--- refpolicy-2.20110726.orig/build.conf +++ refpolicy-2.20110726/build.conf @@ -50,7 +50,7 @@ # User-based access control (UBAC) # Enable UBAC for role separations. -UBAC = y +UBAC = n # Custom build options. This field enables custom # build options. Putting foo here will enable --- refpolicy-2.20110726.orig/config/appconfig-mcs/seusers +++ refpolicy-2.20110726/config/appconfig-mcs/seusers @@ -1,3 +1,3 @@ system_u:system_u:s0-mcs_systemhigh -root:root:s0-mcs_systemhigh -__default__:user_u:s0 +root:unconfined_u:s0-mcs_systemhigh +__default__:unconfined_u:s0-mcs_systemhigh --- refpolicy-2.20110726.orig/policy/users +++ refpolicy-2.20110726/policy/users @@ -29,7 +29,7 @@ gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) # Until order dependence is fixed for users: -gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) # # The following users correspond to Unix identities. --- refpolicy-2.20110726.orig/policy/constraints +++ refpolicy-2.20110726/policy/constraints @@ -28,7 +28,7 @@ define(`basic_ubac_conditions',` ifdef(`enable_ubac',` u1 == u2 - or u1 == system_u + or u1 == system_u or u1 == unconfined_u or u2 == system_u or t1 != ubac_constrained_type or t2 != ubac_constrained_type --- refpolicy-2.20110726.orig/policy/global_tunables +++ refpolicy-2.20110726/policy/global_tunables @@ -111,3 +111,10 @@ ##
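Review bot: The new `__default__:unconfined_u:s0-mcs_systemhigh` line in seusers gives every login, not only root, the `unconfined_u` identity with the full MCS clearance, so together with the `UBAC = n` in build.conf and the new `u1 == unconfined_u` term in policy/constraints there is no remaining user-based or category-based separation between local accounts. If that targeted-style default is intended, the hunk should say so and keep the confined mapping visible as a commented alternative, e.g. `#__default__:user_u:s0`, so an administrator sees what to restore. Note that this file lives under `config/appconfig-mcs/`, so the change applies to every MCS build of this tree, not just Debian.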
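Review bot: The added `u1 == unconfined_u` in `basic_ubac_conditions` exempts unconfined subjects from UBAC one way only — there is no matching `u2 == unconfined_u`, so a confined user's domain still cannot reach objects owned by `unconfined_u` while the reverse is permitted. That may be the intent, but it is invisible in the macro; a line such as `# unconfined_u subjects bypass UBAC; objects owned by unconfined_u stay protected` would make it explicit. Because the same patch sets `UBAC = n`, the whole `ifdef(`enable_ubac')` body is compiled out and this change only takes effect when UBAC is re-enabled, which is worth stating in the commit description.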

## gen_tunable(user_tcp_server,false) + +## +##

+## Allow users to manage files on dosfs_t devices, usually removable media +##

+##
+gen_tunable(user_manage_dos_files,true) --- refpolicy-2.20110726.orig/policy/mcs +++ refpolicy-2.20110726/policy/mcs 
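Review bot: `gen_tunable(user_manage_dos_files,true)` turns a new permission on by default, whereas the neighbouring `user_tcp_server` and refpolicy's convention default tunables to `false` and let the administrator opt in with setsebool. A boolean described as letting users manage files on `dosfs_t` media should not be granted without anyone having chosen it; change it to `gen_tunable(user_manage_dos_files,false)`. The policy that consumes this tunable is not in any visible hunk, so confirm a matching `tunable_policy(`user_manage_dos_files', ...)` block exists or the declaration is dead.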
@@ -71,32 +71,59 @@ mlsconstrain file { read ioctl lock execute execute_no_trans } (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); -mlsconstrain file { write setattr append unlink link rename } +mlsconstrain file { write setattr append link rename } +ifdef(`distro_debian', ` + ((( h1 dom h2 ) and ( l1 domby l2 )) or ( t1 == mcswriteall ) or (t2 == mcstrustedobject) or ( t2 == domain )); +', ` (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); +') + +mlsconstrain file { unlink } +ifdef(`distro_debian', ` + ((( h1 dom h2 ) and ( l1 domby l2 )) or (( t1 == mcswriteall ) or ( t1 == mcsdeleteall )) or (t2 == mcstrustedobject) or ( t2 == domain )); +', ` + (( h1 dom h2 ) or (( t1 == mcswriteall ) or ( t1 == mcsdeleteall )) or ( t2 == domain )); +') mlsconstrain dir { search read ioctl lock } - (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); + (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t1 == mcsdeleteall ) or ( t2 == domain )); -mlsconstrain dir { write setattr append unlink link rename add_name remove_name } +mlsconstrain dir { setattr append link rename add_name } (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); +mlsconstrain dir { write unlink remove_name } + (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t1 == mcsdeleteall ) or ( t2 == domain )); + # New filesystem object labels must be dominated by the relabeling subject # clearance, also the objects are single-level. 
mlsconstrain file { create relabelto } +ifdef(`distro_debian', ` + (( h1 dom h2 ) and ( l2 eq h2 ) and ((l1 domby l2) or (t2 == mcstrustedobject))); +', ` (( h1 dom h2 ) and ( l2 eq h2 )); +') # new file labels must be dominated by the relabeling subject clearance mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } ( h1 dom h2 ); +# not mandatory at this time - can write down mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto } (( h1 dom h2 ) and ( l2 eq h2 )); mlsconstrain process { transition dyntransition } +ifdef(`distro_debian', ` + (( ( h1 dom h2 ) and ((l1 domby l2) or (t1 == mcssetlow)) ) or ( t1 == mcssetcats )); +', ` (( h1 dom h2 ) or ( t1 == mcssetcats )); +') mlsconstrain process { ptrace } +ifdef(`distro_debian', ` + ( (h1 dom h2) and ((l1 domby l2) or ( t1 == mcsptraceall )) ); +', ` (( h1 dom h2) or ( t1 == mcsptraceall )); +') mlsconstrain process { sigkill sigstop } (( h1 dom h2 ) or ( t1 == mcskillall )); --- refpolicy-2.20110726.orig/policy/support/loadable_module.spt +++ refpolicy-2.20110726/policy/support/loadable_module.spt @@ -95,7 +95,7 @@ # define(`optional_policy',` ifelse(regexp(`$1',`\W'),`-1',` - refpolicywarn(`deprecated use of module name ($1) as first parameter of optional_policy() block.') + refpolicyerr(`deprecated use of module name ($1) as first parameter of optional_policy() block.') optional_policy(shift($*)) ',` optional {`'pushdef(`__in_optional_policy') --- refpolicy-2.20110726.orig/policy/support/misc_patterns.spt +++ refpolicy-2.20110726/policy/support/misc_patterns.spt 
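Review bot: In the rewritten `mlsconstrain dir { search read ioctl lock }`, the new `t1 == mcsdeleteall` term lets a delete-only domain also `read` (list) directories at every category, which is more than `unlink` needs — removing an entry requires only `search` on the directory plus the `remove_name` already exempted in the rule below. Split the exemption so `mcsdeleteall` covers `search` alone, e.g. `mlsconstrain dir { search } (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t1 == mcsdeleteall ) or ( t2 == domain ));` and leave `read ioctl lock` on the original condition. The attributes `mcsdeleteall` and `mcstrustedobject`, and the `mcs_file_delete_all()` interface tmpreaper.te calls later in this patch, are not declared in any hunk shown here; confirm they are added to the kernel mcs module or the build will fail on an undeclared attribute.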
@@ -51,7 +51,7 @@ # Other process permissions # define(`send_audit_msgs_pattern',` - refpolicywarn(`$0($*) has been deprecated, please use logging_send_audit_msgs($1) instead.') + refpolicyerr(`$0($*) has been deprecated, please use logging_send_audit_msgs($1) instead.') allow $1 self:capability audit_write; allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; ') --- refpolicy-2.20110726.orig/policy/support/obj_perm_sets.spt +++ refpolicy-2.20110726/policy/support/obj_perm_sets.spt 
@@ -54,47 +54,47 @@ # # Permissions for getting file attributes. # -define(`stat_file_perms', `{ getattr } refpolicywarn(`$0 is deprecated please use getattr_file_perms instead.')') +define(`stat_file_perms', `{ getattr } refpolicyerr(`$0 is deprecated please use getattr_file_perms instead.')') # # Permissions for executing files. # -define(`x_file_perms', `{ getattr open execute } refpolicywarn(`$0 is deprecated please use { getattr execute } instead.')') +define(`x_file_perms', `{ getattr open execute } refpolicyerr(`$0 is deprecated please use { getattr execute } instead.')') # # Permissions for reading files and their attributes. # -define(`r_file_perms', `{ open read getattr lock ioctl } refpolicywarn(`$0 is deprecated please use read_file_perms instead.')') +define(`r_file_perms', `{ open read getattr lock ioctl } refpolicyerr(`$0 is deprecated please use read_file_perms instead.')') # # Permissions for reading and executing files. # -define(`rx_file_perms', `{ open read getattr lock execute ioctl } refpolicywarn(`$0 is deprecated please use { mmap_file_perms ioctl lock } instead.')') +define(`rx_file_perms', `{ open read getattr lock execute ioctl } refpolicyerr(`$0 is deprecated please use { mmap_file_perms ioctl lock } instead.')') # # Permissions for reading and appending to files. # -define(`ra_file_perms', `{ open ioctl read getattr lock append } refpolicywarn(`$0 is deprecated please use { read_file_perms append_file_perms } instead.')') +define(`ra_file_perms', `{ open ioctl read getattr lock append } refpolicyerr(`$0 is deprecated please use { read_file_perms append_file_perms } instead.')') # # Permissions for linking, unlinking and renaming files. 
# -define(`link_file_perms', `{ getattr link unlink rename } refpolicywarn(`$0 is deprecated please use { getattr link unlink rename } instead.')') +define(`link_file_perms', `{ getattr link unlink rename } refpolicyerr(`$0 is deprecated please use { getattr link unlink rename } instead.')') # # Permissions for creating lnk_files. # -define(`create_lnk_perms', `{ create read write getattr setattr link unlink rename } refpolicywarn(`$0 is deprecated please use manage_lnk_file_perms instead.')') +define(`create_lnk_perms', `{ create read write getattr setattr link unlink rename } refpolicyerr(`$0 is deprecated please use manage_lnk_file_perms instead.')') # # Permissions for reading directories and their attributes. # -define(`r_dir_perms', `{ open read getattr lock search ioctl } refpolicywarn(`$0 is deprecated please use list_dir_perms instead.')') +define(`r_dir_perms', `{ open read getattr lock search ioctl } refpolicyerr(`$0 is deprecated please use list_dir_perms instead.')') # # Permissions for reading and adding names to directories. # -define(`ra_dir_perms', `{ open read getattr lock search ioctl add_name write } refpolicywarn(`$0 is deprecated please use { list_dir_perms add_entry_dir_perms } instead.')') +define(`ra_dir_perms', `{ open read getattr lock search ioctl add_name write } refpolicyerr(`$0 is deprecated please use { list_dir_perms add_entry_dir_perms } instead.')') # --- refpolicy-2.20110726.orig/policy/modules/apps/gpg.te +++ refpolicy-2.20110726/policy/modules/apps/gpg.te @@ -53,6 +53,7 @@ typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t }; application_domain(gpg_pinentry_t, pinentry_exec_t) ubac_constrained(gpg_pinentry_t) +files_read_var_lib_files(gpg_pinentry_t) type gpg_pinentry_tmp_t; files_tmp_file(gpg_pinentry_tmp_t) 
@@ -222,6 +223,9 @@ manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) +filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file) +files_read_etc_files(gpg_agent_t) +kernel_read_crypto_sysctls(gpg_agent_t) # allow gpg to connect to the gpg agent stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t) @@ -272,6 +276,10 @@ mozilla_dontaudit_rw_user_home_files(gpg_agent_t) ') +optional_policy(` + xdm_sigchld(gpg_agent_t) +') + ############################## # # Pinentry local policy --- refpolicy-2.20110726.orig/policy/modules/apps/gpg.fc +++ refpolicy-2.20110726/policy/modules/apps/gpg.fc @@ -1,6 +1,9 @@ HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) +HOME_DIR/\.gnupg/gpg.conf gen_context(system_u:object_r:user_home_t,s0) +HOME_DIR/\.gnupg/log-socket gen_context(system_u:object_r:gpg_agent_tmp_t,s0) /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) +/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) /usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0) --- refpolicy-2.20110726.orig/policy/modules/apps/gitosis.fc +++ refpolicy-2.20110726/policy/modules/apps/gitosis.fc 
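Review bot: Labelling `HOME_DIR/\.gnupg/gpg.conf` as `user_home_t` moves gpg's configuration out of `gpg_secret_t` into the generic home type, which is writable by every domain granted the userdom home-content interfaces — a much larger set than the domains allowed to touch `gpg_secret_t`. gpg.conf can name external programs for gpg to run (for example `photo-viewer`) and alternative keyring files, so a domain that can modify `user_home_t` files would gain influence over what `gpg_t` executes and trusts. If some domain needs to read the file, give that domain a narrow `allow ... gpg_secret_t:file read_file_perms;` through a gpg.if interface instead, and leave the file under `gpg_secret_t`; the `log-socket` entry is fine and matches the new `filetrans_pattern` in gpg.te.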
@@ -1,5 +1,9 @@ /usr/bin/gitosis-serve -- gen_context(system_u:object_r:gitosis_exec_t,s0) /usr/bin/gl-auth-command -- gen_context(system_u:object_r:gitosis_exec_t,s0) +ifdef(`distro_debian', ` +/srv/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0) +', ` /var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0) +') /var/lib/gitolite(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0) --- refpolicy-2.20110726.orig/policy/modules/apps/screen.fc +++ refpolicy-2.20110726/policy/modules/apps/screen.fc @@ -13,3 +13,6 @@ # /var # /var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) +ifdef(`distro_debian', ` +/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/apps/mono.te +++ refpolicy-2.20110726/policy/modules/apps/mono.te @@ -45,6 +45,7 @@ unconfined_domain(mono_t) unconfined_dbus_chat(mono_t) unconfined_dbus_connect(mono_t) + in_unconfined_r(mono_t) ') optional_policy(` --- refpolicy-2.20110726.orig/policy/modules/apps/pulseaudio.fc +++ refpolicy-2.20110726/policy/modules/apps/pulseaudio.fc @@ -5,3 +5,6 @@ /var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) /var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0) +ifdef(`distro_debian', ` +/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/apps/webalizer.fc +++ refpolicy-2.20110726/policy/modules/apps/webalizer.fc @@ -3,6 +3,7 @@ # /usr # /usr/bin/webalizer -- gen_context(system_u:object_r:webalizer_exec_t,s0) +/usr/bin/awffull -- gen_context(system_u:object_r:webalizer_exec_t,s0) # # /var --- refpolicy-2.20110726.orig/policy/modules/apps/uml.fc +++ refpolicy-2.20110726/policy/modules/apps/uml.fc 
@@ -12,3 +12,6 @@ # /var # /var/run/uml-utilities(/.*)? gen_context(system_u:object_r:uml_switch_var_run_t,s0) +ifdef(`distro_debian', ` +/run/uml-utilities(/.*)? gen_context(system_u:object_r:uml_switch_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/apps/mozilla.if +++ refpolicy-2.20110726/policy/modules/apps/mozilla.if @@ -17,16 +17,16 @@ # interface(`mozilla_role',` gen_require(` - type mozilla_t, mozilla_exec_t, mozilla_home_t; + type mozilla_t, chrome_sandbox_t, mozilla_exec_t, chrome_browser_exec_t, mozilla_home_t; ') - role $1 types mozilla_t; + role $1 types { mozilla_t chrome_sandbox_t }; - domain_auto_trans($2, mozilla_exec_t, mozilla_t) + domain_auto_trans($2, { mozilla_exec_t chrome_browser_exec_t }, mozilla_t) # Unrestricted inheritance from the caller. allow $2 mozilla_t:process { noatsecure siginh rlimitinh }; - allow mozilla_t $2:fd use; - allow mozilla_t $2:process { sigchld signull }; + allow { mozilla_t chrome_sandbox_t } $2:fd use; + allow { mozilla_t chrome_sandbox_t } $2:process { sigchld signull }; allow mozilla_t $2:unix_stream_socket connectto; # Allow the user domain to signal/ps. @@ -179,10 +179,10 @@ # interface(`mozilla_domtrans',` gen_require(` - type mozilla_t, mozilla_exec_t; + type mozilla_t, mozilla_exec_t, chrome_browser_exec_t; ') - domtrans_pattern($1, mozilla_exec_t, mozilla_t) + domtrans_pattern($1, { mozilla_exec_t chrome_browser_exec_t }, mozilla_t) ') ######################################## --- refpolicy-2.20110726.orig/policy/modules/apps/mozilla.fc +++ refpolicy-2.20110726/policy/modules/apps/mozilla.fc @@ -3,6 +3,7 @@ HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) # # /bin 
@@ -14,6 +15,9 @@ /usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) +ifdef(`distro_debian', ` +/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0) +') # # /lib @@ -27,3 +31,6 @@ /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib/chromium(-browser)?/chromium(-browser)?-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) +/usr/lib/chromium(-browser)?/chromium(-browser)? -- gen_context(system_u:object_r:chrome_browser_exec_t,s0) +/usr/lib/xulrunner-1.9.1/xulrunner-stub -- gen_context(system_u:object_r:mozilla_exec_t,s0) --- refpolicy-2.20110726.orig/policy/modules/apps/awstats.te +++ refpolicy-2.20110726/policy/modules/apps/awstats.te @@ -17,6 +17,7 @@ type awstats_var_lib_t; files_type(awstats_var_lib_t) +apache_script_exec_domain(awstats) apache_content_template(awstats) ######################################## --- refpolicy-2.20110726.orig/policy/modules/apps/webalizer.te +++ refpolicy-2.20110726/policy/modules/apps/webalizer.te @@ -13,17 +13,13 @@ type webalizer_etc_t; files_config_file(webalizer_etc_t) -type webalizer_usage_t; -files_type(webalizer_usage_t) - type webalizer_tmp_t; files_tmp_file(webalizer_tmp_t) type webalizer_var_lib_t; files_type(webalizer_var_lib_t) -type webalizer_write_t; -files_type(webalizer_write_t) +typealias webalizer_var_lib_t alias { webalizer_write_t webalizer_usage_t }; ######################################## # 
@@ -71,6 +67,7 @@ files_read_etc_files(webalizer_t) files_read_etc_runtime_files(webalizer_t) +files_read_usr_files(webalizer_t) logging_list_logs(webalizer_t) logging_send_syslog_msg(webalizer_t) --- refpolicy-2.20110726.orig/policy/modules/apps/mozilla.te +++ refpolicy-2.20110726/policy/modules/apps/mozilla.te 
@@ -19,6 +19,46 @@ application_domain(mozilla_t, mozilla_exec_t) ubac_constrained(mozilla_t) +type chrome_sandbox_t; +type chrome_sandbox_exec_t; +type chrome_browser_exec_t; +application_domain(mozilla_t, chrome_browser_exec_t) +domain_auto_trans(chrome_sandbox_t, chrome_browser_exec_t, mozilla_t) +application_domain(chrome_sandbox_t, chrome_sandbox_exec_t) +ubac_constrained(chrome_sandbox_t) +fs_getattr_xattr_fs(chrome_sandbox_t) +fs_getattr_xattr_fs(mozilla_t) + +allow chrome_sandbox_t mozilla_t:dir list_dir_perms; +allow chrome_sandbox_t mozilla_t:fifo_file rw_file_perms; +allow chrome_sandbox_t mozilla_t:file read_file_perms; +allow chrome_sandbox_t mozilla_t:lnk_file read_lnk_file_perms; +allow chrome_sandbox_t mozilla_t:unix_dgram_socket { read write }; +allow chrome_sandbox_t mozilla_t:unix_stream_socket { read write }; +allow chrome_sandbox_t mozilla_t:fd use; +allow chrome_sandbox_t mozilla_t:file write; +allow chrome_sandbox_t proc_t:dir read; +allow chrome_sandbox_t self:process setrlimit; +type chrome_sandbox_tmp_t; +files_tmp_file(chrome_sandbox_tmp_t) +ubac_constrained(chrome_sandbox_tmp_t) +files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { file dir }) +allow chrome_sandbox_t chrome_sandbox_tmp_t:dir manage_dir_perms; +allow mozilla_t self:unix_dgram_socket sendto; +allow mozilla_t chrome_browser_exec_t:file execute_no_trans; +# for V8 +allow mozilla_t self:process execmem; + + +allow mozilla_t chrome_sandbox_t:shm { write unix_read getattr unix_write associate read }; +allow mozilla_t chrome_sandbox_t:unix_dgram_socket { read write }; + + +ifdef(`distro_debian', ` +# bug in chromium +allow mozilla_t chrome_browser_exec_t:file execmod; +') + type mozilla_conf_t; files_config_file(mozilla_conf_t) 
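Review bot: `allow chrome_sandbox_t proc_t:dir read;` references a kernel-module type directly from an apps module instead of going through an interface (`kernel_list_proc(chrome_sandbox_t)` is the refpolicy form), and the `dontaudit chrome_sandbox_t domain:dir getattr;` in the next hunk does the same with the `domain` attribute, breaking the layering the rest of this file keeps. Several rules are repeated verbatim between this hunk and the one at line 95 — `fifo_file rw_file_perms`, `unix_dgram_socket { read write }`, `unix_stream_socket { read write }` and a second `application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)` — and should be declared once. The `execmod` on `chrome_browser_exec_t` under `distro_debian` disables W^X for the browser binary; the comment `# bug in chromium` should carry the bug reference and say the rule is to be dropped once the binary no longer needs it.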
@@ -55,6 +95,19 @@ # Local policy # +dontaudit chrome_sandbox_t domain:dir getattr; +application_domain(chrome_sandbox_t, chrome_sandbox_exec_t) +domain_auto_trans(mozilla_t, chrome_sandbox_exec_t, chrome_sandbox_t) +allow mozilla_t mozilla_home_t:sock_file manage_sock_file_perms; +allow chrome_sandbox_t mozilla_t:fifo_file rw_file_perms; +allow chrome_sandbox_t mozilla_t:unix_dgram_socket { read write }; +allow chrome_sandbox_t mozilla_t:unix_stream_socket { read write }; +allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid net_raw net_raw sys_chroot sys_ptrace sys_admin }; +allow chrome_sandbox_t mozilla_t:process { share sigchld }; +allow mozilla_t chrome_sandbox_t:fd use; +allow mozilla_t chrome_sandbox_t:unix_stream_socket { read write }; +dev_read_sysfs(mozilla_t) + allow mozilla_t self:capability { sys_nice setgid setuid }; allow mozilla_t self:process { sigkill signal setsched getsched setrlimit }; allow mozilla_t self:fifo_file rw_fifo_file_perms; --- refpolicy-2.20110726.orig/policy/modules/apps/gpg.if +++ refpolicy-2.20110726/policy/modules/apps/gpg.if @@ -22,6 +22,7 @@ type gpg_agent_tmp_t; type gpg_helper_t, gpg_pinentry_t; type gpg_pinentry_tmp_t; + type gpg_secret_t; ') role $1 types { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }; @@ -54,6 +55,8 @@ manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) + allow $2 gpg_secret_t:dir list_dir_perms; + optional_policy(` gpg_pinentry_dbus_chat($2) ') 
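Review bot: The capability set `{ chown dac_override fsetid setgid setuid net_raw net_raw sys_chroot sys_ptrace sys_admin }` for `chrome_sandbox_t` lists `net_raw` twice and, with `sys_admin`, `sys_ptrace` and `dac_override`, gives the setuid sandbox helper near-root power over the whole system; `setuid setgid sys_chroot sys_admin` are what a chroot/namespace sandbox plausibly needs, while whether `sys_ptrace`, `dac_override`, `chown` and `fsetid` are required is not evident from the policy and they look copied from audit denials unchecked. Drop the duplicate and add a short comment per capability naming what in chromium needs it, so any that cannot be justified can be removed. `allow chrome_sandbox_t mozilla_t:process { share sigchld };` combined with `sys_ptrace` also lets the helper attach to the browser process; if that is needed only for a specific fallback it should be stated, otherwise consider leaving `sys_ptrace` out.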
@@ -67,6 +70,49 @@ ') ') +############################################################ +## +## Transition to gpg_agent_t from another domain +## Used for ssh_agent_t to launch the gpg agent for X logins +## +## +## +## domain to run the gpg agent +## +## +# +interface(`run_gpg_agent',` + gen_require(` + type gpg_agent_t, gpg_agent_exec_t; + ') + domtrans_pattern($1, gpg_agent_exec_t, gpg_agent_t) +') + +######################################## +## +## Transition to a user domain from gpg_agent_t +## +## +## +## Domain to transition to +## +## +## +## +## Type of file for log data - usually a home type +## +## +# +interface(`gpg_agent_domtrans_user',` + gen_require(` + type gpg_agent_t, shell_exec_t, bin_t; + ') + allow $1 gpg_agent_t:fd use; + allow gpg_agent_t $1:process signull; + allow gpg_agent_t $2:file { getattr append }; + domain_auto_trans(gpg_agent_t, { shell_exec_t bin_t }, $1) +') + ######################################## ## ## Transition to a user gpg domain. --- refpolicy-2.20110726.orig/policy/modules/admin/rpm.fc +++ refpolicy-2.20110726/policy/modules/admin/rpm.fc @@ -37,7 +37,13 @@ /var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) /var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) +ifdef(`distro_debian', ` +/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) +') /var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) +ifdef(`distro_debian', ` +/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) +') # SuSE ifdef(`distro_suse', ` --- refpolicy-2.20110726.orig/policy/modules/admin/logrotate.te +++ refpolicy-2.20110726/policy/modules/admin/logrotate.te 
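Review bot: `gpg_agent_domtrans_user` pulls `shell_exec_t` and `bin_t` from the corecommands module into its `gen_require` and writes the transition with `domain_auto_trans`, bypassing the corecommands interfaces that exist for this (`corecmd_shell_domtrans(gpg_agent_t, $1)` and `corecmd_bin_domtrans(gpg_agent_t, $1)`); both new interfaces also lack the `gpg_` module prefix (`run_gpg_agent` would conventionally be `gpg_agent_domtrans`), which is how refpolicy keeps interface names unique across modules. The `$2` parameter is documented as the log type but `allow gpg_agent_t $2:file { getattr append };` applies to every file of that type, which for a home type is far more than one log; name the narrower type the agent actually appends to, or document why the broad type is acceptable. `run_gpg_agent` adds no `role` statement, so the caller's role must already contain `gpg_agent_t` — worth saying in the description.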
@@ -103,9 +103,12 @@ files_manage_generic_spool_dirs(logrotate_t) files_getattr_generic_locks(logrotate_t) -# cjp: why is this needed? +# logrotate has to restart some daemons init_domtrans_script(logrotate_t) +# for runlevel +init_dontaudit_write_utmp(logrotate_t) + logging_manage_all_logs(logrotate_t) logging_send_syslog_msg(logrotate_t) logging_send_audit_msgs(logrotate_t) @@ -122,7 +125,7 @@ cron_system_entry(logrotate_t, logrotate_exec_t) cron_search_spool(logrotate_t) - + mta_send_mail(logrotate_t) ifdef(`distro_debian', ` @@ -142,6 +145,10 @@ ') optional_policy(` + unconfined_dontaudit_search_home_dirs(logrotate_t) +') + +optional_policy(` acct_domtrans(logrotate_t) acct_manage_data(logrotate_t) acct_exec_data(logrotate_t) @@ -162,6 +169,10 @@ ') optional_policy(` + webalizer_domtrans(logrotate_t) +') + +optional_policy(` consoletype_exec(logrotate_t) ') --- refpolicy-2.20110726.orig/policy/modules/admin/alsa.fc +++ refpolicy-2.20110726/policy/modules/admin/alsa.fc 
@@ -2,10 +2,16 @@ /bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0) -/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) +/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) +/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) +ifdef(`distro_debian', ` +/var/lib/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) +/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0) +/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) +', ` +/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) +/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) +') /sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) /sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0) --- refpolicy-2.20110726.orig/policy/modules/admin/certwatch.if +++ refpolicy-2.20110726/policy/modules/admin/certwatch.if @@ -73,6 +73,6 @@ ## # interface(`certwatach_run',` - refpolicywarn(`$0($*) has been deprecated, please use certwatch_run() instead.') + refpolicyerr(`$0($*) has been deprecated, please use certwatch_run() instead.') certwatch_run($*) ') --- refpolicy-2.20110726.orig/policy/modules/admin/kismet.fc +++ refpolicy-2.20110726/policy/modules/admin/kismet.fc @@ -4,3 +4,6 @@ /var/lib/kismet(/.*)? gen_context(system_u:object_r:kismet_var_lib_t,s0) /var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0) /var/run/kismet_server.pid -- gen_context(system_u:object_r:kismet_var_run_t,s0) +ifdef(`distro_debian', ` +/run/kismet_server.pid -- gen_context(system_u:object_r:kismet_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/admin/vbetool.te +++ refpolicy-2.20110726/policy/modules/admin/vbetool.te 
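Review bot: The `distro_debian` branch labels `/usr/share/alsa/alsa\.conf` and `/usr/share/alsa/pcm(/.*)?` as `alsa_etc_rw_t`, the read-write type, which lets `alsa_t` modify package-shipped configuration under /usr/share that every ALSA client on the system reads; the original entries only put the state file and the /etc copies in that type. If alsactl merely reads these files, no entry is needed and they keep the default `usr_t` label; if it genuinely writes them, a comment should say which tool does so. Also `/usr/share/alsa/alsa\.conf` is missing the `--` regular-file flag that the other file entries carry.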
@@ -30,6 +30,7 @@ dev_rw_sysfs(vbetool_t) dev_rw_xserver_misc(vbetool_t) dev_rw_mtrr(vbetool_t) +fs_list_inotifyfs(vbetool_t) domain_mmap_low(vbetool_t) --- refpolicy-2.20110726.orig/policy/modules/admin/tmpreaper.te +++ refpolicy-2.20110726/policy/modules/admin/tmpreaper.te @@ -30,8 +30,7 @@ files_getattr_all_dirs(tmpreaper_t) files_getattr_all_files(tmpreaper_t) -mls_file_read_all_levels(tmpreaper_t) -mls_file_write_all_levels(tmpreaper_t) +mcs_file_delete_all(tmpreaper_t) logging_send_syslog_msg(tmpreaper_t) @@ -39,6 +38,7 @@ miscfiles_delete_man_pages(tmpreaper_t) cron_system_entry(tmpreaper_t, tmpreaper_exec_t) +init_system_domain(tmpreaper_t, tmpreaper_exec_t) ifdef(`distro_redhat',` userdom_list_user_home_content(tmpreaper_t) --- refpolicy-2.20110726.orig/policy/modules/admin/quota.te +++ refpolicy-2.20110726/policy/modules/admin/quota.te @@ -20,6 +20,7 @@ # Local policy # +kernel_request_load_module(quota_t) allow quota_t self:capability { sys_admin dac_override }; dontaudit quota_t self:capability sys_tty_config; allow quota_t self:process signal_perms; --- refpolicy-2.20110726.orig/policy/modules/admin/logrotate.if +++ refpolicy-2.20110726/policy/modules/admin/logrotate.if @@ -84,6 +84,24 @@ ######################################## ## +## Search logrotate runtime directries +## +## +## +## Domain allowed access. +## +## +# +interface(`logrotate_search_varlib',` + gen_require(` + type logrotate_var_lib_t; + ') + + allow $1 logrotate_var_lib_t:dir search; +') + +######################################## +## ## Do not audit attempts to inherit logrotate file descriptors. ## ## --- refpolicy-2.20110726.orig/policy/modules/admin/tmpreaper.fc +++ refpolicy-2.20110726/policy/modules/admin/tmpreaper.fc 
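Review bot: Replacing `mls_file_read_all_levels`/`mls_file_write_all_levels` with `mcs_file_delete_all(tmpreaper_t)` is a sound narrowing for MCS, but those `mls_*` calls were what let tmpreaper reach files at other sensitivity levels on an MLS build and nothing here restores that; either keep them under `ifdef(`enable_mls', ...)` or record that the MLS case is deliberately dropped. `mcs_file_delete_all()` is not defined in any hunk of this patch and must be added to the kernel mcs module (with the `mcsdeleteall` attribute policy/mcs now references) for this to build. The added `init_system_domain(tmpreaper_t, tmpreaper_exec_t)` together with the tmpreaper.fc entries that label `/etc/init\.d/mountall-bootclean.sh` and `mountnfs-bootclean.sh` as `tmpreaper_exec_t` means those init scripts run with tmpreaper's cross-category delete rights, which the fc hunk should note in a comment.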
@@ -1,2 +1,6 @@ /usr/sbin/tmpreaper -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) /usr/sbin/tmpwatch -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) +ifdef(`distro_debian', ` +/etc/init\.d/mountall-bootclean.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) +/etc/init\.d/mountnfs-bootclean.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/admin/apt.fc +++ refpolicy-2.20110726/policy/modules/admin/apt.fc @@ -14,8 +14,12 @@ # aptitude lock /var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0) +ifdef(`distro_debian', ` +/var/run/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0) +/run/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0) +') # aptitude log -/var/log/aptitude gen_context(system_u:object_r:apt_var_log_t,s0) +/var/log/aptitude.* gen_context(system_u:object_r:apt_var_log_t,s0) # dpkg terminal log /var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0) --- refpolicy-2.20110726.orig/policy/modules/admin/sudo.if +++ refpolicy-2.20110726/policy/modules/admin/sudo.if @@ -177,3 +177,29 @@ allow $1 sudodomain:process sigchld; ') + +####################################### +## +## Execute sudo_exec_t without a domain transition +## +## +##

+## This interface allows a domain to execute sudo_exec_t without a +## domain transition. It is for daemons that already have setuid +## access but are running as uid != 0. +##

+##
+## +## +## The domain that can execute sudo. +## +## +# +template(`can_exec_sudo',` + + gen_require(` + type sudo_exec_t; + ') + + can_exec($1, sudo_exec_t) +') --- refpolicy-2.20110726.orig/policy/modules/admin/vpn.fc +++ refpolicy-2.20110726/policy/modules/admin/vpn.fc @@ -11,3 +11,6 @@ /usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0) /var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0) +ifdef(`distro_debian', ` +/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/admin/mrtg.fc +++ refpolicy-2.20110726/policy/modules/admin/mrtg.fc @@ -14,5 +14,12 @@ # /var/lib/mrtg(/.*)? gen_context(system_u:object_r:mrtg_var_lib_t,s0) /var/lock/mrtg(/.*)? gen_context(system_u:object_r:mrtg_lock_t,s0) +ifdef(`distro_debian', ` +/var/run/lock/mrtg(/.*)? gen_context(system_u:object_r:mrtg_lock_t,s0) +/run/lock/mrtg(/.*)? gen_context(system_u:object_r:mrtg_lock_t,s0) +') /var/log/mrtg(/.*)? gen_context(system_u:object_r:mrtg_log_t,s0) /var/run/mrtg\.pid gen_context(system_u:object_r:mrtg_var_run_t,s0) +ifdef(`distro_debian', ` +/run/mrtg\.pid gen_context(system_u:object_r:mrtg_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/admin/dpkg.te +++ refpolicy-2.20110726/policy/modules/admin/dpkg.te @@ -51,8 +51,8 @@ # dpkg Local policy # -allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable }; -allow dpkg_t self:process { setpgid fork getsched setfscreate }; +allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable ipc_lock }; +allow dpkg_t self:process { setrlimit setpgid fork getsched setfscreate }; allow dpkg_t self:fd use; allow dpkg_t self:fifo_file rw_fifo_file_perms; allow dpkg_t self:unix_dgram_socket create_socket_perms; 
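Review bot: `can_exec_sudo` is declared with `template()` although it declares no types and only emits `can_exec`, so it should be an `interface()`, and it should carry the module prefix (`sudo_exec`) like everything else in sudo.if. More importantly, executing `sudo_exec_t` without a transition runs sudo entirely inside the caller's domain: none of the `sudodomain` rules apply, the caller must itself hold the `setuid`/`setgid` capabilities plus the auth and audit access sudo typically needs, and whatever sudo then grants is exercised as the caller's type. The description should spell that out and name the intended callers, because a daemon that meets that bar is effectively unconfined with respect to anything it can sudo to.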
@@ -66,6 +66,16 @@ allow dpkg_t self:msgq create_msgq_perms; allow dpkg_t self:msg { send receive }; +# This is for se_aptitude et al, so that maintainer scripts can talk back. +apt_use_fds(dpkg_script_t) +apt_rw_pipes(dpkg_script_t) + +# This is for the maintainer scripts +init_use_script_fds(dpkg_script_t) + +# se_apt-get needs this to run dpkg-preconfigure +init_use_script_ptys(dpkg_t) + allow dpkg_t dpkg_lock_t:file manage_file_perms; manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t) @@ -147,7 +157,6 @@ files_exec_etc_files(dpkg_t) init_domtrans_script(dpkg_t) -init_use_script_ptys(dpkg_t) libs_exec_ld_so(dpkg_t) libs_exec_lib_files(dpkg_t) @@ -163,11 +172,15 @@ userdom_use_user_terminals(dpkg_t) userdom_use_unpriv_users_fds(dpkg_t) +allow userdomain dpkg_var_lib_t:dir list_dir_perms; +allow userdomain dpkg_var_lib_t:file read_file_perms; # transition to dpkg script: dpkg_domtrans_script(dpkg_t) -# since the scripts aren't labeled correctly yet... +# since the scripts are not labeled correctly yet... allow dpkg_t dpkg_var_lib_t:file mmap_file_perms; +# This is used for running config files for debconf interactions +allow dpkg_t dpkg_tmp_t:file { execute execute_no_trans }; optional_policy(` apt_use_ptys(dpkg_t) @@ -289,7 +302,6 @@ auth_manage_all_files_except_auth_files(dpkg_script_t) init_domtrans_script(dpkg_script_t) -init_use_script_fds(dpkg_script_t) libs_exec_ld_so(dpkg_script_t) libs_exec_lib_files(dpkg_script_t) --- refpolicy-2.20110726.orig/policy/modules/system/lvm.te +++ refpolicy-2.20110726/policy/modules/system/lvm.te @@ -41,6 +41,11 @@ type lvm_tmp_t; files_tmp_file(lvm_tmp_t) +allow lvm_t self:sem create_sem_perms; +optional_policy(` + unconfined_sem_rw(lvm_t) +') + ######################################## # # Cluster LVM daemon local policy 
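Review bot: `allow userdomain dpkg_var_lib_t:dir list_dir_perms;` and the matching `file read_file_perms` rule reference the `userdomain` attribute from the userdom module directly inside dpkg.te, inverting refpolicy layering — the grant belongs in an interface (dpkg.if already has a `dpkg_read_db()` upstream, as far as I recall) called from the policy that defines user domains, so it is visible where those domains are built. `allow dpkg_t dpkg_tmp_t:file { execute execute_no_trans };` lets the most privileged package-management domain run code from its tmp type in its own context; since `dpkg_script_t` already exists for maintainer scripts, a `domain_auto_trans(dpkg_t, dpkg_tmp_t, dpkg_script_t)` would keep the debconf config scripts in the script domain instead. The comment should also state that the `dpkg_tmp_t` files executed here are written by dpkg_t itself, which is what makes executing from tmp tolerable at all.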
@@ -178,6 +183,7 @@ allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms }; +term_dontaudit_use_generic_ptys(lvm_t) manage_dirs_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t) manage_files_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t) --- refpolicy-2.20110726.orig/policy/modules/system/mount.te +++ refpolicy-2.20110726/policy/modules/system/mount.te @@ -23,20 +23,26 @@ type mount_tmp_t; files_tmp_file(mount_tmp_t) +dev_read_sysfs(mount_t) + # causes problems with interfaces when # this is optionally declared in monolithic # policy--duplicate type declaration type unconfined_mount_t; application_domain(unconfined_mount_t, mount_exec_t) +kernel_request_load_module(mount_t) ######################################## # # mount local policy # +kernel_setsched(mount_t) + # setuid/setgid needed to mount cifs allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid }; +dev_read_urand(mount_t) allow mount_t mount_loopback_t:file read_file_perms; allow mount_t mount_tmp_t:file manage_file_perms; --- refpolicy-2.20110726.orig/policy/modules/system/lvm.fc +++ refpolicy-2.20110726/policy/modules/system/lvm.fc 
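Review bot: `dev_read_sysfs(mount_t)` and `kernel_request_load_module(mount_t)` are inserted in the declarations section, above the `# mount local policy` header and next to the `unconfined_mount_t` type, and `kernel_setsched`/`dev_read_urand` land between the `# setuid/setgid needed to mount cifs` comment and the capability rule it describes, so the comment no longer sits on the line it explains. Move the four calls under the local policy header with the other `kernel_`/`dev_` interface calls and restore the comment directly above `allow mount_t self:capability`. `kernel_request_load_module` lets mount trigger loading of modules by name; a comment saying which filesystem or helper needed it would justify the grant.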
@@ -97,5 +97,15 @@
 /var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
 /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
 /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
+ifdef(`distro_debian', `
+/var/run/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
+/run/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
+')
 /var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)
+')
 /var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/system/ipsec.fc
+++ refpolicy-2.20110726/policy/modules/system/ipsec.fc
@@ -43,4 +43,10 @@
 /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
 /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
+')
 /var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-2.20110726/policy/modules/system/selinuxutil.te
@@ -107,6 +107,9 @@
 type setfiles_exec_t alias restorecon_exec_t;
 init_system_domain(setfiles_t, setfiles_exec_t)
 domain_obj_id_change_exemption(setfiles_t)
+term_read_console(setfiles_t)
+dev_read_urand(setfiles_t)
+dev_rw_generic_chr_files(setfiles_t)
 ########################################
 #
@@ -159,6 +162,7 @@
 read_files_pattern(load_policy_t,{ policy_src_t policy_config_t },policy_config_t)
 domain_use_interactive_fds(load_policy_t)
+dev_read_urand(load_policy_t)
 # for mcs.conf
 files_read_etc_files(load_policy_t)
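Review bot: `dev_rw_generic_chr_files(setfiles_t)` in the `@@ -107,6 +107,9 @@` hunk grants read and write on every character device carrying the generic device type, far wider than a relabel tool should need; the adjacent `term_read_console(setfiles_t)` suggests the real need is console or tty output, so a terminal interface scoped to the console, or at minimum a comment naming the device that triggered the denial, would let the grant be narrowed later. These three calls also sit in the declarations block before the local-policy header rather than with the other setfiles_t rules.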
@@ -304,6 +308,7 @@ allow restorecond_t self:capability { dac_override dac_read_search fowner }; allow restorecond_t self:fifo_file rw_fifo_file_perms; +dev_read_urand(restorecond_t) allow restorecond_t restorecond_var_run_t:file manage_file_perms; files_pid_filetrans(restorecond_t, restorecond_var_run_t, file) @@ -424,6 +429,7 @@ allow semanage_t self:unix_stream_socket create_stream_socket_perms; allow semanage_t self:unix_dgram_socket create_socket_perms; allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +fs_getattr_xattr_fs(semanage_t) allow semanage_t policy_config_t:file rw_file_perms; @@ -431,6 +437,10 @@ allow semanage_t semanage_tmp_t:file manage_file_perms; files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir }) +ifdef(`targeted_policy',` + allow semanage_t initrc_t:fd use; +') + kernel_read_system_state(semanage_t) kernel_read_kernel_sysctls(semanage_t) @@ -448,6 +458,7 @@ mls_file_write_all_levels(semanage_t) mls_file_read_all_levels(semanage_t) +selinux_get_fs_mount(semanage_t) selinux_validate_context(semanage_t) selinux_get_enforce_mode(semanage_t) selinux_getattr_fs(semanage_t) @@ -493,6 +504,10 @@ ') ') +optional_policy(` + pythonsupport_compiled_read(semanage_t) +') + ######################################## # # Setfiles local policy --- refpolicy-2.20110726.orig/policy/modules/system/unconfined.te +++ refpolicy-2.20110726/policy/modules/system/unconfined.te @@ -21,6 +21,15 @@ init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t) role unconfined_r types unconfined_execmem_t; +## +##
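Review bot: `allow semanage_t initrc_t:fd use;` in the `@@ -431,6 +437,10 @@` hunk references initrc_t, which is declared in the init module, directly from selinuxutil.te; in a modular build that needs a gen_require or, better, the existing interface `init_use_script_fds(semanage_t)` that this same patch already uses for dpkg_script_t. The targeted_policy guard is fine, but the interface form keeps the type dependency inside init.if.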

+## Enabling this allows some daemons to access unconfined_home_dir_t and +## unconfined_home_t as if they were regular home directories. This does +## reduce the protection... +##

+##
+gen_bool(daemon_access_unconfined_home,true) + ######################################## # # Local policy @@ -30,10 +39,9 @@ files_create_boot_flag(unconfined_t) -mcs_killall(unconfined_t) -mcs_ptrace_all(unconfined_t) +allow unconfined_r system_r; -init_run_daemon(unconfined_t, unconfined_r) +init_run_daemon(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) libs_run_ldconfig(unconfined_t, unconfined_r) @@ -49,6 +57,9 @@ userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file }) +ifdef(`distro_debian',` + seutil_run_runinit(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t }) +') ifdef(`distro_gentoo',` seutil_run_runinit(unconfined_t, unconfined_r) seutil_init_script_run_runinit(unconfined_t, unconfined_r) --- refpolicy-2.20110726.orig/policy/modules/system/xen.te +++ refpolicy-2.20110726/policy/modules/system/xen.te @@ -83,6 +83,9 @@ files_type(xend_var_lib_t) # for mounting an NFS store files_mountpoint(xend_var_lib_t) +fs_getattr_xattr_fs(xend_t) +# for /var/lib/python-support/python2.5/.path +files_read_var_lib_files(xend_t) # log files type xend_var_log_t; @@ -341,6 +344,13 @@ netutils_domtrans(xend_t) +unconfined_dontaudit_search_home_dirs({ xend_t xenconsoled_t xenstored_t }) +ifdef(`distro_debian', ` +# xend uses LD_PRELOAD or similar for libxenctrl.so +allow xend_t { xenconsoled_t xenstored_t }:process noatsecure; +') +allow xend_t xenstored_var_run_t:file manage_file_perms; + optional_policy(` brctl_domtrans(xend_t) ') 
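Review bot: `gen_bool(daemon_access_unconfined_home,true)` defaults the new boolean to on while the description in the same hunk says enabling it reduces protection, so the safer default is `gen_bool(daemon_access_unconfined_home,false)` with the administrator opting in. The description also trails off with "..." and should state which daemons gain access to unconfined_home_dir_t / unconfined_home_t and what protection is lost, since that text is what `semanage boolean -l` shows an administrator.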
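Review bot: `allow xend_t { xenconsoled_t xenstored_t }:process noatsecure;` in the `@@ -341,6 +344,13 @@` hunk clears AT_SECURE on the transition into those daemons, so the dynamic loader will honor LD_PRELOAD and similar environment inherited from xend_t; this is a deliberate weakening and the comment `# xend uses LD_PRELOAD or similar for libxenctrl.so` should name the actual variable and why a proper library path cannot replace it, so the grant can be dropped when it is no longer needed. `unconfined_dontaudit_search_home_dirs(...)` in the same hunk calls into the optional unconfined module without an `optional_policy` wrapper, and `allow xend_t xenstored_var_run_t:file manage_file_perms;` lands mid-block with no comment on what xend writes there.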
@@ -354,12 +364,16 @@ # Xen console local policy # -allow xenconsoled_t self:capability { dac_override fsetid ipc_lock }; +allow xenconsoled_t self:capability { dac_override fsetid ipc_lock sys_tty_config }; allow xenconsoled_t self:process setrlimit; allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms; allow xenconsoled_t self:fifo_file rw_fifo_file_perms; +allow xenconsoled_t self:unix_dgram_socket create_socket_perms; + +# for /usr/lib/pt_chown +libs_exec_lib_files(xenconsoled_t) -allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms; +allow xenconsoled_t xen_devpts_t:chr_file { setattr rw_term_perms }; # pid file manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t) @@ -377,6 +391,7 @@ domain_dontaudit_ptrace_all_domains(xenconsoled_t) files_read_etc_files(xenconsoled_t) +corecmd_search_bin(xenconsoled_t) files_read_usr_files(xenconsoled_t) fs_list_tmpfs(xenconsoled_t) @@ -428,6 +443,10 @@ manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) files_var_lib_filetrans(xenstored_t, xenstored_var_lib_t, { file dir sock_file }) +allow xend_t xenstored_var_lib_t:dir rw_dir_perms; +allow xend_t xenstored_var_lib_t:file unlink; +corecmd_search_bin(xenstored_t) +fs_manage_xenfs_dirs(xenstored_t) stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchnd_t) @@ -472,6 +491,7 @@ manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) files_search_var_lib(xm_t) +files_read_kernel_img(xm_t) allow xm_t xen_image_t:dir rw_dir_perms; allow xm_t xen_image_t:file read_file_perms; --- refpolicy-2.20110726.orig/policy/modules/system/xen.fc +++ refpolicy-2.20110726/policy/modules/system/xen.fc 
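Review bot: The two `allow xend_t xenstored_var_lib_t:...` rules in the `@@ -428,6 +443,10 @@` hunk are xend_t rules inserted into the xenstored local policy block; moving them up to the xend_t section keeps each domain's grants in one place, and the `file unlink` needs a comment on what xend deletes there. In the xenconsoled hunk `libs_exec_lib_files(xenconsoled_t)` is justified by `# for /usr/lib/pt_chown`, but the new `sys_tty_config` capability and the `setattr` on xen_devpts_t get no such note.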
@@ -32,12 +32,36 @@ /var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) /var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0) +') /var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0) +') /var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0) +ifdef(`distro_debian', ` +/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0) +') /var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) +ifdef(`distro_debian', ` +/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) +') /var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0) +ifdef(`distro_debian', ` +/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0) +') /var/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) +ifdef(`distro_debian', ` +/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) +') /var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0) +ifdef(`distro_debian', ` +/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0) +') /var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0) +ifdef(`distro_debian', ` +/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0) +') /xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0) --- refpolicy-2.20110726.orig/policy/modules/system/init.if +++ refpolicy-2.20110726/policy/modules/system/init.if @@ -346,6 +346,8 @@ domtrans_pattern(initrc_t, $2, $1) + init_use_fds($1) + ifdef(`hide_broken_symptoms',` # RHEL4 systems seem to have a stray # fds open from the initrd --- refpolicy-2.20110726.orig/policy/modules/system/init.fc +++ refpolicy-2.20110726/policy/modules/system/init.fc 
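Review bot: `init_use_fds($1)` is added unconditionally to an interface whose name and header lie outside the hunk (the one containing `domtrans_pattern(initrc_t, $2, $1)`), so every existing caller now also inherits init_t's file descriptors. If only some callers need this, calling `init_use_fds` from those callers is cleaner than widening the interface for all, and either way the interface's doc comment should mention the new grant.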
@@ -15,6 +15,16 @@ /etc/vmware/init\.d/vmware -- gen_context(system_u:object_r:initrc_exec_t,s0) /etc/x11/startDM\.sh -- gen_context(system_u:object_r:initrc_exec_t,s0) ') +ifdef(`distro_debian',` +/var/run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0) +ifdef(`distro_debian', ` +/run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0) +') +/var/run/kdm/.* -- gen_context(system_u:object_r:initrc_var_run_t,s0) +ifdef(`distro_debian', ` +/run/kdm/.* -- gen_context(system_u:object_r:initrc_var_run_t,s0) +') +') # # /dev --- refpolicy-2.20110726.orig/policy/modules/system/init.te +++ refpolicy-2.20110726/policy/modules/system/init.te @@ -178,6 +178,12 @@ fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) ') +ifdef(`distro_debian',` + fs_rw_tmpfs_chr_files(init_t) + fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) +') + +optional_policy(` tunable_policy(`init_upstart',` corecmd_shell_domtrans(init_t, initrc_t) ',` @@ -185,6 +191,7 @@ # causes problems with upstart sysadm_shell_domtrans(init_t) ') +') optional_policy(` auth_rw_login_records(init_t) @@ -240,7 +247,8 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; -files_pid_filetrans(initrc_t, initrc_var_run_t, file) +files_pid_filetrans(initrc_t,initrc_var_run_t,file) +storage_var_run_filetrans_fixed_disk(initrc_t) can_exec(initrc_t, initrc_tmp_t) manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) @@ -287,6 +295,7 @@ dev_read_framebuffer(initrc_t) dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) +clock_rw_adjtime(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) dev_setattr_all_chr_files(initrc_t) 
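Review bot: The `/run` block in init.fc nests a second `ifdef(distro_debian)` inside the outer `ifdef(distro_debian)` guard, so the inner conditional is always true and only adds noise; the same redundant nesting appears in sysnetwork.fc (`/run/shm/network`) and udev.fc (`/run/xen-hotplug`). Flattening each to a single guard with the `/var/run` and `/run` entries side by side produces the same labels. In the init.te `@@ -178,6 +178,12 @@` hunk the new `optional_policy(` around the init_upstart tunable has its closing `')` in the following hunk, which is easy to miss when reading the two separately.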
@@ -294,8 +303,14 @@ dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -# Wants to remove udev.tbl: -dev_delete_generic_symlinks(initrc_t) + +optional_policy(` + # Wants to remove udev.tbl: + dev_delete_generic_symlinks(initrc_t) + udev_unlink_table(initrc_t) + dev_delete_generic_dirs(initrc_t) +') + dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) # Early devtmpfs @@ -391,6 +406,7 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) +logging_setattr_xconsole(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -407,10 +423,18 @@ # started from init should be placed in their own domain. userdom_use_user_terminals(initrc_t) +# seed udev /dev +dev_create_generic_dirs(initrc_t) + ifdef(`distro_debian',` - dev_setattr_generic_dirs(initrc_t) + # to be able to create /dev/xconsole + dev_create_generic_pipes(initrc_t) - fs_tmpfs_filetrans(initrc_t, initrc_var_run_t, dir) + # for /etc/network/run/ifstate + sysnet_manage_config(initrc_t) + fs_tmpfs_filetrans(initrc_t,initrc_var_run_t,dir) + allow initrc_t initrc_var_run_t:dir manage_dir_perms; + allow initrc_t initrc_var_run_t:lnk_file manage_lnk_file_perms; # for storing state under /dev/shm fs_setattr_tmpfs_dirs(initrc_t) @@ -418,6 +442,21 @@ storage_tmpfs_filetrans_fixed_disk(initrc_t) files_setattr_etc_dirs(initrc_t) + + selinux_get_fs_mount(init_t) + + # for /lib/init/rw/.ramfs + fs_tmpfs_filetrans(initrc_t,initrc_state_t,file) + + # for progress_state which is created by the initramfs + fs_allow_tmpfs_file_read(initrc_t) + + # /etc/network/if-up.d/mountnfs wants to mkdir + # /var/run/network/mountnfs as a poor mans lock + allow initrc_t var_run_t:dir create; + + # for lsb_release which calls apt-cache + apt_read_cache(initrc_t) ') ifdef(`distro_gentoo',` 
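Review bot: `selinux_get_fs_mount(init_t)` sits inside the distro_debian block of the initrc_t local policy, between initrc_t rules, so `init_t` looks like a typo for `initrc_t`; if init_t really needs it, it belongs in the init_t section with a comment. `allow initrc_t var_run_t:dir create;` reaches into the files module's type directly instead of going through a files_* interface, and `apt_read_cache(initrc_t)` calls the apt module without an `optional_policy` wrapper, so the base policy fails to build when apt's module is absent. The enclosing ifdef block starts outside the hunk.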
@@ -427,13 +466,11 @@ allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) - dev_create_generic_dirs(initrc_t) term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks # with /dev/.rcboot to decide if we are in # early init - dev_create_generic_dirs(initrc_t) dev_delete_generic_dirs(initrc_t) # allow bootmisc to create /var/lock/.keep. @@ -735,6 +772,7 @@ optional_policy(` postfix_list_spool(initrc_t) + postfix_read_config(initrc_t) ') optional_policy(` @@ -844,9 +882,6 @@ ') optional_policy(` - # Set device ownerships/modes. - xserver_setattr_console_pipes(initrc_t) - # init script wants to check if it needs to update windowmanagerlist xserver_read_xdm_rw_config(initrc_t) ') --- refpolicy-2.20110726.orig/policy/modules/system/authlogin.fc +++ refpolicy-2.20110726/policy/modules/system/authlogin.fc @@ -1,11 +1,12 @@ /bin/login -- gen_context(system_u:object_r:login_exec_t,s0) -/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) -/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0) /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0) -/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) +/etc/\.group\.edit\.swp -- gen_context(system_u:object_r:shadow_t,s0) +/etc/\.gshadow\.edit\.swp -- gen_context(system_u:object_r:shadow_t,s0) /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) +/etc/\.passwd\.edit\.swp -- gen_context(system_u:object_r:shadow_t,s0) +/etc/\.shadow\.edit\.swp -- gen_context(system_u:object_r:shadow_t,s0) /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) --- refpolicy-2.20110726.orig/policy/modules/system/setrans.te +++ refpolicy-2.20110726/policy/modules/system/setrans.te 
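Review bot: Dropping `/etc/\.pwd\.lock`, `/etc/group\.lock` and `/etc/passwd\.lock` from shadow_t in authlogin.fc means those lock files now fall back to the generic /etc label, so any domain that can write etc_t can create or hold the lock that passwd, vipw and friends serialize on, while the shadow-writing domains lose their guaranteed access to it. If the intent is that Debian's tools use the `.edit.swp` names instead, the old entries should stay (they are harmless where the files do not exist) or the removal should be explained in a comment.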
@@ -50,7 +50,7 @@ files_pid_filetrans(setrans_t, setrans_var_run_t, { file dir }) kernel_read_kernel_sysctls(setrans_t) -kernel_read_proc_symlinks(setrans_t) +kernel_read_system_state(setrans_t) # allow performing getpidcon() on all processes domain_read_all_domains_state(setrans_t) --- refpolicy-2.20110726.orig/policy/modules/system/sysnetwork.te +++ refpolicy-2.20110726/policy/modules/system/sysnetwork.te @@ -253,6 +253,7 @@ allow ifconfig_t self:sem create_sem_perms; allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; +term_read_console(ifconfig_t) # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; # for /sbin/ip --- refpolicy-2.20110726.orig/policy/modules/system/sysnetwork.fc +++ refpolicy-2.20110726/policy/modules/system/sysnetwork.fc @@ -28,6 +28,13 @@ /etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0) ') +ifdef(`distro_debian', ` +/dev/shm/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) +ifdef(`distro_debian', ` +/run/shm/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) +/var/run/shm/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) +') +') # # /sbin # @@ -60,6 +67,9 @@ /var/lib/wifiroamd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) /var/run/dhclient.* -- gen_context(system_u:object_r:dhcpc_var_run_t,s0) +ifdef(`distro_debian', ` +/run/dhclient.* -- gen_context(system_u:object_r:dhcpc_var_run_t,s0) +') ifdef(`distro_gentoo',` /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) --- refpolicy-2.20110726.orig/policy/modules/system/logging.fc +++ refpolicy-2.20110726/policy/modules/system/logging.fc 
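Review bot: Replacing `kernel_read_proc_symlinks(setrans_t)` with `kernel_read_system_state(setrans_t)` widens mcstransd from following /proc symlinks to reading proc_t generally; the domain already has `domain_read_all_domains_state`, so this may match observed denials, but the rule should say which /proc file it needs so the broader grant can be justified or reverted. Adding the new interface rather than replacing the old one would also avoid silently dropping the symlink permission if the two interfaces do not fully overlap.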
@@ -1,4 +1,5 @@
 /dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+/dev/xconsole -p gen_context(system_u:object_r:xconsole_device_t,s0)
 /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
 /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/system/pythonsupport.te
+++ refpolicy-2.20110726/policy/modules/system/pythonsupport.te
@@ -0,0 +1,41 @@
+policy_module(pythonsupport,0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type pythoncompile_t;
+type pythoncompile_exec_t;
+domain_type(pythoncompile_t)
+domain_entry_file(pythoncompile_t, pythoncompile_exec_t)
+
+type python_compiled_t;
+files_type(python_compiled_t)
+
+########################################
+#
+# python-support local policy
+#
+
+kernel_read_system_state(pythoncompile_t)
+kernel_read_kernel_sysctls(pythoncompile_t)
+
+corecmd_exec_bin(pythoncompile_t)
+corecmd_exec_sbin(pythoncompile_t)
+
+files_read_etc_files(pythoncompile_t)
+files_read_usr_files(pythoncompile_t)
+
+libs_use_ld_so(pythoncompile_t)
+libs_use_shared_libs(pythoncompile_t)
+libs_use_lib_files(pythoncompile_t)
+
+miscfiles_read_localization(pythoncompile_t)
+
+
+# create compiled python modules
+allow pythoncompile_t python_compiled_t:dir manage_dir_perms;
+allow pythoncompile_t python_compiled_t:file manage_file_perms;
+allow pythoncompile_t python_compiled_t:lnk_file manage_lnk_file_perms;
+files_var_lib_filetrans(pythoncompile_t, python_compiled_t, dir)
--- refpolicy-2.20110726.orig/policy/modules/system/clock.te
+++ refpolicy-2.20110726/policy/modules/system/clock.te
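Review bot: pythoncompile_t is declared with `domain_type` and `domain_entry_file` but nothing in pythonsupport.te assigns it a role or provides a way to enter it, and the `pythonsupport_compiled_read` interface that selinuxutil.te calls is not visible in this part of the patch; the module needs a pythonsupport.if with at least a domtrans interface and the read interface, plus a role assignment such as `role system_r types pythoncompile_t;` or an `init_system_domain`-style declaration. `libs_use_ld_so` and `libs_use_shared_libs` are the older library interfaces and may already be deprecated in refpolicy of this vintage, so check the build warnings. The `0.0.1` in `policy_module` also departs from the 1.0.0 start that iodine.te in this same patch uses for a new module.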
@@ -24,6 +24,7 @@
 dontaudit hwclock_t self:capability sys_tty_config;
 allow hwclock_t self:process signal_perms;
 allow hwclock_t self:fifo_file rw_fifo_file_perms;
+dev_read_urand(hwclock_t)
 # Allow hwclock to store & retrieve correction factors.
 allow hwclock_t adjtime_t:file { rw_file_perms setattr };
--- refpolicy-2.20110726.orig/policy/modules/system/pcmcia.fc
+++ refpolicy-2.20110726/policy/modules/system/pcmcia.fc
@@ -7,4 +7,10 @@
 /var/lib/pcmcia(/.*)? gen_context(system_u:object_r:cardmgr_var_run_t,s0)
 /var/run/cardmgr\.pid -- gen_context(system_u:object_r:cardmgr_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/cardmgr\.pid -- gen_context(system_u:object_r:cardmgr_var_run_t,s0)
+')
 /var/run/stab -- gen_context(system_u:object_r:cardmgr_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/stab -- gen_context(system_u:object_r:cardmgr_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/system/getty.fc
+++ refpolicy-2.20110726/policy/modules/system/getty.fc
@@ -7,6 +7,9 @@
 /var/log/vgetty\.log\..* -- gen_context(system_u:object_r:getty_log_t,s0)
 /var/run/mgetty\.pid.* -- gen_context(system_u:object_r:getty_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/mgetty\.pid.* -- gen_context(system_u:object_r:getty_var_run_t,s0)
+')
 /var/spool/fax(/.*)? gen_context(system_u:object_r:getty_var_run_t,s0)
 /var/spool/voice(/.*)? gen_context(system_u:object_r:getty_var_run_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/system/hotplug.fc
+++ refpolicy-2.20110726/policy/modules/system/hotplug.fc
@@ -8,4 +8,10 @@
 /sbin/netplugd -- gen_context(system_u:object_r:hotplug_exec_t,s0)
 /var/run/usb(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/usb(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0)
+')
 /var/run/hotplug(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/hotplug(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/system/libraries.te
+++ refpolicy-2.20110726/policy/modules/system/libraries.te
@@ -97,6 +97,11 @@
 userdom_use_user_terminals(ldconfig_t)
 userdom_use_all_users_fds(ldconfig_t)
+optional_policy(`
+ # This is needed for apt to get and install packages silently
+ apt_dontaudit_use_fds(ldconfig_t)
+')
+
 ifdef(`distro_ubuntu',`
 optional_policy(`
 unconfined_domain(ldconfig_t)
--- refpolicy-2.20110726.orig/policy/modules/system/iodine.fc
+++ refpolicy-2.20110726/policy/modules/system/iodine.fc
@@ -0,0 +1 @@
+/usr/sbin/iodine.* -- gen_context(system_u:object_r:iodine_exec_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/system/iodine.te
+++ refpolicy-2.20110726/policy/modules/system/iodine.te
@@ -0,0 +1,26 @@
+policy_module(iodine,1.0.0)
+
+# policy for the iodine IP over DNS tunneling daemon
+type iodine_t;
+type iodine_exec_t;
+files_type(iodine_exec_t)
+init_daemon_domain(iodine_t, iodine_exec_t)
+
+logging_send_syslog_msg(iodine_t)
+kernel_search_network_sysctl(iodine_t)
+kernel_read_network_state(iodine_t)
+kernel_request_load_module(iodine_t)
+kernel_read_system_state(iodine_t)
+files_read_etc_files(iodine_t)
+corecmd_exec_shell(iodine_t)
+allow iodine_t self:capability { setgid setuid net_bind_service net_admin net_raw sys_chroot };
+sysnet_domtrans_ifconfig(iodine_t)
+
+allow iodine_t self:rawip_socket { write read create };
+allow iodine_t self:unix_dgram_socket { create connect };
+corenet_raw_receive_generic_node(iodine_t)
+corenet_rw_tun_tap_dev(iodine_t)
+corenet_udp_bind_dns_port(iodine_t)
+corenet_udp_bind_generic_node(iodine_t)
+allow iodine_t self:udp_socket connected_socket_perms;
+allow iodine_t self:tun_socket create;
--- refpolicy-2.20110726.orig/policy/modules/system/udev.te
+++ refpolicy-2.20110726/policy/modules/system/udev.te
@@ -14,6 +14,8 @@
 domain_interactive_fd(udev_t)
 init_daemon_domain(udev_t, udev_exec_t)
+init_domtrans_script(udev_t)
+
 type udev_etc_t alias etc_udev_t;
 files_config_file(udev_etc_t)
@@ -52,8 +54,8 @@
 allow udev_t self:unix_stream_socket connectto;
 allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow udev_t self:rawip_socket create_socket_perms;
+fs_read_anon_inodefs_files(udev_t)
-allow udev_t udev_exec_t:file write;
 can_exec(udev_t, udev_exec_t)
 allow udev_t udev_helper_exec_t:dir list_dir_perms;
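Review bot: The capability line `allow iodine_t self:capability { setgid setuid net_bind_service net_admin net_raw sys_chroot };` carries no explanation; `sys_chroot` and `net_admin` in particular are broad, so each should be tied in a comment to the daemon feature that needs it (privilege drop and chroot at startup, tun interface setup), and `corecmd_exec_shell(iodine_t)` plus `sysnet_domtrans_ifconfig(iodine_t)` deserve the same since a tunnel daemon spawning shells is exactly what a reviewer will question. The file also lacks the Declarations and local policy section headers used by every other module in this patch, and its rules are not grouped by module, which makes later comparison against upstream harder.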
@@ -64,10 +66,13 @@ # create udev database in /dev/.udevdb allow udev_t udev_tbl_t:file manage_file_perms; -dev_filetrans(udev_t, udev_tbl_t, file) +allow udev_t udev_tbl_t:lnk_file manage_lnk_file_perms; +allow udev_t udev_tbl_t:dir manage_dir_perms; +dev_filetrans(udev_t,udev_tbl_t,file) list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t) read_files_pattern(udev_t, udev_rules_t, udev_rules_t) +read_lnk_files_pattern(udev_t, udev_rules_t, udev_rules_t) manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t) manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) @@ -97,6 +102,7 @@ dev_rw_sysfs(udev_t) dev_manage_all_dev_nodes(udev_t) +dev_create_generic_symlinks(udev_t) dev_rw_generic_files(udev_t) dev_delete_generic_files(udev_t) dev_search_usbfs(udev_t) @@ -110,7 +116,11 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these files_read_usr_files(udev_t) +ifdef(`distro_debian', ` +files_manage_etc_runtime_files(udev_t) +', ` files_read_etc_runtime_files(udev_t) +') files_read_etc_files(udev_t) files_exec_etc_files(udev_t) files_dontaudit_search_isid_type_dirs(udev_t) @@ -161,22 +171,29 @@ seutil_domtrans_setfiles(udev_t) sysnet_domtrans_ifconfig(udev_t) +sysnet_manage_config(udev_t) sysnet_domtrans_dhcpc(udev_t) sysnet_rw_dhcp_config(udev_t) sysnet_read_dhcpc_pid(udev_t) sysnet_delete_dhcpc_pid(udev_t) sysnet_signal_dhcpc(udev_t) -sysnet_manage_config(udev_t) sysnet_etc_filetrans_config(udev_t) userdom_dontaudit_search_user_home_content(udev_t) +fstools_getattr_swap_files(udev_t) + ifdef(`distro_gentoo',` # during boot, init scripts use /dev/.rcsysinit # existance to determine if we are in early booting init_getattr_script_status_files(udev_t) ') +ifdef(`distro_debian',` + fs_manage_tmpfs_dirs(udev_t) + fs_manage_tmpfs_chr_files(udev_t) +') + ifdef(`distro_redhat',` fs_manage_tmpfs_dirs(udev_t) fs_manage_tmpfs_files(udev_t) 
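Review bot: `dev_filetrans(udev_t,udev_tbl_t,file)` replaces a line that differs only in spacing, turning `(udev_t, udev_tbl_t, file)` into the unspaced form that refpolicy style rejects; the same reformat-only regression is introduced for `files_pid_filetrans(initrc_t,initrc_var_run_t,file)` and `fs_tmpfs_filetrans(initrc_t,initrc_var_run_t,dir)` in init.te. Dropping those three churn lines shrinks the patch and keeps house style; the genuine additions (`lnk_file` and `dir` manage on udev_tbl_t) stand on their own.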
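Review bot: Under distro_debian the `@@ -110,7 +116,11 @@` hunk switches udev_t from `files_read_etc_runtime_files` to `files_manage_etc_runtime_files`, which adds create, write and delete on every etc_runtime_t file rather than read alone; a comment naming the file udev rewrites (not visible here) would let a future maintainer replace the manage grant with a file transition to a udev-specific type.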
@@ -285,6 +302,7 @@ kernel_read_xen_state(udev_t) xen_manage_log(udev_t) xen_read_image_files(udev_t) + fs_manage_xenfs_files(udev_t) ') optional_policy(` --- refpolicy-2.20110726.orig/policy/modules/system/udev.fc +++ refpolicy-2.20110726/policy/modules/system/udev.fc @@ -11,7 +11,15 @@ /lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0) +ifdef(`distro_debian', ` +/lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0) +/var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0) +ifdef(`distro_debian', ` +/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0) +') +', ` /sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) +') /sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) /sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) /sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) --- refpolicy-2.20110726.orig/policy/modules/system/setrans.fc +++ refpolicy-2.20110726/policy/modules/system/setrans.fc @@ -3,3 +3,6 @@ /sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0) /var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh) +ifdef(`distro_debian', ` +/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh) +') --- refpolicy-2.20110726.orig/policy/modules/system/pythonsupport.fc +++ refpolicy-2.20110726/policy/modules/system/pythonsupport.fc @@ -0,0 +1,2 @@ +/usr/sbin/update-python-modules -- gen_context(system_u:object_r:pythoncompile_exec_t,s0) +/var/lib/python-support(/.*)? gen_context(system_u:object_r:python_compiled_t,s0) --- refpolicy-2.20110726.orig/policy/modules/system/raid.fc +++ refpolicy-2.20110726/policy/modules/system/raid.fc 
@@ -4,3 +4,6 @@ /sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0) +ifdef(`distro_debian', ` +/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/system/udev.if +++ refpolicy-2.20110726/policy/modules/system/udev.if @@ -168,6 +168,24 @@ ######################################## ## +## Allow process to remove udev table files +## +## +## +## The type of the process performing this action. +## +## +# +interface(`udev_unlink_table',` + gen_require(` + type udev_tbl_t; + ') + + allow $1 udev_tbl_t:file unlink; +') + +######################################## +## ## Read the udev device table. ## ## --- refpolicy-2.20110726.orig/policy/modules/system/authlogin.if +++ refpolicy-2.20110726/policy/modules/system/authlogin.if @@ -426,7 +426,7 @@ corecmd_search_bin($1) domtrans_pattern($1, chkpwd_exec_t, chkpwd_t) - dontaudit $1 shadow_t:file { getattr read }; + dontaudit $1 shadow_t:file { open getattr read }; auth_domtrans_upd_passwd($1) ') --- refpolicy-2.20110726.orig/policy/modules/system/modutils.te +++ refpolicy-2.20110726/policy/modules/system/modutils.te @@ -20,6 +20,8 @@ mls_file_write_all_levels(insmod_t) role system_r types insmod_t; +kernel_request_load_module(insmod_t) + # module loading config type modules_conf_t; files_type(modules_conf_t) @@ -75,6 +77,12 @@ files_list_home(depmod_t) userdom_read_user_home_content_files(depmod_t) +ifdef(`distro_debian',` + optional_policy(` + unconfined_run_to(depmod_t, depmod_exec_t) + ') +') + ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(depmod_t) 
@@ -104,11 +112,14 @@ # insmod local policy # -allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config }; +allow insmod_t self:capability { dac_override net_raw sys_admin sys_nice sys_tty_config }; allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; allow insmod_t self:udp_socket create_socket_perms; allow insmod_t self:rawip_socket create_socket_perms; +fs_mount_rpc_pipefs(insmod_t) +fs_list_rpc(insmod_t) +term_read_console(insmod_t) # Read module config and dependency information list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t) --- refpolicy-2.20110726.orig/policy/modules/system/unconfined.if +++ refpolicy-2.20110726/policy/modules/system/unconfined.if @@ -96,6 +96,7 @@ optional_policy(` xserver_unconfined($1) ') + ') ######################################## @@ -319,6 +320,38 @@ ######################################## ## +## Allow a domain to be in role unconfined_r +## +## +##
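Review bot: Adding `sys_admin` to insmod_t's capability set is the broadest single grant in this patch and nothing in the hunk says why; the neighbouring `fs_mount_rpc_pipefs(insmod_t)` suggests it is for mounting rpc_pipefs when the sunrpc module loads, which is worth stating as `# sys_admin: mount rpc_pipefs after loading sunrpc` so the capability can be revisited if that mount moves elsewhere. `term_read_console` is likewise granted to insmod_t, ifconfig_t and setfiles_t in this patch with no note on which program reads the console.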

+## Allow the specified domain to be run in the role unconfined_r +## This is suitable for domains that are entered indirectly from +## unconfined_t +##

+##

+## Also allow the domain to send sigchld to unconfined_t and use fds +##

+##
+## +## +## Domain to be in unconfined_r +## +## +# +interface(`in_unconfined_r',` + gen_require(` + type unconfined_t; + role unconfined_r; + ') + + role unconfined_r types $1; + allow $1 unconfined_t:process sigchld; + allow $1 unconfined_t:fd use; + allow $1 unconfined_t:fifo_file { read write getattr }; +') + +######################################## +## ## Inherit file descriptors from the unconfined domain. ## ## @@ -337,6 +370,24 @@ ######################################## ## +## rw access to a semaphore created by the unconfined domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_sem_rw',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:sem rw_sem_perms; +') + +######################################## +## ## Send a SIGCHLD signal to the unconfined domain. ## ## 
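Review bot: The new interface is named `in_unconfined_r` without the `unconfined_` module prefix that the other interfaces added in this patch carry (including `unconfined_sem_rw` in the next hunk); refpolicy's interface namespace is flat, so it should take an `unconfined_`-prefixed name, and its doc block should state that it also grants sigchld, fd use and fifo read/write on unconfined_t, since the summary only mentions the role. `unconfined_sem_rw`'s summary begins lowercase (`rw access to ...`), unlike the surrounding headers.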
@@ -587,3 +638,82 @@ allow $1 unconfined_t:dbus acquire_svc; ') + +######################################## +## +## Read files in unconfined users home directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_read_home_content_files',` + gen_require(` + type unconfined_home_dir_t, unconfined_home_t; + ') + + files_search_home($1) + allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms; + read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t) + read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t) +') + +######################################## +## +## Do not audit attempts to search the unconfined +## users home directory. +## +## +## +## Domain to not audit. +## +## +# +interface(`unconfined_dontaudit_search_home_dirs',` + gen_require(` + type unconfined_home_dir_t; + ') + + dontaudit $1 unconfined_home_dir_t:dir search_dir_perms; +') + +######################################## +## +## Read unconfined users temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_read_tmp_files',` + gen_require(` + type unconfined_tmp_t; + ') + + files_search_tmp($1) + allow $1 unconfined_tmp_t:dir list_dir_perms; + read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t) + read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t) +') + +######################################## +## +## Write unconfined users temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_write_tmp_files',` + gen_require(` + type unconfined_tmp_t; + ') + + allow $1 unconfined_tmp_t:file { getattr write append }; +') --- refpolicy-2.20110726.orig/policy/modules/system/logging.if +++ refpolicy-2.20110726/policy/modules/system/logging.if 
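Review bot: `unconfined_write_tmp_files` grants `{ getattr write append }` on unconfined_tmp_t files but, unlike `unconfined_read_tmp_files` just above it, neither `open` nor `files_search_tmp($1)`, so a caller can only write through an already-open descriptor. If that is intended the summary should say so ("via inherited file descriptors"); otherwise use `write_file_perms` and add the tmp search the read interface has.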
@@ -901,6 +901,41 @@ ######################################## ## +## Set the attributes of the xconsole named pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_setattr_xconsole',` + gen_require(` + type xconsole_device_t; + ') + + allow $1 xconsole_device_t:fifo_file setattr; +') + +######################################## +## +## Read the xconsole named pipe. +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_r_xconsole',` + gen_require(` + type xconsole_device_t; + ') + + allow $1 xconsole_device_t:fifo_file { getattr read }; +') +######################################## +## ## Create, read, write, and delete ## generic log files. ## --- refpolicy-2.20110726.orig/policy/modules/system/unconfined.fc +++ refpolicy-2.20110726/policy/modules/system/unconfined.fc @@ -1,7 +1,5 @@ # Add programs here which should not be confined by SELinux -# e.g.: -# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) -# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t +/opt/google/chrome/chrome -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) /usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) /usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) 
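Review bot: `logging_r_xconsole` breaks the `logging_<verb>_<object>` naming used by the rest of logging.if (`logging_read_xconsole` would match `logging_setattr_xconsole` right above it), and its closing `')` is not followed by a blank line before the next `####` separator, unlike the interface above it. Both interfaces grant on `fifo_file`, which is consistent with the `-p` entry for /dev/xconsole added in logging.fc.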
@@ -9,6 +7,9 @@ /usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) /usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/bin/gcj-dbtool-4.1 -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/bin/gij-4.1 -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/lib/openoffice/program/soffice.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ifdef(`distro_gentoo',` /usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) --- refpolicy-2.20110726.orig/policy/modules/system/fstools.fc +++ refpolicy-2.20110726/policy/modules/system/fstools.fc @@ -36,6 +36,9 @@ /sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) +# this is not ideal, but the best way to minimise privs for initrc_t +/sbin/logsave -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0) --- refpolicy-2.20110726.orig/policy/modules/system/logging.te +++ refpolicy-2.20110726/policy/modules/system/logging.te @@ -61,6 +61,11 @@ type syslog_conf_t; files_config_file(syslog_conf_t) +ifdef(`distro_debian', ` +# for xconsole detection + allow initrc_t syslog_conf_t:file read_file_perms; +') + type syslogd_t; type syslogd_exec_t; init_daemon_domain(syslogd_t, syslogd_exec_t) 
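Review bot: `/usr/bin/gcj-dbtool-4.1`, `/usr/bin/gij-4.1` and `/usr/lib/openoffice/program/soffice.bin` are regular expressions, and the unescaped `.` means `soffice.bin` also matches `sofficeXbin`; write `soffice\.bin`, `gcj-dbtool-4\.1` and `gij-4\.1`, as the neighbouring entries (`openoffice\.org`, `realplay\.bin`) do. The gcj/gij entries are pinned to one compiler version; if the intent is any installed gcj, `/usr/bin/gij-[0-9.]+` is the more durable pattern.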
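Review bot: `allow initrc_t syslog_conf_t:file read_file_perms;` in logging.te names `initrc_t`, a type owned by the init module, directly; refpolicy's convention is that a module only references its own types and exposes access to them through an interface in its `.if` file, which is also what keeps this buildable when the modules are compiled separately. Add an interface to logging.if (`gen_require` `syslog_conf_t`, then `files_search_etc($1)` and `allow $1 syslog_conf_t:file read_file_perms;`) — `logging_read_syslog_config` if no such interface exists in this tree — and call it from init.te under the same `ifdef(\`distro_debian'` guard, keeping the `# for xconsole detection` comment with the call so the reason travels with the rule.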
@@ -81,6 +86,13 @@
 logging_log_file(var_log_t)
 files_mountpoint(var_log_t)
+# this is not actually a device, its a pipe
+type xconsole_device_t;
+files_type(xconsole_device_t)
+dev_associate(xconsole_device_t)
+files_associate_tmp(xconsole_device_t)
+allow syslogd_t xconsole_device_t:fifo_file rw_file_perms;
+
 ifdef(`enable_mls',`
 init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh)
 init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
@@ -93,6 +105,7 @@
 allow auditctl_t self:capability { fsetid dac_read_search dac_override };
 allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
+dev_read_urand(auditctl_t)
 read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
 allow auditctl_t auditd_etc_t:dir list_dir_perms;
@@ -132,6 +145,7 @@
 allow auditd_t self:unix_dgram_socket create_socket_perms;
 allow auditd_t self:fifo_file rw_fifo_file_perms;
 allow auditd_t self:tcp_socket create_stream_socket_perms;
+dev_read_urand(auditd_t)
 allow auditd_t auditd_etc_t:dir list_dir_perms;
 allow auditd_t auditd_etc_t:file read_file_perms;
@@ -224,6 +238,7 @@
 allow audisp_t self:fifo_file rw_fifo_file_perms;
 allow audisp_t self:unix_stream_socket create_stream_socket_perms;
 allow audisp_t self:unix_dgram_socket create_socket_perms;
+dev_read_urand(audisp_t)
 allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
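Review bot: `allow syslogd_t xconsole_device_t:fifo_file rw_file_perms;` applies the regular-file permission set to a `fifo_file` object; the set defined for that class is `rw_fifo_file_perms`, which is what the rest of logging.te uses (`allow auditd_t self:fifo_file rw_fifo_file_perms;` a few hunks down). The xserver.fc hunk later in the patch removes the `/dev/xconsole -p` entry that gave the pipe this type, but no logging.fc hunk re-adding `/dev/xconsole -p gen_context(system_u:object_r:xconsole_device_t,s0)` is visible in this chunk — if it is not elsewhere in the patch the pipe ends up as `device_t` and syslogd cannot write to it. The comment should read `# this is not actually a device, it's a pipe`.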
@@ -354,11 +369,11 @@ # chown fsetid for syslog-ng # sys_admin for the integrated klog of syslog-ng and metalog # cjp: why net_admin! -allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid }; +allow syslogd_t self:capability { chown dac_override fsetid net_admin sys_admin sys_nice sys_resource sys_tty_config }; dontaudit syslogd_t self:capability sys_tty_config; # setpgid for metalog # setrlimit for syslog-ng -allow syslogd_t self:process { signal_perms setpgid setrlimit }; +allow syslogd_t self:process { signal_perms setpgid setrlimit getsched setsched }; # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; @@ -377,6 +392,9 @@ manage_files_pattern(syslogd_t, var_log_t, var_log_t) rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) +# for rsyslogd, this access is harmless so making it unconditional +allow syslogd_t proc_t:file { getattr read }; + # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; @@ -506,8 +524,3 @@ optional_policy(` udev_read_db(syslogd_t) ') - -optional_policy(` - # log to the xconsole - xserver_rw_console(syslogd_t) -') --- refpolicy-2.20110726.orig/policy/modules/system/iscsi.fc +++ refpolicy-2.20110726/policy/modules/system/iscsi.fc 
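Review bot: `allow syslogd_t proc_t:file { getattr read };` references `proc_t`, a kernel-module type, directly from logging.te and omits `open`, so it only works on descriptors syslogd did not open itself; the interface for this access is `kernel_read_system_state(syslogd_t)`, which grants the read pattern on `proc_t` through the module boundary. The comment "this access is harmless" asserts a conclusion rather than stating what rsyslogd reads; replace the three lines with `# rsyslogd reads generic /proc files` followed by `kernel_read_system_state(syslogd_t)`. In the capability hunk above, `sys_nice` and `getsched setsched` are added without extending the comment block that explains each capability (`# chown fsetid for syslog-ng`, `# setrlimit for syslog-ng`), so note which daemon needs the scheduling changes.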
@@ -3,5 +3,12 @@ /var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0) /var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0) +ifdef(`distro_debian', ` +/var/run/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0) +/run/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0) +') /var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0) /var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) +ifdef(`distro_debian', ` +/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/system/userdomain.te +++ refpolicy-2.20110726/policy/modules/system/userdomain.te @@ -91,6 +91,9 @@ files_tmpfs_file(user_tmpfs_t) userdom_user_home_content(user_tmpfs_t) +type user_hugetlbfs_t; +files_hugetlbfs_file(user_hugetlbfs_t) + type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; dev_node(user_tty_device_t) ubac_constrained(user_tty_device_t) --- refpolicy-2.20110726.orig/policy/modules/system/getty.te +++ refpolicy-2.20110726/policy/modules/system/getty.te @@ -37,6 +37,7 @@ dontaudit getty_t self:capability sys_tty_config; allow getty_t self:process { getpgid setpgid getsession signal_perms }; allow getty_t self:fifo_file rw_fifo_file_perms; +dev_read_urand(getty_t) read_files_pattern(getty_t, getty_etc_t, getty_etc_t) read_lnk_files_pattern(getty_t, getty_etc_t, getty_etc_t) --- refpolicy-2.20110726.orig/policy/modules/system/sysnetwork.if +++ refpolicy-2.20110726/policy/modules/system/sysnetwork.if @@ -423,6 +423,7 @@ type net_conf_t; ') + allow $1 net_conf_t:dir manage_dir_perms; allow $1 net_conf_t:file manage_file_perms; ifdef(`distro_redhat',` --- refpolicy-2.20110726.orig/policy/modules/system/iptables.te +++ refpolicy-2.20110726/policy/modules/system/iptables.te 
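Review bot: `allow $1 net_conf_t:dir manage_dir_perms;` extends an existing interface whose header and summary sit outside this hunk, so every current caller silently gains create/delete/rename/reparent on directories labelled `net_conf_t`, i.e. the ability to remove or replace network configuration entries wholesale rather than edit files in place. Check that each caller needs that (a DHCP client that writes a temp file and renames it over resolv.conf does; a tool that only rewrites file contents does not) and update the interface's `## <summary>` to say directories are managed too. If only one caller needs it, a narrower `sysnet_manage_config_dirs` interface leaves the others unchanged.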
@@ -27,6 +27,7 @@
 # Iptables local policy
 #
+kernel_request_load_module(iptables_t)
 allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };
 dontaudit iptables_t self:capability sys_tty_config;
 allow iptables_t self:fifo_file rw_fifo_file_perms;
--- refpolicy-2.20110726.orig/policy/modules/system/libraries.fc
+++ refpolicy-2.20110726/policy/modules/system/libraries.fc
@@ -6,6 +6,8 @@
 /emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
 /emul/ia32-linux/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
 /emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+/lib64 -d gen_context(system_u:object_r:lib_t,s0)
+/lib64/.* gen_context(system_u:object_r:lib_t,s0)
 ')
 ifdef(`distro_gentoo',`
@@ -37,13 +39,20 @@
 #
 /lib -d gen_context(system_u:object_r:lib_t,s0)
 /lib/.* gen_context(system_u:object_r:lib_t,s0)
+ifdef(`distro_debian', `
+/lib32 -d gen_context(system_u:object_r:lib_t,s0)
+/lib32/.* gen_context(system_u:object_r:lib_t,s0)
+/lib32/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+/lib32/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+', `
 /lib64 -d gen_context(system_u:object_r:lib_t,s0)
 /lib64/.* gen_context(system_u:object_r:lib_t,s0)
-/lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
 /lib64/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+/lib64/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+')
+/lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
 /lib/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/lib64/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 ifdef(`distro_debian',`
 /lib32 -l gen_context(system_u:object_r:lib_t,s0)
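Review bot: In the Debian branch the `/lib64/ld-[^/]*\.so(\.[^/]*)* -- ld_so_t` entry disappears (it now lives only in the non-Debian `', \`` arm), while the hunk above adds `/lib64 -d` and `/lib64/.*` as `lib_t` inside the Debian block; on a Debian amd64 install whose `/lib64/ld-linux-x86-64.so.2` is a regular file rather than a symlink, the loader would be labelled `lib_t` and none of the `ld_so_t` rules would apply to it. Unless Debian amd64 is known to always ship a symlink there, keep the entry unconditional next to the re-added `/lib/ld-` line: `/lib64/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)`. The `--` form matches regular files only, so the symlink case is unaffected either way and the extra line costs nothing.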
@@ -62,7 +71,11 @@ # /opt/.*\.so gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) +ifdef(`distro_debian',` +/opt/(.*/)?lib32(/.*)? gen_context(system_u:object_r:lib_t,s0) +', ` /opt/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0) +') /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) @@ -119,9 +132,14 @@ /usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0) /usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) +ifdef(`distro_debian',` +/usr/(.*/)?lib32(/.*)? gen_context(system_u:object_r:lib_t,s0) +/usr/(.*/)?lib(32)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0) +', ` /usr/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0) - /usr/(.*/)?lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0) +') + /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) --- refpolicy-2.20110726.orig/policy/modules/system/pythonsupport.if +++ refpolicy-2.20110726/policy/modules/system/pythonsupport.if @@ -0,0 +1,83 @@ +## Support for precompiling python modules +## +##

+## Debians python-support will precompile installed python +## packages for installed python versions. This way, +## the python2.3-foobar and python2.4-foobar (and 2.5) packages +## could be merged into one python-foobar while keeping the +## dependency information useful. +##

+##
+# + +######################################## +## +## Execute the python-support utility to precompile modules. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`pythonsupport_domtrans',` + gen_require(` + type pythoncompile_t, pythoncompile_exec_t; + ') + + domain_auto_trans($1,pythoncompile_exec_t,pythoncompile_t) + + allow $1 pythoncompile_t:fd use; + allow pythoncompile_t $1:fd use; + allow $1 pythoncompile_t:fifo_file rw_file_perms; + allow $1 pythoncompile_t:process sigchld; +') + +######################################## +## +## Role access for python. +## +## +## +## Role allowed access. +## +## +## +## +## Domain allowed access. +## +## +## +# +interface(`python_role',` + gen_require(` + type pythoncompile_t, pythoncompile_exec_t; + ') + + domtrans_pattern($2, pythoncompile_exec_t, pythoncompile_t) + role $1 types pythoncompile_t; + + allow $2 pythoncompile_t:process { signal_perms }; + ps_process_pattern($2, pythoncompile_t) +') + +######################################## +## +## Read compiled python modules +## +## +## +## Domain allowed to read the compiled python modules. +## +## +# +interface(`pythonsupport_compiled_read',` + gen_require(` + type python_compiled_t; + ') + + files_search_var_lib($1) + allow $1 python_compiled_t:dir list_dir_perms; + allow $1 python_compiled_t:file read_file_perms; + allow $1 python_compiled_t:lnk_file read_lnk_file_perms; +') --- refpolicy-2.20110726.orig/policy/modules/system/iodine.if +++ refpolicy-2.20110726/policy/modules/system/iodine.if @@ -0,0 +1 @@ +## --- refpolicy-2.20110726.orig/policy/modules/system/userdomain.if +++ refpolicy-2.20110726/policy/modules/system/userdomain.if @@ -87,6 +87,7 @@ files_read_etc_files($1_t) files_read_etc_runtime_files($1_t) files_read_usr_files($1_t) + files_exec_usr_files($1_t) # Read directories and files with the readable_t type. # This type is a general type for "world"-readable files. files_list_world_readable($1_t) 
@@ -117,6 +118,19 @@ # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') + + tunable_policy(`user_manage_dos_files',` + fs_manage_dos_dirs($1_t) + fs_manage_dos_files($1_t) + ') + + ifdef(`distro_debian', ` + # allow reading /var/lib/apt/lists + apt_read_db($1_t) + # allow reading /var/cache/apt - should not be needed but + # does not really matter + apt_read_cache($1_t) + ') ') ####################################### @@ -349,6 +363,7 @@ interface(`userdom_manage_tmpfs_role',` gen_require(` type user_tmpfs_t; + type user_hugetlbfs_t; ') manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t) @@ -357,6 +372,8 @@ manage_sock_files_pattern($2, user_tmpfs_t, user_tmpfs_t) manage_fifo_files_pattern($2, user_tmpfs_t, user_tmpfs_t) fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + manage_files_pattern($2, user_hugetlbfs_t, user_hugetlbfs_t) + fs_hugetlbfs_filetrans($2, user_hugetlbfs_t, { file }) ') ####################################### @@ -532,6 +549,7 @@ files_read_var_symlinks($1_t) files_read_generic_spool($1_t) files_read_var_lib_files($1_t) + files_read_var_lib_symlinks($1_t) # Stat lost+found. files_getattr_lost_found_dirs($1_t) @@ -655,6 +673,10 @@ ') optional_policy(` + pythonsupport_compiled_read($1_t) + ') + + optional_policy(` pcscd_read_pub_files($1_t) pcscd_stream_connect($1_t) ') @@ -961,7 +983,6 @@ # Need the following rule to allow users to run vpnc corenet_tcp_bind_xserver_port($1_t) - files_exec_usr_files($1_t) # cjp: why? files_read_kernel_symbol_table($1_t) @@ -1006,10 +1027,49 @@ optional_policy(` setroubleshoot_stream_connect($1_t) ') + + optional_policy(` + mysqld_exec($1_t) + ') ') ####################################### ## +## The template for creating a user with network access. +## +## +##
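Review bot: `apt_read_db($1_t)` and `apt_read_cache($1_t)` are called from a core user template without an `optional_policy` wrapper; `ifdef(\`distro_debian')` selects the distribution, not whether the apt module is built, so a Debian build that omits apt fails on an undefined interface, and the other cross-module calls in this file are wrapped. Use `optional_policy(\`` `apt_read_db($1_t)` `apt_read_cache($1_t)` `')` inside the ifdef. The `user_manage_dos_files` branch lands in the same base template, so every user domain including restricted ones gets write access to dosfs media whenever the tunable is on — check its default and consider placing the block in the unprivileged template instead.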

+## This template creates a user domain, types, and +## rules for the user's tty, pty, home directories, +## tmp, and tmpfs files. +##

+##

+## This differs from the unpriv_user_template by allowing non-privileged network access. +##

+##
+## +## +## The prefix of the user domain (e.g., sysadm +## is the prefix for sysadm_t). +## +## +# +template(`network_user_template',` + ############################## + # + # Declarations + # + + # Inherit rules for ordinary users. + userdom_unpriv_user_template($1) + # like user_tcp_server + corenet_tcp_bind_generic_port($1_t) + sysnet_dns_name_resolve($1_t) + allow $1_t self:tcp_socket create_stream_socket_perms; + allow $1_t self:udp_socket create_stream_socket_perms; +') +####################################### +## ## The template for creating an administrative user. ## ## --- refpolicy-2.20110726.orig/policy/modules/system/selinuxutil.fc +++ refpolicy-2.20110726/policy/modules/system/selinuxutil.fc @@ -46,3 +46,6 @@ # /var/run # /var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0) +ifdef(`distro_debian', ` +/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/jabber.if +++ refpolicy-2.20110726/policy/modules/services/jabber.if @@ -11,7 +11,7 @@ ## # interface(`jabber_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') ######################################## --- refpolicy-2.20110726.orig/policy/modules/services/dbus.fc +++ refpolicy-2.20110726/policy/modules/services/dbus.fc 
@@ -6,12 +6,23 @@ /lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) +ifdef(`distro_redhat', ` /usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) +') +ifdef(`distro_debian', ` +/usr/lib/dbus-1.0/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) +') /var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') +ifdef(`distro_debian',` +/usr/lib/gnome-vfs-2.0/gnome-vfs-daemon -- gen_context(system_u:object_r:bin_t,s0) +') ifdef(`distro_redhat',` /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) ') --- refpolicy-2.20110726.orig/policy/modules/services/jabber.te +++ refpolicy-2.20110726/policy/modules/services/jabber.te @@ -28,10 +28,11 @@ allow jabberd_t self:capability dac_override; dontaudit jabberd_t self:capability sys_tty_config; -allow jabberd_t self:process signal_perms; -allow jabberd_t self:fifo_file read_fifo_file_perms; +allow jabberd_t self:process { signal_perms getsched setsched }; +allow jabberd_t self:fifo_file rw_fifo_file_perms; allow jabberd_t self:tcp_socket create_stream_socket_perms; allow jabberd_t self:udp_socket create_socket_perms; +corenet_udp_bind_generic_node(jabberd_t) manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t) files_var_lib_filetrans(jabberd_t, jabberd_var_lib_t, file) @@ -44,7 +45,7 @@ kernel_read_kernel_sysctls(jabberd_t) kernel_list_proc(jabberd_t) -kernel_read_proc_symlinks(jabberd_t) +kernel_read_system_state(jabberd_t) corenet_all_recvfrom_unlabeled(jabberd_t) corenet_all_recvfrom_netlabel(jabberd_t) 
@@ -55,14 +56,19 @@ corenet_tcp_sendrecv_all_ports(jabberd_t) corenet_udp_sendrecv_all_ports(jabberd_t) corenet_tcp_bind_generic_node(jabberd_t) +corenet_tcp_connect_generic_port(jabberd_t) corenet_tcp_bind_jabber_client_port(jabberd_t) corenet_tcp_bind_jabber_interserver_port(jabberd_t) corenet_sendrecv_jabber_client_server_packets(jabberd_t) corenet_sendrecv_jabber_interserver_server_packets(jabberd_t) +corecmd_exec_bin(jabberd_t) +corecmd_exec_shell(jabberd_t) + dev_read_sysfs(jabberd_t) # For SSL dev_read_rand(jabberd_t) +dev_read_urand(jabberd_t) domain_use_interactive_fds(jabberd_t) @@ -82,6 +88,10 @@ userdom_dontaudit_search_user_home_dirs(jabberd_t) optional_policy(` + run_epmd(jabberd_t, system_r) +') + +optional_policy(` nis_use_ypbind(jabberd_t) ') --- refpolicy-2.20110726.orig/policy/modules/services/fetchmail.fc +++ refpolicy-2.20110726/policy/modules/services/fetchmail.fc @@ -16,4 +16,8 @@ # /var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0) +ifdef(`distro_debian', ` +/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0) +') /var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0) +/var/lib/fetchmail(/.*)? gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0) --- refpolicy-2.20110726.orig/policy/modules/services/ftp.fc +++ refpolicy-2.20110726/policy/modules/services/ftp.fc @@ -23,6 +23,9 @@ # /var # /var/run/proftpd.* gen_context(system_u:object_r:ftpd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/proftpd.* gen_context(system_u:object_r:ftpd_var_run_t,s0) +') /var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0) --- refpolicy-2.20110726.orig/policy/modules/services/cron.if +++ refpolicy-2.20110726/policy/modules/services/cron.if 
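Review bot: `corecmd_exec_shell(jabberd_t)`, `corecmd_exec_bin(jabberd_t)` and `corenet_tcp_connect_generic_port(jabberd_t)` let a network-facing daemon run arbitrary shell scripts and binaries and connect to any generic port, with no comment naming which server needs it. Add the reason above the lines (e.g. `# ejabberd: the erlang runtime is started through shell wrappers`), and if the outbound connections are server-to-server, `corenet_tcp_connect_jabber_interserver_port(jabberd_t)` is the narrower grant. `run_epmd(jabberd_t, system_r)` is not a refpolicy-style interface name and is presumably defined elsewhere in this patch; if so, the expected spelling is `epmd_run` or `epmd_domtrans`.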
@@ -35,7 +35,8 @@ allow $1_t self:fifo_file rw_fifo_file_perms; allow $1_t $1_tmp_t:file manage_file_perms; - files_tmp_filetrans($1_t, $1_tmp_t, file) + allow $1_t $1_tmp_t:dir manage_dir_perms; + files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) # create files in /var/spool/cron manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t) @@ -207,7 +208,7 @@ class passwd crontab; ') - role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t }; + role $1 types { cronjob_t admin_crontab_t }; # cronjob shows up in user ps ps_process_pattern($2, cronjob_t) @@ -257,11 +258,12 @@ # interface(`cron_system_entry',` gen_require(` - type crond_t, system_cronjob_t; + type crond_t, system_cronjob_t, crond_tmp_t; ') domtrans_pattern(system_cronjob_t, $2, $1) domtrans_pattern(crond_t, $2, $1) + allow $1 crond_tmp_t:file { read write ioctl }; role system_r types $1; ') @@ -631,3 +633,22 @@ dontaudit $1 system_cronjob_tmp_t:file write_file_perms; ') + +######################################## +## +## Allow crond to search directories that are home directories for +## accounts used or parent directories of home directories. +## +## +## +## Type of directory that crond_t may search. +## +## +# +interface(`crond_search_dir',` + gen_require(` + type crond_t; + ') + + allow crond_t $1:dir search; +') --- refpolicy-2.20110726.orig/policy/modules/services/ricci.fc +++ refpolicy-2.20110726/policy/modules/services/ricci.fc 
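Review bot: `allow $1 crond_tmp_t:file { read write ioctl };` in `cron_system_entry` is a raw cross-type allow without `open`, so it only works on descriptors the job inherits from crond; if that is the intent, say so (`# rw inherited crond temp files (job input/output)`), otherwise use `rw_file_perms` so a job can open them by path. `crond_search_dir` takes a bare type and grants `crond_t` `search` on it; document in the header that it is for home-directory parents only, since refpolicy would normally express this the other way round with `crond_t` calling `userdom_search_user_home_dirs` rather than a generic hole any module can widen.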
@@ -12,5 +12,14 @@ /var/log/clumond\.log -- gen_context(system_u:object_r:ricci_modcluster_var_log_t,s0) /var/run/clumond\.sock -s gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0) +ifdef(`distro_debian', ` +/run/clumond\.sock -s gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0) +') /var/run/modclusterd\.pid -- gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0) +ifdef(`distro_debian', ` +/run/modclusterd\.pid -- gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0) +') /var/run/ricci\.pid -- gen_context(system_u:object_r:ricci_var_run_t,s0) +ifdef(`distro_debian', ` +/run/ricci\.pid -- gen_context(system_u:object_r:ricci_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/ssh.if +++ refpolicy-2.20110726/policy/modules/services/ssh.if @@ -421,6 +421,11 @@ ') optional_policy(` + run_gpg_agent($1_ssh_agent_t) + ') + + optional_policy(` + xdm_sigchld($1_ssh_agent_t) xserver_use_xdm_fds($1_ssh_agent_t) xserver_rw_xdm_pipes($1_ssh_agent_t) ') @@ -563,7 +568,7 @@ ## # interface(`ssh_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') ######################################## --- refpolicy-2.20110726.orig/policy/modules/services/aisexec.fc +++ refpolicy-2.20110726/policy/modules/services/aisexec.fc @@ -7,3 +7,6 @@ /var/log/cluster/aisexec\.log -- gen_context(system_u:object_r:aisexec_var_log_t,s0) /var/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0) +ifdef(`distro_debian', ` +/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/mta.te +++ refpolicy-2.20110726/policy/modules/services/mta.te 
@@ -5,11 +5,18 @@ # Declarations # +# attribute used for domains that act on behalf of the user to deliver mail +# to the queue attribute mailcontent_type; attribute mta_exec_type; attribute mta_user_agent; + +# attribute used for domains that deliver mail locally attribute mailserver_delivery; + attribute mailserver_domain; + +# attribute used for domains that send mail externally (smtp or lmtp) attribute mailserver_sender; attribute user_mail_domain; --- refpolicy-2.20110726.orig/policy/modules/services/portmap.if +++ refpolicy-2.20110726/policy/modules/services/portmap.if @@ -57,7 +57,7 @@ ## # interface(`portmap_udp_send',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') ######################################## @@ -71,7 +71,7 @@ ## # interface(`portmap_udp_chat',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') ######################################## @@ -85,5 +85,5 @@ ## # interface(`portmap_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') --- refpolicy-2.20110726.orig/policy/modules/services/dhcp.fc +++ refpolicy-2.20110726/policy/modules/services/dhcp.fc @@ -6,3 +6,6 @@ /var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0) /var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/xserver.fc +++ refpolicy-2.20110726/policy/modules/services/xserver.fc 
@@ -9,11 +9,7 @@ HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) - -# -# /dev -# -/dev/xconsole -p gen_context(system_u:object_r:xconsole_device_t,s0) +HOME_DIR/\.xsession-errors -- gen_context(system_u:object_r:xauth_home_t,s0) # # /etc @@ -21,10 +17,10 @@ /etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0) -/etc/kde3?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0) -/etc/kde3?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0) -/etc/kde3?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) -/etc/kde3?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0) +/etc/kde[34]?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0) +/etc/kde[34]?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0) +/etc/kde[34]?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) +/etc/kde[34]?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0) /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) @@ -33,10 +29,9 @@ /etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0) -ifdef(`distro_redhat',` +/etc/gdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/gdm/PostSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/gdm/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0) -') # # /opt 
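Review bot: `HOME_DIR/\.xsession-errors -- gen_context(system_u:object_r:xauth_home_t,s0)` gives the session's error log the same type as the X authority cookie files labelled in the lines above it (`.Xauthority*`, `.xauth*`, `.serverauth*`). Every domain allowed to write the log — the display manager and anything the session scripts spawn — thereby gets write access to the cookie files, and anything allowed to read the log can read the cookies, which are the credential for the X server. Use a separate type: `xdm_home_t` is the natural one if this tree has it, otherwise declare a dedicated home-content type in xserver.te and label the log with that.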
@@ -65,13 +60,12 @@ /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) -ifdef(`distro_debian', ` -/usr/sbin/gdm -- gen_context(system_u:object_r:xdm_exec_t,s0) -') /usr/lib(64)?/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +ifndef(`distro_debian', ` /usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) +') /usr/X11R6/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/X11R6/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) 
@@ -88,18 +82,26 @@ # /var # -/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) - -/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) +/var/lib/[xgkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) -/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) +ifdef(`distro_debian', ` +/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) +') /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +ifdef(`distro_debian', ` +/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +') +/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +ifdef(`distro_debian', ` +/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +') ifdef(`distro_suse',` /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) --- refpolicy-2.20110726.orig/policy/modules/services/devicekit.fc +++ refpolicy-2.20110726/policy/modules/services/devicekit.fc 
@@ -2,13 +2,31 @@ /usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) /usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) /usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) +/usr/lib/udisks/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) +/usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0) +ifdef(`distro_debian',` +/usr/lib/upower/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) +', ` /usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) +') /var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0) /var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) /var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) /var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +ifdef(`distro_debian', ` +/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +') /var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +ifdef(`distro_debian', ` +/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +') /var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +ifdef(`distro_debian', ` +/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +') /var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +ifdef(`distro_debian', ` +/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/openct.fc +++ refpolicy-2.20110726/policy/modules/services/openct.fc 
@@ -8,3 +8,6 @@ # /var # /var/run/openct(/.*)? gen_context(system_u:object_r:openct_var_run_t,s0) +ifdef(`distro_debian', ` +/run/openct(/.*)? gen_context(system_u:object_r:openct_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/smartmon.fc +++ refpolicy-2.20110726/policy/modules/services/smartmon.fc @@ -9,4 +9,7 @@ # /var # /var/run/smartd\.pid -- gen_context(system_u:object_r:fsdaemon_var_run_t,s0) +ifdef(`distro_debian', ` +/run/smartd\.pid -- gen_context(system_u:object_r:fsdaemon_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/spamassassin.te +++ refpolicy-2.20110726/policy/modules/services/spamassassin.te @@ -43,6 +43,7 @@ typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t }; application_domain(spamc_t, spamc_exec_t) ubac_constrained(spamc_t) +role system_r types spamc_t; type spamc_tmp_t; typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; @@ -52,7 +53,8 @@ type spamd_t; type spamd_exec_t; -init_daemon_domain(spamd_t, spamd_exec_t) +init_daemon_domain(spamd_t,spamd_exec_t) +can_exec(spamd_t,spamc_exec_t) type spamd_spool_t; files_type(spamd_spool_t) @@ -66,6 +68,7 @@ type spamd_var_run_t; files_pid_file(spamd_var_run_t) +manage_sock_files_pattern(spamd_t,spamd_var_run_t,spamd_var_run_t) ############################## # @@ -205,6 +208,7 @@ allow spamc_t self:unix_stream_socket connectto; allow spamc_t self:tcp_socket create_stream_socket_perms; allow spamc_t self:udp_socket create_socket_perms; +allow spamc_t self:netlink_route_socket { read write bind create getattr nlmsg_read }; manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) 
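Review bot: `manage_sock_files_pattern(spamd_t,spamd_var_run_t,spamd_var_run_t)` is placed in the Declarations section right after `files_pid_file(spamd_var_run_t)`; refpolicy keeps access rules in the per-domain policy section where `spamd_t`'s other `spamd_var_run_t` rules live, and if spamd creates the socket directly under /var/run it also needs `files_pid_filetrans(spamd_t, spamd_var_run_t, sock_file)` to get the label. `can_exec(spamd_t,spamc_exec_t)` runs spamc inside `spamd_t` rather than transitioning; a one-line comment on why spamd executes its own client would save the next reader from wondering whether a `domtrans` was intended.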
@@ -286,7 +290,7 @@ # setuids to the user running spamc. Comment this if you are not # using this ability. -allow spamd_t self:capability { setuid setgid dac_override sys_tty_config }; +allow spamd_t self:capability { kill setgid setuid dac_override sys_tty_config }; dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; @@ -333,6 +337,7 @@ corenet_udp_sendrecv_all_ports(spamd_t) corenet_tcp_bind_generic_node(spamd_t) corenet_tcp_bind_spamd_port(spamd_t) +corenet_tcp_connect_spamd_port(spamd_t) corenet_tcp_connect_razor_port(spamd_t) corenet_tcp_connect_smtp_port(spamd_t) corenet_sendrecv_razor_client_packets(spamd_t) @@ -421,6 +426,7 @@ optional_policy(` postfix_read_config(spamd_t) + postfix_search_spool(spamd_t) ') optional_policy(` --- refpolicy-2.20110726.orig/policy/modules/services/w3c.te +++ refpolicy-2.20110726/policy/modules/services/w3c.te @@ -5,6 +5,7 @@ # Declarations # +apache_script_exec_domain(w3c_validator) apache_content_template(w3c_validator) ######################################## --- refpolicy-2.20110726.orig/policy/modules/services/apache.if +++ refpolicy-2.20110726/policy/modules/services/apache.if @@ -11,12 +11,29 @@ ##
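Review bot: The new `kill` capability for spamd_t is added without explaining why; the comment above the rule only motivates setuid/setgid. A root parent signalling a child that has already setuid'd to the spamc user is the plausible reason, so record it: `# kill: signal per-user children after they setuid to the spamc user`. The same applies to `corenet_tcp_connect_spamd_port(spamd_t)` in the next hunk, since a daemon connecting to its own listening port is unusual and deserves a one-line why-comment. The enclosing spamd_t local policy block starts before and ends after these hunks.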
## # +template(`apache_script_exec_domain',` + type httpd_$1_script_exec_t; # customizable; + fs_associate(httpd_$1_script_exec_t) +') + +######################################## +## +## Create a set of derived types for apache +## web content. +## +## +## +## The prefix to be used for deriving type names. +## +## +# template(`apache_content_template',` gen_require(` attribute httpdcontent; attribute httpd_exec_scripts; attribute httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; + type httpd_$1_script_exec_t; ') # allow write access to public file transfer # services files. @@ -37,7 +54,9 @@ role system_r types httpd_$1_script_t; # This type is used for executable scripts files - type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable; + # must be defined by the caller + # type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable; + typeattribute httpd_$1_script_exec_t httpd_script_exec_type; corecmd_shell_entry_type(httpd_$1_script_t) domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t) @@ -50,6 +69,7 @@ files_type(httpd_$1_ra_content_t) read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t) + read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t) domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) @@ -108,6 +128,10 @@ seutil_dontaudit_search_config(httpd_$1_script_t) + allow httpd_t httpd_$1_content_t:dir list_dir_perms; + read_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t) + read_lnk_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t) + tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_$1_script_t httpdcontent:file entrypoint; 
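Review bot: Splitting `httpd_$1_script_exec_t` out into `apache_script_exec_domain` creates an undocumented ordering contract: `apache_content_template` now requires a type it no longer declares, so every caller must invoke `apache_script_exec_domain($1)` first (and outside `optional_policy`, as cvs.te does elsewhere in this patch), yet the doc block that now sits above the new template is the old "Create a set of derived types for apache web content" text, which describes the wrong template. Replace the summary above `apache_script_exec_domain` with something like `## Declare the script executable type httpd_$1_script_exec_t; must be called before apache_content_template($1), outside optional_policy, so the type exists for file contexts even when apache is not built`, and add a matching note to the content template's doc. The `# customizable;` comment on the type line is fine; the commented-out `# type httpd_$1_script_exec_t, httpd_script_exec_type;` line in the second hunk is dead code and should be removed rather than left alongside the `# must be defined by the caller` note.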
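Review bot: The `allow httpd_t httpd_$1_content_t:dir list_dir_perms;` / `read_files_pattern` / `read_lnk_files_pattern` block added before the `httpd_enable_cgi && httpd_unified` tunable grants httpd_t read access to all `$1` content unconditionally, which is a deliberate change (the next hunk drops "and serve pages" from the tunable's comment) but is not stated at the rule site. Add `# serve static content regardless of httpd_builtin_scripting` above the three lines, and if the same three rules still exist inside the `httpd_builtin_scripting` block further down (not visible here), delete that copy so the policy does not carry the grant twice. The two added calls also use `(httpd_t,httpd_$1_content_t,...)` without the space after commas that the surrounding file uses.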
@@ -121,7 +145,7 @@ miscfiles_manage_public_files(httpd_$1_script_t) ') - # Allow the web server to run scripts and serve pages + # Allow the web server to run scripts tunable_policy(`httpd_builtin_scripting',` manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) @@ -222,6 +246,13 @@ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t) + manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) + relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) + relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t) + relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) + + manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) + manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t) manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t) --- refpolicy-2.20110726.orig/policy/modules/services/ftp.if +++ refpolicy-2.20110726/policy/modules/services/ftp.if @@ -29,7 +29,7 @@ ## # interface(`ftp_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') ######################################## --- refpolicy-2.20110726.orig/policy/modules/services/spamassassin.if +++ refpolicy-2.20110726/policy/modules/services/spamassassin.if 
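Review bot: The seven added lines in the `@@ -222,6 +246,13 @@` hunk duplicate rules that already exist: the context lines before and after show `manage_dirs_pattern`, `manage_files_pattern`, `manage_lnk_files_pattern`, `relabel_dirs_pattern` and `relabel_files_pattern` for `($2, httpd_user_content_t, httpd_user_content_t)`, and the insertion repeats exactly that set plus `relabel_lnk_files_pattern`, so after the patch every rule appears twice. This looks like a merge artifact; the hunk should add only `relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)` if that is the missing rule, and drop the rest. In the ftp.if hunk, turning `refpolicywarn` into `refpolicyerr` makes any module still calling `ftp_tcp_connect` fail to build, and the message names no replacement; if the hard error is intended, say what to call instead, e.g. `refpolicyerr(`$0($*) has been deprecated, use corenet_tcp_connect_ftp_port() instead.')` or whichever interface now covers it.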
@@ -225,3 +225,23 @@
 dontaudit $1 spamd_tmp_t:sock_file getattr;
 ')
+
+########################################
+##
+## Connect to spamd via unix socket
+##
+##
+##
+## Domain to connect
+##
+##
+#
+interface(`spamassassin_connect_unix_sock',`
+ gen_require(`
+ type spamd_t, spamd_var_run_t;
+ ')
+
+ allow $1 spamd_var_run_t:dir search_dir_perms;
+ allow $1 spamd_var_run_t:sock_file write;
+ allow $1 spamd_t:unix_stream_socket connectto;
+')
--- refpolicy-2.20110726.orig/policy/modules/services/zebra.fc
+++ refpolicy-2.20110726/policy/modules/services/zebra.fc
@@ -18,5 +18,14 @@
 /var/log/zebra(/.*)? gen_context(system_u:object_r:zebra_log_t,s0)
 /var/run/\.zebra -s gen_context(system_u:object_r:zebra_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/\.zebra -s gen_context(system_u:object_r:zebra_var_run_t,s0)
+')
 /var/run/\.zserv -s gen_context(system_u:object_r:zebra_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/\.zserv -s gen_context(system_u:object_r:zebra_var_run_t,s0)
+')
 /var/run/quagga(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/quagga(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/stunnel.fc
+++ refpolicy-2.20110726/policy/modules/services/stunnel.fc
@@ -5,3 +5,6 @@
 /usr/sbin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0)
 /var/run/stunnel(/.*)? gen_context(system_u:object_r:stunnel_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/stunnel(/.*)? gen_context(system_u:object_r:stunnel_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/clogd.fc
+++ refpolicy-2.20110726/policy/modules/services/clogd.fc
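Review bot: `spamassassin_connect_unix_sock` hand-rolls the three rules that refpolicy already bundles, and misses the pid-directory traversal a caller needs to reach `/var/run/spamassassin`; the body should be `files_search_pids($1)` followed by `stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)`, which is exactly how the new `dkim_stream_connect` in this same patch is written. The name also departs from the module convention (`<module>_stream_connect_<thing>`), so `spamassassin_stream_connect_spamd` would be more consistent. The summary line `## Connect to spamd via unix socket` should name the socket type it touches so callers know what gets labeled `spamd_var_run_t`.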
@@ -1,3 +1,6 @@ /usr/sbin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0) /var/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/samba.fc +++ refpolicy-2.20110726/policy/modules/services/samba.fc 
@@ -37,17 +37,53 @@ /var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0) /var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) +') /var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) +') /var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) +') /var/run/samba/locking\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/samba/locking\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) +') /var/run/samba/messages\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/samba/messages\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0) +') /var/run/samba/namelist\.debug -- gen_context(system_u:object_r:nmbd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/samba/namelist\.debug -- gen_context(system_u:object_r:nmbd_var_run_t,s0) +') /var/run/samba/nmbd\.pid -- gen_context(system_u:object_r:nmbd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/samba/nmbd\.pid -- gen_context(system_u:object_r:nmbd_var_run_t,s0) +') /var/run/samba/sessionid\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/samba/sessionid\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) +') /var/run/samba/share_info\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/samba/share_info\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) +') /var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0) +') 
/var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0) +') /var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) +ifdef(`distro_debian', ` +/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) +') /var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) --- refpolicy-2.20110726.orig/policy/modules/services/corosync.fc +++ refpolicy-2.20110726/policy/modules/services/corosync.fc @@ -9,4 +9,10 @@ /var/log/cluster/corosync\.log -- gen_context(system_u:object_r:corosync_var_log_t,s0) /var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0) +ifdef(`distro_debian', ` +/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0) +') /var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0) +ifdef(`distro_debian', ` +/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/soundserver.fc +++ refpolicy-2.20110726/policy/modules/services/soundserver.fc @@ -8,6 +8,12 @@ /usr/sbin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0) /var/run/nasd(/.*)? gen_context(system_u:object_r:soundd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/nasd(/.*)? gen_context(system_u:object_r:soundd_var_run_t,s0) +') /var/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0) +') /var/state/yiff(/.*)? gen_context(system_u:object_r:soundd_state_t,s0) --- refpolicy-2.20110726.orig/policy/modules/services/asterisk.fc +++ refpolicy-2.20110726/policy/modules/services/asterisk.fc 
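Review bot: Every `/var/run/...` entry in samba.fc now carries a three-line `ifdef(`distro_debian', ` ... ')` clone for `/run/...`, thirteen of them in this one file and the same pattern across every .fc in the patch, which doubles the maintenance surface and makes it easy for a future entry to be added to one path and not the other. A single regex per object covers both locations without the conditional, e.g. `/(var/)?run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0)`; if the `/run` entries must stay Debian-only, one `ifdef` block per file listing all `/run` paths is still far easier to audit than one block per entry. This is a style point, the labels themselves look right.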
@@ -6,4 +6,7 @@ /var/lib/asterisk(/.*)? gen_context(system_u:object_r:asterisk_var_lib_t,s0) /var/log/asterisk(/.*)? gen_context(system_u:object_r:asterisk_log_t,s0) /var/run/asterisk(/.*)? gen_context(system_u:object_r:asterisk_var_run_t,s0) +ifdef(`distro_debian', ` +/run/asterisk(/.*)? gen_context(system_u:object_r:asterisk_var_run_t,s0) +') /var/spool/asterisk(/.*)? gen_context(system_u:object_r:asterisk_spool_t,s0) --- refpolicy-2.20110726.orig/policy/modules/services/ssh.fc +++ refpolicy-2.20110726/policy/modules/services/ssh.fc @@ -14,3 +14,6 @@ /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/dkim.if +++ refpolicy-2.20110726/policy/modules/services/dkim.if @@ -1 +1,20 @@ ## DomainKeys Identified Mail milter. + +######################################## +## +## Connect to dkim-milter. +## +## +## +## Domain allowed to connect. +## +## +# +interface(`dkim_stream_connect',` + gen_require(` + type dkim_milter_t, dkim_milter_data_t; + ') + + stream_connect_pattern($1,dkim_milter_data_t,dkim_milter_data_t,dkim_milter_t) +') + --- refpolicy-2.20110726.orig/policy/modules/services/portmap.fc +++ refpolicy-2.20110726/policy/modules/services/portmap.fc 
@@ -4,9 +4,16 @@ ifdef(`distro_debian',` /sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) /sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) +/var/run/portmap_mapping -- gen_context(system_u:object_r:portmap_var_run_t,s0) +ifdef(`distro_debian', ` +/run/portmap_mapping -- gen_context(system_u:object_r:portmap_var_run_t,s0) +') ', ` /usr/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) /usr/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) ') /var/run/portmap\.upgrade-state -- gen_context(system_u:object_r:portmap_var_run_t,s0) +ifdef(`distro_debian', ` +/run/portmap\.upgrade-state -- gen_context(system_u:object_r:portmap_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/tor.fc +++ refpolicy-2.20110726/policy/modules/services/tor.fc @@ -10,3 +10,6 @@ /var/log/tor(/.*)? gen_context(system_u:object_r:tor_var_log_t,s0) /var/run/tor(/.*)? gen_context(system_u:object_r:tor_var_run_t,s0) +ifdef(`distro_debian', ` +/run/tor(/.*)? gen_context(system_u:object_r:tor_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/apache.fc +++ refpolicy-2.20110726/policy/modules/services/apache.fc @@ -32,8 +32,12 @@ /usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) /usr/lib(64)?/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) +ifdef(`distro_debian', ` +/usr/lib/apache2/mpm-.*/.*$ -- gen_context(system_u:object_r:httpd_exec_t,s0) +', ` /usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) +') /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0) 
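Review bot: In portmap.fc the new `ifdef(`distro_debian', `` around `/run/portmap_mapping` sits inside the existing `ifdef(`distro_debian',`` block, so the inner conditional is always true and only adds noise; the `/run/portmap_mapping` line can be placed directly after `/var/run/portmap_mapping` within the outer block. In the apache.fc hunk, the trailing `$` in `/usr/lib/apache2/mpm-.*/.*$` is redundant because file_contexts regexes are already anchored at both ends, and `mpm-.*/.*` labels every regular file under the MPM directories as `httpd_exec_t`, not only the `apache2` binary; unless other files live there, `/usr/lib/apache2/mpm-[^/]+/apache2 -- gen_context(system_u:object_r:httpd_exec_t,s0)` is tighter. Note the Debian branch also silently drops the `apache-ssl(2)?` entry that the non-Debian branch keeps.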
@@ -79,7 +83,8 @@ /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0) - +/var/lib/squirrelmail/data(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0) + /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) @@ -93,11 +98,29 @@ ') /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) +') /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) +') /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) +') /var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) +') /var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0) +') /var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0) +') /var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0) --- refpolicy-2.20110726.orig/policy/modules/services/avahi.fc +++ refpolicy-2.20110726/policy/modules/services/avahi.fc 
@@ -5,5 +5,8 @@ /usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0) /var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0) +ifdef(`distro_debian', ` +/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0) +') /var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0) --- refpolicy-2.20110726.orig/policy/modules/services/ricci.te +++ refpolicy-2.20110726/policy/modules/services/ricci.te @@ -213,7 +213,9 @@ mount_domtrans(ricci_modcluster_t) -consoletype_exec(ricci_modcluster_t) +optional_policy(` + consoletype_exec(ricci_modcluster_t) +') ricci_stream_connect_modclusterd(ricci_modcluster_t) @@ -394,7 +396,9 @@ # Needed for running chkconfig files_manage_etc_symlinks(ricci_modservice_t) -consoletype_exec(ricci_modservice_t) +optional_policy(` + consoletype_exec(ricci_modservice_t) +') init_domtrans_script(ricci_modservice_t) @@ -456,7 +460,9 @@ modutils_read_module_deps(ricci_modstorage_t) -consoletype_exec(ricci_modstorage_t) +optional_policy(` + consoletype_exec(ricci_modstorage_t) +') mount_domtrans(ricci_modstorage_t) --- refpolicy-2.20110726.orig/policy/modules/services/cvs.te +++ refpolicy-2.20110726/policy/modules/services/cvs.te @@ -106,6 +106,7 @@ # CVSWeb policy # +apache_script_exec_domain(cvs) optional_policy(` apache_content_template(cvs) --- refpolicy-2.20110726.orig/policy/modules/services/munin.fc +++ refpolicy-2.20110726/policy/modules/services/munin.fc 
@@ -65,5 +65,8 @@ /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) /var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) +ifdef(`distro_debian', ` +/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) +') /var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) /var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) --- refpolicy-2.20110726.orig/policy/modules/services/fail2ban.fc +++ refpolicy-2.20110726/policy/modules/services/fail2ban.fc @@ -6,3 +6,6 @@ /var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0) /var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0) /var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0) +ifdef(`distro_debian', ` +/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/apache.te +++ refpolicy-2.20110726/policy/modules/services/apache.te @@ -215,6 +215,7 @@ files_tmp_file(httpd_suexec_tmp_t) # setup the system domain for system CGI scripts +apache_script_exec_domain(sys) apache_content_template(sys) typealias httpd_sys_content_t alias ntop_http_content_t; @@ -224,6 +225,7 @@ type httpd_tmpfs_t; files_tmpfs_file(httpd_tmpfs_t) +apache_script_exec_domain(user) apache_content_template(user) ubac_constrained(httpd_user_script_t) userdom_user_home_content(httpd_user_content_t) @@ -469,6 +471,14 @@ tunable_policy(`httpd_enable_homedirs',` userdom_read_user_home_content_files(httpd_t) ') +optional_policy(` + gen_require(` + bool daemon_access_unconfined_home; + ') + tunable_policy(`httpd_enable_homedirs && daemon_access_unconfined_home', ` + unconfined_read_home_content_files(httpd_t) + ') +') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_files(httpd_t) 
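Review bot: The `httpd_enable_homedirs && daemon_access_unconfined_home` block lets httpd_t read home content of unconfined_u users via `unconfined_read_home_content_files(httpd_t)`, and on a system whose seusers mapping puts ordinary logins in unconfined_u that is every user's home directory (subject only to DAC); nothing at the call site says so, and the default of `daemon_access_unconfined_home` is not visible here. Add a comment above the `optional_policy` such as `# With both booleans on, httpd reads any unconfined_u user's home files (DAC still applies)` and make sure the boolean's declaration documents the same. The `optional_policy` wrapper around a `gen_require` of a bool is the right way to tolerate the unconfined module being absent, but it is worth confirming that `unconfined_read_home_content_files` exists in this tree's unconfined.if, since it is not an upstream refpolicy interface.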
@@ -517,7 +527,10 @@ ') optional_policy(` +# for cron jobs to restart Apache cron_system_entry(httpd_t, httpd_exec_t) +# For cron jobs to run from accounts with home directories in the web store + crond_search_dir(httpd_sys_content_t) ') optional_policy(` @@ -542,8 +555,11 @@ ') ') -optional_policy(` kerberos_keytab_template(httpd, httpd_t) + +optional_policy(` + # read munin files + munin_search_lib(httpd_t) ') optional_policy(` @@ -739,6 +755,14 @@ corenet_tcp_connect_all_ports(httpd_suexec_t) corenet_sendrecv_all_client_packets(httpd_suexec_t) ') +optional_policy(` + gen_require(` + bool daemon_access_unconfined_home; + ') + tunable_policy(`httpd_enable_homedirs && daemon_access_unconfined_home', ` + unconfined_read_home_content_files(httpd_suexec_t) + ') +') tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_sys_script_t httpdcontent:file entrypoint; @@ -824,6 +848,14 @@ tunable_policy(`httpd_enable_homedirs',` userdom_read_user_home_content_files(httpd_sys_script_t) ') +optional_policy(` + gen_require(` + bool daemon_access_unconfined_home; + ') + tunable_policy(`httpd_enable_homedirs && daemon_access_unconfined_home', ` + unconfined_read_home_content_files(httpd_sys_script_t) + ') +') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_files(httpd_sys_script_t) --- refpolicy-2.20110726.orig/policy/modules/services/dkim.te +++ refpolicy-2.20110726/policy/modules/services/dkim.te 
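Review bot: The two comments added in the `@@ -517,7 +527,10 @@` hunk are at column 0 inside an indented `optional_policy` block, and `crond_search_dir(httpd_sys_content_t)` passes a file type where the name suggests a domain; if the interface means "allow crond to search directories of this type", the comment should say so explicitly, e.g. `# crond_t may traverse httpd_sys_content_t dirs (cron jobs with $HOME under the web root)`, and both comments should be indented with the block. The identical nine-line `daemon_access_unconfined_home` block now appears three times in apache.te (for httpd_t, httpd_suexec_t and httpd_sys_script_t); the `gen_require` of the bool and the tunable could live once in an interface in unconfined.if that takes the domain, so the three call sites become one line each. Moving `kerberos_keytab_template(httpd, httpd_t)` out of its `optional_policy` makes it unconditional; if that is intentional because the template declares types, say so in a comment, otherwise it looks accidental.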
@@ -11,12 +11,18 @@
 type dkim_milter_private_key_t;
 files_type(dkim_milter_private_key_t)
+type dkim_milter_tmp_t;
+files_tmp_file(dkim_milter_tmp_t)
+ubac_constrained(dkim_milter_tmp_t)
+files_tmp_filetrans(dkim_milter_t, dkim_milter_tmp_t, file)
+
 ########################################
 #
 # Local policy
 #
 allow dkim_milter_t self:capability { setgid setuid };
+kernel_read_system_state(dkim_milter_t)
 read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
--- refpolicy-2.20110726.orig/policy/modules/services/inn.fc
+++ refpolicy-2.20110726/policy/modules/services/inn.fc
@@ -62,6 +62,12 @@
 /var/log/news(/.*)? gen_context(system_u:object_r:innd_log_t,s0)
 /var/run/innd(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/innd(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0)
+')
 /var/run/news(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/news(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0)
+')
 /var/spool/news(/.*)? gen_context(system_u:object_r:news_spool_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/postfix.if
+++ refpolicy-2.20110726/policy/modules/services/postfix.if
@@ -163,6 +163,7 @@
 allow postfix_$1_t self:capability dac_override;
 domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
+ in_unconfined_r(postfix_$1_t)
 domain_use_interactive_fds(postfix_$1_t)
 ')
@@ -374,6 +375,7 @@
 ')
 domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
+ domain_system_change_exemption($1)
 ')
 ########################################
 ##
@@ -454,7 +456,7 @@
 #######################################
 ##
-## Execute the master postqueue in the caller domain.
+## Allow the master postqueue to use a fifo of the caller and send sigchld
 ##
 ##
 ##
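Review bot: The dkim.te hunk declares `dkim_milter_tmp_t` and adds `files_tmp_filetrans(dkim_milter_t, dkim_milter_tmp_t, file)`, but no rule visible here lets dkim_milter_t actually create, read or write files of that type; a type_transition alone does not grant `file { create ... }` on the target type, so the daemon will still be denied at the first write unless `manage_files_pattern(dkim_milter_t, dkim_milter_tmp_t, dkim_milter_tmp_t)` exists further down (not in this hunk). The filetrans call is also a rule placed in the Declarations section; refpolicy convention puts it with the other local-policy rules after the `# Local policy` banner. `ubac_constrained` on a system daemon's tmp type is unusual and deserves a one-line comment explaining what user separation it is meant to enforce.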
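Review bot: Adding `domain_system_change_exemption($1)` inside `postfix_domtrans_master` gives every caller that merely wants to start the postfix master a blanket exemption from the system identity-change constraint, which is far broader than the domain transition the interface is named for and applies to any other transition the caller makes to a system_u process. The exemption should be granted in the one caller's .te file (or a separate, explicitly named interface) with a comment saying which transition needed it, and this interface should stay a plain `domtrans_pattern`. The same hunk's `in_unconfined_r(postfix_$1_t)` is not an upstream refpolicy macro, so if it is Debian-local it should be guarded or documented where it is defined.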
@@ -462,12 +464,14 @@
 ##
 ##
 #
-interface(`posftix_exec_postqueue',`
+interface(`posftix_run_postqueue',`
 gen_require(`
- type postfix_postqueue_exec_t;
+ type postfix_postqueue_t;
 ')
- can_exec($1, postfix_postqueue_exec_t)
+ allow postfix_postqueue_t $1:fd use;
+ allow postfix_postqueue_t $1:fifo_file rw_file_perms;
+ allow postfix_postqueue_t $1:process sigchld;
 ')
 ########################################
--- refpolicy-2.20110726.orig/policy/modules/services/dcc.fc
+++ refpolicy-2.20110726/policy/modules/services/dcc.fc
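Review bot: Renaming `posftix_exec_postqueue` to `posftix_run_postqueue` while changing its body from `can_exec` to fd/fifo/sigchld grants silently breaks any caller of the old name and keeps the `posftix` typo in the new one; the new interface should be spelled `postfix_run_postqueue`, and the old name kept as a stub that calls `refpolicywarn` and forwards, so existing policy keeps building. The new body also does not contain a domain transition, so "run" is misleading: what it grants is that postfix_postqueue_t may inherit the caller's fds, use its fifos and deliver SIGCHLD, which is the back half of a `domtrans_pattern`; if the caller is expected to transition into postfix_postqueue_t, the interface should include `domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t)` (which already covers fd use, fifo and sigchld), otherwise the summary should say it is a helper for a transition done elsewhere. The `##` summary lines of this interface start before the hunk.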
@@ -5,17 +5,36 @@ /usr/bin/cdcc -- gen_context(system_u:object_r:cdcc_exec_t,s0) /usr/bin/dccproc -- gen_context(system_u:object_r:dcc_client_exec_t,s0) +ifdef(`distro_redhat',` /usr/libexec/dcc/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0) /usr/libexec/dcc/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0) /usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0) /usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0) +') +ifdef(`distro_debian',` +/usr/sbin/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0) +/usr/sbin/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0) +/usr/sbin/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0) +/usr/sbin/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0) +') +ifdef(`distro_redhat',` /var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0) /var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) - +', ` /var/lib/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0) /var/lib/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) +') /var/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0) +ifdef(`distro_debian', ` +/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0) +') /var/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) +ifdef(`distro_debian', ` +/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) +') /var/run/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/mysql.fc +++ refpolicy-2.20110726/policy/modules/services/mysql.fc 
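Review bot: Wrapping the `/usr/libexec/dcc/*` daemon entries in `ifdef(`distro_redhat',` and the `/usr/sbin/*` ones in `ifdef(`distro_debian',` leaves every other distro (gentoo, suse, and an unset DISTRO) with no file context at all for dbclean, dccd, dccifd and dccm, so on those builds the daemons would no longer enter their confined domains; previously the libexec entries applied everywhere. Keep the `/usr/libexec/dcc/` lines unconditional and only add the Debian `/usr/sbin/` alternatives, or use an `ifelse`-style else branch as the `/var/dcc` vs `/var/lib/dcc` hunk below does. For the state directory the change is fine, but a comment noting that `/var/lib/dcc` is now the default for every non-Red Hat distro would help.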
@@ -16,6 +16,8 @@ /usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0) /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) +/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0) +/usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0) /usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0) # @@ -27,4 +29,10 @@ /var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0) /var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0) +ifdef(`distro_debian', ` +/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0) +') /var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/ntp.fc +++ refpolicy-2.20110726/policy/modules/services/ntp.fc @@ -20,3 +20,6 @@ /var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0) /var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/spamassassin.fc +++ refpolicy-2.20110726/policy/modules/services/spamassassin.fc @@ -10,6 +10,9 @@ /var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) /var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) +') /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) --- refpolicy-2.20110726.orig/policy/modules/services/exim.fc +++ refpolicy-2.20110726/policy/modules/services/exim.fc 
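Review bot: Labeling `/usr/bin/mysql_upgrade` as `mysqld_exec_t` makes a client-side maintenance tool an entry point for the server domain, so whoever executes it through a transition gets the full mysqld_t policy (data directory, sockets, ports) rather than what an upgrade client needs; it also means a user or admin role that can transition to mysqld_t can run that tool to land in the server domain. If the goal is only to let the init/maintainer scripts run it without denials, the `mysqld_exec` interface added to mysql.if in this same patch already lets a domain execute `mysqld_exec_t` in place, so the label change should carry a comment explaining which caller relies on it. `ndbd` is a genuine server process and the label is appropriate there.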
@@ -1,8 +1,14 @@ /usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0) /var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0) /var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0) +ifdef(`distro_debian', ` +/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0) +') /var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0) ifdef(`distro_debian',` /var/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0) +ifdef(`distro_debian', ` +/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0) +') ') --- refpolicy-2.20110726.orig/policy/modules/services/ldap.fc +++ refpolicy-2.20110726/policy/modules/services/ldap.fc @@ -5,13 +5,25 @@ /usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) ifdef(`distro_debian',` -/usr/lib/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) +/usr/lib/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) ') /var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) /var/lib/ldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0) /var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0) +') /var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0) +') /var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) +') /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/ntop.fc +++ refpolicy-2.20110726/policy/modules/services/ntop.fc 
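Review bot: In exim.fc the second hunk adds an `ifdef(`distro_debian', `` nested directly inside an existing `ifdef(`distro_debian',`` block, so the inner conditional is redundant; the `/run/exim[0-9]?(/.*)?` line belongs on its own right after the `/var/run/exim[0-9]?(/.*)?` entry inside the outer block. In ldap.fc the only change to the `/usr/lib/slapd` line is whitespace and should be dropped from the patch to keep the diff reviewable.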
@@ -4,3 +4,6 @@ /var/lib/ntop(/.*)? gen_context(system_u:object_r:ntop_var_lib_t,s0) /var/run/ntop\.pid -- gen_context(system_u:object_r:ntop_var_run_t,s0) +ifdef(`distro_debian', ` +/run/ntop\.pid -- gen_context(system_u:object_r:ntop_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/mysql.if +++ refpolicy-2.20110726/policy/modules/services/mysql.if @@ -353,3 +353,23 @@ admin_pattern($1, mysqld_tmp_t) ') + +######################################## +## +## Execute mysqld in the caller domain. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`mysqld_exec',` + gen_require(` + type mysqld_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, mysqld_exec_t) +') --- refpolicy-2.20110726.orig/policy/modules/services/mailman.fc +++ refpolicy-2.20110726/policy/modules/services/mailman.fc @@ -4,8 +4,15 @@ /var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) /var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0) /var/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0) +ifdef(`distro_debian', ` +/var/run/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0) +/run/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0) +') /var/log/mailman(/.*)? gen_context(system_u:object_r:mailman_log_t,s0) /var/run/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0) +ifdef(`distro_debian', ` +/run/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0) +') # # distro_debian --- refpolicy-2.20110726.orig/policy/modules/services/nsd.fc +++ refpolicy-2.20110726/policy/modules/services/nsd.fc 
@@ -12,3 +12,6 @@ /var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) /var/lib/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0) /var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/ppp.if +++ refpolicy-2.20110726/policy/modules/services/ppp.if @@ -228,6 +228,24 @@ ######################################## ## +## Execute domain in the ppp caller. +## +## +## +## Domain allowed access. +## +## +# +interface(`ppp_script_exec',` + gen_require(` + type pppd_script_exec_t; + ') + + can_exec($1, pppd_script_exec_t) +') + +######################################## +## ## Read PPP-writable configuration files. ## ## --- refpolicy-2.20110726.orig/policy/modules/services/uucp.fc +++ refpolicy-2.20110726/policy/modules/services/uucp.fc @@ -7,5 +7,9 @@ /var/spool/uucppublic(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0) /var/lock/uucp(/.*)? gen_context(system_u:object_r:uucpd_lock_t,s0) +ifdef(`distro_debian', ` +/var/run/lock/uucp(/.*)? gen_context(system_u:object_r:uucpd_lock_t,s0) +/run/lock/uucp(/.*)? gen_context(system_u:object_r:uucpd_lock_t,s0) +') /var/log/uucp(/.*)? gen_context(system_u:object_r:uucpd_log_t,s0) --- refpolicy-2.20110726.orig/policy/modules/services/apm.fc +++ refpolicy-2.20110726/policy/modules/services/apm.fc 
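Review bot: The summary of the new `ppp_script_exec` interface, `## Execute domain in the ppp caller.`, is garbled and reads as the opposite of what the body does; `can_exec($1, pppd_script_exec_t)` runs PPP scripts in the caller's own domain without a transition. Replace the summary with `## Execute PPP scripts (pppd_script_exec_t) in the caller domain.`, and since pppd scripts live under /etc/ppp, consider whether the caller also needs the directory search that sibling interfaces typically add.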
@@ -14,9 +14,21 @@ /var/log/acpid.* -- gen_context(system_u:object_r:apmd_log_t,s0) /var/run/\.?acpid\.socket -s gen_context(system_u:object_r:apmd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/\.?acpid\.socket -s gen_context(system_u:object_r:apmd_var_run_t,s0) +') /var/run/apmd\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/apmd\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0) +') /var/run/powersaved\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/powersaved\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0) +') /var/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0) +') ifdef(`distro_suse',` /var/lib/acpi(/.*)? gen_context(system_u:object_r:apmd_var_lib_t,s0) --- refpolicy-2.20110726.orig/policy/modules/services/xserver.if +++ refpolicy-2.20110726/policy/modules/services/xserver.if @@ -116,6 +116,24 @@ ######################################## ## +## Allow domain to send sigchld to xdm_t +## and environment. +## +## +## +## Domain allowed access. +## +## +# +interface(`xdm_sigchld',` + gen_require(` + type xdm_t; + ') + allow $1 xdm_t:process sigchld; +') + +######################################## +## ## Rules required for using the X Windows server ## and environment. ## @@ -280,7 +298,7 @@ ## # interface(`xserver_user_client',` - refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.') + refpolicyerr(`$0() has been deprecated, please use xserver_user_x_domain_template instead.') gen_require(` type xdm_t, xdm_tmp_t; type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; 
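Review bot: The new interface is named `xdm_sigchld` but lives in xserver.if, where every interface must carry the `xserver_` module prefix for the interface naming checks and for callers to find it; it should be `xserver_xdm_sigchld`. Its summary, `## Allow domain to send sigchld to xdm_t and environment.`, has the trailing "and environment" copied from the neighbouring `xserver_user_client` doc and should be just `## Allow the domain to send SIGCHLD to xdm_t.`; a one-line example of the caller (a process xdm waits on) would help. The two `refpolicywarn` to `refpolicyerr` changes in this file turn deprecation warnings into hard build failures for any policy still calling the old interfaces, which is fine if deliberate but should be mentioned in the changelog.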
@@ -577,18 +595,18 @@ ## # interface(`xserver_use_all_users_fonts',` - refpolicywarn(`$0() has been deprecated, please use xserver_use_user_fonts.') + refpolicyerr(`$0() has been deprecated, please use xserver_use_user_fonts.') xserver_use_user_fonts($1) ') ######################################## ## -## Read all users .Xauthority. +## Read all users .Xauthority. ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # interface(`xserver_read_user_xauth',` @@ -729,6 +747,7 @@ files_search_tmp($1) stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t) + stream_connect_pattern($1, xdm_var_run_t, xdm_var_run_t, xdm_t) ') ######################################## --- refpolicy-2.20110726.orig/policy/modules/services/mailman.te +++ refpolicy-2.20110726/policy/modules/services/mailman.te @@ -61,6 +61,8 @@ # Mailman mail local policy # +dev_read_urand(mailman_mail_t) +files_read_usr_files(mailman_mail_t) allow mailman_mail_t self:unix_dgram_socket create_socket_perms; allow mailman_mail_t self:process { signal signull }; allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config }; @@ -125,4 +127,5 @@ optional_policy(` su_exec(mailman_queue_t) -') \ No newline at end of file +') + --- refpolicy-2.20110726.orig/policy/modules/services/policykit.fc +++ refpolicy-2.20110726/policy/modules/services/policykit.fc @@ -3,6 +3,8 @@ /usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0) /usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) +/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) + /usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) /usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) /usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0) 
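Review bot: The added `stream_connect_pattern($1, xdm_var_run_t, xdm_var_run_t, xdm_t)` references `xdm_var_run_t`, but the interface's `gen_require` block lies outside the hunk, so it is not visible whether that type is required there; if it is not, every module calling this interface fails to compile. Add `type xdm_var_run_t;` to the `gen_require`, and since the socket now also lives under /var/run, add `files_search_pids($1)` next to the existing `files_search_tmp($1)`. The enclosing interface starts outside the hunk.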
@@ -12,4 +14,7 @@ /var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) /var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) /var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0) +ifdef(`distro_debian', ` +/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/courier.if +++ refpolicy-2.20110726/policy/modules/services/courier.if @@ -29,7 +29,7 @@ allow courier_$1_t self:capability dac_override; dontaudit courier_$1_t self:capability sys_tty_config; allow courier_$1_t self:process { setpgid signal_perms }; - allow courier_$1_t self:fifo_file { read write getattr }; + allow courier_$1_t self:fifo_file rw_fifo_file_perms; allow courier_$1_t self:tcp_socket create_stream_socket_perms; allow courier_$1_t self:udp_socket create_socket_perms; @@ -105,6 +105,25 @@ ') ######################################## +## +## Act as a client for the courier authdaemon +## +## +## +## Domain allowed access. +## +## +# +interface(`courier_authdaemon_client',` + gen_require(` + type courier_authdaemon_t, courier_etc_t, courier_var_run_t; + ') + allow $1 courier_authdaemon_t:unix_stream_socket connectto; + allow $1 courier_etc_t:dir search; + allow $1 courier_var_run_t:sock_file write; +') + +######################################## ## ## Execute the courier POP3 and IMAP server with ## a domain transition. --- refpolicy-2.20110726.orig/policy/modules/services/canna.fc +++ refpolicy-2.20110726/policy/modules/services/canna.fc 
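Review bot: `courier_authdaemon_client` grants `sock_file write` on `courier_var_run_t` but no `dir search` on it, so a caller that must traverse a `courier_var_run_t` directory to reach the authdaemon socket is still denied unless it already has that access elsewhere; the three raw `allow` lines also bypass the refpolicy idiom for socket clients. Replace them with `stream_connect_pattern($1, courier_var_run_t, courier_var_run_t, courier_authdaemon_t)` plus `files_search_pids($1)`, keeping the `courier_etc_t:dir search` if Debian reaches the socket through a path under /etc/courier. The pattern expands to exactly the `connectto` and `sock_file write` rules written here, plus the missing directory search.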
@@ -19,5 +19,14 @@ /var/log/wnn(/.*)? gen_context(system_u:object_r:canna_log_t,s0) /var/run/\.iroha_unix -d gen_context(system_u:object_r:canna_var_run_t,s0) +ifdef(`distro_debian', ` +/run/\.iroha_unix -d gen_context(system_u:object_r:canna_var_run_t,s0) +') /var/run/\.iroha_unix/.* -s gen_context(system_u:object_r:canna_var_run_t,s0) +ifdef(`distro_debian', ` +/run/\.iroha_unix/.* -s gen_context(system_u:object_r:canna_var_run_t,s0) +') /var/run/wnn-unix(/.*) gen_context(system_u:object_r:canna_var_run_t,s0) +ifdef(`distro_debian', ` +/run/wnn-unix(/.*) gen_context(system_u:object_r:canna_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/psad.fc +++ refpolicy-2.20110726/policy/modules/services/psad.fc @@ -6,3 +6,6 @@ /var/lib/psad(/.*)? gen_context(system_u:object_r:psad_var_lib_t,s0) /var/log/psad(/.*)? gen_context(system_u:object_r:psad_var_log_t,s0) /var/run/psad(/.*)? gen_context(system_u:object_r:psad_var_run_t,s0) +ifdef(`distro_debian', ` +/run/psad(/.*)? gen_context(system_u:object_r:psad_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/nis.if +++ refpolicy-2.20110726/policy/modules/services/nis.if @@ -205,7 +205,7 @@ ## # interface(`nis_udp_send_ypbind',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') ######################################## @@ -219,7 +219,7 @@ ## # interface(`nis_tcp_connect_ypbind',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') ######################################## --- refpolicy-2.20110726.orig/policy/modules/services/gpm.te +++ refpolicy-2.20110726/policy/modules/services/gpm.te 
@@ -27,7 +27,7 @@ # allow gpm_t self:capability { setpcap setuid dac_override sys_admin sys_tty_config }; -allow gpm_t self:process { getcap setcap }; +allow gpm_t self:process { signal signull getcap setcap }; allow gpm_t self:unix_stream_socket create_stream_socket_perms; allow gpm_t gpm_conf_t:dir list_dir_perms; --- refpolicy-2.20110726.orig/policy/modules/services/portmap.te +++ refpolicy-2.20110726/policy/modules/services/portmap.te @@ -32,6 +32,8 @@ allow portmap_t self:unix_stream_socket create_stream_socket_perms; allow portmap_t self:tcp_socket create_stream_socket_perms; allow portmap_t self:udp_socket create_socket_perms; +dev_read_urand(portmap_t) +term_read_console(portmap_t) manage_dirs_pattern(portmap_t, portmap_tmp_t, portmap_tmp_t) manage_files_pattern(portmap_t, portmap_tmp_t, portmap_tmp_t) @@ -112,6 +114,8 @@ allow portmap_helper_t portmap_var_run_t:file manage_file_perms; files_pid_filetrans(portmap_helper_t, portmap_var_run_t, file) +dev_read_urand(portmap_helper_t) +term_read_console(portmap_helper_t) corenet_all_recvfrom_unlabeled(portmap_helper_t) corenet_all_recvfrom_netlabel(portmap_helper_t) --- refpolicy-2.20110726.orig/policy/modules/services/networkmanager.te +++ refpolicy-2.20110726/policy/modules/services/networkmanager.te @@ -270,6 +270,7 @@ # wpa_cli local policy # +domain_auto_trans(NetworkManager_t, wpa_cli_exec_t, wpa_cli_t) allow wpa_cli_t self:capability dac_override; allow wpa_cli_t self:unix_dgram_socket create_socket_perms; --- refpolicy-2.20110726.orig/policy/modules/services/snort.fc +++ refpolicy-2.20110726/policy/modules/services/snort.fc @@ -7,3 +7,6 @@ /var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0) /var/run/snort.* -- gen_context(system_u:object_r:snort_var_run_t,s0) +ifdef(`distro_debian', ` +/run/snort.* -- gen_context(system_u:object_r:snort_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/transproxy.fc +++ refpolicy-2.20110726/policy/modules/services/transproxy.fc 
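Review bot: The new `domain_auto_trans(NetworkManager_t, wpa_cli_exec_t, wpa_cli_t)` uses the low-level transition macro rather than `domtrans_pattern`, which additionally grants the new domain `fd use` on the parent, `process sigchld` back to it and read/write on inherited fifo files; without those, a wpa_cli spawned by NetworkManager may run but be unable to use inherited descriptors or report its exit. Change it to `domtrans_pattern(NetworkManager_t, wpa_cli_exec_t, wpa_cli_t)`. It is also placed under the wpa_cli local-policy heading although it is a `NetworkManager_t` rule; the NetworkManager section (outside the hunk) is where such a call belongs, ideally through an interface in networkmanager.if.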
@@ -1,3 +1,6 @@ /usr/sbin/tproxy -- gen_context(system_u:object_r:transproxy_exec_t,s0) /var/run/tproxy\.pid -- gen_context(system_u:object_r:transproxy_var_run_t,s0) +ifdef(`distro_debian', ` +/run/tproxy\.pid -- gen_context(system_u:object_r:transproxy_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/devicekit.te +++ refpolicy-2.20110726/policy/modules/services/devicekit.te @@ -203,7 +203,9 @@ corecmd_exec_bin(devicekit_power_t) corecmd_exec_shell(devicekit_power_t) -consoletype_exec(devicekit_power_t) +optional_policy(` + consoletype_exec(devicekit_power_t) +') domain_read_all_domains_state(devicekit_power_t) --- refpolicy-2.20110726.orig/policy/modules/services/courier.fc +++ refpolicy-2.20110726/policy/modules/services/courier.fc @@ -7,6 +7,7 @@ /usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) /usr/lib(64)?/courier/(courier-)?authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) +/usr/sbin/authdaemond -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) /usr/lib(64)?/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0) /usr/lib(64)?/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0) /usr/lib(64)?/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0) 
@@ -14,7 +15,8 @@ /usr/lib(64)?/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) /usr/lib(64)?/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0) /usr/lib(64)?/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) -/usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0) +/usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:courier_sqwebmail_exec_t,s0) +/var/cache/sqwebmail(/.*)? gen_context(system_u:object_r:courier_sqwebmail_cache_t,s0) ifdef(`distro_gentoo',` /usr/lib(64)?/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) --- refpolicy-2.20110726.orig/policy/modules/services/pxe.fc +++ refpolicy-2.20110726/policy/modules/services/pxe.fc @@ -4,3 +4,6 @@ /var/log/pxe\.log -- gen_context(system_u:object_r:pxe_log_t,s0) /var/run/pxe\.pid -- gen_context(system_u:object_r:pxe_var_run_t,s0) +ifdef(`distro_debian', ` +/run/pxe\.pid -- gen_context(system_u:object_r:pxe_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/snmp.te +++ refpolicy-2.20110726/policy/modules/services/snmp.te @@ -24,7 +24,7 @@ # # Local policy # -allow snmpd_t self:capability { chown dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config }; +allow snmpd_t self:capability { chown dac_override setgid setuid kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config }; dontaudit snmpd_t self:capability { sys_module sys_tty_config }; allow snmpd_t self:process { signal_perms getsched setsched }; allow snmpd_t self:fifo_file rw_fifo_file_perms; --- refpolicy-2.20110726.orig/policy/modules/services/snmp.fc +++ refpolicy-2.20110726/policy/modules/services/snmp.fc 
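Review bot: The new `setgid setuid` capabilities on `snmpd_t` carry no comment saying why a monitoring daemon needs to change credentials; the likely reason is snmpd dropping to an unprivileged user via its `-u`/`-g` options, but that is inferred, and these two capabilities are exactly what lets a compromised daemon switch identity, so the justification belongs next to the rule. Suggest a comment above the line such as `# setuid/setgid: snmpd drops privileges to the user/group given with -u/-g on Debian -- confirm`. The hunk also leaves `sys_tty_config` both allowed here and dontaudited on the next line, a pre-existing overlap worth tidying while the line is being touched.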
@@ -21,4 +21,10 @@ /var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0) /var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) +') /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/ccs.fc +++ refpolicy-2.20110726/policy/modules/services/ccs.fc @@ -3,4 +3,10 @@ /sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0) /var/run/cluster/ccsd\.pid -- gen_context(system_u:object_r:ccs_var_run_t,s0) +ifdef(`distro_debian', ` +/run/cluster/ccsd\.pid -- gen_context(system_u:object_r:ccs_var_run_t,s0) +') /var/run/cluster/ccsd\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0) +ifdef(`distro_debian', ` +/run/cluster/ccsd\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/cron.fc +++ refpolicy-2.20110726/policy/modules/services/cron.fc @@ -5,6 +5,7 @@ /usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0) /usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0) +/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0) /usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0) /usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0) 
@@ -12,12 +13,35 @@ /usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0) /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) +ifdef(`distro_debian', ` +/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) +') /var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) +ifdef(`distro_debian', ` +/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) +') /var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) +ifdef(`distro_debian', ` +/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) +') /var/run/crond\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0) +ifdef(`distro_debian', ` +/run/crond\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0) +') /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) +ifdef(`distro_debian', ` +/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) +') /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) +ifdef(`distro_debian', ` +/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) +') +ifdef(`distro_debian', ` +/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0) +/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0) +/var/spool/cron/atjobs/[^/]* -- <> +') /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0) @@ -45,3 +69,5 @@ /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) + +/var/log/prelink.log -- gen_context(system_u:object_r:cron_log_t,s0) --- refpolicy-2.20110726.orig/policy/modules/services/cups.if +++ refpolicy-2.20110726/policy/modules/services/cups.if 
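Review bot: The Debian line `/var/spool/cron/atjobs/[^/]* -- <>` has an empty context token; the refpolicy spelling for "do not relabel this file" is `<<none>>`, and `<>` as shown is most likely that token with its angle-bracketed word stripped in rendering, but if the patch literally carries `<>`, setfiles will reject the file_contexts entry. Verify the line reads `/var/spool/cron/atjobs/[^/]* -- <<none>>`. A short comment above the block explaining that queued at-jobs keep the per-user context they were created with, while the `atjobs`/`atspool` directories themselves are `cron_spool_t`, would make the intent clear to the next reader.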
@@ -75,7 +75,7 @@ ## # interface(`cups_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') ######################################## --- refpolicy-2.20110726.orig/policy/modules/services/milter.te +++ refpolicy-2.20110726/policy/modules/services/milter.te @@ -20,6 +20,10 @@ type spamass_milter_state_t; files_type(spamass_milter_state_t) +files_pid_file(spamass_milter_data_t) +files_pid_filetrans(spamass_milter_t, spamass_milter_data_t, { file sock_file }) +allow spamass_milter_t spamass_milter_data_t:{ file sock_file } manage_file_perms; + ######################################## # # milter-greylist local policy --- refpolicy-2.20110726.orig/policy/modules/services/i18n_input.fc +++ refpolicy-2.20110726/policy/modules/services/i18n_input.fc @@ -17,3 +17,6 @@ # /var/run/iiim(/.*)? gen_context(system_u:object_r:i18n_input_var_run_t,s0) +ifdef(`distro_debian', ` +/run/iiim(/.*)? gen_context(system_u:object_r:i18n_input_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/perdition.te +++ refpolicy-2.20110726/policy/modules/services/perdition.te @@ -20,13 +20,16 @@ # Local policy # -allow perdition_t self:capability { setgid setuid }; +allow perdition_t self:netlink_route_socket create_netlink_socket_perms; +allow perdition_t self:capability { chown fowner setgid setuid }; +dev_read_urand(perdition_t) dontaudit perdition_t self:capability sys_tty_config; allow perdition_t self:process signal_perms; allow perdition_t self:tcp_socket create_stream_socket_perms; allow perdition_t self:udp_socket create_socket_perms; allow perdition_t perdition_etc_t:file read_file_perms; +allow perdition_t perdition_etc_t:dir r_dir_perms; files_search_etc(perdition_t) manage_files_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t) 
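Review bot: `allow spamass_milter_t spamass_milter_data_t:{ file sock_file } manage_file_perms;` applies the file permission set to socket files and, more importantly, grants nothing on `spamass_milter_data_t` directories; if the pid file or socket is created inside a directory that itself carries that type (for example a subdirectory of /var/run), the domain also needs `rw_dir_perms` there, which this hunk does not give. Replace the line with `manage_files_pattern(spamass_milter_t, spamass_milter_data_t, spamass_milter_data_t)` and `manage_sock_files_pattern(spamass_milter_t, spamass_milter_data_t, spamass_milter_data_t)`, the module's own idiom, which add the directory-side rules. A comment noting that `files_pid_file()` is added because the data directory lives under /var/run on Debian would explain why the type now carries both the pid-file and the generic file attributes.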
@@ -46,6 +49,8 @@ corenet_udp_sendrecv_all_ports(perdition_t) corenet_tcp_bind_generic_node(perdition_t) corenet_tcp_bind_pop_port(perdition_t) +corenet_tcp_bind_sieve_port(perdition_t) +corenet_tcp_connect_pop_port(perdition_t) corenet_sendrecv_pop_server_packets(perdition_t) dev_read_sysfs(perdition_t) @@ -73,3 +78,7 @@ optional_policy(` udev_read_db(perdition_t) ') +optional_policy(` + mysql_tcp_connect(perdition_t) + mysql_stream_connect(perdition_t) +') --- refpolicy-2.20110726.orig/policy/modules/services/memcached.fc +++ refpolicy-2.20110726/policy/modules/services/memcached.fc @@ -3,3 +3,6 @@ /usr/bin/memcached -- gen_context(system_u:object_r:memcached_exec_t,s0) /var/run/memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0) +ifdef(`distro_debian', ` +/run/memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/pads.fc +++ refpolicy-2.20110726/policy/modules/services/pads.fc @@ -8,3 +8,6 @@ /usr/bin/pads -- gen_context(system_u:object_r:pads_exec_t, s0) /var/run/pads.pid -- gen_context(system_u:object_r:pads_var_run_t, s0) +ifdef(`distro_debian', ` +/run/pads.pid -- gen_context(system_u:object_r:pads_var_run_t, s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/nscd.fc +++ refpolicy-2.20110726/policy/modules/services/nscd.fc 
@@ -8,6 +8,15 @@ /var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0) /var/run/nscd\.pid -- gen_context(system_u:object_r:nscd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/nscd\.pid -- gen_context(system_u:object_r:nscd_var_run_t,s0) +') /var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0) +') /var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/nessus.if +++ refpolicy-2.20110726/policy/modules/services/nessus.if @@ -11,5 +11,5 @@ ## # interface(`nessus_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') --- refpolicy-2.20110726.orig/policy/modules/services/postfix.fc +++ refpolicy-2.20110726/policy/modules/services/postfix.fc @@ -29,6 +29,8 @@ /usr/lib(64)?/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) /usr/lib(64)?/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) /usr/lib(64)?/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0) +/etc/network/if-down.d/postfix -- gen_context(system_u:object_r:initrc_exec_t,s0) +/etc/network/if-up.d/postfix -- gen_context(system_u:object_r:initrc_exec_t,s0) ') /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0) /etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0) --- refpolicy-2.20110726.orig/policy/modules/services/finger.if +++ refpolicy-2.20110726/policy/modules/services/finger.if @@ -29,5 +29,5 @@ ## # interface(`finger_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') --- refpolicy-2.20110726.orig/policy/modules/services/snmp.if +++ refpolicy-2.20110726/policy/modules/services/snmp.if 
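Review bot: The two ifupdown hook lines label `/etc/network/if-up.d/postfix` and `if-down.d/postfix` as the generic `initrc_exec_t` rather than a postfix-specific init script type; upstream postfix.fc labels its init script `postfix_initrc_exec_t`, and if that type exists in this module the hooks should use it so the postfix admin interfaces and the init-script transition treat them consistently. Change both to `gen_context(system_u:object_r:postfix_initrc_exec_t,s0)`. The enclosing `ifdef` block starts outside the hunk, so it is not visible whether these Debian paths are actually gated on `distro_debian`; worth confirming, since a generic init-script label lets the hook run in `initrc_t` whenever an interface comes up.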
@@ -30,7 +30,7 @@ ## # interface(`snmp_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') ######################################## @@ -44,7 +44,7 @@ ## # interface(`snmp_udp_chat',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') ######################################## --- refpolicy-2.20110726.orig/policy/modules/services/dante.fc +++ refpolicy-2.20110726/policy/modules/services/dante.fc @@ -4,3 +4,6 @@ /usr/sbin/sockd -- gen_context(system_u:object_r:dante_exec_t,s0) /var/run/sockd\.pid -- gen_context(system_u:object_r:dante_var_run_t,s0) +ifdef(`distro_debian', ` +/run/sockd\.pid -- gen_context(system_u:object_r:dante_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/openvpn.fc +++ refpolicy-2.20110726/policy/modules/services/openvpn.fc @@ -15,3 +15,10 @@ # /var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0) /var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0) +ifdef(`distro_debian', ` +/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0) +') +/var/run/openvpn.client.* -- gen_context(system_u:object_r:openvpn_var_run_t,s0) +ifdef(`distro_debian', ` +/run/openvpn.client.* -- gen_context(system_u:object_r:openvpn_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/fetchmail.te +++ refpolicy-2.20110726/policy/modules/services/fetchmail.te @@ -19,6 +19,11 @@ type fetchmail_uidl_cache_t; files_type(fetchmail_uidl_cache_t) +type fetchmail_tmp_t; +files_tmp_file(fetchmail_tmp_t) +ubac_constrained(fetchmail_tmp_t) +files_tmp_filetrans(fetchmail_t, fetchmail_tmp_t, file) + ######################################## # # Local policy --- refpolicy-2.20110726.orig/policy/modules/services/soundserver.if +++ refpolicy-2.20110726/policy/modules/services/soundserver.if 
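Review bot: The hunk adds `files_tmp_filetrans(fetchmail_t, fetchmail_tmp_t, file)` but no rule letting `fetchmail_t` create or use `fetchmail_tmp_t` files; a type_transition alone grants no access, so unless such a rule exists outside the hunk, fetchmail's temp-file creation in /tmp is denied rather than relabeled. Add `manage_files_pattern(fetchmail_t, fetchmail_tmp_t, fetchmail_tmp_t)` beside the filetrans. The filetrans call also sits in the declarations section; refpolicy convention is to keep access rules, including filetrans calls, under the local policy heading that follows and reserve the declarations block for `type`/attribute calls.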
@@ -11,7 +11,7 @@ ## # interface(`soundserver_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') ######################################## --- refpolicy-2.20110726.orig/policy/modules/services/asterisk.te +++ refpolicy-2.20110726/policy/modules/services/asterisk.te @@ -45,7 +45,7 @@ allow asterisk_t self:fifo_file rw_fifo_file_perms; allow asterisk_t self:sem create_sem_perms; allow asterisk_t self:shm create_shm_perms; -allow asterisk_t self:unix_stream_socket connectto; +allow asterisk_t self:unix_stream_socket { connectto rw_stream_socket_perms }; allow asterisk_t self:tcp_socket create_stream_socket_perms; allow asterisk_t self:udp_socket create_socket_perms; --- refpolicy-2.20110726.orig/policy/modules/services/prelude.te +++ refpolicy-2.20110726/policy/modules/services/prelude.te @@ -278,6 +278,7 @@ # prewikka_cgi Declarations # +apache_script_exec_domain(prewikka) optional_policy(` apache_content_template(prewikka) --- refpolicy-2.20110726.orig/policy/modules/services/lircd.fc +++ refpolicy-2.20110726/policy/modules/services/lircd.fc @@ -6,5 +6,14 @@ /usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0) /var/run/lirc(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/lirc(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0) +') /var/run/lircd(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/lircd(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0) +') /var/run/lircd\.pid gen_context(system_u:object_r:lircd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/lircd\.pid gen_context(system_u:object_r:lircd_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/puppet.fc +++ refpolicy-2.20110726/policy/modules/services/puppet.fc 
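Review bot: `apache_script_exec_domain(prewikka)` is placed outside and before the `optional_policy` block that wraps the existing `apache_content_template(prewikka)`, so if it is an interface from apache.if the prelude module now fails to link unless the apache module is loaded, whereas the original kept that dependency optional. Move the call inside the `optional_policy(` block, directly above `apache_content_template(prewikka)`. If it is not an apache-module interface, the name is misleading and a comment should say where it is defined; the hunk does not show whether this interface exists in this refpolicy version.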
@@ -9,3 +9,6 @@ /var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0) /var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) /var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0) +ifdef(`distro_debian', ` +/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/jabber.fc +++ refpolicy-2.20110726/policy/modules/services/jabber.fc @@ -1,6 +1,9 @@ /etc/rc\.d/init\.d/jabber -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0) /usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0) +/usr/sbin/ejabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0) /var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) +/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) /var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) +/var/log/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) --- refpolicy-2.20110726.orig/policy/modules/services/bluetooth.if +++ refpolicy-2.20110726/policy/modules/services/bluetooth.if @@ -126,7 +126,7 @@ ## # interface(`bluetooth_domtrans_helper',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') ######################################## @@ -152,7 +152,7 @@ ## # interface(`bluetooth_run_helper',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') ######################################## --- refpolicy-2.20110726.orig/policy/modules/services/watchdog.te +++ refpolicy-2.20110726/policy/modules/services/watchdog.te 
@@ -54,7 +54,7 @@ corenet_sendrecv_all_client_packets(watchdog_t) dev_read_sysfs(watchdog_t) -dev_write_watchdog(watchdog_t) +dev_rw_watchdog(watchdog_t) # do not care about saving the random seed dev_dontaudit_read_rand(watchdog_t) dev_dontaudit_read_urand(watchdog_t) --- refpolicy-2.20110726.orig/policy/modules/services/dcc.te +++ refpolicy-2.20110726/policy/modules/services/dcc.te @@ -91,6 +91,9 @@ allow cdcc_t dcc_client_map_t:file rw_file_perms; # Access files in /var/dcc. The map file can be updated +ifdef(`distro_debian',` +files_search_var_lib(cdcc_t) +') allow cdcc_t dcc_var_t:dir list_dir_perms; read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t) read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t) @@ -128,6 +131,9 @@ files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir }) # Access files in /var/dcc. The map file can be updated +ifdef(`distro_debian',` +files_search_var_lib(dcc_client_t) +') allow dcc_client_t dcc_var_t:dir list_dir_perms; manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) @@ -176,6 +182,9 @@ manage_files_pattern(dcc_dbclean_t, dcc_dbclean_tmp_t, dcc_dbclean_tmp_t) files_tmp_filetrans(dcc_dbclean_t, dcc_dbclean_tmp_t, { file dir }) +ifdef(`distro_debian',` +files_search_var_lib(dcc_dbclean_t) +') manage_dirs_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t) manage_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t) manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t) @@ -214,6 +223,9 @@ allow dccd_t dcc_client_map_t:file rw_file_perms; # Access files in /var/dcc. The map file can be updated +ifdef(`distro_debian',` +files_search_var_lib(dccd_t) +') allow dccd_t dcc_var_t:dir list_dir_perms; read_files_pattern(dccd_t, dcc_var_t, dcc_var_t) read_lnk_files_pattern(dccd_t, dcc_var_t, dcc_var_t) 
@@ -288,6 +300,9 @@ allow dccifd_t dcc_client_map_t:file rw_file_perms; # Updating dcc_db, flod, ... +ifdef(`distro_debian',` +files_search_var_lib(dccifd_t) +') manage_dirs_pattern(dccifd_t, dcc_var_t, dcc_var_t) manage_files_pattern(dccifd_t, dcc_var_t, dcc_var_t) manage_lnk_files_pattern(dccifd_t, dcc_var_t, dcc_var_t) @@ -352,6 +367,9 @@ allow dccm_t dcc_client_map_t:file rw_file_perms; +ifdef(`distro_debian',` +files_search_var_lib(dccm_t) +') manage_dirs_pattern(dccm_t, dcc_var_t, dcc_var_t) manage_files_pattern(dccm_t, dcc_var_t, dcc_var_t) manage_lnk_files_pattern(dccm_t, dcc_var_t, dcc_var_t) --- refpolicy-2.20110726.orig/policy/modules/services/rsync.fc +++ refpolicy-2.20110726/policy/modules/services/rsync.fc @@ -5,3 +5,6 @@ /var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0) /var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0) +ifdef(`distro_debian', ` +/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/tuned.fc +++ refpolicy-2.20110726/policy/modules/services/tuned.fc @@ -6,3 +6,6 @@ /var/log/tuned\.log -- gen_context(system_u:object_r:tuned_log_t,s0) /var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0) +ifdef(`distro_debian', ` +/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/i18n_input.if +++ refpolicy-2.20110726/policy/modules/services/i18n_input.if @@ -11,5 +11,5 @@ ## # interface(`i18n_use',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') --- refpolicy-2.20110726.orig/policy/modules/services/rhcs.fc +++ refpolicy-2.20110726/policy/modules/services/rhcs.fc 
@@ -6,6 +6,10 @@ /usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0) /var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0) +ifdef(`distro_debian', ` +/var/run/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0) +/run/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0) +') /var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0) @@ -15,8 +19,26 @@ /var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0) /var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0) +ifdef(`distro_debian', ` +/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0) +') /var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0) +ifdef(`distro_debian', ` +/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0) +') /var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0) +ifdef(`distro_debian', ` +/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0) +') /var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0) +ifdef(`distro_debian', ` +/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0) +') /var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0) +') /var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/ifplugd.fc +++ refpolicy-2.20110726/policy/modules/services/ifplugd.fc 
@@ -5,3 +5,6 @@ /usr/sbin/ifplugd -- gen_context(system_u:object_r:ifplugd_exec_t,s0) /var/run/ifplugd.* gen_context(system_u:object_r:ifplugd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/ifplugd.* gen_context(system_u:object_r:ifplugd_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/cpucontrol.fc +++ refpolicy-2.20110726/policy/modules/services/cpucontrol.fc @@ -8,3 +8,6 @@ /usr/sbin/powernowd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0) /var/run/cpufreqd\.pid -- gen_context(system_u:object_r:cpuspeed_var_run_t,s0) +ifdef(`distro_debian', ` +/run/cpufreqd\.pid -- gen_context(system_u:object_r:cpuspeed_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/openvpn.te +++ refpolicy-2.20110726/policy/modules/services/openvpn.te @@ -64,6 +64,10 @@ manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir }) +# for the list of vulnerable keys +files_read_usr_files(openvpn_t) +files_read_var_lib_files(openvpn_t) + kernel_read_kernel_sysctls(openvpn_t) kernel_read_net_sysctls(openvpn_t) kernel_read_network_state(openvpn_t) --- refpolicy-2.20110726.orig/policy/modules/services/pyicqt.fc +++ refpolicy-2.20110726/policy/modules/services/pyicqt.fc @@ -3,5 +3,8 @@ /usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0) /var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0) +ifdef(`distro_debian', ` +/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0) +') /var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_spool_t,s0) --- refpolicy-2.20110726.orig/policy/modules/services/ddclient.fc +++ refpolicy-2.20110726/policy/modules/services/ddclient.fc 
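Review bot: The comment `# for the list of vulnerable keys` does not say which list, and `files_read_var_lib_files(openvpn_t)` grants read on every generic `var_lib_t` file, which is broad for a network-facing daemon. If this is Debian's weak-key blacklist from the openvpn-blacklist/openssl-blacklist packages, name the path in the comment and check where the files actually live; if they are under /usr/share, `files_read_usr_files` alone covers them and the /var/lib rule can be dropped. Suggested comment: `# Debian: read the weak-key blacklist shipped by openvpn-blacklist -- confirm path`.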
@@ -9,4 +9,10 @@ /var/lib/ddt-client(/.*)? gen_context(system_u:object_r:ddclient_var_lib_t,s0) /var/log/ddtcd\.log.* -- gen_context(system_u:object_r:ddclient_log_t,s0) /var/run/ddclient\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0) +ifdef(`distro_debian', ` +/run/ddclient\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0) +') /var/run/ddtcd\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0) +ifdef(`distro_debian', ` +/run/ddtcd\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/ppp.fc +++ refpolicy-2.20110726/policy/modules/services/ppp.fc @@ -29,10 +29,22 @@ # /var # /var/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0) +') /var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0) +') /var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0) +') # Fix pptp sockets /var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0) +ifdef(`distro_debian', ` +/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0) +') /var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0) /var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0) --- refpolicy-2.20110726.orig/policy/modules/services/ircd.fc +++ refpolicy-2.20110726/policy/modules/services/ircd.fc 
@@ -5,3 +5,6 @@
 /var/lib/dancer-ircd(/.*)? gen_context(system_u:object_r:ircd_var_lib_t,s0)
 /var/log/(dancer-)?ircd(/.*)? gen_context(system_u:object_r:ircd_log_t,s0)
 /var/run/dancer-ircd(/.*)? gen_context(system_u:object_r:ircd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/dancer-ircd(/.*)? gen_context(system_u:object_r:ircd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/rpcbind.fc
+++ refpolicy-2.20110726/policy/modules/services/rpcbind.fc
@@ -5,5 +5,14 @@
 /var/lib/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
 /var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+')
 /var/run/rpcbind\.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/rpcbind\.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+')
 /var/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/varnishd.fc
+++ refpolicy-2.20110726/policy/modules/services/varnishd.fc
@@ -14,5 +14,14 @@
 /var/log/varnish(/.*)? gen_context(system_u:object_r:varnishlog_log_t,s0)
 /var/run/varnish\.pid -- gen_context(system_u:object_r:varnishd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/varnish\.pid -- gen_context(system_u:object_r:varnishd_var_run_t,s0)
+')
 /var/run/varnishlog\.pid -- gen_context(system_u:object_r:varnishlog_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/varnishlog\.pid -- gen_context(system_u:object_r:varnishlog_var_run_t,s0)
+')
 /var/run/varnishncsa\.pid -- gen_context(system_u:object_r:varnishlog_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/varnishncsa\.pid -- gen_context(system_u:object_r:varnishlog_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/hal.fc
+++ refpolicy-2.20110726/policy/modules/services/hal.fc
@@ -19,14 +19,32 @@
 /var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0)
 /var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0)
-/var/log/pm-.*\.log gen_context(system_u:object_r:hald_log_t,s0)
+/var/log/pm-.*\.log.* gen_context(system_u:object_r:hald_log_t,s0)
 /var/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
+')
 /var/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0)
+')
 /var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
+')
 /var/run/pm-utils(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/pm-utils(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
+')
 /var/run/synce.* gen_context(system_u:object_r:hald_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/synce.* gen_context(system_u:object_r:hald_var_run_t,s0)
+')
 /var/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0)
+')
 ifdef(`distro_gentoo',`
 /var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/postfix.te
+++ refpolicy-2.20110726/policy/modules/services/postfix.te
@@ -26,6 +26,9 @@
 postfix_server_domain_template(local)
 mta_mailserver_delivery(postfix_local_t)
+# allow postfix_local_t to run programs like vacation that send mail
+mta_sendmail_domtrans(postfix_local_t, postfix_postdrop_t)
+
 # Program for creating database files
 type postfix_map_t;
 type postfix_map_exec_t;
@@ -183,9 +186,11 @@
 ifdef(`distro_redhat',`
 # for newer main.cf that uses /etc/aliases
 mta_manage_aliases(postfix_master_t)
- mta_etc_filetrans_aliases(postfix_master_t)
 ')
+mta_etc_filetrans_aliases(postfix_master_t)
+allow postfix_master_t etc_aliases_t:file manage_file_perms;
+
 optional_policy(`
 cyrus_stream_connect(postfix_master_t)
 ')
@@ -201,6 +206,8 @@
 optional_policy(`
 mysql_stream_connect(postfix_master_t)
+ mysql_stream_connect(postfix_smtpd_t)
+ mysql_stream_connect(postfix_cleanup_t)
 ')
 optional_policy(`
@@ -231,6 +238,11 @@
 manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
 manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
+# for milters - may be a bug in postfix
+allow postfix_cleanup_t postfix_smtpd_t:fd use;
+allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket { getattr read write shutdown };
+allow postfix_cleanup_t postfix_smtpd_t:tcp_socket { read write getattr getopt };
+
 ########################################
 #
 # Postfix cleanup local policy
@@ -240,6 +252,7 @@
 # connect to master process
 stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, postfix_master_t)
+write_sock_files_pattern(postfix_virtual_t,postfix_private_t,postfix_private_t)
 rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
 write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
@@ -273,6 +286,9 @@
 # for .forward - maybe we need a new type for it?
 rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
+# so it can write to the lock file
+mta_rw_spool(postfix_local_t)
+
 allow postfix_local_t postfix_spool_t:file rw_file_perms;
 corecmd_exec_shell(postfix_local_t)
@@ -304,7 +320,7 @@
 ')
 optional_policy(`
- procmail_domtrans(postfix_local_t)
+ lda_domtrans(postfix_local_t)
 ')
 ########################################
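Review bot: `allow postfix_master_t etc_aliases_t:file manage_file_perms;` in the aliases hunk is a raw rule against a type that belongs to the mta module, while `mta_manage_aliases(postfix_master_t)` two lines above already grants the same access through the module's interface. If the aim is to make alias management unconditional, move the interface call out of the `ifdef(distro_redhat)` block next to the now-unconditional `mta_etc_filetrans_aliases(postfix_master_t)` and drop the raw rule; referencing `etc_aliases_t` directly would also need a `gen_require` in a modular build. In the cleanup hunk, `write_sock_files_pattern(postfix_virtual_t,postfix_private_t,postfix_private_t)` grants to postfix_virtual_t but sits under the "Postfix cleanup local policy" section; it belongs with the virtual domain's rules, where the reader expects to find it.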
@@ -405,11 +421,17 @@
 dovecot_domtrans_deliver(postfix_pipe_t)
 ')
+corecmd_exec_bin(postfix_pipe_t)
+
 optional_policy(`
 procmail_domtrans(postfix_pipe_t)
 ')
 optional_policy(`
+ lda_domtrans(postfix_pipe_t)
+')
+
+optional_policy(`
 mailman_domtrans_queue(postfix_pipe_t)
 ')
@@ -565,7 +587,7 @@
 ')
 optional_policy(`
- milter_stream_connect_all(postfix_smtp_t)
+ milter_stream_connect_all(postfix_smtpd_t)
 ')
 ########################################
@@ -603,6 +625,15 @@
 ')
 optional_policy(`
+ clamav_stream_connect(postfix_smtpd_t)
+')
+
+optional_policy(`
+ dkim_stream_connect(postfix_smtpd_t)
+ dkim_stream_connect(postfix_cleanup_t)
+')
+
+optional_policy(`
 sasl_connect(postfix_smtpd_t)
 ')
@@ -630,3 +661,8 @@
 # For reading spamassasin
 mta_read_config(postfix_virtual_t)
 mta_manage_spool(postfix_virtual_t)
+
+# for talking to spamass-milter
+optional_policy(`
+ spamassassin_connect_unix_sock(postfix_smtpd_t)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/nut.fc
+++ refpolicy-2.20110726/policy/modules/services/nut.fc
@@ -6,6 +6,9 @@
 /usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
 /var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0)
+')
 /var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
 /var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/vhostmd.fc
+++ refpolicy-2.20110726/policy/modules/services/vhostmd.fc
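Review bot: `corecmd_exec_bin(postfix_pipe_t)` in the pipe hunk is the only addition here without a why-comment, and it lets the pipe delivery domain execute any bin_t program in its own domain, whereas every neighbouring rule (`dovecot_domtrans_deliver`, `procmail_domtrans`, `lda_domtrans`, `mailman_domtrans_queue`) hands delivery agents off to a dedicated domain. If one specific agent has no domain of its own, say which, e.g. `# <agent> is run by pipe(8) and has no dedicated domain -- TODO confirm`, so the grant can be revisited when it gets one. The optional_policy block this hunk starts in opens before the hunk.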
@@ -3,3 +3,6 @@
 /usr/sbin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0)
 /var/run/vhostmd.pid -- gen_context(system_u:object_r:vhostmd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/vhostmd.pid -- gen_context(system_u:object_r:vhostmd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/portslave.te
+++ refpolicy-2.20110726/policy/modules/services/portslave.te
@@ -13,6 +13,9 @@
 type portslave_etc_t;
 files_config_file(portslave_etc_t)
+# for filters
+can_exec(portslave_t, { portslave_etc_t portslave_exec_t })
+
 type portslave_lock_t;
 files_lock_file(portslave_lock_t)
@@ -62,8 +65,10 @@
 corenet_udp_sendrecv_generic_node(portslave_t)
 corenet_tcp_sendrecv_all_ports(portslave_t)
 corenet_udp_sendrecv_all_ports(portslave_t)
+corenet_udp_bind_all_nodes(portslave_t)
 corenet_rw_ppp_dev(portslave_t)
+miscfiles_read_localization(portslave_t)
 dev_read_sysfs(portslave_t)
 # for ssh
 dev_read_urand(portslave_t)
@@ -102,6 +107,7 @@
 # instead of exec.
 ppp_read_rw_config(portslave_t)
 ppp_exec(portslave_t)
+ppp_script_exec(portslave_t)
 ppp_read_secrets(portslave_t)
 ppp_manage_pid_files(portslave_t)
 ppp_pid_filetrans(portslave_t)
--- refpolicy-2.20110726.orig/policy/modules/services/cron.te
+++ refpolicy-2.20110726/policy/modules/services/cron.te
@@ -136,8 +136,8 @@
 # Cron daemon local policy
 #
-allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
-dontaudit crond_t self:capability { sys_resource sys_tty_config };
+allow crond_t self:capability { dac_override setgid setuid sys_nice sys_resource dac_read_search };
+dontaudit crond_t self:capability { sys_tty_config };
 allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow crond_t self:process { setexec setfscreate };
 allow crond_t self:fd use;
@@ -222,6 +222,7 @@
 userdom_list_user_home_dirs(crond_t)
 mta_send_mail(crond_t)
+system_mail_file_access(crond_tmp_t)
 ifdef(`distro_debian',`
 # pam_limits is used
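Review bot: `can_exec(portslave_t, { portslave_etc_t portslave_exec_t })` in the portslave declarations hunk makes the configuration type executable, which undoes the config/program separation that `files_config_file(portslave_etc_t)` on the line above establishes: any domain able to write portslave_etc_t can now supply code that runs as portslave_t. If the filters are scripts shipped alongside the config, labelling them with an exec type (portslave_exec_t, or a dedicated filter type) is the usual refpolicy answer; at minimum the comment should say which files, e.g. `# for filters: <path> -- TODO confirm`, so the grant can be narrowed later. Placing the rule in the type declarations section rather than under the policy section below is also unusual for this file.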
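Review bot: In the cron.te capability hunk, `sys_resource` moves from the dontaudit set into the allow set of crond_t with no comment explaining why the daemon now needs it; CAP_SYS_RESOURCE lets a process override resource limits and similar restrictions, so the grant deserves at least the kind of justification the Debian `# pam_limits is used` comment further down gives. A line such as `# sys_resource: raised limits for jobs via pam_limits -- TODO confirm` above the allow rule would record the reason. In the following hunk `system_mail_file_access(crond_tmp_t)` passes a file type where the surrounding calls pass the crond_t domain; if that interface expects a domain argument this is a mismatch worth checking before merging.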
@@ -260,6 +261,8 @@
 optional_policy(`
 amavis_search_lib(crond_t)
+ # for bayes maintainance scripts
+ amavis_domtrans(crond_t)
 ')
 optional_policy(`
@@ -468,7 +471,8 @@
 ')
 optional_policy(`
- mysql_read_config(system_cronjob_t)
+ mysql_read_config(system_crond_t)
+ mysql_stream_connect(system_crond_t)
 ')
 optional_policy(`
--- refpolicy-2.20110726.orig/policy/modules/services/sssd.fc
+++ refpolicy-2.20110726/policy/modules/services/sssd.fc
@@ -9,3 +9,6 @@
 /var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0)
 /var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/kerberos.if
+++ refpolicy-2.20110726/policy/modules/services/kerberos.if
@@ -237,8 +237,10 @@
 allow $2 $1_keytab_t:file read_file_perms;
- kerberos_read_keytab($2)
- kerberos_use($2)
+ optional_policy(`
+ kerberos_read_keytab($2)
+ kerberos_use($2)
+ ')
 ')
 ########################################
--- refpolicy-2.20110726.orig/policy/modules/services/inetd.if
+++ refpolicy-2.20110726/policy/modules/services/inetd.if
@@ -150,7 +150,7 @@
 ##
 #
 interface(`inetd_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
 ')
 ########################################
@@ -183,7 +183,7 @@
 ##
 #
 interface(`inetd_udp_send',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
 ')
 ########################################
--- refpolicy-2.20110726.orig/policy/modules/services/automount.if
+++ refpolicy-2.20110726/policy/modules/services/automount.if
@@ -49,7 +49,7 @@
 ##
 #
 interface(`automount_exec_config',`
- refpolicywarn(`$0(): has been deprecated, please use files_exec_etc_files() instead.')
+ refpolicyerr(`$0(): has been deprecated, please use files_exec_etc_files() instead.')
 files_exec_etc_files($1)
 ')
--- refpolicy-2.20110726.orig/policy/modules/services/perdition.if
+++ refpolicy-2.20110726/policy/modules/services/perdition.if
@@ -11,5 +11,5 @@
 ##
 #
 interface(`perdition_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
 ')
--- refpolicy-2.20110726.orig/policy/modules/services/apm.te
+++ refpolicy-2.20110726/policy/modules/services/apm.te
@@ -190,6 +190,9 @@
 optional_policy(`
 networkmanager_dbus_chat(apmd_t)
 ')
+ optional_policy(`
+ hal_dbus_chat(apmd_t)
+ ')
 ')
 optional_policy(`
--- refpolicy-2.20110726.orig/policy/modules/services/nagios.fc
+++ refpolicy-2.20110726/policy/modules/services/nagios.fc
@@ -1,7 +1,9 @@
 /etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
-/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
+/etc/nagios/nrpe\.* -- gen_context(system_u:object_r:nrpe_etc_t,s0)
+ifndef(`distro_debian', `
 /etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
+')
 /usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
 /usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
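Review bot: `/etc/nagios/nrpe\.* --` in the nagios.fc hunk no longer matches `nrpe.cfg`: in a file_contexts regex `\.*` means "zero or more literal dots" and the pattern is anchored, so it only matches `/etc/nagios/nrpe` followed by dots, and `/etc/nagios/nrpe.cfg` falls back to the `/etc/nagios(/.*)?` spec and silently loses its nrpe_etc_t label. If the intent is to cover `nrpe.cfg` and its variants, write `/etc/nagios/nrpe.* -- gen_context(system_u:object_r:nrpe_etc_t,s0)`, or `nrpe\..*` if the dot should be required.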
@@ -13,13 +15,19 @@
 /var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
 /var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0)
+')
 /var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
 ifdef(`distro_debian',`
-/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
-')
+/usr/sbin/nagios.* -- gen_context(system_u:object_r:nagios_exec_t,s0)
+/usr/lib/cgi-bin/nagios.?/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
+/usr/lib/nagios3/cgi/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
+', `
 /usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+')
 /usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
 # admin plugins
--- refpolicy-2.20110726.orig/policy/modules/services/dkim.fc
+++ refpolicy-2.20110726/policy/modules/services/dkim.fc
@@ -5,5 +5,14 @@
 /var/db/dkim(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
 /var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+ifdef(`distro_debian', `
+/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+')
 /var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+ifdef(`distro_debian', `
+/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+')
 /var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
+ifdef(`distro_debian', `
+/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/watchdog.fc
+++ refpolicy-2.20110726/policy/modules/services/watchdog.fc
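Review bot: The Debian branch of the nagios.fc hunk labels the CGI programs `nagios_cgi_exec_t` while the other branch and the unconditional line below keep `httpd_nagios_script_exec_t`; nagios.te is not part of this diff, so if `nagios_cgi_exec_t` is not declared there the file context load will fail, and if it is, Debian's CGIs stop running in the web-script domain the rest of the module assumes. A one-line comment naming the domain these CGIs are meant to run in would settle which is intended. Also `/usr/lib/cgi-bin/nagios.?/.+` uses `.?` where `3?` looks intended for `nagios3`; as written it also matches any single-character suffix.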
@@ -3,3 +3,6 @@
 /var/log/watchdog(/.*)? gen_context(system_u:object_r:watchdog_log_t,s0)
 /var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/postfixpolicyd.fc
+++ refpolicy-2.20110726/policy/modules/services/postfixpolicyd.fc
@@ -4,3 +4,6 @@
 /usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t, s0)
 /var/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t, s0)
+ifdef(`distro_debian', `
+/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t, s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/epmd.if
+++ refpolicy-2.20110726/policy/modules/services/epmd.if
@@ -0,0 +1,29 @@
+## Erlang Port Mapper Daemon (epmd).
+
+########################################
+##
+## Execute epmd in the epmd domain, and
+## allow the specified role the epmd domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed the epmd domain.
+##
+##
+##
+#
+interface(`run_epmd',`
+ gen_require(`
+ type epmd_t, epmd_exec_t;
+ ')
+
+ domtrans_pattern($1, epmd_exec_t, epmd_t)
+ role $2 types epmd_t;
+ corenet_tcp_connect_epmd_port($1)
+')
+
--- refpolicy-2.20110726.orig/policy/modules/services/lpd.fc
+++ refpolicy-2.20110726/policy/modules/services/lpd.fc
@@ -35,3 +35,6 @@
 /var/spool/cups-pdf(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
 /var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0)
 /var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/denyhosts.fc
+++ refpolicy-2.20110726/policy/modules/services/denyhosts.fc
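Review bot: `interface(\`run_epmd',\`` in the new epmd.if breaks the refpolicy naming convention, under which every interface carries its module name as prefix and the role-run variant is `<module>_run`; it should be `epmd_run`, matching the `*_domtrans`/`*_run` pairs the rest of the tree uses. The body also calls `corenet_tcp_connect_epmd_port($1)`, which only exists if an epmd port is declared in corenetwork, and that declaration is not in this diff -- worth confirming it is part of the same change. A brief comment on why the caller (rather than epmd_t) needs to connect to the epmd port would make the interface self-explanatory.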
@@ -4,4 +4,8 @@
 /var/lib/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_lib_t,s0)
 /var/lock/subsys/denyhosts -- gen_context(system_u:object_r:denyhosts_var_lock_t,s0)
+ifdef(`distro_debian', `
+/var/run/lock/subsys/denyhosts -- gen_context(system_u:object_r:denyhosts_var_lock_t,s0)
+/run/lock/subsys/denyhosts -- gen_context(system_u:object_r:denyhosts_var_lock_t,s0)
+')
 /var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/bind.te
+++ refpolicy-2.20110726/policy/modules/services/bind.te
@@ -69,6 +69,9 @@
 allow named_t self:tcp_socket create_stream_socket_perms;
 allow named_t self:udp_socket create_socket_perms;
+# because lwresd calls access(".", W_OK)
+files_dontaudit_rw_root_dir(named_t)
+
 allow named_t dnssec_t:file read_file_perms;
 # read configuration
@@ -199,6 +202,7 @@
 allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
 allow ndc_t self:tcp_socket create_socket_perms;
 allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
+dev_read_urand(ndc_t)
 allow ndc_t dnssec_t:file read_file_perms;
 allow ndc_t dnssec_t:lnk_file { getattr read };
--- refpolicy-2.20110726.orig/policy/modules/services/courier.te
+++ refpolicy-2.20110726/policy/modules/services/courier.te
@@ -24,12 +24,21 @@
 type courier_var_run_t;
 files_pid_file(courier_var_run_t)
+files_pid_filetrans(courier_authdaemon_t, courier_var_run_t, { file sock_file })
 type courier_exec_t;
 mta_agent_executable(courier_exec_t)
+type courier_sqwebmail_cache_t;
+files_type(courier_sqwebmail_cache_t)
+
 courier_domain_template(sqwebmail)
 typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t;
+files_pid_filetrans(courier_sqwebmail_t, courier_var_run_t, { file sock_file })
+
+manage_files_pattern(courier_sqwebmail_t, courier_sqwebmail_cache_t, courier_sqwebmail_cache_t)
+
+dev_read_urand(courier_sqwebmail_t)
 ########################################
 #
@@ -45,12 +54,9 @@
 allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
 allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_fifo_file_perms;
-allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
 allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;
 allow courier_authdaemon_t courier_tcpd_t:process sigchld;
 allow courier_authdaemon_t courier_tcpd_t:fd use;
-allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
-allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
 create_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
 manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
@@ -89,10 +95,17 @@
 # POP3/IMAP local policy
 #
-allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
+allow courier_pop_t self:capability { setgid setuid };
+allow courier_pop_t courier_authdaemon_t:{ unix_stream_socket tcp_socket } { connectto rw_stream_socket_perms };
 allow courier_pop_t courier_authdaemon_t:process sigchld;
 allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
+dev_read_urand(courier_pop_t)
+
+# for FAM with IMAP
+sysnet_use_portmap(courier_pop_t)
+corenet_tcp_bind_all_rpc_ports(courier_pop_t)
+corenet_tcp_bind_all_nodes(courier_pop_t)
 # inherits file handle - should it?
 allow courier_pop_t courier_var_lib_t:file { read write };
--- refpolicy-2.20110726.orig/policy/modules/services/mysql.te
+++ refpolicy-2.20110726/policy/modules/services/mysql.te
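Review bot: `allow courier_pop_t courier_authdaemon_t:{ unix_stream_socket tcp_socket } { connectto rw_stream_socket_perms };` in the POP3/IMAP hunk grants `connectto` on `tcp_socket`, but `connectto` is defined only for the `unix_stream_socket` class, so the policy compiler should reject the rule as written; split the class set: `allow courier_pop_t courier_authdaemon_t:unix_stream_socket { connectto rw_stream_socket_perms };` and `allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;`. The "for FAM with IMAP" block below additionally grants `corenet_tcp_bind_all_rpc_ports` and `corenet_tcp_bind_all_nodes` to the mail daemon; binding any RPC port on any node is broad for an IMAP server, so either narrow it to the port FAM actually uses or put it behind a tunable with a comment explaining the dependency.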
@@ -58,10 +58,13 @@
 allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
 allow mysqld_t self:fifo_file rw_fifo_file_perms;
 allow mysqld_t self:shm create_shm_perms;
-allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
+allow mysqld_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow mysqld_t self:tcp_socket create_stream_socket_perms;
 allow mysqld_t self:udp_socket create_socket_perms;
+corecmd_exec_shell(mysqld_t)
+corecmd_exec_bin(mysqld_t)
+
 manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
@@ -180,6 +183,7 @@
 files_dontaudit_getattr_all_dirs(mysqld_safe_t)
 logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
+logging_send_syslog_msg(mysqld_safe_t)
 hostname_exec(mysqld_safe_t)
--- refpolicy-2.20110726.orig/policy/modules/services/icecast.fc
+++ refpolicy-2.20110726/policy/modules/services/icecast.fc
@@ -5,3 +5,6 @@
 /var/log/icecast(/.*)? gen_context(system_u:object_r:icecast_log_t,s0)
 /var/run/icecast(/.*)? gen_context(system_u:object_r:icecast_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/icecast(/.*)? gen_context(system_u:object_r:icecast_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/apcupsd.te
+++ refpolicy-2.20110726/policy/modules/services/apcupsd.te
@@ -107,6 +107,7 @@
 # apcupsd_cgi Declarations
 #
+apache_script_exec_domain(apcupsd_cgi)
 optional_policy(`
 apache_content_template(apcupsd_cgi)
--- refpolicy-2.20110726.orig/policy/modules/services/networkmanager.fc
+++ refpolicy-2.20110726/policy/modules/services/networkmanager.fc
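Review bot: `corecmd_exec_shell(mysqld_t)` and `corecmd_exec_bin(mysqld_t)` in the mysql.te hunk are added without any comment and let the database server run shells and every bin_t program in its own domain, which substantially widens what a compromised mysqld process can do; grants of this shape are normally tied to a named feature and put behind a tunable in refpolicy. If a specific helper requires it, name it, e.g. `# mysqld execs <helper> for <feature> -- TODO confirm`, and consider scoping execution to that helper's type rather than all of bin_t. In the apcupsd.te hunk on this same line, `apache_script_exec_domain(apcupsd_cgi)` is called outside the `optional_policy` block that wraps the neighbouring `apache_content_template` call; it should move inside it, or a comment should explain why it must be unconditional.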
@@ -20,7 +20,22 @@
 /var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
 /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+')
 /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+')
 /var/run/nm-dh
client.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+')
 /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+')
 /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/sasl.fc
+++ refpolicy-2.20110726/policy/modules/services/sasl.fc
@@ -10,3 +10,6 @@
 #
 /var/lib/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
 /var/run/saslauthd(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/saslauthd(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/smokeping.fc
+++ refpolicy-2.20110726/policy/modules/services/smokeping.fc
@@ -7,3 +7,6 @@
 /var/lib/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_lib_t,s0)
 /var/run/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/radvd.fc
+++ refpolicy-2.20110726/policy/modules/services/radvd.fc
@@ -4,4 +4,10 @@
 /usr/sbin/radvd -- gen_context(system_u:object_r:radvd_exec_t,s0)
 /var/run/radvd\.pid -- gen_context(system_u:object_r:radvd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/radvd\.pid -- gen_context(system_u:object_r:radvd_var_run_t,s0)
+')
 /var/run/radvd(/.*)? gen_context(system_u:object_r:radvd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/radvd(/.*)? gen_context(system_u:object_r:radvd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/howl.fc
+++ refpolicy-2.20110726/policy/modules/services/howl.fc
@@ -3,3 +3,6 @@
 /usr/bin/nifd -- gen_context(system_u:object_r:howl_exec_t,s0)
 /var/run/nifd\.pid -- gen_context(system_u:object_r:howl_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/nifd\.pid -- gen_context(system_u:object_r:howl_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/dovecot.fc
+++ refpolicy-2.20110726/policy/modules/services/dovecot.fc
@@ -9,6 +9,12 @@
 /etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
 /etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0)
+# Debian uses /etc/dovecot/
+ifdef(`distro_debian', `
+/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)
+/etc/dovecot/passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
+')
+
 #
 # /usr
 #
@@ -18,8 +24,8 @@
 /usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
 ifdef(`distro_debian', `
-/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
-/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
+/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/lib/dovecot/.+ -- gen_context(system_u:object_r:bin_t,s0)
 ')
 ifdef(`distro_redhat', `
@@ -33,7 +39,16 @@
 # /var
 #
 /var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
-/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+ifdef(`distro_debian', `
+/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
+')
+ifdef(`distro_redhat', `
+# this is a hard link to /var/lib/dovecot/ssl-parameters.dat
+/var/run/dovecot/login/ssl-parameters.dat gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+ifdef(`distro_debian', `
+/run/dovecot/login/ssl-parameters.dat gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+')
+')
 /var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/amavis.fc
+++ refpolicy-2.20110726/policy/modules/services/amavis.fc
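Review bot: In the /var hunk the `ifdef(distro_debian)` block for `/run/dovecot/login/ssl-parameters.dat` is nested inside `ifdef(distro_redhat)`; the two distro macros are never defined together, so that Debian spec is dead code and the file on Debian keeps the generic `dovecot_var_run_t` from the `/run/dovecot(-login)?(/.*)?` line. Move the inner block out of the redhat branch, next to the sibling `/run/dovecot(-login)?` Debian block above it. In the /usr hunk, replacing `/usr/lib/dovecot/deliver -- dovecot_deliver_exec_t` with the catch-all `/usr/lib/dovecot/.+ -- bin_t` means deliver no longer has its own exec type on Debian, so `dovecot_domtrans_deliver` callers (postfix.te in this same diff) will not transition into the deliver domain there; if that is intended it deserves a comment, otherwise keep the deliver line alongside the dovecot-auth one so the more specific spec still wins.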
@@ -3,16 +3,21 @@
 /etc/amavisd(/.*)? gen_context(system_u:object_r:amavis_etc_t,s0)
 /etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
+ifdef(`strict_policy',`
 /usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0)
 /usr/lib(64)?/AntiVir/antivir -- gen_context(system_u:object_r:amavis_exec_t,s0)
+')
 ifdef(`distro_debian',`
-/usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0)
+/usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0)
 ')
 /var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
 /var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
 /var/log/amavisd\.log -- gen_context(system_u:object_r:amavis_var_log_t,s0)
 /var/run/amavis(d)?(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/amavis(d)?(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0)
+')
 /var/spool/amavisd(/.*)? gen_context(system_u:object_r:amavis_spool_t,s0)
 /var/virusmails(/.*)? gen_context(system_u:object_r:amavis_quarantine_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/nsd.if
+++ refpolicy-2.20110726/policy/modules/services/nsd.if
@@ -11,7 +11,7 @@
 ##
 #
 interface(`nsd_udp_chat',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
 ')
 ########################################
@@ -25,5 +25,5 @@
 ##
 #
 interface(`nsd_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
 ')
--- refpolicy-2.20110726.orig/policy/modules/services/radius.if
+++ refpolicy-2.20110726/policy/modules/services/radius.if
@@ -11,7 +11,7 @@
 ##
 #
 interface(`radius_use',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
 ')
 ########################################
--- refpolicy-2.20110726.orig/policy/modules/services/epmd.fc
+++ refpolicy-2.20110726/policy/modules/services/epmd.fc
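Review bot: Wrapping `/usr/sbin/amavisd.*` and `/usr/lib(64)?/AntiVir/antivir` in `ifdef(strict_policy)` ties them to a macro this refpolicy generation does not appear to define anymore (the strict/targeted build split was dropped in earlier releases), so in practice both specs vanish on every build, and amavisd is then labelled by the clamav.fc hunk later in this diff, which assigns `/usr/sbin/amavisd.*` to `clamd_exec_t`. That quietly moves amavisd out of the amavis domain into the clamd domain; if that is the intent, delete these lines outright and say so in a comment, and if not, drop the ifdef and remove the duplicate amavis specs from clamav.fc instead.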
@@ -0,0 +1 @@
+/usr/lib/erlang/erts-[^/]*/bin/epmd -- gen_context(system_u:object_r:epmd_exec_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/cyphesis.fc
+++ refpolicy-2.20110726/policy/modules/services/cyphesis.fc
@@ -3,3 +3,6 @@
 /var/log/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_log_t,s0)
 /var/run/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/dictd.fc
+++ refpolicy-2.20110726/policy/modules/services/dictd.fc
@@ -7,3 +7,6 @@
 /var/lib/dictd(/.*)? gen_context(system_u:object_r:dictd_var_lib_t,s0)
 /var/run/dictd\.pid -- gen_context(system_u:object_r:dictd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/dictd\.pid -- gen_context(system_u:object_r:dictd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/bind.if
+++ refpolicy-2.20110726/policy/modules/services/bind.if
@@ -336,7 +336,7 @@
 ##
 #
 interface(`bind_udp_chat_named',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
 ')
 ########################################
--- refpolicy-2.20110726.orig/policy/modules/services/gatekeeper.fc
+++ refpolicy-2.20110726/policy/modules/services/gatekeeper.fc
@@ -5,4 +5,10 @@
 /var/log/gnugk(/.*)? gen_context(system_u:object_r:gatekeeper_log_t,s0)
 /var/run/gk\.pid -- gen_context(system_u:object_r:gatekeeper_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/gk\.pid -- gen_context(system_u:object_r:gatekeeper_var_run_t,s0)
+')
 /var/run/gnugk(/.*)? gen_context(system_u:object_r:gatekeeper_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/gnugk(/.*)? gen_context(system_u:object_r:gatekeeper_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/nis.fc
+++ refpolicy-2.20110726/policy/modules/services/nis.fc
@@ -16,6 +16,18 @@
 /var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
 /var/run/ypxfrd.* -- gen_context(system_u:object_r:ypxfr_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/ypxfrd.* -- gen_context(system_u:object_r:ypxfr_var_run_t,s0)
+')
 /var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0)
+')
 /var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
+')
 /var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/automount.fc
+++ refpolicy-2.20110726/policy/modules/services/automount.fc
@@ -14,3 +14,6 @@
 #
 /var/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/clamav.fc
+++ refpolicy-2.20110726/policy/modules/services/clamav.fc
@@ -8,13 +8,47 @@ /usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0) /usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0) +/var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0) +') +/var/run/clamd\..* gen_context(system_u:object_r:clamd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/clamd\..* gen_context(system_u:object_r:clamd_var_run_t,s0) +') +/var/run/clamav\..* gen_context(system_u:object_r:clamd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/clamav\..* gen_context(system_u:object_r:clamd_var_run_t,s0) +') +/var/spool/postfix/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0) + /var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) /var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) /var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0) /var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0) /var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0) /var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0) -/var/run/clamav.* gen_context(system_u:object_r:clamd_var_run_t,s0) -/var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0) +') /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) + +/etc/amavis\.conf -- gen_context(system_u:object_r:clamd_etc_t,s0) +/etc/amavisd(/.*)? -- gen_context(system_u:object_r:clamd_etc_t,s0) + +/usr/sbin/amavisd.* -- gen_context(system_u:object_r:clamd_exec_t,s0) + +ifdef(`distro_debian',` +/usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:clamd_exec_t,s0) +') + +/var/amavis(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) +/var/lib/amavis(/.*)? 
gen_context(system_u:object_r:clamd_var_lib_t,s0) +/var/log/amavisd\.log -- gen_context(system_u:object_r:clamd_var_lib_t,s0) +/var/run/amavis(d)?(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) +ifdef(`distro_debian', ` +/run/amavis(d)?(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) +') +/var/spool/amavisd(/.*)? gen_context(system_u:object_r:clamd_spool_t,s0) +/var/virusmails(/.*)? gen_context(system_u:object_r:clamd_spool_t,s0) /var/spool/MailScanner(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0) --- refpolicy-2.20110726.orig/policy/modules/services/inetd.te +++ refpolicy-2.20110726/policy/modules/services/inetd.te @@ -77,6 +77,7 @@ corenet_udp_bind_generic_node(inetd_t) corenet_tcp_connect_all_ports(inetd_t) corenet_sendrecv_all_client_packets(inetd_t) +allow inetd_t self:netlink_route_socket r_netlink_socket_perms; # listen on service ports: corenet_tcp_bind_amanda_port(inetd_t) --- refpolicy-2.20110726.orig/policy/modules/services/rpc.if +++ refpolicy-2.20110726/policy/modules/services/rpc.if @@ -133,7 +133,7 @@ ## # interface(`rpc_udp_send',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') ######################################## @@ -374,7 +374,7 @@ ## # interface(`rpc_udp_send_nfs',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') ######################################## --- refpolicy-2.20110726.orig/policy/modules/services/postgrey.fc +++ refpolicy-2.20110726/policy/modules/services/postgrey.fc 
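Review bot: `/etc/amavisd(/.*)? -- gen_context(system_u:object_r:clamd_etc_t,s0)` combines a directory-tree pattern with the `--` regular-file restriction, so the `/etc/amavisd` directory itself and any subdirectory are never relabeled clamd_etc_t; drop the `--` as the other `(/.*)?` entries in this hunk do: `/etc/amavisd(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0)`. `/var/log/amavisd\.log` is labeled clamd_var_lib_t although every other `/var/log/clam*` entry in the file uses clamd_var_log_t, and `/var/run/amavis(d)?(/.*)?` gets clamd_var_lib_t while the more specific `/var/run/amavis(d)?/clamd\.pid` keeps clamd_var_run_t; if those are intentional they deserve a comment, otherwise they read as copy errors. The amavisd binaries share clamd_exec_t, so amavisd runs as clamd_t with clamd's full permission set; a one-line comment above the `/usr/sbin/amavisd.*` entry stating that this is deliberate would help the next maintainer.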
@@ -7,6 +7,12 @@
 /var/lib/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_lib_t,s0)
 /var/run/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_run_t,s0)
+')
 /var/run/postgrey\.pid -- gen_context(system_u:object_r:postgrey_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/postgrey\.pid -- gen_context(system_u:object_r:postgrey_var_run_t,s0)
+')
 /var/spool/postfix/postgrey(/.*)? gen_context(system_u:object_r:postgrey_spool_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/plymouthd.fc
+++ refpolicy-2.20110726/policy/modules/services/plymouthd.fc
@@ -4,4 +4,7 @@
 /var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
 /var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
+')
 /var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/nslcd.fc
+++ refpolicy-2.20110726/policy/modules/services/nslcd.fc
@@ -2,3 +2,6 @@
 /etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
 /usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
 /var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/squid.fc
+++ refpolicy-2.20110726/policy/modules/services/squid.fc
@@ -10,5 +10,8 @@ /var/log/squid(/.*)? gen_context(system_u:object_r:squid_log_t,s0) /var/log/squidGuard(/.*)? gen_context(system_u:object_r:squid_log_t,s0) /var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0) +ifdef(`distro_debian', ` +/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0) +') /var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) /var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) --- refpolicy-2.20110726.orig/policy/modules/services/epmd.te +++ refpolicy-2.20110726/policy/modules/services/epmd.te @@ -0,0 +1,52 @@ + +policy_module(epmd, 1.7.1) + +######################################## +# +# Declarations +# + +## +##

+## Allow the Erlang Port mapper to coordinate all nodes in distributed +## computing. It also wants to run on single nodes so any daemon written in +## Erlang will need it. +##

+##
+ +type epmd_t; +type epmd_exec_t; +init_daemon_domain(epmd_t,epmd_exec_t) +role system_r types epmd_t; + +######################################## +# +# epmd local policy +# + +allow epmd_t self:tcp_socket create_stream_socket_perms; +#allow epmd_t self:udp_socket create_socket_perms; + +corenet_all_recvfrom_unlabeled(epmd_t) +corenet_all_recvfrom_netlabel(epmd_t) +corenet_tcp_bind_epmd_port(epmd_t) +corenet_tcp_sendrecv_all_if(epmd_t) +#corenet_udp_sendrecv_all_if(epmd_t) +corenet_tcp_sendrecv_all_nodes(epmd_t) +#corenet_udp_sendrecv_all_nodes(epmd_t) +corenet_tcp_sendrecv_all_ports(epmd_t) +#corenet_udp_sendrecv_all_ports(epmd_t) +corenet_tcp_bind_all_nodes(epmd_t) +#corenet_udp_bind_all_nodes(epmd_t) +#corenet_tcp_connect_all_ports(epmd_t) +#corenet_udp_bind_all_unreserved_ports(epmd_t) + +files_read_etc_files(epmd_t) + +libs_use_ld_so(epmd_t) +libs_use_shared_libs(epmd_t) + +logging_send_syslog_msg(epmd_t) + +miscfiles_read_localization(epmd_t) + --- refpolicy-2.20110726.orig/policy/modules/services/portreserve.fc +++ refpolicy-2.20110726/policy/modules/services/portreserve.fc @@ -5,3 +5,6 @@ /sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0) /var/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0) +ifdef(`distro_debian', ` +/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/certmaster.fc +++ refpolicy-2.20110726/policy/modules/services/certmaster.fc @@ -6,3 +6,6 @@ /var/lib/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_lib_t,s0) /var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0) /var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0) +ifdef(`distro_debian', ` +/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/radius.fc +++ refpolicy-2.20110726/policy/modules/services/radius.fc 
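Review bot: The epmd local policy ships nine commented-out rules (`#allow epmd_t self:udp_socket ...`, the `#corenet_udp_*` lines, `#corenet_tcp_connect_all_ports(epmd_t)`); commented-out policy should be deleted rather than committed, since it is neither enforced nor tested. `corenet_tcp_sendrecv_all_ports(epmd_t)` next to `corenet_tcp_bind_epmd_port(epmd_t)` is broader than a port mapper that only listens on its own port appears to need; if corenetwork generates a matching sendrecv interface for the epmd port (not visible here) that would be the tighter grant. The module also calls `libs_use_ld_so(epmd_t)` and `libs_use_shared_libs(epmd_t)`, which earlier refpolicy releases marked deprecated; given this patch turns deprecated-interface warnings into `refpolicyerr` elsewhere, confirm those two are not in the deprecated set or the new module will fail to build. The `## <summary>` / `## <desc>` lines of the module header appear to have lost their tags in this rendering, so the doc block should be checked against the actual file.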
@@ -20,4 +20,10 @@ /var/log/radwtmp.* -- gen_context(system_u:object_r:radiusd_log_t,s0) /var/run/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_run_t,s0) +') /var/run/radiusd\.pid -- gen_context(system_u:object_r:radiusd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/radiusd\.pid -- gen_context(system_u:object_r:radiusd_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/consolekit.fc +++ refpolicy-2.20110726/policy/modules/services/consolekit.fc @@ -3,5 +3,15 @@ /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) /var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) +ifdef(`distro_debian', ` +/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) +') /var/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) +ifdef(`distro_debian', ` +/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) +') /var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0) +ifdef(`distro_debian', ` +/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0) +') +/usr/lib/ConsoleKit(/.*)? gen_context(system_u:object_r:bin_t,s0) --- refpolicy-2.20110726.orig/policy/modules/services/certmonger.fc +++ refpolicy-2.20110726/policy/modules/services/certmonger.fc @@ -4,3 +4,6 @@ /var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0) /var/run/certmonger.pid -- gen_context(system_u:object_r:certmonger_var_run_t,s0) +ifdef(`distro_debian', ` +/run/certmonger.pid -- gen_context(system_u:object_r:certmonger_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/postgresql.fc +++ refpolicy-2.20110726/policy/modules/services/postgresql.fc 
@@ -44,5 +44,11 @@ ') /var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0) +ifdef(`distro_debian', ` +/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0) +') /var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0) +ifdef(`distro_debian', ` +/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/bind.fc +++ refpolicy-2.20110726/policy/modules/services/bind.fc @@ -14,9 +14,21 @@ /var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) /var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0) +ifdef(`distro_debian', ` +/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0) +') /var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) +ifdef(`distro_debian', ` +/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) +') /var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) +ifdef(`distro_debian', ` +/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) +') /var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) +ifdef(`distro_debian', ` +/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) +') ifdef(`distro_debian',` /etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0) --- refpolicy-2.20110726.orig/policy/modules/services/squid.te +++ refpolicy-2.20110726/policy/modules/services/squid.te @@ -177,6 +177,7 @@ corenet_tcp_bind_netport_port(squid_t) ') +apache_script_exec_domain(squid) optional_policy(` apache_content_template(squid) --- refpolicy-2.20110726.orig/policy/modules/services/lda.fc +++ refpolicy-2.20110726/policy/modules/services/lda.fc 
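Review bot: `apache_script_exec_domain(squid)` is called unconditionally while the existing `apache_content_template(squid)` directly below it is wrapped in `optional_policy(`...`)`; when the apache module is not available the unconditional call makes squid.te fail to build, so move it into the same block: `optional_policy(` / `	apache_script_exec_domain(squid)` / `	apache_content_template(squid)` / `')`. The munin.te hunk `@@ -122,6 +122,7 @@` further down has the identical pattern and needs the same fix. git.te already calls `apache_content_template(git)` unconditionally, so the new call there is at least consistent with its file.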
@@ -0,0 +1,9 @@ + +/usr/bin/procmail -- gen_context(system_u:object_r:lda_exec_t,s0) +/usr/bin/maildrop -- gen_context(system_u:object_r:lda_exec_t,s0) +/usr/sbin/deliverquota.maildrop -- gen_context(system_u:object_r:lda_exec_t,s0) +/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:lda_exec_t,s0) +/usr/bin/mailbot -- gen_context(system_u:object_r:lda_exec_t,s0) + +/etc/courier/maildroprc -- gen_context(system_u:object_r:lda_etc_t,s0) +/var/log/maildrop.log -- gen_context(system_u:object_r:lda_log_t,s0) --- refpolicy-2.20110726.orig/policy/modules/services/inetd.fc +++ refpolicy-2.20110726/policy/modules/services/inetd.fc @@ -10,3 +10,6 @@ /var/log/(x)?inetd\.log -- gen_context(system_u:object_r:inetd_log_t,s0) /var/run/(x)?inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/(x)?inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/sendmail.fc +++ refpolicy-2.20110726/policy/modules/services/sendmail.fc @@ -3,4 +3,10 @@ /var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0) /var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) +ifdef(`distro_debian', ` +/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) +') /var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) +ifdef(`distro_debian', ` +/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/setroubleshoot.fc +++ refpolicy-2.20110726/policy/modules/services/setroubleshoot.fc 
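Review bot: `/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:lda_exec_t,s0)` relabels dovecot's delivery binary as lda_exec_t, yet dovecot.te in this same patch keeps `dovecot_deliver_exec_t` alive under `ifdef(`distro_redhat'`; if dovecot.fc (not in this patch) still lists that path, the two file_contexts entries conflict and the build or setfiles will report the duplicate, so one of them has to go. lda.te declares `typealias lda_exec_t alias procmail_exec_t`, which suggests this file supersedes procmail.fc; confirm procmail.fc is removed or no longer labels `/usr/bin/procmail`, for the same reason. A short header comment naming which delivery agents this module is meant to confine would make the intent of the five exec entries clear.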
@@ -3,6 +3,9 @@ /usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0) /var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0) +ifdef(`distro_debian', ` +/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0) +') /var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0) --- refpolicy-2.20110726.orig/policy/modules/services/milter.fc +++ refpolicy-2.20110726/policy/modules/services/milter.fc @@ -6,8 +6,25 @@ /var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0) /var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) +ifdef(`distro_debian', ` +/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) +') /var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0) +ifdef(`distro_debian', ` +/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0) +') /var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) +ifdef(`distro_debian', ` +/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) +') +/var/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) +ifdef(`distro_debian', ` +/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) +') /var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0) +ifdef(`distro_debian', ` +/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0) +') /var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0) +/var/spool/postfix/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) --- refpolicy-2.20110726.orig/policy/modules/services/oddjob.fc +++ refpolicy-2.20110726/policy/modules/services/oddjob.fc 
@@ -3,3 +3,6 @@
 /usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
 /var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/bluetooth.fc
+++ refpolicy-2.20110726/policy/modules/services/bluetooth.fc
@@ -27,4 +27,10 @@
 /var/lib/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_var_lib_t,s0)
 /var/run/bluetoothd_address gen_context(system_u:object_r:bluetooth_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/bluetoothd_address gen_context(system_u:object_r:bluetooth_var_run_t,s0)
+')
 /var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/rpc.fc
+++ refpolicy-2.20110726/policy/modules/services/rpc.fc
@@ -28,4 +28,10 @@
 /var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0)
 /var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
+')
 /var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/likewise.fc
+++ refpolicy-2.20110726/policy/modules/services/likewise.fc
@@ -46,9 +46,27 @@ /var/lib/likewise-open/run/rpcdep.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0) /var/run/eventlogd.pid -- gen_context(system_u:object_r:eventlogd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/eventlogd.pid -- gen_context(system_u:object_r:eventlogd_var_run_t,s0) +') /var/run/lsassd.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/lsassd.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0) +') /var/run/lwiod.pid -- gen_context(system_u:object_r:lwiod_var_run_t,s0) +ifdef(`distro_debian', ` +/run/lwiod.pid -- gen_context(system_u:object_r:lwiod_var_run_t,s0) +') /var/run/lwregd.pid -- gen_context(system_u:object_r:lwregd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/lwregd.pid -- gen_context(system_u:object_r:lwregd_var_run_t,s0) +') /var/run/netlogond.pid -- gen_context(system_u:object_r:netlogond_var_run_t,s0) +ifdef(`distro_debian', ` +/run/netlogond.pid -- gen_context(system_u:object_r:netlogond_var_run_t,s0) +') /var/run/srvsvcd.pid -- gen_context(system_u:object_r:srvsvcd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/srvsvcd.pid -- gen_context(system_u:object_r:srvsvcd_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/dictd.if +++ refpolicy-2.20110726/policy/modules/services/dictd.if @@ -12,7 +12,7 @@ ## # interface(`dictd_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') ######################################## --- refpolicy-2.20110726.orig/policy/modules/services/cups.fc +++ refpolicy-2.20110726/policy/modules/services/cups.fc 
@@ -65,9 +65,27 @@ /var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) /var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) /var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) +') /var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0) +ifdef(`distro_debian', ` +/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0) +') /var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) +ifdef(`distro_debian', ` +/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) +') /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) +ifdef(`distro_debian', ` +/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) +') /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) +ifdef(`distro_debian', ` +/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) +') /var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0) +ifdef(`distro_debian', ` +/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0) +') /var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) --- refpolicy-2.20110726.orig/policy/modules/services/xserver.te +++ refpolicy-2.20110726/policy/modules/services/xserver.te @@ -151,12 +151,6 @@ files_tmp_file(xauth_tmp_t) ubac_constrained(xauth_tmp_t) -# this is not actually a device, its a pipe -type xconsole_device_t; -files_type(xconsole_device_t) -fs_associate_tmpfs(xconsole_device_t) -files_associate_tmp(xconsole_device_t) - type xdm_t; type xdm_exec_t; auth_login_pgm_domain(xdm_t) 
@@ -317,7 +311,8 @@ allow xdm_t self:appletalk_socket create_socket_perms; allow xdm_t self:key { search link write }; -allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; +#allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; +logging_r_xconsole(xdm_t) # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) @@ -789,6 +784,7 @@ optional_policy(` unconfined_domain_noaudit(xserver_t) unconfined_domtrans(xserver_t) + unconfined_dbus_send(xserver_t) ') optional_policy(` --- refpolicy-2.20110726.orig/policy/modules/services/ksmtuned.fc +++ refpolicy-2.20110726/policy/modules/services/ksmtuned.fc @@ -3,3 +3,6 @@ /usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0) /var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0) +ifdef(`distro_debian', ` +/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/dovecot.te +++ refpolicy-2.20110726/policy/modules/services/dovecot.te @@ -20,11 +20,13 @@ type dovecot_cert_t; files_type(dovecot_cert_t) +ifdef(`distro_redhat', ` type dovecot_deliver_t; type dovecot_deliver_exec_t; domain_type(dovecot_deliver_t) domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t) role system_r types dovecot_deliver_t; +') type dovecot_etc_t; files_config_file(dovecot_etc_t) @@ -72,6 +74,7 @@ read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) +allow dovecot_t dovecot_etc_t:dir list_dir_perms; allow dovecot_t dovecot_etc_t:file read_file_perms; files_search_etc(dovecot_t) 
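Review bot: `#allow xdm_t xconsole_device_t:fifo_file { getattr setattr };` keeps the old rule as commented-out code right above its replacement `logging_r_xconsole(xdm_t)`; delete the line rather than commenting it out, the diff already records the history. The preceding hunk (`@@ -151,12 +151,6 @@`) removes the `xconsole_device_t` declaration from xserver.te, so any other module that references that type (not visible here) must now obtain it from wherever `logging_r_xconsole` declares it; please confirm the type moved rather than disappeared. The new `unconfined_dbus_send(xserver_t)` sits inside the existing unconfined `optional_policy` block, which is the right place for it.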
@@ -180,6 +183,10 @@ # dovecot auth local policy # +logging_search_logs(dovecot_auth_t) +allow dovecot_auth_t dovecot_etc_t:dir list_dir_perms; +allow dovecot_auth_t dovecot_etc_t:file read_file_perms; +manage_sock_files_pattern(dovecot_auth_t,dovecot_var_run_t,dovecot_var_run_t) allow dovecot_auth_t self:capability { chown dac_override setgid setuid }; allow dovecot_auth_t self:process { signal_perms getcap setcap }; allow dovecot_auth_t self:fifo_file rw_fifo_file_perms; @@ -236,6 +243,8 @@ optional_policy(` mysql_search_db(dovecot_auth_t) mysql_stream_connect(dovecot_auth_t) + mysql_tcp_connect(dovecot_auth_t) + mysql_read_config(dovecot_auth_t) ') optional_policy(` @@ -250,10 +259,12 @@ # # dovecot deliver local policy # +ifdef(`distro_redhat', ` allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; allow dovecot_deliver_t dovecot_t:process signull; +allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms; allow dovecot_deliver_t dovecot_etc_t:file read_file_perms; allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; @@ -266,7 +277,6 @@ auth_use_nsswitch(dovecot_deliver_t) logging_send_syslog_msg(dovecot_deliver_t) -logging_search_logs(dovecot_auth_t) miscfiles_read_localization(dovecot_deliver_t) @@ -304,3 +314,15 @@ optional_policy(` mta_manage_spool(dovecot_deliver_t) ') +# end ifdef distro_redhat +') + +optional_policy(` + mysql_tcp_connect(dovecot_auth_t) + mysql_stream_connect(dovecot_auth_t) +') + +optional_policy(` + postgresql_tcp_connect(dovecot_auth_t) + postgresql_stream_connect(dovecot_auth_t) +') --- refpolicy-2.20110726.orig/policy/modules/services/squid.if +++ refpolicy-2.20110726/policy/modules/services/squid.if @@ -184,7 +184,7 @@ ## # interface(`squid_use',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') ######################################## --- refpolicy-2.20110726.orig/policy/modules/services/rgmanager.fc +++ refpolicy-2.20110726/policy/modules/services/rgmanager.fc 
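Review bot: The new trailing `optional_policy` block grants `mysql_tcp_connect(dovecot_auth_t)` and `mysql_stream_connect(dovecot_auth_t)`, both of which the `@@ -236,6 +243,8 @@` hunk already adds to the existing mysql block a few lines up; drop the duplicate block and keep only the postgresql one. Wrapping the dovecot_deliver_t / dovecot_deliver_exec_t declarations in `ifdef(`distro_redhat'` means any interface in dovecot.if that names those types (outside this patch) will fail to compile on Debian unless guarded the same way; please confirm. The closing `') # end ifdef distro_redhat` lands after the `mta_manage_spool(dovecot_deliver_t)` block while the intervening deliver-policy hunks are outside this view, so the brace matching cannot be verified here.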
@@ -3,5 +3,11 @@
 /var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
 /var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+')
 /var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/ldap.if
+++ refpolicy-2.20110726/policy/modules/services/ldap.if
@@ -50,7 +50,7 @@
 ##
 #
 interface(`ldap_use',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
 ')
 ########################################
--- refpolicy-2.20110726.orig/policy/modules/services/dbus.if
+++ refpolicy-2.20110726/policy/modules/services/dbus.if
@@ -194,6 +194,8 @@
 files_search_pids($1)
 stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
 dbus_read_config($1)
+ allow system_dbusd_t $1:dir search;
+ allow system_dbusd_t $1:file read_file_perms;
 ')
 #######################################
--- refpolicy-2.20110726.orig/policy/modules/services/dnsmasq.fc
+++ refpolicy-2.20110726/policy/modules/services/dnsmasq.fc
@@ -9,4 +9,10 @@
 /var/log/dnsmasq\.log gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
 /var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+')
 /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+')
--- refpolicy-2.20110726.orig/policy/modules/services/clamav.te
+++ refpolicy-2.20110726/policy/modules/services/clamav.te
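Review bot: `allow system_dbusd_t $1:dir search;` and `allow system_dbusd_t $1:file read_file_perms;` in the dbus.if hunk let the system bus daemon read objects labeled with the calling domain's type, which in practice is that client's `/proc/<pid>` tree, and because the rules live in the client interface they are re-emitted for every module that calls it, so the grant grows silently with each new caller. If the intent is to let dbusd inspect connecting peers, stating it once in dbus.te against an attribute the interface assigns (`typeattribute $1 <client_attr>` here, two rules on `<client_attr>` in dbus.te, with `<client_attr>` a placeholder) keeps the permission in one reviewable place and documents why dbusd needs it. The interface's header is outside the hunk; the name is inferred from `stream_connect_pattern($1, system_dbusd_var_run_t, ...)`.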
@@ -36,6 +36,10 @@ type clamd_var_lib_t; files_type(clamd_var_lib_t) +# spool files +type clamd_spool_t; +files_type(clamd_spool_t) + # pid files type clamd_var_run_t; files_pid_file(clamd_var_run_t) @@ -53,6 +57,8 @@ type freshclam_exec_t; init_daemon_domain(freshclam_t, freshclam_exec_t) +allow freshclam_t self:netlink_route_socket r_netlink_socket_perms; + # log files type freshclam_var_log_t; logging_log_file(freshclam_var_log_t) @@ -62,12 +68,22 @@ # clamd local policy # +allow clamd_t self:process signull; allow clamd_t self:capability { kill setgid setuid dac_override }; dontaudit clamd_t self:capability sys_tty_config; allow clamd_t self:fifo_file rw_fifo_file_perms; allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow clamd_t self:unix_dgram_socket create_socket_perms; allow clamd_t self:tcp_socket { listen accept }; +allow clamd_t self:fd use; +corecmd_exec_bin(clamd_t) +corecmd_read_bin_symlinks(clamd_t) +files_read_usr_files(clamd_t) + +optional_policy(` +# to allow creating the unix domain socket + postfix_search_spool(clamd_t) +') # configuration files allow clamd_t clamd_etc_t:dir list_dir_perms; @@ -83,6 +99,10 @@ manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t) manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t) +# spool files +manage_dirs_pattern(clamd_t,clamd_spool_t,clamd_spool_t) +manage_files_pattern(clamd_t,clamd_spool_t,clamd_spool_t) + # log files manage_dirs_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t) manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t) 
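Review bot: `manage_dirs_pattern(clamd_t,clamd_spool_t,clamd_spool_t)` and `manage_files_pattern(clamd_t,clamd_spool_t,clamd_spool_t)` omit the spaces after commas that the neighbouring `manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)` lines use; match the file's style. In the new `optional_policy` block the comment `# to allow creating the unix domain socket` sits at column 0 while the `postfix_search_spool(clamd_t)` it explains is indented; indent the comment with the call. `allow clamd_t self:fd use;` is normally already granted to every domain through the base domain rules, so it is most likely redundant here (hedged, since domain.te is not visible), and `corecmd_exec_bin(clamd_t)` plus `files_read_usr_files(clamd_t)` widen a daemon that parses untrusted input, so a why-comment on each would help the next reviewer.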
@@ -100,17 +120,22 @@ corecmd_exec_shell(clamd_t) +# for /proc/meminfo +allow clamd_t proc_t:file { getattr read }; + corenet_all_recvfrom_unlabeled(clamd_t) corenet_all_recvfrom_netlabel(clamd_t) corenet_tcp_sendrecv_generic_if(clamd_t) corenet_tcp_sendrecv_generic_node(clamd_t) corenet_tcp_sendrecv_all_ports(clamd_t) corenet_tcp_sendrecv_clamd_port(clamd_t) +corenet_tcp_sendrecv_amavisd_send_port(clamd_t) corenet_tcp_bind_generic_node(clamd_t) corenet_tcp_bind_clamd_port(clamd_t) corenet_tcp_bind_generic_port(clamd_t) corenet_tcp_connect_generic_port(clamd_t) corenet_sendrecv_clamd_server_packets(clamd_t) +corenet_udp_bind_all_nodes(clamd_t) dev_read_rand(clamd_t) dev_read_urand(clamd_t) @@ -120,6 +145,7 @@ files_read_etc_files(clamd_t) files_read_etc_runtime_files(clamd_t) files_search_spool(clamd_t) +files_search_var_lib(clamd_t) auth_use_nsswitch(clamd_t) @@ -130,6 +156,7 @@ cron_use_fds(clamd_t) cron_use_system_job_fds(clamd_t) cron_rw_pipes(clamd_t) +crond_search_dir(clamd_var_lib_t) mta_read_config(clamd_t) mta_send_mail(clamd_t) @@ -156,6 +183,8 @@ # Freshclam local policy # +files_search_var_lib(freshclam_t) + allow freshclam_t self:capability { setgid setuid dac_override }; allow freshclam_t self:fifo_file rw_fifo_file_perms; allow freshclam_t self:unix_stream_socket create_stream_socket_perms; @@ -189,6 +218,7 @@ corenet_tcp_sendrecv_all_ports(freshclam_t) corenet_tcp_sendrecv_clamd_port(freshclam_t) corenet_tcp_connect_http_port(freshclam_t) +corenet_tcp_connect_http_cache_port(freshclam_t) corenet_sendrecv_http_client_packets(freshclam_t) dev_read_rand(freshclam_t) @@ -204,6 +234,7 @@ logging_send_syslog_msg(freshclam_t) miscfiles_read_localization(freshclam_t) +kernel_read_system_state(freshclam_t) clamav_stream_connect(freshclam_t) --- refpolicy-2.20110726.orig/policy/modules/services/munin.te +++ refpolicy-2.20110726/policy/modules/services/munin.te 
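Review bot: `allow clamd_t proc_t:file { getattr read };` names the kernel module's proc_t directly inside clamav.te, which only compiles if a gen_require for proc_t exists elsewhere in the file (not visible here) and bypasses the interface the same patch uses for freshclam; replace it with `kernel_read_system_state(clamd_t)`, keeping the `# for /proc/meminfo` comment. `crond_search_dir(clamd_var_lib_t)` passes a file type where every other interface call in this file passes a domain; if that interface expects a domain as its first argument the rule is wrong or a no-op, so please double-check the argument. `corenet_udp_bind_all_nodes(clamd_t)` is added without any matching udp sendrecv rule, so it either needs the accompanying rules or a comment explaining why binding alone is sufficient.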
@@ -122,6 +122,7 @@ userdom_dontaudit_use_unpriv_user_fds(munin_t) userdom_dontaudit_search_user_home_dirs(munin_t) +apache_script_exec_domain(munin) optional_policy(` apache_content_template(munin) --- refpolicy-2.20110726.orig/policy/modules/services/exim.te +++ refpolicy-2.20110726/policy/modules/services/exim.te @@ -52,6 +52,11 @@ # exim local policy # +ifdef(`distro_debian', ` +# for /var/lib/exim4/config.autogenerated +files_read_var_lib_files(exim_t) +') + allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource }; allow exim_t self:process { setrlimit setpgid }; allow exim_t self:fifo_file rw_fifo_file_perms; --- refpolicy-2.20110726.orig/policy/modules/services/apcupsd.fc +++ refpolicy-2.20110726/policy/modules/services/apcupsd.fc @@ -8,6 +8,9 @@ /var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) /var/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0) +') /var/www/apcupsd/multimon\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) /var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) --- refpolicy-2.20110726.orig/policy/modules/services/resmgr.fc +++ refpolicy-2.20110726/policy/modules/services/resmgr.fc @@ -4,4 +4,10 @@ /sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0) /var/run/\.resmgr_socket -s gen_context(system_u:object_r:resmgrd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/\.resmgr_socket -s gen_context(system_u:object_r:resmgrd_var_run_t,s0) +') /var/run/resmgr\.pid -- gen_context(system_u:object_r:resmgrd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/resmgr\.pid -- gen_context(system_u:object_r:resmgrd_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/git.te +++ refpolicy-2.20110726/policy/modules/services/git.te 
@@ -5,4 +5,5 @@
 # Declarations
 #
+apache_script_exec_domain(git)
 apache_content_template(git)
--- refpolicy-2.20110726.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20110726/policy/modules/services/ssh.te
@@ -44,6 +44,11 @@
 init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
 ')
+ifdef(`distro_debian', `
+# for key blacklist related to openssl bug
+ allow sshd_t usr_t:file read_file_perms;
+')
+
 type ssh_t;
 type ssh_exec_t;
 typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
@@ -238,6 +243,8 @@
 manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
 files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
+allow sshd_t self:process { getcap setcap };
+
 kernel_search_key(sshd_t)
 kernel_link_key(sshd_t)
@@ -291,6 +298,10 @@
 xserver_domtrans_xauth(sshd_t)
 ')
+optional_policy(`
+ gitosis_read_lib_files(sshd_t)
+')
+
 ifdef(`TODO',`
 tunable_policy(`ssh_sysadm_login',`
 # Relabel and access ptys created by sshd
--- refpolicy-2.20110726.orig/policy/modules/services/prelude.fc
+++ refpolicy-2.20110726/policy/modules/services/prelude.fc
@@ -13,6 +13,12 @@
 /var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0)
 /var/log/prelude.* gen_context(system_u:object_r:prelude_log_t,s0)
 /var/run/prelude-lml.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/prelude-lml.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0)
+')
 /var/run/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_var_run_t,s0)
+ifdef(`distro_debian', `
+/run/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_var_run_t,s0)
+')
 /var/spool/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
 /var/spool/prelude(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/services/lda.te
+++ refpolicy-2.20110726/policy/modules/services/lda.te
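Review bot: `allow sshd_t usr_t:file read_file_perms;` in the ssh.te `@@ -44,6 +44,11 @@` hunk names the files module's usr_t directly inside ssh.te, which needs a gen_require that is not in the hunk and sidesteps the interface this same patch uses elsewhere for the identical need; replace it with `files_read_usr_files(sshd_t)` and keep the `# for key blacklist related to openssl bug` comment, which is the useful part. The replaced line is also indented with a single space where the file uses tabs. `allow sshd_t self:process { getcap setcap };` and the `gitosis_read_lib_files(sshd_t)` optional block look fine.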
@@ -0,0 +1,162 @@ + +policy_module(lda, 1.9.0) + +######################################## +# +# Declarations +# + +type lda_t; +typealias lda_t alias procmail_t; +type lda_exec_t; +typealias lda_exec_t alias procmail_exec_t; +application_domain(lda_t,lda_exec_t) +role system_r types lda_t; + +type lda_tmp_t; +typealias lda_tmp_t alias procmail_tmp_t; +files_tmp_file(lda_tmp_t) + +type lda_etc_t; +files_config_file(lda_etc_t) + +type lda_log_t; +logging_log_file(lda_log_t) +manage_files_pattern(lda_t,lda_log_t,lda_log_t) +logging_log_filetrans(lda_t,lda_log_t,file) + + +######################################## +# +# Local policy +# + +allow lda_t self:capability { sys_nice chown setuid setgid dac_override }; +allow lda_t self:process { setsched signal signull }; +allow lda_t self:fifo_file rw_fifo_file_perms; +allow lda_t self:unix_stream_socket create_socket_perms; +allow lda_t self:unix_dgram_socket create_socket_perms; +allow lda_t self:tcp_socket create_stream_socket_perms; +allow lda_t self:udp_socket create_socket_perms; +read_files_pattern(lda_t,lda_etc_t,lda_etc_t) +read_lnk_files_pattern(lda_t,lda_etc_t,lda_etc_t) + +can_exec(lda_t,lda_exec_t) + +allow lda_t lda_tmp_t:file manage_file_perms; +files_tmp_filetrans(lda_t, lda_tmp_t, file) + +kernel_read_system_state(lda_t) +kernel_read_kernel_sysctls(lda_t) + +corenet_all_recvfrom_unlabeled(lda_t) +corenet_all_recvfrom_netlabel(lda_t) +corenet_tcp_sendrecv_all_if(lda_t) +corenet_udp_sendrecv_all_if(lda_t) +corenet_tcp_sendrecv_all_nodes(lda_t) +corenet_udp_sendrecv_all_nodes(lda_t) +corenet_tcp_sendrecv_all_ports(lda_t) +corenet_udp_sendrecv_all_ports(lda_t) +corenet_udp_bind_all_nodes(lda_t) +corenet_tcp_connect_spamd_port(lda_t) +corenet_sendrecv_spamd_client_packets(lda_t) +corenet_sendrecv_comsat_client_packets(lda_t) + +dev_read_urand(lda_t) + +fs_getattr_xattr_fs(lda_t) +fs_search_auto_mountpoints(lda_t) +fs_rw_anon_inodefs_files(lda_t) + +auth_use_nsswitch(lda_t) + +corecmd_exec_bin(lda_t) 
+corecmd_exec_shell(lda_t) + +files_read_etc_files(lda_t) +files_read_etc_runtime_files(lda_t) +files_search_pids(lda_t) +# for spamassasin +files_read_usr_files(lda_t) + +libs_use_ld_so(lda_t) +libs_use_shared_libs(lda_t) + +logging_send_syslog_msg(lda_t) + +miscfiles_read_localization(lda_t) + +# only works until we define a different type for maildir +userdom_manage_user_home_content_dirs(lda_t) +userdom_manage_user_home_content_files(lda_t) +userdom_user_home_dir_filetrans_user_home_content(lda_t, { dir file }) + +optional_policy(` + gen_require(` + bool daemon_access_unconfined_home; + ') +# tunable_policy(`daemon_access_unconfined_home', ` +# unconfined_write_home_content_files(lda_t) +# ') +') + +mta_manage_spool(lda_t) + +ifdef(`hide_broken_symptoms',` + mta_dontaudit_rw_queue(lda_t) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(lda_t) + fs_manage_nfs_files(lda_t) + fs_manage_nfs_symlinks(lda_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(lda_t) + fs_manage_cifs_files(lda_t) + fs_manage_cifs_symlinks(lda_t) +') + +optional_policy(` + clamav_domtrans_clamscan(lda_t) + clamav_search_lib(lda_t) +') + +optional_policy(` + courier_authdaemon_client(lda_t) +') + +optional_policy(` + munin_dontaudit_search_lib(lda_t) +') + +optional_policy(` + # for a bug in the postfix local program + postfix_dontaudit_rw_local_tcp_sockets(lda_t) + postfix_dontaudit_use_fds(lda_t) + postfix_read_spool_files(lda_t) + postfix_read_local_state(lda_t) + postfix_read_master_state(lda_t) +') + +optional_policy(` + pyzor_domtrans(lda_t) +') + +optional_policy(` + mta_read_config(lda_t) + sendmail_domtrans(lda_t) + sendmail_rw_tcp_sockets(lda_t) + sendmail_rw_unix_stream_sockets(lda_t) +') + +optional_policy(` + corenet_udp_bind_generic_port(lda_t) + corenet_dontaudit_udp_bind_all_ports(lda_t) + + spamassassin_exec(lda_t) + spamassassin_exec_client(lda_t) + spamassassin_read_lib_files(lda_t) +') + --- 
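Review bot: The `optional_policy` block that requires `bool daemon_access_unconfined_home` contains only commented-out code, yet its `gen_require` still makes the lda module depend on whichever module declares that boolean while granting nothing; delete the block or restore the `tunable_policy` it was meant to carry. The comment `# for spamassasin` misspells spamassassin. `corenet_tcp_connect_spamd_port(lda_t)`, `corenet_sendrecv_spamd_client_packets(lda_t)` and the `corenet_*_sendrecv_all_*` rules are unconditional, while the spamassassin `optional_policy` block at the end of the file already holds the rest of the spamd client access; consider moving the spamd-specific rules into that block so a delivery agent without spamassassin does not carry them.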
refpolicy-2.20110726.orig/policy/modules/services/pcscd.fc +++ refpolicy-2.20110726/policy/modules/services/pcscd.fc @@ -1,6 +1,18 @@ /var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0) +') /var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0) +') /var/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0) +') /var/run/pcscd\.events(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/pcscd\.events(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0) +') /usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0) --- refpolicy-2.20110726.orig/policy/modules/services/gpsd.fc +++ refpolicy-2.20110726/policy/modules/services/gpsd.fc @@ -3,4 +3,10 @@ /usr/sbin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0) /var/run/gpsd\.pid -- gen_context(system_u:object_r:gpsd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/gpsd\.pid -- gen_context(system_u:object_r:gpsd_var_run_t,s0) +') /var/run/gpsd\.sock -s gen_context(system_u:object_r:gpsd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/gpsd\.sock -s gen_context(system_u:object_r:gpsd_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/virt.fc +++ refpolicy-2.20110726/policy/modules/services/virt.fc 
@@ -24,6 +24,12 @@ /var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) /var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +ifdef(`distro_debian', ` +/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +') /var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) +ifdef(`distro_debian', ` +/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) +') /var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) --- refpolicy-2.20110726.orig/policy/modules/services/chronyd.fc +++ refpolicy-2.20110726/policy/modules/services/chronyd.fc @@ -7,3 +7,6 @@ /var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0) /var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0) /var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0) +ifdef(`distro_debian', ` +/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0) +') --- refpolicy-2.20110726.orig/policy/modules/services/mta.if +++ refpolicy-2.20110726/policy/modules/services/mta.if @@ -96,6 +96,8 @@ miscfiles_read_localization($1_mail_t) + kernel_read_system_state($1_mail_t) + optional_policy(` exim_read_log($1_mail_t) exim_append_log($1_mail_t) @@ -104,6 +106,8 @@ optional_policy(` postfix_domtrans_user_mail_handler($1_mail_t) + # for postalias - role stops unpriv user from doing it + postfix_domtrans_master($1_mail_t) ') optional_policy(` @@ -585,7 +589,7 @@ ## # interface(`mta_tcp_connect_all_mailservers',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') ####################################### 
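Review bot: `postfix_domtrans_master($1_mail_t)` in the second mta.if hunk gives every user mail domain a transition into `postfix_master_t`, the domain of the main postfix daemon, in order to run postalias, which is a far larger grant than the task needs; the comment `# for postalias - role stops unpriv user from doing it` explains the symptom but not why the role restriction is the wrong control. Upstream confines postmap in its own `postfix_map_t` domain, so if postalias is labelled `postfix_master_exec_t` in this tree the narrower fix is to give it the map label and call the map transition interface instead, if one is present. `kernel_read_system_state($1_mail_t)` in the first hunk would benefit from a one-line comment naming the program that reads /proc.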
@@ -899,3 +903,20 @@ allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') + +######################################## +## +## Allow system_mail_t to access files of specified types +## +## +## +## File type that system_mail_t can access +## +## +# +interface(`system_mail_file_access',` + gen_require(` + type system_mail_t; + ') + allow system_mail_t $1:file { read write }; +') --- refpolicy-2.20110726.orig/policy/modules/services/sasl.te +++ refpolicy-2.20110726/policy/modules/services/sasl.te @@ -99,6 +99,7 @@ optional_policy(` mysql_search_db(saslauthd_t) mysql_stream_connect(saslauthd_t) + mysql_tcp_connect(saslauthd_t) ') optional_policy(` --- refpolicy-2.20110726.orig/policy/modules/services/lda.if +++ refpolicy-2.20110726/policy/modules/services/lda.if @@ -0,0 +1,41 @@ +## mail delivery agent + +######################################## +## +## Execute lda with a domain transition. +## +## +## +## Domain allowed access. +## +## +# +interface(`lda_domtrans',` + gen_require(` + type lda_exec_t, lda_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1,lda_exec_t,lda_t) +') + +######################################## +## +## Execute lda in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`lda_exec',` + gen_require(` + type lda_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + can_exec($1,lda_exec_t) +') --- refpolicy-2.20110726.orig/policy/modules/services/nagios.te +++ refpolicy-2.20110726/policy/modules/services/nagios.te @@ -143,6 +143,7 @@ # # Nagios CGI local policy # +apache_script_exec_domain(nagios) optional_policy(` apache_content_template(nagios) typealias httpd_nagios_script_t alias nagios_cgi_t; 
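Review bot: The new `system_mail_file_access` interface drops the `mta_` prefix that every other interface in mta.if carries, and its body uses the raw permission pair `{ read write }`, which omits `open`, `getattr`, `lock` and `ioctl`, so callers will still be denied at open(2). Rename it along the lines of `mta_rw_system_mail_files` and use the permission macro: `allow system_mail_t $1:file rw_file_perms;`. The summary `Allow system_mail_t to access files of specified types` should say that the access is read and write, since the name does not.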
@@ -191,8 +192,15 @@ files_search_etc(nrpe_t) manage_files_pattern(nrpe_t, nrpe_var_run_t, nrpe_var_run_t) +manage_files_pattern(nrpe_t, nagios_var_run_t, nagios_var_run_t) files_pid_filetrans(nrpe_t, nrpe_var_run_t, file) +type nrpe_tmp_t; +files_tmp_file(nrpe_tmp_t) +manage_dirs_pattern(nrpe_t, nrpe_tmp_t, nrpe_tmp_t) +manage_files_pattern(nrpe_t, nrpe_tmp_t, nrpe_tmp_t) +files_tmp_filetrans(nrpe_t, nrpe_tmp_t, { file dir }) + kernel_read_system_state(nrpe_t) kernel_read_kernel_sysctls(nrpe_t) @@ -202,6 +210,16 @@ corenet_tcp_bind_generic_node(nrpe_t) corenet_tcp_bind_inetd_child_port(nrpe_t) corenet_sendrecv_unlabeled_packets(nrpe_t) +corenet_all_recvfrom_unlabeled(nrpe_t) +corenet_all_recvfrom_netlabel(nrpe_t) +corenet_tcp_sendrecv_all_if(nrpe_t) +corenet_tcp_sendrecv_all_nodes(nrpe_t) +corenet_tcp_sendrecv_generic_port(nrpe_t) +corenet_tcp_bind_all_nodes(nrpe_t) +corenet_tcp_bind_nrpe_port(nrpe_t) +sysnet_dns_name_resolve(nrpe_t) + +allow nrpe_t self:netlink_route_socket create_netlink_socket_perms; dev_read_sysfs(nrpe_t) dev_read_urand(nrpe_t) @@ -223,6 +241,15 @@ userdom_dontaudit_use_unpriv_user_fds(nrpe_t) +domain_read_all_domains_state(nrpe_t) +fs_getattr_all_fs(nrpe_t) +storage_getattr_fixed_disk_dev(nrpe_t) +init_read_utmp(nrpe_t) + +term_dontaudit_getattr_all_user_ttys(nrpe_t) +term_dontaudit_getattr_unallocated_ttys(nrpe_t) +term_dontaudit_getattr_all_user_ptys(nrpe_t) + optional_policy(` inetd_tcp_service_domain(nrpe_t, nrpe_exec_t) ') @@ -270,6 +297,7 @@ # allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; +dontaudit nagios_mail_plugin_t self:capability { sys_resource }; allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms; allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms; 
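Review bot: The `@@ -223,6 +241,15 @@` hunk adds `term_dontaudit_getattr_all_user_ttys(nrpe_t)` and `term_dontaudit_getattr_all_user_ptys(nrpe_t)`, but this same patch switches both interfaces in terminal.if from `refpolicywarn` to `refpolicyerr`, so if `refpolicyerr` aborts the build as its name implies, nagios will no longer compile. Use the replacements the deprecation messages name: `term_dontaudit_getattr_all_ttys(nrpe_t)` and `term_dontaudit_getattr_all_ptys(nrpe_t)`. `corenet_tcp_bind_inetd_child_port(nrpe_t)` is kept alongside the new `corenet_tcp_bind_nrpe_port(nrpe_t)`; once 5666 is moved to its own port type the inetd_child bind covers only unrelated inetd services and is probably no longer needed for a standalone nrpe. `domain_read_all_domains_state(nrpe_t)` is a broad grant; a comment naming the check plugin that needs it would help later audits.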
@@ -289,17 +317,25 @@ sysnet_read_config(nagios_mail_plugin_t) +files_read_usr_files(nagios_mail_plugin_t) + optional_policy(` mta_send_mail(nagios_mail_plugin_t) ') optional_policy(` + can_exec_sudo(nagios_mail_plugin_t) +') + +optional_policy(` nscd_dontaudit_search_pid(nagios_mail_plugin_t) ') optional_policy(` postfix_stream_connect_master(nagios_mail_plugin_t) - posftix_exec_postqueue(nagios_mail_plugin_t) + posftix_run_postqueue(nagios_mail_plugin_t) + postfix_list_spool(nagios_mail_plugin_t) + postfix_read_spool_files(nagios_mail_plugin_t) ') ###################################### @@ -313,6 +349,7 @@ files_read_etc_runtime_files(nagios_checkdisk_plugin_t) fs_getattr_all_fs(nagios_checkdisk_plugin_t) +files_getattr_all_mountpoints(nagios_checkdisk_plugin_t) storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) @@ -343,6 +380,8 @@ ') optional_policy(` + mysql_read_config(nagios_services_plugin_t) + mysql_tcp_connect(nagios_services_plugin_t) mysql_stream_connect(nagios_services_plugin_t) ') @@ -389,3 +428,14 @@ optional_policy(` unconfined_domain(nagios_unconfined_plugin_t) ') + +optional_policy(` + mysql_tcp_connect(nrpe_t) + mysql_stream_connect(nrpe_t) + mysql_read_config(nrpe_t) +') + +optional_policy(` + postgresql_tcp_connect(nrpe_t) + postgresql_stream_connect(nrpe_t) +') --- refpolicy-2.20110726.orig/policy/modules/services/pegasus.fc +++ refpolicy-2.20110726/policy/modules/services/pegasus.fc @@ -8,5 +8,8 @@ /var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) /var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) +ifdef(`distro_debian', ` +/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) +') /usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) --- refpolicy-2.20110726.orig/policy/modules/kernel/corenetwork.if.in +++ refpolicy-2.20110726/policy/modules/kernel/corenetwork.if.in 
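Review bot: `posftix_run_postqueue(nagios_mail_plugin_t)` keeps the `posftix` misspelling of the line it replaces, and `can_exec_sudo(nagios_mail_plugin_t)` lacks the module prefix every other call in this file uses (`sudo_exec` is the upstream spelling); neither name is defined anywhere visible in this patch, and an undefined macro inside `optional_policy` is passed through as literal text rather than ignored. Confirm both exist under those spellings in the corresponding .if files or correct them. Letting the mail plugin execute sudo also deserves a comment saying what it runs, since the domain already holds `setuid setgid dac_override`.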
@@ -2145,7 +2145,7 @@ ## # interface(`corenet_non_ipsec_sendrecv',` - refpolicywarn(`$0($*) has been deprecated, use corenet_all_recvfrom_unlabeled() instead.') + refpolicyerr(`$0($*) has been deprecated, use corenet_all_recvfrom_unlabeled() instead.') corenet_all_recvfrom_unlabeled($1) ') @@ -2173,7 +2173,7 @@ ## # interface(`corenet_dontaudit_non_ipsec_sendrecv',` - refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_all_recvfrom_unlabeled() instead.') + refpolicyerr(`$0($*) has been deprecated, use corenet_dontaudit_all_recvfrom_unlabeled() instead.') corenet_dontaudit_all_recvfrom_unlabeled($1) ') @@ -2188,7 +2188,7 @@ ## # interface(`corenet_tcp_recv_netlabel',` - refpolicywarn(`$0($*) has been deprecated, use corenet_tcp_recvfrom_netlabel() instead.') + refpolicyerr(`$0($*) has been deprecated, use corenet_tcp_recvfrom_netlabel() instead.') corenet_tcp_recvfrom_netlabel($1) ') @@ -2243,7 +2243,7 @@ ## # interface(`corenet_dontaudit_tcp_recv_netlabel',` - refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_tcp_recvfrom_netlabel() instead.') + refpolicyerr(`$0($*) has been deprecated, use corenet_dontaudit_tcp_recvfrom_netlabel() instead.') corenet_dontaudit_tcp_recvfrom_netlabel($1) ') @@ -2299,7 +2299,7 @@ ## # interface(`corenet_udp_recv_netlabel',` - refpolicywarn(`$0($*) has been deprecated, use corenet_udp_recvfrom_netlabel() instead.') + refpolicyerr(`$0($*) has been deprecated, use corenet_udp_recvfrom_netlabel() instead.') corenet_udp_recvfrom_netlabel($1) ') @@ -2354,7 +2354,7 @@ ## # interface(`corenet_dontaudit_udp_recv_netlabel',` - refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_udp_recvfrom_netlabel($1) instead.') + refpolicyerr(`$0($*) has been deprecated, use corenet_dontaudit_udp_recvfrom_netlabel($1) instead.') corenet_dontaudit_udp_recvfrom_netlabel($1) ') 
@@ -2410,7 +2410,7 @@ ## # interface(`corenet_raw_recv_netlabel',` - refpolicywarn(`$0($*) has been deprecated, use corenet_raw_recvfrom_netlabel() instead.') + refpolicyerr(`$0($*) has been deprecated, use corenet_raw_recvfrom_netlabel() instead.') corenet_raw_recvfrom_netlabel($1) ') --- refpolicy-2.20110726.orig/policy/modules/kernel/filesystem.if +++ refpolicy-2.20110726/policy/modules/kernel/filesystem.if @@ -4064,6 +4064,24 @@ ######################################## ## +## Allow reading tmpfs files +## +## +## +## Domain to read files +## +## +# +interface(`fs_allow_tmpfs_file_read',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:file read; +') + +######################################## +## ## Create, read, write, and delete ## auto moutpoints. ## --- refpolicy-2.20110726.orig/policy/modules/kernel/corecommands.fc +++ refpolicy-2.20110726/policy/modules/kernel/corecommands.fc @@ -185,6 +185,7 @@ /usr/(.*/)?Bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0) 
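Review bot: `fs_allow_tmpfs_file_read` grants the bare `read` permission, which without `open` and `getattr` will still fail for any caller that opens a tmpfs file, and its name does not follow the `fs_<access>_<object>` pattern used throughout filesystem.if. Use `allow $1 tmpfs_t:file read_file_perms;` and name it along the lines of `fs_read_tmpfs_files`, checking first that filesystem.if does not already provide an equivalent. The summary `Allow reading tmpfs files` should also say that the caller is expected to obtain directory search on `tmpfs_t` separately, since the interface grants none.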
@@ -201,6 +202,9 @@ /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) +ifdef(`distro_debian', ` +/usr/lib(64)?/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) +') /usr/lib(64)?/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/cups(/.*)? gen_context(system_u:object_r:bin_t,s0) --- refpolicy-2.20110726.orig/policy/modules/kernel/terminal.if +++ refpolicy-2.20110726/policy/modules/kernel/terminal.if @@ -909,7 +909,7 @@ ## # interface(`term_getattr_all_user_ptys',` - refpolicywarn(`$0 has been deprecated, use term_getattr_all_ptys() instead.') + refpolicyerr(`$0 has been deprecated, use term_getattr_all_ptys() instead.') term_getattr_all_ptys($1) ') @@ -926,7 +926,7 @@ ## # interface(`term_dontaudit_getattr_all_user_ptys',` - refpolicywarn(`$0 has been deprecated, use term_dontaudit_getattr_all_ptys() instead.') + refpolicyerr(`$0 has been deprecated, use term_dontaudit_getattr_all_ptys() instead.') term_dontaudit_getattr_all_ptys($1) ') @@ -943,7 +943,7 @@ ## # interface(`term_setattr_all_user_ptys',` - refpolicywarn(`$0 has been deprecated, use term_setattr_all_ptys() instead.') + refpolicyerr(`$0 has been deprecated, use term_setattr_all_ptys() instead.') term_setattr_all_ptys($1) ') @@ -958,7 +958,7 @@ ## # interface(`term_relabelto_all_user_ptys',` - refpolicywarn(`$0 has been deprecated, use term_relabelto_all_ptys() instead.') + refpolicyerr(`$0 has been deprecated, use term_relabelto_all_ptys() instead.') term_relabelto_all_ptys($1) ') 
@@ -973,7 +973,7 @@ ## # interface(`term_write_all_user_ptys',` - refpolicywarn(`$0 has been deprecated, use term_write_all_ptys() instead.') + refpolicyerr(`$0 has been deprecated, use term_write_all_ptys() instead.') term_write_all_ptys($1) ') @@ -989,7 +989,7 @@ ## # interface(`term_use_all_user_ptys',` - refpolicywarn(`$0 has been deprecated, use term_use_all_ptys() instead.') + refpolicyerr(`$0 has been deprecated, use term_use_all_ptys() instead.') term_use_all_ptys($1) ') @@ -1005,7 +1005,7 @@ ## # interface(`term_dontaudit_use_all_user_ptys',` - refpolicywarn(`$0 has been deprecated, use term_dontaudit_use_all_ptys() instead.') + refpolicyerr(`$0 has been deprecated, use term_dontaudit_use_all_ptys() instead.') term_dontaudit_use_all_ptys($1) ') @@ -1021,7 +1021,7 @@ ## # interface(`term_relabel_all_user_ptys',` - refpolicywarn(`$0 has been deprecated, use term_relabel_all_ptys() instead.') + refpolicyerr(`$0 has been deprecated, use term_relabel_all_ptys() instead.') term_relabel_all_ptys($1) ') @@ -1393,7 +1393,7 @@ ## # interface(`term_getattr_all_user_ttys',` - refpolicywarn(`$0() is deprecated, use term_getattr_all_ttys() instead.') + refpolicyerr(`$0() is deprecated, use term_getattr_all_ttys() instead.') term_getattr_all_ttys($1) ') @@ -1410,7 +1410,7 @@ ## # interface(`term_dontaudit_getattr_all_user_ttys',` - refpolicywarn(`$0() is deprecated, use term_dontaudit_getattr_all_ttys() instead.') + refpolicyerr(`$0() is deprecated, use term_dontaudit_getattr_all_ttys() instead.') term_dontaudit_getattr_all_ttys($1) ') @@ -1427,7 +1427,7 @@ ## # interface(`term_setattr_all_user_ttys',` - refpolicywarn(`$0() is deprecated, use term_setattr_all_ttys() instead.') + refpolicyerr(`$0() is deprecated, use term_setattr_all_ttys() instead.') term_setattr_all_ttys($1) ') 
@@ -1443,7 +1443,7 @@
 ##
 #
 interface(`term_relabel_all_user_ttys',`
- refpolicywarn(`$0() is deprecated, use term_relabel_all_ttys() instead.')
+ refpolicyerr(`$0() is deprecated, use term_relabel_all_ttys() instead.')
 term_relabel_all_ttys($1)
 ')
@@ -1458,7 +1458,7 @@
 ##
 #
 interface(`term_write_all_user_ttys',`
- refpolicywarn(`$0() is deprecated, use term_write_all_ttys() instead.')
+ refpolicyerr(`$0() is deprecated, use term_write_all_ttys() instead.')
 term_write_all_ttys($1)
 ')
@@ -1474,7 +1474,7 @@
 ##
 #
 interface(`term_use_all_user_ttys',`
- refpolicywarn(`$0() is deprecated, use term_use_all_ttys() instead.')
+ refpolicyerr(`$0() is deprecated, use term_use_all_ttys() instead.')
 term_use_all_ttys($1)
 ')
@@ -1490,6 +1490,6 @@
 ##
 #
 interface(`term_dontaudit_use_all_user_ttys',`
- refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
+ refpolicyerr(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
 term_dontaudit_use_all_ttys($1)
 ')
--- refpolicy-2.20110726.orig/policy/modules/kernel/mcs.te
+++ refpolicy-2.20110726/policy/modules/kernel/mcs.te
@@ -5,8 +5,19 @@
 # Declarations
 #
+# process may kill all processes (init)
 attribute mcskillall;
+# process may ptrace at all levels
 attribute mcsptraceall;
+# process may run a child in any level
 attribute mcssetcats;
+# process may set the low level for a child with no restriction
+attribute mcssetlow;
+# object may be accessed by any process at a higher level
+attribute mcstrustedobject;
+# process may write all files/dirs
 attribute mcswriteall;
+# process may read all files/dirs
 attribute mcsreadall;
+# process may delete all files and write dirs as appropriate
+attribute mcsdeleteall;
--- refpolicy-2.20110726.orig/policy/modules/kernel/storage.if
+++ refpolicy-2.20110726/policy/modules/kernel/storage.if
@@ -290,6 +290,24 @@ ######################################## ## +## Create block devices in a directory labelled as var_run_t +## +## +## +## The type of the process performing this action. +## +## +# +interface(`storage_var_run_filetrans_fixed_disk',` + gen_require(` + type fixed_disk_device_t; + ') + + files_pid_filetrans($1,fixed_disk_device_t,blk_file) +') + +######################################## +## ## Relabel fixed disk device nodes. ## ## --- refpolicy-2.20110726.orig/policy/modules/kernel/kernel.if +++ refpolicy-2.20110726/policy/modules/kernel/kernel.if @@ -299,7 +299,7 @@ ## # interface(`kernel_tcp_recvfrom',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') ######################################## @@ -313,7 +313,7 @@ ## # interface(`kernel_udp_send',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') ######################################## @@ -327,7 +327,7 @@ ## # interface(`kernel_udp_recvfrom',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') ######################################## --- refpolicy-2.20110726.orig/policy/modules/kernel/selinux.if +++ refpolicy-2.20110726/policy/modules/kernel/selinux.if @@ -544,6 +544,7 @@ allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; + allow $1 security_t:filesystem getattr; allow $1 security_t:security check_context; ') --- refpolicy-2.20110726.orig/policy/modules/kernel/filesystem.te +++ refpolicy-2.20110726/policy/modules/kernel/filesystem.te @@ -95,6 +95,8 @@ type hugetlbfs_t; fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) +files_type(hugetlbfs_t) +files_poly_parent(hugetlbfs_t) fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); type ibmasmfs_t; --- refpolicy-2.20110726.orig/policy/modules/kernel/corenetwork.te.in +++ refpolicy-2.20110726/policy/modules/kernel/corenetwork.te.in 
@@ -100,6 +100,7 @@
 network_port(dict, tcp,2628,s0)
 network_port(distccd, tcp,3632,s0)
 network_port(dns, udp,53,s0, tcp,53,s0)
+network_port(epmd, tcp,4369,s0)
 network_port(epmap, tcp,135,s0, udp,135,s0)
 network_port(fingerd, tcp,79,s0)
 network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
@@ -118,7 +119,7 @@
 network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
 network_port(i18n_input, tcp,9010,s0)
 network_port(imaze, tcp,5323,s0, udp,5323,s0)
-network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
+network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0)
 network_port(innd, tcp,119,s0)
 network_port(ipmi, udp,623,s0, udp,664,s0)
 network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
@@ -155,6 +156,7 @@
 network_port(nmbd, udp,137,s0, udp,138,s0)
 network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
 network_port(ntp, udp,123,s0)
+network_port(nrpe, tcp,5666,s0)
 network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
 network_port(ocsp, tcp,9080,s0)
 network_port(openvpn, tcp,1194,s0, udp,1194,s0)
--- refpolicy-2.20110726.orig/policy/modules/kernel/selinux.te
+++ refpolicy-2.20110726/policy/modules/kernel/selinux.te
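Review bot: Moving tcp/5666 out of `inetd_child` into the new `nrpe` port type silently withdraws the bind permission from every domain that relied on `corenet_tcp_bind_inetd_child_port`, most relevantly inetd itself when nrpe is launched from inetd, a mode the nagios.te hunk earlier in this patch still supports via `inetd_tcp_service_domain(nrpe_t, nrpe_exec_t)`. If that mode is kept, the inetd domain needs `corenet_tcp_bind_nrpe_port` as well, or the port should remain in `inetd_child`. `network_port(epmd, tcp,4369,s0)` has no consumer visible in this patch; a comment naming it (the Erlang port mapper) would justify the new port type.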
@@ -19,6 +19,7 @@
 type security_t, boolean_type;
 fs_type(security_t)
 mls_trusted_object(security_t)
+mcs_trusted_object(security_t)
 sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
 genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
 genfscon securityfs / gen_context(system_u:object_r:security_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/kernel/devices.fc
+++ refpolicy-2.20110726/policy/modules/kernel/devices.fc
@@ -1,5 +1,12 @@
 /dev -d gen_context(system_u:object_r:device_t,s0)
+ifdef(`distro_debian',`
+# this is a static /dev dir "backup mount"
+# if you want to disable udev, you'll have to boot permissive and relabel!
+/dev/\.static -d gen_context(system_u:object_r:device_t,s0)
+/dev/\.static/dev -d gen_context(system_u:object_r:device_t,s0)
+/dev/\.static/dev/(.*)? <>
+')
 /dev/.* gen_context(system_u:object_r:device_t,s0)
 /dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
--- refpolicy-2.20110726.orig/policy/modules/kernel/mcs.if
+++ refpolicy-2.20110726/policy/modules/kernel/mcs.if
@@ -45,6 +45,26 @@
 ########################################
 ##
+## This domain is allowed to delete files and directories
+## regardless of their MCS category set.
+##
+##
+##
+## Domain target for user exemption.
+##
+##
+##
+#
+interface(`mcs_file_delete_all',`
+ gen_require(`
+ attribute mcsdeleteall;
+ ')
+
+ typeattribute $1 mcsdeleteall;
+')
+
+########################################
+##
 ## This domain is allowed to sigkill and sigstop
 ## all domains regardless of their MCS category set.
 ##
@@ -102,3 +122,53 @@ typeattribute $1 mcssetcats; ') + +######################################## +## +## Make specified domain MCS trusted +## for setting the low level of its range for the processes it executes, +## IE MCS will not be mandatory for it. +## +## +## +## Domain target for user exemption. +## +## +# +interface(`mcs_process_set_low',` + gen_require(` + attribute mcssetlow; + ') + + typeattribute $1 mcssetlow; +') + +######################################## +## +## Make specified object MCS trusted. +## +## +##

+## Make specified object MCS trusted. This +## allows all levels to read and write the +## object. +##

+##

+## This currently only applies to filesystem +## objects, for example, files and directories. +##

+##
+## +## +## The type of the object. +## +## +# +interface(`mcs_trusted_object',` + gen_require(` + attribute mcstrustedobject; + ') + + typeattribute $1 mcstrustedobject; +') + --- refpolicy-2.20110726.orig/policy/modules/kernel/files.te +++ refpolicy-2.20110726/policy/modules/kernel/files.te @@ -31,6 +31,7 @@ attribute tmpfile; attribute tmpfsfile; +attribute hugetlbfsfile; # this attribute is not currently used and will be removed in the future. # unfortunately, this attribute can not be removed yet because it may cause @@ -213,6 +214,13 @@ ######################################## # +# Rules for all hugetlbfs file types +# + +fs_associate_hugetlbfs(hugetlbfsfile) + +######################################## +# # Unconfined access to this module # --- refpolicy-2.20110726.orig/policy/modules/kernel/files.fc +++ refpolicy-2.20110726/policy/modules/kernel/files.fc @@ -62,8 +62,6 @@ /etc/ipsec\.d/examples(/.*)? gen_context(system_u:object_r:etc_t,s0) -/etc/network/ifstate -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/ptal/ptal-printd-like -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -255,5 +253,11 @@ /var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0) ifdef(`distro_debian',` -/var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0) +/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) +ifdef(`distro_debian', ` +/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) +') +# on Debian /lib/init/rw is a tmpfs used like /var/run but +# before /var is mounted +/lib/init/rw(/.*)? gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh) ') --- refpolicy-2.20110726.orig/policy/modules/kernel/filesystem.fc +++ refpolicy-2.20110726/policy/modules/kernel/filesystem.fc 
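Review bot: In the files.fc `@@ -255,5 +253,11 @@` hunk the added `ifdef(`distro_debian', `` around `/run/motd` sits inside an enclosing `ifdef(`distro_debian',` that is already visible as context, so the inner conditional is redundant and the `/run/motd` line can stand directly beside `/var/run/motd`. `/lib/init/rw(/.*)? gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)` labels an entire tmpfs tree as generic `var_run_t` across the full MLS range, so every domain with generic pid-file write access can write anywhere under it; the comment explains the mount but not why the range is needed, and a dedicated type would keep daemons' runtime data separated there as it is under /var/run.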
@@ -1,4 +1,8 @@ /cgroup -d gen_context(system_u:object_r:cgroup_t,s0) +ifdef(`distro_debian', ` +/run/shm -d gen_context(system_u:object_r:tmpfs_t,s0) +/var/run/shm -d gen_context(system_u:object_r:tmpfs_t,s0) +') /cgroup/.* <> /dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) --- refpolicy-2.20110726.orig/policy/modules/kernel/devices.if +++ refpolicy-2.20110726/policy/modules/kernel/devices.if @@ -140,7 +140,7 @@ interface(`dev_relabel_all_dev_nodes',` gen_require(` attribute device_node; - type device_t; + type device_t, tmpfs_t; ') relabelfrom_dirs_pattern($1, device_t, device_node) @@ -150,6 +150,7 @@ relabelfrom_sock_files_pattern($1, device_t, device_node) relabel_blk_files_pattern($1, device_t, { device_t device_node }) relabel_chr_files_pattern($1, device_t, { device_t device_node }) + allow $1 tmpfs_t:chr_file { read write }; ') ######################################## @@ -787,6 +788,26 @@ ######################################## ## +## Create FIFO pipes in device directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_create_generic_pipes',` + gen_require(` + type device_t; + ') + allow $1 device_t:dir add_entry_dir_perms; + allow $1 device_t:fifo_file { getattr create }; + allow $1 device_t:dir search_dir_perms; + allow $1 device_t:file setattr_file_perms; +') + +######################################## +## ## Create, delete, read, and write symbolic links in device directories. ## ## @@ -2882,7 +2903,7 @@ ## # interface(`dev_read_mtrr',` - refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().') + refpolicyerr(`$0($*) has been replaced with dev_rw_mtrr().') dev_rw_mtrr($1) ') @@ -2911,7 +2932,7 @@ ## # interface(`dev_write_mtrr',` - refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().') + refpolicyerr(`$0($*) has been replaced with dev_rw_mtrr().') dev_rw_mtrr($1) ') @@ -4550,7 +4571,7 @@ ######################################## ## -## Write to watchdog devices. +## Read/Write watchdog devices. ## ## ## 
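Review bot: `allow $1 tmpfs_t:chr_file { read write };` added to `dev_relabel_all_dev_nodes` has nothing to do with relabelling and is now handed to every caller of that interface, and it uses a raw permission pair instead of `rw_chr_file_perms`; it belongs in its own interface, or at the single call site that needs it, with a comment naming the device node involved. In `dev_create_generic_pipes`, `allow $1 device_t:file setattr_file_perms;` is likewise unrelated to creating FIFOs, and the separate `add_entry_dir_perms` and `search_dir_perms` rules on `device_t:dir` collapse to the single `allow $1 device_t:dir add_entry_dir_perms;` since that macro already includes search.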
@@ -4558,12 +4579,12 @@ ## ## # -interface(`dev_write_watchdog',` +interface(`dev_rw_watchdog',` gen_require(` type device_t, watchdog_device_t; ') - write_chr_files_pattern($1, device_t, watchdog_device_t) + rw_chr_files_pattern($1, device_t, watchdog_device_t) ') ######################################## --- refpolicy-2.20110726.orig/policy/modules/kernel/files.if +++ refpolicy-2.20110726/policy/modules/kernel/files.if @@ -413,6 +413,26 @@ ######################################## ## +## Transform the type into a file, for use on a +## virtual memory filesystem (hugetlbfs). +## +## +## +## The type to be transformed. +## +## +# +interface(`files_hugetlbfs_file',` + gen_require(` + attribute hugetlbfsfile; + ') + + files_type($1) + typeattribute $1 hugetlbfsfile; +') + +######################################## +## ## Get the attributes of all directories. ## ## @@ -3460,8 +3480,9 @@ gen_require(` type mnt_t; ') - - allow $1 mnt_t:dir search_dir_perms; + + allow $1 mnt_t:dir search_dir_perms; + allow $1 mnt_t:lnk_file read_lnk_file_perms; ') ######################################## @@ -3480,6 +3501,7 @@ ') dontaudit $1 mnt_t:dir search_dir_perms; + dontaudit $1 mnt_t:lnk_file read_lnk_file_perms; ') ######################################## @@ -3498,6 +3520,7 @@ ') allow $1 mnt_t:dir list_dir_perms; + allow $1 mnt_t:lnk_file read_lnk_file_perms; ') ###################################### @@ -5504,6 +5527,7 @@ allow $1 var_lock_t:lnk_file read_lnk_file_perms; allow $1 { var_t var_lock_t }:dir search_dir_perms; + allow $1 var_lock_t:lnk_file read_lnk_file_perms; allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) 
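Review bot: Renaming `dev_write_watchdog` to `dev_rw_watchdog` removes the old interface outright, so any module outside this patch that still calls `dev_write_watchdog` stops building; the convention this same file applies in the `dev_read_mtrr`/`dev_write_mtrr` hunks is to keep the old name as a wrapper that emits a deprecation message and calls the replacement. In the files.if `@@ -5504,6 +5527,7 @@` hunk the added `allow $1 var_lock_t:lnk_file read_lnk_file_perms;` duplicates the identical context line two lines above it, and the same duplicate is added in the `@@ -5527` hunk on the next line; both additions can be dropped. The `files_search_mnt` hunk replaces a blank line with whitespace-only noise alongside the real `lnk_file` addition.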
@@ -5527,6 +5551,7 @@
 allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 allow $1 { var_t var_lock_t }:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 manage_dirs_pattern($1, lockfile, lockfile)
 manage_files_pattern($1, lockfile, lockfile)
 manage_lnk_files_pattern($1, lockfile, lockfile)
@@ -5800,6 +5825,26 @@
 ')
 ########################################
+##
+## Create directories under /var/run
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_manage_pid_dirs',`
+ gen_require(`
+ type var_t, var_run_t;
+ ')
+
+ allow $1 var_t:dir search;
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ allow $1 var_run_t:dir manage_dir_perms;
+')
+
+########################################
 ##
 ## Do not audit attempts to write to daemon runtime data files.
 ##
--- refpolicy-2.20110726.orig/policy/modules/roles/unprivuser.te
+++ refpolicy-2.20110726/policy/modules/roles/unprivuser.te
@@ -27,6 +27,9 @@
 optional_policy(`
 xserver_role(user_r, user_t)
 ')
+optional_policy(`
+ consolekit_dbus_chat(user_t)
+')
 ifndef(`distro_redhat',`
 optional_policy(`
--- refpolicy-2.20110726.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20110726/policy/modules/roles/sysadm.te
@@ -156,6 +156,10 @@
 ')
 optional_policy(`
+ python_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
 # allow system administrator to use the ipsec script to look
 # at things (e.g., ipsec auto --status)
 # probably should create an ipsec_admin role for this kind of thing
--- refpolicy-2.20110726.orig/policy/modules/roles/staff.te
+++ refpolicy-2.20110726/policy/modules/roles/staff.te
@@ -41,6 +41,9 @@
 optional_policy(`
 sudo_role_template(staff, staff_r, staff_t)
 ')
+optional_policy(`
+ consolekit_dbus_chat(staff_t)
+')
 optional_policy(`
 sysadm_role_change(staff_r)
--- refpolicy-2.20110726.orig/debian/copyright
+++ refpolicy-2.20110726/debian/copyright
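Review bot: files_manage_pid_dirs (-5800 hunk) is summarised as "Create directories under /var/run", but `allow $1 var_run_t:dir manage_dir_perms;` also grants write, rename, reparent and rmdir on var_run_t directories themselves, which is considerably wider than creating subdirectories. Either narrow the rule to what the name promises (for example `create_dir_perms`) or reword the summary to "Create, read, write, and delete directories in /var/run" so callers know what they receive. `allow $1 var_t:dir search;` uses a bare permission where the neighbouring interfaces use `search_dir_perms`, which also carries getattr and open; `allow $1 var_t:dir search_dir_perms;` keeps it consistent.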
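Review bot: The new `optional_policy(` block wrapping `consolekit_dbus_chat(user_t)` in unprivuser.te (-27 hunk) is not separated from its neighbours by a blank line the way the other optional_policy blocks in the file are; the hunk's line counts leave room for only one blank line between the preceding `')` and `ifndef`, so one side of the block is missing its separator. The staff.te -41 hunk has the same layout. Since the identical block is added for both user_t and staff_t, a single call in whatever shared user template these roles instantiate would avoid maintaining it twice, if such a place exists in this tree.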
@@ -0,0 +1,49 @@
+This is the Debian package for the SELinux Reference policy, and it is
+built from sources obtained from:
+ http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease
+
+This package was originally debianized by Erich Schubert
+ on Mon, 13 Feb 2006 22:50:03 +0100.
+
+The package has since changed maintainers, the current maintainer being
+Manoj Srivastava .
+
+Changes:
+ * added Debian GNU/Linux package maintenance system files
+ * Some Debian specific tweaks and changes to policy also exist
+
+
+The reference policy is
+Copyright (C) 2002 Michael Droettboom
+Copyright (C) 2003 - 2006 Tresys Technology, LLC
+
+
+License:
+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, version 2 of the License.
+
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this package; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+
+The debian specific changes are Copyright © 2006 Manoj Srivastava, and
+distributed under the terms of the GNU General Public License, version
+2.
+
+On Debian GNU/Linux systems, the complete text of the GNU General
+Public License can be found in `/usr/share/common-licenses/GPL-2'.
+
+ A copy of the GNU General Public License is also available at
+ . You may also obtain
+ it by writing to the Free Software Foundation, Inc., 51 Franklin
+ St, Fifth Floor, Boston, MA 02110-1301 USA
+
+Manoj Srivastava
+arch-tag: d4250e44-a0e0-4ee0-adb9-2bd74f6eeb27
--- refpolicy-2.20110726.orig/debian/doc.postinst
+++ refpolicy-2.20110726/debian/doc.postinst
@@ -0,0 +1,211 @@
+#! /bin/sh
+# -*- Mode: Sh -*-
+# postinst ---
+# Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+# Created On : Fri Nov 14 11:25:07 2003
+# Created On Node : glaurung.green-gryphon.com
+# Last Modified By : Manoj Srivastava
+# Last Modified On : Sun Aug 20 16:26:45 2006
+# Last Machine Used: glaurung.internal.golden-gryphon.com
+# Update Count : 16
+# Status : Unknown, Use with caution!
+# HISTORY :
+# Description :
+#
+# arch-tag: 4e408b9c-d423-4177-b8a3-2d7b4fe51af7
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+#
+
+# Abort if any command returns an error value
+set -e
+
+package_name=selinux-policy-refpolicy-doc
+
+if [ -z "$package_name" ]; then
+ print >&2 "Internal Error. Please report a bug."
+ exit 1;
+fi
+
+# This script is called as the last step of the installation of the
+# package. All the package's files are in place, dpkg has already done
+# its automatic conffile handling, and all the packages we depend of
+# are already fully installed and configured.
+# summary of how this script can be called:
+# * `configure'
+# * `abort-upgrade'
+# * abort-remove # if prerm fails during removal
+# * `abort-remove' `in-favour'
+#
+# * `abort-deconfigure' `in-favour'
+# `removing'
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+#
+# quoting from the policy:
+# Any necessary prompting should almost always be confined to the
+# post-installation script, and should be protected with a conditional
+# so that unnecessary prompting doesn't happen if a package's
+# installation fails and the `postinst' is called with `abort-upgrade',
+# `abort-remove' or `abort-deconfigure'.
+
+# The following idempotent stuff doesn't generally need protecting
+# against being run in the abort-* cases.
+
+# Install info files into the dir file
+#install-info --quiet --section "Development" "Development" \
+# --description="The GNU make utility." /usr/share/info/$package_name.info.gz
+
+# Create stub directories under /usr/local
+##: if test ! -d /usr/local/lib/${package_name}; then
+##: if test ! -d /usr/local/lib; then
+##: if mkdir /usr/local/lib; then
+##: chown root.staff /usr/local/lib || true
+##: chmod 2775 /usr/local/lib || true
+##: fi
+##: fi
+##: if mkdir /usr/local/lib/${package_name}; then
+##: chown root.staff /usr/local/lib/${package_name} || true
+##: chmod 2775 /usr/local/lib/${package_name} || true
+##: fi
+##: fi
+
+# Ensure the menu system is updated
+##: [ ! -x /usr/bin/update-menus ] || /usr/bin/update-menus
+
+# Arrange for a daemon to be started at system boot time
+##: update-rc.d ${package_name} default >/dev/null
+
+case "$1" in
+ configure)
+ # Configure this package. If the package must prompt the user for
+ # information, do it here.
+ # Install emacs lisp files
+ ##:if [ -x /usr/lib/emacsen-common/emacs-package-install ]; then
+ ##: /usr/lib/emacsen-common/emacs-package-install $package_name
+ ##:fi
+
+
+ # Activate menu-methods script
+ ##: chmod a+x /etc/menu-methods/${package_name}
+
+ # Update ld.so cache
+ ##: ldconfig
+
+ # Make our version of a program available
+ ##: update-alternatives \
+ ##: --install /usr/bin/program program /usr/bin/alternative 50 \
+ ##: --slave /usr/man/man1/program.1.gz program.1.gz \
+ ##: /usr/man/man1/alternative.1.gz
+
+ # Tell ucf that the file in /usr/share/foo is the latest
+ # maintainer version, and let it handle how to manage the real
+ # confuguration file in /etc. This is how a static configuration
+ # file can be handled:
+ ##:if which ucf >/dev/null 2>&1; then
+ ##: ucf /usr/share/${package_name}/configuration /etc/${package_name}.conf
+ ##:fi
+
+ ### We could also do this on the fly. The following is from Tore
+ ### Anderson:
+
+ #. /usr/share/debconf/confmodule
+
+ ### find out what the user answered.
+ # db_get foo/run_on_boot
+ # run_on_boot=$RET
+ # db_stop
+
+ ### safely create a temporary file to generate our suggested
+ ### configuration file.
+ # tempfile=`tempfile`
+ # cat << _eof > $tempfile
+ ### Configuration file for Foo.
+
+ ### this was answered by you, the user in a debconf dialogue
+ # RUNONBOOT=$run_on_boot
+
+ ### this was not, as it has a sane default value.
+ # COLOUROFSKY=blue
+
+ #_eof
+
+ ### Note that some versions of debconf do not release stdin, so
+ ### the following invocation of ucf may not work, since the stdin
+ ### is never coneected to ucfr.
+
+ ### now, invoke ucf, which will take care of the rest, and ask
+ ### the user if he wants to update his file, if it is modified.
+ #ucf $tempfile /etc/foo.conf
+
+ ### done! now we'll just clear up our cruft.
+ #rm -f $tempfile
+
+
+
+ # There are three sub-cases:
+ if test "${2+set}" != set; then
+ # We're being installed by an ancient dpkg which doesn't remember
+ # which version was most recently configured, or even whether
+ # there is a most recently configured version.
+ :
+
+ elif test -z "$2" || test "$2" = ""; then
+ # The package has not ever been configured on this system, or was
+ # purged since it was last configured.
+ :
+
+ else
+ # Version $2 is the most recently configured version of this
+ # package.
+ :
+
+ fi ;;
+ abort-upgrade)
+ # Back out of an attempt to upgrade this package FROM THIS VERSION
+ # to version $2. Undo the effects of "prerm upgrade $2".
+ :
+
+ ;;
+ abort-remove)
+ if test "$2" != in-favour; then
+ echo "$0: undocumented call to \`postinst $*'" 1>&2
+ exit 0
+ fi
+ # Back out of an attempt to remove this package, which was due to
+ # a conflict with package $3 (version $4). Undo the effects of
+ # "prerm remove in-favour $3 $4".
+ :
+
+ ;;
+ abort-deconfigure)
+ if test "$2" != in-favour || test "$5" != removing; then
+ echo "$0: undocumented call to \`postinst $*'" 1>&2
+ exit 0
+ fi
+ # Back out of an attempt to deconfigure this package, which was
+ # due to package $6 (version $7) which we depend on being removed
+ # to make way for package $3 (version $4). Undo the effects of
+ # "prerm deconfigure in-favour $3 $4 removing $6 $7".
+ :
+
+ ;;
+ *) echo "$0: didn't understand being called with \`$1'" 1>&2
+ exit 0;;
+esac
+
+exit 0
--- refpolicy-2.20110726.orig/debian/changelog
+++ refpolicy-2.20110726/debian/changelog
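Review bot: In the `if [ -z "$package_name" ]` guard near the top of doc.postinst, `print >&2 "Internal Error. Please report a bug."` invokes `print`, which is not a POSIX sh builtin, so under `set -e` that branch would die on a command-not-found instead of printing the message; it should read `echo >&2 "Internal Error. Please report a bug."`. The guard is also unreachable, since `package_name` is assigned a literal on the line above it. Most of the remaining body is commented-out template boilerplate (the `##:` stub-directory, menu, ld.so and ucf/debconf examples) that this package never uses and that could be deleted to leave only the `case "$1"` dispatch. The `*)` and the two undocumented-call branches exit 0 on unexpected arguments; a non-zero exit there would let dpkg surface a bad invocation rather than silently succeeding.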
@@ -0,0 +1,1399 @@ +refpolicy (2:2.20110726-1ubuntu1) precise; urgency=low + + * Merge from Debian testing. Remaining changes: + - debian/control: drop "selinux" conflict (Closes: #576598) + + -- Angel Abad Sat, 03 Dec 2011 15:16:52 +0100 + +refpolicy (2:2.20110726-1) unstable; urgency=low + + * New upstream policy + * Built for Wheezy, made it depend on all Wheezy versions. It won't work + on Squeeze and can't be easily backported. + * Label /dev/xconsole as xconsole_device_t + * Allow syslogd_t capability sys_nice and process:{ getsched setsched } + * Allow xconsole_device_t to be associated with device_t filesystems + * This version is a bit rough, you can boot unstable in enforcing mode and + login via ssh but I won't guarantee any more. + + -- Russell Coker Mon, 31 Oct 2011 21:54:20 +1100 + +refpolicy (2:0.2.20100524-13) unstable; urgency=low + + * Labeled awffull as webalizer_exec_t. + * Removed nx.pp from unstable as it doesn't build with latest utils. + + -- Russell Coker Thu, 15 Sep 2011 11:53:02 +1000 + +refpolicy (2:0.2.20100524-12ubuntu1) precise; urgency=low + + * Merge from debian testing. Remaining changes: + - debian/control: drop "selinux" conflict (Closes: #576598) + + -- Angel Abad Sun, 16 Oct 2011 16:06:08 +0200 + +refpolicy (2:0.2.20100524-12) unstable; urgency=low + + * Allow perdition to bind to sieve port, read /dev/urandom, and capabilities + chown and fowner. + * Allow nrpe_t to manage nagios_var_run_t files. + * Change the in_unconfined_r() interface so that postfix_postqueue_t can + read and write unconfined_t fifos. + * Allow quota_t to load kernel modules. + + -- Russell Coker Tue, 30 Aug 2011 23:10:50 +1000 + +refpolicy (2:0.2.20100524-11) unstable; urgency=low + + * Allow snmpd to setuid and setgid. + * Allow nagios services to connect to mysql servers via tcp and read /etc + files for mysql. + * Allow nagios_mail_plugin_t to read usr files. + * Allow postfix_postqueue_t to use a fd from nagios_mail_plugin_t. 
+ * Allow crond_t the sys_resource capability to set resource limits for + children. + * Allow user_t to manage httpd_user_content_t, also allow httpd_t + the same access to httpd_user_content_t sym-links as to files. + * Allow gpg_agent_t to create sock_files under ~/.gnupg + Allow gpg_pinentry_t to read var_lib_t files for fonts.conf + * Allow perdition to authenticate with mysql, read directories of type + perdition_etc_t, connect to the pop ports + * Allow nagios_checkdisk_plugin_t to getattr all mountpoint dirs, so it + can check the root directory of a filesystem. + + -- Russell Coker Fri, 19 Aug 2011 16:36:17 +1000 + +refpolicy (2:0.2.20100524-10ubuntu1) oneiric; urgency=low + + * Merge from debian unstable. Remaining changes: + - debian/control: drop "selinux" conflict (Debian bug 576598) + + -- Angel Abad Tue, 26 Jul 2011 00:31:22 +0200 + +refpolicy (2:0.2.20100524-10) unstable; urgency=low + + * Label gpgsm as gpg_exec_t + * Add policy for /run etc, thanks to Martin Orr for + working on this, even though we can't use subst now. + Closes: #629066, #628039, #626720 + + -- Russell Coker Sun, 24 Jul 2011 15:50:23 +1000 + +refpolicy (2:0.2.20100524-9ubuntu1) oneiric; urgency=low + + * Merge from debian unstable. Remaining changes: + - debian/control: drop "selinux" conflict (Debian bug 576598) + + -- Angel Abad Tue, 17 May 2011 14:44:24 +0200 + +refpolicy (2:0.2.20100524-9) unstable; urgency=low + + * Make gnome.pp not be autoloaded and revert some of the gnome stuff from the + previous version. Getting gnome (gconfd) policy to work correctly is too + hard for Squeeze. + * Allow user_t to talk to xdm_var_run_t sockets so switch user can work. + * Allow mailman_mail_t to read /dev/urandom and usr_t files + * Allow xenconsoled_t capability sys_tty_config and create unix_dgram_socket + * Allow iodine_t to read /proc/filesystems + * Allow jabber_t to write it's fifos, process set/getsched, connect to + generic tcp ports, and bind to udp ports. 
+ * Label /var/lib/sudo as pam_var_run_t + * Allow sshd_t to read gitosis files. + * Made the gitosis label apply to /srv/gitosis. + * Allow webalizer to read usr_t files for geoip database. + * Allow user_t and staff_t consolekit_dbus_chat() access so they can + determine their session status - necessary to login in KDE sometimes. + * Label ~/.gnupg/gpg.conf as user_home_t and allow user_t to list directories + of type gpg_secret_t so gpg-agent can start. + * Allow gpg_agent_t to launch a user session and send sigchld to xdm_t + * Allow user_ssh_agent_t to send sigchld to xdm_t and allow it to run the + gpg agent. + * Add new paths for chromium-browser to support the version in unstable, + needed for backports. + * Allow user_mail_t to transition to postfix_master_t for postalias, confined + by roles. Uses domain_system_change_exemption() for user_mail_t via + postfix_domtrans_master() which isn't ideal. + + -- Russell Coker Wed, 11 May 2011 11:58:46 +1000 + +refpolicy (2:0.2.20100524-8ubuntu1) oneiric; urgency=low + + * Merge from debian unstable. Remaining change: + - debian/control: drop "selinux" conflict (Debian bug 576598) + + -- Bhavani Shankar Sun, 01 May 2011 15:52:51 +0530 + +refpolicy (2:0.2.20100524-8) unstable; urgency=low + + * Add tunable user_manage_dos_files which defaults to true + * Correctly label /usr/lib/xulrunner-1.9.1/xulrunner-stub + * Allow mozilla to create directories under /tmp + * Use correct label for /usr/lib/libgconf2-4/gconfd-2 and load gnome.pp on + installation if libgconf2-4 is installed + * Use correct label for /usr/lib/upower/upowerd + * Dontaudit bind_t write attempts to / for lwresd calling access(".", W_OK) + * Allow user domains to execute mysqld_exec_t, for KDE + * Allow user_dbusd_t to execute gconfd_exec_t in user_gconfd_t. 
+ * Label /var/lib/fetchmail as fetchmail_uidl_cache_t and allow fetchmail_t to + search /var/lib and manage fetchmail_uidl_cache_t dirs + * Allow xm_t to read kernel image files, needed for DomU startup on boot + * Allow gpg_agent_t to read etc_t files and sysctl_crypto_t. + * Allow network manager to run wpa_cli_exec_t programs. + + -- Russell Coker Fri, 11 Mar 2011 14:28:58 +1100 + +refpolicy (2:0.2.20100524-7ubuntu1) natty; urgency=low + + * Merge from debian unstable. Remaining changes: + - debian/control: drop "selinux" conflict (Debian bug 576598) + + -- Angel Abad Thu, 13 Jan 2011 22:04:50 +0100 + +refpolicy (2:0.2.20100524-7) unstable; urgency=low + + * Allow crontab_t to create a directory of type crontab_tmp_t, necessary to + allow crontab -e to work + + -- Russell Coker Thu, 13 Jan 2011 21:32:24 +1100 + +refpolicy (2:0.2.20100524-6ubuntu1) natty; urgency=low + + * Merge from debian unstable. Remaining changes: + - debian/control: drop "selinux" conflict (Debian bug 576598) + + -- Angel Abad Thu, 13 Jan 2011 13:40:14 +0100 + +refpolicy (2:0.2.20100524-6) unstable; urgency=low + + * Allow mysqld_safe_t to send messages to syslogd + * Allow mysqld_t to run shell scripts (shell_exec_t and bin_t) + * Fixed a bug in the previous release that stopped MTAs from talking to + the dkim-milter, the .if file had the wrong type. + * Made it load ipsec.pp if ipsec-tools or racoon is installed + * Include policy for the iodine IP over DNS tunnel daemon + * Allow saslauthd_t to talk to mysqld via TCP + * Allow freshclam_t to read proc_t files + * Allow postfix_local_t to write to mail_spool_t files for locking + * Allow system_mail_t (sendmail) to get read/write access to crond_tmp_t + + -- Russell Coker Thu, 13 Jan 2011 12:41:00 +1100 + +refpolicy (2:0.2.20100524-5ubuntu1) natty; urgency=low + + * Merge from debian unstable. 
Remaining change: + - ebian/control: drop "selinux" conflict (Debian bug 576598) + + -- Bhavani Shankar Sun, 09 Jan 2011 19:02:47 +0530 + +refpolicy (2:0.2.20100524-5) unstable; urgency=low + + * Label /usr/bin/tcsh as shell_exec_t + * Domain trans from unconfined_t to depmod_t + * Don't include /usr/lib/dovecot/deliver in dovecot.fc/te as it's in lda.pp + * Don't include /usr/sbin/spamass-milter and /var/spool/postfix/spamass in + spamassassin.fc as they are in milter.fc + * Label /var/run/spamass as spamass_milter_data_t + * Allow lvm_t rw access to unconfined_t semaphores. + * Added in_unconfined_r() interface and made postfix user domains use it + so they can be in the role unconfined_r. Ugly but no better solution at + this time + Closes: #592038 #599053 + * Include Chromium policy in mozilla.pp + * Allow sshd getcap and setcap access + * Correctly label ~/.xsession-errors + * Allow spamc_t to be in system_r and allow it access to netlink_route_socket + * Allow lda_t to talk to the Courier Authdaemon - for courier maildrop + * Allow fetchmail_t to read usr_t for certificates and to create /tmp files + * Allow cron jobs to write to crond_tmp_t + * Label courier socket files as courier_var_run_t + * Run /usr/sbin/authdaemond as courier_authdaemon_t + * Allow dkim_milter_t to read proc_t files and create /tmp files + * Allow dovecot domains to search dovecot_etc_t dirs + * Allow dovecot_auth_t to talk to mysqld via TCP and read /etc/mysql/my.cnf + * Label /etc/network/run as etc_t + * Label X as spamass_milter_var_run_t + * Remove unconfined_exec_t label from /usr/bin/qemu + Closes: #601686 + * Label /usr/lib/apache2/mpm-*/apache2 as httpd_exec_t + Closes: #608291 + * Allow nagios.pp to be installed without apache.pp + Closes: #587596 + * Removed amavis.pp because it doesn't work and it's functionality is covered + by clamav.pp + Closes: #559860 + * Allow mono_t to be in role unconfined_r + Closes: #540143 + + -- Russell Coker Sat, 08 Jan 2011 14:13:43 +1100 + 
+refpolicy (2:0.2.20100524-4ubuntu1) natty; urgency=low + + * Merge from debian unstable. Remaining changes: + - debian/control: drop "selinux" conflict (Debian bug 576598) + + -- Bhavani Shankar Sun, 17 Oct 2010 19:29:51 +0530 + +refpolicy (2:0.2.20100524-4) unstable; urgency=low + + * Label /dev/vd* as fixed_disk_device_t, closes: #589997 + * Remove mcskillall and mcsptraceall from unconfined_t, the sysadmin should + have unconfined_t:SystemLow-SystemHigh. + + -- Russell Coker Mon, 26 Jul 2010 11:18:00 +1000 + +refpolicy (2:0.2.20100524-3) unstable; urgency=low + + * Give freshclam_t and clamd_t the same access WRT execmem. + * Install lvm.pp when dmsetup is installed. + * Add label for /usr/lib/udisks/udisks-daemon . + * Made devicekit.pp and ricci.pp not depend on consoletype.pp and don't + build consoletype. + * label /usr/lib/udisks/.* as bin_t + * label /etc/kde4 the same way as /etc/kde3. + * Escape the . in /etc/init.d/mount... + * Allow insmod_t the capability sys_admin. + * Label all of /etc/network/run/* as etc_runtime_t and allow udev_t to manage + such files. + * Label /etc/network/if-(up|down).d/postfix as initrc_exec_t so that udev + can reload Postfix and push the queue. + * Label /usr/lib/ConsoleKit(/.*)? as bin_t to avoid an error message on + graphical login. + * On initial install load module policykit.pp when policykit-1 is installed. + * label /lib/init/rw(/.*)? as var_run_t. + * label /var/run/xauth as xdm_var_run_t. + * label /var/run/motd as initrc_var_run_t. + + -- Russell Coker Sat, 25 Jul 2010 09:39:00 +1000 + +refpolicy (2:0.2.20100524-2ubuntu1) maverick; urgency=low + + * Merge from debian unstable (LP: #607149). Remaining changes: + - debian/control: drop "selinux" conflict (Debian bug 576598). + + -- Angel Abad Fri, 09 Jul 2010 06:30:26 +0100 + +refpolicy (2:0.2.20100524-2) unstable; urgency=low + + * Include tmpreaper in base policy as mountnfs-bootclean.sh and + mountall-bootclean.sh need to run as tmpreaper_t. 
+ * Added a new mcsdeleteall attribute for tmpreaper_t so that it can + delete files and directories regardless of mcs level. + * Allow perdition netlink_route_socket access. + * Allow nrpe_t to execute sudo and search /var/spool + also don't audit capability sys_resource. + * Allow postfix_local_t to run sendmail for programs like vacation + * Make the milter module be loaded if the milter-greylist or spamass-milter + package is installed. Make spamassassin policy optional when using the + milter module. + * Added a bunch of fixes from git mostly trivial stuff but also allowed + bootloader_t to load modules, allowed kismet_t to search home directories, + * Don't allow cron daemon to search /var/lib/logrotate. + * Fixed a typo in gitosis.if + * Commented out the genfscon line in selinux.if for the includes directory, + now sepolgen-ifgen works without error. + + -- Russell Coker Fri, 9 Jul 2010 09:47:00 +1000 + +refpolicy (2:0.2.20100524-1ubuntu1) maverick; urgency=low + + * Merge from debian unstable. Remaining changes: LP: #602199 + - debian/control: drop "selinux" conflict (Debian bug 576598). + + -- Bhavani Shankar Tue, 06 Jul 2010 14:26:53 +0530 + +refpolicy (2:0.2.20100524-1) unstable; urgency=low + + * New Upstream release. This version has had a good deal of testing for + server use but almost no testing for desktop use. The usual "Unstable" + disclaimers apply. + + * Disable UBAC - see http://etbe.coker.com.au/2010/05/26/ubac-selinux-debian/ + * Allow mount_t to read sysfs_t. + * Allow lvm_t to create semaphores. + * Allow mount_t and setfiles_t to read/write device_t chr_file. + * Allow udev to read sym-links in it's config directory. + * Allow vbetool_t to read inotify directories. + * Allow gpm_t self signull and signal access. 
+ + -- Russell Coker Tue, 29 Jun 2010 10:42:00 +1000 + +refpolicy (2:0.2.20091117-3) unstable; urgency=low + + * label Google Chrome as unconfined_execmem_exec_t + * Change the apache_content_template() macro to not define the type + httpd_$1_script_exec_t, now the caller must unconditionally define it and + can therefore use it in it's .fc file without making a .fc dependency. + * Allow setrans_t to read proc_t files. + * Allow pppd to load modules. + * Allow watchdog_t to read/write /dev/watchdog + * Allow rpcd_t getcap and setcap access. + * Allow insmod_t to mount a rpc_pipefs_t filesystem. + * Correctly label kdm.log.* pm-*log* aptitude* + * Allow consolekit_t to access pam console data. + * Correctly label consolekit scripts + * Allow mount_t to set the scheduling for kernel threads. + + -- Russell Coker Tue, 18 May 2010 19:06:24 +1000 + +refpolicy (2:0.2.20091117-2ubuntu1) maverick; urgency=low + + * Merge from debian unstable. Remaining changes: + - debian/control: drop "selinux" conflict (Debian bug 576598). + + -- Kees Cook Thu, 24 Jun 2010 14:26:07 -0700 + +refpolicy (2:0.2.20091117-2) unstable; urgency=low + + * Label /etc/gdm/Xsession, /etc/gdm/PostSession/* and /etc/gdm/PreSession/* + as xsession_exec_t. + * Label /usr/lib/dbus-1.0/dbus-daemon-launch-helper as dbusd_exec_t. + * Allow syslogd_t to read/write access to xconsole_device_t. + * Allow system_dbusd_t list access to inotifyfs. + * Allow udev to manage symlinks under /dev + * Treat devtmpfs the same way as tmpfs. + * Changed upstream to http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease + * Allow iptables_t, insmod_t and mount_t to do module_request + * Use lib32 instead of lib64 + Closes: #569297 + * Make manage_lnk_file_perms allow write access for setting the timestamp. + * Use filesystem transitions for hugetlbfs_t. + * Label xenfs_t and allow xend etc to use it. 
+ * Use lda_t for mail local delivery + * Allow udev to manage xenfs_t files, to write to etc_runtime_t (for ifstate), + and to load modules. + * Allow ifconfig to load modules. + * Made auth_domtrans_chk_passwd() specify dontaudit for shadow_t file open. + + -- Russell Coker Mon, 22 Feb 2010 07:58:07 +1100 + +refpolicy (2:0.2.20091117-1ubuntu1) lucid; urgency=low + + * debian/control: drop "selinux" conflict for sane installation + in Ubuntu (Debian bug 576598). + + -- Kees Cook Mon, 05 Apr 2010 13:03:23 -0700 + +refpolicy (2:0.2.20091117-1) unstable; urgency=low + + * New upstream release. + + -- Manoj Srivastava Thu, 19 Nov 2009 23:08:14 -0600 + +refpolicy (2:0.2.20091013-1) unstable; urgency=low + + * New upstream VCS snapshot + * Added modules: hddtemp, shorewall, kdump, gnomeclock, nslcd, rtkit, + seunshare (Dan Walsh); dkim (Stefan Schulze Frielinghaus); gitosis + (Miroslav Grepl); xscreensaver (Corentin Labbe) + * [dd26539]: [topic--urand-fix]: Fix issues related to + /dev/{urandom,console} + + Allow: load_policy_t, audisp_t, auditd_t, restorecond_t, portmap_t, + hwclock_t, auditctl_t, hostname_t, portmap_helper_t, ndc_t, mount_t, + dmidecode_t, getty_t, and setfiles_t to read /dev/urandom + + Allow: portmap_helper_t, insmod_t, ifconfig_t, setfiles_t and + portmap_t to read /dev/console + + Allow udev_t to access anon_inodefs_t + These changes take care of most of the problems encountered in recent + reference policy packages in Debian. Thanks to Russell Coker for the + fixes. + + -- Manoj Srivastava Tue, 13 Oct 2009 15:29:54 -0500 + +refpolicy (2:0.2.20090828-1) unstable; urgency=low + + * New upstream snapshot. + - Deprecated the userdom_xwindwos_client_template(). + * Modified the list of modules we build (added consolekit, and added a + dependency on consolekit to the devicekit policymodule. Turned off + ddcprobe, since it needs kudzu. + * Bug fix: "linking policy fails", thanks to Jonathan Nieder + (Closes: #544079). 
+ * Bug fix: "linking policy fails (with a statement to file a bug)", + thanks to Philipp Kern (Closes: #543148). + * Bug fix: "module cvs appears to depend on module apache", thanks to + Russell Coker (Closes: #539855). + * Bug fix: "SELinux prevented console-kit-dae from using the terminal + /dev/tty0", thanks to Ritesh Raj Sarraf. We now have: + policy/modules/services/consolekit.te:term_use_all_terms(consolekit_t) + This should allow access to all terms and ttys. (Closes: #515167). + * Bug fix: "SELinux is preventing pulseaudio from loading + /usr/lib/libFLAC.so.8.2.0 which requires text relocation", thanks to + Ritesh Raj Sarraf. /usr/lib/libFLAC\.so.* now has the context + system_u:object_r:textrel_shlib_t, so this should now work. + (Closes: #515166). + * [1ba2425]: nscd cache location changed from /var/db/nscd to + /var/cache/nscd. The nscd policy module uses the old + nscd cache location. The cache location changed with glibc 2.7-1, + and the current nscd does place the files in /var/cache/nscd/. + Bug fix: "nscd cache location changed from /var/db/nscd to + /var/cache/nscd", thanks to Sami Haahtinen (Closes: #506779). + + -- Manoj Srivastava Fri, 28 Aug 2009 15:10:50 -0500 + +refpolicy (2:0.2.20090818-1) unstable; urgency=low + + * New upstream snapshot, with a number of improvements. + - Misc Gentoo fixes from Corentin Labbe. + - Debian policykit fixes from Martin Orr. + - Fix unconfined_r use of unconfined_java_t. + - Add missing x_device rules for XI2 functions, from Eamon Walsh. + - Add missing rules to make unconfined_cronjob_t a valid cron job domain. + - Add btrfs and ext4 to labeling targets. + - Fix infrastructure to expand macros in initrc_context when installing. + - Handle unix_chkpwd usage by useradd and groupadd. + - Add missing compatibility aliases for xdm_xserver*_t types. 
+ + -- Manoj Srivastava Wed, 26 Aug 2009 16:31:37 -0500 + +refpolicy (2:0.2.20090730-2.1) unstable; urgency=low + + * Build policykit policy and default to loading it when the policykit + package is installed. + * Default to loading the consolekit module when the consolekit package is + installed. + + -- Russell Coker Wed, 26 Aug 2009 18:55:23 +1000 + +refpolicy (2:0.2.20090730-2) unstable; urgency=low + + * Bug fix: "selinux policy violation "Unknown" fo rs2ram + (hald_t)", thanks to Ritesh Raj Sarraf. This has been fixed for a + while, but I only just tested it. (Closes: #515566). + * Re-enable building in parallel. The current statge should be + friendlier to jobserver mode, disabling which causewd all the issues + with the previous state. + + -- Manoj Srivastava Sat, 22 Aug 2009 19:47:20 -0500 + +refpolicy (2:0.2.20090730-1) unstable; urgency=low + + * New upstream release. + * Updated the location of dovecot's configuration files. + * Bug fix: "dovecot's etc files are in unexpected location", thanks + to Frank Engler (Closes: #517712). + * Fixed rules to note that parallel=N fails. + * Bug fix: "FTBFS: tmp/rolemap.conf":2194:ERROR 'syntax + error' at token 'genfscon' on line 704548:", thanks to + Lucas Nussbaum (Closes: #536899). + * Bug fix: "dpkg-buildpackage -j2 fails on AMD64", thanks to Russell + Coker (Closes: #538789). + + -- Manoj Srivastava Sun, 09 Aug 2009 15:03:37 -0500 + +refpolicy (2:0.0.20090629-1) unstable; urgency=low + + * New upstream snapshot. + * [82f63f3]: Removed the lda policy package. There were a number of + reasons for doing so: this package was created in order to deal with + local mail delivery in Debian, and has not been adopted upstream. I + would like to remove the divergence from upstream policy, and not + maintian it. so that was incentive. Also, upstream policy for + mail-related packages has been improved in the meanwhile, and the lda + package was conflicting with some of the changes, so that was added + reason for it to go. 
+ + -- Manoj Srivastava Mon, 29 Jun 2009 02:14:30 -0500 + +refpolicy (2:0.0.20090621-1) unstable; urgency=low + + * New upstream snapshot. + - Greylist milter from Paul Howarth. + - Crack db access for su to handle password expiration, from Brandon Whalen. + - Misc fixes for unix_update from Brandon Whalen. + - Add x_device permissions for XI2 functions, from Eamon Walsh. + - MLS constraints for the x_selection class, from Eamon Walsh. + - Postgresql updates from KaiGai Kohei. + - Milter state directory patch from Paul Howarth. + - Add MLS constrains for ingress/egress and secmark from Paul Moore. + - Drop write permission from fs_read_rpc_sockets(). + - Remove unused udev_runtime_t type. + - Patch for RadSec port from Glen Turner. + - Enable network_peer_controls policy capability from Paul Moore. + - Btrfs xattr support from Paul Moore. + - Add db_procedure install permission from KaiGai Kohei. + - Add support for network interfaces with access controlled by a Boolean + from the CLIP project. + - Several fixes from the CLIP project. + - Add support for labeled Booleans. + - Remove node definitions and change node usage to generic nodes. + - Add kernel_service access vectors, from Stephen Smalley. + - Added modules: + certmaster (Dan Walsh) + git (Dan Walsh) + gpsd (Miroslav Grepl) + guest (Dan Walsh) + ifplugd (Dan Walsh) + lircd (Miroslav Grepl) + logadm (Dan Walsh) + pingd (Dan Walsh) + psad (Dan Walsh) + portreserve (Dan Walsh) + ulogd (Dan Walsh) + webadm (Dan Walsh) + xguest (Dan Walsh) + zosremote (Dan Walsh) + + - Fix consistency of audioentropy and iscsi module naming. + - Debian file context fix for xen from Russell Coker. + - Xserver MLS fix from Eamon Walsh. + - Add omapi port for dhcpcd. + - Deprecate per-role templates and rolemap support. + - Implement user-based access control for use as role separations. + - Move shared library calls from individual modules to the domain module. + - Enable open permission checks policy capability. 
+ - Remove hierarchy from portage module as it is not a good example of
+ hieararchy.
+ - Remove enableaudit target from modular build as semodule -DB supplants it.
+ - Added modules:
+ milter (Paul Howarth)
+ * Sync'd with Russell Coker
+
+ -- Manoj Srivastava Mon, 22 Jun 2009 02:42:42 -0500
+
+refpolicy (2:0.0.20081014-1) unstable; urgency=low
+
+ * New upstream release
+ - Fix httpd_enable_homedirs to actually provide the access it is
+ supposed to provide.
+ - Add unused interface/template parameter metadata in XML.
+ - Patch to handle postfix data_directory from Vaclav Ovsik.
+ - SE-Postgresql policy from KaiGai Kohei.
+ - Patch for X.org dbus support from Martin Orr.
+ - Patch for labeled networking controls in 2.6.25 from Paul Moore.
+ - Module loading now requires setsched on kernel threads.
+ - Patch to allow gpg agent --write-env-file option from Vaclav Ovsik.
+ - X application data class from Eamon Walsh and Ted Toth.
+ - Move user roles into individual modules.
+ - Make hald_log_t a log file.
+ - Cryptsetup runs shell scripts. Patch from Martin Orr.
+ - Add file for enabling policy capabilities.
+ - Patch to fix leaky interface/template call depth calculator from
+ Vaclav Ovsik.
+ - Added modules:
+ kerneloops (Dan Walsh)
+ kismet (Dan Walsh)
+ podsleuth (Dan Walsh)
+ prelude (Dan Walsh)
+ qemu (Dan Walsh)
+ virt (Dan Walsh)
+ * Updated the link to the shared copyright file.
+
+ -- Manoj Srivastava Sat, 14 Feb 2009 15:42:48 -0600
+
+refpolicy (2:0.0.20080702-16) unstable; urgency=low
+
+ * Allow system_dbusd_t to read /proc/X/cmdline so it knows the client name
+ * Label /usr/lib/gnome-vfs-2.0/gnome-vfs-daemon as bin_t
+ * Allow $1_gpg_t to read inotifyfs_t directories
+ * Allow user_t signull access to xdm_t for gdmflexiserver
+ * Fix the path for deliver in lda.fc
+ * Load lda.pp when dovecot-common is installed and dovecot.pp when other
+ dovecot packages are installed.
Allow lda_t to use dovecot auth socket
+ * Allow dovecot_auth_t to create sockets labeled as dovecot_var_run_t,
+ also allow chown capability to apply correct ownership
+ * Label /usr/sbin/nrpe and allow it to search nagios_etc_t:dir, read etc_t
+ files, do setgid() and setuid(), create a pidfile, bind to port 5666, stat
+ filesystems, get a list of processes, and check mysql and postgresql
+ databases.
+ * Make mail_spool_t a filesystem_type.
+ * Allow snmpd_t capabilities setuid and chown
+ * Allow xdm_xserver_t to send dbus messages to unconfined_t
+ * Allow postfix_cleanup_t shutdown access to a postfix_smtpd_t
+ unix_stream_socket
+ * Allow clamd_t access to inherit it's own fds.
+ * Enable the watchdog policy in the build.
+ * Grant capability ipc_lock to dpkg_t
+
+ -- Russell Coker Wed, 13 May 2009 09:13:38 +1000
+
+refpolicy (2:0.0.20080702-15) unstable; urgency=low
+
+ * Gave every domain that has process:setcap access also have process:getcap.
+ * Set the type of /etc/network/run/ifstate to etc_runtime_t and allow
+ udev_t to write to it.
+ * allow apt_t to manage directories of type apt_var_log_t
+ * allow initrc_t postfix_etc_t:file ioctl;
+ * allow postfix_showq_t to be used from user roles.
+ * allow postfix_virtual_t to connect to postfix_private_t sockets
+ * allow postfix_pipe_t to execute bin_t
+ * allow initrc_t udev_tbl_t:file unlink and device_t:dir rmdir
+ * allow the Courier POP server fill rw_file_perms access to courier_var_lib_t.
+ * allow jabberd_t to connect to jabber_interserver_port_t.
+ * allow fcrond to do all the funky things it desires.
+ * allow cupsd_t to read/write generic USB devices.
+ * allow webalizer to read /usr files (for GeoIP).
+ * Enable dovecot_t for daemon_access_unconfined_home
+ * dontaudit logrotate stating terminal devices.
+ * allow dpkg_t to set rlimit
+ * Label /var/lib/squirrelmail/data(/.*)? as httpd_squirrelmail_t.
+ * allow apmd_t to talk to hald_t via dbus.
+ * allow dovecot to connect to Mysql and PostgreSQL
+ * label most /usr/lib/dovecot/* files as bin_t
+ * Added new "lda" module for email local delivery agents such as maildrop
+ and procmail and don't build procmail.pp any more.
+ * Label /var/run/xauth/* as xdm_var_run_t.
+ * Label /var/run/openvpn.client* as openvpn_var_run_t.
+ * Make /var/log/?dm.log.* files get the type xserver_log_t
+ * Make /var/log/aptitude* files get the type apt_var_log_t
+ * Make /var/run/gdm_socket get the type xdm_var_run_t
+ * Labelled the entrypoint scripts under /etc/gdm as xsession_exec_t
+ * Fixed Debian labelling for atspool
+ * allow openvpn_t to access var_lib_t and usr_t files for vulnkey.
+ * allow user domains to access the xdm socket of type xdm_var_run_t for
+ switch user.
+ * allow unconfined_t to transition to system_dbusd_t.
+ Closes: #498965
+
+ -- Russell Coker Wed, 04 Mar 2009 23:10:14 +1100
+
+refpolicy (2:0.0.20080702-14.1) unstable; urgency=low
+
+ * Fix FTBS problems when building in parallel, by moving to the new,
+ make -j friendly targets in debian/rules. These rules have been tested
+ in several packages, and have been tested often with
+ "fakeroot make -j4 -f ./debian/rules binary".
+ * Updated the VCS-* variables in control to point to the git repo.
+
+ -- Manoj Srivastava Wed, 07 Jan 2009 11:58:44 -0600
+
+refpolicy (2:0.0.20080702-14) unstable; urgency=high
+
+ * Allow noatsecure for Xen domains so that LD_PRELOAD will work across
+ a domain transition. Also dontaudit searching of the sysadm home dir
+ and allow xend_t to manage xenstored_var_run_t.
+ Allow losetup (fsadm_t) and udev access to Xen image files
+ * Add support for Exim.
+ * Add support for Jabber, including adding the epmd_t domain for the Erlang
+ Port Mapper Daemon (used by ejabberd). Label port 5280 as being for Jabber
+ (the ejabberd web administration service) and port 7777 (SOCKS5
+ Bytestreams (XEP-0065) for proxy file transfer).
+ * Allow cron to search httpd_sys_content_t
+ * Dontaudit logrotate search access to unconfined_home_dir_t.
+ * Fixed labelling of /var/lock/mailman
+ * Allow courier_pop_t to read /dev/urandom and to do ioctl on it's fifos.
+ Also allow it to talk to portmap so the IMAP server can do FAM.
+
+ -- Russell Coker Mon, 27 Oct 2008 23:01:33 +1100
+
+refpolicy (2:0.0.20080702-13) unstable; urgency=high
+
+ * Allow spamd_t to create a Unix domain socket.
+ * Allow clamd_t to read files under /usr (for Perl).
+ Allow it to connect to amavisd_send_port_t.
+ Allow it to talk to itself by unix stream sockets and bind to UDP nodes.
+ Closes: #502274
+ * Allow logrotate_t to transition to webalizer_t for web log processing.
+ * Allow initrc_t to create fixed_disk_device_t nodes under var_run_t,
+ for the case where /etc/fstab has an error regarding the root fs.
+ * Use the Lenny paths for xm, xend, xenstored, and xenconsoled.
+ Add some extra permissions that Xen needs.
+
+ -- Russell Coker Tue, 21 Oct 2008 00:36:00 +1100
+
+refpolicy (2:0.0.20080702-12) unstable; urgency=low
+
+ * Allow procmail to deliver mail to the unconfined home directories if
+ daemon_access_unconfined_home is set.
+ * Add the audioentropy module for use with the randomsound package.
+ * Allow spamd_t the kill capability.
+ * Make the default range for MCS __default__ users be s0-s0:c0.c1023,
+ this fixes a problem with restarting daemons after logging in as non-root
+ and running "su -".
+
+ -- Russell Coker Tue, 07 Oct 2008 13:17:01 +1100
+
+refpolicy (2:0.0.20080702-11) unstable; urgency=high
+
+ * Create new interface crond_search_dir() and use it to allow crond_t to
+ search clamd_var_lib_t for amavis cron jobs.
+ * Allow postfix_cleanup_t to talk to dkim for signing local messages.
+ * Allow freshclam_t to read the routing table and talk to http_cache_port_t.
+ * Allow clamd_t to search bin_t and read bin_t links.
+ * Allow clamd_t to search postfix_spool_t for creation of Unix domain socket
+ in the sub-directory, this is ugly and a little bit wrong but makes it
+ easier to configure Postfix.
+ * Allow semanage_t (for setsebool and semodule) to call statfs().
+ * Add Asterisk policy module, and grant setcap access.
+ * Copy the Fedora 10 cron changes to reduce the policy size.
+ Allow user_t to send sigchld to user_crontab_t and to write to
+ user_crontab_tmp_t files. Necessary for full functionality!
+
+ -- Russell Coker Sat, 27 Sep 2008 18:52:00 +1000
+
+refpolicy (2:0.0.20080702-10) unstable; urgency=low
+
+ * Allow mailserver local delivery agent to manage_file_perm access to
+ mail_spool_t
+ Closes: #499218
+ * Build a module for xen, and make lvm support optional in it.
+ * Make the postinst link the xen, lvm, and pcmcia modules if appropriate.
+ * Added the clamav module to the policy.
+ * Wrote a new DKIM module.
+ * Allowed crontab to create directories under /tmp.
+ * Made unconfined_crond_t an alias for unconfined_t and made unconfined cron
+ jobs work.
+ * Built the NAGIOS module and include the suggested change from #493979.
+ NB I won't have time to do any testing of this so someone else will need
+ to deploy it on a fully functional NAGIOS system.
+ Closes: #493979
+
+ -- Russell Coker Fri, 19 Sep 2008 22:25:00 +1000
+
+refpolicy (2:0.0.20080702-9) unstable; urgency=low
+
+ * Allow the Postfix newaliases to create new /etc/aliases.db file so that
+ the postinst for Postfix can work.
+ * The last update broke unconfined_mail_t for systems not running postfix,
+ fixing that (thanks Martin Orr).
+ Closes: #499064
+ * Fix a check for syslogd being executable by logrotate (thanks Václav Ovsk).
+ Closes: #496809
+
+ -- Russell Coker Tue, 16 Sep 2008 20:42:00 +1000
+
+refpolicy (2:0.0.20080702-8) unstable; urgency=low
+
+ * Made the postinst faster on machines with small amounts of memory. 5%
+ improvement on AMD64 with 64M of RAM.
Not sure how much benefit it might
+ give for a NSLUG.
+ * Allowed dictd to create pid file.
+ * Allowed mcstransd to getcap.
+ * Revert part of the change from 2:0.0.20080702-7, we don't want /etc/init.d
+ scripts running as run_init_t.
+ Closes: #498965
+ * Makes Postfix work correctly.
+ Closes: #473043
+ * Allow $1_mail_t to read proc_t:file (for Postfix).
+
+ -- Russell Coker Fri, 12 Sep 2008 10:51:01 +1000
+
+refpolicy (2:0.0.20080702-7) unstable; urgency=low
+
+ * Polish updates, added labelling for /lib/udev/create_static_nodes,
+ /var/log/prelink.log, and corrected labelling for /var/run/kdm
+ * Made Postfix work with unconfined_t.
+ * Made spamass-milter run in the spamd_t domain, and allow postfix_smtpd_t
+ to talk to it.
+ * Labelled /var/cache/sqwebmail and allowed courier_sqwebmail_t to access it.
+ Also allowed courier_sqwebmail_t to access /dev/urandom.
+ * Allowed courier-pop and apache to access unconfined home directories.
+ * Changed the policy for /var/cache/ldconfig to match upstream.
+ * Allowed unconfined_t to run run_init.
+
+ -- Russell Coker Wed, 10 Sep 2008 11:10:00 +1000
+
+refpolicy (2:0.0.20080702-6) unstable; urgency=low
+
+ * Made it build-depend on policycoreutils 2.0.49 and checkpolicy 2.0.16.
+ Closes: #494234
+ * Made xserver.pp be loaded whenevedr xbase-clients is installed so that
+ /tmp/.ICE-unix gets the right context.
+ * Policy updates, allowed rsyslogd to work correctly
+ Allow gpg to read/write user files under /tmp
+ Set the context of /var/run/portmap_mapping and /var/cache/ldconfig
+ Allow users to read symlinks under /var/lib (for python)
+ Make udev_t transition when running initrc_exec_t.
+ Changed the type of /var/init/rw to var_run_t
+ Changed r_dir_perms to list_dir_perms and r_file_perms to read_file_perms
+ to avoid warnings.
+ Changed read_file_perms to read_lnk_file_perms for lnk_file class.
+ Set the contexts for /var/run/hotkey-setup, /var/run/motd, /var/run/kdm/*,
+ and /var/lib/gdm/*
+ Dontaudit logrotate_t trying to write initrc_var_run_t.
+
+ -- Russell Coker Wed, 13 Aug 2008 08:20:08 +1000
+
+refpolicy (2:0.0.20080702-5) unstable; urgency=low
+
+ * Allow unconfined_r to transition to system_r.
+
+ -- Russell Coker Tue, 29 Jul 2008 18:02:33 +1000
+
+refpolicy (2:0.0.20080702-4) unstable; urgency=low
+
+ * Policy updates.
+ * Depend on libsepol1 version 2.0.30-2.
+
+ -- Russell Coker Tue, 29 Jul 2008 15:16:46 +1000
+
+refpolicy (2:0.0.20080702-3) unstable; urgency=low
+
+ * More policy fixes.
+ * Made it build-depend and depend on libsepol1 (>=2.0.30-2)
+ Closes: #492318
+ * Made it automatically change the SELINUXTYPE if the old value is obsolete
+ and the policy was linked successfully.
+
+ -- Russell Coker Sat, 26 Jul 2008 10:01:00 +1000
+
+refpolicy (2:0.0.20080702-2) unstable; urgency=low
+
+ * Made the mls package extra and made some other packages optional.
+ Closes: #490760
+ * Merged some patches from older policy packages.
+
+ -- Russell Coker Sun, 20 Jul 2008 16:48:19 +1000
+
+refpolicy (2:0.0.20080702-1) unstable; urgency=low
+
+ * Update to latest upstream and take over the package as Manoj seems busy
+ on other things.
+ * Change the policy package names to selinux-policy-default and
+ selinux-policy-mls. Made selinux-policy-default do strict and targeted
+ (targeted by default).
+ * Optimise module loading to halve postinst time.
+ * Depend on the latest policycoreutils (which sets the right default in
+ /etc/selinux/config).
+
+ -- Russell Coker Sun, 13 Jul 2008 12:49:00 +1000
+
+refpolicy (0.0.20080314-1) unstable; urgency=low
+
+ * New upstream SVN HEAD
+ - Add wireshark module based on ethereal module.
+ - Revise upstart support in init module to use a tunable, as upstart is now
+ used in Fedora too.
+ - Add iferror.m4 rather generate it out of the Makefiles.
+ - Definitions for open permisson on file and similar objects from Eric
+ Paris.
+ - Apt updates for ptys and logs, from Martin Orr.
+ - RPC update from Vaclav Ovsik.
+ - Exim updates on Debian from Devin Carrawy.
+ - Pam and samba updates from Stefan Schulze Frielinghaus.
+ - Backup update on Debian from Vaclav Ovsik.
+ - Cracklib update on Debian from Vaclav Ovsik.
+ - Label /proc/kallsyms with system_map_t.
+ - 64-bit capabilities from Stephen Smalley.
+ - Labeled networking peer object class updates.
+ * refpolicy includes an Exim policy, but did not install it on a fresh
+ refpolicy installation, because the module package is exim.pp, while
+ Debian calls its exim package 'exim4'. Thanks to Devin Carraway for
+ the heavy lifting. Closes: #465208
+ * Bug fix: "selinux-policy-refpolicy-dev: Installed build.conf specifies
+ MCS build type", thanks to Devin Carraway. Closes: #465215
+ * Bug fix: "newer policycoreutils required", thanks to Max Kellermann
+ Closes: #469123
+ * The latest set of packages also seem to resolve the consolekit
+ issues. Bug fix: "consolekit gives error messages when running with SELinux
+ enabled", thanks to Ritesh Raj Sarraf. Closes: #463995
+ * Bug fix: "selinux-policy-refpolicy-targeted: descriptions seems to
+ misplace '.' to split paragraphs (debian/control)", thanks to
+ Felipe Augusto van de Wiel (faw). Closes: #466638,#466978
+
+ -- Manoj Srivastava Wed, 19 Mar 2008 18:27:23 -0500
+
+refpolicy (0.0.20071214-1) unstable; urgency=low
+
+ * New upstream release. This has updated policy for ssh, which
+ Closes: #433972
+ * The new policy also permits postfix to read files on anon_inodefs file
+ systems, which then Closes: #435497
+ * Allow use of wildcards when trying to map package names to policy
+ modules. Thanks to Vaclav Ovsik for the heavy lifting. Closes: #427906
+ * Debian puts hpssd.py in /usr/lib -- not /usr/share. Thanks to Frodo
+ Looijaard. Closes: #443177
+ * Alsa needs changes in file context as well.
Thanks to Martin Orr
+ for pointing this out. Closes: #428464
+ * Allow apache to read munin files. Thanks to Vesa-Pekka Palmu for
+ pointing this out. Closes: #433886
+ * Fix targeted policies priority in control file. Thanks to Stas
+ Myasnikov for pointing this out. Closes: #447253
+ * Several files in /usr/lib/cups/backend are hard links to files in
+ /usr/lib/cups/backend-available. In the cups.fc, only the files in
+ backend are tagged with the cupsd_exec_t, so the files in
+ backend-available are tagged with lib_t. This results in somewhat
+ undefined behaviour: depending on the order of directory traversal the
+ files are tagged with either lib_t or cupsd_exec_t. Thanks to Frodo
+ Looijaard. Closes: #442898
+ * selinux-policy-refpolicy-dev now also depends on make and m4, since
+ those are required to actually build policy. Thanks to Erik
+ Johansson. Closes: #449203
+ * Similarly, the source package recommends make and gcc, since those
+ are needed to build policy. Closes: #436211
+ * The bug mentioned in 437139 does not exist in the new policy. A
+ versioned close will allow the bug to remain open for Etch.
+ Closes: #437139
+ * The duplicate declaration of system_chkpwd_t does not appear to be in
+ the sources, based in a find/grep. Closes: #463818
+ * There was a spurious + sign in policy/modules/kernel/devices.if.
+ Thanks to Frans Pop for pointing this out. Closes: #438887
+
+ -- Manoj Srivastava Sat, 09 Feb 2008 20:28:43 -0600
+
+refpolicy (0.0.20070507-5) unstable; urgency=low
+
+ * Allow users to read the dpkg database. With this change, every user
+ of the strict policy now has access to dpkg-checkbuildeps, grep-dctrl,
+ etc, which was not the case previously.
+ * Change the example localStrict.te policy file to silently ignore apt
+ searching for something in /var/lib. With this example policy loaded
+ in my strict policy UML virtual machine, I can compile packages in
+ enforcing mode.
Based on advice on the mailing list, allow more things
+ to access /selinux
+ * Merge in changes from Russell Coker. These include a better fix for
+ /lib.init/rw.
+
+ -- Manoj Srivastava Fri, 18 May 2007 00:34:07 -0500
+
+refpolicy (0.0.20070507-4) unstable; urgency=low
+
+ * Allow apt to run update by giving r_netlink_socket_perms to
+ self:netlink_route_socket.
+ * Allow apt/aptitude to update, and install files
+ - Added an interface to apt.if allow silently ignoring processes that
+ attempt to use file descriptors from apt.
+ - Bump the apt policy module version number, since we have added to
+ the interface.
+ - Added some stuff to dpkg.te to allow debconf .config file
+ interactions back to the user
+ - Add an optional dontaudit rule to libraries.te to allow
+ apt-get/aptitude to install packages silently.
+ * Very early in boot, /lib/init/rw is created as a mandatory tmpfs for
+ state information. Label that directory as initrc_tmp_t to allow
+ mount.te to be permitted to mount a tmpfs there.
+ * In init.te, allow /etc/network/if-up.d/mountnfs to create
+ /var/run/network/mountnfs as a poor mans lock.
+
+ -- Manoj Srivastava Fri, 11 May 2007 00:55:07 -0500
+
+refpolicy (0.0.20070507-3) unstable; urgency=low
+
+ * Add hostfs as a recognized remote file-system. This should allow a
+ UML virtual machine to function in a fully enforcing mode.
+
+ -- Manoj Srivastava Wed, 9 May 2007 15:48:26 -0500
+
+refpolicy (0.0.20070507-2) unstable; urgency=medium
+
+ * Keep track of modules that are really built into the base policy in
+ Debian. We then use this list to remove the modules .pp files from
+ the policy shipped, since they can not be installed along with the
+ base policy anyway. Make sure we don't add such modules hen
+ considering module dependencies either.
+ * Added Module ricci to modules.conf for both strict and targeted.
+
+ -- Manoj Srivastava Mon, 7 May 2007 09:07:36 -0500
+
+refpolicy (0.0.20070507-1) unstable; urgency=low
+
+ * New upstream SVN HEAD.
+ - Miscellaneous consolekit fixes from Dan Walsh.
+ - Patch to have avahi use the nsswitch interface rather than individual
+ permissions from Dan Walsh.
+ - Patch to dontaudit logrotate searching avahi pid directory from Dan
+ Walsh.
+ - Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t
+ pipes to handle usage from userhelper from Dan Walsh.
+ - Patch to allow amavis to read spamassassin libraries from Dan Walsh.
+ - Patch to allow slocate to getattr other filesystems and directories
+ on those filesystems from Dan Walsh.
+ - Fixes for RHEL4 from the CLIP project.
+ - Replace the old lrrd fc entries with munin ones.
+ - Move program admin template usage out of
+ userdom_admin_user_template() to sysadm policy in userdomain.te to
+ fix usage of the template for third parties.
+ - Fix clockspeed_run_cli() declaration, it was incorrectly defined as a
+ template instead of an interface.
+ - Added modules: rwho (Nalin Dahyabhai)
+ * Updated dependencies, since this refpolicy needs newer toolchain,
+
+ -- Manoj Srivastava Mon, 7 May 2007 01:47:44 -0500
+
+refpolicy (0.0.20070417-1) unstable; urgency=low
+
+ * New upstream release.
+ * Added XS-VCS-Arch and XS-VCS-Browse to debian/control, and updated
+ build dependencies.
+ * Bug fix: "selinux-policy-refpolicy-targeted: need file_contexts for
+ gcj-dbtool-4.1 and /var/log/account", thanks to Russell Coker
+ (Closes: #416910).
+
+ -- Manoj Srivastava Thu, 19 Apr 2007 02:28:29 -0500
+
+refpolicy (0.0.20061018-5) unstable; urgency=high
+
+ * Add policy for log and lock files for aptitude. This is needed for
+ proper function; so one does not need to go into permissive mode to
+ run aptitude. Stolen from Erich. This is a low risk change.
+ * Debian puts grub in /usr/sbin/grub. Reflect that in the initial file
+ context.
+ * Debian creates /dev/xconsole independently of whether or not a xserver
+ has been installed or not.
So move the policy related to /dev/sconsole
+ out of the xserver policy, and into places where relevant (init.te,
+ logging.fc), to reflect the status that /dev/console is present
+ anyway.
+ * Add support for /etc/network/run and /dev/shm/network, which seem to
+ be Debian specific as well.
+ * Allow udev to manage configuration files.
+
+ -- Manoj Srivastava Fri, 9 Mar 2007 00:22:19 -0600
+
+refpolicy (0.0.20061018-4) unstable; urgency=low
+
+ * Bug fix: "selinux-policy-refpolicy-targeted: does not suggest a way to
+ fix the 'maybe failing' attempt in postinst", thanks to Eddy Petrisor.
+ While this does not belong in the postinst, I have addedthis to the
+ README.Debian file. This should be a low risk change. (Closes: #407691).
+ * Bug fix: "Default build.conf doesn't match default strict/targeted
+ policy", thanks to Stefan.The build.conf included in the reference
+ source policy describe to build a policy of the type "strict". The
+ default binary policies coming with Debian are build with the policy
+ type "strict-mcs" or "targeted-mcs". Change the build.conf shipped in
+ source to conform to what we really use. (changes TYPE=strict to
+ TYPE=strict-mcs, very low risk change. (Closes: #411256).
+ * Bug fix: "selinux-policy-refpolicy-targeted: openvpn policy do not
+ allow tcp connection mode", thanks to Rafal Kupka. This bug really
+ should be at least important, and we should fully support a class of
+ security product like OpenVPN on machines which are running SELinux,
+ and this is a very low risk change. (Closes: #409041).
+ * Install header files required for policy building for both strict and
+ targeted policies in a new -dev package, so it becomes really useful
+ to work with the source package. Moved the examples from the -src
+ package to this new -dev package, since the example is only useful in
+ with the headers provided.
This is a new package, but it contains only
+ files already in the sources (No upstream changes at all), and is the
+ result of make install-headers. This new package has no rdepends, and
+ should be a very low risk addition to Debian.
+ * This release should be a whole lot better for building local policies,
+ including the policygentool for creating a new policy from scratch,
+ and ability to build local policy modular packages. The build.conf
+ files have been cleaned up, and the source policy defaults to targeted
+ policy, which is standard in Debian, as opposed to the strict policy,
+ which has priority optional.
+
+ -- Manoj Srivastava Mon, 26 Feb 2007 22:37:17 -0600
+
+refpolicy (0.0.20061018-3) unstable; urgency=high
+
+ * Bug fix: "refpolicy: FTBFS: /bin/sh: debian/stamp/config-strict: No
+ such file or directory", thanks to Lucas Nussbaum. This was fixed by
+ moving all the stamps into ./debian instead. I'll re-visit the
+ ./debian/stamp/ directory in lenny. This is a pretty minor packaging
+ change. (Closes: #405613).
+ * Bug fix: "selinux-policy-refpolicy-targeted: Policy for dcc misses
+ Debian's FHS paths", thanks to Devin Carraway. From the bug report:
+ Many of the files in these packages are overlooked when labelling
+ files, because refpolicy's dcc module stipulates paths not consistent
+ with the Debian FHS layout. The files go unlabelled and dcc-client
+ (at least) stops working. The two major problems are the references
+ to /usr/libexec/dcc (damons, placed in /usr/sbin by the Debian
+ packages) and to /var/dcc (all sorts of things, placed under
+ /var/lib/dcc). A side effect of the latter is that dccifd_t and
+ probably others need search on var_lib_t, through which it must pass
+ to get to /var/lib/dcc. Fixed the policy; will send upstream.
+ (Closes: #404309).
+ * Bug fix: "selinux-policy-refpolicy-targeted: clamav policy forbids
+ clamd_t search on /var/lib", thanks to Devin Carraway.
This is a
+ simple one line change, and obviously an oversight; I think getting
+ clamd to work is fairly important. (Closes: #404895).
+ * Bug fix: "selinux-policy-refpolicy-targeted: Multiple problems with
+ courier policy", thanks to Devin Carraway. There is detailed
+ information of the changes made in the bug report, and in the commit
+ logs. Again, fixing courier daemons seems pretty important; SELinux
+ tends to get used a lot on remote mail servers, and this fixes issues
+ with the policy. (Closes: #405103).
+
+ -- Manoj Srivastava Mon, 15 Jan 2007 13:20:30 -0600
+
+refpolicy (0.0.20061018-2) unstable; urgency=high
+
+ * The This update enables MCS for targeted and strict, uses 1024
+ categories (as Fedora uses - necessary for compatability). Please note
+ that enabling MCS categories is required for compatibility with
+ filesystems created on Fedora Core 5 and above, RHEL 5 and above, and
+ CentOS 5 and above. MCS categories is also a feature that we plan for
+ all future releases of SE Linux and does not have a nice upgrade path
+ - releasing etch without MCS will make things painful for SE Linux
+ users on the upgrade to lenny. This feature has been extensively
+ tested by Russel Coker and myself, and does not otherwise impact the
+ install.
+ * Allow semanage to use the initrd file descriptor in targeted policy.
+ * Fix a bug with restorecon.
+ * Bug fix: "refpolicy: qemu should have execmem permissions", thanks to
+ David Härdeman (Closes: #402293).
+
+ -- Manoj Srivastava Fri, 22 Dec 2006 10:33:22 -0600
+
+refpolicy (0.0.20061018-1) unstable; urgency=low
+
+ * New upstream release
+ * Updated copyright file with the new location of the sources, and added
+ a watch file.
+ * Bug fix: "selinux-policy-refpolicy-targeted: postinst package list
+ retrieval suggestion", thanks to Alexander Buerger. Thanks to the
+ provided suggestion, the selection of policy modules to install is not
+ only faster, it is actually correct :) (Closes: #388744).
+ * Bug fix: "Makefile for building policy modules?", thanks to Uwe
+ Hermann. Provided an intial version, may have bugs. (Closes: #389116).
+
+ -- Manoj Srivastava Tue, 24 Oct 2006 14:31:22 -0500
+
+refpolicy (0.0.20060911-2) unstable; urgency=low
+
+ * Fixed a typo in policy postinst that made all the policies reload at
+ every update.
+
+ -- Manoj Srivastava Tue, 12 Sep 2006 10:28:11 -0500
+
+refpolicy (0.0.20060911-1) unstable; urgency=low
+
+ * New upstream SCM HEAD.
+ * Synched with Erich Schubert
+ + Added first draft of python-support. You'll want to relabel these files.
+ + Build python-support and setroubleshoot modules
+ + Removed modules from guessing hintfile that are included in base.
+
+ * Bug fix: "Defaults should match the strict/targeted policy", thanks to
+ Uwe Hermann. Makde them match strict. (Closes: #386931).
+ * Bug fix: "selinux-policy-refpolicy-src: Duplicate entries in policy
+ files", thanks to Simon Richard Grint (Closes: #386909).
+ * Bug fix: "modules.conf vs. modules.conf.dist", thanks to Uwe Hermann
+ (Closes: #386887).
+ * Bug fix: "OUTPUT_POLICY and policy-version comments", thanks to Uwe
+ Hermann (Closes: #386930).
+ * Bug fix: "s/bzip2/gzip/?", thanks to Uwe Hermann (Closes: #386885).
+ * Bug fix: "selinux-refpolicy-src: include modules.conf files of strict
+ and targeted for -src package", thanks to Erich Schubert
+ (Closes: #386573).
+
+ -- Manoj Srivastava Mon, 11 Sep 2006 17:46:10 -0500
+
+refpolicy (0.0.20060907-3) unstable; urgency=low
+
+ * Updated a few more policy modules to latest versions for Debian.
+
+ -- Manoj Srivastava Fri, 8 Sep 2006 12:42:22 -0500
+
+refpolicy (0.0.20060907-2) unstable; urgency=low
+
+ * Update the module/package mapping.
+ * In the selinux-policy-refpolicy-src package, now ship the
+ modules.conf.strict and the modules.conf.targeted files which are used
+ to build the corresponding policy packages, snce the raw modules.conf
+ package has issues on Debian.
+ * With this version, we no longer ship the selinux-policy-refpolicy-src
+ unpacked into /etc with a gazillion conffiles; instead, we now ship a
+ compressed tarball in /usr/src, which the user may unpack where they
+ wish, and install policies as they wish.
+
+ -- Manoj Srivastava Fri, 8 Sep 2006 10:49:40 -0500
+
+refpolicy (0.0.20060907-1) unstable; urgency=low
+
+ * New upstream SCM HEAD.
+ * Bug fix: "selinux-policy-refpolicy-src: Compile failure of modular
+ targeted policy", thanks to Simon Richard Grint. Put a wrapper around
+ the offending lines to only take effect when running a strict policy.
+ (Closes: #384502).
+ * Bug fix: "make: /usr/sbin/setfiles: Command not found", thanks to Uwe
+ Hermann. Fixed upstream. (Closes: #384850).
+
+ -- Manoj Srivastava Fri, 8 Sep 2006 00:27:39 -0500
+
+refpolicy (0.0.20060813-2) unstable; urgency=low
+
+ * Bug fix: "Needs gawk", thanks to Simon Richard Grint
+ (Closes: #382821).
+ * Bug fix: "Move /etc/selinux/refpolicy/src/policy/man/man8/*
+ manpages?", thanks to Uwe Hermann (Closes: #372789).
+ * Fix errors in post installation initial policy creation process in the
+ postinst.
+ * Add directories required during policy build during postinst. This bug
+ prevented any policies being built when the package was initially
+ installed. Also, create an empty file_contexts.local file if it does
+ not already exist.
+ * Make selinux-policy-refpolicy-targeted provide and replace the
+ obsolete package selinux-policy-default; which should in the future be
+ just a virtual package.
+ * Added postrm packages to strict and targeted policy packages, in order
+ to clean out the directories in which files are created during policy
+ build.
+ * Rewrote the postinst in perl to allow us to do module dependency
+ checks, and to map policy modules to debian packages, in order to
+ better detect the modules that would be necessary for the target
+ machine.
+ * Also, compiling with either MCS or MLS produced errors while
+ installing policy, since we lack setrans daemon. So we are now
+ building with out them, created an easy to modify option to re-enable
+ it later.
+ * Updated modules.conf to use the latest offerings from Erich.
+
+ -- Manoj Srivastava Mon, 21 Aug 2006 14:59:52 -0500
+
+refpolicy (0.0.20060813-1) unstable; urgency=low
+
+ * New upstream SCM HEAD.
+ * Bug fix: "refpolicy: FTBFS: tmp/generated_definitions.conf:597:ERROR
+ 'syntax error' at token '' on line 3416:", thanks to Andreas Jochens
+ (Closes: #379559).
+ * Bug fix: "FTBFS while generating selinux-policy-refpolicy-strict",
+ thanks to Devin Carraway (Closes: #379376).
+ * Python transition (#2): you are building a private python module.
+ (Closes: #380930).
+
+ -- Manoj Srivastava Tue, 15 Aug 2006 09:53:06 -0500
+
+refpolicy (0.0.20060509-2) unstable; urgency=low
+
+ * Modified some paths to be more in line with upstream standards.
+
+ -- Manoj Srivastava Fri, 12 May 2006 08:30:08 -0500
+
+refpolicy (0.0.20060509-1) unstable; urgency=low
+
+ * New upstream release. First packaging for Sid.
+
+ -- Manoj Srivastava Tue, 9 May 2006 13:56:10 -0500
+
+refpolicy (20060506-1) sesarge; urgency=low
+
+ * New upstream checkout from CVS.
+ * Even more new modules.
+
+ -- Erich Schubert Sat, 6 May 2006 21:44:07 +0200
+
+refpolicy (20060418-2) sesarge; urgency=low
+
+ * New upstream checkout from CVS.
+
+ -- Erich Schubert Fri, 21 Apr 2006 19:17:05 +0200
+
+refpolicy (20060417-1) sesarge; urgency=low
+
+ * New upstream checkout from CVS.
+ * Until module linking is fixed, build everything into base.
+ (Sorry, this will result in a much larger policy than necessary.
+ Feel free to use the -src package to build your own!)
+ + -- Erich Schubert Mon, 17 Apr 2006 21:04:49 +0200 + +refpolicy (20060414-1) sesarge; urgency=low + + * New upstream version with tons of new policy files + + -- Erich Schubert Mon, 17 Apr 2006 20:48:50 +0200 + +refpolicy (20060329-2) sesarge; urgency=low + + * Merge upstream 20060329-2 + + -- Erich Schubert Mon, 3 Apr 2006 00:44:06 +0200 + +refpolicy (20060324-2) sesarge; urgency=low + + * Merge upstream 20060324-4 + + -- Erich Schubert Sat, 25 Mar 2006 03:34:36 +0100 + +refpolicy (20060324-1) sesarge; urgency=low + + * Merge upstream 20060323-2 + * Merge changes by Thomas Bleher + * Build with checkpolicy 1.30.1 + * Sorry, still doesn't work with make > 3.80 + + -- Erich Schubert Sat, 25 Mar 2006 02:21:00 +0100 + +refpolicy (20060315-2) sesarge; urgency=low + + * Make modular policy actually work. Hopefully. + (Up to now, optional_policy(`module') in base was not working upstream!) + * Revamp build process, don't use CDBS anymore since I didn't figure out + how to do two clean runs of the same source tree, and there is little + benefit here without any autotools or library magic needed + + -- Erich Schubert Fri, 17 Mar 2006 20:51:55 +0100 + +refpolicy (20060315-1.1) sesarge; urgency=low + + * Small tweaks and bugfixes to policy + + -- Erich Schubert Thu, 16 Mar 2006 23:13:40 +0100 + +refpolicy (20060315-1) sesarge; urgency=low + + * Merge with upstream and debian changes as of 20060309, rev 50 + * Merge with upstream and debian changes as of 20060315, rev 55 + * Added "netuser" role, similar to user_tcp_server boolean, but + you can enable it for single users only. 
+ + -- Erich Schubert Thu, 16 Mar 2006 00:23:54 +0100 + +refpolicy (20060306-1) sesarge; urgency=low + + * Merge with upstream and debian policy changes as of 20060306, Rev 31 + * Try to auto-build a policy after a fresh install in postinst + * Add inetd module to base for now + * Increase policycoreutils build-dep to hopefully solve the users_extra + issues by using a newer policycoreutils for building... + + -- Erich Schubert Mon, 6 Mar 2006 17:10:43 +0100 + +refpolicy (20060227-1) sesarge; urgency=low + + * Merge with upstream and debian policy changes as of 20060227, Rev 20 + + -- Erich Schubert Tue, 28 Feb 2006 03:48:48 +0100 + +refpolicy (20060224-2) sesarge; urgency=low + + * Update build process to not require a tarball, include previous + patches into our "branch" of the reference policy instead. + + -- Erich Schubert Tue, 28 Feb 2006 03:13:51 +0100 + +refpolicy (20060224-1) sesarge; urgency=low + + * New upstream CVS checkout. + * Move policy src from /etc to /usr/share/selinux/refpolicy + This avoids an apt-get size limitation and follows Fedora. + * Ship edited build.conf with policy source. + * Use debhelper for installing documentation. + * Add dependency for source onto gawk. + + -- Erich Schubert Sat, 25 Feb 2006 01:01:44 +0100 + +refpolicy (20060222-1) sesarge; urgency=low + + * New upstream CVS checkout. + * Thomas also provided a workaround for the make issues in his version. + * Update dpkg/apt policy to interface renamings + * Remove dpkg_script_exec_t, as supporting this would require bad hacks + to dpkg and/or tar. Use dpkg_var_lib_t instead. 
+ + -- Erich Schubert Thu, 23 Feb 2006 02:01:35 +0100 + +refpolicy (20060217-3) sesarge; urgency=low + + * Create selinux-policy-refpolicy-doc package + * DIRECT_INITRC=y + + -- Thomas Bleher Mon, 20 Feb 2006 23:43:53 +0000 + +refpolicy (20060217-2) sesarge; urgency=low + + * Added first drafts of dpkg, apt policy + + -- Erich Schubert Sat, 18 Feb 2006 03:20:59 +0100 + +refpolicy (20060217-1) sesarge; urgency=low + + * New upstream CVS checkout + * Document make incompaibility via build-dep + * Don't build some redhat specific policy modules, minor tweaks + + -- Erich Schubert Tue, 14 Feb 2006 02:35:04 +0100 + +refpolicy (20060213-1) sesarge; urgency=low + + * New upstream CVS checkout. + * Still not really useable + + -- Erich Schubert Tue, 14 Feb 2006 02:35:04 +0100 + +refpolicy (20060117-1) sesarge; urgency=low + + * Experimental release + + -- Erich Schubert Mon, 13 Feb 2006 22:50:03 +0100 + --- refpolicy-2.20110726.orig/debian/rules +++ refpolicy-2.20110726/debian/rules 
@@ -0,0 +1,65 @@
+#! /usr/bin/make -f
+############################ -*- Mode: Makefile; coding: utf-8 -*- ###########################
+## rules ---
+## Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+## Created On : Fri Nov 14 12:33:34 2003
+## Created On Node : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Tue Nov 18 17:46:22 2003
+## Last Machine Used: glaurung.green-gryphon.com
+## Update Count : 70
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description :
+##
+## arch-tag: 9a5063f4-1e20-4fff-b22a-de94c1e3d954
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 2 of the License, or
+## (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with this program; if not, write to the Free Software
+## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+##
+###############################################################################
+
+# Include dpkg-architecture generated variables
+include debian/common/archvars.mk
+
+# Does not work with the upstream build system
+FAILS_PARALLEL_BUILD=parallel=N
+# Set variables with information extracted from control and changelog files
+include debian/common/pkgvars.mk
+
+# variables useful for perl packages
+include debian/common/perlvars.mk
+
+# Install commands
+include debian/common/install_cmds.mk
+
+include debian/local-vars.mk
+
+include debian/common/copt.mk
+
+include debian/common/automake.mk
+
+
+
+all:
+ @echo nothing to be done
+
+include debian/common/targets.mk
+
+include debian/local.mk
+
+
+#Local variables:
+#mode: makefile
+#End:
--- refpolicy-2.20110726.orig/debian/policygentool
+++ refpolicy-2.20110726/debian/policygentool
@@ -0,0 +1,300 @@
+#! /usr/bin/env python
+# Copyright (C) 2006 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# policygentool is a tool for the initial generation of SELinux policy
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+# 02111-1307 USA
+#
+# arch-tag: 4c33ae23-a363-4ace-bae9-86fb8a792206
+import os, sys, getopt
+import re
+
+########################### Interface File #############################
+interface="""\
+## policy for TEMPLATETYPE
+
+########################################
+##
+## Execute a domain transition to run TEMPLATETYPE.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`TEMPLATETYPE_domtrans',`
+ gen_require(`
+ type TEMPLATETYPE_t, TEMPLATETYPE_exec_t;
+ ')
+
+ domain_auto_trans($1,TEMPLATETYPE_exec_t,TEMPLATETYPE_t)
+
+ allow $1 TEMPLATETYPE_t:fd use;
+ allow TEMPLATETYPE_t $1:fd use;
+ allow TEMPLATETYPE_t $1:fifo_file rw_file_perms;
+ allow TEMPLATETYPE_t $1:process sigchld;
+')
+"""
+
+########################### Type Enforcement File #############################
+te="""\
+policy_module(TEMPLATETYPE,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type TEMPLATETYPE_t;
+type TEMPLATETYPE_exec_t;
+domain_type(TEMPLATETYPE_t)
+init_daemon_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
+"""
+te_pidfile="""
+# pid files
+type TEMPLATETYPE_var_run_t;
+files_pid_file(TEMPLATETYPE_var_run_t)
+"""
+te_logfile="""
+# log files
+type TEMPLATETYPE_var_log_t;
+logging_log_file(TEMPLATETYPE_var_log_t)
+"""
+te_libfile="""
+# var/lib files
+type TEMPLATETYPE_var_lib_t;
+files_type(TEMPLATETYPE_var_lib_t)
+"""
+te_sep="""
+########################################
+#
+# TEMPLATETYPE local policy
+#
+# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
+
+# Some common macros (you might be able to remove some)
+files_read_etc_files(TEMPLATETYPE_t)
+libs_use_ld_so(TEMPLATETYPE_t)
+libs_use_shared_libs(TEMPLATETYPE_t)
+miscfiles_read_localization(TEMPLATETYPE_t)
+## internal communication is often done using fifo and unix sockets.
+allow TEMPLATETYPE_t self:fifo_file { read write };
+allow TEMPLATETYPE_t self:unix_stream_socket create_stream_socket_perms;
+"""
+te_pidfile2="""
+# pid file
+allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:file manage_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:sock_file manage_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_run_t, { file sock_file })
+"""
+te_logfile2="""
+# log files
+allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:file create_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:sock_file create_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_log_t,{ sock_file file dir })
+"""
+te_libfile2="""
+# var/lib files for TEMPLATETYPE
+allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:file create_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:sock_file create_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:dir create_dir_perms;
+files_var_lib_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_lib_t, { file dir sock_file })
+"""
+te_network2="""
+## Networking basics (adjust to your needs!)
+sysnet_dns_name_resolve(TEMPLATETYPE_t)
+corenet_tcp_sendrecv_all_if(TEMPLATETYPE_t)
+corenet_tcp_sendrecv_all_nodes(TEMPLATETYPE_t)
+corenet_tcp_sendrecv_all_ports(TEMPLATETYPE_t)
+corenet_non_ipsec_sendrecv(TEMPLATETYPE_t)
+corenet_tcp_connect_http_port(TEMPLATETYPE_t)
+#corenet_tcp_connect_all_ports(TEMPLATETYPE_t)
+## if it is a network daemon, consider these:
+#corenet_tcp_bind_all_ports(TEMPLATETYPE_t)
+#corenet_tcp_bind_all_nodes(TEMPLATETYPE_t)
+allow TEMPLATETYPE_t self:tcp_socket { listen accept };
+"""
+te_initsc2="""
+# Init script handling
+init_use_fds(TEMPLATETYPE_t)
+init_use_script_ptys(TEMPLATETYPE_t)
+domain_use_interactive_fds(TEMPLATETYPE_t)
+"""
+
+########################### File Context ##################################
+fc="""\
+# TEMPLATETYPE executable will have:
+# label: system_u:object_r:TEMPLATETYPE_exec_t
+# MLS sensitivity: s0
+# MCS categories:
+
+EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_exec_t,s0)
+"""
+fc_pidfile="""\
+FILENAME gen_context(system_u:object_r:TEMPLATETYPE_var_run_t,s0)
+"""
+fc_logfile="""\
+FILENAME gen_context(system_u:object_r:TEMPLATETYPE_var_log_t,s0)
+"""
+fc_libfile="""\
+FILENAME gen_context(system_u:object_r:TEMPLATETYPE_var_lib_t,s0)
+"""
+def errorExit(error):
+ sys.stderr.write("%s: " % sys.argv[0])
+ sys.stderr.write("%s\n" % error)
+ sys.stderr.flush()
+ sys.exit(1)
+
+
+def write_te_file(module, pidfile, logfile, libfile, network, initsc):
+ file="%s.te" % module
+ newte=re.sub("TEMPLATETYPE", module, te)
+ if pidfile:
+ newte= newte + re.sub("TEMPLATETYPE", module, te_pidfile)
+ if logfile:
+ newte= newte + re.sub("TEMPLATETYPE", module, te_logfile)
+ if libfile:
+ newte= newte + re.sub("TEMPLATETYPE", module, te_libfile)
+ newte= newte + re.sub("TEMPLATETYPE", module, te_sep)
+ if pidfile:
+ newte= newte + re.sub("TEMPLATETYPE", module, te_pidfile2)
+ if logfile:
+ newte= newte + re.sub("TEMPLATETYPE", module, te_logfile2)
+ if libfile:
+ newte= newte + re.sub("TEMPLATETYPE", module, te_libfile2)
+ if network:
+ newte= newte + re.sub("TEMPLATETYPE", module, te_network2)
+ if initsc:
+ newte= newte + re.sub("TEMPLATETYPE", module, te_initsc2)
+ if os.path.exists(file):
+ errorExit("%s already exists" % file)
+ fd = open(file, 'w')
+ fd.write(newte)
+ fd.close()
+
+def write_if_file(module):
+ file="%s.if" % module
+ newif=re.sub("TEMPLATETYPE", module, interface)
+ if os.path.exists(file):
+ errorExit("%s already exists" % file)
+ fd = open(file, 'w')
+ fd.write(newif)
+ fd.close()
+
+def write_fc_file(module, executable, pidfile, logfile, libfile):
+ file="%s.fc" % module
+ temp=re.sub("TEMPLATETYPE", module, fc)
+ newfc=re.sub("EXECUTABLE", executable, temp)
+ if pidfile:
+ temp=re.sub("TEMPLATETYPE", module, fc_pidfile)
+ newfc=newfc + re.sub("FILENAME", pidfile, temp)
+ if logfile:
+ temp=re.sub("TEMPLATETYPE", module, fc_logfile)
+ newfc=newfc + re.sub("FILENAME", logfile, temp)
+ if libfile:
+ temp=re.sub("TEMPLATETYPE", module, fc_libfile)
+ newfc=newfc + re.sub("FILENAME", libfile, temp)
+ if os.path.exists(file):
+ errorExit("%s already exists" % file)
+ fd = open(file, 'w')
+ fd.write(newfc)
+ fd.close()
+
+def gen_policy(module, executable, pidfile, logfile, libfile, initsc, network):
+ write_te_file(module, pidfile, logfile, libfile, initsc, network)
+ write_if_file(module)
+ write_fc_file(module, executable, pidfile, logfile, libfile)
+
+if __name__ == '__main__':
+ def usage(message = ""):
+ print '%s ModuleName Executable' % sys.argv[0]
+ sys.exit(1)
+
+ if len(sys.argv) != 3:
+ usage()
+
+ print """\n
+This tool generate three files for policy development, A Type Enforcement (te)
+file, a File Context (fc), and a Interface File(if). Most of the policy rules
+will be written in the te file. Use the File Context file to associate file
+paths with security context. Use the interface rules to allow other protected
+domains to interact with the newly defined domains.
+
+After generating these files use the /usr/share/selinux/POLICY-NAME/include/Makefile to
+compile your policy package. Then use the semodule tool to load it.
+
+# /usr/bin/policygentool myapp /usr/bin/myapp
+# echo 'HEADERDIR:=/usr/share/selinux/refpolicy-targeted/include' >Makefile
+# echo 'include $(HEADERDIR)/Makefile' >> Makefile
+# make
+# semodule -l myapp.pp
+# restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"
+
+Now you can turn on permissive mode, start your application and avc messages
+will be generated. You can use audit2allow to help translate the avc messages
+into policy.
+
+# setenforce 0
+# /etc/init.d/myapp start
+# audit2allow -R -i /var/log/audit/audit.log
+
+Return to continue:"""
+ sys.stdin.readline().rstrip()
+
+ print 'If the module uses pidfiles, what is the pidfile called?'
+ pidfile = sys.stdin.readline().rstrip()
+ if pidfile == "":
+ pidfile = None
+ print 'If the module uses logfiles, where are they stored?'
+ logfile = sys.stdin.readline().rstrip()
+ if logfile == "":
+ logfile = None
+ print 'If the module has var/lib files, where are they stored?'
+ libfile = sys.stdin.readline().rstrip()
+ if libfile == "":
+ libfile = None
+ print 'Does the module have a init script? [yN]'
+ initsc = sys.stdin.readline().rstrip()
+ if initsc == "" or initsc == "n" or initsc == "N":
+ initsc = False
+ elif initsc == "y" or initsc == "Y":
+ initsc = True
+ else:
+ raise "Please answer with 'y' or 'n'!"
+ print 'Does the module use the network? [yN]'
+ network = sys.stdin.readline().rstrip()
+ if network == "" or network == "n" or network == "N":
+ network = False
+ elif network == "y" or network == "Y":
+ network = True
+ else:
+ raise "Please answer with 'y' or 'n'!"
+
+ gen_policy(
+ module=sys.argv[1],
+ executable=sys.argv[2],
+ pidfile=pidfile,
+ logfile=logfile,
+ libfile=libfile,
+ initsc=initsc,
+ network=network
+ )
+
+
--- refpolicy-2.20110726.orig/debian/example.fc
+++ refpolicy-2.20110726/debian/example.fc
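Review bot: gen_policy calls `write_te_file(module, pidfile, logfile, libfile, initsc, network)` while the function is declared as `def write_te_file(module, pidfile, logfile, libfile, network, initsc)`, so the two booleans are crossed: answering "y" to the init-script question emits the te_network2 rules (corenet_tcp_sendrecv_all_ports and the rest) and answering "y" to the network question emits only the init-script rules. Because the generated .te is what gets compiled and loaded, this silently widens the new domain's network access; fix the call to `write_te_file(module, pidfile, logfile, libfile, network, initsc)` or pass both by keyword. Two smaller points in the same hunk: the usage text's `# semodule -l myapp.pp` lists modules rather than installing one (`semodule -i myapp.pp`), and `raise "Please answer with 'y' or 'n'!"` is a string exception that Python 2.6+ rejects with a TypeError, so `raise ValueError("Please answer with 'y' or 'n'!")` keeps the message and actually reaches the user. Note also that module and executable come straight from argv and are used as re.sub replacement strings, so a backslash in either is interpreted as an escape rather than copied literally; str.replace avoids that.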
@@ -0,0 +1,8 @@
+# myapp executable will have:
+# label: system_u:object_r:myapp_exec_t
+# MLS sensitivity: s0
+# MCS categories:
+
+/usr/sbin/myapp -- gen_context(system_u:object_r:myapp_exec_t,s0)
+
+# arch-tag: 883e01c8-54bc-4083-83b5-61be97c970fb
--- refpolicy-2.20110726.orig/debian/Makefile.src
+++ refpolicy-2.20110726/debian/Makefile.src
@@ -0,0 +1,214 @@
+# arch-tag: 2d5f59a8-3b3b-4118-a3ef-4de1ea00d6e4
+# helper tools
+AWK ?= gawk
+INSTALL ?= install
+M4 ?= m4
+SED ?= sed
+EINFO ?= echo
+PYTHON ?= python
+
+NAME ?= $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config)
+
+include build.conf
+
+# executables
+PREFIX := /usr
+BINDIR := $(PREFIX)/bin
+SBINDIR := $(PREFIX)/sbin
+CHECKMODULE := $(BINDIR)/checkmodule
+SEMODULE := $(SBINDIR)/semodule
+SEMOD_PKG := $(BINDIR)/semodule_package
+XMLLINT := $(BINDIR)/xmllint
+
+# set default build options if missing
+TYPE ?= strict
+DIRECT_INITRC ?= n
+POLY ?= n
+QUIET ?= y
+
+genxml := $(PYTHON) support/segenxml.py
+
+docs = doc
+polxml = $(docs)/policy.xml
+xmldtd = support/policy.dtd
+layerxml = metadata.xml
+
+globaltun = global_tunables.xml
+globalbool = global_booleans.xml
+
+# compile strict policy if requested.
+ifneq ($(findstring strict,$(TYPE)),)
+ M4PARAM += -D strict_policy
+endif
+
+# compile targeted policy if requested.
+ifneq ($(findstring targeted,$(TYPE)),)
+ M4PARAM += -D targeted_policy
+endif
+
+# enable MLS if requested.
+ifneq ($(findstring -mls,$(TYPE)),)
+ M4PARAM += -D enable_mls
+ CHECKPOLICY += -M
+ CHECKMODULE += -M
+endif
+
+# enable MLS if MCS requested.
+ifneq ($(findstring -mcs,$(TYPE)),)
+ M4PARAM += -D enable_mcs
+ CHECKPOLICY += -M
+ CHECKMODULE += -M
+endif
+
+# enable distribution-specific policy
+ifneq ($(DISTRO),)
+ M4PARAM += -D distro_$(DISTRO)
+endif
+
+# enable polyinstantiation
+ifeq ($(POLY),y)
+ M4PARAM += -D enable_polyinstantiation
+endif
+
+ifeq ($(DIRECT_INITRC),y)
+ M4PARAM += -D direct_sysadm_daemon
+endif
+
+# default MLS/MCS sensitivity and category settings.
+MLS_SENS ?= 16
+MLS_CATS ?= 1024
+MCS_CATS ?= 1024
+
+ifeq ($(QUIET),y)
+ verbose := @
+endif
+
+M4PARAM += -D hide_broken_symptoms -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS) -D mandatory_mcs
+
+# policy headers
+m4support = $(wildcard support/*.spt)
+all_layers = $(filter-out support,$(shell find $(wildcard *) -maxdepth 0 -type d))
+all_interfaces = $(foreach layer,$(all_layers),$(wildcard $(layer)/*.if))
+rolemap = rolemap
+
+detected_layers = $(filter-out CVS tmp $(docs),$(shell find $(wildcard *) -maxdepth 0 -type d))
+3rd_party_mods = $(wildcard *.te)
+detected_mods = $(3rd_party_mods) $(foreach layer,$(detected_layers),$(wildcard $(layer)/*.te))
+detected_ifs = $(detected_mods:.te=.if)
+detected_fcs = $(detected_mods:.te=.fc)
+all_packages = $(notdir $(detected_mods:.te=.pp))
+
+vpath %.te $(detected_layers)
+vpath %.if $(detected_layers)
+vpath %.fc $(detected_layers)
+
+# if there are modules in the current directory, add them into the third party layer
+ifneq "$(3rd_party_mods)" ""
+ genxml += -3 .
+endif
+
+########################################
+#
+# Functions
+#
+
+# parse-rolemap-compat modulename,outputfile
+define parse-rolemap-compat
+ $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+ $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+endef
+
+# parse-rolemap modulename,outputfile
+define parse-rolemap
+ $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+ $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+endef
+
+# peruser-expansion modulename,outputfile
+define peruser-expansion
+ $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
+ $(call parse-rolemap,$1,$2)
+ $(verbose) echo "')" >> $2
+
+ $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
+ $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
+ $(call parse-rolemap-compat,$1,$2)
+ $(verbose) echo "')" >> $2
+endef
+
+.PHONY: clean all xml load
+.SUFFIXES:
+.SUFFIXES: .pp
+# broken in make 3.81:
+#.SECONDARY:
+
+########################################
+#
+# Main targets
+#
+
+all: $(all_packages)
+
+xml: $(polxml)
+
+########################################
+#
+# Load module packages
+#
+load: $(all_packages)
+ @$(EINFO) "Loading $(NAME) modules: $(basename $(notdir $(all_packages)))"
+ $(verbose) $(SEMODULE) $(foreach mod,$^,-i $(mod))
+
+########################################
+#
+# Build module packages
+#
+tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te
+ @$(EINFO) "Compiling $(NAME) $(basename $(@F)) module"
+ @test -d tmp || mkdir -p tmp
+ $(call peruser-expansion,$(basename $(@F)),$@.role)
+ $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
+ $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
+
+tmp/%.mod.fc: $(m4support) %.fc
+ $(verbose) $(M4) $(M4PARAM) $^ > $@
+
+%.pp: tmp/%.mod tmp/%.mod.fc
+ @echo "Creating $(NAME) $(@F) policy package"
+ $(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
+
+tmp/all_interfaces.conf: $(m4support) $(all_interfaces) $(detected_ifs)
+ @test -d tmp || mkdir -p tmp
+ $(verbose) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@
+
+# so users dont have to make empty .fc and .if files
+$(detected_ifs) $(detected_fcs):
+ @touch $@
+
+########################################
+#
+# Documentation generation
+#
+
+# minimal dependencies here, because we don't want to rebuild
+# this and its dependents every time the dependencies
+# change. Also use all .if files here, rather then just the
+# enabled modules.
+$(polxml): $(detected_ifs) $(foreach dir,$(all_layers),$(dir)/$(layerxml))
+ @echo "Creating $@"
+ @mkdir -p doc
+ $(verbose) echo '' > $@
+ $(verbose) echo '' >> $@
+ $(verbose) $(genxml) -m $(layerxml) --tunables-xml $(globaltun) --booleans-xml $(globalbool) $(all_layers) $(detected_layers) >> $@
+ $(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
+ $(XMLLINT) --noout --dtdvalid $(xmldtd) $@ ;\
+ fi
+
+########################################
+#
+# Clean the environment
+#
+
+clean:
+ rm -fR tmp
+ rm -f *.pp
--- refpolicy-2.20110726.orig/debian/example.mk
+++ refpolicy-2.20110726/debian/example.mk
@@ -0,0 +1,26 @@
+# installation paths
+
+AWK ?= gawk
+NAME ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config))
+
+MLSENABLED := $(shell cat /selinux/mls)
+ifeq ($(MLSENABLED),)
+ MLSENABLED := 1
+endif
+
+ifeq ($(MLSENABLED),1)
+ MCSFLAG=-mcs
+endif
+
+ifeq ($(NAME), mls)
+ NAME = strict
+ MCSFLAG = -mls
+endif
+
+TYPE ?= $(NAME)${MCSFLAG}
+
+# This can also be changed to /usr/share/selinux/mls/include
+HEADERDIR := /usr/share/selinux/default/include
+include $(HEADERDIR)/Makefile
+
+# arch-tag: 56a0db1b-e624-4696-9882-9b7147b719f9
--- refpolicy-2.20110726.orig/debian/global_booleans.xml
+++ refpolicy-2.20110726/debian/global_booleans.xml
@@ -0,0 +1,25 @@
+
+
+
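Review bot: The tmp/all_interfaces.conf recipe invokes bare `m4` and `sed` even though the hunk defines `M4 ?= m4` and `SED ?= sed` at the top and every other recipe goes through `$(M4)`, so a user overriding M4 or SED on the command line gets a build that mixes two toolchains. Change the recipe to `$(verbose) $(M4) $^ | $(SED) -e s/dollarsstar/\$$\*/g > $@`. In the same hunk the -mls and -mcs blocks append `-M` to CHECKPOLICY, which is neither defined nor used anywhere in this file (only CHECKMODULE is), so either drop those two lines or add a comment saying they are kept to mirror the upstream Makefile. Note also that NAME is read from /etc/selinux/config at parse time and the load target installs every package with `$(SEMODULE) -i`, so a build on a host whose SELINUXTYPE differs from the intended store targets that store unless NAME is passed explicitly; a one-line comment above NAME would make that visible.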
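Review bot: `MLSENABLED := $(shell cat /selinux/mls)` followed by `ifeq ($(MLSENABLED),)` / `MLSENABLED := 1` treats a missing or unreadable /selinux/mls (selinuxfs not mounted, or mounted elsewhere) the same as an MLS-capable kernel, so the fallback quietly selects the -mcs variant and `cat` prints an error at parse time. Prefer an explicit, silent default such as `MLSENABLED := $(shell cat /selinux/mls 2>/dev/null || echo 1)` and a comment stating that 1 is the assumed default when the file cannot be read. The `ifeq ($(NAME), mls)` branch renames NAME to strict but leaves HEADERDIR at /usr/share/selinux/default/include, so as far as the hunk shows an mls store is built against the default headers unless the user edits the path the comment mentions; confirm that is intended.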

+Enabling secure mode disallows programs, such as +newrole, from transitioning to administrative +user domains. +

+
+
+ + +

+Disable transitions to insmod. +

+
+
+ + +

+boolean to determine whether the system permits loading policy, setting +enforcing mode, and changing boolean values. Set this to true and you +have to reboot to set it back +

+
+
+
--- refpolicy-2.20110726.orig/debian/localStrict.te
+++ refpolicy-2.20110726/debian/localStrict.te
@@ -0,0 +1,98 @@
+########################### -*- Mode: Fundamental -*- #########################
+## localStrict.te ---
+## Author : Manoj Srivastava ( srivasta@glaurung.internal.golden-gryphon.com )
+## Created On : Thu May 10 23:57:50 2007
+## Created On Node : glaurung.internal.golden-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Mon Oct 29 11:57:13 2007
+## Last Machine Used: anzu.internal.golden-gryphon.com
+## Update Count : 5
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description :
+##
+## This is a example local policy, which is used by the author to set
+## up am user mode linux virtual machine in enforcing mode using the
+## strict policy. With this policy module loaded, root can run
+## apt/aptitude/dpkg, install and remove packages, and mount a hostfs
+## filesystem.
+##
+## This .te file can be compiled with:
+## checkmodule -M -m -o localStrict.mod localStrict.te
+## semodule_package -o localStrict.pp -m localStrict.mod
+## And loaded into policy with:
+## semodule -i localStrict.pp
+##
+## arch-tag: b4a20d2d-3c47-40c3-bc8f-a6adc1f31250
+##
+###############################################################################
+
+module localStrict 1.0;
+
+require {
+ type apt_t;
+ type auditd_t;
+ type crond_t;
+ type fsadm_log_t;
+ type fsadm_t;
+ type initrc_t;
+ type mount_t;
+ type security_t;
+ type system_chkpwd_t;
+ type var_run_t;
+ class unix_stream_socket listen;
+ class file write;
+ class fd use;
+ class dir search;
+ class filesystem getattr;
+ class process setrlimit;
+}
+
+#============= apt_t ==============
+# src="apt_t" tgt="var_run_t" class="dir", perms="search"
+# comm="aptitude" exe="" path=""
+allow apt_t var_run_t:dir search;
+
+#============= auditd_t ==============
+# src="auditd_t" tgt="auditd_t" class="unix_stream_socket", perms="listen"
+# comm="audispd" exe="" path=""
+allow auditd_t self:unix_stream_socket listen;
+
+#============= crond_t ==============
+# Since cron policy explicitly did not give permission for this,
+# we should silence the audit messages.
+# src="crond_t" tgt="crond_t" class="process", perms="setrlimit"
+# comm="cron" exe="" path=""
+allow crond_t self:process setrlimit;
+
+##============= fsadm_t ==============
+# src="fsadm_t" tgt="security_t" class="filesystem", perms="getattr"
+# comm="fsck.ext3" exe="" path=""
+allow fsadm_t security_t:filesystem getattr;
+
+#============= initrc_t ==============
+### /etc/init.d/checkroot.sh running "/sbin/logsave", as well as
+### /etc/init.d/checkfs.sh
+# src="initrc_t" tgt="fsadm_log_t" class="file", perms="write"
+# comm="logsave" exe="" path=""
+allow initrc_t fsadm_log_t:file write;
+
+### Allow auditd postinst, fer instance
+# src="initrc_t" tgt="apt_t" class="fd", perms="use"
+# comm="auditd" exe="" path=""
+allow initrc_t apt_t:fd use;
+
+#============= mount_t ==============
+# src="mount_t" tgt="security_t" class="filesystem", perms="getattr"
+# comm="mount" exe="" path=""
+allow mount_t security_t:filesystem getattr;
+
+#============= system_chkpwd_t ==============
+# src="system_chkpwd_t" tgt="security_t" class="filesystem", perms="getattr"
+# comm="unix_chkpwd" exe="" path=""
+allow system_chkpwd_t security_t:filesystem getattr;
+
+### I have no idea why this is looking in /var/run
+# src="system_chkpwd_t" tgt="var_run_t" class="dir", perms="search"
+# comm="unix_chkpwd" exe="" path=""
+allow system_chkpwd_t var_run_t:dir search;
--- refpolicy-2.20110726.orig/debian/README.Debian
+++ refpolicy-2.20110726/debian/README.Debian
@@ -0,0 +1,8 @@
+It would be useful for most users to be familiar with policycoreutils
+tools in order to manipulate policies installed on the
+system. Specifically, it is useful to be familiar with:
+ semodule(8) - Manage SELinux policy modules.
+ load_policy(8) - load a new policy into the kernel
+
+
+ -- Manoj Srivastava , Tue, 9 May 2006 14:07:31 -0500
--- refpolicy-2.20110726.orig/debian/local.mk
+++ refpolicy-2.20110726/debian/local.mk
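Review bot: The crond_t block's comment says the intent is to "silence the audit messages" because the cron policy deliberately withholds the permission, yet the rule that follows is `allow crond_t self:process setrlimit;`, which grants it rather than hiding the denial. If silencing is the intent the rule should be `dontaudit crond_t self:process setrlimit;`; if granting is the intent, the comment should say why, since this example module ships in the package and will be copied as-is. The `##============= fsadm_t` header also has a doubled `#` unlike the other section headers. Less certain: `allow initrc_t fsadm_log_t:file write;` is documented as covering logsave opening the log file, and on policies that enforce the separate open permission that rule alone may not be sufficient, so it is worth re-checking against a fresh AVC on the target kernel.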
@@ -0,0 +1,476 @@
+############################ -*- Mode: Makefile -*- ###########################
+## local.mk ---
+## Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+## Created On : Sat Nov 15 10:42:10 2003
+## Created On Node : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Sat Feb 14 15:46:22 2009
+## Last Machine Used: anzu.internal.golden-gryphon.com
+## Update Count : 130
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description :
+##
+## arch-tag: b07b1015-30ba-4b46-915f-78c776a808f4
+##
+###############################################################################
+
+testdir:
+ $(testdir)
+
+debian/stamp/pre-config-common: debian/stamp/conf/common
+debian/stamp/pre-build-common: debian/stamp/build/common
+
+debian/stamp/CONFIG/selinux-policy-mls: debian/stamp/conf/selinux-policy-mls
+debian/stamp/BUILD/selinux-policy-mls: debian/stamp/build/selinux-policy-mls
+debian/stamp/INST/selinux-policy-mls: debian/stamp/install/selinux-policy-mls
+debian/stamp/BIN/selinux-policy-mls: debian/stamp/binary/selinux-policy-mls
+
+debian/stamp/CONFIG/selinux-policy-default: debian/stamp/conf/selinux-policy-default
+debian/stamp/BUILD/selinux-policy-default: debian/stamp/build/selinux-policy-default
+debian/stamp/INST/selinux-policy-default: debian/stamp/install/selinux-policy-default
+debian/stamp/BIN/selinux-policy-default: debian/stamp/binary/selinux-policy-default
+
+
+debian/stamp/CONFIG/selinux-policy-src: debian/stamp/conf/selinux-policy-src
+debian/stamp/BUILD/selinux-policy-src: debian/stamp/build/selinux-policy-src
+debian/stamp/INST/selinux-policy-src: debian/stamp/install/selinux-policy-src
+debian/stamp/BIN/selinux-policy-src: debian/stamp/binary/selinux-policy-src
+
+debian/stamp/CONFIG/selinux-policy-dev: debian/stamp/conf/selinux-policy-dev
+debian/stamp/BUILD/selinux-policy-dev: debian/stamp/build/selinux-policy-dev
+debian/stamp/INST/selinux-policy-dev: debian/stamp/install/selinux-policy-dev
+debian/stamp/BIN/selinux-policy-dev: debian/stamp/binary/selinux-policy-dev
+
+
+debian/stamp/CONFIG/selinux-policy-doc: debian/stamp/conf/selinux-policy-doc
+debian/stamp/BUILD/selinux-policy-doc: debian/stamp/build/selinux-policy-doc
+debian/stamp/INST/selinux-policy-doc: debian/stamp/install/selinux-policy-doc
+debian/stamp/BIN/selinux-policy-doc: debian/stamp/binary/selinux-policy-doc
+
+CLEAN/selinux-policy-mls CLEAN/selinux-policy-default CLEAN/selinux-policy-src CLEAN/selinux-policy-src CLEAN/selinux-policy-dev CLEAN/selinux-policy-doc ::
+ $(REASON)
+ -test -f Makefile && $(MAKE) bare
+ test ! -d $(TMPTOP) || rm -rf $(TMPTOP)
+ test ! -d $(SRCTOP)/debian/build-$(package) || \
+ rm -rf $(SRCTOP)/debian/build-$(package)
+
+debian/stamp/conf/common:
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/conf || mkdir -p debian/stamp/conf
+ test -d $(SRCTOP)/config/appconfig-mcs || \
+ cp -a $(SRCTOP)/config/appconfig-mcs $(SRCTOP)/config/appconfig-default
+ test -d $(SRCTOP)/config/appconfig-mcs || \
+ cp -a $(SRCTOP)/config/appconfig-mls $(SRCTOP)/config/appconfig-mls
+ echo done > $@
+
+debian/stamp/conf/selinux-policy-mls:
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/conf || mkdir -p debian/stamp/conf
+ test ! -d $(SRCTOP)/debian/build-$(package) || \
+ rm -rf $(SRCTOP)/debian/build-$(package)
+ mkdir -p $(SRCTOP)/debian/build-$(package)
+ test -e debian/stamp-config-mls || \
+ cp -lr policy support Makefile Rules.modular doc \
+ Rules.monolithic config VERSION Changelog COPYING INSTALL \
+ README man $(SRCTOP)/debian/build-$(package)
+ cp debian/build.conf.mls $(SRCTOP)/debian/build-$(package)/build.conf
+ $(MAKE) -C $(SRCTOP)/debian/build-$(package) \
+ NAME=mls TYPE=mls $(OPTIONS) bare
+ (cd $(SRCTOP)/debian/build-$(package) ; \
+ $(MAKE) NAME=mls TYPE=mls $(OPTIONS) conf)
+ cp debian/modules.conf.mls \
+ $(SRCTOP)/debian/build-$(package)/policy/modules.conf
+ echo done > $@
+
+debian/stamp/conf/selinux-policy-default:
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/conf || mkdir -p debian/stamp/conf
+ test ! -d $(SRCTOP)/debian/build-$(package) || \
+ rm -rf $(SRCTOP)/debian/build-$(package)
+ mkdir -p $(SRCTOP)/debian/build-$(package)
+ cp -lr policy support Makefile Rules.modular doc \
+ Rules.monolithic config VERSION Changelog COPYING INSTALL \
+ README man $(SRCTOP)/debian/build-$(package)
+ cp debian/build.conf.default $(SRCTOP)/debian/build-$(package)/build.conf
+ $(MAKE) -C $(SRCTOP)/debian/build-$(package) \
+ NAME=default TYPE=mcs $(OPTIONS) bare
+ (cd $(SRCTOP)/debian/build-$(package) ; \
+ $(MAKE) NAME=default TYPE=mcs $(OPTIONS) conf)
+ cp debian/modules.conf.default \
+ $(SRCTOP)/debian/build-$(package)/policy/modules.conf
+ echo done > $@
+
+debian/stamp/conf/selinux-policy-src:
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/conf || mkdir -p debian/stamp/conf
+ test ! -d $(SRCTOP)/debian/build-$(package) || \
+ rm -rf $(SRCTOP)/debian/build-$(package)
+ mkdir -p $(SRCTOP)/debian/build-$(package)
+ cp -lr policy support Makefile Rules.modular doc \
+ Rules.monolithic config VERSION Changelog COPYING INSTALL \
+ README man $(SRCTOP)/debian/build-$(package)
+ cp debian/build.conf.default $(SRCTOP)/debian/build-$(package)/build.conf
+ (cd $(SRCTOP)/debian/build-$(package) ; \
+ $(MAKE) NAME=default $(OPTIONS) conf)
+ cp debian/modules.conf.* $(SRCTOP)/debian/build-$(package)/policy/
+ cp debian/build.conf.default $(SRCTOP)/debian/build-$(package)/policy/
+ echo done > $@
+
+debian/stamp/conf/selinux-policy-dev:
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/conf || mkdir -p debian/stamp/conf
+ test ! -d $(SRCTOP)/debian/build-$(package) || \
+ rm -rf $(SRCTOP)/debian/build-$(package)
+ mkdir -p $(SRCTOP)/debian/build-$(package)
+ echo done > $@
+
+debian/stamp/conf/selinux-policy-doc::
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/conf || mkdir -p debian/stamp/conf
+ test ! -d $(SRCTOP)/debian/build-$(package) || \
+ rm -rf $(SRCTOP)/debian/build-$(package)
+ mkdir -p $(SRCTOP)/debian/build-$(package)
+ cp -lr policy support Makefile Rules.modular doc \
+ Rules.monolithic config VERSION Changelog COPYING INSTALL \
+ README man $(SRCTOP)/debian/build-$(package)
+ cp debian/build.conf.default $(SRCTOP)/debian/build-$(package)/build.conf
+ (cd $(SRCTOP)/debian/build-$(package) ; \
+ $(MAKE) NAME=default $(OPTIONS) conf )
+ echo done > $@
+
+debian/stamp/build/common:
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/build || mkdir -p debian/stamp/build
+ perl -wc debian/postinst.policy
+ echo done > $@
+
+debian/stamp/build/selinux-policy-mls:
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/build || mkdir -p debian/stamp/build
+ test -e debian/stamp-build-mls || \
+ (cd $(SRCTOP)/debian/build-$(package) ; \
+ $(MAKE) NAME=mls TYPE=mls $(OPTIONS) policy all)
+ echo done > $@
+
+debian/stamp/build/selinux-policy-default:
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/build || mkdir -p debian/stamp/build
+ (cd $(SRCTOP)/debian/build-$(package) ; \
+ $(MAKE) NAME=default TYPE=mcs $(OPTIONS) policy all)
+ echo done > $@
+
+debian/stamp/build/selinux-policy-src:
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/build || mkdir -p debian/stamp/build
+ echo done > $@
+
+debian/stamp/build/selinux-policy-dev:
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/build || mkdir -p debian/stamp/build
+ echo done > $@
+
+debian/stamp/build/selinux-policy-doc:
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/build || mkdir -p debian/stamp/build
+ echo done > $@
+
+
+debian/stamp/install/selinux-policy-mls:
+ $(REASON)
+ $(checkdir)
+ $(TESTROOT)
+ @test -d debian/stamp/install || mkdir -p debian/stamp/install
+ rm -rf $(TMPTOP) $(TMPTOP).deb
+ $(make_directory) $(DOCDIR)/
+ $(make_directory) $(TMPTOP)/etc/selinux/mls/modules/active
+ $(make_directory) $(TMPTOP)/etc/selinux/mls/policy
+ test -f $(TMPTOP)/etc/selinux/mls/modules/active/file_contexts.local || \
+ touch $(TMPTOP)/etc/selinux/mls/modules/active/file_contexts.local
+ touch $(TMPTOP)/etc/selinux/mls/modules/semanage.read.LOCK
+ chmod 600 $(TMPTOP)/etc/selinux/mls/modules/semanage.read.LOCK
+ touch $(TMPTOP)/etc/selinux/mls/modules/semanage.trans.LOCK
+ chmod 600 $(TMPTOP)/etc/selinux/mls/modules/semanage.trans.LOCK
+ (cd $(SRCTOP)/debian/build-$(package); \
+ $(MAKE) NAME=mls TYPE=mls $(OPTIONS) \
+ DESTDIR=$(TMPTOP) install install-headers \
+ $(TMPTOP)/etc/selinux/mls/users/local.users \
+ $(TMPTOP)/etc/selinux/mls/users/system.users)
+ for module in $(NON_MODULES); do \
+ test ! -f $(TMPTOP)/usr/share/selinux/mls/$$module.pp || \
+ rm -f $(TMPTOP)/usr/share/selinux/mls/$$module.pp; \
+ done
+ $(install_file) debian/setrans.conf $(TMPTOP)/etc/selinux/mls/
+ $(install_file) debian/file_contexts.subs_dist $(TMPTOP)/etc/selinux/mls/contexts/files/
+ $(install_file) VERSION $(DOCDIR)/
+ $(install_file) README $(DOCDIR)/
+ $(install_file) debian/README.Debian $(DOCDIR)/
+ $(install_file) debian/localStrict.te $(DOCDIR)/
+ $(install_file) debian/NEWS.Debian $(DOCDIR)/NEWS.Debian
+ $(install_file) Changelog $(DOCDIR)/changelog
+ $(install_file) debian/changelog $(DOCDIR)/changelog.Debian
+ gzip -9fqr $(DOCDIR)
+ $(install_file) debian/copyright $(DOCDIR)/
+ echo done > $@
+
+debian/stamp/install/selinux-policy-default:
+ $(REASON)
+ $(checkdir)
+ $(TESTROOT)
+ @test -d debian/stamp/install || mkdir -p debian/stamp/install
+ rm -rf $(TMPTOP) $(TMPTOP).deb
+ $(make_directory) $(DOCDIR)/
+ $(make_directory) $(TMPTOP)/etc/selinux/default/modules/active
+ $(make_directory) $(TMPTOP)/etc/selinux/default/policy
+ test -f $(TMPTOP)/etc/selinux/default/modules/active/file_contexts.local || \
+ touch $(TMPTOP)/etc/selinux/default/modules/active/file_contexts.local
+ touch $(TMPTOP)/etc/selinux/default/modules/semanage.read.LOCK
+ chmod 600 $(TMPTOP)/etc/selinux/default/modules/semanage.read.LOCK
+ touch $(TMPTOP)/etc/selinux/default/modules/semanage.trans.LOCK
+ chmod 600 $(TMPTOP)/etc/selinux/default/modules/semanage.trans.LOCK
+ (cd $(SRCTOP)/debian/build-$(package); \
+ $(MAKE) NAME=default TYPE=mcs $(OPTIONS) \
+ DESTDIR=$(TMPTOP) install install-headers \
+ $(TMPTOP)/etc/selinux/default/users/local.users \
+ $(TMPTOP)/etc/selinux/default/users/system.users)
+ for module in $(NON_MODULES); do \
+ test ! -f $(TMPTOP)/usr/share/selinux/default/$$module.pp || \
+ rm -f $(TMPTOP)/usr/share/selinux/default/$$module.pp; \
+ done
+ $(install_file) debian/setrans.conf $(TMPTOP)/etc/selinux/default/
+ $(install_file) debian/file_contexts.subs_dist $(TMPTOP)/etc/selinux/default/contexts/files/
+ $(install_file) VERSION $(DOCDIR)/
+ $(install_file) README $(DOCDIR)/
+ $(install_file) debian/README.Debian $(DOCDIR)/
+ $(install_file) Changelog $(DOCDIR)/changelog
+ $(install_file) debian/changelog $(DOCDIR)/changelog.Debian
+ gzip -9fqr $(DOCDIR)
+ $(install_file) debian/copyright $(DOCDIR)/
+ echo done > $@
+
+debian/stamp/install/selinux-policy-src:
+ $(REASON)
+ $(checkdir)
+ $(TESTROOT)
+ @test -d debian/stamp/install || mkdir -p debian/stamp/install
+ rm -rf $(TMPTOP) $(TMPTOP).deb
+ $(make_directory) $(DOCDIR)
+ $(make_directory) $(TMPTOP)/usr/src
+ (cd $(SRCTOP)/debian/build-$(package); \
+ $(MAKE) NAME=default $(OPTIONS) DESTDIR=$(TMPTOP) bare conf install-src; )
+ find $(TMPTOP) -type d -name .arch-ids -print0 | xargs -0r rm -rf
+ test ! -e $(TMPTOP)/etc/selinux/default/src/policy/COPYING || \
+ rm -f $(TMPTOP)/etc/selinux/default/src/policy/COPYING
+ rm -rf $(TMPTOP)/etc/selinux/default/src/policy/man
+ (cd $(TMPTOP)/etc/selinux/default/src/policy; \
+ if test -f modules.conf; then \
+ mv modules.conf modules.conf.dist; \
+ fi; \
+ ln -sf modules.conf.mls modules.conf)
+ $(install_file) policy/rolemap \
+ $(TMPTOP)/etc/selinux/default/src/policy/
+ $(install_file) debian/build.conf.default \
+ $(TMPTOP)/etc/selinux/default/src/policy/build.conf
+ $(install_file) debian/global_booleans.xml \
+ $(TMPTOP)/etc/selinux/default/src/policy/
+ $(install_file) debian/global_tunables.xml \
+ $(TMPTOP)/etc/selinux/default/src/policy/
+ $(install_file) debian/Makefile.src \
+ $(TMPTOP)/etc/selinux/default/src/policy/
+ (cd $(TMPTOP)/etc/selinux/default/src/; mv policy $(package); \
+ mv support $(package)/; \
+ tar zfc $(TMPTOP)/usr/src/$(package).tar.gz $(package))
+ rm -rf $(TMPTOP)/etc
+ $(install_file) VERSION $(DOCDIR)/
+ $(install_file) README $(DOCDIR)/
+ $(install_file) debian/README.Debian $(DOCDIR)/
+ $(install_file) Changelog $(DOCDIR)/changelog
+ $(install_file) debian/changelog $(DOCDIR)/changelog.Debian
+ gzip -9fqr $(DOCDIR)
+ $(install_file) debian/copyright $(DOCDIR)/
+ echo done > $@
+
+debian/stamp/install/selinux-policy-dev: debian/stamp/install/selinux-policy-mls debian/stamp/install/selinux-policy-default
+ $(REASON)
+ $(checkdir)
+ $(TESTROOT)
+ @test -d debian/stamp/install || mkdir -p debian/stamp/install
+ rm -rf $(TMPTOP) $(TMPTOP).deb
+ $(make_directory) $(DOCDIR)/examples
+ $(make_directory) $(MAN1DIR)
+ $(make_directory) $(TMPTOP)/usr/bin
+ $(make_directory) $(TMPTOP)/usr/share/selinux/mls/include
+ $(make_directory) $(TMPTOP)/usr/share/selinux/default/include
+ find $(TMPTOP) -type d -name .arch-ids -print0 | xargs -0r rm -rf
+ (cd $(SRCTOP)/debian/selinux-policy-mls/usr/share/selinux/mls; \
+ tar cfh - include | (cd $(TMPTOP)/usr/share/selinux/mls; umask 000; \
+ tar xpsf -))
+ (cd $(SRCTOP)/debian/selinux-policy-default/usr/share/selinux/default; \
+ tar cfh - include | (cd $(TMPTOP)/usr/share/selinux/default; umask 000; \
+ tar xpsf -))
+ sed -e s/^[^#]*genfscon/###genfscon/ < $(TMPTOP)/usr/share/selinux/default/include/kernel/selinux.if > $(TMPTOP)/usr/share/selinux/default/include/kernel/selinux.if-new
+ mv $(TMPTOP)/usr/share/selinux/default/include/kernel/selinux.if-new $(TMPTOP)/usr/share/selinux/default/include/kernel/selinux.if
+ sed -e s/^[^#]*genfscon/###genfscon/ < $(TMPTOP)/usr/share/selinux/mls/include/kernel/selinux.if > $(TMPTOP)/usr/share/selinux/mls/include/kernel/selinux.if-new
+ mv $(TMPTOP)/usr/share/selinux/mls/include/kernel/selinux.if-new $(TMPTOP)/usr/share/selinux/mls/include/kernel/selinux.if
+ rm -rf $(SRCTOP)/debian/selinux-policy-mls/usr/share/selinux/mls/include
+ rm -rf $(SRCTOP)/debian/selinux-policy-default/usr/share/selinux/default/include
+ $(install_file) policy/rolemap \
+ $(TMPTOP)/usr/share/selinux/default/include/support
+ $(install_file) debian/global_booleans.xml \
+ $(TMPTOP)/usr/share/selinux/default/include/support
+ $(install_file) debian/global_tunables.xml \
+ $(TMPTOP)/usr/share/selinux/default/include/support
+ $(install_file) debian/build.conf.default \
+ $(TMPTOP)/usr/share/selinux/default/include/build.conf
+ $(install_file) policy/rolemap \
+ $(TMPTOP)/usr/share/selinux/mls/include/support
+ $(install_file) debian/global_booleans.xml \
+ $(TMPTOP)/usr/share/selinux/mls/include/support
+ $(install_file) debian/global_tunables.xml \
+ $(TMPTOP)/usr/share/selinux/mls/include/support
+ $(install_file) debian/build.conf.mls \
+ $(TMPTOP)/usr/share/selinux/mls/include/build.conf
+ chmod +x $(TMPTOP)/usr/share/selinux/default/include/support/segenxml.py
+ chmod +x $(TMPTOP)/usr/share/selinux/mls/include/support/segenxml.py
+ $(install_file) VERSION $(DOCDIR)/
+ $(install_file) README $(DOCDIR)/
+ $(install_file) debian/README.Debian $(DOCDIR)/
+ $(install_file) Changelog $(DOCDIR)/changelog
+ $(install_file) debian/changelog $(DOCDIR)/changelog.Debian
+ gzip -9fqr $(DOCDIR)
+ $(install_file) debian/copyright $(DOCDIR)/
+ $(install_file) debian/example.fc $(DOCDIR)/examples/
+ $(install_file) debian/example.if $(DOCDIR)/examples/
+ $(install_file) debian/example.te $(DOCDIR)/examples/
+ $(install_file) debian/example.mk $(DOCDIR)/examples/Makefile
+ $(install_program) debian/policygentool $(TMPTOP)/usr/bin
+ $(install_file) debian/policygentool.1 $(MAN1DIR)
+ gzip -9fqr $(MAN1DIR)
+ echo done > $@
+
+debian/stamp/install/selinux-policy-doc:
+ $(REASON)
+ $(checkdir)
+ $(TESTROOT)
+ @test -d debian/stamp/install || mkdir -p debian/stamp/install
+ rm -rf $(TMPTOP) $(TMPTOP).deb
+ $(make_directory) $(DOCDIR)
+ $(make_directory) $(DOCBASEDIR)
+ $(make_directory) $(MAN8DIR)
+ cp -a man/man8/*.8 $(MAN8DIR)
+ $(install_file) VERSION $(DOCDIR)/
+ $(install_file) README $(DOCDIR)/
+ $(install_file) debian/README.Debian $(DOCDIR)/
+ $(install_file) Changelog $(DOCDIR)/changelog
+ $(install_file) debian/changelog $(DOCDIR)/changelog.Debian
+ $(install_file) debian/docentry $(DOCBASEDIR)/$(package)
+ gzip -9fqr $(MANDIR)
+ gzip -9fqr $(DOCDIR)
+ (cd $(SRCTOP)/debian/build-$(package); \
+ $(MAKE) NAME=default $(OPTIONS) DESTDIR=$(TMPTOP) \
+ PKGNAME=selinux-policy-doc conf html install-docs;)
+ gzip -9fq $(DOCDIR)/example.if $(DOCDIR)/example.fc $(DOCDIR)/Makefile.example
+ $(install_file) debian/copyright $(DOCDIR)/
+ $(install_file) debian/docentry $(DOCBASEDIR)/$(package)
+ echo done > $@
+
+debian/stamp/binary/selinux-policy-mls:
+ $(REASON)
+ $(checkdir)
+ $(TESTROOT)
+ @test -d debian/stamp/binary || mkdir -p debian/stamp/binary
+ $(make_directory) $(TMPTOP)/DEBIAN
+ (cd $(TMPTOP); find etc -type f | sed 's,^,/,' > DEBIAN/conffiles)
+ test ! -f $(TMPTOP)/DEBIAN/conffiles || test -s $(TMPTOP)/DEBIAN/conffiles || \
+ rm $(TMPTOP)/DEBIAN/conffiles
+ sed -e 's/=T/mls/g' debian/postinst.policy > $(TMPTOP)/DEBIAN/postinst
+ chmod 755 $(TMPTOP)/DEBIAN/postinst
+ $(install_program) debian/mls.postrm $(TMPTOP)/DEBIAN/postrm
+ dpkg-gencontrol -V'debconf-depends=debconf (>= $(MINDEBCONFVER))' \
+ -p$(package) -isp -P$(TMPTOP)
+ $(create_md5sum) $(TMPTOP)
+ chown -R root:root $(TMPTOP)
+ chmod -R u+w,go=rX $(TMPTOP)
+ dpkg --build $(TMPTOP) ..
+ echo done > $@
+
+debian/stamp/binary/selinux-policy-default:
+ $(REASON)
+ $(checkdir)
+ $(TESTROOT)
+ @test -d debian/stamp/binary || mkdir -p debian/stamp/binary
+ $(make_directory) $(TMPTOP)/DEBIAN
+ (cd $(TMPTOP); find etc -type f | sed 's,^,/,' > DEBIAN/conffiles)
+ test ! -f $(TMPTOP)/DEBIAN/conffiles || test -s $(TMPTOP)/DEBIAN/conffiles ||\
+ rm $(TMPTOP)/DEBIAN/conffiles
+ sed -e 's/=T/default/g' debian/postinst.policy >$(TMPTOP)/DEBIAN/postinst
+ chmod 755 $(TMPTOP)/DEBIAN/postinst
+ $(install_program) debian/default.postrm $(TMPTOP)/DEBIAN/postrm
+ dpkg-gencontrol -V'debconf-depends=debconf (>= $(MINDEBCONFVER))' \
+ -p$(package) -isp -P$(TMPTOP)
+ $(create_md5sum) $(TMPTOP)
+ chown -R root:root $(TMPTOP)
+ chmod -R u+w,go=rX $(TMPTOP)
+ dpkg --build $(TMPTOP) ..
+ echo done > $@
+
+debian/stamp/binary/selinux-policy-src:
+ $(REASON)
+ $(checkdir)
+ $(TESTROOT)
+ @test -d debian/stamp/binary || mkdir -p debian/stamp/binary
+ $(make_directory) $(TMPTOP)/DEBIAN
+ dpkg-gencontrol -V'debconf-depends=debconf (>= $(MINDEBCONFVER))' \
+ -p$(package) -isp -P$(TMPTOP)
+ $(create_md5sum) $(TMPTOP)
+ chown -R root:root $(TMPTOP)
+ chmod -R u+w,go=rX $(TMPTOP)
+ dpkg --build $(TMPTOP) ..
+ echo done > $@
+
+debian/stamp/binary/selinux-policy-dev:
+ $(REASON)
+ $(checkdir)
+ $(TESTROOT)
+ @test -d debian/stamp/binary || mkdir -p debian/stamp/binary
+ $(make_directory) $(TMPTOP)/DEBIAN
+ dpkg-gencontrol -V'debconf-depends=debconf (>= $(MINDEBCONFVER))' \
+ -p$(package) -isp -P$(TMPTOP)
+ $(create_md5sum) $(TMPTOP)
+ chown -R root:root $(TMPTOP)
+ chmod -R u+w,go=rX $(TMPTOP)
+ dpkg --build $(TMPTOP) ..
+ echo done > $@
+
+debian/stamp/binary/selinux-policy-doc:
+ $(REASON)
+ $(checkdir)
+ $(TESTROOT)
+ @test -d debian/stamp/binary || mkdir -p debian/stamp/binary
+ $(make_directory) $(TMPTOP)/DEBIAN
+ (cd $(TMPTOP); find etc -type f | sed 's,^,/,' > DEBIAN/conffiles)
+ test ! -f $(TMPTOP)/DEBIAN/conffiles || test -s $(TMPTOP)/DEBIAN/conffiles || \
+ rm $(TMPTOP)/DEBIAN/conffiles
+ $(install_program) debian/doc.postinst $(TMPTOP)/DEBIAN/postinst
+ $(install_program) debian/doc.prerm $(TMPTOP)/DEBIAN/prerm
+ dpkg-gencontrol -V'debconf-depends=debconf (>= $(MINDEBCONFVER))' \
+ -p$(package) -isp -P$(TMPTOP)
+ $(create_md5sum) $(TMPTOP)
+ chown -R root:root $(TMPTOP)
+ chmod -R u+w,go=rX $(TMPTOP)
+ dpkg --build $(TMPTOP) ..
+ echo done > $@
+
+
--- refpolicy-2.20110726.orig/debian/example.te
+++ refpolicy-2.20110726/debian/example.te
@@ -0,0 +1,30 @@
+
+policy_module(myapp,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type myapp_t;
+type myapp_exec_t;
+domain_type(myapp_t)
+domain_entry_file(myapp_t, myapp_exec_t)
+
+type myapp_log_t;
+logging_log_file(myapp_log_t)
+
+type myapp_tmp_t;
+files_tmp_file(myapp_tmp_t)
+
+########################################
+#
+# Myapp local policy
+#
+
+allow myapp_t myapp_log_t:file ra_file_perms;
+
+allow myapp_t myapp_tmp_t:file manage_file_perms;
+files_tmp_filetrans(myapp_t,myapp_tmp_t,file)
+
+# arch-tag: 5a574a9f-92ea-4cc2-becb-9715b6107d1b
--- refpolicy-2.20110726.orig/debian/postinst.policy
+++ refpolicy-2.20110726/debian/postinst.policy
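Review bot: In the `debian/stamp/conf/common` recipe both `test -d` guards check the source directory `$(SRCTOP)/config/appconfig-mcs` rather than the destination, so each `cp -a` runs only when that source is missing (and then fails), and the second pair names `appconfig-mls` as both source and destination, which is a no-op at best. If the intent is to seed the default configuration from the MCS one, the guard should be `test -d $(SRCTOP)/config/appconfig-default || \` followed by the existing `cp -a` line, and the second pair needs either a real destination or removal. Separately, the `debian/stamp/binary/*` recipes build `DEBIAN/conffiles` from every file under `etc`, which picks up the `semanage.read.LOCK` and `semanage.trans.LOCK` files the install step creates with `chmod 600`; lock files are runtime state rather than configuration, so consider filtering them out of the `find` output so dpkg does not treat them as user-edited files on upgrade.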
@@ -0,0 +1,339 @@
+#! /usr/bin/perl
+# -*- Mode: Cperl -*-
+# postinst.pl ---
+# Author : Manoj Srivastava ( srivasta@golden-gryphon.com )
+# Created On : Mon Aug 21 01:14:21 2006
+# Created On Node : glaurung.internal.golden-gryphon.com
+# Last Modified By : Manoj Srivastava
+# Last Modified On : Tue Sep 1 22:50:34 2009
+# Last Machine Used: anzu.internal.golden-gryphon.com
+# Update Count : 35
+# Status : Unknown, Use with caution!
+# HISTORY :
+# Description :
+#
+# arch-tag: 69c85425-4822-4b17-bb54-3b2d22e76687
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+#
+#use strict; #for debugging
+use Cwd 'abs_path';
+$|=1;
+
+# Ignore all invocations except when called on to configure.
+exit 0 if $ARGV[0] =~ /abort-upgrade/;
+exit 0 if $ARGV[0] =~ /abort-remove/;
+exit 0 if $ARGV[0] =~ /abort-deconfigure/;
+exit 0 unless $ARGV[0] =~ /configure/;
+
+my $type = '=T';
+my $package_name= "selinux-policy-$type";
+my $policy_name = "$type";
+my $basedir = "/etc/selinux/$policy_name";
+my $src_dir = "/usr/share/selinux/$policy_name";
+
+# List of all the modules in the policy
+my @all_modules;
+# Full path of all modules in the policy
+my %Module_Path;
+# Dpendencies for policy modules, as determined by semodule_deps
+my %Deps = ( 'cups' => 'lpd', 'telnet' => 'remotelogin',
+ 'devicekit' => 'dbus'
+ );
+# A hash of all modules already processed
+my %Seen;
+# A hash of all packages installed on this machine
+my %Installed;
+# Policy modules in dependency order (subset of all modules in policy)
+my @ordered;
+# A list of modules already scheduled to be laoded
+my %Loaded;
+# and the order in which the modules should be loaded into policy.
+my @load_order;
+# A mapping of policy modules to Debian package names.
+my %map = (
+ 'apache' => [ 'apache*', 'cvsweb' ],
+ 'apm' => [ 'acpid' ],
+ 'asterisk' => [ 'asterisk' ],
+ 'automount' => [ 'autofs*' ],
+ 'avahi' => [ 'avahi-*' ],
+ 'bind' => [ 'bind9' ],
+# 'bootloader' => [ 'grub', 'lilo' ],
+ 'cdrecord' => [ 'wodim' ],
+ 'clamav' => [ 'clamav', 'amavisd-new' ],
+ 'courier' => [ 'courier*' ],
+ 'consolekit' => [ 'consolekit' ],
+ 'cpufreqselector' => [ 'cpufreqd', 'cpufrequtils', 'gnome-applets' ],
+ 'cups' => [ 'cupsys*', 'cups', 'cups-bsd', 'cups-client',
+ 'cups-common' ],
+ 'cyrus' => [ 'cyrus*' ],
+ 'devicekit' => [ 'udev', 'hal', 'udisks' ],
+ 'dovecot' => [ 'dovecot-imapd', 'dovecot-pop3d' ],
+ 'dhcp' => [ 'dhcp*', 'dhclient*', 'pump' ],
+ 'dkim' => [ 'dkim-filter' ],
+ 'epmd' => [ 'erlang-base' ],
+ 'exim' => [ 'exim4' ],
+ 'finger' => [ 'finger', '*fingerd' ],
+ 'ftp' => [ 'ftp', '*ftpd' ],
+ 'gitosis' => [ 'gitosis' ],
+ 'gpg' => [ 'gnupg' ],
+ 'hddtemp' => [ 'hddtemp' ],
+ 'hwclock' => [ 'util-linux' ],
+ 'inetd' => [ '*-inetd', 'openbsd-inetd', 'netkit-inetd',
+ 'rinetd', 'rlinetd', 'xinetd' ],
+ 'iodine' => [ 'iodine' ],
+ 'ipsec' => [ 'ipsec-tools', 'racoon' ],
+ 'jabber' => [ 'jabber', 'ejabberd' ],
+ 'java' => [ 'sun-java5*', 'cacao', 'gcj*', 'gij*', 'kaffe*',
+ 'java*', 'jvm*', 'jre*', 'jsdk*' ],
+ 'kdump' => [ 'crash' ],
+ 'lda' => [ 'procmail', 'courier-maildrop', 'dovecot-common' ],
+ 'ldap' => [ 'slapd' ],
+ 'lpd' => [ 'lprng', 'rlpr' ],
+ 'loadkeys' => [ 'console-tools' ],
+ 'lvm' => [ 'lvm2', 'dmsetup' ],
+ 'milter' => [ 'milter-greylist', 'spamass-milter' ],
+ 'mono' => [ 'mono*' ],
+ 'munin' => [ 'munin-node' ],
+ 'mysql' => [ 'mysql-server', 'mysql-server*' ],
+ 'mozilla' => [ 'mozilla-browser', 'firefox', 'galeon',
+ 'mozilla-*', 'firefox*', 'epiphany-browser',
+ 'chromium-browser' ],
+ 'nagios' => [ 'nagios*' ],
+ 'netutils' => [ 'arping', 'nmap', '*-ping', 'traceroute*' ],
+ 'nslcd' => [ 'nslcd' ],
+ 'pcmcia' => [ 'pcmciautils' ],
+ 'policykit' => [ 'policykit', 'policykit-1' ],
+ 'ptchown' => [ 'libc-bin' ],
+ 'pythonsupport' => [ 'python-support' ],
+ 'radius' => [ 'freeradius*', 'radiusd*' ],
+ 'raid' => [ 'mdadm' ],
+ 'rpc' => [ 'nfs-common', 'nfs-kernel-server' ],
+ 'sasl' => [ 'libsasl2' ],
+ 'shorewall' => [ 'shorewall-common', 'shorewall-lite',
+ 'shorewall-perl', 'shorewall-shell',
+ 'shorewall6', 'shorewall6-lite'
+ ],
+ 'ssh' => [ 'openssh*' ],
+# 'su' => [ 'login' ],
+ 'sysstat' => [ 'atsar' ],
+ 'telnet' => [ 'telnet', '*telnetd*' ],
+ 'uml' => [ 'linux-uml*' ],
+ 'uptime' => [ 'uptimed' ],
+ 'usbmodules' => [ 'usbutils' ],
+ 'varnishd' => [ 'varnish' ],
+# 'usermanage' => [ 'passwd' ],
+ 'wm' => [ 'aewm', 'afterstep', 'awesome', 'blackbox',
+ 'compiz', 'ctwm', 'dwm', 'e17', 'evilwm',
+ 'fluxbox', 'flwm', 'fvwm', 'i3-wm', 'icewm',
+ 'lwm', 'matchbox-window-manager', 'metacity',
+ 'mutter', 'nawm', 'openbox', 'oroborus',
+ 'pekwm', 'ratpoison', 'sapphire', 'sawfish',
+ 'scrotwm', 'stumpwm','sugar-0.84', 'tinywm',
+ 'twm', 'uwm', 'vtwm', 'w9wm', 'wm2', 'wmaker',
+ 'xfwm4', 'xmonad', 'ion3', 'kwin', 'amiwm'
+ ],
+ 'xen' => [ 'xen-utils-common' ],
+ 'xscreensaver' => [ 'xscreensaver', 'kscreensaver',
+ 'gnome-screensaver', 'innerspace.app',
+ 'kanjisaver', 'kannasaver' ],
+ 'xserver' => [ 'gdm', 'kdm', 'xdm', 'xserver*', 'xbase-clients' ]
+ );
+
+# Converts wildcard (glob) pattern into regex pattern (only `*' is wild).
+sub wild2re {
+ my ($pat) = @_;
+ return join('.*', map(quotemeta, split('\*', $pat, -1)));
+}
+
+# List all th modules, except the base module, in the policy
+# directory. This sets @all_modules and %Module_Path
+sub list_modules {
+ my $src_dir = shift;
+ print STDERR "Locating modules\n";
+ opendir(DIR, $src_dir) || die "can't opendir $src_dir: $!";
+
+ @all_modules = grep { ! m/^base\.pp$/ && m/\.pp/ && -f "$src_dir/$_" }
+ readdir(DIR);
+ %Module_Path = map { +"$src_dir/$_" => 0 } @all_modules;
+ closedir DIR;
+}
+
+# Using the hash array %Module_Path created in the last step, run
+# semodule_deps to get the dependency relationships. This creates the
+# %Deps dependency hash.
+sub get_dependencies {
+ my $src_dir = shift;
+ print STDERR "Calculating dependencies between modules\n";
+ open(COMMAND, '-|', "semodule_deps -g $src_dir/base.pp " .
+ join(' ', keys %Module_Path)) || die "Could not run semodule_deps";
+ while () {
+ chomp;
+ next unless m/\-\>/;
+ next unless m/\s*(\S+)\s*\-\>\s*(\S+)\s*$/;
+ if (defined $Deps{$1}) {
+ $Deps{$1} = "$Deps{$1} $2";
+ }
+ else {
+ $Deps{$1} = $2;
+ }
+ }
+ close COMMAND;
+}
+
+# In this step, use the dependecy hash %Deps created in the last step,
+# and feed the information to tsort to get an ordered list of
+# modules. This creates the array @ordered
+sub get_ordering {
+ print STDERR "Ordering modules based on dependencies\n";
+ my $tempfile=`tempfile -p tsrt -m 0600`;
+ open(SORT, "| tsort > $tempfile") || die "can't open pipe to tsort: $!";
+ for my $pkg (keys %Deps) {
+ for my $dep (split(/ /, $Deps{$pkg})) {
+ print SORT "$dep $pkg\n";
+ }
+ }
+ close SORT;
+
+ open(RESULTS, $tempfile) || die "can't read $tempfile: $!";
+ while () {
+ chomp;
+ push @ordered, $_;
+ }
+ unlink $tempfile;
+ close RESULTS;
+}
+
+my @Load_Order;
+# Cycle over all the modules installed, starting with the dependency
+# ordered modules, taking care that we only look at a module once. For
+# each module, we look to see a mapping ogf the packages that need
+# this policy module. We then query dpkg to see if any of the package
+# patterns that are associated with a policy module are installed on
+# this system, if so, we schedule the module to be loaded, ensuring
+# that the dependent policy modules are also targeted for installation
+# before the current module is installed. This creates the Seen hash,
+# and the Load_Order array, as well as the Loaded hash.
+sub installed_modules {
+ print STDERR "Selecting modules based on installed packages\n";
+
+ # This suggestion from Alexander Bürger
+ open( my $PACKAGES, "dpkg-query -W |" )
+ or die("Cannot run 'dpkg-query -W'. $!");
+ while( my $p = <$PACKAGES> ) {
+ $Installed{$1} = $2 if( $p =~ /^(.*)\t(.+)$/ );
+ }
+ close($PACKAGES) or die("Could not close pipe.");
+
+ foreach my $module (@ordered, @all_modules) {
+ $module =~ s/\.pp$//o;
+
+ next if $Seen{$module};
+ $Seen{$module}++;
+
+ if (! defined $map{$module}) { $map{$module} = [ $module ]; }
+
+ PACKAGE:
+ for my $pkg (@{ $map{$module} }) {
+ my $is_installed = index($pkg, '*') < 0 ?
+ $Installed{$pkg} # exact name
+ : grep(m/^@{[wild2re($pkg)]}$/, keys %Installed); # wildcard
+ if ($is_installed) {
+ if (defined $Deps{$module}) {
+ for my $dep (split(' ', $Deps{$module})) {
+ next if $Loaded{$dep};
+ if (-e "${src_dir}/${dep}.pp") {
+ push @Load_Order, $dep;
+ $Loaded{$dep}++
+ }
+ else {
+ print STDERR "Could not find ${src_dir}/${dep}.pp\n";
+ print STDERR "which is required for module ${module}.pp\n";
+ print STDERR "Assuming ${dep}.pp is built into base.pp\n";
+ }
+ }
+ }
+ push @Load_Order, $module;
+ $Loaded{$module}++;
+ last PACKAGE;
+ }
+ }
+ }
+}
+
+sub change_policy_type
+{
+ my $file = "/etc/selinux/config";
+ open(IN, "<$file") or return;
+ open(OUT, ">$file.new") or close(IN) && return;
+ while()
+ {
+ if($_ =~ /^SELINUXTYPE *= *refpolicy/)
+ {
+ print OUT "SELINUXTYPE=$type\n";
+ }
+ else
+ {
+ print OUT $_;
+ }
+ }
+ close(IN);
+ close(OUT);
+ rename("$file.new", "$file");
+ print "changed policy type to $type as the \"refpolicy\" names are obsolete\n";
+}
+
+sub main {
+ if (-e "$basedir/modules/active/base.pp" ) {
+ print STDERR "You already have a $policy_name policy installed.\n";
+ print STDERR "I am leaving it alone. Please check and update manually.\n";
+ }
+ elsif (-e "$src_dir/base.pp") {
+ print STDERR "Notice: Trying to link (but not load) a $policy_name policy.\n";
+ print STDERR "This process may fail -- you should check the results, and \n";
+ print STDERR "you need to switch to this policy yourself anyway.\n\n";
+ &list_modules("$src_dir");
+ &get_dependencies("$src_dir");
+ &get_ordering();
+ &installed_modules();
+ chdir "$src_dir" or die "Can't access $src_dir";
+ my $semod = "semodule -b base.pp -s $policy_name -n ";
+ if("$type" eq "default") {
+ $semod .= " -i unconfined.pp";
+ }
+ my $mod_list;
+ for my $mod (@Load_Order) {
+ $semod .= " -i ${mod}.pp";
+ $mod_list .= " $mod";
+ }
+ if (system($semod) == 0) {
+ print STDERR "Loaded modules $mod_list\n";
+ change_policy_type();
+ }
+ else {
+ print STDERR "Error running \"$semod\", please load policy manually and report a bug.\n";
+ }
+ }
+ else {
+ print STDERR ".\n";
+ }
+}
+
+&main;
+
+exit 0;
+
+__END__
--- refpolicy-2.20110726.orig/debian/build.conf.mls
+++ refpolicy-2.20110726/debian/build.conf.mls
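Review bot: In `get_ordering` the backtick result of `tempfile -p tsrt -m 0600` keeps its trailing newline, so `$tempfile` ends in `\n`; the shell redirection and the two-argument `open(RESULTS, $tempfile)` tolerate that, but `unlink $tempfile` does not, so the temporary file is left behind on every run and the script never notices that `tempfile` itself might have failed. Chomp and check it, e.g. `chomp(my $tempfile = qx(tempfile -p tsrt -m 0600)); die "tempfile failed: $?" unless $tempfile;` (or use the core `File::Temp` module, which also removes the need for `unlink`). In `main` the `semodule` invocation is assembled as one shell string and run via `system($semod)`, and `get_dependencies` builds the `semodule_deps` command the same way; the module names come from `readdir` on `$src_dir`, so passing them as a list (`system('semodule', '-b', 'base.pp', '-s', $policy_name, '-n', @module_args)` with the `-i` pairs pushed onto an array) avoids shell interpretation of file names and makes the `$?` check unambiguous. The `while ()` loops in `get_dependencies`, `get_ordering` and `change_policy_type` appear to have lost their filehandle (`<COMMAND>`, `<RESULTS>`, `<IN>`) in rendering; worth confirming against the committed file.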
@@ -0,0 +1,75 @@
+########################################
+#
+# Policy build options
+#
+
+# Policy version
+# By default, checkpolicy will create the highest
+# version policy it supports. Setting this will
+# override the version. This only has an
+# effect for monolithic policies.
+#OUTPUT_POLICY = 21
+
+# Policy Type
+# strict, targeted,
+# strict-mls, targeted-mls,
+# strict-mcs, targeted-mcs
+TYPE = mls
+
+# Policy Name
+# If set, this will be used as the policy
+# name. Otherwise the policy type will be
+# used for the name.
+NAME = mls
+
+# Distribution
+# Some distributions have portions of policy
+# for programs or configurations specific to the
+# distribution. Setting this will enable options
+# for the distribution.
+# redhat, gentoo, debian, suse, and rhel4 are current options.
+# Fedora users should enable redhat.
+DISTRO = debian
+
+# Unknown Permissions Handling
+# The behavior for handling permissions defined in the
+# kernel but missing from the policy. The permissions
+# can either be allowed, denied, or the policy loading
+# can be rejected.
+# allow, deny, and reject are current options.
+UNK_PERMS = deny
+
+# Direct admin init
+# Setting this will allow sysadm to directly
+# run init scripts, instead of requring run_init.
+# This is a build option, as role transitions do
+# not work in conditional policy.
+DIRECT_INITRC = y
+
+# Build monolithic policy. Putting n here
+# will build a loadable module policy.
+MONOLITHIC = n
+
+# User-based access control (UBAC)
+# Enable UBAC for role separations.
+UBAC = n
+
+# Number of MLS Sensitivities
+# The sensitivities will be s0 to s(MLS_SENS-1).
+# Dominance will be in increasing numerical order
+# with s0 being lowest.
+MLS_SENS = 16
+
+# Number of MLS Categories
+# The categories will be c0 to c(MLS_CATS-1).
+MLS_CATS = 1024
+
+# Number of MCS Categories
+# The categories will be c0 to c(MLS_CATS-1).
+MCS_CATS = 1024
+
+# Set this to y to only display status messages
+# during build.
+QUIET = n
+
+# arch-tag: 6e61abf2-f3d7-42b4-bbb9-7a1b38350518
--- refpolicy-2.20110726.orig/debian/doc.prerm
+++ refpolicy-2.20110726/debian/doc.prerm
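Review bot: `DIRECT_INITRC = y` is set for this MLS build without any comment saying why; the option's own description says it lets sysadm run init scripts directly "instead of requring run_init", and as far as I understand run_init it is the path that authenticates the administrator and starts services in the proper system role and level, so bypassing it is a deliberate reduction in separation that a reader of an MLS config will want justified. A one-line comment next to the setting, e.g. `# Debian: deliberately enabled, sysadm may start services without run_init`, would make the intent explicit. The MCS_CATS comment also carries a copy-paste slip: `# The categories will be c0 to c(MLS_CATS-1).` should read `c(MCS_CATS-1)`.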
@@ -0,0 +1,120 @@
+#! /bin/sh
+# -*- Mode: Sh -*-
+# prerm ---
+# Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+# Created On : Fri Nov 14 12:16:39 2003
+# Created On Node : glaurung.green-gryphon.com
+# Last Modified By : Manoj Srivastava
+# Last Modified On : Fri May 12 02:30:40 2006
+# Last Machine Used: glaurung.internal.golden-gryphon.com
+# Update Count : 10
+# Status : Unknown, Use with caution!
+# HISTORY :
+# Description :
+#
+# arch-tag: a4c1a888-137d-4800-98f8-93d0365422d8
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+#
+
+# Abort if any command returns an error value
+set -e
+
+package_name=selinux-policy-refpolicy-doc
+
+if [ -z "$package_name" ]; then
+ print >&2 "Internal Error. Please report a bug."
+ exit 1;
+fi
+
+
+# This script is called as the first step in removing the package from
+# the system. This includes cases where the user explicitly asked for
+# the package to be removed, upgrade, automatic removal due to conflicts,
+# and deconfiguration due to temporary removal of a depended-on package.
+
+# Info files should be uninstalled from the dir file in any case.
+# install-info --quiet --remove /usr/info/${package_name}
+
+case "$1" in
+ remove)
+ # This package about to be removed.
+ :
+
+ # Remove package-specific directories from /usr/local.
Don't try
+ # to remove standard directories such as /usr/local/lib.
+ ##: if test -d /usr/local/lib/${package_name}; then
+ ##: rmdir /usr/local/lib/${package_name} || true
+ ##: fi
+
+ # Deactivate menu-methods script.
+ ##: chmod a-x /etc/menu-methods/${package_name}
+
+ # Withdraw our version of a program.
+ ##: update-alternatives --remove program /usr/bin/alternative
+
+ # Get rid of the byte compiled files
+ ##: if [ -x /usr/lib/emacsen-common/emacs-package-remove ]; then
+ ##: /usr/lib/emacsen-common/emacs-package-remove $package_name
+ ##: fi
+
+ # There are two sub-cases:
+ if test "${2+set}" = set; then
+ if test "$2" != in-favour; then
+ echo "$0: undocumented call to \`prerm $*'" 1>&2
+ exit 0
+ fi
+ # We are being removed because of a conflict with package $3
+ # (version $4), which is now being installed.
+ :
+
+ else
+ # The package is being removed in its own right.
+ :
+
+ fi ;;
+ deconfigure)
+ if test "$2" != in-favour || test "$5" != removing; then
+ echo "$0: undocumented call to \`prerm $*'" 1>&2
+ exit 0
+ fi
+ # Package $6 (version $7) which we depend on is being removed due
+ # to a conflict with package $3 (version $4), and this package is
+ # being deconfigured until $6 can be reinstalled.
+ :
+
+ ;;
+ upgrade)
+ # Prepare to upgrade FROM THIS VERSION of this package to version $2.
+ :
+
+ if [ -L /usr/doc/$package_name ]; then
+ rm -f /usr/doc/$package_name
+ fi
+
+ ;;
+ failed-upgrade)
+ # Prepare to upgrade from version $2 of this package TO THIS VERSION.
+ # This is only used if the old version's prerm couldn't handle it,
+ # and returned non-zero. (Fix old prerm bugs here.)
+ :
+
+ ;;
+ *) echo "$0: didn't understand being called with \`$1'" 1>&2
+ exit 0;;
+esac
+
+exit 0
--- refpolicy-2.20110726.orig/debian/docentry
+++ refpolicy-2.20110726/debian/docentry
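Review bot: `print >&2 "Internal Error. Please report a bug."` in the `package_name` guard near the top of the script is not a POSIX sh command (`print` is a ksh/zsh builtin); under `#! /bin/sh` with dash it fails with "print: not found", and because `set -e` is in effect the script then dies with status 127 before the intended message and `exit 1` are reached. It is masked today only because `package_name` is hard-coded two lines earlier, but the guard should still use the form the rest of the script already uses: `echo "Internal Error. Please report a bug." 1>&2`. The same line appears in the mls.postrm hunk added later in this patch.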
@@ -0,0 +1,24 @@ +Document: selinux-policy-refpolicy-doc +Title: SELinux Reference Policy +Author: various +Abstract: The SELinux Reference Policy (refpolicy) is a complete SELinux + policy, as an alternative to the existing strict and targeted + policies available from http://selinux.sf.net. The goal is to have + this policy as the system policy, be and used as the basis for + creating other policies. Refpolicy is based on the current strict and + targeted policies, but aims to accomplish many additional + goals: + + Strong Modularity + + Clearly stated security Goals + + Documentation + + Development Tool Support + + Forward Looking + + Configurability + + Flexible Base Policy + + Application Policy Variations + + Multi-Level Security +Section: System/Administration + +Format: HTML +Index: /usr/share/doc/selinux-policy-doc/html/index.html +Files: /usr/share/doc/selinux-policy-doc/html/*.html --- refpolicy-2.20110726.orig/debian/global_tunables.xml +++ refpolicy-2.20110726/debian/global_tunables.xml @@ -0,0 +1,583 @@ + + +

+Allow cvs daemon to read shadow +

+
+
+ + +

+Allow zebra daemon to write it configuration files +

+
+
+ + +

+Allow making the heap executable. +

+
+
+ + +

+Allow making anonymous memory executable, e.g. +for runtime-code generation or executable stack. +

+
+
+ + +

+Allow making a modified private file +mapping executable (text relocation). +

+
+
+ + +

+Allow making the stack executable via mprotect. +Also requires allow_execmem. +

+
+
+ + +

+Allow ftp servers to modify public files +used for public file transfer services. +

+
+
+ + +

+Allow ftp servers to use cifs +used for public file transfer services. +

+
+
+ + +

+Allow ftp servers to use nfs +used for public file transfer services. +

+
+
+ + +

+Allow gssd to read temp directory. +

+
+
+ + +

+Allow Apache to modify public files +used for public file transfer services. +

+
+
+ + +

+Allow Apache to use mod_auth_pam +

+
+
+ + +

+Allow java executable stack +

+
+
+ + +

+Allow system to run with kerberos +

+
+
+ + +

+Allow nfs servers to modify public files +used for public file transfer services. +

+
+
+ + +

+Allow rsync to modify public files +used for public file transfer services. +

+
+
+ + +

+Allow sasl to read shadow +

+
+
+ + +

+Allow samba to modify public files +used for public file transfer services. +

+
+
+ + +

+Allow system to run with NIS +

+
+
+ + +

+Enable extra rules in the cron domain +to support fcron. +

+
+
+ + +

+Allow ftp to read and write files in the user home directories +

+
+
+ + +

+Allow ftpd to run directly without inetd +

+
+
+ + +

+Enable reading of urandom for all domains. +

+

+This should be enabled when all programs +are compiled with ProPolice/SSP +stack smashing protection. All domains will +be allowed to read from /dev/urandom. +

+
+
+ + +

+Allow httpd to use built in scripting (usually php) +

+
+
+ + +

+Allow http daemon to tcp connect +

+
+
+ + +

+Allow httpd to connect to mysql/posgresql +

+
+
+ + +

+Allow httpd to act as a relay +

+
+
+ + +

+Allow httpd cgi support +

+
+
+ + +

+Allow httpd to act as a FTP server by +listening on the ftp port. +

+
+
+ + +

+Allow httpd to read home directories +

+
+
+ + +

+Run SSI execs in system CGI script domain. +

+
+
+ + +

+Allow http daemon to communicate with the TTY +

+
+
+ + +

+Run CGI in the main httpd domain +

+
+
+ + +

+Allow BIND to write the master zone files. +Generally this is used for dynamic DNS. +

+
+
+ + +

+Allow nfs to be exported read/write. +

+
+
+ + +

+Allow nfs to be exported read only +

+
+
+ + +

+Allow pppd to load kernel modules for certain modems +

+
+
+ + +

+Allow reading of default_t files. +

+
+
+ + +

+Allow samba to export user home directories. +

+
+
+ + +

+Allow samba to export NFS volumes. +

+
+
+ + +

+Allow squid to connect to all ports, not just +HTTP, FTP, and Gopher ports. +

+
+
+ + +

+Configure stunnel to be a standalone daemon or +inetd service. +

+
+
+ + +

+Support NFS home directories +

+
+
+ + +

+Support SAMBA home directories +

+
+
+ + +

+Control users use of ping and traceroute +

+
+
+ + +

+Allow gpg executable stack +

+
+
+ + +

+Allow mplayer executable stack +

+
+
+ + +

+Allow sysadm to ptrace all processes +

+
+
+ + +

+allow host key based authentication +

+
+
+ + +

+Allow users to connect to mysql +

+
+
+ + +

+Allows clients to write to the X server shared +memory segments. +

+
+
+ + +

+Allow cdrecord to read various content. +nfs, samba, removable devices, user temp +and untrusted content files +

+
+
+ + +

+Allow system cron jobs to relabel filesystem +for restoring file contexts. +

+
+
+ + +

+force to games to run in user_t +mapping executable (text relocation). +

+
+
+ + +

+Disable transitions to evolution domains. +

+
+
+ + +

+Disable transitions to user mozilla domains +

+
+
+ + +

+Disable transitions to user thunderbird domains +

+
+
+ + +

+Allow email client to various content. +nfs, samba, removable devices, user temp +and untrusted content files +

+
+
+ + +

+Control mozilla content access +

+
+
+ + +

+Allow pppd to be run for a regular user +

+
+
+ + +

+Allow applications to read untrusted content +If this is disallowed, Internet content has +to be manually relabeled for read access to be granted +

+
+
+ + +

+Allow ssh to run from inetd instead of as a daemon. +

+
+
+ + +

+Allow user spamassassin clients to use the network. +

+
+
+ + +

+Allow ssh logins as sysadm_r:sysadm_t +

+
+
+ + +

+Allow staff_r users to search the sysadm home +dir and read files (such as ~/.bashrc) +

+
+
+ + +

+Allow regular users direct mouse access +

+
+
+ + +

+Allow users to read system messages. +

+
+
+ + +

+Allow users to control network interfaces +(also needs USERCTL=true) +

+
+
+ + +

+Allow user to r/w files on filesystems +that do not have extended attributes (FAT, CDROM, FLOPPY) +

+
+
+ + +

+Allow users to run TCP servers (bind to ports and accept connection from +the same domain and outside users) disabling this forces FTP passive mode +and may change other protocols. +

+
+
+ + +

+Allow w to display everyone +

+
+
+ + +

+Allow applications to write untrusted content +If this is disallowed, no Internet content +will be stored. +

+
+
+ + +

+Allow xdm logins as sysadm +

+
+
+ + +

+Allow all daemons the ability to use unallocated ttys +

+
+
+ + +

+Allow mount to mount any file +

+
+
+ + +

+Allow spammd to read/write user home directories. +

+
+
+ + +

+Allow httpd cgi support +

+
+
+ + +

+Allow unconfined to dyntrans to unconfined_execmem +

+
+
--- refpolicy-2.20110726.orig/debian/mls.postrm +++ refpolicy-2.20110726/debian/mls.postrm 
@@ -0,0 +1,176 @@
+#! /bin/sh
+# -*- Mode: Sh -*-
+# postrm ---
+# Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+# Created On : Fri Nov 14 12:22:20 2003
+# Created On Node : glaurung.green-gryphon.com
+# Last Modified By : Manoj Srivastava
+# Last Modified On : Sun Aug 20 20:52:23 2006
+# Last Machine Used: glaurung.internal.golden-gryphon.com
+# Update Count : 11
+# Status : Unknown, Use with caution!
+# HISTORY :
+# Description :
+#
+# arch-tag: 56802d51-d980-4822-85c0-28fce19ed430
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+
+# Abort if any command returns an error value
+set -e
+
+NAME=mls
+package_name=selinux-policy-$NAME
+POLICYNAME=$NAME
+BASEDIR=/etc/selinux/$POLICYNAME
+
+
+if [ -z "$package_name" ]; then
+ print >&2 "Internal Error. Please report a bug."
+ exit 1;
+fi
+
+# This script is called twice during the removal of the package; once
+# after the removal of the package's files from the system, and as
+# the final step in the removal of this package, after the package's
+# conffiles have been removed.
+# summary of how this script can be called:
+# * `remove'
+# * `purge'
+# * `upgrade'
+# * `failed-upgrade'
+# * `abort-install'
+# * `abort-install'
+# * `abort-upgrade'
+# * `disappear' overwrit>r>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+# Ensure the menu system is updated
+##: [ ! -x /usr/bin/update-menus ] || /usr/bin/update-menus
+
+case "$1" in
+ remove)
+ # This package is being removed, but its configuration has not yet
+ # been purged.
+ :
+
+ # Remove diversion
+ ##: dpkg-divert --package ${package_name} --remove --rename \
+ ##: --divert /usr/bin/other.real /usr/bin/other
+
+ # ldconfig is NOT needed during removal of a library, only during
+ # installation
+
+ ;;
+ purge)
+ # This package has previously been removed and is now having
+ # its configuration purged from the system.
+ :
+
+ # we mimic dpkg as closely as possible, so we remove configuration
+ # files with dpkg backup extensions too:
+ ### Some of the following is from Tore Anderson:
+ ##: for ext in '~' '%' .bak .dpkg-tmp .dpkg-new .dpkg-old .dpkg-dist; do
+ ##: rm -f /etc/${package_name}.conf$ext
+ ##: done
+
+ # remove the configuration file itself
+ ##: rm -f /etc/${package_name}.conf
+ rm -rf "$BASEDIR"
+
+ # and finally clear it out from the ucf database
+ ##: ucf --purge /etc/${package_name}.conf
+
+ # Remove symlinks from /etc/rc?.d
+ ##: update-rc.d ${package_name} remove >/dev/null
+
+ ##: if [ -e /usr/share/debconf/confmodule ]; then
+ ##: # Purge this package's data from the debconf database.
+ ##: . /usr/share/debconf/confmodule
+ ##: db_purge
+ ##: fi
+
+ # This package has previously been removed and is now having
+ # its configuration purged from the system.
+ ##: for flavour in emacs20 emacs21; do
+ ##: STARTDIR=/etc/$flavour/site-start.d;
+ ##: STARTFILE="${package_name}-init.el";
+ ##: if [ -e "$STARTDIR/20$STARTFILE" ]; then
+ ##: rm -f "$STARTDIR/20$STARTFILE"
+ ##: fi
+ ##: done
+
+ ;;
+ disappear)
+ if test "$2" != overwriter; then
+ echo "$0: undocumented call to \`postrm $*'" 1>&2
+ exit 0
+ fi
+ # This package has been completely overwritten by package $3
+ # (version $4). All our files are already gone from the system.
+ # This is a special case: neither "prerm remove" nor "postrm remove"
+ # have been called, because dpkg didn't know that this package would
+ # disappear until this stage.
+ :
+
+ ;;
+ upgrade)
+ # About to upgrade FROM THIS VERSION to version $2 of this package.
+ # "prerm upgrade" has been called for this version, and "preinst
+ # upgrade" has been called for the new version. Last chance to
+ # clean up.
+ :
+
+ ;;
+ failed-upgrade)
+ # About to upgrade from version $2 of this package TO THIS VERSION.
+ # "prerm upgrade" has been called for the old version, and "preinst
+ # upgrade" has been called for this version. This is only used if
+ # the previous version's "postrm upgrade" couldn't handle it and
+ # returned non-zero. (Fix old postrm bugs here.)
+ :
+
+ ;;
+ abort-install)
+ # Back out of an attempt to install this package. Undo the effects of
+ # "preinst install...". There are two sub-cases.
+ :
+
+ if test "${2+set}" = set; then
+ # When the install was attempted, version $2's configuration
+ # files were still on the system. Undo the effects of "preinst
+ # install $2".
+ :
+
+ else
+ # We were being installed from scratch. Undo the effects of
+ # "preinst install".
+ :
+
+ fi ;;
+ abort-upgrade)
+ # Back out of an attempt to upgrade this package from version $2
+ # TO THIS VERSION. Undo the effects of "preinst upgrade $2".
+ :
+
+ ;;
+ *) echo "$0: didn't understand being called with \`$1'" 1>&2
+ exit 0;;
+esac
+
+exit 0
--- refpolicy-2.20110726.orig/debian/modules.conf.mls
+++ refpolicy-2.20110726/debian/modules.conf.mls
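Review bot: The `purge)` branch runs `rm -rf "$BASEDIR"` on `/etc/selinux/mls` without checking whether `mls` is the `SELINUXTYPE` currently configured in `/etc/selinux/config`, which is presumably the policy store the running system loads at next boot and where any locally added modules live; the Perl helper earlier in this patch writes that very setting, so the packaging already knows where to look. A purge of the active policy type should at least refuse and say so rather than silently delete the store, leaving the admin with a configured type that no longer exists on disk. The summary comment `# * \`disappear' overwrit>r>` also looks garbled (angle-bracket text appears to have been lost) and should be restored to the usual `\`disappear' <overwriter> <overwriter-version>` wording from the template.

```shell
 purge)
 # … unchanged: commented-out template cleanup lines …
 if grep -qs "^SELINUXTYPE *= *${POLICYNAME}\$" /etc/selinux/config; then
 echo "$0: $POLICYNAME is the configured SELINUXTYPE; leaving $BASEDIR in place" 1>&2
 else
 rm -rf "$BASEDIR"
 fi
 # … unchanged: remaining purge template lines …
```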
@@ -0,0 +1,2171 @@
+#
+# This file contains a listing of available modules.
+# To prevent a module from being used in policy
+# creation, set the module name to "off".
+#
+# For monolithic policies, modules set to "base" and "module"
+# will be built into the policy.
+#
+# For modular policies, modules set to "base" will be
+# included in the base module. "module" will be compiled
+# as individual loadable modules.
+#
+
+# Layer: kernel
+# Module: corecommands
+# Required in base
+#
+# Core policy for shells, and generic programs
+# in /bin, /sbin, /usr/bin, and /usr/sbin.
+#
+corecommands = base
+
+# Layer: kernel
+# Module: corenetwork
+# Required in base
+#
+# Policy controlling access to network objects
+#
+corenetwork = base
+
+# Layer: kernel
+# Module: devices
+# Required in base
+#
+# Device nodes and interfaces for many basic system devices.
+#
+devices = base
+
+# Layer: kernel
+# Module: domain
+# Required in base
+#
+# Core policy for domains.
+#
+domain = base
+
+# Layer: kernel
+# Module: files
+# Required in base
+#
+# Basic filesystem types and interfaces.
+#
+files = base
+
+# Layer: kernel
+# Module: filesystem
+# Required in base
+#
+# Policy for filesystems.
+#
+filesystem = base
+
+# Layer: kernel
+# Module: kernel
+# Required in base
+#
+# Policy for kernel threads, proc filesystem,
+# and unlabeled processes and objects.
+#
+kernel = base
+
+# Layer: kernel
+# Module: mcs
+# Required in base
+#
+# Multicategory security policy
+#
+mcs = base
+
+# Layer: kernel
+# Module: mls
+# Required in base
+#
+# Multilevel security policy
+#
+mls = base
+
+# Layer: kernel
+# Module: selinux
+# Required in base
+#
+# Policy for kernel security interface, in particular, selinuxfs.
+#
+selinux = base
+
+# Layer: kernel
+# Module: terminal
+# Required in base
+#
+# Policy for terminals.
+# +terminal = base + +# Layer: kernel +# Module: ubac +# Required in base +# +# User-based access control policy +# +ubac = base + +# Layer: admin +# Module: acct +# +# Berkeley process accounting +# +acct = module + +# Layer: admin +# Module: alsa +# +# Ainit ALSA configuration tool +# +alsa = module + +# Layer: admin +# Module: amanda +# +# Automated backup program. +# +amanda = module + +# Layer: admin +# Module: amtu +# +# Abstract Machine Test Utility +# +amtu = off + +# Layer: admin +# Module: anaconda +# +# Policy for the Anaconda installer. +# +anaconda = off + +# Layer: admin +# Module: apt +# +# APT advanced package tool. +# +apt = base + +# Layer: admin +# Module: backup +# +# System backup scripts +# +backup = module + +# Layer: admin +# Module: bootloader +# +# Policy for the kernel modules, kernel image, and bootloader. +# +bootloader = module + +# Layer: admin +# Module: brctl +# +# Utilities for configuring the linux ethernet bridge +# +brctl = module + +# Layer: admin +# Module: certwatch +# +# Digital Certificate Tracking +# +certwatch = module + +# Layer: admin +# Module: consoletype +# +# Determine of the console connected to the controlling terminal. +# +consoletype = off + +# Layer: admin +# Module: ddcprobe +# +# ddcprobe retrieves monitor and graphics card information +# +ddcprobe = off + +# Layer: admin +# Module: dmesg +# +# Policy for dmesg. +# +dmesg = base + +# Layer: admin +# Module: dmidecode +# +# Decode DMI data for x86/ia64 bioses. +# +dmidecode = module + +# Layer: admin +# Module: dpkg +# +# Policy for the Debian package manager. +# +dpkg = base + +# Layer: admin +# Module: firstboot +# +# Final system configuration run during the first boot +# after installation of Red Hat/Fedora systems. +# +firstboot = off + +# Layer: admin +# Module: kismet +# +# Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. 
+# +kismet = module + +# Layer: admin +# Module: kudzu +# +# Hardware detection and configuration tools +# +kudzu = off + +# Layer: admin +# Module: logrotate +# +# Rotate and archive system logs +# +logrotate = base + +# Layer: admin +# Module: logwatch +# +# System log analyzer and reporter +# +logwatch = module + +# Layer: admin +# Module: mrtg +# +# Network traffic graphing +# +mrtg = module + +# Layer: admin +# Module: netutils +# +# Network analysis utilities +# +netutils = module + +# Layer: admin +# Module: portage +# +# Portage Package Management System. The primary package management and +# distribution system for Gentoo. +# +portage = off + +# Layer: admin +# Module: prelink +# +# Prelink ELF shared library mappings. +# +prelink = module + +# Layer: admin +# Module: quota +# +# File system quota management +# +quota = module + +# Layer: admin +# Module: readahead +# +# Readahead, read files into page cache for improved performance +# +readahead = module + +# Layer: admin +# Module: rpm +# +# Policy for the RPM package manager. +# +rpm = module + +# Layer: admin +# Module: shorewall +# +# Shoreline Firewall high-level tool for configuring netfilter +# +shorewall = module + +# Layer: admin +# Module: su +# +# Run shells with substitute user and group +# +su = base + +# Layer: admin +# Module: sudo +# +# Execute a command with a substitute user +# +sudo = module + +# Layer: admin +# Module: sxid +# +# SUID/SGID program monitoring +# +sxid = module + +# Layer: admin +# Module: tmpreaper +# +# Manage temporary directory sizes and file ages +# +tmpreaper = base + +# Layer: admin +# Module: tripwire +# +# Tripwire file integrity checker. +# +tripwire = module + +# Layer: admin +# Module: tzdata +# +# Time zone updater +# +tzdata = module + +# Layer: admin +# Module: updfstab +# +# Red Hat utility to change /etc/fstab. 
+# +updfstab = off + +# Layer: admin +# Module: usbmodules +# +# List kernel modules of USB devices +# +usbmodules = module + +# Layer: admin +# Module: usermanage +# +# Policy for managing user accounts. +# +usermanage = base + +# Layer: admin +# Module: vbetool +# +# run real-mode video BIOS code to alter hardware state +# +vbetool = module + +# Layer: admin +# Module: vpn +# +# Virtual Private Networking client +# +vpn = module + +# Layer: apps +# Module: ada +# +# GNAT Ada95 compiler +# +ada = module + +# Layer: apps +# Module: authbind +# +# Tool for non-root processes to bind to reserved ports +# +authbind = module + +# Layer: apps +# Module: awstats +# +# AWStats is a free powerful and featureful tool that generates advanced +# web, streaming, ftp or mail server statistics, graphically. +# +awstats = module + +# Layer: apps +# Module: calamaris +# +# Squid log analysis +# +calamaris = module + +# Layer: apps +# Module: cdrecord +# +# Policy for cdrecord +# +cdrecord = module + +# Layer: apps +# Module: cpufreqselector +# +# Command-line CPU frequency settings. +# +cpufreqselector = module + +# Layer: apps +# Module: evolution +# +# Evolution email client +# +evolution = module + +# Layer: apps +# Module: games +# +# Games +# +games = module + +# Layer: apps +# Module: gift +# +# giFT peer to peer file sharing tool +# +gift = module + +# Layer: apps +# Module: gitosis +# +# Tools for managing and hosting git repositories. +# +gitosis = module + +# Layer: apps +# Module: gnome +# +# GNU network object model environment (GNOME) +# +gnome = module + +# Layer: apps +# Module: gpg +# +# Policy for GNU Privacy Guard and related programs. +# +gpg = module + +# Layer: apps +# Module: irc +# +# IRC client policy +# +irc = module + +# Layer: apps +# Module: java +# +# Java virtual machine +# +java = module + +# Layer: apps +# Module: loadkeys +# +# Load keyboard mappings. 
+# +loadkeys = module + +# Layer: apps +# Module: lockdev +# +# device locking policy for lockdev +# +lockdev = module + +# Layer: apps +# Module: mono +# +# Run .NET server and client applications on Linux. +# +mono = module + +# Layer: apps +# Module: mozilla +# +# Policy for Mozilla and related web browsers +# +mozilla = module + +# Layer: apps +# Module: mplayer +# +# Mplayer media player and encoder +# +mplayer = module + +# Layer: apps +# Module: podsleuth +# +# Podsleuth is a tool to get information about an Apple (TM) iPod (TM) +# +podsleuth = module + +# Layer: apps +# Module: ptchown +# +# helper function for grantpt(3), changes ownship and permissions of pseudotty +# +ptchown = module + +# Layer: apps +# Module: pulseaudio +# +# Pulseaudio network sound server. +# +pulseaudio = module + +# Layer: apps +# Module: qemu +# +# QEMU machine emulator and virtualizer +# +qemu = module + +# Layer: apps +# Module: rssh +# +# Restricted (scp/sftp) only shell +# +rssh = module + +# Layer: apps +# Module: screen +# +# GNU terminal multiplexer +# +screen = module + +# Layer: apps +# Module: seunshare +# +# Filesystem namespacing/polyinstantiation application. 
+# +seunshare = module + +# Layer: apps +# Module: slocate +# +# Update database for mlocate +# +slocate = module + +# Layer: apps +# Module: thunderbird +# +# Thunderbird email client +# +thunderbird = module + +# Layer: apps +# Module: tvtime +# +# tvtime - a high quality television application +# +tvtime = module + +# Layer: apps +# Module: uml +# +# Policy for UML +# +uml = module + +# Layer: apps +# Module: userhelper +# +# SELinux utility to run a shell with a new role +# +userhelper = module + +# Layer: apps +# Module: usernetctl +# +# User network interface configuration helper +# +usernetctl = module + +# Layer: apps +# Module: vmware +# +# VMWare Workstation virtual machines +# +vmware = module + +# Layer: apps +# Module: webalizer +# +# Web server log analysis +# +webalizer = module + +# Layer: apps +# Module: wine +# +# Wine Is Not an Emulator. Run Windows programs in Linux. +# +wine = module + +# Layer: apps +# Module: wireshark +# +# Wireshark packet capture tool. +# +wireshark = module + +# Layer: apps +# Module: wm +# +# X Window Managers +# +wm = module + +# Layer: apps +# Module: xscreensaver +# +# X Screensaver +# +xscreensaver = module + +# Layer: apps +# Module: yam +# +# Yum/Apt Mirroring +# +yam = module + +# Layer: kernel +# Module: storage +# +# Policy controlling access to storage devices +# +storage = base + +# Layer: roles +# Module: auditadm +# +# Audit administrator role +# +auditadm = base + +# Layer: roles +# Module: guest +# +# Least privledge terminal user role +# +guest = module + +# Layer: roles +# Module: logadm +# +# Log administrator role +# +logadm = module + +# Layer: roles +# Module: secadm +# +# Security administrator role +# +secadm = base + +# Layer: roles +# Module: staff +# +# Administrator's unprivileged user role +# +staff = base + +# Layer: roles +# Module: sysadm +# +# General system administration role +# +sysadm = base + +# Layer: roles +# Module: unprivuser +# +# Generic unprivileged user role +# +unprivuser = 
base + +# Layer: roles +# Module: webadm +# +# Web administrator role +# +webadm = module + +# Layer: roles +# Module: xguest +# +# Least privledge xwindows user role +# +xguest = module + +# Layer: services +# Module: abrt +# +# ABRT - automated bug-reporting tool +# +abrt = off + +# Layer: services +# Module: afs +# +# Andrew Filesystem server +# +afs = module + +# Layer: services +# Module: aide +# +# Aide filesystem integrity checker +# +aide = module + +# Layer: services +# Module: amavis +# +# Daemon that interfaces mail transfer agents and content +# checkers, such as virus scanners. +# +amavis = off + +# Layer: services +# Module: apache +# +# Apache web server +# +apache = module + +# Layer: services +# Module: apcupsd +# +# APC UPS monitoring daemon +# +apcupsd = module + +# Layer: services +# Module: apm +# +# Advanced power management daemon +# +apm = module + +# Layer: services +# Module: arpwatch +# +# Ethernet activity monitor. +# +arpwatch = module + +# Layer: services +# Module: asterisk +# +# Asterisk IP telephony server +# +asterisk = module + +# Layer: services +# Module: automount +# +# Filesystem automounter service. +# +automount = module + +# Layer: services +# Module: avahi +# +# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture +# +avahi = module + +# Layer: services +# Module: bind +# +# Berkeley internet name domain DNS server. +# +bind = module + +# Layer: services +# Module: bitlbee +# +# Bitlbee service +# +bitlbee = module + +# Layer: services +# Module: bluetooth +# +# Bluetooth tools and system services. 
+# +bluetooth = module + +# Layer: services +# Module: canna +# +# Canna - kana-kanji conversion server +# +canna = module + +# Layer: services +# Module: ccs +# +# Cluster Configuration System +# +ccs = module + +# Layer: services +# Module: certmaster +# +# Certmaster SSL certificate distribution service +# +certmaster = module + +# Layer: services +# Module: cipe +# +# Encrypted tunnel daemon +# +cipe = module + +# Layer: services +# Module: clamav +# +# ClamAV Virus Scanner +# +clamav = module + +# Layer: services +# Module: clockspeed +# +# Clockspeed simple network time protocol client +# +clockspeed = module + +# Layer: services +# Module: comsat +# +# Comsat, a biff server. +# +comsat = module + +# Layer: services +# Module: consolekit +# +# Framework for facilitating multiple user sessions on desktops. +# +consolekit = module + +# Layer: services +# Module: courier +# +# Courier IMAP and POP3 email servers +# +courier = module + +# Layer: services +# Module: cpucontrol +# +# Services for loading CPU microcode and CPU frequency scaling. +# +cpucontrol = module + +# Layer: services +# Module: cron +# +# Periodic execution of scheduled commands. +# +cron = base + +# Layer: services +# Module: cups +# +# Common UNIX printing system +# +cups = module + +# Layer: services +# Module: cvs +# +# Concurrent versions system +# +cvs = module + +# Layer: services +# Module: cyphesis +# +# Cyphesis WorldForge game server +# +cyphesis = module + +# Layer: services +# Module: cyrus +# +# Cyrus is an IMAP service intended to be run on sealed servers +# +cyrus = module + +# Layer: services +# Module: dante +# +# Dante msproxy and socks4/5 proxy server +# +dante = module + +# Layer: services +# Module: dbskk +# +# Dictionary server for the SKK Japanese input method system. 
+# +dbskk = module + +# Layer: services +# Module: dbus +# +# Desktop messaging bus +# +dbus = module + +# Layer: services +# Module: dcc +# +# Distributed checksum clearinghouse spam filtering +# +dcc = module + +# Layer: services +# Module: ddclient +# +# Update dynamic IP address at DynDNS.org +# +ddclient = module + +# Layer: services +# Module: devicekit +# +# Devicekit modular hardware abstraction layer +# +devicekit = module + +# Layer: services +# Module: dhcp +# +# Dynamic host configuration protocol (DHCP) server +# +dhcp = module + +# Layer: services +# Module: dictd +# +# Dictionary daemon +# +dictd = module + +# Layer: services +# Module: distcc +# +# Distributed compiler daemon +# +distcc = module + +# Layer: services +# Module: djbdns +# +# small and secure DNS daemon +# +djbdns = module + +# Layer: services +# Module: dkim +# +# DomainKeys Identified Mail milter. +# +dkim = module + +# Layer: services +# Module: dnsmasq +# +# dnsmasq DNS forwarder and DHCP server +# +dnsmasq = module + +# Layer: services +# Module: dovecot +# +# Dovecot POP and IMAP mail server +# +dovecot = module + +# Layer: services +# Module: epmd +# +# Erlang Port Mapper Daemon (epmd). +# +epmd = module + +# Layer: services +# Module: exim +# +# Exim mail transfer agent +# +exim = module + +# Layer: services +# Module: fail2ban +# +# Update firewall filtering to ban IP addresses with too many password failures. +# +fail2ban = module + +# Layer: services +# Module: fetchmail +# +# Remote-mail retrieval and forwarding utility +# +fetchmail = module + +# Layer: services +# Module: finger +# +# Finger user information service. 
+# +finger = module + +# Layer: services +# Module: fprintd +# +# DBus fingerprint reader service +# +fprintd = module + +# Layer: services +# Module: ftp +# +# File transfer protocol service +# +ftp = module + +# Layer: services +# Module: gatekeeper +# +# OpenH.323 Voice-Over-IP Gatekeeper +# +gatekeeper = module + +# Layer: services +# Module: git +# +# GIT revision control system +# +git = module + +# Layer: services +# Module: gnomeclock +# +# Gnome clock handler for setting the time. +# +gnomeclock = module + +# Layer: services +# Module: gpm +# +# General Purpose Mouse driver +# +gpm = module + +# Layer: services +# Module: gpsd +# +# gpsd monitor daemon +# +gpsd = module + +# Layer: services +# Module: hal +# +# Hardware abstraction layer +# +hal = base + +# Layer: services +# Module: hddtemp +# +# hddtemp hard disk temperature tool running as a daemon +# +hddtemp = module + +# Layer: services +# Module: howl +# +# Port of Apple Rendezvous multicast DNS +# +howl = module + +# Layer: services +# Module: i18n_input +# +# IIIMF htt server +# +i18n_input = module + +# Layer: services +# Module: ifplugd +# +# Bring up/down ethernet interfaces based on cable detection. +# +ifplugd = module + +# Layer: services +# Module: imaze +# +# iMaze game server +# +imaze = module + +# Layer: services +# Module: inetd +# +# Internet services daemon. 
+# +inetd = base + +# Layer: services +# Module: inn +# +# Internet News NNTP server +# +inn = module + +# Layer: services +# Module: ircd +# +# IRC server +# +ircd = module + +# Layer: services +# Module: irqbalance +# +# IRQ balancing daemon +# +irqbalance = module + +# Layer: services +# Module: jabber +# +# Jabber instant messaging server +# +jabber = module + +# Layer: services +# Module: kerberos +# +# MIT Kerberos admin and KDC +# +kerberos = module + +# Layer: services +# Module: kerneloops +# +# Service for reporting kernel oopses to kerneloops.org +# +kerneloops = module + +# Layer: services +# Module: ktalk +# +# KDE Talk daemon +# +ktalk = module + +# Layer: services +# Module: lda +# +# mail delivery agent +# +lda = module + +# Layer: services +# Module: ldap +# +# OpenLDAP directory server +# +ldap = module + +# Layer: services +# Module: lircd +# +# Linux infared remote control daemon +# +lircd = module + +# Layer: services +# Module: lpd +# +# Line printer daemon +# +lpd = module + +# Layer: services +# Module: mailman +# +# Mailman is for managing electronic mail discussion and e-newsletter lists +# +mailman = module + +# Layer: services +# Module: memcached +# +# high-performance memory object caching system +# +memcached = module + +# Layer: services +# Module: milter +# +# Milter mail filters +# +milter = module + +# Layer: services +# Module: modemmanager +# +# Provides a DBus interface to communicate with mobile broadband (GSM, CDMA, UMTS, ...) cards. +# +modemmanager = module + +# Layer: services +# Module: monop +# +# Monopoly daemon +# +monop = module + +# Layer: services +# Module: mta +# +# Policy common to all email tranfer agents. 
+# +mta = base + +# Layer: services +# Module: munin +# +# Munin network-wide load graphing (formerly LRRD) +# +munin = module + +# Layer: services +# Module: mysql +# +# Policy for MySQL +# +mysql = module + +# Layer: services +# Module: nagios +# +# Net Saint / NAGIOS - network monitoring server +# +nagios = module + +# Layer: services +# Module: nessus +# +# Nessus network scanning daemon +# +nessus = module + +# Layer: services +# Module: networkmanager +# +# Manager for dynamically switching between networks. +# +networkmanager = module + +# Layer: services +# Module: nis +# +# Policy for NIS (YP) servers and clients +# +nis = module + +# Layer: services +# Module: nscd +# +# Name service cache daemon +# +nscd = module + +# Layer: services +# Module: nsd +# +# Authoritative only name server +# +nsd = module + +# Layer: services +# Module: nslcd +# +# nslcd - local LDAP name service daemon. +# +nslcd = module + +# Layer: services +# Module: ntop +# +# Network Top +# +ntop = module + +# Layer: services +# Module: ntp +# +# Network time protocol daemon +# +ntp = module + +# Layer: services +# Module: nx +# +# NX remote desktop +# +# nx = module + +# Layer: services +# Module: oav +# +# Open AntiVirus scannerdaemon and signature update +# +oav = module + +# Layer: services +# Module: oddjob +# +# Oddjob provides a mechanism by which unprivileged applications can +# request that specified privileged operations be performed on their +# behalf. +# +oddjob = module + +# Layer: services +# Module: oident +# +# SELinux policy for Oident daemon. +# +oident = module + +# Layer: services +# Module: openca +# +# OpenCA - Open Certificate Authority +# +openca = module + +# Layer: services +# Module: openct +# +# Service for handling smart card readers. 
+# +openct = module + +# Layer: services +# Module: openvpn +# +# full-featured SSL VPN solution +# +openvpn = module + +# Layer: services +# Module: pads +# +# Passive Asset Detection System +# +pads = module + +# Layer: services +# Module: pcscd +# +# PCSC smart card service +# +pcscd = module + +# Layer: services +# Module: pegasus +# +# The Open Group Pegasus CIM/WBEM Server. +# +pegasus = module + +# Layer: services +# Module: perdition +# +# Perdition POP and IMAP proxy +# +perdition = module + +# Layer: services +# Module: pingd +# +# Pingd of the Whatsup cluster node up/down detection utility +# +pingd = module + +# Layer: services +# Module: policykit +# +# Policy framework for controlling privileges for system-wide services. +# +policykit = module + +# Layer: services +# Module: portmap +# +# RPC port mapping service. +# +portmap = module + +# Layer: services +# Module: portreserve +# +# Reserve well-known ports in the RPC port range. +# +portreserve = module + +# Layer: services +# Module: portslave +# +# Portslave terminal server software +# +portslave = module + +# Layer: services +# Module: postfix +# +# Postfix email server +# +postfix = module + +# Layer: services +# Module: postfixpolicyd +# +# Postfix policy server +# +postfixpolicyd = module + +# Layer: services +# Module: postgresql +# +# PostgreSQL relational database +# +postgresql = module + +# Layer: services +# Module: postgrey +# +# Postfix grey-listing server +# +postgrey = module + +# Layer: services +# Module: ppp +# +# Point to Point Protocol daemon creates links in ppp networks +# +ppp = module + +# Layer: services +# Module: prelude +# +# Prelude hybrid intrusion detection system +# +prelude = module + +# Layer: services +# Module: privoxy +# +# Privacy enhancing web proxy. 
+# +privoxy = module + +# Layer: services +# Module: psad +# +# Intrusion Detection and Log Analysis with iptables +# +psad = module + +# Layer: services +# Module: publicfile +# +# publicfile supplies files to the public through HTTP and FTP +# +publicfile = module + +# Layer: services +# Module: puppet +# +# Puppet client daemon +# +puppet = module + +# Layer: services +# Module: pxe +# +# Server for the PXE network boot protocol +# +pxe = module + +# Layer: services +# Module: pyzor +# +# Pyzor is a distributed, collaborative spam detection and filtering network. +# +pyzor = module + +# Layer: services +# Module: qmail +# +# Qmail Mail Server +# +qmail = module + +# Layer: services +# Module: radius +# +# RADIUS authentication and accounting server. +# +radius = module + +# Layer: services +# Module: radvd +# +# IPv6 router advertisement daemon +# +radvd = module + +# Layer: services +# Module: razor +# +# A distributed, collaborative, spam detection and filtering network. +# +razor = module + +# Layer: services +# Module: rdisc +# +# Network router discovery daemon +# +rdisc = module + +# Layer: services +# Module: remotelogin +# +# Policy for rshd, rlogind, and telnetd. +# +remotelogin = module + +# Layer: services +# Module: resmgr +# +# Resource management daemon +# +resmgr = module + +# Layer: services +# Module: rhgb +# +# Red Hat Graphical Boot +# +rhgb = module + +# Layer: services +# Module: ricci +# +# Ricci cluster management agent +# +ricci = module + +# Layer: services +# Module: rlogin +# +# Remote login daemon +# +rlogin = module + +# Layer: services +# Module: roundup +# +# Roundup Issue Tracking System policy +# +roundup = module + +# Layer: services +# Module: rpc +# +# Remote Procedure Call Daemon for managment of network based process communication +# +rpc = module + +# Layer: services +# Module: rpcbind +# +# Universal Addresses to RPC Program Number Mapper +# +rpcbind = module + +# Layer: services +# Module: rshd +# +# Remote shell service. 
+# +rshd = module + +# Layer: services +# Module: rsync +# +# Fast incremental file transfer for synchronization +# +rsync = module + +# Layer: services +# Module: rtkit +# +# Realtime scheduling for user processes. +# +rtkit = module + +# Layer: services +# Module: rwho +# +# Who is logged in on other machines? +# +rwho = module + +# Layer: services +# Module: samba +# +# SMB and CIFS client/server programs for UNIX and +# name Service Switch daemon for resolving names +# from Windows NT servers. +# +samba = module + +# Layer: services +# Module: sasl +# +# SASL authentication server +# +sasl = module + +# Layer: services +# Module: sendmail +# +# Policy for sendmail. +# +sendmail = module + +# Layer: services +# Module: setroubleshoot +# +# SELinux troubleshooting service +# +setroubleshoot = module + +# Layer: services +# Module: slrnpull +# +# Service for downloading news feeds the slrn newsreader. +# +slrnpull = module + +# Layer: services +# Module: smartmon +# +# Smart disk monitoring daemon policy +# +smartmon = module + +# Layer: services +# Module: snmp +# +# Simple network management protocol services +# +snmp = module + +# Layer: services +# Module: snort +# +# Snort network intrusion detection system +# +snort = module + +# Layer: services +# Module: soundserver +# +# sound server for network audio server programs, nasd, yiff, etc +# +soundserver = module + +# Layer: services +# Module: spamassassin +# +# Filter used for removing unsolicited email. +# +spamassassin = module + +# Layer: services +# Module: speedtouch +# +# Alcatel speedtouch USB ADSL modem +# +speedtouch = module + +# Layer: services +# Module: squid +# +# Squid caching http proxy server +# +squid = module + +# Layer: services +# Module: ssh +# +# Secure shell client and server policy. 
+# +ssh = module + +# Layer: services +# Module: sssd +# +# System Security Services Daemon +# +sssd = module + +# Layer: services +# Module: stunnel +# +# SSL Tunneling Proxy +# +stunnel = module + +# Layer: services +# Module: sysstat +# +# Policy for sysstat. Reports on various system states +# +sysstat = module + +# Layer: services +# Module: tcpd +# +# Policy for TCP daemon. +# +tcpd = module + +# Layer: services +# Module: telnet +# +# Telnet daemon +# +telnet = module + +# Layer: services +# Module: tftp +# +# Trivial file transfer protocol daemon +# +tftp = module + +# Layer: services +# Module: tgtd +# +# Linux Target Framework Daemon. +# +tgtd = module + +# Layer: services +# Module: timidity +# +# MIDI to WAV converter and player configured as a service +# +timidity = module + +# Layer: services +# Module: tor +# +# TOR, the onion router +# +tor = module + +# Layer: services +# Module: transproxy +# +# HTTP transperant proxy +# +transproxy = module + +# Layer: services +# Module: tuned +# +# Dynamic adaptive system tuning daemon +# +tuned = module + +# Layer: services +# Module: ucspitcp +# +# ucspitcp policy +# +ucspitcp = module + +# Layer: services +# Module: ulogd +# +# Iptables/netfilter userspace logging daemon. 
+# +ulogd = module + +# Layer: services +# Module: uptime +# +# Uptime daemon +# +uptime = module + +# Layer: services +# Module: uucp +# +# Unix to Unix Copy +# +uucp = module + +# Layer: services +# Module: uwimap +# +# University of Washington IMAP toolkit POP3 and IMAP mail server +# +uwimap = module + +# Layer: services +# Module: varnishd +# +# Varnishd http accelerator daemon +# +varnishd = module + +# Layer: services +# Module: virt +# +# Libvirt virtualization API +# +virt = module + +# Layer: services +# Module: w3c +# +# W3C Markup Validator +# +w3c = module + +# Layer: services +# Module: watchdog +# +# Software watchdog +# +watchdog = module + +# Layer: services +# Module: xfs +# +# X Windows Font Server +# +xfs = module + +# Layer: services +# Module: xprint +# +# X print server +# +xprint = module + +# Layer: services +# Module: xserver +# +# X Windows Server +# +xserver = module + +# Layer: services +# Module: zabbix +# +# Distributed infrastructure monitoring +# +zabbix = module + +# Layer: services +# Module: zebra +# +# Zebra border gateway protocol network routing service +# +zebra = module + +# Layer: services +# Module: zosremote +# +# policy for z/OS Remote-services Audit dispatcher plugin +# +zosremote = module + +# Layer: system +# Module: application +# +# Policy for user executable applications. +# +application = base + +# Layer: system +# Module: authlogin +# +# Common policy for authentication and user login. +# +authlogin = base + +# Layer: system +# Module: clock +# +# Policy for reading and setting the hardware clock. +# +clock = base + +# Layer: system +# Module: daemontools +# +# Collection of tools for managing UNIX services +# +daemontools = module + +# Layer: system +# Module: fstools +# +# Tools for filesystem management, such as mkfs and fsck. +# +fstools = base + +# Layer: system +# Module: getty +# +# Policy for getty. +# +getty = base + +# Layer: system +# Module: hostname +# +# Policy for changing the system host name. 
+# +hostname = base + +# Layer: system +# Module: hotplug +# +# Policy for hotplug system, for supporting the +# connection and disconnection of devices at runtime. +# +hotplug = module + +# Layer: system +# Module: init +# +# System initialization programs (init and init scripts). +# +init = base + +# Layer: system +# Module: ipsec +# +# TCP/IP encryption +# +ipsec = module + +# Layer: system +# Module: iodine +# +# IP over DNS tunneling +# +iodine = module + +# Layer: system +# Module: iptables +# +# Policy for iptables. +# +iptables = base + +# Layer: system +# Module: iscsi +# +# Establish connections to iSCSI devices +# +iscsi = module + +# Layer: system +# Module: kdump +# +# Kernel crash dumping mechanism +# +kdump = module + +# Layer: system +# Module: libraries +# +# Policy for system libraries. +# +libraries = base + +# Layer: system +# Module: locallogin +# +# Policy for local logins. +# +locallogin = base + +# Layer: system +# Module: logging +# +# Policy for the kernel message logger and system logging daemon. +# +logging = base + +# Layer: system +# Module: lvm +# +# Policy for logical volume management programs. +# +lvm = module + +# Layer: system +# Module: miscfiles +# +# Miscelaneous files. +# +miscfiles = base + +# Layer: system +# Module: modutils +# +# Policy for kernel module utilities +# +modutils = base + +# Layer: system +# Module: mount +# +# Policy for mount. +# +mount = base + +# Layer: system +# Module: netlabel +# +# NetLabel/CIPSO labeled networking management +# +netlabel = base + +# Layer: system +# Module: pcmcia +# +# PCMCIA card management services +# +pcmcia = module + +# Layer: system +# Module: pythonsupport +# +# Support for precompiling python modules +# +pythonsupport = module + +# Layer: system +# Module: raid +# +# RAID array management tools +# +raid = module + +# Layer: system +# Module: selinuxutil +# +# Policy for SELinux policy and userland applications. 
+#
+selinuxutil = base
+
+# Layer: system
+# Module: setrans
+#
+# SELinux MLS/MCS label translation service.
+#
+setrans = base
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+#
+sysnetwork = base
+
+# Layer: system
+# Module: udev
+#
+# Policy for udev.
+#
+udev = base
+
+# Layer: system
+# Module: unconfined
+#
+# The unconfined domain.
+#
+unconfined = module
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+#
+userdomain = base
+
+# Layer: system
+# Module: xen
+#
+# Xen hypervisor
+#
+xen = module
+
--- refpolicy-2.20110726.orig/debian/NEWS
+++ refpolicy-2.20110726/debian/NEWS
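Review bot: In the services layer of the new modules.conf.mls the nx entry is written as `# nx = module`, i.e. commented out instead of disabled, which contradicts the file's own header ("To prevent a module from being used in policy creation, set the module name to "off"") and leaves nx silently unlisted rather than explicitly excluded; it should read `nx = off`. Separately, this MLS variant ships `unconfined = module` while the package description in debian/control says that removing the unconfined module is what yields the strict-style policy; if shipping an unconfined domain in the MLS build is deliberate, a one-line comment above that entry stating why would save the next maintainer from "fixing" it. A number of entries are `off` (amtu, anaconda, consoletype, ddcprobe, firstboot, kudzu, portage, updfstab, abrt, amavis), presumably because they are Fedora- or Gentoo-specific; a short note near the top of the file naming the criterion used would document that choice.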
@@ -0,0 +1,27 @@
+refpolicy (2:0.2.20100524-6) unstable; urgency=low
+
+ http://etbe.coker.com.au/2010/04/21/upgrading-se-linux-system-squeez/
+
+ * I've documented the process of upgrading a SE Linux system to Lenny at
+ the above URL. But I'll summarise it here.
+
+ deb http://www.coker.com.au lenny selinux
+
+ * To run a Squeeze kernel with Lenny policy you need to use the latest Lenny
+ SE Linux policy from the above APT repository, install that and run
+ "selinux-policy-upgrade" to apply it before booting the Lenny kernel.
+
+ * If you run a Lenny kernel with Squeeze policy then you will get a large
+ number of annoying kernel messages due to a minor kernel bug. The
+ command “dmesg -n 1” will prevent such messages from going to the system
+ console, this is necessary for a usable console login.
+
+ * To upgrade a system to the Squeeze policy you should run the following
+ commands. They must be run in single-user mode if SE Linux is a critical
+ part of the system's security model but may be run from multi-user mode
+ if your use of SE Linux is just to catch any attacks that get past Unix
+ security.
+
+ setenforce 0 ; selinux-policy-upgrade ; touch /.autorelabel ; reboot
+
+ -- Russell Coker Thu, 13 Jan 2011 11:38:32 +1100
--- refpolicy-2.20110726.orig/debian/control
+++ refpolicy-2.20110726/debian/control
@@ -0,0 +1,128 @@
+Source: refpolicy
+VCS-Git: git://git.debian.org/git/users/srivasta/debian/refpolicy.git
+VCS-Browser: http://git.debian.org/?p=users/srivasta/debian/refpolicy.git;a=summary
+Priority: optional
+Section: admin
+Homepage: http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Russell Coker
+Uploaders: Erich Schubert , Manoj Srivastava
+Standards-Version: 3.8.3.0
+Build-Depends-Indep: policycoreutils (>= 2.1.0), checkpolicy (>= 2.1.0),
+ python, m4, bzip2, gawk, libsepol1 (>=2.1.0)
+
+Package: selinux-policy-default
+Architecture: all
+Depends: policycoreutils (>= 2.1.0), libpam-modules (>= 0.77-0.se5),
+ python, libselinux1 (>= 2.0.35), libsepol1 (>=2.1.0)
+Conflicts: cron (<< 3.0pl1-87.2sel), fcron (<< 2.9.3-3), logrotate (<< 3.7.1-1),
+ procps (<< 1:3.1.15-1), sysvinit (<< 2.86.ds1-1.se1),
+ selinux-policy-refpolicy-strict, selinux-policy-refpolicy-targeted
+Recommends: checkpolicy, setools
+Suggests: logcheck, syslog-summary
+Description: Strict and Targeted variants of the SELinux policy
+ This is the reference policy for SE Linux. In the default configuration it
+ will provide the functionality previously known as the "targeted" policy. If
+ the module "unconfined" is removed then it provides the functionality
+ previously known as the "strict" policy.
+ .
+ This uses the MMCS system of categories.
+
+Package: selinux-policy-mls
+Architecture: all
+Priority: extra
+Depends: policycoreutils (>= 2.1.0), libpam-modules (>= 0.77-0.se5),
+ python, libselinux1 (>= 2.0.35), libsepol1 (>=2.1.0)
+Conflicts: cron (<< 3.0pl1-87.2sel), fcron (<< 2.9.3-3), logrotate (<< 3.7.1-1),
+ procps (<< 1:3.1.15-1), sysvinit (<< 2.86.ds1-1.se1),
+ selinux-policy-refpolicy-strict, selinux-policy-refpolicy-targeted
+Recommends: checkpolicy, setools
+Suggests: logcheck, syslog-summary
+Description: MLS (Multi Level Security) variant of the SELinux policy
+ This is the reference policy for SE Linux built with MLS support. It allows
+ giving data labels such as "Top Secret" and preventing such data from leaking
+ to processes or files with lower classification.
+ .
+ It was developed for Common Criteria LSPP certification for RHEL. It will
+ probably never be well supported in Debian and is only recommended for
+ students who want to learn about the security features used by the military.
+
+Package: selinux-policy-src
+Architecture: all
+Depends: python, policycoreutils (>= 2.1.0), checkpolicy (>= 2.1.0), gawk
+Conflicts: selinux-policy-refpolicy-targeted, selinux-policy-refpolicy-src
+Recommends: setools
+Suggests: logcheck, syslog-summary
+Description: Source of the SELinux reference policy for customization
+ The SELinux Reference Policy (refpolicy) is a complete SELinux
+ policy, as an alternative to the existing strict and targeted
+ policies available from http://selinux.sf.net. The goal is to have
+ this policy as the system policy, be and used as the basis for
+ creating other policies. Refpolicy is based on the current strict and
+ targeted policies, but aims to accomplish many additional
+ goals:
+ + Strong Modularity
+ + Clearly stated security Goals
+ + Documentation
+ + Development Tool Support
+ + Forward Looking
+ + Configurability
+ + Flexible Base Policy
+ + Application Policy Variations
+ + Multi-Level Security
+ .
+ This is the source of the policy, provided so that local variations of
+ SELinux policy may be created.
+
+Package: selinux-policy-dev
+Architecture: all
+Depends: python, policycoreutils (>= 2.1.0), checkpolicy (>= 2.1.0), gawk, make, m4
+Recommends: setools
+Conflicts: selinux-policy-refpolicy-dev
+Description: Headers from the SELinux reference policy for building modules
+ The SELinux Reference Policy (refpolicy) is a complete SELinux
+ policy, as an alternative to the existing strict and targeted
+ policies available from http://selinux.sf.net. The goal is to have
+ this policy as the system policy, be and used as the basis for
+ creating other policies. Refpolicy is based on the current strict and
+ targeted policies, but aims to accomplish many additional
+ goals:
+ + Strong Modularity
+ + Clearly stated security Goals
+ + Documentation
+ + Development Tool Support
+ + Forward Looking
+ + Configurability
+ + Flexible Base Policy
+ + Application Policy Variations
+ + Multi-Level Security
+ .
+ This package provides header files for building your own SELinux
+ policy packages compatible with official policy packages.
+
+Package: selinux-policy-doc
+Architecture: all
+Section: doc
+Recommends: make, gcc
+Conflicts: selinux-policy-refpolicy-doc
+Description: Documentation for the SELinux reference policy
+ The SELinux Reference Policy (refpolicy) is a complete SELinux
+ policy, as an alternative to the existing strict and targeted
+ policies available from http://selinux.sf.net. The goal is to have
+ this policy as the system policy, be and used as the basis for
+ creating other policies. Refpolicy is based on the current strict and
+ targeted policies, but aims to accomplish many additional
+ goals:
+ + Strong Modularity
+ + Clearly stated security Goals
+ + Documentation
+ + Development Tool Support
+ + Forward Looking
+ + Configurability
+ + Flexible Base Policy
+ + Application Policy Variations
+ + Multi-Level Security
+ .
+ This package contains the documentation for the reference policy.
+
+
--- refpolicy-2.20110726.orig/debian/file_contexts.subs_dist
+++ refpolicy-2.20110726/debian/file_contexts.subs_dist
@@ -0,0 +1,5 @@
+/run /var/run
+/run/lock /var/lock
+/var/run/lock /var/lock
+/run/shm /dev/shm
+/var/run/shm /dev/shm
--- refpolicy-2.20110726.orig/debian/default.postrm
+++ refpolicy-2.20110726/debian/default.postrm
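Review bot: The selinux-policy-default description ends with `This uses the MMCS system of categories.`; presumably `MCS` is meant, since that is the policy type this package builds, and the doubled letter is shown verbatim by apt and aptitude. The boilerplate shared by the src, dev and doc descriptions also reads `be and used as the basis for`, where `and be used as the basis for` is intended.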
@@ -0,0 +1,176 @@
+#! /bin/sh
+# -*- Mode: Sh -*-
+# postrm ---
+# Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+# Created On : Fri Nov 14 12:22:20 2003
+# Created On Node : glaurung.green-gryphon.com
+# Last Modified By : Manoj Srivastava
+# Last Modified On : Sun Aug 20 21:01:06 2006
+# Last Machine Used: glaurung.internal.golden-gryphon.com
+# Update Count : 11
+# Status : Unknown, Use with caution!
+# HISTORY :
+# Description :
+#
+# arch-tag: bea9fd02-e287-4245-8009-9023c3333ff3
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+
+# Abort if any command returns an error value
+set -e
+
+NAME=default
+package_name=selinux-policy-$NAME
+POLICYNAME=$NAME
+BASEDIR=/etc/selinux/$POLICYNAME
+
+
+if [ -z "$package_name" ]; then
+ print >&2 "Internal Error. Please report a bug."
+ exit 1;
+fi
+
+# This script is called twice during the removal of the package; once
+# after the removal of the package's files from the system, and as
+# the final step in the removal of this package, after the package's
+# conffiles have been removed.
+# summary of how this script can be called:
+# * `remove'
+# * `purge'
+# * `upgrade'
+# * `failed-upgrade'
+# * `abort-install'
+# * `abort-install'
+# * `abort-upgrade'
+# * `disappear' overwrit>r>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+# Ensure the menu system is updated
+##: [ ! -x /usr/bin/update-menus ] || /usr/bin/update-menus
+
+case "$1" in
+ remove)
+ # This package is being removed, but its configuration has not yet
+ # been purged.
+ :
+
+ # Remove diversion
+ ##: dpkg-divert --package ${package_name} --remove --rename \
+ ##: --divert /usr/bin/other.real /usr/bin/other
+
+ # ldconfig is NOT needed during removal of a library, only during
+ # installation
+
+ ;;
+ purge)
+ # This package has previously been removed and is now having
+ # its configuration purged from the system.
+ :
+
+ # we mimic dpkg as closely as possible, so we remove configuration
+ # files with dpkg backup extensions too:
+ ### Some of the following is from Tore Anderson:
+ ##: for ext in '~' '%' .bak .dpkg-tmp .dpkg-new .dpkg-old .dpkg-dist; do
+ ##: rm -f /etc/${package_name}.conf$ext
+ ##: done
+
+ # remove the configuration file itself
+ ##: rm -f /etc/${package_name}.conf
+ rm -rf "$BASEDIR"
+
+ # and finally clear it out from the ucf database
+ ##: ucf --purge /etc/${package_name}.conf
+
+ # Remove symlinks from /etc/rc?.d
+ ##: update-rc.d ${package_name} remove >/dev/null
+
+ ##: if [ -e /usr/share/debconf/confmodule ]; then
+ ##: # Purge this package's data from the debconf database.
+ ##: . /usr/share/debconf/confmodule
+ ##: db_purge
+ ##: fi
+
+ # This package has previously been removed and is now having
+ # its configuration purged from the system.
+ ##: for flavour in emacs20 emacs21; do
+ ##: STARTDIR=/etc/$flavour/site-start.d;
+ ##: STARTFILE="${package_name}-init.el";
+ ##: if [ -e "$STARTDIR/20$STARTFILE" ]; then
+ ##: rm -f "$STARTDIR/20$STARTFILE"
+ ##: fi
+ ##: done
+
+ ;;
+ disappear)
+ if test "$2" != overwriter; then
+ echo "$0: undocumented call to \`postrm $*'" 1>&2
+ exit 0
+ fi
+ # This package has been completely overwritten by package $3
+ # (version $4). All our files are already gone from the system.
+ # This is a special case: neither "prerm remove" nor "postrm remove"
+ # have been called, because dpkg didn't know that this package would
+ # disappear until this stage.
+ :
+
+ ;;
+ upgrade)
+ # About to upgrade FROM THIS VERSION to version $2 of this package.
+ # "prerm upgrade" has been called for this version, and "preinst
+ # upgrade" has been called for the new version. Last chance to
+ # clean up.
+ :
+
+ ;;
+ failed-upgrade)
+ # About to upgrade from version $2 of this package TO THIS VERSION.
+ # "prerm upgrade" has been called for the old version, and "preinst
+ # upgrade" has been called for this version. This is only used if
+ # the previous version's "postrm upgrade" couldn't handle it and
+ # returned non-zero. (Fix old postrm bugs here.)
+ :
+
+ ;;
+ abort-install)
+ # Back out of an attempt to install this package. Undo the effects of
+ # "preinst install...". There are two sub-cases.
+ :
+
+ if test "${2+set}" = set; then
+ # When the install was attempted, version $2's configuration
+ # files were still on the system. Undo the effects of "preinst
+ # install $2".
+ :
+
+ else
+ # We were being installed from scratch. Undo the effects of
+ # "preinst install".
+ :
+
+ fi ;;
+ abort-upgrade)
+ # Back out of an attempt to upgrade this package from version $2
+ # TO THIS VERSION. Undo the effects of "preinst upgrade $2".
+ :
+
+ ;;
+ *) echo "$0: didn't understand being called with \`$1'" 1>&2
+ exit 0;;
+esac
+
+exit 0
--- refpolicy-2.20110726.orig/debian/example.if
+++ refpolicy-2.20110726/debian/example.if
@@ -0,0 +1,57 @@
+## Myapp example policy
+##
+##
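Review bot: `print >&2 "Internal Error. Please report a bug."` inside the `[ -z "$package_name" ]` guard is not a POSIX sh command, so under `#! /bin/sh` with `set -e` that branch would abort with a "not found" error rather than print the message; it should be `echo "Internal Error. Please report a bug." >&2`. The guard is also dead code, because `package_name` is assigned a literal a few lines above it. Separately, `rm -rf "$BASEDIR"` in the purge case removes the entire /etc/selinux/default tree, which presumably also holds locally installed modules and persisted boolean settings rather than only shipped conffiles; if that policy is the one named by SELINUXTYPE in /etc/selinux/config, the next boot has no policy to load, so a comment stating this is intended, or a check against that setting before the removal, would help the next maintainer.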

+## More descriptive text about myapp. The +## tag can also use

,

    , and
      +## html tags for formatting. +##

      +##

      +## This policy supports the following myapp features: +##

        +##
      • Feature A
      • +##
      • Feature B
      • +##
      • Feature C
      • +##
      +##

      +## +# + +######################################## +## +## Execute a domain transition to run myapp. +## +## +## Domain allowed to transition. +## +# +interface(`myapp_domtrans',` + gen_require(` + type myapp_t, myapp_exec_t; + ') + + domain_auto_trans($1,myapp_exec_t,myapp_t) + + allow $1 myapp_t:fd use; + allow myapp_t $1:fd use; + allow $1 myapp_t:fifo_file rw_file_perms; + allow $1 myapp_t:process sigchld; +') + +######################################## +## +## Read myapp log files. +## +## +## Domain allowed to read the log files. +## +# +interface(`myapp_read_log',` + gen_require(` + type myapp_log_t; + ') + + logging_search_logs($1) + allow $1 myapp_log_t:file r_file_perms; +') + +# arch-tag: e3624959-d1f4-4546-850b-4a1f22f7018d --- refpolicy-2.20110726.orig/debian/policygentool.1 +++ refpolicy-2.20110726/debian/policygentool.1 
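Review bot: `myapp_domtrans` spells the transition out as `domain_auto_trans($1,myapp_exec_t,myapp_t)` plus four separate `allow` rules, and the `sigchld` rule is granted in the wrong direction (`allow $1 myapp_t:process sigchld;` — the new domain is the one that signals the caller on exit); refpolicy's `domtrans_pattern($1, myapp_exec_t, myapp_t)` expresses the whole set in one line with the directions right, and since this file is the template users copy, it would be better to show that form. Likewise `myapp_read_log` could use `read_files_pattern($1, myapp_log_t, myapp_log_t)` in place of the raw `allow $1 myapp_log_t:file r_file_perms;`, keeping `logging_search_logs($1)`. The XML doc tags of the interface headers appear to have been lost in this rendering, so I could not check that each interface still documents its parameter.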
@@ -0,0 +1,100 @@
+.\" -*- Mode: Nroff -*-
+.\" policygentool.1 ---
+.\" Author : Manoj Srivastava ( srivasta@glaurung.internal.golden-gryphon.com )
+.\" Created On : Mon Feb 26 20:57:11 2007
+.\" Created On Node : glaurung.internal.golden-gryphon.com
+.\" Last Modified By : Manoj Srivastava
+.\" Last Modified On : Mon Feb 26 23:18:43 2007
+.\" Last Machine Used: glaurung.internal.golden-gryphon.com
+.\" Update Count : 12
+.\" Status : Unknown, Use with caution!
+.\" HISTORY :
+.\" Description :
+.\"
+.\" Copyright (c) 20077 Manoj Srivastava
+.\"
+.\" This is free documentation; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License as
+.\" published by the Free Software Foundation; either version 2 of
+.\" the License, or (at your option) any later version.
+.\"
+.\" The GNU General Public License's references to "object code"
+.\" and "executables" are to be interpreted as the output of any
+.\" document formatting or typesetting system, including
+.\" intermediate and printed output.
+.\"
+.\" This manual is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public
+.\" License along with this manual; if not, write to the Free
+.\" Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
+.\" USA.
+.\"
+.\" arch-tag: 8236ff3b-4ae2-4591-afa3-298e441e927c
+.\"
+.TH POLICYGENTOOL 1 "Feb 27 2007" "Debian" "Debian GNU/Linux manual"
+.SH NAME
+policygentool \- Interactive SELinux policy generation tool
+.SH SYNOPSIS
+.B policygentool
+.I [options]
+.I
+.I
+.SH DESCRIPTION
+This tool generate three files for policy development, A Type Enforcement (te)
+file, a File Context (fc), and a Interface File(if). Most of the policy rules
+will be written in the te file.
Use the File Context file to associate file
+paths with security context. Use the interface rules to allow other protected
+domains to interact with the newly defined domains.
+.PP
+The tool prompts for locations of
+.I pidfiles,
+any
+.I logfiles,
+files in
+.I /var/lib,
+and any
+.I init scripts,
+and whether any network access is desirable for the application. The
+tool then generates the appropriate policy rules for the module.
+After these files have been generated, the make files for the
+appropriate SELinux policy, namely,
+.I /usr/share/selinux/refpolicy-targeted/include/Makefile
+or
+.I /usr/share/selinux/refpolicy-strict/include/Makefile
+can be used to compile the SELinux policy policy package. The
+resulting policy package can be loaded using
+.B semodule.
+.PP
+ # /usr/bin/policygentool myapp /usr/bin/myapp
+ # cat >Makefile
+ > HEADERDIR:=/usr/share/selinux/refpolicy-targeted/include
+ > include $(HEADERDIR)/Makefile
+ > ^D
+ # make
+ # semodule -l myapp.pp
+ # restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"
+ # setenforce 0
+ # /etc/init.d/myapp start
+ # audit2allow -R -i /var/log/audit/audit.log
+.SH OPTIONS
+.TP
+.B "-h, --help"
+Print a short usage message.
+.SH FILES
+.PP
+.I myapp.te,
+.I myapp.if,
+.I myapp.fc.
+.SH "SEE ALSO"
+semodule(8),
+check_policy(8),
+load_policy(8).
+.SH BUGS
+None known.
+.SH AUTHOR
+This manual page was written by Manoj Srivastava ,
+for the Debian GNU/Linux system.
--- refpolicy-2.20110726.orig/debian/ChangeLog
+++ refpolicy-2.20110726/debian/ChangeLog
@@ -0,0 +1,42 @@
+2008-03-20 Manoj Srivastava
+
+ * postinst.policy:
+ srivasta@debian.org--lenny/debian-dir--refpolicy--1.0--patch-13
+ refpolicy includes an Exim policy, but doesn't install
+ it on a fresh refpolicy installation, because the module
+ package is exim.pp, while Debian calls its exim package
+ 'exim4'. Thanks to Devin Carraway for the heavy
+ lifting.
+
+2007-05-07 Manoj Srivastava
+
+ * modules.conf.targeted (ricci):
+ srivasta@debian.org--lenny/debian-dir--refpolicy--1.0--patch-3
+ Added module.
+
+ * modules.conf.strict (ricci):
+ srivasta@debian.org--lenny/debian-dir--refpolicy--1.0--patch-3
+ Added module.
+
+ * postinst.policy (installed_modules):
+ srivasta@debian.org--lenny/debian-dir--refpolicy--1.0--patch-3
+ Only add modules to the load order that have already
+ been shipped when considering dependencies for
+ modules. If the module is not shipped, chances are that
+ it was moved into the base policy.
+
+ * local-vars.mk (NON_MODULES):
+ srivasta@debian.org--lenny/debian-dir--refpolicy--1.0--patch-3
+ Added a list of modules that are really built into the
+ base policy in Debian. We then use this list to remove
+ the modules .pp files from the policy shipped, since
+ they can not be installed along with the base policy
+ anyway.
+
+ * local.mk (install/selinux-policy-refpolicy-strict):
+ srivasta@debian.org--lenny/debian-dir--refpolicy--1.0--patch-3
+ Remove the mosules that are built into the base already.
+ (install/selinux-policy-refpolicy-targeted):
+ srivasta@debian.org--lenny/debian-dir--refpolicy--1.0--patch-3
+ Ditto.
+
--- refpolicy-2.20110726.orig/debian/build.conf.default
+++ refpolicy-2.20110726/debian/build.conf.default
@@ -0,0 +1,73 @@
+########################################
+#
+# Policy build options
+#
+
+# Policy version
+# By default, checkpolicy will create the highest
+# version policy it supports. Setting this will
+# override the version. This only has an
+# effect for monolithic policies.
+#OUTPUT_POLICY = 21
+
+# Policy Type
+# standard, mls, mcs
+TYPE = mcs
+
+# Policy Name
+# If set, this will be used as the policy
+# name. Otherwise the policy type will be
+# used for the name.
+NAME = default
+
+# Distribution
+# Some distributions have portions of policy
+# for programs or configurations specific to the
+# distribution. Setting this will enable options
+# for the distribution.
+# redhat, gentoo, debian, suse, and rhel4 are current options.
+# Fedora users should enable redhat.
+DISTRO = debian
+
+# Unknown Permissions Handling
+# The behavior for handling permissions defined in the
+# kernel but missing from the policy. The permissions
+# can either be allowed, denied, or the policy loading
+# can be rejected.
+# allow, deny, and reject are current options.
+UNK_PERMS = deny
+
+# Direct admin init
+# Setting this will allow sysadm to directly
+# run init scripts, instead of requring run_init.
+# This is a build option, as role transitions do
+# not work in conditional policy.
+DIRECT_INITRC = y
+
+# Build monolithic policy. Putting n here
+# will build a loadable module policy.
+MONOLITHIC = n
+
+# User-based access control (UBAC)
+# Enable UBAC for role separations.
+UBAC = n
+
+# Number of MLS Sensitivities
+# The sensitivities will be s0 to s(MLS_SENS-1).
+# Dominance will be in increasing numerical order
+# with s0 being lowest.
+MLS_SENS = 16
+
+# Number of MLS Categories
+# The categories will be c0 to c(MLS_CATS-1).
+MLS_CATS = 1024
+
+# Number of MCS Categories
+# The categories will be c0 to c(MLS_CATS-1).
+MCS_CATS = 1024
+
+# Set this to y to only display status messages
+# during build.
+QUIET = n
+
+# arch-tag: ec64afa6-f6f8-4b08-b002-6025ada3a269
--- refpolicy-2.20110726.orig/debian/watch
+++ refpolicy-2.20110726/debian/watch
@@ -0,0 +1,8 @@
+# format version number, currently 2; this line is compulsory!
+version=3
+
+opts="uversionmangle=s/^2./0.2./" \
+http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease \
+ /files/refpolicy/refpolicy-(.*)\.tar\.bz2
+
+# arch-tag: cf70b245-38bc-49ea-a6a4-ac970978aea4
--- refpolicy-2.20110726.orig/debian/modules.conf.default
+++ refpolicy-2.20110726/debian/modules.conf.default
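Review bot: `UBAC = n` switches off the user-based separation constraints for the Debian default build, but only the generic upstream text `# Enable UBAC for role separations.` sits above it, so a reader cannot tell whether this is a deliberate choice or a leftover; a one-line note such as `# Disabled in the Debian default policy: <reason>` next to the value would record it. `DIRECT_INITRC = y`, which lets sysadm start init scripts without going through run_init, is the other security-relevant departure in this file and deserves the same rationale. Minor: the `MCS_CATS` comment reads `c(MLS_CATS-1)` where `c(MCS_CATS-1)` is meant.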
@@ -0,0 +1,2171 @@
+#
+# This file contains a listing of available modules.
+# To prevent a module from being used in policy
+# creation, set the module name to "off".
+#
+# For monolithic policies, modules set to "base" and "module"
+# will be built into the policy.
+#
+# For modular policies, modules set to "base" will be
+# included in the base module. "module" will be compiled
+# as individual loadable modules.
+#
+
+# Layer: kernel
+# Module: corecommands
+# Required in base
+#
+# Core policy for shells, and generic programs
+# in /bin, /sbin, /usr/bin, and /usr/sbin.
+#
+corecommands = base
+
+# Layer: kernel
+# Module: corenetwork
+# Required in base
+#
+# Policy controlling access to network objects
+#
+corenetwork = base
+
+# Layer: kernel
+# Module: devices
+# Required in base
+#
+# Device nodes and interfaces for many basic system devices.
+#
+devices = base
+
+# Layer: kernel
+# Module: domain
+# Required in base
+#
+# Core policy for domains.
+#
+domain = base
+
+# Layer: kernel
+# Module: files
+# Required in base
+#
+# Basic filesystem types and interfaces.
+#
+files = base
+
+# Layer: kernel
+# Module: filesystem
+# Required in base
+#
+# Policy for filesystems.
+#
+filesystem = base
+
+# Layer: kernel
+# Module: kernel
+# Required in base
+#
+# Policy for kernel threads, proc filesystem,
+# and unlabeled processes and objects.
+#
+kernel = base
+
+# Layer: kernel
+# Module: mcs
+# Required in base
+#
+# Multicategory security policy
+#
+mcs = base
+
+# Layer: kernel
+# Module: mls
+# Required in base
+#
+# Multilevel security policy
+#
+mls = base
+
+# Layer: kernel
+# Module: selinux
+# Required in base
+#
+# Policy for kernel security interface, in particular, selinuxfs.
+#
+selinux = base
+
+# Layer: kernel
+# Module: terminal
+# Required in base
+#
+# Policy for terminals.
+# +terminal = base + +# Layer: kernel +# Module: ubac +# Required in base +# +# User-based access control policy +# +ubac = base + +# Layer: admin +# Module: acct +# +# Berkeley process accounting +# +acct = module + +# Layer: admin +# Module: alsa +# +# Ainit ALSA configuration tool +# +alsa = module + +# Layer: admin +# Module: amanda +# +# Automated backup program. +# +amanda = module + +# Layer: admin +# Module: amtu +# +# Abstract Machine Test Utility +# +amtu = off + +# Layer: admin +# Module: anaconda +# +# Policy for the Anaconda installer. +# +anaconda = off + +# Layer: admin +# Module: apt +# +# APT advanced package tool. +# +apt = base + +# Layer: admin +# Module: backup +# +# System backup scripts +# +backup = module + +# Layer: admin +# Module: bootloader +# +# Policy for the kernel modules, kernel image, and bootloader. +# +bootloader = module + +# Layer: admin +# Module: brctl +# +# Utilities for configuring the linux ethernet bridge +# +brctl = module + +# Layer: admin +# Module: certwatch +# +# Digital Certificate Tracking +# +certwatch = module + +# Layer: admin +# Module: consoletype +# +# Determine of the console connected to the controlling terminal. +# +consoletype = off + +# Layer: admin +# Module: ddcprobe +# +# ddcprobe retrieves monitor and graphics card information +# +ddcprobe = off + +# Layer: admin +# Module: dmesg +# +# Policy for dmesg. +# +dmesg = base + +# Layer: admin +# Module: dmidecode +# +# Decode DMI data for x86/ia64 bioses. +# +dmidecode = module + +# Layer: admin +# Module: dpkg +# +# Policy for the Debian package manager. +# +dpkg = base + +# Layer: admin +# Module: firstboot +# +# Final system configuration run during the first boot +# after installation of Red Hat/Fedora systems. +# +firstboot = off + +# Layer: admin +# Module: kismet +# +# Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. 
+# +kismet = module + +# Layer: admin +# Module: kudzu +# +# Hardware detection and configuration tools +# +kudzu = off + +# Layer: admin +# Module: logrotate +# +# Rotate and archive system logs +# +logrotate = base + +# Layer: admin +# Module: logwatch +# +# System log analyzer and reporter +# +logwatch = module + +# Layer: admin +# Module: mrtg +# +# Network traffic graphing +# +mrtg = module + +# Layer: admin +# Module: netutils +# +# Network analysis utilities +# +netutils = module + +# Layer: admin +# Module: portage +# +# Portage Package Management System. The primary package management and +# distribution system for Gentoo. +# +portage = off + +# Layer: admin +# Module: prelink +# +# Prelink ELF shared library mappings. +# +prelink = module + +# Layer: admin +# Module: quota +# +# File system quota management +# +quota = module + +# Layer: admin +# Module: readahead +# +# Readahead, read files into page cache for improved performance +# +readahead = module + +# Layer: admin +# Module: rpm +# +# Policy for the RPM package manager. +# +rpm = module + +# Layer: admin +# Module: shorewall +# +# Shoreline Firewall high-level tool for configuring netfilter +# +shorewall = module + +# Layer: admin +# Module: su +# +# Run shells with substitute user and group +# +su = base + +# Layer: admin +# Module: sudo +# +# Execute a command with a substitute user +# +sudo = module + +# Layer: admin +# Module: sxid +# +# SUID/SGID program monitoring +# +sxid = module + +# Layer: admin +# Module: tmpreaper +# +# Manage temporary directory sizes and file ages +# +tmpreaper = base + +# Layer: admin +# Module: tripwire +# +# Tripwire file integrity checker. +# +tripwire = module + +# Layer: admin +# Module: tzdata +# +# Time zone updater +# +tzdata = module + +# Layer: admin +# Module: updfstab +# +# Red Hat utility to change /etc/fstab. 
+# +updfstab = off + +# Layer: admin +# Module: usbmodules +# +# List kernel modules of USB devices +# +usbmodules = module + +# Layer: admin +# Module: usermanage +# +# Policy for managing user accounts. +# +usermanage = base + +# Layer: admin +# Module: vbetool +# +# run real-mode video BIOS code to alter hardware state +# +vbetool = module + +# Layer: admin +# Module: vpn +# +# Virtual Private Networking client +# +vpn = module + +# Layer: apps +# Module: ada +# +# GNAT Ada95 compiler +# +ada = module + +# Layer: apps +# Module: authbind +# +# Tool for non-root processes to bind to reserved ports +# +authbind = module + +# Layer: apps +# Module: awstats +# +# AWStats is a free powerful and featureful tool that generates advanced +# web, streaming, ftp or mail server statistics, graphically. +# +awstats = module + +# Layer: apps +# Module: calamaris +# +# Squid log analysis +# +calamaris = module + +# Layer: apps +# Module: cdrecord +# +# Policy for cdrecord +# +cdrecord = module + +# Layer: apps +# Module: cpufreqselector +# +# Command-line CPU frequency settings. +# +cpufreqselector = module + +# Layer: apps +# Module: evolution +# +# Evolution email client +# +evolution = module + +# Layer: apps +# Module: games +# +# Games +# +games = module + +# Layer: apps +# Module: gift +# +# giFT peer to peer file sharing tool +# +gift = module + +# Layer: apps +# Module: gitosis +# +# Tools for managing and hosting git repositories. +# +gitosis = module + +# Layer: apps +# Module: gnome +# +# GNU network object model environment (GNOME) +# +gnome = module + +# Layer: apps +# Module: gpg +# +# Policy for GNU Privacy Guard and related programs. +# +gpg = module + +# Layer: apps +# Module: irc +# +# IRC client policy +# +irc = module + +# Layer: apps +# Module: java +# +# Java virtual machine +# +java = module + +# Layer: apps +# Module: loadkeys +# +# Load keyboard mappings. 
+# +loadkeys = module + +# Layer: apps +# Module: lockdev +# +# device locking policy for lockdev +# +lockdev = module + +# Layer: apps +# Module: mono +# +# Run .NET server and client applications on Linux. +# +mono = module + +# Layer: apps +# Module: mozilla +# +# Policy for Mozilla and related web browsers +# +mozilla = module + +# Layer: apps +# Module: mplayer +# +# Mplayer media player and encoder +# +mplayer = module + +# Layer: apps +# Module: podsleuth +# +# Podsleuth is a tool to get information about an Apple (TM) iPod (TM) +# +podsleuth = module + +# Layer: apps +# Module: ptchown +# +# helper function for grantpt(3), changes ownship and permissions of pseudotty +# +ptchown = module + +# Layer: apps +# Module: pulseaudio +# +# Pulseaudio network sound server. +# +pulseaudio = module + +# Layer: apps +# Module: qemu +# +# QEMU machine emulator and virtualizer +# +qemu = module + +# Layer: apps +# Module: rssh +# +# Restricted (scp/sftp) only shell +# +rssh = module + +# Layer: apps +# Module: screen +# +# GNU terminal multiplexer +# +screen = module + +# Layer: apps +# Module: seunshare +# +# Filesystem namespacing/polyinstantiation application. 
+# +seunshare = module + +# Layer: apps +# Module: slocate +# +# Update database for mlocate +# +slocate = module + +# Layer: apps +# Module: thunderbird +# +# Thunderbird email client +# +thunderbird = module + +# Layer: apps +# Module: tvtime +# +# tvtime - a high quality television application +# +tvtime = module + +# Layer: apps +# Module: uml +# +# Policy for UML +# +uml = module + +# Layer: apps +# Module: userhelper +# +# SELinux utility to run a shell with a new role +# +userhelper = module + +# Layer: apps +# Module: usernetctl +# +# User network interface configuration helper +# +usernetctl = module + +# Layer: apps +# Module: vmware +# +# VMWare Workstation virtual machines +# +vmware = module + +# Layer: apps +# Module: webalizer +# +# Web server log analysis +# +webalizer = module + +# Layer: apps +# Module: wine +# +# Wine Is Not an Emulator. Run Windows programs in Linux. +# +wine = module + +# Layer: apps +# Module: wireshark +# +# Wireshark packet capture tool. +# +wireshark = module + +# Layer: apps +# Module: wm +# +# X Window Managers +# +wm = module + +# Layer: apps +# Module: xscreensaver +# +# X Screensaver +# +xscreensaver = module + +# Layer: apps +# Module: yam +# +# Yum/Apt Mirroring +# +yam = module + +# Layer: kernel +# Module: storage +# +# Policy controlling access to storage devices +# +storage = base + +# Layer: roles +# Module: auditadm +# +# Audit administrator role +# +auditadm = module + +# Layer: roles +# Module: guest +# +# Least privledge terminal user role +# +guest = module + +# Layer: roles +# Module: logadm +# +# Log administrator role +# +logadm = module + +# Layer: roles +# Module: secadm +# +# Security administrator role +# +secadm = off + +# Layer: roles +# Module: staff +# +# Administrator's unprivileged user role +# +staff = base + +# Layer: roles +# Module: sysadm +# +# General system administration role +# +sysadm = base + +# Layer: roles +# Module: unprivuser +# +# Generic unprivileged user role +# +unprivuser = 
base + +# Layer: roles +# Module: webadm +# +# Web administrator role +# +webadm = module + +# Layer: roles +# Module: xguest +# +# Least privledge xwindows user role +# +xguest = module + +# Layer: services +# Module: abrt +# +# ABRT - automated bug-reporting tool +# +abrt = off + +# Layer: services +# Module: afs +# +# Andrew Filesystem server +# +afs = module + +# Layer: services +# Module: aide +# +# Aide filesystem integrity checker +# +aide = module + +# Layer: services +# Module: amavis +# +# Daemon that interfaces mail transfer agents and content +# checkers, such as virus scanners. +# +amavis = off + +# Layer: services +# Module: apache +# +# Apache web server +# +apache = module + +# Layer: services +# Module: apcupsd +# +# APC UPS monitoring daemon +# +apcupsd = module + +# Layer: services +# Module: apm +# +# Advanced power management daemon +# +apm = module + +# Layer: services +# Module: arpwatch +# +# Ethernet activity monitor. +# +arpwatch = module + +# Layer: services +# Module: asterisk +# +# Asterisk IP telephony server +# +asterisk = module + +# Layer: services +# Module: automount +# +# Filesystem automounter service. +# +automount = module + +# Layer: services +# Module: avahi +# +# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture +# +avahi = module + +# Layer: services +# Module: bind +# +# Berkeley internet name domain DNS server. +# +bind = module + +# Layer: services +# Module: bitlbee +# +# Bitlbee service +# +bitlbee = module + +# Layer: services +# Module: bluetooth +# +# Bluetooth tools and system services. 
+# +bluetooth = module + +# Layer: services +# Module: canna +# +# Canna - kana-kanji conversion server +# +canna = module + +# Layer: services +# Module: ccs +# +# Cluster Configuration System +# +ccs = module + +# Layer: services +# Module: certmaster +# +# Certmaster SSL certificate distribution service +# +certmaster = module + +# Layer: services +# Module: cipe +# +# Encrypted tunnel daemon +# +cipe = module + +# Layer: services +# Module: clamav +# +# ClamAV Virus Scanner +# +clamav = module + +# Layer: services +# Module: clockspeed +# +# Clockspeed simple network time protocol client +# +clockspeed = module + +# Layer: services +# Module: comsat +# +# Comsat, a biff server. +# +comsat = module + +# Layer: services +# Module: consolekit +# +# Framework for facilitating multiple user sessions on desktops. +# +consolekit = module + +# Layer: services +# Module: courier +# +# Courier IMAP and POP3 email servers +# +courier = module + +# Layer: services +# Module: cpucontrol +# +# Services for loading CPU microcode and CPU frequency scaling. +# +cpucontrol = module + +# Layer: services +# Module: cron +# +# Periodic execution of scheduled commands. +# +cron = base + +# Layer: services +# Module: cups +# +# Common UNIX printing system +# +cups = module + +# Layer: services +# Module: cvs +# +# Concurrent versions system +# +cvs = module + +# Layer: services +# Module: cyphesis +# +# Cyphesis WorldForge game server +# +cyphesis = module + +# Layer: services +# Module: cyrus +# +# Cyrus is an IMAP service intended to be run on sealed servers +# +cyrus = module + +# Layer: services +# Module: dante +# +# Dante msproxy and socks4/5 proxy server +# +dante = module + +# Layer: services +# Module: dbskk +# +# Dictionary server for the SKK Japanese input method system. 
+# +dbskk = module + +# Layer: services +# Module: dbus +# +# Desktop messaging bus +# +dbus = module + +# Layer: services +# Module: dcc +# +# Distributed checksum clearinghouse spam filtering +# +dcc = module + +# Layer: services +# Module: ddclient +# +# Update dynamic IP address at DynDNS.org +# +ddclient = module + +# Layer: services +# Module: devicekit +# +# Devicekit modular hardware abstraction layer +# +devicekit = module + +# Layer: services +# Module: dhcp +# +# Dynamic host configuration protocol (DHCP) server +# +dhcp = module + +# Layer: services +# Module: dictd +# +# Dictionary daemon +# +dictd = module + +# Layer: services +# Module: distcc +# +# Distributed compiler daemon +# +distcc = module + +# Layer: services +# Module: djbdns +# +# small and secure DNS daemon +# +djbdns = module + +# Layer: services +# Module: dkim +# +# DomainKeys Identified Mail milter. +# +dkim = module + +# Layer: services +# Module: dnsmasq +# +# dnsmasq DNS forwarder and DHCP server +# +dnsmasq = module + +# Layer: services +# Module: dovecot +# +# Dovecot POP and IMAP mail server +# +dovecot = module + +# Layer: services +# Module: epmd +# +# Erlang Port Mapper Daemon (epmd). +# +epmd = module + +# Layer: services +# Module: exim +# +# Exim mail transfer agent +# +exim = module + +# Layer: services +# Module: fail2ban +# +# Update firewall filtering to ban IP addresses with too many password failures. +# +fail2ban = module + +# Layer: services +# Module: fetchmail +# +# Remote-mail retrieval and forwarding utility +# +fetchmail = module + +# Layer: services +# Module: finger +# +# Finger user information service. 
+# +finger = module + +# Layer: services +# Module: fprintd +# +# DBus fingerprint reader service +# +fprintd = module + +# Layer: services +# Module: ftp +# +# File transfer protocol service +# +ftp = module + +# Layer: services +# Module: gatekeeper +# +# OpenH.323 Voice-Over-IP Gatekeeper +# +gatekeeper = module + +# Layer: services +# Module: git +# +# GIT revision control system +# +git = module + +# Layer: services +# Module: gnomeclock +# +# Gnome clock handler for setting the time. +# +gnomeclock = module + +# Layer: services +# Module: gpm +# +# General Purpose Mouse driver +# +gpm = module + +# Layer: services +# Module: gpsd +# +# gpsd monitor daemon +# +gpsd = module + +# Layer: services +# Module: hal +# +# Hardware abstraction layer +# +hal = base + +# Layer: services +# Module: hddtemp +# +# hddtemp hard disk temperature tool running as a daemon +# +hddtemp = module + +# Layer: services +# Module: howl +# +# Port of Apple Rendezvous multicast DNS +# +howl = module + +# Layer: services +# Module: i18n_input +# +# IIIMF htt server +# +i18n_input = module + +# Layer: services +# Module: ifplugd +# +# Bring up/down ethernet interfaces based on cable detection. +# +ifplugd = module + +# Layer: services +# Module: imaze +# +# iMaze game server +# +imaze = module + +# Layer: services +# Module: inetd +# +# Internet services daemon. 
+# +inetd = base + +# Layer: services +# Module: inn +# +# Internet News NNTP server +# +inn = module + +# Layer: services +# Module: ircd +# +# IRC server +# +ircd = module + +# Layer: services +# Module: irqbalance +# +# IRQ balancing daemon +# +irqbalance = module + +# Layer: services +# Module: jabber +# +# Jabber instant messaging server +# +jabber = module + +# Layer: services +# Module: kerberos +# +# MIT Kerberos admin and KDC +# +kerberos = module + +# Layer: services +# Module: kerneloops +# +# Service for reporting kernel oopses to kerneloops.org +# +kerneloops = module + +# Layer: services +# Module: ktalk +# +# KDE Talk daemon +# +ktalk = module + +# Layer: services +# Module: lda +# +# mail delivery agent +# +lda = module + +# Layer: services +# Module: ldap +# +# OpenLDAP directory server +# +ldap = module + +# Layer: services +# Module: lircd +# +# Linux infared remote control daemon +# +lircd = module + +# Layer: services +# Module: lpd +# +# Line printer daemon +# +lpd = module + +# Layer: services +# Module: mailman +# +# Mailman is for managing electronic mail discussion and e-newsletter lists +# +mailman = module + +# Layer: services +# Module: memcached +# +# high-performance memory object caching system +# +memcached = module + +# Layer: services +# Module: milter +# +# Milter mail filters +# +milter = module + +# Layer: services +# Module: modemmanager +# +# Provides a DBus interface to communicate with mobile broadband (GSM, CDMA, UMTS, ...) cards. +# +modemmanager = module + +# Layer: services +# Module: monop +# +# Monopoly daemon +# +monop = module + +# Layer: services +# Module: mta +# +# Policy common to all email tranfer agents. 
+# +mta = base + +# Layer: services +# Module: munin +# +# Munin network-wide load graphing (formerly LRRD) +# +munin = module + +# Layer: services +# Module: mysql +# +# Policy for MySQL +# +mysql = module + +# Layer: services +# Module: nagios +# +# Net Saint / NAGIOS - network monitoring server +# +nagios = module + +# Layer: services +# Module: nessus +# +# Nessus network scanning daemon +# +nessus = module + +# Layer: services +# Module: networkmanager +# +# Manager for dynamically switching between networks. +# +networkmanager = module + +# Layer: services +# Module: nis +# +# Policy for NIS (YP) servers and clients +# +nis = module + +# Layer: services +# Module: nscd +# +# Name service cache daemon +# +nscd = module + +# Layer: services +# Module: nsd +# +# Authoritative only name server +# +nsd = module + +# Layer: services +# Module: nslcd +# +# nslcd - local LDAP name service daemon. +# +nslcd = module + +# Layer: services +# Module: ntop +# +# Network Top +# +ntop = module + +# Layer: services +# Module: ntp +# +# Network time protocol daemon +# +ntp = module + +# Layer: services +# Module: nx +# +# NX remote desktop +# +# nx = module + +# Layer: services +# Module: oav +# +# Open AntiVirus scannerdaemon and signature update +# +oav = module + +# Layer: services +# Module: oddjob +# +# Oddjob provides a mechanism by which unprivileged applications can +# request that specified privileged operations be performed on their +# behalf. +# +oddjob = module + +# Layer: services +# Module: oident +# +# SELinux policy for Oident daemon. +# +oident = module + +# Layer: services +# Module: openca +# +# OpenCA - Open Certificate Authority +# +openca = module + +# Layer: services +# Module: openct +# +# Service for handling smart card readers. 
+# +openct = module + +# Layer: services +# Module: openvpn +# +# full-featured SSL VPN solution +# +openvpn = module + +# Layer: services +# Module: pads +# +# Passive Asset Detection System +# +pads = module + +# Layer: services +# Module: pcscd +# +# PCSC smart card service +# +pcscd = module + +# Layer: services +# Module: pegasus +# +# The Open Group Pegasus CIM/WBEM Server. +# +pegasus = module + +# Layer: services +# Module: perdition +# +# Perdition POP and IMAP proxy +# +perdition = module + +# Layer: services +# Module: pingd +# +# Pingd of the Whatsup cluster node up/down detection utility +# +pingd = module + +# Layer: services +# Module: policykit +# +# Policy framework for controlling privileges for system-wide services. +# +policykit = module + +# Layer: services +# Module: portmap +# +# RPC port mapping service. +# +portmap = module + +# Layer: services +# Module: portreserve +# +# Reserve well-known ports in the RPC port range. +# +portreserve = module + +# Layer: services +# Module: portslave +# +# Portslave terminal server software +# +portslave = module + +# Layer: services +# Module: postfix +# +# Postfix email server +# +postfix = module + +# Layer: services +# Module: postfixpolicyd +# +# Postfix policy server +# +postfixpolicyd = module + +# Layer: services +# Module: postgresql +# +# PostgreSQL relational database +# +postgresql = module + +# Layer: services +# Module: postgrey +# +# Postfix grey-listing server +# +postgrey = module + +# Layer: services +# Module: ppp +# +# Point to Point Protocol daemon creates links in ppp networks +# +ppp = module + +# Layer: services +# Module: prelude +# +# Prelude hybrid intrusion detection system +# +prelude = module + +# Layer: services +# Module: privoxy +# +# Privacy enhancing web proxy. 
+# +privoxy = module + +# Layer: services +# Module: psad +# +# Intrusion Detection and Log Analysis with iptables +# +psad = module + +# Layer: services +# Module: publicfile +# +# publicfile supplies files to the public through HTTP and FTP +# +publicfile = module + +# Layer: services +# Module: puppet +# +# Puppet client daemon +# +puppet = module + +# Layer: services +# Module: pxe +# +# Server for the PXE network boot protocol +# +pxe = module + +# Layer: services +# Module: pyzor +# +# Pyzor is a distributed, collaborative spam detection and filtering network. +# +pyzor = module + +# Layer: services +# Module: qmail +# +# Qmail Mail Server +# +qmail = module + +# Layer: services +# Module: radius +# +# RADIUS authentication and accounting server. +# +radius = module + +# Layer: services +# Module: radvd +# +# IPv6 router advertisement daemon +# +radvd = module + +# Layer: services +# Module: razor +# +# A distributed, collaborative, spam detection and filtering network. +# +razor = module + +# Layer: services +# Module: rdisc +# +# Network router discovery daemon +# +rdisc = module + +# Layer: services +# Module: remotelogin +# +# Policy for rshd, rlogind, and telnetd. +# +remotelogin = module + +# Layer: services +# Module: resmgr +# +# Resource management daemon +# +resmgr = module + +# Layer: services +# Module: rhgb +# +# Red Hat Graphical Boot +# +rhgb = module + +# Layer: services +# Module: ricci +# +# Ricci cluster management agent +# +ricci = module + +# Layer: services +# Module: rlogin +# +# Remote login daemon +# +rlogin = module + +# Layer: services +# Module: roundup +# +# Roundup Issue Tracking System policy +# +roundup = module + +# Layer: services +# Module: rpc +# +# Remote Procedure Call Daemon for managment of network based process communication +# +rpc = module + +# Layer: services +# Module: rpcbind +# +# Universal Addresses to RPC Program Number Mapper +# +rpcbind = module + +# Layer: services +# Module: rshd +# +# Remote shell service. 
+# +rshd = module + +# Layer: services +# Module: rsync +# +# Fast incremental file transfer for synchronization +# +rsync = module + +# Layer: services +# Module: rtkit +# +# Realtime scheduling for user processes. +# +rtkit = module + +# Layer: services +# Module: rwho +# +# Who is logged in on other machines? +# +rwho = module + +# Layer: services +# Module: samba +# +# SMB and CIFS client/server programs for UNIX and +# name Service Switch daemon for resolving names +# from Windows NT servers. +# +samba = module + +# Layer: services +# Module: sasl +# +# SASL authentication server +# +sasl = module + +# Layer: services +# Module: sendmail +# +# Policy for sendmail. +# +sendmail = module + +# Layer: services +# Module: setroubleshoot +# +# SELinux troubleshooting service +# +setroubleshoot = module + +# Layer: services +# Module: slrnpull +# +# Service for downloading news feeds the slrn newsreader. +# +slrnpull = module + +# Layer: services +# Module: smartmon +# +# Smart disk monitoring daemon policy +# +smartmon = module + +# Layer: services +# Module: snmp +# +# Simple network management protocol services +# +snmp = module + +# Layer: services +# Module: snort +# +# Snort network intrusion detection system +# +snort = module + +# Layer: services +# Module: soundserver +# +# sound server for network audio server programs, nasd, yiff, etc +# +soundserver = module + +# Layer: services +# Module: spamassassin +# +# Filter used for removing unsolicited email. +# +spamassassin = module + +# Layer: services +# Module: speedtouch +# +# Alcatel speedtouch USB ADSL modem +# +speedtouch = module + +# Layer: services +# Module: squid +# +# Squid caching http proxy server +# +squid = module + +# Layer: services +# Module: ssh +# +# Secure shell client and server policy. 
+# +ssh = module + +# Layer: services +# Module: sssd +# +# System Security Services Daemon +# +sssd = module + +# Layer: services +# Module: stunnel +# +# SSL Tunneling Proxy +# +stunnel = module + +# Layer: services +# Module: sysstat +# +# Policy for sysstat. Reports on various system states +# +sysstat = module + +# Layer: services +# Module: tcpd +# +# Policy for TCP daemon. +# +tcpd = module + +# Layer: services +# Module: telnet +# +# Telnet daemon +# +telnet = module + +# Layer: services +# Module: tftp +# +# Trivial file transfer protocol daemon +# +tftp = module + +# Layer: services +# Module: tgtd +# +# Linux Target Framework Daemon. +# +tgtd = module + +# Layer: services +# Module: timidity +# +# MIDI to WAV converter and player configured as a service +# +timidity = module + +# Layer: services +# Module: tor +# +# TOR, the onion router +# +tor = module + +# Layer: services +# Module: transproxy +# +# HTTP transperant proxy +# +transproxy = module + +# Layer: services +# Module: tuned +# +# Dynamic adaptive system tuning daemon +# +tuned = module + +# Layer: services +# Module: ucspitcp +# +# ucspitcp policy +# +ucspitcp = module + +# Layer: services +# Module: ulogd +# +# Iptables/netfilter userspace logging daemon. 
+# +ulogd = module + +# Layer: services +# Module: uptime +# +# Uptime daemon +# +uptime = module + +# Layer: services +# Module: uucp +# +# Unix to Unix Copy +# +uucp = module + +# Layer: services +# Module: uwimap +# +# University of Washington IMAP toolkit POP3 and IMAP mail server +# +uwimap = module + +# Layer: services +# Module: varnishd +# +# Varnishd http accelerator daemon +# +varnishd = module + +# Layer: services +# Module: virt +# +# Libvirt virtualization API +# +virt = module + +# Layer: services +# Module: w3c +# +# W3C Markup Validator +# +w3c = module + +# Layer: services +# Module: watchdog +# +# Software watchdog +# +watchdog = module + +# Layer: services +# Module: xfs +# +# X Windows Font Server +# +xfs = module + +# Layer: services +# Module: xprint +# +# X print server +# +xprint = module + +# Layer: services +# Module: xserver +# +# X Windows Server +# +xserver = module + +# Layer: services +# Module: zabbix +# +# Distributed infrastructure monitoring +# +zabbix = module + +# Layer: services +# Module: zebra +# +# Zebra border gateway protocol network routing service +# +zebra = module + +# Layer: services +# Module: zosremote +# +# policy for z/OS Remote-services Audit dispatcher plugin +# +zosremote = module + +# Layer: system +# Module: application +# +# Policy for user executable applications. +# +application = base + +# Layer: system +# Module: authlogin +# +# Common policy for authentication and user login. +# +authlogin = base + +# Layer: system +# Module: clock +# +# Policy for reading and setting the hardware clock. +# +clock = base + +# Layer: system +# Module: daemontools +# +# Collection of tools for managing UNIX services +# +daemontools = module + +# Layer: system +# Module: fstools +# +# Tools for filesystem management, such as mkfs and fsck. +# +fstools = base + +# Layer: system +# Module: getty +# +# Policy for getty. +# +getty = base + +# Layer: system +# Module: hostname +# +# Policy for changing the system host name. 
+# +hostname = base + +# Layer: system +# Module: hotplug +# +# Policy for hotplug system, for supporting the +# connection and disconnection of devices at runtime. +# +hotplug = module + +# Layer: system +# Module: init +# +# System initialization programs (init and init scripts). +# +init = base + +# Layer: system +# Module: ipsec +# +# TCP/IP encryption +# +ipsec = module + +# Layer: system +# Module: iodine +# +# IP over DNS tunneling +# +iodine = module + +# Layer: system +# Module: iptables +# +# Policy for iptables. +# +iptables = base + +# Layer: system +# Module: iscsi +# +# Establish connections to iSCSI devices +# +iscsi = module + +# Layer: system +# Module: kdump +# +# Kernel crash dumping mechanism +# +kdump = module + +# Layer: system +# Module: libraries +# +# Policy for system libraries. +# +libraries = base + +# Layer: system +# Module: locallogin +# +# Policy for local logins. +# +locallogin = base + +# Layer: system +# Module: logging +# +# Policy for the kernel message logger and system logging daemon. +# +logging = base + +# Layer: system +# Module: lvm +# +# Policy for logical volume management programs. +# +lvm = module + +# Layer: system +# Module: miscfiles +# +# Miscelaneous files. +# +miscfiles = base + +# Layer: system +# Module: modutils +# +# Policy for kernel module utilities +# +modutils = base + +# Layer: system +# Module: mount +# +# Policy for mount. +# +mount = base + +# Layer: system +# Module: netlabel +# +# NetLabel/CIPSO labeled networking management +# +netlabel = base + +# Layer: system +# Module: pcmcia +# +# PCMCIA card management services +# +pcmcia = module + +# Layer: system +# Module: pythonsupport +# +# Support for precompiling python modules +# +pythonsupport = module + +# Layer: system +# Module: raid +# +# RAID array management tools +# +raid = module + +# Layer: system +# Module: selinuxutil +# +# Policy for SELinux policy and userland applications. 
+#
+selinuxutil = base
+
+# Layer: system
+# Module: setrans
+#
+# SELinux MLS/MCS label translation service.
+#
+setrans = base
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+#
+sysnetwork = base
+
+# Layer: system
+# Module: udev
+#
+# Policy for udev.
+#
+udev = base
+
+# Layer: system
+# Module: unconfined
+#
+# The unconfined domain.
+#
+unconfined = module
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+#
+userdomain = base
+
+# Layer: system
+# Module: xen
+#
+# Xen hypervisor
+#
+xen = module
+
--- refpolicy-2.20110726.orig/debian/setrans.conf
+++ refpolicy-2.20110726/debian/setrans.conf
@@ -0,0 +1,19 @@
+#
+# Multi-Category Security translation table for SELinux
+#
+# Uncomment the following to disable translation libary
+# disable=1
+#
+# Objects can be categorized with 0-1023 categories defined by the admin.
+# Objects can be in more than one category at a time.
+# Categories are stored in the system as c0-c1023. Users can use this
+# table to translate the categories into a more meaningful output.
+# Examples:
+# s0:c0=CompanyConfidential
+# s0:c1=PatientRecord
+# s0:c2=Unclassified
+# s0:c3=TopSecret
+# s0:c1,c3=CompanyConfidentialRedHat
+s0=SystemLow
+s0-s0:c0.c1023=SystemLow-SystemHigh
+s0:c0.c1023=SystemHigh
--- refpolicy-2.20110726.orig/debian/NEWS.Debian
+++ refpolicy-2.20110726/debian/NEWS.Debian
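Review bot: The `nx` entry in the services layer is the only module in the file that is commented out (`# nx = module`) instead of being given a value, so it disappears from any tooling that reads the enabled/disabled set; the file header says a module is disabled by setting it to `off`, so `nx = off` keeps the intent explicit and consistent with the other disabled entries such as `secadm = off`. The `guest` and `xguest` descriptions both spell `privledge`, which should be `privilege`.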
@@ -0,0 +1,24 @@
+refpolicy (2:0.0.20090621-1) unstable; urgency=low
+
+ * There have been some major updates in the file contexts in this
+ release, so a relabelling of the file system is recommended after this
+ upgrade. Please install selinux-basics, touch /.autorelabel as root,
+ and reboot.
+
+ -- Manoj Srivastava Mon, 22 Jun 2009 02:42:42 -0500
+
+
+refpolicy (0.0.20061018-2) unstable; urgency=high
+
+
+ * When installing strict policy, the postinst does not check for the
+ contents of /etc/selinux/config to see if SELINUXTYPE is set to
+ refpolicy-strict or not. Ideally, if config does not have SELINUXTYPE
+ set to refpolicy-strict, the installer should be prompted to see if
+ they want to change the policy type and relabel; this is not yet
+ done. Please ensure that the setting for SELINUXTYPE in the
+ configuration file /etc/selinux/config matches what you want it to
+ be.
+
+ -- Manoj Srivastava Fri, 22 Dec 2006 10:40:38 -0600
+
--- refpolicy-2.20110726.orig/debian/local-vars.mk
+++ refpolicy-2.20110726/debian/local-vars.mk
@@ -0,0 +1,68 @@
+############################ -*- Mode: Makefile -*- ###########################
+## local-vars.mk ---
+## Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+## Created On : Sat Nov 15 10:43:00 2003
+## Created On Node : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Sun Aug 20 21:57:04 2006
+## Last Machine Used: glaurung.internal.golden-gryphon.com
+## Update Count : 14
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description :
+##
+## arch-tag: 1a76a87e-7af5-424a-a30d-61660c8f243e
+##
+###############################################################################
+
+FILES_TO_CLEAN = debian/files
+STAMPS_TO_CLEAN =
+DIRS_TO_CLEAN = config/appconfig-strict-mcs config/appconfig-targeted-mcs
+
+# Location of the source dir
+SRCTOP := $(shell if [ "$$PWD" != "" ]; then echo $$PWD; else pwd; fi)
+TMPTOP = $(SRCTOP)/debian/$(package)
+LINTIANDIR = $(TMPTOP)/usr/share/lintian/overrides
+DOCBASEDIR = $(TMPTOP)/usr/share/doc-base
+
+BINDIR = $(TMPTOP)$(PREFIX)/bin
+LIBDIR = $(TMPTOP)$(PREFIX)/lib
+# Man Pages
+MANDIR = $(TMPTOP)/usr/share/man
+MAN1DIR = $(MANDIR)/man1
+MAN3DIR = $(MANDIR)/man3
+MAN5DIR = $(MANDIR)/man5
+MAN7DIR = $(MANDIR)/man7
+MAN8DIR = $(MANDIR)/man8
+
+INFODIR = $(TMPTOP)/usr/share/info
+DOCTOP = $(TMPTOP)/usr/share/doc
+DOCDIR = $(DOCTOP)/$(package)
+MENUDIR = $(TMPTOP)/usr/lib/menu/
+
+OPTIONS=DISTRO=debian DIRECT_INITRC=y MONOLITHIC=n
+
+PYDEFAULT =$(strip $(shell pyversions -vd))
+MODULES_DIR=$(TMPTOP)/usr/share/python-support/$(package)
+
+# set this to -mcs, -mls, or -mcs-mls
+MCS_MLS_TYPE=-mcs
+
+# Things we have put into the base for Debian systems.
+# egrep base debian/modules.conf.targeted | grep -v '#' | \
+# sort | sed -e 's/=.*$//g'
+NON_MODULES=application apt authlogin clock corecommands \
+ corenetwork cron devices dmesg domain dpkg files filesystem \
+ fstools getty hostname init iptables kernel libraries \
+ locallogin logging logrotate mcs miscfiles mls modutils mount \
+ mta selinux selinuxutil storage su sysnetwork terminal \
+ userdomain userhelper usermanage
+
+define checkdir
+ @test -f debian/rules -a -f policy/modules/kernel/kernel.fc || \
+ (echo Not in correct source directory; exit 1)
+endef
+
+define checkroot
+ @test $$(id -u) = 0 || (echo need root priviledges; exit 1)
+endef
--- refpolicy-2.20110726.orig/debian/common/pkgvars.mk
+++ refpolicy-2.20110726/debian/common/pkgvars.mk
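Review bot: `SRCTOP := $(shell if [ "$$PWD" != "" ]; then echo $$PWD; else pwd; fi)` takes the source root from the inherited `PWD` environment variable and echoes it unquoted, so a stale or unusual `PWD` in the caller's environment, or a path containing whitespace, becomes the base of `TMPTOP` and of every install directory derived from it. Make already provides the working directory as `$(CURDIR)`, which it sets itself rather than inheriting; `SRCTOP := $(CURDIR)` drops both the shell call and the environment dependence. The `checkroot` message also misspells "privileges" (`need root priviledges`).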
@@ -0,0 +1,168 @@
+############################ -*- Mode: Makefile -*- ###########################
+## pkgvars.mk ---
+## Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+## Created On : Sat Nov 15 02:56:30 2003
+## Created On Node : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Thu Jun 15 12:05:46 2006
+## Last Machine Used: glaurung.internal.golden-gryphon.com
+## Update Count : 11
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description : This is what allows us toseparate out the top level
+## targets, by determining which packages needto be built.
+##
+## arch-tag: 75fcc720-7389-4eaa-a7ac-c556d3eac331
+##
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 2 of the License, or
+## (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with this program; if not, write to the Free Software
+## Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+##
+###############################################################################
+
+# The maintainer information.
+maintainer := $(shell LC_ALL=C dpkg-parsechangelog | grep ^Maintainer: | \
+ sed 's/^Maintainer: *//')
+email := srivasta@debian.org
+
+# Priority of this version (or urgency, as dchanges would call it)
+urgency := $(shell LC_ALL=C dpkg-parsechangelog | grep ^Urgency: | \
+ sed 's/^Urgency: *//')
+
+# Common useful variables
+DEB_SOURCE_PACKAGE := $(strip $(shell egrep '^Source: ' debian/control | \
+ cut -f 2 -d ':'))
+DEB_VERSION := $(strip $(shell LC_ALL=C dpkg-parsechangelog | \
+ egrep '^Version:' | cut -f 2 -d ' '))
+DEB_ISNATIVE := $(strip $(shell LC_ALL=C dpkg-parsechangelog | \
+ perl -ne 'print if (m/^Version:/g && ! m/^Version:.*\-/);'))
+DEB_DISTRIBUTION := $(strip $(shell LC_ALL=C dpkg-parsechangelog | \
+ egrep '^Distribution:' | cut -f 2 -d ' '))
+
+DEB_PACKAGES := $(shell perl -e ' \
+ $$/=""; \
+ while(<>){ \
+ $$p=$$1 if m/^Package:\s*(\S+)/; \
+ die "duplicate package $$p" if $$seen{$$p}; \
+ $$seen{$$p}++; print "$$p " if $$p; \
+ }' debian/control )
+
+DEB_INDEP_PACKAGES := $(shell perl -e ' \
+ $$/=""; \
+ while(<>){ \
+ $$p=$$1 if m/^Package:\s*(\S+)/; \
+ die "duplicate package $$p" if $$seen{$$p}; \
+ $$seen{$$p}++; \
+ $$a=$$1 if m/^Architecture:\s*(\S+)/m; \
+ next unless ($$a eq "all"); \
+ print "$$p " if $$p; \
+ }' debian/control )
+
+DEB_ARCH_PACKAGES := $(shell perl -e ' \
+ $$/=""; \
+ while(<>){ \
+ $$p=$$1 if m/^Package:\s*(\S+)/; \
+ die "duplicate package $$p" if $$seen{$$p}; \
+ $$seen{$$p}++; \
+ $$c=""; \
+ if (/^Architecture:\s*(.*?)\s*$$/sm) { \
+ @a = split /\s+/, $$1 }; \
+ for my $$b (@a) { \
+ next unless ($$b eq "$(DEB_HOST_ARCH)" || \
+ $$b eq "any"); \
+ $$c="$$p"; \
+ } \
+ print "$$c " if $$c; \
+ }' debian/control )
+
+# This package is what we get after removing the psuedo dirs we use in rules
+package = $(notdir $@)
+DEBIANDIR = $(dir $(firstword $(MAKEFILE_LIST)))
+
+ifeq (,$(filter parallel=%,$(FAILS_PARALLEL_BUILD)))
+ ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
+ NUMJOBS = $(patsubst 
parallel=%,-j%,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
+ endif
+endif
+
+# Define canned sequences used to strip executables and libraries,
+# keeping in mind the directives in DEB_BUILD_OPTIONS
+ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
+define strip-exec
+find $(TMPTOP) -type f | while read i; do \
+ if file -b $$i | egrep -q "^ELF.*executable"; then \
+ strip --strip-all --remove-section=.comment --remove-section=.note $$i; \
+ fi; \
+ done
+endef
+
+define strip-lib
+find $(TMPTOP) -type f | while read i; do \
+ if file -b $$i | egrep -q "^ELF.*shared object"; then \
+ strip --strip-unneeded --remove-section=.comment --remove-section=.note $$i; \
+ fi; \
+done
+endef
+else
+define strip-exec
+@echo Not strippping executables as asked
+endef
+
+define strip-lib
+@echo Not strippping libraries as asked
+endef
+
+endif
+
+# this canned command specifies how to run dpkg-shlibs to add things
+# to debian/substvars by scanning executables and libraries; this
+# should suffice for the common case. Some rules files might need some
+# changes to the command sequence, though
+define get-shlib-deps
+k=`find $(TMPTOP) -type f | ( while read i; do \
+ if file -b $$i | \
+ egrep -q "^ELF.*(executable.*dynamically linked|shared object)"; then \
+ j="$$j $$i"; \
+ fi; \
+done; echo $$j; )`; if [ -n "$$k" ]; then dpkg-shlibdeps $$k; fi
+endef
+
+# This canned sequence checks to see if all the libraries we link to
+# actually provide some symbols needed by some executable ot library
+# in the package itself.
+ifeq (,$(strip $(filter nocheck,$(DEB_BUILD_OPTIONS))))
+ ifeq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
+define check-libraries
+echo Checking libs
+xtra=$$($(SHELL) debian/common/checklibs); \
+if [ -n "$$extra" ]; then \
+ echo "Extra libraries: $$extra"; \
+ exit 1; \
+fi
+endef
+ else
+define check-libraries
+echo Not checking libs
+endef
+ endif
+else
+define check-libraries
+echo Not checking libs
+endef
+endif
+
+
+#Local variables:
+#mode: makefile
+#End:
--- refpolicy-2.20110726.orig/debian/common/get_shlib_ver
+++ refpolicy-2.20110726/debian/common/get_shlib_ver
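Review bot: In the first `check-libraries` definition the output of checklibs is stored in `xtra`, but the test and the message read `$$extra`, which is never assigned, so the guard can never fire and unneeded library dependencies are never reported; the one-line fix is `extra=$$($(SHELL) debian/common/checklibs); \`. Since the `ifeq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))` branch is the only one that runs the check at all, the typo silences it entirely. In the `DEB_ARCH_PACKAGES` script `$$c` is reset per stanza but `@a` is not, so a stanza without an `Architecture:` field would inherit the previous stanza's list; clearing it alongside `$$c` (`@a=(); $$c="";`) makes each stanza independent. In `get-shlib-deps` the accumulated `$$j` and the final `dpkg-shlibdeps $$k` are unquoted, so a path under `$(TMPTOP)` containing whitespace would be split into several arguments — presumably acceptable here, but worth a comment on the definition.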
@@ -0,0 +1,40 @@
+#! /bin/sh
+# -*- Mode: Sh -*-
+# get_shlib_ver ---
+# Author : Manoj Srivastava ( srivasta@golden-gryphon.com )
+# Created On : Tue Sep 1 15:27:07 2009
+# Created On Node : anzu.internal.golden-gryphon.com
+# Last Modified By : Manoj Srivastava
+# Status : Unknown, Use with caution!
+# HISTORY :
+# Description :
+# If there is a symbols file preent, get the most recent version a
+# symbol was added in.
+#
+
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+# Make sure we abort on error
+set -e
+progname="$(basename \"$0\")"
+
+test ! -d debian || \
+ find debian -wholename 'debian/*\.symbols' | while read lib; do
+ echo -n "Shlib info for" ${lib%%.symbols} ": ";
+ sort -n -k 2,2b $lib | grep '^ ' | tail -n 1 | awk '{print $2;}';
+done
+
--- refpolicy-2.20110726.orig/debian/common/automake.mk
+++ refpolicy-2.20110726/debian/common/automake.mk
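Review bot: `progname="$(basename \"$0\")"` passes the backslash-escaped quotes to basename literally, because the text inside `$( )` is parsed as a fresh command, so `progname` ends up wrapped in quote characters; the correct nesting is `progname="$(basename "$0")"` (the variable is otherwise unused in this script). `$lib` is unquoted in `sort -n -k 2,2b $lib` and `${lib%%.symbols}` is unquoted in the echo, so a symbols path with whitespace would be split; quoting both is cheap. `-wholename` is a GNU-specific alias of the POSIX `-path` primary, which is worth preferring under `#! /bin/sh`.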
@@ -0,0 +1,37 @@
+############################ -*- Mode: Makefile -*- ###########################
+## automake.mk ---
+## Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+## Created On : Sat Nov 15 02:47:23 2003
+## Created On Node : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Sat Nov 15 02:47:53 2003
+## Last Machine Used: glaurung.green-gryphon.com
+## Update Count : 1
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description :
+##
+## arch-tag: 1fabe69b-7cc8-4ecc-9411-bc5906b19857
+##
+###############################################################################
+
+AUTOCONF_VERSION:=$(shell if [ -e configure ]; then \
+ grep "Generated automatically using autoconf" \
+ configure | sed -e 's/^.*autoconf version //g'; \
+ fi)
+HAVE_NEW_AUTOMAKE:=$(shell if [ "X$(AUTOCONF_VERSION)" != "X2.13" ]; then \
+ echo 'YES' ; fi)
+
+ifneq ($(strip $(HAVE_NEW_AUTOMAKE)),)
+ ifeq ($(DEB_BUILD_GNU_TYPE), $(DEB_HOST_GNU_TYPE))
+ confflags += --build $(DEB_BUILD_GNU_TYPE)
+ else
+ confflags += --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE)
+ endif
+else
+ ifeq ($(DEB_BUILD_GNU_TYPE), $(DEB_HOST_GNU_TYPE))
+ confflags += $(DEB_HOST_GNU_TYPE)
+ else
+ confflags += --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE)
+ endif
+endif
--- refpolicy-2.20110726.orig/debian/common/perlvars.mk
+++ refpolicy-2.20110726/debian/common/perlvars.mk
@@ -0,0 +1,27 @@
+############################ -*- Mode: Makefile -*- ###########################
+## perlvars.mk ---
+## Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+## Created On : Sat Nov 15 02:55:47 2003
+## Created On Node : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Sat Dec 13 13:50:58 2003
+## Last Machine Used: glaurung.green-gryphon.com
+## Update Count : 3
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description :
+##
+## arch-tag: a97a01ba-d08d-404d-aa81-572717c03e6c
+##
+###############################################################################
+
+# Perl variables
+PERL = /usr/bin/perl
+
+INSTALLPRIVLIB = $(TMPTOP)/$(shell \
+ perl -e 'use Config; print "$$Config{'installprivlib'}\n";')
+INSTALLARCHLIB = $(TMPTOP)/$(shell \
+ perl -e 'use Config; print "$$Config{'installarchlib'}\n";')
+INSTALLVENDORLIB =$(TMPTOP)/$(shell \
+ perl -e 'use Config; print "$$Config{'vendorlibexp'}\n";')
+CONFIG = INSTALLDIRS=vendor
--- refpolicy-2.20110726.orig/debian/common/debconf.mk
+++ refpolicy-2.20110726/debian/common/debconf.mk
@@ -0,0 +1,42 @@
+############################ -*- Mode: Makefile -*- ###########################
+## debconf.mk ---
+## Author : Manoj Srivastava ( srivasta@glaurung.internal.golden-gryphon.com )
+## Created On : Fri Mar 12 11:11:31 2004
+## Created On Node : glaurung.internal.golden-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Mon Apr 11 13:19:10 2005
+## Last Machine Used: glaurung.internal.golden-gryphon.com
+## Update Count : 20
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description : helps with using debconf
+##
+## arch-tag: 32b933a9-05ad-4c03-97a8-8644745b832a
+##
+###############################################################################
+
+# The idea behind this scheme is that the maintainer (or whoever's
+# building the package for upload to unstable) has to build on a
+# machine with po-debconf installed, but nobody else does.
+
+# Also, make sure that debian/control has ${debconf-depends} in the
+# appropriate Depends: line., and use the following in the binary
+# target:
+# dpkg-gencontrol -V'debconf-depends=debconf (>= $(MINDEBCONFVER))'
+#
+
+# WARNING!! You need to create the debian/templates file before this
+# all works.
+
+# Run debconf-updatepo whenever the template file changes.
+# the tool podebconf-report-po is also a great friend to have in such
+# circumstances
+define CHECKPO
+ @for i in debian/po/*.po; do \
+ if [ -f $$i ]; then \
+ echo \"Checking: $$i\"; \
+ msgmerge -U $$i debian/po/templates.pot; \
+ msgfmt -o /dev/null -c --statistics $$i; \
+ fi; \
+ done
+endef
--- refpolicy-2.20110726.orig/debian/common/checklibs
+++ refpolicy-2.20110726/debian/common/checklibs
@@ -0,0 +1,78 @@
+#! /bin/sh
+# -*- Mode: Sh -*-
+# checklibs.sh ---
+# Author : Manoj Srivastava ( srivasta@glaurung.internal.golden-gryphon.com )
+# Created On : Fri Sep 29 15:36:22 2006
+# Created On Node : glaurung.internal.golden-gryphon.com
+# Last Modified By : Manoj Srivastava
+# Last Modified On : Wed Sep 2 01:16:46 2009
+# Last Machine Used: anzu.internal.golden-gryphon.com
+# Update Count : 47
+# Status : Unknown, Use with caution!
+# HISTORY :
+# Description :
+#
+# arch-tag: 8ba11489-77fa-45a0-92c4-9c5b162ee119
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+# Make sure we abort on error
+set -e
+progname="$(basename \"$0\")"
+
+trap 'rm -f search_patterns.txt;' ALRM HUP INT PIPE TERM ABRT FPE BUS QUIT SEGV ILL EXIT
+
+# Find all undefined symbols in all ELF objects in this tree
+readelf -s -D -W $(find . -type f -print0 | xargs -0r file | grep " ELF" | \
+ awk '{print $1}' | sed -e 's/:$//') | grep UND | grep -v LOCAL |
+ perl -ple 's/.*\s(\S+)\s*$/\^$1\$/g' | sort -u > search_patterns.txt;
+
+LOCAL_LIBS=$(find . -type f -print0 | xargs -0r file | egrep "ELF.*shared object" | \
+ awk '{print $1}' | sed -e 's/:$//' -e 's,/[^/]*$,,')
+
+# Find all the libraries needed in this tree
+objdump -T --private-headers $(find . 
-type f -print0 | \
+ xargs -0r file | egrep "ELF.*(shared object|executable)" | \
+ awk '{print $1}' | sed -e 's/:$//') | grep NEEDED | sort -u | awk '{print $2}' |
+ while read lib; do
+ # For each library, see where it lives on the file system
+ LIB=
+ for library_dir in "/lib" "/usr/lib" $LOCAL_LIBS $EXTRA_LIBRARY_PATHS; do
+ if [ -e "$library_dir/$lib" ]; then
+ LIB="$library_dir/$lib";
+ break
+ fi
+ done
+ if [ -z "$LIB" ]; then
+ echo >&2 "Can't find $lib"
+ continue
+ fi
+ # If we fond the library, find what symbols it defines, and if these symbols
+ # are some that we need
+ if readelf -s -D -W $LIB | grep -v UND | perl -ple 's/.*\s(\S+)\s*$/$1/g' | \
+ sort -u | grep -q -f search_patterns.txt ; then
+ # Library provides at least some symbols we need
+ if [ -n "$DEBUG" ]; then echo "Found $LIB"; fi
+ else
+ # Library does not provide any symbols we need
+ echo "$LIB" ;
+ fi
+done
+
+# Get rid of the intermediate file
+rm -f search_patterns.txt;
+exit 0
+
--- refpolicy-2.20110726.orig/debian/common/README
+++ refpolicy-2.20110726/debian/common/README
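Review bot: The lookup in the `while read lib` loop only consults `/lib`, `/usr/lib`, `$LOCAL_LIBS` and `$EXTRA_LIBRARY_PATHS`, so on a multiarch layout where shared objects live under `/lib/<triplet>` and `/usr/lib/<triplet>` every NEEDED entry falls through to `echo >&2 "Can't find $lib"` and is skipped, and the script still ends in `exit 0` — presumably not what a check is meant to do. Resolving each NEEDED name through the loader's own search path (for example from `ldconfig -p`) instead of a fixed directory list would keep the check meaningful, and an unresolved library should arguably be reported on stdout like an unneeded one rather than silently dropped. The script also writes and later removes a fixed-name `search_patterns.txt` in the current directory, which clobbers any same-named file in the tree; a `mktemp`-created file referenced from the trap avoids that. `$LOCAL_LIBS`, `$LIB` and the `$(find …)` results are unquoted, so any path with whitespace is split before it reaches `file`, `objdump` or `readelf`.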
@@ -0,0 +1,78 @@
+# This file provides a quick overview of this build system. The idea is
+# to convert ./debian/rules into a framework, which abstracts most of
+# the work required to create a Debian package into this common set of
+# make snippets.
+
+# The rules file would look like this:
+
+## Include dpkg-architecture generated variables
+# This make snippet uses dpkg-architecture to set the various
+# DEB_BUILD* and DEB_HOST* variables. It also adds a couple of DEBUG
+# macros for use in the rules file.
+include debian/common/archvars.mk
+
+## variables useful for perl packages
+# This sets things like the installed location of the private lib,
+# arch dependent lib, and vendor library directories.
+include debian/common/perlvars.mk
+
+## Install commands
+# This sets the convenience macros install_{file,script,program} and
+# a make directory macro, all run as root, for the install and binary
+# targets. It also includes a macro to create the md5sum for
+# installed files.
+include debian/common/install_cmds.mk
+
+## Per package variable settings.
+# This file sets the Make variables on a per package basis. Things
+# like include files, C, C++, and LD flags are set here, as well as
+# installation paths or, really, anything else that would be needed
+# during packaging operations
+include debian/local-vars.mk
+
+## Setting C compiler flags.
+# This file takes care of setting C compiler flags, setting the
+# compiler if a cross compilation effort is detected, and either
+# arranges for binaries to be stripped or not based on
+# DEB_BUILD_OPTIONS.
+include debian/common/copt.mk
+
+## Set automake configuration flags
+# This file sets confflags variable with the proper --host and
+# --build options if it detects a cross compilation effort underway.
+include debian/common/automake.mk
+
+# Set up the default target.
+all:
+ @echo nothing to be done
+
+## Include the common targets
+# This file sets up the flow of control during a Debian package build
+# process, taking into account policy requirements (mandatory
+# targets, ordering targets). It sets up rules for each package found
+# in ./debian/control file in the package, and arranges package build
+# to follow the order of configuration, building, installation, and
+# binary package creation (and of course, clean).
+
+# The details of the targets can be seen visually by running dot on
+# the accompanying targets.dot file. In the figure, the legend is:
+# Nodes attributes:
+# filled == Work target (most work is done in dependencies added
+# to these targets). These are the targets referred to
+# in the local.mk file
+# Octagon == Phony target
+# Oval == Real target based on a time stamp
+# Double lines denote a mandatory target
+#
+# Edge attributes: A Red line indicates the target is called using
+# $(MAKE) -f ./debian/rules . So the targets connected by the
+# red lines are run after all the dependencies have been updated, but
+# before anything else is done.
+
+include debian/common/targets.mk
+
+## The bulk of packaging
+# This file adds dependencies to the double-colon rules set up in
+# targets.mk above, and perform the bulk of the packaging.
+include debian/local.mk
+
--- refpolicy-2.20110726.orig/debian/common/targets.mk
+++ refpolicy-2.20110726/debian/common/targets.mk
@@ -0,0 +1,532 @@
+############################ -*- Mode: Makefile -*- ###########################
+## targets.mk ---
+## Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+## Created On : Sat Nov 15 01:10:05 2003
+## Created On Node : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Sat Apr 26 22:33:09 2008
+## Last Machine Used: anzu.internal.golden-gryphon.com
+## Update Count : 131
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description : The top level targets mandated by policy, as well as
+## their dependencies.
+##
+## arch-tag: a81086a7-00f7-4355-ac56-8f38396935f4
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 2 of the License, or
+## (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with this program; if not, write to the Free Software
+## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+##
+###############################################################################
+
+#######################################################################
+#######################################################################
+############### Miscellaneous ###############
+#######################################################################
+#######################################################################
+source diff:
+ @echo >&2 'source and diff are obsolete - use dpkg-source -b'; false
+
+define TESTROOT
+ @test $$(id -u) = 0 || (echo need root priviledges; exit 1)
+endef
+
+testroot:
+ $(TESTROOT)
+
+checkpo:
+ $(CHECKPO)
+
+# arch-buildpackage likes to call this
+prebuild:
+
+ifneq (,$(shell if [ -f $(DEBIANDIR)/watch ]; then echo yes; fi))
+.PHONY: get-orig-source
+get-orig-source:
+ cd $(DEBIANDIR)/.. && \
+ uscan --verbose --rename --destdir $(DEBIANDIR)../.. || true
+endif
+
+# OK. We have two sets of rules here, one for arch dependent packages,
+# and one for arch independent packages. We have already calculated a
+# list of each of these packages.
+
+# In each set, we may need to do things in five steps: configure,
+# build, install, package, and clean. Now, there can be a common
+# actions to be taken for all the packages, all arch dependent
+# packages, all all independent packages, and each package
+# individually at each stage.
+
+###########################################################################
+# The current code does a number of things: It ensures that the highest #
+# dependency at any stage (usually the -Common target) depends on the #
+# stamp-STAGE of the previous stage; so no work on a succeeding stage can #
+# start before the previous stage is all done. 
#
+###########################################################################
+
+###########################################################################
+# In the following, the do_* targets make sure all the real non-generic #
+# work is done, but are not in the direct line of dependencies. This #
+# makes sure that previous step in the order is all up to date before any #
+# of the per package target dependencies are run. #
+###########################################################################
+
+
+#######################################################################
+#######################################################################
+############### Configuration ###############
+#######################################################################
+#######################################################################
+# Just a dummy target to make sure that the stamp directory exists
+debian/stamp/dummy-config-common:
+ $(REASON)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+
+# Configuration tasks common to arch and arch indep packages go here
+debian/stamp/pre-config-common: debian/stamp/dummy-config-common
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+# Do not add dependencies to this rule
+debian/stamp/do-pre-config-common: debian/stamp/dummy-config-common
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ $(MAKE) -f debian/rules debian/stamp/pre-config-common
+ @echo done > $@
+
+# Arch specific and arch independent tasks go here
+debian/stamp/pre-config-arch: debian/stamp/do-pre-config-common
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+# Do not add dependencies to this rule
+debian/stamp/do-pre-config-arch: debian/stamp/do-pre-config-common
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ $(MAKE) -f debian/rules debian/stamp/pre-config-arch
+ @echo done > $@
+
+
+debian/stamp/pre-config-indep: debian/stamp/do-pre-config-common
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+# Do not add dependencies to this rule
+debian/stamp/do-pre-config-indep: debian/stamp/do-pre-config-common
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ $(MAKE) -f debian/rules debian/stamp/pre-config-indep
+ @echo done > $@
+
+# Per package work happens as an added dependency of this rule.
+$(patsubst %,debian/stamp/CONFIG/%,$(DEB_ARCH_PACKAGES)) : debian/stamp/CONFIG/% : debian/stamp/do-pre-config-arch
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/CONFIG || mkdir -p debian/stamp/CONFIG
+ @echo done > $@
+$(patsubst %,debian/stamp/CONFIG/%,$(DEB_INDEP_PACKAGES)) : debian/stamp/CONFIG/% : debian/stamp/do-pre-config-indep
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/CONFIG || mkdir -p debian/stamp/CONFIG
+ @echo done > $@
+
+# Do not add dependencies to this rule
+debian/stamp/dep-configure-arch: debian/stamp/do-pre-config-arch $(patsubst %,debian/stamp/CONFIG/%,$(DEB_ARCH_PACKAGES))
+ $(REASON)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+
+# Do not add dependencies to this rule
+debian/stamp/dep-configure-indep: debian/stamp/do-pre-config-indep $(patsubst %,debian/stamp/CONFIG/%,$(DEB_INDEP_PACKAGES))
+ $(REASON)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+
+debian/stamp/do-configure-arch: debian/stamp/do-pre-config-arch
+ $(REASON)
+ @test -d debian/stamp/CONFIG || mkdir -p debian/stamp/CONFIG
+ $(MAKE) -f debian/rules debian/stamp/dep-configure-arch
+ @echo done > $@
+debian/stamp/do-configure-indep: debian/stamp/do-pre-config-indep
+ $(REASON)
+ @test -d debian/stamp/CONFIG || mkdir -p debian/stamp/CONFIG
+ $(MAKE) -f debian/rules debian/stamp/dep-configure-indep
+ @echo done > $@
+
+# These three targets are required by policy
+configure-arch: debian/stamp/do-configure-arch
+ $(REASON)
+configure-indep: 
debian/stamp/do-configure-indep
+ $(REASON)
+configure: debian/stamp/do-configure-arch debian/stamp/do-configure-indep
+ $(REASON)
+
+#######################################################################
+#######################################################################
+############### Build ###############
+#######################################################################
+#######################################################################
+# tasks common to arch and arch indep packages go here
+debian/stamp/pre-build-common:
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+
+# Arch specific and arch independent tasks go here
+debian/stamp/pre-build-arch: debian/stamp/do-configure-arch
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+debian/stamp/do-pre-build-arch: debian/stamp/do-configure-arch
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @test -e debian/stamp/pre-build-common || $(MAKE) -f debian/rules debian/stamp/pre-build-common
+ $(MAKE) -f debian/rules debian/stamp/pre-build-arch
+ @echo done > $@
+
+debian/stamp/pre-build-indep: debian/stamp/do-configure-indep
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+debian/stamp/do-pre-build-indep: debian/stamp/do-configure-indep
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @test -e debian/stamp/pre-build-common || $(MAKE) -f debian/rules debian/stamp/pre-build-common
+ $(MAKE) -f debian/rules debian/stamp/pre-build-indep
+ @echo done > $@
+
+# Per package work happens as an added dependency of this rule.
+$(patsubst %,debian/stamp/BUILD/%,$(DEB_ARCH_PACKAGES)) : debian/stamp/BUILD/% : debian/stamp/do-pre-build-arch
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/BUILD || mkdir -p debian/stamp/BUILD
+ @echo done > $@
+
+$(patsubst %,debian/stamp/BUILD/%,$(DEB_INDEP_PACKAGES)) : debian/stamp/BUILD/% : debian/stamp/do-pre-build-indep
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp/BUILD || mkdir -p debian/stamp/BUILD
+ @echo done > $@
+
+# These do targeta make sure all the per package configuration is
+# done, but is not in the direct line of dependencies. This makes sure
+# that pre-config targets are all up to date before any of the per
+# package target dependencies are run.
+debian/stamp/dep-build-arch: debian/stamp/do-pre-build-arch $(patsubst %,debian/stamp/BUILD/%,$(DEB_ARCH_PACKAGES))
+ $(REASON)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+
+debian/stamp/dep-build-indep: debian/stamp/do-pre-build-indep $(patsubst %,debian/stamp/BUILD/%,$(DEB_INDEP_PACKAGES))
+ $(REASON)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+
+debian/stamp/do-build-arch: debian/stamp/do-pre-build-arch
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ $(MAKE) -f debian/rules debian/stamp/dep-build-arch
+ @echo done > $@
+debian/stamp/do-build-indep: debian/stamp/do-pre-build-indep
+ $(REASON)
+ $(checkdir)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ $(MAKE) -f debian/rules debian/stamp/dep-build-indep
+ @echo done > $@
+
+# required
+build-arch: debian/stamp/do-build-arch
+ $(REASON)
+build-indep: debian/stamp/do-build-indep
+ $(REASON)
+build: debian/stamp/do-build-arch debian/stamp/do-build-indep
+ $(REASON)
+
+# Work here
+debian/stamp/post-build-arch: debian/stamp/do-build-arch
+ $(REASON)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ @echo done > $@
+debian/stamp/do-post-build-arch: debian/stamp/do-build-arch
+ $(REASON)
+ @test -d debian/stamp || mkdir -p debian/stamp
+ $(MAKE) -f debian/rules 
debian/stamp/post-build-arch + @echo done > $@ + +debian/stamp/post-build-indep: debian/stamp/do-build-indep + $(REASON) + @test -d debian/stamp || mkdir -p debian/stamp + @echo done > $@ +debian/stamp/do-post-build-indep: debian/stamp/do-build-indep + $(REASON) + @test -d debian/stamp || mkdir -p debian/stamp + $(MAKE) -f debian/rules debian/stamp/post-build-indep + @echo done > $@ + +####################################################################### +####################################################################### +############### Install ############### +####################################################################### +####################################################################### +# tasks common to arch and arch indep packages go here +debian/stamp/pre-inst-common: + $(REASON) + $(checkdir) + @test -d debian/stamp || mkdir -p debian/stamp + @echo done > $@ + +# Arch specific and arch independent tasks go here +debian/stamp/pre-inst-arch: debian/stamp/do-post-build-arch + $(REASON) + $(checkdir) + @test -d debian/stamp || mkdir -p debian/stamp + @echo done > $@ +debian/stamp/do-pre-inst-arch: debian/stamp/do-post-build-arch + $(REASON) + $(checkdir) + @test -d debian/stamp || mkdir -p debian/stamp + @test -e debian/stamp/INST-common || $(MAKE) -f debian/rules debian/stamp/pre-inst-common + $(MAKE) -f debian/rules debian/stamp/pre-inst-arch + @echo done > $@ + +debian/stamp/pre-inst-indep: debian/stamp/do-post-build-indep + $(REASON) + $(checkdir) + @test -d debian/stamp || mkdir -p debian/stamp + @echo done > $@ +debian/stamp/do-pre-inst-indep: debian/stamp/do-post-build-indep + $(REASON) + $(checkdir) + @test -d debian/stamp || mkdir -p debian/stamp + @test -e debian/stamp/INST-common || $(MAKE) -f debian/rules debian/stamp/pre-inst-common + $(MAKE) -f debian/rules debian/stamp/pre-inst-indep + @echo done > $@ + + +# Per package work happens as an added dependency of this rule +$(patsubst %,debian/stamp/INST/%,$(DEB_ARCH_PACKAGES)) : 
debian/stamp/INST/% : debian/stamp/do-pre-inst-arch + $(REASON) + $(checkdir) + @test -d debian/stamp/INST || mkdir -p debian/stamp/INST + @echo done > $@ +$(patsubst %,debian/stamp/INST/%,$(DEB_INDEP_PACKAGES)) : debian/stamp/INST/% : debian/stamp/do-pre-inst-indep + $(REASON) + $(checkdir) + @test -d debian/stamp/INST || mkdir -p debian/stamp/INST + @echo done > $@ + +# These do targeta make sure all the per package configuration is +# done, but is not in the direct line of dependencies. This makes sure +# that pre-config targets are all up to date before any of the per +# package target dependencies are run. +debian/stamp/dep-install-arch: debian/stamp/do-pre-inst-arch $(patsubst %,debian/stamp/INST/%,$(DEB_ARCH_PACKAGES)) + $(REASON) + @test -d debian/stamp || mkdir -p debian/stamp + @echo done > $@ + +debian/stamp/dep-install-indep: debian/stamp/do-pre-inst-indep $(patsubst %,debian/stamp/INST/%,$(DEB_INDEP_PACKAGES)) + $(REASON) + @test -d debian/stamp || mkdir -p debian/stamp + @echo done > $@ + + +debian/stamp/do-install-arch: debian/stamp/do-pre-inst-arch + $(REASON) + $(checkdir) + @test -d debian/stamp || mkdir -p debian/stamp + $(MAKE) -f debian/rules debian/stamp/dep-install-arch + @echo done > $@ +debian/stamp/do-install-indep: debian/stamp/do-pre-inst-indep + $(REASON) + $(checkdir) + @test -d debian/stamp || mkdir -p debian/stamp + $(MAKE) -f debian/rules debian/stamp/dep-install-indep + @echo done > $@ + +#required +install-arch: debian/stamp/do-install-arch + $(REASON) + $(TESTROOT) +install-indep: debian/stamp/do-install-indep + $(REASON) + $(TESTROOT) +install: debian/stamp/do-install-arch debian/stamp/do-install-indep + $(REASON) + $(TESTROOT) + +####################################################################### +####################################################################### +############### Package ############### +####################################################################### 
+####################################################################### +# tasks common to arch and arch indep packages go here +debian/stamp/pre-bin-common: + $(REASON) + $(checkdir) + @test -d debian/stamp || mkdir -p debian/stamp + @echo done > $@ + +# Arch specific and arch independent tasks go here +debian/stamp/pre-bin-arch: debian/stamp/do-install-arch + $(REASON) + $(checkdir) + @test -d debian/stamp || mkdir -p debian/stamp + @echo done > $@ +debian/stamp/do-pre-bin-arch: debian/stamp/do-install-arch + $(REASON) + $(checkdir) + @test -d debian/stamp || mkdir -p debian/stamp + @test -e debian/stamp/BIN-common || $(MAKE) -f debian/rules debian/stamp/pre-bin-common + $(MAKE) -f debian/rules debian/stamp/pre-bin-arch + @echo done > $@ + +debian/stamp/pre-bin-indep: debian/stamp/do-install-indep + $(REASON) + $(checkdir) + @test -d debian/stamp || mkdir -p debian/stamp + @echo done > $@ +debian/stamp/do-pre-bin-indep: debian/stamp/do-install-indep + $(REASON) + $(checkdir) + @test -d debian/stamp || mkdir -p debian/stamp + @test -e debian/stamp/BIN-common || $(MAKE) -f debian/rules debian/stamp/pre-bin-common + $(MAKE) -f debian/rules debian/stamp/pre-bin-indep + @echo done > $@ + +# Per package work happens as an added dependency of this rule +$(patsubst %,debian/stamp/BIN/%,$(DEB_ARCH_PACKAGES)) : debian/stamp/BIN/% : debian/stamp/do-pre-bin-arch + $(REASON) + $(checkdir) + @test -d debian/stamp/BIN || mkdir -p debian/stamp/BIN + @echo done > $@ + +$(patsubst %,debian/stamp/BIN/%,$(DEB_INDEP_PACKAGES)) : debian/stamp/BIN/% : debian/stamp/do-pre-bin-indep + $(REASON) + $(checkdir) + @test -d debian/stamp/BIN || mkdir -p debian/stamp/BIN + @echo done > $@ + +# These do targeta make sure all the per package work is done, but is +# not in the direct line of dependencies. This makes sure that +# pre-config targets are all up to date before any of the per package +# target dependencies are run. 
+debian/stamp/dep-binary-arch: debian/stamp/pre-bin-arch $(patsubst %,debian/stamp/BIN/%,$(DEB_ARCH_PACKAGES)) + $(REASON) + @test -d debian/stamp || mkdir -p debian/stamp + @echo done > $@ + +debian/stamp/dep-binary-indep: debian/stamp/pre-bin-indep $(patsubst %,debian/stamp/BIN/%,$(DEB_INDEP_PACKAGES)) + $(REASON) + @test -d debian/stamp || mkdir -p debian/stamp + @echo done > $@ + +debian/stamp/do-binary-arch: debian/stamp/do-pre-bin-arch + $(REASON) + $(checkdir) + @test -d debian/stamp || mkdir -p debian/stamp + $(MAKE) -f debian/rules debian/stamp/dep-binary-arch + @echo done > $@ +debian/stamp/do-binary-indep: debian/stamp/do-pre-bin-indep + $(REASON) + $(checkdir) + @test -d debian/stamp || mkdir -p debian/stamp + $(MAKE) -f debian/rules debian/stamp/dep-binary-indep + @echo done > $@ +# required +binary-arch: debian/stamp/do-binary-arch + $(REASON) + $(TESTROOT) +binary-indep: debian/stamp/do-binary-indep + $(REASON) + $(TESTROOT) +binary: debian/stamp/do-binary-arch debian/stamp/do-binary-indep + $(REASON) + $(TESTROOT) + @echo arch package = $(DEB_ARCH_PACKAGES) + @echo indep packages = $(DEB_INDEP_PACKAGES) + +####################################################################### +####################################################################### +############### Clean ############### +####################################################################### +####################################################################### +# Work here +CLN-common:: + $(REASON) + $(checkdir) + +# sync Work here +CLN-arch:: CLN-common + $(REASON) + $(checkdir) +CLN-indep:: CLN-common + $(REASON) + $(checkdir) +# Work here +$(patsubst %,CLEAN/%,$(DEB_ARCH_PACKAGES)) :: CLEAN/% : CLN-arch + $(REASON) + $(checkdir) +$(patsubst %,CLEAN/%,$(DEB_INDEP_PACKAGES)) :: CLEAN/% : CLN-indep + $(REASON) + $(checkdir) + +clean-arch: CLN-arch $(patsubst %,CLEAN/%,$(DEB_ARCH_PACKAGES)) + $(REASON) +clean-indep: CLN-indep $(patsubst %,CLEAN/%,$(DEB_INDEP_PACKAGES)) + $(REASON) 
+clean: clean-indep clean-arch + $(REASON) + -test -f Makefile && $(MAKE) distclean + -rm -f $(FILES_TO_CLEAN) $(STAMPS_TO_CLEAN) + -rm -rf $(DIRS_TO_CLEAN) debian/stamp + -rm -f core TAGS \ + `find . ! -regex '.*/\.git/.*' ! -regex '.*/\{arch\}/.*' \ + ! -regex '.*/CVS/.*' ! -regex '.*/\.arch-ids/.*' \ + ! -regex '.*/\.svn/.*' \ + \( -name '*.orig' -o -name '*.rej' -o -name '*~' -o \ + -name '*.bak' -o -name '#*#' -o -name '.*.orig' -o \ + -name '.*.rej' -o -name '.SUMS' \) \ + -print` + + +####################################################################### +####################################################################### +############### ############### +####################################################################### +####################################################################### +.PHONY: configure-arch configure-indep configure \ + build-arch build-indep build \ + install-arch install-indep install \ + binary-arch binary-indep binary \ + CLN-common CLN-indep CLN-arch clean-arch clean-indep clean \ + $(patsubst %,CLEAN/%, $(DEB_INDEP_PACKAGES)) $(patsubst %,CLEAN/%, $(DEB_ARCH_PACKAGES)) \ + implode explode prebuild checkpo + + +#Local variables: +#mode: makefile +#End: --- refpolicy-2.20110726.orig/debian/common/ChangeLog +++ refpolicy-2.20110726/debian/common/ChangeLog 
@@ -0,0 +1,59 @@
+2008-02-06 Manoj Srivastava
+
+ * copt.mk:
+ srivasta@debian.org--lenny/skeleton-make-rules--main--0.1--patch-4
+ The cross building support in Debian has been rewritten
+ to stop overriding the CC variable to $(MAKE) in order
+ to correctly support those packages that build internal
+ tools with the native compiler during the build. This
+ means that other packages that assume that CC will be
+ overridden by the cross-compiling build scripts now fail
+ to build. The patch is simply to set CC to
+ $(DEB_HOST_GNU_TYPE)-gcc only if a cross-build is
+ detected.
+
+2007-10-09 Manoj Srivastava
+
+ * targets.mk:
+ srivasta@debian.org--lenny/skeleton-make-rules--main--0.1--patch-1
+ fix dependency tree for targets, allow parralel
+ compilatoin. Many changes, thanks to dot.
+
+2007-09-20 Manoj Srivastava
+
+ * targets.mk (stamp-clean):
+ srivasta@debian.org--lenny/skeleton-make-rules--main--0.1--base-0
+ make clean not remove zero sized files. removed the part
+ that cleaned out zero sized files; since there are uses
+ for zero sized files (like, to nuke out files in
+ upstream sources and not inflate the diff. Any zero
+ sized files can still be nuked in the local.mk file.
+
+2006-10-02 Manoj Srivastava
+
+ * checklibs:
+ srivasta@debian.org--etch/skeleton-make-rules--main--0.1--patch-15
+ New file, to detect if there are unneeded library
+ dependencies
+
+2006-10-01 Manoj Srivastava
+
+ * archvars.mk (doit):
+ srivasta@debian.org--etch/skeleton-make-rules--main--0.1--patch-14
+ Add a macro to execute $(shell ...) macos verbosely to
+ help debugging.
+
+2006-09-15 Manoj Srivastava
+
+ * targets.mk (stamp-clean):
+ srivasta@debian.org--etch/skeleton-make-rules--main--0.1--patch-13
+ Exclude version control directories from the generic
+ clean command.
+
+
+2006-08-23 Manoj Srivastava
+
+ * pkgvars.mk (DEB_DISTRIBUTION):
+ srivasta@debian.org--etch/skeleton-make-rules--main--0.1--patch-6
+ Add variable that contains the distribution information
+
--- refpolicy-2.20110726.orig/debian/common/install_cmds.mk
+++ refpolicy-2.20110726/debian/common/install_cmds.mk
@@ -0,0 +1,58 @@
+######################### -*- Mode: Makefile-Gmake -*- ########################
+## install_cmds.mk ---
+## Author : Manoj Srivastava ( srivasta@golden-gryphon.com )
+## Created On : Fri Jun 16 14:40:20 2006
+## Created On Node : glaurung.internal.golden-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Wed Sep 6 11:43:05 2006
+## Last Machine Used: glaurung.internal.golden-gryphon.com
+## Update Count : 9
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description :
+##
+## arch-tag: a38b6a93-2539-4034-9060-ae94d5c8a071
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 2 of the License, or
+## (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with this program; if not, write to the Free Software
+## Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+##
+###############################################################################
+
+# install commands
+INSTALL = install
+ifeq (,$(filter nostrip,$(DEB_BUILD_OPTIONS)))
+ INSTALL_PROGRAM += -s
+endif
+install_file = $(INSTALL) -p -o root -g root -m 644
+install_program = $(INSTALL) -p -o root -g root -m 755
+install_script = $(INSTALL) -p -o root -g root -m 755
+make_directory = $(INSTALL) -p -d -o root -g root -m 755
+
+define create_md5sum
+ create_md5sums_fn () { \
+ cd $$1 ; \
+ find . -type f \
+ ! -regex './DEBIAN/.*' \
+ ! -regex './var/.*' $(EXTRA_MD5SUM_EXCLUDE) \
+ -printf '%P\0' | xargs -r0 md5sum > DEBIAN/md5sums ; \
+ if [ -z "DEBIAN/md5sums" ] ; then \
+ rm -f "DEBIAN/md5sums" ; \
+ fi ; \
+ } ; \
+ create_md5sums_fn
+endef
+
+#Local variables:
+#mode: makefile
+#End:
--- refpolicy-2.20110726.orig/debian/common/targets.dot
+++ refpolicy-2.20110726/debian/common/targets.dot
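Review bot: The `if [ -z "DEBIAN/md5sums" ]` test inside create_md5sum checks a non-empty string literal rather than the file, so it is always false and the following `rm -f` is dead code; an empty manifest would be shipped as-is. If the intent is to drop an empty md5sums file, test the file itself: `if [ ! -s DEBIAN/md5sums ] ; then \`. Separately, the `nostrip` handling appends `-s` to `INSTALL_PROGRAM`, but `install_program` and the other helpers are built from `$(INSTALL)`, so unless INSTALL_PROGRAM is consumed by another makefile this conditional has no effect on what is installed. Since DEBIAN/md5sums is the per-file checksum manifest that ships in the package, a one-line comment stating that `./var/.*` and `$(EXTRA_MD5SUM_EXCLUDE)` paths are deliberately left unverifiable would help a reviewer judge that exclusion.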
@@ -0,0 +1,293 @@
+strict digraph Targets {
+ //ranksep=0.750;
+ //nodesep=0.500;
+
+ // Nodes attributes: filled == Double-colon targt (most work is done here)
+ // Oval == Target based on a time stamp
+ // Octagon == Phony target
+ // Double lines denote a mandatory target (periperies=2)
+
+ // Edge attributes: Dotted line indicates the target is called using $(MAKE)
+
+ "debian/stamp/dummy-config-common" [ style="bold", color="#DEE3FF", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/pre-config-common" [ style="filled", color="#DEE3FF", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-pre-config-common" [ style="bold", color="#DEE3FF", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/pre-config-arch" [ style="filled", color="#DEE3FF", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-pre-config-arch" [ style="bold", color="#DEE3FF", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/pre-config-indep" [ style="filled", color="#DEE3FF", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-pre-config-indep" [ style="bold", color="#DEE3FF", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/CONFIG/foo-arch" [ style="filled", color="#DEE3FF", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/CONFIG/bar-indep" [ style="filled", color="#DEE3FF", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/dep-configure-arch" [ style="bold", color="#DEE3FF", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/dep-configure-indep" [ style="bold", color="#DEE3FF", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-configure-arch" [ style="bold", color="#DEE3FF", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-configure-indep" [ style="bold", color="#DEE3FF", fontcolor="NavyBlue", fontsize=10]
+ "configure-arch" [ style="bold", color="#DEE3FF", fontcolor="NavyBlue", fontsize=10, shape="octagon"]
+ "configure-indep" [ style="bold", color="#DEE3FF", fontcolor="NavyBlue", fontsize=10, shape="octagon"]
+ "configure" [ style="bold", color="#DEE3FF", fontcolor="NavyBlue", fontsize=10, shape="octagon"]
+
+ "debian/stamp/pre-build-common" [ style="filled", color="#74A5ED", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/pre-build-arch" [ style="filled", color="#74A5ED", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-pre-build-arch" [ style="bold", color="#74A5ED", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/pre-build-indep" [ style="filled", color="#74A5ED", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-pre-build-indep" [ style="bold", color="#74A5ED", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/BUILD/foo-arch" [ style="filled", color="#74A5ED", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/BUILD/bar-indep" [ style="filled", color="#74A5ED", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/dep-build-arch" [ style="bold", color="#74A5ED", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/dep-build-indep" [ style="bold", color="#74A5ED", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-build-arch" [ style="bold", color="#74A5ED", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-build-indep" [ style="bold", color="#74A5ED", fontcolor="NavyBlue", fontsize=10]
+ "build-arch" [ style="bold", color="#74A5ED", fontcolor="NavyBlue", fontsize=10, shape="octagon", peripheries=2]
+ "build-indep" [ style="bold", color="#74A5ED", fontcolor="NavyBlue", fontsize=10, shape="octagon", peripheries=2]
+ "build" [ style="bold", color="#74A5ED", fontcolor="NavyBlue", fontsize=10, shape="octagon", peripheries=2]
+ "debian/stamp/post-build-arch" [ style="filled", color="#74A5ED", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/post-build-indep" [ style="filled", color="#74A5ED", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-post-build-arch" [ style="bold", color="#74A5ED", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-post-build-indep" [ style="bold", color="#74A5ED", fontcolor="NavyBlue", fontsize=10]
+
+ "debian/stamp/pre-inst-common" [ style="filled", color="#F8DFDB", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/pre-inst-arch" [ style="filled", color="#F8DFDB", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-pre-inst-arch" [ style="bold", color="#F8DFDB", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/pre-inst-indep" [ style="filled", color="#F8DFDB", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-pre-inst-indep" [ style="bold", color="#F8DFDB", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/INST/foo-arch" [ style="filled", color="#F8DFDB", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/INST/bar-indep" [ style="filled", color="#F8DFDB", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/dep-install-arch" [ style="bold", color="#F8DFDB", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/dep-install-indep" [ style="bold", color="#F8DFDB", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-install-arch" [ style="bold", color="#F8DFDB", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-install-indep" [ style="bold", color="#F8DFDB", fontcolor="NavyBlue", fontsize=10]
+ "install-arch" [ style="bold", color="#F8DFDB", fontcolor="NavyBlue", fontsize=10, shape="octagon"]
+ "install-indep" [ style="bold", color="#F8DFDB", fontcolor="NavyBlue", fontsize=10, shape="octagon"]
+ "install" [ style="bold", color="#F8DFDB", fontcolor="NavyBlue", fontsize=10, shape="octagon"]
+
+ "debian/stamp/pre-bin-common" [ style="filled", color="#CEFFC0", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/pre-bin-arch" [ style="filled", color="#CEFFC0", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-pre-bin-arch" [ style="bold", color="#CEFFC0", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/pre-bin-indep" [ style="filled", color="#CEFFC0", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-pre-bin-indep" [ style="bold", color="#CEFFC0", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/BIN/foo-arch" [ style="filled", color="#CEFFC0", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/BIN/bar-indep" [ style="filled", color="#CEFFC0", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/dep-binary-arch" [ style="bold", color="#CEFFC0", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/dep-binary-indep" [ style="bold", color="#CEFFC0", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-binary-arch" [ style="bold", color="#CEFFC0", fontcolor="NavyBlue", fontsize=10]
+ "debian/stamp/do-binary-indep" [ style="bold", color="#CEFFC0", fontcolor="NavyBlue", fontsize=10]
+ "binary-arch" [ style="bold", color="#CEFFC0", fontcolor="NavyBlue", fontsize=10, shape="octagon", peripheries=2]
+ "binary-indep" [ style="bold", color="#CEFFC0", fontcolor="NavyBlue", fontsize=10, shape="octagon", peripheries=2]
+ "binary" [ style="bold", color="#CEFFC0", fontcolor="NavyBlue", fontsize=10, shape="octagon", peripheries=2]
+
+
+ "CLN-common" [ style="filled" , color="#E2E8C3", fontcolor="NavyBlue", fontsize=10, shape="octagon"]
+ "CLN-arch" [ style="filled" , color="#E2E8C3", fontcolor="NavyBlue", fontsize=10, shape="octagon"]
+ "CLN-indep" [ style="filled" , color="#E2E8C3", fontcolor="NavyBlue", fontsize=10, shape="octagon"]
+ "CLEAN/foo-arch" [ style="filled" , color="#E2E8C3", fontcolor="NavyBlue", fontsize=10, shape="octagon"]
+ "CLEAN/bar-indep" [ style="filled" , color="#E2E8C3", fontcolor="NavyBlue", fontsize=10, shape="octagon"]
+ "clean-arch" [ style="bold", color="#E2E8C3", fontcolor="NavyBlue", fontsize=10, shape="octagon"]
+ "clean-indep" [ style="bold", color="#E2E8C3", fontcolor="NavyBlue", fontsize=10, shape="octagon"]
+ "clean" [ style="bold", color="#E2E8C3", fontcolor="NavyBlue", fontsize=10, shape="octagon", peripheries=2]
+
+
+ "CLN-common" -> "CLN-arch" [dir=back]
+ "CLN-common" -> "CLN-indep" [dir=back]
+ "CLN-arch" -> "CLEAN/foo-arch" [dir=back]
+ "CLN-indep" -> "CLEAN/bar-indep" [dir=back]
+ "CLN-arch" -> "clean-arch" [dir=back]
+ "CLEAN/foo-arch" -> "clean-arch" [dir=back]
+ "CLN-indep" -> "clean-indep" [dir=back]
+ "CLEAN/bar-indep" -> "clean-indep" [dir=back]
+ "clean-indep" -> "clean" [dir=back]
+ "clean-arch" -> "clean" [dir=back]
+
+// "debian/stamp/dummy-config-common" -> "debian/stamp/pre-config-common" [dir=back]
+ "debian/stamp/dummy-config-common" -> "debian/stamp/do-pre-config-common" [dir=back]
+ "debian/stamp/pre-config-common" -> "debian/stamp/do-pre-config-common" [dir=back color="Red"]
+// "CUSTOM-1" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-1" -> "debian/stamp/pre-config-common" [dir=back]
+// "debian/stamp/do-pre-config-common" -> "debian/stamp/pre-config-arch" [dir=back]
+ "debian/stamp/do-pre-config-common" -> "debian/stamp/do-pre-config-arch" [dir=back]
+ "debian/stamp/pre-config-arch" -> "debian/stamp/do-pre-config-arch" [dir=back color="Red"]
+// "CUSTOM-2" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-2" -> "debian/stamp/pre-config-arch" [dir=back]
+// "debian/stamp/do-pre-config-common" -> "debian/stamp/pre-config-indep" [dir=back]
+ "debian/stamp/do-pre-config-common" -> "debian/stamp/do-pre-config-indep" [dir=back]
+ "debian/stamp/pre-config-indep" -> "debian/stamp/do-pre-config-indep" [dir=back color="Red"]
+// "CUSTOM-3" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-3" -> "debian/stamp/pre-config-indep" [dir=back]
+// "debian/stamp/do-pre-config-arch" -> "debian/stamp/CONFIG/foo-arch" [dir=back]
+// "debian/stamp/do-pre-config-indep" -> "debian/stamp/CONFIG/bar-indep" [dir=back]
+// "debian/stamp/do-pre-config-arch" -> "debian/stamp/dep-configure-arch" [dir=back]
+ "debian/stamp/CONFIG/foo-arch" -> "debian/stamp/dep-configure-arch" [dir=back]
+// "debian/stamp/do-pre-config-indep" -> "debian/stamp/dep-configure-indep" [dir=back]
+ "debian/stamp/CONFIG/bar-indep" -> "debian/stamp/dep-configure-indep" [dir=back]
+
+ "debian/stamp/do-pre-config-arch" -> "debian/stamp/do-configure-arch" [dir=back]
+ "debian/stamp/dep-configure-arch" -> "debian/stamp/do-configure-arch" [dir=back color="Red"]
+// "CUSTOM-4" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-4" -> "debian/stamp/CONFIG/foo-arch" [dir=back]
+ "debian/stamp/do-pre-config-indep" -> "debian/stamp/do-configure-indep" [dir=back]
+ "debian/stamp/dep-configure-indep" -> "debian/stamp/do-configure-indep" [dir=back color="Red"]
+// "CUSTOM-5" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-5" -> "debian/stamp/CONFIG/bar-indep" [dir=back]
+ "debian/stamp/do-configure-arch" -> "configure-arch" [dir=back]
+ "debian/stamp/do-configure-indep" -> "configure-indep" [dir=back]
+ "debian/stamp/do-configure-arch" -> "configure" [dir=back]
+ "debian/stamp/do-configure-indep" -> "configure" [dir=back]
+
+// "debian/stamp/do-configure-arch" -> "debian/stamp/pre-build-arch" [dir=back]
+ "debian/stamp/do-configure-arch" -> "debian/stamp/do-pre-build-arch" [dir=back]
+ "debian/stamp/pre-build-common" -> "debian/stamp/do-pre-build-arch" [dir=back color="Red"]
+// "CUSTOM-6" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-6" -> "debian/stamp/pre-build-common" [dir=back]
+ "debian/stamp/pre-build-arch" -> "debian/stamp/do-pre-build-arch" [dir=back color="Red"]
+// "CUSTOM-7" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-7" -> "debian/stamp/pre-build-arch" [dir=back]
+ "debian/stamp/pre-build-common" -> "debian/stamp/do-pre-build-indep" [dir=back color="Red"]
+ "debian/stamp/do-configure-indep" -> "debian/stamp/do-pre-build-indep" [dir=back]
+// "debian/stamp/do-configure-indep" -> "debian/stamp/pre-build-indep" [dir=back]
+ "debian/stamp/pre-build-indep" -> "debian/stamp/do-pre-build-indep" [dir=back color="Red"]
+// "CUSTOM-8" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-8" -> "debian/stamp/pre-build-indep" [dir=back]
+// "debian/stamp/do-pre-build-arch" -> "debian/stamp/BUILD/foo-arch" [dir=back]
+// "debian/stamp/do-pre-build-indep" -> "debian/stamp/BUILD/bar-indep" [dir=back]
+// "debian/stamp/do-pre-build-arch" -> "debian/stamp/dep-build-arch" [dir=back]
+ "debian/stamp/BUILD/foo-arch" -> "debian/stamp/dep-build-arch" [dir=back]
+// "debian/stamp/do-pre-build-indep" -> "debian/stamp/dep-build-indep" [dir=back]
+ "debian/stamp/BUILD/bar-indep" -> "debian/stamp/dep-build-indep" [dir=back]
+ "debian/stamp/do-pre-build-arch" -> "debian/stamp/do-build-arch" [dir=back]
+ "debian/stamp/dep-build-arch" -> "debian/stamp/do-build-arch" [dir=back color="Red"]
+// "CUSTOM-9" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-9" -> "debian/stamp/BUILD/foo-arch" [dir=back]
+ "debian/stamp/do-pre-build-indep" -> "debian/stamp/do-build-indep" [dir=back]
+ "debian/stamp/dep-build-indep" -> "debian/stamp/do-build-indep" [dir=back color="Red"]
+// "CUSTOM-10" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-10" -> "debian/stamp/BUILD/bar-indep" [dir=back]
+ "debian/stamp/do-build-arch" -> "build-arch" [dir=back]
+ "debian/stamp/do-build-indep" -> "build-indep" [dir=back]
+ "debian/stamp/do-build-arch" -> "build" [dir=back]
+ "debian/stamp/do-build-indep" -> "build" [dir=back]
+// "debian/stamp/do-build-arch" -> "debian/stamp/post-build-arch" [dir=back]
+ "debian/stamp/do-build-arch" -> "debian/stamp/do-post-build-arch" [dir=back]
+ "debian/stamp/do-build-indep" -> "debian/stamp/do-post-build-indep" [dir=back]
+ "debian/stamp/post-build-arch" -> "debian/stamp/do-post-build-arch" [dir=back color="Red"]
+// "CUSTOM-11" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-11" -> "debian/stamp/post-build-arch" [dir=back]
+ "debian/stamp/post-build-indep" -> "debian/stamp/do-post-build-indep" [dir=back color="Red"]
+// "CUSTOM-12" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-12" -> "debian/stamp/post-build-indep" [dir=back]
+// "debian/stamp/do-post-build-arch" -> "debian/stamp/pre-inst-arch" [dir=back]
+ "debian/stamp/pre-inst-common" -> "debian/stamp/do-pre-inst-arch" [dir=back color="Red"]
+// "CUSTOM-13" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-13" -> "debian/stamp/pre-inst-common" [dir=back]
+ "debian/stamp/do-post-build-arch" -> "debian/stamp/do-pre-inst-arch" [dir=back]
+ "debian/stamp/pre-inst-arch" -> "debian/stamp/do-pre-inst-arch" [dir=back color="Red"]
+// "CUSTOM-14" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-14" -> "debian/stamp/pre-inst-arch" [dir=back]
+// "debian/stamp/do-post-build-indep" -> "debian/stamp/pre-inst-indep" [dir=back]
+ "debian/stamp/pre-inst-common" -> "debian/stamp/do-pre-inst-indep" [dir=back color="Red"]
+ "debian/stamp/do-post-build-indep" -> "debian/stamp/do-pre-inst-indep" [dir=back]
+ "debian/stamp/pre-inst-indep" -> "debian/stamp/do-pre-inst-indep" [dir=back color="Red"]
+// "CUSTOM-15" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-15" -> "debian/stamp/pre-inst-indep" [dir=back]
+// "debian/stamp/do-pre-inst-arch" -> "debian/stamp/INST/foo-arch" [dir=back]
+// "debian/stamp/do-pre-inst-indep" -> "debian/stamp/INST/bar-indep" [dir=back]
+// "debian/stamp/do-pre-inst-arch" -> "debian/stamp/dep-install-arch" [dir=back]
+ "debian/stamp/INST/foo-arch" -> "debian/stamp/dep-install-arch" [dir=back]
+// "debian/stamp/do-pre-inst-indep" -> "debian/stamp/dep-install-indep" [dir=back]
+ "debian/stamp/INST/bar-indep" -> "debian/stamp/dep-install-indep" [dir=back]
+ "debian/stamp/do-pre-inst-arch" -> "debian/stamp/do-install-arch" [dir=back]
+ "debian/stamp/dep-install-arch" -> "debian/stamp/do-install-arch" [dir=back color="Red"]
+// "CUSTOM-16" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-16" -> "debian/stamp/INST/foo-arch" [dir=back]
+ "debian/stamp/do-pre-inst-indep" -> "debian/stamp/do-install-indep" [dir=back]
+ "debian/stamp/dep-install-indep" -> "debian/stamp/do-install-indep" [dir=back color="Red"]
+// "CUSTOM-17" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-17" -> "debian/stamp/INST/bar-indep" [dir=back]
+ "debian/stamp/do-install-arch" -> "install-arch" [dir=back]
+ "debian/stamp/do-install-indep" -> "install-indep" [dir=back]
+ "debian/stamp/do-install-arch" -> "install" [dir=back]
+ "debian/stamp/do-install-indep" -> "install" [dir=back]
+// "debian/stamp/do-install-arch" -> "debian/stamp/pre-bin-arch" [dir=back]
+ "debian/stamp/do-install-arch" -> "debian/stamp/do-pre-bin-arch" [dir=back]
+ "debian/stamp/pre-bin-common" -> "debian/stamp/do-pre-bin-arch" [dir=back color="Red"]
+// "CUSTOM-18" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-18" -> "debian/stamp/pre-bin-common" [dir=back]
+ "debian/stamp/pre-bin-arch" -> "debian/stamp/do-pre-bin-arch" [dir=back color="Red"]
+// "CUSTOM-19" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-19" -> "debian/stamp/pre-bin-arch" [dir=back]
+// "debian/stamp/do-install-indep" -> "debian/stamp/pre-bin-indep" [dir=back]
+ "debian/stamp/pre-bin-common" -> "debian/stamp/do-pre-bin-indep" [dir=back color="Red"]
+ "debian/stamp/do-install-indep" -> "debian/stamp/do-pre-bin-indep" [dir=back]
+ "debian/stamp/pre-bin-indep" -> "debian/stamp/do-pre-bin-indep" [dir=back color="Red"]
+// "CUSTOM-20" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-20" -> "debian/stamp/pre-bin-indep" [dir=back]
+// "debian/stamp/do-pre-bin-arch" -> "debian/stamp/BIN/foo-arch" [dir=back]
+// "debian/stamp/do-pre-bin-indep" -> "debian/stamp/BIN/bar-indep" [dir=back]
+// "debian/stamp/pre-bin-arch" -> "debian/stamp/dep-binary-arch" [dir=back]
+ "debian/stamp/BIN/foo-arch" -> "debian/stamp/dep-binary-arch" [dir=back]
+// "debian/stamp/do-pre-bin-indep" -> "debian/stamp/dep-binary-indep" [dir=back]
+ "debian/stamp/BIN/bar-indep" -> "debian/stamp/dep-binary-indep" [dir=back]
+ "debian/stamp/do-pre-bin-arch" -> "debian/stamp/do-binary-arch" [dir=back]
+ "debian/stamp/dep-binary-arch" -> "debian/stamp/do-binary-arch" [dir=back color="Red"]
+// "CUSTOM-21" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-21" -> "debian/stamp/BIN/foo-arch" [dir=back]
+ "debian/stamp/do-pre-bin-indep" -> "debian/stamp/do-binary-indep" [dir=back]
+ "debian/stamp/dep-binary-indep" -> "debian/stamp/do-binary-indep" [dir=back color="Red"]
+// "CUSTOM-22" [ style="filled", color="#FFE4B5", fontcolor="NavyBlue", fontsize=10, shape="diamond"]
+// "CUSTOM-22" -> "debian/stamp/BIN/bar-indep" [dir=back]
+ "debian/stamp/do-binary-arch" -> "binary-arch" [dir=back]
+ "debian/stamp/do-binary-indep" -> "binary-indep" [dir=back]
+ "debian/stamp/do-binary-arch" -> "binary" [dir=back]
+ "debian/stamp/do-binary-indep" -> "binary" [dir=back]
+
+
+ "debian/stamp/dummy-config-common" -> "debian/stamp/pre-config-common" [style="invis"]
+ "debian/stamp/do-pre-config-common" -> "debian/stamp/pre-config-arch" [style="invis"]
+ "debian/stamp/do-pre-config-common" -> "debian/stamp/pre-config-indep" [style="invis"]
+ "debian/stamp/do-pre-config-arch" -> "debian/stamp/CONFIG/foo-arch" [style="invis"]
+ "debian/stamp/do-pre-config-indep" -> "debian/stamp/CONFIG/bar-indep" [style="invis"]
+
+ "debian/stamp/dep-configure-arch" -> "configure" [style="invis"]
+ "debian/stamp/dep-configure-indep" -> "configure" [style="invis"]
+ "debian/stamp/dep-configure-arch" -> "configure-arch" [style="invis"]
+ "debian/stamp/dep-configure-indep" -> "configure-arch" [style="invis"]
+ "debian/stamp/dep-configure-arch" -> "configure-indep" [style="invis"]
+ "debian/stamp/dep-configure-indep" -> "configure-indep" [style="invis"]
+ "configure-arch" -> "configure" [style="invis"]
+ "configure-indep" -> "configure" [style="invis"]
+ "configure" -> "debian/stamp/pre-build-common" [style="invis"]
+
+
+ "debian/stamp/pre-build-common" -> "debian/stamp/pre-build-indep" [style="invis"]
+ "debian/stamp/pre-build-common" -> "debian/stamp/pre-build-arch" [style="invis"]
+
+ "debian/stamp/do-pre-build-arch" -> "debian/stamp/BUILD/foo-arch" [style="invis"]
+ "debian/stamp/do-pre-build-indep" -> "debian/stamp/BUILD/bar-indep" [style="invis"]
+ "debian/stamp/do-build-arch" -> "debian/stamp/post-build-arch" [style="invis"]
+ "debian/stamp/do-build-indep" -> "debian/stamp/post-build-indep" [style="invis"]
+ "debian/stamp/do-post-build-arch" -> "build-arch" [style="invis"]
+ "debian/stamp/do-post-build-arch" -> "build" [style="invis"]
+ "debian/stamp/do-post-build-indep" -> "build-indep" [style="invis"]
+ "debian/stamp/do-post-build-indep" -> "build" [style="invis"]
+ "build-arch" -> "build" [style="invis"]
+ "build-indep" -> "build" [style="invis"]
+
+ "build" -> "debian/stamp/pre-inst-common" [style="invis"]
+
+ "debian/stamp/pre-inst-common" -> "debian/stamp/pre-inst-indep" [style="invis"]
+ "debian/stamp/pre-inst-common" -> "debian/stamp/pre-inst-arch" [style="invis"]
+ "debian/stamp/do-pre-inst-arch" -> "debian/stamp/INST/foo-arch" [style="invis"]
+ "debian/stamp/do-pre-inst-indep" -> "debian/stamp/INST/bar-indep" [style="invis"]
+
+ "install-arch" -> "install" [style="invis"]
+ "install-indep" -> "install" [style="invis"]
+
+ "debian/stamp/pre-bin-common" -> "debian/stamp/pre-bin-indep" [style="invis"]
+ "debian/stamp/pre-bin-common" -> "debian/stamp/pre-bin-arch" [style="invis"]
+
+ "install" -> "debian/stamp/pre-bin-common" [style="invis"]
+ "debian/stamp/do-pre-bin-arch" -> "debian/stamp/BIN/foo-arch" [style="invis"]
+ "debian/stamp/do-pre-bin-indep" -> "debian/stamp/BIN/bar-indep" [style="invis"]
+
+ "binary-arch" -> "binary" [style="invis"]
+ "binary-indep" -> "binary" [style="invis"]
+
+}
--- refpolicy-2.20110726.orig/debian/common/archvars.mk
+++ refpolicy-2.20110726/debian/common/archvars.mk
@@ -0,0 +1,118 @@
+############################ -*- Mode: Makefile -*- ###########################
+## archvars.mk ---
+## Author : Manoj Srivastava ( srivasta@golden-gryphon.com )
+## Created On : Sat Nov 15 02:40:56 2003
+## Created On Node : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Tue Nov 16 23:36:15 2004
+## Last Machine Used: glaurung.internal.golden-gryphon.com
+## Update Count : 5
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description : calls dpkg-architecture and sets up various arch
+## related variables
+##
+## arch-tag: e16dd848-0fd6-4c0e-ae66-bef20d1f7c63
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 2 of the License, or
+## (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with this program; if not, write to the Free Software
+## Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+##
+###############################################################################
+
+
+DPKG_ARCH := dpkg-architecture
+
+ifeq ($(strip $(KPKG_ARCH)),um)
+ MAKING_VIRTUAL_IMAGE:=YES
+endif
+ifeq ($(strip $(KPKG_ARCH)),xen)
+ MAKING_VIRTUAL_IMAGE:=YES
+endif
+
+ifneq ($(strip $(CONFIG_UM)),)
+ MAKING_VIRTUAL_IMAGE:=YES
+ KPKG_ARCH=um
+endif
+
+ifneq ($(strip $(CONFIG_XEN)),)
+ MAKING_VIRTUAL_IMAGE:=YES
+ ifneq ($(strip $(CONFIG_X86_XEN)$(CONFIG_X86_64_XEN)),)
+ KPKG_SUBARCH=xen
+ else
+ KPKG_ARCH=xen
+ ifeq ($(strip $(CONFIG_XEN_PRIVILEGED_GUEST)),)
+ KPKG_SUBARCH=xenu
+ else
+ KPKG_SUBARCH=xen0
+ endif
+ endif
+endif
+
+ifdef KPKG_ARCH
+ ifeq ($(strip $(MAKING_VIRTUAL_IMAGE)),)
+ ifneq ($(CROSS_COMPILE),-)
+ ha:=-a$(KPKG_ARCH)
+ endif
+ endif
+endif
+
+# set the dpkg-architecture vars
+export DEB_BUILD_ARCH := $(shell $(DPKG_ARCH) -qDEB_BUILD_ARCH)
+export DEB_BUILD_GNU_CPU := $(shell $(DPKG_ARCH) -qDEB_BUILD_GNU_CPU)
+export DEB_BUILD_GNU_SYSTEM:= $(shell $(DPKG_ARCH) -qDEB_BUILD_GNU_SYSTEM)
+export DEB_BUILD_GNU_TYPE := $(shell $(DPKG_ARCH) -qDEB_BUILD_GNU_TYPE)
+export DEB_HOST_ARCH := $(shell $(DPKG_ARCH) $(ha) -qDEB_HOST_ARCH)
+export DEB_HOST_ARCH_OS := $(shell $(DPKG_ARCH) $(ha) -qDEB_HOST_ARCH_OS \
+ 2>/dev/null|| true)
+export DEB_HOST_ARCH_CPU := $(shell $(DPKG_ARCH) $(ha) -qDEB_HOST_ARCH_CPU \
+ 2>/dev/null|| true)
+export DEB_HOST_GNU_CPU := $(shell $(DPKG_ARCH) $(ha) -qDEB_HOST_GNU_CPU)
+export DEB_HOST_GNU_SYSTEM := $(shell $(DPKG_ARCH) $(ha) -qDEB_HOST_GNU_SYSTEM)
+export DEB_HOST_GNU_TYPE := $(shell $(DPKG_ARCH) $(ha) -qDEB_HOST_GNU_TYPE)
+
+# arrgh. future proofing
+ifeq ($(DEB_HOST_GNU_SYSTEM), linux)
+ DEB_HOST_GNU_SYSTEM=linux-gnu
+endif
+ifeq ($(DEB_HOST_ARCH_OS),)
+ ifeq ($(DEB_HOST_GNU_SYSTEM), linux-gnu)
+ DEB_HOST_ARCH_OS := linux
+ endif
+ ifeq ($(DEB_HOST_GNU_SYSTEM), kfreebsd-gnu)
+ DEB_HOST_ARCH_OS := kfreebsd
+ endif
+endif
+
+REASON = @if [ -f $@ ]; then \
+ echo "====== making $(notdir $@) because of $(notdir $?) ======";\
+ else \
+ echo "====== making target $@ [new prereqs: $(notdir $?)]======"; \
+ fi
+
+OLDREASON = @if [ -f $@ ]; then \
+ echo "====== making $(notdir $@) because of $(notdir $?) ======";\
+ else \
+ echo "====== making (creating) $(notdir $@) ======"; \
+ fi
+
+LIBREASON = @echo "====== making $(notdir $@)($(notdir $%))because of $(notdir $?)======"
+
+
+# macro outputing $(1) if DEBUG_DEBIAN_RULES is set, and resolving it
+# in all cases usage $(call doit,some shell command)
+doit = $(if $(DEBUG_DEBIAN_RULES),$(warning DEBUG: $(1)))$(shell $(1))
+
+#Local variables:
+#mode: makefile
+#End:
--- refpolicy-2.20110726.orig/debian/common/copt.mk
+++ refpolicy-2.20110726/debian/common/copt.mk
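Review bot: The block from `ifeq ($(strip $(KPKG_ARCH)),um)` through `ha:=-a$(KPKG_ARCH)` only has an effect when KPKG_ARCH, CONFIG_UM or CONFIG_XEN is set, which is kernel-package configuration; nothing visible in this packaging sets any of them, so in refpolicy `ha` presumably stays empty and the whole block is dead weight carried over from a shared template. If it is kept for sharing, a one-line comment such as `# kernel-package virtual-image/cross handling; no-op here, kept in sync with other packages` would save the next reader a search for where KPKG_ARCH is supposed to come from. `DEB_HOST_GNU_SYSTEM=linux-gnu` is the only recursive `=` assignment among `:=` ones in this file; `DEB_HOST_GNU_SYSTEM := linux-gnu` keeps it consistent. The comment on `doit` should also say that, because the variable is recursively expanded, `$(shell $(1))` runs the command every time `$(call doit,...)` is expanded, with or without DEBUG_DEBIAN_RULES.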
@@ -0,0 +1,44 @@
+############################ -*- Mode: Makefile -*- ###########################
+## copt.mk ---
+## Author : Manoj Srivastava ( srivasta@glaurung.green-gryphon.com )
+## Created On : Sat Nov 15 02:48:40 2003
+## Created On Node : glaurung.green-gryphon.com
+## Last Modified By : Manoj Srivastava
+## Last Modified On : Sat Nov 15 02:49:07 2003
+## Last Machine Used: glaurung.green-gryphon.com
+## Update Count : 1
+## Status : Unknown, Use with caution!
+## HISTORY :
+## Description :
+##
+## arch-tag: a0045c20-f1b3-4852-9a4b-1a33ebd7c1b8
+##
+###############################################################################
+
+PREFIX := /usr
+# set CC to $(DEB_HOST_GNU_TYPE)-gcc only if a cross-build is detected
+ifneq ($(DEB_HOST_GNU_TYPE),$(DEB_BUILD_GNU_TYPE))
+ CC=$(DEB_HOST_GNU_TYPE)-gcc
+else
+ CC = cc
+endif
+
+# Policy 10.1 says to make this the default
+CFLAGS = -Wall -g
+
+ifneq (,$(filter noopt,$(DEB_BUILD_OPTIONS)))
+ CFLAGS += -O0
+else
+ CFLAGS += -O2
+endif
+
+## ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS)))
+## endif
+
+ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
+ STRIP += -s
+ LDFLAGS += -s
+ INT_INSTALL_TARGET = install
+else
+ INT_INSTALL_TARGET = install
+endif
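Review bot: `ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))` is a substring match while the noopt test a few lines above uses `$(filter noopt,...)`; DEB_BUILD_OPTIONS is a space-separated list of words, so `ifeq (,$(filter nostrip,$(DEB_BUILD_OPTIONS)))` is both the exact test and the consistent one. Both branches of that conditional assign `INT_INSTALL_TARGET = install`, so the assignment should be hoisted out of the `ifeq` (or the strip branch given a distinct target) rather than left looking like a choice that is never made. `CFLAGS = -Wall -g` is an unconditional overwrite, so any CFLAGS handed in by the environment or a build wrapper (hardening flags, for instance) is discarded before `-O0`/`-O2` is appended; if that is not intended, `CFLAGS ?= -Wall -g` or `CFLAGS += -Wall -g` keeps the caller's flags. The commented-out `## ifneq (,$(findstring debug,...))` / `## endif` pair is dead text and should be dropped.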