From: James Carter <jwcart2@epoch.ncsc.mil>
To: Daniel J Walsh <dwalsh@redhat.com>
Cc: SELinux <selinux@tycho.nsa.gov>
Subject: Re: Latest patch
Date: Fri, 03 Dec 2004 08:40:48 -0500	[thread overview]
Message-ID: <1102081248.15627.3.camel@moss-lions.epoch.ncsc.mil> (raw)
In-Reply-To: <41AF6C93.8040109@redhat.com>

Merged.

On Thu, 2004-12-02 at 14:27, Daniel J Walsh wrote:
> Allow bootloader to run exec_type, so it can pick up consoletype.
> 
> Allow initrc to clean up ptal runtime files in init scripts.
> 
> Add file contexts for bin_t files in the /usr partition.
> 
> Fix policy so htdig will work.
> 
> Make changes so ipx_interface and friends will run (although I need help 
> on this stuff since I don't have access to an IPX network, nor do
> I want to :*)
> 
> Fix console and java labeling.
> 
> ______________________________________________________________________
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.19.8/domains/program/unused/apache.te
> --- nsapolicy/domains/program/unused/apache.te	2004-11-29 10:24:17.000000000 -0500
> +++ policy-1.19.8/domains/program/unused/apache.te	2004-11-30 16:54:39.000000000 -0500
> @@ -332,3 +332,6 @@
>  ')
>  allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write };
>  }
> +
> +read_sysctl(httpd_sys_script_t)
> +allow httpd_sys_script_t var_lib_t:dir search;
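Review bot: The two added rules give every httpd_sys_script_t script, not just htdig's, read access to sysctl and search over all of var_lib_t, and nothing in the file says why; they also land unconditionally after the closing brace of a block that begins outside this hunk. A one-line comment such as `# htdig's search CGI reads /proc/sys and traverses /var/lib to reach /var/lib/htdig` above `read_sysctl(httpd_sys_script_t)` would record the consumer, and wrapping both rules in the same kind of conditional the rest of the file uses would keep them out of builds without htdig. Whether the CGI really needs the sysctl reads or only the directory traversal cannot be told from the hunk.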
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bootloader.te policy-1.19.8/domains/program/unused/bootloader.te
> --- nsapolicy/domains/program/unused/bootloader.te	2004-11-05 23:24:16.000000000 -0500
> +++ policy-1.19.8/domains/program/unused/bootloader.te	2004-12-01 10:54:10.000000000 -0500
> @@ -58,7 +58,7 @@
>  # uncomment the following line if you use "lilo -p"
>  #file_type_auto_trans(bootloader_t, etc_t, bootloader_etc_t, file);
>  
> -can_exec(bootloader_t, { bootloader_exec_t shell_exec_t ls_exec_t bin_t sbin_t })
> +can_exec_any(bootloader_t)
>  allow bootloader_t shell_exec_t:lnk_file read;
>  allow bootloader_t { bin_t sbin_t }:dir search;
>  allow bootloader_t { bin_t sbin_t }:lnk_file read;
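Review bot: Replacing the explicit can_exec list with `can_exec_any(bootloader_t)` lets bootloader_t execute every exec_type in the policy when the stated need is only consoletype, a sizeable widening for a domain that also reads memory_device_t and writes the admin ttys (context in the next hunk). If the policy defines a dedicated exec type for consoletype, the narrower fix is to keep the list and append it, e.g. `can_exec(bootloader_t, { bootloader_exec_t shell_exec_t ls_exec_t bin_t sbin_t consoletype_exec_t })`; if it does not, a comment `# can_exec_any: bootloader helpers run consoletype; narrow once the exact exec types are known` should at least mark the grant as provisional. The removed distro_debian mount/chroot block further down is subsumed by this change, which is worth stating in that comment too.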
> @@ -131,14 +131,6 @@
>  allow bootloader_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
>  allow bootloader_t initrc_t:fifo_file { read write };
>  
> -ifdef(`distro_debian', `
> -# for making an initrd
> -can_exec(bootloader_t, mount_exec_t)
> -ifdef(`chroot.te', `
> -can_exec(bootloader_t, chroot_exec_t)
> -')dnl end chroot.te
> -')dnl end distro_debian
> -
>  # for reading BIOS data
>  allow bootloader_t memory_device_t:chr_file r_file_perms;
>  
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.19.8/domains/program/unused/cups.te
> --- nsapolicy/domains/program/unused/cups.te	2004-12-02 14:11:41.692784006 -0500
> +++ policy-1.19.8/domains/program/unused/cups.te	2004-12-02 13:44:06.204217215 -0500
> @@ -157,6 +157,9 @@
>  allow cupsd_t ptal_var_run_t:dir search;
>  dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
>  
> +allow initrc_t ptal_var_run_t:dir rmdir;
> +allow initrc_t ptal_var_run_t:fifo_file unlink;
> +
>  dontaudit cupsd_t selinux_config_t:dir search;
>  dontaudit cupsd_t selinux_config_t:file { getattr read };
>  
> diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.19.8/file_contexts/distros.fc
> --- nsapolicy/file_contexts/distros.fc	2004-11-20 22:29:09.000000000 -0500
> +++ policy-1.19.8/file_contexts/distros.fc	2004-12-01 16:26:58.000000000 -0500
> @@ -31,6 +31,9 @@
>  /usr/share/pydict/pydict\.py	--	system_u:object_r:bin_t
>  /usr/share/cvs/contrib/rcs2log	--	system_u:object_r:bin_t
>  /usr/share/pwlib/make/ptlib-config --	system_u:object_r:bin_t
> +/usr/share/texmf/web2c/mktexdir	--	system_u:object_r:bin_t
> +/usr/share/texmf/web2c/mktexnam	--	system_u:object_r:bin_t
> +/usr/share/texmf/web2c/mktexupd	--	system_u:object_r:bin_t
>  ')
>  
>  ifdef(`distro_suse', `
> diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.19.8/file_contexts/program/apache.fc
> --- nsapolicy/file_contexts/program/apache.fc	2004-11-20 22:29:09.000000000 -0500
> +++ policy-1.19.8/file_contexts/program/apache.fc	2004-11-30 16:49:58.000000000 -0500
> @@ -40,3 +40,6 @@
>  ')
>  /var/lib/squirrelmail/prefs(/.*)?	system_u:object_r:httpd_squirrelmail_t
>  /usr/bin/htsslpass --	system_u:object_r:httpd_helper_exec_t
> +/usr/share/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
> +/var/lib/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
> +/etc/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
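Review bot: Giving /etc/htdig, /var/lib/htdig and /usr/share/htdig the single type httpd_sys_content_t erases the difference between htdig's configuration, its index and its shipped support files: anything allowed to read web content can now read the configuration under /etc, and the index under /var/lib, which the indexer presumably rewrites, is typed as read-only content. Unless the search CGI genuinely needs all three, the configuration would normally stay etc_t or get its own type, and only the paths the CGI reads should be httpd_sys_content_t. At minimum a comment `# htdig: config, index and htsearch support files read by httpd and its CGIs` above the three lines would record the intent and make a later split easier.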
> diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ifconfig.fc policy-1.19.8/file_contexts/program/ifconfig.fc
> --- nsapolicy/file_contexts/program/ifconfig.fc	2004-11-19 11:20:43.000000000 -0500
> +++ policy-1.19.8/file_contexts/program/ifconfig.fc	2004-12-01 09:01:45.000000000 -0500
> @@ -7,3 +7,6 @@
>  /bin/ip			--	system_u:object_r:ifconfig_exec_t
>  /sbin/ethtool		--	system_u:object_r:ifconfig_exec_t
>  /sbin/mii-tool		--	system_u:object_r:ifconfig_exec_t
> +/sbin/ipx_interface	--	system_u:object_r:ifconfig_exec_t
> +/sbin/ipx_configure	--	system_u:object_r:ifconfig_exec_t
> +/sbin/ipx_internal_net	--	system_u:object_r:ifconfig_exec_t
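Review bot: The three ipx_* tools are mapped to ifconfig_exec_t, and so will run in ifconfig_t, on the basis of a commit message that says the author could not test them, and nothing in the file records that. A comment `# IPX tools: untested, assumed to need the same access as ifconfig` above `/sbin/ipx_interface` would flag the entries for whoever later chases an IPX denial. Whether ipx_internal_net needs anything beyond what ifconfig_t already allows cannot be judged from the file-context change alone.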
> diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.19.8/file_contexts/types.fc
> --- nsapolicy/file_contexts/types.fc	2004-12-02 14:11:43.377594270 -0500
> +++ policy-1.19.8/file_contexts/types.fc	2004-12-02 13:27:20.530471384 -0500
> @@ -139,6 +139,9 @@
>  /u?dev/cu.*		-c	system_u:object_r:tty_device_t
>  /u?dev/vcs[^/]*		-c	system_u:object_r:tty_device_t
>  /u?dev/ip2[^/]*		-c	system_u:object_r:tty_device_t
> +/u?dev/hvc.*		-c	system_u:object_r:tty_device_t
> +/u?dev/hvsi.*		-c	system_u:object_r:tty_device_t
> +/u?dev/ttySG.*		-c	system_u:object_r:tty_device_t
>  /u?dev/tty		-c	system_u:object_r:devtty_t
>  /dev/lp.*		-c	system_u:object_r:printer_device_t
>  /dev/par.*		-c	system_u:object_r:printer_device_t
> @@ -334,6 +337,9 @@
>  /usr(/.*)?			system_u:object_r:usr_t
>  /usr(/.*)?/lib(64)?(/.*)?	system_u:object_r:lib_t
>  /usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
> +/usr(/.*)?/java/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
> +/usr(/.*)?/java/.*\.jar	--	system_u:object_r:shlib_t
> +/usr(/.*)?/java/.*\.jsa	--	system_u:object_r:shlib_t
>  /usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
>  /usr(/.*)?/bin(/.*)?		system_u:object_r:bin_t
>  /usr(/.*)?/Bin(/.*)?		system_u:object_r:bin_t
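Review bot: The new `.jar` and `.jsa` patterns type Java archives as shlib_t, the same type as native shared objects, and the `/usr(/.*)?/java/` prefix matches any `java` directory anywhere under /usr, so distribution jar collections are swept in as well. If, as elsewhere in this policy, shlib_t is what every domain may map executable, only files the JVM actually maps with execute permission should carry it; a `.jar` is an archive that is normally just read, while the class-data archive is the more plausible candidate. If typing `.jar` as shlib_t is deliberate, a comment `# JVM maps these archives executable; keep in step with the java package layout` above the three lines should say so; otherwise the `.jar` line should label lib_t.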
> diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.19.8/macros/program/mozilla_macros.te
> --- nsapolicy/macros/program/mozilla_macros.te	2004-12-02 14:11:43.625566345 -0500
> +++ policy-1.19.8/macros/program/mozilla_macros.te	2004-12-02 13:39:30.762236174 -0500
> @@ -98,6 +98,7 @@
>  dontaudit $1_mozilla_t boot_t:dir getattr;
>  ifdef(`cups.te', `
>  allow $1_mozilla_t cupsd_etc_t:dir search;
> +allow $1_mozilla_t cupsd_rw_etc_t:file { getattr read };
>  ')
>  allow $1_mozilla_t $1_t:tcp_socket { read write };
>  
> diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.19.8/tunables/distro.tun
> --- nsapolicy/tunables/distro.tun	2004-08-20 13:57:29.000000000 -0400
> +++ policy-1.19.8/tunables/distro.tun	2004-11-30 16:17:10.000000000 -0500
> @@ -5,7 +5,7 @@
>  # appropriate ifdefs.
>  
> 
> -dnl define(`distro_redhat')
> +define(`distro_redhat')
>  
>  dnl define(`distro_suse')
>  
> diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.19.8/tunables/tunable.tun
> --- nsapolicy/tunables/tunable.tun	2004-11-09 13:35:13.000000000 -0500
> +++ policy-1.19.8/tunables/tunable.tun	2004-11-30 16:17:10.000000000 -0500
> @@ -2,10 +2,10 @@
>  dnl define(`user_can_mount')
>  
>  # Allow rpm to run unconfined.
> -dnl define(`unlimitedRPM')
> +define(`unlimitedRPM')
>  
>  # Allow privileged utilities like hotplug and insmod to run unconfined.
> -dnl define(`unlimitedUtils')
> +define(`unlimitedUtils')
>  
>  # Allow rc scripts to run unconfined, including any daemon
>  # started by an rc script that does not have a domain transition
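Review bot: Enabling `unlimitedRPM` and `unlimitedUtils` as the shipped default makes rpm, hotplug and insmod run unconfined for every build of this policy, a global weakening rather than a distribution-specific fix, and one the commit message does not mention. Each tunable already has a comment saying what it opens up; if these are to stay on upstream, the reason should be recorded next to them, e.g. `# Enabled by default for distribution builds; disable for a fully confined system`, and otherwise they belong in the Red Hat build's local copy of this file.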
> @@ -17,11 +17,11 @@
>  
>  # Do not audit things that we know to be broken but which
>  # are not security risks
> -dnl define(`hide_broken_symptoms')
> +define(`hide_broken_symptoms')
>  
>  # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
>  # Otherwise, only staff_r can do so.
> -dnl define(`user_canbe_sysadm')
> +define(`user_canbe_sysadm')
>  
>  # Allow xinetd to run unconfined, including any services it starts
>  # that do not have a domain transition explicitly defined.
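Review bot: Turning on `user_canbe_sysadm` lets user_r reach sysadm_r via su, sudo or userhelper, as the comment above it says, which removes the user_r/staff_r separation that the policy otherwise relies on; `hide_broken_symptoms` additionally silences the denials the policy already knows about, which is evidence worth keeping while the policy is still changing this much. Neither default is justified in the commit message. If both are to ship enabled, a comment beside them such as `# Default on for desktop builds; comment out both for a hardened install` would make the trade-off explicit, and `hide_broken_symptoms` in particular should stay off upstream.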
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
