
SELinux Mailing List

New policy to allow strict to run X again with tmpfs on /dev

From: Daniel J Walsh <dwalsh_at_redhat.com>
Date: Wed, 08 Sep 2004 17:37:40 -0400


Biggest change: the X server needs to create the /dev/dri directory. This should be fixed so that Xorg uses udev in the future, but for now I have granted the privileges.

ipsec seems to be a mess.

Dan

diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.17.11/attrib.te

--- nsapolicy/attrib.te	2004-09-01 14:00:01.000000000 -0400

+++ policy-1.17.11/attrib.te 2004-09-08 11:52:35.000000000 -0400
@@ -347,9 +347,6 @@
 # For web clients such as netscape and squid
 attribute web_client_domain;
-# For a dbus client
-attribute dbus_client_domain;
-

 # For X Window System server domains
 attribute xserver;  

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.17.11/domains/program/fsadm.te

--- nsapolicy/domains/program/fsadm.te	2004-09-04 07:28:21.000000000 -0400

+++ policy-1.17.11/domains/program/fsadm.te 2004-09-08 17:02:23.319811971 -0400
@@ -121,3 +121,4 @@
 # Access to /initrd devices
 allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;
 allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;

+allow fsadm_t usbfs_t:dir { getattr };

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/hostname.te policy-1.17.11/domains/program/hostname.te
--- nsapolicy/domains/program/hostname.te	2004-08-27 14:44:11.000000000 -0400

+++ policy-1.17.11/domains/program/hostname.te 2004-09-08 11:52:35.000000000 -0400
@@ -22,3 +22,4 @@  

 # for when /usr is not mounted
 dontaudit hostname_t file_t:dir search;
+dontaudit hostname_t tmpfs_t:chr_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.17.11/domains/program/initrc.te

--- nsapolicy/domains/program/initrc.te	2004-08-30 09:49:15.000000000 -0400

+++ policy-1.17.11/domains/program/initrc.te 2004-09-08 17:17:57.419460417 -0400
@@ -209,10 +209,12 @@
 # for /halt /.autofsck and other flag files
 file_type_auto_trans({ initrc_t sysadm_t }, root_t, etc_runtime_t, file)

+ifdef(`rpm.te', `

 # Access /var/lib/rpm.
 allow initrc_t var_lib_rpm_t:dir rw_dir_perms;
 allow initrc_t var_lib_rpm_t:file create_file_perms;
 ')
+')
 

 allow initrc_t system_map_t:{ file lnk_file } r_file_perms;  

@@ -314,3 +316,6 @@
 #
 allow initrc_t security_t:dir { getattr search };
 allow initrc_t security_t:file { getattr read };
+ifdef(`dbusd.te', `
+allow initrc_t system_dbusd_t:dbus { send_msg };
+')

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/init.te policy-1.17.11/domains/program/init.te

--- nsapolicy/domains/program/init.te	2004-09-02 08:03:26.000000000 -0400

+++ policy-1.17.11/domains/program/init.te 2004-09-08 11:52:35.000000000 -0400
@@ -49,7 +49,7 @@
 ')  

 # Create /dev/initctl.
-file_type_auto_trans(init_t, device_t, initctl_t, fifo_file)
+file_type_auto_trans(init_t, { device_t tmpfs_t }, initctl_t, fifo_file)
 

 # Create ioctl.save.
 file_type_auto_trans(init_t, etc_t, etc_runtime_t, file)
@@ -114,8 +114,7 @@
 can_setbool(init_t)  

 # Read and write the console and ttys.

-allow init_t console_device_t:chr_file rw_file_perms;
-allow init_t tty_device_t:chr_file rw_file_perms;

+allow init_t { tmpfs_t tty_device_t console_device_t } :chr_file rw_file_perms;
allow init_t ttyfile:chr_file rw_file_perms;
 allow init_t ptyfile:chr_file rw_file_perms;

@@ -140,3 +139,5 @@  

 # file descriptors inherited from the rootfs.
 dontaudit init_t root_t:{ file chr_file } { read write };
+
+rw_dir_file(init_t, tmpfs_t)
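Review bot: `rw_dir_file(init_t, tmpfs_t)` and the tmpfs_t entry in the chr_file rule earlier in this file give init read/write on every tmpfs, not only the /dev mount — the apmd.te hunk in this same patch notes that tmpfs_t also covers /dev/shm. That is the price of putting /dev on an unlabeled tmpfs; if the /dev mount could be given its own label at mount time, the existing device_t rules would suffice and these tmpfs_t grants could be dropped. At minimum add a comment above the rule, e.g. `# /dev is a tmpfs until udev/restorecon relabel it; tmpfs_t also covers /dev/shm`.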

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.17.11/domains/program/login.te

--- nsapolicy/domains/program/login.te	2004-09-01 14:00:02.000000000 -0400

+++ policy-1.17.11/domains/program/login.te 2004-09-08 17:01:51.509233567 -0400
@@ -130,6 +130,7 @@
 can_ypbind($1_login_t)  

 allow $1_login_t mouse_device_t:chr_file { getattr setattr };
+dontaudit $1_login_t init_t:fd { use };
 ')dnl end login_domain macro

 #################################

 #
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.17.11/domains/program/mount.te
--- nsapolicy/domains/program/mount.te	2004-09-01 14:00:02.000000000 -0400

+++ policy-1.17.11/domains/program/mount.te 2004-09-08 17:01:40.155180930 -0400
@@ -98,3 +98,6 @@
 allow mount_t mnt_t:dir { getattr };
 dontaudit mount_t { userdomain kernel_t}:fd use;
 can_exec(mount_t, { sbin_t bin_t })
+dontaudit mount_t tmpfs_t:chr_file { read write };
+allow mount_t device_t:dir r_dir_perms;
+allow mount_t tmpfs_t:dir { mounton };

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.17.11/domains/program/restorecon.te
--- nsapolicy/domains/program/restorecon.te	2004-08-27 14:44:11.000000000 -0400

+++ policy-1.17.11/domains/program/restorecon.te 2004-09-08 11:52:35.000000000 -0400
@@ -41,7 +41,9 @@
 allow restorecon_t unlabeled_t:dir_file_class_set { getattr relabelfrom };
 allow restorecon_t unlabeled_t:dir read;
 allow restorecon_t device_type:{ chr_file blk_file } { getattr relabelfrom relabelto };
-allow restorecon_t device_t:{ chr_file blk_file } { getattr relabelfrom };

+allow restorecon_t { tmpfs_t device_t device_type }:{chr_file blk_file} { getattr relabelfrom relabelto };
+allow restorecon_t tmpfs_t:{chr_file blk_file} { read write };
+

 allow restorecon_t ptyfile:chr_file getattr;  

 allow restorecon_t fs_t:filesystem getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.17.11/domains/program/syslogd.te
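Review bot: `allow restorecon_t tmpfs_t:{chr_file blk_file} { read write };` grants restorecon read/write on device nodes, including block devices, which relabeling does not require — the getattr/relabelfrom/relabelto on the line above is what setting a file context needs. If this was added to quiet an AVC, the hostname, mount and consoletype hunks in this same patch handle the identical symptom with a dontaudit; change the line to `dontaudit restorecon_t tmpfs_t:{chr_file blk_file} { read write };`.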

--- nsapolicy/domains/program/syslogd.te	2004-08-30 09:49:15.000000000 -0400

+++ policy-1.17.11/domains/program/syslogd.te 2004-09-08 11:54:04.000000000 -0400
@@ -95,3 +95,6 @@
 #
 dontaudit syslogd_t file_t:dir search;
 allow syslogd_t devpts_t:dir { search };
+
+dontaudit syslogd_t kernel_t:fd use;
+dontaudit syslogd_t kernel_t:file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/anaconda.te policy-1.17.11/domains/program/unused/anaconda.te
--- nsapolicy/domains/program/unused/anaconda.te	2004-08-27 14:44:11.000000000 -0400

+++ policy-1.17.11/domains/program/unused/anaconda.te 2004-09-08 17:18:38.932630923 -0400
@@ -185,11 +185,13 @@
 ifdef(`sound.te', `allow anaconda_t sound_file_t:file { setattr write };')  

 ifdef(`distro_redhat', `
+ifdef(`rpm.te', `

 # Access /var/lib/rpm.
 allow anaconda_t var_lib_rpm_t:dir rw_dir_perms;
 allow anaconda_t var_lib_rpm_t:file create_file_perms;
 domain_auto_trans(anaconda_t, rpm_exec_t, rpm_t)
 ')
+')
 

 # Update /var/log/ksyms.*.
 # badly named type, /var/log/boot gets the same name too which is confusing
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.17.11/domains/program/unused/apmd.te

--- nsapolicy/domains/program/unused/apmd.te	2004-08-27 14:44:11.000000000 -0400

+++ policy-1.17.11/domains/program/unused/apmd.te 2004-09-08 17:01:24.739835578 -0400
@@ -122,3 +122,4 @@  

 # for a find /dev operation that gets /dev/shm
 dontaudit apmd_t tmpfs_t:dir r_dir_perms;
+dontaudit apmd_t selinux_config_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bluetooth.te policy-1.17.11/domains/program/unused/bluetooth.te

--- nsapolicy/domains/program/unused/bluetooth.te	2004-08-27 14:44:11.000000000 -0400

+++ policy-1.17.11/domains/program/unused/bluetooth.te 2004-09-08 11:52:35.000000000 -0400
@@ -8,7 +8,7 @@
 #
 # Rules for the bluetooth_t domain.
 #

-daemon_domain(bluetooth, `, dbus_client_domain')
+daemon_domain(bluetooth)
 

 file_type_auto_trans(bluetooth_t, var_run_t, bluetooth_var_run_t, sock_file)  

@@ -22,6 +22,7 @@
 # Use the network.
 can_network(bluetooth_t)
 can_ypbind(bluetooth_t)
+dbusd_client(system, bluetooth_t)

 allow bluetooth_t self:socket { create setopt ioctl bind listen };
 allow bluetooth_t self:unix_dgram_socket create_socket_perms;
 allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/consoletype.te policy-1.17.11/domains/program/unused/consoletype.te
--- nsapolicy/domains/program/unused/consoletype.te	2004-08-27 14:44:11.000000000 -0400

+++ policy-1.17.11/domains/program/unused/consoletype.te 2004-09-08 17:01:16.574246875 -0400
@@ -51,3 +51,4 @@
 ifdef(`pam.te', `
 allow consoletype_t pam_var_run_t:file { getattr read };
 ')
+dontaudit consoletype_t tmpfs_t:chr_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.17.11/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2004-08-30 09:49:15.000000000 -0400

+++ policy-1.17.11/domains/program/unused/cups.te 2004-09-08 17:20:59.777799778 -0400
@@ -2,7 +2,7 @@
 #
 # Created cups policy from lpd policy: Russell Coker <russell@coker.com.au>
 # X-Debian-Packages: cupsys cupsys-client cupsys-bsd
-# Depends: lpd.te

+# Depends: lpd.te lpr.te
 
 #################################

 #
@@ -12,7 +12,7 @@
 # cupsd_exec_t is the type of the cupsd executable.
 #
 type ipp_port_t, port_type;
-daemon_domain(cupsd, `, auth_chkpwd, dbus_client_domain')

+daemon_domain(cupsd, `, auth_chkpwd')

 etcdir_domain(cupsd)
 typealias cupsd_etc_t alias etc_cupsd_t;
 type cupsd_rw_etc_t, file_type, sysadmfile, usercanread;
@@ -20,6 +20,7 @@

 can_network(cupsd_t)
 can_ypbind(cupsd_t)
+dbusd_client(system, cupsd_t)

 logdir_domain(cupsd)  

 tmp_domain(cupsd)
@@ -35,6 +36,7 @@  

 ifdef(`usbmodules.te', `
 r_dir_file(cupsd_t, usbdevfs_t)
+r_dir_file(cupsd_t, usbfs_t)

 ')  

 ifdef(`logrotate.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbusd.te policy-1.17.11/domains/program/unused/dbusd.te

--- nsapolicy/domains/program/unused/dbusd.te	2004-09-01 14:00:02.000000000 -0400

+++ policy-1.17.11/domains/program/unused/dbusd.te 2004-09-08 11:52:35.000000000 -0400
@@ -2,34 +2,17 @@
 #
 # Author: Russell Coker <russell@coker.com.au>  

-daemon_domain(dbusd, `, userspace_objmgr')
-type etc_dbusd_t, file_type, sysadmfile;
+dbusd_domain(system)
 

-allow dbusd_t dbusd_var_run_t:sock_file create_file_perms;
+allow system_dbusd_t dbusd_var_run_t:sock_file create_file_perms;
 

 ifdef(`pamconsole.te', `
-r_dir_file(dbusd_t, pam_var_console_t)
+r_dir_file(system_dbusd_t, pam_var_console_t)
 ')  

-r_dir_file(dbusd_t, etc_dbusd_t)
-allow dbusd_t self:unix_stream_socket create_stream_socket_perms;
-allow dbusd_t self:unix_dgram_socket create_socket_perms;
-
-allow dbusd_t etc_t:file { getattr read };
 # dac_override: /var/run/dbus is owned by messagebus on Debian
-allow dbusd_t self:capability { dac_override setgid setuid };
-allow dbusd_t self:file { getattr read };
-allow dbusd_t proc_t:file { read };
-can_ypbind(dbusd_t)

+allow system_dbusd_t self:capability { dac_override setgid setuid };
+can_ypbind(system_dbusd_t)
 

 # I expect we need more than this

-allow { dbus_client_domain userdomain } { var_run_t dbusd_var_run_t }:dir search;
-allow { dbus_client_domain userdomain } dbusd_var_run_t:sock_file { write };
-allow { dbus_client_domain userdomain } dbusd_t:unix_stream_socket { connectto };
-
-# Permissions for SE-DBus operation
-r_dir_file(dbusd_t,selinux_config_t)
-
-# SE-DBus specific permissions
-allow { dbus_client_domain userdomain } { dbusd_t self }:dbus { send_msg };
-domain_auto_trans(userdomain, dbusd_exec_t, dbusd_t)

+

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.17.11/domains/program/unused/dhcpc.te
--- nsapolicy/domains/program/unused/dhcpc.te	2004-08-27 14:44:11.000000000 -0400

+++ policy-1.17.11/domains/program/unused/dhcpc.te 2004-09-08 17:00:48.867062937 -0400
@@ -128,3 +128,4 @@  

 allow dhcpc_t home_root_t:dir { search };
 allow initrc_t dhcpc_state_t:file { getattr read };
+dontaudit dhcpc_t var_lock_t:dir { search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.17.11/domains/program/unused/hald.te

--- nsapolicy/domains/program/unused/hald.te	2004-09-08 09:44:50.000000000 -0400

+++ policy-1.17.11/domains/program/unused/hald.te 2004-09-08 17:23:29.567470542 -0400
@@ -10,15 +10,18 @@
 #
 # hald_exec_t is the type of the hald executable.
 #

-daemon_domain(hald, `, dbus_client_domain, fs_domain')
+daemon_domain(hald, `, fs_domain')
 

-can_exec(hald_t, hald_exec_t)
+can_exec(hald_t, { hald_exec_t shell_exec_t } )
 

 allow hald_t { etc_t etc_runtime_t }:file { getattr read };
 allow hald_t self:unix_stream_socket create_stream_socket_perms;
 allow hald_t self:unix_dgram_socket create_socket_perms;
 

-allow hald_t dbusd_t:dbus { acquire_svc };
+ifdef(`dbus.te', `
+allow hald_t system_dbusd_t:dbus { acquire_svc };
+dbusd_client(system, hald_t)
+')
 

 allow hald_t { self proc_t }:file { getattr read };  
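Review bot: The new guard `ifdef(`dbus.te', `` tests a name that does not match the policy file, which is dbusd.te in this patch, and the initrc.te hunk in the same patch tests `dbusd.te`; since m4 expands an undefined ifdef to nothing, hald_t would silently lose `acquire_svc` and its dbusd_client access. Change the guard to `ifdef(`dbusd.te', ``. Separately, `can_exec(hald_t, { hald_exec_t shell_exec_t } )` runs shells inside hald_t, which carries fs_domain; a comment naming the script that needs this would let the next reviewer judge whether a domain transition is the better fix.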

@@ -39,6 +42,7 @@
 ifdef(`updfstab.te', `
 domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)
 allow updfstab_t hald_t:dbus { send_msg };
+allow hald_t updfstab_t:dbus { send_msg };
 ')
 ifdef(`udev.te', `
 domain_auto_trans(hald_t, udev_exec_t, udev_t)
@@ -49,3 +53,5 @@

 allow hald_t usbdevfs_t:file { getattr read };
 allow hald_t usbfs_t:dir search;
 allow hald_t usbfs_t:file { getattr read };

+allow hald_t bin_t:lnk_file read;
+can_exec(hald_t, sbin_t)
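Review bot: `can_exec(hald_t, sbin_t)` lets hald run any /sbin binary in its own fs_domain-bearing domain, on top of the shell_exec_t grant earlier in this file, with no comment on which helper needs it. Where the helper has its own domain, a transition of the kind this file already uses for updfstab and udev keeps hald's privileges out of it; if a specific binary without a domain is the reason, add a comment above the rule naming it so the grant can be narrowed later.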

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.17.11/domains/program/unused/hotplug.te
--- nsapolicy/domains/program/unused/hotplug.te	2004-09-01 14:00:02.000000000 -0400

+++ policy-1.17.11/domains/program/unused/hotplug.te 2004-09-08 11:52:35.000000000 -0400
@@ -11,7 +11,7 @@
 # hotplug_exec_t is the type of the hotplug executable.
 #
 ifdef(`unlimitedUtils', `
-daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer, dbus_client_domain, unrestricted')
+daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer, unrestricted')
 ', `
 daemon_domain(hotplug, `, privmodule, dbus_client_domain')
 ')
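Review bot: The untouched else branch `daemon_domain(hotplug, `, privmodule, dbus_client_domain')` still names the `dbus_client_domain` attribute, which this same patch deletes from attrib.te and stops using in every other domain, so a build without `unlimitedUtils` would fail on an undeclared attribute unless something outside the patch re-declares it. Change that line to `daemon_domain(hotplug, `, privmodule')` so both branches rely on the `dbusd_client(system, hotplug_t)` call added further down in this file.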
@@ -143,6 +143,7 @@  

 can_network(hotplug_t)
 can_ypbind(hotplug_t)
+dbusd_client(system, hotplug_t)
 

 # Allow hotplug (including /sbin/ifup-local) to start/stop services and
 # run sendmail -q
 domain_auto_trans(hotplug_t, initrc_exec_t, initrc_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ipsec.te policy-1.17.11/domains/program/unused/ipsec.te

--- nsapolicy/domains/program/unused/ipsec.te	2004-09-04 07:28:22.000000000 -0400

+++ policy-1.17.11/domains/program/unused/ipsec.te 2004-09-08 17:24:30.007441496 -0400
@@ -29,6 +29,7 @@
 type ipsec_mgmt_exec_t, file_type, sysadmfile, exec_type;
 domain_auto_trans(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
 file_type_auto_trans(ipsec_mgmt_t, var_run_t, ipsec_var_run_t, sock_file)

+file_type_auto_trans(ipsec_t, var_run_t, ipsec_var_run_t, sock_file)
 

 allow ipsec_mgmt_t modules_object_t:dir search;
 allow ipsec_mgmt_t modules_object_t:file getattr;
@@ -71,6 +72,7 @@
 allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;

 can_exec(ipsec_mgmt_t, shell_exec_t)
 can_exec(ipsec_t, shell_exec_t)

+can_exec(ipsec_t, bin_t)
can_exec(ipsec_t, ipsec_mgmt_exec_t)
 can_exec(ipsec_mgmt_t, ifconfig_exec_t)

@@ -89,12 +91,13 @@  

 # need access to /proc/sys/net/ipsec/icmp

 allow ipsec_mgmt_t sysctl_t:file write;

+allow ipsec_mgmt_t sysctl_net_t:dir { search };
 allow ipsec_mgmt_t sysctl_net_t:file { write setattr };  

 # whack needs to be able to read/write pluto.ctl
 allow ipsec_mgmt_t ipsec_var_run_t:sock_file { read write };
 # and it wants to connect to a socket...

-allow ipsec_mgmt_t ipsec_mgmt_t:unix_stream_socket { create connect read write };

+allow ipsec_mgmt_t ipsec_mgmt_t:unix_stream_socket { create connect read write setopt };
 allow ipsec_mgmt_t ipsec_t:unix_stream_socket { connectto read write };  

 # allow system administrator to use the ipsec script to look
@@ -162,7 +165,7 @@
 allow { ipsec_t ipsec_mgmt_t } bin_t:lnk_file read;  

 #
-allow ipsec_mgmt_t self:process { sigchld signal };
+allow ipsec_mgmt_t self:process { sigchld signal setrlimit };
 

 # Allow read/write access to /var/run/pluto.ctl
 allow ipsec_t ipsec_t:unix_stream_socket {create setopt bind listen accept read write };
@@ -204,3 +207,20 @@
 allow ipsec_t initrc_devpts_t:chr_file { getattr read write };
 allow ipsec_mgmt_t self:lnk_file read;

+allow ipsec_mgmt_t ipsec_mgmt_t:capability { sys_tty_config dac_read_search };
+read_locale(ipsec_mgmt_t)
+var_run_domain(ipsec_mgmt)
+dontaudit ipsec_mgmt_t default_t:dir { getattr };
+dontaudit ipsec_mgmt_t default_t:file { getattr };
+allow ipsec_mgmt_t tmpfs_t:dir { getattr read };
+allow ipsec_mgmt_t self:key_socket { create setopt };
+can_exec(ipsec_mgmt_t, initrc_exec_t)
+allow ipsec_t self:netlink_xfrm_socket create_socket_perms;
+read_locale(ipsec_t)
+ifdef(`consoletype.te', `
+can_exec(ipsec_mgmt_t, consoletype_exec_t )
+')
+dontaudit ipsec_mgmt_t selinux_config_t:dir { search };
+dontaudit ipsec_t ttyfile:chr_file { read write };
+allow ipsec_t ipsec_t:capability { dac_override dac_read_search };
+allow ipsec_t reserved_port_t:udp_socket { name_bind };
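Review bot: `allow ipsec_t reserved_port_t:udp_socket { name_bind };` lets the IKE daemon bind any reserved UDP port rather than only the ports it actually listens on; the zebra.te file added in this same patch shows the narrower pattern (`type zebra_port_t, port_type;` plus a name_bind on that type alone), and a dedicated port type with a matching net_contexts entry would scope this the same way. Two other new grants deserve a why-comment: `can_exec(ipsec_mgmt_t, initrc_exec_t)` runs rc scripts inside ipsec_mgmt_t instead of transitioning to initrc_t, and `allow ipsec_t ipsec_t:capability { dac_override dac_read_search }` lets the daemon bypass DAC. The cover note already calls ipsec a mess; a one-line comment per rule naming the denial it answers is what makes a later cleanup pass possible.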
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.17.11/domains/program/unused/rpm.te

--- nsapolicy/domains/program/unused/rpm.te	2004-09-08 09:44:50.000000000 -0400

+++ policy-1.17.11/domains/program/unused/rpm.te 2004-09-08 17:34:48.993021252 -0400
@@ -132,8 +132,10 @@
 role sysadm_r types rpm_script_t;
 domain_trans(rpm_t, shell_exec_t, rpm_script_t)
 ifdef(`hide_broken_symptoms', `
+ifdef(`pamconsole.te', `

 domain_trans(rpm_t, pam_console_exec_t, rpm_script_t)
 ')
+')
 

 tmp_domain(rpm_script)  

@@ -161,7 +163,6 @@
 ')
 ifdef(`crond.te', `
 allow crond_t rpm_t:fifo_file r_file_perms;
-allow rpm_script_t self:passwd crontab;
 ')

 allow rpm_script_t proc_t:dir { search getattr };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sendmail.te policy-1.17.11/domains/program/unused/sendmail.te

--- nsapolicy/domains/program/unused/sendmail.te	2004-08-27 14:44:11.000000000 -0400

+++ policy-1.17.11/domains/program/unused/sendmail.te 2004-09-08 17:33:46.401210768 -0400
@@ -43,8 +43,10 @@
 # Need this transition to create /etc/aliases.db
 #
 ifdef(`distro_redhat', `
+ifdef(`rpm.te', `

 domain_auto_trans(rpm_script_t, sendmail_exec_t, system_mail_t)
 ')
+')
 

 allow sendmail_t etc_mail_t:dir rw_dir_perms;
 allow sendmail_t etc_mail_t:file create_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.17.11/domains/program/unused/snmpd.te

--- nsapolicy/domains/program/unused/snmpd.te	2004-08-27 14:44:11.000000000 -0400

+++ policy-1.17.11/domains/program/unused/snmpd.te 2004-09-08 17:33:16.630135317 -0400
@@ -46,10 +46,12 @@
 allow snmpd_t self:file { getattr read };  

 ifdef(`distro_redhat', `
+ifdef(`rpm.te', `

 r_dir_file(snmpd_t, rpm_var_lib_t)
 dontaudit snmpd_t rpm_var_lib_t:dir { write };
 dontaudit snmpd_t rpm_var_lib_t:file { write };
 ')
+')
 

 allow snmpd_t home_root_t:dir search;
 allow snmpd_t initrc_var_run_t:file r_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.17.11/domains/program/unused/udev.te

--- nsapolicy/domains/program/unused/udev.te	2004-09-01 14:00:02.000000000 -0400

+++ policy-1.17.11/domains/program/unused/udev.te 2004-09-08 16:59:58.319964054 -0400
@@ -9,7 +9,7 @@
 #
 # udev_exec_t is the type of the udev executable.
 #

-daemon_domain(udev, `, privmodule, privmem, fs_domain, privfd, dbus_client_domain')
+daemon_domain(udev, `, privmodule, privmem, fs_domain, privfd')
 

 general_domain_access(udev_t)  

@@ -28,10 +28,10 @@

 allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
 allow udev_t self:unix_dgram_socket create_socket_perms;
 allow udev_t self:fifo_file rw_file_perms;
-allow udev_t device_t:blk_file create_file_perms;
-allow udev_t device_t:chr_file create_file_perms;
-allow udev_t device_t:sock_file create_file_perms;
-allow udev_t device_t:lnk_file create_lnk_perms;

+allow udev_t { tmpfs_t device_t }:blk_file create_file_perms;
+allow udev_t { tmpfs_t device_t }:chr_file create_file_perms;
+allow udev_t { tmpfs_t device_t }:sock_file create_file_perms;
+allow udev_t { tmpfs_t device_t }:lnk_file create_lnk_perms;
allow udev_t etc_t:file { getattr read };
 allow udev_t { bin_t sbin_t }:dir r_dir_perms;
 allow udev_t { sbin_t bin_t }:lnk_file read;
@@ -40,7 +40,7 @@
 can_exec(udev_t, udev_exec_t)
 r_dir_file(udev_t, sysfs_t)
 allow udev_t sysadm_tty_device_t:chr_file { read write };
-allow udev_t { device_t device_type }:{chr_file blk_file} { relabelfrom relabelto create_file_perms };
+allow udev_t { tmpfs_t device_t device_type }:{chr_file blk_file} { relabelfrom relabelto create_file_perms };
         

 # to read the file_contexts file
 r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t } )
@@ -96,3 +96,11 @@
 ifdef(`dhcpc.te', `
 domain_auto_trans(udev_t, dhcpc_exec_t, dhcpc_t)
 ')
+
+allow udev_t tmpfs_t:dir { search };
+rw_dir_create_file(udev_t, { device_t tmpfs_t })
+allow udev_t udev_helper_exec_t:dir r_dir_perms;
+
+dbusd_client(system, udev_t)
+
+allow udev_t device_t:dir { relabelfrom relabelto create_dir_perms };
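Review bot: `allow udev_t device_t:dir { relabelfrom relabelto create_dir_perms };` and `rw_dir_create_file(udev_t, { device_t tmpfs_t })` land without a comment, and the tmpfs_t half applies to every tmpfs (the apmd.te hunk in this patch notes tmpfs_t covers /dev/shm), not only the /dev mount. `dbusd_client(system, udev_t)` is also unguarded here while the hald.te and initrc.te hunks wrap their dbus rules in an ifdef; if that macro is defined in dbusd.te rather than a global macro file, a build without dbusd.te breaks. Suggested comment above the new rules: `# /dev is a tmpfs until relabeled; udev creates nodes and directories there and relabels them to device types`.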
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/updfstab.te policy-1.17.11/domains/program/unused/updfstab.te

--- nsapolicy/domains/program/unused/updfstab.te	2004-09-02 08:03:26.000000000 -0400

+++ policy-1.17.11/domains/program/unused/updfstab.te 2004-09-08 11:52:35.000000000 -0400
@@ -3,7 +3,7 @@
 # Author: Russell Coker <russell@coker.com.au>
 #

-daemon_base_domain(updfstab, `, fs_domain, etc_writer, dbus_client_domain')
+daemon_base_domain(updfstab, `, fs_domain, etc_writer')
 

 rw_dir_create_file(updfstab_t, etc_t)
 create_dir_file(updfstab_t, mnt_t)
@@ -28,6 +28,8 @@  

 read_locale(updfstab_t)  

+dbusd_client(system, updfstab_t)
+

 # not sure what the sysctl_kernel_t file is, or why it wants to write it, so
 # I will not allow it
 dontaudit updfstab_t { sysctl_t sysctl_kernel_t }:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/zebra.te policy-1.17.11/domains/program/zebra.te

--- nsapolicy/domains/program/zebra.te	1969-12-31 19:00:00.000000000 -0500

+++ policy-1.17.11/domains/program/zebra.te 2004-09-08 09:59:01.000000000 -0400
@@ -0,0 +1,34 @@
+#DESC Zebra - BGP server
+#
+# Author: Russell Coker <russell@coker.com.au>
+# X-Debian-Packages: zebra
+#
+type zebra_port_t, port_type;
+
+daemon_domain(zebra, `, sysctl_net_writer')
+type zebra_conf_t, file_type, sysadmfile;
+r_dir_file({ initrc_t zebra_t }, zebra_conf_t)
+
+can_network(zebra_t)
+can_ypbind(zebra_t)
+allow zebra_t { etc_t etc_runtime_t }:file { getattr read };
+
+allow zebra_t self:process setcap;
+allow zebra_t self:capability { setgid setuid net_bind_service net_admin net_raw };
+file_type_auto_trans(zebra_t, var_run_t, zebra_var_run_t, sock_file)
+
+logdir_domain(zebra)
+
+# /tmp/.bgpd is such a bad idea!
+type zebra_tmp_t, file_type, sysadmfile, tmpfile;
+file_type_auto_trans(zebra_t, tmp_t, zebra_tmp_t, sock_file)
+
+allow zebra_t self:unix_dgram_socket create_socket_perms;
+allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow zebra_t self:rawip_socket create_socket_perms;
+allow zebra_t self:netlink_route_socket r_netlink_socket_perms;
+allow zebra_t zebra_port_t:tcp_socket name_bind;
+
+allow zebra_t proc_t:file { getattr read };
+allow zebra_t { sysctl_t sysctl_net_t }:dir search;
+allow zebra_t sysctl_net_t:file rw_file_perms;
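Review bot: `type zebra_port_t, port_type;` is declared and used by the name_bind rule, but no net_contexts change assigning port numbers to it appears in this patch, so unless that assignment exists elsewhere the bind rule matches nothing and the daemon fails to listen. A comment on the type line naming which ports it is meant to hold would make the dependency visible, e.g. `# zebra_port_t: the zebra/bgpd listening ports, assigned in net_contexts`. The capability set `{ setgid setuid net_bind_service net_admin net_raw }` is plausible for a routing daemon that drops privileges and programs routes, but net_admin and net_raw are broad enough that a one-line why-comment above the rule is worth having.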
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/file_contexts policy-1.17.11/file_contexts/file_contexts
--- nsapolicy/file_contexts/file_contexts	1969-12-31 19:00:00.000000000 -0500

+++ policy-1.17.11/file_contexts/file_contexts 2004-09-08 17:28:47.308950505 -0400
@@ -0,0 +1,788 @@
+# Distro-specific customizations.
+
+# Comment out all but the one that matches your distro.
+# The policy .te files can then wrap distro-specific customizations with
+# appropriate ifdefs.
+
+
+
+
+
+
+# Allow all domains to connect to nscd
+
+# Allow users to control network interfaces (also needs USERCTL=true)
+
+# Allow users to execute the mount command
+
+
+# Allow rpm to run unconfined.
+
+
+# Allow privileged utilities like hotplug and insmod to run unconfined.
+
+
+# Support NFS home directories
+
+
+# Allow users to run games
+
+
+# Allow ypbind to run with NIS
+
+
+# Allow rc scripts to run unconfined, including any daemon
+# started by an rc script that does not have a domain transition
+# explicitly defined.
+
+
+# Allow sysadm_t to directly start daemons
+
+
+# Do not audit things that we know to be broken but which
+# are not security risks
+
+
+# Allow sysadm_t to do almost everything
+
+# Allow the read/write/create on any NFS file system
+
+
+# Allow the reading on any NFS file system
+
+# Allow user_r to reach sysadm_r via su, sudo, or userhelper.
+# Otherwise, only staff_r can do so.
+
+
+# Allow xinetd to run unconfined, including any services it starts
+# that do not have a domain transition explicitly defined.
+
+#
+# This file describes the security contexts to be applied to files
+# when the security policy is installed. The setfiles program
+# reads this file and labels files accordingly.
+#
+# Each specification has the form:
+# regexp [ -type ] ( context | <<none>> )
+#
+# By default, the regexp is an anchored match on both ends (i.e. a
+# caret (^) is prepended and a dollar sign ($) is appended automatically).
+# This default may be overridden by using .* at the beginning and/or
+# end of the regular expression.
+#
+# The optional type field specifies the file type as shown in the mode
+# field by ls, e.g. use -d to match only directories or -- to match only
+# regular files.
+#
+# The value of <<none> may be used to indicate that matching files
+# should not be relabeled.
+#
+# The last matching specification is used.
+#
+# If there are multiple hard links to a file that match
+# different specifications and those specifications indicate
+# different security contexts, then a warning is displayed
+# but the file is still labeled based on the last matching
+# specification other than <<none>>.
+#
+# Some of the files listed here get re-created during boot and therefore
+# need type transition rules to retain the correct type. These files are
+# listed here anyway so that if the setfiles program is used on a running
+# system it does not relabel them to something we do not want. An example of
+# this is /var/run/utmp.
+#
+
+#
+# The security context for all files not otherwise specified.
+#
+/.* system_u:object_r:default_t
+
+#
+# The root directory.
+#
+/ -d system_u:object_r:root_t
+
+#
+# Ordinary user home directories.
+# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd
+# HOME_DIR expands to each user's home directory,
+# and to HOME_ROOT/[^/]+ for each HOME_ROOT.
+# ROLE expands to each user's role when role != user_r, and to "user" otherwise.
+#
+/home -d system_u:object_r:home_root_t
+/home/[^/]+ -d system_u:object_r:user_home_dir_t
+/home/[^/]+/.+ system_u:object_r:user_home_t
+
+#
+# A common mount point
+/mnt(/.*)? -d system_u:object_r:mnt_t
+/media(/.*)? -d system_u:object_r:mnt_t
+
+#
+# /var
+#
+/var(/.*)? system_u:object_r:var_t
+/var/catman(/.*)? system_u:object_r:catman_t
+/var/cache/man(/.*)? system_u:object_r:catman_t
+/var/yp(/.*)? system_u:object_r:var_yp_t
+/var/lib(/.*)? system_u:object_r:var_lib_t
+/var/lib/nfs(/.*)? system_u:object_r:var_lib_nfs_t
+/var/lib/texmf(/.*)? system_u:object_r:tetex_data_t
+/var/cache/fonts(/.*)? system_u:object_r:tetex_data_t
+/var/lock(/.*)? system_u:object_r:var_lock_t
+/var/tmp -d system_u:object_r:tmp_t
+/var/tmp/.* <<none>>
+/var/tmp/vi\.recover -d system_u:object_r:tmp_t
+/var/lib/nfs/rpc_pipefs(/*)? <<none>>
+/var/mailman/bin(/.*)? system_u:object_r:bin_t
+/var/mailman/pythonlib(/.*)?/.*\.so(\..*)? -- system_u:object_r:shlib_t
+
+#
+# /var/ftp
+#
+/var/ftp/bin(/.*)? system_u:object_r:bin_t
+/var/ftp/bin/ls -- system_u:object_r:ls_exec_t
+/var/ftp/lib(64)?(/.*)? system_u:object_r:lib_t
+/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t
+/var/ftp/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+/var/ftp/etc(/.*)? system_u:object_r:etc_t
+
+#
+# /bin
+#
+/bin(/.*)? system_u:object_r:bin_t
+/bin/tcsh -- system_u:object_r:shell_exec_t
+/bin/bash -- system_u:object_r:shell_exec_t
+/bin/bash2 -- system_u:object_r:shell_exec_t
+/bin/sash -- system_u:object_r:shell_exec_t
+/bin/d?ash -- system_u:object_r:shell_exec_t
+/bin/zsh.* -- system_u:object_r:shell_exec_t
+/usr/sbin/sesh -- system_u:object_r:shell_exec_t
+/bin/ls -- system_u:object_r:ls_exec_t
+
+#
+# /boot
+#
+/boot(/.*)? system_u:object_r:boot_t
+/boot/System\.map-.* -- system_u:object_r:system_map_t
+/boot/kernel\.h.* -- system_u:object_r:boot_runtime_t
+
+#
+# /dev
+#
+/u?dev(/.*)? system_u:object_r:device_t
+/u?dev/pts(/.*)? <<none>>
+/u?dev/cpu/.* -c system_u:object_r:cpu_device_t
+/u?dev/microcode -c system_u:object_r:cpu_device_t
+/u?dev/MAKEDEV -- system_u:object_r:sbin_t
+/u?dev/null -c system_u:object_r:null_device_t
+/u?dev/full -c system_u:object_r:null_device_t
+/u?dev/zero -c system_u:object_r:zero_device_t
+/u?dev/console -c system_u:object_r:console_device_t
+/u?dev/(kmem|mem|port) -c system_u:object_r:memory_device_t
+/u?dev/nvram -c system_u:object_r:memory_device_t
+/u?dev/random -c system_u:object_r:random_device_t
+/u?dev/urandom -c system_u:object_r:urandom_device_t
+/u?dev/capi.* -c system_u:object_r:tty_device_t
+/u?dev/dcbri[0-9]+ -c system_u:object_r:tty_device_t
+/u?dev/irlpt[0-9]+ -c system_u:object_r:printer_device_t
+/u?dev/ircomm[0-9]+ -c system_u:object_r:tty_device_t
+/u?dev/isdn.* -c system_u:object_r:tty_device_t
+/u?dev/.*tty[^/]* -c system_u:object_r:tty_device_t
+/u?dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f] -c system_u:object_r:bsdpty_device_t
+/u?dev/cu.* -c system_u:object_r:tty_device_t
+/u?dev/vcs[^/]* -c system_u:object_r:tty_device_t
+/u?dev/ip2[^/]* -c system_u:object_r:tty_device_t
+/u?dev/tty -c system_u:object_r:devtty_t
+/dev/lp.* -c system_u:object_r:printer_device_t
+/dev/par.* -c system_u:object_r:printer_device_t
+/dev/usb/lp.* -c system_u:object_r:printer_device_t
+/dev/usblp.* -c system_u:object_r:printer_device_t
+/u?dev/[shmx]d[^/]* -b system_u:object_r:fixed_disk_device_t
+/u?dev/dm-[0-9]+ -b system_u:object_r:fixed_disk_device_t
+/u?dev/sg[0-9]+ -c system_u:object_r:scsi_generic_device_t
+/u?dev/rd.* -b system_u:object_r:fixed_disk_device_t
+/u?dev/i2o/hd[^/]* -b system_u:object_r:fixed_disk_device_t
+/u?dev/ubd[^/]* -b system_u:object_r:fixed_disk_device_t
+/u?dev/cciss/[^/]* -b system_u:object_r:fixed_disk_device_t
+/u?dev/ida/[^/]* -b system_u:object_r:fixed_disk_device_t
+/u?dev/dasd[^/]* -b system_u:object_r:fixed_disk_device_t
+/u?dev/flash[^/]* -b system_u:object_r:fixed_disk_device_t
+/u?dev/nb[^/]+ -b system_u:object_r:fixed_disk_device_t
+/u?dev/ataraid/.* -b system_u:object_r:fixed_disk_device_t
+/u?dev/loop.* -b system_u:object_r:fixed_disk_device_t
+/u?dev/net/.* -c system_u:object_r:tun_tap_device_t
+/u?dev/ram.* -b system_u:object_r:fixed_disk_device_t
+/u?dev/rawctl -c system_u:object_r:fixed_disk_device_t
+/u?dev/raw/raw[0-9]+ -c system_u:object_r:fixed_disk_device_t
+/u?dev/scramdisk/.* -b system_u:object_r:fixed_disk_device_t
+/u?dev/initrd -b system_u:object_r:fixed_disk_device_t
+/u?dev/jsfd -b system_u:object_r:fixed_disk_device_t
+/u?dev/js.* -c system_u:object_r:mouse_device_t
+/u?dev/jsflash -c system_u:object_r:fixed_disk_device_t
+/u?dev/s(cd|r)[^/]* -b system_u:object_r:removable_device_t
+/u?dev/usb/rio500 -c system_u:object_r:removable_device_t
+/u?dev/fd[^/]+ -b system_u:object_r:removable_device_t
+# I think a parallel port disk is a removable device...
+/u?dev/pd[a-d][^/]* -b system_u:object_r:removable_device_t
+/u?dev/p[fg][0-3] -b system_u:object_r:removable_device_t
+/u?dev/aztcd -b system_u:object_r:removable_device_t
+/u?dev/bpcd -b system_u:object_r:removable_device_t
+/u?dev/gscd -b system_u:object_r:removable_device_t
+/u?dev/hitcd -b system_u:object_r:removable_device_t
+/u?dev/pcd[0-3] -b system_u:object_r:removable_device_t
+/u?dev/mcdx? -b system_u:object_r:removable_device_t
+/u?dev/cdu.* -b system_u:object_r:removable_device_t
+/u?dev/cm20.* -b system_u:object_r:removable_device_t
+/u?dev/optcd -b system_u:object_r:removable_device_t
+/u?dev/sbpcd.* -b system_u:object_r:removable_device_t
+/u?dev/sjcd -b system_u:object_r:removable_device_t
+/u?dev/sonycd -b system_u:object_r:removable_device_t
+# parallel port ATAPI generic device
+/u?dev/pg[0-3] -c system_u:object_r:removable_device_t
+/u?dev/rtc -c system_u:object_r:clock_device_t
+/u?dev/psaux -c system_u:object_r:mouse_device_t
+/u?dev/atibm -c system_u:object_r:mouse_device_t
+/u?dev/logibm -c system_u:object_r:mouse_device_t
+/u?dev/.*mouse.* -c system_u:object_r:mouse_device_t
+/u?dev/input/.*mouse.* -c system_u:object_r:mouse_device_t
+/u?dev/input/event.* -c system_u:object_r:event_device_t
+/u?dev/input/mice -c system_u:object_r:mouse_device_t
+/u?dev/input/js.* -c system_u:object_r:mouse_device_t
+/u?dev/ptmx -c system_u:object_r:ptmx_t
+/u?dev/sequencer -c system_u:object_r:misc_device_t
+/u?dev/fb[0-9]* -c system_u:object_r:framebuf_device_t
+/u?dev/apm_bios -c system_u:object_r:apm_bios_t
+/u?dev/cpu/mtrr -c system_u:object_r:mtrr_device_t
+/u?dev/(radio|video|vbi|vtx).* -c system_u:object_r:v4l_device_t
+/u?dev/winradio. -c system_u:object_r:v4l_device_t
+/u?dev/vttuner -c system_u:object_r:v4l_device_t
+/u?dev/tlk[0-3] -c system_u:object_r:v4l_device_t
+/u?dev/adsp -c system_u:object_r:sound_device_t
+/u?dev/mixer.* -c system_u:object_r:sound_device_t
+/u?dev/dsp.* -c system_u:object_r:sound_device_t
+/u?dev/audio.* -c system_u:object_r:sound_device_t
+/u?dev/r?midi.* -c system_u:object_r:sound_device_t
+/u?dev/sequencer2 -c system_u:object_r:sound_device_t
+/u?dev/smpte.* -c system_u:object_r:sound_device_t
+/u?dev/sndstat -c system_u:object_r:sound_device_t
+/u?dev/beep -c system_u:object_r:sound_device_t
+/u?dev/patmgr[01] -c system_u:object_r:sound_device_t
+/u?dev/mpu401.* -c system_u:object_r:sound_device_t
+/u?dev/srnd[0-7] -c system_u:object_r:sound_device_t
+/u?dev/aload.* -c system_u:object_r:sound_device_t
+/u?dev/amidi.* -c system_u:object_r:sound_device_t
+/u?dev/amixer.* -c system_u:object_r:sound_device_t
+/u?dev/snd/.* -c system_u:object_r:sound_device_t
+/u?dev/n?[hs]t[0-9].* -c system_u:object_r:tape_device_t
+/u?dev/n?(raw)?[qr]ft[0-3] -c system_u:object_r:tape_device_t
+/u?dev/n?z?qft[0-3] -c system_u:object_r:tape_device_t
+/u?dev/n?tpqic[12].* -c system_u:object_r:tape_device_t
+/u?dev/ht[0-1] -b system_u:object_r:tape_device_t
+/u?dev/n?osst[0-3].* -c system_u:object_r:tape_device_t
+/u?dev/n?pt[0-9]+ -c system_u:object_r:tape_device_t
+/u?dev/tape.* -c system_u:object_r:tape_device_t
+/u?dev/usb/scanner.* -c system_u:object_r:scanner_device_t
+/u?dev/usb/dc2xx.* -c system_u:object_r:scanner_device_t
+/u?dev/usb/mdc800.* -c system_u:object_r:scanner_device_t
+/u?dev/usb/tty.* -c system_u:object_r:usbtty_device_t
+/u?dev/mmetfgrab -c system_u:object_r:scanner_device_t
+/u?dev/nvidia.* -c system_u:object_r:xserver_misc_device_t
+/u?dev/dri/.+ -c system_u:object_r:dri_device_t
+/u?dev/radeon -c system_u:object_r:dri_device_t
+/u?dev/agpgart -c system_u:object_r:agp_device_t
+
+/proc(/.*)? <<none>>
+/sys(/.*)? <<none>>
+/selinux(/.*)? <<none>>
+/opt(/.*)? system_u:object_r:usr_t
+/opt/[^/]*/bin(/.*)? system_u:object_r:bin_t
+/opt/[^/]*/lib(/.*)? system_u:object_r:lib_t
+/opt/[^/]*/lib/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+/opt/[^/]*/lib/.*/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+/opt/[^/]*/man(/.*)? system_u:object_r:man_t
+/opt/[^/]*/libexec(/.*)? system_u:object_r:bin_t
+
+#
+# /etc
+#
+/etc(/.*)? system_u:object_r:etc_t
+/etc/\.pwd\.lock -- system_u:object_r:shadow_t
+/etc/passwd\.lock -- system_u:object_r:shadow_t
+/etc/group\.lock -- system_u:object_r:shadow_t
+/etc/shadow.* -- system_u:object_r:shadow_t
+/etc/gshadow.* -- system_u:object_r:shadow_t
+/etc/blkid\.tab -- system_u:object_r:etc_runtime_t
+/etc/fstab\.REVOKE -- system_u:object_r:etc_runtime_t
+/etc/HOSTNAME -- system_u:object_r:etc_runtime_t
+/etc/ioctl\.save -- system_u:object_r:etc_runtime_t
+/etc/mtab -- system_u:object_r:etc_runtime_t
+/etc/motd -- system_u:object_r:etc_runtime_t
+/etc/issue -- system_u:object_r:etc_runtime_t
+/etc/issue\.net -- system_u:object_r:etc_runtime_t
+/etc/sysconfig/hwconf -- system_u:object_r:etc_runtime_t
+/etc/sysconfig/iptables.save -- system_u:object_r:etc_runtime_t
+/etc/sysconfig/firstboot -- system_u:object_r:etc_runtime_t
+/etc/asound\.state -- system_u:object_r:etc_runtime_t
+/etc/ptal/ptal-printd-like -- system_u:object_r:etc_runtime_t
+/etc/ld\.so\.cache -- system_u:object_r:ld_so_cache_t
+/etc/ld\.so\.preload -- system_u:object_r:ld_so_cache_t
+/etc/yp\.conf.* -- system_u:object_r:net_conf_t
+/etc/resolv\.conf.* -- system_u:object_r:net_conf_t
+
+/etc/selinux(/.*)? system_u:object_r:selinux_config_t
+/etc/security/selinux(/.*)? system_u:object_r:policy_config_t
+/etc/security/selinux/src(/.*)? system_u:object_r:policy_src_t
+/etc/security/default_contexts.* system_u:object_r:default_context_t
+/etc/services -- system_u:object_r:etc_t
+
+/etc/selinux/[^/]*/policy(/.*)? system_u:object_r:policy_config_t
+/etc/selinux/[^/]*/src(/.*)? system_u:object_r:policy_src_t
+/etc/selinux/[^/]*/contexts(/.*)? system_u:object_r:default_context_t
+/etc/selinux/[^/]*/contexts/files(/.*)? system_u:object_r:file_context_t
+
+
+#
+# /lib(64)?
+#
+/lib(64)?(/.*)? system_u:object_r:lib_t
+/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t
+/lib(64)?/tls/ld[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t
+/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+/lib(64)?/[^/]*/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+/lib(64)?/security/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+/lib(64)?/tls/i686/cmov/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+
+#
+# /sbin
+#
+/sbin(/.*)? system_u:object_r:sbin_t
+
+#
+# /tmp
+#
+/tmp -d system_u:object_r:tmp_t
+/tmp/.* <<none>>
+
+#
+# /usr
+#
+/usr(/.*)? system_u:object_r:usr_t
+/usr/etc(/.*)? system_u:object_r:etc_t
+/usr/libexec(/.*)? system_u:object_r:bin_t
+/usr/src(/.*)? system_u:object_r:src_t
+/usr/tmp(/.*)? system_u:object_r:tmp_t
+/usr/man(/.*)? system_u:object_r:man_t
+/usr/share/man(/.*)? system_u:object_r:man_t
+/usr/share/mc/extfs/.* -- system_u:object_r:bin_t
+/usr/share/texmf/teTeX/bin(/.*)? system_u:object_r:bin_t
+/usr/share/selinux(/.*)? system_u:object_r:policy_src_t
+
+#
+# /usr/bin
+#
+/usr/bin(/.*)? system_u:object_r:bin_t
+
+#
+# /usr/lib(64)?
+#
+/usr/lib(64)?(/.*)? system_u:object_r:lib_t
+/usr/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+/usr/lib(64)?/python.*\.so -- system_u:object_r:shlib_t
+/usr/lib(64)?/.*/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+/usr/lib(64)?/.*/.*\.so -- system_u:object_r:shlib_t
+/usr/lib(64)?/autofs/.*\.so -- system_u:object_r:shlib_t
+/usr/lib(64)?/perl5/man(/.*)? system_u:object_r:man_t
+/usr/lib(64)?/perl.*\.so -- system_u:object_r:shlib_t
+/usr/lib(64)?/selinux(/.*)? system_u:object_r:policy_src_t
+/usr/lib(64)?/emacsen-common/.* system_u:object_r:bin_t
+/usr/lib(64)?/.*/bin(/.*)? system_u:object_r:bin_t
+/usr/lib(64)?/gconv/.*\.so -- system_u:object_r:shlib_t
+/usr/share/guile/g-wrapped/.*\.so -- system_u:object_r:shlib_t
+
+#
+# /usr/.*glibc.*-linux/lib(64)?
+#
+/usr/.*glibc.*-linux/lib(64)?(/.*)? system_u:object_r:lib_t
+/usr/.*glibc.*-linux/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t
+/usr/.*glibc.*-linux/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+
+# /usr/.*redhat-linux/lib(64)?
+#
+/usr/.*redhat-linux/lib(64)?(/.*)? system_u:object_r:lib_t
+/usr/.*redhat-linux/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t
+/usr/.*redhat-linux/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+
+#
+# /usr/.*linux-libc.*/lib(64)?
+#
+/usr/.*linux-libc.*/lib(64)?(/.*)? system_u:object_r:lib_t
+/usr/.*linux-libc.*/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t
+/usr/.*linux-libc.*/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+
+#
+# /usr/local
+#
+/usr/local/etc(/.*)? system_u:object_r:etc_t
+/usr/local/src(/.*)? system_u:object_r:src_t
+/usr/local/sbin(/.*)? system_u:object_r:sbin_t
+/usr/local/man(/.*)? system_u:object_r:man_t
+
+#
+# /usr/local/bin
+#
+/usr/local/bin(/.*)? system_u:object_r:bin_t
+
+#
+# /usr/local/lib(64)?
+#
+/usr/local/lib(64)?(/.*)? system_u:object_r:lib_t
+/usr/local/lib(64)?(/.*)+\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+
+#
+# /usr/sbin
+#
+/usr/sbin(/.*)? system_u:object_r:sbin_t
+
+#
+# /usr/X11R6/(.*/)?bin
+#
+/usr/X11R6/(.*/)?bin(/.*)? system_u:object_r:bin_t
+
+#
+# /usr/X11R6/(.*/)?lib(64)?
+#
+/usr/X11R6/(.*/)?lib(64)?(/.*)? system_u:object_r:lib_t
+/usr/X11R6/(.*/)?lib(64)?(/.*)+\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+
+#
+# /usr/X11R6/man
+#
+/usr/X11R6/man(/.*)? system_u:object_r:man_t
+
+#
+# /usr/kerberos
+#
+/usr/kerberos/bin(/.*)? system_u:object_r:bin_t
+/usr/kerberos/sbin(/.*)? system_u:object_r:sbin_t
+/usr/kerberos/lib(64)?(/.*)? system_u:object_r:lib_t
+/usr/kerberos/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+
+#
+# Fonts dir
+#
+/usr/X11R6/lib/X11/fonts(/.*)? system_u:object_r:fonts_t
+
+/usr/share/fonts(/.*)? system_u:object_r:fonts_t
+/usr/local/share/fonts(/.*)? system_u:object_r:fonts_t
+
+#
+# /var/run
+#
+/var/run(/.*)? system_u:object_r:var_run_t
+/var/run/.*\.*pid <<none>>
+
+#
+# /var/spool
+#
+/var/spool(/.*)? system_u:object_r:var_spool_t
+/var/spool/texmf(/.*)? system_u:object_r:tetex_data_t
+
+#
+# /var/log
+#
+/var/log(/.*)? system_u:object_r:var_log_t
+/var/log/wtmp.* -- system_u:object_r:wtmp_t
+/var/log/btmp.* -- system_u:object_r:faillog_t
+/var/log/faillog -- system_u:object_r:faillog_t
+/var/log/ksyms.* -- system_u:object_r:var_log_ksyms_t
+/var/log/dmesg -- system_u:object_r:var_log_t
+/var/log/lastlog -- system_u:object_r:lastlog_t
+/var/log/ksymoops(/.*)? system_u:object_r:var_log_ksyms_t
+/var/log/syslog -- system_u:object_r:var_log_t
+
+#
+# Journal files
+#
+/\.journal <<none>>
+/usr/\.journal <<none>>
+/boot/\.journal <<none>>
+/home/\.journal <<none>>
+/var/\.journal <<none>>
+/tmp/\.journal <<none>>
+/usr/local/\.journal <<none>>
+
+#
+# Lost and found directories.
+#
+/lost\+found(/.*)? system_u:object_r:lost_found_t
+/usr/lost\+found(/.*)? system_u:object_r:lost_found_t
+/boot/lost\+found(/.*)? system_u:object_r:lost_found_t
+/home/lost\+found(/.*)? system_u:object_r:lost_found_t
+/var/lost\+found(/.*)? system_u:object_r:lost_found_t
+/tmp/lost\+found(/.*)? system_u:object_r:lost_found_t
+/usr/local/lost\+found(/.*)? system_u:object_r:lost_found_t
+
+#
+# system localization
+#
+/usr/share/zoneinfo(/.*)? system_u:object_r:locale_t
+/usr/share/locale(/.*)? system_u:object_r:locale_t
+/usr/lib/locale(/.*)? system_u:object_r:locale_t
+/etc/localtime -- system_u:object_r:locale_t
+/etc/localtime -l system_u:object_r:etc_t
+
+#
+# Gnu Cash
+#
+/usr/share/gnucash/finance-quote-check -- system_u:object_r:bin_t
+/usr/share/gnucash/finance-quote-helper -- system_u:object_r:bin_t
+
+#
+# initrd mount point, only used during boot
+#
+/initrd -d system_u:object_r:root_t
+
+#
+# The Sun Java development kit, RPM install
+#
+/usr/java/j2.*/bin(/.*)? system_u:object_r:bin_t
+/usr/java/j2.*/jre/lib(64)?/i386(/.*)? system_u:object_r:lib_t
+/usr/java/j2.*/jre/lib(64)?/i386(/.*)?[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+/usr/java/j2.*/plugin/i386(/.*)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+
+#
+# The krb5.conf file is always being tested for writability, so
+# we defined a type to dontautit
+#
+/etc/krb5\.conf -- system_u:object_r:krb5_conf_t
+# checkpolicy
+/usr/bin/checkpolicy -- system_u:object_r:checkpolicy_exec_t
+/etc/selinux/policy/policy.* -- system_u:object_r:policy_config_t
+/etc/selinux/.*/src/policy/policy.* -- system_u:object_r:policy_config_t
+# chkpwd
+/sbin/unix_chkpwd -- system_u:object_r:chkpwd_exec_t
+/sbin/unix_verify -- system_u:object_r:chkpwd_exec_t
+# crond
+/etc/crontab -- system_u:object_r:system_cron_spool_t
+/etc/cron\.d(/.*)? system_u:object_r:system_cron_spool_t
+/usr/sbin/cron(d)? -- system_u:object_r:crond_exec_t
+/usr/sbin/anacron -- system_u:object_r:anacron_exec_t
+/var/spool/cron -d system_u:object_r:cron_spool_t
+/var/spool/cron/crontabs -d system_u:object_r:cron_spool_t
+/var/spool/cron/crontabs/.* -- <<none>>
+/var/spool/cron/crontabs/root -- system_u:object_r:sysadm_cron_spool_t
+/var/spool/cron/root -- system_u:object_r:sysadm_cron_spool_t
+/var/spool/cron/[^/]* -- <<none>>
+/var/log/cron.* -- system_u:object_r:crond_log_t
+/var/run/crond\.reboot -- system_u:object_r:crond_var_run_t
+/var/run/crond\.pid -- system_u:object_r:crond_var_run_t
+# fcron
+/usr/sbin/fcron -- system_u:object_r:crond_exec_t
+/var/spool/fcron -d system_u:object_r:cron_spool_t
+/var/spool/fcron/.* <<none>>
+/var/spool/fcron/systab.orig -- system_u:object_r:system_cron_spool_t
+/var/spool/fcron/systab -- system_u:object_r:system_cron_spool_t
+/var/spool/fcron/new.systab -- system_u:object_r:system_cron_spool_t
+/var/run/fcron\.fifo -s system_u:object_r:crond_var_run_t
+/var/run/fcron\.pid -- system_u:object_r:crond_var_run_t
+# atd
+/usr/sbin/atd -- system_u:object_r:crond_exec_t
+/var/spool/at -d system_u:object_r:cron_spool_t
+/var/spool/at/spool -d system_u:object_r:cron_spool_t
+/var/spool/at/[^/]* -- <<none>>
+/var/run/atd\.pid -- system_u:object_r:crond_var_run_t
+# crontab
+/usr/bin/(f)?crontab -- system_u:object_r:crontab_exec_t
+/usr/bin/at -- system_u:object_r:crontab_exec_t
+# dmesg
+/bin/dmesg -- system_u:object_r:dmesg_exec_t
+# fs admin utilities
+/sbin/fsck.* -- system_u:object_r:fsadm_exec_t
+/sbin/mkfs.* -- system_u:object_r:fsadm_exec_t
+/sbin/e2fsck -- system_u:object_r:fsadm_exec_t
+/sbin/mkdosfs -- system_u:object_r:fsadm_exec_t
+/sbin/dosfsck -- system_u:object_r:fsadm_exec_t
+/sbin/reiserfs(ck|tune) -- system_u:object_r:fsadm_exec_t
+/sbin/mkreiserfs -- system_u:object_r:fsadm_exec_t
+/sbin/resize.*fs -- system_u:object_r:fsadm_exec_t
+/sbin/e2label -- system_u:object_r:fsadm_exec_t
+/sbin/findfs -- system_u:object_r:fsadm_exec_t
+/sbin/mkfs -- system_u:object_r:fsadm_exec_t
+/sbin/mke2fs -- system_u:object_r:fsadm_exec_t
+/sbin/mkswap -- system_u:object_r:fsadm_exec_t
+/sbin/scsi_info -- system_u:object_r:fsadm_exec_t
+/sbin/sfdisk -- system_u:object_r:fsadm_exec_t
+/sbin/cfdisk -- system_u:object_r:fsadm_exec_t
+/sbin/fdisk -- system_u:object_r:fsadm_exec_t
+/sbin/parted -- system_u:object_r:fsadm_exec_t
+/sbin/tune2fs -- system_u:object_r:fsadm_exec_t
+/sbin/dumpe2fs -- system_u:object_r:fsadm_exec_t
+/sbin/swapon.* -- system_u:object_r:fsadm_exec_t
+/sbin/hdparm -- system_u:object_r:fsadm_exec_t
+/sbin/raidstart -- system_u:object_r:fsadm_exec_t
+/sbin/mkraid -- system_u:object_r:fsadm_exec_t
+/sbin/blockdev -- system_u:object_r:fsadm_exec_t
+/sbin/losetup.* -- system_u:object_r:fsadm_exec_t
+/sbin/jfs_.* -- system_u:object_r:fsadm_exec_t
+/sbin/lsraid -- system_u:object_r:fsadm_exec_t
+/usr/sbin/smartctl -- system_u:object_r:fsadm_exec_t
+/sbin/install-mbr -- system_u:object_r:fsadm_exec_t
+/usr/bin/scsi_unique_id -- system_u:object_r:fsadm_exec_t
+/usr/bin/raw -- system_u:object_r:fsadm_exec_t
+/sbin/partx -- system_u:object_r:fsadm_exec_t
+/usr/bin/partition_uuid -- system_u:object_r:fsadm_exec_t
+# getty
+/sbin/.*getty -- system_u:object_r:getty_exec_t
+/etc/mgetty(/.*)? system_u:object_r:getty_etc_t
+/bin/hostname -- system_u:object_r:hostname_exec_t
+# ifconfig
+/sbin/ifconfig -- system_u:object_r:ifconfig_exec_t
+/sbin/iwconfig -- system_u:object_r:ifconfig_exec_t
+/sbin/ip -- system_u:object_r:ifconfig_exec_t
+/sbin/tc -- system_u:object_r:ifconfig_exec_t
+/bin/ip -- system_u:object_r:ifconfig_exec_t
+/sbin/ethtool -- system_u:object_r:ifconfig_exec_t
+/sbin/mii-tool -- system_u:object_r:ifconfig_exec_t
+# init rc scripts
+/etc/X11/prefdm -- system_u:object_r:initrc_exec_t
+/etc/rc\.d/rc -- system_u:object_r:initrc_exec_t
+/etc/rc\.d/rc\.sysinit -- system_u:object_r:initrc_exec_t
+/etc/rc\.d/rc\.local -- system_u:object_r:initrc_exec_t
+/etc/rc\.d/init\.d/.* -- system_u:object_r:initrc_exec_t
+/etc/rc\.d/init\.d/functions -- system_u:object_r:etc_t
+/etc/init\.d/.* -- system_u:object_r:initrc_exec_t
+/etc/init\.d/functions -- system_u:object_r:etc_t
+/var/run/utmp -- system_u:object_r:initrc_var_run_t
+/var/run/runlevel\.dir system_u:object_r:initrc_var_run_t
+/var/run/random-seed -- system_u:object_r:initrc_var_run_t
+/var/run/setmixer_flag -- system_u:object_r:initrc_var_run_t
+# run_init
+/usr/sbin/run_init -- system_u:object_r:run_init_exec_t
+
+/etc/nologin.* -- system_u:object_r:etc_runtime_t
+/etc/nohotplug -- system_u:object_r:etc_runtime_t
+
+/halt -- system_u:object_r:etc_runtime_t
+/\.autofsck -- system_u:object_r:etc_runtime_t
+
+# init
+/dev/initctl -p system_u:object_r:initctl_t
+/sbin/init -- system_u:object_r:init_exec_t
+# klogd
+/sbin/klogd -- system_u:object_r:klogd_exec_t
+/usr/sbin/klogd -- system_u:object_r:klogd_exec_t
+/var/run/klogd\.pid -- system_u:object_r:klogd_var_run_t
+/sbin/ldconfig -- system_u:object_r:ldconfig_exec_t
+# load_policy
+/usr/sbin/load_policy -- system_u:object_r:load_policy_exec_t
+/sbin/load_policy -- system_u:object_r:load_policy_exec_t
+# login
+/bin/login -- system_u:object_r:login_exec_t
+# logrotate
+/usr/sbin/logrotate -- system_u:object_r:logrotate_exec_t
+/usr/sbin/logcheck -- system_u:object_r:logrotate_exec_t
+
+/etc/cron\.(daily|weekly)/sysklogd -- system_u:object_r:logrotate_exec_t
+/var/lib/logrotate.status -- system_u:object_r:logrotate_var_lib_t
+/var/lib/logcheck(/.*)? system_u:object_r:logrotate_var_lib_t
+# using a hard-coded name under /var/tmp is a bug - new version fixes it
+/var/tmp/logcheck -d system_u:object_r:logrotate_tmp_t
+# module utilities
+/etc/modules\.conf.* -- system_u:object_r:modules_conf_t
+/etc/modprobe\.conf.* -- system_u:object_r:modules_conf_t
+/lib(64)?/modules/modprobe.conf -- system_u:object_r:modules_conf_t
+/lib(64)?/modules(/.*)? system_u:object_r:modules_object_t
+/lib(64)?/modules/[^/]+/modules\..+ -- system_u:object_r:modules_dep_t
+/lib(64)?/modules/modprobe\.conf.* -- system_u:object_r:modules_conf_t
+/sbin/depmod.* -- system_u:object_r:depmod_exec_t
+/sbin/modprobe.* -- system_u:object_r:insmod_exec_t
+/sbin/insmod.* -- system_u:object_r:insmod_exec_t
+/sbin/insmod_ksymoops_clean -- system_u:object_r:sbin_t
+/sbin/rmmod.* -- system_u:object_r:insmod_exec_t
+/sbin/update-modules -- system_u:object_r:update_modules_exec_t
+/sbin/generate-modprobe.conf -- system_u:object_r:update_modules_exec_t
+# mount
+/bin/mount.* -- system_u:object_r:mount_exec_t
+/bin/umount.* -- system_u:object_r:mount_exec_t
+# network utilities
+/sbin/arping -- system_u:object_r:netutils_exec_t
+/usr/sbin/tcpdump -- system_u:object_r:netutils_exec_t
+/etc/network/ifstate -- system_u:object_r:etc_runtime_t
+# newrole
+/usr/bin/newrole -- system_u:object_r:newrole_exec_t
+# spasswd
+/usr/bin/passwd -- system_u:object_r:passwd_exec_t
+/usr/bin/chsh -- system_u:object_r:chfn_exec_t
+/usr/bin/chfn -- system_u:object_r:chfn_exec_t
+/usr/sbin/vipw -- system_u:object_r:admin_passwd_exec_t
+/usr/sbin/vigr -- system_u:object_r:admin_passwd_exec_t
+/usr/bin/vipw -- system_u:object_r:admin_passwd_exec_t
+/usr/bin/vigr -- system_u:object_r:admin_passwd_exec_t
+/usr/sbin/pwconv -- system_u:object_r:admin_passwd_exec_t
+/usr/sbin/pwunconv -- system_u:object_r:admin_passwd_exec_t
+/usr/sbin/grpconv -- system_u:object_r:admin_passwd_exec_t
+/usr/sbin/grpunconv -- system_u:object_r:admin_passwd_exec_t
+# restorecon
+/sbin/restorecon -- system_u:object_r:restorecon_exec_t
+# setfiles
+/usr/sbin/setfiles.* -- system_u:object_r:setfiles_exec_t
+
+# ssh
+/usr/bin/ssh -- system_u:object_r:ssh_exec_t
+/usr/bin/ssh-keygen -- system_u:object_r:ssh_keygen_exec_t
+# sshd
+/etc/ssh/primes -- system_u:object_r:sshd_key_t
+/etc/ssh/ssh_host_key -- system_u:object_r:sshd_key_t
+/etc/ssh/ssh_host_dsa_key -- system_u:object_r:sshd_key_t
+/etc/ssh/ssh_host_rsa_key -- system_u:object_r:sshd_key_t
+/usr/sbin/sshd -- system_u:object_r:sshd_exec_t
+/home/[^/]+/\.ssh(/.*)? system_u:object_r:user_home_ssh_t
+# subsystems
+/usr/lib(64)?/misc/sftp-server -- system_u:object_r:bin_t
+/usr/libexec/openssh/sftp-server -- system_u:object_r:bin_t
+/usr/lib(64)?/sftp-server -- system_u:object_r:bin_t
+# sulogin
+/sbin/sulogin -- system_u:object_r:sulogin_exec_t
+# su
+/bin/su -- system_u:object_r:su_exec_t
+# syslogd
+/sbin/syslogd -- system_u:object_r:syslogd_exec_t
+/sbin/minilogd -- system_u:object_r:syslogd_exec_t
+/usr/sbin/syslogd -- system_u:object_r:syslogd_exec_t
+/sbin/syslog-ng -- system_u:object_r:syslogd_exec_t
+/dev/log -s system_u:object_r:devlog_t
+/var/run/log -s system_u:object_r:devlog_t
+/var/run/syslogd\.pid -- system_u:object_r:syslogd_var_run_t
+# tmpreaper or tmpwatch
+/usr/sbin/tmpreaper -- system_u:object_r:tmpreaper_exec_t
+/usr/sbin/tmpwatch -- system_u:object_r:tmpreaper_exec_t
+# Add programs here which should not be confined by SELinux
+# e.g.:
+# /usr/local/bin/appsrv -- system_u:object_r:unconfined_exec_t
+#useradd
+/usr/sbin/usermod -- system_u:object_r:useradd_exec_t
+/usr/sbin/useradd -- system_u:object_r:useradd_exec_t
+/usr/sbin/userdel -- system_u:object_r:useradd_exec_t
+#groupadd
+/usr/sbin/groupmod -- system_u:object_r:groupadd_exec_t
+/usr/sbin/groupadd -- system_u:object_r:groupadd_exec_t
+/usr/sbin/groupdel -- system_u:object_r:groupadd_exec_t
+/usr/bin/gpasswd -- system_u:object_r:groupadd_exec_t
+/usr/sbin/gpasswd -- system_u:object_r:groupadd_exec_t
+# Zebra - BGP daemon
+/usr/sbin/zebra -- system_u:object_r:zebra_exec_t
+/usr/sbin/bgpd -- system_u:object_r:zebra_exec_t
+/var/log/zebra(/.*)? system_u:object_r:zebra_log_t
+/etc/zebra(/.*)? system_u:object_r:zebra_conf_t
+/var/run/.zserv -s system_u:object_r:zebra_var_run_t
+/var/run/.zebra -s system_u:object_r:zebra_var_run_t
+
+#
+# User-specific file contexts
+#
+
+/root -d root:object_r:staff_home_dir_t
+/root/.+ root:object_r:staff_home_t
+/root/\.ssh(/.*)? root:object_r:staff_home_ssh_t
+/root/.default_contexts -- system_u:object_r:default_context_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/hald.fc policy-1.17.11/file_contexts/program/hald.fc
--- nsapolicy/file_contexts/program/hald.fc	2004-09-02 08:03:26.000000000 -0400

+++ policy-1.17.11/file_contexts/program/hald.fc 2004-09-08 17:04:56.067904600 -0400
@@ -1,3 +1,4 @@
 # hald - hardware informationd daemon
 /usr/sbin/hald		--	system_u:object_r:hald_exec_t
 /usr/libexec/hal-hotplug-map -- system_u:object_r:hald_exec_t

+/etc/hal/device.d/printer_remove.hal -- system_u:object_r:hald_exec_t
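Review bot: The added path is a regex, so the unescaped dots in `/etc/hal/device.d/printer_remove.hal` match any character; the rest of this patch escapes them (`/etc/rc\.d/init\.d/.*`), so for consistency and precision the line should read `/etc/hal/device\.d/printer_remove\.hal -- system_u:object_r:hald_exec_t`. Giving a callout script under /etc the daemon's entrypoint type rather than bin_t is unusual enough that a one-line comment explaining why it must carry hald_exec_t would help the next reader.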
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/named.fc policy-1.17.11/file_contexts/program/named.fc
--- nsapolicy/file_contexts/program/named.fc	2004-08-31 10:55:37.000000000 -0400

+++ policy-1.17.11/file_contexts/program/named.fc 2004-09-08 11:52:35.000000000 -0400
@@ -14,7 +14,7 @@
 ') dnl distro_debian  
 /etc/rndc.*		--	system_u:object_r:named_conf_t
-/usr/sbin/named.*      	--	system_u:object_r:named_exec_t

+/usr/sbin/named -- system_u:object_r:named_exec_t
/usr/sbin/r?ndc -- system_u:object_r:ndc_exec_t
 /var/run/ndc -s system_u:object_r:named_var_run_t
 /var/run/bind(/.*)? system_u:object_r:named_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.17.11/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te 2004-09-04 07:28:25.000000000 -0400
+++ policy-1.17.11/macros/base_user_macros.te 2004-09-08 17:17:09.106752883 -0400
@@ -185,6 +185,17 @@
 can_network($1_t)
 can_ypbind($1_t)  

+# Grant permissions to access the system DBus
+ifdef(`dbus.te', `
+dbusd_client(system, $1_t)
+dbusd_client($1, $1_t)
+dbusd_domain($1)
+ifdef(`hald.te', `
+allow $1_t hald_t:dbus { send_msg };
+allow hald_t $1_t:dbus { send_msg };
+') dnl end ifdef hald.te
+') dnl end ifdef dbus.te
+

 # allow port_t name binding for UDP because it is not very usable otherwise
 allow $1_t port_t:udp_socket name_bind;
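Review bot: The new block is guarded by `ifdef(`dbus.te', `` while the `dbusd_client` macro it calls is only given a real body under `ifdef(`dbusd.te', ...)` in dbusd_macros.te in this same patch, so one of the two spellings cannot match the actual policy file name and either this block never expands or `dbusd_client` expands to nothing; the two guards should be spelled identically. The rules `allow $1_t hald_t:dbus { send_msg };` and `allow hald_t $1_t:dbus { send_msg };` are granted to every user domain the macro instantiates, including user_t, with no tunable; if HAL method access is only needed by desktop session domains, gating it behind a tunable would keep the strict policy narrower. The macro body continues outside the hunk.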

@@ -222,6 +233,10 @@

 dontaudit $1_t domain:dir r_dir_perms;
 dontaudit $1_t domain:notdevfile_class_set r_file_perms;
 dontaudit $1_t domain:process { getattr getsession };

+#
+# Cups daemon running as user tries to write /etc/printcap
+#
+dontaudit $1_t usr_t:file { setattr };
 

 ifdef(`xserver.te', `
 # for /tmp/.ICE-unix
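Review bot: The comment `# Cups daemon running as user tries to write /etc/printcap` does not match the rule under it: /etc/printcap is labelled etc_t by the `/etc(/.*)?` context elsewhere in this patch, whereas the rule silences setattr on usr_t, i.e. every file under /usr, for every user domain. Either the type or the comment is wrong; if the denial really is on usr_t the comment should name the actual path, and a dontaudit this broad hides a class of denials worth seeing during policy development. If the target really is /etc/printcap, `dontaudit $1_t etc_t:file { setattr };` matches the stated intent. The macro body continues outside the hunk.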
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.17.11/macros/program/chkpwd_macros.te

--- nsapolicy/macros/program/chkpwd_macros.te	2004-08-27 14:44:11.000000000 -0400

+++ policy-1.17.11/macros/program/chkpwd_macros.te 2004-09-08 17:04:11.194382931 -0400
@@ -51,6 +51,7 @@
 allow $1_chkpwd_t etc_t:file { getattr read };
 allow $1_chkpwd_t self:unix_dgram_socket create_socket_perms;
 allow $1_chkpwd_t self:unix_stream_socket create_socket_perms;

+allow $1_chkpwd_t tty_device_t:chr_file { read write };
 read_locale($1_chkpwd_t)  

 # Use capabilities.
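Review bot: The added `allow $1_chkpwd_t tty_device_t:chr_file { read write };` covers only hardware consoles; a session on a pseudo-terminal (terminal emulators, sshd) has its controlling tty labelled devpts_t, so the same denial will presumably reappear there for every `$1_chkpwd_t`. If unix_chkpwd is merely inheriting the caller's stdin/stdout and never needs to talk to the terminal, `dontaudit $1_chkpwd_t { tty_device_t devpts_t }:chr_file { read write };` silences the noise without widening a setuid password-checking helper's write access; if it does need the terminal, add devpts_t to the allow as well. The macro body continues outside the hunk.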
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/dbusd_macros.te policy-1.17.11/macros/program/dbusd_macros.te

--- nsapolicy/macros/program/dbusd_macros.te	1969-12-31 19:00:00.000000000 -0500

+++ policy-1.17.11/macros/program/dbusd_macros.te 2004-09-08 17:03:58.650428142 -0400
@@ -0,0 +1,69 @@
+#
+# Macros for Dbus
+#
+# Author: Colin Walters <walters@redhat.com>
+
+# dbusd_domain(domain_prefix)
+#
+# Define a derived domain for the DBus daemon.
+
+define(`dbusd_domain', `
+ifelse(`system', `$1',`
+daemon_domain(system_dbusd, `, userspace_objmgr')
+# For backwards compatibility
+typealias system_dbusd_t alias dbusd_t;
+typealias system_dbusd_exec_t alias dbusd_exec_t;
+typealias system_dbusd_var_run_t alias dbusd_var_run_t;
+type etc_dbusd_t, file_type, sysadmfile;
+',`
+ifdef(`single_userdomain', `
+typealias $1_t alias $1_dbusd_t;
+', `
+type $1_dbusd_t, domain, privlog, userspace_objmgr;
+role $1_r types $1_dbusd_t;
+domain_auto_trans($1_t, dbusd_exec_t, $1_dbusd_t)
+read_locale($1_dbusd_t)
+dontaudit $1_dbusd_t var_t:dir { getattr search };
+')dnl end ifdef single_userdomain
+')dnl end ifelse system
+
+base_file_read_access($1_dbusd_t)
+uses_shlib($1_dbusd_t)
+allow $1_dbusd_t etc_t:file { getattr read };
+r_dir_file($1_dbusd_t, etc_dbusd_t)
+tmp_domain($1_dbusd)
+allow $1_dbusd_t self:process { fork };
+ifdef(`xdm.te', `
+allow $1_dbusd_t xdm_t:fd { use };
+allow $1_dbusd_t xdm_t:fifo_file { write };
+')
+
+allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
+
+allow $1_dbusd_t urandom_device_t:chr_file { getattr read };
+allow $1_dbusd_t self:file { getattr read };
+allow $1_dbusd_t proc_t:file { read };
+
+')dnl end dbusd_domain definition
+
+# dbusd_client(dbus_type, domain)
+# Example: dbusd_client_domain(system, user_t)
+#
+# Grant permissions for connecting to the specified DBus type
+# from domain.
+define(`dbusd_client',`')
+ifdef(`dbusd.te',`
+undefine(`dbusd_client')
+define(`dbusd_client',`
+# For connecting to the bus
+allow $2 $1_dbusd_t:unix_stream_socket { connectto };
+ifelse(`system', `$1', `
+allow { $2 } { var_run_t system_dbusd_var_run_t }:dir search;
+allow { $2 } system_dbusd_var_run_t:sock_file { write };
+',`
+') dnl endif system
+# SE-DBus specific permissions
+allow $2 { $1_dbusd_t self }:dbus { send_msg };
+') dnl endif dbusd.te
+')

diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/userhelper_macros.te policy-1.17.11/macros/program/userhelper_macros.te
--- nsapolicy/macros/program/userhelper_macros.te	2004-08-27 14:44:11.000000000 -0400

+++ policy-1.17.11/macros/program/userhelper_macros.te 2004-09-08 17:32:29.340753830 -0400
@@ -63,9 +63,11 @@
 can_setexec($1_userhelper_t)  

 ifdef(`distro_redhat', `
+ifdef(`rpm.te', `

  # Allow transitioning to rpm_t, for up2date
 allow $1_userhelper_t rpm_t:process { transition siginh rlimitinh noatsecure };
 ')
+')
 

 # Use capabilities.
 allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xserver_macros.te policy-1.17.11/macros/program/xserver_macros.te

--- nsapolicy/macros/program/xserver_macros.te	2004-09-04 07:28:25.000000000 -0400

+++ policy-1.17.11/macros/program/xserver_macros.te 2004-09-08 17:31:29.799519751 -0400
@@ -65,6 +65,7 @@  

 allow xdm_xserver_t init_t:fd use;  

+dontaudit xdm_xserver_t user_home_dir_t:dir { read search };
 dontaudit xdm_xserver_t sysadm_home_dir_t:dir { read search };
 ', `
 # The user role is authorized for this domain.
@@ -162,6 +163,7 @@
 ifdef(`xdm.te', `
 allow $1_t xdm_tmp_t:sock_file { unlink };
 allow $1_xserver_t xdm_var_run_t:dir { search };
+allow xdm_t xserver_misc_device_t:chr_file { getattr };
 # for /tmp/.ICE-unix
 file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
 ')
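Review bot: `allow xdm_t xserver_misc_device_t:chr_file { getattr };` does not mention `$1`, yet it sits inside the per-user xserver macro (the neighbouring rules are `allow $1_t xdm_tmp_t:sock_file { unlink };` and `allow $1_xserver_t xdm_var_run_t:dir { search };`), so it is re-emitted identically for every user role the macro is instantiated for. It is an xdm_t rule and belongs in xdm.te, or in the xdm-specific branch of this file, rather than in the parameterised block. The enclosing macro starts and ends outside the hunk.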
@@ -248,6 +250,7 @@
 allow $1_xserver_t var_lib_t:dir search;
 rw_dir_create_file($1_xserver_t, var_lib_xkb_t)
 dontaudit $1_xserver_t selinux_config_t:dir { search };
+allow $1_xserver_t device_t:dir { create };
 

 # for fonts
 r_dir_file($1_xserver_t, fonts_t)
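Review bot: `allow $1_xserver_t device_t:dir { create };` only covers the new directory itself; creating /dev/dri also requires `{ write add_name }` on the parent device_t directory, so unless the macro already grants those elsewhere (not visible in this hunk) the mkdir will still be denied. The directory that is created keeps the device_t label, and the `/u?dev/dri/.+ -c system_u:object_r:dri_device_t` context in this patch labels only the nodes beneath it, so anything created there later is device_t until something relabels it; a type transition for the directory would make its label deterministic, and limiting the grant to xdm_xserver_t rather than every user's X server would be tighter. The enclosing macro starts and ends outside the hunk.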
Binary files nsapolicy/policy.18 and policy-1.17.11/policy.18 differ
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.17.11/tunables/distro.tun

--- nsapolicy/tunables/distro.tun	2004-08-27 14:44:11.000000000 -0400

+++ policy-1.17.11/tunables/distro.tun 2004-09-08 11:52:35.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.    

-dnl define(`distro_redhat')
+define(`distro_redhat')
 

 dnl define(`distro_suse')  

diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.11/tunables/tunable.tun

--- nsapolicy/tunables/tunable.tun	2004-08-27 14:44:11.000000000 -0400

+++ policy-1.17.11/tunables/tunable.tun 2004-09-08 11:52:35.000000000 -0400
@@ -5,50 +5,47 @@
 dnl define(`user_net_control')  

 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 

 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 

 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 

 # Support NFS home directories
-dnl define(`nfs_home_dirs')
+define(`nfs_home_dirs')
 

 # Allow users to run games
-dnl define(`use_games')
+define(`use_games')
 

 # Allow ypbind to run with NIS
-dnl define(`allow_ypbind')
+define(`allow_ypbind')
 

 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.

-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 

 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')

 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 

 # Allow sysadm_t to do almost everything
 dnl define(`unrestricted_admin')

 # Allow the read/write/create on any NFS file system

-dnl define(`nfs_export_all_rw')
-
-# Allow users to unrestricted access
-dnl define(`unlimitedUsers')

+define(`nfs_export_all_rw')
 

 # Allow the reading on any NFS file system
 dnl define(`nfs_export_all_ro')

 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 

 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.17.11/types/file.te
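Review bot: Several security-relevant tunables are switched on in the shipped default here without being mentioned in the commit message: `unlimitedRC`, `unlimitedUtils`, `unlimitedRPM`, `nfs_export_all_rw` and `user_canbe_sysadm` go from `dnl define(...)` to `define(...)`, and each is described in this very file as running a privileged component unconfined or widening access (rc scripts and everything they start, hotplug/insmod, rpm, read/write on every NFS mount, user_r reaching sysadm_r). The message describes the change as getting X to run with tmpfs on /dev; if these are distribution build defaults they should be called out as such or kept out of the upstream tunable.tun, and at minimum the message should list them. The `unlimitedUsers` option (`# Allow users to unrestricted access` / `dnl define(`unlimitedUsers')`) is also dropped silently — say whether the tunable was removed from the policy or only from this file.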

--- nsapolicy/types/file.te	2004-08-30 09:49:16.000000000 -0400

+++ policy-1.17.11/types/file.te 2004-09-08 11:52:35.000000000 -0400
@@ -258,6 +258,7 @@
 # the default file system type.
 #
 allow { file_type device_type } fs_t:filesystem associate;
+allow { file_type device_type } tmpfs_t:filesystem associate;
 

 # Allow the pty to be associated with the file system.
 allow devpts_t devpts_t:filesystem associate;
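Review bot: `allow { file_type device_type } tmpfs_t:filesystem associate;` lets every file type in the policy, not just the /dev ones, live on any tmpfs mount, which loosens the filesystem-association check that previously confined tmpfs to tmpfs-derived types (e.g. a shadow_t or bin_t file created on /dev/shm would now pass). If the goal is only a tmpfs-backed /dev, `allow device_type tmpfs_t:filesystem associate;` plus the few non-device types this patch's file contexts place under /dev (the device_t directories, devlog_t, initctl_t, whichever of those are not already device_type) is tighter; if the broad rule is deliberate, the comment above should say why.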

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Thu 9 Sep 2004 - 10:04:47 EDT
 
