kernel_read_system_state(rpm_script_t)
 kernel_read_network_state(rpm_script_t)
+kernel_list_all_proc(rpm_script_t)
 kernel_read_software_raid_state(rpm_script_t)
 
 dev_list_sysfs(rpm_script_t)
@@ -301,6 +315,8 @@ auth_manage_all_files_except_shadow(rpm_script_t)
 auth_relabel_shadow(rpm_script_t)
 
 corecmd_exec_all_executables(rpm_script_t)
+can_exec(rpm_script_t, rpm_script_tmp_t)
+can_exec(rpm_script_t, rpm_script_tmpfs_t)
 
 domain_read_all_domains_state(rpm_script_t)
 domain_getattr_all_domains(rpm_script_t)
@@ -331,12 +347,15 @@ modutils_domtrans_insmod(rpm_script_t)
 seutil_domtrans_loadpolicy(rpm_script_t)
 seutil_domtrans_setfiles(rpm_script_t)
 seutil_domtrans_semanage(rpm_script_t)
+seutil_domtrans_setsebool(rpm_script_t)
 
 userdom_use_all_users_fds(rpm_script_t)
+userdom_exec_admin_home_files(rpm_script_t)
 
 ifdef(`distro_redhat',`
        optional_policy(`
                mta_send_mail(rpm_script_t)
+               mta_system_content(rpm_var_run_t)
        ')
 ')
 
@@ -366,8 +385,9 @@ optional_policy(`
 ')
 
 optional_policy(`
-       unconfined_domain(rpm_script_t)
+       unconfined_domain_noaudit(rpm_script_t)
        unconfined_domtrans(rpm_script_t)
+       unconfined_execmem_domtrans(rpm_script_t)
 
        optional_policy(`
                java_domtrans_unconfined(rpm_script_t)
index 0948921725e3a466497df2853aa7a466139244e7..b83f3db175c4b9b4daa1950a6083878121b02409 100644 (file)
@@ -18,6 +18,24 @@ interface(`shorewall_domtrans',`
        domtrans_pattern($1, shorewall_exec_t, shorewall_t)
 ')
 
+######################################
+## <summary>
+##      Execute a domain transition to run shorewall.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`shorewall_domtrans_lib',`
+        gen_require(`
+                type shorewall_t, shorewall_var_lib_t;
+        ')
+
+        domtrans_pattern($1, shorewall_var_lib_t, shorewall_t)
+')
+
 #######################################
 ## <summary>
 ##     Read shorewall etc configuration files.
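Review bot: The summary of `shorewall_domtrans_lib` is a verbatim copy of the `shorewall_domtrans` summary above it, so a reader cannot tell the two apart; it should say what differs, e.g. `Execute files labeled shorewall_var_lib_t with a domain transition to shorewall_t.`, since the body uses `shorewall_var_lib_t` as the entry type. The new interface body is indented with eight spaces while the neighbouring interfaces in this hunk use tabs.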
@@ -115,6 +133,25 @@ interface(`shorewall_rw_lib_files',`
         rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
 ')
 
+#######################################
+## <summary>
+##      Read shorewall tmp files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`shorewall_read_tmp_files',`
+        gen_require(`
+                type shorewall_tmp_t;
+        ')
+
+        files_search_tmp($1)
+        read_files_pattern($1, shorewall_tmp_t, shorewall_tmp_t)
+')
+
 #######################################
 ## <summary>
 ##     All of the rules required to administrate 
@@ -134,9 +171,10 @@ interface(`shorewall_rw_lib_files',`
 #
 interface(`shorewall_admin',`
        gen_require(`
-               type shorewall_t, shorewall_var_run_t, shorewall_lock_t;
+               type shorewall_t, shorewall_lock_t;
+               type shorewall_log_t;
                type shorewall_initrc_exec_t, shorewall_var_lib_t;
-               type shorewall_tmp_t;
+               type shorewall_tmp_t, shorewall_etc_t;
        ')
 
        allow $1 shorewall_t:process { ptrace signal_perms };
@@ -153,12 +191,12 @@ interface(`shorewall_admin',`
        files_search_locks($1)
        admin_pattern($1, shorewall_lock_t)
 
-       files_search_pids($1)
-       admin_pattern($1, shorewall_var_run_t)
-
        files_search_var_lib($1)
        admin_pattern($1, shorewall_var_lib_t)
 
+       logging_search_logs($1)
+       admin_pattern($1, shorewall_log_t)
+
        files_search_tmp($1)
        admin_pattern($1, shorewall_tmp_t)
 ')
index a22e546b9cc437696dee9dc281119aa98e6240a2..ffc0571fddb5732c8186571d95c942dd49e0b4ed 100644 (file)
@@ -58,6 +58,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
 manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
 manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
 files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file })
+allow shorewall_t shorewall_var_lib_t:file entrypoint;
+
+allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;
 
 kernel_read_kernel_sysctls(shorewall_t)
 kernel_read_network_state(shorewall_t)
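Review bot: `allow shorewall_t shorewall_var_lib_t:file entrypoint;` makes a type that shorewall_t itself creates and writes (`manage_files_pattern(shorewall_t, shorewall_var_lib_t, ...)` two lines above) an entry point into its own domain, so nothing outside shorewall_t constrains what content is executed as shorewall_t through this path. That is presumably the compiled-firewall-script case served by the new `shorewall_domtrans_lib` interface, but it should be stated in a comment, e.g. `# shorewall compiles its rules into a script under /var/lib/shorewall and re-executes it`, so the self-writable entrypoint is a recorded decision rather than an accident.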
@@ -80,13 +83,18 @@ fs_getattr_all_fs(shorewall_t)
 
 init_rw_utmp(shorewall_t)
 
+logging_read_generic_logs(shorewall_t)
 logging_send_syslog_msg(shorewall_t)
 
 miscfiles_read_localization(shorewall_t)
 
 sysnet_domtrans_ifconfig(shorewall_t)
 
-userdom_dontaudit_list_user_home_dirs(shorewall_t)
+userdom_dontaudit_list_admin_dir(shorewall_t)
+
+optional_policy(`
+        brctl_domtrans(shorewall_t)
+')
 
 optional_policy(`
        hostname_exec(shorewall_t)
index 917426895abed9a2140581cfb169e9bf54ef929b..09c3771ae5431c711fe6ec6327c35a928e742920 100644 (file)
@@ -3,3 +3,5 @@
 /sbin/shutdown         --      gen_context(system_u:object_r:shutdown_exec_t,s0)
 
 /var/run/shutdown\.pid         --      gen_context(system_u:object_r:shutdown_var_run_t,s0)
+
+/lib/upstart/shutdown  --      gen_context(system_u:object_r:shutdown_exec_t,s0)
index d2c068dec24ea6f6a4a69c97b34ff7951faac6bc..914e1ac990a779f810e9239ec1a0bf7cd399a340 100644 (file)
@@ -19,10 +19,11 @@ interface(`shutdown_domtrans',`
 
        ifdef(`hide_broken_symptoms', `
                dontaudit shutdown_t $1:socket_class_set { read write };
-               dontaudit shutdown_t $1:fifo_file { read write };
+               dontaudit shutdown_t $1:fifo_file rw_inherited_fifo_file_perms;
        ')
 ')
 
+
 ########################################
 ## <summary>
 ##     Execute shutdown in the shutdown domain, and
@@ -48,6 +49,73 @@ interface(`shutdown_run',`
        role $2 types shutdown_t;
 ')
 
+########################################
+## <summary>
+##     Role access for shutdown
+## </summary>
+## <param name="role">
+##     <summary>
+##     Role allowed access
+##     </summary>
+## </param>
+## <param name="domain">
+##     <summary>
+##     User domain for the role
+##     </summary>
+## </param>
+#
+interface(`shutdown_role',`
+       gen_require(`
+              type shutdown_t;
+       ')
+
+       role $1 types shutdown_t;
+
+       shutdown_domtrans($2)
+
+       ps_process_pattern($2, shutdown_t)
+       allow $2 shutdown_t:process signal;
+')
+
+########################################
+## <summary>
+##     Recieve sigchld from shutdown
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access
+##     </summary>
+## </param>
+#
+interface(`shutdown_send_sigchld',`
+       gen_require(`
+              type shutdown_t;
+       ')
+
+       allow shutdown_t $1:process signal;
+')
+
+########################################
+## <summary>
+##     Send and receive messages from
+##     shutdown over dbus.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`shutdown_dbus_chat',`
+       gen_require(`
+               type shutdown_t;
+               class dbus send_msg;
+       ')
+
+       allow $1 shutdown_t:dbus send_msg;
+       allow shutdown_t $1:dbus send_msg;
+')
+
 ########################################
 ## <summary>
 ##     Get attributes of shutdown executable.
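Review bot: `shutdown_send_sigchld` is internally inconsistent: the name says it sends SIGCHLD, the summary says "Recieve sigchld from shutdown", and the rule actually granted is `allow shutdown_t $1:process signal;`, which is the generic signal permission rather than `sigchld`. If the intent is the usual parent/child pattern, the rule should be `allow shutdown_t $1:process sigchld;` and the summary `Receive SIGCHLD from shutdown.` (also fixing the spelling). The `gen_require` inside `shutdown_role` is indented with spaces where the file uses tabs.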
index 51f7c3a40f67a136398d61423e297dabbcee32bd..707fb3de1da8f5604dbb8720b16cc84c964a551d 100644 (file)
@@ -36,6 +36,8 @@ files_pid_filetrans(shutdown_t, shutdown_var_run_t, file)
 files_read_etc_files(shutdown_t)
 files_read_generic_pids(shutdown_t)
 
+mls_file_write_to_clearance(shutdown_t)
+
 term_use_all_terms(shutdown_t)
 
 auth_use_nsswitch(shutdown_t)
@@ -54,6 +56,11 @@ optional_policy(`
        dbus_connect_system_bus(shutdown_t)
 ')
 
+optional_policy(`
+    oddjob_dontaudit_rw_fifo_file(shutdown_t)
+    oddjob_sigchld(shutdown_t)
+')
+
 optional_policy(`
        xserver_dontaudit_write_log(shutdown_t)
 ')
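Review bot: The two lines inside the new `optional_policy` block (`oddjob_dontaudit_rw_fifo_file(shutdown_t)` and `oddjob_sigchld(shutdown_t)`) are indented with four spaces while every other block in this file uses a tab; they should be tab-indented to match.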
index a0aa8c55c354bdd0b4e923af372cd4b3ed526d23..1b60ad87315dd27c1671f52209c9b3ea1df7835a 100644 (file)
@@ -212,7 +212,7 @@ template(`su_role_template',`
 
        auth_domtrans_chk_passwd($1_su_t)
        auth_dontaudit_read_shadow($1_su_t)
-       auth_use_nsswitch($1_su_t)
+       auth_use_pam($1_su_t)
        auth_rw_faillog($1_su_t)
 
        corecmd_search_bin($1_su_t)
@@ -236,6 +236,7 @@ template(`su_role_template',`
 
        userdom_use_user_terminals($1_su_t)
        userdom_search_user_home_dirs($1_su_t)
+       userdom_search_admin_dir($1_su_t)
 
        ifdef(`distro_redhat',`
                # RHEL5 and possibly newer releases incl. Fedora
index 7bddc02a492e51e9dd80c3c86c379e454d21b38d..2b59ed0a0690df330e5ef63c669b9243c4784a7d 100644 (file)
@@ -1,2 +1,4 @@
 
 /usr/bin/sudo(edit)?   --      gen_context(system_u:object_r:sudo_exec_t,s0)
+
+/var/db/sudo(/.*)?             gen_context(system_u:object_r:sudo_db_t,s0)
index 5f44f1bc0d86873387cd4b4f228f91089783a237..29931302952ee86df8781251d35482acf497799c 100644 (file)
@@ -32,6 +32,7 @@ template(`sudo_role_template',`
 
        gen_require(`
                type sudo_exec_t;
+               type sudo_db_t;
                attribute sudodomain;
        ')
 
@@ -47,6 +48,9 @@ template(`sudo_role_template',`
        ubac_constrained($1_sudo_t)
        role $2 types $1_sudo_t;
 
+       manage_dirs_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
+       manage_files_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
+
        ##############################
        #
        # Local Policy
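Review bot: The new `manage_dirs_pattern`/`manage_files_pattern` on sudo_db_t give `$1_sudo_t` full control of an existing /var/db/sudo tree, but no type transition is added, so a /var/db/sudo directory that sudo creates itself on first use would inherit its parent's label (presumably var_t) and the timestamp files would then live outside sudo_db_t. If the package does not guarantee the directory exists, a transition such as `files_var_filetrans($1_sudo_t, sudo_db_t, dir)` next to these lines would close that gap (check the exact interface name against this tree's files.if). The template body continues outside the hunk.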
@@ -76,6 +80,8 @@ template(`sudo_role_template',`
        # By default, revert to the calling domain when a shell is executed.
        corecmd_shell_domtrans($1_sudo_t, $3)
        corecmd_bin_domtrans($1_sudo_t, $3)
+       userdom_domtrans_user_home($1_sudo_t, $3)
+       userdom_domtrans_user_tmp($1_sudo_t, $3)
        allow $3 $1_sudo_t:fd use;
        allow $3 $1_sudo_t:fifo_file rw_file_perms;
        allow $3 $1_sudo_t:process signal_perms;
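Review bot: `userdom_domtrans_user_home` and `userdom_domtrans_user_tmp` let the root-privileged sudo domain execute user-writable content from home directories and /tmp, transitioning into the caller's domain `$3`, and nothing in the hunk records why this is needed beyond the shell and bin transitions above it. Since sudoers decides what may run, the SELinux-side rationale belongs in a comment, e.g. `# sudo may run user-owned scripts from $HOME and /tmp; they revert to the caller's domain`, and if this policy gates user execution of home/tmp content behind a boolean elsewhere, these two lines should probably sit behind the same tunable. The template body continues outside the hunk.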
@@ -111,6 +117,7 @@ template(`sudo_role_template',`
 
        term_relabel_all_ttys($1_sudo_t)
        term_relabel_all_ptys($1_sudo_t)
+       term_getattr_pty_fs($1_sudo_t)
 
        auth_run_chk_passwd($1_sudo_t, $2)
        # sudo stores a token in the pam_pid directory
@@ -133,13 +140,18 @@ template(`sudo_role_template',`
        userdom_manage_user_tmp_files($1_sudo_t)
        userdom_manage_user_tmp_symlinks($1_sudo_t)
        userdom_use_user_terminals($1_sudo_t)
+       userdom_signal_unpriv_users($1_sudo_t)
        # for some PAM modules and for cwd
-       userdom_dontaudit_search_user_home_content($1_sudo_t)
+       userdom_search_user_home_content($1_sudo_t)
+       userdom_search_admin_dir($1_sudo_t)
+       userdom_manage_all_users_keys($1_sudo_t)
 
        ifdef(`hide_broken_symptoms', `
                dontaudit $1_sudo_t $3:socket_class_set { read write };
        ')
 
+       mta_role($2, $1_sudo_t)
+
        tunable_policy(`use_nfs_home_dirs',`
                fs_manage_nfs_files($1_sudo_t)
        ')
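Review bot: `userdom_manage_all_users_keys($1_sudo_t)` is a broad grant, management of every user's kernel keyrings rather than just the target user's, and it comes with no comment, while the existing `# for some PAM modules and for cwd` comment now justifies an allow (`userdom_search_user_home_content`) where it previously justified a dontaudit. If the keyring access is for session keyring setup by a PAM module, say so in a one-line comment above it (`# pam_keyinit sets up the session keyring for the target user`) and consider whether a narrower interface limited to the target user's keys exists in this policy. `mta_role($2, $1_sudo_t)` is plausible for sudo's mail-on-failure behaviour but also deserves a short comment. The template body continues outside the hunk.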
index c368bdc08ecdaca0f98fb98ddfb1a730d1c27457..c927b85eea69c694c9977691ab6b1629882b39c2 100644 (file)
@@ -7,3 +7,7 @@ attribute sudodomain;
 
 type sudo_exec_t;
 application_executable_file(sudo_exec_t)
+
+type sudo_db_t;
+files_type(sudo_db_t)
+
index 6a5004b915436722fc539ffa16ddaa3e5194089c..50cd538614d398d177b36e12484db019d3e729d3 100644 (file)
@@ -25,8 +25,11 @@ fs_getattr_xattr_fs(tmpreaper_t)
 files_read_etc_files(tmpreaper_t)
 files_read_var_lib_files(tmpreaper_t)
 files_purge_tmp(tmpreaper_t)
+files_delete_usr_dirs(tmpreaper_t)
+files_delete_usr_files(tmpreaper_t)
 # why does it need setattr?
 files_setattr_all_tmp_dirs(tmpreaper_t)
+files_setattr_usr_dirs(tmpreaper_t)
 files_getattr_all_dirs(tmpreaper_t)
 files_getattr_all_files(tmpreaper_t)
 
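Review bot: `files_delete_usr_dirs`, `files_delete_usr_files` and `files_setattr_usr_dirs` let a /tmp cleaner delete and chmod everything labelled usr_t, which turns a misconfigured or compromised tmpreaper run into a tool that can strip installed software from /usr; nothing in the hunk says which directory needs this. The existing `# why does it need setattr?` comment shows this file already carries unexplained grants, so please record the reason next to the new lines (e.g. `# cleans a tmp-like directory under /usr`), and if it is a single directory a dedicated type for it would be far narrower than all of usr_t. The tmpreaper_t block continues outside the hunk.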
@@ -52,7 +55,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+       apache_delete_sys_content_rw(tmpreaper_t)
        apache_list_cache(tmpreaper_t)
+       apache_delete_cache_dirs(tmpreaper_t)
        apache_delete_cache_files(tmpreaper_t)
        apache_setattr_cache_dirs(tmpreaper_t)
 ')
@@ -65,6 +70,14 @@ optional_policy(`
        lpd_manage_spool(tmpreaper_t)
 ')
 
+optional_policy(`
+       sandbox_list(tmpreaper_t)
+       sandbox_delete_dirs(tmpreaper_t)
+       sandbox_delete_files(tmpreaper_t)
+       sandbox_delete_sock_files(tmpreaper_t)
+       sandbox_setattr_dirs(tmpreaper_t)
+')
+
 optional_policy(`
        rpm_manage_cache(tmpreaper_t)
 ')
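Review bot: The new sandbox `optional_policy` block is inserted ahead of the rpm block, breaking the alphabetical ordering the visible part of the file otherwise keeps (apache, lpd, rpm). Moving it below the rpm block keeps the optional sections sorted, which is what makes later additions and merges against upstream painless. The tmpreaper_t block continues outside the hunk.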
index aa9636dee877a30ef2e739267c9eb64f06976163..78516430fdab92e2aa6b33bef2a1ce79feb88bb8 100644 (file)
@@ -15,7 +15,7 @@ application_domain(tzdata_t, tzdata_exec_t)
 # tzdata local policy
 #
 
-files_read_etc_files(tzdata_t)
+files_read_config_files(tzdata_t)
 files_search_spool(tzdata_t)
 
 fs_getattr_xattr_fs(tzdata_t)
index aecbf1ce3c859808bb0b05c15f15db4abe7a82d2..0b5e6344960c5c5f7a9d0ae0617fa43e8dd0ea48 100644 (file)
@@ -290,6 +290,9 @@ interface(`usermanage_run_useradd',`
        usermanage_domtrans_useradd($1)
        role $2 types useradd_t;
 
+       # Add/remove user home directories
+       userdom_manage_home_role($2, useradd_t)
+
        seutil_run_semanage(useradd_t, $2)
 
        optional_policy(`
index c35d8015b06d9f89baabe505058d36055b6ec7ca..961424f18d47904be96ce9c0be95f3294d3f42ba 100644 (file)
@@ -90,9 +90,7 @@ fs_search_auto_mountpoints(chfn_t)
 # for SSP
 dev_read_urand(chfn_t)
 
-auth_domtrans_chk_passwd(chfn_t)
-auth_dontaudit_read_shadow(chfn_t)
-auth_use_nsswitch(chfn_t)
+auth_use_pam(chfn_t)
 
 # allow checking if a shell is executable
 corecmd_check_exec_shell(chfn_t)
@@ -295,15 +293,18 @@ selinux_compute_user_contexts(passwd_t)
 
 term_use_all_ttys(passwd_t)
 term_use_all_ptys(passwd_t)
+term_use_generic_ptys(passwd_t)
 
-auth_domtrans_chk_passwd(passwd_t)
 auth_manage_shadow(passwd_t)
 auth_relabel_shadow(passwd_t)
 auth_etc_filetrans_shadow(passwd_t)
-auth_use_nsswitch(passwd_t)
+auth_use_pam(passwd_t)
 
 # allow checking if a shell is executable
 corecmd_check_exec_shell(passwd_t)
+corecmd_exec_bin(passwd_t)
+
+corenet_tcp_connect_kerberos_password_port(passwd_t)
 
 domain_use_interactive_fds(passwd_t)
 
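Review bot: `term_use_generic_ptys(passwd_t)` is added directly under `term_use_all_ptys(passwd_t)`, which as its name indicates already covers every pty type, so the new line is most likely redundant. Separately, `corecmd_exec_bin(passwd_t)` lets a setuid-root domain that holds shadow-file management rights execute any bin_t program in its own domain, and the hunk gives no reason; if it is for a specific helper (the kerberos password port rule below hints at a kpasswd path), a comment naming it, e.g. `# runs helper programs for kerberos password changes`, would help, and a domain transition into the helper's own domain would be tighter than execution in passwd_t. The passwd_t block continues outside the hunk.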
@@ -334,6 +335,7 @@ userdom_read_user_tmp_files(passwd_t)
 # user generally runs this from their home directory, so do not audit a search
 # on user home dir
 userdom_dontaudit_search_user_home_content(passwd_t)
+userdom_stream_connect(passwd_t)
 
 optional_policy(`
        nscd_domtrans(passwd_t)
@@ -428,7 +430,7 @@ optional_policy(`
 # Useradd local policy
 #
 
-allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
+allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource sys_ptrace };
 dontaudit useradd_t self:capability sys_tty_config;
 allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow useradd_t self:process setfscreate;
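Review bot: `sys_ptrace` is added to useradd_t's capability set while the line below still excludes `ptrace` from the process class, so the capability is presumably only needed to read other users' /proc entries (for example userdel checking whether the account still has running processes) rather than to attach to them. If that is the case, `dontaudit useradd_t self:capability sys_ptrace;` next to the existing sys_tty_config dontaudit is the safer fix, since CAP_SYS_PTRACE in a setuid-root management tool also unlocks reading other processes' memory maps; if it is genuinely required, a one-line comment saying why should accompany it. The useradd_t block continues outside the hunk.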
@@ -500,12 +502,8 @@ seutil_domtrans_setfiles(useradd_t)
 
 userdom_use_unpriv_users_fds(useradd_t)
 # Add/remove user home directories
-userdom_manage_user_home_dirs(useradd_t)
-userdom_home_filetrans_user_home_dir(useradd_t)
-userdom_manage_user_home_content_dirs(useradd_t)
-userdom_manage_user_home_content_files(useradd_t)
 userdom_home_filetrans_user_home_dir(useradd_t)
-userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
+userdom_manage_home_role(system_r, useradd_t)
 
 mta_manage_spool(useradd_t)
 
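Review bot: The replacement drops `userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)` together with the manage rules, so unless `userdom_manage_home_role` also installs that transition, files useradd copies from /etc/skel into a freshly created home directory will be labelled like the parent (user_home_dir_t) instead of user_home_t. That cannot be verified from this hunk; please confirm the interface body in userdom.if covers the filetrans, or keep the explicit line. The remaining `userdom_home_filetrans_user_home_dir(useradd_t)` is fine, but the `# Add/remove user home directories` comment now sits above it rather than above the role call it describes. The useradd_t block continues outside the hunk.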
index a870982078499d521a5bc4829590ea9b119c0e32..6542902fa3e1bea1de8aa5fe719f6520a5cdbe42 100644 (file)
@@ -107,6 +107,7 @@ sysnet_manage_config(vpnc_t)
 
 userdom_use_all_users_fds(vpnc_t)
 userdom_dontaudit_search_user_home_content(vpnc_t)
+userdom_read_home_certs(vpnc_t)
 
 optional_policy(`
        dbus_system_bus_client(vpnc_t)
diff --git a/policy/modules/apps/chrome.fc b/policy/modules/apps/chrome.fc
new file mode 100644 (file)
index 0000000..432fb25
--- /dev/null
@@ -0,0 +1,3 @@
+ /opt/google/chrome/chrome-sandbox     --      gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+
+/usr/lib(64)?/chromium-browser/chrome-sandbox  --      gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
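Review bot: The `/opt/google/chrome/chrome-sandbox` entry is written with a leading space before the path, unlike every other file-context line in the tree. libselinux's parser appears to skip leading whitespace so this probably still labels the file, but other tools that read file_contexts (fc_sort, editors, diff-based review) do not all do so, and the inconsistency is easy to mistake for a continuation line. Drop the space so the line starts at column 0 like the chromium entry below it.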
diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if
new file mode 100644 (file)
index 0000000..5ef90cd
--- /dev/null
@@ -0,0 +1,90 @@
+
+## <summary>policy for chrome</summary>
+
+########################################
+## <summary>
+##     Execute a domain transition to run chrome_sandbox.
+## </summary>
+## <param name="domain">
+## <summary>
+##     Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`chrome_domtrans_sandbox',`
+       gen_require(`
+               type chrome_sandbox_t, chrome_sandbox_exec_t;
+       ')
+
+       domtrans_pattern($1,chrome_sandbox_exec_t,chrome_sandbox_t)
+       ps_process_pattern(chrome_sandbox_t, $1)
+ifdef(`hide_broken_symptoms', `
+       dontaudit chrome_sandbox_t $1:socket_class_set { read write };
+       fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
+')
+')
+
+
+########################################
+## <summary>
+##     Execute chrome_sandbox in the chrome_sandbox domain, and
+##     allow the specified role the chrome_sandbox domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     The role to be allowed the chrome_sandbox domain.
+##     </summary>
+## </param>
+#
+interface(`chrome_run_sandbox',`
+       gen_require(`
+               type chrome_sandbox_t;
+       ')
+
+       chrome_domtrans_sandbox($1)
+       role $2 types chrome_sandbox_t;
+')
+
+########################################
+## <summary>
+##     Role access for chrome sandbox
+## </summary>
+## <param name="role">
+##     <summary>
+##     Role allowed access
+##     </summary>
+## </param>
+## <param name="domain">
+##     <summary>
+##     User domain for the role
+##     </summary>
+## </param>
+#
+interface(`chrome_role',`
+       gen_require(`
+              type chrome_sandbox_t;
+              type chrome_sandbox_tmpfs_t;
+       ')
+
+       role $1 types chrome_sandbox_t;
+
+       chrome_domtrans_sandbox($2)
+
+       ps_process_pattern($2, chrome_sandbox_t)
+       allow $2 chrome_sandbox_t:process signal_perms;
+
+       allow chrome_sandbox_t $2:unix_dgram_socket { read write };
+       allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
+       allow chrome_sandbox_t $2:unix_stream_socket { read write };
+       allow $2 chrome_sandbox_t:unix_stream_socket { read write };
+
+       allow $2 chrome_sandbox_t:shm rw_shm_perms;
+
+       allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms;
+')
+
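Review bot: `domtrans_pattern($1,chrome_sandbox_exec_t,chrome_sandbox_t)` is the only call in this new file without a space after each comma, the ifdef(hide_broken_symptoms) block inside `chrome_domtrans_sandbox` sits at column 0 instead of the interface's indent, and there are two blank lines between that interface and the next while the file otherwise uses one. None of this changes the compiled policy, but the file is new, so it is cheap to make it match the tree now: `domtrans_pattern($1, chrome_sandbox_exec_t, chrome_sandbox_t)` and a tab-indented ifdef block.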
diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
new file mode 100644 (file)
index 0000000..b09816f
--- /dev/null
@@ -0,0 +1,91 @@
+policy_module(chrome,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type chrome_sandbox_t;
+type chrome_sandbox_exec_t;
+application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
+role system_r types chrome_sandbox_t;
+
+type chrome_sandbox_tmp_t;
+files_tmp_file(chrome_sandbox_tmp_t)
+
+type chrome_sandbox_tmpfs_t;
+files_tmpfs_file(chrome_sandbox_tmpfs_t)
+ubac_constrained(chrome_sandbox_tmpfs_t)
+
+########################################
+#
+# chrome_sandbox local policy
+#
+allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
+allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
+allow chrome_sandbox_t self:fifo_file manage_file_perms;
+allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
+allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
+allow chrome_sandbox_t self:shm create_shm_perms;
+
+manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
+files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
+
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
+fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, file)
+
+kernel_read_system_state(chrome_sandbox_t)
+kernel_read_kernel_sysctls(chrome_sandbox_t)
+
+fs_manage_cgroup_dirs(chrome_sandbox_t)
+fs_manage_cgroup_files(chrome_sandbox_t)
+
+corecmd_exec_bin(chrome_sandbox_t)
+
+domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
+
+dev_read_urand(chrome_sandbox_t)
+dev_read_sysfs(chrome_sandbox_t)
+dev_rwx_zero(chrome_sandbox_t)
+
+files_read_etc_files(chrome_sandbox_t)
+files_read_usr_files(chrome_sandbox_t)
+
+fs_dontaudit_getattr_all_fs(chrome_sandbox_t)
+
+userdom_rw_user_tmpfs_files(chrome_sandbox_t)
+userdom_use_user_ptys(chrome_sandbox_t)
+userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
+userdom_read_inherited_user_home_content_files(chrome_sandbox_t)
+userdom_dontaudit_use_user_terminals(chrome_sandbox_t)
+
+miscfiles_read_localization(chrome_sandbox_t)
+miscfiles_read_fonts(chrome_sandbox_t)
+
+sysnet_dontaudit_read_config(chrome_sandbox_t)
+
+optional_policy(`
+       execmem_exec(chrome_sandbox_t)
+')
+
+optional_policy(`
+       gnome_rw_inherited_config(chrome_sandbox_t)
+       gnome_list_home_config(chrome_sandbox_t)
+')
+
+optional_policy(`
+       xserver_use_user_fonts(chrome_sandbox_t)
+       xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+       fs_dontaudit_append_nfs_files(chrome_sandbox_t)
+       fs_dontaudit_read_nfs_files(chrome_sandbox_t)
+       fs_dontaudit_read_nfs_symlinks(chrome_sandbox_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+       fs_dontaudit_append_cifs_files(chrome_sandbox_t)
+       fs_dontaudit_read_cifs_files(chrome_sandbox_t)
+')
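Review bot: The capability line grants chrome_sandbox_t `sys_admin`, `sys_ptrace`, `dac_override`, `sys_chroot`, `setuid` and `setgid` at once, and the same domain also gets `execmem execstack`, `corecmd_exec_bin` and cgroup directory/file management, with no comment tying any of it to what the setuid helper does; that is a lot of root-equivalent power for the one process whose job is to confine the renderers. If, as seems likely, `sys_chroot`/`setuid`/`setgid` are the chroot-and-drop-privileges step and `sys_admin` is for unsharing namespaces, write that down above the line, e.g. `# chroot + drop privs for the renderer jail; sys_admin for namespace setup`, and drop or dontaudit any capability that cannot be justified that way. Also `chrome_sandbox_tmpfs_t` is `ubac_constrained` while `chrome_sandbox_tmp_t` and the domain itself are not; worth confirming that asymmetry is intended.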
index 7fd0900a1eebfeb653ef68c8d910ff10d44d7e59..899e23462c955063dfd0b1b12f6f453df4801e6a 100644 (file)
@@ -27,7 +27,7 @@ dev_rw_sysfs(cpufreqselector_t)
 miscfiles_read_localization(cpufreqselector_t)
 
 userdom_read_all_users_state(cpufreqselector_t)
-userdom_dontaudit_search_user_home_dirs(cpufreqselector_t)
+userdom_dontaudit_search_admin_dir(cpufreqselector_t)
 
 optional_policy(`
        dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc
new file mode 100644 (file)
index 0000000..9bd4f45
--- /dev/null
@@ -0,0 +1,48 @@
+
+/usr/bin/aticonfig     --      gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/compiz                --      gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/darcs                 --      gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/dosbox                --      gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/haddock.*     --      gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/hasktags      --      gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/plasma-desktop        --      gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/runghc                --      gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/runhaskell    --      gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/sbcl          --      gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/skype         --      gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/valgrind      --      gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/sbin/vboxadd-service      --      gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/sbin/VBox.*       --      gen_context(system_u:object_r:execmem_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+')
+/usr/lib(64)?/chromium-browser/chromium-browser  gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib64/erlang/erts-[^/]+/bin/beam.smp --   gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/erlang/erts-[^/]+/bin/beam.smp --     gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib64/R/bin/exec/R                --      gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/R/bin/exec/R          --      gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/usr/libexec/ghc-[^/]+/.*bin  --       gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/libexec/ghc-[^/]+/ghc.*  --       gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib(64)?/ghc-[^/]+/ghc.*  --      gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/ia32el/ia32x_loader   --      gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib(64)/virtualbox/VirtualBox  -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/opt/real/(.*/)?realplay\.bin --       gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/opt/real/RealPlayer/realplay\.bin --  gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/usr/lib/wingide-[^/]+/bin/PyCore/python -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/thunderbird-[^/]+/thunderbird-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Updater -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Application -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/opt/likewise/bin/domainjoin-cli -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
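Review bot: Two entries have regex slips: `/usr/lib(64)/virtualbox/VirtualBox` is missing the `?` after `(64)`, so it only ever matches /usr/lib64 and a 32-bit install under /usr/lib is never labelled, and `/usr/lib(64)?/chromium-browser/chromium-browser` has no `--` file-type field, unlike every other line in the file, so it also matches a directory or symlink of that name. The fixes are `/usr/lib(64)?/virtualbox/VirtualBox -- gen_context(system_u:object_r:execmem_exec_t,s0)` and adding `--` to the chromium line. The unescaped dots in `Adobe.AIR.Updater`, `haddock.*` and `VBox.*` still match the intended files, so they are only a style nit.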
diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if
new file mode 100644 (file)
index 0000000..06ed3de
--- /dev/null
@@ -0,0 +1,110 @@
+## <summary>execmem domain</summary>
+
+########################################
+## <summary>
+##     Execute the execmem program in the execmem domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`execmem_exec',`
+       gen_require(`
+               type execmem_exec_t;
+       ')
+
+       can_exec($1, execmem_exec_t)
+')
+
+#######################################
+## <summary>
+##     The role template for the execmem module.
+## </summary>
+## <desc>
+##     <p>
+##     This template creates a derived domains which are used
+##     for execmem applications.
+##     </p>
+## </desc>
+## <param name="role_prefix">
+##     <summary>
+##     The prefix of the user domain (e.g., user
+##     is the prefix for user_t).
+##     </summary>
+## </param>
+## <param name="user_role">
+##     <summary>
+##     The role associated with the user domain.
+##     </summary>
+## </param>
+## <param name="user_domain">
+##     <summary>
+##     The type of the user domain.
+##     </summary>
+## </param>
+#
+template(`execmem_role_template',`
+       gen_require(`
+               type execmem_exec_t;
+       ')
+
+       type $1_execmem_t;
+       domain_type($1_execmem_t)
+       domain_entry_file($1_execmem_t, execmem_exec_t)
+       role $2 types $1_execmem_t;
+
+       userdom_unpriv_usertype($1, $1_execmem_t)
+       userdom_manage_tmp_role($2, $1_execmem_t)
+       userdom_manage_tmpfs_role($2, $1_execmem_t)
+
+       allow $1_execmem_t self:process { execmem execstack };
+       allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms };
+       domtrans_pattern($3, execmem_exec_t, $1_execmem_t)
+ifdef(`hide_broken_symptoms', `
+       dontaudit $1_execmem_t $3:socket_class_set { read write };
+')
+       files_execmod_tmp($1_execmem_t)
+
+       optional_policy(`
+               chrome_role($2, $1_execmem_t)
+       ')
+
+       optional_policy(`
+               mozilla_execmod_user_home_files($1_execmem_t)
+       ')
+
+       optional_policy(`
+               nsplugin_rw_shm($1_execmem_t)
+               nsplugin_rw_semaphores($1_execmem_t)
+       ')
+
+       optional_policy(`
+               xserver_role($2, $1_execmem_t)
+       ')
+')
+
+########################################
+## <summary>
+##     Execute a execmem_exec file
+##     in the specified domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="target_domain">
+##     <summary>
+##     The type of the new process.
+##     </summary>
+## </param>
+#
+interface(`execmem_domtrans',`
+       gen_require(`
+               type execmem_exec_t;
+       ')
+
+       domtrans_pattern($1, execmem_exec_t, $2)
+')
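Review bot: The summary of `execmem_exec` says the program is executed "in the execmem domain", but the body is `can_exec($1, execmem_exec_t)`, which runs it in the caller's domain with no transition; the doc should read `## Execute execmem_exec_t files in the caller domain.` so nobody relies on a transition that is not there (the real transitions are `execmem_domtrans` and the role template). In `execmem_role_template` the description "This template creates a derived domains which are used" should be "creates a derived domain which is used", and the ifdef(hide_broken_symptoms) block should carry the template's indentation as the rest of the file does.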
diff --git a/policy/modules/apps/execmem.te b/policy/modules/apps/execmem.te
new file mode 100644 (file)
index 0000000..a7d37e2
--- /dev/null
@@ -0,0 +1,10 @@
+policy_module(execmem, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type execmem_exec_t alias unconfined_execmem_exec_t;
+application_executable_file(execmem_exec_t)
+
diff --git a/policy/modules/apps/firewallgui.fc b/policy/modules/apps/firewallgui.fc
new file mode 100644 (file)
index 0000000..ce498b3
--- /dev/null
@@ -0,0 +1,3 @@
+
+/usr/share/system-config-firewall/system-config-firewall-mechanism.py  --      gen_context(system_u:object_r:firewallgui_exec_t,s0)
+
diff --git a/policy/modules/apps/firewallgui.if b/policy/modules/apps/firewallgui.if
new file mode 100644 (file)
index 0000000..7fe26f3
--- /dev/null
@@ -0,0 +1,41 @@
+
+## <summary>policy for firewallgui</summary>
+
+########################################
+## <summary>
+##     Send and receive messages from
+##     firewallgui over dbus.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`firewallgui_dbus_chat',`
+       gen_require(`
+               type firewallgui_t;
+               class dbus send_msg;
+       ')
+
+       allow $1 firewallgui_t:dbus send_msg;
+       allow firewallgui_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##     Read and write firewallgui unnamed pipes.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`firewallgui_dontaudit_rw_pipes',`
+       gen_require(`
+               type firewallgui_t;
+       ')
+
+       dontaudit $1 firewallgui_t:fifo_file rw_inherited_fifo_file_perms;
+')
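Review bot: `firewallgui_dontaudit_rw_pipes` is documented as "Read and write firewallgui unnamed pipes", but the body is a `dontaudit` rule, which grants nothing, so a caller reading the summary would expect the access to work. Reword it to `## Do not audit attempts to read and write firewallgui unnamed pipes.`, matching how other dontaudit interfaces in the tree are described.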
diff --git a/policy/modules/apps/firewallgui.te b/policy/modules/apps/firewallgui.te
new file mode 100644 (file)
index 0000000..4da3d86
--- /dev/null
@@ -0,0 +1,66 @@
+policy_module(firewallgui,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type firewallgui_t;
+type firewallgui_exec_t;
+dbus_system_domain(firewallgui_t, firewallgui_exec_t)
+
+type firewallgui_tmp_t;
+files_tmp_file(firewallgui_tmp_t)
+
+########################################
+#
+# firewallgui local policy
+#
+
+allow firewallgui_t self:capability net_admin;
+
+allow firewallgui_t self:fifo_file rw_fifo_file_perms;
+
+manage_files_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
+manage_dirs_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
+files_tmp_filetrans(firewallgui_t,firewallgui_tmp_t, { file dir })
+
+files_manage_system_conf_files(firewallgui_t)
+files_etc_filetrans_system_conf(firewallgui_t)
+
+corecmd_exec_shell(firewallgui_t)
+corecmd_exec_bin(firewallgui_t)
+consoletype_exec(firewallgui_t)
+
+kernel_read_system_state(firewallgui_t)
+kernel_read_network_state(firewallgui_t)
+kernel_rw_net_sysctls(firewallgui_t)
+kernel_rw_kernel_sysctl(firewallgui_t)
+kernel_rw_vm_sysctls(firewallgui_t)
+
+files_read_etc_files(firewallgui_t)
+files_read_usr_files(firewallgui_t)
+files_search_kernel_modules(firewallgui_t)
+files_list_kernel_modules(firewallgui_t)
+
+modutils_getattr_module_deps(firewallgui_t)
+
+dev_read_urand(firewallgui_t)
+dev_read_sysfs(firewallgui_t)
+
+nscd_dontaudit_search_pid(firewallgui_t)
+nscd_socket_use(firewallgui_t)
+
+miscfiles_read_localization(firewallgui_t)
+
+iptables_domtrans(firewallgui_t)
+iptables_initrc_domtrans(firewallgui_t)
+
+optional_policy(`
+       gnome_read_gconf_home_files(firewallgui_t)
+')
+
+optional_policy(`
+        policykit_dbus_chat(firewallgui_t)
+')
+
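Review bot: `nscd_dontaudit_search_pid`, `nscd_socket_use`, `consoletype_exec`, `iptables_domtrans` and `iptables_initrc_domtrans` are called unconditionally, while gnome and policykit are correctly wrapped in `optional_policy`; if nscd, consoletype or iptables is not loaded (they are separate loadable modules in most builds) the firewallgui module will fail to link. Wrap each in its own `optional_policy` block as the file already does for gnome. Separately, the domain gets `net_admin`, `files_manage_system_conf_files` and `kernel_rw_vm_sysctls` with no comment; the VM sysctl write in particular is hard to explain for a firewall mechanism and deserves either a rationale or removal. The `policykit_dbus_chat` block is indented with spaces while the rest of the file uses tabs.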
index 00a19e3c40e519de157c564eb367bf188b1fa208..46db5fff02dd8c4d142a90231d95a63e2afff5c3 100644 (file)
@@ -1,9 +1,30 @@
-HOME_DIR/\.config/gtk-.*       gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
+HOME_DIR/\.config(/.*)?        gen_context(system_u:object_r:config_home_t,s0)
 HOME_DIR/\.gconf(d)?(/.*)?     gen_context(system_u:object_r:gconf_home_t,s0)
 HOME_DIR/\.gnome2(/.*)?                gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.gstreamer-.*                gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.local.*             gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.local/share(.*)?    gen_context(system_u:object_r:data_home_t,s0)
+/HOME_DIR/\.Xdefaults          gen_context(system_u:object_r:config_home_t,s0)
+/HOME_DIR/\.xine(/.*)?         gen_context(system_u:object_r:config_home_t,s0)
+
+/root/\.config(/.*)?           gen_context(system_u:object_r:config_home_t,s0)
+/root/\.xine(/.*)?             gen_context(system_u:object_r:config_home_t,s0)
+/root/\.gconf(d)?(/.*)?        gen_context(system_u:object_r:gconf_home_t,s0)
+/root/\.gnome2(/.*)?           gen_context(system_u:object_r:gnome_home_t,s0)
+/root/\.gstreamer-.*           gen_context(system_u:object_r:gstreamer_home_t,s0)
+/root/\.local.*                        gen_context(system_u:object_r:gconf_home_t,s0)
+/root/\.local/share(.*)?       gen_context(system_u:object_r:data_home_t,s0)
+/root/\.Xdefaults              gen_context(system_u:object_r:config_home_t,s0)
 
 /etc/gconf(/.*)?               gen_context(system_u:object_r:gconf_etc_t,s0)
 
 /tmp/gconfd-USER/.*    --      gen_context(system_u:object_r:gconf_tmp_t,s0)
 
-/usr/libexec/gconfd-2  --      gen_context(system_u:object_r:gconfd_exec_t,s0)
+# Don't use because toolchain is broken
+#/usr/libexec/gconfd-2 --      gen_context(system_u:object_r:gconfd_exec_t,s0)
+
+/usr/libexec/gconf-defaults-mechanism          --      gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0)
+
+/usr/libexec/gnome-system-monitor-mechanism    --      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+
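Review bot: The two entries `/HOME_DIR/\.Xdefaults` and `/HOME_DIR/\.xine(/.*)?` have a slash before `HOME_DIR`; every other entry in the file uses bare `HOME_DIR/...`, and since the home-directory token is replaced by an absolute path at build/relabel time, the leading slash yields a pattern of the form `//home/user/.Xdefaults` that will not match the real path. Drop the slash: `HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)` and likewise for `.xine`. The `# Don't use because toolchain is broken` comment on the disabled gconfd-2 entry should say what is broken and where it is tracked so the entry can be re-enabled later.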
index f5afe78db62cab4ad77634b61fe0462530306c1d..250935ae885b8810c6fedb2deb434fd9a2d93371 100644 (file)
@@ -37,8 +37,7 @@ interface(`gnome_role',`
 
 ########################################
 ## <summary>
-##     Execute gconf programs in
-##     in the caller domain.
+##     gconf connection template.
 ## </summary>
 ## <param name="domain">
 ##     <summary>
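Review bot: The new summary `gconf connection template.` describes `gnome_stream_connect_gconf`, which the following hunk declares with `interface(`, not `template(`; refpolicy reserves "template" for macros that create derived types, so the wording misleads. `## Connect to gconfd over a unix stream socket and read its tmp files.` describes what the body does. The interface body is outside this hunk.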
@@ -46,19 +45,276 @@ interface(`gnome_role',`
 ##     </summary>
 ## </param>
 #
-interface(`gnome_exec_gconf',`
+interface(`gnome_stream_connect_gconf',`
        gen_require(`
-               type gconfd_exec_t;
+               type gconfd_t, gconf_tmp_t;
        ')
 
-       can_exec($1, gconfd_exec_t)
+       read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
+       allow $1 gconfd_t:unix_stream_socket connectto;
 ')
 
 ########################################
 ## <summary>
-##     Read gconf config files.
+##     Run gconfd in gconfd domain.
 ## </summary>
-## <param name="user_domain">
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`gnome_domtrans_gconfd',`
+       gen_require(`
+               type gconfd_t, gconfd_exec_t;
+       ')
+
+       domtrans_pattern($1, gconfd_exec_t, gconfd_t)
+')
+
+########################################
+## <summary>
+##     Dontaudit search gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`gnome_dontaudit_search_config',`
+       gen_require(`
+               attribute gnome_home_type;
+       ')
+
+       dontaudit $1 gnome_home_type:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##     manage gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`gnome_manage_config',`
+       gen_require(`
+               attribute gnome_home_type;
+       ')
+
+       allow $1 gnome_home_type:dir manage_dir_perms;
+       allow $1 gnome_home_type:file manage_file_perms;
+       allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
+       userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+##     Send general signals to all gconf domains.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`gnome_signal_all',`
+       gen_require(`
+               attribute gnomedomain;
+       ')
+
+       allow $1 gnomedomain:process signal;
+')
+
+########################################
+## <summary>
+##     Create objects in a Gnome cache home directory
+##     with an automatic type transition to
+##     a specified private type.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="private_type">
+##     <summary>
+##     The type of the object to create.
+##     </summary>
+## </param>
+## <param name="object_class">
+##     <summary>
+##     The class of the object to be created.
+##     </summary>
+## </param>
+#
+interface(`gnome_cache_filetrans',`
+       gen_require(`
+               type cache_home_t;
+       ')
+
+       filetrans_pattern($1, cache_home_t, $2, $3)
+       userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+##     Read generic cache home files (.cache)
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`gnome_read_generic_cache_files',`
+       gen_require(`
+               type cache_home_t;
+       ')
+
+       read_files_pattern($1, cache_home_t, cache_home_t)
+       userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+##     Set attributes of cache home dir (.cache)
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`gnome_setattr_cache_home_dir',`
+       gen_require(`
+               type cache_home_t;
+       ')
+
+       setattr_dirs_pattern($1, cache_home_t, cache_home_t)
+       userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+##     append to generic cache home files (.cache)
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`gnome_append_generic_cache_files',`
+       gen_require(`
+               type cache_home_t;
+       ')
+
+       append_files_pattern($1, cache_home_t, cache_home_t)
+       userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+##     write to generic cache home files (.cache)
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`gnome_write_generic_cache_files',`
+       gen_require(`
+               type cache_home_t;
+       ')
+
+       write_files_pattern($1, cache_home_t, cache_home_t)
+       userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
+##     read gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+template(`gnome_read_config',`
+       gen_require(`
+               attribute gnome_home_type;
+       ')
+
+       list_dirs_pattern($1, gnome_home_type, gnome_home_type)
+       read_files_pattern($1, gnome_home_type, gnome_home_type)
+       read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
+')
+
+########################################
+## <summary>
+##     Create objects in a Gnome gconf home directory
+##     with an automatic type transition to
+##     a specified private type.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="private_type">
+##     <summary>
+##     The type of the object to create.
+##     </summary>
+## </param>
+## <param name="object_class">
+##     <summary>
+##     The class of the object to be created.
+##     </summary>
+## </param>
+#
+interface(`gnome_data_filetrans',`
+       gen_require(`
+               type data_home_t;
+       ')
+
+       filetrans_pattern($1, data_home_t, $2, $3)
+       gnome_search_gconf($1)
+')
+
+########################################
+## <summary>
+##     Create gconf_home_t objects in the /root directory
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="object_class">
+##     <summary>
+##     The class of the object to be created.
+##     </summary>
+## </param>
+#
+interface(`gnome_admin_home_gconf_filetrans',`
+       gen_require(`
+               type gconf_home_t;
+       ')
+
+       userdom_admin_home_dir_filetrans($1, gconf_home_t, $2)
+')
+
+########################################
+## <summary>
+##     read gconf config files
+## </summary>
+## <param name="domain">
 ##     <summary>
 ##     Domain allowed access.
 ##     </summary>
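Review bot: `gnome_read_config` is declared with `template(` although, like every neighbouring macro in this hunk, it only grants access to an existing attribute and creates no derived types; it should be declared with `interface(` so callers and the doc generator treat it consistently. The summary of `gnome_data_filetrans` says "Create objects in a Gnome gconf home directory" but the body transitions inside `data_home_t`; it looks copied from `gnome_cache_filetrans` and should read `## Create objects in a Gnome data home directory (.local/share)`. That same interface calls `gnome_search_gconf($1)`, which is not defined anywhere in this hunk; if it lives in the part of the file outside this diff that is fine, otherwise the module will not build.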
@@ -71,12 +327,31 @@ template(`gnome_read_gconf_config',`
 
        allow $1 gconf_etc_t:dir list_dir_perms;
        read_files_pattern($1, gconf_etc_t, gconf_etc_t)
-       files_search_etc($1)
 ')
 
 #######################################
 ## <summary>
-##     Create, read, write, and delete gconf config files.
+##      Manage gconf config files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`gnome_manage_gconf_config',`
+        gen_require(`
+                type gconf_etc_t;
+        ')
+
+        allow $1 gconf_etc_t:dir list_dir_perms;
+        manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
+')
+
+########################################
+## <summary>
+##     Execute gconf programs in 
+##     in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##     <summary>
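Review bot: The rewritten `gnome_manage_gconf_config` (the new interface under the `Manage gconf config files` summary) no longer calls `files_search_etc($1)`, which the version it replaces (removed in the following hunk) did; a caller with no other search access on /etc will still be denied on the path to /etc/gconf, so either restore `files_search_etc($1)` after the `manage_files_pattern` line or state in the summary that callers must bring that access themselves. The new block is indented with spaces where the rest of this file uses tabs. The summary that opens the next interface reads `Execute gconf programs in in the caller domain`; drop the duplicated `in`.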
@@ -84,37 +359,39 @@ template(`gnome_read_gconf_config',`
 ##     </summary>
 ## </param>
 #
-interface(`gnome_manage_gconf_config',`
+interface(`gnome_exec_gconf',`
        gen_require(`
-               type gconf_etc_t;
+               type gconfd_exec_t;
        ')
 
-       manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
-       files_search_etc($1)
+       can_exec($1, gconfd_exec_t)
 ')
 
 ########################################
 ## <summary>
-##     gconf connection template.
+##     Read gconf home files
 ## </summary>
-## <param name="user_domain">
+## <param name="domain">
 ##     <summary>
 ##     Domain allowed access.
 ##     </summary>
 ## </param>
 #
-interface(`gnome_stream_connect_gconf',`
+interface(`gnome_read_gconf_home_files',`
        gen_require(`
-               type gconfd_t, gconf_tmp_t;
+               type gconf_home_t;
+               type data_home_t;
        ')
 
-       read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
-       allow $1 gconfd_t:unix_stream_socket connectto;
+       allow $1 gconf_home_t:dir list_dir_perms;
+       allow $1 data_home_t:dir list_dir_perms;
+       read_files_pattern($1, gconf_home_t, gconf_home_t)
+       read_files_pattern($1, data_home_t, data_home_t)
 ')
 
 ########################################
 ## <summary>
-##     Run gconfd in gconfd domain.
+##     search gconf homedir (.local)
 ## </summary>
 ## <param name="domain">
 ##     <summary>
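Review bot: `gnome_exec_gconf` grants `can_exec($1, gconfd_exec_t)` while the only interface that transitioned callers into the confined `gconfd_t` domain, `gnome_domtrans_gconfd`, is deleted in the next hunk; gconfd therefore runs with the caller's own permissions wherever this interface is used, even though `gconfd_t` is still declared in gnome.te. If that is intended, a comment on the interface such as `# runs gconfd in the caller domain; gconfd_t confinement does not apply here` would spare the next reader a search for the missing transition. `gnome_stream_connect_gconf` is removed in the same hunk with no replacement visible here, so any caller elsewhere in the tree will fail to build unless it is updated by this merge.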
@@ -122,12 +399,13 @@ interface(`gnome_stream_connect_gconf',`
 ##     </summary>
 ## </param>
 #
-interface(`gnome_domtrans_gconfd',`
+interface(`gnome_search_gconf',`
        gen_require(`
-               type gconfd_t, gconfd_exec_t;
+               type gconf_home_t;
        ')
 
-       domtrans_pattern($1, gconfd_exec_t, gconfd_t)
+       allow $1 gconf_home_t:dir search_dir_perms;
+       userdom_search_user_home_dirs($1)
 ')
 
 ########################################
@@ -151,40 +429,173 @@ interface(`gnome_setattr_config_dirs',`
 
 ########################################
 ## <summary>
-##     Read gnome homedir content (.config)
+##     Append gconf home files
 ## </summary>
-## <param name="user_domain">
+## <param name="domain">
 ##     <summary>
 ##     Domain allowed access.
 ##     </summary>
 ## </param>
 #
-template(`gnome_read_config',`
+interface(`gnome_append_gconf_home_files',`
        gen_require(`
-               type gnome_home_t;
+               type gconf_home_t;
        ')
 
-       list_dirs_pattern($1, gnome_home_t, gnome_home_t)
-       read_files_pattern($1, gnome_home_t, gnome_home_t)
-       read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
+       append_files_pattern($1, gconf_home_t, gconf_home_t)
 ')
 
 ########################################
 ## <summary>
-##     manage gnome homedir content (.config)
+##     manage gconf home files
 ## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`gnome_manage_gconf_home_files',`
+       gen_require(`
+               type gconf_home_t;
+       ')
+
+       allow $1 gconf_home_t:dir list_dir_perms;
+       manage_files_pattern($1, gconf_home_t, gconf_home_t)
+')
+
+########################################
+## <summary>
+##     Connect to gnome over an unix stream socket.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
 ## <param name="user_domain">
 ##     <summary>
+##     The type of the user domain.
+##     </summary>
+## </param>
+#
+interface(`gnome_stream_connect',`
+       gen_require(`
+               attribute gnome_home_type;
+       ')
+
+       # Connect to pulseaudit server
+       stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
+')
+
+########################################
+## <summary>
+##     list gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+##     <summary>
 ##     Domain allowed access.
 ##     </summary>
 ## </param>
 #
-interface(`gnome_manage_config',`
+template(`gnome_list_home_config',`
        gen_require(`
-               type gnome_home_t;
+               type config_home_t;
        ')
 
-       allow $1 gnome_home_t:dir manage_dir_perms;
-       allow $1 gnome_home_t:file manage_file_perms;
+       allow $1 config_home_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##     Set attributes of gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+template(`gnome_setattr_home_config',`
+       gen_require(`
+               type config_home_t;
+       ')
+
+       setattr_dirs_pattern($1, config_home_t, config_home_t)
        userdom_search_user_home_dirs($1)
 ')
+
+########################################
+## <summary>
+##     read gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+template(`gnome_read_home_config',`
+       gen_require(`
+               type config_home_t;
+       ')
+
+       read_files_pattern($1, config_home_t, config_home_t)
+')
+
+########################################
+## <summary>
+##     manage gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+template(`gnome_manage_home_config',`
+       gen_require(`
+               type config_home_t;
+       ')
+
+       manage_files_pattern($1, config_home_t, config_home_t)
+')
+
+########################################
+## <summary>
+##     Read/Write all inherited gnome home config 
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`gnome_rw_inherited_config',`
+       gen_require(`
+               attribute gnome_home_type;
+       ')
+
+       allow $1 gnome_home_type:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##     Send and receive messages from
+##     gconf system service over dbus.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`gnome_dbus_chat_gconfdefault',`
+       gen_require(`
+               type gconfdefaultsm_t;
+               class dbus send_msg;
+       ')
+
+       allow $1 gconfdefaultsm_t:dbus send_msg;
+       allow gconfdefaultsm_t $1:dbus send_msg;
+')
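Review bot: `gnome_stream_connect` documents its second parameter as `The type of the user domain`, but `stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)` uses `$2` as the domain that owns the socket, and the inline comment `# Connect to pulseaudit server` misspells pulseaudio and contradicts the summary `Connect to gnome over an unix stream socket`; reword the param summary to `The domain that owns the socket` and the comment to `# connect to a socket (e.g. pulseaudio's) labelled with any gnome home type`. The pattern grants `connectto` on `$2` plus write on every sock_file carrying the `gnome_home_type` attribute, not only pulseaudio's, which the summary should state. `gnome_list_home_config`, `gnome_setattr_home_config`, `gnome_read_home_config` and `gnome_manage_home_config` are declared with `template(` although they derive no `$1_` types, so by refpolicy convention they should be `interface(`. The summary line of `gnome_rw_inherited_config` carries trailing whitespace.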
index 35f748636d2d9cb58d4b0dd21cbf590b970abb68..26852d24b6353e01b50eb9d273fad0be2a5c8be6 100644 (file)
@@ -6,11 +6,24 @@ policy_module(gnome, 2.0.1)
 #
 
 attribute gnomedomain;
+attribute gnome_home_type;
 
 type gconf_etc_t;
 files_config_file(gconf_etc_t)
 
-type gconf_home_t;
+type data_home_t, gnome_home_type;
+userdom_user_home_content(data_home_t)
+
+type config_home_t, gnome_home_type;
+userdom_user_home_content(config_home_t)
+
+type cache_home_t, gnome_home_type;
+userdom_user_home_content(cache_home_t)
+
+type gstreamer_home_t, gnome_home_type;
+userdom_user_home_content(gstreamer_home_t)
+
+type gconf_home_t, gnome_home_type;
 typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
 typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
 typealias gconf_home_t alias unconfined_gconf_home_t;
@@ -30,12 +43,20 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
 application_domain(gconfd_t, gconfd_exec_t)
 ubac_constrained(gconfd_t)
 
-type gnome_home_t;
+type gnome_home_t, gnome_home_type;
 typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
 typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
 typealias gnome_home_t alias unconfined_gnome_home_t;
 userdom_user_home_content(gnome_home_t)
 
+type gconfdefaultsm_t;
+type gconfdefaultsm_exec_t;
+dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
+
+type gnomesystemmm_t;
+type gnomesystemmm_exec_t;
+dbus_system_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
+
 ##############################
 #
 # Local Policy
@@ -75,3 +96,91 @@ optional_policy(`
        xserver_use_xdm_fds(gconfd_t)
        xserver_rw_xdm_pipes(gconfd_t)
 ')
+
+tunable_policy(`use_nfs_home_dirs',`
+        fs_manage_nfs_dirs(gconfdefaultsm_t)
+        fs_manage_nfs_files(gconfdefaultsm_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+        fs_manage_cifs_dirs(gconfdefaultsm_t)
+        fs_manage_cifs_files(gconfdefaultsm_t)
+')
+
+#######################################
+#
+# gconf-defaults-mechanisms local policy
+#
+
+allow gconfdefaultsm_t self:capability { dac_override sys_nice sys_ptrace };
+allow gconfdefaultsm_t self:process getsched;
+allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms;
+
+corecmd_search_bin(gconfdefaultsm_t)
+
+files_read_etc_files(gconfdefaultsm_t)
+files_read_usr_files(gconfdefaultsm_t)
+
+miscfiles_read_localization(gconfdefaultsm_t)
+
+gnome_manage_gconf_home_files(gconfdefaultsm_t)
+gnome_manage_gconf_config(gconfdefaultsm_t)
+
+userdom_read_all_users_state(gconfdefaultsm_t)
+userdom_search_user_home_dirs(gconfdefaultsm_t)
+
+userdom_dontaudit_search_admin_dir(gconfdefaultsm_t)
+
+optional_policy(`
+        consolekit_dbus_chat(gconfdefaultsm_t)
+')
+
+optional_policy(`
+        nscd_dontaudit_search_pid(gconfdefaultsm_t)
+')
+
+optional_policy(`
+        policykit_domtrans_auth(gconfdefaultsm_t)
+        policykit_dbus_chat(gconfdefaultsm_t)
+        policykit_read_lib(gconfdefaultsm_t)
+        policykit_read_reload(gconfdefaultsm_t)
+')
+
+#######################################
+#
+# gnome-system-monitor-mechanisms local policy
+#
+
+allow gnomesystemmm_t self:capability { sys_nice sys_ptrace };
+allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms;
+
+corecmd_search_bin(gnomesystemmm_t)
+
+domain_kill_all_domains(gnomesystemmm_t)
+domain_search_all_domains_state(gnomesystemmm_t)
+domain_setpriority_all_domains(gnomesystemmm_t)
+domain_signal_all_domains(gnomesystemmm_t)
+domain_sigstop_all_domains(gnomesystemmm_t)
+
+files_read_etc_files(gnomesystemmm_t)
+files_read_usr_files(gnomesystemmm_t)
+
+miscfiles_read_localization(gnomesystemmm_t)
+
+userdom_read_all_users_state(gnomesystemmm_t)
+userdom_dontaudit_search_admin_dir(gnomesystemmm_t)
+
+optional_policy(`
+        consolekit_dbus_chat(gnomesystemmm_t)
+')
+
+optional_policy(`
+        nscd_dontaudit_search_pid(gnomesystemmm_t)
+')
+
+optional_policy(`
+        policykit_dbus_chat(gnomesystemmm_t)
+        policykit_domtrans_auth(gnomesystemmm_t)
+        policykit_read_lib(gnomesystemmm_t)
+        policykit_read_reload(gnomesystemmm_t)
+')
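Review bot: `gnomesystemmm_t` is granted `domain_kill_all_domains`, `domain_signal_all_domains`, `domain_sigstop_all_domains`, `domain_setpriority_all_domains` and the `sys_ptrace` capability, which together let this system D-Bus service kill or renice any process, yet nothing in the section says who may drive it; the only authorization visible is the `policykit_*` calls, which sit inside `optional_policy` and compile out when that module is absent. Add a header line such as `# privileged helper for gnome-system-monitor: acts on arbitrary processes only after PolicyKit authorization` so the scope of the grant is explicit. `gconfdefaultsm_t` likewise receives `dac_override` and `sys_ptrace` without a comment; if `sys_ptrace` is only there for `userdom_read_all_users_state`, say so. The `tunable_policy` and `optional_policy` bodies in this section are indented with spaces while the surrounding file uses tabs.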
index e9853d418865724d4d5f790c6d27b73057e0f436..717d1634c6816cb4092eab9fef24bf0ed62ecb36 100644 (file)
@@ -1,4 +1,5 @@
 HOME_DIR/\.gnupg(/.+)?         gen_context(system_u:object_r:gpg_secret_t,s0)
+/root/\.gnupg(/.+)?            gen_context(system_u:object_r:gpg_secret_t,s0)
 
 /usr/bin/gpg(2)?       --      gen_context(system_u:object_r:gpg_exec_t,s0)
 /usr/bin/gpg-agent     --      gen_context(system_u:object_r:gpg_agent_exec_t,s0)
index 40e0a2a284c94ea3504a54e4fb7a20db2762a28a..13d939a579c7aa2cd39dff83dba1c406e7b04cdc 100644 (file)
@@ -54,6 +54,8 @@ interface(`gpg_role',`
        manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
        relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
 
+       allow gpg_pinentry_t $2:fifo_file { read write };
+
        optional_policy(`
                gpg_pinentry_dbus_chat($2)
        ')
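Review bot: `allow gpg_pinentry_t $2:fifo_file { read write };` in `gpg_role` grants pinentry read/write on the user domain's fifos with no `getattr`/`open`, which suggests an inherited pipe rather than a named one, but nothing says so; a why-comment such as `# pinentry inherits a pipe from the user's gpg invocation — TODO confirm` would make the scope clear. If the pipe really is inherited, a `rw_inherited_*` permission set, consistent with the `rw_inherited_file_perms` this merge uses elsewhere, would express that better than a raw permission list. `gpg_role` begins before this hunk.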
@@ -85,6 +87,43 @@ interface(`gpg_domtrans',`
        domtrans_pattern($1, gpg_exec_t, gpg_t)
 ')
 
+######################################
+## <summary>
+##  Transition to a gpg web domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`gpg_domtrans_web',`
+    gen_require(`
+        type gpg_web_t, gpg_exec_t;
+    ')
+
+    domtrans_pattern($1, gpg_exec_t, gpg_web_t)
+')
+
+######################################
+## <summary>
+##  Make gpg an entrypoint for
+##  the specified domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  The domain for which cifs_t is an entrypoint.
+##  </summary>
+## </param>
+#
+interface(`gpg_entry_type',`
+    gen_require(`
+        type gpg_exec_t;
+    ')
+
+    domain_entry_file($1, gpg_exec_t)
+')
+
 ########################################
 ## <summary>
 ##     Send generic signals to user gpg processes.
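Review bot: The param summary of `gpg_entry_type` reads `The domain for which cifs_t is an entrypoint.`, a copy-paste leftover; it should read `The domain for which gpg_exec_t is an entrypoint.`. Both new interfaces are indented with four spaces and their `##` doc lines with two, while the rest of gpg.if uses tabs. `gpg_domtrans_web` has no caller visible in this merge; a comment naming the intended caller would document why a second gpg domain exists.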
index 4525c37a098e02959ed0174f87ada22cb48366eb..e9a7937fa5bdd82ad5d49043a1b942da466eb100 100644 (file)
@@ -4,6 +4,7 @@ policy_module(gpg, 2.3.1)
 #
 # Declarations
 #
+attribute gpgdomain;
 
 ## <desc>
 ## <p>
@@ -13,7 +14,15 @@ policy_module(gpg, 2.3.1)
 ## </desc>
 gen_tunable(gpg_agent_env_file, false)
 
-type gpg_t;
+## <desc>
+## <p>
+## Allow gpg web domain to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(gpg_web_anon_write, false)
+
+type gpg_t, gpgdomain;
 type gpg_exec_t;
 typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
 typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
@@ -62,17 +71,23 @@ type gpg_pinentry_tmpfs_t;
 files_tmpfs_file(gpg_pinentry_tmpfs_t)
 ubac_constrained(gpg_pinentry_tmpfs_t)
 
+type gpg_web_t;
+domain_type(gpg_web_t)
+gpg_entry_type(gpg_web_t)
+role system_r types gpg_web_t;
+
 ########################################
 #
 # GPG local policy
 #
 
-allow gpg_t self:capability { ipc_lock setuid };
-# setrlimit is for ulimit -c 0
-allow gpg_t self:process { signal signull setrlimit getcap setcap setpgid };
+allow gpgdomain self:capability { ipc_lock setuid };
+allow gpgdomain self:process { getsched setsched };
+#at setrlimit is for ulimit -c 0
+allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid };
 
-allow gpg_t self:fifo_file rw_fifo_file_perms;
-allow gpg_t self:tcp_socket create_stream_socket_perms;
+allow gpgdomain self:fifo_file rw_fifo_file_perms;
+allow gpgdomain self:tcp_socket create_stream_socket_perms;
 
 manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
 manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
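Review bot: The rules rewritten from `gpg_t` to the new `gpgdomain` attribute do not reach `gpg_web_t`, because `type gpg_web_t;` is declared without the attribute while `type gpg_t, gpgdomain;` carries it, so the attribute has a single member and `gpg_web_t` gets none of the self capability/process/socket rules here. If keeping `setuid`/`ipc_lock` away from the web domain is deliberate (the least-privilege reading), say so next to the declaration, e.g. `# gpg_web_t is intentionally not a gpgdomain: no setuid/ipc_lock`; otherwise add the attribute. The comment `#at setrlimit is for ulimit -c 0` has picked up a stray `at`.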
@@ -128,6 +143,7 @@ userdom_use_user_terminals(gpg_t)
 userdom_manage_user_tmp_files(gpg_t)
 userdom_manage_user_home_content_files(gpg_t)
 userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
+userdom_stream_connect(gpg_t)
 
 mta_write_config(gpg_t)
 
@@ -141,6 +157,10 @@ tunable_policy(`use_samba_home_dirs',`
        fs_manage_cifs_files(gpg_t)
 ')
 
+optional_policy(`
+       gnome_read_config(gpg_t)
+')
+
 optional_policy(`
        mozilla_read_user_home_files(gpg_t)
        mozilla_write_user_home_files(gpg_t)
@@ -151,10 +171,10 @@ optional_policy(`
        xserver_rw_xdm_pipes(gpg_t)
 ')
 
-optional_policy(`
-       cron_system_entry(gpg_t, gpg_exec_t)
-       cron_read_system_job_tmp_files(gpg_t)
-')
+#optional_policy(`
+#      cron_system_entry(gpg_t, gpg_exec_t)
+#      cron_read_system_job_tmp_files(gpg_t)
+#')
 
 ########################################
 #
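Review bot: The cron `optional_policy` block for `gpg_t` is commented out rather than removed, leaving dead code with no explanation; either delete the four lines (history keeps them) or replace them with a one-line reason such as `# cron entry for gpg_t dropped: <reason — to be supplied>`.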
@@ -205,6 +225,7 @@ tunable_policy(`use_samba_home_dirs',`
 #
 # GPG agent local policy
 #
+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
 
 # rlimit: gpg-agent wants to prevent coredumps
 allow gpg_agent_t self:process setrlimit;
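Review bot: `domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)` is inserted directly under the `# GPG agent local policy` banner, before the blank line that closes it, although it is a rule about `gpg_t`; move it below the blank line and, since this is where gpg starts launching its agent in a separate domain, add `# gpg spawns gpg-agent; keep it confined in gpg_agent_t`.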
@@ -245,6 +266,7 @@ userdom_search_user_home_dirs(gpg_agent_t)
 
 ifdef(`hide_broken_symptoms',`
        userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
+       userdom_dontaudit_write_user_tmp_files(gpg_agent_t)
 ')
 
 tunable_policy(`gpg_agent_env_file',`
@@ -332,6 +354,9 @@ miscfiles_read_localization(gpg_pinentry_t)
 # for .Xauthority
 userdom_read_user_home_content_files(gpg_pinentry_t)
 userdom_read_user_tmpfs_files(gpg_pinentry_t)
+# Bug: user pulseaudio files need open,read and unlink:
+allow gpg_pinentry_t user_tmpfs_t:file unlink;
+userdom_signull_unpriv_users(gpg_pinentry_t)
 
 tunable_policy(`use_nfs_home_dirs',`
        fs_read_nfs_files(gpg_pinentry_t)
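Review bot: `allow gpg_pinentry_t user_tmpfs_t:file unlink;` references `user_tmpfs_t`, a type owned by the userdomain module, directly from gpg.te instead of through a `userdom_*` interface, which is the one place in this file that bypasses module layering; express it via an interface that grants delete on user tmpfs files, or at minimum pull the type in through `gen_require`. The comment above it, `# Bug: user pulseaudio files need open,read and unlink:`, lists three permissions but the rule grants only `unlink` (read comes from `userdom_read_user_tmpfs_files` two lines up), so reword it to `# pulseaudio leaves files in the user's tmpfs that pinentry must be able to unlink`.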
@@ -346,6 +371,12 @@ optional_policy(`
        dbus_system_bus_client(gpg_pinentry_t)
 ')
 
+optional_policy(`
+       gnome_write_generic_cache_files(gpg_pinentry_t)
+       gnome_read_generic_cache_files(gpg_pinentry_t)
+       gnome_read_gconf_home_files(gpg_pinentry_t)
+')
+
 optional_policy(`
        pulseaudio_exec(gpg_pinentry_t)
        pulseaudio_rw_home_files(gpg_pinentry_t)
@@ -356,4 +387,28 @@ optional_policy(`
 
 optional_policy(`
        xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
+
+')
+
+#############################
+#
+# gpg web local policy
+#
+
+allow gpg_web_t self:process setrlimit;
+
+dev_read_rand(gpg_web_t)
+dev_read_urand(gpg_web_t)
+
+can_exec(gpg_web_t, gpg_exec_t)
+
+files_read_usr_files(gpg_web_t)
+
+miscfiles_read_localization(gpg_web_t)
+
+apache_dontaudit_rw_tmp_files(gpg_web_t)
+apache_manage_sys_content_rw(gpg_web_t)
+
+tunable_policy(`gpg_web_anon_write',`
+    miscfiles_manage_public_files(gpg_web_t)
 ')
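Review bot: A whitespace-only line is added inside the `xserver_user_x_domain_template` `optional_policy` block just before its closing `')`; drop it. The new `gpg web local policy` section would benefit from a header comment stating what transitions into `gpg_web_t` and why it is kept out of `gpgdomain`; the only entry path visible in this merge is `gpg_domtrans_web` in gpg.if, with no caller shown. The `tunable_policy` body is indented with four spaces where the rest of the file uses tabs.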
index 65ece18ff6e0ac7b4219401c1cb8d4ab35f2be72..6bfdfd35e300eccee73939bd18f235be76dcb536 100644 (file)
@@ -2,10 +2,14 @@
 # /home
 #
 HOME_DIR/\.ircmotd     --      gen_context(system_u:object_r:irc_home_t,s0)
+HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irssi_home_t,s0)
+
+/etc/irssi\.conf       --      gen_context(system_u:object_r:irssi_etc_t,s0)
 
 #
 # /usr
 #
 /usr/bin/[st]irc       --      gen_context(system_u:object_r:irc_exec_t,s0)
 /usr/bin/ircII         --      gen_context(system_u:object_r:irc_exec_t,s0)
+/usr/bin/irssi         --      gen_context(system_u:object_r:irssi_exec_t,s0)
 /usr/bin/tinyirc       --      gen_context(system_u:object_r:irc_exec_t,s0)
index 4f9dc90f795593f4dee67623cfd16cbdd1c12a4c..8dc8a5ff870cf73c26b45bfeb39f1e2498f5ee9a 100644 (file)
 interface(`irc_role',`
        gen_require(`
                type irc_t, irc_exec_t;
+               type irssi_t, irssi_exec_t, irssi_home_t;
        ')
 
        role $1 types irc_t;
+       role $1 types irssi_t;
 
        # Transition from the user domain to the derived domain.
        domtrans_pattern($2, irc_exec_t, irc_t)
@@ -28,4 +30,17 @@ interface(`irc_role',`
        # allow ps to show irc
        ps_process_pattern($2, irc_t)
        allow $2 irc_t:process signal;
+
+       domtrans_pattern($2, irssi_exec_t, irssi_t)
+
+       allow $2 irssi_t:process { ptrace signal_perms };
+       ps_process_pattern($2, irssi_t)
+
+       manage_dirs_pattern($2, irssi_home_t, irssi_home_t)
+       manage_files_pattern($2, irssi_home_t, irssi_home_t)
+       manage_lnk_files_pattern($2, irssi_home_t, irssi_home_t)
+
+       relabel_dirs_pattern($2, irssi_home_t, irssi_home_t)
+       relabel_files_pattern($2, irssi_home_t, irssi_home_t)
+       relabel_lnk_files_pattern($2, irssi_home_t, irssi_home_t)
 ')
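Review bot: `allow $2 irssi_t:process { ptrace signal_perms };` gives the user domain ptrace over irssi_t, whereas the existing irc_t rules in the same interface grant only `allow $2 irc_t:process signal;`; ptrace lets any process in the user's domain read the client's memory, including whatever server credentials it holds, so the line deserves either alignment with the irc_t rule or a comment stating why debugging access is wanted. `irc_role` begins before this hunk.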
index 66beb80609fdc51d51dc01c79bb139f7fbd54635..b7c650298ebb7576172db6abf84dcad88dccd9a5 100644 (file)
@@ -22,6 +22,30 @@ typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
 typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
 userdom_user_home_content(irc_tmp_t)
 
+########################################
+#
+# Irssi personal declarations.
+#
+
+## <desc>
+## <p>
+## Allow the Irssi IRC Client to connect to any port,
+## and to bind to any unreserved port.
+## </p>
+## </desc>
+gen_tunable(irssi_use_full_network, false)
+
+type irssi_t;
+type irssi_exec_t;
+application_domain(irssi_t, irssi_exec_t)
+ubac_constrained(irssi_t)
+
+type irssi_etc_t;
+files_config_file(irssi_etc_t)
+
+type irssi_home_t;
+userdom_user_home_content(irssi_home_t)
+
 ########################################
 #
 # Local policy
@@ -101,3 +125,83 @@ tunable_policy(`use_samba_home_dirs',`
 optional_policy(`
        nis_use_ypbind(irc_t)
 ')
+
+########################################
+#
+# Irssi personal declarations.
+#
+
+allow irssi_t self:process { signal sigkill };
+allow irssi_t self:fifo_file rw_fifo_file_perms;
+allow irssi_t self:netlink_route_socket create_netlink_socket_perms;
+allow irssi_t self:tcp_socket create_stream_socket_perms;
+allow irssi_t self:udp_socket create_socket_perms;
+
+read_files_pattern(irssi_t, irssi_etc_t, irssi_etc_t)
+
+manage_dirs_pattern(irssi_t, irssi_home_t, irssi_home_t)
+manage_files_pattern(irssi_t, irssi_home_t, irssi_home_t)
+manage_lnk_files_pattern(irssi_t, irssi_home_t, irssi_home_t)
+userdom_user_home_dir_filetrans(irssi_t, irssi_home_t, { dir file lnk_file })
+userdom_search_user_home_dirs(irssi_t)
+
+corecmd_search_bin(irssi_t)
+corecmd_read_bin_symlinks(irssi_t)
+
+corenet_tcp_connect_ircd_port(irssi_t)
+corenet_sendrecv_ircd_client_packets(irssi_t)
+
+# Privoxy
+corenet_tcp_connect_http_cache_port(irssi_t)
+corenet_sendrecv_http_cache_client_packets(irssi_t)
+
+corenet_all_recvfrom_netlabel(irssi_t)
+corenet_all_recvfrom_unlabeled(irssi_t)
+corenet_tcp_sendrecv_generic_if(irssi_t)
+corenet_tcp_sendrecv_generic_node(irssi_t)
+corenet_tcp_sendrecv_generic_port(irssi_t)
+corenet_tcp_bind_generic_node(irssi_t)
+corenet_udp_bind_generic_node(irssi_t)
+
+dev_read_urand(irssi_t)
+# irssi-otr genkey.
+dev_read_rand(irssi_t)
+
+files_read_etc_files(irssi_t)
+files_read_usr_files(irssi_t)
+
+fs_search_auto_mountpoints(irssi_t)
+
+miscfiles_read_localization(irssi_t)
+
+sysnet_read_config(irssi_t)
+
+userdom_use_user_terminals(irssi_t)
+
+tunable_policy(`irssi_use_full_network', `
+       corenet_tcp_bind_all_unreserved_ports(irssi_t)
+       corenet_tcp_connect_all_ports(irssi_t)
+       corenet_sendrecv_generic_server_packets(irssi_t)
+       corenet_sendrecv_all_client_packets(irssi_t)
+')
+
+tunable_policy(`use_nfs_home_dirs', `
+       fs_manage_nfs_dirs(irssi_t)
+       fs_manage_nfs_files(irssi_t)
+       fs_manage_nfs_symlinks(irssi_t)
+')
+
+tunable_policy(`use_samba_home_dirs', `
+       fs_manage_cifs_dirs(irssi_t)
+       fs_manage_cifs_files(irssi_t)
+       fs_manage_cifs_symlinks(irssi_t)
+')
+
+optional_policy(`
+       automount_dontaudit_getattr_tmp_dirs(irssi_t)
+')
+
+optional_policy(`
+       nis_use_ypbind(irssi_t)
+')
+
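Review bot: The section banner `# Irssi personal declarations.` is copied from the declarations block above and now heads the rules; rename it to `# Irssi local policy.`. `corenet_tcp_bind_generic_node` and `corenet_udp_bind_generic_node` are granted unconditionally while every other listening-side rule sits behind the default-off `irssi_use_full_network` tunable; presumably the bind is for DCC, but a comment saying so, and which port rule it pairs with, would let a reviewer confirm the tunable still gates inbound connections. The hunk also ends with an added empty line.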
index 86c176876c9d1d1511f12c617b9237ffb31f2898..87d560bd90d740e25ee940397e379aa127bb26d7 100644 (file)
@@ -9,6 +9,7 @@
 #
 # /usr
 #
+/usr/Aptana[^/]*/AptanaStudio  --      gen_context(system_u:object_r:java_exec_t,s0)
 /usr/(.*/)?bin/java.*  --      gen_context(system_u:object_r:java_exec_t,s0)
 /usr/bin/fastjar       --      gen_context(system_u:object_r:java_exec_t,s0)
 /usr/bin/frysk         --      gen_context(system_u:object_r:java_exec_t,s0)
@@ -33,6 +34,9 @@
 
 /usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
 
+/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)?    --      gen_context(system_u:object_r:java_exec_t,s0)
+/opt/ibm(/.*)?/eclipse/plugins(/.*)?   --      gen_context(system_u:object_r:java_exec_t,s0)
+
 ifdef(`distro_redhat',`
 /usr/java/eclipse[^/]*/eclipse --      gen_context(system_u:object_r:java_exec_t,s0)
 ')
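Review bot: The new `/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)?` entry is already matched by the more general `/opt/ibm(/.*)?/eclipse/plugins(/.*)?` added on the next line, so it is redundant. Both entries use the `--` regular-file qualifier and therefore label every file under the plugin trees (jars, manifests, configuration) as `java_exec_t`, not only launchers; if the aim is just to fire the domain transition on the bundled JVM binaries, a narrower pattern keeps data files from being executable-labelled.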
index e6d84e86fd6a738ebf42c0794020f0bb63e99d7f..f0c47779f14ee2727d221825ea6ebb8133232bbd 100644 (file)
@@ -72,7 +72,8 @@ template(`java_role_template',`
 
        domain_interactive_fd($1_java_t)
 
-       userdom_manage_user_tmpfs_files($1_java_t)
+       userdom_unpriv_usertype($1, $1_java_t)
+       userdom_manage_tmpfs_role($2, $1_java_t)
 
        allow $1_java_t self:process { ptrace signal getsched execmem execstack };
 
@@ -82,7 +83,7 @@ template(`java_role_template',`
 
        domtrans_pattern($3, java_exec_t, $1_java_t)
 
-       corecmd_bin_domtrans($1_java_t, $3)
+       corecmd_bin_domtrans($1_java_t, $1_t)
 
        dev_dontaudit_append_rand($1_java_t)
 
@@ -179,6 +180,7 @@ interface(`java_run_unconfined',`
 
        java_domtrans_unconfined($1)
        role $2 types unconfined_java_t;
+       nsplugin_role_notrans($2, unconfined_java_t)
 ')
 
 ########################################
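Review bot: `nsplugin_role_notrans($2, unconfined_java_t)` is called from `java_run_unconfined` outside any `optional_policy` block, making java.if hard-depend on the nsplugin module; the same merge wraps `nsplugin_role` in `optional_policy` in mozilla.if, and the same treatment belongs here.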
index 726e85373da10153db532811e5a104de9737b8e0..90ce46ac8010dc5b7d4c32aeb8d81c1c67f7319f 100644 (file)
@@ -82,12 +82,12 @@ dev_read_urand(java_t)
 dev_read_rand(java_t)
 dev_dontaudit_append_rand(java_t)
 
+files_read_etc_files(java_t)
 files_read_usr_files(java_t)
 files_search_home(java_t)
 files_search_var_lib(java_t)
 files_read_etc_runtime_files(java_t)
 # Read global fonts and font config
-files_read_etc_files(java_t)
 
 fs_getattr_xattr_fs(java_t)
 fs_dontaudit_rw_tmpfs_files(java_t)
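Review bot: Moving `files_read_etc_files(java_t)` up leaves the comment `# Read global fonts and font config` attached to nothing, as it is now followed by a blank line; either move the comment with the rule or delete it.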
@@ -143,12 +143,15 @@ optional_policy(`
        # execheap is needed for itanium/BEA jrocket
        allow unconfined_java_t self:process { execstack execmem execheap };
 
+       init_dbus_chat_script(unconfined_java_t)
+
        files_execmod_all_files(unconfined_java_t)
 
        init_dbus_chat_script(unconfined_java_t)
 
        unconfined_domain_noaudit(unconfined_java_t)
        unconfined_dbus_chat(unconfined_java_t)
+       userdom_unpriv_usertype(unconfined, unconfined_java_t)
 
        optional_policy(`
                rpm_domtrans(unconfined_java_t)
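Review bot: The added `init_dbus_chat_script(unconfined_java_t)` duplicates the identical call four lines below in the same block; drop one of them.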
index f63c4c2d007f20df6826edaeec74d0142c13009d..3812a46654d1510b2610d444c64869c7f21f04d3 100644 (file)
@@ -14,6 +14,7 @@ dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
 # system-config-kdump local policy
 #
 
+allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio };
 allow kdumpgui_t self:fifo_file rw_fifo_file_perms;
 allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms;
 
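Review bot: `allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio };` adds two very broad capabilities with no why-comment; `sys_rawio` pairs with the `storage_raw_*` rules further down, but nothing explains `net_admin` or `sys_admin`. Add a comment naming the operation each one serves, e.g. `# sys_rawio: storage_raw_*; net_admin/sys_admin: <operation — to be confirmed>`, so a later reviewer can judge whether the grant can be narrowed.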
@@ -33,6 +34,7 @@ files_manage_etc_symlinks(kdumpgui_t)
 # for blkid.tab
 files_manage_etc_runtime_files(kdumpgui_t)
 files_etc_filetrans_etc_runtime(kdumpgui_t, file)
+files_read_usr_files(kdumpgui_t)
 
 storage_raw_read_fixed_disk(kdumpgui_t)
 storage_raw_write_fixed_disk(kdumpgui_t)
@@ -50,10 +52,16 @@ miscfiles_read_localization(kdumpgui_t)
 
 init_dontaudit_read_all_script_files(kdumpgui_t)
 
+userdom_dontaudit_search_admin_dir(kdumpgui_t)
+
 optional_policy(`
        dev_rw_lvm_control(kdumpgui_t)
 ')
 
+optional_policy(`
+       gnome_dontaudit_search_config(kdumpgui_t)
+')
+
 optional_policy(`
        policykit_dbus_chat(kdumpgui_t)
 ')
index 12b772fb33c28d34188283a8706e141bee31fae9..b67cf2641b2022b66ecaaa025dc54471ebf8c0b1 100644 (file)
@@ -41,12 +41,32 @@ interface(`livecd_run',`
 
        livecd_domtrans($1)
        role $2 types livecd_t;
+       
+       seutil_run_setfiles_mac(livecd_t, $2)
 
        optional_policy(`
                mount_run(livecd_t, $2)
        ')
 ')
 
+########################################
+## <summary>
+##     Dontaudit read/write to a livecd leaks
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`livecd_dontaudit_leaks',`
+       gen_require(`
+               type livecd_t;
+       ')
+
+       dontaudit $1 livecd_t:unix_dgram_socket { read write };
+')
+
 ########################################
 ## <summary>
 ##     Read livecd temporary files.
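Review bot: The line added after `role $2 types livecd_t;` is whitespace-only and should be a plain empty line. The summary of `livecd_dontaudit_leaks` reads `Dontaudit read/write to a livecd leaks`; `Do not audit read/write on unix datagram sockets leaked from the livecd domain` describes what `dontaudit $1 livecd_t:unix_dgram_socket { read write };` actually covers. `livecd_run` begins before this hunk.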
@@ -82,7 +102,7 @@ interface(`livecd_rw_tmp_files',`
        ')
 
        files_search_tmp($1)
-       allow $1 livecd_tmp_t:file rw_file_perms;
+       rw_files_pattern($1, livecd_tmp_t, livecd_tmp_t)
 ')
 
 ########################################
index 49abe8e2db217662ef4e567b725c4a588555a96d..47a193cd666d05354339800f4117af57e6252bcc 100644 (file)
@@ -27,7 +27,7 @@ manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
 files_tmp_filetrans(livecd_t, livecd_tmp_t, { dir file })
 
 optional_policy(`
-       unconfined_domain(livecd_t)
+       unconfined_domain_noaudit(livecd_t)
 ')
 
 optional_policy(`
index 7b08e138e521643fcc74c720fd27e120f3f1b27e..9c9e6c1c02b181df48334a5849c08df6f73ae190 100644 (file)
@@ -41,7 +41,6 @@ template(`mono_role_template',`
        application_type($1_mono_t)
 
        allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
-
        allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
 
        domtrans_pattern($3, mono_exec_t, $1_mono_t)
@@ -49,7 +48,12 @@ template(`mono_role_template',`
        fs_dontaudit_rw_tmpfs_files($1_mono_t)
        corecmd_bin_domtrans($1_mono_t, $1_t)
 
-       userdom_manage_user_tmpfs_files($1_mono_t)
+       userdom_unpriv_usertype($1, $1_mono_t)
+       userdom_manage_tmpfs_role($2, $1_mono_t)
+
+       ifdef(`hide_broken_symptoms', `
+               dontaudit $1_t $1_mono_t:socket_class_set { read write };
+       ')
 
        optional_policy(`
                xserver_role($1_r, $1_mono_t)
index 93ac529f981f9dfcd0924afef22adf3876ab861f..aafece713ce04ae349e080f89a6432fb2040b67b 100644 (file)
@@ -1,6 +1,7 @@
 HOME_DIR/\.galeon(/.*)?                        gen_context(system_u:object_r:mozilla_home_t,s0)
 HOME_DIR/\.java(/.*)?                  gen_context(system_u:object_r:mozilla_home_t,s0)
 HOME_DIR/\.mozilla(/.*)?               gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.thunderbird(/.*)?           gen_context(system_u:object_r:mozilla_home_t,s0)
 HOME_DIR/\.netscape(/.*)?              gen_context(system_u:object_r:mozilla_home_t,s0)
 HOME_DIR/\.phoenix(/.*)?               gen_context(system_u:object_r:mozilla_home_t,s0)
 
@@ -27,3 +28,4 @@ HOME_DIR/\.phoenix(/.*)?              gen_context(system_u:object_r:mozilla_home_t,s0)
 /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/lib/[^/]*firefox[^/]*/firefox --  gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/xulrunner[^/]*/plugin-container          --      gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
index 9a6d67dc8ab77805834cbb88443b562a0dcc14ad..47aa143fe00b5ca5858007fc3edd823484cbf2ad 100644 (file)
@@ -29,6 +29,8 @@ interface(`mozilla_role',`
        allow mozilla_t $2:process { sigchld signull };
        allow mozilla_t $2:unix_stream_socket connectto;
 
+       mozilla_plugin_run(mozilla_t, $2)
+
        # Allow the user domain to signal/ps.
        ps_process_pattern($2, mozilla_t)
        allow $2 mozilla_t:process signal_perms;
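Review bot: `mozilla_role` calls `mozilla_plugin_run(mozilla_t, $2)`, but the interface this merge defines later in the file is `mozilla_run_plugin`; unless `mozilla_plugin_run` exists elsewhere in mozilla.if, the call will not expand and the build fails. The second argument is also `$2`, which this interface uses as the user domain (`allow mozilla_t $2:process { sigchld signull };`), whereas `mozilla_run_plugin` expects a role there (`role $2 types mozilla_plugin_t;`). `mozilla_role` begins before this hunk.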
@@ -48,6 +50,12 @@ interface(`mozilla_role',`
 
        mozilla_dbus_chat($2)
 
+       userdom_manage_tmp_role($1, mozilla_t)
+
+       optional_policy(`
+               nsplugin_role($1, mozilla_t)
+       ')
+
        optional_policy(`
                pulseaudio_role($1, mozilla_t)
        ')
@@ -108,7 +116,7 @@ interface(`mozilla_dontaudit_rw_user_home_files',`
                type mozilla_home_t;
        ')
 
-       dontaudit $1 mozilla_home_t:file rw_file_perms;
+       dontaudit $1 mozilla_home_t:file rw_inherited_file_perms;
 ')
 
 ########################################
@@ -166,6 +174,52 @@ interface(`mozilla_domtrans',`
        domtrans_pattern($1, mozilla_exec_t, mozilla_t)
 ')
 
+########################################
+## <summary>
+##     Execute a domain transition to run mozilla_plugin.
+## </summary>
+## <param name="domain">
+## <summary>
+##     Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_domtrans_plugin',`
+       gen_require(`
+               type mozilla_plugin_t, mozilla_plugin_exec_t;
+       ')
+
+       domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
+')
+
+
+########################################
+## <summary>
+##     Execute mozilla_plugin in the mozilla_plugin domain, and
+##     allow the specified role the mozilla_plugin domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     The role to be allowed the mozilla_plugin domain.
+##     </summary>
+## </param>
+#
+interface(`mozilla_run_plugin',`
+       gen_require(`
+               type mozilla_plugin_t;
+       ')
+
+       mozilla_domtrans_plugin($1)
+       role $2 types mozilla_plugin_t;
+
+       allow mozilla_plugin_t $1:process signull;      
+')
+
 ########################################
 ## <summary>
 ##     Send and receive messages from
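Review bot: The two new interfaces are written slightly inconsistently with the rest of the file: `allow mozilla_plugin_t $1:process signull;` carries trailing whitespace, mozilla_domtrans_plugin and mozilla_run_plugin are separated by two blank lines where the file otherwise uses one, and the `<param name="domain">` block of mozilla_domtrans_plugin leaves its `<summary>` unindented unlike the same block in mozilla_run_plugin directly below. The summary of mozilla_run_plugin could also mention that it grants `mozilla_plugin_t` signull on the caller, since that is the one rule beyond the transition and role assignment.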
index cbf4bec25b4e9f120ead5f2e18ec4418e5354388..7c260fa456072389b8a52d0db6a16d5633733173 100644 (file)
@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
 type mozilla_home_t;
 typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
 typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
+files_poly_member(mozilla_home_t)
 userdom_user_home_content(mozilla_home_t)
 
 type mozilla_tmpfs_t;
@@ -33,6 +34,20 @@ typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_
 files_tmpfs_file(mozilla_tmpfs_t)
 ubac_constrained(mozilla_tmpfs_t)
 
+type mozilla_plugin_t;
+type mozilla_plugin_exec_t;
+application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
+role system_r types mozilla_plugin_t;
+
+type mozilla_plugin_tmp_t;
+files_tmp_file(mozilla_plugin_tmp_t)
+
+type mozilla_plugin_tmpfs_t;
+files_tmpfs_file(mozilla_plugin_tmpfs_t)
+ubac_constrained(mozilla_plugin_tmpfs_t)
+
+permissive mozilla_plugin_t;
+
 ########################################
 #
 # Local policy
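Review bot: `permissive mozilla_plugin_t;` makes the entire new plugin-container domain audit-only, so none of the mozilla_plugin rules this commit adds are enforced and the domain gives no isolation from the rest of the user session until the line is removed. If this is a bring-up period for the new domain, the line should carry a comment saying so, e.g. `# TODO: drop once the mozilla_plugin domain is stable`, so it is not forgotten in a release; the same applies to `role system_r types mozilla_plugin_t;`, since it is not obvious from this hunk why a user-session helper needs system_r when roles are also granted through mozilla_run_plugin.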
@@ -89,16 +104,20 @@ corenet_tcp_sendrecv_generic_node(mozilla_t)
 corenet_raw_sendrecv_generic_node(mozilla_t)
 corenet_tcp_sendrecv_http_port(mozilla_t)
 corenet_tcp_sendrecv_http_cache_port(mozilla_t)
+corenet_tcp_sendrecv_squid_port(mozilla_t)
+corenet_tcp_connect_flash_port(mozilla_t)
 corenet_tcp_sendrecv_ftp_port(mozilla_t)
 corenet_tcp_sendrecv_ipp_port(mozilla_t)
 corenet_tcp_connect_http_port(mozilla_t)
 corenet_tcp_connect_http_cache_port(mozilla_t)
+corenet_tcp_connect_squid_port(mozilla_t)
 corenet_tcp_connect_ftp_port(mozilla_t)
 corenet_tcp_connect_ipp_port(mozilla_t)
 corenet_tcp_connect_generic_port(mozilla_t)
 corenet_tcp_connect_soundd_port(mozilla_t)
 corenet_sendrecv_http_client_packets(mozilla_t)
 corenet_sendrecv_http_cache_client_packets(mozilla_t)
+corenet_sendrecv_squid_client_packets(mozilla_t)
 corenet_sendrecv_ftp_client_packets(mozilla_t)
 corenet_sendrecv_ipp_client_packets(mozilla_t)
 corenet_sendrecv_generic_client_packets(mozilla_t)
@@ -238,6 +257,7 @@ optional_policy(`
 optional_policy(`
        gnome_stream_connect_gconf(mozilla_t)
        gnome_manage_config(mozilla_t)
+       gnome_manage_gconf_home_files(mozilla_t)
 ')
 
 optional_policy(`
@@ -257,6 +277,11 @@ optional_policy(`
        nscd_socket_use(mozilla_t)
 ')
 
+optional_policy(`
+       nsplugin_manage_rw(mozilla_t)
+       nsplugin_manage_home_files(mozilla_t)
+')
+
 optional_policy(`
        pulseaudio_exec(mozilla_t)
        pulseaudio_stream_connect(mozilla_t)
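Review bot: `nsplugin_manage_rw(mozilla_t)` grants the browser domain create, write and delete on nsplugin_rw_t, which nsplugin.fc in this commit assigns to `/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?` and which nsplugin_t and nsplugin_config_t are allowed to execute (`can_exec(nsplugin_config_t, nsplugin_rw_t)`, `can_exec($2, nsplugin_rw_t)`). A compromised browser process could therefore replace code that later runs in the plugin domains, which undercuts the separation the new domains are meant to provide; nsplugin_config_t already holds manage rights on that tree for the wrapping step. Unless mozilla_t itself must write wrapped plugins, `nsplugin_read_rw_files(mozilla_t)` (plus `nsplugin_rw_exec(mozilla_t)` if it has to run them) appears to be the narrower interface.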
@@ -266,3 +291,89 @@ optional_policy(`
 optional_policy(`
        thunderbird_domtrans(mozilla_t)
 ')
+
+########################################
+#
+# mozilla_plugin local policy
+#
+allow mozilla_plugin_t self:process { setsched signal_perms execmem };
+
+allow mozilla_plugin_t self:sem create_sem_perms;
+allow mozilla_plugin_t self:shm create_shm_perms;
+allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
+allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
+
+read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+
+manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file })
+
+manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+can_exec(mozilla_plugin_t, mozilla_exec_t)
+
+kernel_read_kernel_sysctls(mozilla_plugin_t)
+kernel_read_system_state(mozilla_plugin_t)
+kernel_request_load_module(mozilla_plugin_t)
+
+corecmd_exec_bin(mozilla_plugin_t)
+corecmd_exec_shell(mozilla_plugin_t)
+
+dev_read_urand(mozilla_plugin_t)
+dev_read_video_dev(mozilla_plugin_t)
+dev_read_sysfs(mozilla_plugin_t)
+dev_read_sound(mozilla_plugin_t)
+dev_write_sound(mozilla_plugin_t)
+
+domain_use_interactive_fds(mozilla_plugin_t)
+domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+
+files_read_config_files(mozilla_plugin_t)
+files_read_usr_files(mozilla_plugin_t)
+
+fs_getattr_tmpfs(mozilla_plugin_t)
+
+miscfiles_read_localization(mozilla_plugin_t)
+miscfiles_read_fonts(mozilla_plugin_t)
+
+term_getattr_all_ttys(mozilla_plugin_t)
+term_getattr_all_ptys(mozilla_plugin_t)
+
+userdom_rw_user_tmpfs_files(mozilla_plugin_t)
+userdom_stream_connect(mozilla_plugin_t)
+userdom_dontaudit_use_user_ptys(mozilla_plugin_t)
+
+optional_policy(`
+       alsa_read_rw_config(mozilla_plugin_t)
+')
+
+optional_policy(`
+       dbus_read_lib_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+       gnome_manage_home_config(mozilla_plugin_t)
+       gnome_setattr_home_config(mozilla_plugin_t)
+')
+
+optional_policy(`
+       nsplugin_domtrans(mozilla_plugin_t)
+       nsplugin_rw_exec(mozilla_plugin_t)
+       nsplugin_manage_home_dirs(mozilla_plugin_t)
+       nsplugin_manage_home_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+       pulseaudio_rw_home_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+       xserver_read_xdm_pid(mozilla_plugin_t)
+       xserver_stream_connect(mozilla_plugin_t)
+       xserver_use_user_fonts(mozilla_plugin_t)
+')
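Review bot: `read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)` gives the out-of-process plugin read access to everything labelled mozilla_home_t, which per mozilla.fc is the whole `~/.mozilla`, `~/.thunderbird`, `~/.java` and related trees, i.e. the browser profile and whatever user data lives in it; with respect to that data the plugin domain is then hardly less privileged than mozilla_t. If plugin-container only needs the plugin directory and its own settings, a dedicated type for those paths would keep profile data out of reach, and at minimum a comment should record why the full profile must be readable. `corecmd_exec_shell(mozilla_plugin_t)` and `can_exec(mozilla_plugin_t, mozilla_exec_t)` likewise widen what the plugin may spawn; hedged, since the binary's actual needs are not visible here.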
index d8ea41d12e64db2fd7ddd5184247dfbe2d547ba8..8bdc5269339e35461da9393411bfba97389a6984 100644 (file)
@@ -102,3 +102,39 @@ interface(`mplayer_read_user_home_files',`
        read_files_pattern($1, mplayer_home_t, mplayer_home_t)
        userdom_search_user_home_dirs($1)
 ')
+
+########################################
+## <summary>
+##     Execute mplayer_exec_t 
+##     in the specified domain.
+## </summary>
+## <desc>
+##     <p>
+##     Execute a mplayer_exec_t
+##     in the specified domain.  
+##     </p>
+##     <p>
+##     No interprocess communication (signals, pipes,
+##     etc.) is provided by this interface since
+##     the domains are not owned by this module.
+##     </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="target_domain">
+##     <summary>
+##     The type of the new process.
+##     </summary>
+## </param>
+#
+interface(`mplayer_exec_domtrans',`
+       gen_require(`
+               type mplayer_exec_t;
+       ')
+
+       allow $2 mplayer_exec_t:file entrypoint;
+       domtrans_pattern($1, mplayer_exec_t, $2)
+')
index 815a4677634607d557d432dbb151d6af895531c2..192d54e20cd475b27328eb839ed7234b422128c5 100644 (file)
@@ -32,6 +32,7 @@ files_config_file(mplayer_etc_t)
 type mplayer_home_t;
 typealias mplayer_home_t alias { user_mplayer_home_t staff_mplayer_home_t sysadm_mplayer_home_t };
 typealias mplayer_home_t alias { auditadm_mplayer_home_t secadm_mplayer_home_t };
+files_poly_member(mplayer_home_t)
 userdom_user_home_content(mplayer_home_t)
 
 type mplayer_tmpfs_t;
@@ -159,6 +160,7 @@ manage_dirs_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
 manage_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
 manage_lnk_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
 userdom_user_home_dir_filetrans(mplayer_t, mplayer_home_t, dir)
+userdom_search_user_home_dirs(mplayer_t)
 
 manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
 manage_lnk_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
@@ -222,6 +224,8 @@ fs_dontaudit_getattr_all_fs(mplayer_t)
 fs_search_auto_mountpoints(mplayer_t)
 fs_list_inotifyfs(mplayer_t)
 
+logging_send_syslog_msg(mplayer_t)
+
 miscfiles_read_localization(mplayer_t)
 miscfiles_read_fonts(mplayer_t)
 
@@ -301,6 +305,10 @@ optional_policy(`
        alsa_read_rw_config(mplayer_t)
 ')
 
+optional_policy(`
+       gnome_setattr_config_dirs(mplayer_t)
+')
+
 optional_policy(`
        nscd_socket_use(mplayer_t)
 ')
diff --git a/policy/modules/apps/nsplugin.fc b/policy/modules/apps/nsplugin.fc
new file mode 100644 (file)
index 0000000..63abc5c
--- /dev/null
@@ -0,0 +1,10 @@
+HOME_DIR/\.adobe(/.*)?                 gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.macromedia(/.*)?            gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.gcjwebplugin(/.*)?          gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.icedteaplugin(/.*)?         gen_context(system_u:object_r:nsplugin_home_t,s0)
+
+/usr/bin/nspluginscan  --      gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/bin/nspluginviewer        --      gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/lib(64)?/nspluginwrapper/npviewer.bin     --      gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/lib(64)?/nspluginwrapper/plugin-config    --      gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?                    gen_context(system_u:object_r:nsplugin_rw_t,s0)
diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if
new file mode 100644 (file)
index 0000000..c779d44
--- /dev/null
@@ -0,0 +1,392 @@
+
+## <summary>policy for nsplugin</summary>
+
+########################################
+## <summary>
+##     Create, read, write, and delete
+##     nsplugin rw files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`nsplugin_manage_rw_files',`
+       gen_require(`
+               type nsplugin_rw_t;
+       ')
+
+       allow $1 nsplugin_rw_t:file manage_file_perms;
+       allow $1 nsplugin_rw_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+##     Manage nsplugin rw files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`nsplugin_manage_rw',`
+       gen_require(`
+               type nsplugin_rw_t;
+       ')
+
+         manage_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+         manage_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+         manage_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+')
+
+#######################################
+## <summary>
+##     The per role template for the nsplugin module.
+## </summary>
+## <param name="user_role">
+##     <summary>
+##     The role associated with the user domain.
+##     </summary>
+## </param>
+## <param name="user_domain">
+##     <summary>
+##     The type of the user domain.
+##     </summary>
+## </param>
+#
+interface(`nsplugin_role_notrans',`
+       gen_require(`
+               type nsplugin_rw_t;
+               type nsplugin_home_t;
+               type nsplugin_exec_t;
+               type nsplugin_config_exec_t;
+               type nsplugin_t;
+               type nsplugin_config_t;
+               class x_drawable all_x_drawable_perms;
+               class x_resource all_x_resource_perms;
+               class dbus send_msg;
+       ')
+
+       role $1 types nsplugin_t;
+       role $1 types nsplugin_config_t;
+
+       allow nsplugin_t $2:process signull;
+       allow nsplugin_t $2:dbus send_msg;
+       allow $2 nsplugin_t:dbus send_msg;
+
+       list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+       read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+       read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
+       can_exec($2, nsplugin_rw_t)
+
+       #Leaked File Descriptors
+ifdef(`hide_broken_symptoms', `
+       dontaudit nsplugin_t $2:socket_class_set { read write };
+       dontaudit nsplugin_t $2:fifo_file rw_inherited_fifo_file_perms;
+       dontaudit nsplugin_config_t $2:socket_class_set { read write };
+       dontaudit nsplugin_config_t $2:fifo_file rw_inherited_fifo_file_perms;
+')
+       allow nsplugin_t $2:unix_stream_socket connectto;
+       dontaudit nsplugin_t $2:process ptrace;
+       allow nsplugin_t $2:sem rw_sem_perms;
+       allow nsplugin_t $2:shm rw_shm_perms;
+       dontaudit nsplugin_t $2:shm destroy;
+       allow $2 nsplugin_t:sem rw_sem_perms;
+
+       allow $2 nsplugin_t:process { getattr ptrace signal_perms };
+       allow $2 nsplugin_t:unix_stream_socket connectto;
+
+       # Connect to pulseaudit server
+       stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2)
+       gnome_stream_connect(nsplugin_t, $2)
+
+       userdom_use_user_terminals(nsplugin_t)
+       userdom_use_user_terminals(nsplugin_config_t)
+       userdom_dontaudit_setattr_user_home_content_files(nsplugin_t)
+       userdom_manage_tmpfs_role($1, nsplugin_t)
+
+       optional_policy(`
+               pulseaudio_role($1, nsplugin_t)
+       ')
+')
+
+#######################################
+## <summary>
+##     Role access for nsplugin
+## </summary>
+## <param name="userdomain_prefix">
+##     <summary>
+##     The prefix of the user domain (e.g., user
+##     is the prefix for user_t).
+##     </summary>
+## </param>
+## <param name="user_role">
+##     <summary>
+##     The role associated with the user domain.
+##     </summary>
+## </param>
+## <param name="user_domain">
+##     <summary>
+##     The type of the user domain.
+##     </summary>
+## </param>
+#
+interface(`nsplugin_role',`
+       gen_require(`
+               type nsplugin_exec_t;
+               type nsplugin_config_exec_t;
+               type nsplugin_t;
+               type nsplugin_config_t;
+       ')
+
+       nsplugin_role_notrans($1, $2)
+
+       domtrans_pattern($2, nsplugin_exec_t, nsplugin_t)
+       domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t)
+
+')
+
+#######################################
+## <summary>
+##     The per role template for the nsplugin module.
+## </summary>
+## <param name="user_domain">
+##     <summary>
+##     The type of the user domain.
+##     </summary>
+## </param>
+#
+interface(`nsplugin_domtrans',`
+       gen_require(`
+               type nsplugin_exec_t;
+               type nsplugin_t;
+       ')
+
+       domtrans_pattern($1, nsplugin_exec_t, nsplugin_t)
+       allow $1 nsplugin_t:unix_stream_socket connectto;
+       allow nsplugin_t $1:process signal;
+')
+#######################################
+## <summary>
+##     The per role template for the nsplugin module.
+## </summary>
+## <param name="user_domain">
+##     <summary>
+##     The type of the user domain.
+##     </summary>
+## </param>
+#
+interface(`nsplugin_domtrans_config',`
+       gen_require(`
+               type nsplugin_config_exec_t;
+               type nsplugin_config_t;
+       ')
+
+       domtrans_pattern($1, nsplugin_config_exec_t, nsplugin_config_t)
+')
+
+########################################
+## <summary>
+##     Search nsplugin rw directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`nsplugin_search_rw_dir',`
+       gen_require(`
+               type nsplugin_rw_t;
+       ')
+
+       allow $1 nsplugin_rw_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##     Read nsplugin rw files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`nsplugin_read_rw_files',`
+       gen_require(`
+               type nsplugin_rw_t;
+       ')
+
+       list_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+       read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+       read_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
+')
+
+########################################
+## <summary>
+##     Read nsplugin home files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`nsplugin_read_home',`
+       gen_require(`
+               type nsplugin_home_t;
+       ')
+
+       list_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t)
+       read_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
+       read_lnk_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
+')
+
+########################################
+## <summary>
+##     Exec nsplugin rw files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`nsplugin_rw_exec',`
+       gen_require(`
+               type nsplugin_rw_t;
+       ')
+
+       can_exec($1, nsplugin_rw_t)
+')
+
+########################################
+## <summary>
+##     Create, read, write, and delete
+##     nsplugin home files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`nsplugin_manage_home_files',`
+       gen_require(`
+               type nsplugin_home_t;
+       ')
+
+       manage_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
+')
+
+########################################
+## <summary>
+##     manage nnsplugin home dirs.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`nsplugin_manage_home_dirs',`
+       gen_require(`
+               type nsplugin_home_t;
+       ')
+
+       manage_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t)
+')
+
+########################################
+## <summary>
+##     Allow attempts to read and write to
+##     nsplugin named pipes.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`nsplugin_rw_pipes',`
+       gen_require(`
+               type nsplugin_home_t;
+       ')
+
+       allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms; 
+')
+
+########################################
+## <summary>
+##     Read and write to nsplugin shared memory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`nsplugin_rw_shm',`
+       gen_require(`
+               type nsplugin_t;
+       ')
+
+       allow $1 nsplugin_t:shm rw_shm_perms;
+')
+
+#####################################
+## <summary>
+##      Allow read and write access to nsplugin semaphores.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`nsplugin_rw_semaphores',`
+        gen_require(`
+                type nsplugin_t;
+        ')
+
+        allow $1 nsplugin_t:sem rw_sem_perms;
+')
+
+########################################
+## <summary>
+##     Execute nsplugin_exec_t 
+##     in the specified domain.
+## </summary>
+## <desc>
+##     <p>
+##     Execute a nsplugin_exec_t
+##     in the specified domain.  
+##     </p>
+##     <p>
+##     No interprocess communication (signals, pipes,
+##     etc.) is provided by this interface since
+##     the domains are not owned by this module.
+##     </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="target_domain">
+##     <summary>
+##     The type of the new process.
+##     </summary>
+## </param>
+#
+interface(`nsplugin_exec_domtrans',`
+       gen_require(`
+               type nsplugin_exec_t;
+       ')
+
+       allow $2 nsplugin_exec_t:file entrypoint;
+       domtrans_pattern($1, nsplugin_exec_t, $2)
+')
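Review bot: The documentation for nsplugin_role declares three parameters (userdomain_prefix, user_role, user_domain) but the body uses only `$1` as the role and `$2` as the domain, and the caller added in mozilla.if passes exactly two (`nsplugin_role($1, mozilla_t)`); the `<param name="userdomain_prefix">` block should be removed so the generated interface documentation matches the real signature. In nsplugin_role_notrans, `stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2)` uses user_home_t without listing it in gen_require, and `gnome_stream_connect(nsplugin_t, $2)` is called outside optional_policy, both of which may break a modular build when the providing module is absent; the `ifdef(`hide_broken_symptoms'` block is also written at column 0 inside an indented interface body. Smaller documentation issues: nsplugin_domtrans and nsplugin_domtrans_config both reuse the summary "The per role template for the nsplugin module" and should instead say that they execute nsplugin (respectively plugin-config) in its domain, nsplugin_rw_pipes describes its parameter as "Domain to not audit" although the rule is an allow, nsplugin_manage_home_dirs has the typo "nnsplugin", and the bodies of nsplugin_manage_rw and nsplugin_rw_semaphores are space-indented where the rest of the file uses tabs.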
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
new file mode 100644 (file)
index 0000000..7bc0dcf
--- /dev/null
@@ -0,0 +1,310 @@
+policy_module(nsplugin, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow nsplugin code to execmem/execstack
+## </p>
+## </desc>
+gen_tunable(allow_nsplugin_execmem, false)
+
+## <desc>
+## <p>
+## Allow nsplugin code to connect to unreserved ports
+## </p>
+## </desc>
+gen_tunable(nsplugin_can_network, true)
+
+type nsplugin_exec_t;
+application_executable_file(nsplugin_exec_t)
+
+type nsplugin_config_exec_t;
+application_executable_file(nsplugin_config_exec_t)
+
+type nsplugin_rw_t;
+files_poly_member(nsplugin_rw_t)
+files_type(nsplugin_rw_t)
+
+type nsplugin_tmp_t;
+files_tmp_file(nsplugin_tmp_t)
+
+type nsplugin_home_t;
+files_poly_member(nsplugin_home_t)
+userdom_user_home_content(nsplugin_home_t)
+typealias nsplugin_home_t alias user_nsplugin_home_t;
+
+type nsplugin_t;
+domain_type(nsplugin_t)
+domain_entry_file(nsplugin_t, nsplugin_exec_t)
+
+type nsplugin_config_t;
+domain_type(nsplugin_config_t)
+domain_entry_file(nsplugin_config_t, nsplugin_config_exec_t)
+
+application_executable_file(nsplugin_exec_t)
+application_executable_file(nsplugin_config_exec_t)
+
+
+########################################
+#
+# nsplugin local policy
+#
+dontaudit nsplugin_t self:capability { sys_nice sys_tty_config };
+allow nsplugin_t self:fifo_file rw_file_perms;
+allow nsplugin_t self:process { ptrace setpgid getsched setsched signal_perms };
+
+allow nsplugin_t self:sem create_sem_perms;
+allow nsplugin_t self:shm create_shm_perms;
+allow nsplugin_t self:msgq create_msgq_perms;
+allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow nsplugin_t self:unix_dgram_socket create_socket_perms;
+allow nsplugin_t nsplugin_rw_t:dir list_dir_perms;
+read_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+read_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+
+tunable_policy(`allow_nsplugin_execmem',`
+       allow nsplugin_t self:process { execstack execmem };
+       allow nsplugin_config_t self:process { execstack execmem };
+')
+       
+tunable_policy(`nsplugin_can_network',`
+       corenet_tcp_connect_all_unreserved_ports(nsplugin_t)
+')
+
+manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_fifo_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_sock_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+userdom_user_home_dir_filetrans(nsplugin_t, nsplugin_home_t, {file dir})
+userdom_user_home_content_filetrans(nsplugin_t, nsplugin_home_t, {file dir})
+userdom_dontaudit_getattr_user_home_content(nsplugin_t)
+userdom_dontaudit_search_user_bin_dirs(nsplugin_t)
+userdom_dontaudit_write_user_home_content_files(nsplugin_t)
+userdom_dontaudit_search_admin_dir(nsplugin_t)
+
+corecmd_exec_bin(nsplugin_t)
+corecmd_exec_shell(nsplugin_t)
+
+corenet_all_recvfrom_unlabeled(nsplugin_t)
+corenet_all_recvfrom_netlabel(nsplugin_t)
+corenet_tcp_connect_flash_port(nsplugin_t)
+corenet_tcp_connect_streaming_port(nsplugin_t)
+corenet_tcp_connect_pulseaudio_port(nsplugin_t)
+corenet_tcp_connect_http_port(nsplugin_t)
+corenet_tcp_connect_http_cache_port(nsplugin_t)
+corenet_tcp_connect_squid_port(nsplugin_t)
+corenet_tcp_sendrecv_generic_if(nsplugin_t)
+corenet_tcp_sendrecv_generic_node(nsplugin_t)
+corenet_tcp_connect_ipp_port(nsplugin_t)
+corenet_tcp_connect_speech_port(nsplugin_t)
+
+domain_dontaudit_read_all_domains_state(nsplugin_t)
+
+dev_read_rand(nsplugin_t)
+dev_read_sound(nsplugin_t)
+dev_write_sound(nsplugin_t)
+dev_read_video_dev(nsplugin_t)
+dev_write_video_dev(nsplugin_t)
+dev_getattr_dri_dev(nsplugin_t)
+dev_rwx_zero(nsplugin_t)
+dev_search_sysfs(nsplugin_t)
+
+kernel_read_kernel_sysctls(nsplugin_t)
+kernel_read_system_state(nsplugin_t)
+
+files_dontaudit_getattr_lost_found_dirs(nsplugin_t)
+files_dontaudit_list_home(nsplugin_t)
+files_read_etc_files(nsplugin_t)
+files_read_usr_files(nsplugin_t)
+files_read_config_files(nsplugin_t)
+
+fs_getattr_tmpfs(nsplugin_t)
+fs_getattr_xattr_fs(nsplugin_t)
+fs_search_auto_mountpoints(nsplugin_t)
+fs_rw_anon_inodefs_files(nsplugin_t)
+fs_list_inotifyfs(nsplugin_t)
+
+storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t)
+storage_dontaudit_getattr_removable_dev(nsplugin_t)
+
+term_dontaudit_getattr_all_ptys(nsplugin_t)
+term_dontaudit_getattr_all_ttys(nsplugin_t)
+
+auth_use_nsswitch(nsplugin_t)
+
+libs_exec_ld_so(nsplugin_t)
+
+miscfiles_read_localization(nsplugin_t)
+miscfiles_read_fonts(nsplugin_t)
+miscfiles_dontaudit_write_fonts(nsplugin_t)
+miscfiles_setattr_fonts_cache_dirs(nsplugin_t)
+
+userdom_manage_user_tmp_dirs(nsplugin_t)
+userdom_manage_user_tmp_files(nsplugin_t)
+userdom_manage_user_tmp_sockets(nsplugin_t)
+userdom_tmp_filetrans_user_tmp(nsplugin_t, { file dir sock_file })
+userdom_rw_semaphores(nsplugin_t)
+userdom_dontaudit_rw_user_tmp_pipes(nsplugin_t)
+
+userdom_read_user_home_content_symlinks(nsplugin_t)
+userdom_read_user_home_content_files(nsplugin_t)
+userdom_read_user_tmp_files(nsplugin_t)
+userdom_write_user_tmp_sockets(nsplugin_t)
+userdom_dontaudit_append_user_home_content_files(nsplugin_t)
+
+optional_policy(`
+       alsa_read_rw_config(nsplugin_t)
+       alsa_read_home_files(nsplugin_t)
+')
+
+optional_policy(`
+       cups_stream_connect(nsplugin_t)
+')
+
+optional_policy(`
+       dbus_session_bus_client(nsplugin_t)
+       dbus_connect_session_bus(nsplugin_t)
+       dbus_system_bus_client(nsplugin_t)
+')
+
+optional_policy(`
+       gnome_exec_gconf(nsplugin_t)
+       gnome_manage_config(nsplugin_t)
+       gnome_read_gconf_home_files(nsplugin_t)
+')
+
+optional_policy(`
+       mozilla_read_user_home_files(nsplugin_t)
+       mozilla_write_user_home_files(nsplugin_t)
+')
+
+optional_policy(`
+       mplayer_exec(nsplugin_t)
+       mplayer_read_user_home_files(nsplugin_t)
+')
+
+optional_policy(`
+       unconfined_execmem_signull(nsplugin_t)
+')
+
+optional_policy(`
+       sandbox_read_tmpfs_files(nsplugin_t)
+')
+
+optional_policy(`
+       gen_require(`
+               type user_tmpfs_t;
+       ')
+       xserver_user_x_domain_template(nsplugin, nsplugin_t, user_tmpfs_t)
+       xserver_rw_shm(nsplugin_t)
+       xserver_read_xdm_pid(nsplugin_t)
+       xserver_read_xdm_tmp_files(nsplugin_t)
+       xserver_read_user_xauth(nsplugin_t)
+       xserver_read_user_iceauth(nsplugin_t)
+       xserver_use_user_fonts(nsplugin_t)
+       xserver_rw_inherited_user_fonts(nsplugin_t)
+')
+
+########################################
+#
+# nsplugin_config local policy
+#
+
+allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
+allow nsplugin_config_t self:process { setsched signal_perms getsched execmem };
+#execing pulseaudio
+dontaudit nsplugin_t self:process { getcap setcap };
+
+allow nsplugin_config_t self:fifo_file rw_file_perms;
+allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
+
+dev_dontaudit_read_rand(nsplugin_config_t)
+
+fs_search_auto_mountpoints(nsplugin_config_t)
+fs_list_inotifyfs(nsplugin_config_t)
+
+can_exec(nsplugin_config_t, nsplugin_rw_t)
+manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+
+manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
+
+corecmd_exec_bin(nsplugin_config_t)
+corecmd_exec_shell(nsplugin_config_t)
+
+kernel_read_system_state(nsplugin_config_t)
+kernel_request_load_module(nsplugin_config_t)
+
+files_read_etc_files(nsplugin_config_t)
+files_read_usr_files(nsplugin_config_t)
+files_dontaudit_search_home(nsplugin_config_t)
+files_list_tmp(nsplugin_config_t)
+
+auth_use_nsswitch(nsplugin_config_t)
+
+miscfiles_read_localization(nsplugin_config_t)
+miscfiles_read_fonts(nsplugin_config_t)
+
+userdom_search_user_home_content(nsplugin_config_t)
+userdom_read_user_home_content_symlinks(nsplugin_config_t)
+userdom_read_user_home_content_files(nsplugin_config_t)
+userdom_dontaudit_search_admin_dir(nsplugin_config_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+       fs_getattr_nfs(nsplugin_t)
+       fs_manage_nfs_dirs(nsplugin_t)
+       fs_manage_nfs_files(nsplugin_t)
+       fs_read_nfs_symlinks(nsplugin_t)
+       fs_manage_nfs_named_pipes(nsplugin_t)
+       fs_manage_nfs_dirs(nsplugin_config_t)
+       fs_manage_nfs_files(nsplugin_config_t)
+       fs_manage_nfs_named_pipes(nsplugin_config_t)
+       fs_read_nfs_symlinks(nsplugin_config_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+       fs_getattr_cifs(nsplugin_t)
+       fs_manage_cifs_dirs(nsplugin_t)
+       fs_manage_cifs_files(nsplugin_t)
+       fs_read_cifs_symlinks(nsplugin_t)
+       fs_manage_cifs_named_pipes(nsplugin_t)
+       fs_manage_cifs_dirs(nsplugin_config_t)
+       fs_manage_cifs_files(nsplugin_config_t)
+       fs_manage_cifs_named_pipes(nsplugin_config_t)
+       fs_read_cifs_symlinks(nsplugin_config_t)
+')
+
+domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t)
+
+optional_policy(`
+       xserver_use_user_fonts(nsplugin_config_t)
+')
+
+optional_policy(`
+       mozilla_read_user_home_files(nsplugin_config_t)
+       mozilla_write_user_home_files(nsplugin_config_t)
+')
+
+application_signull(nsplugin_t)
+
+optional_policy(`
+       pulseaudio_exec(nsplugin_t)
+       pulseaudio_stream_connect(nsplugin_t)
+       pulseaudio_manage_home_files(nsplugin_t)
+       pulseaudio_setattr_home_dir(nsplugin_t)
+')
+
+optional_policy(`
+       unconfined_execmem_exec(nsplugin_t)
+')
+
+
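Review bot: `allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };` lets the plugin configuration tool bypass discretionary access checks and change credentials, which is considerably more than a tool that scans and wraps plugins in a user's home would be expected to need; the denials that motivated each capability should be recorded in a comment or the set trimmed to what was actually observed. `application_executable_file(nsplugin_exec_t)` and `application_executable_file(nsplugin_config_exec_t)` appear twice (once in the declarations block and again after the domain declarations), so the second pair is redundant. Under the "nsplugin_config local policy" heading, `dontaudit nsplugin_t self:process { getcap setcap };` targets nsplugin_t rather than nsplugin_config_t, so either the domain or the placement looks wrong. Finally, `gen_tunable(nsplugin_can_network, true)` defaults to allowing connections to all unreserved TCP ports, which the tunable's `<desc>` should state explicitly so administrators know the default is open.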
diff --git a/policy/modules/apps/openoffice.fc b/policy/modules/apps/openoffice.fc
new file mode 100644 (file)
index 0000000..0c53a12
--- /dev/null
@@ -0,0 +1,4 @@
+/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
+/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
+/opt/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
+
diff --git a/policy/modules/apps/openoffice.if b/policy/modules/apps/openoffice.if
new file mode 100644 (file)
index 0000000..6863365
--- /dev/null
@@ -0,0 +1,129 @@
+## <summary>Openoffice</summary>
+
+#######################################
+## <summary>
+##     The per role template for the openoffice module.
+## </summary>
+## <param name="user_role">
+##     <summary>
+##     The role associated with the user domain.
+##     </summary>
+## </param>
+## <param name="user_domain">
+##     <summary>
+##     The type of the user domain.
+##     </summary>
+## </param>
+#
+interface(`openoffice_plugin_role',`
+       gen_require(`
+               type openoffice_exec_t;
+               type openoffice_t;
+       ')
+       
+       ########################################
+       #
+       # Local policy
+       #
+
+       domtrans_pattern($1, openoffice_exec_t, openoffice_t)
+       allow $1 openoffice_t:process { signal sigkill };
+')
+
+#######################################
+## <summary>
+##     role for openoffice
+## </summary>
+## <desc>
+##     <p>
+##     This template creates a derived domains which are used
+##     for java applications.
+##     </p>
+## </desc>
+## <param name="role_prefix">
+##     <summary>
+##     The prefix of the user domain (e.g., user
+##     is the prefix for user_t).
+##     </summary>
+## </param>
+## <param name="user_role">
+##     <summary>
+##     The role associated with the user domain.
+##     </summary>
+## </param>
+## <param name="user_domain">
+##     <summary>
+##     The type of the user domain.
+##     </summary>
+## </param>
+#
+interface(`openoffice_role_template',`
+       gen_require(`
+               type openoffice_exec_t;
+       ')
+
+       role $2 types $1_openoffice_t;
+
+       type $1_openoffice_t;
+       domain_type($1_openoffice_t)
+       domain_entry_file($1_openoffice_t, openoffice_exec_t)
+       domain_interactive_fd($1_openoffice_t)
+
+       userdom_unpriv_usertype($1, $1_openoffice_t)
+       userdom_exec_user_home_content_files($1_openoffice_t)
+
+       allow $1_openoffice_t self:process { getsched sigkill execheap execmem execstack };
+
+       allow $3 $1_openoffice_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh };
+       allow $1_openoffice_t $3:tcp_socket { read write };
+
+       domtrans_pattern($3, openoffice_exec_t, $1_openoffice_t)
+
+       dev_read_urand($1_openoffice_t)
+       dev_read_rand($1_openoffice_t)
+
+       fs_dontaudit_rw_tmpfs_files($1_openoffice_t)
+
+       allow $3 $1_openoffice_t:process { signal sigkill };
+       allow $1_openoffice_t $3:unix_stream_socket connectto;
+
+       optional_policy(`
+               xserver_role($2, $1_openoffice_t)
+       ')
+')
+
+########################################
+## <summary>
+##     Execute openoffice_exec_t 
+##     in the specified domain.
+## </summary>
+## <desc>
+##     <p>
+##     Execute a openoffice_exec_t
+##     in the specified domain.  
+##     </p>
+##     <p>
+##     No interprocess communication (signals, pipes,
+##     etc.) is provided by this interface since
+##     the domains are not owned by this module.
+##     </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="target_domain">
+##     <summary>
+##     The type of the new process.
+##     </summary>
+## </param>
+#
+interface(`openoffice_exec_domtrans',`
+       gen_require(`
+               type openoffice_exec_t;
+       ')
+
+       allow $2 openoffice_exec_t:file entrypoint;
+       domtrans_pattern($1, openoffice_exec_t, $2)
+')
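Review bot: The description of `openoffice_role_template` reads "This template creates a derived domains which are used for java applications", which was carried over from the java module and does not describe this template; suggest `This template creates a derived domain, $1_openoffice_t, for running openoffice binaries on behalf of the user domain.` The parameter block of `openoffice_plugin_role` documents `user_role` and `user_domain`, but the body only ever uses `$1`, as the source domain of `domtrans_pattern($1, openoffice_exec_t, openoffice_t)` and the signal rule, so either the second parameter is unused or the doc should list a single `domain` parameter. `openoffice_role_template` also grants the derived domain `execheap execmem execstack` on self and gives `$3` `ptrace` over it; a why-comment such as `# presumably needed by the embedded JVM — confirm` would make the reason for relaxing W^X explicit rather than leaving it to the reader.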
diff --git a/policy/modules/apps/openoffice.te b/policy/modules/apps/openoffice.te
new file mode 100644 (file)
index 0000000..a842371
--- /dev/null
@@ -0,0 +1,16 @@
+policy_module(openoffice, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type openoffice_t;
+type openoffice_exec_t;
+application_domain(openoffice_t, openoffice_exec_t)
+
+########################################
+#
+# Unconfined java local policy
+#
+
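Review bot: The section header `# Unconfined java local policy` at the end of the new openoffice.te is a copy-paste from the java module, and the section beneath it is empty, so `openoffice_t` is declared through `application_domain()` with no local rules at all. A user domain that calls `openoffice_plugin_role` from openoffice.if transitions into this empty domain, which presumably cannot read its own libraries or display anything — confirm that this is an intentional stub. At minimum rename the header to `# openoffice local policy` and state the status, e.g. `# NOTE: openoffice_t has no local rules yet; openoffice_role_template is the usable entry point until this is filled in.`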
index 690589eb44cfbcfb5da560a78364c9edf90f1074..815d35de91a1871edcbf6be8847fc0a56e5d9160 100644 (file)
@@ -27,7 +27,7 @@ ubac_constrained(podsleuth_tmpfs_t)
 # podsleuth local policy
 #
 allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
-allow podsleuth_t self:process { ptrace signal getsched execheap execmem execstack };
+allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
 allow podsleuth_t self:fifo_file rw_file_perms;
 allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
 allow podsleuth_t self:sem create_sem_perms;
@@ -73,6 +73,7 @@ miscfiles_read_localization(podsleuth_t)
 sysnet_dns_name_resolve(podsleuth_t)
 
 userdom_signal_unpriv_users(podsleuth_t)
+userdom_signull_unpriv_users(podsleuth_t)
 userdom_read_user_tmpfs_files(podsleuth_t)
 
 optional_policy(`
index 2ba7787164bb2f264caa468a0a7ef7fb69c7846b..9f12b51379b6f0cb710ac835de30ddeff06712e3 100644 (file)
@@ -17,7 +17,7 @@
 #
 interface(`pulseaudio_role',`
        gen_require(`
-               type pulseaudio_t, pulseaudio_exec_t, print_spool_t;
+               type pulseaudio_t, pulseaudio_exec_t;
                class dbus { acquire_svc send_msg };
        ')
 
@@ -35,6 +35,10 @@ interface(`pulseaudio_role',`
        allow pulseaudio_t $2:unix_stream_socket connectto;
        allow $2 pulseaudio_t:unix_stream_socket connectto;
 
+       userdom_manage_home_role($1, pulseaudio_t)
+       userdom_manage_tmp_role($1, pulseaudio_t)
+       userdom_manage_tmpfs_role($1, pulseaudio_t)
+
        allow $2 pulseaudio_t:dbus send_msg;
        allow pulseaudio_t $2:dbus { acquire_svc send_msg };
 ')
@@ -215,6 +219,7 @@ interface(`pulseaudio_read_home_files',`
 
        userdom_search_user_home_dirs($1)
        read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+       read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
 ')
 
 ########################################
@@ -233,6 +238,7 @@ interface(`pulseaudio_rw_home_files',`
        ')
 
        rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+       read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
        userdom_search_user_home_dirs($1)
 ')
 
index 5c2680cb5a4bc88609c24a3776b9ac8823a999c1..db9658157a29e6d0a81cd74dbe87ad7522f7ec04 100644 (file)
@@ -44,6 +44,7 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
 manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
 manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
 userdom_search_user_home_dirs(pulseaudio_t)
+userdom_search_admin_dir(pulseaudio_t)
 
 manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
 manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
@@ -53,7 +54,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
 manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
 manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
 manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
-files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })
+files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { file dir })
 
 can_exec(pulseaudio_t, pulseaudio_exec_t)
 
@@ -94,10 +95,9 @@ logging_send_syslog_msg(pulseaudio_t)
 
 miscfiles_read_localization(pulseaudio_t)
 
-# cjp: this seems excessive. need to confirm
-userdom_manage_user_home_content_files(pulseaudio_t)
-userdom_manage_user_tmp_files(pulseaudio_t)
-userdom_manage_user_tmpfs_files(pulseaudio_t)
+optional_policy(`
+       alsa_read_rw_config(pulseaudio_t)
+')
 
 optional_policy(`
        bluetooth_stream_connect(pulseaudio_t)
@@ -130,6 +130,10 @@ optional_policy(`
        rtkit_scheduled(pulseaudio_t)
 ')
 
+optional_policy(`
+       mpd_read_tmpfs_files(pulseaudio_t)
+')
+
 optional_policy(`
        policykit_domtrans_auth(pulseaudio_t)
        policykit_read_lib(pulseaudio_t)
@@ -148,3 +152,7 @@ optional_policy(`
        xserver_read_xdm_pid(pulseaudio_t)
        xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
 ')
+
+optional_policy(`
+       sandbox_manage_tmpfs_files(pulseaudio_t)
+')
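Review bot: `sandbox_manage_tmpfs_files(pulseaudio_t)` grants the user's pulseaudio daemon create/unlink/rename on every `sandbox_tmpfs_type` file, which is wider than the read/write it needs to share audio buffers with sandboxed clients; sandbox.if in this same commit exposes `sandbox_read_tmpfs_files` and the X template only reasons about `{ read write }` on client tmpfs files (its "Pulseaudio tmpfs files with different MCS labels" rule). Unless pulseaudio actually creates files inside the sandbox tmpfs, a narrower `allow pulseaudio_t sandbox_tmpfs_type:file rw_file_perms;` (or an rw interface in sandbox.if) would keep a misbehaving pulseaudio from deleting or replacing sandbox state. Either way the block deserves a reason, e.g. `# shared-memory audio with sandboxed clients`.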
index c1d5f50a8dbb438a480eea1e4823470e95a6121d..8d8d96120a0141aa2920a6985f549fca7834c494 100644 (file)
@@ -155,6 +155,24 @@ interface(`qemu_domtrans',`
        domtrans_pattern($1, qemu_exec_t, qemu_t)
 ')
 
+########################################
+## <summary>
+##     Execute a qemu in the callers domain
+## </summary>
+## <param name="domain">
+## <summary>
+##     Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_exec',`
+       gen_require(`
+               type qemu_exec_t;
+       ')
+
+       can_exec($1, qemu_exec_t)
+')
+
 ########################################
 ## <summary>
 ##     Execute qemu in the qemu domain.
@@ -273,6 +291,67 @@ interface(`qemu_domtrans_unconfined',`
        domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t)
 ')
 
+########################################
+## <summary>
+##     Execute qemu_exec_t 
+##     in the specified domain but do not
+##     do it automatically. This is an explicit
+##     transition, requiring the caller to use setexeccon().
+## </summary>
+## <desc>
+##     <p>
+##     Execute qemu_exec_t 
+##     in the specified domain.  This allows
+##     the specified domain to qemu programs
+##     on these filesystems in the specified
+##     domain.
+##     </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="target_domain">
+##     <summary>
+##     The type of the new process.
+##     </summary>
+## </param>
+#
+interface(`qemu_spec_domtrans',`
+       gen_require(`
+               type qemu_exec_t;
+       ')
+  
+       read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t)
+       domain_transition_pattern($1, qemu_exec_t, $2)
+       domain_entry_file($2,qemu_exec_t)
+       can_exec($1,qemu_exec_t)
+
+       allow $2 $1:fd use;
+       allow $2 $1:fifo_file rw_fifo_file_perms;
+       allow $2 $1:process sigchld;
+')
+
+########################################
+## <summary>
+##     Execute qemu unconfined programs in the role.
+## </summary>
+## <param name="role">
+##     <summary>
+##     The role to allow the PAM domain.
+##     </summary>
+## </param>
+#
+interface(`qemu_unconfined_role',`
+       gen_require(`
+               type unconfined_qemu_t;
+               type qemu_t;
+       ')
+       role $1 types unconfined_qemu_t;
+       role $1 types qemu_t;
+')
+
 ########################################
 ## <summary>
 ##     Manage qemu temporary dirs.
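Review bot: `qemu_spec_domtrans` is documented as an explicit transition that requires `setexeccon()`, yet the body adds `can_exec($1,qemu_exec_t)` on top of `domain_transition_pattern`, and `can_exec` carries `execute_no_trans`, so a caller that forgets to set the exec context silently runs qemu in its own domain — the opposite of what the interface promises. If that fallback is intended it needs a comment, e.g. `# can_exec lets the caller run qemu without a transition when no exec context is set — confirm this is wanted`; otherwise drop the `can_exec` line and rely on `domain_transition_pattern` alone. The summary text `This allows the specified domain to qemu programs on these filesystems in the specified domain` is garbled copy-paste and should read `This allows the specified domain to run qemu in the target domain.` Likewise `qemu_unconfined_role` describes its parameter as `The role to allow the PAM domain`, which should be `The role to allow the qemu domains`, and the summary should mention that it adds both `unconfined_qemu_t` and the confined `qemu_t` to the role, since the name suggests only the former.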
@@ -308,3 +387,24 @@ interface(`qemu_manage_tmp_files',`
 
        manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
 ')
+
+########################################
+## <summary>
+##     Make qemu_exec_t an entrypoint for
+##     the specified domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     The domain for which qemu_exec_t is an entrypoint.
+##     </summary>
+## </param>
+#
+interface(`qemu_entry_type',`
+       gen_require(`
+               type qemu_exec_t;
+       ')
+
+       domain_entry_file($1, qemu_exec_t)
+')
+
+
index a3225d4e440065afe9b2cca08f8c851dcd8e46ee..7551020c70c02f018298a4160f817ae907988832 100644 (file)
@@ -102,6 +102,10 @@ optional_policy(`
        xen_rw_image_files(qemu_t)
 ')
 
+optional_policy(`
+       xen_rw_image_files(qemu_t)
+')
+
 ########################################
 #
 # Unconfined qemu local policy
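Review bot: The added `optional_policy(` block containing `xen_rw_image_files(qemu_t)` duplicates the identical call in the context block immediately above it, so the hunk adds nothing but a redundant rule; drop the four added lines. If a different xen interface was meant, that is what the block should hold instead. The enclosing file continues outside the hunk.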
@@ -112,6 +116,8 @@ optional_policy(`
        typealias unconfined_qemu_t alias qemu_unconfined_t;
        application_type(unconfined_qemu_t)
        unconfined_domain(unconfined_qemu_t)
+       userdom_manage_tmpfs_role(unconfined_r, unconfined_qemu_t)
+       userdom_unpriv_usertype(unconfined, unconfined_qemu_t)
 
        allow unconfined_qemu_t self:process { execstack execmem };
        allow unconfined_qemu_t qemu_exec_t:file execmod;
index 9ec14787ea62341458358ccfe6d2bd5bdb45bf7a..26bb71c0211310747284f3e9ff945b4d3ee4da0d 100644 (file)
@@ -29,7 +29,7 @@ dev_dontaudit_read_urand(sambagui_t)
 
 files_read_etc_files(sambagui_t)
 files_search_var_lib(sambagui_t)
-files_search_usr(sambagui_t)
+files_read_usr_files(sambagui_t)
 
 auth_use_nsswitch(sambagui_t)
 
@@ -39,6 +39,8 @@ miscfiles_read_localization(sambagui_t)
 
 nscd_dontaudit_search_pid(sambagui_t)
 
+userdom_dontaudit_search_admin_dir(sambagui_t)
+
 # handling with samba conf files
 samba_append_log(sambagui_t)
 samba_manage_config(sambagui_t)
@@ -52,6 +54,10 @@ optional_policy(`
        consoletype_exec(sambagui_t)
 ')
 
+optional_policy(`
+       gnome_dontaudit_search_config(sambagui_t)
+') 
+
 optional_policy(`
        policykit_dbus_chat(sambagui_t)
 ')
diff --git a/policy/modules/apps/sandbox.fc b/policy/modules/apps/sandbox.fc
new file mode 100644 (file)
index 0000000..15778fd
--- /dev/null
@@ -0,0 +1 @@
+# No types are sandbox_exec_t
diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if
new file mode 100644 (file)
index 0000000..5dd356f
--- /dev/null
@@ -0,0 +1,336 @@
+
+## <summary>policy for sandbox</summary>
+
+########################################
+## <summary>
+##     Execute sandbox in the sandbox domain, and
+##     allow the specified role the sandbox domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     The role to be allowed the sandbox domain.
+##     </summary>
+## </param>
+#
+interface(`sandbox_transition',`
+       gen_require(`
+               type sandbox_xserver_t;
+               attribute sandbox_domain;
+               attribute sandbox_x_domain;
+               attribute sandbox_file_type;
+               attribute sandbox_tmpfs_type;
+       ')
+
+       allow $1 sandbox_domain:process transition;
+       dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
+       role $2 types sandbox_domain;
+       allow sandbox_domain $1:process { sigchld signull };
+       allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
+
+       allow $1 sandbox_x_domain:process { signal_perms transition };
+       dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh };
+       allow sandbox_x_domain $1:process { sigchld signull };
+       dontaudit sandbox_domain $1:process signal;
+       role $2 types sandbox_x_domain;
+       role $2 types sandbox_xserver_t;
+       allow $1 sandbox_xserver_t:process signal_perms;
+       dontaudit sandbox_xserver_t $1:fifo_file rw_inherited_fifo_file_perms;
+       dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms;
+       dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms;
+       allow sandbox_xserver_t $1:unix_stream_socket { connectto rw_socket_perms };
+       allow sandbox_x_domain sandbox_x_domain:process signal;
+       # Dontaudit leaked file descriptors
+       dontaudit sandbox_x_domain $1:fifo_file { read write };
+       dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
+       dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
+       dontaudit sandbox_x_domain $1:unix_stream_socket { read write };
+       dontaudit sandbox_x_domain $1:process signal;
+       
+       allow $1 sandbox_tmpfs_type:file manage_file_perms;
+       dontaudit $1 sandbox_tmpfs_type:file manage_file_perms;
+
+       can_exec($1, sandbox_file_type)
+       manage_files_pattern($1, sandbox_file_type, sandbox_file_type);
+       manage_dirs_pattern($1, sandbox_file_type, sandbox_file_type);
+       manage_sock_files_pattern($1, sandbox_file_type, sandbox_file_type);
+       manage_fifo_files_pattern($1, sandbox_file_type, sandbox_file_type);
+       manage_lnk_files_pattern($1, sandbox_file_type, sandbox_file_type);
+       relabel_dirs_pattern($1, sandbox_file_type, sandbox_file_type)
+       relabel_files_pattern($1, sandbox_file_type, sandbox_file_type)
+       relabel_lnk_files_pattern($1, sandbox_file_type, sandbox_file_type)
+       relabel_fifo_files_pattern($1, sandbox_file_type, sandbox_file_type)
+       relabel_sock_files_pattern($1, sandbox_file_type, sandbox_file_type)
+')
+
+########################################
+## <summary>
+##     Creates types and rules for a basic
+##     qemu process domain.
+## </summary>
+## <param name="prefix">
+##     <summary>
+##     Prefix for the domain.
+##     </summary>
+## </param>
+#
+template(`sandbox_domain_template',`
+
+       gen_require(`
+               attribute sandbox_domain;
+               attribute sandbox_file_type;
+               attribute sandbox_x_type;
+       ')
+
+       type $1_t, sandbox_domain, sandbox_x_type;
+       application_type($1_t)
+
+       mls_rangetrans_target($1_t)
+
+       type $1_file_t, sandbox_file_type;
+       files_type($1_file_t)
+
+       can_exec($1_t, $1_file_t)
+       manage_dirs_pattern($1_t, $1_file_t, $1_file_t)
+       manage_files_pattern($1_t, $1_file_t, $1_file_t)
+       manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t)
+       manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t)
+       manage_sock_files_pattern($1_t, $1_file_t, $1_file_t)
+')
+
+########################################
+## <summary>
+##     Creates types and rules for a basic
+##     qemu process domain.
+## </summary>
+## <param name="prefix">
+##     <summary>
+##     Prefix for the domain.
+##     </summary>
+## </param>
+#
+template(`sandbox_x_domain_template',`
+       gen_require(`
+               type xserver_exec_t, sandbox_devpts_t;
+               type sandbox_xserver_t;
+               attribute sandbox_domain, sandbox_x_domain;
+               attribute sandbox_file_type, sandbox_tmpfs_type;
+       ')
+
+       type $1_t, sandbox_x_domain;
+       application_type($1_t)
+
+       type $1_file_t, sandbox_file_type;
+       files_type($1_file_t)
+
+       can_exec($1_t, $1_file_t)
+       manage_dirs_pattern($1_t, $1_file_t, $1_file_t)
+       manage_files_pattern($1_t, $1_file_t, $1_file_t)
+       manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t)
+       manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t)
+       manage_sock_files_pattern($1_t, $1_file_t, $1_file_t)
+
+       type $1_devpts_t;
+       term_pty($1_devpts_t)
+       term_create_pty($1_t, $1_devpts_t)
+       allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
+
+       # window manager
+       miscfiles_setattr_fonts_cache_dirs($1_t)
+       allow $1_t self:capability setuid;
+
+       type $1_client_t, sandbox_x_domain;
+       application_type($1_client_t)
+
+       type $1_client_tmpfs_t, sandbox_tmpfs_type;
+       files_tmpfs_file($1_client_tmpfs_t)
+
+       term_search_ptys($1_t)
+       allow $1_client_t sandbox_devpts_t:chr_file { rw_term_perms setattr };
+       term_create_pty($1_client_t,sandbox_devpts_t)
+
+       manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
+       fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file )
+       # Pulseaudio tmpfs files with different MCS labels
+       dontaudit $1_client_t $1_client_tmpfs_t:file { read write };
+       allow sandbox_xserver_t $1_client_tmpfs_t:file { read write };
+
+       domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)
+       allow $1_t sandbox_xserver_t:process signal_perms;
+
+       domtrans_pattern($1_t, $1_file_t, $1_client_t)
+       domain_entry_file($1_client_t,  $1_file_t)
+
+       # Random tmpfs_t that gets created when you run X. 
+       fs_rw_tmpfs_files($1_t)
+
+       manage_dirs_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
+       manage_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
+       manage_sock_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
+       allow sandbox_xserver_t $1_file_t:sock_file create_sock_file_perms;
+       ps_process_pattern(sandbox_xserver_t, $1_client_t)
+       ps_process_pattern(sandbox_xserver_t, $1_t)
+       allow sandbox_xserver_t $1_client_t:shm rw_shm_perms;
+       allow sandbox_xserver_t $1_t:shm rw_shm_perms;
+       allow $1_client_t $1_t:unix_stream_socket connectto;
+       allow $1_t $1_client_t:unix_stream_socket connectto;
+
+       can_exec($1_client_t, $1_file_t)
+       manage_dirs_pattern($1_client_t, $1_file_t, $1_file_t)
+       manage_files_pattern($1_client_t, $1_file_t, $1_file_t)
+       manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t)
+       manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t)
+       manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t)
+')
+
+########################################
+## <summary>
+##     allow domain to read, 
+##     write sandbox_xserver tmp files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access
+##     </summary>
+## </param>
+#
+interface(`sandbox_rw_xserver_tmpfs_files',`
+       gen_require(`
+               type sandbox_xserver_tmpfs_t;
+       ')
+
+       allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##     allow domain to read
+##     sandbox tmpfs files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access
+##     </summary>
+## </param>
+#
+interface(`sandbox_read_tmpfs_files',`
+       gen_require(`
+               attribute sandbox_tmpfs_type;
+       ')
+
+       allow $1 sandbox_tmpfs_type:file read_file_perms;
+')
+
+########################################
+## <summary>
+##     allow domain to manage
+##     sandbox tmpfs files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access
+##     </summary>
+## </param>
+#
+interface(`sandbox_manage_tmpfs_files',`
+       gen_require(`
+               attribute sandbox_tmpfs_type;
+       ')
+
+       allow $1 sandbox_tmpfs_type:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##     Delete sandbox files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access
+##     </summary>
+## </param>
+#
+interface(`sandbox_delete_files',`
+       gen_require(`
+               attribute sandbox_file_type;
+       ')
+
+       delete_files_pattern($1, sandbox_file_type, sandbox_file_type)
+')
+
+########################################
+## <summary>
+##     Delete sandbox sock files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access
+##     </summary>
+## </param>
+#
+interface(`sandbox_delete_sock_files',`
+       gen_require(`
+               attribute sandbox_file_type;
+       ')
+
+       delete_sock_files_pattern($1, sandbox_file_type, sandbox_file_type)
+')
+
+########################################
+## <summary>
+##     Allow domain to  set the attributes
+##     of the sandbox directory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access
+##     </summary>
+## </param>
+#
+interface(`sandbox_setattr_dirs',`
+       gen_require(`
+               attribute sandbox_file_type;
+       ')
+
+       allow $1 sandbox_file_type:dir setattr;
+')
+
+########################################
+## <summary>
+##     allow domain to delete sandbox files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access
+##     </summary>
+## </param>
+#
+interface(`sandbox_delete_dirs',`
+       gen_require(`
+               attribute sandbox_file_type;
+       ')
+
+       delete_dirs_pattern($1, sandbox_file_type, sandbox_file_type)
+')
+
+########################################
+## <summary>
+##     allow domain to list sandbox dirs
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access
+##     </summary>
+## </param>
+#
+interface(`sandbox_list',`
+       gen_require(`
+               attribute sandbox_file_type;
+       ')
+
+       allow $1 sandbox_file_type:dir list_dir_perms;
+')
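Review bot: Both `sandbox_domain_template` and `sandbox_x_domain_template` carry the summary `Creates types and rules for a basic qemu process domain`, copied from the qemu module; they should say `Creates types and rules for a basic sandbox process domain` and `Creates types and rules for a sandboxed X application domain, its client domain and its tmpfs type`, and the `prefix` parameter should name what is derived (`$1_t` and `$1_file_t`, plus `$1_devpts_t`, `$1_client_t` and `$1_client_tmpfs_t` in the X template). In `sandbox_transition` the `dontaudit $1 sandbox_tmpfs_type:file manage_file_perms;` directly follows an `allow` of the same permissions on the same types and is therefore dead; remove it. The same interface hands the caller `can_exec` plus full manage and relabel over every `sandbox_file_type`, which presumably is what the sandbox launcher needs to set up and tear down sandboxes but is wide enough (it can relabel content from one sandbox's type to another's) to deserve a why-comment, e.g. `# the launcher creates, labels and cleans up sandbox home/tmp content for all sandbox types`. Style: the `manage_*_pattern(...)` calls in `sandbox_transition` end in stray `;`, unlike the rest of the file.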
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
new file mode 100644 (file)
index 0000000..2251b02
--- /dev/null
@@ -0,0 +1,407 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
+attribute sandbox_x_domain;
+attribute sandbox_file_type;
+attribute sandbox_web_type;
+attribute sandbox_tmpfs_type;
+attribute sandbox_x_type;
+
+########################################
+#
+# Declarations
+#
+
+sandbox_domain_template(sandbox)
+sandbox_x_domain_template(sandbox_min)
+sandbox_x_domain_template(sandbox_x)
+sandbox_x_domain_template(sandbox_web)
+sandbox_x_domain_template(sandbox_net)
+
+type sandbox_xserver_t;
+domain_type(sandbox_xserver_t)
+xserver_user_x_domain_template(sandbox_xserver, sandbox_xserver_t, sandbox_xserver_tmpfs_t)
+
+type sandbox_xserver_tmpfs_t;
+files_tmpfs_file(sandbox_xserver_tmpfs_t)
+
+type sandbox_devpts_t;
+term_pty(sandbox_devpts_t)
+files_type(sandbox_devpts_t)
+
+########################################
+#
+# sandbox xserver policy
+#
+allow sandbox_xserver_t self:process { execmem execstack };
+allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
+allow sandbox_xserver_t self:shm create_shm_perms;
+allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_lnk_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_dontaudit_request_load_module(sandbox_xserver_t)
+
+corecmd_exec_bin(sandbox_xserver_t)
+corecmd_exec_shell(sandbox_xserver_t)
+
+corenet_all_recvfrom_unlabeled(sandbox_xserver_t)
+corenet_all_recvfrom_netlabel(sandbox_xserver_t)
+corenet_tcp_sendrecv_all_if(sandbox_xserver_t)
+corenet_udp_sendrecv_all_if(sandbox_xserver_t)
+corenet_tcp_sendrecv_all_nodes(sandbox_xserver_t)
+corenet_udp_sendrecv_all_nodes(sandbox_xserver_t)
+corenet_tcp_sendrecv_all_ports(sandbox_xserver_t)
+corenet_udp_sendrecv_all_ports(sandbox_xserver_t)
+corenet_tcp_bind_all_nodes(sandbox_xserver_t)
+corenet_tcp_bind_xserver_port(sandbox_xserver_t)
+corenet_sendrecv_xserver_server_packets(sandbox_xserver_t)
+corenet_sendrecv_all_client_packets(sandbox_xserver_t)
+
+dev_rwx_zero(sandbox_xserver_t)
+
+files_read_config_files(sandbox_xserver_t)
+files_read_usr_files(sandbox_xserver_t)
+files_search_home(sandbox_xserver_t)
+fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t)
+fs_list_inotifyfs(sandbox_xserver_t)
+
+miscfiles_read_fonts(sandbox_xserver_t)
+miscfiles_read_localization(sandbox_xserver_t)
+
+kernel_read_system_state(sandbox_xserver_t)
+
+selinux_validate_context(sandbox_xserver_t)
+selinux_compute_access_vector(sandbox_xserver_t)
+selinux_compute_create_context(sandbox_xserver_t)
+
+auth_use_nsswitch(sandbox_xserver_t)
+
+logging_send_syslog_msg(sandbox_xserver_t)
+logging_send_audit_msgs(sandbox_xserver_t)
+
+userdom_use_user_terminals(sandbox_xserver_t)
+userdom_dontaudit_search_user_home_content(sandbox_xserver_t)
+
+xserver_entry_type(sandbox_xserver_t)
+
+optional_policy(`
+       dbus_system_bus_client(sandbox_xserver_t)
+
+       optional_policy(`
+               hal_dbus_chat(sandbox_xserver_t)
+       ')
+')
+
+########################################
+#
+# sandbox local policy
+#
+
+## internal communication is often done using fifo and unix sockets.
+allow sandbox_domain self:fifo_file manage_file_perms;
+allow sandbox_domain self:sem create_sem_perms;
+allow sandbox_domain self:shm create_shm_perms;
+allow sandbox_domain self:msgq create_msgq_perms;
+allow sandbox_domain self:unix_stream_socket create_stream_socket_perms;
+allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
+dontaudit sandbox_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+dev_rw_all_inherited_chr_files(sandbox_domain)
+dev_rw_all_inherited_blk_files(sandbox_domain)
+
+gen_require(`
+       type usr_t, lib_t, locale_t;
+       type var_t, var_run_t, rpm_log_t, locale_t;
+       attribute exec_type, configfile;
+')
+
+files_rw_all_inherited_files(sandbox_domain, -exec_type -configfile -usr_t -lib_t -locale_t -var_t -var_run_t -device_t -rpm_log_t )
+files_entrypoint_all_files(sandbox_domain)
+
+files_read_config_files(sandbox_domain)
+files_read_usr_files(sandbox_domain)
+files_read_var_files(sandbox_domain)
+files_dontaudit_search_all_dirs(sandbox_domain)
+
+miscfiles_read_localization(sandbox_domain)
+
+kernel_dontaudit_read_system_state(sandbox_domain)
+corecmd_exec_all_executables(sandbox_domain)
+
+userdom_dontaudit_use_user_terminals(sandbox_domain)
+
+mta_dontaudit_read_spool_symlinks(sandbox_domain)
+
+########################################
+#
+# sandbox_x_domain local policy
+#
+allow sandbox_x_domain self:fifo_file manage_file_perms;
+allow sandbox_x_domain self:sem create_sem_perms;
+allow sandbox_x_domain self:shm create_shm_perms;
+allow sandbox_x_domain self:msgq create_msgq_perms;
+allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;
+allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
+
+allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;
+
+allow sandbox_x_domain self:process { signal_perms getsched setpgid execstack execmem };
+allow sandbox_x_domain self:shm create_shm_perms;
+allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
+allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
+allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto;
+dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+domain_dontaudit_read_all_domains_state(sandbox_x_domain)
+
+files_search_home(sandbox_x_domain)
+files_dontaudit_list_tmp(sandbox_x_domain)
+
+kernel_getattr_proc(sandbox_x_domain)
+kernel_read_network_state(sandbox_x_domain)
+kernel_read_system_state(sandbox_x_domain)
+
+corecmd_exec_all_executables(sandbox_x_domain)
+
+dev_read_urand(sandbox_x_domain)
+dev_dontaudit_read_rand(sandbox_x_domain)
+dev_read_sysfs(sandbox_x_domain)
+
+files_entrypoint_all_files(sandbox_x_domain)
+files_read_config_files(sandbox_x_domain)
+files_read_usr_files(sandbox_x_domain)
+files_read_usr_symlinks(sandbox_x_domain)
+
+fs_getattr_tmpfs(sandbox_x_domain)
+fs_getattr_xattr_fs(sandbox_x_domain)
+fs_list_inotifyfs(sandbox_x_domain)
+
+auth_dontaudit_read_login_records(sandbox_x_domain)
+auth_dontaudit_write_login_records(sandbox_x_domain)
+auth_use_nsswitch(sandbox_x_domain)
+auth_search_pam_console_data(sandbox_x_domain)
+
+init_read_utmp(sandbox_x_domain)
+init_dontaudit_write_utmp(sandbox_x_domain)
+
+miscfiles_read_localization(sandbox_x_domain)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(sandbox_x_domain)
+
+term_getattr_pty_fs(sandbox_x_domain)
+term_use_ptmx(sandbox_x_domain)
+
+logging_send_syslog_msg(sandbox_x_domain)
+logging_dontaudit_search_logs(sandbox_x_domain)
+
+miscfiles_read_fonts(sandbox_x_domain)
+
+storage_dontaudit_rw_fuse(sandbox_x_domain)
+
+optional_policy(`
+       cups_stream_connect(sandbox_x_domain)
+       cups_read_rw_config(sandbox_x_domain)
+')
+
+optional_policy(`
+       dbus_system_bus_client(sandbox_x_domain)
+')
+
+optional_policy(`
+       gnome_read_gconf_config(sandbox_x_domain)
+')
+
+optional_policy(`
+       nscd_dontaudit_search_pid(sandbox_x_domain)
+')
+
+optional_policy(`
+       sssd_dontaudit_search_lib(sandbox_x_domain)
+')
+
+optional_policy(`
+       udev_read_db(sandbox_x_domain)
+')
+
+userdom_dontaudit_use_user_terminals(sandbox_x_domain)
+userdom_read_user_home_content_symlinks(sandbox_x_domain)
+userdom_search_user_home_content(sandbox_x_domain)
+
+files_search_home(sandbox_x_t)
+userdom_use_user_ptys(sandbox_x_t)
+
+########################################
+#
+# sandbox_x_client_t local policy
+#
+allow sandbox_x_client_t self:tcp_socket create_stream_socket_perms;
+allow sandbox_x_client_t self:udp_socket create_socket_perms;
+allow sandbox_x_client_t self:dbus { acquire_svc send_msg };
+allow sandbox_x_client_t self:netlink_selinux_socket create_socket_perms;
+
+dev_read_rand(sandbox_x_client_t)
+
+corenet_tcp_connect_ipp_port(sandbox_x_client_t)
+
+auth_use_nsswitch(sandbox_x_client_t)
+
+selinux_get_fs_mount(sandbox_x_client_t)
+selinux_validate_context(sandbox_x_client_t)
+selinux_compute_access_vector(sandbox_x_client_t)
+selinux_compute_create_context(sandbox_x_client_t)
+selinux_compute_relabel_context(sandbox_x_client_t)
+selinux_compute_user_contexts(sandbox_x_client_t)
+seutil_read_default_contexts(sandbox_x_client_t)
+
+optional_policy(`
+       hal_dbus_chat(sandbox_x_client_t)
+')
+
+
+allow sandbox_web_t self:process setsched;
+
+optional_policy(`
+       nsplugin_read_rw_files(sandbox_web_t)
+')
+
+########################################
+#
+# sandbox_web_client_t local policy
+#
+typeattribute sandbox_web_client_t sandbox_web_type;
+
+allow sandbox_web_type self:capability { setuid setgid };
+allow sandbox_web_type self:netlink_audit_socket nlmsg_relay;
+allow sandbox_web_type self:process setsched;
+dontaudit sandbox_web_type self:process setrlimit;
+
+allow sandbox_web_type self:tcp_socket create_stream_socket_perms;
+allow sandbox_web_type self:udp_socket create_socket_perms;
+allow sandbox_web_type self:dbus { acquire_svc send_msg };
+allow sandbox_web_type self:netlink_selinux_socket create_socket_perms;
+
+kernel_dontaudit_search_kernel_sysctl(sandbox_web_type)
+kernel_request_load_module(sandbox_web_type)
+
+dev_read_rand(sandbox_web_type)
+dev_write_sound(sandbox_web_type)
+dev_read_sound(sandbox_web_type)
+
+corenet_all_recvfrom_unlabeled(sandbox_web_type)
+corenet_all_recvfrom_netlabel(sandbox_web_type)
+corenet_tcp_sendrecv_all_if(sandbox_web_type)
+corenet_raw_sendrecv_all_if(sandbox_web_type)
+corenet_tcp_sendrecv_all_nodes(sandbox_web_type)
+corenet_raw_sendrecv_all_nodes(sandbox_web_type)
+corenet_tcp_sendrecv_http_port(sandbox_web_type)
+corenet_tcp_sendrecv_http_cache_port(sandbox_web_type)
+corenet_tcp_sendrecv_squid_port(sandbox_web_type)
+corenet_tcp_sendrecv_ftp_port(sandbox_web_type)
+corenet_tcp_sendrecv_ipp_port(sandbox_web_type)
+corenet_tcp_connect_http_port(sandbox_web_type)
+corenet_tcp_connect_http_cache_port(sandbox_web_type)
+corenet_tcp_connect_squid_port(sandbox_web_type)
+corenet_tcp_connect_flash_port(sandbox_web_type)
+corenet_tcp_connect_ftp_port(sandbox_web_type)
+corenet_tcp_connect_ipp_port(sandbox_web_type)
+corenet_tcp_connect_streaming_port(sandbox_web_type)
+corenet_tcp_connect_pulseaudio_port(sandbox_web_type)
+corenet_tcp_connect_speech_port(sandbox_web_type)
+corenet_tcp_connect_generic_port(sandbox_web_type)
+corenet_tcp_connect_soundd_port(sandbox_web_type)
+corenet_tcp_connect_speech_port(sandbox_web_type)
+corenet_sendrecv_http_client_packets(sandbox_web_type)
+corenet_sendrecv_http_cache_client_packets(sandbox_web_type)
+corenet_sendrecv_squid_client_packets(sandbox_web_type)
+corenet_sendrecv_ftp_client_packets(sandbox_web_type)
+corenet_sendrecv_ipp_client_packets(sandbox_web_type)
+corenet_sendrecv_generic_client_packets(sandbox_web_type)
+
+corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type)
+corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type)
+
+files_dontaudit_getattr_all_dirs(sandbox_web_type)
+files_dontaudit_list_mnt(sandbox_web_type)
+
+fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type)
+fs_dontaudit_getattr_all_fs(sandbox_web_type)
+
+storage_dontaudit_getattr_fixed_disk_dev(sandbox_web_type)
+
+auth_use_nsswitch(sandbox_web_type)
+
+dbus_system_bus_client(sandbox_web_type)
+dbus_read_config(sandbox_web_type)
+selinux_get_fs_mount(sandbox_web_type)
+selinux_validate_context(sandbox_web_type)
+selinux_compute_access_vector(sandbox_web_type)
+selinux_compute_create_context(sandbox_web_type)
+selinux_compute_relabel_context(sandbox_web_type)
+selinux_compute_user_contexts(sandbox_web_type)
+seutil_read_default_contexts(sandbox_web_type)
+
+userdom_rw_user_tmpfs_files(sandbox_web_type)
+userdom_delete_user_tmpfs_files(sandbox_web_type)
+
+optional_policy(`
+       bluetooth_dontaudit_dbus_chat(sandbox_web_type)
+')
+
+optional_policy(`
+       consolekit_dbus_chat(sandbox_web_type)
+')
+
+optional_policy(`
+       hal_dbus_chat(sandbox_web_type)
+')
+
+optional_policy(`
+       nsplugin_read_rw_files(sandbox_web_type)
+       nsplugin_rw_exec(sandbox_web_type)
+       nsplugin_manage_rw(sandbox_web_type)
+')
+
+optional_policy(`
+       pulseaudio_stream_connect(sandbox_web_type)
+       allow sandbox_web_type self:netlink_kobject_uevent_socket create_socket_perms;
+')
+
+optional_policy(`
+       rtkit_daemon_dontaudit_dbus_chat(sandbox_web_type)
+')
+
+optional_policy(`
+       networkmanager_dontaudit_dbus_chat(sandbox_web_type)
+')
+
+optional_policy(`
+       udev_read_state(sandbox_web_type)
+')
+
+########################################
+#
+# sandbox_net_client_t local policy
+#
+typeattribute sandbox_net_client_t sandbox_web_type;
+
+corenet_all_recvfrom_unlabeled(sandbox_net_client_t)
+corenet_all_recvfrom_netlabel(sandbox_net_client_t)
+corenet_tcp_sendrecv_all_if(sandbox_net_client_t)
+corenet_udp_sendrecv_all_if(sandbox_net_client_t)
+corenet_tcp_sendrecv_all_nodes(sandbox_net_client_t)
+corenet_udp_sendrecv_all_nodes(sandbox_net_client_t)
+corenet_tcp_sendrecv_all_ports(sandbox_net_client_t)
+corenet_udp_sendrecv_all_ports(sandbox_net_client_t)
+corenet_tcp_connect_all_ports(sandbox_net_client_t)
+corenet_sendrecv_all_client_packets(sandbox_net_client_t)
+
+optional_policy(`
+       mozilla_dontaudit_rw_user_home_files(sandbox_x_t)
+       mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t)
+       mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
+')
index 1dc7a85d3177db35ca9f86fdcaa48d1aa5682ea2..7455c190643ff0fa4037f42b35d37260507a110d 100644 (file)
@@ -53,8 +53,14 @@ interface(`seunshare_run',`
 
 ########################################
 ## <summary>
-##     Role access for seunshare
+##     The role template for the seunshare module.
 ## </summary>
+## <param name="role_prefix">
+##     <summary>
+##     The prefix of the user role (e.g., user
+##     is the prefix for user_r).
+##     </summary>
+## </param>
 ## <param name="role">
 ##     <summary>
 ##     Role allowed access.
@@ -66,15 +72,28 @@ interface(`seunshare_run',`
 ##     </summary>
 ## </param>
 #
-interface(`seunshare_role',`
+interface(`seunshare_role_template',`
        gen_require(`
-               type seunshare_t;
+               attribute seunshare_domain;
+               type seunshare_exec_t;
        ')
 
-       role $2 types seunshare_t;
+       type $1_seunshare_t, seunshare_domain;
+       application_domain($1_seunshare_t, seunshare_exec_t)
+       role $2 types $1_seunshare_t;
 
-       seunshare_domtrans($1)
+       mls_process_set_level($1_seunshare_t)
 
-       ps_process_pattern($2, seunshare_t)
-       allow $2 seunshare_t:process signal;
+       domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t)
+       sandbox_transition($1_seunshare_t, $2)
+
+       ps_process_pattern($3, $1_seunshare_t)
+       allow $3 $1_seunshare_t:process signal_perms;
+
+       allow $1_seunshare_t $3:process transition;
+       dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh };
+
+       ifdef(`hide_broken_symptoms', `
+               dontaudit $1_seunshare_t $3:socket_class_set { read write };
+       ')
 ')
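Review bot: `seunshare_role_template` now declares a type (`type $1_seunshare_t, seunshare_domain;`) yet the renamed line still reads `interface(\`seunshare_role_template',\``; refpolicy convention is `template(` for macros that create types, and the name and summary already call it a template, so the line should be `template(\`seunshare_role_template',\``. The user-to-helper rule widened from `signal` to `signal_perms` on `allow $3 $1_seunshare_t:process signal_perms;`, which also grants sigkill/sigstop/sigchld from the user domain; if that is intended, a short why-comment on that line would help. The pair `allow $1_seunshare_t $3:process transition;` / `sandbox_transition($1_seunshare_t, $2)` is the security-relevant part of this template (the derived domain, which holds `sys_admin` in the .te, may re-enter the caller's domain or a sandbox domain) and deserves a comment such as `# seunshare execs the confined command back in the caller's domain or in a sandbox domain — confirm intent`, hedged since I infer that from the rules alone.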
index 75901658336b9494402523fd81171d893c441080..e5ef7b36f2ac792d722fb6a2a1016d8d1eb2c030 100644 (file)
@@ -5,40 +5,45 @@ policy_module(seunshare, 1.1.0)
 # Declarations
 #
 
-type seunshare_t;
+attribute seunshare_domain;
 type seunshare_exec_t;
-application_domain(seunshare_t, seunshare_exec_t)
-role system_r types seunshare_t;
 
 ########################################
 #
 # seunshare local policy
 #
+allow seunshare_domain self:capability { fowner setuid dac_override setpcap sys_admin sys_nice };
+allow seunshare_domain self:process { fork setexec signal getcap setcap setsched };
 
-allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
-allow seunshare_t self:process { setexec signal getcap setcap };
+allow seunshare_domain self:fifo_file rw_file_perms;
+allow seunshare_domain self:unix_stream_socket create_stream_socket_perms;
 
-allow seunshare_t self:fifo_file rw_file_perms;
-allow seunshare_t self:unix_stream_socket create_stream_socket_perms;
+kernel_read_system_state(seunshare_domain)
 
-corecmd_exec_shell(seunshare_t)
-corecmd_exec_bin(seunshare_t)
+corecmd_exec_shell(seunshare_domain)
+corecmd_exec_bin(seunshare_domain)
 
-files_read_etc_files(seunshare_t)
-files_mounton_all_poly_members(seunshare_t)
+files_search_all(seunshare_domain)
+files_read_etc_files(seunshare_domain)
+files_mounton_all_poly_members(seunshare_domain)
 
-auth_use_nsswitch(seunshare_t)
+fs_manage_cgroup_dirs(seunshare_domain)
+fs_manage_cgroup_files(seunshare_domain)
 
-logging_send_syslog_msg(seunshare_t)
+auth_use_nsswitch(seunshare_domain)
 
-miscfiles_read_localization(seunshare_t)
+logging_send_syslog_msg(seunshare_domain)
 
-userdom_use_user_terminals(seunshare_t)
+miscfiles_read_localization(seunshare_domain)
+
+userdom_use_user_terminals(seunshare_domain)
 
 ifdef(`hide_broken_symptoms', `
-       fs_dontaudit_rw_anon_inodefs_files(seunshare_t)
+       fs_dontaudit_rw_anon_inodefs_files(seunshare_domain)
+       fs_dontaudit_list_inotifyfs(seunshare_domain)
 
        optional_policy(`
-               mozilla_dontaudit_manage_user_home_files(seunshare_t)
+               mozilla_dontaudit_manage_user_home_files(seunshare_domain)
        ')
 ')
+
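Review bot: The capability line grows from `{ setuid dac_override setpcap sys_admin }` to add `fowner` and `sys_nice`, and `files_search_all`, `fs_manage_cgroup_dirs` and `fs_manage_cgroup_files` are new, with no comment naming the seunshare operation that needs each of them; for a domain that already holds `sys_admin`, every added bit should be annotated so later reviewers can re-check it. Suggest a comment above the capability line along the lines of `# fowner/sys_nice: presumably chown of polyinstantiated dirs and setsched of the child — TODO confirm` and one above the cgroup lines naming the cgroup feature seunshare uses. The hunk also appends a trailing empty line at the end of the file.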
diff --git a/policy/modules/apps/telepathy.fc b/policy/modules/apps/telepathy.fc
new file mode 100644 (file)
index 0000000..1e47b96
--- /dev/null
@@ -0,0 +1,14 @@
+HOME_DIR/\.mission-control(/.*)?                               gen_context(system_u:object_r:telepathy_mission_control_home_t, s0)
+HOME_DIR/\.cache/\.mc_connections              --              gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0)
+HOME_DIR/\.cache/telepathy/gabble(/.*)?                        gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
+
+/usr/libexec/mission-control-5                 --              gen_context(system_u:object_r:telepathy_mission_control_exec_t, s0)
+
+/usr/libexec/telepathy-butterfly               --              gen_context(system_u:object_r:telepathy_msn_exec_t, s0)
+/usr/libexec/telepathy-gabble                  --              gen_context(system_u:object_r:telepathy_gabble_exec_t, s0)
+/usr/libexec/telepathy-haze                            --              gen_context(system_u:object_r:telepathy_msn_exec_t, s0)
+/usr/libexec/telepathy-idle                            --              gen_context(system_u:object_r:telepathy_idle_exec_t, s0)
+/usr/libexec/telepathy-salut                   --              gen_context(system_u:object_r:telepathy_salut_exec_t, s0)
+/usr/libexec/telepathy-sofiasip                        --              gen_context(system_u:object_r:telepathy_sofiasip_exec_t, s0)
+/usr/libexec/telepathy-stream-engine   --              gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0)
+/usr/libexec/telepathy-sunshine                        --              gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0)
diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if
new file mode 100644 (file)
index 0000000..3d12484
--- /dev/null
@@ -0,0 +1,188 @@
+
+## <summary>Telepathy framework.</summary>
+
+#######################################
+## <summary>
+##  Creates basic types for telepathy
+##  domain
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+#
+template(`telepathy_domain_template',`
+
+       gen_require(`
+               attribute telepathy_domain;
+               attribute telepathy_executable;
+       ')
+
+       type telepathy_$1_t, telepathy_domain;
+       type telepathy_$1_exec_t, telepathy_executable;
+       application_domain(telepathy_$1_t, telepathy_$1_exec_t)
+       ubac_constrained(telepathy_$1_t)
+
+       type telepathy_$1_tmp_t;
+       files_tmp_file(telepathy_$1_tmp_t)
+       ubac_constrained(telepathy_$1_tmp_t)
+
+       dbus_session_domain(telepathy_$1_t, telepathy_$1_exec_t)
+')
+
+#######################################
+## <summary>
+##     Role access for telepathy domains
+###     that executes via dbus-session
+## </summary>
+## <param name="user_role">
+##     <summary>
+##     The role associated with the user domain.
+##     </summary>
+## </param>
+## <param name="user_domain">
+##     <summary>
+##     The type of the user domain.
+##     </summary>
+## </param>
+#
+template(`telepathy_dbus_session_role', `
+       gen_require(`
+               attribute telepathy_domain;
+       ')
+
+        role $1 types telepathy_domain;
+
+       allow $2 telepathy_domain:process { ptrace signal_perms };
+       ps_process_pattern($2, telepathy_domain)
+
+       optional_policy(`
+               telepathy_dbus_chat($2)
+       ')
+
+       telepathy_gabble_stream_connect($2)
+       telepathy_msn_stream_connect($2)
+       telepathy_salut_stream_connect($2)      
+')
+
+########################################
+## <summary>
+##     Send DBus messages to and from
+##     all Telepathy domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`telepathy_dbus_chat', `
+       gen_require(`
+               attribute telepathy_domain;
+               class dbus send_msg;
+       ')
+
+       allow $1 telepathy_domain:dbus send_msg;
+       allow telepathy_domain $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##     Send DBus messages to and from
+##     Telepathy Gabble.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`telepathy_gabble_dbus_chat', `
+       gen_require(`
+               type telepathy_gabble_t;
+               class dbus send_msg;
+       ')
+
+       allow $1 telepathy_gabble_t:dbus send_msg;
+       allow telepathy_gabble_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##     Read and write Telepathy Butterfly
+##     temporary files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`telepathy_butterfly_rw_tmp_files', `
+       gen_require(`
+               type telepathy_butterfly_tmp_t;
+       ')
+
+       allow $1 telepathy_butterfly_tmp_t:file rw_file_perms;
+       files_search_tmp($1)
+')
+
+########################################
+## <summary>
+##     Stream connect to Telepathy Gabble
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`telepathy_gabble_stream_connect', `
+       gen_require(`
+               type telepathy_gabble_t, telepathy_gabble_tmp_t;
+       ')
+
+       stream_connect_pattern($1, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t, telepathy_gabble_t)
+       files_search_tmp($1)
+')
+
+#######################################
+## <summary>
+##      Stream connect to telepathy MSN managers
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`telepathy_msn_stream_connect', `
+        gen_require(`
+                type telepathy_msn_t, telepathy_msn_tmp_t;
+        ')
+
+        stream_connect_pattern($1, telepathy_msn_tmp_t, telepathy_msn_tmp_t, telepathy_msn_t)
+        files_search_tmp($1)
+')
+
+
+########################################
+## <summary>
+##     Stream connect to Telepathy Salut
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`telepathy_salut_stream_connect', `
+       gen_require(`
+               type telepathy_salut_t, telepathy_salut_tmp_t;
+       ')
+
+       stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t)
+       files_search_tmp($1)
+')
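Review bot: `telepathy_butterfly_rw_tmp_files` requires `type telepathy_butterfly_tmp_t;`, but the telepathy.te added in this commit only instantiates `telepathy_domain_template` for gabble, idle, mission_control, msn, salut, sofiasip, stream_engine and sunshine, so no `telepathy_butterfly_*` type exists and any caller of this interface fails at policy build time; since the Butterfly binary is labeled `telepathy_msn_exec_t` in the .fc, the require should be `type telepathy_msn_tmp_t;` and the rule `allow $1 telepathy_msn_tmp_t:file rw_file_perms;` (or the interface renamed to match). In `telepathy_dbus_session_role` the line `allow $2 telepathy_domain:process { ptrace signal_perms };` gives the user domain ptrace over every connection manager, which is wider than the ps/signal access the summary describes; if debugging is the intent a comment should say so, otherwise `signal_perms` alone matches the other role templates in this commit. The doc line `###     that executes via dbus-session` has three hashes, which leaves a stray `#` in the extracted XML summary; the `telepathy_msn_stream_connect` body and the `role $1 types telepathy_domain;` line are space-indented where the rest of the file uses tabs, and `telepathy_salut_stream_connect($2)` carries trailing whitespace.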
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
new file mode 100644 (file)
index 0000000..aa34be4
--- /dev/null
@@ -0,0 +1,318 @@
+
+policy_module(telepathy, 1.0.0)
+
+########################################
+#
+# Declarations.
+#
+
+## <desc>
+## <p>
+##  Allow the Telepathy connection managers
+##  to connect to any generic TCP port.
+## </p>
+## </desc>
+gen_tunable(telepathy_tcp_connect_generic_network_ports, false)
+
+attribute telepathy_domain;
+attribute telepathy_executable;
+
+telepathy_domain_template(gabble)
+
+type telepathy_gabble_cache_home_t;
+userdom_user_home_content(telepathy_gabble_cache_home_t)
+
+telepathy_domain_template(idle)
+telepathy_domain_template(mission_control)
+
+type telepathy_mission_control_home_t;
+userdom_user_home_content(telepathy_mission_control_home_t)
+
+type telepathy_mission_control_cache_home_t;
+userdom_user_home_content(telepathy_mission_control_cache_home_t)
+
+telepathy_domain_template(msn)
+telepathy_domain_template(salut)
+telepathy_domain_template(sofiasip)
+telepathy_domain_template(stream_engine)
+telepathy_domain_template(sunshine)
+
+#######################################
+#
+# Telepathy Butterfly and Haze local policy.
+#
+
+allow telepathy_msn_t self:process setsched;
+allow telepathy_msn_t self:netlink_route_socket create_netlink_socket_perms;
+allow telepathy_msn_t self:unix_dgram_socket { write create connect };
+
+manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
+userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
+userdom_dontaudit_setattr_user_tmp(telepathy_msn_t)
+can_exec(telepathy_msn_t, telepathy_msn_tmp_t)
+
+corenet_sendrecv_http_client_packets(telepathy_msn_t)
+corenet_sendrecv_msnp_client_packets(telepathy_msn_t)
+corenet_tcp_connect_http_port(telepathy_msn_t)
+corenet_tcp_connect_msnp_port(telepathy_msn_t)
+corenet_tcp_connect_sametime_port(telepathy_msn_t)
+
+corecmd_exec_bin(telepathy_msn_t)
+corecmd_exec_shell(telepathy_msn_t)
+corecmd_read_bin_symlinks(telepathy_msn_t)
+
+dev_read_urand(telepathy_msn_t)
+
+files_read_etc_files(telepathy_msn_t)
+files_read_usr_files(telepathy_msn_t)
+
+auth_use_nsswitch(telepathy_msn_t)
+
+libs_exec_ldconfig(telepathy_msn_t)
+
+logging_send_syslog_msg(telepathy_msn_t)
+
+miscfiles_read_all_certs(telepathy_msn_t)
+
+sysnet_read_config(telepathy_msn_t)
+
+optional_policy(`
+        dbus_system_bus_client(telepathy_msn_t)
+       optional_policy(`
+               networkmanager_dbus_chat(telepathy_msn_t)
+       ')
+')
+
+optional_policy(`
+        gnome_read_gconf_home_files(telepathy_msn_t)
+')
+
+#######################################
+#
+# Telepathy Gabble local policy.
+#
+
+allow telepathy_gabble_t self:netlink_route_socket create_netlink_socket_perms;
+allow telepathy_gabble_t self:tcp_socket { listen accept };
+allow telepathy_gabble_t self:unix_dgram_socket { write read create getattr sendto };
+
+manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
+manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
+files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file })
+
+# ~/.cache/gabble/caps-cache.db-journal
+optional_policy(`
+        manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
+        manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
+        gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, { dir file })
+')
+
+corenet_sendrecv_commplex_client_packets(telepathy_gabble_t)
+corenet_sendrecv_http_client_packets(telepathy_gabble_t)
+corenet_sendrecv_jabber_client_client_packets(telepathy_gabble_t)
+corenet_sendrecv_vnc_client_packets(telepathy_gabble_t)
+
+corenet_tcp_connect_commplex_port(telepathy_gabble_t)
+corenet_tcp_connect_http_port(telepathy_gabble_t)
+corenet_tcp_connect_jabber_client_port(telepathy_gabble_t)
+corenet_tcp_connect_vnc_port(telepathy_gabble_t)
+
+dev_read_rand(telepathy_gabble_t)
+dev_read_urand(telepathy_gabble_t)
+
+files_read_config_files(telepathy_gabble_t)
+files_read_usr_files(telepathy_gabble_t)
+
+miscfiles_read_all_certs(telepathy_gabble_t)
+
+sysnet_read_config(telepathy_gabble_t)
+
+optional_policy(`
+        dbus_system_bus_client(telepathy_gabble_t)
+')
+
+tunable_policy(`use_nfs_home_dirs', `
+        fs_manage_nfs_dirs(telepathy_gabble_t)
+        fs_manage_nfs_files(telepathy_gabble_t)
+')
+
+tunable_policy(`use_samba_home_dirs', `
+        fs_manage_cifs_dirs(telepathy_gabble_t)
+        fs_manage_cifs_files(telepathy_gabble_t)
+')
+
+#######################################
+#
+# Telepathy Idle local policy.
+#
+
+allow telepathy_idle_t self:netlink_route_socket create_netlink_socket_perms;
+
+corenet_sendrecv_ircd_client_packets(telepathy_idle_t)
+corenet_tcp_connect_ircd_port(telepathy_idle_t)
+
+files_read_etc_files(telepathy_idle_t)
+
+sysnet_read_config(telepathy_idle_t)
+
+#######################################
+#
+# Telepathy Mission-Control local policy.
+#
+
+manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
+manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
+userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file })
+userdom_search_user_home_dirs(telepathy_mission_control_t)
+
+dev_read_rand(telepathy_mission_control_t)
+
+files_read_etc_files(telepathy_mission_control_t)
+files_read_usr_files(telepathy_mission_control_t)
+
+tunable_policy(`use_nfs_home_dirs', `
+        fs_manage_nfs_dirs(telepathy_mission_control_t)
+        fs_manage_nfs_files(telepathy_mission_control_t)
+')
+
+tunable_policy(`use_samba_home_dirs', `
+        fs_manage_cifs_dirs(telepathy_mission_control_t)
+        fs_manage_cifs_files(telepathy_mission_control_t)
+')
+
+auth_use_nsswitch(telepathy_mission_control_t)
+
+# ~/.cache/.mc_connections.
+optional_policy(`
+        manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t)
+        gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file)
+')
+
+optional_policy(`
+        gnome_read_gconf_home_files(telepathy_mission_control_t)
+        gnome_setattr_cache_home_dir(telepathy_mission_control_t)
+       gnome_read_generic_cache_files(telepathy_mission_control_t)
+')
+
+#######################################
+#
+# Telepathy Salut local policy.
+#
+
+allow telepathy_salut_t self:netlink_route_socket create_netlink_socket_perms;
+allow telepathy_salut_t self:tcp_socket { accept listen };
+
+manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_salut_tmp_t)
+files_tmp_filetrans(telepathy_salut_t, telepathy_salut_tmp_t, sock_file)
+
+corenet_sendrecv_presence_server_packets(telepathy_salut_t)
+corenet_tcp_bind_presence_port(telepathy_salut_t)
+corenet_tcp_connect_presence_port(telepathy_salut_t)
+
+dev_read_urand(telepathy_salut_t)
+
+files_read_etc_files(telepathy_salut_t)
+
+sysnet_read_config(telepathy_salut_t)
+
+optional_policy(`
+        dbus_system_bus_client(telepathy_salut_t)
+
+        optional_policy(`
+                avahi_dbus_chat(telepathy_salut_t)
+        ')
+')
+
+#######################################
+#
+# Telepathy Sofiasip local policy.
+#
+
+allow telepathy_sofiasip_t self:netlink_route_socket create_netlink_socket_perms;
+allow telepathy_sofiasip_t self:rawip_socket { create_socket_perms listen };
+allow telepathy_sofiasip_t self:tcp_socket { listen };
+
+corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t)
+corenet_tcp_connect_sip_port(telepathy_sofiasip_t)
+
+dev_read_urand(telepathy_sofiasip_t)
+
+kernel_request_load_module(telepathy_sofiasip_t)
+
+sysnet_read_config(telepathy_sofiasip_t)
+
+#######################################
+#
+# Telepathy Sunshine local policy.
+#
+
+manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
+exec_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
+files_tmp_filetrans(telepathy_sunshine_t, telepathy_sunshine_tmp_t, file)
+
+corecmd_list_bin(telepathy_sunshine_t)
+
+dev_read_urand(telepathy_sunshine_t)
+
+files_read_etc_files(telepathy_sunshine_t)
+files_read_usr_files(telepathy_sunshine_t)
+
+optional_policy(`
+        xserver_read_xdm_pid(telepathy_sunshine_t)
+        xserver_stream_connect(telepathy_sunshine_t)
+')
+
+#######################################
+#
+# telepathy domains common policy
+#
+
+allow telepathy_domain self:process { getsched signal sigkill };
+allow telepathy_domain self:fifo_file rw_fifo_file_perms;
+allow telepathy_domain self:tcp_socket create_socket_perms;
+allow telepathy_domain self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_netlabel(telepathy_domain)
+corenet_all_recvfrom_unlabeled(telepathy_domain)
+corenet_raw_bind_generic_node(telepathy_domain)
+corenet_raw_sendrecv_generic_if(telepathy_domain)
+corenet_raw_sendrecv_generic_node(telepathy_domain)
+corenet_tcp_bind_generic_node(telepathy_domain)
+corenet_tcp_sendrecv_generic_if(telepathy_domain)
+corenet_tcp_sendrecv_generic_node(telepathy_domain)
+corenet_udp_bind_generic_node(telepathy_domain)
+
+kernel_read_system_state(telepathy_domain)
+
+fs_search_auto_mountpoints(telepathy_domain)
+
+miscfiles_read_localization(telepathy_domain)
+
+# This interface does not facilitate files_search_tmp which appears to be a bug.
+userdom_stream_connect(telepathy_domain)
+userdom_use_user_terminals(telepathy_domain)
+
+tunable_policy(`telepathy_tcp_connect_generic_network_ports', `
+        corenet_tcp_connect_generic_port(telepathy_domain)
+        corenet_sendrecv_generic_client_packets(telepathy_domain)
+')
+
+optional_policy(`
+        automount_dontaudit_getattr_tmp_dirs(telepathy_domain)
+')
+
+optional_policy(`
+        nis_use_ypbind(telepathy_domain)
+')
+
+optional_policy(`
+        telepathy_dbus_chat(telepathy_domain)
+')
+
+optional_policy(`
+        xserver_rw_xdm_pipes(telepathy_domain)
+')
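Review bot: `telepathy_msn_t` and `telepathy_sunshine_t` get both write and execute on their own tmp types (`manage_files_pattern` plus `exec_files_pattern`/`can_exec` on `telepathy_msn_tmp_t`, and the same pair on `telepathy_sunshine_tmp_t`), which lets a compromised connection manager drop and run code from /tmp; if this is required (presumably by the Python-based managers), a comment above those lines should name the component that needs it, otherwise the exec rules should go. The raw-socket rules on the attribute (`corenet_raw_bind_generic_node`, `corenet_raw_sendrecv_generic_if`, `corenet_raw_sendrecv_generic_node`) apply to all nine domains while only `telepathy_sofiasip_t` is granted a `rawip_socket`, so they belong in the Sofiasip section. The comment `# This interface does not facilitate files_search_tmp which appears to be a bug.` should name the interface it refers to (`userdom_stream_connect`) and either be fixed in userdomain.if or reference a tracking bug, and the optional_policy/tunable_policy bodies mix eight-space and tab indentation (e.g. the `dbus_system_bus_client(telepathy_msn_t)` block).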
index e70b0e8b0d8a1cafe60bd413552eab68be37673e..cd83b89ee2bd88dd46ab90fd1cb6e6fa6e0f1778 100644 (file)
@@ -7,3 +7,4 @@
 # /usr
 #
 /usr/sbin/userhelper           --      gen_context(system_u:object_r:userhelper_exec_t,s0)
+/usr/bin/consolehelper         --      gen_context(system_u:object_r:consolehelper_exec_t,s0)
index ced285aaa8d88104c326c157ffec63db5860fd53..d73e7c8265d499e09bb99a841bbe67d16976878c 100644 (file)
@@ -25,6 +25,7 @@ template(`userhelper_role_template',`
        gen_require(`
                attribute userhelper_type;
                type userhelper_exec_t, userhelper_conf_t;
+               class dbus send_msg;
        ')
 
        ########################################
@@ -256,3 +257,58 @@ interface(`userhelper_exec',`
 
        can_exec($1, userhelper_exec_t)
 ')
+
+#######################################
+## <summary>
+##     The role template for the consolehelper module.
+## </summary>
+## <desc>
+##     <p>
+##     This template creates a derived domains which are used
+##     for consolehelper applications.
+##     </p>
+## </desc>
+## <param name="role_prefix">
+##     <summary>
+##     The prefix of the user domain (e.g., user
+##     is the prefix for user_t).
+##     </summary>
+## </param>
+## <param name="user_role">
+##     <summary>
+##     The role associated with the user domain.
+##     </summary>
+## </param>
+## <param name="user_domain">
+##     <summary>
+##     The type of the user domain.
+##     </summary>
+## </param>
+#
+template(`userhelper_console_role_template',`
+       gen_require(`
+               type consolehelper_exec_t;
+               attribute consolehelper_domain;
+               class dbus send_msg;
+       ')
+       type $1_consolehelper_t, consolehelper_domain;
+       domain_type($1_consolehelper_t)
+       domain_entry_file($1_consolehelper_t, consolehelper_exec_t)
+       role $2 types $1_consolehelper_t;
+
+       domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t)
+
+       allow $3 $1_consolehelper_t:dbus send_msg;
+       allow $1_consolehelper_t $3:dbus send_msg;
+
+       auth_use_pam($1_consolehelper_t)
+
+       optional_policy(`
+               shutdown_run($1_consolehelper_t, $2)
+               shutdown_send_sigchld($3)
+       ')
+
+       optional_policy(`
+               xserver_read_xdm_pid($1_consolehelper_t)
+       ')
+')
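Review bot: `userhelper_console_role_template` builds the derived domain with `domain_type` plus `domain_entry_file` while the sibling `seunshare_role_template` in this commit uses `application_domain`, which as far as I recall also adds the domain to `application_domain_type`; unless the difference is deliberate, `application_domain($1_consolehelper_t, consolehelper_exec_t)` would be the consistent form. The template gives the user domain no `ps_process_pattern($3, $1_consolehelper_t)` or signal rule toward the derived domain, unlike `seunshare_role_template` here, so a hung consolehelper cannot be inspected or killed from the user role — presumably an oversight. The `<desc>` text `This template creates a derived domains which are used` should read `This template creates a derived domain used`.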
index d584dff8f2e268fe8baee6c19356aa7943172f86..f62c171b7d5a638f26206d14dd2b3e3dcaa0c36f 100644 (file)
@@ -6,9 +6,54 @@ policy_module(userhelper, 1.5.1)
 #
 
 attribute userhelper_type;
+attribute consolehelper_domain;
 
 type userhelper_conf_t;
 files_type(userhelper_conf_t)
 
 type userhelper_exec_t;
 application_executable_file(userhelper_exec_t)
+
+type consolehelper_exec_t;
+application_executable_file(consolehelper_exec_t)
+
+########################################
+#
+# consolehelper local policy
+#
+
+allow consolehelper_domain self:capability { setgid setuid }; 
+
+dontaudit consolehelper_domain  userhelper_conf_t:file write;
+read_files_pattern(consolehelper_domain, userhelper_conf_t, userhelper_conf_t)
+
+# Init script handling
+domain_use_interactive_fds(consolehelper_domain)
+
+# internal communication is often done using fifo and unix sockets.
+allow consolehelper_domain self:fifo_file rw_fifo_file_perms;
+allow consolehelper_domain self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_kernel_sysctls(consolehelper_domain)
+
+corecmd_exec_bin(consolehelper_domain)
+
+files_read_config_files(consolehelper_domain)
+files_read_usr_files(consolehelper_domain)
+
+auth_search_pam_console_data(consolehelper_domain)
+auth_read_pam_pid(consolehelper_domain)
+
+init_read_utmp(consolehelper_domain)
+
+miscfiles_read_localization(consolehelper_domain)
+
+userhelper_exec(consolehelper_domain)
+
+userdom_use_user_ptys(consolehelper_domain)
+userdom_use_user_ttys(consolehelper_domain)
+userdom_search_user_home_content(consolehelper_domain)
+
+optional_policy(`
+       xserver_stream_connect(consolehelper_domain)
+')
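Review bot: The comment `# Init script handling` above `domain_use_interactive_fds(consolehelper_domain)` is daemon-template boilerplate that does not describe a per-user console helper; it should say what the rule permits here, e.g. `# use fds inherited from the interactive domain that launched consolehelper`. `allow consolehelper_domain self:capability { setgid setuid };` is the privileged core of this domain and should carry a one-line why-comment (presumably because consolehelper runs setuid root and drops to the invoking user — confirm). That same line has trailing whitespace, and `dontaudit consolehelper_domain  userhelper_conf_t:file write;` has a doubled space.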
index 5872ea208f75a01d992a37d1229e6ed63d370712..028c994e7f16b185e2b59d36b8004506bccf38c7 100644 (file)
@@ -66,5 +66,6 @@ ifdef(`distro_gentoo',`
 /var/log/vmware.*              --      gen_context(system_u:object_r:vmware_log_t,s0)
 /var/log/vnetlib.*             --      gen_context(system_u:object_r:vmware_log_t,s0)
 
+/var/run/vmnet.*                       gen_context(system_u:object_r:vmware_var_run_t,s0)
 /var/run/vmnat.*               -s      gen_context(system_u:object_r:vmware_var_run_t,s0)
 /var/run/vmware.*                      gen_context(system_u:object_r:vmware_var_run_t,s0)
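Review bot: The added `/var/run/vmnet.*` entry has no file-type field, so it labels sockets, pipes, directories and regular files alike, while the neighbouring `/var/run/vmnat.*` is restricted with `-s`; if vmnet only creates sockets the line should be `/var/run/vmnet.*  -s  gen_context(system_u:object_r:vmware_var_run_t,s0)`. I cannot tell from the hunk which object types vmnet creates, so confirm before narrowing.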
index 1f803bbb39b64397a503282952a9c9712124a1a4..4bdcbe3d68733c73c2c314eef03c0e2b4ba005ab 100644 (file)
@@ -126,6 +126,7 @@ dev_getattr_all_blk_files(vmware_host_t)
 dev_read_sysfs(vmware_host_t)
 dev_read_urand(vmware_host_t)
 dev_rw_vmware(vmware_host_t)
+dev_rw_generic_chr_files(vmware_host_t)
 
 domain_use_interactive_fds(vmware_host_t)
 domain_dontaudit_read_all_domains_state(vmware_host_t)
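Review bot: `dev_rw_generic_chr_files(vmware_host_t)` on L6949 gives vmware_host_t read/write access to every character device node that still carries the generic device_t label, which is much wider than the `dev_rw_vmware` grant on the line above. If one specific node is the reason, a dedicated device type keeps the grant as narrow as `dev_rw_vmware`; otherwise a comment on the line, such as `# generic chr access: needed for <device node, to be filled in>`, would let a later maintainer retire it once the node gets its own type.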
@@ -133,6 +134,7 @@ domain_dontaudit_read_all_domains_state(vmware_host_t)
 files_list_tmp(vmware_host_t)
 files_read_etc_files(vmware_host_t)
 files_read_etc_runtime_files(vmware_host_t)
+files_read_usr_files(vmware_host_t) 
 
 fs_getattr_all_fs(vmware_host_t)
 fs_search_auto_mountpoints(vmware_host_t)
@@ -151,15 +153,27 @@ logging_send_syslog_msg(vmware_host_t)
 miscfiles_read_localization(vmware_host_t)
 
 sysnet_dns_name_resolve(vmware_host_t)
+sysnet_domtrans_ifconfig(vmware_host_t) 
 
 userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
 userdom_dontaudit_search_user_home_dirs(vmware_host_t)
 
 netutils_domtrans_ping(vmware_host_t)
 
+optional_policy(`
+        hostname_exec(vmware_host_t)
+') 
+
+optional_policy(`
+        modutils_domtrans_insmod(vmware_host_t)
+') 
+
 optional_policy(`
        seutil_sigchld_newrole(vmware_host_t)
+')
 
+optional_policy(`
+       shutdown_domtrans(vmware_host_t)
 ')
 
 optional_policy(`
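Review bot: `modutils_domtrans_insmod(vmware_host_t)` on L6977 lets vmware_host_t transition into the module-loading domain, which is a large privilege step for a host daemon and is not explained anywhere in the hunk; a one-line comment above the block naming the VMware component that loads modules would make the grant reviewable later. The two new `optional_policy` blocks on L6972–L6978 are indented with eight spaces while the rest of the file, including the adjacent block on L6980–L6982, uses a tab, and L6957, L6965, L6974 and L6978 end in trailing whitespace. The enclosing file continues outside the hunk.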
index 9d24449fb5d24a6cc396204f91b8c161cdc6ec4a..9782698fd5f32ab6d7fa0fae71bb0214817f67d3 100644 (file)
@@ -2,6 +2,7 @@ HOME_DIR/cxoffice/bin/wine.+    --      gen_context(system_u:object_r:wine_exec_t,s0)
 
 /opt/cxoffice/bin/wine.*       --      gen_context(system_u:object_r:wine_exec_t,s0)
 
+/opt/google/picasa(/.*)?/Picasa3/.*exe --      gen_context(system_u:object_r:wine_exec_t,s0)
 /opt/google/picasa(/.*)?/bin/msiexec --        gen_context(system_u:object_r:wine_exec_t,s0)
 /opt/google/picasa(/.*)?/bin/notepad --        gen_context(system_u:object_r:wine_exec_t,s0)
 /opt/google/picasa(/.*)?/bin/progman --        gen_context(system_u:object_r:wine_exec_t,s0)
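Review bot: The new pattern `.*exe` on L6994 has no escaped dot, so it labels any file whose name merely ends in the letters "exe", not only `*.exe` files. If the intent is the Windows executables shipped under Picasa3, `/opt/google/picasa(/.*)?/Picasa3/.*\.exe --      gen_context(system_u:object_r:wine_exec_t,s0)` expresses that precisely and matches the literal-name style of the surrounding entries.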
index 0440b4cb84161efba2d46f4bb79e363a972f9e9a..e10101a962f5ba5cc741ef595f0220a2b21e91c6 100644 (file)
 #
 template(`wine_role',`
        gen_require(`
+               type wine_t;
+               type wine_home_t;
                type wine_exec_t;
        ')
 
        role $1 types wine_t;
 
        domain_auto_trans($2, wine_exec_t, wine_t)
+       # Unrestricted inheritance from the caller.
+       allow $2 wine_t:process { noatsecure siginh rlimitinh };
        allow wine_t $2:fd use;
        allow wine_t $2:process { sigchld signull };
        allow wine_t $2:unix_stream_socket connectto;
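Review bot: The comment on L7010 says what `allow $2 wine_t:process { noatsecure siginh rlimitinh };` does but not why it is acceptable here: `noatsecure` suppresses the secure-exec handling on the transition into wine_t, and `siginh`/`rlimitinh` let the caller's signal state and rlimits carry over, which is the opposite of what a domain transition normally provides. Since this commit also makes wine_t unconfined when that module is present (L7086), the grant may well be intended, but the comment should say so, e.g. `# wine_t is unconfined when the unconfined module is loaded; do not copy this into confined role templates.`, so the three lines are not cargo-culted into confined templates. The `@@` header for this hunk is not shown on the page, so the hunk's exact start is inferred.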
@@ -44,8 +48,7 @@ template(`wine_role',`
        allow $2 wine_t:process signal_perms;
 
        allow $2 wine_t:fd use;
-       allow $2 wine_t:shm { associate getattr };
-       allow $2 wine_t:shm { unix_read unix_write };
+       allow $2 wine_t:shm { associate getattr  unix_read unix_write };
        allow $2 wine_t:unix_stream_socket connectto;
 
        # X access, Home files
@@ -86,6 +89,7 @@ template(`wine_role',`
 #
 template(`wine_role_template',`
        gen_require(`
+               type wine_t;
                type wine_exec_t;
        ')
 
@@ -101,7 +105,7 @@ template(`wine_role_template',`
        corecmd_bin_domtrans($1_wine_t, $1_t)
 
        userdom_unpriv_usertype($1, $1_wine_t)
-       userdom_manage_user_tmpfs_files($1_wine_t)
+       userdom_manage_tmpfs_role($2, $1_wine_t)
 
        domain_mmap_low($1_wine_t)
 
@@ -109,6 +113,10 @@ template(`wine_role_template',`
                dontaudit $1_wine_t self:memprotect mmap_zero;
        ')
 
+       tunable_policy(`wine_mmap_zero_ignore',`
+               dontaudit $1_wine_t self:memprotect mmap_zero;
+       ')
+
        optional_policy(`
                xserver_role($1_r, $1_wine_t)
        ')
@@ -157,3 +165,22 @@ interface(`wine_run',`
        wine_domtrans($1)
        role $2 types wine_t;
 ')
+
+########################################
+## <summary>
+##     Read and write wine Shared
+##     memory segments.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`wine_rw_shm',`
+       gen_require(`
+               type wine_t;
+       ')
+
+       allow $1 wine_t:shm rw_shm_perms;
+')
index f9a123a31dcd438350f86f702092bdae7c183371..277543affbfbc20c98cf2697586c3046e5cb4251 100644 (file)
@@ -51,7 +51,11 @@ optional_policy(`
 ')
 
 optional_policy(`
-       unconfined_domain_noaudit(wine_t)
+       policykit_dbus_chat(wine_t)
+')
+
+optional_policy(`
+       unconfined_domain(wine_t)
 ')
 
 optional_policy(`
index 4b3bdeaa172c5c9061ade8d96f189e1b1351af0a..7c0518966372fa59714c1f5680112b5f2fdbbf96 100644 (file)
@@ -15,6 +15,7 @@ ubac_constrained(wireshark_t)
 type wireshark_home_t;
 typealias wireshark_home_t alias { user_wireshark_home_t staff_wireshark_home_t sysadm_wireshark_home_t };
 typealias wireshark_home_t alias { auditadm_wireshark_home_t secadm_wireshark_home_t };
+files_poly_member(wireshark_home_t)
 userdom_user_home_content(wireshark_home_t)
 
 type wireshark_tmp_t;
@@ -70,6 +71,8 @@ kernel_read_kernel_sysctls(wireshark_t)
 kernel_read_system_state(wireshark_t)
 kernel_read_sysctl(wireshark_t)
 
+corecmd_search_bin(wireshark_t)
+
 corenet_tcp_connect_generic_port(wireshark_t)
 corenet_tcp_sendrecv_generic_if(wireshark_t)
 
index 82842a098bbb785c713966a49904c74dfda6bd35..369c3b51a5631ea980624004f33b6f073634482a 100644 (file)
@@ -75,6 +75,10 @@ template(`wm_role_template',`
        miscfiles_read_fonts($1_wm_t)
        miscfiles_read_localization($1_wm_t)
 
+       userdom_manage_home_role($2, $1_wm_t)
+       userdom_manage_tmpfs_role($2, $1_wm_t)
+       userdom_manage_tmp_role($2, $1_wm_t)
+
        optional_policy(`
                dbus_system_bus_client($1_wm_t)
                dbus_session_bus_client($1_wm_t)
index 0eb1d976e6e1f1b4b7ebeb21e62b187ccb1bc498..93c9ec1b708f8cdbb5ef550fd2e60b1ed151d323 100644 (file)
@@ -9,8 +9,11 @@
 /bin/bash2                     --      gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/fish                      --      gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/ksh.*                     --      gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/mksh                      --      gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/mountpoint                        --      gen_context(system_u:object_r:bin_t,s0)
 /bin/sash                      --      gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/tcsh                      --      gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/yash                      --  gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/zsh.*                     --      gen_context(system_u:object_r:shell_exec_t,s0)
 
 #
@@ -101,6 +104,9 @@ ifdef(`distro_redhat',`
 /etc/X11/xdm/Xsetup_0          --      gen_context(system_u:object_r:bin_t,s0)
 /etc/X11/xinit(/.*)?                   gen_context(system_u:object_r:bin_t,s0)
 
+/etc/pki/tls/certs/make-dummy-cert --  gen_context(system_u:object_r:bin_t,s0)
+/etc/pki/tls/misc(/.*)?                --      gen_context(system_u:object_r:bin_t,s0)
+
 /etc/profile.d(/.*)?                   gen_context(system_u:object_r:bin_t,s0)
 /etc/xen/qemu-ifup             --      gen_context(system_u:object_r:bin_t,s0)
 /etc/xen/scripts(/.*)?                 gen_context(system_u:object_r:bin_t,s0)
@@ -109,6 +115,8 @@ ifdef(`distro_debian',`
 /etc/mysql/debian-start                --      gen_context(system_u:object_r:bin_t,s0)
 ')
 
+/etc/vmware-tools(/.*)?                        gen_context(system_u:object_r:bin_t,s0)
+
 #
 # /lib
 #
@@ -126,6 +134,8 @@ ifdef(`distro_gentoo',`
 /lib/rcscripts/net\.modules\.d/helpers\.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
 ')
+/lib/readahead(/.*)?                   gen_context(system_u:object_r:bin_t,s0)
+/lib/upstart(/.*)?                     gen_context(system_u:object_r:bin_t,s0)
 
 #
 # /sbin
@@ -145,6 +155,12 @@ ifdef(`distro_gentoo',`
 
 /opt/(.*/)?sbin(/.*)?                  gen_context(system_u:object_r:bin_t,s0)
 
+/opt/google/talkplugin/cron(/.*)?      gen_context(system_u:object_r:bin_t,s0)
+
+/opt/gutenprint/cups/lib/filter(/.*)?  gen_context(system_u:object_r:bin_t,s0)
+
+/opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
 ifdef(`distro_gentoo',`
 /opt/RealPlayer/realplay(\.bin)?       gen_context(system_u:object_r:bin_t,s0)
 /opt/RealPlayer/postint(/.*)?          gen_context(system_u:object_r:bin_t,s0)
@@ -169,6 +185,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/fence(/.*)?                   gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/pgsql/test/regress/.*\.sh --  gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/qt.*/bin(/.*)?                        gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/mediawiki/math/texvc.*   gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/apt/methods.+    --      gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -218,8 +235,11 @@ ifdef(`distro_gentoo',`
 /usr/sbin/sesh                 --      gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/sbin/smrsh                        --      gen_context(system_u:object_r:shell_exec_t,s0)
 
+/usr/share/ajaxterm/qweb.py.* --       gen_context(system_u:object_r:bin_t,s0)
+/usr/share/ajaxterm/ajaxterm.py.* --   gen_context(system_u:object_r:bin_t,s0)
 /usr/share/apr-0/build/[^/]+\.sh --    gen_context(system_u:object_r:bin_t,s0)
 /usr/share/apr-0/build/libtool --      gen_context(system_u:object_r:bin_t,s0)
+/usr/share/dayplanner/dayplanner --    gen_context(system_u:object_r:bin_t,s0)
 /usr/share/debconf/.+          --      gen_context(system_u:object_r:bin_t,s0)
 /usr/share/denyhosts/scripts(/.*)?     gen_context(system_u:object_r:bin_t,s0)
 /usr/share/denyhosts/plugins(/.*)?     gen_context(system_u:object_r:bin_t,s0)
@@ -228,6 +248,8 @@ ifdef(`distro_gentoo',`
 /usr/share/cluster/svclib_nfslock --   gen_context(system_u:object_r:bin_t,s0)
 /usr/share/e16/misc(/.*)?              gen_context(system_u:object_r:bin_t,s0)
 /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/gitolite/hooks/common/update         --      gen_context(system_u:object_r:bin_t,s0)
+/usr/share/gitolite/hooks/gitolite-admin/post-update -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
@@ -314,6 +336,7 @@ ifdef(`distro_redhat', `
 /usr/share/texmf/web2c/mktexdir        --      gen_context(system_u:object_r:bin_t,s0)
 /usr/share/texmf/web2c/mktexnam        --      gen_context(system_u:object_r:bin_t,s0)
 /usr/share/texmf/web2c/mktexupd        --      gen_context(system_u:object_r:bin_t,s0)
+/usr/share/texmf/texconfig/tcfmgr      --      gen_context(system_u:object_r:bin_t,s0)
 ')
 
 ifdef(`distro_suse', `
@@ -340,3 +363,27 @@ ifdef(`distro_suse', `
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+                  gen_context(system_u:object_r:bin_t,s0)
 ')
+/var/lib/asterisk/agi-bin(/.*)?                gen_context(system_u:object_r:bin_t,s0)
+
+/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
+/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
+
+/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib/oracle/xe/apps(/.*)?  gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/pm-utils(/.*)?  gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib/wicd/monitor.py       --      gen_context(system_u:object_r:bin_t, s0)
+
+/usr/lib(64)?/nspluginwrapper/np.*     gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/rpm/rpmd         --      gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/rpm/rpmq         --      gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/rpm/rpmk         --      gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/rpm/rpmv         --      gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/gimp/.*/plug-ins(/.*)?  gen_context(system_u:object_r:bin_t,s0)
+
+/etc/kde/env(/.*)?  gen_context(system_u:object_r:bin_t,s0)
+/etc/kde/shutdown(/.*)?  gen_context(system_u:object_r:bin_t,s0)
index 1cc7ef60f01b471a6ad4e4abd08472d0369e1746..58b4e9daf0645b62c16dfc71bc9b9469e3ba6dc6 100644 (file)
@@ -931,6 +931,7 @@ interface(`corecmd_exec_chroot',`
 
        read_lnk_files_pattern($1, bin_t, bin_t)
        can_exec($1, chroot_exec_t)
+       allow $1 self:capability sys_chroot;
 ')
 
 ########################################
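Review bot: `allow $1 self:capability sys_chroot;` on L7244 turns an exec interface into one that also hands CAP_SYS_CHROOT to every existing caller of `corecmd_exec_chroot`, including callers that only execute the binary and never call chroot(2) themselves; capability grants are normally kept in the caller's .te so each domain's privilege is visible in one place. If the convenience is wanted, the interface's `<summary>` above the hunk must be updated to say that the capability is granted, e.g. `## Execute chroot in the caller domain and grant the sys_chroot capability.`, so callers can see what they pick up. The interface's opening lines are outside the hunk.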
@@ -1030,6 +1031,7 @@ interface(`corecmd_manage_all_executables',`
                type bin_t;
        ')
 
+       manage_dirs_pattern($1, bin_t, exec_type)
        manage_files_pattern($1, bin_t, exec_type)
        manage_lnk_files_pattern($1, bin_t, bin_t)
 ')
index 9e5c83ed4ac9e0fda5fa0344dda3b243eda123fa..953e0e8f495f6a430eaa4fe7936c776abf54d69e 100644 (file)
@@ -5,3 +5,6 @@
 /dev/tap.*     -c      gen_context(system_u:object_r:tun_tap_device_t,s0)
 
 /dev/net/.*    -c      gen_context(system_u:object_r:tun_tap_device_t,s0)
+
+/lib/udev/devices/ppp  -c      gen_context(system_u:object_r:ppp_device_t,s0)
+/lib/udev/devices/net/.* -c    gen_context(system_u:object_r:tun_tap_device_t,s0)
index 2ecdde815464e30e079cda52c3688101156ff4a3..f15e5bad9d4e87d256bf5a3bdb0044a98817b4c8 100644 (file)
@@ -24,6 +24,7 @@ dev_node(ppp_device_t)
 #
 type tun_tap_device_t;
 dev_node(tun_tap_device_t)
+mls_trusted_object(tun_tap_device_t)
 
 ########################################
 #
@@ -64,20 +65,25 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
 type server_packet_t, packet_type, server_packet_type;
 
 network_port(afs_bos, udp,7007,s0)
+network_port(afs_client, udp,7001,s0)
 network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
 network_port(afs_ka, udp,7004,s0)
 network_port(afs_pt, udp,7002,s0)
 network_port(afs_vl, udp,7003,s0)
 network_port(agentx, udp,705,s0, tcp,705,s0)
+network_port(ajaxterm, tcp,8022,s0)
 network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
 network_port(amavisd_recv, tcp,10024,s0)
 network_port(amavisd_send, tcp,10025,s0)
+network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
 network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0) 
 network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
+network_port(apertus_ldp, tcp,539,s0, udp,539,s0)
 network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
 network_port(audit, tcp,60,s0)
 network_port(auth, tcp,113,s0)
 network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
+network_port(boinc, tcp,31416,s0)
 type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
 network_port(certmaster, tcp,51235,s0)
 network_port(chronyd, udp,323,s0)
@@ -85,6 +91,7 @@ network_port(clamd, tcp,3310,s0)
 network_port(clockspeed, udp,4041,s0)
 network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0)
 network_port(cobbler, tcp,25151,s0)
+network_port(commplex, tcp,5000,s0, udp,5000,s0, tcp,5001,s0, udp,5001,s0)
 network_port(comsat, udp,512,s0)
 network_port(cvs, tcp,2401,s0, udp,2401,s0)
 network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
@@ -97,7 +104,9 @@ network_port(dict, tcp,2628,s0)
 network_port(distccd, tcp,3632,s0)
 network_port(dns, udp,53,s0, tcp,53,s0)
 network_port(epmap, tcp,135,s0, udp,135,s0)
+network_port(festival, tcp,1314,s0)
 network_port(fingerd, tcp,79,s0)
+network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0)
 network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
 network_port(ftp_data, tcp,20,s0)
 network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
@@ -109,7 +118,7 @@ network_port(hddtemp, tcp,7634,s0)
 network_port(howl, tcp,5335,s0, udp,5353,s0)
 network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
 network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
-network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
+network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
 network_port(i18n_input, tcp,9010,s0)
 network_port(imaze, tcp,5323,s0, udp,5323,s0)
 network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
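Review bot: Removing tcp 3128 from `http_cache` on L7322 while adding it to `squid` on L7410 relabels that port, so any domain that reaches a proxy on 3128 only through the http_cache port interfaces will be denied after this change unless it is also granted the squid port; the same holds for tcp/udp 464 moving from `kerberos_admin` to the new `kerberos_password` on L7333–L7335. Neither move is mentioned in the merge description, and this page does not show the callers being updated, so the affected domains should be audited and the change called out; a comment like `# 3128 moved to squid_port_t` on L7322 would at least record the relabel at the point of change.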
@@ -123,30 +132,34 @@ network_port(iscsi, tcp,3260,s0)
 network_port(isns, tcp,3205,s0, udp,3205,s0)
 network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
 network_port(jabber_interserver, tcp,5269,s0)
+network_port(jabber_router, tcp,5347,s0)
 network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
-network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
+network_port(kerberos_admin, tcp,749,s0)
 network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
+network_port(kerberos_password, tcp,464,s0, udp,464,s0)
 network_port(kismet, tcp,2501,s0)
 network_port(kprop, tcp,754,s0)
 network_port(ktalkd, udp,517,s0, udp,518,s0)
 network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
 network_port(lirc, tcp,8765,s0)
+network_port(luci, tcp,8084,s0)
 network_port(lmtp, tcp,24,s0, udp,24,s0)
 type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
 network_port(mail, tcp,2000,s0, tcp,3905,s0)
 network_port(memcache, tcp,11211,s0, udp,11211,s0)
 network_port(mmcc, tcp,5050,s0, udp,5050,s0)
 network_port(monopd, tcp,1234,s0)
+network_port(mpd, tcp,6600,s0)
 network_port(msnp, tcp,1863,s0, udp,1863,s0)
-network_port(mssql, tcp,1433,s0, tcp,1434,s0, udp,1433,s0, udp,1434,s0)
+network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
 network_port(munin, tcp,4949,s0, udp,4949,s0)
-network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63163,s0)
+network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
 network_port(mysqlmanagerd, tcp,2273,s0)
 network_port(nessus, tcp,1241,s0)
 network_port(netport, tcp,3129,s0, udp,3129,s0)
 network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
 network_port(nmbd, udp,137,s0, udp,138,s0)
-network_port(ntop, tcp,3000,s0, udp,3000,s0, tcp,3001,s0, udp,3001,s0)
+network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
 network_port(ntp, udp,123,s0)
 network_port(ocsp, tcp,9080,s0)
 network_port(openvpn, tcp,1194,s0, udp,1194,s0)
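Review bot: `network_port(luci, tcp,8084,s0)` on L7341 breaks the alphabetical order the block otherwise keeps (lirc, lmtp, luci); it should sit after the `lmtp` line on L7342. The other additions in this hunk (jabber_router, kerberos_password, mpd) are in the right position.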
@@ -154,12 +167,20 @@ network_port(pegasus_http, tcp,5988,s0)
 network_port(pegasus_https, tcp,5989,s0)
 network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
 network_port(pingd, tcp,9125,s0)
+network_port(piranha, tcp,3636,s0)
+network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443, s0, tcp, 9444, s0, tcp, 9445, s0)
+network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443, s0, tcp, 10444, s0, tcp, 10445, s0)
+network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443, s0, tcp, 11444, s0, tcp, 11445, s0)
+network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443, s0, tcp, 13444, s0, tcp, 13445, s0)
+network_port(pki_ra, tcp,12888-12889,s0)
+network_port(pki_tps, tcp,7888-7889,s0)
 network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
 network_port(portmap, udp,111,s0, tcp,111,s0)
 network_port(postfix_policyd, tcp,10031,s0)
 network_port(postgresql, tcp,5432,s0)
 network_port(postgrey, tcp,60000,s0)
 network_port(prelude, tcp,4690,s0, udp,4690,s0)
+network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
 network_port(printer, tcp,515,s0)
 network_port(ptal, tcp,5703,s0)
 network_port(pulseaudio, tcp,4713,s0)
@@ -174,24 +195,28 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
 network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
 network_port(rlogind, tcp,513,s0)
 network_port(rndc, tcp,953,s0)
-network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)
+network_port(router, udp,520-521,s0, tcp,521,s0)
 network_port(rsh, tcp,514,s0)
 network_port(rsync, tcp,873,s0, udp,873,s0)
 network_port(rwho, udp,513,s0)
 network_port(sap, tcp,9875,s0, udp,9875,s0)
+network_port(sametime, tcp,1533,s0, udp,1533,s0)
 network_port(sieve, tcp,4190,s0)
-network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0)
+network_port(sip, tcp,5060-5061,s0, udp,5060-5061,s0)
+network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0)
 network_port(smbd, tcp,137-139,s0, tcp,445,s0)
 network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
-network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0)
+network_port(snmp, tcp,161-162,s0, udp,161-162,s0, tcp,199,s0, tcp, 1161, s0)
 type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
 network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
 network_port(spamd, tcp,783,s0)
 network_port(speech, tcp,8036,s0)
-network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
+network_port(squid, tcp,3128,s0, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
 network_port(ssh, tcp,22,s0)
+network_port(streaming, tcp, 1755, s0, udp, 1755, s0)
 type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
 network_port(swat, tcp,901,s0)
+network_port(sype, tcp,9911,s0, udp,9911,s0)
 network_port(syslogd, udp,514,s0)
 network_port(telnetd, tcp,23,s0)
 network_port(tftp, udp,69,s0)
@@ -201,16 +226,17 @@ network_port(transproxy, tcp,8081,s0)
 network_port(ups, tcp,3493,s0)
 type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
 network_port(uucpd, tcp,540,s0)
-network_port(varnishd, tcp,6081,s0, tcp,6082,s0)
+network_port(varnishd, tcp,6081-6082,s0)
 network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
 network_port(virt_migration, tcp,49152-49216,s0)
-network_port(vnc, tcp,5900,s0)
+network_port(vnc, tcp,5900-5999,s0)
 network_port(wccp, udp,2048,s0)
 network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
 network_port(xdmcp, udp,177,s0, tcp,177,s0)
 network_port(xen, tcp,8002,s0)
 network_port(xfs, tcp,7100,s0)
-network_port(xserver, tcp,6000-6020,s0)
+network_port(xserver, tcp,6000-6150,s0)
+network_port(zarafa, tcp,236,s0)
 network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
 network_port(zope, tcp,8021,s0)
 
index 3b2da106dffbf2037437ca034a665af257a36034..7c29e17470211e6296890878c8920550fa0121a5 100644 (file)
@@ -159,6 +159,7 @@ ifdef(`distro_suse', `
 
 /dev/mvideo/.*         -c      gen_context(system_u:object_r:xserver_misc_device_t,s0)
 
+/dev/mqueue(/.*)?              <<none>>
 /dev/pts(/.*)?                 <<none>>
 
 /dev/s(ou)?nd/.*       -c      gen_context(system_u:object_r:sound_device_t,s0)
@@ -176,13 +177,12 @@ ifdef(`distro_suse', `
 
 /etc/udev/devices      -d      gen_context(system_u:object_r:device_t,s0)
 
-/lib/udev/devices      -d      gen_context(system_u:object_r:device_t,s0)
+/lib/udev/devices(/.*)         gen_context(system_u:object_r:device_t,s0)
 
-ifdef(`distro_gentoo',`
 # used by init scripts to initally populate udev /dev
+/lib/udev/devices/lp.*         -c      gen_context(system_u:object_r:printer_device_t,s0)
 /lib/udev/devices/null -c      gen_context(system_u:object_r:null_device_t,s0)
 /lib/udev/devices/zero -c      gen_context(system_u:object_r:zero_device_t,s0)
-')
 
 ifdef(`distro_redhat',`
 # originally from named.fc
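Review bot: The rewritten entry `/lib/udev/devices(/.*)` on L7454 is missing the `?` after the group, so it matches only paths below the directory and no longer matches `/lib/udev/devices` itself, which the removed `-d` entry on L7453 labelled; the directory would fall back to whatever an earlier `/lib` entry provides. The usual form is `/lib/udev/devices(/.*)?		gen_context(system_u:object_r:device_t,s0)`, which covers both the directory and its contents while the more specific `lp.*`, `null` and `zero` entries below still take precedence.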
@@ -191,3 +191,8 @@ ifdef(`distro_redhat',`
 /var/named/chroot/dev/random -c        gen_context(system_u:object_r:random_device_t,s0)
 /var/named/chroot/dev/zero -c  gen_context(system_u:object_r:zero_device_t,s0)
 ')
+
+#
+# /sys
+#
+/sys(/.*)?                     gen_context(system_u:object_r:sysfs_t,s0)
index 8b09281554945aa8454f8ed7cb04dc3b15281831..3fb8756eedb2dc79ba3d009edda13414c0369d66 100644 (file)
@@ -316,6 +316,24 @@ interface(`dev_dontaudit_getattr_generic_files',`
        dontaudit $1 device_t:file getattr;
 ')
 
+########################################
+## <summary>
+##     read generic files in /dev.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`dev_read_generic_files',`
+       gen_require(`
+               type device_t;
+       ')
+
+       read_files_pattern($1, device_t, device_t)
+')
+
 ########################################
 ## <summary>
 ##     Read and write generic files in /dev.
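Review bot: The parameter description on L7485 of the new `dev_read_generic_files` interface says `Domain to not audit.`, which is the wording for a dontaudit interface; since L7494 is a plain `read_files_pattern` grant it should read `##     Domain allowed access.` like the sibling interfaces, and the summary on L7481 should start with a capital as the others do. Two later hunks in this file carry spelling slips in the same doc blocks: `relablefrom` on L7506 and `Relable` on L7649 should be `relabelfrom` and `Relabel`. These comments are what the generated interface documentation shows, so they are worth getting right.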
@@ -496,6 +514,24 @@ interface(`dev_getattr_generic_chr_files',`
        getattr_chr_files_pattern($1, device_t, device_t)
 ')
 
+########################################
+## <summary>
+##     Allow relablefrom for generic character device files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_relabelfrom_generic_chr_files',`
+       gen_require(`
+               type device_t;
+       ')
+
+       allow $1 device_t:chr_file relabelfrom;
+')
+
 ########################################
 ## <summary>
 ##     Dontaudit getattr for generic character device files.
@@ -532,6 +568,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
        dontaudit $1 device_t:chr_file setattr;
 ')
 
+########################################
+## <summary>
+##     Read generic character device files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_read_generic_chr_files',`
+       gen_require(`
+               type device_t;
+       ')
+
+       allow $1 device_t:chr_file read_chr_file_perms;
+')
+
 ########################################
 ## <summary>
 ##     Read and write generic character device files.
@@ -550,6 +604,24 @@ interface(`dev_rw_generic_chr_files',`
        allow $1 device_t:chr_file rw_chr_file_perms;
 ')
 
+########################################
+## <summary>
+##     Read and write generic block device files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_rw_generic_blk_files',`
+       gen_require(`
+               type device_t;
+       ')
+
+       allow $1 device_t:blk_file rw_chr_file_perms;
+')
+
 ########################################
 ## <summary>
 ##     Dontaudit attempts to read/write generic character device files.
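Review bot: `dev_rw_generic_blk_files` applies `rw_chr_file_perms` to a `blk_file` on L7569; the block-device set is `rw_blk_file_perms`, and the line should be `allow $1 device_t:blk_file rw_blk_file_perms;`. Even if the two sets expand to the same permissions today, tying a blk_file rule to the chr_file set means a future change to either set silently affects the wrong class.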
@@ -659,6 +731,24 @@ interface(`dev_delete_generic_symlinks',`
        delete_lnk_files_pattern($1, device_t, device_t)
 ')
 
+########################################
+## <summary>
+##     Read symbolic links in device directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_read_generic_symlinks',`
+       gen_require(`
+               type device_t;
+       ')
+
+       allow $1 device_t:lnk_file read_lnk_file_perms;
+')
+
 ########################################
 ## <summary>
 ##     Create, delete, read, and write symbolic links in device directories.
@@ -1068,6 +1158,42 @@ interface(`dev_create_all_chr_files',`
        create_chr_files_pattern($1, device_t, device_node)
 ')
 
+########################################
+## <summary>
+##     rw all inherited character device files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_rw_all_inherited_chr_files',`
+       gen_require(`
+               attribute device_node;
+       ')
+
+       allow $1 device_node:chr_file rw_inherited_chr_file_perms;
+')
+
+########################################
+## <summary>
+##     rw all inherited blk device files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_rw_all_inherited_blk_files',`
+       gen_require(`
+               attribute device_node;
+       ')
+
+       allow $1 device_node:blk_file rw_inherited_blk_file_perms;
+')
+
 ########################################
 ## <summary>
 ##     Delete all block device files.
@@ -1330,6 +1456,24 @@ interface(`dev_getattr_autofs_dev',`
        getattr_chr_files_pattern($1, device_t, autofs_device_t)
 ')
 
+########################################
+## <summary>
+##     Relable the autofs device node.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_relabel_autofs_dev',`
+       gen_require(`
+               type autofs_device_t;
+       ')
+
+       allow $1 autofs_device_t:chr_file relabel_chr_file_perms;
+')
+
 ########################################
 ## <summary>
 ##     Do not audit attempts to get the attributes of
@@ -3593,6 +3737,24 @@ interface(`dev_manage_smartcard',`
        manage_chr_files_pattern($1, device_t, smartcard_device_t)
 ')
 
+########################################
+## <summary>
+##     Associate a file to a sysfs filesystem.
+## </summary>
+## <param name="file_type">
+##     <summary>
+##     The type of the file to be associated to sysfs.
+##     </summary>
+## </param>
+#
+interface(`dev_associate_sysfs',`
+       gen_require(`
+               type sysfs_t;
+       ')
+
+       allow $1 sysfs_t:filesystem associate;
+')
+
 ########################################
 ## <summary>
 ##     Get the attributes of sysfs directories.
@@ -3735,6 +3897,24 @@ interface(`dev_rw_sysfs',`
        list_dirs_pattern($1, sysfs_t, sysfs_t)
 ')
 
+########################################
+## <summary>
+##     Allow caller to modify hardware state information.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_manage_sysfs_dirs',`
+       gen_require(`
+               type sysfs_t;
+       ')
+
+       manage_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
 ########################################
 ## <summary>
 ##     Read from pseudo random number generator devices (e.g., /dev/urandom).
@@ -3904,6 +4084,24 @@ interface(`dev_read_usbmon_dev',`
        read_chr_files_pattern($1, device_t, usbmon_device_t)
 ')
 
+########################################
+## <summary>
+##     Write USB monitor devices.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_write_usbmon_dev',`
+       gen_require(`
+               type device_t, usbmon_device_t;
+       ')
+
+       write_chr_files_pattern($1, device_t, usbmon_device_t)
+')
+
 ########################################
 ## <summary>
 ##     Mount a usbfs filesystem.
@@ -4216,11 +4414,10 @@ interface(`dev_write_video_dev',`
 #
 interface(`dev_rw_vhost',`
        gen_require(`
-               type vhost_device_t;
+               type device_t, vhost_device_t;
        ')
 
-       list_dirs_pattern($1, vhost_device_t, vhost_device_t)
-       rw_files_pattern($1, vhost_device_t, vhost_device_t)
+       rw_chr_files_pattern($1, device_t, vhost_device_t)
 ')
 
 ########################################
index eb9c360e10bbc9af62fe3359f6625f4cccc6d1d8..20c2d34adca4156260fab89507b12399b77122a7 100644 (file)
@@ -102,6 +102,7 @@ dev_node(ksm_device_t)
 #
 type kvm_device_t;
 dev_node(kvm_device_t)
+mls_trusted_object(kvm_device_t)
 
 #
 # Type for /dev/lirc
@@ -304,5 +305,5 @@ files_associate_tmp(device_node)
 #
 
 allow devices_unconfined_type self:capability sys_rawio;
-allow devices_unconfined_type device_node:{ blk_file chr_file } *;
+allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
 allow devices_unconfined_type mtrr_device_t:file *;
index aad8c52be49d1de42f86c884b78752439c05f89b..0d8458a3cb76f8b4d6dddeed6370478081d6463f 100644 (file)
@@ -472,6 +472,25 @@ interface(`domain_signal_all_domains',`
        allow $1 domain:process signal;
 ')
 
+########################################
+## <summary>
+##     Dontaudit sending general signals to all domains.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`domain_dontaudit_signal_all_domains',`
+       gen_require(`
+               attribute domain;
+       ')
+
+       dontaudit $1 domain:process signal;
+')
+
 ########################################
 ## <summary>
 ##     Send a null signal to all domains.
@@ -611,7 +630,7 @@ interface(`domain_read_all_domains_state',`
 
 ########################################
 ## <summary>
-##     Get the attributes of all domains of all domains.
+##     Get the attributes of all domains.
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -630,7 +649,7 @@ interface(`domain_getattr_all_domains',`
 
 ########################################
 ## <summary>
-##     Get the attributes of all domains of all domains.
+##     Dontaudit geting the attributes of all domains.
 ## </summary>
 ## <param name="domain">
 ##     <summary>
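Review bot: The rewritten summary misspells "getting" as `geting`. Suggest `##     Do not audit attempts to get the attributes of all domains.`, which also matches the "Do not audit ..." phrasing used by the dontaudit interfaces in files.if.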
@@ -1473,3 +1492,22 @@ interface(`domain_unconfined',`
        typeattribute $1 set_curr_context;
        typeattribute $1 process_uncond_exempt;
 ')
+
+########################################
+## <summary>
+##     Do not audit attempts to read or write
+##     all leaked sockets.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`domain_dontaudit_leaks',`
+       gen_require(`
+               attribute domain;
+       ')
+
+       dontaudit $1 domain:socket_class_set { read write };
+')
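Review bot: The `<param>` summary of `domain_dontaudit_leaks` reads `Domain allowed access.`, but the interface only emits a dontaudit rule and grants nothing; the sibling `domain_dontaudit_signal_all_domains` added earlier in this file uses `Domain to not audit.`. Suggest the same wording here. `files_dontaudit_leaks` in the last files.if hunk has the identical mismatch.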
index 099f57f1b236d92cf6bfb8a927573a3410b5749f..d58ef64a5816a17ce000f64dcfc2bd946238d9ad 100644 (file)
@@ -4,6 +4,21 @@ policy_module(domain, 1.8.1)
 #
 # Declarations
 #
+## <desc>
+## <p>
+## Allow all domains to use other domains file descriptors
+## </p>
+## </desc>
+#
+gen_tunable(allow_domain_fd_use, true)
+
+## <desc>
+## <p>
+## Allow all domains to have the kernel load modules
+## </p>
+## </desc>
+#
+gen_tunable(domain_kernel_load_modules, false)
 
 ## <desc>
 ## <p>
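Review bot: `gen_tunable(allow_domain_fd_use, true)` is enabled by default, so the cross-domain fd-use restriction the tunable is meant to control is off unless an administrator flips it, and neither new `<desc>` states its default or what changes when toggled. Suggest `## Allow all domains to use file descriptors inherited from other domains (enabled by default).` and, for the second, `## Allow all domains to trigger kernel module autoloading (disabled by default).`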
@@ -87,14 +102,17 @@ allow domain self:dir list_dir_perms;
 allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
 allow domain self:file rw_file_perms;
 kernel_read_proc_symlinks(domain)
+kernel_read_crypto_sysctls(domain)
+
 # Every domain gets the key ring, so we should default
 # to no one allowed to look at it; afs kernel support creates
 # a keyring
 kernel_dontaudit_search_key(domain)
 kernel_dontaudit_link_key(domain)
+kernel_dontaudit_search_debugfs(domain)
 
 # create child processes in the domain
-allow domain self:process { fork sigchld };
+allow domain self:process { fork getsched sigchld };
 
 # Use trusted objects in /dev
 dev_rw_null(domain)
@@ -104,6 +122,13 @@ term_use_controlling_term(domain)
 # list the root directory
 files_list_root(domain)
 
+# All executables should be able to search the directory they are in
+corecmd_search_bin(domain)
+
+tunable_policy(`domain_kernel_load_modules',`
+       kernel_request_load_module(domain)
+')
+
 tunable_policy(`global_ssp',`
        # enable reading of urandom for all domains:
        # this should be enabled when all programs
@@ -112,9 +137,14 @@ tunable_policy(`global_ssp',`
        dev_read_urand(domain)
 ')
 
+optional_policy(`
+       afs_rw_cache(domain)
+')
+
 optional_policy(`
        libs_use_ld_so(domain)
        libs_use_shared_libs(domain)
+       libs_read_lib_files(domain)
 ')
 
 optional_policy(`
@@ -125,6 +155,8 @@ optional_policy(`
 optional_policy(`
        xserver_dontaudit_use_xdm_fds(domain)
        xserver_dontaudit_rw_xdm_pipes(domain)
+       xserver_dontaudit_append_xdm_home_files(domain)
+       xserver_dontaudit_write_log(domain)
 ')
 
 ########################################
@@ -143,6 +175,8 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
 allow unconfined_domain_type domain:fd use;
 allow unconfined_domain_type domain:fifo_file rw_file_perms;
 
+allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
+
 # Act upon any other process.
 allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
 
@@ -160,3 +194,81 @@ allow unconfined_domain_type domain:key *;
 
 # receive from all domains over labeled networking
 domain_all_recvfrom_all_domains(unconfined_domain_type)
+
+selinux_getattr_fs(domain)
+selinux_search_fs(domain)
+selinux_dontaudit_read_fs(domain)
+
+seutil_dontaudit_read_config(domain)
+
+init_sigchld(domain)
+init_signull(domain)
+
+ifdef(`distro_redhat',`
+       files_search_mnt(domain)
+       optional_policy(`
+               unconfined_use_fds(domain)
+       ')
+')
+
+# these seem questionable:
+
+optional_policy(`
+       abrt_domtrans_helper(domain)
+       abrt_read_pid_files(domain)
+       abrt_read_state(domain)
+       abrt_signull(domain)
+       abrt_stream_connect(domain)
+')
+
+optional_policy(`
+       rpm_use_fds(domain)
+       rpm_read_pipes(domain)
+       rpm_search_log(domain)
+       rpm_append_tmp_files(domain)
+       rpm_dontaudit_leaks(domain)
+       rpm_read_script_tmp_files(domain)
+       rpm_inherited_fifo(domain)
+')
+
+optional_policy(`
+       sosreport_append_tmp_files(domain)
+')
+
+tunable_policy(`allow_domain_fd_use',`
+       # Allow all domains to use fds past to them
+       allow domain domain:fd use;
+')
+
+optional_policy(`
+       cron_dontaudit_write_system_job_tmp_files(domain)
+       cron_rw_pipes(domain)
+       cron_rw_system_job_pipes(domain)
+')
+
+ifdef(`hide_broken_symptoms',`
+       dontaudit domain self:udp_socket listen;
+       allow domain domain:key { link search };
+')
+
+optional_policy(`
+       hal_dontaudit_read_pid_files(domain)
+')
+
+optional_policy(`
+       ifdef(`hide_broken_symptoms',`
+               afs_rw_udp_sockets(domain)
+       ')
+')
+
+optional_policy(`
+       ssh_rw_pipes(domain)
+')
+
+optional_policy(`
+       unconfined_dontaudit_rw_pipes(domain)
+       unconfined_sigchld(domain)
+')
+
+# broken kernel
+dontaudit can_change_object_identity can_change_object_identity:key link;
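Review bot: Inside `ifdef(`hide_broken_symptoms',` the hunk emits `allow domain domain:key { link search };`, an access grant from every domain to every other domain's keyrings, whereas the other rule in the same block and the usual purpose of that build flag is to silence audit noise with dontaudit. If the access is genuinely required it belongs outside the ifdef with a comment saying why; if only the denials are noisy, `dontaudit domain domain:key { link search };` fits the block. The `# these seem questionable:` comment above the abrt/rpm blocks should name which rules and why, since as written it flags nothing actionable. Typo in the tunable block: `fds past to them` should be `fds passed to them`.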
index 3517db213eb506c23eb46c5f0a590a876e09745f..bd4c23d20cc8af3598ceec1edc9ca47ccb25ef14 100644 (file)
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
 /fsckoptions           --      gen_context(system_u:object_r:etc_runtime_t,s0)
 /halt                  --      gen_context(system_u:object_r:etc_runtime_t,s0)
 /poweroff              --      gen_context(system_u:object_r:etc_runtime_t,s0)
+/[^/]+                 --      gen_context(system_u:object_r:etc_runtime_t,s0)
 ')
 
 ifdef(`distro_suse',`
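Review bot: The new catch-all `/[^/]+ -- ... etc_runtime_t` labels every regular file placed directly under / as etc_runtime_t, not only the boot flag files listed above it, and it has no comment explaining the intent. Since etc_runtime_t is a widely readable type, add a comment such as `# any other regular file in / (presumably flag files written at boot) — confirm`, and confirm that the more specific entries above it still win under the file_contexts matching rules rather than being shadowed.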
@@ -64,6 +65,13 @@ ifdef(`distro_suse',`
 /etc/reader\.conf      --      gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/smartd\.conf.*    --      gen_context(system_u:object_r:etc_runtime_t,s0)
 
+/etc/sysctl\.conf(\.old)?               --      gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/ebtables.*                              --      gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/ip6?tables.*             --      gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/ipvsadm.*                --      gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/system-config-firewall.* --      gen_context(system_u:object_r:system_conf_t,s0)
+
+
 /etc/cups/client\.conf --      gen_context(system_u:object_r:etc_t,s0)
 
 /etc/ipsec\.d/examples(/.*)?   gen_context(system_u:object_r:etc_t,s0)
@@ -74,7 +82,8 @@ ifdef(`distro_suse',`
 
 /etc/sysconfig/hwconf  --      gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/sysconfig/firstboot --    gen_context(system_u:object_r:etc_runtime_t,s0)
+
+/etc/xorg\.conf\.d/00-system-setup-keyboard\.conf --   gen_context(system_u:object_r:etc_runtime_t,s0)
 
 ifdef(`distro_gentoo', `
 /etc/profile\.env      --      gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -95,7 +104,7 @@ ifdef(`distro_suse',`
 # HOME_ROOT
 # expanded by genhomedircon
 #
-HOME_ROOT              -d      gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh)
+HOME_ROOT                      gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh)
 HOME_ROOT/\.journal            <<none>>
 HOME_ROOT/lost\+found  -d      gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 HOME_ROOT/lost\+found/.*               <<none>>
@@ -159,6 +168,12 @@ HOME_ROOT/lost\+found/.*           <<none>>
 /proc                  -d      <<none>>
 /proc/.*                       <<none>>
 
+ifdef(`distro_redhat',`
+/rhev                  -d      gen_context(system_u:object_r:mnt_t,s0)
+/rhev(/[^/]*)?         -d      gen_context(system_u:object_r:mnt_t,s0)
+/rhev/[^/]*/.*                 <<none>>
+')
+
 #
 # /selinux
 #
@@ -171,12 +186,6 @@ HOME_ROOT/lost\+found/.*           <<none>>
 /srv                   -d      gen_context(system_u:object_r:var_t,s0)
 /srv/.*                                gen_context(system_u:object_r:var_t,s0)
 
-#
-# /sys
-#
-/sys                   -d      <<none>>
-/sys/.*                                <<none>>
-
 #
 # /tmp
 #
@@ -217,7 +226,6 @@ HOME_ROOT/lost\+found/.*            <<none>>
 
 ifndef(`distro_redhat',`
 /usr/local/src(/.*)?           gen_context(system_u:object_r:src_t,s0)
-
 /usr/src(/.*)?                 gen_context(system_u:object_r:src_t,s0)
 /usr/src/kernels/.+/lib(/.*)?  gen_context(system_u:object_r:usr_t,s0)
 ')
@@ -233,6 +241,8 @@ ifndef(`distro_redhat',`
 
 /var/ftp/etc(/.*)?             gen_context(system_u:object_r:etc_t,s0)
 
+/var/named/chroot/etc(/.*)?    gen_context(system_u:object_r:etc_t,s0)
+
 /var/lib(/.*)?                 gen_context(system_u:object_r:var_lib_t,s0)
 
 /var/lib/nfs/rpc_pipefs(/.*)?  <<none>>
@@ -249,7 +259,7 @@ ifndef(`distro_redhat',`
 /var/spool(/.*)?                       gen_context(system_u:object_r:var_spool_t,s0)
 /var/spool/postfix/etc(/.*)?   gen_context(system_u:object_r:etc_t,s0)
 
-/var/tmp                       -d      gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+/var/tmp                       gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
 /var/tmp/.*                    <<none>>
 /var/tmp/lost\+found   -d      gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /var/tmp/lost\+found/.*                <<none>>
@@ -258,3 +268,5 @@ ifndef(`distro_redhat',`
 ifdef(`distro_debian',`
 /var/run/motd          --      gen_context(system_u:object_r:etc_runtime_t,s0)
 ')
+/nsr(/.*)?                                             gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)?                                                gen_context(system_u:object_r:var_log_t,s0)
index 5302dac437cf507d6ad22ecaed2a995df610eb7b..96a406db3dc63ef237b1af243dd436ff443f2250 100644 (file)
@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
        relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
        relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
        relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
-       # this is only relabelfrom since there should be no
-       # device nodes with file types.
-       relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
-       relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
+       relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
+       relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 })
 
        # satisfy the assertions:
        seutil_relabelto_bin_policy($1)
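Review bot: The hunk widens the device-node rules in `files_relabel_all_files` from relabelfrom-only to full `relabel_blk_files_pattern`/`relabel_chr_files_pattern` and deletes the comment that explained the old restriction, leaving no rationale for why relabelto of block/character nodes to file types is now wanted. Suggest replacing the dropped comment with one stating the new reason, e.g. `# device nodes may legitimately carry file types, so relabel both ways — confirm`. The enclosing interface starts outside the hunk.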
@@ -1444,6 +1442,42 @@ interface(`files_dontaudit_search_all_mountpoints',`
        dontaudit $1 mountpoint:dir search_dir_perms;
 ')
 
+########################################
+## <summary>
+##     Do not audit listing of all mount points.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`files_dontaudit_list_all_mountpoints',`
+       gen_require(`
+               attribute mountpoint;
+       ')
+
+       dontaudit $1 mountpoint:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##     Write all mount points.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_write_all_mountpoints',`
+       gen_require(`
+               attribute mountpoint;
+       ')
+
+       allow $1 mountpoint:dir write;
+')
+
 ########################################
 ## <summary>
 ##     List the contents of the root directory.
@@ -2433,6 +2467,24 @@ interface(`files_delete_etc_files',`
        delete_files_pattern($1, etc_t, etc_t)
 ')
 
+########################################
+## <summary>
+##     Remove entries from the etc directory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_delete_etc_dir_entry',`
+       gen_require(`
+               type etc_t;
+       ')
+
+       allow $1 etc_t:dir del_entry_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##     Execute generic files in /etc.
@@ -3086,6 +3138,7 @@ interface(`files_getattr_home_dir',`
        ')
 
        allow $1 home_root_t:dir getattr;
+       allow $1 home_root_t:lnk_file getattr;
 ')
 
 ########################################
@@ -3106,6 +3159,7 @@ interface(`files_dontaudit_getattr_home_dir',`
        ')
 
        dontaudit $1 home_root_t:dir getattr;
+       dontaudit $1 home_root_t:lnk_file getattr;
 ')
 
 ########################################
@@ -3347,6 +3401,24 @@ interface(`files_list_mnt',`
        allow $1 mnt_t:dir list_dir_perms;
 ')
 
+######################################
+## <summary>
+##  dontaudit List the contents of /mnt.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`files_dontaudit_list_mnt',`
+    gen_require(`
+        type mnt_t;
+    ')
+
+    dontaudit $1 mnt_t:dir list_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##     Mount a filesystem on /mnt.
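Review bot: `files_dontaudit_list_mnt` is indented with spaces while every other interface in this file uses tabs, its summary `dontaudit List the contents of /mnt.` reads as a rule rather than a description, and its param text `Domain allowed access.` does not follow the `Domain to not audit.` wording used by `files_dontaudit_search_all_mountpoints` above. Suggest `##     Do not audit attempts to list the contents of /mnt.` with tab indentation. The same space indentation appears in `files_read_mnt_symlinks`, the five `*_system_conf_*` interfaces, `files_rw_pid_dirs` and `files_create_var_run_dirs` later in this file.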
@@ -3420,6 +3492,24 @@ interface(`files_read_mnt_files',`
        read_files_pattern($1, mnt_t, mnt_t)
 ')
 
+######################################
+## <summary>
+##  Read symbolic links in /mnt.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`files_read_mnt_symlinks',`
+    gen_require(`
+        type mnt_t;
+    ')
+
+    read_lnk_files_pattern($1, mnt_t, mnt_t)
+')
+
 ########################################
 ## <summary>
 ##     Create, read, write, and delete symbolic links in /mnt.
@@ -3711,6 +3801,100 @@ interface(`files_read_world_readable_sockets',`
        allow $1 readable_t:sock_file read_sock_file_perms;
 ')
 
+#######################################
+## <summary>
+##  Read manageable system configuration files in /etc
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_read_system_conf_files',`
+    gen_require(`
+        type etc_t, system_conf_t;
+    ')
+
+    allow $1 etc_t:dir list_dir_perms;
+    read_files_pattern($1, etc_t, system_conf_t)
+    read_lnk_files_pattern($1, etc_t, system_conf_t)
+')
+
+######################################
+## <summary>
+##  Manage manageable system configuration files in /etc.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`files_manage_system_conf_files',`
+    gen_require(`
+        type etc_t, system_conf_t;
+    ')
+
+    manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
+')
+
+######################################
+## <summary>
+##  Relabel manageable system configuration files in /etc.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`files_relabelto_system_conf_files',`
+    gen_require(`
+        type usr_t;
+    ')
+
+    relabelto_files_pattern($1, system_conf_t, system_conf_t)
+')
+
+######################################
+## <summary>
+##  Relabel manageable system configuration files in /etc.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`files_relabelfrom_system_conf_files',`
+    gen_require(`
+        type usr_t;
+    ')
+
+    relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
+')
+
+###################################
+## <summary>
+##  Create files in /etc with the type used for
+##  the manageable system config files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  The type of the process performing this action.
+##  </summary>
+## </param>
+#
+interface(`files_etc_filetrans_system_conf',`
+    gen_require(`
+        type etc_t, system_conf_t;
+    ')
+
+    filetrans_pattern($1, etc_t, system_conf_t, file)
+')
+
 ########################################
 ## <summary>
 ##     Allow the specified type to associate
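Review bot: `files_relabelto_system_conf_files` and `files_relabelfrom_system_conf_files` require `type usr_t;` but their bodies reference `system_conf_t`, which is absent from the gen_require, so a loadable module calling them has no declaration for the type while carrying a spurious usr_t requirement; change both to `type system_conf_t;`. The two interfaces also share the identical summary `Relabel manageable system configuration files in /etc.`; the second should say `Relabel from ...` and the first `Relabel to ...` so the generated docs distinguish them.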
@@ -3894,6 +4078,32 @@ interface(`files_manage_generic_tmp_dirs',`
        manage_dirs_pattern($1, tmp_t, tmp_t)
 ')
 
+########################################
+## <summary>
+##     Allow shared library text relocations in tmp files.
+## </summary>
+## <desc>
+##     <p>
+##     Allow shared library text relocations in tmp files.
+##     </p>
+##     <p>
+##     This is added to support java policy.
+##     </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_execmod_tmp',`
+       gen_require(`
+               attribute tmpfile;
+       ')
+
+       allow $1 tmpfile:file execmod;
+')
+
 ########################################
 ## <summary>
 ##     Manage temporary files and directories in /tmp.
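Review bot: `files_execmod_tmp` grants `execmod` on every type carrying the tmpfile attribute, not just generic tmp_t, but the `<desc>` only says "tmp files" and that it supports java. Because execmod on writable temporary files is exactly what text-relocation hardening is meant to deny, the description should state the scope so callers can judge the exposure, e.g. `##     This applies to every type with the tmpfile attribute, including per-domain tmp types.`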
@@ -4109,6 +4319,13 @@ interface(`files_purge_tmp',`
        delete_lnk_files_pattern($1, tmpfile, tmpfile)
        delete_fifo_files_pattern($1, tmpfile, tmpfile)
        delete_sock_files_pattern($1, tmpfile, tmpfile)
+       files_delete_isid_type_dirs($1)
+       files_delete_isid_type_files($1)
+       files_delete_isid_type_symlinks($1)
+       files_delete_isid_type_fifo_files($1)
+       files_delete_isid_type_sock_files($1)
+       files_delete_isid_type_blk_files($1)
+       files_delete_isid_type_chr_files($1)
 ')
 
 ########################################
@@ -4716,6 +4933,24 @@ interface(`files_read_var_files',`
        read_files_pattern($1, var_t, var_t)
 ')
 
+########################################
+## <summary>
+##     Append files in the /var directory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_append_var_files',`
+       gen_require(`
+               type var_t;
+       ')
+
+       append_files_pattern($1, var_t, var_t)
+')
+
 ########################################
 ## <summary>
 ##     Read and write files in the /var directory.
@@ -5138,12 +5373,12 @@ interface(`files_getattr_generic_locks',`
 ## </param>
 #
 interface(`files_delete_generic_locks',`
-       gen_require(`
-               type var_t, var_lock_t;
-       ')
+       gen_require(`
+               type var_t, var_lock_t;
+       ')
 
-       allow $1 var_t:dir search_dir_perms;
-       delete_files_pattern($1, var_lock_t, var_lock_t)
+       allow $1 var_t:dir search_dir_perms;
+       delete_files_pattern($1, var_lock_t, var_lock_t)
 ')
 
 ########################################
@@ -5317,6 +5552,43 @@ interface(`files_search_pids',`
        search_dirs_pattern($1, var_t, var_run_t)
 ')
 
+######################################
+## <summary>
+## Add and remove entries from pid directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_rw_pid_dirs',`
+    gen_require(`
+        type var_run_t;
+    ')
+
+    allow $1 var_run_t:dir rw_dir_perms;
+')
+
+#######################################
+## <summary>
+##      Create generic pid directory.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`files_create_var_run_dirs',`
+        gen_require(`
+                type var_t, var_run_t;
+        ')
+
+        allow $1 var_t:dir search_dir_perms;
+        allow $1 var_run_t:dir create_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##     Do not audit attempts to search
@@ -5522,6 +5794,26 @@ interface(`files_dontaudit_ioctl_all_pids',`
        dontaudit $1 pidfile:file ioctl;
 ')
 
+########################################
+## <summary>
+##     manage all pidfile directories
+##     in the /var/run directory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_manage_all_pids_dirs',`
+       gen_require(`
+               attribute pidfile;
+       ')
+
+       manage_dirs_pattern($1,pidfile,pidfile)
+')
+
+
 ########################################
 ## <summary>
 ##     Read all process ID files.
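Review bot: `manage_dirs_pattern($1,pidfile,pidfile)` omits the spaces after commas that every other pattern call in this file uses, the summary starts lowercase (`manage all pidfile directories`), and the interface is followed by two blank lines instead of one. Suggest `manage_dirs_pattern($1, pidfile, pidfile)` and `##     Manage all pidfile directories in /var/run.`; `files_manage_generic_pids_symlinks` in the last hunk has the same comma spacing.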
@@ -5541,6 +5833,7 @@ interface(`files_read_all_pids',`
 
        list_dirs_pattern($1, var_t, pidfile)
        read_files_pattern($1, pidfile, pidfile)
+       read_lnk_files_pattern($1, pidfile, pidfile)
 ')
 
 ########################################
@@ -5826,3 +6119,229 @@ interface(`files_unconfined',`
 
        typeattribute $1 files_unconfined_type;
 ')
+
+########################################
+## <summary>
+##     Create a core files in /
+## </summary>
+## <desc>
+##     <p>
+##     Create a core file in /,
+##     </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_manage_root_files',`
+       gen_require(`
+               type root_t;
+       ')
+
+       manage_files_pattern($1, root_t, root_t)
+')
+
+########################################
+## <summary>
+##     Create a default directory
+## </summary>
+## <desc>
+##     <p>
+##     Create a default_t direcrory
+##     </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_create_default_dir',`
+       gen_require(`
+               type default_t;
+       ')
+
+       allow $1 default_t:dir create;
+')
+
+########################################
+## <summary>
+##     Create, default_t objects with an automatic
+##     type transition.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="object">
+##     <summary>
+##     The class of the object being created.
+##     </summary>
+## </param>
+#
+interface(`files_root_filetrans_default',`
+       gen_require(`
+               type root_t, default_t;
+       ')
+
+       filetrans_pattern($1, root_t, default_t, $2)
+')
+
+########################################
+## <summary>
+##     manage generic symbolic links
+##     in the /var/run directory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_manage_generic_pids_symlinks',`
+       gen_require(`
+               type var_run_t;
+       ')
+
+       manage_lnk_files_pattern($1,var_run_t,var_run_t)
+')
+
+########################################
+## <summary>
+##     Do not audit attempts to getattr
+##     all tmpfs files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_tmpfs_files',`
+       gen_require(`
+               attribute tmpfsfile;
+       ')
+
+       allow $1 tmpfsfile:file getattr;
+')
+
+########################################
+## <summary>
+##     Do not audit attempts to read security files 
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`files_dontaudit_read_security_files',`
+       gen_require(`
+               attribute security_file_type;
+       ')
+
+       dontaudit $1 security_file_type:file read_file_perms;
+')
+
+########################################
+## <summary>
+##     rw any files inherited from another process
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_rw_all_inherited_files',`
+       gen_require(`
+               attribute file_type;
+       ')
+
+       allow $1 { file_type $2 }:file rw_inherited_file_perms;
+       allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
+       allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
+       allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
+')
+
+########################################
+## <summary>
+##     Allow any file point to be the entrypoint of this domain
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_entrypoint_all_files',`
+       gen_require(`
+               attribute file_type;
+       ')
+       allow $1 file_type:file entrypoint;
+')
+
+########################################
+## <summary>
+##     Do not audit attempts to rw inherited file perms
+##     of non security files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`files_dontaudit_all_non_security_leaks',`
+       gen_require(`
+               attribute non_security_file_type;
+       ')
+
+       dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##     Do not audit attempts to read or write
+##     all leaked files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_dontaudit_leaks',`
+       gen_require(`
+               attribute file_type;
+       ')
+
+       dontaudit $1 file_type:file rw_inherited_file_perms;
+       dontaudit $1 file_type:lnk_file { read };
+')
+
+########################################
+## <summary>
+##     Allow domain to create_file_ass all types
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_create_as_is_all_files',`
+       gen_require(`
+               attribute file_type;
+               class kernel_service create_files_as;
+       ')
+
+       allow $1 file_type:kernel_service create_files_as;
+')
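Review bot: `files_dontaudit_getattr_tmpfs_files` is documented as "Do not audit attempts to getattr all tmpfs files" but its body is `allow $1 tmpfsfile:file getattr;`, which grants the access to every tmpfs file type instead of silencing the denial; change it to `dontaudit $1 tmpfsfile:file getattr;` or rename the interface if the grant is intended. In the same hunk `files_rw_all_inherited_files` reads an undocumented second argument `$2` in `{ file_type $2 }` with no `<param>` entry, `files_manage_root_files` is summarised as creating a core file in / while granting full manage on all root_t files, and `files_dontaudit_leaks` labels its domain `Domain allowed access.` rather than `Domain to not audit.`. Typos: `direcrory`, `Allow any file point`, `create_file_ass`.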
index 07352a52fdc0f3d95dcecb1dd7fd55f6e26c232c..12e9ecf463744804f58fcfa4f5ca9fe12f7daa58 100644 (file)
@@ -11,6 +11,7 @@ attribute lockfile;
 attribute mountpoint;
 attribute pidfile;
 attribute configfile;
+attribute etcfile;
 
 # For labeling types that are to be polyinstantiated
 attribute polydir;
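Review bot: `attribute etcfile` is declared but no type in the visible hunks of this file is given the attribute, and it has no comment. If it is assigned elsewhere in the merge, a short comment naming its purpose (e.g. `# types for files in /etc that ...`) would help; if nothing carries it, drop the declaration.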
@@ -58,12 +59,21 @@ files_type(etc_t)
 typealias etc_t alias automount_etc_t;
 typealias etc_t alias snmpd_etc_t;
 
+# system_conf_t is a new type of various
+# files in /etc/ that can be managed and
+# created by several domains.
+# 
+type system_conf_t, configfile;
+files_type(system_conf_t)
+# compatibility aliases for removed type:
+typealias system_conf_t alias iptables_conf_t;
+
 #
 # etc_runtime_t is the type of various
 # files in /etc that are automatically
 # generated during initialization.
 #
-type etc_runtime_t;
+type etc_runtime_t, configfile;
 files_type(etc_runtime_t)
 #Temporarily in policy until FC5 dissappears
 typealias etc_runtime_t alias firstboot_rw_t;
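Review bot: Adding the configfile attribute to `etc_runtime_t` means every interface keyed on that attribute now also reaches the boot-time generated files, but the type's comment block directly above is unchanged and does not mention it. Suggest extending it with `# configfile: also covered by the generic config-file interfaces`. The `# ` line with trailing whitespace in the new system_conf_t comment should be a bare `#`.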
index 59bae6ad3b8bcef7a0248ab01218078ea63ce59d..16f0f9e46861fdaddc6cdc25cf00368ee9252c08 100644 (file)
@@ -2,5 +2,10 @@
 /dev/shm/.*            <<none>>
 
 /cgroup                -d      gen_context(system_u:object_r:cgroup_t,s0)
+/cgroup/.*             <<none>>
 
+/sys/fs/cgroup -d      gen_context(system_u:object_r:cgroup_t,s0)
 /sys/fs/cgroup(/.*)?   <<none>>
+
+/dev/hugepages -d      gen_context(system_u:object_r:hugetlbfs_t,s0)
+/dev/hugepages(/.*)?           <<none>>
index 437a42af0bf0fc94dc80128a819d239621cf7a8e..4eecefb54563d551669330c77001cf3e9a776cba 100644 (file)
@@ -646,6 +646,7 @@ interface(`fs_search_cgroup_dirs',`
        ')
 
        search_dirs_pattern($1, cgroup_t, cgroup_t)
+       fs_search_tmpfs($1)
        dev_search_sysfs($1)
 ')
 
@@ -665,6 +666,7 @@ interface(`fs_list_cgroup_dirs', `
        ')
 
        list_dirs_pattern($1, cgroup_t, cgroup_t)
+       fs_search_tmpfs($1)
        dev_search_sysfs($1)
 ')
 
@@ -684,6 +686,7 @@ interface(`fs_delete_cgroup_dirs', `
        ')
 
        delete_dirs_pattern($1, cgroup_t, cgroup_t)
+       fs_search_tmpfs($1)
        dev_search_sysfs($1)
 ')
 
@@ -704,6 +707,7 @@ interface(`fs_manage_cgroup_dirs',`
        ')
 
        manage_dirs_pattern($1, cgroup_t, cgroup_t)
+       fs_search_tmpfs($1)
        dev_search_sysfs($1)
 ')
 
@@ -724,6 +728,7 @@ interface(`fs_read_cgroup_files',`
        ')
 
        read_files_pattern($1, cgroup_t, cgroup_t)
+       fs_search_tmpfs($1)
        dev_search_sysfs($1)
 ')
 
@@ -743,6 +748,7 @@ interface(`fs_write_cgroup_files', `
        ')
 
        write_files_pattern($1, cgroup_t, cgroup_t)
+       fs_search_tmpfs($1)
        dev_search_sysfs($1)
 ')
 
@@ -763,6 +769,7 @@ interface(`fs_rw_cgroup_files',`
        ')
 
        rw_files_pattern($1, cgroup_t, cgroup_t)
+       fs_search_tmpfs($1)
        dev_search_sysfs($1)
 ')
 
@@ -803,6 +810,7 @@ interface(`fs_manage_cgroup_files',`
        ')
 
        manage_files_pattern($1, cgroup_t, cgroup_t)
+       fs_search_tmpfs($1)
        dev_search_sysfs($1)
 ')
 
@@ -1241,7 +1249,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
                type cifs_t;
        ')
 
-       dontaudit $1 cifs_t:file rw_file_perms;
+       dontaudit $1 cifs_t:file rw_inherited_file_perms;
 ')
 
 ########################################
@@ -1504,6 +1512,25 @@ interface(`fs_cifs_domtrans',`
        domain_auto_transition_pattern($1, cifs_t, $2)
 ')
 
+########################################
+## <summary>
+##     Make general progams in cifs an entrypoint for
+##     the specified domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     The domain for which cifs_t is an entrypoint.
+##     </summary>
+## </param>
+#
+interface(`fs_cifs_entry_type',`
+       gen_require(`
+               type cifs_t;
+       ')
+
+       domain_entry_file($1, cifs_t)
+')
+
 #######################################
 ## <summary>
 ##     Create, read, write, and delete dirs
@@ -1931,7 +1958,26 @@ interface(`fs_read_fusefs_symlinks',`
 
 ########################################
 ## <summary>
-##     Read and write hugetlbfs files.
+##     Get the attributes of an hugetlbfs 
+##     filesystem;
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`fs_getattr_hugetlbfs',`
+       gen_require(`
+               type hugetlbfs_t;
+       ')
+
+       allow $1 hugetlbfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+##     R/W hugetlbfs files.
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -1946,6 +1992,41 @@ interface(`fs_rw_hugetlbfs_files',`
 
        rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
 ')
+########################################
+## <summary>
+##     Manage hugetlbfs dirs.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`fs_manage_hugetlbfs_dirs',`
+       gen_require(`
+               type hugetlbfs_t;
+       ')
+
+       manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
+')
+
+########################################
+## <summary>
+##     List hugetlbfs dirs
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`fs_list_hugetlbfs',`
+       gen_require(`
+               type hugetlbfs_t;
+       ')
+
+       allow $1 hugetlbfs_t:dir list_dir_perms;
+')
 
 ########################################
 ## <summary>
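Review bot: The `####` banner that opens fs_manage_hugetlbfs_dirs directly follows the `')` closing fs_rw_hugetlbfs_files with no blank line between them, unlike every other interface boundary in this file; a blank line after that `')` should be inserted. The summary of fs_list_hugetlbfs also lacks the trailing period the neighbouring summaries use, `List hugetlbfs dirs.`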
@@ -1999,6 +2080,7 @@ interface(`fs_list_inotifyfs',`
        ')
 
        allow $1 inotifyfs_t:dir list_dir_perms;
+       fs_read_anon_inodefs_files($1)
 ')
 
 ########################################
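Review bot: The added `fs_read_anon_inodefs_files($1)` widens fs_list_inotifyfs from listing a directory to reading files of a different filesystem type, which the interface's name and its summary (above the hunk) no longer describe. If the motivation is that inotify descriptors are backed by anon_inodefs on current kernels — confirm — a why-comment above the call, `# inotify descriptors are anon_inodefs inodes on newer kernels`, would document it; otherwise the extra access belongs in a separate interface so callers that only need to list the directory do not silently gain file reads.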
@@ -2393,6 +2475,25 @@ interface(`fs_exec_nfs_files',`
        exec_files_pattern($1, nfs_t, nfs_t)
 ')
 
+########################################
+## <summary>
+##     Make general progams in nfs an entrypoint for
+##     the specified domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     The domain for which nfs_t is an entrypoint.
+##     </summary>
+## </param>
+#
+interface(`fs_nfs_entry_type',`
+       gen_require(`
+               type nfs_t;
+       ')
+
+       domain_entry_file($1, nfs_t)
+')
+
 ########################################
 ## <summary>
 ##     Append files
@@ -2449,7 +2550,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
                type nfs_t;
        ')
 
-       dontaudit $1 nfs_t:file rw_file_perms;
+       dontaudit $1 nfs_t:file rw_inherited_file_perms;
 ')
 
 ########################################
@@ -2635,6 +2736,24 @@ interface(`fs_dontaudit_read_removable_files',`
        dontaudit $1 removable_t:file read_file_perms;
 ')
 
+########################################
+## <summary>
+##     Do not audit attempts to write removable storage files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain not to audit.
+##     </summary>
+## </param>
+#
+interface(`fs_dontaudit_write_removable_files',`
+       gen_require(`
+               type removable_t;
+       ')
+
+       dontaudit $1 removable_t:file write_file_perms;
+')
+
 ########################################
 ## <summary>
 ##     Read removable storage symbolic links.
@@ -2845,7 +2964,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
 #########################################
 ## <summary>
 ##     Create, read, write, and delete symbolic links
-##     on a CIFS or SMB network filesystem.
+##     on a NFS network filesystem.
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -3968,6 +4087,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
        dontaudit $1 tmpfs_t:chr_file rw_chr_file_perms;
 ')
 
+########################################
+## <summary>
+##     dontaudit Read and write block nodes on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`fs_dontaudit_read_tmpfs_blk_dev',`
+       gen_require(`
+               type tmpfs_t;
+       ')
+
+       dontaudit $1 tmpfs_t:blk_file read_blk_file_perms;
+')
+
 ########################################
 ## <summary>
 ##     Relabel character nodes on tmpfs filesystems.
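Review bot: The summary of the new fs_dontaudit_read_tmpfs_blk_dev says `dontaudit Read and write block nodes`, but the rule only dontaudits `read_blk_file_perms`, and the parameter is described as `Domain allowed access.` although a dontaudit grants nothing. Suggested summary: `Do not audit attempts to read block nodes on tmpfs filesystems.` with parameter text `Domain to not audit.`, matching the wording used by fs_dontaudit_write_removable_files earlier in this series.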
@@ -4662,3 +4799,24 @@ interface(`fs_unconfined',`
 
        typeattribute $1 filesystem_unconfined_type;
 ')
+
+########################################
+## <summary>
+##     Do not audit attempts to read or write
+##     all leaked filesystems files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`fs_dontaudit_leaks',`
+       gen_require(`
+               attribute filesystem_type;
+       ')
+
+       dontaudit $1 filesystem_type:file rw_inherited_file_perms;
+       dontaudit $1 filesystem_type:lnk_file { read };
+')
+
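Review bot: The parameter summary of the new fs_dontaudit_leaks reads `Domain allowed access.` although the interface only suppresses audit messages; it should read `Domain to not audit.`, and `{ read }` on the lnk_file rule is a one-element set that the rest of the file writes as a bare permission, `dontaudit $1 filesystem_type:lnk_file read;`. Because both rules span the whole `filesystem_type` attribute, callers lose the denial records for inherited descriptors on every filesystem, which is worth saying in the summary, e.g. `Do not audit attempts to read or write inherited file descriptors leaked from any filesystem type.`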
index 0dff98ef79de19c62703ae69befe6c62d9bff472..a09ab475d8cf87455e224b803129d300ff7fa3ec 100644 (file)
@@ -52,6 +52,7 @@ type anon_inodefs_t;
 fs_type(anon_inodefs_t)
 files_mountpoint(anon_inodefs_t)
 genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
+mls_trusted_object(anon_inodefs_t)
 
 type bdev_t;
 fs_type(bdev_t)
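Review bot: `mls_trusted_object(anon_inodefs_t)` exempts every anon_inodefs object from the MLS constraints with no comment on why, while this file elsewhere justifies special-case grants (`# Bugzilla 222337`). If the reason is that anon inodes such as eventfd or epoll descriptors carry no meaningful sensitivity level — confirm — a one-line comment above the call saying so would let a later reviewer judge whether the exemption is still required.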
@@ -67,10 +68,11 @@ fs_type(capifs_t)
 files_mountpoint(capifs_t)
 genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
 
-type cgroup_t;
+type cgroup_t alias cgroupfs_t;
 fs_type(cgroup_t)
 files_type(cgroup_t)
 files_mountpoint(cgroup_t)
+dev_associate_sysfs(cgroup_t)
 genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
 
 type configfs_t;
@@ -100,12 +102,22 @@ type hugetlbfs_t;
 fs_type(hugetlbfs_t)
 files_mountpoint(hugetlbfs_t)
 fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
+dev_associate(hugetlbfs_t)
 
 type ibmasmfs_t;
 fs_type(ibmasmfs_t)
 allow ibmasmfs_t self:filesystem associate;
 genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0)
 
+#
+# infinibandeventfs fs
+#
+
+type infinibandeventfs_t;
+fs_type(infinibandeventfs_t)
+allow infinibandeventfs_t self:filesystem associate;
+genfscon infinibandeventfs / gen_context(system_u:object_r:infinibandeventfs_t,s0)
+
 type inotifyfs_t;
 fs_type(inotifyfs_t)
 genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
@@ -148,6 +160,12 @@ fs_type(squash_t)
 genfscon squash / gen_context(system_u:object_r:squash_t,s0)
 files_mountpoint(squash_t)
 
+type sysv_t;
+fs_noxattr_type(sysv_t)
+files_mountpoint(sysv_t)
+genfscon sysv / gen_context(system_u:object_r:sysv_t,s0)
+genfscon v7 / gen_context(system_u:object_r:sysv_t,s0)
+
 type vmblock_t;
 fs_noxattr_type(vmblock_t)
 files_mountpoint(vmblock_t)
@@ -168,6 +186,7 @@ fs_type(tmpfs_t)
 files_type(tmpfs_t)
 files_mountpoint(tmpfs_t)
 files_poly_parent(tmpfs_t)
+dev_associate(tmpfs_t)
 
 # Use a transition SID based on the allocating task SID and the
 # filesystem SID to label inodes in the following filesystem types,
@@ -247,6 +266,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
 type removable_t;
 allow removable_t noxattrfs:filesystem associate;
 fs_noxattr_type(removable_t)
+files_type(removable_t)
 files_mountpoint(removable_t)
 
 #
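Review bot: `files_type(removable_t)` presumably places removable media under the generic file attribute that the files_*_all_* interfaces operate on — confirm — which means domains holding those broad permissions now reach content on removable devices that, until this hunk, was only a noxattr filesystem type. That may be intended, but it widens reach into media the host does not control and should carry a why-comment, e.g. `# files_type so generic file interfaces also cover removable media`, or a reference to the request that motivated it.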
index ed7667a539865077d72496da9aac60025a57c552..46e9859d372833608e8255bea992f6741963c57f 100644 (file)
@@ -696,6 +696,46 @@ interface(`kernel_read_debugfs',`
        list_dirs_pattern($1, debugfs_t, debugfs_t)
 ')
 
+########################################
+## <summary>
+##     Read/Write information from the debugging filesystem.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`kernel_rw_debugfs',`
+       gen_require(`
+               type debugfs_t;
+       ')
+
+       rw_files_pattern($1, debugfs_t, debugfs_t)
+       read_lnk_files_pattern($1, debugfs_t, debugfs_t)
+       list_dirs_pattern($1, debugfs_t, debugfs_t)
+')
+
+########################################
+## <summary>
+##     Manage information from the debugging filesystem.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`kernel_manage_debugfs',`
+       gen_require(`
+               type debugfs_t;
+       ')
+
+       manage_files_pattern($1, debugfs_t, debugfs_t)
+       read_lnk_files_pattern($1, debugfs_t, debugfs_t)
+       list_dirs_pattern($1, debugfs_t, debugfs_t)
+')
+
 ########################################
 ## <summary>
 ##     Mount a kernel VM filesystem.
@@ -1977,7 +2017,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
        ')
 
        dontaudit $1 sysctl_type:dir list_dir_perms;
-       dontaudit $1 sysctl_type:file getattr;
+       dontaudit $1 sysctl_type:file read_file_perms;
 ')
 
 ########################################
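Review bot: Replacing `getattr` with `read_file_perms` makes kernel_dontaudit_list_all_sysctls suppress denials for reading every file under the `sysctl_type` attribute, which neither its name nor its summary (above the hunk) describes. Silencing those read denials removes the audit record that would show a domain probing kernel tunables, so if that is wanted the summary should say `Do not audit attempts to list and read all sysctls.`; otherwise the broader rule belongs in a separate kernel_dontaudit_read_all_sysctls interface so existing callers keep getattr-only suppression.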
@@ -2843,6 +2883,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
        allow $1 unlabeled_t:db_blob { setattr relabelfrom };
 ')
 
+########################################
+## <summary>
+##      Relabel to unlabeled context .
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`kernel_relabelto_unlabeled',`
+       gen_require(`
+               type unlabeled_t;
+       ')
+
+       allow $1 unlabeled_t:dir_file_class_set relabelto;
+')
+
 ########################################
 ## <summary>
 ##     Unconfined access to kernel module resources.
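Review bot: The documentation block of the new kernel_relabelto_unlabeled is indented with spaces after `##` while every neighbouring block uses a tab, and its summary has a stray space before the period (`Relabel to unlabeled context .`). Suggested summary: `Relabel files and directories to the unlabeled context.` Since the rule lets the caller strip the existing type from any object in `dir_file_class_set`, a short sentence noting that this bypasses the object's normal labeling would help callers use it sparingly.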
@@ -2860,3 +2918,23 @@ interface(`kernel_unconfined',`
 
        typeattribute $1 kern_unconfined;
 ')
+
+########################################
+## <summary>
+##     Allow the specified domain to connect to
+##     the kernel with a unix socket.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`kernel_stream_connect',`
+       gen_require(`
+               type kernel_t;
+       ')
+
+       allow $1 kernel_t:unix_stream_socket connectto;
+')
+
index e4f98ce90f218eec5a909458e7b415029e0683f4..806026cce04170109a310ff8dea2e04bb56087ef 100644 (file)
@@ -156,6 +156,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
 #
 type unlabeled_t;
 sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+fs_associate(unlabeled_t)
 
 # These initial sids are no longer used, and can be removed:
 sid any_socket         gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@@ -254,7 +255,8 @@ fs_unmount_all_fs(kernel_t)
 
 selinux_load_policy(kernel_t)
 
-term_use_console(kernel_t)
+term_use_all_terms(kernel_t)
+term_use_ptmx(kernel_t)
 
 corecmd_exec_shell(kernel_t)
 corecmd_list_bin(kernel_t)
@@ -268,19 +270,29 @@ files_list_root(kernel_t)
 files_list_etc(kernel_t)
 files_list_home(kernel_t)
 files_read_usr_files(kernel_t)
+files_manage_mounttab(kernel_t)
+files_manage_generic_spool_dirs(kernel_t)
 
 mcs_process_set_categories(kernel_t)
+mcs_file_read_all(kernel_t)
+mcs_file_write_all(kernel_t)
 
 mls_process_read_up(kernel_t)
 mls_process_write_down(kernel_t)
 mls_file_write_all_levels(kernel_t)
 mls_file_read_all_levels(kernel_t)
+mls_socket_write_all_levels(kernel_t) 
+mls_fd_share_all_levels(kernel_t) 
+
+logging_manage_generic_logs(kernel_t)
 
 ifdef(`distro_redhat',`
        # Bugzilla 222337
        fs_rw_tmpfs_chr_files(kernel_t)
 ')
 
+userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir })
+
 optional_policy(`
        hotplug_search_config(kernel_t)
 ')
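Review bot: `mls_socket_write_all_levels(kernel_t)` and `mls_fd_share_all_levels(kernel_t)` carry trailing whitespace. More importantly, this hunk gives kernel_t manage access to generic logs and spool directories, MCS read and write of all categories, and a home-directory file transition with no comment on which kernel behaviour needs each, whereas the existing `# Bugzilla 222337` line shows the file's convention for justifying such grants; a why-comment per group of added rules would let the grants be revisited later.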
@@ -357,6 +369,10 @@ optional_policy(`
        unconfined_domain_noaudit(kernel_t)
 ')
 
+optional_policy(`
+       xserver_xdm_manage_spool(kernel_t)
+')
+
 ########################################
 #
 # Unlabeled process local policy
index f8b357c3a48e8844068884277df217098ae6bad6..bc1ed0fd8c94d76742fc78d9410f9b2c263030f9 100644 (file)
@@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',`
 
        # because of this statement, any module which
        # calls this interface must be in the base module:
-       genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
+#      genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
 ')
 
 ########################################
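Review bot: Commenting out the `genfscon selinuxfs /booleans/$2` rule with a leading `#` leaves dead code behind and makes the two comment lines above it, which say the statement forces callers into the base module, describe something that no longer exists. If the rule is gone for good, delete the line and update or remove that comment; if it is parked pending a fix, replace it with a comment giving the reason and a tracking reference so the now-empty interface is explained.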
@@ -202,10 +202,31 @@ interface(`selinux_dontaudit_read_fs',`
                type security_t;
        ')
 
+       selinux_dontaudit_getattr_fs($1)
        dontaudit $1 security_t:dir search_dir_perms;
        dontaudit $1 security_t:file read_file_perms;
 ')
 
+
+########################################
+## <summary>
+##     Do not audit attempts to write
+##     generic selinuxfs entries
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`selinux_dontaudit_write_fs',`
+       gen_require(`
+               type security_t;
+       ')
+
+       dontaudit $1 security_t:dir write;
+')
+
 ########################################
 ## <summary>
 ##     Allows the caller to get the mode of policy enforcement
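Review bot: The new selinux_dontaudit_write_fs is described as suppressing attempts to `write generic selinuxfs entries`, but the rule only dontaudits `security_t:dir write`, so a denied write to a selinuxfs file would still be audited. Either the summary should read `Do not audit attempts to write to generic selinuxfs directories.` or, if file writes are meant as well, add `dontaudit $1 security_t:file write_file_perms;`. There is also a doubled blank line before the banner that opens this interface.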
@@ -223,6 +244,7 @@ interface(`selinux_get_enforce_mode',`
                type security_t;
        ')
 
+       selinux_get_fs_mount($1)
        allow $1 security_t:dir list_dir_perms;
        allow $1 security_t:file read_file_perms;
 ')
@@ -404,6 +426,7 @@ interface(`selinux_set_all_booleans',`
        ')
 
        allow $1 security_t:dir list_dir_perms;
+       allow $1 boolean_type:dir list_dir_perms;
        allow $1 boolean_type:file rw_file_perms;
 
        if(!secure_mode_policyload) {
@@ -622,3 +645,42 @@ interface(`selinux_unconfined',`
 
        typeattribute $1 selinux_unconfined_type;
 ')
+
+########################################
+## <summary>
+##     Generate a file context for a boolean type
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`selinux_genbool',`
+       gen_require(`
+               attribute boolean_type;
+       ')
+
+       type $1, boolean_type;
+       fs_type($1)
+       mls_trusted_object($1)
+')
+
+########################################
+## <summary>
+##     Unmount a security filesystem.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     The type of the domain unmounting the filesystem.
+##     </summary>
+## </param>
+#
+interface(`selinux_unmount_fs',`
+       gen_require(`
+               type security_t;
+       ')
+
+       allow $1 security_t:filesystem unmount;
+')
+
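Review bot: The parameter of the new selinux_genbool is documented as `domain` / `Domain allowed access.`, but `$1` is the boolean type being declared (`type $1, boolean_type;`), not a domain. Suggested param block: name `type`, summary `Type to declare for the boolean.` The documentation should also mention that the type is marked `mls_trusted_object`, since that exempts it from MLS constraints.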
index a9b898210eeccdff50afa5a527c433b6b43d6c2d..811b85946c20125e47c9af86bac3e42cc4feb9dc 100644 (file)
@@ -77,3 +77,6 @@ ifdef(`distro_redhat', `
 /dev/scramdisk/.*      -b      gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 
 /dev/usb/rio500                -c      gen_context(system_u:object_r:removable_device_t,s0)
+
+/lib/udev/devices/loop.* -b    gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/lib/udev/devices/fuse -c      gen_context(system_u:object_r:fuse_device_t,s0)
index 3723150362517dce0283e8cc1a20c3d79e207618..bde6daa7f6de22e717735c10157fc8d535e215a8 100644 (file)
@@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',`
        dev_list_all_dev_nodes($1)
        allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
        allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;
+       #577012
+       allow $1 fixed_disk_device_t:lnk_file read_lnk_file_perms;
        typeattribute $1 fixed_disk_raw_read;
 ')
 
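Review bot: The added `#577012` above the new lnk_file rule in storage_raw_read_fixed_disk is a bare number with no tracker name, so a reader cannot tell where to look it up; kernel.te in this same series writes `# Bugzilla 222337`. Suggested form: `# Bugzilla 577012: <one-line reason the symlink read is needed>` — the bug's subject is not visible here, so the reason has to come from the tracker.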
@@ -203,6 +205,8 @@ interface(`storage_create_fixed_disk_dev',`
                type fixed_disk_device_t;
        ')
 
+       allow $1 self:capability mknod;
+
        allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
        dev_add_entry_generic_dirs($1)
 ')
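Review bot: `allow $1 self:capability mknod;` grants the caller the capability to create any device node, not only fixed-disk nodes, yet the interface name storage_create_fixed_disk_dev and its summary (above the hunk) only speak of fixed disk devices. A comment above the line, `# CAP_MKNOD is needed to create the node; it is not limited to fixed disk devices`, would make the wider grant visible to callers choosing this interface.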
index 492bf76cc9ece77083f197b873256298433a5714..87a6942333aa489efff0483340e0b4ab825adec7 100644 (file)
@@ -292,9 +292,11 @@ interface(`term_use_console',`
 interface(`term_dontaudit_use_console',`
        gen_require(`
                type console_device_t;
+               type tty_device_t;
        ')
 
-       dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
+       dontaudit $1 console_device_t:chr_file rw_inherited_chr_file_perms;
+       dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
 ')
 
 ########################################
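Review bot: term_dontaudit_use_console now also silences tty_device_t denials, which the interface name and its summary (above the hunk) do not mention. If unallocated ttys are commonly inherited alongside the console — confirm — a one-line comment above the second dontaudit would say so; otherwise callers that want tty suppression already have term_dontaudit_use_unallocated_ttys, which this same series switches to `rw_inherited_chr_file_perms` as well.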
@@ -334,7 +336,7 @@ interface(`term_relabel_console',`
        ')
 
        dev_list_all_dev_nodes($1)
-       allow $1 console_device_t:chr_file { relabelfrom relabelto };
+       allow $1 console_device_t:chr_file relabel_chr_file_perms;
 ')
 
 ########################################
@@ -848,7 +850,7 @@ interface(`term_dontaudit_use_all_ptys',`
                attribute ptynode;
        ')
 
-       dontaudit $1 ptynode:chr_file { rw_term_perms lock append };
+       dontaudit $1 ptynode:chr_file { rw_inherited_term_perms lock append };
 ')
 
 ########################################
@@ -1116,7 +1118,7 @@ interface(`term_relabel_unallocated_ttys',`
        ')
 
        dev_list_all_dev_nodes($1)
-       allow $1 tty_device_t:chr_file { relabelfrom relabelto };
+       allow $1 tty_device_t:chr_file relabel_chr_file_perms;
 ')
 
 ########################################
@@ -1215,7 +1217,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
                type tty_device_t;
        ')
 
-       dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
+       dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
 ')
 
 ########################################
@@ -1231,11 +1233,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
 #
 interface(`term_getattr_all_ttys',`
        gen_require(`
+               type tty_device_t;
                attribute ttynode;
        ')
 
        dev_list_all_dev_nodes($1)
        allow $1 ttynode:chr_file getattr;
+       allow $1 tty_device_t:chr_file getattr;
 ')
 
 ########################################
@@ -1252,10 +1256,12 @@ interface(`term_getattr_all_ttys',`
 interface(`term_dontaudit_getattr_all_ttys',`
        gen_require(`
                attribute ttynode;
+               type tty_device_t;
        ')
 
        dev_list_all_dev_nodes($1)
        dontaudit $1 ttynode:chr_file getattr;
+       dontaudit $1 tty_device_t:chr_file getattr;
 ')
 
 ########################################
@@ -1294,7 +1300,7 @@ interface(`term_relabel_all_ttys',`
        ')
 
        dev_list_all_dev_nodes($1)
-       allow $1 ttynode:chr_file { relabelfrom relabelto };
+       allow $1 ttynode:chr_file relabel_chr_file_perms;
 ')
 
 ########################################
@@ -1352,7 +1358,7 @@ interface(`term_dontaudit_use_all_ttys',`
                attribute ttynode;
        ')
 
-       dontaudit $1 ttynode:chr_file rw_chr_file_perms;
+       dontaudit $1 ttynode:chr_file rw_inherited_chr_file_perms;
 ')
 
 ########################################
index 646bbcfd9991be2056f09df10dd562bbfb3472fd..a5deadedd2fcf86e6b65d520acb88f13396ad3f6 100644 (file)
@@ -29,6 +29,7 @@ files_mountpoint(devpts_t)
 fs_associate_tmpfs(devpts_t)
 fs_type(devpts_t)
 fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
+dev_associate(devpts_t)
 
 #
 # devtty_t is the type of /dev/tty.
index 252913b138c259f7a602318ba694a92cbc6f6e66..a1bbe8fd685ba4ead8a43a9bded4bf0249f850bd 100644 (file)
@@ -28,10 +28,13 @@ logging_manage_audit_log(auditadm_t)
 logging_manage_audit_config(auditadm_t)
 logging_run_auditctl(auditadm_t, auditadm_r)
 logging_run_auditd(auditadm_t, auditadm_r)
+logging_stream_connect_syslog(auditadm_t)
 
 seutil_run_runinit(auditadm_t, auditadm_r)
 seutil_read_bin_policy(auditadm_t)
 
+userdom_dontaudit_search_admin_dir(auditadm_t)
+
 optional_policy(`
        consoletype_exec(auditadm_t)
 ')
index 1875064e6e4dcfdbaddde79b7fdaf3b7eca6e730..e9c9277d72293ee1b8762fb98b5b482f25522b3e 100644 (file)
@@ -37,6 +37,7 @@ files_list_var(dbadm_t)
 selinux_get_enforce_mode(dbadm_t)
 
 logging_send_syslog_msg(dbadm_t)
+logging_send_audit_msgs(dbadm_t)
 
 userdom_dontaudit_search_user_home_dirs(dbadm_t)
 
@@ -58,3 +59,7 @@ optional_policy(`
 optional_policy(`
        postgresql_admin(dbadm_t, dbadm_r)
 ')
+
+optional_policy(`
+       sudo_role_template(dbadm, dbadm_r, dbadm_t)
+')
index 531c6165c807b4bf35cd188630543eb655404eb5..321e5a74ad8e5213978583b8a2179a6b9ab70099 100644 (file)
@@ -14,4 +14,8 @@ userdom_restricted_user_template(guest)
 # Local policy
 #
 
-#gen_user(guest_u,, guest_r, s0, s0)
+optional_policy(`
+       apache_role(guest_r, guest_t)
+')
+
+gen_user(guest_u, user, guest_r, s0, s0)
index ebe6a9c2809cda4265ce39c1dd750ed729e2cc98..e3a1987903eab7cb4f6d6bcac174529c3aac8dbe 100644 (file)
@@ -9,6 +9,8 @@ role secadm_r;
 
 userdom_unpriv_user_template(secadm)
 userdom_security_admin_template(secadm_t, secadm_r)
+userdom_inherit_append_admin_home_files(secadm_t)
+userdom_read_admin_home_files(secadm_t)
 
 ########################################
 #
index 185400290c40d7caa142e0ff65ac5a0b8b3e2e2f..b0d95d4b1c7ae7f4fb7550be58d3c2ea59c17d0f 100644 (file)
@@ -8,12 +8,46 @@ policy_module(staff, 2.1.2)
 role staff_r;
 
 userdom_unpriv_user_template(staff)
+fs_exec_noxattr(staff_t)
+
+# needed for sandbox
+allow staff_t self:process setexec;
 
 ########################################
 #
 # Local policy
 #
 
+kernel_read_ring_buffer(staff_usertype)
+kernel_getattr_core_if(staff_usertype)
+kernel_getattr_message_if(staff_usertype)
+kernel_read_software_raid_state(staff_usertype)
+kernel_read_fs_sysctls(staff_usertype)
+
+domain_read_all_domains_state(staff_usertype)
+domain_getattr_all_domains(staff_usertype)
+domain_obj_id_change_exemption(staff_t)
+
+files_read_kernel_modules(staff_usertype)
+
+seutil_read_module_store(staff_t)
+seutil_run_newrole(staff_t, staff_r)
+
+term_use_unallocated_ttys(staff_usertype)
+
+auth_domtrans_pam_console(staff_t)
+
+init_dbus_chat(staff_t)
+init_dbus_chat_script(staff_t)
+
+miscfiles_read_hwdata(staff_usertype)
+
+modutils_read_module_config(staff_usertype)
+modutils_read_module_deps(staff_usertype)
+
+netutils_run_ping(staff_t, staff_r)
+netutils_signal_ping(staff_t)
+
 optional_policy(`
        apache_role(staff_r, staff_t)
 ')
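Review bot: `allow staff_t self:process setexec;` is unconditional, but its comment `# needed for sandbox` ties it to the sandbox module, whose `sandbox_transition(staff_t, staff_r)` is wrapped in `optional_policy` further down this file; the setexec grant should move into that optional block so the permission disappears when sandbox is not installed. `kernel_read_ring_buffer(staff_usertype)` also extends kernel ring-buffer reads to every staff user type with no comment on which tool needs it.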
@@ -26,6 +60,35 @@ optional_policy(`
        dbadm_role_change(staff_r)
 ')
 
+optional_policy(`
+       accountsd_dbus_chat(staff_t)
+       accountsd_read_lib_files(staff_t)
+')
+
+optional_policy(`
+       gnomeclock_dbus_chat(staff_t)
+')
+
+optional_policy(`
+       firewallgui_dbus_chat(staff_t)
+')
+
+optional_policy(`
+       lpd_list_spool(staff_t)
+')
+
+optional_policy(`
+       kerneloops_dbus_chat(staff_t)
+')
+
+optional_policy(`
+       logadm_role_change(staff_r)
+')
+
+optional_policy(`
+       mozilla_run_plugin(staff_t, staff_r)
+')
+
 optional_policy(`
        oident_manage_user_content(staff_t)
        oident_relabel_user_content(staff_t)
@@ -35,22 +98,63 @@ optional_policy(`
        postgresql_role(staff_r, staff_t)
 ')
 
+optional_policy(`
+       rtkit_scheduled(staff_t)
+')
+
+optional_policy(`
+       rpm_dbus_chat(staff_usertype)
+')
+
 optional_policy(`
        secadm_role_change(staff_r)
 ')
 
 optional_policy(`
-       ssh_role_template(staff, staff_r, staff_t)
+       sandbox_transition(staff_t, staff_r)
 ')
 
 optional_policy(`
-       sudo_role_template(staff, staff_r, staff_t)
+       screen_role_template(staff, staff_r, staff_t)
 ')
 
 optional_policy(`
        sysadm_role_change(staff_r)
        userdom_dontaudit_use_user_terminals(staff_t)
 ')
+optional_policy(`
+       setroubleshoot_stream_connect(staff_t)
+       setroubleshoot_dbus_chat(staff_t)
+       setroubleshoot_dbus_chat_fixit(staff_t)
+')
+
+optional_policy(`
+       ssh_role_template(staff, staff_r, staff_t)
+')
+
+optional_policy(`
+       sudo_role_template(staff, staff_r, staff_t)
+')
+
+optional_policy(`
+       telepathy_dbus_session_role(staff_r, staff_t)
+')
+
+optional_policy(`
+       userhelper_console_role_template(staff, staff_r, staff_usertype)
+')
+
+optional_policy(`
+       unconfined_role_change(staff_r)
+')
+
+optional_policy(`
+       virt_stream_connect(staff_t)
+')
+
+optional_policy(`
+       webadm_role_change(staff_r)
+')
 
 optional_policy(`
        xserver_role(staff_r, staff_t)
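Review bot: `unconfined_role_change(staff_r)` lets a staff session change into the unconfined role, which in effect removes confinement for that user; it sits among routine dbus grants with no comment on the intent and deserves one, since it is the most consequential line in the hunk. Separately, the `optional_policy` block for setroubleshoot follows the `')` of the sysadm_role_change block with no blank line between them, unlike its neighbours.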
@@ -137,10 +241,6 @@ ifndef(`distro_redhat',`
                rssh_role(staff_r, staff_t)
        ')
 
-       optional_policy(`
-               screen_role_template(staff, staff_r, staff_t)
-       ')
-
        optional_policy(`
                spamassassin_role(staff_r, staff_t)
        ')
index 2a19751f24d86567f866c3c94ea7417856d384f7..1a950853223b361519bb9103b89453044c0fa482 100644 (file)
@@ -24,20 +24,41 @@ ifndef(`enable_mls',`
 #
 # Local policy
 #
+kernel_read_fs_sysctls(sysadm_t)
 
 corecmd_exec_shell(sysadm_t)
 
+domain_dontaudit_read_all_domains_state(sysadm_t)
+
+files_read_kernel_modules(sysadm_t)
+
 mls_process_read_up(sysadm_t)
+mls_file_read_to_clearance(sysadm_t)
+mls_process_write_to_clearance(sysadm_t)
 
 ubac_process_exempt(sysadm_t)
 ubac_file_exempt(sysadm_t)
 ubac_fd_exempt(sysadm_t)
 
+application_exec(sysadm_t)
+
 init_exec(sysadm_t)
+init_exec_script_files(sysadm_t)
+init_dbus_chat(sysadm_t)
+init_script_role_transition(sysadm_r)
+
+modutils_read_module_deps(sysadm_t)
+
+miscfiles_read_hwdata(sysadm_t)
 
 # Add/remove user home directories
 userdom_manage_user_home_dirs(sysadm_t)
 userdom_home_filetrans_user_home_dir(sysadm_t)
+userdom_manage_user_tmp_dirs(sysadm_t)
+userdom_manage_user_tmp_files(sysadm_t)
+userdom_manage_user_tmp_symlinks(sysadm_t)
+userdom_manage_user_tmp_chr_files(sysadm_t)
+userdom_manage_user_tmp_blk_files(sysadm_t)
 
 ifdef(`direct_sysadm_daemon',`
        optional_policy(`
@@ -55,6 +76,7 @@ ifndef(`enable_mls',`
        logging_manage_audit_log(sysadm_t)
        logging_manage_audit_config(sysadm_t)
        logging_run_auditctl(sysadm_t, sysadm_r)
+       logging_stream_connect_syslog(sysadm_t)
 ')
 
 tunable_policy(`allow_ptrace',`
@@ -69,7 +91,6 @@ optional_policy(`
        apache_run_helper(sysadm_t, sysadm_r)
        #apache_run_all_scripts(sysadm_t, sysadm_r)
        #apache_domtrans_sys_script(sysadm_t)
-       apache_role(sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
@@ -97,6 +118,10 @@ optional_policy(`
        bootloader_run(sysadm_t, sysadm_r)
 ')
 
+optional_policy(`
+       certmonger_dbus_chat(sysadm_t)
+')
+
 optional_policy(`
        certwatch_run(sysadm_t, sysadm_r)
 ')
@@ -114,7 +139,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-       cvs_exec(sysadm_t)
+    daemonstools_run_start(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
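Review bot: `daemonstools_run_start(sysadm_t, sysadm_r)` is indented with four spaces where the rest of this file uses a tab; it should be `	daemonstools_run_start(sysadm_t, sysadm_r)` with a tab. The line it replaces, `cvs_exec(sysadm_t)`, is dropped rather than moved, and nothing in the hunk says whether that removal is intentional.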
@@ -159,6 +184,13 @@ optional_policy(`
        ipsec_stream_connect(sysadm_t)
        # for lsof
        ipsec_getattr_key_sockets(sysadm_t)
+       ipsec_run_setkey(sysadm_t, sysadm_r)
+       ipsec_run_racoon(sysadm_t, sysadm_r)
+       ipsec_stream_connect_racoon(sysadm_t)
+
+       optional_policy(`
+               ipsec_mgmt_dbus_chat(sysadm_t)
+       ')
 ')
 
 optional_policy(`
@@ -166,15 +198,15 @@ optional_policy(`
 ')
 
 optional_policy(`
-       kudzu_run(sysadm_t, sysadm_r)
+       kerberos_exec_kadmind(sysadm_t)
 ')
 
 optional_policy(`
-       libs_run_ldconfig(sysadm_t, sysadm_r)
+       kudzu_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-       lockdev_role(sysadm_r, sysadm_t)
+       libs_run_ldconfig(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
@@ -198,14 +230,7 @@ optional_policy(`
 
 optional_policy(`
        mount_run(sysadm_t, sysadm_r)
-')
-
-optional_policy(`
-       mozilla_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
-       mplayer_role(sysadm_r, sysadm_t)
+       mount_run_showmount(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
@@ -220,6 +245,10 @@ optional_policy(`
        mysql_stream_connect(sysadm_t)
 ')
 
+optional_policy(`
+       ncftool_run(sysadm_t, sysadm_r)
+')
+
 optional_policy(`
        netutils_run(sysadm_t, sysadm_r)
        netutils_run_ping(sysadm_t, sysadm_r)
@@ -254,7 +283,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-       pyzor_role(sysadm_r, sysadm_t)
+       prelink_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
@@ -265,10 +294,6 @@ optional_policy(`
        raid_domtrans_mdadm(sysadm_t)
 ')
 
-optional_policy(`
-       razor_role(sysadm_r, sysadm_t)
-')
-
 optional_policy(`
        rpc_domtrans_nfsd(sysadm_t)
 ')
@@ -277,9 +302,6 @@ optional_policy(`
        rpm_run(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-       rssh_role(sysadm_r, sysadm_t)
-')
 
 optional_policy(`
        rsync_exec(sysadm_t)
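Review bot: Removing the rssh_role block leaves two consecutive blank lines before the rsync optional_policy; the added empty line in the shutdown_run hunk and in the vpn_run hunk further down introduce the same doubled blank line. One blank line between optional_policy blocks is this file's convention, so each of the three should be reduced to one.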
@@ -304,9 +326,10 @@ optional_policy(`
 ')
 
 optional_policy(`
-       spamassassin_role(sysadm_r, sysadm_t)
+       shutdown_run(sysadm_t, sysadm_r)
 ')
 
+
 optional_policy(`
        ssh_role_template(sysadm, sysadm_r, sysadm_t)
 ')
@@ -328,10 +351,6 @@ optional_policy(`
        sysnet_run_dhcpc(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-       thunderbird_role(sysadm_r, sysadm_t)
-')
-
 optional_policy(`
        tripwire_run_siggen(sysadm_t, sysadm_r)
        tripwire_run_tripwire(sysadm_t, sysadm_r)
@@ -339,18 +358,10 @@ optional_policy(`
        tripwire_run_twprint(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-       tvtime_role(sysadm_r, sysadm_t)
-')
-
 optional_policy(`
        tzdata_domtrans(sysadm_t)
 ')
 
-optional_policy(`
-       uml_role(sysadm_r, sysadm_t)
-')
-
 optional_policy(`
        unconfined_domtrans(sysadm_t)
 ')
@@ -363,18 +374,15 @@ optional_policy(`
        usbmodules_run(sysadm_t, sysadm_r)
 ')
 
-optional_policy(`
-       userhelper_role_template(sysadm, sysadm_r, sysadm_t)
-')
-
 optional_policy(`
        usermanage_run_admin_passwd(sysadm_t, sysadm_r)
        usermanage_run_groupadd(sysadm_t, sysadm_r)
        usermanage_run_useradd(sysadm_t, sysadm_r)
 ')
 
+
 optional_policy(`
-       vmware_role(sysadm_r, sysadm_t)
+       vpn_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
@@ -386,18 +394,21 @@ optional_policy(`
 ')
 
 optional_policy(`
-       wireshark_role(sysadm_r, sysadm_t)
+       virt_stream_connect(sysadm_t)
 ')
 
 optional_policy(`
-       xserver_role(sysadm_r, sysadm_t)
+       yam_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-       yam_run(sysadm_t, sysadm_r)
+       zebra_stream_connect(sysadm_t)
 ')
 
 ifndef(`distro_redhat',`
+       optional_policy(`
+               apache_role(sysadm_r, sysadm_t)
+       ')
        optional_policy(`
                auth_role(sysadm_r, sysadm_t)
        ')
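Review bot: The apache_role block added at the top of the `ifndef(`distro_redhat'` section is immediately followed by the auth_role block with no blank line between them, unlike the other blocks in that section. Insert a blank line after the `')` that closes the apache_role block.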
@@ -445,5 +456,60 @@ ifndef(`distro_redhat',`
        optional_policy(`
                java_role(sysadm_r, sysadm_t)
        ')
-')
 
+       optional_policy(`
+               lockdev_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               mozilla_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               mplayer_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               pyzor_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               razor_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               rssh_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               spamassassin_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               thunderbird_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               tvtime_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               uml_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               userhelper_role_template(sysadm, sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               vmware_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               wireshark_role(sysadm_r, sysadm_t)
+       ')
+
+       optional_policy(`
+               xserver_role(sysadm_r, sysadm_t)
+       ')
+')
diff --git a/policy/modules/roles/unconfineduser.fc b/policy/modules/roles/unconfineduser.fc
new file mode 100644 (file)
index 0000000..0e8654b
--- /dev/null
@@ -0,0 +1,8 @@
+# Add programs here which should not be confined by SELinux
+# e.g.:
+# /usr/local/bin/appsrv                --      gen_context(system_u:object_r:unconfined_exec_t,s0)
+# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
+/usr/bin/vncserver             --      gen_context(system_u:object_r:unconfined_exec_t,s0)
+
+/usr/sbin/xrdp   --  gen_context(system_u:object_r:unconfined_exec_t,s0)
+/usr/sbin/xrdp-sesman   --  gen_context(system_u:object_r:unconfined_exec_t,s0)
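Review bot: This new file labels `vncserver`, `xrdp` and `xrdp-sesman` as `unconfined_exec_t`, so these remote-desktop services run without SELinux confinement; the header comment calls the arrangement temporary but gives no tracking reference, and the two xrdp lines are aligned with spaces where the vncserver line uses tabs. A comment per entry with the reason and a tracker reference, e.g. `# TODO: write a confined policy for xrdp (tracker: <placeholder>)`, would make the exception reviewable, and the columns should be tab-separated like the first entry.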
diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if
new file mode 100644 (file)
index 0000000..8b2cdf3
--- /dev/null
@@ -0,0 +1,687 @@
+## <summary>Unconfiend user role</summary>
+
+########################################
+## <summary>
+##     Change from the unconfineduser role.
+## </summary>
+## <desc>
+##     <p>
+##     Change from the unconfineduser role to
+##     the specified role.
+##     </p>
+##     <p>
+##     This is an interface to support third party modules
+##     and its use is not allowed in upstream reference
+##     policy.
+##     </p>
+## </desc>
+## <param name="role">
+##     <summary>
+##     Role allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`unconfined_role_change_to',`
+       gen_require(`
+               role unconfined_r;
+       ')
+
+       allow unconfined_r $1;
+')
+
+########################################
+## <summary>
+##     Transition to the unconfined domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`unconfined_domtrans',`
+       gen_require(`
+               type unconfined_t, unconfined_exec_t;
+       ')
+
+       domtrans_pattern($1,unconfined_exec_t,unconfined_t)
+')
+
+########################################
+## <summary>
+##     Execute specified programs in the unconfined domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     The type of the process performing this action.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     The role to allow the unconfined domain.
+##     </summary>
+## </param>
+#
+interface(`unconfined_run',`
+       gen_require(`
+               type unconfined_t;
+       ')
+
+       unconfined_domtrans($1)
+       role $2 types unconfined_t;
+')
+
+########################################
+## <summary>
+##     Transition to the unconfined domain by executing a shell.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`unconfined_shell_domtrans',`
+       gen_require(`
+               attribute unconfined_login_domain;
+       ')
+       typeattribute $1 unconfined_login_domain;
+')
+
+########################################
+## <summary>
+##     Allow unconfined to execute the specified program in
+##     the specified domain.
+## </summary>
+## <desc>
+##     <p>
+##     Allow unconfined to execute the specified program in
+##     the specified domain.
+##     </p>
+##     <p>
+##     This is a interface to support third party modules
+##     and its use is not allowed in upstream reference
+##     policy.
+##     </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     Domain to execute in.
+##     </summary>
+## </param>
+## <param name="entry_file">
+##     <summary>
+##     Domain entry point file.
+##     </summary>
+## </param>
+#
+interface(`unconfined_domtrans_to',`
+       gen_require(`
+               type unconfined_t;
+       ')
+
+       domtrans_pattern(unconfined_t,$2,$1)
+')
+
+########################################
+## <summary>
+##     Allow unconfined to execute the specified program in
+##     the specified domain.  Allow the specified domain the
+##     unconfined role and use of unconfined user terminals.
+## </summary>
+## <desc>
+##     <p>
+##     Allow unconfined to execute the specified program in
+##     the specified domain.  Allow the specified domain the
+##     unconfined role and use of unconfined user terminals.
+##     </p>
+##     <p>
+##     This is a interface to support third party modules
+##     and its use is not allowed in upstream reference
+##     policy.
+##     </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     Domain to execute in.
+##     </summary>
+## </param>
+## <param name="entry_file">
+##     <summary>
+##     Domain entry point file.
+##     </summary>
+## </param>
+#
+interface(`unconfined_run_to',`
+       gen_require(`
+               type unconfined_t;
+               role unconfined_r;
+       ')
+
+       domtrans_pattern(unconfined_t,$2,$1)
+       role unconfined_r types $1;
+       userdom_use_user_terminals($1)
+')
+
+########################################
+## <summary>
+##     Inherit file descriptors from the unconfined domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`unconfined_use_fds',`
+       gen_require(`
+               type unconfined_t;
+       ')
+
+       allow $1 unconfined_t:fd use;
+')
+
+########################################
+## <summary>
+##     Send a SIGCHLD signal to the unconfined domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`unconfined_sigchld',`
+       gen_require(`
+               type unconfined_t;
+       ')
+
+       allow $1 unconfined_t:process sigchld;
+')
+
+########################################
+## <summary>
+##     Send a SIGNULL signal to the unconfined domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`unconfined_signull',`
+       gen_require(`
+               type unconfined_t;
+       ')
+
+       allow $1 unconfined_t:process signull;
+')
+
+########################################
+## <summary>
+##     Send a SIGNULL signal to the unconfined execmem domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`unconfined_execmem_signull',`
+       gen_require(`
+               type unconfined_execmem_t;
+       ')
+
+       allow $1 unconfined_execmem_t:process signull;
+')
+
+########################################
+## <summary>
+##     Send a signal to the unconfined execmem domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`unconfined_execmem_signal',`
+       gen_require(`
+               type unconfined_execmem_t;
+       ')
+
+       allow $1 unconfined_execmem_t:process signal;
+')
+
+########################################
+## <summary>
+##     Send generic signals to the unconfined domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`unconfined_signal',`
+       gen_require(`
+               type unconfined_t;
+       ')
+
+       allow $1 unconfined_t:process signal;
+')
+
+########################################
+## <summary>
+##     Read unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`unconfined_read_pipes',`
+       gen_require(`
+               type unconfined_t;
+       ')
+
+       allow $1 unconfined_t:fifo_file read_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##     Do not audit attempts to read unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`unconfined_dontaudit_read_pipes',`
+       gen_require(`
+               type unconfined_t;
+       ')
+
+       dontaudit $1 unconfined_t:fifo_file read;
+')
+
+########################################
+## <summary>
+##     Read and write unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`unconfined_rw_pipes',`
+       gen_require(`
+               type unconfined_t;
+       ')
+
+       allow $1 unconfined_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##     Do not audit attempts to read and write
+##     unconfined domain unnamed pipes.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`unconfined_dontaudit_rw_pipes',`
+       gen_require(`
+               type unconfined_t;
+       ')
+
+       dontaudit $1 unconfined_t:fifo_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##     Do not audit attempts to read and write
+##     unconfined domain stream.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`unconfined_dontaudit_rw_stream',`
+       gen_require(`
+               type unconfined_t;
+       ')
+
+       dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+##     Connect to the unconfined domain using
+##     a unix domain stream socket.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`unconfined_stream_connect',`
+       gen_require(`
+               type unconfined_t;
+       ')
+
+       allow $1 unconfined_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##     Do not audit attempts to read or write
+##     unconfined domain tcp sockets.
+## </summary>
+## <desc>
+##     <p>
+##     Do not audit attempts to read or write
+##     unconfined domain tcp sockets.
+##     </p>
+##     <p>
+##     This interface was added due to a broken
+##     symptom in ldconfig.
+##     </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`unconfined_dontaudit_rw_tcp_sockets',`
+       gen_require(`
+               type unconfined_t;
+       ')
+
+       dontaudit $1 unconfined_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+##     Do not audit attempts to read or write
+##     unconfined domain packet sockets.
+## </summary>
+## <desc>
+##     <p>
+##     Do not audit attempts to read or write
+##     unconfined domain packet sockets.
+##     </p>
+##     <p>
+##     This interface was added due to a broken
+##     symptom.
+##     </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`unconfined_dontaudit_rw_packet_sockets',`
+       gen_require(`
+               type unconfined_t;
+       ')
+
+       dontaudit $1 unconfined_t:packet_socket { read write };
+')
+
+########################################
+## <summary>
+##     Create keys for the unconfined domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`unconfined_create_keys',`
+       gen_require(`
+               type unconfined_t;
+       ')
+
+       allow $1 unconfined_t:key create;
+')
+
+########################################
+## <summary>
+##     Send messages to the unconfined domain over dbus.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`unconfined_dbus_send',`
+       gen_require(`
+               type unconfined_t;
+               class dbus send_msg;
+       ')
+
+       allow $1 unconfined_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+##     Send and receive messages from
+##     unconfined_t over dbus.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`unconfined_dbus_chat',`
+       gen_require(`
+               type unconfined_t;
+               class dbus send_msg;
+       ')
+
+       allow $1 unconfined_t:dbus send_msg;
+       allow unconfined_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##     Connect to the the unconfined DBUS
+##     for service (acquire_svc).
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`unconfined_dbus_connect',`
+       gen_require(`
+               type unconfined_t;
+               class dbus acquire_svc;
+       ')
+
+       allow $1 unconfined_t:dbus acquire_svc;
+')
+
+########################################
+## <summary>
+##     Allow ptrace of unconfined domain
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`unconfined_ptrace',`
+       gen_require(`
+               type unconfined_t;
+       ')
+
+       allow $1 unconfined_t:process ptrace;
+')
+
+########################################
+## <summary>
+##     Read and write to unconfined shared memory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     The type of the process performing this action.
+##     </summary>
+## </param>
+#
+interface(`unconfined_rw_shm',`
+       gen_require(`
+               type unconfined_t;
+       ')
+
+       allow $1 unconfined_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+##     Read and write to unconfined execmem shared memory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     The type of the process performing this action.
+##     </summary>
+## </param>
+#
+interface(`unconfined_execmem_rw_shm',`
+       gen_require(`
+               type unconfined_execmem_t;
+       ')
+
+       allow $1 unconfined_execmem_t:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+##     Transition to the unconfined_execmem domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`unconfined_execmem_domtrans',`
+
+       gen_require(`
+               type unconfined_execmem_t;
+       ')
+
+       execmem_domtrans($1, unconfined_execmem_t)
+')
+
+########################################
+## <summary>
+##     execute the execmem applications
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`unconfined_execmem_exec',`
+
+       gen_require(`
+               type execmem_exec_t;
+       ')
+
+       can_exec($1, execmem_exec_t)
+')
+
+########################################
+## <summary>
+##     Allow apps to set rlimits on userdomain
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`unconfined_set_rlimitnh',`
+       gen_require(`
+               type unconfined_t;
+       ')
+
+       allow $1 unconfined_t:process rlimitinh;
+')
+
+########################################
+## <summary>
+##     Get the process group of unconfined.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`unconfined_getpgid',`
+       gen_require(`
+               type unconfined_t;
+       ')
+
+       allow $1 unconfined_t:process getpgid;
+')
+
+########################################
+## <summary>
+##     Change to the unconfined role.
+## </summary>
+## <param name="role">
+##     <summary>
+##     Role allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`unconfined_role_change',`
+       gen_require(`
+               role unconfined_r;
+       ')
+
+       allow $1 unconfined_r;
+')
+
+########################################
+## <summary>
+##     Allow domain to attach to TUN devices created by unconfined_t users.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`unconfined_attach_tun_iface',`
+       gen_require(`
+               type unconfined_t;
+       ')
+
+       allow $1 unconfined_t:tun_socket relabelfrom;
+       allow $1 self:tun_socket relabelto;
+')
+
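Review bot: `unconfined_shell_domtrans` is documented as "Transition to the unconfined domain by executing a shell", but the interface only adds the caller to the unconfined_login_domain attribute; the shell transition itself is in unconfineduser.te under the `unconfined_login` tunable, so it is conditional and silently absent when that boolean is off. I would say so in the summary, e.g. `##	Mark the domain as an unconfined login domain; the shell transition this enables is gated by the unconfined_login boolean.`. Likewise `unconfined_set_rlimitnh` grants only `process rlimitinh` (inheriting rlimits from unconfined_t), not the ability to set rlimits as its summary claims, and its name looks misspelled. Smaller nits: `unconfined_dontaudit_rw_pipes` uses `rw_file_perms` on a fifo_file where its allow counterpart uses `rw_fifo_file_perms`, and the file summary on the first line reads "Unconfiend".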
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644 (file)
index 0000000..799db36
--- /dev/null
@@ -0,0 +1,475 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+attribute unconfined_login_domain;
+
+## <desc>
+## <p>
+## Transition to confined nsplugin domains from unconfined user
+## </p>
+## </desc>
+gen_tunable(allow_unconfined_nsplugin_transition, false)
+
+## <desc>
+## <p>
+## Allow vidio playing tools to tun unconfined
+## </p>
+## </desc>
+gen_tunable(unconfined_mplayer, false)
+
+## <desc>
+## <p>
+## Allow a user to login as an unconfined domain
+## </p>
+## </desc>
+gen_tunable(unconfined_login, true)
+
+## <desc>
+## <p>
+## Transition to confined qemu domains from unconfined user
+## </p>
+## </desc>
+gen_tunable(allow_unconfined_qemu_transition, false)
+
+# usage in this module of types created by these
+# calls is not correct, however we dont currently
+# have another method to add access to these types
+userdom_base_user_template(unconfined)
+userdom_manage_home_role(unconfined_r, unconfined_t)
+userdom_manage_tmp_role(unconfined_r, unconfined_t)
+userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
+userdom_unpriv_usertype(unconfined, unconfined_t)
+
+type unconfined_exec_t;
+init_system_domain(unconfined_t, unconfined_exec_t)
+role unconfined_r types unconfined_t;
+role_transition system_r unconfined_exec_t unconfined_r;
+allow system_r unconfined_r;
+
+domain_user_exemption_target(unconfined_t)
+allow system_r unconfined_r;
+allow unconfined_r system_r;
+init_script_role_transition(unconfined_r)
+role system_r types unconfined_t;
+typealias unconfined_t alias unconfined_crontab_t;
+
+type unconfined_notrans_t;
+type unconfined_notrans_exec_t;
+init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t)
+role unconfined_r types unconfined_notrans_t;
+
+########################################
+#
+# Local policy
+#
+
+dontaudit unconfined_t self:dir write;
+dontaudit unconfined_t self:file setattr;
+
+allow unconfined_t self:system syslog_read;
+dontaudit unconfined_t self:capability sys_module;
+
+files_create_boot_flag(unconfined_t)
+files_create_default_dir(unconfined_t)
+files_root_filetrans_default(unconfined_t, dir)
+
+mcs_killall(unconfined_t)
+mcs_ptrace_all(unconfined_t)
+mls_file_write_all_levels(unconfined_t)
+
+init_run_daemon(unconfined_t, unconfined_r)
+init_domtrans_script(unconfined_t)
+init_telinit(unconfined_t)
+
+libs_run_ldconfig(unconfined_t, unconfined_r)
+
+logging_send_syslog_msg(unconfined_t)
+logging_run_auditctl(unconfined_t, unconfined_r)
+
+mount_run_unconfined(unconfined_t, unconfined_r)
+# Unconfined running as system_r
+mount_domtrans_unconfined(unconfined_t)
+
+seutil_run_setsebool(unconfined_t, unconfined_r)
+seutil_run_setfiles(unconfined_t, unconfined_r)
+seutil_run_semanage(unconfined_t, unconfined_r)
+
+unconfined_domain_noaudit(unconfined_t)
+
+userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
+
+usermanage_run_passwd(unconfined_t, unconfined_r)
+usermanage_run_chfn(unconfined_t, unconfined_r)
+
+tunable_policy(`allow_execmem',`
+       allow unconfined_t self:process execmem;
+')
+
+tunable_policy(`allow_execmem && allow_execstack',`
+       allow unconfined_t self:process execstack;
+')
+
+tunable_policy(`allow_execmod',`
+       userdom_execmod_user_home_files(unconfined_usertype)
+')
+
+tunable_policy(`unconfined_login',`
+       corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
+       allow unconfined_t unconfined_login_domain:fd use;
+       allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms;
+       allow unconfined_t unconfined_login_domain:process sigchld;
+')
+
+optional_policy(`
+       gen_require(`
+               attribute unconfined_usertype;
+       ')
+
+       nsplugin_role_notrans(unconfined_r, unconfined_usertype)
+       optional_policy(`
+               tunable_policy(`allow_unconfined_nsplugin_transition',`
+                     nsplugin_domtrans(unconfined_usertype)
+                     nsplugin_domtrans_config(unconfined_usertype)
+               ')
+       ')
+
+       optional_policy(`
+               abrt_dbus_chat(unconfined_usertype)
+               abrt_run_helper(unconfined_usertype, unconfined_r)
+       ')
+
+       optional_policy(`
+               avahi_dbus_chat(unconfined_usertype)
+       ')
+
+       optional_policy(`
+               certmonger_dbus_chat(unconfined_usertype)
+       ')
+
+       optional_policy(`
+               devicekit_dbus_chat(unconfined_usertype)
+               devicekit_dbus_chat_disk(unconfined_usertype)
+               devicekit_dbus_chat_power(unconfined_usertype)
+       ')
+
+       optional_policy(`
+               hal_dbus_chat(unconfined_usertype)
+       ')
+
+       optional_policy(`
+               iptables_run(unconfined_usertype, unconfined_r)
+       ')
+
+       optional_policy(`
+               networkmanager_dbus_chat(unconfined_usertype)
+       ')
+
+       optional_policy(`
+               policykit_role(unconfined_r, unconfined_usertype)
+       ')
+
+       optional_policy(`
+               rtkit_scheduled(unconfined_usertype)
+       ')
+
+       optional_policy(`
+               setroubleshoot_dbus_chat(unconfined_usertype)
+               setroubleshoot_dbus_chat_fixit(unconfined_t)
+       ')
+
+       optional_policy(`
+               sandbox_transition(unconfined_usertype, unconfined_r)
+       ')
+
+       optional_policy(`
+               shutdown_run(unconfined_t, unconfined_r)
+       ')
+
+       optional_policy(`
+               tzdata_run(unconfined_usertype, unconfined_r)
+       ')
+
+       optional_policy(`
+               gen_require(`
+                       type user_tmpfs_t;
+               ')
+       
+               xserver_rw_session(unconfined_usertype, user_tmpfs_t)
+               xserver_run_xauth(unconfined_usertype, unconfined_r)
+               xserver_dbus_chat_xdm(unconfined_usertype)
+       ')
+')
+
+ifdef(`distro_gentoo',`
+       seutil_run_runinit(unconfined_t, unconfined_r)
+       seutil_init_script_run_runinit(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+       accountsd_dbus_chat(unconfined_t)
+')
+
+optional_policy(`
+       ada_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+       apache_run_helper(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+       bind_run_ndc(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+       bootloader_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+       cron_unconfined_role(unconfined_r, unconfined_t)
+')
+
+optional_policy(`
+       chrome_role(unconfined_r, unconfined_usertype)
+')
+
+optional_policy(`
+       dbus_role_template(unconfined, unconfined_r, unconfined_t)
+
+       optional_policy(`
+               unconfined_domain(unconfined_dbusd_t)
+               unconfined_execmem_domtrans(unconfined_dbusd_t)
+
+               optional_policy(`
+                       xserver_rw_shm(unconfined_dbusd_t)
+               ')
+       ')
+
+       init_dbus_chat(unconfined_usertype)
+       init_dbus_chat_script(unconfined_usertype)
+
+       dbus_stub(unconfined_t)
+
+       optional_policy(`
+               bluetooth_dbus_chat(unconfined_usertype)
+       ')
+
+       optional_policy(`
+               consolekit_dbus_chat(unconfined_usertype)
+       ')
+
+       optional_policy(`
+               cups_dbus_chat_config(unconfined_usertype)
+       ')
+
+       optional_policy(`
+               fprintd_dbus_chat(unconfined_usertype)
+       ')
+
+       optional_policy(`
+               gnomeclock_dbus_chat(unconfined_usertype)
+               gnome_dbus_chat_gconfdefault(unconfined_usertype)
+       ')
+
+       optional_policy(`
+               ipsec_mgmt_dbus_chat(unconfined_usertype)
+       ')
+
+       optional_policy(`
+               kerneloops_dbus_chat(unconfined_usertype)
+       ')
+
+       optional_policy(`
+               oddjob_dbus_chat(unconfined_usertype)
+       ')
+
+       optional_policy(`
+               vpn_dbus_chat(unconfined_usertype)
+       ')
+')
+
+optional_policy(`
+       firewallgui_dbus_chat(unconfined_usertype)
+')
+
+optional_policy(`
+       firstboot_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+       ftp_run_ftpdctl(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+        gpsd_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+       java_run_unconfined(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+       livecd_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+       lpd_run_checkpc(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+       modutils_run_update_mods(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+       mono_role_template(unconfined, unconfined_r, unconfined_t)
+       unconfined_domain_noaudit(unconfined_mono_t)
+       role system_r types unconfined_mono_t;
+')
+
+optional_policy(`
+       mozilla_run_plugin(unconfined_usertype, unconfined_r)
+')
+
+optional_policy(`
+       ncftool_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+       oddjob_run_mkhomedir(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+       prelink_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+       portmap_run_helper(unconfined_t, unconfined_r)
+')
+
+#optional_policy(`
+#      ppp_run(unconfined_t, unconfined_r)
+#')
+
+optional_policy(`
+       qemu_unconfined_role(unconfined_r)
+
+       tunable_policy(`allow_unconfined_qemu_transition',`
+               qemu_domtrans(unconfined_t)
+       ',`
+               qemu_domtrans_unconfined(unconfined_t)
+')
+')
+
+optional_policy(`
+       rpm_run(unconfined_t, unconfined_r)
+       # Allow SELinux aware applications to request rpm_script execution
+       rpm_transition_script(unconfined_t)
+       rpm_dbus_chat(unconfined_t)
+')
+
+optional_policy(`
+       samba_role_notrans(unconfined_r)
+       samba_run_unconfined_net(unconfined_t, unconfined_r)
+#      samba_run_winbind_helper(unconfined_t, unconfined_r)
+       samba_run_smbcontrol(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+       sendmail_run_unconfined(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+       sysnet_run_dhcpc(unconfined_t, unconfined_r)
+       sysnet_dbus_chat_dhcpc(unconfined_t)
+       sysnet_role_transition_dhcpc(unconfined_r)
+')
+
+optional_policy(`
+       telepathy_dbus_session_role(unconfined_r, unconfined_t)
+')
+
+optional_policy(`
+       vbetool_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+       virt_transition_svirt(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+       vpn_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+       webalizer_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+       wine_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+       xserver_run(unconfined_t, unconfined_r)
+')
+
+########################################
+#
+# Unconfined Execmem Local policy
+#
+
+optional_policy(`
+       execmem_role_template(unconfined, unconfined_r, unconfined_t)
+       typealias unconfined_execmem_t alias execmem_t;
+       typealias unconfined_execmem_t alias unconfined_openoffice_t;
+       unconfined_domain_noaudit(unconfined_execmem_t)
+       allow unconfined_execmem_t unconfined_t:process transition;
+       rpm_transition_script(unconfined_execmem_t)
+       role system_r types unconfined_execmem_t;
+
+       optional_policy(`
+               init_dbus_chat_script(unconfined_execmem_t)
+               dbus_system_bus_client(unconfined_execmem_t)
+               unconfined_dbus_chat(unconfined_execmem_t)
+               unconfined_dbus_connect(unconfined_execmem_t)
+       ')
+
+       optional_policy(`
+               tunable_policy(`allow_unconfined_nsplugin_transition',`', `
+                       nsplugin_exec_domtrans(unconfined_t, unconfined_execmem_t)
+               ')
+       ')
+
+       optional_policy(`
+               tunable_policy(`unconfined_login',`
+                       mplayer_exec_domtrans(unconfined_t, unconfined_execmem_t)
+               ')
+       ')
+
+       optional_policy(`
+               openoffice_exec_domtrans(unconfined_t, unconfined_execmem_t)
+       ')
+')
+
+########################################
+#
+# Unconfined notrans Local policy
+#
+
+allow unconfined_notrans_t self:process { execstack execmem };
+unconfined_domain_noaudit(unconfined_notrans_t)
+userdom_unpriv_usertype(unconfined, unconfined_notrans_t)
+domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t)
+# Allow SELinux aware applications to request rpm_script execution
+rpm_transition_script(unconfined_notrans_t)
+domain_ptrace_all_domains(unconfined_notrans_t)
+
+########################################
+#
+# Unconfined mount local policy
+#
+
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
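Review bot: The `unconfined_mplayer` tunable declared near the top of the file is never referenced in the hunk, while the mplayer_exec_domtrans block in the execmem section is gated on `unconfined_login` instead; that looks like the wrong boolean, and if so the fix is `tunable_policy(`unconfined_mplayer',`` in place of the `unconfined_login` condition there. Its description reads "Allow vidio playing tools to tun unconfined", text that boolean tooling shows to administrators, and should be "Allow video playing tools to run unconfined". `allow system_r unconfined_r;` appears twice in the declarations block; the second copy is redundant. The final section header says "Unconfined mount local policy" but the only statement under it is the `gen_user(unconfined_u, ...)` declaration with the full MLS range and all categories, so the header should describe the SELinux user declaration instead.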
index 9b55b004712f443d12575c0e5d343c090857c62b..2932c133b22f822531166c986bdc1af7fc490a26 100644 (file)
@@ -12,6 +12,8 @@ role user_r;
 
 userdom_unpriv_user_template(user)
 
+fs_exec_noxattr(user_t)
+
 optional_policy(`
        apache_role(user_r, user_t)
 ')
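Review bot: `fs_exec_noxattr(user_t)` is added unconditionally here, whereas the same call for xguest_t later in this commit sits inside `ifndef(`enable_mls',` ...`; executing files from filesystems that carry no labels is exactly the access MLS builds withhold, so the two role files now disagree. If the unconditional grant for user_t is intended, a one-line comment stating why it differs from xguest would help; otherwise wrap it the same way.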
@@ -21,10 +23,34 @@ optional_policy(`
        oident_relabel_user_content(user_t)
 ')
 
+optional_policy(`
+       mozilla_run_plugin(user_t, user_r)
+')
+
+optional_policy(`
+       rpm_dontaudit_dbus_chat(user_t)
+')
+
+optional_policy(`
+       rtkit_scheduled(user_t)
+')
+
+optional_policy(`
+       sandbox_transition(user_t, user_r)
+')
+
 optional_policy(`
        screen_role_template(user, user_r, user_t)
 ')
 
+optional_policy(`
+       setroubleshoot_dontaudit_stream_connect(user_t)
+')
+
+optional_policy(`
+       telepathy_dbus_session_role(user_r, user_t)
+')
+
 optional_policy(`
        xserver_role(user_r, user_t)
 ')
@@ -115,7 +141,7 @@ ifndef(`distro_redhat',`
        ')
 
        optional_policy(`
-       spamassassin_role(user_r, user_t)
+               spamassassin_role(user_r, user_t)
        ')
 
        optional_policy(`
index 0ecc7862a0048b5e5eb5c6739c08424d1879ab88..dbf27107e322f5ec0854424d299a20c5a42e7242 100644 (file)
@@ -38,6 +38,7 @@ selinux_get_enforce_mode(webadm_t)
 seutil_domtrans_setfiles(webadm_t)
 
 logging_send_syslog_msg(webadm_t)
+logging_send_audit_msgs(webadm_t)
 
 userdom_dontaudit_search_user_home_dirs(webadm_t)
 
index e88b95f1006695ee72c255d8cfa47b18b1000dbe..e76f7a729a73ae35a32bc8efa1b79bdb498de3c2 100644 (file)
@@ -14,7 +14,7 @@ gen_tunable(xguest_mount_media, true)
 
 ## <desc>
 ## <p>
-## Allow xguest to configure Network Manager
+## Allow xguest to configure Network Manager and connect to apache ports
 ## </p>
 ## </desc>
 gen_tunable(xguest_connect_network, true)
@@ -29,12 +29,12 @@ gen_tunable(xguest_use_bluetooth, true)
 role xguest_r;
 
 userdom_restricted_xwindows_user_template(xguest)
+sysnet_dns_name_resolve(xguest_t)
 
 ########################################
 #
 # Local policy
 #
-
 ifndef(`enable_mls',`
        fs_exec_noxattr(xguest_t)
 
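Review bot: `sysnet_dns_name_resolve(xguest_t)` is granted unconditionally right after the user template, while the rest of xguest's network access added later in this file is gated by the `xguest_connect_network` tunable; with that boolean off, xguest can still send DNS queries, a network channel the boolean's description does not mention. If DNS is meant to work regardless of the boolean, say so next to the call, e.g. `# DNS lookups are allowed even when xguest_connect_network is off`; otherwise move it under the tunable_policy block.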
@@ -48,12 +48,21 @@ ifndef(`enable_mls',`
                storage_raw_read_removable_device(xguest_t)
        ')
 ')
+# Dontaudit fusermount
+mount_dontaudit_exec_fusermount(xguest_t)
+
+allow xguest_t self:process execmem;
+kernel_dontaudit_request_load_module(xguest_t)
+
+tunable_policy(`allow_execstack',`
+       allow xguest_t self:process execstack;
+')
 
 # Allow mounting of file systems
 optional_policy(`
        tunable_policy(`xguest_mount_media',`
                kernel_read_fs_sysctls(xguest_t)
-
+               kernel_request_load_module(xguest_t)
                files_dontaudit_getattr_boot_dirs(xguest_t)
                files_search_mnt(xguest_t)
 
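Review bot: `allow xguest_t self:process execmem;` is unconditional, while `execstack` immediately below is gated by `allow_execstack` and unconfineduser.te in this same commit gates execmem on `allow_execmem`; for the most restricted user type this inconsistency deserves either the same `tunable_policy(`allow_execmem',` wrapper or a comment explaining why xguest needs writable-executable memory by default. `kernel_request_load_module(xguest_t)` inside the `xguest_mount_media` block also supersedes the `kernel_dontaudit_request_load_module` added just above it whenever that boolean is on, which is presumably intended but worth a comment since triggering module autoload from a guest account is an unusual grant. The `# Dontaudit fusermount` comment restates the call that follows it and can be dropped.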
@@ -62,10 +71,9 @@ optional_policy(`
                fs_manage_noxattr_fs_dirs(xguest_t)
                fs_getattr_noxattr_fs(xguest_t)
                fs_read_noxattr_fs_symlinks(xguest_t)
+               fs_mount_fusefs(xguest_t)
 
                auth_list_pam_console_data(xguest_t)
-
-               init_read_utmp(xguest_t)
        ')
 ')
 
@@ -75,24 +83,91 @@ optional_policy(`
        ')
 ')
 
+optional_policy(`
+       chrome_role(xguest_r, xguest_usertype)
+')
+
+
 optional_policy(`
        hal_dbus_chat(xguest_t)
 ')
 
 optional_policy(`
-       java_role(xguest_r, xguest_t)
+       apache_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
+       gnomeclock_dontaudit_dbus_chat(xguest_t)
+')
+
+optional_policy(`
+       java_role_template(xguest, xguest_r, xguest_t)
+')
+
+optional_policy(`
+       mono_role_template(xguest, xguest_r, xguest_t)
 ')
 
 optional_policy(`
-       mozilla_role(xguest_r, xguest_t)
+       mozilla_run_plugin(xguest_t, xguest_r)
+')
+
+optional_policy(`
+       nsplugin_role(xguest_r, xguest_t)
 ')
 
 optional_policy(`
        tunable_policy(`xguest_connect_network',`
+               kernel_read_network_state(xguest_usertype)
+
                networkmanager_dbus_chat(xguest_t)
-               corenet_tcp_connect_pulseaudio_port(xguest_t)
-               corenet_tcp_connect_ipp_port(xguest_t)
+               networkmanager_read_lib_files(xguest_t)
+               corenet_tcp_connect_pulseaudio_port(xguest_usertype)
+               corenet_all_recvfrom_unlabeled(xguest_usertype)
+               corenet_all_recvfrom_netlabel(xguest_usertype)
+               corenet_tcp_sendrecv_generic_if(xguest_usertype)
+               corenet_raw_sendrecv_generic_if(xguest_usertype)
+               corenet_tcp_sendrecv_generic_node(xguest_usertype)
+               corenet_raw_sendrecv_generic_node(xguest_usertype)
+               corenet_tcp_sendrecv_http_port(xguest_usertype)
+               corenet_tcp_sendrecv_http_cache_port(xguest_usertype)
+               corenet_tcp_sendrecv_squid_port(xguest_usertype)
+               corenet_tcp_sendrecv_ftp_port(xguest_usertype)
+               corenet_tcp_sendrecv_ipp_port(xguest_usertype)
+               corenet_tcp_connect_http_port(xguest_usertype)
+               corenet_tcp_connect_http_cache_port(xguest_usertype)
+               corenet_tcp_connect_squid_port(xguest_usertype)
+               corenet_tcp_connect_flash_port(xguest_usertype)
+               corenet_tcp_connect_ftp_port(xguest_usertype)
+               corenet_tcp_connect_ipp_port(xguest_usertype)
+               corenet_tcp_connect_generic_port(xguest_usertype)
+               corenet_tcp_connect_soundd_port(xguest_usertype)
+               corenet_sendrecv_http_client_packets(xguest_usertype)
+               corenet_sendrecv_http_cache_client_packets(xguest_usertype)
+               corenet_sendrecv_squid_client_packets(xguest_usertype)
+               corenet_sendrecv_ftp_client_packets(xguest_usertype)
+               corenet_sendrecv_ipp_client_packets(xguest_usertype)
+               corenet_sendrecv_generic_client_packets(xguest_usertype)
+               # Should not need other ports
+               corenet_dontaudit_tcp_sendrecv_generic_port(xguest_usertype)
+               corenet_dontaudit_tcp_bind_generic_port(xguest_usertype)
+               corenet_tcp_connect_speech_port(xguest_usertype)
+               corenet_tcp_sendrecv_transproxy_port(xguest_usertype)
+               corenet_tcp_connect_transproxy_port(xguest_usertype)
        ')
+
+       optional_policy(`
+               telepathy_dbus_session_role(xguest_r, xguest_t)
+       ')
+')
+
+optional_policy(`
+       gen_require(`
+               type mozilla_t;
+       ')
+
+       allow xguest_t mozilla_t:process transition;
+       role xguest_r types mozilla_t;
 ')
 
-#gen_user(xguest_u,, xguest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
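Review bot: `corenet_tcp_connect_generic_port(xguest_usertype)` grants connects to every unreserved port, which makes the carefully enumerated http/ftp/ipp/squid/flash list above it largely cosmetic; if the intent is "the guest may browse", drop the generic grant or comment why it is needed. The comment `# Should not need other ports` is immediately followed by three more port grants (speech and transproxy), so either move those grants above the comment or reword it. The trailing block that hand-writes `allow xguest_t mozilla_t:process transition;` and `role xguest_r types mozilla_t;` with its own `gen_require` bypasses the mozilla interfaces used everywhere else in this file; presumably it exists because `mozilla_role` was replaced by `mozilla_run_plugin`, but a short comment saying so, and why a bare role/transition pair is still needed, would keep it from being "cleaned up" later.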
index 1bd5812e37bbe90f379b5c1031226f24bed40953..3b3ba64e8097e8d8e98733ad1ae00f0274df735c 100644 (file)
@@ -15,6 +15,7 @@
 
 /var/run/abrt\.pid             --      gen_context(system_u:object_r:abrt_var_run_t,s0)
 /var/run/abrtd?\.lock          --      gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrtd?\.socket                --      gen_context(system_u:object_r:abrt_var_run_t,s0)
 /var/run/abrt(/.*)?                    gen_context(system_u:object_r:abrt_var_run_t,s0)
 
 /var/spool/abrt(/.*)?                  gen_context(system_u:object_r:abrt_var_cache_t,s0)
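Review bot: the new `/var/run/abrtd?\.socket` entry uses the `--` file-type flag, which matches regular files only; if this path is a UNIX socket, as its name and the `sock_file` addition to `files_pid_filetrans` elsewhere in this commit suggest, restorecon will never apply this context to it and the entry should read `/var/run/abrtd?\.socket	-s	gen_context(system_u:object_r:abrt_var_run_t,s0)`. The runtime file transition would still label a freshly created socket correctly, so the mismatch only surfaces on relabel.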
index 0b827c527c084ea02b5e7a75dd3ee4eddbd961f2..022c07927447c8b3223dd51601c6fac942798070 100644 (file)
@@ -71,6 +71,7 @@ interface(`abrt_read_state',`
                type abrt_t;
        ')
 
+       kernel_search_proc($1)
        ps_process_pattern($1, abrt_t)
 ')
 
@@ -130,6 +131,10 @@ interface(`abrt_domtrans_helper',`
        ')
 
        domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
+
+       ifdef(`hide_broken_symptoms', `
+               dontaudit abrt_helper_t $1:socket_class_set { read write };
+       ')
 ')
 
 ########################################
@@ -160,8 +165,25 @@ interface(`abrt_run_helper',`
 
 ########################################
 ## <summary>
-##     Send and receive messages from
-##     abrt over dbus.
+##     Append abrt cache
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`abrt_cache_append',`
+       gen_require(`
+               type abrt_var_cache_t;
+       ')
+
+       append_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+')
+
+########################################
+## <summary>
+##     Manage abrt cache
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -253,6 +275,24 @@ interface(`abrt_manage_pid_files',`
        manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
 ')
 
+########################################
+## <summary>
+##     Read and write abrt fifo files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`abrt_rw_fifo_file',`
+       gen_require(`
+               type abrt_t;
+       ')
+
+       allow $1 abrt_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
 #####################################
 ## <summary>
 ##     All of the rules required to administrate
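Review bot: the summary of `abrt_rw_fifo_file` says "Read and write abrt fifo files", but the rule it emits is `allow $1 abrt_t:fifo_file rw_inherited_fifo_file_perms;`, i.e. read/write on unnamed pipes created by abrt_t and received over inherited descriptors, not on named fifos under abrt's directories; a caller going by the summary would pick it for the wrong reason. Suggest `##	Read and write inherited abrt pipes (fifo_file objects labelled abrt_t).` so the contract matches the rule.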
index 98646c42f28b08287056f5e2ce57ce6e9a00d0e3..2bd70ae63301275fd835055e9578dea5d76e0787 100644 (file)
@@ -5,6 +5,14 @@ policy_module(abrt, 1.1.1)
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow ABRT to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(abrt_anon_write, false)
+
 type abrt_t;
 type abrt_exec_t;
 init_daemon_domain(abrt_t, abrt_exec_t)
@@ -50,7 +58,7 @@ ifdef(`enable_mcs',`
 
 allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };
 dontaudit abrt_t self:capability sys_rawio;
-allow abrt_t self:process { signal signull setsched getsched };
+allow abrt_t self:process { sigkill signal signull setsched getsched };
 
 allow abrt_t self:fifo_file rw_fifo_file_perms;
 allow abrt_t self:tcp_socket create_stream_socket_perms;
@@ -69,6 +77,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
 manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
 manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
 files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
+can_exec(abrt_t, abrt_tmp_t)
 
 # abrt var/cache files
 manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
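Review bot: `can_exec(abrt_t, abrt_tmp_t)` lets the daemon execute anything in a type it creates and fully manages under /tmp (the `manage_*_pattern` and `files_tmp_filetrans` lines just above), so any content abrt_t writes there, including material derived from a crash report, becomes executable by a domain that also holds `dac_override` and `setuid`. If a plugin genuinely needs this, add a comment naming it, e.g. `# abrt executes helper scripts it unpacks into abrt_tmp_t (which plugin?)`; otherwise prefer a dedicated exec type that abrt_t cannot write.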
@@ -82,7 +91,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
 manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
 manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
 manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
-files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
+files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
 
 kernel_read_ring_buffer(abrt_t)
 kernel_read_system_state(abrt_t)
@@ -121,6 +130,8 @@ files_read_generic_tmp_files(abrt_t)
 files_read_kernel_modules(abrt_t)
 files_dontaudit_list_default(abrt_t)
 files_dontaudit_read_default_files(abrt_t)
+files_dontaudit_read_all_symlinks(abrt_t)
+files_dontaudit_getattr_all_sockets(abrt_t)
 
 fs_list_inotifyfs(abrt_t)
 fs_getattr_all_fs(abrt_t)
@@ -131,7 +142,7 @@ fs_read_nfs_files(abrt_t)
 fs_read_nfs_symlinks(abrt_t)
 fs_search_all(abrt_t)
 
-sysnet_read_config(abrt_t)
+sysnet_dns_name_resolve(abrt_t)
 
 logging_read_generic_logs(abrt_t)
 logging_send_syslog_msg(abrt_t)
@@ -140,6 +151,15 @@ miscfiles_read_generic_certs(abrt_t)
 miscfiles_read_localization(abrt_t)
 
 userdom_dontaudit_read_user_home_content_files(abrt_t)
+userdom_dontaudit_read_admin_home_files(abrt_t)
+
+tunable_policy(`abrt_anon_write',`
+        miscfiles_manage_public_files(abrt_t)
+')
+
+optional_policy(`
+       apache_read_modules(abrt_t)
+')
 
 optional_policy(`
        dbus_system_domain(abrt_t, abrt_exec_t)
@@ -150,7 +170,12 @@ optional_policy(`
 ')
 
 optional_policy(`
-       policykit_dbus_chat(abrt_t)
+       nsplugin_read_rw_files(abrt_t)
+       nsplugin_read_home(abrt_t)
+')
+
+optional_policy(`
+        policykit_dbus_chat(abrt_t)
        policykit_domtrans_auth(abrt_t)
        policykit_read_lib(abrt_t)
        policykit_read_reload(abrt_t)
@@ -177,6 +202,12 @@ optional_policy(`
        sendmail_domtrans(abrt_t)
 ')
 
+optional_policy(`
+       sosreport_domtrans(abrt_t)
+       sosreport_read_tmp_files(abrt_t)
+       sosreport_delete_tmp_files(abrt_t)
+')
+
 optional_policy(`
        sssd_stream_connect(abrt_t)
 ')
@@ -203,6 +234,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
 domain_read_all_domains_state(abrt_helper_t)
 
 files_read_etc_files(abrt_helper_t)
+files_dontaudit_all_non_security_leaks(abrt_helper_t)
 
 fs_list_inotifyfs(abrt_helper_t)
 fs_getattr_all_fs(abrt_helper_t)
@@ -217,11 +249,26 @@ term_dontaudit_use_all_ttys(abrt_helper_t)
 term_dontaudit_use_all_ptys(abrt_helper_t)
 
 ifdef(`hide_broken_symptoms', `
+       domain_dontaudit_leaks(abrt_helper_t)
        userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
        userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
+       optional_policy(`
+               rpm_dontaudit_leaks(abrt_helper_t)
+       ')
        dev_dontaudit_read_all_blk_files(abrt_helper_t)
        dev_dontaudit_read_all_chr_files(abrt_helper_t)
        dev_dontaudit_write_all_chr_files(abrt_helper_t)
        dev_dontaudit_write_all_blk_files(abrt_helper_t)
        fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
 ')
+
+
+ifdef(`hide_broken_symptoms', `
+       gen_require(`
+        attribute domain;
+       ')
+
+       allow abrt_t self:capability sys_resource;    
+       allow abrt_t domain:file write;
+       allow abrt_t domain:process setrlimit;
+')
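Review bot: the second `ifdef(`hide_broken_symptoms', …)` block grants `allow abrt_t domain:file write;`, `allow abrt_t domain:process setrlimit;` and `sys_resource`, which is write access to the /proc files and resource limits of every domain on the system, not a dontaudit; the first `hide_broken_symptoms` block a few lines up only silences noise, so hiding real allow rules behind the same macro means they ship silently in the default build. If abrt must raise limits for crashing processes, scope the target to what it actually touches (hedged: perhaps only the domains it already inspects) and document it, and merge the two `hide_broken_symptoms` blocks into one. The `attribute domain;` line is also indented with spaces while the rest of the file uses tabs.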
index c0f858de6944a2afa25649cb041a3ffdf2c81551..b46f76fca459cd066db3146d218e3977417dff47 100644 (file)
@@ -138,7 +138,7 @@ interface(`accountsd_admin',`
                type accountsd_t;
        ')
 
-       allow $1 accountsd_t:process { ptrace signal_perms getattr };
+       allow $1 accountsd_t:process { ptrace signal_perms };
        ps_process_pattern($1, accountsd_t)
 
        accountsd_manage_lib_files($1)
index 1632f105a864e2157b94b440770073df1bb112a6..2724c115aec19611a7f74aebad9979ba74394a66 100644 (file)
@@ -8,6 +8,8 @@ policy_module(accountsd, 1.0.0)
 type accountsd_t;
 type accountsd_exec_t;
 dbus_system_domain(accountsd_t, accountsd_exec_t)
+init_daemon_domain(accountsd_t, accountsd_exec_t)
+role system_r types accountsd_t;
 
 type accountsd_var_lib_t;
 files_type(accountsd_var_lib_t)
@@ -55,3 +57,8 @@ optional_policy(`
 optional_policy(`
        policykit_dbus_chat(accountsd_t)
 ')
+
+optional_policy(`
+       xserver_dbus_chat_xdm(accountsd_t)
+       xserver_manage_xdm_etc_files(accountsd_t)
+')
index 8559cdc6d6e1b5e743c09b037c25262f5fdc4ab1..49c0cc8c278cf5da81b7d387e55fd8afb12ac10d 100644 (file)
@@ -97,8 +97,8 @@ interface(`afs_admin',`
                type afs_t, afs_initrc_exec_t;
        ')
 
-       allow $1 afs_t:process { ptrace signal_perms getattr };
-       read_files_pattern($1, afs_t, afs_t)
+       allow $1 afs_t:process { ptrace signal_perms };
+       ps_process_pattern($1, afs_t)
 
        # Allow afs_admin to restart the afs service
        afs_initrc_domtrans($1)
index de8b79133fff13543c13ef6d6f9a0ca08b2f6d53..9ec36b90b89ac1b10243d0031604193d8b7327ed 100644 (file)
@@ -82,6 +82,10 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir })
 
 kernel_rw_afs_state(afs_t)
 
+ifdef(`hide_broken_symptoms', `
+       kernel_rw_unlabeled_files(afs_t)
+')
+
 corenet_all_recvfrom_unlabeled(afs_t)
 corenet_all_recvfrom_netlabel(afs_t)
 corenet_tcp_sendrecv_generic_if(afs_t)
diff --git a/policy/modules/services/aiccu.fc b/policy/modules/services/aiccu.fc
new file mode 100644 (file)
index 0000000..069518f
--- /dev/null
@@ -0,0 +1,6 @@
+/etc/aiccu.conf                        --      gen_context(system_u:object_r:aiccu_etc_t,s0)
+/etc/rc\.d/init\.d/aiccu       --      gen_context(system_u:object_r:aiccu_initrc_exec_t,s0)
+
+/usr/sbin/aiccu                        --      gen_context(system_u:object_r:aiccu_exec_t,s0)
+
+/var/run/aiccu\.pid            --      gen_context(system_u:object_r:aiccu_var_run_t,s0)
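Review bot: the first entry, `/etc/aiccu.conf`, leaves the dot unescaped, so as a regex it also matches e.g. `/etc/aiccuXconf`; the other two entries in this file escape it. Use `/etc/aiccu\.conf		--	gen_context(system_u:object_r:aiccu_etc_t,s0)`.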
diff --git a/policy/modules/services/aiccu.if b/policy/modules/services/aiccu.if
new file mode 100644 (file)
index 0000000..420c856
--- /dev/null
@@ -0,0 +1,118 @@
+## <summary>Automatic IPv6 Connectivity Client Utility.</summary>
+
+########################################
+## <summary>
+##     Execute a domain transition to run aiccu.
+## </summary>
+## <param name="domain">
+## <summary>
+##     Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`aiccu_domtrans',`
+       gen_require(`
+               type aiccu_t, aiccu_exec_t;
+       ')
+
+       domtrans_pattern($1, aiccu_exec_t, aiccu_t)
+       corecmd_search_bin($1)
+')
+
+
+########################################
+## <summary>
+##     Execute aiccu server in the aiccu domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to transition.
+##     </summary>
+## </param>
+#
+interface(`aiccu_initrc_domtrans',`
+       gen_require(`
+               type aiccu_initrc_exec_t;
+       ')
+
+       init_labeled_script_domtrans($1, aiccu_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##     Read aiccu PID files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`aiccu_read_pid_files',`
+       gen_require(`
+               type aiccu_var_run_t;
+       ')
+
+       allow $1 aiccu_var_run_t:file read_file_perms;
+       files_search_pids($1)
+')
+
+########################################
+## <summary>
+##     Manage aiccu PID files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`aiccu_manage_var_run',`
+       gen_require(`
+               type aiccu_var_run_t;
+       ')
+
+       manage_dirs_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
+       manage_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
+       manage_lnk_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t)
+       files_search_pids($1)
+')
+
+
+########################################
+## <summary>
+##     All of the rules required to administrate 
+##     an aiccu environment
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     Role allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`aiccu_admin',`
+       gen_require(`
+               type aiccu_t, aiccu_initrc_exec_t, aiccu_etc_t;
+               type aiccu_var_run_t;
+       ')
+
+       allow $1 aiccu_t:process { ptrace signal_perms };
+       ps_process_pattern($1, aiccu_t)
+
+       aiccu_initrc_domtrans($1)
+       domain_system_change_exemption($1)
+       role_transition $2 aiccu_initrc_exec_t system_r;
+       allow $2 system_r;
+
+       admin_pattern($1, aiccu_etc_t)
+       files_search_etc($1)
+
+       admin_pattern($1, aiccu_var_run_t)
+       files_search_pids($1)
+')
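Review bot: `aiccu_manage_var_run` breaks the naming used by its sibling `aiccu_read_pid_files` and by the rest of the tree, where the PID-file pair is `_read_pid_files`/`_manage_pid_files`; since the interface is brand new, renaming it to `interface(`aiccu_manage_pid_files',` before anything depends on it is cheap. The summary already says "Manage aiccu PID files", so only the identifier needs to change.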
diff --git a/policy/modules/services/aiccu.te b/policy/modules/services/aiccu.te
new file mode 100644 (file)
index 0000000..d21aa69
--- /dev/null
@@ -0,0 +1,71 @@
+policy_module(aiccu, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type aiccu_t;
+type aiccu_exec_t;
+init_daemon_domain(aiccu_t, aiccu_exec_t)
+
+type aiccu_initrc_exec_t;
+init_script_file(aiccu_initrc_exec_t)
+
+type aiccu_etc_t;
+files_config_file(aiccu_etc_t)
+
+type aiccu_var_run_t;
+files_pid_file(aiccu_var_run_t)
+
+########################################
+#
+# aiccu local policy
+#
+
+allow aiccu_t self:capability { kill net_admin };
+dontaudit aiccu_t self:capability sys_tty_config;
+allow aiccu_t self:process signal;
+allow aiccu_t self:fifo_file rw_fifo_file_perms;
+allow aiccu_t self:netlink_route_socket create_netlink_socket_perms;
+allow aiccu_t self:tcp_socket create_stream_socket_perms;
+allow aiccu_t self:tun_socket create_socket_perms;
+allow aiccu_t self:udp_socket create_stream_socket_perms;
+allow aiccu_t self:unix_stream_socket create_stream_socket_perms;
+
+allow aiccu_t aiccu_etc_t:file read_file_perms;
+
+manage_dirs_pattern(aiccu_t, aiccu_var_run_t,  aiccu_var_run_t)
+manage_files_pattern(aiccu_t, aiccu_var_run_t,  aiccu_var_run_t)
+files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir })
+
+kernel_read_system_state(aiccu_t)
+
+corecmd_exec_shell(aiccu_t)
+
+corenet_all_recvfrom_netlabel(aiccu_t)
+corenet_all_recvfrom_unlabeled(aiccu_t)
+corenet_tcp_bind_generic_node(aiccu_t)
+corenet_tcp_sendrecv_generic_if(aiccu_t)
+corenet_tcp_sendrecv_generic_node(aiccu_t)
+corenet_tcp_sendrecv_generic_port(aiccu_t)
+corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
+corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
+corenet_tcp_connect_sixxsconfig_port(aiccu_t)
+corenet_rw_tun_tap_dev(aiccu_t)
+
+domain_use_interactive_fds(aiccu_t)
+
+dev_read_rand(aiccu_t)
+dev_read_urand(aiccu_t)
+
+files_read_etc_files(aiccu_t)
+
+logging_send_syslog_msg(aiccu_t)
+
+miscfiles_read_localization(aiccu_t)
+
+modutils_domtrans_insmod(aiccu_t)
+
+sysnet_domtrans_ifconfig(aiccu_t)
+sysnet_dns_name_resolve(aiccu_t)
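Review bot: `allow aiccu_t self:udp_socket create_stream_socket_perms;` asks for listen/accept on a datagram socket; the conventional set for UDP is `create_socket_perms`, as the stream set on the tcp line above is the deliberate one. Separately, the domain combines `corecmd_exec_shell`, `net_admin`, `modutils_domtrans_insmod` and `sysnet_domtrans_ifconfig`, which is a lot of reach for a client that reads a config file presumably holding tunnel-broker credentials; a one-line comment above `corecmd_exec_shell(aiccu_t)` stating what it runs (the setup script named in the config, if that is the reason) would justify it. The two `manage_*_pattern` lines also carry a doubled space before the third argument.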
index 97c9cae682275febed5286284da87bd50b7dcd7b..c24bd66d91a02130ca2de8d9f404833529892b98 100644 (file)
@@ -32,7 +32,7 @@ files_pid_file(aisexec_var_run_t)
 # aisexec local policy
 #
 
-allow aisexec_t self:capability { sys_nice sys_resource ipc_lock };
+allow aisexec_t self:capability { sys_nice sys_resource ipc_lock ipc_owner };
 allow aisexec_t self:process { setrlimit setsched signal };
 allow aisexec_t self:fifo_file rw_fifo_file_perms;
 allow aisexec_t self:sem create_sem_perms;
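Review bot: adding `ipc_owner` to aisexec_t's capabilities lets it bypass DAC ownership checks on every SysV IPC object it can reach by type, and the next hunk widens that reach to unprivileged users' semaphores and shared memory; together that is read/write to any user's IPC objects. If corosync/openais needs this to attach to segments created by its client processes (hedged: that is the usual reason), say so beside the capability line, e.g. `# ipc_owner: attach to client-created shm/sem segments owned by other uids`, so the grant is not later mistaken for noise.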
@@ -81,6 +81,9 @@ logging_send_syslog_msg(aisexec_t)
 
 miscfiles_read_localization(aisexec_t)
 
+userdom_rw_semaphores(aisexec_t)
+userdom_rw_unpriv_user_shared_mem(aisexec_t)
+
 optional_policy(`
        ccs_stream_connect(aisexec_t)
 ')
diff --git a/policy/modules/services/ajaxterm.fc b/policy/modules/services/ajaxterm.fc
new file mode 100644 (file)
index 0000000..aeb1888
--- /dev/null
@@ -0,0 +1,6 @@
+
+/etc/rc\.d/init\.d/ajaxterm    --      gen_context(system_u:object_r:ajaxterm_initrc_exec_t,s0)
+
+/usr/share/ajaxterm/ajaxterm\.py       --      gen_context(system_u:object_r:ajaxterm_exec_t,s0)
+
+/var/run/ajaxterm\.pid         --      gen_context(system_u:object_r:ajaxterm_var_run_t,s0)
diff --git a/policy/modules/services/ajaxterm.if b/policy/modules/services/ajaxterm.if
new file mode 100644 (file)
index 0000000..581ae6e
--- /dev/null
@@ -0,0 +1,72 @@
+
+## <summary>policy for ajaxterm</summary>
+
+########################################
+## <summary>
+##     Execute a domain transition to run ajaxterm.
+## </summary>
+## <param name="domain">
+## <summary>
+##     Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ajaxterm_domtrans',`
+       gen_require(`
+               type ajaxterm_t, ajaxterm_exec_t;
+       ')
+
+       domtrans_pattern($1, ajaxterm_exec_t, ajaxterm_t)
+')
+
+
+########################################
+## <summary>
+##     Execute ajaxterm server in the ajaxterm domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     The type of the process performing this action.
+##     </summary>
+## </param>
+#
+interface(`ajaxterm_initrc_domtrans',`
+       gen_require(`
+               type ajaxterm_initrc_exec_t;
+       ')
+
+       init_labeled_script_domtrans($1, ajaxterm_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##     All of the rules required to administrate
+##     an ajaxterm environment
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     Role allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ajaxterm_admin',`
+       gen_require(`
+               type ajaxterm_t;
+               type ajaxterm_initrc_exec_t;
+       ')
+
+       allow $1 ajaxterm_t:process { ptrace signal_perms };
+       ps_process_pattern($1, ajaxterm_t)
+
+       ajaxterm_initrc_domtrans($1)
+       domain_system_change_exemption($1)
+       role_transition $2 ajaxterm_initrc_exec_t system_r;
+       allow $2 system_r;
+
+')
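Review bot: `ajaxterm_admin` never touches `ajaxterm_var_run_t`, although the companion ajaxterm.te declares it and the daemon creates files there, so an admin role cannot clean up a stale PID file; add `type ajaxterm_var_run_t;` to the `gen_require`, then `admin_pattern($1, ajaxterm_var_run_t)` and `files_search_pids($1)` before the closing `')`. The stray blank line before that `')` can go at the same time.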
diff --git a/policy/modules/services/ajaxterm.te b/policy/modules/services/ajaxterm.te
new file mode 100644 (file)
index 0000000..3441758
--- /dev/null
@@ -0,0 +1,56 @@
+policy_module(ajaxterm,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ajaxterm_t;
+type ajaxterm_exec_t;
+init_daemon_domain(ajaxterm_t, ajaxterm_exec_t)
+
+type ajaxterm_initrc_exec_t;
+init_script_file(ajaxterm_initrc_exec_t)
+
+type ajaxterm_var_run_t;
+files_pid_file(ajaxterm_var_run_t)
+
+type ajaxterm_devpts_t;
+term_login_pty(ajaxterm_devpts_t)
+
+permissive ajaxterm_t;
+
+########################################
+#
+# ajaxterm local policy
+#
+allow ajaxterm_t self:capability setuid;
+allow ajaxterm_t self:process setpgid;
+allow ajaxterm_t self:fifo_file rw_fifo_file_perms;
+allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms;
+allow ajaxterm_t self:tcp_socket create_stream_socket_perms;
+
+allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
+term_create_pty(ajaxterm_t, ajaxterm_devpts_t)
+
+manage_dirs_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
+manage_files_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
+files_pid_filetrans(ajaxterm_t, ajaxterm_var_run_t, { file dir })
+
+kernel_read_system_state(ajaxterm_t)
+
+corecmd_exec_bin(ajaxterm_t)
+
+corenet_tcp_bind_generic_node(ajaxterm_t)
+corenet_tcp_bind_ajaxterm_port(ajaxterm_t)
+
+dev_read_urand(ajaxterm_t)
+
+domain_use_interactive_fds(ajaxterm_t)
+
+files_read_etc_files(ajaxterm_t)
+files_read_usr_files(ajaxterm_t)
+
+miscfiles_read_localization(ajaxterm_t)
+
+sysnet_dns_name_resolve(ajaxterm_t)
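Review bot: `permissive ajaxterm_t;` ships this domain unenforced, which will mask the rules the policy is still missing: the domain binds `ajaxterm_port` but has no `corenet_tcp_sendrecv_generic_if`/`_node` or `corenet_all_recvfrom_*` grants, so in enforcing mode it could bind yet never exchange traffic. At minimum mark the line so it is not forgotten, e.g. `# TODO: permissive while the policy is completed; remove before release` above `permissive ajaxterm_t;`, and note the missing network rules in the same comment.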
index 9e39aa5be7ccdce1305a3d98d924b81ee2f06ce4..8603d4d18378334625c6c831ae3ecbf0e4835509 100644 (file)
@@ -2,7 +2,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
 
 /etc/apache(2)?(/.*)?                  gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/apache-ssl(2)?(/.*)?              gen_context(system_u:object_r:httpd_config_t,s0)
-/etc/drupal(/.*)?                      gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/drupal(6)?(/.*)?                  gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /etc/htdig(/.*)?                       gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /etc/httpd(/.*)?                       gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/httpd/conf/keytab         --      gen_context(system_u:object_r:httpd_keytab_t,s0)
@@ -24,7 +24,6 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
 
 /usr/lib/apache-ssl/.+         --      gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/lib/cgi-bin(/.*)?                 gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/lib/dirsrv/cgi-bin(/.*)?          gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 /usr/lib(64)?/apache(/.*)?             gen_context(system_u:object_r:httpd_modules_t,s0)
 /usr/lib(64)?/apache2/modules(/.*)?    gen_context(system_u:object_r:httpd_modules_t,s0)
 /usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
@@ -43,8 +42,7 @@ ifdef(`distro_suse', `
 /usr/sbin/httpd2-.*            --      gen_context(system_u:object_r:httpd_exec_t,s0)
 ')
 
-/usr/share/dirsrv(/.*)?                        gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/drupal(/.*)?                        gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/drupal(6)?(/.*)?                    gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/share/htdig(/.*)?                 gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/share/icecast(/.*)?               gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/share/mythweb(/.*)?               gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -74,7 +72,8 @@ ifdef(`distro_suse', `
 
 /var/lib/cacti/rra(/.*)?               gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/lib/dav(/.*)?                     gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/drupal(/.*)?                  gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/dokuwiki(/.*)?                        gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/drupal(6)?(/.*)?                      gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/htdig(/.*)?                   gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/lib/httpd(/.*)?                   gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/php/session(/.*)?             gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -86,7 +85,6 @@ ifdef(`distro_suse', `
 /var/log/cgiwrap\.log.*                --      gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/httpd(/.*)?                   gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/lighttpd(/.*)?                        gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/piranha(/.*)?                 gen_context(system_u:object_r:httpd_log_t,s0)
 
 ifdef(`distro_debian', `
 /var/log/horde2(/.*)?                  gen_context(system_u:object_r:httpd_log_t,s0)
@@ -109,3 +107,17 @@ ifdef(`distro_debian', `
 /var/www/cgi-bin(/.*)?                 gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 /var/www/icons(/.*)?                   gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/www/perl(/.*)?                    gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+/var/www/html/[^/]*/cgi-bin(/.*)?      gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
+/var/www/html/configuration\.php       gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/var/www/gallery/albums(/.*)?          gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/var/lib/koji(/.*)?                    gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/pootle/po(/.*)?               gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/rt3/data/RT-Shredder(/.*)?    gen_context(system_u:object_r:httpd_var_lib_t,s0)
+
+/var/www/svn(/.*)?                     gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/svn/hooks(/.*)?               gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)?                        gen_context(system_u:object_r:httpd_sys_content_t,s0)
index c9e1a4435ea10434d4dbea3d6a8fcc0b9af086a3..2244b11ed2a00dafdfec70cf873b8e60aed7cc37 100644 (file)
 #
 template(`apache_content_template',`
        gen_require(`
-               attribute httpdcontent;
                attribute httpd_exec_scripts;
                attribute httpd_script_exec_type;
                type httpd_t, httpd_suexec_t, httpd_log_t;
+               type httpd_sys_content_t;
        ')
-       # allow write access to public file transfer
-       # services files.
-       gen_tunable(allow_httpd_$1_script_anon_write, false)
 
        #This type is for webpages
-       type httpd_$1_content_t, httpdcontent; # customizable
+       type httpd_$1_content_t; # customizable;
        typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
        files_type(httpd_$1_content_t)
 
@@ -36,16 +33,18 @@ template(`apache_content_template',`
        domain_type(httpd_$1_script_t)
        role system_r types httpd_$1_script_t;
 
+       search_dirs_pattern(httpd_$1_script_t, httpd_sys_content_t, httpd_script_exec_type)
+
        # This type is used for executable scripts files
        type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
        corecmd_shell_entry_type(httpd_$1_script_t)
        domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
 
-       type httpd_$1_rw_content_t, httpdcontent; # customizable
+       type httpd_$1_rw_content_t; # customizable
        typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
        files_type(httpd_$1_rw_content_t)
 
-       type httpd_$1_ra_content_t, httpdcontent; # customizable
+       type httpd_$1_ra_content_t; # customizable
        typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
        files_type(httpd_$1_ra_content_t)
 
@@ -54,7 +53,7 @@ template(`apache_content_template',`
        domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
 
        allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
-       allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
+       allow httpd_suexec_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
 
        allow httpd_$1_script_t self:fifo_file rw_file_perms;
        allow httpd_$1_script_t self:unix_stream_socket connectto;
@@ -86,7 +85,6 @@ template(`apache_content_template',`
        manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
        manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
        manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-       files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
 
        kernel_dontaudit_search_sysctl(httpd_$1_script_t)
        kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
@@ -95,6 +93,7 @@ template(`apache_content_template',`
        dev_read_urand(httpd_$1_script_t)
 
        corecmd_exec_all_executables(httpd_$1_script_t)
+       application_exec_all(httpd_$1_script_t)
 
        files_exec_etc_files(httpd_$1_script_t)
        files_read_etc_files(httpd_$1_script_t)
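Review bot: `application_exec_all(httpd_$1_script_t)` is added unconditionally next to `corecmd_exec_all_executables`, so every generated CGI domain may now execute every type marked as an application executable, not only the bin/sbin types; the CGI-specific grants in this template live under `tunable_policy(`httpd_enable_cgi',…)`, and this one arguably belongs there too, or should carry a comment naming the application CGI scripts need to run.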
@@ -108,19 +107,6 @@ template(`apache_content_template',`
 
        seutil_dontaudit_search_config(httpd_$1_script_t)
 
-       tunable_policy(`httpd_enable_cgi && httpd_unified',`
-               allow httpd_$1_script_t httpdcontent:file entrypoint;
-
-               manage_dirs_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
-               manage_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
-               manage_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent)
-               can_exec(httpd_$1_script_t, httpdcontent)
-       ')
-
-       tunable_policy(`allow_httpd_$1_script_anon_write',`
-               miscfiles_manage_public_files(httpd_$1_script_t)
-       ')
-
        # Allow the web server to run scripts and serve pages
        tunable_policy(`httpd_builtin_scripting',`
                manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
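Review bot: removing the `httpd_enable_cgi && httpd_unified` block from the template means `httpd_unified` no longer gives `httpd_$1_script_t` entrypoint/manage/exec rights over the content types for any instantiation, and `allow_httpd_$1_script_anon_write` disappears as a boolean, so settings persisted for e.g. `allow_httpd_sys_script_anon_write` will refer to a name the policy no longer defines. If both have been re-homed (the commit message says only "Merge upstream", and apache.te is outside this view) a comment at the removal point, e.g. `# httpd_unified and anon_write handling moved to apache.te`, would save the next reader the search; if they have not, this is a silent behaviour change for deployed systems.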
@@ -140,6 +126,7 @@ template(`apache_content_template',`
                allow httpd_t httpd_$1_content_t:dir list_dir_perms;
                read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
                read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+               allow httpd_t httpd_$1_script_t:unix_stream_socket connectto;
        ')
 
        tunable_policy(`httpd_enable_cgi',`
@@ -148,14 +135,19 @@ template(`apache_content_template',`
                # privileged users run the script:
                domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
 
+               allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
+
                # apache runs the script:
                domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
 
+               allow httpd_t httpd_$1_script_exec_t:file read_file_perms;
+
                allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
                allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
 
                allow httpd_$1_script_t self:process { setsched signal_perms };
                allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
+               allow httpd_$1_script_t self:unix_dgram_socket create_socket_perms;
 
                allow httpd_$1_script_t httpd_t:fd use;
                allow httpd_$1_script_t httpd_t:process sigchld;
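Review bot: The two added `read_file_perms` rules on `httpd_$1_script_exec_t` sit right after `domtrans_pattern` calls on the same file type, and in refpolicy the transition pattern already grants read/open/getattr/execute on the entry file, so presumably only the extra bits of `read_file_perms` (ioctl, lock) are new here — worth a one-line comment saying which interpreter needs them, otherwise the next reader will assume the rule is redundant and drop it. The same applies to `allow httpd_$1_script_t self:unix_dgram_socket create_socket_perms;` (likely syslog, but not stated). The enclosing tunable_policy block continues outside the hunk.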
@@ -172,6 +164,7 @@ template(`apache_content_template',`
                libs_read_lib_files(httpd_$1_script_t)
 
                miscfiles_read_localization(httpd_$1_script_t)
+               allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;
        ')
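Review bot: `allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;` hard-codes the sys content type inside a template that is also instantiated for `user` (L12836), so user scripts silently gain search on system content; if that is intended it should be said, e.g. `# user scripts may need to traverse /var/www to reach their own content`. The template's gen_require block is outside this hunk — if `httpd_sys_content_t` is not listed there the reference relies on the type being declared in the same module. The enclosing tunable_policy block starts outside the hunk.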
 
        optional_policy(`
@@ -182,15 +175,13 @@ template(`apache_content_template',`
 
        optional_policy(`
                postgresql_unpriv_client(httpd_$1_script_t)
-
-               tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
-                       postgresql_tcp_connect(httpd_$1_script_t)
-               ')
        ')
 
        optional_policy(`
                nscd_socket_use(httpd_$1_script_t)
        ')
+
+       dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };
 ')
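Review bot: Removing the `httpd_enable_cgi && httpd_can_network_connect_db` block from the template drops `postgresql_tcp_connect` for every script domain, and the later hunk at L13124 only restores it for `httpd_sys_script_t`, so user scripts lose remote PostgreSQL access with no mention of it in the commit; if that is deliberate it deserves a comment at L13124, otherwise the user script domain needs the same rule. Separately, the new unconditional `dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };` duplicates part of the `apache_dontaudit_leaks` interface introduced at L12673; calling `apache_dontaudit_leaks(httpd_$1_script_t)` here would keep the leaked-fd handling in one place.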
 
 ########################################
@@ -229,6 +220,13 @@ interface(`apache_role',`
        relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
        relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
 
+       manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+       manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+       manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+       relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+       relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+       relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+
        manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
        manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
        manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
@@ -243,6 +241,8 @@ interface(`apache_role',`
        relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
        relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
 
+       apache_exec_modules($2)
+
        tunable_policy(`httpd_enable_cgi',`
                # If a user starts a script by hand it gets the proper context
                domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
@@ -312,6 +312,25 @@ interface(`apache_domtrans',`
        domtrans_pattern($1, httpd_exec_t, httpd_t)
 ')
 
+######################################
+## <summary>
+##  Allow the specified domain to execute apache
+##  in the caller domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`apache_exec',`
+    gen_require(`
+        type httpd_exec_t;
+    ')
+
+    can_exec($1, httpd_exec_t)
+')
+
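Review bot: The new `apache_exec` interface is indented with four spaces while the neighbouring interfaces in this file use tabs (compare `apache_delete_cache_dirs` at L12439), and the same mismatch appears in `apache_read_sys_content_rw_files`, `apache_manage_sys_content_rw` and `apache_dontaudit_rw_tmp_files`; please re-indent these to tabs before merging. The summary could also state the security-relevant consequence, e.g. `## Allow the specified domain to execute apache in the caller domain (no domain transition).`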
 #######################################
 ## <summary>
 ##     Send a generic signal to apache.
@@ -400,7 +419,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
                type httpd_t;
        ')
 
-       dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
+       dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 
 ########################################
@@ -523,6 +542,25 @@ interface(`apache_rw_cache_files',`
        allow $1 httpd_cache_t:file rw_file_perms;
 ')
 
+########################################
+## <summary>
+##     Allow the specified domain to delete
+##     Apache cache dirs.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`apache_delete_cache_dirs',`
+       gen_require(`
+               type httpd_cache_t;
+       ')
+
+       delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
+')
+
 ########################################
 ## <summary>
 ##     Allow the specified domain to delete
@@ -738,6 +776,25 @@ interface(`apache_dontaudit_search_modules',`
        dontaudit $1 httpd_modules_t:dir search_dir_perms;
 ')
 
+########################################
+## <summary>
+##     Allow the specified domain to read
+##     the apache module directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`apache_read_modules',`
+       gen_require(`
+               type httpd_modules_t;
+       ')
+
+       read_files_pattern($1, httpd_modules_t, httpd_modules_t)
+')
+
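Review bot: `apache_read_modules` grants only `read_files_pattern`, while the companion `apache_list_modules` in the next hunk (L12480) is extended with `read_lnk_files_pattern` for the same type — presumably because the modules directory contains symlinks. If that is so, a caller of `apache_read_modules` will still hit denials on the links; adding `read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)` here would keep the two interfaces consistent.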
 ########################################
 ## <summary>
 ##     Allow the specified domain to list
@@ -756,6 +813,7 @@ interface(`apache_list_modules',`
        ')
 
        allow $1 httpd_modules_t:dir list_dir_perms;
+       read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)
 ')
 
 ########################################
@@ -814,6 +872,7 @@ interface(`apache_list_sys_content',`
        ')
 
        list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+       read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
        files_search_var($1)
 ')
 
@@ -836,11 +895,80 @@ interface(`apache_manage_sys_content',`
        ')
 
        files_search_var($1)
+       apache_search_sys_content($1)
        manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
        manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
        manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
 ')
 
+######################################
+## <summary>
+##  Allow the specified domain to read
+##  apache system content rw files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_sys_content_rw_files',`
+    gen_require(`
+               type httpd_sys_rw_content_t;
+       ')
+
+    read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+######################################
+## <summary>
+##  Allow the specified domain to manage
+##  apache system content rw files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_manage_sys_content_rw',`
+    gen_require(`
+               type httpd_sys_rw_content_t;
+       ')
+
+    files_search_var($1)
+    manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+    manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+    manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+########################################
+## <summary>
+##     Allow the specified domain to delete
+##     apache system content rw files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_delete_sys_content_rw',`
+       gen_require(`
+               type httpd_sys_rw_content_t;
+       ')
+
+       files_search_tmp($1)
+       delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+       delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+       delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+       delete_fifo_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+       delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
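Review bot: `apache_delete_sys_content_rw` calls `files_search_tmp($1)` whereas the sibling `apache_manage_sys_content_rw` (L12539) and the existing `apache_manage_sys_content` call `files_search_var($1)` for the same content; the file contexts are not in this diff, but if rw content lives under /var this looks like a copy-paste slip and the caller will not be able to reach the directory. Either change it to `files_search_var($1)` or add a comment explaining why tmp is the right parent here. `apache_read_sys_content_rw_files` and `apache_manage_sys_content_rw` also mix four-space and tab indentation inside the same interface.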
 ########################################
 ## <summary>
 ##     Execute all web scripts in the system
@@ -858,6 +986,11 @@ interface(`apache_domtrans_sys_script',`
        gen_require(`
                attribute httpdcontent;
                type httpd_sys_script_t;
+               type httpd_sys_content_t;
+       ')
+
+       tunable_policy(`httpd_enable_cgi',`
+               domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)
        ')
 
        tunable_policy(`httpd_enable_cgi && httpd_unified',`
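Review bot: The new gen_require line adds `type httpd_sys_content_t;`, but the type the new rule actually uses is `httpd_sys_script_exec_t` in `domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)`, and that one is not required; the visible require block does not mention it, so the interface will fail to build in a module that does not already pull it in. It looks like the wrong type was added — `type httpd_sys_script_exec_t;` is the one needed (keep `httpd_sys_content_t` only if the rest of the interface, outside the hunk, uses it). apache_domtrans_sys_script continues outside this hunk.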
@@ -945,7 +1078,7 @@ interface(`apache_read_squirrelmail_data',`
                type httpd_squirrelmail_t;
        ')
 
-       allow $1 httpd_squirrelmail_t:file read_file_perms;
+       read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t)
 ')
 
 ########################################
@@ -1086,6 +1219,25 @@ interface(`apache_read_tmp_files',`
        read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
 ')
 
+######################################
+## <summary>
+##  Dontaudit attempts to read and write
+##  apache tmp files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`apache_dontaudit_rw_tmp_files',`
+    gen_require(`
+        type httpd_tmp_t;
+    ')
+
+    dontaudit $1 httpd_tmp_t:file { read write };
+')
+
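Review bot: `apache_dontaudit_rw_tmp_files` describes its parameter as `Domain allowed access.`, but a dontaudit interface grants nothing; the refpolicy wording for these is `##  Domain to not audit.`, and the same correction applies to `apache_dontaudit_leaks` at L12673. The body is also indented with four spaces rather than the tabs used elsewhere in the file.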
 ########################################
 ## <summary>
 ##     Dontaudit attempts to write
@@ -1102,7 +1254,7 @@ interface(`apache_dontaudit_write_tmp_files',`
                type httpd_tmp_t;
        ')
 
-       dontaudit $1 httpd_tmp_t:file write_file_perms;
+       dontaudit $1 httpd_tmp_t:file write;
 ')
 
 ########################################
@@ -1172,7 +1324,7 @@ interface(`apache_admin',`
                type httpd_modules_t, httpd_lock_t;
                type httpd_var_run_t, httpd_php_tmp_t;
                type httpd_suexec_tmp_t, httpd_tmp_t;
-               type httpd_initrc_exec_t;
+               type httpd_initrc_exec_t, httpd_bool_t;
        ')
 
        allow $1 httpd_t:process { getattr ptrace signal_perms };
@@ -1202,12 +1354,43 @@ interface(`apache_admin',`
 
        kernel_search_proc($1)
        allow $1 httpd_t:dir list_dir_perms;
-
+       ps_process_pattern($1, httpd_t)
        read_lnk_files_pattern($1, httpd_t, httpd_t)
 
        admin_pattern($1, httpdcontent)
        admin_pattern($1, httpd_script_exec_type)
+
+       seutil_domtrans_setfiles($1)
+
        admin_pattern($1, httpd_tmp_t)
        admin_pattern($1, httpd_php_tmp_t)
        admin_pattern($1, httpd_suexec_tmp_t)
+
+ifdef(`TODO',`
+       apache_set_booleans($1, $2, $3, httpd_bool_t )
+       seutil_setsebool_role_template($1, $3, $2)
+       allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms;
+       allow httpd_setsebool_t httpd_bool_t:file rw_file_perms;
+')
+')
+
+########################################
+## <summary>
+##     dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`apache_dontaudit_leaks',`
+       gen_require(`
+               type httpd_t;
+       ')
+
+       dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
+       dontaudit $1 httpd_t:tcp_socket { read write };
+       dontaudit $1 httpd_t:unix_dgram_socket { read write };
+       dontaudit $1 httpd_t:unix_stream_socket { read write };
 ')
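Review bot: The `ifdef(`TODO',` block committed into `apache_admin` references `apache_set_booleans` and `httpd_setsebool_t`, which are defined nowhere in this diff, and is the only consumer of the `httpd_bool_t` added to the gen_require at L12634 and declared at L12688 — dead code that a reader has to reverse-engineer; either finish it or leave it out of the commit. `seutil_domtrans_setfiles($1)` is a broad grant (the admin domain can relabel the filesystem) and deserves a why-comment such as `# restorecon of web content after edits`. In `apache_dontaudit_leaks` the summary reads `dontaudit read and write an leaked file descriptors`; suggested `##	Do not audit attempts to read or write leaked apache file descriptors.`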
index 08dfa0c46e39d9337d38ad1518268c53c574031b..86641ddfc54461444aa7da32d77b44f71c918a0e 100644 (file)
@@ -18,6 +18,8 @@ policy_module(apache, 2.2.0)
 # Declarations
 #
 
+selinux_genbool(httpd_bool_t)
+
 ## <desc>
 ## <p>
 ## Allow Apache to modify public files
@@ -34,6 +36,20 @@ gen_tunable(allow_httpd_anon_write, false)
 ## </desc>
 gen_tunable(allow_httpd_mod_auth_pam, false)
 
+## <desc>
+## <p>
+## Allow httpd scripts and modules execmem/execstack
+## </p>
+## </desc>
+gen_tunable(httpd_execmem, false)
+
+## <desc>
+## <p>
+## Allow httpd daemon to change system limits
+## </p>
+## </desc>
+gen_tunable(httpd_setrlimit, false)
+
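Review bot: The `httpd_execmem` description should name what it actually switches on, because the rule at L13112–L13114 grants `execmem`/`execstack` to `httpd_t`, `httpd_sys_script_t` and `httpd_suexec_t`, i.e. it disables the W^X memory protection for the server, CGI and suexec domains together; suggest `## Allow httpd, system CGI scripts and suexec to use execmem/execstack (disables W^X protection for these domains).` Likewise `httpd_setrlimit` could say which limit use case it covers.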
 ## <desc>
 ## <p>
 ## Allow httpd to use built in scripting (usually php)
@@ -43,11 +59,18 @@ gen_tunable(httpd_builtin_scripting, false)
 
 ## <desc>
 ## <p>
-## Allow HTTPD scripts and modules to connect to the network using TCP.
+## Allow HTTPD scripts and modules to connect to the network using any TCP port.
 ## </p>
 ## </desc>
 gen_tunable(httpd_can_network_connect, false)
 
+## <desc>
+## <p>
+## Allow HTTPD scripts and modules to connect to cobbler over the network.
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_connect_cobbler, false)
+
 ## <desc>
 ## <p>
 ## Allow HTTPD scripts and modules to connect to databases over the network.
@@ -55,6 +78,13 @@ gen_tunable(httpd_can_network_connect, false)
 ## </desc>
 gen_tunable(httpd_can_network_connect_db, false)
 
+## <desc>
+## <p>
+## Allow httpd to connect to memcache server
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_memcache, false)
+
 ## <desc>
 ## <p>
 ## Allow httpd to act as a relay
@@ -69,6 +99,13 @@ gen_tunable(httpd_can_network_relay, false)
 ## </desc>
 gen_tunable(httpd_can_sendmail, false)
 
+## <desc>
+## <p>
+## Allow http daemon to check spam
+## </p>
+## </desc>
+gen_tunable(httpd_can_check_spam, false)
+
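Review bot: `httpd_can_check_spam` is only effective together with `httpd_can_sendmail`, because the rule that consumes it (L13239) is gated on `httpd_can_sendmail && httpd_can_check_spam`; the description should say so, otherwise an administrator enabling just this boolean will see no effect, e.g. `## Allow httpd to run spamassassin client (requires httpd_can_sendmail).`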
 ## <desc>
 ## <p>
 ## Allow Apache to communicate with avahi service via dbus
@@ -78,7 +115,7 @@ gen_tunable(httpd_dbus_avahi, false)
 
 ## <desc>
 ## <p>
-## Allow httpd cgi support
+## Allow httpd to execute cgi scripts
 ## </p>
 ## </desc>
 gen_tunable(httpd_enable_cgi, false)
@@ -98,6 +135,13 @@ gen_tunable(httpd_enable_ftp_server, false)
 ## </desc>
 gen_tunable(httpd_enable_homedirs, false)
 
+## <desc>
+## <p>
+## Allow httpd to read user content 
+## </p>
+## </desc>
+gen_tunable(httpd_read_user_content, false)
+
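Review bot: Line `## Allow httpd to read user content ` carries trailing whitespace; the same appears on the closing `') ` at L12972 and L13115. Trivial, but worth stripping before merge since the file is otherwise clean.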
 ## <desc>
 ## <p>
 ## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
@@ -105,6 +149,13 @@ gen_tunable(httpd_enable_homedirs, false)
 ## </desc>
 gen_tunable(httpd_ssi_exec, false)
 
+## <desc>
+## <p>
+## Allow Apache to execute tmp content.
+## </p>
+## </desc>
+gen_tunable(httpd_tmp_exec, false)
+
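Review bot: `httpd_tmp_exec` is described as "Allow Apache to execute tmp content", but the rules that use it (L12992–L12998) only apply to `httpd_t` when `httpd_builtin_scripting` is also set and to `httpd_sys_script_t` when `httpd_enable_cgi` is set, and the content in question is `httpd_tmp_t`, files the server itself wrote. Since this re-enables executing web-written files, the description should spell that out, e.g. `## Allow httpd (with builtin scripting) and system CGI scripts to execute files they created in /tmp.`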
 ## <desc>
 ## <p>
 ## Unify HTTPD to communicate with the terminal.
@@ -130,7 +181,7 @@ gen_tunable(httpd_use_cifs, false)
 
 ## <desc>
 ## <p>
-## Allow httpd to run gpg
+## Allow httpd to run gpg in gpg-web domain
 ## </p>
 ## </desc>
 gen_tunable(httpd_use_gpg, false)
@@ -142,6 +193,13 @@ gen_tunable(httpd_use_gpg, false)
 ## </desc>
 gen_tunable(httpd_use_nfs, false)
 
+## <desc>
+## <p>
+## Allow apache scripts to write to public content.  Directories/Files must be labeled public_rw_content_t.
+## </p>
+## </desc>
+gen_tunable(allow_httpd_sys_script_anon_write, false)
+
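Review bot: The description says directories must be labeled `public_rw_content_t`, but the rule it gates (`miscfiles_manage_public_files` at L12971) operates on refpolicy's `public_content_rw_t`; the name in the description is transposed and will send administrators to a nonexistent type. Suggest `## Allow apache scripts to write to public content.  Directories/Files must be labeled public_content_rw_t.` Note also that the template previously had a per-instance `allow_httpd_$1_script_anon_write` (removed at L12305); this new boolean only covers sys scripts.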
 attribute httpdcontent;
 attribute httpd_user_content_type;
 
@@ -216,7 +274,10 @@ files_tmp_file(httpd_suexec_tmp_t)
 
 # setup the system domain for system CGI scripts
 apache_content_template(sys)
-typealias httpd_sys_content_t alias ntop_http_content_t;
+
+typeattribute httpd_sys_content_t httpdcontent; # customizable
+typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
+typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
 
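Review bot: Dropping `typealias httpd_sys_content_t alias ntop_http_content_t;` removes a name that any existing file context or local module may still reference, and the same hunk adds `httpd_sys_content_t` to the `httpdcontent` attribute, which changes what every `httpdcontent`-based rule covers (for instance the `httpd_unified` domtrans at L12980 now reaches all sys content). Both are intentional-looking but silent; a comment such as `# ntop alias dropped: ntop now binds its own port, see corenet_tcp_bind_ntop_port` (if that is the reason, cf. L12876) would save the next reader the archaeology.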
 type httpd_tmp_t;
 files_tmp_file(httpd_tmp_t)
@@ -226,6 +287,10 @@ files_tmpfs_file(httpd_tmpfs_t)
 
 apache_content_template(user)
 ubac_constrained(httpd_user_script_t)
+typeattribute httpd_user_content_t httpdcontent;
+typeattribute httpd_user_rw_content_t httpdcontent;
+typeattribute httpd_user_ra_content_t httpdcontent;
+
 userdom_user_home_content(httpd_user_content_t)
 userdom_user_home_content(httpd_user_htaccess_t)
 userdom_user_home_content(httpd_user_script_exec_t)
@@ -233,6 +298,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
 userdom_user_home_content(httpd_user_rw_content_t)
 typeattribute httpd_user_script_t httpd_script_domains;
 typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
+typealias httpd_user_content_t alias httpd_unconfined_content_t;
 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
 typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
 typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
@@ -286,6 +352,7 @@ allow httpd_t self:udp_socket create_socket_perms;
 manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
 manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
 manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
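Review bot: `files_var_filetrans(httpd_t, httpd_cache_t, { file dir })` has no name component, so every file or directory `httpd_t` creates directly in a `var_t` directory is labeled `httpd_cache_t`, not only the cache directory itself; if a single path is intended, say so in a comment (`# httpd creates /var/cache/<dir> on first start — TODO confirm path`) so a future named transition can be substituted.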
 
 # Allow the httpd_t to read the web servers config files
 allow httpd_t httpd_config_t:dir list_dir_perms;
@@ -355,6 +422,7 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
 kernel_read_kernel_sysctls(httpd_t)
 # for modules that want to access /proc/meminfo
 kernel_read_system_state(httpd_t)
+kernel_search_network_sysctl(httpd_t)
 
 corenet_all_recvfrom_unlabeled(httpd_t)
 corenet_all_recvfrom_netlabel(httpd_t)
@@ -365,8 +433,10 @@ corenet_udp_sendrecv_generic_node(httpd_t)
 corenet_tcp_sendrecv_all_ports(httpd_t)
 corenet_udp_sendrecv_all_ports(httpd_t)
 corenet_tcp_bind_generic_node(httpd_t)
+corenet_udp_bind_generic_node(httpd_t)
 corenet_tcp_bind_http_port(httpd_t)
 corenet_tcp_bind_http_cache_port(httpd_t)
+corenet_tcp_bind_ntop_port(httpd_t)
 corenet_sendrecv_http_server_packets(httpd_t)
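Review bot: `corenet_tcp_bind_ntop_port(httpd_t)` and `corenet_udp_bind_generic_node(httpd_t)` widen the ports and protocols the web server may listen on without explanation; the ntop bind in particular looks connected to the ntop alias removed at L12826. A why-comment on each, e.g. `# ntop is served through httpd, so it binds the ntop port`, would document the intent and let a later reviewer judge whether the grant is still needed.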
 # Signal self for shutdown
 corenet_tcp_connect_http_port(httpd_t)
@@ -378,12 +448,12 @@ dev_rw_crypto(httpd_t)
 
 fs_getattr_all_fs(httpd_t)
 fs_search_auto_mountpoints(httpd_t)
+fs_read_iso9660_files(httpd_t)
+fs_read_anon_inodefs_files(httpd_t)
 
 auth_use_nsswitch(httpd_t)
 
-# execute perl
-corecmd_exec_bin(httpd_t)
-corecmd_exec_shell(httpd_t)
+application_exec_all(httpd_t)
 
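Review bot: Replacing `corecmd_exec_bin`/`corecmd_exec_shell` with `application_exec_all(httpd_t)` is a broader grant — the old pair covered bin_t/shell_exec_t, while the new call presumably covers every `application_exec_type` — and the explanatory `# execute perl` comment was dropped with it; the same substitution, also without a comment, is made for `httpd_suexec_t` at L13180. Please keep a comment naming the use case, e.g. `# execute perl and other interpreters labeled application_exec_type`.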
 domain_use_interactive_fds(httpd_t)
 
@@ -402,6 +472,10 @@ files_read_etc_files(httpd_t)
 files_read_var_lib_symlinks(httpd_t)
 
 fs_search_auto_mountpoints(httpd_sys_script_t)
+# php uploads a file to /tmp and then execs programs to acton them
+manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
 
 libs_read_lib_files(httpd_t)
 
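Review bot: The two `manage_*_pattern` lines give `httpd_sys_script_t` access to `httpd_tmp_t`, yet the `files_tmp_filetrans` on the next line labels what the script itself creates in /tmp as `httpd_sys_rw_content_t`, not `httpd_tmp_t`; so script-created files will not be covered by the manage rules above and not by the `httpd_tmp_exec` exec rule at L12997 either. Either the filetrans target or the comment should say which label is intended. The comment also has a typo: `# php uploads a file to /tmp and then execs programs to act on them`.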
@@ -416,16 +490,31 @@ seutil_dontaudit_search_config(httpd_t)
 
 userdom_use_unpriv_users_fds(httpd_t)
 
+tunable_policy(`httpd_setrlimit',`
+       allow httpd_t self:process setrlimit;
+')
+
 tunable_policy(`allow_httpd_anon_write',`
        miscfiles_manage_public_files(httpd_t)
 ')
 
-ifdef(`TODO', `
 #
 # We need optionals to be able to be within booleans to make this work
 #
 tunable_policy(`allow_httpd_mod_auth_pam',`
-       auth_domtrans_chk_passwd(httpd_t)
+       auth_domtrans_chkpwd(httpd_t)
+       logging_send_audit_msgs(httpd_t)
+')
+
+## <desc>
+## <p>
+## Allow Apache to use mod_auth_pam
+## </p>
+## </desc>
+gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
+optional_policy(`
+tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`
+               samba_domtrans_winbind_helper(httpd_t)
 ')
 ')
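Review bot: The new `gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)` carries a copied description, `Allow Apache to use mod_auth_pam`, which is wrong for this boolean — it should read `## Allow Apache to use mod_auth_ntlm_winbind` — and it is declared in the middle of the rules section instead of with the other tunables under `# Declarations`. The inner `tunable_policy` at L12936 is also not indented inside its `optional_policy`. With the `ifdef(`TODO'` wrapper gone, the comment `We need optionals to be able to be within booleans to make this work` no longer describes a blocker and should be removed or reworded.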
 
@@ -433,19 +522,35 @@ tunable_policy(`httpd_can_network_connect',`
        corenet_tcp_connect_all_ports(httpd_t)
 ')
 
+tunable_policy(`httpd_can_network_memcache',`
+       corenet_tcp_connect_memcache_port(httpd_t)
+')
+
 tunable_policy(`httpd_can_network_relay',`
        # allow httpd to work as a relay
        corenet_tcp_connect_gopher_port(httpd_t)
        corenet_tcp_connect_ftp_port(httpd_t)
        corenet_tcp_connect_http_port(httpd_t)
        corenet_tcp_connect_http_cache_port(httpd_t)
+       corenet_tcp_connect_squid_port(httpd_t)
        corenet_tcp_connect_memcache_port(httpd_t)
        corenet_sendrecv_gopher_client_packets(httpd_t)
        corenet_sendrecv_ftp_client_packets(httpd_t)
        corenet_sendrecv_http_client_packets(httpd_t)
        corenet_sendrecv_http_cache_client_packets(httpd_t)
+       corenet_sendrecv_squid_client_packets(httpd_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+       allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
+       filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
+       can_exec(httpd_sys_script_t, httpd_sys_content_t)
 ')
 
+tunable_policy(`allow_httpd_sys_script_anon_write',`
+       miscfiles_manage_public_files(httpd_sys_script_t)
+') 
+
 tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
        fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
 ')
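Review bot: The `allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;` inside the new `httpd_enable_cgi && httpd_unified` block is already granted unconditionally by `domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)` at L13192, so the tunable no longer gates the entrypoint; and since `httpd_sys_content_t` now belongs to `httpdcontent` (L12828), the `can_exec` here overlaps the existing `httpdcontent` block at L13193–L13201. Decide whether sys content should be an entrypoint unconditionally; if not, drop L13192 and keep this block, otherwise this block is redundant.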
@@ -456,6 +561,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
 
 tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
        domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
+       filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
+       manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
+       manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
+       manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
 
        manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
        manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
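Review bot: The three added `manage_*_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)` lines are subsumed by the `manage_*_pattern(httpd_t, httpdcontent, httpdcontent)` lines directly below them once `httpd_sys_rw_content_t` is in `httpdcontent` (L12829); only the `filetrans_pattern` adds something new. Dropping the three redundant lines, or commenting why they are kept, would keep the block readable. The enclosing tunable_policy block continues outside the hunk.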
@@ -470,11 +579,25 @@ tunable_policy(`httpd_enable_homedirs',`
        userdom_read_user_home_content_files(httpd_t)
 ')
 
+tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
+        can_exec(httpd_t, httpd_tmp_t)
+')
+
+tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
+        can_exec(httpd_sys_script_t, httpd_tmp_t)
+')
+
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
        fs_read_nfs_files(httpd_t)
        fs_read_nfs_symlinks(httpd_t)
 ')
 
+tunable_policy(`httpd_use_nfs',`
+       fs_manage_nfs_dirs(httpd_t)
+       fs_manage_nfs_files(httpd_t)
+       fs_manage_nfs_symlinks(httpd_t)
+')
+
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
        fs_read_cifs_files(httpd_t)
        fs_read_cifs_symlinks(httpd_t)
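Review bot: The two `httpd_tmp_exec` blocks are indented with eight spaces while the surrounding tunable blocks use a tab; the passenger block at L13102–L13104 has the same issue. Please re-indent so the file keeps one style.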
@@ -484,7 +607,16 @@ tunable_policy(`httpd_can_sendmail',`
        # allow httpd to connect to mail servers
        corenet_tcp_connect_smtp_port(httpd_t)
        corenet_sendrecv_smtp_client_packets(httpd_t)
+       corenet_tcp_connect_pop_port(httpd_t)
+       corenet_sendrecv_pop_client_packets(httpd_t)
        mta_send_mail(httpd_t)
+       mta_signal_system_mail(httpd_t)
+')
+
+tunable_policy(`httpd_use_cifs',`
+       fs_manage_cifs_dirs(httpd_t)
+       fs_manage_cifs_files(httpd_t)
+       fs_manage_cifs_symlinks(httpd_t)
 ')
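Review bot: `corenet_tcp_connect_pop_port` and `corenet_sendrecv_pop_client_packets` are added under `httpd_can_sendmail`, but POP is a mail-retrieval protocol, so enabling "can send mail" now also lets httpd open connections to POP servers; that is neither conveyed by the boolean name nor by its description. Either gate it behind its own tunable or add a comment and extend the `<desc>` of `httpd_can_sendmail` to mention POP access. The enclosing tunable_policy block starts outside the hunk.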
 
 tunable_policy(`httpd_ssi_exec',`
@@ -500,8 +632,10 @@ tunable_policy(`httpd_ssi_exec',`
 # are dontaudited here.
 tunable_policy(`httpd_tty_comm',`
        userdom_use_user_terminals(httpd_t)
+       userdom_use_user_terminals(httpd_suexec_t)
 ',`
        userdom_dontaudit_use_user_terminals(httpd_t)
+       userdom_dontaudit_use_user_terminals(httpd_suexec_t)
 ')
 
 optional_policy(`
@@ -513,7 +647,13 @@ optional_policy(`
 ')
 
 optional_policy(`
-       cobbler_search_lib(httpd_t)
+       cobbler_list_config(httpd_t)
+       cobbler_read_config(httpd_t)
+       cobbler_read_lib_files(httpd_t)
+
+       tunable_policy(`httpd_can_network_connect_cobbler',`
+               corenet_tcp_connect_cobbler_port(httpd_t)
+       ')
 ')
 
 optional_policy(`
@@ -528,7 +668,7 @@ optional_policy(`
        daemontools_service_domain(httpd_t, httpd_exec_t)
 ')
 
- optional_policy(`
+optional_policy(`
        dbus_system_bus_client(httpd_t)
 
        tunable_policy(`httpd_dbus_avahi',`
@@ -536,9 +676,13 @@ optional_policy(`
        ')
 ')
 
+optional_policy(`
+       gitosis_read_lib_files(httpd_t)
+')
+
 optional_policy(`
        tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
-               gpg_domtrans(httpd_t)
+               gpg_domtrans_web(httpd_t)
        ')
 ')
 
@@ -557,6 +701,7 @@ optional_policy(`
 
 optional_policy(`
        # Allow httpd to work with mysql
+       mysql_read_config(httpd_t)
        mysql_stream_connect(httpd_t)
        mysql_rw_db_sockets(httpd_t)
 
@@ -567,6 +712,7 @@ optional_policy(`
 
 optional_policy(`
        nagios_read_config(httpd_t)
+       nagios_read_log(httpd_t)
 ')
 
 optional_policy(`
@@ -576,6 +722,22 @@ optional_policy(`
        openca_kill(httpd_t)
 ')
 
+optional_policy(`
+        passenger_domtrans(httpd_t)
+        passenger_manage_pid_content(httpd_t)
+        passenger_read_lib_files(httpd_t)
+')
+
+optional_policy(`
+       rpc_search_nfs_state_data(httpd_t)
+')
+
+tunable_policy(`httpd_execmem',`
+       allow httpd_t self:process { execmem execstack };
+       allow httpd_sys_script_t self:process { execmem execstack };
+       allow httpd_suexec_t self:process { execmem execstack };
+') 
+
 optional_policy(`
        # Allow httpd to work with postgresql
        postgresql_stream_connect(httpd_t)
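Review bot: The `httpd_execmem` tunable_policy block is placed between two `optional_policy` blocks in the per-module section, while every other tunable_policy in this file is grouped before the optional blocks; moving it up next to `httpd_setrlimit` (L12911) keeps the tunables findable. A short comment on why suexec needs execmem/execstack as well would help, since suexec itself runs no interpreter.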
@@ -583,6 +745,7 @@ optional_policy(`
 
        tunable_policy(`httpd_can_network_connect_db',`
                postgresql_tcp_connect(httpd_t)
+               postgresql_tcp_connect(httpd_sys_script_t)
        ')
 ')
 
@@ -591,6 +754,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+       smokeping_getattr_lib_files(httpd_t)
+')
+
+optional_policy(`
+       files_dontaudit_rw_usr_dirs(httpd_t)
        snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
        snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
 ')
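Review bot: `files_dontaudit_rw_usr_dirs(httpd_t)` is inserted inside the snmp `optional_policy` block, so it is only compiled when the snmp module is present even though it has nothing to do with snmp; on a system without snmp the denials it is meant to silence will still be audited. Move it out of the optional block, e.g. next to the other `files_*` rules for `httpd_t`.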
@@ -603,6 +771,10 @@ optional_policy(`
        yam_read_content(httpd_t)
 ')
 
+optional_policy(`
+       zarafa_stream_connect_server(httpd_t)
+')
+
 ########################################
 #
 # Apache helper local policy
@@ -618,6 +790,10 @@ logging_send_syslog_msg(httpd_helper_t)
 
 userdom_use_user_terminals(httpd_helper_t)
 
+tunable_policy(`httpd_tty_comm',`
+       userdom_use_user_terminals(httpd_helper_t)
+')
+
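Review bot: The new `tunable_policy(`httpd_tty_comm',` block for `httpd_helper_t` is redundant because `userdom_use_user_terminals(httpd_helper_t)` is already granted unconditionally two lines above it; the boolean therefore has no effect on the helper. Either remove the unconditional line so the tunable actually gates terminal access (matching the `httpd_t`/`httpd_suexec_t` handling at L13033–L13039), or drop the new block.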
 ########################################
 #
 # Apache PHP script local policy
@@ -699,17 +875,18 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
 manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
 files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
 
+can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
+
 kernel_read_kernel_sysctls(httpd_suexec_t)
 kernel_list_proc(httpd_suexec_t)
 kernel_read_proc_symlinks(httpd_suexec_t)
 
 dev_read_urand(httpd_suexec_t)
 
+fs_read_iso9660_files(httpd_suexec_t)
 fs_search_auto_mountpoints(httpd_suexec_t)
 
-# for shell scripts
-corecmd_exec_bin(httpd_suexec_t)
-corecmd_exec_shell(httpd_suexec_t)
+application_exec_all(httpd_suexec_t)
 
 files_read_etc_files(httpd_suexec_t)
 files_read_usr_files(httpd_suexec_t)
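Review bot: `can_exec(httpd_suexec_t, httpd_sys_script_exec_t)` lets suexec run system CGI scripts in its own domain without the transition to `httpd_sys_script_t` that `domtrans_pattern` provides elsewhere (L13195), so a script executed this way keeps suexec's privileges instead of the confined script domain's; if this is needed for a specific case it should be gated or at least commented, e.g. `# suexec execs helper scripts in place (no transition) — TODO confirm why`. The `application_exec_all` substitution here also drops the `# for shell scripts` comment. The `fs_read_iso9660_files` addition is fine.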
@@ -740,10 +917,21 @@ tunable_policy(`httpd_can_network_connect',`
        corenet_sendrecv_all_client_packets(httpd_suexec_t)
 ')
 
+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+
+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
        allow httpd_sys_script_t httpdcontent:file entrypoint;
        domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
-
+       manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+       manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+       manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+       manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+')
+tunable_policy(`httpd_enable_cgi',`
+       domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t)
 ')
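Review bot: `domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t)` passes the process domain as the second argument, but in this file the second argument of `domtrans_pattern` is the entrypoint file type (compare `domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)` two lines above); as written it makes files labeled with the domain type the entrypoint, which is not what user CGI needs. The intended line is almost certainly `domtrans_pattern(httpd_suexec_t, httpd_user_script_exec_t, httpd_user_script_t)`. The unconditional `domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)` also sits directly above a tunable that was supposed to gate the same entrypoint (see L12965); and a blank line between the two tunable_policy blocks would match the rest of the file.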
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -769,6 +957,12 @@ optional_policy(`
        dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
 ')
 
+optional_policy(`
+       mysql_stream_connect(httpd_suexec_t)
+       mysql_rw_db_sockets(httpd_suexec_t)
+       mysql_read_config(httpd_suexec_t)
+')
+
 ########################################
 #
 # Apache system script local policy
@@ -792,9 +986,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t)
 files_search_var_lib(httpd_sys_script_t)
 files_search_spool(httpd_sys_script_t)
 
+logging_inherit_append_all_logs(httpd_sys_script_t)
+
 # Should we add a boolean?
 apache_domtrans_rotatelogs(httpd_sys_script_t)
 
+auth_use_nsswitch(httpd_sys_script_t)
+
 ifdef(`distro_redhat',`
        allow httpd_sys_script_t httpd_log_t:file append_file_perms;
 ')
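Review bot: `logging_inherit_append_all_logs(httpd_sys_script_t)` lets every system CGI script append to any log type via inherited descriptors, unconditionally; the existing Red Hat–specific append on `httpd_log_t` just below was narrower. A comment naming the scenario (which descriptor apache hands to scripts) would justify the wider grant, e.g. `# scripts inherit apache's open error_log fd and append to it`.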
@@ -803,6 +1001,28 @@ tunable_policy(`httpd_can_sendmail',`
        mta_send_mail(httpd_sys_script_t)
 ')
 
+optional_policy(`
+ tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
+  spamassassin_domtrans_client(httpd_t)
+ ')
+')
+
+fs_cifs_entry_type(httpd_sys_script_t)
+fs_read_iso9660_files(httpd_sys_script_t)
+fs_nfs_entry_type(httpd_sys_script_t)
+
+tunable_policy(`httpd_use_nfs',`
+       fs_manage_nfs_dirs(httpd_sys_script_t)
+       fs_manage_nfs_files(httpd_sys_script_t)
+       fs_manage_nfs_symlinks(httpd_sys_script_t)
+       fs_exec_nfs_files(httpd_sys_script_t)
+
+       fs_manage_nfs_dirs(httpd_suexec_t)
+       fs_manage_nfs_files(httpd_suexec_t)
+       fs_manage_nfs_symlinks(httpd_suexec_t)
+       fs_exec_nfs_files(httpd_suexec_t)
+')
+
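Review bot: This hunk is in the "Apache system script local policy" section (L13219), yet the spamassassin block targets `httpd_t` and the `httpd_use_nfs` block also adds `httpd_suexec_t` rules, so both are in the wrong section and will be hard to find later; the spamassassin block is additionally indented with single spaces. Move the `httpd_t` rule up to the httpd_t optional blocks and the suexec NFS rules to the suexec section, and re-indent with tabs. The `fs_exec_nfs_files` grants deserve a comment since they allow executing content from a network filesystem.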
 tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
        allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
        allow httpd_sys_script_t self:udp_socket create_socket_perms;
@@ -830,6 +1050,16 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
        fs_read_nfs_symlinks(httpd_sys_script_t)
 ')
 
+tunable_policy(`httpd_use_cifs',`
+       fs_manage_cifs_dirs(httpd_sys_script_t)
+       fs_manage_cifs_files(httpd_sys_script_t)
+       fs_manage_cifs_symlinks(httpd_sys_script_t)
+       fs_manage_cifs_dirs(httpd_suexec_t)
+       fs_manage_cifs_files(httpd_suexec_t)
+       fs_manage_cifs_symlinks(httpd_suexec_t)
+       fs_exec_cifs_files(httpd_suexec_t)
+')
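Review bot: The `httpd_use_cifs` block grants `fs_exec_cifs_files` only to `httpd_suexec_t`, whereas the parallel `httpd_use_nfs` block at L13248–L13258 grants `fs_exec_nfs_files` to both `httpd_sys_script_t` and `httpd_suexec_t`; the asymmetry is probably accidental. Either add `fs_exec_cifs_files(httpd_sys_script_t)` or comment why CIFS-hosted scripts must not be executed by the script domain. As in the previous hunk, the `httpd_suexec_t` rules belong in the suexec section.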
+
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
        fs_read_cifs_files(httpd_sys_script_t)
        fs_read_cifs_symlinks(httpd_sys_script_t)
@@ -842,6 +1072,7 @@ optional_policy(`
 optional_policy(`
        mysql_stream_connect(httpd_sys_script_t)
        mysql_rw_db_sockets(httpd_sys_script_t)
+       mysql_read_config(httpd_sys_script_t)
 ')
 
 optional_policy(`
@@ -891,11 +1122,33 @@ optional_policy(`
 
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
        allow httpd_user_script_t httpdcontent:file entrypoint;
+       manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+       manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
+       manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
+       manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
 ')
 
 # allow accessing files/dirs below the users home dir
 tunable_policy(`httpd_enable_homedirs',`
-       userdom_search_user_home_dirs(httpd_t)
-       userdom_search_user_home_dirs(httpd_suexec_t)
-       userdom_search_user_home_dirs(httpd_user_script_t)
+       userdom_search_user_home_content(httpd_t)
+       userdom_search_user_home_content(httpd_suexec_t)
+       userdom_search_user_home_content(httpd_user_script_t)
 ')
+
+tunable_policy(`httpd_read_user_content',`
+       userdom_read_user_home_content_files(httpd_user_script_t)
+       userdom_read_user_home_content_files(httpd_suexec_t)
+')
+
+tunable_policy(`httpd_read_user_content && httpd_builtin_scripting',`
+       userdom_read_user_home_content_files(httpd_t)
+')
+
+# Removal of fastcgi, will cause problems without the following
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
+typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
+typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
+typealias httpd_sys_ra_content_t   alias httpd_fastcgi_script_ra_t;
+typealias httpd_sys_script_t      alias httpd_fastcgi_script_t;
+typealias httpd_var_run_t         alias httpd_fastcgi_var_run_t;
+
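Review bot: `httpd_read_user_content` grants `userdom_read_user_home_content_files` to `httpd_user_script_t` and `httpd_suexec_t`, which — if that interface covers the whole user home content attribute as its name suggests — exposes every file in every user's home directory to CGI scripts, not just the `httpd_user_content_t` subtree; the tunable's description should state that scope explicitly. A comment above the block such as `# NOTE: reads all user home content, not only httpd_user_content_t; enable with care` would make the trade-off visible to whoever flips the boolean. The comment on the typealias block reads awkwardly; suggest `# fastcgi was merged into the sys script types; keep the aliases so existing labels and modules still resolve`.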
index 67c91aaf14daca02e6d88d976adc7612e73ab187..472ddade1809d7b9ab00f5c5e8208642d87a0364 100644 (file)
@@ -93,6 +93,10 @@ optional_policy(`
        hostname_exec(apcupsd_t)
 ')
 
+optional_policy(`
+       shutdown_domtrans(apcupsd_t)
+')
+
 optional_policy(`
        mta_send_mail(apcupsd_t)
        mta_system_content(apcupsd_tmp_t)
index 1c8c27e4d8bdc3a20d1de281b5974caab9991e20..c7cba002a3207bbe6cf57548534cc3f6dac4e31c 100644 (file)
@@ -62,6 +62,7 @@ allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
 dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
 allow apmd_t self:process { signal_perms getsession };
 allow apmd_t self:fifo_file rw_fifo_file_perms;
+allow apmd_t self:netlink_socket create_socket_perms;
 allow apmd_t self:unix_dgram_socket create_socket_perms;
 allow apmd_t self:unix_stream_socket create_stream_socket_perms;
 
@@ -81,6 +82,7 @@ kernel_rw_all_sysctls(apmd_t)
 kernel_read_system_state(apmd_t)
 kernel_write_proc_files(apmd_t)
 
+dev_read_input(apmd_t)
 dev_read_realtime_clock(apmd_t)
 dev_read_urand(apmd_t)
 dev_rw_apm_bios(apmd_t)
@@ -142,9 +144,8 @@ ifdef(`distro_redhat',`
 
        can_exec(apmd_t, apmd_var_run_t)
 
-       # ifconfig_exec_t needs to be run in its own domain for Red Hat
        optional_policy(`
-               sysnet_domtrans_ifconfig(apmd_t)
+               fstools_domtrans(apmd_t)
        ')
 
        optional_policy(`
@@ -155,6 +156,15 @@ ifdef(`distro_redhat',`
                netutils_domtrans(apmd_t)
        ')
 
+       # ifconfig_exec_t needs to be run in its own domain for Red Hat
+       optional_policy(`
+               sssd_search_lib(apmd_t)
+       ')
+
+       optional_policy(`
+               sysnet_domtrans_ifconfig(apmd_t)
+       ')
+
 ',`
        # for ifconfig which is run all the time
        kernel_dontaudit_search_sysctl(apmd_t)
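Review bot: The comment `# ifconfig_exec_t needs to be run in its own domain for Red Hat` now sits above the `sssd_search_lib(apmd_t)` block, but it describes the `sysnet_domtrans_ifconfig(apmd_t)` block that follows; move the comment down so it is attached to the optional_policy it explains. The sssd block itself has no comment saying why apmd needs to search sssd's lib directory (presumably name-service lookups through sssd, but that is a guess); a one-liner like `# sssd-backed nsswitch lookups` would help. The earlier hunk that swapped ifconfig for `fstools_domtrans(apmd_t)` in the same `ifdef(distro_redhat)` block (which starts before this hunk) is unrelated to ifconfig and could use its own comment.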
index c804110ac944a5e76f2216fc11b042bba2a986b6..bdefbe15e0ce88904acdce780a9764dfec855a3e 100644 (file)
@@ -137,7 +137,7 @@ interface(`arpwatch_admin',`
                type arpwatch_initrc_exec_t;
        ')
 
-       allow $1 arpwatch_t:process { ptrace signal_perms getattr };
+       allow $1 arpwatch_t:process { ptrace signal_perms };
        ps_process_pattern($1, arpwatch_t)
 
        arpwatch_initrc_domtrans($1)
index 8b8143ef99dd0cd1a5624c087ab9122504037117..c1a2b964e63cb747277ae546d6f2d0081489e87c 100644 (file)
@@ -64,7 +64,7 @@ interface(`asterisk_admin',`
                type asterisk_initrc_exec_t;
        ')
 
-       allow $1 asterisk_t:process { ptrace signal_perms getattr };
+       allow $1 asterisk_t:process { ptrace signal_perms };
        ps_process_pattern($1, asterisk_t)
 
        init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
index b9e94c41ea39d100722cebf8499acb1486aca49d..608e3a1f5f52f1f417980bbdbb82ddf9ca0199a2 100644 (file)
@@ -99,6 +99,7 @@ corenet_udp_sendrecv_all_ports(asterisk_t)
 corenet_tcp_bind_generic_node(asterisk_t)
 corenet_udp_bind_generic_node(asterisk_t)
 corenet_tcp_bind_asterisk_port(asterisk_t)
+corenet_tcp_bind_sip_port(asterisk_t)
 corenet_udp_bind_asterisk_port(asterisk_t)
 corenet_udp_bind_sip_port(asterisk_t)
 corenet_sendrecv_asterisk_server_packets(asterisk_t)
@@ -109,6 +110,7 @@ corenet_dontaudit_udp_bind_all_ports(asterisk_t)
 corenet_sendrecv_generic_server_packets(asterisk_t)
 corenet_tcp_connect_postgresql_port(asterisk_t)
 corenet_tcp_connect_snmp_port(asterisk_t)
+corenet_tcp_connect_sip_port(asterisk_t)
 
 dev_rw_generic_usb_dev(asterisk_t)
 dev_read_sysfs(asterisk_t)
@@ -146,6 +148,10 @@ optional_policy(`
        mta_send_mail(asterisk_t)
 ')
 
+optional_policy(`
+       postfix_domtrans_postdrop(asterisk_t)
+')
+
 optional_policy(`
        postgresql_stream_connect(asterisk_t)
 ')
index d80a16b87031985ca66555f176e193816dbc954b..f3848484169d8b6dabdc47eda3a0a87b20073e11 100644 (file)
@@ -68,7 +68,8 @@ interface(`automount_read_state',`
                type automount_t;
        ')
 
-       read_files_pattern($1, automount_t, automount_t)
+       kernel_search_proc($1)
+       ps_process_pattern($1, automount_t)
 ')
 
 ########################################
@@ -149,7 +150,7 @@ interface(`automount_admin',`
                type automount_var_run_t, automount_initrc_exec_t;
        ')
 
-       allow $1 automount_t:process { ptrace signal_perms getattr };
+       allow $1 automount_t:process { ptrace signal_perms };
        ps_process_pattern($1, automount_t)
 
        init_labeled_script_domtrans($1, automount_initrc_exec_t)
index 39799dbaeca8fd76d42e10f05df679d64d633519..61895659f7eeca4d0a913c798d238db165eb5211 100644 (file)
@@ -145,6 +145,7 @@ miscfiles_read_generic_certs(automount_t)
 
 # Run mount in the mount_t domain.
 mount_domtrans(automount_t)
+mount_domtrans_showmount(automount_t)
 mount_signal(automount_t)
 
 userdom_dontaudit_use_unpriv_user_fds(automount_t)
index 210ca0bf3dcce9b9b7e36e5f46c44fc49d916b1e..e51354dc0b05a6da0810ee3b1f1c25c7f9775b8a 100644 (file)
@@ -90,6 +90,7 @@ interface(`avahi_dbus_chat',`
                class dbus send_msg;
        ')
 
+       allow avahi_t $1:file read;
        allow $1 avahi_t:dbus send_msg;
        allow avahi_t $1:dbus send_msg;
 ')
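Review bot: `allow avahi_t $1:file read;` in `avahi_dbus_chat` is a file permission added to an interface whose documented purpose is D-Bus messaging; since `$1` is a domain type, the readable objects are presumably the caller's `/proc/<pid>` entries, but nothing says why avahi needs them. Add a comment such as `# avahi reads the peer's /proc/<pid> entries to identify the D-Bus client — confirm`, or put the rule in a dedicated interface so callers of the chat interface do not silently grant file access. As written, every domain that chats with avahi over D-Bus hands avahi read access to its proc files without being told.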
index b7bf6f0754621fcabe732257535963bf36d46593..803adbf2c09f8323b973e8c26b2d1a795971e357 100644 (file)
@@ -37,10 +37,11 @@ manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
 manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
 files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file })
 
+manage_dirs_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
 manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
 manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
 allow avahi_t avahi_var_run_t:dir setattr;
-files_pid_filetrans(avahi_t, avahi_var_run_t, file)
+files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
 
 kernel_read_system_state(avahi_t)
 kernel_read_kernel_sysctls(avahi_t)
index 44a1e3d16fc2dfa0b42f385cea6f57b30764d160..71f551412286eae2d155d4459d3f910333a59927 100644 (file)
@@ -306,6 +306,27 @@ interface(`bind_read_zone',`
        read_files_pattern($1, named_zone_t, named_zone_t)
 ')
 
+########################################
+## <summary>
+##     Read BIND zone files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`bind_read_log',`
+       gen_require(`
+               type named_zone_t;
+               type named_log_t;
+       ')
+
+       files_search_var($1)
+       allow $1 named_zone_t:dir search_dir_perms;
+       read_files_pattern($1, named_log_t, named_log_t)
+')
+
 ########################################
 ## <summary>
 ##     Manage BIND zone files.
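Review bot: The summary of the new `bind_read_log` interface says `Read BIND zone files.`, copied from `bind_read_zone` above, but the body reads `named_log_t`; change it to `##     Read BIND log files.`. The interface also requires and searches `named_zone_t`, which is only needed if the log files live under the zone directory (the file contexts are not in this hunk, so I cannot confirm); if they live under /var/log, `logging_search_logs($1)` is the right search permission and the `named_zone_t` require can go.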
@@ -359,9 +380,9 @@ interface(`bind_udp_chat_named',`
 interface(`bind_admin',`
        gen_require(`
                type named_t, named_tmp_t, named_log_t;
-               type named_conf_t, named_var_lib_t, named_var_run_t;
+               type named_conf_t, named_var_run_t;
                type named_cache_t, named_zone_t;
-               type dnssec_t, ndc_t;
+               type dnssec_t, ndc_t, named_keytab_t;
                type named_initrc_exec_t;
        ')
 
@@ -391,8 +412,7 @@ interface(`bind_admin',`
        admin_pattern($1, named_zone_t)
        admin_pattern($1, dnssec_t)
 
-       files_list_var_lib($1)
-       admin_pattern($1, named_var_lib_t)
+       admin_pattern($1, named_keytab_t)
 
        files_list_pids($1)
        admin_pattern($1, named_var_run_t)
index 4deca04f0a7c403320586bf6dcc610f76ef1797a..ece1f1f8ee425b0042e0ff4d2c34c2ebb93ab905 100644 (file)
@@ -89,9 +89,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
 manage_files_pattern(named_t, named_tmp_t, named_tmp_t)
 files_tmp_filetrans(named_t, named_tmp_t, { file dir })
 
+manage_dirs_pattern(named_t, named_var_run_t, named_var_run_t)
 manage_files_pattern(named_t, named_var_run_t, named_var_run_t)
 manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t)
-files_pid_filetrans(named_t, named_var_run_t, { file sock_file })
+files_pid_filetrans(named_t, named_var_run_t, { file sock_file dir })
 
 # read zone files
 allow named_t named_zone_t:dir list_dir_perms;
index f42cdfc92fe0d9585323b9a4f1cc691135f07377..e74f728bf949d66997bbc55e4abe4567cefaf06d 100644 (file)
@@ -27,6 +27,7 @@ files_type(bitlbee_var_t)
 # Local policy
 #
 #
+allow bitlbee_t self:capability { setgid setuid };
 
 allow bitlbee_t self:udp_socket create_socket_perms;
 allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
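Review bot: `allow bitlbee_t self:capability { setgid setuid };` is added without a comment, and in a network daemon these two capabilities need a stated reason — presumably dropping root to the bitlbee user after startup, but nothing visible confirms that. Add `# drop privileges to the bitlbee user after startup` (or whatever the actual reason is) above the line. The rule is also inserted directly under the `# Local policy` header, losing the blank line that separated the header from the rules.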
@@ -80,6 +81,10 @@ files_read_usr_files(bitlbee_t)
 
 libs_legacy_use_shared_libs(bitlbee_t)
 
+auth_use_nsswitch(bitlbee_t)
+
+logging_send_syslog_msg(bitlbee_t)
+
 miscfiles_read_localization(bitlbee_t)
 
 sysnet_dns_name_resolve(bitlbee_t)
index 3e45431416397b65fa8eacbabddef114c79dd76e..328302d31311e13d867362b8c09cf22fdb5ac4fc 100644 (file)
@@ -115,6 +115,27 @@ interface(`bluetooth_dbus_chat',`
        allow bluetooth_t $1:dbus send_msg;
 ')
 
+########################################
+## <summary>
+##     dontaudit Send and receive messages from
+##     bluetooth over dbus.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`bluetooth_dontaudit_dbus_chat',`
+       gen_require(`
+               type bluetooth_t;
+               class dbus send_msg;
+       ')
+
+       dontaudit $1 bluetooth_t:dbus send_msg;
+       dontaudit bluetooth_t $1:dbus send_msg;
+')
+
 ########################################
 ## <summary>
 ##     Execute bluetooth_helper in the bluetooth_helper domain.  (Deprecated)
@@ -194,7 +215,7 @@ interface(`bluetooth_dontaudit_read_helper_state',`
 interface(`bluetooth_admin',`
        gen_require(`
                type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
-               type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t;
+               type bluetooth_var_lib_t, bluetooth_var_run_t;
                type bluetooth_conf_t, bluetooth_conf_rw_t;
                type bluetooth_initrc_exec_t;
        ')
@@ -217,9 +238,6 @@ interface(`bluetooth_admin',`
        admin_pattern($1, bluetooth_conf_t)
        admin_pattern($1, bluetooth_conf_rw_t)
 
-       files_list_spool($1)
-       admin_pattern($1, bluetooth_spool_t)
-
        files_list_var_lib($1)
        admin_pattern($1, bluetooth_var_lib_t)
 
diff --git a/policy/modules/services/boinc.fc b/policy/modules/services/boinc.fc
new file mode 100644 (file)
index 0000000..c095160
--- /dev/null
@@ -0,0 +1,8 @@
+
+/etc/rc\.d/init\.d/boinc-client                --      gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
+
+/usr/bin/boinc_client                  --      gen_context(system_u:object_r:boinc_exec_t,s0)
+
+/var/lib/boinc(/.*)?                           gen_context(system_u:object_r:boinc_var_lib_t,s0)
+/var/lib/boinc/projects(/.*)?                  gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
+/var/lib/boinc/slots(/.*)?                     gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
diff --git a/policy/modules/services/boinc.if b/policy/modules/services/boinc.if
new file mode 100644 (file)
index 0000000..272bf74
--- /dev/null
@@ -0,0 +1,151 @@
+
+## <summary>policy for boinc</summary>
+
+########################################
+## <summary>
+##     Execute a domain transition to run boinc.
+## </summary>
+## <param name="domain">
+## <summary>
+##     Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`boinc_domtrans',`
+       gen_require(`
+               type boinc_t, boinc_exec_t;
+       ')
+
+       domtrans_pattern($1, boinc_exec_t, boinc_t)
+')
+
+#######################################
+## <summary>
+##  Execute boinc server in the boinc domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`boinc_initrc_domtrans',`
+    gen_require(`
+        type boinc_initrc_exec_t;
+    ')
+
+    init_labeled_script_domtrans($1, boinc_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##     Search boinc lib directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`boinc_search_lib',`
+       gen_require(`
+               type boinc_var_lib_t;
+       ')
+
+       allow $1 boinc_var_lib_t:dir search_dir_perms;
+       files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##     Read boinc lib files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`boinc_read_lib_files',`
+       gen_require(`
+               type boinc_var_lib_t;
+       ')
+
+       files_search_var_lib($1)
+        read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+########################################
+## <summary>
+##     Create, read, write, and delete
+##     boinc lib files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`boinc_manage_lib_files',`
+       gen_require(`
+               type boinc_var_lib_t;
+       ')
+
+       files_search_var_lib($1)
+        manage_files_pattern($1, boinc_var_lib_t,  boinc_var_lib_t)
+')
+
+########################################
+## <summary>
+##     Manage boinc var_lib files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`boinc_manage_var_lib',`
+       gen_require(`
+               type boinc_var_lib_t;
+       ')
+
+         manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+         manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+         manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
+########################################
+## <summary>
+##     All of the rules required to administrate
+##     an boinc environment.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     Role allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`boinc_admin',`
+       gen_require(`
+               type boinc_t, boinc_initrc_exec_t;
+               type boinc_var_lib_t;
+       ')
+
+       allow $1 boinc_t:process { ptrace signal_perms };
+       ps_process_pattern($1, boinc_t)
+
+       boinc_initrc_domtrans($1)
+       domain_system_change_exemption($1)
+       role_transition $2 boinc_initrc_exec_t system_r;
+       allow $2 system_r;
+               
+       files_list_var_lib($1)
+       admin_pattern($1, boinc_var_lib_t)
+')
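Review bot: `boinc_manage_var_lib` grants manage on `boinc_var_lib_t` dirs, files and symlinks but, unlike `boinc_search_lib`, `boinc_read_lib_files` and `boinc_manage_lib_files` in the same file, does not call `files_search_var_lib($1)`, so a caller without search on /var/lib cannot reach the directory; add `files_search_var_lib($1)` before the three pattern calls. The file mixes tabs and spaces inside interface bodies (`boinc_initrc_domtrans`, `boinc_read_lib_files`, `boinc_manage_lib_files`, `boinc_manage_var_lib`) and has trailing whitespace after `allow $2 system_r;` in `boinc_admin`; refpolicy uses tabs throughout. `an boinc environment` in the admin summary should read `a boinc environment`.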
diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
new file mode 100644 (file)
index 0000000..aaf0ba3
--- /dev/null
@@ -0,0 +1,153 @@
+policy_module(boinc,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type boinc_t;
+type boinc_exec_t;
+init_daemon_domain(boinc_t, boinc_exec_t)
+
+type boinc_initrc_exec_t;
+init_script_file(boinc_initrc_exec_t)
+
+type boinc_tmp_t;
+files_tmp_file(boinc_tmp_t)
+
+type boinc_tmpfs_t;
+files_tmpfs_file(boinc_tmpfs_t)
+
+type boinc_var_lib_t;
+files_type(boinc_var_lib_t)
+
+type boinc_project_t;
+domain_type(boinc_project_t)
+role system_r types boinc_project_t;
+
+permissive boinc_project_t;
+
+type boinc_project_var_lib_t;
+files_type(boinc_project_var_lib_t)
+
+########################################
+#
+# boinc local policy
+#
+
+allow boinc_t self:capability { kill };
+allow boinc_t self:process { setsched sigkill };
+
+allow boinc_t self:fifo_file rw_fifo_file_perms;
+allow boinc_t self:unix_stream_socket create_stream_socket_perms;
+allow boinc_t self:tcp_socket create_stream_socket_perms;
+allow boinc_t self:sem create_sem_perms;
+allow boinc_t self:shm create_shm_perms;
+
+manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
+manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
+files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
+
+manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
+fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t,file)
+
+exec_files_pattern(boinc_t, boinc_var_lib_t,  boinc_var_lib_t)
+manage_dirs_pattern(boinc_t, boinc_var_lib_t,  boinc_var_lib_t)
+manage_files_pattern(boinc_t, boinc_var_lib_t,  boinc_var_lib_t)
+filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, { dir })
+
+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t,  boinc_project_var_lib_t)
+manage_files_pattern(boinc_t, boinc_project_var_lib_t,  boinc_project_var_lib_t)
+
+kernel_read_system_state(boinc_t)
+
+files_getattr_all_dirs(boinc_t)
+files_getattr_all_files(boinc_t)
+
+corecmd_exec_bin(boinc_t)
+corecmd_exec_shell(boinc_t)
+
+corenet_all_recvfrom_unlabeled(boinc_t)
+corenet_all_recvfrom_netlabel(boinc_t)
+corenet_tcp_sendrecv_generic_if(boinc_t)
+corenet_udp_sendrecv_generic_if(boinc_t)
+corenet_tcp_sendrecv_generic_node(boinc_t)
+corenet_udp_sendrecv_generic_node(boinc_t)
+corenet_tcp_sendrecv_all_ports(boinc_t)
+corenet_udp_sendrecv_all_ports(boinc_t)
+corenet_tcp_bind_generic_node(boinc_t)
+corenet_udp_bind_generic_node(boinc_t)
+corenet_tcp_bind_boinc_port(boinc_t)
+corenet_tcp_connect_boinc_port(boinc_t)
+corenet_tcp_connect_http_port(boinc_t)
+corenet_tcp_connect_http_cache_port(boinc_t)
+
+dev_list_sysfs(boinc_t)
+dev_read_rand(boinc_t)
+dev_read_urand(boinc_t)
+dev_read_sysfs(boinc_t)
+
+domain_read_all_domains_state(boinc_t)
+
+files_dontaudit_getattr_boot_dirs(boinc_t)
+
+files_read_etc_files(boinc_t)
+files_read_usr_files(boinc_t)
+
+fs_getattr_all_fs(boinc_t)
+
+term_dontaudit_getattr_ptmx(boinc_t)
+
+miscfiles_read_localization(boinc_t)
+miscfiles_read_generic_certs(boinc_t)
+
+logging_send_syslog_msg(boinc_t)
+
+sysnet_dns_name_resolve(boinc_t)
+
+mta_send_mail(boinc_t)
+
+########################################
+#
+# boinc-projects local policy
+#
+
+domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
+allow boinc_t boinc_project_t:process sigkill;
+
+allow boinc_project_t self:process { ptrace setsched signal signull sigkill sigstop };
+allow boinc_project_t self:process { execmem execstack };
+
+allow boinc_project_t self:fifo_file rw_fifo_file_perms;
+
+allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
+exec_files_pattern(boinc_project_t, boinc_project_var_lib_t,  boinc_project_var_lib_t)
+manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t,  boinc_project_var_lib_t)
+manage_files_pattern(boinc_project_t, boinc_project_var_lib_t,  boinc_project_var_lib_t)
+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, { file dir })
+
+allow boinc_project_t boinc_project_var_lib_t:file execmod;
+
+allow boinc_project_t boinc_t:shm rw_shm_perms;
+allow boinc_project_t boinc_tmpfs_t:file { read write };
+
+list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
+rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
+
+kernel_read_system_state(boinc_project_t)
+kernel_read_kernel_sysctls(boinc_project_t)
+kernel_search_vm_sysctl(boinc_project_t)
+kernel_read_network_state(boinc_project_t)
+
+corecmd_exec_bin(boinc_project_t)
+corecmd_exec_shell(boinc_project_t)
+
+corenet_tcp_connect_boinc_port(boinc_project_t)
+
+dev_read_urand(boinc_project_t)
+dev_rw_xserver_misc(boinc_project_t)
+
+files_read_etc_files(boinc_project_t)
+
+miscfiles_read_localization(boinc_project_t)
+
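Review bot: `permissive boinc_project_t;` puts the domain that runs downloaded project binaries into permissive mode, so none of the rules written for it below are enforced, and nothing in the file says this is temporary or what is still missing; add a comment such as `# TODO: boinc_project_t is permissive until project-app access patterns are characterised; remove once denials are collected` and track its removal. Since that domain also gets `execmem`, `execstack` and `execmod` on its own writable `boinc_project_var_lib_t` (the type it enters from), the confinement of untrusted science apps depends entirely on enforcement being turned on. `boinc_t` receives `files_getattr_all_dirs`, `files_getattr_all_files` and `domain_read_all_domains_state` with no comment on why a client needs to stat every file or read every domain's process state. Style: `policy_module(boinc,1.0.0)` lacks the space after the comma used elsewhere in this tree, and several `*_pattern` argument lists contain double spaces.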
diff --git a/policy/modules/services/bugzilla.fc b/policy/modules/services/bugzilla.fc
new file mode 100644 (file)
index 0000000..18f37e2
--- /dev/null
@@ -0,0 +1,4 @@
+
+/usr/share/bugzilla(/.*)?      -d      gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
+/usr/share/bugzilla(/.*)?      --      gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
+/var/lib/bugzilla(/.*)?                        gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
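Review bot: `/usr/share/bugzilla(/.*)?  --  httpd_bugzilla_script_exec_t` labels every regular file under that tree as a script executable, so templates, images, localization data and configuration (if Bugzilla installs them there, as it usually does) become executables and entrypoints for `httpd_bugzilla_script_t`. Consider matching only the CGI scripts (for example `/usr/share/bugzilla/.*\.cgi`, or the specific script paths) with `httpd_bugzilla_script_exec_t` and letting the remaining files default to `httpd_bugzilla_content_t`. A comment on what lives in `/var/lib/bugzilla` (data/ and localconfig, presumably) would justify the `rw_content_t` label.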
diff --git a/policy/modules/services/bugzilla.if b/policy/modules/services/bugzilla.if
new file mode 100644 (file)
index 0000000..922c4ba
--- /dev/null
@@ -0,0 +1,81 @@
+## <summary>Bugzilla server</summary>
+
+########################################
+## <summary>
+##     Allow the specified domain to search 
+##     bugzilla directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`bugzilla_search_dirs',`
+       gen_require(`
+               type httpd_bugzilla_content_t;
+       ')
+
+       allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##     Do not audit attempts to read and write 
+##     bugzilla script unix domain stream sockets.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`bugzilla_dontaudit_rw_script_stream_sockets',`
+       gen_require(`
+               type httpd_bugzilla_script_t;
+       ')
+
+       dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+##     All of the rules required to administrate 
+##     an bugzilla environment
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     The role to be allowed to manage the bugzilla domain.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bugzilla_admin',`
+       gen_require(`
+               type httpd_bugzilla_script_t;
+               type httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
+               type httpd_bugzilla_rw_content_t, httpd_bugzilla_tmp_t;
+               type httpd_bugzilla_script_exec_t, httpd_bugzilla_htaccess_t;
+       ')
+
+       allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
+       ps_process_pattern($1, httpd_bugzilla_script_t)
+
+       files_list_tmp($1)
+       admin_pattern($1, httpd_bugzilla_tmp_t)
+
+       files_search_var_lib(httpd_bugzilla_script_t)
+
+       apache_search_sys_content($1)
+       admin_pattern($1, httpd_bugzilla_script_exec_t)
+       admin_pattern($1, httpd_bugzilla_script_t)
+       admin_pattern($1, httpd_bugzilla_content_t)
+       admin_pattern($1, httpd_bugzilla_htaccess_t)
+       admin_pattern($1, httpd_bugzilla_rw_content_t)
+       admin_pattern($1, httpd_bugzilla_ra_content_t)
+')
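Review bot: `files_search_var_lib(httpd_bugzilla_script_t)` inside `bugzilla_admin` grants the permission to the script domain rather than to the admin domain `$1`, so it is a no-op for the admin (who is then missing search on /var/lib to reach `httpd_bugzilla_rw_content_t`) and a duplicate of the same rule in bugzilla.te; change it to `files_search_var_lib($1)`. `admin_pattern($1, httpd_bugzilla_script_t)` applies a file-management pattern to a process type, which none of the other `*_admin` interfaces in this commit do (they use `ps_process_pattern` plus `ptrace signal_perms`, already present two lines above); drop it unless there is a reason. The admin summary `an bugzilla environment` should read `a bugzilla environment`.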
diff --git a/policy/modules/services/bugzilla.te b/policy/modules/services/bugzilla.te
new file mode 100644 (file)
index 0000000..d31736b
--- /dev/null
@@ -0,0 +1,56 @@
+policy_module(bugzilla, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(bugzilla)
+
+type httpd_bugzilla_tmp_t;
+files_tmp_file(httpd_bugzilla_tmp_t)
+
+########################################
+#
+# bugzilla local policy
+#
+
+allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms;
+allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms;
+allow httpd_bugzilla_script_t self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
+corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_if(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_if(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_nodes(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_nodes(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t)
+corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
+corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t)
+corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t)
+
+manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
+manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
+files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir })
+
+files_search_var_lib(httpd_bugzilla_script_t)
+
+mta_send_mail(httpd_bugzilla_script_t)
+
+sysnet_read_config(httpd_bugzilla_script_t)
+sysnet_use_ldap(httpd_bugzilla_script_t)
+
+optional_policy(`
+       mysql_search_db(httpd_bugzilla_script_t)
+       mysql_stream_connect(httpd_bugzilla_script_t)
+')
+
+optional_policy(`
+       postgresql_stream_connect(httpd_bugzilla_script_t)
+')
+
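Review bot: `httpd_bugzilla_script_t` gets unconditional `corenet_tcp_connect_http_port`, `corenet_tcp_connect_smtp_port` and the database-port connects, whereas the generic apache script domains in this same commit gate outbound networking behind `httpd_can_network_connect`-style booleans; if Bugzilla genuinely needs these unconditionally, a comment naming the feature behind each (outbound HTTP for what, SMTP beyond `mta_send_mail` for what) would help future reviewers, otherwise consider wrapping the http/smtp connects in the apache tunables. `policy_module(bugzilla, 1.0)` should be `1.0.0` to match the three-part versions used by the other new modules here (boinc, cachefilesd).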
diff --git a/policy/modules/services/cachefilesd.fc b/policy/modules/services/cachefilesd.fc
new file mode 100644 (file)
index 0000000..24d9837
--- /dev/null
@@ -0,0 +1,29 @@
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+#            Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# Define the contexts to be assigned to various files and directories of
+# importance to the CacheFiles kernel module and userspace management daemon.
+#
+
+# cachefilesd executable will have:
+# label: system_u:object_r:cachefilesd_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+/sbin/cachefilesd      --      gen_context(system_u:object_r:cachefilesd_exec_t,s0)
+/dev/cachefiles                -c      gen_context(system_u:object_r:cachefiles_dev_t,s0)
+/var/fscache(/.*)?             gen_context(system_u:object_r:cachefiles_var_t,s0)
+/var/cache/fscache(/.*)?               gen_context(system_u:object_r:cachefiles_var_t,s0)
+
+/var/run/cachefilesd\.pid --   gen_context(system_u:object_r:cachefiles_var_t,s0)
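Review bot: `/var/run/cachefilesd\.pid` is labeled `cachefiles_var_t`, the type for the on-disk cache data, although cachefilesd.te declares `cachefilesd_var_run_t` via `files_pid_file` for exactly this purpose; the pid file should be `gen_context(system_u:object_r:cachefilesd_var_run_t,s0)` so that init scripts and pid-file readers do not need access to cache-data types. The cachefilesd.te section is cut off in this view, so I cannot confirm whether the daemon already has manage and `files_pid_filetrans` rules on `cachefilesd_var_run_t`; if not, those need adding together with this label fix.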
diff --git a/policy/modules/services/cachefilesd.if b/policy/modules/services/cachefilesd.if
new file mode 100644 (file)
index 0000000..89d19e0
--- /dev/null
@@ -0,0 +1,41 @@
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+#            Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# Define the policy interface for the CacheFiles userspace management daemon.
+#
+
+## <summary>policy for cachefilesd</summary>
+
+########################################
+## <summary>
+##     Execute a domain transition to run cachefilesd.
+## </summary>
+## <param name="domain">
+## <summary>
+##     Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cachefilesd_domtrans',`
+       gen_require(`
+               type cachefilesd_t, cachefilesd_exec_t;
+       ')
+
+       domain_auto_trans($1,cachefilesd_exec_t,cachefilesd_t)
+
+       allow $1 cachefilesd_t:fd use;
+       allow cachefilesd_t $1:fd use;
+       allow cachefilesd_t $1:fifo_file rw_file_perms;
+       allow cachefilesd_t $1:process sigchld;
+')
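Review bot: `cachefilesd_domtrans` hand-writes the transition with the deprecated `domain_auto_trans` plus four separate fd/fifo/sigchld rules, while every other new interface in this commit (e.g. `boinc_domtrans`) uses `domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)`, which expands to the same rules; replace the five lines with the single pattern call. If kept as is, `allow cachefilesd_t $1:fifo_file rw_file_perms;` should use `rw_fifo_file_perms`, the permission set meant for fifos (used elsewhere in this commit, e.g. in apmd.te). The 2006 copyright header suggests these macros are inherited from an older module rather than a deliberate choice.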
diff --git a/policy/modules/services/cachefilesd.te b/policy/modules/services/cachefilesd.te
new file mode 100644 (file)
index 0000000..e67f987
--- /dev/null
@@ -0,0 +1,146 @@
+###############################################################################
+#
+# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+#            Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# This security policy governs access by the CacheFiles kernel module and
+# userspace management daemon to the files and directories in the on-disk
+# cache, on behalf of the processes accessing the cache through a network
+# filesystem such as NFS
+#
+policy_module(cachefilesd,1.0.17)
+
+###############################################################################
+#
+# Declarations
+#
+
+#
+# Files in the cache are created by the cachefiles module with security ID
+# cachefiles_var_t
+#
+type cachefiles_var_t;
+files_type(cachefiles_var_t)
+
+#
+# The /dev/cachefiles character device has security ID cachefiles_dev_t
+#
+type cachefiles_dev_t;
+dev_node(cachefiles_dev_t)
+
+#
+# The cachefilesd daemon normally runs with security ID cachefilesd_t
+#
+type cachefilesd_t;
+type cachefilesd_exec_t;
+domain_type(cachefilesd_t)
+init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
+
+#
+# The cachefilesd daemon pid file context
+#
+type cachefilesd_var_run_t;
+files_pid_file(cachefilesd_var_run_t)
+
+#
+# The CacheFiles kernel module causes processes accessing the cache files to do
+# so acting as security ID cachefiles_kernel_t
+#
+type cachefiles_kernel_t;
+domain_type(cachefiles_kernel_t)
+domain_obj_id_change_exemption(cachefiles_kernel_t)
+role system_r types cachefiles_kernel_t;
+
+###############################################################################
+#
+# Permit RPM to deal with files in the cache
+#
+rpm_use_script_fds(cachefilesd_t)
+
+###############################################################################
+#
+# cachefilesd local policy
+#
+# These define what cachefilesd is permitted to do.  This doesn't include very
+# much: startup stuff, logging, pid file, scanning the cache superstructure and
+# deleting files from the cache.  It is not permitted to read/write files in
+# the cache.
+#
+# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
+# rules.
+#
+allow cachefilesd_t self : capability { setuid setgid sys_admin dac_override };
+
+# Basic access
+files_read_etc_files(cachefilesd_t)
+libs_use_ld_so(cachefilesd_t)
+libs_use_shared_libs(cachefilesd_t)
+miscfiles_read_localization(cachefilesd_t)
+logging_send_syslog_msg(cachefilesd_t)
+init_dontaudit_use_script_ptys(cachefilesd_t)
+term_dontaudit_use_generic_ptys(cachefilesd_t)
+term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
+
+# Allow manipulation of pid file
+allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
+manage_files_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t)
+manage_dirs_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t)
+files_pid_file(cachefilesd_var_run_t)
+files_pid_filetrans(cachefilesd_t,cachefilesd_var_run_t,file)
+files_create_as_is_all_files(cachefilesd_t)
+
+# Allow access to cachefiles device file
+allow cachefilesd_t cachefiles_dev_t : chr_file rw_file_perms;
+
+# Allow access to cache superstructure
+allow cachefilesd_t cachefiles_var_t : dir { rw_dir_perms rmdir };
+allow cachefilesd_t cachefiles_var_t : file { getattr rename unlink };
+
+# Permit statfs on the backing filesystem
+fs_getattr_xattr_fs(cachefilesd_t)
+
+###############################################################################
+#
+# When cachefilesd invokes the kernel module to begin caching, it has to tell
+# the kernel module the security context in which it should act, and this
+# policy has to approve that.
+#
+# There are two parts to this:
+#
+#   (1) the security context used by the module to access files in the cache,
+#       as set by the 'secctx' command in /etc/cachefilesd.conf, and
+#
+allow cachefilesd_t cachefiles_kernel_t : kernel_service { use_as_override };
+
+#
+#   (2) the label that will be assigned to new files and directories created in
+#       the cache by the module, which will be the same as the label on the
+#       directory pointed to by the 'dir' command.
+#
+allow cachefilesd_t cachefiles_var_t : kernel_service { create_files_as };
+
+###############################################################################
+#
+# cachefiles kernel module local policy
+#
+# This governs what the kernel module is allowed to do the contents of the
+# cache.
+#
+allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
+allow cachefiles_kernel_t initrc_t:process sigchld;
+
+manage_dirs_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t)
+manage_files_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t)
+
+fs_getattr_xattr_fs(cachefiles_kernel_t)
+
+dev_search_sysfs(cachefiles_kernel_t)
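Review bot: `files_create_as_is_all_files(cachefilesd_t)` at L14279 lets the daemon create files carrying any file label, which goes well beyond the pid-file and cache-superstructure access that the local-policy comment at L14253–L14256 says is all the daemon needs; if it is only there for the pid file, `files_pid_filetrans` on the line above already covers that, so the broad rule should be dropped or its purpose stated in a comment. Two lines in the same stanza are redundant: `files_pid_file(cachefilesd_var_run_t)` at L14277 repeats the declaration at L14232, and `allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;` at L14274 is subsumed by the `manage_files_pattern` that follows it. `allow cachefiles_kernel_t initrc_t:process sigchld;` at L14319 names `initrc_t` with no `gen_require` in this file, which I would expect the module build to reject; an init interface is the usual way to express that rule.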
index 4c90b57ee3d33f17139329007328f5cb3d69fbc3..bffe6b61fd78031cd7a82a820a1d27ce6635ce36 100644 (file)
@@ -117,6 +117,11 @@ optional_policy(`
        corosync_stream_connect(ccs_t)
 ')
 
+optional_policy(`
+       qpidd_rw_semaphores(ccs_t)
+       qpidd_rw_shm(ccs_t)
+')
+
 optional_policy(`
        unconfined_use_fds(ccs_t)
 ')
index 73f03ff1ee5bb0297ffae05ac47e84099351a6ec..4aef8648529ac6a15ea2fb237a0754ba01012c48 100644 (file)
@@ -60,6 +60,7 @@ corenet_tcp_bind_generic_node(certmaster_t)
 corenet_tcp_bind_certmaster_port(certmaster_t)
 
 files_search_etc(certmaster_t)
+files_read_usr_files(certmaster_t)
 files_list_var(certmaster_t)
 files_search_var_lib(certmaster_t)
 
index 8ca23338762e52bf9267839a1a4de9cd44b241cb..63a18fce077aee99f554cbff153d9e3d37b3d6a2 100644 (file)
@@ -22,8 +22,8 @@ files_pid_file(cgred_var_run_t)
 type cgrules_etc_t;
 files_config_file(cgrules_etc_t)
 
-type cgconfig_t;
-type cgconfig_exec_t;
+type cgconfig_t alias cgconfigparser_t;
+type cgconfig_exec_t alias cgconfigparser_exec_t;
 init_daemon_domain(cgconfig_t, cgconfig_exec_t)
 
 type cgconfig_initrc_exec_t;
@@ -52,7 +52,7 @@ fs_unmount_cgroup(cgclear_t)
 # cgconfig personal policy.
 #
 
-allow cgconfig_t self:capability { chown sys_admin };
+allow cgconfig_t self:capability { dac_override fowner chown sys_admin };
 
 allow cgconfig_t cgconfig_etc_t:file read_file_perms;
 
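Review bot: `dac_override` and `fowner` are added to cgconfig_t's capability set at L14366 with no comment saying which operation needs them; `dac_override` in particular bypasses every file permission check for the domain, so the denial that motivated it (presumably chown/chmod of cgroup entries according to cgconfig.conf) should be recorded, e.g. `# dac_override/fowner: cgconfigparser applies ownership and mode from cgconfig.conf`. Without that note a later reviewer cannot tell whether the capability is still required.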
index 9a0da9462e17b624f595c22654c700cbe31a8d48..5a98145ee2c2c208bb0bb84d32a8cc1c77e7432b 100644 (file)
@@ -19,6 +19,24 @@ interface(`chronyd_domtrans',`
        domtrans_pattern($1, chronyd_exec_t, chronyd_t)
 ')
 
+########################################
+## <summary>
+##     Execute chronyd server in the chronyd  domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`chronyd_initrc_domtrans',`
+       gen_require(`
+               type chronyd_initrc_exec_t;
+       ')
+
+       init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
+')
+
 ####################################
 ## <summary>
 ##     Execute chronyd
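Review bot: The summary of `chronyd_initrc_domtrans` (L14377) says it executes the chronyd server in the chronyd domain, but the body calls `init_labeled_script_domtrans` on `chronyd_initrc_exec_t`, i.e. it runs the init script in the init script domain; running the server itself is what the existing `chronyd_domtrans` above already documents. Suggest `##	Execute chronyd init scripts in the init script domain.` (which also removes the doubled space in "chronyd  domain") so callers pick the right interface.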
@@ -56,6 +74,64 @@ interface(`chronyd_read_log',`
        read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
 ')
 
+########################################
+## <summary>
+##     Read and write chronyd shared memory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`chronyd_rw_shm',`
+       gen_require(`
+               type chronyd_t, chronyd_tmpfs_t;
+       ')
+
+       allow $1 chronyd_t:shm rw_shm_perms;
+       allow $1 chronyd_tmpfs_t:dir list_dir_perms;
+       rw_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
+       read_lnk_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
+       fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
+##     Read chronyd keys files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`chronyd_read_keys',`
+       gen_require(`
+               type chronyd_keys_t;
+       ')
+
+       read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+')
+
+########################################
+## <summary>
+##     Append chronyd keys files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`chronyd_append_keys',`
+       gen_require(`
+               type chronyd_keys_t;
+       ')
+
+       append_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+')
+
 ####################################
 ## <summary>
 ##     All of the rules required to administrate
@@ -77,6 +153,7 @@ interface(`chronyd_admin',`
        gen_require(`
                type chronyd_t, chronyd_var_log_t;
                type chronyd_var_run_t, chronyd_var_lib_t;
+               type chronyd_tmpfs_t;
                type chronyd_initrc_exec_t, chronyd_keys_t;
        ')
 
@@ -100,6 +177,5 @@ interface(`chronyd_admin',`
        files_search_pids($1)
        admin_pattern($1, chronyd_var_run_t)
 
-       files_search_tmp($1)
-       admin_pattern($1, chronyd_tmp_t)
+       admin_pattern($1, chronyd_tmpfs_t)
 ')
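Review bot: `admin_pattern($1, chronyd_tmpfs_t)` at L14475 drops the search companion the replaced rules had: `files_search_tmp($1)` let the admin reach `chronyd_tmp_t`, but nothing here grants search on tmpfs to reach `chronyd_tmpfs_t`, whereas `chronyd_rw_shm` in this same file pairs its tmpfs rules with `fs_search_tmpfs($1)`. Add `fs_search_tmpfs($1)` before the `admin_pattern` line. The rest of `chronyd_admin` lies outside the hunk.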
index fa82327a1e1f47c19e18e1bcf22a84626ae9c640..7f4ca47426eccd0645a4549a17893c2443c07480 100644 (file)
@@ -15,6 +15,9 @@ init_script_file(chronyd_initrc_exec_t)
 type chronyd_keys_t;
 files_type(chronyd_keys_t)
 
+type chronyd_tmpfs_t;
+files_tmpfs_file(chronyd_tmpfs_t)
+
 type chronyd_var_lib_t;
 files_type(chronyd_var_lib_t)
 
@@ -37,6 +40,10 @@ allow chronyd_t self:unix_dgram_socket create_socket_perms;
 
 allow chronyd_t chronyd_keys_t:file read_file_perms;
 
+manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
+manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
+fs_tmpfs_filetrans(chronyd_t, chronyd_tmpfs_t, { dir file })
+
 manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
 manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
 manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
@@ -50,6 +57,7 @@ manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
 manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
 files_pid_filetrans(chronyd_t, chronyd_var_run_t, file)
 
+corenet_udp_bind_generic_node(chronyd_t)
 corenet_udp_bind_ntp_port(chronyd_t)
 # bind to udp/323
 corenet_udp_bind_chronyd_port(chronyd_t)
index 8c36027740cbd31ceac802c85402a636e9ec5341..16598a4fb2ec3563984657793cfb10d8d99a131b 100644 (file)
@@ -80,6 +80,7 @@ manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
 files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
 
 # var/lib files for clamd
+manage_sock_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
 manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
 manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
 
@@ -89,9 +90,10 @@ manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
 logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file })
 
 # pid file
+manage_dirs_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
 manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
 manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
-files_pid_filetrans(clamd_t, clamd_var_run_t, { file dir })
+files_pid_filetrans(clamd_t, clamd_var_run_t, { sock_file file dir })
 
 kernel_dontaudit_list_proc(clamd_t)
 kernel_read_sysctl(clamd_t)
@@ -147,8 +149,10 @@ optional_policy(`
 
 tunable_policy(`clamd_use_jit',`
        allow clamd_t self:process execmem;
+       allow clamscan_t self:process execmem;
 ', `
        dontaudit clamd_t self:process execmem;
+       dontaudit clamscan_t self:process execmem;
 ')
 
 ########################################
@@ -179,9 +183,15 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
 # log files (own logfiles only)
 manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
 allow freshclam_t freshclam_var_log_t:dir setattr;
-allow freshclam_t clamd_var_log_t:dir search_dir_perms;
+read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
 logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
 
+kernel_read_kernel_sysctls(freshclam_t)
+kernel_read_system_state(freshclam_t)
+
+corecmd_exec_shell(freshclam_t)
+corecmd_exec_bin(freshclam_t)
+
 corenet_all_recvfrom_unlabeled(freshclam_t)
 corenet_all_recvfrom_netlabel(freshclam_t)
 corenet_tcp_sendrecv_generic_if(freshclam_t)
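Review bot: `corecmd_exec_shell(freshclam_t)` and `corecmd_exec_bin(freshclam_t)` (L14550–L14551) let the database updater, a process that talks to remote mirrors, run any shell or binary, and the hunk gives no reason. Presumably this is for the command hooks freshclam can run from its configuration, but that belongs in a comment above the two lines, e.g. `# freshclam runs the OnUpdateExecute/OnErrorExecute hooks from freshclam.conf`. Without it the next reader cannot tell whether the rule is a required feature or a workaround for a stray denial.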
@@ -189,6 +199,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
 corenet_tcp_sendrecv_all_ports(freshclam_t)
 corenet_tcp_sendrecv_clamd_port(freshclam_t)
 corenet_tcp_connect_http_port(freshclam_t)
+corenet_tcp_connect_clamd_port(freshclam_t)
 corenet_sendrecv_http_client_packets(freshclam_t)
 
 dev_read_rand(freshclam_t)
@@ -207,6 +218,8 @@ miscfiles_read_localization(freshclam_t)
 
 clamav_stream_connect(freshclam_t)
 
+userdom_stream_connect(freshclam_t)
+
 optional_policy(`
        cron_system_entry(freshclam_t, freshclam_exec_t)
 ')
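Review bot: `userdom_stream_connect(freshclam_t)` at L14568 lets freshclam connect to the unix stream sockets of user domains, an unusual direction for a system daemon, and nothing explains it. If the intent is to reach a clamd instance run by a user, say so in a comment on the line; if it only silences a denial from an inherited socket, a dontaudit interface would be the narrower fix.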
@@ -251,6 +264,7 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t)
 corenet_tcp_connect_clamd_port(clamscan_t)
 
 kernel_read_kernel_sysctls(clamscan_t)
+kernel_read_system_state(clamscan_t)
 
 files_read_etc_files(clamscan_t)
 files_read_etc_runtime_files(clamscan_t)
diff --git a/policy/modules/services/cmirrord.fc b/policy/modules/services/cmirrord.fc
new file mode 100644 (file)
index 0000000..e500fa5
--- /dev/null
@@ -0,0 +1,6 @@
+
+/etc/rc\.d/init\.d/cmirrord    --      gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0)
+
+/usr/sbin/cmirrord             --      gen_context(system_u:object_r:cmirrord_exec_t,s0)
+
+/var/run/cmirrord\.pid         --      gen_context(system_u:object_r:cmirrord_var_run_t,s0)
diff --git a/policy/modules/services/cmirrord.if b/policy/modules/services/cmirrord.if
new file mode 100644 (file)
index 0000000..d5b410f
--- /dev/null
@@ -0,0 +1,118 @@
+
+## <summary>policy for cmirrord</summary>
+
+########################################
+## <summary>
+##     Execute a domain transition to run cmirrord.
+## </summary>
+## <param name="domain">
+## <summary>
+##     Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cmirrord_domtrans',`
+       gen_require(`
+               type cmirrord_t, cmirrord_exec_t;
+       ')
+
+       domtrans_pattern($1, cmirrord_exec_t, cmirrord_t)
+')
+
+########################################
+## <summary>
+##     Execute cmirrord server in the cmirrord domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`cmirrord_initrc_domtrans',`
+       gen_require(`
+               type cmirrord_initrc_exec_t;
+       ')
+
+       init_labeled_script_domtrans($1, cmirrord_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##     Read cmirrord PID files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`cmirrord_read_pid_files',`
+       gen_require(`
+               type cmirrord_var_run_t;
+       ')
+
+       files_search_pids($1)
+       allow $1 cmirrord_var_run_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+##      Read and write to cmirrord shared memory.
+## </summary>
+## <param name="domain">
+##      <summary>
+##     Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`cmirrord_rw_shm',`
+        gen_require(`
+                type cmirrord_t;
+               type cmirrord_tmpfs_t;
+        ')
+
+        allow $1 cmirrord_t:shm { rw_shm_perms destroy };
+        allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
+        rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+       delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+       read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+        fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
+##     All of the rules required to administrate 
+##     an cmirrord environment
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     Role allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cmirrord_admin',`
+       gen_require(`
+               type cmirrord_t;
+               type cmirrord_initrc_exec_t;
+                type cmirrord_var_run_t;
+       ')
+
+       allow $1 cmirrord_t:process { ptrace signal_perms };
+       ps_process_pattern($1, cmirrord_t)
+
+       cmirrord_initrc_domtrans($1)
+       domain_system_change_exemption($1)
+       role_transition $2 cmirrord_initrc_exec_t system_r;
+       allow $2 system_r;
+
+       files_search_pids($1)
+       admin_pattern($1, cmirrord_var_run_t)
+
+')
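Review bot: `cmirrord_rw_shm` (L14665–L14677) grants more than its summary admits: `destroy` on the shm class and `delete_files_pattern` on `cmirrord_tmpfs_t` let the caller tear the daemon's shared memory down, so the summary should read `##	Read, write and destroy cmirrord shared memory.` or the destroy/delete rules should move to a separate interface. The same block and the require block of `cmirrord_admin` (L14700) mix space and tab indentation where the rest of the file uses tabs, and `cmirrord_admin` ends with a stray blank line before `')`. `an cmirrord environment` at L14682 should be `a cmirrord environment`.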
diff --git a/policy/modules/services/cmirrord.te b/policy/modules/services/cmirrord.te
new file mode 100644 (file)
index 0000000..bb7d429
--- /dev/null
@@ -0,0 +1,55 @@
+policy_module(cmirrord,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cmirrord_t;
+type cmirrord_exec_t;
+init_daemon_domain(cmirrord_t, cmirrord_exec_t)
+
+type cmirrord_initrc_exec_t;
+init_script_file(cmirrord_initrc_exec_t)
+
+type cmirrord_tmpfs_t;
+files_tmpfs_file(cmirrord_tmpfs_t)
+
+type cmirrord_var_run_t;
+files_pid_file(cmirrord_var_run_t)
+
+########################################
+#
+# cmirrord local policy
+#
+
+allow cmirrord_t self:capability { net_admin kill };
+dontaudit cmirrord_t self:capability sys_tty_config;
+allow cmirrord_t self:process signal;
+
+allow cmirrord_t self:fifo_file rw_fifo_file_perms;
+
+allow cmirrord_t self:sem create_sem_perms;
+allow cmirrord_t self:shm create_shm_perms;
+allow cmirrord_t self:netlink_socket create_socket_perms;
+allow cmirrord_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+manage_files_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
+fs_tmpfs_filetrans(cmirrord_t, cmirrord_tmpfs_t, { dir file })
+
+manage_dirs_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t)
+manage_files_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t)
+files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, { file })
+
+domain_use_interactive_fds(cmirrord_t)
+
+files_read_etc_files(cmirrord_t)
+
+logging_send_syslog_msg(cmirrord_t)
+
+miscfiles_read_localization(cmirrord_t)
+
+optional_policy(`
+        corosync_stream_connect(cmirrord_t)
+')
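Review bot: `allow cmirrord_t self:capability { net_admin kill };` at L14745 carries no comment saying why either capability is needed, and nothing in this file grants cmirrord_t a signal permission on any domain other than itself, so `kill` is either unused or the rule for its target is missing. `net_admin` is presumably for the `netlink_socket` opened at L14753; recording that next to the capability line (`# net_admin: needed for the netlink socket below`) would let the next reviewer check it. The `optional_policy` block at L14772–L14774 is also indented with spaces where the rest of the file uses tabs.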
index 1cf6c4e4ac20e4ffc16498f55abbe21e704d1863..90c60dfbdee1512d3aa67520d4ccd248ff42cb61 100644 (file)
@@ -1,7 +1,32 @@
-/etc/cobbler(/.*)?             gen_context(system_u:object_r:cobbler_etc_t, s0)
-/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
 
-/usr/bin/cobblerd      --      gen_context(system_u:object_r:cobblerd_exec_t, s0)
+/etc/cobbler(/.*)?                                     gen_context(system_u:object_r:cobbler_etc_t,s0)
+
+/etc/rc\.d/init\.d/cobblerd                    --      gen_context(system_u:object_r:cobblerd_initrc_exec_t,s0)
+
+/usr/bin/cobblerd                              --      gen_context(system_u:object_r:cobblerd_exec_t,s0)
+
+/var/lib/cobbler(/.*)?                                 gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+
+/var/lib/tftpboot/etc(/.*)?                            gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/images(/.*)?                         gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/memdisk                      --      gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/menu\.c32                    --      gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/ppc(/.*)?                            gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/pxelinux\.0                  --      gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/pxelinux\.cfg(/.*)?                  gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/s390x(/.*)?                          gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/yaboot                       --      gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+
+/var/log/cobbler(/.*)?                                 gen_context(system_u:object_r:cobbler_var_log_t,s0)
+
+# This should removable when cobbler package installs /var/www/cobbler/rendered
+/var/www/cobbler(/.*)?                                 gen_context(system_u:object_r:httpd_cobbler_content_t,s0)
+
+/var/www/cobbler/images(/.*)?                          gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/ks_mirror(/.*)?                       gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/links(/.*)?                           gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/localmirror(/.*)?                     gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/pub(/.*)?                             gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/rendered(/.*)?                                gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/www/cobbler/repo_mirror(/.*)?                     gen_context(system_u:object_r:cobbler_var_lib_t,s0)
 
-/var/lib/cobbler(/.*)?         gen_context(system_u:object_r:cobbler_var_lib_t, s0)
-/var/log/cobbler(/.*)?         gen_context(system_u:object_r:cobbler_var_log_t, s0)
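Review bot: The comment at L14801, `# This should removable when cobbler package installs /var/www/cobbler/rendered`, is missing a verb; `# This should be removable once the cobbler package installs /var/www/cobbler/rendered` reads correctly. It is also unclear which entry it refers to, since the `/var/www/cobbler(/.*)?` rule directly beneath labels the whole tree `httpd_cobbler_content_t` while `/var/www/cobbler/rendered(/.*)?` further down already gets `cobbler_var_lib_t`; naming the entry to be removed would help.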
index 293e08d535e593b90c48520278c730c45953bbf7..b2198bb0d95ab17e85ff7e2b50cefd144554d354 100644 (file)
@@ -26,6 +26,7 @@ interface(`cobblerd_domtrans',`
        ')
 
        domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
+       corecmd_search_bin($1)
 ')
 
 ########################################
@@ -48,7 +49,7 @@ interface(`cobblerd_initrc_domtrans',`
 
 ########################################
 ## <summary>
-##     Read Cobbler content in /etc
+##     List Cobbler configuration.
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -56,19 +57,18 @@ interface(`cobblerd_initrc_domtrans',`
 ##     </summary>
 ## </param>
 #
-interface(`cobbler_read_config',`
+interface(`cobbler_list_config',`
        gen_require(`
                type cobbler_etc_t;
        ')
 
-       read_files_pattern($1, cobbler_etc_t, cobbler_etc_t);
+       list_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
        files_search_etc($1)
 ')
 
 ########################################
 ## <summary>
-##     Do not audit attempts to read and write
-##     Cobbler log files (leaked fd).
+##     Read Cobbler configuration files.
 ## </summary>
 ## <param name="domain">
 ##     <summary>
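Review bot: `cobbler_list_config` (L14837–L14845) lists `cobbler_var_lib_t` at L14843, but its `gen_require` only declares `cobbler_etc_t`, and both its summary and the `files_search_etc($1)` call say it is about configuration under /etc; the line should be `list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)`. As written the interface either fails to build where `cobbler_var_lib_t` is not otherwise required, or grants listing on the wrong tree where it is.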
@@ -76,12 +76,13 @@ interface(`cobbler_read_config',`
 ##     </summary>
 ## </param>
 #
-interface(`cobbler_dontaudit_rw_log',`
+interface(`cobbler_read_config',`
        gen_require(`
-               type cobbler_var_log_t;
+               type cobbler_etc_t;
        ')
 
-       dontaudit $1 cobbler_var_log_t:file rw_file_perms;
+       read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)
+       files_search_etc($1)
 ')
 
 ########################################
@@ -100,6 +101,7 @@ interface(`cobbler_search_lib',`
        ')
 
        search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+       read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
        files_search_var_lib($1)
 ')
 
@@ -119,6 +121,7 @@ interface(`cobbler_read_lib_files',`
        ')
 
        read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+       read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
        files_search_var_lib($1)
 ')
 
@@ -137,10 +140,31 @@ interface(`cobbler_manage_lib_files',`
                type cobbler_var_lib_t;
        ')
 
+       manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
        manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+       manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
        files_search_var_lib($1)
 ')
 
+########################################
+## <summary>
+##     Do not audit attempts to read and write
+##     Cobbler log files (leaked fd).
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`cobbler_dontaudit_rw_log',`
+       gen_require(`
+               type cobbler_var_log_t;
+       ')
+
+       dontaudit $1 cobbler_var_log_t:file rw_inherited_file_perms;
+')
+
 ########################################
 ## <summary>
 ##     All of the rules required to administrate
@@ -162,10 +186,13 @@ interface(`cobblerd_admin',`
        gen_require(`
                type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
                type cobbler_etc_t, cobblerd_initrc_exec_t;
+               type httpd_cobbler_content_t;
+               type httpd_cobbler_content_ra_t;
+               type httpd_cobbler_content_rw_t;
        ')
 
-       allow $1 cobblerd_t:process { ptrace signal_perms getattr };
-       read_files_pattern($1, cobblerd_t, cobblerd_t)
+       allow $1 cobblerd_t:process { ptrace signal_perms };
+       ps_process_pattern($1, cobblerd_t)
 
        files_search_etc($1)
        admin_pattern($1, cobbler_etc_t)
@@ -176,10 +203,18 @@ interface(`cobblerd_admin',`
        logging_search_logs($1)
        admin_pattern($1, cobbler_var_log_t)
 
+       apache_search_sys_content($1)
+       admin_pattern($1, httpd_cobbler_content_t)
+       admin_pattern($1, httpd_cobbler_content_ra_t)
        admin_pattern($1, httpd_cobbler_content_rw_t)
 
        cobblerd_initrc_domtrans($1)
        domain_system_change_exemption($1)
        role_transition $2 cobblerd_initrc_exec_t system_r;
        allow $2 system_r;
+
+       optional_policy(`
+               # traverse /var/lib/tftpdir to get to cobbler_var_lib_t there.
+               tftp_search_rw_content($1)
+       ')
 ')
index 0258b4811d4ac33a6b2d6dff53822bd36e8ab94f..6a6d7d7d141ff9433b75d63fa31ffd029f71a25c 100644 (file)
@@ -12,6 +12,28 @@ policy_module(cobbler, 1.1.0)
 ## </p>
 ## </desc>
 gen_tunable(cobbler_anon_write, false)
+  
+## <desc>
+## <p>
+##     Allow Cobbler to connect to the
+##     network using TCP.
+## </p>
+## </desc>
+gen_tunable(cobbler_can_network_connect, false)
+
+## <desc>
+## <p>
+##     Allow Cobbler to access cifs file systems.
+## </p>
+## </desc>
+gen_tunable(cobbler_use_cifs, false)
+
+## <desc>
+## <p>
+##     Allow Cobbler to access nfs file systems.
+## </p>
+## </desc>
+gen_tunable(cobbler_use_nfs, false)
 
 type cobblerd_t;
 type cobblerd_exec_t;
@@ -26,25 +48,40 @@ files_config_file(cobbler_etc_t)
 type cobbler_var_log_t;
 logging_log_file(cobbler_var_log_t)
 
-type cobbler_var_lib_t;
+type cobbler_var_lib_t alias cobbler_content_t;
 files_type(cobbler_var_lib_t)
 
+type cobbler_tmp_t;
+files_tmp_file(cobbler_tmp_t)
+
 ########################################
 #
 # Cobbler personal policy.
 #
 
-allow cobblerd_t self:capability { chown dac_override fowner sys_nice };
+allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice };
+dontaudit cobblerd_t self:capability { sys_ptrace sys_tty_config };
+
 allow cobblerd_t self:process { getsched setsched signal };
 allow cobblerd_t self:fifo_file rw_fifo_file_perms;
+allow cobblerd_t self:netlink_route_socket create_netlink_socket_perms;
 allow cobblerd_t self:tcp_socket create_stream_socket_perms;
+allow cobblerd_t self:udp_socket create_socket_perms;
+allow cobblerd_t self:unix_dgram_socket create_socket_perms;
 
 list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
 read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
 
+# Something that runs in the cobberd_t domain tries to relabelfrom cobbler_var_lib_t dir to httpd_sys_content_t.
+dontaudit cobblerd_t cobbler_var_lib_t:dir relabel_dir_perms;
+
 manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
 manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
-files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file })
+manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
+files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file lnk_file })
+
+# Something really needs to write to cobbler.log. Ideally this should not be happening.
+allow cobblerd_t cobbler_var_log_t:file write;
 
 append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
 create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
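Review bot: `allow cobblerd_t cobbler_var_log_t:file write;` at L15025 is a workaround by its own comment ("Something really needs to write to cobbler.log. Ideally this should not be happening."), and `write` on the log file, unlike the existing `append_files_pattern`, lets the daemon truncate or rewrite its own log. Either identify the writer and put a bug reference in the comment, or make the rule a `dontaudit` until it is understood. The comment at L15015 also misspells the domain (`cobberd_t` for `cobblerd_t`).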
@@ -52,7 +89,12 @@ read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
 setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
 logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
 
+manage_dirs_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
+manage_files_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
+files_tmp_filetrans(cobblerd_t, cobbler_tmp_t, { dir file })
+
 kernel_read_system_state(cobblerd_t)
+kernel_dontaudit_search_network_state(cobblerd_t)
 
 corecmd_exec_bin(cobblerd_t)
 corecmd_exec_shell(cobblerd_t)
@@ -65,26 +107,75 @@ corenet_tcp_bind_generic_node(cobblerd_t)
 corenet_tcp_sendrecv_generic_if(cobblerd_t)
 corenet_tcp_sendrecv_generic_node(cobblerd_t)
 corenet_tcp_sendrecv_generic_port(cobblerd_t)
+corenet_tcp_sendrecv_cobbler_port(cobblerd_t)
+# sync and rsync to ftp and http are permitted by default, for any other media use cobbler_can_network_connect.
+corenet_tcp_connect_ftp_port(cobblerd_t)
+corenet_tcp_sendrecv_ftp_port(cobblerd_t)
+corenet_sendrecv_ftp_client_packets(cobblerd_t)
+corenet_tcp_connect_http_port(cobblerd_t)
+corenet_tcp_sendrecv_http_port(cobblerd_t)
+corenet_sendrecv_http_client_packets(cobblerd_t)
 
 dev_read_urand(cobblerd_t)
 
+domain_dontaudit_exec_all_entry_files(cobblerd_t)
+domain_dontaudit_read_all_domains_state(cobblerd_t)
+
+files_read_etc_files(cobblerd_t)
+# mtab
+files_read_etc_runtime_files(cobblerd_t)
 files_read_usr_files(cobblerd_t)
 files_list_boot(cobblerd_t)
+files_read_boot_files(cobblerd_t)
 files_list_tmp(cobblerd_t)
-# read /etc/nsswitch.conf
-files_read_etc_files(cobblerd_t)
+
+# read from mounted images (install media)
+fs_read_iso9660_files(cobblerd_t)
+
+init_dontaudit_read_all_script_files(cobblerd_t)
+
+term_use_console(cobblerd_t)
 
 miscfiles_read_localization(cobblerd_t)
 miscfiles_read_public_files(cobblerd_t)
 
+selinux_dontaudit_read_fs(cobblerd_t)
+
 sysnet_read_config(cobblerd_t)
 sysnet_rw_dhcp_config(cobblerd_t)
 sysnet_write_config(cobblerd_t)
 
+userdom_dontaudit_use_user_terminals(cobblerd_t)
+userdom_dontaudit_search_user_home_dirs(cobblerd_t)
+userdom_dontaudit_search_admin_dir(cobblerd_t)
+
 tunable_policy(`cobbler_anon_write',`
        miscfiles_manage_public_files(cobblerd_t)
 ')
 
+tunable_policy(`cobbler_can_network_connect',`
+       corenet_tcp_connect_all_ports(cobblerd_t)
+       corenet_tcp_sendrecv_all_ports(cobblerd_t)
+       corenet_sendrecv_all_client_packets(cobblerd_t)
+')
+
+tunable_policy(`cobbler_use_cifs',`
+       fs_manage_cifs_dirs(cobblerd_t)
+       fs_manage_cifs_files(cobblerd_t)
+       fs_manage_cifs_symlinks(cobblerd_t)
+')
+
+tunable_policy(`cobbler_use_nfs',`
+       fs_manage_nfs_dirs(cobblerd_t)
+       fs_manage_nfs_files(cobblerd_t)
+       fs_manage_nfs_symlinks(cobblerd_t)
+')
+
+optional_policy(`
+       # Cobbler traverses /var/www to get to /var/www/cobbler/*
+       apache_search_sys_content(cobblerd_t)
+')
+
 optional_policy(`
        bind_read_config(cobblerd_t)
        bind_write_config(cobblerd_t)
@@ -94,6 +185,10 @@ optional_policy(`
        bind_manage_zone(cobblerd_t)
 ')
 
+optional_policy(`
+       certmaster_exec(cobblerd_t)
+')
+
 optional_policy(`
        dhcpd_domtrans(cobblerd_t)
        dhcpd_initrc_domtrans(cobblerd_t)
@@ -105,17 +200,29 @@ optional_policy(`
        dnsmasq_write_config(cobblerd_t)
 ')
 
+optional_policy(`
+       gnome_dontaudit_search_config(cobblerd_t)
+')
+
 optional_policy(`
        rpm_exec(cobblerd_t)
 ')
 
 optional_policy(`
-       rsync_read_config(cobblerd_t)
-       rsync_write_config(cobblerd_t)
+       rsync_exec(cobblerd_t)
+       rsync_manage_config(cobblerd_t)
+       # cobbler creates /etc/rsync.conf if its not there.
+       rsync_filetrans_config(cobblerd_t, file)
 ')
 
 optional_policy(`
-       tftp_manage_rw_content(cobblerd_t)
+       # Cobbler puts objects in both /var/lib/tftpdir as well as /var/lib/tftpdir/images.
+       # tftp_manage_rw_content(cobblerd_t) can be used instead if:
+       # 1. cobbler package installs /var/lib/tftpdir/images.
+       # 2. no FILES in /var/lib/TFTPDIR are hard linked.
+       # Cobbler also creates other directories in /var/lib/tftpdir (etc, s390x, ppc, pxelinux.cfg)
+       # are any of those hard linked?
+       tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
 ')
 
 ########################################
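Review bot: The comment block added above `tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })` ends in an open question (`# are any of those hard linked?`) rather than a decision, so a later reader cannot tell whether this rule was chosen deliberately or as a stopgap. Either answer it or mark it explicitly, e.g. `# TODO: confirm none of those directories are hard linked before switching to tftp_manage_rw_content`. The rsync comment in the same hunk should read `# cobbler creates /etc/rsync.conf if it's not there.`.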
index 42c6bd71ad3439c952e6b0968e2a9651a2cb6443..51afa67bd01c1283bf8267bf04cf1275c51c6f6e 100644 (file)
@@ -95,3 +95,22 @@ interface(`consolekit_read_pid_files',`
        files_search_pids($1)
        read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
 ')
+
+########################################
+## <summary>
+##     List consolekit PID files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`consolekit_list_pid_files',`
+       gen_require(`
+               type consolekit_var_run_t;
+       ')
+
+       files_search_pids($1)
+       list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+')
index daf151dd0bfbed64a6028b971fdc13790f4953e7..cc2058baf8116eff13d7a7a4d93ad2ef17c11e4d 100644 (file)
@@ -15,6 +15,9 @@ logging_log_file(consolekit_log_t)
 type consolekit_var_run_t;
 files_pid_file(consolekit_var_run_t)
 
+type consolekit_tmpfs_t;
+files_tmpfs_file(consolekit_tmpfs_t)
+
 ########################################
 #
 # consolekit local policy
@@ -69,7 +72,10 @@ logging_send_audit_msgs(consolekit_t)
 
 miscfiles_read_localization(consolekit_t)
 
+# consolekit needs to be able to ptrace all logged in users 
+userdom_ptrace_all_users(consolekit_t)
 userdom_dontaudit_read_user_home_content_files(consolekit_t)
+userdom_dontaudit_getattr_admin_home_files(consolekit_t)
 userdom_read_user_tmp_files(consolekit_t)
 
 hal_ptrace(consolekit_t)
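Review bot: `userdom_ptrace_all_users(consolekit_t)` grants ptrace over every user domain, and the comment above it states the requirement but not the operation that needs it, so nobody can later check whether a narrower process-state read would have been enough. I would extend the comment to `# consolekit needs to ptrace all logged in users: <operation seen in the AVC denial>` and strip the trailing whitespace on that comment line.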
@@ -82,6 +88,10 @@ tunable_policy(`use_samba_home_dirs',`
        fs_read_cifs_files(consolekit_t)
 ')
 
+optional_policy(`
+       cron_read_system_job_lib_files(consolekit_t)
+')
+
 optional_policy(`
        dbus_system_domain(consolekit_t, consolekit_exec_t)
 
@@ -99,16 +109,21 @@ optional_policy(`
 ')
 
 optional_policy(`
-       policykit_dbus_chat(consolekit_t)
+       networkmanager_append_log(consolekit_t)
+')
+
+optional_policy(`
+        policykit_dbus_chat(consolekit_t)
        policykit_domtrans_auth(consolekit_t)
        policykit_read_lib(consolekit_t)
        policykit_read_reload(consolekit_t)
 ')
 
 optional_policy(`
-       type consolekit_tmpfs_t;
-       files_tmpfs_file(consolekit_tmpfs_t)
+       shutdown_domtrans(consolekit_t)
+')
 
+optional_policy(`
        xserver_read_xdm_pid(consolekit_t)
        xserver_read_user_xauth(consolekit_t)
        xserver_non_drawing_client(consolekit_t)
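Review bot: The re-added `policykit_dbus_chat(consolekit_t)` line at the top of the policykit block is indented with spaces while the rest of the file indents with a tab, so it no longer lines up with `policykit_domtrans_auth(consolekit_t)` below it. Re-indent it with a tab. The xserver `optional_policy` block continues outside the hunk.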
@@ -125,5 +140,6 @@ optional_policy(`
 
 optional_policy(`
        #reading .Xauthity
+       unconfined_ptrace(consolekit_t)
        unconfined_stream_connect(consolekit_t)
 ')
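Review bot: `unconfined_ptrace(consolekit_t)` is inserted directly under the pre-existing `#reading .Xauthity` comment, which describes the stream-connect line below it and not ptrace of unconfined processes, so the new grant reads as if it were part of reading .Xauthority. Give it its own justification line, `# <reason consolekit needs to ptrace unconfined processes>`, placed above it, and correct the old comment to `#reading .Xauthority` while touching it.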
index 3a6d7eb23a5af8f5b00c25382bfd3b5d97e17e5d..2098ee988a7515bc4ab0c92af0e7b4b12a1de56e 100644 (file)
@@ -3,6 +3,7 @@
 /usr/sbin/corosync             --      gen_context(system_u:object_r:corosync_exec_t,s0)
 
 /usr/sbin/ccs_tool             --      gen_context(system_u:object_r:corosync_exec_t,s0)
+/usr/sbin/cman_tool            --      gen_context(system_u:object_r:corosync_exec_t,s0)
 
 /var/lib/corosync(/.*)?                        gen_context(system_u:object_r:corosync_var_lib_t,s0)
 
index 7d2cf85f341bcdc02fd24b41b09a63584f24eae1..fdb0dcb0c80e12808ef18bdc3942af0df4adf205 100644 (file)
@@ -32,8 +32,8 @@ files_pid_file(corosync_var_run_t)
 # corosync local policy
 #
 
-allow corosync_t self:capability { sys_nice sys_resource ipc_lock };
-allow corosync_t self:process { setrlimit setsched signal };
+allow corosync_t self:capability { dac_override sys_nice sys_ptrace sys_resource ipc_lock };
+allow corosync_t self:process { setrlimit setsched signal signull };
 
 allow corosync_t self:fifo_file rw_fifo_file_perms;
 allow corosync_t self:sem create_sem_perms;
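Review bot: `dac_override` and `sys_ptrace` are added to corosync's self capability set without a comment, and a reader cannot tell which corosync operation requires each of them; they are the broadest grants in the hunk. Precede the line with `# <denial that motivated dac_override and sys_ptrace>` so the grants can be reviewed against the actual need, and check whether `dac_read_search` would suffice in place of `dac_override` if the only need is reading files owned by other users. The added `signull` process permission is narrow and fine.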
@@ -41,6 +41,8 @@ allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto
 allow corosync_t self:unix_dgram_socket create_socket_perms;
 allow corosync_t self:udp_socket create_socket_perms;
 
+can_exec(corosync_t, corosync_exec_t)
+
 manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
 manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
 files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir })
@@ -63,8 +65,10 @@ manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
 files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file })
 
 kernel_read_system_state(corosync_t)
+kernel_read_network_state(corosync_t)
 
 corecmd_exec_bin(corosync_t)
+corecmd_exec_shell(corosync_t)
 
 corenet_udp_bind_netsupport_port(corosync_t)
 
@@ -73,6 +77,7 @@ dev_read_urand(corosync_t)
 domain_read_all_domains_state(corosync_t)
 
 files_manage_mounttab(corosync_t)
+files_read_usr_files(corosync_t)
 
 auth_use_nsswitch(corosync_t)
 
@@ -83,19 +88,35 @@ logging_send_syslog_msg(corosync_t)
 
 miscfiles_read_localization(corosync_t)
 
+userdom_delete_user_tmpfs_files(corosync_t)
 userdom_rw_user_tmpfs_files(corosync_t)
 
+optional_policy(`
+       gen_require(`
+               attribute unconfined_services;
+       ')      
+
+       fs_manage_tmpfs_files(corosync_t)
+       init_manage_script_status_files(corosync_t)
+')
+
 optional_policy(`
        ccs_read_config(corosync_t)
 ')
 
 optional_policy(`
-       # to communication with RHCS
-       rhcs_rw_dlm_controld_semaphores(corosync_t)
+       cmirrord_rw_shm(corosync_t)
+')
 
-       rhcs_rw_fenced_semaphores(corosync_t)
+optional_policy(`
+       lvm_rw_clvmd_tmpfs_files(corosync_t)
+')
 
-       rhcs_rw_gfs_controld_semaphores(corosync_t)
+optional_policy(`
+       # to communication with RHCS
+       rhcs_rw_cluster_shm(corosync_t)
+       rhcs_rw_cluster_semaphores(corosync_t)
+       rhcs_stream_connect_cluster(corosync_t)
 ')
 
 optional_policy(`
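Review bot: The new `optional_policy` block that requires `attribute unconfined_services;` never uses that attribute, so its only effect is to make `fs_manage_tmpfs_files(corosync_t)` and `init_manage_script_status_files(corosync_t)` conditional on whichever module declares `unconfined_services` being loaded. If that dependency is intended it deserves a comment saying so; if not, drop the `gen_require` and move the two calls to file level. The `')` closing that gen_require also carries trailing whitespace.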
index 2eefc08b8a1c0d7ded243bc077eed9c2dd950e9c..3e8ad69e5ad8cd579d836a1654fa71de6dff3a5a 100644 (file)
@@ -14,7 +14,7 @@
 /var/run/anacron\.pid          --      gen_context(system_u:object_r:crond_var_run_t,s0)
 /var/run/atd\.pid              --      gen_context(system_u:object_r:crond_var_run_t,s0)
 /var/run/crond?\.pid           --      gen_context(system_u:object_r:crond_var_run_t,s0)
-/var/run/crond\.reboot         --      gen_context(system_u:object_r:crond_var_run_t,s0)
+/var/run/crond?\.reboot                --      gen_context(system_u:object_r:crond_var_run_t,s0)
 /var/run/fcron\.fifo           -s      gen_context(system_u:object_r:crond_var_run_t,s0)
 /var/run/fcron\.pid            --      gen_context(system_u:object_r:crond_var_run_t,s0)
 
@@ -45,3 +45,7 @@ ifdef(`distro_suse', `
 /var/spool/fcron/systab\.orig  --      gen_context(system_u:object_r:system_cron_spool_t,s0)
 /var/spool/fcron/systab                --      gen_context(system_u:object_r:system_cron_spool_t,s0)
 /var/spool/fcron/new\.systab   --      gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+/var/lib/glpi/files(/.*)?              gen_context(system_u:object_r:cron_var_lib_t,s0)
+
+/var/log/mcelog.*              --      gen_context(system_u:object_r:cron_log_t,s0)
index 35241edfec9362304467aa47f98e9d3ccaefe9b6..98220745c0ec8a80f079897c1740799551fb3114 100644 (file)
 ## </param>
 #
 template(`cron_common_crontab_template',`
+       gen_require(`
+               type crond_t, crond_var_run_t, crontab_exec_t;
+               type cron_spool_t, user_cron_spool_t;
+       ')
+
        ##############################
        #
        # Declarations
@@ -34,8 +39,12 @@ template(`cron_common_crontab_template',`
        allow $1_t self:process { setsched signal_perms };
        allow $1_t self:fifo_file rw_fifo_file_perms;
 
-       allow $1_t $1_tmp_t:file manage_file_perms;
-       files_tmp_filetrans($1_t, $1_tmp_t, file)
+       allow $1_t crond_t:process signal;
+       allow $1_t crond_var_run_t:file read_file_perms;
+
+       manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
+       manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+       files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
 
        # create files in /var/spool/cron
        manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
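Review bot: `allow $1_t crond_t:process signal;` and `allow $1_t crond_var_run_t:file read_file_perms;` let every crontab-derived domain signal the cron daemon and read its pid file, but unlike the `# create files in /var/spool/cron` line beneath them they carry no comment saying why. Presumably crontab reads the pid file to notify crond of an edited table — confirm against the program — and record it as `# crontab reads crond's pid file and signals crond to pick up changes` above the two lines. The template body continues outside this hunk.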
@@ -62,6 +71,7 @@ template(`cron_common_crontab_template',`
 
        logging_send_syslog_msg($1_t)
        logging_send_audit_msgs($1_t)
+       logging_set_loginuid($1_t)
 
        init_dontaudit_write_utmp($1_t)
        init_read_utmp($1_t)
@@ -76,6 +86,7 @@ template(`cron_common_crontab_template',`
        userdom_use_user_terminals($1_t)
        # Read user crontabs
        userdom_read_user_home_content_files($1_t)
+       userdom_read_user_home_content_symlinks($1_t)
 
        tunable_policy(`fcron_crond',`
                # fcron wants an instant update of a crontab change for the administrator
@@ -106,6 +117,8 @@ template(`cron_common_crontab_template',`
 interface(`cron_role',`
        gen_require(`
                type cronjob_t, crontab_t, crontab_exec_t;
+               type user_cron_spool_t;
+               type crond_t;
        ')
 
        role $1 types { cronjob_t crontab_t };
@@ -116,6 +129,13 @@ interface(`cron_role',`
        # Transition from the user domain to the derived domain.
        domtrans_pattern($2, crontab_exec_t, crontab_t)
 
+       allow crond_t $2:process transition;
+       dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+       allow $2 crond_t:process sigchld;
+
+       # needs to be authorized SELinux context for cron
+       allow $2 user_cron_spool_t:file entrypoint;
+
        # crontab shows up in user ps
        ps_process_pattern($2, crontab_t)
        allow $2 crontab_t:process signal;
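Review bot: `allow $2 user_cron_spool_t:file entrypoint;` together with `allow crond_t $2:process transition;` means crond enters the caller's domain `$2` using any file labelled `user_cron_spool_t` as the entrypoint, so the confinement of user jobs now rests on that label only ever being applied to crontab-written files. The comment `# needs to be authorized SELinux context for cron` does not say that; assuming this is the design intent (the hunk does not state it), replace it with `# crond runs the user's jobs directly in $2 with the spool file as entrypoint, so user_cron_spool_t must stay writable only via crontab`. cron_role's body continues outside the hunk.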
@@ -154,27 +174,14 @@ interface(`cron_role',`
 #
 interface(`cron_unconfined_role',`
        gen_require(`
-               type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t;
+               type unconfined_cronjob_t;
        ')
 
-       role $1 types { unconfined_cronjob_t crontab_t };
+       role $1 types unconfined_cronjob_t;
 
        # cronjob shows up in user ps
        ps_process_pattern($2, unconfined_cronjob_t)
 
-       # Transition from the user domain to the derived domain.
-       domtrans_pattern($2, crontab_exec_t, crontab_t)
-
-       # crontab shows up in user ps
-       ps_process_pattern($2, crontab_t)
-       allow $2 crontab_t:process signal;
-
-       # Run helper programs as the user domain
-       #corecmd_bin_domtrans(crontab_t, $2)
-       #corecmd_shell_domtrans(crontab_t, $2)
-       corecmd_exec_bin(crontab_t)
-       corecmd_exec_shell(crontab_t)
-
        optional_policy(`
                gen_require(`
                        class dbus send_msg;
@@ -408,7 +415,43 @@ interface(`cron_rw_pipes',`
                type crond_t;
        ')
 
-       allow $1 crond_t:fifo_file { getattr read write };
+       allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##     Read and write inherited user spool files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`cron_rw_inherited_user_spool_files',`
+       gen_require(`
+               type user_cron_spool_t;
+       ')
+
+       allow $1 user_cron_spool_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##     Read and write inherited spool files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`cron_rw_inherited_spool_files',`
+       gen_require(`
+               type cron_spool_t;
+       ')
+
+       allow $1 cron_spool_t:file rw_inherited_file_perms;
 ')
 
 ########################################
@@ -554,7 +597,7 @@ interface(`cron_rw_system_job_pipes',`
                type system_cronjob_t;
        ')
 
-       allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
+       allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 
 ########################################
@@ -587,11 +630,14 @@ interface(`cron_rw_system_job_stream_sockets',`
 #
 interface(`cron_read_system_job_tmp_files',`
        gen_require(`
-               type system_cronjob_tmp_t;
+               type system_cronjob_tmp_t, cron_var_run_t;
        ')
 
        files_search_tmp($1)
        allow $1 system_cronjob_tmp_t:file read_file_perms;
+
+       files_search_pids($1)
+       allow $1 cron_var_run_t:file read_file_perms;
 ')
 
 ########################################
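Review bot: `cron_read_system_job_tmp_files` now also grants `read_file_perms` on `cron_var_run_t` after `files_search_pids($1)`, which neither its name nor its summary (above the hunk) covers, so callers asking for tmp-file access silently receive pid-file access as well. I would move the two added lines into a separate interface, e.g. `cron_read_pid_files`, and call both where the extra access is really needed; at minimum the summary must mention the pid files. The same name/scope mismatch applies to the `dontaudit $1 cron_var_run_t:file write_file_perms;` added to `cron_dontaudit_write_system_job_tmp_files` in the +673 hunk.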
@@ -627,7 +673,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
 interface(`cron_dontaudit_write_system_job_tmp_files',`
        gen_require(`
                type system_cronjob_tmp_t;
+               type cron_var_run_t;
        ')
 
        dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
+       dontaudit $1 cron_var_run_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+##     Read temporary files from the system cron jobs.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`cron_read_system_job_lib_files',`
+       gen_require(`
+               type system_cronjob_var_lib_t;
+       ')
+
+
+       read_files_pattern($1, system_cronjob_var_lib_t,  system_cronjob_var_lib_t)
+')
+
+########################################
+## <summary>
+##     Manage files from the system cron jobs.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`cron_manage_system_job_lib_files',`
+       gen_require(`
+               type system_cronjob_var_lib_t;
+       ')
+
+
+       manage_files_pattern($1, system_cronjob_var_lib_t,  system_cronjob_var_lib_t)
 ')
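Review bot: The summary for `cron_read_system_job_lib_files` reads `Read temporary files from the system cron jobs.`, copied from the tmp-files interface and wrong for a `system_cronjob_var_lib_t` interface; it should say `##	Read the system cron jobs' /var/lib files.` (its sibling `cron_manage_system_job_lib_files` has the right wording). Both new interfaces also omit a `files_search_var_lib($1)` call, while the other interfaces in this file pair their pattern with `files_search_tmp`/`files_search_pids`, and both contain a doubled blank line and a doubled space in `system_cronjob_var_lib_t,  system_cronjob_var_lib_t`.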
index f35b2431609df31c3bfae673063a3954420f2ba8..ff1a1c99c970a42fc16374b1724cef5aaecc0355 100644 (file)
@@ -63,9 +63,12 @@ init_script_file(crond_initrc_exec_t)
 
 type crond_tmp_t;
 files_tmp_file(crond_tmp_t)
+files_poly_parent(crond_tmp_t)
+mta_system_content(crond_tmp_t)
 
 type crond_var_run_t;
 files_pid_file(crond_var_run_t)
+mta_system_content(crond_var_run_t)
 
 type crontab_exec_t;
 application_executable_file(crontab_exec_t)
@@ -79,6 +82,7 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
 typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
 typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
 typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
+allow admin_crontab_t crond_t:process signal;
 
 type system_cron_spool_t, cron_spool_type;
 files_type(system_cron_spool_t)
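Review bot: `allow admin_crontab_t crond_t:process signal;` is dropped between `typealias` lines in the declarations section, and `admin_crontab_t` is not declared anywhere in the visible hunks. If it comes from `cron_common_crontab_template`, that template already grants `$1_t crond_t:process signal` in the cron.if +39 hunk, making this line redundant; if it does not, the line belongs in the policy section below with a comment. Please confirm which and move or drop it.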
@@ -87,6 +91,7 @@ type system_cronjob_t alias system_crond_t;
 init_daemon_domain(system_cronjob_t, anacron_exec_t)
 corecmd_shell_entry_type(system_cronjob_t)
 role system_r types system_cronjob_t;
+domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
 
 type system_cronjob_lock_t alias system_crond_lock_t;
 files_lock_file(system_cronjob_lock_t)
@@ -108,6 +113,14 @@ typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t uncon
 typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
 files_type(user_cron_spool_t)
 ubac_constrained(user_cron_spool_t)
+mta_system_content(user_cron_spool_t)
+
+type system_cronjob_var_lib_t;
+files_type(system_cronjob_var_lib_t)
+typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
+
+type system_cronjob_var_run_t;
+files_pid_file(system_cronjob_var_run_t)
 
 ########################################
 #
@@ -138,7 +151,7 @@ tunable_policy(`fcron_crond', `
 
 allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
 dontaudit crond_t self:capability { sys_resource sys_tty_config };
-allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
 allow crond_t self:process { setexec setfscreate };
 allow crond_t self:fd use;
 allow crond_t self:fifo_file rw_fifo_file_perms;
@@ -193,6 +206,8 @@ corecmd_list_bin(crond_t)
 corecmd_read_bin_symlinks(crond_t)
 
 domain_use_interactive_fds(crond_t)
+domain_subj_id_change_exemption(crond_t)
+domain_role_change_exemption(crond_t)
 
 files_read_usr_files(crond_t)
 files_read_etc_runtime_files(crond_t)
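Review bot: `domain_subj_id_change_exemption(crond_t)` and `domain_role_change_exemption(crond_t)` exempt the cron daemon from the constraints that normally stop a process changing SELinux user and role on transition, and they are added without a comment. If the reason is that crond now transitions into each user's own domain (the `allow crond_t $2:process transition;` in cron_role), say so: `# crond starts user jobs in the user's own context, which changes user and role`. Without that, a later reviewer cannot judge whether the exemption is still required.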
@@ -208,7 +223,9 @@ init_spec_domtrans_script(crond_t)
 
 auth_use_nsswitch(crond_t)
 
+logging_send_audit_msgs(crond_t)
 logging_send_syslog_msg(crond_t)
+logging_set_loginuid(crond_t)
 
 seutil_read_config(crond_t)
 seutil_read_default_contexts(crond_t)
@@ -219,8 +236,10 @@ miscfiles_read_localization(crond_t)
 userdom_use_unpriv_users_fds(crond_t)
 # Not sure why this is needed
 userdom_list_user_home_dirs(crond_t)
+userdom_create_all_users_keys(crond_t)
 
 mta_send_mail(crond_t)
+mta_system_content(cron_spool_t)
 
 ifdef(`distro_debian',`
        # pam_limits is used
@@ -240,8 +259,17 @@ ifdef(`distro_redhat', `
        ')
 ')
 
-tunable_policy(`fcron_crond', `
-       allow crond_t system_cron_spool_t:file manage_file_perms;
+tunable_policy(`allow_polyinstantiation',`
+       files_polyinstantiate_all(crond_t)
+')
+
+optional_policy(`
+       apache_search_sys_content(crond_t)
+')
+
+optional_policy(`
+    djbdns_search_tinydns_keys(crond_t)
+    djbdns_link_tinydns_keys(crond_t)
 ')
 
 optional_policy(`
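Review bot: `djbdns_search_tinydns_keys(crond_t)` and `djbdns_link_tinydns_keys(crond_t)` are indented with four spaces while every other block in the file uses a tab, so they stand out in the rendered policy. Re-indent them with a tab. The `fcron_crond` tunable removed here reappears unchanged in the next hunk, so that part is a pure move.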
@@ -249,6 +277,20 @@ optional_policy(`
        locallogin_link_keys(crond_t)
 ')
 
+optional_policy(`
+       # these should probably be unconfined_crond_t
+       dbus_system_bus_client(crond_t)
+       init_dbus_send_script(crond_t)
+')
+
+optional_policy(`
+       mono_domtrans(crond_t)
+')
+
+tunable_policy(`fcron_crond', `
+       allow crond_t system_cron_spool_t:file manage_file_perms;
+')
+
 optional_policy(`
        amanda_search_var_lib(crond_t)
 ')
@@ -259,6 +301,8 @@ optional_policy(`
 
 optional_policy(`
        hal_dbus_chat(crond_t)
+       hal_write_log(crond_t)
+       hal_dbus_chat(system_cronjob_t)
 ')
 
 optional_policy(`
@@ -290,6 +334,8 @@ optional_policy(`
 #
 
 allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
+dontaudit system_cronjob_t self:capability sys_ptrace;
+
 allow system_cronjob_t self:process { signal_perms getsched setsched };
 allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
 allow system_cronjob_t self:passwd rootok;
@@ -301,10 +347,17 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
 
 # This is to handle /var/lib/misc directory.  Used currently
 # by prelink var/lib files for cron 
-allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
+allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabelfrom relabelto };
 files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
 
+allow system_cronjob_t cron_var_run_t:file manage_file_perms;
+files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)
+
 allow system_cronjob_t system_cron_spool_t:file read_file_perms;
+
+# anacron forces the following
+manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
+
 # The entrypoint interface is not used as this is not
 # a regular entrypoint.  Since crontab files are
 # not directly executed, crond must ensure that
@@ -324,6 +377,7 @@ allow crond_t system_cronjob_t:fd use;
 allow system_cronjob_t crond_t:fd use;
 allow system_cronjob_t crond_t:fifo_file rw_file_perms;
 allow system_cronjob_t crond_t:process sigchld;
+allow crond_t system_cronjob_t:key manage_key_perms;
 
 # Write /var/lock/makewhatis.lock.
 allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
@@ -335,9 +389,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
 filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
 files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
 
+# var/lib files for system_crond
+files_search_var_lib(system_cronjob_t)
+manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
+
 # Read from /var/spool/cron.
 allow system_cronjob_t cron_spool_t:dir list_dir_perms;
-allow system_cronjob_t cron_spool_t:file read_file_perms;
+allow system_cronjob_t cron_spool_t:file rw_file_perms;
 
 kernel_read_kernel_sysctls(system_cronjob_t)
 kernel_read_system_state(system_cronjob_t)
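Review bot: `allow system_cronjob_t cron_spool_t:file rw_file_perms;` widens system cron jobs from reading to writing the crontab spool, but the comment two lines above still says `# Read from /var/spool/cron.`, so it now understates what the rule grants. Update it to `# Read and write /var/spool/cron.` and, since write access to crontabs lets a job change what runs later, add the reason the write is needed (the hunk does not say).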
@@ -360,6 +418,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
 dev_getattr_all_blk_files(system_cronjob_t)
 dev_getattr_all_chr_files(system_cronjob_t)
 dev_read_urand(system_cronjob_t)
+dev_read_sysfs(system_cronjob_t)
 
 fs_getattr_all_fs(system_cronjob_t)
 fs_getattr_all_files(system_cronjob_t)
@@ -386,6 +445,7 @@ files_dontaudit_search_pids(system_cronjob_t)
 # Access other spool directories like
 # /var/spool/anacron and /var/spool/slrnpull.
 files_manage_generic_spool(system_cronjob_t)
+files_create_boot_flag(system_cronjob_t)
 
 init_use_script_fds(system_cronjob_t)
 init_read_utmp(system_cronjob_t)
@@ -410,6 +470,8 @@ seutil_read_config(system_cronjob_t)
 
 ifdef(`distro_redhat', `
        # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
+       allow crond_t system_cron_spool_t:file manage_file_perms;
+
        # via redirection of standard out.
        optional_policy(`
                rpm_manage_log(system_cronjob_t)
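Review bot: `allow crond_t system_cron_spool_t:file manage_file_perms;` is inserted between the two halves of an existing comment (`# Run the rpm program in the rpm_t domain. Allow creation of RPM log files` / `# via redirection of standard out.`), so the comment is split around an unrelated rule and the rule itself has no explanation. Move the allow line above the comment with its own note, and check the overlap with the fcron_crond tunable block in the +277 hunk, which grants the same rule conditionally — inside `distro_redhat` that tunable becomes meaningless. This `ifdef` section continues outside the hunk.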
@@ -434,12 +496,22 @@ optional_policy(`
        apache_read_config(system_cronjob_t)
        apache_read_log(system_cronjob_t)
        apache_read_sys_content(system_cronjob_t)
+       apache_delete_cache_dirs(system_cronjob_t)
+       apache_delete_cache_files(system_cronjob_t)
 ')
 
 optional_policy(`
        cyrus_manage_data(system_cronjob_t)
 ')
 
+optional_policy(`
+       dbus_system_bus_client(system_cronjob_t)
+')
+
+optional_policy(`
+       exim_read_spool_files(system_cronjob_t)
+')
+
 optional_policy(`
        ftp_read_log(system_cronjob_t)
 ')
@@ -450,16 +522,25 @@ optional_policy(`
        inn_read_config(system_cronjob_t)
 ')
 
+optional_policy(`
+       livecd_read_tmp_files(system_cronjob_t)
+')
+
 optional_policy(`
        lpd_list_spool(system_cronjob_t)
 ')
 
+optional_policy(`
+       mono_domtrans(system_cronjob_t)
+')
+
 optional_policy(`
        mrtg_append_create_logs(system_cronjob_t)
 ')
 
 optional_policy(`
        mta_send_mail(system_cronjob_t)
+       mta_system_content(system_cron_spool_t)
 ')
 
 optional_policy(`
@@ -475,7 +556,7 @@ optional_policy(`
        prelink_manage_lib(system_cronjob_t)
        prelink_manage_log(system_cronjob_t)
        prelink_read_cache(system_cronjob_t)
-       prelink_relabelfrom_lib(system_cronjob_t)
+       prelink_relabel_lib(system_cronjob_t)
 ')
 
 optional_policy(`
@@ -490,6 +571,7 @@ optional_policy(`
 
 optional_policy(`
        spamassassin_manage_lib_files(system_cronjob_t)
+       spamassassin_manage_home_client(system_cronjob_t)
 ')
 
 optional_policy(`
@@ -497,7 +579,13 @@ optional_policy(`
 ')
 
 optional_policy(`
+       unconfined_domain(crond_t)
        unconfined_domain(system_cronjob_t)
+')
+
+optional_policy(`
+       unconfined_shell_domtrans(crond_t)
+       unconfined_dbus_send(crond_t)
        userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
 ')
 
@@ -590,7 +678,10 @@ userdom_manage_user_home_content_sockets(cronjob_t)
 #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
 
 list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
 read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
 
 tunable_policy(`fcron_crond', `
        allow crond_t user_cron_spool_t:file manage_file_perms;
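Review bot: `allow crond_t user_cron_spool_t:file manage_lnk_file_perms;` pairs the `file` class with the permission set meant for `lnk_file`, so it is unclear whether crond is meant to manage symlinks in the spool or regular files. If symlinks, the matching form is `manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)` next to the `read_lnk_files_pattern` line above it; if regular files, the `fcron_crond` tunable below already grants `manage_file_perms` conditionally and an unconditional grant would silently supersede it. Either way, state which in a comment.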
index 1b492eda8217dcd3c0d128a4d9c2dddbff7ad305..286ec9e5894592d88b5e52e4805eaad0c22e6bc9 100644 (file)
@@ -71,3 +71,9 @@
 /var/run/ptal-mlcd(/.*)?       gen_context(system_u:object_r:ptal_var_run_t,s0)
 /var/run/udev-configure-printer(/.*)?  gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
 /var/turboprint(/.*)?          gen_context(system_u:object_r:cupsd_var_run_t,s0)
+
+/usr/local/Brother/fax/.*\.log         gen_context(system_u:object_r:cupsd_log_t,s0)
+/usr/local/Brother/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Printer/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/local/linuxprinter/ppd(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
index 305ddf4609108cc8ddac0939e73b5375f7e7973a..fb3454a527c4419bbc1387a14f6b9e627b28087f 100644 (file)
@@ -190,10 +190,12 @@ interface(`cups_dbus_chat_config',`
 interface(`cups_read_config',`
        gen_require(`
                type cupsd_etc_t, cupsd_rw_etc_t;
+               type hplip_etc_t;
        ')
 
        files_search_etc($1)
        read_files_pattern($1, cupsd_etc_t, cupsd_etc_t)
+       read_files_pattern($1, hplip_etc_t, hplip_etc_t)
        read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
 ')
 
@@ -314,11 +316,12 @@ interface(`cups_stream_connect_ptal',`
 interface(`cups_admin',`
        gen_require(`
                type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
-               type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
+               type cupsd_etc_t, cupsd_log_t;
                type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
                type cupsd_var_run_t, ptal_etc_t;
                type ptal_var_run_t, hplip_var_run_t;
                type cupsd_initrc_exec_t;
+               type hplip_etc_t;
        ')
 
        allow $1 cupsd_t:process { ptrace signal_perms };
@@ -341,15 +344,14 @@ interface(`cups_admin',`
 
        admin_pattern($1, cupsd_lpd_var_run_t)
 
-       admin_pattern($1, cupsd_spool_t)
-       files_list_spool($1)
-
        admin_pattern($1, cupsd_tmp_t)
        files_list_tmp($1)
 
        admin_pattern($1, cupsd_var_run_t)
        files_list_pids($1)
 
+       admin_pattern($1, hplip_etc_t)
+
        admin_pattern($1, hplip_var_run_t)
 
        admin_pattern($1, ptal_etc_t)
index 0f28095a2f1355cebaadb863058a4fffd0ca8745..11e74af877b736a905155ba18d279696c55ff634 100644 (file)
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
 type cupsd_t;
 type cupsd_exec_t;
 init_daemon_domain(cupsd_t, cupsd_exec_t)
+mls_trusted_object(cupsd_t)
 
 type cupsd_etc_t;
 files_config_file(cupsd_etc_t)
@@ -123,6 +124,7 @@ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
 files_search_etc(cupsd_t)
 
 manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
+can_exec(cupsd_t, cupsd_interface_t)
 
 manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
 manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
@@ -137,6 +139,7 @@ allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
 allow cupsd_t cupsd_lock_t:file manage_file_perms;
 files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
 
+manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
 manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
 allow cupsd_t cupsd_log_t:dir setattr;
 logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
@@ -147,10 +150,11 @@ manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
 files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
 
 allow cupsd_t cupsd_var_run_t:dir setattr;
+manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
 manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
 manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
 manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
-files_pid_filetrans(cupsd_t, cupsd_var_run_t, { file fifo_file })
+files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir file fifo_file })
 
 allow cupsd_t hplip_t:process { signal sigkill };
 
@@ -297,8 +301,10 @@ optional_policy(`
                hal_dbus_chat(cupsd_t)
        ')
 
+       # talk to processes that do not have policy
        optional_policy(`
                unconfined_dbus_chat(cupsd_t)
+               files_write_generic_pid_pipes(cupsd_t)
        ')
 ')
 
@@ -371,8 +377,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
 
 allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
 
+manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
 manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
-files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
+files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
 
 domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
 
@@ -425,6 +432,7 @@ seutil_dontaudit_search_config(cupsd_config_t)
 
 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
 userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
+userdom_rw_user_tmp_files(cupsd_config_t)
 
 cups_stream_connect(cupsd_config_t)
 
@@ -452,6 +460,10 @@ optional_policy(`
        ')
 ')
 
+optional_policy(`
+       gnome_dontaudit_search_config(cupsd_config_t)
+')
+
 optional_policy(`
        hal_domtrans(cupsd_config_t)
        hal_read_tmp_files(cupsd_config_t)
@@ -587,13 +599,19 @@ auth_use_nsswitch(cups_pdf_t)
 
 miscfiles_read_localization(cups_pdf_t)
 miscfiles_read_fonts(cups_pdf_t)
+miscfiles_setattr_fonts_cache_dirs(cups_pdf_t)
 
 userdom_home_filetrans_user_home_dir(cups_pdf_t)
+userdom_user_home_dir_filetrans_pattern(cups_pdf_t, { file dir })
 userdom_manage_user_home_content_dirs(cups_pdf_t)
 userdom_manage_user_home_content_files(cups_pdf_t)
+userdom_dontaudit_search_admin_dir(cups_pdf_t)
 
 lpd_manage_spool(cups_pdf_t)
 
+optional_policy(`
+       gnome_read_config(cups_pdf_t)
+')
 
 tunable_policy(`use_nfs_home_dirs',`
        fs_search_auto_mountpoints(cups_pdf_t)
index 88e7e97f0b4fdf2adb25a042d6e879d66ea3e80b..9e8d14b3a682eccac1722144c138d59822593641 100644 (file)
@@ -112,4 +112,5 @@ optional_policy(`
        read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
        manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
        manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+       files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
 ')
index 346f926ee23c11fc549f95b7ee343f189119f36a..1f789f8b23f7df18412951bd7ef03389428ea176 100644 (file)
@@ -36,9 +36,10 @@ logging_log_filetrans(cyphesis_t, cyphesis_log_t, file)
 allow cyphesis_t cyphesis_tmp_t:sock_file manage_sock_file_perms;
 files_tmp_filetrans(cyphesis_t, cyphesis_tmp_t, file)
 
+manage_dirs_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t)
 manage_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t)
 manage_sock_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t)
-files_pid_filetrans(cyphesis_t, cyphesis_var_run_t, { file sock_file })
+files_pid_filetrans(cyphesis_t, cyphesis_var_run_t, { dir file sock_file })
 
 kernel_read_system_state(cyphesis_t)
 kernel_read_kernel_sysctls(cyphesis_t)
index e182bf4736b5f35140a7603b01d22a327594c6dc..f80e725d7ce95be3346a0df7952a2ad413ce8973 100644 (file)
@@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t)
 # Local policy
 #
 
-allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
+allow cyrus_t self:capability { fsetid dac_override net_bind_service setgid setuid sys_resource };
 dontaudit cyrus_t self:capability sys_tty_config;
 allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow cyrus_t self:process setrlimit;
@@ -135,6 +135,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+       files_dontaudit_write_usr_dirs(cyrus_t)
        snmp_read_snmp_var_lib_files(cyrus_t)
        snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
        snmp_stream_connect(cyrus_t)
index 39e901a4260070582617a1b194191aaeda189762..87fc055cc5375b0d9b9e29684db901e392d8a307 100644 (file)
@@ -42,8 +42,10 @@ template(`dbus_role_template',`
        gen_require(`
                class dbus { send_msg acquire_svc };
 
+               attribute dbusd_unconfined;
                attribute session_bus_type;
                type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
+               type $1_t;
        ')
 
        ##############################
@@ -76,7 +78,7 @@ template(`dbus_role_template',`
        allow $3 $1_dbusd_t:unix_stream_socket connectto;
 
        # SE-DBus specific permissions
-       allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
+       allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };
        allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
 
        allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
@@ -91,7 +93,7 @@ template(`dbus_role_template',`
        allow $3 $1_dbusd_t:process { signull sigkill signal };
 
        # cjp: this seems very broken
-       corecmd_bin_domtrans($1_dbusd_t, $3)
+       corecmd_bin_domtrans($1_dbusd_t, $1_t)
        allow $1_dbusd_t $3:process sigkill;
        allow $3 $1_dbusd_t:fd use;
        allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
@@ -149,12 +151,19 @@ template(`dbus_role_template',`
 
        term_use_all_terms($1_dbusd_t)
 
-       userdom_read_user_home_content_files($1_dbusd_t)
+       userdom_dontaudit_search_admin_dir($1_dbusd_t)
+       userdom_manage_user_home_content_dirs($1_dbusd_t)
+       userdom_manage_user_home_content_files($1_dbusd_t)
+       userdom_user_home_dir_filetrans_user_home_content($1_dbusd_t, { dir file })
 
        ifdef(`hide_broken_symptoms', `
                dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
        ')
 
+       optional_policy(`
+               gnome_read_gconf_home_files($1_dbusd_t)
+       ')
+
        optional_policy(`
                hal_dbus_chat($1_dbusd_t)
        ')
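Review bot: The session bus daemon's access to the user's home directory widens from read-only to full manage of user home content dirs and files plus a filetrans into them (the four `userdom_*` lines replacing `userdom_read_user_home_content_files`), with nothing recording what the bus needs to write there. Because `$1_dbusd_t` is instantiated for every role, this is a broad grant against least privilege; if the need is a specific file or directory, a dedicated home-content type with its own filetrans would confine the writes to that object. At minimum the rules should carry a comment naming the trigger, e.g. `# session bus creates <what> under $HOME (bz#<id>)`. The enclosing template starts and ends outside the hunk.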
@@ -181,10 +190,12 @@ interface(`dbus_system_bus_client',`
                type system_dbusd_t, system_dbusd_t;
                type system_dbusd_var_run_t, system_dbusd_var_lib_t;
                class dbus send_msg;
+               attribute dbusd_unconfined;
        ')
 
        # SE-DBus specific permissions
        allow $1 { system_dbusd_t self }:dbus send_msg;
+       allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg;
 
        read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
        files_search_var_lib($1)
@@ -431,13 +442,26 @@ interface(`dbus_system_domain',`
 
        domtrans_pattern(system_dbusd_t, $2, $1)
 
+       fs_search_all($1)
+
        dbus_system_bus_client($1)
        dbus_connect_system_bus($1)
 
+       init_stream_connect($1)
+
        ps_process_pattern(system_dbusd_t, $1)
 
+       userdom_dontaudit_search_admin_dir($1)
        userdom_read_all_users_state($1)
 
+       optional_policy(`
+               rpm_script_dbus_chat($1)
+       ')
+
+       optional_policy(`
+               unconfined_dbus_send($1)
+       ')
+
        ifdef(`hide_broken_symptoms', `
                dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
        ')
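Review bot: `fs_search_all($1)` grants search on every filesystem type to each domain that calls `dbus_system_domain`, an interface-wide widening that every bus-activated service now inherits whether or not it traverses anything beyond the usual paths. If a single activated service needs it, the rule belongs in that service's own policy; if every caller genuinely does, a comment explaining why should accompany the line. The `unconfined_dbus_send($1)` block is harmless on its own but also deserves a one-line reason. The interface body begins outside the hunk.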
@@ -479,3 +503,22 @@ interface(`dbus_unconfined',`
 
        typeattribute $1 dbusd_unconfined;
 ')
+
+########################################
+## <summary>
+##     Delete all dbus pid files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dbus_delete_pid_files',`
+       gen_require(`
+               type system_dbusd_var_run_t;
+       ')
+
+       delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
+')
+
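Review bot: `dbus_delete_pid_files` grants delete on `system_dbusd_var_run_t` files but does not give the caller search on the pid directory, unlike the `files_search_pids($1)` / `files_list_pids($1)` calls placed before `admin_pattern` in the admin interfaces elsewhere in this diff, so a caller that lacks it cannot reach the files. Add `files_search_pids($1)` after the `gen_require` block. The interface is complete within the hunk.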
index b354128cfe9924815810b0393776f4c34be8e1d8..c725caee56c215068322d3f4adbdd3f691bf46e7 100644 (file)
@@ -74,9 +74,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
 
 read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 
+manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
 manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
 manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
-files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, file)
+files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir })
 
 kernel_read_system_state(system_dbusd_t)
 kernel_read_kernel_sysctls(system_dbusd_t)
@@ -121,7 +122,9 @@ files_read_usr_files(system_dbusd_t)
 
 init_use_fds(system_dbusd_t)
 init_use_script_ptys(system_dbusd_t)
+init_bin_domtrans_spec(system_dbusd_t)
 init_domtrans_script(system_dbusd_t)
+init_rw_stream_sockets(system_dbusd_t)
 
 logging_send_audit_msgs(system_dbusd_t)
 logging_send_syslog_msg(system_dbusd_t)
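Review bot: `init_bin_domtrans_spec(system_dbusd_t)` appears to let the system bus daemon transition into the init domain when it executes generic bin executables, which, if that is its effect, is a large privilege step for a daemon that accepts messages from every client on the bus, and nothing in the hunk says which activated service required it. Record the reason in a comment, e.g. `# <service> activation helper must run as init_t (bz#<id>)`, and if only one helper needs it, prefer an explicit domain transition on that helper's own entrypoint type. The surrounding rule block is complete in the hunk.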
@@ -141,7 +144,15 @@ optional_policy(`
 ')
 
 optional_policy(`
-       policykit_dbus_chat(system_dbusd_t)
+       gnome_exec_gconf(system_dbusd_t)
+')
+
+optional_policy(`
+       networkmanager_initrc_domtrans(system_dbusd_t)
+')
+
+optional_policy(`
+        policykit_dbus_chat(system_dbusd_t)
        policykit_domtrans_auth(system_dbusd_t)
        policykit_search_lib(system_dbusd_t)
 ')
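Review bot: `policykit_dbus_chat(system_dbusd_t)` in the re-added `optional_policy` block is indented with spaces while the two lines below it use a tab, so the block no longer lines up. The same mixed indentation appears in other added lines in this diff: the `gnome_dontaudit_search_config` blocks for denyhosts and fail2ban, the `postfix_manage_private_sockets` block for dovecot, the `nagios_search_spool` block for exim, and the `tunable_policy` bodies in the ftp policy. Refpolicy style is one tab per level; retab these before merge, there is no functional effect.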
@@ -158,5 +169,12 @@ optional_policy(`
 #
 # Unconfined access to this module
 #
-
 allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
+allow session_bus_type dbusd_unconfined:dbus send_msg;
+
+optional_policy(`
+       xserver_use_xdm_fds(session_bus_type)
+       xserver_rw_xdm_pipes(session_bus_type)
+       xserver_append_xdm_home_files(session_bus_type)
+')
index 8ba942504d25a1e06174a509b1c0ba1b7e009531..d53ee7e3f17b3056f6901134e2a5639a6d566de4 100644 (file)
@@ -25,7 +25,8 @@ logging_log_file(denyhosts_var_log_t)
 #
 # DenyHosts personal policy.
 #
-
+# Bug #588563
+allow denyhosts_t self:capability sys_tty_config;
 allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms;
 allow denyhosts_t self:tcp_socket create_socket_perms;
 allow denyhosts_t self:udp_socket create_socket_perms;
@@ -53,20 +54,28 @@ corenet_tcp_sendrecv_generic_if(denyhosts_t)
 corenet_tcp_sendrecv_generic_node(denyhosts_t)
 corenet_tcp_bind_generic_node(denyhosts_t)
 corenet_tcp_connect_smtp_port(denyhosts_t)
+corenet_tcp_connect_sype_port(denyhosts_t)
 corenet_sendrecv_smtp_client_packets(denyhosts_t)
 
 dev_read_urand(denyhosts_t)
 
 files_read_etc_files(denyhosts_t)
+files_read_usr_files(denyhosts_t)
 
 # /var/log/secure
 logging_read_generic_logs(denyhosts_t)
+logging_send_syslog_msg(denyhosts_t)
 
 miscfiles_read_localization(denyhosts_t)
 
+sysnet_dns_name_resolve(denyhosts_t)
 sysnet_manage_config(denyhosts_t)
 sysnet_etc_filetrans_config(denyhosts_t)
 
 optional_policy(`
        cron_system_entry(denyhosts_t, denyhosts_exec_t)
 ')
+
+optional_policy(`
+    gnome_dontaudit_search_config(denyhosts_t)
+')
index f706b994fc39471a0acca7719226d329c6f5e20e..70cf0184daa66bfcdc927dd1e7fd72d8ae1982c5 100644 (file)
@@ -165,13 +165,13 @@ interface(`devicekit_admin',`
                type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
        ')
 
-       allow $1 devicekit_t:process { ptrace signal_perms getattr };
+       allow $1 devicekit_t:process { ptrace signal_perms };
        ps_process_pattern($1, devicekit_t)
 
-       allow $1 devicekit_disk_t:process { ptrace signal_perms getattr };
+       allow $1 devicekit_disk_t:process { ptrace signal_perms };
        ps_process_pattern($1, devicekit_disk_t)
 
-       allow $1 devicekit_power_t:process { ptrace signal_perms getattr };
+       allow $1 devicekit_power_t:process { ptrace signal_perms };
        ps_process_pattern($1, devicekit_power_t)
 
        admin_pattern($1, devicekit_tmp_t)
index f231f17daa80742b0e0372d5f465de357912a47d..6cee08fa619615f5ebba8121b291fe81d5972b5b 100644 (file)
@@ -75,10 +75,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
 manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
 files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
 
+allow devicekit_disk_t devicekit_var_run_t:dir mounton;
 manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
 manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
 files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { file dir })
 
+kernel_list_unlabeled(devicekit_disk_t)
 kernel_getattr_message_if(devicekit_disk_t)
 kernel_read_fs_sysctls(devicekit_disk_t)
 kernel_read_network_state(devicekit_disk_t)
@@ -105,8 +107,10 @@ domain_read_all_domains_state(devicekit_disk_t)
 
 files_dontaudit_read_all_symlinks(devicekit_disk_t)
 files_getattr_all_sockets(devicekit_disk_t)
-files_getattr_all_mountpoints(devicekit_disk_t)
+files_getattr_all_dirs(devicekit_disk_t)
 files_getattr_all_files(devicekit_disk_t)
+files_getattr_all_pipes(devicekit_disk_t)
+files_manage_boot_dirs(devicekit_disk_t)
 files_manage_isid_type_dirs(devicekit_disk_t)
 files_manage_mnt_dirs(devicekit_disk_t)
 files_read_etc_files(devicekit_disk_t)
@@ -178,17 +182,27 @@ optional_policy(`
        virt_manage_images(devicekit_disk_t)
 ')
 
+optional_policy(`
+       unconfined_domain(devicekit_t)
+       unconfined_domain(devicekit_power_t)
+       unconfined_domain(devicekit_disk_t)
+')
+
 ########################################
 #
 # DeviceKit-Power local policy
 #
 
 allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
-allow devicekit_power_t self:process getsched;
+allow devicekit_power_t self:process { getsched signal_perms };
 allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
 allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
 
+manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
+manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
+files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir })
+
 manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
 manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
 files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
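Review bot: The new `optional_policy` block applies `unconfined_domain()` to `devicekit_t`, `devicekit_power_t` and `devicekit_disk_t`, which removes MAC confinement from all three DeviceKit daemons whenever the unconfined module is loaded and makes every finer-grained rule added in this hunk (`mounton`, `kernel_list_unlabeled`, the tmp handling, `signal_perms`) moot in that configuration. If this is a deliberate stop-gap for an unresolved set of denials it needs a comment with the bug reference, in the style of the `# Bug #588563` comment in the denyhosts hunk, and a `permissive` declaration scoped to the affected domain would be the narrower way to collect those denials without granting everything. Otherwise the block should be dropped in favour of the specific rules.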
@@ -212,12 +226,14 @@ dev_rw_generic_usb_dev(devicekit_power_t)
 dev_rw_generic_chr_files(devicekit_power_t)
 dev_rw_netcontrol(devicekit_power_t)
 dev_rw_sysfs(devicekit_power_t)
+dev_read_rand(devicekit_power_t)
 
 files_read_kernel_img(devicekit_power_t)
 files_read_etc_files(devicekit_power_t)
 files_read_usr_files(devicekit_power_t)
 
 fs_list_inotifyfs(devicekit_power_t)
+fs_getattr_all_fs(devicekit_power_t)
 
 term_use_all_terms(devicekit_power_t)
 
@@ -225,8 +241,11 @@ auth_use_nsswitch(devicekit_power_t)
 
 miscfiles_read_localization(devicekit_power_t)
 
+modutils_domtrans_insmod(devicekit_power_t)
+
 sysnet_read_config(devicekit_power_t)
 sysnet_domtrans_ifconfig(devicekit_power_t)
+sysnet_domtrans_dhcpc(devicekit_power_t)
 
 userdom_read_all_users_state(devicekit_power_t)
 
@@ -260,6 +279,10 @@ optional_policy(`
        fstools_domtrans(devicekit_power_t)
 ')
 
+optional_policy(`
+       gnome_read_home_config(devicekit_power_t)
+')
+
 optional_policy(`
        hal_domtrans_mac(devicekit_power_t)
        hal_manage_log(devicekit_power_t)
@@ -279,6 +302,11 @@ optional_policy(`
        udev_read_db(devicekit_power_t)
 ')
 
+optional_policy(`
+       usbmuxd_stream_connect(devicekit_power_t)
+')
+
 optional_policy(`
        vbetool_domtrans(devicekit_power_t)
 ')
+
index 5e2cea828bb844f35759b6022cb8e1ace9c1ca4d..aa4da1d90d227cbb5705b77f3b403d1a641c9209 100644 (file)
@@ -77,7 +77,7 @@ interface(`dhcpd_initrc_domtrans',`
 #
 interface(`dhcpd_admin',`
        gen_require(`
-               type dhcpd_t; type dhcpd_tmp_t; type dhcpd_state_t;
+               type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t;
                type dhcpd_var_run_t, dhcpd_initrc_exec_t;
        ')
 
index d4424ad7fe5818aaf2753b5a7619ea853fa14e23..a307b51bf91c6a3bf51dce80bbc07d8b93894d64 100644 (file)
@@ -110,6 +110,10 @@ optional_policy(`
        bind_read_dnssec_keys(dhcpd_t)
 ')
 
+optional_policy(`
+       cobbler_dontaudit_rw_log(dhcpd_t)
+')
+
 optional_policy(`
        dbus_system_bus_client(dhcpd_t)
        dbus_connect_system_bus(dhcpd_t)
index 0c6a473607ee739986db318cd16063658e5cad00..e72326675b1b17ea0b6ff2c52cc1e9e38dfcd9c7 100644 (file)
@@ -23,6 +23,8 @@ djbdns_daemontools_domain_template(tinydns)
 # Local policy for axfrdns component
 #
 
+files_config_file(djbdns_axfrdns_conf_t)
+
 daemontools_ipc_domain(djbdns_axfrdns_t)
 daemontools_read_svc(djbdns_axfrdns_t)
 
index fdaeebac81fba29b55b8efa06dc5a6823e40a55c..a50a8a76c0e1e0963530aa039949b2771d26f555 100644 (file)
@@ -95,6 +95,10 @@ optional_policy(`
        cobbler_read_lib_files(dnsmasq_t)
 ')
 
+optional_policy(`
+       cron_manage_pid_files(dnsmasq_t)
+')
+
 optional_policy(`
        dbus_system_bus_client(dnsmasq_t)
 ')
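Review bot: `cron_manage_pid_files(dnsmasq_t)` grants dnsmasq create, write and delete on crond's pid files, an unusual cross-daemon write that nothing in the hunk explains. If the underlying denial was a leaked descriptor or a read-only probe, a dontaudit or read interface would be the narrower fix; if dnsmasq really writes there, add a comment recording the observed denial, e.g. `# dnsmasq writes <file> under cron's pid type (bz#<id>)`.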
index bfc880b6b0976f0e3d639b5ea852fbbb68c67cd5..9a1dcbab9152b8d861776cc14071dd345022f243 100644 (file)
@@ -25,7 +25,7 @@ ifdef(`distro_debian', `
 ifdef(`distro_redhat', `
 /usr/libexec/dovecot/auth      --      gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
 /usr/libexec/dovecot/deliver   --      gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
-/usr/libexec/dovecot/deliver-lda --    gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/libexec/dovecot/dovecot-lda --    gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
 /usr/libexec/dovecot/dovecot-auth --   gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
 ')
 
index e1d7dc5aeabd637bbe6ea7fb38d92d97f6aa0a38..09f6f301d94b4f90823035b8b3a14d3245df74f4 100644 (file)
@@ -93,12 +93,14 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
 #
 interface(`dovecot_admin',`
        gen_require(`
-               type dovecot_t, dovecot_etc_t, dovecot_log_t;
+               type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t;
                type dovecot_spool_t, dovecot_var_lib_t;
-               type dovecot_var_run_t;
+               type dovecot_var_run_t, dovecot_tmp_t;
+               type dovecot_var_log_t;
 
                type dovecot_cert_t, dovecot_passwd_t;
                type dovecot_initrc_exec_t;
+               type dovecot_keytab_t;
        ')
 
        allow $1 dovecot_t:process { ptrace signal_perms };
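Review bot: `dovecot_admin` now requires `type dovecot_keytab_t;` unconditionally, but that type appears to be declared only by `kerberos_keytab_template(dovecot, dovecot_t)`, which sits inside an `optional_policy` block in the dovecot type-enforcement hunk further down this diff; on a build without the kerberos module the require cannot be satisfied and any policy that calls `dovecot_admin` fails to link. Move the require together with the `admin_pattern($1, dovecot_keytab_t)` rule into an `optional_policy` block inside the interface, or drop the keytab rule here. The interface continues past the end of the hunk.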
@@ -112,8 +114,11 @@ interface(`dovecot_admin',`
        files_list_etc($1)
        admin_pattern($1, dovecot_etc_t)
 
-       logging_list_logs($1)
-       admin_pattern($1, dovecot_log_t)
+       files_list_tmp($1)
+       admin_pattern($1, dovecot_auth_tmp_t)
+       admin_pattern($1, dovecot_tmp_t)
+
+       admin_pattern($1, dovecot_keytab_t)
 
        files_list_spool($1)
        admin_pattern($1, dovecot_spool_t)
@@ -121,6 +126,9 @@ interface(`dovecot_admin',`
        files_list_var_lib($1)
        admin_pattern($1, dovecot_var_lib_t)
 
+       logging_search_logs($1)
+       admin_pattern($1, dovecot_var_log_t)
+
        files_list_pids($1)
        admin_pattern($1, dovecot_var_run_t)
 
index cbe14e4459295f8ee9406b83dcff00181759ad38..64bc566b5539a708bd88933ad9bb7079ab405ca7 100644 (file)
@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
 files_tmp_file(dovecot_auth_tmp_t)
 
 type dovecot_cert_t;
-files_type(dovecot_cert_t)
+miscfiles_cert_type(dovecot_cert_t)
 
 type dovecot_deliver_t;
 type dovecot_deliver_exec_t;
@@ -26,6 +26,9 @@ domain_type(dovecot_deliver_t)
 domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
 role system_r types dovecot_deliver_t;
 
+type dovecot_deliver_tmp_t;
+files_tmp_file(dovecot_deliver_tmp_t)
+
 type dovecot_etc_t;
 files_config_file(dovecot_etc_t)
 
@@ -58,7 +61,7 @@ files_pid_file(dovecot_var_run_t)
 
 allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot };
 dontaudit dovecot_t self:capability sys_tty_config;
-allow dovecot_t self:process { setrlimit signal_perms getcap setcap };
+allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
 allow dovecot_t self:fifo_file rw_fifo_file_perms;
 allow dovecot_t self:tcp_socket create_stream_socket_perms;
 allow dovecot_t self:unix_dgram_socket create_socket_perms;
@@ -72,7 +75,8 @@ allow dovecot_t dovecot_cert_t:dir list_dir_perms;
 read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
 read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
 
-allow dovecot_t dovecot_etc_t:file read_file_perms;
+allow dovecot_t dovecot_etc_t:dir list_dir_perms;
+read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
 files_search_etc(dovecot_t)
 
 can_exec(dovecot_t, dovecot_exec_t)
@@ -94,10 +98,11 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
 manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
 manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
 
+manage_dirs_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
 manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
 manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
 manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
-files_pid_filetrans(dovecot_t, dovecot_var_run_t, file)
+files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file })
 
 kernel_read_kernel_sysctls(dovecot_t)
 kernel_read_system_state(dovecot_t)
@@ -158,6 +163,11 @@ optional_policy(`
        kerberos_keytab_template(dovecot, dovecot_t)
 ')
 
+optional_policy(`
+    postfix_manage_private_sockets(dovecot_t)
+    postfix_search_spool(dovecot_t)
+')
+
 optional_policy(`
        postgresql_stream_connect(dovecot_t)
 ')
@@ -242,6 +252,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+       postfix_manage_private_sockets(dovecot_auth_t)
        postfix_search_spool(dovecot_auth_t)
 ')
 
@@ -253,19 +264,31 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
 
 allow dovecot_deliver_t dovecot_t:process signull;
 
-allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
+read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
 allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
 
+allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
+
+append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
+
+manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
+manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
+files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
+
+can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
+
 kernel_read_all_sysctls(dovecot_deliver_t)
 kernel_read_system_state(dovecot_deliver_t)
 
+corecmd_exec_bin(dovecot_deliver_t)
+
 files_read_etc_files(dovecot_deliver_t)
 files_read_etc_runtime_files(dovecot_deliver_t)
 
 auth_use_nsswitch(dovecot_deliver_t)
 
 logging_send_syslog_msg(dovecot_deliver_t)
-logging_search_logs(dovecot_auth_t)
+logging_search_logs(dovecot_deliver_t)
 
 miscfiles_read_localization(dovecot_deliver_t)
 
@@ -302,4 +325,5 @@ tunable_policy(`use_samba_home_dirs',`
 
 optional_policy(`
        mta_manage_spool(dovecot_deliver_t)
+       mta_read_queue(dovecot_deliver_t)
 ')
index 298f06606f28d968112970386eedef587dfb680a..c2570df0a0038e368dd5467bd4160a3bced2549e 100644 (file)
@@ -1,3 +1,6 @@
+
+/etc/rc\.d/init\.d/exim        --  gen_context(system_u:object_r:exim_initrc_exec_t,s0)
+
 /usr/sbin/exim[0-9]?           --      gen_context(system_u:object_r:exim_exec_t,s0)
 /var/log/exim[0-9]?(/.*)?              gen_context(system_u:object_r:exim_log_t,s0)
 /var/run/exim[0-9]?\.pid       --      gen_context(system_u:object_r:exim_var_run_t,s0)
index 6bef7f8646ecfd8fed71e8c618e565bf68da185b..1685c5d543052c59ea978b1770190ccf6bcac4e9 100644 (file)
@@ -18,6 +18,24 @@ interface(`exim_domtrans',`
        domtrans_pattern($1, exim_exec_t, exim_t)
 ')
 
+########################################
+## <summary>
+##     Execute exim in the exim domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`exim_initrc_domtrans', `
+       gen_require(`
+               type exim_initrc_exec_t;
+       ')
+
+       init_labeled_script_domtrans($1, exim_initrc_exec_t)
+')
+
 ########################################
 ## <summary>
 ##     Do not audit attempts to read, 
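Review bot: The summary of `exim_initrc_domtrans` says "Execute exim in the exim domain", but the body calls `init_labeled_script_domtrans($1, exim_initrc_exec_t)`, which runs the exim init script and transitions to the init script domain rather than to `exim_t`; the text was copied from `exim_domtrans` above and misdescribes the interface. Suggested summary: `##	Execute the exim init script in the init script domain.` The `interface(\`exim_initrc_domtrans', \`` line also has a space after the comma that `exim_domtrans` does not; cosmetic, but worth aligning.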
@@ -194,3 +212,46 @@ interface(`exim_manage_spool_files',`
        manage_files_pattern($1, exim_spool_t, exim_spool_t)
        files_search_spool($1)
 ')
+
+########################################
+## <summary>
+##     All of the rules required to administrate
+##     an exim environment.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     Role allowed access.
+##     </summary>
+## </param>
+#
+interface(`exim_admin', `
+       gen_require(`
+               type exim_t, exim_initrc_exec_t, exim_log_t; 
+               type exim_tmp_t, exim_spool_t,  exim_var_run_t;
+       ')
+
+       allow $1 exim_t:process { ptrace signal_perms };
+       ps_process_pattern($1, exim_t)
+
+       exim_initrc_domtrans($1)
+       domain_system_change_exemption($1)
+       role_transition $2 exim_initrc_exec_t system_r;
+       allow $2 system_r;
+
+       logging_search_logs($1)
+       admin_pattern($1, exim_log_t)
+
+       files_search_tmp($1)
+       admin_pattern($1, exim_tmp_t)
+
+       files_search_spool($1)
+       admin_pattern($1, exim_spool_t)
+
+       files_search_pids($1)
+       admin_pattern($1, exim_var_run_t)
+')
index f28f64b9fab739a6aeb628fd3cab36a236d72541..6c819a37d905296a7917b6c386021c97b5967da4 100644 (file)
@@ -35,6 +35,9 @@ mta_mailserver_user_agent(exim_t)
 application_executable_file(exim_exec_t)
 mta_agent_executable(exim_exec_t)
 
+type exim_initrc_exec_t;
+init_script_file(exim_initrc_exec_t)
+
 type exim_log_t;
 logging_log_file(exim_log_t)
 
@@ -170,6 +173,10 @@ optional_policy(`
        mailman_domtrans(exim_t)
 ')
 
+optional_policy(`
+    nagios_search_spool(exim_t)
+')
+
 optional_policy(`
        tunable_policy(`exim_can_connect_db',`
                mysql_stream_connect(exim_t)
@@ -184,6 +191,7 @@ optional_policy(`
 
 optional_policy(`
        procmail_domtrans(exim_t)
+       procmail_read_home_files(exim_t)
 ')
 
 optional_policy(`
index f590a1ffed71fbe05e479869ab8d69c601b5c64b..e4261f5e5d204c2988946b60d1548064c69cd25e 100644 (file)
@@ -136,6 +136,26 @@ interface(`fail2ban_read_pid_files',`
        allow $1 fail2ban_var_run_t:file read_file_perms;
 ')
 
+########################################
+## <summary>
+##     dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`fail2ban_dontaudit_leaks',`
+       gen_require(`
+               type fail2ban_t;
+       ')
+
+       dontaudit $1 fail2ban_t:tcp_socket { read write };
+       dontaudit $1 fail2ban_t:unix_dgram_socket { read write };
+       dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+')
+
 ########################################
 ## <summary>
 ##     All of the rules required to administrate 
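Review bot: The summary of `fail2ban_dontaudit_leaks` reads "dontaudit read and write an leaked file descriptors", which is ungrammatical and does not follow the "Do not audit attempts to …" phrasing used for dontaudit interfaces elsewhere in this diff. Suggested: `##	Do not audit attempts to read and write fail2ban leaked file descriptors.` The three dontaudit rules themselves match the interface name and need no change.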
index 2a69e5ece5785a80c810a35ae85d5fa5375c53a3..fd30b024c66bafc7357fc1134f46b80abef88aa9 100644 (file)
@@ -93,6 +93,10 @@ optional_policy(`
        ftp_read_log(fail2ban_t)
 ')
 
+optional_policy(`
+    gnome_dontaudit_search_config(fail2ban_t)
+')
+
 optional_policy(`
        iptables_domtrans(fail2ban_t)
 ')
index 6537214cb66f08ed4a661f9d6eb097af41e2bbbe..7d64c0af44159062ae2c47fae8d4312106b814cf 100644 (file)
@@ -18,6 +18,7 @@ interface(`fetchmail_admin',`
                type fetchmail_var_run_t;
        ')
 
+       allow $1 fetchmail_t:process { ptrace signal_perms };
        ps_process_pattern($1, fetchmail_t)
 
        files_list_etc($1)
index 7df52c7d88eabb51e3a30d74d58d0cbde619e950..899feaf3acdaad784d7ab6d8b266a3dfd99fd723 100644 (file)
@@ -17,9 +17,9 @@ files_type(fprintd_var_lib_t)
 # Local policy
 #
 
-allow fprintd_t self:capability sys_ptrace;
+allow fprintd_t self:capability { sys_nice sys_ptrace };
 allow fprintd_t self:fifo_file rw_fifo_file_perms;
-allow fprintd_t self:process { getsched signal };
+allow fprintd_t self:process { getsched setsched signal };
 
 manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
 manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
@@ -54,4 +54,5 @@ optional_policy(`
        policykit_read_lib(fprintd_t)
        policykit_dbus_chat(fprintd_t)
        policykit_domtrans_auth(fprintd_t)
+       policykit_dbus_chat_auth(fprintd_t)
 ')
index 69dcd2a02607bc94d76ccca1a3d67b6372f74561..a9a91167b99937b84063abccd1bf75c393cc343e 100644 (file)
@@ -29,3 +29,4 @@
 /var/log/vsftpd.*      --      gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/xferlog.*     --      gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/xferreport.*  --      gen_context(system_u:object_r:xferlog_t,s0)
+/usr/libexec/webmin/vsftpd/webalizer/xfer_log  --      gen_context(system_u:object_r:xferlog_t,s0)
index 8a74a832e4a39a1f75f287d489357133431e4741..34a00149c1bbdb2289ae0231b829e646c70c006c 100644 (file)
@@ -38,6 +38,13 @@ gen_tunable(allow_ftpd_use_cifs, false)
 ## </desc>
 gen_tunable(allow_ftpd_use_nfs, false)
 
+## <desc>
+## <p>
+## Allow ftp servers to use connect to mysql database
+## </p>
+## </desc>
+gen_tunable(ftpd_connect_db, false)
+
 ## <desc>
 ## <p>
 ## Allow ftp to read and write files in the user home directories
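Review bot: The description of the new `ftpd_connect_db` tunable reads "Allow ftp servers to use connect to mysql database"; it is ungrammatical and, since the same tunable also gates the postgresql connection in the ftp policy hunk further down, too narrow. Suggested: `## Allow ftp servers to connect to mysql and postgresql databases.` The `sftpd_write_ssh_home` description in the next hunk has the typo "interlnal-sftp" for "internal-sftp".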
@@ -70,6 +77,14 @@ gen_tunable(sftpd_enable_homedirs, false)
 ## </desc>
 gen_tunable(sftpd_full_access, false)
 
+## <desc>
+## <p>
+## Allow interlnal-sftp to read and write files 
+## in the user ssh home directories.
+## </p>
+## </desc>
+gen_tunable(sftpd_write_ssh_home, false)
+
 type anon_sftpd_t;
 typealias anon_sftpd_t alias sftpd_anon_t;
 domain_type(anon_sftpd_t)
@@ -115,6 +130,10 @@ ifdef(`enable_mcs',`
        init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
 ')
 
+ifdef(`enable_mls',`
+       init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh)
+')
+
 ########################################
 #
 # anon-sftp local policy
@@ -133,7 +152,7 @@ tunable_policy(`sftpd_anon_write',`
 # ftpd local policy
 #
 
-allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
+allow ftpd_t self:capability { chown fowner fsetid ipc_lock setgid setuid sys_chroot sys_admin sys_nice sys_resource };
 dontaudit ftpd_t self:capability sys_tty_config;
 allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
 allow ftpd_t self:fifo_file rw_fifo_file_perms;
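Review bot: `ftpd_t` gains `sys_admin` (and `ipc_lock`) on the self:capability line with no comment on which operation needs it; `sys_admin` is the broadest capability and ftpd is network-facing, so the grant should carry a justification, e.g. `# sys_admin: <operation> (bz#<id>)`, or be replaced by the narrower permission if the denial was for something specific, or by a dontaudit if the capability is merely probed. `ipc_lock` is plausible for memory locking but should be stated in the same comment.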
@@ -151,7 +170,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
 
 manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
 manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
-files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
 
 manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
 manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
@@ -270,10 +288,13 @@ tunable_policy(`ftp_home_dir',`
        # allow access to /home
        files_list_home(ftpd_t)
        userdom_read_user_home_content_files(ftpd_t)
-       userdom_manage_user_home_content_dirs(ftpd_t)
-       userdom_manage_user_home_content_files(ftpd_t)
-       userdom_manage_user_home_content_symlinks(ftpd_t)
-       userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file })
+       userdom_manage_user_home_content(ftpd_t)
+       userdom_manage_user_tmp_files(ftpd_t)
+       userdom_tmp_filetrans_user_tmp(ftpd_t, file)
+', `
+   # Needed for permissive mode, to make sure everything gets labeled correctly
+   userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file })
+   files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
 ')
 
 tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
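Review bot: With `ftp_home_dir` enabled, ftpd's only type transition for /tmp content is now `userdom_tmp_filetrans_user_tmp(ftpd_t, file)`, so directories it creates in /tmp get no transition at all, because `files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })` was moved from the unconditional section into the else branch while `manage_dirs_pattern(ftpd_t, ftpd_tmp_t, …)` stays unconditional. If that is intended, a comment explaining why ftpd's /tmp files become user tmp content when home-dir access is on would help; if not, keep a `dir` transition to `ftpd_tmp_t` in both branches. The else-branch lines are also indented with three spaces instead of a tab.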
@@ -315,6 +336,23 @@ optional_policy(`
        kerberos_manage_host_rcache(ftpd_t)
 ')
 
+optional_policy(`
+       tunable_policy(`ftpd_connect_db',`
+               mysql_stream_connect(ftpd_t)
+       ')
+')
+
+optional_policy(`
+       tunable_policy(`ftpd_connect_db',`
+               postgresql_stream_connect(ftpd_t)
+       ')
+')
+
+tunable_policy(`ftpd_connect_db',`
+       corenet_tcp_connect_mysqld_port(ftpd_t)
+       corenet_tcp_connect_postgresql_port(ftpd_t)
+')
+
 optional_policy(`
        inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
 
@@ -362,21 +400,33 @@ userdom_use_user_terminals(ftpdctl_t)
 #
 # sftpd local policy
 #
-
 files_read_etc_files(sftpd_t)
 
 # allow read access to /home by default
 userdom_read_user_home_content_files(sftpd_t)
 userdom_read_user_home_content_symlinks(sftpd_t)
+userdom_dontaudit_list_admin_dir(sftpd_t)
+
+tunable_policy(`sftpd_full_access',`
+    allow sftpd_t self:capability { dac_override dac_read_search };
+    fs_read_noxattr_fs_files(sftpd_t)
+    auth_manage_all_files_except_shadow(sftpd_t)
+')
+
+tunable_policy(`sftpd_write_ssh_home',`
+    ssh_manage_home_files(sftpd_t)
+')
 
 tunable_policy(`sftpd_enable_homedirs',`
        allow sftpd_t self:capability { dac_override dac_read_search };
 
        # allow access to /home
        files_list_home(sftpd_t)
-       userdom_manage_user_home_content_files(sftpd_t)
-       userdom_manage_user_home_content_dirs(sftpd_t)
-       userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
+       userdom_read_user_home_content_files(sftpd_t)
+       userdom_manage_user_home_content(sftpd_t)
+', `
+   # Needed for permissive mode, to make sure everything gets labeled correctly
+   userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
 ')
 
 tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
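Review bot: `userdom_read_user_home_content_files(sftpd_t)` inside the `sftpd_enable_homedirs` branch duplicates the unconditional grant of the same interface a few lines above (under "allow read access to /home by default"), so the line is a no-op and can be dropped. Separately, `sftpd_full_access` combines `dac_override`/`dac_read_search` with `auth_manage_all_files_except_shadow`, which amounts to write access to nearly the whole filesystem; its tunable description, which lies outside this hunk, should state that plainly so administrators understand what they enable.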
index 54f0737cad69aa8628fa17c6a2d2d029bec8ebb4..7ab4c92c1ebb1b5990e9dd8cc07293282a60b051 100644 (file)
@@ -1,3 +1,12 @@
+HOME_DIR/public_git(/.*)?      gen_context(system_u:object_r:git_session_content_t, s0)
+HOME_DIR/\.gitconfig   --      gen_context(system_u:object_r:git_session_content_t, s0)
+
+/srv/git(/.*)?                 gen_context(system_u:object_r:git_system_content_t, s0)
+
+/usr/libexec/git-core/git-daemon       --      gen_context(system_u:object_r:gitd_exec_t, s0)
+
 /var/cache/cgit(/.*)?          gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
 /var/lib/git(/.*)?             gen_context(system_u:object_r:httpd_git_content_t,s0)
 /var/www/cgi-bin/cgit  --      gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/var/www/git(/.*)?             gen_context(system_u:object_r:httpd_git_content_t,s0)
+/var/www/git/gitweb.cgi                gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
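Review bot: `/var/www/git/gitweb.cgi` has no file-type field, unlike the `--` on `/var/www/cgi-bin/cgit` and the other executable entries in this file, so the script label would apply to any object at that path rather than only a regular file. Add the field for consistency: `/var/www/git/gitweb.cgi	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)`. The `HOME_DIR/\.gitconfig` and git-daemon entries already use `--` correctly.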
index 458aac63133030e32a2e529e8dcd9a82195fced9..63742a3c9e23d80ac5783ffd4bb4002e80bc3ac7 100644 (file)
@@ -1 +1,525 @@
-## <summary>GIT revision control system</summary>
+## <summary>Fast Version Control System.</summary>
+## <desc>
+##     <p>
+##             A really simple TCP git daemon that normally listens on
+##             port DEFAULT_GIT_PORT aka 9418. It waits for a
+##             connection asking for a service, and will serve that
+##             service if it is enabled.
+##     </p>
+## </desc>
+
+#######################################
+## <summary>
+##     Role access for Git daemon session.
+## </summary>
+## <param name="role">
+##     <summary>
+##     Role allowed access.
+##     </summary>
+## </param>
+## <param name="domain">
+##     <summary>
+##     User domain for the role.
+##     </summary>
+## </param>
+#
+interface(`git_session_role',`
+       gen_require(`
+               type git_session_t, gitd_exec_t;
+               type git_session_content_t;
+       ')
+
+       ########################################
+       #
+       # Git daemon session shared declarations.
+       #
+
+       role $1 types git_session_t;
+
+       ########################################
+       #
+       # Git daemon session shared policy.
+       #
+
+       domtrans_pattern($2, gitd_exec_t, git_session_t)
+
+       allow $2 git_session_t:process { ptrace signal_perms };
+       ps_process_pattern($2, git_session_t)
+')
+
+########################################
+## <summary>
+##     Create a set of derived types for Git
+##     daemon shared repository content.
+## </summary>
+## <param name="prefix">
+##     <summary>
+##     The prefix to be used for deriving type names.
+##     </summary>
+## </param>
+#
+template(`git_content_template',`
+
+       gen_require(`
+               attribute git_system_content;
+               attribute git_content;
+       ')
+
+       ########################################
+       #
+       # Git daemon content shared declarations.
+       #
+
+       type git_$1_content_t, git_system_content, git_content;
+       files_type(git_$1_content_t)
+')
+
+########################################
+## <summary>
+##     Create a set of derived types for Git
+##     daemon shared repository roles.
+## </summary>
+## <param name="prefix">
+##     <summary>
+##     The prefix to be used for deriving type names.
+##     </summary>
+## </param>
+#
+template(`git_role_template',`
+
+       gen_require(`
+               class context contains;
+               role system_r;
+       ')
+
+       ########################################
+       #
+       # Git daemon role shared declarations.
+       #
+
+       attribute $1_usertype;
+
+       type $1_t;
+       userdom_unpriv_usertype($1, $1_t)
+       domain_type($1_t)
+
+       role $1_r types $1_t;
+       allow system_r $1_r;
+
+       ########################################
+       #
+       # Git daemon role shared policy.
+       #
+
+       allow $1_t self:context contains;
+       allow $1_t self:fifo_file rw_fifo_file_perms;
+
+       corecmd_exec_bin($1_t)
+       corecmd_bin_entry_type($1_t)
+       corecmd_shell_entry_type($1_t)
+
+       domain_interactive_fd($1_t)
+       domain_user_exemption_target($1_t)
+
+       kernel_read_system_state($1_t)
+
+       files_read_etc_files($1_t)
+       files_dontaudit_search_home($1_t)
+
+       miscfiles_read_localization($1_t)
+
+       git_rwx_generic_system_content($1_t)
+
+       ssh_rw_stream_sockets($1_t)
+
+       tunable_policy(`git_system_use_cifs',`
+               fs_exec_cifs_files($1_t)
+               fs_manage_cifs_dirs($1_t)
+               fs_manage_cifs_files($1_t)
+       ')
+
+       tunable_policy(`git_system_use_nfs',`
+               fs_exec_nfs_files($1_t)
+               fs_manage_nfs_dirs($1_t)
+               fs_manage_nfs_files($1_t)
+       ')
+
+       optional_policy(`
+               nscd_read_pid($1_t)
+       ')
+')
+
+#######################################
+## <summary>
+##     Allow specified domain access to the
+##     specified Git daemon content.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="object">
+##     <summary>
+##     Type of the object that access is allowed to.
+##     </summary>
+## </param>
+#
+interface(`git_content_delegation',`
+       gen_require(`
+               type $1, $2;
+       ')
+
+       exec_files_pattern($1, $2, $2)
+       manage_dirs_pattern($1, $2, $2)
+       manage_files_pattern($1, $2, $2)
+       files_search_var_lib($1)
+
+       tunable_policy(`git_system_use_cifs',`
+               fs_exec_cifs_files($1)
+               fs_manage_cifs_dirs($1)
+               fs_manage_cifs_files($1)
+       ')
+
+       tunable_policy(`git_system_use_nfs',`
+               fs_exec_nfs_files($1)
+               fs_manage_nfs_dirs($1)
+               fs_manage_nfs_files($1)
+       ')
+')
+
+########################################
+## <summary>
+##     Allow the specified domain to manage
+##     and execute all Git daemon content.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`git_rwx_all_content',`
+       gen_require(`
+               attribute git_content;
+       ')
+
+       exec_files_pattern($1, git_content, git_content)
+       manage_dirs_pattern($1, git_content, git_content)
+       manage_files_pattern($1, git_content, git_content)
+       userdom_search_user_home_dirs($1)
+       files_search_var_lib($1)
+
+       tunable_policy(`use_nfs_home_dirs',`
+               fs_exec_nfs_files($1)
+               fs_manage_nfs_dirs($1)
+               fs_manage_nfs_files($1)
+       ')
+
+       tunable_policy(`use_samba_home_dirs',`
+               fs_exec_cifs_files($1)
+               fs_manage_cifs_dirs($1)
+               fs_manage_cifs_files($1)
+       ')
+
+       tunable_policy(`git_system_use_cifs',`
+               fs_exec_cifs_files($1)
+               fs_manage_cifs_dirs($1)
+               fs_manage_cifs_files($1)
+       ')
+
+       tunable_policy(`git_system_use_nfs',`
+               fs_exec_nfs_files($1)
+               fs_manage_nfs_dirs($1)
+               fs_manage_nfs_files($1)
+       ')
+')
+
+########################################
+## <summary>
+##     Allow the specified domain to manage
+##     and execute all Git daemon system content.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`git_rwx_all_system_content',`
+       gen_require(`
+               attribute git_system_content;
+       ')
+
+       exec_files_pattern($1, git_system_content, git_system_content)
+       manage_dirs_pattern($1, git_system_content, git_system_content)
+       manage_files_pattern($1, git_system_content, git_system_content)
+       files_search_var_lib($1)
+
+       tunable_policy(`git_system_use_cifs',`
+               fs_exec_cifs_files($1)
+               fs_manage_cifs_dirs($1)
+               fs_manage_cifs_files($1)
+       ')
+
+       tunable_policy(`git_system_use_nfs',`
+               fs_exec_nfs_files($1)
+               fs_manage_nfs_dirs($1)
+               fs_manage_nfs_files($1)
+       ')
+')
+
+########################################
+## <summary>
+##     Allow the specified domain to manage
+##     and execute Git daemon generic system content.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`git_rwx_generic_system_content',`
+       gen_require(`
+               type git_system_content_t;
+       ')
+
+       exec_files_pattern($1, git_system_content_t, git_system_content_t)
+       manage_dirs_pattern($1, git_system_content_t, git_system_content_t)
+       manage_files_pattern($1, git_system_content_t, git_system_content_t)
+       files_search_var_lib($1)
+
+       tunable_policy(`git_system_use_cifs',`
+               fs_exec_cifs_files($1)
+               fs_manage_cifs_dirs($1)
+               fs_manage_cifs_files($1)
+       ')
+
+       tunable_policy(`git_system_use_nfs',`
+               fs_exec_nfs_files($1)
+               fs_manage_nfs_dirs($1)
+               fs_manage_nfs_files($1)
+       ')
+')
+
+########################################
+## <summary>
+##     Allow the specified domain to read
+##     all Git daemon content files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`git_read_all_content_files',`
+       gen_require(`
+               attribute git_content;
+       ')
+
+       list_dirs_pattern($1, git_content, git_content)
+       read_files_pattern($1, git_content, git_content)
+       userdom_search_user_home_dirs($1)
+       files_search_var_lib($1)
+
+       tunable_policy(`use_nfs_home_dirs',`
+               fs_list_nfs($1)
+               fs_read_nfs_files($1)
+       ')
+
+       tunable_policy(`use_samba_home_dirs',`
+               fs_list_cifs($1)
+               fs_read_cifs_files($1)
+       ')
+
+       tunable_policy(`git_system_use_cifs',`
+               fs_list_cifs($1)
+               fs_read_cifs_files($1)
+       ')
+
+       tunable_policy(`git_system_use_nfs',`
+               fs_list_nfs($1)
+               fs_read_nfs_files($1)
+       ')
+')
+
+########################################
+## <summary>
+##     Allow the specified domain to read
+##     Git daemon session content files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`git_read_session_content_files',`
+       gen_require(`
+               type git_session_content_t;
+       ')
+
+       list_dirs_pattern($1, git_session_content_t, git_session_content_t)
+       read_files_pattern($1, git_session_content_t, git_session_content_t)
+       userdom_search_user_home_dirs($1)
+
+       tunable_policy(`use_nfs_home_dirs',`
+               fs_list_nfs($1)
+               fs_read_nfs_files($1)
+       ')
+
+       tunable_policy(`use_samba_home_dirs',`
+               fs_list_cifs($1)
+               fs_read_cifs_files($1)
+       ')
+')
+
+########################################
+## <summary>
+##     Allow the specified domain to read
+##     all Git daemon system content files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`git_read_all_system_content_files',`
+       gen_require(`
+               attribute git_system_content;
+       ')
+
+       list_dirs_pattern($1, git_system_content, git_system_content)
+       read_files_pattern($1, git_system_content, git_system_content)
+       files_search_var_lib($1)
+
+       tunable_policy(`git_system_use_cifs',`
+               fs_list_cifs($1)
+               fs_read_cifs_files($1)
+       ')
+
+       tunable_policy(`git_system_use_nfs',`
+               fs_list_nfs($1)
+               fs_read_nfs_files($1)
+       ')
+')
+
+########################################
+## <summary>
+##     Allow the specified domain to read
+##     Git daemon generic system content files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`git_read_generic_system_content_files',`
+       gen_require(`
+               type git_system_content_t;
+       ')
+
+       list_dirs_pattern($1, git_system_content_t, git_system_content_t)
+       read_files_pattern($1, git_system_content_t, git_system_content_t)
+       files_search_var_lib($1)
+
+       tunable_policy(`git_system_use_cifs',`
+               fs_list_cifs($1)
+               fs_read_cifs_files($1)
+       ')
+
+       tunable_policy(`git_system_use_nfs',`
+               fs_list_nfs($1)
+               fs_read_nfs_files($1)
+       ')
+')
+
+########################################
+## <summary>
+##     Allow the specified domain to relabel
+##     all Git daemon content.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`git_relabel_all_content',`
+       gen_require(`
+               attribute git_content;
+       ')
+
+       relabel_dirs_pattern($1, git_content, git_content)
+       relabel_files_pattern($1, git_content, git_content)
+       userdom_search_user_home_dirs($1)
+       files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##     Allow the specified domain to relabel
+##     all Git daemon system content.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`git_relabel_all_system_content',`
+       gen_require(`
+               attribute git_system_content;
+       ')
+
+       relabel_dirs_pattern($1, git_system_content, git_system_content)
+       relabel_files_pattern($1, git_system_content, git_system_content)
+       files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##     Allow the specified domain to relabel
+##     Git daemon generic system content.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`git_relabel_generic_system_content',`
+       gen_require(`
+               type git_system_content_t;
+       ')
+
+       relabel_dirs_pattern($1, git_system_content_t, git_system_content_t)
+       relabel_files_pattern($1, git_system_content_t, git_system_content_t)
+       files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##     Allow the specified domain to relabel
+##     Git daemon session content.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`git_relabel_session_content',`
+       gen_require(`
+               type git_session_content_t;
+       ')
+
+       relabel_dirs_pattern($1, git_session_content_t, git_session_content_t)
+       relabel_files_pattern($1, git_session_content_t, git_session_content_t)
+       userdom_search_user_home_dirs($1)
+')
+
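Review bot: In `git_role_template` the call `ssh_rw_stream_sockets($1_t)` is made at top level, whereas `nscd_read_pid($1_t)` a few lines below is wrapped in `optional_policy`; if ssh is built as a loadable module rather than part of the base policy, this gives the git module a hard link-time dependency on it. I would wrap it the same way: `optional_policy(` / `ssh_rw_stream_sockets($1_t)` / `')`. Separately, the summary of `git_content_delegation` says only that the domain is allowed "access" while the body grants manage and exec on the object type; `## Allow the specified domain to manage and execute the specified Git daemon content.` states what is actually granted.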
index 7382f851bd126a3094cbe304c05050fe79091dbc..cf1708507416b3f268cf4948981d04492070caf5 100644 (file)
@@ -1,8 +1,192 @@
-policy_module(git, 1.0)
+policy_module(git, 1.0.3)
+
+## <desc>
+## <p>
+## Allow Git daemon system to search home directories.
+## </p>
+## </desc>
+gen_tunable(git_system_enable_homedirs, false)
+
+## <desc>
+## <p>
+## Allow Git daemon system to access cifs file systems.
+## </p>
+## </desc>
+gen_tunable(git_system_use_cifs, false)
+
+## <desc>
+## <p>
+## Allow Git daemon system to access nfs file systems.
+## </p>
+## </desc>
+gen_tunable(git_system_use_nfs, false)
+
+########################################
+#
+# Git daemon global private declarations.
+#
+
+attribute git_domains;
+attribute git_system_content;
+attribute git_content;
+
+type gitd_exec_t;
+
+########################################
+#
+# Git daemon system private declarations.
+#
+
+type git_system_t, git_domains;
+inetd_service_domain(git_system_t, gitd_exec_t)
+role system_r types git_system_t;
+
+type git_system_content_t, git_system_content, git_content;
+files_type(git_system_content_t)
+typealias git_system_content_t alias git_data_t;
+
+########################################
+#
+# Git daemon session private declarations.
+#
+
+## <desc>
+## <p>
+## Allow Git daemon session to bind
+## tcp sockets to all unreserved ports.
+## </p>
+## </desc>
+gen_tunable(git_session_bind_all_unreserved_ports, false)
+
+type git_session_t, git_domains;
+application_domain(git_session_t, gitd_exec_t)
+ubac_constrained(git_session_t)
+
+type git_session_content_t, git_content;
+userdom_user_home_content(git_session_content_t)
+
+########################################
+#
+# Git daemon global private policy.
+#
+
+allow git_domains self:fifo_file rw_fifo_file_perms;
+allow git_domains self:netlink_route_socket create_netlink_socket_perms;
+allow git_domains self:tcp_socket create_socket_perms;
+allow git_domains self:udp_socket create_socket_perms;
+allow git_domains self:unix_dgram_socket create_socket_perms;
+
+corenet_all_recvfrom_netlabel(git_domains)
+corenet_all_recvfrom_unlabeled(git_domains)
+corenet_tcp_bind_generic_node(git_domains)
+corenet_tcp_sendrecv_generic_if(git_domains)
+corenet_tcp_sendrecv_generic_node(git_domains)
+corenet_tcp_sendrecv_generic_port(git_domains)
+corenet_tcp_bind_git_port(git_domains)
+corenet_sendrecv_git_server_packets(git_domains)
+
+corecmd_exec_bin(git_domains)
+
+files_read_etc_files(git_domains)
+files_read_usr_files(git_domains)
+
+fs_search_auto_mountpoints(git_domains)
+
+kernel_read_system_state(git_domains)
+
+auth_use_nsswitch(git_domains)
+
+logging_send_syslog_msg(git_domains)
+
+miscfiles_read_localization(git_domains)
+
+sysnet_read_config(git_domains)
+
+optional_policy(`
+       automount_dontaudit_getattr_tmp_dirs(git_domains)
+')
+
+optional_policy(`
+       nis_use_ypbind(git_domains)
+')
+
+########################################
+#
+# Git daemon system repository private policy.
+#
+
+list_dirs_pattern(git_system_t, git_content, git_content)
+read_files_pattern(git_system_t, git_content, git_content)
+files_search_var_lib(git_system_t)
+
+tunable_policy(`git_system_enable_homedirs', `
+       userdom_search_user_home_dirs(git_system_t)
+')
+
+tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', `
+       fs_list_nfs(git_system_t)
+       fs_read_nfs_files(git_system_t)
+')
+
+tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', `
+       fs_list_cifs(git_system_t)
+       fs_read_cifs_files(git_system_t)
+')
+
+tunable_policy(`git_system_use_cifs', `
+       fs_list_cifs(git_system_t)
+       fs_read_cifs_files(git_system_t)
+')
+
+tunable_policy(`git_system_use_nfs', `
+       fs_list_nfs(git_system_t)
+       fs_read_nfs_files(git_system_t)
+')
 
 ########################################
 #
-# Declarations
+# Git daemon session repository private policy.
 #
 
-apache_content_template(git)
+allow git_session_t self:tcp_socket { accept listen };
+
+list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t)
+read_files_pattern(git_session_t, git_session_content_t, git_session_content_t)
+userdom_search_user_home_dirs(git_session_t)
+
+userdom_use_user_terminals(git_session_t)
+
+tunable_policy(`git_session_bind_all_unreserved_ports', `
+       corenet_tcp_bind_all_unreserved_ports(git_session_t)
+       corenet_sendrecv_generic_server_packets(git_session_t)
+')
+
+tunable_policy(`use_nfs_home_dirs', `
+       fs_list_nfs(git_session_t)
+       fs_read_nfs_files(git_session_t)
+')
+
+tunable_policy(`use_samba_home_dirs', `
+       fs_list_cifs(git_session_t)
+       fs_read_cifs_files(git_session_t)
+')
+
+########################################
+#
+# cgi git Declarations
+#
+
+optional_policy(`
+       apache_content_template(git)
+       git_read_all_content_files(httpd_git_script_t)
+       files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
+')
+
+########################################
+#
+# Git-shell private policy.
+#
+
+git_role_template(git_shell)
+gen_user(git_shell_u, user, git_shell_r, s0, s0)
+
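Review bot: `git_read_all_content_files(httpd_git_script_t)` in the cgi block gives the gitweb CGI domain read access to session repositories under user home directories (the interface includes `userdom_search_user_home_dirs` and the NFS/CIFS home tunables) with no tunable of its own, while the daemon's home-directory access in the same file is gated behind `git_system_enable_homedirs`. Unless gitweb is meant to expose `HOME_DIR/public_git` by default, `git_read_all_system_content_files(httpd_git_script_t)` is the safer default, with session content granted under a tunable; since `git_read_session_content_files` itself contains `tunable_policy` blocks, the gated part would need to be written directly with `list_dirs_pattern`/`read_files_pattern` on `git_session_content_t` rather than by nesting that interface. Also, `inetd_service_domain(git_system_t, gitd_exec_t)` is called outside `optional_policy`, creating a hard dependency on the inetd module.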
index 462de63b42f0e6d82b1b1989f8e5d548fa186a29..a8ce02e168e51a98835ac909264812f1e65380e6 100644 (file)
@@ -1,2 +1,4 @@
 /usr/libexec/gnome-clock-applet-mechanism      --      gen_context(system_u:object_r:gnomeclock_exec_t,s0)
 
+/usr/libexec/gsd-datetime-mechanism            --      gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+
index 671d8fd25213ff2781c75810924fce2613936be6..da0e84468971852be2d361041298d7b1c53f3a9f 100644 (file)
@@ -63,3 +63,24 @@ interface(`gnomeclock_dbus_chat',`
        allow $1 gnomeclock_t:dbus send_msg;
        allow gnomeclock_t $1:dbus send_msg;
 ')
+
+########################################
+## <summary>
+##     Do not audit send and receive messages from
+##     gnomeclock over dbus.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`gnomeclock_dontaudit_dbus_chat',`
+       gen_require(`
+               type gnomeclock_t;
+               class dbus send_msg;
+       ')
+
+       dontaudit $1 gnomeclock_t:dbus send_msg;
+       dontaudit gnomeclock_t $1:dbus send_msg;
+')
index 03742d88537cb80c9771d4b0c5dc25ee68e4ec15..7b9c5433171819a88c92866d3e39aee5d18b5af9 100644 (file)
@@ -55,6 +55,10 @@ logging_send_syslog_msg(gpsd_t)
 
 miscfiles_read_localization(gpsd_t)
 
+optional_policy(`
+       chronyd_rw_shm(gpsd_t)
+')
+
 optional_policy(`
        dbus_system_bus_client(gpsd_t)
 ')
index 7cf6763980d178e0def7b9bea07877375683cfb2..0d50d0d56d1c1f8e72470358f5fcb19c8c24ac52 100644 (file)
@@ -51,6 +51,7 @@ interface(`hal_read_state',`
                type hald_t;
        ')
 
+       kernel_search_proc($1)
        ps_process_pattern($1, hald_t)
 ')
 
@@ -375,6 +376,25 @@ interface(`hal_read_pid_files',`
        allow $1 hald_var_run_t:file read_file_perms;
 ')
 
+########################################
+## <summary>
+##     Do not audit attempts to read 
+##     hald PID files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`hal_dontaudit_read_pid_files',`
+       gen_require(` 
+               type hald_var_run_t;
+       ')
+
+       dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
+')
+
 ########################################
 ## <summary>
 ##     Read/Write hald PID files.
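Review bot: The summary of `hal_dontaudit_read_pid_files` promises not to audit "attempts to read hald PID files", but the rule uses `read_inherited_file_perms`, which does not include `open`, so only reads on inherited descriptors are silenced while direct opens are still audited. Either the summary should say `## Do not audit attempts to read inherited hald PID files.` or, if the intent is really to cover opens, the rule should be `dontaudit $1 hald_var_run_t:file read_file_perms;`. The summary line and the `gen_require(\`` line also carry trailing whitespace.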
@@ -431,3 +451,27 @@ interface(`hal_manage_pid_files',`
        files_search_pids($1)
        manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
 ')
+
+########################################
+## <summary>
+##     dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`hal_dontaudit_leaks',`
+       gen_require(`
+               type hald_log_t;
+               type hald_t;
+               type hald_var_run_t;
+       ')
+
+       dontaudit $1 hald_t:fd use; 
+       dontaudit $1 hald_log_t:file rw_inherited_file_perms;
+       dontaudit $1 hald_t:fifo_file rw_inherited_fifo_file_perms; 
+       dontaudit hald_t $1:socket_class_set { read write };
+       dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
+')
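Review bot: The last rule of `hal_dontaudit_leaks`, `dontaudit $1 hald_var_run_t:file read_inherited_file_perms;`, duplicates the `hal_dontaudit_read_pid_files` interface added earlier in this file; calling `hal_dontaudit_read_pid_files($1)` instead keeps a single definition of that rule. The summary reads "dontaudit read and write an leaked file descriptors"; `## Do not audit read and write on leaked hald file descriptors.` is clearer. Two of the dontaudit lines also end in trailing whitespace.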
index 24c6253977735060bd3d519907d924a0eefb02fe..e72b0633ee61b23088e6fe617d4b94890e5691d1 100644 (file)
@@ -54,6 +54,9 @@ files_pid_file(hald_var_run_t)
 type hald_var_lib_t;
 files_type(hald_var_lib_t)
 
+typealias hald_log_t alias pmtools_log_t;
+typealias hald_var_run_t alias pmtools_var_run_t;
+
 ########################################
 #
 # Local policy
@@ -99,7 +102,7 @@ kernel_read_fs_sysctls(hald_t)
 kernel_rw_irq_sysctls(hald_t)
 kernel_rw_vm_sysctls(hald_t)
 kernel_write_proc_files(hald_t)
-kernel_search_network_sysctl(hald_t)
+kernel_rw_net_sysctls(hald_t)
 kernel_setsched(hald_t)
 kernel_request_load_module(hald_t)
 
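Review bot: Replacing `kernel_search_network_sysctl(hald_t)` with `kernel_rw_net_sysctls(hald_t)` moves hald from directory search to read and write on every net sysctl, a large privilege step that the hunk does not explain. If hald only needs to read them, `kernel_read_net_sysctls(hald_t)` is the narrower choice; if it genuinely writes, a one-line comment above the rule naming which sysctl it changes and why would let the next reviewer verify the need.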
@@ -125,6 +128,7 @@ dev_rw_printer(hald_t)
 dev_read_lvm_control(hald_t)
 dev_getattr_all_chr_files(hald_t)
 dev_manage_generic_chr_files(hald_t)
+dev_manage_generic_blk_files(hald_t)
 dev_rw_generic_usb_dev(hald_t)
 dev_setattr_generic_usb_dev(hald_t)
 dev_setattr_usbfs_files(hald_t)
@@ -211,13 +215,19 @@ seutil_read_config(hald_t)
 seutil_read_default_contexts(hald_t)
 seutil_read_file_contexts(hald_t)
 
-sysnet_read_config(hald_t)
+sysnet_delete_dhcpc_pid(hald_t)
 sysnet_domtrans_dhcpc(hald_t)
 sysnet_domtrans_ifconfig(hald_t)
+sysnet_read_config(hald_t)
 sysnet_read_dhcp_config(hald_t)
+sysnet_read_dhcpc_pid(hald_t)
+sysnet_signal_dhcpc(hald_t)
 
 userdom_dontaudit_use_unpriv_user_fds(hald_t)
 userdom_dontaudit_search_user_home_dirs(hald_t)
+userdom_stream_connect(hald_t)
+
+netutils_domtrans(hald_t)
 
 optional_policy(`
        alsa_domtrans(hald_t)
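Review bot: `netutils_domtrans(hald_t)` is called at top level while the cross-module call right below it, `alsa_domtrans(hald_t)`, is wrapped in `optional_policy`; netutils is a separate module, so this makes hal fail to link when netutils is not built. Wrap it the same way: `optional_policy(` / `netutils_domtrans(hald_t)` / `')`. The same applies to `cron_read_system_job_lib_files(hald_t)` in the last hunk of this file, which is additionally placed in the hald_keymap section although its subject is `hald_t`.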
@@ -267,6 +277,10 @@ optional_policy(`
        dmidecode_domtrans(hald_t)
 ')
 
+optional_policy(`
+       gnome_read_config(hald_t)
+')
+
 optional_policy(`
        gpm_dontaudit_getattr_gpmctl(hald_t)
 ')
@@ -317,6 +331,10 @@ optional_policy(`
        seutil_sigchld_newrole(hald_t)
 ')
 
+optional_policy(`
+       shutdown_domtrans(hald_t)
+')    
+
 optional_policy(`
        udev_domtrans(hald_t)
        udev_read_db(hald_t)
@@ -338,6 +356,10 @@ optional_policy(`
        virt_manage_images(hald_t)
 ')
 
+optional_policy(`
+       xserver_read_pid(hald_t)
+')
+
 ########################################
 #
 # Hal acl local policy
@@ -358,6 +380,7 @@ files_search_var_lib(hald_acl_t)
 manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
 manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
 files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
+allow hald_t hald_var_run_t:dir mounton;
 
 corecmd_exec_bin(hald_acl_t)
 
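Review bot: `allow hald_t hald_var_run_t:dir mounton;` is added inside the "Hal acl local policy" section among `hald_acl_t` rules, although the subject is `hald_t`; either it belongs with the other hald_t PID-file rules in the main local policy section, or the subject was meant to be `hald_acl_t`. Permission to mount over the PID directory is unusual for a daemon, so a one-line comment stating what is mounted there would help whoever audits this later.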
@@ -470,6 +493,10 @@ files_read_usr_files(hald_keymap_t)
 
 miscfiles_read_localization(hald_keymap_t)
 
+# This is caused by a bug in hald and PolicyKit.  
+# Should be removed when this is fixed
+cron_read_system_job_lib_files(hald_t)
+
 ########################################
 #
 # Local hald dccm policy
index 87b453121f1d3cd4a79f95f88670bda1a1023e7f..777b0362bb5d341cbf9317c791d6dc07026f932f 100644 (file)
@@ -70,8 +70,4 @@ interface(`hddtemp_admin',`
 
        admin_pattern($1, hddtemp_etc_t)
        files_search_etc($1)
-
-       allow $1 hddtemp_t:dir list_dir_perms;
-       read_lnk_files_pattern($1, hddtemp_t, hddtemp_t)
-       kernel_search_proc($1)
 ')
index ecab47ab7c12ee71953c02da4dbb0f4fae225ccf..3aa86f307cb4dd6b36bf7e0238336bf8e0b72f0c 100644 (file)
@@ -173,6 +173,7 @@ interface(`icecast_admin',`
                type icecast_t, icecast_initrc_exec_t;
        ')
 
+       allow $1 icecast_t:process { ptrace signal_perms };
        ps_process_pattern($1, icecast_t)
 
        # Allow icecast_t to restart the apache service
index f368bf3975d320360a90afbd0dbc626564cad09f..80befb0fc7a7a9eee95f753663235bdc1d4b3019 100644 (file)
@@ -5,6 +5,14 @@ policy_module(icecast, 1.0.1)
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow icecast to connect to all ports, not just
+## sound ports.
+## </p>
+## </desc>
+gen_tunable(icecast_connect_any, false)
+
 type icecast_t;
 type icecast_exec_t;
 init_daemon_domain(icecast_t, icecast_exec_t)
@@ -40,6 +48,13 @@ files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
 kernel_read_system_state(icecast_t)
 
 corenet_tcp_bind_soundd_port(icecast_t)
+corenet_tcp_connect_soundd_port(icecast_t)
+
+tunable_policy(`icecast_connect_any',`
+       corenet_tcp_connect_all_ports(icecast_t)
+       corenet_tcp_bind_all_ports(icecast_t)
+       corenet_sendrecv_all_packets(icecast_t)
+')
 
 # Init script handling
 domain_use_interactive_fds(icecast_t)
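Review bot: The `icecast_connect_any` block grants more than its tunable description states: besides `corenet_tcp_connect_all_ports(icecast_t)` it also adds `corenet_tcp_bind_all_ports(icecast_t)` and `corenet_sendrecv_all_packets(icecast_t)`, so an administrator enabling "connect to all ports" also lets icecast listen on any port. Either drop the bind line, or update the description in the first hunk to `## Allow icecast to connect to and bind all ports, not just sound ports.` so the boolean's effect is visible where it is documented.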
index 9fab1dc8678a200094987c8ce9f309abdc82562b..05119f72ed1cf21fa96632194085c671c864955a 100644 (file)
@@ -56,7 +56,7 @@ files_var_lib_filetrans(innd_t, innd_var_lib_t, file)
 manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t)
 manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
 manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
-files_pid_filetrans(innd_t, innd_var_run_t, file)
+files_pid_filetrans(innd_t, innd_var_run_t, { dir file })
 
 manage_dirs_pattern(innd_t, news_spool_t, news_spool_t)
 manage_files_pattern(innd_t, news_spool_t, news_spool_t)
@@ -105,6 +105,7 @@ sysnet_read_config(innd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(innd_t)
 userdom_dontaudit_search_user_home_dirs(innd_t)
+userdom_dgram_send(innd_t)
 
 mta_send_mail(innd_t)
 
index 4c9acec1125ccb8f619909b5cf9c75492f32a6e2..908eb91c709e8437ebf1d6fb4ab7165fe9ceb911 100644 (file)
@@ -2,5 +2,14 @@
 
 /usr/sbin/jabberd      --      gen_context(system_u:object_r:jabberd_exec_t,s0)
 
+# for new version of jabberd
+/usr/bin/router         --      gen_context(system_u:object_r:jabberd_router_exec_t,s0)
+/usr/bin/sm             --      gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/c2s            --      gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/bin/s2s            --      gen_context(system_u:object_r:jabberd_exec_t,s0)
+
+/var/lib/jabberd(/.*)?           gen_context(system_u:object_r:jabberd_var_lib_t,s0)
+
+
 /var/lib/jabber(/.*)?          gen_context(system_u:object_r:jabberd_var_lib_t,s0)
 /var/log/jabber(/.*)?          gen_context(system_u:object_r:jabberd_log_t,s0)
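Review bot: The new entries label `/usr/bin/router`, `/usr/bin/sm`, `/usr/bin/c2s` and `/usr/bin/s2s` — very generic names in a shared directory — as `jabberd_exec_t`/`jabberd_router_exec_t`; if another package installs a binary under one of these names it will be mislabeled as a jabberd executable. A comment naming the jabberd version and package that ships these paths (`# jabberd <version placeholder> installs router, sm, c2s and s2s in /usr/bin`) would document the assumption, and narrowing the match is worth considering if those binaries can live under a package-specific directory. The hunk also leaves a double blank line before the `/var/lib/jabber` entry.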
index 98784995fd2a52fc897f74f4896412ff0c825ccc..f17e6297fe108e9fc4f10402d763d2dea2be80e6 100644 (file)
@@ -1,17 +1,96 @@
 ## <summary>Jabber instant messaging server</summary>
 
-########################################
+#######################################
 ## <summary>
-##     Connect to jabber over a TCP socket  (Deprecated)
+##      Execute a domain transition to run jabberd services
 ## </summary>
 ## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
+## <summary>
+##      Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`jabber_domtrans_jabberd',`
+        gen_require(`
+                type jabberd_t, jabberd_exec_t;
+        ')
+
+        domtrans_pattern($1, jabberd_exec_t, jabberd_t)
+')
+
+######################################
+## <summary>
+##      Execute a domain transition to run jabberd router service
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`jabber_domtrans_jabberd_router',`
+        gen_require(`
+                type jabberd_router_t, jabberd_router_exec_t;
+        ')
+
+        domtrans_pattern($1, jabberd_router_exec_t, jabberd_router_t)
+')
+
+#######################################
+## <summary>
+##      Read jabberd lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
 ## </param>
 #
-interface(`jabber_tcp_connect',`
-       refpolicywarn(`$0($*) has been deprecated.')
+interface(`jabberd_read_lib_files',`
+        gen_require(`
+                type jabberd_var_lib_t;
+        ')
+
+        files_search_var_lib($1)
+        read_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
+')
+
+#######################################
+## <summary>
+##      Dontaudit inherited read jabberd lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+#
+interface(`jabberd_dontaudit_read_lib_files',`
+        gen_require(`
+                type jabberd_var_lib_t;
+        ')
+
+        dontaudit $1 jabberd_var_lib_t:file read_inherited_file_perms;
+')
+
+#######################################
+## <summary>
+##      Create, read, write, and delete
+##      jabberd lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`jabberd_manage_lib_files',`
+        gen_require(`
+                type jabberd_var_lib_t;
+        ')
+
+        files_search_var_lib($1)
+        manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
 ')
 
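Review bot: The new interfaces `jabberd_read_lib_files`, `jabberd_dontaudit_read_lib_files` and `jabberd_manage_lib_files` use the prefix `jabberd_`, while the module's existing and new interfaces (`jabber_admin`, `jabber_domtrans_jabberd`) use `jabber_`; the module-name prefix convention suggests `jabber_read_lib_files`, `jabber_dontaudit_read_lib_files` and `jabber_manage_lib_files`. The hunk also removes the deprecated `jabber_tcp_connect` outright instead of keeping its `refpolicywarn` stub, which breaks any policy still calling it. The new interface bodies are indented with spaces while the rest of the file uses tabs, and the same mixed indentation appears on `ps_process_pattern($1, jabberd_router_t)` in the `jabber_admin` hunk below.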
 ########################################
@@ -35,11 +114,15 @@ interface(`jabber_admin',`
        gen_require(`
                type jabberd_t, jabberd_log_t, jabberd_var_lib_t;
                type jabberd_var_run_t, jabberd_initrc_exec_t;
+               type jabberd_router_t;
        ')
 
        allow $1 jabberd_t:process { ptrace signal_perms };
        ps_process_pattern($1, jabberd_t)
 
+       allow $1 jabberd_router_t:process { ptrace signal_perms };
+        ps_process_pattern($1, jabberd_router_t)
+
        init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
        domain_system_change_exemption($1)
        role_transition $2 jabberd_initrc_exec_t system_r;
index da2127e5853588e697718fbc61f0310116600a1b..975bbcde9597e8c3794d02b72a7dc32cfe6c7e60 100644 (file)
@@ -1,3 +1,4 @@
+
 policy_module(jabber, 1.8.0)
 
 ########################################
@@ -5,13 +6,19 @@ policy_module(jabber, 1.8.0)
 # Declarations
 #
 
-type jabberd_t;
+attribute jabberd_domain;
+
+type jabberd_t, jabberd_domain;
 type jabberd_exec_t;
 init_daemon_domain(jabberd_t, jabberd_exec_t)
 
 type jabberd_initrc_exec_t;
 init_script_file(jabberd_initrc_exec_t)
 
+type jabberd_router_t, jabberd_domain;
+type jabberd_router_exec_t;
+init_daemon_domain(jabberd_router_t, jabberd_router_exec_t)
+
 type jabberd_log_t;
 logging_log_file(jabberd_log_t)
 
@@ -21,40 +28,78 @@ files_type(jabberd_var_lib_t)
 type jabberd_var_run_t;
 files_pid_file(jabberd_var_run_t)
 
-########################################
+permissive jabberd_router_t;
+permissive jabberd_t;
+
+#######################################
 #
-# Local policy
+# Local policy for jabberd domains
 #
 
-allow jabberd_t self:capability dac_override;
-dontaudit jabberd_t self:capability sys_tty_config;
-allow jabberd_t self:process signal_perms;
-allow jabberd_t self:fifo_file read_fifo_file_perms;
-allow jabberd_t self:tcp_socket create_stream_socket_perms;
-allow jabberd_t self:udp_socket create_socket_perms;
+allow jabberd_domain self:process signal_perms;
+allow jabberd_domain self:fifo_file read_fifo_file_perms;
+allow jabberd_domain self:tcp_socket create_stream_socket_perms;
+allow jabberd_domain self:udp_socket create_socket_perms;
+
+manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
+manage_dirs_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
+
+# log and pid files are moved into /var/lib/jabberd in the newer version of jabberd
+manage_files_pattern(jabberd_domain, jabberd_log_t, jabberd_log_t)
+logging_log_filetrans(jabberd_domain, jabberd_log_t, { file dir })
+
+manage_files_pattern(jabberd_domain, jabberd_var_run_t, jabberd_var_run_t)
+files_pid_filetrans(jabberd_domain, jabberd_var_run_t, file)
+
+corenet_all_recvfrom_unlabeled(jabberd_domain)
+corenet_all_recvfrom_netlabel(jabberd_domain)
+corenet_tcp_sendrecv_generic_if(jabberd_domain)
+corenet_udp_sendrecv_generic_if(jabberd_domain)
+corenet_tcp_sendrecv_generic_node(jabberd_domain)
+corenet_udp_sendrecv_generic_node(jabberd_domain)
+corenet_tcp_sendrecv_all_ports(jabberd_domain)
+corenet_udp_sendrecv_all_ports(jabberd_domain)
+corenet_tcp_bind_generic_node(jabberd_domain)
+
+dev_read_urand(jabberd_domain)
+dev_read_urand(jabberd_domain)
+
+files_read_etc_files(jabberd_domain)
+files_read_etc_runtime_files(jabberd_domain)
+
+logging_send_syslog_msg(jabberd_domain)
+
+miscfiles_read_localization(jabberd_domain)
+
+sysnet_read_config(jabberd_domain)
 
-manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
-files_var_lib_filetrans(jabberd_t, jabberd_var_lib_t, file)
+######################################
+#
+# Local policy for jabberd-router
+#
+
+allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms;
+
+corenet_tcp_bind_jabber_router_port(jabberd_router_t)
+corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
 
-manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
-logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })
+optional_policy(`
+        kerberos_use(jabberd_router_t)
+')
+
+########################################
+#
+# Local policy for jabberd
+#
 
-manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
-files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
+allow jabberd_t self:capability dac_override;
+dontaudit jabberd_t self:capability sys_tty_config;
 
 kernel_read_kernel_sysctls(jabberd_t)
-kernel_list_proc(jabberd_t)
 kernel_read_proc_symlinks(jabberd_t)
+kernel_read_system_state(jabberd_t)
 
-corenet_all_recvfrom_unlabeled(jabberd_t)
-corenet_all_recvfrom_netlabel(jabberd_t)
-corenet_tcp_sendrecv_generic_if(jabberd_t)
-corenet_udp_sendrecv_generic_if(jabberd_t)
-corenet_tcp_sendrecv_generic_node(jabberd_t)
-corenet_udp_sendrecv_generic_node(jabberd_t)
-corenet_tcp_sendrecv_all_ports(jabberd_t)
-corenet_udp_sendrecv_all_ports(jabberd_t)
-corenet_tcp_bind_generic_node(jabberd_t)
+corenet_tcp_connect_jabber_router_port(jabberd_t)
 corenet_tcp_bind_jabber_client_port(jabberd_t)
 corenet_tcp_bind_jabber_interserver_port(jabberd_t)
 corenet_sendrecv_jabber_client_server_packets(jabberd_t)
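Review bot: `permissive jabberd_router_t;` and `permissive jabberd_t;` near the top of this hunk put both domains in permissive mode, so every rule that follows is only logged, never enforced; if that is a bring-up aid, a comment such as `# TODO: remove permissive once jabberd_t/jabberd_router_t have been validated in enforcing mode` keeps it from shipping silently. `dev_read_urand(jabberd_domain)` appears twice in a row and one copy can go. The old `files_var_lib_filetrans(jabberd_t, jabberd_var_lib_t, file)` is removed without a replacement on `jabberd_domain`, so files jabberd creates directly under /var/lib would presumably no longer pick up `jabberd_var_lib_t` — worth confirming that is intended, given the comment about log and pid files moving into /var/lib/jabberd.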
@@ -66,18 +111,9 @@ dev_read_rand(jabberd_t)
 
 domain_use_interactive_fds(jabberd_t)
 
-files_read_etc_files(jabberd_t)
-files_read_etc_runtime_files(jabberd_t)
-
 fs_getattr_all_fs(jabberd_t)
 fs_search_auto_mountpoints(jabberd_t)
 
-logging_send_syslog_msg(jabberd_t)
-
-miscfiles_read_localization(jabberd_t)
-
-sysnet_read_config(jabberd_t)
-
 userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
 userdom_dontaudit_search_user_home_dirs(jabberd_t)
 
index 3525d248a9ef24cb8c8ae3af28cf27e847bc4277..e5db5391f4068725af8a7748b6066c24a77b3fe8 100644 (file)
@@ -8,7 +8,7 @@ HOME_DIR/\.k5login              --      gen_context(system_u:object_r:krb5_home_t,s0)
 /etc/krb5kdc/kadm5\.keytab     --      gen_context(system_u:object_r:krb5_keytab_t,s0)
 /etc/krb5kdc/principal.*               gen_context(system_u:object_r:krb5kdc_principal_t,s0)
 
-/etc/rc\.d/init\.d/kadmind     --      gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/kadmin      --      gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/kprop       --      gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/krb524d     --      gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/krb5kdc     --      gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
index 8edc29b6fad7ec2b8184a16244da2460ec5c2edd..225e33fbaa6ce89ed1c68c43d17c1ade4e3b0dd5 100644 (file)
@@ -126,10 +126,13 @@ corenet_udp_sendrecv_all_ports(kadmind_t)
 corenet_tcp_bind_generic_node(kadmind_t)
 corenet_udp_bind_generic_node(kadmind_t)
 corenet_tcp_bind_kerberos_admin_port(kadmind_t)
+corenet_tcp_bind_kerberos_password_port(kadmind_t)
 corenet_udp_bind_kerberos_admin_port(kadmind_t)
+corenet_udp_bind_kerberos_password_port(kadmind_t)
 corenet_tcp_bind_reserved_port(kadmind_t)
 corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t)
 corenet_sendrecv_kerberos_admin_server_packets(kadmind_t)
+corenet_sendrecv_kerberos_password_server_packets(kadmind_t)
 
 dev_read_sysfs(kadmind_t)
 dev_read_rand(kadmind_t)
@@ -149,6 +152,7 @@ selinux_validate_context(kadmind_t)
 
 logging_send_syslog_msg(kadmind_t)
 
+miscfiles_read_generic_certs(kadmind_t)
 miscfiles_read_localization(kadmind_t)
 
 seutil_read_file_contexts(kadmind_t)
@@ -198,8 +202,7 @@ allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr };
 allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;
 logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
 
-allow krb5kdc_t krb5kdc_principal_t:file read_file_perms;
-dontaudit krb5kdc_t krb5kdc_principal_t:file write;
+allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
 
 manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
 manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
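Review bot: `allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;` widens the KDC's access to its principal database from read-only to read/write, where the removed pair allowed read and deliberately dontaudited write — the previous author treated the write attempt as noise to suppress rather than a need. If the KDC really does update the database in normal operation, a one-line comment stating that would record the decision, e.g. `# krb5kdc updates the principal database in normal operation`; otherwise the old `dontaudit ... write` was the safer shape.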
@@ -249,6 +252,7 @@ selinux_validate_context(krb5kdc_t)
 
 logging_send_syslog_msg(krb5kdc_t)
 
+miscfiles_read_generic_certs(krb5kdc_t)
 miscfiles_read_localization(krb5kdc_t)
 
 seutil_read_file_contexts(krb5kdc_t)
index 9c0c835414f94dcebae0cfcae7a8de42e272915f..83601662f985bdc49234a3c6553af52fabc6cd11 100644 (file)
@@ -3,3 +3,5 @@
 /usr/sbin/ksmtuned             --      gen_context(system_u:object_r:ksmtuned_exec_t,s0)
 
 /var/run/ksmtune\.pid          --      gen_context(system_u:object_r:ksmtuned_var_run_t,s0)
+
+/var/log/ksmtuned.*                    gen_context(system_u:object_r:ksmtuned_log_t,s0)
index 6fd0b4c0919ed1dc2ce494f7bab3b8044adf119a..d17f349bc822805f8586fe63a19ab20d7c71399c 100644 (file)
@@ -60,7 +60,7 @@ interface(`ksmtuned_admin',`
        ')
 
        allow $1 ksmtuned_t:process { ptrace signal_perms };
-       ps_process_pattern(ksmtumed_t)
+       ps_process_pattern($1, ksmtuned_t)
 
        files_list_pids($1)
        admin_pattern($1, ksmtuned_var_run_t)
index a73b7a12f804f9e1047667b6f9113abda75f62df..ffe035c14da2e2abe96295078268da9e20fa32f9 100644 (file)
@@ -9,6 +9,9 @@ type ksmtuned_t;
 type ksmtuned_exec_t;
 init_daemon_domain(ksmtuned_t, ksmtuned_exec_t)
 
+type ksmtuned_log_t;
+logging_log_file(ksmtuned_log_t)
+
 type ksmtuned_initrc_exec_t;
 init_script_file(ksmtuned_initrc_exec_t)
 
@@ -23,6 +26,10 @@ files_pid_file(ksmtuned_var_run_t)
 allow ksmtuned_t self:capability { sys_ptrace sys_tty_config };
 allow ksmtuned_t self:fifo_file rw_file_perms;
 
+manage_dirs_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
+manage_files_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
+logging_log_filetrans(ksmtuned_t, ksmtuned_log_t, { file dir })
+
 manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t)
 files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file)
 
@@ -31,9 +38,15 @@ kernel_read_system_state(ksmtuned_t)
 dev_rw_sysfs(ksmtuned_t)
 
 domain_read_all_domains_state(ksmtuned_t)
+domain_dontaudit_read_all_domains_state(ksmtuned_t)
 
 corecmd_exec_bin(ksmtuned_t)
 
 files_read_etc_files(ksmtuned_t)
 
+mls_file_read_to_clearance(ksmtuned_t)
+
+term_use_all_terms(ksmtuned_t)
+
 miscfiles_read_localization(ksmtuned_t)
+
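Review bot: `domain_dontaudit_read_all_domains_state(ksmtuned_t)` is added directly below `domain_read_all_domains_state(ksmtuned_t)`; a dontaudit only suppresses denials, so unless it covers permissions the allow does not, it is a no-op here and one of the two lines should go. `term_use_all_terms(ksmtuned_t)` is a broad grant for a tuning daemon — if it was added to quiet a specific denial, a comment naming the terminal involved would let a later reviewer narrow it. The hunk also adds a trailing blank line at end of file.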
index c62f23e3d0b2806beebce7c44354ed725ad56bcc..335fda1063b28b6f4f56bcd35358d635f3723aec 100644 (file)
@@ -1,6 +1,8 @@
 
 /etc/ldap/slapd\.conf  --      gen_context(system_u:object_r:slapd_etc_t,s0)
-/etc/rc\.d/init\.d/ldap        --      gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+/etc/openldap/slapd\.d(/.*)?   gen_context(system_u:object_r:slapd_db_t,s0)
+
+/etc/rc\.d/init\.d/sldap       --      gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
 
 /usr/sbin/slapd                --      gen_context(system_u:object_r:slapd_exec_t,s0)
 
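Review bot: `/etc/rc\.d/init\.d/sldap` looks like a transposition of `slapd`; if the init script is actually named slapd, this entry never matches and the script does not receive `slapd_initrc_exec_t`, so the new `ldap_initrc_domtrans` interface would have nothing to transition on. Please confirm the script name on the target distribution and correct the path (`/etc/rc\.d/init\.d/slapd  --  gen_context(system_u:object_r:slapd_initrc_exec_t,s0)`). The old `ldap` entry is dropped outright, so if both names are still shipped somewhere, both should be listed.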
@@ -15,3 +17,4 @@ ifdef(`distro_debian',`
 /var/run/openldap(/.*)?                gen_context(system_u:object_r:slapd_var_run_t,s0)
 /var/run/slapd\.args   --      gen_context(system_u:object_r:slapd_var_run_t,s0)
 /var/run/slapd\.pid    --      gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/slapd.*       -s      gen_context(system_u:object_r:slapd_var_run_t,s0)
index 3aa8fa778485e56f67c94525666a0928cad17de9..d15f94d81e52ae4600154cdd0ea25c9f36c31fe0 100644 (file)
@@ -1,5 +1,43 @@
 ## <summary>OpenLDAP directory server</summary>
 
+#######################################
+## <summary>
+##      Execute OpenLDAP in the ldap domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`ldap_domtrans',`
+        gen_require(`
+                type slapd_t, slapd_exec_t;
+        ')
+
+        domtrans_pattern($1, slapd_exec_t, slapd_t)
+
+')
+
+#######################################
+## <summary>
+##      Execute OpenLDAP server in the ldap domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`ldap_initrc_domtrans',`
+        gen_require(`
+                type slapd_initrc_exec_t;
+        ')
+
+        init_labeled_script_domtrans($1, slapd_initrc_exec_t)
+')
+
+
 ########################################
 ## <summary>
 ##     Read the contents of the OpenLDAP
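Review bot: The summary of `ldap_initrc_domtrans` ("Execute OpenLDAP server in the ldap domain.") is a copy of the one on `ldap_domtrans` and misdescribes what the interface does, which is `init_labeled_script_domtrans` on the init script; suggest `##      Execute the OpenLDAP server init script with an automatic domain transition.`. Style: `ldap_domtrans` has a stray blank line before its closing `')`, there are two blank lines after `ldap_initrc_domtrans`, and both new interfaces are indented with spaces while the rest of ldap.if uses tabs.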
@@ -19,6 +57,25 @@ interface(`ldap_list_db',`
        allow $1 slapd_db_t:dir list_dir_perms;
 ')
 
+########################################
+## <summary>
+##     Read the contents of the OpenLDAP
+##     database files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`ldap_read_db_files',`
+       gen_require(`
+               type slapd_db_t;
+       ')
+
+       read_files_pattern($1, slapd_db_t, slapd_db_t)
+')
+
 ########################################
 ## <summary>
 ##     Read the OpenLDAP configuration files.
@@ -69,8 +126,30 @@ interface(`ldap_stream_connect',`
        ')
 
        files_search_pids($1)
-       allow $1 slapd_var_run_t:sock_file write;
-       allow $1 slapd_t:unix_stream_socket connectto;
+       stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)
+
+       optional_policy(`
+               ldap_stream_connect_dirsrv($1)
+       ')
+')
+
+########################################
+## <summary>
+##     Connect to dirsrv over an unix stream socket.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`ldap_stream_connect_dirsrv',`
+       gen_require(`
+               type dirsrv_t, dirsrv_var_run_t;
+       ')
+
+       files_search_pids($1)
+       stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t)
 ')
 
 ########################################
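Review bot: The `optional_policy` block added inside `ldap_stream_connect` means every existing caller now also gets a stream connect to `dirsrv_t` whenever the dirsrv module is loaded, a widening the interface's summary does not mention; at minimum the summary should say it also connects to dirsrv when that module is present. Structurally, `ldap_stream_connect_dirsrv` requires `dirsrv_t` and `dirsrv_var_run_t`, which are owned by the dirsrv module; the usual layout is for that interface to live in dirsrv.if (e.g. as `dirsrv_stream_connect`) and for ldap.if to call it inside `optional_policy`, so type ownership stays explicit and the require does not break if dirsrv's types are renamed.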
index 64fd1ff503e52c1c4ed92888b295bc8963b2f4c5..ee5e34570a85894e8306c8e85c33b21cdd2dde8d 100644 (file)
@@ -10,7 +10,7 @@ type slapd_exec_t;
 init_daemon_domain(slapd_t, slapd_exec_t)
 
 type slapd_cert_t;
-files_type(slapd_cert_t)
+miscfiles_cert_type(slapd_cert_t)
 
 type slapd_db_t;
 files_type(slapd_db_t)
@@ -27,9 +27,15 @@ files_lock_file(slapd_lock_t)
 type slapd_replog_t;
 files_type(slapd_replog_t)
 
+type slapd_log_t;
+logging_log_file(slapd_log_t)
+
 type slapd_tmp_t;
 files_tmp_file(slapd_tmp_t)
 
+type slapd_tmpfs_t;
+files_tmpfs_file(slapd_tmpfs_t)
+
 type slapd_var_run_t;
 files_pid_file(slapd_var_run_t)
 
@@ -67,13 +73,21 @@ manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
 manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
 manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
 
+manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t)
+manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
+logging_log_filetrans(slapd_t, slapd_log_t, { file dir })
+
 manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
 manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
 files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
 
+manage_files_pattern(slapd_t, slapd_tmpfs_t, slapd_tmpfs_t)
+fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t,file)
+
+manage_dirs_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
 manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
 manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
-files_pid_filetrans(slapd_t, slapd_var_run_t, { file sock_file })
+files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
 
 kernel_read_system_state(slapd_t)
 kernel_read_kernel_sysctls(slapd_t)
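Review bot: Style: `fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t,file)` is missing the space after the second comma that every other call in this file uses; make it `fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t, file)`.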
index 6a78de1e7bfe47ef20b6cea836cdb1dc73c2844f..02f6985a1040a008dc49276bd2323cbe6e29bdc7 100644 (file)
@@ -24,6 +24,7 @@ files_pid_file(lircd_var_run_t)
 #
 
 allow lircd_t self:capability { chown kill sys_admin };
+allow lircd_t self:process { fork signal };
 allow lircd_t self:fifo_file rw_fifo_file_perms;
 allow lircd_t self:unix_dgram_socket create_socket_perms;
 allow lircd_t self:tcp_socket create_stream_socket_perms;
@@ -34,7 +35,7 @@ read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t)
 manage_dirs_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
 manage_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
 manage_sock_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
-files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file })
+files_pid_filetrans(lircd_t, lircd_var_run_t, { file dir })
 # /dev/lircd socket
 dev_filetrans(lircd_t, lircd_var_run_t, sock_file)
 
@@ -44,7 +45,7 @@ corenet_tcp_bind_lirc_port(lircd_t)
 corenet_tcp_sendrecv_all_ports(lircd_t)
 corenet_tcp_connect_lirc_port(lircd_t)
 
-dev_read_generic_usb_dev(lircd_t)
+dev_rw_generic_usb_dev(lircd_t)
 dev_read_mouse(lircd_t)
 dev_filetrans_lirc(lircd_t)
 dev_rw_lirc(lircd_t)
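Review bot: `dev_rw_generic_usb_dev(lircd_t)` replaces a read-only grant with read/write on all generic USB device nodes, which is wider than a single IR receiver needs; if this was added for a specific denial, a comment naming the device or operation (`# rw needed for <device> — TODO confirm`) would let the grant be narrowed later.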
index a4f32f54afeb5abe0faaccad3794f209540e38b7..d801ec0e5651cf10f25b66fce1f157f52631a884 100644 (file)
@@ -153,7 +153,7 @@ interface(`lpd_relabel_spool',`
        ')
 
        files_search_spool($1)
-       allow $1 print_spool_t:file { relabelto relabelfrom };
+       allow $1 print_spool_t:file relabel_file_perms;
 ')
 
 ########################################
index 93c14ca4e9814d166df3c8f153a9074d39d9e7b0..4d3111886c400dc0062f0bbff33a4716c44b5c9f 100644 (file)
@@ -145,9 +145,10 @@ manage_dirs_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t)
 manage_files_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t)
 files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir })
 
+manage_dirs_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
 manage_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
 manage_sock_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
-files_pid_filetrans(lpd_t, lpd_var_run_t, file)
+files_pid_filetrans(lpd_t, lpd_var_run_t, { dir file })
 
 # Write to /var/spool/lpd.
 manage_files_pattern(lpd_t, print_spool_t, print_spool_t)
@@ -308,12 +309,14 @@ tunable_policy(`use_lpd_server',`
 ')
 
 tunable_policy(`use_nfs_home_dirs',`
+       files_list_home(lpr_t)
        fs_list_auto_mountpoints(lpr_t)
        fs_read_nfs_files(lpr_t)
        fs_read_nfs_symlinks(lpr_t)
 ')
 
 tunable_policy(`use_samba_home_dirs',`
+       files_list_home(lpr_t)
        fs_list_auto_mountpoints(lpr_t)
        fs_read_cifs_files(lpr_t)
        fs_read_cifs_symlinks(lpr_t)
index 67c7fddfafe62d8c54ff5032b4a433f459a35e0b..19bcae2aa1a19e52f46e7e81c0b5e69dcf6198b2 100644 (file)
@@ -74,7 +74,7 @@ template(`mailman_domain_template', `
        corecmd_exec_all_executables(mailman_$1_t)
 
        files_exec_etc_files(mailman_$1_t)
-       files_list_usr(mailman_$1_t)
+       files_read_usr_files(mailman_$1_t)
        files_list_var(mailman_$1_t)
        files_list_var_lib(mailman_$1_t)
        files_read_var_lib_symlinks(mailman_$1_t)
index af4d5728a0fa30ebec4ecc3842bf1a4406500e35..ac97ed9d2834ba8481289ebc797da31d7c4b7dda 100644 (file)
@@ -80,6 +80,10 @@ optional_policy(`
        courier_read_spool(mailman_mail_t)
 ')
 
+optional_policy(`
+       gnome_dontaudit_search_config(mailman_mail_t)
+')
+
 optional_policy(`
        cron_read_pipes(mailman_mail_t)
 ')
@@ -125,4 +129,4 @@ optional_policy(`
 
 optional_policy(`
        su_exec(mailman_queue_t)
-')
\ No newline at end of file
+')
index db4fd6fbc5442c021b0e014414d843fb75ea6903..ee60e59169ed64d2f25a472753219c32ffa0def0 100644 (file)
@@ -59,6 +59,7 @@ interface(`memcached_admin',`
        gen_require(`
                type memcached_t;
                type memcached_initrc_exec_t;
+               type memcached_var_run_t;
        ')
 
        allow $1 memcached_t:process { ptrace signal_perms };
@@ -69,5 +70,6 @@ interface(`memcached_admin',`
        role_transition $2 memcached_initrc_exec_t system_r;
        allow $2 system_r;
 
+       files_search_pids($1)
        admin_pattern($1, memcached_var_run_t)
 ')
index 55a3e2f8a53849bf4a212081c42d28e6103504c3..613c69d53b45a6d7ee5948412ef9dbb13256da56 100644 (file)
@@ -1,3 +1,6 @@
+/etc/mail/dkim-milter/keys(/.*)?        gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+
+/usr/sbin/dkim-filter           --      gen_context(system_u:object_r:dkim_milter_exec_t,s0)
 /usr/sbin/milter-greylist      --      gen_context(system_u:object_r:greylist_milter_exec_t,s0)
 /usr/sbin/milter-regex                         --      gen_context(system_u:object_r:regex_milter_exec_t,s0)
 /usr/sbin/spamass-milter       --      gen_context(system_u:object_r:spamass_milter_exec_t,s0)
@@ -5,6 +8,7 @@
 /var/lib/milter-greylist(/.*)?         gen_context(system_u:object_r:greylist_milter_data_t,s0)
 /var/lib/spamass-milter(/.*)?          gen_context(system_u:object_r:spamass_milter_state_t,s0)
 
+/var/run/dkim-milter(/.*)?              gen_context(system_u:object_r:dkim_milter_data_t,s0)
 /var/run/milter-greylist(/.*)?         gen_context(system_u:object_r:greylist_milter_data_t,s0)
 /var/run/milter-greylist\.pid  --      gen_context(system_u:object_r:greylist_milter_data_t,s0)
 /var/run/spamass-milter(/.*)?          gen_context(system_u:object_r:spamass_milter_data_t,s0)
index ed1af3c024de2811f6ae9129217dafe8e8a045c8..a000225c9df68843e4eb297777c9fea06601fcb0 100644 (file)
@@ -37,6 +37,8 @@ template(`milter_template',`
 
        files_read_etc_files($1_milter_t)
 
+       kernel_dontaudit_read_system_state($1_milter_t)
+
        miscfiles_read_localization($1_milter_t)
 
        logging_send_syslog_msg($1_milter_t)
@@ -80,6 +82,24 @@ interface(`milter_getattr_all_sockets',`
        getattr_sock_files_pattern($1, milter_data_type, milter_data_type)
 ')
 
+########################################
+## <summary>
+##     Allow setattr of milter dirs
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`milter_setattr_all_dirs',`
+       gen_require(`
+               attribute milter_data_type;
+       ')
+
+       setattr_dirs_pattern($1, milter_data_type, milter_data_type)
+')
+
 ########################################
 ## <summary>
 ##     Manage spamassassin milter state
@@ -100,3 +120,22 @@ interface(`milter_manage_spamass_state',`
        manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
        manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
 ')
+
+#######################################
+## <summary>
+##      Delete dkim-milter PID files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`milter_delete_dkim_pid_files',`
+        gen_require(`
+                type dkim_milter_data_t;
+        ')
+
+        files_search_pids($1)
+        delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
+')
index 1b6dea0e512d32685b5cb9c511ca0f7a69baaebc..6ba48ffe075d18283057d909642244665cdd8829 100644 (file)
@@ -9,6 +9,13 @@ policy_module(milter, 1.2.1)
 attribute milter_domains;
 attribute milter_data_type;
 
+# support for dkim-milter - domainKeys Identified Mail sender authentication sendmail milter
+milter_template(dkim)
+
+# type for the private key of dkim-milter
+type dkim_milter_private_key_t;
+files_type(dkim_milter_private_key_t)
+
 # currently-supported milters are milter-greylist, milter-regex and spamass-milter
 milter_template(greylist)
 milter_template(regex)
@@ -20,6 +27,23 @@ milter_template(spamass)
 type spamass_milter_state_t;
 files_type(spamass_milter_state_t)
 
+#######################################
+#
+# dkim-milter local policy
+#
+
+allow dkim_milter_t self:capability { kill setgid setuid };
+
+allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
+
+read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
+
+auth_use_nsswitch(dkim_milter_t)
+
+sysnet_dns_name_resolve(dkim_milter_t)
+
+mta_read_config(dkim_milter_t)
+
 ########################################
 #
 # milter-greylist local policy
diff --git a/policy/modules/services/mock.fc b/policy/modules/services/mock.fc
new file mode 100644 (file)
index 0000000..42bb2a3
--- /dev/null
@@ -0,0 +1,6 @@
+
+/usr/sbin/mock         --      gen_context(system_u:object_r:mock_exec_t,s0)
+
+/var/lib/mock(/.*)?            gen_context(system_u:object_r:mock_var_lib_t,s0)
+
+/var/cache/mock(/.*)?          gen_context(system_u:object_r:mock_cache_t,s0)
diff --git a/policy/modules/services/mock.if b/policy/modules/services/mock.if
new file mode 100644 (file)
index 0000000..5a1698c
--- /dev/null
@@ -0,0 +1,238 @@
+
+## <summary>policy for mock</summary>
+
+########################################
+## <summary>
+##     Execute a domain transition to run mock.
+## </summary>
+## <param name="domain">
+## <summary>
+##     Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mock_domtrans',`
+       gen_require(`
+               type mock_t, mock_exec_t;
+       ')
+
+       domtrans_pattern($1, mock_exec_t, mock_t)
+')
+
+
+########################################
+## <summary>
+##     Search mock lib directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mock_search_lib',`
+       gen_require(`
+               type mock_var_lib_t;
+       ')
+
+       allow $1 mock_var_lib_t:dir search_dir_perms;
+       files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##     Read mock lib files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mock_read_lib_files',`
+       gen_require(`
+               type mock_var_lib_t;
+       ')
+
+       files_search_var_lib($1)
+        read_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
+## <summary>
+##     Create, read, write, and delete
+##     mock lib files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mock_manage_lib_files',`
+       gen_require(`
+               type mock_var_lib_t;
+       ')
+
+       files_search_var_lib($1)
+        manage_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
+## <summary>
+##     Manage mock lib dirs files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mock_manage_lib_dirs',`
+       gen_require(`
+               type mock_var_lib_t;
+       ')
+
+       files_search_var_lib($1)
+        manage_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+#########################################
+## <summary>
+##     Manage mock lib symlinks.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mock_manage_lib_symlinks',`
+       gen_require(`
+               type mock_var_lib_t;
+       ')
+
+       files_search_var_lib($1)
+        manage_lnk_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
+## <summary>
+##     Manage mock lib files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mock_manage_lib_chr_files',`
+       gen_require(`
+               type mock_var_lib_t;
+       ')
+
+       files_search_var_lib($1)
+        manage_chr_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
+')
+
+########################################
+## <summary>
+##     Execute mock in the mock domain, and
+##     allow the specified role the mock domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     The role to be allowed the mock domain.
+##     </summary>
+## </param>
+#
+interface(`mock_run',`
+       gen_require(`
+               type mock_t;
+       ')
+
+       mock_domtrans($1)
+       role $2 types mock_t;
+')
+
+########################################
+## <summary>
+##     Role access for mock
+## </summary>
+## <param name="role">
+##     <summary>
+##     Role allowed access
+##     </summary>
+## </param>
+## <param name="domain">
+##     <summary>
+##     User domain for the role
+##     </summary>
+## </param>
+#
+interface(`mock_role',`
+       gen_require(`
+              type mock_t;
+       ')
+
+       role $1 types mock_t;
+
+       mock_domtrans($2)
+
+       ps_process_pattern($2, mock_t)
+       allow $2 mock_t:process signal;
+')
+
+#######################################
+## <summary>
+##     Send a generic signal to mock.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mock_signal',`
+       gen_require(`
+               type mock_t;
+       ')
+
+       allow $1 mock_t:process signal;
+')
+
+########################################
+## <summary>
+##     All of the rules required to administrate 
+##     an mock environment
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     Role allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mock_admin',`
+       gen_require(`
+               type mock_t;
+                type mock_var_lib_t;
+       ')
+
+       allow $1 mock_t:process { ptrace signal_perms };
+       ps_process_pattern($1, mock_t)
+
+       files_search_var_lib($1)
+       admin_pattern($1, mock_var_lib_t)
+
+')
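Review bot: Several summaries in this new file do not match the interface they document: `mock_manage_lib_chr_files` says "Manage mock lib files" although it grants `manage_chr_files_pattern`, and `mock_manage_lib_dirs` says "Manage mock lib dirs files"; suggest `##      Manage mock lib character device files.` and `##      Manage mock lib directories.` respectively. Style: `mock_admin` has a blank line before its closing `')` and its `type mock_var_lib_t;` require line is indented with spaces, several `read_files_pattern`/`manage_*_pattern` calls are space-indented while the `gen_require` blocks use tabs, and `mock_domtrans` is followed by two blank lines.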
diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te
new file mode 100644 (file)
index 0000000..6f8fda5
--- /dev/null
@@ -0,0 +1,98 @@
+policy_module(mock,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type mock_t;
+type mock_exec_t;
+application_domain(mock_t, mock_exec_t)
+domain_role_change_exemption(mock_t)
+domain_system_change_exemption(mock_t)
+role system_r types mock_t;
+
+permissive mock_t;
+
+type mock_cache_t;
+files_type(mock_cache_t)
+
+type mock_tmp_t;
+files_tmp_file(mock_tmp_t)
+
+type mock_var_lib_t;
+files_type(mock_var_lib_t)
+
+########################################
+#
+# mock local policy
+#
+allow mock_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
+allow mock_t self:process { siginh noatsecure signull transition rlimitinh setsched setpgid sigkill };
+dontaudit mock_t self:process { siginh noatsecure rlimitinh };
+allow mock_t self:fifo_file manage_fifo_file_perms;
+allow mock_t self:unix_stream_socket create_stream_socket_perms;
+allow mock_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(mock_t, mock_cache_t, mock_cache_t)
+manage_files_pattern(mock_t, mock_cache_t, mock_cache_t)
+files_var_filetrans(mock_t, mock_cache_t, { dir file } )
+
+manage_dirs_pattern(mock_t, mock_tmp_t, mock_tmp_t)
+manage_files_pattern(mock_t, mock_tmp_t, mock_tmp_t)
+files_tmp_filetrans(mock_t, mock_tmp_t, { dir file } )
+can_exec(mock_t, mock_tmp_t)
+
+manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_lnk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_chr_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file } )
+can_exec(mock_t, mock_var_lib_t)
+allow mock_t mock_var_lib_t:dir mounton;
+
+kernel_list_proc(mock_t)
+kernel_read_irq_sysctls(mock_t)
+kernel_read_system_state(mock_t)
+kernel_read_kernel_sysctls(mock_t)
+kernel_request_load_module(mock_t)
+
+corecmd_exec_bin(mock_t)
+corecmd_exec_shell(mock_t)
+
+corenet_tcp_connect_http_port(mock_t)
+
+dev_read_urand(mock_t)
+
+domain_read_all_domains_state(mock_t)
+domain_use_interactive_fds(mock_t)
+
+files_read_etc_files(mock_t)
+files_read_usr_files(mock_t)
+
+fs_getattr_all_fs(mock_t)
+
+selinux_get_enforce_mode(mock_t)
+
+auth_use_nsswitch(mock_t)
+
+init_exec(mock_t)
+
+libs_domtrans_ldconfig(mock_t)
+
+logging_send_audit_msgs(mock_t)
+logging_send_syslog_msg(mock_t)
+
+miscfiles_read_localization(mock_t)
+
+mount_domtrans(mock_t)
+
+optional_policy(`
+       rpm_exec(mock_t)
+       rpm_manage_db(mock_t)
+       rpm_entry_type(mock_t)
+')
+
+optional_policy(`
+       apache_read_sys_content_rw_files(mock_t)
+')
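Review bot: `permissive mock_t;` in the declarations means the capability line that follows (`sys_admin setfcap setuid sys_ptrace sys_chroot chown audit_write dac_override ...`) and everything else in this file is logged rather than enforced, so as committed the domain provides no confinement; if this is a bring-up state, mark it with a comment such as `# TODO: drop permissive once mock_t has been exercised in enforcing mode` so it does not ship silently. The capability set is already close to unconfined, so a comment on that line noting which mock operations need `sys_admin`, `sys_ptrace` and `sys_chroot` would make a later trim possible. Minor: `policy_module(mock,1.0.0)` lacks the space after the comma used by the other modules.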
index b3ace1618f86cff90f26a4856dee2417ac988c11..3dd940c1e8a70f0764917d6efad43fcb4cc74753 100644 (file)
@@ -16,7 +16,8 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
 # ModemManager local policy
 #
 
-allow modemmanager_t self:process signal;
+allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
+allow modemmanager_t self:process { getsched signal };  
 allow modemmanager_t self:fifo_file rw_file_perms;
 allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
 allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
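Review bot: `allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };` adds `sys_admin`, the broadest capability, with no comment saying which operation needed it; if it was added in response to a specific denial, naming it (`# sys_admin: <operation> — TODO confirm`) lets a later reviewer check whether a narrower capability suffices. The new `allow modemmanager_t self:process { getsched signal };` line also carries trailing whitespace.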
@@ -28,6 +29,7 @@ dev_rw_modem(modemmanager_t)
 
 files_read_etc_files(modemmanager_t)
 
+term_use_generic_ptys(modemmanager_t)
 term_use_unallocated_ttys(modemmanager_t)
 
 miscfiles_read_localization(modemmanager_t)
@@ -36,6 +38,10 @@ logging_send_syslog_msg(modemmanager_t)
 
 networkmanager_dbus_chat(modemmanager_t)
 
+optional_policy(`
+       policykit_dbus_chat(modemmanager_t)
+')
+
 optional_policy(`
        udev_read_db(modemmanager_t)
 ')
index 657a9fc20e1e0cb1627e81385ba8fffcdf246a43..cf7968d470df3d2a1688fed99536def2667aacad 100644 (file)
@@ -21,13 +21,16 @@ interface(`mojomojo_admin',`
        gen_require(`
                type httpd_mojomojo_script_t;
                type httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t;
-               type httpd_mojomojo_rw_content_t;
+               type httpd_mojomojo_rw_content_t, httpd_mojomojo_tmp_t;
                type httpd_mojomojo_script_exec_t, httpd_mojomojo_htaccess_t;
        ')
 
        allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms };
        ps_process_pattern($1, httpd_mojomojo_script_t)
 
+       files_list_tmp($1)
+       admin_pattern($1, httpd_mojomojo_tmp_t)
+
        files_search_var_lib(httpd_mojomojo_script_t)
 
        apache_search_sys_content($1)
index 83f002c38617e1c688c8450c0283fd05f07a80ea..ed699969e0b9bdd4cf73e38896e5cf82b46ed614 100644 (file)
@@ -7,6 +7,9 @@ policy_module(mojomojo, 1.0.0)
 
 apache_content_template(mojomojo)
 
+type httpd_mojomojo_tmp_t;
+files_tmp_file(httpd_mojomojo_tmp_t)
+
 ########################################
 #
 # mojomojo local policy
@@ -14,6 +17,10 @@ apache_content_template(mojomojo)
 
 allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
 
+manage_dirs_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t)
+manage_files_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t)
+files_tmp_filetrans(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, { file dir })
+
 corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t)
 corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t)
 corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
diff --git a/policy/modules/services/mpd.fc b/policy/modules/services/mpd.fc
new file mode 100644 (file)
index 0000000..564b22d
--- /dev/null
@@ -0,0 +1,10 @@
+
+/etc/mpd\.conf         --      gen_context(system_u:object_r:mpd_etc_t,s0)
+
+/etc/rc\.d/init\.d/mpd --      gen_context(system_u:object_r:mpd_initrc_exec_t,s0)
+
+/usr/bin/mpd           --      gen_context(system_u:object_r:mpd_exec_t,s0)
+
+/var/lib/mpd(/.*)?             gen_context(system_u:object_r:mpd_var_lib_t,s0)
+/var/lib/mpd/music(/.*)?       gen_context(system_u:object_r:mpd_data_t,s0)    
+/var/lib/mpd/playlists(/.*)?   gen_context(system_u:object_r:mpd_data_t,s0)
diff --git a/policy/modules/services/mpd.if b/policy/modules/services/mpd.if
new file mode 100644 (file)
index 0000000..5599d14
--- /dev/null
@@ -0,0 +1,273 @@
+
+## <summary>policy for daemon for playing music</summary>
+
+########################################
+## <summary>
+##     Execute a domain transition to run mpd.
+## </summary>
+## <param name="domain">
+## <summary>
+##     Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mpd_domtrans',`
+       gen_require(`
+               type mpd_t, mpd_exec_t;
+       ')
+
+       domtrans_pattern($1, mpd_exec_t, mpd_t)
+')
+
+
+########################################
+## <summary>
+##     Execute mpd server in the mpd domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mpd_initrc_domtrans',`
+       gen_require(`
+               type mpd_initrc_exec_t;
+       ')
+
+       init_labeled_script_domtrans($1, mpd_initrc_exec_t)
+')
+
+#######################################
+## <summary>
+##      Read mpd data files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`mpd_read_data_files',`
+        gen_require(`
+                type mpd_data_t;
+        ')
+
+       mpd_search_lib($1)
+        read_files_pattern($1, mpd_data_t, mpd_data_t)
+')
+
+#######################################
+## <summary>
+##      Read mpd tmpfs files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`mpd_read_tmpfs_files',`
+        gen_require(`
+                type mpd_tmpfs_t;
+        ')
+
+       fs_search_tmpfs($1)
+        read_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
+')
+
+###################################
+## <summary>
+##      Manage mpd tmpfs files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`mpd_manage_tmpfs_files',`
+        gen_require(`
+                type mpd_tmpfs_t;
+        ')
+
+       fs_search_tmpfs($1)
+        manage_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
+        manage_lnk_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
+')
+
+######################################
+## <summary>
+##      Manage mpd data files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`mpd_manage_data_files',`
+        gen_require(`
+                type mpd_data_t;
+        ')
+
+        mpd_search_lib($1)
+        manage_files_pattern($1, mpd_data_t, mpd_data_t)
+')
+
+########################################
+## <summary>
+##     Search mpd lib directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mpd_search_lib',`
+       gen_require(`
+               type mpd_var_lib_t;
+       ')
+
+       allow $1 mpd_var_lib_t:dir search_dir_perms;
+       files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##     Read mpd lib files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mpd_read_lib_files',`
+       gen_require(`
+               type mpd_var_lib_t;
+       ')
+
+       files_search_var_lib($1)
+        read_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t)
+')
+
+########################################
+## <summary>
+##     Create, read, write, and delete
+##     mpd lib files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mpd_manage_lib_files',`
+       gen_require(`
+               type mpd_var_lib_t;
+       ')
+
+       files_search_var_lib($1)
+        manage_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t)
+')
+
+#######################################
+## <summary>
+##      Create an object in the root directory, with a private
+##      type using a type transition.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <param name="private type">
+##      <summary>
+##      The type of the object to be created.
+##      </summary>
+## </param>
+## <param name="object">
+##      <summary>
+##      The object class of the object being created.
+##      </summary>
+## </param>
+#
+interface(`mpd_var_lib_filetrans',`
+    gen_require(`
+        type mpd_var_lib_t;
+    ')
+
+    filetrans_pattern($1, mpd_var_lib_t, $2, $3)
+')
+
+########################################
+## <summary>
+##     Manage mpd lib dirs files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mpd_manage_lib_dirs',`
+       gen_require(`
+               type mpd_var_lib_t;
+       ')
+
+       files_search_var_lib($1)
+        manage_dirs_pattern($1, mpd_var_lib_t, mpd_var_lib_t)
+')
+
+########################################
+## <summary>
+##     All of the rules required to administrate 
+##     an mpd environment
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     Role allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mpd_admin',`
+       gen_require(`
+               type mpd_t;
+               type mpd_initrc_exec_t;
+               type mpd_etc_t;
+               type mpd_data_t;
+               type mpd_log_t;
+                type mpd_var_lib_t;
+               type mpd_tmpfs_t;
+       ')
+
+       allow $1 mpd_t:process { ptrace signal_perms };
+       ps_process_pattern($1, mpd_t)
+
+       mpd_initrc_domtrans($1)
+       domain_system_change_exemption($1)
+       role_transition $2 mpd_initrc_exec_t system_r;
+       allow $2 system_r;
+
+       admin_pattern($1, mpd_etc_t)
+        files_search_etc($1)
+
+       files_search_var_lib($1)
+       admin_pattern($1, mpd_var_lib_t)
+       
+       mpd_search_lib($1)
+       admin_pattern($1, mpd_data_t)
+
+       admin_pattern($1, mpd_log_t)
+
+       fs_search_tmpfs($1)
+       admin_pattern($1, mpd_tmpfs_t)
+')
diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te
new file mode 100644 (file)
index 0000000..71464f6
--- /dev/null
@@ -0,0 +1,111 @@
+policy_module(mpd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type mpd_t;
+type mpd_exec_t;
+init_daemon_domain(mpd_t, mpd_exec_t)
+
+permissive mpd_t;
+
+type mpd_initrc_exec_t;
+init_script_file(mpd_initrc_exec_t)
+
+type mpd_etc_t;
+files_config_file(mpd_etc_t)
+
+# type for music content
+type mpd_data_t;
+files_type(mpd_data_t)
+
+type mpd_log_t;
+logging_log_file(mpd_log_t)
+
+type mpd_tmp_t;
+files_tmp_file(mpd_tmp_t)
+
+type mpd_tmpfs_t;
+files_tmpfs_file(mpd_tmpfs_t)
+
+type mpd_var_lib_t;
+files_type(mpd_var_lib_t)
+
+########################################
+#
+# mpd local policy
+#
+
+#cjp: dac_override bug in mpd relating to mpd.log file
+allow mpd_t self:capability { dac_override kill setgid setuid };
+allow mpd_t self:process { getsched setsched setrlimit signal signull };
+
+allow mpd_t self:fifo_file rw_fifo_file_perms;
+allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow mpd_t self:tcp_socket create_stream_socket_perms;
+allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow mpd_t self:unix_dgram_socket { create_socket_perms sendto };
+
+read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t)
+
+manage_dirs_pattern(mpd_t, mpd_data_t, mpd_data_t)
+manage_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
+
+manage_dirs_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
+manage_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
+manage_sock_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
+files_tmp_filetrans(mpd_t, mpd_tmp_t, { dir file sock_file })
+
+manage_files_pattern(mpd_t, mpd_tmpfs_t, mpd_tmpfs_t)
+manage_dirs_pattern(mpd_t, mpd_tmpfs_t, mpd_tmpfs_t)
+fs_tmpfs_filetrans(mpd_t, mpd_tmpfs_t, file )
+
+manage_dirs_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
+manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
+manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
+files_var_lib_filetrans(mpd_t, mpd_var_lib_t, { dir file lnk_file })
+
+kernel_read_system_state(mpd_t)
+kernel_read_kernel_sysctls(mpd_t)
+
+corecmd_exec_bin(mpd_t)
+
+corenet_sendrecv_pulseaudio_client_packets(mpd_t)
+corenet_tcp_connect_http_port(mpd_t)
+corenet_tcp_connect_http_cache_port(mpd_t)
+corenet_tcp_connect_pulseaudio_port(mpd_t)
+corenet_tcp_bind_mpd_port(mpd_t)
+corenet_tcp_bind_soundd_port(mpd_t)
+
+dev_read_sysfs(mpd_t)
+
+files_read_usr_files(mpd_t)
+
+fs_getattr_tmpfs(mpd_t)
+fs_list_inotifyfs(mpd_t)
+fs_rw_anon_inodefs_files(mpd_t)
+
+auth_use_nsswitch(mpd_t)
+
+logging_send_syslog_msg(mpd_t)
+
+miscfiles_read_localization(mpd_t)
+
+userdom_read_home_audio_files(mpd_t)
+userdom_read_user_tmpfs_files(mpd_t)
+
+optional_policy(`
+       dbus_system_bus_client(mpd_t)
+')
+
+optional_policy(`
+       pulseaudio_exec(mpd_t)
+       pulseaudio_stream_connect(mpd_t)
+       pulseaudio_signull(mpd_t)
+')
+
+optional_policy(`
+        udev_read_db(mpd_t)
+')
index 256166a9eb223db08d4b2111f0b51ac918bb6dfb..c526ce89d140e098c2ac3fe9515410a80b6cbf4e 100644 (file)
@@ -1,4 +1,5 @@
-HOME_DIR/\.forward     --      gen_context(system_u:object_r:mail_forward_t,s0)
+HOME_DIR/\.forward     --      gen_context(system_u:object_r:mail_home_t,s0)
+HOME_DIR/dead.letter   --      gen_context(system_u:object_r:mail_home_t,s0)
 
 /bin/mail(x)?          --      gen_context(system_u:object_r:sendmail_exec_t,s0)
 
@@ -11,6 +12,9 @@ ifdef(`distro_redhat',`
 /etc/postfix/aliases.*         gen_context(system_u:object_r:etc_aliases_t,s0)
 ')
 
+/root/\.forward        --      gen_context(system_u:object_r:mail_home_t,s0)
+/root/dead.letter      --      gen_context(system_u:object_r:mail_home_t,s0)
+
 /usr/bin/esmtp                 -- gen_context(system_u:object_r:sendmail_exec_t,s0)
 
 /usr/lib(64)?/sendmail --      gen_context(system_u:object_r:sendmail_exec_t,s0)
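Review bot: `dead.letter` in the two new entries (`/root/dead.letter` here and `HOME_DIR/dead.letter` in the previous hunk) leaves the dot unescaped, while the neighbouring `\.forward` entries escape it; file-context paths are regular expressions, so the unescaped form also matches names such as `deadXletter`. Suggest `/root/dead\.letter` and `HOME_DIR/dead\.letter`. Practical impact is small because both entries are `--` regular-file matches carrying the same label, but the inconsistency invites copy-paste errors in later edits.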
index 343cee395d7b4cc329f0664b1a87e75c7f2f1757..a9ebda2747c3fb09786979d4cdb2100c1163d4a3 100644 (file)
@@ -220,6 +220,25 @@ interface(`mta_agent_executable',`
        application_executable_file($1)
 ')
 
+######################################
+## <summary>
+##  Dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`mta_dontaudit_leaks_system_mail',`
+    gen_require(`
+        type system_mail_t;
+    ')
+
+    dontaudit $1 system_mail_t:fifo_file write;
+    dontaudit $1 system_mail_t:tcp_socket { read write };
+')
+
 ########################################
 ## <summary>
 ##     Make the specified type by a system MTA.
@@ -330,12 +349,6 @@ interface(`mta_mailserver_user_agent',`
        ')
 
        typeattribute $1 mta_user_agent;
-
-       optional_policy(`
-               # apache should set close-on-exec
-               apache_dontaudit_rw_stream_sockets($1)
-               apache_dontaudit_rw_sys_script_stream_sockets($1)
-       ')
 ')
 
 ########################################
@@ -362,6 +375,10 @@ interface(`mta_send_mail',`
        allow mta_user_agent $1:fd use;
        allow mta_user_agent $1:process sigchld;
        allow mta_user_agent $1:fifo_file rw_fifo_file_perms;
+
+       ifdef(`hide_broken_symptoms', `
+               dontaudit system_mail_t $1:socket_class_set { read write };
+       ')
 ')
 
 ########################################
@@ -391,12 +408,15 @@ interface(`mta_send_mail',`
 #
 interface(`mta_sendmail_domtrans',`
        gen_require(`
-               type sendmail_exec_t;
+               attribute mta_exec_type;
        ')
 
        files_search_usr($1)
+       allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
        corecmd_read_bin_symlinks($1)
-       domain_auto_trans($1, sendmail_exec_t, $2)
+
+       allow $2 mta_exec_type:file entrypoint;
+       domtrans_pattern($1, mta_exec_type, $2)
 ')
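Review bot: Switching the transition from `sendmail_exec_t` to the whole `mta_exec_type` attribute means every caller of mta_sendmail_domtrans now transitions into $2 when executing any executable carrying that attribute, not just sendmail; that is a scope widening worth a comment on the attribute line, e.g. `# any MTA front-end (mta_exec_type), not only sendmail_exec_t`. The interface's summary and parameter docs sit above the hunk and should be checked so they no longer describe sendmail specifically. If I recall refpolicy's domain_transition_pattern correctly, `domtrans_pattern($1, mta_exec_type, $2)` already grants `$2 mta_exec_type:file entrypoint`, in which case the explicit `allow $2 mta_exec_type:file entrypoint;` line is redundant and can be dropped.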
 
 ########################################
@@ -418,6 +438,25 @@ interface(`mta_signal_system_mail',`
        allow $1 system_mail_t:process signal;
 ')
 
+########################################
+## <summary>
+##     Send system mail client a kill signal
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+#
+interface(`mta_kill_system_mail',`
+       gen_require(`
+               type system_mail_t;
+       ')
+
+       allow $1 system_mail_t:process sigkill;
+')
+
 ########################################
 ## <summary>
 ##     Execute sendmail in the caller domain.
@@ -474,7 +513,8 @@ interface(`mta_write_config',`
                type etc_mail_t;
        ')
 
-       write_files_pattern($1, etc_mail_t, etc_mail_t)
+       manage_files_pattern($1, etc_mail_t, etc_mail_t)
+       allow $1 etc_mail_t:file setattr;
 ')
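Review bot: mta_write_config now grants `manage_files_pattern` plus `setattr`, i.e. create, unlink and rename as well as write, but the interface name and its summary (above the hunk) still describe write-only access, so every existing caller silently receives the wider grant. The same happens in mta_rw_spool (hunk at `@@ -698`), where `rw_files_pattern` becomes `manage_files_pattern`. Either introduce `mta_manage_config` / `mta_manage_spool` and move only the callers that need the extra permissions, or update the summaries to "Create, read, write, and delete …" and note which caller required it.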
 
 ########################################
@@ -698,7 +738,7 @@ interface(`mta_rw_spool',`
        files_search_spool($1)
        allow $1 mail_spool_t:dir list_dir_perms;
        allow $1 mail_spool_t:file setattr;
-       rw_files_pattern($1, mail_spool_t, mail_spool_t)
+       manage_files_pattern($1, mail_spool_t, mail_spool_t)
        read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
 ')
 
@@ -899,3 +939,43 @@ interface(`mta_rw_user_mail_stream_sockets',`
 
        allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
 ')
+
+########################################
+## <summary>
+##     Type transition files created in calling dir 
+##     to the mail address aliases type.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="domain">
+##     <summary>
+##     Directory to transition on.
+##     </summary>
+## </param>
+#
+interface(`mta_filetrans_aliases',`
+       filetrans_pattern($1, $2, etc_aliases_t, file)
+')
+
+######################################
+## <summary>
+##  ALlow domain to read mail content in the homedir 
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`mta_read_home',`
+    gen_require(`
+        type mail_home_t;
+    ')
+
+    userdom_search_user_home_dirs($1)
+    userdom_search_admin_dir($1)
+    read_files_pattern($1, mail_home_t, mail_home_t)
+')
index 64268e4f80e332235c595693872311d2479b15df..f99b9fc458c62411f9b96d67aecc36855bece776 100644 (file)
@@ -20,8 +20,8 @@ files_type(etc_aliases_t)
 type etc_mail_t;
 files_config_file(etc_mail_t)
 
-type mail_forward_t;
-files_type(mail_forward_t)
+type mail_home_t alias mail_forward_t;
+userdom_user_home_content(mail_home_t)
 
 type mqueue_spool_t;
 files_mountpoint(mqueue_spool_t)
@@ -50,22 +50,9 @@ ubac_constrained(user_mail_tmp_t)
 
 # newalias required this, not sure if it is needed in 'if' file
 allow system_mail_t self:capability { dac_override fowner };
-allow system_mail_t self:fifo_file rw_fifo_file_perms;
-
-read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
 
 read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
 
-allow system_mail_t mail_forward_t:file read_file_perms;
-
-allow system_mail_t mta_exec_type:file entrypoint;
-
-can_exec(system_mail_t, mta_exec_type)
-
-kernel_read_system_state(system_mail_t)
-kernel_read_network_state(system_mail_t)
-kernel_request_load_module(system_mail_t)
-
 dev_read_sysfs(system_mail_t)
 dev_read_rand(system_mail_t)
 dev_read_urand(system_mail_t)
@@ -82,6 +69,9 @@ init_use_script_ptys(system_mail_t)
 
 userdom_use_user_terminals(system_mail_t)
 userdom_dontaudit_search_user_home_dirs(system_mail_t)
+userdom_dontaudit_list_admin_dir(system_mail_t)
+
+logging_append_all_logs(system_mail_t)
 
 optional_policy(`
        apache_read_squirrelmail_data(system_mail_t)
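Review bot: `logging_append_all_logs(system_mail_t)` gives the system mail client append access to every log type on the system, which is considerably broader than the per-service append interfaces used elsewhere in this file (e.g. `clamav_append_log`, `fail2ban_append_log`). If a specific log triggered this, a comment such as `# needed for <LOG-PLACEHOLDER>; consider a per-service append interface` would let a later reviewer narrow it; if the goal is inherited log descriptors from callers, a dontaudit may be the intended fix instead.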
@@ -92,6 +82,12 @@ optional_policy(`
        apache_dontaudit_rw_stream_sockets(system_mail_t)
        apache_dontaudit_rw_tcp_sockets(system_mail_t)
        apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
+       apache_dontaudit_write_tmp_files(system_mail_t)
+
+       # apache should set close-on-exec
+       apache_dontaudit_rw_stream_sockets(mta_user_agent)
+       apache_dontaudit_rw_sys_script_stream_sockets(mta_user_agent)
+       apache_append_log(mta_user_agent)
 ')
 
 optional_policy(`
@@ -102,6 +98,11 @@ optional_policy(`
        ')
 ')
 
+optional_policy(`
+       bugzilla_search_dirs(system_mail_t)
+       bugzilla_dontaudit_rw_script_stream_sockets(system_mail_t)
+')
+
 optional_policy(`
        clamav_stream_connect(system_mail_t)
        clamav_append_log(system_mail_t)
@@ -111,6 +112,8 @@ optional_policy(`
        cron_read_system_job_tmp_files(system_mail_t)
        cron_dontaudit_write_pipes(system_mail_t)
        cron_rw_system_job_stream_sockets(system_mail_t)
+       cron_rw_inherited_spool_files(system_mail_t)
+       cron_rw_inherited_user_spool_files(system_mail_t)
 ')
 
 optional_policy(`
@@ -123,13 +126,9 @@ optional_policy(`
        cvs_read_data(system_mail_t)
 ')
 
-optional_policy(`
-       exim_domtrans(system_mail_t)
-       exim_manage_log(system_mail_t)
-')
-
 optional_policy(`
        fail2ban_append_log(system_mail_t)
+       fail2ban_dontaudit_leaks(system_mail_t)
 ')
 
 optional_policy(`
@@ -145,6 +144,10 @@ optional_policy(`
        milter_getattr_all_sockets(system_mail_t)
 ')
 
+optional_policy(`
+       munin_dontaudit_leaks(system_mail_t)
+')
+
 optional_policy(`
        nagios_read_tmp_files(system_mail_t)
 ')
@@ -158,18 +161,6 @@ optional_policy(`
        files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
 
        domain_use_interactive_fds(system_mail_t)
-
-       # postfix needs this for newaliases
-       files_getattr_tmp_dirs(system_mail_t)
-
-       postfix_exec_master(system_mail_t)
-       postfix_read_config(system_mail_t)
-       postfix_search_spool(system_mail_t)
-
-       ifdef(`distro_redhat',`
-               # compatability for old default main.cf
-               postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
-       ')
 ')
 
 optional_policy(`
@@ -188,6 +179,10 @@ optional_policy(`
        ')
 ')
 
+optional_policy(`
+       spamd_stream_connect(system_mail_t)
+')
+
 optional_policy(`
        smartmon_read_tmp_files(system_mail_t)
 ')
@@ -220,7 +215,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
 create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
 read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
 
-read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t)
+userdom_search_admin_dir(mailserver_delivery)
+read_files_pattern(mailserver_delivery, mail_home_t, mail_home_t)
 
 read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
 
@@ -249,11 +245,16 @@ optional_policy(`
        mailman_read_data_symlinks(mailserver_delivery)
 ')
 
+optional_policy(`
+       uucp_domtrans_uux(mailserver_delivery)
+')
+
 ########################################
 #
 # User send mail local policy
 #
 
+
 domain_use_interactive_fds(user_mail_t)
 
 userdom_use_user_terminals(user_mail_t)
@@ -292,3 +293,44 @@ optional_policy(`
        postfix_read_config(user_mail_t)
        postfix_list_spool(user_mail_t)
 ')
+
+########################################
+#
+# Comman user_mail_domain policy
+#
+
+allow user_mail_domain self:fifo_file rw_fifo_file_perms;
+allow user_mail_domain mta_exec_type:file entrypoint;
+
+read_files_pattern(user_mail_domain, etc_aliases_t, etc_aliases_t)
+
+can_exec(user_mail_domain, mta_exec_type)
+
+allow system_mail_t user_mail_domain:file read_file_perms;
+
+read_files_pattern(user_mail_domain, etc_mail_t, etc_mail_t)
+
+kernel_read_system_state(user_mail_domain)
+kernel_read_network_state(user_mail_domain)
+kernel_request_load_module(user_mail_domain)
+
+
+
+optional_policy(`
+       # postfix needs this for newaliases
+       files_getattr_tmp_dirs(user_mail_domain)
+
+       postfix_exec_master(user_mail_domain)
+       postfix_read_config(user_mail_domain)
+       postfix_search_spool(user_mail_domain)
+
+       ifdef(`distro_redhat',`
+               # compatability for old default main.cf
+               postfix_config_filetrans(user_mail_domain, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
+       ')
+')
+
+optional_policy(`
+       exim_domtrans(user_mail_domain)
+       exim_manage_log(user_mail_domain)
+')
index fd71d69fa1828245a3872d8708daa6170b3c1ed4..bad9920a62c2f4690f6d8cea137b186bb4167314 100644 (file)
@@ -63,6 +63,7 @@
 /usr/share/munin/plugins/yum   --      gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
 
 /var/lib/munin(/.*)?                   gen_context(system_u:object_r:munin_var_lib_t,s0)
+/var/lib/munin/plugin-state(/.*)?      gen_context(system_u:object_r:munin_plugin_state_t,s0)
 /var/log/munin.*                       gen_context(system_u:object_r:munin_log_t,s0)
 /var/run/munin(/.*)?                   gen_context(system_u:object_r:munin_var_run_t,s0)
 /var/www/html/munin(/.*)?              gen_context(system_u:object_r:httpd_munin_content_t,s0)
index c358d8fb4525bc63754480700e174f605357722b..dda8ca9c348f9a94c951123e07e3900f95eb419c 100644 (file)
 #
 template(`munin_plugin_template',`
        gen_require(`
-               type munin_t, munin_exec_t, munin_etc_t;
+               type munin_t;
+               attribute munin_plugin_domain;
        ')
 
-       type $1_munin_plugin_t;
+       type $1_munin_plugin_t, munin_plugin_domain;
        type $1_munin_plugin_exec_t;
        typealias $1_munin_plugin_t alias munin_$1_plugin_t;
        typealias $1_munin_plugin_exec_t alias munin_$1_plugin_exec_t;
@@ -36,17 +37,8 @@ template(`munin_plugin_template',`
        # automatic transition rules from munin domain
        # to specific munin plugin domain
        domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t)
+       allow munin_t $1_munin_plugin_t:process signal;    
 
-       allow $1_munin_plugin_t munin_exec_t:file read_file_perms;
-       allow $1_munin_plugin_t munin_t:tcp_socket rw_socket_perms;
-
-       read_lnk_files_pattern($1_munin_plugin_t, munin_etc_t, munin_etc_t)
-
-       kernel_read_system_state($1_munin_plugin_t)
-
-       corecmd_exec_bin($1_munin_plugin_t)
-
-       miscfiles_read_localization($1_munin_plugin_t)
 ')
 
 ########################################
@@ -65,9 +57,8 @@ interface(`munin_stream_connect',`
                type munin_var_run_t, munin_t;
        ')
 
-       allow $1 munin_t:unix_stream_socket connectto;
-       allow $1 munin_var_run_t:sock_file { getattr write };
        files_search_pids($1)
+       stream_connect_pattern($1, munin_var_run_t, munin_var_run_t, munin_t)
 ')
 
 #######################################
@@ -92,6 +83,24 @@ interface(`munin_read_config',`
        files_search_etc($1)
 ')
 
+######################################
+## <summary>
+##  dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`munin_dontaudit_leaks',`
+    gen_require(`
+        type munin_t;
+    ')
+
+    dontaudit $1 munin_t:tcp_socket { read write };
+')
+
 #######################################
 ## <summary>
 ##     Append to the munin log.
index f17583b6f57dccc2fdfe63b5e3e29b6db61a7c6d..13d365dd8b214c83533f2943427fe5ede4e5e2ed 100644 (file)
@@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
 # Declarations
 #
 
+attribute munin_plugin_domain;
+
 type munin_t alias lrrd_t;
 type munin_exec_t alias lrrd_exec_t;
 init_daemon_domain(munin_t, munin_exec_t)
@@ -24,6 +26,9 @@ files_tmp_file(munin_tmp_t)
 type munin_var_lib_t alias lrrd_var_lib_t;
 files_type(munin_var_lib_t)
 
+type munin_plugin_state_t;
+files_type(munin_plugin_state_t)
+
 type munin_var_run_t alias lrrd_var_run_t;
 files_pid_file(munin_var_run_t)
 
@@ -40,7 +45,7 @@ munin_plugin_template(system)
 # Local policy
 #
 
-allow munin_t self:capability { chown dac_override setgid setuid };
+allow munin_t self:capability { chown dac_override setgid setuid sys_rawio };
 dontaudit munin_t self:capability sys_tty_config;
 allow munin_t self:process { getsched setsched signal_perms };
 allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
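Review bot: `sys_rawio` is added to the collector domain munin_t itself, while later hunks in this file (`@@ -182` and `@@ -190`) give the disk plugin domain `sys_rawio` and `storage_raw_read_fixed_disk`, which suggests the raw-disk access belongs to the plugin rather than the node daemon. If munin_t genuinely needs it, a comment naming the plugin or operation would justify keeping the capability on the parent domain; otherwise it should be dropped here, since munin_t can also execute arbitrary binaries and shells.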
@@ -71,9 +76,12 @@ manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
 manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
 files_search_var_lib(munin_t)
 
+manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
 manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
 manage_sock_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
-files_pid_filetrans(munin_t, munin_var_run_t, file)
+files_pid_filetrans(munin_t, munin_var_run_t, { file dir })
+
+read_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)
 
 kernel_read_system_state(munin_t)
 kernel_read_network_state(munin_t)
@@ -116,6 +124,7 @@ logging_read_all_logs(munin_t)
 
 miscfiles_read_fonts(munin_t)
 miscfiles_read_localization(munin_t)
+miscfiles_setattr_fonts_cache_dirs(munin_t)
 
 sysnet_exec_ifconfig(munin_t)
 
@@ -145,6 +154,7 @@ optional_policy(`
 optional_policy(`
        mta_read_config(munin_t)
        mta_send_mail(munin_t)
+       mta_list_queue(munin_t)
        mta_read_queue(munin_t)
 ')
 
@@ -159,6 +169,7 @@ optional_policy(`
 
 optional_policy(`
        postfix_list_spool(munin_t)
+       postfix_getattr_spool_files(munin_t)
 ')
 
 optional_policy(`
@@ -182,6 +193,7 @@ optional_policy(`
 # local policy for disk plugins
 #
 
+allow munin_disk_plugin_t self:capability { sys_admin sys_rawio };    
 allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
 
 rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
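Review bot: The new capability line names the domain `munin_disk_plugin_t` while the next line and the rest of the section use `disk_munin_plugin_t`; munin_plugin_template declares `$1_munin_plugin_t` with a typealias `munin_$1_plugin_t`, so both resolve, but the canonical `disk_munin_plugin_t` should be used for consistency. `sys_admin` for a monitoring plugin is a broad grant and, together with `storage_raw_read_fixed_disk` in the next hunk, deserves a comment such as `# sys_admin/sys_rawio: <PLUGIN-OR-IOCTL-PLACEHOLDER>`. The line also ends with trailing whitespace.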
@@ -190,15 +202,13 @@ corecmd_exec_shell(disk_munin_plugin_t)
 
 corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
 
-files_read_etc_files(disk_munin_plugin_t)
 files_read_etc_runtime_files(disk_munin_plugin_t)
 
-fs_getattr_all_fs(disk_munin_plugin_t)
-
+dev_getattr_lvm_control(disk_munin_plugin_t)
 dev_read_sysfs(disk_munin_plugin_t)
 dev_read_urand(disk_munin_plugin_t)
 
-storage_getattr_fixed_disk_dev(disk_munin_plugin_t)
+storage_raw_read_fixed_disk(disk_munin_plugin_t)
 
 sysnet_read_config(disk_munin_plugin_t)
 
@@ -221,19 +231,17 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
 
 dev_read_urand(mail_munin_plugin_t)
 
-files_read_etc_files(mail_munin_plugin_t)
-
-fs_getattr_all_fs(mail_munin_plugin_t)
-
 logging_read_generic_logs(mail_munin_plugin_t)
 
 mta_read_config(mail_munin_plugin_t)
 mta_send_mail(mail_munin_plugin_t)
+mta_list_queue(mail_munin_plugin_t)
 mta_read_queue(mail_munin_plugin_t)
 
 optional_policy(`
        postfix_read_config(mail_munin_plugin_t)
        postfix_list_spool(mail_munin_plugin_t)
+       postfix_getattr_spool_files(mail_munin_plugin_t)
 ')
 
 optional_policy(`
@@ -255,10 +263,6 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
 dev_read_urand(services_munin_plugin_t)
 dev_read_rand(services_munin_plugin_t)
 
-fs_getattr_all_fs(services_munin_plugin_t)
-
-files_read_etc_files(services_munin_plugin_t)
-
 sysnet_read_config(services_munin_plugin_t)
 
 optional_policy(`
@@ -286,6 +290,10 @@ optional_policy(`
        snmp_read_snmp_var_lib_files(services_munin_plugin_t)
 ')
 
+optional_policy(`
+       varnishd_read_lib_files(services_munin_plugin_t)
+')
+
 ##################################
 #
 # local policy for system plugins
@@ -298,10 +306,6 @@ rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
 kernel_read_network_state(system_munin_plugin_t)
 kernel_read_all_sysctls(system_munin_plugin_t)
 
-corecmd_exec_shell(system_munin_plugin_t)
-
-fs_getattr_all_fs(system_munin_plugin_t)
-
 dev_read_sysfs(system_munin_plugin_t)
 dev_read_urand(system_munin_plugin_t)
 
@@ -313,3 +317,29 @@ init_read_utmp(system_munin_plugin_t)
 sysnet_exec_ifconfig(system_munin_plugin_t)
 
 term_getattr_unallocated_ttys(system_munin_plugin_t)
+term_getattr_all_ptys(system_munin_plugin_t)
+
+################################
+#
+# local policy for munin plugin domains
+#
+
+allow munin_plugin_domain munin_exec_t:file read_file_perms;
+allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
+
+# creates plugin state files
+manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t)
+
+read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t)
+
+kernel_read_system_state(munin_plugin_domain)
+
+corecmd_exec_bin(munin_plugin_domain)
+corecmd_exec_shell(munin_plugin_domain)
+
+files_read_etc_files(munin_plugin_domain)
+files_read_usr_files(munin_plugin_domain)
+
+fs_getattr_all_fs(munin_plugin_domain)
+
+miscfiles_read_localization(munin_plugin_domain)
index e9c09824f1c30f18342281d738a57ee20f990721..b81e257b438ef6349c2b33a1984d1caa7eb7263a 100644 (file)
@@ -73,6 +73,7 @@ interface(`mysql_stream_connect',`
                type mysqld_t, mysqld_var_run_t, mysqld_db_t;
        ')
 
+       files_search_pids($1)
        stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
        stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
 ')
index 0a0d63ca96d83fe7ad1aaf022daa54b6c64d465b..b370d5368db841e61fae3e26c390f4bcfb5ec392 100644 (file)
@@ -64,6 +64,7 @@ allow mysqld_t self:udp_socket create_socket_perms;
 
 manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
 
@@ -78,9 +79,10 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
 manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
 files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
 
+manage_dirs_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
 manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
 manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
-files_pid_filetrans(mysqld_t, mysqld_var_run_t, { file sock_file })
+files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
 
 kernel_read_system_state(mysqld_t)
 kernel_read_kernel_sysctls(mysqld_t)
@@ -156,6 +158,7 @@ optional_policy(`
 allow mysqld_safe_t self:capability { chown dac_override fowner kill };
 dontaudit mysqld_safe_t self:capability sys_ptrace;
 allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
+allow mysqld_safe_t self:process { setsched getsched setrlimit };
 
 read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
 
@@ -175,6 +178,7 @@ dev_list_sysfs(mysqld_safe_t)
 
 domain_read_all_domains_state(mysqld_safe_t)
 
+files_dontaudit_search_all_mountpoints(mysqld_safe_t)
 files_read_etc_files(mysqld_safe_t)
 files_read_usr_files(mysqld_safe_t)
 files_dontaudit_getattr_all_dirs(mysqld_safe_t)
index 8581040e9f8f28fbda007ad105aab07c3d6e6949..e3c827293f96ff90a1619027575d62fc00707e57 100644 (file)
@@ -157,6 +157,26 @@ interface(`nagios_read_tmp_files',`
        files_search_tmp($1)
 ')
 
+########################################
+## <summary>
+##     Allow the specified domain to read
+##     nagios temporary files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`nagios_rw_inerited_tmp_files',`
+       gen_require(`
+               type nagios_tmp_t;
+       ')
+
+       allow $1 nagios_tmp_t:file rw_inherited_file_perms;
+       files_search_tmp($1)
+')
+
 ########################################
 ## <summary>
 ##     Execute the nagios NRPE with
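Review bot: The new interface name `nagios_rw_inerited_tmp_files` misspells "inherited", and because callers elsewhere bind to this exact name it should be corrected to `nagios_rw_inherited_tmp_files` before anything depends on it. The summary also says the domain may "read nagios temporary files" while the body grants `rw_inherited_file_perms`; the summary should read `##     Allow the specified domain to read and write inherited nagios temporary files.` so the generated interface docs match the rule.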
index da5b33d07ce19bd63c40caf5cd42f225f1fc3732..10293892f42ab16de13ac537d2aadbaa0a1eef2f 100644 (file)
@@ -107,13 +107,11 @@ files_read_etc_files(nagios_t)
 files_read_etc_runtime_files(nagios_t)
 files_read_kernel_symbol_table(nagios_t)
 files_search_spool(nagios_t)
+files_read_usr_files(nagios_t)
 
 fs_getattr_all_fs(nagios_t)
 fs_search_auto_mountpoints(nagios_t)
 
-# for who
-init_read_utmp(nagios_t)
-
 auth_use_nsswitch(nagios_t)
 
 logging_send_syslog_msg(nagios_t)
@@ -124,10 +122,10 @@ userdom_dontaudit_use_unpriv_user_fds(nagios_t)
 userdom_dontaudit_search_user_home_dirs(nagios_t)
 
 mta_send_mail(nagios_t)
+mta_signal_system_mail(nagios_t)
+mta_kill_system_mail(nagios_t)
 
 optional_policy(`
-       netutils_domtrans_ping(nagios_t)
-       netutils_signal_ping(nagios_t)
        netutils_kill_ping(nagios_t)
 ')
 
@@ -340,6 +338,8 @@ files_read_usr_files(nagios_services_plugin_t)
 
 optional_policy(`
        netutils_domtrans_ping(nagios_services_plugin_t)
+       netutils_signal_ping(nagios_services_plugin_t)
+       netutils_kill_ping(nagios_services_plugin_t)
 ')
 
 optional_policy(`
index 386543b826e128256bdb324dbc2c4b10b0df2d30..d15cc4b106a7eb3b8c1c9aeaf515f67d6eaacf13 100644 (file)
@@ -2,6 +2,10 @@
 
 /etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
 
+/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/wicd/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+
 /usr/libexec/nm-dispatcher.action --   gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
 
 /sbin/wpa_cli                  --      gen_context(system_u:object_r:wpa_cli_exec_t,s0)
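Review bot: The three new wicd entries leave the `.` in `manager-settings.conf`, `wireless-settings.conf` and `wired-settings.conf` unescaped, unlike the other patterns in this file (`dispatcher\.d`), so each matches any single character in that position; write `/etc/wicd/manager-settings\.conf` and likewise for the other two. Labelling files under `/etc` as `NetworkManager_var_lib_t` is also unusual for configuration files; if the intent is to let NetworkManager_t write them, a one-line comment above the block saying so would help the next reader.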
index 2324d9e5c0e04de87171b01ebf5e2117707afae7..1a1bfe4d029d49b1fa709cef1746319c1fbc16d0 100644 (file)
@@ -135,6 +135,27 @@ interface(`networkmanager_dbus_chat',`
        allow NetworkManager_t $1:dbus send_msg;
 ')
 
+########################################
+## <summary>
+##     Send and receive messages from
+##     NetworkManager over dbus.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`networkmanager_dontaudit_dbus_chat',`
+       gen_require(`
+               type NetworkManager_t;
+               class dbus send_msg;
+       ')
+
+       dontaudit $1 NetworkManager_t:dbus send_msg;
+       dontaudit NetworkManager_t $1:dbus send_msg;
+')
+
 ########################################
 ## <summary>
 ##     Send a generic signal to NetworkManager
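Review bot: The summary for `networkmanager_dontaudit_dbus_chat` describes allowing dbus messages, but the body only emits `dontaudit` rules, so the generated documentation will present a dontaudit interface as an allow interface. The summary should read `##     Do not audit attempts to send and receive messages from NetworkManager over dbus.` and the parameter summary `##     Domain to not audit.`, matching the wording used by the other dontaudit interfaces in this tree.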
@@ -191,3 +212,50 @@ interface(`networkmanager_read_pid_files',`
        files_search_pids($1)
        allow $1 NetworkManager_var_run_t:file read_file_perms;
 ')
+
+########################################
+## <summary>
+##     Execute NetworkManager in the NetworkManager domain, and
+##     allow the specified role the NetworkManager domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     The role to be allowed the NetworkManager domain.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`networkmanager_run',`
+       gen_require(`
+               type NetworkManager_t, NetworkManager_exec_t;
+       ')
+
+       networkmanager_domtrans($1)
+       role $2 types NetworkManager_t;
+')
+
+########################################
+## <summary>
+##     Allow the specified domain to append
+##     to Network Manager log files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`networkmanager_append_log',`
+       gen_require(`
+               type NetworkManager_log_t;
+       ')
+
+       logging_search_logs($1)
+       allow $1 NetworkManager_log_t:dir list_dir_perms;
+       append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
+')
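Review bot: In `networkmanager_run` the `gen_require` lists `NetworkManager_exec_t`, which nothing in the body references; `networkmanager_domtrans($1)` carries its own require for the exec type. The require line can be reduced to `type NetworkManager_t;`, which is the only type the `role $2 types` rule needs. An unused require compiles fine but misleads readers about what the interface touches.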
index 061939528f79565e55f4ed9bb85bca6cfaa82d85..02ae4e09d19c4d7da9df3e770836f289a2d4fd0b 100644 (file)
@@ -35,7 +35,7 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
 
 # networkmanager will ptrace itself if gdb is installed
 # and it receives a unexpected signal (rh bug #204161)
-allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock };
+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock };
 dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
 allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
 allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
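Review bot: `sys_admin` is added to the NetworkManager_t capability set with no comment explaining which operation needs it, while the comment directly above only justifies `sys_ptrace`. It is the broadest capability in the set, so a one-line note such as `# sys_admin: <operation that required it — TODO confirm>` would let a later reviewer decide whether a narrower permission now suffices. The same applies to the `sys_ptrace` added to nscd_t further down in nscd.te.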
@@ -44,7 +44,7 @@ allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
 allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
 allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
-allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom };
+allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
 allow NetworkManager_t self:udp_socket create_socket_perms;
 allow NetworkManager_t self:packet_socket create_socket_perms;
 
@@ -55,6 +55,7 @@ can_exec(NetworkManager_t, NetworkManager_exec_t)
 manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
 logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
 
+can_exec(NetworkManager_t, NetworkManager_tmp_t)
 manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
 manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
 files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
@@ -141,22 +142,32 @@ sysnet_domtrans_ifconfig(NetworkManager_t)
 sysnet_domtrans_dhcpc(NetworkManager_t)
 sysnet_signal_dhcpc(NetworkManager_t)
 sysnet_read_dhcpc_pid(NetworkManager_t)
+sysnet_read_dhcp_config(NetworkManager_t)
 sysnet_delete_dhcpc_pid(NetworkManager_t)
+sysnet_kill_dhcpc(NetworkManager_t)
+sysnet_read_dhcpc_state(NetworkManager_t)
+sysnet_delete_dhcpc_state(NetworkManager_t)
 sysnet_search_dhcp_state(NetworkManager_t)
 # in /etc created by NetworkManager will be labelled net_conf_t.
 sysnet_manage_config(NetworkManager_t)
 sysnet_etc_filetrans_config(NetworkManager_t)
 
+userdom_stream_connect(NetworkManager_t)
 userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
 userdom_dontaudit_use_user_ttys(NetworkManager_t)
 # Read gnome-keyring
+userdom_read_home_certs(NetworkManager_t)
 userdom_read_user_home_content_files(NetworkManager_t)
+userdom_dgram_send(NetworkManager_t)
+
+cron_read_system_job_lib_files(NetworkManager_t)
 
 optional_policy(`
        avahi_domtrans(NetworkManager_t)
        avahi_kill(NetworkManager_t)
        avahi_signal(NetworkManager_t)
        avahi_signull(NetworkManager_t)
+       avahi_dbus_chat(NetworkManager_t)
 ')
 
 optional_policy(`
@@ -172,12 +183,14 @@ optional_policy(`
 ')
 
 optional_policy(`
-       consoletype_exec(NetworkManager_t)
+       consoletype_domtrans(NetworkManager_t)
 ')
 
 optional_policy(`
        dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
 
+       init_dbus_chat(NetworkManager_t)
+
        optional_policy(`
                consolekit_dbus_chat(NetworkManager_t)
        ')
@@ -201,6 +214,13 @@ optional_policy(`
        howl_signal(NetworkManager_t)
 ')
 
+optional_policy(`
+       ipsec_domtrans_mgmt(NetworkManager_t)
+       ipsec_kill_mgmt(NetworkManager_t)
+       ipsec_signal_mgmt(NetworkManager_t)
+       ipsec_signull_mgmt(NetworkManager_t)
+')
+
 optional_policy(`
        iptables_domtrans(NetworkManager_t)
 ')
@@ -263,6 +283,7 @@ optional_policy(`
        vpn_kill(NetworkManager_t)
        vpn_signal(NetworkManager_t)
        vpn_signull(NetworkManager_t)
+       vpn_relabelfrom_tun_socket(NetworkManager_t)
 ')
 
 ########################################
index 15448d534106c4bbd4757fb7d0eec5837b49934d..0c97dabcd6bb015028b34f7056aac70751c9a9de 100644 (file)
@@ -1,5 +1,5 @@
 /etc/rc\.d/init\.d/ypbind      --      gen_context(system_u:object_r:ypbind_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/yppasswd    --      gen_context(system_u:object_r:nis_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/yppasswdd   --      gen_context(system_u:object_r:nis_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/ypserv      --      gen_context(system_u:object_r:nis_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/ypxfrd      --      gen_context(system_u:object_r:nis_initrc_exec_t,s0)
 /etc/ypserv\.conf      --      gen_context(system_u:object_r:ypserv_conf_t,s0)
@@ -11,6 +11,7 @@
 
 /usr/sbin/rpc\.yppasswdd --    gen_context(system_u:object_r:yppasswdd_exec_t,s0)
 /usr/sbin/rpc\.ypxfrd  --      gen_context(system_u:object_r:ypxfr_exec_t,s0)
+/usr/sbin/ypbind       --      gen_context(system_u:object_r:ypbind_exec_t,s0)
 /usr/sbin/ypserv       --      gen_context(system_u:object_r:ypserv_exec_t,s0)
 
 /var/yp(/.*)?                  gen_context(system_u:object_r:var_yp_t,s0)
index abe3f7f3ad055ca0a322349a2d6b0600c39a1f46..c42c26873e69c9730db29eebb2f2cbab5a5fdba7 100644 (file)
@@ -49,12 +49,12 @@ interface(`nis_use_ypbind_uncond',`
        corenet_udp_bind_generic_node($1)
        corenet_tcp_bind_generic_port($1)
        corenet_udp_bind_generic_port($1)
-       corenet_dontaudit_tcp_bind_all_reserved_ports($1)
-       corenet_dontaudit_udp_bind_all_reserved_ports($1)
+       corenet_tcp_bind_all_rpc_ports($1)
+       corenet_udp_bind_all_rpc_ports($1)
        corenet_dontaudit_tcp_bind_all_ports($1)
        corenet_dontaudit_udp_bind_all_ports($1)
        corenet_tcp_connect_portmap_port($1)
-       corenet_tcp_connect_reserved_port($1)
+       corenet_tcp_connect_all_reserved_ports($1)
        corenet_tcp_connect_generic_port($1)
        corenet_dontaudit_tcp_connect_all_ports($1)
        corenet_sendrecv_portmap_client_packets($1)
index 85188dc77d2573f426df2ec2dcd5d843ba2691e1..ded2734a136be27f9d2e6663a26c4751d907c200 100644 (file)
@@ -119,6 +119,24 @@ interface(`nscd_socket_use',`
        dontaudit $1 nscd_var_run_t:file { getattr read };
 ')
 
+########################################
+## <summary>
+##     Use nscd services
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`nscd_use',`
+       tunable_policy(`nscd_use_shm',`
+               nscd_shm_use($1)
+       ',`
+               nscd_socket_use($1)
+       ')
+')
+
 ########################################
 ## <summary>
 ##     Use NSCD services by mapping the database from
@@ -168,7 +186,7 @@ interface(`nscd_dontaudit_search_pid',`
                type nscd_var_run_t;
        ')
 
-       dontaudit $1 nscd_var_run_t:dir search;
+       dontaudit $1 nscd_var_run_t:dir search_dir_perms;
 ')
 
 ########################################
index 7936e09ceae58a32f12f0d488243ac79f95baab9..6a174f5c307c3279b5b6703801504d9a9c36956e 100644 (file)
@@ -1,9 +1,16 @@
-policy_module(nscd, 1.10.0)
+policy_module(nscd, 1.10.1)
 
 gen_require(`
        class nscd all_nscd_perms;
 ')
 
+## <desc>
+## <p>
+## Allow confined applications to use nscd shared memory.
+## </p>
+## </desc>
+gen_tunable(nscd_use_shm, false)
+
 ########################################
 #
 # Declarations
@@ -30,7 +37,7 @@ logging_log_file(nscd_log_t)
 # Local policy
 #
 
-allow nscd_t self:capability { kill setgid setuid };
+allow nscd_t self:capability { kill setgid setuid sys_ptrace };
 dontaudit nscd_t self:capability sys_tty_config;
 allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
 allow nscd_t self:fifo_file read_fifo_file_perms;
@@ -47,9 +54,10 @@ allow nscd_t self:nscd { admin getstat };
 allow nscd_t nscd_log_t:file manage_file_perms;
 logging_log_filetrans(nscd_t, nscd_log_t, file)
 
+manage_dirs_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
 manage_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
 manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
-files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file })
+files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file dir })
 
 corecmd_search_bin(nscd_t)
 can_exec(nscd_t, nscd_exec_t)
@@ -90,6 +98,7 @@ selinux_compute_create_context(nscd_t)
 selinux_compute_relabel_context(nscd_t)
 selinux_compute_user_contexts(nscd_t)
 domain_use_interactive_fds(nscd_t)
+domain_search_all_domains_state(nscd_t)
 
 files_read_etc_files(nscd_t)
 files_read_generic_tmp_symlinks(nscd_t)
@@ -111,6 +120,10 @@ userdom_dontaudit_use_user_terminals(nscd_t)
 userdom_dontaudit_use_unpriv_user_fds(nscd_t)
 userdom_dontaudit_search_user_home_dirs(nscd_t)
 
+optional_policy(`
+       accountsd_dontaudit_rw_fifo_file(nscd_t)
+')
+
 optional_policy(`
        cron_read_system_job_tmp_files(nscd_t)
 ')
@@ -127,3 +140,16 @@ optional_policy(`
        xen_dontaudit_rw_unix_stream_sockets(nscd_t)
        xen_append_log(nscd_t)
 ')
+
+optional_policy(`
+       tunable_policy(`samba_domain_controller',`
+               samba_append_log(nscd_t)
+               samba_dontaudit_use_fds(nscd_t)
+       ')
+       samba_read_config(nscd_t)
+       samba_read_var_files(nscd_t)
+')
+
+optional_policy(`
+       unconfined_dontaudit_rw_packet_sockets(nscd_t)
+')
index 23c769cf40dcabc0b12db29e8c5c2aed9415cf9e..b94add15a06826ecb15ee45d1ebaa29b7e63656c 100644 (file)
@@ -106,9 +106,9 @@ interface(`nslcd_admin',`
        role_transition $2 nslcd_initrc_exec_t system_r;
        allow $2 system_r;
 
-       manage_files_pattern($1, nslcd_conf_t, nslcd_conf_t)
+       files_search_etc($1)
+       admin_pattern($1, nslcd_conf_t)
 
-       manage_dirs_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
-       manage_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
-       manage_lnk_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
+       files_search_pids($1)
+       admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
 ')
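Review bot: The two `admin_pattern` calls in `nslcd_admin` disagree on arity: `admin_pattern($1, nslcd_conf_t)` passes two arguments while `admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)` passes three. The third argument appears to be a leftover from the `manage_*_pattern` lines it replaced rather than something the pattern consumes; make the second call `admin_pattern($1, nslcd_var_run_t)` so both lines read the same way.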
index e80f8c06a7ca54d231c00e06c8829f3685d02ec2..6b240d98d8a72d753dc6ddd9978d8ff53a4338d2 100644 (file)
@@ -144,7 +144,7 @@ interface(`ntp_admin',`
                type ntpd_initrc_exec_t;
        ')
 
-       allow $1 ntpd_t:process { ptrace signal_perms getattr };
+       allow $1 ntpd_t:process { ptrace signal_perms };
        ps_process_pattern($1, ntpd_t)
 
        init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
index c61adc8dd530b24bd299675b7d22083c1ef55724..b5b599208bc5dc5c0c5879ec9fd68cdd560deeec 100644 (file)
@@ -96,9 +96,12 @@ corenet_sendrecv_ntp_client_packets(ntpd_t)
 dev_read_sysfs(ntpd_t)
 # for SSP
 dev_read_urand(ntpd_t)
+dev_rw_realtime_clock(ntpd_t)
 
 fs_getattr_all_fs(ntpd_t)
 fs_search_auto_mountpoints(ntpd_t)
+# Necessary to communicate with gpsd devices
+fs_rw_tmpfs_files(ntpd_t)
 
 term_use_ptmx(ntpd_t)
 
index 79a225ca0d9e1f5c98dd8515e5c8b973ed678c46..b1384ade6bb4e3f76956afe35ac974ad17cb0d19 100644 (file)
@@ -35,6 +35,7 @@ interface(`nx_read_home_files',`
 
        allow $1 nx_server_var_lib_t:dir search_dir_perms;
        read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
+       read_lnk_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
 ')
 
 ########################################
index ebb9582b24dd06c3847a87b4b7e1026e7ab30074..c1825deccabb6f8a17a6c95cd5abc0653403fcf6 100644 (file)
@@ -27,6 +27,9 @@ files_type(nx_server_var_lib_t)
 type nx_server_var_run_t;
 files_pid_file(nx_server_var_run_t)
 
+type nx_server_home_ssh_t;
+files_type(nx_server_home_ssh_t)
+
 ########################################
 #
 # NX server local policy
@@ -50,6 +53,9 @@ files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir })
 manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t)
 files_pid_filetrans(nx_server_t, nx_server_var_run_t, file)
 
+manage_dirs_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
+manage_files_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
+
 kernel_read_system_state(nx_server_t)
 kernel_read_kernel_sysctls(nx_server_t)
 
index bdf8c89312c1b4264256978c9cbc53bdd5af4c4b..5ee159840f6931bafa6133ea8be1a5d3f7789ec6 100644 (file)
@@ -1,4 +1,5 @@
 /usr/lib(64)?/oddjob/mkhomedir --      gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+/usr/libexec/oddjob/mkhomedir  --      gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
 
 /usr/sbin/oddjobd              --      gen_context(system_u:object_r:oddjob_exec_t,s0)
 
index bd76ec2634c035b9f866912aa6b7c6f7760067de..ca33ae3d9af06e94b3728953c4cdf36944b3367f 100644 (file)
@@ -22,6 +22,25 @@ interface(`oddjob_domtrans',`
        domtrans_pattern($1, oddjob_exec_t, oddjob_t)
 ')
 
+#####################################
+## <summary>
+##      Do not audit attempts to read and write 
+##      oddjob fifo file.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+#
+interface(`oddjob_dontaudit_rw_fifo_file',`
+        gen_require(`
+                type shutdown_t;
+        ')
+
+        dontaudit $1 oddjob_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
 ########################################
 ## <summary>
 ##     Make the specified program domain accessable
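Review bot: `oddjob_dontaudit_rw_fifo_file` requires `type shutdown_t;` but the only rule in its body references `oddjob_t`, so the interface is not self-contained and pulls an unrelated type into any module that calls it. The require should be `type oddjob_t;`. The body is also indented with spaces where the rest of the file uses tabs, which is worth normalising while the line is being touched.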
@@ -44,6 +63,7 @@ interface(`oddjob_system_entry',`
        ')
 
        domtrans_pattern(oddjob_t, $2, $1)
+       domain_user_exemption_target($1)
 ')
 
 ########################################
@@ -67,6 +87,24 @@ interface(`oddjob_dbus_chat',`
        allow oddjob_t $1:dbus send_msg;
 ')
 
+######################################
+## <summary>
+##      Send a SIGCHLD signal to oddjob.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`oddjob_sigchld',`
+        gen_require(`
+                type oddjob_t;
+        ')
+
+        allow $1 oddjob_t:process sigchld;
+')
+
 ########################################
 ## <summary>
 ##     Execute a domain transition to run oddjob_mkhomedir.
index cadfc63daab4a9ddd519b069b70bb605755c5eb2..ef6919f275a75f4612d8c632fca6a99c7398ebf6 100644 (file)
@@ -99,8 +99,7 @@ seutil_read_default_contexts(oddjob_mkhomedir_t)
 
 # Add/remove user home directories
 userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
-userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
-userdom_manage_user_home_content_files(oddjob_mkhomedir_t)
 userdom_manage_user_home_dirs(oddjob_mkhomedir_t)
-userdom_user_home_dir_filetrans_user_home_content(oddjob_mkhomedir_t, notdevfile_class_set)
+userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
+userdom_manage_user_home_content(oddjob_mkhomedir_t)
 
index 0a244b119afa9826a6356056fe4a5a0eaa34d989..9097656538b441c40595b62e9119f28430ab3b4c 100644 (file)
@@ -48,6 +48,7 @@ kernel_read_kernel_sysctls(oidentd_t)
 kernel_read_network_state(oidentd_t)
 kernel_read_network_state_symlinks(oidentd_t)
 kernel_read_sysctl(oidentd_t)
+kernel_request_load_module(oidentd_t)
 
 logging_send_syslog_msg(oidentd_t)
 
index 8b550f4da38e663d727c4ef8f277b5636b87bc0b..ba7c06b037ab3bfa5a0e65f6c242b24a46d726a7 100644 (file)
@@ -24,6 +24,9 @@ files_config_file(openvpn_etc_t)
 type openvpn_etc_rw_t;
 files_config_file(openvpn_etc_rw_t)
 
+type openvpn_tmp_t;
+files_tmp_file(openvpn_tmp_t)
+
 type openvpn_initrc_exec_t;
 init_script_file(openvpn_initrc_exec_t)
 
@@ -48,7 +51,7 @@ allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
 allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow openvpn_t self:udp_socket create_socket_perms;
 allow openvpn_t self:tcp_socket server_stream_socket_perms;
-allow openvpn_t self:tun_socket create;
+allow openvpn_t self:tun_socket { create_socket_perms relabelfrom };
 allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
 
 can_exec(openvpn_t, openvpn_etc_t)
@@ -58,9 +61,13 @@ read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
 manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t)
 filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
 
+manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t)
+files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
+
 allow openvpn_t openvpn_var_log_t:file manage_file_perms;
 logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
 
+manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
 manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
 files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
 
@@ -68,6 +75,7 @@ kernel_read_kernel_sysctls(openvpn_t)
 kernel_read_net_sysctls(openvpn_t)
 kernel_read_network_state(openvpn_t)
 kernel_read_system_state(openvpn_t)
+kernel_request_load_module(openvpn_t)
 
 corecmd_exec_bin(openvpn_t)
 corecmd_exec_shell(openvpn_t)
@@ -113,19 +121,19 @@ sysnet_manage_config(openvpn_t)
 sysnet_etc_filetrans_config(openvpn_t)
 
 userdom_use_user_terminals(openvpn_t)
+userdom_read_home_certs(openvpn_t)
+userdom_attach_admin_tun_iface(openvpn_t)
 
 tunable_policy(`openvpn_enable_homedirs',`
-       userdom_read_user_home_content_files(openvpn_t)
+       userdom_search_user_home_dirs(openvpn_t)
 ')
 
 tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
         fs_read_nfs_files(openvpn_t)
-        fs_read_nfs_symlinks(openvpn_t)
 ')  
 
 tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
         fs_read_cifs_files(openvpn_t)
-        fs_read_cifs_symlinks(openvpn_t)
 ')  
 
 optional_policy(`
@@ -138,3 +146,7 @@ optional_policy(`
 
        networkmanager_dbus_chat(openvpn_t)
 ')
+
+optional_policy(`
+       unconfined_attach_tun_iface(openvpn_t)
+')
index 8ac407e5f4bbeb055041153fb3ce261e92273798..4452d3b1b21b95816730f219686a1c5103a7c4a2 100644 (file)
@@ -39,6 +39,9 @@ interface(`pads_admin', `
        role_transition $2 pads_initrc_exec_t system_r;
        allow $2 system_r;
 
+       files_search_pids($1)
        admin_pattern($1, pads_var_run_t)
+
+       files_search_etc($1)
        admin_pattern($1, pads_config_t)
 ')
diff --git a/policy/modules/services/passenger.fc b/policy/modules/services/passenger.fc
new file mode 100644 (file)
index 0000000..8d00972
--- /dev/null
@@ -0,0 +1,6 @@
+
+/usr/lib(64)?/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
+
+/var/lib/passenger(/.*)?           gen_context(system_u:object_r:passenger_var_lib_t,s0)
+
+/var/run/passenger(/.*)?           gen_context(system_u:object_r:passenger_var_run_t,s0)
diff --git a/policy/modules/services/passenger.if b/policy/modules/services/passenger.if
new file mode 100644 (file)
index 0000000..7ca90f6
--- /dev/null
@@ -0,0 +1,69 @@
+## <summary>Passenger policy</summary>
+
+######################################
+## <summary>
+##      Execute passenger in the passenger domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      The type of the process performing this action.
+##      </summary>
+## </param>
+#
+interface(`passenger_domtrans',`
+        gen_require(`
+                type passenger_t;
+                type passenger_exec_t;
+        ')
+
+       allow $1 self:capability { fowner fsetid };
+
+       allow $1 passenger_t:process signal;
+
+       domtrans_pattern($1, passenger_exec_t, passenger_t)
+       allow $1 passenger_t:unix_stream_socket { read write shutdown };
+       allow passenger_t $1:unix_stream_socket { read write };
+')
+
+######################################
+## <summary>
+##      Manage passenger var_run content.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`passenger_manage_pid_content',`
+        gen_require(`
+                type passenger_var_run_t;
+        ')
+
+        files_search_pids($1)
+       manage_dirs_pattern($1, passenger_var_run_t, passenger_var_run_t)
+        manage_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
+       manage_fifo_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
+       manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
+')
+
+########################################
+## <summary>
+##      Read passenger lib files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+#
+interface(`passenger_read_lib_files',`
+        gen_require(`
+                type passenger_var_lib_t;
+        ')
+
+       files_search_var_lib($1)
+        read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+        read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+')
+
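Review bot: `passenger_domtrans` grants the caller `allow $1 self:capability { fowner fsetid };`, so any domain that calls it merely to reach passenger_t silently gains those capabilities on itself. A domtrans interface should be limited to `domtrans_pattern` plus the socket rules needed to talk to the target domain; the capability rule belongs in the caller's own policy or in a separately named interface so the grant stays visible. In the same hunk, `passenger_read_lib_files` documents its parameter as `Domain to not audit.` where `Domain allowed access.` is meant, and the indentation mixes tabs and spaces throughout.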
diff --git a/policy/modules/services/passenger.te b/policy/modules/services/passenger.te
new file mode 100644 (file)
index 0000000..9cb0d1c
--- /dev/null
@@ -0,0 +1,68 @@
+
+policy_module(passanger,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type passenger_t;
+type passenger_exec_t;
+domain_type(passenger_t)
+domain_entry_file(passenger_t, passenger_exec_t)
+role system_r types passenger_t;
+
+type passenger_tmp_t;
+files_tmp_file(passenger_tmp_t)
+
+type passenger_var_lib_t;
+files_type(passenger_var_lib_t)
+
+type passenger_var_run_t;
+files_pid_file(passenger_var_run_t)
+
+permissive passenger_t;
+
+########################################
+#
+# passanger local policy
+#
+
+allow passenger_t self:capability { dac_override fsetid fowner chown setuid setgid };
+allow passenger_t self:process signal;
+
+allow passenger_t self:fifo_file rw_fifo_file_perms;
+allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+files_search_var_lib(passenger_t)
+manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
+manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
+
+manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
+
+kernel_read_system_state(passenger_t)
+kernel_read_kernel_sysctls(passenger_t)
+
+corenet_tcp_connect_http_port(passenger_t)
+
+corecmd_exec_bin(passenger_t)
+corecmd_exec_shell(passenger_t)
+
+dev_read_urand(passenger_t)
+
+files_read_etc_files(passenger_t)
+
+auth_use_nsswitch(passenger_t)
+
+miscfiles_read_localization(passenger_t)
+
+userdom_dontaudit_use_user_terminals(passenger_t)
+
+optional_policy(`
+       apache_append_log(passenger_t)
+       apache_read_sys_content(passenger_t)
+')
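Review bot: `policy_module(passanger,1.0.0)` misspells the module name, so the built module will be named differently from the file and from every `passenger_*` identifier it declares; change it to `policy_module(passenger, 1.0.0)` and fix the `# passanger local policy` header to match. `passenger_tmp_t` is declared but no rule in the file uses it, so either the tmp rules are missing or the type should go. `permissive passenger_t;` puts the new domain in permissive mode, which is reasonable for a first cut but should be tracked so the line is removed once the policy has been exercised.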
index 3185114666cef3dd21369844bc5fe766db06386c..e2e2f67ad9878e41cec24da0a52d64f48716e995 100644 (file)
@@ -29,7 +29,7 @@ files_pid_file(pegasus_var_run_t)
 # Local policy
 #
 
-allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service };
+allow pegasus_t self:capability { chown ipc_lock sys_nice setuid setgid dac_override net_bind_service };
 dontaudit pegasus_t self:capability sys_tty_config;
 allow pegasus_t self:process signal;
 allow pegasus_t self:fifo_file rw_fifo_file_perms;
@@ -57,14 +57,17 @@ manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
 files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir })
 
 allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };
+manage_dirs_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
 manage_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
-files_pid_filetrans(pegasus_t, pegasus_var_run_t, file)
+files_pid_filetrans(pegasus_t, pegasus_var_run_t, { file dir })
 
 kernel_read_kernel_sysctls(pegasus_t)
 kernel_read_fs_sysctls(pegasus_t)
 kernel_read_system_state(pegasus_t)
 kernel_search_vm_sysctl(pegasus_t)
 kernel_read_net_sysctls(pegasus_t)
+kernel_read_xen_state(pegasus_t)
+kernel_write_xen_state(pegasus_t)
 
 corenet_all_recvfrom_unlabeled(pegasus_t)
 corenet_all_recvfrom_netlabel(pegasus_t)
@@ -95,13 +98,12 @@ files_getattr_all_dirs(pegasus_t)
 
 auth_use_nsswitch(pegasus_t)
 auth_domtrans_chk_passwd(pegasus_t)
+auth_read_shadow(pegasus_t)
 
 domain_use_interactive_fds(pegasus_t)
 domain_read_all_domains_state(pegasus_t)
 
-files_read_etc_files(pegasus_t)
-files_list_var_lib(pegasus_t)
-files_read_var_lib_files(pegasus_t)
+files_read_all_files(pegasus_t)
 files_read_var_lib_symlinks(pegasus_t)
 
 hostname_exec(pegasus_t)
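Review bot: Replacing `files_read_etc_files`, `files_list_var_lib` and `files_read_var_lib_files` with `files_read_all_files(pegasus_t)` widens the domain from two specific trees to every file type, and the same hunk adds `auth_read_shadow(pegasus_t)`. If the broader read is needed for a particular path, a comment naming it (or a narrower interface for that path) would keep the grant reviewable later. Shadow access in particular deserves a note on why the existing `auth_domtrans_chk_passwd(pegasus_t)` above was not sufficient.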
@@ -114,7 +116,6 @@ logging_send_syslog_msg(pegasus_t)
 
 miscfiles_read_localization(pegasus_t)
 
-sysnet_read_config(pegasus_t)
 sysnet_domtrans_ifconfig(pegasus_t)
 
 userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
@@ -124,6 +125,14 @@ optional_policy(`
        rpm_exec(pegasus_t)
 ')
 
+optional_policy(`
+       samba_manage_config(pegasus_t)
+')
+
+optional_policy(`
+       ssh_exec(pegasus_t)
+')
+
 optional_policy(`
        seutil_sigchld_newrole(pegasus_t)
        seutil_dontaudit_read_config(pegasus_t)
@@ -136,3 +145,13 @@ optional_policy(`
 optional_policy(`
        unconfined_signull(pegasus_t)
 ')
+
+optional_policy(`
+       virt_domtrans(pegasus_t)
+       virt_manage_config(pegasus_t)
+')
+
+optional_policy(`
+       xen_stream_connect(pegasus_t)
+       xen_stream_connect_xenstore(pegasus_t)
+')
diff --git a/policy/modules/services/piranha.fc b/policy/modules/services/piranha.fc
new file mode 100644 (file)
index 0000000..2c7e06f
--- /dev/null
@@ -0,0 +1,26 @@
+
+/etc/rc\.d/init\.d/pulse       --      gen_context(system_u:object_r:piranha_pulse_initrc_exec_t,s0)
+
+# RHEL6
+#/etc/sysconfig/ha/lvs\.cf     --      gen_context(system_u:object_r:piranha_etc_rw_t,s0)
+
+/etc/piranha/lvs\.cf           --      gen_context(system_u:object_r:piranha_etc_rw_t,s0)
+
+/usr/bin/paster         --      gen_context(system_u:object_r:piranha_web_exec_t,s0)
+
+/usr/sbin/fos               --  gen_context(system_u:object_r:piranha_fos_exec_t,s0)
+/usr/sbin/lvsd                         --      gen_context(system_u:object_r:piranha_lvs_exec_t,s0)
+/usr/sbin/piranha_gui          --      gen_context(system_u:object_r:piranha_web_exec_t,s0)
+/usr/sbin/pulse                --  gen_context(system_u:object_r:piranha_pulse_exec_t,s0)
+
+/var/lib/luci(/.*)?             gen_context(system_u:object_r:piranha_web_data_t,s0)
+/var/lib/luci/cert(/.*)?        gen_context(system_u:object_r:piranha_web_conf_t,s0)
+/var/lib/luci/etc(/.*)?         gen_context(system_u:object_r:piranha_web_conf_t,s0)
+
+/var/log/piranha(/.*)?                 gen_context(system_u:object_r:piranha_log_t,s0)
+
+/var/run/fos\.pid           --  gen_context(system_u:object_r:piranha_fos_var_run_t,s0)
+/var/run/lvs\.pid                      --      gen_context(system_u:object_r:piranha_lvs_var_run_t,s0)
+/var/run/piranha-httpd\.pid -- gen_context(system_u:object_r:piranha_web_var_run_t,s0)
+/var/run/pulse\.pid         --  gen_context(system_u:object_r:piranha_pulse_var_run_t,s0)
+
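Review bot: `/usr/bin/paster` is labeled `piranha_web_exec_t` although it appears to be a generic Python Paste launcher rather than a piranha-specific binary, so with the template's `init_daemon_domain` every init-started paster instance would enter piranha_web_t and inherit that domain's grants; if only luci is meant, label a more specific path or add a comment explaining why the generic binary is acceptable. The commented-out `/etc/sysconfig/ha/lvs\.cf` entry under `# RHEL6` is dead configuration that should be either enabled under a distro_redhat ifdef guard or removed. The trailing empty `+` line at the end of the file is stray whitespace.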
diff --git a/policy/modules/services/piranha.if b/policy/modules/services/piranha.if
new file mode 100644 (file)
index 0000000..8ecd276
--- /dev/null
@@ -0,0 +1,175 @@
+
+## <summary>policy for piranha</summary>
+
+#######################################
+## <summary>
+##  Creates types and rules for a basic
+##  cluster init daemon domain.
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+template(`piranha_domain_template',`
+
+    gen_require(`
+        attribute piranha_domain;        
+    ')
+
+       ##############################
+       #   
+       #  piranha_$1_t declarations
+       #            
+
+       type piranha_$1_t, piranha_domain;
+       type piranha_$1_exec_t;
+       init_daemon_domain(piranha_$1_t, piranha_$1_exec_t)
+
+       # pid files
+    type piranha_$1_var_run_t;
+    files_pid_file(piranha_$1_var_run_t)
+
+       ##############################
+       #   
+       #  piranha_$1_t local policy
+       #            
+
+    manage_files_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
+       manage_dirs_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
+    files_pid_filetrans(piranha_$1_t, piranha_$1_var_run_t, { file })
+')
+
+########################################
+## <summary>
+##     Execute a domain transition to run fos.
+## </summary>
+## <param name="domain">
+## <summary>
+##     Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`piranha_domtrans_fos',`
+       gen_require(`
+               type piranha_fos_t, piranha_fos_exec_t;
+       ')
+
+       domtrans_pattern($1, piranha_fos_exec_t, piranha_fos_t)
+')
+
+#######################################
+## <summary>
+##  Execute a domain transition to run lvsd.
+## </summary>
+## <param name="domain">
+## <summary>
+##  Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`piranha_domtrans_lvs',`
+    gen_require(`
+        type piranha_lvs_t, piranha_lvs_exec_t;
+    ')
+
+    domtrans_pattern($1, piranha_lvs_exec_t, piranha_lvs_t)
+')
+
+#######################################
+## <summary>
+##  Execute a domain transition to run pulse.
+## </summary>
+## <param name="domain">
+## <summary>
+##  Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`piranha_domtrans_pulse',`
+    gen_require(`
+        type piranha_pulse_t, piranha_pulse_exec_t;
+    ')
+
+    domtrans_pattern($1, piranha_pulse_exec_t, piranha_pulse_t)
+')
+
+#######################################
+## <summary>
+##  Execute pulse server in the pulse domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`piranha_pulse_initrc_domtrans',`
+    gen_require(`
+        type piranha_pulse_initrc_exec_t;
+    ')
+
+    init_labeled_script_domtrans($1, piranha_pulse_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##     Allow the specified domain to read piranha's log files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`piranha_read_log',`
+       gen_require(`
+               type piranha_log_t;
+       ')
+
+       logging_search_logs($1)
+    read_files_pattern($1, piranha_log_t, piranha_log_t)
+')
+
+########################################
+## <summary>
+##     Allow the specified domain to append
+##     piranha log files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to transition.
+##     </summary>
+## </param>
+#
+interface(`piranha_append_log',`
+       gen_require(`
+               type piranha_log_t;
+       ')
+
+       logging_search_logs($1)
+       append_files_pattern($1, piranha_log_t, piranha_log_t)
+')
+
+########################################
+## <summary>
+##     Allow domain to manage piranha log files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`piranha_manage_log',`
+       gen_require(`
+               type piranha_log_t;
+       ')
+
+       logging_search_logs($1)
+    manage_dirs_pattern($1, piranha_log_t, piranha_log_t)
+    manage_files_pattern($1, piranha_log_t, piranha_log_t)
+    manage_lnk_files_pattern($1, piranha_log_t, piranha_log_t)
+')
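Review bot: `files_pid_filetrans(piranha_$1_t, piranha_$1_var_run_t, { file })` in piranha_domain_template only transitions files even though the preceding `manage_dirs_pattern` lets the daemon create directories of that type, so a directory created under /var/run would not receive the private type; use `files_pid_filetrans(piranha_$1_t, piranha_$1_var_run_t, { file dir })`, as the pegasus change in this same commit does. Several parameter descriptions are copied from the wrong interface: piranha_append_log and piranha_manage_log document `$1` as "Domain allowed to transition." and "Domain to not audit." respectively, and the piranha_pulse_initrc_domtrans summary "Execute pulse server in the pulse domain." describes a domain transition while the body performs an init-script transition — "Domain allowed access." and "Execute the pulse init script in the init script domain." would match the code. The file also mixes tabs and four-space indentation inside single interfaces and carries trailing whitespace on the declaration-banner comment lines of the template.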
diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te
new file mode 100644 (file)
index 0000000..0a5f27d
--- /dev/null
@@ -0,0 +1,220 @@
+policy_module(piranha,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow piranha-lvs domain to connect to the network using TCP.
+## </p>
+## </desc>
+gen_tunable(piranha_lvs_can_network_connect, false)
+
+attribute piranha_domain;
+
+piranha_domain_template(fos)
+
+piranha_domain_template(lvs)
+
+piranha_domain_template(pulse)
+
+type piranha_pulse_initrc_exec_t;
+init_script_file(piranha_pulse_initrc_exec_t)
+
+piranha_domain_template(web)
+
+type piranha_web_tmpfs_t;
+files_tmpfs_file(piranha_web_tmpfs_t)
+
+type piranha_web_conf_t;
+files_type(piranha_web_conf_t)
+
+type piranha_web_data_t;
+files_type(piranha_web_data_t)
+
+type piranha_web_tmp_t;
+files_tmp_file(piranha_web_tmp_t)
+
+type piranha_etc_rw_t;
+files_type(piranha_etc_rw_t)
+
+type piranha_log_t;
+logging_log_file(piranha_log_t)
+
+#######################################
+#
+# piranha-fos local policy
+#
+
+kernel_read_kernel_sysctls(piranha_fos_t)
+
+domain_read_all_domains_state(piranha_fos_t)
+
+consoletype_exec(piranha_fos_t)
+
+# start and stop services
+init_domtrans_script(piranha_fos_t)
+
+########################################
+#
+# piranha-gui local policy
+#
+
+allow piranha_web_t self:capability { setuid sys_nice kill setgid };
+allow piranha_web_t self:process { getsched setsched signal signull ptrace };
+allow piranha_web_t self:rawip_socket create_socket_perms;
+
+allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms;
+allow piranha_web_t self:sem create_sem_perms;
+allow piranha_web_t self:shm create_shm_perms;
+
+manage_files_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t)
+manage_dirs_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t)
+files_var_lib_filetrans(piranha_web_t, piranha_web_data_t, file)
+
+read_files_pattern(piranha_web_t, piranha_web_conf_t, piranha_web_conf_t)
+
+rw_files_pattern(piranha_web_t, piranha_etc_rw_t, piranha_etc_rw_t)
+
+manage_dirs_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
+manage_files_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
+logging_log_filetrans(piranha_web_t, piranha_log_t, { dir file } )
+
+can_exec(piranha_web_t, piranha_web_tmp_t)
+manage_dirs_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
+manage_files_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
+files_tmp_filetrans(piranha_web_t, piranha_web_tmp_t, { file dir })
+
+manage_dirs_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t)
+manage_files_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t)
+fs_tmpfs_filetrans(piranha_web_t, piranha_web_tmpfs_t, { dir file })
+
+piranha_pulse_initrc_domtrans(piranha_web_t)
+
+kernel_read_kernel_sysctls(piranha_web_t)
+
+corenet_tcp_bind_http_cache_port(piranha_web_t)
+corenet_tcp_bind_luci_port(piranha_web_t)
+corenet_tcp_bind_piranha_port(piranha_web_t)
+corenet_tcp_connect_ricci_port(piranha_web_t)
+
+dev_read_urand(piranha_web_t)
+
+domain_read_all_domains_state(piranha_web_t)
+
+files_read_usr_files(piranha_web_t)
+
+consoletype_exec(piranha_web_t)
+
+optional_policy(`
+       apache_read_config(piranha_web_t)
+       apache_exec_modules(piranha_web_t)
+       apache_exec(piranha_web_t)
+')
+
+optional_policy(`
+       gnome_dontaudit_search_config(piranha_web_t)
+')
+
+optional_policy(`
+        sasl_connect(piranha_web_t)
+')
+
+######################################
+#
+# piranha-lvs local policy
+#
+
+# neede by nanny
+allow piranha_lvs_t self:capability { net_raw sys_nice };
+
+allow piranha_lvs_t self:process signal;
+
+allow piranha_lvs_t self:unix_dgram_socket create_socket_perms;
+allow piranha_lvs_t self:rawip_socket create_socket_perms;
+
+kernel_read_kernel_sysctls(piranha_lvs_t)
+
+# needed by nanny
+corenet_tcp_connect_ftp_port(piranha_lvs_t)
+corenet_tcp_connect_http_port(piranha_lvs_t)
+
+sysnet_dns_name_resolve(piranha_lvs_t)
+
+# needed by nanny
+tunable_policy(`piranha_lvs_can_network_connect',`
+    corenet_tcp_connect_all_ports(piranha_lvs_t)
+')
+
+# needed by ipvsadm
+optional_policy(`
+       iptables_domtrans(piranha_lvs_t)
+')
+
+#######################################
+#
+# piranha-pulse local policy
+#
+
+allow piranha_pulse_t self:packet_socket create_socket_perms;
+
+# pulse starts fos and lvs daemon
+domtrans_pattern(piranha_fos_t, piranha_fos_exec_t, piranha_fos_t)
+allow piranha_pulse_t piranha_fos_t:process signal;
+
+domtrans_pattern(piranha_pulse_t, piranha_lvs_exec_t, piranha_lvs_t)
+allow piranha_pulse_t piranha_lvs_t:process signal;
+
+corenet_udp_bind_apertus_ldp_port(piranha_pulse_t)
+
+sysnet_dns_name_resolve(piranha_pulse_t)
+
+optional_policy(`
+       netutils_domtrans_ping(piranha_pulse_t)
+')
+
+optional_policy(`
+    sysnet_domtrans_ifconfig(piranha_pulse_t)
+')
+
+####################################
+#
+# piranha domains common policy
+#
+
+allow piranha_domain self:fifo_file rw_fifo_file_perms;
+allow piranha_domain self:tcp_socket create_stream_socket_perms;
+allow piranha_domain self:udp_socket create_socket_perms;
+allow piranha_domain self:unix_stream_socket create_stream_socket_perms;
+
+read_files_pattern(piranha_domain, piranha_etc_rw_t, piranha_etc_rw_t)
+
+kernel_read_system_state(piranha_domain)
+kernel_read_network_state(piranha_domain)
+
+corenet_all_recvfrom_unlabeled(piranha_domain)
+corenet_all_recvfrom_netlabel(piranha_domain)
+corenet_tcp_sendrecv_generic_if(piranha_domain)
+corenet_udp_sendrecv_generic_if(piranha_domain)
+corenet_tcp_sendrecv_generic_node(piranha_domain)
+corenet_udp_sendrecv_generic_node(piranha_domain)
+corenet_tcp_sendrecv_all_ports(piranha_domain)
+corenet_udp_sendrecv_all_ports(piranha_domain)
+corenet_tcp_bind_generic_node(piranha_domain)
+corenet_udp_bind_generic_node(piranha_domain)
+
+files_read_etc_files(piranha_domain)
+
+corecmd_exec_bin(piranha_domain)
+corecmd_exec_shell(piranha_domain)
+
+libs_use_ld_so(piranha_domain)
+libs_use_shared_libs(piranha_domain)
+
+logging_send_syslog_msg(piranha_domain)
+
+miscfiles_read_localization(piranha_domain)
+
+sysnet_read_config(piranha_domain)
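Review bot: `domtrans_pattern(piranha_fos_t, piranha_fos_exec_t, piranha_fos_t)` under the "pulse starts fos and lvs daemon" comment names piranha_fos_t as the source domain, so pulse never gains the transition the comment describes while fos is granted a meaningless self-transition; the lvs line directly below shows the intended form, `domtrans_pattern(piranha_pulse_t, piranha_fos_exec_t, piranha_fos_t)` (or `piranha_domtrans_fos(piranha_pulse_t)` from the new interface file). In the piranha-gui section, `ptrace` in `allow piranha_web_t self:process { getsched setsched signal signull ptrace }` deserves a comment naming what needs it, since self-ptrace is not part of normal web-UI operation. Minor: "neede by nanny" in the lvs section is a typo for "needed by nanny".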
index 9759ed80b39dc34ea4ef38dbd30309216087fb93..fecc0dc33b1b307f568783c5c6bdaea9373e9882 100644 (file)
@@ -249,12 +249,14 @@ interface(`plymouthd_admin', `
                type plymouthd_var_run_t;
        ')
 
-       allow $1 plymouthd_t:process { ptrace signal_perms getattr };
-       read_files_pattern($1, plymouthd_t, plymouthd_t)
+       allow $1 plymouthd_t:process { ptrace signal_perms };
+       ps_process_pattern($1, plymouthd_t)
 
+       files_search_var_lib($1)
        admin_pattern($1, plymouthd_spool_t)
 
        admin_pattern($1, plymouthd_var_lib_t)
 
+       files_search_pids($1)
        admin_pattern($1, plymouthd_var_run_t)
 ')
index fb8dc84aba8110b3e719d593b10929d8003a39ed..c30505a86e5ad54e0791ac4c12b6a7f2918485eb 100644 (file)
@@ -60,10 +60,14 @@ domain_use_interactive_fds(plymouthd_t)
 files_read_etc_files(plymouthd_t)
 files_read_usr_files(plymouthd_t)
 
+term_use_unallocated_ttys(plymouthd_t)
+
 miscfiles_read_localization(plymouthd_t)
 miscfiles_read_fonts(plymouthd_t)
 miscfiles_manage_fonts_cache(plymouthd_t)
 
+userdom_read_admin_home_files(plymouthd_t)
+
 ########################################
 #
 # Plymouth private policy
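Review bot: `userdom_read_admin_home_files(plymouthd_t)` grants the boot-splash daemon read access to everything under the administrator's home directory with no comment saying which file it needs; if a specific denial drove this, a narrower interface, or at least a comment such as `# plymouthd reads <file> under /root during boot` (placeholder) above the call, would keep the grant reviewable. It is the last line of the plymouthd section in this hunk, so the comment can sit directly above it.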
@@ -74,6 +78,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
 allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
 
 kernel_read_system_state(plymouth_t)
+kernel_stream_connect(plymouth_t)
 
 domain_use_interactive_fds(plymouth_t)
 
index 27c739c97010b66c5a6b5215ed8ab5da2c27c925..c65d18f823de31dabfc5665dab814e66ad129b12 100644 (file)
@@ -6,10 +6,13 @@
 /usr/libexec/polkit-read-auth-helper   --      gen_context(system_u:object_r:policykit_auth_exec_t,s0)
 /usr/libexec/polkit-grant-helper.*     --      gen_context(system_u:object_r:policykit_grant_exec_t,s0)
 /usr/libexec/polkit-resolve-exe-helper.* --    gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
-/usr/libexec/polkitd                   --      gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/libexec/polkitd.*                 --      gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/libexec/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+/usr/libexec/polkit-1/polkitd.*                --      gen_context(system_u:object_r:policykit_exec_t,s0)
 
 /var/lib/misc/PolicyKit.reload                 gen_context(system_u:object_r:policykit_reload_t,s0)
 /var/lib/PolicyKit(/.*)?                       gen_context(system_u:object_r:policykit_var_lib_t,s0)
+/var/lib/polkit-1(/.*)?                        gen_context(system_u:object_r:policykit_var_lib_t,s0)
 /var/lib/PolicyKit-public(/.*)?                        gen_context(system_u:object_r:policykit_var_lib_t,s0)
 /var/run/PolicyKit(/.*)?                       gen_context(system_u:object_r:policykit_var_run_t,s0)
 
index 48ff1e8a38e8c840ce618bbc951d1e62acf0e812..29c9906800c064a69c431e1c4f35d66c217799f9 100644 (file)
@@ -17,10 +17,35 @@ interface(`policykit_dbus_chat',`
                class dbus send_msg;
        ')
 
+       ps_process_pattern(policykit_t, $1)
+
        allow $1 policykit_t:dbus send_msg;
        allow policykit_t $1:dbus send_msg;
 ')
 
+########################################
+## <summary>
+##     Send and receive messages from
+##     policykit over dbus.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`policykit_dbus_chat_auth',`
+       gen_require(`
+               type policykit_auth_t;
+               class dbus send_msg;
+       ')
+
+       ps_process_pattern(policykit_auth_t, $1)
+
+       allow $1 policykit_auth_t:dbus send_msg;
+       allow policykit_auth_t $1:dbus send_msg;
+')
+
 ########################################
 ## <summary>
 ##     Execute a domain transition to run polkit_auth.
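Review bot: The summary of the new policykit_dbus_chat_auth interface reads "Send and receive messages from policykit over dbus." although the body pairs `$1` with policykit_auth_t, so it is indistinguishable from policykit_dbus_chat's description; use `##     Send and receive messages from policykit_auth over dbus.` The `ps_process_pattern(policykit_t, $1)` and `ps_process_pattern(policykit_auth_t, $1)` additions let the polkit daemons inspect the calling domain's process state, which is consistent with the `domain_read_all_domains_state(policykit_t)` grant elsewhere in this commit, but a one-line comment that this is for identifying the caller would help later readers.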
@@ -62,6 +87,9 @@ interface(`policykit_run_auth',`
 
        policykit_domtrans_auth($1)
        role $2 types policykit_auth_t;
+
+       allow $1 policykit_auth_t:process signal;
+       ps_process_pattern(policykit_auth_t, $1)
 ')
 
 ########################################
@@ -206,4 +234,47 @@ interface(`policykit_read_lib',`
 
        files_search_var_lib($1)
        read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
+
+       # Broken placement
+       cron_read_system_job_lib_files($1)
+')
+
+#######################################
+## <summary>
+##     The per role template for the policykit module.
+## </summary>
+## <param name="user_role">
+##     <summary>
+##     Role allowed access
+##     </summary>
+## </param>
+## <param name="user_domain">
+##     <summary>
+##     User domain for the role
+##     </summary>
+## </param>
+#
+template(`policykit_role',`
+       policykit_run_auth($2, $1)
+       policykit_run_grant($2, $1)
+       policykit_read_lib($2)
+       policykit_read_reload($2)
+       policykit_dbus_chat($2)
+')
+########################################
+## <summary>
+##     Send generic signal to policy_auth
+## </summary>
+## <param name="domain">
+## <summary>
+##     Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`policykit_signal_auth',`
+       gen_require(`
+               type policykit_auth_t;
+       ')
+
+       allow $1 policykit_auth_t:process signal;
 ')
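Review bot: `cron_read_system_job_lib_files($1)` is called unconditionally inside policykit_read_lib, as the `# Broken placement` comment admits, which makes every caller of a policykit interface depend on the cron module and grants cron-owned content to domains that only asked for policykit's lib files; the call belongs with the specific caller that needs it (the new policykit_role template or the relevant .te) rather than in this interface. In policykit_signal_auth the summary "Send generic signal to policy_auth" should name `policykit_auth`, and its parameter is documented as "Domain allowed to transition." although no transition occurs — "Domain allowed access." matches the body. The banner comment for policykit_signal_auth also runs straight on from the closing `')` of policykit_role with no separating blank line.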
index 1e7169d87ca8b32273d5a097430965d13156a2fb..e731afa4ddb9aef8252618c961c8cb544cc91558 100644 (file)
@@ -24,6 +24,9 @@ init_system_domain(policykit_resolve_t, policykit_resolve_exec_t)
 type policykit_reload_t alias polkit_reload_t;
 files_type(policykit_reload_t)
 
+type policykit_tmp_t;
+files_tmp_file(policykit_tmp_t)
+
 type policykit_var_lib_t alias polkit_var_lib_t;
 files_type(policykit_var_lib_t)
 
@@ -35,11 +38,12 @@ files_pid_file(policykit_var_run_t)
 # policykit local policy
 #
 
-allow policykit_t self:capability { setgid setuid };
-allow policykit_t self:process getattr;
-allow policykit_t self:fifo_file rw_file_perms;
+allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_ptrace };
+allow policykit_t self:process { getsched getattr signal };
+allow policykit_t self:fifo_file rw_fifo_file_perms;
+
 allow policykit_t self:unix_dgram_socket create_socket_perms;
-allow policykit_t self:unix_stream_socket create_stream_socket_perms;
+allow policykit_t self:unix_stream_socket { create_stream_socket_perms connectto };
 
 policykit_domtrans_auth(policykit_t)
 
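Review bot: `allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_ptrace };` grants dac_override alongside dac_read_search even though dac_override already bypasses every check dac_read_search does, and neither it nor sys_ptrace carries a comment; if polkitd only needs to read other users' files and /proc entries, which the `domain_read_all_domains_state(policykit_t)` added in the next hunk suggests, `{ dac_read_search setgid setuid sys_ptrace }` is the smaller set and dac_override should be dropped. The new `connectto` on the unix_stream_socket line would likewise be easier to audit with a note on which socket it is meant for.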
@@ -56,10 +60,16 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
 manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
 files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
 
+kernel_read_system_state(policykit_t)
 kernel_read_kernel_sysctls(policykit_t)
 
+domain_read_all_domains_state(policykit_t)
+
 files_read_etc_files(policykit_t)
 files_read_usr_files(policykit_t)
+files_dontaudit_search_all_mountpoints(policykit_t)
+
+fs_list_inotifyfs(policykit_t)
 
 auth_use_nsswitch(policykit_t)
 
@@ -67,45 +77,90 @@ logging_send_syslog_msg(policykit_t)
 
 miscfiles_read_localization(policykit_t)
 
+userdom_getattr_all_users(policykit_t)
 userdom_read_all_users_state(policykit_t)
+userdom_dontaudit_search_admin_dir(policykit_t)
+
+optional_policy(`
+       dbus_system_domain(policykit_t, policykit_exec_t)
+
+       optional_policy(`
+               consolekit_dbus_chat(policykit_t)
+       ')
+
+       optional_policy(`
+               rpm_dbus_chat(policykit_t)
+       ')
+')
+
+optional_policy(`
+       consolekit_list_pid_files(policykit_t)
+       consolekit_read_pid_files(policykit_t)
+')
+
+optional_policy(`
+       gnome_read_config(policykit_t)
+')
 
 ########################################
 #
 # polkit_auth local policy
 #
 
-allow policykit_auth_t self:capability setgid;
-allow policykit_auth_t self:process getattr;
-allow policykit_auth_t self:fifo_file rw_file_perms;
+allow policykit_auth_t self:capability { ipc_lock setgid setuid };
+dontaudit policykit_auth_t self:capability sys_tty_config;
+allow policykit_auth_t self:process { getattr getsched signal };
+allow policykit_auth_t self:fifo_file rw_fifo_file_perms;
+
 allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
 allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms;
 
+policykit_dbus_chat(policykit_auth_t)
+
+kernel_read_system_state(policykit_auth_t)
+
 can_exec(policykit_auth_t, policykit_auth_exec_t)
-corecmd_search_bin(policykit_auth_t)
+corecmd_exec_bin(policykit_auth_t)
 
 rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
 
+manage_dirs_pattern(policykit_auth_t, policykit_tmp_t, policykit_tmp_t)
+manage_files_pattern(policykit_auth_t, policykit_tmp_t, policykit_tmp_t)
+files_tmp_filetrans(policykit_auth_t, policykit_tmp_t, { file dir })
+
 manage_files_pattern(policykit_auth_t, policykit_var_lib_t, policykit_var_lib_t)
 
 manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
 manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
 files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
 
-kernel_read_system_state(policykit_auth_t)
+kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
+
+dev_read_video_dev(policykit_auth_t)
 
 files_read_etc_files(policykit_auth_t)
 files_read_usr_files(policykit_auth_t)
+files_search_home(policykit_auth_t)
+
+fs_getattr_all_fs(polkit_auth_t)
+fs_search_tmpfs(polkit_auth_t)
 
 auth_use_nsswitch(policykit_auth_t)
+auth_read_var_auth(policykit_auth_t)
+auth_domtrans_chk_passwd(policykit_auth_t)
 
 logging_send_syslog_msg(policykit_auth_t)
 
 miscfiles_read_localization(policykit_auth_t)
+miscfiles_read_fonts(policykit_auth_t)
+miscfiles_setattr_fonts_cache_dirs(policykit_auth_t)
 
 userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
+userdom_dontaudit_write_user_tmp_files(policykit_auth_t)
+userdom_read_admin_home_files(policykit_auth_t)
 
 optional_policy(`
-       dbus_system_bus_client(policykit_auth_t)
+       dbus_system_domain( policykit_auth_t, policykit_auth_exec_t)
        dbus_session_bus_client(policykit_auth_t)
 
        optional_policy(`
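Review bot: `fs_getattr_all_fs(polkit_auth_t)` and `fs_search_tmpfs(polkit_auth_t)` use the alias name while every other line in the polkit_auth section uses `policykit_auth_t`; the two should be `fs_getattr_all_fs(policykit_auth_t)` and `fs_search_tmpfs(policykit_auth_t)`, and if the alias is not actually declared for this type (its declaration is outside the hunk) the module will not build. `dbus_system_domain( policykit_auth_t, policykit_auth_exec_t)` has a stray space after the opening parenthesis. The combination of `auth_domtrans_chk_passwd` and `auth_read_var_auth` is reasonable for an authentication agent but merits a comment about which PAM modules need the direct /var/lib auth access.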
@@ -118,6 +173,14 @@ optional_policy(`
        hal_read_state(policykit_auth_t)
 ')
 
+optional_policy(`
+       xserver_stream_connect(policykit_auth_t)
+       xserver_xdm_append_log(policykit_auth_t)
+       xserver_read_xdm_pid(policykit_auth_t)
+       xserver_search_xdm_lib(policykit_auth_t)
+       xserver_create_xdm_tmp_sockets(policykit_auth_t)
+')
+
 ########################################
 #
 # polkit_grant local policy
@@ -125,7 +188,8 @@ optional_policy(`
 
 allow policykit_grant_t self:capability setuid;
 allow policykit_grant_t self:process getattr;
-allow policykit_grant_t self:fifo_file rw_file_perms;
+allow policykit_grant_t self:fifo_file rw_fifo_file_perms;
+
 allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
 allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
 
@@ -155,8 +219,11 @@ miscfiles_read_localization(policykit_grant_t)
 userdom_read_all_users_state(policykit_grant_t)
 
 optional_policy(`
-       dbus_system_bus_client(policykit_grant_t)
+       cron_manage_system_job_lib_files(policykit_grant_t)
+')
 
+       optional_policy(`
+       dbus_system_bus_client(policykit_grant_t)
        optional_policy(`
                consolekit_dbus_chat(policykit_grant_t)
        ')
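Review bot: The new `optional_policy(` opener for the dbus block in the polkit_grant section is indented by a tab and its first call `dbus_system_bus_client(policykit_grant_t)` sits at the same indent as the opener, so the nesting no longer reads correctly against the cron block just above; the opener should start at column 0 with the dbus_system_bus_client line indented one tab beneath it, as the `consolekit_dbus_chat` block inside it is. The closing `')` of this re-nested block lies outside the hunk, so the balance of quotes should be double-checked in the full file.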
@@ -169,7 +236,8 @@ optional_policy(`
 
 allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
 allow policykit_resolve_t self:process getattr;
-allow policykit_resolve_t self:fifo_file rw_file_perms;
+allow policykit_resolve_t self:fifo_file rw_fifo_file_perms;
+
 allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
 allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
 
index c69d0472caa8b83650798a8f63ed796e28fc9851..1d9fa7671295a745bf3fb56a385d1d4744a85c39 100644 (file)
@@ -1,3 +1,6 @@
+
+/etc/rc\.d/init\.d/portreserve    --  gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
+
 /etc/portreserve(/.*)?                 gen_context(system_u:object_r:portreserve_etc_t,s0)
 
 /sbin/portreserve              --      gen_context(system_u:object_r:portreserve_exec_t,s0)
index 10300a02f19eb93836cd21e9baaadc260622a016..d91c1f5af9643a6ceff2d8771e8c0f546b0ab790 100644 (file)
@@ -18,6 +18,24 @@ interface(`portreserve_domtrans',`
        domtrans_pattern($1, portreserve_exec_t, portreserve_t)
 ')
 
+########################################
+## <summary>
+##     Execute portreserve in the portreserve domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`portreserve_initrc_domtrans', `
+       gen_require(`
+               type portreserve_initrc_exec_t;
+       ')
+
+       init_labeled_script_domtrans($1, portreserve_initrc_exec_t)
+')
+
 #######################################
 ## <summary>
 ##     Allow the specified domain to read
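Review bot: The summary of portreserve_initrc_domtrans, "Execute portreserve in the portreserve domain.", describes what portreserve_domtrans already does, while the body calls `init_labeled_script_domtrans`; use `##     Execute the portreserve init script in the init script domain.` so the two interfaces are distinguishable in generated documentation. The signature `interface(\`portreserve_initrc_domtrans', \`` also puts a space after the comma, unlike the existing interfaces in this file.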
@@ -64,3 +82,40 @@ interface(`portreserve_manage_config',`
        manage_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
        read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
 ')
+
+########################################
+## <summary>
+##     All of the rules required to administrate
+##     an portreserve environment.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     Role allowed access.
+##     </summary>
+## </param>
+#
+interface(`portreserve_admin', `
+       gen_require(`
+               type portreserve_t, portreserve_etc_t;
+               type portreserve_initrc_exec_t, portreserve_var_run_t;
+       ')
+
+       allow $1 portreserve_t:process { ptrace signal_perms };
+       ps_process_pattern($1, portreserve_t)
+       
+       portreserve_initrc_domtrans($1)
+       domain_system_change_exemption($1)
+       role_transition $2 portreserve_initrc_exec_t system_r;
+       allow $2 system_r;
+
+       files_search_etc($1)
+       admin_pattern($1, portreserve_etc_t)
+
+       files_search_pids($1)
+       admin_pattern($1, portreserve_var_run_t)
+')
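Review bot: The portreserve_admin summary says "an portreserve environment"; it should read "a portreserve environment". The line after `ps_process_pattern($1, portreserve_t)` is whitespace-only (a tab), which should be an empty line.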
index 4f2dae122cfbc05c2e7b52b10e410a245cda3b09..e091aba7812eebe0ed19cdd71709dd97f2b0df4d 100644 (file)
@@ -9,6 +9,9 @@ type portreserve_t;
 type portreserve_exec_t;
 init_daemon_domain(portreserve_t, portreserve_exec_t)
 
+type portreserve_initrc_exec_t;
+init_script_file(portreserve_initrc_exec_t)
+
 type portreserve_etc_t;
 files_type(portreserve_etc_t)
 
@@ -35,7 +38,7 @@ read_files_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t)
 manage_dirs_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
 manage_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
 manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
-files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file })
+files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir })
 
 corecmd_getattr_bin_files(portreserve_t)
 
@@ -47,3 +50,5 @@ corenet_tcp_bind_all_ports(portreserve_t)
 corenet_udp_bind_all_ports(portreserve_t)
 
 files_read_etc_files(portreserve_t)
+
+userdom_dontaudit_search_user_home_content(portreserve_t)
index 55e62d2c60a9e701dfcfa1b1ad1131d066fc4df2..c114a40cb2d4e9245f6448411d48d328fb6eaf48 100644 (file)
@@ -1,4 +1,5 @@
 # postfix
+/etc/rc\.d/init\.d/postfix    --  gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
 /etc/postfix(/.*)?             gen_context(system_u:object_r:postfix_etc_t,s0)
 ifdef(`distro_redhat', `
 /usr/libexec/postfix/.*        --      gen_context(system_u:object_r:postfix_exec_t,s0)
@@ -29,12 +30,10 @@ ifdef(`distro_redhat', `
 /usr/lib/postfix/smtpd --      gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
 /usr/lib/postfix/bounce        --      gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
 /usr/lib/postfix/pipe  --      gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-/usr/lib/postfix/virtual --    gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
 ')
 /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
 /etc/postfix/prng_exch --      gen_context(system_u:object_r:postfix_prng_t,s0)
 /usr/sbin/postalias    --      gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/sbin/postcat      --      gen_context(system_u:object_r:postfix_master_exec_t,s0)
 /usr/sbin/postdrop     --      gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
 /usr/sbin/postfix      --      gen_context(system_u:object_r:postfix_master_exec_t,s0)
 /usr/sbin/postkick     --      gen_context(system_u:object_r:postfix_master_exec_t,s0)
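Review bot: Dropping the `/usr/lib/postfix/virtual` entry leaves that binary at whatever default label applies to its directory, so the transition into postfix_virtual_t on it no longer happens unless another entry (for example the `/usr/libexec/postfix/.*` line in the first hunk) still covers it on the target distribution; if the removal is deliberate, the commit should say so, and the postfix_virtual_exec_t type should be retired or a comment left here. The same applies to `/usr/sbin/postcat`, which this hunk unlabels from postfix_master_exec_t — plausibly intentional for a read-only spool dump tool, but worth a note so it is not re-added later.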
index 46bee1291a2e3d30e4b898cceddc7baf942176af..cfcbac74d441f5ee1fc946609b5b28f8cfe3a5bc 100644 (file)
@@ -77,6 +77,7 @@ template(`postfix_domain_template',`
 
        files_read_etc_files(postfix_$1_t)
        files_read_etc_runtime_files(postfix_$1_t)
+       files_read_usr_files(postfix_$1_t)
        files_read_usr_symlinks(postfix_$1_t)
        files_search_spool(postfix_$1_t)
        files_getattr_tmp_dirs(postfix_$1_t)
@@ -376,6 +377,25 @@ interface(`postfix_domtrans_master',`
        domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
 ')
 
+
+########################################
+## <summary>
+##     Execute the master postfix in the postfix master domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`postfix_initrc_domtrans', `
+       gen_require(`
+               type postfix_initrc_exec_t;
+       ')
+
+       init_labeled_script_domtrans($1, postfix_initrc_exec_t)
+')
+
 ########################################
 ## <summary>
 ##     Execute the master postfix program in the
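Review bot: The summary of the new postfix_initrc_domtrans, "Execute the master postfix in the postfix master domain.", is copied from postfix_domtrans_master although the body calls `init_labeled_script_domtrans`; use `##     Execute the postfix init script in the init script domain.` There are also two blank lines between the preceding `')` and this interface's banner where the rest of the file uses one.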
@@ -527,6 +547,25 @@ interface(`postfix_domtrans_smtp',`
        domtrans_pattern($1, postfix_smtp_exec_t, postfix_smtp_t)
 ')
 
+########################################
+## <summary>
+##     Getattr postfix mail spool files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`postfix_getattr_spool_files',`
+       gen_require(`
+               attribute postfix_spool_type;
+       ')
+
+       files_search_spool($1)
+       getattr_files_pattern($1, postfix_spool_type, postfix_spool_type)
+')
+
 ########################################
 ## <summary>
 ##     Search postfix mail spool directories.
@@ -539,10 +578,10 @@ interface(`postfix_domtrans_smtp',`
 #
 interface(`postfix_search_spool',`
        gen_require(`
-               type postfix_spool_t;
+               attribute postfix_spool_type;
        ')
 
-       allow $1 postfix_spool_t:dir search_dir_perms;
+       allow $1 postfix_spool_type:dir search_dir_perms;
        files_search_spool($1)
 ')
 
@@ -558,10 +597,10 @@ interface(`postfix_search_spool',`
 #
 interface(`postfix_list_spool',`
        gen_require(`
-               type postfix_spool_t;
+               attribute postfix_spool_type;
        ')
 
-       allow $1 postfix_spool_t:dir list_dir_perms;
+       allow $1 postfix_spool_type:dir list_dir_perms;
        files_search_spool($1)
 ')
 
@@ -577,11 +616,11 @@ interface(`postfix_list_spool',`
 #
 interface(`postfix_read_spool_files',`
        gen_require(`
-               type postfix_spool_t;
+               attribute postfix_spool_type;
        ')
 
        files_search_spool($1)
-       read_files_pattern($1, postfix_spool_t, postfix_spool_t)
+       read_files_pattern($1, postfix_spool_type, postfix_spool_type)
 ')
 
 ########################################
@@ -596,11 +635,11 @@ interface(`postfix_read_spool_files',`
 #
 interface(`postfix_manage_spool_files',`
        gen_require(`
-               type postfix_spool_t;
+               attribute postfix_spool_type;
        ')
 
        files_search_spool($1)
-       manage_files_pattern($1, postfix_spool_t, postfix_spool_t)
+       manage_files_pattern($1, postfix_spool_type, postfix_spool_type)
 ')
 
 ########################################
@@ -621,3 +660,101 @@ interface(`postfix_domtrans_user_mail_handler',`
 
        typeattribute $1 postfix_user_domtrans;
 ')
+
+########################################
+## <summary>
+##     All of the rules required to administrate
+##     an postfix environment.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     Role allowed access.
+##     </summary>
+## </param>
+#
+interface(`postfix_admin', `
+       gen_require(`
+               type postfix_bounce_t, postfix_cleanup_t, postfix_local_t; 
+               type postfix_master_t, postfix_pickup_t, postfix_qmgr_t; 
+               type postfix_smtpd_t;
+
+               attribute postfix_spool_type;
+
+               type postfix_initrc_exec_t, postfix_data_t, postfix_etc_t;
+               type postfix_var_run_t;
+
+               type postfix_map_tmp_t, postfix_prng_t, postfix_public_t;
+       ')
+
+       allow $1 postfix_bounce_t:process { ptrace signal_perms };
+       ps_process_pattern($1, postfix_bounce_t)
+
+       allow $1 postfix_cleanup_t:process { ptrace signal_perms };
+       ps_process_pattern($1, postfix_cleanup_t)
+
+       allow $1 postfix_local_t:process { ptrace signal_perms };
+       ps_process_pattern($1, postfix_local_t)
+
+       allow $1 postfix_master_t:process { ptrace signal_perms };
+       ps_process_pattern($1, postfix_master_t)
+
+       allow $1 postfix_pickup_t:process { ptrace signal_perms };
+       ps_process_pattern($1, postfix_pickup_t)
+
+       allow $1 postfix_qmgr_t:process { ptrace signal_perms };
+       ps_process_pattern($1, postfix_qmgr_t)
+
+       allow $1 postfix_smtpd_t:process { ptrace signal_perms };
+       ps_process_pattern($1, postfix_smtpd_t)
+
+       postfix_run_map($1,$2)
+       postfix_run_postdrop($1,$2)
+               
+       postfix_initrc_domtrans($1)
+       domain_system_change_exemption($1)
+       role_transition $2 postfix_initrc_exec_t system_r;
+       allow $2 system_r;
+
+       admin_pattern($1, postfix_data_t) 
+
+       files_list_etc($1)
+       admin_pattern($1, postfix_etc_t)
+
+       files_search_spool($1)
+       admin_pattern($1,postfix_spool_type)    
+
+       admin_pattern($1, postfix_var_run_t)
+
+       files_search_tmp($1)
+       admin_pattern($1, postfix_map_tmp_t)
+       
+       admin_pattern($1, postfix_prng_t)
+
+       admin_pattern($1, postfix_public_t)
+')
+
+########################################
+## <summary>
+##     Execute the master postdrop in the
+##     postfix_postdrop domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`postfix_run_postdrop',`
+       gen_require(`
+               type postfix_postdrop_t;
+       ')
+
+       postfix_domtrans_postdrop($1)
+       role $2 types postfix_postdrop_t;
+')
+
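Review bot: `postfix_run_postdrop` reads a second argument (`role $2 types postfix_postdrop_t;` at L22246) but its header documents only `domain`, and the summary "Execute the master postdrop in the postfix_postdrop domain" does not describe a run interface; add a `<param name="role">` block with `##	Role allowed access.` plus a `## <rolecap/>` tag, and reword the summary to `##	Execute postdrop in the postfix_postdrop domain and allow the specified role the domain.`. `postfix_admin` calls `postfix_run_map($1,$2)` at L22203, which is not defined anywhere in this diff, so it is presumably pre-existing — worth confirming it accepts a role argument. `postfix_admin` also lacks the `## <rolecap/>` tag that `pyzor_admin` (L22790) and `qpidd_admin` (L23091) carry. Trailing whitespace is introduced on L22170, L22171, L22205, L22211, L22217 and L22223.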
index 06e37d40eafb9c68081a81931e697c73985e4ca6..87043e171d37edfeaee367f03a438aa021eb7d20 100644 (file)
@@ -5,6 +5,15 @@ policy_module(postfix, 1.12.0)
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow postfix_local domain full write access to mail_spool directories
+## 
+## </p>
+## </desc>
+gen_tunable(allow_postfix_local_write_mail_spool, false)
+
+attribute postfix_spool_type;
 attribute postfix_user_domains;
 # domains that transition to the
 # postfix user domains
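Review bot: The tunable description at L22256–L22257 contains an empty `## ` line inside the `<p>` element and no terminating period, which renders oddly in generated docs; fold it to `## Allow postfix_local domain full write access to mail_spool directories.` and drop the blank line. Since the tunable only gates `mta_manage_spool(postfix_local_t)` (L22284–L22286), the description could also say which daemon it affects so an administrator knows what enabling it unlocks.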
@@ -12,7 +21,7 @@ attribute postfix_user_domtrans;
 
 postfix_server_domain_template(bounce)
 
-type postfix_spool_bounce_t;
+type postfix_spool_bounce_t,  postfix_spool_type;
 files_type(postfix_spool_bounce_t)
 
 postfix_server_domain_template(cleanup)
@@ -26,12 +35,21 @@ application_executable_file(postfix_exec_t)
 postfix_server_domain_template(local)
 mta_mailserver_delivery(postfix_local_t)
 
+# Handle vacation script
+mta_send_mail(postfix_local_t)
+
+userdom_read_user_home_content_files(postfix_local_t)
+
+tunable_policy(`allow_postfix_local_write_mail_spool',`
+       mta_manage_spool(postfix_local_t)
+')
+
 # Program for creating database files
 type postfix_map_t;
 type postfix_map_exec_t;
 application_domain(postfix_map_t, postfix_map_exec_t)
 role system_r types postfix_map_t;
-
+     
 type postfix_map_tmp_t;
 files_tmp_file(postfix_map_tmp_t)
 
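Review bot: `userdom_read_user_home_content_files(postfix_local_t)` at L22282 is unconditional and carries no rationale; the "Handle vacation script" comment on L22279 visibly covers only the `mta_send_mail` line that follows it, so the home-content read (which exposes every user's home files to the local delivery agent) needs its own comment, e.g. `# presumably needed to read ~/.forward and vacation files — confirm` — and if it is only for that, consider whether a narrower interface exists. Separately, L22293–L22294 replace an empty line with a line containing only spaces, a whitespace-only change that should be dropped.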
@@ -41,6 +59,9 @@ typealias postfix_master_t alias postfix_t;
 # generation macro work
 mta_mailserver(postfix_t, postfix_master_exec_t)
 
+type postfix_initrc_exec_t;
+init_script_file(postfix_initrc_exec_t)
+
 postfix_server_domain_template(pickup)
 
 postfix_server_domain_template(pipe)
@@ -49,6 +70,7 @@ postfix_user_domain_template(postdrop)
 mta_mailserver_user_agent(postfix_postdrop_t)
 
 postfix_user_domain_template(postqueue)
+mta_mailserver_user_agent(postfix_postqueue_t)
 
 type postfix_private_t;
 files_type(postfix_private_t)
@@ -65,13 +87,13 @@ mta_mailserver_sender(postfix_smtp_t)
 
 postfix_server_domain_template(smtpd)
 
-type postfix_spool_t;
+type postfix_spool_t, postfix_spool_type;
 files_type(postfix_spool_t)
 
-type postfix_spool_maildrop_t;
+type postfix_spool_maildrop_t, postfix_spool_type;
 files_type(postfix_spool_maildrop_t)
 
-type postfix_spool_flush_t;
+type postfix_spool_flush_t, postfix_spool_type;
 files_type(postfix_spool_flush_t)
 
 type postfix_public_t;
@@ -99,7 +121,9 @@ allow postfix_master_t self:tcp_socket create_stream_socket_perms;
 allow postfix_master_t self:udp_socket create_socket_perms;
 allow postfix_master_t self:process setrlimit;
 
+allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
 allow postfix_master_t postfix_etc_t:file rw_file_perms;
+mta_filetrans_aliases(postfix_master_t, postfix_etc_t)
 
 can_exec(postfix_master_t, postfix_exec_t)
 
@@ -150,6 +174,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
 corenet_udp_sendrecv_generic_node(postfix_master_t)
 corenet_tcp_sendrecv_all_ports(postfix_master_t)
 corenet_udp_sendrecv_all_ports(postfix_master_t)
+corenet_udp_bind_generic_node(postfix_master_t)
+corenet_udp_bind_all_unreserved_ports(postfix_master_t)
+corenet_dontaudit_udp_bind_all_ports(postfix_master_t)
 corenet_tcp_bind_generic_node(postfix_master_t)
 corenet_tcp_bind_amavisd_send_port(postfix_master_t)
 corenet_tcp_bind_smtp_port(postfix_master_t)
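Review bot: `corenet_udp_bind_all_unreserved_ports(postfix_master_t)` at L22348 allows the master daemon to bind any unreserved UDP port, and together with `corenet_dontaudit_udp_bind_all_ports` on L22349 it hides every remaining denial, so future misbindings will not be visible in the audit log; no comment explains the need. If the purpose is ephemeral source ports for resolver traffic (an inference, not visible here), a narrower rule or at least a comment such as `# UDP source ports for DNS lookups — TODO confirm` would let the next reviewer judge it.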
@@ -167,6 +194,8 @@ corecmd_exec_bin(postfix_master_t)
 domain_use_interactive_fds(postfix_master_t)
 
 files_read_usr_files(postfix_master_t)
+files_search_var_lib(postfix_master_t)
+files_search_tmp(postfix_master_t)
 
 term_dontaudit_search_ptys(postfix_master_t)
 
@@ -303,10 +332,18 @@ optional_policy(`
        mailman_read_log(postfix_local_t)
 ')
 
+optional_policy(`
+       nagios_search_spool(postfix_local_t)
+')
+
 optional_policy(`
        procmail_domtrans(postfix_local_t)
 ')
 
+optional_policy(`
+       zarafa_deliver_domtrans(postfix_local_t)
+')
+
 ########################################
 #
 # Postfix map local policy
@@ -401,6 +438,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
 
 domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
 
+corecmd_exec_bin(postfix_pipe_t)
+
 optional_policy(`
        dovecot_domtrans_deliver(postfix_pipe_t)
 ')
@@ -420,6 +459,7 @@ optional_policy(`
 
 optional_policy(`
        spamassassin_domtrans_client(postfix_pipe_t)
+       spamassassin_kill_client(postfix_pipe_t)
 ')
 
 optional_policy(`
@@ -588,6 +628,11 @@ corecmd_exec_bin(postfix_smtpd_t)
 
 # for OpenSSL certificates
 files_read_usr_files(postfix_smtpd_t)
+
+# postfix checks the size of all mounted file systems
+fs_getattr_all_dirs(postfix_smtpd_t)
+fs_getattr_all_fs(postfix_smtpd_t)
+
 mta_read_aliases(postfix_smtpd_t)
 
 optional_policy(`
@@ -630,3 +675,8 @@ mta_delete_spool(postfix_virtual_t)
 # For reading spamassasin
 mta_read_config(postfix_virtual_t)
 mta_manage_spool(postfix_virtual_t)
+
+userdom_manage_user_home_dirs(postfix_virtual_t)
+userdom_manage_user_home_content(postfix_virtual_t)
+userdom_home_filetrans_user_home_dir(postfix_virtual_t)
+userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
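Review bot: L22415–L22418 give `postfix_virtual_t` unconditional create/delete rights over every user's home directory and all home content, whereas the comparable widening for `postfix_local_t` earlier in this file was placed behind the `allow_postfix_local_write_mail_spool` tunable (L22284); a compromised virtual delivery agent could then alter arbitrary user files, so this deserves a tunable or at minimum a comment stating which maildir layout requires it, e.g. `# virtual delivery to maildirs under user home directories`. The set literal `{file dir }` on L22418 is also inconsistent with the `{ file dir }` spelling used elsewhere in this diff (L22489, L22708).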
index 539a7c9a46079ff62b61f2350f4751adc7070d8f..2c6b7232a97f61a6dee47d8c3e24b37ce762e4d5 100644 (file)
@@ -312,10 +312,8 @@ interface(`postgresql_stream_connect',`
        ')
 
        files_search_pids($1)
-       allow $1 postgresql_t:unix_stream_socket connectto;
-       allow $1 postgresql_var_run_t:sock_file write;
-       # Some versions of postgresql put the sock file in /tmp
-       allow $1 postgresql_tmp_t:sock_file write;
+       files_search_tmp($1)
+       stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t}, { postgresql_var_run_t postgresql_tmp_t}, postgresql_t)
 ')
 
 ########################################
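Review bot: The removed comment `# Some versions of postgresql put the sock file in /tmp` was the only explanation for including `postgresql_tmp_t` in the socket set, and the replacement `stream_connect_pattern` call on L22429 drops it; restore it as a line above `files_search_tmp($1)` so the tmp entry is not "cleaned up" later. The set literals on L22429 also lack a space before the closing brace (`{ postgresql_var_run_t postgresql_tmp_t }`), unlike the rest of the policy.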
@@ -441,10 +439,13 @@ interface(`postgresql_admin',`
 
        admin_pattern($1, postgresql_var_run_t)
 
+       files_search_var_lib($1)
        admin_pattern($1, postgresql_db_t)
 
+       files_search_etc($1)
        admin_pattern($1, postgresql_etc_t)
 
+       logging_search_logs($1)
        admin_pattern($1, postgresql_log_t)
 
        admin_pattern($1, postgresql_tmp_t)
index 39abf579875b42900706a56c571de2af96bbfc1e..4a85c1230ca9779afb10939d4afcf4678f29a82c 100644 (file)
@@ -251,8 +251,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
 domain_use_interactive_fds(postgresql_t)
 
 files_dontaudit_search_home(postgresql_t)
-files_manage_etc_files(postgresql_t)
-files_search_etc(postgresql_t)
+files_read_etc_files(postgresql_t)
 files_read_etc_runtime_files(postgresql_t)
 files_read_usr_files(postgresql_t)
 
index b524673245c313d83d53757e4a503ab28bfc8646..f916c76bda58e5438a4df1ce2120402e29c6341b 100644 (file)
@@ -360,7 +360,7 @@ interface(`ppp_admin',`
                type pppd_initrc_exec_t;
        ')
 
-       allow $1 pppd_t:process { ptrace signal_perms getattr };
+       allow $1 pppd_t:process { ptrace signal_perms };
        ps_process_pattern($1, pppd_t)
 
        ppp_initrc_domtrans($1)
@@ -386,7 +386,7 @@ interface(`ppp_admin',`
        files_list_pids($1)
        admin_pattern($1, pppd_var_run_t)
 
-       allow $1 pptp_t:process { ptrace signal_perms getattr };
+       allow $1 pptp_t:process { ptrace signal_perms };
        ps_process_pattern($1, pptp_t)
 
        admin_pattern($1, pptp_log_t)
index 2af42e7c39390e57f649d67f661c1f365a479428..74f07f8a20e5ad89a5bab3b6da86e98c3d631b5f 100644 (file)
@@ -70,7 +70,7 @@ files_pid_file(pptp_var_run_t)
 # PPPD Local policy
 #
 
-allow pppd_t self:capability { kill net_admin setuid setgid fsetid fowner net_raw dac_override };
+allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override };
 dontaudit pppd_t self:capability sys_tty_config;
 allow pppd_t self:process { getsched signal };
 allow pppd_t self:fifo_file rw_fifo_file_perms;
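Review bot: L22483 adds `sys_admin` to `pppd_t`'s self capabilities without a comment; `sys_admin` is the broadest capability in the set (mounts, many privileged ioctls, and more), so it should state which pppd operation triggered the denial, e.g. `# sys_admin: <operation that needs it — TODO confirm from the AVC>`. If the denial came from a probe that pppd tolerates failing, a `dontaudit` line next to the existing `dontaudit pppd_t self:capability sys_tty_config;` on L22484 would be the safer fix — that is an inference to verify against the original audit message.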
@@ -104,8 +104,9 @@ manage_dirs_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
 manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
 files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir })
 
+manage_dirs_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
 manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
-files_pid_filetrans(pppd_t, pppd_var_run_t, file)
+files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file })
 
 allow pppd_t pptp_t:process signal;
 
@@ -194,6 +195,8 @@ optional_policy(`
 
 optional_policy(`
        mta_send_mail(pppd_t)
+       mta_system_content(pppd_etc_t)
+       mta_system_content(pppd_etc_rw_t)
 ')
 
 optional_policy(`
@@ -243,9 +246,10 @@ allow pptp_t pppd_log_t:file append_file_perms;
 allow pptp_t pptp_log_t:file manage_file_perms;
 logging_log_filetrans(pptp_t, pptp_log_t, file)
 
+manage_dirs_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
 manage_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
 manage_sock_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
-files_pid_filetrans(pptp_t, pptp_var_run_t, file)
+files_pid_filetrans(pptp_t, pptp_var_run_t, { file dir })
 
 kernel_list_proc(pptp_t)
 kernel_read_kernel_sysctls(pptp_t)
index 23166537b539aaa18f37c3644e2ee4689fffb5a2..e4d879713a92a1098b555b9b6b89ab9bd55baae4 100644 (file)
@@ -136,9 +136,16 @@ interface(`prelude_admin',`
        allow $2 system_r;
 
        admin_pattern($1, prelude_spool_t)
+
+       files_search_var_lib($1)
        admin_pattern($1, prelude_var_lib_t)
+
+       files_search_pids($1)
        admin_pattern($1, prelude_var_run_t)
        admin_pattern($1, prelude_audisp_var_run_t)
+
+       files_search_tmp($1)
        admin_pattern($1, prelude_lml_tmp_t)
+
        admin_pattern($1, prelude_lml_var_run_t)
 ')
index 1da26dc4058d56a87d181d409fb42c79097c5455..c8f6cb52e73e33dc000d1edb8ab203f996f81679 100644 (file)
@@ -24,7 +24,7 @@ interface(`privoxy_admin',`
                type privoxy_initrc_exec_t;
        ')
 
-       allow $1 privoxy_t:process { ptrace signal_perms getattr };
+       allow $1 privoxy_t:process { ptrace signal_perms };
        ps_process_pattern($1, privoxy_t)
 
        init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
index 0d295a87b6eaf130d5d85f040c24112a0907498d..19138e1a03c788841cb2f7417731fd86add90c31 100644 (file)
@@ -58,10 +58,12 @@ corenet_tcp_bind_generic_node(privoxy_t)
 corenet_tcp_bind_http_cache_port(privoxy_t)
 corenet_tcp_connect_http_port(privoxy_t)
 corenet_tcp_connect_http_cache_port(privoxy_t)
+corenet_tcp_connect_squid_port(privoxy_t)
 corenet_tcp_connect_ftp_port(privoxy_t)
 corenet_tcp_connect_pgpkeyserver_port(privoxy_t)
 corenet_tcp_connect_tor_port(privoxy_t)
 corenet_sendrecv_http_cache_client_packets(privoxy_t)
+corenet_sendrecv_squid_client_packets(privoxy_t)
 corenet_sendrecv_http_cache_server_packets(privoxy_t)
 corenet_sendrecv_http_client_packets(privoxy_t)
 corenet_sendrecv_ftp_client_packets(privoxy_t)
index 1343621bffa5893c9a49862cb473e867cecba3eb..4b36a13de3033b5c407b11b03ef581682656e70b 100644 (file)
@@ -1,3 +1,5 @@
+HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
+/root/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
 
 /usr/bin/procmail      --      gen_context(system_u:object_r:procmail_exec_t,s0)
 
index b64b02fd5a0d4ed465397c58013b4aec9d5a072d..5bfbd7b6691e1f95ad6d1e942f74157ad691734d 100644 (file)
@@ -77,3 +77,23 @@ interface(`procmail_rw_tmp_files',`
        files_search_tmp($1)
        rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
 ')
+
+########################################
+## <summary>
+##     Read procmail home directory content
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`procmail_read_home_files',`
+       gen_require(`
+               type procmail_home_t;
+       ')
+
+        userdom_search_user_home_dirs($1)
+       read_files_pattern($1, procmail_home_t, procmail_home_t)
+')
+
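Review bot: L22589 indents `userdom_search_user_home_dirs($1)` with spaces while the neighbouring lines in `procmail_read_home_files` use tabs, so the new interface is visibly misaligned; make it a single tab. The summary on L22576 could also mention that the interface grants search on user home directories as a side effect, since that is more than "read procmail home directory content".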
index 29b929563d4cded1beba89d06fe8485b134b42aa..b5588113bcd0fe65d5a72845e1c14173aafddbf0 100644 (file)
@@ -10,6 +10,9 @@ type procmail_exec_t;
 application_domain(procmail_t, procmail_exec_t)
 role system_r types procmail_t;
 
+type procmail_home_t;
+userdom_user_home_content(procmail_home_t)
+
 type procmail_log_t;
 logging_log_file(procmail_log_t) 
 
@@ -76,9 +79,15 @@ files_search_pids(procmail_t)
 files_read_usr_files(procmail_t)
 
 logging_send_syslog_msg(procmail_t)
+logging_append_all_logs(procmail_t)
 
 miscfiles_read_localization(procmail_t)
 
+list_dirs_pattern(procmail_t, procmail_home_t, procmail_home_t)
+read_files_pattern(procmail_t, procmail_home_t, procmail_home_t)
+userdom_search_user_home_dirs(procmail_t)
+userdom_search_admin_dir(procmail_t)
+
 # only works until we define a different type for maildir
 userdom_manage_user_home_content_dirs(procmail_t)
 userdom_manage_user_home_content_files(procmail_t)
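Review bot: `logging_append_all_logs(procmail_t)` at L22608 lets procmail append to every log type on the system, not just its own `procmail_log_t`, and no comment says which log it actually needs; add a rationale line such as `# procmail appends to <log type> — TODO narrow to a specific logging interface` or replace it with the narrower interface once identified. The new `procmail_home_t` block at L22612–L22615 would also benefit from a one-line comment that it covers `~/.procmailrc` (per the procmail.fc hunk at L22563–L22564) so the list/read pair is not mistaken for general home access.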
@@ -87,8 +96,8 @@ userdom_manage_user_home_content_pipes(procmail_t)
 userdom_manage_user_home_content_sockets(procmail_t)
 userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
 
-# Do not audit attempts to access /root.
-userdom_dontaudit_search_user_home_dirs(procmail_t)
+# Execute user executables
+userdom_exec_user_bin_files(procmail_t)
 
 mta_manage_spool(procmail_t)
 mta_read_queue(procmail_t)
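Review bot: L22627 replaces the `/root` search dontaudit with `userdom_exec_user_bin_files(procmail_t)`, which lets procmail run user-owned executables from home directories in `procmail_t` itself; the comment "Execute user executables" restates the rule rather than justifying it, so it should say what recipe feature this serves, e.g. `# recipes may pipe mail through scripts in the user's ~/bin — TODO confirm`. Dropping `userdom_dontaudit_search_user_home_dirs` at the same time is a separate change; it may be intentional now that `userdom_search_admin_dir(procmail_t)` is granted on L22615, but that is inferred, and a one-line note would make the pairing explicit.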
@@ -127,6 +136,10 @@ optional_policy(`
        postfix_read_master_state(procmail_t)
 ')
 
+optional_policy(`
+       nagios_search_spool(procmail_t)
+')
+
 optional_policy(`
        pyzor_domtrans(procmail_t)
        pyzor_signal(procmail_t)
index bc329d186ee0394913de95d57ff40de9f5bf0003..a5ec9f55b7c0f92aeb1605762336d60ec82e113a 100644 (file)
@@ -174,6 +174,26 @@ interface(`psad_append_log',`
        append_files_pattern($1, psad_var_log_t, psad_var_log_t)
 ')
 
+########################################
+## <summary>
+##     Allow the specified domain to write to psad's log files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`psad_write_log',`
+       gen_require(`
+               type psad_var_log_t;
+       ')
+
+       logging_search_logs($1)
+       write_files_pattern($1, psad_var_log_t, psad_var_log_t)
+')
+
 ########################################
 ## <summary>
 ##     Read and write psad fifo files.
@@ -234,7 +254,7 @@ interface(`psad_admin',`
        gen_require(`
                type psad_t, psad_var_run_t, psad_var_log_t;
                type psad_initrc_exec_t, psad_var_lib_t;
-               type psad_tmp_t;
+               type psad_tmp_t, psad_etc_t;
        ')
 
        allow $1 psad_t:process { ptrace signal_perms };
index d4000e0dc9a12beb7dc427536f05f211587163aa..c23cd1490f0ca4e07ff993f805936b7cae0073f6 100644 (file)
@@ -53,9 +53,10 @@ manage_dirs_pattern(psad_t, psad_var_log_t, psad_var_log_t)
 logging_log_filetrans(psad_t, psad_var_log_t, { file dir })
 
 # pid file
+manage_dirs_pattern(psad_t, psad_var_run_t, psad_var_run_t)
 manage_files_pattern(psad_t, psad_var_run_t, psad_var_run_t)
 manage_sock_files_pattern(psad_t, psad_var_run_t, psad_var_run_t)
-files_pid_filetrans(psad_t, psad_var_run_t, { file sock_file })
+files_pid_filetrans(psad_t, psad_var_run_t, { dir file sock_file })
 
 # tmp files
 manage_dirs_pattern(psad_t, psad_tmp_t, psad_tmp_t)
@@ -85,6 +86,7 @@ corenet_sendrecv_whois_client_packets(psad_t)
 dev_read_urand(psad_t)
 
 files_read_etc_runtime_files(psad_t)
+files_read_usr_files(psad_t)
 
 fs_getattr_all_fs(psad_t)
 
index 64c5f959c2a49b0f68436603fe0b6d4e7586e15b..95872242d8195ab00dd784613e3379b68c376fac 100644 (file)
@@ -63,7 +63,7 @@ manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
 manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
 files_search_var_lib(puppet_t)
 
-setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
+manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
 manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
 files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
 
@@ -179,21 +179,26 @@ read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
 allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr };
 allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };
 logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
+allow puppetmaster_t puppet_log_t:file relabel_file_perms;
 
 manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
 manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
+allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms;
 
 setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
 manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
 files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
+allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms;
 
 manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
 manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
 files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
+allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;
 
 kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
 kernel_read_system_state(puppetmaster_t)
 kernel_read_crypto_sysctls(puppetmaster_t)
+kernel_read_kernel_sysctls(puppetmaster_t)
 
 corecmd_exec_bin(puppetmaster_t)
 corecmd_exec_shell(puppetmaster_t)
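Review bot: L22728 grants `relabel_dir_perms` on `puppet_tmp_t`, but the surrounding block (L22725–L22727) manages `puppetmaster_tmp_t`; the other three relabel lines added in this hunk (L22714, L22718, L22723) each target the type of the block they sit in, so this looks like a typo for `allow puppetmaster_t puppetmaster_tmp_t:dir relabel_dir_perms;` — or, if relabeling the agent's tmp directory is intended, it needs a comment saying so. A short comment above the four relabel lines explaining why puppetmaster relabels its own directories (presumably applying file contexts from manifests, to be confirmed) would also help.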
@@ -214,13 +219,19 @@ domain_read_all_domains_state(puppetmaster_t)
 files_read_etc_files(puppetmaster_t)
 files_search_var_lib(puppetmaster_t)
 
+selinux_validate_context(puppetmaster_t)
+
 logging_send_syslog_msg(puppetmaster_t)
 
 miscfiles_read_localization(puppetmaster_t)
 
+seutil_read_file_contexts(puppetmaster_t)
+
 sysnet_dns_name_resolve(puppetmaster_t)
 sysnet_run_ifconfig(puppetmaster_t, system_r)
 
+mta_send_mail(puppetmaster_t)
+
 optional_policy(`
        hostname_exec(puppetmaster_t)
 ')
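Review bot: `selinux_validate_context(puppetmaster_t)` (L22741) and `seutil_read_file_contexts(puppetmaster_t)` (L22747) together suggest puppetmaster is now computing and checking labels, which is a meaningful capability for a config-management daemon, yet neither line carries a comment. Suggest `# puppetmaster validates contexts when setting file labels — TODO confirm` above L22741 so the pairing with the `relabel_*_perms` rules earlier in this file is documented.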
index d4a7750691d52d66d969294b5c936f6728acb8a8..705196e7a26003745d556a2228f2ac31bbcbf256 100644 (file)
@@ -1,6 +1,10 @@
 /etc/pyzor(/.*)?               gen_context(system_u:object_r:pyzor_etc_t, s0)
+/etc/rc\.d/init\.d/pyzord      --      gen_context(system_u:object_r:pyzord_initrc_exec_t,s0)
 
 HOME_DIR/\.pyzor(/.*)?         gen_context(system_u:object_r:pyzor_home_t,s0)
+HOME_DIR/\.spamd(/.*)?         gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.pyzor(/.*)?            gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.spamd(/.*)?            gen_context(system_u:object_r:pyzor_home_t,s0)
 
 /usr/bin/pyzor         --      gen_context(system_u:object_r:pyzor_exec_t,s0)
 /usr/bin/pyzord                --      gen_context(system_u:object_r:pyzord_exec_t,s0)
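Review bot: L22763 and L22765 label `~/.spamd` and `/root/.spamd` as `pyzor_home_t`, a directory that belongs to spamassassin rather than pyzor; this only makes sense together with the `typealias spamc_home_t alias pyzor_home_t` under `ifdef(\`distro_redhat'` in the pyzor.te hunk (L22853), and on a non-Red Hat build the spamd directory would presumably get pyzor's own type instead. Either move these two lines to spamassassin's file contexts or wrap them with a comment such as `# .spamd is owned by spamc; pyzor_home_t is aliased to spamc_home_t on distro_redhat` so the cross-module dependency is visible in the .fc file.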
index 494f7e2213dde8517104c1dc730978a05aef01f1..6443f306b813fdc55f79ff2f234d6cb3af1f1527 100644 (file)
@@ -88,3 +88,50 @@ interface(`pyzor_exec',`
        corecmd_search_bin($1)
        can_exec($1, pyzor_exec_t)
 ')
+
+########################################
+## <summary>
+##     All of the rules required to administrate
+##     an pyzor environment
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     The role to be allowed to manage the pyzor domain.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pyzor_admin',`
+       gen_require(`
+               type pyzord_t, pyzor_tmp_t, pyzord_log_t;
+               type pyzor_etc_t, pyzor_var_lib_t;
+               type pyzord_initrc_exec_t;
+       ')
+
+       allow $1 pyzord_t:process { ptrace signal_perms };
+       ps_process_pattern($1, pyzord_t)
+               
+       init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
+       domain_system_change_exemption($1)
+       role_transition $2 pyzord_initrc_exec_t system_r;
+       allow $2 system_r;
+
+       files_list_tmp($1)
+       admin_pattern($1, pyzor_tmp_t)
+
+       logging_list_logs($1)
+       admin_pattern($1, pyzord_log_t)
+
+       files_list_etc($1)
+       admin_pattern($1, pyzor_etc_t)
+
+       files_list_var_lib($1)
+       admin_pattern($1, pyzor_var_lib_t)
+')
+
+
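Review bot: `pyzor_admin` introduces a line of trailing whitespace at L22801 and two trailing blank lines at L22819–L22820; drop them. The summary on L22778 should read `##	a pyzor environment.` rather than "an pyzor environment" (the same wording appears in the postfix_admin and qpidd_admin summaries at L22155 and L23079).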
index cd683f9a4169a5cc98458912abc4b676f6710d73..2f03bad6a97780201a833417c3900e812ce529e8 100644 (file)
@@ -5,6 +5,38 @@ policy_module(pyzor, 2.1.0)
 # Declarations
 #
 
+
+ifdef(`distro_redhat',`
+
+       gen_require(`
+               type spamc_t;
+               type spamc_exec_t;
+               type spamd_t;
+               type spamd_initrc_exec_t;
+               type spamd_exec_t;
+               type spamc_tmp_t;
+               type spamd_log_t;
+               type spamd_var_lib_t;
+               type spamd_etc_t;
+               type spamc_tmp_t;
+               type spamc_home_t;
+       ')
+
+       typealias spamc_t alias pyzor_t;
+       typealias spamc_exec_t alias pyzor_exec_t;
+       typealias spamd_t alias pyzord_t;
+       typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t;
+       typealias spamd_exec_t alias pyzord_exec_t;
+       typealias spamc_tmp_t alias pyzor_tmp_t;
+       typealias spamd_log_t alias pyzor_log_t;
+       typealias spamd_log_t alias pyzord_log_t;
+       typealias spamd_var_lib_t alias pyzor_var_lib_t;
+       typealias spamd_etc_t alias pyzor_etc_t;
+       typealias spamc_home_t alias pyzor_home_t;
+       typealias spamc_home_t alias user_pyzor_home_t;
+
+',`
+
 type pyzor_t;
 type pyzor_exec_t;
 typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
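Review bot: The `gen_require` block at L22829–L22841 lists `type spamc_tmp_t;` twice (L22835 and L22839); remove the duplicate. Requiring spamassassin's types at module scope (outside any `optional_policy`) makes the pyzor module hard-depend on the spamassassin module being loaded on `distro_redhat` builds, which is presumably intended but should be stated, e.g. `# On Red Hat builds pyzor runs inside the spamassassin domains, so alias its types to them` above the `ifdef`. The `ifdef` opened here is closed by the bare `')` in the hunk ending at L22868, more than sixty lines later; a trailing `# end ifdef distro_redhat` comment after it would make the pairing readable.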
@@ -39,6 +71,7 @@ init_daemon_domain(pyzord_t, pyzord_exec_t)
 
 type pyzord_log_t;
 logging_log_file(pyzord_log_t)
+')
 
 ########################################
 #
@@ -76,12 +109,16 @@ corenet_tcp_connect_http_port(pyzor_t)
 
 dev_read_urand(pyzor_t)
 
+fs_getattr_xattr_fs(pyzor_t)
+
 files_read_etc_files(pyzor_t)
 
 auth_use_nsswitch(pyzor_t)
 
 miscfiles_read_localization(pyzor_t)
 
+mta_read_queue(pyzor_t)
+
 userdom_dontaudit_search_user_home_dirs(pyzor_t)
 
 optional_policy(`
index 355b2a28236504aca744b5d7509d7712f868378a..1b01d757e3722d5331725e5aa6c1291839543161 100644 (file)
@@ -120,6 +120,10 @@ mta_append_spool(qmail_local_t)
 
 qmail_domtrans_queue(qmail_local_t)
 
+optional_policy(`
+       uucp_domtrans(qmail_local_t)
+')
+
 optional_policy(`
        spamassassin_domtrans_client(qmail_local_t)
 ')
diff --git a/policy/modules/services/qpidd.fc b/policy/modules/services/qpidd.fc
new file mode 100644 (file)
index 0000000..f3b89e4
--- /dev/null
@@ -0,0 +1,9 @@
+
+/usr/sbin/qpidd        --      gen_context(system_u:object_r:qpidd_exec_t,s0)
+
+/etc/rc\.d/init\.d/qpidd       --      gen_context(system_u:object_r:qpidd_initrc_exec_t,s0)
+
+/var/lib/qpidd(/.*)?                   gen_context(system_u:object_r:qpidd_var_lib_t,s0)
+
+/var/run/qpidd(/.*)?                   gen_context(system_u:object_r:qpidd_var_run_t,s0)
+/var/run/qpidd\.pid                    gen_context(system_u:object_r:qpidd_var_run_t,s0)
diff --git a/policy/modules/services/qpidd.if b/policy/modules/services/qpidd.if
new file mode 100644 (file)
index 0000000..5dbca44
--- /dev/null
@@ -0,0 +1,236 @@
+
+## <summary>policy for qpidd</summary>
+
+########################################
+## <summary>
+##     Execute a domain transition to run qpidd.
+## </summary>
+## <param name="domain">
+## <summary>
+##     Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`qpidd_domtrans',`
+       gen_require(`
+               type qpidd_t, qpidd_exec_t;
+       ')
+
+       domtrans_pattern($1, qpidd_exec_t, qpidd_t)
+')
+
+
+########################################
+## <summary>
+##     Execute qpidd server in the qpidd domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`qpidd_initrc_domtrans',`
+       gen_require(`
+               type qpidd_initrc_exec_t;
+       ')
+
+       init_labeled_script_domtrans($1, qpidd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##     Read qpidd PID files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`qpidd_read_pid_files',`
+       gen_require(`
+               type qpidd_var_run_t;
+       ')
+
+       files_search_pids($1)
+       allow $1 qpidd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##     Manage qpidd var_run files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`qpidd_manage_var_run',`
+       gen_require(`
+               type qpidd_var_run_t;
+       ')
+
+         manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
+         manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
+         manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
+')
+
+
+########################################
+## <summary>
+##     Search qpidd lib directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`qpidd_search_lib',`
+       gen_require(`
+               type qpidd_var_lib_t;
+       ')
+
+       allow $1 qpidd_var_lib_t:dir search_dir_perms;
+       files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##     Read qpidd lib files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`qpidd_read_lib_files',`
+       gen_require(`
+               type qpidd_var_lib_t;
+       ')
+
+       files_search_var_lib($1)
+        read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+')
+
+########################################
+## <summary>
+##     Create, read, write, and delete
+##     qpidd lib files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`qpidd_manage_lib_files',`
+       gen_require(`
+               type qpidd_var_lib_t;
+       ')
+
+       files_search_var_lib($1)
+        manage_files_pattern($1, qpidd_var_lib_t,  qpidd_var_lib_t)
+')
+
+########################################
+## <summary>
+##     Manage qpidd var_lib files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`qpidd_manage_var_lib',`
+       gen_require(`
+               type qpidd_var_lib_t;
+       ')
+
+         manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+         manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+         manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
+')
+
+
+########################################
+## <summary>
+##     All of the rules required to administrate
+##     an qpidd environment
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     Role allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`qpidd_admin',`
+       gen_require(`
+               type qpidd_t;
+       ')
+
+       allow $1 qpidd_t:process { ptrace signal_perms };
+       ps_process_pattern($1, qpidd_t)
+               
+
+       gen_require(`
+               type qpidd_initrc_exec_t;
+       ')
+
+       # Allow qpidd_t to restart the apache service
+       qpidd_initrc_domtrans($1)
+       domain_system_change_exemption($1)
+       role_transition $2 qpidd_initrc_exec_t system_r;
+       allow $2 system_r;
+
+       qpidd_manage_var_run($1)
+
+       qpidd_manage_var_lib($1)
+
+')
+
+#####################################
+## <summary>
+##      Allow read and write access to qpidd semaphores.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`qpidd_rw_semaphores',`
+        gen_require(`
+                type qpidd_t;
+        ')
+
+        allow $1 qpidd_t:sem rw_sem_perms;
+')
+
+########################################
+## <summary>
+##      Read and write to qpidd shared memory.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`qpidd_rw_shm',`
+        gen_require(`
+                type qpidd_t;
+        ')
+
+        allow $1 qpidd_t:shm rw_shm_perms;
+')
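Review bot: The comment `# Allow qpidd_t to restart the apache service` at L23106 is a copy-paste leftover — the line below runs the qpidd init script, and the subject is the admin domain `$1`, not `qpidd_t`; replace it with `# Allow the admin domain to run the qpidd init script`. `qpidd_admin` also has a second `gen_require` in the middle of the body (L23102–L23104) that should be merged into the first as `type qpidd_t, qpidd_initrc_exec_t;`. `qpidd_manage_var_run` (L22986) and `qpidd_manage_var_lib` (L23065) grant manage rights without the parent-directory search that the sibling interfaces provide (`files_search_pids($1)` at L22972, `files_search_var_lib($1)` at L23031), so callers that do not already search `/var/run` or `/var/lib` cannot reach the objects; add those calls. Indentation is mixed throughout the new file (8 spaces at L22991–L22993, L23032, L23052, L23070–L23072, L23129–L23133 and L23147–L23151 versus tabs elsewhere), and L23100 is whitespace-only.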
diff --git a/policy/modules/services/qpidd.te b/policy/modules/services/qpidd.te
new file mode 100644 (file)
index 0000000..cf9a327
--- /dev/null
@@ -0,0 +1,59 @@
+policy_module(qpidd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type qpidd_t;
+type qpidd_exec_t;
+init_daemon_domain(qpidd_t, qpidd_exec_t)
+
+type qpidd_initrc_exec_t;
+init_script_file(qpidd_initrc_exec_t)
+
+type qpidd_var_run_t;
+files_pid_file(qpidd_var_run_t)
+
+type qpidd_var_lib_t;
+files_type(qpidd_var_lib_t)
+
+########################################
+#
+# qpidd local policy
+#
+
+allow qpidd_t self:process { setsched signull };
+allow qpidd_t self:fifo_file rw_fifo_file_perms;
+allow qpidd_t self:sem create_sem_perms;
+allow qpidd_t self:shm create_shm_perms;
+allow qpidd_t self:tcp_socket create_stream_socket_perms;
+allow qpidd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(qpidd_t, qpidd_var_lib_t,  qpidd_var_lib_t)
+manage_files_pattern(qpidd_t, qpidd_var_lib_t,  qpidd_var_lib_t)
+files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir } )
+
+manage_dirs_pattern(qpidd_t, qpidd_var_run_t,  qpidd_var_run_t)
+manage_files_pattern(qpidd_t, qpidd_var_run_t,  qpidd_var_run_t)
+files_pid_filetrans(qpidd_t, qpidd_var_run_t, { file dir })
+
+kernel_read_system_state(qpidd_t)
+
+corenet_all_recvfrom_unlabeled(qpidd_t)
+corenet_all_recvfrom_netlabel(qpidd_t)
+corenet_tcp_bind_generic_node(qpidd_t)
+corenet_tcp_sendrecv_generic_if(qpidd_t)
+corenet_tcp_sendrecv_generic_node(qpidd_t)
+corenet_tcp_sendrecv_all_ports(qpidd_t)
+corenet_tcp_bind_amqp_port(qpidd_t)
+
+dev_read_urand(qpidd_t)
+
+files_read_etc_files(qpidd_t)
+
+logging_send_syslog_msg(qpidd_t)
+
+miscfiles_read_localization(qpidd_t)
+
+sysnet_dns_name_resolve(qpidd_t)
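Review bot: `corenet_tcp_sendrecv_all_ports(qpidd_t)` grants the broker send/receive on every labelled TCP port, while the only bind in this policy is `corenet_tcp_bind_amqp_port(qpidd_t)` on the next line. If the daemon only serves AMQP, `corenet_tcp_sendrecv_amqp_port(qpidd_t)` is the narrower rule; if it also opens outbound connections (federation, clustering) a comment naming the peer ports would make the wide grant reviewable. `corenet_all_recvfrom_unlabeled` and `corenet_all_recvfrom_netlabel` are the usual pair for a network daemon and raise nothing.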
index 9a78598ec3dc7340184922128f2590aee5494998..8f132e76ecf111f2111e9d6ca2c1c972edebd35f 100644 (file)
@@ -38,7 +38,7 @@ interface(`radius_admin',`
                type radiusd_initrc_exec_t;
        ')
 
-       allow $1 radiusd_t:process { ptrace signal_perms getattr };
+       allow $1 radiusd_t:process { ptrace signal_perms };
        ps_process_pattern($1, radiusd_t)
 
        init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
index db6296acf740b0fddebdfa2462f9504edef47d9c..b3f1fd328cf64567515b86d38798b7afcad38d7c 100644 (file)
@@ -36,7 +36,7 @@ files_pid_file(radiusd_var_run_t)
 # gzip also needs chown access to preserve GID for radwtmp files
 allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
 dontaudit radiusd_t self:capability sys_tty_config;
-allow radiusd_t self:process { getsched setsched sigkill signal };
+allow radiusd_t self:process { getsched setrlimit setsched sigkill signal };
 allow radiusd_t self:fifo_file rw_fifo_file_perms;
 allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
 allow radiusd_t self:tcp_socket create_stream_socket_perms;
@@ -59,8 +59,9 @@ logging_log_filetrans(radiusd_t, radiusd_log_t,{ file dir })
 manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t)
 
 manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
+manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
 manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
-files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file })
+files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir })
 
 kernel_read_kernel_sysctls(radiusd_t)
 kernel_read_system_state(radiusd_t)
@@ -129,6 +130,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+       samba_domtrans_winbind_helper(radiusd_t)
        samba_read_var_files(radiusd_t)
 ')
 
index 1efba0c0d2d50abc9c4b7f5faa8c2e27ef30b339..71d657cacde3736e4518e7f2053aaaab0213843c 100644 (file)
@@ -1,3 +1,4 @@
+/root/\.razor(/.*)?            gen_context(system_u:object_r:razor_home_t,s0)
 HOME_DIR/\.razor(/.*)?         gen_context(system_u:object_r:razor_home_t,s0)
 
 /etc/razor(/.*)?               gen_context(system_u:object_r:razor_etc_t,s0)
index f04a5950b3b4ac03c35004075b1955b96d7ee517..13ad2fe0f5149e4414c8624d40bb4f67f661691e 100644 (file)
@@ -157,3 +157,44 @@ interface(`razor_domtrans',`
 
        domtrans_pattern($1, razor_exec_t, razor_t)
 ')
+
+########################################
+## <summary>
+##     Create, read, write, and delete razor files
+##     in a user home subdirectory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+template(`razor_manage_user_home_files',`
+       gen_require(`
+               type razor_home_t;
+       ')
+
+       userdom_search_user_home_dirs($1)
+       manage_files_pattern($1, razor_home_t, razor_home_t)
+       read_lnk_files_pattern($1, razor_home_t, razor_home_t)
+')
+
+########################################
+## <summary>
+##     read razor lib files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`razor_read_lib_files',`
+       gen_require(`
+               type razor_var_lib_t;
+       ')
+
+       files_search_var_lib($1)
+       read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
+')
+
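Review bot: `razor_manage_user_home_files` is declared with `template(` although it derives no per-user types from its argument and only emits allow rules for `$1`; by refpolicy convention that is an `interface(`, matching `razor_read_lib_files` right below it. Change the opening line to `interface(`razor_manage_user_home_files',`. The summary of `razor_read_lib_files` reads `##     read razor lib files.` — capitalise it to match the other summaries in the file.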
index 340a6c0cfdbff1dc875f9052b745a24d6cd1e0e0..eaa87069be3bf552063a0bab3538c1695968f639 100644 (file)
@@ -5,6 +5,32 @@ policy_module(razor, 2.1.1)
 # Declarations
 #
 
+ifdef(`distro_redhat',`
+
+       gen_require(`
+               type spamc_t;
+               type spamc_exec_t;
+               type spamd_log_t;
+               type spamd_spool_t;
+               type spamd_var_lib_t;
+               type spamd_etc_t;
+               type spamc_home_t;
+               type spamc_tmp_t;
+       ')
+
+       typealias spamc_t alias razor_t;
+       typealias spamc_exec_t alias razor_exec_t;
+       typealias spamd_log_t alias razor_log_t;
+       typealias spamd_var_lib_t alias razor_var_lib_t;
+       typealias spamd_etc_t alias razor_etc_t;
+       typealias spamc_home_t alias razor_home_t;
+       typealias spamc_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
+       typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
+       typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
+       typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
+
+',`
+
 type razor_exec_t;
 corecmd_executable_file(razor_exec_t)
 
@@ -14,6 +40,7 @@ files_config_file(razor_etc_t)
 type razor_home_t;
 typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
 typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
+files_poly_member(razor_home_t)
 userdom_user_home_content(razor_home_t)
 
 type razor_log_t;
@@ -100,6 +127,8 @@ manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
 manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
 files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
 
+auth_use_nsswitch(razor_t)
+
 logging_send_syslog_msg(razor_t)
 
 userdom_search_user_home_dirs(razor_t)
@@ -118,5 +147,7 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 
 optional_policy(`
-       nscd_socket_use(razor_t)
+       milter_manage_spamass_state(razor_t)
+')
+
 ')
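Review bot: The `gen_require` inside `ifdef(`distro_redhat'` pulls `spamc_t`, `spamd_log_t` and the other spamassassin types in unconditionally, so on Red Hat builds the razor module can no longer be compiled or loaded unless the spamassassin module is present — a hard cross-module dependency of the kind `optional_policy` normally avoids, and one that is not mentioned anywhere in the hunk. `spamd_spool_t` is required but never aliased and can be dropped from the list. Because `razor_t` becomes an alias of `spamc_t`, `razor_domtrans` (context of the razor.if hunk above) now transitions callers into spamc_t on distro_redhat; that is presumably the intent, but a comment above the `ifdef` stating it (`# On Red Hat razor runs as spamc, so the razor types are aliases of the spamassassin types`) would save the next reader from working it out. The `')` closing the else branch lands at the very end of the file, which is easy to miss — a trailing `# end ifdef distro_redhat` comment would help.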
index 0a760273564fa42fb85092752622fa5c6c388205..cdd05425910e5f6795c00a954901768c56af293e 100644 (file)
@@ -114,7 +114,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-       unconfined_domain(remote_login_t)
        unconfined_shell_domtrans(remote_login_t)
 ')
 
index d457736d55593c2aa027b25e8e251707fa2ad018..eabdd784399628d31bf6b28dcc15fc19c2201331 100644 (file)
@@ -16,7 +16,6 @@ interface(`resmgr_stream_connect',`
                type resmgrd_var_run_t, resmgrd_t;
        ')
 
-       allow $1 resmgrd_t:unix_stream_socket connectto;
-       allow $1 resmgrd_var_run_t:sock_file { getattr write };
        files_search_pids($1)
+       stream_connect_pattern($1, resmgrd_var_run_t, resmgrd_var_run_t, resmgrd_t)
 ')
index 3c97ef04d2b18f6fc61f9f1cfab6b3cf6e13c84c..c025d590d55baefa0346d212aab06f6be00a152f 100644 (file)
@@ -1,3 +1,5 @@
+/etc/rc\.d/init\.d/rgmanager          --  gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
+
 /usr/sbin/rgmanager                    --      gen_context(system_u:object_r:rgmanager_exec_t,s0)
 
 /var/log/cluster/rgmanager\.log                --      gen_context(system_u:object_r:rgmanager_var_log_t,s0)
index 7dc38d152288a2fc76fbe3071b09fb6e7c6f184c..aaf7c8523037e96c8078b4eec72ea4dd4af55334 100644 (file)
@@ -75,3 +75,64 @@ interface(`rgmanager_manage_tmpfs_files',`
        fs_search_tmpfs($1)
        manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
 ')
+
+#######################################
+## <summary>
+##      Allow read and write access to rgmanager semaphores.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`rgmanager_rw_semaphores',`
+        gen_require(`
+                type rgmanager_t;
+        ')
+
+        allow $1 rgmanager_t:sem { unix_read unix_write associate read write };
+')
+
+######################################
+## <summary>
+##     All of the rules required to administrate
+##     an rgmanager environment
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##      </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     The role to be allowed to manage the rgmanager domain.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rgmanager_admin',`
+       gen_require(`
+               type rgmanager_t, rgmanager_initrc_exec_t, rgmanager_tmp_t; 
+               type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t;
+        ')
+
+       allow $1 rgmanager_t:process { ptrace signal_perms };
+       ps_process_pattern($1, rgmanager_t)
+
+       init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
+       domain_system_change_exemption($1)
+       role_transition $2 rgmanager_initrc_exec_t system_r;
+       allow $2 system_r;
+
+       files_search_tmp($1)
+       admin_pattern($1, rgmanager_tmp_t)
+
+       admin_pattern($1, rgmanager_tmpfs_t)
+
+       logging_search_logs($1)
+       admin_pattern($1, rgmanager_var_log_t)
+
+       files_search_pids($1)
+       admin_pattern($1, rgmanager_var_run_t)
+')
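Review bot: `rgmanager_rw_semaphores` spells out `{ unix_read unix_write associate read write }` while the matching interfaces added in this same commit (`qpidd_rw_semaphores`, `rhcs_rw_cluster_semaphores`) use the `rw_sem_perms` set; use `allow $1 rgmanager_t:sem rw_sem_perms;` so the three stay in step. The `gen_require` of `rgmanager_admin` has a trailing space after `rgmanager_tmp_t;` and its closing `')` is indented with spaces where the rest of the file uses tabs.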
index 00fa51446e9d8b623a07965a9aa9ca760020af5c..9ab1d808a47786fde04aa389eca34185bc0a84ff 100644 (file)
@@ -17,6 +17,9 @@ type rgmanager_exec_t;
 domain_type(rgmanager_t)
 init_daemon_domain(rgmanager_t, rgmanager_exec_t)
 
+type rgmanager_initrc_exec_t;
+init_script_file(rgmanager_initrc_exec_t)
+
 type rgmanager_tmp_t;
 files_tmp_file(rgmanager_tmp_t)
 
@@ -55,11 +58,14 @@ fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file })
 manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t)
 logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file })
 
+manage_dirs_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
 manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
 manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
-files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file })
+files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file dir })
 
+kernel_kill(rgmanager_t)
 kernel_read_kernel_sysctls(rgmanager_t)
+kernel_read_rpc_sysctls(rgmanager_t)
 kernel_read_system_state(rgmanager_t)
 kernel_rw_rpc_sysctls(rgmanager_t)
 kernel_search_debugfs(rgmanager_t)
@@ -78,14 +84,19 @@ domain_read_all_domains_state(rgmanager_t)
 domain_getattr_all_domains(rgmanager_t)
 domain_dontaudit_ptrace_all_domains(rgmanager_t)
 
-files_list_all(rgmanager_t)
+files_create_var_run_dirs(rgmanager_t)
 files_getattr_all_symlinks(rgmanager_t)
+files_list_all(rgmanager_t)
 files_manage_mnt_dirs(rgmanager_t)
+files_manage_mnt_files(rgmanager_t)
+files_manage_mnt_symlinks(rgmanager_t)
+files_manage_isid_type_files(rgmanager_t)
 files_manage_isid_type_dirs(rgmanager_t)
 
 fs_getattr_xattr_fs(rgmanager_t)
 fs_getattr_all_fs(rgmanager_t)
 
+storage_raw_read_fixed_disk(rgmanager_t)
 storage_getattr_fixed_disk_dev(rgmanager_t)
 
 term_getattr_pty_fs(rgmanager_t)
@@ -139,6 +150,11 @@ optional_policy(`
        lvm_domtrans(rgmanager_t)
 ')
 
+optional_policy(`
+       ldap_initrc_domtrans(rgmanager_t)
+       ldap_domtrans(rgmanager_t)
+')
+
 optional_policy(`
        mysql_domtrans_mysql_safe(rgmanager_t)
        mysql_stream_connect(rgmanager_t)
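Review bot: `storage_raw_read_fixed_disk(rgmanager_t)` gives the domain read access to raw fixed-disk block devices, which bypasses every file label on the filesystems they hold, and nothing in the hunk says which resource agent needs it. Please add a why-comment on that line (`# <agent> reads the raw device — TODO confirm`) or, if it is only the LVM tooling that needs it, rely on the existing `lvm_domtrans(rgmanager_t)` in the later hunk instead. `files_manage_isid_type_files(rgmanager_t)` and `kernel_kill(rgmanager_t)` in the same section are similarly broad and equally uncommented.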
index c2ba53b3009f0454830e77017a65ef85004a7c64..b19961eef4eee64b27af7e4f024830a1569e44fc 100644 (file)
@@ -1,6 +1,7 @@
 /usr/sbin/dlm_controld                 --      gen_context(system_u:object_r:dlm_controld_exec_t,s0)
 /usr/sbin/fenced                       --      gen_context(system_u:object_r:fenced_exec_t,s0)
 /usr/sbin/fence_node                   --      gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_tool                    --      gen_context(system_u:object_r:fenced_exec_t,s0) 
 /usr/sbin/gfs_controld                 --      gen_context(system_u:object_r:gfs_controld_exec_t,s0)
 /usr/sbin/groupd                       --      gen_context(system_u:object_r:groupd_exec_t,s0)
 /usr/sbin/qdiskd                       --      gen_context(system_u:object_r:qdiskd_exec_t,s0)
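Review bot: The new `/usr/sbin/fence_tool` line carries trailing whitespace and one extra space before `--`, so its columns no longer line up with the neighbouring entries. Harmless to the fc parser, but `/usr/sbin/fence_tool                   --      gen_context(system_u:object_r:fenced_exec_t,s0)` keeps the file tidy.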
index de37806c6971fc2a90eb6d0bd1a0cc6bbf7da162..692830133d028a0a77c08dc3e07a0a1c2f727c09 100644 (file)
@@ -14,6 +14,8 @@
 template(`rhcs_domain_template',`
        gen_require(`
                attribute cluster_domain;
+               attribute cluster_tmpfs;
+               attribute cluster_pid;
        ')
 
        ##############################
@@ -25,13 +27,13 @@ template(`rhcs_domain_template',`
        type $1_exec_t;
        init_daemon_domain($1_t, $1_exec_t)
 
-       type $1_tmpfs_t;
+       type $1_tmpfs_t, cluster_tmpfs;
        files_tmpfs_file($1_tmpfs_t)
 
        type $1_var_log_t;
        logging_log_file($1_var_log_t)
 
-       type $1_var_run_t;
+       type $1_var_run_t, cluster_pid;
        files_pid_file($1_var_run_t)
 
        ##############################
@@ -335,6 +337,67 @@ interface(`rhcs_rw_groupd_shm',`
        manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
 ')
 
+########################################
+## <summary>
+##     Read and write to group shared memory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`rhcs_rw_cluster_shm',`
+       gen_require(`
+               attribute cluster_domain;
+               attribute cluster_tmpfs;
+       ')
+
+       allow $1 cluster_domain:shm { rw_shm_perms destroy };
+
+       fs_search_tmpfs($1)
+       manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs)
+')
+
+####################################
+## <summary>
+##      Read and write access to cluster domains semaphores.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`rhcs_rw_cluster_semaphores',`
+        gen_require(`
+               attribute cluster_domain;
+        ')
+
+        allow $1 cluster_domain:sem { rw_sem_perms destroy };
+')
+
+####################################
+## <summary>
+##  Connect to cluster domains over a unix domain
+##  stream socket.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`rhcs_stream_connect_cluster',`
+    gen_require(`
+        attribute cluster_domain;
+        attribute cluster_pid;
+    ')
+
+    files_search_pids($1)
+    stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
+')
+
 ######################################
 ## <summary>
 ##     Execute a domain transition to run qdiskd.
@@ -353,3 +416,21 @@ interface(`rhcs_domtrans_qdiskd',`
        corecmd_search_bin($1)
        domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
 ')
+
+########################################
+## <summary>
+##     Allow domain to read qdiskd tmpfs files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`rhcs_read_qdiskd_tmpfs_files',`
+       gen_require(`
+               type qdiskd_tmpfs_t;
+       ')
+
+       allow $1 qdiskd_tmpfs_t:file read_file_perms;
+')
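Review bot: The summary of `rhcs_rw_cluster_shm` says `Read and write to group shared memory.` — carried over from `rhcs_rw_groupd_shm` — while the rules it emits target `cluster_domain` and also grant `destroy` on shm plus `manage_files_pattern` on `cluster_tmpfs`, which is more than read/write. Reword it to `##     Read, write and destroy cluster domain shared memory.` and say the same for `rhcs_rw_cluster_semaphores`, which grants `destroy` too, so callers know they can tear down the cluster's IPC objects. The three new interfaces also use three different indentation styles (tabs, 8 spaces, 4 spaces) in a file that uses tabs.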
index 93c896a8d79976c683b504d572c9eb8ba787bcf1..68f2b99d1d8e87787eaec86b931a8cec994d7352 100644 (file)
@@ -13,6 +13,8 @@ policy_module(rhcs, 1.1.0)
 gen_tunable(fenced_can_network_connect, false)
 
 attribute cluster_domain;
+attribute cluster_tmpfs;
+attribute cluster_pid;
 
 rhcs_domain_template(dlm_controld)
 
@@ -55,17 +57,13 @@ fs_manage_configfs_dirs(dlm_controld_t)
 
 init_rw_script_tmp_files(dlm_controld_t)
 
-optional_policy(`
-       ccs_stream_connect(dlm_controld_t)
-')
-
 #######################################
 #
 # fenced local policy
 #
 
 allow fenced_t self:capability { sys_rawio sys_resource };
-allow fenced_t self:process getsched;
+allow fenced_t self:process { getsched signal_perms };
 
 allow fenced_t self:tcp_socket create_stream_socket_perms;
 allow fenced_t self:udp_socket create_socket_perms;
@@ -82,7 +80,10 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
 
 stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
 
+kernel_read_system_state(fenced_t)
+
 corecmd_exec_bin(fenced_t)
+corecmd_exec_shell(fenced_t)
 
 corenet_tcp_connect_http_port(fenced_t)
 
@@ -106,7 +107,6 @@ tunable_policy(`fenced_can_network_connect',`
 
 optional_policy(`
        ccs_read_config(fenced_t)
-       ccs_stream_connect(fenced_t)
 ')
 
 optional_policy(`
@@ -138,10 +138,6 @@ storage_getattr_removable_dev(gfs_controld_t)
 
 init_rw_script_tmp_files(gfs_controld_t)
 
-optional_policy(`
-       ccs_stream_connect(gfs_controld_t)
-')
-
 optional_policy(`
        lvm_exec(gfs_controld_t)
        dev_rw_lvm_control(gfs_controld_t)
@@ -168,7 +164,7 @@ init_rw_script_tmp_files(groupd_t)
 # qdiskd local policy
 #
 
-allow qdiskd_t self:capability ipc_lock;
+allow qdiskd_t self:capability { ipc_lock sys_boot };
 
 allow qdiskd_t self:tcp_socket create_stream_socket_perms;
 allow qdiskd_t self:udp_socket create_socket_perms;
@@ -206,10 +202,6 @@ storage_raw_write_fixed_disk(qdiskd_t)
 
 auth_use_nsswitch(qdiskd_t)
 
-optional_policy(`
-       ccs_stream_connect(qdiskd_t)
-')
-
 optional_policy(`
        netutils_domtrans_ping(qdiskd_t)
 ')
@@ -235,6 +227,10 @@ logging_send_syslog_msg(cluster_domain)
 
 miscfiles_read_localization(cluster_domain)
 
+optional_policy(`
+       ccs_stream_connect(cluster_domain)
+')
+
 optional_policy(`
        corosync_stream_connect(cluster_domain)
 ')
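Review bot: `sys_boot` added to qdiskd_t's capability set lets the daemon reboot the node, and `corecmd_exec_shell(fenced_t)` lets fenced run a shell; neither line explains why. qdiskd presumably reboots a node that has lost quorum and fence agents presumably are shell scripts, but a comment such as `# qdiskd reboots the node on quorum loss — confirm` on the capability line, and a matching one for the shell exec, keeps the reason next to the rule. Moving `ccs_stream_connect` from the individual daemons to `cluster_domain` in the last hunk is a tidy consolidation and raises nothing.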
index 5b08327f683f88d591d47cba420d21e616816b31..ed5dc05e51762bef7bc804eb29dd58488768724a 100644 (file)
@@ -1,3 +1,6 @@
+
+/etc/rc\.d/init\.d/ricci    --  gen_context(system_u:object_r:ricci_initrc_exec_t,s0)
+
 /usr/libexec/modcluster                --      gen_context(system_u:object_r:ricci_modcluster_exec_t,s0)
 /usr/libexec/ricci-modlog      --      gen_context(system_u:object_r:ricci_modlog_exec_t,s0)
 /usr/libexec/ricci-modrpm      --      gen_context(system_u:object_r:ricci_modrpm_exec_t,s0)
index f7826f94bbbf4019bb7f7c5cc5759dbc33bca910..ecc341c8e330dbe770aad67c861362bfddf8b7d9 100644 (file)
@@ -18,6 +18,24 @@ interface(`ricci_domtrans',`
        domtrans_pattern($1, ricci_exec_t, ricci_t)
 ')
 
+#######################################
+## <summary>
+##  Execute ricci server in the ricci domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`ricci_initrc_domtrans', `
+    gen_require(`
+        type ricci_initrc_exec_t;
+    ')
+
+    init_labeled_script_domtrans($1, ricci_initrc_exec_t)
+')
+
 ########################################
 ## <summary>
 ##     Execute a domain transition to run ricci_modcluster.
@@ -90,8 +108,25 @@ interface(`ricci_stream_connect_modclusterd',`
        ')
 
        files_search_pids($1)
-       allow $1 ricci_modcluster_var_run_t:sock_file write;
-       allow $1 ricci_modclusterd_t:unix_stream_socket connectto;
+       stream_connect_pattern($1, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t, ricci_modclusterd_t)
+')
+
+########################################
+## <summary>
+##     Read and write to ricci_modcluserd temporary file system.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`ricci_rw_modclusterd_tmpfs_files',`
+       gen_require(`
+               type ricci_modcluserd_tmpfs_t;
+       ')
+
+       allow $1 ricci_modcluserd_tmpfs_t:file rw_file_perms;
 ')
 
 ########################################
@@ -165,3 +200,67 @@ interface(`ricci_domtrans_modstorage',`
 
        domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t)
 ')
+
+####################################
+## <summary>
+##      Allow the specified domain to manage ricci's lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`ricci_manage_lib_files',`
+    gen_require(`
+        type ricci_var_lib_t;
+    ')
+
+    files_search_var_lib($1)
+    manage_dirs_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
+    manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
+')
+
+########################################
+## <summary>
+##     All of the rules required to administrate
+##     an ricci environment
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     Role allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ricci_admin',`
+       gen_require(`
+               type ricci_t, ricci_initrc_exec_t, ricci_tmp_t;
+               type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t;
+       ')
+
+       allow $1 ricci_t:process { ptrace signal_perms };
+       ps_process_pattern($1, ricci_t)
+
+       ricci_initrc_domtrans($1)
+       domain_system_change_exemption($1)
+       role_transition $2 ricci_initrc_exec_t system_r;
+       allow $2 system_r;
+
+       files_search_tmp($1)
+       admin_pattern($1, ricci_tmp_t)
+       
+       files_search_var_lib($1)
+       admin_pattern($1, ricci_var_lib_t)
+
+       logging_search_logs($1)
+       admin_pattern($1, ricci_var_log_t)
+
+       files_search_pids($1)
+       admin_pattern($1, ricci_var_run_t)
+')
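Review bot: `ricci_rw_modclusterd_tmpfs_files` requires `ricci_modcluserd_tmpfs_t`, but the type declared in ricci.te in this same commit is `ricci_modclusterd_tmpfs_t`, so any module that calls this interface fails to build with an undeclared-type error. Fix both lines: `type ricci_modclusterd_tmpfs_t;` and `allow $1 ricci_modclusterd_tmpfs_t:file rw_file_perms;`, and the `ricci_modcluserd` spelling in the summary as well. The summary of `ricci_initrc_domtrans` says it executes the ricci server; it actually runs the init script, so `##  Execute the ricci init script in the init script domain.` is more accurate.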
index 33e72e80fa70826fb456687cd62187de7f38fb0b..e2434cb61ee048ef435de571746c2969aad9df21 100644 (file)
@@ -10,6 +10,9 @@ type ricci_exec_t;
 domain_type(ricci_t)
 init_daemon_domain(ricci_t, ricci_exec_t)
 
+type ricci_initrc_exec_t;
+init_script_file(ricci_initrc_exec_t)
+
 type ricci_tmp_t;
 files_tmp_file(ricci_tmp_t)
 
@@ -42,6 +45,9 @@ type ricci_modclusterd_exec_t;
 domain_type(ricci_modclusterd_t)
 init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t)
 
+type ricci_modclusterd_tmpfs_t;
+files_tmpfs_file(ricci_modclusterd_tmpfs_t)
+
 type ricci_modlog_t;
 type ricci_modlog_exec_t;
 domain_type(ricci_modlog_t)
@@ -105,6 +111,7 @@ manage_sock_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t)
 files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file })
 
 kernel_read_kernel_sysctls(ricci_t)
+kernel_read_system_state(ricci_t)
 
 corecmd_exec_bin(ricci_t)
 
@@ -169,6 +176,10 @@ optional_policy(`
        sasl_connect(ricci_t)
 ')
 
+optional_policy(`
+       shutdown_domtrans(ricci_t)
+')
+
 optional_policy(`
        unconfined_use_fds(ricci_t)
 ')
@@ -241,8 +252,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-       # XXX This has got to go.
-       unconfined_domain(ricci_modcluster_t)
+       rgmanager_stream_connect(ricci_modclusterd_t)
 ')
 
 ########################################
@@ -261,6 +271,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms;
 allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
 allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
 
+manage_dirs_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t)
+manage_files_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t)
+fs_tmpfs_filetrans(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, { dir file })
+
 allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
 manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
 manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
@@ -272,6 +286,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock
 
 kernel_read_kernel_sysctls(ricci_modclusterd_t)
 kernel_read_system_state(ricci_modclusterd_t)
+kernel_request_load_module(ricci_modclusterd_t)
 
 corecmd_exec_bin(ricci_modclusterd_t)
 
@@ -444,6 +459,12 @@ files_read_etc_runtime_files(ricci_modstorage_t)
 files_read_usr_files(ricci_modstorage_t)
 files_read_kernel_modules(ricci_modstorage_t)
 
+files_create_default_dir(ricci_modstorage_t)
+files_root_filetrans_default(ricci_modstorage_t, dir)
+files_mounton_default(ricci_modstorage_t)
+files_manage_default_dirs(ricci_modstorage_t)
+files_manage_default_files(ricci_modstorage_t)
+
 storage_raw_read_fixed_disk(ricci_modstorage_t)
 
 term_dontaudit_use_console(ricci_modstorage_t)
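Review bot: The five `files_*default*` rules for ricci_modstorage_t let it create directories directly under `/` labelled default_t, mount on them and manage any default_t file or directory, with no comment on what modstorage does with them. Presumably it creates mount points for newly provisioned storage — a why-comment such as `# modstorage creates mount points under / for new volumes — TODO confirm` would make the grant reviewable. The swap of `unconfined_domain(ricci_modcluster_t)` for `rgmanager_stream_connect(ricci_modclusterd_t)` also changes the subject from ricci_modcluster_t to ricci_modclusterd_t; both types exist, so this looks intended, but it is worth confirming that modcluster itself no longer needs anything from that block.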
index 27853373e9f1ce2ed61e76c9b0eb6a71f5ae0c97..c3c2775c378eed691d090b20b9d0d55a24f49041 100644 (file)
@@ -1,4 +1,7 @@
 HOME_DIR/\.rlogin              --      gen_context(system_u:object_r:rlogind_home_t,s0)
+HOME_DIR/\.rhosts              --      gen_context(system_u:object_r:rlogind_home_t,s0)
+/root/\.rlogin                 --      gen_context(system_u:object_r:rlogind_home_t,s0)
+/root/\.rhosts         --      gen_context(system_u:object_r:rlogind_home_t,s0)
 
 /usr/kerberos/sbin/klogind     --      gen_context(system_u:object_r:rlogind_exec_t,s0)
 
index 779fa445fcf76714cdaf4f26a7f630f05aa6f35d..29a5d0daed2a711671ebd6bb62c4309e88d904ab 100644 (file)
@@ -43,7 +43,6 @@ can_exec(rlogind_t, rlogind_exec_t)
 
 manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
 manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
-files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { file dir })
 
 manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
 files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
@@ -71,6 +70,7 @@ fs_search_auto_mountpoints(rlogind_t)
 auth_domtrans_chk_passwd(rlogind_t)
 auth_rw_login_records(rlogind_t)
 auth_use_nsswitch(rlogind_t)
+auth_login_pgm_domain(rlogind_t)
 
 files_read_etc_files(rlogind_t)
 files_read_etc_runtime_files(rlogind_t)
@@ -88,6 +88,9 @@ seutil_read_config(rlogind_t)
 userdom_setattr_user_ptys(rlogind_t)
 # cjp: this is egregious
 userdom_read_user_home_content_files(rlogind_t)
+userdom_search_admin_dir(rlogind_t)
+userdom_manage_user_tmp_files(rlogind_t)
+userdom_tmp_filetrans_user_tmp(rlogind_t, file)
 
 remotelogin_domtrans(rlogind_t)
 remotelogin_signal(rlogind_t)
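Review bot: Removing `files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { file dir })` while keeping the `manage_dirs_pattern`/`manage_files_pattern` rules on rlogind_tmp_t leaves that type with rules but nothing that creates it; if temporary files are now meant to be user_tmp_t via the new `userdom_tmp_filetrans_user_tmp(rlogind_t, file)`, the two rlogind_tmp_t patterns (and probably the type declaration, which is outside the hunk) can go too, otherwise a comment on why the type stays is needed. `userdom_manage_user_tmp_files(rlogind_t)` gives a login daemon write access to every user's tmp files, in the same spirit as the `# cjp: this is egregious` remark just above it, and deserves the same kind of marker.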
index cda37bb6f43f7d745aa4584fbd43654292da00cb..b65be0ccc3f56b9ef22b433cbf03f8abd4ab1390 100644 (file)
@@ -246,6 +246,26 @@ interface(`rpc_domtrans_rpcd',`
        allow rpcd_t $1:process signal;
 ')
 
+########################################
+## <summary>
+##     Execute rpcd in the rcpd domain, and
+##     allow the specified role the rpcd domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     The role to be allowed the rpcd domain.
+##     </summary>
+## </param>
+#
+interface(`rpc_run_rpcd',`
+       gen_require(`
+               type rpcd_t;
+       ')
+
+       rpc_domtrans_rpcd($1)
+       role $2 types rpcd_t;
+')
+
 #######################################
 ## <summary>
 ##     Execute domain in rpcd domain.
@@ -414,4 +434,5 @@ interface(`rpc_manage_nfs_state_data',`
 
        files_search_var_lib($1)
        manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+       allow $1 var_lib_nfs_t:file relabel_file_perms;
 ')
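Review bot: `rpc_run_rpcd` uses `$2` as a role but documents only one parameter, and that one is named `domain` while its summary describes the role; the doc block should list `<param name="domain">` with summary `Domain allowed access.`, a second `<param name="role">` with summary `The role to be allowed the rpcd domain.`, and a `<rolecap/>` tag, as other run-style interfaces do. The summary also misspells the domain as `rcpd`. In the last hunk, `rpc_manage_nfs_state_data` quietly gains `relabel_file_perms` on var_lib_nfs_t; its summary, which is outside the hunk, should say that it also allows relabelling.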
index 8e1ab72cf42e1df56e1483f23b1d225500a08fae..9ae080e2286f8e571fb7d8db6412e85b6da40d34 100644 (file)
@@ -63,8 +63,9 @@ allow rpcd_t self:process { getcap setcap };
 allow rpcd_t self:fifo_file rw_fifo_file_perms;
 
 allow rpcd_t rpcd_var_run_t:dir setattr;
+manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
 manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
-files_pid_filetrans(rpcd_t, rpcd_var_run_t, file)
+files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir })
 
 # rpc.statd executes sm-notify
 can_exec(rpcd_t, rpcd_exec_t)
@@ -97,15 +98,26 @@ miscfiles_read_generic_certs(rpcd_t)
 
 seutil_dontaudit_search_config(rpcd_t)
 
+userdom_signal_unpriv_users(rpcd_t)
+userdom_read_user_home_content_files(rpcd_t)
+
 optional_policy(`
        automount_signal(rpcd_t)
        automount_dontaudit_write_pipes(rpcd_t)
 ')
 
+optional_policy(`
+       domain_unconfined_signal(rpcd_t)
+')
+
 optional_policy(`
        nis_read_ypserv_config(rpcd_t)
 ')
 
+optional_policy(`
+       rgmanager_manage_tmp_files(rpcd_t)
+')
+
 ########################################
 #
 # NFSD local policy
@@ -120,6 +132,7 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
 kernel_read_system_state(nfsd_t)
 kernel_read_network_state(nfsd_t)
 kernel_dontaudit_getattr_core_if(nfsd_t)
+kernel_setsched(nfsd_t)
 
 corenet_tcp_bind_all_rpc_ports(nfsd_t)
 corenet_udp_bind_all_rpc_ports(nfsd_t)
@@ -160,6 +173,7 @@ tunable_policy(`nfs_export_all_rw',`
        fs_read_noxattr_fs_files(nfsd_t)
        auth_manage_all_files_except_shadow(nfsd_t)
 ')
+userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
 
 tunable_policy(`nfs_export_all_ro',`
        dev_getattr_all_blk_files(nfsd_t)
@@ -218,6 +232,8 @@ tunable_policy(`allow_gssd_read_tmp',`
        userdom_list_user_tmp(gssd_t)
        userdom_read_user_tmp_files(gssd_t)
        userdom_read_user_tmp_symlinks(gssd_t)
+       userdom_write_user_tmp_files(gssd_t)
+       files_read_generic_tmp_files(gssd_t)
 ')
 
 optional_policy(`
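Review bot: `userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })` sits directly after the `')` that closes `tunable_policy(`nfs_export_all_rw'`, so it is unconditional rather than gated by the tunable as its placement suggests; if it belongs with the rw-export case, move it inside the block, otherwise separate it with a blank line and a comment. In the gssd hunk, `userdom_write_user_tmp_files(gssd_t)` is placed under `allow_gssd_read_tmp`, whose name (and presumably its tunable description) promises read-only access, so either the tunable documentation needs updating or the write grant needs its own tunable. The `optional_policy` wrapper around `domain_unconfined_signal(rpcd_t)` is unnecessary, since the domain module is part of the base policy.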
index f5c47d647530da33476ca6cc4dd6bf2c530b3b36..5a965e954ec42d5812227fd5c350b753cad1780f 100644 (file)
@@ -2,6 +2,7 @@
 
 /sbin/rpcbind          --      gen_context(system_u:object_r:rpcbind_exec_t,s0)
 
+/var/cache/rpcbind(/.*)?       gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
 /var/lib/rpcbind(/.*)?         gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
 
 /var/run/rpc.statd\.pid        --      gen_context(system_u:object_r:rpcbind_var_run_t,s0)
index a96249cf9490a3052a4d9171bc0b8cbf1aa6c801..5a4d69d2b01b0c68321f8c97eefc16ac664cab14 100644 (file)
@@ -34,8 +34,7 @@ interface(`rpcbind_stream_connect',`
        ')
 
        files_search_pids($1)
-       allow $1 rpcbind_var_run_t:sock_file write;
-       allow $1 rpcbind_t:unix_stream_socket connectto;
+       stream_connect_pattern($1, rpcbind_var_run_t, rpcbind_var_run_t, rpcbind_t)
 ')
 
 ########################################
@@ -141,8 +140,14 @@ interface(`rpcbind_admin',`
        allow $1 rpcbind_t:process { ptrace signal_perms };
        ps_process_pattern($1, rpcbind_t)
 
-       init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)
+       init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)
        domain_system_change_exemption($1)
        role_transition $2 rpcbind_initrc_exec_t system_r;
        allow $2 system_r;
+
+       files_search_var_lib($1)
+       admin_pattern($1, rpcbind_var_lib_t)
+
+       files_search_pids($1)
+       admin_pattern($1, rpcbind_var_run_t)
 ')
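Review bot: The new `admin_pattern($1, rpcbind_var_lib_t)` and `admin_pattern($1, rpcbind_var_run_t)` lines need both types in the `gen_require` at the top of `rpcbind_admin`, which is outside this hunk; if it still lists only `rpcbind_t` and `rpcbind_initrc_exec_t`, the interface will fail to build for every caller. Correcting `rbcbind_initrc_exec_t` to `rpcbind_initrc_exec_t` fixes a genuine typo that would have broken callers in the same way.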
index d6d76e14194f9395afd9a55c0e3877e0faef2327..9cb5e253e67e290b5adb4611352ad01ca42e03ab 100644 (file)
@@ -43,6 +43,8 @@ kernel_read_system_state(rpcbind_t)
 kernel_read_network_state(rpcbind_t)
 kernel_request_load_module(rpcbind_t)
 
+corecmd_exec_shell(rpcbind_t)
+
 corenet_all_recvfrom_unlabeled(rpcbind_t)
 corenet_all_recvfrom_netlabel(rpcbind_t)
 corenet_tcp_sendrecv_generic_if(rpcbind_t)
@@ -71,3 +73,7 @@ sysnet_dns_name_resolve(rpcbind_t)
 ifdef(`hide_broken_symptoms',`
        dontaudit rpcbind_t self:udp_socket listen;
 ')
+
+optional_policy(`
+       nis_use_ypbind(rpcbind_t)
+')
index 0b405d1027c89f8aa79c61b881623257d85fe696..49a42832a0a513cc73ad9876ddbf11c828bd8097 100644 (file)
@@ -66,6 +66,7 @@ seutil_read_config(rshd_t)
 seutil_read_default_contexts(rshd_t)
 
 userdom_search_user_home_content(rshd_t)
+userdom_manage_tmp_role(system_r, rshd_t)
 
 tunable_policy(`use_nfs_home_dirs',`
        fs_read_nfs_files(rshd_t)
index 3386f29715f1f58e3559384b88ddf2aad46c6645..eefa3298cc111125d01d52daf4a863bad392bba2 100644 (file)
@@ -119,7 +119,7 @@ interface(`rsync_read_config',`
                type rsync_etc_t;
        ')
 
-       allow $1 rsync_etc_t:file read_file_perms;
+       read_files_pattern($1, rsync_etc_t, rsync_etc_t)
        files_search_etc($1)
 ')
 
@@ -138,6 +138,49 @@ interface(`rsync_write_config',`
                type rsync_etc_t;
        ')
 
-       allow $1 rsync_etc_t:file read_file_perms;
+       write_files_pattern($1, rsync_etc_t, rsync_etc_t)
        files_search_etc($1)
 ')
+
+########################################
+## <summary>
+##     Manage rsync config files.
+## </summary>
+## <param name="domain">
+## <summary>
+##     Domain allowed.
+## </summary>
+## </param>
+#
+interface(`rsync_manage_config',`
+       gen_require(`
+               type rsync_etc_t;
+       ')
+
+       manage_files_pattern($1, rsync_etc_t, rsync_etc_t)
+       files_search_etc($1)
+')
+
+########################################
+## <summary>
+##     Create objects in etc directories
+##     with rsync etc type.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to transition.
+##     </summary>
+## </param>
+## <param name="object_class">
+##     <summary>
+##     Class of the object being created.
+##     </summary>
+## </param>
+#
+interface(`rsync_filetrans_config',`
+       gen_require(`
+               type rsync_etc_t;
+       ')
+
+       files_etc_filetrans($1, rsync_etc_t, $2)
+')
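Review bot: `rsync_write_config` used to grant `read_file_perms` on rsync_etc_t (the removed line), so every existing caller has effectively had read-only access and now silently gains write access through `write_files_pattern`; each caller should be confirmed to actually need to write rsync config. In `rsync_filetrans_config` the param doc `Domain allowed to transition.` describes a domain transition, but the interface sets up a file type transition via files_etc_filetrans; `Domain allowed access.`, as used in rsync_manage_config above it, is accurate.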
index 39015aef396c626e146545b7d89ae5910ea88126..5e7b7cf639ed6eb42bcf13d3b71d789d1d65f558 100644 (file)
@@ -5,6 +5,13 @@ policy_module(rsync, 1.10.0)
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow rsync to run as a client
+## </p>
+## </desc>
+gen_tunable(rsync_client, false)
+
 ## <desc>
 ## <p>
 ## Allow rsync to export any files/directories read only.
@@ -23,7 +30,6 @@ gen_tunable(allow_rsync_anon_write, false)
 
 type rsync_t;
 type rsync_exec_t;
-init_daemon_domain(rsync_t, rsync_exec_t)
 application_executable_file(rsync_exec_t)
 role system_r types rsync_t;
 
@@ -59,7 +65,7 @@ allow rsync_t self:udp_socket connected_socket_perms;
 allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 #end for identd
 
-allow rsync_t rsync_etc_t:file read_file_perms;
+read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t)
 
 allow rsync_t rsync_data_t:dir list_dir_perms;
 read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
@@ -122,6 +128,7 @@ optional_policy(`
 ')
 
 tunable_policy(`rsync_export_all_ro',`
+       files_getattr_all_pipes(rsync_t)
        fs_read_noxattr_fs_files(rsync_t) 
        fs_read_nfs_files(rsync_t)
        fs_read_cifs_files(rsync_t)
@@ -130,4 +137,19 @@ tunable_policy(`rsync_export_all_ro',`
        auth_read_all_symlinks_except_shadow(rsync_t)
        auth_tunable_read_shadow(rsync_t)
 ')
+
+tunable_policy(`rsync_client',`
+       corenet_tcp_connect_rsync_port(rsync_t)
+       corenet_tcp_connect_ssh_port(rsync_t)
+       manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t)
+       manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+       manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+')
+
+optional_policy(`
+       tunable_policy(`rsync_client',`
+               ssh_exec(rsync_t) 
+       ')
+')
+
 auth_can_read_shadow_passwords(rsync_t)
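Review bot: The rules gated by `rsync_client` (outbound connects to the rsync and ssh ports, full manage of rsync_data_t dirs, files and symlinks, and `ssh_exec` in the optional block) are broader than the tunable's description `Allow rsync to run as a client` near the top of the file conveys. Expanding the desc, e.g. `Allow rsync to run as a client: connect to rsync/ssh ports, manage rsync_data_t content and execute ssh`, lets an administrator judge the boolean before turning it on. The `ssh_exec(rsync_t) ` line carries trailing whitespace. Separately, the earlier hunk drops `init_daemon_domain(rsync_t, rsync_exec_t)` with no replacement entry-point rule visible in this diff; if nothing else in the file declares how rsync_t is entered, that deserves a check.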
index 46dad1f939eb79cc0ba371f00f83e2514939f3f0..21079f8f47c3c988a68cbfcc52234ff50fcaf1b2 100644 (file)
@@ -39,6 +39,27 @@ interface(`rtkit_daemon_dbus_chat',`
        allow rtkit_daemon_t $1:dbus send_msg;
 ')
 
+########################################
+## <summary>
+##     Do not audit send and receive messages from
+##     rtkit_daemon over dbus.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`rtkit_daemon_dontaudit_dbus_chat',`
+       gen_require(`
+               type rtkit_daemon_t;
+               class dbus send_msg;
+       ')
+
+       dontaudit $1 rtkit_daemon_t:dbus send_msg;
+       dontaudit rtkit_daemon_t $1:dbus send_msg;
+')
+
 ########################################
 ## <summary>
 ##     Allow rtkit to control scheduling for your process
index 6f8e2682e51f609761e27a4cb46283db737f155b..7d64285769f496f8461649cde86af576df0c36ad 100644 (file)
@@ -8,6 +8,7 @@ policy_module(rtkit, 1.1.0)
 type rtkit_daemon_t;
 type rtkit_daemon_exec_t;
 dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
+init_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
 
 ########################################
 #
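Review bot: `init_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)` appears redundant with `dbus_system_domain(...)` on the line above, which, as far as I recall refpolicy's dbus.if, already calls init_system_domain for its arguments. Duplicate rules are harmless to the build, but if the intent is to guarantee the init entry point independently of the dbus interface, a comment such as `# keep the init entry point explicit in case dbus_system_domain changes` would make that clear; otherwise the line can go.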
index a07b2f4037e8707f29998be76b27ad7faa5a2071..d78daf4ad6ef2a2d025335a8e644a71d01b146a7 100644 (file)
@@ -55,6 +55,9 @@ files_read_etc_files(rwho_t)
 init_read_utmp(rwho_t)
 init_dontaudit_write_utmp(rwho_t)
 
+logging_send_syslog_msg(rwho_t)
+
 miscfiles_read_localization(rwho_t)
 
 sysnet_dns_name_resolve(rwho_t)
+
index 69a6074f9afe5abb7065bc22469327ad65a2ba14..73db5baf4a81cb9b3b9d886d13b2ddc3b6ffc375 100644 (file)
@@ -51,3 +51,7 @@
 /var/run/winbindd(/.*)?                        gen_context(system_u:object_r:winbind_var_run_t,s0)
 
 /var/spool/samba(/.*)?                 gen_context(system_u:object_r:samba_var_t,s0)
+
+ifndef(`enable_mls',`
+/var/lib/samba/scripts(/.*)?           gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+')
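Review bot: The new `/var/lib/samba/scripts(/.*)?` entry labels a whole tree as `samba_unconfined_script_exec_t`, which samba.te in this same commit makes executable by smbd_t (`can_exec`) and, when `samba_run_unconfined` is on, runs unconfined; the .fc gives no hint of that consequence. A comment above the ifndef block would help whoever maintains file contexts, e.g. `# scripts here are executed by smbd; with samba_run_unconfined they run unconfined`. Because the label alone decides eligibility, who may write into this directory deserves the same scrutiny as the boolean.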
index 82cb169c0eaf029e7a78c85e2daac3eaedf8d02d..84732e5115fb04622c9260dd0e0680a4c0b4f0e4 100644 (file)
@@ -77,6 +77,25 @@ interface(`samba_domtrans_net',`
        domtrans_pattern($1, samba_net_exec_t, samba_net_t)
 ')
 
+########################################
+## <summary>
+##     Execute samba net in the samba_unconfined_net domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`samba_domtrans_unconfined_net',`
+       gen_require(`
+               type samba_unconfined_net_t, samba_net_exec_t;
+       ')
+
+       corecmd_search_bin($1)
+       domtrans_pattern($1, samba_net_exec_t, samba_unconfined_net_t)
+')
+
 ########################################
 ## <summary>
 ##     Execute samba net in the samba_net domain, and
@@ -103,6 +122,51 @@ interface(`samba_run_net',`
        role $2 types samba_net_t;
 ')
 
+#######################################
+## <summary>
+##     The role for the samba module.
+## </summary>
+## <param name="role">
+##     <summary>
+##     The role to be allowed the samba_net domain.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+template(`samba_role_notrans',`
+       gen_require(`
+               type smbd_t;
+       ')
+
+       role $1 types smbd_t;
+')
+
+########################################
+## <summary>
+##     Execute samba net in the samba_unconfined_net domain, and
+##     allow the specified role the samba_unconfined_net domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     The role to be allowed the samba_unconfined_net domain.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_run_unconfined_net',`
+       gen_require(`
+               type samba_unconfined_net_t;
+       ')
+
+       samba_domtrans_unconfined_net($1)
+       role $2 types samba_unconfined_net_t;
+')
+
 ########################################
 ## <summary>
 ##     Execute smbmount in the smbmount domain.
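Review bot: The param doc of `samba_role_notrans` says `The role to be allowed the samba_net domain.` but the body is `role $1 types smbd_t;`, so it should read `The role to be allowed the smbd_t domain.`; the summary `The role for the samba module.` could likewise state what is granted (smbd_t in the role, with no domain transition). The `#` header line above this template also appears one character shorter than the neighbouring ones.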
@@ -412,6 +476,7 @@ interface(`samba_manage_var_files',`
        files_search_var($1)
        files_search_var_lib($1)
        manage_files_pattern($1, samba_var_t, samba_var_t)
+       manage_lnk_files_pattern($1, samba_var_t, samba_var_t)
 ')
 
 ########################################
@@ -419,15 +484,14 @@ interface(`samba_manage_var_files',`
 ##     Execute a domain transition to run smbcontrol.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##     <summary>
 ##     Domain allowed to transition.
-## </summary>
+##     </summary>
 ## </param>
 #
 interface(`samba_domtrans_smbcontrol',`
        gen_require(`
-               type smbcontrol_t;
-               type smbcontrol_exec_t;
+               type smbcontrol_t, smbcontrol_exec_t;
        ')
 
        domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
@@ -564,6 +628,7 @@ interface(`samba_domtrans_winbind_helper',`
        ')
 
        domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
+       allow $1 winbind_helper_t:process signal;
 ')
 
 ########################################
@@ -642,6 +707,37 @@ interface(`samba_stream_connect_winbind',`
        ')
 ')
 
+########################################
+## <summary>
+##     Create a set of derived types for apache
+##     web content.
+## </summary>
+## <param name="prefix">
+##     <summary>
+##     The prefix to be used for deriving type names.
+##     </summary>
+## </param>
+#
+template(`samba_helper_template',`
+       gen_require(`
+               type smbd_t;
+               role system_r;
+       ')
+
+       #This type is for samba helper scripts
+       type samba_$1_script_t;
+       domain_type(samba_$1_script_t)
+       role system_r types samba_$1_script_t;
+
+       # This type is used for executable scripts files
+       type samba_$1_script_exec_t;
+       corecmd_shell_entry_type(samba_$1_script_t)
+       domain_entry_file(samba_$1_script_t, samba_$1_script_exec_t)
+
+       domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t)
+       allow smbd_t samba_$1_script_exec_t:file ioctl;
+')
+
 ########################################
 ## <summary>
 ##     All of the rules required to administrate 
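Review bot: The summary of `samba_helper_template`, `Create a set of derived types for apache web content.`, is a copy-paste from elsewhere and describes nothing this template does; it should read something like `Create a derived domain and exec type for samba helper scripts run by smbd.` The body declares `samba_$1_script_t`/`samba_$1_script_exec_t`, makes the shell an entry point and lets smbd_t transition into the script domain, so the param doc could also say that the prefix selects the derived type names. `#This type is for samba helper scripts` is missing the space after `#` used by the other comments.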
@@ -661,21 +757,13 @@ interface(`samba_stream_connect_winbind',`
 #
 interface(`samba_admin',`
        gen_require(`
-               type nmbd_t, nmbd_var_run_t;
-               type smbd_t, smbd_tmp_t;
-               type smbd_var_run_t;
-               type smbd_spool_t;
-
-               type samba_log_t, samba_var_t;
-               type samba_etc_t, samba_share_t;
-               type samba_secrets_t;
-
+               type nmbd_t, nmbd_var_run_t, smbd_var_run_t;
+               type smbd_t, smbd_tmp_t, samba_secrets_t;
+               type samba_initrc_exec_t, samba_log_t, samba_var_t;
+               type samba_etc_t, samba_share_t, winbind_log_t;
                type swat_var_run_t, swat_tmp_t;
-
                type winbind_var_run_t, winbind_tmp_t;
-               type winbind_log_t;
-
-               type samba_initrc_exec_t;
+               type samba_unconfined_script_t, samba_unconfined_script_exec_t;
        ')
 
        allow $1 smbd_t:process { ptrace signal_perms };
@@ -684,6 +772,9 @@ interface(`samba_admin',`
        allow $1 nmbd_t:process { ptrace signal_perms };
        ps_process_pattern($1, nmbd_t)
 
+       allow $1 samba_unconfined_script_t:process { ptrace signal_perms };
+       ps_process_pattern($1, samba_unconfined_script_t)
+
        samba_run_smbcontrol($1, $2, $3)
        samba_run_winbind_helper($1, $2, $3)
        samba_run_smbmount($1, $2, $3)
@@ -709,9 +800,6 @@ interface(`samba_admin',`
        admin_pattern($1, samba_var_t)
        files_list_var($1)
 
-       admin_pattern($1, smbd_spool_t)
-       files_list_spool($1)
-
        admin_pattern($1, smbd_var_run_t)
        files_list_pids($1)
 
@@ -727,4 +815,5 @@ interface(`samba_admin',`
        admin_pattern($1, winbind_tmp_t)
 
        admin_pattern($1, winbind_var_run_t)
+       admin_pattern($1, samba_unconfined_script_exec_t)
 ')
index e30bb63439d26a0c9c90e0aeb63ecdb63f57168e..2a5981d227f13721cd8949e235b3cce376ee9fe2 100644 (file)
@@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
 type winbind_log_t;
 logging_log_file(winbind_log_t)
 
-type winbind_tmp_t;
-files_tmp_file(winbind_tmp_t)
-
 type winbind_var_run_t;
 files_pid_file(winbind_var_run_t)
 
@@ -230,7 +227,7 @@ optional_policy(`
 #
 # smbd Local policy
 #
-allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search };
+allow smbd_t self:capability { chown fowner kill setgid setuid sys_nice sys_resource lease dac_override dac_read_search };
 dontaudit smbd_t self:capability sys_tty_config;
 allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow smbd_t self:process setrlimit;
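Review bot: `kill` is added to the smbd_t self capability set on the changed line with no comment; CAP_KILL lets smbd signal processes it does not own, and nothing in the block records which process smbd needs to signal. A short why-comment above the allow, `# kill: <which process smbd signals and why>`, keeps this grant reviewable and matches the style of the other commented rules in this file.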
@@ -279,7 +276,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
 manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
 manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
 manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
-files_pid_filetrans(smbd_t, smbd_var_run_t, file)
+files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file })
 
 allow smbd_t swat_t:process signal;
 
@@ -323,6 +320,7 @@ dev_getattr_all_blk_files(smbd_t)
 dev_getattr_all_chr_files(smbd_t)
 
 fs_getattr_all_fs(smbd_t)
+fs_getattr_all_dirs(smbd_t)
 fs_get_xattr_fs_quotas(smbd_t)
 fs_search_auto_mountpoints(smbd_t)
 fs_getattr_rpc_dirs(smbd_t)
@@ -343,6 +341,7 @@ files_read_usr_files(smbd_t)
 files_search_spool(smbd_t)
 # smbd seems to getattr all mountpoints
 files_dontaudit_getattr_all_dirs(smbd_t)
+files_dontaudit_list_all_mountpoints(smbd_t)
 # Allow samba to list mnt_t for potential mounted dirs
 files_list_mnt(smbd_t)
 
@@ -385,12 +384,7 @@ tunable_policy(`samba_domain_controller',`
 ')
 
 tunable_policy(`samba_enable_home_dirs',`
-       userdom_manage_user_home_content_dirs(smbd_t)
-       userdom_manage_user_home_content_files(smbd_t)
-       userdom_manage_user_home_content_symlinks(smbd_t)
-       userdom_manage_user_home_content_sockets(smbd_t)
-       userdom_manage_user_home_content_pipes(smbd_t)
-       userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file })
+       userdom_manage_user_home_content(smbd_t)
 ')
 
 # Support Samba sharing of NFS mount points
@@ -445,8 +439,8 @@ optional_policy(`
 tunable_policy(`samba_create_home_dirs',`
        allow smbd_t self:capability chown;
        userdom_create_user_home_dirs(smbd_t)
-       userdom_home_filetrans_user_home_dir(smbd_t)
 ')
+userdom_home_filetrans_user_home_dir(smbd_t)
 
 tunable_policy(`samba_export_all_ro',`
        fs_read_noxattr_fs_files(smbd_t) 
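Review bot: Moving `userdom_home_filetrans_user_home_dir(smbd_t)` out of the `samba_create_home_dirs` block makes it unconditional, and if that interface expands to filetrans_pattern (as it does in refpolicy) it carries `rw_dir_perms` on home_root_t, so smbd_t may now write to the home root even when the boolean is off. The same applies to `userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })`, moved out of `samba_export_all_rw` in the next hunk. If the move is forced by a constraint on where type_transition rules may appear, a comment such as `# type_transition kept outside the tunable: <reason>; the dir write it carries is intended` should say so; otherwise keep the calls inside their tunables.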
@@ -462,8 +456,8 @@ tunable_policy(`samba_export_all_rw',`
        auth_manage_all_files_except_shadow(smbd_t)
        fs_read_noxattr_fs_files(nmbd_t) 
        auth_manage_all_files_except_shadow(nmbd_t)
-       userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
 ')
+userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
 
 ########################################
 #
@@ -484,8 +478,9 @@ allow nmbd_t self:udp_socket create_socket_perms;
 allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
 allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 
+manage_dirs_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
 manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-files_pid_filetrans(nmbd_t, nmbd_var_run_t, file)
+files_pid_filetrans(nmbd_t, nmbd_var_run_t, { dir file })
 
 read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
 read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
@@ -567,6 +562,7 @@ allow smbcontrol_t smbd_t:process signal;
 
 allow smbcontrol_t winbind_t:process { signal signull };
 
+files_search_var_lib(smbcontrol_t)
 samba_read_config(smbcontrol_t)
 samba_rw_var_files(smbcontrol_t)
 samba_search_var(smbcontrol_t)
@@ -677,7 +673,7 @@ samba_domtrans_nmbd(swat_t)
 allow swat_t nmbd_t:process { signal signull };
 allow nmbd_t swat_t:process signal;
 
-allow swat_t smbd_var_run_t:file { lock unlink };
+allow swat_t nmbd_var_run_t:file read_file_perms;
 
 allow swat_t smbd_port_t:tcp_socket name_bind;
 
@@ -692,12 +688,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
 manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
 
 manage_files_pattern(swat_t, samba_var_t, samba_var_t)
+files_list_var_lib(swat_t)
 
 allow swat_t smbd_exec_t:file mmap_file_perms ;
 
 allow swat_t smbd_t:process signull;
 
 allow swat_t smbd_var_run_t:file read_file_perms;
+allow swat_t smbd_var_run_t:file { lock unlink };
 
 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
 manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
@@ -710,6 +708,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
 domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
 allow swat_t winbind_t:process { signal signull };
 
+read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t)
 allow swat_t winbind_var_run_t:dir { write add_name remove_name };
 allow swat_t winbind_var_run_t:sock_file { create unlink };
 
@@ -754,6 +753,8 @@ logging_search_logs(swat_t)
 
 miscfiles_read_localization(swat_t)
 
+userdom_dontaudit_search_admin_dir(swat_t)
+
 optional_policy(`
        cups_read_rw_config(swat_t)
        cups_stream_connect(swat_t)
@@ -806,14 +807,14 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
 allow winbind_t winbind_log_t:file manage_file_perms;
 logging_log_filetrans(winbind_t, winbind_log_t, file)
 
-manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
-manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
-manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
-files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
+userdom_manage_user_tmp_dirs(winbind_t)
+userdom_manage_user_tmp_files(winbind_t)
+userdom_tmp_filetrans_user_tmp(winbind_t, { file dir })
 
+manage_dirs_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
 manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
 manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
-files_pid_filetrans(winbind_t, winbind_var_run_t, file)
+files_pid_filetrans(winbind_t, winbind_var_run_t, { file dir })
 
 kernel_read_kernel_sysctls(winbind_t)
 kernel_read_system_state(winbind_t)
@@ -833,6 +834,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
 corenet_tcp_bind_generic_node(winbind_t)
 corenet_udp_bind_generic_node(winbind_t)
 corenet_tcp_connect_smbd_port(winbind_t)
+corenet_tcp_connect_smbd_port(winbind_t)
 corenet_tcp_connect_epmap_port(winbind_t)
 corenet_tcp_connect_all_unreserved_ports(winbind_t)
 
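Review bot: The added `corenet_tcp_connect_smbd_port(winbind_t)` duplicates the identical context line directly above it, so the hunk grants nothing new. Either drop the line or, if a different port was intended, replace it with the intended `corenet_tcp_connect_<port>_port(winbind_t)` call.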
@@ -922,6 +924,18 @@ optional_policy(`
 #
 
 optional_policy(`
+       type samba_unconfined_net_t;
+       domain_type(samba_unconfined_net_t)
+       domain_entry_file(samba_unconfined_net_t, samba_net_exec_t)
+       role system_r types samba_unconfined_net_t;
+
+       unconfined_domain(samba_unconfined_net_t)
+
+       manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t)
+       filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file)
+       userdom_use_user_terminals(samba_unconfined_net_t)
+')
+
        type samba_unconfined_script_t;
        type samba_unconfined_script_exec_t;
        domain_type(samba_unconfined_script_t)
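Review bot: The new `samba_unconfined_net_t` domain is created and made fully unconfined via `unconfined_domain` without a comment, a boolean, or a statement of which module the enclosing `optional_policy` depends on; the only visible way in is the `samba_run_unconfined_net` role interface added to samba.if. A header comment such as `# unconfined variant of samba net for <purpose>; reachable only via samba_run_unconfined_net` would tell a reader the intended reach. Since the domain can also manage and create samba_secrets_t files, it should be explicit that it is meant for administrative roles only.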
@@ -932,9 +946,12 @@ optional_policy(`
        allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
        allow smbd_t samba_unconfined_script_exec_t:file ioctl;
 
+optional_policy(`
        unconfined_domain(samba_unconfined_script_t)
+')
 
        tunable_policy(`samba_run_unconfined',`
                domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
-       ')
+',`
+       can_exec(smbd_t, samba_unconfined_script_exec_t)
 ')
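Review bot: After this hunk the former body of the `optional_policy` block (`type samba_unconfined_script_t;` through the `allow smbd_t samba_unconfined_script_exec_t:file ioctl;` line) sits at top level but keeps its one-level indent, while the new `optional_policy(` wrapper around `unconfined_domain(samba_unconfined_script_t)` is at column 0, so the indentation no longer reflects nesting and the reach of the unconfined grant is hard to see. Re-indent the declarations to column 0 so that only `unconfined_domain(...)` reads as being inside the optional block. A one-line comment on the new else branch, e.g. `# boolean off: smbd runs the scripts in its own domain`, would document the default.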
index f1aea88a7b9ed72040decc169291cd09dfdba263..c3ffa9d73b68088f1026aca35e48be42f6592215 100644 (file)
@@ -42,7 +42,7 @@ interface(`sasl_admin',`
                type saslauthd_initrc_exec_t;
        ')
 
-       allow $1 saslauthd_t:process { ptrace signal_perms getattr };
+       allow $1 saslauthd_t:process { ptrace signal_perms };
        ps_process_pattern($1, saslauthd_t)
 
        init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
index 22184ad0886401caab6db33e1e20eafe2477209d..87810ec5ef33e2e96f3cd163af483da57ac5754b 100644 (file)
@@ -42,13 +42,17 @@ allow saslauthd_t saslauthd_tmp_t:dir setattr;
 manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t)
 files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file)
 
+manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
 manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
 manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
-files_pid_filetrans(saslauthd_t, saslauthd_var_run_t, file)
+files_pid_filetrans(saslauthd_t, saslauthd_var_run_t, { file dir })
 
 kernel_read_kernel_sysctls(saslauthd_t)
 kernel_read_system_state(saslauthd_t)
 
+#577519
+corecmd_exec_bin(saslauthd_t)
+
 corenet_all_recvfrom_unlabeled(saslauthd_t)
 corenet_all_recvfrom_netlabel(saslauthd_t)
 corenet_tcp_sendrecv_generic_if(saslauthd_t)
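Review bot: The comment `#577519` above `corecmd_exec_bin(saslauthd_t)` is a bare tracker number; it tells a reader neither which tracker nor why an authentication daemon needs to execute generic binaries. Write it out, e.g. `# <tracker> 577519: saslauthd executes <helper> for <mechanism>`, so the grant can be re-evaluated later.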
index a86ec50e4c61fa192f9c8b11436374e7a1b3d009..ef4199bc0ecc073783179be0856f95213438d2ff 100644 (file)
@@ -1,4 +1,6 @@
 
+/etc/rc\.d/init\.d/sendmail --  gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
+
 /var/log/sendmail\.st          --      gen_context(system_u:object_r:sendmail_log_t,s0)
 /var/log/mail(/.*)?                    gen_context(system_u:object_r:sendmail_log_t,s0)
 
index 7e94c7cfa5da444d8fb58435491ff0a3efaf3509..cf9fdcdd686bae81216e3be6be337ebd0c7bc6cb 100644 (file)
@@ -51,10 +51,24 @@ interface(`sendmail_domtrans',`
        ')
 
        mta_sendmail_domtrans($1, sendmail_t)
+')
+
+#######################################
+## <summary>
+##  Execute sendmail in the sendmail domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`sendmail_initrc_domtrans',`
+       gen_require(`
+               type sendmail_initrc_exec_t;
+       ')
 
-       allow sendmail_t $1:fd use;
-       allow sendmail_t $1:fifo_file rw_file_perms;
-       allow sendmail_t $1:process sigchld;
+       init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
 ')
 
 ########################################
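Review bot: The summary of the new `sendmail_initrc_domtrans`, `Execute sendmail in the sendmail domain.`, describes `sendmail_domtrans` above it; the body calls init_labeled_script_domtrans, so it should read `Execute the sendmail init script in the init script domain.` The `##  Execute` line uses two spaces where the file uses a tab, and the `#` header line appears one character shorter than the others. Removing the fd/fifo/sigchld rules from sendmail_domtrans looks fine provided mta_sendmail_domtrans already grants them through domtrans_pattern, which I believe it does.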
@@ -152,7 +166,7 @@ interface(`sendmail_rw_unix_stream_sockets',`
                type sendmail_t;
        ')
 
-       allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
+       allow $1 sendmail_t:unix_stream_socket rw_socket_perms;
 ')
 
 ########################################
@@ -171,7 +185,7 @@ interface(`sendmail_dontaudit_rw_unix_stream_sockets',`
                type sendmail_t;
        ')
 
-       dontaudit $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
+       dontaudit $1 sendmail_t:unix_stream_socket rw_socket_perms;
 ')
 
 ########################################
@@ -295,3 +309,50 @@ interface(`sendmail_run_unconfined',`
        sendmail_domtrans_unconfined($1)
        role $2 types unconfined_sendmail_t;
 ')
+
+########################################
+## <summary>
+##     All of the rules required to administrate
+##     an sendmail environment
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     Role allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sendmail_admin',`
+       gen_require(`
+               type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t; 
+               type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;
+               type mail_spool_t;
+       ')
+
+       allow $1 sendmail_t:process { ptrace signal_perms };
+       ps_process_pattern($1, sendmail_t)
+
+       allow $1 unconfined_sendmail_t:process { ptrace signal_perms };
+       ps_process_pattern($1, unconfined_sendmail_t)
+
+       sendmail_initrc_domtrans($1)
+       domain_system_change_exemption($1)
+       role_transition $2 sendmail_initrc_exec_t system_r;
+
+       logging_search_logs($1)
+       admin_pattern($1, sendmail_log_t)
+
+       files_search_tmp($1)
+       admin_pattern($1, sendmail_tmp_t)
+
+       files_search_pids($1)
+       admin_pattern($1, sendmail_var_run_t)
+
+       files_search_spool($1)
+       admin_pattern($1, mail_spool_t)
+')
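Review bot: `sendmail_admin` sets `role_transition $2 sendmail_initrc_exec_t system_r;` but, unlike `rpcbind_admin` earlier in this commit, does not add `allow $2 system_r;`, so the role transition is unusable for a role that is not already permitted system_r. Add `allow $2 system_r;` after the role_transition line. Minor: `an sendmail environment` should be `a sendmail environment`, and the `type sendmail_t, ...` gen_require line has trailing whitespace.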
index 22dac1fe98c387e38e3ac84ce4bc5a261e2ccf14..b6781d5df088717781e3ff7f7d44427e47b6e78a 100644 (file)
@@ -19,6 +19,9 @@ mta_sendmail_mailserver(sendmail_t)
 mta_mailserver_delivery(sendmail_t)
 mta_mailserver_sender(sendmail_t)
 
+type sendmail_initrc_exec_t;
+init_script_file(sendmail_initrc_exec_t)
+
 type unconfined_sendmail_t;
 application_domain(unconfined_sendmail_t, sendmail_exec_t)
 role system_r types unconfined_sendmail_t;
@@ -84,12 +87,14 @@ files_read_usr_files(sendmail_t)
 files_search_spool(sendmail_t)
 # for piping mail to a command
 files_read_etc_runtime_files(sendmail_t)
+files_read_all_tmp_files(sendmail_t)
 
 init_use_fds(sendmail_t)
 init_use_script_ptys(sendmail_t)
 # sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
 init_read_utmp(sendmail_t)
 init_dontaudit_write_utmp(sendmail_t)
+init_rw_script_tmp_files(sendmail_t)
 
 auth_use_nsswitch(sendmail_t)
 
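Review bot: `files_read_all_tmp_files(sendmail_t)` gives sendmail read access to every labelled tmp file on the system, and the next hunk turns the former `userdom_dontaudit_search_user_home_dirs` into `userdom_read_user_home_content_files(sendmail_t)`, i.e. from silencing denials to granting reads of all user home content; neither line says what sendmail needs them for. The surrounding rules carry why-comments (`# for piping mail to a command`); these deserve the same, e.g. `# <what sendmail reads from tmp>` and `# <what sendmail reads from user homes>`. If the need is a single file class or location, a narrower interface would keep the grant proportionate.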
@@ -103,7 +108,7 @@ miscfiles_read_generic_certs(sendmail_t)
 miscfiles_read_localization(sendmail_t)
 
 userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
-userdom_dontaudit_search_user_home_dirs(sendmail_t)
+userdom_read_user_home_content_files(sendmail_t)
 
 mta_read_config(sendmail_t)
 mta_etc_filetrans_aliases(sendmail_t)
@@ -149,7 +154,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+       postfix_domtrans_postdrop(sendmail_t)
        postfix_domtrans_master(sendmail_t)
+       postfix_domtrans_postqueue(sendmail_t)
        postfix_read_config(sendmail_t)
        postfix_search_spool(sendmail_t)
 ')
@@ -167,6 +174,10 @@ optional_policy(`
        sasl_connect(sendmail_t)
 ')
 
+optional_policy(`
+       spamd_stream_connect(sendmail_t)
+')
+
 optional_policy(`
        udev_read_db(sendmail_t)
 ')
@@ -183,5 +194,5 @@ optional_policy(`
 
 optional_policy(`
        mta_etc_filetrans_aliases(unconfined_sendmail_t)
-       unconfined_domain(unconfined_sendmail_t)
+       unconfined_domain_noaudit(unconfined_sendmail_t)
 ')
index 22dfeb4aae47c812ea2d80bc7de27a46164be378..a7fbedc2d542d5e58625a27e8708506de002a824 100644 (file)
@@ -103,6 +103,25 @@ interface(`setroubleshoot_dbus_chat_fixit',`
        allow setroubleshoot_fixit_t $1:dbus send_msg;
 ')
 
+########################################
+## <summary>
+##     Dontaudit read/write to a setroubleshoot leaked sockets.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`setroubleshoot_fixit_dontaudit_leaks',`
+       gen_require(`
+               type setroubleshoot_fixit_t;
+       ')
+
+       dontaudit $1 setroubleshoot_fixit_t:unix_dgram_socket { read write };
+       dontaudit $1 setroubleshoot_fixit_t:unix_stream_socket { read write };
+')
+
 ########################################
 ## <summary>
 ##     All of the rules required to administrate
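Review bot: The summary `Dontaudit read/write to a setroubleshoot leaked sockets.` is ungrammatical and names the wrong domain; the rules concern setroubleshoot_fixit_t, so `Do not audit reads and writes on unix sockets leaked by setroubleshoot_fixit.` is accurate. The param summary `Domain to not audit.` matches the other dontaudit interfaces and can stay.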
@@ -117,7 +136,7 @@ interface(`setroubleshoot_dbus_chat_fixit',`
 #
 interface(`setroubleshoot_admin',`
        gen_require(`
-               type setroubleshootd_t, setroubleshoot_log_t;
+               type setroubleshootd_t, setroubleshoot_var_log_t;
                type setroubleshoot_var_lib_t, setroubleshoot_var_run_t;
        ')
 
@@ -125,7 +144,7 @@ interface(`setroubleshoot_admin',`
        ps_process_pattern($1, setroubleshootd_t)
 
        logging_list_logs($1)
-       admin_pattern($1, setroubleshoot_log_t)
+       admin_pattern($1, setroubleshoot_var_log_t)
 
        files_list_var_lib($1)
        admin_pattern($1, setroubleshoot_var_lib_t)
index 086cd5fe0d691e69b4696281dc288ab703eebb47..679558c21fdf4780cf96b26b3087f73cf28838a6 100644 (file)
@@ -32,6 +32,8 @@ files_pid_file(setroubleshoot_var_run_t)
 
 allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config };
 allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal };
+# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run
+allow setroubleshootd_t self:process { execmem execstack };
 allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
 allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
 allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
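Review bot: The new `allow setroubleshootd_t self:process { execmem execstack };` removes the W^X restriction for a root-run daemon unconditionally, and the comment itself says the motive is to survive a "bad library", i.e. a defect in a dependency rather than a need of setroubleshoot. Prefer making the rule conditional on a tunable so the default policy keeps the protection, or a dontaudit if the aim is only to quiet the denials, and reword the comment to name the library or tracker, e.g. `# <library> needs execmem/execstack (<tracker id>); revisit when fixed`.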
@@ -49,14 +51,17 @@ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setrouble
 logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir })
 
 # pid file
+manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
 manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
 manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
-files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file })
+files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file dir })
 
 kernel_read_kernel_sysctls(setroubleshootd_t)
 kernel_read_system_state(setroubleshootd_t)
 kernel_read_net_sysctls(setroubleshootd_t)
 kernel_read_network_state(setroubleshootd_t)
+kernel_dontaudit_list_all_proc(setroubleshootd_t)
+kernel_read_unlabeled_state(setroubleshootd_t)
 
 corecmd_exec_bin(setroubleshootd_t)
 corecmd_exec_shell(setroubleshootd_t)
@@ -120,6 +125,10 @@ seutil_read_bin_policy(setroubleshootd_t)
 
 userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
 
+optional_policy(`
+       locate_read_lib_files(setroubleshootd_t)
+')
+
 optional_policy(`
        dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
 ')
@@ -152,6 +161,7 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
 corecmd_exec_shell(setroubleshoot_fixit_t)
 
 seutil_domtrans_setfiles(setroubleshoot_fixit_t)
+seutil_domtrans_setsebool(setroubleshoot_fixit_t)
 
 files_read_usr_files(setroubleshoot_fixit_t)
 files_read_etc_files(setroubleshoot_fixit_t)
@@ -164,6 +174,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
 
 miscfiles_read_localization(setroubleshoot_fixit_t)
 
+userdom_dontaudit_search_admin_dir(setroubleshoot_fixit_t)
+userdom_signull_unpriv_users(setroubleshoot_fixit_t)
+
+optional_policy(`
+       gnome_dontaudit_search_config(setroubleshoot_fixit_t)
+')
+
 optional_policy(`
        rpm_signull(setroubleshoot_fixit_t)
        rpm_read_db(setroubleshoot_fixit_t)
index adea9f92273791ba0ec6110e012ca684addfa602..d5b2d9342b18d5c81fe3171884e99653a88c98d7 100644 (file)
@@ -15,6 +15,7 @@ interface(`smartmon_read_tmp_files',`
                type fsdaemon_tmp_t;
        ')
 
+       files_search_tmp($1)
        allow $1 fsdaemon_tmp_t:file read_file_perms;
 ')
 
@@ -41,7 +42,7 @@ interface(`smartmon_admin',`
                type fsdaemon_initrc_exec_t;
        ')
 
-       allow $1 fsdaemon_t:process { ptrace signal_perms getattr };
+       allow $1 fsdaemon_t:process { ptrace signal_perms };
        ps_process_pattern($1, fsdaemon_t)
 
        init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
index 4804f142ab59b72e0134dfde994aa4ad0bfdd81f..894f62d7610b676b46db6d2258a9f50951c52a6a 100644 (file)
@@ -82,6 +82,8 @@ mls_file_read_all_levels(fsdaemon_t)
 storage_raw_read_fixed_disk(fsdaemon_t)
 storage_raw_write_fixed_disk(fsdaemon_t)
 storage_raw_read_removable_device(fsdaemon_t)
+storage_read_scsi_generic(fsdaemon_t)
+storage_write_scsi_generic(fsdaemon_t)
 
 term_dontaudit_search_ptys(fsdaemon_t)
 
index 824d206e23e9f391ba13734a801d4be933539a90..82652781b1dcc492638e410df0f2cb7d49e397fe 100644 (file)
@@ -5,9 +5,9 @@
 ##     Execute a domain transition to run smokeping.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##     <summary>
 ##     Domain allowed to transition.
-## </summary>
+##     </summary>
 ## </param>
 #
 interface(`smokeping_domtrans',`
index 4ca544913cd6c750afe190ec7ddaf3fe021d78d4..058bfc918f9af4436121d88375a68510270080ab 100644 (file)
@@ -23,6 +23,7 @@ files_type(smokeping_var_lib_t)
 # smokeping local policy
 #
 
+dontaudit smokeping_t self:capability { dac_read_search dac_override };    
 allow smokeping_t self:fifo_file rw_fifo_file_perms;
 allow smokeping_t self:udp_socket create_socket_perms;
 allow smokeping_t self:unix_stream_socket create_stream_socket_perms;
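Review bot: The added `dontaudit smokeping_t self:capability { dac_read_search dac_override };` line carries trailing whitespace, which the rest of the file does not. Strip it so the line matches the surrounding style, and consider a one-line comment above it saying which operation triggers the denial, since a dontaudit on dac_override hides exactly the kind of access a reviewer would otherwise notice.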
@@ -44,6 +45,7 @@ files_read_usr_files(smokeping_t)
 files_search_tmp(smokeping_t)
 
 auth_use_nsswitch(smokeping_t)
+auth_dontaudit_read_shadow(smokeping_t)
 
 logging_send_syslog_msg(smokeping_t)
 
index 623c8fad87ace8a555c4d3f2556bf4608a2e459b..ac1074078b03c2956329e927d9cd116ab2c264e1 100644 (file)
@@ -18,7 +18,7 @@
 
 /var/log/snmpd\.log    --      gen_context(system_u:object_r:snmpd_log_t,s0)
 
-/var/net-snmp(/.*)             gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+/var/net-snmp(/.*)?            gen_context(system_u:object_r:snmpd_var_lib_t,s0)
 
 /var/run/snmpd(/.*)?           gen_context(system_u:object_r:snmpd_var_run_t,s0)
 /var/run/snmpd\.pid    --      gen_context(system_u:object_r:snmpd_var_run_t,s0)
index 275f9fb5cb9915475e882f6d77da59912649d08f..6aa68d804f40fd1881d56831aceeb88c919d5de4 100644 (file)
 ## </param>
 #
 interface(`snmp_stream_connect',`
-        gen_require(`
+       gen_require(`
                type snmpd_t, snmpd_var_lib_t;
-        ')
+       ')
 
-        files_search_var_lib($1)
-        stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
+       files_search_var_lib($1)
+       stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
 ')
 
 ########################################
@@ -62,6 +62,7 @@ interface(`snmp_read_snmp_var_lib_files',`
                type snmpd_var_lib_t;
        ')
 
+       files_search_var_lib($1)
        allow $1 snmpd_var_lib_t:dir list_dir_perms;
        read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
        read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
@@ -81,9 +82,10 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',`
        gen_require(`
                type snmpd_var_lib_t;
        ')
+
        dontaudit $1 snmpd_var_lib_t:dir list_dir_perms;
        dontaudit $1 snmpd_var_lib_t:file read_file_perms;
-       dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read };
+       dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
@@ -128,7 +130,7 @@ interface(`snmp_admin',`
                type snmpd_initrc_exec_t;
        ')
 
-       allow $1 snmpd_t:process { ptrace signal_perms getattr };
+       allow $1 snmpd_t:process { ptrace signal_perms };
        ps_process_pattern($1, snmpd_t)
 
        init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
index 3d8d1b3c22eaa44fea611bd6ad6635a9312d299e..b5cd366e39f8911dcfbf2c69f91fd0fc647b30ef 100644 (file)
@@ -24,7 +24,7 @@ files_type(snmpd_var_lib_t)
 #
 # Local policy
 #
-allow snmpd_t self:capability { chown dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
+allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid sys_ptrace net_admin sys_nice sys_tty_config };
 dontaudit snmpd_t self:capability { sys_module sys_tty_config };
 allow snmpd_t self:process { signal_perms getsched setsched };
 allow snmpd_t self:fifo_file rw_fifo_file_perms;
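Review bot: The capability line now grants `setgid setuid` to snmpd_t with no comment saying why the daemon needs to change identity. Those two capabilities let the domain take on other uids/gids, so the rule deserves a why-comment such as `# snmpd drops privileges after start-up (setuid/setgid) — confirm against the daemon's config`, hedged until the triggering operation is confirmed. The same applies to the `kill` capability added to spamd_t in the spamassassin.te hunk at `allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config };`, where the existing comment above only explains setuid.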
@@ -43,8 +43,9 @@ files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file)
 files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file })
 files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, file)
 
+manage_dirs_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t)
 manage_files_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t)
-files_pid_filetrans(snmpd_t, snmpd_var_run_t, file)
+files_pid_filetrans(snmpd_t, snmpd_var_run_t, { file dir })
 
 kernel_read_device_sysctls(snmpd_t)
 kernel_read_kernel_sysctls(snmpd_t)
@@ -97,6 +98,7 @@ fs_search_auto_mountpoints(snmpd_t)
 
 storage_dontaudit_read_fixed_disk(snmpd_t)
 storage_dontaudit_read_removable_device(snmpd_t)
+storage_dontaudit_write_removable_device(snmpd_t)
 
 auth_use_nsswitch(snmpd_t)
 auth_read_all_dirs_except_shadow(snmpd_t)
index c117e8b55f1a02c002049c8409a0cc45e7657635..215f4254aa77fa34bfa6be0598bf1a46f974b6c5 100644 (file)
@@ -5,9 +5,9 @@
 ##     Execute a domain transition to run snort.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##     <summary>
 ##     Domain allowed to transition.
-## </summary>
+##     </summary>
 ## </param>
 #
 interface(`snort_domtrans',`
index 6b3abf9e01386055aef04ad844b154591950e724..540981ff28afcea660729eeeefe065df130a7336 100644 (file)
@@ -1,15 +1,26 @@
-HOME_DIR/\.spamassassin(/.*)?  gen_context(system_u:object_r:spamassassin_home_t,s0)
+HOME_DIR/\.spamassassin(/.*)?  gen_context(system_u:object_r:spamc_home_t,s0)
+/root/\.spamassassin(/.*)?     gen_context(system_u:object_r:spamc_home_t,s0)
+
+/etc/rc\.d/init\.d/spamd       --      gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mimedefang.*        --      gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
 
 /usr/bin/sa-learn      --      gen_context(system_u:object_r:spamc_exec_t,s0)
-/usr/bin/spamassassin  --      gen_context(system_u:object_r:spamassassin_exec_t,s0)
+/usr/bin/spamassassin  --      gen_context(system_u:object_r:spamc_exec_t,s0)
 /usr/bin/spamc         --      gen_context(system_u:object_r:spamc_exec_t,s0)
 /usr/bin/spamd         --      gen_context(system_u:object_r:spamd_exec_t,s0)
 
 /usr/sbin/spamd                --      gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/mimedefang-multiplexor --     gen_context(system_u:object_r:spamd_exec_t,s0)
 
 /var/lib/spamassassin(/.*)?    gen_context(system_u:object_r:spamd_var_lib_t,s0)
+/var/lib/spamassassin/compiled(/.*)?   gen_context(system_u:object_r:spamd_compiled_t,s0)
+
+/var/log/spamd\.log    --      gen_context(system_u:object_r:spamd_log_t,s0)
+/var/log/mimedefang    --      gen_context(system_u:object_r:spamd_log_t,s0)
 
 /var/run/spamassassin(/.*)?    gen_context(system_u:object_r:spamd_var_run_t,s0)
 
 /var/spool/spamassassin(/.*)?  gen_context(system_u:object_r:spamd_spool_t,s0)
 /var/spool/spamd(/.*)?         gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+/var/spool/MIMEDefang(/.*)?    gen_context(system_u:object_r:spamd_var_run_t,s0)
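Review bot: The two new `/var/spool/MD-Quarantine(/.*)?` and `/var/spool/MIMEDefang(/.*)?` entries label spool directories as `spamd_var_run_t`, while the adjacent `/var/spool/spamassassin` and `/var/spool/spamd` entries use `spamd_spool_t`. A quarantine directory is persistent spool data, not pid/run state, so unless there is a reason MIMEDefang's sockets must share the run type, `spamd_spool_t` looks like the intended label; if the run type is deliberate, a comment above the two lines should say so. The `/var/log/mimedefang` entry is also typed with `--` (regular file only), which is worth confirming against how MIMEDefang actually logs.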
index c954f3191d290d4c03714c58264ec1568403865f..7f57f224dd056185eec609ef65e6167e245ed897 100644 (file)
@@ -14,6 +14,7 @@
 ##     User domain for the role
 ##     </summary>
 ## </param>
+## <rolecap/>
 #
 interface(`spamassassin_role',`
        gen_require(`
@@ -25,9 +26,13 @@ interface(`spamassassin_role',`
        role $1 types { spamc_t spamassassin_t };
 
        domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
+
+       allow $2 spamassassin_t:process { ptrace signal_perms };
        ps_process_pattern($2, spamassassin_t)
 
        domtrans_pattern($2, spamc_exec_t, spamc_t)
+
+       allow $2 spamc_t:process { ptrace signal_perms };
        ps_process_pattern($2, spamc_t)
 
        manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
@@ -55,7 +60,6 @@ interface(`spamassassin_exec',`
        ')
 
        can_exec($1, spamassassin_exec_t)
-
 ')
 
 ########################################
@@ -111,6 +115,46 @@ interface(`spamassassin_domtrans_client',`
        ')
 
        domtrans_pattern($1, spamc_exec_t, spamc_t)
+       allow $1 spamc_exec_t:file ioctl;
+')
+
+########################################
+## <summary>
+##     Send kill signal to spamassassin client
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`spamassassin_kill_client',`
+       gen_require(`
+               type spamc_t;
+       ')
+
+       allow $1 spamc_t:process sigkill;
+')
+
+########################################
+## <summary>
+##     Manage spamc home files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`spamassassin_manage_home_client',`
+       gen_require(`
+               type spamc_home_t;
+       ')
+
+       userdom_search_user_home_dirs($1)
+       manage_dirs_pattern($1, spamc_home_t, spamc_home_t)
+       manage_files_pattern($1, spamc_home_t, spamc_home_t)
+       manage_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
 ')
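Review bot: The `allow $1 spamc_exec_t:file ioctl;` line added to `spamassassin_domtrans_client` has no comment explaining what ioctl a caller performs on the client executable, and it sits outside the usual domtrans_pattern permission set. A short why-comment such as `# <caller> ioctls the spamc binary before exec — TODO confirm which caller` would keep the next maintainer from dropping or cargo-culting it. The new `spamassassin_manage_home_client` interface is otherwise consistent with the file's style.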
 
 ########################################
@@ -166,7 +210,9 @@ interface(`spamassassin_read_lib_files',`
        ')
 
        files_search_var_lib($1)
+       list_dirs_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
        read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
+       read_lnk_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
 ')
 
 ########################################
@@ -204,6 +250,7 @@ interface(`spamassassin_read_spamd_tmp_files',`
                type spamd_tmp_t;
        ')
 
+       files_search_tmp($1)
        allow $1 spamd_tmp_t:file read_file_perms;
 ')
 
@@ -223,5 +270,72 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
                type spamd_tmp_t;
        ')
 
-       dontaudit $1 spamd_tmp_t:sock_file getattr;
+       dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms;
+')
+
+########################################
+## <summary>
+##     Connect to run spamd.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to connect.
+##     </summary>
+## </param>
+#
+interface(`spamd_stream_connect',`
+       gen_require(`
+               type spamd_t, spamd_var_run_t;
+       ')
+
+       files_search_pids($1)
+       stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
+')
+
+########################################
+## <summary>
+##     All of the rules required to administrate
+##     an spamassassin environment
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     The role to be allowed to manage the spamassassin domain.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`spamassassin_spamd_admin',`
+       gen_require(`
+               type spamd_t, spamd_tmp_t, spamd_log_t;
+               type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t;
+               type spamd_initrc_exec_t;
+       ')
+
+       allow $1 spamd_t:process { ptrace signal_perms };
+       ps_process_pattern($1, spamd_t)
+
+       init_labeled_script_domtrans($1, spamd_initrc_exec_t)
+       domain_system_change_exemption($1)
+       role_transition $2 spamd_initrc_exec_t system_r;
+       allow $2 system_r;
+
+       files_list_tmp($1)
+       admin_pattern($1, spamd_tmp_t)
+
+       logging_list_logs($1)
+       admin_pattern($1, spamd_log_t)
+
+       files_list_spool($1)
+       admin_pattern($1, spamd_spool_t)
+
+       files_list_var_lib($1)
+       admin_pattern($1, spamd_var_lib_t)
+
+       files_list_pids($1)
+       admin_pattern($1, spamd_var_run_t)
 ')
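Review bot: The new `spamd_stream_connect` interface breaks the file's naming convention: every other interface in spamassassin.if starts with the module prefix `spamassassin_`, and the caller in spamassassin.te (`spamd_stream_connect(spamc_t)`) would need the same rename. Its summary `Connect to run spamd.` is also garbled; `Connect to spamd over a unix stream socket.` describes what the body does. Separately, `spamassassin_spamd_admin` does not cover `spamd_compiled_t`, which this commit introduces in spamassassin.te and labels under /var/lib/spamassassin/compiled, so an admin role cannot manage the compiled rule files; adding it to the gen_require and an `admin_pattern($1, spamd_compiled_t)` would match the other types. Minor: `an spamassassin environment` should read `a spamassassin environment`.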
index 9d40380d76551b6d06b0acb90849a998d1a3193e..9ad4eff41322b44e242929b0ced4aa85d30e7569 100644 (file)
@@ -19,6 +19,35 @@ gen_tunable(spamassassin_can_network, false)
 ## </desc>
 gen_tunable(spamd_enable_home_dirs, true)
 
+ifdef(`distro_redhat',`
+# spamassassin client executable
+type spamc_t;
+type spamc_exec_t;
+application_domain(spamc_t, spamc_exec_t)
+role system_r types spamc_t;
+
+type spamd_etc_t;
+files_config_file(spamd_etc_t)
+
+typealias spamc_exec_t  alias spamassassin_exec_t;
+typealias spamc_t alias spamassassin_t;
+
+type spamc_home_t;
+userdom_user_home_content(spamc_home_t)
+typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
+typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
+typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t };
+typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t };
+
+type spamc_tmp_t;
+files_tmp_file(spamc_tmp_t)
+typealias spamc_tmp_t alias spamassassin_tmp_t;
+typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
+typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
+
+typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
+typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
+', `
 type spamassassin_t;
 type spamassassin_exec_t;
 typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
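Review bot: The new `ifdef(`distro_redhat',` branch declares `spamc_tmp_t` with `files_tmp_file` but omits the `ubac_constrained(spamc_tmp_t)` call that the non-redhat branch keeps (visible as a context line just before the closing `')` in the next hunk), so the two branches diverge on UBAC for the client's temp files. If that omission is deliberate it needs a comment; otherwise add `ubac_constrained(spamc_tmp_t)` to the redhat branch. Note also that `typealias spamc_t alias spamassassin_t;` collapses the client and spamassassin domains into one type on Red Hat, and `spamd_etc_t` is declared only in this branch, so any unconditional use of that type elsewhere in the module would presumably fail to build outside distro_redhat.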
@@ -30,6 +59,7 @@ type spamassassin_home_t;
 typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
 typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
 userdom_user_home_content(spamassassin_home_t)
+files_poly_member(spamassassin_home_t)
 
 type spamassassin_tmp_t;
 typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
@@ -49,10 +79,21 @@ typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tm
 typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
 files_tmp_file(spamc_tmp_t)
 ubac_constrained(spamc_tmp_t)
+')
 
 type spamd_t;
 type spamd_exec_t;
 init_daemon_domain(spamd_t, spamd_exec_t)
+can_exec(spamd_t, spamd_exec_t)
+
+type spamd_compiled_t;
+files_type(spamd_compiled_t)
+
+type spamd_initrc_exec_t;
+init_script_file(spamd_initrc_exec_t)
+
+type spamd_log_t;
+logging_log_file(spamd_log_t)
 
 type spamd_spool_t;
 files_type(spamd_spool_t)
@@ -108,6 +149,7 @@ kernel_read_kernel_sysctls(spamassassin_t)
 dev_read_urand(spamassassin_t)
 
 fs_search_auto_mountpoints(spamassassin_t)
+fs_getattr_all_fs(spamassassin_t)
 
 # this should probably be removed
 corecmd_list_bin(spamassassin_t)
@@ -148,6 +190,9 @@ tunable_policy(`spamassassin_can_network',`
        corenet_udp_sendrecv_all_ports(spamassassin_t)
        corenet_tcp_connect_all_ports(spamassassin_t)
        corenet_sendrecv_all_client_packets(spamassassin_t)
+       corenet_udp_bind_generic_node(spamassassin_t)
+       corenet_udp_bind_generic_port(spamassassin_t)
+       corenet_dontaudit_udp_bind_all_ports(spamassassin_t)
 
        sysnet_read_config(spamassassin_t)
 ')
@@ -184,6 +229,8 @@ optional_policy(`
 optional_policy(`
        mta_read_config(spamassassin_t)
        sendmail_stub(spamassassin_t)
+       sendmail_dontaudit_rw_unix_stream_sockets(spamassassin_t)
+       sendmail_dontaudit_rw_tcp_sockets(spamassassin_t)
 ')
 
 ########################################
@@ -205,16 +252,33 @@ allow spamc_t self:unix_dgram_socket sendto;
 allow spamc_t self:unix_stream_socket connectto;
 allow spamc_t self:tcp_socket create_stream_socket_perms;
 allow spamc_t self:udp_socket create_socket_perms;
+corenet_all_recvfrom_unlabeled(spamc_t)
+corenet_all_recvfrom_netlabel(spamc_t)
+corenet_tcp_sendrecv_generic_if(spamc_t)
+corenet_tcp_sendrecv_generic_node(spamc_t)
+corenet_tcp_connect_spamd_port(spamc_t)
+
+can_exec(spamc_t, spamc_exec_t)
 
 manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
 manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
 files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir })
 
+manage_dirs_pattern(spamc_t, spamc_home_t, spamc_home_t)
+manage_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+userdom_user_home_dir_filetrans(spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file })
+userdom_append_user_home_content_files(spamc_t)
+
 # Allow connecting to a local spamd
 allow spamc_t spamd_t:unix_stream_socket connectto;
 allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
+spamd_stream_connect(spamc_t)
 
 kernel_read_kernel_sysctls(spamc_t)
+kernel_read_system_state(spamc_t)
 
 corenet_all_recvfrom_unlabeled(spamc_t)
 corenet_all_recvfrom_netlabel(spamc_t)
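Review bot: `corenet_all_recvfrom_unlabeled(spamc_t)` and `corenet_all_recvfrom_netlabel(spamc_t)` are added at the top of this hunk while the same two calls already appear as context lines at its end, so the rules are now duplicated. Drop the added pair and keep the new `corenet_tcp_sendrecv_generic_if`/`generic_node`/`corenet_tcp_connect_spamd_port` calls next to the existing corenet block so all network rules for spamc_t stay in one place.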
@@ -244,9 +308,16 @@ files_read_usr_files(spamc_t)
 files_dontaudit_search_var(spamc_t)
 # cjp: this may be removable:
 files_list_home(spamc_t)
+files_list_var_lib(spamc_t)
+list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
+read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
+
+fs_search_auto_mountpoints(spamc_t)
 
 logging_send_syslog_msg(spamc_t)
 
+auth_use_nsswitch(spamc_t)
+
 miscfiles_read_localization(spamc_t)
 
 # cjp: this should probably be removed:
@@ -254,27 +325,40 @@ seutil_read_config(spamc_t)
 
 sysnet_read_config(spamc_t)
 
+tunable_policy(`use_nfs_home_dirs',`
+       fs_manage_nfs_dirs(spamc_t)
+       fs_manage_nfs_files(spamc_t)
+       fs_manage_nfs_symlinks(spamc_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+       fs_manage_cifs_dirs(spamc_t)
+       fs_manage_cifs_files(spamc_t)
+       fs_manage_cifs_symlinks(spamc_t)
+')
+
 optional_policy(`
        # Allow connection to spamd socket above
        evolution_stream_connect(spamc_t)
 ')
 
 optional_policy(`
-       # Needed for pyzor/razor called from spamd
        milter_manage_spamass_state(spamc_t)
 ')
 
 optional_policy(`
-       nis_use_ypbind(spamc_t)
-')
-
-optional_policy(`
-       nscd_socket_use(spamc_t)
+       postfix_domtrans_postdrop(spamc_t)
+       postfix_search_spool(spamc_t)
+       postfix_rw_local_pipes(spamc_t)
 ')
 
 optional_policy(`
+       mta_send_mail(spamc_t)
        mta_read_config(spamc_t)
+       mta_read_queue(spamc_t)
        sendmail_stub(spamc_t)
+       sendmail_rw_pipes(spamc_t)
+       sendmail_dontaudit_rw_tcp_sockets(spamc_t)
 ')
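Review bot: `mta_send_mail(spamc_t)` and `postfix_domtrans_postdrop(spamc_t)` give the spam client the ability to submit mail, which is a broader capability than scanning it, and neither has a comment saying which workflow needs it. A why-comment on the optional_policy block, e.g. `# spamc is run as a delivery filter and re-injects the message — confirm`, would document the intent; the removal of `nis_use_ypbind`/`nscd_socket_use` in favour of the `auth_use_nsswitch(spamc_t)` added in the previous hunk looks consistent.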
 
 ########################################
@@ -286,7 +370,7 @@ optional_policy(`
 # setuids to the user running spamc.  Comment this if you are not
 # using this ability.
 
-allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };
+allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config };
 dontaudit spamd_t self:capability sys_tty_config;
 allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow spamd_t self:fd use;
@@ -302,10 +386,17 @@ allow spamd_t self:unix_dgram_socket sendto;
 allow spamd_t self:unix_stream_socket connectto;
 allow spamd_t self:tcp_socket create_stream_socket_perms;
 allow spamd_t self:udp_socket create_socket_perms;
-allow spamd_t self:netlink_route_socket r_netlink_socket_perms;
+
+can_exec(spamd_t, spamd_compiled_t)
+manage_dirs_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
+manage_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
+
+manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t)
+logging_log_filetrans(spamd_t, spamd_log_t, file)
 
 manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
 manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
+manage_sock_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
 files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
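Review bot: `can_exec(spamd_t, spamd_compiled_t)` combined with `manage_dirs_pattern`/`manage_files_pattern` on the same type lets spamd_t both write and execute `spamd_compiled_t`, which removes the usual write-xor-execute separation for that domain and deserves a comment such as `# sa-compile output under /var/lib/spamassassin/compiled is generated and then loaded by spamd`, confirmed against the tool that produces it. The removal of `allow spamd_t self:netlink_route_socket r_netlink_socket_perms;` is presumably covered by the `auth_use_nsswitch(spamd_t)` added in a later hunk; if not, name resolution in spamd would regress, so that is worth verifying.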
 
 manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
@@ -314,11 +405,13 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
 
 # var/lib files for spamd
 allow spamd_t spamd_var_lib_t:dir list_dir_perms;
-read_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
+manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
+manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
 
 manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
 manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
-files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
+manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
 
 kernel_read_all_sysctls(spamd_t)
 kernel_read_system_state(spamd_t)
@@ -367,22 +460,27 @@ files_read_var_lib_files(spamd_t)
 
 init_dontaudit_rw_utmp(spamd_t)
 
+auth_use_nsswitch(spamd_t)
+
 logging_send_syslog_msg(spamd_t)
 
 miscfiles_read_localization(spamd_t)
 
-sysnet_read_config(spamd_t)
-sysnet_use_ldap(spamd_t)
-sysnet_dns_name_resolve(spamd_t)
-
 userdom_use_unpriv_users_fds(spamd_t)
 userdom_search_user_home_dirs(spamd_t)
 
+optional_policy(`
+       exim_manage_spool_dirs(spamd_t)
+       exim_manage_spool_files(spamd_t)
+')
+
 tunable_policy(`use_nfs_home_dirs',`
+       fs_manage_nfs_dirs(spamd_t)
        fs_manage_nfs_files(spamd_t)
 ')
 
 tunable_policy(`use_samba_home_dirs',`
+       fs_manage_cifs_dirs(spamd_t)
        fs_manage_cifs_files(spamd_t)
 ')
 
@@ -399,7 +497,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+       dcc_domtrans_cdcc(spamd_t)
        dcc_domtrans_client(spamd_t)
+       dcc_signal_client(spamd_t)
        dcc_stream_connect_dccifd(spamd_t)
 ')
 
@@ -415,10 +515,6 @@ optional_policy(`
        mysql_stream_connect(spamd_t)
 ')
 
-optional_policy(`
-       nis_use_ypbind(spamd_t)
-')
-
 optional_policy(`
        postfix_read_config(spamd_t)
 ')
@@ -437,6 +533,10 @@ optional_policy(`
 
 optional_policy(`
        razor_domtrans(spamd_t)
+       razor_read_lib_files(spamd_t)
+       tunable_policy(`spamd_enable_home_dirs',`
+               razor_manage_user_home_files(spamd_t)
+       ')
 ')
 
 optional_policy(`
index d2496bd70f9f30de27b568640a99ae280c9b310e..dc4f590ce5c5823fa901009c03df733ea531e47b 100644 (file)
@@ -71,7 +71,7 @@ interface(`squid_rw_stream_sockets',`
                type squid_t;
        ')
 
-       allow $1 squid_t:unix_stream_socket { getattr read write };
+       allow $1 squid_t:unix_stream_socket rw_socket_perms;
 ')
 
 ########################################
@@ -83,7 +83,6 @@ interface(`squid_rw_stream_sockets',`
 ##     Domain to not audit.
 ##     </summary>
 ## </param>
-## <rolecap/>
 #
 interface(`squid_dontaudit_search_cache',`
        gen_require(`
index 078bcd7d33453cf18289ed114a8eebd6852bd4b2..dd706b0f435755f214cade88d0e6c9230df7c6d4 100644 (file)
@@ -1,4 +1,9 @@
 HOME_DIR/\.ssh(/.*)?                   gen_context(system_u:object_r:ssh_home_t,s0)
+HOME_DIR/\.shosts                      gen_context(system_u:object_r:ssh_home_t,s0)
+
+/var/lib/gitolite/\.ssh(/.*)?          gen_context(system_u:object_r:ssh_home_t,s0)
+
+/etc/rc\.d/init\.d/sshd        --  gen_context(system_u:object_r:sshd_initrc_exec_t,s0)
 
 /etc/ssh/primes                        --      gen_context(system_u:object_r:sshd_key_t,s0)
 /etc/ssh/ssh_host_key          --      gen_context(system_u:object_r:sshd_key_t,s0)
@@ -14,3 +19,7 @@ HOME_DIR/\.ssh(/.*)?                  gen_context(system_u:object_r:ssh_home_t,s0)
 /usr/sbin/sshd                 --      gen_context(system_u:object_r:sshd_exec_t,s0)
 
 /var/run/sshd\.init\.pid       --      gen_context(system_u:object_r:sshd_var_run_t,s0)
+/var/run/sshd\.pid             --      gen_context(system_u:object_r:sshd_var_run_t,s0)
+
+/root/\.ssh(/.*)?                      gen_context(system_u:object_r:home_ssh_t,s0)
+/root/\.shosts                         gen_context(system_u:object_r:home_ssh_t,s0)
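Review bot: The new `/root/\.ssh(/.*)?` and `/root/\.shosts` entries use `home_ssh_t` while the `HOME_DIR/\.ssh` and `HOME_DIR/\.shosts` entries at the top of the file use `ssh_home_t`. If `home_ssh_t` is only an alias of `ssh_home_t` the two spellings are equivalent and one should be used throughout; if it is a distinct type, root's keys will be labeled differently from every other user's. The `/etc/rc\.d/init\.d/sshd` line also separates its fields with spaces rather than the tabs used elsewhere in the file.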
index 22adacadbc7306448b7f2f566f84a4cc70242e78..784c36359e1425ae2cb55a23d32d5ce3b485bfc4 100644 (file)
 ## </param>
 #
 template(`ssh_basic_client_template',`
-
        gen_require(`
                attribute ssh_server;
                type ssh_exec_t, sshd_key_t, sshd_tmp_t;
+               type ssh_home_t;
        ')
 
        ##############################
@@ -47,10 +47,6 @@ template(`ssh_basic_client_template',`
        application_domain($1_ssh_t, ssh_exec_t)
        role $3 types $1_ssh_t;
 
-       type $1_ssh_home_t;
-       files_type($1_ssh_home_t)
-       typealias $1_ssh_home_t alias $1_home_ssh_t;
-
        ##############################
        #
        # Client local policy
@@ -93,18 +89,18 @@ template(`ssh_basic_client_template',`
        ps_process_pattern($2, $1_ssh_t)
 
        # user can manage the keys and config
-       manage_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t)
-       manage_lnk_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t)
-       manage_sock_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t)
+       manage_files_pattern($2, ssh_home_t, ssh_home_t)
+       manage_lnk_files_pattern($2, ssh_home_t, ssh_home_t)
+       manage_sock_files_pattern($2, ssh_home_t, ssh_home_t)
 
        # ssh client can manage the keys and config
-       manage_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t)
-       read_lnk_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t)
+       manage_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t)
+       read_lnk_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t)
 
        # ssh servers can read the user keys and config
-       allow ssh_server $1_ssh_home_t:dir list_dir_perms;
-       read_files_pattern(ssh_server, $1_ssh_home_t, $1_ssh_home_t)
-       read_lnk_files_pattern(ssh_server, $1_ssh_home_t, $1_ssh_home_t)
+       allow ssh_server ssh_home_t:dir list_dir_perms;
+       read_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
+       read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
 
        kernel_read_kernel_sysctls($1_ssh_t)
        kernel_read_system_state($1_ssh_t)
@@ -116,6 +112,8 @@ template(`ssh_basic_client_template',`
        corenet_tcp_sendrecv_all_ports($1_ssh_t)
        corenet_tcp_connect_ssh_port($1_ssh_t)
        corenet_sendrecv_ssh_client_packets($1_ssh_t)
+       corenet_tcp_bind_generic_node($1_ssh_t)
+       corenet_tcp_bind_all_unreserved_ports($1_ssh_t)
 
        dev_read_urand($1_ssh_t)
 
@@ -168,7 +166,7 @@ template(`ssh_basic_client_template',`
 ##     </summary>
 ## </param>
 #
-template(`ssh_server_template', `
+template(`ssh_server_template',`
        type $1_t, ssh_server;
        auth_login_pgm_domain($1_t)
 
@@ -181,16 +179,16 @@ template(`ssh_server_template', `
        type $1_var_run_t;
        files_pid_file($1_var_run_t)
 
-       allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
+       allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
        allow $1_t self:fifo_file rw_fifo_file_perms;
-       allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
+       allow $1_t self:process { signal getsched setsched setrlimit setexec };
        allow $1_t self:tcp_socket create_stream_socket_perms;
        allow $1_t self:udp_socket create_socket_perms;
        # ssh agent connections:
        allow $1_t self:unix_stream_socket create_stream_socket_perms;
        allow $1_t self:shm create_shm_perms;
 
-       allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
+       allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom };
        term_create_pty($1_t, $1_devpts_t)
 
        manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
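Review bot: `net_admin` is added to the sshd capability set here, but the only justification (`# tunnel feature and -w (net_admin capability also)`) lives in a later hunk next to `corenet_rw_tun_tap_dev`; put a matching comment on the capability line itself so the two are not separated by future edits. The same line also drops `setkeycreate` from the process permissions without explanation; if sshd no longer sets a key-creation context this is fine, otherwise login keyring setup regresses, so a one-line note either way would help.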
@@ -206,6 +204,7 @@ template(`ssh_server_template', `
 
        kernel_read_kernel_sysctls($1_t)
        kernel_read_network_state($1_t)
+       kernel_request_load_module(ssh_t)
 
        corenet_all_recvfrom_unlabeled($1_t)
        corenet_all_recvfrom_netlabel($1_t)
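Review bot: `kernel_request_load_module(ssh_t)` inside `ssh_server_template` names the client type `ssh_t` instead of the template parameter `$1_t` that every surrounding rule uses. As written, each instantiation of the server template grants the module-request permission to the ssh client domain and the server domain receives nothing; the line should read `kernel_request_load_module($1_t)`.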
@@ -220,8 +219,11 @@ template(`ssh_server_template', `
        corenet_tcp_bind_generic_node($1_t)
        corenet_udp_bind_generic_node($1_t)
        corenet_tcp_bind_ssh_port($1_t)
-       corenet_tcp_connect_all_ports($1_t)
        corenet_sendrecv_ssh_server_packets($1_t)
+       # -R qualifier
+       corenet_sendrecv_ssh_server_packets($1_t)
+       # tunnel feature and -w (net_admin capability also)
+       corenet_rw_tun_tap_dev($1_t)
 
        fs_dontaudit_getattr_all_fs($1_t)
 
@@ -234,6 +236,7 @@ template(`ssh_server_template', `
        corecmd_getattr_bin_files($1_t)
 
        domain_interactive_fd($1_t)
+       domain_dyntrans_type($1_t)
 
        files_read_etc_files($1_t)
        files_read_etc_runtime_files($1_t)
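Review bot: `domain_dyntrans_type($1_t)` allows the sshd domain to change its own security context without an exec, which is a significant capability for a network-facing login daemon and has no comment here. A why-comment naming the feature that requires it (for instance the privilege-separation or context-switching step that triggers the denial) would let reviewers judge whether it belongs unconditionally in the template or behind a tunable.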
@@ -243,9 +246,8 @@ template(`ssh_server_template', `
 
        miscfiles_read_localization($1_t)
 
-       userdom_create_all_users_keys($1_t)
        userdom_dontaudit_relabelfrom_user_ptys($1_t)
-       userdom_search_user_home_dirs($1_t)
+       userdom_read_user_home_content_files($1_t)
 
        # Allow checking users mail at login
        mta_getattr_spool($1_t)
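Review bot: Replacing `userdom_search_user_home_dirs($1_t)` with `userdom_read_user_home_content_files($1_t)` widens sshd from searching home directories to reading all user home content, not just the `ssh_home_t` keys it already reads through the `ssh_server` attribute. If the motivation is an AuthorizedKeysFile outside ~/.ssh, say so in a comment above the line; otherwise the narrower search permission plus the existing ssh_home_t read rules should suffice. The removal of `userdom_create_all_users_keys($1_t)` is presumably covered elsewhere and worth a note as well.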
@@ -268,6 +270,14 @@ template(`ssh_server_template', `
                files_read_var_lib_symlinks($1_t)
                nx_spec_domtrans_server($1_t)
        ')
+
+       optional_policy(`
+               rlogin_read_home_content($1_t)
+       ')
+
+       optional_policy(`
+               shutdown_getattr_exec_files($1_t)
+       ')
 ')
 
 ########################################
@@ -290,11 +300,11 @@ template(`ssh_server_template', `
 ##     User domain for the role
 ##     </summary>
 ## </param>
+## <rolecap/>
 #
 template(`ssh_role_template',`
        gen_require(`
                attribute ssh_server, ssh_agent_type;
-
                type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
                type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
                type ssh_agent_tmp_t;
@@ -327,7 +337,7 @@ template(`ssh_role_template',`
 
        # allow ps to show ssh
        ps_process_pattern($3, ssh_t)
-       allow $3 ssh_t:process signal;
+       allow $3 ssh_t:process { ptrace signal_perms };
 
        # for rsync
        allow ssh_t $3:unix_stream_socket rw_socket_perms;
@@ -338,6 +348,7 @@ template(`ssh_role_template',`
        manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
        manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
        userdom_search_user_home_dirs($1_t)
+       userdom_manage_tmp_role($2, ssh_t)
 
        ##############################
        #
@@ -359,7 +370,7 @@ template(`ssh_role_template',`
        stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
 
        # Allow the user shell to signal the ssh program.
-       allow $3 $1_ssh_agent_t:process signal;
+       allow $3 $1_ssh_agent_t:process { ptrace signal_perms };
 
        # allow ps to show ssh
        ps_process_pattern($3, $1_ssh_agent_t)
@@ -381,7 +392,6 @@ template(`ssh_role_template',`
 
        files_read_etc_files($1_ssh_agent_t)
        files_read_etc_runtime_files($1_ssh_agent_t)
-       files_search_home($1_ssh_agent_t)
 
        libs_read_lib_files($1_ssh_agent_t)
 
@@ -398,9 +408,6 @@ template(`ssh_role_template',`
        # for the transition back to normal privs upon exec
        userdom_search_user_home_content($1_ssh_agent_t)
        userdom_user_home_domtrans($1_ssh_agent_t, $3)
-       allow $3 $1_ssh_agent_t:fd use;
-       allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
-       allow $3 $1_ssh_agent_t:process sigchld;
 
        tunable_policy(`use_nfs_home_dirs',`
                fs_manage_nfs_files($1_ssh_agent_t)
@@ -477,8 +484,9 @@ interface(`ssh_read_pipes',`
                type sshd_t;
        ')
 
-       allow $1 sshd_t:fifo_file { getattr read };
+       allow $1 sshd_t:fifo_file read_fifo_file_perms;
 ')
+
 ########################################
 ## <summary>
 ##     Read and write a ssh server unnamed pipe.
@@ -494,7 +502,7 @@ interface(`ssh_rw_pipes',`
                type sshd_t;
        ')
 
-       allow $1 sshd_t:fifo_file { write read getattr ioctl };
+       allow $1 sshd_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 
 ########################################
@@ -584,6 +592,24 @@ interface(`ssh_domtrans',`
        domtrans_pattern($1, sshd_exec_t, sshd_t)
 ')
 
+########################################
+## <summary>
+##     Execute sshd server in the sshd domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`ssh_initrc_domtrans',`
+       gen_require(`
+               type sshd_initrc_exec_t;
+       ')
+
+       init_labeled_script_domtrans($1, sshd_initrc_exec_t)
+')
+
 ########################################
 ## <summary>
 ##     Execute the ssh client in the caller domain.
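Review bot: The summary of the new ssh_initrc_domtrans interface, "Execute sshd server in the sshd domain.", describes the wrong thing: the body calls init_labeled_script_domtrans on sshd_initrc_exec_t, so the caller transitions into the init script domain to start or stop the service, not into sshd_t. Suggest `##     Execute the sshd init script in the init script domain.` so it is not confused with ssh_domtrans just above it.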
@@ -618,7 +644,7 @@ interface(`ssh_setattr_key_files',`
                type sshd_key_t;
        ')
 
-       allow $1 sshd_key_t:file setattr;
+       allow $1 sshd_key_t:file setattr_file_perms;
        files_search_pids($1)
 ')
 
@@ -695,7 +721,7 @@ interface(`ssh_dontaudit_read_server_keys',`
                type sshd_key_t;
        ')
 
-       dontaudit $1 sshd_key_t:file { getattr read };
+       dontaudit $1 sshd_key_t:file read_file_perms;
 ')
 
 ######################################
@@ -735,3 +761,21 @@ interface(`ssh_delete_tmp',`
        files_search_tmp($1)
        delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
 ')
+
+########################################
+## <summary>
+##     Send a null signal to sshd processes.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`ssh_signull',`
+       gen_require(`
+               type sshd_t;
+       ')
+
+       allow $1 sshd_t:process signull;
+')
index 2dad3c8e4b1dad0dd4e8cbb134ec9e9e4342977e..68c305744d7dfcd58bcf90c3de8b9d5d049e2605 100644 (file)
@@ -19,6 +19,13 @@ gen_tunable(allow_ssh_keysign, false)
 ## </desc>
 gen_tunable(ssh_sysadm_login, false)
 
+## <desc>
+## <p>
+## allow sshd to forward port connections
+## </p>
+## </desc>
+gen_tunable(sshd_forward_ports, false)
+
 attribute ssh_server;
 attribute ssh_agent_type;
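Review bot: The description of the new sshd_forward_ports tunable, "allow sshd to forward port connections", understates what the boolean does: where it is used later in this file it grants sshd bind on every unreserved port and connect to every TCP port, reserved ones included. Since the description is what users see in semanage/booleans tools, make it say so, e.g. `## Allow sshd to bind any unreserved port and connect to any TCP port, as needed for port forwarding.`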
 
@@ -33,13 +40,12 @@ corecmd_executable_file(sshd_exec_t)
 ssh_server_template(sshd)
 init_daemon_domain(sshd_t, sshd_exec_t)
 
+type sshd_initrc_exec_t;
+init_script_file(sshd_initrc_exec_t)
+
 type sshd_key_t;
 files_type(sshd_key_t)
 
-type sshd_tmp_t;
-files_tmp_file(sshd_tmp_t)
-files_poly_parent(sshd_tmp_t)
-
 ifdef(`enable_mcs',`
        init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
 ')
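Review bot: Dropping the `type sshd_tmp_t;` declaration here only builds if ssh_server_template(sshd) above already declares sshd_tmp_t, because ssh_delete_tmp in ssh.if (visible earlier in this commit) still requires and uses that type; that is worth confirming rather than assuming. Even if the template declares it, `files_poly_parent(sshd_tmp_t)` is removed without replacement, so /tmp polyinstantiation for sshd's temporary directory silently changes unless the template also applies it. If it does not, keep `files_poly_parent(sshd_tmp_t)` after the template call.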
@@ -99,11 +105,6 @@ allow ssh_t self:tcp_socket create_stream_socket_perms;
 # Read the ssh key file.
 allow ssh_t sshd_key_t:file read_file_perms;
 
-# Access the ssh temporary files.
-allow ssh_t sshd_tmp_t:dir manage_dir_perms;
-allow ssh_t sshd_tmp_t:file manage_file_perms;
-files_tmp_filetrans(ssh_t, sshd_tmp_t, { file dir })
-
 manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
 manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
 manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
@@ -113,6 +114,7 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
 manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
 manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
 userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
+userdom_stream_connect(ssh_t)
 
 # Allow the ssh program to communicate with ssh-agent.
 stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
@@ -124,9 +126,10 @@ manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
 read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
 
 # ssh servers can read the user keys and config
-allow ssh_server ssh_home_t:dir list_dir_perms;
-read_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
-read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
+manage_dirs_pattern(ssh_server, ssh_home_t, ssh_home_t)
+manage_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
+userdom_user_home_dir_filetrans(ssh_server, ssh_home_t, dir)
+userdom_admin_home_dir_filetrans(ssh_server, ssh_home_t, dir)
 
 kernel_read_kernel_sysctls(ssh_t)
 kernel_read_system_state(ssh_t)
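Review bot: The comment `# ssh servers can read the user keys and config` is now wrong: the new manage_dirs_pattern/manage_files_pattern rules let every ssh_server domain create, write and delete ~/.ssh content in user and admin home directories, authorized_keys included, which is a materially larger grant than the read-only pattern it replaces. Record why sshd needs write access, e.g. `# ssh servers read user keys and config and may create ~/.ssh` followed by the reason, and if only creation of the directory on first login is needed, prefer a create-only pattern plus the two filetrans rules over full manage.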
@@ -138,6 +141,8 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
 corenet_tcp_sendrecv_all_ports(ssh_t)
 corenet_tcp_connect_ssh_port(ssh_t)
 corenet_sendrecv_ssh_client_packets(ssh_t)
+corenet_tcp_bind_generic_node(ssh_t)
+corenet_tcp_bind_all_unreserved_ports(ssh_t)
 
 dev_read_urand(ssh_t)
 
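Review bot: `corenet_tcp_bind_all_unreserved_ports(ssh_t)` is unconditional, so any ssh client invocation may listen on any unreserved port, while the server side of the same feature is gated behind the new sshd_forward_ports tunable later in this file; the asymmetry looks unintended. Presumably the bind rules serve local port forwarding listeners; consider wrapping the two new lines in a matching client tunable (e.g. ssh_forward_ports) or, at minimum, add `# for local port forwarding listeners` above them.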
@@ -169,8 +174,10 @@ userdom_dontaudit_list_user_home_dirs(ssh_t)
 userdom_search_user_home_dirs(ssh_t)
 # Write to the user domain tty.
 userdom_use_user_terminals(ssh_t)
-# needs to read krb tgt
+# needs to read krb/write tgt
 userdom_read_user_tmp_files(ssh_t)
+userdom_write_user_tmp_files(ssh_t)
+userdom_read_user_home_content_symlinks(ssh_t)
 
 tunable_policy(`allow_ssh_keysign',`
        domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
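Review bot: The comment `# needs to read krb/write tgt` is hard to parse; suggest `# ssh reads and writes the user's Kerberos credential cache (TGT) in /tmp`. Note that `userdom_write_user_tmp_files(ssh_t)` grants write on every user_tmp_t file, not only the credential cache, so either the comment should say the grant is broader than its purpose or the cache should get a dedicated type.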
@@ -200,6 +207,54 @@ optional_policy(`
        xserver_domtrans_xauth(ssh_t)
 ')
 
+########################################
+#
+# ssh_keygen local policy
+#
+
+# ssh_keygen_t is the type of the ssh-keygen program when run at install time
+# and by sysadm_t
+
+dontaudit ssh_keygen_t self:capability sys_tty_config;
+allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
+
+allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
+
+allow ssh_keygen_t sshd_key_t:file manage_file_perms;
+files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
+
+kernel_read_kernel_sysctls(ssh_keygen_t)
+
+fs_search_auto_mountpoints(ssh_keygen_t)
+
+dev_read_sysfs(ssh_keygen_t)
+dev_read_urand(ssh_keygen_t)
+
+term_dontaudit_use_console(ssh_keygen_t)
+
+domain_use_interactive_fds(ssh_keygen_t)
+
+files_read_etc_files(ssh_keygen_t)
+
+init_use_fds(ssh_keygen_t)
+init_use_script_ptys(ssh_keygen_t)
+
+logging_send_syslog_msg(ssh_keygen_t)
+
+userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
+
+optional_policy(`
+       nscd_socket_use(ssh_keygen_t)
+')
+
+optional_policy(`
+       seutil_sigchld_newrole(ssh_keygen_t)
+')
+
+optional_policy(`
+       udev_read_db(ssh_keygen_t)
+')
+
 ##############################
 #
 # ssh_keysign_t local policy
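Review bot: This hunk inserts a complete "ssh_keygen local policy" section, but the later hunk in this file (around old line 352, where `nscd_socket_use(ssh_keygen_t)` is removed) shows the pre-existing ssh_keygen_t rules — logging_send_syslog_msg, userdom_dontaudit_use_unpriv_user_fds, the seutil_sigchld_newrole optional block — still present, so after this commit the same rules are declared twice. Duplicate allow rules compile, but two copies will drift; delete the older section (or this one) and keep the nscd_socket_use call in whichever survives.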
@@ -233,44 +288,65 @@ optional_policy(`
 allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
 allow sshd_t self:key { search link write };
 
-manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
-manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
-manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
-files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
+allow sshd_t self:process setcurrent;
 
 kernel_search_key(sshd_t)
 kernel_link_key(sshd_t)
 
 term_use_all_ptys(sshd_t)
 term_setattr_all_ptys(sshd_t)
+term_setattr_all_ttys(sshd_t)
 term_relabelto_all_ptys(sshd_t)
+term_use_ptmx(sshd_t)
 
 # for X forwarding
 corenet_tcp_bind_xserver_port(sshd_t)
 corenet_sendrecv_xserver_server_packets(sshd_t)
 
+tunable_policy(`sshd_forward_ports', `
+       corenet_tcp_bind_all_unreserved_ports(sshd_t)
+       corenet_tcp_connect_all_ports(sshd_t)
+')
+
+userdom_read_user_home_content_files(sshd_t)
+userdom_read_user_home_content_symlinks(sshd_t)
+userdom_search_admin_dir(sshd_t)
+userdom_manage_tmp_role(system_r, sshd_t)
+
 tunable_policy(`ssh_sysadm_login',`
        # Relabel and access ptys created by sshd
        # ioctl is necessary for logout() processing for utmp entry and for w to
        # display the tty.
        # some versions of sshd on the new SE Linux require setattr
-       userdom_spec_domtrans_all_users(sshd_t)
        userdom_signal_all_users(sshd_t)
-',`
-       userdom_spec_domtrans_unpriv_users(sshd_t)
-       userdom_signal_unpriv_users(sshd_t)
 ')
 
+userdom_spec_domtrans_unpriv_users(sshd_t)
+userdom_signal_unpriv_users(sshd_t)
+
 optional_policy(`
        daemontools_service_domain(sshd_t, sshd_exec_t)
 ')
 
+optional_policy(`
+       kerberos_keytab_template(sshd, sshd_t)
+')
+
+optional_policy(`
+       ftp_dyntrans_sftpd(sshd_t)
+       ftp_dyntrans_anon_sftpd(sshd_t)
+')
+
+optional_policy(`
+       gitosis_manage_lib_files(sshd_t)
+')
+
 optional_policy(`
        inetd_tcp_service_domain(sshd_t, sshd_exec_t)
 ')
 
 optional_policy(`
-       kerberos_keytab_template(sshd, sshd_t)
+       nx_read_home_files(sshd_t)
 ')
 
 optional_policy(`
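Review bot: Inside the ssh_sysadm_login branch, `userdom_spec_domtrans_all_users(sshd_t)` is removed and nothing replaces it, so with the boolean enabled sshd can still signal all users but only transitions to unprivileged user domains via the now-unconditional `userdom_spec_domtrans_unpriv_users(sshd_t)`; unless the sysadm transition moved into the userdomain module in this same commit, enabling the boolean no longer does what its description promises. Either restore the call inside the tunable or fix the tunable's description and the comment block above it, which still talks about relabeling ptys rather than what the branch grants. `allow sshd_t self:process setcurrent;` is also new and unconditional; a one-line comment tying it to the ftp_dyntrans_sftpd calls below would help the next reader.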
@@ -283,6 +359,11 @@ optional_policy(`
        rssh_read_ro_content(sshd_t)
 ')
 
+optional_policy(`
+       usermanage_domtrans_passwd(sshd_t)
+       usermanage_read_crack_db(sshd_t)
+')
+
 optional_policy(`
        unconfined_shell_domtrans(sshd_t)
 ')
@@ -352,10 +433,6 @@ logging_send_syslog_msg(ssh_keygen_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
 
-optional_policy(`
-       nscd_socket_use(ssh_keygen_t)
-')
-
 optional_policy(`
        seutil_sigchld_newrole(ssh_keygen_t)
 ')
index 941380a73e8e2729074db905397407f14fdbf090..6dbfc01688dabbd33d76d31c123854ae2773a65c 100644 (file)
@@ -5,9 +5,9 @@
 ##     Execute a domain transition to run sssd.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##     <summary>
 ##     Domain allowed to transition.
-## </summary>
+##     </summary>
 ## </param>
 #
 interface(`sssd_domtrans',`
@@ -89,6 +89,7 @@ interface(`sssd_manage_pids',`
                type sssd_var_run_t;
        ')
 
+       files_search_pids($1)
        manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
        manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
 ')
@@ -128,7 +129,6 @@ interface(`sssd_dontaudit_search_lib',`
        ')
 
        dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
-       files_search_var_lib($1)
 ')
 
 ########################################
@@ -225,21 +225,15 @@ interface(`sssd_stream_connect',`
 ##     The role to be allowed to manage the sssd domain.
 ##     </summary>
 ## </param>
-## <param name="terminal">
-##     <summary>
-##     The type of the user terminal.
-##     </summary>
-## </param>
 ## <rolecap/>
 #
 interface(`sssd_admin',`
        gen_require(`
-               type sssd_t, sssd_public_t;
-               type sssd_initrc_exec_t;
+               type sssd_t, sssd_public_t, sssd_initrc_exec_t;
        ')
 
-       allow $1 sssd_t:process { ptrace signal_perms getattr };
-       read_files_pattern($1, sssd_t, sssd_t)
+       allow $1 sssd_t:process { ptrace signal_perms };
+       ps_process_pattern($1, sssd_t)
 
        # Allow sssd_t to restart the apache service
        sssd_initrc_domtrans($1)
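Review bot: The comment `# Allow sssd_t to restart the apache service` next to the changed rules is a copy-paste leftover: the call below it is sssd_initrc_domtrans($1), which lets the admin domain run the sssd init script, and sssd_t is the managed domain, not the caller. Suggest `# Allow the admin domain to start and stop the sssd service`. The rest of sssd_admin is outside this hunk.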
index 8ffa2577e7b69c723070fd78b61543cd46ca8612..07d6748fdb5e720a65fece383bf97e7b72558767 100644 (file)
@@ -28,9 +28,10 @@ files_pid_file(sssd_var_run_t)
 #
 # sssd local policy
 #
-allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid };
+allow sssd_t self:capability { chown dac_read_search dac_override kill sys_nice setgid setuid };
 allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
 allow sssd_t self:fifo_file rw_file_perms;
+allow sssd_t self:key manage_key_perms;
 allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 
 manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
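Review bot: `chown` is added to sssd_t's capability set with no comment; CAP_CHOWN lets the daemon change ownership of any file it can otherwise reach, so the file it needs to chown should be recorded inline, e.g. `# chown: needed for <path>` on the capability line. The same applies to `allow sssd_t self:key manage_key_perms;`, presumably for kernel keyring use, which deserves a word on why.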
@@ -48,6 +49,7 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
 manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
 files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
 
+kernel_read_network_state(sssd_t)
 kernel_read_system_state(sssd_t)
 
 corecmd_exec_bin(sssd_t)
@@ -80,6 +82,8 @@ logging_send_audit_msgs(sssd_t)
 
 miscfiles_read_localization(sssd_t)
 
+userdom_manage_tmp_role(system_r, sssd_t)
+
 optional_policy(`
        dbus_system_bus_client(sssd_t)
        dbus_connect_system_bus(sssd_t)
index 6073656f29d1e9f591283007e82ae8bbb9f81302..eaf49b20ab785790ef6e0d37bd8344ecff8d1d1b 100644 (file)
@@ -20,6 +20,6 @@ interface(`stunnel_service_domain',`
                type stunnel_t;
        ')
 
-       domtrans_pattern(stunnel_t,$2,$1)
+       domtrans_pattern(stunnel_t, $2, $1)
        allow $1 stunnel_t:tcp_socket rw_socket_perms;
 ')
index 52f0d6c29dc13598b5cb80a417bb00438fc9d30a..111b041d9229d4e495294e886e99f1ac7360bccf 100644 (file)
@@ -18,8 +18,7 @@ logging_log_file(sysstat_log_t)
 # Local policy
 #
 
-allow sysstat_t self:capability { dac_override sys_resource sys_tty_config };
-dontaudit sysstat_t self:capability sys_admin;
+allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_config };
 allow sysstat_t self:fifo_file rw_fifo_file_perms;
 
 can_exec(sysstat_t, sysstat_exec_t)
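Review bot: `sys_admin` moves from a dontaudit to an allow on sysstat_t; CAP_SYS_ADMIN is close to unrestricted root (mount, many ioctls, quota and namespace operations), and a dontaudit usually records that an earlier reviewer judged the denial harmless. Unless a specific sadc/sar operation is known to fail without it, keep `dontaudit sysstat_t self:capability sys_admin;` and leave the allow line at `{ dac_override sys_resource sys_tty_config }`; if it really is needed, a comment naming the operation belongs on the line.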
@@ -68,3 +67,8 @@ optional_policy(`
 optional_policy(`
        logging_send_syslog_msg(sysstat_t)
 ')
+
+optional_policy(`
+       nscd_socket_use(sysstat_t)
+')
+
index f40e67b15dd4e61398cbdf8698cb7c825a3ccfce..a0eeea93958c31a8921f20680616b7d3cbeefa90 100644 (file)
@@ -38,7 +38,6 @@ term_create_pty(telnetd_t, telnetd_devpts_t)
 
 manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
 manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
-files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
 
 manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t)
 files_pid_filetrans(telnetd_t, telnetd_var_run_t, file)
@@ -85,6 +84,8 @@ remotelogin_domtrans(telnetd_t)
 
 userdom_search_user_home_dirs(telnetd_t)
 userdom_setattr_user_ptys(telnetd_t)
+userdom_manage_user_tmp_files(telnetd_t)
+userdom_tmp_filetrans_user_tmp(telnetd_t, file)
 
 optional_policy(`
        kerberos_keytab_template(telnetd, telnetd_t)
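Review bot: With `userdom_tmp_filetrans_user_tmp(telnetd_t, file)` telnetd now creates its /tmp files as user_tmp_t, and the earlier hunk in this file removed the telnetd_tmp_t filetrans, so the manage rules that remain on telnetd_tmp_t are dead unless something else still labels files that way. `userdom_manage_user_tmp_files(telnetd_t)` also lets telnetd modify every user's tmp files, not only the ones it creates; if this is for the Kerberos credential cache, say so in a comment and consider whether a dedicated type would be tighter.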
index 38bb3127d05e1224b194fca19dd79e2abcace15e..1427b54b5df9313b028de8f26c24ce525a0d76a6 100644 (file)
@@ -16,6 +16,26 @@ interface(`tftp_read_content',`
        ')
 
        read_files_pattern($1, tftpdir_t, tftpdir_t)
+       read_lnk_files_pattern($1, tftpdir_t, tftpdir_t)
+')
+
+########################################
+## <summary>
+##     Search tftp /var/lib directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`tftp_search_rw_content',`
+       gen_require(`
+               type tftpdir_rw_t;
+       ')
+
+       search_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
+       files_search_var_lib($1)
 ')
 
 ########################################
@@ -38,6 +58,36 @@ interface(`tftp_manage_rw_content',`
        manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
 ')
 
+########################################
+## <summary>
+##     Create objects in tftpdir directories
+##     with specified types.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="file_type">
+##     <summary>
+##     Private file type.
+##     </summary>
+## </param>
+## <param name="object_class">
+##     <summary>
+##     Class of the object being created.
+##     </summary>
+## </param>
+#
+interface(`tftp_filetrans_tftpdir',`
+       gen_require(`
+               type tftpdir_rw_t;
+       ')
+
+       filetrans_pattern($1, tftpdir_rw_t, $2, $3)
+       files_search_var_lib($1)
+')
+
 ########################################
 ## <summary>
 ##     All of the rules required to administrate
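Review bot: The new interface is named tftp_filetrans_tftpdir and its summary says "Create objects in tftpdir directories", but the rule targets tftpdir_rw_t, not the read-only tftpdir_t. Either name it tftp_filetrans_tftpdir_rw or make the summary say `##     Create objects in tftp read/write (tftpdir_rw_t) directories`, so callers do not assume they can create files under the read-only tree.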
@@ -55,9 +105,10 @@ interface(`tftp_admin',`
                type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
        ')
 
-       allow $1 tftpd_t:process { ptrace signal_perms getattr };
+       allow $1 tftpd_t:process { ptrace signal_perms };
        ps_process_pattern($1, tftpd_t)
 
+       files_list_var_lib($1)
        admin_pattern($1, tftpdir_rw_t)
 
        admin_pattern($1, tftpdir_t)
index d50c10d0a98d87cbc041700cdec50131e2ceee03..66bfd1cad3256d7384ea005ef36387324b6c26f4 100644 (file)
@@ -93,6 +93,10 @@ tunable_policy(`tftp_anon_write',`
        miscfiles_manage_public_files(tftpd_t)
 ')
 
+optional_policy(`
+       cobbler_read_lib_files(tftpd_t)
+')
+
 optional_policy(`
        inetd_udp_service_domain(tftpd_t, tftpd_exec_t)
 ')
index b113b410f43d79b4b32c70e99608b35200b2c4aa..c2ed23a8b718e02708fdf12773a91335b653b30f 100644 (file)
 
 #####################################
 ## <summary>
-##      Allow read and write access to tgtd semaphores.
+##     Allow read and write access to tgtd semaphores.
 ## </summary>
 ## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
+##     <summary>
+##     Domain allowed access.
+##     </summary>
 ## </param>
 #
 interface(`tgtd_rw_semaphores',`
-        gen_require(`
-                type tgtd_t;
-        ')
+       gen_require(`
+               type tgtd_t;
+       ')
 
-        allow $1 tgtd_t:sem rw_sem_perms;
+       allow $1 tgtd_t:sem rw_sem_perms;
+')
+
+######################################
+## <summary>
+##     Manage tgtd sempaphores.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`tgtd_manage_semaphores',`
+       gen_require(`
+               type tgtd_t;
+       ')
+
+       allow $1 tgtd_t:sem create_sem_perms;
 ')
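Review bot: The summary of the new tgtd_manage_semaphores interface misspells its subject ("sempaphores"); it should read `##     Manage tgtd semaphores.`. Otherwise the interface mirrors tgtd_rw_semaphores above it with create_sem_perms.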
index aa0cc45658c5114682ae5de33553b86aabe7394f..678ab90305f6f837ebdf1cfb980a1eb88a8462c2 100644 (file)
@@ -57,10 +57,18 @@ corenet_tcp_bind_generic_node(tgtd_t)
 corenet_tcp_bind_iscsi_port(tgtd_t)
 corenet_sendrecv_iscsi_server_packets(tgtd_t)
 
+dev_search_sysfs(tgtd_t)
+
 files_read_etc_files(tgtd_t)
 
+fs_read_anon_inodefs_files(tgtd_t)
+
 storage_manage_fixed_disk(tgtd_t)
 
 logging_send_syslog_msg(tgtd_t)
 
 miscfiles_read_localization(tgtd_t)
+
+optional_policy(`
+       iscsi_manage_semaphores(tgtd_t)
+')
index 904f13e107ab22bb3b298b4d7ca2ce3edf7db5b4..464347fef3b94a4b124f02092bbfd4631f50392a 100644 (file)
@@ -42,7 +42,7 @@ interface(`tor_admin',`
                type tor_initrc_exec_t;
        ')
 
-       allow $1 tor_t:process { ptrace signal_perms getattr };
+       allow $1 tor_t:process { ptrace signal_perms };
        ps_process_pattern($1, tor_t)
 
        init_labeled_script_domtrans($1, tor_initrc_exec_t)
index 9fa94e4dabf6bca4aa0c4f6fae5cb4e7595c74a6..0a0074cbe3bd3bb3812c74622e7dda8d268ffa06 100644 (file)
@@ -42,6 +42,8 @@ files_pid_file(tor_var_run_t)
 #
 
 allow tor_t self:capability { setgid setuid sys_tty_config };
+allow tor_t self:process signal;
+
 allow tor_t self:fifo_file rw_fifo_file_perms;
 allow tor_t self:unix_stream_socket create_stream_socket_perms;
 allow tor_t self:netlink_route_socket r_netlink_socket_perms;
@@ -67,9 +69,10 @@ manage_sock_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
 logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir })
 
 # pid file
+manage_dirs_pattern(tor_t, tor_var_run_t, tor_var_run_t)
 manage_files_pattern(tor_t, tor_var_run_t, tor_var_run_t)
 manage_sock_files_pattern(tor_t, tor_var_run_t, tor_var_run_t)
-files_pid_filetrans(tor_t, tor_var_run_t, { file sock_file })
+files_pid_filetrans(tor_t, tor_var_run_t, { file sock_file dir })
 
 kernel_read_system_state(tor_t)
 
@@ -88,6 +91,7 @@ corenet_tcp_connect_all_ports(tor_t)
 corenet_sendrecv_all_client_packets(tor_t)
 # ... especially including port 80 and other privileged ports
 corenet_tcp_connect_all_reserved_ports(tor_t)
+corenet_udp_bind_dns_port(tor_t)
 
 # tor uses crypto and needs random
 dev_read_urand(tor_t)
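Review bot: `corenet_udp_bind_dns_port(tor_t)` lets tor bind the privileged DNS port unconditionally, while the comparable listener grant just below this hunk is gated by tor_bind_all_unreserved_ports; presumably this serves tor's DNSPort feature. Consider a dedicated tunable (e.g. tor_bind_dns_port) or at least `# for DNSPort` on the line, since binding port 53 is a notable capability for a relay daemon.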
@@ -100,6 +104,8 @@ files_read_usr_files(tor_t)
 
 auth_use_nsswitch(tor_t)
 
+logging_send_syslog_msg(tor_t)
+
 miscfiles_read_localization(tor_t)
 
 tunable_policy(`tor_bind_all_unreserved_ports', `
index 54b86059bea8d17c6fc95203f45f7e500c0bcc9f..329f13907e860b4bc405e33089b4da8bad3e5257 100644 (file)
@@ -5,9 +5,9 @@
 ##     Execute a domain transition to run tuned.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##     <summary>
 ##     Domain allowed to transition.
-## </summary>
+##     </summary>
 ## </param>
 #
 interface(`tuned_domtrans',`
@@ -112,8 +112,7 @@ interface(`tuned_initrc_domtrans',`
 #
 interface(`tuned_admin',`
        gen_require(`
-               type tuned_t, tuned_var_run_t;
-               type tuned_initrc_exec_t;
+               type tuned_t, tuned_var_run_t, tuned_initrc_exec_t;
        ')
 
        allow $1 tuned_t:process { ptrace signal_perms };
index db9d2a594b531ef8569a3575a6d6c80216cd290d..b3983a9727e9b7f1dce22048df16de9f52e985c8 100644 (file)
@@ -24,6 +24,7 @@ files_pid_file(tuned_var_run_t)
 #
 
 dontaudit tuned_t self:capability { dac_override sys_tty_config };
+allow tuned_t self:fifo_file rw_fifo_file_perms;
 
 manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
 manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
@@ -58,6 +59,10 @@ optional_policy(`
        fstools_domtrans(tuned_t)
 ')
 
+optional_policy(`
+       gnome_dontaudit_search_config(tuned_t)
+')
+
 # to allow network interface tuning
 optional_policy(`
        sysnet_domtrans_ifconfig(tuned_t)
index c1feba4f5472a83387ae119a065dce0f3c2f7963..1f6f55bd52a2f5291035461412bc9bdf79b3fe6d 100644 (file)
@@ -20,7 +20,7 @@
 ##     </summary>
 ## </param>
 #
-interface(`ucspitcp_service_domain', `
+interface(`ucspitcp_service_domain',`
        gen_require(`
                type ucspitcp_t;
                role system_r;
@@ -31,8 +31,5 @@ interface(`ucspitcp_service_domain', `
 
        role system_r types $1;
 
-       domain_auto_trans(ucspitcp_t, $2, $1)
-       allow $1 ucspitcp_t:fd use;
-       allow $1 ucspitcp_t:process sigchld;
-       allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;
+       domtrans_pattern(ucspitcp_t, $2, $1)
 ')
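Review bot: Replacing the hand-written transition with `domtrans_pattern(ucspitcp_t, $2, $1)` covers the fd use, fifo rw and sigchld rules it removes, but not `allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;`, which is deleted as well; the spawned service exists to talk on the connection tcpserver hands it, so without that rule it loses access to the inherited socket. The stunnel_service_domain interface touched in this same commit keeps `allow $1 stunnel_t:tcp_socket rw_socket_perms;` after its domtrans_pattern; restore the tcp_socket line here.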
index a0794bf50540ee6f6990e323b4dcf1d59cc733d1..dd23a9ce2f4981b9525b5d1c701929b8cf300709 100644 (file)
@@ -91,3 +91,8 @@ optional_policy(`
        daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t)
        daemontools_read_svc(ucspitcp_t)
 ')
+
+optional_policy(`
+    daemontools_sigchld_run(ucspitcp_t)
+')
+
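Review bot: The new optional_policy block is indented with four spaces and followed by a trailing empty line at end of file, whereas the sibling block above it and the rest of the policy tree use a tab; re-indent the call as `	daemontools_sigchld_run(ucspitcp_t)` and drop the trailing blank line.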
index b078bf75838113b7019bc2a565839ead386e8cb6..e3c66d8a83fec8efd7715a41740a731a03911229 100644 (file)
@@ -5,9 +5,9 @@
 ##     Execute a domain transition to run ulogd.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##     <summary>
 ##     Domain allowed to transition.
-## </summary>
+##     </summary>
 ## </param>
 #
 interface(`ulogd_domtrans',`
@@ -65,9 +65,9 @@ interface(`ulogd_read_log',`
 ##     Allow the specified domain to search ulogd's log files.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##     <summary>
 ##     Domain allowed access.
-## </summary>
+##     </summary>
 ## </param>
 #
 interface(`ulogd_search_log',`
@@ -119,9 +119,8 @@ interface(`ulogd_append_log',`
 #
 interface(`ulogd_admin',`
        gen_require(`
-               type ulogd_t, ulogd_etc_t;
+               type ulogd_t, ulogd_etc_t, ulogd_modules_t;
                type ulogd_var_log_t, ulogd_initrc_exec_t;
-               type ulogd_modules_t;
        ')
 
        allow $1 ulogd_t:process { ptrace signal_perms };
index eeaa6411d2061b7ec6f3d3e82267c88737cc3ebe..eb4d8d504926ab40261945a6338ae1060dff75ab 100644 (file)
@@ -31,6 +31,9 @@ logging_log_file(ulogd_var_log_t)
 
 allow ulogd_t self:capability net_admin;
 allow ulogd_t self:netlink_nflog_socket create_socket_perms;
+allow ulogd_t self:netlink_route_socket r_netlink_socket_perms;
+allow ulogd_t self:tcp_socket { create_stream_socket_perms connect };
+allow ulogd_t self:udp_socket create_socket_perms;
 
 # config files
 read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
@@ -43,6 +46,18 @@ mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
 manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
 logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
 
-files_search_etc(ulogd_t)
+files_read_etc_files(ulogd_t)
+files_read_usr_files(ulogd_t)
 
 miscfiles_read_localization(ulogd_t)
+
+sysnet_dns_name_resolve(ulogd_t)
+
+optional_policy(`
+        mysql_stream_connect(ulogd_t)
+')
+
+optional_policy(`
+        postgresql_stream_connect(ulogd_t)
+       postgresql_tcp_connect(ulogd_t)
+')
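Review bot: In the two new optional_policy blocks, `mysql_stream_connect(ulogd_t)` and `postgresql_stream_connect(ulogd_t)` are indented with spaces while the adjacent `postgresql_tcp_connect(ulogd_t)` and the rest of the file use a tab; mixed indentation inside one block is what the tree's style checks flag. Re-indent both lines with a tab.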
index fa54aee3879af37e4f2fec3e5b5b07989545e1e2..40b8b8d30eb20c31647889f8cdb0a623d44c5d4b 100644 (file)
@@ -1,3 +1,3 @@
 /usr/sbin/usbmuxd      --      gen_context(system_u:object_r:usbmuxd_exec_t,s0)
 
-/var/run/usbmuxd       -s      gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
+/var/run/usbmuxd.*             gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
index 50150434de16604d317ae8a42e3635f401f891a9..53792d33cc3c3641140be74b536c155d3cadce3b 100644 (file)
@@ -5,9 +5,9 @@
 ##     Execute a domain transition to run usbmuxd.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##     <summary>
 ##     Domain allowed to transition.
-## </summary>
+##     </summary>
 ## </param>
 #
 interface(`usbmuxd_domtrans',`
index a4fbe319276f1027a6feef95b494260f39cedcf0..a717e2d6f7477114dd32ae4e7f4be936a443e660 100644 (file)
@@ -1,5 +1,24 @@
 ## <summary>Unix to Unix Copy</summary>
 
+########################################
+## <summary>
+##     Execute the uucico program in the
+##     uucpd_t domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to transition.
+##     </summary>
+## </param>
+#
+interface(`uucp_domtrans',`
+       gen_require(`
+               type uucpd_t, uucpd_exec_t;
+       ')
+
+       domtrans_pattern($1, uucpd_exec_t, uucpd_t)
+')
+
 ########################################
 ## <summary>
 ##     Allow the specified domain to append
@@ -80,7 +99,7 @@ interface(`uucp_admin',`
                type uucpd_var_run_t;
        ')
 
-       allow $1 uucpd_t:process { ptrace signal_perms getattr };
+       allow $1 uucpd_t:process { ptrace signal_perms };
        ps_process_pattern($1, uucpd_t)
 
        logging_list_logs($1)
index b775aaf39e06a11d224295ec16603ac260979790..ec1562b437b2b38b8aa3c296ecfe95a65f3c7d9e 100644 (file)
@@ -83,6 +83,7 @@ corenet_tcp_sendrecv_generic_node(uucpd_t)
 corenet_udp_sendrecv_generic_node(uucpd_t)
 corenet_tcp_sendrecv_all_ports(uucpd_t)
 corenet_udp_sendrecv_all_ports(uucpd_t)
+corenet_tcp_connect_ssh_port(uucpd_t)
 
 dev_read_urand(uucpd_t)
 
@@ -113,6 +114,10 @@ optional_policy(`
        kerberos_use(uucpd_t)
 ')
 
+optional_policy(`
+       ssh_exec(uucpd_t)
+')
+
 ########################################
 #
 # UUX Local policy
index b4d90ac179acd7fcc9389f81156a23d552f29575..e0f819e97b9ba658d8d977bf4541a75dea60aa26 100644 (file)
@@ -21,7 +21,7 @@ interface(`varnishd_domtrans',`
 
 #######################################
 ## <summary>
-##     Execute varnishd 
+##     Execute varnishd
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -56,6 +56,25 @@ interface(`varnishd_read_config',`
        read_files_pattern($1, varnishd_etc_t, varnishd_etc_t)
 ')
 
+#####################################
+## <summary>
+##  Read varnish lib files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`varnishd_read_lib_files',`
+       gen_require(`
+               type varnishd_var_lib_t;
+       ')
+
+       files_search_var_lib($1)
+       read_files_pattern($1, varnishd_var_lib_t, varnishd_var_lib_t)
+')
+
 #######################################
 ## <summary>
 ##     Read varnish logs.
@@ -132,9 +151,8 @@ interface(`varnishd_manage_log',`
 #
 interface(`varnishd_admin_varnishlog',`
        gen_require(`
-               type varnishlog_t;
+               type varnishlog_t, varnishlog_initrc_exec_t;
                type varnishlog_var_run_t, varnishlog_log_t;
-               type varnishlog_initrc_exec_t;
        ')
 
        allow $1 varnishlog_t:process { ptrace signal_perms };
@@ -146,11 +164,10 @@ interface(`varnishd_admin_varnishlog',`
        allow $2 system_r;
 
        files_search_pids($1)
-       admin_pattern($1, varnishlog_var_run_t)
+       admin_pattern($1, varnishlog_var_run_t)
 
        logging_list_logs($1)
        admin_pattern($1, varnishlog_log_t)
-
 ')
 
 #######################################
@@ -173,7 +190,7 @@ interface(`varnishd_admin_varnishlog',`
 interface(`varnishd_admin',`
        gen_require(`
                type varnishd_t, varnishd_var_lib_t, varnishd_etc_t;
-               type varnishd_var_run_t, varnishd_tmp_t; 
+               type varnishd_var_run_t, varnishd_tmp_t;
                type varnishd_initrc_exec_t;
        ')
 
@@ -196,5 +213,4 @@ interface(`varnishd_admin',`
 
        files_search_tmp($1)
        admin_pattern($1, varnishd_tmp_t)
-
 ')
index 1cc80e8994f4736af50cfcfc1cbee7c73390a4ee..95c6dc384243c89270176c235f39243d05f03136 100644 (file)
@@ -50,7 +50,8 @@ files_type(varnishlog_log_t)
 # varnishd local policy
 #
 
-allow varnishd_t self:capability { dac_override ipc_lock setuid setgid };
+allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
+dontaudit varnishd_t self:capability sys_tty_config;
 allow varnishd_t self:process signal;
 allow varnishd_t self:fifo_file rw_fifo_file_perms;
 allow varnishd_t self:tcp_socket create_stream_socket_perms;
index 1f872b5ed46e0e0093a85f2b799c88052d448db6..da605baaebf4ebfbf72e21e8e6ac0cb66432fb59 100644 (file)
@@ -5,9 +5,9 @@
 ##     Execute a domain transition to run vhostmd.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##     <summary>
 ##     Domain allowed to transition.
-## </summary>
+##     </summary>
 ## </param>
 #
 interface(`vhostmd_domtrans',`
@@ -52,7 +52,7 @@ interface(`vhostmd_read_tmpfs_files',`
        ')
 
        allow $1 vhostmd_tmpfs_t:file read_file_perms;
-       files_search_tmp($1)
+       fs_search_tmpfs($1)
 ')
 
 ########################################
@@ -90,7 +90,7 @@ interface(`vhostmd_rw_tmpfs_files',`
        ')
 
        rw_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
-       files_search_tmp($1)
+       fs_search_tmpfs($1)
 ')
 
 ########################################
@@ -109,7 +109,7 @@ interface(`vhostmd_manage_tmpfs_files',`
        ')
 
        manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
-       files_search_tmp($1)
+       fs_search_tmpfs($1)
 ')
 
 ########################################
@@ -146,7 +146,8 @@ interface(`vhostmd_manage_pid_files',`
                type vhostmd_var_run_t;
        ')
 
-        manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
+       files_search_pids($1)
+       manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
 ')
 
 ########################################
@@ -209,7 +210,7 @@ interface(`vhostmd_admin',`
                type vhostmd_t, vhostmd_initrc_exec_t;
        ')
 
-       allow $1 vhostmd_t:process { ptrace signal_perms getattr };
+       allow $1 vhostmd_t:process { ptrace signal_perms };
        ps_process_pattern($1, vhostmd_t)
 
        vhostmd_initrc_domtrans($1)
@@ -220,5 +221,4 @@ interface(`vhostmd_admin',`
        vhostmd_manage_tmpfs_files($1)
 
        vhostmd_manage_pid_files($1)
-
 ')
index 32a3c13501f621d53182c450deffd9986499347a..f56f51f9065e99bfb3f56007e8b39565cebab3df 100644 (file)
@@ -44,6 +44,8 @@ corecmd_exec_shell(vhostmd_t)
 
 corenet_tcp_connect_soundd_port(vhostmd_t)
 
+# 579803
+files_list_tmp(vhostmd_t)
 files_read_etc_files(vhostmd_t)
 files_read_usr_files(vhostmd_t)
 
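Review bot: `# 579803` above `files_list_tmp(vhostmd_t)` is a bare number; presumably a bugzilla id, but a reader cannot tell which tracker or what the denial was. Suggest `# rhbz#579803: vhostmd lists /tmp` (adjust the tracker name if it is not bugzilla) so the reason for the grant survives.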
@@ -66,6 +68,7 @@ optional_policy(`
 
 optional_policy(`
        virt_stream_connect(vhostmd_t)
+       virt_write_content(vhostmd_t)
 ')
 
 optional_policy(`
index 2124b6add920aa095e3be36490d6dfcdec8eb937..be4b00f6efbe8a426a143c5d09c15f59e0dcfb7f 100644 (file)
@@ -1,3 +1,4 @@
+HOME_DIR/.libvirt(/.*)?        gen_context(system_u:object_r:virt_content_t,s0)
 HOME_DIR/.virtinst(/.*)?       gen_context(system_u:object_r:virt_content_t,s0)
 HOME_DIR/VirtualMachines(/.*)?         gen_context(system_u:object_r:virt_image_t,s0)
 HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
@@ -13,17 +14,19 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
 /etc/xen/.*/.*                 gen_context(system_u:object_r:virt_etc_rw_t,s0)
 
 /usr/sbin/libvirtd     --      gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/virsh         --      gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/sbin/condor_vm-gahp       --      gen_context(system_u:object_r:virtd_exec_t,s0)
 
-/var/cache/libvirt(/.*)?       gen_context(system_u:object_r:svirt_cache_t,s0)
+/var/cache/libvirt(/.*)?       gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
 
 /var/lib/libvirt(/.*)?         gen_context(system_u:object_r:virt_var_lib_t,s0)
 /var/lib/libvirt/boot(/.*)?    gen_context(system_u:object_r:virt_content_t,s0)
 /var/lib/libvirt/images(/.*)?  gen_context(system_u:object_r:virt_image_t,s0)
 /var/lib/libvirt/isos(/.*)?    gen_context(system_u:object_r:virt_content_t,s0)
-/var/lib/libvirt/qemu(/.*)?    gen_context(system_u:object_r:svirt_var_run_t,s0)
+/var/lib/libvirt/qemu(/.*)?    gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
 
 /var/log/libvirt(/.*)?         gen_context(system_u:object_r:virt_log_t,s0)
 /var/run/libvirt(/.*)?         gen_context(system_u:object_r:virt_var_run_t,s0)
-/var/run/libvirt/qemu(/.*)?    gen_context(system_u:object_r:svirt_var_run_t,s0)
+/var/run/libvirt/qemu(/.*)?    gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
 
 /var/vdsm(/.*)?                        gen_context(system_u:object_r:virt_var_run_t,s0)
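Review bot: Labelling `/usr/sbin/condor_vm-gahp` as `virtd_exec_t` runs that Condor helper in the full `virtd_t` domain, which elsewhere in this commit holds `sys_admin`, `net_admin`, `sys_ptrace` and the new MLS read/write-to-clearance rules. If the helper only needs to drive libvirtd, a domain of its own using `virt_stream_connect` (or `virt_domtrans` where it really must exec libvirtd) would be a smaller grant; at minimum a comment stating why it has to share libvirtd's domain would help the next reviewer. The move of `/var/cache/libvirt` and the qemu run directories to `s0-mls_systemhigh` is consistent with the `mls_trusted_object` declarations added in virt.te, so no objection there.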
index 7c5d8d82b3d2ca6796d005cfb239ca8ca5766a91..e584e21c145924d1a457dd8f88a7663aff0cb20d 100644 (file)
 template(`virt_domain_template',`
        gen_require(`
                type virtd_t;
-               attribute virt_image_type;
-               attribute virt_domain;
+               attribute virt_image_type, virt_domain;
        ')
 
        type $1_t, virt_domain;
        domain_type($1_t)
        domain_user_exemption_target($1_t)
+       mls_rangetrans_target($1_t)
        role system_r types $1_t;
 
        type $1_devpts_t;
@@ -35,17 +35,18 @@ template(`virt_domain_template',`
        type $1_image_t, virt_image_type;
        files_type($1_image_t)
        dev_node($1_image_t)
+       dev_associate_sysfs($1_image_t)
 
-       type $1_var_run_t;
-       files_pid_file($1_var_run_t)
-
-       allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
+       allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
        term_create_pty($1_t, $1_devpts_t)
 
        manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
        manage_files_pattern($1_t, $1_image_t, $1_image_t)
+       manage_fifo_files_pattern($1_t, $1_image_t, $1_image_t)
        read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
+       rw_chr_files_pattern($1_t, $1_image_t, $1_image_t)
        rw_blk_files_pattern($1_t, $1_image_t, $1_image_t)
+       fs_hugetlbfs_filetrans($1_t, $1_image_t, file)
 
        manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
        manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
@@ -57,18 +58,6 @@ template(`virt_domain_template',`
        manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
        fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
 
-       stream_connect_pattern(virtd_t, $1_var_run_t, $1_var_run_t, virt_domain)
-       manage_dirs_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
-       manage_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
-       manage_sock_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
-
-       manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
-       manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
-       manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
-       manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
-       files_pid_filetrans($1_t, $1_var_run_t, { dir file })
-       stream_connect_pattern($1_t, $1_var_run_t, $1_var_run_t, virtd_t)
-
        optional_policy(`
                xserver_rw_shm($1_t)
        ')
@@ -101,9 +90,9 @@ interface(`virt_image',`
 ##     Execute a domain transition to run virt.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##     <summary>
 ##     Domain allowed to transition.
-## </summary>
+##     </summary>
 ## </param>
 #
 interface(`virt_domtrans',`
@@ -164,13 +153,13 @@ interface(`virt_attach_tun_iface',`
 #
 interface(`virt_read_config',`
        gen_require(`
-               type virt_etc_t;
-               type virt_etc_rw_t;
+               type virt_etc_t, virt_etc_rw_t;
        ')
 
        files_search_etc($1)
        read_files_pattern($1, virt_etc_t, virt_etc_t)
        read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+       read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
 ')
 
 ########################################
@@ -185,13 +174,13 @@ interface(`virt_read_config',`
 #
 interface(`virt_manage_config',`
        gen_require(`
-               type virt_etc_t;
-               type virt_etc_rw_t;
+               type virt_etc_t, virt_etc_rw_t;
        ')
 
        files_search_etc($1)
        manage_files_pattern($1, virt_etc_t, virt_etc_t)
        manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+       manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
 ')
 
 ########################################
@@ -229,6 +218,24 @@ interface(`virt_read_content',`
        ')
 ')
 
+########################################
+## <summary>
+##     Allow domain to write virt image files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`virt_write_content',`
+       gen_require(`
+               type virt_content_t;
+       ')
+
+       allow $1 virt_content_t:file write_file_perms;
+')
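Review bot: The summary of `virt_write_content` says "write virt image files", but the rule it grants is on `virt_content_t`, the type virt.fc assigns to `~/.libvirt`, `~/.virtinst` and the `isos`/`boot` directories, not on `virt_image_t`/`virt_image_type`; suggest `##	Allow domain to write virt content files.` so callers do not mistake it for image access. The interface also grants only `write_file_perms` on the files with no search permission on the directories that hold them, so a caller that opens them by path rather than inheriting a descriptor will also need `virt_read_content` or a directory search rule; the only caller in this commit (vhostmd_t in vhostmd.te) is in another hunk, so I could not confirm which case applies.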
+
 ########################################
 ## <summary>
 ##     Read virt PID files.
@@ -306,6 +313,24 @@ interface(`virt_read_lib_files',`
        read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
 ')
 
+########################################
+## <summary>
+##     Dontaudit inherited read virt lib files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`virt_dontaudit_read_lib_files',`
+       gen_require(`
+               type virt_var_lib_t;
+       ')
+
+       dontaudit $1 virt_var_lib_t:file read_inherited_file_perms;
+')
+
 ########################################
 ## <summary>
 ##     Create, read, write, and delete
@@ -352,9 +377,9 @@ interface(`virt_read_log',`
 ##     virt log files.
 ## </summary>
 ## <param name="domain">
-##     <summary>
+##     <summary>
 ##     Domain allowed access.
-##     </summary>
+##     </summary>
 ## </param>
 #
 interface(`virt_append_log',`
@@ -422,6 +447,24 @@ interface(`virt_read_images',`
        ')
 ')
 
+########################################
+## <summary>
+##     Allow domain to read virt blk image files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`virt_read_blk_images',`
+       gen_require(`
+               attribute virt_image_type;
+       ')
+
+       read_blk_files_pattern($1, virt_image_type, virt_image_type)
+')
+
 ########################################
 ## <summary>
 ##     Create, read, write, and delete
@@ -433,15 +476,15 @@ interface(`virt_read_images',`
 ##     </summary>
 ## </param>
 #
-interface(`virt_manage_svirt_cache',`
+interface(`virt_manage_cache',`
        gen_require(`
-               type svirt_cache_t;
+               type virt_cache_t;
        ')
 
        files_search_var($1)
-       manage_dirs_pattern($1, svirt_cache_t, svirt_cache_t)
-       manage_files_pattern($1, svirt_cache_t, svirt_cache_t)
-       manage_lnk_files_pattern($1, svirt_cache_t, svirt_cache_t)
+       manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
+       manage_files_pattern($1, virt_cache_t, virt_cache_t)
+       manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
 ')
 
 ########################################
@@ -516,3 +559,51 @@ interface(`virt_admin',`
 
        virt_manage_log($1)
 ')
+
+########################################
+## <summary>
+##     Execute qemu in the svirt domain, and
+##     allow the specified role the svirt domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     The role to be allowed the sandbox domain.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`virt_transition_svirt',`
+       gen_require(`
+               type svirt_t;
+       ')
+
+       allow $1 svirt_t:process transition;
+       role $2 types svirt_t;
+
+       optional_policy(`
+               ptchown_run(svirt_t, $2)
+       ')
+')
+
+########################################
+## <summary>
+##     Do not audit attempts to write virt daemon unnamed pipes.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`virt_dontaudit_write_pipes',`
+       gen_require(`
+               type virtd_t;
+       ')
+
+       dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
+')
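Review bot: The `role` parameter doc of `virt_transition_svirt` reads "The role to be allowed the sandbox domain.", a copy-paste from the sandbox interface; it should be `##	The role to be allowed the svirt domain.`, and "Domain allowed access" on the first parameter lacks the terminating period every other summary in this file has. The interface grants only `allow $1 svirt_t:process transition;` with no `domtrans_pattern`, which I read as relying on the caller using `setexec` and an entrypoint defined elsewhere; a one-line comment saying so above the allow rule would save the next reader a search through virt.te.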
index 3eca0207c5cb5c35b647d35e870cdde4dcee4155..fec701f9ad1ddefab4f5c8cdf1d25ffbbde8223f 100644 (file)
@@ -4,6 +4,7 @@ policy_module(virt, 1.4.0)
 #
 # Declarations
 #
+attribute virsh_transition_domain;
 
 ## <desc>
 ## <p>
@@ -40,6 +41,13 @@ gen_tunable(virt_use_samba, false)
 ## </desc>
 gen_tunable(virt_use_sysfs, false)
 
+## <desc>
+## <p>
+## Allow virtual machine to interact with the xserver
+## </p>
+## </desc>
+gen_tunable(virt_use_xserver, false)
+
 ## <desc>
 ## <p>
 ## Allow virt to use usb devices
@@ -50,12 +58,12 @@ gen_tunable(virt_use_usb, true)
 virt_domain_template(svirt)
 role system_r types svirt_t;
 
-type svirt_cache_t;
-files_type(svirt_cache_t)
-
 attribute virt_domain;
 attribute virt_image_type;
 
+type virt_cache_t alias svirt_cache_t;
+files_type(virt_cache_t)
+
 type virt_etc_t;
 files_config_file(virt_etc_t)
 
@@ -65,20 +73,25 @@ files_type(virt_etc_rw_t)
 # virt Image files
 type virt_image_t; # customizable
 virt_image(virt_image_t)
+files_mountpoint(virt_image_t)
 
 # virt Image files
 type virt_content_t; # customizable
 virt_image(virt_content_t)
 userdom_user_home_content(virt_content_t)
 
+type virt_tmp_t;
+files_tmp_file(virt_tmp_t)
+
 type virt_log_t;
 logging_log_file(virt_log_t)
+mls_trusted_object(virt_log_t)
 
 type virt_var_run_t;
 files_pid_file(virt_var_run_t)
 
 type virt_var_lib_t;
-files_type(virt_var_lib_t)
+files_mountpoint(virt_var_lib_t)
 
 type virtd_t;
 type virtd_exec_t;
@@ -89,6 +102,11 @@ domain_subj_id_change_exemption(virtd_t)
 type virtd_initrc_exec_t;
 init_script_file(virtd_initrc_exec_t)
 
+type qemu_var_run_t;
+typealias qemu_var_run_t alias svirt_var_run_t;
+files_pid_file(qemu_var_run_t)
+mls_trusted_object(qemu_var_run_t)
+
 ifdef(`enable_mcs',`
        init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
 ')
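Review bot: `type qemu_var_run_t;` followed by `typealias qemu_var_run_t alias svirt_var_run_t;` uses the two-statement form, while the same commit writes `type virt_cache_t alias svirt_cache_t;` in the hunk at @@ -50,12 above; pick one form for the two aliases introduced here, `type qemu_var_run_t alias svirt_var_run_t;` being the shorter. A short comment that the alias exists because `$1_var_run_t` was removed from `virt_domain_template` in virt.if would also explain why a type named `qemu_*` carries an `svirt_*` alias.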
@@ -104,15 +122,12 @@ ifdef(`enable_mls',`
 
 allow svirt_t self:udp_socket create_socket_perms;
 
-manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
-manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
-files_var_filetrans(svirt_t, svirt_cache_t, { file dir })
-
 read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t)
 
 allow svirt_t svirt_image_t:dir search_dir_perms;
 manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t)
 manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
+manage_fifo_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
 fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
 
 list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
@@ -147,11 +162,15 @@ tunable_policy(`virt_use_fusefs',`
 tunable_policy(`virt_use_nfs',`
        fs_manage_nfs_dirs(svirt_t)
        fs_manage_nfs_files(svirt_t)
+       fs_manage_nfs_named_sockets(svirt_t)
+       fs_read_nfs_symlinks(svirt_t)
 ')
 
 tunable_policy(`virt_use_samba',`
        fs_manage_cifs_dirs(svirt_t)
        fs_manage_cifs_files(svirt_t)
+       fs_manage_cifs_named_sockets(svirt_t)
+       fs_read_cifs_symlinks(virtd_t)
 ')
 
 tunable_policy(`virt_use_sysfs',`
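Review bot: `fs_read_cifs_symlinks(virtd_t)` sits inside the `virt_use_samba` block whose other three rules all target `svirt_t`, and the parallel `virt_use_nfs` block two hunks up gives `fs_read_nfs_symlinks(svirt_t)` to the guest; this looks like a typo for `fs_read_cifs_symlinks(svirt_t)`. If libvirtd itself is meant to get the rule, it belongs in the separate `tunable_policy(`virt_use_samba',` block for `virtd_t` further down the file, next to the `virt_use_nfs` block for `virtd_t` visible at @@ -286,15.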
@@ -160,10 +179,21 @@ tunable_policy(`virt_use_sysfs',`
 
 tunable_policy(`virt_use_usb',`
        dev_rw_usbfs(svirt_t)
+       dev_read_sysfs(svirt_t)
        fs_manage_dos_dirs(svirt_t)
        fs_manage_dos_files(svirt_t)
 ')
 
+optional_policy(`
+       tunable_policy(`virt_use_xserver',`
+               xserver_stream_connect(svirt_t)
+       ')
+')
+
+optional_policy(`
+       xen_rw_image_files(svirt_t)
+')
+
 optional_policy(`
        xen_rw_image_files(svirt_t)
 ')
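Review bot: The added `optional_policy(` block calling `xen_rw_image_files(svirt_t)` is an exact duplicate of the existing block immediately below it; drop the new copy. The `virt_use_xserver` tunable nested inside `optional_policy` is the right shape, since `xserver_stream_connect` must be conditional on the xserver module being present.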
@@ -174,22 +204,29 @@ optional_policy(`
 #
 
 allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
 
 allow virtd_t self:fifo_file rw_fifo_file_perms;
 allow virtd_t self:unix_stream_socket create_stream_socket_perms;
 allow virtd_t self:tcp_socket create_stream_socket_perms;
 allow virtd_t self:tun_socket create_socket_perms;
+allow virtd_t self:rawip_socket create_socket_perms;
 allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
 
-manage_dirs_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
-manage_files_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
+manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t)
+manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t)
 
 manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
 manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
 
 allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
 
+allow virtd_t qemu_var_run_t:file relabel_file_perms;
+manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
+manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
+manage_sock_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
+stream_connect_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t, virt_domain)
+
 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
 read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
 
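Review bot: `allow virtd_t self:rawip_socket create_socket_perms;` adds raw IP socket access to libvirtd with no comment on which feature needs it, and the new `setsockcreate` permission on the `self:process` line is likewise unexplained. Both widen a domain that already holds `net_admin` and `net_raw` at the top of this hunk, so a why-comment such as `# raw IP socket needed for <feature> -- confirm` would keep the grant reviewable later. The `qemu_var_run_t` relabel, manage and stream-connect rules mirror the per-domain rules removed from virt.if, so no objection there.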
@@ -200,8 +237,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
 
 manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
 manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
-allow virtd_t virt_image_type:file { relabelfrom relabelto };
-allow virtd_t virt_image_type:blk_file { relabelfrom relabelto };
+manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
+allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
+
+manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
+manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
+files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
+can_exec(virtd_t, virt_tmp_t)
 
 manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
 manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
@@ -220,6 +263,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
 kernel_read_system_state(virtd_t)
 kernel_read_network_state(virtd_t)
 kernel_rw_net_sysctls(virtd_t)
+kernel_read_kernel_sysctls(virtd_t)
 kernel_request_load_module(virtd_t)
 kernel_search_debugfs(virtd_t)
 
@@ -243,18 +287,27 @@ dev_read_rand(virtd_t)
 dev_rw_kvm(virtd_t)
 dev_getattr_all_chr_files(virtd_t)
 dev_rw_mtrr(virtd_t)
+dev_rw_vhost(virtd_t)
 
 # Init script handling
 domain_use_interactive_fds(virtd_t)
 domain_read_all_domains_state(virtd_t)
+domain_read_all_domains_state(virtd_t)
 
 files_read_usr_files(virtd_t)
 files_read_etc_files(virtd_t)
+files_read_usr_files(virtd_t)
 files_read_etc_runtime_files(virtd_t)
 files_search_all(virtd_t)
 files_read_kernel_modules(virtd_t)
 files_read_usr_src_files(virtd_t)
-files_manage_etc_files(virtd_t)
+files_relabelto_system_conf_files(virtd_t)
+files_relabelfrom_system_conf_files(virtd_t)
+
+# Manages /etc/sysconfig/system-config-firewall
+files_manage_system_conf_files(virtd_t)
+files_manage_system_conf_files(virtd_t)
+files_etc_filetrans_system_conf(virtd_t)
 
 fs_list_auto_mountpoints(virtd_t)
 fs_getattr_xattr_fs(virtd_t)
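Review bot: Three rules end up duplicated after this hunk: the added `domain_read_all_domains_state(virtd_t)` repeats the line directly above it, the added `files_read_usr_files(virtd_t)` repeats the first line of the `files_` group, and `files_manage_system_conf_files(virtd_t)` appears twice in a row under the system-config-firewall comment. These look like merge leftovers rather than intent; delete the second copy of each. Replacing `files_manage_etc_files(virtd_t)` with the narrower system-conf manage/relabel rules is a welcome reduction of what libvirtd may write under /etc.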
@@ -262,6 +315,18 @@ fs_rw_anon_inodefs_files(virtd_t)
 fs_list_inotifyfs(virtd_t)
 fs_manage_cgroup_dirs(virtd_t)
 fs_rw_cgroup_files(virtd_t)
+fs_manage_hugetlbfs_dirs(virtd_t)
+fs_rw_hugetlbfs_files(virtd_t)
+
+mls_fd_share_all_levels(virtd_t)
+mls_file_read_to_clearance(virtd_t)
+mls_file_write_to_clearance(virtd_t)
+mls_process_read_to_clearance(virtd_t)
+mls_process_write_to_clearance(virtd_t)
+mls_net_write_within_range(virtd_t)
+mls_socket_write_to_clearance(virtd_t)
+mls_socket_read_to_clearance(virtd_t)
+mls_rangetrans_source(virtd_t)
 
 mcs_process_set_categories(virtd_t)
 
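Review bot: The nine `mls_*` rules make `virtd_t` trusted across MLS levels (fd sharing at all levels, file, process and socket read and write up to clearance, and range-transition source) with no comment stating why. One line above the group, e.g. `# libvirtd starts and manages guests at any level up to its clearance (MLS)`, would document the intent; I infer it from the `mls_rangetrans_target($1_t)` added to `virt_domain_template` and the `s0-mls_systemhigh` contexts in virt.fc, so confirm the wording. The hugetlbfs rules just above look unrelated and would read better separated from the MLS group by a blank line.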
@@ -286,15 +351,24 @@ modutils_manage_module_config(virtd_t)
 
 logging_send_syslog_msg(virtd_t)
 
+selinux_validate_context(virtd_t)
+
+seutil_read_config(virtd_t)
 seutil_read_default_contexts(virtd_t)
+seutil_read_file_contexts(virtd_t)
 
 sysnet_domtrans_ifconfig(virtd_t)
 sysnet_read_config(virtd_t)
 
+userdom_list_admin_dir(virtd_t)
 userdom_getattr_all_users(virtd_t)
 userdom_list_user_home_content(virtd_t)
 userdom_read_all_users_state(virtd_t)
 userdom_read_user_home_content_files(virtd_t)
+userdom_relabel_user_home_files(virtd_t)
+userdom_setattr_user_home_content_files(virtd_t)
+
+consoletype_exec(virtd_t)
 
 tunable_policy(`virt_use_nfs',`
        fs_manage_nfs_dirs(virtd_t)
@@ -365,6 +439,8 @@ optional_policy(`
        qemu_signal(virtd_t)
        qemu_kill(virtd_t)
        qemu_setsched(virtd_t)
+       qemu_entry_type(virt_domain)
+       qemu_exec(virt_domain)
 ')
 
 optional_policy(`
@@ -402,6 +478,19 @@ allow virt_domain self:unix_stream_socket create_stream_socket_perms;
 allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
 allow virt_domain self:tcp_socket create_stream_socket_perms;
 
+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
+
+manage_dirs_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
+manage_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
+manage_sock_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
+manage_lnk_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
+files_pid_filetrans(virt_domain, qemu_var_run_t, { dir file })
+stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t)
+
+dontaudit virtd_t virt_domain:process  { siginh noatsecure rlimitinh };
+
 append_files_pattern(virt_domain, virt_log_t, virt_log_t)
 
 append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
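Review bot: Every guest domain carrying the `virt_domain` attribute can now create, manage and stream-connect to a single shared `qemu_var_run_t`, whereas the template previously gave each `$1` its own `$1_var_run_t` (the rules removed in the virt.if hunk at @@ -57,18). Separation between guests for these pid files and monitor sockets therefore rests on MCS categories (the `s0-mls_systemhigh` ranges in virt.fc) rather than on type, so a guest launched without distinct categories could reach another guest's files of this type; a comment stating that MCS is the isolation boundary here would make that design choice explicit. Separately, `dontaudit virtd_t virt_domain:process  { siginh noatsecure rlimitinh };` has a doubled space before the brace.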
@@ -422,6 +511,7 @@ corenet_rw_tun_tap_dev(virt_domain)
 corenet_tcp_bind_virt_migration_port(virt_domain)
 corenet_tcp_connect_virt_migration_port(virt_domain)
 
+dev_read_generic_symlinks(virt_domain)
 dev_read_rand(virt_domain)
 dev_read_sound(virt_domain)
 dev_read_urand(virt_domain)
@@ -429,10 +519,12 @@ dev_write_sound(virt_domain)
 dev_rw_ksm(virt_domain)
 dev_rw_kvm(virt_domain)
 dev_rw_qemu(virt_domain)
+dev_rw_vhost(virt_domain)
 
 domain_use_interactive_fds(virt_domain)
 
 files_read_etc_files(virt_domain)
+files_read_mnt_symlinks(virt_domain)
 files_read_usr_files(virt_domain)
 files_read_var_files(virt_domain)
 files_search_all(virt_domain)
@@ -440,6 +532,11 @@ files_search_all(virt_domain)
 fs_getattr_tmpfs(virt_domain)
 fs_rw_anon_inodefs_files(virt_domain)
 fs_rw_tmpfs_files(virt_domain)
+fs_getattr_hugetlbfs(virt_domain)
+
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
+storage_raw_read_removable_device(virt_domain)
 
 term_use_all_terms(virt_domain)
 term_getattr_pty_fs(virt_domain)
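Review bot: "# I think we need these for now." above `miscfiles_read_public_files(virt_domain)` and `storage_raw_read_removable_device(virt_domain)` does not say what needs them, and the second rule lets every guest read removable block devices directly. Replace it with the concrete reason, e.g. `# guests read removable media devices directly for <use case> -- TODO confirm and narrow`, so the grant can be revisited rather than becoming permanent by default.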
@@ -456,9 +553,122 @@ optional_policy(`
        ptchown_domtrans(virt_domain)
 ')
 
+optional_policy(`
+       pulseaudio_dontaudit_exec(virt_domain)
+')
+
 optional_policy(`
        virt_read_config(virt_domain)
        virt_read_lib_files(virt_domain)
        virt_read_content(virt_domain)
        virt_stream_connect(virt_domain)
 ')
+
+########################################
+#
+# xm local policy
+#
+type virsh_t;
+type virsh_exec_t;
+domain_type(virsh_t)
+init_system_domain(virsh_t, virsh_exec_t)
+typealias virsh_t alias xm_t;
+typealias virsh_exec_t alias xm_exec_t;
+
+allow virsh_t self:capability { dac_override ipc_lock sys_tty_config };
+allow virsh_t self:process { getcap getsched setcap signal };
+
+# internal communication is often done using fifo and unix sockets.
+allow virsh_t self:fifo_file rw_fifo_file_perms;
+allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow virsh_t self:tcp_socket create_stream_socket_perms;
+
+manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
+manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+
+dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms;
+
+kernel_read_system_state(virsh_t)
+kernel_read_network_state(virsh_t)
+kernel_read_kernel_sysctls(virsh_t)
+kernel_read_sysctl(virsh_t)
+kernel_read_xen_state(virsh_t)
+kernel_write_xen_state(virsh_t)
+
+corecmd_exec_bin(virsh_t)
+corecmd_exec_shell(virsh_t)
+
+corenet_tcp_sendrecv_generic_if(virsh_t)
+corenet_tcp_sendrecv_generic_node(virsh_t)
+corenet_tcp_connect_soundd_port(virsh_t)
+
+dev_read_urand(virsh_t)
+dev_read_sysfs(virsh_t)
+
+files_read_etc_runtime_files(virsh_t)
+files_read_usr_files(virsh_t)
+files_list_mnt(virsh_t)
+# Some common macros (you might be able to remove some)
+files_read_etc_files(virsh_t)
+
+fs_getattr_all_fs(virsh_t)
+fs_manage_xenfs_dirs(virsh_t)
+fs_manage_xenfs_files(virsh_t)
+fs_search_auto_mountpoints(virsh_t)
+
+storage_raw_read_fixed_disk(virsh_t)
+
+term_use_all_terms(virsh_t)
+
+init_stream_connect_script(virsh_t)
+init_rw_script_stream_sockets(virsh_t)
+init_use_fds(virsh_t)
+
+miscfiles_read_localization(virsh_t)
+
+sysnet_dns_name_resolve(virsh_t)
+
+optional_policy(`
+       xen_manage_image_dirs(virsh_t)
+       xen_append_log(virsh_t)
+       xen_stream_connect(virsh_t)
+       xen_stream_connect_xenstore(virsh_t)
+')
+
+optional_policy(`
+       dbus_system_bus_client(virsh_t)
+
+       optional_policy(`
+               hal_dbus_chat(virsh_t)
+       ')
+')
+
+optional_policy(`
+       vhostmd_rw_tmpfs_files(virsh_t)
+       vhostmd_stream_connect(virsh_t)
+       vhostmd_dontaudit_rw_stream_connect(virsh_t)
+')
+
+optional_policy(`
+       virt_domtrans(virsh_t)
+       virt_manage_images(virsh_t)
+       virt_manage_config(virsh_t)
+       virt_stream_connect(virsh_t)
+')
+
+optional_policy(`
+       ssh_basic_client_template(virsh, virsh_t, system_r)
+
+       kernel_read_xen_state(virsh_ssh_t)
+       kernel_write_xen_state(virsh_ssh_t)
+
+       dontaudit virsh_ssh_t virsh_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+       files_search_tmp(virsh_ssh_t)
+
+       fs_manage_xenfs_dirs(virsh_ssh_t)
+       fs_manage_xenfs_files(virsh_ssh_t)
+
+       userdom_search_admin_dir(virsh_ssh_t)
+')
+
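Review bot: The section header says `# xm local policy` but the block declares `virsh_t` and `virsh_exec_t`, with `xm_t`/`xm_exec_t` only as aliases; the header should read `# virsh local policy`. The line `# Some common macros (you might be able to remove some)` is a leftover from a policy template and should be removed or replaced with a real comment. The `virsh_transition_domain` attribute declared at the top of virt.te appears in this diff only in the `dontaudit virsh_ssh_t virsh_transition_domain:fifo_file` rule; unless an interface outside this view assigns types to it, that rule is a no-op, so please confirm where it is populated. Given `storage_raw_read_fixed_disk(virsh_t)` and `kernel_write_xen_state(virsh_t)`, a one-line comment on why a management client needs raw disk reads would also help.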
index 1174ad843e3e5402a70ed419cb2988e386e014a0..f4c4c1b653e30da1082c8e7f0b703aab8b551ffd 100644 (file)
@@ -7,11 +7,18 @@ policy_module(w3c, 1.0.0)
 
 apache_content_template(w3c_validator)
 
+type httpd_w3c_validator_tmp_t;
+files_tmp_file(httpd_w3c_validator_tmp_t)
+
 ########################################
 #
 # Local policy
 #
 
+manage_dirs_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t)
+manage_files_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t)
+files_tmp_filetrans(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, { file dir })
+
 corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
 corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
 corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
@@ -22,3 +29,5 @@ corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
 miscfiles_read_generic_certs(httpd_w3c_validator_script_t)
 
 sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
+
+apache_dontaudit_rw_tmp_files(httpd_w3c_validator_script_t)
index aa6e5a8d8bec49149e4c62588af4cf09d6daedcb..42a0efbd4b8d9b046beaeb958cd7ca8d3f66e832 100644 (file)
@@ -1,4 +1,4 @@
-## <summary>X Windows Font Server </summary>
+## <summary>X Windows Font Server</summary>
 
 ########################################
 ## <summary>
index 6f1e3c76dd40bd040fe300e3e93b04199ae7fc06..39c2bb34d8906081164e4defead6deee161d1f39 100644 (file)
@@ -2,13 +2,23 @@
 # HOME_DIR
 #
 HOME_DIR/\.fonts\.conf --      gen_context(system_u:object_r:user_fonts_config_t,s0)
+HOME_DIR/\.fonts\.d(/.*)?      gen_context(system_u:object_r:user_fonts_config_t,s0)
 HOME_DIR/\.fonts(/.*)?         gen_context(system_u:object_r:user_fonts_t,s0)
+HOME_DIR/\.fontconfig(/.*)?    gen_context(system_u:object_r:user_fonts_cache_t,s0)
 HOME_DIR/\.fonts/auto(/.*)?    gen_context(system_u:object_r:user_fonts_cache_t,s0)
 HOME_DIR/\.fonts\.cache-.* --  gen_context(system_u:object_r:user_fonts_cache_t,s0)
+HOME_DIR/\.DCOP.*         --   gen_context(system_u:object_r:iceauth_home_t,s0)
 HOME_DIR/\.ICEauthority.* --   gen_context(system_u:object_r:iceauth_home_t,s0)
+HOME_DIR/\.ICEauthority.* --   gen_context(system_u:object_r:iceauth_home_t,s0)
+HOME_DIR/\.serverauth.*        --      gen_context(system_u:object_r:xauth_home_t,s0)
 HOME_DIR/\.xauth.*     --      gen_context(system_u:object_r:xauth_home_t,s0)
 HOME_DIR/\.Xauthority.*        --      gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.xsession-errors.*   --      gen_context(system_u:object_r:xdm_home_t,s0)
+HOME_DIR/\.dmrc.*      --      gen_context(system_u:object_r:xdm_home_t,s0)
 
+/root/\.serverauth.*   --      gen_context(system_u:object_r:xauth_home_t,s0)
+/root/\.Xauth.*                --      gen_context(system_u:object_r:xauth_home_t,s0)
+/root/\.xauth.*                --      gen_context(system_u:object_r:xauth_home_t,s0)
 #
 # /dev
 #
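Review bot: The added `HOME_DIR/\.ICEauthority.* --` line is an exact duplicate of the existing entry directly above it; drop the new copy. The three `/root/\.serverauth.*`, `/root/\.Xauth.*` and `/root/\.xauth.*` entries are placed immediately before the `# /dev` header with no blank line, unlike the other groups in this file.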
@@ -20,6 +30,8 @@ HOME_DIR/\.Xauthority.*       --      gen_context(system_u:object_r:xauth_home_t,s0)
 
 /etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0)
 
+/etc/gdm(/.*)?                 gen_context(system_u:object_r:xdm_etc_t,s0)
+
 /etc/kde3?/kdm/Xstartup        --      gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/kde3?/kdm/Xreset  --      gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/kde3?/kdm/Xsession        --      gen_context(system_u:object_r:xsession_exec_t,s0)
@@ -32,11 +44,6 @@ HOME_DIR/\.Xauthority.*      --      gen_context(system_u:object_r:xauth_home_t,s0)
 /etc/X11/wdm/Xstartup.*        --      gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/X11/Xsession[^/]* --      gen_context(system_u:object_r:xsession_exec_t,s0)
 
-ifdef(`distro_redhat',`
-/etc/gdm/PostSession/.*        --      gen_context(system_u:object_r:xsession_exec_t,s0)
-/etc/gdm/PreSession/.* --      gen_context(system_u:object_r:xsession_exec_t,s0)
-')
-
 #
 # /opt
 #
@@ -47,21 +54,23 @@ ifdef(`distro_redhat',`
 # /tmp
 #
 
-/tmp/\.ICE-unix                -d      gen_context(system_u:object_r:xdm_tmp_t,s0)
-/tmp/\.ICE-unix/.*     -s      <<none>>
-/tmp/\.X0-lock         --      gen_context(system_u:object_r:xserver_tmp_t,s0)
-/tmp/\.X11-unix                -d      gen_context(system_u:object_r:xdm_tmp_t,s0)
-/tmp/\.X11-unix/.*     -s      <<none>>
+/tmp/\.X0-lock         --      gen_context(system_u:object_r:xdm_tmp_t,s0)
+/tmp/\.X11-unix(/.*)?                  gen_context(system_u:object_r:xdm_tmp_t,s0)
+/tmp/\.ICE-unix(/.*)?                  gen_context(system_u:object_r:xdm_tmp_t,s0)
 
 #
 # /usr
 #
 
 /usr/(s)?bin/gdm-binary        --      gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/(s)?bin/lxdm      --      gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/(s)?bin/lxdm-binary --    gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/(s)?bin/[xgkw]dm  --      gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/gpe-dm                --      gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/iceauth       --      gen_context(system_u:object_r:iceauth_exec_t,s0)
+/usr/bin/slim          --      gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/Xair          --      gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/bin/Xephyr                --      gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/bin/xauth         --      gen_context(system_u:object_r:xauth_exec_t,s0)
 /usr/bin/Xorg          --      gen_context(system_u:object_r:xserver_exec_t,s0)
 ifdef(`distro_debian', `
@@ -89,17 +98,43 @@ ifdef(`distro_debian', `
 
 /var/[xgk]dm(/.*)?             gen_context(system_u:object_r:xserver_log_t,s0)
 
-/var/lib/[xkw]dm(/.*)?         gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/[gxkw]dm(/.*)?                gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/lxdm(/.*)?            gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/lib/xkb(/.*)?             gen_context(system_u:object_r:xkb_var_lib_t,s0)
+/var/lib/xorg(/.*)?            gen_context(system_u:object_r:xserver_var_lib_t,s0)
+
+/var/cache/gdm(/.*)?           gen_context(system_u:object_r:xdm_var_lib_t,s0)
 
-/var/log/[kw]dm\.log   --      gen_context(system_u:object_r:xserver_log_t,s0)
-/var/log/gdm(/.*)?             gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/gdm(/.*)?             gen_context(system_u:object_r:xdm_log_t,s0)
+/var/log/lxdm\.log.*   --      gen_context(system_u:object_r:xdm_log_t,s0)
+/var/log/[kw]dm\.log.* --      gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/XFree86.*     --      gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/Xorg.*                --      gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/nvidia-installer\.log.* --    gen_context(system_u:object_r:xserver_log_t,s0)
 
+/var/spool/gdm(/.*)?           gen_context(system_u:object_r:xdm_spool_t,s0)
+
+/var/run/slim(/.*)?            gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/kdm(/.*)?             gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/gdm(/.*)?             gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/gdm_socket    -s      gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/[gx]dm\.pid   --      gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm\.pid     --      gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/xdmctl(/.*)?          gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/xauth(/.*)?           gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/slim.*                --      gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm\.auth    --      gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm(/*.)?            gen_context(system_u:object_r:xdm_var_run_t,s0)
+
+/var/run/video.rom     --      gen_context(system_u:object_r:xserver_var_run_t,s0)
+/var/run/xorg(/.*)?            gen_context(system_u:object_r:xserver_var_run_t,s0)
 
 ifdef(`distro_suse',`
 /var/lib/pam_devperm/:0        --      gen_context(system_u:object_r:xdm_var_lib_t,s0)
 ')
+
+/var/lib/nxserver/home/\.xauth.*       --      gen_context(system_u:object_r:xauth_home_t,s0)
+/var/lib/nxserver/home/\.Xauthority.*  --      gen_context(system_u:object_r:xauth_home_t,s0)
+/var/lib/pqsql/\.xauth.*       --      gen_context(system_u:object_r:xauth_home_t,s0)
+/var/lib/pqsql/\.Xauthority.*  --      gen_context(system_u:object_r:xauth_home_t,s0)
+
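Review bot: `/var/run/lxdm(/*.)?` looks like a typo for `/var/run/lxdm(/.*)?`: as written the group matches any number of slashes followed by exactly one character, so the directory's contents would not be covered. `/var/run/video.rom` leaves the dot unescaped, unlike every other literal dot in this file (`lxdm\.pid`, `lxdm\.auth`); use `/var/run/video\.rom`. The `/var/lib/pqsql/` entries may be intended for PostgreSQL's home, which is usually spelled `pgsql`; please verify the path before these contexts ship.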
index da2601a2dad2b2509c647659b699427fc6e7d592..f34a53f2567d93a8496c42e05292d1a5d808c93f 100644 (file)
 interface(`xserver_restricted_role',`
        gen_require(`
                type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t;
-               type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
+               type user_fonts_t, user_fonts_cache_t, user_fonts_config_t, xdm_tmp_t;
                type iceauth_t, iceauth_exec_t, iceauth_home_t;
                type xauth_t, xauth_exec_t, xauth_home_t;
+               class dbus send_msg;
        ')
 
        role $1 types { xserver_t xauth_t iceauth_t };
@@ -31,12 +32,13 @@ interface(`xserver_restricted_role',`
        allow xserver_t $2:shm rw_shm_perms;
 
        domtrans_pattern($2, xserver_exec_t, xserver_t)
-       allow xserver_t $2:process signal;
+       allow xserver_t $2:process { getpgid signal };
 
        allow xserver_t $2:shm rw_shm_perms;
 
        allow $2 user_fonts_t:dir list_dir_perms;
        allow $2 user_fonts_t:file read_file_perms;
+       allow $2 user_fonts_t:lnk_file read_lnk_file_perms;
 
        allow $2 user_fonts_config_t:dir list_dir_perms;
        allow $2 user_fonts_config_t:file read_file_perms;
@@ -45,6 +47,7 @@ interface(`xserver_restricted_role',`
        manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
 
        stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
+       allow $2 xserver_tmp_t:sock_file unlink;
        files_search_tmp($2)
 
        # Communicate via System V shared memory.
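Review bot: `allow $2 xserver_tmp_t:sock_file unlink;`, added right after the stream_connect_pattern line, lets any domain given this role delete the X server's listening socket, and since this commit also turns `xserver_tmp_t` into an alias of `xdm_tmp_t` (xserver.te hunk) the same rule now reaches the display manager's socket files as well. A session that can unlink `/tmp/.X11-unix/X<n>` can stop new clients from reaching another local session's display, so the rule needs a comment naming the case that requires it — presumably clearing a stale socket before the role starts its own server through the domtrans above — e.g. `# remove a stale /tmp/.X11-unix socket left behind by a dead server`. xserver_restricted_role starts and ends outside this hunk.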
@@ -70,17 +73,21 @@ interface(`xserver_restricted_role',`
 
        # for when /tmp/.X11-unix is created by the system
        allow $2 xdm_t:fd use;
-       allow $2 xdm_t:fifo_file { getattr read write ioctl };
-       allow $2 xdm_tmp_t:dir search;
-       allow $2 xdm_tmp_t:sock_file { read write };
+       allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
+       allow $2 xdm_tmp_t:dir search_dir_perms;
+       allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
        dontaudit $2 xdm_t:tcp_socket { read write };
+       dontaudit $2 xdm_tmp_t:dir setattr_dir_perms;
+
+       allow $2 xdm_t:dbus send_msg;
+       allow xdm_t  $2:dbus send_msg;
 
        # Client read xserver shm
        allow $2 xserver_t:fd use;
        allow $2 xserver_tmpfs_t:file read_file_perms;
 
        # Read /tmp/.X0-lock
-       allow $2 xserver_tmp_t:file { getattr read };
+       allow $2 xserver_tmp_t:file read_inherited_file_perms;
 
        dev_rw_xserver_misc($2)
        dev_rw_power_management($2)
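Review bot: The pair `allow $2 xdm_t:dbus send_msg;` / `allow xdm_t  $2:dbus send_msg;` duplicates the new `xserver_dbus_chat_xdm` interface added at the end of this file, and it is unconditional even though this is the restricted role. Replacing the two lines with `xserver_dbus_chat_xdm($2)` also removes the need for the `class dbus send_msg;` requirement this commit adds to the interface's gen_require in the first hunk, and a one-line comment on what xdm-side dbus traffic a restricted session needs would help the next reader. The `dontaudit $2 xdm_tmp_t:dir setattr_dir_perms;` line is wedged between allow rules; keep it next to the other dontaudit. The enclosing interface starts and ends outside this hunk.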
@@ -89,14 +96,14 @@ interface(`xserver_restricted_role',`
        dev_write_misc($2)
        # open office is looking for the following
        dev_getattr_agp_dev($2)
-       dev_dontaudit_rw_dri($2)
+
        # GNOME checks for usb and other devices:
        dev_rw_usbfs($2)
 
        miscfiles_read_fonts($2)
+       miscfiles_setattr_fonts_cache_dirs($2)
 
        xserver_common_x_domain_template(user, $2)
-       xserver_unconfined($2)
        xserver_xsession_entry_type($2)
        xserver_dontaudit_write_log($2)
        xserver_stream_connect_xdm($2)
@@ -107,11 +114,19 @@ interface(`xserver_restricted_role',`
        # Needed for escd, remove if we get escd policy
        xserver_manage_xdm_tmp_files($2)
 
+       ifdef(`hide_broken_symptoms',`
+               dontaudit iceauth_t $2:socket_class_set { read write };
+       ')
+
        # Client write xserver shm
        tunable_policy(`allow_write_xshm',`
                allow $2 xserver_t:shm rw_shm_perms;
                allow $2 xserver_tmpfs_t:file rw_file_perms;
        ')
+
+       tunable_policy(`user_direct_dri',`
+               dev_rw_dri($2)
+       ')
 ')
 
 ########################################
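Review bot: `dontaudit iceauth_t $2:socket_class_set { read write };` inside the hide_broken_symptoms block silences iceauth_t on every socket class it inherits from the role's domain without saying what is leaking, so nobody can later tell whether the leak was fixed. If these are socket fds inherited across the domain transition, say so: `# iceauth_t inherits socket fds from the session; silence them until the caller closes them`. The identical construct for xauth_t is added in xserver_domtrans_xauth further down and would take the same comment. xserver_restricted_role begins outside this hunk.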
@@ -143,13 +158,15 @@ interface(`xserver_role',`
        allow $2 xserver_tmpfs_t:file rw_file_perms;
 
        allow $2 iceauth_home_t:file manage_file_perms;
-       allow $2 iceauth_home_t:file { relabelfrom relabelto };
+       allow $2 iceauth_home_t:file relabel_file_perms;
 
        allow $2 xauth_home_t:file manage_file_perms;
-       allow $2 xauth_home_t:file { relabelfrom relabelto };
+       allow $2 xauth_home_t:file relabel_file_perms;
 
+       mls_xwin_read_to_clearance($2)
        manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
        manage_files_pattern($2, user_fonts_t, user_fonts_t)
+       allow $2 user_fonts_t:lnk_file read_lnk_file_perms;
        relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
        relabel_files_pattern($2, user_fonts_t, user_fonts_t)
 
@@ -162,7 +179,6 @@ interface(`xserver_role',`
        manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
        relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
        relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
-
 ')
 
 #######################################
@@ -197,7 +213,7 @@ interface(`xserver_ro_session',`
        allow $1 xserver_t:process signal;
 
        # Read /tmp/.X0-lock
-       allow $1 xserver_tmp_t:file { getattr read };
+       allow $1 xserver_tmp_t:file read_file_perms;
 
        # Client read xserver shm
        allow $1 xserver_t:fd use;
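Review bot: `allow $1 xserver_tmp_t:file read_file_perms;` here and the `read_inherited_file_perms` chosen for the same "Read /tmp/.X0-lock" rule in xserver_restricted_role earlier in this diff now differ (the inherited set lacks `open`) although both carry the identical comment. If restricted roles are deliberately denied opening the lock file, the comment there should say so; otherwise the two rules should use one permission set, since xserver_user_x_domain_template calls `xserver_ro_session` and already receives the wider set. xserver_ro_session begins outside this hunk.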
@@ -291,12 +307,12 @@ interface(`xserver_user_client',`
        allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
 
        # Read .Xauthority file
-       allow $1 xauth_home_t:file { getattr read };
-       allow $1 iceauth_home_t:file { getattr read };
+       allow $1 xauth_home_t:file read_file_perms;
+       allow $1 iceauth_home_t:file read_file_perms;
 
        # for when /tmp/.X11-unix is created by the system
        allow $1 xdm_t:fd use;
-       allow $1 xdm_t:fifo_file { getattr read write ioctl };
+       allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
        allow $1 xdm_tmp_t:dir search;
        allow $1 xdm_tmp_t:sock_file { read write };
        dontaudit $1 xdm_t:tcp_socket { read write };
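Review bot: Only the fifo_file rule was converted to a permission macro here; `allow $1 xdm_tmp_t:dir search;` and `allow $1 xdm_tmp_t:sock_file { read write };` on the following two lines keep the raw forms that the parallel "for when /tmp/.X11-unix is created by the system" blocks in xserver_restricted_role and xserver_user_x_domain_template replace with `search_dir_perms` and `rw_inherited_sock_file_perms` in this same commit. Converting them keeps the three blocks identical and stops one of them drifting on its own. xserver_user_client begins outside this hunk.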
@@ -347,14 +363,19 @@ template(`xserver_common_x_domain_template',`
                type xevent_t, client_xevent_t;
                type input_xevent_t, $1_input_xevent_t;
 
-               attribute x_domain;
+               attribute x_domain, input_xevent_type;
                attribute xdrawable_type, xcolormap_type;
-               attribute input_xevent_type;
 
                class x_drawable all_x_drawable_perms;
                class x_property all_x_property_perms;
                class x_event all_x_event_perms;
                class x_synthetic_event all_x_synthetic_event_perms;
+               class x_client destroy;
+               class x_server manage;
+               class x_screen { saver_setattr saver_hide saver_show };
+               class x_pointer { get_property set_property manage };
+               class x_keyboard { read manage };
+               type xdm_t, xserver_t;
        ')
 
        ##############################
@@ -386,6 +407,15 @@ template(`xserver_common_x_domain_template',`
        allow $2 xevent_t:{ x_event x_synthetic_event } receive;
        # dont audit send failures
        dontaudit $2 input_xevent_type:x_event send;
+
+       allow $2 xdm_t:x_drawable { hide read add_child manage };
+       allow $2 xdm_t:x_client destroy;
+
+       allow $2 root_xdrawable_t:x_drawable write;
+       allow $2 xserver_t:x_server manage;
+       allow $2 xserver_t:x_screen { saver_setattr saver_hide saver_show };
+       allow $2 xserver_t:x_pointer { get_property set_property manage };
+       allow $2 xserver_t:x_keyboard { read manage };
 ')
 
 #######################################
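Review bot: The rules appended after `dontaudit $2 input_xevent_type:x_event send;` hand every domain passed through xserver_common_x_domain_template — all user X clients via xserver_restricted_role and xserver_user_x_domain_template, and xdm_t itself — `manage` on `xserver_t:x_server`, `x_pointer` and `x_keyboard`, `destroy` on xdm_t's x_client and `manage` on xdm_t drawables, which removes most of the client/server separation the XACE object manager exists to enforce. These overlap the privileged `xserver_manage_core_devices` interface this commit also extends; if one particular client needs them, grant them there or in a dedicated opt-in interface rather than in the template every client receives, and give each rule a comment naming the program that required it. `allow $2 root_xdrawable_t:x_drawable write;` also uses `root_xdrawable_t`, which the gen_require additions visible in the previous hunk do not declare; confirm it is required above the visible lines. The template begins outside this hunk.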
@@ -458,9 +488,9 @@ template(`xserver_user_x_domain_template',`
 
        # for when /tmp/.X11-unix is created by the system
        allow $2 xdm_t:fd use;
-       allow $2 xdm_t:fifo_file { getattr read write ioctl };
+       allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
        allow $2 xdm_tmp_t:dir search_dir_perms;
-       allow $2 xdm_tmp_t:sock_file { read write };
+       allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
        dontaudit $2 xdm_t:tcp_socket { read write };
 
        # Allow connections to X server.
@@ -472,20 +502,25 @@ template(`xserver_user_x_domain_template',`
        # for .xsession-errors
        userdom_dontaudit_write_user_home_content_files($2)
 
-       xserver_ro_session($2,$3)
+       xserver_ro_session($2, $3)
        xserver_use_user_fonts($2)
 
        xserver_read_xdm_tmp_files($2)
+       xserver_read_xdm_pid($2)
 
        # X object manager
        xserver_object_types_template($1)
-       xserver_common_x_domain_template($1,$2)
+       xserver_common_x_domain_template($1, $2)
 
        # Client write xserver shm
        tunable_policy(`allow_write_xshm',`
                allow $2 xserver_t:shm rw_shm_perms;
                allow $2 xserver_tmpfs_t:file rw_file_perms;
        ')
+
+       tunable_policy(`user_direct_dri',`
+               dev_rw_dri($2)
+       ')
 ')
 
 ########################################
@@ -517,6 +552,7 @@ interface(`xserver_use_user_fonts',`
        # Read per user fonts
        allow $1 user_fonts_t:dir list_dir_perms;
        allow $1 user_fonts_t:file read_file_perms;
+       allow $1 user_fonts_t:lnk_file read_lnk_file_perms;
 
        # Manipulate the global font cache
        manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
@@ -545,6 +581,28 @@ interface(`xserver_domtrans_xauth',`
        ')
 
        domtrans_pattern($1, xauth_exec_t, xauth_t)
+
+       ifdef(`hide_broken_symptoms',`
+               dontaudit xauth_t $1:socket_class_set { read write };
+       ')
+')
+
+########################################
+## <summary>
+##     Dontaudit exec of Xauthority program.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`xserver_dontaudit_exec_xauth',`
+       gen_require(`
+               type xauth_exec_t;
+       ')
+
+       dontaudit $1 xauth_exec_t:file execute;
 ')
 
 ########################################
@@ -598,6 +656,7 @@ interface(`xserver_read_user_xauth',`
 
        allow $1 xauth_home_t:file read_file_perms;
        userdom_search_user_home_dirs($1)
+       xserver_read_xdm_pid($1)
 ')
 
 ########################################
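Review bot: Adding `xserver_read_xdm_pid($1)` to xserver_read_user_xauth widens an interface whose name promises only access to the user's xauth_home_t file; the reason appears to be that xauthority files may now live under xdm_var_run_t (`/var/run/xauth(/.*)?` in the .fc hunk, and xauth_t managing xdm_var_run_t in the .te hunk), but nothing says so. Put that next to the call, e.g. `# the cookie may be kept under /var/run/xauth (xdm_var_run_t)`, and mention it in the interface summary, which is outside this hunk.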
@@ -615,7 +674,7 @@ interface(`xserver_setattr_console_pipes',`
                type xconsole_device_t;
        ')
 
-       allow $1 xconsole_device_t:fifo_file setattr;
+       allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;
 ')
 
 ########################################
@@ -651,7 +710,7 @@ interface(`xserver_use_xdm_fds',`
                type xdm_t;
        ')
 
-       allow $1 xdm_t:fd use; 
+       allow $1 xdm_t:fd use;
 ')
 
 ########################################
@@ -670,7 +729,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
                type xdm_t;
        ')
 
-       dontaudit $1 xdm_t:fd use; 
+       dontaudit $1 xdm_t:fd use;
 ')
 
 ########################################
@@ -688,7 +747,7 @@ interface(`xserver_rw_xdm_pipes',`
                type xdm_t;
        ')
 
-       allow $1 xdm_t:fifo_file { getattr read write }; 
+       allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 
 ########################################
@@ -703,12 +762,11 @@ interface(`xserver_rw_xdm_pipes',`
 ## </param>
 #
 interface(`xserver_dontaudit_rw_xdm_pipes',`
-
        gen_require(`
                type xdm_t;
        ')
 
-       dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms; 
+       dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms;
 ')
 
 ########################################
@@ -724,11 +782,13 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
 #
 interface(`xserver_stream_connect_xdm',`
        gen_require(`
-               type xdm_t, xdm_tmp_t;
+               type xdm_t, xdm_tmp_t, xdm_var_run_t;
        ')
 
        files_search_tmp($1)
+       files_search_pids($1)
        stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
+       stream_connect_pattern($1, xdm_var_run_t, xdm_var_run_t, xdm_t)
 ')
 
 ########################################
@@ -765,7 +825,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
                type xdm_tmp_t;
        ')
 
-       allow $1 xdm_tmp_t:dir setattr;
+       allow $1 xdm_tmp_t:dir setattr_dir_perms;
 ')
 
 ########################################
@@ -805,7 +865,7 @@ interface(`xserver_read_xdm_pid',`
        ')
 
        files_search_pids($1)
-       allow $1 xdm_var_run_t:file read_file_perms;
+       read_files_pattern($1, xdm_var_run_t, xdm_var_run_t)
 ')
 
 ########################################
@@ -897,7 +957,7 @@ interface(`xserver_getattr_log',`
        ')
 
        logging_search_logs($1)
-       allow $1 xserver_log_t:file getattr;
+       allow $1 xserver_log_t:file getattr_file_perms;
 ')
 
 ########################################
@@ -916,7 +976,7 @@ interface(`xserver_dontaudit_write_log',`
                type xserver_log_t;
        ')
 
-       dontaudit $1 xserver_log_t:file { append write };
+       dontaudit $1 xserver_log_t:file rw_inherited_file_perms;
 ')
 
 ########################################
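Review bot: Widening the dontaudit from `{ append write }` to `rw_inherited_file_perms` also silences denied `read` (and ioctl/lock, going by refpolicy's definition of that set) on xserver_log_t, which an interface named xserver_dontaudit_write_log should not do — a caller unexpectedly reading the X log would now fail without a trace. If the aim is just to cover writes on an inherited log fd, keep an explicit write-side set such as `{ getattr append write }` rather than the rw macro.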
@@ -961,6 +1021,44 @@ interface(`xserver_read_xkb_libs',`
        read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
 ')
 
+########################################
+## <summary>
+##     Read xdm config files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit
+##     </summary>
+## </param>
+#
+interface(`xserver_read_xdm_etc_files',`
+       gen_require(`
+               type xdm_etc_t;
+       ')
+
+       files_search_etc($1)
+       read_files_pattern($1, xdm_etc_t, xdm_etc_t)
+')
+
+########################################
+## <summary>
+##     Manage xdm config files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit
+##     </summary>
+## </param>
+#
+interface(`xserver_manage_xdm_etc_files',`
+       gen_require(`
+               type xdm_etc_t;
+       ')
+
+       files_search_etc($1)
+       manage_files_pattern($1, xdm_etc_t, xdm_etc_t)
+')
+
 ########################################
 ## <summary>
 ##     Read xdm temporary files.
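Review bot: The `<param name="domain">` summaries of both new interfaces read "Domain to not audit", although xserver_read_xdm_etc_files and xserver_manage_xdm_etc_files grant access; they should read `Domain allowed access.` like the neighbouring interfaces. The same copied text appears on `xserver_append_xdm_home_files` and `xserver_xdm_append_log` in the last hunk of this file.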
@@ -976,7 +1074,7 @@ interface(`xserver_read_xdm_tmp_files',`
                type xdm_tmp_t;
        ')
 
-       files_search_tmp($1)
+       files_search_tmp($1)
        read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
 ')
 
@@ -1052,7 +1150,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
                type xdm_tmp_t;
        ')
 
-       dontaudit $1 xdm_tmp_t:sock_file getattr;
+       dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
 ')
 
 ########################################
@@ -1070,8 +1168,10 @@ interface(`xserver_domtrans',`
                type xserver_t, xserver_exec_t;
        ')
 
-       allow $1 xserver_t:process siginh;
+       allow $1 xserver_t:process siginh;
        domtrans_pattern($1, xserver_exec_t, xserver_t)
+
+       allow xserver_t $1:process getpgid;
 ')
 
 ########################################
@@ -1185,6 +1285,7 @@ interface(`xserver_stream_connect',`
 
        files_search_tmp($1)
        stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
+       allow xserver_t $1:shm rw_shm_perms;
 ')
 
 ########################################
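Review bot: `allow xserver_t $1:shm rw_shm_perms;` gives the X server read/write on the caller's SysV shared memory from an interface named xserver_stream_connect, whose existing callers only expect a socket connect, so every domain that merely connects to the display now has its segments mappable by the server. If this is for MIT-SHM clients, document it with `# MIT-SHM: the server attaches segments created by the client` and note it in the interface summary (outside the hunk), or move it into a separate opt-in interface so callers choose it explicitly.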
@@ -1210,7 +1311,7 @@ interface(`xserver_read_tmp_files',`
 ## <summary>
 ##     Interface to provide X object permissions on a given X server to
 ##     an X client domain.  Gives the domain permission to read the
-##      virtual core keyboard and virtual core pointer devices.
+##     virtual core keyboard and virtual core pointer devices.
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -1220,13 +1321,23 @@ interface(`xserver_read_tmp_files',`
 #
 interface(`xserver_manage_core_devices',`
        gen_require(`
-               type xserver_t;
+               type xserver_t, root_xdrawable_t;
                class x_device all_x_device_perms;
                class x_pointer all_x_pointer_perms;
                class x_keyboard all_x_keyboard_perms;
+               class x_screen all_x_screen_perms;
+               class x_drawable { manage };
+               attribute x_domain;
+               class x_drawable { read manage setattr show };
+               class x_resource { write read };
        ')
 
        allow $1 xserver_t:{ x_device x_pointer x_keyboard } *;
+       allow $1 xserver_t:{ x_screen } setattr;
+       
+       allow $1 x_domain:x_drawable { read manage setattr show };
+       allow $1 x_domain:x_resource { write read };
+       allow $1 root_xdrawable_t:x_drawable { manage read };
 ')
 
 ########################################
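Review bot: The gen_require of xserver_manage_core_devices declares `class x_drawable` twice (`{ manage }` and then `{ read manage setattr show }`) with `attribute x_domain;` between them; the first declaration is redundant and should go. `allow $1 xserver_t:{ x_screen } setattr;` wraps a single class in braces, and the blank line after it carries trailing whitespace. The new `allow $1 x_domain:x_drawable { read manage setattr show };` reaches the drawables of every X client, which goes well beyond the "core devices" the interface summary (outside the hunk) describes and deserves a sentence there.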
@@ -1243,10 +1354,331 @@ interface(`xserver_manage_core_devices',`
 #
 interface(`xserver_unconfined',`
        gen_require(`
-               attribute x_domain;
-               attribute xserver_unconfined_type;
+               attribute x_domain, xserver_unconfined_type;
        ')
 
        typeattribute $1 x_domain;
        typeattribute $1 xserver_unconfined_type;
 ')
+
+########################################
+## <summary>
+##     Dontaudit append to .xsession-errors file
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit
+##     </summary>
+## </param>
+#
+interface(`xserver_dontaudit_append_xdm_home_files',`
+       gen_require(`
+               type xdm_home_t, xserver_tmp_t;
+       ')
+
+       dontaudit $1 xdm_home_t:file rw_inherited_file_perms;
+       dontaudit $1 xserver_tmp_t:file rw_inherited_file_perms;
+
+       tunable_policy(`use_nfs_home_dirs',`
+               fs_dontaudit_rw_nfs_files($1)
+       ')
+
+       tunable_policy(`use_samba_home_dirs',`
+               fs_dontaudit_rw_cifs_files($1)
+       ')
+')
+
+########################################
+## <summary>
+##     append to .xsession-errors file
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit
+##     </summary>
+## </param>
+#
+interface(`xserver_append_xdm_home_files',`
+       gen_require(`
+               type xdm_home_t, xserver_tmp_t;
+       ')
+
+       allow $1 xdm_home_t:file append_file_perms;
+       allow $1 xserver_tmp_t:file append_file_perms;
+
+       tunable_policy(`use_nfs_home_dirs',`
+               fs_append_nfs_files($1)
+       ')
+
+       tunable_policy(`use_samba_home_dirs',`
+               fs_append_cifs_files($1)
+       ')
+')
+
+########################################
+## <summary>
+##     Manage the xdm_spool files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`xserver_xdm_manage_spool',`
+       gen_require(`
+               type xdm_spool_t;
+       ')
+
+       files_search_spool($1)
+       manage_files_pattern($1, xdm_spool_t, xdm_spool_t)
+')
+
+########################################
+## <summary>
+##     Send and receive messages from
+##     xdm over dbus.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`xserver_dbus_chat_xdm',`
+       gen_require(`
+               type xdm_t;
+               class dbus send_msg;
+       ')
+
+       allow $1 xdm_t:dbus send_msg;
+       allow xdm_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##     Read xserver files created in /var/run
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`xserver_read_pid',`
+       gen_require(`
+               type xserver_var_run_t;
+       ')
+
+       files_search_pids($1)
+       read_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
+')
+
+########################################
+## <summary>
+##     Execute xserver files created in /var/run
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`xserver_exec_pid',`
+       gen_require(`
+               type xserver_var_run_t;
+       ')
+
+       files_search_pids($1)
+       exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
+')
+
+########################################
+## <summary>
+##     Write xserver files created in /var/run
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`xserver_write_pid',`
+       gen_require(`
+               type xserver_var_run_t;
+       ')
+
+       files_search_pids($1)
+       write_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
+')
+
+########################################
+## <summary>
+##     Allow append the xdm
+##     log files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit
+##     </summary>
+## </param>
+#
+interface(`xserver_xdm_append_log',`
+       gen_require(`
+               type xdm_log_t;
+               attribute xdmhomewriter;
+       ')
+
+       typeattribute $1 xdmhomewriter;
+       append_files_pattern($1, xdm_log_t, xdm_log_t)
+')
+
+########################################
+## <summary>
+##     Read a user Iceauthority domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+template(`xserver_read_user_iceauth',`
+       gen_require(`
+               type iceauth_home_t;
+       ')
+
+       # Read .Iceauthority file
+       allow $1 iceauth_home_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##     Read user homedir fonts.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`xserver_rw_inherited_user_fonts',`
+       gen_require(`
+               type user_fonts_t, user_fonts_config_t;
+       ')
+
+       allow $1 user_fonts_t:file rw_inherited_file_perms;
+       allow $1 user_fonts_t:file read_lnk_file_perms;
+
+       allow $1 user_fonts_config_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##     Search XDM var lib dirs.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`xserver_search_xdm_lib',`
+       gen_require(`
+               type xdm_var_lib_t;
+       ')
+
+       allow $1 xdm_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##     Make an X executable an entrypoint for the specified domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     The domain for which the shell is an entrypoint.
+##     </summary>
+## </param>
+#
+interface(`xserver_entry_type',`
+       gen_require(`
+               type xserver_exec_t;
+       ')
+
+       domain_entry_file($1, xserver_exec_t)
+')
+
+########################################
+## <summary>
+##     Execute xsever in the xserver domain, and
+##     allow the specified role the xserver domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     The role to be allowed the xserver domain.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`xserver_run',`
+       gen_require(`
+               type xserver_t;
+       ')
+
+       xserver_domtrans($1)
+       role $2 types xserver_t;
+')
+
+########################################
+## <summary>
+##     Execute xsever in the xserver domain, and
+##     allow the specified role the xserver domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     The role to be allowed the xserver domain.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`xserver_run_xauth',`
+       gen_require(`
+               type xauth_t;
+       ')
+
+       xserver_domtrans_xauth($1)
+       role $2 types xauth_t;
+')
+########################################
+## <summary>
+##     Read user homedir fonts.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`xserver_manage_home_fonts',`
+       gen_require(`
+               type user_fonts_t, user_fonts_config_t;
+       ')
+
+       manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
+       manage_files_pattern($1, user_fonts_t, user_fonts_t)
+       manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
+
+       manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
+')
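Review bot: In xserver_rw_inherited_user_fonts, `allow $1 user_fonts_t:file read_lnk_file_perms;` applies the lnk_file permission set to the `file` class, so symlinks in the fonts directory remain unreadable; it should be `allow $1 user_fonts_t:lnk_file read_lnk_file_perms;`, matching the other font rules this commit adds. Several of the new headers are also wrong or copied: xserver_run and xserver_run_xauth both say "Execute xsever in the xserver domain" (typo, and the second should describe xauth_t), xserver_manage_home_fonts says "Read user homedir fonts" while it manages them, xserver_entry_type talks about "the shell", xserver_read_user_iceauth is declared with `template(` though it is a plain interface, and xserver_xdm_append_log adds `typeattribute $1 xdmhomewriter;` without mentioning it in its summary. A blank line is also missing before the `####` banner that precedes xserver_manage_home_fonts.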
index e226da4e82254ba7fbdbd77aaf50dd34c793a803..5fbf38f1ccb8847a239754842e0039e8ac415378 100644 (file)
@@ -33,6 +33,13 @@ gen_require(`
 ## </desc>
 gen_tunable(allow_write_xshm, false)
 
+## <desc>
+## <p>
+## Allows XServer to execute writable memory
+## </p>
+## </desc>
+gen_tunable(allow_xserver_execmem, false)
+
 ## <desc>
 ## <p>
 ## Allow xdm logins as sysadm
@@ -47,6 +54,16 @@ gen_tunable(xdm_sysadm_login, false)
 ## </desc>
 gen_tunable(xserver_object_manager, false)
 
+## <desc>
+## <p>
+## Allow regular users direct dri device access
+## </p>
+## </desc>
+gen_tunable(user_direct_dri, false)
+
+attribute xdmhomewriter;
+attribute x_userdomain;
+
 attribute x_domain;
 
 # X Events
@@ -109,21 +126,26 @@ xserver_common_x_domain_template(remote,remote_t)
 type user_fonts_t;
 typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t };
 typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t };
+typealias user_fonts_t alias { xguest_fonts_t unconfined_fonts_t  user_fonts_home_t };
 userdom_user_home_content(user_fonts_t)
 
 type user_fonts_cache_t;
 typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t };
 typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t };
+typealias user_fonts_cache_t alias { xguest_fonts_cache_t unconfined_fonts_cache_t };
+;
 userdom_user_home_content(user_fonts_cache_t)
 
 type user_fonts_config_t;
 typealias user_fonts_config_t alias { staff_fonts_config_t sysadm_fonts_config_t };
 typealias user_fonts_config_t alias { auditadm_fonts_config_t secadm_fonts_config_t };
+typealias user_fonts_config_t alias { fonts_config_home_t xguest_fonts_config_t unconfined_fonts_config_t };
 userdom_user_home_content(user_fonts_config_t)
 
 type iceauth_t;
 type iceauth_exec_t;
 typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t };
+typealias iceauth_t alias { xguest_iceauth_t };
 typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t };
 application_domain(iceauth_t, iceauth_exec_t)
 ubac_constrained(iceauth_t)
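Review bot: The bare `;` line added after `typealias user_fonts_cache_t alias { xguest_fonts_cache_t unconfined_fonts_cache_t };` is a stray token — that statement already ends with its own semicolon — and looks like a paste artifact; whether or not checkpolicy tolerates an empty statement, the line should be removed. The `user_fonts_t` alias list on the first added line also has a doubled space before `user_fonts_home_t`.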
@@ -131,22 +153,28 @@ ubac_constrained(iceauth_t)
 type iceauth_home_t;
 typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t };
 typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t };
+typealias iceauth_home_t alias {  xguest_iceauth_home_t };
+files_poly_member(iceauth_home_t)
 userdom_user_home_content(iceauth_home_t)
 
 type xauth_t;
 type xauth_exec_t;
 typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t };
 typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t };
+typealias xauth_t alias { xguest_xauth_t unconfined_xauth_t };
 application_domain(xauth_t, xauth_exec_t)
 ubac_constrained(xauth_t)
 
 type xauth_home_t;
 typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t };
 typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t };
+typealias xauth_home_t alias { xguest_xauth_home_t unconfined_xauth_home_t };
+files_poly_member(xauth_home_t)
 userdom_user_home_content(xauth_home_t)
 
 type xauth_tmp_t;
 typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t };
+typealias xauth_tmp_t alias { xguest_xauth_tmp_t unconfined_xauth_tmp_t };
 typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
 files_tmp_file(xauth_tmp_t)
 ubac_constrained(xauth_tmp_t)
@@ -161,15 +189,21 @@ type xdm_t;
 type xdm_exec_t;
 auth_login_pgm_domain(xdm_t)
 init_domain(xdm_t, xdm_exec_t)
-init_daemon_domain(xdm_t, xdm_exec_t)
+init_system_domain(xdm_t, xdm_exec_t)
 xserver_object_types_template(xdm)
 xserver_common_x_domain_template(xdm, xdm_t)
 
 type xdm_lock_t;
 files_lock_file(xdm_lock_t)
 
+type xdm_etc_t;
+files_config_file(xdm_etc_t)
+
 type xdm_rw_etc_t;
-files_type(xdm_rw_etc_t)
+files_config_file(xdm_rw_etc_t)
+
+type xdm_spool_t;
+files_type(xdm_spool_t)
 
 type xdm_var_lib_t;
 files_type(xdm_var_lib_t)
@@ -177,13 +211,27 @@ files_type(xdm_var_lib_t)
 type xdm_var_run_t;
 files_pid_file(xdm_var_run_t)
 
+type xserver_var_lib_t;
+files_type(xserver_var_lib_t)
+
+type xserver_var_run_t;
+files_pid_file(xserver_var_run_t)
+
 type xdm_tmp_t;
 files_tmp_file(xdm_tmp_t)
-typealias xdm_tmp_t alias ice_tmp_t;
+typealias xdm_tmp_t alias { xserver_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t };
+typealias xdm_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
+ubac_constrained(xdm_tmp_t)
 
 type xdm_tmpfs_t;
 files_tmpfs_file(xdm_tmpfs_t)
 
+type xdm_home_t;
+userdom_user_home_content(xdm_home_t)
+
+type xdm_log_t;
+logging_log_file(xdm_log_t)
+
 # type for /var/lib/xkb
 type xkb_var_lib_t;
 files_type(xkb_var_lib_t)
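Review bot: Turning `xserver_tmp_t` into an alias of `xdm_tmp_t` (the `typealias xdm_tmp_t alias { xserver_tmp_t ... }` line, with the standalone type deleted in the next hunk) merges two labels that were previously kept apart, so every rule written against either now applies to both: `xserver_manage_xdm_tmp_files` now covers the X server's /tmp files, and the `xserver_tmp_t:sock_file unlink` and stream_connect rules in xserver.if now reach the display manager's sockets. That may be intended if both share /tmp/.X11-unix, but it is a reduction in label granularity and needs a comment beside the alias, e.g. `# xserver and xdm share /tmp/.X11-unix, so one label covers both`. `xserver_var_lib_t` is declared here but no rule in the visible hunks uses it; confirm it is referenced elsewhere.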
@@ -196,15 +244,9 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
 init_system_domain(xserver_t, xserver_exec_t)
 ubac_constrained(xserver_t)
 
-type xserver_tmp_t;
-typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t };
-typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
-files_tmp_file(xserver_tmp_t)
-ubac_constrained(xserver_tmp_t)
-
 type xserver_tmpfs_t;
-typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t };
-typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t xdm_xserver_tmpfs_t };
+typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t xguest_xserver_tmpfs_t unconfined_xserver_tmpfs_t xdm_xserver_tmpfs_t };
+typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t };
 files_tmpfs_file(xserver_tmpfs_t)
 ubac_constrained(xserver_tmpfs_t)
 
@@ -234,9 +276,13 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
 
 allow xdm_t iceauth_home_t:file read_file_perms;
 
+dev_read_rand(iceauth_t)
+
 fs_search_auto_mountpoints(iceauth_t)
 
 userdom_use_user_terminals(iceauth_t)
+userdom_read_user_tmp_files(iceauth_t)
+userdom_read_all_users_state(iceauth_t)
 
 tunable_policy(`use_nfs_home_dirs',`
        fs_manage_nfs_files(iceauth_t)
@@ -246,30 +292,64 @@ tunable_policy(`use_samba_home_dirs',`
        fs_manage_cifs_files(iceauth_t)
 ')
 
+ifdef(`hide_broken_symptoms', `
+       dev_dontaudit_read_urand(iceauth_t)
+       dev_dontaudit_rw_dri(iceauth_t)
+       dev_dontaudit_rw_generic_dev_nodes(iceauth_t)
+       fs_dontaudit_list_inotifyfs(iceauth_t)
+       fs_dontaudit_rw_anon_inodefs_files(iceauth_t)
+        term_dontaudit_use_unallocated_ttys(iceauth_t)
+
+       userdom_dontaudit_read_user_home_content_files(iceauth_t)
+       userdom_dontaudit_write_user_home_content_files(iceauth_t)
+       userdom_dontaudit_write_user_tmp_files(iceauth_t)
+
+       optional_policy(`
+               mozilla_dontaudit_rw_user_home_files(iceauth_t)
+       ')
+')
+
 ########################################
 #
 # Xauth local policy
 #
 
+allow xauth_t self:capability dac_override;
 allow xauth_t self:process signal;
 allow xauth_t self:unix_stream_socket create_stream_socket_perms;
 
+allow xauth_t xdm_t:process sigchld;
+allow xauth_t xserver_t:unix_stream_socket connectto;
+
+corenet_tcp_connect_xserver_port(xauth_t)
+
 allow xauth_t xauth_home_t:file manage_file_perms;
 userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
+userdom_admin_home_dir_filetrans(xauth_t, xauth_home_t, file)
+
+manage_dirs_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t)
+manage_files_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t)
 
 manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
 manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
 files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
 
-allow xdm_t xauth_home_t:file manage_file_perms;
-userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
+stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+
+kernel_read_system_state(xauth_t)
 
 domain_use_interactive_fds(xauth_t)
+domain_dontaudit_leaks(xauth_t)
 
 files_read_etc_files(xauth_t)
+files_read_usr_files(xauth_t)
 files_search_pids(xauth_t)
+files_dontaudit_getattr_all_dirs(xauth_t)
+files_dontaudit_leaks(xauth_t)
+files_var_lib_filetrans(xauth_t, xauth_home_t, file)
 
-fs_getattr_xattr_fs(xauth_t)
+fs_dontaudit_leaks(xauth_t)
+fs_getattr_all_fs(xauth_t)
 fs_search_auto_mountpoints(xauth_t)
 
 # cjp: why?
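Review bot: `allow xauth_t self:capability dac_override;` lets xauth bypass file-mode checks wherever its SELinux rules already reach, and together with the new `userdom_admin_home_dir_filetrans` and `manage_files_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t)` rules it is a noticeable privilege increase for a helper that writes one cookie file; add a comment stating the case that needs it (a root-run xauth writing a user-owned .Xauthority, presumably) or narrow it. `files_var_lib_filetrans(xauth_t, xauth_home_t, file)` labels any file xauth creates directly under /var/lib as xauth_home_t, while the .fc hunk only labels the nxserver and pqsql subdirectories and the `nx_var_lib_filetrans` call in the next hunk already covers the nx case, so this generic transition looks over-broad. The `ifdef(`hide_broken_symptoms'` block mixes space indentation (the term_dontaudit_use_unallocated_ttys line) with the tabs used elsewhere in the file.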
@@ -279,17 +359,37 @@ auth_use_nsswitch(xauth_t)
 
 userdom_use_user_terminals(xauth_t)
 userdom_read_user_tmp_files(xauth_t)
+userdom_read_all_users_state(xauth_t)
+
+ifdef(`hide_broken_symptoms', `
+     fs_dontaudit_rw_anon_inodefs_files(xauth_t)
+     fs_dontaudit_list_inotifyfs(xauth_t)
+     userdom_manage_user_home_content_files(xauth_t)
+     userdom_manage_user_tmp_files(xauth_t)
+     dev_dontaudit_rw_generic_dev_nodes(xauth_t)
+     miscfiles_read_fonts(xauth_t)
+')
 
 xserver_rw_xdm_tmp_files(xauth_t)
 
 tunable_policy(`use_nfs_home_dirs',`
        fs_manage_nfs_files(xauth_t)
+       fs_read_nfs_symlinks(xauth_t)
 ')
 
 tunable_policy(`use_samba_home_dirs',`
        fs_manage_cifs_files(xauth_t)
 ')
 
+ifdef(`hide_broken_symptoms', `
+        term_dontaudit_use_unallocated_ttys(xauth_t)
+       dev_dontaudit_rw_dri(xauth_t)
+')
+
+optional_policy(`
+       nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
+')
+
 optional_policy(`
        ssh_sigchld(xauth_t)
        ssh_read_pipes(xauth_t)
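Review bot: The first `hide_broken_symptoms` block in this hunk grants real access rather than suppressing audit: `userdom_manage_user_home_content_files(xauth_t)` and `userdom_manage_user_tmp_files(xauth_t)` let xauth create, write and delete every user home-content and user tmp file, under a build option whose name promises only silenced denials. If xauth only needs its own `.Xauthority` (already covered by the `xauth_home_t` rules above the hunk), these two lines should be dropped or replaced by the dontaudit variants of the same userdom interfaces; if the write access is genuinely required, a comment should name the path that triggers it. The lines in both `hide_broken_symptoms` blocks are also indented with spaces while the rest of the file uses tabs.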
@@ -301,20 +401,33 @@ optional_policy(`
 # XDM Local policy
 #
 
-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace };
+allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate ptrace };
+allow xdm_t self:process { getattr getcap setcap };
 allow xdm_t self:fifo_file rw_fifo_file_perms;
 allow xdm_t self:shm create_shm_perms;
 allow xdm_t self:sem create_sem_perms;
 allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow xdm_t self:unix_dgram_socket create_socket_perms;
+allow xdm_t self:unix_dgram_socket { create_socket_perms sendto };
 allow xdm_t self:tcp_socket create_stream_socket_perms;
 allow xdm_t self:udp_socket create_socket_perms;
+allow xdm_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow xdm_t self:socket create_socket_perms;
 allow xdm_t self:appletalk_socket create_socket_perms;
 allow xdm_t self:key { search link write };
 
+allow xdm_t xauth_home_t:file manage_file_perms;
+
 allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
+manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
+
+manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t)
+userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file)
+#Handle mislabeled files in homedir
+userdom_delete_user_home_content_files(xdm_t)
+userdom_signull_unpriv_users(xdm_t)
+userdom_dontaudit_read_admin_home_lnk_files(xdm_t)
 
 # Allow gdm to run gdm-binary
 can_exec(xdm_t, xdm_exec_t)
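Review bot: The new `sys_ptrace` capability and `self:process ptrace` on the first two changed lines widen a login manager's reach well beyond tracing itself: CAP_SYS_PTRACE also gates reading other processes' `/proc/<pid>/` internals. Nothing in the hunk records which gdm code path needs it, and the same commit adds `domain_dontaudit_ptrace_all_domains(xdm_t)` elsewhere, which suggests the goal may just be quiet probes; if so, the dontaudit alone without the capability is the safer form. At minimum add a why-comment above the capability line, e.g. `# sys_ptrace: <component> reads /proc/<pid> of the sessions it manages -- confirm`.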
@@ -322,32 +435,55 @@ can_exec(xdm_t, xdm_exec_t)
 allow xdm_t xdm_lock_t:file manage_file_perms;
 files_lock_filetrans(xdm_t, xdm_lock_t, file)
 
+read_lnk_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t)
+read_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t)
 # wdm has its own config dir /etc/X11/wdm
 # this is ugly, daemons should not create files under /etc!
 manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t)
 
 manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
 manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+manage_lnk_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
 manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
-files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
+files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file lnk_file })
+relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
 
 manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
 manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
 manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
 manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
 manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
-fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+fs_getattr_all_fs(xdm_t)
+fs_list_inotifyfs(xdm_t)
+fs_read_noxattr_fs_files(xdm_t)
+fs_dontaudit_list_fusefs(xdm_t)
+fs_manage_cgroup_dirs(xdm_t)
+fs_manage_cgroup_files(xdm_t)
+
+manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t)
+
+files_search_spool(xdm_t)
+manage_dirs_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
+manage_files_pattern(xdm_t, xdm_spool_t, xdm_spool_t)
+files_spool_filetrans(xdm_t, xdm_spool_t, { file dir })
 
 manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)       
 manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
-files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file)
+manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
+manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
+files_var_lib_filetrans(xdm_t, xdm_var_lib_t, { file dir })
+# Read machine-id
+files_read_var_lib_files(xdm_t)
 
 manage_dirs_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
 manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
 manage_fifo_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
-files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file })
+manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
+files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file })
 
-allow xdm_t xserver_t:process signal;
+allow xdm_t xserver_t:process { signal signull };
 allow xdm_t xserver_t:unix_stream_socket connectto;
 
 allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
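Review bot: Removing `fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t, ...)` leaves the five `manage_*_pattern(xdm_t, xdm_tmpfs_t, ...)` rules directly above it with no visible transition, so objects xdm_t creates on tmpfs would get the default tmpfs label unless `xserver_rw_session(xdm_t, xdm_tmpfs_t)` further down in the xdm block now supplies that transition; please confirm, and if it does, add a comment next to the manage rules saying where the filetrans moved. `fs_manage_cgroup_dirs(xdm_t)` / `fs_manage_cgroup_files(xdm_t)` let the display manager rewrite the cgroup hierarchy and `manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t)` lets it modify users' font files; each deserves a one-line comment naming the feature that needs it.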
@@ -355,10 +491,13 @@ allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms };
 
 # transition to the xdm xserver
 domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
+
+ps_process_pattern(xserver_t, xdm_t)
 allow xserver_t xdm_t:process signal;
 allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
 
 allow xdm_t xserver_t:shm rw_shm_perms;
+read_files_pattern(xdm_t, xserver_t, xserver_t)
 
 # connect to xdm xserver over stream socket
 stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -367,15 +506,22 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
 delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
 delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
 
+manage_dirs_pattern(xdm_t, xdm_log_t, xdm_log_t)
+manage_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
+manage_fifo_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
+logging_log_filetrans(xdm_t, xdm_log_t, { dir file })
+
 manage_dirs_pattern(xdm_t, xserver_log_t, xserver_log_t)
 manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
 manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
-logging_log_filetrans(xdm_t, xserver_log_t, file)
 
 kernel_read_system_state(xdm_t)
+kernel_read_device_sysctls(xdm_t)
 kernel_read_kernel_sysctls(xdm_t)
 kernel_read_net_sysctls(xdm_t)
 kernel_read_network_state(xdm_t)
+kernel_request_load_module(xdm_t)
+kernel_stream_connect(xdm_t)
 
 corecmd_exec_shell(xdm_t)
 corecmd_exec_bin(xdm_t)
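Review bot: Dropping `logging_log_filetrans(xdm_t, xserver_log_t, file)` while keeping the three `manage_*_pattern(xdm_t, xserver_log_t, ...)` rules means a log file xdm_t creates directly under /var/log now transitions to the new `xdm_log_t` (the `{ dir file }` filetrans a few lines up), so any X server log that xdm itself opens will no longer be `xserver_log_t` unless a file-context entry or a named transition elsewhere covers it. If that is intended, say so in a comment above the xserver_log_t rules; if not, the removed line should stay. `kernel_request_load_module(xdm_t)` also wants a short comment naming what xdm triggers module autoloading for.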
@@ -390,18 +536,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
 corenet_udp_sendrecv_all_ports(xdm_t)
 corenet_tcp_bind_generic_node(xdm_t)
 corenet_udp_bind_generic_node(xdm_t)
+corenet_udp_bind_ipp_port(xdm_t)
+corenet_udp_bind_xdmcp_port(xdm_t)
 corenet_tcp_connect_all_ports(xdm_t)
 corenet_sendrecv_all_client_packets(xdm_t)
 # xdm tries to bind to biff_port_t
 corenet_dontaudit_tcp_bind_all_ports(xdm_t)
 
+dev_rwx_zero(xdm_t)
 dev_read_rand(xdm_t)
-dev_read_sysfs(xdm_t)
+dev_rw_sysfs(xdm_t)
 dev_getattr_framebuffer_dev(xdm_t)
 dev_setattr_framebuffer_dev(xdm_t)
 dev_getattr_mouse_dev(xdm_t)
 dev_setattr_mouse_dev(xdm_t)
 dev_rw_apm_bios(xdm_t)
+dev_rw_input_dev(xdm_t)
 dev_setattr_apm_bios_dev(xdm_t)
 dev_rw_dri(xdm_t)
 dev_rw_agp(xdm_t)
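Review bot: Upgrading `dev_read_sysfs(xdm_t)` to `dev_rw_sysfs(xdm_t)` grants write access to all of sysfs, which controls device power states, module parameters and similar kernel knobs, far more than a display manager should normally touch. If one specific node is the reason (a backlight or rfkill file, for instance), a narrower interface or a dedicated type would confine it; failing that, a comment should state which path is written. `dev_rw_input_dev(xdm_t)` likewise gives xdm raw access to every input device, keyboard events included, and should carry a why-comment.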
@@ -410,18 +560,23 @@ dev_setattr_xserver_misc_dev(xdm_t)
 dev_getattr_misc_dev(xdm_t)
 dev_setattr_misc_dev(xdm_t)
 dev_dontaudit_rw_misc(xdm_t)
-dev_getattr_video_dev(xdm_t)
+dev_read_video_dev(xdm_t)
+dev_write_video_dev(xdm_t)
 dev_setattr_video_dev(xdm_t)
 dev_getattr_scanner_dev(xdm_t)
 dev_setattr_scanner_dev(xdm_t)
-dev_getattr_sound_dev(xdm_t)
-dev_setattr_sound_dev(xdm_t)
+dev_read_sound(xdm_t)
+dev_write_sound(xdm_t)
 dev_getattr_power_mgmt_dev(xdm_t)
 dev_setattr_power_mgmt_dev(xdm_t)
+dev_getattr_null_dev(xdm_t)
+dev_setattr_null_dev(xdm_t)
 
 domain_use_interactive_fds(xdm_t)
 # Do not audit denied probes of /proc.
 domain_dontaudit_read_all_domains_state(xdm_t)
+domain_dontaudit_ptrace_all_domains(xdm_t)
+domain_dontaudit_signal_all_domains(xdm_t)
 
 files_read_etc_files(xdm_t)
 files_read_var_files(xdm_t)
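Review bot: `domain_dontaudit_ptrace_all_domains(xdm_t)` and `domain_dontaudit_signal_all_domains(xdm_t)` suppress exactly the denials an administrator would want to see if a compromised or misbehaving display manager starts poking at other domains. Because this commit also gives xdm_t `sys_ptrace` and `self:process ptrace`, a ptrace attempt against an arbitrary domain is now neither allowed nor logged. Consider keeping the signal dontaudit, which matches the existing "probes of /proc" comment, but dropping the ptrace one so such attempts remain visible in the audit log.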
@@ -432,9 +587,17 @@ files_list_mnt(xdm_t)
 files_read_usr_files(xdm_t)
 # Poweroff wants to create the /poweroff file when run from xdm
 files_create_boot_flag(xdm_t)
+files_dontaudit_getattr_boot_dirs(xdm_t)
+files_dontaudit_write_usr_files(xdm_t)
+files_dontaudit_getattr_all_dirs(xdm_t)
+files_dontaudit_getattr_all_symlinks(xdm_t)
 
 fs_getattr_all_fs(xdm_t)
 fs_search_auto_mountpoints(xdm_t)
+fs_rw_anon_inodefs_files(xdm_t)
+fs_mount_tmpfs(xdm_t)
+
+mls_socket_write_to_clearance(xdm_t)
 
 storage_dontaudit_read_fixed_disk(xdm_t)
 storage_dontaudit_write_fixed_disk(xdm_t)
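Review bot: `files_dontaudit_write_usr_files(xdm_t)` silences attempts by the display manager to write under /usr; a write there is an integrity signal rather than noise, so the denial should stay auditable unless a specific harmless writer is known, in which case the comment should name it (`# <program> tries to write <path> under /usr; benign, see <bug>`). `fs_mount_tmpfs(xdm_t)` and `mls_socket_write_to_clearance(xdm_t)` are similarly unexplained and each deserves a one-line why-comment.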
@@ -443,28 +606,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
 storage_dontaudit_raw_write_removable_device(xdm_t)
 storage_dontaudit_setattr_removable_dev(xdm_t)
 storage_dontaudit_rw_scsi_generic(xdm_t)
+storage_dontaudit_rw_fuse(xdm_t)
 
 term_setattr_console(xdm_t)
+term_use_console(xdm_t)
 term_use_unallocated_ttys(xdm_t)
 term_setattr_unallocated_ttys(xdm_t)
+term_relabel_all_ttys(xdm_t)
+term_relabel_unallocated_ttys(xdm_t)
 
 auth_domtrans_pam_console(xdm_t)
 auth_manage_pam_pid(xdm_t)
 auth_manage_pam_console_data(xdm_t)
+auth_signal_pam(xdm_t)
 auth_rw_faillog(xdm_t)
 auth_write_login_records(xdm_t)
 
 # Run telinit->init to shutdown.
 init_telinit(xdm_t)
+init_dbus_chat(xdm_t)
 
 libs_exec_lib_files(xdm_t)
 
 logging_read_generic_logs(xdm_t)
 
+miscfiles_search_man_pages(xdm_t)
 miscfiles_read_localization(xdm_t)
 miscfiles_read_fonts(xdm_t)
-
-sysnet_read_config(xdm_t)
+miscfiles_manage_fonts_cache(xdm_t)
+miscfiles_manage_localization(xdm_t)
+miscfiles_read_hwdata(xdm_t)
 
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
 userdom_create_all_users_keys(xdm_t)
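Review bot: `sysnet_read_config(xdm_t)` is dropped here with no replacement in the hunk, so xdm's reads of /etc/resolv.conf and friends now depend on being granted elsewhere (typically via `auth_use_nsswitch`, which is not visible in this part of the xdm block); please confirm before relying on it. `miscfiles_manage_localization(xdm_t)` and `miscfiles_manage_fonts_cache(xdm_t)` turn a login manager into a writer of system-wide locale and font-cache data, and `term_relabel_all_ttys(xdm_t)` lets it relabel every tty rather than only the unallocated ones it already had; each should either be narrowed or carry a comment naming the gdm feature that needs it.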
@@ -473,6 +644,13 @@ userdom_read_user_home_content_files(xdm_t)
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
+userdom_stream_connect(xdm_t)
+userdom_manage_user_tmp_dirs(xdm_t)
+userdom_manage_user_tmp_files(xdm_t)
+userdom_manage_user_tmp_sockets(xdm_t)
+userdom_manage_tmpfs_role(system_r, xdm_t)
+
+application_signal(xdm_t)
 
 xserver_rw_session(xdm_t, xdm_tmpfs_t)
 xserver_unconfined(xdm_t)
@@ -503,24 +681,69 @@ tunable_policy(`xdm_sysadm_login',`
 #      allow xserver_t xdm_tmpfs_t:file rw_file_perms;
 ')
 
+optional_policy(`
+       accountsd_read_lib_files(xdm_t)
+')
+
 optional_policy(`
        alsa_domtrans(xdm_t)
+       alsa_read_rw_config(xdm_t)
 ')
 
 optional_policy(`
        consolekit_dbus_chat(xdm_t)
+       consolekit_read_log(xdm_t)
 ')
 
 optional_policy(`
        consoletype_exec(xdm_t)
 ')
 
+optional_policy(`
+       # Use dbus to start other processes as xdm_t
+       dbus_role_template(xdm, system_r, xdm_t)
+
+       dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms;
+       xserver_xdm_append_log(xdm_dbusd_t)
+       xserver_read_xdm_pid(xdm_dbusd_t)
+
+       corecmd_bin_entry_type(xdm_t)
+
+       dbus_system_bus_client(xdm_t)
+
+       optional_policy(`
+               bluetooth_dbus_chat(xdm_t)
+       ')
+
+       optional_policy(`
+               devicekit_dbus_chat_disk(xdm_t)
+               devicekit_dbus_chat_power(xdm_t)
+       ')
+
+       optional_policy(`
+               hal_dbus_chat(xdm_t)
+       ')
+
+       optional_policy(`
+               networkmanager_dbus_chat(xdm_t)
+       ')
+
+')
+
+
 optional_policy(`
        # Talk to the console mouse server.
        gpm_stream_connect(xdm_t)
        gpm_setattr_gpmctl(xdm_t)
 ')
 
+optional_policy(`
+       gnome_manage_config(xdm_t)
+       gnome_manage_gconf_home_files(xdm_t)
+       gnome_read_config(xdm_t)
+       gnome_read_gconf_config(xdm_t)
+')
+
 optional_policy(`
        hostname_exec(xdm_t)
 ')
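Review bot: `corecmd_bin_entry_type(xdm_t)` inside the dbus block makes every `bin_t` executable a valid entry point into the privileged xdm_t domain, so anything that can reach a transition to xdm_t (the comment says dbus activation via xdm_dbusd_t) can start an arbitrary bin_t program with xdm's capabilities (setuid, dac_override, sys_rawio, sys_ptrace, ...). If only a few helpers need to run as xdm_t, label them with a dedicated exec type and use that as the entry point; at least add a comment naming the binaries meant to be started this way. Stylistically, the dbus block ends with a blank line before `')` and is followed by two blank lines, which the rest of the file avoids.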
@@ -538,21 +761,65 @@ optional_policy(`
        mta_dontaudit_getattr_spool_files(xdm_t)
 ')
 
+optional_policy(`
+        policykit_dbus_chat(xdm_t)
+       policykit_domtrans_auth(xdm_t)
+       policykit_read_lib(xdm_t)
+       policykit_read_reload(xdm_t)
+       policykit_signal_auth(xdm_t)
+')
+
+optional_policy(`
+       pcscd_stream_connect(xdm_t)
+')
+
+optional_policy(`
+       plymouthd_search_spool(xdm_t)
+       plymouthd_exec_plymouth(xdm_t)
+       plymouthd_stream_connect(xdm_t)
+')
+
+optional_policy(`
+       pulseaudio_exec(xdm_t)
+       pulseaudio_dbus_chat(xdm_t)
+       pulseaudio_stream_connect(xdm_t)
+')
+
 optional_policy(`
        resmgr_stream_connect(xdm_t)
 ')
 
+# On crash gdm execs gdb to dump stack
+optional_policy(`
+       rpm_exec(xdm_t)
+       rpm_read_db(xdm_t)
+       rpm_dontaudit_manage_db(xdm_t)
+')
+
+optional_policy(`
+       rtkit_scheduled(xdm_t)
+')
+
 optional_policy(`
        seutil_sigchld_newrole(xdm_t)
 ')
 
+optional_policy(`
+       ssh_signull(xdm_t)
+')
+
+optional_policy(`
+       shutdown_domtrans(xdm_t)
+')
+
 optional_policy(`
        udev_read_db(xdm_t)
 ')
 
 optional_policy(`
-       unconfined_domain(xdm_t)
-       unconfined_domtrans(xdm_t)
+       unconfined_shell_domtrans(xdm_t)
+       unconfined_signal(xdm_t)
+')
 
        ifndef(`distro_redhat',`
                allow xdm_t self:process { execheap execmem };
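Review bot: The comment `# On crash gdm execs gdb to dump stack` sits above the `rpm_exec`/`rpm_read_db`/`rpm_dontaudit_manage_db` block, none of which involves gdb; either it belongs to a gdb-related rule that is not in this block, or it should explain the rpm access itself (e.g. `# gdm's crash handler queries rpm for package versions -- confirm`). Replacing `unconfined_domain(xdm_t)` with `unconfined_shell_domtrans(xdm_t)` is a welcome tightening, but the `ifndef(`distro_redhat', ...)` block that follows is now unconditional policy instead of being nested in the unconfined optional block, a behaviour change worth a line in the commit message. That ifndef block continues past the end of this hunk.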
@@ -561,7 +828,6 @@ optional_policy(`
        ifdef(`distro_rhel4',`
                allow xdm_t self:process { execheap execmem };
        ')
-')
 
 optional_policy(`
        userhelper_dontaudit_search_config(xdm_t)
@@ -571,6 +837,10 @@ optional_policy(`
        usermanage_read_crack_db(xdm_t)
 ')
 
+optional_policy(`
+       wm_exec(xdm_t)
+')
+
 optional_policy(`
        xfs_stream_connect(xdm_t)
 ')
@@ -596,7 +866,7 @@ allow xserver_t input_xevent_t:x_event send;
 # execheap needed until the X module loader is fixed.
 # NVIDIA Needs execstack
 
-allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
+allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_ptrace sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
 dontaudit xserver_t self:capability chown;
 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow xserver_t self:fd use;
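Review bot: `sys_ptrace` is added to xserver_t's capability set on the first changed line, while the `self:process ~{ ptrace ... }` rule two lines below still excludes `ptrace`, so the capability cannot be for tracing; it most likely serves reading other processes' `/proc` entries (the `userdom_read_all_users_state(xserver_t)` added later in this commit points the same way). A why-comment should record that, e.g. `# sys_ptrace: read /proc/<pid> of clients; process:ptrace is deliberately not granted`, so nobody later assumes the X server traces processes. If the need is only to quiet denials, a dontaudit is preferable to the capability.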
@@ -610,6 +880,18 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
 allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow xserver_t self:tcp_socket create_stream_socket_perms;
 allow xserver_t self:udp_socket create_socket_perms;
+allow xserver_t self:netlink_selinux_socket create_socket_perms;
+allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+# Device rules
+allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell };
+allow x_domain xserver_t:x_screen getattr;
+
+allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
+
+domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
+
+allow xserver_t xauth_home_t:file read_file_perms;
 
 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
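Review bot: `allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell };` grants every X client domain `grab`, `setfocus` and `setattr` on every device the server owns, which is precisely what the XACE x_device class exists to restrict; if `x_domain` includes sandboxed or otherwise untrusted clients, they can now grab keyboard and pointer like any other client. If plain X semantics are intended, a comment under `# Device rules` should say so; otherwise the grab/setfocus bits belong on the trusted subset only. `allow xserver_t { input_xevent_t input_xevent_type }:x_event send;` also repeats the existing `allow xserver_t input_xevent_t:x_event send;` shown in the hunk header, and if `input_xevent_t` carries the `input_xevent_type` attribute the older line can simply go.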
@@ -629,12 +911,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
 
-domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
-allow xserver_t xauth_home_t:file read_file_perms;
+manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)   
+manage_files_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t)
+files_var_lib_filetrans(xserver_t, xserver_var_lib_t, dir)
+
+manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)   
+manage_files_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t)
+manage_sock_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
+files_pid_filetrans(xserver_t, xserver_var_run_t, { file dir })
 
 # Create files in /var/log with the xserver_log_t type.
 manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
 logging_log_filetrans(xserver_t, xserver_log_t, file)
+manage_files_pattern(xserver_t, xdm_log_t, xdm_log_t)
 
 kernel_read_system_state(xserver_t)
 kernel_read_device_sysctls(xserver_t)
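Review bot: `manage_sock_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)` sits in the middle of the new xserver_var_run_t rules, and `files_pid_filetrans(xserver_t, xserver_var_run_t, { file dir })` omits `sock_file`, so a socket the X server creates directly under /var/run would not become `xserver_var_run_t` and has no rule here at all. If the intent is that the X server only ever creates sockets inside xdm's /var/run directory, a comment stating that would make the type pairing look deliberate; if not, the line probably wants `xserver_var_run_t` and `sock_file` should be added to the filetrans. `manage_files_pattern(xserver_t, xdm_log_t, xdm_log_t)` similarly lets the X server rewrite the display manager's logs and should say why.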
@@ -642,6 +931,7 @@ kernel_read_modprobe_sysctls(xserver_t)
 # Xorg wants to check if kernel is tainted
 kernel_read_kernel_sysctls(xserver_t)
 kernel_write_proc_files(xserver_t)
+kernel_request_load_module(xserver_t)
 
 # Run helper programs in xserver_t.
 corecmd_exec_bin(xserver_t)
@@ -668,7 +958,6 @@ dev_rw_apm_bios(xserver_t)
 dev_rw_agp(xserver_t)
 dev_rw_framebuffer(xserver_t)
 dev_manage_dri_dev(xserver_t)
-dev_filetrans_dri(xserver_t)
 dev_create_generic_dirs(xserver_t)
 dev_setattr_generic_dirs(xserver_t)
 # raw memory access is needed if not using the frame buffer
@@ -678,8 +967,13 @@ dev_wx_raw_memory(xserver_t)
 dev_rw_xserver_misc(xserver_t)
 # read events - the synaptics touchpad driver reads raw events
 dev_rw_input_dev(xserver_t)
+dev_read_raw_memory(xserver_t)
+dev_write_raw_memory(xserver_t)
 dev_rwx_zero(xserver_t)
 
+domain_dontaudit_read_all_domains_state(xserver_t)
+domain_signal_all_domains(xserver_t)
+
 files_read_etc_files(xserver_t)
 files_read_etc_runtime_files(xserver_t)
 files_read_usr_files(xserver_t)
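Review bot: `domain_signal_all_domains(xserver_t)` lets the X server send signals to every domain on the system, daemons and the login manager included; the comments in this file justify signals only towards xdm_t, unconfined users and rhgb, so this should be narrowed to the domain that actually needs it or carry a comment naming the case. `dev_write_raw_memory(xserver_t)` also duplicates the write half of `dev_wx_raw_memory(xserver_t)` shown in the hunk header, so only `dev_read_raw_memory(xserver_t)` is new there, and per the comment above it is only needed when the framebuffer is not in use.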
@@ -693,8 +987,13 @@ fs_getattr_xattr_fs(xserver_t)
 fs_search_nfs(xserver_t)
 fs_search_auto_mountpoints(xserver_t)
 fs_search_ramfs(xserver_t)
+fs_rw_tmpfs_files(xserver_t)
 
 mls_xwin_read_to_clearance(xserver_t)
+mls_process_write_to_clearance(xserver_t)
+mls_file_read_to_clearance(xserver_t)
+mls_file_write_all_levels(xserver_t)
+mls_file_upgrade(xserver_t)
 
 selinux_validate_context(xserver_t)
 selinux_compute_access_vector(xserver_t)
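Review bot: `mls_file_write_all_levels(xserver_t)` together with `mls_file_upgrade(xserver_t)` makes the X server an MLS override domain for files: it can write at any level and raise a file's level, which defeats the write-up/no-write-down rule for anything it touches. The existing `mls_xwin_read_to_clearance` line was scoped to X window objects; the file rules need a comment stating which files at other levels the server must write (per-level authority or log files, presumably) and, if possible, should be narrowed to a to-clearance variant rather than all levels.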
@@ -716,11 +1015,14 @@ logging_send_audit_msgs(xserver_t)
 
 miscfiles_read_localization(xserver_t)
 miscfiles_read_fonts(xserver_t)
+miscfiles_read_hwdata(xserver_t)
 
 modutils_domtrans_insmod(xserver_t)
 
 # read x_contexts
 seutil_read_default_contexts(xserver_t)
+seutil_read_config(xserver_t)
+seutil_read_file_contexts(xserver_t)
 
 userdom_search_user_home_dirs(xserver_t)
 userdom_use_user_ttys(xserver_t)
@@ -772,13 +1074,29 @@ optional_policy(`
        auth_search_pam_console_data(xserver_t)
 ')
 
+optional_policy(`
+       devicekit_signal_power(xserver_t)
+')
+
 optional_policy(`
        rhgb_getpgid(xserver_t)
        rhgb_signal(xserver_t)
 ')
 
 optional_policy(`
-       unconfined_domain_noaudit(xserver_t)
+       setrans_translate_context(xserver_t)
+')
+
+optional_policy(`
+       sandbox_rw_xserver_tmpfs_files(xserver_t)
+')
+
+optional_policy(`
+       udev_read_db(xserver_t)
+')
+
+optional_policy(`
+       unconfined_domain(xserver_t)
        unconfined_domtrans(xserver_t)
 ')
 
@@ -786,6 +1104,10 @@ optional_policy(`
        userhelper_search_config(xserver_t)
 ')
 
+optional_policy(`
+       wine_rw_shm(xserver_t)
+')
+
 optional_policy(`
        xfs_stream_connect(xserver_t)
 ')
@@ -802,10 +1124,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
 
 # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
 # handle of a file inside the dir!!!
-allow xserver_t xdm_var_lib_t:file { getattr read };
+allow xserver_t xdm_var_lib_t:file read_file_perms;
 dontaudit xserver_t xdm_var_lib_t:dir search;
 
-allow xserver_t xdm_var_run_t:file read_file_perms;
+read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
 
 # Label pid and temporary files with derived types.
 manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
@@ -826,6 +1148,13 @@ init_use_fds(xserver_t)
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_user_home_content_files(xserver_t)
+userdom_read_all_users_state(xserver_t)
+
+xserver_use_user_fonts(xserver_t)
+
+optional_policy(`
+       userhelper_search_config(xserver_t)
+')
 
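Review bot: The `optional_policy` block adding `userhelper_search_config(xserver_t)` duplicates the one already present in the xserver section (visible as context in an earlier hunk of this file); one of the two should be removed so the rule is not granted twice. `userdom_read_all_users_state(xserver_t)` is the likely consumer of the new `sys_ptrace` capability and deserves a comment saying so, e.g. `# needs sys_ptrace to read /proc/<pid> of client sessions`.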
 tunable_policy(`use_nfs_home_dirs',`
        fs_manage_nfs_dirs(xserver_t)
@@ -841,11 +1170,14 @@ tunable_policy(`use_samba_home_dirs',`
 
 optional_policy(`
        dbus_system_bus_client(xserver_t)
-       hal_dbus_chat(xserver_t)
+
+       optional_policy(`
+               hal_dbus_chat(xserver_t)
+       ')
 ')
 
 optional_policy(`
-       resmgr_stream_connect(xdm_t)
+       mono_rw_shm(xserver_t)
 ')
 
 optional_policy(`
@@ -991,3 +1323,33 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
 allow xserver_unconfined_type xextension_type:x_extension *;
 allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
 allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
+
+optional_policy(`
+       unconfined_rw_shm(xserver_t)
+       unconfined_execmem_rw_shm(xserver_t)
+
+       # xserver signals unconfined user on startx
+       unconfined_signal(xserver_t)
+       unconfined_getpgid(xserver_t)
+')
+
+tunable_policy(`allow_xserver_execmem',`
+       allow xserver_t self:process { execheap execmem execstack };
+')
+
+# Hack to handle the problem of using the nvidia blobs
+tunable_policy(`allow_execmem',`
+       allow xdm_t self:process execmem;
+')
+
+tunable_policy(`allow_execstack',`
+       allow xdm_t self:process { execstack execmem };
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+       fs_append_nfs_files(xdmhomewriter)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+       fs_append_cifs_files(xdmhomewriter)
+')
index d77e631f489447738b45ea3ad6187c19399ddc3e..4776863d9a0c7744491d57656322095057041731 100644 (file)
@@ -5,9 +5,9 @@
 ##     Execute a domain transition to run zabbix.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##     <summary>
 ##     Domain allowed to transition.
-## </summary>
+##     </summary>
 ## </param>
 #
 interface(`zabbix_domtrans',`
@@ -44,9 +44,9 @@ interface(`zabbix_read_log',`
 ##     zabbix log files.
 ## </summary>
 ## <param name="domain">
-##     <summary>
+##     <summary>
 ##     Domain allowed access.
-##     </summary>
+##     </summary>
 ## </param>
 #
 interface(`zabbix_append_log',`
diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc
new file mode 100644 (file)
index 0000000..56cb5af
--- /dev/null
@@ -0,0 +1,27 @@
+
+/etc/zarafa(/.*)?                      gen_context(system_u:object_r:zarafa_etc_t,s0)
+
+/usr/bin/zarafa-dagent --      gen_context(system_u:object_r:zarafa_deliver_exec_t,s0)
+
+/usr/bin/zarafa-server --      gen_context(system_u:object_r:zarafa_server_exec_t,s0)
+
+/usr/bin/zarafa-gateway        --      gen_context(system_u:object_r:zarafa_gateway_exec_t,s0)
+
+/usr/bin/zarafa-spooler        --      gen_context(system_u:object_r:zarafa_spooler_exec_t,s0)
+
+/usr/bin/zarafa-ical   --      gen_context(system_u:object_r:zarafa_ical_exec_t,s0)
+
+/usr/bin/zarafa-monitor        --      gen_context(system_u:object_r:zarafa_monitor_exec_t,s0)
+
+/var/log/zarafa/server\.log            --      gen_context(system_u:object_r:zarafa_server_log_t,s0)
+/var/log/zarafa/spooler\.log   --      gen_context(system_u:object_r:zarafa_spooler_log_t,s0)
+/var/log/zarafa/gateway\.log   --      gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
+/var/log/zarafa/ical\.log              --      gen_context(system_u:object_r:zarafa_ical_log_t,s0)
+/var/log/zarafa/monitor\.log   --      gen_context(system_u:object_r:zarafa_monitor_log_t,s0)
+
+/var/run/zarafa                                -s      gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
+/var/run/zarafa-gateway\.pid   --              gen_context(system_u:object_r:zarafa_gateway_var_run_t,s0)
+/var/run/zarafa-server\.pid     --      gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
+/var/run/zarafa-spooler\.pid    --      gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0)
+/var/run/zarafa-ical\.pid       --      gen_context(system_u:object_r:zarafa_ical_var_run_t,s0)
+/var/run/zarafa-monitor\.pid    --      gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0)
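Review bot: The contexts cover pid and log files for server, spooler, gateway, ical and monitor but not for `deliver` (zarafa-dagent), even though `zarafa_domain_template(deliver)` in zarafa.te creates `zarafa_deliver_log_t` and `zarafa_deliver_var_run_t`; either dagent writes neither, which a comment here should state, or entries such as `/var/log/zarafa/dagent\.log -- gen_context(system_u:object_r:zarafa_deliver_log_t,s0)` are missing (exact path to be confirmed against the package). `zarafa_share_t` is declared in zarafa.te but has no entry in this file, so nothing will ever be labelled with it.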
diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if
new file mode 100644 (file)
index 0000000..78fc104
--- /dev/null
@@ -0,0 +1,102 @@
+## <summary>policy for zarafa services</summary>
+
+######################################
+## <summary>
+##     Creates types and rules for a basic
+##     zararfa init daemon domain.
+## </summary>
+## <param name="prefix">
+##     <summary>
+##     Prefix for the domain.
+##     </summary>
+## </param>
+#
+template(`zarafa_domain_template',`
+       gen_require(`
+               attribute zarafa_domain;
+       ')
+
+       ##############################
+       #
+       # $1_t declarations
+       #
+
+       type zarafa_$1_t, zarafa_domain;
+       type zarafa_$1_exec_t;
+       init_daemon_domain(zarafa_$1_t, zarafa_$1_exec_t)
+
+       type zarafa_$1_log_t;
+       logging_log_file(zarafa_$1_log_t)
+
+       type zarafa_$1_var_run_t;
+       files_pid_file(zarafa_$1_var_run_t)
+
+       ##############################
+       #
+       # $1_t local policy
+       #
+
+       manage_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
+       manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
+       files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file })
+       #stream_connect_pattern(zarafa_$1_t, $1_var_run_t, $1_var_run_t, virtd_t)
+
+       manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t,zarafa_$1_log_t)
+       #manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_log_t,zarafa_$1_log_t)
+       logging_log_filetrans(zarafa_$1_t,zarafa_$1_log_t,{ file })
+')
+
+########################################
+## <summary>
+##     Execute a domain transition to run zarafa_server.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to transition.
+##     </summary>
+## </param>
+#
+interface(`zarafa_server_domtrans',`
+       gen_require(`
+               type zarafa_server_t, zarafa_server_exec_t;
+       ')
+
+       domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t)
+')
+
+########################################
+## <summary>
+##     Execute a domain transition to run zarafa_deliver.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to transition.
+##     </summary>
+## </param>
+#
+interface(`zarafa_deliver_domtrans',`
+       gen_require(`
+               type zarafa_deliver_t, zarafa_deliver_exec_t;
+       ')
+
+       domtrans_pattern($1, zarafa_deliver_exec_t, zarafa_deliver_t)
+')
+
+#######################################
+## <summary>
+##     Connect to zarafa-server unix domain stream socket.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`zarafa_stream_connect_server',`
+       gen_require(`
+               type zarafa_server_t, zarafa_server_var_run_t;
+       ')
+
+       files_search_var_lib($1)
+       stream_connect_pattern($1, zarafa_server_t, zarafa_server_var_run_t, zarafa_server_t)
+')
diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
new file mode 100644 (file)
index 0000000..3509088
--- /dev/null
@@ -0,0 +1,133 @@
+policy_module(zarafa, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute zarafa_domain;
+
+zarafa_domain_template(monitor)
+zarafa_domain_template(ical)
+zarafa_domain_template(server)
+zarafa_domain_template(spooler)
+zarafa_domain_template(gateway)
+zarafa_domain_template(deliver)
+
+type zarafa_deliver_tmp_t;
+files_tmp_file(zarafa_deliver_tmp_t)
+
+type zarafa_etc_t;
+files_config_file(zarafa_etc_t)
+
+type zarafa_share_t;
+files_type(zarafa_share_t)
+
+permissive zarafa_server_t;
+permissive zarafa_spooler_t;
+permissive zarafa_gateway_t;
+permissive zarafa_deliver_t;
+permissive zarafa_ical_t;
+permissive zarafa_monitor_t;
+
+########################################
+#
+# zarafa-deliver local policy
+#
+
+manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t)
+manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t)
+files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir })
+
+#temporary
+#allow zarafa_deliver_t port_t:tcp_socket name_bind;
+
+########################################
+#
+# zarafa_server local policy
+#
+
+allow zarafa_server_t self:capability { chown kill net_bind_service};
+allow zarafa_server_t self:process { setrlimit signal };
+
+corenet_tcp_bind_zarafa_port(zarafa_server_t)
+
+files_read_usr_files(zarafa_server_t)
+
+logging_send_syslog_msg(zarafa_server_t)
+logging_send_audit_msgs(zarafa_server_t)
+
+sysnet_dns_name_resolve(zarafa_server_t)
+
+optional_policy(`
+       mysql_stream_connect(zarafa_server_t)
+')
+
+optional_policy(`
+       kerberos_use(zarafa_server_t)
+')
+
+########################################
+#
+# zarafa_spooler local policy
+#
+
+allow zarafa_spooler_t self:capability { chown kill };
+allow zarafa_spooler_t self:process {  signal };
+
+corenet_tcp_connect_smtp_port(zarafa_spooler_t)
+
+########################################
+#
+# zarafa_gateway local policy
+#
+
+allow zarafa_gateway_t self:capability { chown kill };
+allow zarafa_gateway_t self:process { setrlimit signal };
+
+corenet_tcp_bind_pop_port(zarafa_gateway_t)
+
+#######################################
+#
+# zarafa-ical local policy
+#
+
+allow zarafa_ical_t self:capability chown;
+
+corenet_tcp_bind_http_cache_port(zarafa_ical_t)
+
+######################################
+#
+# zarafa-monitor local policy
+#
+
+allow zarafa_monitor_t self:capability chown;
+
+########################################
+#
+# zarafa domains local policy
+#
+
+# bad permission on /etc/zarafa
+allow zarafa_domain self:capability { dac_override setgid setuid };
+
+allow zarafa_domain self:fifo_file rw_fifo_file_perms;
+allow zarafa_domain self:tcp_socket create_stream_socket_perms;
+allow zarafa_domain self:unix_stream_socket create_stream_socket_perms;
+
+stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
+
+read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t)
+
+kernel_read_system_state(zarafa_domain)
+
+files_read_etc_files(zarafa_domain)
+
+auth_use_nsswitch(zarafa_domain)
+
+miscfiles_read_localization(zarafa_domain)
+
+# temporary rules
+optional_policy(`
+       apache_content_template(zarafa)
+')
index 6b8760509c8f950bb90df7988a0d0f61024ca950..5860687fd61afd1dccc3e2a21f609d5825885ef5 100644 (file)
@@ -38,8 +38,7 @@ interface(`zebra_stream_connect',`
        ')
 
        files_search_pids($1)
-       allow $1 zebra_var_run_t:sock_file write;
-       allow $1 zebra_t:unix_stream_socket connectto;
+       stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)
 ')
 
 ########################################
index 702e76803a95a29e0a7b80fd227cd8ee549d9622..1d24e1edda5065c48da8b983e59f9497305ace25 100644 (file)
@@ -5,9 +5,9 @@
 ##     Execute a domain transition to run audispd-zos-remote.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##     <summary>
 ##     Domain allowed to transition.
-## </summary>
+##     </summary>
 ## </param>
 #
 interface(`zosremote_domtrans',`
index ac503330cdff69441a90bf6eac159b233b4426ab..108595b099622f4b14b39b3c7ffd582fbe4e991c 100644 (file)
@@ -130,3 +130,21 @@ interface(`application_signull',`
 
        allow $1 application_domain_type:process signull;
 ')
+
+########################################
+## <summary>
+##     Send signal to all application domains.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`application_signal',`
+       gen_require(`
+               attribute application_domain_type;
+       ')
+
+       allow $1 application_domain_type:process signal;
+')
index 88df85d29a8330256ac66b3b863964bd464caf2d..2fa3974fbbbb084802d770beb195e707135919c8 100644 (file)
@@ -6,6 +6,22 @@ attribute application_domain_type;
 # Executables to be run by user
 attribute application_exec_type;
 
+userdom_inherit_append_user_home_content_files(application_domain_type)
+userdom_inherit_append_admin_home_files(application_domain_type)
+userdom_inherit_append_user_tmp_files(application_domain_type)
+logging_inherit_append_all_logs(application_domain_type)
+
+files_dontaudit_search_all_dirs(application_domain_type)
+
+optional_policy(`
+       afs_rw_udp_sockets(application_domain_type)
+')
+
+optional_policy(`
+       cron_rw_inherited_user_spool_files(application_domain_type)
+       cron_sigchld(application_domain_type)
+')
+
 optional_policy(`
        ssh_sigchld(application_domain_type)
        ssh_rw_stream_sockets(application_domain_type)
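Review bot: `files_dontaudit_search_all_dirs(application_domain_type)` silently suppresses directory-search denials for every application domain against every directory type, which also removes the audit trail an administrator would use to notice an application reaching outside its intended paths. A why-comment would let later reviewers judge whether the blanket dontaudit is still justified, e.g. `# TODO(policy): name the applications whose search denials this silences`. The `logging_inherit_append_all_logs` line above it is similarly broad and would benefit from the same treatment.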
index 1c4b1e711c8dd895feaefddb595b268bf48d8349..2997dd730987756f60d93a9a2a8ac6b7bd7f9fff 100644 (file)
@@ -10,6 +10,7 @@
 /sbin/pam_console_apply         --     gen_context(system_u:object_r:pam_console_exec_t,s0)
 /sbin/pam_timestamp_check --   gen_context(system_u:object_r:pam_exec_t,s0)
 /sbin/unix_chkpwd      --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
+/usr/sbin/validate     --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
 /sbin/unix_update      --      gen_context(system_u:object_r:updpwd_exec_t,s0)
 /sbin/unix_verify      --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
 ifdef(`distro_suse', `
@@ -27,6 +28,7 @@ ifdef(`distro_gentoo', `
 
 /var/db/shadow.*       --      gen_context(system_u:object_r:shadow_t,s0)
 
+/var/run/user(/.*)?            gen_context(system_u:object_r:var_auth_t,s0)
 /var/lib/abl(/.*)?             gen_context(system_u:object_r:var_auth_t,s0)
 /var/lib/pam_ssh(/.*)?         gen_context(system_u:object_r:var_auth_t,s0)
 
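Review bot: `/var/run/user(/.*)?` is given var_auth_t, the same type as the PAM helper state under /var/lib/abl and /var/lib/pam_ssh, so every domain declared through `auth_login_pgm_domain` (which gains `manage_dirs_pattern` on var_auth_t elsewhere in this commit) and every caller of the new `auth_read_var_auth` can now read or manage whatever lands in the per-user runtime directories. If that tree is meant to hold more than PAM state, a dedicated type would keep the grant narrow; at minimum add a comment such as `# per-user runtime dirs (presumably created by a PAM module); readable by all auth_read_var_auth callers` so the sharing is deliberate.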
index bea0adeec35464f8263cdd37a2c35abfd213679f..581921138a803f98ebc045012d98c556da490c65 100644 (file)
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
        auth_exec_pam($1)
        auth_use_nsswitch($1)
 
+       init_rw_stream_sockets($1)
+
        logging_send_audit_msgs($1)
        logging_send_syslog_msg($1)
 
@@ -66,6 +68,10 @@ interface(`auth_use_pam',`
                optional_policy(`
                        consolekit_dbus_chat($1)
                ')
+
+               optional_policy(`
+                       fprintd_dbus_chat($1)
+               ')
        ')
 
        optional_policy(`
@@ -91,9 +97,12 @@ interface(`auth_use_pam',`
 interface(`auth_login_pgm_domain',`
        gen_require(`
                type var_auth_t, auth_cache_t;
+               attribute polydomain;
        ')
 
        domain_type($1)
+       typeattribute $1 polydomain;
+
        domain_subj_id_change_exemption($1)
        domain_role_change_exemption($1)
        domain_obj_id_change_exemption($1)
@@ -107,8 +116,10 @@ interface(`auth_login_pgm_domain',`
        allow $1 self:capability ipc_lock;
        allow $1 self:process setkeycreate;
        allow $1 self:key manage_key_perms;
+       userdom_manage_all_users_keys($1)
 
        files_list_var_lib($1)
+       manage_dirs_pattern($1, var_auth_t, var_auth_t)
        manage_files_pattern($1, var_auth_t, var_auth_t)
 
        manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
@@ -126,6 +137,8 @@ interface(`auth_login_pgm_domain',`
        files_read_etc_files($1)
 
        fs_list_auto_mountpoints($1)
+       fs_manage_cgroup_dirs($1)
+       fs_manage_cgroup_files($1)
 
        selinux_get_fs_mount($1)
        selinux_validate_context($1)
@@ -141,6 +154,7 @@ interface(`auth_login_pgm_domain',`
        mls_process_set_level($1)
        mls_fd_share_all_levels($1)
 
+       auth_manage_pam_pid($1)
        auth_use_pam($1)
 
        init_rw_utmp($1)
@@ -151,8 +165,38 @@ interface(`auth_login_pgm_domain',`
        seutil_read_config($1)
        seutil_read_default_contexts($1)
 
-       tunable_policy(`allow_polyinstantiation',`
-               files_polyinstantiate_all($1)
+       userdom_set_rlimitnh($1)
+       userdom_read_user_home_content_symlinks($1)
+       userdom_delete_user_tmp_files($1)
+       userdom_search_admin_dir($1)
+
+       optional_policy(`
+               afs_rw_udp_sockets($1)
+       ')
+
+       optional_policy(`
+               kerberos_read_config($1)
+       ')
+
+       optional_policy(`
+               oddjob_dbus_chat($1)
+               oddjob_domtrans_mkhomedir($1)
+       ')
+
+       optional_policy(`
+               corecmd_exec_bin($1)
+               storage_getattr_fixed_disk_dev($1)
+               mount_domtrans($1)
+       ')
+
+       optional_policy(`
+               fprintd_dbus_chat($1)
+       ')
+
+       optional_policy(`
+               ssh_agent_exec($1)
+               ssh_read_user_home_files($1)
+               userdom_read_user_home_content_files($1)
        ')
 ')
 
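Review bot: The `optional_policy` block holding `corecmd_exec_bin($1)`, `storage_getattr_fixed_disk_dev($1)` and `mount_domtrans($1)` mixes two kernel-layer interfaces with one from the mount module, so the corecmd and storage grants are silently dropped whenever mount is not loaded, and `corecmd_exec_bin` is a broad grant for every login-program domain with no comment saying which program needs it. Keep only `mount_domtrans($1)` inside the `optional_policy` and move the other two lines out with a why-comment, e.g. `# login programs exec helpers from bin dirs (TODO: name the helper)`. The enclosing `auth_login_pgm_domain` interface starts outside this hunk.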
@@ -365,13 +409,15 @@ interface(`auth_domtrans_chk_passwd',`
        ')
 
        optional_policy(`
-               pcscd_read_pub_files($1)
+               pcscd_manage_pub_files($1)
+               pcscd_manage_pub_pipes($1)
                pcscd_stream_connect($1)
        ')
 
        optional_policy(`
                samba_stream_connect_winbind($1)
        ')
+       auth_domtrans_upd_passwd($1)
 ')
 
 ########################################
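Review bot: `auth_domtrans_upd_passwd($1)` is appended at the end of `auth_domtrans_chk_passwd` outside any optional block and without a comment, so every caller that only wanted password checking now also receives a transition into the password-update domain; the `auth_run_upd_passwd($1, $2)` added to `auth_run_chk_passwd` in the next hunk widens it the same way for role-granting callers. Put the reason in a comment so the extra grant is reviewable, e.g. `# password check may need to update shadow (TODO: name the PAM flow that requires it)`, hedged as appropriate. The switch from `pcscd_read_pub_files` to `pcscd_manage_pub_files`/`pcscd_manage_pub_pipes` would also benefit from a one-line rationale.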
@@ -418,6 +464,7 @@ interface(`auth_run_chk_passwd',`
 
        auth_domtrans_chk_passwd($1)
        role $2 types chkpwd_t;
+       auth_run_upd_passwd($1, $2)
 ')
 
 ########################################
@@ -694,7 +741,7 @@ interface(`auth_relabel_shadow',`
        ')
 
        files_search_etc($1)
-       allow $1 shadow_t:file { relabelfrom relabelto };
+       allow $1 shadow_t:file relabel_file_perms;
        typeattribute $1 can_relabelto_shadow_passwords;
 ')
 
@@ -872,6 +919,26 @@ interface(`auth_exec_pam',`
        can_exec($1, pam_exec_t)
 ')
 
+########################################
+## <summary>
+##     Read var auth files. Used by various other applications
+##     and pam applets etc.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`auth_read_var_auth',`
+       gen_require(`
+               type var_auth_t;
+       ')
+
+       files_search_var($1)
+       read_files_pattern($1, var_auth_t, var_auth_t)
+')
+
 ########################################
 ## <summary>
 ##     Manage var auth files. Used by various other applications
@@ -1500,6 +1567,8 @@ interface(`auth_manage_login_records',`
 #
 interface(`auth_use_nsswitch',`
 
+       allow $1 self:netlink_route_socket r_netlink_socket_perms;
+
        files_list_var_lib($1)
 
        # read /etc/nsswitch.conf
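Review bot: The new `allow $1 self:netlink_route_socket r_netlink_socket_perms;` at the top of `auth_use_nsswitch` has no comment, unlike the neighbouring `# read /etc/nsswitch.conf`, and it reaches every domain in the policy that resolves names. A short why-comment keeps it from being taken for a leftover, e.g. `# name resolution enumerates local interfaces over netlink — confirm the triggering libc call`. The interface continues past the end of this hunk.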
@@ -1531,7 +1600,15 @@ interface(`auth_use_nsswitch',`
        ')
 
        optional_policy(`
-               nscd_socket_use($1)
+               nscd_use($1)
+       ')
+
+       optional_policy(`
+               nslcd_stream_connect($1)
+       ')
+
+       optional_policy(`
+               sssd_stream_connect($1)
        ')
 
        optional_policy(`
index 54d122b113cf8731839467eb410d9c5ecff1b85b..ee0fe55f8ee1efb41417a908ca4ce100b277ef25 100644 (file)
@@ -8,6 +8,7 @@ policy_module(authlogin, 2.2.0)
 attribute can_read_shadow_passwords;
 attribute can_write_shadow_passwords;
 attribute can_relabelto_shadow_passwords;
+attribute polydomain;
 
 type auth_cache_t;
 logging_log_file(auth_cache_t)
@@ -83,7 +84,7 @@ logging_log_file(wtmp_t)
 
 allow chkpwd_t self:capability { dac_override setuid };
 dontaudit chkpwd_t self:capability sys_tty_config;
-allow chkpwd_t self:process getattr;
+allow chkpwd_t self:process { getattr signal };
 
 allow chkpwd_t shadow_t:file read_file_perms;
 files_list_etc(chkpwd_t)
@@ -394,3 +395,11 @@ optional_policy(`
        xserver_use_xdm_fds(utempter_t)
        xserver_rw_xdm_pipes(utempter_t)
 ')
+
+tunable_policy(`allow_polyinstantiation',`
+       files_polyinstantiate_all(polydomain)
+       userdom_manage_user_home_content_dirs(polydomain)
+       userdom_manage_user_home_content_files(polydomain)
+       userdom_relabelto_user_home_dirs(polydomain)
+       userdom_relabelto_user_home_files(polydomain)
+')
index 89cc088da767a12b20fd8d3c382bad3ecc5880f2..81e5ed47d807d108c24da947d0a2ca2bab340cca 100644 (file)
@@ -71,6 +71,32 @@ interface(`daemontools_domtrans_start',`
        domtrans_pattern($1, svc_start_exec_t, svc_start_t)
 ')
 
+######################################
+## <summary>
+##  Execute svc_start in the svc_start domain, and
+##  allow the specified role the svc_start domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+## <param name="role">
+##  <summary>
+##  The role to be allowed the svc_start domain.
+##  </summary>
+## </param>
+## <rolecap/>
+#
+interface(`daemonstools_run_start',`
+    gen_require(`
+        type svc_start_t;
+    ')
+
+    daemontools_domtrans_start($1)
+    role $2 types svc_start_t;
+')
+
 ########################################
 ## <summary>
 ##     Execute in the svc_run_t domain.
@@ -127,6 +153,24 @@ interface(`daemontools_read_svc',`
        allow $1 svc_svc_t:file read_file_perms;
 ')
 
+######################################
+## <summary>
+##  Search svc_svc_t  directory.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`daemontools_search_svc_dir',`
+    gen_require(`
+        type svc_svc_t;
+    ')
+
+    allow $1 svc_svc_t:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##     Allow a domain to create svc_svc_t files.
@@ -148,3 +192,21 @@ interface(`daemontools_manage_svc',`
        allow $1 svc_svc_t:file manage_file_perms;
        allow $1 svc_svc_t:lnk_file { read create };
 ')
+
+######################################
+## <summary>
+##  Send a SIGCHLD signal to svc_run domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`daemontools_sigchld_run',`
+    gen_require(`
+        type svc_run_t;
+    ')
+
+    allow $1 svc_run_t:process sigchld;
+')
index 183fcf1f8b9dfb218a218826296a5dca7579acd9..699451c919f9210076563c3d0aec9bc222a9d0cc 100644 (file)
@@ -38,7 +38,10 @@ files_type(svc_svc_t)
 # multilog creates /service/*/log/status
 manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t)
 
+term_write_console(svc_multilog_t)
+
 init_use_fds(svc_multilog_t)
+init_dontaudit_use_script_fds(svc_multilog_t)
 
 # writes to /var/log/*/*
 logging_manage_generic_logs(svc_multilog_t)
@@ -52,7 +55,7 @@ daemontools_ipc_domain(svc_multilog_t)
 # ie. softlimit, setuidgid, envuidgid, envdir, fghack ..
 #
 
-allow svc_run_t self:capability { setgid setuid chown fsetid };
+allow svc_run_t self:capability { setgid setuid chown fsetid sys_resource };
 allow svc_run_t self:process setrlimit;
 allow svc_run_t self:fifo_file rw_fifo_file_perms;
 allow svc_run_t self:unix_stream_socket create_stream_socket_perms;
@@ -64,9 +67,13 @@ can_exec(svc_run_t, svc_run_exec_t)
 
 kernel_read_system_state(svc_run_t)
 
+dev_read_urand(svc_run_t)
+
 corecmd_exec_bin(svc_run_t)
 corecmd_exec_shell(svc_run_t)
 
+term_write_console(svc_run_t)
+
 files_read_etc_files(svc_run_t)
 files_read_etc_runtime_files(svc_run_t)
 files_search_pids(svc_run_t)
@@ -88,21 +95,36 @@ optional_policy(`
 # ie svc, svscan, supervise ...
 #
 
-allow svc_start_t svc_run_t:process signal;
+allow svc_start_t svc_run_t:process { signal setrlimit };
 
 allow svc_start_t self:fifo_file rw_fifo_file_perms;
 allow svc_start_t self:capability kill;
+allow svc_start_t self:tcp_socket create_stream_socket_perms;
 allow svc_start_t self:unix_stream_socket create_socket_perms;
 
 can_exec(svc_start_t, svc_start_exec_t)
 
+mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t)
+
+kernel_read_kernel_sysctls(svc_start_t)
+kernel_read_system_state(svc_start_t)
+
 corecmd_exec_bin(svc_start_t)
 corecmd_exec_shell(svc_start_t)
 
+corenet_tcp_bind_generic_node(svc_start_t)
+corenet_tcp_bind_generic_port(svc_start_t)
+
+term_write_console(svc_start_t)
+
 files_read_etc_files(svc_start_t)
 files_read_etc_runtime_files(svc_start_t)
 files_search_var(svc_start_t)
 files_search_pids(svc_start_t)
 
+logging_send_syslog_msg(svc_start_t)
+
+miscfiles_read_localization(svc_start_t)
+
 daemontools_domtrans_run(svc_start_t)
 daemontools_manage_svc(svc_start_t)
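Review bot: `corenet_tcp_bind_generic_port(svc_start_t)` together with the new `allow svc_start_t self:tcp_socket create_stream_socket_perms;` lets the svc/svscan/supervise domain listen on any port that carries no specific port type, and nothing in the hunk says which tool needs a listening socket. A listening-socket grant for a supervisor domain is the kind of rule an auditor will ask about, so add a comment naming the consumer, e.g. `# TODO(policy): name the daemontools tool that binds a TCP port`, or bind to the specific labeled port type if only one service is involved.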
index a97a0964d8fd351712c13d140c6d77f72629f7bd..dd65c157aec7a2110bd02101ba1be5ffad862a78 100644 (file)
@@ -1,4 +1,3 @@
-/sbin/badblocks                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/blkid            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/blockdev         --      gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/cfdisk           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -23,7 +22,6 @@
 /sbin/mkfs.*           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/mkraid           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/mkreiserfs       --      gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/mkswap           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/parted           --      gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/partprobe                --      gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/partx            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
index a442acc77c1d46bb1aa2924f04b89a447e302ba8..7cb758255ad3291a5e21f2c60df2e9810f13fbd6 100644 (file)
@@ -55,6 +55,7 @@ allow fsadm_t swapfile_t:file { rw_file_perms swapon };
 
 kernel_read_system_state(fsadm_t)
 kernel_read_kernel_sysctls(fsadm_t)
+kernel_request_load_module(fsadm_t)
 # Allow console log change (updfstab)
 kernel_change_ring_buffer_level(fsadm_t)
 # mkreiserfs needs this
@@ -117,6 +118,9 @@ fs_remount_xattr_fs(fsadm_t)
 fs_search_tmpfs(fsadm_t)
 fs_getattr_tmpfs_dirs(fsadm_t)
 fs_read_tmpfs_symlinks(fsadm_t)
+fs_manage_nfs_files(fsadm_t)
+fs_manage_cifs_files(fsadm_t)
+fs_rw_hugetlbfs_files(fsadm_t)
 # Recreate /mnt/cdrom.
 files_manage_mnt_dirs(fsadm_t)
 # for tune2fs
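Review bot: `fs_manage_nfs_files(fsadm_t)` and `fs_manage_cifs_files(fsadm_t)` are unconditional, so the filesystem-tool domain may create and modify files on every mounted NFS and CIFS share, regardless of the booleans that normally gate network-filesystem access in this policy (`use_nfs_home_dirs`/`use_samba_home_dirs`, if this tree carries them). If a specific tool needs to write images on a network mount, wrap the two lines in a matching `tunable_policy` and add a comment naming it. `term_use_all_terms(fsadm_t)` replacing `userdom_use_user_terminals` in the next hunk widens terminal access in the same uncommented way.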
@@ -147,7 +151,7 @@ modutils_read_module_deps(fsadm_t)
 
 seutil_read_config(fsadm_t)
 
-userdom_use_user_terminals(fsadm_t)
+term_use_all_terms(fsadm_t)
 
 ifdef(`distro_redhat',`
        optional_policy(`
@@ -165,6 +169,14 @@ optional_policy(`
        cron_system_entry(fsadm_t, fsadm_exec_t)
 ')
 
+optional_policy(`
+       hal_dontaudit_write_log(fsadm_t)
+')
+
+optional_policy(`
+       livecd_rw_tmp_files(fsadm_t)
+')
+
 optional_policy(`
        nis_use_ypbind(fsadm_t)
 ')
@@ -174,6 +186,10 @@ optional_policy(`
        rhgb_stub(fsadm_t)
 ')
 
+optional_policy(`
+       virt_read_blk_images(fsadm_t)
+')
+
 optional_policy(`
        xen_append_log(fsadm_t)
        xen_rw_image_files(fsadm_t)
index 408f4e65c2573bd19e96293a4cde3e57dc3d7215..55c2d036bd086885115652ce91ce20ca3c380ccb 100644 (file)
@@ -83,7 +83,7 @@ term_use_unallocated_ttys(getty_t)
 term_setattr_all_ttys(getty_t)
 term_setattr_unallocated_ttys(getty_t)
 term_setattr_console(getty_t)
-term_dontaudit_use_console(getty_t)
+term_use_console(getty_t)
 
 auth_rw_login_records(getty_t)
 
index 1fd31c1a397b877a46fe825d1e780626ecf95eab..683494c5f02d9490c3c8232f722fe29ee1f8eea1 100644 (file)
@@ -28,15 +28,18 @@ dev_read_sysfs(hostname_t)
 # Early devtmpfs, before udev relabel
 dev_dontaudit_rw_generic_chr_files(hostname_t)
 
+domain_dontaudit_leaks(hostname_t)
 domain_use_interactive_fds(hostname_t)
 
 files_read_etc_files(hostname_t)
+files_dontaudit_leaks(hostname_t)
 files_dontaudit_search_var(hostname_t)
 # for when /usr is not mounted:
 files_dontaudit_search_isid_type_dirs(hostname_t)
 
 fs_getattr_xattr_fs(hostname_t)
 fs_search_auto_mountpoints(hostname_t)
+fs_dontaudit_leaks(hostname_t)
 fs_dontaudit_use_tmpfs_chr_dev(hostname_t)
 
 term_dontaudit_use_console(hostname_t)
@@ -54,6 +57,10 @@ miscfiles_read_localization(hostname_t)
 sysnet_read_config(hostname_t)
 sysnet_dns_name_resolve(hostname_t)
 
+optional_policy(`
+       nis_use_ypbind(hostname_t)
+')
+
 optional_policy(`
        xen_append_log(hostname_t)
        xen_dontaudit_use_fds(hostname_t)
index 15e02e4e2bd635bc7b5e48c98e0ae05482f1d038..7c6933f2e1fe5a9b2eafb38eb6dc8bdbf9996e5a 100644 (file)
@@ -23,7 +23,7 @@ files_pid_file(hotplug_var_run_t)
 #
 
 allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
-dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config };
+dontaudit hotplug_t self:capability { sys_module sys_admin sys_ptrace sys_tty_config };
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit hotplug_t self:capability { dac_override dac_read_search };
 allow hotplug_t self:process { setpgid getsession getattr signal_perms };
@@ -39,14 +39,16 @@ allow hotplug_t hotplug_etc_t:dir list_dir_perms;
 
 can_exec(hotplug_t, hotplug_exec_t)
 
+manage_dirs_pattern(hotplug_t, hotplug_var_run_t, hotplug_var_run_t)
 manage_files_pattern(hotplug_t, hotplug_var_run_t, hotplug_var_run_t)
-files_pid_filetrans(hotplug_t, hotplug_var_run_t, file)
+files_pid_filetrans(hotplug_t, hotplug_var_run_t, { dir file })
 
 kernel_sigchld(hotplug_t)
 kernel_setpgid(hotplug_t)
 kernel_read_system_state(hotplug_t)
+kernel_read_network_state(hotplug_t)
 kernel_read_kernel_sysctls(hotplug_t)
-kernel_read_net_sysctls(hotplug_t)
+kernel_rw_net_sysctls(hotplug_t)
 
 files_read_kernel_modules(hotplug_t)
 
index 9775375405fd185a4b5d09e96646e175ecfe33ed..b3384819cb5ec4d4b948e806582c6494450bb54d 100644 (file)
@@ -21,10 +21,16 @@ ifdef(`distro_gentoo',`
 #
 /dev/initctl           -p      gen_context(system_u:object_r:initctl_t,s0)
 
+#
+# /sbin
+#
+/bin/systemd           --      gen_context(system_u:object_r:init_exec_t,s0)
+
 #
 # /sbin
 #
 /sbin/init(ng)?                --      gen_context(system_u:object_r:init_exec_t,s0)
+/sbin/upstart          --      gen_context(system_u:object_r:init_exec_t,s0)
 
 ifdef(`distro_gentoo', `
 /sbin/rc               --      gen_context(system_u:object_r:initrc_exec_t,s0)
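Review bot: The comment block added above `/bin/systemd` repeats the `# /sbin` header although the entry lives under /bin, so the file now has two identical section headers, one of them wrong. Change the new block to `# /bin`, or drop the extra header and keep just the `/bin/systemd` line. The `/sbin/upstart` entry fits the existing /sbin section as written.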
@@ -44,6 +50,9 @@ ifdef(`distro_gentoo', `
 
 /usr/sbin/apachectl    --      gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/sbin/open_init_pty        --      gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/sbin/startx       --      gen_context(system_u:object_r:initrc_exec_t,s0)
+
+/usr/share/system-config-services/system-config-services-mechanism\.py  --     gen_context(system_u:object_r:initrc_exec_t,s0)
 
 #
 # /var
index f6aafe72ad4b8b1029665c4b702524db7fba526c..447aaec3ab300fc92b6b63887514d1384719c15d 100644 (file)
@@ -105,7 +105,11 @@ interface(`init_domain',`
 
        role system_r types $1;
 
-       domtrans_pattern(init_t,$2,$1)
+       tunable_policy(`init_systemd',`', `
+               domtrans_pattern(init_t,$2,$1)
+               allow init_t $1:unix_stream_socket create_stream_socket_perms;
+               allow $1 init_t:unix_dgram_socket sendto;
+       ')
 
        ifdef(`hide_broken_symptoms',`
                # RHEL4 systems seem to have a stray
@@ -193,8 +197,10 @@ interface(`init_daemon_domain',`
        gen_require(`
                attribute direct_run_init, direct_init, direct_init_entry;
                type initrc_t;
+               type init_t;
                role system_r;
                attribute daemon;
+               attribute initrc_transition_domain;
        ')
 
        typeattribute $1 daemon;
@@ -205,6 +211,20 @@ interface(`init_daemon_domain',`
        role system_r types $1;
 
        domtrans_pattern(initrc_t,$2,$1)
+       allow initrc_t $1:process siginh;
+       allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+       allow $1 initrc_transition_domain:fd use;
+
+       tunable_policy(`init_upstart || init_systemd',`
+               # Handle upstart direct transition to a executable
+               domtrans_pattern(init_t,$2,$1)
+               allow init_t $1:process siginh;
+       ')
+
+       tunable_policy(`init_systemd',`
+               allow init_t $1:unix_stream_socket create_stream_socket_perms;
+               allow $1 init_t:unix_dgram_socket sendto;
+       ')
 
        # daemons started from init will
        # inherit fds from init for the console
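Review bot: The comment `# Handle upstart direct transition to a executable` should read `an executable`; the same wording appears in the `init_system_domain` hunk below, where it also says `upstart/systemd` inside a tunable that tests only `init_systemd`. The `init_systemd` block adds `allow $1 init_t:unix_dgram_socket sendto;` and a stream-socket grant from init_t to the daemon with no comment on what systemd uses them for; a one-line note would match the `# daemons started from init will` style already in this interface. The enclosing `init_daemon_domain` starts outside this hunk.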
@@ -285,7 +305,7 @@ interface(`init_ranged_daemon_domain',`
                type initrc_t;
        ')
 
-       init_daemon_domain($1,$2)
+#      init_daemon_domain($1,$2)
 
        ifdef(`enable_mcs',`
                range_transition initrc_t $2:process $3;
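Review bot: Commenting out `init_daemon_domain($1,$2)` leaves `init_ranged_daemon_domain` with only the MCS/MLS `range_transition` rules, so a daemon declared through it no longer receives the `daemon` attribute, the system_r role assignment or the initrc_t domain transition that the non-ranged variant sets up; whether such a daemon still starts confined depends on what else grants the transition. If the call was disabled to work around the init_t/initrc_t changes elsewhere in this commit, restore it and resolve the conflict, or state in a comment why callers must now invoke `init_daemon_domain` themselves — commented-out policy with no note is a trap for the next merge. The interface starts outside this hunk.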
@@ -336,8 +356,10 @@ interface(`init_ranged_daemon_domain',`
 #
 interface(`init_system_domain',`
        gen_require(`
+               type init_t;
                type initrc_t;
                role system_r;
+               attribute initrc_transition_domain;
        ')
 
        application_domain($1,$2)
@@ -345,6 +367,17 @@ interface(`init_system_domain',`
        role system_r types $1;
 
        domtrans_pattern(initrc_t,$2,$1)
+       allow initrc_t $1:process siginh;
+       allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+       allow $1 initrc_transition_domain:fd use;
+
+       tunable_policy(`init_systemd',`
+               # Handle upstart/systemd direct transition to a executable
+               domtrans_pattern(init_t,$2,$1)
+               allow init_t $1:process siginh;
+               allow init_t $1:unix_stream_socket create_stream_socket_perms;
+               allow $1 init_t:unix_dgram_socket sendto;
+       ')
 
        ifdef(`hide_broken_symptoms',`
                # RHEL4 systems seem to have a stray
@@ -353,6 +386,37 @@ interface(`init_system_domain',`
                        kernel_dontaudit_use_fds($1)
                ')
        ')
+
+       userdom_dontaudit_search_user_home_dirs($1)
+       userdom_dontaudit_rw_stream($1)
+       userdom_dontaudit_write_user_tmp_files($1)
+
+       tunable_policy(`allow_daemons_use_tty',`
+          term_use_all_ttys($1)
+          term_use_all_ptys($1)
+       ',`
+          term_dontaudit_use_all_ttys($1)
+          term_dontaudit_use_all_ptys($1)
+       ')
+
+       # these apps are often redirect output to random log files
+       logging_inherit_append_all_logs($1)
+
+       optional_policy(`
+               cron_rw_pipes($1)
+       ')
+
+       optional_policy(`
+               xserver_dontaudit_append_xdm_home_files($1)
+       ')
+
+       optional_policy(`
+               unconfined_dontaudit_rw_pipes($1)
+               unconfined_dontaudit_rw_stream($1)
+               userdom_dontaudit_read_user_tmp_files($1)
+       ')
+
+       init_rw_script_stream_sockets($1)
 ')
 
 ########################################
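Review bot: The `allow_daemons_use_tty` branches are indented with three spaces while the rest of `init_system_domain` uses tabs; re-indent `term_use_all_ttys($1)` and its three siblings with a tab. The last `optional_policy` block groups `userdom_dontaudit_read_user_tmp_files($1)` with two unconfined_* calls, so that dontaudit is dropped whenever the unconfined module is absent, which does not look intended — move it next to the other `userdom_dontaudit_*` lines above. `init_rw_script_stream_sockets($1)` is appended with no comment, and the existing comment reads better as `# these apps often redirect output to random log files`.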
@@ -669,19 +733,24 @@ interface(`init_telinit',`
                type initctl_t;
        ')
 
+       corecmd_exec_bin($1)
+
        dev_list_all_dev_nodes($1)
        allow $1 initctl_t:fifo_file rw_fifo_file_perms;
 
        init_exec($1)
 
-       tunable_policy(`init_upstart',`
+       tunable_policy(`init_upstart || init_systemd',`
                gen_require(`
                        type init_t;
                ')
 
+               allow $1 init_t:process signal;
                # upstart uses a datagram socket instead of initctl pipe
                allow $1 self:unix_dgram_socket create_socket_perms;
                allow $1 init_t:unix_dgram_socket sendto;
+               #576913
+               allow $1 init_t:unix_stream_socket connectto;
        ')
 ')
 
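Review bot: `#576913` above `allow $1 init_t:unix_stream_socket connectto;` is a bare number with no tracker name or summary, so a reader cannot tell which bug the connect permission fixes or whether it still applies. Spell it out, keeping the id as given, e.g. `# bug 576913 (TODO: tracker + one-line summary): telinit connects to init's stream socket`. `allow $1 init_t:process signal;` was added without a comment as well; the upstart datagram comment just below shows the style to follow.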
@@ -754,18 +823,19 @@ interface(`init_script_file_entry_type',`
 #
 interface(`init_spec_domtrans_script',`
        gen_require(`
-               type initrc_t, initrc_exec_t;
+               type initrc_t;
+               attribute init_script_file_type;
        ')
 
        files_list_etc($1)
-       spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
+       spec_domtrans_pattern($1, init_script_file_type, initrc_t)
 
        ifdef(`enable_mcs',`
-               range_transition $1 initrc_exec_t:process s0;
+               range_transition $1 init_script_file_type:process s0;
        ')
 
        ifdef(`enable_mls',`
-               range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+               range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
        ')
 ')
 
@@ -781,21 +851,43 @@ interface(`init_spec_domtrans_script',`
 #
 interface(`init_domtrans_script',`
        gen_require(`
-               type initrc_t, initrc_exec_t;
+               type initrc_t;
+               attribute init_script_file_type;
+               attribute initrc_transition_domain;
        ')
+       typeattribute $1 initrc_transition_domain;
 
        files_list_etc($1)
-       domtrans_pattern($1, initrc_exec_t, initrc_t)
+       domtrans_pattern($1, init_script_file_type, initrc_t)
 
        ifdef(`enable_mcs',`
-               range_transition $1 initrc_exec_t:process s0;
+               range_transition $1 init_script_file_type:process s0;
        ')
 
        ifdef(`enable_mls',`
-               range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+               range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
        ')
 ')
 
+########################################
+## <summary>
+##     Execute a file in a bin directory
+##     in the initrc_t domain 
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`init_bin_domtrans_spec',`
+       gen_require(`
+               type initrc_t;
+       ')
+
+       corecmd_bin_domtrans($1, initrc_t)
+')
+
 ########################################
 ## <summary>
 ##     Execute a init script in a specified domain.
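Review bot: The summary line `##     in the initrc_t domain ` of `init_bin_domtrans_spec` ends with trailing whitespace, and the summary does not say that the transition is triggered by executing bin-labeled files via `corecmd_bin_domtrans`, which is what distinguishes it from `init_domtrans_script`; suggest `##     Execute a file in a bin directory with a domain transition into initrc_t.`. Elsewhere in this file the `_spec` suffix denotes `spec_domtrans_pattern` (see `init_spec_domtrans_script`), so if a plain domtrans is intended here the name may mislead callers.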
@@ -849,8 +941,12 @@ interface(`init_script_file_domtrans',`
 interface(`init_labeled_script_domtrans',`
        gen_require(`
                type initrc_t;
+               attribute initrc_transition_domain;
        ')
 
+       typeattribute $1 initrc_transition_domain;
+       # service script searches all filesystems via mountpoint
+       fs_search_all($1)
        domtrans_pattern($1, $2, initrc_t)
        files_search_etc($1)
 ')
@@ -1335,6 +1431,27 @@ interface(`init_dbus_send_script',`
        allow $1 initrc_t:dbus send_msg;
 ')
 
+########################################
+## <summary>
+##     Send and receive messages from
+##     init over dbus.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`init_dbus_chat',`
+       gen_require(`
+               type init_t;
+               class dbus send_msg;
+       ')
+
+       allow $1 init_t:dbus send_msg;
+       allow init_t $1:dbus send_msg;
+')
+
 ########################################
 ## <summary>
 ##     Send and receive messages from
@@ -1422,6 +1539,25 @@ interface(`init_getattr_script_status_files',`
        getattr_files_pattern($1, initrc_state_t, initrc_state_t)
 ')
 
+########################################
+## <summary>
+##     Manage init script
+##     status files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`init_manage_script_status_files',`
+       gen_require(`
+               type initrc_state_t;
+       ')
+
+       manage_files_pattern($1, initrc_state_t, initrc_state_t)
+')
+
 ########################################
 ## <summary>
 ##     Do not audit attempts to read init script
@@ -1637,7 +1773,7 @@ interface(`init_dontaudit_rw_utmp',`
                type initrc_var_run_t;
        ')
 
-       dontaudit $1 initrc_var_run_t:file { getattr read write append lock };
+       dontaudit $1 initrc_var_run_t:file rw_file_perms;
 ')
 
 ########################################
@@ -1712,3 +1848,94 @@ interface(`init_udp_recvfrom_all_daemons',`
        ')
        corenet_udp_recvfrom_labeled($1, daemon)
 ')
+
+########################################
+## <summary>
+##     Transition to system_r when execute an init script
+## </summary>
+## <desc>
+##      <p>
+##     Execute a init script in a specified role
+##      </p>
+##      <p>
+##      No interprocess communication (signals, pipes,
+##      etc.) is provided by this interface since
+##      the domains are not owned by this module.
+##      </p>
+## </desc>
+## <param name="source_role">
+##     <summary>
+##     Role to transition from.
+##     </summary>
+## </param>
+#
+interface(`init_script_role_transition',`
+       gen_require(`
+               attribute init_script_file_type;
+       ')
+
+       role_transition $1 init_script_file_type system_r;
+')
+
+########################################
+## <summary>
+##     dontaudit read and write an leaked init scrip file descriptors
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`init_dontaudit_script_leaks',`
+       gen_require(`
+               type initrc_t;
+       ')
+
+       dontaudit $1 initrc_t:tcp_socket { read write };
+       dontaudit $1 initrc_t:udp_socket { read write };
+       dontaudit $1 initrc_t:unix_dgram_socket { read write };
+       dontaudit $1 initrc_t:unix_stream_socket { read write };
+       dontaudit $1 initrc_t:shm rw_shm_perms;
+       init_dontaudit_use_script_ptys($1)
+       init_dontaudit_use_script_fds($1)
+')
+
+
+########################################
+## <summary>
+##     Allow the specified domain to connect to
+##     the init process with a unix socket.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`init_stream_connect',`
+       gen_require(`
+               type init_t;
+       ')
+
+       allow $1 init_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##     Allow the specified domain to read/write to
+##     init with a unix domain stream sockets.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`init_rw_stream_sockets',`
+       gen_require(`
+               type init_t;
+       ')
+
+       allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
+')
index 698c11e22af3581919896026430a16b9bfba04ef..1b6733fae5899393875972ef6549a420458ccae1 100644 (file)
@@ -16,6 +16,27 @@ gen_require(`
 ## </desc>
 gen_tunable(init_upstart, false)
 
+## <desc>
+## <p>
+## Enable support for systemd as the init program.
+## </p>
+## </desc>
+gen_tunable(init_systemd, false)
+
+## <desc>
+## <p>
+## Allow all daemons the ability to read/write terminals
+## </p>
+## </desc>
+gen_tunable(allow_daemons_use_tty, false)
+
+## <desc>
+## <p>
+## Allow all daemons to write corefiles to /
+## </p>
+## </desc>
+gen_tunable(allow_daemons_dump_core, false)
+
 # used for direct running of init scripts
 # by admin domains
 attribute direct_run_init;
@@ -25,6 +46,7 @@ attribute direct_init_entry;
 attribute init_script_domain_type;
 attribute init_script_file_type;
 attribute init_run_all_scripts_domain;
+attribute initrc_transition_domain;
 
 # Mark process types as daemons
 attribute daemon;
@@ -32,7 +54,7 @@ attribute daemon;
 #
 # init_t is the domain of the init process.
 #
-type init_t;
+type init_t, initrc_transition_domain;
 type init_exec_t;
 domain_type(init_t)
 domain_entry_file(init_t, init_exec_t)
@@ -63,6 +85,7 @@ role system_r types initrc_t;
 # of the below init_upstart tunable
 # but this has a typeattribute in it
 corecmd_shell_entry_type(initrc_t)
+corecmd_bin_entry_type(initrc_t)
 
 type initrc_devpts_t;
 term_pty(initrc_devpts_t)
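Review bot: The added `corecmd_bin_entry_type(initrc_t)` carries no comment, while the shell entry line directly above it is explained by the two-line comment about `init_upstart`, so the reason for letting any bin_t program be an entrypoint for initrc_t is not recorded. Presumably this is needed so init can run service programs in initrc_t directly under the new `init_systemd` tunable, and it cannot live inside the tunable block because the entry interface carries a typeattribute, but that is inferred. Suggest `# systemd starts non-shell service programs in initrc_t directly; cannot go inside the tunable` above the new line, adjusted to the actual reason.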
@@ -87,7 +110,7 @@ ifdef(`enable_mls',`
 #
 
 # Use capabilities. old rule:
-allow init_t self:capability ~sys_module;
+allow init_t self:capability ~{ audit_control audit_write sys_module };
 # is ~sys_module really needed? observed:
 # sys_boot
 # sys_tty_config
@@ -100,7 +123,9 @@ allow init_t self:fifo_file rw_fifo_file_perms;
 # Re-exec itself
 can_exec(init_t, init_exec_t)
 
-allow init_t initrc_t:unix_stream_socket connectto;
+allow init_t initrc_t:unix_stream_socket { connectto rw_stream_socket_perms };
+allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms };
+allow initrc_t init_t:fifo_file rw_fifo_file_perms;
 
 # For /var/run/shutdown.pid.
 allow init_t init_var_run_t:file manage_file_perms;
@@ -119,6 +144,7 @@ corecmd_exec_chroot(init_t)
 corecmd_exec_bin(init_t)
 
 dev_read_sysfs(init_t)
+dev_read_urand(init_t)
 # Early devtmpfs
 dev_rw_generic_chr_files(init_t)
 
@@ -127,9 +153,12 @@ domain_kill_all_domains(init_t)
 domain_signal_all_domains(init_t)
 domain_signull_all_domains(init_t)
 domain_sigstop_all_domains(init_t)
+domain_sigstop_all_domains(init_t)
 domain_sigchld_all_domains(init_t)
+domain_read_all_domains_state(init_t)
 
 files_read_etc_files(init_t)
+files_read_all_pids(init_t)
 files_rw_generic_pids(init_t)
 files_dontaudit_search_isid_type_dirs(init_t)
 files_manage_etc_runtime_files(init_t)
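Review bot: The added `domain_sigstop_all_domains(init_t)` duplicates the identical call on the context line directly above it and should be dropped. The other additions in this hunk (`domain_read_all_domains_state(init_t)`, `files_read_all_pids(init_t)`) are separate grants; the duplicate is harmless to the compiled policy but will mislead anyone diffing the file later.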
@@ -162,12 +191,15 @@ init_domtrans_script(init_t)
 libs_rw_ld_so_cache(init_t)
 
 logging_send_syslog_msg(init_t)
+logging_send_audit_msgs(init_t)
 logging_rw_generic_logs(init_t)
 
 seutil_read_config(init_t)
 
 miscfiles_read_localization(init_t)
 
+allow init_t self:process setsched;
+
 ifdef(`distro_gentoo',`
        allow init_t self:process { getcap setcap };
 ')
@@ -178,7 +210,7 @@ ifdef(`distro_redhat',`
        fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
 ')
 
-tunable_policy(`init_upstart',`
+tunable_policy(`init_upstart || init_systemd',`
        corecmd_shell_domtrans(init_t, initrc_t)
 ',`
        # Run the shell in the sysadm role for single-user mode.
@@ -186,22 +218,93 @@ tunable_policy(`init_upstart',`
        sysadm_shell_domtrans(init_t)
 ')
 
+storage_raw_rw_fixed_disk(init_t)
+modutils_domtrans_insmod(init_t)
+
+tunable_policy(`init_systemd',`
+       allow init_t self:unix_dgram_socket { create_socket_perms sendto };
+       allow init_t self:process { setsockcreate setfscreate };
+       allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
+       allow init_t self:netlink_kobject_uevent_socket create_socket_perms; 
+       # Until systemd is fixed
+       allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
+       allow init_t self:netlink_route_socket create_netlink_socket_perms;
+
+       kernel_list_unlabeled(init_t)
+       kernel_read_network_state(init_t)
+       kernel_unmount_debugfs(init_t)
+
+       dev_write_kmsg(init_t)
+       dev_rw_autofs(init_t)
+       dev_manage_generic_dirs(init_t)
+       dev_manage_generic_files(init_t)
+       dev_read_generic_chr_files(init_t)
+       dev_relabelfrom_generic_chr_files(init_t)
+       dev_relabel_autofs_dev(init_t)
+       dev_manage_sysfs_dirs(init_t)
+
+       files_mounton_all_mountpoints(init_t)
+       files_manage_all_pids_dirs(init_t)
+
+       fs_manage_cgroup_dirs(init_t)
+       fs_manage_hugetlbfs_dirs(init_t)
+       fs_manage_tmpfs_dirs(init_t)
+       fs_mount_all_fs(init_t)
+       fs_list_auto_mountpoints(init_t)
+       fs_read_cgroup_files(init_t)
+       fs_write_cgroup_files(init_t)
+       fs_search_cgroup_dirs(daemon)
+
+       selinux_compute_create_context(init_t)
+       selinux_validate_context(init_t)
+       selinux_unmount_fs(init_t)
+
+       storage_getattr_removable_dev(init_t)
+
+       init_read_script_state(init_t)
+
+       seutil_read_file_contexts(init_t)
+')
+
 optional_policy(`
        auth_rw_login_records(init_t)
 ')
 
 optional_policy(`
+       consolekit_manage_log(init_t)
+')
+
+optional_policy(`
+       dbus_connect_system_bus(init_t)
        dbus_system_bus_client(init_t)
+       dbus_delete_pid_files(init_t)
+')
+
+optional_policy(`
+       # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+       # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+       # the directory. But we do not want to allow this.
+       # The master process of dovecot will manage this file.
+       dovecot_dontaudit_unlink_lib_files(initrc_t)
 ')
 
 optional_policy(`
        nscd_socket_use(init_t)
 ')
 
+optional_policy(`
+       plymouthd_stream_connect(init_t)
+       plymouthd_exec_plymouth(init_t)
+')
+
 optional_policy(`
        sssd_stream_connect(init_t)
 ')
 
+optional_policy(`
+       udev_read_db(init_t)
+')
+
 optional_policy(`
        unconfined_domain(init_t)
 ')
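Review bot: `allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write }` grants every domain carrying the `daemon` attribute read/write/setopt on every socket class init_t owns, including the `netlink_kobject_uevent_socket` and `netlink_route_socket` created by the rules around it, and the only justification is `# Until systemd is fixed`. If the intent is that socket-activated services inherit their listening sockets, the rule should name those classes, for example `allow daemon init_t:{ unix_stream_socket unix_dgram_socket tcp_socket udp_socket } { getopt read getattr ioctl setopt write };`, and the comment should reference the systemd bug so the workaround can be removed later. Separately, `storage_raw_rw_fixed_disk(init_t)` and `modutils_domtrans_insmod(init_t)` were added unconditionally just above the `init_systemd` tunable block, so raw fixed-disk access is granted to init on sysvinit systems as well; `storage_raw_rw_fixed_disk` contains only allow rules and could move inside the tunable, while the insmod domtrans at least needs a comment saying why init itself loads modules.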
@@ -212,7 +315,7 @@ optional_policy(`
 #
 
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
-allow initrc_t self:capability ~{ sys_admin sys_module };
+allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module };
 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
@@ -241,6 +344,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
+files_manage_generic_pids_symlinks(initrc_t)
 
 can_exec(initrc_t, initrc_tmp_t)
 manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
@@ -258,11 +362,22 @@ kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
+kernel_request_load_module(initrc_t)
 kernel_rw_all_sysctls(initrc_t)
 # for lsof which is used by alsa shutdown:
 kernel_dontaudit_getattr_message_if(initrc_t)
+kernel_stream_connect(initrc_t)
+files_read_kernel_modules(initrc_t)
+files_read_config_files(initrc_t)
+files_read_var_lib_symlinks(initrc_t)
+files_setattr_pid_dirs(initrc_t)
 
 files_read_kernel_symbol_table(initrc_t)
+files_exec_etc_files(initrc_t)
+files_manage_etc_symlinks(initrc_t)
+
+fs_manage_tmpfs_dirs(initrc_t)
+fs_tmpfs_filetrans(initrc_t, initrc_state_t, file)
 
 corecmd_exec_all_executables(initrc_t)
 
@@ -291,6 +406,7 @@ dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
 dev_setattr_all_chr_files(initrc_t)
 dev_rw_lvm_control(initrc_t)
+dev_rw_generic_chr_files(initrc_t)
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
@@ -298,13 +414,13 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
-# Early devtmpfs
-dev_rw_generic_chr_files(initrc_t)
+dev_rw_xserver_misc(initrc_t)
 
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
 domain_signull_all_domains(initrc_t)
 domain_sigstop_all_domains(initrc_t)
+domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
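Review bot: The added `domain_sigstop_all_domains(initrc_t)` duplicates the identical call on the context line directly above it and should be removed. This hunk also deletes the `# Early devtmpfs` comment together with `dev_rw_generic_chr_files(initrc_t)`, while the same call is re-added one hunk earlier without the comment, so the rationale for giving initrc_t read/write on generic character devices is lost; keep `# Early devtmpfs` next to the surviving call.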
@@ -323,8 +439,10 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
-files_delete_all_locks(initrc_t)
+files_manage_all_locks(initrc_t)
+files_manage_boot_files(initrc_t)
 files_read_all_pids(initrc_t)
+files_delete_root_files(initrc_t)
 files_delete_all_pids(initrc_t)
 files_delete_all_pid_dirs(initrc_t)
 files_read_etc_files(initrc_t)
@@ -340,8 +458,12 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
+files_manage_mnt_dirs(initrc_t)
+files_manage_mnt_files(initrc_t)
 
-fs_write_cgroup_files(initrc_t)
+fs_delete_cgroup_dirs(initrc_t)
+fs_list_cgroup_dirs(initrc_t)
+fs_rw_cgroup_files(initrc_t)
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
@@ -351,6 +473,8 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
+fs_search_all(initrc_t)
+fs_getattr_nfsd_files(initrc_t)
 
 # initrc_t needs to do a pidof which requires ptrace
 mcs_ptrace_all(initrc_t)
@@ -363,6 +487,7 @@ mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
+mls_socket_write_to_clearance(initrc_t)
 
 selinux_get_enforce_mode(initrc_t)
 
@@ -394,13 +519,14 @@ logging_read_audit_config(initrc_t)
 
 miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript
-miscfiles_read_generic_certs(initrc_t)
+miscfiles_manage_cert_files(initrc_t)
 
 modutils_read_module_config(initrc_t)
 modutils_domtrans_insmod(initrc_t)
 
 seutil_read_config(initrc_t)
 
+userdom_read_admin_home_files(initrc_t)
 userdom_read_user_home_content_files(initrc_t)
 # Allow access to the sysadm TTYs. Note that this will give access to the
 # TTYs to any process in the initrc_t domain. Therefore, daemons and such
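Review bot: The comment `# slapd needs to read cert files from its initscript` now sits above `miscfiles_manage_cert_files(initrc_t)`, which goes well beyond read: init scripts can now create, overwrite and unlink certificate files, and nothing records which script needs that. Either update the comment with the actual reason (a script that generates or installs certificates, if that is the case) or narrow the grant back to read plus a specific write rule. `userdom_read_admin_home_files(initrc_t)` is likewise added without a note, even though the surrounding comment warns that every process in initrc_t inherits such access.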
@@ -473,7 +599,7 @@ ifdef(`distro_redhat',`
 
        # Red Hat systems seem to have a stray
        # fd open from the initrd
-       kernel_dontaudit_use_fds(initrc_t)
+       kernel_use_fds(initrc_t)
        files_dontaudit_read_root_files(initrc_t)
 
        # These seem to be from the initrd
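Review bot: `kernel_dontaudit_use_fds(initrc_t)` becomes `kernel_use_fds(initrc_t)` while the comment above it still describes a stray descriptor from the initrd that is merely tolerated; the rule now actively allows init scripts to use kernel-owned descriptors. Update the comment to say why use rather than silence is required, or keep the dontaudit.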
@@ -519,6 +645,19 @@ ifdef(`distro_redhat',`
        optional_policy(`
                bind_manage_config_dirs(initrc_t)
                bind_write_config(initrc_t)
+               bind_setattr_zone_dirs(initrc_t)
+       ')
+
+       optional_policy(`
+               gnome_manage_gconf_config(initrc_t)
+       ')
+
+       optional_policy(`
+               ldap_read_db_files(initrc_t)
+       ')
+
+       optional_policy(`
+               pulseaudio_stream_connect(initrc_t)
        ')
 
        optional_policy(`
@@ -526,10 +665,17 @@ ifdef(`distro_redhat',`
                rpc_write_exports(initrc_t)
                rpc_manage_nfs_state_data(initrc_t)
        ')
+       optional_policy(`
+               rpcbind_stream_connect(initrc_t)
+       ')
 
        optional_policy(`
                sysnet_rw_dhcp_config(initrc_t)
                sysnet_manage_config(initrc_t)
+               sysnet_manage_dhcpc_state(initrc_t)
+               sysnet_relabelfrom_dhcpc_state(initrc_t)
+               sysnet_relabelfrom_net_conf(initrc_t)
+               sysnet_relabelto_net_conf(initrc_t)
        ')
 
        optional_policy(`
@@ -544,6 +690,35 @@ ifdef(`distro_suse',`
        ')
 ')
 
+domain_dontaudit_use_interactive_fds(daemon)
+
+userdom_dontaudit_list_admin_dir(daemon)
+userdom_dontaudit_search_user_tmp(daemon)
+
+tunable_policy(`allow_daemons_use_tty',`
+       term_use_unallocated_ttys(daemon)
+       term_use_generic_ptys(daemon)
+       term_use_all_ttys(daemon)
+       term_use_all_ptys(daemon)
+',`
+       term_dontaudit_use_unallocated_ttys(daemon)
+       term_dontaudit_use_generic_ptys(daemon)
+       term_dontaudit_use_all_ttys(daemon)
+       term_dontaudit_use_all_ptys(daemon)
+ ')
+# system-config-services causes avc messages that should be dontaudited
+tunable_policy(`allow_daemons_dump_core',`
+       files_manage_root_files(daemon)
+')
+
+optional_policy(`
+       unconfined_dontaudit_rw_pipes(daemon)
+       unconfined_dontaudit_rw_stream(daemon)
+       userdom_dontaudit_read_user_tmp_files(daemon)
+       userdom_dontaudit_write_user_tmp_files(daemon)
+')
 optional_policy(`
        amavis_search_lib(initrc_t)
        amavis_setattr_pid_files(initrc_t)
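Review bot: The `allow_daemons_dump_core` tunable grants `files_manage_root_files(daemon)`, which is create/write/rename/unlink on all files in `/` for every daemon, considerably more than the "write corefiles to /" its description in the tunable hunk promises. A narrower rule that only creates and writes files in the root directory would match the description; if no such interface exists the tunable description should at least state the real scope. The comment `# system-config-services causes avc messages that should be dontaudited` above that block appears to be a stray copy of the one in the unconfined section further down and does not describe the tunable, and the closing ` ')` of the `allow_daemons_use_tty` block carries a stray leading space.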
@@ -556,6 +731,8 @@ optional_policy(`
 optional_policy(`
        apache_read_config(initrc_t)
        apache_list_modules(initrc_t)
+       # webmin seems to cause this.
+       apache_search_sys_content(daemon)
 ')
 
 optional_policy(`
@@ -572,6 +749,7 @@ optional_policy(`
 
 optional_policy(`
        cgroup_stream_connect_cgred(initrc_t)
+       domain_setpriority_all_domains(initrc_t)
 ')
 
 optional_policy(`
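Review bot: `domain_setpriority_all_domains(initrc_t)` is placed inside the `optional_policy` block for cgroup, so the grant silently depends on the cgroup module being present even though it is a core `domain_` interface. If the need comes from cgred reclassifying running services, say so with a comment such as `# cgred adjusts the priority of services it classifies`; otherwise move the call out of the optional block next to the other `domain_*` rules for initrc_t.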
@@ -583,6 +761,11 @@ optional_policy(`
        dev_getattr_cpu_dev(initrc_t)
 ')
 
+optional_policy(`
+       chronyd_append_keys(initrc_t)
+       chronyd_read_keys(initrc_t)
+')
+
 optional_policy(`
        dev_getattr_printer_dev(initrc_t)
 
@@ -600,6 +783,9 @@ optional_policy(`
        dbus_connect_system_bus(initrc_t)
        dbus_system_bus_client(initrc_t)
        dbus_read_config(initrc_t)
+       dbus_manage_lib_files(initrc_t)
+
+       init_dbus_chat(initrc_t)
 
        optional_policy(`
                consolekit_dbus_chat(initrc_t)
@@ -700,8 +886,14 @@ optional_policy(`
        mailman_read_data_symlinks(initrc_t)
 ')
 
+optional_policy(`
+        milter_delete_dkim_pid_files(initrc_t)
+       milter_setattr_all_dirs(initrc_t)
+')
+
 optional_policy(`
        mta_read_config(initrc_t)
+       mta_write_config(initrc_t)
        mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
 
@@ -723,6 +915,10 @@ optional_policy(`
        openvpn_read_config(initrc_t)
 ')
 
+optional_policy(`
+       plymouthd_stream_connect(initrc_t)
+')
+
 optional_policy(`
        postgresql_manage_db(initrc_t)
        postgresql_read_config(initrc_t)
@@ -744,6 +940,10 @@ optional_policy(`
        raid_manage_mdadm_pid(initrc_t)
 ')
 
+optional_policy(`
+       ricci_manage_lib_files(initrc_t)
+')
+
 optional_policy(`
        fs_write_ramfs_sockets(initrc_t)
        fs_search_ramfs(initrc_t)
@@ -766,8 +966,6 @@ optional_policy(`
        # bash tries ioctl for some reason
        files_dontaudit_ioctl_all_pids(initrc_t)
 
-       # why is this needed:
-       rpm_manage_db(initrc_t)
 ')
 
 optional_policy(`
@@ -775,15 +973,22 @@ optional_policy(`
        samba_read_winbind_pid(initrc_t)
 ')
 
+optional_policy(`
+    # shorewall-init script run /var/lib/shorewall/firewall
+    shorewall_domtrans_lib(initrc_t)
+')
+
 optional_policy(`
        squid_read_config(initrc_t)
        squid_manage_logs(initrc_t)
 ')
 
+ifdef(`enabled_mls',`
 optional_policy(`
        # allow init scripts to su
        su_restricted_domain_template(initrc, initrc_t, system_r)
 ')
+')
 
 optional_policy(`
        ssh_dontaudit_read_server_keys(initrc_t)
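Review bot: The new guard `ifdef(`enabled_mls',` does not match the symbol this file uses elsewhere, `ifdef(`enable_mls',` (see the capability hunk near the top of init.te), so the `su_restricted_domain_template(initrc, initrc_t, system_r)` block will never be compiled on any build. If the intent is to keep su for init scripts on MLS builds only, the guard should read `ifdef(`enable_mls',`; if the intent is to drop it entirely, remove the dead block rather than hiding it behind a misspelled symbol. The shorewall block above also uses four-space indentation where the file uses tabs.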
@@ -805,11 +1010,19 @@ optional_policy(`
 ')
 
 optional_policy(`
-       virt_manage_svirt_cache(initrc_t)
+       virt_manage_cache(initrc_t)
+       virt_manage_lib_files(initrc_t)
+')
+
+# Cron jobs used to start and stop services
+optional_policy(`
+       cron_rw_pipes(daemon)
+       cron_rw_inherited_user_spool_files(daemon)
 ')
 
 optional_policy(`
        unconfined_domain(initrc_t)
+       domain_role_change_exemption(initrc_t)
 
        ifdef(`distro_redhat',`
                # system-config-services causes avc messages that should be dontaudited
@@ -819,6 +1032,25 @@ optional_policy(`
        optional_policy(`
                mono_domtrans(initrc_t)
        ')
+
+       # Allow SELinux aware applications to request rpm_script_t execution
+       rpm_transition_script(initrc_t)
+
+       
+       optional_policy(`
+               gen_require(`
+                       type unconfined_execmem_t, execmem_exec_t;              
+               ')
+               init_system_domain(unconfined_execmem_t, execmem_exec_t)
+       ')
+
+       optional_policy(`
+               rtkit_scheduled(initrc_t)
+       ')
+')
+
+optional_policy(`
+       rpm_delete_db(initrc_t)
 ')
 
 optional_policy(`
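Review bot: `rpm_transition_script(initrc_t)` is placed directly in the unconfined `optional_policy` block rather than in a nested `optional_policy` of its own, so if the rpm module is absent the failed `gen_require` drops the whole block, including `unconfined_domain(initrc_t)` and `domain_role_change_exemption(initrc_t)`. The `rpm_delete_db(initrc_t)` added just below shows the intended pattern; wrap the line the same way: `optional_policy(` / `rpm_transition_script(initrc_t)` / `')`. The blank line after `rpm_transition_script` and the `type unconfined_execmem_t, execmem_exec_t;` line also carry trailing whitespace.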
@@ -844,3 +1076,55 @@ optional_policy(`
 optional_policy(`
        zebra_read_config(initrc_t)
 ')
+
+userdom_inherit_append_user_home_content_files(daemon)
+userdom_inherit_append_user_tmp_files(daemon)
+userdom_dontaudit_rw_stream(daemon)
+
+logging_append_all_logs(daemon)
+
+optional_policy(`
+       # sudo service restart causes this 
+       unconfined_signull(daemon)
+')
+
+
+optional_policy(`
+       xserver_dontaudit_append_xdm_home_files(daemon)
+       tunable_policy(`use_nfs_home_dirs',`
+               fs_dontaudit_rw_nfs_files(daemon)
+       ')
+       tunable_policy(`use_samba_home_dirs',`
+               fs_dontaudit_rw_cifs_files(daemon)
+       ')
+')
+
+init_rw_script_stream_sockets(daemon)
+
+optional_policy(`
+       fail2ban_read_lib_files(daemon)
+')
+
+init_rw_stream_sockets(daemon)
+
+ifdef(`hide_broken_symptoms',`
+optional_policy(`
+gen_require(`
+       type system_dbusd_var_run_t;
+       type fsadm_t;
+       type avahi_var_run_t;
+')
+
+fs_list_auto_mountpoints(fsadm_t)
+
+fs_list_auto_mountpoints(lvm_t)
+fs_list_hugetlbfs(lvm_t)
+
+allow init_t avahi_var_run_t:dir { write add_name };
+allow init_t avahi_var_run_t:sock_file create;
+
+allow init_t system_dbusd_var_run_t:dir { write add_name };
+allow init_t system_dbusd_var_run_t:sock_file create;
+
+')
+')
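Review bot: In the `hide_broken_symptoms` block the `gen_require` names `fsadm_t` but not `lvm_t`, yet `fs_list_auto_mountpoints(lvm_t)` and `fs_list_hugetlbfs(lvm_t)` use it; add `type lvm_t;` to the require so the block is self-describing and still builds if lvm is not part of base. The same hunk also adds `init_rw_stream_sockets(daemon)`, `init_rw_script_stream_sockets(daemon)` and `logging_append_all_logs(daemon)` with no comment: every daemon can now read and write init's unix stream sockets and append to every log type, which lets one compromised service write entries into another service's log. If these exist for socket activation and inherited stdio under systemd, say so in a comment and consider limiting the log rule to the inherited-descriptor case.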
index 07eba2b450f8db60c99217814e732d46def408df..942bea15e5c6a03c2021b49aed42c0e5653a869e 100644 (file)
@@ -25,6 +25,7 @@
 /usr/libexec/ipsec/klipsdebug  --      gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/pluto       --      gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/spi         --      gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/nm-openswan-service       --      gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 
 /usr/local/lib(64)?/ipsec/eroute --    gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
@@ -35,6 +36,8 @@
 /usr/sbin/racoon               --      gen_context(system_u:object_r:racoon_exec_t,s0)
 /usr/sbin/setkey               --      gen_context(system_u:object_r:setkey_exec_t,s0)
 
+/var/lock/subsys/ipsec         --      gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
+
 /var/log/pluto\.log            --      gen_context(system_u:object_r:ipsec_log_t,s0)
 
 /var/racoon(/.*)?                      gen_context(system_u:object_r:ipsec_var_run_t,s0)
index 8232f911be7138e6fd93ed5b063777b20e69802e..cba1b300a53bb32ab874f8290f0cc957e496242a 100644 (file)
@@ -18,6 +18,24 @@ interface(`ipsec_domtrans',`
        domtrans_pattern($1, ipsec_exec_t, ipsec_t)
 ')
 
+########################################
+## <summary>
+##     Execute ipsec in the ipsec mgmt domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`ipsec_domtrans_mgmt',`
+       gen_require(`
+               type ipsec_mgmt_t, ipsec_mgmt_exec_t;
+       ')
+
+       domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t)
+')
+
 ########################################
 ## <summary>
 ##     Connect to IPSEC using a unix domain stream socket.
@@ -273,3 +291,81 @@ interface(`ipsec_run_setkey',`
        ipsec_domtrans_setkey($1)
        role $2 types setkey_t;
 ')
+
+########################################
+## <summary>
+##     Send ipsec mgmt a signal
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+#
+interface(`ipsec_signal_mgmt',`
+       gen_require(`
+               type ipsec_mgmt_t;
+       ')
+
+       allow $1 ipsec_mgmt_t:process signal;
+')
+
+########################################
+## <summary>
+##     Send ipsec mgmt a signull
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+#
+interface(`ipsec_signull_mgmt',`
+       gen_require(`
+               type ipsec_mgmt_t;
+       ')
+
+       allow $1 ipsec_mgmt_t:process signull;
+')
+
+########################################
+## <summary>
+##     Send ipsec mgmt a kill signal.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+#
+interface(`ipsec_kill_mgmt',`
+       gen_require(`
+               type ipsec_mgmt_t;
+       ')
+
+       allow $1 ipsec_mgmt_t:process sigkill;
+')
+
+######################################
+## <summary>
+##      Send and receive messages from
+##      ipsec-mgmt over dbus.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`ipsec_mgmt_dbus_chat',`
+        gen_require(`
+                type ipsec_mgmt_t;
+                class dbus send_msg;
+        ')
+
+        allow $1 ipsec_mgmt_t:dbus send_msg;
+        allow ipsec_mgmt_t $1:dbus send_msg;
+')
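Review bot: `ipsec_mgmt_dbus_chat` is indented with spaces while the three interfaces above it and the rest of the file use tabs, and each of `ipsec_signal_mgmt`, `ipsec_signull_mgmt` and `ipsec_kill_mgmt` has a doubled `#` line before its `interface(` declaration. Reindent the dbus interface with tabs and drop the extra `#` lines so the new block matches the existing interfaces in this file.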
index d82ff45f1bdec42d12e882caf18b970f436fd5e4..6de1ab4e628154c500524fffc90cf80bd91ccf43 100644 (file)
@@ -72,7 +72,7 @@ role system_r types setkey_t;
 #
 
 allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
-dontaudit ipsec_t self:capability sys_tty_config;
+dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
 allow ipsec_t self:process { getcap setcap getsched signal setsched };
 allow ipsec_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_t self:udp_socket create_socket_perms;
@@ -94,9 +94,10 @@ manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
 manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
 files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file }) 
 
+manage_dirs_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
 manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
 manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
-files_pid_filetrans(ipsec_t, ipsec_var_run_t, { file sock_file })
+files_pid_filetrans(ipsec_t, ipsec_var_run_t, { dir file sock_file })
 
 can_exec(ipsec_t, ipsec_mgmt_exec_t)
 
@@ -107,7 +108,7 @@ can_exec(ipsec_t, ipsec_mgmt_exec_t)
 corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
 allow ipsec_mgmt_t ipsec_t:fd use;
 allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
-dontaudit ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
+allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
 allow ipsec_mgmt_t ipsec_t:process sigchld;
 
 kernel_read_kernel_sysctls(ipsec_t)
@@ -149,6 +150,7 @@ domain_use_interactive_fds(ipsec_t)
 files_list_tmp(ipsec_t)
 files_read_etc_files(ipsec_t)
 files_read_usr_files(ipsec_t)
+files_dontaudit_search_home(ipsec_t)
 
 fs_getattr_all_fs(ipsec_t)
 fs_search_auto_mountpoints(ipsec_t)
@@ -166,6 +168,8 @@ logging_send_syslog_msg(ipsec_t)
 miscfiles_read_localization(ipsec_t)
 
 sysnet_domtrans_ifconfig(ipsec_t)
+sysnet_manage_config(ipsec_t)
+sysnet_etc_filetrans_config(ipsec_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
 userdom_dontaudit_search_user_home_dirs(ipsec_t)
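Review bot: `sysnet_manage_config(ipsec_t)` and `sysnet_etc_filetrans_config(ipsec_t)` give the IKE daemon itself create/write/unlink on the network configuration type, which in refpolicy's sysnetwork module covers files such as /etc/resolv.conf, and the hunk does not say what pluto writes there. A daemon that parses packets from the network is a poor candidate for rewriting resolver configuration; if the writes actually come from the updown scripts, those run as ipsec_mgmt_t, which receives the same two rules later in this diff, and the ipsec_t grant can be dropped. If pluto genuinely needs it, a comment naming the file would help the next reviewer.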
@@ -184,8 +188,8 @@ optional_policy(`
 #
 
 allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
-dontaudit ipsec_mgmt_t self:capability sys_tty_config;
-allow ipsec_mgmt_t self:process { getsched ptrace setrlimit signal };
+dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config };
+allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal };
 allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:udp_socket create_socket_perms;
@@ -224,7 +228,6 @@ allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
 
 manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
 manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
-files_etc_filetrans(ipsec_mgmt_t, ipsec_key_file_t, file)
 
 # whack needs to connect to pluto
 stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
@@ -243,6 +246,17 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
 kernel_getattr_core_if(ipsec_mgmt_t)
 kernel_getattr_message_if(ipsec_mgmt_t)
 
+# don't audit using of lsof
+dontaudit ipsec_mgmt_t self:capability sys_ptrace;
+
+domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
+domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t)
+
+dev_dontaudit_getattr_all_blk_files(ipsec_mgmt_t)
+dev_dontaudit_getattr_all_chr_files(ipsec_mgmt_t)
+
+files_dontaudit_getattr_all_files(ipsec_mgmt_t)
+files_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
 files_read_kernel_symbol_table(ipsec_mgmt_t)
 files_getattr_kernel_modules(ipsec_mgmt_t)
 
@@ -257,7 +271,7 @@ dev_read_urand(ipsec_mgmt_t)
 
 domain_use_interactive_fds(ipsec_mgmt_t)
 # denials when ps tries to search /proc. Do not audit these denials.
-domain_dontaudit_list_all_domains_state(ipsec_mgmt_t)
+domain_dontaudit_read_all_domains_state(ipsec_mgmt_t)
 # suppress audit messages about unnecessary socket access
 # cjp: this seems excessive
 domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
@@ -275,8 +289,11 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
 fs_list_tmpfs(ipsec_mgmt_t)
 
 term_use_console(ipsec_mgmt_t)
-term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
+term_use_all_terms(ipsec_mgmt_t)
+
+auth_dontaudit_read_login_records(ipsec_mgmt_t)
 
+init_read_utmp(ipsec_mgmt_t)
 init_use_script_ptys(ipsec_mgmt_t)
 init_exec_script_files(ipsec_mgmt_t)
 init_use_fds(ipsec_mgmt_t)
@@ -290,7 +307,9 @@ modutils_domtrans_insmod(ipsec_mgmt_t)
 
 seutil_dontaudit_search_config(ipsec_mgmt_t)
 
+sysnet_manage_config(ipsec_mgmt_t)
 sysnet_domtrans_ifconfig(ipsec_mgmt_t)
+sysnet_etc_filetrans_config(ipsec_mgmt_t)
 
 userdom_use_user_terminals(ipsec_mgmt_t)
 
@@ -298,6 +317,23 @@ optional_policy(`
        consoletype_exec(ipsec_mgmt_t)
 ')
 
+optional_policy(`
+        hostname_exec(ipsec_mgmt_t)
+')
+
+optional_policy(`
+        dbus_system_bus_client(ipsec_mgmt_t)
+        dbus_connect_system_bus(ipsec_mgmt_t)
+
+       optional_policy(`
+               networkmanager_dbus_chat(ipsec_mgmt_t)
+       ')
+')
+
+optional_policy(`
+        iptables_domtrans(ipsec_mgmt_t)
+')
+
 optional_policy(`
        nscd_socket_use(ipsec_mgmt_t)
 ')
@@ -385,6 +421,8 @@ miscfiles_read_localization(racoon_t)
 
 sysnet_exec_ifconfig(racoon_t)
 
+auth_use_pam(racoon_t)
+
 auth_can_read_shadow_passwords(racoon_t)
 tunable_policy(`racoon_read_shadow',`
        auth_tunable_read_shadow(racoon_t)
@@ -411,6 +449,7 @@ domain_ipsec_setcontext_all_domains(setkey_t)
 files_read_etc_files(setkey_t)
 
 init_dontaudit_use_fds(setkey_t)
+init_read_script_tmp_files(setkey_t)
 
 # allow setkey to set the context for ipsec SAs and policy.
 ipsec_setcontext_default_spd(setkey_t)
@@ -422,3 +461,4 @@ miscfiles_read_localization(setkey_t)
 seutil_read_config(setkey_t)
 
 userdom_use_user_terminals(setkey_t)
+userdom_read_user_tmp_files(setkey_t)
index 13f62a6eec34254d4dee05a18b49c7cab07259ba..fd99a6eb830c53a4f258d8996818ee026f9683a9 100644 (file)
@@ -1,12 +1,19 @@
 /etc/rc\.d/init\.d/ip6?tables  --      gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/sysconfig/ip6?tables.*    --      gen_context(system_u:object_r:iptables_conf_t,s0)
-/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
+/etc/rc\.d/init\.d/ebtables            --  gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
 
 /sbin/ipchains.*               --      gen_context(system_u:object_r:iptables_exec_t,s0)
 /sbin/ip6?tables               --      gen_context(system_u:object_r:iptables_exec_t,s0)
 /sbin/ip6?tables-restore       --      gen_context(system_u:object_r:iptables_exec_t,s0)
 /sbin/ip6?tables-multi         --      gen_context(system_u:object_r:iptables_exec_t,s0)
 
+/sbin/ebtables                 --  gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ebtables-restore --  gen_context(system_u:object_r:iptables_exec_t,s0)
+
+/sbin/ipvsadm           --  gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ipvsadm-restore   --  gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ipvsadm-save      --  gen_context(system_u:object_r:iptables_exec_t,s0)
+
+
 /usr/sbin/ipchains.*           --      gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/iptables             --      gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/iptables-multi       --      gen_context(system_u:object_r:iptables_exec_t,s0)
index 5c94dfeefd8e769a8a40dc0f04f647b0ac50d606..59bfb1767f733adb8f4e8f5a41ecbb0998fad29d 100644 (file)
@@ -17,6 +17,10 @@ interface(`iptables_domtrans',`
 
        corecmd_search_bin($1)
        domtrans_pattern($1, iptables_exec_t, iptables_t)
+
+       ifdef(`hide_broken_symptoms', `
+               dontaudit iptables_t $1:socket_class_set { read write };
+       ')
 ')
 
 ########################################
index a3fdcb389b8a47fa92dc7071f72321ef028a7b78..bce3aeaf979149827faddf5b84a1b07f0250e810 100644 (file)
@@ -13,9 +13,6 @@ role system_r types iptables_t;
 type iptables_initrc_exec_t;
 init_script_file(iptables_initrc_exec_t)
 
-type iptables_conf_t;
-files_config_file(iptables_conf_t)
-
 type iptables_tmp_t;
 files_tmp_file(iptables_tmp_t)
 
@@ -31,10 +28,12 @@ allow iptables_t self:capability { dac_read_search dac_override net_admin net_ra
 dontaudit iptables_t self:capability sys_tty_config;
 allow iptables_t self:fifo_file rw_fifo_file_perms;
 allow iptables_t self:process { sigchld sigkill sigstop signull signal };
+# needed by ipvsadm
+allow iptables_t self:netlink_socket create_socket_perms;
 allow iptables_t self:rawip_socket create_socket_perms;
 
-manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
-files_etc_filetrans(iptables_t, iptables_conf_t, file)
+files_manage_system_conf_files(iptables_t)
+files_etc_filetrans_system_conf(iptables_t)
 
 manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
 files_pid_filetrans(iptables_t, iptables_var_run_t, file)
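Review bot: Replacing the dedicated `iptables_conf_t` with `files_manage_system_conf_files(iptables_t)` and `files_etc_filetrans_system_conf(iptables_t)` means the saved rule set (`/etc/sysconfig/iptables`, whose file-context entry is deleted in iptables.fc in this diff) is now labelled with the generic system-configuration type. Presumably every domain already granted manage on that type can then rewrite the firewall rules restored at boot, whereas before only domains explicitly given `iptables_conf_t` could. If the consolidation is intentional, a comment on the `files_manage_system_conf_files` line naming the files covered and why the dedicated type was dropped would help; otherwise keep the type.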
@@ -52,10 +51,17 @@ kernel_read_kernel_sysctls(iptables_t)
 kernel_read_modprobe_sysctls(iptables_t)
 kernel_use_fds(iptables_t)
 
+# needed by ipvsadm
+corecmd_exec_bin(iptables_t)
+corecmd_exec_shell(iptables_t)
+
 corenet_relabelto_all_packets(iptables_t)
 corenet_dontaudit_rw_tun_tap_dev(iptables_t)
 
 dev_read_sysfs(iptables_t)
+ifdef(`hide_broken_symptoms',`
+       dev_dontaudit_write_mtrr(iptables_t)
+')
 
 fs_getattr_xattr_fs(iptables_t)
 fs_search_auto_mountpoints(iptables_t)
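Review bot: `corecmd_exec_bin(iptables_t)` and `corecmd_exec_shell(iptables_t)` are justified only by `# needed by ipvsadm`, but they let the firewall-tool domain, which holds `net_admin` and `net_raw`, run any bin_t program and a shell without a transition. If the need is that `ipvsadm-save` and `ipvsadm-restore` are shell scripts now labelled iptables_exec_t (they are added to iptables.fc in this diff), say so in the comment and consider leaving the wrapper scripts in the caller's domain with only the `ipvsadm` binary carrying the label.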
@@ -64,11 +70,13 @@ fs_list_inotifyfs(iptables_t)
 mls_file_read_all_levels(iptables_t)
 
 term_dontaudit_use_console(iptables_t)
+term_use_all_terms(iptables_t)
 
 domain_use_interactive_fds(iptables_t)
 
 files_read_etc_files(iptables_t)
 files_read_etc_runtime_files(iptables_t)
+files_read_usr_files(iptables_t)
 
 auth_use_nsswitch(iptables_t)
 
@@ -77,6 +85,7 @@ init_use_script_ptys(iptables_t)
 # to allow rules to be saved on reboot:
 init_rw_script_tmp_files(iptables_t)
 init_rw_script_stream_sockets(iptables_t)
+init_dontaudit_script_leaks(iptables_t)
 
 logging_send_syslog_msg(iptables_t)
 
@@ -90,6 +99,7 @@ userdom_use_all_users_fds(iptables_t)
 
 optional_policy(`
        fail2ban_append_log(iptables_t)
+       fail2ban_dontaudit_leaks(iptables_t)
 ')
 
 optional_policy(`
@@ -112,6 +122,7 @@ optional_policy(`
 
 optional_policy(`
        psad_rw_tmp_files(iptables_t)
+       psad_write_log(iptables_t)
 ')
 
 optional_policy(`
@@ -124,6 +135,7 @@ optional_policy(`
 
 optional_policy(`
        shorewall_rw_lib_files(iptables_t)
+       shorewall_read_tmp_files(iptables_t)
 ')
 
 optional_policy(`
index 663a47b08d93687688802dcb68afafebfb5d583b..ad0b8641345b72c052514ac7941534e236f3bb77 100644 (file)
@@ -56,3 +56,21 @@ interface(`iscsi_read_lib_files',`
        allow $1 iscsi_var_lib_t:dir list_dir_perms;
        files_search_var_lib($1)
 ')
+
+########################################
+## <summary>
+##     Manage iscsid sempaphores.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`iscsi_manage_semaphores',`
+       gen_require(`
+               type iscsid_t;
+       ')
+
+       allow $1 iscsid_t:sem create_sem_perms;
+')
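Review bot: The summary of the new `iscsi_manage_semaphores` interface reads `Manage iscsid sempaphores.`; fix the typo to `Manage iscsid semaphores.`. The interface otherwise follows the same shape as the `tgtd_manage_semaphores` call that iscsi.te switches to in this diff.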
index 1d1c39962fb089a449a8f1ded346aee21e7ec00f..3ab3a47ee3d0fba55d66aae5ed0222f382f03516 100644 (file)
@@ -76,6 +76,8 @@ corenet_tcp_connect_isns_port(iscsid_t)
 
 dev_rw_sysfs(iscsid_t)
 dev_rw_userio_dev(iscsid_t)
+dev_read_raw_memory(iscsid_t)
+dev_write_raw_memory(iscsid_t)
 
 domain_use_interactive_fds(iscsid_t)
 domain_dontaudit_read_all_domains_state(iscsid_t)
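Review bot: `dev_write_raw_memory(iscsid_t)` gives the iSCSI initiator daemon write access to /dev/mem and /dev/kmem, which is effectively unrestricted kernel access and undoes the confinement of the domain. If the underlying denial came from reading firmware tables such as iBFT out of physical memory — my guess, not something the hunk shows — `dev_read_raw_memory(iscsid_t)` alone covers it and the write line should go; if a write really was observed it deserves a comment naming the operation. As far as I recall the kernel also gates opening /dev/mem on CAP_SYS_RAWIO, and no `sys_rawio` capability rule is visible here, so the write allow may not even be effective.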
@@ -91,5 +93,5 @@ logging_send_syslog_msg(iscsid_t)
 miscfiles_read_localization(iscsid_t)
 
 optional_policy(`
-       tgtd_rw_semaphores(iscsid_t)
+       tgtd_manage_semaphores(iscsid_t)
 ')
index 57c645b824cc0508d2bcdf43a565d88da00da128..76826973fd4d986c0dd222212f581fdae482cace 100644 (file)
@@ -29,6 +29,8 @@ files_read_kernel_img(kdump_t)
 
 kernel_read_system_state(kdump_t)
 kernel_read_core_if(kdump_t)
+kernel_read_debugfs(kdump_t)
+kernel_request_load_module(kdump_t)
 
 dev_read_framebuffer(kdump_t)
 dev_read_sysfs(kdump_t)
index 9df8c4da5d27fde45a97878df1f52f04f0188bcc..1d2236baf4ef0d070dce2397b7158f8825e5ea86 100644 (file)
@@ -129,15 +129,13 @@ ifdef(`distro_redhat',`
 /usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so --        gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/vlc/codec/librealvideo_plugin\.so --  gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/vlc/codec/libdmo_plugin\.so   --      gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/vlc/codec/librealaudio_plugin\.so --  gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib64/vlc/codec/librealvideo_plugin\.so --        gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib64/vlc/codec/libdmo_plugin\.so --      gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib64/vlc/codec/librealaudio_plugin\.so --        gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/vlc/codec/librealvideo_plugin\.so --     gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/vlc/.*\.so       --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libtfmessbsp\.so(\.[^/]*)* --    gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/X11R6/lib/libGL\.so.*             --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libGL\.so(\.[^/]*)*      --      gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/catalyst/libGL\.so(\.[^/]*)* --  gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/catalyst/.*\.so(\.[^/]*)* --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libADM5.*\.so(\.[^/]*)*  --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libatiadlxx\.so(\.[^/]*)*        --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/win32/.*\.so(\.[^/]*)*   --      gen_context(system_u:object_r:textrel_shlib_t,s0)
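Review bot: Replacing the three named vlc codecs with `/usr/lib(64)?/vlc/.*\.so` labels every vlc shared object `textrel_shlib_t`, lifting the execmod restriction for all of them instead of the few plugins known to carry text relocations; `/usr/lib(64)?/catalyst/.*\.so(\.[^/]*)*` widens the catalyst entry the same way. The surviving `/usr/lib(64)?/vlc/codec/librealvideo_plugin\.so` line is now fully covered by the wildcard and can be dropped. Note too that the vlc wildcard lacks the `(\.[^/]*)*` suffix its neighbours carry; file-context regexes are anchored at both ends, so versioned names such as `libfoo.so.1` under that tree would not match, which may or may not matter there.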
@@ -151,6 +149,7 @@ ifdef(`distro_redhat',`
 /usr/lib(64)?/fglrx/.*\.so(\.[^/]*)*   --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libjs\.so.*              --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/sse2/libx264\.so(\.[^/]*)*       -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libzita-convolver\.so(\.[^/]*)* --       gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -208,6 +207,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* --  gen_context(system_u:object_r:textrel_shlib_t
 
 /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 --   gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libgpac\.so.*            --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libglide3\.so.*          --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libglide3-v[0-9]*\.so.*  --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/helix/plugins/[^/]*\.so --       gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -247,6 +247,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* --  gen_context(system_u:object_r:textrel_shlib_t
 /usr/lib(64)?/ladspa/sc3_1427\.so      --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/ladspa/sc4_1882\.so      --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/ladspa/se4_1883\.so      --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/sane/libsane-epkowa\.so.* --  gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/ocaml/stublibs/dllnums\.so --    gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
@@ -302,13 +303,8 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --    gen_context(system_u:object_r:te
 /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/acroread/.+\.api              --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/acroread/(.*/)?ADMPlugin\.apl --      gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/.*/program(/.*)?\.so                  gen_context(system_u:object_r:lib_t,s0)
-/usr/lib64/.*/program(/.*)?\.so                        gen_context(system_u:object_r:lib_t,s0)
-/usr/lib(64)?/pgsql/.*\.so.*           --      gen_context(system_u:object_r:lib_t,s0)
-/usr/lib(64)?/pgsql/test/regress/.*\.so.* --   gen_context(system_u:object_r:lib_t,s0)
-
-/usr/share/hplip/prnt/plugins(/.*)?            gen_context(system_u:object_r:lib_t,s0)
-/usr/share/squeezeboxserver/CPAN/arch/.+\.so --        gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/.*/program(/.*)?\.so          gen_context(system_u:object_r:lib_t,s0)
+/usr/lib64/.*/program(/.*)?\.so                gen_context(system_u:object_r:lib_t,s0)
 ') dnl end distro_redhat
 
 #
@@ -319,14 +315,149 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --  gen_context(system_u:object_r:te
 /var/ftp/lib(64)?(/.*)?                                gen_context(system_u:object_r:lib_t,s0)
 /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)*        --      gen_context(system_u:object_r:ld_so_t,s0)
 
-/var/lib/spamassassin/compiled/.*\.so.*        --      gen_context(system_u:object_r:lib_t,s0)
-
 /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? --  gen_context(system_u:object_r:lib_t,s0)
 
+/usr/lib(64)?/pgsql/.*\.so.*           --      gen_context(system_u:object_r:lib_t,s0)
+/usr/lib(64)?/pgsql/test/regress/.*\.so.*              --      gen_context(system_u:object_r:lib_t,s0)
+/var/lib/spamassassin/compiled/.*\.so.*    --     gen_context(system_u:object_r:lib_t,s0)
+
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+\.so(\.[^/]*)*    -l      gen_context(system_u:object_r:lib_t,s0)
 ')
 
+/usr/share/hplip/prnt/plugins(/.*)?            gen_context(system_u:object_r:lib_t,s0)
+/usr/share/squeezeboxserver/CPAN/arch/.+\.so           --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+
 /var/spool/postfix/lib(64)?(/.*)?              gen_context(system_u:object_r:lib_t,s0)
 /var/spool/postfix/usr(/.*)?                   gen_context(system_u:object_r:lib_t,s0)
 /var/spool/postfix/lib(64)?/ld.*\.so.* --      gen_context(system_u:object_r:ld_so_t,s0)
+
+/usr/lib(64)?/libmyth[^/]+\.so.*       --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/mythtv/filters/.*\.so.*  --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/jvm/java(.*/)bin(/.*)?/.*\.so         --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib64/jvm/java(.*/)bin(/.*)?/.*\.so       --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/opt/altera9.1/quartus/linux/libccl_err\.so    --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/opt/novell/groupwise/client/lib/libgwapijni\.so\.1    --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/sse2/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/i686/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/google-earth/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/googleearth/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/google-earth/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google-earth/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/google-earth/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/nspluginwrapper/np.*\.so -- gen_context(system_u:object_r:lib_t,s0)
+
+/usr/lib/oracle/.*/lib/libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/oracle(64)?/.*/lib/libclntsh\.so(\.[^/]*)*    gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/opt/(.*/)?oracle/(.*/)?libnnz.*\.so --        gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libnnz11.so(\.[^/]*)*    gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libxvidcore\.so.*                --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+
+/opt/matlab.*\.so(\.[^/]*)*            gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/matlab.*\.so(\.[^/]*)*            gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/local/matlab.*\.so(\.[^/]*)*      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/matlab.*\.so(\.[^/]*)*      gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/local/Zend/lib/ZendExtensionManager\.so   gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/ICAClient/.*\.so(\.[^/]*)*       gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/midori/.*\.so(\.[^/]*)*  gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/libav.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/xine/plugins/.+\.so      --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/yafaray/libDarkSky.so       --   gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/libpostproc\.so.*                --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/libswscale\.so.*          --     gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/libADM.*\.so.*                         --     gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+HOME_DIR/\.gstreamer-.*/plugins/.*\.so.* --    gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/libx264\.so(\.[^/]*)*    -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/libmp3lame\.so.*         --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libmpeg2\.so.*           --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ifdef(`fixed',`
+/usr/lib(64)?/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libavdevice\.so.*         --     gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libavformat.*\.so(\.[^/]*)* --   gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libavcodec.*\.so(\.[^/]*)* --    gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libavutil.*\.so(\.[^/]*)* --     gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libdv\.so.*              --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libGLU\.so(\.[^/]*)*     --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libgsm\.so.*             --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libImlib2\.so.*          --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libjackserver\.so.*      --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/X11R6/lib/libOSMesa.*\.so.*               --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libOSMesa.*\.so.*                --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libSDL-.*\.so.*          --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xulrunner-[^/]*/libxul\.so --    gen_context(system_u:object_r:textrel_shlib_t,s0)
+# Flash plugin, Macromedia
+HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/.*/libflashplayer\.so.*  --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/(.*/)?libflashplayer\.so.*  --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/php/modules/.+\.so       --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/xorg/modules/dri/.+\.so  --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/X11R6/lib/modules/dri/.+\.so      --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/dri/.+\.so               --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/httpd/modules/libphp5\.so        --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+')
+/opt/VBoxGuestAdditions.*/lib/VBox.*\.so       --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/nmm/liba52\.so.* --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/lampp/lib/libct\.so.*     --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/lampp/lib/.*\.so.*        --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/VirtualBox(/.*)?/VBox.*\.so       --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/chromium-browser/.*\.so  --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/zend/lib/apache2/libphp5\.so                --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/python.*/site-packages/pymedia/muxer\.so --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/games/darwinia/lib/libSDL.*\.so.* --        gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ocp-.*/mixclip\.so                    -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/octagaplayer/libapplication\.so               -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/AutoScan/usr/lib/libvte\.so.*                          -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/bin/bsnes              -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/firefox/plugins/libractrl\.so      -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/libGLcore\.so.*       -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/libkmplayercommon\.so.*       -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/opt/Unify/SQLBase/libgptsblmsui11\.so.*            -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/opt/real/RealPlayer/plugins(/.*)?     --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/opt/real/RealPlayer/codecs(/.*)?      --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/vdpau/libvdpau_nvidia\.so.*  --  gen_context(system_u:object_r:textrel_shlib_t,s0)       
+
+/usr/lib(64)?/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib/nsr/(.*/)?.*\.so              -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/lgtonmc/bin/.*\.so(\.[0-9])?      --  gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/picasa/.*\.dll     --  gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/picasa/.*\.yti     --  gen_context(system_u:object_r:textrel_shlib_t,s0)
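Review bot: Two patterns use an unescaped `.` before `so` — `/usr/lib(64)?/libnnz11.so(\.[^/]*)*` and `/usr/lib(64)?/yafaray/libDarkSky.so` — so they match any character in that position; write `libnnz11\.so` and `libDarkSky\.so` as the neighbouring entries do. `/usr/bin/bsnes` is a program yet receives the shared-library type textrel_shlib_t; confined callers reach programs through the bin/exec types, so it should get an executable type and, if its text really must be writable, the execmem treatment rather than a library label. Several entries (the libclntsh, libnnz11, matlab, Zend, libcncpmslld328, ICAClient and midori lines) omit the `--` class qualifier, so directories and symlinks on those paths are labeled textrel_shlib_t as well. The whole `ifdef(`fixed',...)` block is inert unless something defines `fixed`, which nothing visible here does; a comment such as `# disabled: these libraries no longer need text relocations` would tell the next reader it is intentional. The `libvdpau_nvidia` line also carries trailing whitespace.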
index d97d16da889b240faa949e9cd3f0a058630e7096..8b174c894953b9af74c0670d32e1a73b99191f0f 100644 (file)
@@ -44,6 +44,26 @@ interface(`libs_run_ldconfig',`
        role $2 types ldconfig_t;
 ')
 
+########################################
+## <summary>
+##     Execute ldconfig in the caller domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`libs_exec_ldconfig',`
+       gen_require(`
+               type ldconfig_exec_t;
+       ')
+
+       corecmd_search_bin($1)
+       can_exec($1, ldconfig_exec_t)
+')
+
 ########################################
 ## <summary>
 ##     Use the dynamic link/loader for automatic loading
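Review bot: `libs_exec_ldconfig` runs ldconfig inside the caller's own domain, so the caller gets none of ldconfig_t's write access to `ld_so_cache_t` or the cache directories; it is only suitable for read-only invocations such as `ldconfig -p`, and a caller that needs to rebuild the cache must use the `libs_run_ldconfig` interface just above. The summary should say so, e.g. `##	Execute ldconfig in the caller domain (no transition; only for read-only uses such as ldconfig -p — use libs_run_ldconfig to rebuild the cache).` Otherwise the next person reaching for this interface will wonder why the cache never updates.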
index bf416a4302e074af81d9382aab22d391fb5f55c6..99d7f60f66313f53888af205aaebb38a8e5cf359 100644 (file)
@@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot };
 
 manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
 
-allow ldconfig_t ld_so_cache_t:file manage_file_perms;
+manage_files_pattern(ldconfig_t, ld_so_cache_t, ld_so_cache_t)
 files_etc_filetrans(ldconfig_t, ld_so_cache_t, file)
 
 manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t)
@@ -79,6 +79,7 @@ corecmd_search_bin(ldconfig_t)
 
 domain_use_interactive_fds(ldconfig_t)
 
+files_search_home(ldconfig_t)
 files_search_var_lib(ldconfig_t)
 files_read_etc_files(ldconfig_t)
 files_read_usr_files(ldconfig_t)
@@ -94,6 +95,7 @@ miscfiles_read_localization(ldconfig_t)
 
 logging_send_syslog_msg(ldconfig_t)
 
+term_use_console(ldconfig_t)
 userdom_use_user_terminals(ldconfig_t)
 userdom_use_all_users_fds(ldconfig_t)
 
@@ -103,6 +105,10 @@ ifdef(`distro_ubuntu',`
        ')
 ')
 
+userdom_manage_user_home_content_files(ldconfig_t)
+userdom_manage_user_tmp_files(ldconfig_t)
+userdom_manage_user_tmp_symlinks(ldconfig_t)
+
 ifdef(`hide_broken_symptoms',`
        ifdef(`distro_gentoo',`
                # leaked fds from portage
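Review bot: The three `userdom_manage_user_*` lines grant ldconfig_t unconditional create/write/delete over every user's home-content files and user tmp files, and because ldconfig_t already holds `dac_override` (the capability line in this file's first hunk) DAC does not narrow that to the invoking user. A root-run ldconfig that merely rebuilds /etc/ld.so.cache should not need it; if the motivation is users running ldconfig against a private prefix under $HOME — my guess, not shown here — gate the three calls behind a `tunable_policy` with a matching `gen_tunable` and a comment naming the use case. At the very least these rules need a comment, since they are now the broadest grants in the domain.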
@@ -130,6 +136,10 @@ optional_policy(`
        apt_use_ptys(ldconfig_t)
 ')
 
+optional_policy(`
+       gnome_append_generic_cache_files(ldconfig_t)
+')
+
 optional_policy(`
        puppet_rw_tmp(ldconfig_t)
 ')
@@ -144,3 +154,4 @@ optional_policy(`
 optional_policy(`
        unconfined_domain(ldconfig_t)
 ')
+
index 757058361035d5ff17587317ff4cdddf9ced89f6..be6a81b80d0c77b03de7d1ad5edd1a74b65f82df 100644 (file)
@@ -1,2 +1,3 @@
 
 /sbin/sulogin          --      gen_context(system_u:object_r:sulogin_exec_t,s0)
+/sbin/sushell          --      gen_context(system_u:object_r:sulogin_exec_t,s0)
index 3fb19157027f15bfa280d700a8e3e69f4a7c1e79..26e9f794ba8f0459b602c7b94426009ebd735572 100644 (file)
@@ -32,9 +32,8 @@ role system_r types sulogin_t;
 # Local login local policy
 #
 
-allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
-allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow local_login_t self:process { setrlimit setexec };
+allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_ptrace sys_resource sys_tty_config };
+allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };
 allow local_login_t self:fd use;
 allow local_login_t self:fifo_file rw_fifo_file_perms;
 allow local_login_t self:sock_file read_sock_file_perms;
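Review bot: `sys_admin` and `sys_ptrace` join local_login_t's self capabilities without a comment saying which operation of login(1) needs them; CAP_SYS_ADMIN is close to full root and is normally exactly what a login program should not carry. Since a later hunk in this file moves the domain from `unconfined_domain` to a transition into unconfined, these are presumably denials that appeared once the domain became confined, and each should be tied to its cause (e.g. `# sys_admin: <operation>`); if the only need is reading /proc/<pid> of other sessions, `sys_ptrace` suffices and `sys_admin` can go. The process-permission change itself is fine: removing `setexec`/`setrlimit` from the `~{ }` set subsumes the deleted explicit allow line, and `ptrace` stays excluded.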
@@ -73,6 +72,8 @@ dev_getattr_power_mgmt_dev(local_login_t)
 dev_setattr_power_mgmt_dev(local_login_t)
 dev_getattr_sound_dev(local_login_t)
 dev_setattr_sound_dev(local_login_t)
+dev_rw_generic_usb_dev(local_login_t)
+dev_read_video_dev(local_login_t)
 dev_dontaudit_getattr_apm_bios_dev(local_login_t)
 dev_dontaudit_setattr_apm_bios_dev(local_login_t)
 dev_dontaudit_read_framebuffer(local_login_t)
@@ -125,6 +126,7 @@ auth_manage_pam_console_data(local_login_t)
 auth_domtrans_pam_console(local_login_t)
 
 init_dontaudit_use_fds(local_login_t)
+init_stream_connect(local_login_t)
 
 miscfiles_read_localization(local_login_t)
 
@@ -151,6 +153,12 @@ tunable_policy(`use_samba_home_dirs',`
        fs_read_cifs_symlinks(local_login_t)
 ')
 
+tunable_policy(`allow_console_login',`
+     term_use_console(local_login_t)
+     term_relabel_console(local_login_t)
+     term_setattr_console(local_login_t)
+')
+
 optional_policy(`
        alsa_domtrans(local_login_t)
 ')
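Review bot: The new `tunable_policy` block is indented with five spaces while the rest of the file uses a tab (compare the `fs_read_cifs_symlinks` line just above it); reindent the three `term_*` calls with a single tab. `allow_console_login` must also be declared with `gen_tunable` somewhere in the policy for this to build, which is not visible in this hunk and worth confirming. `term_relabel_console` lets the login program change the console device's label, not just its attributes; if chown/chmod of the console is all that is needed, `term_use_console` plus `term_setattr_console` is enough.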
@@ -180,7 +188,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-       unconfined_domain(local_login_t)
+       unconfined_shell_domtrans(local_login_t)
 ')
 
 optional_policy(`
@@ -197,9 +205,10 @@ optional_policy(`
 # Sulogin local policy
 #
 
+allow sulogin_t self:capability dac_override;
 allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow sulogin_t self:fd use;
-allow sulogin_t self:fifo_file rw_file_perms;
+allow sulogin_t self:fifo_file rw_fifo_file_perms;
 allow sulogin_t self:unix_dgram_socket create_socket_perms;
 allow sulogin_t self:unix_stream_socket create_stream_socket_perms;
 allow sulogin_t self:unix_dgram_socket sendto;
@@ -219,6 +228,7 @@ files_read_etc_files(sulogin_t)
 files_dontaudit_search_isid_type_dirs(sulogin_t)
 
 auth_read_shadow(sulogin_t)
+auth_use_nsswitch(sulogin_t)
 
 init_getpgid_script(sulogin_t)
 
@@ -232,14 +242,23 @@ userdom_use_unpriv_users_fds(sulogin_t)
 userdom_search_user_home_dirs(sulogin_t)
 userdom_use_user_ptys(sulogin_t)
 
-sysadm_shell_domtrans(sulogin_t)
+term_use_console(sulogin_t)
+term_use_unallocated_ttys(sulogin_t)
+
+ifdef(`enable_mls',`
+       sysadm_shell_domtrans(sulogin_t)
+',`
+       optional_policy(`
+               unconfined_shell_domtrans(sulogin_t)
+       ')
+')
 
 # suse and debian do not use pam with sulogin...
 ifdef(`distro_suse', `define(`sulogin_no_pam')')
 ifdef(`distro_debian', `define(`sulogin_no_pam')')
 
+allow sulogin_t self:capability sys_tty_config;
 ifdef(`sulogin_no_pam', `
-       allow sulogin_t self:capability sys_tty_config;
        init_getpgid(sulogin_t)
 ', `
        allow sulogin_t self:process setexec;
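Review bot: In the non-MLS branch the shell transition is wrapped in `optional_policy`, so on a build without the unconfined module sulogin_t ends up with no shell transition at all and the rescue shell runs inside sulogin_t, which has none of the rights needed to repair a system. refpolicy's `optional_policy` takes an else clause, so keep the previous behaviour as the fallback: `optional_policy(`unconfined_shell_domtrans(sulogin_t)', `sysadm_shell_domtrans(sulogin_t)')`. Hoisting `allow sulogin_t self:capability sys_tty_config;` out of the `sulogin_no_pam` branch also means the PAM build now gets it; a short comment on why both builds need it would help.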
@@ -250,11 +269,3 @@ ifdef(`sulogin_no_pam', `
        selinux_compute_relabel_context(sulogin_t)
        selinux_compute_user_contexts(sulogin_t)
 ')
-
-optional_policy(`
-       nis_use_ypbind(sulogin_t)
-')
-
-optional_policy(`
-       nscd_socket_use(sulogin_t)
-')
index 362614c7228347b7fba2fcc72c4806c100de7726..a76d2fcd7705b5a1f300e1ac3e88638a73815783 100644 (file)
 /sbin/syslogd          --      gen_context(system_u:object_r:syslogd_exec_t,s0)
 /sbin/syslog-ng                --      gen_context(system_u:object_r:syslogd_exec_t,s0)
 
+/opt/zimbra/log(/.*)?          gen_context(system_u:object_r:var_log_t,s0)
+
+/usr/local/centreon/log(/.*)?  gen_context(system_u:object_r:var_log_t,s0)
+
 /usr/sbin/klogd                --      gen_context(system_u:object_r:klogd_exec_t,s0)
 /usr/sbin/metalog      --      gen_context(system_u:object_r:syslogd_exec_t,s0)
 /usr/sbin/rklogd       --      gen_context(system_u:object_r:klogd_exec_t,s0)
@@ -54,14 +58,16 @@ ifdef(`distro_redhat',`
 /var/named/chroot/dev/log -s   gen_context(system_u:object_r:devlog_t,s0)
 ')
 
-/var/run/audit_events  -s      gen_context(system_u:object_r:auditd_var_run_t,s0)
-/var/run/audispd_events        -s      gen_context(system_u:object_r:audisp_var_run_t,s0)
-/var/run/auditd\.pid   --      gen_context(system_u:object_r:auditd_var_run_t,s0)
-/var/run/auditd_sock   -s      gen_context(system_u:object_r:auditd_var_run_t,s0)
+/var/run/audit_events  -s      gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
+/var/run/audispd_events        -s      gen_context(system_u:object_r:audisp_var_run_t,mls_systemhigh)
+/var/run/auditd\.pid   --      gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
+/var/run/auditd_sock   -s      gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
 /var/run/klogd\.pid    --      gen_context(system_u:object_r:klogd_var_run_t,s0)
 /var/run/log           -s      gen_context(system_u:object_r:devlog_t,s0)
 /var/run/metalog\.pid  --      gen_context(system_u:object_r:syslogd_var_run_t,s0)
 /var/run/syslogd\.pid  --      gen_context(system_u:object_r:syslogd_var_run_t,s0)
+/var/run/syslog-ng.ctl --      gen_context(system_u:object_r:syslogd_var_run_t,s0)
+/var/run/syslog-ng(/.*)?       gen_context(system_u:object_r:syslogd_var_run_t,s0)
 
 /var/spool/bacula/log(/.*)?    gen_context(system_u:object_r:var_log_t,s0)
 /var/spool/postfix/pid -d      gen_context(system_u:object_r:var_run_t,s0)
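Review bot: `/var/run/syslog-ng.ctl` uses an unescaped `.`, so it matches any single character there; write `/var/run/syslog-ng\.ctl` like the `\.pid` entries around it. Because the following `/var/run/syslog-ng(/.*)?` line already labels that whole directory tree, check whether the control socket actually lives inside the directory on the target release, in which case the `.ctl` line is redundant. Moving the auditd sockets and pid file to `mls_systemhigh` means every domain that connects to those sockets on an MLS system now needs the matching MLS override; the audisp MLS rules added elsewhere in this commit cover the dispatcher, but anything else that connects should be checked.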
@@ -69,3 +75,5 @@ ifdef(`distro_redhat',`
 /var/spool/rsyslog(/.*)?       gen_context(system_u:object_r:var_log_t,s0)
 
 /var/tinydns/log/main(/.*)?    gen_context(system_u:object_r:var_log_t,s0)
+
+/var/webmin(/.*)?              gen_context(system_u:object_r:var_log_t,s0)
index c7cfb6234fe8cfa513c4e8de170e21977316c7e9..453377e8d143d2c1a48cb626e133e095fe0e550b 100644 (file)
@@ -543,6 +543,25 @@ interface(`logging_send_syslog_msg',`
        term_dontaudit_read_console($1)
 ')
 
+########################################
+## <summary>
+##     Connect to the syslog control unix stream socket.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`logging_stream_connect_syslog',`
+       gen_require(`
+               type syslogd_t, syslogd_var_run_t;
+       ')
+
+       files_search_pids($1)
+       stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t)
+')
+
 ########################################
 ## <summary>
 ##     Read the auditd configuration files.
@@ -715,7 +734,25 @@ interface(`logging_append_all_logs',`
        ')
 
        files_search_var($1)
-       append_files_pattern($1, var_log_t, logfile)
+       append_files_pattern($1, logfile, logfile)
+')
+
+########################################
+## <summary>
+##     Append to all log files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`logging_inherit_append_all_logs',`
+       gen_require(`
+               attribute logfile;
+       ')
+
+       allow $1 logfile:file { getattr append };
 ')
 
 ########################################
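Review bot: The `<summary>` of the new `logging_inherit_append_all_logs` is a copy of `logging_append_all_logs`'s text, yet the two differ in exactly the way a caller needs to know: the new one grants only `{ getattr append }` and no `files_search_var`/directory search, so it works solely on a descriptor the domain inherited or already holds. Suggested summary: `##	Append to all log files through an inherited or already-open file descriptor; no directory search is granted.` The switch from `append_files_pattern($1, var_log_t, logfile)` to `($1, logfile, logfile)` also widens directory search from /var/log to every logfile-typed directory, which looks intended but changes what existing callers of logging_append_all_logs receive.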
@@ -798,7 +835,7 @@ interface(`logging_manage_all_logs',`
 
        files_search_var($1)
        manage_files_pattern($1, logfile, logfile)
-       read_lnk_files_pattern($1, logfile, logfile)
+       manage_lnk_files_pattern($1, logfile, logfile)
 ')
 
 ########################################
@@ -996,6 +1033,8 @@ interface(`logging_admin_syslog',`
        manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
 
        logging_manage_all_logs($1)
+       allow $1 logfile:dir relabel_dir_perms;
+       allow $1 logfile:file relabel_file_perms;
 
        init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
        domain_system_change_exemption($1)
index 828156a38af607a211f3757966bebbff9a26efbf..4762f02c60cd476ba433976e271745f07c8542b1 100644 (file)
@@ -60,6 +60,7 @@ files_type(syslog_conf_t)
 type syslogd_t;
 type syslogd_exec_t;
 init_daemon_domain(syslogd_t, syslogd_exec_t)
+mls_trusted_object(syslogd_t)
 
 type syslogd_initrc_exec_t;
 init_script_file(syslogd_initrc_exec_t)
@@ -179,6 +180,8 @@ logging_send_syslog_msg(auditd_t)
 logging_domtrans_dispatcher(auditd_t)
 logging_signal_dispatcher(auditd_t)
 
+auth_use_nsswitch(auditd_t)
+
 miscfiles_read_localization(auditd_t)
 
 mls_file_read_all_levels(auditd_t)
@@ -234,7 +237,12 @@ domain_use_interactive_fds(audisp_t)
 files_read_etc_files(audisp_t)
 files_read_etc_runtime_files(audisp_t)
 
+mls_file_read_all_levels(audisp_t)
 mls_file_write_all_levels(audisp_t)
+mls_socket_write_all_levels(audisp_t)
+mls_dbus_send_all_levels(audisp_t)
+
+auth_use_nsswitch(audisp_t)
 
 logging_send_syslog_msg(audisp_t)
 
@@ -244,14 +252,22 @@ sysnet_dns_name_resolve(audisp_t)
 
 optional_policy(`
        dbus_system_bus_client(audisp_t)
+
+       optional_policy(`
+               setroubleshoot_dbus_chat(audisp_t)
+       ')
 ')
 
 ########################################
 #
 # Audit remote logger local policy
 #
-
+allow audisp_remote_t self:capability { setuid  setpcap };
+allow audisp_remote_t self:process { getcap setcap };
 allow audisp_remote_t self:tcp_socket create_socket_perms;
+allow audisp_remote_t var_log_t:dir search_dir_perms;
+
+corecmd_exec_bin(audisp_remote_t)
 
 corenet_all_recvfrom_unlabeled(audisp_remote_t)
 corenet_all_recvfrom_netlabel(audisp_remote_t)
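Review bot: `setpcap` together with `{ getcap setcap }` and `corecmd_exec_bin` lets audisp_remote_t reshape its own capability set and run arbitrary bin_t programs, and nothing in the hunk says why; a comment such as `# audisp-remote drops capabilities and execs its configured failure/overflow action` (my reading of the feature, not something the hunk shows) would let the next reader judge whether the grant is still needed. The deleted blank line after the `# Audit remote logger local policy` header should stay, matching the other sections in this file.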
@@ -266,9 +282,16 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
 files_read_etc_files(audisp_remote_t)
 
 logging_send_syslog_msg(audisp_remote_t)
+logging_send_audit_msgs(audisp_remote_t)
+
+auth_use_nsswitch(audisp_remote_t)
 
 miscfiles_read_localization(audisp_remote_t)
 
+init_telinit(audisp_remote_t)
+init_read_utmp(audisp_remote_t)
+init_dontaudit_write_utmp(audisp_remote_t)
+
 sysnet_dns_name_resolve(audisp_remote_t)
 
 ########################################
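Review bot: `init_telinit(audisp_remote_t)` lets the remote-audit forwarder, a daemon that talks to the network, invoke telinit and so change runlevel or halt the machine; that is a lot of authority to grant without a word of explanation. If it backs audisp-remote's configurable halt/single-user failure action — my assumption, not shown by the hunk — say so in a comment, e.g. `# remote_ending_action = halt/single needs telinit`, and consider gating it behind a tunable so sites that only use the syslog/ignore actions do not carry it. `init_read_utmp` paired with `init_dontaudit_write_utmp` is the right shape for a program that only consults utmp.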
@@ -369,9 +392,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
 manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
 files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
 
+manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
 manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
 files_search_var_lib(syslogd_t)
 
+manage_dirs_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir })
+
 # manage pid file
 manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
 files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
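Review bot: The new `manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)` and `files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir })` duplicate the two pre-existing lines under `# manage pid file` that immediately follow them (`files_pid_filetrans(..., file)` is a strict subset of the new `{ file dir }` call). Drop the old pair, or fold the new dir and sock_file rules into that block so the pid-file handling is stated once. The added `manage_sock_files_pattern` lines line up with the `/var/run/syslog-ng(/.*)?` labeling this commit adds in logging.fc.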
@@ -412,6 +441,7 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t)
 
 dev_filetrans(syslogd_t, devlog_t, sock_file)
 dev_read_sysfs(syslogd_t)
+dev_read_rand(syslogd_t)
 
 domain_use_interactive_fds(syslogd_t)
 
@@ -487,6 +517,10 @@ optional_policy(`
        seutil_sigchld_newrole(syslogd_t)
 ')
 
+optional_policy(`
+    daemontools_search_svc_dir(syslogd_t)
+')
+
 optional_policy(`
        udev_read_db(syslogd_t)
 ')
index 879bb1e8ee7f9f6523b6f571961806959e2edf6b..31efcb23191d8571d74fe6f494900185ba865601 100644 (file)
@@ -28,10 +28,12 @@ ifdef(`distro_gentoo',`
 #
 /lib/lvm-10/.*         --      gen_context(system_u:object_r:lvm_exec_t,s0)
 /lib/lvm-200/.*                --      gen_context(system_u:object_r:lvm_exec_t,s0)
+/lib/udev/udisks-lvm-pv-export --      gen_context(system_u:object_r:lvm_exec_t,s0)
 
 #
 # /sbin
 #
+/sbin/mount\.crypt     --      gen_context(system_u:object_r:lvm_exec_t,s0)
 /sbin/cryptsetup       --      gen_context(system_u:object_r:lvm_exec_t,s0)
 /sbin/dmraid           --      gen_context(system_u:object_r:lvm_exec_t,s0)
 /sbin/dmsetup          --      gen_context(system_u:object_r:lvm_exec_t,s0)
index 58bc27f2275239b3bfb3f3272f0b2b226ed73278..b4f0663401dcaee3ae26527f92ef53dd835a0fc1 100644 (file)
@@ -123,3 +123,21 @@ interface(`lvm_domtrans_clvmd',`
        corecmd_search_bin($1)
        domtrans_pattern($1, clvmd_exec_t, clvmd_t)
 ')
+
+########################################
+## <summary>
+##     Read and write to lvm temporary file system.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`lvm_rw_clvmd_tmpfs_files',`
+       gen_require(`
+               type clvmd_tmpfs_t;
+       ')
+
+       allow $1 clvmd_tmpfs_t:file rw_file_perms;
+')
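Review bot: `gen_require` asks for `clvmd_tmpfs_t`, but the type this same commit declares in lvm.te is spelled `clmvd_tmpfs_t`, so any module calling `lvm_rw_clvmd_tmpfs_files` will fail to link with an unknown type until one side is corrected; the `clvmd_` spelling used here matches the other clvmd types and is the one to keep. The interface should also give the caller a path to the file: add `fs_search_tmpfs($1)` before the allow, as the other `*_rw_*_tmpfs_files` interfaces in refpolicy do. The summary `Read and write to lvm temporary file system.` would be more precise as `Read and write clvmd tmpfs files.`.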
index 86ef2da27da2addc66ff4897edd8f56e5c3dfddd..7f649d58f98263ece633674425d1f6f4157b156c 100644 (file)
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
 type clvmd_initrc_exec_t;
 init_script_file(clvmd_initrc_exec_t)
 
+type clmvd_tmpfs_t;
+files_tmpfs_file(clmvd_tmpfs_t)
+
 type clvmd_var_run_t;
 files_pid_file(clvmd_var_run_t)
 
@@ -56,6 +59,10 @@ allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow clvmd_t self:tcp_socket create_stream_socket_perms;
 allow clvmd_t self:udp_socket create_socket_perms;
 
+manage_dirs_pattern(clvmd_t, clmvd_tmpfs_t, clmvd_tmpfs_t)
+manage_files_pattern(clvmd_t, clmvd_tmpfs_t,clmvd_tmpfs_t)
+fs_tmpfs_filetrans(clvmd_t, clmvd_tmpfs_t, { dir file })
+
 manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t)
 files_pid_filetrans(clvmd_t, clvmd_var_run_t, file)
 
@@ -140,6 +147,11 @@ ifdef(`distro_redhat',`
        ')
 ')
 
+optional_policy(`
+       aisexec_stream_connect(clvmd_t)
+       corosync_stream_connect(clvmd_t)
+')
+
 optional_policy(`
        ccs_stream_connect(clvmd_t)
 ')
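Review bot: `aisexec_stream_connect(clvmd_t)` and `corosync_stream_connect(clvmd_t)` share one `optional_policy` block, so the whole block is dropped unless both the aisexec and corosync modules are present in the same policy; a build that ships only one of the two cluster stacks gets neither rule. Put each call in its own `optional_policy` block, as the `ccs_stream_connect(clvmd_t)` block directly below already does. The same pairing is added for `lvm_t` later in this file and should be split the same way.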
@@ -170,6 +182,7 @@ dontaudit lvm_t self:capability sys_tty_config;
 allow lvm_t self:process { sigchld sigkill sigstop signull signal };
 # LVM will complain a lot if it cannot set its priority.
 allow lvm_t self:process setsched;
+allow lvm_t self:sem create_sem_perms;
 allow lvm_t self:file rw_file_perms;
 allow lvm_t self:fifo_file manage_fifo_file_perms;
 allow lvm_t self:unix_dgram_socket create_socket_perms;
@@ -210,12 +223,15 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file)
 files_etc_filetrans(lvm_t, lvm_metadata_t, file)
 files_search_mnt(lvm_t)
 
+kernel_get_sysvipc_info(lvm_t)
 kernel_read_system_state(lvm_t)
+kernel_read_kernel_sysctls(lvm_t)
 # Read system variables in /proc/sys
 kernel_read_kernel_sysctls(lvm_t)
 # it has no reason to need this
 kernel_dontaudit_getattr_core_if(lvm_t)
 kernel_use_fds(lvm_t)
+kernel_request_load_module(lvm_t)
 kernel_search_debugfs(lvm_t)
 
 corecmd_exec_bin(lvm_t)
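Review bot: The added `kernel_read_kernel_sysctls(lvm_t)` duplicates the identical call two lines below (under the `# Read system variables in /proc/sys` comment), so the new line should be dropped rather than leaving the rule twice. `kernel_request_load_module(lvm_t)` lets lvm trigger kernel module autoloading with no note of which module it needs; a one-line comment such as `# request_module for device-mapper targets — confirm which module triggers it` would let the next maintainer judge whether it can go. `kernel_get_sysvipc_info(lvm_t)` presumably pairs with the `self:sem` rule added in the hunk above, but that link is not stated either.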
@@ -242,6 +258,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
 dev_dontaudit_getattr_generic_blk_files(lvm_t)
 dev_dontaudit_getattr_generic_pipes(lvm_t)
 dev_create_generic_dirs(lvm_t)
+dev_rw_generic_files(lvm_t)
 
 domain_use_interactive_fds(lvm_t)
 domain_read_all_domains_state(lvm_t)
@@ -251,8 +268,9 @@ files_read_etc_files(lvm_t)
 files_read_etc_runtime_files(lvm_t)
 # for when /usr is not mounted:
 files_dontaudit_search_isid_type_dirs(lvm_t)
+files_dontaudit_getattr_tmpfs_files(lvm_t)
 
-fs_getattr_xattr_fs(lvm_t)
+fs_getattr_all_fs(lvm_t)
 fs_search_auto_mountpoints(lvm_t)
 fs_list_tmpfs(lvm_t)
 fs_read_tmpfs_symlinks(lvm_t)
@@ -262,6 +280,7 @@ fs_rw_anon_inodefs_files(lvm_t)
 
 mls_file_read_all_levels(lvm_t)
 mls_file_write_to_clearance(lvm_t)
+mls_file_upgrade(lvm_t)
 
 selinux_get_fs_mount(lvm_t)
 selinux_validate_context(lvm_t)
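Review bot: `mls_file_upgrade(lvm_t)` makes lvm_t MLS-trusted for raising the level of files, a privilege added with no comment, whereas the neighbouring `mls_file_read_all_levels`/`mls_file_write_to_clearance` at least describe a bounded scope. On the MLS policy this lets lvm_t move data upward in sensitivity, so the denial that motivated it (which file or device node, at which level) should be recorded next to the rule, e.g. `# relabelto across levels on device-mapper nodes — confirm path`. If the need is limited to device nodes rather than regular files, check whether a narrower mls interface covers it.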
@@ -308,6 +327,11 @@ ifdef(`distro_redhat',`
        ')
 ')
 
+optional_policy(`
+       aisexec_stream_connect(lvm_t)
+       corosync_stream_connect(lvm_t)
+')
+
 optional_policy(`
        bootloader_rw_tmp_files(lvm_t)
 ')
@@ -328,6 +352,10 @@ optional_policy(`
        ')
 ')
 
+optional_policy(`
+       livecd_rw_semaphores(lvm_t)
+')
+
 optional_policy(`
        modutils_domtrans_insmod(lvm_t)
 ')
index 7711464d15fb2c8d06ce941119fde7127f4e3d57..1f0ccfd3ca0c0ecc7d09be35a7fe74de3fed43df 100644 (file)
@@ -11,6 +11,7 @@ ifdef(`distro_gentoo',`
 /etc/avahi/etc/localtime --    gen_context(system_u:object_r:locale_t,s0)
 /etc/localtime         --      gen_context(system_u:object_r:locale_t,s0)
 /etc/pki(/.*)?                 gen_context(system_u:object_r:cert_t,s0)
+/etc/httpd/alias/[^/]*\.db(\.[^/]*)*   --      gen_context(system_u:object_r:cert_t,s0)
 
 ifdef(`distro_redhat',`
 /etc/sysconfig/clock   --      gen_context(system_u:object_r:locale_t,s0)
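Review bot: `/etc/httpd/alias/[^/]*\.db(\.[^/]*)*` labels every NSS database in the mod_nss directory as `cert_t`, and if the key database (key3.db, or a key4.db/.db.bak copy) lives there alongside cert8.db and secmod.db, the regex does not distinguish it. `cert_t` is the public-certificate type readable by every domain granted `miscfiles_read_generic_certs`, so a private-key store would become broadly readable. If the key database does sit in this directory, restrict the pattern to the certificate and module databases (`/etc/httpd/alias/(cert8|secmod)\.db(\.[^/]*)*`) or give the key file an httpd-private type in apache.fc, and leave a comment stating which files the entry is meant to cover.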
@@ -75,13 +76,11 @@ ifdef(`distro_redhat',`
 /var/cache/fonts(/.*)?         gen_context(system_u:object_r:tetex_data_t,s0)
 /var/cache/man(/.*)?           gen_context(system_u:object_r:man_t,s0)
 
-/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
-
 /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
 
-/var/spool/texmf(/.*)?         gen_context(system_u:object_r:tetex_data_t,s0)
+/var/spool/abrt-upload(/.*)?    gen_context(system_u:object_r:public_content_rw_t,s0)
 
-/var/www/cobbler/images(/.*)?  gen_context(system_u:object_r:public_content_rw_t, s0)
+/var/spool/texmf(/.*)?         gen_context(system_u:object_r:tetex_data_t,s0)
 
 ifdef(`distro_debian',`
 /var/lib/msttcorefonts(/.*)?   gen_context(system_u:object_r:fonts_t,s0)
index fe4e741648e6ce0659bf9da8c65bd0ac8b8de178..926ba658064f0ea5c73f365dd2020770bedfbd5b 100644 (file)
@@ -414,9 +414,6 @@ interface(`miscfiles_read_localization',`
        allow $1 locale_t:dir list_dir_perms;
        read_files_pattern($1, locale_t, locale_t)
        read_lnk_files_pattern($1, locale_t, locale_t)
-
-       # why?
-       libs_read_lib_files($1)
 ')
 
 ########################################
index c51f7f57c17ed18a11df6c5482bd0ac5cee5d4a3..59c70bff1b2f793ad7e1dd5df453e9f36ac24db6 100644 (file)
@@ -4,7 +4,6 @@ policy_module(miscfiles, 1.8.1)
 #
 # Declarations
 #
-
 attribute cert_type;
 
 #
@@ -12,6 +11,7 @@ attribute cert_type;
 #
 type cert_t;
 miscfiles_cert_type(cert_t)
+
 #
 # fonts_t is the type of various font
 # files in /usr
index 9c0faab1ef77860e37f9ed518c4f752d592b2e4a..def8d5abdbb21bb7c2cad74b1b06cd656191467f 100644 (file)
@@ -37,6 +37,26 @@ interface(`modutils_read_module_deps',`
        allow $1 modules_dep_t:file read_file_perms;
 ')
 
+########################################
+## <summary>
+##     list the configuration options used when
+##     loading modules.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`modutils_list_module_config',`
+       gen_require(`
+               type modules_conf_t;
+       ')
+
+       list_dirs_pattern($1, modules_conf_t, modules_conf_t)
+')
+
 ########################################
 ## <summary>
 ##     Read the configuration options used when
index 74a446698c6f7047068d80ef8a14197b37a95add..9abf3b17c646b9c6948f7a548f69df6b658e8327 100644 (file)
@@ -18,6 +18,7 @@ type insmod_t;
 type insmod_exec_t;
 application_domain(insmod_t, insmod_exec_t)
 mls_file_write_all_levels(insmod_t)
+mls_process_write_down(insmod_t)
 role system_r types insmod_t;
 
 # module loading config
@@ -55,12 +56,15 @@ corecmd_search_bin(depmod_t)
 
 domain_use_interactive_fds(depmod_t)
 
+files_delete_kernel_modules(depmod_t)
 files_read_kernel_symbol_table(depmod_t)
 files_read_kernel_modules(depmod_t)
 files_read_etc_runtime_files(depmod_t)
 files_read_etc_files(depmod_t)
 files_read_usr_src_files(depmod_t)
 files_list_usr(depmod_t)
+files_append_var_files(depmod_t)
+files_read_boot_files(depmod_t)
 
 fs_getattr_xattr_fs(depmod_t)
 
@@ -74,6 +78,7 @@ userdom_use_user_terminals(depmod_t)
 # Read System.map from home directories.
 files_list_home(depmod_t)
 userdom_read_user_home_content_files(depmod_t)
+userdom_manage_user_tmp_files(depmod_t)
 
 ifdef(`distro_ubuntu',`
        optional_policy(`
@@ -104,7 +109,7 @@ optional_policy(`
 # insmod local policy
 #
 
-allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
+allow insmod_t self:capability { dac_override mknod net_raw sys_nice sys_tty_config };
 allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
 
 allow insmod_t self:udp_socket create_socket_perms;
@@ -125,6 +130,7 @@ kernel_write_proc_files(insmod_t)
 kernel_mount_debugfs(insmod_t)
 kernel_mount_kvmfs(insmod_t)
 kernel_read_debugfs(insmod_t)
+kernel_request_load_module(insmod_t)
 # Rules for /proc/sys/kernel/tainted
 kernel_read_kernel_sysctls(insmod_t)
 kernel_rw_kernel_sysctl(insmod_t)
@@ -142,6 +148,7 @@ dev_rw_agp(insmod_t)
 dev_read_sound(insmod_t)
 dev_write_sound(insmod_t)
 dev_rw_apm_bios(insmod_t)
+dev_create_generic_chr_files(insmod_t)
 
 domain_signal_all_domains(insmod_t)
 domain_use_interactive_fds(insmod_t)
@@ -160,11 +167,15 @@ files_write_kernel_modules(insmod_t)
 
 fs_getattr_xattr_fs(insmod_t)
 fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
+fs_mount_rpc_pipefs(insmod_t)
+fs_search_rpc(insmod_t)
 
 init_rw_initctl(insmod_t)
 init_use_fds(insmod_t)
 init_use_script_fds(insmod_t)
 init_use_script_ptys(insmod_t)
+init_spec_domtrans_script(insmod_t)
+init_rw_script_tmp_files(insmod_t)
 
 logging_send_syslog_msg(insmod_t)
 logging_search_logs(insmod_t)
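Review bot: `init_spec_domtrans_script(insmod_t)` lets insmod_t execute init scripts with a transition into the initrc domain, which turns a module-loading helper into a path to the much broader initrc privileges; together with `init_rw_script_tmp_files` it suggests an `install`/`remove` line in modprobe configuration is (re)starting a service. That is a different trust boundary from the rest of this block and deserves a comment naming the triggering configuration, e.g. `# modprobe install/remove hooks that run service scripts — confirm`, plus a look at whether the hook itself should be relabelled instead. `fs_mount_rpc_pipefs(insmod_t)`/`fs_search_rpc(insmod_t)` are equally unexplained for insmod; if they come from the sunrpc module mounting rpc_pipefs at init, say so on the line. The `secure_mode_insmod` conditional that follows starts outside this hunk.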
@@ -173,8 +184,7 @@ miscfiles_read_localization(insmod_t)
 
 seutil_read_file_contexts(insmod_t)
 
-userdom_use_user_terminals(insmod_t)
-
+term_use_all_terms(insmod_t)
 userdom_dontaudit_search_user_home_dirs(insmod_t)
 
 if( ! secure_mode_insmod ) {
@@ -190,6 +200,10 @@ optional_policy(`
        firstboot_dontaudit_rw_stream_sockets(insmod_t)
 ')
 
+optional_policy(`
+       firewallgui_dontaudit_rw_pipes(insmod_t)
+')
+
 optional_policy(`
        hal_write_log(insmod_t)
 ')
@@ -234,6 +248,10 @@ optional_policy(`
        unconfined_dontaudit_rw_pipes(insmod_t)
 ')
 
+optional_policy(`
+       virt_dontaudit_write_pipes(insmod_t)
+')
+
 optional_policy(`
        # cjp: why is this needed:
        dev_rw_xserver_misc(insmod_t)
index 72c746e7fd1638c28806a207fab44a6e7c773481..e3d06fd100e78a8f5a0a7fc648359630ad4d7e40 100644 (file)
@@ -1,4 +1,10 @@
 /bin/mount.*                   --      gen_context(system_u:object_r:mount_exec_t,s0)
 /bin/umount.*                  --      gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/mount.*                  --      gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/umount.*                 --      gen_context(system_u:object_r:mount_exec_t,s0)
+/bin/fusermount                --      gen_context(system_u:object_r:fusermount_exec_t,s0)
+/usr/bin/fusermount            --      gen_context(system_u:object_r:fusermount_exec_t,s0)
+/usr/sbin/showmount            --  gen_context(system_u:object_r:showmount_exec_t,s0)
 
-/usr/bin/fusermount            --      gen_context(system_u:object_r:mount_exec_t,s0)
+/var/cache/davfs2(/.*)?                gen_context(system_u:object_r:mount_var_run_t,s0)
+/var/run/davfs2(/.*)?          gen_context(system_u:object_r:mount_var_run_t,s0)
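Review bot: The new `/sbin/mount.*` → `mount_exec_t` entry overlaps the `/sbin/mount\.crypt` → `lvm_exec_t` entry added to lvm.fc in this same commit; setfiles resolves the overlap by specificity (the literal path wins over the regex), so mount.crypt does end up `lvm_exec_t`, but that dependency is invisible to anyone reading mount.fc alone. A comment next to the regex, `# /sbin/mount\.crypt is lvm_exec_t, see lvm.fc`, would stop the entry being "fixed" later. `/var/cache/davfs2(/.*)?` is also labelled `mount_var_run_t`, a `files_pid_file` type, although it lives under /var/cache; if davfs2 keeps persistent cache data there rather than runtime state, a separate cache type (or at least a comment saying why a pid type is reused) would be more accurate.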
index 8b5c196256080d221eca1767284db7f2b9bf9c2e..34904975eafebc2889f6f0b411707e1280d74379 100644 (file)
@@ -16,6 +16,14 @@ interface(`mount_domtrans',`
        ')
 
        domtrans_pattern($1, mount_exec_t, mount_t)
+       mount_domtrans_fusermount($1)
+
+ifdef(`hide_broken_symptoms', `
+       dontaudit mount_t $1:unix_stream_socket { read write };
+       dontaudit mount_t $1:tcp_socket  { read write };
+       dontaudit mount_t $1:udp_socket { read write };
+')
+
 ')
 
 ########################################
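Review bot: The `ifdef(hide_broken_symptoms)` block added inside `mount_domtrans` sits at column 0 with its `dontaudit` lines indented one level, unlike the rest of the interface body, which is tab-indented; indent the whole block to match. The three `dontaudit` rules silence read/write on the caller's unix_stream, tcp and udp sockets separately, while the equivalent blocks added to seutil.if in this commit use the single form `dontaudit mount_t $1:socket_class_set { read write };`, which covers the same leak in one line and is the form to prefer here too.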
@@ -45,10 +53,56 @@ interface(`mount_run',`
        role $2 types mount_t;
 
        optional_policy(`
-               samba_run_smbmount($1, $2)
+               fstools_run(mount_t, $2)
+       ')
+
+       # Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711
+       optional_policy(`
+               lvm_run(mount_t, $2)
+       ')
+
+       optional_policy(`
+               modutils_run_insmod(mount_t, $2)
+       ')
+
+       optional_policy(`
+               rpc_run_rpcd(mount_t, $2)
+       ')
+
+       optional_policy(`
+               samba_run_smbmount(mount_t, $2)
        ')
 ')
 
+########################################
+## <summary>
+##     Execute fusermount in the mount domain, and
+##     allow the specified role the mount domain,
+##     and use the caller's terminal.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     The role to be allowed the mount domain.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mount_run_fusermount',`
+       gen_require(`
+               type mount_t;
+       ')
+
+       mount_domtrans_fusermount($1)
+       role $2 types mount_t;
+
+       fstools_run(mount_t, $2)
+')
+
 ########################################
 ## <summary>
 ##     Execute mount in the caller domain.
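Review bot: `mount_run` now calls `fstools_run(mount_t, $2)`, `lvm_run(mount_t, $2)`, `modutils_run_insmod(mount_t, $2)` and `rpc_run_rpcd(mount_t, $2)`; if those follow the usual refpolicy `*_run` convention each contains a `role $2 types ...` statement, so every role granted `mount_run` is silently authorised for fsadm_t, lvm_t, insmod_t and rpcd_t as well — a large privilege expansion for an interface whose summary still only promises the mount domain. Either state it in the summary (`## and the fstools, lvm, insmod and rpcd domains mount depends on`) or move the cross-domain role grants into a separate interface that admin roles opt into. In `mount_run_fusermount` the `fstools_run(mount_t, $2)` call is not wrapped in `optional_policy`, unlike the same call in `mount_run` above, which creates a hard dependency on the fstools module; wrap it the same way.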
@@ -84,9 +138,11 @@ interface(`mount_exec',`
 interface(`mount_signal',`
        gen_require(`
                type mount_t;
+               type unconfined_mount_t;
        ')
 
        allow $1 mount_t:process signal;
+       allow $1 unconfined_mount_t:process signal;
 ')
 
 ########################################
@@ -95,7 +151,7 @@ interface(`mount_signal',`
 ## </summary>
 ## <param name="domain">
 ##     <summary>
-##     The type of the process performing this action.
+##     Domain allowed access.
 ##     </summary>
 ## </param>
 #
@@ -176,4 +232,109 @@ interface(`mount_run_unconfined',`
 
        mount_domtrans_unconfined($1)
        role $2 types unconfined_mount_t;
+
+       optional_policy(`
+               rpc_run_rpcd(unconfined_mount_t, $2)
+       ')
+
+       optional_policy(`
+               samba_run_smbmount(unconfined_mount_t, $2)
+       ')
+')
+
+########################################
+## <summary>
+##     Execute fusermount in the mount domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mount_domtrans_fusermount',`
+       gen_require(`
+               type mount_t, fusermount_exec_t;
+       ')
+
+       domtrans_pattern($1, fusermount_exec_t, mount_t)
+')
+
+########################################
+## <summary>
+##     Execute fusermount.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mount_exec_fusermount',`
+       gen_require(`
+               type fusermount_exec_t;
+       ')
+
+       can_exec($1, fusermount_exec_t)
+')
+
+########################################
+## <summary>
+##     dontaudit Execute fusermount.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mount_dontaudit_exec_fusermount',`
+       gen_require(`
+               type fusermount_exec_t;
+       ')
+
+       dontaudit $1 fusermount_exec_t:file exec_file_perms;
+')
+
+######################################
+## <summary>
+##  Execute a domain transition to run showmount.
+## </summary>
+## <param name="domain">
+## <summary>
+##  Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mount_domtrans_showmount',`
+    gen_require(`
+        type showmount_t, showmount_exec_t;
+    ')
+
+    domtrans_pattern($1, showmount_exec_t, showmount_t)
+')
+
+######################################
+## <summary>
+##  Execute showmount in the showmount domain, and
+##  allow the specified role the showmount domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access
+##  </summary>
+## </param>
+## <param name="role">
+##  <summary>
+##  The role to be allowed the showmount domain.
+##  </summary>
+## </param>
+#
+interface(`mount_run_showmount',`
+    gen_require(`
+        type showmount_t;
+    ')
+
+    mount_domtrans_showmount($1)
+    role $2 types showmount_t;
 ')
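Review bot: The two showmount interfaces (`mount_domtrans_showmount`, `mount_run_showmount`) are indented with four spaces and their doc blocks use a two-space `##  ` style, while every other interface in this file uses tabs and `##` followed by a tab; reformat them to match. `mount_run_showmount` also lacks the `<rolecap/>` tag that `mount_run_fusermount` above carries, so it will be left out of the role-capability documentation. Finally, the summary `dontaudit Execute fusermount.` on `mount_dontaudit_exec_fusermount` should read `Do not audit attempts to execute fusermount.` to follow the wording used by other dontaudit interfaces.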
index fca694734dc6fa89e2ba1ef078fc3f0bbc39d0b2..0fcd4e7fdedc74a08b465c3bf21518d42261fd58 100644 (file)
@@ -17,8 +17,15 @@ type mount_exec_t;
 init_system_domain(mount_t, mount_exec_t)
 role system_r types mount_t;
 
+type fusermount_exec_t;
+domain_entry_file(mount_t, fusermount_exec_t)
+
+typealias mount_t alias mount_ntfs_t;
+typealias mount_exec_t alias mount_ntfs_exec_t;
+
 type mount_loopback_t; # customizable
 files_type(mount_loopback_t)
+typealias mount_loopback_t alias mount_loop_t;
 
 type mount_tmp_t;
 files_tmp_file(mount_tmp_t)
@@ -28,6 +35,17 @@ files_tmp_file(mount_tmp_t)
 # policy--duplicate type declaration
 type unconfined_mount_t;
 application_domain(unconfined_mount_t, mount_exec_t)
+role system_r types unconfined_mount_t;
+
+type mount_var_run_t;
+files_pid_file(mount_var_run_t)
+
+# showmount - show mount information for an NFS server
+
+type showmount_t;
+type showmount_exec_t;
+application_domain(showmount_t, showmount_exec_t)
+role system_r types showmount_t;
 
 ########################################
 #
@@ -35,7 +53,11 @@ application_domain(unconfined_mount_t, mount_exec_t)
 #
 
 # setuid/setgid needed to mount cifs 
-allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
+allow mount_t self:capability { fsetid ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid };
+allow mount_t self:process { getcap getsched ptrace setcap setrlimit signal };
+allow mount_t self:fifo_file rw_fifo_file_perms;
+allow mount_t self:unix_stream_socket create_stream_socket_perms;
+allow mount_t self:unix_dgram_socket create_socket_perms; 
 
 allow mount_t mount_loopback_t:file read_file_perms;
 
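Review bot: The capability set for mount_t grows by `fsetid setpcap sys_resource dac_read_search` and the new `self:process` line adds `ptrace setcap getcap setrlimit`, with no comment beyond the pre-existing cifs note, which only ever covered setuid/setgid. `setpcap`/`setcap` let the domain alter its own capability bounding set and `self:process ptrace` is rarely needed by a mount helper; rules like these are hard to remove later without knowing which helper triggered them. Please annotate the lines, e.g. `# setpcap/setcap: helper drops capabilities before exec — confirm which one` and `# ptrace: self-inspection — confirm`, or move any that merely silence noise into the `hide_broken_symptoms` block used further down in this file.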
@@ -46,32 +68,56 @@ can_exec(mount_t, mount_exec_t)
 
 files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
 
+manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t)
+manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t)
+files_pid_filetrans(mount_t,mount_var_run_t,dir)
+files_var_filetrans(mount_t,mount_var_run_t,dir)
+
+# In order to mount reiserfs_t
+kernel_dontaudit_getattr_core_if(mount_t)
+kernel_list_unlabeled(mount_t)
+kernel_mount_unlabeled(mount_t)
+kernel_unmount_unlabeled(mount_t)
 kernel_read_system_state(mount_t)
+kernel_read_network_state(mount_t)
 kernel_read_kernel_sysctls(mount_t)
-kernel_dontaudit_getattr_core_if(mount_t)
+kernel_manage_debugfs(mount_t)
+kernel_setsched(mount_t)
+kernel_use_fds(mount_t)
+kernel_request_load_module(mount_t)
 
 # required for mount.smbfs
 corecmd_exec_bin(mount_t)
 
+dev_getattr_generic_blk_files(mount_t)
 dev_getattr_all_blk_files(mount_t)
 dev_list_all_dev_nodes(mount_t)
+dev_read_usbfs(mount_t)
+dev_read_rand(mount_t)
+dev_read_sysfs(mount_t)
 dev_rw_lvm_control(mount_t)
 dev_dontaudit_getattr_all_chr_files(mount_t)
 dev_dontaudit_getattr_memory_dev(mount_t)
 dev_getattr_sound_dev(mount_t)
+ifdef(`hide_broken_symptoms',`
+       dev_rw_generic_blk_files(mount_t)
+')
 # Early devtmpfs, before udev relabel
 dev_dontaudit_rw_generic_chr_files(mount_t)
 
 domain_use_interactive_fds(mount_t)
+domain_dontaudit_search_all_domains_state(mount_t)
 
 files_search_all(mount_t)
 files_read_etc_files(mount_t)
 files_manage_etc_runtime_files(mount_t)
 files_etc_filetrans_etc_runtime(mount_t, file)
 files_mounton_all_mountpoints(mount_t)
+# ntfs-3g checks whether the mountpoint is writable before mounting
+files_write_all_mountpoints(mount_t)
 files_unmount_rootfs(mount_t)
 # These rules need to be generalized.  Only admin, initrc should have it:
-files_relabelto_all_file_type_fs(mount_t)
+files_relabel_all_file_type_fs(mount_t)
 files_mount_all_file_type_fs(mount_t)
 files_unmount_all_file_type_fs(mount_t)
 # for when /etc/mtab loses its type
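Review bot: `files_var_filetrans(mount_t,mount_var_run_t,dir)` makes every directory mount_t creates directly under /var come out as `mount_var_run_t`, not only `/var/cache/davfs2`; that is broader than the davfs2 entry in mount.fc suggests and needs a comment pinning the case, e.g. `# /var/cache/davfs2 created by mount.davfs — confirm`. The switch from `files_relabelto_all_file_type_fs` to `files_relabel_all_file_type_fs` adds relabelfrom, so mount_t can now relabel any file-type filesystem in both directions, and `kernel_mount_unlabeled`/`kernel_unmount_unlabeled` sit under a `# In order to mount reiserfs_t` comment that does not explain unlabeled mounts; the surviving note `# These rules need to be generalized.  Only admin, initrc should have it:` is more true than before and the new lines should at least say what forced them. The three new `manage_*`/`filetrans` lines also omit the spaces after commas used everywhere else in the file.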
@@ -81,25 +127,34 @@ files_read_isid_type_files(mount_t)
 files_read_usr_files(mount_t)
 files_list_mnt(mount_t)
 
-fs_getattr_xattr_fs(mount_t)
-fs_getattr_cifs(mount_t)
+fs_list_all(mount_t)
+fs_getattr_all_fs(mount_t)
 fs_mount_all_fs(mount_t)
 fs_unmount_all_fs(mount_t)
 fs_remount_all_fs(mount_t)
 fs_relabelfrom_all_fs(mount_t)
-fs_list_auto_mountpoints(mount_t)
+fs_rw_anon_inodefs_files(mount_t)
 fs_rw_tmpfs_chr_files(mount_t)
+fs_rw_nfsd_fs(mount_t)
+fs_manage_tmpfs_dirs(mount_t)
 fs_read_tmpfs_symlinks(mount_t)
+fs_read_fusefs_files(mount_t)
+fs_manage_nfs_dirs(mount_t)
+fs_read_nfs_symlinks(mount_t)
+fs_manage_cgroup_dirs(mount_t)
+fs_manage_cgroup_files(mount_t)
 
 mls_file_read_all_levels(mount_t)
 mls_file_write_all_levels(mount_t)
 
 selinux_get_enforce_mode(mount_t)
+selinux_dontaudit_write_fs(mount_t)
 
 storage_raw_read_fixed_disk(mount_t)
 storage_raw_write_fixed_disk(mount_t)
 storage_raw_read_removable_device(mount_t)
 storage_raw_write_removable_device(mount_t)
+storage_rw_fuse(mount_t)
 
 term_use_all_terms(mount_t)
 
@@ -108,6 +163,8 @@ auth_use_nsswitch(mount_t)
 init_use_fds(mount_t)
 init_use_script_ptys(mount_t)
 init_dontaudit_getattr_initctl(mount_t)
+init_stream_connect_script(mount_t)
+init_rw_script_stream_sockets(mount_t)
 
 logging_send_syslog_msg(mount_t)
 
@@ -118,6 +175,12 @@ sysnet_use_portmap(mount_t)
 seutil_read_config(mount_t)
 
 userdom_use_all_users_fds(mount_t)
+userdom_manage_user_home_content_dirs(mount_t)
+userdom_read_user_home_content_symlinks(mount_t)
+
+optional_policy(`
+       abrt_rw_fifo_file(mount_t)
+')
 
 ifdef(`distro_redhat',`
        optional_policy(`
@@ -133,10 +196,17 @@ ifdef(`distro_ubuntu',`
        ')
 ')
 
+corecmd_exec_shell(mount_t)
+
+modutils_domtrans_insmod(mount_t)
+
+fstools_domtrans(mount_t)
+
 tunable_policy(`allow_mount_anyfile',`
        auth_read_all_dirs_except_shadow(mount_t)
        auth_read_all_files_except_shadow(mount_t)
        files_mounton_non_security(mount_t)
+       files_rw_all_inherited_files(mount_t)
 ')
 
 optional_policy(`
@@ -166,12 +236,33 @@ optional_policy(`
        fs_search_rpc(mount_t)
 
        rpc_stub(mount_t)
+
+       rpc_domtrans_rpcd(mount_t)
 ')
 
 optional_policy(`
        apm_use_fds(mount_t)
 ')
 
+optional_policy(`
+       cron_system_entry(mount_t, mount_exec_t)
+')
+
+optional_policy(`
+       dbus_system_bus_client(mount_t)
+
+       optional_policy(`
+               hal_dbus_chat(mount_t)
+       ')
+')
+
+
+optional_policy(`
+       hal_write_log(mount_t)
+       hal_use_fds(mount_t)
+       hal_dontaudit_rw_pipes(mount_t)
+')
+
 optional_policy(`
        ifdef(`hide_broken_symptoms',`
                # for a bug in the X server
@@ -180,13 +271,36 @@ optional_policy(`
        ')
 ')
 
+optional_policy(`
+       livecd_rw_tmp_files(mount_t)
+')
+
+# Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711
+optional_policy(`
+       lvm_domtrans(mount_t)
+')
+
 # for kernel package installation
 optional_policy(`
        rpm_rw_pipes(mount_t)
+       rpm_dontaudit_leaks(mount_t)
 ')
 
 optional_policy(`
        samba_domtrans_smbmount(mount_t)
+       samba_read_config(mount_t)
+')
+
+optional_policy(`
+       ssh_exec(mount_t)
+')
+
+optional_policy(`
+       usbmuxd_stream_connect(mount_t)
+')
+
+optional_policy(`
+       vmware_exec_host(mount_t)
 ')
 
 ########################################
@@ -195,6 +309,42 @@ optional_policy(`
 #
 
 optional_policy(`
+       unconfined_domain_noaudit(unconfined_mount_t)
+')
+
+optional_policy(`
+       userdom_unpriv_usertype(unconfined, unconfined_mount_t)
        files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
-       unconfined_domain(unconfined_mount_t)
 ')
+
+######################################
+#
+# showmount local policy
+#
+
+allow showmount_t self:tcp_socket create_stream_socket_perms;
+allow showmount_t self:udp_socket create_socket_perms;
+
+kernel_read_system_state(showmount_t)
+
+corenet_all_recvfrom_unlabeled(showmount_t)
+corenet_all_recvfrom_netlabel(showmount_t)
+corenet_tcp_sendrecv_generic_if(showmount_t)
+corenet_udp_sendrecv_generic_if(showmount_t)
+corenet_tcp_sendrecv_generic_node(showmount_t)
+corenet_udp_sendrecv_generic_node(showmount_t)
+corenet_tcp_sendrecv_all_ports(showmount_t)
+corenet_udp_sendrecv_all_ports(showmount_t)
+corenet_tcp_bind_generic_node(showmount_t)
+corenet_udp_bind_generic_node(showmount_t)
+corenet_tcp_bind_all_rpc_ports(showmount_t)
+corenet_udp_bind_all_rpc_ports(showmount_t)
+corenet_tcp_connect_all_ports(showmount_t)
+
+files_read_etc_files(showmount_t)
+
+miscfiles_read_localization(showmount_t)
+
+sysnet_dns_name_resolve(showmount_t)
+
+userdom_use_user_terminals(showmount_t)
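Review bot: The showmount domain gets `corenet_tcp_connect_all_ports(showmount_t)` plus `corenet_tcp_bind_all_rpc_ports`/`corenet_udp_bind_all_rpc_ports`; showmount only needs to reach the remote portmapper and mountd, so the connect rule could be narrowed to `corenet_tcp_connect_portmap_port(showmount_t)` and `corenet_tcp_connect_all_rpc_ports(showmount_t)` (mountd's port is assigned dynamically, which is presumably why all rpc ports are wanted), and the reserved-port bind should carry a comment explaining that showmount sources from a privileged port. In the same hunk `unconfined_mount_t` is given `userdom_unpriv_usertype(unconfined, unconfined_mount_t)` alongside `unconfined_domain_noaudit`; making a mount helper a user type of the unconfined user is surprising and should be explained on the line. Hostname resolution relies on `sysnet_dns_name_resolve` alone; if NFS server names come through nsswitch rather than DNS only, `auth_use_nsswitch(showmount_t)` would be the more complete choice — confirm.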
index ed9c70d4fc1a1d8c96aec7a2e2a9cc0e91f4abc1..42d3890a355ccd7c44edbe90645e1e4ade3fc21d 100644 (file)
@@ -1,4 +1,5 @@
-/dev/.mdadm.map                --      gen_context(system_u:object_r:mdadm_map_t,s0)
+/dev/.mdadm\.map       --      gen_context(system_u:object_r:mdadm_var_run_t,s0)
+/dev/md(/.*)?                  gen_context(system_u:object_r:mdadm_var_run_t,s0)
 
 /sbin/mdadm            --      gen_context(system_u:object_r:mdadm_exec_t,s0)
 /sbin/mdmpd            --      gen_context(system_u:object_r:mdadm_exec_t,s0)
index 09845c498b3adb062872f48afe09178d308e072e..6500830bee50c260fc29ea78526202eb96a37ae5 100644 (file)
@@ -10,11 +10,9 @@ type mdadm_exec_t;
 init_daemon_domain(mdadm_t, mdadm_exec_t)
 role system_r types mdadm_t;
 
-type mdadm_map_t;
-files_type(mdadm_map_t)
-
-type mdadm_var_run_t;
+type mdadm_var_run_t alias mdadm_map_t;
 files_pid_file(mdadm_var_run_t)
+dev_associate(mdadm_var_run_t)
 
 ########################################
 #
@@ -26,12 +24,11 @@ dontaudit mdadm_t self:capability sys_tty_config;
 allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
 allow mdadm_t self:fifo_file rw_fifo_file_perms;
 
-# create .mdadm files in /dev
-allow mdadm_t mdadm_map_t:file manage_file_perms;
-dev_filetrans(mdadm_t, mdadm_map_t, file)
-
+manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
 manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
-files_pid_filetrans(mdadm_t, mdadm_var_run_t, file)
+manage_sock_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
+files_pid_filetrans(mdadm_t, mdadm_var_run_t, { file dir })
+dev_filetrans(mdadm_t, mdadm_var_run_t, { file dir sock_file })
 
 kernel_read_system_state(mdadm_t)
 kernel_read_kernel_sysctls(mdadm_t)
@@ -52,13 +49,16 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t)
 dev_read_realtime_clock(mdadm_t)
 # unfortunately needed for DMI decoding:
 dev_read_raw_memory(mdadm_t)
+dev_read_generic_files(mdadm_t)
 
 domain_use_interactive_fds(mdadm_t)
 
 files_read_etc_files(mdadm_t)
 files_read_etc_runtime_files(mdadm_t)
+files_dontaudit_getattr_tmpfs_files(mdadm_t)
 
-fs_search_auto_mountpoints(mdadm_t)
+fs_list_hugetlbfs(mdadm_t)
+fs_list_auto_mountpoints(mdadm_t)
 fs_dontaudit_list_tmpfs(mdadm_t)
 
 mls_file_read_all_levels(mdadm_t)
index 2cc4bda302f488189730895fc0d37d76ac9a6cc1..9e81136bdeb916de5e36a9e8d641eeac2047dbaf 100644 (file)
@@ -6,13 +6,13 @@
 /etc/selinux(/.*)?                     gen_context(system_u:object_r:selinux_config_t,s0)
 /etc/selinux/([^/]*/)?contexts(/.*)?   gen_context(system_u:object_r:default_context_t,s0)
 /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
-/etc/selinux/([^/]*/)?policy(/.*)?     gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
+/etc/selinux/([^/]*/)?policy(/.*)?     gen_context(system_u:object_r:semanage_store_t,s0)
 /etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
-/etc/selinux/([^/]*/)?seusers  --      gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
+/etc/selinux/([^/]*/)?seusers  --      gen_context(system_u:object_r:selinux_config_t,s0)
 /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
 /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
 /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
-/etc/selinux/([^/]*/)?users(/.*)? --   gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
+/etc/selinux/([^/]*/)?users(/.*)? --   gen_context(system_u:object_r:selinux_config_t,s0)
 
 #
 # /root
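Review bot: This hunk lowers the MLS level of `seusers` and `users(/.*)?` from `mls_systemhigh` to `s0` and retypes the binary policy directory from `policy_config_t` at `mls_systemhigh` to `semanage_store_t` at `s0`, with no comment explaining the downgrade. On the MLS policy the old labels kept the Linux-user-to-SELinux-user mapping and the compiled policy readable only by domains cleared to systemhigh; at `s0` every level can read them, and the binary policy becomes reachable through the new `seutil_read_module_store` interface rather than only the load_policy path gated by `policy_config_t`. If this is deliberate, add a comment above the lines, `# store, seusers and users kept at s0 so semanage/load_policy run at the invoking level — confirm`, and check that leaving `setrans.conf` at `mls_systemhigh` on the line between them is intentional.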
 /usr/sbin/restorecond          --      gen_context(system_u:object_r:restorecond_exec_t,s0)
 /usr/sbin/run_init             --      gen_context(system_u:object_r:run_init_exec_t,s0)
 /usr/sbin/setfiles.*           --      gen_context(system_u:object_r:setfiles_exec_t,s0)
-/usr/sbin/setsebool            --      gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/sbin/setsebool            --      gen_context(system_u:object_r:setsebool_exec_t,s0)
 /usr/sbin/semanage             --      gen_context(system_u:object_r:semanage_exec_t,s0)
 /usr/sbin/semodule             --      gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/share/system-config-selinux/system-config-selinux-dbus\.py                --      gen_context(system_u:object_r:semanage_exec_t,s0)
 
 #
 # /var/run
 #
 /var/run/restorecond\.pid      --      gen_context(system_u:object_r:restorecond_var_run_t,s0)
+
+#
+# /var/lib
+#
+/var/lib/selinux(/.*)?                 gen_context(system_u:object_r:selinux_var_lib_t,s0)
+
+/etc/share/selinux/targeted(/.*)?      gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/share/selinux/mls(/.*)?           gen_context(system_u:object_r:semanage_store_t,s0)
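Review bot: `/etc/share/selinux/targeted(/.*)?` and `/etc/share/selinux/mls(/.*)?` look like a mis-typed `/usr/share/selinux/...`: the policy module packages are installed under /usr/share/selinux/<store>, and nothing in this diff or the standard layout places a `share` directory under /etc, so as written these two entries would match nothing and the intended files would keep a generic /usr label. If /usr/share is the target, change them to `/usr/share/selinux/targeted(/.*)?` and `/usr/share/selinux/mls(/.*)?` and move them into the `/usr` section of the file instead of after the `/var/lib` block. Either way a comment stating what lives there (`# packaged policy modules, readable via seutil_read_module_store`) would make the choice of `semanage_store_t` checkable.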
index 170e2c7258d663967cea71768999d78ecf543402..bbaa8cfe2519a1603a20823f2edcc7060a934fdf 100644 (file)
@@ -85,6 +85,10 @@ interface(`seutil_domtrans_loadpolicy',`
 
        corecmd_search_bin($1)
        domtrans_pattern($1, load_policy_exec_t, load_policy_t)
+
+       ifdef(`hide_broken_symptoms', `
+               dontaudit load_policy_t $1:socket_class_set { read write };
+       ')
 ')
 
 ########################################
@@ -359,6 +363,27 @@ interface(`seutil_exec_restorecon',`
        seutil_exec_setfiles($1)
 ')
 
+########################################
+## <summary>
+##     Execute restorecond in the caller domain. 
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_exec_restorecond',`
+       gen_require(`
+               type restorecond_exec_t;
+       ')
+
+       files_search_usr($1)
+       corecmd_search_bin($1)
+       can_exec($1, restorecond_exec_t)
+')
+
 ########################################
 ## <summary>
 ##     Execute run_init in the run_init domain.
@@ -514,6 +539,10 @@ interface(`seutil_domtrans_setfiles',`
        files_search_usr($1)
        corecmd_search_bin($1)
        domtrans_pattern($1, setfiles_exec_t, setfiles_t)
+
+       ifdef(`hide_broken_symptoms', `
+               dontaudit setfiles_t $1:socket_class_set { read write };
+       ')
 ')
 
 ########################################
@@ -543,6 +572,53 @@ interface(`seutil_run_setfiles',`
        role $2 types setfiles_t;
 ')
 
+########################################
+## <summary>
+##     Execute setfiles in the setfiles domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`seutil_domtrans_setfiles_mac',`
+       gen_require(`
+               type setfiles_mac_t, setfiles_exec_t;
+       ')
+
+       files_search_usr($1)
+       corecmd_search_bin($1)
+       domtrans_pattern($1, setfiles_exec_t, setfiles_mac_t)
+')
+
+########################################
+## <summary>
+##     Execute setfiles in the setfiles_mac domain, and
+##     allow the specified role the setfiles_mac domain,
+##     and use the caller's terminal.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     The role to be allowed the setfiles_mac domain.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_run_setfiles_mac',`
+       gen_require(`
+               type setfiles_mac_t;
+       ')
+
+       seutil_domtrans_setfiles_mac($1)
+       role $2 types setfiles_mac_t;
+')
+
 ########################################
 ## <summary>
 ##     Execute setfiles in the caller domain.
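Review bot: The summary of `seutil_domtrans_setfiles_mac` says `Execute setfiles in the setfiles domain.` but the interface transitions to `setfiles_mac_t`, a copy-paste from `seutil_domtrans_setfiles` above; it should read `## Execute setfiles in the setfiles_mac domain.` so the generated interface reference distinguishes the two. `seutil_run_setfiles_mac` documents the domain correctly, so only the domtrans summary needs the fix. No hunk in this view declares `setfiles_mac_t` in seutil.te — confirm it is declared elsewhere in the commit, otherwise both interfaces fail their `gen_require`.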
@@ -690,6 +766,7 @@ interface(`seutil_manage_config',`
        ')
 
        files_search_etc($1)
+       manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
        manage_files_pattern($1, selinux_config_t, selinux_config_t)
        read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
 ')
@@ -1005,6 +1082,30 @@ interface(`seutil_domtrans_semanage',`
        files_search_usr($1)
        corecmd_search_bin($1)
        domtrans_pattern($1, semanage_exec_t, semanage_t)
+
+       ifdef(`hide_broken_symptoms', `
+               dontaudit semanage_t $1:socket_class_set { read write };
+       ')
+')
+
+########################################
+## <summary>
+##     Execute a domain transition to run setsebool.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to transition.
+##     </summary>
+## </param>
+#
+interface(`seutil_domtrans_setsebool',`
+       gen_require(`
+               type setsebool_t, setsebool_exec_t;
+       ')
+
+       files_search_usr($1)
+       corecmd_search_bin($1)
+       domtrans_pattern($1, setsebool_exec_t, setsebool_t)
 ')
 
 ########################################
@@ -1036,6 +1137,54 @@ interface(`seutil_run_semanage',`
        role $2 types semanage_t;
 ')
 
+########################################
+## <summary>
+##     Execute setsebool in the semanage domain, and
+##     allow the specified role the semanage domain,
+##     and use the caller's terminal.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     The role to be allowed the setsebool domain.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_run_setsebool',`
+       gen_require(`
+               type semanage_t;
+       ')
+
+       seutil_domtrans_setsebool($1)
+       role $2 types setsebool_t;
+')
+
+########################################
+## <summary>
+##     Full management of the semanage
+##     module store.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`seutil_read_module_store',`
+       gen_require(`
+               type selinux_config_t, semanage_store_t;
+       ')
+
+       files_search_etc($1)
+       list_dirs_pattern($1, selinux_config_t, semanage_store_t)
+       read_files_pattern($1, semanage_store_t, semanage_store_t)
+')
+
 ########################################
 ## <summary>
 ##     Full management of the semanage
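Review bot: `seutil_run_setsebool` requires `type semanage_t;` in its gen_require but the rule it emits is `role $2 types setsebool_t;`, so the requirement should be `type setsebool_t;` — as written, semanage_t is never used by the interface and a caller in a module that does not otherwise require setsebool_t has an unresolved type. The summary of the same interface says "Execute setsebool in the semanage domain"; it should read `##     Execute setsebool in the setsebool domain, and` / `##     allow the specified role the setsebool domain,`. `seutil_read_module_store` is documented as "Full management of the semanage module store" but only grants list and read access, so its summary should say `##     Read the semanage module store.`.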
@@ -1149,3 +1298,194 @@ interface(`seutil_dontaudit_libselinux_linked',`
        selinux_dontaudit_get_fs_mount($1)
        seutil_dontaudit_read_config($1)
 ')
+
+#######################################
+## <summary>
+##     All rules necessary to run semanage command
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`seutil_semanage_policy',`
+       gen_require(`
+               type semanage_tmp_t;
+               type policy_config_t;
+       ')
+       allow $1 self:capability { dac_override sys_resource };
+       dontaudit $1 self:capability sys_tty_config;
+       allow $1 self:process signal;
+       allow $1 self:unix_stream_socket create_stream_socket_perms;
+       allow $1 self:unix_dgram_socket create_socket_perms;
+       logging_send_audit_msgs($1)
+
+       # Running genhomedircon requires this for finding all users
+       auth_use_nsswitch($1)
+
+       allow $1 policy_config_t:file { read write };
+
+       allow $1 semanage_tmp_t:dir manage_dir_perms;
+       allow $1 semanage_tmp_t:file manage_file_perms;
+       files_tmp_filetrans($1, semanage_tmp_t, { file dir })
+
+       kernel_read_system_state($1)
+       kernel_read_kernel_sysctls($1)
+
+       corecmd_exec_bin($1)
+       corecmd_exec_shell($1)
+
+       dev_read_urand($1)
+
+       domain_use_interactive_fds($1)
+
+       files_read_etc_files($1)
+       files_read_etc_runtime_files($1)
+       files_read_usr_files($1)
+       files_list_pids($1)
+       fs_list_inotifyfs($1)
+       fs_getattr_all_fs($1)
+
+       mls_file_write_all_levels($1)
+       mls_file_read_all_levels($1)
+
+       selinux_getattr_fs($1)
+       selinux_validate_context($1)
+       selinux_get_enforce_mode($1)
+
+       term_use_all_terms($1)
+
+       locallogin_use_fds($1)
+
+       logging_send_syslog_msg($1)
+
+       miscfiles_read_localization($1)
+
+       seutil_search_default_contexts($1)
+       seutil_domtrans_loadpolicy($1)
+       seutil_read_config($1)
+       seutil_manage_bin_policy($1)
+       seutil_use_newrole_fds($1)
+       seutil_manage_module_store($1)
+       seutil_get_semanage_trans_lock($1)
+       seutil_get_semanage_read_lock($1)
+
+       userdom_dontaudit_write_user_home_content_files($1)
+
+')
+
+
+#######################################
+## <summary>
+##     All rules necessary to run setfiles command
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`seutil_setfiles',`
+
+allow $1 self:capability { dac_override dac_read_search fowner };
+dontaudit $1 self:capability sys_tty_config;
+allow $1 self:fifo_file rw_file_perms;
+dontaudit $1 self:dir relabelfrom;
+dontaudit $1 self:file relabelfrom;
+dontaudit $1 self:lnk_file relabelfrom;
+
+
+allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
+allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
+allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
+
+logging_send_audit_msgs($1)
+
+kernel_read_system_state($1)
+kernel_relabelfrom_unlabeled_dirs($1)
+kernel_relabelfrom_unlabeled_files($1)
+kernel_relabelfrom_unlabeled_symlinks($1)
+kernel_relabelfrom_unlabeled_pipes($1)
+kernel_relabelfrom_unlabeled_sockets($1)
+kernel_use_fds($1)
+kernel_rw_pipes($1)
+kernel_rw_unix_dgram_sockets($1)
+kernel_dontaudit_list_all_proc($1)
+kernel_read_all_sysctls($1)
+kernel_read_network_state_symlinks($1)
+
+dev_relabel_all_dev_nodes($1)
+
+domain_use_interactive_fds($1)
+domain_read_all_domains_state($1)
+files_read_etc_runtime_files($1)
+files_read_etc_files($1)
+files_list_all($1)
+files_relabel_all_files($1)
+files_list_isid_type_dirs($1)
+files_read_isid_type_files($1)
+files_dontaudit_read_all_symlinks($1)
+
+fs_getattr_xattr_fs($1)
+fs_list_all($1)
+fs_getattr_all_files($1)
+fs_search_auto_mountpoints($1)
+fs_relabelfrom_noxattr_fs($1)
+
+mls_file_read_all_levels($1)
+mls_file_write_all_levels($1)
+mls_file_upgrade($1)
+mls_file_downgrade($1)
+
+selinux_validate_context($1)
+selinux_compute_access_vector($1)
+selinux_compute_create_context($1)
+selinux_compute_relabel_context($1)
+selinux_compute_user_contexts($1)
+
+term_use_all_terms($1)
+
+# this is to satisfy the assertion:
+auth_relabelto_shadow($1)
+
+init_use_fds($1)
+init_use_script_fds($1)
+init_use_script_ptys($1)
+init_exec_script_files($1)
+
+logging_send_syslog_msg($1)
+
+miscfiles_read_localization($1)
+
+seutil_libselinux_linked($1)
+
+userdom_use_all_users_fds($1)
+# for config files in a home directory
+userdom_read_user_home_content_files($1)
+
+ifdef(`distro_debian',`
+       # udev tmpfs is populated with static device nodes
+       # and then relabeled afterwards; thus
+       # /dev/console has the tmpfs type
+       fs_rw_tmpfs_chr_files($1)
+')
+
+ifdef(`distro_redhat',`
+       fs_rw_tmpfs_chr_files($1)
+       fs_rw_tmpfs_blk_files($1)
+       fs_relabel_tmpfs_blk_file($1)
+       fs_relabel_tmpfs_chr_file($1)
+')
+
+ifdef(`distro_ubuntu',`
+       optional_policy(`
+               unconfined_domain($1)
+       ')
+')
+
+optional_policy(`
+       hotplug_use_fds($1)
+')
+')
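Review bot: `seutil_setfiles` references policy_src_t, policy_config_t, file_context_t and default_context_t directly in its three allow rules but has no gen_require block, so it only links from modules that already require those types; add `gen_require(\`` / `type policy_src_t, policy_config_t, file_context_t, default_context_t;` / `')` at the top of the interface, as `seutil_semanage_policy` above does for its types. The body of `seutil_setfiles` is at column 0 while every other interface in the file indents its body with a tab. In moving the setfiles rules into a shared interface, `domain_dontaudit_search_all_domains_state` became `domain_read_all_domains_state` and `kernel_dontaudit_list_all_sysctls` became `kernel_read_all_sysctls`; both are grants rather than audit suppressions and now apply to every caller of the interface, which deserves a comment if intended. `seutil_semanage_policy` ends with a stray blank line before its closing `')`.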
index ff5d72d37db083a2cd225247121947820b98e056..edee96395e044e80a94de4db949c2362244fc2db 100644 (file)
@@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
 type selinux_config_t;
 files_type(selinux_config_t)
 
+type selinux_var_lib_t;
+files_type(selinux_var_lib_t)
+
 type checkpolicy_t, can_write_binary_policy;
 type checkpolicy_exec_t;
 application_domain(checkpolicy_t, checkpolicy_exec_t)
@@ -57,8 +60,9 @@ domain_interactive_fd(newrole_t)
 # policy_config_t is the type of /etc/security/selinux/*
 # the security server policy configuration.
 #
-type policy_config_t;
-files_type(policy_config_t)
+#type policy_config_t;
+#files_type(policy_config_t)
+typealias semanage_store_t alias policy_config_t;
 
 neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
 #neverallow ~can_write_binary_policy policy_config_t:file { write append };
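Review bot: making policy_config_t an alias of semanage_store_t means the `neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;` two lines below now covers every file in the module store rather than only the binary policy, so any domain that relabels semanage_store_t files must carry can_relabelto_binary_policy or the build fails on the assertion; a comment above the typealias stating that this widening is intended would save the next reader a search. The commented-out `#type policy_config_t;` / `#files_type(policy_config_t)` lines should be deleted rather than left as dead text, since version control keeps the history.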
@@ -74,7 +78,6 @@ type restorecond_t;
 type restorecond_exec_t;
 init_daemon_domain(restorecond_t, restorecond_exec_t)
 domain_obj_id_change_exemption(restorecond_t)
-role system_r types restorecond_t;
 
 type restorecond_var_run_t;
 files_pid_file(restorecond_var_run_t)
@@ -88,9 +91,14 @@ role system_r types run_init_t;
 type semanage_t;
 type semanage_exec_t;
 application_domain(semanage_t, semanage_exec_t)
+dbus_system_domain(semanage_t, semanage_exec_t)
 domain_interactive_fd(semanage_t)
 role system_r types semanage_t;
 
+type setsebool_t;
+type setsebool_exec_t;
+init_system_domain(setsebool_t, setsebool_exec_t)
+
 type semanage_store_t;
 files_type(semanage_store_t)
 
@@ -108,6 +116,11 @@ type setfiles_exec_t alias restorecon_exec_t;
 init_system_domain(setfiles_t, setfiles_exec_t)
 domain_obj_id_change_exemption(setfiles_t)
 
+type setfiles_mac_t;
+domain_type(setfiles_mac_t)
+domain_entry_file(setfiles_mac_t, setfiles_exec_t)
+domain_obj_id_change_exemption(setfiles_mac_t)
+
 ########################################
 #
 # Checkpolicy local policy
@@ -176,6 +189,7 @@ term_list_ptys(load_policy_t)
 
 init_use_script_fds(load_policy_t)
 init_use_script_ptys(load_policy_t)
+init_write_script_pipes(load_policy_t)
 
 miscfiles_read_localization(load_policy_t)
 
@@ -216,7 +230,7 @@ allow newrole_t self:msgq create_msgq_perms;
 allow newrole_t self:msg { send receive };
 allow newrole_t self:unix_dgram_socket sendto;
 allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+logging_send_audit_msgs(newrole_t)
 
 read_files_pattern(newrole_t, default_context_t, default_context_t)
 read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
@@ -260,25 +274,25 @@ term_relabel_all_ptys(newrole_t)
 term_getattr_unallocated_ttys(newrole_t)
 term_dontaudit_use_unallocated_ttys(newrole_t)
 
-auth_use_nsswitch(newrole_t)
-auth_domtrans_chk_passwd(newrole_t)
-auth_domtrans_upd_passwd(newrole_t)
-auth_rw_faillog(newrole_t)
+auth_use_pam(newrole_t)
 
 # Write to utmp.
 init_rw_utmp(newrole_t)
 init_use_fds(newrole_t)
 
-logging_send_syslog_msg(newrole_t)
-
 miscfiles_read_localization(newrole_t)
 
 seutil_libselinux_linked(newrole_t)
 
+userdom_use_unpriv_users_fds(newrole_t)
 # for some PAM modules and for cwd
 userdom_dontaudit_search_user_home_content(newrole_t)
 userdom_search_user_home_dirs(newrole_t)
 
+optional_policy(`
+       xserver_dontaudit_exec_xauth(newrole_t)
+')
+
 ifdef(`distro_ubuntu',`
        optional_policy(`
                unconfined_domain(newrole_t)
@@ -312,6 +326,8 @@ kernel_use_fds(restorecond_t)
 kernel_rw_pipes(restorecond_t)
 kernel_read_system_state(restorecond_t)
 
+files_dontaudit_read_all_symlinks(restorecond_t)
+
 fs_relabelfrom_noxattr_fs(restorecond_t)
 fs_dontaudit_list_nfs(restorecond_t)
 fs_getattr_xattr_fs(restorecond_t)
@@ -335,6 +351,8 @@ miscfiles_read_localization(restorecond_t)
 
 seutil_libselinux_linked(restorecond_t)
 
+userdom_read_user_home_content_symlinks(restorecond_t)
+
 ifdef(`distro_ubuntu',`
        optional_policy(`
                unconfined_domain(restorecond_t)
@@ -353,7 +371,7 @@ optional_policy(`
 allow run_init_t self:process setexec;
 allow run_init_t self:capability setuid;
 allow run_init_t self:fifo_file rw_file_perms;
-allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+logging_send_audit_msgs(run_init_t)
 
 # often the administrator runs such programs from a directory that is owned
 # by a different user or has restrictive SE permissions, do not want to audit
@@ -405,6 +423,10 @@ ifndef(`direct_sysadm_daemon',`
        ')
 ')
 
+optional_policy(`
+       rpm_domtrans(run_init_t)
+')
+
 ifdef(`distro_ubuntu',`
        optional_policy(`
                unconfined_domain(run_init_t)
@@ -420,61 +442,22 @@ optional_policy(`
 # semodule local policy
 #
 
-allow semanage_t self:capability { dac_override audit_write };
-allow semanage_t self:unix_stream_socket create_stream_socket_perms;
-allow semanage_t self:unix_dgram_socket create_socket_perms;
-allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
-allow semanage_t policy_config_t:file rw_file_perms;
-
-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
-allow semanage_t semanage_tmp_t:file manage_file_perms;
-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
-
-kernel_read_system_state(semanage_t)
-kernel_read_kernel_sysctls(semanage_t)
-
-corecmd_exec_bin(semanage_t)
+seutil_semanage_policy(semanage_t)
+allow semanage_t self:fifo_file rw_fifo_file_perms;
 
-dev_read_urand(semanage_t)
+manage_dirs_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
+manage_files_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
 
-domain_use_interactive_fds(semanage_t)
-
-files_read_etc_files(semanage_t)
-files_read_etc_runtime_files(semanage_t)
-files_read_usr_files(semanage_t)
-files_list_pids(semanage_t)
-
-mls_file_write_all_levels(semanage_t)
-mls_file_read_all_levels(semanage_t)
-
-selinux_validate_context(semanage_t)
-selinux_get_enforce_mode(semanage_t)
-selinux_getattr_fs(semanage_t)
-# for setsebool:
 selinux_set_all_booleans(semanage_t)
+can_exec(semanage_t, semanage_exec_t)
 
-term_use_all_terms(semanage_t)
-
-# Running genhomedircon requires this for finding all users
-auth_use_nsswitch(semanage_t)
+# Admins are creating pp files in random locations
+auth_read_all_files_except_shadow(semanage_t)
 
-locallogin_use_fds(semanage_t)
-
-logging_send_syslog_msg(semanage_t)
-
-miscfiles_read_localization(semanage_t)
-
-seutil_libselinux_linked(semanage_t)
 seutil_manage_file_contexts(semanage_t)
 seutil_manage_config(semanage_t)
 seutil_domtrans_setfiles(semanage_t)
-seutil_domtrans_loadpolicy(semanage_t)
-seutil_manage_bin_policy(semanage_t)
-seutil_use_newrole_fds(semanage_t)
-seutil_manage_module_store(semanage_t)
-seutil_get_semanage_trans_lock(semanage_t)
-seutil_get_semanage_read_lock(semanage_t)
+
 # netfilter_contexts:
 seutil_manage_default_contexts(semanage_t)
 
@@ -483,12 +466,23 @@ ifdef(`distro_debian',`
        files_read_var_lib_symlinks(semanage_t)
 ')
 
+optional_policy(`
+       setrans_initrc_domtrans(semanage_t)
+        domain_system_change_exemption(semanage_t)
+       consoletype_exec(semanage_t)
+')
+
 ifdef(`distro_ubuntu',`
        optional_policy(`
                unconfined_domain(semanage_t)
        ')
 ')
 
+optional_policy(`
+       #signal mcstrans on reload
+       init_spec_domtrans_script(semanage_t)
+')
+
 # cjp: need a more general way to handle this:
 ifdef(`enable_mls',`
        # read secadm tmp files
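Review bot: the optional_policy block at the top of this hunk mixes interfaces from two modules (setrans, consoletype) with the core `domain_system_change_exemption(semanage_t)`, which is not optional and belongs outside the block; split it into one `optional_policy` per module so that a missing setrans module does not also drop the consoletype rule. The `domain_system_change_exemption` line is indented with spaces while the surrounding lines use tabs.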
@@ -498,112 +492,50 @@ ifdef(`enable_mls',`
        userdom_read_user_tmp_files(semanage_t)
 ')
 
-########################################
+userdom_search_admin_dir(semanage_t)
+
+####################################n####
 #
-# Setfiles local policy
+# setsebool local policy
 #
+seutil_semanage_policy(setsebool_t)
+selinux_set_all_booleans(setsebool_t)
 
-allow setfiles_t self:capability { dac_override dac_read_search fowner };
-dontaudit setfiles_t self:capability sys_tty_config;
-allow setfiles_t self:fifo_file rw_file_perms;
-
-allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
-allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
-allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
-
-kernel_read_system_state(setfiles_t)
-kernel_relabelfrom_unlabeled_dirs(setfiles_t)
-kernel_relabelfrom_unlabeled_files(setfiles_t)
-kernel_relabelfrom_unlabeled_symlinks(setfiles_t)
-kernel_relabelfrom_unlabeled_pipes(setfiles_t)
-kernel_relabelfrom_unlabeled_sockets(setfiles_t)
-kernel_use_fds(setfiles_t)
-kernel_rw_pipes(setfiles_t)
-kernel_rw_unix_dgram_sockets(setfiles_t)
-kernel_dontaudit_list_all_proc(setfiles_t)
-kernel_dontaudit_list_all_sysctls(setfiles_t)
-
-dev_relabel_all_dev_nodes(setfiles_t)
-
-domain_use_interactive_fds(setfiles_t)
-domain_dontaudit_search_all_domains_state(setfiles_t)
-
-files_read_etc_runtime_files(setfiles_t)
-files_read_etc_files(setfiles_t)
-files_list_all(setfiles_t)
-files_relabel_all_files(setfiles_t)
-files_read_usr_symlinks(setfiles_t)
-
-fs_getattr_xattr_fs(setfiles_t)
-fs_list_all(setfiles_t)
-fs_search_auto_mountpoints(setfiles_t)
-fs_relabelfrom_noxattr_fs(setfiles_t)
-
-mls_file_read_all_levels(setfiles_t)
-mls_file_write_all_levels(setfiles_t)
-mls_file_upgrade(setfiles_t)
-mls_file_downgrade(setfiles_t)
-
-selinux_validate_context(setfiles_t)
-selinux_compute_access_vector(setfiles_t)
-selinux_compute_create_context(setfiles_t)
-selinux_compute_relabel_context(setfiles_t)
-selinux_compute_user_contexts(setfiles_t)
-
-term_use_all_ttys(setfiles_t)
-term_use_all_ptys(setfiles_t)
-term_use_unallocated_ttys(setfiles_t)
-
-# this is to satisfy the assertion:
-auth_relabelto_shadow(setfiles_t)
-
-init_use_fds(setfiles_t)
-init_use_script_fds(setfiles_t)
-init_use_script_ptys(setfiles_t)
-init_exec_script_files(setfiles_t)
-
-logging_send_syslog_msg(setfiles_t)
-
-miscfiles_read_localization(setfiles_t)
+init_dontaudit_use_fds(setsebool_t)
 
-seutil_libselinux_linked(setfiles_t)
+# Bug in semanage
+seutil_domtrans_setfiles(setsebool_t)
+seutil_manage_file_contexts(setsebool_t)
+seutil_manage_default_contexts(setsebool_t)
+seutil_manage_config(setsebool_t)
 
-userdom_use_all_users_fds(setfiles_t)
-# for config files in a home directory
-userdom_read_user_home_content_files(setfiles_t)
+########################################
+#
+# Setfiles local policy
+#
 
-ifdef(`distro_debian',`
-       # udev tmpfs is populated with static device nodes
-       # and then relabeled afterwards; thus
-       # /dev/console has the tmpfs type
-       fs_rw_tmpfs_chr_files(setfiles_t)
-')
+seutil_setfiles(setfiles_t)
+# During boot in Rawhide
+term_use_generic_ptys(setfiles_t)
 
-ifdef(`distro_redhat', `
-       fs_rw_tmpfs_chr_files(setfiles_t)
-       fs_rw_tmpfs_blk_files(setfiles_t)
-       fs_relabel_tmpfs_blk_file(setfiles_t)
-       fs_relabel_tmpfs_chr_file(setfiles_t)
-')
+seutil_setfiles(setfiles_mac_t)
+allow setfiles_mac_t self:capability2 mac_admin;
+kernel_relabelto_unlabeled(setfiles_mac_t)
 
-ifdef(`distro_ubuntu',`
-       optional_policy(`
-               unconfined_domain(setfiles_t)
-       ')
+optional_policy(`
+       files_dontaudit_write_isid_chr_files(setfiles_mac_t)
+       livecd_dontaudit_leaks(setfiles_mac_t)
+       livecd_rw_tmp_files(setfiles_mac_t)
+       dev_dontaudit_write_all_chr_files(setfiles_mac_t)
 ')
 
 ifdef(`hide_broken_symptoms',`
        optional_policy(`
-               udev_dontaudit_rw_dgram_sockets(setfiles_t)
-       ')
-
-       # cjp: cover up stray file descriptors.
-       optional_policy(`
-               unconfined_dontaudit_read_pipes(setfiles_t)
-               unconfined_dontaudit_rw_tcp_sockets(setfiles_t)
+               setroubleshoot_fixit_dontaudit_leaks(setfiles_t)
+               setroubleshoot_fixit_dontaudit_leaks(setsebool_t)
        ')
 ')
 
 optional_policy(`
-       hotplug_use_fds(setfiles_t)
+       unconfined_domain(setfiles_mac_t)
 ')
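Review bot: the `# Bug in semanage` comment above `seutil_domtrans_setfiles(setsebool_t)` does not say what fails, yet the four lines under it give setsebool_t management of file_contexts, default_contexts and the config directory on top of the full `seutil_semanage_policy` set, which makes setsebool_t roughly as capable as semanage_t; the comment should name the failing operation and the tracking bug, e.g. `# Workaround for <BUG-ID>: setsebool -P <what it does>; remove when fixed`, so the grant can be withdrawn later. `unconfined_domain(setfiles_mac_t)` in the last optional_policy block makes the separate setfiles_mac_t domain and its `mac_admin` capability largely decorative whenever the unconfined module is loaded, which deserves a comment on intent. The section header `####################################n####` has a stray `n`.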
index 4ec45a4828bed57aefacc32f4e0599405c28c97d..4488c6d8b6898c060d6ea81153212fa98afa727e 100644 (file)
@@ -12,6 +12,7 @@ gen_require(`
 type setrans_t;
 type setrans_exec_t;
 init_daemon_domain(setrans_t, setrans_exec_t)
+mls_trusted_object(setrans_t)
 
 type setrans_initrc_exec_t;
 init_script_file(setrans_initrc_exec_t)
@@ -44,9 +45,10 @@ can_exec(setrans_t, setrans_exec_t)
 corecmd_search_bin(setrans_t)
 
 # create unix domain socket in /var
+manage_dirs_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t)
 manage_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t)
 manage_sock_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t)
-files_pid_filetrans(setrans_t, setrans_var_run_t, file)
+files_pid_filetrans(setrans_t, setrans_var_run_t, { file dir })
 
 kernel_read_kernel_sysctls(setrans_t)
 kernel_read_proc_symlinks(setrans_t)
diff --git a/policy/modules/system/sosreport.fc b/policy/modules/system/sosreport.fc
new file mode 100644 (file)
index 0000000..0928140
--- /dev/null
@@ -0,0 +1,2 @@
+
+/usr/sbin/sosreport    --      gen_context(system_u:object_r:sosreport_exec_t,s0)
diff --git a/policy/modules/system/sosreport.if b/policy/modules/system/sosreport.if
new file mode 100644 (file)
index 0000000..fec3374
--- /dev/null
@@ -0,0 +1,131 @@
+
+## <summary>policy for sosreport</summary>
+
+########################################
+## <summary>
+##     Execute a domain transition to run sosreport.
+## </summary>
+## <param name="domain">
+## <summary>
+##     Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sosreport_domtrans',`
+       gen_require(`
+               type sosreport_t, sosreport_exec_t;
+       ')
+
+       domtrans_pattern($1, sosreport_exec_t, sosreport_t)
+')
+
+
+########################################
+## <summary>
+##     Execute sosreport in the sosreport domain, and
+##     allow the specified role the sosreport domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     The role to be allowed the sosreport domain.
+##     </summary>
+## </param>
+#
+interface(`sosreport_run',`
+       gen_require(`
+               type sosreport_t;
+       ')
+
+       sosreport_domtrans($1)
+       role $2 types sosreport_t;
+')
+
+########################################
+## <summary>
+##     Role access for sosreport
+## </summary>
+## <param name="role">
+##     <summary>
+##     Role allowed access
+##     </summary>
+## </param>
+## <param name="domain">
+##     <summary>
+##     User domain for the role
+##     </summary>
+## </param>
+#
+interface(`sosreport_role',`
+       gen_require(`
+              type sosreport_t;
+       ')
+
+       role $1 types sosreport_t;
+
+       sosreport_domtrans($2)
+
+       ps_process_pattern($2, sosreport_t)
+       allow $2 sosreport_t:process signal;
+')
+
+########################################
+## <summary>
+##     Allow the specified domain to read
+##     sosreport tmp files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`sosreport_read_tmp_files',`
+       gen_require(`
+               type sosreport_tmp_t;
+       ')
+
+       files_search_tmp($1)
+       read_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
+')
+
+########################################
+## <summary>
+##     Delete sosreport tmp files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`sosreport_delete_tmp_files',`
+       gen_require(`
+               type sosreport_tmp_t;
+       ')
+
+       files_delete_tmp_dir_entry($1)
+       delete_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
+')
+
+########################################
+## <summary>
+##     Append sosreport tmp files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`sosreport_append_tmp_files',`
+       gen_require(`
+               type sosreport_tmp_t;
+       ')
+
+       allow $1 sosreport_tmp_t:file append;
+')
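Review bot: `sosreport_run` grants `role $2 types sosreport_t;` but its doc block lacks the `## <rolecap/>` tag that the other run-style interfaces in this commit (for example `seutil_run_setsebool`) carry, so role-capability documentation generated from the headers will miss it. `sosreport_role` indents `type sosreport_t;` with spaces instead of a tab, and the file opens with a blank line before the `## <summary>policy for sosreport</summary>` header.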
diff --git a/policy/modules/system/sosreport.te b/policy/modules/system/sosreport.te
new file mode 100644 (file)
index 0000000..c15bcea
--- /dev/null
@@ -0,0 +1,154 @@
+policy_module(sosreport,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type sosreport_t;
+type sosreport_exec_t;
+application_domain(sosreport_t, sosreport_exec_t)
+role system_r types sosreport_t;
+
+type sosreport_tmp_t;
+files_tmp_file(sosreport_tmp_t)
+
+type sosreport_tmpfs_t;
+files_tmpfs_file(sosreport_tmpfs_t)
+
+########################################
+#
+# sosreport local policy
+#
+
+allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice sys_ptrace dac_override };
+allow sosreport_t self:process { setsched signull };
+
+allow sosreport_t self:fifo_file rw_fifo_file_perms;
+allow sosreport_t self:tcp_socket create_stream_socket_perms;
+allow sosreport_t self:udp_socket create_socket_perms;
+allow sosreport_t self:unix_dgram_socket create_socket_perms;
+allow sosreport_t self:netlink_route_socket r_netlink_socket_perms;
+allow sosreport_t self:unix_stream_socket create_stream_socket_perms;
+
+# sosreport tmp files 
+manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
+manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
+manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
+files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir })
+
+manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t)
+fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t,file)
+
+kernel_read_network_state(sosreport_t)
+kernel_read_all_sysctls(sosreport_t)
+kernel_read_software_raid_state(sosreport_t)
+kernel_search_debugfs(sosreport_t)
+kernel_read_messages(sosreport_t)
+
+corecmd_exec_all_executables(sosreport_t)
+
+dev_getattr_all_chr_files(sosreport_t)
+dev_getattr_all_blk_files(sosreport_t)
+dev_getattr_generic_chr_files(sosreport_t)
+dev_getattr_generic_blk_files(sosreport_t)
+dev_getattr_mtrr_dev(sosreport_t)
+
+dev_read_rand(sosreport_t)
+dev_read_urand(sosreport_t)
+dev_read_raw_memory(sosreport_t)
+dev_read_sysfs(sosreport_t)
+
+domain_getattr_all_domains(sosreport_t)
+domain_read_all_domains_state(sosreport_t)
+domain_getattr_all_sockets(sosreport_t)
+domain_getattr_all_pipes(sosreport_t)
+domain_signull_all_domains(sosreport_t)
+
+# for blkid.tab
+files_manage_etc_runtime_files(sosreport_t)
+files_etc_filetrans_etc_runtime(sosreport_t, file)
+
+files_getattr_all_sockets(sosreport_t)
+files_exec_etc_files(sosreport_t)
+files_list_all(sosreport_t)
+files_read_config_files(sosreport_t)
+files_read_etc_files(sosreport_t)
+files_read_generic_tmp_files(sosreport_t)
+files_read_usr_files(sosreport_t)
+files_read_var_lib_files(sosreport_t)
+files_read_var_symlinks(sosreport_t)
+files_read_kernel_modules(sosreport_t)
+files_read_all_symlinks(sosreport_t)
+
+fs_getattr_all_fs(sosreport_t)
+fs_list_inotifyfs(sosreport_t)
+
+# cjp: some config files do not have configfile attribute
+# sosreport needs to read various files on system
+auth_read_all_files_except_shadow(sosreport_t)
+auth_use_nsswitch(sosreport_t)
+
+init_domtrans_script(sosreport_t)
+
+libs_domtrans_ldconfig(sosreport_t)
+
+logging_read_all_logs(sosreport_t)
+logging_send_syslog_msg(sosreport_t)
+
+miscfiles_read_localization(sosreport_t)
+
+# needed by modinfo
+modutils_read_module_deps(sosreport_t)
+
+sysnet_read_config(sosreport_t)
+
+optional_policy(`
+       abrt_manage_pid_files(sosreport_t)
+')
+
+optional_policy(`
+       cups_stream_connect(sosreport_t)
+')
+
+optional_policy(`
+       dmesg_domtrans(sosreport_t)
+')
+
+optional_policy(`
+       fstools_domtrans(sosreport_t)
+')
+
+optional_policy(`
+       dbus_system_bus_client(sosreport_t)
+
+       optional_policy(`
+               hal_dbus_chat(sosreport_t)
+       ')
+')
+
+optional_policy(`
+    lvm_domtrans(sosreport_t)
+')
+
+optional_policy(`
+       mount_domtrans(sosreport_t)
+')
+
+optional_policy(`
+       pulseaudio_stream_connect(sosreport_t)
+')
+
+optional_policy(`
+    rpm_exec(sosreport_t)
+    rpm_dontaudit_manage_db(sosreport_t)
+    rpm_read_db(sosreport_t)
+')
+
+optional_policy(`
+       xserver_stream_connect(sosreport_t)
+')
+
+optional_policy(`
+       unconfined_domain(sosreport_t)
+')
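Review bot: `unconfined_domain(sosreport_t)` in the last optional_policy block makes sosreport_t fully unconfined whenever the unconfined module is loaded, so the preceding confinement rules only take effect without that module; a comment above it stating that this is the intended deployment (confinement available but not enforced by default) and a note on when it should be removed would make the decision explicit. Several grants are strong enough to warrant a one-line justification naming the sosreport plugin that needs them, in particular `dev_read_raw_memory(sosreport_t)` and the `sys_admin sys_ptrace net_admin` capabilities. Indentation is inconsistent: the lvm and rpm optional_policy blocks use four spaces where the rest of the file uses tabs, and `fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t,file)` is missing a space after the last comma.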
index 726619b46b996c9b3b05dee620e9d0b513abef00..4bb31589b636113a9d9b09152061d19384ee4771 100644 (file)
@@ -64,3 +64,5 @@ ifdef(`distro_redhat',`
 ifdef(`distro_gentoo',`
 /var/lib/dhcpc(/.*)?           gen_context(system_u:object_r:dhcpc_state_t,s0)
 ')
+
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
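Review bot: the new `/etc/firestarter/firestarter\.sh` entry has no object-class field, unlike the existing entries in this file which use `--` for regular files; without it the context also applies to a directory or symlink at that path, so `/etc/firestarter/firestarter\.sh -- gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)` is the more precise form. dhcpc_helper_exec_t must be declared in sysnetwork.te; that declaration is outside this hunk.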
index 8e71fb7af2f58b0fee270e5dc2b50ecc85a9813c..350d003dd4f5d6492498e3e4526ec03bfce0d303 100644 (file)
@@ -60,6 +60,24 @@ interface(`sysnet_run_dhcpc',`
                netutils_run(dhcpc_t, $2)
                netutils_run_ping(dhcpc_t, $2)
        ')
+
+       optional_policy(`
+               networkmanager_run(dhcpc_t, $2)
+       ')
+
+       optional_policy(`
+               nis_run_ypbind(dhcpc_t, $2)
+       ')
+
+       optional_policy(`
+               nscd_run(dhcpc_t, $2)
+       ')
+
+       optional_policy(`
+               ntp_run(dhcpc_t, $2)
+       ')
+
+       seutil_run_setfiles(dhcpc_t, $2)
 ')
 
 ########################################
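Review bot: each `*_run` call added here also emits `role $2 types ...` for its target, so this change lets the caller's role enter the NetworkManager, ypbind, nscd, ntpd and setfiles domains in addition to dhcpc_t; that is presumably needed for the dhclient hook scripts to transition, but the interface summary at the top of `sysnet_run_dhcpc` (outside this hunk) should state that the role is granted these helper domains. `seutil_run_setfiles(dhcpc_t, $2)` is unconditional where the neighbouring calls are wrapped in optional_policy, which is fine if selinuxutil is in base but worth a one-line comment.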
@@ -249,6 +267,43 @@ interface(`sysnet_delete_dhcpc_state',`
        delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
 ')
 
+########################################
+## <summary>
+##     Allow caller to relabel dhcpc_state files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`sysnet_relabelfrom_dhcpc_state',`
+
+       gen_require(`
+               type dhcpc_state_t;
+       ')
+
+       allow $1 dhcpc_state_t:file relabelfrom;
+')
+
+#######################################
+## <summary>
+##     Manage the dhcp client state files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`sysnet_manage_dhcpc_state',`
+       gen_require(`
+               type dhcpc_state_t;
+       ')
+
+       manage_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
+')
+
 #######################################
 ## <summary>
 ##     Set the attributes of network config files.
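Review bot: `sysnet_manage_dhcpc_state` grants file permissions on dhcpc_state_t but gives the caller no search access to the containing directory (for example `files_search_var_lib($1)`), so a caller that does not already have it cannot reach the files; the sibling `sysnet_delete_dhcpc_state` starts outside this hunk, so I cannot confirm whether it includes such a search that this interface should match. `sysnet_relabelfrom_dhcpc_state` has a blank line between the `interface(` line and its gen_require that the other interfaces in the file do not.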
@@ -268,6 +323,44 @@ interface(`sysnet_setattr_config',`
        allow $1 net_conf_t:file setattr;
 ')
 
+#######################################
+## <summary>
+##      Allow caller to relabel net_conf files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`sysnet_relabelfrom_net_conf',`
+
+        gen_require(`
+                type net_conf_t;
+        ')
+
+        allow $1 net_conf_t:file relabelfrom;
+')
+
+######################################
+## <summary>
+##      Allow caller to relabel net_conf files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`sysnet_relabelto_net_conf',`
+
+        gen_require(`
+                type net_conf_t;
+        ')
+
+        allow $1 net_conf_t:file relabelto;
+')
+
 #######################################
 ## <summary>
 ##     Read network config files.
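Review bot: the summary of `sysnet_relabelto_net_conf` is a copy of the one above it, "Allow caller to relabel net_conf files", and should state direction, e.g. `##     Allow caller to relabel files to net_conf_t` here and `##     Allow caller to relabel files from net_conf_t` for `sysnet_relabelfrom_net_conf`. Both new interfaces indent with eight spaces where the rest of the file uses tabs, and the header rule above `sysnet_relabelto_net_conf` is one `#` shorter than the others.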
@@ -403,11 +496,8 @@ interface(`sysnet_manage_config',`
                type net_conf_t;
        ')
 
-       allow $1 net_conf_t:file manage_file_perms;
-
-       ifdef(`distro_redhat',`
-               manage_files_pattern($1, net_conf_t, net_conf_t)
-       ')
+       allow $1 net_conf_t:dir list_dir_perms;
+       manage_files_pattern($1, net_conf_t, net_conf_t)
 ')
 
 #######################################
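Review bot: `allow $1 net_conf_t:dir list_dir_perms;` appears redundant next to `manage_files_pattern($1, net_conf_t, net_conf_t)`, whose directory component already includes the list permissions, so the explicit allow can be dropped unless it is kept deliberately for readability. Removing the `distro_redhat` conditional also changes behaviour on other distributions, which now get directory write access through the pattern; a comment here or a line in the commit message would help reviewers on those distributions.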
@@ -444,6 +534,7 @@ interface(`sysnet_delete_dhcpc_pid',`
                type dhcpc_var_run_t;
        ')
 
+       files_rw_pid_dirs($1)
        allow $1 dhcpc_var_run_t:file unlink;
 ')
 
@@ -464,6 +555,10 @@ interface(`sysnet_domtrans_ifconfig',`
 
        corecmd_search_bin($1)
        domtrans_pattern($1, ifconfig_exec_t, ifconfig_t)
+       ifdef(`hide_broken_symptoms', `
+               dontaudit ifconfig_t $1:socket_class_set { read write };
+       ')
+
 ')
 
 ########################################
@@ -532,6 +627,25 @@ interface(`sysnet_signal_ifconfig',`
        allow $1 ifconfig_t:process signal;
 ')
 
+########################################
+## <summary>
+##     Send a kill signal to iconfig.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sysnet_kill_ifconfig',`
+       gen_require(`
+               type ifconfig_t;
+       ')
+
+       allow $1 ifconfig_t:process sigkill;
+')
+
 ########################################
 ## <summary>
 ##     Read the DHCP configuration files.
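Review bot: the summary of `sysnet_kill_ifconfig` misspells the target: `##     Send a kill signal to iconfig.` should read `##     Send a kill signal to ifconfig.`. The rule itself mirrors the sibling `sysnet_signal_ifconfig` above and needs no change.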
@@ -677,7 +791,10 @@ interface(`sysnet_use_ldap',`
        corenet_tcp_connect_ldap_port($1)
        corenet_sendrecv_ldap_client_packets($1)
 
-       sysnet_read_config($1)
+       files_search_etc($1)
+       allow $1 net_conf_t:file read_file_perms;
+       # LDAP Configuration using encrypted requires
+       dev_read_urand($1)
 ')
 
 ########################################
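Review bot: The direct `allow $1 net_conf_t:file read_file_perms;` references net_conf_t with no visible `gen_require` for it; the start of sysnet_use_ldap, including its gen_require block, is outside the hunk, so if that block does not already declare `type net_conf_t;` the interface will not build in a module. The same replacement of `sysnet_read_config($1)` appears in sysnet_use_portmap in the next hunk and has the same requirement. The new comment `# LDAP Configuration using encrypted requires` is an unfinished sentence; suggest `# LDAP configured with encryption needs to read urandom` to explain the `dev_read_urand($1)` it introduces.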
@@ -709,5 +826,52 @@ interface(`sysnet_use_portmap',`
        corenet_tcp_connect_portmap_port($1)
        corenet_sendrecv_portmap_client_packets($1)
 
-       sysnet_read_config($1)
+       files_search_etc($1)
+       allow $1 net_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##     Do not audit attempts to use
+##     the dhcp file descriptors.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     The domain sending the SIGCHLD.
+##     </summary>
+## </param>
+#
+interface(`sysnet_dontaudit_dhcpc_use_fds',`
+       gen_require(`
+               type dhcpc_t;
+       ')
+
+       dontaudit $1 dhcpc_t:fd use;
+')
+
+########################################
+## <summary>
+##     Transition to system_r when execute an dhclient script
+## </summary>
+## <desc>
+##      <p>
+##     Execute dhclient script in a specified role
+##      </p>
+##      <p>
+##      No interprocess communication (signals, pipes,
+##      etc.) is provided by this interface since
+##      the domains are not owned by this module.
+##      </p>
+## </desc>
+## <param name="source_role">
+##     <summary>
+##     Role to transition from.
+##     </summary>
+## </param>
+interface(`sysnet_role_transition_dhcpc',`
+       gen_require(`
+               type dhcpc_exec_t;
+       ')
+
+       role_transition $1 dhcpc_exec_t system_r;
 ')
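Review bot: The `<param>` summary of sysnet_dontaudit_dhcpc_use_fds says "The domain sending the SIGCHLD.", which is copied from a signal interface and does not describe this dontaudit of `dhcpc_t:fd use`; suggest `##     Domain to not audit.`. In sysnet_role_transition_dhcpc the `gen_require` declares only `type dhcpc_exec_t;` while the body uses `system_r`; unless system_r is globally in scope for interfaces in this policy, add `role system_r;` to the require block as the init interfaces do. That interface also lacks the `#` separator line before `interface(` that every other interface in the file has, and its summary "Transition to system_r when execute an dhclient script" reads better as "Transition to system_r when executing a dhclient script".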
index dfbe7365c92d99359d7a1b131880acb68ace91a7..36638025042ca2d422e5319fbcce221c6245e8f0 100644 (file)
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.0)
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow dhcpc client applications to execute iptables commands
+## </p>
+## </desc>
+gen_tunable(dhcpc_exec_iptables, false)
+
 # this is shared between dhcpc and dhcpd:
 type dhcp_etc_t;
 typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
@@ -19,6 +26,9 @@ type dhcpc_exec_t;
 init_daemon_domain(dhcpc_t, dhcpc_exec_t)
 role system_r types dhcpc_t;
 
+type dhcpc_helper_exec_t;
+init_script_file(dhcpc_helper_exec_t)
+
 type dhcpc_state_t;
 files_type(dhcpc_state_t)
 
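Review bot: `type dhcpc_helper_exec_t;` is declared and registered with `init_script_file`, but nothing else in the visible hunks of sysnetwork.te or sysnetwork.if references it, and no file-context entry for it appears in this chunk. A short comment naming what it labels would make the intent checkable, e.g. `# dhclient helper scripts, treated as init scripts -- TODO confirm paths`, and a matching `.fc` entry should accompany the type if it is not already present elsewhere in the change.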
@@ -57,8 +67,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
 exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
 
 allow dhcpc_t dhcp_state_t:file read_file_perms;
+allow dhcpc_t dhcp_state_t:file relabel_file_perms;
+
 manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t)
 filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
+allow dhcpc_t dhcpc_state_t:file relabel_file_perms;
 
 # create pid file
 manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
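Review bot: The two new `relabel_file_perms` rules give dhcpc_t both relabelfrom and relabelto on dhcp_state_t and dhcpc_state_t, and the next hunk adds the same on net_conf_t, so dhcpc_t can move files freely among these three types, including dhcp_state_t, which by its name appears to be shared with dhcpd like dhcp_etc_t above. None of the rules says why the client needs relabel; if this supports the `seutil_domtrans_setfiles(dhcpc_t)` added later in this file, a comment such as `# dhclient restores contexts on its state and /etc files` at the first rule would document the scope, and `relabelto` alone may suffice where the client only fixes up files it created itself.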
@@ -66,6 +79,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file)
 
 # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
 # in /etc created by dhcpcd will be labelled net_conf_t.
+allow dhcpc_t net_conf_t:file manage_file_perms;
+allow dhcpc_t net_conf_t:file relabel_file_perms;
 sysnet_manage_config(dhcpc_t)
 files_etc_filetrans(dhcpc_t, net_conf_t, file)
 
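Review bot: `allow dhcpc_t net_conf_t:file manage_file_perms;` duplicates what `sysnet_manage_config(dhcpc_t)` two lines below already grants through `manage_files_pattern`, so the new line can be dropped. The `relabel_file_perms` on net_conf_t is a new capability for the client (relabeling /etc/resolv.conf and similar) and should carry a why-comment; the existing comment above only covers read/write.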
@@ -105,11 +120,14 @@ corenet_udp_bind_dhcpc_port(dhcpc_t)
 corenet_tcp_connect_all_ports(dhcpc_t)
 corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
 corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(dhcpc_t)
+corenet_udp_bind_all_unreserved_ports(dhcpc_t) 
 
 dev_read_sysfs(dhcpc_t)
 # for SSP:
 dev_read_urand(dhcpc_t)
 
+domain_obj_id_change_exemption(dhcpc_t)
 domain_use_interactive_fds(dhcpc_t)
 domain_dontaudit_read_all_domains_state(dhcpc_t)
 
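Review bot: `domain_obj_id_change_exemption(dhcpc_t)` exempts dhcpc_t from the constraint that normally stops a domain from changing the SELinux user or role of files it relabels, and it is added with no comment explaining which operation needs it. Together with the relabel rules added earlier in this file this is the broadest new grant in the dhcpc section, so document it, e.g. `# needed when dhclient relabels files owned by other SELinux users -- TODO confirm`, or drop it if the relabel targets are always system_u. `corenet_udp_bind_all_unreserved_ports(dhcpc_t) ` also carries trailing whitespace.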
@@ -130,6 +148,7 @@ term_dontaudit_use_unallocated_ttys(dhcpc_t)
 term_dontaudit_use_generic_ptys(dhcpc_t)
 
 init_rw_utmp(dhcpc_t)
+init_stream_connect(dhcpc_t)
 
 logging_send_syslog_msg(dhcpc_t)
 
@@ -154,6 +173,10 @@ optional_policy(`
        consoletype_domtrans(dhcpc_t)
 ')
 
+optional_policy(`
+       chronyd_initrc_domtrans(dhcpc_t)
+')
+
 optional_policy(`
        init_dbus_chat_script(dhcpc_t)
 
@@ -171,6 +194,8 @@ optional_policy(`
 
 optional_policy(`
        hal_dontaudit_rw_dgram_sockets(dhcpc_t)
+       hal_dontaudit_read_pid_files(dhcpc_t)
+       hal_dontaudit_write_log(dhcpc_t)
 ')
 
 optional_policy(`
@@ -192,6 +217,13 @@ optional_policy(`
 ')
 
 optional_policy(`
+       networkmanager_domtrans(dhcpc_t)
+       networkmanager_read_pid_files(dhcpc_t)
+       networkmanager_read_lib_files(dhcpc_t)
+')
+
+optional_policy(`
+       nis_initrc_domtrans_ypbind(dhcpc_t)
        nis_read_ypbind_pid(dhcpc_t)
 ')
 
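Review bot: `networkmanager_domtrans(dhcpc_t)` lets the DHCP client execute NetworkManager's binary and transition into its domain, which extends a network-facing client's reach into the network management daemon, and the hunk gives no reason for it. If dhclient scripts only need to call a NetworkManager helper, say so in a comment, e.g. `# dhclient-script invokes a NetworkManager helper -- TODO confirm which binary`, so a later reviewer can check whether a narrower exec rule would do.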
@@ -213,6 +245,7 @@ optional_policy(`
 optional_policy(`
        seutil_sigchld_newrole(dhcpc_t)
        seutil_dontaudit_search_config(dhcpc_t)
+       seutil_domtrans_setfiles(dhcpc_t)
 ')
 
 optional_policy(`
@@ -276,8 +309,11 @@ dev_read_urand(ifconfig_t)
 
 domain_use_interactive_fds(ifconfig_t)
 
+read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t)
+
 files_read_etc_files(ifconfig_t)
 files_read_etc_runtime_files(ifconfig_t)
+files_read_usr_files(ifconfig_t)
 
 fs_getattr_xattr_fs(ifconfig_t)
 fs_search_auto_mountpoints(ifconfig_t)
@@ -305,6 +341,8 @@ modutils_domtrans_insmod(ifconfig_t)
 
 seutil_use_runinit_fds(ifconfig_t)
 
+sysnet_dns_name_resolve(ifconfig_t)
+
 userdom_use_user_terminals(ifconfig_t)
 userdom_use_all_users_fds(ifconfig_t)
 
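Review bot: `sysnet_dns_name_resolve(ifconfig_t)` gives the interface-configuration domain DNS client network access it did not have before, and there is no comment saying which tool in ifconfig_t needs to resolve names. Add one, e.g. `# ip/route accept hostnames in config -- TODO confirm`, or scope it under the optional block of the tool that needs it.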
@@ -314,6 +352,10 @@ ifdef(`distro_ubuntu',`
        ')
 ')
 
+optional_policy(`
+       brctl_domtrans(ifconfig_t)
+')
+
 ifdef(`hide_broken_symptoms',`
        optional_policy(`
                dev_dontaudit_rw_cardmgr(ifconfig_t)
@@ -327,12 +369,18 @@ ifdef(`hide_broken_symptoms',`
 optional_policy(`
        hal_dontaudit_rw_pipes(ifconfig_t)
        hal_dontaudit_rw_dgram_sockets(ifconfig_t)
+       hal_dontaudit_read_pid_files(ifconfig_t)
+       hal_write_log(ifconfig_t)
 ')
 
 optional_policy(`
        ipsec_write_pid(ifconfig_t)
 ')
 
+optional_policy(`
+       netutils_domtrans(dhcpc_t)
+')
+
 optional_policy(`
        nis_use_ypbind(ifconfig_t)
 ')
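Review bot: `netutils_domtrans(dhcpc_t)` is placed in the ifconfig_t local-policy section of sysnetwork.te, between ipsec_write_pid(ifconfig_t) and nis_use_ypbind(ifconfig_t); the file groups rules by subject domain, so this block belongs with the other dhcpc_t optional_policy blocks earlier in the file. The `dhcpc_exec_iptables` tunable_policy appended at the end of the file in the last hunk has the same misplacement. `hal_write_log(ifconfig_t)` is an allow inserted into a block that otherwise holds only hal dontaudit rules, so a reader skimming the block may miss that it grants write access to the HAL log; consider a separate line with a comment.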
@@ -355,3 +403,9 @@ optional_policy(`
        xen_append_log(ifconfig_t)
        xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
 ')
+
+optional_policy(`
+       tunable_policy(`dhcpc_exec_iptables',`
+               iptables_domtrans(dhcpc_t)
+       ')
+')
index 02916857672910325a51a39f088b669bc923be83..44fe366be42a4a41cc5037f4b9a98593617deb72 100644 (file)
@@ -22,3 +22,4 @@
 /usr/bin/udevinfo --   gen_context(system_u:object_r:udev_exec_t,s0)
 
 /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+/var/run/libgpod(/.*)?         gen_context(system_u:object_r:udev_var_run_t,s0)    
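Review bot: The new `/var/run/libgpod(/.*)?` entry labels a third-party library's runtime directory as udev_var_run_t, which hands libgpod's files to every domain that can manage or read udev's pid files; the line also carries trailing whitespace. If the directory is created by a udev rule, a comment stating that would justify the shared type, e.g. `# created by udev rules for libgpod -- TODO confirm`; otherwise a dedicated type is the safer label.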
index 025348a454644d1baf644fee6ff473479e3874bc..5b277ea47bb4b213bc2b204e31573abae92f4f12 100644 (file)
@@ -34,6 +34,7 @@ interface(`udev_domtrans',`
        ')
 
        domtrans_pattern($1, udev_exec_t, udev_t)
+       allow $1 udev_t:process noatsecure;
 ')
 
 ########################################
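Review bot: `allow $1 udev_t:process noatsecure;` is added to udev_domtrans for every caller, so any domain that transitions to udev_t now does so without AT_SECURE, meaning the dynamic loader honours the caller's LD_* environment across the transition. That is the opposite of what a transition into a privileged daemon usually wants; if one specific caller needs it, grant it in that caller's policy or in a dedicated interface rather than in the generic domtrans, and in any case add a comment naming the caller: `# noatsecure: needed by <caller> -- TODO confirm why`.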
@@ -88,8 +89,7 @@ interface(`udev_read_state',`
        ')
 
        kernel_search_proc($1)
-       allow $1 udev_t:file read_file_perms;
-       allow $1 udev_t:lnk_file read_lnk_file_perms;
+       ps_process_pattern($1, udev_t)
 ')
 
 ########################################
index a054cf55871f309b11919e1c48db3a4f851cd23e..4867243190d0a9bef994c5e31c984b5f4079e57e 100644 (file)
@@ -52,6 +52,7 @@ allow udev_t self:unix_dgram_socket sendto;
 allow udev_t self:unix_stream_socket connectto;
 allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow udev_t self:rawip_socket create_socket_perms;
+allow udev_t self:netlink_socket create_socket_perms;
 
 allow udev_t udev_exec_t:file write;
 can_exec(udev_t, udev_exec_t)
@@ -72,7 +73,7 @@ read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
 manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
-files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
+files_pid_filetrans(udev_t, udev_var_run_t, { file dir })
 
 kernel_read_system_state(udev_t)
 kernel_request_load_module(udev_t)
@@ -111,15 +112,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
 
 files_read_usr_files(udev_t)
 files_read_etc_runtime_files(udev_t)
-files_read_etc_files(udev_t)
+
+# console_init manages files in /etc/sysconfig
+files_manage_etc_files(udev_t)
 files_exec_etc_files(udev_t)
 files_dontaudit_search_isid_type_dirs(udev_t)
 files_getattr_generic_locks(udev_t)
 files_search_mnt(udev_t)
+files_list_tmp(udev_t)
 
 fs_getattr_all_fs(udev_t)
 fs_list_inotifyfs(udev_t)
 fs_rw_anon_inodefs_files(udev_t)
+fs_list_auto_mountpoints(udev_t)
+fs_list_hugetlbfs(udev_t)
 
 mcs_ptrace_all(udev_t)
 
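Review bot: Replacing `files_read_etc_files(udev_t)` with `files_manage_etc_files(udev_t)` gives udev create, write and delete on every generic etc_t file, not only on /etc/sysconfig as the comment suggests, which removes the read-only boundary between the device manager and system configuration. If no narrower type for /etc/sysconfig exists, make the comment say what is really granted: `# console_init manages files in /etc/sysconfig; no narrower type exists, so this is write access to all etc_t files`, so the over-grant stays visible to the next reviewer.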
@@ -186,6 +192,7 @@ ifdef(`distro_redhat',`
        fs_manage_tmpfs_chr_files(udev_t)
        fs_relabel_tmpfs_blk_file(udev_t)
        fs_relabel_tmpfs_chr_file(udev_t)
+       fs_manage_hugetlbfs_dirs(udev_t)
 
        term_search_ptys(udev_t)
 
@@ -215,12 +222,17 @@ optional_policy(`
        clock_domtrans(udev_t)
 ')
 
+optional_policy(`
+       consolekit_read_pid_files(udev_t)
+')
+
 optional_policy(`
        consoletype_exec(udev_t)
 ')
 
 optional_policy(`
        cups_domtrans_config(udev_t)
+       cups_read_config(udev_t)
 ')
 
 optional_policy(`
@@ -232,6 +244,10 @@ optional_policy(`
        devicekit_dgram_send(udev_t)
 ')
 
+optional_policy(`
+       gnome_read_home_config(udev_t)
+')
+
 optional_policy(`
        lvm_domtrans(udev_t)
 ')
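Review bot: `gnome_read_home_config(udev_t)` lets the system device manager read users' GNOME configuration under their home directories, and there is no comment explaining which udev helper needs that. A why-comment would let a reviewer decide whether this is intended: `# TODO confirm which udev helper needs users' gnome config`.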
@@ -258,6 +274,10 @@ optional_policy(`
        mount_domtrans(udev_t)
 ')
 
+optional_policy(`
+       networkmanager_dbus_chat(udev_t)
+')
+
 optional_policy(`
        openct_read_pid_files(udev_t)
        openct_domtrans(udev_t)
@@ -272,6 +292,11 @@ optional_policy(`
        raid_domtrans_mdadm(udev_t)
 ')
 
+optional_policy(`
+       usbmuxd_domtrans(udev_t)
+       usbmuxd_stream_connect(udev_t)
+')
+
 optional_policy(`
        unconfined_signal(udev_t)
 ')
index ce2fbb9c1b57b7c2db17119a7c8e094aecfdad09..8b34dbc095d9b972416080212fcae22112442282 100644 (file)
@@ -1,15 +1 @@
 # Add programs here which should not be confined by SELinux
-# e.g.:
-# /usr/local/bin/appsrv                --      gen_context(system_u:object_r:unconfined_exec_t,s0)
-# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
-/usr/bin/valgrind              --      gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/bin/vncserver             --      gen_context(system_u:object_r:unconfined_exec_t,s0)
-
-/usr/lib/ia32el/ia32x_loader   --      gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-
-/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-
-ifdef(`distro_gentoo',`
-/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-')
index 416e668571c87ab068d725d77edb04f31bedfc45..c6e8ffef00b339b644a16c6ffa9246b5c509f805 100644 (file)
 #
 interface(`unconfined_domain_noaudit',`
        gen_require(`
-               type unconfined_t;
                class dbus all_dbus_perms;
                class nscd all_nscd_perms;
                class passwd all_passwd_perms;
        ')
 
        # Use any Linux capability.
-       allow $1 self:capability *;
+       allow $1 self:capability all_capabilities;
        allow $1 self:fifo_file manage_fifo_file_perms;
 
        # Transition to myself, to make get_ordered_context_list happy.
@@ -27,12 +26,14 @@ interface(`unconfined_domain_noaudit',`
 
        # Write access is for setting attributes under /proc/self/attr.
        allow $1 self:file rw_file_perms;
+       allow $1 self:dir rw_dir_perms;
 
        # Userland object managers
-       allow $1 self:nscd *;
-       allow $1 self:dbus *;
-       allow $1 self:passwd *;
-       allow $1 self:association *;
+       allow $1 self:nscd all_nscd_perms;
+       allow $1 self:dbus all_dbus_perms;
+       allow $1 self:passwd all_passwd_perms;
+       allow $1 self:association all_association_perms;
+       allow $1 self:socket_class_set create_socket_perms;
 
        kernel_unconfined($1)
        corenet_unconfined($1)
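Review bot: The new `allow $1 self:socket_class_set create_socket_perms;` sits under the `# Userland object managers` comment, but it is a kernel socket rule rather than an object-manager permission, so the grouping misleads. Move it after the `self:dir` rule with its own comment, e.g. `# Any socket class on self`. The `self:dir rw_dir_perms` line placed under the /proc/self/attr comment fits that comment.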
@@ -44,6 +45,12 @@ interface(`unconfined_domain_noaudit',`
        fs_unconfined($1)
        selinux_unconfined($1)
 
+       domain_mmap_low($1)
+
+       mls_file_read_all_levels($1)
+
+       ubac_process_exempt($1)
+
        tunable_policy(`allow_execheap',`
                # Allow making the stack executable via mprotect.
                allow $1 self:process execheap;
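Review bot: `domain_mmap_low($1)`, `mls_file_read_all_levels($1)` and `ubac_process_exempt($1)` are added to unconfined_domain_noaudit without comments, and each one switches off a distinct kernel or policy control: mapping below the minimum address the kernel protects, the MLS read restriction, and the UBAC user separation constraint. Because this interface is applied to every domain that calls it, not only unconfined_t, each line should say why the whole class of callers needs it, e.g. `# mmap_low: allows mapping below vm.mmap_min_addr; required by <caller> -- TODO confirm`. Consider keeping the MLS and UBAC exemptions in unconfined_domain rather than the noaudit variant if not all callers need them.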
@@ -69,6 +76,7 @@ interface(`unconfined_domain_noaudit',`
        optional_policy(`
                # Communicate via dbusd.
                dbus_system_bus_unconfined($1)
+               dbus_unconfined($1)
        ')
 
        optional_policy(`
@@ -122,6 +130,10 @@ interface(`unconfined_domain_noaudit',`
 ## </param>
 #
 interface(`unconfined_domain',`
+       gen_require(`
+               attribute unconfined_services;
+       ')      
+
        unconfined_domain_noaudit($1)
 
        tunable_policy(`allow_execheap',`
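Review bot: The new `gen_require` in unconfined_domain declares `attribute unconfined_services;` but nothing in the visible part of the interface uses it, and the closing `')` of the require block carries trailing whitespace. The rest of unconfined_domain's body is outside the hunk, so the attribute may be used further down; if it is not, the require block should be dropped, and if it is, a comment at the use site would help. The attribute is declared in unconfined.te in this commit, but no visible rule assigns a type to it.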
@@ -178,412 +190,3 @@ interface(`unconfined_alias_domain',`
 interface(`unconfined_execmem_alias_program',`
        refpolicywarn(`$0($1) has been deprecated.')
 ')
-
-########################################
-## <summary>
-##     Transition to the unconfined domain.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed to transition.
-##     </summary>
-## </param>
-#
-interface(`unconfined_domtrans',`
-       gen_require(`
-               type unconfined_t, unconfined_exec_t;
-       ')
-
-       domtrans_pattern($1, unconfined_exec_t, unconfined_t)
-')
-
-########################################
-## <summary>
-##     Execute specified programs in the unconfined domain.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed to transition.
-##     </summary>
-## </param>
-## <param name="role">
-##     <summary>
-##     The role to allow the unconfined domain.
-##     </summary>
-## </param>
-#
-interface(`unconfined_run',`
-       gen_require(`
-               type unconfined_t;
-       ')
-
-       unconfined_domtrans($1)
-       role $2 types unconfined_t;
-')
-
-########################################
-## <summary>
-##     Transition to the unconfined domain by executing a shell.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed to transition.
-##     </summary>
-## </param>
-#
-interface(`unconfined_shell_domtrans',`
-       gen_require(`
-               type unconfined_t;
-       ')
-
-       corecmd_shell_domtrans($1, unconfined_t)
-       allow unconfined_t $1:fd use;
-       allow unconfined_t $1:fifo_file rw_file_perms;
-       allow unconfined_t $1:process sigchld;
-')
-
-########################################
-## <summary>
-##     Allow unconfined to execute the specified program in
-##     the specified domain.
-## </summary>
-## <desc>
-##     <p>
-##     Allow unconfined to execute the specified program in
-##     the specified domain.
-##     </p>
-##     <p>
-##     This is a interface to support third party modules
-##     and its use is not allowed in upstream reference
-##     policy.
-##     </p>
-## </desc>
-## <param name="domain">
-##     <summary>
-##     Domain to execute in.
-##     </summary>
-## </param>
-## <param name="entry_file">
-##     <summary>
-##     Domain entry point file.
-##     </summary>
-## </param>
-#
-interface(`unconfined_domtrans_to',`
-       gen_require(`
-               type unconfined_t;
-       ')
-
-       domtrans_pattern(unconfined_t,$2,$1)
-')
-
-########################################
-## <summary>
-##     Allow unconfined to execute the specified program in
-##     the specified domain.  Allow the specified domain the
-##     unconfined role and use of unconfined user terminals.
-## </summary>
-## <desc>
-##     <p>
-##     Allow unconfined to execute the specified program in
-##     the specified domain.  Allow the specified domain the
-##     unconfined role and use of unconfined user terminals.
-##     </p>
-##     <p>
-##     This is a interface to support third party modules
-##     and its use is not allowed in upstream reference
-##     policy.
-##     </p>
-## </desc>
-## <param name="domain">
-##     <summary>
-##     Domain to execute in.
-##     </summary>
-## </param>
-## <param name="entry_file">
-##     <summary>
-##     Domain entry point file.
-##     </summary>
-## </param>
-#
-interface(`unconfined_run_to',`
-       gen_require(`
-               type unconfined_t;
-               role unconfined_r;
-       ')
-
-       domtrans_pattern(unconfined_t,$2,$1)
-       role unconfined_r types $1;
-       userdom_use_user_terminals($1)
-')
-
-########################################
-## <summary>
-##     Inherit file descriptors from the unconfined domain.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`unconfined_use_fds',`
-       gen_require(`
-               type unconfined_t;
-       ')
-
-       allow $1 unconfined_t:fd use;
-')
-
-########################################
-## <summary>
-##     Send a SIGCHLD signal to the unconfined domain.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`unconfined_sigchld',`
-       gen_require(`
-               type unconfined_t;
-       ')
-
-       allow $1 unconfined_t:process sigchld;
-')
-
-########################################
-## <summary>
-##     Send a SIGNULL signal to the unconfined domain.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`unconfined_signull',`
-       gen_require(`
-               type unconfined_t;
-       ')
-
-       allow $1 unconfined_t:process signull;
-')
-
-########################################
-## <summary>
-##     Send generic signals to the unconfined domain.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`unconfined_signal',`
-       gen_require(`
-               type unconfined_t;
-       ')
-
-       allow $1 unconfined_t:process signal;
-')
-
-########################################
-## <summary>
-##     Read unconfined domain unnamed pipes.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`unconfined_read_pipes',`
-       gen_require(`
-               type unconfined_t;
-       ')
-
-       allow $1 unconfined_t:fifo_file read_fifo_file_perms;
-')
-
-########################################
-## <summary>
-##     Do not audit attempts to read unconfined domain unnamed pipes.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain to not audit.
-##     </summary>
-## </param>
-#
-interface(`unconfined_dontaudit_read_pipes',`
-       gen_require(`
-               type unconfined_t;
-       ')
-
-       dontaudit $1 unconfined_t:fifo_file read;
-')
-
-########################################
-## <summary>
-##     Read and write unconfined domain unnamed pipes.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`unconfined_rw_pipes',`
-       gen_require(`
-               type unconfined_t;
-       ')
-
-       allow $1 unconfined_t:fifo_file rw_fifo_file_perms;
-')
-
-########################################
-## <summary>
-##     Do not audit attempts to read and write
-##     unconfined domain unnamed pipes.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain to not audit.
-##     </summary>
-## </param>
-#
-interface(`unconfined_dontaudit_rw_pipes',`
-       gen_require(`
-               type unconfined_t;
-       ')
-
-       dontaudit $1 unconfined_t:fifo_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##     Connect to the unconfined domain using
-##     a unix domain stream socket.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`unconfined_stream_connect',`
-       gen_require(`
-               type unconfined_t;
-       ')
-
-       allow $1 unconfined_t:unix_stream_socket connectto;
-')
-
-########################################
-## <summary>
-##     Do not audit attempts to read or write
-##     unconfined domain tcp sockets.
-## </summary>
-## <desc>
-##     <p>
-##     Do not audit attempts to read or write
-##     unconfined domain tcp sockets.
-##     </p>
-##     <p>
-##     This interface was added due to a broken
-##     symptom in ldconfig.
-##     </p>
-## </desc>
-## <param name="domain">
-##     <summary>
-##     Domain to not audit.
-##     </summary>
-## </param>
-#
-interface(`unconfined_dontaudit_rw_tcp_sockets',`
-       gen_require(`
-               type unconfined_t;
-       ')
-
-       dontaudit $1 unconfined_t:tcp_socket { read write };
-')
-
-########################################
-## <summary>
-##     Create keys for the unconfined domain.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`unconfined_create_keys',`
-       gen_require(`
-               type unconfined_t;
-       ')
-
-       allow $1 unconfined_t:key create;
-')
-
-########################################
-## <summary>
-##     Send messages to the unconfined domain over dbus.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`unconfined_dbus_send',`
-       gen_require(`
-               type unconfined_t;
-               class dbus send_msg;
-       ')
-
-       allow $1 unconfined_t:dbus send_msg;
-')
-
-########################################
-## <summary>
-##     Send and receive messages from
-##     unconfined_t over dbus.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`unconfined_dbus_chat',`
-       gen_require(`
-               type unconfined_t;
-               class dbus send_msg;
-       ')
-
-       allow $1 unconfined_t:dbus send_msg;
-       allow unconfined_t $1:dbus send_msg;
-')
-
-########################################
-## <summary>
-##     Connect to the the unconfined DBUS
-##     for service (acquire_svc).
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`unconfined_dbus_connect',`
-       gen_require(`
-               type unconfined_t;
-               class dbus acquire_svc;
-       ')
-
-       allow $1 unconfined_t:dbus acquire_svc;
-')
index f97634416d4cc0ee0d86f03bb7d10a8c3ca8c4e3..4474379c5e24f0e8963c8f029224a1af56f340f2 100644 (file)
@@ -4,227 +4,5 @@ policy_module(unconfined, 3.2.0)
 #
 # Declarations
 #
+attribute unconfined_services;
 
-# usage in this module of types created by these
-# calls is not correct, however we dont currently
-# have another method to add access to these types
-userdom_base_user_template(unconfined)
-userdom_manage_home_role(unconfined_r, unconfined_t)
-userdom_manage_tmp_role(unconfined_r, unconfined_t)
-userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
-
-type unconfined_exec_t;
-init_system_domain(unconfined_t, unconfined_exec_t)
-
-type unconfined_execmem_t;
-type unconfined_execmem_exec_t;
-init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
-role unconfined_r types unconfined_execmem_t;
-
-########################################
-#
-# Local policy
-#
-
-domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t)
-
-files_create_boot_flag(unconfined_t)
-
-mcs_killall(unconfined_t)
-mcs_ptrace_all(unconfined_t)
-
-init_run_daemon(unconfined_t, unconfined_r)
-
-libs_run_ldconfig(unconfined_t, unconfined_r)
-
-logging_send_syslog_msg(unconfined_t)
-logging_run_auditctl(unconfined_t, unconfined_r)
-
-mount_run_unconfined(unconfined_t, unconfined_r)
-
-seutil_run_setfiles(unconfined_t, unconfined_r)
-seutil_run_semanage(unconfined_t, unconfined_r)
-
-unconfined_domain(unconfined_t)
-
-userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
-
-ifdef(`distro_gentoo',`
-       seutil_run_runinit(unconfined_t, unconfined_r)
-       seutil_init_script_run_runinit(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
-       ada_domtrans(unconfined_t)
-')
-
-optional_policy(`
-       apache_run_helper(unconfined_t, unconfined_r)
-       apache_role(unconfined_r, unconfined_t)
-')
-
-optional_policy(`
-       bind_run_ndc(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
-       bootloader_run(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
-       cron_unconfined_role(unconfined_r, unconfined_t)
-')
-
-optional_policy(`
-       init_dbus_chat_script(unconfined_t)
-
-       dbus_stub(unconfined_t)
-
-       optional_policy(`
-               avahi_dbus_chat(unconfined_t)
-       ')
-
-       optional_policy(`
-               bluetooth_dbus_chat(unconfined_t)
-       ')
-
-       optional_policy(`
-               consolekit_dbus_chat(unconfined_t)
-       ')
-
-       optional_policy(`
-               cups_dbus_chat_config(unconfined_t)
-       ')
-
-       optional_policy(`
-               hal_dbus_chat(unconfined_t)
-       ')
-
-       optional_policy(`
-               networkmanager_dbus_chat(unconfined_t)
-       ')
-
-       optional_policy(`
-               oddjob_dbus_chat(unconfined_t)
-       ')
-')
-
-optional_policy(`
-       firstboot_run(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
-       ftp_run_ftpdctl(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
-       inn_domtrans(unconfined_t)
-')
-
-optional_policy(`
-       java_run_unconfined(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
-       lpd_run_checkpc(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
-       modutils_run_update_mods(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
-       mono_domtrans(unconfined_t)
-')
-
-optional_policy(`
-       mta_role(unconfined_r, unconfined_t)
-')
-
-optional_policy(`
-       oddjob_domtrans_mkhomedir(unconfined_t)
-')
-
-optional_policy(`
-       prelink_run(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
-       portmap_run_helper(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
-       postfix_run_map(unconfined_t, unconfined_r)
-       # cjp: this should probably be removed:
-       postfix_domtrans_master(unconfined_t)
-')
-
-optional_policy(`
-       pyzor_role(unconfined_r, unconfined_t)
-')
-
-optional_policy(`
-       # cjp: this should probably be removed:
-       rpc_domtrans_nfsd(unconfined_t)
-')
-
-optional_policy(`
-       rpm_run(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
-       samba_run_net(unconfined_t, unconfined_r)
-       samba_run_winbind_helper(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
-       spamassassin_role(unconfined_r, unconfined_t)
-')
-
-optional_policy(`
-       sysnet_run_dhcpc(unconfined_t, unconfined_r)
-       sysnet_dbus_chat_dhcpc(unconfined_t)
-')
-
-optional_policy(`
-       tzdata_run(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
-       usermanage_run_admin_passwd(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
-       vpn_run(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
-       webalizer_run(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
-       wine_domtrans(unconfined_t)
-')
-
-optional_policy(`
-       xserver_domtrans(unconfined_t)
-')
-
-########################################
-#
-# Unconfined Execmem Local policy
-#
-
-allow unconfined_execmem_t self:process { execstack execmem };
-unconfined_domain_noaudit(unconfined_execmem_t)
-
-optional_policy(`
-       dbus_stub(unconfined_execmem_t)
-
-       init_dbus_chat_script(unconfined_execmem_t)
-       unconfined_dbus_chat(unconfined_execmem_t)
-
-       optional_policy(`
-               hal_dbus_chat(unconfined_execmem_t)
-       ')
-')
index db7597682d59871c82d2c5f8617d31bd0abf3aae..392d1eef96cea3303f60591bfb401c883020d074 100644 (file)
@@ -1,4 +1,17 @@
 HOME_DIR       -d      gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR       -l      gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 HOME_DIR/.+            gen_context(system_u:object_r:user_home_t,s0)
-
 /tmp/gconfd-USER -d    gen_context(system_u:object_r:user_tmp_t,s0)
+/root(/.*)?            gen_context(system_u:object_r:admin_home_t,s0)
+/root/\.cert(/.*)?     gen_context(system_u:object_r:home_cert_t,s0)
+/root/\.debug(/.*)?    <<none>>
+/dev/shm/pulse-shm.*   gen_context(system_u:object_r:user_tmpfs_t,s0)
+/dev/shm/mono.*                gen_context(system_u:object_r:user_tmpfs_t,s0)
+HOME_DIR/bin(/.*)?     gen_context(system_u:object_r:home_bin_t,s0)
+HOME_DIR/local/bin(/.*)?       gen_context(system_u:object_r:home_bin_t,s0)
+HOME_DIR/Audio(/.*)?    gen_context(system_u:object_r:audio_home_t,s0)
+HOME_DIR/Music(/.*)?    gen_context(system_u:object_r:audio_home_t,s0)
+HOME_DIR/\.cert(/.*)?  gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.pki(/.*)?           gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.gvfs(/.*)?  <<none>>
+HOME_DIR/\.debug(/.*)? <<none>>
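Review bot: The `<<none>>` entries for `HOME_DIR/\.gvfs`, `HOME_DIR/\.debug` and `/root/\.debug` leave those trees unlabeled by the policy without a comment saying why (user-mounted filesystems and per-user caches are plausible reasons, but that is not stated). Add a `#` comment above them, e.g. `# leave existing contexts untouched on these trees -- TODO state why`. The `HOME_DIR/Audio` and `HOME_DIR/Music` lines use spaces where the rest of the file uses tabs between the path and the context.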
index 2aa8928ed38709d9f0161b4634b5455706de3f2c..b4d758bdb602ac214631980a7906bf3e5c99570d 100644 (file)
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
        ')
 
        attribute $1_file_type;
+       attribute $1_usertype;
 
-       type $1_t, userdomain;
+       type $1_t, userdomain, $1_usertype;
        domain_type($1_t)
        corecmd_shell_entry_type($1_t)
        corecmd_bin_entry_type($1_t)
@@ -43,69 +44,98 @@ template(`userdom_base_user_template',`
        term_user_pty($1_t, user_devpts_t)
 
        term_user_tty($1_t, user_tty_device_t)
-
-       allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
-       allow $1_t self:fd use;
-       allow $1_t self:fifo_file rw_fifo_file_perms;
-       allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
-       allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
-       allow $1_t self:shm create_shm_perms;
-       allow $1_t self:sem create_sem_perms;
-       allow $1_t self:msgq create_msgq_perms;
-       allow $1_t self:msg { send receive };
-       allow $1_t self:context contains;
-       dontaudit $1_t self:socket create;
-
-       allow $1_t user_devpts_t:chr_file { setattr rw_chr_file_perms };
-       term_create_pty($1_t, user_devpts_t)
+       term_dontaudit_getattr_generic_ptys($1_t)
+
+       allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
+       allow $1_usertype $1_usertype:fd use;
+       allow $1_usertype $1_t:key { create view read write search link setattr };
+
+       allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms;
+       allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto };
+       allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto };
+       allow $1_usertype $1_usertype:shm create_shm_perms;
+       allow $1_usertype $1_usertype:sem create_sem_perms;
+       allow $1_usertype $1_usertype:msgq create_msgq_perms;
+       allow $1_usertype $1_usertype:msg { send receive };
+       allow $1_usertype $1_usertype:context contains;
+       dontaudit $1_usertype $1_usertype:socket create;
+
+       allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms };
+       term_create_pty($1_usertype, user_devpts_t)
        # avoid annoying messages on terminal hangup on role change
-       dontaudit $1_t user_devpts_t:chr_file ioctl;
+       dontaudit $1_usertype user_devpts_t:chr_file ioctl;
 
-       allow $1_t user_tty_device_t:chr_file { setattr rw_chr_file_perms };
+       allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms };
        # avoid annoying messages on terminal hangup on role change
-       dontaudit $1_t user_tty_device_t:chr_file ioctl;
-
-       kernel_read_kernel_sysctls($1_t)
-       kernel_dontaudit_list_unlabeled($1_t)
-       kernel_dontaudit_getattr_unlabeled_files($1_t)
-       kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
-       kernel_dontaudit_getattr_unlabeled_pipes($1_t)
-       kernel_dontaudit_getattr_unlabeled_sockets($1_t)
-       kernel_dontaudit_getattr_unlabeled_blk_files($1_t)
-       kernel_dontaudit_getattr_unlabeled_chr_files($1_t)
-
-       dev_dontaudit_getattr_all_blk_files($1_t)
-       dev_dontaudit_getattr_all_chr_files($1_t)
+       dontaudit $1_usertype user_tty_device_t:chr_file ioctl;
+
+       application_exec_all($1_usertype)
+
+       kernel_read_kernel_sysctls($1_usertype)
+       kernel_read_all_sysctls($1_usertype)
+       kernel_dontaudit_list_unlabeled($1_usertype)
+       kernel_dontaudit_getattr_unlabeled_files($1_usertype)
+       kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype)
+       kernel_dontaudit_getattr_unlabeled_pipes($1_usertype)
+       kernel_dontaudit_getattr_unlabeled_sockets($1_usertype)
+       kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype)
+       kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype)
+       kernel_dontaudit_list_proc($1_usertype)
+
+       dev_dontaudit_getattr_all_blk_files($1_usertype)
+       dev_dontaudit_getattr_all_chr_files($1_usertype)
+       dev_getattr_mtrr_dev($1_t)
 
        # When the user domain runs ps, there will be a number of access
        # denials when ps tries to search /proc. Do not audit these denials.
-       domain_dontaudit_read_all_domains_state($1_t)
-       domain_dontaudit_getattr_all_domains($1_t)
-       domain_dontaudit_getsession_all_domains($1_t)
-
-       files_read_etc_files($1_t)
-       files_read_etc_runtime_files($1_t)
-       files_read_usr_files($1_t)
+       domain_dontaudit_read_all_domains_state($1_usertype)
+       domain_dontaudit_getattr_all_domains($1_usertype)
+       domain_dontaudit_getsession_all_domains($1_usertype)
+
+       files_read_etc_files($1_usertype)
+       files_list_mnt($1_usertype)
+       files_read_mnt_files($1_usertype)
+       files_read_etc_runtime_files($1_usertype)
+       files_read_usr_files($1_usertype)
+       files_read_usr_src_files($1_usertype)
        # Read directories and files with the readable_t type.
        # This type is a general type for "world"-readable files.
-       files_list_world_readable($1_t)
-       files_read_world_readable_files($1_t)
-       files_read_world_readable_symlinks($1_t)
-       files_read_world_readable_pipes($1_t)
-       files_read_world_readable_sockets($1_t)
+       files_list_world_readable($1_usertype)
+       files_read_world_readable_files($1_usertype)
+       files_read_world_readable_symlinks($1_usertype)
+       files_read_world_readable_pipes($1_usertype)
+       files_read_world_readable_sockets($1_usertype)
        # old broswer_domain():
-       files_dontaudit_list_non_security($1_t)
-       files_dontaudit_getattr_non_security_files($1_t)
-       files_dontaudit_getattr_non_security_symlinks($1_t)
-       files_dontaudit_getattr_non_security_pipes($1_t)
-       files_dontaudit_getattr_non_security_sockets($1_t)
+       files_dontaudit_getattr_all_dirs($1_usertype)
+       files_dontaudit_list_non_security($1_usertype)
+       files_dontaudit_getattr_all_files($1_usertype)
+       files_dontaudit_getattr_non_security_symlinks($1_usertype)
+       files_dontaudit_getattr_non_security_pipes($1_usertype)
+       files_dontaudit_getattr_non_security_sockets($1_usertype)
+
+       files_exec_usr_files($1_t)
+
+       fs_list_cgroup_dirs($1_usertype)
+       fs_dontaudit_rw_cgroup_files($1_usertype)
+
+       storage_rw_fuse($1_usertype)
+
+       auth_use_nsswitch($1_usertype)
 
-       libs_exec_ld_so($1_t)
+       init_stream_connect($1_usertype)
+       # The library functions always try to open read-write first,
+       # then fall back to read-only if it fails. 
+       init_dontaudit_rw_utmp($1_usertype)
+
+       libs_exec_ld_so($1_usertype)
 
        miscfiles_read_localization($1_t)
        miscfiles_read_generic_certs($1_t)
 
-       sysnet_read_config($1_t)
+       miscfiles_read_all_certs($1_usertype)
+       miscfiles_read_localization($1_usertype)
+       miscfiles_read_man_pages($1_usertype)
+       miscfiles_read_public_files($1_usertype)
 
        tunable_policy(`allow_execmem',`
                # Allow loading DSOs that require executable stack.
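Review bot: `ptrace` and `getcap` are new in the process vector on the `allow $1_usertype $1_usertype:process` line; the old `allow $1_t self:process` line granted neither, and because subject and target are now the attribute rather than `self`, any type carrying `$1_usertype` may ptrace any other type carrying it, not just itself. That is a broadening the merge does not explain, and ptrace permits one process to inspect and control another, so it deserves either a why-comment (`# ptrace among the user's own domains: needed for debugging the user's own processes`) or a tunable gate. The same `self`-to-attribute widening applies to the fd, fifo, socket, shm, sem, msgq and key rules that follow it. `kernel_read_all_sysctls`, `files_read_usr_src_files`, `storage_rw_fuse` and `miscfiles_read_all_certs` on `$1_usertype` are likewise new grants with no comment. `fs_list_cgroup_dirs($1_usertype)` here is repeated inside an `optional_policy` block in the next hunk of this template.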
@@ -116,6 +146,16 @@ template(`userdom_base_user_template',`
                # Allow making the stack executable via mprotect.
                allow $1_t self:process execstack;
        ')
+
+       optional_policy(`
+               fs_list_cgroup_dirs($1_usertype)
+       ')
+
+       optional_policy(`
+               ssh_rw_stream_sockets($1_usertype)
+               ssh_delete_tmp($1_t)
+               ssh_signal($1_t)
+       ')
 ')
 
 #######################################
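Review bot: The `optional_policy(` block holding `fs_list_cgroup_dirs($1_usertype)` repeats the unconditional call made earlier in this same template, and since the fs interfaces come from the kernel layer, which is always built, the `optional_policy` wrapper adds nothing; the block can be dropped. In the ssh block, `ssh_rw_stream_sockets` is given to `$1_usertype` while `ssh_delete_tmp` and `ssh_signal` are given to `$1_t`; if only the login domain is meant to signal sshd and delete its tmp files, a comment such as `# only the login domain may signal sshd` would keep a later tidy-up from aligning them. The template's closing `')` is in this hunk but its start is not.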
@@ -149,6 +189,8 @@ interface(`userdom_ro_home_role',`
                type user_home_t, user_home_dir_t;
        ')
 
+       role $1 types { user_home_t user_home_dir_t };
+
        ##############################
        #
        # Domain access to home dir
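Review bot: `role $1 types { user_home_t user_home_dir_t };` associates a role with file types rather than process domains, and nothing says why; the same pattern is added to userdom_manage_home_role, userdom_manage_tmp_role and userdom_manage_tmpfs_role further down. If the association is required for some transition or constraint check to succeed, a one-line comment stating that, e.g. `# role association needed for <reason>`, would stop a later cleanup from deleting it as a no-op — I am inferring that there is such a reason, so confirm it. The interface body continues outside the hunk.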
@@ -166,27 +208,6 @@ interface(`userdom_ro_home_role',`
        read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
        files_list_home($2)
 
-       tunable_policy(`use_nfs_home_dirs',`
-               fs_list_nfs($2)
-               fs_read_nfs_files($2)
-               fs_read_nfs_symlinks($2)
-               fs_read_nfs_named_sockets($2)
-               fs_read_nfs_named_pipes($2)
-       ',`
-               fs_dontaudit_list_nfs($2)
-               fs_dontaudit_read_nfs_files($2)
-       ')
-
-       tunable_policy(`use_samba_home_dirs',`
-               fs_list_cifs($2)
-               fs_read_cifs_files($2)
-               fs_read_cifs_symlinks($2)
-               fs_read_cifs_named_sockets($2)
-               fs_read_cifs_named_pipes($2)
-       ',`
-               fs_dontaudit_list_cifs($2)
-               fs_dontaudit_read_cifs_files($2)
-       ')
 ')
 
 #######################################
@@ -218,8 +239,11 @@ interface(`userdom_ro_home_role',`
 interface(`userdom_manage_home_role',`
        gen_require(`
                type user_home_t, user_home_dir_t;
+               attribute user_home_type;
        ')
 
+       role $1 types { user_home_type user_home_dir_t };
+
        ##############################
        #
        # Domain access to home dir
@@ -228,17 +252,21 @@ interface(`userdom_manage_home_role',`
        type_member $2 user_home_dir_t:dir user_home_dir_t;
 
        # full control of the home directory
+       allow $2 user_home_t:dir mounton;
        allow $2 user_home_t:file entrypoint;
-       manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-       manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-       manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-       manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-       manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-       relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-       relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-       relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-       relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
-       relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+
+       allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom };
+       allow $2 user_home_dir_t:lnk_file read_lnk_file_perms;
+       manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+       manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+       manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+       manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+       manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+       relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+       relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+       relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+       relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+       relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
        filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
        files_list_home($2)
 
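Review bot: `allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom };` grants relabeling on every file class for every type carrying user_home_type, and it is immediately followed by the `relabel_*_pattern` lines that grant the same permissions per class together with directory search, so one of the two is redundant. If the blanket rule exists because the pattern macros miss a class, say so with `# blanket relabel: covers classes the relabel_*_pattern macros do not`; otherwise drop it and keep the patterns. The new `allow $2 user_home_t:dir mounton;` also needs a why-comment, since mounting over the home directory is not part of managing its contents. The `filetrans_pattern` line still creates only user_home_t, which is presumably the intended default type for new content; confirm.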
@@ -246,25 +274,23 @@ interface(`userdom_manage_home_role',`
        allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
 
        tunable_policy(`use_nfs_home_dirs',`
+               fs_mount_nfs($2)
+               fs_mounton_nfs($2)
                fs_manage_nfs_dirs($2)
                fs_manage_nfs_files($2)
                fs_manage_nfs_symlinks($2)
                fs_manage_nfs_named_sockets($2)
                fs_manage_nfs_named_pipes($2)
-       ',`
-               fs_dontaudit_manage_nfs_dirs($2)
-               fs_dontaudit_manage_nfs_files($2)
        ')
 
        tunable_policy(`use_samba_home_dirs',`
+               fs_mount_cifs($2)
+               fs_mounton_cifs($2)
                fs_manage_cifs_dirs($2)
                fs_manage_cifs_files($2)
                fs_manage_cifs_symlinks($2)
                fs_manage_cifs_named_sockets($2)
                fs_manage_cifs_named_pipes($2)
-       ',`
-               fs_dontaudit_manage_cifs_dirs($2)
-               fs_dontaudit_manage_cifs_files($2)
        ')
 ')
 
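Review bot: `fs_mount_nfs($2)`/`fs_mounton_nfs($2)` and the cifs counterparts let the domain mount NFS and CIFS filesystems, which goes beyond the read/write home-directory access the surrounding block grants and the interface name implies; if a user-space mount helper needs this, a comment should name it. Removing the `fs_dontaudit_manage_nfs_*` and `fs_dontaudit_manage_cifs_*` else-branches means that with the tunables off every touch of an NFS or CIFS home will now be audited; if surfacing those denials is the intent, note it with a comment, otherwise the else-branches should stay.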
@@ -289,6 +315,8 @@ interface(`userdom_manage_tmp_role',`
                type user_tmp_t;
        ')
 
+       role $1 types user_tmp_t;
+
        files_poly_member_tmp($2, user_tmp_t)
 
        manage_dirs_pattern($2, user_tmp_t, user_tmp_t)
@@ -297,6 +325,45 @@ interface(`userdom_manage_tmp_role',`
        manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
        manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
        files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
+       relabel_files_pattern($2, user_tmp_t, user_tmp_t)
+')
+
+#######################################
+## <summary>
+##     Dontaudit search of user bin dirs.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_dontaudit_search_user_bin_dirs',`
+       gen_require(`
+               type home_bin_t;
+       ')
+
+       dontaudit $1 home_bin_t:dir search_dir_perms;
+')
+
+#######################################
+## <summary>
+##     Execute user bin files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_exec_user_bin_files',`
+       gen_require(`
+               attribute user_home_type;
+               type home_bin_t, user_home_dir_t;
+       ')
+
+       exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t)
+       files_search_home($1)
 ')
 
 #######################################
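Review bot: `userdom_exec_user_bin_files` lets the caller execute home_bin_t content, i.e. files the user can write under `~/bin` and `~/local/bin`, but its summary says only `Execute user bin files.`; since exec of user tmp and home content is gated by the `allow_$1_exec_content` tunable added later in this commit, the summary should make the user-writable nature explicit so callers know to apply the same gate. Suggested summary: `Execute files in the user's bin directories (home_bin_t). This is user-writable content; callers should consider gating it behind an exec_content tunable.` The added `relabel_files_pattern($2, user_tmp_t, user_tmp_t)` covers files only, unlike the `manage_*` lines above it which also cover dirs, symlinks, sockets and pipes; if directories are meant to be relabelable too, add `relabel_dirs_pattern($2, user_tmp_t, user_tmp_t)`.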
@@ -316,6 +383,7 @@ interface(`userdom_exec_user_tmp_files',`
        ')
 
        exec_files_pattern($1, user_tmp_t, user_tmp_t)
+       dontaudit $1 user_tmp_t:sock_file execute;
        files_search_tmp($1)
 ')
 
@@ -350,6 +418,8 @@ interface(`userdom_manage_tmpfs_role',`
                type user_tmpfs_t;
        ')
 
+       role $1 types user_tmpfs_t;
+
        manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t)
        manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
        manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
@@ -360,46 +430,41 @@ interface(`userdom_manage_tmpfs_role',`
 
 #######################################
 ## <summary>
-##     The template allowing the user basic
+##     The interface allowing the user basic
 ##     network permissions
 ## </summary>
-## <param name="userdomain_prefix">
+## <param name="userdomain">
 ##     <summary>
-##     The prefix of the user domain (e.g., user
-##     is the prefix for user_t).
+##     The user domain 
 ##     </summary>
 ## </param>
 ## <rolebase/>
 #
-template(`userdom_basic_networking_template',`
-       gen_require(`
-               type $1_t;
-       ')
-
-       allow $1_t self:tcp_socket create_stream_socket_perms;
-       allow $1_t self:udp_socket create_socket_perms;
-
-       corenet_all_recvfrom_unlabeled($1_t)
-       corenet_all_recvfrom_netlabel($1_t)
-       corenet_tcp_sendrecv_generic_if($1_t)
-       corenet_udp_sendrecv_generic_if($1_t)
-       corenet_tcp_sendrecv_generic_node($1_t)
-       corenet_udp_sendrecv_generic_node($1_t)
-       corenet_tcp_sendrecv_all_ports($1_t)
-       corenet_udp_sendrecv_all_ports($1_t)
-       corenet_tcp_connect_all_ports($1_t)
-       corenet_sendrecv_all_client_packets($1_t)
-
-       corenet_all_recvfrom_labeled($1_t, $1_t)
+interface(`userdom_basic_networking',`
+
+       allow $1 self:tcp_socket create_stream_socket_perms;
+       allow $1 self:udp_socket create_socket_perms;
+
+       corenet_all_recvfrom_unlabeled($1)
+       corenet_all_recvfrom_netlabel($1)
+       corenet_tcp_sendrecv_generic_if($1)
+       corenet_udp_sendrecv_generic_if($1)
+       corenet_tcp_sendrecv_generic_node($1)
+       corenet_udp_sendrecv_generic_node($1)
+       corenet_tcp_sendrecv_all_ports($1)
+       corenet_udp_sendrecv_all_ports($1)
+       corenet_tcp_connect_all_ports($1)
+       corenet_sendrecv_all_client_packets($1)
 
        optional_policy(`
-               init_tcp_recvfrom_all_daemons($1_t)
-               init_udp_recvfrom_all_daemons($1_t)
+               init_tcp_recvfrom_all_daemons($1)
+               init_udp_recvfrom_all_daemons($1)
        ')
 
        optional_policy(`
-               ipsec_match_default_spd($1_t)
+               ipsec_match_default_spd($1)
        ')
+
 ')
 
 #######################################
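Review bot: `corenet_all_recvfrom_labeled($1_t, $1_t)` from the old template has no counterpart in the new `userdom_basic_networking` interface, so callers lose labeled-networking receive for the user domain unless it is granted elsewhere; if the drop is deliberate, it deserves a comment or a mention in the commit. The `<rolebase/>` doc tag is kept although the template became an interface that no longer takes a prefix; drop it or confirm the doc generator expects it on interfaces. The summary text `The user domain ` has a trailing space, and the blank line before the closing `')` is unusual for this file.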
@@ -430,6 +495,7 @@ template(`userdom_xwindows_client_template',`
        dev_dontaudit_rw_dri($1_t)
        # GNOME checks for usb and other devices:
        dev_rw_usbfs($1_t)
+       dev_rw_generic_usb_dev($1_t)
 
        xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
        xserver_xsession_entry_type($1_t)
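Review bot: `dev_rw_generic_usb_dev($1_t)` is added here unconditionally, while the same interface is granted inside the `user_rw_noexattrfile` tunable in userdom_restricted_xwindows_user_template later in the commit; raw read/write of generic USB device nodes from a user domain is worth the same tunable gate here, or a comment explaining why the X client template gets it unconditionally. The template body continues outside the hunk.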
@@ -490,7 +556,7 @@ template(`userdom_common_user_template',`
                attribute unpriv_userdomain;
        ')
 
-       userdom_basic_networking_template($1)
+       userdom_basic_networking($1_usertype)
 
        ##############################
        #
@@ -500,73 +566,78 @@ template(`userdom_common_user_template',`
        # evolution and gnome-session try to create a netlink socket
        dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
        dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
+       allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
+       allow $1_t self:socket create_socket_perms;
 
-       allow $1_t unpriv_userdomain:fd use;
+       allow $1_usertype unpriv_userdomain:fd use;
 
-       kernel_read_system_state($1_t)
-       kernel_read_network_state($1_t)
-       kernel_read_net_sysctls($1_t)
+       kernel_read_system_state($1_usertype)
+       kernel_read_network_state($1_usertype)
+       kernel_read_net_sysctls($1_usertype)
        # Very permissive allowing every domain to see every type:
-       kernel_get_sysvipc_info($1_t)
+       kernel_get_sysvipc_info($1_usertype)
        # Find CDROM devices:
-       kernel_read_device_sysctls($1_t)
+       kernel_read_device_sysctls($1_usertype)
+       kernel_request_load_module($1_usertype)
 
-       corecmd_exec_bin($1_t)
+       corenet_udp_bind_generic_node($1_usertype)
+       corenet_udp_bind_generic_port($1_usertype)
 
-       corenet_udp_bind_generic_node($1_t)
-       corenet_udp_bind_generic_port($1_t)
+       dev_read_rand($1_usertype)
+       dev_write_sound($1_usertype)
+       dev_read_sound($1_usertype)
+       dev_read_sound_mixer($1_usertype)
+       dev_write_sound_mixer($1_usertype)
 
-       dev_read_rand($1_t)
-       dev_write_sound($1_t)
-       dev_read_sound($1_t)
-       dev_read_sound_mixer($1_t)
-       dev_write_sound_mixer($1_t)
-
-       files_exec_etc_files($1_t)
-       files_search_locks($1_t)
+       files_exec_etc_files($1_usertype)
+       files_search_locks($1_usertype)
        # Check to see if cdrom is mounted
-       files_search_mnt($1_t)
+       files_search_mnt($1_usertype)
        # cjp: perhaps should cut back on file reads:
-       files_read_var_files($1_t)
-       files_read_var_symlinks($1_t)
-       files_read_generic_spool($1_t)
-       files_read_var_lib_files($1_t)
+       files_read_var_files($1_usertype)
+       files_read_var_symlinks($1_usertype)
+       files_read_generic_spool($1_usertype)
+       files_read_var_lib_files($1_usertype)
        # Stat lost+found.
-       files_getattr_lost_found_dirs($1_t)
+       files_getattr_lost_found_dirs($1_usertype)
+       files_read_config_files($1_usertype)
+       fs_read_noxattr_fs_files($1_usertype)
+       fs_read_noxattr_fs_symlinks($1_usertype)
+       fs_rw_cgroup_files($1_usertype)
 
-       fs_rw_cgroup_files($1_t)
+       logging_send_syslog_msg($1_usertype)
+       logging_send_audit_msgs($1_usertype)
+       selinux_get_enforce_mode($1_usertype)
 
        # cjp: some of this probably can be removed
-       selinux_get_fs_mount($1_t)
-       selinux_validate_context($1_t)
-       selinux_compute_access_vector($1_t)
-       selinux_compute_create_context($1_t)
-       selinux_compute_relabel_context($1_t)
-       selinux_compute_user_contexts($1_t)
+       selinux_get_fs_mount($1_usertype)
+       selinux_validate_context($1_usertype)
+       selinux_compute_access_vector($1_usertype)
+       selinux_compute_create_context($1_usertype)
+       selinux_compute_relabel_context($1_usertype)
+       selinux_compute_user_contexts($1_usertype)
 
        # for eject
-       storage_getattr_fixed_disk_dev($1_t)
+       storage_getattr_fixed_disk_dev($1_usertype)
 
-       auth_use_nsswitch($1_t)
-       auth_read_login_records($1_t)
-       auth_search_pam_console_data($1_t)
+       auth_read_login_records($1_usertype)
        auth_run_pam($1_t,$1_r)
        auth_run_utempter($1_t,$1_r)
 
-       init_read_utmp($1_t)
+       init_read_utmp($1_usertype)
 
-       seutil_read_file_contexts($1_t)
-       seutil_read_default_contexts($1_t)
+       seutil_read_file_contexts($1_usertype)
+       seutil_read_default_contexts($1_usertype)
        seutil_run_newrole($1_t,$1_r)
        seutil_exec_checkpolicy($1_t)
-       seutil_exec_setfiles($1_t)
+       seutil_exec_setfiles($1_usertype)
        # for when the network connection is killed
        # this is needed when a login role can change
        # to this one.
        seutil_dontaudit_signal_newrole($1_t)
 
        tunable_policy(`user_direct_mouse',`
-               dev_read_mouse($1_t)
+               dev_read_mouse($1_usertype)
        ')
 
        tunable_policy(`user_ttyfile_stat',`
@@ -574,65 +645,108 @@ template(`userdom_common_user_template',`
        ')
 
        optional_policy(`
-               alsa_read_rw_config($1_t)
+               alsa_read_rw_config($1_usertype)
        ')
 
        optional_policy(`
                # Allow graphical boot to check battery lifespan
-               apm_stream_connect($1_t)
+               apm_stream_connect($1_usertype)
+       ')
+
+       optional_policy(`
+               canna_stream_connect($1_usertype)
        ')
 
        optional_policy(`
-               canna_stream_connect($1_t)
+               chrome_role($1_r, $1_usertype)
        ')
 
        optional_policy(`
-               dbus_system_bus_client($1_t)
+               dbus_system_bus_client($1_usertype)
+
+               allow $1_usertype $1_usertype:dbus  send_msg;
+
+               optional_policy(`
+                       avahi_dbus_chat($1_usertype)
+               ')
+
+               optional_policy(`
+                       policykit_dbus_chat($1_usertype)
+               ')
+
+               optional_policy(`
+                       bluetooth_dbus_chat($1_usertype)
+               ')
+
+               optional_policy(`
+                       consolekit_dbus_chat($1_usertype)
+                       consolekit_read_log($1_usertype)
+               ')
+
+               optional_policy(`
+                       devicekit_dbus_chat($1_usertype)
+                       devicekit_dbus_chat_power($1_usertype)
+                       devicekit_dbus_chat_disk($1_usertype)
+               ')
+
+               optional_policy(`
+                       evolution_dbus_chat($1_usertype)
+                       evolution_alarm_dbus_chat($1_usertype)
+               ')
 
                optional_policy(`
-                       bluetooth_dbus_chat($1_t)
+                       gnome_dbus_chat_gconfdefault($1_usertype)
                ')
 
                optional_policy(`
-                       evolution_dbus_chat($1_t)
-                       evolution_alarm_dbus_chat($1_t)
+                       hal_dbus_chat($1_usertype)
                ')
 
                optional_policy(`
-                       cups_dbus_chat_config($1_t)
+                       modemmanager_dbus_chat($1_usertype)
                ')
 
                optional_policy(`
-                       hal_dbus_chat($1_t)
+                       networkmanager_dbus_chat($1_usertype)
+                       networkmanager_read_lib_files($1_usertype)
                ')
 
                optional_policy(`
-                       networkmanager_dbus_chat($1_t)
+                       vpn_dbus_chat($1_usertype)
                ')
        ')
 
        optional_policy(`
-               inetd_use_fds($1_t)
-               inetd_rw_tcp_sockets($1_t)
+               git_session_role($1_r, $1_usertype)
+       ')
+
+       optional_policy(`
+               inetd_use_fds($1_usertype)
+               inetd_rw_tcp_sockets($1_usertype)
        ')
 
        optional_policy(`
-               inn_read_config($1_t)
-               inn_read_news_lib($1_t)
-               inn_read_news_spool($1_t)
+               inn_read_config($1_usertype)
+               inn_read_news_lib($1_usertype)
+               inn_read_news_spool($1_usertype)
        ')
 
        optional_policy(`
-               locate_read_lib_files($1_t)
+               locate_read_lib_files($1_usertype)
        ')
 
        # for running depmod as part of the kernel packaging process
        optional_policy(`
-               modutils_read_module_config($1_t)
+               modutils_read_module_config($1_usertype)
        ')
 
        optional_policy(`
-               mta_rw_spool($1_t)
+               mta_rw_spool($1_usertype)
+               mta_manage_queue($1_usertype)
+       ')
+
+       optional_policy(`
+               nsplugin_role($1_r, $1_usertype)
        ')
 
        optional_policy(`
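Review bot: The `*_role` interfaces are now called inconsistently — `chrome_role($1_r, $1_usertype)`, `git_session_role($1_r, $1_usertype)` and `nsplugin_role($1_r, $1_usertype)` here, and `sandbox_transition($1_usertype, $1_r)` in the next hunk, receive the attribute, while `seunshare_role_template($1, $1_r, $1_t)` in the next hunk receives the concrete type; if these interfaces set up domain transitions, passing the attribute gives every usertype member the transition, not just the login domain. If that is intended, a comment above the first such call, e.g. `# role interfaces take the usertype attribute so helper domains can transition too`, would document it. `allow $1_usertype $1_usertype:dbus  send_msg;` has a double space. `usernetctl_run($1_t,$1_r)` is removed in the next hunk with no replacement; a note in the commit would help if that is intentional.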
@@ -643,41 +757,50 @@ template(`userdom_common_user_template',`
 
        optional_policy(`
                # to allow monitoring of pcmcia status
-               pcmcia_read_pid($1_t)
+               pcmcia_read_pid($1_usertype)
        ')
 
        optional_policy(`
-               pcscd_read_pub_files($1_t)
-               pcscd_stream_connect($1_t)
+               pcscd_read_pub_files($1_usertype)
+               pcscd_stream_connect($1_usertype)
        ')
 
        optional_policy(`
                tunable_policy(`allow_user_postgresql_connect',`
-                       postgresql_stream_connect($1_t)
-                       postgresql_tcp_connect($1_t)
+                       postgresql_stream_connect($1_usertype)
+                       postgresql_tcp_connect($1_usertype)
                ')
        ')
 
        optional_policy(`
-               resmgr_stream_connect($1_t)
+               resmgr_stream_connect($1_usertype)
+       ')
+
+       optional_policy(`
+               rpc_dontaudit_getattr_exports($1_usertype)
+               rpc_manage_nfs_rw_content($1_usertype)
+       ')
+
+       optional_policy(`
+               rpcbind_stream_connect($1_usertype)
        ')
 
        optional_policy(`
-               rpc_dontaudit_getattr_exports($1_t)
-               rpc_manage_nfs_rw_content($1_t)
+               samba_stream_connect_winbind($1_usertype)
        ')
 
        optional_policy(`
-               samba_stream_connect_winbind($1_t)
+               sandbox_transition($1_usertype, $1_r)
        ')
 
        optional_policy(`
-               slrnpull_search_spool($1_t)
+               seunshare_role_template($1, $1_r, $1_t)
        ')
 
        optional_policy(`
-               usernetctl_run($1_t,$1_r)
+               slrnpull_search_spool($1_usertype)
        ')
+
 ')
 
 #######################################
@@ -705,13 +828,26 @@ template(`userdom_login_user_template', `
 
        userdom_base_user_template($1)
 
-       userdom_manage_home_role($1_r, $1_t)
+       userdom_manage_home_role($1_r, $1_usertype)
+
+       userdom_manage_tmp_role($1_r, $1_usertype)
+       userdom_manage_tmpfs_role($1_r, $1_usertype)
+
+       ifelse(`$1',`unconfined',`',`
+               gen_tunable(allow_$1_exec_content, true)
 
-       userdom_manage_tmp_role($1_r, $1_t)
-       userdom_manage_tmpfs_role($1_r, $1_t)
+               tunable_policy(`allow_$1_exec_content',`
+                       userdom_exec_user_tmp_files($1_usertype)
+                       userdom_exec_user_home_content_files($1_usertype)
+               ')
+               tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
+                        fs_exec_nfs_files($1_usertype)
+               ')
 
-       userdom_exec_user_tmp_files($1_t)
-       userdom_exec_user_home_content_files($1_t)
+               tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
+                       fs_exec_cifs_files($1_usertype)
+               ')
+       ')
 
        userdom_change_password_template($1)
 
@@ -729,72 +865,71 @@ template(`userdom_login_user_template', `
 
        allow $1_t self:context contains;
 
-       kernel_dontaudit_read_system_state($1_t)
+       kernel_dontaudit_read_system_state($1_usertype)
+       kernel_dontaudit_list_all_proc($1_usertype)
 
-       dev_read_sysfs($1_t)
-       dev_read_urand($1_t)
+       dev_read_sysfs($1_usertype)
+       dev_read_urand($1_usertype)
 
-       domain_use_interactive_fds($1_t)
+       domain_use_interactive_fds($1_usertype)
        # Command completion can fire hundreds of denials
-       domain_dontaudit_exec_all_entry_files($1_t)
+       domain_dontaudit_exec_all_entry_files($1_usertype)
 
-       files_dontaudit_list_default($1_t)
-       files_dontaudit_read_default_files($1_t)
+       files_dontaudit_list_default($1_usertype)
+       files_dontaudit_read_default_files($1_usertype)
        # Stat lost+found.
-       files_getattr_lost_found_dirs($1_t)
+       files_getattr_lost_found_dirs($1_usertype)
 
-       fs_get_all_fs_quotas($1_t)
-       fs_getattr_all_fs($1_t)
-       fs_getattr_all_dirs($1_t)
-       fs_search_auto_mountpoints($1_t)
-       fs_list_cgroup_dirs($1_t)
-       fs_list_inotifyfs($1_t)
-       fs_rw_anon_inodefs_files($1_t)
-       fs_dontaudit_rw_cgroup_files($1_t)
+       fs_get_all_fs_quotas($1_usertype)
+       fs_getattr_all_fs($1_usertype)
+       fs_search_all($1_usertype)
+       fs_list_inotifyfs($1_usertype)
+       fs_rw_anon_inodefs_files($1_usertype)
 
        auth_dontaudit_write_login_records($1_t)
+       auth_rw_cache($1_t)
 
-       application_exec_all($1_t)
-
-       # The library functions always try to open read-write first,
-       # then fall back to read-only if it fails. 
-       init_dontaudit_rw_utmp($1_t)
        # Stop warnings about access to /dev/console
-       init_dontaudit_use_fds($1_t)
-       init_dontaudit_use_script_fds($1_t)
+       init_dontaudit_use_fds($1_usertype)
+       init_dontaudit_use_script_fds($1_usertype)
 
-       libs_exec_lib_files($1_t)
+       libs_exec_lib_files($1_usertype)
 
-       logging_dontaudit_getattr_all_logs($1_t)
+       logging_dontaudit_getattr_all_logs($1_usertype)
 
-       miscfiles_read_man_pages($1_t)
        # for running TeX programs
-       miscfiles_read_tetex_data($1_t)
-       miscfiles_exec_tetex_data($1_t)
+       miscfiles_read_tetex_data($1_usertype)
+       miscfiles_exec_tetex_data($1_usertype)
 
-       seutil_read_config($1_t)
+       seutil_read_config($1_usertype)
 
        optional_policy(`
-               cups_read_config($1_t)
-               cups_stream_connect($1_t)
-               cups_stream_connect_ptal($1_t)
+               cups_read_config($1_usertype)
+               cups_stream_connect($1_usertype)
+               cups_stream_connect_ptal($1_usertype)
        ')
 
        optional_policy(`
-               kerberos_use($1_t)
+               kerberos_use($1_usertype)
+               kerberos_connect_524($1_usertype)
        ')
 
        optional_policy(`
-               mta_dontaudit_read_spool_symlinks($1_t)
+               mta_dontaudit_read_spool_symlinks($1_usertype)
        ')
 
        optional_policy(`
-               quota_dontaudit_getattr_db($1_t)
+               quota_dontaudit_getattr_db($1_usertype)
        ')
 
        optional_policy(`
-               rpm_read_db($1_t)
-               rpm_dontaudit_manage_db($1_t)
+               rpm_read_db($1_usertype)
+               rpm_dontaudit_manage_db($1_usertype)
+               rpm_read_cache($1_usertype)
+       ')
+
+       optional_policy(`
+               oddjob_run_mkhomedir($1_t, $1_r)
        ')
 ')
 
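Review bot: `fs_search_all($1_usertype)` replaces `fs_getattr_all_dirs($1_t)` and `fs_search_auto_mountpoints($1_t)` and is broader than both, granting search on every filesystem type to every usertype member; a comment naming what needed the wider scope would justify it. `auth_rw_cache($1_t)` and `oddjob_run_mkhomedir($1_t, $1_r)` are new grants with no comment; the latter presumably gives the login domain a transition into the mkhomedir helper, which is a privilege step worth one line of justification. Everything removed from this template (`application_exec_all`, `init_dontaudit_rw_utmp`, `miscfiles_read_man_pages`, the cgroup lines) reappears in userdom_base_user_template earlier in the commit, so nothing is lost there. The template body starts outside the hunk.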
@@ -826,6 +961,9 @@ template(`userdom_restricted_user_template',`
        typeattribute $1_t unpriv_userdomain;
        domain_interactive_fd($1_t)
 
+       allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms;
+       dontaudit $1_usertype self:netlink_audit_socket create_socket_perms;
+
        ##############################
        #
        # Local policy
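Review bot: The new `allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms;` at L36884 has no comment naming the desktop component that needs to receive uevents, unlike the neighbouring rules in this template, which each say why they exist. A one-line comment such as `# <consumer> listens for device hotplug uevents — TODO name it` above the allow, and a matching one for the `netlink_audit_socket` dontaudit, would let the next reviewer decide whether the grant is still needed. The two rules also sit between the attribute setup and the "Local policy" banner rather than inside the section they belong to; the enclosing template starts outside this hunk.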
@@ -867,45 +1005,103 @@ template(`userdom_restricted_xwindows_user_template',`
        #
 
        auth_role($1_r, $1_t)
-       auth_search_pam_console_data($1_t)
+       auth_search_pam_console_data($1_usertype)
 
-       dev_read_sound($1_t)
-       dev_write_sound($1_t)
+       dev_read_sound($1_usertype)
+       dev_write_sound($1_usertype)
        # gnome keyring wants to read this.
-       dev_dontaudit_read_rand($1_t)
+       dev_dontaudit_read_rand($1_usertype)
+       # temporarily allow since openoffice requires this
+       dev_read_rand($1_usertype)
 
-       logging_send_syslog_msg($1_t)
+       dev_read_video_dev($1_usertype)
+       dev_write_video_dev($1_usertype)
+       dev_rw_wireless($1_usertype)
+
+       tunable_policy(`user_rw_noexattrfile',`
+               dev_rw_usbfs($1_t)
+               dev_rw_generic_usb_dev($1_usertype)
+
+               fs_manage_noxattr_fs_files($1_usertype)
+               fs_manage_noxattr_fs_dirs($1_usertype)
+               fs_manage_dos_dirs($1_usertype)
+               fs_manage_dos_files($1_usertype)
+               storage_raw_read_removable_device($1_usertype)
+               storage_raw_write_removable_device($1_usertype)
+       ')
+
+       logging_send_syslog_msg($1_usertype)
        logging_dontaudit_send_audit_msgs($1_t)
 
        # Need to to this just so screensaver will work. Should be moved to screensaver domain
        logging_send_audit_msgs($1_t)
        selinux_get_enforce_mode($1_t)
+       seutil_exec_restorecond($1_t)
+       seutil_read_file_contexts($1_t)
+       seutil_read_default_contexts($1_t)
 
        xserver_restricted_role($1_r, $1_t)
 
        optional_policy(`
-               alsa_read_rw_config($1_t)
+               alsa_read_rw_config($1_usertype)
        ')
 
        optional_policy(`
-               dbus_role_template($1, $1_r, $1_t)
-               dbus_system_bus_client($1_t)
+               dbus_role_template($1, $1_r, $1_usertype)
+               dbus_system_bus_client($1_usertype)
+               allow $1_usertype $1_usertype:dbus send_msg;
+
+               optional_policy(`
+                       abrt_dbus_chat($1_usertype)
+                       abrt_run_helper($1_usertype, $1_r)
+               ')
+
+               optional_policy(`
+                       consolekit_dbus_chat($1_usertype)
+               ')
+
+               optional_policy(`
+                       cups_dbus_chat($1_usertype)
+                       cups_dbus_chat_config($1_usertype)
+               ')
 
                optional_policy(`
-                       consolekit_dbus_chat($1_t)
+                       devicekit_dbus_chat($1_usertype)
+                       devicekit_dbus_chat_disk($1_usertype)
+                       devicekit_dbus_chat_power($1_usertype)
                ')
 
                optional_policy(`
-                       cups_dbus_chat($1_t)
+                       fprintd_dbus_chat($1_t)
                ')
        ')
 
        optional_policy(`
-               java_role($1_r, $1_t)
+               openoffice_role_template($1, $1_r, $1_usertype)
+       ')
+
+       optional_policy(`
+               policykit_role($1_r, $1_usertype)
+       ')
+
+       optional_policy(`
+               pulseaudio_role($1_r, $1_usertype)
+       ')
+
+       optional_policy(`
+               rtkit_scheduled($1_usertype)
        ')
 
        optional_policy(`
                setroubleshoot_dontaudit_stream_connect($1_t)
+        ')
+
+       optional_policy(`
+               udev_read_db($1_usertype)
+        ')
+
+       optional_policy(`
+               wm_role_template($1, $1_r, $1_t)
        ')
 ')
 
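Review bot: Inside the `user_rw_noexattrfile` block, L36913 `dev_rw_usbfs($1_t)` is the only call that targets `$1_t` while every other line of the block targets `$1_usertype`; unless the narrower scope is deliberate, it should read `dev_rw_usbfs($1_usertype)`. L36905 `dev_read_rand($1_usertype)` makes the `dev_dontaudit_read_rand($1_usertype)` on L36903 redundant (a dontaudit on a permission that is allowed never fires), and the "temporarily allow" comment gives no reference for when the grant can be withdrawn. The closers on L36994 and L36998 are indented with spaces where the rest of the file uses tabs. The enclosing template starts outside this hunk.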
@@ -940,7 +1136,7 @@ template(`userdom_unpriv_user_template', `
        #
 
        # Inherit rules for ordinary users.
-       userdom_restricted_user_template($1)
+       userdom_restricted_xwindows_user_template($1)
        userdom_common_user_template($1)
 
        ##############################
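Review bot: The comment on L37008, "Inherit rules for ordinary users.", now precedes `userdom_restricted_xwindows_user_template($1)`, so every unprivileged user domain built from this template inherits the X/desktop rules of the previous hunk (sound, video and wireless device access, and the `user_rw_noexattrfile` removable-media block) whether or not the user has a graphical session. If that widening is intended, the comment should say so, e.g. `# Inherit rules for ordinary users, including the X/desktop device rules.`; if not, a non-X unprivileged path would need to remain. The enclosing template starts outside this hunk.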
@@ -949,54 +1145,77 @@ template(`userdom_unpriv_user_template', `
        #
 
        # port access is audited even if dac would not have allowed it, so dontaudit it here
-       corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
+#      corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
        # Need the following rule to allow users to run vpnc
        corenet_tcp_bind_xserver_port($1_t)
+       corenet_tcp_bind_all_nodes($1_usertype)
 
-       files_exec_usr_files($1_t)
-       # cjp: why?
-       files_read_kernel_symbol_table($1_t)
-
-       ifndef(`enable_mls',`
-               fs_exec_noxattr($1_t)
-
-               tunable_policy(`user_rw_noexattrfile',`
-                       fs_manage_noxattr_fs_files($1_t)
-                       fs_manage_noxattr_fs_dirs($1_t)
-                       # Write floppies 
-                       storage_raw_read_removable_device($1_t)
-                       storage_raw_write_removable_device($1_t)
-               ',`
-                       storage_raw_read_removable_device($1_t)
-               ')
-       ')
+       storage_rw_fuse($1_t)
 
-       tunable_policy(`user_dmesg',`
-               kernel_read_ring_buffer($1_t)
-       ',`
-               kernel_dontaudit_read_ring_buffer($1_t)
-       ')
+       miscfiles_read_hwdata($1_usertype)
 
        # Allow users to run TCP servers (bind to ports and accept connection from
        # the same domain and outside users) disabling this forces FTP passive mode
        # and may change other protocols
        tunable_policy(`user_tcp_server',`
-               corenet_tcp_bind_generic_node($1_t)
-               corenet_tcp_bind_generic_port($1_t)
+               corenet_tcp_bind_all_unreserved_ports($1_usertype)
+       ')
+
+       tunable_policy(`user_setrlimit',`
+               allow $1_usertype self:process setrlimit;
        ')
 
        optional_policy(`
-               netutils_run_ping_cond($1_t,$1_r)
-               netutils_run_traceroute_cond($1_t,$1_r)
+               cdrecord_role($1_r, $1_t)
+       ')
+
+       optional_policy(`
+               cron_role($1_r, $1_t)
+       ')
+
+       optional_policy(`
+               games_rw_data($1_usertype)
+       ')
+
+       optional_policy(`
+               gpg_role($1_r, $1_usertype)
+       ')
+
+       optional_policy(`
+               gnomeclock_dbus_chat($1_t)
+       ')
+
+       optional_policy(`
+               gpm_stream_connect($1_usertype)
+       ')
+
+       optional_policy(`
+               execmem_role_template($1, $1_r, $1_t)
+       ')
+
+       optional_policy(`
+               java_role_template($1, $1_r, $1_t)
+       ')
+
+       optional_policy(`
+               mono_role_template($1, $1_r, $1_t)
+       ')
+
+       optional_policy(`
+               mount_run_fusermount($1_t, $1_r)
+       ')
+
+       optional_policy(`
+               wine_role_template($1, $1_r, $1_t)
        ')
 
-       # Run pppd in pppd_t by default for user
        optional_policy(`
-               ppp_run_cond($1_t,$1_r)
+               postfix_run_postdrop($1_t, $1_r)
        ')
 
+       # Run pppd in pppd_t by default for user
        optional_policy(`
-               setroubleshoot_stream_connect($1_t)
+               ppp_run_cond($1_t, $1_r)
        ')
 ')
 
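Review bot: L37019 leaves `corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)` commented out while the comment on L37017 still explains why that rule is needed, so the explanation now describes nothing; either delete both lines or replace the comment with the reason the dontaudit was disabled. Separately, `corenet_tcp_bind_all_nodes($1_usertype)` on L37022 is granted unconditionally and the `user_tcp_server` tunable now grants `corenet_tcp_bind_all_unreserved_ports` instead of the single generic port, which is a wider binding surface than before; if the tunable's description elsewhere still refers to the generic port it should be updated. The `user_dmesg` tunable block was removed here without a replacement visible in this hunk, so the tunable may now be unused unless it is consumed elsewhere.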
@@ -1032,7 +1251,7 @@ template(`userdom_unpriv_user_template', `
 template(`userdom_admin_user_template',`
        gen_require(`
                attribute admindomain;
-               class passwd { passwd chfn chsh rootok };
+               class passwd { passwd chfn chsh rootok crontab };
        ')
 
        ##############################
@@ -1067,6 +1286,9 @@ template(`userdom_admin_user_template',`
        # Skip authentication when pam_rootok is specified.
        allow $1_t self:passwd rootok;
 
+       # Manipulate other users crontab.
+       allow $1_t self:passwd crontab;
+
        kernel_read_software_raid_state($1_t)
        kernel_getattr_core_if($1_t)
        kernel_getattr_message_if($1_t)
@@ -1081,6 +1303,7 @@ template(`userdom_admin_user_template',`
        kernel_sigstop_unlabeled($1_t)
        kernel_signull_unlabeled($1_t)
        kernel_sigchld_unlabeled($1_t)
+       kernel_signal($1_t)
 
        corenet_tcp_bind_generic_port($1_t)
        # allow setting up tunnels
@@ -1112,10 +1335,13 @@ template(`userdom_admin_user_template',`
        domain_sigchld_all_domains($1_t)
        # for lsof
        domain_getattr_all_sockets($1_t)
+       domain_dontaudit_getattr_all_sockets($1_t)
 
        files_exec_usr_src_files($1_t)
 
        fs_getattr_all_fs($1_t)
+       fs_getattr_all_files($1_t)
+       fs_list_all($1_t)
        fs_set_all_quotas($1_t)
        fs_exec_noxattr($1_t)
 
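Review bot: L37153 adds `domain_dontaudit_getattr_all_sockets($1_t)` directly under `domain_getattr_all_sockets($1_t)`; a dontaudit on permissions the same domain is already allowed has no effect, so one of the two lines is dead. If the dontaudit covers socket classes that the allow interface does not, a comment saying which (e.g. `# suppress denials for socket classes not covered by the allow above`) would make the pairing intentional; otherwise drop it. The enclosing template starts outside this hunk.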
@@ -1135,6 +1361,7 @@ template(`userdom_admin_user_template',`
        logging_send_syslog_msg($1_t)
 
        modutils_domtrans_insmod($1_t)
+       modutils_domtrans_depmod($1_t)
 
        # The following rule is temporary until such time that a complete
        # policy management infrastructure is in place so that an administrator
@@ -1203,6 +1430,8 @@ template(`userdom_security_admin_template',`
        dev_relabel_all_dev_nodes($1)
 
        files_create_boot_flag($1)
+       files_create_default_dir($1)
+       files_root_filetrans_default($1, dir)
 
        # Necessary for managing /boot/efi
        fs_manage_dos_files($1)
@@ -1230,6 +1459,7 @@ template(`userdom_security_admin_template',`
        seutil_run_checkpolicy($1,$2)
        seutil_run_loadpolicy($1,$2)
        seutil_run_semanage($1,$2)
+       seutil_run_setsebool($1,$2)
        seutil_run_setfiles($1, $2)
 
        optional_policy(`
@@ -1268,12 +1498,15 @@ template(`userdom_security_admin_template',`
 interface(`userdom_user_home_content',`
        gen_require(`
                type user_home_t;
+               attribute user_home_type;
        ')
 
        allow $1 user_home_t:filesystem associate;
        files_type($1)
-       files_poly_member($1)
        ubac_constrained($1)
+
+       files_poly_member($1)
+       typeattribute $1  user_home_type;
 ')
 
 ########################################
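Review bot: `typeattribute $1  user_home_type;` on L37201 carries a double space between the arguments, unlike the surrounding statements. More importantly, this hunk declares `user_home_type` as an `attribute` in the require block (L37192), and the later hunks agree (L37298, L37390, L37434), but the new `userdom_execmod_user_home_files` interface added further down requires it as `type user_home_type;` (L37828), which would not be satisfied by the attribute declared here; that require should read `attribute user_home_type;`. The interface's doc block, which should mention that callers' types are now also tagged with `user_home_type`, starts outside this hunk.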
@@ -1384,6 +1617,7 @@ interface(`userdom_search_user_home_dirs',`
        ')
 
        allow $1 user_home_dir_t:dir search_dir_perms;
+       allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
        files_search_home($1)
 ')
 
@@ -1430,6 +1664,14 @@ interface(`userdom_list_user_home_dirs',`
 
        allow $1 user_home_dir_t:dir list_dir_perms;
        files_search_home($1)
+
+       tunable_policy(`use_nfs_home_dirs',`
+               fs_list_nfs($1)
+       ')
+
+       tunable_policy(`use_samba_home_dirs',`
+               fs_list_cifs($1)
+       ')
 ')
 
 ########################################
@@ -1445,9 +1687,11 @@ interface(`userdom_list_user_home_dirs',`
 interface(`userdom_dontaudit_list_user_home_dirs',`
        gen_require(`
                type user_home_dir_t;
+               type user_home_t;
        ')
 
        dontaudit $1 user_home_dir_t:dir list_dir_perms;
+       dontaudit $1 user_home_t:dir list_dir_perms;
 ')
 
 ########################################
@@ -1504,6 +1748,42 @@ interface(`userdom_relabelto_user_home_dirs',`
        allow $1 user_home_dir_t:dir relabelto;
 ')
 
+
+########################################
+## <summary>
+##     Relabel to user home files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_relabelto_user_home_files',`
+       gen_require(`
+               type user_home_t;
+       ')
+
+       allow $1 user_home_t:file relabelto;
+')
+########################################
+## <summary>
+##     Relabel user home files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_relabel_user_home_files',`
+       gen_require(`
+               type user_home_t;
+       ')
+
+       allow $1 user_home_t:file relabel_file_perms;
+')
+
 ########################################
 ## <summary>
 ##     Create directories in the home dir root with
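Review bot: The two new interfaces are not separated the way the rest of the file is: `userdom_relabelto_user_home_files` closes on L37261 and the banner of `userdom_relabel_user_home_files` starts on L37262 with no blank line between them, while an extra blank line was added on L37244 ahead of the first banner. Moving that blank line from L37244 to between L37261 and L37262 restores the one-blank-line-per-interface layout used everywhere else in this file.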
@@ -1578,6 +1858,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
        ')
 
        dontaudit $1 user_home_t:dir search_dir_perms;
+       fs_dontaudit_list_nfs($1)
+       fs_dontaudit_list_cifs($1)
 ')
 
 ########################################
@@ -1592,10 +1874,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
 #
 interface(`userdom_list_user_home_content',`
        gen_require(`
-               type user_home_t;
+               type user_home_dir_t;
+               attribute user_home_type;
        ')
 
-       allow $1 user_home_t:dir list_dir_perms;
+       files_list_home($1)
+       allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
 ')
 
 ########################################
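Review bot: `userdom_list_user_home_content` now lists `{ user_home_dir_t user_home_type }` and no longer names `user_home_t` directly (L37301 removed, L37303 added), so listing `user_home_t` directories depends on `user_home_t` carrying the `user_home_type` attribute, which this hunk does not show; if `user_home_t` is not declared through `userdom_user_home_content`, callers lose the permission they had. The added `files_list_home($1)` also widens the interface to the home root, which the interface's summary (outside this hunk) should reflect. Note that `userdom_read_user_home_content_files` in the hunk at L37373 still targets `user_home_t` rather than the attribute, so the two interfaces now cover different sets of types.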
@@ -1638,34 +1922,53 @@ interface(`userdom_delete_user_home_content_dirs',`
 
 ########################################
 ## <summary>
-##     Do not audit attempts to set the
-##     attributes of user home files.
+##     Set the attributes of user home files.
 ## </summary>
 ## <param name="domain">
 ##     <summary>
-##     Domain to not audit.
+##     Domain allowed access.
 ##     </summary>
 ## </param>
+## <rolecap/>
 #
-interface(`userdom_dontaudit_setattr_user_home_content_files',`
+interface(`userdom_setattr_user_home_content_files',`
        gen_require(`
                type user_home_t;
        ')
 
-       dontaudit $1 user_home_t:file setattr_file_perms;
+       allow $1 user_home_t:file setattr;
 ')
 
 ########################################
 ## <summary>
-##     Mmap user home files.
+##     Do not audit attempts to set the
+##     attributes of user home files.
 ## </summary>
 ## <param name="domain">
 ##     <summary>
-##     Domain allowed access.
+##     Domain to not audit.
 ##     </summary>
 ## </param>
 #
-interface(`userdom_mmap_user_home_content_files',`
+interface(`userdom_dontaudit_setattr_user_home_content_files',`
+       gen_require(`
+               type user_home_t;
+       ')
+
+       dontaudit $1 user_home_t:file setattr_file_perms;
+')
+
+########################################
+## <summary>
+##     Mmap user home files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_mmap_user_home_content_files',`
        gen_require(`
                type user_home_dir_t, user_home_t;
        ')
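Review bot: The new `userdom_setattr_user_home_content_files` uses the bare permission in `allow $1 user_home_t:file setattr;` (L37330), whereas its dontaudit twin right below uses the perm set `setattr_file_perms` (L37352) and the rest of the file consistently uses perm-set macros. Writing it as `allow $1 user_home_t:file setattr_file_perms;` keeps the allow and dontaudit variants symmetric. The hunk's last interface, `userdom_mmap_user_home_content_files`, continues past the hunk end.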
@@ -1689,10 +1992,30 @@ interface(`userdom_read_user_home_content_files',`
                type user_home_dir_t, user_home_t;
        ')
 
+       list_dirs_pattern($1, { user_home_dir_t user_home_t }, { user_home_dir_t user_home_t })
        read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
        files_search_home($1)
 ')
 
+########################################
+## <summary>
+##     Do not audit attempts to getattr user home files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`userdom_dontaudit_getattr_user_home_content',`
+       gen_require(`
+               attribute user_home_type;
+       ')
+
+       dontaudit $1 user_home_type:dir getattr;
+       dontaudit $1 user_home_type:file getattr;
+')
+
 ########################################
 ## <summary>
 ##     Do not audit attempts to read user home files.
@@ -1705,11 +2028,14 @@ interface(`userdom_read_user_home_content_files',`
 #
 interface(`userdom_dontaudit_read_user_home_content_files',`
        gen_require(`
-               type user_home_t;
+               attribute user_home_type;
+               type user_home_dir_t;
        ')
 
-       dontaudit $1 user_home_t:dir list_dir_perms;
-       dontaudit $1 user_home_t:file read_file_perms;
+       dontaudit $1 user_home_dir_t:dir list_dir_perms;
+       dontaudit $1 user_home_type:dir list_dir_perms;
+       dontaudit $1 user_home_type:file read_file_perms;
+       dontaudit $1 user_home_type:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
@@ -1799,8 +2125,7 @@ interface(`userdom_read_user_home_content_symlinks',`
                type user_home_dir_t, user_home_t;
        ')
 
-       read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-       files_search_home($1)
+       allow $1 { user_home_dir_t user_home_t }:lnk_file  read_lnk_file_perms;
 ')
 
 ########################################
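Review bot: Replacing `read_lnk_files_pattern(...)` and `files_search_home($1)` with the bare `allow $1 { user_home_dir_t user_home_t }:lnk_file  read_lnk_file_perms;` (L37424) drops the directory search permissions the pattern macro and the home-root search granted, so a caller that only uses this interface to reach a symlink under a home directory may now be denied the path walk; if that narrowing is intentional it deserves a comment, otherwise keep `files_search_home($1)`. There is also a double space before `read_lnk_file_perms` on L37424. The enclosing interface starts outside this hunk.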
@@ -1816,20 +2141,14 @@ interface(`userdom_read_user_home_content_symlinks',`
 #
 interface(`userdom_exec_user_home_content_files',`
        gen_require(`
-               type user_home_dir_t, user_home_t;
+               type user_home_dir_t;
+               attribute user_home_type;
        ')
 
        files_search_home($1)
-       exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-
-       tunable_policy(`use_nfs_home_dirs',`
-               fs_exec_nfs_files($1)
-       ')
-
-       tunable_policy(`use_samba_home_dirs',`
-               fs_exec_cifs_files($1)
+       exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+       dontaudit $1 user_home_type:sock_file execute;
        ')
-')
 
 ########################################
 ## <summary>
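Review bot: With the unindented closer on L37449 removed, `userdom_exec_user_home_content_files` now ends with the tab-indented `')` kept on L37448, which was the closer of the deleted `tunable_policy` block; every other interface in this file closes with `')` at column 0, so the line should be dedented. The hunk also removes the `use_nfs_home_dirs`/`use_samba_home_dirs` exec grants without a replacement visible here; if they were not moved elsewhere, executing home content on NFS or CIFS homes regresses for callers of this interface.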
@@ -2171,7 +2490,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
                type user_tmp_t;
        ')
 
-       dontaudit $1 user_tmp_t:file read_file_perms;
+       dontaudit $1 user_tmp_t:file read_inherited_file_perms;
 ')
 
 ########################################
@@ -2424,13 +2743,14 @@ interface(`userdom_read_user_tmpfs_files',`
        ')
 
        read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+       read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
        allow $1 user_tmpfs_t:dir list_dir_perms;
        fs_search_tmpfs($1)
 ')
 
 ########################################
 ## <summary>
-##     Read user tmpfs files.
+##     Read/Write user tmpfs files.
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -2449,26 +2769,6 @@ interface(`userdom_rw_user_tmpfs_files',`
        fs_search_tmpfs($1)
 ')
 
-########################################
-## <summary>
-##     Create, read, write, and delete user tmpfs files.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`userdom_manage_user_tmpfs_files',`
-       gen_require(`
-               type user_tmpfs_t;
-       ')
-
-       manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-       allow $1 user_tmpfs_t:dir list_dir_perms;
-       fs_search_tmpfs($1)
-')
-
 ########################################
 ## <summary>
 ##     Get the attributes of a user domain tty.
@@ -2804,7 +3104,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
 
        domain_entry_file_spec_domtrans($1, unpriv_userdomain)
        allow unpriv_userdomain $1:fd use;
-       allow unpriv_userdomain $1:fifo_file rw_file_perms;
+       allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms;
        allow unpriv_userdomain $1:process sigchld;
 ')
 
@@ -2820,11 +3120,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
 #
 interface(`userdom_search_user_home_content',`
        gen_require(`
-               type user_home_dir_t, user_home_t;
+               type user_home_dir_t;
+               attribute user_home_type;
        ')
 
        files_list_home($1)
-       allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
+       allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
+       allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
@@ -2906,7 +3208,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
                type user_devpts_t;
        ')
 
-       dontaudit $1 user_devpts_t:chr_file rw_file_perms;
+       dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms;
 ')
 
 ########################################
@@ -2961,7 +3263,45 @@ interface(`userdom_write_user_tmp_files',`
                type user_tmp_t;
        ')
 
-       allow $1 user_tmp_t:file write_file_perms;
+       write_files_pattern($1, user_tmp_t, user_tmp_t)
+')
+
+########################################
+## <summary>
+##     Do not audit attempts to write users
+##     temporary files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`userdom_dontaudit_write_user_tmp_files',`
+       gen_require(`
+               type user_tmp_t;
+       ')
+
+       dontaudit $1 user_tmp_t:file write;
+')
+
+########################################
+## <summary>
+##     Do not audit attempts to read/write users
+##     temporary fifo files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`userdom_dontaudit_rw_user_tmp_pipes',`
+       gen_require(`
+               type user_tmp_t;
+       ')
+
+       dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 
 ########################################
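Review bot: `dontaudit $1 user_tmp_t:file write;` on L37563 uses a bare permission while the neighbouring interfaces use perm-set macros (`rw_inherited_fifo_file_perms` on L37582, and `write_files_pattern` on L37544 for the allow variant); `dontaudit $1 user_tmp_t:file write_file_perms;` would keep the convention and also silence the associated `open`/`lock` checks. The hunk's closing context on L37584 onward belongs to the next interface's banner.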
@@ -2998,6 +3338,7 @@ interface(`userdom_read_all_users_state',`
        ')
 
        read_files_pattern($1, userdomain, userdomain)
+       read_lnk_files_pattern($1,userdomain,userdomain)
        kernel_search_proc($1)
 ')
 
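Review bot: The added `read_lnk_files_pattern($1,userdomain,userdomain)` on L37590 omits the spaces after the commas that the line directly above it uses; `read_lnk_files_pattern($1, userdomain, userdomain)` matches the file's style. The enclosing interface starts outside this hunk.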
@@ -3128,3 +3469,854 @@ interface(`userdom_dbus_send_all_users',`
 
        allow $1 userdomain:dbus send_msg;
 ')
+
+########################################
+## <summary>
+##     Allow apps to set rlimits on userdomain
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_set_rlimitnh',`
+       gen_require(`
+               attribute userdomain;
+       ')
+
+       allow $1 userdomain:process rlimitinh;
+')
+
+########################################
+## <summary>
+##     Define this type as a Allow apps to set rlimits on userdomain
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="userdomain_prefix">
+##     <summary>
+##     The prefix of the user domain (e.g., user
+##     is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+template(`userdom_unpriv_usertype',`
+       gen_require(`
+               attribute unpriv_userdomain, userdomain;
+               attribute $1_usertype;
+       ')
+       typeattribute $2  $1_usertype;
+       typeattribute $2  unpriv_userdomain;
+       typeattribute $2  userdomain;
+
+       ubac_constrained($2)
+')
+
+########################################
+## <summary>
+##     Connect to users over an unix stream socket.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_stream_connect',`
+       gen_require(`
+               type user_tmp_t;
+               attribute userdomain;
+       ')
+
+       stream_connect_pattern($1, user_tmp_t, user_tmp_t, userdomain)
+')
+
+########################################
+## <summary>
+##     Ptrace user domains.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_ptrace_all_users',`
+       gen_require(`
+               attribute userdomain;
+       ')
+
+       allow $1 userdomain:process ptrace;
+')
+
+########################################
+## <summary>
+##     dontaudit Search /root
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_dontaudit_search_admin_dir',`
+       gen_require(`
+               type admin_home_t;
+       ')
+
+       dontaudit $1 admin_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##     dontaudit list /root
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_dontaudit_list_admin_dir',`
+       gen_require(`
+               type admin_home_t;
+       ')
+
+       dontaudit $1 admin_home_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##     Allow domain to  list /root
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_list_admin_dir',`
+       gen_require(`
+               type admin_home_t;
+       ')
+
+       allow $1 admin_home_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##     Allow Search /root
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_search_admin_dir',`
+       gen_require(`
+               type admin_home_t;
+       ')
+
+       allow $1 admin_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##     RW unpriviledged user SysV sempaphores.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_rw_semaphores',`
+       gen_require(`
+               attribute unpriv_userdomain;
+       ')
+
+       allow $1 unpriv_userdomain:sem rw_sem_perms;
+')
+
+########################################
+## <summary>
+##     Send a message to unpriv users over a unix domain
+##     datagram socket.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_dgram_send',`
+       gen_require(`
+               attribute unpriv_userdomain;
+       ')
+
+       allow $1 unpriv_userdomain:unix_dgram_socket sendto;
+')
+
+######################################
+## <summary>
+##      Send a message to users over a unix domain
+##      datagram socket.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`userdom_users_dgram_send',`
+        gen_require(`
+                 attribute userdomain;
+      ')
+
+       allow $1 userdomain:unix_dgram_socket sendto;
+')
+
+#######################################
+## <summary>
+##     Allow execmod on files in homedirectory 
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolebase/>
+#
+interface(`userdom_execmod_user_home_files',`
+       gen_require(`
+               type user_home_type;
+       ')
+
+       allow $1 user_home_type:file execmod;
+')
+
+########################################
+## <summary>
+##     Read admin home files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_read_admin_home_files',`
+       gen_require(`
+               type admin_home_t;
+       ')
+
+       read_files_pattern($1, admin_home_t, admin_home_t)
+')
+
+########################################
+## <summary>
+##     Execute admin home files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_exec_admin_home_files',`
+       gen_require(`
+               type admin_home_t;
+       ')
+
+       exec_files_pattern($1, admin_home_t, admin_home_t)
+')
+
+########################################
+## <summary>
+##     Append files inherited
+##     in the /root directory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_inherit_append_admin_home_files',`
+       gen_require(`
+               type admin_home_t;
+       ')
+
+       allow $1 admin_home_t:file { getattr append };
+')
+
+
+#######################################
+## <summary>
+##     Manage all files/directories in the homedir
+## </summary>
+## <param name="userdomain">
+##     <summary>
+##     The user domain
+##     </summary>
+## </param>
+## <rolebase/>
+#
+interface(`userdom_manage_user_home_content',`
+       gen_require(`
+               type user_home_dir_t, user_home_t;
+               attribute user_home_type;
+       ')
+
+       files_list_home($1)
+       manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+       manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+       manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+       manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+       manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+       filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
+
+')
+
+
+########################################
+## <summary>
+##     Create objects in a user home directory
+##     with an automatic type transition to
+##     the user home file type.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="object_class">
+##     <summary>
+##     The class of the object to be created.
+##     </summary>
+## </param>
+#
+interface(`userdom_user_home_dir_filetrans_pattern',`
+       gen_require(`
+               type user_home_dir_t, user_home_t;
+       ')
+
+       type_transition $1 user_home_dir_t:$2 user_home_t;
+')
+
+########################################
+## <summary>
+##     Create objects in the /root directory
+##     with an automatic type transition to
+##     a specified private type.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="private_type">
+##     <summary>
+##     The type of the object to create.
+##     </summary>
+## </param>
+## <param name="object_class">
+##     <summary>
+##     The class of the object to be created.
+##     </summary>
+## </param>
+#
+interface(`userdom_admin_home_dir_filetrans',`
+       gen_require(`
+               type admin_home_t;
+       ')
+
+       filetrans_pattern($1, admin_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+##     Send signull to unprivileged user domains.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_signull_unpriv_users',`
+       gen_require(`
+               attribute unpriv_userdomain;
+       ')
+
+       allow $1 unpriv_userdomain:process signull;
+')
+
+########################################
+## <summary>
+##     Write all users files in /tmp
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_write_user_tmp_dirs',`
+       gen_require(`
+               type user_tmp_t;
+       ')
+
+       write_files_pattern($1, user_tmp_t, user_tmp_t)
+')
+
+########################################
+## <summary>
+##     Manage keys for all user domains.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_manage_all_users_keys',`
+       gen_require(`
+               attribute userdomain;
+       ')
+
+       allow $1 userdomain:key manage_key_perms;
+')
+
+
+########################################
+## <summary>
+##     Do not audit attempts to read and write
+##     unserdomain stream.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`userdom_dontaudit_rw_stream',`
+       gen_require(`
+               attribute userdomain;
+       ')
+
+       dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+##     Append files
+##     in a user home subdirectory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_append_user_home_content_files',`
+       gen_require(`
+               type user_home_dir_t, user_home_t;
+       ')
+
+       append_files_pattern($1, user_home_t, user_home_t)
+       allow $1 user_home_dir_t:dir search_dir_perms;
+       files_search_home($1)
+')
+
+########################################
+## <summary>
+##     Read files inherited
+##     in a user home subdirectory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_read_inherited_user_home_content_files',`
+       gen_require(`
+               attribute user_home_type;
+       ')
+
+       allow $1 user_home_type:file { getattr read };
+')
+
+########################################
+## <summary>
+##     Append files inherited
+##     in a user home subdirectory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_inherit_append_user_home_content_files',`
+       gen_require(`
+               type user_home_t;
+       ')
+
+       allow $1 user_home_t:file { getattr append };
+')
+
+########################################
+## <summary>
+##     Append files inherited
+##     in a user tmp files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_inherit_append_user_tmp_files',`
+       gen_require(`
+               type user_tmp_t;
+       ')
+
+       allow $1 user_tmp_t:file { getattr append };
+')
+
+######################################
+## <summary>
+##      Read audio files in the users homedir.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_read_home_audio_files',`
+        gen_require(`
+                type audio_home_t;
+        ')
+
+        userdom_search_user_home_dirs($1)
+        allow $1 audio_home_t:dir list_dir_perms;
+        read_files_pattern($1, audio_home_t, audio_home_t)
+        read_lnk_files_pattern($1, audio_home_t, audio_home_t)
+')
+
+########################################
+## <summary>
+##     Read system SSL certificates in the users homedir.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_read_home_certs',`
+       gen_require(`
+               type home_cert_t;
+       ')
+
+       userdom_search_user_home_dirs($1)
+       allow $1 home_cert_t:dir list_dir_perms;
+       read_files_pattern($1, home_cert_t, home_cert_t)
+       read_lnk_files_pattern($1, home_cert_t, home_cert_t)
+')
+
+########################################
+## <summary>
+##     dontaudit Search getatrr /root files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_dontaudit_getattr_admin_home_files',`
+       gen_require(`
+               type admin_home_t;
+       ')
+
+       dontaudit $1 admin_home_t:file getattr;
+')
+
+########################################
+## <summary>
+##     dontaudit read /root lnk files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_dontaudit_read_admin_home_lnk_files',`
+       gen_require(`
+               type admin_home_t;
+       ')
+
+       dontaudit $1 admin_home_t:lnk_file read;
+')
+
+########################################
+## <summary>
+##     dontaudit read /root files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_dontaudit_read_admin_home_files',`
+       gen_require(`
+               type admin_home_t;
+       ')
+
+       dontaudit $1 admin_home_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##     Create, read, write, and delete user
+##     temporary chr files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_manage_user_tmp_chr_files',`
+       gen_require(`
+               type user_tmp_t;
+       ')
+
+       manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
+       files_search_tmp($1)
+')
+
+########################################
+## <summary>
+##     Create, read, write, and delete user
+##     temporary blk files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_manage_user_tmp_blk_files',`
+       gen_require(`
+               type user_tmp_t;
+       ')
+
+       manage_blk_files_pattern($1, user_tmp_t, user_tmp_t)
+       files_search_tmp($1)
+')
+
+########################################
+## <summary>
+##     Dontaudit attempt to set attributes on  user temporary directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_dontaudit_setattr_user_tmp',`
+       gen_require(`
+               type user_tmp_t;
+       ')
+
+       dontaudit $1 user_tmp_t:dir setattr;
+')
+
+########################################
+## <summary>
+##     Write all inherited users files in /tmp
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_write_inherited_user_tmp_files',`
+       gen_require(`
+               type user_tmp_t;
+       ')
+
+       allow $1 user_tmp_t:file write;
+')
+
+########################################
+## <summary>
+##     Delete all users files in /tmp
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_delete_user_tmp_files',`
+       gen_require(`
+               type user_tmp_t;
+       ')
+
+       allow $1 user_tmp_t:file delete_file_perms;
+')
+
+########################################
+## <summary>
+##     Delete user tmpfs files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_delete_user_tmpfs_files',`
+       gen_require(`
+               type user_tmpfs_t;
+       ')
+
+       allow $1 user_tmpfs_t:file delete_file_perms;
+')
+
+########################################
+## <summary>
+##     Read/Write unpriviledged user SysV shared
+##     memory segments.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_rw_unpriv_user_shared_mem',`
+       gen_require(`
+               attribute unpriv_userdomain;
+       ')
+
+       allow $1 unpriv_userdomain:shm rw_shm_perms;
+')
+
+########################################
+## <summary>
+##     Do not audit attempts to search user
+##     temporary directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`userdom_dontaudit_search_user_tmp',`
+       gen_require(`
+               type user_tmp_t;
+       ')
+
+       dontaudit $1 user_tmp_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##     Execute a file in a user home directory
+##     in the specified domain.
+## </summary>
+## <desc>
+##     <p>
+##     Execute a file in a user home directory
+##     in the specified domain.
+##     </p>
+##     <p>
+##     No interprocess communication (signals, pipes,
+##     etc.) is provided by this interface since
+##     the domains are not owned by this module.
+##     </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="target_domain">
+##     <summary>
+##     The type of the new process.
+##     </summary>
+## </param>
+#
+interface(`userdom_domtrans_user_home',`
+       gen_require(`
+               type user_home_t;
+       ')
+
+       read_lnk_files_pattern($1, user_home_t, user_home_t)
+       domain_transition_pattern($1, user_home_t, $2)
+       type_transition $1 user_home_t:process $2;
+')
+
+########################################
+## <summary>
+##     Execute a file in a user tmp directory
+##     in the specified domain.
+## </summary>
+## <desc>
+##     <p>
+##     Execute a file in a user tmp directory
+##     in the specified domain.
+##     </p>
+##     <p>
+##     No interprocess communication (signals, pipes,
+##     etc.) is provided by this interface since
+##     the domains are not owned by this module.
+##     </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="target_domain">
+##     <summary>
+##     The type of the new process.
+##     </summary>
+## </param>
+#
+interface(`userdom_domtrans_user_tmp',`
+       gen_require(`
+               type user_tmp_t;
+       ')
+
+       files_search_tmp($1)
+       read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
+       domain_transition_pattern($1, user_tmp_t, $2)
+       type_transition $1 user_tmp_t:process $2;
+')
index 60937f05b3bacd39cc4c018d9367750c895e530c..0aa5ce3b39ae851653269a197299789499afff02 100644 (file)
@@ -41,6 +41,13 @@ gen_tunable(user_dmesg, false)
 ## </desc>
 gen_tunable(user_rw_noexattrfile, false)
 
+## <desc>
+## <p>
+## Allow user processes to change their priority 
+## </p>
+## </desc>
+gen_tunable(user_setrlimit, false)
+
 ## <desc>
 ## <p>
 ## Allow w to display everyone
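Review bot: The description of the new `user_setrlimit` tunable does not match its name: the `<desc>` text says it lets user processes change their priority, but setrlimit is about resource limits (RLIMIT_*), and this text is what `semanage boolean -l` shows an administrator deciding whether to enable it. If the tunable gates setrlimit, change the description to `## Allow user processes to raise their own resource limits (setrlimit)`; if it really gates scheduling-priority changes, rename the tunable instead. The rules the tunable controls are not in this hunk, so which of the two is intended cannot be confirmed here.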
@@ -59,6 +66,15 @@ attribute unpriv_userdomain;
 attribute untrusted_content_type;
 attribute untrusted_content_tmp_type;
 
+# unprivileged user domains
+attribute user_home_type;
+
+type admin_home_t;
+files_type(admin_home_t)
+files_associate_tmp(admin_home_t)
+fs_associate_tmpfs(admin_home_t)
+files_mountpoint(admin_home_t)
+
 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
 fs_associate_tmpfs(user_home_dir_t)
 files_type(user_home_dir_t)
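Review bot: The comment above `attribute user_home_type;` reads `# unprivileged user domains`, but the attribute groups file types, not domains: the only visible member is `user_home_t` (`typeattribute user_home_t user_home_type;` later in this file), and `userdom_read_inherited_user_home_content_files` in userdomain.if grants `file { getattr read }` on everything carrying it. Replace the comment with `# attribute for user home content file types (used by the userdom_*_user_home_content_* interfaces)`. Because that inherited-read interface covers the whole attribute, any type later attached to it becomes readable through it, so additions should be deliberate and commented.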
@@ -71,18 +87,21 @@ ubac_constrained(user_home_dir_t)
 
 type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
 typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
+typeattribute user_home_t user_home_type;
 userdom_user_home_content(user_home_t)
 fs_associate_tmpfs(user_home_t)
 files_associate_tmp(user_home_t)
+files_poly_member(user_home_t)
 files_poly_parent(user_home_t)
 files_mountpoint(user_home_t)
+ubac_constrained(user_home_t)
 
 type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
 dev_node(user_devpts_t)
 files_type(user_devpts_t)
 ubac_constrained(user_devpts_t)
 
-type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
+type user_tmp_t alias { winbind_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
 typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
 files_tmp_file(user_tmp_t)
 userdom_user_home_content(user_tmp_t)
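Review bot: Making `winbind_tmp_t` and `sshd_tmp_t` aliases of `user_tmp_t` merges two daemon-private /tmp types into the shared user tmp type, so every interface that grants access to `user_tmp_t` (for example `userdom_write_user_tmp_dirs`, `userdom_delete_user_tmp_files` and `userdom_manage_user_tmp_chr_files` in userdomain.if) now also reaches whatever sshd and winbind create under /tmp, and any domain that had `sshd_tmp_t` access now reaches ordinary user tmp files. If that widening is intended, say why next to the alias, e.g. `# sshd and winbind tmp content is handed to the logged-in user domain, so these are aliased rather than kept private`; otherwise keep the types distinct and grant the specific access needed. The sshd/winbind rules that used the old types are not in this diff, so the set of affected callers cannot be checked here.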
@@ -94,3 +113,25 @@ userdom_user_home_content(user_tmpfs_t)
 type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
 dev_node(user_tty_device_t)
 ubac_constrained(user_tty_device_t)
+
+type audio_home_t;
+userdom_user_home_content(audio_home_t)
+ubac_constrained(audio_home_t)
+
+type home_bin_t;
+userdom_user_home_content(home_bin_t)
+ubac_constrained(home_bin_t)
+
+type home_cert_t;
+miscfiles_cert_type(home_cert_t)
+userdom_user_home_content(home_cert_t)
+ubac_constrained(home_cert_t)
+
+tunable_policy(`allow_console_login',`
+       term_use_console(userdomain)
+')
+
+allow userdomain userdomain:process signull;
+
+# Nautilus causes this avc
+dontaudit unpriv_userdomain self:dir setattr;
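Review bot: `allow userdomain userdomain:process signull;` lets every user domain probe for the existence of every other user domain's processes, across UIDs and across confined/unconfined roles, because the rule is attribute-to-attribute rather than `self`. Whether UBAC or MLS constraints narrow this is not visible here; if only same-domain probing is needed, `allow userdomain self:process signull;` suffices, and if the cross-domain case is deliberate note it in a comment, since userdomain.if already exposes `userdom_signull_unpriv_users` as the opt-in form. Separately, `home_cert_t` is made a `miscfiles_cert_type`, so any domain allowed to read all certificate types will read user-home certificate directories too; a comment stating that this location is expected to hold only public material (not private keys) would make that grant reviewable.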
index 8c827f8fa5540a037c6cf577507aa6cb4590771e..744fa641a1cc1b2c0c9edcfafee98d419b746d3e 100644 (file)
@@ -1,7 +1,5 @@
 /dev/xen/tapctrl.*     -p      gen_context(system_u:object_r:xenctl_t,s0)
 
-/usr/bin/virsh         --      gen_context(system_u:object_r:xm_exec_t,s0)
-
 /usr/sbin/evtchnd      --      gen_context(system_u:object_r:evtchnd_exec_t,s0)
 
 ifdef(`distro_debian',`
index 77d41b649a0c2f38b816d09d2a0afce1422ff5b4..4aa96c6de19f0bc85e1936699fda9082b4e6220d 100644 (file)
@@ -87,6 +87,26 @@ interface(`xen_read_image_files',`
 ##     </summary>
 ## </param>
 #
+interface(`xen_manage_image_dirs',`
+       gen_require(`
+               type xend_var_lib_t;
+       ')
+
+       files_list_var_lib($1)
+       manage_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
+')
+
+########################################
+## <summary>
+##     Allow the specified domain to read/write
+##     xend image files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to transition.
+##     </summary>
+## </param>
+#
 interface(`xen_rw_image_files',`
        gen_require(`
                type xen_image_t, xend_var_lib_t;
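Review bot: The doc block inserted above `xen_rw_image_files` carries a copy-paste error: its `<param name="domain">` summary says `Domain allowed to transition.` although the interface grants read/write on image files and no transition, so it should read `Domain allowed access.`. The new `xen_manage_image_dirs` also sits directly under the doc block that previously described `xen_rw_image_files` (the `## </param>` / `#` context lines at the top of the hunk), so whatever `<summary>` that block carries now documents the wrong interface unless it was also rewritten above this hunk; give the new interface its own header, e.g. `## Create, read, write, and delete xend image directories.`.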
@@ -213,8 +233,9 @@ interface(`xen_stream_connect',`
 interface(`xen_domtrans_xm',`
        gen_require(`
                type xm_t, xm_exec_t;
+               attribute virsh_transition_domain;
        ')
-
+       typeattribute $1 virsh_transition_domain;
        domtrans_pattern($1, xm_exec_t, xm_t)
 ')
 
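Review bot: `xen_domtrans_xm` now requires `attribute virsh_transition_domain` and tags the caller with it, but the attribute this commit declares in xen.te is `xm_transition_domain` (`attribute xm_transition_domain;` in the declarations hunk) and nothing else in the visible diff references that name, so one of the two looks like a leftover. The interface also still requires `xm_t` and `xm_exec_t`, whose declarations are removed from xen.te in this same commit; unless another module (presumably virt) re-declares or aliases them, the interface will fail to link. Make the require match whichever attribute really exists, drop the dead declaration, and add a comment in xen.te such as `# xm_t/xm_exec_t are now provided by the virt module` so the next reader knows where they went.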
@@ -230,7 +251,7 @@ interface(`xen_domtrans_xm',`
 #
 interface(`xen_stream_connect_xm',`
        gen_require(`
-               type xm_t;
+               type xm_t, xenstored_var_run_t;
        ')
 
        files_search_pids($1)
index f661f5a5ff8176f6f819e8d98d1cf17fbac063f8..600d43fc216543659ede7e562ba6ca5d42d2c473 100644 (file)
@@ -4,6 +4,7 @@ policy_module(xen, 1.10.0)
 #
 # Declarations
 #
+attribute xm_transition_domain;
 
 ## <desc>
 ## <p>
@@ -34,6 +35,7 @@ type xen_image_t; # customizable
 files_type(xen_image_t)
 # xen_image_t can be assigned to blk devices
 dev_node(xen_image_t)
+virt_image(xen_image_t)
 
 type xenctl_t;
 files_type(xenctl_t)
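Review bot: `virt_image(xen_image_t)` is a bare call, which makes xen.te hard-depend on the virt module and exports Xen disk images (including the block devices `dev_node(xen_image_t)` covers) to every virt interface that operates on the virt image attribute; the exact access those interfaces grant is not in this diff. The other cross-module calls in this file are wrapped (`brctl_domtrans(xend_t)` below, and the `virt_domtrans(xm_t)` group being removed was too), and the later `virt_read_config(xend_t)` in this commit has the same problem. Wrap both in `optional_policy(` … `')` and add a one-line comment saying why libvirt-managed domains are meant to reach Xen images.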
@@ -89,11 +91,6 @@ init_daemon_domain(xenconsoled_t, xenconsoled_exec_t)
 type xenconsoled_var_run_t;
 files_pid_file(xenconsoled_var_run_t)
 
-type xm_t;
-type xm_exec_t;
-domain_type(xm_t)
-init_system_domain(xm_t, xm_exec_t)
-
 #######################################
 #
 # evtchnd local policy
@@ -113,7 +110,7 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
 # xend local policy
 #
 
-allow xend_t self:capability { mknod dac_override ipc_lock net_admin setuid sys_nice sys_ptrace sys_tty_config net_raw };
+allow xend_t self:capability { mknod dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_ptrace sys_tty_config net_raw };
 dontaudit xend_t self:capability { sys_ptrace };
 allow xend_t self:process { signal sigkill };
 dontaudit xend_t self:process ptrace;
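Review bot: The new `sys_admin` capability for `xend_t` is the broadest capability there is (mount, namespace and a long list of privileged ioctls) and is added without any note of which operation needed it; `xend_t` already has `mount_domtrans` plus `setuid sys_nice sys_ptrace net_admin`, so this further erodes the value of confining it. Record the triggering operation next to the rule, e.g. `# sys_admin: required for <syscall/ioctl> during <operation>`, and check whether a narrower existing interface (a storage_ or fs_ one) covers the need instead. The pre-existing `dontaudit xend_t self:capability { sys_ptrace }` on the next line is redundant with `sys_ptrace` in the allow set, though that is not introduced here.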
@@ -228,6 +225,7 @@ logging_send_syslog_msg(xend_t)
 lvm_domtrans(xend_t)
 
 miscfiles_read_localization(xend_t)
+miscfiles_read_hwdata(xend_t)
 
 mount_domtrans(xend_t)
 
@@ -245,6 +243,8 @@ xen_stream_connect_xenstore(xend_t)
 
 netutils_domtrans(xend_t)
 
+virt_read_config(xend_t)
+
 optional_policy(`
        brctl_domtrans(xend_t)
 ')
@@ -317,9 +317,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
 files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
 
 # pid file
+manage_dirs_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
 manage_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
 manage_sock_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
-files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file })
+files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file dir })
 
 # log files
 manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
@@ -346,6 +347,7 @@ dev_read_sysfs(xenstored_t)
 
 files_read_usr_files(xenstored_t)
 
+fs_search_xenfs(xenstored_t)
 fs_manage_xenfs_files(xenstored_t)
 
 storage_raw_read_fixed_disk(xenstored_t)
@@ -353,6 +355,7 @@ storage_raw_write_fixed_disk(xenstored_t)
 storage_raw_read_removable_device(xenstored_t)
 
 term_use_generic_ptys(xenstored_t)
+term_use_console(xenconsoled_t)
 
 init_use_fds(xenstored_t)
 init_use_script_ptys(xenstored_t)
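Review bot: `term_use_console(xenconsoled_t)` is inserted in the xenstored local-policy section, where every surrounding rule is for `xenstored_t`, so someone auditing xenconsoled's permissions will not find it where they look. Move it to the xenconsoled section of the file, and because console access lets the daemon read and write the physical console, add a comment stating which operation needs it, e.g. `# xenconsoled: console access needed for <reason>`; the motivating denial is not shown in this diff.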
@@ -363,100 +366,11 @@ miscfiles_read_localization(xenstored_t)
 
 xen_append_log(xenstored_t)
 
-########################################
-#
-# xm local policy
-#
-
-allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
-allow xm_t self:process { getsched signal };
-
-# internal communication is often done using fifo and unix sockets.
-allow xm_t self:fifo_file rw_fifo_file_perms;
-allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow xm_t self:tcp_socket create_stream_socket_perms;
-
-manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
-manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
-manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
-files_search_var_lib(xm_t)
-
-allow xm_t xen_image_t:dir rw_dir_perms;
-allow xm_t xen_image_t:file read_file_perms;
-allow xm_t xen_image_t:blk_file read_blk_file_perms;
-
-kernel_read_system_state(xm_t)
-kernel_read_kernel_sysctls(xm_t)
-kernel_read_sysctl(xm_t)
-kernel_read_xen_state(xm_t)
-kernel_write_xen_state(xm_t)
-
-corecmd_exec_bin(xm_t)
-corecmd_exec_shell(xm_t)
-
-corenet_tcp_sendrecv_generic_if(xm_t)
-corenet_tcp_sendrecv_generic_node(xm_t)
-corenet_tcp_connect_soundd_port(xm_t)
-
-dev_read_urand(xm_t)
-dev_read_sysfs(xm_t)
-
-files_read_etc_runtime_files(xm_t)
-files_read_usr_files(xm_t)
-files_list_mnt(xm_t)
-# Some common macros (you might be able to remove some)
-files_read_etc_files(xm_t)
-
-fs_getattr_all_fs(xm_t)
-fs_manage_xenfs_dirs(xm_t)
-fs_manage_xenfs_files(xm_t)
-
-storage_raw_read_fixed_disk(xm_t)
-
-term_use_all_terms(xm_t)
-
-init_stream_connect_script(xm_t)
-init_rw_script_stream_sockets(xm_t)
-init_use_fds(xm_t)
-
-miscfiles_read_localization(xm_t)
-
-sysnet_dns_name_resolve(xm_t)
-
-xen_append_log(xm_t)
-xen_stream_connect(xm_t)
-xen_stream_connect_xenstore(xm_t)
-
-optional_policy(`
-       dbus_system_bus_client(xm_t)
-
-       optional_policy(`
-               hal_dbus_chat(xm_t)
-       ')
-')
-
-optional_policy(`
-       virt_domtrans(xm_t)
-       virt_manage_images(xm_t)
-       virt_manage_config(xm_t)
-       virt_stream_connect(xm_t)
-')
-
 ########################################
 #
 # SSH component local policy
 #
 optional_policy(`
-       ssh_basic_client_template(xm, xm_t, system_r)
-
-       kernel_read_xen_state(xm_ssh_t)
-       kernel_write_xen_state(xm_ssh_t)
-
-       files_search_tmp(xm_ssh_t)
-
-       fs_manage_xenfs_dirs(xm_ssh_t)
-       fs_manage_xenfs_files(xm_ssh_t)
-
        #Should have a boolean wrapping these
        fs_list_auto_mountpoints(xend_t)
        files_search_mnt(xend_t)
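Review bot: After `ssh_basic_client_template(xm, …)` and the `xm_ssh_t` rules are removed, the block headed `# SSH component local policy` contains nothing SSH-related: only `xend_t` mount-point and NFS rules remain, still inside the outer `optional_policy(` that existed for the ssh module. Rename the header to `# xend: auto-mountpoint and NFS access`, and either drop the outer wrapper or say which optional module it now guards, since `fs_*` and `files_*` interfaces come from base and need none. The `#Should have a boolean wrapping these` note is now easy to act on because the block is xend-only.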
@@ -469,8 +383,4 @@ optional_policy(`
                fs_manage_nfs_files(xend_t)
                fs_read_nfs_symlinks(xend_t)
        ')
-
-       optional_policy(`
-               unconfined_domain(xend_t)
-       ')
 ')
index 22ca0115783f50d602e1b95dbfdc2e7463d420f1..df6b5de210fb9b0862b7071580dcd149f8ba4bf4 100644 (file)
@@ -15,7 +15,7 @@ define(`spec_domtrans_pattern',`
        domain_transition_pattern($1,$2,$3)
 
        allow $3 $1:fd use;
-       allow $3 $1:fifo_file rw_fifo_file_perms;
+       allow $3 $1:fifo_file rw_inherited_fifo_file_perms;
        allow $3 $1:process sigchld;
 ')
 
@@ -34,8 +34,12 @@ define(`domtrans_pattern',`
        domain_auto_transition_pattern($1,$2,$3)
 
        allow $3 $1:fd use;
-       allow $3 $1:fifo_file rw_fifo_file_perms;
+       allow $3 $1:fifo_file rw_inherited_fifo_file_perms;
        allow $3 $1:process sigchld;
+
+       ifdef(`hide_broken_symptoms', `
+               dontaudit $3 $1:socket_class_set { read write };
+       ')
 ')
 
 #
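Review bot: The `hide_broken_symptoms` branch dontaudits `read write` on the whole `socket_class_set` for every socket the child inherits from the parent domain, and that set is widened in obj_perm_sets.spt in this same commit to include `socket` and `tun_socket`, so with the flag on no leaked-socket access across any domain transition will ever reach the audit log. Leaked descriptors are exactly what the switch to `rw_inherited_fifo_file_perms` above is meant to expose, so consider narrowing the rule to the classes that commonly leak, `dontaudit $3 $1:{ unix_stream_socket unix_dgram_socket } { read write };`, or keep it blanket but document that the flag is for release builds only. The `domtrans_pattern` definition begins above this hunk.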
index b785e35a319a491dd7b34306b0561ad87fed6f29..d9b0868d613dbf01ea51d4e80583913371ee6aec 100644 (file)
@@ -28,7 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
 #
 # All socket classes.
 #
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }')
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
 
 
 #
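Review bot: Adding `tun_socket` (and the generic `socket` class) to `socket_class_set` silently widens every existing `allow` that uses the set, not only dontaudit rules: a domain granted e.g. `socket_class_set create_socket_perms` for ordinary networking now also gets `tun_socket create`, which is the ability to create or attach to a TUN/TAP interface and is normally reserved for VPN and virtualization domains. The rules that use the set are outside this diff, so the blast radius cannot be confirmed here. If the set must grow, grep the allow rules that use it before merging and add a comment such as `# includes tun_socket: use this set only in dontaudit/neverallow, grant tun_socket explicitly elsewhere`.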
@@ -105,7 +105,7 @@ define(`mount_fs_perms', `{ mount remount unmount getattr }')
 #
 # Permissions for using sockets.
 # 
-define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
+define(`rw_socket_perms', `{ ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }')
 
 #
 # Permissions for creating and using sockets.
@@ -199,12 +199,14 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
 #
 define(`getattr_file_perms',`{ getattr }')
 define(`setattr_file_perms',`{ setattr }')
-define(`read_file_perms',`{ getattr open read lock ioctl }')
+define(`read_inherited_file_perms',`{ getattr read ioctl lock }')
+define(`read_file_perms',`{ open read_inherited_file_perms }')
 define(`mmap_file_perms',`{ getattr open read execute ioctl }')
 define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
 define(`append_file_perms',`{ getattr open append lock ioctl }')
 define(`write_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
+define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
+define(`rw_file_perms',`{ open rw_inherited_file_perms }')
 define(`create_file_perms',`{ getattr create open }')
 define(`rename_file_perms',`{ getattr rename }')
 define(`delete_file_perms',`{ getattr unlink }')
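Review bot: The new `read_inherited_file_perms`/`rw_inherited_file_perms` sets have no append/write counterparts, and userdomain.if in this same commit hand-rolls them inconsistently: `userdom_inherit_append_user_home_content_files` and `userdom_inherit_append_user_tmp_files` use `{ getattr append }` without `ioctl lock`, `userdom_read_inherited_user_home_content_files` uses `{ getattr read }` instead of `read_inherited_file_perms`, and `userdom_write_inherited_user_tmp_files` grants bare `write` with no `getattr` at all. Define the missing sets here beside the others, ``define(`append_inherited_file_perms',`{ getattr append lock ioctl }')`` and ``define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')``, so those interfaces can use them. A one-line comment above the group, `# *_inherited_* sets omit open: they apply only to descriptors received from another domain`, would also help readers unfamiliar with the convention.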
@@ -225,7 +227,7 @@ define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
 define(`create_lnk_file_perms',`{ create getattr }')
 define(`rename_lnk_file_perms',`{ getattr rename }')
 define(`delete_lnk_file_perms',`{ getattr unlink }')
-define(`manage_lnk_file_perms',`{ create read write getattr setattr link unlink rename }')
+define(`manage_lnk_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
 define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
 define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
 define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
@@ -238,7 +240,8 @@ define(`setattr_fifo_file_perms',`{ setattr }')
 define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
 define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
 define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')
+define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
+define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }')
 define(`create_fifo_file_perms',`{ getattr create open }')
 define(`rename_fifo_file_perms',`{ getattr rename }')
 define(`delete_fifo_file_perms',`{ getattr unlink }')
@@ -254,7 +257,8 @@ define(`getattr_sock_file_perms',`{ getattr }')
 define(`setattr_sock_file_perms',`{ setattr }')
 define(`read_sock_file_perms',`{ getattr open read }')
 define(`write_sock_file_perms',`{ getattr write open append }')
-define(`rw_sock_file_perms',`{ getattr open read write append }')
+define(`rw_inherited_sock_file_perms',`{ getattr read write append }')
+define(`rw_sock_file_perms',`{ open rw_inherited_sock_file_perms }')
 define(`create_sock_file_perms',`{ getattr create open }')
 define(`rename_sock_file_perms',`{ getattr rename }')
 define(`delete_sock_file_perms',`{ getattr unlink }')
@@ -271,7 +275,8 @@ define(`setattr_blk_file_perms',`{ setattr }')
 define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
 define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
 define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_blk_file_perms',`{ getattr open read write append ioctl lock }')
+define(`rw_inherited_blk_file_perms',`{ getattr read write append ioctl lock }')
+define(`rw_blk_file_perms',`{ open rw_inherited_blk_file_perms }')
 define(`create_blk_file_perms',`{ getattr create }')
 define(`rename_blk_file_perms',`{ getattr rename }')
 define(`delete_blk_file_perms',`{ getattr unlink }')
@@ -288,7 +293,8 @@ define(`setattr_chr_file_perms',`{ setattr }')
 define(`read_chr_file_perms',`{ getattr open read lock ioctl }')
 define(`append_chr_file_perms',`{ getattr open append lock ioctl }')
 define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }')
+define(`rw_inherited_chr_file_perms',`{ getattr read write append ioctl lock }')
+define(`rw_chr_file_perms',`{ open rw_inherited_chr_file_perms }')
 define(`create_chr_file_perms',`{ getattr create }')
 define(`rename_chr_file_perms',`{ getattr rename }')
 define(`delete_chr_file_perms',`{ getattr unlink }')
@@ -305,7 +311,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
 #
 # Use (read and write) terminals
 #
-define(`rw_term_perms', `{ getattr open read write ioctl }')
+define(`rw_inherited_term_perms', `{ getattr open read write ioctl append }')
+define(`rw_term_perms', `{ open rw_inherited_term_perms }')
 
 #
 # Sockets
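Review bot: `rw_inherited_term_perms` still contains `open`, unlike every other `rw_inherited_*` set in this file, so it does not express the inherited-descriptor restriction its name promises, and `rw_term_perms` expands to `{ open open … }`. Change it to ``define(`rw_inherited_term_perms', `{ getattr read write ioctl append }')``. Any rule that moves from `rw_term_perms` to the inherited set expecting the open right to be withheld would otherwise still be able to re-open the tty by path.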
@@ -317,3 +324,14 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept
 # Keys
 #
 define(`manage_key_perms', `{ create link read search setattr view write } ')
+
+#
+# All 
+#
+define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }
+')
+
+define(`all_nscd_perms', `{ getserv getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost shmemserv } ')
+define(`all_dbus_perms', `{ acquire_svc send_msg } ')
+define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ')
+define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
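Review bot: The section comment above `all_capabilities` is unfinished (`# All `) and the set's closing `}` and `')` are split across lines, leaving a newline inside the m4 quote; tidy it to `# Complete permission sets, for neverallow/dontaudit rules` and close the define on one line. A set named `all_capabilities` invites `allow X self:capability all_capabilities`, which is unconfinement by another name, so the comment should say explicitly that these sets are not for allow rules. The list covers the `capability` class only; if the policy's flask definitions also declare `capability2` (mac_override, mac_admin), that is a separate class and a short note that it is intentionally excluded would avoid confusion.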
index c4ebc7e4303cd368b99ee0ae71a5cf4e45dcd36f..be2a04c4ce00d1634c80882af20bc5c2cff2519e 100644 (file)
@@ -15,7 +15,7 @@
 # and a user process should never be assigned the system user
 # identity.
 #
-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
 #
 # user_u is a generic user identity for Linux users who have no
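Review bot: Giving `system_u` the `unconfined_r` role sits uneasily with the comment directly above it, which says system_u is for system processes and must never be assigned to a user process: system_u is also the identity commonly exempt from UBAC, so `system_u:unconfined_r:unconfined_t` contexts now pair the unconstrained identity with the unconfined role. If this exists for services that must run unconfined, extend the comment rather than leaving it contradicted, e.g. `# unconfined_r is permitted for system_u so unconfined system services can run as system_u:unconfined_r:unconfined_t; it is still not a login identity`. Whether `unconfined_r` is always declared (it comes from the unconfined module) is not visible here.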
@@ -25,11 +25,8 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # permit any access to such users, then remove this entry.
 #
 gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-# Until order dependence is fixed for users:
-gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(staff_u, user, staff_r system_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
 #
 # The following users correspond to Unix identities.
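Review bot: `staff_u` now gets `system_r` unconditionally while `sysadm_u` does not, and both switch their prefix argument from `staff`/`sysadm` to `user`; neither change is explained, and the `direct_sysadm_daemon` gate that previously controlled system_r for root is dropped in the next hunk. system_r is the role of every daemon domain, so a staff login may enter init-script and daemon domains wherever role transitions permit without first becoming sysadm_r; if that is intended (for run_init from staff_r, say) add `# staff_u is allowed system_r so staff_r can run init scripts directly`, otherwise remove it. The prefix change is consistent with the home-type aliasing done in userdomain.te in this commit, and the removal of `unconfined_u` here presumably relies on a declaration in the unconfined module that is not part of this diff.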
@@ -38,8 +35,4 @@ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_al
 # role should use the staff_r role instead of the user_r role when
 # not in the sysadm_r.
 #
-ifdef(`direct_sysadm_daemon',`
-       gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-',`
-       gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-')
+gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
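Review bot: root is now given `unconfined_r` and an unconditional `system_r`, dropping the `direct_sysadm_daemon` build-time gate, but the comment block above still only discusses staff_r versus user_r/sysadm_r and says nothing about either role. Add `# root is always allowed system_r (direct_sysadm_daemon no longer gates it) and unconfined_r for unconfined root logins`, and check that `direct_sysadm_daemon` is not still referenced elsewhere in the tree, since any such reference now silently disagrees with this file. Listing `unconfined_r` first does not by itself make it root's default role; that is decided by default_contexts/seusers, so a pointer to where root's default context is set would prevent that misreading.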