
Bug#610272: pu: package refpolicy/2:0.2.20100524-6



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

The following patch fixes many issues with the SELinux policy that were
discovered after the release of Lenny.  It also supports using the Squeeze
kernel, which is really useful for virtual servers that have a Lenny DomU and
a Squeeze Dom0.


diff -u refpolicy-0.0.20080702/policy/modules/admin/logrotate.te refpolicy-0.0.20080702/policy/modules/admin/logrotate.te
--- refpolicy-0.0.20080702/policy/modules/admin/logrotate.te
+++ refpolicy-0.0.20080702/policy/modules/admin/logrotate.te
@@ -122,14 +122,13 @@
 
 cron_system_entry(logrotate_t, logrotate_exec_t)
 cron_search_spool(logrotate_t)
-# for logcheck: (Note that this is a design-rule violation for refpolicy,
-# using crond_t in this file directly, should be via an interface!)
-allow crond_t logrotate_var_lib_t:dir search;
  
 mta_send_mail(logrotate_t)
 
 sysadm_dontaudit_search_home_dirs(logrotate_t)
 
+term_dontaudit_getattr_unallocated_ttys(logrotate_t)
+
 ifdef(`distro_debian', `
 	allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
 	# for savelog
@@ -137,6 +136,13 @@
 
 	# for syslogd-listfiles
 	logging_read_syslog_config(logrotate_t)
+
+        # for "test -x /sbin/syslogd"
+	logging_check_exec_syslog(logrotate_t)
+')
+
+optional_policy(`
+	unconfined_dontaudit_search_home_dirs(logrotate_t)
 ')
 
 optional_policy(`
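Review bot: The added comment `# for "test -x /sbin/syslogd"` is indented with spaces while the rule beneath it and the rest of the ifdef body use a tab; every other refpolicy block in this patch is tab-indented, so `	# for "test -x /sbin/syslogd"` keeps the block consistent. The `ifdef(`distro_debian'` block that this hunk closes starts outside the hunk, so I cannot see whether anything else in it was affected.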
@@ -152,6 +158,10 @@
 ')
 
 optional_policy(`
+	webalizer_domtrans(logrotate_t)
+')
+
+optional_policy(`
 	consoletype_exec(logrotate_t)
 ')
 
diff -u refpolicy-0.0.20080702/policy/modules/admin/dpkg.te refpolicy-0.0.20080702/policy/modules/admin/dpkg.te
--- refpolicy-0.0.20080702/policy/modules/admin/dpkg.te
+++ refpolicy-0.0.20080702/policy/modules/admin/dpkg.te
@@ -52,8 +52,8 @@
 # dpkg Local policy
 #
 
-allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
-allow dpkg_t self:process { setpgid fork getsched setfscreate };
+allow dpkg_t self:capability { chown dac_override fowner fsetid kill setgid setuid linux_immutable ipc_lock sys_nice sys_resource sys_tty_config mknod };
+allow dpkg_t self:process { setrlimit setpgid fork getsched setfscreate };
 allow dpkg_t self:fd use;
 allow dpkg_t self:fifo_file rw_fifo_file_perms;
 allow dpkg_t self:unix_dgram_socket create_socket_perms;
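Review bot: The rewritten capability line adds `ipc_lock` and the process line adds `setrlimit`, but because both lines are replaced wholesale and carry no comment, a later reader cannot tell which additions were deliberate or which dpkg operation needed them. A short why-comment above the rules, e.g. `# ipc_lock / setrlimit: TODO record the dpkg or maintainer-script operation that was denied`, would keep the grant reviewable. The retained `sys_resource` capability lets setrlimit raise hard limits as well, which is presumably intended but worth stating.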
diff -u refpolicy-0.0.20080702/policy/modules/admin/apt.fc refpolicy-0.0.20080702/policy/modules/admin/apt.fc
--- refpolicy-0.0.20080702/policy/modules/admin/apt.fc
+++ refpolicy-0.0.20080702/policy/modules/admin/apt.fc
@@ -15,7 +15,7 @@
 # aptitude lock
 /var/lock/aptitude			gen_context(system_u:object_r:apt_lock_t,s0)
 # aptitude log
-/var/log/aptitude			gen_context(system_u:object_r:apt_var_log_t,s0)
+/var/log/aptitude.*	--		gen_context(system_u:object_r:apt_var_log_t,s0)
 
 # dpkg terminal log
 /var/log/apt(/.*)?                    gen_context(system_u:object_r:apt_var_log_t,s0)
diff -u refpolicy-0.0.20080702/policy/modules/admin/apt.if refpolicy-0.0.20080702/policy/modules/admin/apt.if
--- refpolicy-0.0.20080702/policy/modules/admin/apt.if
+++ refpolicy-0.0.20080702/policy/modules/admin/apt.if
@@ -17,7 +17,7 @@
 
 	files_search_usr($1)
 	corecmd_search_bin($1)
-	domtrans_pattern($1,apt_exec_t,apt_t)
+	domtrans_pattern($1, apt_exec_t, apt_t)
 ')
 
 ########################################
@@ -184,8 +184,8 @@
 
 	files_search_var_lib($1)
 	allow $1 apt_var_lib_t:dir list_dir_perms;
-	read_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
-	read_lnk_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
+	read_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
+	read_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
 ')
 
 ########################################
@@ -204,10 +204,10 @@
 	')
 
 	files_search_var_lib($1)
-	manage_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
+	manage_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
 	# cjp: shouldnt this be manage_lnk_files?
-	rw_lnk_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
-	delete_lnk_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
+	rw_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
+	delete_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
 ')
 
 ########################################
diff -u refpolicy-0.0.20080702/policy/modules/admin/apt.te refpolicy-0.0.20080702/policy/modules/admin/apt.te
--- refpolicy-0.0.20080702/policy/modules/admin/apt.te
+++ refpolicy-0.0.20080702/policy/modules/admin/apt.te
@@ -1,5 +1,5 @@
 
-policy_module(apt,1.4.0)
+policy_module(apt, 1.4.0)
 
 ########################################
 #
@@ -8,7 +8,7 @@
 
 type apt_t;
 type apt_exec_t;
-init_system_domain(apt_t,apt_exec_t)
+init_system_domain(apt_t, apt_exec_t)
 domain_system_change_exemption(apt_t)
 role system_r types apt_t;
 
@@ -62,30 +62,31 @@
 allow apt_t self:netlink_route_socket r_netlink_socket_perms;
 
 # Access /var/cache/apt files
-manage_files_pattern(apt_t,apt_var_cache_t,apt_var_cache_t)
-files_var_filetrans(apt_t,apt_var_cache_t,dir)
+manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
+files_var_filetrans(apt_t, apt_var_cache_t, dir)
 
-manage_dirs_pattern(apt_t,apt_tmp_t,apt_tmp_t)
-manage_files_pattern(apt_t,apt_tmp_t,apt_tmp_t)
+manage_dirs_pattern(apt_t, apt_tmp_t, apt_tmp_t)
+manage_files_pattern(apt_t, apt_tmp_t, apt_tmp_t)
 files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })
 
-manage_dirs_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
-manage_files_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
-manage_lnk_files_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
-manage_fifo_files_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
-manage_sock_files_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
-fs_tmpfs_filetrans(apt_t,apt_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+manage_dirs_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
+manage_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
+manage_lnk_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
+manage_fifo_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
+manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
+fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
 # Access /var/lib/apt files
-manage_files_pattern(apt_t,apt_var_lib_t,apt_var_lib_t)
-files_var_lib_filetrans(apt_t,apt_var_lib_t,dir)
+manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
+files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
 
 # lock files
 allow apt_t apt_lock_t:dir manage_dir_perms;
 allow apt_t apt_lock_t:file manage_file_perms;
-files_lock_filetrans(apt_t,apt_lock_t,{dir file})
+files_lock_filetrans(apt_t, apt_lock_t, {dir file})
 
 # log files
+allow apt_t apt_var_log_t:dir manage_dir_perms;
 allow apt_t apt_var_log_t:file manage_file_perms;
 
 kernel_read_system_state(apt_t)
@@ -145,7 +146,7 @@
 
 # with boolean, for cron-apt and such?
 #optional_policy(`
-#	cron_system_entry(apt_t,apt_exec_t)
+#	cron_system_entry(apt_t, apt_exec_t)
 #')
 
 optional_policy(`
diff -u refpolicy-0.0.20080702/policy/modules/kernel/files.fc refpolicy-0.0.20080702/policy/modules/kernel/files.fc
--- refpolicy-0.0.20080702/policy/modules/kernel/files.fc
+++ refpolicy-0.0.20080702/policy/modules/kernel/files.fc
@@ -65,7 +65,7 @@
 
 /etc/ipsec\.d/examples(/.*)?	gen_context(system_u:object_r:etc_t,s0)
 
-/etc/network/ifstate	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/network/run/ifstate --	gen_context(system_u:object_r:etc_runtime_t,s0)
 
 /etc/ptal/ptal-printd-like -- 	gen_context(system_u:object_r:etc_runtime_t,s0)
 
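Review bot: Replacing the `/etc/network/ifstate` entry instead of adding the new path drops the etc_runtime_t label for any system that still keeps ifstate directly under /etc/network; keeping the old line `/etc/network/ifstate	--	gen_context(system_u:object_r:etc_runtime_t,s0)` next to the new one avoids a regression if both layouts are in use on Lenny. If /etc/network/run is a symlink on some installations, setfiles will not follow it and the new entry will not apply there — worth confirming on a target system.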
diff -u refpolicy-0.0.20080702/policy/modules/kernel/filesystem.te refpolicy-0.0.20080702/policy/modules/kernel/filesystem.te
--- refpolicy-0.0.20080702/policy/modules/kernel/filesystem.te
+++ refpolicy-0.0.20080702/policy/modules/kernel/filesystem.te
@@ -164,6 +164,7 @@
 fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0);
 fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0);
 fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
+fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0);
 
 allow tmpfs_t noxattrfs:filesystem associate;
 
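Review bot: Giving devtmpfs the tmpfs_t context means device nodes the kernel populates into /dev before udev relabels them carry tmpfs_t, so during that window every domain with tmpfs_t read/write access can reach raw device nodes. device_t is the type the rest of /dev uses, so `fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);` is the safer default and matches how the later upstream policy treats devtmpfs. This assumes the Squeeze kernel mentioned in the description mounts devtmpfs on /dev, which the hunk itself does not show.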
diff -u refpolicy-0.0.20080702/policy/modules/services/apache.te refpolicy-0.0.20080702/policy/modules/services/apache.te
--- refpolicy-0.0.20080702/policy/modules/services/apache.te
+++ refpolicy-0.0.20080702/policy/modules/services/apache.te
@@ -398,6 +398,14 @@
 tunable_policy(`httpd_enable_homedirs',`
 	userdom_read_unpriv_users_home_content_files(httpd_t)
 ')
+optional_policy(`
+	gen_require(`
+		bool daemon_access_unconfined_home;
+	')
+	tunable_policy(`httpd_enable_homedirs && daemon_access_unconfined_home', `
+			unconfined_read_home_content_files(httpd_t)
+	')
+')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 	fs_read_nfs_files(httpd_t)
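Review bot: Inside the new tunable_policy block, `unconfined_read_home_content_files(httpd_t)` is indented three tabs while the enclosing block and the neighbouring tunable bodies use one; one tab matches the file. The same indentation appears in the two later hunks of this file for httpd_suexec_t and httpd_sys_script_t. Since `daemon_access_unconfined_home` is declared elsewhere in this patch with a default of true, httpd's access to unconfined users' home content is effectively gated only by `httpd_enable_homedirs`; a comment such as `# daemon_access_unconfined_home defaults to on; httpd_enable_homedirs is the effective switch` would help whoever tunes the policy.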
@@ -434,7 +442,10 @@
 ')
 
 optional_policy(`
+# for cron jobs to restart Apache
 	cron_system_entry(httpd_t, httpd_exec_t)
+# For cron jobs to run from accounts with home directories in the web store
+	crond_search_dir(httpd_sys_content_t)
 ')
 
 optional_policy(`
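Review bot: The two comments added inside this optional_policy block sit at column 0 while the calls they describe are tab-indented; indenting them (`	# for cron jobs to restart Apache`, `	# For cron jobs to run from accounts with home directories in the web store`) matches the rest of the file. `crond_search_dir(httpd_sys_content_t)` grants crond_t search on every httpd_sys_content_t directory, not only the home directories the comment mentions, which is fine for search but worth stating so nobody later widens it to read.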
@@ -647,6 +658,14 @@
 tunable_policy(`httpd_enable_homedirs',`
 	userdom_read_unpriv_users_home_content_files(httpd_suexec_t)
 ')
+optional_policy(`
+	gen_require(`
+		bool daemon_access_unconfined_home;
+	')
+	tunable_policy(`httpd_enable_homedirs && daemon_access_unconfined_home', `
+			unconfined_read_home_content_files(httpd_suexec_t)
+	')
+')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 	fs_read_nfs_files(httpd_suexec_t)
@@ -705,6 +724,14 @@
 tunable_policy(`httpd_enable_homedirs',`
 	userdom_read_unpriv_users_home_content_files(httpd_sys_script_t)
 ')
+optional_policy(`
+	gen_require(`
+		bool daemon_access_unconfined_home;
+	')
+	tunable_policy(`httpd_enable_homedirs && daemon_access_unconfined_home', `
+			unconfined_read_home_content_files(httpd_sys_script_t)
+	')
+')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 	fs_read_nfs_files(httpd_sys_script_t)
diff -u refpolicy-0.0.20080702/policy/modules/services/cron.te refpolicy-0.0.20080702/policy/modules/services/cron.te
--- refpolicy-0.0.20080702/policy/modules/services/cron.te
+++ refpolicy-0.0.20080702/policy/modules/services/cron.te
@@ -101,6 +101,11 @@
 
 allow crond_t cron_spool_t:dir rw_dir_perms;
 allow crond_t cron_spool_t:file read_file_perms;
+tunable_policy(`fcron_crond', `
+files_pid_filetrans(crond_t,crond_var_run_t,sock_file)
+# I think this is a design flaw in fcron - rjc
+allow crond_t cron_spool_t:file create_file_perms;
+')
 
 manage_dirs_pattern(crond_t,crond_tmp_t,crond_tmp_t)
 manage_files_pattern(crond_t,crond_tmp_t,crond_tmp_t)
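Review bot: The three lines inside the new `fcron_crond` tunable block are at column 0, whereas every other tunable_policy body in this patch indents its rules by one tab; `	files_pid_filetrans(crond_t,crond_var_run_t,sock_file)` and the two lines after it should be indented likewise. The `fcron_crond` tunable is not declared in this hunk, so it presumably comes from a gen_tunable elsewhere in cron.te — confirm it exists, otherwise the module will not build. The comment `# I think this is a design flaw in fcron - rjc` would be more useful if it named the behaviour being worked around, which from the rule appears to be fcron creating files in the spool from crond_t.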
diff -u refpolicy-0.0.20080702/policy/modules/services/xserver.fc refpolicy-0.0.20080702/policy/modules/services/xserver.fc
--- refpolicy-0.0.20080702/policy/modules/services/xserver.fc
+++ refpolicy-0.0.20080702/policy/modules/services/xserver.fc
@@ -26,6 +26,11 @@
 /etc/X11/wdm/Xsetup.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/X11/wdm/Xstartup.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/X11/Xsession[^/]*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
+ifdef(`distro_debian',`
+/etc/gdm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/gdm/PreSession/Default --	gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/gdm/PostSession/Default -- gen_context(system_u:object_r:xsession_exec_t,s0)
+')
 
 ifdef(`distro_redhat',`
 /etc/gdm/PostSession/.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
@@ -82,13 +87,15 @@
 /var/lib/[xgkw]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/lib/xkb(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
 
-/var/log/[kw]dm\.log	--	gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/[kw]dm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/gdm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/Xorg.*		--	gen_context(system_u:object_r:xserver_log_t,s0)
 
 /var/run/[gx]dm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/xauth/.*	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/gdm_socket	-s	gen_context(system_u:object_r:xdm_var_run_t,s0)
 
 ifdef(`distro_suse',`
 /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff -u refpolicy-0.0.20080702/policy/modules/services/cups.te refpolicy-0.0.20080702/policy/modules/services/cups.te
--- refpolicy-0.0.20080702/policy/modules/services/cups.te
+++ refpolicy-0.0.20080702/policy/modules/services/cups.te
@@ -157,6 +157,7 @@
 dev_read_urand(cupsd_t)
 dev_read_sysfs(cupsd_t)
 dev_read_usbfs(cupsd_t)
+dev_rw_generic_usb_dev(cupsd_t)
 dev_getattr_printer_dev(cupsd_t)
 
 domain_read_all_domains_state(cupsd_t)
diff -u refpolicy-0.0.20080702/policy/modules/services/courier.fc refpolicy-0.0.20080702/policy/modules/services/courier.fc
--- refpolicy-0.0.20080702/policy/modules/services/courier.fc
+++ refpolicy-0.0.20080702/policy/modules/services/courier.fc
@@ -14,7 +14,8 @@
 /usr/lib(64)?/courier/imapd		--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
 /usr/lib(64)?/courier/pop3d		--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
 /usr/lib(64)?/courier/rootcerts(/.*)?		gen_context(system_u:object_r:courier_etc_t,s0)
-/usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
+/usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:courier_sqwebmail_exec_t,s0)
+/var/cache/sqwebmail(/.*)?			gen_context(system_u:object_r:courier_sqwebmail_cache_t,s0)
 
 /var/lib/courier(/.*)?				gen_context(system_u:object_r:courier_var_lib_t,s0)
 
diff -u refpolicy-0.0.20080702/policy/modules/services/xserver.if refpolicy-0.0.20080702/policy/modules/services/xserver.if
--- refpolicy-0.0.20080702/policy/modules/services/xserver.if
+++ refpolicy-0.0.20080702/policy/modules/services/xserver.if
@@ -360,13 +360,6 @@
 		userhelper_search_config($1_xserver_t)
 	')
 
-	ifdef(`TODO',`
-	ifdef(`xdm.te', `
-		allow $1_t xdm_tmp_t:sock_file unlink;
-		allow $1_xserver_t xdm_var_run_t:dir search;
-	')
-	') dnl end TODO
-
 	##############################
 	#
 	# $1_xauth_t Local policy
@@ -428,6 +421,11 @@
 		ssh_dontaudit_rw_tcp_sockets($1_xauth_t)
 	')
 
+	# for switch-user
+	allow $1_t xdm_var_run_t:sock_file rw_file_perms;
+	allow $1_t xdm_var_run_t:dir search;
+	allow $1_t xdm_t:process signull;
+
 	##############################
 	#
 	# $1_iceauth_t Local policy
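Review bot: `allow $1_t xdm_var_run_t:sock_file rw_file_perms;` uses the file permission set on a sock_file; refpolicy has `rw_sock_file_perms` for that class, so `allow $1_t xdm_var_run_t:sock_file rw_sock_file_perms;` is the conventional form and avoids granting file-only bits that do not apply. The three rules are also placed at the end of the `$1_xauth_t` section although they concern `$1_t`; grouping them with the other `$1_t` rules, or extending the comment to `# for switch-user: user domain talks to the xdm socket`, would make the placement intentional. The enclosing template starts and ends outside the hunk.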
diff -u refpolicy-0.0.20080702/policy/modules/services/courier.te refpolicy-0.0.20080702/policy/modules/services/courier.te
--- refpolicy-0.0.20080702/policy/modules/services/courier.te
+++ refpolicy-0.0.20080702/policy/modules/services/courier.te
@@ -26,9 +26,16 @@
 type courier_exec_t;
 files_type(courier_exec_t)
 
+type courier_sqwebmail_cache_t;
+files_type(courier_sqwebmail_cache_t)
+
 courier_domain_template(sqwebmail)
 typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t;
 
+manage_files_pattern(courier_sqwebmail_t, courier_sqwebmail_cache_t, courier_sqwebmail_cache_t)
+
+dev_read_urand(courier_sqwebmail_t)
+
 ########################################
 #
 # Authdaemon local policy
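Review bot: courier_sqwebmail_t gets `manage_files_pattern` on the new courier_sqwebmail_cache_t but no directory permissions, so if sqwebmail creates subdirectories under /var/cache/sqwebmail (which courier.fc labels with `(/.*)?`) those operations will be denied; `manage_dirs_pattern(courier_sqwebmail_t, courier_sqwebmail_cache_t, courier_sqwebmail_cache_t)` would cover that if it is needed. Nothing in this hunk grants the domain search on /var and /var/cache, so reaching the cache depends on access granted elsewhere — worth confirming, and adding `files_search_var(courier_sqwebmail_t)` if not.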
@@ -43,12 +50,9 @@
 allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
 allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_fifo_file_perms;
 
-allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
 allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;
 allow courier_authdaemon_t courier_tcpd_t:process sigchld;
 allow courier_authdaemon_t courier_tcpd_t:fd use;
-allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
-allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
 
 corecmd_search_bin(courier_authdaemon_t)
 
@@ -89,9 +93,15 @@
 allow courier_pop_t courier_authdaemon_t:process sigchld;
 
 allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
+dev_read_urand(courier_pop_t)
+
+# for FAM with IMAP
+sysnet_use_portmap(courier_pop_t)
+corenet_tcp_bind_all_rpc_ports(courier_pop_t)
+corenet_tcp_bind_all_nodes(courier_pop_t)
 
-# inherits file handle - should it?
-allow courier_pop_t courier_var_lib_t:file { read write };
+# for /var/lib/courier/couriersslcache
+allow courier_pop_t courier_var_lib_t:file rw_file_perms;
 
 miscfiles_read_localization(courier_pop_t)
 
@@ -107,4 +117,13 @@
 userdom_read_user_home_content_symlinks(user,courier_pop_t)
 
+optional_policy(`
+	gen_require(`
+		bool daemon_access_unconfined_home;
+	')
+	if(daemon_access_unconfined_home) {
+		unconfined_write_home_content_files(courier_pop_t)
+	}
+')
+
 ########################################
 #
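Review bot: This block gates on the boolean with a raw `if(daemon_access_unconfined_home) { ... }` while the apache.te hunks in the same patch use `tunable_policy` for the same boolean; `tunable_policy(`daemon_access_unconfined_home', `unconfined_write_home_content_files(courier_pop_t)')` keeps the two consistent. More importantly, it grants write access rather than the read access given to httpd, and it is not conditioned on any per-service tunable the way httpd is on `httpd_enable_homedirs`, so with the boolean defaulting to true elsewhere in the patch a network-facing POP/IMAP daemon can write unconfined users' home content out of the box. A comment stating the intent (presumably maildir updates) and that this is deliberately unconditional would make the trade-off explicit.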
diff -u refpolicy-0.0.20080702/policy/modules/services/clamav.te refpolicy-0.0.20080702/policy/modules/services/clamav.te
--- refpolicy-0.0.20080702/policy/modules/services/clamav.te
+++ refpolicy-0.0.20080702/policy/modules/services/clamav.te
@@ -1,6 +1,12 @@
-
 policy_module(clamav,1.6.0)
 
+## <desc>
+## <p>
+## Allow clamd to use JIT compiler
+## </p>
+## </desc>
+gen_tunable(clamd_use_jit, false)
+
 ########################################
 #
 # Declarations
@@ -27,6 +33,10 @@
 type clamd_var_lib_t;
 files_type(clamd_var_lib_t)
 
+# spool files
+type clamd_spool_t;
+files_type(clamd_spool_t)
+
 # pid files
 type clamd_var_run_t;
 files_pid_file(clamd_var_run_t)
@@ -44,6 +54,8 @@
 type freshclam_exec_t;
 init_daemon_domain(freshclam_t, freshclam_exec_t)
 
+allow freshclam_t self:netlink_route_socket r_netlink_socket_perms;
+
 # log files
 type freshclam_var_log_t;
 logging_log_file(freshclam_var_log_t)
@@ -53,11 +65,22 @@
 # clamd local policy
 #
 
+allow clamd_t self:process signull;
+allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow clamd_t self:capability { kill setgid setuid dac_override };
 allow clamd_t self:fifo_file rw_fifo_file_perms;
 allow clamd_t self:unix_stream_socket create_stream_socket_perms;
 allow clamd_t self:unix_dgram_socket create_socket_perms;
 allow clamd_t self:tcp_socket { listen accept };
+allow clamd_t self:fd use;
+corecmd_exec_bin(clamd_t)
+corecmd_read_bin_symlinks(clamd_t)
+files_read_usr_files(clamd_t)
+
+optional_policy(`
+# to allow creating the unix domain socket
+	postfix_search_spool(clamd_t)
+')
 
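Review bot: The added `allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };` makes the existing `allow clamd_t self:unix_stream_socket create_stream_socket_perms;` three lines below redundant; fold `connectto` into the existing line and drop the duplicate. `corecmd_exec_bin(clamd_t)` lets clamd run any bin_t program in its own domain, which is a wide grant to add without a note — a line such as `# TODO: record which helper clamd needs to execute` lets a later reviewer narrow it. The comment inside the new optional_policy block is at column 0 while the rule is tab-indented.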
 # configuration files
 allow clamd_t clamd_etc_t:dir list_dir_perms;
@@ -73,6 +96,10 @@
 manage_dirs_pattern(clamd_t,clamd_var_lib_t,clamd_var_lib_t)
 manage_files_pattern(clamd_t,clamd_var_lib_t,clamd_var_lib_t)
 
+# spool files
+manage_dirs_pattern(clamd_t,clamd_spool_t,clamd_spool_t)
+manage_files_pattern(clamd_t,clamd_spool_t,clamd_spool_t)
+
 # log files
 manage_dirs_pattern(clamd_t,clamd_var_log_t,clamd_var_log_t)
 manage_files_pattern(clamd_t,clamd_var_log_t,clamd_var_log_t)
@@ -88,15 +115,20 @@
 kernel_read_sysctl(clamd_t)
 kernel_read_kernel_sysctls(clamd_t)
 
+# for /proc/meminfo
+allow clamd_t proc_t:file { getattr read };
+
 corenet_all_recvfrom_unlabeled(clamd_t)
 corenet_all_recvfrom_netlabel(clamd_t)
 corenet_tcp_sendrecv_all_if(clamd_t)
 corenet_tcp_sendrecv_all_nodes(clamd_t)
 corenet_tcp_sendrecv_all_ports(clamd_t)
 corenet_tcp_sendrecv_clamd_port(clamd_t)
+corenet_tcp_sendrecv_amavisd_send_port(clamd_t)
 corenet_tcp_bind_all_nodes(clamd_t)
 corenet_tcp_bind_clamd_port(clamd_t)
 corenet_sendrecv_clamd_server_packets(clamd_t)
+corenet_udp_bind_all_nodes(clamd_t)
 
 dev_read_rand(clamd_t)
 dev_read_urand(clamd_t)
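Review bot: `allow clamd_t proc_t:file { getattr read };` references the kernel module's proc_t directly from a service module, which refpolicy's layering rules disallow and which will fail to build as a standalone module without a gen_require; the interface call `kernel_read_system_state(clamd_t)` grants the /proc/meminfo read and keeps the module self-contained. `corenet_udp_bind_all_nodes(clamd_t)` is added without a comment and without a matching UDP port bind in this hunk, so a note on why clamd binds UDP at all would help.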
@@ -120,6 +152,7 @@
 cron_use_fds(clamd_t)
 cron_use_system_job_fds(clamd_t)
 cron_rw_pipes(clamd_t)
+crond_search_dir(clamd_var_lib_t)
 
 optional_policy(`
 	amavis_read_lib_files(clamd_t)
@@ -133,6 +166,8 @@
 # Freshclam local policy
 #
 
+files_search_var_lib(freshclam_t)
+
 allow freshclam_t self:capability { setgid setuid dac_override };
 allow freshclam_t self:fifo_file rw_fifo_file_perms;
 allow freshclam_t self:unix_stream_socket create_stream_socket_perms;
@@ -166,6 +201,7 @@
 corenet_tcp_sendrecv_all_ports(freshclam_t)
 corenet_tcp_sendrecv_clamd_port(freshclam_t)
 corenet_tcp_connect_http_port(freshclam_t)
+corenet_tcp_connect_http_cache_port(freshclam_t)
 corenet_sendrecv_http_client_packets(freshclam_t)
 
 dev_read_rand(freshclam_t)
@@ -231,6 +267,16 @@
 
 clamav_stream_connect(clamscan_t)
 
+mta_send_mail(clamscan_t)
+
+tunable_policy(`clamd_use_jit',`
+	allow clamd_t self:process execmem;
+	allow freshclam_t self:process execmem;
+', `
+	dontaudit clamd_t self:process execmem;
+	dontaudit freshclam_t self:process execmem;
+')
+
 optional_policy(`
 	apache_read_sys_content(clamscan_t)
 ')
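Review bot: The `clamd_use_jit` tunable block grants execmem to clamd_t and freshclam_t but sits in the clamscan section of the file, right after `clamav_stream_connect(clamscan_t)`; refpolicy groups rules by domain, so it belongs in the clamd and freshclam local policy sections, or at least wants a comment explaining its placement. The else branch dontaudits execmem, so with the tunable off a denial is hidden from the audit log rather than reported — a comment like `# JIT disabled: hide the execmem denial rather than log it` would stop it being mistaken for a missing grant. `mta_send_mail(clamscan_t)` is added with no note on what triggers it.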
diff -u refpolicy-0.0.20080702/policy/modules/services/xserver.te refpolicy-0.0.20080702/policy/modules/services/xserver.te
--- refpolicy-0.0.20080702/policy/modules/services/xserver.te
+++ refpolicy-0.0.20080702/policy/modules/services/xserver.te
@@ -179,7 +179,7 @@
 manage_dirs_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
 manage_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
 manage_fifo_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
-files_pid_filetrans(xdm_t,xdm_var_run_t,{ dir file fifo_file })
+files_pid_filetrans(xdm_t,xdm_var_run_t,{ dir file fifo_file sock_file })
 
 allow xdm_t xdm_xserver_t:process signal;
 allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
@@ -478,6 +478,7 @@
 optional_policy(`
 	unconfined_domain_noaudit(xdm_xserver_t)
 	unconfined_domtrans(xdm_xserver_t)
+	unconfined_dbus_send(xdm_xserver_t)
 
 	ifndef(`distro_redhat',`
 		allow xdm_xserver_t self:process { execheap execmem };
diff -u refpolicy-0.0.20080702/policy/modules/apps/gpg.if refpolicy-0.0.20080702/policy/modules/apps/gpg.if
--- refpolicy-0.0.20080702/policy/modules/apps/gpg.if
+++ refpolicy-0.0.20080702/policy/modules/apps/gpg.if
@@ -75,7 +75,7 @@
 	allow $1_gpg_t self:capability { ipc_lock setuid };
 	allow { $2 $1_gpg_t } $1_gpg_t:process signal;
 	# setrlimit is for ulimit -c 0
-	allow $1_gpg_t self:process { setrlimit setcap setpgid };
+	allow $1_gpg_t self:process { setrlimit getcap setcap setpgid };
 
 	allow $1_gpg_t self:fifo_file rw_fifo_file_perms;
 	allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
@@ -137,6 +137,8 @@
 		nis_use_ypbind($1_gpg_t)
 	')
 
+	fs_list_inotifyfs($1_gpg_t)
+
 	########################################
 	#
 	# GPG helper local policy
diff -u refpolicy-0.0.20080702/policy/modules/system/userdomain.if refpolicy-0.0.20080702/policy/modules/system/userdomain.if
--- refpolicy-0.0.20080702/policy/modules/system/userdomain.if
+++ refpolicy-0.0.20080702/policy/modules/system/userdomain.if
@@ -45,7 +45,7 @@
 	type $1_tty_device_t; 
 	term_user_tty($1_t,$1_tty_device_t)
 
-	allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
+	allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
 	allow $1_t self:fd use;
 	allow $1_t self:fifo_file rw_fifo_file_perms;
 	allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -124,6 +124,10 @@
 		# does not really matter
 		apt_read_cache($1_t)
 	')
+
+	optional_policy(`
+		postfix_per_role_template($1, $1_t, $1_r)
+	')
 ')
 
 #######################################
@@ -1429,6 +1433,12 @@
 	optional_policy(`
 		userhelper_exec($1_t)
 	')
+	optional_policy(`
+		gen_require(`
+			type $1_mail_t;
+		')
+		postfix_domtrans_master($1_mail_t)
+	')
 ')
 
 ########################################
diff -u refpolicy-0.0.20080702/policy/modules/system/unconfined.te refpolicy-0.0.20080702/policy/modules/system/unconfined.te
--- refpolicy-0.0.20080702/policy/modules/system/unconfined.te
+++ refpolicy-0.0.20080702/policy/modules/system/unconfined.te
@@ -22,6 +22,15 @@
 init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
 role unconfined_r types unconfined_execmem_t;
 
+## <desc>
+## <p>
+## Enabling this allows some daemons to access unconfined_home_dir_t and
+## unconfined_home_t as if they were regular home directories.  This does
+## reduce the protection...
+## </p>
+## </desc>
+gen_bool(daemon_access_unconfined_home,true)
+
 ########################################
 #
 # Local policy
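Review bot: The `<desc>` for `daemon_access_unconfined_home` ends mid-sentence (`This does reduce the protection...`), so the generated boolean documentation will not tell administrators what they give up. Finish the sentence by naming the consequence: the daemons that use this boolean (httpd reading, courier_pop writing, per the other hunks in this patch) can reach the home content of unconfined users. Because it is declared with `gen_bool(daemon_access_unconfined_home,true)` the reduced protection is the default, which the description should say explicitly.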
@@ -52,6 +61,9 @@
 
 userdom_priveleged_home_dir_manager(unconfined_t)
 
+ifdef(`distro_debian',`
+	seutil_run_runinit(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
+')
 ifdef(`distro_gentoo',`
 	seutil_run_runinit(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
 	seutil_init_script_run_runinit(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
@@ -77,9 +89,7 @@
 ')
 
 optional_policy(`
-	cron_per_role_template(unconfined, unconfined_t, unconfined_r)
-	# this is disallowed usage:
-	unconfined_domain(unconfined_crond_t)
+	cron_existing_domain_per_role_template(unconfined, unconfined_t, unconfined_r)
 ')
 
 optional_policy(`
@@ -146,6 +156,16 @@
 
 optional_policy(`
 	mta_per_role_template(unconfined, unconfined_t, unconfined_r)
+
+	optional_policy(`
+		gen_require(`
+			attribute can_system_change;
+		')
+		postfix_domtrans_master(unconfined_mail_t)
+# this is not ideal.  It would probably be best if we could avoid the sysadm_r
+# transition.
+		typeattribute unconfined_mail_t can_system_change;
+	')
 ')
 
 optional_policy(`
@@ -164,6 +184,8 @@
 	postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 	# cjp: this should probably be removed:
 	postfix_domtrans_master(unconfined_t)
+
+	postfix_per_role_template(unconfined, unconfined_t, unconfined_r)
 ')
 
 
diff -u refpolicy-0.0.20080702/policy/modules/system/init.fc refpolicy-0.0.20080702/policy/modules/system/init.fc
--- refpolicy-0.0.20080702/policy/modules/system/init.fc
+++ refpolicy-0.0.20080702/policy/modules/system/init.fc
@@ -16,8 +16,8 @@
 /etc/x11/startDM\.sh	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 ')
 ifdef(`distro_debian',`
-/var/run/hotkey-setup	--	gen_context(system_u:object_r:initrc_exec_t,s0)
-/var/run/kdm/.*		--	gen_context(system_u:object_r:initrc_exec_t,s0)
+/var/run/hotkey-setup	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/kdm/.*		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 ')
 
 #
diff -u refpolicy-0.0.20080702/policy/modules/system/logging.if refpolicy-0.0.20080702/policy/modules/system/logging.if
--- refpolicy-0.0.20080702/policy/modules/system/logging.if
+++ refpolicy-0.0.20080702/policy/modules/system/logging.if
@@ -283,6 +283,26 @@
 
 ########################################
 ## <summary>
+##	Check if syslogd is executable.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_check_exec_syslog',`
+	gen_require(`
+		type syslogd_exec_t;
+	')
+
+	corecmd_list_bin($1)
+	corecmd_read_bin_symlinks($1)
+	allow $1 syslogd_exec_t:file execute;
+')
+
+########################################
+## <summary>
 ##	Execute syslogd in the syslog domain.
 ## </summary>
 ## <param name="domain">
diff -u refpolicy-0.0.20080702/policy/modules/system/udev.te refpolicy-0.0.20080702/policy/modules/system/udev.te
--- refpolicy-0.0.20080702/policy/modules/system/udev.te
+++ refpolicy-0.0.20080702/policy/modules/system/udev.te
@@ -108,7 +108,7 @@
 domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these 
 
 files_read_usr_files(udev_t)
-files_read_etc_runtime_files(udev_t)
+files_rw_etc_runtime_files(udev_t)
 files_read_etc_files(udev_t)
 files_exec_etc_files(udev_t)
 files_dontaudit_search_isid_type_dirs(udev_t)
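Review bot: Changing `files_read_etc_runtime_files(udev_t)` to `files_rw_etc_runtime_files(udev_t)` lets udev write every etc_runtime_t file, not only the one that motivated it, and the hunk carries no comment. This is presumably for the ifstate file that files.fc in this patch labels etc_runtime_t; a line such as `# writes /etc/network/run/ifstate when ifupdown runs from udev — confirm` above the call records the reason. If that is the only file udev writes, a dedicated type would be tighter, but that is a larger change than this update.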
@@ -170,6 +170,8 @@
 
 userdom_dontaudit_search_all_users_home_content(udev_t)
 
+fstools_getattr_swap_files(udev_t)
+
 ifdef(`distro_gentoo',`
 	# during boot, init scripts use /dev/.rcsysinit
 	# existance to determine if we are in early booting
diff -u refpolicy-0.0.20080702/policy/modules/system/libraries.fc refpolicy-0.0.20080702/policy/modules/system/libraries.fc
--- refpolicy-0.0.20080702/policy/modules/system/libraries.fc
+++ refpolicy-0.0.20080702/policy/modules/system/libraries.fc
@@ -296,6 +296,8 @@
 #
 # /var
 #
+/var/cache/ldconfig(/.*)?			gen_context(system_u:object_r:ldconfig_cache_t,s0)
+
 /var/ftp/lib(64)?(/.*)?				gen_context(system_u:object_r:lib_t,s0)
 /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:ld_so_t,s0)
 
@@ -304,10 +306,6 @@
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+\.so(\.[^/]*)*	-l	gen_context(system_u:object_r:lib_t,s0)
 ')
-ifdef(`distro_debian', `
-/var/cache/ldconfig/aux-cache		--	gen_context(system_u:object_r:ld_so_cache_t,s0)
-/var/cache/ldconfig			-d	gen_context(system_u:object_r:etc_t,s0)
-')
 
 /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
 /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
diff -u refpolicy-0.0.20080702/policy/modules/system/libraries.te refpolicy-0.0.20080702/policy/modules/system/libraries.te
--- refpolicy-0.0.20080702/policy/modules/system/libraries.te
+++ refpolicy-0.0.20080702/policy/modules/system/libraries.te
@@ -23,6 +23,9 @@
 init_system_domain(ldconfig_t,ldconfig_exec_t)
 role system_r types ldconfig_t;
 
+type ldconfig_cache_t;
+files_type(ldconfig_cache_t)
+
 type ldconfig_tmp_t;
 files_tmp_file(ldconfig_tmp_t)
 
@@ -51,6 +54,8 @@
 
 allow ldconfig_t self:capability sys_chroot;
 
+manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
+
 allow ldconfig_t ld_so_cache_t:file manage_file_perms;
 files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
 
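Review bot: `manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)` covers files under /var/cache/ldconfig, but this hunk grants no search on /var and /var/cache and no filetrans, so if ldconfig_t does not already search var_t elsewhere the cache will be unreachable; `files_search_var(ldconfig_t)` fixes that. The old libraries.fc entry labelled aux-cache as ld_so_cache_t, so a comment above the new type in the earlier hunk explaining why the cache gets its own type rather than reusing ld_so_cache_t would help future readers.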
diff -u refpolicy-0.0.20080702/policy/modules/system/unconfined.fc refpolicy-0.0.20080702/policy/modules/system/unconfined.fc
--- refpolicy-0.0.20080702/policy/modules/system/unconfined.fc
+++ refpolicy-0.0.20080702/policy/modules/system/unconfined.fc
@@ -4,6 +4,7 @@
 # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
 /usr/bin/valgrind 		--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/bin/qemu.*			--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/kvm.*			--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/bin/vncserver		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
 
 /usr/lib/ia32el/ia32x_loader 	--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
diff -u refpolicy-0.0.20080702/policy/modules/system/selinuxutil.te refpolicy-0.0.20080702/policy/modules/system/selinuxutil.te
--- refpolicy-0.0.20080702/policy/modules/system/selinuxutil.te
+++ refpolicy-0.0.20080702/policy/modules/system/selinuxutil.te
@@ -439,6 +439,7 @@
 allow semanage_t self:unix_stream_socket create_stream_socket_perms;
 allow semanage_t self:unix_dgram_socket create_socket_perms;
 allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+fs_getattr_xattr_fs(semanage_t)
 
 allow semanage_t policy_config_t:file { read write };
 
diff -u refpolicy-0.0.20080702/policy/modules/system/init.te refpolicy-0.0.20080702/policy/modules/system/init.te
--- refpolicy-0.0.20080702/policy/modules/system/init.te
+++ refpolicy-0.0.20080702/policy/modules/system/init.te
@@ -227,6 +227,7 @@
 
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t,initrc_var_run_t,file)
+storage_var_run_filetrans_fixed_disk(initrc_t)
 
 can_exec(initrc_t,initrc_tmp_t)
 allow initrc_t initrc_tmp_t:file manage_file_perms;
@@ -276,8 +277,13 @@
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-# Wants to remove udev.tbl:
-dev_delete_generic_symlinks(initrc_t)
+
+optional_policy(`
+	# Wants to remove udev.tbl:
+	dev_delete_generic_symlinks(initrc_t)
+	udev_unlink_table(initrc_t)
+	dev_delete_generic_dirs(initrc_t)
+')
 
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
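Review bot: The new `dev_delete_generic_dirs(initrc_t)` lets init scripts remove any device_t directory, and it arrives with only the pre-existing `# Wants to remove udev.tbl:` comment, which describes the symlink rule; a comment naming the directory the scripts remove would keep the grant reviewable. Moving `dev_delete_generic_symlinks` into the optional_policy block also ties it to the udev module's presence, although the dev interfaces come from the base devices module; only `udev_unlink_table(initrc_t)` needs the optional wrapper, so leaving the two dev_ calls outside it preserves behaviour when udev is absent.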
diff -u refpolicy-0.0.20080702/debian/changelog refpolicy-0.0.20080702/debian/changelog
--- refpolicy-0.0.20080702/debian/changelog
+++ refpolicy-0.0.20080702/debian/changelog
@@ -1,3 +1,276 @@
+refpolicy (2:0.0.20080702-21) unstable; urgency=low
+
+  * Backported the clamd_use_jit boolean to allow execmem access to clamd.
+  * Allow setrans_t to read proc_t files.
+  * Allow mount_t setsched access to kernel_t - requested by kernel 2.6.32+
+  * Give freshclam_t and clamd_t the same access WRT execmem.
+  * Label /dev/vd* as fixed_disk_device_t, closes: #589997
+
+ -- Russell Coker <russell@coker.com.au>  Mon, 26 Jul 2010 11:14:00 +1000
+
+refpolicy (2:0.0.20080702-20) unstable; urgency=low
+
+  * Allow postfix_local_t to run sendmail for programs like vacation
+  * Allow nrpe_t to execute sudo and search /var/spool and process setsched.
+  * dontaudit self { ptrace setrlimit } access and capability sys_resource
+    for nrpe_t.
+  * Added new milter module from new upstream policy.  I don't recommend using
+    it but the interface is very useful for milter policy development.
+  * Fixed a syntax error in logging.if to allow sepolgen-ifgen to work.
+
+ -- Russell Coker <russell@coker.com.au>  Sat, 10 Jul 2010 07:58:00 +1000
+
+refpolicy (2:0.0.20080702-19) unstable; urgency=low
+
+  * Allow iptables_t to request module loading.
+
+ -- Russell Coker <russell@coker.com.au>  Thu, 29 Apr 2010 10:56:14 +1000
+
+refpolicy (2:0.0.20080702-18) unstable; urgency=low
+
+  * Allow pppd_t to trigger module loading.
+  * Added open to class sock_file and nlmsg_tty_audit to class
+    netlink_audit_socket to stop warning messages.
+
+ -- Russell Coker <rjc@athena.coker.com.au>  Wed, 21 Apr 2010 22:00:54 +1000
+
+refpolicy (2:0.0.20080702-17) unstable; urgency=low
+
+  * Release the changes.
+
+ -- Russell Coker <russell@coker.com.au>  Tue, 16 Mar 2010 10:36:51 +1100
+
+refpolicy (2:0.0.20080702-16.4) unstable; urgency=low
+
+  * Label kvm as unconfined_execmem_exec_t
+  * Treat devtmpfs the same way as tmpfs
+  * Changed upstream to http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease
+  * Allow openvpn_t, insmod_t and mount_t to do module_request.
+  * Allow openvpn_t to create socket and tun_socket objects.
+
+ -- Russell Coker <russell@coker.com.au>  Tue, 23 Feb 2010 21:05:30 +1100
+
+refpolicy (2:0.0.20080702-16.3) unstable; urgency=low
+
+  * Added perdition support.
+  * Allow perdition_t to access perdition_etc_t:dir and random_device_t.
+  * Allow perdition_t to connect to pop_port_t
+  * Allow saslauthd_t to access mysqld_port_t.
+  * Allow nrpe_t to run sendmail_exec_t
+  * Allow postfix_cleanup_t to access TCP milter sockets from postfix_smtpd_t
+    and mysql unix domain sockets
+
+ -- Russell Coker <russell@coker.com.au>  Tue, 16 Feb 2010 19:24:58 +1100
+
+refpolicy (2:0.0.20080702-16.2) unstable; urgency=low
+
+  * Allow watchdog_t to send sigstop and to do raw IP networking (for pinging)
+  * Label wd_keepalive as watchdog_exec_t
+  * label /etc/openvpn/ipp.txt as openvpn_var_run_t
+
+ -- Russell Coker <russell@coker.com.au>  Tue, 27 Oct 2009 22:38:10 +1100
+
+refpolicy (2:0.0.20080702-16.1) unstable; urgency=low
+
+  * Made the sasl module depend on libsasl2-2 and allow it to connect to
+    mysql and postgresql.
+  * Made the clamav module depend on clamav-milter or clamav-daemon.
+  * Allow dkim_t to signal itself.
+
+ -- Russell Coker <russell@coker.com.au>  Tue, 16 Jun 2009 15:04:10 +1000
+
+refpolicy (2:0.0.20080702-16) unstable; urgency=low
+
+  * Allow system_dbusd_t to read /proc/X/cmdline so it knows the client name
+  * Label /usr/lib/gnome-vfs-2.0/gnome-vfs-daemon as bin_t
+  * Allow $1_gpg_t to read inotifyfs_t directories
+  * Allow user_t signull access to xdm_t for gdmflexiserver
+  * Fix the path for deliver in lda.fc
+  * Load lda.pp when dovecot-common is installed and dovecot.pp when other
+    dovecot packages are installed.  Allow lda_t to use dovecot auth socket
+  * Allow dovecot_auth_t to create sockets labeled as dovecot_var_run_t,
+    also allow chown capability to apply correct ownership
+  * Label /usr/sbin/nrpe and allow it to search nagios_etc_t:dir, read etc_t
+    files, do setgid() and setuid(), create a pidfile, bind to port 5666, stat
+    filesystems, get a list of processes, and check mysql and postgresql
+    databases.
+  * Make mail_spool_t a filesystem_type.
+  * Allow snmpd_t capabilities setuid and chown
+  * Allow xdm_xserver_t to send dbus messages to unconfined_t
+  * Allow postfix_cleanup_t shutdown access to a postfix_smtpd_t
+    unix_stream_socket
+  * Allow clamd_t access to inherit it's own fds.
+  * Enable the watchdog policy in the build.
+  * Grant capability ipc_lock to dpkg_t
+
+ -- Russell Coker <russell@coker.com.au>  Wed, 13 May 2009 09:13:38 +1000
+
+refpolicy (2:0.0.20080702-15) unstable; urgency=low
+
+  * Gave every domain that has process:setcap access also have process:getcap.
+  * Set the type of /etc/network/run/ifstate to etc_runtime_t and allow
+    udev_t to write to it.
+  * allow apt_t to manage directories of type apt_var_log_t
+  * allow initrc_t postfix_etc_t:file ioctl;
+  * allow postfix_showq_t to be used from user roles.
+  * allow postfix_virtual_t to connect to postfix_private_t sockets
+  * allow postfix_pipe_t to execute bin_t
+  * allow initrc_t udev_tbl_t:file unlink and device_t:dir rmdir
+  * allow the Courier POP server fill rw_file_perms access to courier_var_lib_t.
+  * allow jabberd_t to connect to jabber_interserver_port_t.
+  * allow fcrond to do all the funky things it desires.
+  * allow cupsd_t to read/write generic USB devices.
+  * allow webalizer to read /usr files (for GeoIP).
+  * Enable dovecot_t for daemon_access_unconfined_home
+  * dontaudit logrotate stating terminal devices.
+  * allow dpkg_t to set rlimit
+  * Label /var/lib/squirrelmail/data(/.*)? as httpd_squirrelmail_t.
+  * allow apmd_t to talk to hald_t via dbus.
+  * allow dovecot to connect to Mysql and PostgreSQL
+  * label most /usr/lib/dovecot/* files as bin_t
+  * Added new "lda" module for email local delivery agents such as maildrop
+    and procmail and don't build procmail.pp any more.
+  * Label /var/run/xauth/* as xdm_var_run_t.
+  * Label /var/run/openvpn.client* as openvpn_var_run_t.
+  * Make /var/log/?dm.log.* files get the type xserver_log_t
+  * Make /var/log/aptitude* files get the type apt_var_log_t
+  * Make /var/run/gdm_socket get the type xdm_var_run_t
+  * Labelled the entrypoint scripts under /etc/gdm as xsession_exec_t
+  * Fixed Debian labelling for atspool
+  * allow openvpn_t to access var_lib_t and usr_t files for vulnkey.
+  * allow user domains to access the xdm socket of type xdm_var_run_t for
+    switch user.
+  * allow unconfined_t to transition to system_dbusd_t.
+    Closes: #498965
+
+ -- Russell Coker <russell@coker.com.au>  Wed, 04 Mar 2009 23:10:14 +1100
+
+refpolicy (2:0.0.20080702-14) unstable; urgency=high
+
+  * Allow noatsecure for Xen domains so that LD_PRELOAD will work across
+    a domain transition.  Also dontaudit searching of the sysadm home dir
+    and allow xend_t to manage xenstored_var_run_t.
+    Allow losetup (fsadm_t) and udev access to Xen image files
+  * Add support for Exim.
+  * Add support for Jabber, including adding the epmd_t domain for the Erlang
+    Port Mapper Daemon (used by ejabberd).  Label port 5280 as being for Jabber
+    (the ejabberd web administration service) and port 7777 (SOCKS5
+    Bytestreams (XEP-0065) for proxy file transfer).
+  * Allow cron to search httpd_sys_content_t
+  * Dontaudit logrotate search access to unconfined_home_dir_t.
+  * Fixed labelling of /var/lock/mailman
+  * Allow courier_pop_t to read /dev/urandom and to do ioctl on it's fifos.
+    Also allow it to talk to portmap so the IMAP server can do FAM.
+
+ -- Russell Coker <russell@coker.com.au>  Mon, 27 Oct 2008 23:01:33 +1100
+
+refpolicy (2:0.0.20080702-13) unstable; urgency=high
+
+  * Allow spamd_t to create a Unix domain socket.
+  * Allow clamd_t to read files under /usr (for Perl).
+    Allow it to connect to amavisd_send_port_t.
+    Allow it to talk to itself by unix stream sockets and bind to UDP nodes.
+    Closes: #502274
+  * Allow logrotate_t to transition to webalizer_t for web log processing.
+  * Allow initrc_t to create fixed_disk_device_t nodes under var_run_t,
+    for the case where /etc/fstab has an error regarding the root fs.
+  * Use the Lenny paths for xm, xend, xenstored, and xenconsoled.
+    Add some extra permissions that Xen needs.
+
+ -- Russell Coker <russell@coker.com.au>  Tue, 21 Oct 2008 00:36:00 +1100
+
+refpolicy (2:0.0.20080702-12) unstable; urgency=low
+
+  * Allow procmail to deliver mail to the unconfined home directories if
+    daemon_access_unconfined_home is set.
+  * Add the audioentropy module for use with the randomsound package.
+  * Allow spamd_t the kill capability.
+  * Make the default range for MCS __default__ users be s0-s0:c0.c1023,
+    this fixes a problem with restarting daemons after logging in as non-root
+    and running "su -".
+
+ -- Russell Coker <russell@coker.com.au>  Tue, 07 Oct 2008 13:17:01 +1100
+
+refpolicy (2:0.0.20080702-11) unstable; urgency=high
+
+  * Create new interface crond_search_dir() and use it to allow crond_t to
+    search clamd_var_lib_t for amavis cron jobs.
+  * Allow postfix_cleanup_t to talk to dkim for signing local messages.
+  * Allow freshclam_t to read the routing table and talk to http_cache_port_t.
+  * Allow clamd_t to search bin_t and read bin_t links.
+  * Allow clamd_t to search postfix_spool_t for creation of Unix domain socket
+    in the sub-directory, this is ugly and a little bit wrong but makes it
+    easier to configure Postfix.
+  * Allow semanage_t (for setsebool and semodule) to call statfs().
+  * Add Asterisk policy module, and grant setcap access.
+  * Copy the Fedora 10 cron changes to reduce the policy size.
+    Allow user_t to send sigchld to user_crontab_t and to write to
+    user_crontab_tmp_t files.  Necessary for full functionality!
+
+ -- Russell Coker <russell@coker.com.au>  Sat, 27 Sep 2008 18:52:00 +1000
+
+refpolicy (2:0.0.20080702-10) unstable; urgency=low
+
+  * Allow mailserver local delivery agent to manage_file_perm access to
+    mail_spool_t
+    Closes: #499218
+  * Build a module for xen, and make lvm support optional in it.
+  * Make the postinst link the xen, lvm, and pcmcia modules if appropriate.
+  * Added the clamav module to the policy.
+  * Wrote a new DKIM module.
+  * Allowed crontab to create directories under /tmp.
+  * Made unconfined_crond_t an alias for unconfined_t and made unconfined cron
+    jobs work.
+  * Built the NAGIOS module and include the suggested change from #493979.
+    NB I won't have time to do any testing of this so someone else will need
+    to deploy it on a fully functional NAGIOS system.
+    Closes: #493979
+
+ -- Russell Coker <russell@coker.com.au>  Fri, 19 Sep 2008 22:25:00 +1000
+
+refpolicy (2:0.0.20080702-9) unstable; urgency=low
+
+  * Allow the Postfix newaliases to create new /etc/aliases.db file so that
+    the postinst for Postfix can work.
+  * The last update broke unconfined_mail_t for systems not running postfix,
+    fixing that (thanks Martin Orr).
+    Closes: #499064
+  * Fix a check for syslogd being executable by logrotate (thanks Václav Ovsk).
+    Closes: #496809
+
+ -- Russell Coker <russell@coker.com.au>  Tue, 16 Sep 2008 20:42:00 +1000
+
+refpolicy (2:0.0.20080702-8) unstable; urgency=low
+
+  * Made the postinst faster on machines with small amounts of memory.  5%
+    improvement on AMD64 with 64M of RAM.  Not sure how much benefit it might
+    give for a NSLUG.
+  * Allowed dictd to create pid file.
+  * Allowed mcstransd to getcap.
+  * Revert part of the change from 2:0.0.20080702-7, we don't want /etc/init.d
+    scripts running as run_init_t.
+    Closes: #498965
+  * Makes Postfix work correctly.
+    Closes: #473043
+  * Allow $1_mail_t to read proc_t:file (for Postfix).
+
+ -- Russell Coker <russell@coker.com.au>  Fri, 12 Sep 2008 10:51:01 +1000
+
+refpolicy (2:0.0.20080702-7) unstable; urgency=low
+
+  * Polish updates, added labelling for /lib/udev/create_static_nodes,
+    /var/log/prelink.log, and corrected labelling for /var/run/kdm
+  * Made Postfix work with unconfined_t.
+  * Made spamass-milter run in the spamd_t domain, and allow postfix_smtpd_t
+    to talk to it.
+  * Labelled /var/cache/sqwebmail and allowed courier_sqwebmail_t to access it.
+    Also allowed courier_sqwebmail_t to access /dev/urandom.
+  * Allowed courier-pop and apache to access unconfined home directories.
+  * Changed the policy for /var/cache/ldconfig to match upstream.
+  * Allowed unconfined_t to run run_init.
+
+ -- Russell Coker <russell@coker.com.au>  Wed, 10 Sep 2008 11:10:00 +1000
+
 refpolicy (2:0.0.20080702-6) unstable; urgency=low
 
   * Made it build-depend on policycoreutils 2.0.49 and checkpolicy 2.0.16.
diff -u refpolicy-0.0.20080702/debian/modules.conf.default refpolicy-0.0.20080702/debian/modules.conf.default
--- refpolicy-0.0.20080702/debian/modules.conf.default
+++ refpolicy-0.0.20080702/debian/modules.conf.default
@@ -298,6 +298,69 @@
 storage = base
 
 # Layer: services
+# Module: watchdog
+#
+# Policy for the watchdog daemon
+# 
+watchdog = module
+
+# Layer: services
+# Module: epmd
+#
+# Policy for Erlang Port Mapping Daemon
+# 
+epmd = module
+
+# Layer: services
+# Module: jabber
+#
+# Policy for jabber messaging server
+# 
+jabber = module
+
+# Layer: services
+# Module: audioentropy
+#
+# Policy for daemons that use a microphone input as a source of entropy
+# 
+audioentropy = module
+
+# Layer: services
+# Module: nagios
+#
+# Policy for NAGIOS network monitor
+# 
+nagios = module
+
+# Layer: services
+# Module: dkim
+#
+# Policy for DKIM mail signing milter
+# 
+dkim = module
+
+# Layer: services
+# Module: milter
+#
+# Milter mail filters
+# 
+milter = module
+
+# Layer: services
+# Module: clamav
+#
+# Policy for Clam Anti Virus
+# 
+clamav = module
+
+# Layer: services
+# Module: asterisk
+#
+# Policy for Asterisk VOIP server
+# 
+asterisk = module
+
+# Layer: services
 # Module: nis
 #
 # Policy for NIS (YP) servers and clients
@@ -482,6 +545,13 @@
 arpwatch = module
 
 # Layer: services
+# Module: perdition
+#
+# Perdition POP and IMAP proxy
+#
+perdition = module
+
+# Layer: services
 # Module: dovecot
 #
 # Dovecot POP and IMAP mail server
@@ -552,11 +622,11 @@
 ktalk = module
 
 # Layer: services
-# Module: procmail
+# Module: lda
 #
-# Procmail mail delivery agent
+# mail delivery agent
 # 
-procmail = module
+lda = module
 
 # Layer: services
 # Module: lpd
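Review bot: The replacement description `# mail delivery agent` says less than the `# Procmail mail delivery agent` line it replaces, while postinst.policy on this page maps this module to procmail, courier-maildrop and dovecot-common; `# Local delivery agents (procmail, maildrop, dovecot deliver)` would tell a reader which programs it covers. The identical text is in modules.conf.mls (the hunk ending at L1510). The new `# ` separator lines in this file also mix a trailing space with none (for example the perdition block), which is worth normalising while the entries are new.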
@@ -622,6 +692,13 @@
 mta = base
 
 # Layer: services
+# Module: exim
+#
+# Exim email server
+# 
+exim = module
+
+# Layer: services
 # Module: postfix
 #
 # Postfix email server
@@ -883,6 +960,13 @@
 udev = base
 
 # Layer: system
+# Module: xen
+#
+# Xen virtualisation management
+# 
+xen = module
+
+# Layer: system
 # Module: pcmcia
 #
 # PCMCIA card management services
diff -u refpolicy-0.0.20080702/debian/control refpolicy-0.0.20080702/debian/control
--- refpolicy-0.0.20080702/debian/control
+++ refpolicy-0.0.20080702/debian/control
@@ -3,7 +3,7 @@
 VCS-Browser: http://arch.debian.org/cgi-bin/archzoom.cgi/srivasta@debian.org--lenny/refpolicy?expand
 Priority: standard
 Section: admin
-Homepage: http://serefpolicy.sourceforge.net/
+Homepage: http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease
 Maintainer: Russell Coker <russell@coker.com.au>
 Uploaders: Erich Schubert <erich@debian.org>, Manoj Srivastava <srivasta@debian.org>
 Standards-Version: 3.7.3.0
diff -u refpolicy-0.0.20080702/debian/postinst.policy refpolicy-0.0.20080702/debian/postinst.policy
--- refpolicy-0.0.20080702/debian/postinst.policy
+++ refpolicy-0.0.20080702/debian/postinst.policy
@@ -66,37 +66,49 @@
            'amavis'        => [ 'amavisd-new' ],
            'apache'        => [ 'apache*' ],
            'apm'           => [ 'acpid' ],
+           'asterisk'      => [ 'asterisk' ],
+           'audioentropy'  => [ 'randomsound' ],
            'automount'     => [ 'autofs*' ],
            'avahi'         => [ 'avahi-*' ],
            'bind'          => [ 'bind9' ],
 #           'bootloader'    => [ 'grub', 'lilo' ],
            'cdrecord'      => [ 'wodim' ],
+           'clamav'        => [ 'clamav', 'clamav-daemon', 'clamav-milter' ],
            'courier'       => [ 'courier*' ],
            'cups'          => [ 'cupsys*' ],
            'cyrus'         => [ 'cyrus*' ],
+           'dovecot'       => [ 'dovecot-imapd', 'dovecot-pop3d' ],
            'dhcp'          => [ 'dhcp*', 'dhclient*', 'pump' ],
+           'dkim'          => [ 'dkim-filter' ],
+           'epmd'          => [ 'erlang-base' ],
            'exim'          => [ 'exim4' ],
            'finger'        => [ 'finger', '*fingerd' ],
            'ftp'           => [ 'ftp', '*ftpd' ],
            'gpg'           => [ 'gnupg' ],
            'hwclock'       => [ 'util-linux' ],
            'inetd'         => [ '*-inetd', 'openbsd-inetd', 'netkit-inetd', 'rinetd', 'rlinetd', 'xinetd' ],
+           'jabber'        => [ 'jabber', 'ejabberd' ],
            'java'          => [ 'sun-java5*', 'cacao', 'gcj*', 'gij*', 'kaffe*',
                                 'java*', 'jvm*', 'jre*', 'jsdk*' ],
+           'lda'           => [ 'procmail', 'courier-maildrop', 'dovecot-common' ],
            'ldap'          => [ 'slapd' ],
            'lpd'           => [ 'lprng', 'rlpr' ],
            'loadkeys'      => [ 'console-tools' ],
+           'lvm'           => [ 'lvm2' ],
            'mono'          => [ 'mono*' ],
            'munin'         => [ 'munin-node' ],
            'mysql'         => [ 'mysql-server', 'mysql-server*' ],
            'mozilla'       => [ 'mozilla-browser', 'firefox', 'galeon',
                                 'mozilla-*', 'firefox*', 'epiphany-browser' ],
+           'nagios'        => [ 'nagios*' ],
            'netutils'      => [ 'arping', 'nmap', '*-ping', 'traceroute*' ],
+           'pcmcia'        => [ 'pcmciautils' ],
+           'perdition'     => [ 'perdition' ],
            'pythonsupport' => [ 'python-support' ],
            'radius'        => [ 'freeradius*', 'radiusd*' ],
            'raid'          => [ 'mdadm' ],
            'rpc'           => [ 'nfs-common', 'nfs-kernel-server' ],
-           'sasl'          => [ 'libsasl2' ],
+           'sasl'          => [ 'libsasl2-2' ],
            'ssh'           => [ 'openssh*' ],
 #           'su'            => [ 'login' ],
            'sysstat'       => [ 'atsar' ],
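Review bot: The new `'dovecot'` entry is inserted between `'cyrus'` and `'dhcp'`, breaking the alphabetical order the rest of the table keeps (the `'dkim'` and `'epmd'` entries that follow are placed correctly); it belongs after `'dkim'`. Mapping `dovecot-common` to `lda` rather than to `dovecot` is deliberate per the changelog on this page, and nothing in the table says so, so a later maintainer could plausibly "fix" it with a `dovecot*` glob; a line such as `# dovecot-common is mapped to lda (see that entry), not to dovecot` above the `'dovecot'` entry prevents that. The hash this hunk edits begins before the hunk.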
@@ -105,6 +117,7 @@
            'uptime'        => [ 'uptimed' ],
            'usbmodules'    => [ 'usbutils' ],
 #           'usermanage'    => [ 'passwd' ],
+           'xen'           => [ 'xen-utils-common' ],
            'xserver'       => [ 'gdm', 'kdm', 'xdm', 'xserver*', 'xbase-clients' ]
           );
 
@@ -265,29 +278,21 @@
     &get_ordering();
     &installed_modules();
     chdir "$src_dir" or die "Can't access $src_dir";
-    if (system("semodule -b base.pp -s $policy_name -n ") == 0) {
-      print STDERR "Loaded base policy\n";
-      my $semod = "semodule";
-      if("$type" eq "default") {
-        $semod .= " -i unconfined.pp";
-      }
-      my $mod_list;
-      for my $mod (@Load_Order) {
-        $semod .= " -i ${mod}.pp";
-        $mod_list .= " $mod";
-      }
-      $semod .= " -s $policy_name -n";
-      if (system($semod) == 0) {
-        print STDERR "Loaded modules $mod_list\n";
-        change_policy_type();
-      }
-      else {
-        print STDERR "Error running \"$semod\", please fix manually and report a bug.\n";
-      }
+    my $semod = "semodule -b base.pp -s $policy_name -n ";
+    if("$type" eq "default") {
+      $semod .= " -i unconfined.pp";
+    }
+    my $mod_list;
+    for my $mod (@Load_Order) {
+      $semod .= " -i ${mod}.pp";
+      $mod_list .= " $mod";
+    }
+    if (system($semod) == 0) {
+      print STDERR "Loaded modules $mod_list\n";
+      change_policy_type();
     }
     else {
-      print STDERR "Could not load $src_dir/base.pp for $policy_name.\n";
-      print STDERR "Failed to load base policy, please load policy manually.\n";
+      print STDERR "Error running \"$semod\", please load policy manually and report a bug.\n";
     }
   }
   else {
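Review bot: The merged `semodule` command is still built as one shell string and run through single-argument `system`, so `$policy_name` and each module name go through shell parsing and the concatenation leaves double spaces in the command; building an argument list and calling `system(@semod)` avoids the shell entirely and keeps the same exit-status check. Folding the base load into the same command also removes the earlier distinction between "base.pp failed" and "a module failed", so the single error message is now the only diagnostic — if that matters for bug reports, print the status from `$?` alongside it. The enclosing function starts and ends outside the hunk.
```perl
    my @semod = ('semodule', '-b', 'base.pp', '-s', $policy_name, '-n');
    push @semod, '-i', 'unconfined.pp' if "$type" eq "default";
    my $mod_list;
    for my $mod (@Load_Order) {
      push @semod, '-i', "${mod}.pp";
      $mod_list .= " $mod";
    }
    if (system(@semod) == 0) {
      print STDERR "Loaded modules $mod_list\n";
      change_policy_type();
    }
    else {
      print STDERR "Error running \"@semod\", please load policy manually and report a bug.\n";
    }
```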
diff -u refpolicy-0.0.20080702/debian/modules.conf.mls refpolicy-0.0.20080702/debian/modules.conf.mls
--- refpolicy-0.0.20080702/debian/modules.conf.mls
+++ refpolicy-0.0.20080702/debian/modules.conf.mls
@@ -298,6 +298,69 @@
 storage = base
 
 # Layer: services
+# Module: watchdog
+#
+# Policy for the watchdog daemon
+# 
+watchdog = module
+
+# Layer: services
+# Module: epmd
+#
+# Policy for Erlang Port Mapping Daemon
+# 
+epmd = module
+
+# Layer: services
+# Module: jabber
+#
+# Policy for jabber messaging server
+# 
+jabber = module
+
+# Layer: services
+# Module: audioentropy
+#
+# Policy for daemons that use a microphone input as a source of entropy
+# 
+audioentropy = module
+
+# Layer: services
+# Module: nagios
+#
+# Policy for NAGIOS network monitor
+#
+nagios = module
+
+# Layer: services
+# Module: dkim
+#
+# Policy for DKIM mail signing milter
+# 
+dkim = module
+
+# Layer: services
+# Module: milter
+#
+# Milter mail filters
+# 
+milter = module
+
+# Layer: services
+# Module: clamav
+#
+# Policy for Clam Anti Virus
+#
+clamav = module
+
+# Layer: services
+# Module: asterisk
+#
+# Policy for Asterisk VOIP server
+# 
+asterisk = module
+
+# Layer: services
 # Module: nis
 #
 # Policy for NIS (YP) servers and clients
@@ -489,6 +552,13 @@
 dovecot = module
 
 # Layer: services
+# Module: perdition
+#
+# Perdition POP and IMAP proxy
+#
+perdition = module
+
+# Layer: services
 # Module: cups
 #
 # Common UNIX printing system
@@ -552,11 +622,11 @@
 ktalk = module
 
 # Layer: services
-# Module: procmail
+# Module: lda
 #
-# Procmail mail delivery agent
+# mail delivery agent
 # 
-procmail = module
+lda = module
 
 # Layer: services
 # Module: lpd
@@ -622,6 +692,13 @@
 mta = base
 
 # Layer: services
+# Module: exim
+#
+# Exim email server
+#
+exim = module
+
+# Layer: services
 # Module: postfix
 #
 # Postfix email server
@@ -883,6 +960,13 @@
 udev = base
 
 # Layer: system
+# Module: xen
+#
+# Xen virtualisation management
+#
+xen = module
+
+# Layer: system
 # Module: pcmcia
 #
 # PCMCIA card management services
diff -u refpolicy-0.0.20080702/config/appconfig-mcs/seusers refpolicy-0.0.20080702/config/appconfig-mcs/seusers
--- refpolicy-0.0.20080702/config/appconfig-mcs/seusers
+++ refpolicy-0.0.20080702/config/appconfig-mcs/seusers
@@ -3 +3 @@
-__default__:unconfined_u:s0
+__default__:unconfined_u:s0-mcs_systemhigh
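Review bot: The new `__default__` range `s0-mcs_systemhigh` clears every Linux user without an explicit seusers entry for the whole category range, so MCS category separation no longer constrains such users' processes by default; the changelog on this page gives the reason (restarting daemons after `su -`), but a reader of this file sees only the widening. Explicit per-user lines take precedence over `__default__`, so accounts that should stay narrower can be listed individually — that is worth stating wherever the package documents this default.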
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/admin/sudo.if
+++ refpolicy-0.0.20080702/policy/modules/admin/sudo.if
@@ -135,3 +135,29 @@
 
 	') dnl end TODO
 ')
+
+#######################################
+## <summary>
+##	Execute sudo_exec_t without a domain transition
+## </summary>
+## <desc>
+##	<p>
+##	This interface allows a domain to execute sudo_exec_t without a
+##	domain transition.  It is for daemons that already have setuid
+##	access but are running as uid != 0.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	The domain that can execute sudo.
+##	</summary>
+## </param>
+#
+template(`can_exec_sudo',`
+
+	gen_require(`
+		type sudo_exec_t;
+	')
+
+	can_exec($1, sudo_exec_t)
+')
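Review bot: `can_exec_sudo` is declared with `template(` although it creates no derived types and only uses `$1`, so it should be an `interface(` like the other single-domain additions on this page (`kernel_request_load_module`, `storage_var_run_filetrans_fixed_disk`, `lda_exec`), and the module-prefix naming those follow suggests `sudo_exec`. The sibling exec interfaces in acct.if and lda.if also call `corecmd_search_bin($1)` before `can_exec`, which this one omits. The `<desc>` is right to stress that no transition happens: the calling domain itself runs the setuid-root program, so the caller's own rules — not a sudo domain — bound what that process can do; saying that explicitly keeps the interface from being handed to domains not already trusted with setuid.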
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/admin/acct.if
+++ refpolicy-0.0.20080702/policy/modules/admin/acct.if
@@ -16,7 +16,7 @@
 	')
 
 	corecmd_search_bin($1)
-	domtrans_pattern($1,acct_exec_t,acct_t)
+	domtrans_pattern($1, acct_exec_t,acct_t)
 ')
 
 ########################################
@@ -35,7 +35,7 @@
 	')
 
 	corecmd_search_bin($1)
-	can_exec($1,acct_exec_t)
+	can_exec($1, acct_exec_t)
 ')
 
 ########################################
@@ -56,7 +56,7 @@
 	')
 
 	files_search_var($1)
-	can_exec($1,acct_data_t)
+	can_exec($1, acct_data_t)
 ')
 
 ########################################
@@ -75,6 +75,6 @@
 	')
 
 	files_search_var($1)
-	manage_files_pattern($1,acct_data_t,acct_data_t)
-	manage_lnk_files_pattern($1,acct_data_t,acct_data_t)
+	manage_files_pattern($1, acct_data_t, acct_data_t)
+	manage_lnk_files_pattern($1, acct_data_t, acct_data_t)
 ')
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/kernel/kernel.if
+++ refpolicy-0.0.20080702/policy/modules/kernel/kernel.if
@@ -486,6 +486,25 @@
 
 ########################################
 ## <summary>
+##      Allows caller to request the kernel to load a module
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_request_load_module',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:system module_request;
+')
+
+########################################
+## <summary>
 ##	Get information on all System V IPC objects.
 ## </summary>
 ## <param name="domain">
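Review bot: The `##` description lines inside `kernel_request_load_module` are indented with spaces whereas the neighbouring entries (e.g. `##	Get information on all System V IPC objects.`) use a tab, so the new block stands out in the generated documentation and in diffs. The summary could also say what `system module_request` actually grants — the domain can cause the kernel to autoload modules on its behalf — since that is the part a policy author weighing this interface needs; `##	Allow the caller to trigger kernel module autoloading (system:module_request)`. The `<rolecap/>` tag marks this as a role capability; nothing on the page shows a role using it, so confirm that is intended.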
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/kernel/corenetwork.te.in
+++ refpolicy-0.0.20080702/policy/modules/kernel/corenetwork.te.in
@@ -90,6 +90,7 @@
 network_port(dict, tcp,2628,s0)
 network_port(distccd, tcp,3632,s0)
 network_port(dns, udp,53,s0, tcp,53,s0)
+network_port(epmd, tcp,4369,s0)
 network_port(fingerd, tcp,79,s0)
 network_port(ftp_data, tcp,20,s0)
 network_port(ftp, tcp,21,s0)
@@ -102,14 +103,14 @@
 network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
 network_port(i18n_input, tcp,9010,s0)
 network_port(imaze, tcp,5323,s0, udp,5323,s0)
-network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
+network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0)
 network_port(innd, tcp,119,s0)
 network_port(ipp, tcp,631,s0, udp,631,s0)
 network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
 network_port(ircd, tcp,6667,s0)
 network_port(isakmp, udp,500,s0)
 network_port(iscsi, tcp,3260,s0)
-network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
+network_port(jabber_client, tcp,5222,s0, tcp,5223,s0, tcp,5280,s0, tcp,7777,s0)
 network_port(jabber_interserver, tcp,5269,s0)
 network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
 network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
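Review bot: Dropping tcp 5666 from `inetd_child` here and declaring it as `nrpe` in the hunk ending at L1685 relabels the port from `inetd_child_port_t` to `nrpe_port_t`, so an inetd-spawned service that was listening on 5666 loses its access after this upgrade; the changelog on this page mentions nrpe binding to 5666 but not this side effect. `network_port` takes no comment, so the changelog entry is the place to add a sentence warning admins of inetd-based nrpe setups.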
@@ -127,6 +128,7 @@
 network_port(nessus, tcp,1241,s0)
 network_port(netsupport, tcp,5405,s0, udp,5405,s0)
 network_port(nmbd, udp,137,s0, udp,138,s0)
+network_port(nrpe, tcp,5666,s0)
 network_port(ntp, udp,123,s0)
 network_port(ocsp, tcp,9080,s0)
 network_port(openvpn, tcp,1194,s0, udp,1194,s0)
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/kernel/storage.fc
+++ refpolicy-0.0.20080702/policy/modules/kernel/storage.fc
@@ -5,7 +5,7 @@
 /dev/n?osst[0-3].*	-c	gen_context(system_u:object_r:tape_device_t,s0)
 /dev/n?pt[0-9]+		-c	gen_context(system_u:object_r:tape_device_t,s0)
 /dev/n?tpqic[12].*	-c	gen_context(system_u:object_r:tape_device_t,s0)
-/dev/[shmx]d[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/[shmxv]d[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/aztcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/bpcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/bsg/.+		-c	gen_context(system_u:object_r:scsi_generic_device_t,s0)
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/kernel/storage.if
+++ refpolicy-0.0.20080702/policy/modules/kernel/storage.if
@@ -249,6 +249,24 @@
 
 ########################################
 ## <summary>
+##	Create block devices in a directory labelled as var_run_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`storage_var_run_filetrans_fixed_disk',`
+	gen_require(`
+		type fixed_disk_device_t;
+	')
+
+	files_pid_filetrans($1,fixed_disk_device_t,blk_file)
+')
+
+########################################
+## <summary>
 ##	Relabel fixed disk device nodes.
 ## </summary>
 ## <param name="domain">
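Review bot: `files_pid_filetrans($1,fixed_disk_device_t,blk_file)` omits the spaces after commas that the acct.if hunks on this page add everywhere else, so the new interface is already out of step with the patch's own reformatting; write `files_pid_filetrans($1, fixed_disk_device_t, blk_file)`. The summary promises "Create block devices", but the body supplies only the type transition — the caller presumably still needs `create` on `fixed_disk_device_t:blk_file` from elsewhere — so either state that in a `<desc>` or grant it here. The `<param>` summary `The type of the process performing this action.` also differs from the `Domain allowed access.` wording used by the other new interfaces on this page.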
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/lda.if
+++ refpolicy-0.0.20080702/policy/modules/services/lda.if
@@ -0,0 +1,41 @@
+## <summary>mail delivery agent</summary>
+
+########################################
+## <summary>
+##	Execute lda with a domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lda_domtrans',`
+	gen_require(`
+		type lda_exec_t, lda_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+	domtrans_pattern($1,lda_exec_t,lda_t)
+')
+
+########################################
+## <summary>
+##	Execute lda in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lda_exec',`
+	gen_require(`
+		type lda_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+	can_exec($1,lda_exec_t)
+')
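Review bot: Both interfaces use the unspaced `domtrans_pattern($1,lda_exec_t,lda_t)` and `can_exec($1,lda_exec_t)` form that the acct.if hunks on this page convert to the spaced form; new code should follow the convention the patch itself establishes. The file summary `## <summary>mail delivery agent</summary>` names no program, while postinst.policy on this page maps this module to procmail, courier-maildrop and dovecot-common; `## <summary>Local delivery agents: procmail, maildrop, dovecot deliver</summary>` tells a reader which binaries end up as `lda_exec_t`.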
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/mta.if
+++ refpolicy-0.0.20080702/policy/modules/services/mta.if
@@ -96,12 +96,14 @@
 
 	miscfiles_read_localization($1_mail_t)
 
+	kernel_read_system_state($1_mail_t)
+
 	optional_policy(`
 		postfix_domtrans_user_mail_handler($1_mail_t)
 	')
 
 	optional_policy(`
-		procmail_exec($1_mail_t)
+		lda_exec($1_mail_t)
 	')
 
 	optional_policy(`
@@ -383,8 +385,7 @@
 	typeattribute $1 mailserver_delivery;
 
 	allow $1 mail_spool_t:dir list_dir_perms;
-	create_files_pattern($1,mail_spool_t,mail_spool_t)
-	read_files_pattern($1,mail_spool_t,mail_spool_t)
+	manage_files_pattern($1,mail_spool_t,mail_spool_t)
 	create_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
 	read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
 
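Review bot: Replacing `create_files_pattern` plus `read_files_pattern` with `manage_files_pattern($1,mail_spool_t,mail_spool_t)` gives every domain passed through this interface write, unlink and rename on the mail spool, not just the local delivery agent the changelog on this page cites; that widening is invisible to callers of `mta_mailserver_delivery`. A comment on the rule saying why delivery agents need full manage access (`# local delivery agents rewrite and remove spool files`) records the trade-off. The enclosing interface starts outside the hunk.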
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/spamassassin.te
+++ refpolicy-0.0.20080702/policy/modules/services/spamassassin.te
@@ -27,6 +27,7 @@
 type spamd_t;
 type spamd_exec_t;
 init_daemon_domain(spamd_t,spamd_exec_t)
+can_exec(spamd_t, spamc_exec_t)
 
 type spamd_spool_t;
 files_type(spamd_spool_t)
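Review bot: `can_exec(spamd_t, spamc_exec_t)` is placed in the declarations section directly under `init_daemon_domain`, and `manage_sock_files_pattern(spamd_t,spamd_var_run_t,spamd_var_run_t)` in the hunk ending at L1823 likewise; refpolicy keeps access rules in the local policy section that begins with the `# setuids to the user running spamc` comment further down, so both belong there. Rules hidden among type declarations compile fine but are easy to miss when auditing what spamd_t may do.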
@@ -40,6 +41,7 @@
 
 type spamd_var_run_t;
 files_pid_file(spamd_var_run_t)
+manage_sock_files_pattern(spamd_t,spamd_var_run_t,spamd_var_run_t)
 
 type spamassassin_exec_t;
 application_executable_file(spamassassin_exec_t)
@@ -53,7 +55,7 @@
 # setuids to the user running spamc.  Comment this if you are not
 # using this ability.
 
-allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };
+allow spamd_t self:capability { kill setgid setuid dac_override sys_tty_config };
 dontaudit spamd_t self:capability sys_tty_config;
 allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow spamd_t self:fd use;
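Review bot: The added `kill` capability lets spamd signal processes owned by other uids, and nothing records why; the changelog on this page only restates the grant. The existing comment above the rule explains setuid/setgid only, so a second comment line naming the process spamd needs to signal would make this capability reviewable.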
@@ -100,6 +102,7 @@
 corenet_udp_sendrecv_all_ports(spamd_t)
 corenet_tcp_bind_all_nodes(spamd_t)
 corenet_tcp_bind_spamd_port(spamd_t)
+corenet_tcp_connect_spamd_port(spamd_t)
 corenet_tcp_connect_razor_port(spamd_t)
 corenet_tcp_connect_smtp_port(spamd_t)
 corenet_sendrecv_razor_client_packets(spamd_t)
@@ -186,6 +189,7 @@
 
 optional_policy(`
 	postfix_read_config(spamd_t)
+	postfix_search_spool(spamd_t)
 ')
 
 optional_policy(`
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/audioentropy.te
+++ refpolicy-0.0.20080702/policy/modules/services/audioentropy.te
@@ -1,5 +1,5 @@
 
-policy_module(audio_entropy, 1.4.0)
+policy_module(audioentropy, 1.4.1)
 
 ########################################
 #
@@ -20,11 +20,24 @@
 
 allow entropyd_t self:capability { dac_override ipc_lock sys_admin };
 dontaudit entropyd_t self:capability sys_tty_config;
-allow entropyd_t self:process signal_perms;
+allow entropyd_t self:process { signal_perms setpgid };
+allow entropyd_t self:sem create_sem_perms;
+allow entropyd_t self:shm create_shm_perms;
+type entropyd_tmpfs_t;
+files_type(entropyd_tmpfs_t)
+manage_files_pattern(entropyd_t,entropyd_tmpfs_t,entropyd_tmpfs_t)
+fs_tmpfs_filetrans(entropyd_t,entropyd_tmpfs_t, file)
+
+# for alsa config
+files_read_usr_files(entropyd_t)
 
 manage_files_pattern(entropyd_t,entropyd_var_run_t,entropyd_var_run_t)
 files_pid_filetrans(entropyd_t,entropyd_var_run_t,file)
 
+files_read_etc_files(entropyd_t)
+corecmd_search_bin(entropyd_t)
+corecmd_exec_bin(entropyd_t)
+
 kernel_read_kernel_sysctls(entropyd_t)
 kernel_list_proc(entropyd_t)
 kernel_read_proc_symlinks(entropyd_t)
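Review bot: `type entropyd_tmpfs_t` is declared in the middle of the local-policy rules and marked with `files_type()`; refpolicy convention places type declarations in the Declarations section and marks tmpfs-backed types with `files_tmpfs_file(entropyd_tmpfs_t)` rather than `files_type`. Separately, `corecmd_exec_bin(entropyd_t)` and `files_read_etc_files(entropyd_t)` are added without a comment; the `# for alsa config` remark only covers the `files_read_usr_files` line, so it is not clear which helper program randomsound executes. Naming that program in a comment would keep this from becoming a blanket exec grant nobody dares to remove.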
@@ -35,6 +48,7 @@
 dev_read_rand(entropyd_t)
 dev_write_rand(entropyd_t)
 dev_read_sound(entropyd_t)
+dev_write_sound(entropyd_t)
 
 fs_getattr_all_fs(entropyd_t)
 fs_search_auto_mountpoints(entropyd_t)
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/dbus.te
+++ refpolicy-0.0.20080702/policy/modules/services/dbus.te
@@ -35,7 +35,7 @@
 # cjp: dac_override should probably go in a distro_debian
 allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
 dontaudit system_dbusd_t self:capability sys_tty_config;
-allow system_dbusd_t self:process { getattr signal_perms setcap };
+allow system_dbusd_t self:process { getattr signal_perms getcap setcap };
 allow system_dbusd_t self:fifo_file { read write };
 allow system_dbusd_t self:dbus { send_msg acquire_svc };
 allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
@@ -128,3 +128,7 @@
 optional_policy(`
 	udev_read_db(system_dbusd_t)
 ')
+
+optional_policy(`
+	unconfined_run_to(system_dbusd_t, system_dbusd_exec_t)
+')
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/epmd.fc
+++ refpolicy-0.0.20080702/policy/modules/services/epmd.fc
@@ -0,0 +1 @@
+/usr/lib/erlang/erts-[^/]*/bin/epmd -- gen_context(system_u:object_r:epmd_exec_t,s0)
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/lda.fc
+++ refpolicy-0.0.20080702/policy/modules/services/lda.fc
@@ -0,0 +1,9 @@
+
+/usr/bin/procmail	--	gen_context(system_u:object_r:lda_exec_t,s0)
+/usr/bin/maildrop	--	gen_context(system_u:object_r:lda_exec_t,s0)
+/usr/sbin/deliverquota.maildrop	--	gen_context(system_u:object_r:lda_exec_t,s0)
+/usr/lib/dovecot/deliver --	gen_context(system_u:object_r:lda_exec_t,s0)
+/usr/bin/mailbot	--	gen_context(system_u:object_r:lda_exec_t,s0)
+
+/etc/courier/maildroprc	--	gen_context(system_u:object_r:lda_etc_t,s0)
+/var/log/maildrop.log	--	gen_context(system_u:object_r:lda_log_t,s0)
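Review bot: `/usr/bin/procmail` is labelled `lda_exec_t` here, yet the postfix.te hunk around `rw_files_pattern(postfix_pipe_t,...)` keeps `procmail_domtrans(postfix_pipe_t)` next to the new `lda_domtrans(postfix_pipe_t)`, and procmail.te is still a live module in this patch. If procmail.fc (not visible here) still labels the same path `procmail_exec_t`, the two entries conflict; if it does not, `procmail_domtrans` is dead code because no file carries `procmail_exec_t` any more. Either drop the procmail transition or state in a comment which label `/usr/bin/procmail` is meant to end up with.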
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/milter.fc
+++ refpolicy-0.0.20080702/policy/modules/services/milter.fc
@@ -0,0 +1,19 @@
+/usr/sbin/milter-greylist	--	gen_context(system_u:object_r:greylist_milter_exec_t,s0)
+/usr/sbin/milter-regex				--	gen_context(system_u:object_r:regex_milter_exec_t,s0)
+ifdef(`unused', `
+/usr/sbin/spamass-milter	--	gen_context(system_u:object_r:spamass_milter_exec_t,s0)
+')
+
+/var/lib/milter-greylist(/.*)?		gen_context(system_u:object_r:greylist_milter_data_t,s0)
+ifdef(`unused', `
+/var/lib/spamass-milter(/.*)?		gen_context(system_u:object_r:spamass_milter_state_t,s0)
+')
+
+/var/run/milter-greylist(/.*)?		gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/var/run/milter-greylist\.pid	--	gen_context(system_u:object_r:greylist_milter_data_t,s0)
+ifdef(`unused', `
+/var/run/spamass-milter(/.*)?		gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/run/spamass-milter\.pid	--	gen_context(system_u:object_r:spamass_milter_data_t,s0)
+')
+
+/var/spool/milter-regex(/.*)?		gen_context(system_u:object_r:regex_milter_data_t,s0)
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/postfix.te
+++ refpolicy-0.0.20080702/policy/modules/services/postfix.te
@@ -30,6 +30,9 @@
 type postfix_local_tmp_t;
 files_tmp_file(postfix_local_tmp_t)
 
+# allow postfix_local_t to run programs like vacation that send mail
+mta_sendmail_domtrans(postfix_local_t, postfix_postdrop_t)
+
 # Program for creating database files
 type postfix_map_t;
 type postfix_map_exec_t;
@@ -187,12 +190,18 @@
 ')
 
 optional_policy(`
+	milter_stream_connect_all(postfix_smtpd_t)
+')
+
+optional_policy(`
 #	for postalias
 	mailman_manage_data_files(postfix_master_t)
 ')
 
 optional_policy(`
 	mysql_stream_connect(postfix_master_t)
+	mysql_stream_connect(postfix_smtpd_t)
+	mysql_stream_connect(postfix_cleanup_t)
 ')
 
 optional_policy(`
@@ -204,12 +213,13 @@
 # Partially converted rules.  THESE ARE ONLY TEMPORARY
 #
 
+mta_etc_filetrans_aliases(postfix_master_t)
+allow postfix_master_t etc_aliases_t:file manage_file_perms;
+
 ifdef(`distro_redhat',`
 	# for newer main.cf that uses /etc/aliases
 	allow postfix_master_t etc_aliases_t:dir manage_dir_perms;
-	allow postfix_master_t etc_aliases_t:file manage_file_perms;
 	allow postfix_master_t etc_aliases_t:lnk_file manage_lnk_file_perms;
-	mta_etc_filetrans_aliases(postfix_master_t)
 	filetrans_pattern(postfix_master_t,postfix_etc_t,etc_aliases_t,{ dir file lnk_file })
 ')
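Review bot: The comment `# for newer main.cf that uses /etc/aliases` still sits inside the `distro_redhat` block while `mta_etc_filetrans_aliases` and the `etc_aliases_t:file manage_file_perms` rule it explains have moved above the block and now apply unconditionally. Move the comment up with the rules, or reword it so the remaining redhat-only dir/lnk_file rules have their own explanation.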
 
@@ -255,6 +265,11 @@
 
 corecmd_exec_bin(postfix_cleanup_t)
 
+# for milters - may be a bug in postfix
+allow postfix_cleanup_t postfix_smtpd_t:fd use;
+allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket { getattr read write shutdown };
+allow postfix_cleanup_t postfix_smtpd_t:tcp_socket { read write getattr getopt };
+
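Review bot: The `fd use` plus read/write on `postfix_smtpd_t`'s unix and tcp sockets granted to `postfix_cleanup_t` is labelled `may be a bug in postfix`, which suggests these are inherited descriptors cleanup never needs rather than a real data path. If that is the case the refpolicy idiom is to `dontaudit` the fd use and socket access instead of allowing it, so the client-facing SMTP connection is not reachable from cleanup; if cleanup does legitimately exchange data on those sockets, the comment should say what. The `tcp_socket { read write getattr getopt }` line is the one I would want a denial log for before keeping it.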
 ########################################
 #
 # Postfix local local policy
@@ -295,7 +310,7 @@
 ')
 
 optional_policy(`
-	procmail_domtrans(postfix_local_t)
+	lda_domtrans(postfix_local_t)
 ')
 
 ########################################
@@ -398,11 +413,17 @@
 
 rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
 
+corecmd_exec_bin(postfix_pipe_t)
+
 optional_policy(`
 	procmail_domtrans(postfix_pipe_t)
 ')
 
 optional_policy(`
+	lda_domtrans(postfix_pipe_t)
+')
+
+optional_policy(`
 	mailman_domtrans_queue(postfix_pipe_t)
 ')
 
@@ -561,6 +582,15 @@
 ')
 
 optional_policy(`
+	clamav_stream_connect(postfix_smtpd_t)
+')
+
+optional_policy(`
+	dkim_stream_connect(postfix_smtpd_t)
+	dkim_stream_connect(postfix_cleanup_t)
+')
+
+optional_policy(`
 	sasl_connect(postfix_smtpd_t)
 ')
 
@@ -580,6 +610,7 @@
 
 # connect to master process
 stream_connect_pattern(postfix_virtual_t,postfix_public_t,postfix_public_t,postfix_master_t)
+write_sock_files_pattern(postfix_virtual_t,postfix_private_t,postfix_private_t)
 
 corecmd_exec_shell(postfix_virtual_t)
 corecmd_exec_bin(postfix_virtual_t)
@@ -591,3 +622,8 @@
 # For reading spamassasin
 mta_read_config(postfix_virtual_t)
 mta_manage_spool(postfix_virtual_t)
+
+# for talking to spamass-milter
+optional_policy(`
+	spamassassin_connect_unix_sock(postfix_smtpd_t)
+')
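Review bot: The comment `# for talking to spamass-milter` does not match the rule beneath it: `spamassassin_connect_unix_sock` (added to spamassassin.if in this patch) grants connection to spamd's socket, whereas spamass-milter is a milter domain that milter.te only builds under `ifdef(`unused', ...)`. If smtpd really talks to spamd directly the comment should read `# for talking to spamd`; if the goal was spamass-milter, the `milter_stream_connect_all(postfix_smtpd_t)` added earlier in this file already covers it. The block is also placed under the postfix_virtual section rather than with the other `postfix_smtpd_t` optional_policy blocks.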
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/nagios.fc
+++ refpolicy-0.0.20080702/policy/modules/services/nagios.fc
@@ -1,8 +1,14 @@
 /etc/nagios(/.*)?			gen_context(system_u:object_r:nagios_etc_t,s0)
-/etc/nagios/nrpe\.cfg		--	gen_context(system_u:object_r:nrpe_etc_t,s0)
+/etc/nagios/nrpe.*		--	gen_context(system_u:object_r:nrpe_etc_t,s0)
 
 /usr/bin/nagios			--	gen_context(system_u:object_r:nagios_exec_t,s0)
+ifdef(`distro_debian', `
+/usr/sbin/nrpe			--	gen_context(system_u:object_r:nrpe_exec_t,s0)
+',`
 /usr/bin/nrpe			--	gen_context(system_u:object_r:nrpe_exec_t,s0)
+')
+
+/var/run/nrpe.pid		--	gen_context(system_u:object_r:nrpe_var_run_t,s0)
 
 /usr/lib(64)?/cgi-bin/netsaint/.+ --	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
 /usr/lib(64)?/nagios/cgi/.+	--	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
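Review bot: The new `/var/run/nrpe.pid` entry leaves the dot unescaped, unlike the `nrpe\.cfg` line being removed; in a file_contexts regex `.` matches any character, so it should be `/var/run/nrpe\.pid`. The same unescaped dot appears in `/var/run/dictd.pid` (dictd.fc) and in `/etc/openvpn/ipp.txt` and `/var/run/openvpn.client.*` (openvpn.fc). `/etc/nagios/nrpe.*` and the next hunk's `/usr/sbin/nagios.*` look like deliberate broadening, but note they also match names such as `nrpe-anything`; a comment stating which files they are meant to catch (e.g. `nrpe_local.cfg`, `nagios3`) would make that intent clear.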
@@ -11,6 +17,7 @@
 /var/log/netsaint(/.*)?			gen_context(system_u:object_r:nagios_log_t,s0)
 
 ifdef(`distro_debian',`
-/usr/sbin/nagios		--	gen_context(system_u:object_r:nagios_exec_t,s0)
-/usr/lib/cgi-bin/nagios/.+	--	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
+/usr/sbin/nagios.*		--	gen_context(system_u:object_r:nagios_exec_t,s0)
+/usr/lib/cgi-bin/nagios.?/.+	--	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
+/usr/lib/nagios3/cgi/.+	--	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
 ')
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/spamassassin.if
+++ refpolicy-0.0.20080702/policy/modules/services/spamassassin.if
@@ -528,3 +528,23 @@
 
 	dontaudit $1 spamd_tmp_t:sock_file getattr;
 ')
+
+########################################
+## <summary>
+##	Connect to spamd via unix socket
+## </summary>
+## <param name="domain">
+##      <summary>
+##	Domain to connect
+##      </summary>
+## </param>
+#
+interface(`spamassassin_connect_unix_sock',`
+	gen_require(`
+		type spamd_t, spamd_var_run_t;
+	')
+
+	allow $1 spamd_var_run_t:dir search_dir_perms;
+	allow $1 spamd_var_run_t:sock_file write;
+	allow $1 spamd_t:unix_stream_socket connectto;
+')
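Review bot: The body of `spamassassin_connect_unix_sock` open-codes three rules that `stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)` expresses in one line, and that is the form the dkim.if and dovecot.if hunks in this same patch use. It also omits `files_search_pids($1)`, so a caller that does not already search /var/run cannot reach the socket. Replacing the three allow lines with the pattern plus `files_search_pids($1)` keeps the interface consistent with the rest of refpolicy; the XML param block also mixes spaces and tabs.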
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/dbus.if
+++ refpolicy-0.0.20080702/policy/modules/services/dbus.if
@@ -223,6 +223,8 @@
 	files_search_pids($2)
 	stream_connect_pattern($2,system_dbusd_var_run_t,system_dbusd_var_run_t,system_dbusd_t)
 	dbus_read_config($2)
+	allow system_dbusd_t $2:dir search;
+	allow system_dbusd_t $2:file read_file_perms;
 ')
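Review bot: The two added rules let `system_dbusd_t` search and read files labelled with the client domain `$2`, which for a process domain means its /proc/<pid> entries; nothing in the hunk says why the bus needs that (a credential or context lookup of connecting clients is my guess, but it is an inference). Reverse-direction rules inside a client interface are easy to overlook, so a comment such as `# dbusd reads /proc/<pid> of connecting clients` stating the actual reason belongs above them. The enclosing interface starts before this hunk.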
 
 #######################################
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/mysql.if
+++ refpolicy-0.0.20080702/policy/modules/services/mysql.if
@@ -20,6 +20,27 @@
 
 ########################################
 ## <summary>
+##      Allow the specified domain to connect to postgresql with a tcp socket.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`mysql_tcp_connect',`
+	gen_require(`
+		type mysqld_t;
+	')
+
+	corenet_tcp_recvfrom_labeled($1, mysqld_t)
+	corenet_tcp_sendrecv_mysqld_port($1)
+	corenet_tcp_connect_mysqld_port($1)
+	corenet_sendrecv_mysqld_client_packets($1)
+')
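Review bot: The summary of the new `mysql_tcp_connect` interface says `connect to postgresql with a tcp socket`, a copy-paste slip; it should read `Allow the specified domain to connect to MySQL with a TCP socket.` Since the XML summaries feed the generated policy documentation, the wrong service name will show up there. The doc block also uses spaces where the neighbouring interface uses tabs.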
+
+########################################
+## <summary>
 ##	Connect to MySQL using a unix domain stream socket.
 ## </summary>
 ## <param name="domain">
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/dnsmasq.te
+++ refpolicy-0.0.20080702/policy/modules/services/dnsmasq.te
@@ -23,7 +23,7 @@
 
 allow dnsmasq_t self:capability { net_admin setgid setuid net_bind_service net_raw };
 dontaudit dnsmasq_t self:capability sys_tty_config;
-allow dnsmasq_t self:process { setcap signal_perms };
+allow dnsmasq_t self:process { getcap setcap signal_perms };
 allow dnsmasq_t self:fifo_file { read write };
 allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write };
 allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/perdition.te
+++ refpolicy-0.0.20080702/policy/modules/services/perdition.te
@@ -21,17 +21,21 @@
 # Local policy
 #
 
-allow perdition_t self:capability { setgid setuid };
+allow perdition_t self:capability { dac_read_search chown fowner setgid setuid };
+allow perdition_t self:netlink_route_socket create_netlink_socket_perms;
 dontaudit perdition_t self:capability sys_tty_config;
 allow perdition_t self:process signal_perms;
 allow perdition_t self:tcp_socket create_stream_socket_perms;
 allow perdition_t self:udp_socket create_socket_perms;
 
 allow perdition_t perdition_etc_t:file { getattr read };
+allow perdition_t perdition_etc_t:dir list_dir_perms;
 files_search_etc(perdition_t)
 
 manage_files_pattern(perdition_t,perdition_var_run_t,perdition_var_run_t)
-files_pid_filetrans(perdition_t,perdition_var_run_t,file)
+files_pid_filetrans(perdition_t,perdition_var_run_t, { file dir })
+dev_read_rand(perdition_t)
+dev_read_urand(perdition_t)
 
 kernel_read_kernel_sysctls(perdition_t)
 kernel_list_proc(perdition_t)
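Review bot: `dac_read_search`, `chown` and `fowner` are added to perdition_t's capabilities at the changed line without a comment; `dac_read_search` in particular bypasses DAC read checks on every file the domain can otherwise reach, so the rule should record which access triggered it (if it was a daemon stat'ing paths it does not actually need, a `dontaudit` is usually the better answer). The `netlink_route_socket` and `dev_read_rand`/`dev_read_urand` additions would likewise benefit from a one-line why-comment, e.g. `# for TLS setup`, if that is what they serve.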
@@ -47,6 +51,7 @@
 corenet_udp_sendrecv_all_ports(perdition_t)
 corenet_tcp_bind_all_nodes(perdition_t)
 corenet_tcp_bind_pop_port(perdition_t)
+corenet_tcp_connect_pop_port(perdition_t)
 corenet_sendrecv_pop_server_packets(perdition_t)
 
 dev_read_sysfs(perdition_t)
@@ -78,3 +83,19 @@
 optional_policy(`
 	udev_read_db(perdition_t)
 ')
+
+corenet_tcp_connect_mysqld_port(perdition_t)
+
+optional_policy(`
+	mysql_tcp_connect(perdition_t)
+	mysql_stream_connect(perdition_t)
+')
+
+corenet_tcp_connect_postgresql_port(perdition_t)
+
+optional_policy(`
+	postgresql_tcp_connect(perdition_t)
+	postgresql_stream_connect(perdition_t)
+')
+
+
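Review bot: `corenet_tcp_connect_mysqld_port(perdition_t)` and `corenet_tcp_connect_postgresql_port(perdition_t)` are granted unconditionally just above `optional_policy` blocks whose `mysql_tcp_connect` (added to mysql.if by this patch) and `postgresql_tcp_connect` already grant the same port access, so the standalone lines are redundant and hand out the connect permission even when the database modules are not loaded. Dropping the two unconditional lines leaves the optional blocks to do the job. The hunk also ends with two trailing blank lines.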
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/mta.te
+++ refpolicy-0.0.20080702/policy/modules/services/mta.te
@@ -6,9 +6,16 @@
 # Declarations
 #
 
+# attribute used for domains that act on behalf of the user to deliver mail
+# to the queue
 attribute mta_user_agent;
+
+# attribute used for domains that deliver mail locally
 attribute mailserver_delivery;
+
 attribute mailserver_domain;
+
+# attribute used for domains that send mail externally (smtp or lmtp)
 attribute mailserver_sender;
 
 attribute user_mail_domain;
@@ -24,6 +31,7 @@
 
 type mail_spool_t;
 files_type(mail_spool_t)
+fs_type(mail_spool_t)
 
 type sendmail_exec_t;
 application_executable_file(sendmail_exec_t)
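Review bot: `fs_type(mail_spool_t)` turns a plain `files_type` into a filesystem type, so every `fs_*_all_fs` interface in the policy (for example `fs_getattr_all_fs`, and `fs_unmount_all_fs`, which watchdog.te gains in this patch) now also applies to the mail spool. No comment explains the purpose; if it exists to satisfy a specific fs_* interface that some delivery agent calls, say so with a line like `# fs_type so that <interface> reaches the spool`, and otherwise a targeted interface on `mail_spool_t` is the safer route.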
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/openvpn.fc
+++ refpolicy-0.0.20080702/policy/modules/services/openvpn.fc
@@ -2,6 +2,7 @@
 # /etc
 #
 /etc/openvpn(/.*)?		gen_context(system_u:object_r:openvpn_etc_t,s0)
+/etc/openvpn/ipp.txt	--	gen_context(system_u:object_r:openvpn_var_run_t,s0)
 
 #
 # /usr
@@ -13,3 +14,4 @@
 #
 /var/log/openvpn(/.*)?		gen_context(system_u:object_r:openvpn_var_log_t,s0)
 /var/run/openvpn(/.*)?		gen_context(system_u:object_r:openvpn_var_run_t,s0)
+/var/run/openvpn.client.* -- gen_context(system_u:object_r:openvpn_var_run_t,s0)
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/procmail.te
+++ refpolicy-0.0.20080702/policy/modules/services/procmail.te
@@ -75,6 +75,15 @@
 # only works until we define a different type for maildir
 userdom_priveleged_home_dir_manager(procmail_t)
 
+optional_policy(`
+	gen_require(`
+		bool daemon_access_unconfined_home;
+	')
+	tunable_policy(`daemon_access_unconfined_home', `
+		unconfined_write_home_content_files(procmail_t)
+	')
+')
+
 # Do not audit attempts to access /root.
 staff_dontaudit_search_home_dirs(procmail_t)
 sysadm_dontaudit_search_home_dirs(procmail_t)
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/epmd.if
+++ refpolicy-0.0.20080702/policy/modules/services/epmd.if
@@ -0,0 +1,29 @@
+## <summary>Erlang Port Mapper Daemon (epmd).</summary>
+
+########################################
+## <summary>
+##	Execute epmd in the epmd domain, and
+##	allow the specified role the epmd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the epmd domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`run_epmd',`
+	gen_require(`
+		type epmd_t, epmd_exec_t;
+	')
+
+        domtrans_pattern($1, epmd_exec_t, epmd_t)
+	role $2 types epmd_t;
+	corenet_tcp_connect_epmd_port($1)
+')
+
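Review bot: The interface is named `run_epmd`, but refpolicy interfaces carry their module name as prefix (`epmd_run`, or `epmd_domtrans` for the transition alone), and the doc generator and callers rely on that prefix; rename it before other modules start using it. `corenet_tcp_connect_epmd_port($1)` inside a run interface is unusual, since run interfaces normally grant only the transition and role; if callers need the port, a separate `epmd_tcp_connect` interface would match convention. The `domtrans_pattern($1, epmd_exec_t, epmd_t)` line is indented with spaces where the rest uses tabs, and the file ends with a trailing blank line.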
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/audioentropy.fc
+++ refpolicy-0.0.20080702/policy/modules/services/audioentropy.fc
@@ -1,4 +1,4 @@
 #
 # /usr
 #
-/usr/sbin/audio-entropyd	--	gen_context(system_u:object_r:entropyd_exec_t,s0)
+/usr/sbin/randomsound	--	gen_context(system_u:object_r:entropyd_exec_t,s0)
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/dovecot.fc
+++ refpolicy-0.0.20080702/policy/modules/services/dovecot.fc
@@ -17,6 +17,7 @@
 
 ifdef(`distro_debian', `
 /usr/lib/dovecot/dovecot-auth 	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/lib/dovecot/.+		--	gen_context(system_u:object_r:bin_t,s0)
 ')
 
 ifdef(`distro_redhat', `
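Review bot: The new catch-all `/usr/lib/dovecot/.+ -- bin_t` is placed after the specific `/usr/lib/dovecot/dovecot-auth` entry. Depending on the libselinux version, matching either prefers the entry with the longer fixed stem or simply takes the last matching line, and under the latter the generic rule would relabel dovecot-auth to `bin_t`. Putting the generic line first (as nagios.fc in this patch does with `/etc/nagios(/.*)?` before the nrpe rule) makes the result unambiguous under either behaviour.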
@@ -27,8 +28,10 @@
 # /var
 #
 /var/run/dovecot(-login)?(/.*)?		gen_context(system_u:object_r:dovecot_var_run_t,s0)
+ifdef(`distro_redhat', `
 # this is a hard link to /var/lib/dovecot/ssl-parameters.dat
 /var/run/dovecot/login/ssl-parameters.dat	gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+')
 
 /var/lib/dovecot(/.*)?			gen_context(system_u:object_r:dovecot_var_lib_t,s0)
 
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/ntp.te
+++ refpolicy-0.0.20080702/policy/modules/services/ntp.te
@@ -34,7 +34,7 @@
 # ntpdate wants sys_nice
 allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot sys_nice sys_resource };
 dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
-allow ntpd_t self:process { signal_perms setcap setsched setrlimit };
+allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
 allow ntpd_t self:fifo_file { read write getattr };
 allow ntpd_t self:unix_dgram_socket create_socket_perms;
 allow ntpd_t self:unix_stream_socket create_socket_perms;
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/dkim.if
+++ refpolicy-0.0.20080702/policy/modules/services/dkim.if
@@ -0,0 +1,20 @@
+## <summary>DKIM Milter - add and validate public key signatures on email</summary>
+
+########################################
+## <summary>
+##	Connect to dkim-milter.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to connect.
+##	</summary>
+## </param>
+#
+interface(`dkim_stream_connect',`
+	gen_require(`
+		type dkim_t, dkim_var_run_t;
+	')
+
+	stream_connect_pattern($1,dkim_var_run_t,dkim_var_run_t,dkim_t)
+')
+
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/epmd.te
+++ refpolicy-0.0.20080702/policy/modules/services/epmd.te
@@ -0,0 +1,52 @@
+
+policy_module(epmd, 1.7.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow the Erlang Port mapper to coordinate all nodes in distributed
+## computing.  It also wants to run on single nodes so any daemon written in
+## Erlang will need it.
+## </p>
+## </desc>
+
+type epmd_t;
+type epmd_exec_t;
+init_daemon_domain(epmd_t,epmd_exec_t)
+role system_r types epmd_t;
+
+########################################
+#
+# epmd local policy
+#
+
+allow epmd_t self:tcp_socket create_stream_socket_perms;
+#allow epmd_t self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(epmd_t)
+corenet_all_recvfrom_netlabel(epmd_t)
+corenet_tcp_bind_epmd_port(epmd_t)
+corenet_tcp_sendrecv_all_if(epmd_t)
+#corenet_udp_sendrecv_all_if(epmd_t)
+corenet_tcp_sendrecv_all_nodes(epmd_t)
+#corenet_udp_sendrecv_all_nodes(epmd_t)
+corenet_tcp_sendrecv_all_ports(epmd_t)
+#corenet_udp_sendrecv_all_ports(epmd_t)
+corenet_tcp_bind_all_nodes(epmd_t)
+#corenet_udp_bind_all_nodes(epmd_t)
+#corenet_tcp_connect_all_ports(epmd_t)
+#corenet_udp_bind_all_unreserved_ports(epmd_t)
+
+files_read_etc_files(epmd_t)
+
+libs_use_ld_so(epmd_t)
+libs_use_shared_libs(epmd_t)
+
+logging_send_syslog_msg(epmd_t)
+
+miscfiles_read_localization(epmd_t)
+
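Review bot: The new module carries seven commented-out `corenet_udp_*`/`corenet_tcp_connect_all_ports` lines; refpolicy modules drop rules that are not needed rather than keep them disabled, since `#` lines are invisible to review tooling and tend to be uncommented wholesale later. `policy_module(epmd, 1.7.1)` is an odd version for a brand-new module (new modules start at 1.0.0), and the `## <desc>` block is the markup used for tunables, not for a module description, so it will not render where expected. The rule set itself is tight (binding only the epmd port), which is worth keeping.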
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/watchdog.te
+++ refpolicy-0.0.20080702/policy/modules/services/watchdog.te
@@ -21,13 +21,18 @@
 # Declarations
 #
 
-allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource };
+allow watchdog_t self:capability { net_raw sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource };
 dontaudit watchdog_t self:capability sys_tty_config;
 allow watchdog_t self:process { setsched signal_perms };
 allow watchdog_t self:fifo_file rw_fifo_file_perms;
 allow watchdog_t self:unix_stream_socket create_socket_perms;
 allow watchdog_t self:tcp_socket create_stream_socket_perms;
 allow watchdog_t self:udp_socket create_socket_perms;
+allow watchdog_t self:rawip_socket create_socket_perms;
+corenet_raw_sendrecv_all_if(watchdog_t)
+corenet_raw_sendrecv_all_nodes(watchdog_t)
+files_read_all_pids(watchdog_t)
+kernel_read_network_state(watchdog_t)
 
 allow watchdog_t watchdog_log_t:file manage_file_perms;
 logging_log_filetrans(watchdog_t,watchdog_log_t,file)
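Review bot: The raw-socket rules (`net_raw`, `self:rawip_socket`, `corenet_raw_sendrecv_all_if`/`_nodes`) and `files_read_all_pids`/`kernel_read_network_state` are added without a comment saying which watchdog tests need them; raw sockets are a notable grant for a daemon whose other duties are local. If these serve watchdog's ping and pidfile checks, a line such as `# for the ping and pidfile tests in watchdog.conf` above the group would document that. Note also that the next hunk widens `fs_unmount_xattr_fs` to `fs_unmount_all_fs`, which together with the `fs_type(mail_spool_t)` change in mta.te now reaches the mail spool type as well.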
@@ -67,13 +72,14 @@
 domain_signull_all_domains(watchdog_t)
 domain_signal_all_domains(watchdog_t)
 domain_kill_all_domains(watchdog_t)
+mcs_killall(watchdog_t)
 
 files_read_etc_files(watchdog_t)
 # for updating mtab on umount
 files_manage_etc_runtime_files(watchdog_t)
 files_etc_filetrans_etc_runtime(watchdog_t,file)
 
-fs_unmount_xattr_fs(watchdog_t)
+fs_unmount_all_fs(watchdog_t)
 fs_getattr_all_fs(watchdog_t)
 fs_search_auto_mountpoints(watchdog_t)
 
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/fetchmail.te
+++ refpolicy-0.0.20080702/policy/modules/services/fetchmail.te
@@ -87,7 +87,7 @@
 sysadm_dontaudit_search_home_dirs(fetchmail_t)
 
 optional_policy(`
-	procmail_domtrans(fetchmail_t)
+	lda_domtrans(fetchmail_t)
 ')
 
 optional_policy(`
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/openvpn.te
+++ refpolicy-0.0.20080702/policy/modules/services/openvpn.te
@@ -35,6 +35,7 @@
 # openvpn local policy
 #
 
+kernel_request_load_module(openvpn_t)
 allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_tty_config };
 allow openvpn_t self:process { signal getsched };
 
@@ -43,6 +44,8 @@
 allow openvpn_t self:udp_socket create_socket_perms;
 allow openvpn_t self:tcp_socket server_stream_socket_perms;
 allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
+allow openvpn_t self:socket create;
+allow openvpn_t self:tun_socket create;
 
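Review bot: `self:socket create` and `self:tun_socket create` are granted side by side with no comment; I assume the pair exists because the Lenny kernel reports tun devices under the generic `socket` class while the Squeeze kernel has the `tun_socket` class, but that should be written down, e.g. `# tun_socket on squeeze kernels, generic socket class on lenny`. Without it the first line reads as a leftover and is likely to be removed once only newer kernels matter. `kernel_request_load_module(openvpn_t)` in the previous hunk would also sit better with the other `kernel_*` calls than above the capability rule.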
 allow openvpn_t openvpn_etc_t:dir list_dir_perms;
 read_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t)
@@ -54,6 +57,10 @@
 manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
 files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
 
+# for the list of vulnerable keys
+files_read_usr_files(openvpn_t)
+files_read_var_lib_files(openvpn_t)
+
 kernel_read_kernel_sysctls(openvpn_t)
 kernel_read_net_sysctls(openvpn_t)
 kernel_read_network_state(openvpn_t)
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/dictd.fc
+++ refpolicy-0.0.20080702/policy/modules/services/dictd.fc
@@ -4,3 +4,4 @@
 /usr/sbin/dictd		--	gen_context(system_u:object_r:dictd_exec_t,s0)
 
 /var/lib/dictd(/.*)?		gen_context(system_u:object_r:dictd_var_lib_t,s0)
+/var/run/dictd.pid	--	gen_context(system_u:object_r:dictd_var_run_t,s0)
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/avahi.te
+++ refpolicy-0.0.20080702/policy/modules/services/avahi.te
@@ -20,7 +20,7 @@
 
 allow avahi_t self:capability { dac_override setgid chown fowner kill setuid sys_chroot };
 dontaudit avahi_t self:capability sys_tty_config;
-allow avahi_t self:process { setrlimit signal_perms setcap };
+allow avahi_t self:process { setrlimit signal_perms getcap setcap };
 allow avahi_t self:fifo_file { read write };
 allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow avahi_t self:unix_dgram_socket create_socket_perms;
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/sasl.te
+++ refpolicy-0.0.20080702/policy/modules/services/sasl.te
@@ -102,15 +102,29 @@
 	kerberos_read_keytab(saslauthd_t)
 ')
 
+corenet_tcp_connect_mysqld_port(saslauthd_t)
 optional_policy(`
 	mysql_search_db(saslauthd_t)
 	mysql_stream_connect(saslauthd_t)
 ')
 
 optional_policy(`
+	postgresql_stream_connect(saslauthd_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(saslauthd_t)
 ')
 
 optional_policy(`
 	udev_read_db(saslauthd_t)
 ')
+
+corenet_tcp_connect_postgresql_port(saslauthd_t)
+
+optional_policy(`
+	postgresql_tcp_connect(saslauthd_t)
+	postgresql_stream_connect(saslauthd_t)
+')
+
+
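Review bot: `postgresql_stream_connect(saslauthd_t)` is now granted in two separate `optional_policy` blocks in this hunk, and `corenet_tcp_connect_postgresql_port(saslauthd_t)` is given unconditionally although `postgresql_tcp_connect` inside the optional block already covers that port. Merge the two postgresql blocks into one and drop the unconditional postgresql port rule; for mysql, `mysql_tcp_connect(saslauthd_t)` (added to mysql.if by this patch) inside the existing mysql block would replace the bare `corenet_tcp_connect_mysqld_port` so saslauthd only gets database ports when the module is loaded. The hunk also ends with two trailing blank lines.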
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/milter.if
+++ refpolicy-0.0.20080702/policy/modules/services/milter.if
@@ -0,0 +1,102 @@
+## <summary>Milter mail filters</summary>
+
+########################################
+## <summary>
+##	Create a set of derived types for various
+##	mail filter applications using the milter interface.
+## </summary>
+## <param name="milter_name">
+##	<summary>
+##	The name to be used for deriving type names.
+##	</summary>
+## </param>
+#
+template(`milter_template',`
+	# attributes common to all milters
+	gen_require(`
+		attribute milter_data_type, milter_domains;
+	')
+
+	type $1_milter_t, milter_domains;
+	type $1_milter_exec_t;
+	init_daemon_domain($1_milter_t, $1_milter_exec_t)
+	role system_r types $1_milter_t;
+
+	# Type for the milter data (e.g. the socket used to communicate with the MTA)
+	type $1_milter_data_t, milter_data_type;
+	files_type($1_milter_data_t)
+
+	allow $1_milter_t self:fifo_file rw_fifo_file_perms;
+
+	# Allow communication with MTA over a unix-domain socket
+	# Note: usage with TCP sockets requires additional policy
+	manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
+
+	# Create other data files and directories in the data directory
+	manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
+
+	files_read_etc_files($1_milter_t)
+
+	miscfiles_read_localization($1_milter_t)
+
+	logging_send_syslog_msg($1_milter_t)
+')
+
+########################################
+## <summary>
+##	MTA communication with milter sockets
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`milter_stream_connect_all',`
+	gen_require(`
+		attribute milter_data_type, milter_domains;
+	')
+
+	getattr_dirs_pattern($1, milter_data_type, milter_data_type)
+	stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains)
+')
+
+########################################
+## <summary>
+##	Allow getattr of milter sockets
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`milter_getattr_all_sockets',`
+	gen_require(`
+		attribute milter_data_type;
+	')
+
+	getattr_dirs_pattern($1, milter_data_type, milter_data_type)
+	getattr_sock_files_pattern($1, milter_data_type, milter_data_type)
+')
+
+########################################
+## <summary>
+##	Manage spamassassin milter state
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`milter_manage_spamass_state',`
+	gen_require(`
+		type spamass_milter_state_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+	manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+	manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+')
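Review bot: `milter_manage_spamass_state` requires `type spamass_milter_state_t`, but milter.te declares that type only inside `ifdef(`unused', ...)` (its declarations hunk in this patch), so in a normal build the type does not exist and any module calling this interface fails to link on the missing require. Either guard the interface body with the same `ifdef`, or leave it out together with the `unused` blocks until spamass-milter is actually supported. In `milter_template` the `# attributes common to all milters` comment sits above the `gen_require` rather than next to the attribute declarations it describes.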
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/asterisk.te
+++ refpolicy-0.0.20080702/policy/modules/services/asterisk.te
@@ -39,7 +39,7 @@
 # dac_override for /var/run/asterisk
 allow asterisk_t self:capability { dac_override setgid setuid sys_nice };
 dontaudit asterisk_t self:capability sys_tty_config;
-allow asterisk_t self:process { setsched signal_perms };
+allow asterisk_t self:process { setsched signal_perms getcap setcap };
 allow asterisk_t self:fifo_file rw_fifo_file_perms;
 allow asterisk_t self:sem create_sem_perms;
 allow asterisk_t self:shm create_shm_perms;
@@ -141,7 +141,4 @@
 	udev_read_db(asterisk_t)
 ')
 
-ifdef(`TODO',`
-allow initrc_t asterisk_var_run_t:fifo_file unlink;
-allow sysadm_t asterisk_t:unix_stream_socket { connectto rw_stream_socket_perms };
-')
+allow asterisk_t self:unix_stream_socket { connectto rw_stream_socket_perms };
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/networkmanager.te
+++ refpolicy-0.0.20080702/policy/modules/services/networkmanager.te
@@ -22,7 +22,7 @@
 # and it receives a unexpected signal (rh bug #204161) 
 allow NetworkManager_t self:capability { kill setgid setuid dac_override net_admin net_raw net_bind_service ipc_lock };
 dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
-allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
+allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched signal_perms };
 allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
 allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
 allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/snmp.te
+++ refpolicy-0.0.20080702/policy/modules/services/snmp.te
@@ -22,7 +22,7 @@
 #
 # Local policy
 #
-allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config };
+allow snmpd_t self:capability { chown dac_override kill setuid net_admin sys_nice sys_tty_config };
 dontaudit snmpd_t self:capability { sys_module sys_tty_config };
 allow snmpd_t self:fifo_file rw_fifo_file_perms;
 allow snmpd_t self:unix_dgram_socket create_socket_perms;
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/postfix.if
+++ refpolicy-0.0.20080702/policy/modules/services/postfix.if
@@ -186,9 +186,13 @@
 	gen_require(`
 		attribute postfix_user_domains;
 		type postfix_postdrop_t;
+		type postfix_postqueue_t;
+		type postfix_showq_t;
 	')
 
 	role $3 types postfix_postdrop_t;
+	role $3 types postfix_postqueue_t;
+	role $3 types postfix_showq_t;
 
 	allow postfix_user_domains $2:process sigchld;
 	allow postfix_user_domains $2:fifo_file { write getattr };
@@ -212,7 +216,7 @@
 	')
 
 	allow $1 postfix_etc_t:dir { getattr read search };
-	allow $1 postfix_etc_t:file { read getattr };
+	allow $1 postfix_etc_t:file { read getattr ioctl };
 	allow $1 postfix_etc_t:lnk_file { getattr read };
 	files_search_etc($1)
 ')
@@ -524,3 +528,4 @@
 
 	typeattribute $1 postfix_user_domtrans;
 ')
+
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/mailman.fc
+++ refpolicy-0.0.20080702/policy/modules/services/mailman.fc
@@ -18,6 +18,8 @@
 /usr/mailman/mail/wrapper	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 ')
 
+/var/lock/mailman(/.*)?			gen_context(system_u:object_r:mailman_lock_t,s0)
+
 #
 # distro_redhat
 #
@@ -28,6 +30,5 @@
 /usr/lib/mailman/cgi-bin/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
 /usr/lib/mailman/scripts/mailman --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 
-/var/lock/mailman(/.*)?			gen_context(system_u:object_r:mailman_lock_t,s0)
 /var/spool/mailman(/.*)?		gen_context(system_u:object_r:mailman_data_t,s0)
 ')
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/dovecot.if
+++ refpolicy-0.0.20080702/policy/modules/services/dovecot.if
@@ -36,3 +36,21 @@
 
 	dontaudit $1 dovecot_var_lib_t:file unlink;
 ')
+
+########################################
+## <summary>
+##      Allow client to connect to Dovecot auth socket
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to connect
+##      </summary>
+## </param>
+#
+interface(`dovecot_auth_client',`
+	gen_require(`
+		type dovecot_auth_t, dovecot_var_run_t;
+	')
+
+	stream_connect_pattern(lda_t, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)
+')
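Review bot: The body of `dovecot_auth_client` uses `lda_t` instead of the `$1` parameter, so the interface ignores its `domain` argument, hard-wires access to one domain, and references a type that is not in its `gen_require` (it will not link unless the calling module happens to require `lda_t`). The line should be `stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)`. Callers will typically also need `files_search_pids($1)` to reach the socket under /var/run.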
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/milter.te
+++ refpolicy-0.0.20080702/policy/modules/services/milter.te
@@ -0,0 +1,101 @@
+
+policy_module(milter, 1.2.0)
+
+########################################
+#
+# Declarations
+#
+
+# attributes common to all milters
+attribute milter_domains;
+attribute milter_data_type;
+
+# currently-supported milters are milter-greylist, milter-regex and spamass-milter
+milter_template(greylist)
+milter_template(regex)
+ifdef(`unused', `
+milter_template(spamass)
+
+# Type for the spamass-milter home directory, under which spamassassin will
+# store system-wide preferences, bayes databases etc. if not configured to
+# use per-user configuration
+type spamass_milter_state_t;
+files_type(spamass_milter_state_t)
+')
+
+########################################
+#
+# milter-greylist local policy
+#   ensure smtp clients retry mail like real MTAs and not spamware
+#   http://hcpnet.free.fr/milter-greylist/
+#
+
+# It removes any existing socket (not owned by root) whilst running as root,
+# fixes permissions, renices itself and then calls setgid() and setuid() to
+# drop privileges
+allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
+allow greylist_milter_t self:process { setsched getsched };
+
+# It creates a pid file /var/run/milter-greylist.pid
+files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
+
+kernel_read_kernel_sysctls(greylist_milter_t)
+
+# Allow the milter to read a GeoIP database in /usr/share
+files_read_usr_files(greylist_milter_t)
+# The milter runs from /var/lib/milter-greylist and maintains files there
+files_search_var_lib(greylist_milter_t)
+
+# Look up username for dropping privs
+auth_use_nsswitch(greylist_milter_t)
+
+# Config is in /etc/mail/greylist.conf
+mta_read_config(greylist_milter_t)
+
+########################################
+#
+# milter-regex local policy
+#   filter emails using regular expressions
+#   http://www.benzedrine.cx/milter-regex.html
+#
+
+# It removes any existing socket (not owned by root) whilst running as root
+# and then calls setgid() and setuid() to drop privileges
+allow regex_milter_t self:capability { setuid setgid dac_override };
+
+# The milter's socket directory lives under /var/spool
+files_search_spool(regex_milter_t)
+
+# Look up username for dropping privs
+auth_use_nsswitch(regex_milter_t)
+
+# Config is in /etc/mail/milter-regex.conf
+mta_read_config(regex_milter_t)
+
+ifdef(`unused', `
+########################################
+#
+# spamass-milter local policy
+#   pipe emails through SpamAssassin
+#   http://savannah.nongnu.org/projects/spamass-milt/
+#
+
+# The milter runs from /var/lib/spamass-milter
+allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
+files_search_var_lib(spamass_milter_t)
+
+kernel_read_system_state(spamass_milter_t)
+
+# When used with -b or -B options, the milter invokes sendmail to send mail
+# to a spamtrap address, using popen()
+corecmd_exec_shell(spamass_milter_t)
+corecmd_read_bin_symlinks(spamass_milter_t)
+corecmd_search_bin(spamass_milter_t)
+
+mta_send_mail(spamass_milter_t)
+
+# The main job of the milter is to pipe spam through spamc and act on the result
+optional_policy(`
+	spamassassin_domtrans_client(spamass_milter_t)
+')
+')
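Review bot: The two `ifdef(`unused', ...)` blocks (the `milter_template(spamass)` declaration, `spamass_milter_state_t`, and the whole spamass-milter local policy) are dead unless something defines the m4 symbol `unused`, and spamassassin.fc in this same patch labels `/usr/sbin/spamass-milter` as `spamd_exec_t` instead, so the file carries two contradictory designs for one binary. Either drop the blocks or replace the ifdef with a comment stating the decision, e.g. `# spamass-milter currently runs in spamd_t (see spamassassin.fc); the milter-template version is kept for reference`. `milter_template` and the `greylist_milter_data_t` type used by `files_pid_filetrans` are presumably declared in milter.if, which is not part of this hunk — confirm the data type is what the template creates.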
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/spamassassin.fc
+++ refpolicy-0.0.20080702/policy/modules/services/spamassassin.fc
@@ -6,6 +6,7 @@
 /usr/bin/spamd		--	gen_context(system_u:object_r:spamd_exec_t,s0)
 
 /usr/sbin/spamd		--	gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/sbin/spamass-milter --	gen_context(system_u:object_r:spamd_exec_t,s0)
 
 /var/lib/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_var_lib_t,s0)
 
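Review bot: `/usr/sbin/spamass-milter --	gen_context(system_u:object_r:spamd_exec_t,s0)` makes the milter run in `spamd_t`, so it inherits everything the spamd daemon is allowed rather than the narrower set a milter needs; milter.te in this same patch contains a disabled `milter_template(spamass)` written for exactly that. Nothing in the file records that this is an interim choice; a one-line comment such as `# spamass-milter runs in spamd_t until the milter module covers it` would stop the two files from reading as contradictory. The `/var/spool/postfix/spamass(/.*)?` entry in the next hunk presumably labels the milter's socket directory inside the postfix chroot — worth confirming against the Debian default path.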
@@ -14,3 +15,4 @@
 
 /var/spool/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_spool_t,s0)
 /var/spool/spamd(/.*)?		gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/postfix/spamass(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/apm.te
+++ refpolicy-0.0.20080702/policy/modules/services/apm.te
@@ -193,6 +193,9 @@
 	optional_policy(`
 		networkmanager_dbus_chat(apmd_t)
 	')
+	optional_policy(`
+		hal_dbus_chat(apmd_t)
+	')
 ')
 
 optional_policy(`
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/cron.fc
+++ refpolicy-0.0.20080702/policy/modules/services/cron.fc
@@ -4,6 +4,7 @@
 
 /usr/bin/at			--	gen_context(system_u:object_r:crontab_exec_t,s0)
 /usr/bin/(f)?crontab		--	gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/sbin/fcronsighup		--	gen_context(system_u:object_r:crontab_exec_t,s0)
 
 /usr/sbin/anacron		--	gen_context(system_u:object_r:anacron_exec_t,s0)
 /usr/sbin/atd			--	gen_context(system_u:object_r:crond_exec_t,s0)
@@ -17,9 +18,15 @@
 /var/run/fcron\.fifo		-s	gen_context(system_u:object_r:crond_var_run_t,s0)
 /var/run/fcron\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
 
+ifdef(`distro_debian', `
+/var/spool/cron/atspool		-d	gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/atjobs		-d	gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/atjobs/[^/]*	--	<<none>>
+', `
 /var/spool/at			-d	gen_context(system_u:object_r:cron_spool_t,s0)
 /var/spool/at/spool		-d	gen_context(system_u:object_r:cron_spool_t,s0)
 /var/spool/at/[^/]*		--	<<none>>
+')
 
 /var/spool/cron			-d	gen_context(system_u:object_r:cron_spool_t,s0)
 #/var/spool/cron/root		--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
@@ -45,3 +52,5 @@
 /var/spool/fcron/systab\.orig	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
 /var/spool/fcron/systab		--	gen_context(system_u:object_r:system_cron_spool_t,s0)
 /var/spool/fcron/new\.systab	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+/var/log/prelink.log		--	gen_context(system_u:object_r:cron_log_t,s0)
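Review bot: `/var/log/prelink.log` leaves the dot unescaped while every other entry in this file escapes it (`fcron\.fifo`, `systab\.orig`), so the pattern also matches names like `prelink_log`; write `/var/log/prelink\.log		--	gen_context(system_u:object_r:cron_log_t,s0)`. The same unescaped dot appears in dkim.fc's `/etc/dkim-filter.conf` line. Labeling prelink's log as `cron_log_t` from cron.fc is also questionable, since refpolicy carries a prelink module with its own log type; if that module is deliberately not used on Debian, a comment above the entry saying so would help.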
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/sendmail.te
+++ refpolicy-0.0.20080702/policy/modules/services/sendmail.te
@@ -118,7 +118,7 @@
 ')
 
 optional_policy(`
-	procmail_domtrans(sendmail_t)
+	lda_domtrans(sendmail_t)
 ')
 
 optional_policy(`
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/jabber.te
+++ refpolicy-0.0.20080702/policy/modules/services/jabber.te
@@ -27,7 +27,7 @@
 allow jabberd_t self:capability dac_override;
 dontaudit jabberd_t self:capability sys_tty_config;
 allow jabberd_t self:process signal_perms;
-allow jabberd_t self:fifo_file { read write getattr };
+allow jabberd_t self:fifo_file rw_file_perms;
 allow jabberd_t self:tcp_socket create_stream_socket_perms;
 allow jabberd_t self:udp_socket create_socket_perms;
 
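Review bot: `allow jabberd_t self:fifo_file rw_file_perms;` uses the generic file macro on a fifo_file; the fifo-specific macro `rw_fifo_file_perms` is what the parallel changes in this patch use (`allow courier_$1_t self:fifo_file rw_fifo_file_perms;` in courier.if, and dovecot.te). Change the line to `allow jabberd_t self:fifo_file rw_fifo_file_perms;` so the object class and the permission set agree.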
@@ -42,7 +42,7 @@
 
 kernel_read_kernel_sysctls(jabberd_t)
 kernel_list_proc(jabberd_t)
-kernel_read_proc_symlinks(jabberd_t)
+kernel_read_system_state(jabberd_t)
 
 corenet_all_recvfrom_unlabeled(jabberd_t)
 corenet_all_recvfrom_netlabel(jabberd_t)
@@ -52,15 +52,21 @@
 corenet_udp_sendrecv_all_nodes(jabberd_t)
 corenet_tcp_sendrecv_all_ports(jabberd_t)
 corenet_udp_sendrecv_all_ports(jabberd_t)
+corenet_udp_bind_all_nodes(jabberd_t)
 corenet_tcp_bind_all_nodes(jabberd_t)
 corenet_tcp_bind_jabber_client_port(jabberd_t)
 corenet_tcp_bind_jabber_interserver_port(jabberd_t)
 corenet_sendrecv_jabber_client_server_packets(jabberd_t)
 corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
+corenet_tcp_connect_jabber_interserver_port(jabberd_t)
+
+corecmd_exec_bin(jabberd_t)
+corecmd_exec_shell(jabberd_t)
 
 dev_read_sysfs(jabberd_t)
 # For SSL
 dev_read_rand(jabberd_t)
+dev_read_urand(jabberd_t)
 
 domain_use_interactive_fds(jabberd_t)
 
@@ -84,6 +90,10 @@
 sysadm_dontaudit_search_home_dirs(jabberd_t)
 
 optional_policy(`
+	run_epmd(jabberd_t, system_r)
+')
+
+optional_policy(`
 	nis_use_ypbind(jabberd_t)
 ')
 
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/watchdog.fc
+++ refpolicy-0.0.20080702/policy/modules/services/watchdog.fc
@@ -1,4 +1,5 @@
 /usr/sbin/watchdog	--	gen_context(system_u:object_r:watchdog_exec_t,s0)
+/usr/sbin/wd_keepalive	--	gen_context(system_u:object_r:watchdog_exec_t,s0)
 
 /var/log/watchdog(/.*)?		gen_context(system_u:object_r:watchdog_log_t,s0)
 
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/clamav.fc
+++ refpolicy-0.0.20080702/policy/modules/services/clamav.fc
@@ -5,11 +5,13 @@
 /usr/bin/freshclam		--	gen_context(system_u:object_r:freshclam_exec_t,s0)
 
 /usr/sbin/clamd			--	gen_context(system_u:object_r:clamd_exec_t,s0)
+/usr/sbin/clamav-milter		--	gen_context(system_u:object_r:clamd_exec_t,s0)
 
 /var/run/amavis(d)?/clamd\.pid	--	gen_context(system_u:object_r:clamd_var_run_t,s0)
 /var/run/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_run_t,s0)
 /var/run/clamd\..*			gen_context(system_u:object_r:clamd_var_run_t,s0)
 /var/run/clamav\..*			gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/spool/postfix/clamav(/.*)?		gen_context(system_u:object_r:clamd_var_run_t,s0)
 
 /var/lib/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_lib_t,s0)
 
@@ -18,3 +20,19 @@
 /var/log/clamav/freshclam.*	--	gen_context(system_u:object_r:freshclam_var_log_t,s0)
 
 /var/spool/amavisd/clamd\.sock	-s	gen_context(system_u:object_r:clamd_var_run_t,s0)
+
+/etc/amavis\.conf		--	gen_context(system_u:object_r:clamd_etc_t,s0)
+/etc/amavisd(/.*)?		--	gen_context(system_u:object_r:clamd_etc_t,s0)
+
+/usr/sbin/amavisd.*		--	gen_context(system_u:object_r:clamd_exec_t,s0)
+
+ifdef(`distro_debian',`
+/usr/sbin/amavisd-new-cronjob  --      gen_context(system_u:object_r:clamd_exec_t,s0)
+')
+
+/var/amavis(/.*)?			gen_context(system_u:object_r:clamd_var_lib_t,s0)
+/var/lib/amavis(/.*)?			gen_context(system_u:object_r:clamd_var_lib_t,s0)
+/var/log/amavisd\.log		--	gen_context(system_u:object_r:clamd_var_lib_t,s0)
+/var/run/amavis(d)?(/.*)?		gen_context(system_u:object_r:clamd_var_lib_t,s0)
+/var/spool/amavisd(/.*)?		gen_context(system_u:object_r:clamd_spool_t,s0)
+/var/virusmails(/.*)?			gen_context(system_u:object_r:clamd_spool_t,s0)
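Review bot: `/etc/amavisd(/.*)?		--	gen_context(system_u:object_r:clamd_etc_t,s0)` combines a directory-tree pattern with the `--` regular-file qualifier, so the directory /etc/amavisd itself is never labeled clamd_etc_t; drop the `--` as the `/var/lib/amavis(/.*)?` entries below do. `/var/run/amavis(d)?(/.*)?` labels the pid directory `clamd_var_lib_t` while the existing `/var/run/amavis(d)?/clamd\.pid` entry uses `clamd_var_run_t`, and `/var/log/amavisd\.log` gets `clamd_var_lib_t` rather than a log type; the three should follow the var_run/log conventions already used in this file. Running amavisd under `clamd_exec_t` also merges two daemons into one domain — a comment saying this is intentional would spare the next reader the question.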
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/dkim.fc
+++ refpolicy-0.0.20080702/policy/modules/services/dkim.fc
@@ -0,0 +1,6 @@
+/etc/dkim(/.*)?			gen_context(system_u:object_r:dkim_etc_t,s0)
+/etc/dkim-filter.conf	--	gen_context(system_u:object_r:dkim_etc_t,s0)
+
+/usr/sbin/dkim-filter	--	gen_context(system_u:object_r:dkim_exec_t,s0)
+
+/var/run/dkim-filter(/.*)? 	gen_context(system_u:object_r:dkim_var_run_t,s0)
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/dbus.fc
+++ refpolicy-0.0.20080702/policy/modules/services/dbus.fc
@@ -8,6 +8,9 @@
 
 /var/run/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 
+ifdef(`distro_debian',`
+/usr/lib/gnome-vfs-2.0/gnome-vfs-daemon -- gen_context(system_u:object_r:bin_t,s0)
+')
 ifdef(`distro_redhat',`
 /var/named/chroot/var/run/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 ')
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/lda.te
+++ refpolicy-0.0.20080702/policy/modules/services/lda.te
@@ -0,0 +1,168 @@
+
+policy_module(lda, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type lda_t;
+typealias lda_t alias procmail_t;
+type lda_exec_t;
+typealias lda_exec_t alias procmail_exec_t;
+application_domain(lda_t,lda_exec_t)
+role system_r types lda_t;
+
+type lda_tmp_t;
+typealias lda_tmp_t alias procmail_tmp_t;
+files_tmp_file(lda_tmp_t)
+
+type lda_etc_t;
+files_config_file(lda_etc_t)
+
+type lda_log_t;
+logging_log_file(lda_log_t)
+manage_files_pattern(lda_t,lda_log_t,lda_log_t)
+logging_log_filetrans(lda_t,lda_log_t,file)
+
+
+########################################
+#
+# Local policy
+#
+
+allow lda_t self:capability { sys_nice chown setuid setgid dac_override };
+allow lda_t self:process { setsched signal signull };
+allow lda_t self:fifo_file rw_fifo_file_perms;
+allow lda_t self:unix_stream_socket create_socket_perms;
+allow lda_t self:unix_dgram_socket create_socket_perms;
+allow lda_t self:tcp_socket create_stream_socket_perms;
+allow lda_t self:udp_socket create_socket_perms;
+read_files_pattern(lda_t,lda_etc_t,lda_etc_t)
+read_lnk_files_pattern(lda_t,lda_etc_t,lda_etc_t)
+
+can_exec(lda_t,lda_exec_t)
+
+allow lda_t lda_tmp_t:file manage_file_perms;
+files_tmp_filetrans(lda_t, lda_tmp_t, file)
+
+kernel_read_system_state(lda_t)
+kernel_read_kernel_sysctls(lda_t)
+
+corenet_all_recvfrom_unlabeled(lda_t)
+corenet_all_recvfrom_netlabel(lda_t)
+corenet_tcp_sendrecv_all_if(lda_t)
+corenet_udp_sendrecv_all_if(lda_t)
+corenet_tcp_sendrecv_all_nodes(lda_t)
+corenet_udp_sendrecv_all_nodes(lda_t)
+corenet_tcp_sendrecv_all_ports(lda_t)
+corenet_udp_sendrecv_all_ports(lda_t)
+corenet_udp_bind_all_nodes(lda_t)
+corenet_tcp_connect_spamd_port(lda_t)
+corenet_sendrecv_spamd_client_packets(lda_t)
+corenet_sendrecv_comsat_client_packets(lda_t)
+
+dev_read_urand(lda_t)
+
+fs_getattr_xattr_fs(lda_t)
+fs_search_auto_mountpoints(lda_t)
+fs_rw_anon_inodefs_files(lda_t)
+
+auth_use_nsswitch(lda_t)
+
+corecmd_exec_bin(lda_t)
+corecmd_exec_shell(lda_t)
+
+files_read_etc_files(lda_t)
+files_read_etc_runtime_files(lda_t)
+files_search_pids(lda_t)
+# for spamassasin
+files_read_usr_files(lda_t)
+
+libs_use_ld_so(lda_t)
+libs_use_shared_libs(lda_t)
+
+logging_send_syslog_msg(lda_t)
+
+miscfiles_read_localization(lda_t)
+
+# only works until we define a different type for maildir
+userdom_priveleged_home_dir_manager(lda_t)
+
+optional_policy(`
+	gen_require(`
+		bool daemon_access_unconfined_home;
+	')
+	tunable_policy(`daemon_access_unconfined_home', `
+		unconfined_write_home_content_files(lda_t)
+	')
+')
+
+# Do not audit attempts to access /root.
+staff_dontaudit_search_home_dirs(lda_t)
+sysadm_dontaudit_search_home_dirs(lda_t)
+
+mta_manage_spool(lda_t)
+
+ifdef(`hide_broken_symptoms',`
+	mta_dontaudit_rw_queue(lda_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(lda_t)
+	fs_manage_nfs_files(lda_t)
+	fs_manage_nfs_symlinks(lda_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_dirs(lda_t)
+	fs_manage_cifs_files(lda_t)
+	fs_manage_cifs_symlinks(lda_t)
+')
+
+optional_policy(`
+	clamav_domtrans_clamscan(lda_t)
+	clamav_search_lib(lda_t)
+')
+
+optional_policy(`
+	munin_dontaudit_search_lib(lda_t)
+')
+
+optional_policy(`
+	# for a bug in the postfix local program
+	postfix_dontaudit_rw_local_tcp_sockets(lda_t)
+	postfix_dontaudit_use_fds(lda_t)
+	postfix_read_spool_files(lda_t)
+	postfix_read_local_state(lda_t)
+	postfix_read_master_state(lda_t)
+')
+
+optional_policy(`
+	pyzor_domtrans(lda_t)
+')
+
+optional_policy(`
+	mta_read_config(lda_t)
+	sendmail_domtrans(lda_t)
+	sendmail_rw_tcp_sockets(lda_t)
+	sendmail_rw_unix_stream_sockets(lda_t)
+')
+
+optional_policy(`
+	corenet_udp_bind_generic_port(lda_t)
+	corenet_dontaudit_udp_bind_all_ports(lda_t)
+
+	spamassassin_exec(lda_t)
+	spamassassin_exec_client(lda_t)
+	spamassassin_read_lib_files(lda_t)
+')
+
+optional_policy(`
+	courier_search_config(lda_t)
+	courier_authdaemon_client(lda_t)
+')
+
+optional_policy(`
+	dovecot_auth_client(lda_t)
+')
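Review bot: `allow lda_t self:capability { sys_nice chown setuid setgid dac_override };` carries no explanation, whereas milter.te in this same patch documents every capability grant; together with `userdom_priveleged_home_dir_manager(lda_t)` and `mta_manage_spool(lda_t)` this is the broadest grant in the module and deserves a line such as `# chown/setuid/setgid: deliver as the recipient; dac_override: write mailboxes the LDA does not own — TODO confirm which are needed by Debian's procmail/maildrop`. The `optional_policy` block requiring `bool daemon_access_unconfined_home` uses `tunable_policy`, which is the right form (dovecot.te in this patch uses a raw `if`). The comment `# for spamassasin` misspells spamassassin.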
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/dkim.te
+++ refpolicy-0.0.20080702/policy/modules/services/dkim.te
@@ -0,0 +1,65 @@
+
+policy_module(dkim,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# Main dkim domain
+type dkim_t;
+type dkim_exec_t;
+init_daemon_domain(dkim_t, dkim_exec_t)
+
+# configuration files
+type dkim_etc_t;
+files_type(dkim_etc_t)
+
+# pid files
+type dkim_var_run_t;
+files_pid_file(dkim_var_run_t)
+manage_files_pattern(dkim_t, dkim_var_run_t, dkim_var_run_t)
+
+########################################
+#
+# dkim local policy
+#
+
+allow dkim_t self:capability { setgid setuid };
+allow dkim_t self:fifo_file rw_fifo_file_perms;
+allow dkim_t self:unix_stream_socket create_stream_socket_perms;
+allow dkim_t self:tcp_socket { listen accept };
+allow dkim_t self:process signal;
+files_search_tmp(dkim_t)
+
+# configuration files
+allow dkim_t dkim_etc_t:dir list_dir_perms;
+read_files_pattern(dkim_t,dkim_etc_t,dkim_etc_t)
+read_lnk_files_pattern(dkim_t,dkim_etc_t,dkim_etc_t)
+
+manage_sock_files_pattern(dkim_t,dkim_var_run_t,dkim_var_run_t)
+
+corenet_all_recvfrom_unlabeled(dkim_t)
+corenet_all_recvfrom_netlabel(dkim_t)
+corenet_tcp_sendrecv_all_if(dkim_t)
+corenet_tcp_sendrecv_all_nodes(dkim_t)
+corenet_tcp_sendrecv_all_ports(dkim_t)
+corenet_tcp_bind_all_nodes(dkim_t)
+
+dev_read_rand(dkim_t)
+dev_read_urand(dkim_t)
+
+files_read_etc_files(dkim_t)
+
+libs_use_ld_so(dkim_t)
+libs_use_shared_libs(dkim_t)
+
+logging_send_syslog_msg(dkim_t)
+
+miscfiles_read_localization(dkim_t)
+
+sysnet_dns_name_resolve(dkim_t)
+
+kernel_read_system_state(dkim_t)
+kernel_read_sysctl(dkim_t)
+kernel_read_kernel_sysctls(dkim_t)
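Review bot: `allow dkim_t self:tcp_socket { listen accept };` is incomplete on its own — without `create_stream_socket_perms` (or an inherited socket) the daemon cannot create or bind the socket that `corenet_tcp_bind_all_nodes(dkim_t)` prepares for, and no `corenet_tcp_bind_*_port` call follows. If dkim-filter listens only on the unix socket under `dkim_var_run_t` (see `manage_sock_files_pattern`), the tcp lines can go; if it listens on TCP, use `allow dkim_t self:tcp_socket create_stream_socket_perms;` plus the port interface. `dkim_etc_t` is declared with `files_type` while the comparable `nrpe_etc_t` in nagios.te uses `files_config_file`; `files_config_file(dkim_etc_t)` is the idiom for configuration types.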
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/courier.if
+++ refpolicy-0.0.20080702/policy/modules/services/courier.if
@@ -29,7 +29,7 @@
 	allow courier_$1_t self:capability dac_override;
 	dontaudit courier_$1_t self:capability sys_tty_config;
 	allow courier_$1_t self:process { setpgid signal_perms };
-	allow courier_$1_t self:fifo_file { read write getattr };
+	allow courier_$1_t self:fifo_file rw_fifo_file_perms;
 	allow courier_$1_t self:tcp_socket create_stream_socket_perms;
 	allow courier_$1_t self:udp_socket create_socket_perms;
 
@@ -107,6 +107,26 @@
 
 ########################################
 ## <summary>
+##	Client access to the Courier Auth daemon
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`courier_authdaemon_client',`
+	gen_require(`
+		type courier_authdaemon_t, courier_var_run_t;
+	')
+
+	allow $1 courier_authdaemon_t:unix_stream_socket connectto;
+	allow $1 courier_var_run_t:dir search;
+	allow $1 courier_var_run_t:sock_file write;
+')
+
+########################################
+## <summary>
 ##	Execute the courier POP3 and IMAP server with
 ##	a domain transition.
 ## </summary>
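Review bot: The parameter of `courier_authdaemon_client` is documented as `<param name="prefix">` but the body uses `$1` as a domain (`allow $1 courier_authdaemon_t:unix_stream_socket connectto;`), so the generated interface documentation mislabels it; the same mismatch is in `courier_search_config` in the next hunk. Rename both to `## <param name="domain">` as dovecot.if's `dovecot_auth_client` does. The three raw `allow` lines could be expressed as `stream_connect_pattern($1, courier_var_run_t, courier_var_run_t, courier_authdaemon_t)`, matching the dovecot interface.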
@@ -123,3 +143,21 @@
 
 	domtrans_pattern($1, courier_pop_exec_t, courier_pop_t)
 ')
+
+########################################
+## <summary>
+##	Search the courier config directory
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`courier_search_config',`
+	gen_require(`
+		type courier_etc_t;
+	')
+
+	allow $1 courier_etc_t:dir list_dir_perms;
+')
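Review bot: `courier_search_config` grants `list_dir_perms` on `courier_etc_t`, which is broader than the `search` its name and summary promise. Either narrow the body to `allow $1 courier_etc_t:dir search_dir_perms;` or rename the interface (e.g. `courier_list_config`) and change the summary to `List the courier config directory` so callers such as lda.te get what the name says.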
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/zebra.te
+++ refpolicy-0.0.20080702/policy/modules/services/zebra.te
@@ -37,7 +37,7 @@
 
 allow zebra_t self:capability { setgid setuid net_admin net_raw };
 dontaudit zebra_t self:capability sys_tty_config;
-allow zebra_t self:process { signal_perms setcap };
+allow zebra_t self:process { signal_perms getcap setcap };
 allow zebra_t self:file { ioctl read write getattr lock append };
 allow zebra_t self:unix_dgram_socket create_socket_perms;
 allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/dovecot.te
+++ refpolicy-0.0.20080702/policy/modules/services/dovecot.te
@@ -120,6 +120,16 @@
 sysadm_dontaudit_search_home_dirs(dovecot_t)
 
 optional_policy(`
+	gen_require(`
+		bool daemon_access_unconfined_home;
+	')
+	if(daemon_access_unconfined_home) {
+		unconfined_write_home_content_files(dovecot_t)
+	}
+')
+
+
+optional_policy(`
 	kerberos_use(dovecot_t)
 ')
 
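Review bot: The new block tests the boolean with a raw `if(daemon_access_unconfined_home) { ... }` inside `optional_policy`, while lda.te in this same patch wraps the identical rule in `tunable_policy(`daemon_access_unconfined_home', ...)`; tunable_policy is the refpolicy form and keeps the two modules consistent. Change the three lines to `tunable_policy(`daemon_access_unconfined_home', `` / `unconfined_write_home_content_files(dovecot_t)` / `')`. The hunk also leaves a doubled blank line after the block.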
@@ -140,13 +150,15 @@
 # dovecot auth local policy
 #
 
-allow dovecot_auth_t self:capability { setgid setuid };
+manage_sock_files_pattern(dovecot_auth_t,dovecot_var_run_t,dovecot_var_run_t)
+allow dovecot_auth_t self:capability { setgid setuid chown };
 allow dovecot_auth_t self:process signal_perms;
 allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
 allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
 allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
 
-allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
+allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto getattr accept read write ioctl };
+allow dovecot_auth_t dovecot_var_run_t:sock_file write;
 
 allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
 
@@ -187,3 +199,13 @@
 optional_policy(`
 	logging_send_syslog_msg(dovecot_auth_t)
 ')
+
+optional_policy(`
+	mysql_tcp_connect(dovecot_auth_t)
+	mysql_stream_connect(dovecot_auth_t)
+')
+
+optional_policy(`
+	postgresql_tcp_connect(dovecot_auth_t)
+	postgresql_stream_connect(dovecot_auth_t)
+')
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/nagios.te
+++ refpolicy-0.0.20080702/policy/modules/services/nagios.te
@@ -30,9 +30,22 @@
 type nrpe_exec_t;
 init_daemon_domain(nrpe_t, nrpe_exec_t)
 
+type nrpe_var_run_t;
+files_pid_file(nrpe_var_run_t)
+
 type nrpe_etc_t;
 files_config_file(nrpe_etc_t)
 
+files_read_usr_files(nrpe_t)
+
+mta_send_mail(nrpe_t)
+optional_policy(`
+	postfix_per_role_template(system, nrpe_t, system_r)
+	postfix_list_spool(nrpe_t)
+	postfix_read_spool_files(nrpe_t)
+')
+files_search_spool(nrpe_t)
+
 ########################################
 #
 # Nagios local policy
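Review bot: `files_read_usr_files(nrpe_t)`, `mta_send_mail(nrpe_t)`, the postfix `optional_policy` block and `files_search_spool(nrpe_t)` are placed in the Declarations section, ahead of the `# Nagios local policy` header, while the rest of nrpe_t's rules live in the "Nagios remote plugin executor local policy" section later in the file; move them there so the declarations section holds only type declarations. `postfix_per_role_template(system, nrpe_t, system_r)` is a heavy template for a daemon that only needs to send mail — if `mta_send_mail` alone is insufficient, a comment stating what nrpe does with postfix would justify it.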
@@ -88,6 +101,7 @@
 files_read_kernel_symbol_table(nagios_t)
 
 fs_getattr_all_fs(nagios_t)
+fs_getattr_all_dirs(nagios_t)
 fs_search_auto_mountpoints(nagios_t)
 
 # for who
@@ -173,16 +187,41 @@
 # Nagios remote plugin executor local policy
 #
 
-dontaudit nrpe_t self:capability sys_tty_config;
-allow nrpe_t self:process { setpgid signal_perms };
+dontaudit nrpe_t self:capability { sys_resource sys_tty_config };
+allow nrpe_t self:capability { setgid setuid };
+allow nrpe_t self:process { setpgid signal_perms setsched };
 allow nrpe_t self:fifo_file rw_fifo_file_perms;
+dontaudit nrpe_t self:process { ptrace setrlimit };
+
+manage_files_pattern(nrpe_t, nrpe_var_run_t, nrpe_var_run_t)
+files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
+
+type nrpe_tmp_t;
+files_tmp_file(nrpe_tmp_t)
+manage_dirs_pattern(nrpe_t, nrpe_tmp_t, nrpe_tmp_t)
+manage_files_pattern(nrpe_t, nrpe_tmp_t, nrpe_tmp_t)
+files_tmp_filetrans(nrpe_t, nrpe_tmp_t, { file dir })
 
 allow nrpe_t nrpe_etc_t:file { getattr read };
+files_read_etc_files(nrpe_t)
 files_search_etc(nrpe_t)
+allow nrpe_t nagios_etc_t:dir list_dir_perms;
 
 kernel_read_system_state(nrpe_t)
 kernel_read_kernel_sysctls(nrpe_t)
 
+corenet_all_recvfrom_unlabeled(nrpe_t)
+corenet_all_recvfrom_netlabel(nrpe_t)
+corenet_tcp_sendrecv_all_if(nrpe_t)
+corenet_tcp_sendrecv_all_nodes(nrpe_t)
+corenet_tcp_sendrecv_generic_port(nrpe_t)
+corenet_tcp_bind_all_nodes(nrpe_t)
+corenet_tcp_bind_nrpe_port(nrpe_t)
+allow nrpe_t self:tcp_socket create_stream_socket_perms;
+sysnet_dns_name_resolve(nrpe_t)
+
+allow nrpe_t self:netlink_route_socket create_netlink_socket_perms;
+
 corecmd_exec_bin(nrpe_t)
 corecmd_exec_shell(nrpe_t)
 
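Review bot: `type nrpe_tmp_t;` / `files_tmp_file(nrpe_tmp_t)` is declared in the middle of the local policy section, whereas `nrpe_var_run_t` from the first hunk went into the Declarations section; keep both together. `allow nrpe_t self:capability { setgid setuid };` has no why-comment — something like `# nrpe drops privileges to the nagios user after binding — confirm` would do — and `allow nrpe_t self:tcp_socket create_stream_socket_perms;` belongs with the other `self:` rules at the top of the section rather than between the corenet lines and `sysnet_dns_name_resolve`.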
@@ -204,6 +243,20 @@
 
 userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
 
+domain_read_all_domains_state(nrpe_t)
+fs_getattr_all_fs(nrpe_t)
+fs_getattr_all_dirs(nrpe_t)
+storage_getattr_fixed_disk_dev(nrpe_t)
+init_read_utmp(nrpe_t)
+
+term_dontaudit_getattr_all_user_ttys(nrpe_t)
+term_dontaudit_getattr_unallocated_ttys(nrpe_t)
+term_dontaudit_getattr_all_user_ptys(nrpe_t)
+
+optional_policy(`
+	can_exec_sudo(nrpe_t)
+')
+
 optional_policy(`
 	inetd_tcp_service_domain(nrpe_t, nrpe_exec_t)
 ')
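Review bot: `can_exec_sudo(nrpe_t)` combined with the `setuid setgid` capabilities granted in the previous hunk lets plugins run sudo inside `nrpe_t` with no domain transition, so whatever sudo launches stays in the nrpe domain and inherits `domain_read_all_domains_state(nrpe_t)`; a comment should record why that is acceptable for a network-reachable daemon. The name also does not follow the `module_action` convention used by the sudo module's own interfaces (prefixed `sudo_`); if `can_exec_sudo` is a Debian-local interface, check whether a transition-based one would do instead.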
@@ -219,3 +272,14 @@
 optional_policy(`
         udev_read_db(nrpe_t)
 ')
+
+optional_policy(`
+        mysql_tcp_connect(nrpe_t)
+        mysql_stream_connect(nrpe_t)
+	mysql_read_config(nrpe_t)
+')
+
+optional_policy(`
+        postgresql_tcp_connect(nrpe_t)
+        postgresql_stream_connect(nrpe_t)
+')
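Review bot: Indentation in the new blocks mixes spaces (`        mysql_tcp_connect(nrpe_t)`) and a tab (`	mysql_read_config(nrpe_t)`); the other blocks this patch adds to the file (e.g. the postfix block in the first hunk) use tabs, so these lines should too. `mysql_read_config(nrpe_t)` has no postgresql counterpart — fine if intentional, but worth a glance.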
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/cron.if
+++ refpolicy-0.0.20080702/policy/modules/services/cron.if
@@ -39,14 +39,13 @@
 		type crond_t, cron_spool_t, crontab_exec_t;
 		class dbus send_msg;
 	')
+	typealias $1_t alias $1_crond_t;
 
 	# Type of user crontabs once moved to cron spool.
 	type $1_cron_spool_t, cron_spool_type;
 	files_type($1_cron_spool_t)
 
-	type $1_crond_t;
-	domain_type($1_crond_t)
-	domain_cron_exemption_target($1_crond_t)
+	domain_cron_exemption_target($1_t)
 	corecmd_shell_entry_type($1_crond_t)
 	role $3 types $1_crond_t;
 
@@ -62,12 +61,6 @@
 	# $1_crond_t local policy
 	#
 
-	allow $1_crond_t self:capability dac_override;
-	allow $1_crond_t self:process { signal_perms setsched };
-	allow $1_crond_t self:fifo_file rw_fifo_file_perms;
-	allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
-	allow $1_crond_t self:unix_dgram_socket create_socket_perms;
-
 	# The entrypoint interface is not used as this is not
 	# a regular entrypoint.  Since crontab files are
 	# not directly executed, crond must ensure that
@@ -81,109 +74,180 @@
 	# The transition is requested explicitly by the modified crond 
 	# via setexeccon.  There is no way to set up an automatic
 	# transition, since crontabs are configuration files, not executables.
-	allow crond_t $1_crond_t:process transition;
-	dontaudit crond_t $1_crond_t:process { noatsecure siginh rlimitinh };
-	allow crond_t $1_crond_t:fd use;
-	allow $1_crond_t crond_t:fd use;
-	allow $1_crond_t crond_t:fifo_file rw_file_perms;
-	allow $1_crond_t crond_t:process sigchld;
-
-	kernel_read_system_state($1_crond_t)
-	kernel_read_kernel_sysctls($1_crond_t)
-
-	# ps does not need to access /boot when run from cron
-	files_dontaudit_search_boot($1_crond_t)
-
-	corenet_all_recvfrom_unlabeled($1_crond_t)
-	corenet_all_recvfrom_netlabel($1_crond_t)
-	corenet_tcp_sendrecv_all_if($1_crond_t)
-	corenet_udp_sendrecv_all_if($1_crond_t)
-	corenet_tcp_sendrecv_all_nodes($1_crond_t)
-	corenet_udp_sendrecv_all_nodes($1_crond_t)
-	corenet_tcp_sendrecv_all_ports($1_crond_t)
-	corenet_udp_sendrecv_all_ports($1_crond_t)
-	corenet_tcp_connect_all_ports($1_crond_t)
-	corenet_sendrecv_all_client_packets($1_crond_t)
-
-	dev_read_urand($1_crond_t)
-
-	fs_getattr_all_fs($1_crond_t)
-
-	corecmd_exec_all_executables($1_crond_t)
-
-	# quiet other ps operations
-	domain_dontaudit_read_all_domains_state($1_crond_t)
-	domain_dontaudit_getattr_all_domains($1_crond_t)
-
-	files_read_usr_files($1_crond_t)
-	files_exec_etc_files($1_crond_t)
-	# for nscd:
-	files_dontaudit_search_pids($1_crond_t)
-
-	libs_use_ld_so($1_crond_t)
-	libs_use_shared_libs($1_crond_t)
-	libs_exec_lib_files($1_crond_t)
-	libs_exec_ld_so($1_crond_t)
-
-	files_read_etc_runtime_files($1_crond_t)
-	files_read_var_files($1_crond_t)
-	files_search_spool($1_crond_t)
-
-	logging_search_logs($1_crond_t)
-
-	seutil_read_config($1_crond_t)
-
-	miscfiles_read_localization($1_crond_t)
-
-	userdom_manage_user_tmp_files($1,$1_crond_t)
-	userdom_manage_user_tmp_symlinks($1,$1_crond_t)
-	userdom_manage_user_tmp_pipes($1,$1_crond_t)
-	userdom_manage_user_tmp_sockets($1,$1_crond_t)
-	# Run scripts in user home directory and access shared libs.
-	userdom_exec_user_home_content_files($1,$1_crond_t)
-	# Access user files and dirs.
-#	userdom_manage_user_home_subdir_dirs($1,$1_crond_t)
-	userdom_manage_user_home_content_files($1,$1_crond_t)
-	userdom_manage_user_home_content_symlinks($1,$1_crond_t)
-	userdom_manage_user_home_content_pipes($1,$1_crond_t)
-	userdom_manage_user_home_content_sockets($1,$1_crond_t)
-#	userdom_user_home_dir_filetrans_user_home_content($1,$1_crond_t,notdevfile_class_set)
+	allow crond_t $1_t:process transition;
+	dontaudit crond_t $1_t:process { noatsecure siginh rlimitinh };
+	allow crond_t $1_t:fd use;
+	allow $1_t crond_t:fd use;
+	allow $1_t crond_t:fifo_file rw_file_perms;
+	allow $1_t crond_t:process sigchld;
 
 	tunable_policy(`fcron_crond', `
 		allow crond_t $1_cron_spool_t:file manage_file_perms;
 	')
 
-	# need a per-role version of this:
-	#optional_policy(`
-	#	mono_domtrans($1_crond_t)
-	#')
+	##############################
+	#
+	# $1_crontab_t local policy
+	#
 
-	optional_policy(`
-		dbus_stub($1_crond_t)
+	# dac_override is to create the file in the directory under /tmp
+	allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
+	allow $1_crontab_t self:process signal_perms;
+
+	# Transition from the user domain to the derived domain.
+	domtrans_pattern($2, crontab_exec_t, $1_crontab_t)
+
+	# crontab shows up in user ps
+	ps_process_pattern($2,$1_crontab_t)
+
+	# for ^Z
+	allow $2 $1_crontab_t:process signal;
+
+	# Allow crond to read those crontabs in cron spool.
+	allow crond_t $1_cron_spool_t:file manage_file_perms;
+
+	allow $1_crontab_t $1_crontab_tmp_t:file manage_file_perms;
+	allow $1_crontab_t $1_crontab_tmp_t:dir manage_dir_perms;
+	files_tmp_filetrans($1_crontab_t,$1_crontab_tmp_t,{ file dir })
+	allow $2 $1_crontab_tmp_t:dir rw_dir_perms;
+	allow $2 $1_crontab_tmp_t:file manage_file_perms;
+
+	# create files in /var/spool/cron
+	manage_files_pattern($1_crontab_t,cron_spool_t,$1_cron_spool_t)
+	filetrans_pattern($1_crontab_t,cron_spool_t,$1_cron_spool_t,file)
+	files_search_spool($1_crontab_t)
+
+	# crontab signals crond by updating the mtime on the spooldir
+	allow $1_crontab_t cron_spool_t:dir setattr;
+
+	kernel_read_system_state($1_crontab_t)
+
+	# for the checks used by crontab -u
+	selinux_dontaudit_search_fs($1_crontab_t)
 
-		allow $1_crond_t $2:dbus send_msg;
-	')		
+	fs_getattr_xattr_fs($1_crontab_t)
+
+	# Run helper programs as the user domain
+	corecmd_bin_domtrans($1_crontab_t,$2)
+	corecmd_shell_domtrans($1_crontab_t,$2)
+	allow $2 $1_crontab_t:process sigchld;
+
+	domain_use_interactive_fds($1_crontab_t)
+
+	files_read_etc_files($1_crontab_t)
+	files_dontaudit_search_pids($1_crontab_t)
+
+	libs_use_ld_so($1_crontab_t)
+	libs_use_shared_libs($1_crontab_t)
+
+	logging_send_syslog_msg($1_crontab_t)
+
+	miscfiles_read_localization($1_crontab_t)
+
+	seutil_read_config($1_crontab_t)
+
+	userdom_manage_user_tmp_dirs($1,$1_crontab_t)
+	userdom_manage_user_tmp_files($1,$1_crontab_t)
+	# Access terminals.
+	userdom_use_user_terminals($1,$1_crontab_t)
+	# Read user crontabs
+	userdom_read_user_home_content_files($1,$1_crontab_t)
+
+	tunable_policy(`fcron_crond',`
+		# fcron wants an instant update of a crontab change
+		# also crontab does a security check for crontab -u
+		allow $1_crontab_t crond_t:process signal;
+		allow $1_crontab_t crond_var_run_t:file read_file_perms;
+
+		allow $1_crontab_t self:process setfscreate;
+		init_dontaudit_rw_utmp($1_crontab_t)
+		can_exec($1_crontab_t, crontab_exec_t)
+	')
 
 	optional_policy(`
-		nis_use_ypbind($1_crond_t)
+		nscd_socket_use($1_crontab_t)
 	')
 
 	ifdef(`TODO',`
-	optional_policy(`
-		create_dir_file($1_crond_t, httpd_$1_content_t)
+	# Read user crontabs
+	dontaudit $1_crontab_t $1_home_dir_t:dir write;
+	') dnl endif TODO
+')
+
+#######################################
+## <summary>
+##	Per-role template which uses an existing domain for the cron job
+## </summary>
+## <desc>
+##	<p>
+##	This template allows crond to run programs in an existing domain.
+##	A type for the user crontab is created.
+##	</p>
+##	<p>
+##	This template was written for unconfined_t.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`cron_existing_domain_per_role_template', `
+	gen_require(`
+		attribute cron_spool_type;
+		type crond_t, cron_spool_t, crontab_exec_t;
+		class dbus send_msg;
 	')
-	allow $1_crond_t tmp_t:dir rw_dir_perms;
-	type_transition $1_crond_t $1_tmp_t:{ file lnk_file sock_file fifo_file } $1_tmp_t;
 
-	ifdef(`mta.te', `
-		domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
-		allow $1_crond_t sendmail_exec_t:lnk_file read_lnk_file_perms;
-
-		# $1_mail_t should only be reading from the cron fifo not needing to write
-		dontaudit $1_mail_t crond_t:fifo_file write;
-		allow mta_user_agent $1_crond_t:fd use;
+	# Type of user crontabs once moved to cron spool.
+	type $1_cron_spool_t, cron_spool_type;
+	files_type($1_cron_spool_t)
+
+	typealias $2 alias $1_crond_t;
+	domain_cron_exemption_target($2)
+
+	type $1_crontab_t;
+	application_domain($1_crontab_t,crontab_exec_t)
+	role $3 types $1_crontab_t;
+
+	type $1_crontab_tmp_t;
+	files_tmp_file($1_crontab_tmp_t)
+
+	# The entrypoint interface is not used as this is not
+	# a regular entrypoint.  Since crontab files are
+	# not directly executed, crond must ensure that
+	# the crontab file has a type that is appropriate
+	# for the domain of the user cron job.  It
+	# performs an entrypoint permission check
+	# for this purpose.
+	allow $2 $1_cron_spool_t:file entrypoint;
+
+	# Permit a transition from the crond_t domain to this domain.
+	# The transition is requested explicitly by the modified crond 
+	# via setexeccon.  There is no way to set up an automatic
+	# transition, since crontabs are configuration files, not executables.
+	allow crond_t $2:process transition;
+	dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+	allow crond_t $2:fd use;
+	allow $2 crond_t:fd use;
+	allow $2 crond_t:fifo_file rw_file_perms;
+	allow $2 crond_t:process sigchld;
+
+	tunable_policy(`fcron_crond', `
+		allow crond_t $1_cron_spool_t:file manage_file_perms;
 	')
-	') dnl endif TODO
 
 	##############################
 	#
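Review bot: Collapsing `$1_crond_t` into the user domain (`allow crond_t $1_t:process transition;` plus the alias) means a user's cron jobs now run with the full interactive user domain's permissions instead of the narrower set the removed rules defined; the surviving comments only explain the entrypoint mechanism, so the template's summary (outside this hunk) and a comment beside the transition rules should state this widening and why it was chosen. In the new `cron_existing_domain_per_role_template`, `typealias $2 alias $1_crond_t;` is emitted once per instantiation, so instantiating it twice for the same `$2` with different prefixes may conflict (hedged — depends on callers). `class dbus send_msg;` is required but no dbus rule is visible in the new template's body within this hunk; the template continues past it, so confirm it is used or drop it.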
@@ -207,7 +271,8 @@
 	allow crond_t $1_cron_spool_t:file manage_file_perms;
 
 	allow $1_crontab_t $1_crontab_tmp_t:file manage_file_perms;
-	files_tmp_filetrans($1_crontab_t,$1_crontab_tmp_t,file)
+	allow $1_crontab_t $1_crontab_tmp_t:dir manage_dir_perms;
+	files_tmp_filetrans($1_crontab_t,$1_crontab_tmp_t,{ file dir })
 
 	# create files in /var/spool/cron
 	manage_files_pattern($1_crontab_t,cron_spool_t,$1_cron_spool_t)
@@ -286,14 +351,12 @@
 template(`cron_admin_template',`
 	gen_require(`
 		attribute cron_spool_type;
-		type $1_crontab_t, $1_crond_t;
+		type $1_crontab_t;
 	')
 
 	# Allow our crontab domain to unlink a user cron spool file.
 	allow $1_crontab_t cron_spool_type:file { getattr read unlink };
 
-	logging_read_generic_logs($1_crond_t)
-
 	# Manipulate other users crontab.
 	selinux_get_fs_mount($1_crontab_t)
 	selinux_validate_context($1_crontab_t)
@@ -584,3 +647,22 @@
 
 	dontaudit $1 system_crond_tmp_t:file append;
 ')
+
+########################################
+## <summary>
+##	Allow crond to search directories that are home directories for
+##	accounts used or parent directories of home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type of directory that crond_t may search.
+##	</summary>
+## </param>
+#
+interface(`crond_search_dir',`
+	gen_require(`
+		type crond_t;
+	')
+
+	allow crond_t $1:dir search;
+')
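Review bot: The new interface is named `crond_search_dir`, while every other interface in this module is prefixed with the module name (`cron_`), so readers and tools that look up cron interfaces by prefix will miss it; `cron_search_dir` would follow the convention. The parameter is documented as `<param name="domain">` but `$1` is the directory type being searched, not a calling domain, so the param name should be something like `dir_type` to match its own summary text. The summary sentence is also hard to parse; `Allow crond to search directories of the given type (home directories of accounts with crontabs, or their parents).` states the same intent more plainly.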
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/jabber.fc
+++ refpolicy-0.0.20080702/policy/modules/services/jabber.fc
@@ -1,4 +1,7 @@
 /usr/sbin/jabberd	--	gen_context(system_u:object_r:jabberd_exec_t,s0)
+/usr/sbin/ejabberd	--	gen_context(system_u:object_r:jabberd_exec_t,s0)
 
 /var/lib/jabber(/.*)?		gen_context(system_u:object_r:jabberd_var_lib_t,s0)
+/var/lib/ejabberd(/.*)?		gen_context(system_u:object_r:jabberd_var_lib_t,s0)
 /var/log/jabber(/.*)?		gen_context(system_u:object_r:jabberd_log_t,s0)
+/var/log/ejabberd(/.*)?		gen_context(system_u:object_r:jabberd_log_t,s0)
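Review bot: Labelling the ejabberd paths with the jabberd types means both daemons run in the same domain with one shared set of permissions, which is a reasonable stable-update choice but deserves a comment in the .fc, e.g. `# ejabberd shares the jabberd domain`. If ejabberd on Debian is launched through a wrapper script or the Erlang VM rather than by executing `/usr/sbin/ejabberd` directly, the `jabberd_exec_t` entrypoint would never be hit and the daemon would stay in the caller's domain — worth confirming against how the init script starts it before relying on this label.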
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/dictd.te
+++ refpolicy-0.0.20080702/policy/modules/services/dictd.te
@@ -13,6 +13,11 @@
 type dictd_etc_t;
 files_config_file(dictd_etc_t)
 
+type dictd_var_run_t;
+files_pid_file(dictd_var_run_t)
+files_pid_filetrans(dictd_t, dictd_var_run_t, { file })
+manage_files_pattern(dictd_t, dictd_var_run_t, dictd_var_run_t)
+
 type dictd_var_lib_t alias var_lib_dictd_t;
 files_type(dictd_var_lib_t)
 
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/ppp.te
+++ refpolicy-0.0.20080702/policy/modules/services/ppp.te
@@ -155,6 +155,7 @@
 files_exec_etc_files(pppd_t)
 files_manage_etc_runtime_files(pppd_t)
 files_dontaudit_write_etc_files(pppd_t)
+kernel_request_load_module(pppd_t)
 
 # for scripts
 files_read_etc_files(pppd_t)
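Review bot: `kernel_request_load_module(pppd_t)` relies on the new `module_request` permission that the access_vectors hunk of this patch adds to the kernel class, and on an interface of that name in kernel.if, which is not part of the visible patch; if kernel.if is not updated in the same upload the module will fail to build. The same call is added for insmod_t, iptables_t and mount_t in the modutils.te, iptables.te and mount.te hunks. Because module_request lets a domain cause the kernel to autoload modules by name, each grant should carry a comment naming the trigger, e.g. `# autoloads <module name> on device open — TODO confirm`, so the permission can be audited and pruned later.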
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/exim.te
+++ refpolicy-0.0.20080702/policy/modules/services/exim.te
@@ -6,21 +6,6 @@
 # Declarations
 #
 
-## <desc>
-## <p>
-## Allow exim to read unprivileged user files.
-## </p>
-## </desc>
-gen_tunable(exim_read_user_files,false)
-
-## <desc>
-## <p>
-## Allow exim to create, read, write, and delete
-## unprivileged user files.
-## </p>
-## </desc>
-gen_tunable(exim_manage_user_files,false)
-
 type exim_t;
 type exim_exec_t;
 init_daemon_domain(exim_t, exim_exec_t)
@@ -42,6 +27,12 @@
 # exim local policy
 #
 
+ifdef(`distro_debian', `
+# for /var/lib/exim4/config.autogenerated
+files_read_var_lib_files(exim_t)
+')
+
+allow exim_t self:process setrlimit;
 allow exim_t self:capability { dac_override dac_read_search setuid setgid fowner chown };
 allow exim_t self:fifo_file rw_fifo_file_perms;
 allow exim_t self:unix_stream_socket create_stream_socket_perms;
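Review bot: `files_read_var_lib_files(exim_t)` grants read access to every generic `var_lib_t` file, which is considerably broader than the single `/var/lib/exim4/config.autogenerated` named in the comment; if the exim4 directory can carry a module-specific type (an exim var_lib type, should the module declare one) that would be the tighter rule, and otherwise the comment should say the broad grant is deliberate. The body of this `ifdef(`distro_debian', ...)` block is not indented, unlike the other ifdef blocks in this patch. `allow exim_t self:process setrlimit;` would also benefit from a one-line reason comment.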
@@ -71,6 +62,7 @@
 
 corecmd_search_bin(exim_t)
 
+kernel_read_network_state(exim_t)
 corenet_all_recvfrom_unlabeled(exim_t)
 corenet_tcp_sendrecv_all_if(exim_t)
 corenet_tcp_sendrecv_all_nodes(exim_t)
@@ -90,6 +82,7 @@
 domain_use_interactive_fds(exim_t)
 
 files_read_etc_files(exim_t)
+fs_getattr_xattr_fs(exim_t)
 
 auth_use_nsswitch(exim_t)
 
@@ -102,20 +95,10 @@
 
 sysnet_dns_name_resolve(exim_t)
 
-unprivuser_dontaudit_search_home_dirs(exim_t)
+mta_mailserver_delivery(exim_t)
 
 mta_read_aliases(exim_t)
 mta_rw_spool(exim_t)
 
 sysadm_dontaudit_search_home_dirs(exim_t)
 
-tunable_policy(`exim_read_user_files',`
-	userdom_read_unpriv_users_home_content_files(exim_t)
-	userdom_read_unpriv_users_tmp_files(exim_t)
-')
-
-tunable_policy(`exim_manage_user_files',`
-	userdom_manage_unpriv_users_home_content_dirs(exim_t)
-	userdom_read_unpriv_users_tmp_files(exim_t)
-	userdom_write_unpriv_users_tmp_files(exim_t)
-')
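Review bot: The `exim_read_user_files` and `exim_manage_user_files` booleans are removed from exim.te with no replacement visible in this file; administrators who set them with `setsebool` or in a customised policy will silently lose that configuration after the upgrade. If `mta_mailserver_delivery(exim_t)` is intended to take over via the generic mta booleans (presumably the case, though not visible here), the changelog should name the replacement booleans, and a comment such as `# user-file access is now governed by the generic mta booleans` at the `mta_mailserver_delivery` line would stop a future reader from re-adding the tunables.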
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/services/apache.fc
+++ refpolicy-0.0.20080702/policy/modules/services/apache.fc
@@ -52,6 +52,7 @@
 /var/lib/httpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/php/session(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
 /var/lib/squirrelmail/prefs(/.*)?	gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
+/var/lib/squirrelmail/data(/.*)?	gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
 
 /var/log/apache(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/apps/webalizer.te
+++ refpolicy-0.0.20080702/policy/modules/apps/webalizer.te
@@ -48,6 +48,7 @@
 allow webalizer_t self:udp_socket { connect connected_socket_perms };
 allow webalizer_t self:netlink_route_socket r_netlink_socket_perms;
 
+files_read_usr_files(webalizer_t)
 allow webalizer_t webalizer_etc_t:file { getattr read };
 
 manage_dirs_pattern(webalizer_t,webalizer_tmp_t,webalizer_tmp_t)
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/system/udev.fc
+++ refpolicy-0.0.20080702/policy/modules/system/udev.fc
@@ -10,7 +10,12 @@
 
 /etc/udev/scripts/.+ --	gen_context(system_u:object_r:udev_helper_exec_t,s0)
 
+ifdef(`distro_debian', `
+/lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
+/var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
+', `
 /sbin/start_udev --	gen_context(system_u:object_r:udev_exec_t,s0)
+')
 /sbin/udev	--	gen_context(system_u:object_r:udev_exec_t,s0)
 /sbin/udevd	--	gen_context(system_u:object_r:udev_exec_t,s0)
 /sbin/udevsend	--	gen_context(system_u:object_r:udev_exec_t,s0)
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/system/iscsi.te
+++ refpolicy-0.0.20080702/policy/modules/system/iscsi.te
@@ -1,5 +1,5 @@
 
-policy_module(iscsid,1.4.0)
+policy_module(iscsi,1.4.0)
 
 ########################################
 #
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/system/fstools.te
+++ refpolicy-0.0.20080702/policy/modules/system/fstools.te
@@ -184,4 +184,5 @@
 
 optional_policy(`
 	xen_append_log(fsadm_t)
+	xen_rw_image_files(fsadm_t)
 ')
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/system/udev.if
+++ refpolicy-0.0.20080702/policy/modules/system/udev.if
@@ -131,3 +131,21 @@
 	dev_list_all_dev_nodes($1)
 	allow $1 udev_tdb_t:file rw_file_perms;
 ')
+
+########################################
+## <summary>
+##	Allow process to remove udev table files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`udev_unlink_table',`
+	gen_require(`
+		type udev_tbl_t;
+	')
+
+	allow $1 udev_tbl_t:file unlink;
+')
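Review bot: `allow $1 udev_tbl_t:file unlink;` is not sufficient to delete a file on its own: unlinking also requires `remove_name` on the containing directory, which this interface does not grant, so every caller would need a separate rule for the parent directory type. If the table files live in a directory of the same type, `delete_files_pattern($1, udev_tbl_t, udev_tbl_t)` is the refpolicy idiom and covers both sides. The existing interface just above requires `udev_tdb_t` while the new one requires `udev_tbl_t`; if one is an alias of the other, the two spellings should be unified so the `gen_require` matches the name udev.te actually declares.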
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/system/unconfined.if
+++ refpolicy-0.0.20080702/policy/modules/system/unconfined.if
@@ -103,6 +103,7 @@
 	optional_policy(`
 		xserver_unconfined($1)
 	')
+
 ')
 
 ########################################
@@ -618,6 +619,45 @@
 
 ########################################
 ## <summary>
+##	Read/write/create files in unconfined users home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_write_home_content_files',`
+	gen_require(`
+		type unconfined_home_dir_t, unconfined_home_t;
+	')
+
+	files_search_home($1)
+	userdom_user_home_dir_filetrans_user_home_content(unconfined, $1, { dir file })
+	userdom_manage_user_home_content_files(unconfined, $1)
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to search the unconfined
+##      users home directory.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+#
+interface(`unconfined_dontaudit_search_home_dirs',`
+        gen_require(`
+                type unconfined_home_dir_t;
+        ')
+
+        dontaudit $1 unconfined_home_dir_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Read unconfined users temporary files.
 ## </summary>
 ## <param name="domain">
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/system/xen.te
+++ refpolicy-0.0.20080702/policy/modules/system/xen.te
@@ -34,6 +34,9 @@
 files_type(xend_var_lib_t)
 # for mounting an NFS store
 files_mountpoint(xend_var_lib_t)
+fs_getattr_xattr_fs(xend_t)
+# for /var/lib/python-support/python2.5/.path
+files_read_var_lib_files(xend_t)
 
 # log files
 type xend_var_log_t;
@@ -123,10 +126,7 @@
 files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir })
 
 # transition to store
-domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
-allow xenstored_t xend_t:fd use;
-allow xenstored_t xend_t:process sigchld;
-allow xenstored_t xend_t:fifo_file write;
+domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t)
 
 # transition to console
 domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t)
@@ -167,7 +167,6 @@
 dev_rw_xen(xend_t)
 
 domain_read_all_domains_state(xend_t)
-domain_dontaudit_read_all_domains_state(xend_t)
 domain_dontaudit_ptrace_all_domains(xend_t)
 
 files_read_etc_files(xend_t)
@@ -193,7 +192,9 @@
 
 logging_send_syslog_msg(xend_t)
 
-lvm_domtrans(xend_t)
+optional_policy(`
+	lvm_domtrans(xend_t)
+')
 
 miscfiles_read_localization(xend_t)
 
@@ -211,7 +212,13 @@
 
 netutils_domtrans(xend_t)
 
-sysadm_dontaudit_search_home_dirs(xend_t)
+sysadm_dontaudit_search_home_dirs({ xend_t xenconsoled_t xenstored_t })
+unconfined_dontaudit_search_home_dirs({ xend_t xenconsoled_t xenstored_t })
+ifdef(`distro_debian', `
+# xend uses LD_PRELOAD or similar for libxenctrl.so
+allow xend_t { xenconsoled_t xenstored_t }:process noatsecure;
+')
+allow xend_t xenstored_var_run_t:file manage_file_perms;
 
 optional_policy(`
 	consoletype_exec(xend_t)
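Review bot: `unconfined_dontaudit_search_home_dirs({ xend_t xenconsoled_t xenstored_t })` is called unconditionally; the unconfined module is optional in refpolicy, so a build without it would fail on the undefined interface — wrap it in `optional_policy(`...')` as the preceding hunk does for `lvm_domtrans`. `allow xend_t { xenconsoled_t xenstored_t }:process noatsecure;` disables the AT_SECURE sanitisation that normally strips `LD_PRELOAD` and similar variables across a domain transition, so xend's environment flows unfiltered into the xenconsoled_t and xenstored_t domains; the Debian-only comment is welcome, but it should name which library is preloaded and why the daemons cannot start without it, so the exception can be revisited when that changes. `allow xend_t xenstored_var_run_t:file manage_file_perms;` sits outside the ifdef and is the only new rule here without a reason comment.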
@@ -224,7 +231,7 @@
 
 allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
 allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
-allow xenconsoled_t self:fifo_file { read write };
+allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
 
 allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
 
@@ -243,6 +250,7 @@
 
 domain_dontaudit_ptrace_all_domains(xenconsoled_t)
 
+corecmd_search_bin(xenconsoled_t)
 files_read_usr_files(xenconsoled_t)
 
 term_create_pty(xenconsoled_t,xen_devpts_t);
@@ -279,6 +287,9 @@
 manage_files_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t)
 manage_sock_files_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t)
 files_var_lib_filetrans(xenstored_t,xenstored_var_lib_t,{ file dir sock_file })
+allow xend_t xenstored_var_lib_t:dir rw_dir_perms;
+allow xend_t xenstored_var_lib_t:file unlink;
+corecmd_search_bin(xenstored_t)
 
 kernel_write_xen_state(xenstored_t)
 kernel_read_xen_state(xenstored_t)
@@ -318,7 +329,7 @@
 allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
 
 # internal communication is often done using fifo and unix sockets.
-allow xm_t self:fifo_file { read write };
+allow xm_t self:fifo_file rw_fifo_file_perms;
 allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow xm_t self:tcp_socket create_stream_socket_perms;
 
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/system/modutils.te
+++ refpolicy-0.0.20080702/policy/modules/system/modutils.te
@@ -10,6 +10,8 @@
 # Declarations
 #
 
+kernel_request_load_module(insmod_t)
+
 # module loading config
 type modules_conf_t;
 files_type(modules_conf_t)
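Review bot: `kernel_request_load_module(insmod_t)` is placed in the Declarations section ahead of the type declarations; refpolicy keeps access rules in the local-policy section, which for modutils.te lies outside this hunk. insmod_t presumably already loads modules directly (it is the module-loading domain), so a comment explaining why it additionally needs to request autoload by name — `# modprobe dependency resolution triggers module_request — TODO confirm` or whatever the observed denial was — would justify the grant. The ppp.te hunk carries the same call and the same build dependency on kernel.if.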
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/system/xen.if
+++ refpolicy-0.0.20080702/policy/modules/system/xen.if
@@ -76,6 +76,25 @@
 
 ########################################
 ## <summary>
+##	Read and write xen image files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed access.
+## 	</summary>
+## </param>
+#
+interface(`xen_rw_image_files',`
+	gen_require(`
+		type xen_image_t, xend_var_lib_t;
+	')
+
+	files_list_var_lib($1)
+	rw_files_pattern($1,{ xend_var_lib_t xen_image_t },xen_image_t)
+')
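Review bot: `xen_rw_image_files` hands the caller read/write on every `xen_image_t` file — in the fstools.te hunk that caller is fsadm_t, so filesystem tools can modify guest disk images in place; that is what running fsck or resize on an image requires, but the summary should state it, e.g. `##	Read and write xen guest disk image files (e.g. fsck/resize on an image).`. The `<param>` block's `## 	<summary>` lines use a space followed by a tab where the neighbouring interfaces use a plain tab after `##`.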
+
+########################################
+## <summary>
 ##	Allow the specified domain to append
 ##	xend log files.
 ## </summary>
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/system/setrans.te
+++ refpolicy-0.0.20080702/policy/modules/system/setrans.te
@@ -28,7 +28,7 @@
 #
 
 allow setrans_t self:capability sys_resource;
-allow setrans_t self:process { setrlimit setcap signal_perms };
+allow setrans_t self:process { setrlimit getcap setcap signal_perms };
 allow setrans_t self:unix_stream_socket create_stream_socket_perms;
 allow setrans_t self:unix_dgram_socket create_socket_perms;
 allow setrans_t self:netlink_selinux_socket create_socket_perms;
@@ -42,7 +42,7 @@
 files_pid_filetrans(setrans_t,setrans_var_run_t,file)
 
 kernel_read_kernel_sysctls(setrans_t)
-kernel_read_proc_symlinks(setrans_t)
+kernel_read_system_state(setrans_t)
 
 # allow performing getpidcon() on all processes
 domain_read_all_domains_state(setrans_t)
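Review bot: Replacing `kernel_read_proc_symlinks` with `kernel_read_system_state` widens setrans_t from reading symlinks under /proc to reading general kernel state there; if a single file prompted the change, a comment naming it keeps the grant reviewable, e.g. `# for reading <proc path> — TODO confirm`. The added `getcap` in the previous hunk is harmless but likewise undocumented.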
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/system/xen.fc
+++ refpolicy-0.0.20080702/policy/modules/system/xen.fc
@@ -1,11 +1,17 @@
 /dev/xen/tapctrl.*	-p	gen_context(system_u:object_r:xenctl_t,s0)
 
 /usr/bin/virsh		--	gen_context(system_u:object_r:xm_exec_t,s0)
-
+ifdef(`distro_debian', `
+/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
+/usr/lib/xen-[^/]*/bin/xend --	gen_context(system_u:object_r:xend_exec_t,s0)
+/usr/lib/xen-[^/]*/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
+/usr/lib/xen-[^/]*/bin/xm --	gen_context(system_u:object_r:xm_exec_t,s0)
+', `
 /usr/sbin/xenconsoled	--	gen_context(system_u:object_r:xenconsoled_exec_t,s0)
 /usr/sbin/xend		--	gen_context(system_u:object_r:xend_exec_t,s0)
 /usr/sbin/xenstored	--	gen_context(system_u:object_r:xenstored_exec_t,s0)
 /usr/sbin/xm		--	gen_context(system_u:object_r:xm_exec_t,s0)
+')
 
 /var/lib/xen(/.*)?		gen_context(system_u:object_r:xend_var_lib_t,s0)
 /var/lib/xen/images(/.*)?	gen_context(system_u:object_r:xen_image_t,s0)
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/system/iptables.te
+++ refpolicy-0.0.20080702/policy/modules/system/iptables.te
@@ -22,6 +22,7 @@
 # Iptables local policy
 #
 
+kernel_request_load_module(iptables_t)
 allow iptables_t self:capability { net_admin net_raw };
 dontaudit iptables_t self:capability sys_tty_config;
 allow iptables_t self:process { sigchld sigkill sigstop signull signal };
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/modules/system/mount.te
+++ refpolicy-0.0.20080702/policy/modules/system/mount.te
@@ -115,8 +115,10 @@
 
 sysnet_use_portmap(mount_t)
 
+kernel_request_load_module(mount_t)
 selinux_get_enforce_mode(mount_t)
 seutil_read_config(mount_t)
+kernel_setsched(mount_t)
 
 userdom_use_all_users_fds(mount_t)
 
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/flask/access_vectors
+++ refpolicy-0.0.20080702/policy/flask/access_vectors
@@ -94,6 +94,33 @@
 }
 
 #
+# Define a common prefix for pointer and keyboard access vectors.
+#
+
+common x_device
+{
+	getattr
+	setattr
+	use
+	read
+	write
+	getfocus
+	setfocus
+	bell
+	force_cursor
+	freeze
+	grab
+	manage
+	list_property
+	get_property
+	set_property
+	add
+	remove
+	create
+	destroy
+}
+
+#
 # Define the access vectors.
 #
 # class class_name [ inherits common_name ] { permission_name ... }
@@ -157,6 +184,9 @@
 
 class sock_file
 inherits file
+{
+	open
+}
 
 class fifo_file
 inherits file
@@ -347,6 +377,7 @@
 	syslog_read  
 	syslog_mod
 	syslog_console
+	module_request
 }
 
 #
@@ -360,32 +391,32 @@
 	# Care should be taken to ensure that these are consistent with
 	# those definitions. (Order matters)
 
-	chown           
+	chown	   
 	dac_override    
 	dac_read_search 
-	fowner          
-	fsetid          
-	kill            
-	setgid           
-	setuid           
-	setpcap          
+	fowner	  
+	fsetid	  
+	kill	    
+	setgid	   
+	setuid	   
+	setpcap	  
 	linux_immutable  
 	net_bind_service 
 	net_broadcast    
-	net_admin        
-	net_raw          
-	ipc_lock         
-	ipc_owner        
+	net_admin	
+	net_raw	  
+	ipc_lock	 
+	ipc_owner	
 	sys_module       
-	sys_rawio        
+	sys_rawio	
 	sys_chroot       
 	sys_ptrace       
-	sys_pacct        
-	sys_admin        
-	sys_boot         
-	sys_nice         
+	sys_pacct	
+	sys_admin	
+	sys_boot	 
+	sys_nice	 
 	sys_resource     
-	sys_time         
+	sys_time	 
 	sys_tty_config  
 	mknod
 	lease
@@ -616,6 +647,7 @@
 	nlmsg_write
 	nlmsg_relay
 	nlmsg_readpriv
+	nlmsg_tty_audit
 }
 
 class netlink_ip6fw_socket
@@ -782,3 +814,19 @@
 	paste_after_confirm
 	copy
 }
+
+class kernel_service
+{
+	use_as_override
+	create_files_as
+}
+
+class tun_socket
+inherits socket
+
+class x_pointer
+inherits x_device
+
+class x_keyboard
+inherits x_device
+
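Review bot: The `kernel_service`, `tun_socket`, `x_pointer` and `x_keyboard` classes (and the `module_request` and `nlmsg_tty_audit` permissions in the earlier hunks) only take effect on a kernel that knows them; the policy should still load on the Lenny kernel, but rules using them are inert there, which matches the Squeeze-kernel goal stated in the report yet is not recorded in the file. A comment at each addition naming the minimum kernel that defines it (as I recall, around 2.6.32 for `tun_socket` and `module_request` — please confirm) would make that explicit. `class tun_socket` / `inherits socket` with no permission body is valid, as the pre-patch `sock_file` declaration shows, but an empty `{ }` would make the intent obvious.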
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/policy/flask/security_classes
+++ refpolicy-0.0.20080702/policy/flask/security_classes
@@ -116,4 +116,13 @@
 class x_synthetic_event		# userspace
 class x_application_data	# userspace
 
+# kernel services that need to override task security, e.g. cachefiles
+class kernel_service
+
+class tun_socket
+
+# Still More SE-X Windows stuff
+class x_pointer			# userspace
+class x_keyboard		# userspace
+
 # FLASK
only in patch2:
unchanged:
--- refpolicy-0.0.20080702.orig/config/appconfig-mcs/default_contexts
+++ refpolicy-0.0.20080702/config/appconfig-mcs/default_contexts
@@ -1,4 +1,4 @@
-system_r:crond_t:s0		user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
+system_r:crond_t:s0		user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 unconfined_r:unconfined_t:s0 system_r:system_crond_t:s0
 system_r:local_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
 system_r:remote_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
 system_r:sshd_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
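Review bot: Changing `unconfined_r:unconfined_crond_t:s0` to `unconfined_r:unconfined_t:s0` means unconfined users' cron jobs now run in the full unconfined domain rather than a dedicated cron domain; this follows the `cron_existing_domain_per_role_template` design where the existing domain aliases `$1_crond_t`, but it is a visible behaviour change for a stable update and should be spelled out in the changelog. The reordering that moves `system_r:system_crond_t:s0` to the end looks cosmetic, though if ordering in this file is ever used as a preference it should be stated as intentional.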
-- System Information:
Debian Release: 6.0
  APT prefers testing
  APT policy: (350, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash


