diff --git a/refpolicy/policy/global_booleans b/refpolicy/policy/global_booleans
index 557029288..7b89ba941 100644
--- a/refpolicy/policy/global_booleans
+++ b/refpolicy/policy/global_booleans
@@ -8,3 +8,11 @@
## newrole, from transitioning to administrative
## user domains.
gen_bool(secure_mode,false)
+
+## Disable transitions to insmod.
+gen_bool(secure_mode_insmod,false)
+
+## boolean to determine whether the system permits loading policy, setting
+## enforcing mode, and changing boolean values. Set this to true and you
+## have to reboot to set it back
+gen_bool(secure_mode_policyload,false)
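Review bot: The comment on `secure_mode_policyload` reads as if true means "permits", but every use in this commit is `if(!secure_mode_policyload)`, so true is the locked-down state. I would reword it to `## Disable loading policy, setting enforcing mode, and changing boolean values.` followed by `## Once set to true it can only be cleared by a reboot.` It is also worth stating that a reboot only clears it if the value has not been made persistent, since a persisted true would presumably be reapplied at boot.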
diff --git a/refpolicy/policy/modules/kernel/selinux.if b/refpolicy/policy/modules/kernel/selinux.if
index 9ebdad0ac..0235de050 100644
--- a/refpolicy/policy/modules/kernel/selinux.if
+++ b/refpolicy/policy/modules/kernel/selinux.if
@@ -127,13 +127,17 @@ interface(`selinux_set_enforce_mode',`
gen_require(`
type security_t;
attribute can_setenforce;
+ bool secure_mode_policyload;
')
allow $1 security_t:dir { read search getattr };
allow $1 security_t:file { getattr read write };
- allow $1 security_t:security setenforce;
- auditallow $1 security_t:security setenforce;
typeattribute $1 can_setenforce;
+
+ if(!secure_mode_policyload) {
+ allow $1 security_t:security setenforce;
+ auditallow $1 security_t:security setenforce;
+ }
')
########################################
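Review bot: `selinux_set_enforce_mode` now expands to an `if(!secure_mode_policyload)` block, so a caller that invokes it from inside a `tunable_policy` or another conditional would produce a nested conditional, which this commit itself says does not work (see the comment added above `modutils_domtrans_insmod_uncond`). No `_uncond` variant or warning is provided here. At minimum add to the interface header something like `# Expands to a conditional block; do not call from within another conditional.` The same applies to `selinux_load_policy`, `selinux_set_boolean` and `selinux_unconfined` below, and to the macros changed in targeted/macros/core_macros.te and global_macros.te.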
@@ -148,13 +152,17 @@ interface(`selinux_load_policy',`
gen_require(`
type security_t;
attribute can_load_policy;
+ bool secure_mode_policyload;
')
allow $1 security_t:dir { read search getattr };
allow $1 security_t:file { getattr read write };
- allow $1 security_t:security load_policy;
- auditallow $1 security_t:security load_policy;
typeattribute $1 can_load_policy;
+
+ if(!secure_mode_policyload) {
+ allow $1 security_t:security load_policy;
+ auditallow $1 security_t:security load_policy;
+ }
')
########################################
@@ -175,26 +183,20 @@ interface(`selinux_load_policy',`
##
## The process type allowed to set the Boolean.
##
-##
-## The type of Booleans the caller is allowed to set.
-##
#
interface(`selinux_set_boolean',`
gen_require(`
type security_t;
')
- ifelse(`$2',`',`
- allow $1 security_t:dir { getattr search read };
- allow $1 security_t:file { getattr read write };
- ',`
- allow $1 $2:dir { getattr search read };
- allow $1 $2:file { getattr read write };
- ')
-
allow $1 security_t:dir search;
- allow $1 security_t:security setbool;
- auditallow $1 security_t:security setbool;
+ allow $1 security_t:dir { getattr search read };
+ allow $1 security_t:file { getattr read write };
+
+ if(!secure_mode_policyload) {
+ allow $1 security_t:security setbool;
+ auditallow $1 security_t:security setbool;
+ }
')
########################################
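Review bot: `selinux_set_boolean` now tests `secure_mode_policyload`, but its `gen_require` block still lists only `type security_t;`, unlike the other three interfaces changed in this file, which each add `bool secure_mode_policyload;`. Add the same line here so the interface declares everything it references. Separately, `allow $1 security_t:dir search;` is now redundant with the `{ getattr search read }` rule that follows it. Callers that still pass the dropped second argument will have it silently ignored.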
@@ -358,16 +360,19 @@ interface(`selinux_compute_user_contexts',`
interface(`selinux_unconfined',`
gen_require(`
attribute can_load_policy, can_setenforce, can_setsecparam;
+ bool secure_mode_policyload;
type security_t;
')
- # Access the security API.
- allow $1 security_t:security *;
- auditallow $1 security_t:security { load_policy setenforce setbool };
-
# use SELinuxfs
allow $1 security_t:dir { getattr search read };
allow $1 security_t:file { getattr read write };
typeattribute $1 can_load_policy, can_setenforce, can_setsecparam;
+
+ if(!secure_mode_policyload) {
+ # Access the security API.
+ allow $1 security_t:security *;
+ auditallow $1 security_t:security { load_policy setenforce setbool };
+ }
')
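Review bot: Moving `allow $1 security_t:security *;` inside the conditional means that with secure_mode_policyload set, an unconfined domain loses every `security` class permission, not only the three the boolean is documented to cover. That would include query permissions such as compute_av and check_context. If that is not intended, keep the rest unconditional with `allow $1 security_t:security ~{ load_policy setenforce setbool };` outside the `if` and `allow $1 security_t:security { load_policy setenforce setbool };` inside it. The same wildcard is gated in the "Access the security API" hunk of targeted/macros/global_macros.te.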
diff --git a/refpolicy/policy/modules/services/dbus.if b/refpolicy/policy/modules/services/dbus.if
index cd712fe45..c25bafbcf 100644
--- a/refpolicy/policy/modules/services/dbus.if
+++ b/refpolicy/policy/modules/services/dbus.if
@@ -57,7 +57,7 @@ template(`dbus_per_userdomain_template',`
allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
- # Receive notifications of policy reloads and enforcing status changes.
+ allow $1_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
# For connecting to the bus
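Review bot: The comment `# Receive notifications of policy reloads and enforcing status changes.` was replaced rather than kept, so the `netlink_selinux_socket` rule has lost its explanation and the new `netlink_audit_socket` rule has none. Restore the original comment above the selinux socket rule and add one above the new line, e.g. `# Send audit messages from the bus daemon.` (wording to be confirmed by the author). `nlmsg_relay` is granted to every per-user dbusd domain by this template, so the reason should be recorded. The same pair of rules is added in targeted/macros/program/dbusd_macros.te.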
diff --git a/refpolicy/policy/modules/services/dhcp.te b/refpolicy/policy/modules/services/dhcp.te
index 8fab93b78..c6ad9d552 100644
--- a/refpolicy/policy/modules/services/dhcp.te
+++ b/refpolicy/policy/modules/services/dhcp.te
@@ -123,10 +123,6 @@ optional_policy(`mount.te',`
mount_send_nfs_client_request(dhcpd_t)
')
-optional_policy(`netutils.te',`
- netutils_domtrans(dhcpd_t)
-')
-
optional_policy(`nis.te',`
nis_use_ypbind(dhcpd_t)
')
diff --git a/refpolicy/policy/modules/services/pegasus.fc b/refpolicy/policy/modules/services/pegasus.fc
index 7547a4506..601c91ca0 100644
--- a/refpolicy/policy/modules/services/pegasus.fc
+++ b/refpolicy/policy/modules/services/pegasus.fc
@@ -1,5 +1,6 @@
/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
+/etc/Pegasus/pegasus_current.conf gen_context(system_u:object_r:pegasus_data_t,s0)
/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
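Review bot: The new `/etc/Pegasus/pegasus_current.conf` entry has no file-type field and leaves the dot unescaped, so it is a regular expression that matches any object class and any character in that position. `/etc/Pegasus/pegasus_current\.conf -- gen_context(system_u:object_r:pegasus_data_t,s0)` pins it to the one regular file. Since it overrides the `pegasus_conf_t` label of the surrounding directory tree, a short comment on why this file carries the data type (presumably so the daemon can rewrite it) would help. The same entry is added to targeted/file_contexts/program/pegasus.fc.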
@@ -9,9 +10,3 @@
/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
-
-ifdef(`TODO',`
-/usr/sbin/cimauth -- gen_context(system_u:object_r:pegasus_conf_exec_t,s0)
-/usr/sbin/cimconfig -- gen_context(system_u:object_r:pegasus_conf_exec_t,s0)
-/usr/sbin/cimuser -- gen_context(system_u:object_r:pegasus_conf_exec_t,s0)
-')
diff --git a/refpolicy/policy/modules/services/ppp.te b/refpolicy/policy/modules/services/ppp.te
index 3bafb9d12..873473125 100644
--- a/refpolicy/policy/modules/services/ppp.te
+++ b/refpolicy/policy/modules/services/ppp.te
@@ -197,8 +197,8 @@ ifdef(`targeted_policy', `
')
optional_policy(`modutils.te',`
- tunable_policy(`pppd_can_insmod',`
- modutils_domtrans_insmod(pppd_t)
+ tunable_policy(`pppd_can_insmod && ! secure_mode_insmod',`
+ modutils_domtrans_insmod_uncond(pppd_t)
')
')
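Review bot: The `! secure_mode_insmod` term in this `tunable_policy` expression is the only thing that keeps pppd_t under the boolean, because `modutils_domtrans_insmod_uncond` performs no check of its own. Add a comment at the call site, e.g. `# uses the _uncond interface because conditionals cannot nest; keep the secure_mode_insmod test here`, so the term is not dropped in a later cleanup. The header of `modutils_domtrans_insmod_uncond` in modutils.if should likewise say that callers must test secure_mode_insmod themselves.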
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index 5a92e15d8..8efec4433 100644
--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -77,6 +77,8 @@ fs_remount_xattr_fs(fsadm_t)
fs_search_tmpfs(fsadm_t)
fs_getattr_tmpfs_dir(fsadm_t)
+mls_file_write_down(fsadm_t)
+
storage_raw_read_fixed_disk(fsadm_t)
storage_raw_write_fixed_disk(fsadm_t)
storage_raw_read_removable_device(fsadm_t)
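Review bot: `mls_file_write_down(fsadm_t)` is an MLS override added without a comment, next to rules that already give fsadm_t raw write access to fixed disks. MLS exemptions are the kind of rule an auditor will ask about, so record the reason, e.g. `# filesystem tools write to objects below their own level` if that is the case. The same applies to `mls_process_write_down(init_t)` in init.te and to the `mlsfilewrite` and `mlsprocwrite` attributes added in targeted/domains/program/fsadm.te and init.te.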
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index d9b3af0d7..23cd16135 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -123,6 +123,8 @@ kernel_sigchld_from_unlabeled(init_t)
dev_read_sysfs(init_t)
+mls_process_write_down(init_t)
+
selinux_set_boolean(init_t)
term_use_all_terms(init_t)
diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc
index 6d56a6738..e15643dde 100644
--- a/refpolicy/policy/modules/system/libraries.fc
+++ b/refpolicy/policy/modules/system/libraries.fc
@@ -60,7 +60,6 @@ ifdef(`distro_redhat',`
/usr/lib/win32/.* -- gen_context(system_u:object_r:shlib_t,s0)
/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* -- gen_context(system_u:object_r:texrel_shlib_t,s0)
-/usr/lib(64)?/Pegasus/providers/.*\.so.* gen_context(system_u:object_r:shlib_t,s0)
/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr/(local/)?lib/wine/.*\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if
index b7f78b04f..29a53bc4e 100644
--- a/refpolicy/policy/modules/system/modutils.if
+++ b/refpolicy/policy/modules/system/modutils.if
@@ -58,13 +58,15 @@ interface(`modutils_rename_module_conf',`
########################################
##
-## Execute insmod in the insmod domain.
+## Unconditionally execute insmod in the insmod domain.
##
##
## The type of the process performing this action.
##
#
-interface(`modutils_domtrans_insmod',`
+# cjp: this is added for pppd, due to nested
+# conditionals not working.
+interface(`modutils_domtrans_insmod_uncond',`
gen_require(`
type insmod_t, insmod_exec_t;
')
@@ -78,6 +80,24 @@ interface(`modutils_domtrans_insmod',`
allow insmod_t $1:process sigchld;
')
+########################################
+##
+## Execute insmod in the insmod domain.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`modutils_domtrans_insmod',`
+ gen_require(`
+ bool secure_mode_insmod;
+ ')
+
+ if (!secure_mode_insmod) {
+ modutils_domtrans_insmod_uncond($1)
+ }
+')
+
########################################
##
## Execute insmod in the insmod domain, and
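Review bot: In refpolicy, secure_mode_insmod as introduced here only removes the domain transition into insmod_t; nothing in this diff touches modutils.te, so insmod_t's `sys_module` capability may still be granted unconditionally there. targeted/domains/program/modutil.te in this same commit moves `sys_module` inside `if (!secure_mode_insmod)`, and the two policies should agree. If modutils.te is left as is, a process that is already running in insmod_t, or that enters it by another route, is presumably unaffected by the boolean. The interface that follows this one starts at the end of the hunk and is not visible here.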
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 6705b1c04..07b155fa5 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -344,14 +344,18 @@ ifdef(`targeted_policy',`
term_use_unallocated_tty(ifconfig_t)
')
-optional_policy(`ppp.te',`
- ppp_use_fd(ifconfig_t)
+optional_policy(`netutils.te',`
+ netutils_domtrans(dhcpc_t)
')
optional_policy(`nis.te',`
nis_use_ypbind(ifconfig_t)
')
+optional_policy(`ppp.te',`
+ ppp_use_fd(ifconfig_t)
+')
+
ifdef(`TODO',`
ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
optional_policy(`rhgb.te', `
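Review bot: `netutils_domtrans(dhcpc_t)` is inserted between `optional_policy` blocks that all concern ifconfig_t, so a dhcpc_t rule now sits in what appears to be the ifconfig section of the file. Move it to the dhcpc_t rules (outside this hunk) so the transition is found when that domain is reviewed. If it must stay here, a comment such as `# dhcpc_t, not dhcpd_t, transitions to netutils` would at least explain its presence.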
diff --git a/targeted/ChangeLog b/targeted/ChangeLog
index db9833c5c..9be123194 100644
--- a/targeted/ChangeLog
+++ b/targeted/ChangeLog
@@ -1,3 +1,26 @@
+1.27.2 2005-10-20
+ * Merged patch from Chad Hanson. Modified MLS constraints.
+ Provided comments for the MLS attributes.
+ * Merged two patches from Thomas Bleher which made some minor
+ fixes and cleanups.
+ * Merged patches from Russell Coker. Added comments to some of the
+ MLS attributes. Added the secure_mode_insmod boolean to determine
+ whether the system permits loading policy, setting enforcing mode,
+ and changing boolean values. Made minor fixes for the cdrecord_domain
+ macro, application_domain, newrole_domain, and daemon_base_domain
+ macros. Added rules to allow the mail server to access the user
+ home directories in the targeted policy and allows the postfix
+ showq program to do DNS lookups. Minor fixes for the MCS
+ policy. Made other minor fixes and cleanups.
+ * Merged patch from Dan Walsh. Added opencd, pegasus, readahead,
+ and roundup policies. Created can_access_pty macro to handle pty
+ output. Created nsswithch_domain macro for domains using
+ nsswitch. Added mcs transition rules. Removed mqueue and added
+ capifs genfscon entries. Added dhcpd and pegasus ports. Added
+ domain transitions from login domains to pam_console and alsa
+ domains. Added rules to allow the httpd and squid domains to
+ relay more protocols. For the targeted policy, removed sysadm_r
+ role from unconfined_t. Made other fixes and cleanups.
1.27.1 2005-09-15
* Merged small patches from Russell Coker for the apostrophe,
dhcpc, fsadm, and setfiles policy.
diff --git a/targeted/Makefile b/targeted/Makefile
index de87e341d..431165403 100644
--- a/targeted/Makefile
+++ b/targeted/Makefile
@@ -27,7 +27,7 @@ CHECKPOLICY = $(BINDIR)/checkpolicy
GENHOMEDIRCON = $(SBINDIR)/genhomedircon
SETFILES = $(SBINDIR)/setfiles
VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
-PREVERS := 19
+PREVERS := 20
KERNVERS := $(shell cat /selinux/policyvers)
MLSENABLED := $(shell cat /selinux/mls)
POLICYVER := policy.$(VERS)
@@ -178,11 +178,7 @@ endif
reload tmp/load: $(LOADPATH)
@echo "Loading Policy ..."
-ifeq ($(VERS), $(KERNVERS))
- $(LOADPOLICY) $(LOADPATH)
-else
- $(LOADPOLICY) $(POLICYPATH)/policy.$(PREVERS)
-endif
+ $(LOADPOLICY)
touch tmp/load
load: tmp/load $(FCPATH)
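Review bot: The `reload tmp/load` rule still lists `$(LOADPATH)` as its prerequisite but now runs `$(LOADPOLICY)` with no argument, so what gets loaded is whatever the tool picks by default rather than the file make just checked. That relies on a load_policy that locates the installed policy itself; with a version that requires a path the target would presumably fail. A comment stating the minimum tool version, or keeping `$(LOADPOLICY) $(LOADPATH)`, would make the dependency explicit. `PREVERS`, bumped to 20 in the previous hunk, is no longer used by this rule.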
diff --git a/targeted/VERSION b/targeted/VERSION
index 08002f86c..457f03854 100644
--- a/targeted/VERSION
+++ b/targeted/VERSION
@@ -1 +1 @@
-1.27.1
+1.27.2
diff --git a/targeted/domains/program/dhcpc.te b/targeted/domains/program/dhcpc.te
index 8e16fc7b6..d21b9db8f 100644
--- a/targeted/domains/program/dhcpc.te
+++ b/targeted/domains/program/dhcpc.te
@@ -164,5 +164,5 @@ allow unconfined_t dhcpc_t:dbus send_msg;
allow dhcpc_t unconfined_t:dbus send_msg;
')
')
-ifdef(`netutils.te', `domain_auto_trans(dhcpd_t, netutils_exec_t, netutils_t)')
+ifdef(`netutils.te', `domain_auto_trans(dhcpc_t, netutils_exec_t, netutils_t)')
allow dhcpc_t locale_t:file write;
diff --git a/targeted/domains/program/fsadm.te b/targeted/domains/program/fsadm.te
index 1d01c3daf..0bfbb6862 100644
--- a/targeted/domains/program/fsadm.te
+++ b/targeted/domains/program/fsadm.te
@@ -12,7 +12,7 @@
# administration.
# fsadm_exec_t is the type of the corresponding programs.
#
-type fsadm_t, domain, privlog, fs_domain, mlsfileread;
+type fsadm_t, domain, privlog, fs_domain, mlsfileread, mlsfilewrite;
role system_r types fsadm_t;
role sysadm_r types fsadm_t;
diff --git a/targeted/domains/program/init.te b/targeted/domains/program/init.te
index 185e0baa0..dc5c0508a 100644
--- a/targeted/domains/program/init.te
+++ b/targeted/domains/program/init.te
@@ -14,7 +14,7 @@
# by init during initialization. This pipe is used
# to communicate with init.
#
-type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain, mlsrangetrans, mlsfileread, mlsfilewrite;
+type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain, mlsrangetrans, mlsfileread, mlsfilewrite, mlsprocwrite;
role system_r types init_t;
uses_shlib(init_t);
type init_exec_t, file_type, sysadmfile, exec_type;
diff --git a/targeted/domains/program/load_policy.te b/targeted/domains/program/load_policy.te
index 7ff7a61c1..3d43900fc 100644
--- a/targeted/domains/program/load_policy.te
+++ b/targeted/domains/program/load_policy.te
@@ -8,6 +8,10 @@
# load_policy_t is the domain type for load_policy
# load_policy_exec_t is the file type for the executable
+# boolean to determine whether the system permits loading policy, setting
+# enforcing mode, and changing boolean values. Set this to true and you
+# have to reboot to set it back
+bool secure_mode_policyload false;
type load_policy_t, domain;
role sysadm_r types load_policy_t;
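Review bot: `secure_mode_policyload` is declared here, but it is referenced from macros in targeted/macros/core_macros.te and global_macros.te that are expanded by other domains. If load_policy.te is ever left out of a build, those macros would refer to an undeclared boolean, so the declaration belongs in a file that is always compiled. The comment also describes the boolean as deciding whether the system "permits" these operations, while true is the state that forbids them. `# Set to true to disable loading policy, setting enforcing mode and changing booleans until reboot.` is clearer.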
diff --git a/targeted/domains/program/modutil.te b/targeted/domains/program/modutil.te
index f69f2bbc3..a93453443 100644
--- a/targeted/domains/program/modutil.te
+++ b/targeted/domains/program/modutil.te
@@ -77,11 +77,15 @@ type insmod_t, domain, privlog, sysctl_kernel_writer, privmem, privsysmod ifdef(
;
role system_r types insmod_t;
role sysadm_r types insmod_t;
+type insmod_exec_t, file_type, exec_type, sysadmfile;
+
+bool secure_mode_insmod false;
+
+can_ypbind(insmod_t)
ifdef(`unlimitedUtils', `
unconfined_domain(insmod_t)
')
-can_ypbind(insmod_t)
uses_shlib(insmod_t)
read_locale(insmod_t)
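Review bot: `bool secure_mode_insmod false;` is declared without a comment, while the matching boolean in load_policy.te gets three lines; add `# Set to true to disable transitions to insmod_t and its sys_module capability.` Also note that the `unlimitedUtils` block just below makes insmod_t an unconfined domain, which presumably grants its capabilities outside the `if (!secure_mode_insmod)` block added later in this file. In that configuration the boolean would only remove the automatic transition, which deserves a comment or an exclusion.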
@@ -128,7 +132,7 @@ allow insmod_t self:udp_socket create_socket_perms;
allow insmod_t self:unix_dgram_socket create_socket_perms;
allow insmod_t self:unix_stream_socket create_stream_socket_perms;
allow insmod_t self:rawip_socket create_socket_perms;
-allow insmod_t self:capability { dac_override kill net_raw sys_module sys_tty_config };
+allow insmod_t self:capability { dac_override kill net_raw sys_tty_config };
allow insmod_t domain:process signal;
allow insmod_t self:process { fork signal_perms };
allow insmod_t device_t:dir search;
@@ -161,8 +165,11 @@ allow insmod_t sysctl_hotplug_t:file { getattr read };
allow insmod_t device_t:dir read;
allow insmod_t devpts_t:dir { getattr search };
-type insmod_exec_t, file_type, exec_type, sysadmfile;
+if (!secure_mode_insmod) {
domain_auto_trans(privmodule, insmod_exec_t, insmod_t)
+allow insmod_t self:capability sys_module;
+}dnl end if !secure_mode_insmod
+
can_exec(insmod_t, { insmod_exec_t shell_exec_t bin_t sbin_t etc_t })
allow insmod_t devtty_t:chr_file rw_file_perms;
allow insmod_t privmodule:process sigchld;
diff --git a/targeted/domains/program/ping.te b/targeted/domains/program/ping.te
index 6461c51a3..0a0d94c1e 100644
--- a/targeted/domains/program/ping.te
+++ b/targeted/domains/program/ping.te
@@ -37,7 +37,6 @@ domain_auto_trans(initrc_t, ping_exec_t, ping_t)
uses_shlib(ping_t)
can_network_client(ping_t)
can_resolve(ping_t)
-allow ping_t dns_port_t:tcp_socket name_connect;
can_ypbind(ping_t)
allow ping_t etc_t:file { getattr read };
allow ping_t self:unix_stream_socket create_socket_perms;
diff --git a/targeted/domains/program/postfix.te b/targeted/domains/program/postfix.te
index 25ec4c479..6b94177fa 100644
--- a/targeted/domains/program/postfix.te
+++ b/targeted/domains/program/postfix.te
@@ -193,10 +193,10 @@ allow postfix_smtpd_t self:file { getattr read };
# for prng_exch
allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
+
allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
postfix_server_domain(local, `, mta_delivery_agent')
-
ifdef(`procmail.te', `
domain_auto_trans(postfix_local_t, procmail_exec_t, procmail_t)
# for a bug in the postfix local program
diff --git a/targeted/domains/program/spamd.te b/targeted/domains/program/spamd.te
index 01283ca48..7c250024f 100644
--- a/targeted/domains/program/spamd.te
+++ b/targeted/domains/program/spamd.te
@@ -9,20 +9,19 @@ daemon_domain(spamd)
tmp_domain(spamd)
-allow spamd_t spamd_port_t:tcp_socket name_bind;
-
general_domain_access(spamd_t)
uses_shlib(spamd_t)
-can_ypbind(spamd_t)
read_sysctl(spamd_t)
# Various Perl bits
allow spamd_t lib_t:file rx_file_perms;
dontaudit spamd_t shadow_t:file { getattr read };
dontaudit spamd_t initrc_var_run_t:file { read write lock };
-dontaudit spamd_t sysadm_home_dir_t:dir getattr;
+dontaudit spamd_t sysadm_home_dir_t:dir { getattr search };
can_network_server(spamd_t)
+allow spamd_t spamd_port_t:tcp_socket name_bind;
+can_ypbind(spamd_t)
allow spamd_t self:capability net_bind_service;
allow spamd_t proc_t:file { getattr read };
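Review bot: Widening the `dontaudit` on `sysadm_home_dir_t:dir` to `{ getattr search }` means a denied search of the administrator's home directory by spamd_t no longer produces an audit record. If this is known benign behaviour, say so next to the rule, e.g. `# spamd looks in the invoking user's home directory at startup; denied and not logged`, so that the suppression is a recorded decision rather than a silent one. The reason given in that example is a guess and should be confirmed by the author.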
diff --git a/targeted/file_contexts/program/pegasus.fc b/targeted/file_contexts/program/pegasus.fc
index a527df31d..f4b9f15c8 100644
--- a/targeted/file_contexts/program/pegasus.fc
+++ b/targeted/file_contexts/program/pegasus.fc
@@ -1,11 +1,9 @@
# File Contexts for The Open Group Pegasus (tog-pegasus) cimserver
/usr/sbin/cimserver -- system_u:object_r:pegasus_exec_t:s0
-/usr/sbin/cimconfig -- system_u:object_r:pegasus_conf_exec_t:s0
-/usr/sbin/cimuser -- system_u:object_r:pegasus_conf_exec_t:s0
-/usr/sbin/cimauth -- system_u:object_r:pegasus_conf_exec_t:s0
/usr/sbin/init_repository -- system_u:object_r:pegasus_exec_t:s0
-/usr/lib(64)?/Pegasus/providers/.*\.so.* system_u:object_r:shlib_t:s0
/etc/Pegasus(/.*)? system_u:object_r:pegasus_conf_t:s0
/var/lib/Pegasus(/.*)? system_u:object_r:pegasus_data_t:s0
/var/run/tog-pegasus(/.*)? system_u:object_r:pegasus_var_run_t:s0
/usr/share/Pegasus/mof(/.*)?/.*\.mof system_u:object_r:pegasus_mof_t:s0
+/etc/Pegasus/pegasus_current.conf system_u:object_r:pegasus_data_t:s0
+
diff --git a/targeted/macros/base_user_macros.te b/targeted/macros/base_user_macros.te
index 4c5b36a61..cecbaf7d4 100644
--- a/targeted/macros/base_user_macros.te
+++ b/targeted/macros/base_user_macros.te
@@ -173,6 +173,7 @@ ifdef(`gnome-pty-helper.te', `gph_domain($1, $1)')
ifdef(`chkpwd.te', `chkpwd_domain($1)')
ifdef(`fingerd.te', `fingerd_macro($1)')
ifdef(`mta.te', `mail_domain($1)')
+ifdef(`exim.te', `exim_user_domain($1)')
ifdef(`crontab.te', `crontab_domain($1)')
ifdef(`screen.te', `screen_domain($1)')
diff --git a/targeted/macros/core_macros.te b/targeted/macros/core_macros.te
index 4a5900a2b..6bae8bf44 100644
--- a/targeted/macros/core_macros.te
+++ b/targeted/macros/core_macros.te
@@ -306,8 +306,10 @@ allow $1 self:file { getattr read };
# Access selinuxfs.
allow $1 security_t:dir { read search getattr };
allow $1 security_t:file { getattr read write };
+if (!secure_mode_policyload) {
allow $1 security_t:security setenforce;
auditallow $1 security_t:security setenforce;
+}dnl end if !secure_mode_policyload
')
##################################
@@ -326,8 +328,10 @@ allow $1 self:file { getattr read };
# Access selinuxfs.
allow $1 security_t:dir { read search getattr };
allow $1 security_t:file { getattr read write };
+if (!secure_mode_policyload) {
allow $1 security_t:security setbool;
auditallow $1 security_t:security setbool;
+}dnl end if !secure_mode_policyload
')
##################################
@@ -367,8 +371,10 @@ allow $1 self:file { getattr read };
# Access selinuxfs.
allow $1 security_t:dir { read search getattr };
allow $1 security_t:file { getattr read write };
+if (!secure_mode_policyload) {
allow $1 security_t:security load_policy;
auditallow $1 security_t:security load_policy;
+}dnl end if !secure_mode_policyload
')
#################################
diff --git a/targeted/macros/global_macros.te b/targeted/macros/global_macros.te
index 3825abb39..0faa4bef3 100644
--- a/targeted/macros/global_macros.te
+++ b/targeted/macros/global_macros.te
@@ -324,13 +324,14 @@ can_exec(sysadm_t, $1_exec_t)
} else {
') dnl transitionbool
domain_auto_trans(initrc_t, $1_exec_t, $1_t)
+
allow initrc_t $1_t:process { noatsecure siginh rlimitinh };
ifdef(`direct_sysadm_daemon', `
ifelse(`$3', `nosysadm', `', `
domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
allow sysadm_t $1_t:process { noatsecure siginh rlimitinh };
-')dnl end direct_sysadm_daemon
')dnl end nosysadm
+')dnl end direct_sysadm_daemon
ifelse(index(`$2', `transitionbool'), -1, `', `
}
') dnl end transitionbool
@@ -703,8 +704,10 @@ allow $1 domain:{ sem msgq shm } *;
allow $1 domain:msg { send receive };
# Access the security API.
+if (!secure_mode_policyload) {
allow $1 security_t:security *;
auditallow $1 security_t:security { load_policy setenforce setbool };
+}dnl end if !secure_mode_policyload
# Perform certain system operations that lacked individual capabilities.
allow $1 kernel_t:system *;
@@ -758,4 +761,6 @@ r_dir_file($1, cert_t)
allow $1 { random_device_t urandom_device_t }:chr_file { getattr read };
allow $1 self:capability { audit_write audit_control };
dontaudit $1 shadow_t:file { getattr read };
+allow $1 sbin_t:dir search;
+allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
')
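Review bot: The two added rules give `sbin_t:dir search` and a `netlink_audit_socket` with `nlmsg_relay` to every domain that uses this macro, where chkpwd_macros.te previously granted them only to `auth_chkpwd` and `$1_t`. The macro's name and its callers are outside the hunk, so the set of domains that gain the audit relay permission cannot be checked from here; please confirm it is limited to domains that actually write audit records. A comment such as `# needed to send authentication audit messages` above the netlink rule would record the intent. Note also that the `$1_t` rules deleted from chkpwd_macros.te have no visible replacement, so user domains lose them unless they are covered elsewhere.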
diff --git a/targeted/macros/program/cdrecord_macros.te b/targeted/macros/program/cdrecord_macros.te
index fc1fc9511..72d3f4fd2 100644
--- a/targeted/macros/program/cdrecord_macros.te
+++ b/targeted/macros/program/cdrecord_macros.te
@@ -45,5 +45,9 @@ can_access_pty($1_cdrecord_t, $1)
allow $1_cdrecord_t $1_home_t:dir search;
allow $1_cdrecord_t $1_home_dir_t:dir r_dir_perms;
allow $1_cdrecord_t $1_home_t:file r_file_perms;
+if (use_nfs_home_dirs) {
+allow $1_cdrecord_t mnt_t:dir search;
+r_dir_file($1_cdrecord_t, nfs_t)
+}
')
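Review bot: `r_dir_file($1_cdrecord_t, nfs_t)` under `use_nfs_home_dirs` grants read access to everything labelled nfs_t, which is presumably every NFS mount rather than only the user's home directory. That may be unavoidable, but it deserves a comment such as `# home directories on NFS: all NFS content shares nfs_t`. The closing brace also lacks the `}dnl end if use_nfs_home_dirs` marker that the other conditionals added in this commit use.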
diff --git a/targeted/macros/program/chkpwd_macros.te b/targeted/macros/program/chkpwd_macros.te
index 34f194850..62d8b44b8 100644
--- a/targeted/macros/program/chkpwd_macros.te
+++ b/targeted/macros/program/chkpwd_macros.te
@@ -27,15 +27,10 @@ authentication_domain($1_chkpwd_t)
ifelse($1, system, `
domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
-allow auth_chkpwd sbin_t:dir search;
-allow auth_chkpwd self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
authentication_domain(auth_chkpwd)
', `
domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
-allow $1_t sbin_t:dir search;
-allow $1_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
# Write to the user domain tty.
access_terminal($1_chkpwd_t, $1)
diff --git a/targeted/macros/program/dbusd_macros.te b/targeted/macros/program/dbusd_macros.te
index 744478e55..2e542a0ac 100644
--- a/targeted/macros/program/dbusd_macros.te
+++ b/targeted/macros/program/dbusd_macros.te
@@ -40,7 +40,8 @@ allow $1_dbusd_t proc_t:file read;
can_getsecurity($1_dbusd_t)
r_dir_file($1_dbusd_t, default_context_t)
-allow system_dbusd_t self:netlink_selinux_socket create_socket_perms;
+allow $1_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
ifdef(`pamconsole.te', `
r_dir_file($1_dbusd_t, pam_var_console_t)
diff --git a/targeted/macros/program/ypbind_macros.te b/targeted/macros/program/ypbind_macros.te
index 61db7cc0a..04a8f1dbb 100644
--- a/targeted/macros/program/ypbind_macros.te
+++ b/targeted/macros/program/ypbind_macros.te
@@ -1,4 +1,3 @@
-
define(`uncond_can_ypbind', `
can_network($1)
r_dir_file($1,var_yp_t)