* Latest Ref Policy Diffs
From: Daniel J Walsh @ 2005-12-08 21:14 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux


Major change in targeted policy is about to hit.  Basically we are going 
to turn off allow_execmod, allow_execmem, and allow_execstack by default 
for unconfined_t programs.

So several of these patches are to allow that to happen.  Including 
turning on a real xdm policy.  Getting rid of the alias of 
texrel_shlib_t to shlib_t.  Mozilla libraries all marked 
texrel_shlib_t.  (A bug has been reported on this and hopefully a fix will
be added.)

So far I see hal and Xorg as needing execmem.

gfs support is added

Most if not all of the kernel leaky file descriptors have been fixed so 
a lot of nasty dontaudits are no longer necessary.

customizable_types file generated from base.pp for targeted policy.

-- 



[-- Attachment #2: policy-20051208.patch --]
[-- Type: text/x-patch, Size: 18826 bytes --]

diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mcs/default_contexts serefpolicy-2.1.0/config/appconfig-targeted-mcs/default_contexts
--- nsaserefpolicy/config/appconfig-targeted-mcs/default_contexts	2005-11-14 18:24:05.000000000 -0500
+++ serefpolicy-2.1.0/config/appconfig-targeted-mcs/default_contexts	2005-12-08 15:30:35.000000000 -0500
@@ -1,3 +1,4 @@
+system_r:xdm_t:s0		system_r:unconfined_t:s0
 system_r:unconfined_t:s0	system_r:unconfined_t:s0
 system_r:initrc_t:s0		system_r:unconfined_t:s0
 system_r:local_login_t:s0	system_r:unconfined_t:s0
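Review bot: only the appconfig-targeted-mcs default_contexts is updated for the new xdm_t source context; if any other targeted appconfig directory is shipped it needs the same `system_r:xdm_t:s0 system_r:unconfined_t:s0` entry, otherwise sessions started by a real xdm_t domain will have no default context there.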
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-2.1.0/Makefile
--- nsaserefpolicy/Makefile	2005-12-05 22:35:02.000000000 -0500
+++ serefpolicy-2.1.0/Makefile	2005-12-08 15:28:11.000000000 -0500
@@ -92,7 +92,7 @@
 
 # enable MLS if requested.
 ifneq ($(findstring -mls,$(TYPE)),)
-	override M4PARAM += -D enable_mls
+	override M4PARAM += -D enable_mls -D separate_secadm
 	override CHECKPOLICY += -M
 	override CHECKMODULE += -M
 endif
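Review bot: the `-D separate_secadm` addition to M4PARAM is not mentioned in the cover letter and has nothing to do with the execmem/xdm/texrel work; it changes how every MLS build is generated, so it should be a separate patch with a sentence saying why it is now the default.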
@@ -274,11 +274,6 @@
 	@mkdir -p $(APPDIR)
 	$(QUIET) install -m 644 $< $@
 
-$(APPDIR)/customizable_types: policy.conf
-	@mkdir -p $(APPDIR)
-	$(QUIET) grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
-	$(QUIET) install -m 644 tmp/customizable_types $@ 
-
 $(APPDIR)/default_type: $(APPCONF)/default_type
 	@mkdir -p $(APPDIR)
 	$(QUIET) install -m 644 $< $@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-2.1.0/policy/modules/admin/su.if
--- nsaserefpolicy/policy/modules/admin/su.if	2005-11-29 18:36:30.000000000 -0500
+++ serefpolicy-2.1.0/policy/modules/admin/su.if	2005-12-08 15:28:11.000000000 -0500
@@ -50,6 +50,9 @@
 	selinux_compute_relabel_context($1_su_t)
 	selinux_compute_user_contexts($1_su_t)
 
+	files_dontaudit_getattr_tmp_dir($1_su_t)
+	files_dontaudit_read_etc_runtime_files($1_su_t)
+
 	auth_domtrans_chk_passwd($1_su_t)
 	auth_dontaudit_read_shadow($1_su_t)
 	auth_use_nsswitch($1_su_t)
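Review bot: the new `files_dontaudit_read_etc_runtime_files($1_su_t)` is redundant if the template already grants `files_read_etc_runtime_files($1_su_t)` (as noted later in this thread); a dontaudit only affects denials, so beside an allow it is dead policy. Drop it, and keep the files_ calls grouped together so such overlap is visible.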
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.1.0/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te	2005-11-25 08:11:10.000000000 -0500
+++ serefpolicy-2.1.0/policy/modules/kernel/filesystem.te	2005-12-08 15:28:11.000000000 -0500
@@ -25,6 +25,7 @@
 fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
 
 # Use the allocating task SID to label inodes in the following filesystem
 # types, and label the filesystem itself with the specified context.
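Review bot: `fs_use_xattr gfs` is only correct if the gfs build in use actually stores and returns security.selinux xattrs; on a gfs without that support the labeling lookups fail and inodes show up with the unlabeled context, which is exactly the concern raised later in the thread. A `fs_use_task` or `genfscon` entry would be the safe fallback until xattr support is confirmed shipped.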
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/canna.te serefpolicy-2.1.0/policy/modules/services/canna.te
--- nsaserefpolicy/policy/modules/services/canna.te	2005-12-06 19:49:49.000000000 -0500
+++ serefpolicy-2.1.0/policy/modules/services/canna.te	2005-12-08 15:28:11.000000000 -0500
@@ -47,7 +47,6 @@
 
 kernel_read_kernel_sysctl(canna_t)
 kernel_read_system_state(canna_t)
-kernel_dontaudit_use_fd(canna_t)
 
 corenet_tcp_sendrecv_all_if(canna_t)
 corenet_raw_sendrecv_all_if(canna_t)
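Review bot: removing `kernel_dontaudit_use_fd(canna_t)` (and the matching removals in hostname.te, mount.te, mta.te, init.if and locallogin.te below) changes logging only, not what is allowed, so it is harmless on kernels that have the leaked-fd fix the cover letter refers to; on older kernels the fd-use denials will simply reappear in the audit log. Worth a note in the cover letter naming the kernel version this assumes.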
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.1.0/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te	2005-12-06 19:49:50.000000000 -0500
+++ serefpolicy-2.1.0/policy/modules/services/cups.te	2005-12-08 15:28:11.000000000 -0500
@@ -471,6 +471,7 @@
 # Cups configuration daemon local policy
 #
 
+allow cupsd_config_t cupsd_log_t:file rw_file_perms;
 allow cupsd_config_t self:capability { chown sys_tty_config };
 dontaudit cupsd_config_t self:capability sys_tty_config;
 allow cupsd_config_t self:process signal_perms;
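Review bot: `allow cupsd_config_t cupsd_log_t:file rw_file_perms` grants read as well as write on the log type; if the config daemon only appends to the log, write/append permissions are enough and read should be left out. Also, the self: rules conventionally come first in a domain's local policy block, so this rule belongs below them.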
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-2.1.0/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te	2005-12-06 19:49:50.000000000 -0500
+++ serefpolicy-2.1.0/policy/modules/services/dbus.te	2005-12-08 15:28:11.000000000 -0500
@@ -32,7 +32,7 @@
 # cjp: dac_override should probably go in a distro_debian
 allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
 dontaudit system_dbusd_t self:capability sys_tty_config;
-allow system_dbusd_t self:process { getattr signal_perms };
+allow system_dbusd_t self:process { getattr signal_perms setcap };
 allow system_dbusd_t self:fifo_file { read write };
 allow system_dbusd_t self:dbus { send_msg acquire_svc };
 allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
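Review bot: `setcap` on self:process lets the bus daemon change its own capability sets; a one-line comment saying what in dbus needs it would help the next reader. While in this block, the unchanged context line `allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };` lists `connectto` twice and could be cleaned up.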
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.1.0/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te	2005-12-06 19:49:50.000000000 -0500
+++ serefpolicy-2.1.0/policy/modules/services/ftp.te	2005-12-08 15:28:11.000000000 -0500
@@ -105,6 +105,9 @@
 
 domain_use_wide_inherit_fd(ftpd_t)
 
+files_search_var_lib_dir(ftpd_t)
+auth_use_nsswitch(ftpd_t)
+
 files_search_etc(ftpd_t)
 files_read_etc_files(ftpd_t)
 files_read_etc_runtime_files(ftpd_t)
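Review bot: `files_search_var_lib_dir(ftpd_t)` here and `files_search_var_lib(saslauthd_t)` in the sasl.te hunk below are two different names for what looks like the same interface; one of them is probably wrong and will fail at build time. Also group the new files_ call with the other files_ calls that follow it rather than above `auth_use_nsswitch`.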
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.1.0/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te	2005-12-06 19:49:50.000000000 -0500
+++ serefpolicy-2.1.0/policy/modules/services/hal.te	2005-12-08 15:28:11.000000000 -0500
@@ -23,11 +23,13 @@
 
 allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
 dontaudit hald_t self:capability sys_tty_config;
-allow hald_t self:process signal_perms;
+# vbetool requires execmem
+allow hald_t self:process { execmem signal_perms };
 allow hald_t self:fifo_file rw_file_perms;
 allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow hald_t self:unix_dgram_socket create_socket_perms;
 allow hald_t self:netlink_route_socket r_netlink_socket_perms;
+allow hald_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow hald_t self:tcp_socket create_stream_socket_perms;
 allow hald_t self:udp_socket create_socket_perms;
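Review bot: granting `execmem` to all of hald_t because vbetool needs it widens the exception to the whole daemon; if vbetool is exec'd as a separate program, a small domain for it would keep execmem off hald itself. The new `netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }` lets hal send user-space audit records, which also deserves a comment on why hal generates audit messages.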
@@ -59,7 +61,10 @@
 corenet_tcp_bind_all_nodes(hald_t)
 corenet_udp_bind_all_nodes(hald_t)
 
-dev_read_sysfs(hald_t)
+# hal is now execing pm-suspend
+files_create_boot_flag(hald_t)
+dev_rw_sysfs(hald_t)
+
 dev_rw_usbfs(hald_t)
 dev_read_urand(hald_t)
 dev_read_input(hald_t)
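Review bot: the comment says hal now execs pm-suspend, but the hunk grants hald_t itself `dev_rw_sysfs` and `files_create_boot_flag` instead of adding a domain transition; that means pm-suspend runs in hald_t with the daemon's full rights (including the execmem just added above). A transition to its own domain would keep those write permissions off the long-running daemon.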
@@ -138,6 +143,10 @@
 	cups_signal_config(hald_t)
 ')
 
+optional_policy(`ntp',`
+	ntp_domtrans(hald_t)
+')
+
 optional_policy(`dbus',`
 	dbus_system_bus_client_template(hald,hald_t)
 	dbus_send_system_bus_msg(hald_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.1.0/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te	2005-12-06 19:49:50.000000000 -0500
+++ serefpolicy-2.1.0/policy/modules/services/mta.te	2005-12-08 15:28:11.000000000 -0500
@@ -57,15 +57,6 @@
 
 userdom_use_sysadm_terms(system_mail_t)
 
-ifdef(`hide_broken_symptoms',`
-	# Red Hat systems seem to have a stray
-	# fds open from the initrd
-	ifdef(`distro_redhat',`
-		kernel_dontaudit_use_fd(system_mail_t)
-		storage_dontaudit_read_fixed_disk(system_mail_t)
-	')
-')
-
 ifdef(`targeted_policy',`
 	typealias system_mail_t alias sysadm_mail_t;
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-2.1.0/policy/modules/services/nis.if
--- nsaserefpolicy/policy/modules/services/nis.if	2005-12-06 19:49:50.000000000 -0500
+++ serefpolicy-2.1.0/policy/modules/services/nis.if	2005-12-08 15:28:11.000000000 -0500
@@ -150,8 +150,10 @@
 interface(`nis_signal_ypbind',`
 	gen_require(`
 		type ypbind_t;
+		type ypbind_var_run_t;
 	')
 
+	allow $1 ypbind_var_run_t:file read;
 	allow $1 ypbind_t:process signal;
 ')
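Review bot: `nis_signal_ypbind` now also grants `ypbind_var_run_t:file read`, so the interface's documentation header should say it reads the pid file as well as sending the signal. The rule uses a bare `read` rather than a permission macro such as `r_file_perms` as the rest of the patch does; if `getattr` is needed to stat the pid file first, the bare perm will not be enough.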
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-2.1.0/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te	2005-12-06 19:49:51.000000000 -0500
+++ serefpolicy-2.1.0/policy/modules/services/sasl.te	2005-12-08 15:28:11.000000000 -0500
@@ -18,6 +18,7 @@
 # Local policy
 #
 
+allow saslauthd_t self:capability setuid;
 dontaudit saslauthd_t self:capability sys_tty_config;
 allow saslauthd_t self:process signal_perms;
 allow saslauthd_t self:fifo_file { read write };
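Review bot: `allow saslauthd_t self:capability setuid` is a new privilege with no comment; if it is for dropping privileges after startup, say so, since setuid is one of the capabilities reviewers look at first.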
@@ -56,9 +57,10 @@
 domain_use_wide_inherit_fd(saslauthd_t)
 
 files_read_etc_files(saslauthd_t)
-files_read_etc_runtime_files(saslauthd_t)
+files_dontaudit_read_etc_runtime_files(saslauthd_t)
 files_search_var_lib(saslauthd_t)
 files_dontaudit_getattr_home_dir(saslauthd_t)
+files_dontaudit_getattr_tmp_dir(saslauthd_t)
 
 init_use_fd(saslauthd_t)
 init_use_script_pty(saslauthd_t)
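Review bot: changing `files_read_etc_runtime_files(saslauthd_t)` to `files_dontaudit_read_etc_runtime_files(saslauthd_t)` turns an allowed access into a silently denied one; if saslauthd ever actually reads those files, the failure will now be invisible in the audit log. The hunk should explain why the access was removed, or keep the allow.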
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.1.0/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te	2005-12-06 19:49:51.000000000 -0500
+++ serefpolicy-2.1.0/policy/modules/services/spamassassin.te	2005-12-08 15:28:11.000000000 -0500
@@ -73,6 +73,7 @@
 corenet_tcp_bind_all_nodes(spamd_t)
 corenet_udp_bind_all_nodes(spamd_t)
 corenet_tcp_bind_spamd_port(spamd_t)
+corenet_udp_bind_generic_port(spamd_t)
 
 dev_read_sysfs(spamd_t)
 dev_read_urand(spamd_t)
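Review bot: `corenet_udp_bind_generic_port(spamd_t)` lets spamd bind any unreserved UDP port without saying why; binding to the generic port type is broad, so a comment on which spamd feature needs it (as was added on merge later in this thread) should accompany the rule.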
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xdm.te serefpolicy-2.1.0/policy/modules/services/xdm.te
--- nsaserefpolicy/policy/modules/services/xdm.te	2005-11-25 08:11:12.000000000 -0500
+++ serefpolicy-2.1.0/policy/modules/services/xdm.te	2005-12-08 15:28:11.000000000 -0500
@@ -6,11 +6,7 @@
 # Declarations
 #
 
-ifdef(`targeted_policy',`
-	unconfined_alias_domain(xdm_t)
-',`
-	type xdm_t;
-')
+type xdm_t;
 
 # real declaration moved to mls until
 # range_transition works in loadable modules
@@ -79,6 +75,8 @@
 
 ifdef(`targeted_policy',`
 	unconfined_domain_template(xdm_t)
+	allow xdm_t self:process execmem;
+	 unconfined_domtrans(xdm_t)
 ',`
 	allow xdm_t xdm_lock_t:file create_file_perms;
 	files_create_lock(xdm_t,xdm_lock_t)
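Review bot: the `execmem` grant sits inside `ifdef(`targeted_policy')`; per the discussion in this thread that is deliberate because the X server runs in xdm_t under targeted policy while strict policy has a separate xserver domain, but the hunk itself should carry that as a comment. The added `unconfined_domtrans(xdm_t)` line also has a stray leading space before its tab indent.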
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.1.0/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te	2005-11-25 08:11:12.000000000 -0500
+++ serefpolicy-2.1.0/policy/modules/system/hostname.te	2005-12-08 15:28:11.000000000 -0500
@@ -22,7 +22,6 @@
 allow hostname_t self:unix_stream_socket create_stream_socket_perms;
 dontaudit hostname_t self:capability sys_tty_config;
 
-kernel_dontaudit_use_fd(hostname_t)
 kernel_list_proc(hostname_t)
 kernel_read_proc_symlinks(hostname_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-2.1.0/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if	2005-12-05 22:35:03.000000000 -0500
+++ serefpolicy-2.1.0/policy/modules/system/init.if	2005-12-08 15:28:11.000000000 -0500
@@ -31,18 +31,6 @@
 	allow init_t $1:fd use;
 	allow $1 init_t:fifo_file rw_file_perms;
 	allow $1 init_t:process sigchld;
-
-	# Red Hat systems seem to have stray
-	# fds open from the initrd
-	ifdef(`hide_broken_symptoms',`
-		# Red Hat systems seem to have a stray
-		# fds open from the initrd
-		ifdef(`distro_redhat',`
-			kernel_dontaudit_use_fd($1)
-			storage_dontaudit_read_fixed_disk($1)
-			files_dontaudit_read_root_file($1)
-		')
-	')
 ')
 
 ########################################
@@ -82,16 +70,6 @@
 		typeattribute $2 direct_init_entry;
 	')
 
-	ifdef(`hide_broken_symptoms',`
-		# Red Hat systems seem to have a stray
-		# fds open from the initrd
-		ifdef(`distro_redhat',`
-			kernel_dontaudit_use_fd($1)
-			storage_dontaudit_read_fixed_disk($1)
-			files_dontaudit_read_root_file($1)
-		')
-	')
-
 	ifdef(`targeted_policy',`
 		# this regex is a hack, since it assumes there is a
 		# _t at the end of the domain type.  If there is no _t
@@ -164,15 +142,6 @@
 	allow $1 initrc_t:fifo_file rw_file_perms;
 	allow $1 initrc_t:process sigchld;
 
-	ifdef(`hide_broken_symptoms',`
-		# Red Hat systems seem to have a stray
-		# fds open from the initrd
-		ifdef(`distro_redhat',`
-			kernel_dontaudit_use_fd($1)
-			storage_dontaudit_read_fixed_disk($1)
-			files_dontaudit_read_root_file($1)
-		')
-	')
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.1.0/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc	2005-12-02 17:53:27.000000000 -0500
+++ serefpolicy-2.1.0/policy/modules/system/libraries.fc	2005-12-08 15:28:11.000000000 -0500
@@ -62,7 +62,8 @@
 /usr/lib(64)?/im/.*\.so.*		--	gen_context(system_u:object_r:shlib_t,s0)
 /usr/lib(64)?/iiim/.*\.so.*		--	gen_context(system_u:object_r:shlib_t,s0)
 
-/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* --	gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/lib(64)?/libGL(core)?\.so(\.[^/]*)* --	gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/lib(64)?/libGLU\.so(\.[^/]*)* --	gen_context(system_u:object_r:texrel_shlib_t,s0)
 /usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:texrel_shlib_t,s0)
 
 /usr/(local/)?lib/wine/.*\.so  		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
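Review bot: good catch on the libGL entry: the old pattern `/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)*` required a literal `/` after `libGL`, so it could never match a library filename and libGL had been getting whatever the generic library entry gave it. The corrected `libGL(core)?\.so` and the new `libGLU\.so` entry fix that; this is worth a line in the cover letter since systems need a relabel to pick it up.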
@@ -103,7 +104,10 @@
 /usr/lib/valgrind/hp2ps			--	gen_context(system_u:object_r:texrel_shlib_t,s0)
 /usr/lib/valgrind/stage2		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
 /usr/lib/valgrind/vg.*\.so		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
-/usr/lib/.*/libxpcom_core.so		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/lib(64)?/thunderbird.*\.so		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/lib(64)?/mozilla.*\.so		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/lib(64)?/sunbird.*\.so		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/lib(64)?/firefox.*\.so		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
 /usr/lib/.*/program/libicudata\.so.*	--	gen_context(system_u:object_r:texrel_shlib_t,s0)
 /usr/lib/.*/program/libsts645li\.so	--	gen_context(system_u:object_r:texrel_shlib_t,s0)
 /usr/lib/.*/program/libvclplug_gen645li\.so --	gen_context(system_u:object_r:texrel_shlib_t,s0)
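Review bot: the four new Mozilla patterns end in `.*\.so` with no `(\.[^/]*)*` suffix, unlike the entries above them, so versioned sonames under those directories (libfoo.so.1) will not match; and since the removed `/usr/lib/.*/libxpcom_core.so` entry is gone, any other directory containing that library loses the texrel_shlib_t label. Labeling every shared object under these trees texrel_shlib_t grants execmod on all of them; the cover letter calls this a workaround for a reported bug, so it would be good to mark the entries as temporary.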
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-2.1.0/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te	2005-11-25 08:11:12.000000000 -0500
+++ serefpolicy-2.1.0/policy/modules/system/libraries.te	2005-12-08 15:28:11.000000000 -0500
@@ -42,12 +42,8 @@
 # texrel_shlib_t is the type of shared objects in the system lib
 # directories, which require text relocation.
 #
-ifdef(`targeted_policy',`
-	typealias lib_t alias texrel_shlib_t;
-',`
-	type texrel_shlib_t;
-	files_type(texrel_shlib_t)
-')
+type texrel_shlib_t;
+files_type(texrel_shlib_t)
 
 ########################################
 #
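Review bot: with `texrel_shlib_t` no longer an alias of `lib_t` in targeted policy, every library that needs execmod must now be matched by an explicit file_contexts entry, and existing installs carry on-disk labels of lib_t for those files; the cover letter should say a relabel is required on upgrade or text-relocated libraries will fail to load once allow_execmod defaults off.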
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-2.1.0/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te	2005-11-25 08:11:12.000000000 -0500
+++ serefpolicy-2.1.0/policy/modules/system/locallogin.te	2005-12-08 15:28:11.000000000 -0500
@@ -168,13 +168,6 @@
 # Search for mail spool file.
 mta_getattr_spool(local_login_t)
 
-# Red Hat systems seem to have a stray
-# fd open from the initrd
-ifdef(`distro_redhat',`
-	kernel_dontaudit_use_fd(local_login_t)
-	files_dontaudit_read_root_file(local_login_t)
-')
-
 ifdef(`targeted_policy',`
 	unconfined_domain_template(local_login_t)
 	unconfined_shell_domtrans(local_login_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.1.0/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te	2005-12-06 19:49:51.000000000 -0500
+++ serefpolicy-2.1.0/policy/modules/system/mount.te	2005-12-08 15:28:11.000000000 -0500
@@ -26,7 +26,6 @@
 files_create_tmp_files(mount_t,mount_tmp_t,{ file dir })
 
 kernel_read_system_state(mount_t)
-kernel_dontaudit_use_fd(mount_t)
 
 corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
 corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
@@ -95,9 +94,7 @@
 
 optional_policy(`portmap',`
 	# for nfs
-	#allow portmap_t mount_t:udp_socket { sendto recvfrom };
-	#allow mount_t portmap_t:udp_socket { sendto recvfrom };
-	#allow mount_t rpc_pipefs_t:dir search;
+	allow mount_t rpc_pipefs_t:dir search;
 	corenet_tcp_sendrecv_all_if(mount_t)
 	corenet_raw_sendrecv_all_if(mount_t)
 	corenet_udp_sendrecv_all_if(mount_t)
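Review bot: `allow mount_t rpc_pipefs_t:dir search` refers directly to a type owned by the filesystem module; inside a loadable module that needs a `gen_require` and is against the layering the rest of the file follows (everything else here goes through `corenet_`/`files_` interfaces). An interface in the filesystem module for searching rpc_pipefs would be cleaner, and the rule is about NFS rather than portmap, so the `optional_policy(`portmap')` wrapper is a slightly odd home for it.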
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.1.0/Rules.modular
--- nsaserefpolicy/Rules.modular	2005-11-23 10:06:37.000000000 -0500
+++ serefpolicy-2.1.0/Rules.modular	2005-12-08 15:28:11.000000000 -0500
@@ -41,6 +41,8 @@
 
 install: $(INSTPKG) $(APPFILES)
 
+APPFILES += $(APPDIR)/customizable_types 
+
 ########################################
 #
 # Load all configured modules
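Review bot: `APPFILES += $(APPDIR)/customizable_types` is appended after the `install: $(INSTPKG) $(APPFILES)` rule; GNU make expands a rule's prerequisite list when it reads the rule, so this late addition will not become a prerequisite of `install` unless APPFILES is used again further down. Move the `+=` above the install target (and drop the trailing whitespace on the added line).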
@@ -82,6 +84,11 @@
 	@echo "Creating $(NAME) base module package"
 	$(QUIET) $(SEMOD_PKG) -o $@ -m tmp/base.mod -f $(BASE_FC)
 
+$(APPDIR)/customizable_types: base.pp
+	@mkdir -p $(APPDIR)
+	$(QUIET) grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
+	$(QUIET) install -m 644 tmp/customizable_types $@ 
+
 tmp/base.mod: base.conf
 	@echo "Compiling $(NAME) base module"
 	$(QUIET) $(CHECKMODULE) $^ -o $@
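Review bot: the new rule greps `^type .*customizable` out of `base.pp`, which is a compiled module package, not policy source text; the text form this recipe was written against is `base.conf`, which the `tmp/base.mod: base.conf` rule right below consumes. Should the prerequisite and `$<` be `base.conf`, with `base.pp` kept only for ordering if that is wanted? The added `install` line also has trailing whitespace.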
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-2.1.0/Rules.monolithic
--- nsaserefpolicy/Rules.monolithic	2005-12-06 19:49:49.000000000 -0500
+++ serefpolicy-2.1.0/Rules.monolithic	2005-12-08 15:28:11.000000000 -0500
@@ -14,6 +14,11 @@
 
 APPFILES += $(APPDIR)/customizable_types $(INSTALLDIR)/booleans
 
+$(APPDIR)/customizable_types: policy.conf
+	@mkdir -p $(APPDIR)
+	$(QUIET) grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
+	$(QUIET) install -m 644 tmp/customizable_types $@ 
+
 # for monolithic policy use all base and module to create policy
 ALL_MODULES := $(strip $(BASE_MODS) $(MOD_MODS))
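Review bot: this three-line customizable_types recipe is now duplicated verbatim between Rules.monolithic and Rules.modular (differing only in the prerequisite); factoring the grep/cut pipeline into a variable or a shared rules fragment would avoid the two copies drifting apart. Trailing whitespace on the `install` line here too.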
 
@@ -22,7 +27,7 @@
 ALL_FC_FILES := $(ALL_MODULES:.te=.fc)
 
 PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs
-POST_TE_FILES := $(USER_FILES) $(POLDIR)/constraints
+POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/users $(POLDIR)/constraints
 
 POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf
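Review bot: replacing `$(USER_FILES)` with hard-coded `$(POLDIR)/systemuser $(POLDIR)/users` in POST_TE_FILES is unrelated to anything in the cover letter and is not explained; if USER_FILES is still defined elsewhere it is now dead, and if the modular build still uses it the two build types diverge. Split this into its own patch with a rationale.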
 

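The libraries.fc changes in the patch above depend on two libselinux matching rules: each file_contexts regex is anchored at both ends, and when several entries match a path the last one in the file wins. The following is an added example (not code from the refpolicy tree or from the patch author) that reproduces that lookup over a small constructed file_contexts excerpt modelled on the hunk, so the effect of the old `libGL(core)?/.so` typo and of the new `firefox.*\.so` entries can be checked against sample paths before a relabel. The `FC_BEFORE`, `FC_AFTER` entries and every path tested are constructed for illustration; only the firefox entry of the four Mozilla patterns is included.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One parsed file_contexts entry.  `ftype` is the optional object-class
# column ("--" regular file, "-d" directory, "-l" symlink, ...); None means
# the entry applies to any object class.
@dataclass(frozen=True)
class FcEntry:
    regex: str
    pattern: "re.Pattern"
    ftype: Optional[str]
    context: str

FC_LINE = re.compile(r"^(?P<regex>\S+)\s+(?:(?P<ftype>-[-bcdlps])\s+)?(?P<ctx>\S+)\s*$")

def parse_fc(text: str):
    """Parse file_contexts source text.  Each regex is compiled anchored at
    both ends, which is what libselinux does before matching paths."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable file_contexts line: {raw!r}")
        entries.append(FcEntry(m.group("regex"),
                               re.compile("^(?:" + m.group("regex") + ")$"),
                               m.group("ftype"), m.group("ctx")))
    return entries

def lookup(entries, path: str, ftype: str = "--") -> Optional[str]:
    """Return the SELinux type `path` would be labeled with, or None if no
    entry matches.  Like libselinux, the last matching entry in the file wins,
    and an entry with an object-class column only applies to that class."""
    for e in reversed(entries):
        if e.ftype is not None and e.ftype != ftype:
            continue
        if e.pattern.match(path):
            m = re.search(r":object_r:(\w+)", e.context)
            return m.group(1) if m else e.context
    return None

# Constructed excerpts: a generic shlib_t entry followed by the texrel
# entries as they read before and after the patch (not the real libraries.fc).
FC_BEFORE = r"""
/usr/lib(64)?/.*\.so(\.[^/]*)*            --  gen_context(system_u:object_r:shlib_t,s0)
/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)*  --  gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr/lib/.*/libxpcom_core.so              --  gen_context(system_u:object_r:texrel_shlib_t,s0)
"""
FC_AFTER = r"""
/usr/lib(64)?/.*\.so(\.[^/]*)*            --  gen_context(system_u:object_r:shlib_t,s0)
/usr/lib(64)?/libGL(core)?\.so(\.[^/]*)*  --  gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr/lib(64)?/libGLU\.so(\.[^/]*)*        --  gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr/lib(64)?/firefox.*\.so               --  gen_context(system_u:object_r:texrel_shlib_t,s0)
"""

# Constructed sample paths; "xulrunner" is just a hypothetical directory name.
SAMPLE_PATHS = [
    "/usr/lib/libGL.so.1.2",
    "/usr/lib64/libGLU.so.1",
    "/usr/lib/firefox-1.5/libxpcom_core.so",
    "/usr/lib/firefox-1.5/libmozjs.so.1",
    "/usr/lib/xulrunner/libxpcom_core.so",
]

if __name__ == "__main__":
    before, after = parse_fc(FC_BEFORE), parse_fc(FC_AFTER)
    for p in SAMPLE_PATHS:
        print(f"{p:40s} before={lookup(before, p)!s:15s} after={lookup(after, p)}")
```

Running it shows the old libGL entry never matching (libGL lands in shlib_t before the patch and texrel_shlib_t after), a versioned `libmozjs.so.1` under the firefox tree falling through to shlib_t because the new pattern ends in `\.so`, and a `libxpcom_core.so` outside the four named product trees losing texrel_shlib_t once the generic entry is removed.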

* Re: Latest Ref Policy Diffs
From: Christopher J. PeBenito @ 2005-12-09 14:21 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux

On Thu, 2005-12-08 at 16:14 -0500, Daniel J Walsh wrote:
> Major change in targeted policy is about to hit.  Basically we are going 
> to turn off allow_execmod, allow_execmem, and allow_execstack by default 
> for unconfined_t programs.

I just have a question about this hunk:

> @@ -79,6 +75,8 @@
>  
>  ifdef(`targeted_policy',`
>         unconfined_domain_template(xdm_t)
> +       allow xdm_t self:process execmem;
> +        unconfined_domtrans(xdm_t)
>  ',`
>         allow xdm_t xdm_lock_t:file create_file_perms;
>         files_create_lock(xdm_t,xdm_lock_t)

Shouldn't the execmem be outside of the ifdef, since if it needs this,
it will need it regardless of the policy type?

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Latest Ref Policy Diffs
From: Daniel J Walsh @ 2005-12-09 14:40 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: SE Linux

Christopher J. PeBenito wrote:
> On Thu, 2005-12-08 at 16:14 -0500, Daniel J Walsh wrote:
>   
>> Major change in targeted policy is about to hit.  Basically we are going 
>> to turn off allow_execmod, allow_execmem, and allow_execstack by default 
>> for unconfined_t programs.
>>     
>
> I just have a question about this hunk:
>
>   
>> @@ -79,6 +75,8 @@
>>  
>>  ifdef(`targeted_policy',`
>>         unconfined_domain_template(xdm_t)
>> +       allow xdm_t self:process execmem;
>> +        unconfined_domtrans(xdm_t)
>>  ',`
>>         allow xdm_t xdm_lock_t:file create_file_perms;
>>         files_create_lock(xdm_t,xdm_lock_t)
>>     
>
> Shouldn't the execmem be outside of the ifdef, since if it needs this,
> it will need it regardless of the policy type?
>
>   
I think in a strict policy machine, the xserver will need this not xdm?

Since we are not using xserver policy, the xserver is running as xdm.

-- 





* Re: Latest Ref Policy Diffs
From: Christopher J. PeBenito @ 2005-12-09 14:47 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux

On Fri, 2005-12-09 at 09:40 -0500, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Thu, 2005-12-08 at 16:14 -0500, Daniel J Walsh wrote:
> >   
> >> Major change in targeted policy is about to hit.  Basically we are going 
> >> to turn off allow_execmod, allow_execmem, and allow_execstack by default 
> >> for unconfined_t programs.
> >>
> > I just have a question about this hunk:
> >   
> >> @@ -79,6 +75,8 @@
> >>  
> >>  ifdef(`targeted_policy',`
> >>         unconfined_domain_template(xdm_t)
> >> +       allow xdm_t self:process execmem;
> >> +        unconfined_domtrans(xdm_t)
> >>  ',`
> >>         allow xdm_t xdm_lock_t:file create_file_perms;
> >>         files_create_lock(xdm_t,xdm_lock_t)
> >>     
> >
> > Shouldn't the execmem be outside of the ifdef, since if it needs this,
> > it will need it regardless of the policy type?
> >
> I think in a strict policy machine, the xserver will need this not xdm?
> 
> Since we are not using xserver policy, the xserver is running as xdm.

Ok, that makes sense.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150




* Re: Latest Ref Policy Diffs
From: Christopher J. PeBenito @ 2005-12-09 21:24 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux

On Thu, 2005-12-08 at 16:14 -0500, Daniel J Walsh wrote: 
> Major change in targeted policy is about to hit.  Basically we are going 
> to turn off allow_execmod, allow_execmem, and allow_execstack by default 
> for unconfined_t programs.
> 
> So several of these patches are to allow that to happen.  Including 
> turning on a real xdm policy.  Getting rid of the alias of 
> texrel_shlib_t to shlib_t.  Mozilla libraries all marked 
> texrel_shlib_t.  (A bug has been reported on this and hopefully a fix will
> be added.)
> 
> So far I see hal and Xorg as needing execmem.
> 
> gfs support is added
> 
> Most if not all of the kernel leaky file descriptors have been fixed so 
> a lot of nasty dontaudits are no longer necessary.
> 
> customizable_types file generated from base.pp for targeted policy.

Merged.  Added a comment as to why the udp bind for generic ports
(port_t) is needed for spamd.

One note, we want to keep the organization in the modules consistent, so
calls to a particular module should generally be grouped together (e.g.,
all interfaces calls to the files module usually go together).  This
would have made it easier to spot that there was a block that was adding
files_dontaudit_read_etc_runtime_files($1_su_t), when there already was
a files_read_etc_runtime_files($1_su_t).

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150




* Re: Latest Ref Policy Diffs
From: Stephen Smalley @ 2005-12-12 14:54 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: James Morris, Christopher J. PeBenito, SE Linux

On Thu, 2005-12-08 at 16:14 -0500, Daniel J Walsh wrote:
> Major change in targeted policy is about to hit.  Basically we are going 
> to turn off allow_execmod, allow_execmem, and allow_execstack by default 
> for unconfined_t programs.
> 
> So several of these patches are to allow that to happen.  Including 
> turning on a real xdm policy.  Getting rid of the alias of 
> texrel_shlib_t to shlib_t.  Mozilla libraries all marked 
> texrel_shlib_t.  ( A bug has been reported on this and hopefully a fix will
> be added.)
> 
> So far I see hal and Xorg as needing execmem.

As I recall, targeted policy was _very_ permissive in its granting of
execmod and execmem due to the early breakage problems when kernels with
those checks were shipped as updates to older Fedora releases
(particularly due to the ppc kernel problems).  From a quick look at
reference policy, it looks like this has been preserved in its
files_unconfined(), domain_base_type(), and unconfined_domain_template()
interfaces.  I'm also not sure that all occurrences of execmem et al are
wrapped with the booleans (execmod to texrel_shlib_t should remain
outside of the boolean, as that is the purpose of texrel_shlib_t, but
any other occurrences should be wrapped).

Nit:  It is more difficult to search through reference policy for
occurrences of execmem et al due to the inlining of
general_domain_access() everywhere (which happens to include it in an
exclusion list of permissions to not allow to self:process).  It will
also be harder to add further excluded permissions to that list in the
future due to such inlining.  Rationale for such inlining in the
reference policy?

> gfs support is added

I don't think gfs supports security xattrs yet, so I don't think you
want it to use fs_use_xattr as its labeling mechanism.  Even if it did
support security xattrs, we are going to run into a problem with
performing the inode security initialization on d_instantiate for remote
(or userspace) filesystems, because we cannot propagate ERESTARTSYS from
d_instantiate up the call chain presently, and such filesystems may need
to return that when they have to wait on a reply from the peer.  We'll
have the same issue for NFSv4.

-- 
Stephen Smalley
National Security Agency



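Stephen's message above raises two review questions that are tedious to answer by eye: whether every `execmem`/`execmod`/`execstack`/`execheap` grant outside the texrel_shlib_t case sits under a boolean, and how to find those grants when macro inlining hides them. The following is an added example, not code from the refpolicy project or from anyone in this thread, that scans policy source text for allow rules carrying those permissions and records which tunable (if any) encloses each one. It understands the refpolicy `tunable_policy(`bool',` ... `')` form, the `',`` else branch, and the expanded `if (bool) { ... } else { ... }` form, so it can be run on either .te sources or the m4-expanded policy.conf/base.conf; it does not expand macros itself, so on .te sources grants hidden inside inlined templates are only found after expansion. It assumes one allow rule per line. The `SAMPLE_TE` input is constructed for illustration.

```python
import re
from dataclasses import dataclass

EXEC_PERMS = frozenset({"execmem", "execmod", "execstack", "execheap"})

@dataclass(frozen=True)
class ExecRule:
    line: int
    source: str
    target: str
    tclass: str
    exec_perms: frozenset      # the memory-execution perms this rule grants
    conditions: tuple          # enclosing booleans, outermost first; () if unconditional

# One allow rule per line: "allow src tgt:class perm;" or "... { perms };"
ALLOW_RE = re.compile(r"^\s*allow\s+(?P<src>[^\s{]+)\s+(?P<tgt>[^\s:{]+)\s*:\s*"
                      r"(?P<cls>\w+)\s+(?P<perms>\{[^}]*\}|\S+?)\s*;\s*$")
# refpolicy m4 blocks: macro(`arg',`  ...  ',`  ...  ')
M4_OPEN = re.compile(r"^\s*(?P<macro>\w+)\(`(?P<arg>[^']*)',`\s*$")
M4_ELSE = re.compile(r"^\s*',`\s*$")
M4_CLOSE = re.compile(r"^\s*'\)\s*$")
# expanded conditional policy: if (bool) { ... } else { ... }
IF_OPEN = re.compile(r"^\s*if\s*\(\s*(?P<cond>[^)]+?)\s*\)\s*\{\s*$")
IF_ELSE = re.compile(r"^\s*\}\s*else\s*\{\s*$")
IF_CLOSE = re.compile(r"^\s*\}\s*$")

def _negate(cond: str) -> str:
    return cond[1:] if cond.startswith("!") else "!" + cond

def find_exec_rules(text: str):
    """Return every allow rule granting a memory-execution permission, with
    the booleans that enclose it.  Raises ValueError on unbalanced blocks."""
    rules = []
    stack = []   # one entry per open block: controlling boolean, or None for a non-tunable block
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = ALLOW_RE.match(line)
        if m:
            hit = frozenset(m.group("perms").strip("{} ").split()) & EXEC_PERMS
            if hit:
                conds = tuple(c for c in stack if c is not None)
                rules.append(ExecRule(lineno, m.group("src"), m.group("tgt"),
                                      m.group("cls"), hit, conds))
            continue
        m = M4_OPEN.match(line)
        if m:
            stack.append(m.group("arg") if m.group("macro") == "tunable_policy" else None)
            continue
        m = IF_OPEN.match(line)
        if m:
            stack.append(m.group("cond").strip())
            continue
        if M4_ELSE.match(line) or IF_ELSE.match(line):
            if not stack:
                raise ValueError(f"line {lineno}: else branch without an open block")
            if stack[-1] is not None:
                stack[-1] = _negate(stack[-1])
            continue
        if M4_CLOSE.match(line) or IF_CLOSE.match(line):
            if not stack:
                raise ValueError(f"line {lineno}: block close without an open block")
            stack.pop()
    if stack:
        raise ValueError("unbalanced block at end of input")
    return rules

def unwrapped_exec_rules(text: str):
    """The grants a reviewer wants to see: exec perms not under any boolean."""
    return [r for r in find_exec_rules(text) if not r.conditions]

# Constructed sample mixing all three block styles; not from refpolicy.
SAMPLE_TE = """\
# constructed sample, not from refpolicy
type foo_t;
allow foo_t self:process { signal_perms execmem };
tunable_policy(`allow_execstack',`
	allow foo_t self:process execstack;
')
optional_policy(`bar',`
	allow foo_t bar_t:fifo_file rw_file_perms;
')
ifdef(`targeted_policy',`
	allow foo_t self:process { execheap execmem };
',`
	allow foo_t lib_t:file { read execute };
')
if (allow_execmod) {
	allow foo_t lib_t:file execmod;
} else {
	allow foo_t texrel_shlib_t:file execmod;
}
allow foo_t texrel_shlib_t:file execmod;
"""

if __name__ == "__main__":
    for r in find_exec_rules(SAMPLE_TE):
        guard = " && ".join(r.conditions) or "UNCONDITIONAL"
        print(f"line {r.line:3d}: {r.source} {r.target}:{r.tclass} "
              f"{sorted(r.exec_perms)} [{guard}]")
```

Note that an `ifdef` is a build-time switch, not a boolean, so a grant inside `ifdef(`targeted_policy')` is reported as unconditional; that matches Stephen's point that an execmod grant on texrel_shlib_t is expected to be unconditional while any other unconditional hit is worth a look.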

* Re: Latest Ref Policy Diffs
From: Christopher J. PeBenito @ 2005-12-12 16:41 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Daniel J Walsh, James Morris, SE Linux

On Mon, 2005-12-12 at 09:54 -0500, Stephen Smalley wrote:
> On Thu, 2005-12-08 at 16:14 -0500, Daniel J Walsh wrote:
> Nit:  It is more difficult to search through reference policy for
> occurrences of execmem et al due to the inlining of
> general_domain_access() everywhere (which happens to include it in an
> exclusion list of permissions to not allow to self:process).  It will
> also be harder to add further excluded permissions to that list in the
> future due to such inlining.  Rationale for such inlining in the
> reference policy?

The rationale is the same for all of the example policy macros, save
obvious ones like domain_auto_trans(), can_exec(), object class set, and
permission set macros.  We wanted to expand all of the macros so that we
could see all the rules for each domain.  After all the modules have
been ported over, we can more easily see the common policy patterns.
Then we can reevaluate the old macros and decide what to do with them.
We do intend to add support macros and templates to cover common policy
patterns, but we just haven't gotten to this part yet, since we're still
porting modules over from the example policy.

> > gfs support is added
> 
> I don't think gfs supports security xattrs yet, so I don't think you
> want it to use fs_use_xattr as its labeling mechanism.

Ok, I can reverse this change.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150




* Re: Latest Ref Policy Diffs
From: Eric Paris @ 2005-12-12 18:31 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Daniel J Walsh, James Morris, SE Linux, rohara

> > gfs support is added
> 
> I don't think gfs supports security xattrs yet, so I don't think you
> want it to use fs_use_xattr as its labeling mechanism.  Even if it did
> support security xattrs, we are going to run into a problem with
> performing the inode security initialization on d_instantiate for remote
> (or userspace) filesystems, because we cannot propagate ERESTARTSYS from
> d_instantiate up the call chain presently, and such filesystems may need
> to return that when they have to wait on a reply from the peer.  We'll
> have the same issue for NFSv4.
> 

I know Red Hat engineering has added support for security xattrs to GFS
and has it working.  I think this is why Dan pushed this upstream.  I
don't know if this GFS code is released or anything like that, so I'm
copying the engineer working on it.  Hopefully he can also comment on
your other point.

-Eric



