* Adding alternate root patch to restorecon (setfiles?)
@ 2004-10-18 19:31 Daniel J Walsh
  2004-10-18 19:55 ` Stephen Smalley
  2004-10-18 20:51 ` Thomas Bleher
  0 siblings, 2 replies; 64+ messages in thread
From: Daniel J Walsh @ 2004-10-18 19:31 UTC (permalink / raw)
  To: Stephen Smalley, SELinux

We are beginning to look into how we could support clusters with SELinux. 
Usually in clusters you move your configuration off on to some shared 
storage.

So you might do a cp -a  /var/named /shared/var/named

We need some way of relabeling these directories with file context.  My 
idea is to add an alternate root qualifier to restorecon.

So in the above example you would do a

restorecon -R -p /shared /shared/var/named

I think this would work fairly well for chroot environments also.

Ideas?


Dan

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Adding alternate root patch to restorecon (setfiles?)
  2004-10-18 19:31 Adding alternate root patch to restorecon (setfiles?) Daniel J Walsh
@ 2004-10-18 19:55 ` Stephen Smalley
  2004-10-18 20:11   ` Daniel J Walsh
  2004-10-18 20:51 ` Thomas Bleher
  1 sibling, 1 reply; 64+ messages in thread
From: Stephen Smalley @ 2004-10-18 19:55 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux, Russell Coker

On Mon, 2004-10-18 at 15:31, Daniel J Walsh wrote:
> We are beginning to look into how we could support clusters with SELinux. 
> Usually in clusters you move your configuration off on to some shared 
> storage.
> 
> So you might do a cp -a  /var/named /shared/var/named
> 
> We need some way of relabeling these directories with file context.  My 
> idea is to add an alternate
> root qualifier to restorecon
> 
> So in the above example you would do a
> 
> restorecon -R -p /shared /shared/var/named
> 
> I think this would work fairly well for chroot environments also.

setfiles already has such an option (-r).  setfiles and restorecon
increasingly resemble one another except in their default behaviors.

Previously, you indicated that you viewed the important difference as
being that setfiles takes a specified file_contexts while restorecon
only uses the system one, thereby imposing different trust burdens on
the caller.  But note that setfiles policy already limits the set of
types that it can read, and this could possibly be pruned further to
avoid any types writable by a less trusted caller if there are such
types.

Merging them into one program and re-visiting whether setfiles can
leverage matchpathcon(3) might be worthwhile.  At present, it doesn't do
so because it wants the spec info for use in conflict detection, IIRC.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency




* Re: Adding alternate root patch to restorecon (setfiles?)
  2004-10-18 19:55 ` Stephen Smalley
@ 2004-10-18 20:11   ` Daniel J Walsh
  0 siblings, 0 replies; 64+ messages in thread
From: Daniel J Walsh @ 2004-10-18 20:11 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux, Russell Coker

Stephen Smalley wrote:

>On Mon, 2004-10-18 at 15:31, Daniel J Walsh wrote:
>  
>
>>We are beginning to look into how we could support clusters with SELinux. 
>>Usually in clusters you move your configuration off on to some shared 
>>storage.
>>
>>So you might do a cp -a  /var/named /shared/var/named
>>
>>We need some way of relabeling these directories with file context.  My 
>>idea is to add an alternate
>>root qualifier to restorecon
>>
>>So in the above example you would do a
>>
>>restorecon -R -p /shared /shared/var/named
>>
>>I think this would work fairly well for chroot environments also.
>>    
>>
>
>setfiles already has such an option (-r).  setfiles and restorecon
>increasingly resemble one another except in their default behaviors.
>
>Previously, you indicated that you viewed the important difference as
>being that setfiles takes a specified file_contexts while restorecon
>only uses the system one, thereby imposing different trust burdens on
>the caller.  But note that setfiles policy already limits the set of
>types that it can read, and this could possibly be pruned further to
>avoid any types writable by a less trusted caller if there are such
>types.
>
>Merging them into one program and re-visiting whether setfiles can
>leverage matchpathcon(3) might be worthwhile.  At present, it doesn't do
>so because it wants the spec info for use in conflict detection, IIRC.
>
>  
>
I agree.  A couple of things in merging them would be to eliminate the 
need to specify the file_context file.  It should be figured out 
directly.  Maybe convert restorecon into a wrapper around setfiles.

One other thing we are talking about is the ability to specify an 
additional file_contexts file, sort of a local_file_context, so that 
users could override or add certain file contexts without requiring the 
sources rpm.  The users file should also be treated like this.

We need to drive to the point where selinux-policy-*-sources is treated 
like kernel sources, i.e. hardly anyone would ever install the sources 
file.

Dan



* Re: Adding alternate root patch to restorecon (setfiles?)
  2004-10-18 19:31 Adding alternate root patch to restorecon (setfiles?) Daniel J Walsh
  2004-10-18 19:55 ` Stephen Smalley
@ 2004-10-18 20:51 ` Thomas Bleher
  2004-10-19 13:33   ` Daniel J Walsh
  2004-10-25 15:38   ` Russell Coker
  1 sibling, 2 replies; 64+ messages in thread
From: Thomas Bleher @ 2004-10-18 20:51 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Stephen Smalley, SELinux


* Daniel J Walsh <dwalsh@redhat.com> [2004-10-18 22:40]:
> We are beginning to look into how we could support clusters with SELinux. 
> Usually in clusters you move your configuration off on to some shared 
> storage.
> 
> So you might do a cp -a  /var/named /shared/var/named
> 
> We need some way of relabeling these directories with file context.  My 
> idea is to add an alternate
> root qualifier to restorecon

One thing to note here is that restorecon becomes more dangerous with
your changes. Right now restorecon is relatively safe in that you can
only change file labels to their system default. It would probably be
acceptable in most environments to give users access to restorecon so
they could properly set labels for files in their home dir.

With your changes and this scenario, users could do something like
        restorecon -p /home/foo /home/foo/sbin/unix_chkpwd
and start reading /etc/shadow.
So I am not sure this is the right way.

Thomas


-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA  D09E C562 2BAE B2F4 ABE7



* Re: Adding alternate root patch to restorecon (setfiles?)
  2004-10-18 20:51 ` Thomas Bleher
@ 2004-10-19 13:33   ` Daniel J Walsh
  2004-10-19 18:36     ` Luke Kenneth Casson Leighton
  2004-10-25 15:38   ` Russell Coker
  1 sibling, 1 reply; 64+ messages in thread
From: Daniel J Walsh @ 2004-10-19 13:33 UTC (permalink / raw)
  To: Thomas Bleher; +Cc: Stephen Smalley, SELinux

Thomas Bleher wrote:

>* Daniel J Walsh <dwalsh@redhat.com> [2004-10-18 22:40]:
>  
>
>>We are beginning to look into how we could support clusters with SELinux. 
>>Usually in clusters you move your configuration off on to some shared 
>>storage.
>>
>>So you might do a cp -a  /var/named /shared/var/named
>>
>>We need some way of relabeling these directories with file context.  My 
>>idea is to add an alternate
>>root qualifier to restorecon
>>    
>>
>
>One thing to note here is that restorecon becomes more dangerous with
>your changes. Right now restorecon is relatively safe in that you can
>only change file labels to their system default. It would probably be
>acceptable in most environments to give users access to restorecon so
>they could properly set labels for files in their home dir.
>
>With your changes and this scenario, users could do something like
>        restorecon -p /home/foo /home/foo/sbin/unix_chkpwd
>and start reading /etc/shadow.
>So I am not sure this is the right way.
>
>Thomas
>
>
>  
>
Good point, good thing I never put out a patched version.  We need ideas 
on the best way to do something like this.

Dan



* Re: Adding alternate root patch to restorecon (setfiles?)
  2004-10-19 18:36     ` Luke Kenneth Casson Leighton
@ 2004-10-19 18:26       ` Stephen Smalley
  2004-10-19 20:27         ` Luke Kenneth Casson Leighton
  2004-10-25 15:35       ` Russell Coker
  1 sibling, 1 reply; 64+ messages in thread
From: Stephen Smalley @ 2004-10-19 18:26 UTC (permalink / raw)
  To: Luke Kenneth Casson Leighton; +Cc: Daniel J Walsh, Thomas Bleher, SELinux

On Tue, 2004-10-19 at 14:36, Luke Kenneth Casson Leighton wrote:
> um... what happens if a user runs restorecon in a chroot environment
> that they create?
> 
> as an ordinary user, can they cp /lib/* and have the context preserved
> on their copy of libc.so.6?  just trying that now... no, it says setting
> attribute "security.selinux" for /home/sez/libc6.so.6': permission
> denied.
> 
> is there any conceivable way round that?  [i hope not!]

Unprivileged user domains aren't allowed to transition to restorecon_t
in the policy.  There is a reason for that...
 
-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency




* Re: Adding alternate root patch to restorecon (setfiles?)
  2004-10-19 13:33   ` Daniel J Walsh
@ 2004-10-19 18:36     ` Luke Kenneth Casson Leighton
  2004-10-19 18:26       ` Stephen Smalley
  2004-10-25 15:35       ` Russell Coker
  0 siblings, 2 replies; 64+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-10-19 18:36 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Thomas Bleher, Stephen Smalley, SELinux

On Tue, Oct 19, 2004 at 09:33:06AM -0400, Daniel J Walsh wrote:
> Thomas Bleher wrote:
> Good point, good thing I never put out a patched version.  We need ideas 
> on the best way to do something
> like this.

um... what happens if a user runs restorecon in a chroot environment
that they create?

as an ordinary user, can they cp /lib/* and have the context preserved
on their copy of libc.so.6?  just trying that now... no, it says setting
attribute "security.selinux" for /home/sez/libc6.so.6': permission
denied.

is there any conceivable way round that?  [i hope not!]

l.




* Re: Adding alternate root patch to restorecon (setfiles?)
  2004-10-19 18:26       ` Stephen Smalley
@ 2004-10-19 20:27         ` Luke Kenneth Casson Leighton
  0 siblings, 0 replies; 64+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-10-19 20:27 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Daniel J Walsh, Thomas Bleher, SELinux

On Tue, Oct 19, 2004 at 02:26:44PM -0400, Stephen Smalley wrote:
> On Tue, 2004-10-19 at 14:36, Luke Kenneth Casson Leighton wrote:
> > um... what happens if a user runs restorecon in a chroot environment
> > that they create?
> > 
> > as an ordinary user, can they cp /lib/* and have the context preserved
> > on their copy of libc.so.6?  just trying that now... no, it says setting
> > attribute "security.selinux" for /home/sez/libc6.so.6': permission
> > denied.
> > 
> > is there any conceivable way round that?  [i hope not!]
> 
> Unprivileged user domains aren't allowed to transition to restorecon_t
> in the policy.  There is a reason for that...
  
  ... gooood :)




* Re: Adding alternate root patch to restorecon (setfiles?)
  2004-10-19 18:36     ` Luke Kenneth Casson Leighton
  2004-10-19 18:26       ` Stephen Smalley
@ 2004-10-25 15:35       ` Russell Coker
  1 sibling, 0 replies; 64+ messages in thread
From: Russell Coker @ 2004-10-25 15:35 UTC (permalink / raw)
  To: Luke Kenneth Casson Leighton; +Cc: SELinux

On Wed, 20 Oct 2004 04:36, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> On Tue, Oct 19, 2004 at 09:33:06AM -0400, Daniel J Walsh wrote:
> > Thomas Bleher wrote:
> > Good point, good thing I never put out a patched version.  We need ideas
> > on the best way to do something
> > like this.
>
> um... what happens if a user runs restorecon in a chroot environment
> that they create?

One thing to note is that running programs inside a chroot environment in the 
same domain that they may run under in a non-chroot environment is probably a 
bad idea.

If the user can do something that is path sensitive then they can do it from 
user_t which does not have chroot capability.  If they enter a chroot 
environment then they do it through a program which has appropriate privs and 
then enter a different domain.

If the user can enter arbitrary domains in a chroot then you are bound to lose 
somehow.


NB  This has nothing to do with the patches to restorecon, just something to 
note for future reference.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



* Re: Adding alternate root patch to restorecon (setfiles?)
  2004-10-18 20:51 ` Thomas Bleher
  2004-10-19 13:33   ` Daniel J Walsh
@ 2004-10-25 15:38   ` Russell Coker
  2004-10-25 21:31     ` Thomas Bleher
  1 sibling, 1 reply; 64+ messages in thread
From: Russell Coker @ 2004-10-25 15:38 UTC (permalink / raw)
  To: Thomas Bleher; +Cc: SELinux

On Tue, 19 Oct 2004 06:51, Thomas Bleher <bleher@informatik.uni-muenchen.de> 
wrote:
> One thing to note here is that restorecon becomes more dangerous with
> your changes. Right now restorecon is relatively safe in that you can
> only change file labels to their system default. It would probably be
> acceptable in most environments to give users access to restorecon so
> they could properly set labels for files in their home dir.
>
> With your changes and this scenario, users could do something like
>         restorecon -p /home/foo /home/foo/sbin/unix_chkpwd

If the user is to run restorecon then they must run it in their own domain.  
There is no harm in allowing a user to run restorecon as user_t.  They can 
only relabel files that have their own identity and a certain set of types.

Maybe we should even have a script to run restorecon -R on the user's home 
directory that they can run at any time if SE Linux stops them doing what 
they want?

If user_t can run restorecon as restorecon_t then you will lose even if there 
is no -p option.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


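The mechanism argued over in the messages above, as an added worked model (not code from restorecon, setfiles or libselinux, and not anything posted in this thread): the path rewrite an alternate-root option performs before the file_contexts lookup (Dan's restorecon -p, Stephen's setfiles -r), the hazard Thomas Bleher raises when an unprivileged caller chooses the root, and the policy-side answer Russell Coker gives, a caller that may only relabel files of its own identity among a fixed set of types. The file_contexts lines, type names, paths and the user_u/staff_u identities are constructed to resemble the policy under discussion; the "last match wins" rule follows what setfiles(8) documented at the time, and for these specs the stem-ordered matching of newer libselinux gives the same answers.

```python
"""Model of alternate-root relabelling (restorecon -p / setfiles -r) and of a
relabel domain confined to the caller's own file types.  Added example; not
code from restorecon, setfiles, libselinux or any shipped policy."""
import re
from typing import NamedTuple, Optional

# Constructed sample in the real file_contexts format: "regex [-type] context".
# Paths, types and contexts are made up to resemble a 2004-era policy.
SAMPLE_FILE_CONTEXTS = """
/.*                         system_u:object_r:default_t
/etc(/.*)?                  system_u:object_r:etc_t
/etc/shadow         --      system_u:object_r:shadow_t
/sbin(/.*)?                 system_u:object_r:sbin_t
/sbin/unix_chkpwd   --      system_u:object_r:chkpwd_exec_t
/var/named(/.*)?            system_u:object_r:named_zone_t
/home/[^/]+         -d      system_u:object_r:user_home_dir_t
/home/[^/]+/.*              system_u:object_r:user_home_t
/shared(/.*)?               system_u:object_r:default_t
"""

# Constructed: the types a per-user "domain file type" attribute would gather.
USER_FILE_TYPES = frozenset({"user_home_dir_t", "user_home_t", "user_tmp_t"})


class Spec(NamedTuple):
    regex: re.Pattern
    ftype: Optional[str]  # None = any file type; "--" regular file, "-d" dir, ...
    context: str


def parse_file_contexts(text: str) -> list:
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:
            regex, ftype, context = fields
        elif len(fields) == 2:
            regex, context = fields
            ftype = None
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        specs.append(Spec(re.compile(regex), ftype, context))
    return specs


SPECS = parse_file_contexts(SAMPLE_FILE_CONTEXTS)


def match_context(specs, path: str, ftype: str = "--") -> Optional[str]:
    """Context for `path`; later specs take precedence (last match wins)."""
    for spec in reversed(specs):
        if spec.ftype in (None, ftype) and spec.regex.fullmatch(path):
            return spec.context
    return None


def strip_alternate_root(path: str, root: Optional[str]) -> str:
    """The path the file would have on the target system: the rewrite that an
    alternate-root option applies before consulting file_contexts."""
    if root is None:
        return path
    root = root.rstrip("/")
    if path == root:
        return "/"
    if not path.startswith(root + "/"):
        raise ValueError(f"{path} is not under alternate root {root}")
    return path[len(root):]


class Decision(NamedTuple):
    context: str   # context the file ends up with
    allowed: bool  # whether the caller's domain may perform the relabel
    reason: str


def decide(path, current, *, root=None, caller_user=None, allowed_types=None):
    """What restorecon would set and whether the calling domain may set it.
    allowed_types=None models an unconfined relabel domain run by an
    administrator; a set models a per-user domain holding relabelfrom and
    relabelto only on those types, which may also touch only files carrying
    the caller's own identity and changes nothing but the type."""
    target = match_context(SPECS, strip_alternate_root(path, root))
    if target is None:
        return Decision(current, False, "no matching spec")
    if allowed_types is None:
        return Decision(target, True, "unconfined relabel domain")
    cur_user, cur_role, cur_type = current.split(":")
    new_type = target.split(":")[2]
    if cur_type not in allowed_types:
        return Decision(current, False, f"relabelfrom {cur_type} not granted")
    if new_type not in allowed_types:
        return Decision(current, False, f"relabelto {new_type} not granted")
    if caller_user is not None and cur_user != caller_user:
        return Decision(current, False, f"file has identity {cur_user}, caller is {caller_user}")
    return Decision(f"{cur_user}:{cur_role}:{new_type}", True, "within caller's own types")


def demo() -> dict:
    user = dict(caller_user="user_u", allowed_types=USER_FILE_TYPES)
    return {
        # administrator relabels a tree copied to shared storage
        "cluster": decide("/shared/var/named/db.local",
                          "system_u:object_r:default_t", root="/shared"),
        # unprivileged caller picks the root: the lookup now hits /sbin/unix_chkpwd
        "hazard_unconfined": decide("/home/foo/sbin/unix_chkpwd",
                                    "user_u:object_r:user_home_t", root="/home/foo"),
        # the same request from a domain confined to the user's own types
        "hazard_confined": decide("/home/foo/sbin/unix_chkpwd",
                                  "user_u:object_r:user_home_t", root="/home/foo", **user),
        # the legitimate use: a mislabelled file in the home directory
        "homedir_fix": decide("/home/foo/notes.txt",
                              "user_u:object_r:user_tmp_t", **user),
        # a file of another identity in the same directory
        "other_identity": decide("/home/foo/shared.txt",
                                 "staff_u:object_r:user_tmp_t", **user),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        verdict = "ALLOW" if d.allowed else "DENY"
        print(f"{name:18} {verdict:5} {d.context}  ({d.reason})")
```

Running it prints one line per scenario. The two hazard cases are the point: the stripped path makes the lookup return chkpwd_exec_t in both, and only the confinement of relabelfrom/relabelto to the caller's own types turns the second into a denial; an alternate-root flag by itself provides no protection.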

* Re: Adding alternate root patch to restorecon (setfiles?)
  2004-10-25 15:38   ` Russell Coker
@ 2004-10-25 21:31     ` Thomas Bleher
  2004-10-26 14:36       ` Russell Coker
  0 siblings, 1 reply; 64+ messages in thread
From: Thomas Bleher @ 2004-10-25 21:31 UTC (permalink / raw)
  To: Russell Coker; +Cc: SELinux



* Russell Coker <russell@coker.com.au> [2004-10-25 19:09]:
> On Tue, 19 Oct 2004 06:51, Thomas Bleher <bleher@informatik.uni-muenchen.de> 
> wrote:
> > One thing to note here is that restorecon becomes more dangerous with
> > your changes. Right now restorecon is relatively safe in that you can
> > only change file labels to their system default. It would probably be
> > acceptable in most environments to give users access to restorecon so
> > they could properly set labels for files in their home dir.
> >
> > With your changes and this scenario, users could do something like
> >         restorecon -p /home/foo /home/foo/sbin/unix_chkpwd
> 
> If the user is to run restorecon then they must run it in their own domain.  
> There is no harm in allowing a user to run restorecon as user_t.  They can 
> only relabel files that have their own identity and a certain set of types.
> 
> Maybe we should even have a script to run restorecon -R on the user's home 
> directory that they can run at any time if SE Linux stops them doing what 
> they want?

OK, what do you guys think about the following patch:
It adds an attribute $1_domain_file_type, so all file types from derived
user domains can be grouped together. It also adds a restorecon_domain()
macro, so users can call restorecon to reset the labels on their files.

It is very lightly tested and probably missing a few permissions but
should give a good overview of the general idea.

Is such a thing safe?

Thomas

PS: It may be good to add a password check before restorecon (like
newrole does) so we are sure that it's the user who wants to relabel
his files.

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA  D09E C562 2BAE B2F4 ABE7

[-- Attachment #1.2: restorecon.patch --]
[-- Type: text/plain, Size: 16345 bytes --]

diff -urN orig/macros/admin_macros.te mod/macros/admin_macros.te
--- orig/macros/admin_macros.te	2004-10-11 10:03:26.000000000 +0200
+++ mod/macros/admin_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -14,9 +14,12 @@
 #
 undefine(`admin_domain')
 define(`admin_domain',`
+# define an attribute for all files created by this role
+attribute $1_domain_file_type;
+
 # Type for home directory.
-type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type;
-type $1_home_t, file_type, sysadmfile, home_type;
+type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, $1_domain_file_type;
+type $1_home_t, file_type, sysadmfile, home_type, $1_domain_file_type;
 
 # Type and access for pty devices.
 can_create_pty($1)
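Review bot: the attribute is declared here inside admin_domain, but no hunk in this patch calls the restorecon_domain() macro it is meant to feed, and calling it for an admin domain would be wrong anyway: if sysadm_t already transitions to restorecon_t on restorecon_exec_t (the thread says only unprivileged domains lack that transition), domain_auto_trans($1_t, restorecon_exec_t, $1_restorecon_t) adds a second type_transition for the same source and target, which checkpolicy rejects as conflicting. State where restorecon_domain($1) is invoked and whether admin domains are excluded. Minor: the comment "files created by this role" should read "file types of this user's derived domains", since an attribute groups types and roles create nothing.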
diff -urN orig/macros/program/apache_macros.te mod/macros/program/apache_macros.te
--- orig/macros/program/apache_macros.te	2004-10-17 13:07:14.000000000 +0200
+++ mod/macros/program/apache_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -18,18 +18,23 @@
 file_type_auto_trans(httpd_$1_script_t, tmp_t, $1_tmp_t)
 ', `
 
+ifelse($1, sys, `
 #This type is for webpages
 #
 type httpd_$1_content_t, file_type, homedirfile, sysadmfile;
-ifelse($1, sys, `
 typealias httpd_sys_content_t alias httpd_sysadm_content_t;
-')
 
 # This type is used for .htaccess files
 #
 type httpd_$1_htaccess_t, file_type, sysadmfile;
 
 type httpd_$1_script_exec_t, file_type, sysadmfile;
+', `
+# same as above, add $1_domain_file_type attribute
+type httpd_$1_content_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
+type httpd_$1_htaccess_t, file_type, sysadmfile, $1_domain_file_type;
+type httpd_$1_script_exec_t, file_type, sysadmfile, $1_domain_file_type;
+')
 
 # Type that CGI scripts run as
 type httpd_$1_script_t, domain, privmail;
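Review bot: the three type declarations are now duplicated across the two ifelse branches and differ only in the trailing attribute; the crond hunk's form, `type httpd_$1_content_t, file_type, homedirfile, sysadmfile ifelse($1, `sys', `', `, $1_domain_file_type');`, keeps one declaration per type and cannot drift. Also quote `sys' as the second apache hunk does; the bare sys works in m4 here, but the inconsistency invites a mistake later.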
@@ -69,13 +74,20 @@
 uncond_can_ypbind(httpd_$1_script_t)
 }
 ')
+
+ifelse($1, `sys', `
 # The following are the only areas that 
 # scripts can read, read/write, or append to
 #
 type httpd_$1_script_ro_t, file_type, sysadmfile;
 type httpd_$1_script_rw_t, file_type, sysadmfile;
-file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)
 type httpd_$1_script_ra_t, file_type, sysadmfile;
+', `
+type httpd_$1_script_ro_t, file_type, sysadmfile, $1_domain_file_type;
+type httpd_$1_script_rw_t, file_type, sysadmfile, $1_domain_file_type;
+type httpd_$1_script_ra_t, file_type, sysadmfile, $1_domain_file_type;
+')
+file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)
 
 ifdef(`slocate.te', `
 ifelse($1, `sys', `', `
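Review bot: same duplication as in the previous hunk, and the move of `file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)` from the middle of the type list to after the ifelse is a behavioural no-op that nothing explains; a one-line comment (or a sentence in the description) would save the next reader from hunting for a reason.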
diff -urN orig/macros/program/crond_macros.te mod/macros/program/crond_macros.te
--- orig/macros/program/crond_macros.te	2004-09-11 14:31:47.000000000 +0200
+++ mod/macros/program/crond_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -36,7 +36,7 @@
 r_dir_file($1_crond_t, selinux_config_t)
 
 # Type of user crontabs once moved to cron spool.
-type $1_cron_spool_t, file_type, sysadmfile;
+type $1_cron_spool_t, file_type, sysadmfile ifelse($1, `system', `', `, $1_domain_file_type');
 
 ifdef(`fcron.te', `
 allow crond_t $1_cron_spool_t:file create_file_perms;
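Review bot: `system' is the right exclusion here, since no system_domain_file_type attribute is declared anywhere in the patch, and this inline ifelse is the compact pattern the apache hunks should adopt. Minor: the space before ifelse( expands to `sysadmfile , user_domain_file_type`, which checkpolicy accepts but looks like a typo; `sysadmfile` directly followed by the ifelse reads cleaner.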
diff -urN orig/macros/program/fingerd_macros.te mod/macros/program/fingerd_macros.te
--- orig/macros/program/fingerd_macros.te	2003-08-14 14:37:36.000000000 +0200
+++ mod/macros/program/fingerd_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -10,6 +10,6 @@
 # allow fingerd to create a fingerlog file in the user home dir
 #
 define(`fingerd_macro', `
-type $1_home_fingerlog_t, file_type, sysadmfile;
+type $1_home_fingerlog_t, file_type, sysadmfile, $1_domain_file_type;
 file_type_auto_trans(fingerd_t, $1_home_dir_t, $1_home_fingerlog_t)
 ')
diff -urN orig/macros/program/gpg_agent_macros.te mod/macros/program/gpg_agent_macros.te
--- orig/macros/program/gpg_agent_macros.te	2004-09-21 22:24:44.000000000 +0200
+++ mod/macros/program/gpg_agent_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -58,7 +58,7 @@
 allow $1_gpg_agent_t self:fifo_file { getattr read write };
 
 # create /tmp files
-tmp_domain($1_gpg_agent)
+tmp_domain($1_gpg_agent, `, $1_domain_file_type')
 
 # gpg connect
 allow $1_gpg_t $1_gpg_agent_tmp_t:dir { search };
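Review bot: the second argument `, $1_domain_file_type' only works because tmp_domain() splices its $2 verbatim into the type declaration, which is why the leading comma is needed; that coupling is not visible in this patch and recurs in the lpr, screen and xauth hunks. Add a comment at this first use, or give tmp_domain a documented parameter for extra attributes so callers do not have to know its expansion.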
diff -urN orig/macros/program/gpg_macros.te mod/macros/program/gpg_macros.te
--- orig/macros/program/gpg_macros.te	2004-09-11 14:31:47.000000000 +0200
+++ mod/macros/program/gpg_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -25,7 +25,7 @@
 allow $1_t self:capability { setuid };
 ', `
 type $1_gpg_t, domain, privlog;
-type $1_gpg_secret_t, file_type, homedirfile, sysadmfile;
+type $1_gpg_secret_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
 ')dnl end ifdef single_userdomain
 
 # Transition from the user domain to the derived domain.
diff -urN orig/macros/program/irc_macros.te mod/macros/program/irc_macros.te
--- orig/macros/program/irc_macros.te	2004-03-23 21:58:10.000000000 +0100
+++ mod/macros/program/irc_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -24,8 +24,8 @@
 ', `
 # Derived domain based on the calling user domain and the program.
 type $1_irc_t, domain;
-type $1_home_irc_t, file_type, homedirfile, sysadmfile;
-type $1_irc_exec_t, file_type, sysadmfile;
+type $1_home_irc_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
+type $1_irc_exec_t, file_type, sysadmfile, $1_domain_file_type;
 
 ifdef(`slocate.te', `
 allow $1_locate_t { $1_home_irc_t $1_irc_exec_t }:dir { getattr search };
diff -urN orig/macros/program/lpr_macros.te mod/macros/program/lpr_macros.te
--- orig/macros/program/lpr_macros.te	2004-09-11 14:31:47.000000000 +0200
+++ mod/macros/program/lpr_macros.te	2004-10-25 23:28:02.000000000 +0200
@@ -54,11 +54,11 @@
 r_dir_file($1_lpr_t, printconf_t)
 ')
 
-tmp_domain($1_lpr)
+tmp_domain($1_lpr, `, $1_domain_file_type')
 r_dir_file($1_lpr_t, $1_tmp_t)
 
 # Type for spool files.
-type $1_print_spool_t, file_type, sysadmfile;
+type $1_print_spool_t, file_type, sysadmfile, $1_domain_file_type;
 # Use this type when creating files in /var/spool/lpd and /var/spool/cups.
 file_type_auto_trans($1_lpr_t, print_spool_t, $1_print_spool_t, file)
 allow $1_lpr_t var_spool_t:dir { search };
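Review bot: $1_print_spool_t lives under /var/spool/lpd and /var/spool/cups (see the file_type_auto_trans below), but restorecon_domain() later in this patch grants dir search only on tmp_t and $1_domain_file_type, so a user running restorecon on such a file fails at path traversal unless base_file_read_access() happens to cover var_t, var_spool_t and print_spool_t. Either add the search rules to the restorecon domain or leave the attribute off spool types the user cannot reach.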
diff -urN orig/macros/program/restorecon_macros.te mod/macros/program/restorecon_macros.te
--- orig/macros/program/restorecon_macros.te	1970-01-01 01:00:00.000000000 +0100
+++ mod/macros/program/restorecon_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -0,0 +1,34 @@
+# Macro for the user restorecon domain
+#
+# Allow the user to call restorecon and to relabel all his files
+#
+# Author: Thomas Bleher <ThomasBleher@gmx.de>
+#
+
+define(`restorecon_domain', `
+
+type $1_restorecon_t, domain;
+role $1_r types $1_restorecon_t;
+
+domain_auto_trans($1_t, restorecon_exec_t, $1_restorecon_t)
+
+base_file_read_access($1_restorecon_t)
+uses_shlib($1_restorecon_t)
+
+allow $1_restorecon_t $1_devpts_t:chr_file { read write };
+
+allow $1_restorecon_t privfd:fd use;
+
+r_dir_file($1_restorecon_t, selinux_config_t)
+r_dir_file($1_restorecon_t, default_context_t)
+r_dir_file($1_restorecon_t, file_context_t)
+r_dir_file($1_restorecon_t, policy_config_t)
+
+allow $1_restorecon_t proc_t:dir search;
+allow $1_restorecon_t proc_t:file { getattr read };
+dontaudit $1_restorecon_t proc_t:lnk_file { getattr read };
+
+allow $1_restorecon_t { tmp_t $1_domain_file_type }:dir { getattr search };
+allow $1_restorecon_t $1_domain_file_type:{ notdevfile_class_set dir } { getattr relabelfrom relabelto };
+ 
+')
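Review bot: `restorecon -R` has to read directory entries, but the last two rules grant $1_domain_file_type directories only `getattr search` and `getattr relabelfrom relabelto`, so the recursive run on the home directory that the cover note proposes will fail; add `read` to the dir permissions. The security property itself is right: relabelfrom and relabelto are both confined to $1_domain_file_type, so the `restorecon -p /home/foo /home/foo/sbin/unix_chkpwd` case raised earlier in the thread is denied at relabelto because chkpwd_exec_t is not in the attribute, whatever the file_contexts lookup returns. Minor: $1_devpts_t is covered but $1_tty_device_t is not, so a console login may get a denial on its terminal; and the line before `')` is a lone `+ ` with trailing whitespace.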
diff -urN orig/macros/program/rssh_macros.te mod/macros/program/rssh_macros.te
--- orig/macros/program/rssh_macros.te	2004-09-23 11:38:30.000000000 +0200
+++ mod/macros/program/rssh_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -19,8 +19,8 @@
 role rssh_$1_r types rssh_$1_t;
 allow system_r rssh_$1_r;
 
-type rssh_$1_rw_t, file_type, sysadmfile;
-type rssh_$1_ro_t, file_type, sysadmfile;
+type rssh_$1_rw_t, file_type, sysadmfile, $1_domain_file_type;
+type rssh_$1_ro_t, file_type, sysadmfile, $1_domain_file_type;
 
 general_domain_access(rssh_$1_t);
 uses_shlib(rssh_$1_t);
diff -urN orig/macros/program/screen_macros.te mod/macros/program/screen_macros.te
--- orig/macros/program/screen_macros.te	2004-10-11 10:03:26.000000000 +0200
+++ mod/macros/program/screen_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -26,12 +26,12 @@
 typealias $1_home_t alias $1_home_screen_t;
 ', `
 type $1_screen_t, domain, privlog, privfd;
-type $1_home_screen_t, file_type, homedirfile, sysadmfile;
+type $1_home_screen_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
 
 # Transition from the user domain to this domain.
 domain_auto_trans($1_t, screen_exec_t, $1_screen_t)
 
-tmp_domain($1_screen)
+tmp_domain($1_screen, `, $1_domain_file_type')
 base_file_read_access($1_screen_t)
 # The user role is authorized for this domain.
 role $1_r types $1_screen_t;
@@ -72,7 +72,7 @@
 # Create fifo
 allow $1_screen_t var_t:dir search;
 file_type_auto_trans($1_screen_t, var_run_t, screen_dir_t, dir)
-type $1_screen_var_run_t, file_type, sysadmfile, pidfile;
+type $1_screen_var_run_t, file_type, sysadmfile, pidfile, $1_domain_file_type;
 file_type_auto_trans($1_screen_t, screen_dir_t, $1_screen_var_run_t, fifo_file)
 
 allow $1_screen_t self:process { fork signal_perms };
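Review bot: same reachability problem as with print_spool_t: these fifos sit under /var/run/screen (var_run_t, then screen_dir_t), on which $1_restorecon_t gets no search permission, so the attribute on $1_screen_var_run_t is inert until the traversal rules exist. Also worth a comment that this deliberately lets the user relabel a pidfile-attributed type, which other relabel grants in the policy usually avoid.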
diff -urN orig/macros/program/spamassassin_macros.te mod/macros/program/spamassassin_macros.te
--- orig/macros/program/spamassassin_macros.te	2004-10-14 13:09:56.000000000 +0200
+++ mod/macros/program/spamassassin_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -80,7 +80,7 @@
 dontaudit $1_spamassassin_t { sysctl_t sysctl_kernel_t }:dir search;
 
 # The type of ~/.spamassassin
-type $1_home_spamassassin_t, file_type, homedirfile, sysadmfile;
+type $1_home_spamassassin_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
 create_dir_file($1_t, $1_home_spamassassin_t)
 allow $1_t $1_home_spamassassin_t:notdevfile_class_set { relabelfrom relabelto };
 allow $1_t $1_home_spamassassin_t:dir { relabelfrom relabelto };
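Review bot: the two rules just below already grant $1_t itself relabelfrom and relabelto on $1_home_spamassassin_t, so for this type the user domain can relabel directly and the new restorecon domain adds nothing. If the intent of restorecon_domain() is to take relabel permission out of $1_t, those two allow rules should be removed in the same change; if not, a comment should say why this type is special.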
diff -urN orig/macros/program/ssh_macros.te mod/macros/program/ssh_macros.te
--- orig/macros/program/ssh_macros.te	2004-10-17 13:07:15.000000000 +0200
+++ mod/macros/program/ssh_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -26,7 +26,7 @@
 ', `
 # Derived domain based on the calling user domain and the program.
 type $1_ssh_t, domain, privlog;
-type $1_home_ssh_t, file_type, homedirfile, sysadmfile;
+type $1_home_ssh_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
 
 ifdef(`automount.te', `
 allow $1_ssh_t autofs_t:dir { search getattr };
diff -urN orig/macros/program/tvtime_macros.te mod/macros/program/tvtime_macros.te
--- orig/macros/program/tvtime_macros.te	2004-10-05 20:52:36.000000000 +0200
+++ mod/macros/program/tvtime_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -19,7 +19,7 @@
 ifdef(`tvtime.te', `
 define(`tvtime_domain',`
 # Derived domain based on the calling user domain and the program.
-type $1_home_tvtime_t, file_type, homedirfile, sysadmfile;
+type $1_home_tvtime_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
 
 x_client_domain($1, tvtime)
 
diff -urN orig/macros/program/uml_macros.te mod/macros/program/uml_macros.te
--- orig/macros/program/uml_macros.te	2004-07-12 23:41:25.000000000 +0200
+++ mod/macros/program/uml_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -25,9 +25,9 @@
 ', `
 # Derived domain based on the calling user domain and the program.
 type $1_uml_t, domain;
-type $1_uml_exec_t, file_type, sysadmfile;
-type $1_uml_ro_t, file_type, sysadmfile;
-type $1_uml_rw_t, file_type, sysadmfile;
+type $1_uml_exec_t, file_type, sysadmfile, $1_domain_file_type;
+type $1_uml_ro_t, file_type, sysadmfile, $1_domain_file_type;
+type $1_uml_rw_t, file_type, sysadmfile, $1_domain_file_type;
 
 ifdef(`slocate.te', `
 allow $1_locate_t { $1_uml_exec_t $1_uml_ro_t $1_uml_rw_t }:dir { getattr search };
diff -urN orig/macros/program/vmware_macros.te mod/macros/program/vmware_macros.te
--- orig/macros/program/vmware_macros.te	2004-09-24 17:42:14.000000000 +0200
+++ mod/macros/program/vmware_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -23,10 +23,10 @@
 role $1_r types $1_vmware_t;
 
 # The user file type is for files created when the user is running VMWare
-type $1_vmware_file_t, homedirfile, file_type, sysadmfile;
+type $1_vmware_file_t, homedirfile, file_type, sysadmfile, $1_domain_file_type;
 
 # The user file type for the VMWare configuration files
-type $1_vmware_conf_t, homedirfile, file_type, sysadmfile;
+type $1_vmware_conf_t, homedirfile, file_type, sysadmfile, $1_domain_file_type;
 
 # for compatibility with older policy versions
 typealias $1_vmware_t alias vmware_$1_t;
diff -urN orig/macros/program/xauth_macros.te mod/macros/program/xauth_macros.te
--- orig/macros/program/xauth_macros.te	2004-06-19 10:31:44.000000000 +0200
+++ mod/macros/program/xauth_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -24,7 +24,7 @@
 ', `
 # Derived domain based on the calling user domain and the program.
 type $1_xauth_t, domain;
-type $1_home_xauth_t, file_type, homedirfile, sysadmfile;
+type $1_home_xauth_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
 
 ifdef(`slocate.te', `
 allow $1_locate_t $1_home_xauth_t:file { getattr read };
@@ -84,7 +84,7 @@
 allow $1_xauth_t home_root_t:dir search;
 file_type_auto_trans($1_xauth_t, $1_home_dir_t, $1_home_xauth_t, file)
 
-tmp_domain($1_xauth)
+tmp_domain($1_xauth, `, $1_domain_file_type')
 allow $1_xauth_t $1_tmp_t:file { getattr ioctl read };
 
 ifdef(`nfs_home_dirs', `
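Review bot: the tmp_domain() change tags xauth's temporary files with $1_domain_file_type, and those files carry the X authorization cookies xauth is writing out, so they are now reached by every rule written against the attribute (restorecon_domain(), and the locate rule once it is attribute-based); check that none of those consumers needs more than getattr on this type. Russell's tom.diff reverts exactly this line, which looks like the safer default for cookie-bearing temp files.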
diff -urN orig/macros/program/x_client_macros.te mod/macros/program/x_client_macros.te
--- orig/macros/program/x_client_macros.te	2004-09-11 14:31:47.000000000 +0200
+++ mod/macros/program/x_client_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -30,9 +30,9 @@
 ', `
 type $1_$2_t, domain $3;
 # Type for files that are writeable by this domain.
-type $1_$2_rw_t, file_type, homedirfile, sysadmfile, tmpfile;
+type $1_$2_rw_t, file_type, homedirfile, sysadmfile, tmpfile, $1_domain_file_type;
 # Type for files that are read-only for this domain
-type $1_$2_ro_t, file_type, homedirfile, sysadmfile;
+type $1_$2_ro_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
 ')
 
 # Transition from the user domain to the derived domain.
diff -urN orig/macros/user_macros.te mod/macros/user_macros.te
--- orig/macros/user_macros.te	2004-10-19 21:15:26.000000000 +0200
+++ mod/macros/user_macros.te	2004-10-25 23:26:44.000000000 +0200
@@ -23,16 +23,16 @@
 ')dnl end single_userdomain
 
 # Type for home directory.
-type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type;
-type $1_home_t, file_type, sysadmfile, home_type, user_home_type;
+type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type, $1_domain_file_type;
+type $1_home_t, file_type, sysadmfile, home_type, user_home_type, $1_domain_file_type;
 
-tmp_domain($1, `, user_tmpfile')
+tmp_domain($1, `, user_tmpfile, $1_domain_file_type')
 
 # Type and access for pty devices.
-can_create_pty($1, `, userpty_type, user_tty_type')
+can_create_pty($1, `, userpty_type, user_tty_type, $1_domain_file_type')
 
 #Type for tty devices.
-type $1_tty_device_t, file_type, sysadmfile, ttyfile, user_tty_type, dev_fs;
+type $1_tty_device_t, file_type, sysadmfile, ttyfile, user_tty_type, dev_fs, $1_domain_file_type;
  
 base_user_domain($1)
 
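Review bot: the can_create_pty() and $1_tty_device_t lines extend $1_domain_file_type to the user's pty and tty device nodes, which are chr_file objects under /dev rather than files the user created; if restorecon_domain() grants relabelfrom/relabelto on everything carrying this attribute, a user could relabel terminal devices. Either keep the device types out of the attribute or restrict the macro's relabel rules to the file, dir and lnk_file classes.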
@@ -61,6 +61,7 @@
 # user domains.
 ifdef(`apache.te', `apache_domain($1)')
 ifdef(`slocate.te', `locate_domain($1)')
+ifdef(`restorecon.te', `restorecon_domain($1)')
 
 allow $1_t krb5_conf_t:file { getattr read };
 # allow port_t name binding for UDP because it is not very usable otherwise
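Review bot: restorecon_domain() is invoked here but neither its definition nor restorecon.te is in the visible hunks, so the permissions it grants cannot be reviewed; for the stated goal (a user resetting labels on their own files) it should grant relabelfrom/relabelto only on $1_domain_file_type, never on file_type, because relabelto on arbitrary types from a user-reachable domain would sidestep the type transitions the rest of the policy relies on. The macro also has to be defined before user_macros.te is processed, otherwise m4 leaves `restorecon_domain(user)` in the output for checkpolicy to reject.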
@@ -135,6 +136,9 @@
 # user_t/$1_t is an unprivileged users domain.
 type $1_t, domain, userdomain, unpriv_userdomain, web_client_domain, nscd_client_domain, privfd;
 
+# define an attribute for all files created by this role
+attribute $1_domain_file_type;
+
 # Grant read/search permissions to some of /proc.
 allow $1_t proc_t:dir r_dir_perms;
 allow $1_t proc_t:{ file lnk_file } r_file_perms;
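Review bot: `attribute $1_domain_file_type;` is declared at line 136 of user_macros.te, while the types in the hunk at line 23 (inside user_domain) already list it; checkpolicy rejects a type declaration naming an attribute it has not yet seen ("attribute ... is not declared"), so this only builds if full_user_role declares the attribute before it expands user_domain($1). Declaring it at the top of the macro that is expanded first, as the admin_macros.te hunk in Russell's follow-up does, would make the ordering explicit rather than incidental.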


* Re: Adding alternate root patch to restorecon (setfiles?)
  2004-10-25 21:31     ` Thomas Bleher
@ 2004-10-26 14:36       ` Russell Coker
  2004-11-05 21:39         ` James Carter
  0 siblings, 1 reply; 64+ messages in thread
From: Russell Coker @ 2004-10-26 14:36 UTC (permalink / raw)
  To: Thomas Bleher; +Cc: SELinux


On Tue, 26 Oct 2004 07:31, Thomas Bleher <bleher@informatik.uni-muenchen.de> 
wrote:
> OK, what do you guys think about the following patch:
> It adds an attribute $1_domain_file_type, so all file types from derived
> user domains can be grouped together. It also adds a restorecon_domain()
> macro, so users can call restorecon to reset the labels on their files.

I've attached a patch named "tom.diff" which applies after your patch to tweak 
a few things.  The new attribute allows a better way of dealing with the 
locate policy so I changed it appropriately.  I added some use of 
sysadm_domain_file_type.  Some of the types you had given the attribute 
$1_domain_file_type seemed inappropriate; this includes the print spool type, 
some temporary files, and files under /var/run.

Whether we have the user_restorecon_t domain etc is something that needs more 
consideration.  The attached patch named "diff" has the user_domain_file_type 
stuff from your patch with my amendments but none of the restorecon changes.  
I think that "diff" is worthy of being included in CVS regardless of what we 
do with restorecon.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: tom.diff --]
[-- Type: text/x-diff, Size: 8609 bytes --]

diff -ru policy.tom/macros/program/apache_macros.te policy.new/macros/program/apache_macros.te
--- policy.tom/macros/program/apache_macros.te	2004-10-26 23:20:42.000000000 +1000
+++ policy.new/macros/program/apache_macros.te	2004-10-26 23:19:27.000000000 +1000
@@ -21,7 +21,7 @@
 ifelse($1, sys, `
 #This type is for webpages
 #
-type httpd_$1_content_t, file_type, homedirfile, sysadmfile;
+type httpd_$1_content_t, file_type, homedirfile, sysadmfile, sysadm_domain_file_type;
 typealias httpd_sys_content_t alias httpd_sysadm_content_t;
 
 # This type is used for .htaccess files
@@ -79,9 +79,9 @@
 # The following are the only areas that 
 # scripts can read, read/write, or append to
 #
-type httpd_$1_script_ro_t, file_type, sysadmfile;
-type httpd_$1_script_rw_t, file_type, sysadmfile;
-type httpd_$1_script_ra_t, file_type, sysadmfile;
+type httpd_$1_script_ro_t, file_type, sysadmfile, sysadm_domain_file_type;
+type httpd_$1_script_rw_t, file_type, sysadmfile, sysadm_domain_file_type;
+type httpd_$1_script_ra_t, file_type, sysadmfile, sysadm_domain_file_type;
 ', `
 type httpd_$1_script_ro_t, file_type, sysadmfile, $1_domain_file_type;
 type httpd_$1_script_rw_t, file_type, sysadmfile, $1_domain_file_type;
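Review bot: httpd_sys_script_rw_t and httpd_sys_script_ra_t are the types CGI scripts write to and append to, so giving them sysadm_domain_file_type places files whose content is controlled by httpd_sys_script_t under every rule meant for "files created by the sysadm role"; with the slocate change in this same patch that already includes sysadm_locate_t reading them. Consider limiting the attribute to httpd_$1_script_ro_t in the sys branch, or say why script-writable content should be grouped with sysadm's own files.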
@@ -89,13 +89,6 @@
 ')
 file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)
 
-ifdef(`slocate.te', `
-ifelse($1, `sys', `', `
-allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:dir { getattr search };
-allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:file { getattr read };
-')dnl end ifelse
-')dnl end slocate.te
-
 #########################################################
 # Permissions for running child processes and scripts
 ##########################################################
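Review bot: the removed block deliberately excluded $1 = sys from the locate rules (`ifelse($1, `sys', `', ...)`), but after this patch the sys content and script types carry sysadm_domain_file_type and the attribute-based rule in slocate_macros.te applies to them, so sysadm_locate_t gains getattr/read on system web content that the old explicit rule withheld. The commit message should state that this widening is intended.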
diff -ru policy.tom/macros/program/crond_macros.te policy.new/macros/program/crond_macros.te
--- policy.tom/macros/program/crond_macros.te	2004-10-26 23:20:42.000000000 +1000
+++ policy.new/macros/program/crond_macros.te	2004-10-27 00:18:59.000000000 +1000
@@ -36,7 +36,7 @@
 r_dir_file($1_crond_t, selinux_config_t)
 
 # Type of user crontabs once moved to cron spool.
-type $1_cron_spool_t, file_type, sysadmfile ifelse($1, `system', `', `, $1_domain_file_type');
+type $1_cron_spool_t, file_type, sysadmfile;
 
 ifdef(`fcron.te', `
 allow crond_t $1_cron_spool_t:file create_file_perms;
diff -ru policy.tom/macros/program/irc_macros.te policy.new/macros/program/irc_macros.te
--- policy.tom/macros/program/irc_macros.te	2004-10-26 23:20:42.000000000 +1000
+++ policy.new/macros/program/irc_macros.te	2004-10-26 23:46:34.000000000 +1000
@@ -27,11 +27,6 @@
 type $1_home_irc_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
 type $1_irc_exec_t, file_type, sysadmfile, $1_domain_file_type;
 
-ifdef(`slocate.te', `
-allow $1_locate_t { $1_home_irc_t $1_irc_exec_t }:dir { getattr search };
-allow $1_locate_t { $1_home_irc_t $1_irc_exec_t }:file { getattr read };
-')
-
 allow $1_t { $1_home_irc_t $1_irc_exec_t }:file { relabelfrom relabelto create_file_perms };
 
 # Transition from the user domain to this domain.
diff -ru policy.tom/macros/program/lpr_macros.te policy.new/macros/program/lpr_macros.te
--- policy.tom/macros/program/lpr_macros.te	2004-10-26 23:20:42.000000000 +1000
+++ policy.new/macros/program/lpr_macros.te	2004-10-26 23:21:33.000000000 +1000
@@ -54,11 +54,11 @@
 r_dir_file($1_lpr_t, printconf_t)
 ')
 
-tmp_domain($1_lpr, `, $1_domain_file_type')
+tmp_domain($1_lpr)
 r_dir_file($1_lpr_t, $1_tmp_t)
 
 # Type for spool files.
-type $1_print_spool_t, file_type, sysadmfile, $1_domain_file_type;
+type $1_print_spool_t, file_type, sysadmfile;
 # Use this type when creating files in /var/spool/lpd and /var/spool/cups.
 file_type_auto_trans($1_lpr_t, print_spool_t, $1_print_spool_t, file)
 allow $1_lpr_t var_spool_t:dir { search };
diff -ru policy.tom/macros/program/screen_macros.te policy.new/macros/program/screen_macros.te
--- policy.tom/macros/program/screen_macros.te	2004-10-26 23:20:42.000000000 +1000
+++ policy.new/macros/program/screen_macros.te	2004-10-26 23:22:33.000000000 +1000
@@ -31,7 +31,7 @@
 # Transition from the user domain to this domain.
 domain_auto_trans($1_t, screen_exec_t, $1_screen_t)
 
-tmp_domain($1_screen, `, $1_domain_file_type')
+tmp_domain($1_screen)
 base_file_read_access($1_screen_t)
 # The user role is authorized for this domain.
 role $1_r types $1_screen_t;
@@ -72,7 +72,7 @@
 # Create fifo
 allow $1_screen_t var_t:dir search;
 file_type_auto_trans($1_screen_t, var_run_t, screen_dir_t, dir)
-type $1_screen_var_run_t, file_type, sysadmfile, pidfile, $1_domain_file_type;
+type $1_screen_var_run_t, file_type, sysadmfile, pidfile;
 file_type_auto_trans($1_screen_t, screen_dir_t, $1_screen_var_run_t, fifo_file)
 
 allow $1_screen_t self:process { fork signal_perms };
diff -ru policy.tom/macros/program/slocate_macros.te policy.new/macros/program/slocate_macros.te
--- policy.tom/macros/program/slocate_macros.te	2004-09-03 14:10:35.000000000 +1000
+++ policy.new/macros/program/slocate_macros.te	2004-10-26 23:33:57.000000000 +1000
@@ -52,8 +52,8 @@
 allow $1_locate_t $1_tty_device_t:chr_file rw_file_perms;
 allow $1_locate_t $1_devpts_t:chr_file rw_file_perms;
 
-allow $1_locate_t { home_root_t $1_home_dir_t $1_home_t }:dir { getattr search };
-allow $1_locate_t $1_home_t:{ file lnk_file } { getattr read };
+allow $1_locate_t $1_domain_file_type:dir { getattr search };
+allow $1_locate_t $1_domain_file_type:{ file lnk_file sock_file fifo_file } { getattr read };
 
 base_file_read_access($1_locate_t)
 r_dir_file($1_locate_t, { etc_t lib_t var_t })
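Review bot: the replacement rule grants `read` on sock_file and fifo_file, which updatedb does not need (it only stats entries) and which would let $1_locate_t drain a user's fifo; `getattr` alone suffices for those two classes, with `read` kept for file and lnk_file. The removed line also covered home_root_t:dir { getattr search }, and home_root_t does not carry $1_domain_file_type, so confirm that base_file_read_access() still lets $1_locate_t search /home or re-add that rule.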
diff -ru policy.tom/macros/program/ssh_macros.te policy.new/macros/program/ssh_macros.te
--- policy.tom/macros/program/ssh_macros.te	2004-10-26 23:20:42.000000000 +1000
+++ policy.new/macros/program/ssh_macros.te	2004-10-26 23:46:14.000000000 +1000
@@ -115,11 +115,6 @@
 r_dir_file({ sshd_t sshd_extern_t }, $1_home_ssh_t)
 rw_dir_create_file($1_t, $1_home_ssh_t)
 
-ifdef(`slocate.te', `
-allow $1_locate_t $1_home_ssh_t:dir { getattr search };
-allow $1_locate_t $1_home_ssh_t:file { getattr read };
-')
-
 # for /bin/sh used to execute xauth
 dontaudit $1_ssh_t proc_t:dir search;
 dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read };
diff -ru policy.tom/macros/program/uml_macros.te policy.new/macros/program/uml_macros.te
--- policy.tom/macros/program/uml_macros.te	2004-10-26 23:20:42.000000000 +1000
+++ policy.new/macros/program/uml_macros.te	2004-10-26 23:46:42.000000000 +1000
@@ -29,11 +29,6 @@
 type $1_uml_ro_t, file_type, sysadmfile, $1_domain_file_type;
 type $1_uml_rw_t, file_type, sysadmfile, $1_domain_file_type;
 
-ifdef(`slocate.te', `
-allow $1_locate_t { $1_uml_exec_t $1_uml_ro_t $1_uml_rw_t }:dir { getattr search };
-allow $1_locate_t { $1_uml_exec_t $1_uml_ro_t $1_uml_rw_t }:file { getattr read };
-')
-
 can_ptrace($1_t, $1_uml_t)
 
 # for X
diff -ru policy.tom/macros/program/x_client_macros.te policy.new/macros/program/x_client_macros.te
--- policy.tom/macros/program/x_client_macros.te	2004-10-26 23:20:42.000000000 +1000
+++ policy.new/macros/program/x_client_macros.te	2004-10-26 23:46:20.000000000 +1000
@@ -81,11 +81,6 @@
 allow $1_t $1_$2_ro_t:fifo_file create_file_perms;
 allow $1_t $1_$2_ro_t:{ dir file lnk_file } { relabelto relabelfrom };
 
-ifdef(`slocate.te', `
-allow $1_locate_t { $1_$2_ro_t $1_$2_rw_t }:dir { getattr search };
-allow $1_locate_t { $1_$2_ro_t $1_$2_rw_t }:file { getattr read };
-')
-
 # Allow the user domain to send any signal to the $2 process.
 allow $1_t $1_$2_t:process signal_perms;
 
diff -ru policy.tom/macros/program/xauth_macros.te policy.new/macros/program/xauth_macros.te
--- policy.tom/macros/program/xauth_macros.te	2004-10-26 23:20:42.000000000 +1000
+++ policy.new/macros/program/xauth_macros.te	2004-10-26 23:46:26.000000000 +1000
@@ -26,10 +26,6 @@
 type $1_xauth_t, domain;
 type $1_home_xauth_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
 
-ifdef(`slocate.te', `
-allow $1_locate_t $1_home_xauth_t:file { getattr read };
-')
-
 allow $1_xauth_t self:process signal;
 
 allow $1_t $1_home_xauth_t:file { relabelfrom relabelto create_file_perms };
@@ -84,7 +80,7 @@
 allow $1_xauth_t home_root_t:dir search;
 file_type_auto_trans($1_xauth_t, $1_home_dir_t, $1_home_xauth_t, file)
 
-tmp_domain($1_xauth, `, $1_domain_file_type')
+tmp_domain($1_xauth)
 allow $1_xauth_t $1_tmp_t:file { getattr ioctl read };
 
 ifdef(`nfs_home_dirs', `

[-- Attachment #3: diff --]
[-- Type: text/x-diff, Size: 15166 bytes --]

diff -ru policy/macros/admin_macros.te policy.new/macros/admin_macros.te
--- policy/macros/admin_macros.te	2004-10-02 03:36:13.000000000 +1000
+++ policy.new/macros/admin_macros.te	2004-10-26 23:15:16.000000000 +1000
@@ -14,9 +14,12 @@
 #
 undefine(`admin_domain')
 define(`admin_domain',`
+# define an attribute for all files created by this role
+attribute $1_domain_file_type;
+
 # Type for home directory.
-type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type;
-type $1_home_t, file_type, sysadmfile, home_type;
+type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, $1_domain_file_type;
+type $1_home_t, file_type, sysadmfile, home_type, $1_domain_file_type;
 
 # Type and access for pty devices.
 can_create_pty($1)
diff -ru policy/macros/program/apache_macros.te policy.new/macros/program/apache_macros.te
--- policy/macros/program/apache_macros.te	2004-10-15 14:57:20.000000000 +1000
+++ policy.new/macros/program/apache_macros.te	2004-10-26 23:19:27.000000000 +1000
@@ -18,18 +18,23 @@
 file_type_auto_trans(httpd_$1_script_t, tmp_t, $1_tmp_t)
 ', `
 
+ifelse($1, sys, `
 #This type is for webpages
 #
-type httpd_$1_content_t, file_type, homedirfile, sysadmfile;
-ifelse($1, sys, `
+type httpd_$1_content_t, file_type, homedirfile, sysadmfile, sysadm_domain_file_type;
 typealias httpd_sys_content_t alias httpd_sysadm_content_t;
-')
 
 # This type is used for .htaccess files
 #
 type httpd_$1_htaccess_t, file_type, sysadmfile;
 
 type httpd_$1_script_exec_t, file_type, sysadmfile;
+', `
+# same as above, add $1_domain_file_type attribute
+type httpd_$1_content_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
+type httpd_$1_htaccess_t, file_type, sysadmfile, $1_domain_file_type;
+type httpd_$1_script_exec_t, file_type, sysadmfile, $1_domain_file_type;
+')
 
 # Type that CGI scripts run as
 type httpd_$1_script_t, domain, privmail;
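Review bot: in the sys branch only httpd_$1_content_t receives sysadm_domain_file_type, while httpd_$1_htaccess_t and httpd_$1_script_exec_t (the unchanged lines just below it) get nothing, whereas the non-sys branch tags all three with $1_domain_file_type; the comment `# same as above, add $1_domain_file_type attribute` therefore no longer describes a parallel set. Either tag all three in both branches or document why sys differs.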
@@ -69,20 +74,20 @@
 uncond_can_ypbind(httpd_$1_script_t)
 }
 ')
+
+ifelse($1, `sys', `
 # The following are the only areas that 
 # scripts can read, read/write, or append to
 #
-type httpd_$1_script_ro_t, file_type, sysadmfile;
-type httpd_$1_script_rw_t, file_type, sysadmfile;
+type httpd_$1_script_ro_t, file_type, sysadmfile, sysadm_domain_file_type;
+type httpd_$1_script_rw_t, file_type, sysadmfile, sysadm_domain_file_type;
+type httpd_$1_script_ra_t, file_type, sysadmfile, sysadm_domain_file_type;
+', `
+type httpd_$1_script_ro_t, file_type, sysadmfile, $1_domain_file_type;
+type httpd_$1_script_rw_t, file_type, sysadmfile, $1_domain_file_type;
+type httpd_$1_script_ra_t, file_type, sysadmfile, $1_domain_file_type;
+')
 file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)
-type httpd_$1_script_ra_t, file_type, sysadmfile;
-
-ifdef(`slocate.te', `
-ifelse($1, `sys', `', `
-allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:dir { getattr search };
-allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:file { getattr read };
-')dnl end ifelse
-')dnl end slocate.te
 
 #########################################################
 # Permissions for running child processes and scripts
diff -ru policy/macros/program/fingerd_macros.te policy.new/macros/program/fingerd_macros.te
--- policy/macros/program/fingerd_macros.te	2003-08-14 22:37:36.000000000 +1000
+++ policy.new/macros/program/fingerd_macros.te	2004-10-26 23:15:16.000000000 +1000
@@ -10,6 +10,6 @@
 # allow fingerd to create a fingerlog file in the user home dir
 #
 define(`fingerd_macro', `
-type $1_home_fingerlog_t, file_type, sysadmfile;
+type $1_home_fingerlog_t, file_type, sysadmfile, $1_domain_file_type;
 file_type_auto_trans(fingerd_t, $1_home_dir_t, $1_home_fingerlog_t)
 ')
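Review bot: $1_home_fingerlog_t is created by fingerd_t through the file_type_auto_trans on the following line, i.e. by a network-facing daemon writing into the user's home directory, not by the user's own domain; by the criterion in the cover mail (types that are not really the user's own files should stay out of the attribute) this is a borderline case, and including it makes the finger log reachable through every $1_domain_file_type rule. A sentence justifying it would help.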
diff -ru policy/macros/program/gpg_agent_macros.te policy.new/macros/program/gpg_agent_macros.te
--- policy/macros/program/gpg_agent_macros.te	2004-09-21 14:39:17.000000000 +1000
+++ policy.new/macros/program/gpg_agent_macros.te	2004-10-26 23:15:16.000000000 +1000
@@ -58,7 +58,7 @@
 allow $1_gpg_agent_t self:fifo_file { getattr read write };
 
 # create /tmp files
-tmp_domain($1_gpg_agent)
+tmp_domain($1_gpg_agent, `, $1_domain_file_type')
 
 # gpg connect
 allow $1_gpg_t $1_gpg_agent_tmp_t:dir { search };
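Review bot: tom.diff drops $1_domain_file_type from the lpr, screen and xauth tmp_domain() calls as "some temporary files", yet this hunk adds it to $1_gpg_agent's tmp type, whose directory holds the agent socket that $1_gpg_t connects to (the `gpg connect` rule below); with the attribute-based slocate rule granting sock_file read, that socket becomes readable by $1_locate_t. Treat it like the other tmp types or explain the exception.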
diff -ru policy/macros/program/gpg_macros.te policy.new/macros/program/gpg_macros.te
--- policy/macros/program/gpg_macros.te	2004-08-28 12:05:12.000000000 +1000
+++ policy.new/macros/program/gpg_macros.te	2004-10-26 23:15:16.000000000 +1000
@@ -25,7 +25,7 @@
 allow $1_t self:capability { setuid };
 ', `
 type $1_gpg_t, domain, privlog;
-type $1_gpg_secret_t, file_type, homedirfile, sysadmfile;
+type $1_gpg_secret_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
 ')dnl end ifdef single_userdomain
 
 # Transition from the user domain to the derived domain.
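Review bot: $1_gpg_secret_t is the user's secret keyring, and giving it the attribute means any rule written against $1_domain_file_type (the slocate change in this patch grants $1_locate_t getattr/read on it) now reaches secret key material that previously had no locate rule at all. Least privilege argues for leaving key-material types out of a broad grouping attribute, or at minimum restricting locate to getattr on them.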
diff -ru policy/macros/program/irc_macros.te policy.new/macros/program/irc_macros.te
--- policy/macros/program/irc_macros.te	2004-03-27 00:46:45.000000000 +1100
+++ policy.new/macros/program/irc_macros.te	2004-10-26 23:46:34.000000000 +1000
@@ -24,13 +24,8 @@
 ', `
 # Derived domain based on the calling user domain and the program.
 type $1_irc_t, domain;
-type $1_home_irc_t, file_type, homedirfile, sysadmfile;
-type $1_irc_exec_t, file_type, sysadmfile;
-
-ifdef(`slocate.te', `
-allow $1_locate_t { $1_home_irc_t $1_irc_exec_t }:dir { getattr search };
-allow $1_locate_t { $1_home_irc_t $1_irc_exec_t }:file { getattr read };
-')
+type $1_home_irc_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
+type $1_irc_exec_t, file_type, sysadmfile, $1_domain_file_type;
 
 allow $1_t { $1_home_irc_t $1_irc_exec_t }:file { relabelfrom relabelto create_file_perms };
 
diff -ru policy/macros/program/rssh_macros.te policy.new/macros/program/rssh_macros.te
--- policy/macros/program/rssh_macros.te	2004-09-23 22:31:25.000000000 +1000
+++ policy.new/macros/program/rssh_macros.te	2004-10-26 23:15:16.000000000 +1000
@@ -19,8 +19,8 @@
 role rssh_$1_r types rssh_$1_t;
 allow system_r rssh_$1_r;
 
-type rssh_$1_rw_t, file_type, sysadmfile;
-type rssh_$1_ro_t, file_type, sysadmfile;
+type rssh_$1_rw_t, file_type, sysadmfile, $1_domain_file_type;
+type rssh_$1_ro_t, file_type, sysadmfile, $1_domain_file_type;
 
 general_domain_access(rssh_$1_t);
 uses_shlib(rssh_$1_t);
diff -ru policy/macros/program/screen_macros.te policy.new/macros/program/screen_macros.te
--- policy/macros/program/screen_macros.te	2004-10-02 03:36:13.000000000 +1000
+++ policy.new/macros/program/screen_macros.te	2004-10-26 23:22:33.000000000 +1000
@@ -26,7 +26,7 @@
 typealias $1_home_t alias $1_home_screen_t;
 ', `
 type $1_screen_t, domain, privlog, privfd;
-type $1_home_screen_t, file_type, homedirfile, sysadmfile;
+type $1_home_screen_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
 
 # Transition from the user domain to this domain.
 domain_auto_trans($1_t, screen_exec_t, $1_screen_t)
diff -ru policy/macros/program/slocate_macros.te policy.new/macros/program/slocate_macros.te
--- policy/macros/program/slocate_macros.te	2004-09-03 14:10:35.000000000 +1000
+++ policy.new/macros/program/slocate_macros.te	2004-10-26 23:33:57.000000000 +1000
@@ -52,8 +52,8 @@
 allow $1_locate_t $1_tty_device_t:chr_file rw_file_perms;
 allow $1_locate_t $1_devpts_t:chr_file rw_file_perms;
 
-allow $1_locate_t { home_root_t $1_home_dir_t $1_home_t }:dir { getattr search };
-allow $1_locate_t $1_home_t:{ file lnk_file } { getattr read };
+allow $1_locate_t $1_domain_file_type:dir { getattr search };
+allow $1_locate_t $1_domain_file_type:{ file lnk_file sock_file fifo_file } { getattr read };
 
 base_file_read_access($1_locate_t)
 r_dir_file($1_locate_t, { etc_t lib_t var_t })
diff -ru policy/macros/program/spamassassin_macros.te policy.new/macros/program/spamassassin_macros.te
--- policy/macros/program/spamassassin_macros.te	2004-10-14 10:10:03.000000000 +1000
+++ policy.new/macros/program/spamassassin_macros.te	2004-10-26 23:15:16.000000000 +1000
@@ -80,7 +80,7 @@
 dontaudit $1_spamassassin_t { sysctl_t sysctl_kernel_t }:dir search;
 
 # The type of ~/.spamassassin
-type $1_home_spamassassin_t, file_type, homedirfile, sysadmfile;
+type $1_home_spamassassin_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
 create_dir_file($1_t, $1_home_spamassassin_t)
 allow $1_t $1_home_spamassassin_t:notdevfile_class_set { relabelfrom relabelto };
 allow $1_t $1_home_spamassassin_t:dir { relabelfrom relabelto };
diff -ru policy/macros/program/ssh_macros.te policy.new/macros/program/ssh_macros.te
--- policy/macros/program/ssh_macros.te	2004-10-15 14:57:20.000000000 +1000
+++ policy.new/macros/program/ssh_macros.te	2004-10-26 23:46:14.000000000 +1000
@@ -26,7 +26,7 @@
 ', `
 # Derived domain based on the calling user domain and the program.
 type $1_ssh_t, domain, privlog;
-type $1_home_ssh_t, file_type, homedirfile, sysadmfile;
+type $1_home_ssh_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
 
 ifdef(`automount.te', `
 allow $1_ssh_t autofs_t:dir { search getattr };
@@ -115,11 +115,6 @@
 r_dir_file({ sshd_t sshd_extern_t }, $1_home_ssh_t)
 rw_dir_create_file($1_t, $1_home_ssh_t)
 
-ifdef(`slocate.te', `
-allow $1_locate_t $1_home_ssh_t:dir { getattr search };
-allow $1_locate_t $1_home_ssh_t:file { getattr read };
-')
-
 # for /bin/sh used to execute xauth
 dontaudit $1_ssh_t proc_t:dir search;
 dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read };
diff -ru policy/macros/program/tvtime_macros.te policy.new/macros/program/tvtime_macros.te
--- policy/macros/program/tvtime_macros.te	2004-10-06 04:52:36.000000000 +1000
+++ policy.new/macros/program/tvtime_macros.te	2004-10-26 23:15:16.000000000 +1000
@@ -19,7 +19,7 @@
 ifdef(`tvtime.te', `
 define(`tvtime_domain',`
 # Derived domain based on the calling user domain and the program.
-type $1_home_tvtime_t, file_type, homedirfile, sysadmfile;
+type $1_home_tvtime_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
 
 x_client_domain($1, tvtime)
 
diff -ru policy/macros/program/uml_macros.te policy.new/macros/program/uml_macros.te
--- policy/macros/program/uml_macros.te	2004-07-13 09:08:07.000000000 +1000
+++ policy.new/macros/program/uml_macros.te	2004-10-26 23:46:42.000000000 +1000
@@ -25,14 +25,9 @@
 ', `
 # Derived domain based on the calling user domain and the program.
 type $1_uml_t, domain;
-type $1_uml_exec_t, file_type, sysadmfile;
-type $1_uml_ro_t, file_type, sysadmfile;
-type $1_uml_rw_t, file_type, sysadmfile;
-
-ifdef(`slocate.te', `
-allow $1_locate_t { $1_uml_exec_t $1_uml_ro_t $1_uml_rw_t }:dir { getattr search };
-allow $1_locate_t { $1_uml_exec_t $1_uml_ro_t $1_uml_rw_t }:file { getattr read };
-')
+type $1_uml_exec_t, file_type, sysadmfile, $1_domain_file_type;
+type $1_uml_ro_t, file_type, sysadmfile, $1_domain_file_type;
+type $1_uml_rw_t, file_type, sysadmfile, $1_domain_file_type;
 
 can_ptrace($1_t, $1_uml_t)
 
diff -ru policy/macros/program/vmware_macros.te policy.new/macros/program/vmware_macros.te
--- policy/macros/program/vmware_macros.te	2004-09-25 01:42:14.000000000 +1000
+++ policy.new/macros/program/vmware_macros.te	2004-10-26 23:15:16.000000000 +1000
@@ -23,10 +23,10 @@
 role $1_r types $1_vmware_t;
 
 # The user file type is for files created when the user is running VMWare
-type $1_vmware_file_t, homedirfile, file_type, sysadmfile;
+type $1_vmware_file_t, homedirfile, file_type, sysadmfile, $1_domain_file_type;
 
 # The user file type for the VMWare configuration files
-type $1_vmware_conf_t, homedirfile, file_type, sysadmfile;
+type $1_vmware_conf_t, homedirfile, file_type, sysadmfile, $1_domain_file_type;
 
 # for compatibility with older policy versions
 typealias $1_vmware_t alias vmware_$1_t;
diff -ru policy/macros/program/x_client_macros.te policy.new/macros/program/x_client_macros.te
--- policy/macros/program/x_client_macros.te	2004-09-11 16:21:48.000000000 +1000
+++ policy.new/macros/program/x_client_macros.te	2004-10-26 23:46:20.000000000 +1000
@@ -30,9 +30,9 @@
 ', `
 type $1_$2_t, domain $3;
 # Type for files that are writeable by this domain.
-type $1_$2_rw_t, file_type, homedirfile, sysadmfile, tmpfile;
+type $1_$2_rw_t, file_type, homedirfile, sysadmfile, tmpfile, $1_domain_file_type;
 # Type for files that are read-only for this domain
-type $1_$2_ro_t, file_type, homedirfile, sysadmfile;
+type $1_$2_ro_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
 ')
 
 # Transition from the user domain to the derived domain.
@@ -81,11 +81,6 @@
 allow $1_t $1_$2_ro_t:fifo_file create_file_perms;
 allow $1_t $1_$2_ro_t:{ dir file lnk_file } { relabelto relabelfrom };
 
-ifdef(`slocate.te', `
-allow $1_locate_t { $1_$2_ro_t $1_$2_rw_t }:dir { getattr search };
-allow $1_locate_t { $1_$2_ro_t $1_$2_rw_t }:file { getattr read };
-')
-
 # Allow the user domain to send any signal to the $2 process.
 allow $1_t $1_$2_t:process signal_perms;
 
diff -ru policy/macros/program/xauth_macros.te policy.new/macros/program/xauth_macros.te
--- policy/macros/program/xauth_macros.te	2004-06-17 15:10:45.000000000 +1000
+++ policy.new/macros/program/xauth_macros.te	2004-10-26 23:46:26.000000000 +1000
@@ -24,11 +24,7 @@
 ', `
 # Derived domain based on the calling user domain and the program.
 type $1_xauth_t, domain;
-type $1_home_xauth_t, file_type, homedirfile, sysadmfile;
-
-ifdef(`slocate.te', `
-allow $1_locate_t $1_home_xauth_t:file { getattr read };
-')
+type $1_home_xauth_t, file_type, homedirfile, sysadmfile, $1_domain_file_type;
 
 allow $1_xauth_t self:process signal;
 
diff -ru policy/macros/user_macros.te policy.new/macros/user_macros.te
--- policy/macros/user_macros.te	2004-10-20 09:31:18.000000000 +1000
+++ policy.new/macros/user_macros.te	2004-10-27 00:20:47.000000000 +1000
@@ -23,16 +23,16 @@
 ')dnl end single_userdomain
 
 # Type for home directory.
-type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type;
-type $1_home_t, file_type, sysadmfile, home_type, user_home_type;
+type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type, $1_domain_file_type;
+type $1_home_t, file_type, sysadmfile, home_type, user_home_type, $1_domain_file_type;
 
-tmp_domain($1, `, user_tmpfile')
+tmp_domain($1, `, user_tmpfile, $1_domain_file_type')
 
 # Type and access for pty devices.
-can_create_pty($1, `, userpty_type, user_tty_type')
+can_create_pty($1, `, userpty_type, user_tty_type, $1_domain_file_type')
 
 #Type for tty devices.
-type $1_tty_device_t, file_type, sysadmfile, ttyfile, user_tty_type, dev_fs;
+type $1_tty_device_t, file_type, sysadmfile, ttyfile, user_tty_type, dev_fs, $1_domain_file_type;
  
 base_user_domain($1)
 
@@ -135,6 +135,9 @@
 # user_t/$1_t is an unprivileged users domain.
 type $1_t, domain, userdomain, unpriv_userdomain, web_client_domain, nscd_client_domain, privfd;
 
+# define an attribute for all files created by this role
+attribute $1_domain_file_type;
+
 # Grant read/search permissions to some of /proc.
 allow $1_t proc_t:dir r_dir_perms;
 allow $1_t proc_t:{ file lnk_file } r_file_perms;


* Re: Adding alternate root patch to restorecon (setfiles?)
  2004-10-26 14:36       ` Russell Coker
@ 2004-11-05 21:39         ` James Carter
  2004-11-06  5:23           ` Remaining changes from my patch excluding can_network changes Daniel J Walsh
                             ` (3 more replies)
  0 siblings, 4 replies; 64+ messages in thread
From: James Carter @ 2004-11-05 21:39 UTC (permalink / raw)
  To: Russell Coker; +Cc: Thomas Bleher, SELinux

I haven't forgotten about this patch.  I will probably be working on
merging it Monday, without the restorecon stuff at first.

The $1_domain_file_type attribute is an interesting idea, although the
name is rather long.

This patch came just before I merged Dan's patch that added a
httpdcontent attribute, so some changes will be needed to this patch.
   
On Tue, 2004-10-26 at 10:36, Russell Coker wrote:
> On Tue, 26 Oct 2004 07:31, Thomas Bleher <bleher@informatik.uni-muenchen.de> 
> wrote:
> > OK, what do you guys think about the following patch:
> > It adds an attribute $1_domain_file_type, so all file types from derived
> > user domains can be grouped together. It also adds a restorecon_domain()
> > macro, so users can call restorecon to reset the labels on their files.
> 
> I've attached a patch named "tom.diff" which applies after your patch to tweak 
> a few things.  The new attribute allows a better way of dealing with the 
> locate policy so I changed it appropriately.  I added some use of 
> sysadm_domain_file_type.  Some of the types you had given the attribute 
> $1_domain_file_type seemed inappropriate, this includes the print spool type, 
> some temporary files, and files under /var/run.
> 
> Whether we have the user_restorecon_t domain etc is something that needs more 
> consideration.  The attached patch named "diff" has the user_domain_file_type 
> stuff from your patch with my amendments but none of the restorecon changes.  
> I think that "diff" is worthy of being included in CVS regardless of what we 
> do with restorecon.
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency



* Remaining changes from my patch excluding can_network changes.
  2004-11-05 21:39         ` James Carter
@ 2004-11-06  5:23           ` Daniel J Walsh
  2004-11-08 17:33             ` Small patch to allow pam_console handle /dev/pmu Daniel J Walsh
  2004-11-08 21:21             ` Remaining changes from my patch excluding can_network changes James Carter
  2004-11-06  5:33           ` can_network patch Daniel J Walsh
                             ` (2 subsequent siblings)
  3 siblings, 2 replies; 64+ messages in thread
From: Daniel J Walsh @ 2004-11-06  5:23 UTC (permalink / raw)
  To: jwcart2; +Cc: Russell Coker, Thomas Bleher, SELinux

[-- Attachment #1: Type: text/plain, Size: 103 bytes --]

Most of these are small bug fix changes.  Some are quite critical like the
removable_t associate one.


[-- Attachment #2: policy-small.patch --]
[-- Type: text/x-patch, Size: 20971 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/init.te policy-1.18.2/domains/program/init.te
--- nsapolicy/domains/program/init.te	2004-10-14 23:25:17.000000000 -0400
+++ policy-1.18.2/domains/program/init.te	2004-11-06 00:09:29.695365943 -0500
@@ -14,7 +14,7 @@
 # by init during initialization.  This pipe is used
 # to communicate with init.
 #
-type init_t, domain, privlog, mlstrustedreader, mlstrustedwriter, sysctl_kernel_writer;
+type init_t, domain, privlog, mlstrustedreader, mlstrustedwriter, sysctl_kernel_writer, nscd_client_domain;
 role system_r types init_t;
 uses_shlib(init_t);
 type init_exec_t, file_type, sysadmfile, exec_type;
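Review bot: init_t gains nscd_client_domain with no comment saying which step of init needs name-service lookups, and the cover text does not mention it; add a one-line comment above the type declaration, as the file does for the init fifo, and check that this is still wanted given that the tunable.tun hunk in this same patch deletes the nscd_all_connect tunable.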
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/acct.te policy-1.18.2/domains/program/unused/acct.te
--- nsapolicy/domains/program/unused/acct.te	2004-10-19 16:03:05.000000000 -0400
+++ policy-1.18.2/domains/program/unused/acct.te	2004-11-06 00:09:29.695365943 -0500
@@ -63,6 +63,8 @@
 
 ifdef(`logrotate.te', `
 domain_auto_trans(logrotate_t, acct_exec_t, acct_t)
+allow logrotate_t acct_data_t:dir { search };
 allow logrotate_t acct_data_t:file { create_file_perms };
+can_exec(logrotate_t, acct_data_t)
 ')
 
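Review bot: can_exec(logrotate_t, acct_data_t) lets logrotate execute files of the accounting data type, the same type logrotate_t may create through create_file_perms on the line above, so a writable data directory becomes an execute path for this domain. If the intent is only to run the accounting program, that is acct_exec_t and is already covered by the domain_auto_trans at the top of the hunk; otherwise add a comment naming what under acct_data_t actually gets executed.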
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.18.2/domains/program/unused/apmd.te
--- nsapolicy/domains/program/unused/apmd.te	2004-09-09 16:22:12.000000000 -0400
+++ policy-1.18.2/domains/program/unused/apmd.te	2004-11-06 00:09:29.696365838 -0500
@@ -9,7 +9,7 @@
 #
 # Rules for the apmd_t domain.
 #
-daemon_domain(apmd, `, privmodule')
+daemon_domain(apmd, `, privmodule, nscd_client_domain')
 
 # for SSP
 allow apmd_t urandom_device_t:chr_file read;
@@ -123,3 +123,4 @@
 # for a find /dev operation that gets /dev/shm
 dontaudit apmd_t tmpfs_t:dir r_dir_perms;
 dontaudit apmd_t selinux_config_t:dir search;
+allow apmd_t user_tty_type:chr_file rw_file_perms;
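Review bot: `allow apmd_t user_tty_type:chr_file rw_file_perms;` lets the daemon read from every user terminal, not only write to it; if the purpose is to print a power event message on the user's tty, `{ getattr write }` is enough. Add a comment saying which apmd script triggers the access so the rule is not kept at rw_file_perms by default.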
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cardmgr.te policy-1.18.2/domains/program/unused/cardmgr.te
--- nsapolicy/domains/program/unused/cardmgr.te	2004-09-27 20:48:35.000000000 -0400
+++ policy-1.18.2/domains/program/unused/cardmgr.te	2004-11-06 00:09:29.696365838 -0500
@@ -82,3 +82,7 @@
 dontaudit insmod_t cardmgr_dev_t:chr_file { read write };
 dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write };
 ')
+ifdef(`hald.te', `
+rw_dir_file(hald_t, cardmgr_var_run_t)
+allow hald_t cardmgr_var_run_t:chr_file create_file_perms;
+')
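Review bot: hald_t is given create_file_perms on chr_file under cardmgr_var_run_t, i.e. it may create device nodes there, but nothing in this patch gives hald_t the mknod capability (compare the kudzu.te hunk below, which adds mknod alongside its chr_file transition); either the create bit is unnecessary or hald.te needs the capability as well. A comment on why hald writes into cardmgr's run directory would help the next reader.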
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/consoletype.te policy-1.18.2/domains/program/unused/consoletype.te
--- nsapolicy/domains/program/unused/consoletype.te	2004-10-14 23:25:18.000000000 -0400
+++ policy-1.18.2/domains/program/unused/consoletype.te	2004-11-06 00:09:29.697365732 -0500
@@ -59,3 +59,5 @@
 ')
 dontaudit consoletype_t proc_t:file { read };
 dontaudit consoletype_t root_t:file { read };
+allow consoletype_t crond_t:fifo_file { read };
+allow consoletype_t fs_t:filesystem { getattr };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cpuspeed.te policy-1.18.2/domains/program/unused/cpuspeed.te
--- nsapolicy/domains/program/unused/cpuspeed.te	2004-03-17 13:26:05.000000000 -0500
+++ policy-1.18.2/domains/program/unused/cpuspeed.te	2004-11-06 00:09:29.697365732 -0500
@@ -8,3 +8,5 @@
 allow cpuspeed_t sysfs_t:file rw_file_perms;
 allow cpuspeed_t proc_t:dir r_dir_perms;
 allow cpuspeed_t proc_t:file { getattr read };
+allow cpuspeed_t etc_runtime_t:file { getattr read };
+allow cpuspeed_t etc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbskkd.te policy-1.18.2/domains/program/unused/dbskkd.te
--- nsapolicy/domains/program/unused/dbskkd.te	2004-10-06 09:18:32.000000000 -0400
+++ policy-1.18.2/domains/program/unused/dbskkd.te	2004-11-06 00:09:29.698365627 -0500
@@ -9,5 +9,6 @@
 #
 # dbskkd_exec_t is the type of the dbskkd executable.
 #
+# Depends: inetd.te
 
 inetd_child_domain(dbskkd)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ktalkd.te policy-1.18.2/domains/program/unused/ktalkd.te
--- nsapolicy/domains/program/unused/ktalkd.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.18.2/domains/program/unused/ktalkd.te	2004-11-06 00:09:29.699365522 -0500
@@ -2,6 +2,7 @@
 #
 # Author:  Dan Walsh <dwalsh@redhat.com>
 #
+# Depends: inetd.te
 
 #################################
 #
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.18.2/domains/program/unused/kudzu.te
--- nsapolicy/domains/program/unused/kudzu.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.18.2/domains/program/unused/kudzu.te	2004-11-06 00:09:29.700365417 -0500
@@ -13,7 +13,7 @@
 allow kudzu_t ramfs_t:dir search;
 allow kudzu_t ramfs_t:sock_file write;
 allow kudzu_t etc_t:file { getattr read };
-allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config };
+allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
 allow kudzu_t modules_conf_t:file { getattr read };
 allow kudzu_t modules_object_t:dir r_dir_perms;
 allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read };
@@ -80,7 +80,8 @@
 allow kudzu_t sysfs_t:lnk_file read;
 file_type_auto_trans(kudzu_t, etc_t, etc_runtime_t, file)
 allow kudzu_t tape_device_t:chr_file r_file_perms;
-allow kudzu_t tmp_t:dir { search };
+tmp_domain(kudzu)
+file_type_auto_trans(kudzu_t, tmp_t, kudzu_tmp_t, chr_file)
 
 # for file systems that are not yet mounted
 dontaudit kudzu_t file_t:dir search;
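Review bot: the chr_file transition into kudzu_tmp_t, together with the mknod capability added in the previous hunk, lets kudzu_t create device nodes under /tmp; add a comment naming the hardware probe that needs a temporary device node, as the file does for the file_t case just below, so the rule is not widened later without anyone knowing why it exists.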
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mdadm.te policy-1.18.2/domains/program/unused/mdadm.te
--- nsapolicy/domains/program/unused/mdadm.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.18.2/domains/program/unused/mdadm.te	2004-11-06 00:09:29.700365417 -0500
@@ -40,4 +40,4 @@
 dontaudit mdadm_t tmpfs_t:dir r_dir_perms;
 dontaudit mdadm_t initctl_t:fifo_file { getattr };
 var_run_domain(mdadm)
-allow mdadm_t var_t:dir { getattr };
+allow mdadm_t var_t:dir { getattr search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/portmap.te policy-1.18.2/domains/program/unused/portmap.te
--- nsapolicy/domains/program/unused/portmap.te	2004-10-09 21:06:14.000000000 -0400
+++ policy-1.18.2/domains/program/unused/portmap.te	2004-11-06 00:10:58.306027721 -0500
@@ -23,6 +23,7 @@
 tmp_domain(portmap)
 
 allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind;
+dontaudit portmap_t reserved_port_type:tcp_socket name_bind;
 
 # portmap binds to arbitary ports
 allow portmap_t port_t:{ udp_socket tcp_socket } name_bind;
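Review bot: the new dontaudit silences name_bind on reserved_port_type for tcp_socket only, while both allow rules around it cover { udp_socket tcp_socket }; if portmap probes reserved ports over UDP as well those denials will still be logged, so either add udp_socket or comment why only TCP is affected. Since the dontaudit hides every such attempt, also state in a comment which reserved ports portmap is known to try.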
@@ -51,4 +52,5 @@
 
 # Use capabilities
 allow portmap_t self:capability { net_bind_service setuid setgid };
+allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rsync.te policy-1.18.2/domains/program/unused/rsync.te
--- nsapolicy/domains/program/unused/rsync.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.18.2/domains/program/unused/rsync.te	2004-11-06 00:09:29.703365101 -0500
@@ -2,6 +2,7 @@
 #
 # Author:  Dan Walsh <dwalsh@redhat.com>
 #
+# Depends: inetd.te
 
 #################################
 #
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slocate.te policy-1.18.2/domains/program/unused/slocate.te
--- nsapolicy/domains/program/unused/slocate.te	2004-10-14 23:25:18.000000000 -0400
+++ policy-1.18.2/domains/program/unused/slocate.te	2004-11-06 00:11:31.375539016 -0500
@@ -2,6 +2,7 @@
 #
 # Author:  Dan Walsh <dwalsh@redhat.com>
 #
+# Depends: inetd.te
 
 #################################
 #
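Review bot: the `# Depends: inetd.te` comment appears to be copied from the inetd services (dbskkd.te, ktalkd.te and rsync.te receive the same line in this patch), but nothing visible in slocate.te uses inetd_child_domain or any inetd type, and the domain is locate_t aliased to sysadm_t below; unless locate really depends on inetd.te, drop the comment so it does not mislead anyone pruning unused domains.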
@@ -70,3 +71,6 @@
 typealias sysadm_t alias sysadm_locate_t;
 
 allow locate_t userdomain:fd { use };
+ifdef(`cardmgr.te', `
+allow locate_t cardmgr_var_run_t:chr_file getattr;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.18.2/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te	2004-11-05 23:24:16.000000000 -0500
+++ policy-1.18.2/domains/program/unused/udev.te	2004-11-06 00:09:29.766358467 -0500
@@ -81,6 +81,7 @@
 ifdef(`xdm.te', `
 allow udev_t xdm_var_run_t:file { getattr read };
 ')
+dontaudit udev_t staff_home_dir_t:dir { search };
 
 ifdef(`hotplug.te', `
 r_dir_file(udev_t, hotplug_etc_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypserv.te policy-1.18.2/domains/program/unused/ypserv.te
--- nsapolicy/domains/program/unused/ypserv.te	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.18.2/domains/program/unused/ypserv.te	2004-11-06 00:09:29.724362890 -0500
@@ -40,3 +40,4 @@
 allow rpcd_t ypserv_conf_t:file { getattr read };
 ')
 allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } { name_bind };
+dontaudit ypserv_t reserved_port_type:{ tcp_socket udp_socket } { name_bind };
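Review bot: the dontaudit on reserved_port_type name_bind sits directly under an allow of name_bind on reserved_port_t; if reserved_port_t itself carries the reserved_port_type attribute the dontaudit is partly redundant, and for every other reserved port it hides the only evidence that ypserv is trying to bind somewhere the policy does not permit. Prefer to record which ports ypserv asks for and either allow them by type or leave the denial visible.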
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/useradd.te policy-1.18.2/domains/program/useradd.te
--- nsapolicy/domains/program/useradd.te	2004-11-05 23:24:16.000000000 -0500
+++ policy-1.18.2/domains/program/useradd.te	2004-11-06 00:09:29.724362890 -0500
@@ -25,7 +25,7 @@
 domain_auto_trans(initrc_t, $1_exec_t, $1_t)
 
 # Use capabilities.
-allow $1_t self:capability { dac_override chown };
+allow $1_t self:capability { dac_override chown kill };
 
 # Allow access to context for shadow file
 can_getsecurity($1_t)
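Review bot: the kill capability is added to the useradd/groupadd macro domain ($1_t) with no comment and no matching process:signal rule in this hunk; CAP_KILL lets the domain signal processes of any uid, so say which tool needs it and for what, and check that signal permissions toward the intended target domains exist, otherwise the capability is dead weight that a later reader will not dare to remove.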
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/innd.fc policy-1.18.2/file_contexts/program/innd.fc
--- nsapolicy/file_contexts/program/innd.fc	2004-10-19 16:03:07.000000000 -0400
+++ policy-1.18.2/file_contexts/program/innd.fc	2004-11-06 00:09:29.740361205 -0500
@@ -27,7 +27,6 @@
 /usr/lib(64)?/news/bin/grephistory	--	system_u:object_r:innd_exec_t
 /usr/lib(64)?/news/bin/inews	--	system_u:object_r:innd_exec_t
 /usr/lib(64)?/news/bin/innconfval	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/innd	--	system_u:object_r:innd_exec_t
 /usr/lib(64)?/news/bin/inndf	--	system_u:object_r:innd_exec_t
 /usr/lib(64)?/news/bin/inndstart	--	system_u:object_r:innd_exec_t
 /usr/lib(64)?/news/bin/innfeed	--	system_u:object_r:innd_exec_t
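Review bot: the entry for /usr/lib(64)?/news/bin/innd is removed and nothing in this hunk replaces it, so unless another spec labels the innd binary innd_exec_t it falls back to the generic label for that tree and starting the daemon will no longer transition into innd_t; if the binary moved, add the new path, and if the removal is deliberate say why in the commit text.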
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mailman.fc policy-1.18.2/file_contexts/program/mailman.fc
--- nsapolicy/file_contexts/program/mailman.fc	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.18.2/file_contexts/program/mailman.fc	2004-11-06 00:09:29.741361100 -0500
@@ -1,25 +1,24 @@
 # mailman list server
+/var/lib/mailman(/.*)?		   system_u:object_r:mailman_data_t
 /var/log/mailman(/.*)?		   system_u:object_r:mailman_log_t
 /usr/lib/mailman/cron/.*	-- system_u:object_r:mailman_queue_exec_t
 /usr/lib/mailman/bin/mailmanctl -- system_u:object_r:mailman_mail_exec_t
+/var/run/mailman(/.*)?		   system_u:object_r:mailman_lock_t
+/var/lib/mailman/archives(/.*)?	system_u:object_r:mailman_archive_t
 
 ifdef(`distro_debian', `
 /usr/lib/cgi-bin/mailman/.* -- system_u:object_r:mailman_cgi_exec_t
 /usr/lib/mailman/mail/wrapper -- system_u:object_r:mailman_mail_exec_t
 /usr/mailman/mail/wrapper 	-- system_u:object_r:mailman_mail_exec_t
-/var/lib/mailman(/.*)?	   system_u:object_r:mailman_data_t
-/var/lib/mailman/archives(/.*)?	system_u:object_r:mailman_archive_t
 /etc/cron\.daily/mailman 	-- system_u:object_r:mailman_queue_exec_t
 /etc/cron\.monthly/mailman 	-- system_u:object_r:mailman_queue_exec_t
 ')
 
 ifdef(`distro_redhat', `
-/usr/lib/mailman/cgi-bin/.*	-- system_u:object_r:mailman_cgi_exec_t
-/var/mailman(/.*)?		   system_u:object_r:mailman_data_t
-/var/mailman/locks(/.*)?	   system_u:object_r:mailman_lock_t
-/var/mailman/archives(/.*)?	   system_u:object_r:mailman_archive_t
+/usr/lib/mailman/cgi-bin/.*	 -- system_u:object_r:mailman_cgi_exec_t
+/var/lock/mailman(/.*)?		    system_u:object_r:mailman_lock_t
 /usr/lib/mailman/scripts/mailman -- system_u:object_r:mailman_mail_exec_t
-/usr/lib/mailman/bin/qrunner  	-- system_u:object_r:mailman_queue_exec_t
-/var/mailman/lists(/.*)?	system_u:object_r:mailman_data_t
-/var/mailman/logs(/.*)?		   system_u:object_r:mailman_log_t
+/usr/lib/mailman/bin/qrunner  	 -- system_u:object_r:mailman_queue_exec_t
+/etc/mailman(/.*)?		   system_u:object_r:mailman_data_t
+/var/spool/mailman(/.*)?	   system_u:object_r:mailman_data_t
 ')
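Review bot: the distro_redhat block loses every /var/mailman entry (data, locks, archives, lists, logs) in favour of /var/lib/mailman, /var/spool/mailman, /etc/mailman and /var/lock/mailman, but the cover text says nothing about a path change; confirm that the Red Hat package really installs into these paths, and note that a system upgraded from the old layout keeps an unlabelled /var/mailman. Also, /var/run/mailman and /var/lock/mailman both become mailman_lock_t; if /var/run/mailman holds the pid file rather than locks, a comment should say why the lock type is used there.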
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ntpd.fc policy-1.18.2/file_contexts/program/ntpd.fc
--- nsapolicy/file_contexts/program/ntpd.fc	2004-10-09 21:06:15.000000000 -0400
+++ policy-1.18.2/file_contexts/program/ntpd.fc	2004-11-06 00:09:29.741361100 -0500
@@ -3,7 +3,7 @@
 /etc/ntp(d)?\.conf		--	system_u:object_r:net_conf_t
 /etc/ntp/step-tickers		--	system_u:object_r:net_conf_t
 /usr/sbin/ntpd			--	system_u:object_r:ntpd_exec_t
-/usr/sbin/ntpdate		--	system_u:object_r:ntpd_exec_t
+/usr/sbin/ntpdate		--	system_u:object_r:ntpdate_exec_t
 /var/log/ntpstats(/.*)?			system_u:object_r:ntpd_log_t
 /var/log/ntpd.*			--	system_u:object_r:ntpd_log_t
 /var/log/xntpd.*		--	system_u:object_r:ntpd_log_t
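Review bot: /usr/sbin/ntpdate is relabelled ntpdate_exec_t, but this patch contains no ntpd.te change declaring that type or a transition for it; without the type declaration the file_contexts build fails, and without a domain_auto_trans ntpdate simply runs in the caller's domain. Include the ntpd.te side in the same patch.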
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/vpnc.fc policy-1.18.2/file_contexts/program/vpnc.fc
--- nsapolicy/file_contexts/program/vpnc.fc	2004-10-05 10:43:34.000000000 -0400
+++ policy-1.18.2/file_contexts/program/vpnc.fc	2004-11-06 00:09:29.742360994 -0500
@@ -1,2 +1,3 @@
 # vpnc
 /usr/sbin/vpnc		--	system_u:object_r:vpnc_exec_t
+/sbin/vpnc		--	system_u:object_r:vpnc_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.18.2/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc	2004-10-27 14:32:49.000000000 -0400
+++ policy-1.18.2/file_contexts/types.fc	2004-11-06 00:09:29.743360889 -0500
@@ -339,7 +339,8 @@
 /usr/inclu.e(/.*)?		system_u:object_r:usr_t
 /usr/libexec(/.*)?		system_u:object_r:bin_t
 /usr/src(/.*)?			system_u:object_r:src_t
-/usr/tmp(/.*)?			system_u:object_r:tmp_t
+/usr/tmp		-d	system_u:object_r:tmp_t
+/usr/tmp/.*			<<none>>
 /usr/man(/.*)?			system_u:object_r:man_t
 /usr/share/man(/.*)?		system_u:object_r:man_t
 /usr/share/mc/extfs/.*	--	system_u:object_r:bin_t
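Review bot: `<<none>>` for /usr/tmp/.* means setfiles and restorecon leave whatever label files there already have, and the parent entry is restricted with `-d` to a directory; if /usr/tmp is a symlink to /var/tmp on the target systems (the usual reason to stop labelling under it) the `-d` entry never matches and the link itself gets no explicit context. Add a `-l` entry or a comment explaining the intended layout.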
diff --exclude-from=exclude -N -u -r nsapolicy/macros/admin_macros.te policy-1.18.2/macros/admin_macros.te
--- nsapolicy/macros/admin_macros.te	2004-10-01 15:05:32.000000000 -0400
+++ policy-1.18.2/macros/admin_macros.te	2004-11-06 00:09:29.743360889 -0500
@@ -195,4 +195,5 @@
 
 # for lsof
 allow $1_t domain:socket_class_set getattr;
+allow $1_t eventpollfs_t:file getattr;
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.18.2/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2004-11-05 23:24:17.000000000 -0500
+++ policy-1.18.2/macros/base_user_macros.te	2004-11-06 00:09:29.744360784 -0500
@@ -46,9 +46,12 @@
 allow $1_t root_dir_type:dir { getattr };
 
 # open office is looking for the following
+allow $1_t dri_device_t:chr_file getattr;
 dontaudit $1_t dri_device_t:chr_file rw_file_perms;
-# Do not flood message log, if the user does ls /dev 
+# Do not flood message log, if the user does ls -lR /
 dontaudit $1_t dev_fs:dir_file_class_set getattr;
+dontaudit $1_t sysadmfile:file getattr;
+dontaudit $1_t sysadmfile:dir read;
 
 # allow ptrace
 can_ptrace($1_t, $1_t)
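Review bot: `dontaudit $1_t sysadmfile:file getattr;` and `dontaudit $1_t sysadmfile:dir read;` apply to every user domain and silence exactly the denials an administrator uses to find mislabelled files; the comment says the motive is keeping `ls -lR /` quiet, which is a convenience rather than a requirement. Consider putting these two lines behind a tunable so they can be switched off while developing policy, and give the new dri_device_t getattr allow its own comment rather than sharing the "open office" line with the dontaudit below it.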
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mount_macros.te policy-1.18.2/macros/program/mount_macros.te
--- nsapolicy/macros/program/mount_macros.te	2004-10-19 16:03:08.000000000 -0400
+++ policy-1.18.2/macros/program/mount_macros.te	2004-11-06 00:09:29.745360678 -0500
@@ -67,9 +67,11 @@
 ifdef(`gnome-pty-helper.te', `allow $2_t $1_gph_t:fd use;')
 
 ifdef(`distro_redhat',`
+ifdef(`pamconsole.te',`
 r_dir_file($2_t,pam_var_console_t)
 # mount config by default sets fscontext=removable_t
 allow $2_t dosfs_t:filesystem { relabelfrom };
+') dnl end pamconsole.te
 ') dnl end distro_redhat
 ') dnl end mount_domain
 
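Review bot: `allow $2_t dosfs_t:filesystem { relabelfrom };` ends up inside the new ifdef(`pamconsole.te') guard, but its own comment ties it to the mount configuration defaulting fscontext=removable_t, not to pam_console; on a Red Hat build without pamconsole.te the relabelfrom rule silently disappears. Close the pamconsole.te ifdef after the r_dir_file line and leave the dosfs_t rule under distro_redhat only.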
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/newrole_macros.te policy-1.18.2/macros/program/newrole_macros.te
--- nsapolicy/macros/program/newrole_macros.te	2004-11-01 11:04:37.000000000 -0500
+++ policy-1.18.2/macros/program/newrole_macros.te	2004-11-06 00:09:29.766358467 -0500
@@ -10,7 +10,7 @@
 # $1_t is the domain for the program.
 # $1_exec_t is the type of the executable.
 #
-type $1_t, domain, privrole, privowner, privlog, auth_chkpwd, privfd $2;
+type $1_t, domain, privrole, privowner, privlog, auth_chkpwd, nscd_client_domain, privfd $2;
 in_user_role($1_t)
 role sysadm_r types $1_t;
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/sudo_macros.te policy-1.18.2/macros/program/sudo_macros.te
--- nsapolicy/macros/program/sudo_macros.te	2004-11-01 11:04:37.000000000 -0500
+++ policy-1.18.2/macros/program/sudo_macros.te	2004-11-06 00:09:29.745360678 -0500
@@ -31,4 +31,5 @@
 rw_dir_create_file($1_sudo_t, $1_tmp_t)
 rw_dir_create_file($1_sudo_t, $1_home_t)
 domain_auto_trans($1_t, sudo_exec_t, $1_sudo_t)
+r_dir_file($1_sudo_t, selinux_config_t)
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/tvtime_macros.te policy-1.18.2/macros/program/tvtime_macros.te
--- nsapolicy/macros/program/tvtime_macros.te	2004-10-05 14:52:36.000000000 -0400
+++ policy-1.18.2/macros/program/tvtime_macros.te	2004-11-06 00:09:29.746360573 -0500
@@ -33,7 +33,9 @@
 allow $1_tvtime_t self:capability { setuid sys_nice sys_resource };
 allow $1_tvtime_t self:process { setsched };
 allow $1_tvtime_t usr_t:file { getattr read };
+ifdef(`xdm.te', `
 allow $1_tvtime_t xdm_tmp_t:dir { search };
+')
 
 ')dnl end tvtime_domain
 
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.18.2/net_contexts
--- nsapolicy/net_contexts	2004-10-19 16:03:01.000000000 -0400
+++ policy-1.18.2/net_contexts	2004-11-06 00:12:13.252118368 -0500
@@ -93,7 +93,12 @@
 ifdef(`comsat.te', `
 portcon udp 512 system_u:object_r:comsat_port_t
 ')
-ifdef(`slapd.te', `portcon tcp 389 system_u:object_r:ldap_port_t')
+ifdef(`slapd.te', `
+portcon tcp 389 system_u:object_r:ldap_port_t
+portcon udp 389 system_u:object_r:ldap_port_t
+portcon tcp 636 system_u:object_r:ldap_port_t
+portcon udp 636 system_u:object_r:ldap_port_t
+')
 ifdef(`rlogind.te', `portcon tcp 513 system_u:object_r:rlogin_port_t')
 ifdef(`rshd.te', `portcon tcp 514 system_u:object_r:rsh_port_t')
 ifdef(`lpd.te', `portcon tcp 515 system_u:object_r:printer_port_t')
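Review bot: the four ldap portcon lines are still inside ifdef(`slapd.te'), so on a host that is only an LDAP client (no slapd.te compiled) ports 389 and 636 stay port_t and any client rules written against ldap_port_t do nothing there; either declare the ports unconditionally, as port 2000 is declared for mail_port_t later in this file, or document that client-side policy requires slapd.te in the build.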
@@ -110,9 +115,12 @@
 ')
 ifdef(`kerberos.te', `
 portcon tcp 88 system_u:object_r:kerberos_port_t
+portcon udp 88 system_u:object_r:kerberos_port_t
 portcon tcp 749 system_u:object_r:kerberos_admin_port_t
 portcon tcp 750 system_u:object_r:kerberos_port_t
+portcon udp 750 system_u:object_r:kerberos_port_t
 portcon tcp 4444 system_u:object_r:kerberos_master_port_t
+portcon udp 4444 system_u:object_r:kerberos_master_port_t
 ')
 ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t')
 ifdef(`rsync.te', `
@@ -143,12 +151,12 @@
 ')
 ifdef(`asterisk.te', `
 portcon tcp 1720 system_u:object_r:asterisk_port_t
-portcon tcp 2000 system_u:object_r:asterisk_port_t
 portcon udp 2427 system_u:object_r:asterisk_port_t
 portcon udp 2727 system_u:object_r:asterisk_port_t
 portcon udp 4569 system_u:object_r:asterisk_port_t
 portcon udp 5060 system_u:object_r:asterisk_port_t
 ')
+portcon tcp 2000 system_u:object_r:mail_port_t
 ifdef(`zebra.te', `portcon tcp 2601 system_u:object_r:zebra_port_t')
 ifdef(`dictd.te', `portcon tcp 2628 system_u:object_r:dict_port_t')
 ifdef(`mysqld.te', `portcon tcp 3306 system_u:object_r:mysqld_port_t')
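Review bot: tcp 2000 is moved out of asterisk_port_t and relabelled mail_port_t unconditionally; asterisk_t loses the ability to bind that port if it was using it, and the hunk gives no hint which mail service listens on 2000 (the only consumer visible on this page is the `allow cyrus_t mail_port_t:tcp_socket { name_bind };` line in the companion can_network patch). Add a comment naming the service, and say in the commit text why the asterisk entry is dropped rather than kept.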
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.18.2/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-10-27 14:32:49.000000000 -0400
+++ policy-1.18.2/tunables/tunable.tun	2004-11-06 00:12:58.735313440 -0500
@@ -1,9 +1,3 @@
-# Allow all domains to connect to nscd
-dnl define(`nscd_all_connect')
-
-# Allow users to control network interfaces (also needs USERCTL=true)
-dnl define(`user_net_control')
-
 # Allow users to execute the mount command
 dnl define(`user_can_mount')
 
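Review bot: the nscd_all_connect and user_net_control tunables are deleted from tunable.tun, but no hunk in this patch touches policy that tests those names with ifdef; if such tests remain, the features become impossible to enable rather than removed, and the commit text does not say that this is intended. Either remove the consumers in the same patch or explain why the tunables are no longer needed.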
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.18.2/types/file.te
--- nsapolicy/types/file.te	2004-11-05 23:24:17.000000000 -0500
+++ policy-1.18.2/types/file.te	2004-11-06 00:09:29.750360152 -0500
@@ -301,3 +301,4 @@
 # removable_t is the default type of all removable media
 type removable_t, file_type, sysadmfile, usercanread;
 allow removable_t self:filesystem associate;
+allow file_type removable_t:filesystem associate;
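Review bot: `allow file_type removable_t:filesystem associate;` lets a file of any type in the policy live on a removable_t filesystem (the default fscontext for mounted media according to the mount_macros.te comment), which is the change the cover text calls critical; put that reason in a comment above the rule, because next to the narrower self associate line it reads like an accident, and note that it makes removable media a carrier for files of every label, exec types included.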
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.18.2/types/network.te
--- nsapolicy/types/network.te	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.18.2/types/network.te	2004-11-06 00:09:29.750360152 -0500
@@ -59,6 +59,11 @@
 #
 
 #
+# mail_port_t is for generic mail ports shared by different mail servers
+#
+type mail_port_t, port_type;
+
+#
 # port_t is the default type of INET port numbers.
 # The *_port_t types are used for specific port
 # numbers in net_contexts or net_contexts.mls.

* can_network patch
  2004-11-05 21:39         ` James Carter
  2004-11-06  5:23           ` Remaining changes from my patch excluding can_network changes Daniel J Walsh
@ 2004-11-06  5:33           ` Daniel J Walsh
  2004-11-09 21:34             ` James Carter
  2004-11-06 10:40           ` Adding alternate root patch to restorecon (setfiles?) Thomas Bleher
  2004-11-10 23:11           ` Patches without the can_network patch Daniel J Walsh
  3 siblings, 1 reply; 64+ messages in thread
From: Daniel J Walsh @ 2004-11-06  5:33 UTC (permalink / raw)
  To: jwcart2; +Cc: Russell Coker, Thomas Bleher, SELinux

[-- Attachment #1: Type: text/plain, Size: 793 bytes --]

This is the patch that eliminates connect from can_network.

The patch basically does a couple of things

can_network now calls
can_tcp_network
can_udp_network

All three functions take up to two parameters.  The first is the domain 
and the second is the ports that the domain can send and receive messages 
from.  If the ports are not provided then it defaults to port_type.

I have also added can_kerberos, can_resolve, and can_ldap.
All three plus can_ypbind were added to auth_chkpwd
can_kerberos(auth_chkpwd)
can_ldap(auth_chkpwd)
can_resolve(auth_chkpwd)
can_ypbind(auth_chkpwd)

So any domain that gets the auth_chkpwd attribute no longer needs these 
defined in its "te" file.

I have begun tightening up the ability to network on other daemons 
also.  These need further testing.

Dan


[-- Attachment #2: policy-network.patch --]
[-- Type: text/x-patch, Size: 57478 bytes --]

diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/crond.te policy-1.18.2.old/domains/program/crond.te
--- policy-1.18.2/domains/program/crond.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/crond.te	2004-11-05 23:57:55.322852943 -0500
@@ -23,7 +23,6 @@
 
 # Type for temporary files.
 tmp_domain(crond)
-can_ypbind(crond_t)
 
 crond_domain(system)
 
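Review bot: can_ypbind(crond_t) is dropped on the strength of the cover text that auth_chkpwd now carries can_ypbind, but nothing in this hunk shows that crond_t has that attribute; confirm it, or crond loses NIS lookups. Separately, the file headers run from policy-1.18.2 to policy-1.18.2.old, so the `+` lines are the new policy in a tree named .old; double-check the diff direction before committing.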
@@ -114,6 +113,8 @@
 # Use capabilities.
 allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid };
 
+allow crond_t urandom_device_t:chr_file { getattr read };
+
 # Read the system crontabs.
 allow system_crond_t system_cron_spool_t:file r_file_perms;
 
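Review bot: `allow crond_t urandom_device_t:chr_file { getattr read };` is a crond_t rule inserted between the system_crond_t capability rule and the system crontab rules, and it has nothing to do with the can_network rework; move it next to the other crond_t rules (or into the policy-small patch) with a comment on what crond reads randomness for.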
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/initrc.te policy-1.18.2.old/domains/program/initrc.te
--- policy-1.18.2/domains/program/initrc.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/initrc.te	2004-11-05 23:57:55.323852830 -0500
@@ -303,8 +303,8 @@
 ')
 
 # for lsof in shutdown scripts
-allow initrc_t krb5_conf_t:file read;
-dontaudit initrc_t krb5_conf_t:file write;
+can_kerberos(initrc_t)
+
 #
 # Wants to remove udev.tbl
 #
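Review bot: the comment `# for lsof in shutdown scripts` now sits above can_kerberos(initrc_t), which it no longer describes; the two removed rules only let initrc read krb5_conf_t, whereas can_kerberos, grouped in the cover text with can_ldap and can_resolve, presumably also grants network access to the Kerberos ports. If lsof only needs to read the config, keep the two file rules instead of widening initrc_t.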
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/login.te policy-1.18.2.old/domains/program/login.te
--- policy-1.18.2/domains/program/login.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/login.te	2004-11-05 23:57:55.324852717 -0500
@@ -117,8 +117,6 @@
 allow $1_login_t mail_spool_t:file getattr;
 allow $1_login_t mail_spool_t:lnk_file read;
 
-dontaudit $1_login_t krb5_conf_t:file { write };
-allow $1_login_t krb5_conf_t:file { getattr read };
 # Get security policy decisions.
 can_getsecurity($1_login_t)
 
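Review bot: the krb5_conf_t read and dontaudit-write rules for $1_login_t are removed with nothing replacing them in this hunk, and the same applies to can_ypbind in the next hunk; both removals rely on $1_login_t carrying auth_chkpwd so that the new can_kerberos/can_ypbind calls on that attribute apply, which this file does not show. Add a comment pointing at auth_chkpwd so the next reader does not re-add the rules.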
@@ -127,8 +125,6 @@
 allow $1_login_t default_context_t:dir { search };
 r_dir_file($1_login_t, selinux_config_t)
 
-can_ypbind($1_login_t)
-
 allow $1_login_t mouse_device_t:chr_file { getattr setattr };
 dontaudit $1_login_t init_t:fd { use };
 ')dnl end login_domain macro
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/ssh.te policy-1.18.2.old/domains/program/ssh.te
--- policy-1.18.2/domains/program/ssh.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/ssh.te	2004-11-05 23:57:55.325852605 -0500
@@ -69,17 +69,17 @@
 allow $1_t urandom_device_t:chr_file { getattr read };
 
 can_network($1_t)
+allow $1_t self:{ udp_socket tcp_socket } connect;
 
-allow $1_t self:capability { sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
+allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
 allow $1_t { home_root_t home_dir_type }:dir { search getattr };
-can_ypbind($1_t)
 if (use_nfs_home_dirs) {
 ifdef(`automount.te', `
 allow $1_t autofs_t:dir { search getattr };
 ')
 allow $1_t nfs_t:dir { search getattr };
 allow $1_t nfs_t:file { getattr read };
-}
+} dnl end if use_nfs_home_dirs
 
 # Set exec context.
 can_setexec($1_t)
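Review bot: the kill capability added to the sshd domain's capability set is unrelated to the can_network change and is not mentioned in the cover text; either explain which sshd operation needs to signal processes of other uids or move it to the policy-small patch. The added `allow $1_t self:{ udp_socket tcp_socket } connect;` keeps sshd's outbound access at the can_network default of port_type, so nothing is actually tightened for this domain yet.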
@@ -213,8 +213,6 @@
 ifdef(`automount.te', `
 allow sshd_t autofs_t:dir { search };
 ')
-dontaudit sshd_t krb5_conf_t:file { write };
-allow sshd_t krb5_conf_t:file { getattr read };
 
 # ssh_keygen_t is the type of the ssh-keygen program when run at install time
 # and by sysadm_t
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/syslogd.te policy-1.18.2.old/domains/program/syslogd.te
--- policy-1.18.2/domains/program/syslogd.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/syslogd.te	2004-11-05 23:57:55.326852492 -0500
@@ -19,9 +19,13 @@
 daemon_domain(syslogd, `, privmem')
 ')
 
+# Allow name_bind for remote logging
+type syslogd_port_t, port_type, reserved_port_type;
 # can_network is for the UDP socket
-can_network(syslogd_t)
+can_udp_network(syslogd_t, `syslogd_port_t')
 can_ypbind(syslogd_t)
+allow syslogd_t syslogd_port_t:udp_socket name_bind;
+allow syslogd_t self:udp_socket connect;
 
 r_dir_file(syslogd_t, sysfs_t)
 
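Review bot: after the move, `# Allow name_bind for remote logging` sits above the type declaration and `# can_network is for the UDP socket` above can_udp_network, so both comments now head lines other than the ones they describe; reorder them so the name_bind comment precedes the name_bind rule. Also confirm that restricting send and receive to syslogd_port_t still covers forwarding to a remote collector, which only holds if the remote syslog port carries the same type.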
@@ -87,13 +92,10 @@
 # Allow syslog to a terminal
 allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };
 
-# Allow name_bind for remote logging
-type syslogd_port_t, port_type, reserved_port_type;
-allow syslogd_t syslogd_port_t:udp_socket name_bind;
 #
 # /initrd is not umounted before minilog starts
 #
 dontaudit syslogd_t file_t:dir search;
 allow syslogd_t { tmpfs_t devpts_t }:dir { search };
 dontaudit syslogd_t unlabeled_t:file read;
-dontaudit syslogd_t devpts_t:chr_file getattr;
+dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/anaconda.te policy-1.18.2.old/domains/program/unused/anaconda.te
--- policy-1.18.2/domains/program/unused/anaconda.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/anaconda.te	2004-11-05 23:57:55.327852379 -0500
@@ -242,8 +242,7 @@
 ifdef(`udev.te', `
 domain_auto_trans(anaconda_t, udev_exec_t, udev_t)
 ')
-allow anaconda_t krb5_conf_t:file read;
-dontaudit anaconda_t krb5_conf_t:file write;
+can_kerberos(anaconda_t)
 
 ifdef(`ssh-agent.te', `
 role system_r types sysadm_ssh_agent_t;
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/apache.te policy-1.18.2.old/domains/program/unused/apache.te
--- policy-1.18.2/domains/program/unused/apache.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/apache.te	2004-11-05 23:57:55.328852266 -0500
@@ -136,6 +136,7 @@
 
 can_network(httpd_t)
 can_ypbind(httpd_t)
+allow httpd_t self:{ tcp_socket udp_socket } connect;
 
 ###################
 # Allow httpd to search users diretories
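Review bot: httpd_t keeps can_network(httpd_t) with the default port_type and now gains connect on both socket classes, so the web server can still initiate connections to any port on any host; the cover text says tightening has begun for other daemons, and httpd is the obvious candidate to pass an explicit port list to can_tcp_network rather than leaving the default.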
@@ -269,8 +270,7 @@
 ##################################################
 dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
 
-allow httpd_t krb5_conf_t:file { getattr read };
-dontaudit httpd_t krb5_conf_t:file { write };
+can_kerberos(httpd_t)
 
 ifdef(`targeted_policy', `
 typealias httpd_sys_content_t alias httpd_user_content_t;
@@ -298,5 +298,6 @@
 # Customer reported the following
 #
 ifdef(`snmpd.te', `
+dontaudit httpd_t snmpd_var_lib_t:dir { search };
 dontaudit httpd_t snmpd_var_lib_t:file { getattr write read };
 ')
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/canna.te policy-1.18.2.old/domains/program/unused/canna.te
--- policy-1.18.2/domains/program/unused/canna.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/canna.te	2004-11-05 23:57:55.329852154 -0500
@@ -28,8 +28,9 @@
 
 rw_dir_create_file(canna_t, canna_var_lib_t)
 
-can_network(canna_t)
+can_tcp_network(canna_t)
 can_ypbind(canna_t)
+allow canna_t self:tcp_socket connect;
 
 allow userdomain canna_var_run_t:dir search;
 allow userdomain canna_var_run_t:sock_file write;
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/courier.te policy-1.18.2.old/domains/program/unused/courier.te
--- policy-1.18.2/domains/program/unused/courier.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/courier.te	2004-11-05 23:57:55.330852041 -0500
@@ -47,7 +47,6 @@
 
 # Use the network.
 can_network(courier_$1_t)
-can_ypbind(courier_$1_t)
 allow courier_$1_t self:fifo_file { read write getattr };
 allow courier_$1_t self:unix_stream_socket create_stream_socket_perms;
 allow courier_$1_t self:unix_dgram_socket create_socket_perms;
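Review bot: courier_$1_t loses can_ypbind but, unlike every other daemon in this patch that keeps can_network (apache, cups, cyrus, dovecot), it is not given `allow courier_$1_t self:{ tcp_socket udp_socket } connect;`; since can_network no longer grants connect, outbound connections from the courier domains will be denied unless the connect rule is added here as well.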
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/cups.te policy-1.18.2.old/domains/program/unused/cups.te
--- policy-1.18.2/domains/program/unused/cups.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/cups.te	2004-11-05 23:57:55.331851928 -0500
@@ -19,7 +19,8 @@
 typealias cupsd_rw_etc_t alias etc_cupsd_rw_t;
 
 can_network(cupsd_t)
-can_ypbind(cupsd_t)
+allow cupsd_t self:{ tcp_socket udp_socket } connect;
+
 logdir_domain(cupsd)
 
 tmp_domain(cupsd)
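Review bot: can_ypbind(cupsd_t) is removed while the neighbouring daemons (cyrus, dovecot, dhcpc) keep theirs, and nothing in the hunk shows that cupsd_t has auth_chkpwd to inherit can_ypbind from; if cups resolves users or hosts through NIS this breaks printing, so either keep the call or add a comment stating where the permission now comes from.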
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/cyrus.te policy-1.18.2.old/domains/program/unused/cyrus.te
--- policy-1.18.2/domains/program/unused/cyrus.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/cyrus.te	2004-11-05 23:57:55.332851816 -0500
@@ -20,6 +20,7 @@
 
 can_network(cyrus_t)
 can_ypbind(cyrus_t)
+allow cyrus_t self:{ tcp_socket udp_socket } connect;
 can_exec(cyrus_t, bin_t)
 allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
 allow cyrus_t cyrus_var_lib_t:{file sock_file } create_file_perms;
@@ -45,3 +46,4 @@
 allow system_crond_t cyrus_var_lib_t:file create_file_perms;
 allow system_crond_su_t cyrus_var_lib_t:dir { search };
 ')
+allow cyrus_t mail_port_t:tcp_socket { name_bind };
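Review bot: `allow cyrus_t mail_port_t:tcp_socket { name_bind };` is appended after the crond.te ifdef block at the end of the file instead of next to can_network(cyrus_t) and the other socket rules; move it up and add a comment saying which Cyrus service listens on the port labelled mail_port_t (tcp 2000 in the net_contexts hunk of the companion patch).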
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/dhcpc.te policy-1.18.2.old/domains/program/unused/dhcpc.te
--- policy-1.18.2/domains/program/unused/dhcpc.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/dhcpc.te	2004-11-05 23:57:55.333851703 -0500
@@ -22,8 +22,9 @@
 # for SSP
 allow dhcpc_t urandom_device_t:chr_file read;
 
-can_network(dhcpc_t)
+can_udp_network(dhcpc_t, `dhcpc_port_t')
 can_ypbind(dhcpc_t)
+allow dhcpc_t self:tcp_socket connect;
 allow dhcpc_t self:unix_dgram_socket create_socket_perms;
 allow dhcpc_t self:unix_stream_socket create_socket_perms;
 allow dhcpc_t self:fifo_file rw_file_perms;
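Review bot: can_network(dhcpc_t) is replaced by can_udp_network(dhcpc_t, `dhcpc_port_t'), which through base_can_network grants self:udp_socket only, yet the hunk then adds allow dhcpc_t self:tcp_socket connect;. Without any create permission on tcp_socket that connect rule can never be exercised; either drop it or add a can_tcp_network call as dhcpd.te does. can_udp_network itself is not defined anywhere in this part of the patch, so its definition must land in the same series.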
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/dhcpd.te policy-1.18.2.old/domains/program/unused/dhcpd.te
--- policy-1.18.2/domains/program/unused/dhcpd.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/dhcpd.te	2004-11-05 23:57:55.334851590 -0500
@@ -29,8 +29,10 @@
 typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
 
 # Use the network.
-can_network(dhcpd_t)
+can_udp_network(dhcpd_t, `dhcpd_port_t')
+can_tcp_network(dhcpd_t, `dns_port_t')
 can_ypbind(dhcpd_t)
+allow dhcpd_t self:tcp_socket connect;
 allow dhcpd_t self:unix_dgram_socket create_socket_perms;
 allow dhcpd_t self:unix_stream_socket create_socket_perms;
 
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/dovecot.te policy-1.18.2.old/domains/program/unused/dovecot.te
--- policy-1.18.2/domains/program/unused/dovecot.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/dovecot.te	2004-11-05 23:57:55.334851590 -0500
@@ -15,6 +15,8 @@
 allow dovecot_t self:process { setrlimit };
 can_network(dovecot_t)
 can_ypbind(dovecot_t)
+allow dovecot_t self:tcp_socket connect;
+
 allow dovecot_t self:unix_dgram_socket create_socket_perms;
 allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
 can_unix_connect(dovecot_t, self)
@@ -31,8 +33,7 @@
 allow dovecot_t { self proc_t }:file { getattr read };
 allow dovecot_t self:fifo_file rw_file_perms;
 
-dontaudit dovecot_t krb5_conf_t:file { write };
-allow dovecot_t krb5_conf_t:file { getattr read };
+can_kerberos(dovecot_t)
 
 daemon_sub_domain(dovecot_t, dovecot_auth, `, auth')
 allow dovecot_auth_t self:process { fork signal_perms };
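Review bot: can_kerberos(dovecot_t) (also used for firstboot_t and rshd_t below) is not defined anywhere in this patch; make sure the macro lands in the same series and that it covers both rules it replaces here, the allow on krb5_conf_t:file { getattr read } and the dontaudit of the write.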
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/firstboot.te policy-1.18.2.old/domains/program/unused/firstboot.te
--- policy-1.18.2/domains/program/unused/firstboot.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/firstboot.te	2004-11-05 23:57:55.335851478 -0500
@@ -55,8 +55,7 @@
 # Allow write to utmp file
 allow firstboot_t initrc_var_run_t:file { write };
 
-allow firstboot_t krb5_conf_t:file { getattr read };
-allow firstboot_t net_conf_t:file { getattr read };
+can_kerberos(firstboot_t)
 
 ifdef(`samba.te', `
 rw_dir_file(firstboot_t, samba_etc_t)
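Review bot: this hunk deletes allow firstboot_t net_conf_t:file { getattr read }; together with the krb5_conf_t rule but only adds can_kerberos(firstboot_t); unless can_kerberos (not shown) also grants net_conf_t, or firstboot_t already gets it through can_network, firstboot loses read access to /etc/resolv.conf. Either keep the net_conf_t line or note where the access now comes from.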
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/ftpd.te policy-1.18.2.old/domains/program/unused/ftpd.te
--- policy-1.18.2/domains/program/unused/ftpd.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/ftpd.te	2004-11-05 23:57:55.335851478 -0500
@@ -16,7 +16,7 @@
 typealias ftpd_etc_t alias etc_ftpd_t;
 
 can_network(ftpd_t)
-can_ypbind(ftpd_t)
+allow ftpd_t self:udp_socket connect;
 allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
 allow ftpd_t self:unix_stream_socket create_socket_perms;
 allow ftpd_t self:process { getcap setcap setsched setrlimit };
@@ -32,11 +32,13 @@
 
 ifdef(`crond.te', `
 system_crond_entry(ftpd_exec_t, ftpd_t)
+allow system_crond_t xferlog_t:file r_file_perms;
 can_exec(ftpd_t, { sbin_t shell_exec_t })
 allow ftpd_t usr_t:file { getattr read };
 ')
 
 allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
+allow ftpd_t port_t:tcp_socket { name_bind };
 
 # Allow ftpd to run directly without inetd.
 bool ftpd_is_daemon false;
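Review bot: allow ftpd_t port_t:tcp_socket { name_bind }; lets ftpd bind any port carrying the generic port_t label, a far wider grant than the ftp_data_port_t rule just above it. If this is for passive-mode data connections, say so in a comment and consider gating it on the ftpd_is_daemon boolean declared right below, or giving those ports a dedicated type.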
@@ -85,9 +87,7 @@
 allow ftpd_t proc_t:file { getattr read };
 
 dontaudit ftpd_t sysadm_home_dir_t:dir getattr;
-dontaudit ftpd_t krb5_conf_t:file { write };
 dontaudit ftpd_t selinux_config_t:dir search;
-allow ftpd_t krb5_conf_t:file { getattr read };
 ifdef(`automount.te', `
 allow ftpd_t autofs_t:dir { search };
 ')
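Review bot: both krb5_conf_t rules for ftpd_t are deleted with no can_kerberos(ftpd_t) replacement, unlike dovecot_t, firstboot_t and rshd_t in this same patch; if ftpd still reads /etc/krb5.conf (GSSAPI-enabled builds do) this turns a silenced write attempt and an allowed read into audited denials. The same asymmetry applies to rlogind_t and xdm_t further down.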
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/hald.te policy-1.18.2.old/domains/program/unused/hald.te
--- policy-1.18.2/domains/program/unused/hald.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/hald.te	2004-11-05 23:57:55.336851365 -0500
@@ -31,12 +31,13 @@
 
 allow hald_t bin_t:file { getattr };
 allow hald_t self:netlink_route_socket r_netlink_socket_perms;
-allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search };
+allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
 can_network(hald_t)
 can_ypbind(hald_t)
 
 allow hald_t device_t:lnk_file read;
 allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl };
+allow hald_t removable_device_t:blk_file { write };
 allow hald_t event_device_t:chr_file { getattr read ioctl };
 allow hald_t printer_device_t:chr_file rw_file_perms;
 allow hald_t urandom_device_t:chr_file { read };
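Review bot: adding mknod to hald_t's capability set and write on removable_device_t:blk_file are both privilege increases that need a comment naming the hald operation that requires them; write access to removable block devices means a hald bug can alter media contents, so if the need is really only for ioctls, the ioctl permission already granted on the line above should be enough.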
@@ -60,7 +61,11 @@
 allow hald_t usbfs_t:dir search;
 allow hald_t usbfs_t:file { getattr read };
 allow hald_t bin_t:lnk_file read;
-r_dir_file(hald_t, { selinux_config_t default_context_t } )
+dontaudit hald_t selinux_config_t:dir { search };
 allow hald_t initrc_t:dbus { send_msg };
 allow initrc_t hald_t:dbus { send_msg };
 allow hald_t etc_runtime_t:file rw_file_perms;
+allow hald_t var_lib_t:dir search;
+allow hald_t device_t:dir { create_dir_perms };
+allow hald_t { device_t }:{ chr_file } { create_file_perms };
+tmp_domain(hald)
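Review bot: allow hald_t device_t:dir { create_dir_perms }; and allow hald_t { device_t }:{ chr_file } { create_file_perms };, combined with the new mknod capability, let hald create arbitrary character device nodes under /dev that stay labeled device_t. Prefer a file_type_auto_trans(hald_t, device_t, <dedicated device type>, chr_file) so the nodes get their own type, and drop the stray braces around the single type and class. Replacing r_dir_file(hald_t, { selinux_config_t default_context_t }) with a dontaudit also removes hald's read access to the default contexts; confirm nothing in hald still queries them through libselinux.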
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/i18n_input.te policy-1.18.2.old/domains/program/unused/i18n_input.te
--- policy-1.18.2/domains/program/unused/i18n_input.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/i18n_input.te	2004-11-05 23:57:55.336851365 -0500
@@ -11,6 +11,7 @@
 can_exec(i18n_input_t, i18n_input_exec_t)
 can_network(i18n_input_t)
 can_ypbind(i18n_input_t)
+allow i18n_input_t self:udp_socket connect;
 
 can_tcp_connect(userdomain, i18n_input_t)
 
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/inetd.te policy-1.18.2.old/domains/program/unused/inetd.te
--- policy-1.18.2/domains/program/unused/inetd.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/inetd.te	2004-11-05 23:57:55.337851252 -0500
@@ -21,6 +21,8 @@
 daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
 
 can_network(inetd_t)
+allow inetd_t self:udp_socket connect;
+
 allow inetd_t self:unix_dgram_socket create_socket_perms;
 allow inetd_t self:unix_stream_socket create_socket_perms;
 allow inetd_t self:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/innd.te policy-1.18.2.old/domains/program/unused/innd.te
--- policy-1.18.2/domains/program/unused/innd.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/innd.te	2004-11-05 23:57:55.338851140 -0500
@@ -30,6 +30,7 @@
 
 can_network(innd_t)
 can_ypbind(innd_t)
+allow innd_t self:udp_socket connect;
 
 can_unix_send( { innd_t sysadm_t }, { innd_t sysadm_t } )
 allow innd_t self:unix_dgram_socket create_socket_perms;
@@ -64,6 +65,9 @@
 
 ifdef(`crond.te', `
 system_crond_entry(innd_exec_t, innd_t)
+allow system_crond_t innd_etc_t:file { getattr read };
+rw_dir_create_file(system_crond_t, innd_log_t)
+rw_dir_create_file(system_crond_t, innd_var_run_t)
 ')
 ifdef(`syslogd.te', `
 allow syslogd_t innd_log_t:dir search;
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/mailman.te policy-1.18.2.old/domains/program/unused/mailman.te
--- policy-1.18.2/domains/program/unused/mailman.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/mailman.te	2004-11-05 23:57:55.339851027 -0500
@@ -20,7 +20,7 @@
 can_exec_any(mailman_$1_t)
 allow mailman_$1_t { proc_t sysctl_t sysctl_kernel_t }:dir search;
 allow mailman_$1_t { proc_t sysctl_kernel_t }:file { read getattr };
-allow mailman_$1_t var_lib_t:dir { getattr search };
+allow mailman_$1_t var_lib_t:dir { getattr search read };
 allow mailman_$1_t var_lib_t:lnk_file read;
 allow mailman_$1_t device_t:dir search;
 allow mailman_$1_t etc_runtime_t:file { read getattr };
@@ -29,14 +29,16 @@
 allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
 allow mailman_$1_t fs_t:filesystem getattr;
 can_network(mailman_$1_t)
-can_ypbind(mailman_$1_t)
+allow mailman_$1_t self:udp_socket connect;
 allow mailman_$1_t self:unix_stream_socket create_socket_perms;
 allow mailman_$1_t var_t:dir r_dir_perms;
 ')
 
 mailman_domain(queue, `, auth_chkpwd, nscd_client_domain')
 can_tcp_connect(mailman_queue_t, mail_server_domain)
+allow mailman_queue_t self:tcp_socket connect;
 
+dontaudit mailman_queue_t src_t:dir { search };
 can_exec(mailman_queue_t, su_exec_t)
 allow mailman_queue_t self:capability { setgid setuid };
 allow mailman_queue_t self:fifo_file rw_file_perms;
@@ -72,8 +74,9 @@
 domain_auto_trans({ httpd_t httpd_suexec_t }, mailman_cgi_exec_t, mailman_cgi_t)
 # should have separate types for public and private archives
 r_dir_file(httpd_t, mailman_archive_t)
-allow httpd_t mailman_data_t:dir search;
-r_dir_file(mailman_cgi_t, mailman_archive_t)
+allow httpd_t mailman_data_t:dir { getattr search };
+rw_dir_file(mailman_cgi_t, mailman_archive_t)
+allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms;
 
 dontaudit mailman_cgi_t httpd_log_t:file append;
 allow httpd_t mailman_cgi_t:process signal;
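Review bot: rw_dir_file(mailman_cgi_t, mailman_archive_t) plus create_lnk_perms turns the CGI domain's read-only view of the list archives into read/write with symlink creation, in the same tree httpd_t serves via r_dir_file(httpd_t, mailman_archive_t). Given the comment two lines up that public and private archives still share one type, the commit message should justify this widening, or the write access should be limited to the subdirectories the archiver actually updates.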
@@ -83,6 +86,8 @@
 allow mailman_cgi_t httpd_sys_script_t:dir search;
 allow mailman_cgi_t devtty_t:chr_file { read write };
 allow mailman_cgi_t self:process { fork sigchld };
+allow mailman_cgi_t var_spool_t:dir { search };
+dontaudit mailman_cgi_t src_t:dir { search };
 ')
 
 allow mta_delivery_agent mailman_data_t:dir search;
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/named.te policy-1.18.2.old/domains/program/unused/named.te
--- policy-1.18.2/domains/program/unused/named.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/named.te	2004-11-05 23:57:55.340850914 -0500
@@ -49,8 +49,10 @@
 allow named_t etc_runtime_t:{ file lnk_file } { getattr read };
 
 #Named can use network
-can_network(named_t)
+can_network(named_t, `dns_port_t')
 can_ypbind(named_t)
+allow named_t self:tcp_socket connect;
+
 # allow UDP transfer to/from any program
 can_udp_send(domain, named_t)
 can_udp_send(named_t, domain)
@@ -101,6 +103,7 @@
 uses_shlib(ndc_t)
 can_network(ndc_t)
 can_ypbind(ndc_t)
+allow ndc_t self:tcp_socket connect;
 read_locale(ndc_t)
 can_tcp_connect(ndc_t, named_t)
 
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/nscd.te policy-1.18.2.old/domains/program/unused/nscd.te
--- policy-1.18.2/domains/program/unused/nscd.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/nscd.te	2004-11-05 23:57:55.341850801 -0500
@@ -24,6 +24,7 @@
 allow nscd_t etc_t:lnk_file read;
 can_network(nscd_t)
 can_ypbind(nscd_t)
+allow nscd_t self:{ tcp_socket udp_socket } connect;
 
 file_type_auto_trans(nscd_t, var_run_t, nscd_var_run_t, sock_file)
 
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/ntpd.te policy-1.18.2.old/domains/program/unused/ntpd.te
--- policy-1.18.2/domains/program/unused/ntpd.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/ntpd.te	2004-11-05 23:57:55.341850801 -0500
@@ -12,6 +12,9 @@
 type ntp_drift_t, file_type, sysadmfile;
 type ntp_port_t, port_type, reserved_port_type;
 
+type ntpdate_exec_t, file_type, sysadmfile, exec_type;
+domain_auto_trans(initrc_t, ntpdate_exec_t, ntpd_t)
+
 logdir_domain(ntpd)
 
 allow ntpd_t var_lib_t:dir r_dir_perms;
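Review bot: the new ntpdate_exec_t type and domain_auto_trans(initrc_t, ntpdate_exec_t, ntpd_t) need a file_contexts entry for the ntpdate binary, and none appears in this part of the patch; without it the transition never fires and ntpdate keeps running in initrc_t.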
@@ -34,8 +37,10 @@
 allow ntpd_t etc_t:file { read getattr };
 
 # Use the network.
-can_network(ntpd_t)
+can_network(ntpd_t, `ntp_port_t')
 can_ypbind(ntpd_t)
+can_resolve(ntpd_t)
+allow ntpd_t self:{ tcp_socket udp_socket } connect;
 allow ntpd_t ntp_port_t:udp_socket name_bind;
 allow ntpd_t self:unix_dgram_socket create_socket_perms;
 allow ntpd_t self:unix_stream_socket create_socket_perms;
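Review bot: can_resolve(ntpd_t) is a macro not defined anywhere in this patch. If can_network(ntpd_t, `ntp_port_t') now limits send_msg/recv_msg to ntp_port_t through base_can_network's third argument, ntpd depends on can_resolve for the DNS lookups of its server names, so the macro has to land first; the same dependency exists for the other domains whose can_network call gained a port argument (named_t, dhcpd_t).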
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/ping.te policy-1.18.2.old/domains/program/unused/ping.te
--- policy-1.18.2/domains/program/unused/ping.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/ping.te	2004-11-05 23:57:55.342850689 -0500
@@ -35,6 +35,7 @@
 can_ypbind(ping_t)
 allow ping_t etc_t:file { getattr read };
 allow ping_t self:unix_stream_socket create_socket_perms;
+allow ping_t self:{ tcp_socket udp_socket } connect;
 
 # Let ping create raw ICMP packets.
 allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
@@ -55,3 +56,5 @@
 # it tries to access /var/run
 dontaudit ping_t var_t:dir search;
 
+dontaudit ping_t devtty_t:chr_file { read write };
+dontaudit ping_t ping_t:capability { sys_tty_config };
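Review bot: dontaudit ping_t ping_t:capability { sys_tty_config }; should use self as the target, i.e. dontaudit ping_t self:capability sys_tty_config;, matching every other capability rule in the patch.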
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/portmap.te policy-1.18.2.old/domains/program/unused/portmap.te
--- policy-1.18.2/domains/program/unused/portmap.te	2004-11-06 00:10:58.306027721 -0500
+++ policy-1.18.2.old/domains/program/unused/portmap.te	2004-11-05 23:57:55.343850576 -0500
@@ -53,4 +53,3 @@
 # Use capabilities
 allow portmap_t self:capability { net_bind_service setuid setgid };
 allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
-
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/postfix.te policy-1.18.2.old/domains/program/unused/postfix.te
--- policy-1.18.2/domains/program/unused/postfix.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/postfix.te	2004-11-05 23:57:55.343850576 -0500
@@ -119,6 +119,8 @@
 allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
 can_network(postfix_master_t)
 can_ypbind(postfix_master_t)
+allow postfix_master_t self:{ tcp_socket udp_socket } connect;
+
 allow postfix_master_t smtp_port_t:tcp_socket name_bind;
 allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
 allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/postgresql.te policy-1.18.2.old/domains/program/unused/postgresql.te
--- policy-1.18.2/domains/program/unused/postgresql.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/postgresql.te	2004-11-05 23:57:55.344850463 -0500
@@ -13,6 +13,8 @@
 type postgresql_port_t, port_type;
 daemon_domain(postgresql)
 allow initrc_t postgresql_exec_t:lnk_file read;
+allow postgresql_t usr_t:file { getattr read };
+allow postgresql_t self:udp_socket connect;
 
 allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
 
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/rlogind.te policy-1.18.2.old/domains/program/unused/rlogind.te
--- policy-1.18.2/domains/program/unused/rlogind.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/rlogind.te	2004-11-05 23:57:55.344850463 -0500
@@ -14,7 +14,6 @@
 role system_r types rlogind_t;
 uses_shlib(rlogind_t)
 can_network(rlogind_t)
-can_ypbind(rlogind_t)
 type rlogind_exec_t, file_type, sysadmfile, exec_type;
 domain_auto_trans(inetd_t, rlogind_exec_t, rlogind_t)
 ifdef(`tcpd.te', `
@@ -75,8 +74,6 @@
 # Modify /var/log/wtmp.
 allow rlogind_t var_log_t:dir search;
 allow rlogind_t wtmp_t:file rw_file_perms;
-allow rlogind_t krb5_conf_t:file { getattr read };
-dontaudit rlogind_t krb5_conf_t:file write;
 allow rlogind_t urandom_device_t:chr_file { getattr read };
 dontaudit rlogind_t selinux_config_t:dir search;
 allow rlogind_t staff_home_dir_t:dir search;
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/rpcd.te policy-1.18.2.old/domains/program/unused/rpcd.te
--- policy-1.18.2/domains/program/unused/rpcd.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/rpcd.te	2004-11-05 23:57:55.345850351 -0500
@@ -14,6 +14,7 @@
 daemon_base_domain($1)
 can_network($1_t)
 can_ypbind($1_t)
+allow $1_t self:{ udp_socket tcp_socket } connect;
 allow $1_t etc_t:file { getattr read };
 read_locale($1_t)
 allow $1_t self:capability net_bind_service;
@@ -24,6 +25,7 @@
 allow $1_t var_lib_nfs_t:file create_file_perms;
 # do not log when it tries to bind to a port belonging to another domain
 dontaudit $1_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
+allow $1_t reserved_port_t:{ udp_socket tcp_socket } { name_bind };
 allow $1_t self:netlink_route_socket r_netlink_socket_perms;
 allow $1_t self:unix_dgram_socket create_socket_perms;
 allow $1_t self:unix_stream_socket create_stream_socket_perms;
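Review bot: the new allow $1_t reserved_port_t:{ udp_socket tcp_socket } { name_bind }; sits directly under the comment "do not log when it tries to bind to a port belonging to another domain", which now reads as if the bind is denied; move the allow above the dontaudit and give it its own comment (RPC services take portmapper-assigned ports, so binding generic reserved_port_t is expected, but a reader should not have to infer that).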
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/rshd.te policy-1.18.2.old/domains/program/unused/rshd.te
--- policy-1.18.2/domains/program/unused/rshd.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/rshd.te	2004-11-05 23:57:55.346850238 -0500
@@ -31,8 +31,9 @@
 allow rshd_t self:unix_dgram_socket create_socket_perms;
 allow rshd_t self:unix_stream_socket create_stream_socket_perms;
 allow rshd_t { home_root_t home_dir_type }:dir { search getattr };
-allow rshd_t krb5_conf_t:file { getattr read };
-dontaudit rshd_t krb5_conf_t:file write;
+can_kerberos(rshd_t)
 allow rshd_t tmp_t:dir { search };
+ifdef(`rlogind.te', `
 allow rshd_t rlogind_tmp_t:file rw_file_perms;
+')
 allow rshd_t urandom_device_t:chr_file { getattr read };
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/samba.te policy-1.18.2.old/domains/program/unused/samba.te
--- policy-1.18.2/domains/program/unused/samba.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/samba.te	2004-11-05 23:57:55.347850125 -0500
@@ -49,7 +49,6 @@
 
 # Use the network.
 can_network(smbd_t)
-can_ypbind(smbd_t)
 
 allow smbd_t urandom_device_t:chr_file { getattr read };
 
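Review bot: can_ypbind(smbd_t) is removed with nothing added in its place; with connect gone from rw_socket_perms in core_macros.te, smbd_t keeps can_network but can no longer initiate outbound TCP or UDP connections unless it gets the same allow smbd_t self:{ tcp_socket udp_socket } connect; line the other daemons receive. The same gap applies to rlogind_t and imapd_t below.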
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/sendmail.te policy-1.18.2.old/domains/program/unused/sendmail.te
--- policy-1.18.2/domains/program/unused/sendmail.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/sendmail.te	2004-11-05 23:57:55.347850125 -0500
@@ -27,6 +27,7 @@
 # Use the network.
 can_network(sendmail_t)
 can_ypbind(sendmail_t)
+allow sendmail_t self:{ tcp_socket udp_socket } connect;
 
 allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
 allow sendmail_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/slapd.te policy-1.18.2.old/domains/program/unused/slapd.te
--- policy-1.18.2/domains/program/unused/slapd.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/slapd.te	2004-11-05 23:57:55.348850013 -0500
@@ -30,6 +30,7 @@
 allow slapd_t self:unix_dgram_socket create_socket_perms;
 # allow any domain to connect to the LDAP server
 can_tcp_connect(domain, slapd_t)
+allow slapd_t self:{ tcp_socket udp_socket } connect;
 
 # Use capabilities  should not need kill...
 allow slapd_t self:capability { kill setgid setuid net_bind_service net_raw };
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/slocate.te policy-1.18.2.old/domains/program/unused/slocate.te
--- policy-1.18.2/domains/program/unused/slocate.te	2004-11-06 00:11:31.375539016 -0500
+++ policy-1.18.2.old/domains/program/unused/slocate.te	2004-11-05 23:57:55.348850013 -0500
@@ -2,7 +2,6 @@
 #
 # Author:  Dan Walsh <dwalsh@redhat.com>
 #
-# Depends: inetd.te
 
 #################################
 #
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/snmpd.te policy-1.18.2.old/domains/program/unused/snmpd.te
--- policy-1.18.2/domains/program/unused/snmpd.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/snmpd.te	2004-11-05 23:57:55.349849900 -0500
@@ -15,6 +15,7 @@
 
 can_network(snmpd_t)
 can_ypbind(snmpd_t)
+allow snmpd_t self:{ tcp_socket udp_socket } connect;
 
 type snmp_port_t, port_type, reserved_port_type;
 allow snmpd_t snmp_port_t:{ udp_socket tcp_socket } name_bind;
@@ -38,7 +39,7 @@
 allow snmpd_t self:unix_dgram_socket create_socket_perms;
 allow snmpd_t self:unix_stream_socket create_socket_perms;
 allow snmpd_t etc_t:lnk_file read;
-allow snmpd_t { etc_t etc_runtime_t }:file { getattr read };
+allow snmpd_t { etc_t etc_runtime_t }:file r_file_perms;
 allow snmpd_t urandom_device_t:chr_file read;
 allow snmpd_t self:capability { dac_override kill net_bind_service net_admin sys_nice sys_tty_config };
 
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/spamd.te policy-1.18.2.old/domains/program/unused/spamd.te
--- policy-1.18.2/domains/program/unused/spamd.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/spamd.te	2004-11-05 23:57:55.349849900 -0500
@@ -24,6 +24,7 @@
 dontaudit spamd_t sysadm_home_dir_t:dir getattr;
 
 can_network(spamd_t)
+allow spamd_t self:{ tcp_socket udp_socket } connect;
 allow spamd_t self:capability { net_bind_service };
 
 allow spamd_t proc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/squid.te policy-1.18.2.old/domains/program/unused/squid.te
--- policy-1.18.2/domains/program/unused/squid.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/squid.te	2004-11-05 23:57:55.350849787 -0500
@@ -55,6 +55,7 @@
 can_network(squid_t)
 can_ypbind(squid_t)
 can_tcp_connect(web_client_domain, squid_t)
+allow squid_t self:{ tcp_socket udp_socket } connect;
 
 # tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts)
 allow squid_t http_cache_port_t:tcp_socket name_bind;
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/swat.te policy-1.18.2.old/domains/program/unused/swat.te
--- policy-1.18.2/domains/program/unused/swat.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/swat.te	2004-11-05 23:57:55.350849787 -0500
@@ -2,6 +2,7 @@
 #
 # Author:  Dan Walsh <dwalsh@redhat.com>
 #
+# Depends: inetd.te
 
 #################################
 #
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/traceroute.te policy-1.18.2.old/domains/program/unused/traceroute.te
--- policy-1.18.2/domains/program/unused/traceroute.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/traceroute.te	2004-11-05 23:57:55.351849675 -0500
@@ -20,6 +20,7 @@
 uses_shlib(traceroute_t)
 can_network(traceroute_t)
 can_ypbind(traceroute_t)
+allow traceroute_t self:{ tcp_socket udp_socket } connect;
 allow traceroute_t node_t:rawip_socket node_bind;
 type traceroute_exec_t, file_type, sysadmfile, exec_type;
 
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/uwimapd.te policy-1.18.2.old/domains/program/unused/uwimapd.te
--- policy-1.18.2/domains/program/unused/uwimapd.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/uwimapd.te	2004-11-05 23:57:55.352849562 -0500
@@ -9,7 +9,6 @@
 tmp_domain(imapd)
 
 can_network(imapd_t)
-can_ypbind(imapd_t)
 
 #declare our own services
 allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/vpnc.te policy-1.18.2.old/domains/program/unused/vpnc.te
--- policy-1.18.2/domains/program/unused/vpnc.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/vpnc.te	2004-11-05 23:57:55.352849562 -0500
@@ -17,6 +17,8 @@
 # Use the network.
 can_network(vpnc_t)
 can_ypbind(vpnc_t)
+allow vpnc_t self:udp_socket connect;
+allow vpnc_t self:socket create_socket_perms;
 
 # Use capabilities.
 allow vpnc_t self:capability { net_admin ipc_lock net_bind_service net_raw };
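Review bot: allow vpnc_t self:socket create_socket_perms; grants the generic socket class, which covers every socket family that lacks its own class; name the family vpnc actually opens in a comment, or use the specific class if one exists, so this catch-all does not silently cover future families.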
@@ -28,3 +30,12 @@
 allow vpnc_t self:unix_dgram_socket create_socket_perms;
 allow vpnc_t self:unix_stream_socket create_socket_perms;
 allow vpnc_t admin_tty_type:chr_file rw_file_perms;
+allow vpnc_t port_t:udp_socket { name_bind };
+allow vpnc_t etc_runtime_t:file { getattr read };
+allow vpnc_t proc_t:file { getattr read };
+dontaudit vpnc_t selinux_config_t:dir search;
+can_exec(vpnc_t, {bin_t sbin_t ifconfig_exec_t shell_exec_t })
+allow vpnc_t sysctl_net_t:dir { search };
+allow vpnc_t sbin_t:dir { search };
+allow vpnc_t bin_t:dir { search };
+allow vpnc_t bin_t:lnk_file { read };
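Review bot: can_exec(vpnc_t, {bin_t sbin_t ifconfig_exec_t shell_exec_t }) runs ifconfig and a shell inside vpnc_t, so the helper scripts inherit vpnc_t's net_admin, net_raw and ipc_lock capabilities; a domain_auto_trans(vpnc_t, ifconfig_exec_t, ifconfig_t) keeps interface configuration in the ifconfig domain, and the shell should be confined the same way if it is needed at all. allow vpnc_t port_t:udp_socket { name_bind }; also binds any generic port; if vpnc needs a fixed local port, a dedicated port type is tighter. Minor: missing space after the opening brace in the can_exec set.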
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/xdm.te policy-1.18.2.old/domains/program/unused/xdm.te
--- policy-1.18.2/domains/program/unused/xdm.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/xdm.te	2004-11-05 23:57:55.353849449 -0500
@@ -46,7 +46,7 @@
 allow xdm_t default_context_t:file { read getattr };
 
 can_network(xdm_t)
-can_ypbind(xdm_t)
+allow xdm_t self:udp_socket connect;
 allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow xdm_t self:unix_dgram_socket create_socket_perms;
 allow xdm_t self:fifo_file rw_file_perms;
@@ -287,7 +287,7 @@
 }
 
 # for .dmrc
-allow xdm_t user_home_dir_type:dir search;
+allow xdm_t user_home_dir_type:dir { getattr search };
 allow xdm_t user_home_type:file { getattr read };
 
 allow xdm_t mnt_t:dir { getattr read search };
@@ -309,8 +309,6 @@
 ')
 
 allow xdm_t var_log_t:file { read };
-dontaudit xdm_t krb5_conf_t:file { write };
-allow xdm_t krb5_conf_t:file { getattr read };
 allow xdm_t self:capability { sys_nice sys_rawio net_bind_service };
 allow xdm_t self:process { setrlimit };
 allow xdm_t wtmp_t:file { getattr read };
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/program/unused/ypbind.te policy-1.18.2.old/domains/program/unused/ypbind.te
--- policy-1.18.2/domains/program/unused/ypbind.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/program/unused/ypbind.te	2004-11-05 23:57:55.354849337 -0500
@@ -12,8 +12,6 @@
 #
 daemon_domain(ypbind)
 
-bool allow_ypbind true;
-
 tmp_domain(ypbind)
 
 # Use capabilities.
@@ -22,6 +20,7 @@
 # Use the network.
 can_network(ypbind_t)
 allow ypbind_t port_t:{ tcp_socket udp_socket } name_bind;
+allow ypbind_t self:{ tcp_socket udp_socket } connect;
 
 allow ypbind_t self:fifo_file rw_file_perms;
 
@@ -39,5 +38,5 @@
 allow ypbind_t etc_t:file { getattr read };
 allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
 allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
-allow ypbind_t reserved_port_t:tcp_socket { name_bind };
-allow ypbind_t reserved_port_t:udp_socket { name_bind };
+allow ypbind_t reserved_port_t:{ tcp_socket udp_socket } { name_bind };
+dontaudit ypbind_t reserved_port_type:{udp_socket tcp_socket} { name_bind };
diff --exclude-from=exclude -N -u -r policy-1.18.2/domains/user.te policy-1.18.2.old/domains/user.te
--- policy-1.18.2/domains/user.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/domains/user.te	2004-11-05 23:57:55.355849224 -0500
@@ -15,6 +15,9 @@
 # and may change other protocols 
 bool user_tcp_server false;
 
+# Allow system to run with NIS
+bool allow_ypbind false;
+
 # Allow users to rw usb devices
 bool user_rw_usb false;
 
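Review bot: bool allow_ypbind moves from unused/ypbind.te to user.te and its default flips from true to false; that is a behaviour change for every NIS site using the can_ypbind domains and it is not mentioned anywhere in the patch, so call it out. Moving the declaration out of an unused/ file is sensible because can_ypbind callers need the boolean even when ypbind.te is not installed, but the comment should say that rather than "Allow system to run with NIS".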
diff --exclude-from=exclude -N -u -r policy-1.18.2/macros/base_user_macros.te policy-1.18.2.old/macros/base_user_macros.te
--- policy-1.18.2/macros/base_user_macros.te	2004-11-06 00:09:29.744360784 -0500
+++ policy-1.18.2.old/macros/base_user_macros.te	2004-11-05 23:58:27.899181436 -0500
@@ -196,12 +196,19 @@
 # Use the network.
 can_network($1_t)
 can_ypbind($1_t)
+allow $1_t self:{ tcp_socket udp_socket } connect;
+
+ifdef(`pamconsole.te', `
+allow $1_t pam_var_console_t:dir { search };
+')
+
+allow $1_t var_lock_t:dir { search };
 
 # Grant permissions to access the system DBus
 ifdef(`dbusd.te', `
 dbusd_client(system, $1)
 can_network($1_dbusd_t)
-allow $1_dbusd_t reserved_port_t:tcp_socket name_bind;
+allow $1_dbusd_t reserved_port_t:tcp_socket { name_bind };
 
 allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
 dbusd_client($1, $1)
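Review bot: the change of name_bind to { name_bind } on the $1_dbusd_t reserved_port_t line is pure churn with no semantic effect; drop it to keep the diff reviewable. The added ifdef(`pamconsole.te' block and var_lock_t:dir search for every user domain are fine but unrelated to the network rework and would be easier to review as a separate patch.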
diff --exclude-from=exclude -N -u -r policy-1.18.2/macros/core_macros.te policy-1.18.2.old/macros/core_macros.te
--- policy-1.18.2/macros/core_macros.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/macros/core_macros.te	2004-11-05 23:57:55.360848660 -0500
@@ -132,22 +132,32 @@
 #
 # Permissions for using sockets.
 # 
-define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
+define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind getopt setopt shutdown }')
 
 #
 # Permissions for creating and using sockets.
 # 
-define(`create_socket_perms', `{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
+define(`connected_socket_perms', `{ create rw_socket_perms }')
+
+#
+# Permissions for creating, connecting and using sockets.
+# 
+define(`create_socket_perms', `{ connected_socket_perms connect }')
 
 #
 # Permissions for using stream sockets.
 # 
-define(`rw_stream_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }')
+define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
+
+#
+# Permissions for creating and using stream sockets.
+# 
+define(`connected_stream_socket_perms', `{ create rw_stream_socket_perms }')
 
 #
 # Permissions for creating and using stream sockets.
 # 
-define(`create_stream_socket_perms', `{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }')
+define(`create_stream_socket_perms', `{ connect connected_stream_socket_perms }')
 
 
 #
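Review bot: removing connect from rw_socket_perms, and therefore from every existing use of it (e.g. the mount_t:udp_socket rw_socket_perms rule in the old can_network), is the policy-wide change that forces all the scattered self:... connect additions above, and several domains (courier, smbd, rlogind, imapd) never got one; the patch description should state this so missing domains can be found. The naming is also confusing: connected_socket_perms is the set without connect, and its comment ("Permissions for creating and using sockets") is word-for-word the same as the one on connected_stream_socket_perms; either rename the sets by what they exclude or document that connect is deliberately left out. Finally, connected_socket_perms has no listen or accept, so using it for tcp_socket as base_can_network does in network_macros.te (allow $1 self:$2_socket connected_socket_perms;) drops the listen/accept that create_stream_socket_perms used to give TCP servers via can_network, unless can_tcp_network adds them back, which is not visible in this patch.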
diff --exclude-from=exclude -N -u -r policy-1.18.2/macros/global_macros.te policy-1.18.2.old/macros/global_macros.te
--- policy-1.18.2/macros/global_macros.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/macros/global_macros.te	2004-11-05 23:57:55.361848548 -0500
@@ -118,64 +118,6 @@
 
 #################################
 #
-# can_network(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network',`
-#
-# Allow the domain to create and use UDP and TCP sockets.
-# Other kinds of sockets must be separately authorized for use.
-allow $1 self:udp_socket create_socket_perms;
-allow $1 self:tcp_socket create_stream_socket_perms;
-
-#
-# Allow the domain to send or receive using any network interface.
-# netif_type is a type attribute for all network interface types.
-#
-allow $1 netif_type:netif { tcp_send udp_send rawip_send };
-allow $1 netif_type:netif { tcp_recv udp_recv rawip_recv };
-
-#
-# Allow the domain to send to or receive from any node.
-# node_type is a type attribute for all node types.
-#
-allow $1 node_type:node { tcp_send udp_send rawip_send };
-allow $1 node_type:node { tcp_recv udp_recv rawip_recv };
-
-#
-# Allow the domain to send to or receive from any port.
-# port_type is a type attribute for all port types.
-#
-allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg };
-
-#
-# Allow the domain to send NFS client requests via the socket
-# created by mount.
-#
-allow $1 mount_t:udp_socket rw_socket_perms;
-
-#
-# Bind to the default port type.
-# Other port types must be separately authorized.
-#
-#allow $1 port_t:udp_socket name_bind;
-#allow $1 port_t:tcp_socket name_bind;
-
-# XXX Allow binding to any node type.  Remove once
-# individual rules have been added to all domains that 
-# bind sockets. 
-allow $1 node_type: { tcp_socket udp_socket } node_bind;
-#
-# Allow access to network files including /etc/resolv.conf
-#
-allow $1 net_conf_t:file r_file_perms;
-')dnl end can_network definition
-
-#################################
-#
 # can_sysctl(domain)
 #
 # Permissions for modifying sysctl parameters.
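Review bot: The whole can_network definition removed here reappears as a new file, macros/network_macros.te, but nothing in the patch shows that file being included in the build ahead of the macros that call can_network; m4 only expands a macro that is already defined, so if the Makefile includes macros/*.te in a different order the program macros that call can_network would be emitted unexpanded. Either show the Makefile change or confirm in the description that the existing wildcard picks up the new file before macros/program/*.te.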
@@ -271,6 +213,7 @@
 define(`daemon_core_rules', `
 type $1_t, domain, privlog, daemon $2;
 type $1_exec_t, file_type, sysadmfile, exec_type;
+dontaudit $1_t self:capability sys_tty_config;
 
 role system_r types $1_t;
 
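Review bot: The `dontaudit $1_t self:capability sys_tty_config;` added to daemon_core_rules is unrelated to the can_network rework and silences a capability check for every daemon domain built with that macro; it needs a comment naming the daemon that triggers the denial and would be easier to review in its own patch.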
diff --exclude-from=exclude -N -u -r policy-1.18.2/macros/network_macros.te policy-1.18.2.old/macros/network_macros.te
--- policy-1.18.2/macros/network_macros.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.18.2.old/macros/network_macros.te	2004-11-05 23:57:55.362848435 -0500
@@ -0,0 +1,108 @@
+#################################
+#
+# can_network(domain)
+#
+# Permissions for accessing the network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`base_can_network',`
+#
+# Allow the domain to create and use $2 sockets.
+# Other kinds of sockets must be separately authorized for use.
+allow $1 self:$2_socket connected_socket_perms;
+
+#
+# Allow the domain to send or receive using any network interface.
+# netif_type is a type attribute for all network interface types.
+#
+allow $1 netif_type:netif { $2_send rawip_send };
+allow $1 netif_type:netif { $2_recv rawip_recv };
+
+#
+# Allow the domain to send to or receive from any node.
+# node_type is a type attribute for all node types.
+#
+allow $1 node_type:node { $2_send rawip_send };
+allow $1 node_type:node { $2_recv rawip_recv };
+
+#
+# Allow the domain to send to or receive from any port.
+# port_type is a type attribute for all port types.
+#
+ifelse($3, `', `
+allow $1 port_type:{ $2_socket } { send_msg recv_msg };
+', `
+allow $1 $3:{ $2_socket } { send_msg recv_msg };
+')
+
+# XXX Allow binding to any node type.  Remove once
+# individual rules have been added to all domains that 
+# bind sockets. 
+allow $1 node_type: { $2_socket } node_bind;
+#
+# Allow access to network files including /etc/resolv.conf
+#
+allow $1 net_conf_t:file r_file_perms;
+')dnl end can_network definition
+
+#################################
+#
+# can_tcp_network(domain)
+#
+# Permissions for accessing a tcp network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_tcp_network',`
+base_can_network($1, tcp, `$2')
+allow $1 self:tcp_socket { listen accept };
+')
+
+#################################
+#
+# can_udp_network(domain)
+#
+# Permissions for accessing a udp network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_udp_network',`
+base_can_network($1, udp, `$2')
+')
+
+#################################
+#
+# can_network(domain)
+#
+# Permissions for accessing the network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_network',`
+
+can_tcp_network($1, `$2')
+can_udp_network($1, `$2')
+
+#
+# Allow the domain to send NFS client requests via the socket
+# created by mount.
+#
+allow $1 mount_t:udp_socket rw_socket_perms;
+
+')dnl end can_network definition
+
+define(`can_resolve',`
+can_udp_network($1, `dns_port_t')
+allow $1 self:udp_socket connect;
+')
+define(`can_ldap',`
+can_tcp_network($1, `ldap_port_t')
+allow $1 self:tcp_socket connect;
+')
+define(`can_kerberos',`
+can_network($1, `kerberos_port_t')
+allow $1 self:{ udp_socket tcp_socket } connect;
+dontaudit $1 krb5_conf_t:file { write };
+allow $1 krb5_conf_t:file { getattr read };
+')
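Review bot: The header comment above `define(`base_can_network'` still says `can_network(domain)`, and none of the three headers document the second argument that `ifelse($3, `', ...` and `base_can_network($1, tcp, `$2')` depend on; the comment `# Allow the domain to send to or receive from any port` is also wrong once a port type is passed, since the rule is then restricted to `$3`. Suggest `base_can_network(domain, protocol, [port_type])`, `can_tcp_network(domain, [port_type])` and `can_udp_network(domain, [port_type])` in the headers. Note also that can_resolve, can_ldap and can_kerberos each pull the full netif, node and node_bind rules in through base_can_network, so a domain that only needs DNS lookups still gets node_bind on every node type; that is probably more than the macro name suggests.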
diff --exclude-from=exclude -N -u -r policy-1.18.2/macros/program/cdrecord_macros.te policy-1.18.2.old/macros/program/cdrecord_macros.te
--- policy-1.18.2/macros/program/cdrecord_macros.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/macros/program/cdrecord_macros.te	2004-11-05 23:57:55.363848322 -0500
@@ -32,9 +32,9 @@
 
 # allow cdrecord to read user files
 r_dir_file($1_cdrecord_t, { $1_home_t $1_tmp_t })
-if (use_nfs_home_dirs) {
+ifdef(`nfs_home_dirs', `
 r_dir_file($1_cdrecord_t, nfs_t)
-}
+')dnl end if nfs_home_dirs
 
 # allow searching for cdrom-drive
 allow $1_cdrecord_t device_t:dir { getattr search };
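Review bot: Replacing `if (use_nfs_home_dirs) {` with `ifdef(`nfs_home_dirs', `` turns a runtime boolean into a build-time tunable, so administrators lose the ability to toggle NFS home directory access with setsebool, and the name changes as well (`nfs_home_dirs` versus `use_nfs_home_dirs`). Unless the boolean has been removed everywhere else, the conditional should stay as it was.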
diff --exclude-from=exclude -N -u -r policy-1.18.2/macros/program/chkpwd_macros.te policy-1.18.2.old/macros/program/chkpwd_macros.te
--- policy-1.18.2/macros/program/chkpwd_macros.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/macros/program/chkpwd_macros.te	2004-11-05 23:57:55.363848322 -0500
@@ -21,13 +21,20 @@
 allow $1_chkpwd_t proc_t:file read;
 can_getcon($1_chkpwd_t)
 can_ypbind($1_chkpwd_t)
+can_kerberos($1_chkpwd_t)
+can_ldap($1_chkpwd_t)
+can_resolve($1_chkpwd_t)
 # Transition from the user domain to this domain.
 ifelse($1, system, `
 domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
 role system_r types system_chkpwd_t;
 dontaudit auth_chkpwd shadow_t:file { getattr read };
 allow auth_chkpwd sbin_t:dir search;
-dontaudit $1_chkpwd_t tty_device_t:chr_file rw_file_perms;
+dontaudit $1_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
+can_ypbind(auth_chkpwd)
+can_kerberos(auth_chkpwd)
+can_ldap(auth_chkpwd)
+can_resolve(auth_chkpwd)
 ', `
 domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
 allow $1_t sbin_t:dir search;
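Review bot: The can_ypbind, can_kerberos, can_ldap and can_resolve calls added under `ifelse($1, system, `` grant every domain carrying the auth_chkpwd attribute NIS, Kerberos, LDAP and DNS network access unconditionally, on top of the same three grants added to $1_chkpwd_t at the top of the hunk; since can_kerberos expands to can_network plus connect on both socket classes, this is a sizeable widening for every PAM-using domain. Consider gating the kerberos, ldap and resolve grants behind booleans the way can_ypbind is gated on allow_ypbind.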
diff --exclude-from=exclude -N -u -r policy-1.18.2/macros/program/crond_macros.te policy-1.18.2.old/macros/program/crond_macros.te
--- policy-1.18.2/macros/program/crond_macros.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/macros/program/crond_macros.te	2004-11-05 23:57:55.364848210 -0500
@@ -68,6 +68,7 @@
 # This domain is granted permissions common to most domains.
 can_network($1_crond_t)
 can_ypbind($1_crond_t)
+allow $1_crond_t self:{ tcp_socket udp_socket } connect;
 r_dir_file($1_crond_t, self)
 allow $1_crond_t self:fifo_file rw_file_perms;
 allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
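Review bot: `allow $1_crond_t self:{ tcp_socket udp_socket } connect;` directly after can_network($1_crond_t) restores exactly the permission can_network no longer grants, so for crond the net effect of the rework is nil, and the same line is repeated in the mta, ssh, mozilla and ypbind hunks. A single macro for the outbound (connect) case would keep these grants in one auditable place instead of scattering connect rules across the program macros.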
diff --exclude-from=exclude -N -u -r policy-1.18.2/macros/program/inetd_macros.te policy-1.18.2.old/macros/program/inetd_macros.te
--- policy-1.18.2/macros/program/inetd_macros.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/macros/program/inetd_macros.te	2004-11-05 23:57:55.364848210 -0500
@@ -43,8 +43,7 @@
 allow $1_t home_root_t:dir { search };
 allow $1_t self:dir { search };
 allow $1_t self:file { getattr read };
-allow $1_t krb5_conf_t:file r_file_perms;
-dontaudit $1_t krb5_conf_t:file write;
+can_kerberos($1_t)
 allow $1_t urandom_device_t:chr_file { getattr read };
 type $1_port_t, port_type, reserved_port_type;
 # Use sockets inherited from inetd.
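Review bot: Replacing the two krb5_conf_t file rules with can_kerberos($1_t) is not a pure refactor: can_kerberos expands to can_network restricted to kerberos_port_t plus connect on tcp and udp sockets, so every inetd-started domain now gains socket creation, netif and node send/receive and outbound connect, not just access to /etc/krb5.conf. If these domains already had can_network this is harmless, but the hunk does not show that; otherwise keep the file rules here, or split can_kerberos into a configuration-read macro and a separate network macro.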
diff --exclude-from=exclude -N -u -r policy-1.18.2/macros/program/mozilla_macros.te policy-1.18.2.old/macros/program/mozilla_macros.te
--- policy-1.18.2/macros/program/mozilla_macros.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/macros/program/mozilla_macros.te	2004-11-05 23:57:55.365848097 -0500
@@ -17,6 +17,7 @@
 #
 define(`mozilla_domain',`
 x_client_domain($1, mozilla, `, web_client_domain, privlog')
+allow $1_mozilla_t self:{ tcp_socket udp_socket } { connect };
 
 allow $1_mozilla_t sound_device_t:chr_file rw_file_perms;
 
@@ -112,6 +113,7 @@
 # Eliminate errors from scanning with the 
 #
 dontaudit $1_mozilla_t file_type:dir getattr;
+allow $1_mozilla_t self:sem create_sem_perms;
 
 ifdef(`xdm.te', `
 allow $1_mozilla_t xdm_t:fifo_file { write read };
diff --exclude-from=exclude -N -u -r policy-1.18.2/macros/program/mta_macros.te policy-1.18.2.old/macros/program/mta_macros.te
--- policy-1.18.2/macros/program/mta_macros.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/macros/program/mta_macros.te	2004-11-05 23:57:55.366847984 -0500
@@ -37,6 +37,7 @@
 can_ypbind($1_mail_t)
 allow $1_mail_t self:unix_dgram_socket create_socket_perms;
 allow $1_mail_t self:unix_stream_socket create_socket_perms;
+allow $1_mail_t self:{ tcp_socket udp_socket } connect;
 
 read_locale($1_mail_t)
 read_sysctl($1_mail_t)
diff --exclude-from=exclude -N -u -r policy-1.18.2/macros/program/newrole_macros.te policy-1.18.2.old/macros/program/newrole_macros.te
--- policy-1.18.2/macros/program/newrole_macros.te	2004-11-06 00:09:29.766358467 -0500
+++ policy-1.18.2.old/macros/program/newrole_macros.te	2004-11-05 23:57:55.366847984 -0500
@@ -34,9 +34,6 @@
 allow $1_t bin_t:lnk_file read;
 allow $1_t shell_exec_t:file r_file_perms;
 
-can_ypbind($1_t)
-dontaudit $1_t krb5_conf_t:file { write };
-allow $1_t krb5_conf_t:file { getattr read };
 allow $1_t urandom_device_t:chr_file { getattr read };
 
 # Allow $1_t to transition to user domains.
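Review bot: can_ypbind($1_t) and the two krb5_conf_t rules are removed from newrole without a can_kerberos replacement, unlike the inetd, ssh and su hunks; unless newrole_t now receives these through the auth_chkpwd grants in chkpwd_macros.te, PAM authentication from newrole against NIS or Kerberos will start producing denials. The description should say where the replacement comes from.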
diff --exclude-from=exclude -N -u -r policy-1.18.2/macros/program/ssh_macros.te policy-1.18.2.old/macros/program/ssh_macros.te
--- policy-1.18.2/macros/program/ssh_macros.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/macros/program/ssh_macros.te	2004-11-05 23:57:55.367847872 -0500
@@ -84,6 +84,7 @@
 # to access the network.
 can_network($1_ssh_t)
 can_ypbind($1_ssh_t)
+allow $1_ssh_t self:{ tcp_socket udp_socket } connect;
 
 # Use capabilities.
 allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
@@ -157,8 +158,7 @@
 allow $1_ssh_t xdm_xserver_t:shm r_shm_perms;
 allow $1_ssh_t xdm_xserver_t:fd use;
 allow $1_ssh_t xdm_xserver_tmpfs_t:file read;
-allow $1_ssh_t krb5_conf_t:file { getattr read };
-dontaudit $1_ssh_t krb5_conf_t:file { write };
+can_kerberos($1_ssh_t)
 ')dnl end if xdm.te
 ')dnl end macro definition
 
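Review bot: The can_kerberos($1_ssh_t) replacement stays inside the `ifdef(`xdm.te', `` block (see the `')dnl end if xdm.te` closing line), as the two krb5_conf_t rules it replaces already were, so the ssh client only gets Kerberos access when the xdm policy is built. That dependency looks accidental, and since the rules are being touched anyway this is the moment to move the call outside the ifdef.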
diff --exclude-from=exclude -N -u -r policy-1.18.2/macros/program/su_macros.te policy-1.18.2.old/macros/program/su_macros.te
--- policy-1.18.2/macros/program/su_macros.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/macros/program/su_macros.te	2004-11-05 23:57:55.368847759 -0500
@@ -87,8 +87,7 @@
 # Write to utmp.
 allow $1_su_t { var_t var_run_t }:dir search;
 allow $1_su_t initrc_var_run_t:file rw_file_perms;
-dontaudit $1_su_t krb5_conf_t:file { write };
-allow $1_su_t krb5_conf_t:file { getattr read };
+can_kerberos($1_su_t)
 ') dnl end su_restricted_domain
 
 define(`su_mini_domain', `
diff --exclude-from=exclude -N -u -r policy-1.18.2/macros/program/userhelper_macros.te policy-1.18.2.old/macros/program/userhelper_macros.te
--- policy-1.18.2/macros/program/userhelper_macros.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/macros/program/userhelper_macros.te	2004-11-05 23:57:55.369847646 -0500
@@ -123,7 +123,6 @@
 ')
 allow $1_userhelper_t sysctl_t:dir { search };
 role system_r types $1_userhelper_t;
-allow $1_userhelper_t krb5_conf_t:file { getattr read };
 r_dir_file($1_userhelper_t, nfs_t)
 
 ifdef(`xdm.te', `
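Review bot: `allow $1_userhelper_t krb5_conf_t:file { getattr read };` is removed without a replacement here, while the equivalent rules in su_macros.te and inetd_macros.te become can_kerberos; if userhelper is meant to inherit this through auth_chkpwd, say so in the description, otherwise PAM modules run by userhelper lose read access to /etc/krb5.conf.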
@@ -139,6 +138,9 @@
 domain_auto_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)
 allow $1_userhelper_t $1_home_xauth_t:file { getattr read };
 ')
+
+ifdef(`pamconsole.te', `
 allow $1_userhelper_t pam_var_console_t:dir { search };
+')
 
 ')dnl end userhelper macro
diff --exclude-from=exclude -N -u -r policy-1.18.2/macros/program/xserver_macros.te policy-1.18.2.old/macros/program/xserver_macros.te
--- policy-1.18.2/macros/program/xserver_macros.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/macros/program/xserver_macros.te	2004-11-05 23:57:55.370847533 -0500
@@ -27,10 +27,11 @@
 ifdef(`distro_redhat', `
 type $1_xserver_t, domain, privlog, privmem, privmodule, nscd_client_domain;
 allow $1_xserver_t sysctl_modprobe_t:file { getattr read };
+ifdef(`rpm.te', `
 allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr };
 allow $1_xserver_t rpm_tmpfs_t:file { read write };
 allow $1_xserver_t rpm_t:fd { use };
-
+')
 ', `
 type $1_xserver_t, domain, privlog, privmem, nscd_client_domain;
 ')
@@ -51,6 +52,7 @@
 uses_shlib($1_xserver_t)
 can_network($1_xserver_t)
 can_ypbind($1_xserver_t)
+allow $1_xserver_t self:udp_socket connect;
 allow $1_xserver_t xserver_port_t:tcp_socket name_bind;
 
 # for access within the domain
@@ -148,6 +150,7 @@
 allow xdm_xserver_t xdm_t:process signal;
 allow xdm_xserver_t xdm_t:shm rw_shm_perms;
 allow xdm_t xdm_xserver_t:shm rw_shm_perms;
+dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
 ')
 ', `
 allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r policy-1.18.2/macros/program/ypbind_macros.te policy-1.18.2.old/macros/program/ypbind_macros.te
--- policy-1.18.2/macros/program/ypbind_macros.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/macros/program/ypbind_macros.te	2004-11-05 23:57:55.370847533 -0500
@@ -4,12 +4,16 @@
 can_network($1)
 r_dir_file($1,var_yp_t)
 allow $1 { reserved_port_t port_t }:{ tcp_socket udp_socket } name_bind;
+allow $1 self:{ tcp_socket udp_socket } connect;
+dontaudit $1 self:capability net_bind_service;
 ')
 
 define(`can_ypbind', `
 ifdef(`ypbind.te', `
 if (allow_ypbind) {
 uncond_can_ypbind($1)
+} else {
+dontaudit $1 var_yp_t:dir { search };
 }
 ') dnl ypbind.te
 ') dnl can_ypbind
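Review bot: `dontaudit $1 self:capability net_bind_service;` in uncond_can_ypbind sits next to an allow for name_bind on reserved_port_t; a domain that really binds a reserved port needs the capability, and the dontaudit would hide the resulting failure rather than fix it. If the intent is only to silence a probe that falls back to an unreserved port, a comment saying so would stop the next reader from taking it for a bug.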
diff --exclude-from=exclude -N -u -r policy-1.18.2/macros/user_macros.te policy-1.18.2.old/macros/user_macros.te
--- policy-1.18.2/macros/user_macros.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/macros/user_macros.te	2004-11-05 23:57:55.371847421 -0500
@@ -57,7 +57,7 @@
 ifdef(`apache.te', `apache_domain($1)')
 ifdef(`slocate.te', `locate_domain($1)')
 
-allow $1_t krb5_conf_t:file { getattr read };
+can_kerberos($1_t)
 # allow port_t name binding for UDP because it is not very usable otherwise
 allow $1_t port_t:udp_socket name_bind;
 
@@ -142,11 +142,6 @@
 # Stat lost+found.
 allow $1_t lost_found_t:dir getattr;
 
-# Read the /tmp directory and any /tmp files with the base type.
-# Temporary files created at runtime will typically use derived types.
-allow $1_t tmp_t:dir r_dir_perms;
-allow $1_t tmp_t:{ file lnk_file } r_file_perms;
-
 # Read /var, /var/spool, /var/run.
 allow $1_t var_t:dir r_dir_perms;
 allow $1_t var_t:notdevfile_class_set r_file_perms;
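Review bot: Dropping `allow $1_t tmp_t:dir r_dir_perms;` and `allow $1_t tmp_t:{ file lnk_file } r_file_perms;` from the user domain is a behaviour change unrelated to networking: users can no longer list /tmp or read files labelled tmp_t there. If that is intentional it needs its own explanation; if it is a leftover from a local tree it should come out of this patch.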
@@ -224,9 +219,11 @@
 allow $1_mount_t iso9660_t:filesystem { relabelfrom };
 allow $1_mount_t removable_t:filesystem { mount relabelto };
 allow $1_mount_t removable_t:dir { mounton };
+ifdef(`xdm.te', `
 allow $1_mount_t xdm_t:fd { use };
 allow $1_mount_t xdm_t:fifo_file { write };
 ')
+')
 
 #
 # Rules used to associate a homedir as a mountpoint
diff --exclude-from=exclude -N -u -r policy-1.18.2/targeted/domains/unconfined.te policy-1.18.2.old/targeted/domains/unconfined.te
--- policy-1.18.2/targeted/domains/unconfined.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/targeted/domains/unconfined.te	2004-11-05 23:57:55.375846970 -0500
@@ -42,4 +42,7 @@
 # Support NFS home directories
 bool use_nfs_home_dirs false;
 
+# Allow system to run with NIS
+bool allow_ypbind false;
+
 
diff --exclude-from=exclude -N -u -r policy-1.18.2/tunables/distro.tun policy-1.18.2.old/tunables/distro.tun
--- policy-1.18.2/tunables/distro.tun	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.old/tunables/distro.tun	2004-11-05 23:57:55.375846970 -0500
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
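Review bot: Uncommenting `define(`distro_redhat')` in tunables/distro.tun makes the Red Hat ifdefs the upstream default; this is a distribution setting that belongs in the Fedora build, not in the shared policy source.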
diff --exclude-from=exclude -N -u -r policy-1.18.2/tunables/tunable.tun policy-1.18.2.old/tunables/tunable.tun
--- policy-1.18.2/tunables/tunable.tun	2004-11-06 00:12:58.735313440 -0500
+++ policy-1.18.2.old/tunables/tunable.tun	2004-11-05 23:57:55.376846857 -0500
@@ -1,27 +1,27 @@
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
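Review bot: This hunk turns on unlimitedRPM, unlimitedUtils, unlimitedRC, user_can_mount, hide_broken_symptoms and user_canbe_sysadm in the default tunables, which lets rpm, hotplug and insmod, and every rc-started daemon without a transition run unconfined, and lets user_r reach sysadm_r; those are large relaxations of the strict policy and should not ride along in a can_network patch. Suggest dropping the tunables/ changes entirely and keeping them as local configuration.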


* Re: Adding alternate root patch to restorecon (setfiles?)
  2004-11-05 21:39         ` James Carter
  2004-11-06  5:23           ` Remaining changes from my patch excluding can_network changes Daniel J Walsh
  2004-11-06  5:33           ` can_network patch Daniel J Walsh
@ 2004-11-06 10:40           ` Thomas Bleher
  2004-11-10 23:11           ` Patches without the can_network patch Daniel J Walsh
  3 siblings, 0 replies; 64+ messages in thread
From: Thomas Bleher @ 2004-11-06 10:40 UTC (permalink / raw)
  To: James Carter; +Cc: Russell Coker, SELinux

* James Carter <jwcart2@epoch.ncsc.mil> [2004-11-05 22:37]:
> I haven't forgotten about this patch.  I will probably be working on
> merging it Monday, without the restorecon stuff at first.

Yes, that's OK. The restorecon stuff was more a "let's toss this idea
around to see what people say about it". I'm not sure myself if it
should be merged.
 
> The $1_domain_file_type attribute is an interesting idea, although the
> name is rather long.

I guess I'm just bad at naming. Feel free to take a shorter name. :)

Thanks,
Thomas


> This patch came just before I merged Dan's patch that added a
> httpdcontent attribute, so some changes will be needed to this patch.
>    
> On Tue, 2004-10-26 at 10:36, Russell Coker wrote:
> > On Tue, 26 Oct 2004 07:31, Thomas Bleher <bleher@informatik.uni-muenchen.de> 
> > wrote:
> > > OK, what do you guys think about the following patch:
> > > It adds an attribute $1_domain_file_type, so all file types from derived
> > > user domains can be grouped together. It also adds a restorecon_domain()
> > > macro, so users can call restorecon to reset the labels on their files.
> > 
> > I've attached a patch named "tom.diff" which applies after your patch to tweak 
> > a few things.  The new attribute allows a better way of dealing with the 
> > locate policy so I changed it appropriately.  I added some use of 
> > sysadm_domain_file_type.  Some of the types you had given the attribute 
> > $1_domain_file_type seemed inappropriate, this includes the print spool type, 
> > some temporary files, and files under /var/run.
> > 
> > Whether we have the user_restorecon_t domain etc is something that needs more 
> > consideration.  The attached patch named "diff" has the user_domain_file_type 
> > stuff from your patch with my amendments but none of the restorecon changes.  
> > I think that "diff" is worthy of being included in CVS regardless of what we 
> > do with restorecon.
> -- 
> James Carter <jwcart2@epoch.ncsc.mil>
> National Security Agency

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA  D09E C562 2BAE B2F4 ABE7



* Small patch to allow pam_console handle /dev/pmu
  2004-11-06  5:23           ` Remaining changes from my patch excluding can_network changes Daniel J Walsh
@ 2004-11-08 17:33             ` Daniel J Walsh
  2004-11-08 21:21               ` James Carter
  2004-11-08 21:21             ` Remaining changes from my patch excluding can_network changes James Carter
  1 sibling, 1 reply; 64+ messages in thread
From: Daniel J Walsh @ 2004-11-08 17:33 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: jwcart2, Russell Coker, Thomas Bleher, SELinux

[-- Attachment #1: Type: text/plain, Size: 1 bytes --]



[-- Attachment #2: policy-1.18.2-pmu.patch --]
[-- Type: text/x-patch, Size: 2131 bytes --]

diff -u -r policy-1.18.2/domains/program/unused/pamconsole.te policy-1.18.2.new/domains/program/unused/pamconsole.te
--- policy-1.18.2/domains/program/unused/pamconsole.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.new/domains/program/unused/pamconsole.te	2004-11-08 12:27:01.200075563 -0500
@@ -24,7 +24,7 @@
 allow pam_console_t device_t:dir { getattr read };
 allow pam_console_t device_t:lnk_file { getattr read };
 # mouse_device_t is for joy sticks
-allow pam_console_t { framebuf_device_t v4l_device_t apm_bios_t sound_device_t misc_device_t tty_device_t scanner_device_t mouse_device_t removable_device_t scsi_generic_device_t }:chr_file { getattr setattr };
+allow pam_console_t { framebuf_device_t v4l_device_t apm_bios_t sound_device_t misc_device_t tty_device_t scanner_device_t mouse_device_t power_device_t removable_device_t scsi_generic_device_t }:chr_file { getattr setattr };
 allow pam_console_t { removable_device_t fixed_disk_device_t }:blk_file { getattr setattr };
 
 allow pam_console_t mnt_t:dir r_dir_perms;
diff -u -r policy-1.18.2/file_contexts/types.fc policy-1.18.2.new/file_contexts/types.fc
--- policy-1.18.2/file_contexts/types.fc	2004-11-08 12:30:07.495998998 -0500
+++ policy-1.18.2.new/file_contexts/types.fc	2004-11-08 12:28:21.830953399 -0500
@@ -202,6 +202,7 @@
 /u?dev/fb[0-9]*		-c	system_u:object_r:framebuf_device_t
 /u?dev/apm_bios		-c	system_u:object_r:apm_bios_t
 /u?dev/cpu/mtrr		-c	system_u:object_r:mtrr_device_t
+/u?dev/pmu		-c	system_u:object_r:power_device_t
 /u?dev/(radio|video|vbi|vtx).* -c	system_u:object_r:v4l_device_t
 /u?dev/winradio.	-c	system_u:object_r:v4l_device_t
 /u?dev/vttuner		-c	system_u:object_r:v4l_device_t
diff -u -r policy-1.18.2/types/device.te policy-1.18.2.new/types/device.te
--- policy-1.18.2/types/device.te	2004-11-05 23:39:10.000000000 -0500
+++ policy-1.18.2.new/types/device.te	2004-11-08 12:27:25.530322964 -0500
@@ -130,6 +130,8 @@
 # Type for /dev/cpu/mtrr
 type mtrr_device_t, device_type, dev_fs;
 
+# Type for /dev/pmu 
+type power_device_t, device_type, dev_fs;
 
 # Type for /dev/apm_bios
 type apm_bios_t, device_type, dev_fs;
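Review bot: Trailing whitespace in `+# Type for /dev/pmu `. Also, within this patch only pam_console_t gets getattr and setattr on power_device_t (pamconsole.te hunk), so whichever daemon actually opens /dev/pmu will need its own read/write rule once the node is relabelled away from the generic device type; worth mentioning in the description if that is coming separately.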


* Re: Remaining changes from my patch excluding can_network changes.
  2004-11-06  5:23           ` Remaining changes from my patch excluding can_network changes Daniel J Walsh
  2004-11-08 17:33             ` Small patch to allow pam_console handle /dev/pmu Daniel J Walsh
@ 2004-11-08 21:21             ` James Carter
  1 sibling, 0 replies; 64+ messages in thread
From: James Carter @ 2004-11-08 21:21 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Russell Coker, Thomas Bleher, SELinux

Merged.

On Sat, 2004-11-06 at 00:23, Daniel J Walsh wrote:
> Most of these are small bug fix changes.  Some are quite critical like the
> removable_t associate one.

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency



* Re: Small patch to allow pam_console handle /dev/pmu
  2004-11-08 17:33             ` Small patch to allow pam_console handle /dev/pmu Daniel J Walsh
@ 2004-11-08 21:21               ` James Carter
  0 siblings, 0 replies; 64+ messages in thread
From: James Carter @ 2004-11-08 21:21 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Russell Coker, Thomas Bleher, SELinux

Merged.

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency



* Re: can_network patch
  2004-11-06  5:33           ` can_network patch Daniel J Walsh
@ 2004-11-09 21:34             ` James Carter
  2004-11-09 22:15               ` Daniel J Walsh
  0 siblings, 1 reply; 64+ messages in thread
From: James Carter @ 2004-11-09 21:34 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Russell Coker, Thomas Bleher, SELinux

This patch is on the right track.

On Sat, 2004-11-06 at 00:33, Daniel J Walsh wrote:
> This is the patch that eliminates connect from can_network.
> 
> The batch basically does a couple of things
> 
> can_network now calls
> can_tcp_network
> can_udp_network

I think can_network should have the same functionality as before.
There should be new macros for the reduced permissions.
It seems like we should have at least these macros:

can_tcp_client (or can_tcp_out) - connect, etc
can_tcp_server (or can_tcp_in) - bind, listen, accept, etc
can_udp
can_udp_connect - if connect is needed.

This patch has 34 lines adding connect permissions.  We should
definitely seek to reduce the number of lines related to networking
outside of the network macros.  I think Russell made a similar comment a
while back.

> diff --exclude-from=exclude -N -u -r policy-1.18.2/macros/core_macros.te policy-1.18.2.old/macros/core_macros.te
> --- policy-1.18.2/macros/core_macros.te	2004-11-05 23:39:10.000000000 -0500
> +++ policy-1.18.2.old/macros/core_macros.te	2004-11-05 23:57:55.360848660 -0500
> @@ -132,22 +132,32 @@
>  #
>  # Permissions for using sockets.
>  # 
> -define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
> +define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind getopt setopt shutdown }')
>  
>  #
>  # Permissions for creating and using sockets.
>  # 
> -define(`create_socket_perms', `{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
> +define(`connected_socket_perms', `{ create rw_socket_perms }')

This doesn't make sense to me.  Why grant "create", if already
connected?

> +
> +#
> +# Permissions for creating, connecting and using sockets.
> +# 
> +define(`create_socket_perms', `{ connected_socket_perms connect }')
>  
>  #
>  # Permissions for using stream sockets.
>  # 
> -define(`rw_stream_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }')
> +define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
> +
> +#
> +# Permissions for creating and using stream sockets.
> +# 
> +define(`connected_stream_socket_perms', `{ create rw_stream_socket_perms }')
>  
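Review bot: Removing `connect` from `rw_socket_perms` is a policy-wide change, not just a can_network one: every existing rule that uses rw_socket_perms silently loses connect, including `allow $1 mount_t:udp_socket rw_socket_perms;` that the new can_network keeps for NFS client requests. The description should list the callers that were checked, or the old set should be kept and a new narrower name introduced for the connect-less case.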

Same thing here.

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency



* Re: can_network patch
  2004-11-09 21:34             ` James Carter
@ 2004-11-09 22:15               ` Daniel J Walsh
  0 siblings, 0 replies; 64+ messages in thread
From: Daniel J Walsh @ 2004-11-09 22:15 UTC (permalink / raw)
  To: jwcart2; +Cc: Russell Coker, Thomas Bleher, SELinux, James Morris

James Carter wrote:

>This patch is on the right track.
>
>On Sat, 2004-11-06 at 00:33, Daniel J Walsh wrote:
>  
>
>>This is the patch that eliminates connect from can_network.
>>
>>The batch basically does a couple of things
>>
>>can_network now calls
>>can_tcp_network
>>can_udp_network
>>    
>>
>
>I think can_network should have the same functionality as before.
>There should be new macros for the reduced permissions.
>It seems like we should have at least these macros:
>
>can_tcp_client (or can_tcp_out) - connect, etc
>can_tcp_server (or can_tcp_in) - bind, listen, accept, etc
>can_udp
>can_udp_connect - if connect is needed.
>
>  
>
>This patch has 34 lines adding connect permissions.  We should
>definitely seek to reduce the number of lines related to networking
>outside of the network macros.  I think Russell made a similar comment a
>while back.
>  
>
My goal with the redesign was to make connect equivalent to name_bind.

After examining this further and talking with James, I realize that this
is not possible without a modification to the kernel.

Basically I want name_connect permission, so the policy would be written
such that a domain can only "connect" to certain ports.   So a domain which did a
connect(socket, DNS_PORT_T)
would need a rule like
allow mydomain_t dns_port_t:socketc name_connect;

Then all domains that can_network would either have a name_bind or a
name_connect associated with it and a lock down of the ports that they will use.

One goal of a lot of hackers now is to take over machines and use them
as mail forwarders (Spammers) or as launch sites for further attacks.  You don't even need
root access to do this.
Our current can_network() allows all domains to connect to any port
using UDP and TCP.

I have gotten partially there by breaking can_network into
can_udp_network and can_tcp_network.  Also eliminating the connect privilege from all
daemons that don't use it makes them more secure.

The port stuff that I added does not work as I expected and I am
removing some of it.

>  
>
>>diff --exclude-from=exclude -N -u -r policy-1.18.2/macros/core_macros.te policy-1.18.2.old/macros/core_macros.te
>>--- policy-1.18.2/macros/core_macros.te	2004-11-05 23:39:10.000000000 -0500
>>+++ policy-1.18.2.old/macros/core_macros.te	2004-11-05 23:57:55.360848660 -0500
>>@@ -132,22 +132,32 @@
>> #
>> # Permissions for using sockets.
>> # 
>>-define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
>>+define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind getopt setopt shutdown }')
>> 
>> #
>> # Permissions for creating and using sockets.
>> # 
>>-define(`create_socket_perms', `{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
>>+define(`connected_socket_perms', `{ create rw_socket_perms }')
>>    
>>
>
>This doesn't make sense to me.  Why grant "create", if already
>connected?
>
>  
>
connected_socket_perms might not be a great name, but it is to be used
with accept(socket) daemons, versus connect(socket) domains.  We named it that because it is just
removing the "connect" privilege, so the socket must already be "connected" :^).

>>+
>>+#
>>+# Permissions for creating, connecting and using sockets.
>>+# 
>>+define(`create_socket_perms', `{ connected_socket_perms connect }')
>> 
>> #
>> # Permissions for using stream sockets.
>> # 
>>-define(`rw_stream_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }')
>>+define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
>>+
>>+#
>>+# Permissions for creating and using stream sockets.
>>+# 
>>+define(`connected_stream_socket_perms', `{ create rw_stream_socket_perms }')
>> 
>>    
>>
>
>Same thing here.
>
>  
>




* Patches without the can_network patch.
  2004-11-05 21:39         ` James Carter
                             ` (2 preceding siblings ...)
  2004-11-06 10:40           ` Adding alternate root patch to restorecon (setfiles?) Thomas Bleher
@ 2004-11-10 23:11           ` Daniel J Walsh
  2004-11-10 23:38             ` Thomas Bleher
                               ` (2 more replies)
  3 siblings, 3 replies; 64+ messages in thread
From: Daniel J Walsh @ 2004-11-10 23:11 UTC (permalink / raw)
  To: jwcart2; +Cc: Russell Coker, Thomas Bleher, SELinux


Removal of a lot of kerberos and can_ypbind calls.  (Centralized under 
the auth call).

Several apache fixes to make squirrelmail work as well as mod_perl and 
mod_python.

Fixes to dovecot to get it to work with squirrelmail

Fixes to hal to allow it to create a chr_file device for pcmcia card 
communication.

Added lockdev policy

Fixes for mailman policy

A few more nscd_client_domains



[-- Attachment #2: policy-small.patch --]
[-- Type: text/x-patch, Size: 48748 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.19.1/domains/program/crond.te
--- nsapolicy/domains/program/crond.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.1/domains/program/crond.te	2004-11-10 17:30:03.409889426 -0500
@@ -23,7 +23,6 @@
 
 # Type for temporary files.
 tmp_domain(crond)
-can_ypbind(crond_t)
 
 crond_domain(system)
 
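Review bot: `can_ypbind(crond_t)` is dropped here with no replacement in this file; the cover letter says these calls are centralized under auth, but the only new `can_ypbind` in the patch is `can_ypbind(auth_chkpwd)` in chkpwd_macros.te, so crond_t keeps NIS lookups only if it carries the `auth_chkpwd` attribute. That is worth confirming before merging, since cron on a NIS client otherwise loses user lookups when `allow_ypbind` is on.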
@@ -114,6 +113,8 @@
 # Use capabilities.
 allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid };
 
+allow crond_t urandom_device_t:chr_file { getattr read };
+
 # Read the system crontabs.
 allow system_crond_t system_cron_spool_t:file r_file_perms;
 
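Review bot: the new `allow crond_t urandom_device_t:chr_file { getattr read };` is placed in the middle of the `system_crond_t` rules (between the capability line and the crontab rules) and has no comment. Move it next to the other `crond_t` rules and note what reads /dev/urandom (the PAM stack, presumably) so the next reader does not mistake it for a system_crond_t rule.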
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.19.1/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.1/domains/program/initrc.te	2004-11-10 17:30:03.410889314 -0500
@@ -303,8 +303,8 @@
 ')
 
 # for lsof in shutdown scripts
-allow initrc_t krb5_conf_t:file read;
-dontaudit initrc_t krb5_conf_t:file write;
+can_kerberos(initrc_t)
+
 #
 # Wants to remove udev.tbl
 #
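Review bot: `can_kerberos(initrc_t)` is not a one-for-one replacement of the two removed `krb5_conf_t` rules, because the macro in network_macros.te also expands `can_network($1)`. initrc_t most likely has network access already, but the same substitution is made in anaconda.te, apache.te, dovecot.te, rshd.te and inetd_macros.te, and for each caller it has to be checked separately that network access was already granted; a comment here saying the macro implies can_network would save that check.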
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.19.1/domains/program/login.te
--- nsapolicy/domains/program/login.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.1/domains/program/login.te	2004-11-10 17:30:03.411889201 -0500
@@ -117,8 +117,6 @@
 allow $1_login_t mail_spool_t:file getattr;
 allow $1_login_t mail_spool_t:lnk_file read;
 
-dontaudit $1_login_t krb5_conf_t:file write;
-allow $1_login_t krb5_conf_t:file { getattr read };
 # Get security policy decisions.
 can_getsecurity($1_login_t)
 
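Review bot: the `krb5_conf_t` read and dontaudit rules for `$1_login_t` are removed without a `can_kerberos($1_login_t)` replacement, unlike the other files in this patch. Unless every login domain carries the `auth_chkpwd` attribute that receives `can_kerberos(auth_chkpwd)` in chkpwd_macros.te, a Kerberos-aware PAM stack running in the login domain loses read access to /etc/krb5.conf; a comment stating where the access now comes from would make this reviewable.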
@@ -127,8 +125,6 @@
 allow $1_login_t default_context_t:dir search;
 r_dir_file($1_login_t, selinux_config_t)
 
-can_ypbind($1_login_t)
-
 allow $1_login_t mouse_device_t:chr_file { getattr setattr };
 dontaudit $1_login_t init_t:fd use;
 ')dnl end login_domain macro
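Review bot: same question for `can_ypbind($1_login_t)`: it is removed here and only `can_ypbind(auth_chkpwd)` is added elsewhere in the patch, so the login domain itself must be an `auth_chkpwd` domain for NIS logins to keep working. If it is, say so in a comment; if it is not, keep the call.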
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.19.1/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.1/domains/program/ssh.te	2004-11-10 17:34:01.995972995 -0500
@@ -70,9 +70,8 @@
 
 can_network($1_t)
 
-allow $1_t self:capability { sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
+allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
 allow $1_t { home_root_t home_dir_type }:dir { search getattr };
-can_ypbind($1_t)
 if (use_nfs_home_dirs) {
 ifdef(`automount.te', `
 allow $1_t autofs_t:dir { search getattr };
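Review bot: the `allow $1_t self:capability { kill ... }` line adds CAP_KILL for every domain built from this macro, sshd_t included, which lets the daemon signal processes owned by any uid; that is a real widening and the cover letter does not mention it. Add a comment naming the sshd operation that needs it, so the capability is not kept by inertia later.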
@@ -213,8 +212,6 @@
 ifdef(`automount.te', `
 allow sshd_t autofs_t:dir search;
 ')
-dontaudit sshd_t krb5_conf_t:file write;
-allow sshd_t krb5_conf_t:file { getattr read };
 
 # ssh_keygen_t is the type of the ssh-keygen program when run at install time
 # and by sysadm_t
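Review bot: the `krb5_conf_t` rules for sshd_t are removed without a `can_kerberos(sshd_t)`, while rshd.te in this same patch gets `can_kerberos(rshd_t)`. Unless sshd_t is an `auth_chkpwd` domain (not visible here), sshd's GSSAPI/Kerberos support loses read access to /etc/krb5.conf; either add the macro call here or explain where sshd_t gets the access.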
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.19.1/domains/program/syslogd.te
--- nsapolicy/domains/program/syslogd.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.1/domains/program/syslogd.te	2004-11-10 17:34:55.342954578 -0500
@@ -96,4 +96,4 @@
 dontaudit syslogd_t file_t:dir search;
 allow syslogd_t { tmpfs_t devpts_t }:dir search;
 dontaudit syslogd_t unlabeled_t:file read;
-dontaudit syslogd_t devpts_t:chr_file getattr;
+dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/anaconda.te policy-1.19.1/domains/program/unused/anaconda.te
--- nsapolicy/domains/program/unused/anaconda.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.1/domains/program/unused/anaconda.te	2004-11-10 17:30:03.411889201 -0500
@@ -242,8 +242,7 @@
 ifdef(`udev.te', `
 domain_auto_trans(anaconda_t, udev_exec_t, udev_t)
 ')
-allow anaconda_t krb5_conf_t:file read;
-dontaudit anaconda_t krb5_conf_t:file write;
+can_kerberos(anaconda_t)
 
 ifdef(`ssh-agent.te', `
 role system_r types sysadm_ssh_agent_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.19.1/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.1/domains/program/unused/apache.te	2004-11-10 17:56:47.888877824 -0500
@@ -133,6 +133,7 @@
 # execute perl
 allow httpd_t { bin_t sbin_t }:dir r_dir_perms;
 can_exec(httpd_t, { bin_t sbin_t })
+allow httpd_t bin_t:lnk_file read;
 
 can_network(httpd_t)
 can_ypbind(httpd_t)
@@ -201,6 +202,10 @@
 if (httpd_ssi_exec) {
 domain_auto_trans(httpd_t, shell_exec_t, httpd_sys_script_t)
 }
+r_dir_file(httpd_t, httpd_sys_script_ro_t)
+create_dir_file(httpd_t, httpd_sys_script_rw_t)
+ra_dir_file(httpd_t, httpd_sys_script_ra_t)
+allow httpd_sys_script_t httpd_t:tcp_socket { read write };
 
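Review bot: the four added rules sit outside the `if (httpd_ssi_exec)` block just above them, so they are unconditional, and `create_dir_file(httpd_t, httpd_sys_script_rw_t)` together with `ra_dir_file(httpd_t, httpd_sys_script_ra_t)` gives the web server process itself, not only `httpd_sys_script_t`, write access to script data, which is exactly the separation the httpd_sys_script_* types exist to provide. Since this is for mod_perl/mod_python running scripts inside httpd_t (per the cover letter), guard it behind a boolean the way `httpd_ssi_exec` guards the line above, and comment it. `allow httpd_sys_script_t httpd_t:tcp_socket { read write };` (the script writing to the client connection) is fine but belongs with the other script rules.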
 ##################################################
 #
@@ -269,8 +274,7 @@
 ##################################################
 dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
 
-allow httpd_t krb5_conf_t:file { getattr read };
-dontaudit httpd_t krb5_conf_t:file write;
+can_kerberos(httpd_t)
 
 ifdef(`targeted_policy', `
 typealias httpd_sys_content_t alias httpd_user_content_t;
@@ -298,5 +302,13 @@
 # Customer reported the following
 #
 ifdef(`snmpd.te', `
+dontaudit httpd_t snmpd_var_lib_t:dir search;
 dontaudit httpd_t snmpd_var_lib_t:file { getattr write read };
 ')
+
+# Running squirrelmail requires this permissions
+ifdef(`mta.te', `
+allow system_mail_t httpd_log_t:file { append getattr };
+allow system_mail_t httpd_sys_script_rw_t:file { append read };
+allow system_mail_t httpd_t:tcp_socket { read write };
+')
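Review bot: two points on the `mta.te` block. The comment should read "these permissions" rather than "this permissions". More importantly, `allow system_mail_t httpd_sys_script_rw_t:file { append read };` lets the MTA read every file of a type that all writable web application data shares, not just squirrelmail's preference files (labelled httpd_sys_script_rw_t in apache.fc in this same patch); a dedicated type for the squirrelmail prefs directory would confine the rule to what squirrelmail actually needs.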
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/arpwatch.te policy-1.19.1/domains/program/unused/arpwatch.te
--- nsapolicy/domains/program/unused/arpwatch.te	2004-11-05 23:24:16.000000000 -0500
+++ policy-1.19.1/domains/program/unused/arpwatch.te	2004-11-10 17:30:03.412889088 -0500
@@ -27,6 +27,7 @@
 
 allow arpwatch_t sbin_t:dir search;
 allow arpwatch_t sbin_t:lnk_file read;
+r_dir_file(arpwatch_t, etc_t)
 can_ypbind(arpwatch_t)
 allow system_mail_t arpwatch_tmp_t:file rw_file_perms;
 ifdef(`postfix.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bluetooth.te policy-1.19.1/domains/program/unused/bluetooth.te
--- nsapolicy/domains/program/unused/bluetooth.te	2004-11-05 23:24:16.000000000 -0500
+++ policy-1.19.1/domains/program/unused/bluetooth.te	2004-11-10 17:30:03.412889088 -0500
@@ -22,7 +22,10 @@
 # Use the network.
 can_network(bluetooth_t)
 can_ypbind(bluetooth_t)
+ifdef(`dbusd.te', `
 dbusd_client(system, bluetooth)
+allow bluetooth_t system_dbusd_t:dbus send_msg;
+')
 allow bluetooth_t self:socket { create setopt ioctl bind listen };
 allow bluetooth_t self:unix_dgram_socket create_socket_perms;
 allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/courier.te policy-1.19.1/domains/program/unused/courier.te
--- nsapolicy/domains/program/unused/courier.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.19.1/domains/program/unused/courier.te	2004-11-10 17:30:03.413888975 -0500
@@ -47,7 +47,6 @@
 
 # Use the network.
 can_network(courier_$1_t)
-can_ypbind(courier_$1_t)
 allow courier_$1_t self:fifo_file { read write getattr };
 allow courier_$1_t self:unix_stream_socket create_stream_socket_perms;
 allow courier_$1_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.19.1/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.1/domains/program/unused/cups.te	2004-11-10 17:36:49.019130037 -0500
@@ -19,7 +19,6 @@
 typealias cupsd_rw_etc_t alias etc_cupsd_rw_t;
 
 can_network(cupsd_t)
-can_ypbind(cupsd_t)
 logdir_domain(cupsd)
 
 tmp_domain(cupsd)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.19.1/domains/program/unused/dovecot.te
--- nsapolicy/domains/program/unused/dovecot.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.1/domains/program/unused/dovecot.te	2004-11-10 17:38:35.374131445 -0500
@@ -31,10 +31,14 @@
 allow dovecot_t { self proc_t }:file { getattr read };
 allow dovecot_t self:fifo_file rw_file_perms;
 
-dontaudit dovecot_t krb5_conf_t:file write;
-allow dovecot_t krb5_conf_t:file { getattr read };
+can_kerberos(dovecot_t)
 
-daemon_sub_domain(dovecot_t, dovecot_auth, `, auth')
+allow dovecot_t tmp_t:dir search;
+rw_dir_file(dovecot_t, mail_spool_t)
+allow dovecot_t mail_spool_t:lnk_file read;
+allow dovecot_t var_spool_t:dir { search };
+
+daemon_sub_domain(dovecot_t, dovecot_auth, `, auth, auth_chkpwd')
 allow dovecot_auth_t self:process { fork signal_perms };
 allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
 allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
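Review bot: `allow dovecot_t var_spool_t:dir { search };` braces a single permission, which the rest of the file does not do; write it as `allow dovecot_t var_spool_t:dir search;`. The `rw_dir_file(dovecot_t, mail_spool_t)` line and the change of `dovecot_auth` to an `auth_chkpwd` domain (which makes it transition to system_chkpwd_t under chkpwd_macros.te) are the substance of the "fixes to dovecot" in the cover letter, yet neither carries a comment; one line on each would help.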
@@ -47,3 +51,5 @@
 allow dovecot_auth_t sysctl_kernel_t:dir search;
 allow dovecot_auth_t sysctl_kernel_t:file read;
 allow dovecot_auth_t sysctl_t:dir search;
+dontaudit dovecot_auth_t selinux_config_t:dir search;
+
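Review bot: the hunk adds an empty line after `dontaudit dovecot_auth_t selinux_config_t:dir search;`, which leaves a trailing blank line at the end of the file; drop it.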
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.19.1/domains/program/unused/ftpd.te
--- nsapolicy/domains/program/unused/ftpd.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.1/domains/program/unused/ftpd.te	2004-11-10 17:39:19.706130067 -0500
@@ -16,7 +16,6 @@
 typealias ftpd_etc_t alias etc_ftpd_t;
 
 can_network(ftpd_t)
-can_ypbind(ftpd_t)
 allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
 allow ftpd_t self:unix_stream_socket create_socket_perms;
 allow ftpd_t self:process { getcap setcap setsched setrlimit };
@@ -85,9 +84,7 @@
 allow ftpd_t proc_t:file { getattr read };
 
 dontaudit ftpd_t sysadm_home_dir_t:dir getattr;
-dontaudit ftpd_t krb5_conf_t:file write;
 dontaudit ftpd_t selinux_config_t:dir search;
-allow ftpd_t krb5_conf_t:file { getattr read };
 ifdef(`automount.te', `
 allow ftpd_t autofs_t:dir search;
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.19.1/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.1/domains/program/unused/hald.te	2004-11-10 17:40:15.314856488 -0500
@@ -31,12 +31,13 @@
 
 allow hald_t bin_t:file getattr;
 allow hald_t self:netlink_route_socket r_netlink_socket_perms;
-allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search };
+allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
 can_network(hald_t)
 can_ypbind(hald_t)
 
 allow hald_t device_t:lnk_file read;
 allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl };
+allow hald_t removable_device_t:blk_file write;
 allow hald_t event_device_t:chr_file { getattr read ioctl };
 allow hald_t printer_device_t:chr_file rw_file_perms;
 allow hald_t urandom_device_t:chr_file read;
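Review bot: `mknod` in the hald_t capability set, together with `allow hald_t device_t:chr_file create_file_perms;` in the next hunk, lets hald create arbitrary device nodes under /dev. The cover letter says this is for a pcmcia character device; if so, a file type transition to a dedicated type for that node would bound what hald can create. The new `allow hald_t removable_device_t:blk_file write;` also deserves a comment, since write on the block device is more than the `{ getattr read ioctl }` the previous line grants.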
@@ -64,3 +65,7 @@
 allow hald_t initrc_t:dbus send_msg;
 allow initrc_t hald_t:dbus send_msg;
 allow hald_t etc_runtime_t:file rw_file_perms;
+allow hald_t var_lib_t:dir search;
+allow hald_t device_t:dir create_dir_perms;
+allow hald_t device_t:chr_file create_file_perms;
+tmp_domain(hald)
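Review bot: `allow hald_t device_t:dir create_dir_perms;` and `allow hald_t device_t:chr_file create_file_perms;` grant full create/unlink/rename access on everything labelled device_t, which is far more than creating one pcmcia node, and `tmp_domain(hald)` is added without saying what hald writes to /tmp. Each of these would be easier to accept with a comment naming the operation that failed without it.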
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/lockdev.te policy-1.19.1/domains/program/unused/lockdev.te
--- nsapolicy/domains/program/unused/lockdev.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.19.1/domains/program/unused/lockdev.te	2004-11-10 17:59:50.581267119 -0500
@@ -0,0 +1,11 @@
+#DESC Lockdev - libblockdev helper application
+#
+# Authors:  Daniel Walsh <dwalsh@redhat.com> 
+#
+
+
+# Type for the lockdev
+type lockdev_exec_t, file_type, sysadmfile, exec_type;
+
+# Everything else is in the lockdev_domain macro in
+# macros/program/lockdev_macros.te.
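Review bot: the `#DESC` line says "libblockdev helper application"; the library lockdev ships is liblockdev, so this looks like a typo. There are also two consecutive blank lines after the author block.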
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mailman.te policy-1.19.1/domains/program/unused/mailman.te
--- nsapolicy/domains/program/unused/mailman.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.1/domains/program/unused/mailman.te	2004-11-10 17:44:21.526079815 -0500
@@ -20,7 +20,7 @@
 can_exec_any(mailman_$1_t)
 allow mailman_$1_t { proc_t sysctl_t sysctl_kernel_t }:dir search;
 allow mailman_$1_t { proc_t sysctl_kernel_t }:file { read getattr };
-allow mailman_$1_t var_lib_t:dir { getattr search };
+allow mailman_$1_t var_lib_t:dir { getattr search read };
 allow mailman_$1_t var_lib_t:lnk_file read;
 allow mailman_$1_t device_t:dir search;
 allow mailman_$1_t etc_runtime_t:file { read getattr };
@@ -29,7 +29,6 @@
 allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
 allow mailman_$1_t fs_t:filesystem getattr;
 can_network(mailman_$1_t)
-can_ypbind(mailman_$1_t)
 allow mailman_$1_t self:unix_stream_socket create_socket_perms;
 allow mailman_$1_t var_t:dir r_dir_perms;
 ')
@@ -72,8 +71,9 @@
 domain_auto_trans({ httpd_t httpd_suexec_t }, mailman_cgi_exec_t, mailman_cgi_t)
 # should have separate types for public and private archives
 r_dir_file(httpd_t, mailman_archive_t)
-allow httpd_t mailman_data_t:dir search;
-r_dir_file(mailman_cgi_t, mailman_archive_t)
+rw_dir_file(mailman_cgi_t, mailman_archive_t)
+allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms;
+allow httpd_t mailman_data_t:dir { getattr search };
 
 dontaudit mailman_cgi_t httpd_log_t:file append;
 allow httpd_t mailman_cgi_t:process signal;
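Review bot: `r_dir_file(mailman_cgi_t, mailman_archive_t)` becomes `rw_dir_file(...)` plus `create_lnk_perms` on symlinks, so the CGI domain, driven by web requests, can now modify the archives. That makes the comment left just above it, "should have separate types for public and private archives", more pressing rather than less: with a single archive type, write access from the public CGI covers the private archives too. If write access is needed only for the archive-generation path, note which one.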
@@ -83,6 +83,8 @@
 allow mailman_cgi_t httpd_sys_script_t:dir search;
 allow mailman_cgi_t devtty_t:chr_file { read write };
 allow mailman_cgi_t self:process { fork sigchld };
+allow mailman_cgi_t var_spool_t:dir search;
+dontaudit mailman_cgi_t src_t:dir search;
 ')
 
 allow mta_delivery_agent mailman_data_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.19.1/domains/program/unused/ntpd.te
--- nsapolicy/domains/program/unused/ntpd.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.1/domains/program/unused/ntpd.te	2004-11-10 17:45:02.917410193 -0500
@@ -12,7 +12,10 @@
 type ntp_drift_t, file_type, sysadmfile;
 type ntp_port_t, port_type, reserved_port_type;
 
+type ntpdate_exec_t, file_type, sysadmfile, exec_type;
+domain_auto_trans(initrc_t, ntpdate_exec_t, ntpd_t)
+
 logdir_domain(ntpd)
 
 allow ntpd_t var_lib_t:dir r_dir_perms;
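Review bot: `ntpdate_exec_t` is introduced, but `domain_auto_trans(initrc_t, ntpdate_exec_t, ntpd_t)` still lands in `ntpd_t`, so the new exec type only changes the label on /usr/sbin/ntpdate (ntpd.fc in this patch) without separating any domains. If the intent is to stop the `ntpd_exec_t` transitions from other callers applying to ntpdate, say so in a comment; otherwise the extra type is just one more thing to keep in sync.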
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.19.1/domains/program/unused/ping.te
--- nsapolicy/domains/program/unused/ping.te	2004-06-16 13:33:36.000000000 -0400
+++ policy-1.19.1/domains/program/unused/ping.te	2004-11-10 17:45:38.999339558 -0500
@@ -54,4 +54,6 @@
 
 # it tries to access /var/run
 dontaudit ping_t var_t:dir search;
+dontaudit ping_t devtty_t:chr_file { read write };
+dontaudit ping_t ping_t:capability sys_tty_config;
 
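Review bot: `dontaudit ping_t ping_t:capability sys_tty_config;` names the domain twice; write it as `dontaudit ping_t self:capability sys_tty_config;` as the other capability rules in the patch do. Note that `daemon_core_rules` in global_macros.te gains the same dontaudit for every daemon domain in this patch; ping_t is not a daemon domain, so this line is still needed, but a comment on why ping trips sys_tty_config at all would help.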
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.19.1/domains/program/unused/postgresql.te
--- nsapolicy/domains/program/unused/postgresql.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.19.1/domains/program/unused/postgresql.te	2004-11-10 17:46:14.180370560 -0500
@@ -13,6 +13,7 @@
 type postgresql_port_t, port_type;
 daemon_domain(postgresql)
 allow initrc_t postgresql_exec_t:lnk_file read;
+allow postgresql_t usr_t:file { getattr read };
 
 allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/procmail.te policy-1.19.1/domains/program/unused/procmail.te
--- nsapolicy/domains/program/unused/procmail.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.19.1/domains/program/unused/procmail.te	2004-11-10 17:30:03.458883899 -0500
@@ -11,7 +11,7 @@
 # procmail_exec_t is the type of the procmail executable.
 #
 # privhome only works until we define a different type for maildir
-type procmail_t, domain, privlog, privhome;
+type procmail_t, domain, privlog, privhome, nscd_client_domain;
 type procmail_exec_t, file_type, sysadmfile, exec_type;
 
 role system_r types procmail_t;
@@ -70,8 +70,9 @@
 
 ifdef(`sendmail.te', `
 r_dir_file(procmail_t, etc_mail_t)
+allow procmail_t sendmail_t:tcp_socket { read write };
 ')
 
 ifdef(`hide_broken_symptoms', `
-dontaudit procmail_t mqueue_spool_t:file { getattr read };
+dontaudit procmail_t mqueue_spool_t:file { getattr read write };
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rlogind.te policy-1.19.1/domains/program/unused/rlogind.te
--- nsapolicy/domains/program/unused/rlogind.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.19.1/domains/program/unused/rlogind.te	2004-11-10 17:30:03.459883786 -0500
@@ -14,7 +14,6 @@
 role system_r types rlogind_t;
 uses_shlib(rlogind_t)
 can_network(rlogind_t)
-can_ypbind(rlogind_t)
 type rlogind_exec_t, file_type, sysadmfile, exec_type;
 domain_auto_trans(inetd_t, rlogind_exec_t, rlogind_t)
 ifdef(`tcpd.te', `
@@ -75,8 +74,6 @@
 # Modify /var/log/wtmp.
 allow rlogind_t var_log_t:dir search;
 allow rlogind_t wtmp_t:file rw_file_perms;
-allow rlogind_t krb5_conf_t:file { getattr read };
-dontaudit rlogind_t krb5_conf_t:file write;
 allow rlogind_t urandom_device_t:chr_file { getattr read };
 dontaudit rlogind_t selinux_config_t:dir search;
 allow rlogind_t staff_home_dir_t:dir search;
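Review bot: rlogind_t's `krb5_conf_t` read and dontaudit rules are simply removed, while the equivalent lines in rshd.te in the same patch are replaced by `can_kerberos(rshd_t)`. The two daemons should be treated consistently; as it stands rlogind_t loses read access to /etc/krb5.conf, which matters for Kerberos-authenticated rlogin.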
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rshd.te policy-1.19.1/domains/program/unused/rshd.te
--- nsapolicy/domains/program/unused/rshd.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.19.1/domains/program/unused/rshd.te	2004-11-10 17:30:03.459883786 -0500
@@ -31,8 +31,9 @@
 allow rshd_t self:unix_dgram_socket create_socket_perms;
 allow rshd_t self:unix_stream_socket create_stream_socket_perms;
 allow rshd_t { home_root_t home_dir_type }:dir { search getattr };
-allow rshd_t krb5_conf_t:file { getattr read };
-dontaudit rshd_t krb5_conf_t:file write;
+can_kerberos(rshd_t)
 allow rshd_t tmp_t:dir { search };
+ifdef(`rlogind.te', `
 allow rshd_t rlogind_tmp_t:file rw_file_perms;
+')
 allow rshd_t urandom_device_t:chr_file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.19.1/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.1/domains/program/unused/samba.te	2004-11-10 17:30:03.460883673 -0500
@@ -49,7 +49,6 @@
 
 # Use the network.
 can_network(smbd_t)
-can_ypbind(smbd_t)
 
 allow smbd_t urandom_device_t:chr_file { getattr read };
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/swat.te policy-1.19.1/domains/program/unused/swat.te
--- nsapolicy/domains/program/unused/swat.te	2004-10-06 09:18:32.000000000 -0400
+++ policy-1.19.1/domains/program/unused/swat.te	2004-11-10 17:30:03.460883673 -0500
@@ -2,6 +2,7 @@
 #
 # Author:  Dan Walsh <dwalsh@redhat.com>
 #
+# Depends: inetd.te
 
 #################################
 #
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/uwimapd.te policy-1.19.1/domains/program/unused/uwimapd.te
--- nsapolicy/domains/program/unused/uwimapd.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.1/domains/program/unused/uwimapd.te	2004-11-10 17:30:03.461883561 -0500
@@ -9,7 +9,6 @@
 tmp_domain(imapd)
 
 can_network(imapd_t)
-can_ypbind(imapd_t)
 
 #declare our own services
 allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.19.1/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.1/domains/program/unused/xdm.te	2004-11-10 17:47:38.531854326 -0500
@@ -46,7 +46,6 @@
 allow xdm_t default_context_t:file { read getattr };
 
 can_network(xdm_t)
-can_ypbind(xdm_t)
 allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow xdm_t self:unix_dgram_socket create_socket_perms;
 allow xdm_t self:fifo_file rw_file_perms;
@@ -287,7 +286,7 @@
 }
 
 # for .dmrc
-allow xdm_t user_home_dir_type:dir search;
+allow xdm_t user_home_dir_type:dir { getattr search };
 allow xdm_t user_home_type:file { getattr read };
 
 allow xdm_t mnt_t:dir { getattr read search };
@@ -309,8 +308,6 @@
 ')
 
 allow xdm_t var_log_t:file read;
-dontaudit xdm_t krb5_conf_t:file write;
-allow xdm_t krb5_conf_t:file { getattr read };
 allow xdm_t self:capability { sys_nice sys_rawio net_bind_service };
 allow xdm_t self:process setrlimit;
 allow xdm_t wtmp_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypbind.te policy-1.19.1/domains/program/unused/ypbind.te
--- nsapolicy/domains/program/unused/ypbind.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.1/domains/program/unused/ypbind.te	2004-11-10 17:47:51.590381109 -0500
@@ -12,8 +12,6 @@
 #
 daemon_domain(ypbind)
 
-bool allow_ypbind true;
-
 tmp_domain(ypbind)
 
 # Use capabilities.
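Review bot: `bool allow_ypbind true;` is removed here and re-declared in user.te later in this patch as `bool allow_ypbind false;`. Two consequences the cover letter does not mention: the default flips from allowed to denied, so a system that relies on NIS keeps working only after the boolean is set; and the declaration moves from a file that is only built when ypbind.te is present to one that is always built, which is the right place given how many domains call `can_ypbind`, but the default change deserves an explicit note for people upgrading.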
diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.19.1/domains/user.te
--- nsapolicy/domains/user.te	2004-11-05 23:24:16.000000000 -0500
+++ policy-1.19.1/domains/user.te	2004-11-10 17:30:03.462883448 -0500
@@ -15,6 +15,9 @@
 # and may change other protocols 
 bool user_tcp_server false;
 
+# Allow system to run with NIS
+bool allow_ypbind false;
+
 # Allow users to rw usb devices
 bool user_rw_usb false;
 
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.19.1/file_contexts/program/apache.fc
--- nsapolicy/file_contexts/program/apache.fc	2004-10-14 23:25:19.000000000 -0400
+++ policy-1.19.1/file_contexts/program/apache.fc	2004-11-10 17:30:03.463883335 -0500
@@ -37,3 +37,4 @@
 # suse puts shell scripts there :-(
 /usr/share/apache2/.*	--	system_u:object_r:bin_t
 ')
+/var/lib/squirrelmail/prefs(/.*)?	system_u:object_r:httpd_sys_script_rw_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/bootloader.fc policy-1.19.1/file_contexts/program/bootloader.fc
--- nsapolicy/file_contexts/program/bootloader.fc	2004-08-18 08:42:50.000000000 -0400
+++ policy-1.19.1/file_contexts/program/bootloader.fc	2004-11-10 17:30:03.463883335 -0500
@@ -9,4 +9,3 @@
 /etc/mkinitrd/scripts/.* --	system_u:object_r:bootloader_exec_t
 /sbin/ybin.*		--	system_u:object_r:bootloader_exec_t
 /etc/yaboot\.conf.*	--	system_u:object_r:bootloader_etc_t
-/boot/grub/menu.lst	--	system_u:object_r:boot_runtime_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/lockdev.fc policy-1.19.1/file_contexts/program/lockdev.fc
--- nsapolicy/file_contexts/program/lockdev.fc	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.19.1/file_contexts/program/lockdev.fc	2004-11-10 17:30:03.464883222 -0500
@@ -0,0 +1,2 @@
+# lockdev 
+/usr/sbin/lockdev	--	system_u:object_r:lockdev_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ntpd.fc policy-1.19.1/file_contexts/program/ntpd.fc
--- nsapolicy/file_contexts/program/ntpd.fc	2004-10-09 21:06:15.000000000 -0400
+++ policy-1.19.1/file_contexts/program/ntpd.fc	2004-11-10 17:30:03.464883222 -0500
@@ -3,7 +3,7 @@
 /etc/ntp(d)?\.conf		--	system_u:object_r:net_conf_t
 /etc/ntp/step-tickers		--	system_u:object_r:net_conf_t
 /usr/sbin/ntpd			--	system_u:object_r:ntpd_exec_t
-/usr/sbin/ntpdate		--	system_u:object_r:ntpd_exec_t
+/usr/sbin/ntpdate		--	system_u:object_r:ntpdate_exec_t
 /var/log/ntpstats(/.*)?			system_u:object_r:ntpd_log_t
 /var/log/ntpd.*			--	system_u:object_r:ntpd_log_t
 /var/log/xntpd.*		--	system_u:object_r:ntpd_log_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.19.1/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.1/file_contexts/types.fc	2004-11-10 17:30:03.465883109 -0500
@@ -111,7 +111,6 @@
 #
 /boot(/.*)?			system_u:object_r:boot_t
 /boot/System\.map-.*	--	system_u:object_r:system_map_t
-/boot/kernel\.h.*	--	system_u:object_r:boot_runtime_t
 
 #
 # /dev
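Review bot: the `/boot/kernel\.h.*` entry here and the `/boot/grub/menu.lst` entry in bootloader.fc are the only `boot_runtime_t` labels this patch touches, and nothing in the patch removes the type or its rules. After this change both paths fall under the generic `/boot(/.*)?` entry and get `boot_t`; if `boot_runtime_t` is now unused it should be removed from the .te files in the same change, and if it is still used elsewhere the reason for dropping these two labels belongs in the cover letter.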
diff --exclude-from=exclude -N -u -r nsapolicy/macros/admin_macros.te policy-1.19.1/macros/admin_macros.te
--- nsapolicy/macros/admin_macros.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.1/macros/admin_macros.te	2004-11-10 17:30:03.466882997 -0500
@@ -17,6 +17,7 @@
 # Type for home directory.
 type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type;
 type $1_home_t, file_type, sysadmfile, home_type;
+attribute $1_homedirfile;
 
 # Type and access for pty devices.
 can_create_pty($1)
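Review bot: `attribute $1_homedirfile;` is declared here in the admin domain macro, but gpg_macros.te, irc_macros.te and apache_macros.te in this patch now reference `$1_homedirfile` for whatever `$1` they are instantiated with. Every user prefix that instantiates those macros must therefore declare the attribute; the non-admin user macro is not in this patch, so confirm it gets the same declaration, and check for remaining uses of the old global `homedirfile` attribute (or its declaration) that this patch does not show.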
@@ -106,6 +107,7 @@
 allow $1_t tty_device_t:chr_file rw_file_perms;
 allow $1_t ttyfile:chr_file rw_file_perms;
 allow $1_t ptyfile:chr_file rw_file_perms;
+allow $1_t serial_device:chr_file setattr;
 
 # allow setting up tunnels
 allow $1_t tun_tap_device_t:chr_file rw_file_perms;
@@ -155,6 +157,7 @@
 allow xdm_t $1_home_t:lnk_file read;
 allow xdm_t $1_home_t:dir search;
 }
+allow $1_t xdm_t:fifo_file rw_file_perms;
 ')dnl end ifdef xauth.te
 ')dnl end ifdef xdm.te
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.19.1/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.1/macros/base_user_macros.te	2004-11-10 17:48:49.047898957 -0500
@@ -197,6 +197,12 @@
 can_network($1_t)
 can_ypbind($1_t)
 
+ifdef(`pamconsole.te', `
+allow $1_t pam_var_console_t:dir search;
+')
+
+allow $1_t var_lock_t:dir search;
+
 # Grant permissions to access the system DBus
 ifdef(`dbusd.te', `
 dbusd_client(system, $1)
@@ -269,7 +275,8 @@
 allow $1_t xdm_xserver_tmp_t:sock_file { read write };
 allow $1_t xdm_xserver_tmp_t:dir search;
 allow $1_t xdm_xserver_t:unix_stream_socket connectto;
-allow $1_t xdm_var_run_t:dir search;
+# certain apps want to read xdm.pid file
+r_dir_file($1_t, xdm_var_run_t)
 allow $1_t xdm_var_lib_t:file { getattr read };
 allow xdm_t $1_home_dir_t:dir getattr;
 ifdef(`xauth.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.19.1/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.1/macros/global_macros.te	2004-11-10 17:49:34.622757364 -0500
@@ -271,6 +271,7 @@
 define(`daemon_core_rules', `
 type $1_t, domain, privlog, daemon $2;
 type $1_exec_t, file_type, sysadmfile, exec_type;
+dontaudit $1_t self:capability sys_tty_config;
 
 role system_r types $1_t;
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.19.1/macros/network_macros.te
--- nsapolicy/macros/network_macros.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.19.1/macros/network_macros.te	2004-11-10 17:50:28.419688186 -0500
@@ -0,0 +1,5 @@
+define(`can_kerberos',`
+can_network($1)
+dontaudit $1 krb5_conf_t:file write;
+allow $1 krb5_conf_t:file { getattr read };
+')
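Review bot: `can_kerberos` bundles `can_network($1)` with the krb5_conf_t access, so the macro is misnamed: every caller gets network access whether or not it had it before, and the many `can_kerberos(...)` substitutions in this patch replace rules that granted only the file access. Either drop `can_network($1)` from the macro and let callers that need it keep their own call, or document in a header comment that the macro implies full network access. The new file also has no header comment saying what it holds.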
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.19.1/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.1/macros/program/apache_macros.te	2004-11-10 17:30:03.467882884 -0500
@@ -3,7 +3,7 @@
 
 #This type is for webpages
 #
-type httpd_$1_content_t, file_type, homedirfile, httpdcontent, sysadmfile;
+type httpd_$1_content_t, file_type, ifelse($1, sys, `', `$1_homedirfile, ') httpdcontent, sysadmfile;
 ifelse($1, sys, `
 typealias httpd_sys_content_t alias httpd_sysadm_content_t;
 ')
@@ -17,7 +17,7 @@
 type httpd_$1_script_exec_t, file_type, sysadmfile;
 
 # Type that CGI scripts run as
-type httpd_$1_script_t, domain, privmail;
+type httpd_$1_script_t, domain, privmail, nscd_client_domain;
 role system_r types httpd_$1_script_t;
 
 if (httpd_enable_cgi) {
@@ -91,7 +91,7 @@
 #########################################################################
 can_exec(httpd_$1_script_t, { bin_t shell_exec_t })
 allow httpd_$1_script_t { bin_t sbin_t }:dir { getattr search };
-allow httpd_$1_script_t bin_t:lnk_file read;
+allow httpd_$1_script_t { sbin_t bin_t }:lnk_file read;
 allow httpd_$1_script_t etc_t:file { getattr read };
 
 ############################################################################
@@ -178,6 +178,6 @@
 ############################################
 # Allow scripts to append to http logs
 #########################################
-allow httpd_$1_script_t httpd_log_t:file append;
+allow httpd_$1_script_t httpd_log_t:file { getattr append };
 
 ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.19.1/macros/program/chkpwd_macros.te
--- nsapolicy/macros/program/chkpwd_macros.te	2004-10-09 21:06:15.000000000 -0400
+++ policy-1.19.1/macros/program/chkpwd_macros.te	2004-11-10 17:54:43.803876651 -0500
@@ -15,19 +15,22 @@
 ifdef(`chkpwd.te', `
 define(`chkpwd_domain',`
 # Derived domain based on the calling user domain and the program.
-type $1_chkpwd_t, domain, privlog, auth;
+type $1_chkpwd_t, domain, privlog, nscd_client_domain, auth;
 
 # is_selinux_enabled
 allow $1_chkpwd_t proc_t:file read;
 can_getcon($1_chkpwd_t)
 can_ypbind($1_chkpwd_t)
+can_kerberos($1_chkpwd_t)
 # Transition from the user domain to this domain.
 ifelse($1, system, `
 domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
 role system_r types system_chkpwd_t;
 dontaudit auth_chkpwd shadow_t:file { getattr read };
 allow auth_chkpwd sbin_t:dir search;
-dontaudit $1_chkpwd_t tty_device_t:chr_file rw_file_perms;
+dontaudit $1_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
+can_ypbind(auth_chkpwd)
+can_kerberos(auth_chkpwd)
 ', `
 domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
 allow $1_t sbin_t:dir search;
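Review bot: this hunk is where the "centralized under the auth call" from the cover letter actually happens, but the attribute used is `auth_chkpwd` (the callers that transition to chkpwd), not `auth`: `can_ypbind(auth_chkpwd)` and `can_kerberos(auth_chkpwd)` cover only domains carrying `auth_chkpwd`, and since `can_kerberos` includes `can_network`, every such domain now also gets network access. The domains that lose their `can_ypbind` or krb5 rules elsewhere in this patch (crond, courier, cupsd, ftpd, imapd, login, rlogind, smbd, sshd, xdm and the mailman domains) need to be checked one by one against that attribute. Placing the two calls inside the `ifelse($1, system, ...)` branch is right (declared once), but deserves a comment saying so.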
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_macros.te policy-1.19.1/macros/program/gpg_macros.te
--- nsapolicy/macros/program/gpg_macros.te	2004-11-05 23:24:17.000000000 -0500
+++ policy-1.19.1/macros/program/gpg_macros.te	2004-11-10 17:30:03.468882771 -0500
@@ -19,7 +19,7 @@
 define(`gpg_domain', `
 # Derived domain based on the calling user domain and the program.
 type $1_gpg_t, domain, privlog;
-type $1_gpg_secret_t, file_type, homedirfile, sysadmfile;
+type $1_gpg_secret_t, file_type, $1_homedirfile, sysadmfile;
 
 # Transition from the user domain to the derived domain.
 domain_auto_trans($1_t, gpg_exec_t, $1_gpg_t)
@@ -82,6 +82,7 @@
 
 allow $1_gpg_t self:capability { ipc_lock setuid };
 allow $1_gpg_t devtty_t:chr_file rw_file_perms;
+rw_dir_create_file($1_gpg_t, $1_homedirfile)
 
 allow $1_gpg_t { etc_t usr_t }:dir r_dir_perms;
 allow $1_gpg_t fs_t:filesystem getattr;
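Review bot: `rw_dir_create_file($1_gpg_t, $1_homedirfile)` gives the gpg domain write and create access to every type carrying the user's `$1_homedirfile` attribute, which in this patch includes `$1_home_irc_t` and `httpd_$1_content_t` as well as `$1_gpg_secret_t`. If gpg only needs to write its own keyring directory, the target should be `$1_gpg_secret_t`; the attribute-wide grant undoes the point of having per-application home types.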
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/inetd_macros.te policy-1.19.1/macros/program/inetd_macros.te
--- nsapolicy/macros/program/inetd_macros.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.1/macros/program/inetd_macros.te	2004-11-10 17:30:03.469882658 -0500
@@ -43,8 +43,7 @@
 allow $1_t home_root_t:dir search;
 allow $1_t self:dir search;
 allow $1_t self:file { getattr read };
-allow $1_t krb5_conf_t:file r_file_perms;
-dontaudit $1_t krb5_conf_t:file write;
+can_kerberos($1_t)
 allow $1_t urandom_device_t:chr_file { getattr read };
 type $1_port_t, port_type, reserved_port_type;
 # Use sockets inherited from inetd.
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/irc_macros.te policy-1.19.1/macros/program/irc_macros.te
--- nsapolicy/macros/program/irc_macros.te	2004-11-05 23:24:17.000000000 -0500
+++ policy-1.19.1/macros/program/irc_macros.te	2004-11-10 17:30:03.469882658 -0500
@@ -20,7 +20,7 @@
 define(`irc_domain',`
 # Derived domain based on the calling user domain and the program.
 type $1_irc_t, domain;
-type $1_home_irc_t, file_type, homedirfile, sysadmfile;
+type $1_home_irc_t, file_type, $1_homedirfile, sysadmfile;
 type $1_irc_exec_t, file_type, sysadmfile;
 
 ifdef(`slocate.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/lockdev_macros.te policy-1.19.1/macros/program/lockdev_macros.te
--- nsapolicy/macros/program/lockdev_macros.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.19.1/macros/program/lockdev_macros.te	2004-11-10 17:30:03.470882545 -0500
@@ -0,0 +1,46 @@
+#
+# Macros for lockdev domains.
+#
+
+#
+# Authors:  Daniel Walsh <dwalsh@redhat.com> 
+#
+
+#
+# lockdev_domain(domain_prefix)
+#
+# Define a derived domain for the lockdev programs when executed
+# by a user domain.
+#
+# The type declaration for the executable type for this program is
+# provided separately in domains/program/lockdev.te. 
+#
+undefine(`lockdev_domain')
+define(`lockdev_domain',`
+# Derived domain based on the calling user domain and the program
+type $1_lockdev_t, domain, privlog;
+# Transition from the user domain to the derived domain.
+domain_auto_trans($1_t, lockdev_exec_t, $1_lockdev_t)
+
+# The user role is authorized for this domain.
+role $1_r types $1_lockdev_t;
+# Use capabilities.
+allow $1_lockdev_t self:capability setgid;
+allow $1_lockdev_t $1_t:process signull;
+
+allow $1_lockdev_t var_t:dir search;
+
+lock_domain($1_lockdev)
+
+r_dir_file($1_lockdev_t, lockfile)
+
+allow $1_lockdev_t device_t:dir search;
+allow $1_lockdev_t null_device_t:chr_file rw_file_perms;
+allow $1_lockdev_t { $1_tty_device_t $1_devpts_t }:chr_file rw_file_perms;
+dontaudit $1_lockdev_t root_t:dir search;
+
+uses_shlib($1_lockdev_t)
+allow $1_lockdev_t fs_t:filesystem getattr;
+
+')dnl end macro definition
+
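Review bot: trailing whitespace on the "# Authors:" line and on the "domains/program/lockdev.te." comment line, and the file ends with an extra blank line. On the rules themselves, r_dir_file($1_lockdev_t, lockfile) grants read on every lock file type in the system while the liveness check "$1_t:process signull" is limited to the caller's own domain; either document why lockdev must read other domains' lock files, or narrow the read to the lock type that lock_domain($1_lockdev) creates.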
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mount_macros.te policy-1.19.1/macros/program/mount_macros.te
--- nsapolicy/macros/program/mount_macros.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.1/macros/program/mount_macros.te	2004-11-10 17:30:03.470882545 -0500
@@ -81,7 +81,7 @@
 # mount domain. 
 #
 define(`mount_loopback_privs',`
-type $1_$2_source_t, file_type, sysadmfile, homedirfile;
+type $1_$2_source_t, file_type, sysadmfile, $1_homedirfile;
 allow $1_t $1_$2_source_t:file create_file_perms;
 allow $1_t $1_$2_source_t:file { relabelto relabelfrom };
 allow $2_t $1_$2_source_t:file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.19.1/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.1/macros/program/mozilla_macros.te	2004-11-10 17:51:41.396455207 -0500
@@ -78,7 +78,7 @@
 #
 if (mozilla_readhome || mozilla_writehome) {
 r_dir_file($1_mozilla_t, $1_home_t)
-dontaudit $1_mozilla_t homedirfile:{ file dir } getattr;
+dontaudit $1_mozilla_t $1_homedirfile:{ file dir } getattr;
 file_type_auto_trans($1_mozilla_t, tmp_t, $1_tmp_t)
 } else {
 file_type_auto_trans($1_mozilla_t, tmp_t, $1_mozilla_rw_t)
@@ -112,6 +112,7 @@
 # Eliminate errors from scanning with the 
 #
 dontaudit $1_mozilla_t file_type:dir getattr;
+allow $1_mozilla_t self:sem create_sem_perms;
 
 ifdef(`xdm.te', `
 allow $1_mozilla_t xdm_t:fifo_file { write read };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mta_macros.te policy-1.19.1/macros/program/mta_macros.te
--- nsapolicy/macros/program/mta_macros.te	2004-11-05 23:24:17.000000000 -0500
+++ policy-1.19.1/macros/program/mta_macros.te	2004-11-10 17:51:56.986696371 -0500
@@ -20,7 +20,7 @@
 undefine(`mail_domain')
 define(`mail_domain',`
 # Derived domain based on the calling user domain and the program.
-type $1_mail_t, domain, privlog, user_mail_domain;
+type $1_mail_t, domain, privlog, user_mail_domain, nscd_client_domain;
 
 ifdef(`sendmail.te', `
 sendmail_user_domain($1)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/newrole_macros.te policy-1.19.1/macros/program/newrole_macros.te
--- nsapolicy/macros/program/newrole_macros.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.1/macros/program/newrole_macros.te	2004-11-10 17:30:03.493879951 -0500
@@ -34,9 +34,6 @@
 allow $1_t bin_t:lnk_file read;
 allow $1_t shell_exec_t:file r_file_perms;
 
-can_ypbind($1_t)
-dontaudit $1_t krb5_conf_t:file write;
-allow $1_t krb5_conf_t:file { getattr read };
 allow $1_t urandom_device_t:chr_file { getattr read };
 
 # Allow $1_t to transition to user domains.
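Review bot: the three removed lines drop can_ypbind($1_t) and the krb5_conf_t read with nothing substituted in this hunk, unlike the other files in this patch that replace them with can_kerberos. The commit message says this is centralized under the auth call, which only holds if the newrole domain carries the auth_chkpwd attribute that receives can_ypbind/can_kerberos in the auth_macros hunk; if it does not, NIS and Kerberos users lose the ability to authenticate through newrole.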
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/screen_macros.te policy-1.19.1/macros/program/screen_macros.te
--- nsapolicy/macros/program/screen_macros.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.1/macros/program/screen_macros.te	2004-11-10 17:30:03.494879838 -0500
@@ -22,7 +22,7 @@
 define(`screen_domain',`
 # Derived domain based on the calling user domain and the program.
 type $1_screen_t, domain, privlog, privfd;
-type $1_home_screen_t, file_type, homedirfile, sysadmfile;
+type $1_home_screen_t, file_type, $1_homedirfile, sysadmfile;
 
 # Transition from the user domain to this domain.
 domain_auto_trans($1_t, screen_exec_t, $1_screen_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/spamassassin_macros.te policy-1.19.1/macros/program/spamassassin_macros.te
--- nsapolicy/macros/program/spamassassin_macros.te	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.19.1/macros/program/spamassassin_macros.te	2004-11-10 17:30:03.495879725 -0500
@@ -80,7 +80,7 @@
 dontaudit $1_spamassassin_t { sysctl_t sysctl_kernel_t }:dir search;
 
 # The type of ~/.spamassassin
-type $1_home_spamassassin_t, file_type, homedirfile, sysadmfile;
+type $1_home_spamassassin_t, file_type, $1_homedirfile, sysadmfile;
 create_dir_file($1_t, $1_home_spamassassin_t)
 allow $1_t $1_home_spamassassin_t:notdevfile_class_set { relabelfrom relabelto };
 allow $1_t $1_home_spamassassin_t:dir { relabelfrom relabelto };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.19.1/macros/program/ssh_macros.te
--- nsapolicy/macros/program/ssh_macros.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.1/macros/program/ssh_macros.te	2004-11-10 17:52:36.231268938 -0500
@@ -22,7 +22,7 @@
 define(`ssh_domain',`
 # Derived domain based on the calling user domain and the program.
 type $1_ssh_t, domain, privlog, nscd_client_domain;
-type $1_home_ssh_t, file_type, homedirfile, sysadmfile;
+type $1_home_ssh_t, file_type, $1_homedirfile, sysadmfile;
 
 ifdef(`automount.te', `
 allow $1_ssh_t autofs_t:dir { search getattr };
@@ -157,8 +157,7 @@
 allow $1_ssh_t xdm_xserver_t:shm r_shm_perms;
 allow $1_ssh_t xdm_xserver_t:fd use;
 allow $1_ssh_t xdm_xserver_tmpfs_t:file read;
-allow $1_ssh_t krb5_conf_t:file { getattr read };
-dontaudit $1_ssh_t krb5_conf_t:file write;
+can_kerberos($1_ssh_t)
 ')dnl end if xdm.te
 ')dnl end macro definition
 
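Review bot: can_kerberos($1_ssh_t) is placed inside the ifdef on xdm.te that the following "')dnl end if xdm.te" line closes, so on a build without xdm.te the ssh client domain gets no access to krb5_conf_t at all (the two lines it replaces had the same problem). Move the call above the ifdef, next to the other unconditional $1_ssh_t rules.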
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/su_macros.te policy-1.19.1/macros/program/su_macros.te
--- nsapolicy/macros/program/su_macros.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.1/macros/program/su_macros.te	2004-11-10 17:30:03.495879725 -0500
@@ -87,8 +87,7 @@
 # Write to utmp.
 allow $1_su_t { var_t var_run_t }:dir search;
 allow $1_su_t initrc_var_run_t:file rw_file_perms;
-dontaudit $1_su_t krb5_conf_t:file write;
-allow $1_su_t krb5_conf_t:file { getattr read };
+can_kerberos($1_su_t)
 ') dnl end su_restricted_domain
 
 define(`su_mini_domain', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/tvtime_macros.te policy-1.19.1/macros/program/tvtime_macros.te
--- nsapolicy/macros/program/tvtime_macros.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.1/macros/program/tvtime_macros.te	2004-11-10 17:30:03.496879613 -0500
@@ -19,7 +19,7 @@
 ifdef(`tvtime.te', `
 define(`tvtime_domain',`
 # Derived domain based on the calling user domain and the program.
-type $1_home_tvtime_t, file_type, homedirfile, sysadmfile;
+type $1_home_tvtime_t, file_type, $1_homedirfile, sysadmfile;
 
 x_client_domain($1, tvtime)
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/userhelper_macros.te policy-1.19.1/macros/program/userhelper_macros.te
--- nsapolicy/macros/program/userhelper_macros.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.1/macros/program/userhelper_macros.te	2004-11-10 17:30:03.496879613 -0500
@@ -123,7 +123,6 @@
 ')
 allow $1_userhelper_t sysctl_t:dir search;
 role system_r types $1_userhelper_t;
-allow $1_userhelper_t krb5_conf_t:file { getattr read };
 r_dir_file($1_userhelper_t, nfs_t)
 
 ifdef(`xdm.te', `
@@ -139,6 +138,9 @@
 domain_auto_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)
 allow $1_userhelper_t $1_home_xauth_t:file { getattr read };
 ')
+
+ifdef(`pamconsole.te', `
 allow $1_userhelper_t pam_var_console_t:dir { search };
+')
 
 ')dnl end userhelper macro
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/vmware_macros.te policy-1.19.1/macros/program/vmware_macros.te
--- nsapolicy/macros/program/vmware_macros.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.1/macros/program/vmware_macros.te	2004-11-10 17:30:03.497879500 -0500
@@ -23,10 +23,10 @@
 role $1_r types $1_vmware_t;
 
 # The user file type is for files created when the user is running VMWare
-type $1_vmware_file_t, homedirfile, file_type, sysadmfile;
+type $1_vmware_file_t, $1_homedirfile, file_type, sysadmfile;
 
 # The user file type for the VMWare configuration files
-type $1_vmware_conf_t, homedirfile, file_type, sysadmfile;
+type $1_vmware_conf_t, $1_homedirfile, file_type, sysadmfile;
 
 # for compatibility with older policy versions
 typealias $1_vmware_t alias vmware_$1_t;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xauth_macros.te policy-1.19.1/macros/program/xauth_macros.te
--- nsapolicy/macros/program/xauth_macros.te	2004-11-05 23:24:17.000000000 -0500
+++ policy-1.19.1/macros/program/xauth_macros.te	2004-11-10 17:30:03.497879500 -0500
@@ -20,7 +20,7 @@
 define(`xauth_domain',`
 # Derived domain based on the calling user domain and the program.
 type $1_xauth_t, domain;
-type $1_home_xauth_t, file_type, homedirfile, sysadmfile;
+type $1_home_xauth_t, file_type, $1_homedirfile, sysadmfile;
 
 ifdef(`slocate.te', `
 allow $1_locate_t $1_home_xauth_t:file { getattr read };
@@ -48,6 +48,7 @@
 ')
 
 allow $1_xauth_t privfd:fd use;
+allow $1_xauth_t ptmx_t:chr_file { read write };
 
 # allow ps to show xauth
 allow $1_t $1_xauth_t:dir { search getattr read };
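Review bot: "allow $1_xauth_t ptmx_t:chr_file { read write };" is the only uncommented rule in this hunk and it targets the pty master multiplexer rather than the user's own slave terminal; read/write on ptmx_t is what a process needs to open new pseudo-terminals. If xauth only needs to talk to the terminal it inherited from ssh, $1_devpts_t (used for that purpose in the lockdev macro in this patch) is the narrower target; otherwise add a comment explaining which caller hands xauth a ptmx descriptor.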
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.19.1/macros/program/x_client_macros.te
--- nsapolicy/macros/program/x_client_macros.te	2004-11-05 23:24:17.000000000 -0500
+++ policy-1.19.1/macros/program/x_client_macros.te	2004-11-10 17:30:03.498879387 -0500
@@ -25,9 +25,9 @@
 # Derived domain based on the calling user domain and the program.
 type $1_$2_t, domain $3;
 # Type for files that are writeable by this domain.
-type $1_$2_rw_t, file_type, homedirfile, sysadmfile, tmpfile;
+type $1_$2_rw_t, file_type, $1_homedirfile, sysadmfile, tmpfile;
 # Type for files that are read-only for this domain
-type $1_$2_ro_t, file_type, homedirfile, sysadmfile;
+type $1_$2_ro_t, file_type, $1_homedirfile, sysadmfile;
 
 # Transition from the user domain to the derived domain.
 ifelse($2, games, `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ypbind_macros.te policy-1.19.1/macros/program/ypbind_macros.te
--- nsapolicy/macros/program/ypbind_macros.te	2004-10-13 22:41:58.000000000 -0400
+++ policy-1.19.1/macros/program/ypbind_macros.te	2004-11-10 17:32:37.064554655 -0500
@@ -4,12 +4,15 @@
 can_network($1)
 r_dir_file($1,var_yp_t)
 allow $1 { reserved_port_t port_t }:{ tcp_socket udp_socket } name_bind;
+dontaudit $1 self:capability net_bind_service;
 ')
 
 define(`can_ypbind', `
 ifdef(`ypbind.te', `
 if (allow_ypbind) {
 uncond_can_ypbind($1)
+} else {
+dontaudit $1 var_yp_t:dir search;
 }
 ') dnl ypbind.te
 ') dnl can_ypbind
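Review bot: the new "dontaudit $1 self:capability net_bind_service;" sits directly under an allow for name_bind on reserved_port_t, so the policy permits binding a reserved port but silently drops the capability check such a bind needs. If the NIS client code falls back to an unprivileged port when the privileged bind fails, say so in a comment so the dontaudit is not mistaken for hidden breakage; if it does not fall back, the domain needs the capability rather than a dontaudit. The else branch that dontaudits var_yp_t:dir search is a reasonable way to keep logs quiet when allow_ypbind is off.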
diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.19.1/macros/user_macros.te
--- nsapolicy/macros/user_macros.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.1/macros/user_macros.te	2004-11-10 17:30:03.499879274 -0500
@@ -56,8 +56,9 @@
 # user domains.
 ifdef(`apache.te', `apache_domain($1)')
 ifdef(`slocate.te', `locate_domain($1)')
+ifdef(`lockdev.te', `lockdev_domain($1)')
 
-allow $1_t krb5_conf_t:file { getattr read };
+can_kerberos($1_t)
 # allow port_t name binding for UDP because it is not very usable otherwise
 allow $1_t port_t:udp_socket name_bind;
 
@@ -123,9 +124,14 @@
 undefine(`full_user_role')
 define(`full_user_role', `
 
+# certain apps ask for this priv kdesu, fetchmail
+# dac controls force the user to only lower priority
+allow $1_t self:process setrlimit;
+
 # user_t/$1_t is an unprivileged users domain.
 type $1_t, domain, userdomain, unpriv_userdomain, web_client_domain, nscd_client_domain, privfd;
 
+attribute $1_homedirfile;
 # Grant read/search permissions to some of /proc.
 allow $1_t proc_t:dir r_dir_perms;
 allow $1_t proc_t:{ file lnk_file } r_file_perms;
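Review bot: the comment above "allow $1_t self:process setrlimit;" is hard to read as written; suggest "# Some applications (kdesu, fetchmail) ask for this privilege; DAC still forces the user to only lower priority." The "attribute $1_homedirfile;" declaration is the only place this per-user attribute is created, yet it has no comment and sits between the type declaration and the /proc rules; give it a comment naming the home-directory file types it collects and keep it next to the "type $1_t" line.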
@@ -142,11 +148,6 @@
 # Stat lost+found.
 allow $1_t lost_found_t:dir getattr;
 
-# Read the /tmp directory and any /tmp files with the base type.
-# Temporary files created at runtime will typically use derived types.
-allow $1_t tmp_t:dir r_dir_perms;
-allow $1_t tmp_t:{ file lnk_file } r_file_perms;
-
 # Read /var, /var/spool, /var/run.
 allow $1_t var_t:dir r_dir_perms;
 allow $1_t var_t:notdevfile_class_set r_file_perms;
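Review bot: removing the read of base-type tmp_t dirs and files from every user domain is a behaviour change the commit message does not mention. If the intent is that user domains only see their own derived $1_tmp_t files, say so, because any program that lists /tmp or reads a file left there with the base type will now be denied; if the access is still granted by the tmp auto-transition rule elsewhere in full_user_role, note that this hunk is only deduplication.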
@@ -224,15 +225,17 @@
 allow $1_mount_t iso9660_t:filesystem relabelfrom;
 allow $1_mount_t removable_t:filesystem { mount relabelto };
 allow $1_mount_t removable_t:dir mounton;
+ifdef(`xdm.te', `
 allow $1_mount_t xdm_t:fd use;
 allow $1_mount_t xdm_t:fifo_file write;
 ')
+')
 
 #
 # Rules used to associate a homedir as a mountpoint
 #
 allow $1_home_t $1_home_t:filesystem associate;
-allow homedirfile $1_home_t:filesystem associate;
+allow $1_homedirfile $1_home_t:filesystem associate;
 ')
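Review bot: the new ifdef on xdm.te is now closed by the existing bare "')" and the outer block by the added bare "')", so two closing quotes stand with nothing to say which is which; follow the convention used elsewhere in this patch ("') dnl ypbind.te", "')dnl end if xdm.te") and annotate both closes.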
 
 undefine(`in_user_role')
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.19.1/net_contexts
--- nsapolicy/net_contexts	2004-11-09 13:35:11.000000000 -0500
+++ policy-1.19.1/net_contexts	2004-11-10 17:30:03.500879161 -0500
@@ -113,7 +113,6 @@
 portcon tcp 631 system_u:object_r:ipp_port_t
 portcon udp 631 system_u:object_r:ipp_port_t
 ')
-ifdef(`kerberos.te', `
 portcon tcp 88 system_u:object_r:kerberos_port_t
 portcon udp 88 system_u:object_r:kerberos_port_t
 portcon tcp 749 system_u:object_r:kerberos_admin_port_t
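Review bot: dropping the ifdef on kerberos.te (and its matching "')" in the next hunk) makes the portcon lines for kerberos_port_t, kerberos_admin_port_t and kerberos_master_port_t unconditional; if those port types are declared in kerberos.te, a policy built without it no longer compiles. Keep the guard, or move the port type declarations somewhere that is always included.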
@@ -121,7 +120,6 @@
 portcon udp 750 system_u:object_r:kerberos_port_t
 portcon tcp 4444 system_u:object_r:kerberos_master_port_t
 portcon udp 4444 system_u:object_r:kerberos_master_port_t
-')
 ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t')
 ifdef(`rsync.te', `
 portcon tcp 873 system_u:object_r:rsync_port_t
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.19.1/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.1/targeted/domains/unconfined.te	2004-11-10 17:30:03.501879048 -0500
@@ -42,4 +42,7 @@
 # Support NFS home directories
 bool use_nfs_home_dirs false;
 
+# Allow system to run with NIS
+bool allow_ypbind false;
+
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.19.1/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-20 13:57:29.000000000 -0400
+++ policy-1.19.1/tunables/distro.tun	2004-11-10 17:30:03.501879048 -0500
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
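Review bot: uncommenting define(`distro_redhat') turns a vendor choice into the default of the shared tree while the distro_suse line stays commented. Keep the upstream file neutral and set distro_redhat in the Red Hat build instead.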
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.19.1/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.1/tunables/tunable.tun	2004-11-10 17:30:03.502878936 -0500
@@ -1,27 +1,27 @@
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
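Review bot: enabling unlimitedRPM, unlimitedUtils and unlimitedRC lets rpm, hotplug/insmod and every rc-started daemon without its own transition run unconfined, user_canbe_sysadm lets user_r reach sysadm_r, and hide_broken_symptoms suppresses audit messages for behaviour the comment itself calls broken; together they relax the shared tree's defaults considerably and remove evidence a defender would want in the audit log. Keep the dnl in the upstream file and carry these settings in the distribution's own tunables, or at least justify each flip in the commit message.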


* Re: Patches without the can_network patch.
  2004-11-10 23:11           ` Patches without the can_network patch Daniel J Walsh
@ 2004-11-10 23:38             ` Thomas Bleher
  2004-11-17 20:15             ` James Carter
  2004-11-17 23:35             ` Patches without the can_network patch Kodungallur Varma
  2 siblings, 0 replies; 64+ messages in thread
From: Thomas Bleher @ 2004-11-10 23:38 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: jwcart2, Russell Coker, SELinux

[-- Attachment #1: Type: text/plain, Size: 1617 bytes --]

* Daniel J Walsh <dwalsh@redhat.com> [2004-11-11 00:12]:
> Removal of a lot of kerberos and can_ypbind calls.  (Centralized under 
> the auth call).

> --- nsapolicy/macros/admin_macros.te	2004-11-09 13:35:13.000000000 -0500
> +++ policy-1.19.1/macros/admin_macros.te	2004-11-10 17:30:03.466882997 -0500
> @@ -106,6 +107,7 @@
>  allow $1_t tty_device_t:chr_file rw_file_perms;
>  allow $1_t ttyfile:chr_file rw_file_perms;
>  allow $1_t ptyfile:chr_file rw_file_perms;
> +allow $1_t serial_device:chr_file setattr;

I recently thought about whether we should add
allow sysadm_t device_type:{ chr_file blk_file } setattr;
This is currently forbidden.
Most admins will want to change device permissions so as to allow access to
specific users.
What do others think about this?

> --- nsapolicy/macros/network_macros.te	1969-12-31 19:00:00.000000000 -0500
> +++ policy-1.19.1/macros/network_macros.te	2004-11-10 17:50:28.419688186 -0500
> @@ -0,0 +1,5 @@
> +define(`can_kerberos',`
> +can_network($1)
> +dontaudit $1 krb5_conf_t:file write;
> +allow $1 krb5_conf_t:file { getattr read };
> +')
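Review bot: the macro references krb5_conf_t without an ifdef on kerberos.te, so on a tree where kerberos.te is not included every caller of can_kerberos references a type that does not exist; guard the body, and keep can_network($1) out of it unless the caller is actually a Kerberos client, since the macro is applied to attributes such as auth_chkpwd that cover many domains.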

This needs to be conditionalized. Most users don't use kerberos, they
should not have the can_network() for many different domains.
I'd like to have a file kerberos-client.te plus a boolean (optional).
That way, users who do not use kerberos can remove it completely from
policy (why should I have files labeled krb5_conf_t if I don't use
kerberos at all?)

Thomas

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA  D09E C562 2BAE B2F4 ABE7



* Re: Patches without the can_network patch.
  2004-11-10 23:11           ` Patches without the can_network patch Daniel J Walsh
  2004-11-10 23:38             ` Thomas Bleher
@ 2004-11-17 20:15             ` James Carter
  2004-11-18 14:32               ` Daniel J Walsh
  2004-11-18 14:33               ` Daniel J Walsh
  2004-11-17 23:35             ` Patches without the can_network patch Kodungallur Varma
  2 siblings, 2 replies; 64+ messages in thread
From: James Carter @ 2004-11-17 20:15 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Russell Coker, Thomas Bleher, SELinux

Merged with some changes.
- Changed the attribute $1_homedirfile to $1_file_type
- Removed the attribute homedirfile since it is not being used.
- Moved can_kerberos to a new file named kerberos_macros.te instead of
network_macros.te
- Added "ifdef(`kerberos.te', `" to the can_kerberos macro.
- Did not remove the "ifdef(`kerberos.te', `" in net_contexts.

On Wed, 2004-11-10 at 18:11, Daniel J Walsh wrote:
> Removal of a lot of kerberos and can_ypbind calls.  (Centralized under 
> the auth call).
> 
> Several apache fixes to make squirrelmail work as well as mod_perl and 
> mod_python.
> 
> Fixes to dovecot to get it to work with squirrelmail
> 
> Fixes to hal to allow it to create a chr_file device for pcmcia card 
> communication.
> 
> Added lockdev policy
> 
> Fixes for mailman policy
> 
> A few more nscd_client_domains
> 
<snip>
> diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.19.1/macros/network_macros.te
> --- nsapolicy/macros/network_macros.te	1969-12-31 19:00:00.000000000 -0500
> +++ policy-1.19.1/macros/network_macros.te	2004-11-10 17:50:28.419688186 -0500
> @@ -0,0 +1,5 @@
> +define(`can_kerberos',`
> +can_network($1)
> +dontaudit $1 krb5_conf_t:file write;
> +allow $1 krb5_conf_t:file { getattr read };
> +')
<snip>
> diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.19.1/net_contexts
> --- nsapolicy/net_contexts	2004-11-09 13:35:11.000000000 -0500
> +++ policy-1.19.1/net_contexts	2004-11-10 17:30:03.500879161 -0500
> @@ -113,7 +113,6 @@
>  portcon tcp 631 system_u:object_r:ipp_port_t
>  portcon udp 631 system_u:object_r:ipp_port_t
>  ')
> -ifdef(`kerberos.te', `
>  portcon tcp 88 system_u:object_r:kerberos_port_t
>  portcon udp 88 system_u:object_r:kerberos_port_t
>  portcon tcp 749 system_u:object_r:kerberos_admin_port_t
> @@ -121,7 +120,6 @@
>  portcon udp 750 system_u:object_r:kerberos_port_t
>  portcon tcp 4444 system_u:object_r:kerberos_master_port_t
>  portcon udp 4444 system_u:object_r:kerberos_master_port_t
> -')
>  ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t')
>  ifdef(`rsync.te', `
>  portcon tcp 873 system_u:object_r:rsync_port_t

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency



* Re: Patches without the can_network patch.
  2004-11-10 23:11           ` Patches without the can_network patch Daniel J Walsh
  2004-11-10 23:38             ` Thomas Bleher
  2004-11-17 20:15             ` James Carter
@ 2004-11-17 23:35             ` Kodungallur Varma
  2 siblings, 0 replies; 64+ messages in thread
From: Kodungallur Varma @ 2004-11-17 23:35 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: jwcart2, Russell Coker, Thomas Bleher, SELinux

Hi all,

Is there any SELinux play machine that I can log in to and that is
currently up? Mr. Russell Coker's machine seems not to be up and running. I
tried other Debian and Gentoo machines as well but was unable to log in.
Also, I have a Fedora Core 3 machine, and in the policy sources I don't
have the tunables.te file. I don't know why this is missing, as I had
that in Core 2. I wanted to tune some macros. Thanks.

Ram


On Wed, 10 Nov 2004 18:11:37 -0500, Daniel J Walsh <dwalsh@redhat.com> wrote:
> Removal of a lot of kerberos and can_ypbind calls.  (Centralized under
> the auth call).
> 
> Several apache fixes to make squirrelmail work as well as mod_perl and
> mod_python.
> 
> Fixes to dovecot to get it to work with squirrelmail
> 
> Fixes to hal to allow it to create a chr_file device for pcmcia card
> communication.
> 
> Added lockdev policy
> 
> Fixes for mailman policy
> 
> A few more nscd_client_domains
> 
> 
>



* Re: Patches without the can_network patch.
  2004-11-17 20:15             ` James Carter
@ 2004-11-18 14:32               ` Daniel J Walsh
  2004-11-18 19:43                 ` Thomas Bleher
  2004-11-19 22:05                 ` James Carter
  2004-11-18 14:33               ` Daniel J Walsh
  1 sibling, 2 replies; 64+ messages in thread
From: Daniel J Walsh @ 2004-11-18 14:32 UTC (permalink / raw)
  To: jwcart2; +Cc: Russell Coker, Thomas Bleher, SELinux

[-- Attachment #1: Type: text/plain, Size: 238 bytes --]

Latest policy-small patch.   Many changes to make targeted policy work
better.

Lots of changes to apache policy.

Check out the changes to core_macros for create/rw socket_perms.  Maybe 
more acceptable. :^)

Many other minor changes.



[-- Attachment #2: policy-small.patch --]
[-- Type: text/x-patch, Size: 35491 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.19.2/domains/program/ldconfig.te
--- nsapolicy/domains/program/ldconfig.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.2/domains/program/ldconfig.te	2004-11-18 08:48:23.918139878 -0500
@@ -8,7 +8,7 @@
 #
 # Rules for the ldconfig_t domain.
 #
-type ldconfig_t, domain, privlog;
+type ldconfig_t, domain, privlog, etc_writer;
 type ldconfig_exec_t, file_type, sysadmfile, exec_type;
 
 role sysadm_r types ldconfig_t;
@@ -26,7 +26,7 @@
 allow ldconfig_t lib_t:lnk_file create_lnk_perms;
 
 allow ldconfig_t userdomain:fd use;
-allow ldconfig_t etc_t:file { getattr read };
+allow ldconfig_t etc_t:file { getattr read unlink };
 allow ldconfig_t etc_t:lnk_file read;
 
 allow ldconfig_t fs_t:filesystem getattr;
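Review bot: unlink on the generic etc_t file type lets ldconfig_t delete any file labelled etc_t, not only the cache it rebuilds, and the etc_writer attribute added in the previous hunk widens it further. If the tree already has a dedicated type for /etc/ld.so.cache, point the unlink at that type; otherwise add a comment naming the file ldconfig must remove so the width of this rule is recorded.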
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.19.2/domains/program/login.te
--- nsapolicy/domains/program/login.te	2004-11-18 08:13:57.000000000 -0500
+++ policy-1.19.2/domains/program/login.te	2004-11-18 08:48:23.919139766 -0500
@@ -182,6 +182,9 @@
 # Allow setting of attributes on sound devices.
 allow local_login_t sound_device_t:chr_file { getattr setattr };
 
+# Allow setting of attributes on power management devices.
+allow local_login_t power_device_t:chr_file { getattr setattr };
+
 #################################
 #
 # Rules for the remote_login_t domain.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/acct.te policy-1.19.2/domains/program/unused/acct.te
--- nsapolicy/domains/program/unused/acct.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.2/domains/program/unused/acct.te	2004-11-18 08:48:23.919139766 -0500
@@ -63,8 +63,7 @@
 
 ifdef(`logrotate.te', `
 domain_auto_trans(logrotate_t, acct_exec_t, acct_t)
-allow logrotate_t acct_data_t:dir search;
-allow logrotate_t acct_data_t:file { create_file_perms };
+rw_dir_create_file(logrotate_t, acct_data_t)
 can_exec(logrotate_t, acct_data_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.19.2/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2004-11-18 08:13:57.000000000 -0500
+++ policy-1.19.2/domains/program/unused/apache.te	2004-11-18 08:50:10.113157831 -0500
@@ -32,6 +32,9 @@
 # Run SSI execs in system CGI script domain.
 bool httpd_ssi_exec false;
 
+# Allow http daemon to communicate with the TTY
+bool httpd_tty_comm false;
+
 #########################################################
 # Apache types
 #########################################################
@@ -239,10 +242,12 @@
 # connect to mysql
 ifdef(`mysqld.te', `
 can_unix_connect(httpd_php_t, mysqld_t)
+can_unix_connect(httpd_t, mysqld_t)
 allow httpd_php_t mysqld_var_run_t:dir search;
 allow httpd_php_t mysqld_var_run_t:sock_file write;
 allow httpd_t mysqld_db_t:dir search;
 allow httpd_t mysqld_db_t:sock_file rw_file_perms;
+allow httpd_t mysqld_var_run_t:sock_file rw_file_perms;
 ')
 allow httpd_t bin_t:dir search;
 allow httpd_t sbin_t:dir search;
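Review bot: can_unix_connect(httpd_t, mysqld_t) and the rw rule on mysqld_var_run_t:sock_file give the main httpd_t domain a direct path to the database socket, where previously only httpd_php_t had it; for in-process mod_perl/mod_python that is needed, but it means a compromised httpd worker reaches mysqld without passing through the PHP domain. This file already uses booleans for optional behaviour, so consider gating these two rules the same way and commenting which modules need them.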
@@ -297,6 +302,7 @@
 #
 type httpd_runtime_t, file_type, sysadmfile;
 file_type_auto_trans(httpd_t, httpd_log_t, httpd_runtime_t, file)
+allow httpd_sys_script_t httpd_runtime_t:file { getattr append };
 ') dnl distro_redhat
 #
 # Customer reported the following
@@ -306,9 +312,28 @@
 dontaudit httpd_t snmpd_var_lib_t:file { getattr write read };
 ')
 
-# Running squirrelmail requires this permissions
+#
+# The following is needed to make squirrelmail work
+type httpd_squirrelmail_t, file_type, sysadmfile;
+create_dir_file(httpd_t, httpd_squirrelmail_t)
+allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
 ifdef(`mta.te', `
-allow system_mail_t httpd_log_t:file { append getattr };
-allow system_mail_t httpd_sys_script_rw_t:file { append read };
-allow system_mail_t httpd_t:tcp_socket { read write };
+dontaudit system_mail_t httpd_log_t:file { append getattr };
+allow system_mail_t httpd_squirrelmail_t:file { append read };
+dontaudit system_mail_t httpd_t:tcp_socket { read write };
+')
+
+application_domain(httpd_helper)
+role system_r types httpd_helper_t;
+domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t)
+
+allow httpd_helper_t devpts_t:dir { search };
+allow httpd_helper_t devtty_t:chr_file rw_file_perms;
+allow httpd_helper_t httpd_config_t:file { getattr read };
+allow httpd_helper_t httpd_log_t:file { append };
+if (httpd_tty_comm) {
+ifdef(`targeted_policy', `
+allow { httpd_helper_t httpd_t } devpts_t:chr_file { read write };
 ')
+allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write };
+}
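Review bot: when httpd_tty_comm is on, "allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write };" gives the web server read access to administrators' terminals, which exposes whatever is typed there; the boolean defaults to false, so record that consequence in the bool's comment so nobody enables it just to see error output. Also, application_domain(httpd_helper) creates httpd_helper_exec_t but the portion of the patch shown here carries no file_contexts entry for it, so the domain_auto_trans from httpd_t never fires until one is added. Turning the two system_mail_t rules into dontaudit is a good tightening.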
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.19.2/domains/program/unused/apmd.te
--- nsapolicy/domains/program/unused/apmd.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.2/domains/program/unused/apmd.te	2004-11-18 08:48:23.920139653 -0500
@@ -114,7 +114,10 @@
 allow consoletype_t apmd_t:fifo_file write;
 ')
 ifdef(`mount.te', `allow mount_t apmd_t:fd use;')
-ifdef(`crond.te', `domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t)')
+ifdef(`crond.te', `
+domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t)
+allow apmd_t crond_t:fifo_file { getattr read write ioctl };
+')
 
 ifdef(`mta.te', `
 domain_auto_trans(apmd_t, sendmail_exec_t, system_mail_t) 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/consoletype.te policy-1.19.2/domains/program/unused/consoletype.te
--- nsapolicy/domains/program/unused/consoletype.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.2/domains/program/unused/consoletype.te	2004-11-18 08:48:23.921139540 -0500
@@ -59,5 +59,6 @@
 ')
 dontaudit consoletype_t proc_t:file read;
 dontaudit consoletype_t root_t:file read;
-allow consoletype_t crond_t:fifo_file read;
+allow consoletype_t crond_t:fifo_file { read getattr ioctl };
+allow consoletype_t system_crond_t:fd use;
 allow consoletype_t fs_t:filesystem getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.19.2/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2004-11-18 08:13:57.000000000 -0500
+++ policy-1.19.2/domains/program/unused/cups.te	2004-11-18 08:51:22.563983161 -0500
@@ -59,7 +60,6 @@
 
 allow cupsd_t { etc_t etc_runtime_t }:file { getattr read ioctl };
 can_exec(cupsd_t, initrc_exec_t)
-can_exec(cupsd_t, hostname_exec_t)
 allow cupsd_t proc_t:file r_file_perms;
 allow cupsd_t proc_t:dir r_dir_perms;
 allow cupsd_t self:file { getattr read };
@@ -185,7 +185,7 @@
 allow cupsd_config_t cupsd_var_run_t:file { getattr read };
 allow cupsd_config_t cupsd_t:process { signal };
 allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
-allow cupsd_config_t cupsd_t:dir search;
+r_dir_file(cupsd_config_t, cupsd_t)
 
 allow cupsd_config_t self:capability chown;
 
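Review bot: with `r_dir_file(cupsd_config_t, cupsd_t)` in place, the `allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };` two lines above is subsumed and should go. Note also that cupsd_t is a process domain, so the object here is cupsd's /proc entries and the grant is read access to them, wider than the `dir search` it replaces; a comment on what cupsd_config needs to read there would justify the widening.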
@@ -212,8 +212,17 @@
 ')
 
 can_exec(cupsd_config_t, { bin_t sbin_t shell_exec_t })
+ifdef(`hostname.te', `
+can_exec(cupsd_t, hostname_exec_t)
+can_exec(cupsd_config_t, hostname_exec_t)
+')
 allow cupsd_config_t { bin_t sbin_t }:dir { search getattr };
 allow cupsd_config_t { bin_t sbin_t }:lnk_file read;
+# killall causes the following
+dontaudit cupsd_config_t domain:dir { getattr search };
+dontaudit cupsd_config_t selinux_config_t:dir search;
+
+can_exec(cupsd_config_t, cupsd_config_exec_t) 
 
 allow cupsd_config_t usr_t:file { getattr read };
 allow cupsd_config_t var_lib_t:dir { getattr search };
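Review bot: `can_exec(cupsd_t, hostname_exec_t)` is a cupsd_t rule, but this hunk lands it among the cupsd_config_t rules (it was taken out of the cupsd_t block in the `@@ -59` hunk); keep it next to the other cupsd_t rules with its own `ifdef(`hostname.te'` guard. `dontaudit cupsd_config_t domain:dir { getattr search };` silences directory probes of every domain's /proc entry for the sake of killall, which is fine for a dontaudit but should be stated that plainly in the comment. The `can_exec(cupsd_config_t, cupsd_config_exec_t) ` line carries trailing whitespace.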
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cyrus.te policy-1.19.2/domains/program/unused/cyrus.te
--- nsapolicy/domains/program/unused/cyrus.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.2/domains/program/unused/cyrus.te	2004-11-18 08:51:47.260196672 -0500
@@ -45,3 +45,4 @@
 allow system_crond_t cyrus_var_lib_t:file create_file_perms;
 allow system_crond_su_t cyrus_var_lib_t:dir search;
 ')
+allow cyrus_t mail_port_t:tcp_socket name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpd.te policy-1.19.2/domains/program/unused/dhcpd.te
--- nsapolicy/domains/program/unused/dhcpd.te	2004-10-14 23:25:18.000000000 -0400
+++ policy-1.19.2/domains/program/unused/dhcpd.te	2004-11-18 08:53:24.057275000 -0500
@@ -33,6 +33,7 @@
 can_ypbind(dhcpd_t)
 allow dhcpd_t self:unix_dgram_socket create_socket_perms;
 allow dhcpd_t self:unix_stream_socket create_socket_perms;
+allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow dhcpd_t var_lib_t:dir search;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.19.2/domains/program/unused/ftpd.te
--- nsapolicy/domains/program/unused/ftpd.te	2004-11-18 08:13:58.000000000 -0500
+++ policy-1.19.2/domains/program/unused/ftpd.te	2004-11-18 08:54:09.695125653 -0500
@@ -31,11 +31,13 @@
 
 ifdef(`crond.te', `
 system_crond_entry(ftpd_exec_t, ftpd_t)
+allow system_crond_t xferlog_t:file r_file_perms;
 can_exec(ftpd_t, { sbin_t shell_exec_t })
 allow ftpd_t usr_t:file { getattr read };
 ')
 
 allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
+allow ftpd_t port_t:tcp_socket name_bind;
 
 # Allow ftpd to run directly without inetd.
 bool ftpd_is_daemon false;
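Review bot: `allow ftpd_t port_t:tcp_socket name_bind;` lets the FTP daemon bind any port carrying the generic port_t label, far wider than the `ftp_data_port_t` rule directly above it; if this is for passive-mode data connections on unreserved ports, say so in a comment, and consider gating it with a boolean in the style of `ftpd_is_daemon` below rather than granting it unconditionally to a network-facing daemon.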
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/innd.te policy-1.19.2/domains/program/unused/innd.te
--- nsapolicy/domains/program/unused/innd.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.19.2/domains/program/unused/innd.te	2004-11-18 08:54:50.625507454 -0500
@@ -64,6 +64,9 @@
 
 ifdef(`crond.te', `
 system_crond_entry(innd_exec_t, innd_t)
+allow system_crond_t innd_etc_t:file { getattr read };
+rw_dir_create_file(system_crond_t, innd_log_t)
+rw_dir_create_file(system_crond_t, innd_var_run_t)
 ')
 ifdef(`syslogd.te', `
 allow syslogd_t innd_log_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.19.2/domains/program/unused/kudzu.te
--- nsapolicy/domains/program/unused/kudzu.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.2/domains/program/unused/kudzu.te	2004-11-18 08:48:23.921139540 -0500
@@ -21,7 +21,7 @@
 allow kudzu_t proc_t:file { getattr read };
 allow kudzu_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
 allow kudzu_t scsi_generic_device_t:chr_file r_file_perms;
-allow kudzu_t { bin_t sbin_t }:dir search;
+allow kudzu_t { bin_t sbin_t }:dir { getattr search };
 allow kudzu_t { bin_t sbin_t }:lnk_file read;
 allow kudzu_t { sysctl_t sysctl_kernel_t }:dir search;
 allow kudzu_t sysctl_dev_t:dir { getattr search read };
@@ -85,3 +85,7 @@
 
 # for file systems that are not yet mounted
 dontaudit kudzu_t file_t:dir search;
+ifdef(`lpd.te', `
+allow kudzu_t printconf_t:file { getattr read };
+')
+allow kudzu_t zero_device_t:chr_file r_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.19.2/domains/program/unused/mta.te
--- nsapolicy/domains/program/unused/mta.te	2004-10-09 21:06:14.000000000 -0400
+++ policy-1.19.2/domains/program/unused/mta.te	2004-11-18 08:48:23.922139427 -0500
@@ -20,6 +20,7 @@
 # "mail user@domain"
 mail_domain(system)
 
+ifelse(`targeted-policy', `', `
 ifdef(`sendmail.te', `
 # sendmail has an ugly design, the one process parses input from the user and
 # then does system things with it.
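Review bot: `ifelse(`targeted-policy', `', `` compares the literal string targeted-policy (with a hyphen, so not even a macro name) against the empty string; with three arguments, ifelse expands to its third argument only when the first two are equal, so this block, from here to the `')` added in the next hunk, is dropped from every build, strict included. To leave the sendmail/sysadm_mail rules out of the targeted policy only, use `ifdef(`targeted_policy', `', `` with the underscore, as the `@@ -57` hunk of this same file and the squid.te and apache_macros.te hunks do.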
@@ -32,11 +33,13 @@
 # allow the sysadmin to do "mail someone < /home/user/whatever"
 allow sysadm_mail_t user_home_dir_type:dir search;
 r_dir_file(sysadm_mail_t, user_home_type)
-
+')
 # for a mail server process that does things in response to a user command
 allow mta_user_agent userdomain:process sigchld;
 allow mta_user_agent { userdomain privfd }:fd use;
+ifdef(`crond.te', `
 allow mta_user_agent crond_t:process sigchld;
+')
 allow mta_user_agent sysadm_t:fifo_file { read write };
 
 allow { system_mail_t mta_user_agent } privmail:fd use;
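Review bot: the `')` that replaces the blank line closes the `ifelse(` opened some fifteen lines earlier in the previous hunk; a trailing marker such as `')dnl end targeted_policy`, the style lpr_macros.te already uses with `')dnl end ifdef cups.te`, would make the pairing visible. The `ifdef(`crond.te'` guard around the `crond_t:process sigchld` rule is the right fix for builds without crond.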
@@ -57,3 +60,13 @@
 allow mta_delivery_agent devtty_t:chr_file rw_file_perms;
 allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read };
 
+# rules are currently defined in sendmail.te, but it is not included in 
+# targeted policy.  We could move these rules permanantly here.
+ifdef(`targeted_policy', `
+allow system_mail_t self:dir { search };
+allow system_mail_t proc_t:dir search;
+allow system_mail_t proc_t:{ file lnk_file } { getattr read };
+allow system_mail_t fs_t:filesystem getattr;
+allow system_mail_t { var_t var_spool_t }:dir getattr;
+create_dir_file( system_mail_t, mqueue_spool_t)
+')
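Review bot: "permanantly" in the comment should read "permanently", and the comment should name which rules are duplicated from sendmail.te so they can be dropped there once moved. These rules use `mqueue_spool_t` under `targeted_policy`, and the types.fc hunk below labels /var/spool/mqueue with it, so confirm the type is declared somewhere other than sendmail.te, which this very comment says is absent from the targeted build. `create_dir_file( system_mail_t, mqueue_spool_t)` also has a stray space after the opening parenthesis.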
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.19.2/domains/program/unused/named.te
--- nsapolicy/domains/program/unused/named.te	2004-11-05 23:24:16.000000000 -0500
+++ policy-1.19.2/domains/program/unused/named.te	2004-11-18 08:55:41.707743815 -0500
@@ -77,6 +77,7 @@
 
 allow named_t self:unix_stream_socket create_stream_socket_perms;
 allow named_t self:unix_dgram_socket create_socket_perms;
+allow named_t self:netlink_route_socket r_netlink_socket_perms;
 
 # Read sysctl kernel variables.
 allow named_t sysctl_t:dir r_dir_perms;
@@ -149,7 +150,7 @@
 allow ndc_t named_zone_t:file getattr;
 dontaudit ndc_t sysadm_home_t:dir { getattr search read };
 ')
-allow ndc_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
 dontaudit ndc_t sysadm_tty_device_t:chr_file { ioctl };
 # Allow init script to cp localtime to named_conf_t
 allow initrc_t named_conf_t:file { write };
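Review bot: replacing `{ bind create getattr nlmsg_read read write }` with `r_netlink_socket_perms` is a widening, not a rename: after the core_macros.te change in this patch the macro expands to `create_socket_perms` plus nlmsg_read, so ndc_t additionally gains ioctl, setattr, append, connect, getopt, setopt and shutdown on its route socket. Acceptable for consistency with the named_t rule in the previous hunk, but it deserves a sentence in the cover note.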
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.19.2/domains/program/unused/ntpd.te
--- nsapolicy/domains/program/unused/ntpd.te	2004-11-18 08:13:58.000000000 -0500
+++ policy-1.19.2/domains/program/unused/ntpd.te	2004-11-18 09:16:48.946760475 -0500
@@ -42,18 +42,18 @@
 allow ntpd_t ntp_port_t:udp_socket name_bind;
 allow ntpd_t self:unix_dgram_socket create_socket_perms;
 allow ntpd_t self:unix_stream_socket create_socket_perms;
+allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
 
 # so the start script can change firewall entries
 allow initrc_t net_conf_t:file { getattr read ioctl };
 
 # for cron jobs
 # system_crond_t is not right, cron is not doing what it should
-ifdef(`crond.te', `
-system_crond_entry(ntpd_exec_t, ntpd_t)
+ifdef(`crond.te', `system_crond_entry(ntpd_exec_t, ntpd_t)')
 can_exec(ntpd_t, initrc_exec_t)
 allow ntpd_t self:fifo_file { read write getattr };
 allow ntpd_t etc_runtime_t:file r_file_perms;
-can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t logrotate_exec_t ntpd_exec_t })
+can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t ntpd_exec_t })
 allow ntpd_t { sbin_t bin_t }:dir search;
 allow ntpd_t bin_t:lnk_file read;
 allow ntpd_t sysctl_kernel_t:dir search;
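Review bot: collapsing `ifdef(`crond.te', `` onto one line (and deleting its `')` in the next hunk) turns everything from `can_exec(ntpd_t, initrc_exec_t)` down to the `ifdef(`logrotate.te'` line into unconditional rules for ntpd_t; if that is the intent, the "for cron jobs" comment now describes only the `system_crond_entry` line and should move onto it. Dropping `logrotate_exec_t` from the `can_exec` list is correct, since the guarded `can_exec(ntpd_t, logrotate_exec_t)` below already covers it without breaking builds that lack logrotate.te.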
@@ -63,7 +63,6 @@
 allow ntpd_t self:file { getattr read };
 dontaudit ntpd_t domain:dir search;
 ifdef(`logrotate.te', `can_exec(ntpd_t, logrotate_exec_t)')
-')
 
 allow ntpd_t devtty_t:chr_file rw_file_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.19.2/domains/program/unused/postgresql.te
--- nsapolicy/domains/program/unused/postgresql.te	2004-11-18 08:13:58.000000000 -0500
+++ policy-1.19.2/domains/program/unused/postgresql.te	2004-11-18 08:57:40.718315780 -0500
@@ -42,10 +42,11 @@
 
 logdir_domain(postgresql)
 
+ifdef(`crond.te', `
 # allow crond to find /usr/lib/postgresql/bin/do.maintenance
 allow crond_t postgresql_db_t:dir search;
-
 system_crond_entry(postgresql_exec_t, postgresql_t)
+')
 
 tmp_domain(postgresql);
 file_type_auto_trans(postgresql_t, tmpfs_t, postgresql_tmp_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.19.2/domains/program/unused/rpcd.te
--- nsapolicy/domains/program/unused/rpcd.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.2/domains/program/unused/rpcd.te	2004-11-18 08:58:17.120208533 -0500
@@ -24,6 +24,7 @@
 allow $1_t var_lib_nfs_t:file create_file_perms;
 # do not log when it tries to bind to a port belonging to another domain
 dontaudit $1_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
+allow $1_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
 allow $1_t self:netlink_route_socket r_netlink_socket_perms;
 allow $1_t self:unix_dgram_socket create_socket_perms;
 allow $1_t self:unix_stream_socket create_stream_socket_perms;
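Review bot: `allow $1_t reserved_port_t:{ udp_socket tcp_socket } name_bind;` lets every rpcd-derived domain bind any privileged port that carries the generic reserved_port_t label, which goes beyond the intent stated in the comment above it (only suppress the audit when the daemon tries ports owned by other domains); add a comment saying why these RPC services need an arbitrary reserved port, and note that the `dontaudit ... reserved_port_type` line above now only matters for the specifically labelled reserved ports.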
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.19.2/domains/program/unused/snmpd.te
--- nsapolicy/domains/program/unused/snmpd.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.2/domains/program/unused/snmpd.te	2004-11-18 08:58:52.256244113 -0500
@@ -38,7 +38,7 @@
 allow snmpd_t self:unix_dgram_socket create_socket_perms;
 allow snmpd_t self:unix_stream_socket create_socket_perms;
 allow snmpd_t etc_t:lnk_file read;
-allow snmpd_t { etc_t etc_runtime_t }:file { getattr read };
+allow snmpd_t { etc_t etc_runtime_t }:file r_file_perms;
 allow snmpd_t urandom_device_t:chr_file read;
 allow snmpd_t self:capability { dac_override kill net_bind_service net_admin sys_nice sys_tty_config };
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.19.2/domains/program/unused/squid.te
--- nsapolicy/domains/program/unused/squid.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.2/domains/program/unused/squid.te	2004-11-18 08:59:29.988986705 -0500
@@ -62,10 +62,12 @@
 
 # to allow running programs from /usr/lib/squid (IE unlinkd)
 # also allow exec()ing itself
-can_exec(squid_t, { lib_t squid_exec_t } )
+can_exec(squid_t, { lib_t squid_exec_t bin_t sbin_t } )
 allow squid_t { bin_t sbin_t }:dir search;
+allow squid_t { bin_t sbin_t }:lnk_file read;
 
 dontaudit squid_t { home_root_t security_t devpts_t }:dir getattr;
 ifdef(`targeted_policy', `
 dontaudit squid_t tty_device_t:chr_file { read write };
 ')
+allow squid_t urandom_device_t:chr_file { getattr read };
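Review bot: adding `bin_t sbin_t` to `can_exec(squid_t, ...)` lets squid execute any program under /bin, /sbin and their /usr counterparts, while the comment above still says this is "to allow running programs from /usr/lib/squid (IE unlinkd)"; update the comment to name the helper that lives outside lib_t, and if it is one or two programs, consider labelling just those rather than opening all of bin_t and sbin_t to a network-facing proxy.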
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/vpnc.te policy-1.19.2/domains/program/unused/vpnc.te
--- nsapolicy/domains/program/unused/vpnc.te	2004-10-14 23:25:18.000000000 -0400
+++ policy-1.19.2/domains/program/unused/vpnc.te	2004-11-18 09:17:37.765252256 -0500
@@ -17,6 +17,7 @@
 # Use the network.
 can_network(vpnc_t)
 can_ypbind(vpnc_t)
+allow vpnc_t self:socket create_socket_perms;
 
 # Use capabilities.
 allow vpnc_t self:capability { net_admin ipc_lock net_bind_service net_raw };
@@ -28,3 +29,12 @@
 allow vpnc_t self:unix_dgram_socket create_socket_perms;
 allow vpnc_t self:unix_stream_socket create_socket_perms;
 allow vpnc_t admin_tty_type:chr_file rw_file_perms;
+allow vpnc_t port_t:udp_socket name_bind;
+allow vpnc_t etc_runtime_t:file { getattr read };
+allow vpnc_t proc_t:file { getattr read };
+dontaudit vpnc_t selinux_config_t:dir search;
+can_exec(vpnc_t, {bin_t sbin_t ifconfig_exec_t shell_exec_t })
+allow vpnc_t sysctl_net_t:dir search;
+allow vpnc_t sbin_t:dir search;
+allow vpnc_t bin_t:dir search;
+allow vpnc_t bin_t:lnk_file read;
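Review bot: `can_exec(vpnc_t, {bin_t sbin_t ifconfig_exec_t shell_exec_t })` runs ifconfig inside vpnc_t rather than through a domain transition, which is what the new `sysctl_net_t:dir search` serves; a comment saying so would help the next reader. Stylistically, `{bin_t` is missing the space used everywhere else in the policy, and the separate `sbin_t:dir search` and `bin_t:dir search` lines collapse to `allow vpnc_t { bin_t sbin_t }:dir search;` as squid.te does above. `allow vpnc_t port_t:udp_socket name_bind;` is the same generic-port grant flagged for ftpd.te; a comment on which port range the client binds would help.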
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.19.2/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te	2004-11-18 08:13:58.000000000 -0500
+++ policy-1.19.2/domains/program/unused/xdm.te	2004-11-18 09:01:02.054598887 -0500
@@ -241,6 +241,9 @@
 # Access sound device.
 allow xdm_t sound_device_t:chr_file { setattr getattr };
 
+# Allow setting of attributes on power management devices.
+allow xdm_t power_device_t:chr_file { getattr setattr };
+
 # Run the X server in a derived domain.
 xserver_domain(xdm)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.19.2/domains/user.te
--- nsapolicy/domains/user.te	2004-11-18 08:13:57.000000000 -0500
+++ policy-1.19.2/domains/user.te	2004-11-18 08:48:23.922139427 -0500
@@ -18,6 +18,9 @@
 # Allow system to run with NIS
 bool allow_ypbind false;
 
+# Allow system to run with kerberos
+bool allow_kerberos false;
+
 # Allow users to rw usb devices
 bool user_rw_usb false;
 
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.19.2/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc	2004-10-06 16:21:13.000000000 -0400
+++ policy-1.19.2/file_contexts/distros.fc	2004-11-18 08:48:23.923139314 -0500
@@ -30,5 +30,6 @@
 /usr/share/system-config-nfs/nfs-export.py	--	system_u:object_r:bin_t
 /usr/share/pydict/pydict.py	--	system_u:object_r:bin_t
 /usr/share/cvs/contrib/rcs2log	--	system_u:object_r:bin_t
+/usr/share/pwlib/make/ptlib-config --	system_u:object_r:bin_t
 ')
 
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.19.2/file_contexts/program/apache.fc
--- nsapolicy/file_contexts/program/apache.fc	2004-11-18 08:13:58.000000000 -0500
+++ policy-1.19.2/file_contexts/program/apache.fc	2004-11-18 08:48:23.924139201 -0500
@@ -27,6 +27,7 @@
 /var/cache/mod_ssl(/.*)?	system_u:object_r:httpd_cache_t
 /var/run/apache(2)?.pid.* --	system_u:object_r:httpd_var_run_t
 /var/lib/httpd(/.*)?		system_u:object_r:httpd_var_lib_t
+/var/lib/php/session(/.*)?	system_u:object_r:httpd_var_run_t
 /etc/apache-ssl(2)?(/.*)?	system_u:object_r:httpd_config_t
 /usr/lib/apache-ssl(/.*)? --	system_u:object_r:httpd_exec_t
 /usr/sbin/apache-ssl(2)? --	system_u:object_r:httpd_exec_t
@@ -37,4 +38,5 @@
 # suse puts shell scripts there :-(
 /usr/share/apache2/.*	--	system_u:object_r:bin_t
 ')
-/var/lib/squirrelmail/prefs(/.*)?	system_u:object_r:httpd_sys_script_rw_t
+/var/lib/squirrelmail/prefs(/.*)?	system_u:object_r:httpd_squirrelmail_t
+/usr/bin/htsslpass --	system_u:object_r:httpd_helper_exec_t
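Review bot: this hunk labels files with `httpd_squirrelmail_t` and `httpd_helper_exec_t`, neither of which is declared in any hunk shown here; make sure the apache.te / apache_macros.te part of the patch declares both, or the file contexts will refer to unknown types. Moving the squirrelmail prefs away from the shared `httpd_sys_script_rw_t` to a dedicated type is the right direction.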
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cups.fc policy-1.19.2/file_contexts/program/cups.fc
--- nsapolicy/file_contexts/program/cups.fc	2004-10-14 23:25:19.000000000 -0400
+++ policy-1.19.2/file_contexts/program/cups.fc	2004-11-18 08:48:23.924139201 -0500
@@ -1,7 +1,7 @@
 # cups printing
 /etc/cups(/.*)?			system_u:object_r:cupsd_etc_t
 /usr/share/cups(/.*)?		system_u:object_r:cupsd_etc_t
-/etc/alchemist/namespace/printconf/local.adl system_u:object_r:cupsd_rw_etc_t
+/etc/alchemist/namespace/printconf(/.*)? system_u:object_r:cupsd_rw_etc_t
 /var/cache/alchemist/printconf.* system_u:object_r:cupsd_rw_etc_t
 /etc/cups/client\.conf	--	system_u:object_r:etc_t
 /etc/cups/cupsd.conf.* --	system_u:object_r:cupsd_rw_etc_t
@@ -33,3 +33,4 @@
 /usr/sbin/ptal-mlcd	--	system_u:object_r:ptal_exec_t
 /var/run/ptal-printd(/.*)?	system_u:object_r:ptal_var_run_t
 /var/run/ptal-mlcd(/.*)?	system_u:object_r:ptal_var_run_t
+/usr/share/foomatic/db/oldprinterids 	--	system_u:object_r:cupsd_rw_etc_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/hald.fc policy-1.19.2/file_contexts/program/hald.fc
--- nsapolicy/file_contexts/program/hald.fc	2004-09-22 16:19:13.000000000 -0400
+++ policy-1.19.2/file_contexts/program/hald.fc	2004-11-18 08:48:23.925139089 -0500
@@ -3,3 +3,4 @@
 /usr/libexec/hal-hotplug-map -- system_u:object_r:hald_exec_t
 /etc/hal/device.d/printer_remove.hal -- system_u:object_r:hald_exec_t
 /etc/hal/capability.d/printer_update.hal -- system_u:object_r:hald_exec_t
+/usr/share/hal/device-manager/hal-device-manager -- system_u:object_r:bin_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/sendmail.fc policy-1.19.2/file_contexts/program/sendmail.fc
--- nsapolicy/file_contexts/program/sendmail.fc	2004-10-07 08:02:02.000000000 -0400
+++ policy-1.19.2/file_contexts/program/sendmail.fc	2004-11-18 08:48:23.925139089 -0500
@@ -1,6 +1,5 @@
 # sendmail
 /etc/mail(/.*)?				system_u:object_r:etc_mail_t
-/var/spool/(client)?mqueue(/.*)?	system_u:object_r:mqueue_spool_t
 /var/log/sendmail\.st		--	system_u:object_r:sendmail_log_t
 /var/log/mail(/.*)?			system_u:object_r:sendmail_log_t
 /var/run/sendmail.pid		--	system_u:object_r:sendmail_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.19.2/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc	2004-11-18 08:13:58.000000000 -0500
+++ policy-1.19.2/file_contexts/types.fc	2004-11-18 08:48:23.927138863 -0500
@@ -334,6 +334,7 @@
 /usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
 /usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
 /usr(/.*)?/bin(/.*)?		system_u:object_r:bin_t
+/usr(/.*)?/Bin(/.*)?		system_u:object_r:bin_t
 /usr(/.*)?/sbin(/.*)?		system_u:object_r:sbin_t
 /usr/etc(/.*)?			system_u:object_r:etc_t
 /usr/inclu.e(/.*)?		system_u:object_r:usr_t
@@ -392,6 +393,7 @@
 #
 /var/spool(/.*)?		system_u:object_r:var_spool_t
 /var/spool/texmf(/.*)?		system_u:object_r:tetex_data_t
+/var/spool/(client)?mqueue(/.*)?	system_u:object_r:mqueue_spool_t
 
 # 
 # /var/log
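Review bot: moving the `/var/spool/(client)?mqueue(/.*)?` entry from sendmail.fc into types.fc means `mqueue_spool_t` must now be declared in a file that is always built; if it is still declared only in sendmail.te, which the mta.te comment in this patch says is absent from the targeted policy, the file contexts will not compile there. Declare the type alongside the other spool types or keep the entry under a guard.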
diff --exclude-from=exclude -N -u -r nsapolicy/macros/admin_macros.te policy-1.19.2/macros/admin_macros.te
--- nsapolicy/macros/admin_macros.te	2004-11-18 08:13:58.000000000 -0500
+++ policy-1.19.2/macros/admin_macros.te	2004-11-18 08:48:23.927138863 -0500
@@ -196,6 +196,11 @@
 # Grant read and write access to /dev/console.
 allow $1_t console_device_t:chr_file rw_file_perms;
 
+# Allow MAKEDEV to work
+allow $1_t device_t:dir rw_dir_perms;
+allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
+allow $1_t device_t:lnk_file { create read };
+
 # for lsof
 allow $1_t domain:socket_class_set getattr;
 allow $1_t eventpollfs_t:file getattr;
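Review bot: the "Allow MAKEDEV to work" block grants every admin domain `create unlink rename` on block and character nodes of any `device_type` plus `rw_dir_perms` on /dev, which amounts to the ability to recreate any device node; if MAKEDEV is the only user, a dedicated domain entered by transition would scope this better than handing it to all `$1_t` admin domains, and at minimum the comment should say the breadth is deliberate.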
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.19.2/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2004-11-18 08:13:58.000000000 -0500
+++ policy-1.19.2/macros/base_user_macros.te	2004-11-18 09:01:27.432735456 -0500
@@ -291,6 +291,9 @@
 # Access the sound device.
 allow $1_t sound_device_t:chr_file { getattr read write ioctl };
 
+# Access the power device.
+allow $1_t power_device_t:chr_file { getattr read write ioctl };
+
 allow $1_t var_log_t:dir { getattr search };
 dontaudit $1_t logfile:file getattr;
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/core_macros.te policy-1.19.2/macros/core_macros.te
--- nsapolicy/macros/core_macros.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.2/macros/core_macros.te	2004-11-18 09:05:47.706368626 -0500
@@ -137,17 +137,27 @@
 #
 # Permissions for creating and using sockets.
 # 
-define(`create_socket_perms', `{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
+define(`create_socket_perms', `{ create rw_socket_perms }')
 
 #
 # Permissions for using stream sockets.
 # 
-define(`rw_stream_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }')
+define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
 
 #
 # Permissions for creating and using stream sockets.
 # 
-define(`create_stream_socket_perms', `{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }')
+define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
+
+#
+# Permissions for creating and using sockets.
+# 
+define(`connected_socket_perms', `{ create_socket_perms -connect }')
+
+#
+# Permissions for creating and using sockets.
+# 
+define(`connected_stream_socket_perms', `{ create_stream_socket_perms -connect }')
 
 
 #
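Review bot: the comment blocks above `connected_socket_perms` and `connected_stream_socket_perms` are copies of "Permissions for creating and using sockets." and do not say what distinguishes them, which is the `-connect`; the names also read as "perms for connected sockets" when they mean "without connect", so a comment along the lines of "create_socket_perms minus connect" is needed. Two things to confirm: that checkpolicy accepts set subtraction inside a permission set (it is normally seen in type sets), and whether anything in this series uses these macros yet, since no hunk here does. The `{ create rw_socket_perms }` rewrites produce nested brace sets after m4 expansion, which checkpolicy accepts, so those are fine.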
@@ -158,12 +168,12 @@
 #
 # Permissions for using netlink sockets for operations that modify state.
 # 
-define(`rw_netlink_socket_perms', `{ create rw_socket_perms nlmsg_read nlmsg_write }')
+define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
 
 #
 # Permissions for using netlink sockets for operations that observe state.
 # 
-define(`r_netlink_socket_perms', `{ create rw_socket_perms nlmsg_read }')
+define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
 
 #
 # Permissions for sending all signals.
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.19.2/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te	2004-11-18 08:13:58.000000000 -0500
+++ policy-1.19.2/macros/program/apache_macros.te	2004-11-18 09:06:46.828697818 -0500
@@ -110,11 +110,12 @@
 create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t)
 ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
 
-if (httpd_enable_cgi) && (httpd_unified) {
+if (httpd_enable_cgi) && (httpd_unified) ifdef(`targeted_policy', ` && ! (httpd_disable_trans)') {
 ifelse($1, sys, `
 domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
 domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
 domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
+create_dir_file(httpd_t, httpdcontent)
 ', `
 create_dir_file(httpd_$1_script_t, httpdcontent)
 can_exec(httpd_$1_script_t, httpdcontent )
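Review bot: `create_dir_file(httpd_t, httpdcontent)` in the `sys` branch gives the web server process itself create and write access to everything labelled httpdcontent whenever `httpd_unified` is on, so a compromised httpd_t could alter served content and scripts, not just the data the script domains were already allowed to write; if a specific application needs this, restrict it to that application's type or put it behind its own boolean, and document it next to the `httpd_unified` description. The inline `ifdef(`targeted_policy', ` && ! (httpd_disable_trans)')` in the `if` expression assumes `httpd_disable_trans` is declared in the targeted policy; fine, but worth a comment.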
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/inetd_macros.te policy-1.19.2/macros/program/inetd_macros.te
--- nsapolicy/macros/program/inetd_macros.te	2004-11-18 08:13:59.000000000 -0500
+++ policy-1.19.2/macros/program/inetd_macros.te	2004-11-18 09:07:36.065142440 -0500
@@ -44,7 +44,7 @@
 allow $1_t self:dir search;
 allow $1_t self:file { getattr read };
 can_kerberos($1_t)
-allow $1_t urandom_device_t:chr_file { getattr read };
+allow $1_t urandom_device_t:chr_file r_file_perms;
 type $1_port_t, port_type, reserved_port_type;
 # Use sockets inherited from inetd.
 ifelse($2, `', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/kerberos_macros.te policy-1.19.2/macros/program/kerberos_macros.te
--- nsapolicy/macros/program/kerberos_macros.te	2004-11-17 14:51:55.000000000 -0500
+++ policy-1.19.2/macros/program/kerberos_macros.te	2004-11-18 09:08:04.893889675 -0500
@@ -1,7 +1,9 @@
 define(`can_kerberos',`
 ifdef(`kerberos.te',`
+if (allow_kerberos) {
 can_network($1)
 dontaudit $1 krb5_conf_t:file write;
 allow $1 krb5_conf_t:file { getattr read };
+}
 ') dnl kerberos.te
 ')
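Review bot: wrapping the whole body of `can_kerberos` in `if (allow_kerberos)`, with the new boolean defaulting to `false`, means every caller loses the `can_network($1)` grant until an administrator flips the boolean; if that is intended, say so in the cover note, since it changes behaviour for every domain that calls the macro. Both user.te and unconfined.te declare `bool allow_kerberos false;` in this patch; make sure no build includes both files, as checkpolicy rejects a duplicate boolean declaration.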
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/lpr_macros.te policy-1.19.2/macros/program/lpr_macros.te
--- nsapolicy/macros/program/lpr_macros.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.2/macros/program/lpr_macros.te	2004-11-18 09:09:14.527032926 -0500
@@ -18,7 +18,7 @@
 undefine(`lpr_domain')
 define(`lpr_domain',`
 # Derived domain based on the calling user domain and the program
-type $1_lpr_t, domain, privlog;
+type $1_lpr_t, domain, privlog, nscd_client_domain;
 
 # Transition from the user domain to the derived domain.
 domain_auto_trans($1_t, lpr_exec_t, $1_lpr_t)
@@ -104,6 +104,7 @@
 # Connect to lpd via a TCP socket.
 can_tcp_connect($1_lpr_t, lpd_t)
 
+allow $1_lpr_t fs_t:filesystem getattr;
 # Send SIGHUP to lpd.
 allow $1_lpr_t lpd_t:process signal;
 
@@ -120,5 +121,11 @@
 can_tcp_connect({ $1_lpr_t $1_t }, cupsd_t)
 ')dnl end ifdef cups.te
 
+ifdef(`hide_broken_symptoms', `
+# thunderbird causes these
+dontaudit $1_lpr_t $1_t:tcp_socket { read write };
+dontaudit $1_lpr_t { $1_home_t $1_tmp_t }:file write;
+')
+
 ')dnl end macro definition
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.19.2/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2004-11-18 08:13:59.000000000 -0500
+++ policy-1.19.2/macros/program/mozilla_macros.te	2004-11-18 09:10:42.462111158 -0500
@@ -105,6 +105,8 @@
 dontaudit $1_mozilla_t bin_t:dir getattr;
 dontaudit $1_mozilla_t port_type:tcp_socket name_bind;
 dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms;
+# running mplayer within firefox asks for this
+allow $1_mozilla_t clock_device_t:chr_file r_file_perms;
 # Mozilla tries to delete .fonts.cache-1
 dontaudit $1_mozilla_t $1_home_t:file unlink;
 dontaudit $1_mozilla_t tmpfile:file getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mta_macros.te policy-1.19.2/macros/program/mta_macros.te
--- nsapolicy/macros/program/mta_macros.te	2004-11-18 08:13:59.000000000 -0500
+++ policy-1.19.2/macros/program/mta_macros.te	2004-11-18 09:11:15.394395389 -0500
@@ -61,9 +61,11 @@
 domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
 allow privmail sendmail_exec_t:lnk_file { getattr read };
 
+ifdef(`crond.te', `
 # Read cron temporary files.
 allow system_mail_t system_crond_tmp_t:file { read getattr ioctl };
 allow mta_user_agent system_crond_tmp_t:file { read getattr };
+')
 allow system_mail_t initrc_devpts_t:chr_file { read write getattr };
 
 ', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xserver_macros.te policy-1.19.2/macros/program/xserver_macros.te
--- nsapolicy/macros/program/xserver_macros.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.2/macros/program/xserver_macros.te	2004-11-18 09:12:18.809240254 -0500
@@ -27,9 +27,11 @@
 ifdef(`distro_redhat', `
 type $1_xserver_t, domain, privlog, privmem, privmodule, nscd_client_domain;
 allow $1_xserver_t sysctl_modprobe_t:file { getattr read };
+ifdef(`rpm.te', `
 allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr };
 allow $1_xserver_t rpm_tmpfs_t:file { read write };
 allow $1_xserver_t rpm_t:fd use;
+')
 
 ', `
 type $1_xserver_t, domain, privlog, privmem, nscd_client_domain;
@@ -148,6 +150,7 @@
 allow xdm_xserver_t xdm_t:process signal;
 allow xdm_xserver_t xdm_t:shm rw_shm_perms;
 allow xdm_t xdm_xserver_t:shm rw_shm_perms;
+dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
 ')
 ', `
 allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.19.2/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te	2004-11-18 08:14:00.000000000 -0500
+++ policy-1.19.2/targeted/domains/unconfined.te	2004-11-18 08:48:23.928138750 -0500
@@ -45,4 +45,7 @@
 # Allow system to run with NIS
 bool allow_ypbind false;
 
+# Allow system to run with Kerberos
+bool allow_kerberos false;
+
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.19.2/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-20 13:57:29.000000000 -0400
+++ policy-1.19.2/tunables/distro.tun	2004-11-18 08:48:23.929138637 -0500
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.19.2/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.2/tunables/tunable.tun	2004-11-18 08:48:23.929138637 -0500
@@ -1,27 +1,27 @@
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
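Review bot: this hunk changes the shipped defaults in tunable.tun, turning on `user_can_mount`, `unlimitedRPM`, `unlimitedUtils`, `unlimitedRC`, `hide_broken_symptoms` and `user_canbe_sysadm`; by the file's own comments that means rpm, hotplug/insmod, the rc scripts and every daemon they start without an explicit transition all run unconfined, and user_r can reach sysadm_r. Those are distribution choices, like the `define(`distro_redhat')` flipped in the distro.tun hunk above, and do not belong in the upstream defaults; keep them in the Red Hat build configuration (or under a distro_redhat ifdef) and leave the `dnl` prefixes here.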


* can_network patch.
  2004-11-17 20:15             ` James Carter
  2004-11-18 14:32               ` Daniel J Walsh
@ 2004-11-18 14:33               ` Daniel J Walsh
  2004-11-23 18:52                 ` James Carter
  1 sibling, 1 reply; 64+ messages in thread
From: Daniel J Walsh @ 2004-11-18 14:33 UTC (permalink / raw)
  To: jwcart2; +Cc: Russell Coker, Thomas Bleher, SELinux

[-- Attachment #1: Type: text/plain, Size: 1 bytes --]



[-- Attachment #2: policy-network.patch --]
[-- Type: text/x-patch, Size: 31941 bytes --]

diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/ssh.te policy-1.19.2.good/domains/program/ssh.te
--- policy-1.19.2/domains/program/ssh.te	2004-11-18 08:14:48.000000000 -0500
+++ policy-1.19.2.good/domains/program/ssh.te	2004-11-18 08:35:53.834772235 -0500
@@ -69,6 +69,7 @@
 allow $1_t urandom_device_t:chr_file { getattr read };
 
 can_network($1_t)
+allow $1_t self:{ udp_socket tcp_socket } connect;
 
 allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
 allow $1_t { home_root_t home_dir_type }:dir { search getattr };
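Review bot: adding `allow $1_t self:{ udp_socket tcp_socket } connect;` by hand after every `can_network()` call (this file, then apache, cups, cyrus, dhcpc, dhcpd and dovecot below) is going to drift, and already has: ssh and apache get both socket classes, canna and dhcpc get tcp only. Give `can_network` a companion macro or an argument that emits the connect rule, so the decision is made once per macro rather than once per domain, and include the hunk that changes the `can_network` definition itself in this mail, since these additions only make sense if the macro no longer grants connect.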
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/apache.te policy-1.19.2.good/domains/program/unused/apache.te
--- policy-1.19.2/domains/program/unused/apache.te	2004-11-18 08:50:10.113157831 -0500
+++ policy-1.19.2.good/domains/program/unused/apache.te	2004-11-18 08:35:53.836772009 -0500
@@ -140,6 +140,7 @@
 
 can_network(httpd_t)
 can_ypbind(httpd_t)
+allow httpd_t self:{ tcp_socket udp_socket } connect;
 
 ###################
 # Allow httpd to search users diretories
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/canna.te policy-1.19.2.good/domains/program/unused/canna.te
--- policy-1.19.2/domains/program/unused/canna.te	2004-11-18 08:14:51.000000000 -0500
+++ policy-1.19.2.good/domains/program/unused/canna.te	2004-11-18 08:35:53.837771897 -0500
@@ -28,8 +28,9 @@
 
 rw_dir_create_file(canna_t, canna_var_lib_t)
 
-can_network(canna_t)
+can_tcp_network(canna_t)
 can_ypbind(canna_t)
+allow canna_t self:tcp_socket connect;
 
 allow userdomain canna_var_run_t:dir search;
 allow userdomain canna_var_run_t:sock_file write;
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/cups.te policy-1.19.2.good/domains/program/unused/cups.te
--- policy-1.19.2/domains/program/unused/cups.te	2004-11-18 08:51:22.563983161 -0500
+++ policy-1.19.2.good/domains/program/unused/cups.te	2004-11-18 08:35:53.839771671 -0500
@@ -19,6 +19,7 @@
 typealias cupsd_rw_etc_t alias etc_cupsd_rw_t;
 
 can_network(cupsd_t)
+allow cupsd_t self:{ tcp_socket udp_socket } connect;
 
 logdir_domain(cupsd)
 
@@ -194,6 +195,7 @@
 
 can_network(cupsd_config_t)
 can_tcp_connect(cupsd_config_t, cupsd_t)
+allow cupsd_config_t self:tcp_socket connect;
 allow cupsd_config_t self:fifo_file rw_file_perms;
 
 allow cupsd_config_t self:unix_stream_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/cyrus.te policy-1.19.2.good/domains/program/unused/cyrus.te
--- policy-1.19.2/domains/program/unused/cyrus.te	2004-11-18 08:51:47.260196672 -0500
+++ policy-1.19.2.good/domains/program/unused/cyrus.te	2004-11-18 08:35:53.839771671 -0500
@@ -20,6 +20,7 @@
 
 can_network(cyrus_t)
 can_ypbind(cyrus_t)
+allow cyrus_t self:{ tcp_socket udp_socket } connect;
 can_exec(cyrus_t, bin_t)
 allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
 allow cyrus_t cyrus_var_lib_t:{file sock_file } create_file_perms;
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/dhcpc.te policy-1.19.2.good/domains/program/unused/dhcpc.te
--- policy-1.19.2/domains/program/unused/dhcpc.te	2004-11-18 08:14:53.000000000 -0500
+++ policy-1.19.2.good/domains/program/unused/dhcpc.te	2004-11-18 08:52:51.492949252 -0500
@@ -22,8 +22,9 @@
 # for SSP
 allow dhcpc_t urandom_device_t:chr_file read;
 
-can_network(dhcpc_t)
+can_network(dhcpc_t, `{ dhcpc_port_t dhcpd_port_t }')
 can_ypbind(dhcpc_t)
+allow dhcpc_t self:tcp_socket connect;
 allow dhcpc_t self:unix_dgram_socket create_socket_perms;
 allow dhcpc_t self:unix_stream_socket create_socket_perms;
 allow dhcpc_t self:fifo_file rw_file_perms;
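Review bot: the port restriction in `can_network(dhcpc_t, `{ dhcpc_port_t dhcpd_port_t }')` is cancelled by `can_ypbind(dhcpc_t)` on the following line, which expands to an unrestricted `can_network($1)` (see the ypbind_macros.te hunk), so send_msg/recv_msg stays allowed to every port_type; drop or guard the ypbind call if the restriction is meant to hold. Separately, DHCP runs over UDP, so `allow dhcpc_t self:tcp_socket connect;` looks like the wrong socket class; if the client only needs connect for the resolver, `udp_socket connect` (or the new can_resolve macro) is the narrower grant.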
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/dhcpd.te policy-1.19.2.good/domains/program/unused/dhcpd.te
--- policy-1.19.2/domains/program/unused/dhcpd.te	2004-11-18 08:53:24.057275000 -0500
+++ policy-1.19.2.good/domains/program/unused/dhcpd.te	2004-11-18 08:35:53.840771558 -0500
@@ -31,6 +31,7 @@
 # Use the network.
 can_network(dhcpd_t)
 can_ypbind(dhcpd_t)
+allow dhcpd_t self:tcp_socket connect;
 allow dhcpd_t self:unix_dgram_socket create_socket_perms;
 allow dhcpd_t self:unix_stream_socket create_socket_perms;
 allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/dovecot.te policy-1.19.2.good/domains/program/unused/dovecot.te
--- policy-1.19.2/domains/program/unused/dovecot.te	2004-11-18 08:14:48.000000000 -0500
+++ policy-1.19.2.good/domains/program/unused/dovecot.te	2004-11-18 08:35:53.841771445 -0500
@@ -15,6 +15,8 @@
 allow dovecot_t self:process setrlimit;
 can_network(dovecot_t)
 can_ypbind(dovecot_t)
+allow dovecot_t self:tcp_socket connect;
+
 allow dovecot_t self:unix_dgram_socket create_socket_perms;
 allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
 can_unix_connect(dovecot_t, self)
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/ftpd.te policy-1.19.2.good/domains/program/unused/ftpd.te
--- policy-1.19.2/domains/program/unused/ftpd.te	2004-11-18 08:54:09.695125653 -0500
+++ policy-1.19.2.good/domains/program/unused/ftpd.te	2004-11-18 08:35:53.842771333 -0500
@@ -16,6 +16,7 @@
 typealias ftpd_etc_t alias etc_ftpd_t;
 
 can_network(ftpd_t)
+allow ftpd_t self:udp_socket connect;
 allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
 allow ftpd_t self:unix_stream_socket create_socket_perms;
 allow ftpd_t self:process { getcap setcap setsched setrlimit };
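Review bot: ftpd_t receives `udp_socket connect` only, but an FTP server serving active-mode transfers opens the data connection itself with connect() on a TCP socket, and that permission is no longer implied by can_network once base_can_network switches to connected_socket_perms; unless active mode is intentionally being denied, add `allow ftpd_t self:tcp_socket connect;` as the other daemon hunks do.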
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/i18n_input.te policy-1.19.2.good/domains/program/unused/i18n_input.te
--- policy-1.19.2/domains/program/unused/i18n_input.te	2004-11-18 08:14:53.000000000 -0500
+++ policy-1.19.2.good/domains/program/unused/i18n_input.te	2004-11-18 08:35:53.842771333 -0500
@@ -11,6 +11,7 @@
 can_exec(i18n_input_t, i18n_input_exec_t)
 can_network(i18n_input_t)
 can_ypbind(i18n_input_t)
+allow i18n_input_t self:udp_socket connect;
 
 can_tcp_connect(userdomain, i18n_input_t)
 
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/inetd.te policy-1.19.2.good/domains/program/unused/inetd.te
--- policy-1.19.2/domains/program/unused/inetd.te	2004-11-18 08:14:56.000000000 -0500
+++ policy-1.19.2.good/domains/program/unused/inetd.te	2004-11-18 08:35:53.843771220 -0500
@@ -21,6 +21,8 @@
 daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
 
 can_network(inetd_t)
+allow inetd_t self:{ tcp_socket udp_socket } connect;
+
 allow inetd_t self:unix_dgram_socket create_socket_perms;
 allow inetd_t self:unix_stream_socket create_socket_perms;
 allow inetd_t self:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/innd.te policy-1.19.2.good/domains/program/unused/innd.te
--- policy-1.19.2/domains/program/unused/innd.te	2004-11-18 08:54:50.625507454 -0500
+++ policy-1.19.2.good/domains/program/unused/innd.te	2004-11-18 08:35:53.843771220 -0500
@@ -30,6 +30,7 @@
 
 can_network(innd_t)
 can_ypbind(innd_t)
+allow innd_t self:udp_socket connect;
 
 can_unix_send( { innd_t sysadm_t }, { innd_t sysadm_t } )
 allow innd_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/kerberos.te policy-1.19.2.good/domains/program/unused/kerberos.te
--- policy-1.19.2/domains/program/unused/kerberos.te	2004-11-18 08:14:50.000000000 -0500
+++ policy-1.19.2.good/domains/program/unused/kerberos.te	2004-11-18 08:35:53.844771107 -0500
@@ -16,10 +16,6 @@
 #
 # Rules for the krb5kdc_t,kadmind_t domains.
 #
-type kerberos_port_t, port_type, reserved_port_type;
-type kerberos_admin_port_t, port_type, reserved_port_type;
-type kerberos_master_port_t, port_type;
-
 daemon_domain(krb5kdc)
 daemon_domain(kadmind)
 
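Review bot: removing the three kerberos_*_port_t declarations here only compiles together with the types/network.te hunk that re-declares them unconditionally, and with the net_contexts change that drops the `ifdef(`kerberos.te', ...)` guard; the three hunks must land in one commit or a tree with kerberos.te disabled will fail to build. A sentence in the commit message saying the Kerberos port types are now global would help the next reader.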
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/mailman.te policy-1.19.2.good/domains/program/unused/mailman.te
--- policy-1.19.2/domains/program/unused/mailman.te	2004-11-18 08:14:49.000000000 -0500
+++ policy-1.19.2.good/domains/program/unused/mailman.te	2004-11-18 08:35:53.845770994 -0500
@@ -29,12 +29,14 @@
 allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
 allow mailman_$1_t fs_t:filesystem getattr;
 can_network(mailman_$1_t)
+allow mailman_$1_t self:udp_socket connect;
 allow mailman_$1_t self:unix_stream_socket create_socket_perms;
 allow mailman_$1_t var_t:dir r_dir_perms;
 ')
 
 mailman_domain(queue, `, auth_chkpwd, nscd_client_domain')
 can_tcp_connect(mailman_queue_t, mail_server_domain)
+allow mailman_queue_t self:tcp_socket connect;
 
 can_exec(mailman_queue_t, su_exec_t)
 allow mailman_queue_t self:capability { setgid setuid };
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/named.te policy-1.19.2.good/domains/program/unused/named.te
--- policy-1.19.2/domains/program/unused/named.te	2004-11-18 08:55:41.707743815 -0500
+++ policy-1.19.2.good/domains/program/unused/named.te	2004-11-18 08:35:53.847770768 -0500
@@ -51,6 +51,8 @@
 #Named can use network
 can_network(named_t)
 can_ypbind(named_t)
+allow named_t self:tcp_socket connect;
+
 # allow UDP transfer to/from any program
 can_udp_send(domain, named_t)
 can_udp_send(named_t, domain)
@@ -102,6 +104,8 @@
 uses_shlib(ndc_t)
 can_network(ndc_t)
 can_ypbind(ndc_t)
+allow ndc_t self:tcp_socket connect;
+can_resolve(ndc_t)
 read_locale(ndc_t)
 can_tcp_connect(ndc_t, named_t)
 
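Review bot: `can_resolve(ndc_t)` is redundant here, because `can_network(ndc_t)` two lines above already grants send_msg/recv_msg to every port_type, and the macro re-emits the netif/node/net_conf_t rules a second time; the only effect that survives is `allow ndc_t self:udp_socket connect;`. Writing that directly, or `self:{ tcp_socket udp_socket } connect` as the other hunks do, is clearer and consistent with the rest of the patch.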
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/nscd.te policy-1.19.2.good/domains/program/unused/nscd.te
--- policy-1.19.2/domains/program/unused/nscd.te	2004-11-18 08:14:48.000000000 -0500
+++ policy-1.19.2.good/domains/program/unused/nscd.te	2004-11-18 08:35:53.847770768 -0500
@@ -24,6 +24,7 @@
 allow nscd_t etc_t:lnk_file read;
 can_network(nscd_t)
 can_ypbind(nscd_t)
+allow nscd_t self:{ tcp_socket udp_socket } connect;
 
 file_type_auto_trans(nscd_t, var_run_t, nscd_var_run_t, sock_file)
 
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/ntpd.te policy-1.19.2.good/domains/program/unused/ntpd.te
--- policy-1.19.2/domains/program/unused/ntpd.te	2004-11-18 09:16:48.946760475 -0500
+++ policy-1.19.2.good/domains/program/unused/ntpd.te	2004-11-18 08:35:53.848770656 -0500
@@ -39,6 +39,7 @@
 # Use the network.
 can_network(ntpd_t)
 can_ypbind(ntpd_t)
+allow ntpd_t self:{ tcp_socket udp_socket } connect;
 allow ntpd_t ntp_port_t:udp_socket name_bind;
 allow ntpd_t self:unix_dgram_socket create_socket_perms;
 allow ntpd_t self:unix_stream_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/ping.te policy-1.19.2.good/domains/program/unused/ping.te
--- policy-1.19.2/domains/program/unused/ping.te	2004-11-18 08:14:51.000000000 -0500
+++ policy-1.19.2.good/domains/program/unused/ping.te	2004-11-18 08:35:53.848770656 -0500
@@ -35,6 +35,7 @@
 can_ypbind(ping_t)
 allow ping_t etc_t:file { getattr read };
 allow ping_t self:unix_stream_socket create_socket_perms;
+allow ping_t self:{ tcp_socket udp_socket } connect;
 
 # Let ping create raw ICMP packets.
 allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
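Review bot: granting ping_t `tcp_socket connect` is unexplained; ping works on the raw ICMP socket allowed on the next line, and the connect() it performs on a UDP socket to discover its source address is covered by `udp_socket connect`. Unless a TCP use is known, drop tcp_socket here (and in the traceroute.te hunk below, which has the same shape) so these tools cannot open TCP connections.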
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/postfix.te policy-1.19.2.good/domains/program/unused/postfix.te
--- policy-1.19.2/domains/program/unused/postfix.te	2004-11-18 08:14:50.000000000 -0500
+++ policy-1.19.2.good/domains/program/unused/postfix.te	2004-11-18 08:35:53.849770543 -0500
@@ -119,6 +119,8 @@
 allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
 can_network(postfix_master_t)
 can_ypbind(postfix_master_t)
+allow postfix_master_t self:{ tcp_socket udp_socket } connect;
+
 allow postfix_master_t smtp_port_t:tcp_socket name_bind;
 allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
 allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
@@ -158,6 +160,7 @@
 allow postfix_$1_t self:capability { setuid setgid dac_override };
 can_network(postfix_$1_t)
 can_ypbind(postfix_$1_t)
+allow postfix_$1_t self:{ tcp_socket udp_socket } connect;
 ')
 
 postfix_server_domain(smtp, `, mail_server_sender')
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/postgresql.te policy-1.19.2.good/domains/program/unused/postgresql.te
--- policy-1.19.2/domains/program/unused/postgresql.te	2004-11-18 08:57:40.718315780 -0500
+++ policy-1.19.2.good/domains/program/unused/postgresql.te	2004-11-18 08:35:53.850770430 -0500
@@ -14,6 +14,7 @@
 daemon_domain(postgresql)
 allow initrc_t postgresql_exec_t:lnk_file read;
 allow postgresql_t usr_t:file { getattr read };
+allow postgresql_t self:udp_socket connect;
 
 allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
 
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/privoxy.te policy-1.19.2.good/domains/program/unused/privoxy.te
--- policy-1.19.2/domains/program/unused/privoxy.te	2004-11-18 08:14:49.000000000 -0500
+++ policy-1.19.2.good/domains/program/unused/privoxy.te	2004-11-18 08:35:53.851770317 -0500
@@ -18,6 +18,7 @@
 # Use the network.
 can_network(privoxy_t)
 allow privoxy_t port_t:{ tcp_socket udp_socket } name_bind;
+allow privoxy_t self:{ tcp_socket udp_socket } connect;
 allow privoxy_t etc_t:file { getattr read };
 allow privoxy_t self:capability { setgid setuid };
 allow privoxy_t self:unix_stream_socket create_socket_perms ;
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/rpcd.te policy-1.19.2.good/domains/program/unused/rpcd.te
--- policy-1.19.2/domains/program/unused/rpcd.te	2004-11-18 08:58:17.120208533 -0500
+++ policy-1.19.2.good/domains/program/unused/rpcd.te	2004-11-18 08:35:53.851770317 -0500
@@ -14,6 +14,7 @@
 daemon_base_domain($1)
 can_network($1_t)
 can_ypbind($1_t)
+allow $1_t self:{ udp_socket tcp_socket } connect;
 allow $1_t etc_t:file { getattr read };
 read_locale($1_t)
 allow $1_t self:capability net_bind_service;
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/sendmail.te policy-1.19.2.good/domains/program/unused/sendmail.te
--- policy-1.19.2/domains/program/unused/sendmail.te	2004-11-18 08:14:51.000000000 -0500
+++ policy-1.19.2.good/domains/program/unused/sendmail.te	2004-11-18 08:35:53.852770204 -0500
@@ -27,6 +27,7 @@
 # Use the network.
 can_network(sendmail_t)
 can_ypbind(sendmail_t)
+allow sendmail_t self:{ tcp_socket udp_socket } connect;
 
 allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
 allow sendmail_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/slapd.te policy-1.19.2.good/domains/program/unused/slapd.te
--- policy-1.19.2/domains/program/unused/slapd.te	2004-11-18 08:14:51.000000000 -0500
+++ policy-1.19.2.good/domains/program/unused/slapd.te	2004-11-18 08:35:53.852770204 -0500
@@ -30,6 +30,7 @@
 allow slapd_t self:unix_dgram_socket create_socket_perms;
 # allow any domain to connect to the LDAP server
 can_tcp_connect(domain, slapd_t)
+allow slapd_t self:{ tcp_socket udp_socket } connect;
 
 # Use capabilities  should not need kill...
 allow slapd_t self:capability { kill setgid setuid net_bind_service net_raw };
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/snmpd.te policy-1.19.2.good/domains/program/unused/snmpd.te
--- policy-1.19.2/domains/program/unused/snmpd.te	2004-11-18 08:58:52.256244113 -0500
+++ policy-1.19.2.good/domains/program/unused/snmpd.te	2004-11-18 08:35:53.853770092 -0500
@@ -15,6 +15,7 @@
 
 can_network(snmpd_t)
 can_ypbind(snmpd_t)
+allow snmpd_t self:{ tcp_socket udp_socket } connect;
 
 type snmp_port_t, port_type, reserved_port_type;
 allow snmpd_t snmp_port_t:{ udp_socket tcp_socket } name_bind;
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/spamd.te policy-1.19.2.good/domains/program/unused/spamd.te
--- policy-1.19.2/domains/program/unused/spamd.te	2004-11-18 08:14:53.000000000 -0500
+++ policy-1.19.2.good/domains/program/unused/spamd.te	2004-11-18 08:35:53.853770092 -0500
@@ -24,6 +24,7 @@
 dontaudit spamd_t sysadm_home_dir_t:dir getattr;
 
 can_network(spamd_t)
+allow spamd_t self:{ tcp_socket udp_socket } connect;
 allow spamd_t self:capability net_bind_service;
 
 allow spamd_t proc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/squid.te policy-1.19.2.good/domains/program/unused/squid.te
--- policy-1.19.2/domains/program/unused/squid.te	2004-11-18 08:59:29.988986705 -0500
+++ policy-1.19.2.good/domains/program/unused/squid.te	2004-11-18 08:35:53.854769979 -0500
@@ -55,6 +55,7 @@
 can_network(squid_t)
 can_ypbind(squid_t)
 can_tcp_connect(web_client_domain, squid_t)
+allow squid_t self:{ tcp_socket udp_socket } connect;
 
 # tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts)
 allow squid_t http_cache_port_t:tcp_socket name_bind;
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/traceroute.te policy-1.19.2.good/domains/program/unused/traceroute.te
--- policy-1.19.2/domains/program/unused/traceroute.te	2004-11-18 08:14:54.000000000 -0500
+++ policy-1.19.2.good/domains/program/unused/traceroute.te	2004-11-18 08:35:53.855769866 -0500
@@ -20,6 +20,7 @@
 uses_shlib(traceroute_t)
 can_network(traceroute_t)
 can_ypbind(traceroute_t)
+allow traceroute_t self:{ tcp_socket udp_socket } connect;
 allow traceroute_t node_t:rawip_socket node_bind;
 type traceroute_exec_t, file_type, sysadmfile, exec_type;
 
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/vpnc.te policy-1.19.2.good/domains/program/unused/vpnc.te
--- policy-1.19.2/domains/program/unused/vpnc.te	2004-11-18 09:17:37.765252256 -0500
+++ policy-1.19.2.good/domains/program/unused/vpnc.te	2004-11-18 08:35:53.855769866 -0500
@@ -17,6 +17,7 @@
 # Use the network.
 can_network(vpnc_t)
 can_ypbind(vpnc_t)
+allow vpnc_t self:udp_socket connect;
 allow vpnc_t self:socket create_socket_perms;
 
 # Use capabilities.
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/xdm.te policy-1.19.2.good/domains/program/unused/xdm.te
--- policy-1.19.2/domains/program/unused/xdm.te	2004-11-18 09:01:02.054598887 -0500
+++ policy-1.19.2.good/domains/program/unused/xdm.te	2004-11-18 08:35:53.856769753 -0500
@@ -46,6 +46,7 @@
 allow xdm_t default_context_t:file { read getattr };
 
 can_network(xdm_t)
+allow xdm_t self:udp_socket connect;
 allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow xdm_t self:unix_dgram_socket create_socket_perms;
 allow xdm_t self:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/ypbind.te policy-1.19.2.good/domains/program/unused/ypbind.te
--- policy-1.19.2/domains/program/unused/ypbind.te	2004-11-18 08:14:53.000000000 -0500
+++ policy-1.19.2.good/domains/program/unused/ypbind.te	2004-11-18 08:35:53.857769640 -0500
@@ -20,6 +20,7 @@
 # Use the network.
 can_network(ypbind_t)
 allow ypbind_t port_t:{ tcp_socket udp_socket } name_bind;
+allow ypbind_t self:{ tcp_socket udp_socket } connect;
 
 allow ypbind_t self:fifo_file rw_file_perms;
 
diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/base_user_macros.te policy-1.19.2.good/macros/base_user_macros.te
--- policy-1.19.2/macros/base_user_macros.te	2004-11-18 09:01:27.432735456 -0500
+++ policy-1.19.2.good/macros/base_user_macros.te	2004-11-18 08:35:53.862769076 -0500
@@ -196,6 +196,7 @@
 # Use the network.
 can_network($1_t)
 can_ypbind($1_t)
+allow $1_t self:{ tcp_socket udp_socket } connect;
 
 ifdef(`pamconsole.te', `
 allow $1_t pam_var_console_t:dir search;
diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/global_macros.te policy-1.19.2.good/macros/global_macros.te
--- policy-1.19.2/macros/global_macros.te	2004-11-18 08:14:45.000000000 -0500
+++ policy-1.19.2.good/macros/global_macros.te	2004-11-18 08:35:53.865768738 -0500
@@ -118,64 +118,6 @@
 
 #################################
 #
-# can_network(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network',`
-#
-# Allow the domain to create and use UDP and TCP sockets.
-# Other kinds of sockets must be separately authorized for use.
-allow $1 self:udp_socket create_socket_perms;
-allow $1 self:tcp_socket create_stream_socket_perms;
-
-#
-# Allow the domain to send or receive using any network interface.
-# netif_type is a type attribute for all network interface types.
-#
-allow $1 netif_type:netif { tcp_send udp_send rawip_send };
-allow $1 netif_type:netif { tcp_recv udp_recv rawip_recv };
-
-#
-# Allow the domain to send to or receive from any node.
-# node_type is a type attribute for all node types.
-#
-allow $1 node_type:node { tcp_send udp_send rawip_send };
-allow $1 node_type:node { tcp_recv udp_recv rawip_recv };
-
-#
-# Allow the domain to send to or receive from any port.
-# port_type is a type attribute for all port types.
-#
-allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg };
-
-#
-# Allow the domain to send NFS client requests via the socket
-# created by mount.
-#
-allow $1 mount_t:udp_socket rw_socket_perms;
-
-#
-# Bind to the default port type.
-# Other port types must be separately authorized.
-#
-#allow $1 port_t:udp_socket name_bind;
-#allow $1 port_t:tcp_socket name_bind;
-
-# XXX Allow binding to any node type.  Remove once
-# individual rules have been added to all domains that 
-# bind sockets. 
-allow $1 node_type: { tcp_socket udp_socket } node_bind;
-#
-# Allow access to network files including /etc/resolv.conf
-#
-allow $1 net_conf_t:file r_file_perms;
-')dnl end can_network definition
-
-#################################
-#
 # can_sysctl(domain)
 #
 # Permissions for modifying sysctl parameters.
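Review bot: the definition removed here granted connect implicitly, because create_socket_perms and create_stream_socket_perms include connect, whereas the replacement in macros/network_macros.te uses connected_socket_perms, which does not. Every can_network caller that makes outbound connections therefore needs an explicit `self:... connect` rule from now on; this patch adds them only for files under domains/program/unused and macros/, so any other caller of can_network (or of can_ypbind, which expands to it) that connects outward will start being denied. Please grep the whole tree for can_network callers before merging and state the semantic change in the commit message.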
diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/network_macros.te policy-1.19.2.good/macros/network_macros.te
--- policy-1.19.2/macros/network_macros.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.19.2.good/macros/network_macros.te	2004-11-18 08:35:53.865768738 -0500
@@ -0,0 +1,103 @@
+#################################
+#
+# can_network(domain)
+#
+# Permissions for accessing the network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`base_can_network',`
+#
+# Allow the domain to create and use $2 sockets.
+# Other kinds of sockets must be separately authorized for use.
+allow $1 self:$2_socket connected_socket_perms;
+
+#
+# Allow the domain to send or receive using any network interface.
+# netif_type is a type attribute for all network interface types.
+#
+allow $1 netif_type:netif { $2_send rawip_send };
+allow $1 netif_type:netif { $2_recv rawip_recv };
+
+#
+# Allow the domain to send to or receive from any node.
+# node_type is a type attribute for all node types.
+#
+allow $1 node_type:node { $2_send rawip_send };
+allow $1 node_type:node { $2_recv rawip_recv };
+
+#
+# Allow the domain to send to or receive from any port.
+# port_type is a type attribute for all port types.
+#
+ifelse($3, `', `
+allow $1 port_type:$2_socket { send_msg recv_msg };
+', `
+allow $1 $3:$2_socket { send_msg recv_msg };
+')
+
+# XXX Allow binding to any node type.  Remove once
+# individual rules have been added to all domains that 
+# bind sockets. 
+allow $1 node_type:$2_socket node_bind;
+#
+# Allow access to network files including /etc/resolv.conf
+#
+allow $1 net_conf_t:file r_file_perms;
+')dnl end can_network definition
+
+#################################
+#
+# can_tcp_network(domain)
+#
+# Permissions for accessing a tcp network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_tcp_network',`
+base_can_network($1, tcp, `$2')
+allow $1 self:tcp_socket { listen accept };
+')
+
+#################################
+#
+# can_udp_network(domain)
+#
+# Permissions for accessing a udp network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_udp_network',`
+base_can_network($1, udp, `$2')
+')
+
+#################################
+#
+# can_network(domain)
+#
+# Permissions for accessing the network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_network',`
+
+can_tcp_network($1, `$2')
+can_udp_network($1, `$2')
+
+#
+# Allow the domain to send NFS client requests via the socket
+# created by mount.
+#
+allow $1 mount_t:udp_socket rw_socket_perms;
+
+')dnl end can_network definition
+
+define(`can_resolve',`
+can_udp_network($1, `dns_port_t')
+allow $1 self:udp_socket connect;
+')
+define(`can_ldap',`
+can_tcp_network($1, `ldap_port_t')
+allow $1 self:tcp_socket connect;
+')
+
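Review bot: can_tcp_network grants `self:tcp_socket { listen accept }` to every caller, so the client-side macro built on it (can_ldap) and can_network itself hand server permissions to domains that only dial out, as the old macro also did; splitting listen/accept into a separate macro would let can_ldap grant only connected_socket_perms plus connect. Two further points on this file: confirm that connected_socket_perms in core_macros.te includes `create`, because if it is the set without create no can_network caller will be able to create sockets at all; and the header comment at the top and the trailing `dnl end can_network definition` both say can_network while the macro defined there is base_can_network, whose $2 (tcp or udp) and $3 (port type, defaulting to port_type) arguments are the ones that need documenting. The file also assumes dns_port_t and ldap_port_t are declared elsewhere; neither is touched by this patch.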
diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/program/chkpwd_macros.te policy-1.19.2.good/macros/program/chkpwd_macros.te
--- policy-1.19.2/macros/program/chkpwd_macros.te	2004-11-18 08:14:45.000000000 -0500
+++ policy-1.19.2.good/macros/program/chkpwd_macros.te	2004-11-18 08:35:53.904764338 -0500
@@ -22,6 +22,8 @@
 can_getcon($1_chkpwd_t)
 can_ypbind($1_chkpwd_t)
 can_kerberos($1_chkpwd_t)
+can_ldap($1_chkpwd_t)
+can_resolve($1_chkpwd_t)
 # Transition from the user domain to this domain.
 ifelse($1, system, `
 domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
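Review bot: can_ldap and can_resolve are added to every $1_chkpwd_t unconditionally, whereas the neighbouring can_kerberos only grants network access under `if (allow_kerberos)`; the password-check helper now gets netif and node send/receive on all interfaces on every system, whether or not it uses LDAP. Guarding these two calls the same way (a boolean or an ifdef) would keep the helper offline where it has no reason to talk to the network.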
@@ -31,6 +33,8 @@
 dontaudit $1_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
 can_ypbind(auth_chkpwd)
 can_kerberos(auth_chkpwd)
+can_ldap(auth_chkpwd)
+can_resolve(auth_chkpwd)
 ', `
 domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
 allow $1_t sbin_t:dir search;
diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/program/crond_macros.te policy-1.19.2.good/macros/program/crond_macros.te
--- policy-1.19.2/macros/program/crond_macros.te	2004-11-18 08:14:44.000000000 -0500
+++ policy-1.19.2.good/macros/program/crond_macros.te	2004-11-18 08:35:53.905764225 -0500
@@ -68,6 +68,7 @@
 # This domain is granted permissions common to most domains.
 can_network($1_crond_t)
 can_ypbind($1_crond_t)
+allow $1_crond_t self:{ tcp_socket udp_socket } connect;
 r_dir_file($1_crond_t, self)
 allow $1_crond_t self:fifo_file rw_file_perms;
 allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/program/kerberos_macros.te policy-1.19.2.good/macros/program/kerberos_macros.te
--- policy-1.19.2/macros/program/kerberos_macros.te	2004-11-18 09:08:04.893889675 -0500
+++ policy-1.19.2.good/macros/program/kerberos_macros.te	2004-11-18 08:35:53.906764112 -0500
@@ -1,7 +1,8 @@
 define(`can_kerberos',`
 ifdef(`kerberos.te',`
 if (allow_kerberos) {
-can_network($1)
+allow $1 self:{ udp_socket tcp_socket } connect;
+can_network($1, `kerberos_port_t')
 dontaudit $1 krb5_conf_t:file write;
 allow $1 krb5_conf_t:file { getattr read };
 }
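Review bot: `can_network($1, `kerberos_port_t')` limits send_msg/recv_msg to kerberos_port_t, but the net_contexts hunks in this same patch map tcp/udp 749 to kerberos_admin_port_t and 4444 to kerberos_master_port_t, so any can_kerberos domain that needs kadmin or master-port traffic will be denied; pass `{ kerberos_port_t kerberos_admin_port_t kerberos_master_port_t }` or document that only KDC traffic is intended.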
diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/program/lpr_macros.te policy-1.19.2.good/macros/program/lpr_macros.te
--- policy-1.19.2/macros/program/lpr_macros.te	2004-11-18 09:09:14.527032926 -0500
+++ policy-1.19.2.good/macros/program/lpr_macros.te	2004-11-18 08:35:53.906764112 -0500
@@ -103,6 +103,7 @@
 
 # Connect to lpd via a TCP socket.
 can_tcp_connect($1_lpr_t, lpd_t)
+allow $1_lpr_t self:tcp_socket connect;
 
 allow $1_lpr_t fs_t:filesystem getattr;
 # Send SIGHUP to lpd.
diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/program/mozilla_macros.te policy-1.19.2.good/macros/program/mozilla_macros.te
--- policy-1.19.2/macros/program/mozilla_macros.te	2004-11-18 09:10:42.462111158 -0500
+++ policy-1.19.2.good/macros/program/mozilla_macros.te	2004-11-18 09:10:17.656909944 -0500
@@ -17,6 +17,7 @@
 #
 define(`mozilla_domain',`
 x_client_domain($1, mozilla, `, web_client_domain, privlog')
+allow $1_mozilla_t self:{ tcp_socket udp_socket } connect;
 
 allow $1_mozilla_t sound_device_t:chr_file rw_file_perms;
 
diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/program/mta_macros.te policy-1.19.2.good/macros/program/mta_macros.te
--- policy-1.19.2/macros/program/mta_macros.te	2004-11-18 09:11:15.394395389 -0500
+++ policy-1.19.2.good/macros/program/mta_macros.te	2004-11-18 08:35:53.908763887 -0500
@@ -37,6 +37,7 @@
 can_ypbind($1_mail_t)
 allow $1_mail_t self:unix_dgram_socket create_socket_perms;
 allow $1_mail_t self:unix_stream_socket create_socket_perms;
+allow $1_mail_t self:{ tcp_socket udp_socket } connect;
 
 read_locale($1_mail_t)
 read_sysctl($1_mail_t)
diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/program/ssh_macros.te policy-1.19.2.good/macros/program/ssh_macros.te
--- policy-1.19.2/macros/program/ssh_macros.te	2004-11-18 08:14:45.000000000 -0500
+++ policy-1.19.2.good/macros/program/ssh_macros.te	2004-11-18 08:35:53.909763774 -0500
@@ -84,6 +84,7 @@
 # to access the network.
 can_network($1_ssh_t)
 can_ypbind($1_ssh_t)
+allow $1_ssh_t self:{ tcp_socket udp_socket } connect;
 
 # Use capabilities.
 allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/program/xserver_macros.te policy-1.19.2.good/macros/program/xserver_macros.te
--- policy-1.19.2/macros/program/xserver_macros.te	2004-11-18 09:12:18.809240254 -0500
+++ policy-1.19.2.good/macros/program/xserver_macros.te	2004-11-18 08:35:53.909763774 -0500
@@ -53,6 +52,7 @@
 uses_shlib($1_xserver_t)
 can_network($1_xserver_t)
 can_ypbind($1_xserver_t)
+allow $1_xserver_t self:udp_socket connect;
 allow $1_xserver_t xserver_port_t:tcp_socket name_bind;
 
 # for access within the domain
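Review bot: the hunk header `@@ -53,6 +52,7 @@` starts one line earlier on the new side than on the old, so a deletion above this point in xserver_macros.te exists in the `.good` tree but is not part of the posted diff; the patch was generated against an already-modified working copy and may not apply to stock policy-1.19.2. Regenerate it against a clean tree before merging.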
diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/program/ypbind_macros.te policy-1.19.2.good/macros/program/ypbind_macros.te
--- policy-1.19.2/macros/program/ypbind_macros.te	2004-11-18 08:14:45.000000000 -0500
+++ policy-1.19.2.good/macros/program/ypbind_macros.te	2004-11-18 08:35:53.910763661 -0500
@@ -4,6 +4,7 @@
 can_network($1)
 r_dir_file($1,var_yp_t)
 allow $1 { reserved_port_t port_t }:{ tcp_socket udp_socket } name_bind;
+allow $1 self:{ tcp_socket udp_socket } connect;
 dontaudit $1 self:capability net_bind_service;
 ')
 
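Review bot: can_ypbind still expands to an unrestricted `can_network($1)` and now also grants `self:{ tcp_socket udp_socket } connect`, so every domain that calls can_ypbind receives the full network grant regardless of what its own can_network call restricts; this silently voids the per-port arguments introduced elsewhere in this patch (dhcpc.te and can_kerberos) and the tcp-only narrowing in canna.te. Either restrict this macro to the port types ypbind actually uses or remove can_ypbind from the domains that are meant to be confined.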
diff --exclude-from=exclude -N -u -r policy-1.19.2/net_contexts policy-1.19.2.good/net_contexts
--- policy-1.19.2/net_contexts	2004-11-18 08:14:45.000000000 -0500
+++ policy-1.19.2.good/net_contexts	2004-11-18 08:35:53.911763548 -0500
@@ -113,7 +113,6 @@
 portcon tcp 631 system_u:object_r:ipp_port_t
 portcon udp 631 system_u:object_r:ipp_port_t
 ')
-ifdef(`kerberos.te', `
 portcon tcp 88 system_u:object_r:kerberos_port_t
 portcon udp 88 system_u:object_r:kerberos_port_t
 portcon tcp 749 system_u:object_r:kerberos_admin_port_t
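Review bot: dropping the `ifdef(`kerberos.te', `` line makes the Kerberos portcon entries unconditional, which is only valid together with the types/network.te hunk that moves the kerberos_*_port_t declarations out of kerberos.te; applied on its own this hunk breaks the build of a policy without kerberos.te. The matching closing `')` is removed in the next hunk, so the two net_contexts hunks are inseparable as well.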
@@ -121,7 +120,6 @@
 portcon udp 750 system_u:object_r:kerberos_port_t
 portcon tcp 4444 system_u:object_r:kerberos_master_port_t
 portcon udp 4444 system_u:object_r:kerberos_master_port_t
-')
 ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t')
 ifdef(`rsync.te', `
 portcon tcp 873 system_u:object_r:rsync_port_t
diff --exclude-from=exclude -N -u -r policy-1.19.2/types/network.te policy-1.19.2.good/types/network.te
--- policy-1.19.2/types/network.te	2004-11-18 08:14:44.000000000 -0500
+++ policy-1.19.2.good/types/network.te	2004-11-18 08:35:53.913763323 -0500
@@ -64,6 +64,13 @@
 type mail_port_t, port_type;
 
 #
+# Ports used to communicate with kerberos server
+#
+type kerberos_port_t, port_type, reserved_port_type;
+type kerberos_admin_port_t, port_type, reserved_port_type;
+type kerberos_master_port_t, port_type;
+
+#
 # port_t is the default type of INET port numbers.
 # The *_port_t types are used for specific port
 # numbers in net_contexts or net_contexts.mls.


* Re: Patches without the can_network patch.
  2004-11-18 14:32               ` Daniel J Walsh
@ 2004-11-18 19:43                 ` Thomas Bleher
  2004-11-18 19:50                   ` Daniel J Walsh
  2004-11-19 22:05                 ` James Carter
  1 sibling, 1 reply; 64+ messages in thread
From: Thomas Bleher @ 2004-11-18 19:43 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: jwcart2, Russell Coker, SELinux


* Daniel J Walsh <dwalsh@redhat.com> [2004-11-18 15:32]:
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.19.2/domains/program/ldconfig.te
> --- nsapolicy/domains/program/ldconfig.te	2004-11-09 13:35:12.000000000 -0500
> +++ policy-1.19.2/domains/program/ldconfig.te	2004-11-18 08:48:23.918139878 -0500
> @@ -26,7 +26,7 @@
>  allow ldconfig_t lib_t:lnk_file create_lnk_perms;
>  
>  allow ldconfig_t userdomain:fd use;
> -allow ldconfig_t etc_t:file { getattr read };
> +allow ldconfig_t etc_t:file { getattr read unlink };
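Review bot: `unlink` on etc_t:file lets ldconfig_t delete any file labelled etc_t, not just a mislabelled ld.so cache; since the policy already has `file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t, file)`, the narrower fix is to relabel the stray cache file back to ld_so_cache_t (restorecon) rather than widen ldconfig_t's permission over every etc_t file.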

Which files does it want to unlink? Is it possible that the file was
just mislabeled? (there's this line in the policy:
file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t, file)
so it should probably be ld_so_cache_t)

Thomas

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA  D09E C562 2BAE B2F4 ABE7



* Re: Patches without the can_network patch.
  2004-11-18 19:43                 ` Thomas Bleher
@ 2004-11-18 19:50                   ` Daniel J Walsh
  2004-11-18 19:59                     ` Thomas Bleher
  0 siblings, 1 reply; 64+ messages in thread
From: Daniel J Walsh @ 2004-11-18 19:50 UTC (permalink / raw)
  To: Thomas Bleher; +Cc: jwcart2, Russell Coker, SELinux

Thomas Bleher wrote:

>* Daniel J Walsh <dwalsh@redhat.com> [2004-11-18 15:32]:
>  
>
>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.19.2/domains/program/ldconfig.te
>>--- nsapolicy/domains/program/ldconfig.te	2004-11-09 13:35:12.000000000 -0500
>>+++ policy-1.19.2/domains/program/ldconfig.te	2004-11-18 08:48:23.918139878 -0500
>>@@ -26,7 +26,7 @@
>> allow ldconfig_t lib_t:lnk_file create_lnk_perms;
>> 
>> allow ldconfig_t userdomain:fd use;
>>-allow ldconfig_t etc_t:file { getattr read };
>>+allow ldconfig_t etc_t:file { getattr read unlink };
>>    
>>
>
>Which files does it want to unlink? Is it possible that the file was
>just mislabeled? (there's this line in the policy:
>file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t, file)
>so it should probably be ld_so_cache_t)
>
>Thomas
>
>  
>
Yes, I added this because it gets mislabeled and then cannot change it 
back.
A bug in RPM was causing it many times.   Booting in non-enforcing 
mode, non-SELinux mode.
This can easily happen on targeted policy, but could also happen on strict.
Allowing ldconfig_t to unlink etc_t files seems like a reasonable way 
around the problem.





* Re: Patches without the can_network patch.
  2004-11-18 19:50                   ` Daniel J Walsh
@ 2004-11-18 19:59                     ` Thomas Bleher
  0 siblings, 0 replies; 64+ messages in thread
From: Thomas Bleher @ 2004-11-18 19:59 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: jwcart2, Russell Coker, SELinux

* Daniel J Walsh <dwalsh@redhat.com> [2004-11-18 20:50]:
> Thomas Bleher wrote:
> >* Daniel J Walsh <dwalsh@redhat.com> [2004-11-18 15:32]:
> >>policy-1.19.2/domains/program/ldconfig.te
> >>--- nsapolicy/domains/program/ldconfig.te	2004-11-09 
> >>13:35:12.000000000 -0500
> >>+++ policy-1.19.2/domains/program/ldconfig.te	2004-11-18 
> >>08:48:23.918139878 -0500
> >>@@ -26,7 +26,7 @@
> >>allow ldconfig_t lib_t:lnk_file create_lnk_perms;
> >>
> >>allow ldconfig_t userdomain:fd use;
> >>-allow ldconfig_t etc_t:file { getattr read };
> >>+allow ldconfig_t etc_t:file { getattr read unlink };
> >>   
> >
> >Which files does it want to unlink? Is it possible that the file was
> >just mislabeled? (there's this line in the policy:
> >file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t, file)
> >so it should probably be ld_so_cache_t)
> > 
> >
> Yes, I added this because it gets mislabeled and then cannot change it 
> back.
> A bug in RPM was causing it many times.   Booting in non-enforcing 
> mode, non-SELinux mode.
> This can easily happen on targeted policy, but could also happen on strict.
> Allowing ldconfig_t to unlink etc_t files seems like a reasonable way 
> around the problem.

Ah, OK. Best solution would probably be to make ldconfig create its files in a
separate directory, but until then this seems like a good workaround.
How about a comment above this line like:
# allow ldconfig to work if /etc/ld.so.cache is mislabeled

Thomas

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA  D09E C562 2BAE B2F4 ABE7



* Re: Patches without the can_network patch.
  2004-11-18 14:32               ` Daniel J Walsh
  2004-11-18 19:43                 ` Thomas Bleher
@ 2004-11-19 22:05                 ` James Carter
  1 sibling, 0 replies; 64+ messages in thread
From: James Carter @ 2004-11-19 22:05 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Russell Coker, Thomas Bleher, SELinux

Merged.

On Thu, 2004-11-18 at 09:32, Daniel J Walsh wrote:
> Latest policy-small patch.   Many changes to make targeted policy work
> better.
> 
> Lots of changes to apache policy.
> 
> Check out the changes to core_macros for create/rw socket_perms.  Maybe 
> more acceptable. :^)
> 
> Many other minor changes.
> 
> 
> 
> ______________________________________________________________________
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.19.2/domains/program/ldconfig.te
> --- nsapolicy/domains/program/ldconfig.te	2004-11-09 13:35:12.000000000 -0500
> +++ policy-1.19.2/domains/program/ldconfig.te	2004-11-18 08:48:23.918139878 -0500
> @@ -8,7 +8,7 @@
>  #
>  # Rules for the ldconfig_t domain.
>  #
> -type ldconfig_t, domain, privlog;
> +type ldconfig_t, domain, privlog, etc_writer;
>  type ldconfig_exec_t, file_type, sysadmfile, exec_type;
>  
>  role sysadm_r types ldconfig_t;
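Review bot: the new etc_writer attribute on the `type ldconfig_t` line carries no comment saying why ldconfig now needs it. The thread above ties this to removing a mislabeled /etc/ld.so.cache after the RPM bug; say so here (Thomas's suggested `# allow ldconfig to work if /etc/ld.so.cache is mislabeled` fits) so the attribute can be dropped again once the relabeling bug is fixed rather than carried forward silently.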
> @@ -26,7 +26,7 @@
>  allow ldconfig_t lib_t:lnk_file create_lnk_perms;
>  
>  allow ldconfig_t userdomain:fd use;
> -allow ldconfig_t etc_t:file { getattr read };
> +allow ldconfig_t etc_t:file { getattr read unlink };
>  allow ldconfig_t etc_t:lnk_file read;
>  
>  allow ldconfig_t fs_t:filesystem getattr;
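Review bot: the added `unlink` on `etc_t:file` is not limited to /etc/ld.so.cache; it lets ldconfig_t remove any file labeled etc_t. If the only case is the mislabeled cache, keep the rule behind a comment stating that, and as Thomas notes the longer-term fix is to have ldconfig write its output into a separate directory with its own type so this widening can be reverted.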
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.19.2/domains/program/login.te
> --- nsapolicy/domains/program/login.te	2004-11-18 08:13:57.000000000 -0500
> +++ policy-1.19.2/domains/program/login.te	2004-11-18 08:48:23.919139766 -0500
> @@ -182,6 +182,9 @@
>  # Allow setting of attributes on sound devices.
>  allow local_login_t sound_device_t:chr_file { getattr setattr };
>  
> +# Allow setting of attributes on power management devices.
> +allow local_login_t power_device_t:chr_file { getattr setattr };
> +
>  #################################
>  #
>  # Rules for the remote_login_t domain.
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/acct.te policy-1.19.2/domains/program/unused/acct.te
> --- nsapolicy/domains/program/unused/acct.te	2004-11-09 13:35:12.000000000 -0500
> +++ policy-1.19.2/domains/program/unused/acct.te	2004-11-18 08:48:23.919139766 -0500
> @@ -63,8 +63,7 @@
>  
>  ifdef(`logrotate.te', `
>  domain_auto_trans(logrotate_t, acct_exec_t, acct_t)
> -allow logrotate_t acct_data_t:dir search;
> -allow logrotate_t acct_data_t:file { create_file_perms };
> +rw_dir_create_file(logrotate_t, acct_data_t)
>  can_exec(logrotate_t, acct_data_t)
>  ')
>  
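Review bot: replacing `allow logrotate_t acct_data_t:dir search;` with `rw_dir_create_file(logrotate_t, acct_data_t)` widens logrotate's directory access on acct_data_t from search to the full rw_dir_perms set. That is expected if logrotate creates and renames files there, but a one-line comment would make the widening deliberate rather than a side effect of switching to the macro.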
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.19.2/domains/program/unused/apache.te
> --- nsapolicy/domains/program/unused/apache.te	2004-11-18 08:13:57.000000000 -0500
> +++ policy-1.19.2/domains/program/unused/apache.te	2004-11-18 08:50:10.113157831 -0500
> @@ -32,6 +32,9 @@
>  # Run SSI execs in system CGI script domain.
>  bool httpd_ssi_exec false;
>  
> +# Allow http daemon to communicate with the TTY
> +bool httpd_tty_comm false;
> +
>  #########################################################
>  # Apache types
>  #########################################################
> @@ -239,10 +242,12 @@
>  # connect to mysql
>  ifdef(`mysqld.te', `
>  can_unix_connect(httpd_php_t, mysqld_t)
> +can_unix_connect(httpd_t, mysqld_t)
>  allow httpd_php_t mysqld_var_run_t:dir search;
>  allow httpd_php_t mysqld_var_run_t:sock_file write;
>  allow httpd_t mysqld_db_t:dir search;
>  allow httpd_t mysqld_db_t:sock_file rw_file_perms;
> +allow httpd_t mysqld_var_run_t:sock_file rw_file_perms;
>  ')
>  allow httpd_t bin_t:dir search;
>  allow httpd_t sbin_t:dir search;
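Review bot: `can_unix_connect(httpd_t, mysqld_t)` together with rw_file_perms on `mysqld_var_run_t:sock_file` lets the httpd_t daemon itself talk to mysqld, where the surrounding lines only allowed httpd_php_t to do so. If this is for a database client running inside the server process without a domain transition, name that case in a comment, since it removes the php-specific split the existing rules set up.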
> @@ -297,6 +302,7 @@
>  #
>  type httpd_runtime_t, file_type, sysadmfile;
>  file_type_auto_trans(httpd_t, httpd_log_t, httpd_runtime_t, file)
> +allow httpd_sys_script_t httpd_runtime_t:file { getattr append };
>  ') dnl distro_redhat
>  #
>  # Customer reported the following
> @@ -306,9 +312,28 @@
>  dontaudit httpd_t snmpd_var_lib_t:file { getattr write read };
>  ')
>  
> -# Running squirrelmail requires this permissions
> +#
> +# The following is needed to make squirrelmail work
> +type httpd_squirrelmail_t, file_type, sysadmfile;
> +create_dir_file(httpd_t, httpd_squirrelmail_t)
> +allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
>  ifdef(`mta.te', `
> -allow system_mail_t httpd_log_t:file { append getattr };
> -allow system_mail_t httpd_sys_script_rw_t:file { append read };
> -allow system_mail_t httpd_t:tcp_socket { read write };
> +dontaudit system_mail_t httpd_log_t:file { append getattr };
> +allow system_mail_t httpd_squirrelmail_t:file { append read };
> +dontaudit system_mail_t httpd_t:tcp_socket { read write };
> +')
> +
> +application_domain(httpd_helper)
> +role system_r types httpd_helper_t;
> +domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t)
> +
> +allow httpd_helper_t devpts_t:dir { search };
> +allow httpd_helper_t devtty_t:chr_file rw_file_perms;
> +allow httpd_helper_t httpd_config_t:file { getattr read };
> +allow httpd_helper_t httpd_log_t:file { append };
> +if (httpd_tty_comm) {
> +ifdef(`targeted_policy', `
> +allow { httpd_helper_t httpd_t } devpts_t:chr_file { read write };
>  ')
> +allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write };
> +}
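Review bot: the `httpd_helper` domain and the `httpd_tty_comm` boolean need a comment saying what the helper is (apache.fc later in this patch maps /usr/bin/htsslpass to httpd_helper_exec_t). Inside `if (httpd_tty_comm)` both `allow { httpd_helper_t httpd_t } devpts_t:chr_file { read write };` and `allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write };` grant the daemon itself, not only the helper, read and write on admin terminals; if only htsslpass needs the TTY, drop httpd_t from both rules. Also `create_dir_file(httpd_t, httpd_squirrelmail_t)` gives httpd_t create and write on the squirrelmail prefs while httpd_sys_script_t gets only `{ append read }`; confirm that direction is intended, and that switching the system_mail_t rules on httpd_log_t and httpd_t:tcp_socket from allow to dontaudit does not break mail sent from squirrelmail.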
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.19.2/domains/program/unused/apmd.te
> --- nsapolicy/domains/program/unused/apmd.te	2004-11-09 13:35:12.000000000 -0500
> +++ policy-1.19.2/domains/program/unused/apmd.te	2004-11-18 08:48:23.920139653 -0500
> @@ -114,7 +114,10 @@
>  allow consoletype_t apmd_t:fifo_file write;
>  ')
>  ifdef(`mount.te', `allow mount_t apmd_t:fd use;')
> -ifdef(`crond.te', `domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t)')
> +ifdef(`crond.te', `
> +domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t)
> +allow apmd_t crond_t:fifo_file { getattr read write ioctl };
> +')
>  
>  ifdef(`mta.te', `
>  domain_auto_trans(apmd_t, sendmail_exec_t, system_mail_t) 
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/consoletype.te policy-1.19.2/domains/program/unused/consoletype.te
> --- nsapolicy/domains/program/unused/consoletype.te	2004-11-09 13:35:12.000000000 -0500
> +++ policy-1.19.2/domains/program/unused/consoletype.te	2004-11-18 08:48:23.921139540 -0500
> @@ -59,5 +59,6 @@
>  ')
>  dontaudit consoletype_t proc_t:file read;
>  dontaudit consoletype_t root_t:file read;
> -allow consoletype_t crond_t:fifo_file read;
> +allow consoletype_t crond_t:fifo_file { read getattr ioctl };
> +allow consoletype_t system_crond_t:fd use;
>  allow consoletype_t fs_t:filesystem getattr;
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.19.2/domains/program/unused/cups.te
> --- nsapolicy/domains/program/unused/cups.te	2004-11-18 08:13:57.000000000 -0500
> +++ policy-1.19.2/domains/program/unused/cups.te	2004-11-18 08:51:22.563983161 -0500
> @@ -59,7 +60,6 @@
>  
>  allow cupsd_t { etc_t etc_runtime_t }:file { getattr read ioctl };
>  can_exec(cupsd_t, initrc_exec_t)
> -can_exec(cupsd_t, hostname_exec_t)
>  allow cupsd_t proc_t:file r_file_perms;
>  allow cupsd_t proc_t:dir r_dir_perms;
>  allow cupsd_t self:file { getattr read };
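Review bot: the hunk header `@@ -59,7 +60,6 @@` starts the new side at line 60 although no earlier hunk for cups.te is included, so a preceding hunk appears to have been dropped from this patch; check that it still applies cleanly. The removed `can_exec(cupsd_t, hostname_exec_t)` is re-added further down under `ifdef(`hostname.te'`, which is the right place for it.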
> @@ -185,7 +185,7 @@
>  allow cupsd_config_t cupsd_var_run_t:file { getattr read };
>  allow cupsd_config_t cupsd_t:process { signal };
>  allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
> -allow cupsd_config_t cupsd_t:dir search;
> +r_dir_file(cupsd_config_t, cupsd_t)
>  
>  allow cupsd_config_t self:capability chown;
>  
> @@ -212,8 +212,17 @@
>  ')
>  
>  can_exec(cupsd_config_t, { bin_t sbin_t shell_exec_t })
> +ifdef(`hostname.te', `
> +can_exec(cupsd_t, hostname_exec_t)
> +can_exec(cupsd_config_t, hostname_exec_t)
> +')
>  allow cupsd_config_t { bin_t sbin_t }:dir { search getattr };
>  allow cupsd_config_t { bin_t sbin_t }:lnk_file read;
> +# killall causes the following
> +dontaudit cupsd_config_t domain:dir { getattr search };
> +dontaudit cupsd_config_t selinux_config_t:dir search;
> +
> +can_exec(cupsd_config_t, cupsd_config_exec_t) 
>  
>  allow cupsd_config_t usr_t:file { getattr read };
>  allow cupsd_config_t var_lib_t:dir { getattr search };
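Review bot: `can_exec(cupsd_config_t, cupsd_config_exec_t)` has trailing whitespace and no comment; state why cupsd_config needs to re-execute itself. The `# killall causes the following` line with `dontaudit cupsd_config_t domain:dir { getattr search };` silences lookups into every domain's /proc entries, which is fine for noise but will also hide any future denials on those directories that are worth seeing.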
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cyrus.te policy-1.19.2/domains/program/unused/cyrus.te
> --- nsapolicy/domains/program/unused/cyrus.te	2004-11-09 13:35:12.000000000 -0500
> +++ policy-1.19.2/domains/program/unused/cyrus.te	2004-11-18 08:51:47.260196672 -0500
> @@ -45,3 +45,4 @@
>  allow system_crond_t cyrus_var_lib_t:file create_file_perms;
>  allow system_crond_su_t cyrus_var_lib_t:dir search;
>  ')
> +allow cyrus_t mail_port_t:tcp_socket name_bind;
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpd.te policy-1.19.2/domains/program/unused/dhcpd.te
> --- nsapolicy/domains/program/unused/dhcpd.te	2004-10-14 23:25:18.000000000 -0400
> +++ policy-1.19.2/domains/program/unused/dhcpd.te	2004-11-18 08:53:24.057275000 -0500
> @@ -33,6 +33,7 @@
>  can_ypbind(dhcpd_t)
>  allow dhcpd_t self:unix_dgram_socket create_socket_perms;
>  allow dhcpd_t self:unix_stream_socket create_socket_perms;
> +allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
>  
>  allow dhcpd_t var_lib_t:dir search;
>  
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.19.2/domains/program/unused/ftpd.te
> --- nsapolicy/domains/program/unused/ftpd.te	2004-11-18 08:13:58.000000000 -0500
> +++ policy-1.19.2/domains/program/unused/ftpd.te	2004-11-18 08:54:09.695125653 -0500
> @@ -31,11 +31,13 @@
>  
>  ifdef(`crond.te', `
>  system_crond_entry(ftpd_exec_t, ftpd_t)
> +allow system_crond_t xferlog_t:file r_file_perms;
>  can_exec(ftpd_t, { sbin_t shell_exec_t })
>  allow ftpd_t usr_t:file { getattr read };
>  ')
>  
>  allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
> +allow ftpd_t port_t:tcp_socket name_bind;
>  
>  # Allow ftpd to run directly without inetd.
>  bool ftpd_is_daemon false;
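Review bot: `allow ftpd_t port_t:tcp_socket name_bind;` lets ftpd bind any port labeled with the generic port_t, not just ftp_data_port_t as on the line above. If this is for passive-mode data connections, say so in a comment; if the passive port range is configurable, a dedicated port type for that range would be narrower than all of port_t.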
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/innd.te policy-1.19.2/domains/program/unused/innd.te
> --- nsapolicy/domains/program/unused/innd.te	2004-10-19 16:03:06.000000000 -0400
> +++ policy-1.19.2/domains/program/unused/innd.te	2004-11-18 08:54:50.625507454 -0500
> @@ -64,6 +64,9 @@
>  
>  ifdef(`crond.te', `
>  system_crond_entry(innd_exec_t, innd_t)
> +allow system_crond_t innd_etc_t:file { getattr read };
> +rw_dir_create_file(system_crond_t, innd_log_t)
> +rw_dir_create_file(system_crond_t, innd_var_run_t)
>  ')
>  ifdef(`syslogd.te', `
>  allow syslogd_t innd_log_t:dir search;
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.19.2/domains/program/unused/kudzu.te
> --- nsapolicy/domains/program/unused/kudzu.te	2004-11-09 13:35:12.000000000 -0500
> +++ policy-1.19.2/domains/program/unused/kudzu.te	2004-11-18 08:48:23.921139540 -0500
> @@ -21,7 +21,7 @@
>  allow kudzu_t proc_t:file { getattr read };
>  allow kudzu_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
>  allow kudzu_t scsi_generic_device_t:chr_file r_file_perms;
> -allow kudzu_t { bin_t sbin_t }:dir search;
> +allow kudzu_t { bin_t sbin_t }:dir { getattr search };
>  allow kudzu_t { bin_t sbin_t }:lnk_file read;
>  allow kudzu_t { sysctl_t sysctl_kernel_t }:dir search;
>  allow kudzu_t sysctl_dev_t:dir { getattr search read };
> @@ -85,3 +85,7 @@
>  
>  # for file systems that are not yet mounted
>  dontaudit kudzu_t file_t:dir search;
> +ifdef(`lpd.te', `
> +allow kudzu_t printconf_t:file { getattr read };
> +')
> +allow kudzu_t zero_device_t:chr_file r_file_perms;
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.19.2/domains/program/unused/mta.te
> --- nsapolicy/domains/program/unused/mta.te	2004-10-09 21:06:14.000000000 -0400
> +++ policy-1.19.2/domains/program/unused/mta.te	2004-11-18 08:48:23.922139427 -0500
> @@ -20,6 +20,7 @@
>  # "mail user@domain"
>  mail_domain(system)
>  
> +ifelse(`targeted-policy', `', `
>  ifdef(`sendmail.te', `
>  # sendmail has an ugly design, the one process parses input from the user and
>  # then does system things with it.
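Review bot: `ifelse(`targeted-policy', `', `` compares the literal string targeted-policy with the empty string, which can never be equal, and with only three arguments m4's ifelse expands to nothing when the strings differ, so the whole block down to the matching `')` (the sendmail.te rules and the sysadm_mail_t rules) is dropped from both the strict and the targeted policy. The symbol is also spelled with a hyphen, whereas the rest of this patch uses `ifdef(`targeted_policy'`. Presumably `ifdef(`targeted_policy', `', `` was intended.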
> @@ -32,11 +33,13 @@
>  # allow the sysadmin to do "mail someone < /home/user/whatever"
>  allow sysadm_mail_t user_home_dir_type:dir search;
>  r_dir_file(sysadm_mail_t, user_home_type)
> -
> +')
>  # for a mail server process that does things in response to a user command
>  allow mta_user_agent userdomain:process sigchld;
>  allow mta_user_agent { userdomain privfd }:fd use;
> +ifdef(`crond.te', `
>  allow mta_user_agent crond_t:process sigchld;
> +')
>  allow mta_user_agent sysadm_t:fifo_file { read write };
>  
>  allow { system_mail_t mta_user_agent } privmail:fd use;
> @@ -57,3 +60,13 @@
>  allow mta_delivery_agent devtty_t:chr_file rw_file_perms;
>  allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read };
>  
> +# rules are currently defined in sendmail.te, but it is not included in 
> +# targeted policy.  We could move these rules permanantly here.
> +ifdef(`targeted_policy', `
> +allow system_mail_t self:dir { search };
> +allow system_mail_t proc_t:dir search;
> +allow system_mail_t proc_t:{ file lnk_file } { getattr read };
> +allow system_mail_t fs_t:filesystem getattr;
> +allow system_mail_t { var_t var_spool_t }:dir getattr;
> +create_dir_file( system_mail_t, mqueue_spool_t)
> +')
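Review bot: typo `permanantly` in the new comment. The rules under `ifdef(`targeted_policy'` duplicate what the comment says currently lives in sendmail.te; if they are meant to move here permanently, remove them from sendmail.te as well so the strict policy does not carry both copies. Spacing nit: `create_dir_file( system_mail_t, mqueue_spool_t)`.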
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.19.2/domains/program/unused/named.te
> --- nsapolicy/domains/program/unused/named.te	2004-11-05 23:24:16.000000000 -0500
> +++ policy-1.19.2/domains/program/unused/named.te	2004-11-18 08:55:41.707743815 -0500
> @@ -77,6 +77,7 @@
>  
>  allow named_t self:unix_stream_socket create_stream_socket_perms;
>  allow named_t self:unix_dgram_socket create_socket_perms;
> +allow named_t self:netlink_route_socket r_netlink_socket_perms;
>  
>  # Read sysctl kernel variables.
>  allow named_t sysctl_t:dir r_dir_perms;
> @@ -149,7 +150,7 @@
>  allow ndc_t named_zone_t:file getattr;
>  dontaudit ndc_t sysadm_home_t:dir { getattr search read };
>  ')
> -allow ndc_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
> +allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
>  dontaudit ndc_t sysadm_tty_device_t:chr_file { ioctl };
>  # Allow init script to cp localtime to named_conf_t
>  allow initrc_t named_conf_t:file { write };
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.19.2/domains/program/unused/ntpd.te
> --- nsapolicy/domains/program/unused/ntpd.te	2004-11-18 08:13:58.000000000 -0500
> +++ policy-1.19.2/domains/program/unused/ntpd.te	2004-11-18 09:16:48.946760475 -0500
> @@ -42,18 +42,18 @@
>  allow ntpd_t ntp_port_t:udp_socket name_bind;
>  allow ntpd_t self:unix_dgram_socket create_socket_perms;
>  allow ntpd_t self:unix_stream_socket create_socket_perms;
> +allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
>  
>  # so the start script can change firewall entries
>  allow initrc_t net_conf_t:file { getattr read ioctl };
>  
>  # for cron jobs
>  # system_crond_t is not right, cron is not doing what it should
> -ifdef(`crond.te', `
> -system_crond_entry(ntpd_exec_t, ntpd_t)
> +ifdef(`crond.te', `system_crond_entry(ntpd_exec_t, ntpd_t)')
>  can_exec(ntpd_t, initrc_exec_t)
>  allow ntpd_t self:fifo_file { read write getattr };
>  allow ntpd_t etc_runtime_t:file r_file_perms;
> -can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t logrotate_exec_t ntpd_exec_t })
> +can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t ntpd_exec_t })
>  allow ntpd_t { sbin_t bin_t }:dir search;
>  allow ntpd_t bin_t:lnk_file read;
>  allow ntpd_t sysctl_kernel_t:dir search;
> @@ -63,7 +63,6 @@
>  allow ntpd_t self:file { getattr read };
>  dontaudit ntpd_t domain:dir search;
>  ifdef(`logrotate.te', `can_exec(ntpd_t, logrotate_exec_t)')
> -')
>  
>  allow ntpd_t devtty_t:chr_file rw_file_perms;
>  
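Review bot: the `')` removed here closed the `ifdef(`crond.te', `` that the previous hunk collapsed into a one-liner, so `can_exec(ntpd_t, initrc_exec_t)`, the fifo and etc_runtime_t rules and the `can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t ntpd_exec_t })` list now apply unconditionally instead of only when crond.te is present. That agrees with the remark that system_crond_t was not the right domain, but the `# for cron jobs` comment above those rules is now misleading and should be updated; dropping logrotate_exec_t from the list is consistent with the `ifdef(`logrotate.te'` line that remains.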
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.19.2/domains/program/unused/postgresql.te
> --- nsapolicy/domains/program/unused/postgresql.te	2004-11-18 08:13:58.000000000 -0500
> +++ policy-1.19.2/domains/program/unused/postgresql.te	2004-11-18 08:57:40.718315780 -0500
> @@ -42,10 +42,11 @@
>  
>  logdir_domain(postgresql)
>  
> +ifdef(`crond.te', `
>  # allow crond to find /usr/lib/postgresql/bin/do.maintenance
>  allow crond_t postgresql_db_t:dir search;
> -
>  system_crond_entry(postgresql_exec_t, postgresql_t)
> +')
>  
>  tmp_domain(postgresql);
>  file_type_auto_trans(postgresql_t, tmpfs_t, postgresql_tmp_t)
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.19.2/domains/program/unused/rpcd.te
> --- nsapolicy/domains/program/unused/rpcd.te	2004-11-09 13:35:12.000000000 -0500
> +++ policy-1.19.2/domains/program/unused/rpcd.te	2004-11-18 08:58:17.120208533 -0500
> @@ -24,6 +24,7 @@
>  allow $1_t var_lib_nfs_t:file create_file_perms;
>  # do not log when it tries to bind to a port belonging to another domain
>  dontaudit $1_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
> +allow $1_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
>  allow $1_t self:netlink_route_socket r_netlink_socket_perms;
>  allow $1_t self:unix_dgram_socket create_socket_perms;
>  allow $1_t self:unix_stream_socket create_stream_socket_perms;
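Review bot: `allow $1_t reserved_port_t:{ udp_socket tcp_socket } name_bind;` sits directly after a dontaudit whose comment says the domain should not bind ports belonging to other domains; it grants binding to every port labeled with the generic reserved_port_t. A comment explaining that the RPC daemons pick an arbitrary privileged port would make the intent clear, and since this macro is instantiated for several `$1` domains the grant applies to all of them.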
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.19.2/domains/program/unused/snmpd.te
> --- nsapolicy/domains/program/unused/snmpd.te	2004-11-09 13:35:13.000000000 -0500
> +++ policy-1.19.2/domains/program/unused/snmpd.te	2004-11-18 08:58:52.256244113 -0500
> @@ -38,7 +38,7 @@
>  allow snmpd_t self:unix_dgram_socket create_socket_perms;
>  allow snmpd_t self:unix_stream_socket create_socket_perms;
>  allow snmpd_t etc_t:lnk_file read;
> -allow snmpd_t { etc_t etc_runtime_t }:file { getattr read };
> +allow snmpd_t { etc_t etc_runtime_t }:file r_file_perms;
>  allow snmpd_t urandom_device_t:chr_file read;
>  allow snmpd_t self:capability { dac_override kill net_bind_service net_admin sys_nice sys_tty_config };
>  
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.19.2/domains/program/unused/squid.te
> --- nsapolicy/domains/program/unused/squid.te	2004-11-09 13:35:13.000000000 -0500
> +++ policy-1.19.2/domains/program/unused/squid.te	2004-11-18 08:59:29.988986705 -0500
> @@ -62,10 +62,12 @@
>  
>  # to allow running programs from /usr/lib/squid (IE unlinkd)
>  # also allow exec()ing itself
> -can_exec(squid_t, { lib_t squid_exec_t } )
> +can_exec(squid_t, { lib_t squid_exec_t bin_t sbin_t } )
>  allow squid_t { bin_t sbin_t }:dir search;
> +allow squid_t { bin_t sbin_t }:lnk_file read;
>  
>  dontaudit squid_t { home_root_t security_t devpts_t }:dir getattr;
>  ifdef(`targeted_policy', `
>  dontaudit squid_t tty_device_t:chr_file { read write };
>  ')
> +allow squid_t urandom_device_t:chr_file { getattr read };
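Review bot: widening `can_exec(squid_t, ...)` to all of bin_t and sbin_t goes well beyond the `/usr/lib/squid` case the comment above describes; name the helper squid runs from bin_t or sbin_t in the comment, or give it its own type, so the grant stays tied to a known program.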
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/vpnc.te policy-1.19.2/domains/program/unused/vpnc.te
> --- nsapolicy/domains/program/unused/vpnc.te	2004-10-14 23:25:18.000000000 -0400
> +++ policy-1.19.2/domains/program/unused/vpnc.te	2004-11-18 09:17:37.765252256 -0500
> @@ -17,6 +17,7 @@
>  # Use the network.
>  can_network(vpnc_t)
>  can_ypbind(vpnc_t)
> +allow vpnc_t self:socket create_socket_perms;
>  
>  # Use capabilities.
>  allow vpnc_t self:capability { net_admin ipc_lock net_bind_service net_raw };
> @@ -28,3 +29,12 @@
>  allow vpnc_t self:unix_dgram_socket create_socket_perms;
>  allow vpnc_t self:unix_stream_socket create_socket_perms;
>  allow vpnc_t admin_tty_type:chr_file rw_file_perms;
> +allow vpnc_t port_t:udp_socket name_bind;
> +allow vpnc_t etc_runtime_t:file { getattr read };
> +allow vpnc_t proc_t:file { getattr read };
> +dontaudit vpnc_t selinux_config_t:dir search;
> +can_exec(vpnc_t, {bin_t sbin_t ifconfig_exec_t shell_exec_t })
> +allow vpnc_t sysctl_net_t:dir search;
> +allow vpnc_t sbin_t:dir search;
> +allow vpnc_t bin_t:dir search;
> +allow vpnc_t bin_t:lnk_file read;
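Review bot: `can_exec(vpnc_t, {bin_t sbin_t ifconfig_exec_t shell_exec_t })` runs ifconfig inside vpnc_t rather than transitioning to ifconfig_t, which is why the hunk also has to add `sysctl_net_t:dir search`; a domain_auto_trans to ifconfig_t would keep those privileges in the domain that already has them. `allow vpnc_t self:socket create_socket_perms;` uses the generic socket class, which deserves a comment naming the socket family it is for, given the unix_* classes are already covered. Spacing nit: `{bin_t`.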
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.19.2/domains/program/unused/xdm.te
> --- nsapolicy/domains/program/unused/xdm.te	2004-11-18 08:13:58.000000000 -0500
> +++ policy-1.19.2/domains/program/unused/xdm.te	2004-11-18 09:01:02.054598887 -0500
> @@ -241,6 +241,9 @@
>  # Access sound device.
>  allow xdm_t sound_device_t:chr_file { setattr getattr };
>  
> +# Allow setting of attributes on power management devices.
> +allow xdm_t power_device_t:chr_file { getattr setattr };
> +
>  # Run the X server in a derived domain.
>  xserver_domain(xdm)
>  
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.19.2/domains/user.te
> --- nsapolicy/domains/user.te	2004-11-18 08:13:57.000000000 -0500
> +++ policy-1.19.2/domains/user.te	2004-11-18 08:48:23.922139427 -0500
> @@ -18,6 +18,9 @@
>  # Allow system to run with NIS
>  bool allow_ypbind false;
>  
> +# Allow system to run with kerberos
> +bool allow_kerberos false;
> +
>  # Allow users to rw usb devices
>  bool user_rw_usb false;
>  
> diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.19.2/file_contexts/distros.fc
> --- nsapolicy/file_contexts/distros.fc	2004-10-06 16:21:13.000000000 -0400
> +++ policy-1.19.2/file_contexts/distros.fc	2004-11-18 08:48:23.923139314 -0500
> @@ -30,5 +30,6 @@
>  /usr/share/system-config-nfs/nfs-export.py	--	system_u:object_r:bin_t
>  /usr/share/pydict/pydict.py	--	system_u:object_r:bin_t
>  /usr/share/cvs/contrib/rcs2log	--	system_u:object_r:bin_t
> +/usr/share/pwlib/make/ptlib-config --	system_u:object_r:bin_t
>  ')
>  
> diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.19.2/file_contexts/program/apache.fc
> --- nsapolicy/file_contexts/program/apache.fc	2004-11-18 08:13:58.000000000 -0500
> +++ policy-1.19.2/file_contexts/program/apache.fc	2004-11-18 08:48:23.924139201 -0500
> @@ -27,6 +27,7 @@
>  /var/cache/mod_ssl(/.*)?	system_u:object_r:httpd_cache_t
>  /var/run/apache(2)?.pid.* --	system_u:object_r:httpd_var_run_t
>  /var/lib/httpd(/.*)?		system_u:object_r:httpd_var_lib_t
> +/var/lib/php/session(/.*)?	system_u:object_r:httpd_var_run_t
>  /etc/apache-ssl(2)?(/.*)?	system_u:object_r:httpd_config_t
>  /usr/lib/apache-ssl(/.*)? --	system_u:object_r:httpd_exec_t
>  /usr/sbin/apache-ssl(2)? --	system_u:object_r:httpd_exec_t
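Review bot: labeling `/var/lib/php/session(/.*)?` as httpd_var_run_t puts PHP session state under the pid-file type, so every rule granting write on httpd_var_run_t now also reaches session files. A dedicated type, or httpd_var_lib_t as `/var/lib/httpd(/.*)?` on the line above uses, would keep the two apart.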
> @@ -37,4 +38,5 @@
>  # suse puts shell scripts there :-(
>  /usr/share/apache2/.*	--	system_u:object_r:bin_t
>  ')
> -/var/lib/squirrelmail/prefs(/.*)?	system_u:object_r:httpd_sys_script_rw_t
> +/var/lib/squirrelmail/prefs(/.*)?	system_u:object_r:httpd_squirrelmail_t
> +/usr/bin/htsslpass --	system_u:object_r:httpd_helper_exec_t
> diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cups.fc policy-1.19.2/file_contexts/program/cups.fc
> --- nsapolicy/file_contexts/program/cups.fc	2004-10-14 23:25:19.000000000 -0400
> +++ policy-1.19.2/file_contexts/program/cups.fc	2004-11-18 08:48:23.924139201 -0500
> @@ -1,7 +1,7 @@
>  # cups printing
>  /etc/cups(/.*)?			system_u:object_r:cupsd_etc_t
>  /usr/share/cups(/.*)?		system_u:object_r:cupsd_etc_t
> -/etc/alchemist/namespace/printconf/local.adl system_u:object_r:cupsd_rw_etc_t
> +/etc/alchemist/namespace/printconf(/.*)? system_u:object_r:cupsd_rw_etc_t
>  /var/cache/alchemist/printconf.* system_u:object_r:cupsd_rw_etc_t
>  /etc/cups/client\.conf	--	system_u:object_r:etc_t
>  /etc/cups/cupsd.conf.* --	system_u:object_r:cupsd_rw_etc_t
> @@ -33,3 +33,4 @@
>  /usr/sbin/ptal-mlcd	--	system_u:object_r:ptal_exec_t
>  /var/run/ptal-printd(/.*)?	system_u:object_r:ptal_var_run_t
>  /var/run/ptal-mlcd(/.*)?	system_u:object_r:ptal_var_run_t
> +/usr/share/foomatic/db/oldprinterids 	--	system_u:object_r:cupsd_rw_etc_t
> diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/hald.fc policy-1.19.2/file_contexts/program/hald.fc
> --- nsapolicy/file_contexts/program/hald.fc	2004-09-22 16:19:13.000000000 -0400
> +++ policy-1.19.2/file_contexts/program/hald.fc	2004-11-18 08:48:23.925139089 -0500
> @@ -3,3 +3,4 @@
>  /usr/libexec/hal-hotplug-map -- system_u:object_r:hald_exec_t
>  /etc/hal/device.d/printer_remove.hal -- system_u:object_r:hald_exec_t
>  /etc/hal/capability.d/printer_update.hal -- system_u:object_r:hald_exec_t
> +/usr/share/hal/device-manager/hal-device-manager -- system_u:object_r:bin_t
> diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/sendmail.fc policy-1.19.2/file_contexts/program/sendmail.fc
> --- nsapolicy/file_contexts/program/sendmail.fc	2004-10-07 08:02:02.000000000 -0400
> +++ policy-1.19.2/file_contexts/program/sendmail.fc	2004-11-18 08:48:23.925139089 -0500
> @@ -1,6 +1,5 @@
>  # sendmail
>  /etc/mail(/.*)?				system_u:object_r:etc_mail_t
> -/var/spool/(client)?mqueue(/.*)?	system_u:object_r:mqueue_spool_t
>  /var/log/sendmail\.st		--	system_u:object_r:sendmail_log_t
>  /var/log/mail(/.*)?			system_u:object_r:sendmail_log_t
>  /var/run/sendmail.pid		--	system_u:object_r:sendmail_var_run_t
> diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.19.2/file_contexts/types.fc
> --- nsapolicy/file_contexts/types.fc	2004-11-18 08:13:58.000000000 -0500
> +++ policy-1.19.2/file_contexts/types.fc	2004-11-18 08:48:23.927138863 -0500
> @@ -334,6 +334,7 @@
>  /usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
>  /usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
>  /usr(/.*)?/bin(/.*)?		system_u:object_r:bin_t
> +/usr(/.*)?/Bin(/.*)?		system_u:object_r:bin_t
>  /usr(/.*)?/sbin(/.*)?		system_u:object_r:sbin_t
>  /usr/etc(/.*)?			system_u:object_r:etc_t
>  /usr/inclu.e(/.*)?		system_u:object_r:usr_t
> @@ -392,6 +393,7 @@
>  #
>  /var/spool(/.*)?		system_u:object_r:var_spool_t
>  /var/spool/texmf(/.*)?		system_u:object_r:tetex_data_t
> +/var/spool/(client)?mqueue(/.*)?	system_u:object_r:mqueue_spool_t
>  
>  # 
>  # /var/log
> diff --exclude-from=exclude -N -u -r nsapolicy/macros/admin_macros.te policy-1.19.2/macros/admin_macros.te
> --- nsapolicy/macros/admin_macros.te	2004-11-18 08:13:58.000000000 -0500
> +++ policy-1.19.2/macros/admin_macros.te	2004-11-18 08:48:23.927138863 -0500
> @@ -196,6 +196,11 @@
>  # Grant read and write access to /dev/console.
>  allow $1_t console_device_t:chr_file rw_file_perms;
>  
> +# Allow MAKEDEV to work
> +allow $1_t device_t:dir rw_dir_perms;
> +allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
> +allow $1_t device_t:lnk_file { create read };
> +
>  # for lsof
>  allow $1_t domain:socket_class_set getattr;
>  allow $1_t eventpollfs_t:file getattr;
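Review bot: the `# Allow MAKEDEV to work` block grants every domain this macro is instantiated for (`$1_t`) create, unlink and rename on all device_type blk_file and chr_file objects plus rw_dir_perms on device_t. That is appropriate for sysadm_t, but it is broad for any other admin domain built from this macro; consider gating it or at least stating the scope in the comment.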
> diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.19.2/macros/base_user_macros.te
> --- nsapolicy/macros/base_user_macros.te	2004-11-18 08:13:58.000000000 -0500
> +++ policy-1.19.2/macros/base_user_macros.te	2004-11-18 09:01:27.432735456 -0500
> @@ -291,6 +291,9 @@
>  # Access the sound device.
>  allow $1_t sound_device_t:chr_file { getattr read write ioctl };
>  
> +# Access the power device.
> +allow $1_t power_device_t:chr_file { getattr read write ioctl };
> +
>  allow $1_t var_log_t:dir { getattr search };
>  dontaudit $1_t logfile:file getattr;
>  
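Review bot: `allow $1_t power_device_t:chr_file { getattr read write ioctl };` gives every user domain read, write and ioctl on power management devices, whereas login.te and xdm.te in this same patch grant only `{ getattr setattr }`. If the device only needs its ownership and mode set at login, the rw/ioctl grant here is wider than needed; add a comment naming the user program that talks to the device.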
> diff --exclude-from=exclude -N -u -r nsapolicy/macros/core_macros.te policy-1.19.2/macros/core_macros.te
> --- nsapolicy/macros/core_macros.te	2004-11-09 13:35:13.000000000 -0500
> +++ policy-1.19.2/macros/core_macros.te	2004-11-18 09:05:47.706368626 -0500
> @@ -137,17 +137,27 @@
>  #
>  # Permissions for creating and using sockets.
>  # 
> -define(`create_socket_perms', `{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
> +define(`create_socket_perms', `{ create rw_socket_perms }')
>  
>  #
>  # Permissions for using stream sockets.
>  # 
> -define(`rw_stream_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }')
> +define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
>  
>  #
>  # Permissions for creating and using stream sockets.
>  # 
> -define(`create_stream_socket_perms', `{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }')
> +define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
> +
> +#
> +# Permissions for creating and using sockets.
> +# 
> +define(`connected_socket_perms', `{ create_socket_perms -connect }')
> +
> +#
> +# Permissions for creating and using sockets.
> +# 
> +define(`connected_stream_socket_perms', `{ create_stream_socket_perms -connect }')
>  
> 
>  #
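Review bot: the comments above `connected_socket_perms` and `connected_stream_socket_perms` are copied from the create_socket_perms block and do not say what distinguishes them (the `-connect` exclusion); reword them. Two things to verify before merging: that `rw_socket_perms`, defined outside this hunk, contains exactly `ioctl read getattr write setattr append bind connect getopt setopt shutdown`, so the rewrite of create_socket_perms and the stream variants is behavior-preserving; and that checkpolicy accepts `-connect` negation in a permission set once the nested macros expand to a set like `{ { create { ... } } -connect }`.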
> @@ -158,12 +168,12 @@
>  #
>  # Permissions for using netlink sockets for operations that modify state.
>  # 
> -define(`rw_netlink_socket_perms', `{ create rw_socket_perms nlmsg_read nlmsg_write }')
> +define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
>  
>  #
>  # Permissions for using netlink sockets for operations that observe state.
>  # 
> -define(`r_netlink_socket_perms', `{ create rw_socket_perms nlmsg_read }')
> +define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
>  
>  #
>  # Permissions for sending all signals.
> diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.19.2/macros/program/apache_macros.te
> --- nsapolicy/macros/program/apache_macros.te	2004-11-18 08:13:58.000000000 -0500
> +++ policy-1.19.2/macros/program/apache_macros.te	2004-11-18 09:06:46.828697818 -0500
> @@ -110,11 +110,12 @@
>  create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t)
>  ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
>  
> -if (httpd_enable_cgi) && (httpd_unified) {
> +if (httpd_enable_cgi) && (httpd_unified) ifdef(`targeted_policy', ` && ! (httpd_disable_trans)') {
>  ifelse($1, sys, `
>  domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
>  domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
>  domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
> +create_dir_file(httpd_t, httpdcontent)
>  ', `
>  create_dir_file(httpd_$1_script_t, httpdcontent)
>  can_exec(httpd_$1_script_t, httpdcontent )
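Review bot: the added `create_dir_file(httpd_t, httpdcontent)` in the sys branch lets the main server domain create and write every httpdcontent type, including the script content that the domain_auto_trans lines just above it turn into httpd_sys_script_t when httpd_t executes it; a server that can write content it then executes as a CGI loses the separation the script domains exist for. If a writable area is needed, scope the rule to httpd_sys_script_rw_t (already used above) or add a comment on why the whole attribute is required.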
> diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/inetd_macros.te policy-1.19.2/macros/program/inetd_macros.te
> --- nsapolicy/macros/program/inetd_macros.te	2004-11-18 08:13:59.000000000 -0500
> +++ policy-1.19.2/macros/program/inetd_macros.te	2004-11-18 09:07:36.065142440 -0500
> @@ -44,7 +44,7 @@
>  allow $1_t self:dir search;
>  allow $1_t self:file { getattr read };
>  can_kerberos($1_t)
> -allow $1_t urandom_device_t:chr_file { getattr read };
> +allow $1_t urandom_device_t:chr_file r_file_perms;
>  type $1_port_t, port_type, reserved_port_type;
>  # Use sockets inherited from inetd.
>  ifelse($2, `', `
> diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/kerberos_macros.te policy-1.19.2/macros/program/kerberos_macros.te
> --- nsapolicy/macros/program/kerberos_macros.te	2004-11-17 14:51:55.000000000 -0500
> +++ policy-1.19.2/macros/program/kerberos_macros.te	2004-11-18 09:08:04.893889675 -0500
> @@ -1,7 +1,9 @@
>  define(`can_kerberos',`
>  ifdef(`kerberos.te',`
> +if (allow_kerberos) {
>  can_network($1)
>  dontaudit $1 krb5_conf_t:file write;
>  allow $1 krb5_conf_t:file { getattr read };
> +}
>  ') dnl kerberos.te
>  ')
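Review bot: `if (allow_kerberos) {` refers to a boolean that this patch declares only in targeted/domains/unconfined.te, so a strict policy build that includes kerberos.te will fail on the undefined boolean; declare `bool allow_kerberos false;` somewhere both policies see, or wrap the conditional in `ifdef(`targeted_policy', ...)` so strict policy keeps the unconditional rules.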
> diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/lpr_macros.te policy-1.19.2/macros/program/lpr_macros.te
> --- nsapolicy/macros/program/lpr_macros.te	2004-11-09 13:35:13.000000000 -0500
> +++ policy-1.19.2/macros/program/lpr_macros.te	2004-11-18 09:09:14.527032926 -0500
> @@ -18,7 +18,7 @@
>  undefine(`lpr_domain')
>  define(`lpr_domain',`
>  # Derived domain based on the calling user domain and the program
> -type $1_lpr_t, domain, privlog;
> +type $1_lpr_t, domain, privlog, nscd_client_domain;
>  
>  # Transition from the user domain to the derived domain.
>  domain_auto_trans($1_t, lpr_exec_t, $1_lpr_t)
> @@ -104,6 +104,7 @@
>  # Connect to lpd via a TCP socket.
>  can_tcp_connect($1_lpr_t, lpd_t)
>  
> +allow $1_lpr_t fs_t:filesystem getattr;
>  # Send SIGHUP to lpd.
>  allow $1_lpr_t lpd_t:process signal;
>  
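Review bot: `allow $1_lpr_t fs_t:filesystem getattr;` is inserted directly above the "# Send SIGHUP to lpd." comment with no blank line, so the comment now reads as describing it; give the rule its own comment (it is the statfs-style access) and a separating blank line.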
> @@ -120,5 +121,11 @@
>  can_tcp_connect({ $1_lpr_t $1_t }, cupsd_t)
>  ')dnl end ifdef cups.te
>  
> +ifdef(`hide_broken_symptoms', `
> +# thunderbird causes these
> +dontaudit $1_lpr_t $1_t:tcp_socket { read write };
> +dontaudit $1_lpr_t { $1_home_t $1_tmp_t }:file write;
> +')
> +
>  ')dnl end macro definition
>  
> diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.19.2/macros/program/mozilla_macros.te
> --- nsapolicy/macros/program/mozilla_macros.te	2004-11-18 08:13:59.000000000 -0500
> +++ policy-1.19.2/macros/program/mozilla_macros.te	2004-11-18 09:10:42.462111158 -0500
> @@ -105,6 +105,8 @@
>  dontaudit $1_mozilla_t bin_t:dir getattr;
>  dontaudit $1_mozilla_t port_type:tcp_socket name_bind;
>  dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms;
> +# running mplayer within firefox asks for this
> +allow $1_mozilla_t clock_device_t:chr_file r_file_perms;
>  # Mozilla tries to delete .fonts.cache-1
>  dontaudit $1_mozilla_t $1_home_t:file unlink;
>  dontaudit $1_mozilla_t tmpfile:file getattr;
> diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mta_macros.te policy-1.19.2/macros/program/mta_macros.te
> --- nsapolicy/macros/program/mta_macros.te	2004-11-18 08:13:59.000000000 -0500
> +++ policy-1.19.2/macros/program/mta_macros.te	2004-11-18 09:11:15.394395389 -0500
> @@ -61,9 +61,11 @@
>  domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
>  allow privmail sendmail_exec_t:lnk_file { getattr read };
>  
> +ifdef(`crond.te', `
>  # Read cron temporary files.
>  allow system_mail_t system_crond_tmp_t:file { read getattr ioctl };
>  allow mta_user_agent system_crond_tmp_t:file { read getattr };
> +')
>  allow system_mail_t initrc_devpts_t:chr_file { read write getattr };
>  
>  ', `
> diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xserver_macros.te policy-1.19.2/macros/program/xserver_macros.te
> --- nsapolicy/macros/program/xserver_macros.te	2004-11-09 13:35:13.000000000 -0500
> +++ policy-1.19.2/macros/program/xserver_macros.te	2004-11-18 09:12:18.809240254 -0500
> @@ -27,9 +27,11 @@
>  ifdef(`distro_redhat', `
>  type $1_xserver_t, domain, privlog, privmem, privmodule, nscd_client_domain;
>  allow $1_xserver_t sysctl_modprobe_t:file { getattr read };
> +ifdef(`rpm.te', `
>  allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr };
>  allow $1_xserver_t rpm_tmpfs_t:file { read write };
>  allow $1_xserver_t rpm_t:fd use;
> +')
>  
>  ', `
>  type $1_xserver_t, domain, privlog, privmem, nscd_client_domain;
> @@ -148,6 +150,7 @@
>  allow xdm_xserver_t xdm_t:process signal;
>  allow xdm_xserver_t xdm_t:shm rw_shm_perms;
>  allow xdm_t xdm_xserver_t:shm rw_shm_perms;
> +dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
>  ')
>  ', `
>  allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
> diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.19.2/targeted/domains/unconfined.te
> --- nsapolicy/targeted/domains/unconfined.te	2004-11-18 08:14:00.000000000 -0500
> +++ policy-1.19.2/targeted/domains/unconfined.te	2004-11-18 08:48:23.928138750 -0500
> @@ -45,4 +45,7 @@
>  # Allow system to run with NIS
>  bool allow_ypbind false;
>  
> +# Allow system to run with Kerberos
> +bool allow_kerberos false;
> +
>  
> diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.19.2/tunables/distro.tun
> --- nsapolicy/tunables/distro.tun	2004-08-20 13:57:29.000000000 -0400
> +++ policy-1.19.2/tunables/distro.tun	2004-11-18 08:48:23.929138637 -0500
> @@ -5,7 +5,7 @@
>  # appropriate ifdefs.
>  
> 
> -dnl define(`distro_redhat')
> +define(`distro_redhat')
>  
>  dnl define(`distro_suse')
>  
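Review bot: `define(`distro_redhat')` switches the upstream tunables default to Red Hat for every builder; the file keeps the distro_* lines commented out with dnl so that each distribution enables its own, so this looks like a local build setting swept into the patch. Drop this hunk from the submission unless the intent really is to change the default.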
> diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.19.2/tunables/tunable.tun
> --- nsapolicy/tunables/tunable.tun	2004-11-09 13:35:13.000000000 -0500
> +++ policy-1.19.2/tunables/tunable.tun	2004-11-18 08:48:23.929138637 -0500
> @@ -1,27 +1,27 @@
>  # Allow users to execute the mount command
> -dnl define(`user_can_mount')
> +define(`user_can_mount')
>  
>  # Allow rpm to run unconfined.
> -dnl define(`unlimitedRPM')
> +define(`unlimitedRPM')
>  
>  # Allow privileged utilities like hotplug and insmod to run unconfined.
> -dnl define(`unlimitedUtils')
> +define(`unlimitedUtils')
>  
>  # Allow rc scripts to run unconfined, including any daemon
>  # started by an rc script that does not have a domain transition
>  # explicitly defined.
> -dnl define(`unlimitedRC')
> +define(`unlimitedRC')
>  
>  # Allow sysadm_t to directly start daemons
>  define(`direct_sysadm_daemon')
>  
>  # Do not audit things that we know to be broken but which
>  # are not security risks
> -dnl define(`hide_broken_symptoms')
> +define(`hide_broken_symptoms')
>  
>  # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
>  # Otherwise, only staff_r can do so.
> -dnl define(`user_canbe_sysadm')
> +define(`user_canbe_sysadm')
>  
>  # Allow xinetd to run unconfined, including any services it starts
>  # that do not have a domain transition explicitly defined.
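Review bot: this hunk enables six tunables at once (user_can_mount, unlimitedRPM, unlimitedUtils, unlimitedRC, hide_broken_symptoms, user_canbe_sysadm), and by the file's own comments four of them let rpm, hotplug/insmod and rc-started daemons run unconfined and let user_r reach sysadm_r; like the distro.tun change above it reads as local configuration rather than a policy fix. Keep tunable.tun out of the patch, or justify each flip separately, since the shipped defaults are the strict ones.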
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


* Re: can_network patch.
  2004-11-18 14:33               ` Daniel J Walsh
@ 2004-11-23 18:52                 ` James Carter
  2004-11-23 19:06                   ` Stephen Smalley
  2004-11-24 16:22                   ` Daniel J Walsh
  0 siblings, 2 replies; 64+ messages in thread
From: James Carter @ 2004-11-23 18:52 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Russell Coker, Thomas Bleher, SELinux

I am OK with what the changes do, but I would rather see a new macro
than just remove the connect permission from can_network().

On the other hand, it looks like there are 119 uses of can_network() and
Dan is only adding 32 lines with connect permissions, so only 25% seem
to need the connect permission.

Would anyone be upset if the functionality of can_network() changes?

Any comments?

On Thu, 2004-11-18 at 09:33, Daniel J Walsh wrote:
<snip>
> diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/global_macros.te policy-1.19.2.good/macros/global_macros.te
> --- policy-1.19.2/macros/global_macros.te	2004-11-18 08:14:45.000000000 -0500
> +++ policy-1.19.2.good/macros/global_macros.te	2004-11-18 08:35:53.865768738 -0500
> @@ -118,64 +118,6 @@
>  
>  #################################
>  #
> -# can_network(domain)
> -#
> -# Permissions for accessing the network.
> -# See types/network.te for the network types.
> -# See net_contexts for security contexts for network entities.
> -#
> -define(`can_network',`
> -#
> -# Allow the domain to create and use UDP and TCP sockets.
> -# Other kinds of sockets must be separately authorized for use.
> -allow $1 self:udp_socket create_socket_perms;
> -allow $1 self:tcp_socket create_stream_socket_perms;
> -
> -#
> -# Allow the domain to send or receive using any network interface.
> -# netif_type is a type attribute for all network interface types.
> -#
> -allow $1 netif_type:netif { tcp_send udp_send rawip_send };
> -allow $1 netif_type:netif { tcp_recv udp_recv rawip_recv };
> -
> -#
> -# Allow the domain to send to or receive from any node.
> -# node_type is a type attribute for all node types.
> -#
> -allow $1 node_type:node { tcp_send udp_send rawip_send };
> -allow $1 node_type:node { tcp_recv udp_recv rawip_recv };
> -
> -#
> -# Allow the domain to send to or receive from any port.
> -# port_type is a type attribute for all port types.
> -#
> -allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg };
> -
> -#
> -# Allow the domain to send NFS client requests via the socket
> -# created by mount.
> -#
> -allow $1 mount_t:udp_socket rw_socket_perms;
> -
> -#
> -# Bind to the default port type.
> -# Other port types must be separately authorized.
> -#
> -#allow $1 port_t:udp_socket name_bind;
> -#allow $1 port_t:tcp_socket name_bind;
> -
> -# XXX Allow binding to any node type.  Remove once
> -# individual rules have been added to all domains that 
> -# bind sockets. 
> -allow $1 node_type: { tcp_socket udp_socket } node_bind;
> -#
> -# Allow access to network files including /etc/resolv.conf
> -#
> -allow $1 net_conf_t:file r_file_perms;
> -')dnl end can_network definition
> -
> -#################################
> -#
>  # can_sysctl(domain)
>  #
>  # Permissions for modifying sysctl parameters.
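Review bot: removing can_network() from global_macros.te leaves every existing `can_network(...)` call depending on the new macros/network_macros.te being expanded before the domain files; the patch does not show a Makefile or include change, so confirm the build already picks up macros/*.te (if it does, nothing more is needed; if not, the policy fails to expand).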
> diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/network_macros.te policy-1.19.2.good/macros/network_macros.te
> --- policy-1.19.2/macros/network_macros.te	1969-12-31 19:00:00.000000000 -0500
> +++ policy-1.19.2.good/macros/network_macros.te	2004-11-18 08:35:53.865768738 -0500
> @@ -0,0 +1,103 @@
> +#################################
> +#
> +# can_network(domain)
> +#
> +# Permissions for accessing the network.
> +# See types/network.te for the network types.
> +# See net_contexts for security contexts for network entities.
> +#
> +define(`base_can_network',`
> +#
> +# Allow the domain to create and use $2 sockets.
> +# Other kinds of sockets must be separately authorized for use.
> +allow $1 self:$2_socket connected_socket_perms;
> +
> +#
> +# Allow the domain to send or receive using any network interface.
> +# netif_type is a type attribute for all network interface types.
> +#
> +allow $1 netif_type:netif { $2_send rawip_send };
> +allow $1 netif_type:netif { $2_recv rawip_recv };
> +
> +#
> +# Allow the domain to send to or receive from any node.
> +# node_type is a type attribute for all node types.
> +#
> +allow $1 node_type:node { $2_send rawip_send };
> +allow $1 node_type:node { $2_recv rawip_recv };
> +
> +#
> +# Allow the domain to send to or receive from any port.
> +# port_type is a type attribute for all port types.
> +#
> +ifelse($3, `', `
> +allow $1 port_type:$2_socket { send_msg recv_msg };
> +', `
> +allow $1 $3:$2_socket { send_msg recv_msg };
> +')
> +
> +# XXX Allow binding to any node type.  Remove once
> +# individual rules have been added to all domains that 
> +# bind sockets. 
> +allow $1 node_type:$2_socket node_bind;
> +#
> +# Allow access to network files including /etc/resolv.conf
> +#
> +allow $1 net_conf_t:file r_file_perms;
> +')dnl end can_network definition
> +
> +#################################
> +#
> +# can_tcp_network(domain)
> +#
> +# Permissions for accessing a tcp network.
> +# See types/network.te for the network types.
> +# See net_contexts for security contexts for network entities.
> +#
> +define(`can_tcp_network',`
> +base_can_network($1, tcp, `$2')
> +allow $1 self:tcp_socket { listen accept };
> +')
> +
> +#################################
> +#
> +# can_udp_network(domain)
> +#
> +# Permissions for accessing a udp network.
> +# See types/network.te for the network types.
> +# See net_contexts for security contexts for network entities.
> +#
> +define(`can_udp_network',`
> +base_can_network($1, udp, `$2')
> +')
> +
> +#################################
> +#
> +# can_network(domain)
> +#
> +# Permissions for accessing the network.
> +# See types/network.te for the network types.
> +# See net_contexts for security contexts for network entities.
> +#
> +define(`can_network',`
> +
> +can_tcp_network($1, `$2')
> +can_udp_network($1, `$2')
> +
> +#
> +# Allow the domain to send NFS client requests via the socket
> +# created by mount.
> +#
> +allow $1 mount_t:udp_socket rw_socket_perms;
> +
> +')dnl end can_network definition
> +
> +define(`can_resolve',`
> +can_udp_network($1, `dns_port_t')
> +allow $1 self:udp_socket connect;
> +')
> +define(`can_ldap',`
> +can_tcp_network($1, `ldap_port_t')
> +allow $1 self:tcp_socket connect;
> +')
> +
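Review bot: base_can_network() grants `connected_socket_perms` on `self:$2_socket`, which after the core_macros change is create_socket_perms minus connect, so can_network() as rebuilt here no longer grants connect (can_tcp_network adds listen/accept, and only can_resolve/can_ldap add connect back, for one port type each); that is the semantic change questioned in the reply above and it is not mentioned anywhere in the file. The header block still says "can_network(domain)" above a three-argument base_can_network: document $2 (tcp or udp) and the optional $3 port type that replaces port_type in the send_msg/recv_msg rule, note that can_network() passes its own optional $2 through to both sub-macros, and give can_resolve and can_ldap the same header block as the others.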
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


* Re: can_network patch.
  2004-11-23 18:52                 ` James Carter
@ 2004-11-23 19:06                   ` Stephen Smalley
  2004-11-23 19:37                     ` Daniel J Walsh
  2004-11-24 16:22                   ` Daniel J Walsh
  1 sibling, 1 reply; 64+ messages in thread
From: Stephen Smalley @ 2004-11-23 19:06 UTC (permalink / raw)
  To: Jim Carter; +Cc: Daniel J Walsh, Russell Coker, Thomas Bleher, SELinux

On Tue, 2004-11-23 at 13:52, James Carter wrote:
> I am OK with what the changes do, but I would rather see a new macro
> than just remove the connect permission from can_network().
> 
> On the other hand, it looks like there are 119 uses of can_network() and
> Dan is only adding 32 lines with connect permissions, so only 25% seem
> to need the connect permission.
> 
> Would anyone be upset if the functionality of can_network() changes?
> 
> Any comments?

My preference:  Feel free to refactor can_network() into smaller macros
that can_network() then includes, but don't change the overall set of
permissions allowed by can_network().  Instead, change the calling
domains to use the smaller macros as appropriate, e.g. can_tcp_server()
for domains that just want bind/listen/accept (and the usual permissions
for basic use of the socket), can_tcp_client() for domains that just
want connect (and the usual permissions for basic use of the socket). 
If you are reading policy and you see can_network(), you should be able
to assume unrestricted use of the network.  If you see can_tcp_client(),
you get a clear sense as to what that means.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* Re: can_network patch.
  2004-11-23 19:06                   ` Stephen Smalley
@ 2004-11-23 19:37                     ` Daniel J Walsh
  2004-11-23 20:07                       ` Stephen Smalley
  0 siblings, 1 reply; 64+ messages in thread
From: Daniel J Walsh @ 2004-11-23 19:37 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Jim Carter, Russell Coker, Thomas Bleher, SELinux

Stephen Smalley wrote:

>On Tue, 2004-11-23 at 13:52, James Carter wrote:
>  
>
>>I am OK with what the changes do, but I would rather see a new macro
>>than just remove the connect permission from can_network().
>>
>>On the other hand, it looks like there are 119 uses of can_network() and
>>Dan is only adding 32 lines with connect permissions, so only 25% seem
>>to need the connect permission.
>>
>>Would anyone be upset if the functionality of can_network() changes?
>>
>>Any comments?
>>    
>>
>
>My preference:  Feel free to refactor can_network() into smaller macros
>that can_network() then includes, but don't change the overall set of
>permissions allowed by can_network().  Instead, change the calling
>domains to use the smaller macros as appropriate, e.g. can_tcp_server()
>for domains that just want bind/listen/accept (and the usual permissions
>for basic use of the socket), can_tcp_client() for domains that just
>want connect (and the usual permissions for basic use of the socket). 
>If you are reading policy and you see can_network(), you should be able
>to assume unrestricted use of the network.  If you see can_tcp_client(),
>you get a clear sense as to what that means.
>
>  
>
Well, that's ok, but it means we change 87 instances and leave 19 instances,
which does not make much sense to me.
We are still treating name_bind separately.  I see bind and connect
as similar access rights, i.e. both are used to "connect" a port to a
socket.  So why aren't we talking about moving name_bind into the
can_network series of connections?
I still think we need the ability to specify which ports a network can
connect to.
Any movement on providing this capability?

I can add
can_network_server()
can_network_client()
can_tcp_server()
can_tcp_client()
can_udp_server()
can_udp_client()

And then retain can_network



* Re: can_network patch.
  2004-11-23 19:37                     ` Daniel J Walsh
@ 2004-11-23 20:07                       ` Stephen Smalley
  2004-11-25 19:40                         ` Russell Coker
  0 siblings, 1 reply; 64+ messages in thread
From: Stephen Smalley @ 2004-11-23 20:07 UTC (permalink / raw)
  To: Daniel J Walsh
  Cc: Jim Carter, Russell Coker, Thomas Bleher, SELinux, James Morris

On Tue, 2004-11-23 at 14:37, Daniel J Walsh wrote:
> Well, that's ok, but it means we change 87 instances and leave 19 instances,
> which does not make much sense to me.

It accurately represents what we are doing, i.e. removing a permission
from 87 domains that never needed it based on an explicit assessment.   

> We are still treating name_bind separately.  I see bind and connect
> as similar access rights, i.e. both are used to "connect" a port to a
> socket.  So why aren't we talking about moving name_bind into the
> can_network series of connections?

Process->socket bind permission is granted by can_network(), as with
process->socket connect permission.  socket->port name_bind permission
is allowed separately, as can_network is too generic to know which ports
are needed by the application, and we certainly don't want to allow
arbitrary port binding.  However, we used to allow name_bind for the
default port_t type in can_network(), and could probably restore those
rules now that all reserved ports are guaranteed to be mapped to
reserved_port_t or an individual port type.

If no one agrees with me about preserving can_network() semantics, then
I can be overruled.  But I thought that Russell had voiced a similar
concern earlier.

> I still think we need ability to specify which ports a network can 
> connect to.
> Any movement on providing this capability?

Not yet, AFAIK.  I don't think it will be difficult, but it is too late
for certain distro releases anyway.  So even if we gave you the
capability now, you couldn't make use of it for some time.

> I can add
> can_network_server()
> can_network_client()
> can_tcp_server()
> can_tcp_client()
> can_udp_server()
> can_udp_client()
> 
> And then retain can_network

The client/server distinction only makes sense for TCP.  You can distinguish
sender/receiver for UDP, but most real applications that use UDP are
going to be acting as both a sender and a receiver anyway.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
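
As an added illustration of the split Stephen describes above (this is not policy from any patch in the thread): the process-to-socket permissions every TCP user needs, the two permissions that separate a client from a server, and the socket-to-port and socket-to-node permissions that stay per type. The macro names can_tcp_client and can_tcp_server are the ones suggested in his message; the permission names and the netif_type, node_type, port_type and net_conf_t types are those in the quoted can_network(); the helper name base_tcp_socket_perms, the optional port-type argument and the example domain names are assumptions.

```m4
# Added illustration, not from the thread's patches.  Permission and type
# names are the ones used in the quoted can_network(); the helper name
# base_tcp_socket_perms and the optional port-type argument are assumptions.

#################################
#
# base_tcp_socket_perms(domain)
#
# Process -> its own socket: create and use it, send and receive through
# any interface and node, and read /etc/resolv.conf.  Neither connect nor
# listen/accept is granted here; those are what separate the client and
# server macros below.
#
define(`base_tcp_socket_perms',`
allow $1 self:tcp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
allow $1 netif_type:netif { tcp_send tcp_recv };
allow $1 node_type:node { tcp_send tcp_recv };
allow $1 net_conf_t:file r_file_perms;
')

#################################
#
# can_tcp_client(domain [, port_type])
#
# Initiates connections.  send_msg/recv_msg is limited to the named port
# type when one is given, otherwise any port (as can_network does).
#
define(`can_tcp_client',`
base_tcp_socket_perms($1)
allow $1 self:tcp_socket connect;
ifelse(`$2', `', `
allow $1 port_type:tcp_socket { send_msg recv_msg };
', `
allow $1 $2:tcp_socket { send_msg recv_msg };
')
')

#################################
#
# can_tcp_server(domain, port_type)
#
# Accepts connections.  Socket -> port name_bind stays per port type, so
# the port type is a required argument rather than granted on port_type.
#
define(`can_tcp_server',`
base_tcp_socket_perms($1)
allow $1 self:tcp_socket { listen accept };
allow $1 $2:tcp_socket { name_bind send_msg recv_msg };
allow $1 node_type:tcp_socket node_bind;
')

# Example use (domain and port types are placeholders): a program that only
# connects out gets no listen/accept or name_bind; a daemon that only serves
# its own port type gets no connect.
can_tcp_client(example_client_t)
can_tcp_server(example_daemon_t, example_port_t)
```

Reading a domain file then tells you at a glance which side of the connection it is on, which is the readability point Stephen makes; a domain that genuinely does both keeps calling can_network().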



* Re: can_network patch.
  2004-11-23 18:52                 ` James Carter
  2004-11-23 19:06                   ` Stephen Smalley
@ 2004-11-24 16:22                   ` Daniel J Walsh
  2004-11-24 16:39                     ` Stephen Smalley
  2004-11-24 19:48                     ` James Carter
  1 sibling, 2 replies; 64+ messages in thread
From: Daniel J Walsh @ 2004-11-24 16:22 UTC (permalink / raw)
  To: jwcart2; +Cc: Russell Coker, Thomas Bleher, SELinux


    * This patch includes the ugliness to get sun's jre plugin to work
      in Mozilla (otherwise mozilla crashes).
    * Removed distro_gentoo checks around proc_net since we want these also.
    * Futzed around with userhelper so that mozilla can run it.
    * Cleaned up stunnel.te so it should be usable for gentoo and other
      distributions.
    * Some cleanup of apache to allow starting of apache with ssl keys.
    * Includes modification to global_macros to extract out
      network_macros.te.


network_macros.te includes

can_network - with all the current functionality

I added

can_network_server (Has listen and accept, both udp and tcp)
can_network_server_udp
can_network_server_tcp

can_network_client (Has connect, both udp and tcp)
can_network_client_tcp
can_network_client_udp

can_network_udp  - Same as can_network but only for udp
can_network_tcp - Same as can_network but only for tcp


[-- Attachment #2: policy-small.patch --]
[-- Type: text/x-patch, Size: 22534 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.19.5/domains/program/ifconfig.te
--- nsapolicy/domains/program/ifconfig.te	2004-11-20 22:29:08.000000000 -0500
+++ policy-1.19.5/domains/program/ifconfig.te	2004-11-24 10:57:51.317336099 -0500
@@ -38,12 +38,8 @@
 allow ifconfig_t { kernel_t init_t }:fd use;
 
 # Access /proc
-allow ifconfig_t proc_t:dir r_dir_perms;
-allow ifconfig_t proc_t:file r_file_perms;
-ifdef(`distro_gentoo', `
-allow ifconfig_t proc_net_t:dir r_dir_perms;
-allow ifconfig_t proc_net_t:file r_file_perms;
-')
+r_dir_file(ifconfig_t, proc_t)
+r_dir_file(ifconfig_t, proc_net_t)
 
 allow ifconfig_t privfd:fd use;
 allow ifconfig_t run_init_t:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.19.5/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2004-11-24 07:00:50.000000000 -0500
+++ policy-1.19.5/domains/program/unused/apache.te	2004-11-24 10:57:51.318335986 -0500
@@ -322,14 +322,13 @@
 application_domain(httpd_helper)
 role system_r types httpd_helper_t;
 domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t)
-
-allow httpd_helper_t devpts_t:dir { search };
-allow httpd_helper_t devtty_t:chr_file rw_file_perms;
 allow httpd_helper_t httpd_config_t:file { getattr read };
 allow httpd_helper_t httpd_log_t:file { append };
+
 if (httpd_tty_comm) {
+allow { httpd_t httpd_helper_t } devpts_t:dir { search };
 ifdef(`targeted_policy', `
-allow { httpd_helper_t httpd_t } devpts_t:chr_file { read write };
+allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file { read write };
 ')
 allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write };
 }
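Review bot: dropping the unconditional `allow httpd_helper_t devtty_t:chr_file rw_file_perms` and `devpts_t:dir { search }` and re-adding devtty_t only inside `if (httpd_tty_comm)` under `ifdef(`targeted_policy', ...)` means the strict policy's httpd_helper_t can no longer open /dev/tty at all, even with the boolean on; if the helper is what prompts for the SSL key passphrase (the "starting apache with ssl keys" item), the devtty_t rule belongs outside the targeted_policy ifdef, next to the admin_tty_type rule that both policies get.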
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/iptables.te policy-1.19.5/domains/program/unused/iptables.te
--- nsapolicy/domains/program/unused/iptables.te	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.5/domains/program/unused/iptables.te	2004-11-24 10:57:51.319335873 -0500
@@ -54,10 +54,8 @@
 ifdef(`gnome-pty-helper.te', `allow iptables_t sysadm_gph_t:fd use;')
 
 allow iptables_t proc_t:file { getattr read };
-ifdef(`distro_gentoo', `
 allow iptables_t proc_net_t:dir { search };
 allow iptables_t proc_net_t:file { read getattr };
-')
 
 # system-config-network appends to /var/log
 allow iptables_t var_log_t:file append;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.19.5/domains/program/unused/rpcd.te
--- nsapolicy/domains/program/unused/rpcd.te	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.5/domains/program/unused/rpcd.te	2004-11-24 10:59:38.728216864 -0500
@@ -72,9 +72,7 @@
 
 # for /proc/fs/nfs/exports - should we have a new type?
 allow nfsd_t proc_t:file r_file_perms;
-ifdef(`distro_gentoo', `
 allow nfsd_t proc_net_t:dir search;
-')
 allow nfsd_t exports_t:file { getattr read };
 
 allow nfsd_t nfsd_fs_t:filesystem mount;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.19.5/domains/program/unused/snmpd.te
--- nsapolicy/domains/program/unused/snmpd.te	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.5/domains/program/unused/snmpd.te	2004-11-24 10:57:51.320335760 -0500
@@ -70,11 +70,9 @@
 ')
 allow snmpd_t var_lib_nfs_t:dir search;
 
-ifdef(`distro_gentoo', `
 # needed in order to retrieve net traffic data
 allow snmpd_t proc_net_t:dir search;
 allow snmpd_t proc_net_t:file r_file_perms;
-')
 
 dontaudit snmpd_t domain:dir { getattr search };
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/stunnel.te policy-1.19.5/domains/program/unused/stunnel.te
--- nsapolicy/domains/program/unused/stunnel.te	2004-11-24 08:36:21.000000000 -0500
+++ policy-1.19.5/domains/program/unused/stunnel.te	2004-11-24 10:57:51.322335534 -0500
@@ -2,6 +2,12 @@
 #
 # Author:   petre rodan <kaiowas@gentoo.org>
 #
+ifelse(`distro_gentoo', `', `
+
+inetd_child_domain(stunnel, tcp)
+allow stunnel_t self:capability sys_chroot;
+
+', `
 
 type stunnel_port_t, port_type;
 
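Review bot: `ifelse(`distro_gentoo', `', ...)` compares the quoted literal string distro_gentoo with the empty string, which is never equal, so the first branch (inetd_child_domain(stunnel, tcp) with sys_chroot) is dead code and every distribution gets the standalone-daemon rules in the second branch; if the inetd-child form is meant for non-Gentoo systems and the standalone form for Gentoo, write it as the rest of the tree does, `ifdef(`distro_gentoo', `<standalone rules>', `<inetd_child_domain rules>')`.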
@@ -9,14 +15,15 @@
 
 can_network(stunnel_t)
 
-type stunnel_etc_t, file_type, sysadmfile;
-
 allow stunnel_t self:capability { setgid setuid sys_chroot };
 allow stunnel_t self:fifo_file { read write };
 allow stunnel_t self:tcp_socket { read write };
 allow stunnel_t self:unix_stream_socket { connect create };
 
-allow stunnel_t stunnel_port_t:tcp_socket { name_bind };
+r_dir_file(stunnel_t, etc_t)
+')
 
+type stunnel_etc_t, file_type, sysadmfile;
 r_dir_file(stunnel_t, stunnel_etc_t)
-r_dir_file(stunnel_t, etc_t)
+allow stunnel_t stunnel_port_t:tcp_socket { name_bind };
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/watchdog.te policy-1.19.5/domains/program/unused/watchdog.te
--- nsapolicy/domains/program/unused/watchdog.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.5/domains/program/unused/watchdog.te	2004-11-24 10:57:51.322335534 -0500
@@ -25,7 +25,6 @@
 allow watchdog_t self:unix_stream_socket create_socket_perms;
 can_network(watchdog_t)
 can_ypbind(watchdog_t)
-allow watchdog_t self:udp_socket create_socket_perms;
 allow watchdog_t bin_t:dir search;
 allow watchdog_t bin_t:lnk_file read;
 allow watchdog_t init_t:process signal;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.19.5/domains/user.te
--- nsapolicy/domains/user.te	2004-11-20 22:29:08.000000000 -0500
+++ policy-1.19.5/domains/user.te	2004-11-24 10:57:51.323335422 -0500
@@ -53,7 +53,6 @@
 # Reach sysadm_t via programs like userhelper/sudo/su
 undefine(`reach_sysadm')
 define(`reach_sysadm', `
-ifdef(`userhelper.te', `userhelper_domain($1)')
 ifdef(`sudo.te', `sudo_domain($1)')
 ifdef(`su.te', `
 su_domain($1)
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.19.5/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc	2004-11-24 07:00:50.000000000 -0500
+++ policy-1.19.5/file_contexts/types.fc	2004-11-24 10:57:51.324335309 -0500
@@ -334,6 +334,9 @@
 /usr(/.*)?			system_u:object_r:usr_t
 /usr(/.*)?/lib(64)?(/.*)?	system_u:object_r:lib_t
 /usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
+/usr(/.*)?/java/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
+/usr(/.*)?/java/.*\.jar	--	system_u:object_r:shlib_t
+/usr(/.*)?/java/.*\.jsa	--	system_u:object_r:shlib_t
 /usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
 /usr(/.*)?/bin(/.*)?		system_u:object_r:bin_t
 /usr(/.*)?/Bin(/.*)?		system_u:object_r:bin_t
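Review bot: `/usr(/.*)?/java/.*\.jar` and `/usr(/.*)?/java/.*\.jsa` label Java archives and class-data files as shlib_t, which gives every domain that may map shared objects the same execute access to non-ELF data files, and the leading `/usr(/.*)?` matches any directory named java anywhere under /usr, not only the JRE install. If the plugin really needs these mapped executable, say so in a comment and narrow the path to the JRE directory; otherwise lib_t, the label the surrounding lib(64)? entries give to non-.so files, is the safer choice.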
diff --exclude-from=exclude -N -u -r nsapolicy/genfs_contexts policy-1.19.5/genfs_contexts
--- nsapolicy/genfs_contexts	2004-11-20 22:29:08.000000000 -0500
+++ policy-1.19.5/genfs_contexts	2004-11-24 10:57:51.325335196 -0500
@@ -36,9 +36,7 @@
 genfscon proc /kcore			system_u:object_r:proc_kcore_t
 genfscon proc /mdstat			system_u:object_r:proc_mdstat_t
 genfscon proc /mtrr			system_u:object_r:mtrr_device_t
-ifdef(`distro_gentoo', `
 genfscon proc /net			system_u:object_r:proc_net_t
-')
 genfscon proc /sysvipc			system_u:object_r:proc_t
 genfscon proc /sys			system_u:object_r:sysctl_t
 genfscon proc /sys/kernel		system_u:object_r:sysctl_kernel_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/admin_macros.te policy-1.19.5/macros/admin_macros.te
--- nsapolicy/macros/admin_macros.te	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.5/macros/admin_macros.te	2004-11-24 10:57:51.325335196 -0500
@@ -33,7 +33,6 @@
 allow $1_t self:capability setuid;
 
 ifdef(`su.te', `su_domain($1)')
-ifdef(`userhelper.te', `userhelper_domain($1)')
 ifdef(`sudo.te', `sudo_domain($1)')
 
 # Violates the goal of limiting write access to checkpolicy.
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.19.5/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2004-11-24 07:00:51.000000000 -0500
+++ policy-1.19.5/macros/base_user_macros.te	2004-11-24 10:57:51.326335083 -0500
@@ -160,6 +160,7 @@
 
 ifdef(`screen.te', `screen_domain($1)')
 ifdef(`tvtime.te', `tvtime_domain($1)')
+ifdef(`userhelper.te', `userhelper_domain($1)')
 ifdef(`mozilla.te', `mozilla_domain($1)')
 ifdef(`games.te', `games_domain($1)')
 ifdef(`gpg.te', `gpg_domain($1)')
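Review bot: adding userhelper_domain($1) here gives every user role built on base_user_domain (user_t, staff_t and any site-defined role) its own $1_userhelper_t and the automatic transition into it, where previously only the admin macro granted that. userhelper is the setuid helper behind consolehelper, i.e. a privileged authentication path, so this widens who can reach it. If the goal is just to let system-config-packages work from a desktop session, wrapping this call in a boolean lets sites that do not want unprivileged roles driving userhelper keep the old behaviour.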
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.19.5/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.5/macros/global_macros.te	2004-11-24 10:57:51.327334970 -0500
@@ -118,64 +118,6 @@
 
 #################################
 #
-# can_network(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network',`
-#
-# Allow the domain to create and use UDP and TCP sockets.
-# Other kinds of sockets must be separately authorized for use.
-allow $1 self:udp_socket create_socket_perms;
-allow $1 self:tcp_socket create_stream_socket_perms;
-
-#
-# Allow the domain to send or receive using any network interface.
-# netif_type is a type attribute for all network interface types.
-#
-allow $1 netif_type:netif { tcp_send udp_send rawip_send };
-allow $1 netif_type:netif { tcp_recv udp_recv rawip_recv };
-
-#
-# Allow the domain to send to or receive from any node.
-# node_type is a type attribute for all node types.
-#
-allow $1 node_type:node { tcp_send udp_send rawip_send };
-allow $1 node_type:node { tcp_recv udp_recv rawip_recv };
-
-#
-# Allow the domain to send to or receive from any port.
-# port_type is a type attribute for all port types.
-#
-allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg };
-
-#
-# Allow the domain to send NFS client requests via the socket
-# created by mount.
-#
-allow $1 mount_t:udp_socket rw_socket_perms;
-
-#
-# Bind to the default port type.
-# Other port types must be separately authorized.
-#
-#allow $1 port_t:udp_socket name_bind;
-#allow $1 port_t:tcp_socket name_bind;
-
-# XXX Allow binding to any node type.  Remove once
-# individual rules have been added to all domains that 
-# bind sockets. 
-allow $1 node_type: { tcp_socket udp_socket } node_bind;
-#
-# Allow access to network files including /etc/resolv.conf
-#
-allow $1 net_conf_t:file r_file_perms;
-')dnl end can_network definition
-
-#################################
-#
 # can_sysctl(domain)
 #
 # Permissions for modifying sysctl parameters.
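Review bot: the removed can_network block reappears in the new macros/network_macros.te, but nothing at this spot says so; a one-line comment ("can_network and its client/server variants live in macros/network_macros.te") saves the next reader a grep. Also confirm that the policy build processes the new file before any program macro that calls can_network, can_resolve or can_ldap, since m4 only expands macros defined earlier in its input: chkpwd_macros.te and kerberos_macros.te in this same patch depend on that ordering.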
@@ -215,10 +157,7 @@
 allow $1 proc_t:dir r_dir_perms;
 allow $1 proc_t:notdevfile_class_set r_file_perms;
 allow $1 proc_mdstat_t:file r_file_perms;
-ifdef(`distro_gentoo', `
-allow $1 proc_net_t:dir r_dir_perms;
-allow $1 proc_net_t:file r_file_perms;
-')
+r_dir_file($1, proc_net_t)
 
 # Stat /proc/kmsg and /proc/kcore.
 allow $1 proc_fs:file stat_file_perms;
@@ -558,7 +497,7 @@
 # pseudo filesystem types that are applied to both the filesystem
 # and its files.
 allow $1 { unlabeled_t fs_type }:dir_file_class_set *;
-allow $1 proc_fs: file *;
+allow $1 proc_fs:{ dir file } *;
 
 # For /proc/pid
 r_dir_file($1,domain)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.19.5/macros/network_macros.te
--- nsapolicy/macros/network_macros.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.19.5/macros/network_macros.te	2004-11-24 10:57:51.328334858 -0500
@@ -0,0 +1,189 @@
+#################################
+#
+# can_network(domain)
+#
+# Permissions for accessing the network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`base_can_network',`
+#
+# Allow the domain to create and use $2 sockets.
+# Other kinds of sockets must be separately authorized for use.
+allow $1 self:$2_socket connected_socket_perms;
+
+#
+# Allow the domain to send or receive using any network interface.
+# netif_type is a type attribute for all network interface types.
+#
+allow $1 netif_type:netif { $2_send rawip_send };
+allow $1 netif_type:netif { $2_recv rawip_recv };
+
+#
+# Allow the domain to send to or receive from any node.
+# node_type is a type attribute for all node types.
+#
+allow $1 node_type:node { $2_send rawip_send };
+allow $1 node_type:node { $2_recv rawip_recv };
+
+#
+# Allow the domain to send to or receive from any port.
+# port_type is a type attribute for all port types.
+#
+ifelse($3, `', `
+allow $1 port_type:$2_socket { send_msg recv_msg };
+', `
+allow $1 $3:$2_socket { send_msg recv_msg };
+')
+
+# XXX Allow binding to any node type.  Remove once
+# individual rules have been added to all domains that 
+# bind sockets. 
+allow $1 node_type:$2_socket node_bind;
+#
+# Allow access to network files including /etc/resolv.conf
+#
+allow $1 net_conf_t:file r_file_perms;
+')dnl end can_network definition
+
+#################################
+#
+# can_network_server_tcp(domain)
+#
+# Permissions for accessing a tcp network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_network_server_tcp',`
+base_can_network($1, tcp, `$2')
+allow $1 self:tcp_socket { listen accept };
+')
+
+#################################
+#
+# can_network_server_udp(domain)
+#
+# Permissions for accessing a udp network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_network_server_udp',`
+base_can_network($1, udp, `$2')
+')
+
+#################################
+#
+# can_network_client_tcp(domain)
+#
+# Permissions for accessing a tcp network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_network_client_tcp',`
+base_can_network($1, tcp, `$2')
+allow $1 self:tcp_socket { connect };
+')
+
+#################################
+#
+# can_network_client_udp(domain)
+#
+# Permissions for accessing a udp network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_network_client_udp',`
+base_can_network($1, udp, `$2')
+allow $1 self:udp_socket { connect };
+')
+
+#################################
+#
+# can_network_tcp(domain)
+#
+# Permissions for accessing the network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_network_tcp',`
+
+can_network_server_tcp($1, `$2')
+can_network_client_tcp($1, `$2')
+
+')
+
+#################################
+#
+# can_network_udp(domain)
+#
+# Permissions for accessing the network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_network_udp',`
+
+can_network_client_udp($1, `$2')
+can_network_server_udp($1, `$2')
+
+')
+
+#################################
+#
+# can_network_server(domain)
+#
+# Permissions for accessing the network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_network_server',`
+
+can_network_server_tcp($1, `$2')
+can_network_server_udp($1, `$2')
+
+')dnl end can_network_server definition
+
+
+#################################
+#
+# can_network_client(domain)
+#
+# Permissions for accessing the network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_network_client',`
+
+can_network_client_tcp($1, `$2')
+can_network_client_udp($1, `$2')
+
+')dnl end can_network_client definition
+
+#################################
+#
+# can_network(domain)
+#
+# Permissions for accessing the network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_network',`
+
+can_network_tcp($1, `$2')
+can_network_udp($1, `$2')
+
+#
+# Allow the domain to send NFS client requests via the socket
+# created by mount.
+#
+allow $1 mount_t:udp_socket rw_socket_perms;
+
+')dnl end can_network definition
+
+define(`can_resolve',`
+can_network_client_udp($1, `dns_port_t')
+')
+
+define(`can_ldap',`
+can_network_client_tcp($1, `ldap_port_t')
+')
+
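Review bot: the header comment above define(`base_can_network') still reads "can_network(domain)" and the closing dnl says "end can_network definition", yet this is the one macro with undocumented extra parameters; it should describe $2 (tcp or udp, used to build the socket class and the $2_send/$2_recv permissions) and $3 (an optional port type, empty meaning port_type, i.e. every labelled port). Two things a caller of the narrower macros needs to know: every variant, can_resolve included, still grants { $2_send rawip_send } and { $2_recv rawip_recv } on every netif and node, so a DNS-only domain keeps raw-IP send/recv permission on all interfaces even though nothing here grants it a rawip_socket; and can_resolve allows UDP to dns_port_t only, so a resolver that retries over TCP after a truncated response will be denied, which matters for the chkpwd domains that now rely on it. Finally, can_network_tcp, can_network_udp and can_network each expand base_can_network twice for the same protocol; checkpolicy merges the duplicates, but the expanded rule text doubles for no gain.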
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.19.5/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.5/macros/program/apache_macros.te	2004-11-24 10:57:51.329334745 -0500
@@ -42,6 +42,7 @@
 allow httpd_$1_script_t fs_t:filesystem getattr;
 allow httpd_$1_script_t self:unix_stream_socket create_socket_perms;
 allow httpd_$1_script_t proc_t:file { getattr read };
+allow httpd_$1_script_t httpd_t:unix_stream_socket { read write };
 
 allow httpd_$1_script_t { self proc_t }:dir r_dir_perms;
 allow httpd_$1_script_t { self proc_t }:lnk_file read;
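Review bot: the added allow httpd_$1_script_t httpd_t:unix_stream_socket { read write } is presumably for the socket pair httpd passes a CGI child as stdin/stdout, but as written it covers any unix stream socket owned by httpd_t that a script can reach, not just the inherited descriptors. A comment naming the socket this is for would make the intent reviewable, and a dontaudit here first would show whether scripts actually fail without it.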
@@ -89,9 +90,7 @@
 # Allow the script interpreters to run the scripts.  So
 # the perl executable will be able to run a perl script
 #########################################################################
-can_exec(httpd_$1_script_t, { bin_t shell_exec_t })
-allow httpd_$1_script_t { bin_t sbin_t }:dir { getattr search };
-allow httpd_$1_script_t { sbin_t bin_t }:lnk_file read;
+can_exec_any(httpd_$1_script_t)
 allow httpd_$1_script_t etc_t:file { getattr read };
 
 ############################################################################
@@ -117,10 +116,10 @@
 domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
 create_dir_file(httpd_t, httpdcontent)
 ', `
-create_dir_file(httpd_$1_script_t, httpdcontent)
 can_exec(httpd_$1_script_t, httpdcontent )
 domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
 ')
+create_dir_file(httpd_$1_script_t, httpdcontent)
 }
 
 ifelse($1, sys, `
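Review bot: moving create_dir_file(httpd_$1_script_t, httpdcontent) out of the non-sys branch makes it apply to httpd_sys_script_t as well; before this change, in the sys case only httpd_t got create and write access to httpdcontent, and that asymmetry looked deliberate (a compromised system CGI could not rewrite the site's own content). The changelog does not mention it ("some cleanup of apache to allow starting of apache with ssl keys" does not cover write access to content), so either justify it or keep it inside the conditional this block sits in, whose closing brace follows the moved line.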
@@ -167,6 +166,9 @@
 }
 ')dnl end ifelse sys
 
+dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
+dontaudit httpd_$1_script_t sysctl_t:dir search;
+
 ################################################################
 # Allow the web server to run scripts and serve pages
 ##############################################################
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.19.5/macros/program/chkpwd_macros.te
--- nsapolicy/macros/program/chkpwd_macros.te	2004-11-18 08:13:59.000000000 -0500
+++ policy-1.19.5/macros/program/chkpwd_macros.te	2004-11-24 10:57:51.330334632 -0500
@@ -22,6 +22,8 @@
 can_getcon($1_chkpwd_t)
 can_ypbind($1_chkpwd_t)
 can_kerberos($1_chkpwd_t)
+can_ldap($1_chkpwd_t)
+can_resolve($1_chkpwd_t)
 # Transition from the user domain to this domain.
 ifelse($1, system, `
 domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
@@ -31,6 +33,8 @@
 dontaudit $1_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
 can_ypbind(auth_chkpwd)
 can_kerberos(auth_chkpwd)
+can_ldap(auth_chkpwd)
+can_resolve(auth_chkpwd)
 ', `
 domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
 allow $1_t sbin_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/kerberos_macros.te policy-1.19.5/macros/program/kerberos_macros.te
--- nsapolicy/macros/program/kerberos_macros.te	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.5/macros/program/kerberos_macros.te	2004-11-24 10:57:51.331334519 -0500
@@ -1,7 +1,8 @@
 define(`can_kerberos',`
 ifdef(`kerberos.te',`
 if (allow_kerberos) {
-can_network($1)
+can_network_client($1, `kerberos_port_t')
+can_resolve($1)
 dontaudit $1 krb5_conf_t:file write;
 allow $1 krb5_conf_t:file { getattr read };
 }
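Review bot: narrowing can_network($1) to can_network_client($1, `kerberos_port_t') plus can_resolve($1) is the right direction, but verify in net_contexts that every port the Kerberos client libraries use carries kerberos_port_t: the KDC port is the common case, while password changes and admin traffic go to other ports, and if those are labelled with a different type or left as port_t, password changes from any domain that relies on can_kerberos will start failing silently under the allow_kerberos boolean.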
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.19.5/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2004-11-24 07:00:51.000000000 -0500
+++ policy-1.19.5/macros/program/mozilla_macros.te	2004-11-24 10:57:51.332334406 -0500
@@ -29,7 +29,8 @@
 
 allow $1_mozilla_t usr_t:{ lnk_file file } { getattr read };
 allow $1_mozilla_t var_lib_t:file { getattr read };
-allow $1_mozilla_t urandom_device_t:chr_file { getattr ioctl read };
+allow $1_mozilla_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read append };
+
 allow $1_mozilla_t self:socket create_socket_perms;
 allow $1_mozilla_t self:file { getattr read };
 
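Review bot: the rewritten line adds read on random_device_t and append on both devices. Reading /dev/random lets the browser drain the blocking pool and starve other local consumers, and append (writing to the devices) is only useful for feeding entropy into the kernel pool, which a browser has no reason to do. If the JRE or NSS merely opens the device O_RDWR, a dontaudit on append is the usual way to silence that without granting it, and if /dev/random is only stat'ed, grant getattr alone.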
@@ -117,8 +118,20 @@
 dontaudit $1_mozilla_t file_type:dir getattr;
 allow $1_mozilla_t self:sem create_sem_perms;
 
+ifdef(`userhelper.te', `
+domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
+')
 dontaudit $1_mozilla_t selinux_config_t:dir search;
 
+#
+# Rules needed to run java apps
+#
+allow $1_mozilla_t ld_so_cache_t:file execute;
+allow $1_mozilla_t locale_t:file execute;
+dontaudit $1_mozilla_t *:{ chr_file file } execute;
+dontaudit $1_t ld_so_cache_t:file execute;
+dontaudit $1_t locale_t:file execute;
+
 ifdef(`xdm.te', `
 allow $1_mozilla_t xdm_t:fifo_file { write read };
 allow $1_mozilla_t xdm_tmp_t:dir search;
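Review bot: three problems in this hunk. The domain_auto_trans from $1_mozilla_t into $1_userhelper_t hands the browser, the most exposed process in a user session, an automatic transition into the privileged userhelper domain, which is the concern James raises below; at minimum this wants a boolean or a separate, narrower transition for system-config-packages. Next, dontaudit $1_mozilla_t *:{ chr_file file } execute suppresses every denied execute attempt by the browser domain on every type, which are exactly the AVC messages an administrator wants to see when a browser exploit tries to run a payload; narrow it to the types the JRE actually trips over. Last, the two dontaudit $1_t rules target the base user domain rather than mozilla and belong in the user macro, and ld_so_cache_t and locale_t are data files, so file execute on them suggests the JRE is mapping them PROT_EXEC, which deserves its own investigation rather than an execute grant on data.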
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/userhelper_macros.te policy-1.19.5/macros/program/userhelper_macros.te
--- nsapolicy/macros/program/userhelper_macros.te	2004-11-24 07:00:51.000000000 -0500
+++ policy-1.19.5/macros/program/userhelper_macros.te	2004-11-24 10:57:51.332334406 -0500
@@ -143,8 +143,4 @@
 allow $1_userhelper_t pam_var_console_t:dir { search };
 ')
 
-ifdef(`mozilla.te', `
-domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
-')
-
 ')dnl end userhelper macro
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/vmware_macros.te policy-1.19.5/macros/program/vmware_macros.te
--- nsapolicy/macros/program/vmware_macros.te	2004-11-20 22:29:10.000000000 -0500
+++ policy-1.19.5/macros/program/vmware_macros.te	2004-11-24 10:57:51.333334293 -0500
@@ -55,10 +55,8 @@
 
 # Access /proc
 r_dir_file($1_vmware_t, proc_t)
-ifdef(`distro_gentoo', `
 allow $1_vmware_t proc_net_t:dir search;
 allow $1_vmware_t proc_net_t:file { getattr read };
-')
 
 # Access to some files in the user home directory
 r_dir_file($1_vmware_t, $1_home_t)
diff --exclude-from=exclude -N -u -r nsapolicy/types/procfs.te policy-1.19.5/types/procfs.te
--- nsapolicy/types/procfs.te	2004-11-20 22:29:10.000000000 -0500
+++ policy-1.19.5/types/procfs.te	2004-11-24 10:57:51.334334181 -0500
@@ -12,14 +12,13 @@
 # proc_kmsg_t is the type of /proc/kmsg.
 # proc_kcore_t is the type of /proc/kcore.
 # proc_mdstat_t is the type of /proc/mdstat.
+# proc_net_t is the type of /proc/net.
 #
 type proc_t, fs_type, proc_fs, root_dir_type;
 type proc_kmsg_t, proc_fs;
 type proc_kcore_t, proc_fs;
 type proc_mdstat_t, proc_fs;
-ifdef(`distro_gentoo', `
 type proc_net_t, proc_fs;
-')
 
 #
 # sysctl_t is the type of /proc/sys.


* Re: can_network patch.
  2004-11-24 16:22                   ` Daniel J Walsh
@ 2004-11-24 16:39                     ` Stephen Smalley
  2004-11-24 16:54                       ` Daniel J Walsh
  2004-11-24 19:48                     ` James Carter
  1 sibling, 1 reply; 64+ messages in thread
From: Stephen Smalley @ 2004-11-24 16:39 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Jim Carter, Russell Coker, Thomas Bleher, SELinux

On Wed, 2004-11-24 at 11:22, Daniel J Walsh wrote:
>     * Futzed around with userhelper so that mozilla can run it.

Sorry, why would you want to allow mozilla to run userhelper?

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency




* Re: can_network patch.
  2004-11-24 16:39                     ` Stephen Smalley
@ 2004-11-24 16:54                       ` Daniel J Walsh
  2004-12-10 15:43                         ` Stephen Smalley
  0 siblings, 1 reply; 64+ messages in thread
From: Daniel J Walsh @ 2004-11-24 16:54 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Jim Carter, Russell Coker, Thomas Bleher, SELinux

Stephen Smalley wrote:

>On Wed, 2004-11-24 at 11:22, Daniel J Walsh wrote:
>  
>
>>    * Futzed around with userhelper so that mozilla can run it.
>>    
>>
>
>Sorry, why would you want to allow mozilla to run userhelper?
>
>  
>
system-config-packages



* Re: can_network patch.
  2004-11-24 16:22                   ` Daniel J Walsh
  2004-11-24 16:39                     ` Stephen Smalley
@ 2004-11-24 19:48                     ` James Carter
  2004-11-24 20:24                       ` Daniel J Walsh
  2004-11-30 21:19                       ` Reissue previous patch Daniel J Walsh
  1 sibling, 2 replies; 64+ messages in thread
From: James Carter @ 2004-11-24 19:48 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Russell Coker, Thomas Bleher, SELinux

Merged with some changes.

After talking with Steve, I removed can_network_server_udp and
can_network_client_udp, and just used can_network_udp.  There is no
security gained for udp in not allowing the connect if they already can
send and receive.

Also removed, for now, the mozilla_macros.te chunk that allowed mozilla
to execute userhelper and the rules giving mozilla more execute
permissions.  

I missed the userhelper stuff yesterday.  Letting mozilla run userhelper
has some serious security implications.

Isn't it possible to give the JRE the execute permissions without giving
it to $1_mozilla_t?

On Wed, 2004-11-24 at 11:22, Daniel J Walsh wrote:
>     *   This patch includes the ugliness to get sun's jre plugin to work
>       in Mozilla.  (otherwise mozilla crashes).
>     * Removed distro_gentoo checks around proc_net since we want these also.
>     * Futzed around with userhelper so that mozilla can run it.
>     * Cleaned up stunnel.te so it should be usable for gentoo and other
>       distributions.
>     * Some cleanup of apache to allow starting of apache with ssl keys
>     * Includes modification to global_macros to extract out
>       network_macros.te
> 
> 
> network_macros.te includes
> 
> can_network - with all the current functionality
> 
> I added
> 
> can_network_server (Has listen and accept, both udp and tcp)
> can_network_server_udp
> can_network_server_tcp
> 
> can_network_client (Has connect, both udp and tcp)
> can_network_client_tcp
> can_network_client_udp
> 
> can_network_udp  - Same as can_network but only for udp
> can_network_tcp - Same as can_network but only for tcp
> 
> 
> ______________________________________________________________________
<snip>
> diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.19.5/macros/network_macros.te
> --- nsapolicy/macros/network_macros.te	1969-12-31 19:00:00.000000000 -0500
> +++ policy-1.19.5/macros/network_macros.te	2004-11-24 10:57:51.328334858 -0500
> @@ -0,0 +1,189 @@
> +#################################
> +#
> +# can_network(domain)
> +#
> +# Permissions for accessing the network.
> +# See types/network.te for the network types.
> +# See net_contexts for security contexts for network entities.
> +#
> +define(`base_can_network',`
> +#
> +# Allow the domain to create and use $2 sockets.
> +# Other kinds of sockets must be separately authorized for use.
> +allow $1 self:$2_socket connected_socket_perms;
> +
> +#
> +# Allow the domain to send or receive using any network interface.
> +# netif_type is a type attribute for all network interface types.
> +#
> +allow $1 netif_type:netif { $2_send rawip_send };
> +allow $1 netif_type:netif { $2_recv rawip_recv };
> +
> +#
> +# Allow the domain to send to or receive from any node.
> +# node_type is a type attribute for all node types.
> +#
> +allow $1 node_type:node { $2_send rawip_send };
> +allow $1 node_type:node { $2_recv rawip_recv };
> +
> +#
> +# Allow the domain to send to or receive from any port.
> +# port_type is a type attribute for all port types.
> +#
> +ifelse($3, `', `
> +allow $1 port_type:$2_socket { send_msg recv_msg };
> +', `
> +allow $1 $3:$2_socket { send_msg recv_msg };
> +')
> +
> +# XXX Allow binding to any node type.  Remove once
> +# individual rules have been added to all domains that 
> +# bind sockets. 
> +allow $1 node_type:$2_socket node_bind;
> +#
> +# Allow access to network files including /etc/resolv.conf
> +#
> +allow $1 net_conf_t:file r_file_perms;
> +')dnl end can_network definition
> +
> +#################################
> +#
> +# can_network_server_tcp(domain)
> +#
> +# Permissions for accessing a tcp network.
> +# See types/network.te for the network types.
> +# See net_contexts for security contexts for network entities.
> +#
> +define(`can_network_server_tcp',`
> +base_can_network($1, tcp, `$2')
> +allow $1 self:tcp_socket { listen accept };
> +')
> +
> +#################################
> +#
> +# can_network_server_udp(domain)
> +#
> +# Permissions for accessing a udp network.
> +# See types/network.te for the network types.
> +# See net_contexts for security contexts for network entities.
> +#
> +define(`can_network_server_udp',`
> +base_can_network($1, udp, `$2')
> +')
> +
> +#################################
> +#
> +# can_network_client_tcp(domain)
> +#
> +# Permissions for accessing a tcp network.
> +# See types/network.te for the network types.
> +# See net_contexts for security contexts for network entities.
> +#
> +define(`can_network_client_tcp',`
> +base_can_network($1, tcp, `$2')
> +allow $1 self:tcp_socket { connect };
> +')
> +
> +#################################
> +#
> +# can_network_client_udp(domain)
> +#
> +# Permissions for accessing a udp network.
> +# See types/network.te for the network types.
> +# See net_contexts for security contexts for network entities.
> +#
> +define(`can_network_client_udp',`
> +base_can_network($1, udp, `$2')
> +allow $1 self:udp_socket { connect };
> +')
> +
> +#################################
> +#
> +# can_network_tcp(domain)
> +#
> +# Permissions for accessing the network.
> +# See types/network.te for the network types.
> +# See net_contexts for security contexts for network entities.
> +#
> +define(`can_network_tcp',`
> +
> +can_network_server_tcp($1, `$2')
> +can_network_client_tcp($1, `$2')
> +
> +')
> +
> +#################################
> +#
> +# can_network_udp(domain)
> +#
> +# Permissions for accessing the network.
> +# See types/network.te for the network types.
> +# See net_contexts for security contexts for network entities.
> +#
> +define(`can_network_udp',`
> +
> +can_network_client_udp($1, `$2')
> +can_network_server_udp($1, `$2')
> +
> +')
> +
> +#################################
> +#
> +# can_network_server(domain)
> +#
> +# Permissions for accessing the network.
> +# See types/network.te for the network types.
> +# See net_contexts for security contexts for network entities.
> +#
> +define(`can_network_server',`
> +
> +can_network_server_tcp($1, `$2')
> +can_network_server_udp($1, `$2')
> +
> +')dnl end can_network_server definition
> +
> +
> +#################################
> +#
> +# can_network_client(domain)
> +#
> +# Permissions for accessing the network.
> +# See types/network.te for the network types.
> +# See net_contexts for security contexts for network entities.
> +#
> +define(`can_network_client',`
> +
> +can_network_client_tcp($1, `$2')
> +can_network_client_udp($1, `$2')
> +
> +')dnl end can_network_client definition
> +
> +#################################
> +#
> +# can_network(domain)
> +#
> +# Permissions for accessing the network.
> +# See types/network.te for the network types.
> +# See net_contexts for security contexts for network entities.
> +#
> +define(`can_network',`
> +
> +can_network_tcp($1, `$2')
> +can_network_udp($1, `$2')
> +
> +#
> +# Allow the domain to send NFS client requests via the socket
> +# created by mount.
> +#
> +allow $1 mount_t:udp_socket rw_socket_perms;
> +
> +')dnl end can_network definition
> +
> +define(`can_resolve',`
> +can_network_client_udp($1, `dns_port_t')
> +')
> +
> +define(`can_ldap',`
> +can_network_client_tcp($1, `ldap_port_t')
> +')
> +

<snip>

> diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.19.5/macros/program/mozilla_macros.te
> --- nsapolicy/macros/program/mozilla_macros.te	2004-11-24 07:00:51.000000000 -0500
> +++ policy-1.19.5/macros/program/mozilla_macros.te	2004-11-24 10:57:51.332334406 -0500
> @@ -29,7 +29,8 @@
>  
>  allow $1_mozilla_t usr_t:{ lnk_file file } { getattr read };
>  allow $1_mozilla_t var_lib_t:file { getattr read };
> -allow $1_mozilla_t urandom_device_t:chr_file { getattr ioctl read };
> +allow $1_mozilla_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read append };
> +
>  allow $1_mozilla_t self:socket create_socket_perms;
>  allow $1_mozilla_t self:file { getattr read };
>  
> @@ -117,8 +118,20 @@
>  dontaudit $1_mozilla_t file_type:dir getattr;
>  allow $1_mozilla_t self:sem create_sem_perms;
>  
> +ifdef(`userhelper.te', `
> +domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
> +')
>  dontaudit $1_mozilla_t selinux_config_t:dir search;
>  
> +#
> +# Rules needed to run java apps
> +#
> +allow $1_mozilla_t ld_so_cache_t:file execute;
> +allow $1_mozilla_t locale_t:file execute;
> +dontaudit $1_mozilla_t *:{ chr_file file } execute;
> +dontaudit $1_t ld_so_cache_t:file execute;
> +dontaudit $1_t locale_t:file execute;
> +
>  ifdef(`xdm.te', `
>  allow $1_mozilla_t xdm_t:fifo_file { write read };
>  allow $1_mozilla_t xdm_tmp_t:dir search;

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


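To make the macro layering discussed above concrete, here is an added Python model, written for this page and not taken from the policy sources or the thread: each function returns the set of allow rules the corresponding m4 macro in the network_macros.te hunk expands to, with the permission-set macros (connected_socket_perms, r_file_perms, rw_socket_perms) kept symbolic. It checks James's observation that the UDP client/server split only differs by `connect`, and shows what the chkpwd hunk gives up by replacing a blanket can_network with can_ldap plus can_resolve. The domain name foo_t is a placeholder.

```python
"""Added model of the can_network macro family from network_macros.te.

Illustrative code for this page, not the SELinux policy's own: every function
returns the set of allow rules its m4 counterpart expands to.  Permission-set
macros are left symbolic and the domain name (foo_t) is a placeholder.
"""


def base_can_network(domain, proto, port_type=""):
    """base_can_network($1, $2, $3): $2 is tcp or udp, $3 an optional port type.

    An empty $3 selects the port_type attribute, i.e. every labelled port.
    """
    sock = f"{proto}_socket"
    port_target = port_type or "port_type"
    return {
        f"allow {domain} self:{sock} connected_socket_perms;",
        # rawip_send/rawip_recv come with every variant, even a DNS-only one.
        f"allow {domain} netif_type:netif {{ {proto}_send rawip_send }};",
        f"allow {domain} netif_type:netif {{ {proto}_recv rawip_recv }};",
        f"allow {domain} node_type:node {{ {proto}_send rawip_send }};",
        f"allow {domain} node_type:node {{ {proto}_recv rawip_recv }};",
        f"allow {domain} {port_target}:{sock} {{ send_msg recv_msg }};",
        f"allow {domain} node_type:{sock} node_bind;",
        f"allow {domain} net_conf_t:file r_file_perms;",
    }


def can_network_server_tcp(domain, port_type=""):
    return base_can_network(domain, "tcp", port_type) | {
        f"allow {domain} self:tcp_socket {{ listen accept }};"}


def can_network_server_udp(domain, port_type=""):
    return base_can_network(domain, "udp", port_type)


def can_network_client_tcp(domain, port_type=""):
    return base_can_network(domain, "tcp", port_type) | {
        f"allow {domain} self:tcp_socket {{ connect }};"}


def can_network_client_udp(domain, port_type=""):
    return base_can_network(domain, "udp", port_type) | {
        f"allow {domain} self:udp_socket {{ connect }};"}


def can_network_tcp(domain, port_type=""):
    # m4 emits the base rules twice here; checkpolicy merges the duplicates,
    # and a set union does the same.
    return can_network_server_tcp(domain, port_type) | can_network_client_tcp(domain, port_type)


def can_network_udp(domain, port_type=""):
    return can_network_client_udp(domain, port_type) | can_network_server_udp(domain, port_type)


def can_network_server(domain, port_type=""):
    return can_network_server_tcp(domain, port_type) | can_network_server_udp(domain, port_type)


def can_network_client(domain, port_type=""):
    return can_network_client_tcp(domain, port_type) | can_network_client_udp(domain, port_type)


def can_network(domain, port_type=""):
    return can_network_tcp(domain, port_type) | can_network_udp(domain, port_type) | {
        f"allow {domain} mount_t:udp_socket rw_socket_perms;"}


def can_resolve(domain):
    return can_network_client_udp(domain, "dns_port_t")


def can_ldap(domain):
    return can_network_client_tcp(domain, "ldap_port_t")


def rules_dropped(before, after):
    """Rules a domain loses when its macro call is narrowed from before to after."""
    return before - after


if __name__ == "__main__":
    # 1. The UDP client/server split differs only by 'connect'.
    print(rules_dropped(can_network_client_udp("foo_t"), can_network_server_udp("foo_t")))
    # 2. What a chkpwd-style domain gives up by moving from can_network
    #    to can_ldap + can_resolve.
    for rule in sorted(rules_dropped(can_network("foo_t"),
                                     can_resolve("foo_t") | can_ldap("foo_t"))):
        print(rule)
```

Running it shows that the narrowed chkpwd domain loses exactly four rules: send/recv to arbitrary tcp and udp ports, listen/accept, and the mount_t NFS socket rule; everything else, including the rawip send/recv on every netif and node, survives the narrowing, which is worth keeping in mind when reading can_resolve as "DNS only".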

* Re: can_network patch.
  2004-11-24 19:48                     ` James Carter
@ 2004-11-24 20:24                       ` Daniel J Walsh
  2004-11-30 21:19                       ` Reissue previous patch Daniel J Walsh
  1 sibling, 0 replies; 64+ messages in thread
From: Daniel J Walsh @ 2004-11-24 20:24 UTC (permalink / raw)
  To: jwcart2; +Cc: Russell Coker, Thomas Bleher, SELinux

James Carter wrote:

>Merged with some changes.
>
>After talking with Steve, I removed can_network_server_udp and
>can_network_client_udp, and just used can_network_udp.  There is no
>security gained for udp in not allowing the connect if they already can
>send and receive.
>  
>
Ok,  this might be a candidate for a boolean

>Also removed, for now, the mozilla_macros.te chunk that allowed mozilla
>to execute userhelper and the rules giving mozilla more execute
>permissions.  
>
>I missed the userhelper stuff yesterday.  Letting mozilla run userhelper
>has some serious security implications.
>
>Isn't it possible to give the JRE the execute permissions without giving
>it to $1_mozilla_t?
>
>  
>
Yes, although it will probably need a lot of the same privs as mozilla, 
and be quite complicated.

>On Wed, 2004-11-24 at 11:22, Daniel J Walsh wrote:
>  
>
>>    *   This patch includes the ugliness to get sun's jre plugin to work
>>      in Mozilla.  (otherwise mozilla crashes).
>>    * Removed distro_gentoo checks around proc_net since we want these also.
>>    * Futzed around with userhelper so that mozilla can run it.
>>    * Cleaned up stunnel.te so it should be usable for gentoo and other
>>      distributions.
>>    * Some cleanup of apache to allow starting of apache with ssl keys
>>    * Includes modification to global_macros to extract out
>>      network_macros.te
>>
>>
>>network_macros.te includes
>>
>>can_network - with all the current functionality
>>
>>I added
>>
>>can_network_server (Has listen and accept, both udp and tcp)
>>can_network_server_udp
>>can_network_server_tcp
>>
>>can_network_client (Has connect, both udp and tcp)
>>can_network_client_tcp
>>can_network_client_udp
>>
>>can_network_udp  - Same as can_network but only for udp
>>can_network_tcp - Same as can_network but only for tcp
>>
>>
>>______________________________________________________________________
>>    
>>
><snip>
>  
>
>>diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.19.5/macros/network_macros.te
>>--- nsapolicy/macros/network_macros.te	1969-12-31 19:00:00.000000000 -0500
>>+++ policy-1.19.5/macros/network_macros.te	2004-11-24 10:57:51.328334858 -0500
>>@@ -0,0 +1,189 @@
>>+#################################
>>+#
>>+# can_network(domain)
>>+#
>>+# Permissions for accessing the network.
>>+# See types/network.te for the network types.
>>+# See net_contexts for security contexts for network entities.
>>+#
>>+define(`base_can_network',`
>>+#
>>+# Allow the domain to create and use $2 sockets.
>>+# Other kinds of sockets must be separately authorized for use.
>>+allow $1 self:$2_socket connected_socket_perms;
>>+
>>+#
>>+# Allow the domain to send or receive using any network interface.
>>+# netif_type is a type attribute for all network interface types.
>>+#
>>+allow $1 netif_type:netif { $2_send rawip_send };
>>+allow $1 netif_type:netif { $2_recv rawip_recv };
>>+
>>+#
>>+# Allow the domain to send to or receive from any node.
>>+# node_type is a type attribute for all node types.
>>+#
>>+allow $1 node_type:node { $2_send rawip_send };
>>+allow $1 node_type:node { $2_recv rawip_recv };
>>+
>>+#
>>+# Allow the domain to send to or receive from any port.
>>+# port_type is a type attribute for all port types.
>>+#
>>+ifelse($3, `', `
>>+allow $1 port_type:$2_socket { send_msg recv_msg };
>>+', `
>>+allow $1 $3:$2_socket { send_msg recv_msg };
>>+')
>>+
>>+# XXX Allow binding to any node type.  Remove once
>>+# individual rules have been added to all domains that 
>>+# bind sockets. 
>>+allow $1 node_type:$2_socket node_bind;
>>+#
>>+# Allow access to network files including /etc/resolv.conf
>>+#
>>+allow $1 net_conf_t:file r_file_perms;
>>+')dnl end can_network definition
>>+
>>+#################################
>>+#
>>+# can_network_server_tcp(domain)
>>+#
>>+# Permissions for accessing a tcp network.
>>+# See types/network.te for the network types.
>>+# See net_contexts for security contexts for network entities.
>>+#
>>+define(`can_network_server_tcp',`
>>+base_can_network($1, tcp, `$2')
>>+allow $1 self:tcp_socket { listen accept };
>>+')
>>+
>>+#################################
>>+#
>>+# can_network_server_udp(domain)
>>+#
>>+# Permissions for accessing a udp network.
>>+# See types/network.te for the network types.
>>+# See net_contexts for security contexts for network entities.
>>+#
>>+define(`can_network_server_udp',`
>>+base_can_network($1, udp, `$2')
>>+')
>>+
>>+#################################
>>+#
>>+# can_network_client_tcp(domain)
>>+#
>>+# Permissions for accessing a tcp network.
>>+# See types/network.te for the network types.
>>+# See net_contexts for security contexts for network entities.
>>+#
>>+define(`can_network_client_tcp',`
>>+base_can_network($1, tcp, `$2')
>>+allow $1 self:tcp_socket { connect };
>>+')
>>+
>>+#################################
>>+#
>>+# can_network_client_udp(domain)
>>+#
>>+# Permissions for accessing a udp network.
>>+# See types/network.te for the network types.
>>+# See net_contexts for security contexts for network entities.
>>+#
>>+define(`can_network_client_udp',`
>>+base_can_network($1, udp, `$2')
>>+allow $1 self:udp_socket { connect };
>>+')
>>+
>>+#################################
>>+#
>>+# can_network_tcp(domain)
>>+#
>>+# Permissions for accessing the network.
>>+# See types/network.te for the network types.
>>+# See net_contexts for security contexts for network entities.
>>+#
>>+define(`can_network_tcp',`
>>+
>>+can_network_server_tcp($1, `$2')
>>+can_network_client_tcp($1, `$2')
>>+
>>+')
>>+
>>+#################################
>>+#
>>+# can_network_udp(domain)
>>+#
>>+# Permissions for accessing the network.
>>+# See types/network.te for the network types.
>>+# See net_contexts for security contexts for network entities.
>>+#
>>+define(`can_network_udp',`
>>+
>>+can_network_client_udp($1, `$2')
>>+can_network_server_udp($1, `$2')
>>+
>>+')
>>+
>>+#################################
>>+#
>>+# can_network_server(domain)
>>+#
>>+# Permissions for accessing the network.
>>+# See types/network.te for the network types.
>>+# See net_contexts for security contexts for network entities.
>>+#
>>+define(`can_network_server',`
>>+
>>+can_network_server_tcp($1, `$2')
>>+can_network_server_udp($1, `$2')
>>+
>>+')dnl end can_network_server definition
>>+
>>+
>>+#################################
>>+#
>>+# can_network_client(domain)
>>+#
>>+# Permissions for accessing the network.
>>+# See types/network.te for the network types.
>>+# See net_contexts for security contexts for network entities.
>>+#
>>+define(`can_network_client',`
>>+
>>+can_network_client_tcp($1, `$2')
>>+can_network_client_udp($1, `$2')
>>+
>>+')dnl end can_network_client definition
>>+
>>+#################################
>>+#
>>+# can_network(domain)
>>+#
>>+# Permissions for accessing the network.
>>+# See types/network.te for the network types.
>>+# See net_contexts for security contexts for network entities.
>>+#
>>+define(`can_network',`
>>+
>>+can_network_tcp($1, `$2')
>>+can_network_udp($1, `$2')
>>+
>>+#
>>+# Allow the domain to send NFS client requests via the socket
>>+# created by mount.
>>+#
>>+allow $1 mount_t:udp_socket rw_socket_perms;
>>+
>>+')dnl end can_network definition
>>+
>>+define(`can_resolve',`
>>+can_network_client_udp($1, `dns_port_t')
>>+')
>>+
>>+define(`can_ldap',`
>>+can_network_client_tcp($1, `ldap_port_t')
>>+')
>>+
>>    
>>
>
><snip>
>
>  
>
>>diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.19.5/macros/program/mozilla_macros.te
>>--- nsapolicy/macros/program/mozilla_macros.te	2004-11-24 07:00:51.000000000 -0500
>>+++ policy-1.19.5/macros/program/mozilla_macros.te	2004-11-24 10:57:51.332334406 -0500
>>@@ -29,7 +29,8 @@
>> 
>> allow $1_mozilla_t usr_t:{ lnk_file file } { getattr read };
>> allow $1_mozilla_t var_lib_t:file { getattr read };
>>-allow $1_mozilla_t urandom_device_t:chr_file { getattr ioctl read };
>>+allow $1_mozilla_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read append };
>>+
>> allow $1_mozilla_t self:socket create_socket_perms;
>> allow $1_mozilla_t self:file { getattr read };
>> 
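Review bot: the rewritten rule adds `append` on random_device_t and urandom_device_t with no comment saying why a browser needs to write to the kernel random devices; if nothing in the browser actually opens them for writing, keep the old `{ getattr ioctl read }` and only widen the type set, and if something does, name it in a comment so the write permission can be revisited later. Reading random_device_t (the blocking /dev/random) also deserves a comment, since a read that blocks stalls the browser where /dev/urandom would not.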
>>@@ -117,8 +118,20 @@
>> dontaudit $1_mozilla_t file_type:dir getattr;
>> allow $1_mozilla_t self:sem create_sem_perms;
>> 
>>+ifdef(`userhelper.te', `
>>+domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
>>+')
>> dontaudit $1_mozilla_t selinux_config_t:dir search;
>> 
>>+#
>>+# Rules needed to run java apps
>>+#
>>+allow $1_mozilla_t ld_so_cache_t:file execute;
>>+allow $1_mozilla_t locale_t:file execute;
>>+dontaudit $1_mozilla_t *:{ chr_file file } execute;
>>+dontaudit $1_t ld_so_cache_t:file execute;
>>+dontaudit $1_t locale_t:file execute;
>>+
>> ifdef(`xdm.te', `
>> allow $1_mozilla_t xdm_t:fifo_file { write read };
>> allow $1_mozilla_t xdm_tmp_t:dir search;
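Review bot: `dontaudit $1_mozilla_t *:{ chr_file file } execute;` silences execute denials on every file type for the browser domain, which is precisely the event an administrator wants logged when a plugin or a downloaded file tries to run something; narrow it to the types Java is known to trip over (the two `allow` lines above it already name ld_so_cache_t and locale_t) or guard the whole "Rules needed to run java apps" block with an ifdef so sites without Java keep that audit trail. The two `dontaudit $1_t ...` lines reach outside the mozilla domain into the parent user domain `$1_t`; if they belong anywhere it is the user macro, not mozilla_macros.te. The new `domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)` is a privilege path from the browser into userhelper and should carry a comment explaining what in the browser triggers it.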
>>    
>>
>
>  
>



* Re: can_network patch.
  2004-11-23 20:07                       ` Stephen Smalley
@ 2004-11-25 19:40                         ` Russell Coker
  2004-11-26 11:55                           ` Daniel J Walsh
  0 siblings, 1 reply; 64+ messages in thread
From: Russell Coker @ 2004-11-25 19:40 UTC (permalink / raw)
  To: Stephen Smalley
  Cc: Daniel J Walsh, Jim Carter, Thomas Bleher, SELinux, James Morris

On Wednesday 24 November 2004 07:07, Stephen Smalley <sds@epoch.ncsc.mil> 
wrote:
> If no one agrees with me about preserving can_network() semantics, then
> I can be overruled.  But I thought that Russell had voiced a similar
> concern earlier.

I still think that can_network() should keep its traditional functionality.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


* Re: can_network patch.
  2004-11-25 19:40                         ` Russell Coker
@ 2004-11-26 11:55                           ` Daniel J Walsh
  0 siblings, 0 replies; 64+ messages in thread
From: Daniel J Walsh @ 2004-11-26 11:55 UTC (permalink / raw)
  To: russell; +Cc: Stephen Smalley, Jim Carter, Thomas Bleher, SELinux, James Morris

Russell Coker wrote:

>On Wednesday 24 November 2004 07:07, Stephen Smalley <sds@epoch.ncsc.mil> 
>wrote:
>  
>
>>If no one agrees with me about preserving can_network() semantics, then
>>I can be overruled.  But I thought that Russell had voiced a similar
>>concern earlier.
>>    
>>
>
>I still think that can_network() should keep it's traditional functionality.
>
>  
>
The latest patch's can_network has the same functionality; we now have 
other options to tighten security, though.

can_network_tcp
can_network_udp
...


* Reissue previous patch
  2004-11-24 19:48                     ` James Carter
  2004-11-24 20:24                       ` Daniel J Walsh
@ 2004-11-30 21:19                       ` Daniel J Walsh
  2004-12-02 13:54                         ` James Carter
  1 sibling, 1 reply; 64+ messages in thread
From: Daniel J Walsh @ 2004-11-30 21:19 UTC (permalink / raw)
  To: jwcart2; +Cc: SELinux

[-- Attachment #1: Type: text/plain, Size: 40 bytes --]

Several can_network_clients were wrong


[-- Attachment #2: policy-20041130.patch --]
[-- Type: text/x-patch, Size: 84255 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.19.7/attrib.te
--- nsapolicy/attrib.te	2004-11-18 08:13:57.000000000 -0500
+++ policy-1.19.7/attrib.te	2004-11-30 11:29:15.000000000 -0500
@@ -225,14 +225,6 @@
 # overall filesystem statistics.
 attribute fs_type;
 
-# The root_dir_type attribute identifies all types assigned to 
-# root directories of filesystems (not limited to persistent
-# filesystems).
-# XXX This attribute was used to grant mountassociate permission,
-# XXX but this permission is no longer defined.  We can likely
-# XXX remove this attribute.
-attribute root_dir_type;
-
 # The exec_type attribute identifies all types assigned
 # to entrypoint executables for domains.  This attribute is 
 # used in TE rules and assertions that should be applied to all 
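Review bot: removing `attribute root_dir_type;` breaks compilation of any .te file that still references it; this patch updates the two visible consumers (crond.te and dpkg.te), but the unused/ tree and any site-local policy need a grep for root_dir_type before the attribute goes away. Since the deleted XXX comment records that the permission it served (mountassociate) no longer exists, a line in the changelog saying the attribute is gone would save downstream maintainers the same investigation.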
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.19.7/domains/program/crond.te
--- nsapolicy/domains/program/crond.te	2004-11-18 08:13:57.000000000 -0500
+++ policy-1.19.7/domains/program/crond.te	2004-11-30 11:28:52.000000000 -0500
@@ -147,7 +147,7 @@
 ')
 
 # Stat any file and search any directory for find.
-allow system_crond_t { root_dir_type file_type fs_type }:notdevfile_class_set getattr;
+allow system_crond_t { file_type fs_type }:notdevfile_class_set getattr;
 allow system_crond_t device_type:{ chr_file blk_file } getattr;
 allow system_crond_t file_type:dir { read search getattr };
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.19.7/domains/program/ldconfig.te
--- nsapolicy/domains/program/ldconfig.te	2004-11-20 22:29:08.000000000 -0500
+++ policy-1.19.7/domains/program/ldconfig.te	2004-11-30 06:18:45.000000000 -0500
@@ -42,3 +42,4 @@
 allow ldconfig_t { var_lib_t bin_t }:dir search;
 ')
 
+allow ldconfig_t proc_t:file read;
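Review bot: `allow ldconfig_t proc_t:file read;` lands after the closing `')` of the preceding ifdef with no comment saying which /proc file ldconfig reads or why; add the reason, and note that `read` alone is normally paired with `getattr` (r_file_perms) because a stat or fstat on the same file will otherwise still be denied and show up as a second round of avc messages.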
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.19.7/domains/program/modutil.te
--- nsapolicy/domains/program/modutil.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.7/domains/program/modutil.te	2004-11-30 06:18:45.000000000 -0500
@@ -77,7 +77,6 @@
 ifdef(`unlimitedUtils', `
 unconfined_domain(insmod_t) 
 ')
-can_network(insmod_t)
 can_ypbind(insmod_t)
 uses_shlib(insmod_t)
 read_locale(insmod_t)
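Review bot: dropping `can_network(insmod_t)` while keeping `can_ypbind(insmod_t)` leaves a NIS-client macro on a domain that no longer has general socket permissions; either can_ypbind is self-sufficient, in which case this is fine, or the name-service lookups it exists for will now fail. A sentence in the changelog on why insmod needs no network access at all (module loading itself does not) would stop someone re-adding can_network later to quiet a stray denial.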
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.19.7/domains/program/mount.te
--- nsapolicy/domains/program/mount.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.7/domains/program/mount.te	2004-11-30 06:18:45.000000000 -0500
@@ -64,7 +64,7 @@
 
 ifdef(`portmap.te', `
 # for nfs
-can_network(mount_t)
+can_network_server(mount_t)
 can_ypbind(mount_t)
 allow mount_t port_t:{ tcp_socket udp_socket } name_bind;
 allow mount_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
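Review bot: `can_network_server(mount_t)` grants listen and accept (see the macro definitions quoted earlier in the thread) to a program that never accepts connections, and withholds `connect`; for NFS, mount is an RPC client that binds a reserved local port (the two `name_bind` lines below already cover that) and then talks to the remote portmapper and mountd, which over TCP requires connect. Given the cover note that several clients were wrong, this looks like it should be can_network_client(mount_t), or can_network(mount_t) kept if both directions are really exercised.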
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.19.7/domains/program/syslogd.te
--- nsapolicy/domains/program/syslogd.te	2004-11-20 22:29:08.000000000 -0500
+++ policy-1.19.7/domains/program/syslogd.te	2004-11-30 06:18:45.000000000 -0500
@@ -20,7 +20,7 @@
 ')
 
 # can_network is for the UDP socket
-can_network(syslogd_t)
+can_network_udp(syslogd_t)
 can_ypbind(syslogd_t)
 
 r_dir_file(syslogd_t, sysfs_t)
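Review bot: the comment `# can_network is for the UDP socket` now sits above `can_network_udp(syslogd_t)`; update it to name the macro actually used, otherwise the next reader will assume the line was left half-converted. can_network_udp also pulls in the client half (udp_socket connect), which syslogd only needs when forwarding to a remote log host; if this policy is meant for hosts that only receive, can_network_server_udp is the tighter choice.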
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.19.7/domains/program/unused/amanda.te
--- nsapolicy/domains/program/unused/amanda.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.7/domains/program/unused/amanda.te	2004-11-30 06:18:45.000000000 -0500
@@ -170,7 +170,7 @@
 # Network and process communication
 ###################################
 
-can_network(amanda_t);
+can_network_server(amanda_t);
 can_ypbind(amanda_t);
 
 allow amanda_t self:fifo_file { getattr read write ioctl lock };
@@ -247,7 +247,7 @@
 # amrecover network and process communication
 #############################################
 
-can_network(amanda_recover_t);
+can_network_server(amanda_recover_t);
 can_ypbind(amanda_recover_t);
 
 allow amanda_recover_t self:fifo_file { getattr ioctl read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/anaconda.te policy-1.19.7/domains/program/unused/anaconda.te
--- nsapolicy/domains/program/unused/anaconda.te	2004-11-18 08:13:57.000000000 -0500
+++ policy-1.19.7/domains/program/unused/anaconda.te	2004-11-30 07:09:53.000000000 -0500
@@ -12,241 +12,36 @@
 #
 type anaconda_t, admin, etc_writer, fs_domain, privmem, auth_write, domain, privlog, privowner, privmodule, sysctl_kernel_writer, unrestricted;
 role system_r types anaconda_t;
-uses_shlib(anaconda_t);
+unconfined_domain(anaconda_t);
 
-# for halt to down interfaces
-allow anaconda_t self:udp_socket create_socket_perms;
-
-# read files in /etc/init.d
-allow anaconda_t etc_t:lnk_file r_file_perms;
-
-allow anaconda_t self:passwd rootok;
-read_locale(anaconda_t)
-
-r_dir_file(anaconda_t, usr_t)
-
-# Read system information files in /proc.
-allow anaconda_t proc_t:dir r_dir_perms;
-allow anaconda_t proc_t:{ file lnk_file } r_file_perms;
-
-# Allow IPC with self
-allow anaconda_t self:unix_dgram_socket create_socket_perms;
-allow anaconda_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow anaconda_t self:fifo_file rw_file_perms;
-
-# Read the root directory of a usbdevfs filesystem, and
-# the devices and drivers files.  Permit stating of the
-# device nodes, but nothing else.
-allow anaconda_t usbdevfs_t:dir r_dir_perms;
-allow anaconda_t usbdevfs_t:lnk_file r_file_perms;
-allow anaconda_t usbdevfs_t:file getattr;
-
-# allow anaconda to fork and renice itself
-allow anaconda_t self:process { fork sigchld setsched setpgid };
-
-# Can create ptys for open_init_pty
-can_create_pty(anaconda)
-
-tmp_domain(anaconda)
-
-var_run_domain(anaconda)
-allow anaconda_t var_run_t:{ file sock_file lnk_file } unlink;
-allow anaconda_t var_run_t:dir { create rmdir };
-
-allow anaconda_t framebuf_device_t:chr_file r_file_perms;
-
-# Use capabilities.
-allow anaconda_t self:capability ~{ sys_admin sys_module };
-
-# Use system operations.
-allow anaconda_t kernel_t:system *;
-
-# Run helper programs in the anaconda_t domain.
-allow anaconda_t { bin_t sbin_t }:dir r_dir_perms;
-allow anaconda_t { bin_t sbin_t }:lnk_file read;
-can_exec(anaconda_t, etc_t)
-can_exec(anaconda_t, lib_t)
-can_exec(anaconda_t, bin_t)
-can_exec(anaconda_t, sbin_t)
-can_exec(anaconda_t, exec_type)
-#
-#  These rules are here to allow init scripts to su
-#
 role system_r types ldconfig_t;
 domain_auto_trans(anaconda_t, ldconfig_exec_t, ldconfig_t)
 
 role system_r types sysadm_su_t;
 domain_auto_trans(anaconda_t, su_exec_t, sysadm_su_t)
-allow anaconda_t self:passwd rootok;
-
-# read /lib/modules
-allow anaconda_t modules_object_t:dir { search read };
-
-# Read conf.modules.
-allow anaconda_t modules_conf_t:file r_file_perms;
 
 # Run other rc scripts in the anaconda_t domain.
 domain_auto_trans(anaconda_t, initrc_exec_t, initrc_t)
 
-# Run init (telinit) in the anaconda_t domain.
-can_exec(anaconda_t, init_exec_t)
-
-# Communicate with the init process.
-allow anaconda_t initctl_t:fifo_file rw_file_perms;
-
-# Read /proc/PID directories for all domains.
-can_ps(anaconda_t, domain)
-allow anaconda_t domain:process getsession;
-
-# Mount and unmount file systems.
-allow anaconda_t fs_type:filesystem mount_fs_perms;
-allow anaconda_t file_t:dir { read search getattr mounton };
-
-# Update /etc/ld.so.cache.
-allow anaconda_t ld_so_cache_t:file rw_file_perms;
-
-ifdef(`sendmail.te', `
-# Update /etc/mail.
-allow anaconda_t etc_mail_t:file { setattr rw_file_perms };
-')
-
-# Update /var/log/wtmp and /var/log/dmesg.
-allow anaconda_t wtmp_t:file { setattr rw_file_perms };
-allow anaconda_t var_log_t:file { setattr rw_file_perms };
-allow anaconda_t lastlog_t:file { setattr rw_file_perms };
 domain_auto_trans(anaconda_t, dmesg_exec_t, dmesg_t)
 
-# remove old locks
-allow anaconda_t lockfile:dir rw_dir_perms;
-allow anaconda_t lockfile:file { getattr unlink };
-
-# Access /var/lib/random-seed.
-allow anaconda_t var_lib_t:file rw_file_perms;
-allow anaconda_t var_lib_t:file unlink;
-
-# Create lock file.
-allow anaconda_t var_lock_t:dir create_dir_perms;
-allow anaconda_t var_lock_t:file create_file_perms;
-
-# Set the clock.
-allow anaconda_t clock_device_t:devfile_class_set rw_file_perms;
-
-# Kill all processes.
-allow anaconda_t domain:process signal_perms;
-
-# Write to /dev/urandom.
-allow anaconda_t urandom_device_t:chr_file rw_file_perms;
-
-# Set device ownerships/modes.
-allow anaconda_t framebuf_device_t:lnk_file read;
-allow anaconda_t framebuf_device_t:devfile_class_set setattr;
-allow anaconda_t misc_device_t:devfile_class_set setattr;
-allow anaconda_t device_t:devfile_class_set setattr;
-allow anaconda_t fixed_disk_device_t:devfile_class_set setattr;
-allow anaconda_t removable_device_t:devfile_class_set setattr;
-
-# Stat any file.
-allow anaconda_t file_type:file_class_set getattr;
-allow anaconda_t file_type:dir { search getattr };
-
-# Read and write console and ttys.
-allow anaconda_t devtty_t:chr_file rw_file_perms;
-allow anaconda_t console_device_t:chr_file rw_file_perms;
-allow anaconda_t tty_device_t:chr_file rw_file_perms;
-allow anaconda_t ttyfile:chr_file rw_file_perms;
-allow anaconda_t ptyfile:chr_file rw_file_perms;
-
-# Reset tty labels.
-allow anaconda_t ttyfile:chr_file relabelfrom;
-allow anaconda_t tty_device_t:chr_file relabelto;
-
 ifdef(`distro_redhat', `
-# Create and read /boot/kernel.h and /boot/System.map.
-# Redhat systems typically create this file at boot time.
-allow anaconda_t boot_t:lnk_file rw_file_perms;
 file_type_auto_trans(anaconda_t, boot_t, boot_runtime_t, file)
 ')
 
-allow anaconda_t system_map_t:{ file lnk_file } r_file_perms;
-
-# Unlink /halt.
-allow anaconda_t root_t:dir { search write remove_name };
-allow anaconda_t root_t:file { unlink write };
-
-allow anaconda_t var_spool_t:file rw_file_perms;
-
-# Allow access to the sysadm TTYs. Note that this will give access to the 
-# TTYs to any process in the anaconda_t domain. Therefore, daemons and such
-# started from init should be placed in their own domain.
-allow anaconda_t admin_tty_type:chr_file rw_file_perms;
-
-# Access sound device and files.
-allow anaconda_t sound_device_t:chr_file { setattr ioctl read write };
-ifdef(`sound.te', `allow anaconda_t sound_file_t:file { setattr write };')
-
-ifdef(`distro_redhat', `
 ifdef(`rpm.te', `
 # Access /var/lib/rpm.
-allow anaconda_t rpm_var_lib_t:dir rw_dir_perms;
-allow anaconda_t rpm_var_lib_t:file create_file_perms;
 domain_auto_trans(anaconda_t, rpm_exec_t, rpm_t)
 ')
-')
 
-# Update /var/log/ksyms.*.
-# badly named type, /var/log/boot gets the same name too which is confusing
 file_type_auto_trans(anaconda_t, var_log_t, var_log_ksyms_t, file)
 
-ifdef(`apmd.te', `
-# Access /dev/apm_bios.
-allow anaconda_t apm_bios_t:chr_file { setattr getattr };')
-
-ifdef(`lpd.te', `
-# Read printconf files.
-allow anaconda_t printconf_t:dir r_dir_perms;
-allow anaconda_t printconf_t:file r_file_perms;')
-
-# Create and delete /.autofsck
-allow anaconda_t root_t:dir { search write add_name };
-allow anaconda_t root_t:file { create setattr unlink getattr };
-allow anaconda_t file_t:file { unlink getattr };
-
-# Read user home directories.
-allow anaconda_t { home_root_t home_type }:dir r_dir_perms;
-allow anaconda_t home_type:file r_file_perms;
-
-# for system start scripts
-allow anaconda_t pidfile:dir rw_dir_perms;
-allow anaconda_t pidfile:sock_file unlink;
-rw_dir_create_file(anaconda_t, var_lib_t)
-
-# allow start scripts to clean /tmp
-allow anaconda_t { unlabeled_t tmpfile }:dir { rw_dir_perms rmdir };
-allow anaconda_t { unlabeled_t tmpfile }:notdevfile_class_set { getattr unlink };
-
-# for lsof which is used by alsa shutdown
-dontaudit anaconda_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr;
-dontaudit anaconda_t proc_kmsg_t:file getattr;
-
-# Rsync
-dontaudit anaconda_t mail_spool_t:lnk_file read;
-
-allow anaconda_t sysfs_t:dir { getattr read search };
-allow anaconda_t sysfs_t:file { getattr read };
-allow anaconda_t sysfs_t:lnk_file { getattr read };
-allow anaconda_t udev_runtime_t:file rw_file_perms;
-allow anaconda_t device_type:chr_file setattr;
-
-# for lsof in shutdown scripts
-allow anaconda_t security_t:dir getattr;
 ifdef(`udev.te', `
 domain_auto_trans(anaconda_t, udev_exec_t, udev_t)
 ')
-can_kerberos(anaconda_t)
 
 ifdef(`ssh-agent.te', `
 role system_r types sysadm_ssh_agent_t;
 domain_auto_trans(anaconda_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
 ')
 domain_auto_trans(anaconda_t , admin_passwd_exec_t, sysadm_passwd_t)
-unconfined_domain(anaconda_t) 
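Review bot: with `unconfined_domain(anaconda_t)` moved to the top and the explicit allow rules deleted, the surviving comment `# Access /var/lib/rpm.` is stale: the rpm_var_lib_t rules under it are gone and only `domain_auto_trans(anaconda_t, rpm_exec_t, rpm_t)` remains, so reword or drop it. The `ifdef(`distro_redhat', ...)` wrapper that used to enclose the rpm block is also removed, so the rpm_t transition now applies on any distribution that ships rpm.te; say so in the changelog if that is intended.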
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/arpwatch.te policy-1.19.7/domains/program/unused/arpwatch.te
--- nsapolicy/domains/program/unused/arpwatch.te	2004-11-20 22:29:08.000000000 -0500
+++ policy-1.19.7/domains/program/unused/arpwatch.te	2004-11-30 06:18:45.000000000 -0500
@@ -18,7 +18,7 @@
 
 allow arpwatch_t self:capability { net_admin net_raw setgid setuid };
 
-can_network(arpwatch_t)
+can_network_server(arpwatch_t)
 allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms;
 allow arpwatch_t self:udp_socket create_socket_perms;
 allow arpwatch_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/asterisk.te policy-1.19.7/domains/program/unused/asterisk.te
--- nsapolicy/domains/program/unused/asterisk.te	2004-11-30 05:59:38.000000000 -0500
+++ policy-1.19.7/domains/program/unused/asterisk.te	2004-11-30 06:18:45.000000000 -0500
@@ -39,7 +39,7 @@
 # are labeled usr_t
 allow asterisk_t usr_t:file r_file_perms;
 
-can_network(asterisk_t)
+can_network_server(asterisk_t)
 can_ypbind(asterisk_t)
 allow asterisk_t etc_t:file { getattr read };
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/automount.te policy-1.19.7/domains/program/unused/automount.te
--- nsapolicy/domains/program/unused/automount.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.7/domains/program/unused/automount.te	2004-11-30 06:18:45.000000000 -0500
@@ -33,7 +33,7 @@
 # because config files can be shell scripts
 can_exec(automount_t, { etc_t automount_etc_t })
 
-can_network(automount_t)
+can_network_server(automount_t)
 can_ypbind(automount_t)
 
 ifdef(`fsadm.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/backup.te policy-1.19.7/domains/program/unused/backup.te
--- nsapolicy/domains/program/unused/backup.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.7/domains/program/unused/backup.te	2004-11-30 06:18:45.000000000 -0500
@@ -26,7 +26,7 @@
 # for SSP
 allow backup_t urandom_device_t:chr_file read;
 
-can_network(backup_t)
+can_network_server(backup_t)
 can_ypbind(backup_t)
 uses_shlib(backup_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bluetooth.te policy-1.19.7/domains/program/unused/bluetooth.te
--- nsapolicy/domains/program/unused/bluetooth.te	2004-11-18 08:13:57.000000000 -0500
+++ policy-1.19.7/domains/program/unused/bluetooth.te	2004-11-30 06:18:45.000000000 -0500
@@ -20,7 +20,7 @@
 rw_dir_create_file(bluetooth_t, var_lock_t)
 
 # Use the network.
-can_network(bluetooth_t)
+can_network_server(bluetooth_t)
 can_ypbind(bluetooth_t)
 ifdef(`dbusd.te', `
 dbusd_client(system, bluetooth)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/calamaris.te policy-1.19.7/domains/program/unused/calamaris.te
--- nsapolicy/domains/program/unused/calamaris.te	2004-11-05 23:24:16.000000000 -0500
+++ policy-1.19.7/domains/program/unused/calamaris.te	2004-11-30 06:18:45.000000000 -0500
@@ -59,7 +59,7 @@
 allow calamaris_t etc_t:lnk_file read;
 dontaudit calamaris_t etc_t:file ioctl;
 dontaudit calamaris_t sysadm_home_dir_t:dir { getattr search };
-can_network(calamaris_t)
+can_network_server(calamaris_t)
 can_ypbind(calamaris_t)
 ifdef(`named.te', `
 can_udp_send(calamaris_t, named_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/canna.te policy-1.19.7/domains/program/unused/canna.te
--- nsapolicy/domains/program/unused/canna.te	2004-10-19 16:03:06.000000000 -0400
+++ policy-1.19.7/domains/program/unused/canna.te	2004-11-30 06:18:45.000000000 -0500
@@ -28,7 +28,7 @@
 
 rw_dir_create_file(canna_t, canna_var_lib_t)
 
-can_network(canna_t)
+can_network_tcp(canna_t)
 can_ypbind(canna_t)
 
 allow userdomain canna_var_run_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ciped.te policy-1.19.7/domains/program/unused/ciped.te
--- nsapolicy/domains/program/unused/ciped.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.7/domains/program/unused/ciped.te	2004-11-30 06:18:45.000000000 -0500
@@ -7,7 +7,7 @@
 
 type cipe_port_t, port_type;
 
-can_network(ciped_t)
+can_network_server(ciped_t)
 can_ypbind(ciped_t)
 allow ciped_t cipe_port_t:udp_socket name_bind;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/clamav.te policy-1.19.7/domains/program/unused/clamav.te
--- nsapolicy/domains/program/unused/clamav.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.19.7/domains/program/unused/clamav.te	2004-11-30 06:18:45.000000000 -0500
@@ -22,7 +22,7 @@
 allow freshclam_t sysctl_kernel_t:dir search;
 allow freshclam_t sysctl_kernel_t:file { getattr read };
 
-can_network(freshclam_t)
+can_network_server(freshclam_t)
 can_ypbind(freshclam_t)
 
 # Access virus signatures
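Review bot: `can_network_server(freshclam_t)` hands an outbound updater listen and accept permissions it does not use and withholds the `connect` it needs: freshclam fetches signature files from remote mirrors over TCP, so the client macro is the one that matches; can_network_client_tcp(freshclam_t) would be the tighter fix and is consistent with the cover note that the clients were the ones wrongly converted.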
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/courier.te policy-1.19.7/domains/program/unused/courier.te
--- nsapolicy/domains/program/unused/courier.te	2004-11-18 08:13:57.000000000 -0500
+++ policy-1.19.7/domains/program/unused/courier.te	2004-11-30 06:18:45.000000000 -0500
@@ -46,7 +46,7 @@
 allow courier_$1_t self:capability dac_override;
 
 # Use the network.
-can_network(courier_$1_t)
+can_network_server(courier_$1_t)
 allow courier_$1_t self:fifo_file { read write getattr };
 allow courier_$1_t self:unix_stream_socket create_stream_socket_perms;
 allow courier_$1_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.19.7/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2004-11-30 05:59:38.000000000 -0500
+++ policy-1.19.7/domains/program/unused/cups.te	2004-11-30 06:20:21.000000000 -0500
@@ -191,7 +191,7 @@
 rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
 rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
 
-can_network(cupsd_config_t)
+can_network_server_tcp(cupsd_config_t)
 can_tcp_connect(cupsd_config_t, cupsd_t)
 allow cupsd_config_t self:fifo_file rw_file_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dante.te policy-1.19.7/domains/program/unused/dante.te
--- nsapolicy/domains/program/unused/dante.te	2004-11-19 14:25:12.000000000 -0500
+++ policy-1.19.7/domains/program/unused/dante.te	2004-11-30 06:18:45.000000000 -0500
@@ -7,7 +7,7 @@
 type socks_port_t, port_type;
 
 daemon_domain(dante)
-can_network(dante_t)
+can_network_server(dante_t)
 
 allow dante_t self:fifo_file { read write };
 allow dante_t self:capability { setuid };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ddclient.te policy-1.19.7/domains/program/unused/ddclient.te
--- nsapolicy/domains/program/unused/ddclient.te	2004-10-29 14:33:17.000000000 -0400
+++ policy-1.19.7/domains/program/unused/ddclient.te	2004-11-30 06:18:45.000000000 -0500
@@ -29,7 +29,7 @@
 allow ddclient_t sysctl_net_t:dir { search };
 
 # network-related goodies
-can_network(ddclient_t)
+can_network_server(ddclient_t)
 allow ddclient_t self:unix_dgram_socket create_socket_perms;
 
 # allow access to ddclient.conf and ddclient.cache
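Review bot: ddclient is, as the name says, a client that pushes address updates to a remote dynamic-DNS service over TCP, so `can_network_server(ddclient_t)` (listen and accept, no connect) is the wrong half of the split; can_network_client_tcp(ddclient_t) matches what the program actually does and still lets the "network-related goodies" comment above stand.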
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ddt-client.te policy-1.19.7/domains/program/unused/ddt-client.te
--- nsapolicy/domains/program/unused/ddt-client.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.19.7/domains/program/unused/ddt-client.te	2004-11-30 06:18:45.000000000 -0500
@@ -23,7 +23,7 @@
 file_type_trans(ddt_client_t, var_lib_t, var_lib_ddt_client_t)
 
 # Use the network.
-can_network(ddt_client_t)
+can_network_server(ddt_client_t)
 can_ypbind(ddt_client_t)
 allow ddt_client_t self:unix_stream_socket create_socket_perms;
 allow ddt_client_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/devfsd.te policy-1.19.7/domains/program/unused/devfsd.te
--- nsapolicy/domains/program/unused/devfsd.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.7/domains/program/unused/devfsd.te	2004-11-30 06:18:45.000000000 -0500
@@ -89,6 +89,5 @@
 allow kernel_t device_t:filesystem mount;
 
 # for nss-ldap etc
-can_network(devfsd_t)
+can_network_client_tcp(devfsd_t)
 can_ypbind(devfsd_t)
-allow devfsd_t self:tcp_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dictd.te policy-1.19.7/domains/program/unused/dictd.te
--- nsapolicy/domains/program/unused/dictd.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.19.7/domains/program/unused/dictd.te	2004-11-30 06:18:45.000000000 -0500
@@ -42,7 +42,7 @@
 
 allow dictd_t self:unix_stream_socket create_stream_socket_perms;
 
-can_network(dictd_t)
+can_network_server(dictd_t)
 can_ypbind(dictd_t)
 can_tcp_connect(userdomain, dictd_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/distcc.te policy-1.19.7/domains/program/unused/distcc.te
--- nsapolicy/domains/program/unused/distcc.te	2004-11-05 23:24:16.000000000 -0500
+++ policy-1.19.7/domains/program/unused/distcc.te	2004-11-30 06:18:45.000000000 -0500
@@ -4,7 +4,7 @@
 #
 
 daemon_domain(distccd)
-can_network(distccd_t)
+can_network_server(distccd_t)
 can_ypbind(distccd_t)
 log_domain(distccd)
 tmp_domain(distccd)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dnsmasq.te policy-1.19.7/domains/program/unused/dnsmasq.te
--- nsapolicy/domains/program/unused/dnsmasq.te	2004-09-29 07:36:46.000000000 -0400
+++ policy-1.19.7/domains/program/unused/dnsmasq.te	2004-11-30 06:18:45.000000000 -0500
@@ -16,7 +16,7 @@
 allow dnsmasq_t urandom_device_t:chr_file read;
 
 # network-related goodies
-can_network(dnsmasq_t)
+can_network_server(dnsmasq_t)
 can_ypbind(dnsmasq_t)
 allow dnsmasq_t self:packet_socket create_socket_perms;
 allow dnsmasq_t self:rawip_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.19.7/domains/program/unused/dovecot.te
--- nsapolicy/domains/program/unused/dovecot.te	2004-11-30 05:59:38.000000000 -0500
+++ policy-1.19.7/domains/program/unused/dovecot.te	2004-11-30 15:52:17.539853018 -0500
@@ -13,7 +13,7 @@
 
 allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
 allow dovecot_t self:process setrlimit;
-can_network(dovecot_t)
+can_network_tcp(dovecot_t)
 can_ypbind(dovecot_t)
 allow dovecot_t self:unix_dgram_socket create_socket_perms;
 allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dpkg.te policy-1.19.7/domains/program/unused/dpkg.te
--- nsapolicy/domains/program/unused/dpkg.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.7/domains/program/unused/dpkg.te	2004-11-30 11:27:40.000000000 -0500
@@ -297,7 +297,7 @@
 allow dpkg_t device_type:{ chr_file blk_file } getattr;
 dontaudit dpkg_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
 allow dpkg_t proc_kmsg_t:file getattr;
-allow dpkg_t root_dir_type:dir getattr;
+allow dpkg_t fs_type:dir getattr;
 
 # allow compiling and loading new policy
 create_dir_file(dpkg_t, { policy_src_t policy_config_t })
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/fingerd.te policy-1.19.7/domains/program/unused/fingerd.te
--- nsapolicy/domains/program/unused/fingerd.te	2004-10-09 21:06:14.000000000 -0400
+++ policy-1.19.7/domains/program/unused/fingerd.te	2004-11-30 06:18:45.000000000 -0500
@@ -47,7 +47,7 @@
 allow fingerd_t { ttyfile ptyfile }:chr_file getattr;
 
 # Use the network.
-can_network(fingerd_t)
+can_network_server(fingerd_t)
 can_ypbind(fingerd_t)
 
 allow fingerd_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/firstboot.te policy-1.19.7/domains/program/unused/firstboot.te
--- nsapolicy/domains/program/unused/firstboot.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.7/domains/program/unused/firstboot.te	2004-11-30 06:18:45.000000000 -0500
@@ -114,7 +114,7 @@
 allow iptables_t firstboot_t:fd use;
 allow iptables_t firstboot_t:fifo_file write;
 ')
-can_network(firstboot_t)
+can_network_server(firstboot_t)
 can_ypbind(firstboot_t)
 ifdef(`printconf.te', `
 can_exec(firstboot_t, printconf_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/gatekeeper.te policy-1.19.7/domains/program/unused/gatekeeper.te
--- nsapolicy/domains/program/unused/gatekeeper.te	2004-11-05 23:24:16.000000000 -0500
+++ policy-1.19.7/domains/program/unused/gatekeeper.te	2004-11-30 06:18:45.000000000 -0500
@@ -22,7 +22,7 @@
 logdir_domain(gatekeeper)
 
 # Use the network.
-can_network(gatekeeper_t)
+can_network_server(gatekeeper_t)
 can_ypbind(gatekeeper_t)
 allow gatekeeper_t gatekeeper_port_t:{ udp_socket tcp_socket } name_bind;
 allow gatekeeper_t self:unix_stream_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.19.7/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2004-11-30 05:59:38.000000000 -0500
+++ policy-1.19.7/domains/program/unused/hald.te	2004-11-30 06:18:45.000000000 -0500
@@ -33,7 +33,7 @@
 allow hald_t bin_t:file getattr;
 allow hald_t self:netlink_route_socket r_netlink_socket_perms;
 allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
-can_network(hald_t)
+can_network_server(hald_t)
 can_ypbind(hald_t)
 
 allow hald_t device_t:lnk_file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.19.7/domains/program/unused/hotplug.te
--- nsapolicy/domains/program/unused/hotplug.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.7/domains/program/unused/hotplug.te	2004-11-30 11:41:09.000000000 -0500
@@ -149,7 +149,7 @@
 
 file_type_auto_trans(hotplug_t, etc_t, etc_runtime_t, file)
 
-can_network(hotplug_t)
+can_network_server(hotplug_t)
 can_ypbind(hotplug_t)
 dbusd_client(system, hotplug)
 
@@ -165,3 +165,4 @@
 unconfined_domain(hotplug_t) 
 ')
 
+ allow kernel_t hotplug_etc_t:dir search;
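Review bot: `+ allow kernel_t hotplug_etc_t:dir search;` has a leading space that no other rule in the file has and is appended after the closing `')` of the unconfined_domain block with no comment. It grants the kernel domain, not hotplug_t, and reads like a direct answer to an AVC denial; say why kernel_t needs to search /etc/hotplug (the kernel normally only execs the hotplug helper, after which a domain transition should cover the helper's reads), drop the stray indentation, and put the rule with a comment rather than as a trailing afterthought.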
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/howl.te policy-1.19.7/domains/program/unused/howl.te
--- nsapolicy/domains/program/unused/howl.te	2004-10-13 22:41:57.000000000 -0400
+++ policy-1.19.7/domains/program/unused/howl.te	2004-11-30 06:18:45.000000000 -0500
@@ -5,7 +5,7 @@
 
 daemon_domain(howl)
 allow howl_t proc_t:file { getattr read };
-can_network(howl_t)
+can_network_server(howl_t)
 can_ypbind(howl_t)
 allow howl_t self:capability { kill net_admin };
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/imazesrv.te policy-1.19.7/domains/program/unused/imazesrv.te
--- nsapolicy/domains/program/unused/imazesrv.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.7/domains/program/unused/imazesrv.te	2004-11-30 06:18:45.000000000 -0500
@@ -21,7 +21,7 @@
 
 create_append_log_file(imazesrv_t,imazesrv_log_t)
 
-can_network(imazesrv_t)
+can_network_server(imazesrv_t)
 
 allow imazesrv_t self:capability net_bind_service;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ipsec.te policy-1.19.7/domains/program/unused/ipsec.te
--- nsapolicy/domains/program/unused/ipsec.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.7/domains/program/unused/ipsec.te	2004-11-30 06:18:45.000000000 -0500
@@ -167,7 +167,7 @@
 allow ipsec_t self:unix_stream_socket {create setopt bind listen accept read write };
 
 # Pluto needs network access
-can_network(ipsec_t)
+can_network_server(ipsec_t)
 can_ypbind(ipsec_t)
 allow ipsec_t self:unix_dgram_socket { create connect write };
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/iptables.te policy-1.19.7/domains/program/unused/iptables.te
--- nsapolicy/domains/program/unused/iptables.te	2004-11-30 05:59:38.000000000 -0500
+++ policy-1.19.7/domains/program/unused/iptables.te	2004-11-30 06:18:45.000000000 -0500
@@ -36,7 +36,7 @@
 
 # for iptables -L
 allow iptables_t self:unix_stream_socket create_socket_perms;
-can_network(iptables_t)
+can_network_server(iptables_t)
 can_ypbind(iptables_t)
 
 allow iptables_t bin_t:file { execute execute_no_trans };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ircd.te policy-1.19.7/domains/program/unused/ircd.te
--- nsapolicy/domains/program/unused/ircd.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.19.7/domains/program/unused/ircd.te	2004-11-30 06:18:45.000000000 -0500
@@ -23,7 +23,7 @@
 var_lib_domain(ircd)
 
 # Use the network.
-can_network(ircd_t)
+can_network_server(ircd_t)
 can_ypbind(ircd_t)
 #allow ircd_t self:fifo_file { read write };
 allow ircd_t self:unix_stream_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/jabberd.te policy-1.19.7/domains/program/unused/jabberd.te
--- nsapolicy/domains/program/unused/jabberd.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.7/domains/program/unused/jabberd.te	2004-11-30 06:18:45.000000000 -0500
@@ -19,7 +19,7 @@
 # For SSL
 allow jabberd_t random_device_t:file r_file_perms;
 
-can_network(jabberd_t)
+can_network_server(jabberd_t)
 can_ypbind(jabberd_t)
 
 allow jabberd_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kerberos.te policy-1.19.7/domains/program/unused/kerberos.te
--- nsapolicy/domains/program/unused/kerberos.te	2004-11-24 07:00:50.000000000 -0500
+++ policy-1.19.7/domains/program/unused/kerberos.te	2004-11-30 06:18:45.000000000 -0500
@@ -16,10 +16,6 @@
 #
 # Rules for the krb5kdc_t,kadmind_t domains.
 #
-type kerberos_port_t, port_type, reserved_port_type;
-type kerberos_admin_port_t, port_type, reserved_port_type;
-type kerberos_master_port_t, port_type;
-
 daemon_domain(krb5kdc)
 daemon_domain(kadmind)
 
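Review bot: the declarations of kerberos_port_t, kerberos_admin_port_t and kerberos_master_port_t are deleted here, but nothing in the visible diff re-declares them. The kerberos domains still need them for name_bind, and `can_kerberos(postgresql_t)` later in this patch presumably references at least kerberos_port_t, so they must have moved to a shared file; point to that hunk in the changelog, otherwise a build with kerberos.te enabled fails on undeclared types.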
@@ -38,7 +34,7 @@
 allow kadmind_t self:capability { setuid setgid net_bind_service chown fowner dac_override sys_nice };
 
 # krb5kdc and kadmind can use network
-can_network( { krb5kdc_t kadmind_t } )
+can_network_server( { krb5kdc_t kadmind_t } )
 can_ypbind( { krb5kdc_t kadmind_t } )
 
 # allow UDP transfer to/from any program
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.19.7/domains/program/unused/kudzu.te
--- nsapolicy/domains/program/unused/kudzu.te	2004-11-30 05:59:38.000000000 -0500
+++ policy-1.19.7/domains/program/unused/kudzu.te	2004-11-30 06:22:11.000000000 -0500
@@ -22,7 +22,8 @@
 allow kudzu_t modules_object_t:dir r_dir_perms;
 allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read };
 allow kudzu_t mouse_device_t:chr_file { read write };
-allow kudzu_t proc_t:file { getattr read };
+allow kudzu_t proc_net_t:dir r_dir_perms;
+allow kudzu_t { proc_net_t proc_t }:file { getattr read };
 allow kudzu_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
 allow kudzu_t scsi_generic_device_t:chr_file r_file_perms;
 allow kudzu_t { bin_t sbin_t }:dir { getattr search };
@@ -92,4 +93,5 @@
 ifdef(`lpd.te', `
 allow kudzu_t printconf_t:file { getattr read };
 ')
-allow kudzu_t zero_device_t:chr_file r_file_perms;
+allow kudzu_t cupsd_rw_etc_t:dir r_dir_perms;
+dontaudit kudzu_t src_t:dir search;
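Review bot: `+allow kudzu_t cupsd_rw_etc_t:dir r_dir_perms;` references a type owned by the cups policy, yet unlike the `ifdef(`lpd.te', ...)` guard immediately above for printconf_t it is unconditional, so a policy built without the cups module will fail on an undeclared type. Guard it the same way. Separately, the removal of `allow kudzu_t zero_device_t:chr_file r_file_perms;` is unrelated to the two additions and unexplained; if kudzu no longer reads /dev/zero, note that, otherwise it will come back as a denial.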
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/lpd.te policy-1.19.7/domains/program/unused/lpd.te
--- nsapolicy/domains/program/unused/lpd.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.7/domains/program/unused/lpd.te	2004-11-30 06:18:45.000000000 -0500
@@ -36,7 +36,7 @@
 type checkpc_t, domain, privlog;
 role system_r types checkpc_t;
 uses_shlib(checkpc_t)
-can_network(checkpc_t)
+can_network_server(checkpc_t)
 can_ypbind(checkpc_t)
 log_domain(checkpc)
 type checkpc_exec_t, file_type, sysadmfile, exec_type;
@@ -103,7 +103,7 @@
 allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner };
 
 # Use the network.
-can_network(lpd_t)
+can_network_server(lpd_t)
 can_ypbind(lpd_t)
 allow lpd_t self:fifo_file rw_file_perms;
 allow lpd_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/lrrd.te policy-1.19.7/domains/program/unused/lrrd.te
--- nsapolicy/domains/program/unused/lrrd.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.7/domains/program/unused/lrrd.te	2004-11-30 06:18:45.000000000 -0500
@@ -58,7 +58,7 @@
 can_unix_connect(sysadm_t, lrrd_t)
 can_unix_connect(lrrd_t, lrrd_t)
 can_unix_send(lrrd_t, lrrd_t)
-can_network(lrrd_t)
+can_network_server(lrrd_t)
 can_ypbind(lrrd_t)
 
 ifdef(`logrotate.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/monopd.te policy-1.19.7/domains/program/unused/monopd.te
--- nsapolicy/domains/program/unused/monopd.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.19.7/domains/program/unused/monopd.te	2004-11-30 06:18:45.000000000 -0500
@@ -15,7 +15,7 @@
 type share_monopd_t, file_type, sysadmfile;
 
 # Use the network.
-can_network(monopd_t)
+can_network_server(monopd_t)
 can_ypbind(monopd_t)
 
 type monopd_port_t, port_type;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mrtg.te policy-1.19.7/domains/program/unused/mrtg.te
--- nsapolicy/domains/program/unused/mrtg.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.7/domains/program/unused/mrtg.te	2004-11-30 06:18:45.000000000 -0500
@@ -31,7 +31,7 @@
 r_dir_file(mrtg_t, lib_t)
 
 # Use the network.
-can_network(mrtg_t)
+can_network_server(mrtg_t)
 can_ypbind(mrtg_t)
 
 allow mrtg_t self:fifo_file { getattr read write ioctl };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mysqld.te policy-1.19.7/domains/program/unused/mysqld.te
--- nsapolicy/domains/program/unused/mysqld.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.7/domains/program/unused/mysqld.te	2004-11-30 06:18:45.000000000 -0500
@@ -44,7 +44,7 @@
 create_dir_file(mysqld_t, mysqld_db_t)
 allow mysqld_t var_lib_t:dir { getattr search };
 
-can_network(mysqld_t)
+can_network_server(mysqld_t)
 can_ypbind(mysqld_t)
 
 # read config files
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nagios.te policy-1.19.7/domains/program/unused/nagios.te
--- nsapolicy/domains/program/unused/nagios.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.19.7/domains/program/unused/nagios.te	2004-11-30 06:18:45.000000000 -0500
@@ -41,7 +41,7 @@
 
 allow nagios_t proc_t:file { getattr read };
 
-can_network(nagios_t)
+can_network_server(nagios_t)
 can_ypbind(nagios_t)
 
 # read config files
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.19.7/domains/program/unused/named.te
--- nsapolicy/domains/program/unused/named.te	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.7/domains/program/unused/named.te	2004-11-30 15:55:47.302243130 -0500
@@ -100,8 +101,9 @@
 type ndc_exec_t, file_type,sysadmfile, exec_type;
 domain_auto_trans({ sysadm_t initrc_t }, ndc_exec_t, ndc_t)
 uses_shlib(ndc_t)
-can_network(ndc_t)
+can_network_client_tcp(ndc_t)
 can_ypbind(ndc_t)
+can_resolve(ndc_t)
 read_locale(ndc_t)
 can_tcp_connect(ndc_t, named_t)
 
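Review bot: the hunk header `@@ -100,8 +101,9 @@` shows the new file already offset by one line before this hunk, so there is an earlier change to named.te that is not in this diff and the ndc change cannot be reviewed in isolation. On the change itself, `can_network_client_tcp(ndc_t)` together with the existing `can_tcp_connect(ndc_t, named_t)` is a good tightening; `can_resolve(ndc_t)` is only needed if ndc looks up hostnames (rndc.conf can name a server by hostname rather than address), so a one-line comment stating that would justify it.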
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nessusd.te policy-1.19.7/domains/program/unused/nessusd.te
--- nsapolicy/domains/program/unused/nessusd.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.19.7/domains/program/unused/nessusd.te	2004-11-30 06:18:45.000000000 -0500
@@ -22,7 +22,7 @@
 #tmp_domain(nessusd)
 
 # Use the network.
-can_network(nessusd_t)
+can_network_server(nessusd_t)
 can_ypbind(nessusd_t)
 allow nessusd_t self:unix_stream_socket create_socket_perms;
 #allow nessusd_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.19.7/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.7/domains/program/unused/nscd.te	2004-11-30 06:18:45.000000000 -0500
@@ -22,7 +22,7 @@
 
 allow nscd_t etc_t:file r_file_perms;
 allow nscd_t etc_t:lnk_file read;
-can_network(nscd_t)
+can_network_client(nscd_t)
 can_ypbind(nscd_t)
 
 file_type_auto_trans(nscd_t, var_run_t, nscd_var_run_t, sock_file)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nsd.te policy-1.19.7/domains/program/unused/nsd.te
--- nsapolicy/domains/program/unused/nsd.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.7/domains/program/unused/nsd.te	2004-11-30 06:18:45.000000000 -0500
@@ -19,7 +19,7 @@
 type nsd_crond_t, domain, privlog;
 role system_r types nsd_crond_t;
 uses_shlib(nsd_crond_t)
-can_network(nsd_crond_t)
+can_network_server(nsd_crond_t)
 can_ypbind(nsd_crond_t)
 allow nsd_crond_t self:unix_dgram_socket create_socket_perms;
 allow nsd_crond_t self:process { fork signal_perms };
@@ -78,7 +78,7 @@
 allow nsd_t etc_t:{ file lnk_file } { getattr read };
 
 # nsd can use network
-can_network(nsd_t)
+can_network_server(nsd_t)
 can_ypbind(nsd_t)
 # allow client access from caching BIND
 ifdef(`named.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.19.7/domains/program/unused/ntpd.te
--- nsapolicy/domains/program/unused/ntpd.te	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.7/domains/program/unused/ntpd.te	2004-11-30 15:56:08.200890874 -0500
@@ -19,6 +19,8 @@
 
 allow ntpd_t var_lib_t:dir r_dir_perms;
 allow ntpd_t usr_t:file r_file_perms;
+# reading  /usr/share/ssl/cert.pem requires
+allow ntpd_t usr_t:lnk_file read;
 allow ntpd_t ntp_drift_t:dir rw_dir_perms;
 allow ntpd_t ntp_drift_t:file create_file_perms;
 
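Review bot: the added comment `# reading  /usr/share/ssl/cert.pem requires` is an unfinished sentence (with a double space); finish it, e.g. that /usr/share/ssl/cert.pem is a symlink under usr_t and following it needs `usr_t:lnk_file read`. It would also help to say why ntpd reads a certificate bundle at all, since that is the real justification for the rule.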
@@ -26,6 +28,7 @@
 allow ntpd_t urandom_device_t:chr_file read;
 
 allow ntpd_t self:capability { kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot };
+dontaudit ntpd_t self:capability { net_admin };
 allow ntpd_t self:process { setcap setsched };
 # ntpdate wants sys_nice
 dontaudit ntpd_t self:capability { fsetid sys_nice };
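Review bot: `dontaudit ntpd_t self:capability { net_admin };` duplicates the dontaudit of capabilities two lines below (`dontaudit ntpd_t self:capability { fsetid sys_nice };`); fold net_admin into that line with a comment on what triggers it instead of wedging a second dontaudit between the allow rules. Silencing net_admin also hides the denial if ntpd ever genuinely needs it, so recording the observed cause matters.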
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/oav-update.te policy-1.19.7/domains/program/unused/oav-update.te
--- nsapolicy/domains/program/unused/oav-update.te	2003-08-14 08:37:36.000000000 -0400
+++ policy-1.19.7/domains/program/unused/oav-update.te	2004-11-30 06:18:45.000000000 -0500
@@ -35,4 +35,4 @@
 allow oav_update_t oav_update_var_lib_t:lnk_file r_file_perms;
 
 # Can download via network
-can_network(oav_update_t)
+can_network_server(oav_update_t)
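Review bot: the comment directly above, `# Can download via network`, describes a client, so `can_network_server(oav_update_t)` is the wrong half of the split for a tool that only fetches updates. Use can_network_client(oav_update_t), as this patch does for ping_t and nscd_t.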
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/openvpn.te policy-1.19.7/domains/program/unused/openvpn.te
--- nsapolicy/domains/program/unused/openvpn.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.7/domains/program/unused/openvpn.te	2004-11-30 06:18:45.000000000 -0500
@@ -24,7 +24,7 @@
 allow openvpn_t self:capability net_admin;
 r_dir_file(openvpn_t, sysctl_net_t)
 
-can_network(openvpn_t)
+can_network_server(openvpn_t)
 allow openvpn_t openvpn_port_t:udp_socket name_bind;
 
 # OpenVPN executes a lot of helper programs and scripts
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/perdition.te policy-1.19.7/domains/program/unused/perdition.te
--- nsapolicy/domains/program/unused/perdition.te	2004-03-23 15:58:08.000000000 -0500
+++ policy-1.19.7/domains/program/unused/perdition.te	2004-11-30 06:18:45.000000000 -0500
@@ -16,7 +16,7 @@
 typealias perdition_etc_t alias etc_perdition_t;
 
 # Use the network.
-can_network(perdition_t)
+can_network_server(perdition_t)
 allow perdition_t self:unix_stream_socket create_socket_perms;
 allow perdition_t self:unix_dgram_socket create_socket_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.19.7/domains/program/unused/ping.te
--- nsapolicy/domains/program/unused/ping.te	2004-11-30 05:59:38.000000000 -0500
+++ policy-1.19.7/domains/program/unused/ping.te	2004-11-30 06:18:45.000000000 -0500
@@ -31,7 +31,7 @@
 domain_auto_trans(initrc_t, ping_exec_t, ping_t)
 
 uses_shlib(ping_t)
-can_network(ping_t)
+can_network_client(ping_t)
 can_ypbind(ping_t)
 allow ping_t etc_t:file { getattr read };
 allow ping_t self:unix_stream_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/portmap.te policy-1.19.7/domains/program/unused/portmap.te
--- nsapolicy/domains/program/unused/portmap.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.7/domains/program/unused/portmap.te	2004-11-30 06:18:45.000000000 -0500
@@ -13,7 +13,7 @@
 #
 daemon_domain(portmap, `, nscd_client_domain')
 
-can_network(portmap_t)
+can_network_server(portmap_t)
 can_ypbind(portmap_t)
 allow portmap_t self:unix_dgram_socket create_socket_perms;
 allow portmap_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/portslave.te policy-1.19.7/domains/program/unused/portslave.te
--- nsapolicy/domains/program/unused/portslave.te	2004-10-14 23:25:18.000000000 -0400
+++ policy-1.19.7/domains/program/unused/portslave.te	2004-11-30 06:18:45.000000000 -0500
@@ -38,7 +38,7 @@
 
 allow portslave_t pppd_secret_t:file r_file_perms;
 
-can_network(portslave_t)
+can_network_server(portslave_t)
 allow portslave_t fs_t:filesystem getattr;
 ifdef(`radius.te', `
 can_udp_send(portslave_t, radiusd_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postfix.te policy-1.19.7/domains/program/unused/postfix.te
--- nsapolicy/domains/program/unused/postfix.te	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.7/domains/program/unused/postfix.te	2004-11-30 15:56:27.879675921 -0500
@@ -156,7 +157,7 @@
 domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
 allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
 allow postfix_$1_t self:capability { setuid setgid dac_override };
-can_network(postfix_$1_t)
+can_network_client(postfix_$1_t)
 can_ypbind(postfix_$1_t)
 ')
 
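Review bot: the header `@@ -156,7 +157,7 @@` shows the new file already offset before this hunk, so an earlier change to postfix.te is missing from this diff. The switch of the generated sub-daemons to `can_network_client(postfix_$1_t)` is applied to every domain built with this macro; confirm that none of them needs to accept on a listening socket of its own (sockets inherited from postfix_master_t are a separate rule) before relying on the client macro for all of them.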
@@ -349,6 +350,6 @@
 allow postfix_map_t self:capability setgid;
 allow postfix_map_t self:unix_dgram_socket create_socket_perms;
 dontaudit postfix_map_t var_t:dir search;
-can_network(postfix_map_t)
+can_network_server(postfix_map_t)
 allow postfix_local_t mail_spool_t:dir { remove_name };
 allow postfix_local_t mail_spool_t:file { unlink };
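Review bot: `can_network_server(postfix_map_t)` is inconsistent with the previous hunk, which gives the postfix_$1_t sub-daemons only can_network_client. postfix_map_t is the postmap/postalias table builder, a command-line tool that does not listen; any network use it has (remote table lookups) is client-side, so can_network_client(postfix_map_t) fits, with a comment on why network access is needed at all.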
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.19.7/domains/program/unused/postgresql.te
--- nsapolicy/domains/program/unused/postgresql.te	2004-11-30 05:59:39.000000000 -0500
+++ policy-1.19.7/domains/program/unused/postgresql.te	2004-11-30 06:18:45.000000000 -0500
@@ -52,7 +52,7 @@
 file_type_auto_trans(postgresql_t, tmpfs_t, postgresql_tmp_t)
 
 # Use the network.
-can_network(postgresql_t)
+can_network_server(postgresql_t)
 allow postgresql_t self:fifo_file { getattr read write ioctl };
 allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
 can_unix_connect(postgresql_t, self)
@@ -126,3 +126,6 @@
 dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
 ')
 
+dontaudit postgresql_t home_root_t:dir search;
+can_kerberos(postgresql_t)
+allow postgresql_t urandom_device_t:chr_file { getattr read };
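Review bot: the three appended rules carry no comment and sit after the file's final ifdef block. `can_kerberos(postgresql_t)` is a real expansion of the domain's reach (presumably for krb5/GSSAPI client authentication); state the reason and place it next to the other network rules. `dontaudit postgresql_t home_root_t:dir search;` should say what triggers the search, so it is not quietly hiding a data directory that lives under /home.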
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgrey.te policy-1.19.7/domains/program/unused/postgrey.te
--- nsapolicy/domains/program/unused/postgrey.te	2004-11-30 05:59:39.000000000 -0500
+++ policy-1.19.7/domains/program/unused/postgrey.te	2004-11-30 06:24:17.000000000 -0500
@@ -17,7 +17,7 @@
 allow postgrey_t { etc_t etc_runtime_t }:file { getattr read };
 etcdir_domain(postgrey)
 
-can_network(postgrey_t)
+can_network_server_tcp(postgrey_t)
 can_ypbind(postgrey_t)
 allow postgrey_t postgrey_port_t:tcp_socket name_bind;
 allow postgrey_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.19.7/domains/program/unused/pppd.te
--- nsapolicy/domains/program/unused/pppd.te	2004-10-14 23:25:18.000000000 -0400
+++ policy-1.19.7/domains/program/unused/pppd.te	2004-11-30 06:18:45.000000000 -0500
@@ -30,7 +30,7 @@
 log_domain(pppd)
 
 # Use the network.
-can_network(pppd_t)
+can_network_server(pppd_t)
 can_ypbind(pppd_t)
 
 # Use capabilities.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/privoxy.te policy-1.19.7/domains/program/unused/privoxy.te
--- nsapolicy/domains/program/unused/privoxy.te	2004-03-17 13:26:05.000000000 -0500
+++ policy-1.19.7/domains/program/unused/privoxy.te	2004-11-30 06:18:45.000000000 -0500
@@ -16,7 +16,7 @@
 allow privoxy_t self:capability net_bind_service;
 
 # Use the network.
-can_network(privoxy_t)
+can_network_server(privoxy_t)
 allow privoxy_t port_t:{ tcp_socket udp_socket } name_bind;
 allow privoxy_t etc_t:file { getattr read };
 allow privoxy_t self:capability { setgid setuid };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/procmail.te policy-1.19.7/domains/program/unused/procmail.te
--- nsapolicy/domains/program/unused/procmail.te	2004-11-18 08:13:58.000000000 -0500
+++ policy-1.19.7/domains/program/unused/procmail.te	2004-11-30 06:18:45.000000000 -0500
@@ -18,7 +18,7 @@
 
 uses_shlib(procmail_t)
 allow procmail_t device_t:dir search;
-can_network(procmail_t)
+can_network_server(procmail_t)
 can_ypbind(procmail_t)
 
 allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/qmail.te policy-1.19.7/domains/program/unused/qmail.te
--- nsapolicy/domains/program/unused/qmail.te	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.7/domains/program/unused/qmail.te	2004-11-30 06:18:45.000000000 -0500
@@ -84,7 +84,7 @@
 
 qmaild_sub_domain(qmail_rspawn_t, qmail_remote)
 allow qmail_rspawn_t qmail_remote_exec_t:file read;
-can_network(qmail_remote_t)
+can_network_server(qmail_remote_t)
 can_ypbind(qmail_remote_t)
 allow qmail_remote_t qmail_spool_t:dir search;
 allow qmail_remote_t qmail_spool_t:file rw_file_perms;
@@ -125,12 +125,12 @@
 allow qmail_tcp_env_t inetd_t:tcp_socket { read write getattr };
 allow qmail_tcp_env_t inetd_t:process sigchld;
 allow qmail_tcp_env_t sbin_t:dir search;
-can_network(qmail_tcp_env_t)
+can_network_server(qmail_tcp_env_t)
 can_ypbind(qmail_tcp_env_t)
 
 qmaild_sub_domain(qmail_tcp_env_t, qmail_smtpd)
 allow qmail_tcp_env_t qmail_smtpd_exec_t:file read;
-can_network(qmail_smtpd_t)
+can_network_server(qmail_smtpd_t)
 can_ypbind(qmail_smtpd_t)
 allow qmail_smtpd_t inetd_t:fd use;
 allow qmail_smtpd_t inetd_t:tcp_socket { read write };
@@ -181,7 +181,7 @@
 
 qmaild_sub_domain(user_crond_t, qmail_serialmail)
 in_user_role(qmail_serialmail_t)
-can_network(qmail_serialmail_t)
+can_network_server(qmail_serialmail_t)
 can_ypbind(qmail_serialmail_t)
 can_exec(qmail_serialmail_t, qmail_serialmail_exec_t)
 allow qmail_serialmail_t self:process { fork signal_perms };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/radius.te policy-1.19.7/domains/program/unused/radius.te
--- nsapolicy/domains/program/unused/radius.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.19.7/domains/program/unused/radius.te	2004-11-30 06:18:45.000000000 -0500
@@ -50,7 +50,7 @@
 # gzip also needs chown access to preserve GID for radwtmp files
 allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
 
-can_network(radiusd_t)
+can_network_server(radiusd_t)
 can_ypbind(radiusd_t)
 allow radiusd_t { radius_port_t radacct_port_t }:udp_socket name_bind;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/radvd.te policy-1.19.7/domains/program/unused/radvd.te
--- nsapolicy/domains/program/unused/radvd.te	2004-11-09 13:35:12.000000000 -0500
+++ policy-1.19.7/domains/program/unused/radvd.te	2004-11-30 06:18:45.000000000 -0500
@@ -19,7 +19,7 @@
 allow radvd_t self:{ unix_dgram_socket rawip_socket } create;
 allow radvd_t self:unix_stream_socket create_socket_perms;
 
-can_network(radvd_t)
+can_network_server(radvd_t)
 
 allow radvd_t proc_t:dir r_dir_perms;
 allow radvd_t proc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rhgb.te policy-1.19.7/domains/program/unused/rhgb.te
--- nsapolicy/domains/program/unused/rhgb.te	2004-11-30 05:59:39.000000000 -0500
+++ policy-1.19.7/domains/program/unused/rhgb.te	2004-11-30 06:18:45.000000000 -0500
@@ -39,7 +39,7 @@
 allow rhgb_t self:capability { sys_admin sys_tty_config };
 dontaudit rhgb_t var_run_t:dir search;
 
-can_network(rhgb_t)
+can_network_server(rhgb_t)
 can_ypbind(rhgb_t)
 
 # for fonts
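Review bot: rhgb_t is the graphical boot splash, not a network service, so `can_network_server(rhgb_t)` grants more than it can use. If the original can_network() was there only for the X server rhgb starts, can_network_client(rhgb_t) is the smaller grant; otherwise name the listening socket in a comment.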
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rlogind.te policy-1.19.7/domains/program/unused/rlogind.te
--- nsapolicy/domains/program/unused/rlogind.te	2004-11-18 08:13:58.000000000 -0500
+++ policy-1.19.7/domains/program/unused/rlogind.te	2004-11-30 06:18:45.000000000 -0500
@@ -13,7 +13,7 @@
 type rlogind_t, domain, privlog, auth_chkpwd, privfd;
 role system_r types rlogind_t;
 uses_shlib(rlogind_t)
-can_network(rlogind_t)
+can_network_server(rlogind_t)
 type rlogind_exec_t, file_type, sysadmfile, exec_type;
 domain_auto_trans(inetd_t, rlogind_exec_t, rlogind_t)
 ifdef(`tcpd.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.19.7/domains/program/unused/rpcd.te
--- nsapolicy/domains/program/unused/rpcd.te	2004-11-29 10:24:17.000000000 -0500
+++ policy-1.19.7/domains/program/unused/rpcd.te	2004-11-30 15:56:56.484456299 -0500
@@ -62,7 +62,7 @@
 
 # nfs kernel server needs kernel UDP access.  It is less risky and painful
 # to just give it everything.
-can_network(kernel_t)
+can_network_server(kernel_t)
 #can_udp_send(kernel_t, rpcd_t)
 #can_udp_send(rpcd_t, kernel_t)
 
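Review bot: `can_network_server(kernel_t)` gives the kernel domain, which every kernel thread runs in, unrestricted server-side networking, and the comment above admits it is chosen for convenience. The commented-out `can_udp_send(kernel_t, rpcd_t)` / `can_udp_send(rpcd_t, kernel_t)` pair, plus whatever name_bind the in-kernel NFS server needs, is the targeted rule; at minimum wrap the broad macro in an ifdef for the NFS server so it does not apply to every system that merely includes rpcd.te.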
@@ -125,3 +125,4 @@
 r_dir_file(rpcd_t, rpc_pipefs_t)
 allow rpcd_t rpc_pipefs_t:sock_file { read write };
 dontaudit rpcd_t selinux_config_t:dir { search };
+allow rpcd_t proc_net_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rshd.te policy-1.19.7/domains/program/unused/rshd.te
--- nsapolicy/domains/program/unused/rshd.te	2004-11-18 08:13:58.000000000 -0500
+++ policy-1.19.7/domains/program/unused/rshd.te	2004-11-30 06:18:45.000000000 -0500
@@ -23,7 +23,7 @@
 allow rshd_t self:capability { net_bind_service setuid setgid fowner fsetid chown dac_override};
 
 # Use the network.
-can_network(rshd_t)
+can_network_server(rshd_t)
 can_ypbind(rshd_t)
 
 allow rshd_t etc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.19.7/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te	2004-11-18 08:13:58.000000000 -0500
+++ policy-1.19.7/domains/program/unused/samba.te	2004-11-30 06:18:45.000000000 -0500
@@ -48,7 +48,7 @@
 allow smbd_t self:capability { setgid setuid sys_resource net_bind_service lease };
 
 # Use the network.
-can_network(smbd_t)
+can_network_server(smbd_t)
 
 allow smbd_t urandom_device_t:chr_file { getattr read };
 
@@ -96,7 +96,7 @@
 allow nmbd_t self:capability net_bind_service;
 
 # Use the network.
-can_network(nmbd_t)
+can_network_server(nmbd_t)
 
 # Permissions for Samba files in /etc/samba
 allow nmbd_t samba_etc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/scannerdaemon.te policy-1.19.7/domains/program/unused/scannerdaemon.te
--- nsapolicy/domains/program/unused/scannerdaemon.te	2004-03-17 13:26:05.000000000 -0500
+++ policy-1.19.7/domains/program/unused/scannerdaemon.te	2004-11-30 06:18:45.000000000 -0500
@@ -12,7 +12,7 @@
 
 #networking
 daemon_domain(scannerdaemon)
-can_network(scannerdaemon_t)
+can_network_server(scannerdaemon_t)
 ifdef(`postfix.te',
 `can_tcp_connect(postfix_bounce_t,scannerdaemon_t);')
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slocate.te policy-1.19.7/domains/program/unused/slocate.te
--- nsapolicy/domains/program/unused/slocate.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.7/domains/program/unused/slocate.te	2004-11-30 11:25:41.000000000 -0500
@@ -23,9 +23,9 @@
 
 allow locate_t { userpty_type admin_tty_type }:chr_file rw_file_perms;
 
-allow locate_t { root_dir_type file_type }:dir r_dir_perms;
+allow locate_t { fs_type file_type }:dir r_dir_perms;
 allow locate_t file_type:lnk_file r_file_perms;
-allow locate_t { root_dir_type file_type -shadow_t }:{ lnk_file sock_file fifo_file file } getattr;
+allow locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } getattr;
 dontaudit locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } read;
 dontaudit locate_t security_t:dir getattr;
 dontaudit locate_t shadow_t:file getattr;
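Review bot: the two changed lines treat root_dir_type differently: the first replaces it with fs_type (`{ fs_type file_type }:dir r_dir_perms`) while the second drops it outright (`{ file_type -shadow_t }:{ lnk_file sock_file fifo_file file } getattr`). If fs_type types only ever label directories, dropping it from the non-directory rule is correct, but a comment saying so would stop the next reader from re-adding it. Also check that `fs_type:dir r_dir_perms` does not now let updatedb read directory contents on pseudo-filesystems it should skip.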
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.19.7/domains/program/unused/snmpd.te
--- nsapolicy/domains/program/unused/snmpd.te	2004-11-29 10:24:17.000000000 -0500
+++ policy-1.19.7/domains/program/unused/snmpd.te	2004-11-30 15:48:35.206877793 -0500
@@ -13,7 +13,7 @@
 #temp
 allow snmpd_t var_t:dir getattr;
 
-can_network(snmpd_t)
+can_network_server(snmpd_t)
 can_ypbind(snmpd_t)
 
 type snmp_port_t, port_type, reserved_port_type;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snort.te policy-1.19.7/domains/program/unused/snort.te
--- nsapolicy/domains/program/unused/snort.te	2004-11-19 11:20:43.000000000 -0500
+++ policy-1.19.7/domains/program/unused/snort.te	2004-11-30 06:18:45.000000000 -0500
@@ -9,7 +9,7 @@
 
 logdir_domain(snort)
 allow snort_t snort_log_t:dir create;
-can_network(snort_t)
+can_network_server(snort_t)
 type snort_etc_t, file_type, sysadmfile;
 
 # Create temporary files.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sound-server.te policy-1.19.7/domains/program/unused/sound-server.te
--- nsapolicy/domains/program/unused/sound-server.te	2004-03-17 13:26:05.000000000 -0500
+++ policy-1.19.7/domains/program/unused/sound-server.te	2004-11-30 06:18:45.000000000 -0500
@@ -24,7 +24,7 @@
 allow soundd_t device_t:lnk_file read;
 
 # Use the network.
-can_network(soundd_t)
+can_network_server(soundd_t)
 allow soundd_t self:unix_stream_socket create_stream_socket_perms;
 allow soundd_t self:unix_dgram_socket create_socket_perms;
 # allow any domain to connect to the sound server
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/spamd.te policy-1.19.7/domains/program/unused/spamd.te
--- nsapolicy/domains/program/unused/spamd.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.7/domains/program/unused/spamd.te	2004-11-30 06:18:45.000000000 -0500
@@ -23,7 +23,7 @@
 dontaudit spamd_t initrc_var_run_t:file { read write lock };
 dontaudit spamd_t sysadm_home_dir_t:dir getattr;
 
-can_network(spamd_t)
+can_network_server(spamd_t)
 allow spamd_t self:capability net_bind_service;
 
 allow spamd_t proc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.19.7/domains/program/unused/squid.te
--- nsapolicy/domains/program/unused/squid.te	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.7/domains/program/unused/squid.te	2004-11-30 06:18:45.000000000 -0500
@@ -62,7 +62,7 @@
 
 # to allow running programs from /usr/lib/squid (IE unlinkd)
 # also allow exec()ing itself
-can_exec(squid_t, { lib_t squid_exec_t bin_t sbin_t } )
+can_exec(squid_t, { lib_t squid_exec_t bin_t sbin_t shell_exec_t } )
 allow squid_t { bin_t sbin_t }:dir search;
 allow squid_t { bin_t sbin_t }:lnk_file read;
 
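Review bot: adding shell_exec_t to `can_exec(squid_t, { lib_t squid_exec_t bin_t sbin_t shell_exec_t })` lets a network-facing proxy run a shell in its own domain, which is exactly the permission an attacker with code execution in squid would want. The comment above still says the rule exists for helpers in /usr/lib/squid; update it to name the shell script squid actually runs, and if that script is a wrapper for a helper, prefer a domain transition for the helper or restrict the rule to that script's own type.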
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sxid.te policy-1.19.7/domains/program/unused/sxid.te
--- nsapolicy/domains/program/unused/sxid.te	2004-11-30 05:59:39.000000000 -0500
+++ policy-1.19.7/domains/program/unused/sxid.te	2004-11-30 11:28:08.000000000 -0500
@@ -32,10 +32,10 @@
 allow sxid_t ttyfile:chr_file getattr;
 allow sxid_t file_type:dir { getattr read search };
 allow sxid_t sysadmfile:file read;
-allow sxid_t root_dir_type:dir { getattr read search };
+allow sxid_t fs_type:dir { getattr read search };
 
 # Use the network.
-can_network(sxid_t)
+can_network_server(sxid_t)
 allow sxid_t self:fifo_file rw_file_perms;
 allow sxid_t self:unix_stream_socket create_socket_perms;
 
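Review bot: sxid_t is a cron-driven setuid/setgid file checker that does not listen on the network, so `can_network_server(sxid_t)` overshoots; can_network_client(sxid_t), as used for ping_t and nscd_t in this patch, covers mailing its report. The same hunk's `allow sxid_t fs_type:dir { getattr read search };` is the same widening from root_dir_type seen in dpkg.te and slocate.te and needs the same justification.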
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sysstat.te policy-1.19.7/domains/program/unused/sysstat.te
--- nsapolicy/domains/program/unused/sysstat.te	2004-06-16 13:33:36.000000000 -0400
+++ policy-1.19.7/domains/program/unused/sysstat.te	2004-11-30 06:18:45.000000000 -0500
@@ -51,8 +51,8 @@
 allow sysstat_t fs_t:filesystem getattr;
 
 # get info from /proc
-allow sysstat_t { proc_t sysctl_kernel_t sysctl_t sysctl_fs_t sysctl_rpc_t }:dir r_dir_perms;
-allow sysstat_t { proc_t sysctl_kernel_t sysctl_t sysctl_fs_t sysctl_rpc_t }:file { read getattr };
+allow sysstat_t { proc_t proc_net_t sysctl_kernel_t sysctl_t sysctl_fs_t sysctl_rpc_t }:dir r_dir_perms;
+allow sysstat_t { proc_t proc_net_t sysctl_kernel_t sysctl_t sysctl_fs_t sysctl_rpc_t }:file { read getattr };
 
 domain_auto_trans(initrc_t, sysstat_exec_t, sysstat_t)
 allow sysstat_t init_t:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/tcpd.te policy-1.19.7/domains/program/unused/tcpd.te
--- nsapolicy/domains/program/unused/tcpd.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.19.7/domains/program/unused/tcpd.te	2004-11-30 06:18:45.000000000 -0500
@@ -21,7 +21,7 @@
 # no good reason for this, probably nscd
 dontaudit tcpd_t var_t:dir search;
 
-can_network(tcpd_t)
+can_network_server(tcpd_t)
 can_ypbind(tcpd_t)
 allow tcpd_t self:unix_dgram_socket create_socket_perms;
 allow tcpd_t self:unix_stream_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/tftpd.te policy-1.19.7/domains/program/unused/tftpd.te
--- nsapolicy/domains/program/unused/tftpd.te	2004-11-30 05:59:39.000000000 -0500
+++ policy-1.19.7/domains/program/unused/tftpd.te	2004-11-30 11:17:39.000000000 -0500
@@ -22,7 +22,7 @@
 domain_auto_trans(inetd_t, tftpd_exec_t, tftpd_t)
 
 # Use the network.
-can_network(tftpd_t)
+can_network_udp(tftpd_t)
 allow tftpd_t tftp_port_t:udp_socket name_bind;
 ifdef(`inetd.te', `
 allow inetd_t tftp_port_t:udp_socket name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/timidity.te policy-1.19.7/domains/program/unused/timidity.te
--- nsapolicy/domains/program/unused/timidity.te	2004-10-29 14:33:17.000000000 -0400
+++ policy-1.19.7/domains/program/unused/timidity.te	2004-11-30 06:18:45.000000000 -0500
@@ -5,7 +5,7 @@
 # Note: You only need this policy if you want to run timidity as a server
 
 daemon_base_domain(timidity)
-can_network(timidity_t)
+can_network_server(timidity_t)
 
 allow timidity_t device_t:lnk_file read;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/tinydns.te policy-1.19.7/domains/program/unused/tinydns.te
--- nsapolicy/domains/program/unused/tinydns.te	2004-07-07 16:46:41.000000000 -0400
+++ policy-1.19.7/domains/program/unused/tinydns.te	2004-11-30 06:18:45.000000000 -0500
@@ -30,7 +30,7 @@
 allow tinydns_t etc_runtime_t:{ file lnk_file } { getattr read };
 
 #tinydns can use network
-can_network(tinydns_t)
+can_network_server(tinydns_t)
 allow tinydns_t dns_port_t:{ udp_socket tcp_socket } name_bind;
 # allow UDP transfer to/from any program
 can_udp_send(domain, tinydns_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/traceroute.te policy-1.19.7/domains/program/unused/traceroute.te
--- nsapolicy/domains/program/unused/traceroute.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.19.7/domains/program/unused/traceroute.te	2004-11-30 06:18:45.000000000 -0500
@@ -18,7 +18,7 @@
 # for user_ping:
 in_user_role(traceroute_t)
 uses_shlib(traceroute_t)
-can_network(traceroute_t)
+can_network_client(traceroute_t)
 can_ypbind(traceroute_t)
 allow traceroute_t node_t:rawip_socket node_bind;
 type traceroute_exec_t, file_type, sysadmfile, exec_type;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/transproxy.te policy-1.19.7/domains/program/unused/transproxy.te
--- nsapolicy/domains/program/unused/transproxy.te	2004-03-23 15:58:08.000000000 -0500
+++ policy-1.19.7/domains/program/unused/transproxy.te	2004-11-30 06:18:45.000000000 -0500
@@ -15,7 +15,7 @@
 type transproxy_port_t, port_type;
 
 # Use the network.
-can_network(transproxy_t)
+can_network_server_tcp(transproxy_t)
 allow transproxy_t transproxy_port_t:tcp_socket name_bind;
 
 #allow transproxy_t self:fifo_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/uwimapd.te policy-1.19.7/domains/program/unused/uwimapd.te
--- nsapolicy/domains/program/unused/uwimapd.te	2004-11-18 08:13:58.000000000 -0500
+++ policy-1.19.7/domains/program/unused/uwimapd.te	2004-11-30 06:18:45.000000000 -0500
@@ -8,7 +8,7 @@
 daemon_domain(imapd, `, auth_chkpwd, privhome')
 tmp_domain(imapd)
 
-can_network(imapd_t)
+can_network_server_tcp(imapd_t)
 
 #declare our own services
 allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/webalizer.te policy-1.19.7/domains/program/unused/webalizer.te
--- nsapolicy/domains/program/unused/webalizer.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.7/domains/program/unused/webalizer.te	2004-11-30 06:18:45.000000000 -0500
@@ -40,7 +40,7 @@
 allow webalizer_t proc_t:file r_file_perms;
 
 # network
-can_network(webalizer_t)
+can_network_server(webalizer_t)
 
 #process communication inside webalizer itself
 general_domain_access(webalizer_t)
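Review bot: can_network_server(webalizer_t) grants server-side network access to a log analyzer on the strength of the comment "# network". Elsewhere in this patch domains that only need DNS lookups get can_resolve() (gph_macros.te, xauth_macros.te); if webalizer's network use is reverse lookups of the addresses in its logs, can_resolve() is the narrower choice, otherwise please document what it serves.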
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xprint.te policy-1.19.7/domains/program/unused/xprint.te
--- nsapolicy/domains/program/unused/xprint.te	2004-08-27 16:51:30.000000000 -0400
+++ policy-1.19.7/domains/program/unused/xprint.te	2004-11-30 06:18:45.000000000 -0500
@@ -30,7 +30,7 @@
 ')
 
 # Use the network.
-can_network(xprint_t)
+can_network_server(xprint_t)
 can_ypbind(xprint_t)
 allow xprint_t self:fifo_file rw_file_perms;
 allow xprint_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypserv.te policy-1.19.7/domains/program/unused/ypserv.te
--- nsapolicy/domains/program/unused/ypserv.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.7/domains/program/unused/ypserv.te	2004-11-30 06:28:40.000000000 -0500
@@ -16,8 +16,7 @@
 allow ypserv_t self:capability { net_admin net_bind_service };
 
 # Use the network.
-can_network(ypserv_t)
-allow ypserv_t port_t:{ tcp_socket udp_socket } name_bind;
+can_network_server(ypserv_t)
 
 allow ypserv_t self:fifo_file rw_file_perms;
 
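Review bot: this hunk drops `allow ypserv_t port_t:{ tcp_socket udp_socket } name_bind;` while swapping can_network() for can_network_server(); unless can_network_server() itself grants name_bind on port_t, ypserv loses the ability to bind unreserved ports (the next hunk keeps only the reserved_port_t name_bind). Please confirm the macro covers it, or keep the line.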
@@ -39,5 +38,5 @@
 ifdef(`rpcd.te', `
 allow rpcd_t ypserv_conf_t:file { getattr read };
 ')
-allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } { name_bind };
+allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
 dontaudit ypserv_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/zebra.te policy-1.19.7/domains/program/unused/zebra.te
--- nsapolicy/domains/program/unused/zebra.te	2004-08-27 09:30:29.000000000 -0400
+++ policy-1.19.7/domains/program/unused/zebra.te	2004-11-30 06:18:45.000000000 -0500
@@ -9,7 +9,7 @@
 type zebra_conf_t, file_type, sysadmfile;
 r_dir_file({ initrc_t zebra_t }, zebra_conf_t)
 
-can_network(zebra_t)
+can_network_server(zebra_t)
 can_ypbind(zebra_t)
 allow zebra_t { etc_t etc_runtime_t }:file { getattr read };
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.19.7/domains/user.te
--- nsapolicy/domains/user.te	2004-11-30 05:59:38.000000000 -0500
+++ policy-1.19.7/domains/user.te	2004-11-30 06:29:22.000000000 -0500
@@ -55,6 +55,7 @@
 # Reach sysadm_t via programs like userhelper/sudo/su
 undefine(`reach_sysadm')
 define(`reach_sysadm', `
+ifdef(`userhelper.te', `userhelper_domain($1)')
 ifdef(`sudo.te', `sudo_domain($1)')
 ifdef(`su.te', `
 su_domain($1)
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/hotplug.fc policy-1.19.7/file_contexts/program/hotplug.fc
--- nsapolicy/file_contexts/program/hotplug.fc	2004-11-24 07:00:50.000000000 -0500
+++ policy-1.19.7/file_contexts/program/hotplug.fc	2004-11-30 11:40:10.000000000 -0500
@@ -10,3 +10,4 @@
 /etc/hotplug/hotplug\.functions --	system_u:object_r:sbin_t
 /var/run/usb(/.*)?		system_u:object_r:hotplug_var_run_t
 /var/run/hotplug(/.*)?		system_u:object_r:hotplug_var_run_t
+/etc/hotplug/firmware.agent	--	system_u:object_r:hotplug_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mozilla.fc policy-1.19.7/file_contexts/program/mozilla.fc
--- nsapolicy/file_contexts/program/mozilla.fc	2004-11-19 11:20:44.000000000 -0500
+++ policy-1.19.7/file_contexts/program/mozilla.fc	2004-11-30 13:10:00.000000000 -0500
@@ -1,4 +1,5 @@
 #  netscape/mozilla
+HOME_DIR/\.galeon(/.*)?	system_u:object_r:ROLE_mozilla_rw_t
 HOME_DIR/\.netscape(/.*)?	system_u:object_r:ROLE_mozilla_rw_t
 HOME_DIR/\.mozilla(/.*)?	system_u:object_r:ROLE_mozilla_rw_t
 HOME_DIR/\.phoenix(/.*)?	system_u:object_r:ROLE_mozilla_rw_t
@@ -12,6 +13,7 @@
 /usr/bin/epiphany-bin   --	system_u:object_r:mozilla_exec_t
 /usr/bin/mozilla-[0-9].* --	system_u:object_r:mozilla_exec_t
 /usr/bin/mozilla-bin-[0-9].* --	system_u:object_r:mozilla_exec_t
+/usr/lib(64)?/galeon/galeon -- system_u:object_r:mozilla_exec_t
 /usr/lib(64)?/netscape/.+/communicator/communicator-smotif\.real -- system_u:object_r:mozilla_exec_t
 /usr/lib(64)?/netscape/base-4/wrapper -- system_u:object_r:mozilla_exec_t
 /usr/lib(64)?/mozilla[^/]*/reg.+	--	system_u:object_r:mozilla_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/sendmail.fc policy-1.19.7/file_contexts/program/sendmail.fc
--- nsapolicy/file_contexts/program/sendmail.fc	2004-11-30 05:59:39.000000000 -0500
+++ policy-1.19.7/file_contexts/program/sendmail.fc	2004-11-30 06:18:45.000000000 -0500
@@ -1,6 +1,5 @@
 # sendmail
 /etc/mail(/.*)?				system_u:object_r:etc_mail_t
-/var/spool/(client)?mqueue(/.*)?	system_u:object_r:mqueue_spool_t
 /var/log/sendmail\.st		--	system_u:object_r:sendmail_log_t
 /var/log/mail(/.*)?			system_u:object_r:sendmail_log_t
 /var/run/sendmail\.pid		--	system_u:object_r:sendmail_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.19.7/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc	2004-11-30 05:59:39.000000000 -0500
+++ policy-1.19.7/file_contexts/types.fc	2004-11-30 06:18:45.000000000 -0500
@@ -334,9 +334,6 @@
 /usr(/.*)?			system_u:object_r:usr_t
 /usr(/.*)?/lib(64)?(/.*)?	system_u:object_r:lib_t
 /usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
-/usr(/.*)?/java/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
-/usr(/.*)?/java/.*\.jar	--	system_u:object_r:shlib_t
-/usr(/.*)?/java/.*\.jsa	--	system_u:object_r:shlib_t
 /usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
 /usr(/.*)?/bin(/.*)?		system_u:object_r:bin_t
 /usr(/.*)?/Bin(/.*)?		system_u:object_r:bin_t
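Review bot: dropping the three /usr(/.*)?/java entries changes what the JRE's .so, .jar and .jsa files are labeled; .jar and .jsa files were shlib_t only through these lines and now fall back to the generic /usr entries above, so anything that maps them executable now needs execute on a different type. The commit message should say why the shlib_t labeling is removed and what label those files get now; the execute rules added for $1_mozilla_t in mozilla_macros.te look like the other half of this change and should be mentioned together with it.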
@@ -399,6 +396,7 @@
 #
 /var/spool(/.*)?		system_u:object_r:var_spool_t
 /var/spool/texmf(/.*)?		system_u:object_r:tetex_data_t
+/var/spool/(client)?mqueue(/.*)?	system_u:object_r:mqueue_spool_t
 
 # 
 # /var/log
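Review bot: moving the /var/spool/(client)?mqueue entry from sendmail.fc into types.fc makes the mqueue_spool_t label unconditional, so mqueue_spool_t must be declared in a base types file rather than in sendmail.te; otherwise setfiles fails on an undefined type whenever sendmail policy is not built. Please confirm where the type is declared.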
diff --exclude-from=exclude -N -u -r nsapolicy/macros/admin_macros.te policy-1.19.7/macros/admin_macros.te
--- nsapolicy/macros/admin_macros.te	2004-11-30 05:59:39.000000000 -0500
+++ policy-1.19.7/macros/admin_macros.te	2004-11-30 06:18:45.000000000 -0500
@@ -33,6 +33,7 @@
 allow $1_t self:capability setuid;
 
 ifdef(`su.te', `su_domain($1)')
+ifdef(`userhelper.te', `userhelper_domain($1)')
 ifdef(`sudo.te', `sudo_domain($1)')
 
 # Violates the goal of limiting write access to checkpolicy.
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.19.7/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2004-11-30 05:59:39.000000000 -0500
+++ policy-1.19.7/macros/base_user_macros.te	2004-11-30 11:26:55.000000000 -0500
@@ -43,7 +43,7 @@
 # for eject
 allow $1_t fixed_disk_device_t:blk_file getattr;
 
-allow $1_t root_dir_type:dir { getattr };
+allow $1_t fs_type:dir { getattr };
 
 # open office is looking for the following
 allow $1_t dri_device_t:chr_file getattr;
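Review bot: root_dir_type and fs_type are not the same set. The root_dir_type attribute that this patch removes from types/file.te also sat on non-filesystem types such as boot_t, usr_t and var_t, while fs_type takes in every filesystem type, so `allow $1_t fs_type:dir { getattr };` drops getattr on those directories (fine if file_type rules elsewhere cover them) and adds it for every fs_type. Please say in the commit message that this widening is intended; the same substitution is made in sxid.te and slocate_macros.te.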
@@ -160,7 +160,6 @@
 
 ifdef(`screen.te', `screen_domain($1)')
 ifdef(`tvtime.te', `tvtime_domain($1)')
-ifdef(`userhelper.te', `userhelper_domain($1)')
 ifdef(`mozilla.te', `mozilla_domain($1)')
 ifdef(`games.te', `games_domain($1)')
 ifdef(`gpg.te', `gpg_domain($1)')
@@ -207,7 +206,7 @@
 # Grant permissions to access the system DBus
 ifdef(`dbusd.te', `
 dbusd_client(system, $1)
-can_network($1_dbusd_t)
+can_network_server_tcp($1_dbusd_t)
 allow $1_dbusd_t reserved_port_t:tcp_socket name_bind;
 
 allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/games_domain.te policy-1.19.7/macros/program/games_domain.te
--- nsapolicy/macros/program/games_domain.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.7/macros/program/games_domain.te	2004-11-30 06:18:45.000000000 -0500
@@ -46,5 +46,13 @@
 allow $1_games_t event_device_t:chr_file getattr;
 allow $1_games_t mouse_device_t:chr_file getattr;
 allow $1_games_t self:file { getattr read };
+
+# kpat spews errors
+dontaudit $1_games_t bin_t:dir getattr;
+dontaudit $1_games_t var_run_t:dir search;
+ifdef(`xdm.te', `
+dontaudit $1_games_t xdm_xserver_tmp_t:dir getattr;
+')
+
 ')dnl end macro definition
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gph_macros.te policy-1.19.7/macros/program/gph_macros.te
--- nsapolicy/macros/program/gph_macros.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.7/macros/program/gph_macros.te	2004-11-30 06:18:45.000000000 -0500
@@ -55,7 +55,7 @@
 allow $1_t $1_gph_t:fd use;
 
 # Use the network, e.g. for NIS lookups.
-can_network($1_gph_t)
+can_resolve($1_gph_t)
 can_ypbind($1_gph_t)
 
 allow $1_gph_t etc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/inetd_macros.te policy-1.19.7/macros/program/inetd_macros.te
--- nsapolicy/macros/program/inetd_macros.te	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.7/macros/program/inetd_macros.te	2004-11-30 06:18:45.000000000 -0500
@@ -14,7 +14,7 @@
 domain_auto_trans(inetd_t, $1_exec_t, $1_t)
 allow inetd_t $1_t:process sigkill;
 
-can_network($1_t)
+can_network_server($1_t)
 can_ypbind($1_t)
 uses_shlib($1_t)
 allow $1_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/irc_macros.te policy-1.19.7/macros/program/irc_macros.te
--- nsapolicy/macros/program/irc_macros.te	2004-11-18 08:13:59.000000000 -0500
+++ policy-1.19.7/macros/program/irc_macros.te	2004-11-30 06:18:45.000000000 -0500
@@ -47,7 +47,7 @@
 allow $1_t $1_irc_t:process signal;
 
 # Use the network.
-can_network($1_irc_t)
+can_network_client($1_irc_t)
 can_ypbind($1_irc_t)
 
 allow $1_irc_t usr_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/kerberos_macros.te policy-1.19.7/macros/program/kerberos_macros.te
--- nsapolicy/macros/program/kerberos_macros.te	2004-11-29 10:24:17.000000000 -0500
+++ policy-1.19.7/macros/program/kerberos_macros.te	2004-11-30 06:18:45.000000000 -0500
@@ -3,8 +3,8 @@
 if (allow_kerberos) {
 can_network_client($1, `kerberos_port_t')
 can_resolve($1)
-dontaudit $1 krb5_conf_t:file write;
-allow $1 krb5_conf_t:file { getattr read };
 }
 ') dnl kerberos.te
+dontaudit $1 krb5_conf_t:file write;
+allow $1 krb5_conf_t:file { getattr read };
 ')
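Review bot: moving the two krb5_conf_t rules below `') dnl kerberos.te` grants every caller of this macro read access to krb5_conf_t unconditionally, independent of the allow_kerberos boolean and of whether kerberos.te is built (it compiles because this patch declares krb5_conf_t in types/file.te). If the intent is to stop denials from libraries that read /etc/krb5.conf even when Kerberos is unused, a one-line comment saying so would keep the next reader from moving the rules back inside the boolean.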
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/lpr_macros.te policy-1.19.7/macros/program/lpr_macros.te
--- nsapolicy/macros/program/lpr_macros.te	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.7/macros/program/lpr_macros.te	2004-11-30 06:18:45.000000000 -0500
@@ -34,7 +34,7 @@
 role $1_r types $1_lpr_t;
 
 # This domain is granted permissions common to most domains (including can_net)
-can_network($1_lpr_t)
+can_network_client($1_lpr_t)
 can_ypbind($1_lpr_t)
 
 # Use capabilities.
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.19.7/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2004-11-30 05:59:39.000000000 -0500
+++ policy-1.19.7/macros/program/mozilla_macros.te	2004-11-30 06:19:08.000000000 -0500
@@ -48,6 +48,7 @@
 allow $1_mozilla_t device_t:dir r_dir_perms;
 allow $1_mozilla_t devpts_t:dir r_dir_perms;
 allow $1_mozilla_t proc_t:file { getattr read };
+r_dir_file($1_mozilla_t, proc_net_t)
 dontaudit $1_mozilla_t tty_device_t:chr_file getattr;
 
 dontaudit $1_mozilla_t proc_t:dir read;
@@ -115,6 +116,20 @@
 dontaudit $1_mozilla_t file_type:dir getattr;
 allow $1_mozilla_t self:sem create_sem_perms;
 
+ifdef(`userhelper.te', `
+domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
+')
+dontaudit $1_mozilla_t selinux_config_t:dir search;
+
+#
+# Rules needed to run java apps
+#
+allow $1_mozilla_t ld_so_cache_t:file execute;
+allow $1_mozilla_t locale_t:file execute;
+dontaudit $1_mozilla_t *:{ chr_file file } execute;
+dontaudit $1_t ld_so_cache_t:file execute;
+dontaudit $1_t locale_t:file execute;
+
 dontaudit $1_mozilla_t selinux_config_t:dir search;
 
 ifdef(`xdm.te', `
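Review bot: `dontaudit $1_mozilla_t *:{ chr_file file } execute;` silences execute denials for every type on the system, so a genuine attempt by the browser domain to execute something it should not will leave no audit record; scope it to the types the Java plugin actually touches (the two allow rules just above name ld_so_cache_t and locale_t) rather than `*`. Two smaller things in the same hunk: `dontaudit $1_mozilla_t selinux_config_t:dir search;` is added although the identical line already exists a few lines below, and `domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)` is guarded only by ifdef(`userhelper.te'), which tests that the file is built, not that userhelper_domain($1) was instantiated; since this patch moves userhelper_domain($1) out of base_user_macros.te into reach_sysadm and admin_macros.te, $1_userhelper_t is undefined for any $1 that gets neither, and the build fails there.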
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mta_macros.te policy-1.19.7/macros/program/mta_macros.te
--- nsapolicy/macros/program/mta_macros.te	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.7/macros/program/mta_macros.te	2004-11-30 06:18:45.000000000 -0500
@@ -33,7 +33,7 @@
 role $1_r types $1_mail_t;
 
 uses_shlib($1_mail_t)
-can_network($1_mail_t)
+can_network_client_tcp($1_mail_t)
 can_ypbind($1_mail_t)
 allow $1_mail_t self:unix_dgram_socket create_socket_perms;
 allow $1_mail_t self:unix_stream_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/slocate_macros.te policy-1.19.7/macros/program/slocate_macros.te
--- nsapolicy/macros/program/slocate_macros.te	2004-11-30 05:59:40.000000000 -0500
+++ policy-1.19.7/macros/program/slocate_macros.te	2004-11-30 11:26:11.000000000 -0500
@@ -57,8 +57,8 @@
 
 base_file_read_access($1_locate_t)
 r_dir_file($1_locate_t, { etc_t lib_t var_t })
-dontaudit $1_locate_t { root_dir_type file_type }:dir r_dir_perms;
-dontaudit $1_locate_t { root_dir_type file_type -shadow_t}:file { getattr read };
+dontaudit $1_locate_t { fs_type file_type }:dir r_dir_perms;
+dontaudit $1_locate_t { fs_type file_type -shadow_t}:file { getattr read };
 ')
 
 ', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.19.7/macros/program/ssh_macros.te
--- nsapolicy/macros/program/ssh_macros.te	2004-11-30 05:59:40.000000000 -0500
+++ policy-1.19.7/macros/program/ssh_macros.te	2004-11-30 06:18:45.000000000 -0500
@@ -82,7 +82,7 @@
 
 # Grant permissions needed to create TCP and UDP sockets and
 # to access the network.
-can_network($1_ssh_t)
+can_network_client_tcp($1_ssh_t)
 can_ypbind($1_ssh_t)
 
 # Use capabilities.
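Review bot: can_network_client_tcp($1_ssh_t) removes UDP socket access, but the comment kept two lines above still says "create TCP and UDP sockets"; either update the comment or keep UDP. The merge reply further down this thread reports that `allow user_ssh_t self:udp_socket create` was needed in normal use and attributes it to the resolver, so can_network_client() looks like the right macro here.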
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/userhelper_macros.te policy-1.19.7/macros/program/userhelper_macros.te
--- nsapolicy/macros/program/userhelper_macros.te	2004-11-30 05:59:40.000000000 -0500
+++ policy-1.19.7/macros/program/userhelper_macros.te	2004-11-30 06:18:45.000000000 -0500
@@ -140,4 +140,8 @@
 allow $1_userhelper_t pam_var_console_t:dir { search };
 ')
 
+ifdef(`mozilla.te', `
+domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
+')
+
 ')dnl end userhelper macro
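Review bot: the domain_auto_trans added here duplicates the one added to mozilla_macros.te in this same patch; keep it in one place (here is the natural home, since it is userhelper_domain() that defines $1_userhelper_t). Note also that ifdef(`mozilla.te') only tests that mozilla.te is built, not that mozilla_domain($1) ran for this $1, so $1_mozilla_t may be undefined for a role that gets userhelper_domain() without mozilla_domain().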
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xauth_macros.te policy-1.19.7/macros/program/xauth_macros.te
--- nsapolicy/macros/program/xauth_macros.te	2004-11-30 05:59:40.000000000 -0500
+++ policy-1.19.7/macros/program/xauth_macros.te	2004-11-30 06:18:45.000000000 -0500
@@ -54,7 +54,7 @@
 uses_shlib($1_xauth_t)
 
 # allow DNS lookups...
-can_network($1_xauth_t)
+can_resolve($1_xauth_t)
 can_ypbind($1_xauth_t)
 ifdef(`named.te', `
 can_udp_send($1_xauth_t, named_t)
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.19.7/net_contexts
--- nsapolicy/net_contexts	2004-11-09 13:35:11.000000000 -0500
+++ policy-1.19.7/net_contexts	2004-11-30 06:18:45.000000000 -0500
@@ -113,7 +113,6 @@
 portcon tcp 631 system_u:object_r:ipp_port_t
 portcon udp 631 system_u:object_r:ipp_port_t
 ')
-ifdef(`kerberos.te', `
 portcon tcp 88 system_u:object_r:kerberos_port_t
 portcon udp 88 system_u:object_r:kerberos_port_t
 portcon tcp 749 system_u:object_r:kerberos_admin_port_t
@@ -121,7 +120,6 @@
 portcon udp 750 system_u:object_r:kerberos_port_t
 portcon tcp 4444 system_u:object_r:kerberos_master_port_t
 portcon udp 4444 system_u:object_r:kerberos_master_port_t
-')
 ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t')
 ifdef(`rsync.te', `
 portcon tcp 873 system_u:object_r:rsync_port_t
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.19.7/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-20 13:57:29.000000000 -0400
+++ policy-1.19.7/tunables/distro.tun	2004-11-30 06:18:45.000000000 -0500
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.19.7/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.7/tunables/tunable.tun	2004-11-30 06:31:15.000000000 -0500
@@ -2,10 +2,10 @@
 dnl define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
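Review bot: uncommenting unlimitedRPM and unlimitedUtils makes rpm, hotplug and insmod run unconfined, as the comments in this hunk say, and hide_broken_symptoms (next hunk) suppresses auditing of accesses the policy knows are broken; together with distro_redhat in distro.tun this reads as a distribution build configuration rather than a change the shared reference defaults should carry. Please keep the upstream defaults commented out and apply these in the Red Hat build instead.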
@@ -17,11 +17,11 @@
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
diff --exclude-from=exclude -N -u -r nsapolicy/types/devpts.te policy-1.19.7/types/devpts.te
--- nsapolicy/types/devpts.te	2004-09-22 16:19:14.000000000 -0400
+++ policy-1.19.7/types/devpts.te	2004-11-30 11:31:48.000000000 -0500
@@ -16,6 +16,6 @@
 # devpts_t is the type of the devpts file system and 
 # the type of the root directory of the file system.
 #
-type devpts_t, fs_type, root_dir_type;
+type devpts_t, fs_type;
 
 
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.19.7/types/file.te
--- nsapolicy/types/file.te	2004-11-30 05:59:40.000000000 -0500
+++ policy-1.19.7/types/file.te	2004-11-30 11:31:55.000000000 -0500
@@ -33,12 +33,12 @@
 # assigned an extended attribute (EA) value (when using a filesystem
 # that supports EAs).
 #
-type file_t, file_type, root_dir_type, sysadmfile;
+type file_t, file_type, sysadmfile;
 
 # default_t is the default type for files that do not
 # match any specification in the file_contexts configuration
 # other than the generic /.* specification.
-type default_t, file_type, root_dir_type, sysadmfile;
+type default_t, file_type, sysadmfile;
 
 #
 # root_t is the type for the root directory.
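Review bot: this patch strips root_dir_type from every type declaration (here, in the later hunks of this file, and in devpts.te, nfs.te and procfs.te) and rewrites the three rules that used it to fs_type, but no hunk removes the attribute declaration itself. An attribute with no types still compiles, so a later rule that references root_dir_type will silently match nothing; remove the declaration in the same patch.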
@@ -64,7 +64,7 @@
 # boot_t is the type for files in /boot,
 # including the kernel.
 #
-type boot_t, file_type, root_dir_type, sysadmfile;
+type boot_t, file_type, sysadmfile;
 # system_map_t is for the system.map files in /boot
 type system_map_t, file_type, sysadmfile;
 
@@ -157,7 +157,7 @@
 #
 # usr_t is the type for /usr.
 #
-type usr_t, file_type, root_dir_type, sysadmfile;
+type usr_t, file_type, sysadmfile;
 
 #
 # src_t is the type of files in the system src directories.
@@ -167,7 +167,7 @@
 #
 # var_t is the type for /var.
 #
-type var_t, file_type, root_dir_type, sysadmfile;
+type var_t, file_type,  sysadmfile;
 
 #
 # Types for subdirectories of /var.
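Review bot: style, `type var_t, file_type,  sysadmfile;` keeps a double space where root_dir_type was removed; the sysfs_t line in the next hunk has the same leftover. Worth a quick pass before merging since these lines will stay as-is for a long time.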
@@ -264,28 +264,28 @@
 # Allow the pty to be associated with the file system.
 allow devpts_t self:filesystem associate;
 
-type tmpfs_t, file_type, sysadmfile, fs_type, root_dir_type;
+type tmpfs_t, file_type, sysadmfile, fs_type;
 allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate;
 
-type autofs_t, fs_type, root_dir_type, noexattrfile, sysadmfile;
+type autofs_t, fs_type, noexattrfile, sysadmfile;
 allow autofs_t self:filesystem associate;
 
-type usbdevfs_t, fs_type, root_dir_type, noexattrfile, sysadmfile;
+type usbdevfs_t, fs_type, noexattrfile, sysadmfile;
 allow usbdevfs_t self:filesystem associate;
 
-type sysfs_t, fs_type, root_dir_type, sysadmfile;
+type sysfs_t, fs_type,  sysadmfile;
 allow sysfs_t self:filesystem associate;
 
-type iso9660_t, fs_type, root_dir_type, noexattrfile, sysadmfile;
+type iso9660_t, fs_type, noexattrfile, sysadmfile;
 allow iso9660_t self:filesystem associate;
 
-type romfs_t, fs_type, root_dir_type, sysadmfile;
+type romfs_t, fs_type, sysadmfile;
 allow romfs_t self:filesystem associate;
 
-type ramfs_t, fs_type, root_dir_type, sysadmfile;
+type ramfs_t, fs_type, sysadmfile;
 allow ramfs_t self:filesystem associate;
 
-type dosfs_t, fs_type, root_dir_type, noexattrfile, sysadmfile;
+type dosfs_t, fs_type, noexattrfile, sysadmfile;
 allow dosfs_t self:filesystem associate;
 
 # udev_runtime_t is the type of the udev table file
@@ -294,7 +294,7 @@
 # krb5_conf_t is the type of the /etc/krb5.conf file
 type krb5_conf_t, file_type, sysadmfile;
 
-type cifs_t, fs_type, root_dir_type, noexattrfile, sysadmfile;
+type cifs_t, fs_type, noexattrfile, sysadmfile;
 allow cifs_t self:filesystem associate;
 typealias cifs_t alias sambafs_t;
 
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.19.7/types/network.te
--- nsapolicy/types/network.te	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.7/types/network.te	2004-11-30 06:18:45.000000000 -0500
@@ -64,6 +64,13 @@
 type mail_port_t, port_type;
 
 #
+# Ports used to communicate with kerberos server
+#
+type kerberos_port_t, port_type, reserved_port_type;
+type kerberos_admin_port_t, port_type, reserved_port_type;
+type kerberos_master_port_t, port_type;
+
+#
 # port_t is the default type of INET port numbers.
 # The *_port_t types are used for specific port
 # numbers in net_contexts or net_contexts.mls.
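Review bot: these three kerberos port types are now declared unconditionally, matching the net_contexts hunk that drops the ifdef(`kerberos.te') around the kerberos portcon lines, but no hunk removes the corresponding declarations from kerberos.te; if they are still declared there, a build with kerberos.te enabled fails on duplicate types. Please confirm where they were declared before, and mention the move in the commit message.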
diff --exclude-from=exclude -N -u -r nsapolicy/types/nfs.te policy-1.19.7/types/nfs.te
--- nsapolicy/types/nfs.te	2004-09-22 16:19:14.000000000 -0400
+++ policy-1.19.7/types/nfs.te	2004-11-30 11:31:36.000000000 -0500
@@ -13,7 +13,7 @@
 # The nfs_*_t types are used for specific NFS
 # servers in net_contexts or net_contexts.mls.
 #
-type nfs_t, fs_type, root_dir_type;
+type nfs_t, fs_type;
 
 #
 # Allow NFS files to be associated with an NFS file system.
diff --exclude-from=exclude -N -u -r nsapolicy/types/procfs.te policy-1.19.7/types/procfs.te
--- nsapolicy/types/procfs.te	2004-11-29 10:24:18.000000000 -0500
+++ policy-1.19.7/types/procfs.te	2004-11-30 11:32:00.000000000 -0500
@@ -14,7 +14,7 @@
 # proc_mdstat_t is the type of /proc/mdstat.
 # proc_net_t is the type of /proc/net.
 #
-type proc_t, fs_type, proc_fs, root_dir_type;
+type proc_t, fs_type, proc_fs;
 type proc_kmsg_t, proc_fs;
 type proc_kcore_t, proc_fs;
 type proc_mdstat_t, proc_fs;


* Re: Reissue previous patch
  2004-11-30 21:19                       ` Reissue previous patch Daniel J Walsh
@ 2004-12-02 13:54                         ` James Carter
  2004-12-02 14:16                           ` Daniel J Walsh
  0 siblings, 1 reply; 64+ messages in thread
From: James Carter @ 2004-12-02 13:54 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

Merged with some changes.

On Tue, 2004-11-30 at 16:19, Daniel J Walsh wrote:
> Several can_network_clients were wrong
<snip>
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.19.7/domains/program/mount.te
> --- nsapolicy/domains/program/mount.te	2004-11-09 13:35:12.000000000 -0500
> +++ policy-1.19.7/domains/program/mount.te	2004-11-30 06:18:45.000000000 -0500
> @@ -64,7 +64,7 @@
>  
>  ifdef(`portmap.te', `
>  # for nfs
> -can_network(mount_t)
> +can_network_server(mount_t)
>  can_ypbind(mount_t)
>  allow mount_t port_t:{ tcp_socket udp_socket } name_bind;
>  allow mount_t reserved_port_t:{ tcp_socket udp_socket } name_bind;

Left it as can_network(), otherwise, I can't mount a NFS partition.  May
be able to separate the NFS client and server usages, but I haven't
looked into it.

<snip>
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/howl.te policy-1.19.7/domains/program/unused/howl.te
> --- nsapolicy/domains/program/unused/howl.te	2004-10-13 22:41:57.000000000 -0400
> +++ policy-1.19.7/domains/program/unused/howl.te	2004-11-30 06:18:45.000000000 -0500
> @@ -5,7 +5,7 @@
>  
>  daemon_domain(howl)
>  allow howl_t proc_t:file { getattr read };
> -can_network(howl_t)
> +can_network_server(howl_t)
>  can_ypbind(howl_t)
>  allow howl_t self:capability { kill net_admin };
>  

I used:
-allow howl_t proc_t:file { getattr read };
-can_network(howl_t)
+allow howl_t proc_net_t:dir search;
+allow howl_t proc_net_t:file {getattr read };
+can_network_server(howl_t)

<snip>
> diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.19.7/macros/program/ssh_macros.te
> --- nsapolicy/macros/program/ssh_macros.te	2004-11-30 05:59:40.000000000 -0500
> +++ policy-1.19.7/macros/program/ssh_macros.te	2004-11-30 06:18:45.000000000 -0500
> @@ -82,7 +82,7 @@
>  
>  # Grant permissions needed to create TCP and UDP sockets and
>  # to access the network.
> -can_network($1_ssh_t)
> +can_network_client_tcp($1_ssh_t)
>  can_ypbind($1_ssh_t)
>  
>  # Use capabilities.

I used can_network_client() instead.

The following was needed by ssh during my normal usage of it (like
updating the CVS tree on sourceforge.)

allow user_ssh_t self:udp_socket create;

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


* Re: Reissue previous patch
  2004-12-02 13:54                         ` James Carter
@ 2004-12-02 14:16                           ` Daniel J Walsh
  2004-12-02 15:51                             ` Stephen Smalley
  2004-12-02 17:51                             ` James Carter
  0 siblings, 2 replies; 64+ messages in thread
From: Daniel J Walsh @ 2004-12-02 14:16 UTC (permalink / raw)
  To: jwcart2; +Cc: SELinux

James Carter wrote:

>Merged with some changes.
>
>On Tue, 2004-11-30 at 16:19, Daniel J Walsh wrote:
>  
>
>>Several can_network_clients were wrong
>>    
>>
><snip>
>  
>
>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.19.7/domains/program/mount.te
>>--- nsapolicy/domains/program/mount.te	2004-11-09 13:35:12.000000000 -0500
>>+++ policy-1.19.7/domains/program/mount.te	2004-11-30 06:18:45.000000000 -0500
>>@@ -64,7 +64,7 @@
>> 
>> ifdef(`portmap.te', `
>> # for nfs
>>-can_network(mount_t)
>>+can_network_server(mount_t)
>> can_ypbind(mount_t)
>> allow mount_t port_t:{ tcp_socket udp_socket } name_bind;
>> allow mount_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
>>    
>>
>
>Left it as can_network(), otherwise, I can't mount a NFS partition.  May
>be able to separate the NFS client and server usages, by I haven't
>looked into it.
>
><snip>
>  
>
>>diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/howl.te policy-1.19.7/domains/program/unused/howl.te
>>--- nsapolicy/domains/program/unused/howl.te	2004-10-13 22:41:57.000000000 -0400
>>+++ policy-1.19.7/domains/program/unused/howl.te	2004-11-30 06:18:45.000000000 -0500
>>@@ -5,7 +5,7 @@
>> 
>> daemon_domain(howl)
>> allow howl_t proc_t:file { getattr read };
>>-can_network(howl_t)
>>+can_network_server(howl_t)
>> can_ypbind(howl_t)
>> allow howl_t self:capability { kill net_admin };
>> 
>>    
>>
>
>I used:
>-allow howl_t proc_t:file { getattr read };
>-can_network(howl_t)
>+allow howl_t proc_net_t:dir search;
>+allow howl_t proc_net_t:file {getattr read };
>+can_network_server(howl_t)
>
><snip>
>  
>
>>diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.19.7/macros/program/ssh_macros.te
>>--- nsapolicy/macros/program/ssh_macros.te	2004-11-30 05:59:40.000000000 -0500
>>+++ policy-1.19.7/macros/program/ssh_macros.te	2004-11-30 06:18:45.000000000 -0500
>>@@ -82,7 +82,7 @@
>> 
>> # Grant permissions needed to create TCP and UDP sockets and
>> # to access the network.
>>-can_network($1_ssh_t)
>>+can_network_client_tcp($1_ssh_t)
>> can_ypbind($1_ssh_t)
>> 
>> # Use capabilities.
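Review bot: `can_network_client_tcp($1_ssh_t)` drops UDP entirely, but the ssh client still needs UDP for the resolver, which is why the merge below had to add a bare `allow user_ssh_t self:udp_socket create`. Pair the TCP-only macro with can_resolve() (as the thread later settles on) instead of re-adding an unrestricted udp_socket create, and update the comment "Grant permissions needed to create TCP and UDP sockets", which no longer describes the rule beneath it.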
>>    
>>
>
>I used can_network_client() instead.
>
>The following was needed by ssh during my normal usage of it (like
>updating the CVS tree on sourceforge.)
>
>allow user_ssh_t self:udp_socket create
>
>  
>
I think this is caused by the resolver.  This is why I would like to get to the point
of using can_resolve() where we specify the exact port that you can connect to.

Dan


^ permalink raw reply	[flat|nested] 64+ messages in thread

* Re: Reissue previous patch
  2004-12-02 14:16                           ` Daniel J Walsh
@ 2004-12-02 15:51                             ` Stephen Smalley
  2004-12-02 18:35                               ` Daniel J Walsh
  2004-12-02 17:51                             ` James Carter
  1 sibling, 1 reply; 64+ messages in thread
From: Stephen Smalley @ 2004-12-02 15:51 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Jim Carter, SELinux

On Thu, 2004-12-02 at 09:16, Daniel J Walsh wrote:
> I think this is caused by the resolver.  This is why I would like to get 
> to the point of using
> can_resolve() where we specify the exact port that you can connect to.

Aren't the udp_socket send_msg/recv_msg permissions sufficient for this
purpose (check is between the socket context and the remote port
context), i.e. you can say that it can only send_msg/recv_msg to
dns_port_t:udp_socket?

Likewise, in what cases is it not sufficient to use the tcp_socket
send_msg/recv_msg permissions (i.e. when do you truly need the separate
name_connect permission check that you proposed earlier)?

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



^ permalink raw reply	[flat|nested] 64+ messages in thread

* Re: Reissue previous patch
  2004-12-02 14:16                           ` Daniel J Walsh
  2004-12-02 15:51                             ` Stephen Smalley
@ 2004-12-02 17:51                             ` James Carter
  2004-12-02 19:27                               ` Latest patch Daniel J Walsh
  1 sibling, 1 reply; 64+ messages in thread
From: James Carter @ 2004-12-02 17:51 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

On Thu, 2004-12-02 at 09:16, Daniel J Walsh wrote:
> James Carter wrote:
> 
<snip>
> >>diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.19.7/macros/program/ssh_macros.te
> >>--- nsapolicy/macros/program/ssh_macros.te	2004-11-30 05:59:40.000000000 -0500
> >>+++ policy-1.19.7/macros/program/ssh_macros.te	2004-11-30 06:18:45.000000000 -0500
> >>@@ -82,7 +82,7 @@
> >> 
> >> # Grant permissions needed to create TCP and UDP sockets and
> >> # to access the network.
> >>-can_network($1_ssh_t)
> >>+can_network_client_tcp($1_ssh_t)
> >> can_ypbind($1_ssh_t)
> >> 
> >> # Use capabilities.
> >>    
> >>
> >
> >I used can_network_client() instead.
> >
> >The following was needed by ssh during my normal usage of it (like
> >updating the CVS tree on sourceforge.)
> >
> >allow user_ssh_t self:udp_socket create
> >
> >  
> >
> I think this is caused by the resolver.  This is why I would like to get 
> to the point of using
> can_resolve() where we specify the exact port that you can connect to.

You're right.  I changed it to use can_network_client_tcp() and
can_resolve().

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


^ permalink raw reply	[flat|nested] 64+ messages in thread

* Re: Reissue previous patch
  2004-12-02 15:51                             ` Stephen Smalley
@ 2004-12-02 18:35                               ` Daniel J Walsh
  0 siblings, 0 replies; 64+ messages in thread
From: Daniel J Walsh @ 2004-12-02 18:35 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Jim Carter, SELinux

Stephen Smalley wrote:

>On Thu, 2004-12-02 at 09:16, Daniel J Walsh wrote:
>  
>
>>I think this is caused by the resolver.  This is why I would like to get 
>>to the point of using
>>can_resolve() where we specify the exact port that you can connect to.
>>    
>>
>
>Aren't the udp_socket send_msg/recv_msg permissions sufficient for this
>purpose (check is between the socket context and the remote port
>context), i.e. you can say that it can only send_msg/recv_msg to
>dns_port_t:udp_socket?
>
>Likewise, in what cases is it not sufficient to use the tcp_socket
>send_msg/recv_msg permissions (i.e. when do you truly need the separate
>name_connect permission check that you proposed earlier)?
>
>  
>
I think you get into a problem where you are required to act as both a
server and a client.  You end up with a server rule saying that you can only
receive packets from port 123, when you want to receive from anywhere but
only send to 123, or you end up with the ability to send/receive anywhere
and this overrides the ability to only connect to 123.
 


^ permalink raw reply	[flat|nested] 64+ messages in thread
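An added illustration of the conflict described in the exchange above, written in the example-policy language of the time. It is not a fragment from any patch in this thread; `mydaemon_t`, `mydaemon_port_t` and the `name_connect` rule are assumptions (name_connect is only proposed in the thread), while `dns_port_t`, the `port_type` attribute and `create_socket_perms` are taken as existing in the policy. The domain must answer UDP clients on its own port (server role) and also query DNS (client role).

```selinux
# Added example, not from the thread.  mydaemon_t / mydaemon_port_t are
# hypothetical names; dns_port_t, port_type and create_socket_perms are
# assumed to exist in the example policy.

# Socket creation and binding the service's own port (server role).
allow mydaemon_t self:udp_socket create_socket_perms;
allow mydaemon_t mydaemon_port_t:udp_socket name_bind;

# Attempt 1: confine the client role by peer port type, i.e. only the
# DNS port may be talked to.
allow mydaemon_t dns_port_t:udp_socket { send_msg recv_msg };

# But the server role must receive requests from, and send replies to,
# arbitrary ephemeral client ports, so it also needs send_msg/recv_msg
# against every port type.  This rule subsumes the DNS-only rule above:
# the intended "DNS only" restriction on the client role is gone.
allow mydaemon_t port_type:udp_socket { send_msg recv_msg };

# Attempt 2: a check tied to the act of connecting rather than to each
# datagram (the name_connect permission proposed in the thread, here for
# TCP).  The two roles no longer collide:
#   server role: bind only to its own port (name_bind above)
#   client role: connect only to the DNS port
allow mydaemon_t dns_port_t:tcp_socket name_connect;
```

Because send_msg and recv_msg are checked per message against the peer port's type, any server that answers unprivileged clients needs them for every port type, and a narrower rule for one destination adds nothing once the broad rule is present. A connect-time check keyed on the destination port type is what lets the same domain bind one port as a server yet connect to only one port as a client.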

* Latest patch
  2004-12-02 17:51                             ` James Carter
@ 2004-12-02 19:27                               ` Daniel J Walsh
  2004-12-03 13:40                                 ` James Carter
  0 siblings, 1 reply; 64+ messages in thread
From: Daniel J Walsh @ 2004-12-02 19:27 UTC (permalink / raw)
  To: jwcart2; +Cc: SELinux

[-- Attachment #1: Type: text/plain, Size: 398 bytes --]

Allow bootloader to run exec_type, so it can pick up consoletype.

Allow initrc to cleanup ptal runtime files in init scripts

Add file contexts for bin_t files in the /usr partition.

Fix policy so htdig will work

Make changes so ipx_interface and friends will run (although I need help 
on this stuff since I don't have access to an IPX network, nor do
I want to :*)

Fix console and java labeling

[-- Attachment #2: policy-20041202.patch --]
[-- Type: text/x-patch, Size: 7488 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.19.8/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2004-11-29 10:24:17.000000000 -0500
+++ policy-1.19.8/domains/program/unused/apache.te	2004-11-30 16:54:39.000000000 -0500
@@ -332,3 +332,6 @@
 ')
 allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write };
 }
+
+read_sysctl(httpd_sys_script_t)
+allow httpd_sys_script_t var_lib_t:dir search;
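Review bot: the two new rules are appended unconditionally after the closing `}` with no comment saying which CGI script needs them; the htdig work mentioned in the cover text (and the /var/lib/htdig entry in the apache.fc hunk) is presumably the reason for `var_lib_t:dir search`, so record that. Also check that read_sysctl(), which grants read access across the sysctl types rather than to one specific sysctl, is not wider than what the script actually reads.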
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bootloader.te policy-1.19.8/domains/program/unused/bootloader.te
--- nsapolicy/domains/program/unused/bootloader.te	2004-11-05 23:24:16.000000000 -0500
+++ policy-1.19.8/domains/program/unused/bootloader.te	2004-12-01 10:54:10.000000000 -0500
@@ -58,7 +58,7 @@
 # uncomment the following line if you use "lilo -p"
 #file_type_auto_trans(bootloader_t, etc_t, bootloader_etc_t, file);
 
-can_exec(bootloader_t, { bootloader_exec_t shell_exec_t ls_exec_t bin_t sbin_t })
+can_exec_any(bootloader_t)
 allow bootloader_t shell_exec_t:lnk_file read;
 allow bootloader_t { bin_t sbin_t }:dir search;
 allow bootloader_t { bin_t sbin_t }:lnk_file read;
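Review bot: `+can_exec_any(bootloader_t)` replaces an explicit list of five executable types with permission to execute every exec_type, a least-privilege regression made to pick up one binary (consoletype, per the cover text). Prefer adding consoletype's executable type to the existing can_exec() list; if that binary is already labelled bin_t, the old rule covered it and the change is unnecessary.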
@@ -131,14 +131,6 @@
 allow bootloader_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
 allow bootloader_t initrc_t:fifo_file { read write };
 
-ifdef(`distro_debian', `
-# for making an initrd
-can_exec(bootloader_t, mount_exec_t)
-ifdef(`chroot.te', `
-can_exec(bootloader_t, chroot_exec_t)
-')dnl end chroot.te
-')dnl end distro_debian
-
 # for reading BIOS data
 allow bootloader_t memory_device_t:chr_file r_file_perms;
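Review bot: deleting the distro_debian block (can_exec of mount_exec_t and chroot_exec_t "for making an initrd") is only safe because the first hunk grants can_exec_any(); if that broader rule is later narrowed back to a list, Debian's initrd creation in bootloader_t breaks with nothing pointing at why. Either keep the block or leave a comment tying its removal to can_exec_any().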
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.19.8/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2004-12-02 14:11:41.692784006 -0500
+++ policy-1.19.8/domains/program/unused/cups.te	2004-12-02 13:44:06.204217215 -0500
@@ -157,6 +157,9 @@
 allow cupsd_t ptal_var_run_t:dir search;
 dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
 
+allow initrc_t ptal_var_run_t:dir rmdir;
+allow initrc_t ptal_var_run_t:fifo_file unlink;
+
 dontaudit cupsd_t selinux_config_t:dir search;
 dontaudit cupsd_t selinux_config_t:file { getattr read };
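Review bot: `+allow initrc_t ptal_var_run_t:fifo_file unlink` will still be denied unless initrc_t also has `remove_name` (and `write`) on the ptal_var_run_t directory containing the fifo, and `rmdir` of that directory needs `remove_name` on its parent; only `dir rmdir` is granted here. Unless those are covered elsewhere, this hunk does not finish the "cleanup ptal runtime files" goal. A comment naming the init script that does the cleanup would also help, since initrc_t rules living in cups.te are easy to miss.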
 
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.19.8/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.8/file_contexts/distros.fc	2004-12-01 16:26:58.000000000 -0500
@@ -31,6 +31,9 @@
 /usr/share/pydict/pydict\.py	--	system_u:object_r:bin_t
 /usr/share/cvs/contrib/rcs2log	--	system_u:object_r:bin_t
 /usr/share/pwlib/make/ptlib-config --	system_u:object_r:bin_t
+/usr/share/texmf/web2c/mktexdir	--	system_u:object_r:bin_t
+/usr/share/texmf/web2c/mktexnam	--	system_u:object_r:bin_t
+/usr/share/texmf/web2c/mktexupd	--	system_u:object_r:bin_t
 ')
 
 ifdef(`distro_suse', `
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.19.8/file_contexts/program/apache.fc
--- nsapolicy/file_contexts/program/apache.fc	2004-11-20 22:29:09.000000000 -0500
+++ policy-1.19.8/file_contexts/program/apache.fc	2004-11-30 16:49:58.000000000 -0500
@@ -40,3 +40,6 @@
 ')
 /var/lib/squirrelmail/prefs(/.*)?	system_u:object_r:httpd_squirrelmail_t
 /usr/bin/htsslpass --	system_u:object_r:httpd_helper_exec_t
+/usr/share/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
+/var/lib/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
+/etc/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
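Review bot: labelling /etc/htdig and /var/lib/htdig as httpd_sys_content_t treats configuration and the search database as static web content. If the htdig indexer writes its database under /var/lib/htdig, a read-only content type will deny that when indexing runs from a script domain, and /etc/htdig is configuration, not something to serve. Consider a read-write script type for the index and a configuration type for /etc/htdig, leaving only /usr/share/htdig (the static files) as content.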
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ifconfig.fc policy-1.19.8/file_contexts/program/ifconfig.fc
--- nsapolicy/file_contexts/program/ifconfig.fc	2004-11-19 11:20:43.000000000 -0500
+++ policy-1.19.8/file_contexts/program/ifconfig.fc	2004-12-01 09:01:45.000000000 -0500
@@ -7,3 +7,6 @@
 /bin/ip			--	system_u:object_r:ifconfig_exec_t
 /sbin/ethtool		--	system_u:object_r:ifconfig_exec_t
 /sbin/mii-tool		--	system_u:object_r:ifconfig_exec_t
+/sbin/ipx_interface	--	system_u:object_r:ifconfig_exec_t
+/sbin/ipx_configure	--	system_u:object_r:ifconfig_exec_t
+/sbin/ipx_internal_net	--	system_u:object_r:ifconfig_exec_t
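Review bot: the cover text says these IPX tools could not be exercised, so add a comment next to the three ipx_* entries saying they are untested. ifconfig_exec_t is the right family for interface-configuration tools, but the ifconfig_t domain's socket rules were written for IP and may need extending once someone with an IPX network can run them.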
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.19.8/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc	2004-12-02 14:11:43.377594270 -0500
+++ policy-1.19.8/file_contexts/types.fc	2004-12-02 13:27:20.530471384 -0500
@@ -139,6 +139,9 @@
 /u?dev/cu.*		-c	system_u:object_r:tty_device_t
 /u?dev/vcs[^/]*		-c	system_u:object_r:tty_device_t
 /u?dev/ip2[^/]*		-c	system_u:object_r:tty_device_t
+/u?dev/hvc.*		-c	system_u:object_r:tty_device_t
+/u?dev/hvsi.*		-c	system_u:object_r:tty_device_t
+/u?dev/ttySG.*		-c	system_u:object_r:tty_device_t
 /u?dev/tty		-c	system_u:object_r:devtty_t
 /dev/lp.*		-c	system_u:object_r:printer_device_t
 /dev/par.*		-c	system_u:object_r:printer_device_t
@@ -334,6 +337,9 @@
 /usr(/.*)?			system_u:object_r:usr_t
 /usr(/.*)?/lib(64)?(/.*)?	system_u:object_r:lib_t
 /usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
+/usr(/.*)?/java/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
+/usr(/.*)?/java/.*\.jar	--	system_u:object_r:shlib_t
+/usr(/.*)?/java/.*\.jsa	--	system_u:object_r:shlib_t
 /usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
 /usr(/.*)?/bin(/.*)?		system_u:object_r:bin_t
 /usr(/.*)?/Bin(/.*)?		system_u:object_r:bin_t
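Review bot: `.jar` and `.jsa` files are not shared objects, yet these entries put them in shlib_t, the type for mappable library code that essentially every domain may read and map; the cover text says only "Fix ... java labeling". Add a comment stating why the JVM needs them in shlib_t rather than lib_t or usr_t, since the choice widens what any domain with shlib_t execute rights can load.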
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.19.8/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2004-12-02 14:11:43.625566345 -0500
+++ policy-1.19.8/macros/program/mozilla_macros.te	2004-12-02 13:39:30.762236174 -0500
@@ -98,6 +98,7 @@
 dontaudit $1_mozilla_t boot_t:dir getattr;
 ifdef(`cups.te', `
 allow $1_mozilla_t cupsd_etc_t:dir search;
+allow $1_mozilla_t cupsd_rw_etc_t:file { getattr read };
 ')
 allow $1_mozilla_t $1_t:tcp_socket { read write };
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.19.8/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-20 13:57:29.000000000 -0400
+++ policy-1.19.8/tunables/distro.tun	2004-11-30 16:17:10.000000000 -0500
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
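Review bot: turning `define(`distro_redhat')` on in the shared tunables file changes the default for everyone who builds from this tree, so SUSE, Debian and generic builds pick up Red Hat-specific rules unless they remember to turn it off. A vendor default belongs in the vendor's own build or package, not in the upstream tunable; leave it `dnl`'d here.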
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.19.8/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-11-09 13:35:13.000000000 -0500
+++ policy-1.19.8/tunables/tunable.tun	2004-11-30 16:17:10.000000000 -0500
@@ -2,10 +2,10 @@
 dnl define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
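Review bot: enabling unlimitedRPM and unlimitedUtils by default runs rpm, hotplug and insmod unconfined in every build of this tree, removing confinement exactly around package installation and kernel-module loading. If the distribution needs them on, set them in its own build rather than in the upstream default, and the cover text should call out this weakening rather than listing only labelling fixes.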
@@ -17,11 +17,11 @@
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
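Review bot: `define(`user_canbe_sysadm')` lets user_r reach sysadm_r via su, sudo or userhelper, the separation the comment above says otherwise belongs to staff_r alone, and `hide_broken_symptoms` suppresses audit of known-broken behaviour globally. Both are defensible as a distribution choice but not as upstream defaults; move them to the vendor build, and keep hide_broken_symptoms off while policy is being debugged on this list, since the denials it hides are the ones being reported here.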

^ permalink raw reply	[flat|nested] 64+ messages in thread

* Re: Latest patch
  2004-12-02 19:27                               ` Latest patch Daniel J Walsh
@ 2004-12-03 13:40                                 ` James Carter
  0 siblings, 0 replies; 64+ messages in thread
From: James Carter @ 2004-12-03 13:40 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

Merged.

On Thu, 2004-12-02 at 14:27, Daniel J Walsh wrote:
> Allow bootloader to run exec_type, so it can pick up consoletype.
> 
> Allow initrc to cleanup ptal runtime files in init scripts
> 
> Add file contexts for bin_t files in the /usr partition.
> 
> Fix policy so htdig will work
> 
> Make changes so ipx_interface and friends will run (although I need help 
> on this stuff since I don't have access to an IPX network, nor do
> I want to :*)
> 
> Fix console and java labeling
> 
> ______________________________________________________________________
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.19.8/domains/program/unused/apache.te
> --- nsapolicy/domains/program/unused/apache.te	2004-11-29 10:24:17.000000000 -0500
> +++ policy-1.19.8/domains/program/unused/apache.te	2004-11-30 16:54:39.000000000 -0500
> @@ -332,3 +332,6 @@
>  ')
>  allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write };
>  }
> +
> +read_sysctl(httpd_sys_script_t)
> +allow httpd_sys_script_t var_lib_t:dir search;
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bootloader.te policy-1.19.8/domains/program/unused/bootloader.te
> --- nsapolicy/domains/program/unused/bootloader.te	2004-11-05 23:24:16.000000000 -0500
> +++ policy-1.19.8/domains/program/unused/bootloader.te	2004-12-01 10:54:10.000000000 -0500
> @@ -58,7 +58,7 @@
>  # uncomment the following line if you use "lilo -p"
>  #file_type_auto_trans(bootloader_t, etc_t, bootloader_etc_t, file);
>  
> -can_exec(bootloader_t, { bootloader_exec_t shell_exec_t ls_exec_t bin_t sbin_t })
> +can_exec_any(bootloader_t)
>  allow bootloader_t shell_exec_t:lnk_file read;
>  allow bootloader_t { bin_t sbin_t }:dir search;
>  allow bootloader_t { bin_t sbin_t }:lnk_file read;
> @@ -131,14 +131,6 @@
>  allow bootloader_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
>  allow bootloader_t initrc_t:fifo_file { read write };
>  
> -ifdef(`distro_debian', `
> -# for making an initrd
> -can_exec(bootloader_t, mount_exec_t)
> -ifdef(`chroot.te', `
> -can_exec(bootloader_t, chroot_exec_t)
> -')dnl end chroot.te
> -')dnl end distro_debian
> -
>  # for reading BIOS data
>  allow bootloader_t memory_device_t:chr_file r_file_perms;
>  
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.19.8/domains/program/unused/cups.te
> --- nsapolicy/domains/program/unused/cups.te	2004-12-02 14:11:41.692784006 -0500
> +++ policy-1.19.8/domains/program/unused/cups.te	2004-12-02 13:44:06.204217215 -0500
> @@ -157,6 +157,9 @@
>  allow cupsd_t ptal_var_run_t:dir search;
>  dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
>  
> +allow initrc_t ptal_var_run_t:dir rmdir;
> +allow initrc_t ptal_var_run_t:fifo_file unlink;
> +
>  dontaudit cupsd_t selinux_config_t:dir search;
>  dontaudit cupsd_t selinux_config_t:file { getattr read };
>  
> diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.19.8/file_contexts/distros.fc
> --- nsapolicy/file_contexts/distros.fc	2004-11-20 22:29:09.000000000 -0500
> +++ policy-1.19.8/file_contexts/distros.fc	2004-12-01 16:26:58.000000000 -0500
> @@ -31,6 +31,9 @@
>  /usr/share/pydict/pydict\.py	--	system_u:object_r:bin_t
>  /usr/share/cvs/contrib/rcs2log	--	system_u:object_r:bin_t
>  /usr/share/pwlib/make/ptlib-config --	system_u:object_r:bin_t
> +/usr/share/texmf/web2c/mktexdir	--	system_u:object_r:bin_t
> +/usr/share/texmf/web2c/mktexnam	--	system_u:object_r:bin_t
> +/usr/share/texmf/web2c/mktexupd	--	system_u:object_r:bin_t
>  ')
>  
>  ifdef(`distro_suse', `
> diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.19.8/file_contexts/program/apache.fc
> --- nsapolicy/file_contexts/program/apache.fc	2004-11-20 22:29:09.000000000 -0500
> +++ policy-1.19.8/file_contexts/program/apache.fc	2004-11-30 16:49:58.000000000 -0500
> @@ -40,3 +40,6 @@
>  ')
>  /var/lib/squirrelmail/prefs(/.*)?	system_u:object_r:httpd_squirrelmail_t
>  /usr/bin/htsslpass --	system_u:object_r:httpd_helper_exec_t
> +/usr/share/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
> +/var/lib/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
> +/etc/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
> diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ifconfig.fc policy-1.19.8/file_contexts/program/ifconfig.fc
> --- nsapolicy/file_contexts/program/ifconfig.fc	2004-11-19 11:20:43.000000000 -0500
> +++ policy-1.19.8/file_contexts/program/ifconfig.fc	2004-12-01 09:01:45.000000000 -0500
> @@ -7,3 +7,6 @@
>  /bin/ip			--	system_u:object_r:ifconfig_exec_t
>  /sbin/ethtool		--	system_u:object_r:ifconfig_exec_t
>  /sbin/mii-tool		--	system_u:object_r:ifconfig_exec_t
> +/sbin/ipx_interface	--	system_u:object_r:ifconfig_exec_t
> +/sbin/ipx_configure	--	system_u:object_r:ifconfig_exec_t
> +/sbin/ipx_internal_net	--	system_u:object_r:ifconfig_exec_t
> diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.19.8/file_contexts/types.fc
> --- nsapolicy/file_contexts/types.fc	2004-12-02 14:11:43.377594270 -0500
> +++ policy-1.19.8/file_contexts/types.fc	2004-12-02 13:27:20.530471384 -0500
> @@ -139,6 +139,9 @@
>  /u?dev/cu.*		-c	system_u:object_r:tty_device_t
>  /u?dev/vcs[^/]*		-c	system_u:object_r:tty_device_t
>  /u?dev/ip2[^/]*		-c	system_u:object_r:tty_device_t
> +/u?dev/hvc.*		-c	system_u:object_r:tty_device_t
> +/u?dev/hvsi.*		-c	system_u:object_r:tty_device_t
> +/u?dev/ttySG.*		-c	system_u:object_r:tty_device_t
>  /u?dev/tty		-c	system_u:object_r:devtty_t
>  /dev/lp.*		-c	system_u:object_r:printer_device_t
>  /dev/par.*		-c	system_u:object_r:printer_device_t
> @@ -334,6 +337,9 @@
>  /usr(/.*)?			system_u:object_r:usr_t
>  /usr(/.*)?/lib(64)?(/.*)?	system_u:object_r:lib_t
>  /usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
> +/usr(/.*)?/java/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
> +/usr(/.*)?/java/.*\.jar	--	system_u:object_r:shlib_t
> +/usr(/.*)?/java/.*\.jsa	--	system_u:object_r:shlib_t
>  /usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
>  /usr(/.*)?/bin(/.*)?		system_u:object_r:bin_t
>  /usr(/.*)?/Bin(/.*)?		system_u:object_r:bin_t
> diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.19.8/macros/program/mozilla_macros.te
> --- nsapolicy/macros/program/mozilla_macros.te	2004-12-02 14:11:43.625566345 -0500
> +++ policy-1.19.8/macros/program/mozilla_macros.te	2004-12-02 13:39:30.762236174 -0500
> @@ -98,6 +98,7 @@
>  dontaudit $1_mozilla_t boot_t:dir getattr;
>  ifdef(`cups.te', `
>  allow $1_mozilla_t cupsd_etc_t:dir search;
> +allow $1_mozilla_t cupsd_rw_etc_t:file { getattr read };
>  ')
>  allow $1_mozilla_t $1_t:tcp_socket { read write };
>  
> diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.19.8/tunables/distro.tun
> --- nsapolicy/tunables/distro.tun	2004-08-20 13:57:29.000000000 -0400
> +++ policy-1.19.8/tunables/distro.tun	2004-11-30 16:17:10.000000000 -0500
> @@ -5,7 +5,7 @@
>  # appropriate ifdefs.
>  
> 
> -dnl define(`distro_redhat')
> +define(`distro_redhat')
>  
>  dnl define(`distro_suse')
>  
> diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.19.8/tunables/tunable.tun
> --- nsapolicy/tunables/tunable.tun	2004-11-09 13:35:13.000000000 -0500
> +++ policy-1.19.8/tunables/tunable.tun	2004-11-30 16:17:10.000000000 -0500
> @@ -2,10 +2,10 @@
>  dnl define(`user_can_mount')
>  
>  # Allow rpm to run unconfined.
> -dnl define(`unlimitedRPM')
> +define(`unlimitedRPM')
>  
>  # Allow privileged utilities like hotplug and insmod to run unconfined.
> -dnl define(`unlimitedUtils')
> +define(`unlimitedUtils')
>  
>  # Allow rc scripts to run unconfined, including any daemon
>  # started by an rc script that does not have a domain transition
> @@ -17,11 +17,11 @@
>  
>  # Do not audit things that we know to be broken but which
>  # are not security risks
> -dnl define(`hide_broken_symptoms')
> +define(`hide_broken_symptoms')
>  
>  # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
>  # Otherwise, only staff_r can do so.
> -dnl define(`user_canbe_sysadm')
> +define(`user_canbe_sysadm')
>  
>  # Allow xinetd to run unconfined, including any services it starts
>  # that do not have a domain transition explicitly defined.
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


^ permalink raw reply	[flat|nested] 64+ messages in thread

* Re: can_network patch.
  2004-11-24 16:54                       ` Daniel J Walsh
@ 2004-12-10 15:43                         ` Stephen Smalley
  2004-12-10 17:06                           ` Daniel J Walsh
  0 siblings, 1 reply; 64+ messages in thread
From: Stephen Smalley @ 2004-12-10 15:43 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Jim Carter, Russell Coker, Thomas Bleher, SELinux

On Wed, 2004-11-24 at 11:54, Daniel J Walsh wrote:
> Stephen Smalley wrote:
> >Sorry, why would you want to allow mozilla to run userhelper? 
> >
> system-config-packages

I can run system-config-packages here on FC3 without this domain
transition defined, and I don't see how mozilla factors into it.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



^ permalink raw reply	[flat|nested] 64+ messages in thread

* Re: can_network patch.
  2004-12-10 15:43                         ` Stephen Smalley
@ 2004-12-10 17:06                           ` Daniel J Walsh
  2004-12-10 17:10                             ` Stephen Smalley
  0 siblings, 1 reply; 64+ messages in thread
From: Daniel J Walsh @ 2004-12-10 17:06 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Jim Carter, Russell Coker, Thomas Bleher, SELinux

Stephen Smalley wrote:

>On Wed, 2004-11-24 at 11:54, Daniel J Walsh wrote:
>  
>
>>Stephen Smalley wrote:
>>    
>>
>>>Sorry, why would you want to allow mozilla to run userhelper? 
>>>
>>>      
>>>
>>system-config-packages
>>    
>>
>
>I can run system-config-packages here on FC3 without this domain
>transition defined, and I don't see how mozilla factors into it.
>
>  
>
When installing a package within firefox, it attempts to exec 
system-config-packages, which blows up because
*_mozilla_t cannot run userhelper apps.



^ permalink raw reply	[flat|nested] 64+ messages in thread

* Re: can_network patch.
  2004-12-10 17:06                           ` Daniel J Walsh
@ 2004-12-10 17:10                             ` Stephen Smalley
  2004-12-10 18:01                               ` Daniel J Walsh
  0 siblings, 1 reply; 64+ messages in thread
From: Stephen Smalley @ 2004-12-10 17:10 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Jim Carter, Russell Coker, Thomas Bleher, SELinux

On Fri, 2004-12-10 at 12:06, Daniel J Walsh wrote:
> When installing a package within firefox, it attemps to exec 
> system-config-packages which blows up because
> *-mozilla-t can not run userhelper apps.

Installing a package within firefox?  If you are talking about something
firefox downloaded, then why does it use system-config-packages?  And I
would expect that you would end up installing any such packages local to
the user's home directory at most (and even then only if policy allows
writing to it), not on a system-wide basis.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



^ permalink raw reply	[flat|nested] 64+ messages in thread

* Re: can_network patch.
  2004-12-10 17:10                             ` Stephen Smalley
@ 2004-12-10 18:01                               ` Daniel J Walsh
  2004-12-10 18:02                                 ` Stephen Smalley
  2004-12-10 18:11                                 ` Russell Coker
  0 siblings, 2 replies; 64+ messages in thread
From: Daniel J Walsh @ 2004-12-10 18:01 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Jim Carter, Russell Coker, Thomas Bleher, SELinux

Stephen Smalley wrote:

>On Fri, 2004-12-10 at 12:06, Daniel J Walsh wrote:
>  
>
>>When installing a package within firefox, it attemps to exec 
>>system-config-packages which blows up because
>>*-mozilla-t can not run userhelper apps.
>>    
>>
>
>Installing a package within firefox?  If you are talking about something
>firefox downloaded, then why does it use system-config-packages?  And I
>would expect that you would end up installing any such packages local to
>the user's home directory at most (and even then only if policy allows
>writing to it), not on a system-wide basis.
>
>  
>
You can trigger it by executing
 firefox selinux-policy-strict-1.19.12-1.src.rpm



^ permalink raw reply	[flat|nested] 64+ messages in thread

* Re: can_network patch.
  2004-12-10 18:01                               ` Daniel J Walsh
@ 2004-12-10 18:02                                 ` Stephen Smalley
  2004-12-10 18:13                                   ` Daniel J Walsh
  2004-12-10 18:11                                 ` Russell Coker
  1 sibling, 1 reply; 64+ messages in thread
From: Stephen Smalley @ 2004-12-10 18:02 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Jim Carter, Russell Coker, Thomas Bleher, SELinux

On Fri, 2004-12-10 at 13:01, Daniel J Walsh wrote:
> You can trigger it by executing
>  firefox selinux-policy-strict-1.19.12-1.src.rpm

Ok, but why would I want to do that?  Does firefox do that automatically
for downloads?

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



^ permalink raw reply	[flat|nested] 64+ messages in thread

* Re: can_network patch.
  2004-12-10 18:01                               ` Daniel J Walsh
  2004-12-10 18:02                                 ` Stephen Smalley
@ 2004-12-10 18:11                                 ` Russell Coker
  2004-12-10 19:11                                   ` Thomas Bleher
  2004-12-10 21:01                                   ` Valdis.Kletnieks
  1 sibling, 2 replies; 64+ messages in thread
From: Russell Coker @ 2004-12-10 18:11 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Stephen Smalley, Jim Carter, Thomas Bleher, SELinux

On Saturday 11 December 2004 05:01, Daniel J Walsh <dwalsh@redhat.com> wrote:
> Stephen Smalley wrote:
> >On Fri, 2004-12-10 at 12:06, Daniel J Walsh wrote:
> >>When installing a package within firefox, it attemps to exec
> >>system-config-packages which blows up because
> >>*-mozilla-t can not run userhelper apps.
> >
> >Installing a package within firefox?  If you are talking about something
> >firefox downloaded, then why does it use system-config-packages?  And I
> >would expect that you would end up installing any such packages local to
> >the user's home directory at most (and even then only if policy allows
> >writing to it), not on a system-wide basis.
>
> You can trigger it by executing
>  firefox selinux-policy-strict-1.19.12-1.src.rpm

We have mozilla running in its own domain to limit the risk of exploits of 
mozilla taking over the rest of the system.  Allowing mozilla to install 
packages seems to directly contradict this aim.

Maybe we should just remove the mozilla policy?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


^ permalink raw reply	[flat|nested] 64+ messages in thread

* Re: can_network patch.
  2004-12-10 18:02                                 ` Stephen Smalley
@ 2004-12-10 18:13                                   ` Daniel J Walsh
  0 siblings, 0 replies; 64+ messages in thread
From: Daniel J Walsh @ 2004-12-10 18:13 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Jim Carter, Russell Coker, Thomas Bleher, SELinux

Stephen Smalley wrote:

>On Fri, 2004-12-10 at 13:01, Daniel J Walsh wrote:
>  
>
>>You can trigger it by executing
>> firefox selinux-policy-strict-1.19.12-1.src.rpm
>>    
>>
>
>Ok, but why would I want to do that?  Does firefox do that automatically
>for downloads?
>
>  
>
No.  It seems to happen if someone emails you an rpm; it actually is 
probably bad behavior.
I am going to talk to the desktop team and see what their ideas are.




* Re: can_network patch.
  2004-12-10 18:11                                 ` Russell Coker
@ 2004-12-10 19:11                                   ` Thomas Bleher
  2004-12-10 20:23                                     ` James Carter
  2004-12-10 21:39                                     ` Valdis.Kletnieks
  2004-12-10 21:01                                   ` Valdis.Kletnieks
  1 sibling, 2 replies; 64+ messages in thread
From: Thomas Bleher @ 2004-12-10 19:11 UTC (permalink / raw)
  To: Russell Coker; +Cc: Daniel J Walsh, Stephen Smalley, Jim Carter, SELinux

* Russell Coker <russell@coker.com.au> [2004-12-10 20:04]:
> On Saturday 11 December 2004 05:01, Daniel J Walsh <dwalsh@redhat.com> wrote:
> > Stephen Smalley wrote:
> > >On Fri, 2004-12-10 at 12:06, Daniel J Walsh wrote:
> > >>When installing a package within firefox, it attempts to exec
> > >>system-config-packages which blows up because
> > >>*-mozilla-t can not run userhelper apps.
> > >
> > >Installing a package within firefox?  If you are talking about something
> > >firefox downloaded, then why does it use system-config-packages?  And I
> > >would expect that you would end up installing any such packages local to
> > >the user's home directory at most (and even then only if policy allows
> > >writing to it), not on a system-wide basis.
> >
> > You can trigger it by executing
> >  firefox selinux-policy-strict-1.19.12-1.src.rpm
> 
> We have mozilla running in its own domain to limit the risk of exploits of 
> mozilla taking over the rest of the system.  Allowing mozilla to install 
> packages seems to directly contradict this aim.
> 
> Maybe we should just remove the mozilla policy?

Or add a boolean to control the transition from the userdomain to
mozilla. Then we can have a locked down policy for people who just want
to securely browse the web. People who want all the bells and whistles
can turn the transition off at the cost of higher exposure.

Thomas

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA  D09E C562 2BAE B2F4 ABE7
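
What a boolean-gated transition of the kind Thomas proposes would look like in the example-policy syntax of the time. This is an added illustration, not code from the thread or from any policy tree: the boolean name mozilla_domain_transition is made up, and user_t, mozilla_exec_t and user_mozilla_t are assumed to follow the example policy's naming for the user domain, the browser executable type and the per-user browser domain. domain_auto_trans and can_exec are the example policy's m4 macros; the first emits the execute, entrypoint and type_transition rules for an automatic domain change, the second allows execution without a domain change.

```selinux
# Added example: gate the user_t -> user_mozilla_t transition on a boolean.
# Assumed names: mozilla_domain_transition (new boolean), user_t,
# mozilla_exec_t, user_mozilla_t (example-policy style naming).

# Default on: the browser runs in its own, locked-down domain.
bool mozilla_domain_transition true;

if (mozilla_domain_transition) {
# Execute mozilla_exec_t from user_t and switch into user_mozilla_t.
# The macro expands to the execute/entrypoint/transition allow rules
# plus the type_transition rule that makes the change automatic.
domain_auto_trans(user_t, mozilla_exec_t, user_mozilla_t)
} else {
# Transition disabled: the browser keeps running as user_t with the
# user's full access, which is the "bells and whistles" trade-off.
can_exec(user_t, mozilla_exec_t)
}
```

The boolean is flipped at run time with `setsebool -P mozilla_domain_transition false` (`-P` makes the setting persist). Both branches are compiled into the policy whatever the boolean's current value, so anything that reasons about the policy statically has to treat the rules of either branch as reachable.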


* Re: can_network patch.
  2004-12-10 19:11                                   ` Thomas Bleher
@ 2004-12-10 20:23                                     ` James Carter
  2004-12-10 21:39                                     ` Valdis.Kletnieks
  1 sibling, 0 replies; 64+ messages in thread
From: James Carter @ 2004-12-10 20:23 UTC (permalink / raw)
  To: Thomas Bleher; +Cc: Russell Coker, Daniel J Walsh, Stephen Smalley, SELinux

For now I removed the user_helper stuff in mozilla_macros.te.  It causes
a compile error if the user_canbe_sysadm tunable is not defined right
now anyway.

On Fri, 2004-12-10 at 14:11, Thomas Bleher wrote:
> * Russell Coker <russell@coker.com.au> [2004-12-10 20:04]:
> > On Saturday 11 December 2004 05:01, Daniel J Walsh <dwalsh@redhat.com> wrote:
> > > Stephen Smalley wrote:
> > > >On Fri, 2004-12-10 at 12:06, Daniel J Walsh wrote:
> > > >>When installing a package within firefox, it attempts to exec
> > > >>system-config-packages which blows up because
> > > >>*-mozilla-t can not run userhelper apps.
> > > >
> > > >Installing a package within firefox?  If you are talking about something
> > > >firefox downloaded, then why does it use system-config-packages?  And I
> > > >would expect that you would end up installing any such packages local to
> > > >the user's home directory at most (and even then only if policy allows
> > > >writing to it), not on a system-wide basis.
> > >
> > > You can trigger it by executing
> > >  firefox selinux-policy-strict-1.19.12-1.src.rpm
> > 
> > We have mozilla running in its own domain to limit the risk of exploits of 
> > mozilla taking over the rest of the system.  Allowing mozilla to install 
> > packages seems to directly contradict this aim.
> > 
> > Maybe we should just remove the mozilla policy?
> 
> Or add a boolean to control the transition from the userdomain to
> mozilla. Then we can have a locked down policy for people who just want
> to securely browse the web. People who want all the bells and whistles
> can turn the transition off at the cost of higher exposure.
> 
> Thomas
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


* Re: can_network patch.
  2004-12-10 18:11                                 ` Russell Coker
  2004-12-10 19:11                                   ` Thomas Bleher
@ 2004-12-10 21:01                                   ` Valdis.Kletnieks
  2004-12-10 23:47                                     ` Russell Coker
  1 sibling, 1 reply; 64+ messages in thread
From: Valdis.Kletnieks @ 2004-12-10 21:01 UTC (permalink / raw)
  To: russell
  Cc: Daniel J Walsh, Stephen Smalley, Jim Carter, Thomas Bleher, SELinux

On Sat, 11 Dec 2004 05:11:07 +1100, Russell Coker said:

> We have mozilla running in its own domain to limit the risk of exploits of 
> mozilla taking over the rest of the system.  Allowing mozilla to install 
> packages seems to directly contradict this aim.

Gaak.  Given the "browser can install software" mentality that's one of the single
biggest design borkages in That Other Browser/Operating System, we should do what
we can to fix this...

> Maybe we should just remove the mozilla policy?

I'd rather have a mozilla policy that enforces (roughly) "it can play inside
the ~/.mozilla tree, and download into ~/Downloads or similar, and any other
activity is constrained".

Or did you mean "remove the bit of policy that allows it to install packages",
in which case we're in total agreement....


* Re: can_network patch.
  2004-12-10 19:11                                   ` Thomas Bleher
  2004-12-10 20:23                                     ` James Carter
@ 2004-12-10 21:39                                     ` Valdis.Kletnieks
  2004-12-13 12:18                                       ` David Caplan
  1 sibling, 1 reply; 64+ messages in thread
From: Valdis.Kletnieks @ 2004-12-10 21:39 UTC (permalink / raw)
  To: Thomas Bleher
  Cc: Russell Coker, Daniel J Walsh, Stephen Smalley, Jim Carter, SELinux

On Fri, 10 Dec 2004 20:11:07 +0100, Thomas Bleher said:

> Or add a boolean to control the transition from the userdomain to
> mozilla. Then we can have a locked down policy for people who just want
> to securely browse the web. People who want all the bells and whistles
> can turn the transition off at the cost of higher exposure.

I could live with that.  However, before long we're in danger of getting lost
in a maze of tiny little twisty booleans, all different... :)



* Re: can_network patch.
  2004-12-10 21:01                                   ` Valdis.Kletnieks
@ 2004-12-10 23:47                                     ` Russell Coker
  0 siblings, 0 replies; 64+ messages in thread
From: Russell Coker @ 2004-12-10 23:47 UTC (permalink / raw)
  To: Valdis.Kletnieks
  Cc: Daniel J Walsh, Stephen Smalley, Jim Carter, Thomas Bleher, SELinux

On Saturday 11 December 2004 08:01, Valdis.Kletnieks@vt.edu wrote:
> On Sat, 11 Dec 2004 05:11:07 +1100, Russell Coker said:
> > We have mozilla running in its own domain to limit the risk of exploits
> > of mozilla taking over the rest of the system.  Allowing mozilla to
> > install packages seems to directly contradict this aim.
>
> Gaak.  Given the "browser can install software" mentality that's one of the
> single biggest design borkages in That Other Browser/Operating System, we
> should do what we can to fix this...

I agree.

> > Maybe we should just remove the mozilla policy?
>
> I'd rather have a mozilla policy that enforces (roughly) "it can play
> inside the ~/.mozilla tree, and download into ~/Downloads or similar, and
> any other activity is constrained".

Same here.

> Or did you mean "remove the bit of policy that allows it to install
> packages", in which case we're in total agreement....

If we were going to give Mozilla the access to install packages (as was in the 
CVS until recently) then there was no benefit in trying to restrict its 
access so we may as well have removed mozilla.te.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


* Re: can_network patch.
  2004-12-10 21:39                                     ` Valdis.Kletnieks
@ 2004-12-13 12:18                                       ` David Caplan
  0 siblings, 0 replies; 64+ messages in thread
From: David Caplan @ 2004-12-13 12:18 UTC (permalink / raw)
  To: Valdis.Kletnieks
  Cc: Thomas Bleher, Russell Coker, Daniel J Walsh, Stephen Smalley,
	Jim Carter, SELinux

Valdis.Kletnieks@vt.edu wrote:
> On Fri, 10 Dec 2004 20:11:07 +0100, Thomas Bleher said:
> 
> 
>>Or add a boolean to control the transition from the userdomain to
>>mozilla. Then we can have a locked down policy for people who just want
>>to securely browse the web. People who want all the bells and whistles
>>can turn the transition off at the cost of higher exposure.
> 
> 
> I could live with that.  However, before long we're in danger of getting lost
> in a maze of tiny little twisty booleans, all different... :)
> 

That is a good reason why the use of booleans and addition of 
conditional policy blocks needs to be considered very carefully. 
Another important reason is that even though a chunk of policy may be 
controlled by a conditional expression, from a pure policy analysis 
point of view, it must be considered that the conditional permissions 
are allowed (i.e., if the rule(s) are in the policy then it is 
_possible_ that they may be enabled).  In a perfect world, if the 
permissions are always going to be disabled for a particular instance 
then they shouldn't be in the policy at all.

That said, this issue was discussed before on the list 
(http://tinyurl.com/596gq) and there are practical accepted reasons for 
using booleans/conditionals as tunable mechanisms in some cases.  I 
would just echo your caution that we don't want to get "lost in a maze 
of tiny little twisty booleans".

David

-- 
__________________________________

David Caplan
dac@tresys.com
Tresys Technology, LLC


* Adding alternate root patch to restorecon (setfiles?)
@ 2004-10-18 19:36 Daniel J Walsh
  0 siblings, 0 replies; 64+ messages in thread
From: Daniel J Walsh @ 2004-10-18 19:36 UTC (permalink / raw)
  To: Stephen Smalley, SELinux

Forgot patch.

Dan

[-- Attachment #2: policycoreutils-altroot.patch --]

--- policycoreutils-1.17.6/restorecon/restorecon.c.altroot	2004-10-06 09:47:47.000000000 -0400
+++ policycoreutils-1.17.6/restorecon/restorecon.c	2004-10-18 15:35:41.124661316 -0400
@@ -8,11 +8,13 @@
  * to match the specification returned by matchpathcon.
  *
  * USAGE:
- * restorecon [-Rnv] pathname...
+ * restorecon [-Rnv] [ -o outputfile ] [ -p alt_root ] pathname...
  * 
+ * -R	recurse
  * -n	Do not change any file labels.
  * -v	Show changes in file labels.  
- * -o filename save list of files with incorrect context
+ * -o	filename save list of files with incorrect context
+ * -p	alternate root: strip off alt_root from pathname when doing matchfilecon
  *
  * pathname...	The file(s) to label 
  *
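Review bot: the new `-p` usage line says the prefix is stripped "when doing matchfilecon", but the function the program actually calls is `matchpathcon` (the header comment two lines up and the call in `restore()` both name it); rename it so the comment matches the code. The `-o` option is also described two ways in the same block, `[ -o outputfile ]` in the synopsis and `-o	filename` in the option list; pick one name.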
@@ -40,6 +42,8 @@
 static int verbose=0;
 static FILE *outfile=NULL;
 static char *progname;
+static char *alt_root=NULL;
+static int alt_len=0;
 static int errors=0;
 static int recurse;
 
@@ -52,6 +56,7 @@
 int restore(char *filename) {
   int retcontext=0;
   int retval=0;
+  char *target=NULL;
   security_context_t scontext;
   security_context_t prev_context;
   int len=strlen(filename);
@@ -99,9 +104,14 @@
     }
     filename = p;
   }
-  retval = matchpathcon(filename, st.st_mode, &scontext);
+
+  target=filename;
+  if (alt_len != 0 && strncmp(alt_root, filename, alt_len) == 0)
+	  target=&filename[alt_len];
+
+  retval = matchpathcon(target, st.st_mode, &scontext);
   if (retval < 0) {
-    fprintf(stderr,"matchpathcon(%s) failed %s\n", filename,strerror(errno));
+    fprintf(stderr,"matchpathcon(%s) failed %s\n", target,strerror(errno));
     return 1;
   } 
   if (strcmp(scontext,"<<none>>")==0) {
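Review bot: the prefix test `strncmp(alt_root, filename, alt_len) == 0` matches any path that merely begins with the alt_root string, so `-p /shared` also strips `/shared` from `/sharedfoo/bar` and hands `foo/bar` (no leading slash) to `matchpathcon`, which then labels the file from whatever spec that relative string happens to match. Require a path-component boundary as well, for example `filename[alt_len] == '/' || filename[alt_len] == '\0'`, and when the pathname is the alt_root itself (stripped result is the empty string) look up `/` rather than `""`. Worth stating in the usage text that the comparison is made against the pathname as rewritten just above (`filename = p;`), so `-p` has to be given in that same form.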
@@ -179,7 +189,7 @@
 
   memset(buf,0, sizeof(buf));
 
-  while ((opt = getopt(argc, argv, "Rnvf:o:")) > 0) {
+  while ((opt = getopt(argc, argv, "Rnvf:o:p:")) > 0) {
     switch (opt) {
     case 'n':
       change = 0;
@@ -187,6 +197,12 @@
     case 'R':
       recurse = 1;
       break;
+    case 'p':
+      alt_root=strdup(optarg);
+      alt_len=strlen(optarg);
+      if (alt_root[alt_len-1]=='/') 
+	      alt_len--;
+      break;
     case 'o':
       outfile = fopen(optarg,"w");
       if (!outfile) {
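Review bot: `alt_root[alt_len-1]` indexes before the buffer when optarg is the empty string (`-p ""`), because alt_len is then 0; reject an empty argument before the trailing-slash check. `strdup` can return NULL and is not checked. Only a single trailing slash is removed, so `-p /shared//` leaves alt_len pointing at a slash and the prefix match in `restore()` then silently never fires; use a loop such as `while (alt_len > 1 && alt_root[alt_len-1] == '/') alt_len--;`. A repeated `-p` also leaks the earlier `strdup` result; free it first or document that the last one wins.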

